Spanning-Tree with portfast enabled globally bad idea?

Joshua_521
Level 1

I am pretty new to networking and am trying to understand my organization's current configs. We have a large hub and spoke network, but my question is for the remote side of the house. On the remote we have 3 separate networks (2 user and 1 transport). On the transport we have a 2811 rtr and a 3560G. The 3560G runs to two HAIPE devices (KG-250s) that have our 2 user networks behind them.

On the user network it is just 1 3560G that is essentially an access switch for our users. We run 2-3 VLANs on these switches, but all ports on the switch are access mode. We also use a Riverbed (network accelerator) on the user networks. The attached layout shows cabling layout and VLAN association. Here are the configs we have for our access switches.

Globally

spanning-tree mode rapid-pvst

spanning-tree portfast default

spanning-tree extend system-id

spanning-tree vlan 2-3 priority 24576

Interfaces 1 & 2

switchport access vlan 3

switchport mode access

switchport port-security

switchport port-security mac-address sticky

no cdp enable

spanning-tree bpdufilter enable

spanning-tree bpduguard enable

spanning-tree guard root

Interfaces 47 & 48

switchport access vlan 98

switchport mode access

no cdp enable

From my understanding, running portfast on a port disables spanning-tree, and the portfast default command enables it on all access ports, which all of the ports on these switches are. Besides trunking ports, which we don't do, aren't all ports on a switch layer 2 access ports? If so, why would you enable portfast and STP globally? Won't portfast override and cancel out STP? Also, isn't it overkill or unnecessary to run bpdufilter, bpduguard, & guard root on all of our ports?

**Quick note: I did some testing to see how BPDUs ran through this layout. I took off filter and guard root, just leaving bpduguard on all of the ports. Ports 47 (Riverbed WAN) and 1 (Riverbed LAN) kept err-disabling. None of the other ports received BPDUs.**
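
An added example, not part of the original post: a small audit that reads an IOS-style config and flags interfaces where `spanning-tree bpdufilter enable` sits alongside `bpduguard` or `guard root`. It relies on general Catalyst behaviour (an interface-level BPDU filter discards BPDUs before the guards can react), which is not stated in the post; the interface names and the sample config are constructed.

```python
# Constructed sample modelled on the post's config; interface names are
# assumptions (the post only says "Interfaces 1 & 2" and "47 & 48").
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
interface GigabitEthernet0/1
 switchport access vlan 3
 switchport mode access
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface GigabitEthernet0/47
 switchport access vlan 98
 switchport mode access
 no cdp enable
"""

def parse_sections(config):
    """Split IOS-style text into global lines (key None) and per-interface lines."""
    sections, current = {None: []}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split()[1]
            sections[current] = []
        elif raw[:1].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:  # "!" or a global command ends the interface block
            current = None
            if raw.strip() not in ("", "!"):
                sections[None].append(raw.strip())
    return sections

def audit_stp_edge(config):
    """Return {interface: [findings]} for BPDU filter/guard overlap on access ports."""
    sections = parse_sections(config)
    portfast_default = "spanning-tree portfast default" in sections[None]
    report = {}
    for name, lines in sections.items():
        if name is None:
            continue
        bfilter = "spanning-tree bpdufilter enable" in lines
        guards = [g for g in ("spanning-tree bpduguard enable",
                              "spanning-tree guard root") if g in lines]
        notes = []
        if bfilter and guards:
            notes.append("bpdufilter discards BPDUs, so these never trigger: " + ", ".join(guards))
        if ("switchport mode access" in lines and portfast_default
                and not bfilter and not guards):
            notes.append("PortFast via global default, no BPDU guard or filter")
        report[name] = notes
    return report
```
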
