Scenario 4-5: Configuring PortFast BPDU Guard

As previously discussed, it is important that you enable PortFast with caution, and only on ports that do not connect to multihomed devices such as hubs or switches. If you follow these rules, a PortFast port should never receive configuration BPDUs. If a PortFast port does receive configuration BPDUs, another bridge is somehow connected to the port, and there is a possibility of a bridging loop forming during the Listening and Learning phases. Because configuration BPDUs should never be received in a valid PortFast configuration, Cisco switches support a feature called PortFast BPDU Guard, which shuts down a PortFast-enabled port in the event a BPDU is received. This feature ensures that a bridging loop cannot form, because shutting down the port removes any possibility of a loop forming.

If you do not have BPDU Guard configured on a PortFast-enabled port that is receiving configuration BPDUs, the switch processes the configuration BPDUs and eventually the port might be shut down to prevent a loop. However, because the port is already forwarding traffic during this time (PortFast is enabled), a bridging loop might form and bring down the network before the port is blocked.

Enabling PortFast BPDU Guard

On CatOS, the PortFast BPDU Guard feature is disabled by default. It can be enabled or disabled globally for all PortFast ports or explicitly enabled or disabled for each physical PortFast port. To enable or disable PortFast BPDU Guard globally on a CatOS switch, you use the following command:

set spantree global-default bpdu-guard {enable | disable}

To explicitly enable or disable PortFast BPDU Guard for a specific port on a CatOS switch, you use the following command:

set spantree portfast bpdu-guard mod/port {enable | disable | default}

Configuring the default option means that the port inherits the global configuration state of the BPDU Guard feature.

On Cisco IOS, you can configure BPDU Guard only globally, except for IOS 12.1(11b)E and later for native IOS Catalyst 6000/6500 switches, which allow you to configure BPDU Guard explicitly on an interface. To enable PortFast BPDU Guard on a Cisco IOS-based switch, you use the following global configuration command:

spanning-tree portfast bpduguard

To disable PortFast BPDU Guard, simply use the no form of the command.

Referring back to Figure 4-26, assume that you need to enable BPDU Guard on Switch-C and Switch-D. Example 4-42 demonstrates enabling PortFast BPDU Guard on Switch-C.

Example 4-42. Configuring PortFast BPDU Guard on Switch-C

Switch-C# configure terminal
Switch-C(config)# spanning-tree portfast bpduguard

The configuration in Example 4-42 applies for all PortFast-enabled interfaces on Switch-C. Example 4-43 demonstrates enabling PortFast BPDU Guard both globally and for specific ports on Switch-D.

Example 4-43. Configuring PortFast BPDU Guard on Switch-D

Switch-D> (enable) set spantree global-default bpdu-guard enable
Spantree global-default bpdu-guard enabled on this switch.
Switch-D> (enable) set spantree portfast bpdu-guard 2/3-48 enable
Spantree ports 2/3-48 bpdu guard enabled.

In Example 4-43, if BPDU Guard were not enabled globally, only ports 2/3-48 would have BPDU Guard enabled.
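Because Cisco IOS applies BPDU Guard either globally or per interface, a quick way to verify coverage is to audit the running-config for PortFast ports that end up without it. The following is an added Python check (not from the book); the running-config text is constructed for illustration and assumes standard IOS syntax, including the newer spanning-tree portfast bpduguard default form of the global command.

```python
import re

# Constructed sample running-config (not from the book): Fa0/1 has PortFast with no
# guard, Fa0/2 is guarded per interface, Fa0/3 explicitly opts out of a global guard.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 spanning-tree portfast
!
interface FastEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 spanning-tree portfast trunk
 spanning-tree bpduguard disable
!
interface FastEthernet0/4
 switchport mode access
!
"""

# Global command from the book, plus the later "default" form used on newer IOS.
GLOBAL_BPDUGUARD = re.compile(r"^spanning-tree portfast bpduguard( default)?$")

def parse_config(text):
    """Return (global_bpduguard_enabled, {interface name: set of sub-commands})."""
    global_guard = False
    interfaces = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith(" "):          # top-level line ends any interface block
            current = None
            if raw.startswith("interface "):
                current = raw.split(None, 1)[1]
                interfaces[current] = set()
            elif GLOBAL_BPDUGUARD.match(raw.strip()):
                global_guard = True
            continue
        if current is not None:
            interfaces[current].add(raw.strip())
    return global_guard, interfaces

def unprotected_portfast_ports(text):
    """List interfaces that run PortFast but are not covered by BPDU Guard."""
    global_guard, interfaces = parse_config(text)
    findings = []
    for name, cmds in interfaces.items():
        portfast = any(c.startswith("spanning-tree portfast") and not c.endswith("disable")
                       for c in cmds)
        if not portfast or "spanning-tree bpduguard enable" in cmds:
            continue
        if global_guard and "spanning-tree bpduguard disable" not in cmds:
            continue                           # inherits the global guard
        findings.append(name)
    return findings
```

Running the check against the sample flags Fa0/1 and Fa0/3; prepending the global spanning-tree portfast bpduguard line clears Fa0/1 but still flags Fa0/3 because of its explicit disable.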

Testing BPDU Guard

To test BPDU Guard, you first incorrectly configure PortFast and BPDU Guard on interface Fa0/3 (connected to Switch-D) of Switch-B in the topology of Figure 4-26. You then configure Switch-D with a priority of 0, which forces it to begin generating configuration BPDUs out the previously blocked port 2/2, because it assumes the root bridge role. Switch-B should hear these configuration BPDUs generated by Switch-D, which will invoke BPDU Guard and shut down interface Fa0/3.

  1. On Switch-B, ensure that PortFast and BPDU Guard are enabled on interface Fa0/3, as shown in Example 4-44.

    Example 4-44. Configuring PortFast and BPDU Guard on Switch-B

    Switch-B# configure terminal
    Switch-B(config)# interface fa0/3
    Switch-B(config-if)# spanning-tree portfast trunk
    %Warning: portfast should only be enabled on ports connected to a single
     host. Connecting hubs, concentrators, switches, bridges, etc... to this
     interface  when portfast is enabled, can cause temporary bridging loops.
     Use with CAUTION
    Switch-B(config-if)# spanning-tree bpduguard enable
    
    In Example 4-44, the trunk keyword in the spanning-tree portfast trunk command forces PortFast to be enabled on the interface, even if it is a trunking interface.
  2. On Switch-D, set the priority for VLAN 1 as 0, as shown in Example 4-45.

    Example 4-45. Configuring a Priority of 0 on Switch-D

    Switch-D> (enable) set spantree priority 0 1
    Spantree 1 bridge priority set to 0.
    
  3. At this stage, Switch-D has a lower bridge ID than the current root bridge (Switch-A) and assumes that it is the root bridge. Switch-D starts sending configuration BPDUs out port 2/2 to Switch-B. On Switch-B, you should see the following console messages:
    15:16:21: %SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port.
        Disabling FastEthernet0/3.
    15:16:21: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3,
        putting Fa0/3 in err-disable state
    15:16:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3,
        changed state to down
    15:16:23: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
    
    Notice that interface Fa0/3 is put into an err-disable state, which means that the interface has been administratively shut down.
