Spanning Tree PortFast BPDU Guard Enhancement

Will this solve our problems interconnecting 2 ports configured in 2 different vlans?
TIA

Hi Windell,
STP portfast BPDU guard is the feature which is specifically designed for the ports running stp portfast on them so that a temporary introduction of a switch with lower bridge ID should not disrupt the network topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state.
Please see the link:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
I did not get your question. Can you elaborate more on this?
regards,
-amit singh

Similar Messages

  • Spanning tree portfast

    Hello,
    If I have a port configured as spanning-tree portfast and I plug in another switch instead of a computer, what will happen? Can it create a loop or shut down the port?

    Hello horacio27,
    You can use PortFast on access switch ports or trunk ports that are connected to a single workstation or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state.
    You can use PortFast to connect a single end station or a switch port to a switch port. If you enable PortFast on a port that is connected to another Layer 2 device, such as a switch, you might create network loops.
    To prevent loops in the network, the most secure implementation of PortFast is to enable it only on ports that connect end stations to switches. Because PortFast can be enabled on nontrunking ports connecting two switches, spanning tree loops can occur because BPDUs are still being transmitted and received on those ports.
    PortFast with BPDU guard prevents loops by moving a nontrunking port to the err-disable state.

  • Enable BPDUGuard on Spanning-tree Portfast Trunk Port: Yes or No?

    Hello to all the Cisco Experts,
    I have been searching around to get a confirmed answer as per my subject, but yet unable to come into any conclusion that could help me.
    This is all started when I configured the switchport configuration for my ESXi Server which is a dot1q trunk port. The reference will be as below URL:
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006628
    The configuration of the switchport will be as below:
    interface GigabitEthernet1/0/1
     description ESXi
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 11,15
     switchport mode trunk
     spanning-tree portfast trunk
    end
    The catch is, I had the bpduguard enabled on the global level in my switch = spanning-tree portfast bpduguard default.
    This will enable the bpduguard on the trunk port above due to the switchport is in portfast (the command: spanning-tree portfast trunk).
    Some of the guys in this forum mentioned that it is not recommended to have bpduguard on trunk port and some mentioned it is okay to have this.
    So, what do you all think on this? Any real life experience dealing with this kind of situation that can be shared with us over here?
    Thank you in advance.

    Hi Leo,
    First of all, I would never, ever, consider any comment of yours as being offensive so don't worry, none taken. :)
    Enabling portfast on a trunk is so "yesterday", in my opinion.  If a trunk port(s) or an etherchannel is configured correctly, there's a significant chance portfast is irrelevant.  The speed to get the ports to go from down to passing traffic really boils down to one or two seconds.
    Perhaps this is at the core of our different views. To my best knowledge, without the PortFast, a trunk - be it a single port or an EtherChannel - will become forwarding 30 seconds after entering the up/up state, not less. This is valid for STP, RSTP, and MSTP. In addition, if a new VLAN is created or added to the list of enabled VLANs on the trunk, it may take additional 30 seconds for that VLAN to become operational (forwarding) on that trunk. There is nothing besides PortFast and Proposal/Agreement that can cut down this time: the STP must go over the Listening-Learning-Forwarding sequence, and RSTP/MSTP must go through the Discarding-Learning-Forwarding sequence. The "one or two seconds" you have mentioned is perhaps the combined delay incurred by autonegotiation, LACP/PAgP, and DTP, but STP will take its own time and will not be deterred by any of these mechanisms.
    I see no benefit but mischief when you enable BPDU Guard on an inter-switch link.   
    Absolutely agree. That is why it doesn't make any sense to put a BPDU Guard on an inter-switch link, and I have never suggested doing that. The original post, however, deals with enabling PortFast on a trunk link that does not go to another switch but rather connects to an ESXi server on which, obviously, different virtual machines are bridged onto different VLANs.
    So what is the reaction of the port if you do happen to enable portfast and BPDU guard on an inter-switch link?  Wouldn't the two be a "Jekyll & Hyde", wouldn't it?
    It would be just the same as enabling PortFast and BPDU Guard on an access port that happens to be connected to another switch. Upon link-up, the port would become forwarding immediately, and after receiving a BPDU, it would be shot down to err-disabled. The fact the port is an access port or a trunk port makes no difference here. Just as before, I stress that this kind of configuration simply isn't meant to be used on inter-switch links. However, on trunks connected directly to routers, servers, autonomous APs supporting several SSIDs mapped to different VLANs, even to IP phones (remember the mini-trunk config used on old switches on which the switchport voice vlan command only instructed CDP to advertise the voice VLAN but did not cause the port to accept tagged frames in the voice VLAN so it had to be configured as a trunk?) - in all these situations, the PortFast can be beneficial. The BPDU Guard is a natural protective companion to the PortFast - wherever PortFast is eligible to be configured, the BPDU Guard is a natural additional protection to be activated as well.
    But given the complexity of interconnection of different switches to various stuff going around, we're happy with leaving portfast on a trunk port disabled.
    No argument here - but again, this is about trunks between switches on which I would never suggest using the PortFast or the BPDU Guard. The original post is talking about trunks to end hosts (i.e. edge trunk ports if we extend the terminology a little).
    Best regards,
    Peter

  • Rapid spanning tree / portfast

    Hello together,
    I have a question about rapid spanning tree.
    If I enable per-VLAN rapid spanning tree, do I have to configure portfast on the access ports or is this natively done in RSTP?
    best regards
    lars

    Hi Lars,
    In RSTP, the access ports are known as "edge" ports. To configure a port as an "edge port" you use the same command to enable portfast to do this.
    "Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree portfast interface configuration command, the edge port immediately transitions to the forwarding state. An edge port is the same as a Port Fast-enabled port, and you should enable it only on ports that connect to a single end station."
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12113ea1/3550scg/swmstp.htm
    HTH,
    Bobby
    *Please rate helpful posts.

  • Spanning-tree portfast trunk

    Hi all,
    I read that portfast should only be enabled on access ports, not on trunk ports.
    When is this command used:
    spanning-tree portfast trunk?
    Under what cases will we use the portfast command on a trunk port?
    thanks
    mahesh

    .... and there is one more case:
    you have an access switch full of users and you want to provide them redundancy for internet connection, so you use HSRP for example and now you have a switch connected to 2 or more routers with internet links
    now, those links between switch and routers are also trunks and the topology is like a triangle with the switch on the tip , omitting PCs for now , at this point the only device taken into consideration is the switch - others don't use STP because routers have configured IP addresses on subinterfaces (each for one VLAN) so they break BRdomain and computers don't care about STP. In this case, you are sure that no routing loop can occur because other devices (all of them are L3) are boundary for that L2 segment and arp requests broadcasted in your LAN stay inside.
    What you've just managed to make is faster trunk transition to UP state so after reload of that switch, your users can quickly use network again.

  • Command Info spanning-tree optimize bpdu transmission

    Cannot find any information on CCO, anyone have a link or definition of this command ??

    "spanning-tree optimize bpdu transmission" enables the switch to send multiple BPDUs from the interrupt context thereby reducing the CPU usage for the transmission function.
    Note that not all platforms support it.
    PS: Remember to rate useful posts.

  • Purpose of "spanning-tree portfast trunk"

    We are going to try out two wireless access points.  I won't name the manufacturer.  Their tech support asked for two ports in our Catalyst 3750g to be configured as trunk, dot1q, etc., and with "spanning-tree portfast trunk".  What is the purpose of this?
    Thanks in advance.

    As Inayath has already described, traditional portfast does not apply to trunked ports. In order for a trunked port to take the portfast status, you need to specify the 'trunk' keyword.
    The key thing to understand is why would you use this - trunked ports usually go between switches and you shouldn't be configuring portfast for such connections. However, keep in mind that you usually configure trunked interfaces for connections going to VMs, etc as well. These are typically treated as end hosts but since they may carry multiple VLANs over them, you can configure the port as a trunk.
    In such situations, you can go ahead and configure such trunked ports for portfast status as well.
    Regards,
    Aninda

  • BPDU-STP Discrepancy - Help Please - spanning-tree portfast bpduguard

    Hi,
    I get this discrepancy report from CiscoWorks saying that BPDU-STP is disabled on ports (all the ports on my switch). I have seen a document on this and how to enable this Spanning Tree feature, but I am not really sure if I need to do this or not. What is the benefit in having or not having this feature enabled? If enabled, then won't I get into the port disabling and traffic disruption business? Understanding that there is a time out feature available as well.
    Thx,
    Masood

    Hi Masood.
    STP BPDUGuard is used only on the ports which are set to STP portfast. When portfast is enabled on the switch, the port transitions from blocking --> forwarding as soon as you connect any device on it. If you connect a switch or a bridge, this can cause an STP loop in your network which can bring your entire N/W to a halt.
    STP BPDUguard is specially designed for the edge ports. So as long as you have centralized control of your network devices and no one can connect any device without proper approval (yours), you can have it disabled. But if you understand the potential impact of a switch or a bridge being connected by anyone without proper authority, then you might want to enable it on your switch.
    http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
    HTH, Please rate if it does.
    regards,
    -amit singh

  • How to configure PortFast & BPDU Guard on an Aruba controller.

    Requirement:
    An Aruba controller running 6.4.3.x and above.
    Solution:
    PortFast:
    The PortFast feature causes a switch port or a trunk port to enter the forwarding state directly instead of going through the listening and learning states of STP.
    PortFast is usually configured on an edge port, which means this port should not receive any STP BPDUs.
    If this port receives any STP BPDU, it moves back to normal/regular mode and ends up participating in the listening and learning states.
    BPDU Guard:
    The BPDU Guard feature guards the port against receiving any BPDUs.
    If it detects any incoming BPDUs on the port, it puts the port into ErrDis (Error-Disable).
    The port remains in the ErrDis state until it is manually changed by using the configuration command “shut” followed by “no-shut” applied on this interface.
    Configuration:
    The screenshot below shows the configuration of PortFast for both trunk and access ports.
    The screenshot below shows the configuration of BPDU Guard for switch ports.
    Verification
    We can verify that PortFast is enabled using the commands shown in the screenshot below.
    We can verify that BPDU Guard is enabled using the commands shown in the screenshot below.

    I was having troubles with this as well when a customer had an older Aruba Controller and 2 Access Points. We went with a couple IAP-205s and needed LDAP integration. Using the above configuration there were some additional items needed. I found that I needed the DISPLAY NAME of the admin for the Admin-DN. I had created a user with the first name Aruba and the last name LDAP. This made the DISPLAY NAME "Aruba LDAP". This is what needs to be in the CN= for the Admin-DN.
    I also found there is a difference in using the CN= and OU=. Currently our admin account is in the Users group which is a “Container”. Our actual user accounts are stored in an Organizational Unit with sub OUs as well. So the Admin-DN needed the CN=Users and the Base-DN needed the OU=MyUserOU.
    For the Windows machines I had to download and install the Aruba GTC Shim because the customer was previously using GTC and they were not going to a RADIUS server at the moment. My Android phone and iPhone did not need any additional add-ins for the authentication. On the Windows laptop I am using I needed to manually create a wireless profile with…
    Security Tab > “Choose a network authentication method:” Microsoft: Protected EAP (PEAP)
    Settings > Select “Trusted Root Certification Authorities”: GeoTrust Global CA
    Select Authentication Method: EAP-Token (This is the Aruba GTC Shim)
    This allowed me to use my domain login credentials:
    Username
    Password
    Domain (This is blank because the Base-DN already has this, if anything is put in here the authentication fails)

  • ISE - 802.1X - Loop not detected by spanning-tree

    Hello,
    I have recently implemented 802.1X on 3750-X switches running the 15.0(2)SE IOS version.
    The spanning-tree bpdufilter and bpduguard are globally enabled on the switches.
    A user has created a loop on the network by connecting his Cisco IP-Phone twice to the network: one wire connected normally from the switch to the RJ-45 phone connector, and the second wire that should be connected to the PC had also been connected to the switch!
    The loop created has not been detected by the switch!
    I have made several tests and re-created the problem 3 times out of 4 (only one time, the loop has been detected by bpduguard 20 seconds after the port came up).
    Notice that without 802.1X configured on the same switch port, the loop is quickly detected and ports are err-disabled shutdown.
    Switch port with 802.1X is following :
    interface GigabitEthernet1/0/9
    switchport access vlan 950
    switchport mode access
    switchport nonegotiate
    switchport voice vlan 955
    no logging event link-status
    authentication control-direction in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 950
    authentication event server dead action authorize voice
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    storm-control broadcast level 10.00
    storm-control multicast level 10.00
    spanning-tree portfast
    If I change the host-mode to multi-domain, a MAC violation restriction occurs and shuts down the port. But this is not the config I need.
    Is there any reason why spanning-tree does not work properly with 802.1X?
    Thanks,
    Olivier

    Hello Olivier
    When using bpdufilter, bpduguard and portfast all at the same time there are many things going on which are not well documented. Now when you add 802.1x to the mix then you really have no documentation. I had to do many labs on my own to finally have my configuration, and also discovered some bugs. According to my experience you shouldn't use bpdufilter and you should use bpduguard on the switchport not in the global config.
    Please read the following links about the differences between global and port bpdufilter, differences between global and port bpduguard, configuring bpduguard along with portfast , configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
    http://aitaseller.wordpress.com/2010/01/17/bpdu-filter-vs-bpdu-guard-what-is-the-difference/
    http://costiser.wordpress.com/2011/05/23/subtle-difference-for-portfast-bpdufilter-used-together-globally-or-at-interface-level/
    https://learningnetwork.cisco.com/thread/21103
    http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
    Please rate if this helps

  • The spanning-tree add strange value when I create new Vlans

    Hi,
    On all access switches, spanning-tree adds strange values when I create new VLANs from the Distribution Layer,
    and no association is created with any interface with spanning-tree vlan 700, see below in this example,
    until I reboot the switch.
    Has somebody already seen these values?
    DSFDS112#sh span sum
    Switch is in rapid-pvst mode
    Root bridge for: none
    EtherChannel misconfig guard is enabled
    Extended system ID           is enabled
    Portfast Default             is disabled
    PortFast BPDU Guard Default  is disabled
    Portfast BPDU Filter Default is disabled
    Loopguard Default            is enabled
    UplinkFast                   is disabled
    Stack port is StackPort1
    BackboneFast                 is disabled
    Configured Pathcost method used is long
    Name                   Blocking Listening Learning Forwarding STP Active
    VLAN0001                     0         0        0          3          3
    VLAN0002                     0         0        0         22         22
    VLAN0006                     0         0        0          3          3
    VLAN0007                     0         0        0          8          8
    VLAN0009                     0         0        0          4          4
    VLAN0010                     0         0        0          3          3
    VLAN0011                     0         0        0          3          3
    VLAN0012                     0         0        0          3          3
    VLAN0013                     0         0        0          3          3
    VLAN0090                     0         0        0         15         15
    VLAN0109                     0         0        0          3          3
    VLAN0200                     0         0        0          4          4
    VLAN0300                     0         0        0         26         26
    VLAN0302                     0         0        0          4          4
    VLAN0700               -   253  -1872756560  2087191206  -1872756549  2080375982
    VLAN0702               -   253  -1872756560  2087191206  -1872756549  2080375982
    VLAN0704                     0         0        0          4          4
    VLAN0710               -   253  -1872756560  2087191206  -1872756549  2080375982
    VLAN0816                     0         0        0          3          3
    VLAN0820                     0         0        0          3          3
    20 vlans               -   759  -1323302384  1966606322  -1323302237  1946160764
    DSFDS112#sh span vlan 700
    VLAN0700
      Spanning tree enabled protocol rstp
      Root ID    Priority    4796
                 Address     0008.e3ff.fcbc
                 Cost        10000
                 Port        608 (Port-channel1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    62140  (priority 61440 sys-id-ext 700)
                 Address     885a.9213.6880
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  300 sec
    Interface           Role Sts Cost      Prio.Nbr Type
    Po1                Root FWD 10000     128.608  P2p
    DSFDS112#sh run int Gi1/0/25
    Building configuration...
    Current configuration : 194 bytes
    interface GigabitEthernet1/0/25
     description Station12
     switchport access vlan 700
     switchport mode access
    end
    DSFDS112#sh span interface Gi1/0/25
    no spanning tree info available for GigabitEthernet1/0/25
    DSFDS112#sh int status interface Gi1/0/25
    Port      Name               Status       Vlan       Duplex  Speed Type
    Gi1/0/25  Station12          connected    700          full    100 10/100/1000BaseTX
    Thanks for your help,
    Regards.

    Venki,
    The ORA-00942 is okay because there is no existing object. But what struck me is the ORA-01921 error which may indicate that this might not be a new database.
    CREATE ROLE exp_full_database
    ERROR at line 1:
    ORA-01921: role name 'EXP_FULL_DATABASE' conflicts with another user or role name
    CREATE ROLE imp_full_database
    ERROR at line 1:
    ORA-01921: role name 'IMP_FULL_DATABASE' conflicts with another user or role name
    Are there any existing databases on this server? Have you tried to create it on another machine? I searched on Metalink too and found Doc ID: 237486.1 ORA-29807 Signalled While Creating Database using DBCA, which says that the error could be ignored. You may want to review that as well.
    Ittichai

  • Spanning tree loops

    Hi we are having regular spanning tree issues in our network.
    On our config we do not have bpduguard configured from what I can see? Could this be an issue?
    What can be done centrally on the core switches to remove this threat? Are there default configs that a wise network administrator would apply as standard?
    HELP!

    HI Mike [Pls Rate if HELPS]
    Refer link below for examples and identify redundant links, root and backup root bridge etc..
    http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080136673.shtml#intro
    Refer link for usage guidelines in implementing loopguard, bpdu guard etc..
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.4/configuration/guide/stp_enha.html#wp1019943
    A Cisco router will give you a warning when you configure PortFast:
    SW1(config)#int fast 0/5
    SW1(config-if)#spanning-tree portfast
    %Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
    %Portfast has been configured on FastEthernet0/5 but will only
    have effect when the interface is in a non-trunking mode.
    SW1(config-if)#
    Not only will the switch warn you about the proper usage of PortFast, but you must put the port into access mode before PortFast will take effect.
    But there is a chance - just a chance - that someone is going to manage to connect a switch to a port running Portfast. That could lead to two major problems, the first being the formation of a switching loop. Remember, the reason we have listening and learning modes is to help prevent switching loops. The next problem is that there could be a new root bridge elected - and it could be a switch that isn't even in your network!
    BPDU Guard protects against this disastrous possibility. If any BPDU comes in on a port that's running BPDU Guard, the port will be shut down and placed into error disabled state, shown on the switch as err-disabled. A port placed in err-disabled state must be reopened manually.
    BPDU Guard is off on all ports by default, and is enabled as shown here:
    SW1(config)#int fast 0/5
    SW1(config-if)#spanning-tree bpduguard enable
    It's a good idea to enable BPDU Guard on any port you're running PortFast on. There's no cost in overhead, and it does prevent the possibility of a switch sending BPDUs into a port configured with PortFast - not to mention the possibility of a switch not under your control becoming a root switch to your network!
    Refer link below for Understanding Spanning Tree Protocol:
    http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi2/cwsiug2/vlan2/stpapp.htm
    Hope i am Informative and this HELPS.
    PLS RATE if HELPS
    Best Regards,
    Guru Prasad R

  • BPDU guard - weird situation

    Hi guys,
    This morning an unpleasant surprise happened to me. One of the critical ports was err-disabled because of BPDU guard (device B). This wouldn't be a surprise if this port (on Device B) wasn't configured as an L3 port (I agree that BPDU filter shouldn't be enabled at all here, this is legacy config), and the other end has BPDU filter enabled (Device A). Here is the port config:
    Device A:
    interface GigabitEthernet4/0/24
     switchport access vlan 10
     switchport trunk encapsulation dot1q
     switchport mode access
     switchport nonegotiate
     logging event trunk-status
     spanning-tree bpdufilter enable
    Device B:
    interface GigabitEthernet2/45
     no switchport
     ip address 10.0.0.1 255.255.252.0
     ip helper-address 172.16.249.5
     logging event link-status
     logging event trunk-status
     spanning-tree portfast
     spanning-tree bpduguard enable
    Log from Device B indicating that it was err-disabled:
    Apr 20 20:08:52.336 CETS: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi2/45 with BPDU Guard enabled. Disabling port.
    Apr 20 20:08:52.336 CETS: %PM-4-ERR_DISABLE: bpduguard error detected on Gi2/45, putting Gi2/45 in err-disable state
    Log from Device A indicating that a BPDU was never sent from this port:
    DeviceA#show spanning-tree vlan 10 detail
     Port 186 (GigabitEthernet4/0/24) of VLAN0010 is designated forwarding
       Port path cost 4, Port priority 128, Port Identifier 128.186.
       Designated root has priority 28740, address 001a.6da4.f000
       Designated bridge has priority 28740, address 001a.6da4.f000
       Designated port id is 128.186, designated path cost 0
       Timers: message age 0, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default
       Bpdu filter is enabled
       BPDU: sent 0, received 0
    Has anyone ever had a similar experience? By all logical explanations, this should never happen.
    Thanks

    On the other hand, most SOHO switches do not implement Spanning Tree. If you are concerned about users installing switches, you need to take other precautions as well.
    You can stop the users using a switch to fan out a port, by configuring port security and only allowing one MAC address on the port.
    The BPDU guard will give you some protection against certain malicious user practices, even if the rogue switch does not do Spanning Tree. For example, the user who plugs in a SOHO switch, and then plugs two other ports of that SOHO switch back-to-back with a cross-cable. In this case, your Catalyst will see its own BPDUs circulating round the loop, and will close the port down. (If the SOHO switch is not doing Spanning Tree, then it will pass the BPDUs through transparently.) This is why you should not have bpdu-guard and bpdu-filter on the same port.
    Kevin Dorrell
    Luxembourg

  • BPDU Guard

    Ok, it's been a while since this was discussed, so I wanted to throw out another question about BPDU Guard...
    As is taught in CCNA Security, BPDU Guard is NOT enabled by default.
    If command:
    spanning-tree portfast
    is issued, BPDU Guard is NOT configured automatically, correct?
    Now, I'm confused on the per interface and global config commands.
    If I issue
    spanning-tree bpduguard enable
    from global config, it will be turned on with all ports running portfast that are NOT trunked, correct?
    Final question, what does:
    spanning-tree portfast bpduguard default
    accomplish? Is this a valid command statement? Because if that command is issued, if I do a sho run on a particular interface, and if that command actually turns on bpduguard, shouldn't I see "spanning-tree bpduguard enable"?
    Thanks!

    Question about this topic: why does Cisco LMS 4.0 Best Practice recommend using both BPDUfilter?
    LMS reports a Best Practice Deviation if PortFast is enabled and BPDU-Guard is not enabled on a port. BPDU-Guard prevents spanning-tree loops by moving a port into the errdisable state when a BPDU is received on that port. When you enable BPDU-Guard on the switch, spanning tree shuts down the interfaces that receive BPDUs instead of putting the interfaces into the spanning-tree blocking state. Impact: Cisco recommends that you enable BPDUGuard to block incoming BPDUs on edge devices (end-hosts). The Cisco BPDUGuard feature, when enabled, informs the switch to disable PortFast ports if a BPDU is received on those ports. BPDUGuard can be enabled on each port or globally. When you enable BPDUGuard globally, it applies to all PortFast-enabled ports on the switch.
    LMS reports a Best Practice Deviation when BPDU Filter is not enabled on access ports. Impact: BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states. By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BPDUFilter can be enabled for each port or globally. When you enable BPDUFilter globally, it applies to all PortFast-enabled ports on the switch. When you disable PortFast on a port, the BPDU Filter that was globally enabled on the PortFast enabled port is also disabled.

  • Bpdu guard status still reflected disabled after configuration

    Hi,
    Has anyone encountered after configuring
    (config#)spanning-tree portfast bpduguard default
    bpdu guard status still reflected disabled after configuration using
    #sh spanning-tree summary totals
    Thanks.
    Christina

    BPDU Guard takes effect only on portfast ports. You can therefore think of BPDU guard the same as portfast BPDU guard when a port is a portfast port.
    PortFast BPDU guard can prevent loops by moving a nontrunking port into the errdisable state when a BPDU is received on that port. When the BPDU guard feature is enabled on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the spanning tree blocking state. In a valid configuration, PortFast-configured interfaces do not receive BPDUs. Reception of a BPDU by a PortFast-configured interface signals an invalid configuration, such as connection of an unauthorized device. The BPDU guard feature provides a secure response to invalid configurations, because the administrator must manually put the interface back in service.
    When enabled on the switch, spanning tree applies the PortFast BPDU guard
    feature to all PortFast-configured interfaces.
    Portfast BPDU guard can be enabled or disabled on a global basis, thus
    affecting all ports with portfast configured.
    http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
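
The rules repeated in the threads above (enable BPDU Guard wherever PortFast is on, do not combine BPDU Guard and BPDU Filter on one port, and `spanning-tree portfast bpduguard default` covering every PortFast port) can be checked against a saved running-config. The Python script below is an added example, not code from any poster or from Cisco. The sample config is constructed, the finding names are made up here, and it assumes standard `show running-config` indentation and treats any port without `switchport mode trunk` as non-trunking.

```python
import re

# Constructed sample config (not from a real device). Gi1/0/1 mirrors the
# ESXi trunk quoted on this page; the other ports are invented for the demo.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/1
 description ESXi
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,15
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/5
 switchport mode trunk
end
"""


def parse_config(text):
    """Split a running-config into global lines and per-interface stanzas."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        line = " ".join(raw.split())          # normalise whitespace
        if raw[0].isspace():                  # indented: belongs to a stanza
            if current is not None:
                current.add(line)
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), set())
        else:
            current = None
            global_lines.add(line)
    return global_lines, interfaces


def port_state(lines, global_lines):
    """Return (portfast, bpduguard, bpdufilter) as configured for one port."""
    trunk = "switchport mode trunk" in lines
    if "spanning-tree portfast disable" in lines:
        portfast = False
    elif "spanning-tree portfast trunk" in lines:
        portfast = True
    elif ("spanning-tree portfast" in lines
          or "spanning-tree portfast default" in global_lines):
        # Without the 'trunk' keyword PortFast only takes effect on a
        # non-trunking port (see the IOS warning quoted on this page).
        portfast = not trunk
    else:
        portfast = False

    def feature(name):
        # An interface-level enable/disable overrides the global default,
        # and the global default only applies to PortFast ports.
        if f"spanning-tree {name} enable" in lines:
            return True
        if f"spanning-tree {name} disable" in lines:
            return False
        return portfast and f"spanning-tree portfast {name} default" in global_lines

    return portfast, feature("bpduguard"), feature("bpdufilter")


def audit(text):
    """List (interface, finding) pairs; finding names are local to this example."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for name, lines in interfaces.items():
        portfast, guard, bpdu_filter = port_state(lines, global_lines)
        if portfast and not guard:
            findings.append((name, "PORTFAST_WITHOUT_BPDUGUARD"))
        if guard and bpdu_filter:
            findings.append((name, "BPDUGUARD_WITH_BPDUFILTER"))
    return findings


if __name__ == "__main__":
    for title, cfg in (("as written", SAMPLE_CONFIG),
                       ("with global bpduguard default",
                        "spanning-tree portfast bpduguard default\n" + SAMPLE_CONFIG)):
        print(title)
        for iface, finding in audit(cfg):
            print(f"  {iface}: {finding}")
```

With the global default added, the ESXi-style PortFast trunk is no longer flagged, while the port with an explicit `spanning-tree bpduguard disable` still is.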
