There are two features you can configure to complement the functionality of PortFast.
1. BPDU Guard
2. BPDU Filter
BPDU Guard: On PortFast-enabled ports, BPDU Guard provides the protection against Layer 2 loops that STP cannot provide when STP PortFast is enabled. In a valid configuration, PortFast Layer 2 LAN interfaces (edge ports) do not receive BPDUs.
When configured globally, BPDU Guard is only effective on ports in the operational PortFast (edge) state. Reception of a BPDU by a PortFast Layer 2 LAN interface signals an invalid configuration, such as connection of an unauthorized device. BPDU Guard provides a secure response to invalid configurations, because the administrator must manually put the Layer 2 LAN interface back in service. BPDU Guard can be configured at the interface level. When configured at the interface level, BPDU Guard shuts the port down as soon as the port receives a BPDU, regardless of the PortFast configuration.
*** To enable this in global config mode ***
6506(config)# spanning-tree portfast edge bpduguard default
*** To enable this on a particular interface ***
6506(config)# int g6/2
6506(config-if)# spanning-tree bpduguard enable
Once a BPDU is received on a port configured for BPDU Guard, the port goes into the err-disabled state (equivalent to shutdown), and the administrator has to manually re-enable the interface to bring the port back up. You can also configure the port to recover automatically, as long as it no longer receives BPDUs, with the “errdisable recovery cause bpduguard” command. Below are all the options available for err-disabled port recovery.
6506(config)#errdisable recovery cause ?
  all                   Enable timer to recover from all causes
  arp-inspection        Enable timer to recover from arp inspection error disable state
  bpduguard             Enable timer to recover from BPDU Guard error disable state
  channel-misconfig     Enable timer to recover from channel misconfig disable state
  dhcp-rate-limit       Enable timer to recover from dhcp-rate-limit error disable state
  dtp-flap              Enable timer to recover from dtp-flap error disable state
  gbic-invalid          Enable timer to recover from invalid GBIC error disable state
  l2ptguard             Enable timer to recover from l2protocol-tunnel error disable state
  link-flap             Enable timer to recover from link-flap error disable state
  link-monitor-failure  Enable timer to recover from link monitoring failure
  loopback              Enable timer to recover from loopback disable state
  mac-limit             Enable timer to recover from mac limit disable state
  oam-remote-failure    Enable timer to recover from remote failure detected by OAM
  pagp-flap             Enable timer to recover from pagp-flap error disable state
  psecure-violation     Enable timer to recover from psecure violation disable state
  security-violation    Enable timer to recover from 802.1x violation disable state
  storm-control         Enable timer to recover from storm-control error disable state
  udld                  Enable timer to recover from udld error disable state
  unicast-flood         Enable timer to recover from unicast flood disable state
  vmps                  Enable timer to recover from vmps shutdown error disable state
BPDU Filter: PortFast BPDU filtering allows the administrator to prevent the system from sending or even receiving BPDUs on specified ports.
When configured globally, PortFast BPDU filtering applies to all operational PortFast (edge) ports. Ports in an operational PortFast state are supposed to be connected to hosts, which typically drop BPDUs. If an operational PortFast port receives a BPDU, it immediately loses its operational PortFast status and becomes a normal port. In that case, PortFast BPDU filtering is disabled on this port and STP resumes sending BPDUs on this port.
PortFast BPDU filtering can also be configured on a per-port basis. When PortFast BPDU filtering is explicitly configured on a port, it does not send any BPDUs and drops all BPDUs it receives.
When you enable PortFast BPDU filtering globally and set the port configuration as the default for PortFast BPDU filtering, then PortFast enables or disables PortFast BPDU filtering. If the port configuration is not set to default, then the PortFast configuration will not affect PortFast BPDU filtering.
You can configure BPDU Filter as shown below (globally or at the interface level):
*** Enabling BPDU filtering globally ***
6506(config)# spanning-tree portfast edge bpdufilter default
*** Configuring BPDU Filter on an interface ***
6506(config-if)# spanning-tree bpdufilter [enable | disable]
“show spanning-tree summary totals” can be used to verify these settings, as shown below:
Router# show spanning-tree summary totals
Root bridge for: Bridge VLAN0025
EtherChannel misconfiguration guard is enabled
Extended system ID is enabled
PortFast Edge BPDU Guard Default is enabled
Portfast Edge BPDU Filter Default is enabled
Portfast Default is edge
Bridge Assurance is enabled
Loopguard is disabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is long
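As an added config-level check that is not part of the original post, the following Python script parses a running-config (a constructed sample with made-up interface names) and flags PortFast edge ports that are not covered by BPDU Guard, either globally or per interface, as well as ports with interface-level BPDU Filter, which neither send nor process BPDUs, so BPDU Guard cannot act on them; the parser and finding names are assumptions of this example.

```python
# Hypothetical helper, not from the post: audit IOS config for BPDU Guard/Filter gaps.
import re

# Constructed sample running-config; interface names are made up.
SAMPLE_CONFIG = """\
spanning-tree portfast edge bpduguard default
!
interface GigabitEthernet6/1
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet6/2
 switchport mode access
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
interface GigabitEthernet6/3
 switchport mode access
 spanning-tree portfast edge
 spanning-tree bpdufilter enable
!
"""

def parse_interfaces(config):
    """Map each 'interface <name>' stanza to its indented config lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or another global command ends the stanza
    return stanzas

def audit(config):
    """Return (interface, finding) pairs for risky PortFast-related settings."""
    global_guard = any(re.match(r"spanning-tree portfast (edge )?bpduguard default$", l)
                       for l in config.splitlines())
    findings = []
    for name, lines in parse_interfaces(config).items():
        edge = any(re.match(r"spanning-tree portfast( edge)?$", l) for l in lines)
        guarded = (global_guard and edge) or "spanning-tree bpduguard enable" in lines
        if "spanning-tree bpdufilter enable" in lines:
            # Port neither sends nor acts on BPDUs, so BPDU Guard can never fire here.
            findings.append((name, "BPDUFILTER_ENABLED"))
        elif edge and not guarded:
            findings.append((name, "EDGE_WITHOUT_BPDUGUARD"))
    return findings
```

Run it against the output of “show running-config” to list the ports that need attention; with the sample above only GigabitEthernet6/3 is reported, because the global BPDU Guard default covers the other edge ports.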
We will look at the “Root Guard” and “Loop Guard” features in the next post.