BPDUGuard enabled automatically when Portfast enabled?

Willard Dennis
Level 1

Hi everyone,

I just read in the CCNP SWITCH OCG the following:

"All ports that have PortFast enabled also have BPDU Guard automatically enabled."

So I could enable Portfast on an interface and be confident that if the end user connects a switch to that interface, the interface would go into errdisable state (due to the operation of BPDUGuard)?

I've been holding off using Portfast on the end-user-connected interfaces because in our facility (R&D), it's quite possible that the user may connect a switch to the wall jack in place of a PC... You never know what they will do next

Sent from Cisco Technical Support iPad App

Accepted Solution

Peter Paluch
Cisco Employee

Hello,

To sum up the answers of other friends here, the PortFast and BPDU Guard are two independent features. On a per-port basis, they can be activated in a totally independent way.

However, it is very often necessary to have the PortFast activated globally for all access-mode ports (as they are supposed to be connected to end stations - especially crucial for RSTP and MSTP) - and then, if a switch is inadvertently or intentionally connected to these ports, these ports should be better protected. This is done by two commands in the global configuration mode:

  • spanning-tree portfast default: activates the PortFast feature on all ports in the access mode
  • spanning-tree portfast bpduguard default: activates the BPDU Guard on all ports that are running in PortFast mode

This may lead to the erroneous conclusion that a BPDU Guard-protected port must also be PortFast enabled. It is true only of this particular way of configuring the PortFast and BPDU Guard on the global level; however, directly on an interface, these two features can be activated independently of each other: the PortFast is activated using the spanning-tree portfast command, the BPDU Guard is activated using the spanning-tree bpduguard enable command.

Best regards,

Peter
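A small configuration audit that applies the rule in the accepted answer, added here as an example (not code from the thread or from Cisco): a port is treated as BPDU Guard protected if it has an explicit `spanning-tree bpduguard enable`, or if the global `spanning-tree portfast bpduguard default` is set and the port is operating in PortFast mode. The config excerpt is constructed, and the access/trunk handling is a deliberate simplification of IOS behaviour.

```python
# Constructed sample running-config (not from the thread): the two global
# commands from the accepted answer plus per-interface overrides.
SAMPLE_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport mode access
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree bpduguard disable
interface GigabitEthernet1/0/3
 switchport mode trunk
 spanning-tree bpduguard enable
"""

def parse_config(text):
    # Split an IOS-style config into global commands and per-interface command sets.
    globals_, interfaces, current = set(), {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current:
            interfaces[current].add(line.strip())
        else:
            current = None
            globals_.add(line.strip())
    return globals_, interfaces

def audit(text):
    """Return {interface: (portfast_on, bpduguard_on)} per the accepted answer's rule."""
    g, ifs = parse_config(text)
    result = {}
    for name, cfg in ifs.items():
        access, trunk = "switchport mode access" in cfg, "switchport mode trunk" in cfg
        # Simplification: the global PortFast default is only credited to ports that are
        # explicitly access mode; an explicit 'spanning-tree portfast' counts on non-trunks.
        portfast = "spanning-tree portfast disable" not in cfg and (
            "spanning-tree portfast trunk" in cfg
            or (not trunk and "spanning-tree portfast" in cfg)
            or (access and "spanning-tree portfast default" in g))
        bpduguard = "spanning-tree bpduguard disable" not in cfg and (
            "spanning-tree bpduguard enable" in cfg
            or (portfast and "spanning-tree portfast bpduguard default" in g))
        result[name] = (portfast, bpduguard)
    return result

def unguarded_portfast_ports(text):
    # PortFast ports with no effective BPDU Guard: the gap the question is about.
    return sorted(n for n, (pf, bg) in audit(text).items() if pf and not bg)
```

Running `unguarded_portfast_ports(SAMPLE_CONFIG)` flags only GigabitEthernet1/0/2, whose per-interface `bpduguard disable` overrides the global default; the trunk port shows that BPDU Guard can be on with PortFast off.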


7 Replies

cadet alain
VIP Alumni

Hi,

I don't think it's true; at least on the platforms I've been working with, you have to use the command

spanning-tree portfast bpduguard default to enable BPDU guard on Portfast ports.

Regards.

Alain.

Don't forget to rate helpful posts.

ameya_oke
Level 1

Hey Dennis,

"it's quite possible that the user may connect a switch to the wall jack in place of a PC"

If that is the case, I advise you to have VTP authentication in place.

Ameya

Gregory Brunn
Spotlight

Yeah, in my experience with the 2960 series switch we always turn on portfast

and then enable bpduguard on the port after that. The nice thing about bpduguard is that you can set a time period that the port will stay in the err-disabled status if you want, or you can leave the default of leaving it in the err-disable status until the port is shut down and brought back up. I am still studying for my ROUTE and have not started on the SWITCH CCNP exam yet, so I cannot confirm what the book says. You can always put on bpduroot guard as well on the port for extra protection.

I agree with setting your VTP setting as well; don't want someone to plug in a switch and start messing up your VLANs.

Sent from Cisco Technical Support iPhone App

Hi,

VTP is only running on trunk ports, so if the switch port is set to access mode I don't think you'll have any VTP problem, but I'm waiting for other points of view to see if my reasoning is right.

Regards.

Alain.

Don't forget to rate helpful posts.

billy.williams
Level 1

If you are using spanning-tree portfast, I would always suggest using spanning-tree bpduguard enable on all user ports. This shuts down a port if another switch is connected, to avoid layer 2 loops in your network. To auto-recover the port, use the command errdisable recovery cause bpduguard. Another good one is errdisable recovery interval 300.

Sent from Cisco Technical Support iPhone App

Leo Laohoo
Hall of Fame

"All ports that have PortFast enabled also have BPDU Guard automatically enabled."

By default, portfast and BPDUguard are disabled.
