Thursday, October 22, 2015

Cisco Spanning Tree Portfast and BPDUGuard

There are two powerful tools available for those of us (the majority, I believe) who still rely on Spanning Tree Protocol (STP) for switch loop protection. They are PortFast! and BPDUGuard! (Don't they sound impressive with those exclamation points?)


Enabling PortFast on a switchport skips the listening and learning states when a device is plugged in (you know, that annoying wait with the amber light?). From an STP perspective the port goes straight to the forwarding state. This works out great for access ports that can be trusted to connect only to a single end device such as a server or workstation. It is a bad fit for anything that might have another switch behind it, because a port that forwards immediately can close a loop before STP has exchanged a single BPDU.

Here are a couple of key commands related to basic portfast:

To globally set PortFast on all NON-Trunking ports:
Switch(config)#spanning-tree portfast default

To locally set PortFast on a particular interface:
Switch(config-if)#spanning-tree portfast


PortFast is designed for access ports that never receive BPDUs, since only switches send them. Nothing physically stops someone from plugging a second switch (or a host running software that emits BPDUs) into a non-trunking port, however, and that is exactly how accidental spanning tree loops happen. It is also how a rogue device advertising a better bridge priority would try to become root and pull traffic through itself. With BPDUGuard enabled on top of PortFast, the receipt of a single BPDU on the interface moves it straight into the err-disabled state, instead of letting the port drop back into normal STP operation where the sender's BPDUs could reshape the topology. The interface then looks like this:
Switch#show interfaces gigabitethernet 1/1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/1                        err-disabled 100        full    1000  1000BaseSX

This security measure then leaves the network administrator with two choices:
a) unplug the switch from this port and move it to a port intended for switch-to-switch links, or
b) reconfigure this port as a switch-to-switch (trunking) port, without PortFast or BPDUGuard, so that STP can function normally on it

Here are a couple of key commands related to basic BPDUGuard:

To globally set BPDUGuard on all PortFast-enabled ports (it has no effect on ports without PortFast):
Switch(config)#spanning-tree portfast bpduguard default

To locally set BPDUGuard on a particular interface (this form works whether or not the port has PortFast):
Switch(config-if)#spanning-tree bpduguard enable

To recover from the err-disabled state, first remove the cause (unplug or relocate the device that sent the BPDU), then bounce the interface:
Switch(config-if)#shutdown
Switch(config-if)#no shutdown

Turning PortFast off on the port does not clear err-disabled. You can also let the switch re-enable the port on a timer with the global errdisable recovery cause bpduguard command (the delay is set with errdisable recovery interval), but if the offending device is still attached the port simply err-disables again on the next BPDU.
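To see how the global defaults and the per-interface forms above combine on a real running-config, here is a small Python audit script. It is an added example for this post, not Cisco code and not from the original article. It assumes the IOS behaviour described above: the global PortFast default skips trunking ports, the global BPDUGuard default applies only to PortFast ports, the per-interface bpduguard enable works on its own, and an explicit per-interface disable overrides the global. The two configs inside it are constructed samples, not captures from a real switch.

```python
"""Audit an IOS-style running-config for PortFast ports that lack BPDU Guard.

Added example for this post (not Cisco code and not from the original
article). It models the two global defaults and the two per-interface
commands above, plus their per-interface "disable" overrides.
The configs below are constructed samples, not captures from a real switch.
"""
import re
from dataclasses import dataclass

# Constructed sample: global PortFast is on, but BPDU Guard is only set on
# one interface, so an access port relying on the global default forwards
# immediately with no protection against an unexpected BPDU.
WEAK_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
interface GigabitEthernet1/0/1
 description workstation (guarded per-interface)
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description workstation (global PortFast only)
 switchport mode access
!
interface GigabitEthernet1/0/3
 description printer (PortFast turned off)
 switchport mode access
 spanning-tree portfast disable
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
!
"""

# Same switch with the global BPDU Guard default added (PortFast first,
# then BPDU Guard, as the post recommends).
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "spanning-tree portfast default\n",
    "spanning-tree portfast default\nspanning-tree portfast bpduguard default\n",
)


@dataclass
class PortState:
    name: str
    trunk: bool
    portfast: bool
    bpduguard: bool


def split_config(text):
    """Return (global_lines, {interface_name: [stripped indented lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None            # "!" closes the interface block
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def evaluate(name, lines, global_portfast, global_guard):
    """Resolve the effective PortFast / BPDU Guard state of one interface."""
    trunk = "switchport mode trunk" in lines
    if "spanning-tree portfast disable" in lines:
        portfast = False                 # explicit disable beats the global default
    elif any(ln.startswith("spanning-tree portfast") for ln in lines):
        portfast = True                  # "spanning-tree portfast" (or "portfast edge") on the port
    else:
        portfast = global_portfast and not trunk   # global default skips trunking ports
    if "spanning-tree bpduguard disable" in lines:
        guard = False
    elif "spanning-tree bpduguard enable" in lines:
        guard = True                     # per-interface form works even without PortFast
    else:
        guard = global_guard and portfast   # global default only covers PortFast ports
    return PortState(name, trunk, portfast, guard)


def audit(config_text):
    """Return (states, findings). Findings are ports that forward immediately
    but would fall back into normal STP, not err-disable, when a BPDU arrives."""
    global_lines, interfaces = split_config(config_text)
    global_portfast = any(re.fullmatch(r"spanning-tree portfast( edge)? default", g) for g in global_lines)
    global_guard = any(re.fullmatch(r"spanning-tree portfast( edge)? bpduguard default", g) for g in global_lines)
    states = {n: evaluate(n, l, global_portfast, global_guard) for n, l in interfaces.items()}
    findings = [n for n, s in states.items() if s.portfast and not s.bpduguard]
    return states, findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        _, findings = audit(cfg)
        print(f"{label}: unguarded PortFast ports -> {findings or 'none'}")
```

Run against WEAK_CONFIG it reports GigabitEthernet1/0/2 (PortFast via the global default, no guard); the printer port with PortFast disabled and the trunk uplink are correctly left alone. Adding the single global bpduguard line clears the finding. Feed it the output of show running-config from your own switches to find the same gap.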


  1. Note the similarities and differences between the PortFast and BPDUGuard commands
  2. Consider the order in which you would set them (PortFast first! The global BPDUGuard default only takes effect on PortFast ports)
  3. Recognize err-disabled as possibly a BPDUGuard issue, though it is far from the only cause
Err-Disabled triggers include:
  • BPDU guard violation
  • Duplex mismatch
  • Port channel misconfiguration
  • UniDirectional Link Detection (UDLD) condition
  • Late-collision detection
  • Link-flap detection
  • Security violation
  • Port Aggregation Protocol (PAgP) flap
  • Layer 2 Tunneling Protocol (L2TP) guard
  • DHCP snooping rate-limit
  • Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
  • Address Resolution Protocol (ARP) inspection
  • Inline power
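Since item 3 says to recognize err-disabled as a possible BPDUGuard event, here is a Python script that does that from syslog. It is an added example, not from the original post: it pulls %PM-4-ERR_DISABLE events out of IOS log text, maps the errdisable cause keyword to the trigger names in the list above, and flags ports that trip BPDU Guard repeatedly, which is what you see when errdisable recovery keeps re-enabling a port whose unauthorized switch is still attached. The log lines, timestamps and port numbers are constructed samples; the cause keywords are the ones IOS uses with errdisable recovery cause.

```python
"""Spot BPDU Guard err-disable events in IOS syslog and flag ports that keep
re-tripping.

Added example for this post, not from the original article. The lines below
are constructed samples in the shape of the IOS %PM-4-ERR_DISABLE,
%PM-4-ERR_RECOVER and %SPANTREE-2-BLOCK_BPDUGUARD messages; the timestamps
and port numbers are made up.
"""
import re
from collections import Counter, defaultdict

SAMPLE_SYSLOG = """\
Oct 22 09:14:02.117: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Oct 22 09:14:02.118: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Oct 22 09:19:02.201: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/7
Oct 22 09:19:05.330: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Oct 22 09:19:05.331: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Oct 22 10:02:44.009: %PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
Oct 22 10:30:01.500: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/3, putting Gi1/0/3 in err-disable state
"""

# IOS errdisable cause keywords mapped to the trigger names listed in the post.
# Keywords not in this table are reported as-is.
CAUSES = {
    "bpduguard": "BPDU guard violation",
    "channel-misconfig": "Port channel misconfiguration",
    "udld": "UniDirectional Link Detection (UDLD) condition",
    "link-flap": "Link-flap detection",
    "psecure-violation": "Security violation",
    "pagp-flap": "Port Aggregation Protocol (PAgP) flap",
    "l2ptguard": "Layer 2 protocol tunnel guard",
    "dhcp-rate-limit": "DHCP snooping rate-limit",
    "gbic-invalid": "Incorrect GBIC / SFP module or cable",
    "arp-inspection": "Address Resolution Protocol (ARP) inspection",
    "inline-power": "Inline power",
}

ERR_DISABLE = re.compile(
    r"^(?P<ts>.+?): %PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),"
)


def parse_err_disable(log_text):
    """Return [(timestamp, cause_keyword, port)] for every ERR_DISABLE line."""
    events = []
    for line in log_text.splitlines():
        m = ERR_DISABLE.match(line)
        if m:
            events.append((m["ts"], m["cause"], m["port"]))
    return events


def describe(cause):
    """Human-readable trigger name for an errdisable cause keyword."""
    return CAUSES.get(cause, cause)


def summarize(events):
    """Per-port breakdown: {port: {cause_keyword: count}}."""
    per_port = defaultdict(Counter)
    for _, cause, port in events:
        per_port[port][cause] += 1
    return {port: dict(counts) for port, counts in per_port.items()}


def repeat_offenders(events, cause="bpduguard", threshold=2):
    """Ports err-disabled by `cause` at least `threshold` times. A port that
    trips BPDU Guard again right after recovery still has a BPDU source on it."""
    counts = Counter(port for _, c, port in events if c == cause)
    return sorted(port for port, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_err_disable(SAMPLE_SYSLOG)
    for port, counts in summarize(evts).items():
        detail = ", ".join(f"{describe(c)} x{n}" for c, n in counts.items())
        print(f"{port}: {detail}")
    for port in repeat_offenders(evts):
        print(f"ALERT {port}: BPDU Guard tripped repeatedly; something is still sending BPDUs")
```

On the sample log this reports Gi1/0/7 twice for BPDU guard (once before and once after the automatic recovery attempt), one link-flap on Gi1/0/12 and one port-security violation on Gi1/0/3, and raises the repeat alert only for Gi1/0/7. Point it at your syslog collector's output rather than the embedded sample to use it for real.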
 Hope that keeps it all straight in your head!
