08-03-2013 05:17 PM - edited 03-07-2019 02:44 PM
So, I've been retouching up on my spanning tree knowledge and I was wanting to know how others in their own networks are deploying portfast on their access switches.
Firstly, a quick question: Does globally enabling portfast (spanning-tree portfast default) turn a portfast port back to a traditional port should it receive BPDUs?
Also what happens to a port when portfast is configured per interface only (rather than globally) and that port receives BPDUs from a connected switch? Does that port default back to listening/learning etc like it does under the global command or remain a portfast port?
I was reading up here: https://learningnetwork.cisco.com/thread/33283
and this comment was posted:
The most commonly deployed configuration I see these days is for the use of PortFast in conjunction with BPDUGuard. Should there be a rogue bridge introduction in the network, the error-disabled state and the subsequent administrator notification is preferred to any other automated response a layer 2 feature can introduce.
and also this comment:
I also like to set the errdisable recovery feature to re-enable the ports after a short period of time, like 60 seconds:
errdisable recovery interval 60
errdisable recovery cause bpduguard
So I would like to know how others are implementing portfast SAFELY in their own production networks (not lab environments). It might be worthwhile advising whether the commands you are using are configured at interface level or global level, as they have two very different outcomes!
08-05-2013 09:16 PM
Nice new star, Peter.
08-09-2013 12:54 PM
Hello Leo,
Wow, that's a good story. I guess I will make it required reading for my CCNP:SWITCH classes.
Anyway, this is a great example of the fact that the BPDUGuard tries to do its best but it is not a bulletproof protection against a switching loop caused by looping two PortFast-enabled ports.
Regarding the "new star" - thank you! Somehow, it happened. I am not sure I am that far.
Best regards,
Peter
08-04-2013 03:56 PM
Wow Leo,
Because if you have this command then you, as a "network engineer" should be thrown off the cliff, into the sea and wearing a pair of concrete "shoes".
That punishment is probably a little too aggressive.
Reza
08-05-2013 04:26 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
and also this comment: I also like to set the errdisable recovery feature to re-enable the ports after a short period of time, like 60 seconds:
errdisable recovery interval 60
errdisable recovery cause bpduguard
So I would like to know how others are implementing portfast SAFELY in their own production networks (not lab environments). It might be worthwhile advising whether the commands you are using are configured at interface level or global level, as they have two very different outcomes!
Last, first, as already noted by other posters, Portfast and BPDUGuard work the same regardless of whether configured per port or globally.
Next to last, our production 5,000 device Enterprise network has been using Portfast/BPDUGuard per port, but we've just changed the standard to start using the commands globally. We're making the change because too often individual ports were not configured correctly. The only issue with using the global settings is that they may apply to ports where you want these commands off (there are commands to deactivate the global per port). (Another reason we're going with the global settings: it makes the config listing just a little smaller.)
Oh, maybe I wouldn't throw network engineers off cliffs with concrete overshoes (now I know to stay on Leo's good side), but you would want to be very careful using the error recovery. If you were to use the command at all, maybe use a long recovery period like 24 hours, because you want to know why you saw an unexpected BPDU and you don't want the port flapping.
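As an added example (not posted by anyone in this thread), the following Python sketch audits a running-config for the two problems raised above: access ports that end up with PortFast but no BPDU Guard, and a bpduguard errdisable recovery interval shorter than 24 hours. The `audit` helper and the sample config are constructed for illustration; classic IOS command syntax is assumed, and only ports with an explicit `switchport mode access` are checked.

```python
import re

# Constructed sample running-config (not from the thread); classic IOS syntax assumed.
SAMPLE_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 60
!
interface GigabitEthernet0/1
 switchport mode access
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast disable
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet0/24
 switchport mode trunk
"""

def audit(config, min_recovery=86400):
    """Hypothetical helper: list PortFast/BPDU Guard findings for a config."""
    glob, ports, current = set(), {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())      # sub-command of the current interface
        elif line.strip() not in ("", "!"):
            current = None
            glob.add(line.strip())         # global configuration line
    findings = []
    for name, cfg in ports.items():
        if "switchport mode access" not in cfg:
            continue                       # assumption: audit explicit access ports only
        # Per-port "disable" overrides the global default in both cases.
        portfast = ("spanning-tree portfast disable" not in cfg and
                    ("spanning-tree portfast" in cfg or "spanning-tree portfast default" in glob))
        # The global BPDU Guard default only covers ports that are PortFast ports.
        guard = ("spanning-tree bpduguard disable" not in cfg and
                 ("spanning-tree bpduguard enable" in cfg or
                  (portfast and "spanning-tree portfast bpduguard default" in glob)))
        if portfast and not guard:
            findings.append(f"{name}: PortFast without BPDU Guard")
    if "errdisable recovery cause bpduguard" in glob:
        m = re.search(r"^errdisable recovery interval (\d+)$", config, re.M)
        interval = int(m.group(1)) if m else 300   # IOS default interval is 300 seconds
        if interval < min_recovery:
            findings.append(f"bpduguard errdisable auto-recovery after {interval}s")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` flags GigabitEthernet0/3 and the 60-second recovery interval; GigabitEthernet0/2 is not flagged because PortFast itself is disabled there.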