Portfast on access switches

jasonsalomons
Level 1

So, I've been retouching up on my spanning tree knowledge and I was wanting to know how others in their own networks are deploying portfast on their access switches.

Firstly a quick question: Does globally enabling portfast (spanning-tree portfast default) turn a portfast port back to a traditional port should it receive BPDUs?

Also what happens to a port when portfast is configured per interface only (rather than globally) and that port receives BPDUs from a connected switch? Does that port default back to listening/learning etc like it does under the global command or remain a portfast port?

I was reading up here: https://learningnetwork.cisco.com/thread/33283

and this comment was posted:

The most commonly deployed configuration I see these days is for the use of PortFast in conjunction with BPDUGuard. Should there be a rogue bridge introduction in the network, the error-disabled state and the subsequent administrator notification is preferred to any other automated response a layer 2 feature can introduce.

and also this comment:

I also like to set the errdisable recovery feature to re-enable the ports after a short period of time, like 60 seconds:

errdisable recovery interval 60

errdisable recovery cause bpduguard

So I would like to know how others are implementing portfast SAFELY in their own production networks (not lab environments). It might be worthwhile advising whether the commands you are using are configured at interface level or global level, as they have two very different outcomes!


Nice new star, Peter. 

Hello Leo,

Wow, that's a good story. I guess I will make it required reading for my CCNP:SWITCH classes.

Anyway, this is a great example of the fact that the BPDUGuard tries to do its best but it is not a bulletproof protection against a switching loop caused by looping two PortFast-enabled ports.

Regarding the "new star" - thank you! Somehow, it happened. I am not sure I am that far.

Best regards,

Peter

Wow Leo,

Because if you have this command then you, as a "network engineer" should be thrown off the cliff, into the sea and wearing a pair of concrete "shoes".

That punishment is probably a little too aggressive.

Reza

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

and also this comment:

I also like to set the errdisable recovery feature to re-enable the ports after a short period of time, like 60 seconds:

errdisable recovery interval 60

errdisable recovery cause bpduguard

So I would like to know how others are implementing portfast SAFELY in their own production networks (not lab environments). It might be worthwhile advising whether the commands you are using are configured at interface level or global level, as they have two very different outcomes!

Last, first, as already noted by other posters, Portfast and BPDUGuard work the same regardless of whether configured per port or globally.

Next to last, our production 5,000 device Enterprise network has been using Portfast/BPDUGuard per port, but we've just changed the standard to start using the commands globally. We're making the change because too often individual ports were not configured correctly. The only issue with using the global settings is that they may apply to ports where you want these commands off (there are commands to deactivate the global per port). (Another reason we're going with the global settings: it makes the config listing just a little smaller.)

Oh, maybe I wouldn't throw network engineers off cliffs with concrete overshoes (now I know to stay on Leo's good side), but you would want to be very careful using the error recovery. If you were to use the command at all, maybe use a long recovery period like 24 hours, because you want to know why you saw an unexpected BPDU and you don't want the port flapping.
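An added example, not part of any post in this thread: a Python audit of a saved running-config that lists access ports running PortFast without BPDU guard, access ports with no PortFast at all, and whether bpduguard auto-recovery is shorter than the 24 hours suggested above. The sample config, the function name `audit`, the treatment of global defaults (PortFast default on explicitly configured access ports, BPDU guard default on PortFast ports only) and the 300-second fallback interval are assumptions of this example.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 60
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet0/3
 switchport mode access
interface GigabitEthernet0/24
 switchport mode trunk
"""

def audit(config, min_recovery=86400):  # -> (unguarded, no_portfast, short_recovery)
    global_cmds, ifaces, current = set(), {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = ifaces.setdefault(raw.split(None, 1)[1].strip(), set())
        elif raw.startswith(" ") and current is not None:
            current.add(raw.strip())       # sub-command of the current interface
        elif raw.strip() not in ("", "!"):
            current = None                 # back at global configuration level
            global_cmds.add(raw.strip())
    g_pf = "spanning-tree portfast default" in global_cmds
    g_bg = "spanning-tree portfast bpduguard default" in global_cmds
    unguarded, no_portfast = [], []
    for name, cmds in ifaces.items():
        if "switchport mode access" not in cmds:
            continue  # assumption: audit explicitly configured access ports only
        portfast = "spanning-tree portfast" in cmds or (
            g_pf and "spanning-tree portfast disable" not in cmds)
        # Assumption: the global BPDU guard default covers PortFast ports only.
        guard = "spanning-tree bpduguard enable" in cmds or (
            g_bg and portfast and "spanning-tree bpduguard disable" not in cmds)
        if not portfast:
            no_portfast.append(name)
        elif not guard:
            unguarded.append(name)
    m = re.search(r"^errdisable recovery interval (\d+)$", config, re.M)
    interval = int(m.group(1)) if m else 300  # assumed default when not configured
    auto = "errdisable recovery cause bpduguard" in global_cmds
    return unguarded, no_portfast, auto and interval < min_recovery
```

On the sample, GigabitEthernet0/2 is reported as PortFast without BPDU guard, GigabitEthernet0/3 as an access port without PortFast, and the 60-second recovery interval is flagged as short.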