I have spanning-tree portfast enabled across all (non-trunk) ports in our enterprise. In fact, using the auxiliary VLAN on ports (switchport voice vlan X) enables spanning-tree on the port. I have also enabled globally spanning-tree portfast bpdu guard default to mitigate the possibility of anyone plugging a smart switch into these ports and creating a loop.
Last Friday, someone in the conference rooms looped 2 ports by plugging a dumb switch (non-manageable) into 2 ports on the wall configured as edge ports (spanning-tree portfast) and created a loop, and the network almost dropped. Eventually one of the ports got disabled due to spanning-tree portfast bpdu guard, but for 2 to 3 minutes the network was in disarray.
How can I mitigate this from ever happening again? I thought portfast bpdu guard default would do the trick, but it did not, or at least not rapidly enough to avoid network problems and user complaints. Do I have to disable spanning-tree portfast on all edge ports? I have VoIP phones on many of these ports. I've opened a case with Cisco and basically what they told me is to disable spanning-tree portfast if I can, or they advised me to enable port-security, but that's another topic I don't want to pursue just yet.
Any help or solutions would be welcomed and very well appreciated.
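As an added example (not the poster's running configuration and not Cisco TAC's answer), here is a Cisco IOS edge-port configuration that keeps the portfast and BPDU guard already in use, adds broadcast/multicast storm-control so a loop through a dumb switch is cut off by the traffic flood itself rather than only by a reflected BPDU, and adds errdisable recovery so the port comes back without a manual shutdown/no shutdown once the cable is pulled. The interface name, VLAN numbers, storm thresholds and recovery interval are assumed values.

```cisco
configure terminal
!
! Global: every portfast edge port is err-disabled on the first BPDU it
! receives. Portfast does not stop the switch sending its own BPDUs, so with
! a dumb switch looped between two ports the only BPDU that ever arrives is
! your own, reflected back through the loop. That is what finally disabled
! the port in the incident; storm-control below reacts to the flood instead.
spanning-tree portfast bpduguard default
!
! Bring err-disabled ports back automatically after the loop is removed
! (assumed interval: 300 s). Without this the port stays down until someone
! does shutdown / no shutdown on it.
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Example conference-room edge port (assumed interface, data VLAN 10,
! voice VLAN 100 for the VoIP phone)
interface GigabitEthernet1/0/10
 description Conference room wall jack (edge port, VoIP phone)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Shut the port when broadcast or multicast traffic exceeds 1.00% of the
 ! link rate, re-arm at 0.50% (assumed thresholds; tune to the site's
 ! normal baseline so phones and the data VLAN never trip it).
 storm-control broadcast level 1.00 0.50
 storm-control multicast level 1.00 0.50
 storm-control action shutdown
 storm-control action trap
!
end
!
! Verification from exec mode
show spanning-tree summary
show spanning-tree interface GigabitEthernet1/0/10 portfast
show storm-control
show errdisable recovery
show interfaces status err-disabled
```

`show spanning-tree summary` should report "Portfast BPDU Guard Default is enabled", and after a loop the port shows up under `show interfaces status err-disabled` with the cause (bpduguard or storm-control) until the recovery timer clears it.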