The spanning-tree portfast command is a very simple feature but often misunderstood.
In this short post I will explore how this feature behaves, how it works and how to configure it on a Cisco switch.
Portfast is a Cisco proprietary feature that was originally developed to overcome an issue where a PC tried to obtain a DHCP address and went through the DHCP process before the port had gone into a forwarding state. The portfast feature brings the port into a forwarding state as soon as it comes up, enabling the PC to obtain a DHCP address. The feature was then standardised and is now called the Edge port.
This is the main point to be remembered.
An interface that has portfast configured on it will skip the listening and learning phases of spanning tree, but only when the interface comes up.
Configuring Spanning Tree Portfast
There are two ways of configuring portfast: globally and per interface.
In both cases the feature is conditional upon incoming BPDUs.
If portfast is configured on a port and it receives a BPDU, the port will disable the portfast feature.
Another misconception is that a port with portfast enabled stops sending BPDUs. This is not true: the only thing that enabling portfast on a Cisco switch does is skip the listening and learning phases; all other elements are still there. BPDUs will still be sent, and BPDUs that are received will still be processed.
To configure an interface with portfast, simply enter the command spanning-tree portfast under the interface configuration.
You will receive a warning, which I will explain later.
SW1#conf t
SW1(config)#int fa0/23
SW1(config-if)#spanning-tree portfast
%Warning: Portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with caution
%Portfast has been configured on FastEthernet0/23 but will only have effect when the interface is in a non-trunking mode.
When configuring per-interface you also have the option to configure trunk mode.
SW1(config-if)#spanning-tree portfast ?
  disable  Disable portfast for this interface
  trunk    Enable portfast on the interface even in trunk mode
  <cr>
SW1(config-if)#spanning-tree portfast
The trunk option enables portfast on trunk links as well.
To configure portfast globally, enter the command spanning-tree portfast default in global configuration mode.
This will enable portfast on all operational access ports.
SW1(config)#spanning-tree port
SW1(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You should now disable portfast explicitly on switched ports leading to hubs, switches and bridges as they may create temporary bridging loops.
SW1(config)#
Now this is how you actually configure it, but you also have to be very aware of the operational portfast status of a port. Other features depend on the operational status of portfast for correct operation. One of these is bpduguard.
If configured globally, bpduguard will only take effect on ports that are in a portfast operational state.
Irrespective of the configuration on a port, the command below will show you the actual portfast operational status.
SW1#sh spanning-tree interface fa0/23 portfast
VLAN0010 disabled
If we show the configuration on this port, you will see that we have actually configured portfast.
SW1#sh run int fa0/23
Building configuration...
!
interface FastEthernet0/23
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
end
So why is it disabled? The reason is that the other end of fa0/23 is connected to SW2, so the port has received a BPDU and disabled the portfast status.
So if we tried to enable bpduguard globally, this would have no effect at all, as the portfast status is disabled. This is what we want: if this were an access port and not connected to a switch, it would not be receiving BPDUs, and thus the portfast status would be enabled. Then, when bpduguard is enabled, it would be operational and ready to shut down the port if it received any BPDUs on that port, indicating that someone had connected a switch to an access port.
BPDU Guard – any received BPDU will cause the port to go into err-disabled state.
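The comparison above, configured portfast against operational portfast, can be automated across many ports. The Python below is an added example, not part of the original post: it lists ports where portfast is configured but operationally disabled, which are the ports where globally enabled bpduguard will not act. The running-config and status text are constructed samples modelled on the output shown above, and the function names are hypothetical.

```python
import re

# Constructed sample data, modelled on the command output shown in this post.
RUNNING_CONFIG = """\
spanning-tree portfast default
!
interface FastEthernet0/22
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport mode trunk
"""
# Output of "show spanning-tree interface <if> portfast", keyed by interface.
PORTFAST_STATUS = {
    "FastEthernet0/22": "VLAN0001            enabled",
    "FastEthernet0/23": "VLAN0010            disabled",
}

def configured_portfast(config):
    """Interfaces with portfast configured, per interface or via the global default."""
    global_default = bool(re.search(r"^spanning-tree portfast default$", config, re.M))
    ports = set()
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [l.strip() for l in block.splitlines()]
        if not block.startswith("interface ") or "spanning-tree portfast disable" in lines:
            continue
        name = lines[0].split(None, 1)[1]
        explicit = "spanning-tree portfast" in lines or "spanning-tree portfast trunk" in lines
        if explicit or (global_default and "switchport mode access" in lines):
            ports.add(name)
    return ports

def operational(status_output):
    """True only if every VLAN line reports portfast as enabled."""
    states = re.findall(r"^VLAN\d+\s+(\w+)", status_output, re.M)
    return bool(states) and all(s == "enabled" for s in states)

def audit(config, status):
    """Ports configured for portfast whose operational status is disabled."""
    return sorted(p for p in configured_portfast(config) if not operational(status.get(p, "")))

if __name__ == "__main__":
    for port in audit(RUNNING_CONFIG, PORTFAST_STATUS):
        print(f"{port}: portfast configured but not operational; global bpduguard is inactive here")
```

A port reported here has received a BPDU, so it is worth checking what is actually plugged into it.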
Another feature that interacts with the operational portfast status of a port is BPDU Filter.
The video below from Marco explains the interaction better than I can.