Hello,

Is it normal to have the portfast option leading to a router?  I can see any way a loop can occure as these links go out to external providers.

Thanks

Normal is a tough thing to nail down, it depends on your priorities. If ensuring the ports come up as fast as possible is more important to you, turn on portfast. If ensuring that you don't have an outage when some hypothetical person comes along and mis-patches something, turn it off.

I would configure the device for rapid spanning tree and let it run. The delay on rapid spanning tree bringing up a port is pretty darn short.

You can have the best of both worlds
Enable port fast and BPDU guard.
Then the port will go into err disable if it receives a BPDU.

If you have never seen a layer 2 Loop be assured it is something you will only ever let happen once!

Sent from Cisco Technical Support iPad App

Hello,

If the  routers interface port is configured to IRB -integrated route bridging then that could cause stp loops.

The way around that would be to used bpduguard at interface level without portfast, STP (pvst mode) would then go to a learning state in  then errdisable (15 secs)

or

Use portfast and bpduguard at any level, then if bpdu's are received stp would go straight into a forwarding state and then err-disable.

res

Paul

Please don't forget to rate this post if it has been helpful.

Woudl you suggest the same for ports leading to a Cisco ASA.  On various ports I have 3 VLAN's one for the inside one for the outside and one for the trunk which has subinterfaces?

Hello,

If the interface is trunked, then portfast isnt recommended as the port wont be in access mode, however as stated if that trunked interface is connected something like ESX host which requires a trunked port, Then you can enable spanning-tree portfast trunk

res

Paul

Please don't forget to rate this post if it has been helpful.

I would suggest that you don't put any of the ports into portfast.
Use rstp then it's only 15s to get into forwarding state. Why is this so critical? The router or asa will take 2 or 3 minutes to boot another 15s isn't going to matter.

Portfast is evil. The only time I ever use it is for devices that are dhcp and have a problem getting an ip some printers and some ip phones.

If you must use portfast. A little known fact is that if you set
Spanning-tree bpduguard enable
In global configuration mode as opposed to interface configuration. Then port fast is automatically disabled when a BPDU is received.
If you set it in on the interface the port will go to err-disable

Sent from Cisco Technical Support iPad App

@Stuart

If you must use portfast. A little known fact is that if you set

Spanning-tree bpduguard enable

In global configuration mode as opposed to interface configuration. Then port fast is automatically disabled when a BPDU is received.

This is incorrect, STP is never disabled - When bpdufguard  is set a global level with any variation of portfast global or interface the port jumps to a forwarding state from blocking and then bpdugaurd err-disbables the port if bpdu's are received.


If bpduguard is set at global level without portfast, then the port goes through stp process -and no blocking occurs even if bpdu's are received

If bpduguard is set at interface level without portfast then the port goes to listen state (pvst) then blocks port (err-disable} if bpdu's are received

res

Paul

Please don't forget to rate this post if it has been helpful.

I disagree, I have tested this in a lab and in live environments.
There is much confusion in the docs and errors in much of the CCNA materials.
If you set portfast on the interface and set bpduguard in global
Without setting bpduguard on the interface.
Then the port goes directly into forward but if it receives a BPDU it will go into discarding
Effectively it disables portfast.

I agree though that even if you set portfast the interface will send BPDUs.
Unless you set portfast and bpdufilter, but that is asking for trouble.

Only by setting BPDU guard on the interface will it go to err disable.



Sent from Cisco Technical Support iPad App

@Stuart,

Then the port goes directly into forward but if it receives a BPDU it will go into discarding

Effectively it disables portfast.-

This is not disabling STP its disabling the port, which means the switch has shut it down so no traffic can be sent or received - Can you supply any reference for stp being disabled?

res

Paul

Please don't forget to rate this post if it has been helpful.

I can't because I did not say that it did.
A bpduguard set on the interface. Port goes to err disable if a BPDU is received.
B bpduguard set in global configuration. PORTFAST is disabled if a BPDU is received. The port returns to normal operation.

Bpdufilter prevents the port from sending or receiving BPDUs. This effectively disables stp on the port.

Sent from Cisco Technical Support iPad App

spanning-tree portfast default

spanning-tree portfast bpdufilter default

These commands have an interesting effect. BPDUs are not sent (note a few are sent when the port is first brought online) but if a BPDU is received the port loses portfast state and begins to forward BPDUs. Much different behavior from configuration applied to interface.

Regards,
Ryan