In looking for best practices for connecting various sorts of devices to a network, there are many combinations of portfast, bpduguard, and bpdufilter to choose from.
Bpduguard checks for BPDUs entering the network where none are expected: normally a layer-three device is connected, but then someone swaps in a switch, which may create a loop.
Bpdufilter prevents BPDUs from leaving the network. It is used when someone on the other side is listening for BPDUs and you don't want them to see any, because you are certain you will not create a loop.
What I want is to bring a port up fast, without going through the spanning-tree negotiation sequence, while still having the protection that spanning-tree can offer should strange configurations come into play.
The following tables cover scenarios with global bpduguard, global bpdufilter, interface-level bpduguard, and interface-level bpdufilter, all with portfast in place. This is a simple test on two adjacent ports of a switch with a crossover cable between them.
Global bpduguard/bpdufilter enabled:

| interface bpduguard | interface bpdufilter | result |
|---|---|---|
| disabled | disabled | blocking |
| n/a | n/a | err-disable |
| n/a | disabled | err-disable |
| disabled | enabled | crash |
| enabled | enabled | crash |
| enabled | disabled | err-disable |
| | enabled | crash |

No global bpduguard/bpdufilter:

| interface bpduguard | interface bpdufilter | result |
|---|---|---|
| disabled | disabled | blocking |
| disabled | enabled | crash |
| enabled | enabled | crash |
| enabled | disabled | err-disable |
The final combination we came up with is global 'spanning-tree bpduguard' with interface-level 'spanning-tree portfast'.
With 'spanning-tree bpduguard' at the interface level, the interface generates BPDUs continuously. With 'spanning-tree bpduguard' at the global level only, and not at the interface level, BPDUs are generated for 20 seconds after the interface comes up and then no more are generated. This lets the interface be checked for loops during the up transition; after that no further checks are needed, as the interface is deemed to be a good layer-three interface for the duration.
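As an added example (not part of the original post), the following Python script audits a constructed IOS running-config against the result column of the tables above, so that portfast ports that would end up in the "crash" or "blocking" rows can be spotted before a switch is plugged in. The global `spanning-tree portfast bpduguard default` line is the IOS syntax assumed for the global bpduguard setting recommended above, and the interface names are made up.

```python
# Constructed running-config; the global line is the IOS syntax assumed for
# the 'global bpduguard' setting recommended above.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/3
 spanning-tree portfast
 spanning-tree bpduguard disable
!
"""

def parse_config(text):
    """Return (global spanning-tree lines, {interface: set of commands})."""
    global_cmds, interfaces, current = set(), {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:  # a global line or '!' ends the interface block
            current = None
            if line.startswith("spanning-tree "):
                global_cmds.add(line.strip())
    return global_cmds, interfaces

def audit(text):
    """Map each portfast port to the result column of the tables above."""
    global_cmds, interfaces = parse_config(text)
    global_guard = "spanning-tree portfast bpduguard default" in global_cmds
    results = {}
    for name, cmds in interfaces.items():
        if "spanning-tree portfast" not in cmds:
            continue  # not an edge port; normal STP applies
        guard_on = "spanning-tree bpduguard enable" in cmds or (
            global_guard and "spanning-tree bpduguard disable" not in cmds)
        if "spanning-tree bpdufilter enable" in cmds:
            results[name] = "crash"  # filter hides BPDUs, loop undetected
        elif guard_on:
            results[name] = "err-disable"  # guard shuts the port on a BPDU
        else:
            results[name] = "blocking"  # plain STP convergence only
    return results
```

Running `audit(SAMPLE_CONFIG)` flags Gi1/0/2 (interface bpdufilter) as the loop case and Gi1/0/3 (interface bpduguard disabled) as falling back to ordinary blocking, while Gi1/0/1 gets the recommended err-disable protection from the global setting alone.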
For these 'spanning-tree portfast' ports, I have started to apply 'spanning-tree rootguard' as a matter of course.
Eric Leahy has a good reference for BPDU Guard, BPDU Filter, Root Guard, Loop Guard & UDLD settings.