Thanks Reza, I read somewhere that configuring portfast only in global config has a differnent outcome than when it is configured only per interface so I've made some changes to my orignal wording to get a clear answer on portfast:

Does globally enabling portfast spanning-tree portfast default turn a portfast port back to a traditional port should it received BPDUs? (i assume YES)

Also what happens to a port when portfast is configured per  interface only (rather than globally) and that port receives BPDUs from a  connected switch? Does that port default back to listening/learning etc  like it does under the global command or remain a portfast port? If yes like the global command, is this common across all platforms, IOS versions etc?

According to this blog here, portfast on a global level, and on a port level have two very different outcomes:

http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/

On the other hand, enabling portfast feature on the port itself is unconditional

.  Regardless of any BPDU being received, port will remain in portfast  state. This small, but, crucial difference is important for the  remainder of our analysis. We will see that history, so to speak,  repeats itself.

I would like to test this hopefully this week but am sitting for SWITCH before I am going to get a chance to lab it up.... grrrrrr.

Hello Jason and Reza,

According to this blog here, portfast on a global level, and on a port level have two very different outcomes:
 http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
On the other hand, enabling portfast feature on the port itself is unconditional

That blog is outright wrong on this topic. Even if a PortFast is enabled directly on a port, it is not unconditional. If a port receives a BDPU even though it is configured via spanning-tree portfast, it will lose the PortFast operational status and will become a normal non-edge port. The command will not be removed from its configuration, just the operational state of the port move from edge to non-edge. This can be trivially demonstrated using the show span int XXX portfast command - it will either report the PortFast as enabled or disabled on a port.

The 802.1w (now 802.1D-2004) RSTP standard has explicit provisions that  cause an edge port move to non-edge operation if it receives a BPDU. Since PortFast is Cisco's implementation of edge/non-edge, it must behave as mandated by the standard.

I totally agree with Reza that if access ports are connected to other switches, it is best to activate PortFast only on a per-port basis. However, networks I have worked with always interconnected switches using trunks, so in those cases, I strongly vouch for using spanning-tree portfast default global config command. Especially in RSTP networks, properly configuring edge ports is crucial, otherwise the network's performance may be even worse than with STP.

Best regards,

Peter

Thanks Paul for clarifying. It seems there is alot of confusion regarding portfast, bpdugard, and bpdufilter across the internet and people give out false information which doesnt help those learning.

One other thing I'd like to clarify - is the below statetment incorrect?

BPDU Filter (Global): This depends on/is an add-on to the global configuration of Portfast.

Personally I would say that it doesnt matter if portfast is enabled globally or interface level when it comes to BPDUfilter but what is more important is where BPDUfilter is applied (ie Global or Interface) as these do different things.

Thanks,

Jason

Hi Peter,

Thank you for the detailed reply. The information you have provided confirms my understanding of these features which is exactly what I was hoping for (and in time for my upcoming SWITCH exam).I hope others can beneift from this information as well.

I think I have managed to spend the last several hours reading to discount other's misinformation which is very frustrating as you can imagine as there are a few other topics I need to brush up on.

I have just two quick questions - do you personally enable bpduguard globally within your network on a portfast port or are you happy to allow the port to come up into listening/learning mode?

And if portfast is enabled and a BPDU is received which transitions the port to non portfast, does this generate a event in the log?

Regards,

Jason

Hi Jason,

do you personally enable bpduguard globally within your network on a portfast port or are you happy to allow the port to come up into listening/learning mode?

As Peter correctly said, you can enable it globally if you know for sure you don't have any access port connecting to other switches, but I like to be specific and enable it where I want it. One of the reasons I like to do it per interface is that if some one connect a switch to the network and configure the port as access, I don't have to worry about loop in the network. If you do it per interface, there is more manual process involved.  Another word, if some one connect a switch to the network, they also have to enable portfast on that port to cause loop, vs with global it is already there.  It all comes down to a matter of preference and your environment.

here is ample port config:

end

*Mar 11 17:54:00.906: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up

*Mar 11 17:54:01.921: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up

interface GigabitEthernet1/0/1
spanning-tree portfast
spanning-tree bpduguard enable
end

if portfast is enabled and a BPDU is received which transitions the port to non portfast, does this generate a event in the log?

I tested this and the only thing I saw in the log is this:

*Mar 11 17:54:00.906: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
*Mar 11 17:54:01.921: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up

HTH

Hi Jason,

To add to Reza's answers:

I have just two quick questions - do you personally enable bpduguard  globally within your network on a portfast port or are you happy to  allow the port to come up into listening/learning mode? 

I am not sure if I understand you here, as BPDUGuard does not directly relate with "coming up into listening/learning" states. Perhaps you meant PortFast here?

Anyway, I do tend to use both span portfast default and span portfast bpduguard default as originally noted. And Reza's comment is absolutely correct. In a well maintained network where you know what you're keeping inside, either approach will do - just be sure you know what you are doing.

And if portfast is enabled and a BPDU is received which transitions  the port to non portfast, does this generate a event in the log?

It does not generate any logs to my best knowledge, and I have not come across any configuration command that would cause these events to be logged, sadly. Any Cisco engineer reading this? It would be a good feature enhancement request!

Best regards,

Peter

Peter Paluch wrote:
Hi Jason,
To add to Reza's answers:
I have just two quick questions - do you personally enable bpduguard  globally within your network on a portfast port or are you happy to  allow the port to come up into listening/learning mode? 
I am not sure if I understand you here, as BPDUGuard does not directly relate with "coming up into listening/learning" states. Perhaps you meant PortFast here?

Sorry Peter, it was my way asking whether in your network you have BPDUGuard enabled? Ie without it configured and portfast enabled only, the portfast port will go back through the stages of LIS/LRN etc when a switch is connected.

I did get a chance to connect a couple of switches to verify BPDUguard this morning and did receive it in my logs (with logging informational) when configured globally or per interface.

00:04:20: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

00:04:22: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.

00:04:22: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state

00:04:24: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

I have just two quick questions - do you personally enable bpduguard globally within your network on a portfast port or are you happy to allow the port to come up into listening/learning mode?

In our network, all access ports have STP PortFast and BPDUGuard enabled.  I also make sure that we do NOT enable "errdisable recovery cause bpduguard".  This command is THE MOST IMPORTANT of them all.  Because if you have this command then you, as a "network engineer" should be thrown off the cliff, into the sea and wearing a pair of concrete "shoes".

Hi Leo,

You're so adamant about not enabling the errdisable recovery cause bpduguard Have any personal experience, or a good story to tell?

Best regards,

Peter

Have any personal experience, or a good story to tell?

Queue the opening tune from the "Godfather".

Yeah.  We had someone configure this and we had "fun" times trying to figure out where the STP loop was coming from.

It took hours crawling through each config and when we found it, we went "Gotcha, you SOB!" so we got rid of the command ... a few hours later another loop.  So we all looked at each other and went, "Please don't tell me the ding-a-ling configured MORE of the same command?".  And, yes, he did.

Like I said, "fun" times.

Since then, I've learned to look for this command and take it out immediately.  All my Zero-Touch templates have the "no errdisable recovery cause bpduguard".  Just to be sure.

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

Leo Laohoo wrote:
Queue the opening tune from the "Godfather".

Hmm, let me guess and if you only want to "warn" another network engineer, they might wake up with a severed supervisor card next to them in their bed.  Of course, it's nothing person, just business.

they might wake up with a severed supervisor card next to them in their bed.

He sleeps with da fish with his newly mixed Christian Di0r concrete shoes.