BPDUGuard enabled automatically when Portfast enabled?

Answered Question
Sep 17th, 2011

Hi everyone,

I just read in the CCNP SWITCH OCG the following:

"All ports that have PortFast enabled also have BPDU Guard automatically enabled."

So I could enable Portfast on an interface and be confident that, if the end user connects a switch to that int, the interface would go into errdisable state? (due to the operation of BPDUGuard)

I've been holding off using Portfast on the end-user-connected interfaces because in our facility (R&D), it's quite possible that the user may connect a switch to the wall jack in place of a PC... You never know what they will do next.

Sent from Cisco Technical Support iPad App

Correct Answer by Peter Paluch about 2 years 7 months ago

Hello,

To sum up the answers of other friends here, the PortFast and BPDU Guard are two independent features. On a per-port basis, they can be activated in a totally independent way.

However, it is very often necessary to have the PortFast activated globally for all access-mode ports (as they are supposed to be connected to end stations - especially crucial for RSTP and MSTP) - and then, if a switch is inadvertently or intentionally connected to these ports, these ports should be better protected. This is done by two commands in the global configuration mode:

  • spanning-tree portfast default: activates the PortFast feature on all ports in the access mode
  • spanning-tree portfast bpduguard default: activates the BPDU Guard on all ports that are running in PortFast mode

This may lead to the erroneous conclusion that a BPDU Guard-protected port must also be PortFast enabled. It is true only of this particular way of configuring the PortFast and BPDU Guard on the global level; however, directly on an interface, these two features can be activated independently of each other: the PortFast is activated using the spanning-tree portfast command, the BPDU Guard is activated using the spanning-tree bpduguard enable command.

Best regards,

Peter

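To make the distinction in Peter's answer concrete, here is an added Python example (not from the thread, and not Cisco's tooling) that parses an IOS-style running-config and reports interfaces that end up running PortFast without BPDU Guard. The sample config and interface names are constructed. The way global defaults are resolved per interface is my reading of the commands discussed above (global `spanning-tree portfast default` applies to access-mode ports, global `spanning-tree portfast bpduguard default` applies to ports operating in PortFast, and an explicit per-interface enable/disable wins); it is an assumption for the audit, not a vendor-verified model, and it only recognises the command spellings shown here.

```python
from dataclasses import dataclass

# Constructed sample running-config (not from any real device). It covers the
# global defaults from Peter's answer, per-interface overrides, and the
# errdisable recovery commands mentioned later in the thread.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast disable
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/4
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet0/5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
"""


@dataclass
class PortState:
    name: str
    mode: str        # "access", "trunk" or "unknown"
    portfast: bool   # effective PortFast state after applying global default
    bpduguard: bool  # effective BPDU Guard state after applying global default

    @property
    def at_risk(self) -> bool:
        # An edge port that skips STP convergence but would still accept BPDUs
        # from a switch plugged into the wall jack is the case the thread worries about.
        return self.portfast and not self.bpduguard


def parse_config(text):
    """Split an IOS-style config into global lines and per-interface command lists."""
    global_lines = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # "!" terminates an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def effective_states(text):
    """Resolve PortFast / BPDU Guard per interface (assumed semantics, see lead-in)."""
    global_lines, interfaces = parse_config(text)
    pf_default = "spanning-tree portfast default" in global_lines
    bg_default = "spanning-tree portfast bpduguard default" in global_lines
    states = []
    for name, lines in interfaces.items():
        cmds = set(lines)
        if "switchport mode access" in cmds:
            mode = "access"
        elif "switchport mode trunk" in cmds:
            mode = "trunk"
        else:
            mode = "unknown"
        # Per-interface PortFast commands override the global default,
        # which only reaches access-mode ports.
        if "spanning-tree portfast disable" in cmds:
            portfast = False
        elif "spanning-tree portfast" in cmds or "spanning-tree portfast trunk" in cmds:
            portfast = True
        else:
            portfast = pf_default and mode == "access"
        # Per-interface BPDU Guard commands override the global default,
        # which only reaches ports that are operating in PortFast.
        if "spanning-tree bpduguard enable" in cmds:
            bpduguard = True
        elif "spanning-tree bpduguard disable" in cmds:
            bpduguard = False
        else:
            bpduguard = bg_default and portfast
        states.append(PortState(name, mode, portfast, bpduguard))
    return states


def audit(text):
    """Names of interfaces running PortFast without BPDU Guard."""
    return [s.name for s in effective_states(text) if s.at_risk]


def recovery_configured(text):
    """True if the global config auto-recovers ports err-disabled by BPDU Guard."""
    global_lines, _ = parse_config(text)
    return "errdisable recovery cause bpduguard" in global_lines


if __name__ == "__main__":
    for s in effective_states(SAMPLE_CONFIG):
        print(f"{s.name:22} mode={s.mode:7} portfast={s.portfast!s:5} "
              f"bpduguard={s.bpduguard!s:5} at_risk={s.at_risk}")
    print("PortFast without BPDU Guard:", audit(SAMPLE_CONFIG))
    print("errdisable recovery for bpduguard:", recovery_configured(SAMPLE_CONFIG))
```

Running it against the sample flags only GigabitEthernet0/3: it inherits PortFast from the global default but has BPDU Guard explicitly disabled, which is exactly the combination that the "automatically enabled" sentence in the book would lead you to overlook.
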
Cadet Alain Sat, 09/17/2011 - 06:56

Hi,

I don't think it's true; at least on the platforms I've been working with, you have to use the command

spanning-tree portfast bpduguard default to enable BPDU guard on Portfast ports.

Regards.

Alain.

ameya_oke Sat, 09/17/2011 - 09:41

Hey Dennis,

"it's quite possible that the user may connect a switch to the wall jack in place of a PC"

If that is the case I advise you have VTP authentication in place.

Ameya

gregbrunn Sat, 09/17/2011 - 09:54

Yeah, in my experience with the 2960 series switch we always turn on portfast

and then enable bpduguard on the port after that. The nice thing about bpduguard is that you can set a time period that the port will stay in the err-disabled status if you want, or you can leave the default of leaving it in the err-disable status until the port is shut down and brought back up. I am still studying for my ROUTE and have not started on the SWITCH CCNP exam yet, so I cannot confirm what the book says. You can always put on bpduroot guard as well on the port for extra protection.

I agree with setting your vtp setting as well; don't want someone to plug in a switch and start messing up your vlans.

Sent from Cisco Technical Support iPhone App

Cadet Alain Sat, 09/17/2011 - 11:03

Hi,

VTP is only running on trunk ports, so if the switch is set to access mode I don't think you'll have any VTP problem, but I'm waiting for other points of view to see if my reasoning is right.

Regards.

Alain.

billy.williams@... Sat, 09/17/2011 - 18:50

If you are using spanning-tree port fast, I would always suggest using spanning-tree bpduguard enable on all user ports. This shuts down a port if another switch is connected, to avoid layer 2 loops in your network. To auto-recover the port, use the command errdisable recovery cause bpduguard. Another good one is errdisable recovery interval 300.

Sent from Cisco Technical Support iPhone App

Leo Laohoo Sat, 09/17/2011 - 22:52
"All ports that have PortFast enabled also have BPDU Guard automatically enabled."

By default, portfast and BPDUguard are disabled.

