portfast & bpdu guard

ronshuster
Level 1

We have an access switch connecting to two different cores (2 fiber drops).

Is it a good idea (or a safe idea) to have the following:

spanning-tree portfast default

Portfast should only be enabled on ports that do not connect to other switches. Would that cause a problem for the ports used for the drops to the cores? Note that each access switch has two drops, one to each core.

spanning-tree portfast bpduguard default

Would this shut down the ports used for the drops?


Jerry Ye
Cisco Employee

Hi Ron,

Turning on portfast for ports that are connected to another switch is always a bad idea. I see that you also want to have bpduguard for all the ports. In this case, the switch will errdisable the port once it receives a BPDU from the core, and you will end up with unusable links.

You can issue the interface level command of no spanning-tree portfast for the two drops to the core from your access switch.

HTH,

jerry

Ron,

You generally would configure "spanning-tree portfast default" only on access/edge switches. You can then use bpduguard to protect you from end users connecting switches in their cubes. It would shut the port in an errdisabled state, and they'd have to call you and you can scold them. :)

I wouldn't put this command on your cores that are uplinked, because the two switches will be sending BPDUs back and forth to each other, which will cause the switches to stop communicating.

I hope I understand your question though.

HTH,

John


bbaillie
Level 1

The switch global command "spanning-tree portfast default" only enables portfast on ports that are configured as access ports. The command "spanning-tree portfast bpduguard default" causes the ports that are configured as access to go into error disable state if a switch or a device that generates a BPDU is connected to said port.

That being said, as long as your switch to switch connections are configured as trunks all is good, but should someone connect a switch to a port configured as access the port will go to error disable and stay down until you intervene.

If you use these commands, the configuration of error disable recovery is a good idea, and an even better plan is to implement rapid spanning tree on your switches, and portfast is now not needed for your access ports. The command bpduguard can still be used as a security measure to prevent unwanted network switch connections to workstation ports.

Cheers,

Brian

Hello Brian,

>> implement rapid spanning tree on your switches and portfast is now not needed for your access ports.

Actually rapid STP has the edge ports concept that is configured with spanning-tree portfast.

Classifying the user ports as edge ports is very important for Rapid STP because these ports are excluded by the synchronization process and this really improves convergence.

About the original poster's questions: uplink ports have to be configured as standard STP ports without BPDU guard enabled.

A good companion of uplink ports is STP loop guard, especially with Rapid STP, which is too fast for UDLD.

Hope to help

Giuseppe
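
An added example, not part of any post in this thread: a small Python audit that works out, per interface, whether the two global defaults discussed above leave portfast and BPDU guard effective, and flags uplinks that would err-disable. The sample config is constructed, the `uplinks` parameter is hypothetical, and the precedence rules in the comments are assumptions about classic IOS syntax.

```python
# Constructed running-config excerpt for an access switch (not from the thread).
SAMPLE = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode access
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree bpduguard disable
interface TenGigabitEthernet1/1
 switchport mode trunk
interface TenGigabitEthernet1/2
 switchport mode access
"""

def audit(config, uplinks):
    """Map interface -> (portfast, bpduguard, findings); uplinks = switch-facing ports."""
    glob, ifaces, cur = set(), {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())          # indented line: interface sub-command
        else:
            cur = None                        # back at global config level
            glob.add(line.strip())
    report = {}
    for name, body in ifaces.items():
        if "switchport mode trunk" in body:   # assumed: trunks need the explicit keyword
            portfast = "spanning-tree portfast trunk" in body
        elif "spanning-tree portfast disable" in body:
            portfast = False                  # per-interface override of the global default
        else:
            portfast = ("spanning-tree portfast" in body
                        or "spanning-tree portfast default" in glob)
        if "spanning-tree bpduguard enable" in body:
            guard = True                      # interface-level enable applies to any port
        elif "spanning-tree bpduguard disable" in body:
            guard = False
        else:                                 # global default only follows portfast ports
            guard = portfast and "spanning-tree portfast bpduguard default" in glob
        checks = [(name in uplinks and guard, "uplink err-disables on first BPDU from the core"),
                  (name in uplinks and portfast, "portfast on a switch-to-switch link"),
                  (name not in uplinks and portfast and not guard, "edge port without bpduguard")]
        report[name] = (portfast, guard, [msg for hit, msg in checks if hit])
    return report
```

Newer IOS releases write these commands with an `edge` keyword (for example `spanning-tree portfast edge default`), which this sketch does not match. Dynamically negotiated trunks are also not modeled, so pin the mode on every uplink before relying on the result.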
