09-26-2013 08:27 PM - edited 03-07-2019 03:42 PM
Hi,
As I have understood, BPDU guard will block BPDUs when it's enabled on access ports, and if it receives one it will move the port to error-disabled mode.
In case of BPDU filter, what is the difference in enabling the same in global and interface modes, and for these features to be enabled, whether portfast is mandatory?
When we enable BPDU guard or filter, why does it even receive BPDUs on those ports?
In what scenarios will we be enabling BPDU guard and filter features?
Please guide.
Thanks & Regards,
Naveen
09-26-2013 10:00 PM
Hi Naveen,
Hope below link will give the information which you are looking for.
http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
Regards
Najaf
Please rate when applicable or helpful !!!
09-26-2013 10:04 PM
When port-fast is used under an interface it doesn't mean that STP is disabled, because the interface will still be sending out BPDUs and will be listening for BPDUs, and in case a BPDU is received port-fast will automatically be disabled.

BPDU Filter will drop BPDUs as they go out of or into an interface and is typically used on access interfaces (towards end users). If the feature is configured under the interface, the disadvantage of this is that if the other end starts to run spanning tree, the interface that has bpdu filter configured will still be filtering out incoming/outgoing BPDU packets, and this could be used to prevent a man-in-the-middle attack. If the feature is configured globally with portfast using the commands (spanning-tree portfast bpdufilter default / spanning-tree portfast default), BPDUs will be filtered out of the link but it will still be listening to BPDUs in, since portfast is used; in case a BPDU is received from the other side, portfast will be disabled automatically and the interface will be part of the spanning tree instance that is running on your network, and this does leave you open to an L2 man-in-the-middle attack.
---
Posted by WebUser Marwan Hassan from Cisco Support Community App
09-26-2013 10:13 PM
BPDU Guard is more secure in the sense that if a BPDU is received on the interface it would shut it down. This could be configured globally or at interface level; at the interface level it will be waiting for any BPDUs to come in, and once one is received the interface will be in ERR-Disable mode. Now if used globally with portfast (spanning-tree portfast bpduguard default) we will be listening to BPDUs; if one is received the interface will be in ERR-Disable mode, if not then you'll be making use of the portfast feature, which allows the interface to transition right away to forwarding state. So we can consider that using BPDU-Guard is more secure than BPDU filter. Hope that helped you.
---
Posted by WebUser Marwan Hassan from Cisco Support Community App
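The two replies above describe four configurations (BPDU filter and BPDU guard, each applied under the interface or enabled globally through `spanning-tree portfast ... default`) and how each reacts when a BPDU unexpectedly arrives on an access port. The following Python model is an added example, not code from the thread or from Cisco; it encodes those decision rules so the four cases can be compared side by side. The `Switch` and `Port` classes, the function names, and the port names `Gi0/1`..`Gi0/5` are this example's own; the commands quoted in the comments are Cisco IOS. Precedence when several features apply to the same port (an interface-level filter silencing the guard, a global guard firing before a global filter) follows Cisco's behaviour as I understand it and is an assumption of the model, and the few BPDUs that a globally filtered portfast port sends right after link-up are ignored here.

```python
"""Behaviour model for BPDU Guard and BPDU Filter on a Cisco access port.

Added example (not from the thread): encodes the rules the two replies
describe so the four configurations can be compared side by side.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Switch:
    bpdufilter_default: bool = False   # spanning-tree portfast bpdufilter default
    bpduguard_default: bool = False    # spanning-tree portfast bpduguard default


@dataclass
class Port:
    name: str
    portfast: bool = False             # spanning-tree portfast (or portfast default)
    bpdufilter_if: bool = False        # spanning-tree bpdufilter enable (interface)
    bpduguard_if: bool = False         # spanning-tree bpduguard enable (interface)
    state: str = "forwarding"          # "forwarding" or "err-disabled"
    in_stp: bool = False               # True once the port runs STP normally
    log: List[str] = field(default_factory=list)


def sends_bpdus(sw: Switch, p: Port) -> bool:
    """Does this port transmit BPDUs toward the attached device?"""
    if p.state == "err-disabled":
        return False                   # shut by guard: nothing in or out
    if p.bpdufilter_if:
        return False                   # interface filter: silent in both directions
    if p.portfast and sw.bpdufilter_default:
        return False                   # global filter: silent while portfast is active
    return True                        # a normal STP port keeps sending BPDUs


def receive_bpdu(sw: Switch, p: Port) -> str:
    """Apply the rules for one inbound BPDU on port p; returns the outcome."""
    if p.state == "err-disabled":
        return "err-disabled"          # already shut; nothing more happens
    if p.bpdufilter_if:
        # Interface-level filter drops the BPDU before any other feature sees it
        # (assumption: this is why it also masks an interface-level guard).
        p.log.append(f"{p.name}: BPDU silently dropped (interface bpdufilter)")
        return "dropped"
    if p.bpduguard_if or (p.portfast and sw.bpduguard_default):
        # Interface guard fires on any BPDU; the global default only while
        # the port is operating in portfast.
        p.state = "err-disabled"
        p.log.append(f"{p.name}: BPDU received, port err-disabled (bpduguard)")
        return "err-disabled"
    if p.portfast:
        # Plain portfast and the global bpdufilter default behave alike here:
        # portfast (and with it the filtering) is dropped and the port joins STP.
        p.portfast = False
        p.in_stp = True
        p.log.append(f"{p.name}: BPDU received, portfast disabled, port now runs STP")
        return "portfast-disabled"
    p.in_stp = True
    return "processed"                 # ordinary STP port, BPDU handled normally


def compare() -> Dict[str, Tuple[bool, str, str, bool]]:
    """Send one inbound BPDU through each configuration from the thread.

    Returns, per case: (sends BPDUs before, outcome, port state, sends after).
    """
    cases = {
        "filter on interface": (Switch(), Port("Gi0/1", portfast=True, bpdufilter_if=True)),
        "filter global default": (Switch(bpdufilter_default=True), Port("Gi0/2", portfast=True)),
        "guard on interface": (Switch(), Port("Gi0/3", portfast=True, bpduguard_if=True)),
        "guard global default": (Switch(bpduguard_default=True), Port("Gi0/4", portfast=True)),
        "guard global, no portfast": (Switch(bpduguard_default=True), Port("Gi0/5")),
    }
    results = {}
    for label, (sw, p) in cases.items():
        before = sends_bpdus(sw, p)
        outcome = receive_bpdu(sw, p)
        results[label] = (before, outcome, p.state, sends_bpdus(sw, p))
    return results


if __name__ == "__main__":
    for label, (before, outcome, state, after) in compare().items():
        print(f"{label:27s} sends_before={before!s:5} outcome={outcome:17s} "
              f"state={state:12s} sends_after={after}")
```

The table the script prints is the point of the model: only the interface-level filter leaves a port forwarding with STP blind to the peer, the globally filtered portfast port quietly turns into a normal STP port (the exposure the first reply warns about), and both guard variants err-disable the port, with the global one doing so only while portfast is in effect.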