BPDU Guard and Rapid Spanning Tree go err-disable on redundant link

agugger
Level 1

Can anyone explain the problem below to me:

We have four switches (2xC6506-Sup1a and 2xC4506-Sup4) in a square with rapid spanning tree. One link is blocked, as expected. The unexpected part is that BPDU guard now puts these interfaces into err-disabled state. Currently we have disabled BPDU guard on these ports, so it works normally.

But we have other C4506-Sup2p switches in a triangle behind both C6506s; there the blocked link works with BPDU guard.

Until now I haven't found an explanation. Has anyone had a similar experience?

7 Replies

avmabe
Level 3

I am not clear why you are using (or attempting to use) BPDU guard. You /want/ BPDUs to be transmitted across those interfaces.

I would recommend properly setting your root and secondary root bridges as the 6506s (based on your description), and if you really are concerned about protecting root, run root guard, not BPDU guard.

Hello

This is done; the 6500s are configured as root and backup root bridge.

But to make the configuration as uniform as possible on all switches we decided to use the "spanning-tree portfast bpduguard default" command, because the 6506 switches have a mix of server and uplink ports. The network is too small to use the classic Cisco access, distribution, core design. Around the 7 main switches are about 60 access layer 2 switches, mostly 2950 and 2960. I studied a few documents, but I found no principal reason why this should not work.

You should not run bpduguard on the links that connect the cisco switches.

You can run bpduguard on server connected ports.

Hello

I have now disabled BPDU guard on those ports, as you see in the example below:

interface GigabitEthernet3/1
 description Link SW_FN2 2/4 (1610)
 switchport access vlan 20
 switchport mode access
 spanning-tree bpduguard disable

But back to the "spanning-tree portfast bpduguard default" command; maybe I understand it wrong.

Uplinks should be properly detected and handled appropriately. The active links are all working.

Only the redundant link, blocked by spanning tree, causes problems. Seen from the defined root bridges, it is correctly blocked.

I found that the interface handles this configuration as an access port. So we have to disable BPDU guard manually on these ports.

Gugger:

Let's start from scratch. As a CCIE, I am sure you know that BPDUGUARD should be configured on ports that you do NOT wish to have participate in the STP convergence/root election process.

In other words, an access port, to which you would only have a user PC or a server connected, is not going to pose a threat of creating a redundant inter-switch connection and a possible layer 2 loop. Therefore, BPDUs do not need to be sent to such a port. It does not need to participate in STP convergence.

So, you can configure that access port for portfast, thereby by-passing the STP port states and going directly to the forwarding state. If you also configure BPDUGUARD, it will shut down an access port configured for portfast IF it receives a BPDU by mistake. In other words, if some fool plugs a switch into an access port with portfast on it. In that case the switch says,

"Hey, wait a minute. You configured this port for portfast because you promised me that nothing but a PC or server would be connected to it, but here you go breaking your promise and you, instead, connected this switch, which may now create a redundant link and an L2 loop. So, I am going to shut that port down until his identity crisis is up."

A redundant inter-switch connection CAN be a threat, so you DO want a port like that to go through all the STP states and participate in the STP convergence process because it may have to be placed in a blocking state to prevent it from becoming part of an L2 loop. Therefore, you must NOT configure such a port with portfast or BPDUGUARD.

HTH and makes sense to you...

Did you also enable spanning-tree portfast default? Spanning-tree portfast bpduguard default (as its name is trying to say ;-) is only applied to portfast ports. As I don't see portfast explicitly configured on your g3/1, I guess that you enabled it globally.

The global commands are a way of applying a feature to the majority of the ports in one shot. But the flip side of the coin is that, of course, you need to disable the feature explicitly on the minority of ports that don't need it. On the uplinks, you should explicitly disable portfast. Of course, I'm also assuming that you agree that using portfast or bpduguard is not a good idea on a redundant link.

Regards,

Francois
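To make the interaction Francois describes concrete, here is an added audit script (not from the thread or from Cisco) that resolves the effective portfast and BPDU guard state per interface from the global defaults and per-interface overrides, and flags inter-switch links that are still armed. The IOS config it parses is constructed for this example; interface names and descriptions are made up.

```python
import re
# Constructed sample IOS config modelled on the thread; interface names and descriptions are made up.
SAMPLE_CONFIG = """spanning-tree portfast default
spanning-tree portfast bpduguard default
interface GigabitEthernet3/1
 description Link SW_FN2 2/4 (1610)
 switchport mode access
 spanning-tree bpduguard disable
interface GigabitEthernet3/3
 description Uplink to core
 switchport mode trunk
interface GigabitEthernet3/4
 description Server farm host 12
 switchport mode access
"""

def effective_stp_edge_settings(config):
    """Resolve {iface: (portfast, bpduguard, description)} per the IOS rules in the thread:
    'portfast default' hits non-trunk ports only, 'portfast bpduguard default' arms only
    ports that end up with portfast, and per-interface commands override both."""
    lines = config.splitlines()
    g_portfast = "spanning-tree portfast default" in lines
    g_bpduguard = "spanning-tree portfast bpduguard default" in lines
    ifaces, cur = {}, None
    for raw in lines:
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"trunk": False, "pf": None, "bg": None, "desc": ""})
        elif cur is not None and raw.startswith(" "):  # indented lines belong to the current interface
            if line.startswith("description "):
                cur["desc"] = line[len("description "):]
            elif line == "switchport mode trunk":
                cur["trunk"] = True
            elif line in ("spanning-tree portfast", "spanning-tree portfast disable"):
                cur["pf"] = not line.endswith("disable")
            elif line in ("spanning-tree bpduguard enable", "spanning-tree bpduguard disable"):
                cur["bg"] = line == "spanning-tree bpduguard enable"
    out = {}
    for name, d in ifaces.items():
        portfast = d["pf"] if d["pf"] is not None else (g_portfast and not d["trunk"])
        bpduguard = d["bg"] if d["bg"] is not None else (g_bpduguard and portfast)
        out[name] = (portfast, bpduguard, d["desc"])
    return out

def uplinks_at_risk(config):
    """Inter-switch links (judged by description) that still have portfast or BPDU guard in effect."""
    return [n for n, (pf, bg, desc) in effective_stp_edge_settings(config).items()
            if (pf or bg) and re.search(r"\b(up)?link\b", desc, re.I)]
```

On the sample, GigabitEthernet3/1 is still flagged even with bpduguard disabled, because the global portfast default still applies to it as an access port; adding spanning-tree portfast disable clears it, while the trunk uplink is untouched by the global defaults and the server port keeps its guard.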

So the handling is absolutely clear; I don't understand any more why I didn't see this from the beginning. The ports run as uplinks for this single VLAN and only this, without any additional services of a normal trunk. As you mentioned, I have to disable both portfast and BPDU guard. Thanks to all who helped to open my eyes.

Andy Gugger
