BPDU Guard and PortFast

Unanswered Question

Is this true?

If you do not have BPDU Guard configured on a PortFast-enabled port that is receiving configuration BPDUs, the configuration BPDUs are processed by the switch and eventually the port might be shut down to prevent a loop. However, because during this time the switch is forwarding traffic (because PortFast is enabled), a bridging loop might be formed that could bring down the network before the port is blocked.

InformIT: CCNP Practical Studies: Switching > Scenario 4-5: Configuring PortFast BPDU Guard

http://www.informit.com/library/content.aspx?b=CCNP_Studies_Switching&seqNum=37

Screen clipping taken: 11/4/2008, 6:39 PM

Mark Yeates Wed, 11/05/2008 - 19:56

That is true. Having spanning tree portfast enabled puts the port directly in the forwarding state. Having the port configured with portfast prevents the switch from participating in spanning tree, which could prevent a layer two loop if enabled. BPDU guard is designed to shut a port down if a BPDU is received on the port. Portfast is designed for ports that have an end-user device such as a PC, IP phone, etc., not a network device. Bpduguard will put the port immediately into errdisable when it receives a BPDU.

HTH,

Mark

Sannie179 Wed, 11/05/2008 - 23:37

BPDU guard is not on by default on a portfast port, unless bpduguard has been enabled globally on the switch.

These are two ways to enable BPDU guard:

1. Globally for all portfast enabled ports

switch(config)#spanning-tree portfast bpduguard default

2. On the individual ports

switch(config-if)#spanning-tree bpduguard enable

So if you have it turned on globally, all ports that are portfast will have bpduguard as well. You can use the interface configuration command to override the global setting if you wish to disable bpduguard on individual portfast switchports.

This is text out of the Cisco Press BCMSN book:

"By default, BPDU guard is disabled on all switch ports. You can configure BPDU guard as a global default, affecting all switch ports with a single command. All ports that have PortFast enabled also have BPDU guard automatically enabled."

I am not disputing that it is not on by default.

Even if I do not have bpdu guard enabled globally, this last statement tells me that when I issue the portfast command, bpdu guard is automatically enabled on that specific port.

My two sources do not align, so I am trying to figure out which one is correct. My understanding is that I can have bpdu guard on a port without putting portfast on, but I can't have portfast on a port without bpdu guard, if it is automatically enabled on the port by issuing the portfast command.

Further clarification appreciated!

jimmyc_2 Mon, 01/05/2009 - 06:50

I think what you are seeing is mediocre technical writing. I'm almost certain the last sentence should have read "Once global BPDU guard is enabled, then all ports that have PortFast enabled also have BPDU guard automatically enabled".
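Added example, not part of the thread or of any poster's reply: a small Python audit that applies the rules discussed above (the global `spanning-tree portfast bpduguard default` covers only PortFast ports, and an interface-level `spanning-tree bpduguard enable`/`disable` overrides it) to list PortFast ports left without BPDU guard. The sample config and interface names are constructed, and global `spanning-tree portfast default` is deliberately not handled.

```python
# Added example: find PortFast ports with no effective BPDU guard.
# SAMPLE_CONFIG is constructed for illustration; interface names are made up.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 spanning-tree portfast
!
interface FastEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface FastEthernet0/3
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 switchport mode access
"""

def audit(config):
    """Return {interface: (portfast, bpduguard_effective)}."""
    global_guard = False
    ports = {}       # name -> {"portfast": bool, "guard": None/True/False}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):           # top-level (global) line
            current = None
            if line == "spanning-tree portfast bpduguard default":
                global_guard = True
            elif line.startswith("interface "):
                current = line.split(None, 1)[1]
                ports[current] = {"portfast": False, "guard": None}
        elif current:                          # indented line inside an interface
            if line == "spanning-tree portfast":
                ports[current]["portfast"] = True
            elif line == "spanning-tree bpduguard enable":
                ports[current]["guard"] = True
            elif line == "spanning-tree bpduguard disable":
                ports[current]["guard"] = False
    result = {}
    for name, p in ports.items():
        # Interface setting wins; else the global default applies to PortFast ports only.
        guard = p["guard"] if p["guard"] is not None else (global_guard and p["portfast"])
        result[name] = (p["portfast"], guard)
    return result

def unguarded_portfast(config):
    """Interfaces that forward immediately but will not err-disable on a BPDU."""
    return sorted(n for n, (pf, g) in audit(config).items() if pf and not g)
```

Run against the same config with the global line removed, FastEthernet0/1 is also reported.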
