We have an access connecting to two different cores (2 fiber drops).
Is it a good idea (or a safe idea) to have the following:
spanning-tree portfast default
Portfast should only be enabled on ports that do not connect to other switches. Would that cause a problem for the ports used for the drops to the cores? Note each access switch has two drops, one to each core.
Turning on portfast for ports where they are connected to another switch is always a bad idea. I see that you also want to have bpduguard for all the ports. In this case, the switch will errdisable the port once it receives a BPDU from the core, and you will end up with unusable links.
You can issue the interface level command of no spanning-tree portfast for the two drops to the core from your access switch.
You generally would configure "spanning-tree portfast default" only on access/edge switches. You can then use bpduguard to protect you from end users connecting switches in their cubes. It would shut the port in an errdisabled state, and they'd have to call you and you can scold them. :)
I wouldn't put this command on your cores that are uplinked, because the two switches will be sending BPDUs back and forth to each other, which will cause the switches to stop communicating.
The switch global command "spanning-tree portfast default" only enables portfast on ports that are configured as access ports. The command "spanning-tree portfast bpduguard default" causes the ports that are configured as access to go into error disable state if a switch or a device that generates a BPDU is connected to said port.
That being said, as long as your switch to switch connections are configured as trunks all is good, but should someone connect a switch to a port configured as access the port will go to error disable and stay down until you intervene.
If you use these commands, the configuration of error disable recovery is a good idea, and an even better plan is to implement rapid spanning tree on your switches, and portfast is now not needed for your access ports. The command bpduguard can still be used as a security measure to prevent unwanted network switch connections to workstation ports.
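The check discussed in this thread, as an added example that is not part of any poster's reply: a small Python audit that reads a saved running-config and reports which core drops would inherit the global PortFast and BPDU guard defaults because they are not configured as trunks. The sample config and interface names are constructed; the script assumes any port without `switchport mode trunk` is in access mode, and it recognises the interface-level overrides `spanning-tree portfast disable` and `spanning-tree bpduguard disable`, which are not mentioned in the thread.

```python
import re

# Constructed sample running-config for an access switch with two core drops.
SAMPLE_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/49
 description drop to core 1
 switchport mode trunk
!
interface GigabitEthernet0/50
 description drop to core 2
 switchport mode access
"""

def parse(config):
    """Return (set of global lines, {interface: [sub-commands]})."""
    globals_, ifaces, current = set(), {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = ifaces.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())   # indented line belongs to the interface
        else:
            current = None                # "!" or a global command ends the block
            globals_.add(raw.strip())
    return globals_, ifaces

def audit_uplinks(config, uplinks):
    """List uplinks that inherit the global PortFast / BPDU guard defaults."""
    g, ifaces = parse(config)
    pf = "spanning-tree portfast default" in g
    bg = "spanning-tree portfast bpduguard default" in g
    findings = []
    for name in uplinks:
        cmds = ifaces.get(name, [])
        if "switchport mode trunk" in cmds:
            continue  # trunks do not pick up the access-port defaults
        if pf and "spanning-tree portfast disable" not in cmds:
            guard = bg and "spanning-tree bpduguard disable" not in cmds
            findings.append((name, "portfast+bpduguard" if guard else "portfast"))
    return findings
```

Calling `audit_uplinks(SAMPLE_CONFIG, ["GigabitEthernet0/49", "GigabitEthernet0/50"])` flags only the second drop, the one left in access mode, which is the port that would go err-disabled on the first BPDU from the core.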