BPDUGuard on Portfast ports?

Do all Portfast ports need BPDU guard on them every time?

5 Replies

Jose Solano
Level 4

Hi,

As a best practice it is recommended; however, the BPDU guard feature can be enabled globally on the switch or per port, and the feature operates with some differences depending on how it is enabled.

At the global level, you enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state if any BPDU is received on them. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred.

To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.

At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state.

This is for 3750:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swstpopt.html#pgfId-1095752

Hope this helps,

Leo

Josh,

To go a little bit more into the two features: Portfast lets a port skip the listening and learning stages of Spanning Tree Protocol. It's only recommended to be used on ports facing end devices, NEVER on a port that connects to another switch, because if the port skips listening and learning there is a significant chance that you could introduce a Layer 2 loop into your network. As added protection, BPDU guard will shut down the port if a BPDU gets received on it. Since switches send out BPDUs to negotiate spanning tree, that means the device connected to the port would most likely be a switch; again, this is to prevent loops.

So, no the two aren't necessary for the other to function, but they both are used to prevent switching loops and work well together.

More info: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10586-65.html


And even some more info ;)

A port-fast enabled port, if it sees a BPDU, will revert to normal STP operation, i.e. STP could block it or another port to break a potential loop. The problem is, a port-fast port will already be active, and a L2 loop could degrade the network so rapidly that STP doesn't block the loop.

BPDUguard, along with port-fast, will hopefully take the port down before a L2 loop is created, but I understand that's not 100% guaranteed; but it's a "better" safeguard, which is why the two commands are often paired.

Hello

Please see below an earlier test I performed against these two features:

Portfast -
global or interface - bypasses listen/learn, goes into forwarding state

Bpduguard -
spanning-tree portfast bpduguard (global) - goes through STP process - no blocking
spanning-tree bpduguard enable (interface) - listening state, then blocks port (err-disable)

Portfast and Bpduguard together:
spanning-tree portfast default
spanning-tree portfast bpduguard default - jumps to forwarding from blocking, then blocks port (err-disable)

spanning-tree portfast default
spanning-tree bpduguard enable (interface mode) - jumps to forwarding from blocking, then blocks port (err-disable)

spanning-tree portfast bpduguard default
spanning-tree portfast (interface mode) - jumps to forwarding from blocking, then blocks port (err-disable)

spanning-tree portfast (interface mode)
spanning-tree bpduguard enable (interface mode) - jumps to forwarding from blocking, then blocks port (err-disable)

Summary

Portfast (global or interface) = bypasses listen/learn, goes into forwarding state

Bpduguard
(Global) - goes through STP process - no blocking
(Interface) - listening state, then blocks port (err-disable)

Bpduguard + Portfast (any variation) = jumps to forwarding from blocking, then blocks port (err-disable)

res

Paul

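Jose's post and Paul's test above describe the same rule: BPDU guard enabled globally with spanning-tree portfast bpduguard default only protects ports that are PortFast-operational, while the interface-level spanning-tree bpduguard enable/disable overrides the global setting. The script below is an added example, not code from the thread or from Cisco, that audits a saved running-config for PortFast ports that would never err-disable on a BPDU. It assumes spanning-tree portfast default covers only non-trunk ports, that "trunk" is recognised solely by switchport mode trunk, and that the sample config embedded in it is constructed for illustration.

```python
# Constructed sample running-config (not from the thread): global PortFast and
# global BPDU guard, plus one access port that locally disables the guard.
SAMPLE_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/3
 switchport mode trunk
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            ifaces[current] = []
        elif line.startswith(" ") and current:
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return ifaces


def audit_portfast_without_bpduguard(config):
    """Return ports that will be PortFast-operational yet never err-disable on a BPDU."""
    global_cmds = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    pf_default = "spanning-tree portfast default" in global_cmds
    guard_default = "spanning-tree portfast bpduguard default" in global_cmds
    exposed = []
    for name, lines in parse_interfaces(config).items():
        is_trunk = "switchport mode trunk" in lines  # assumption: only this marks a trunk
        portfast = (any(l.startswith("spanning-tree portfast") and not l.endswith("disable")
                        for l in lines) or (pf_default and not is_trunk))
        if "spanning-tree bpduguard enable" in lines:
            guarded = True  # interface command wins over the global default
        elif "spanning-tree bpduguard disable" in lines:
            guarded = False
        else:
            guarded = guard_default and portfast  # global guard needs PortFast-operational port
        if portfast and not guarded:
            exposed.append(name)
    return exposed
```

Run it against `show running-config` output saved to a file; a non-empty result is the list of edge ports where a rogue switch would be accepted into spanning tree instead of being err-disabled.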

Hello,

Not really. Portfast is enabled on access ports. So when you are enabling Portfast, you are sure that there will be a host connected to that port, not another switch.

What happens if you connect a switch instead of a host to that port? Connecting a switch to another switch may cause a Layer 2 loop.

How to avoid that? Bpduguard is an option you can use. If you connect a switch to the existing switch and Bpduguard is enabled on its ports, the switch shuts down that port to avoid a Layer 2 loop.

What does a Layer 2 loop do? Simply, it shuts down the whole network.

Masoud
