CCNP SWITCH: Portfast, BPDUGuard, RootGuard

Portfast

Enable Portfast per interface

Switch (config)# interface range fastethernet 0/1-48
Switch (config-if-range)# spanning-tree portfast

Enable Portfast globally on all access ports (NOTE – this will not enable portfast on trunk links until you configure “spanning-tree portfast trunk” on the interface)

Switch (config)# spanning-tree portfast default

Troubleshooting commands

Switch# show spanning-tree interface fastethernet 0/4 portfast
Switch# show spanning-tree summary

BPDUGuard

Enable BPDUGuard per interface

Switch (config)# interface range fastethernet 0/1-48
Switch (config-if-range)# spanning-tree bpduguard enable

Enable BPDUGuard globally

Switch (config)# spanning-tree portfast bpduguard default

Enable auto-recovery from BPDUGuard err-disable (disabled by default) and specify the recovery interval (in seconds). After the interval expires the port is re-enabled; if BPDUs are still being received on it, the port is err-disabled and shut down again.

Switch (config)# errdisable recovery cause bpduguard
Switch (config)# errdisable recovery interval 60

Root Guard

With root guard enabled, if another switch sending a superior BPDU (lower bridge ID) is connected to one of the access ports, root guard blocks traffic on that port by placing the interface in the root-inconsistent state. Once the offending switch stops sending superior BPDUs, root guard unblocks the port.

Enable Root Guard per interface

Switch (config)# interface range fastethernet 0/1-48
Switch (config-if-range)# spanning-tree guard root

Verify Root Guard enabled on interface

Switch# show spanning-tree interface fastethernet 0/3 detail

Troubleshooting Commands

Switch# show spanning-tree inconsistentports

BPDUGuard and Root Guard enabled on the same interface

When BPDUGuard and Root Guard are both enabled on the same interface, testing shows that BPDUGuard reacts first: it disables the port and puts the interface into the err-disabled state.

After removing the BPDUGuard command from the interface and bouncing the port (shutdown followed by no shutdown), root guard kicks in and blocks the interface. The interface stays blocked until the offending switch is unplugged or its STP priority is increased.
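Because the global defaults above interact (spanning-tree portfast default skips trunk ports, and spanning-tree portfast bpduguard default only protects ports on which Portfast is actually in effect), it is easy to end up with an access port that looks covered but is not. The following audit script is an added example, not part of the original post and not a Cisco tool: it parses a constructed running-config sample (invented for this demo) and lists the non-trunk ports on which BPDUGuard is not effective, reporting the per-port Portfast, BPDUGuard and Root Guard state along the way.

```python
"""Audit a Cisco IOS running-config for access ports lacking BPDU Guard.

Constructed example: SAMPLE_CONFIG below is made up for this demo, not taken
from a real switch. The rules encoded here are the IOS semantics from the post:
  * 'spanning-tree portfast default' applies to every non-trunk port,
  * 'spanning-tree portfast bpduguard default' protects only ports on which
    PortFast is in effect, and
  * per-interface 'spanning-tree bpduguard enable|disable' and
    'spanning-tree portfast [disable|trunk]' override the global defaults.
"""
from dataclasses import dataclass, field

# Constructed sample config (not from a real device).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast disable
!
interface FastEthernet0/3
 switchport mode access
 spanning-tree bpduguard disable
 spanning-tree guard root
!
interface FastEthernet0/4
 switchport mode access
 spanning-tree portfast disable
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)

    def has(self, cmd: str) -> bool:
        return cmd in self.lines


def parse_config(text: str):
    """Split the config into a set of global commands and per-interface stanzas."""
    globals_, ports, current = set(), [], None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = Port(raw.split(None, 1)[1])
            ports.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())        # indented line belongs to the stanza
        else:
            current = None                          # back at global level
            if raw.strip() and raw.strip() != "!":
                globals_.add(raw.strip())
    return globals_, ports


def effective_state(port: Port, globals_: set):
    """Return (is_trunk, portfast, bpduguard, rootguard) as they take effect on one port."""
    is_trunk = port.has("switchport mode trunk")
    if port.has("spanning-tree portfast disable"):
        portfast = False
    elif port.has("spanning-tree portfast") or port.has("spanning-tree portfast trunk"):
        portfast = True
    else:
        # The global PortFast default never applies to trunk ports.
        portfast = "spanning-tree portfast default" in globals_ and not is_trunk
    if port.has("spanning-tree bpduguard disable"):
        bpduguard = False
    elif port.has("spanning-tree bpduguard enable"):
        bpduguard = True
    else:
        # The global BPDU Guard default protects only PortFast-enabled ports.
        bpduguard = "spanning-tree portfast bpduguard default" in globals_ and portfast
    rootguard = port.has("spanning-tree guard root")
    return is_trunk, portfast, bpduguard, rootguard


def unprotected_access_ports(text: str):
    """Names of non-trunk ports on which BPDU Guard is not in effect."""
    globals_, ports = parse_config(text)
    result = []
    for port in ports:
        is_trunk, _portfast, bpduguard, _rootguard = effective_state(port, globals_)
        if not is_trunk and not bpduguard:
            result.append(port.name)
    return result


if __name__ == "__main__":
    g, ps = parse_config(SAMPLE_CONFIG)
    for p in ps:
        trunk, pf, bg, rg = effective_state(p, g)
        print(f"{p.name:20} trunk={trunk!s:5} portfast={pf!s:5} bpduguard={bg!s:5} rootguard={rg}")
    print("Access ports without BPDU Guard:", unprotected_access_ports(SAMPLE_CONFIG))
```

Note how FastEthernet0/2 is flagged: the only per-port change was "spanning-tree portfast disable", yet that alone removes the port from the global BPDUGuard default, which is exactly the kind of silent gap the audit is meant to surface.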

If BPDUGuard is enabled on all the access ports I don’t see the need for root guard, unless someone else can enlighten me?

To be continued…….
