Solved: Re: BPDUguard -- is it built in to Portfast?

jmayes · ‎03-04-2008

Can't see any documentation that says BPDUguard is built in to Portfast, but also don't find Cisco documentation showing BPDUguard always being turned on along with Portfast. (3750 documentation states that per-interface BPDUguard commad can be used to turn on BPDUguard without Portfast, for instance).

Using web-based ocnfigs turn both pon, so I assume both need to be enabled separately, but it's just fuzzy enough in documentaton that I can't tell for sure if Portfast has built-in BPDUguard support.

Any gurus out there?

mohammedmahmoud · ‎03-04-2008

Hi Joseph,

Both needs to be configured separately, lets discuss them briefly:

When PortFast is enabled (alone on an interface without BPDUGuard) the interface is running STP but it won't transit through listening and learning while coming up and it'll go directly to forwarding - and this would be a source of bridging loops if connected to another switch via this port, STP will eventually solve this loop but not immediately as the port has skipped the listen and learn when coming-up.

As for BPDU Guard, you must consider that BPDU Guard operation depends upon where it is configured. When enabled globally via "spanning-tree portfast bpduguard default" it affects only the ports configured with PortFast, simply if the interface receives a BPDU it err-disable the interface. While if configured on the interface level via " spanning-tree bpduguard enable" it doesn't depend on PortFast being enabled, it can be enabled without PortFast on the interface.

BR,

Mohammed Mahmoud.

View solution in original post

massimiliano.serafino · ‎03-04-2008

Hi,

The Portfast and the BPDU guard must be configured separately.

The commands are:

- spanning-tree portfast default (enable portfast on all non-trunk interfaces).

- spanning-tree portfast bpduguard deafult (enable BPDU guard on all portfast enabled interfaces).

I hope this helps.

Best regards.

Massimiliano.

mohammedmahmoud · ‎03-04-2008

Hi Joseph,

Both needs to be configured separately, lets discuss them briefly:

When PortFast is enabled (alone on an interface without BPDUGuard) the interface is running STP but it won't transit through listening and learning while coming up and it'll go directly to forwarding - and this would be a source of bridging loops if connected to another switch via this port, STP will eventually solve this loop but not immediately as the port has skipped the listen and learn when coming-up.

As for BPDU Guard, you must consider that BPDU Guard operation depends upon where it is configured. When enabled globally via "spanning-tree portfast bpduguard default" it affects only the ports configured with PortFast, simply if the interface receives a BPDU it err-disable the interface. While if configured on the interface level via " spanning-tree bpduguard enable" it doesn't depend on PortFast being enabled, it can be enabled without PortFast on the interface.

BR,

Mohammed Mahmoud.

jmayes · ‎03-04-2008

Thanks very much. Even Cisco's own BCMSN materials tell bpduguard is needed with portfast, but then leave it off on the examples. I saw the same issues on the config guides. Because automated setups add both, I was pretty sure they needed separate configuration, but your explanation clarifies the issue.

Joe

mohammedmahmoud · ‎03-04-2008

Hi Joe,

You are very welcomed, you can always comeback if you have any confusion from books, we are all here to share our experience, and i agree with you about the fuzzy covering of these features, my advice to you is the Cisco documentation plus labing every confusing topic and as i've said you can always come here with your query.

BR,

Mohammed Mahmoud.