I had a switchport shut down today due to an unexpected BPDU, and I have bpduguard enabled. Turns out it was a 7940 phone on that port... do the 7940s send BPDUs, or would someone have to have plugged something into the switchport on the phone for this to happen?
Should portfast be disabled on ports with phones?
No, IP phones do not send BPDUs, as they don't run any Spanning Tree (just a note: dumb hubs do not send BPDUs either).
Having the switchport with BPDUguard prevented a loop in your network, and you must keep it active on host-facing switchports.
Portfast must be enabled on host-facing switchports, as this feature speeds up the process of obtaining vital information such as DHCP IP.
It has happened that the user sitting at the desk where the IP phone is connects one of the free cables connected to another jack to the "computer port" on the IP phone, and of course the cable from the jack is connected to a switchport; this will trigger the bpduguard violation. All of this is good because otherwise it could have caused a network loop.
Actually, I would like to chime in here.
BPDU guard is a matter of enforcing a policy, not preventing a loop. It's not because you received a BPDU that there was redundancy. And if there is redundancy detected in the content of a BPDU, STP is responsible for breaking the loop.
So don't consider that BPDUguard saved you from a loop. BPDU guard reacted to a security policy that prevents a device running STP from connecting to your access port.
I'd agree. I've enabled BPDUguard to prevent people from bringing home switches/wireless devices and plugging them in.
When we've had users loop their phone back into the network the port just disables with a general loopback error.
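An added example, not part of any post in this thread: a small triage script that separates the two err-disable causes discussed above (bpduguard versus loopback) in switch syslog. The log lines, hostnames and ports are constructed samples in the style of Cisco IOS messages; the exact message layout on your platform is an assumption to verify.

```python
import re
from collections import defaultdict

# Constructed sample lines (hostnames, ports and times are made up).
SAMPLE_LOG = """\
Mar  3 09:14:02 sw-acc-01 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/12 with BPDU Guard enabled. Disabling port.
Mar  3 09:14:02 sw-acc-01 %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/12, putting Fa0/12 in err-disable state
Mar  3 11:40:17 sw-acc-01 %PM-4-ERR_DISABLE: loopback error detected on Fa0/7, putting Fa0/7 in err-disable state
Mar  3 11:52:30 sw-acc-02 %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
Mar  4 08:01:55 sw-acc-01 %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/12, putting Fa0/12 in err-disable state
"""

# Matches only the err-disable notification and captures its cause and port.
ERR_DISABLE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s%PM-4-ERR_DISABLE:\s"
    r"(?P<cause>\S+) error detected on (?P<port>[^,\s]+),"
)

# What each cause tells the operator to look for at the desk.
NOTES = {
    "bpduguard": "BPDU arrived on a guarded port: look for an STP-speaking "
                 "device or a cable from the phone's PC port to another jack",
    "loopback": "port received its own keepalive back: look for a cable "
                "looped back into the same port or phone",
}


def triage(log_text):
    """Group err-disable events by (host, port, cause) -> list of timestamps."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = ERR_DISABLE.match(line)
        if m:
            events[(m["host"], m["port"], m["cause"])].append(m["ts"])
    return dict(events)


def report(events):
    """One summary line per port and cause; repeat counts flag recurring desks."""
    rows = []
    for (host, port, cause), stamps in sorted(events.items()):
        note = NOTES.get(cause, "other err-disable cause")
        rows.append(f"{host} {port}: {cause} x{len(stamps)} (last {stamps[-1]}) - {note}")
    return rows


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```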