22-2
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 22 Configuring Optional Spanning-Tree Features
Information About Configuring the Optional Spanning-Tree Features
Interfaces connected to a single workstation or server should not receive bridge protocol data units
(BPDUs). An interface with PortFast enabled goes through the normal cycle of spanning-tree status
changes when the switch is restarted.
Note Because the purpose of PortFast is to minimize the time interfaces must wait for spanning-tree to
converge, it is effective only when used on interfaces connected to end stations. If you enable PortFast
on an interface connecting to another switch, you risk creating a spanning-tree loop.
You can enable this feature by using the spanning-tree portfast interface configuration or the
spanning-tree portfast default global configuration command.
Figure 22-1 PortFast-Enabled Interfaces
BPDU Guard
The BPDU guard feature can be globally enabled on the switch or can be enabled per port, but the feature
operates with some differences.
At the global level, you enable BPDU guard on PortFast-enabled ports by using the spanning-tree
portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in
a PortFast-operational state if any BPDU is received on them. In a valid configuration, PortFast-enabled
ports do not receive BPDUs. Receiving a BPDU on a PortFast-enabled port means an invalid
configuration, such as the connection of an unauthorized device, and the BPDU guard featur e puts the
port in the error-disabled state. When this happens, the switch shuts down the entire port on which the
violation occurred.
To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown
vlan global configuration command to shut down just the offending VLAN on the port where the
violation occurred.
At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard
enable interface configuration command without also enabling the PortFast feature. When the port
receives a BPDU, it is put in the error-disabled state.
The BPDU guard feature provides a secure response to invalid configurations because you must
manually put the interface back in service. Use the BPDU guard feature in a service-provider network
to prevent an access port from participating in the spanning tree.
WorkstationsWorkstations
Server
Port
Fast-enabled port
Port
Fast-enabled
ports
101225