I just read in the CCNP SWITCH OCG the following:
"All ports that have PortFast enabled also have BPDU Guard automatically enabled."
So I could enable PortFast on an interface and be confident that if the end user connects a switch to that int, the interface would go into errdisable state (due to the operation of BPDU Guard)?
I've been holding off using PortFast on the end-user-connected interfaces because in our facility (R&D), it's quite possible that the user may connect a switch to the wall jack in place of a PC... You never know what they will do next.
To sum up the answers of other friends here, the PortFast and BPDU Guard are two independent features. On a per-port basis, they can be activated in a totally independent way.
However, it is very often necessary to have the PortFast activated globally for all access-mode ports (as they are supposed to be connected to end stations - especially crucial for RSTP and MSTP) - and then, if a switch is inadvertently or intentionally connected to these ports, these ports should be better protected. This is done by two commands in the global configuration mode:
- spanning-tree portfast default: activates the PortFast feature on all ports in the access mode
- spanning-tree portfast bpduguard default: activates the BPDU Guard on all ports that are running in PortFast mode
This may lead to the erroneous conclusion that a BPDU Guard-protected port must also be PortFast enabled. It is true only of this particular way of configuring the PortFast and BPDU Guard on the global level; however, directly on an interface, these two features can be activated independently of each other: the PortFast is activated using the spanning-tree portfast command, the BPDU Guard is activated using the spanning-tree bpduguard enable command.
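An added example, not part of the original answer: a small audit script that derives the effective PortFast and BPDU Guard state of each interface from a running-config, combining the two global defaults with the per-interface commands named above. The sample config and the function names are constructed for illustration, and the script assumes a port counts as access mode only when `switchport mode access` is configured; trunk ports are not modelled.

```python
import re

# Constructed sample running-config (not from the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast default
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast disable
 spanning-tree bpduguard enable
"""

def effective_state(config):
    """Map each interface to (portfast, bpduguard) after applying global defaults."""
    glob, ports, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = ports.setdefault(m.group(1), set())
        elif raw.startswith(" ") and current is not None:
            current.add(line)          # sub-command of the current interface
        elif line and line != "!":
            current = None
            glob.add(line)             # global configuration command
    state = {}
    for name, cmds in ports.items():
        # Assumption: only an explicit "switchport mode access" counts as access mode.
        access = "switchport mode access" in cmds
        pf = access and "spanning-tree portfast disable" not in cmds and (
            "spanning-tree portfast" in cmds or "spanning-tree portfast default" in glob)
        # The per-port bpduguard command wins; the global default follows PortFast.
        bg = ("spanning-tree bpduguard enable" in cmds or
              ("spanning-tree bpduguard disable" not in cmds and pf
               and "spanning-tree portfast bpduguard default" in glob))
        state[name] = (pf, bg)
    return state

def unguarded_portfast(config):
    """Interfaces that run PortFast without BPDU Guard."""
    return sorted(n for n, (pf, bg) in effective_state(config).items() if pf and not bg)
```

In the sample, only `spanning-tree portfast default` is set globally, so GigabitEthernet0/1 ends up with PortFast but no BPDU Guard, while GigabitEthernet0/3 has BPDU Guard without PortFast.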