Cisco Support Community
Community Member

portfast & bpdu guard

We have an access switch connecting to two different cores (2 fiber drops).

Is it a good idea (or a safe idea) to have the following:

spanning-tree portfast default

Portfast should only be enabled on ports that do not connect to other switches; would that cause a problem for the ports used for the drops to the cores? Note each access switch has two drops, one to each core.

spanning-tree portfast bpduguard default

Would this shut down the ports used for the drops?

Cisco Employee

Re: portfast & bpdu guard

Hi Ron,

Turning on portfast for ports where they are connected to another switch is always a bad idea. I see that you also want to have bpduguard for all the ports. In this case, the switch will errdisable the port once it receives a BPDU from the core, and you will end up with unusable links.

You can issue the interface level command of no spanning-tree portfast for the two drops to the core from your access switch.



Re: portfast & bpdu guard


You generally would configure "spanning-tree portfast default" only on access/edge switches. You can then use bpduguard to protect you from end users connecting switches in their cubes. It would shut the port in an errdisabled state, and they'd have to call you and you can scold them. :)

I wouldn't put this command on your cores that are uplinked because the two switches will be sending BPDUs back and forth to each other, which will cause the switches to stop communicating.

I hope I understand your question though.



HTH, John *** Please rate all useful posts ***
Community Member

Re: portfast & bpdu guard

The switch global command "spanning-tree portfast default" only enables portfast on ports that are configured as access ports. The command "spanning-tree portfast bpduguard default" causes the ports that are configured as access to go into error disable state if a switch or a device that generates a BPDU is connected to said port.

That being said, as long as your switch to switch connections are configured as trunks all is good, but should someone connect a switch to a port configured as access the port will go to error disable and stay down until you intervene.

If you use these commands the configuration of error disable recovery is a good idea, and an even better plan is to implement rapid spanning tree on your switches and portfast is now not needed for your access ports. The command bpduguard can still be used as a security measure to prevent unwanted network switch connections to workstation ports.
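
The access-versus-trunk behaviour described in this reply can be checked against a saved configuration. The following is an added example, not part of the thread: the `audit` function and the sample configuration are constructed here, it matches only the classic command syntax quoted in the thread (not the newer `portfast edge` forms), and it judges each port by its configured mode rather than its operational state.

```python
import re

# Constructed sample config (not from the thread); classic pre-"edge" syntax.
SAMPLE = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
interface Gi1/0/1
 switchport mode access
interface Gi1/0/2
 switchport mode access
 spanning-tree bpduguard disable
interface Gi1/0/3
interface Gi1/0/47
 switchport mode trunk
interface Gi1/0/48
 switchport mode trunk
 spanning-tree portfast trunk
"""

def audit(config):
    """Map each interface to its PortFast/BPDU guard findings."""
    glob, ports, cur = set(), {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ports.setdefault(m.group(1), set())
        elif line.startswith(" ") and cur is not None:
            cur.add(line.strip())
        else:  # any other unindented line ends the interface block
            glob.add(line.strip())
            cur = None
    pf_default = "spanning-tree portfast default" in glob
    bg_default = "spanning-tree portfast bpduguard default" in glob
    report = {}
    for name, cfg in ports.items():
        trunk, access = "switchport mode trunk" in cfg, "switchport mode access" in cfg
        if trunk:  # the global default never puts a trunk into PortFast
            portfast = "spanning-tree portfast trunk" in cfg
        else:
            portfast = ((pf_default or "spanning-tree portfast" in cfg)
                        and "spanning-tree portfast disable" not in cfg)
        # the global guard default only covers ports that are in PortFast
        guard = "spanning-tree bpduguard enable" in cfg or (
            bg_default and portfast and "spanning-tree bpduguard disable" not in cfg)
        checks = [(not (trunk or access), "mode not pinned: defaults apply if it ends up access"),
                  (trunk and guard, "BPDU guard on trunk: errdisables on neighbour BPDUs"),
                  (access and not guard, "access port without BPDU guard")]
        report[name] = [msg for hit, msg in checks if hit]
    return report
```
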



Hall of Fame Super Silver

Re: portfast & bpdu guard

Hello Brian,

>> implement rapid spanning tree on your switches and portfast is now not needed for your access ports.

Actually rapid STP has the edge ports concept that is configured with spanning-tree portfast.

Classifying the user ports as edge ports is very important for Rapid STP because these ports are excluded by the synchronization process and this really improves convergence.

About the questions of the original poster: uplink ports have to be configured as standard STP ports without bpdu guard enabled.

A good companion of uplink ports is STP loop guard, especially with Rapid STP that is too fast for UDLD.

Hope to help

