Portfast and BPDU Guard

daniel.bowen · ‎06-22-2004

Hi everyone, I am looking at placing Portfast and BPDU guard on all access ports in a clients network due to them complaining about machines failing to get DHCP addresses at bootup. Trouble is, we do not have control over what is connected to the switch ports at any time. If I configure both portfast and bpdu guard on each port, if ever a switch/hub/concentrator is patched into one of these ports then the network should still be safe?

Can anyone see any possible problems with this?

Many thanks,

Danny,

befthimi · ‎06-22-2004

Danny,

It should be safe, in that, BPDU Guard will shutdown the port if it detects a BPDU incoming on the portfast interface. There will be no effect with a HUB/Concentrator. If you need a switch to function when connected to these ports, then I'm not sure that you want to enable BPDU Guard. So, it depends. BPDU Guard is meant for protecting environments were customers do not want to tolerate 'unknown or unexpected' switches/bridges appearing.

On the otherhand, if aquiring a DHCP address is the main problem, then typically, portfast is the solution. Depending on the switch and environment, then we can also set port speed and duplex, disable DTP (trunk negotiation) and PAGP (Etherchannel negotiation).

The following document may also help you:

http://www.cisco.com/en/US/partner/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml

I hope this all helps.

Bill.

daniel.bowen · ‎06-22-2004

many thanks Bill,

Daniel