Network Automation Engineer: Roger Perkin CCIE 50038

CCIE, Wireless, F5, Ansible, AWS, Cloud and data centre to Network Automation - my journey as a network engineer

Spanning-Tree Portfast – The Definitive Guide

The spanning-tree portfast command is a very simple feature but often mis-understood.
In this short post I will explore how this feature behaves, how it works and how to configure it on a cisco switch.
Portfast is a Cisco Propietary feature that was originally developed to overcome an issue when a PC was trying to obtain a DHCP address and going past the DHCP process before the port had gone into a forwarding state. The portfast feature brought the port into a forwarding state as soon as it came up enabling the PC to obtain a DHCP address. The feature was then standardised and is now called the Edge port.

This is the main point to be remembered.

An interface that has portfast configured on it will skip the listening and learning phases of spanning tree but only when the interface comes up.

Configuring Spanning Tree Portfast

There are two ways of configuring portfast globally and per interface.

In both cases these features are conditional upon incoming BPDUs

If portfast is configured on a port and it receives a BPDU the port will disable the portfast feature.

Another mis-conception is that when portfast is enabled on a port that it will stop sending BPDUs, this is not true the only thing that enabling portfast on a cisco switch does is to disable the listening and learning phases, all other elements are still there. BPDUs will still be sent and BPDUs being received will be processed.

Interface Configuration

To configure an interface with portfast, under the interface configuration simply enter the command spanning-tree portfast
you will receive a warning which I will explain later.

SW1#conf t
SW1#int fa0/23
SW#(config-if)#spanning-tree portfast

%Warning: Portfast should only be enabled on ports connected to a single host. 
Connecting hubs, concentrators, switches, bridges, etc... to this interface 
when portfast is enabled, can cause temporary bridging loops.
Use with caution
%Portfast has been configured on FastEthernet0/23 but will only have effect 
when the interfaceis in a non-trunking mode.

When configuring per-interface you also have the option to configure trunk mode.

SW1(config-if)#spanning-tree portfast ?
disable Disable portfast for this interface
trunk Enable portfast on the interface even in trunk mode
<cr>

SW1(config-if)#spanning-tree portfast

This will also enable portfast on trunk links also.

Global Configuration

To configure portfast globally under global configuration mode enter the command spanning-tree portfast default

This will enable portfast on all operational access ports.

SW1(config)#spanning-tree port
SW1(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.

SW1(config)#

Now this is how you actually configure it, but you also have to be very aware of the operational portfast status of a port. Other features depend on the operational status of portfast for correct operation. One of these is bpduguard.

If configured globally bpduguard will only take effect on ports that have their ports in a portfast operational status.

Irrespective of the configuration on a port the command below will show you the actual portfast operational status.

SW1#sh spanning-tree interface fa0/23 portfast 
VLAN0010 disabled

If we show the configuration on this port you will see that we have actually configured portfast

SW1#sh run int fa0/23
Building configuration...
!
interface FastEthernet0/23
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
end

So why is it disabled? The reason is because the other end of fa0/23 is connected to SW2 the port has received a BPDU and disabled the portfast status

So if we tried to enable bpduguard globally this would  have no effect at all as the portfast status is disabled. This is what we want as if this was an access port and not connected to a switch it would not be receiving BPDUs and thus the portfast status would be enabled. Then when enabling bpduguard it would be operational and be ready to shut down the port if it received any BPDUs on that port indicating that someone had connected a switch to an access port.

BPDU Guard – any received BPDU will cause the port to go into err-disabled state.

Another  feature that interacts with the operational portfast status of a port is BPDU Filter 

The video below from Marco explains the interaction better than I can.

Want to learn more about Network Automation?

Network Automation skills are becoming a must for network engineers of the future. Get started and learn the skills you need with my free resources!

Network Automation Tutorials

The Author

roger perkin ccie network automation engineer
Roger Perkin, (CCIE #50038) is a Senior Network & Security Consultant. Currently working as a Network Automation Engineer for a Cisco Gold Partner
Roger is an evangelist for Network Automation and is continuing to develop skills in Ansible and the Devops culture.

Contact Roger

CCIE

 My CCIE Journey
My CCIE Study Plan
Cisco Continuing Education Program

ROUTING PROTOCOLS

BGP
OSPF

Ansible

Where are Ansible Modules stored
Ansible IOS Command Example
Ansile Backup Cisco Config
How to Install Ansible Tower

Python

Best way to learn Python
Nornir Tutorial
Start using Python for Netowrking

Home Office

Best Vertical Mouse
My Standing Desk
Folding Laptop Stand - Roost
How to clean computer screen and keyboard

Personal Development

How to Focus

Most Visited Pages

Software Upgrade Guides
Wireless Console Cable
Network Automation Tools 
Bose Connect Windows 10
Private VLANs explained
Cisco ISE Overview