Having portfast enabled on a port connected to a device generating Bridge Protocol Data Units (BPDUs) causes the port to go to errdisable status when BPDU guard is enabled on the switch.
BPDU Guard is one of the features that protect STP from several types of problems or attacks; which protection applies depends on whether a port is a trunk or an access port.
BPDU Guard puts an interface configured for STP PortFast into the err-disable state upon receipt of a BPDU. It disables the interface as a preventive step to avoid a potential bridging loop, and in doing so protects the Spanning Tree domain from external influence. BPDU Guard is disabled by default but is recommended for all ports on which PortFast has been enabled, because it prevents false information from being injected into the Spanning Tree domain on ports that have Spanning Tree disabled.
When a port only has a host device connected to it, we enable PortFast; this speeds up port initialization and puts the port into the forwarding state straight away. This eliminates the 30 seconds of delay the port would otherwise spend passing through the Listening and Learning states if STP were not bypassed. Because the host is a workstation, it sends no BPDUs, so disabling Spanning Tree on a port like this is not an issue.
If we removed the end host from this port and connected a switch instead, the new switch would start to generate BPDUs and could take over as the Root Bridge for the network, or it could cause a loop if it has another link into a different part of the network.
So what BPDU Guard provides is a secure response to invalid configurations or unauthorised switches on our network, because the administrator must manually re-enable the err-disabled interface after fixing the invalid configuration or removing the unauthorised switch from the network.
A port may be in errdisable status due to BPDU guard.
The errdisable status indicates that the port was automatically disabled by the switch operating system software because of an error condition encountered on the port.
To determine if a port is in errdisable status, issue the show port command. For example, to check the status on port 3/2, issue the show port 3/2 command. This is a sample command output:
The switch sends a message to the console describing why the port is disabled when it puts a port in the errdisable state. If syslog is configured, the message is available on the syslog server as well.
Another way to determine the reason for the errdisable status is to issue the show errdisable-timeout command. This command is available in Catalyst OS (CatOS) 5.4(1) or later. This is a sample command output:
If the switch configured with BPDU guard enabled sees a BPDU coming into a port that has portfast enabled, it puts the port in errdisable status and a message similar to this is printed on the console:
%SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port. Disabling 3/2. (CatOS)
%PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi4/1, putting Gi4/1 in err-disable state. (Cisco IOS system software)
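The two console messages above are what a syslog collector sees when BPDU guard fires, so they are a natural detection source. The following is an added example (not code from the original article or from Cisco) that parses both the CatOS and IOS message formats out of constructed syslog lines, ignores other errdisable causes such as link-flap, and flags ports that keep getting disabled, which suggests someone is re-enabling the port without fixing the cause. The "Mon DD HH:MM:SS hostname" prefix and the hostnames are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines, modelled on the two console messages quoted in the text.
# The "Mon DD HH:MM:SS hostname" prefix is an assumed syslog relay format.
SAMPLE_LOGS = [
    "Jan 10 10:15:02 sw-access-01 %SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port. Disabling 3/2.",
    "Jan 10 10:15:03 sw-dist-01 %PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi4/1, putting Gi4/1 in err-disable state.",
    "Jan 10 10:15:04 sw-access-01 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Jan 10 10:16:00 sw-dist-02 %PM-SP-4-ERR_DISABLE: link-flap error detected on Gi2/7, putting Gi2/7 in err-disable state.",
    "Jan 10 10:20:11 sw-access-01 %SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port. Disabling 3/2.",
]

HEADER_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) ")
# CatOS form: the port is a module/port number followed by a full stop.
CATOS_RE = re.compile(r"%SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port\. Disabling (?P<port>\d+/\d+)\.")
# IOS form: the reason field is what distinguishes bpduguard from other errdisable causes.
IOS_RE = re.compile(r"%PM-SP-4-ERR_DISABLE: (?P<reason>\S+) error detected on (?P<port>\S+), putting \S+ in err-disable state\.")

@dataclass(frozen=True)
class BpduGuardEvent:
    host: str
    port: str
    platform: str  # "CatOS" or "IOS"

def parse_line(line):
    """Return a BpduGuardEvent for a BPDU-guard errdisable message, else None."""
    header = HEADER_RE.match(line)
    if not header:
        return None
    host = header.group("host")
    m = CATOS_RE.search(line)
    if m:
        return BpduGuardEvent(host, m.group("port"), "CatOS")
    m = IOS_RE.search(line)
    if m and m.group("reason") == "bpduguard":
        return BpduGuardEvent(host, m.group("port"), "IOS")
    return None  # other errdisable causes (link-flap etc.) are not BPDU guard

def find_bpduguard_events(lines):
    return [ev for ev in map(parse_line, lines) if ev is not None]

def repeat_offenders(events, threshold=2):
    """Ports disabled by BPDU guard at least `threshold` times: a sign the port is being
    re-enabled without the offending device or PortFast setting being corrected."""
    counts = {}
    for ev in events:
        counts[(ev.host, ev.port)] = counts.get((ev.host, ev.port), 0) + 1
    return {k: n for k, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    evs = find_bpduguard_events(SAMPLE_LOGS)
    for ev in evs:
        print(f"{ev.host}: {ev.port} err-disabled by BPDU guard ({ev.platform})")
    print("repeat offenders:", repeat_offenders(evs))
```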
If BPDU guard is the reason for the errdisable status, check these settings:
Verify that the port using portfast is connected to an end station, not to a device that generates Spanning-Tree Protocol (STP) BPDU packets such as switches, bridges, or routers doing bridging.
If the port is connected to an STP device that is generating BPDU packets, disable portfast on that port. The command to disable portfast on port 3/2 is set spantree portfast 3/2 disable.
Once the cause of the errdisable status has been found and corrected, re-enable the port by issuing the set port enable command. For example, to re-enable port 3/2, issue the set port enable 3/2 command.
If the set port enable command is issued without the cause of the errdisable status being corrected, the port eventually goes back to the errdisable status.