This document explains the PortFast Bridge Protocol Data Unit (BPDU) guard feature. This feature is one of the Spanning Tree Protocol (STP) enhancements. It enhances switch network reliability, manageability, and security.




There are no specific requirements for this document.

Components Used

These software versions introduced the STP PortFast BPDU guard:

Catalyst OS (CatOS) software version 5.4.1 for the Catalyst 4500/4000 (Supervisor Engine II), 5500/5000, 6500/6000, 2926, 2926G, 2948G, and 2980G platforms
IOS® Software Release 12.0(7)XE for the Catalyst 6500/6000 platforms
IOS Software Release 12.1(8a)EW for the Catalyst 4500/4000 Supervisor Engine III
IOS Software Release 12.1(12c)EW for the Catalyst 4500/4000 Supervisor Engine IV
IOS Software Release 12.0(5)WC5 for the Catalyst 2900XL and 3500XL series
IOS Software Release 12.1(11)AX for the Catalyst 3750 series switches
IOS Software Release 12.1(14)AX for the Catalyst 3750 Metro switches
IOS Software Release 12.1(19)EA1 for the Catalyst 3560 series switches
IOS Software Release 12.1(4)EA1 for the Catalyst 3550 series switches
IOS Software Release 12.1(11)AX for the Catalyst 2970 series switches
IOS Software Release 12.1(12c)EA1 for the Catalyst 2955 series switches
IOS Software Release 12.1(6)EA2 for the Catalyst 2950 series switches
IOS Software Release 12.1(11)EA1 for the Catalyst 2950 Long-Reach Ethernet (LRE) switches
IOS Software Release 12.1(13)AY for the Catalyst 2940 series switches

Note: STP PortFast BPDU guard is not available for the Catalyst 8500 series, 2948G-L3, or 4908G-L3 switches.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Refer to Technical Tips Conventions for more information on document conventions.

Feature description

STP configures a meshed topology into a loop-free, tree-like topology. When the link on a bridge port goes up, STP calculation occurs on that port. The result of the calculation is the transition of the port into forwarding or blocking state. The result depends on the position of the port in the network and the STP parameters. This calculation and transition period usually takes about 30 to 50 seconds. During that time, no user data passes via the port. Some user applications can time out during the period.

In order to allow immediate transition of the port into forwarding state, enable the STP PortFast feature. PortFast immediately transitions the port into STP forwarding mode upon linkup. The port still participates in STP, so if the port is to be a part of a loop, the port eventually transitions into STP blocking mode.

As long as the port participates in STP, some device can assume the root bridge function and affect the active STP topology. To assume the root bridge function, the device would be attached to the port and would run STP with a lower bridge priority than that of the current root bridge. If another device assumes the root bridge function in this way, it renders the network suboptimal. This is a simple form of a denial of service (DoS) attack on the network. The temporary introduction and subsequent removal of STP devices with low (0) bridge priority cause a permanent STP recalculation.

The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console. This message is an example:

2000 May 12 15:13:32 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 2/1
2000 May 12 15:13:32 %PAGP-5-PORTFROMSTP:Port 2/1 left bridge port 2/1

Consider this example:

Figure 1


Bridge A has priority 8192 and is the root for the VLAN. Bridge B has priority 16384 and is the backup root bridge for the same VLAN. Bridges A and B, which a Gigabit Ethernet link connects, form the core of the network. Bridge C is an access switch and has PortFast configured on the port that connects to device D. If the other STP parameters are default, the bridge C port that connects to bridge B is in STP blocking state. Device D (PC) does not participate in STP. The dashed arrows indicate the flow of STP BPDUs.

Figure 2


In Figure 2, device D has started to participate in STP. For example, a Linux-based bridge application is launched on a PC. If the priority of the software bridge is 0 or any value below the priority of the root bridge, the software bridge takes over the root bridge function. The Gigabit Ethernet link that connects the two core switches transitions into blocking mode. The transition causes all the data in that VLAN to flow via the 100-Mbps link. If more data flows via the core in the VLAN than the link can accommodate, frames are dropped. The frame drop leads to a connectivity outage.

The STP PortFast BPDU guard feature prevents such a situation. The feature disables the port as soon as bridge C receives the STP BPDU from device D.


You can enable or disable STP PortFast BPDU guard on a global basis, which affects all ports that have PortFast configured. By default, STP BPDU guard is disabled. Issue this command in order to enable STP PortFast BPDU guard on the switch:

CatOS Command

Console> (enable) set spantree portfast bpdu-guard enable
Spantree portfast bpdu-guard enabled on this switch.
Console> (enable)

IOS Software Command

CatSwitch-IOS(config)# spanning-tree portfast bpduguard
CatSwitch-IOS(config)#

When STP BPDU guard disables the port, the port remains in the disabled state unless the port is enabled manually. You can configure a port to reenable itself automatically from the errdisable state. Issue these commands, which set the errdisable-timeout interval and enable the timeout feature:

CatOS Commands

Console> (enable) set errdisable-timeout interval 400
Console> (enable) set errdisable-timeout enable bpdu-guard

IOS Software Commands

CatSwitch-IOS(config)# errdisable recovery cause bpduguard
CatSwitch-IOS(config)# errdisable recovery interval 400

Note: The default timeout interval is 300 seconds and, by default, the timeout feature is disabled.
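When automatic recovery is enabled, a port whose attached device keeps sending BPDUs is disabled again shortly after each recovery. The following is an added example, not part of the original document: it parses console messages in the CatOS format quoted above and flags ports that trip BPDU guard again within one recovery interval. The sample log lines are constructed, and the function names and the 60-second slack are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the CatOS console format quoted in this document.
SAMPLE_LOG = """\
2000 May 12 15:13:32 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 2/1
2000 May 12 15:13:32 %PAGP-5-PORTFROMSTP:Port 2/1 left bridge port 2/1
2000 May 12 15:20:14 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 2/1
2000 May 12 15:26:57 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 2/1
2000 May 12 16:02:10 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 3/7
"""

# Matches only the BPDU guard shutdown message and captures timestamp and port.
EVENT = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"%SPANTREE-2-RX_PORTFAST:.*Disabling (?P<port>\d+/\d+)\s*$"
)

def bpdu_guard_trips(log_text):
    """Return {port: [datetime, ...]} for every BPDU guard shutdown in the log."""
    trips = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            # Collapse padded day fields ("May  2") before parsing.
            ts = datetime.strptime(" ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
            trips[m["port"]].append(ts)
    return {port: sorted(times) for port, times in trips.items()}

def recurring_ports(trips, recovery_interval=400, slack=60):
    """Return {port: re-trip count} for ports disabled again within
    recovery_interval + slack seconds of the previous shutdown, which means
    the BPDU source was still attached when the port was reenabled."""
    flagged = {}
    for port, times in trips.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        hits = [g for g in gaps if g <= recovery_interval + slack]
        if hits:
            flagged[port] = len(hits)
    return flagged

if __name__ == "__main__":
    trips = bpdu_guard_trips(SAMPLE_LOG)
    for port, times in trips.items():
        print(port, [t.isoformat() for t in times])
    print("re-tripping after auto-recovery:", recurring_ports(trips))
```

Set recovery_interval to the configured errdisable timeout (400 seconds in the commands above) so that only shutdowns that follow an automatic recovery are counted.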


In order to verify whether the feature is enabled or disabled, issue this command:

Command output

CatOS Command

Console> (enable) show spantree summary
Root switch for vlans: 3-4.
Portfast bpdu-guard enabled for bridge.
Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.
Summary of Connected Spanning Tree Ports By VLAN:

Vlan  Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
1     0        0         0        1          1
3     0        0         0        1          1
4     0        0         0        1          1
20    0        0         0        1          1

      Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
Total 0        0         0        4          4
Console> (enable)

IOS Software Command

CatSwitch-IOS# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short

Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN               0        0         0        1          1
CatSwitch-IOS#
