portfast & bpdu guard

Jun 18th, 2009

we have an access switch connecting to two different cores (2 fiber drops).

Is it a good idea (or a safe idea) to have the following:

spanning-tree portfast default

portfast should only be enabled on ports that do not connect to other switches. Would that cause a problem for the ports used for the drops to the cores? Note: each access switch has two drops, one to each core.

spanning-tree portfast bpduguard default

would this shutdown the ports used for the drops?

Jerry Ye Thu, 06/18/2009 - 05:54

Hi Ron,

Turning on portfast for ports that are connected to another switch is always a bad idea. I see that you also want to have bpduguard for all the ports. In this case, the switch will errdisable the port once it receives a BPDU from the core, and you will end up with unusable links.

You can issue the interface-level command "no spanning-tree portfast" for the two drops to the core from your access switch.



John Blakley Thu, 06/18/2009 - 06:46


You generally would configure "spanning-tree portfast default" only on access/edge switches. You can then use bpduguard to protect you from end users connecting switches in their cubes. It would put the port into an errdisabled state, and they'd have to call you and you can scold them. :)

I wouldn't put this command on your cores that are uplinked, because the two switches will be sending BPDUs back and forth to each other, which will cause the switches to stop communicating.

I hope I understand your question though.



bbaillie Thu, 06/18/2009 - 08:18

The switch global command "spanning-tree portfast default" only enables portfast on ports that are configured as access ports. The command "spanning-tree portfast bpduguard default" causes the ports that are configured as access to go into error disable state if a switch or a device that generates a BPDU is connected to said port.

That being said, as long as your switch to switch connections are configured as trunks all is good, but should someone connect a switch to a port configured as access the port will go to error disable and stay down until you intervene.

If you use these commands, configuring error disable recovery is a good idea, and an even better plan is to implement rapid spanning tree on your switches; portfast is then not needed for your access ports. The bpduguard command can still be used as a security measure to prevent unwanted network switch connections to workstation ports.



Giuseppe Larosa Thu, 06/18/2009 - 10:59

Hello Brian,

>> implement rapid spanning tree on your switches and portfast is now not needed for your access ports.

Actually, rapid STP has the edge port concept, which is configured with spanning-tree portfast.

Classifying the user ports as edge ports is very important for Rapid STP because these ports are excluded by the synchronization process and this really improves convergence.

About the original poster's questions: uplink ports have to be configured as standard STP ports, without BPDU guard enabled.

A good companion for uplink ports is STP loop guard, especially with Rapid STP, which is too fast for UDLD.

Hope to help
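As an added example (not part of the thread and not from any of the posters), here is the access-switch configuration the replies converge on: the global portfast and BPDU guard defaults, which IOS applies only to non-trunking ports and to portfast-enabled ports respectively, with the two core uplinks explicitly kept as normal STP ports and protected by loop guard instead, plus errdisable recovery so a user port hit by BPDU guard comes back without a manual shutdown/no shutdown. Interface numbers, the access VLAN and the recovery timer are assumptions.

```cisco
! --- Global settings (access switch) ---
! Rapid PVST+ so that edge (portfast) ports are excluded from sync
spanning-tree mode rapid-pvst
! Applies portfast only to ports that are NOT trunking
spanning-tree portfast default
! Applies BPDU guard only to portfast-enabled ports
spanning-tree portfast bpduguard default
!
! --- Uplinks to the two cores (interface numbers are assumed) ---
! Explicitly opt these out of the defaults so a later
! "spanning-tree portfast trunk" cannot silently pull them in,
! and use loop guard rather than BPDU guard on them.
interface GigabitEthernet1/0/49
 description Uplink to core1
 switchport mode trunk
 spanning-tree portfast disable
 spanning-tree bpduguard disable
 spanning-tree guard loop
!
interface GigabitEthernet1/0/50
 description Uplink to core2
 switchport mode trunk
 spanning-tree portfast disable
 spanning-tree bpduguard disable
 spanning-tree guard loop
!
! --- User ports (VLAN number is assumed) ---
! Edge ports; any BPDU received here errdisables the port.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Recovery ---
! Re-enable ports errdisabled by BPDU guard after 5 minutes (assumed value);
! a port with a switch still attached simply errdisables again.
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

Verify with "show spanning-tree summary", which reports whether Portfast Default and BPDU Guard Default are enabled, and "show spanning-tree interface GigabitEthernet1/0/49 detail", which should not show the uplink in portfast mode and should show loop guard rather than BPDU guard. The per-interface "portfast" and "bpduguard enable" lines on the user ports are redundant with the globals; they are kept so the intent survives if someone later removes the global defaults.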


