PortFast & BPDU Guard Configuration

When an end device such as a PC, printer, or IP phone is plugged into a switch access port, it must wait up to 50 seconds for Spanning Tree Protocol (STP) to move the port through its Blocking, Listening and Learning states before the port starts forwarding traffic. For end devices that never participate in STP, this delay is unnecessary and causes problems: DHCP timeouts, slow boot, and user complaints that the network is unavailable after plugging in.

PortFast solves this by letting an access port go straight to the Forwarding state. BPDU Guard works alongside PortFast to protect the network: if a BPDU is ever received on a PortFast-enabled port, which in practice means a switch (or some other device running STP) has been connected, the port is immediately shut down so that a rogue switch cannot disrupt the STP topology.

Before starting, complete Spanning Tree Protocol — Root Bridge Election and Assigning VLANs to Switch Ports.

1. The Problem PortFast Solves

Standard STP port states transition through four phases before forwarding traffic. For a switch port connecting two switches, every second of this process matters — it is preventing a loop. But for a PC plugged into an access port, there is no loop risk and no STP participation. The wait is completely wasted time:

STP State    Duration       Activity                             Problem for End Devices
Blocking     Up to 20 sec   Receives BPDUs only                  PC gets no network; its DHCP Discover is not forwarded at all
Listening    15 sec         Participating in STP election        PC still waiting; DHCP client may time out
Learning     15 sec         Building MAC table, no forwarding    PC still cannot send or receive data
Forwarding   Indefinite     Normal operation                     PC finally has network access, up to 50 seconds after plugging in

PortFast makes the port skip Blocking, Listening, and Learning entirely — it goes directly to Forwarding the instant a device is connected. This is safe only on ports that connect to end devices, never to other switches.

PortFast vs Normal STP

Feature                             Normal STP Port                                  PortFast Port
Time to forwarding                  Up to 50 seconds                                 Immediate (about 1 second)
Transitions through                 Blocking → Listening → Learning → Forwarding     Directly to Forwarding
Sends TCN on link up                Yes, triggers a topology change notification     No, unnecessary TCNs are suppressed
Safe for                            Any port type                                    End devices only (PC, printer, IP phone, server)
Risk if used on trunk/switch port   N/A                                              Loop risk; must be protected by BPDU Guard
Critical rule: Never enable PortFast on a trunk port or any port connecting to another switch. If a PortFast-enabled port is connected to a switch, the port enters Forwarding state immediately — before STP can evaluate whether doing so would create a loop. This is exactly what BPDU Guard protects against.

2. BPDU Guard — The Safety Net

BPDUs (Bridge Protocol Data Units) are the control frames that switches send to each other to run STP. An ordinary end device (PC, printer, phone) never sends BPDUs; a switch running STP sends one every hello interval (2 seconds by default). A BPDU arriving on a PortFast port is therefore a reliable sign that a bridging device, not a host, is connected. The reverse is not true: a hub or an unmanaged switch that does not run STP generates no BPDUs of its own, so it is detected only when a BPDU from a device behind it, or this switch's own BPDU reflected back through a loop, arrives on the port.

BPDU Guard watches PortFast-enabled ports for incoming BPDUs. The moment one is received, the port is placed into err-disabled state: the switch brings the link down, stops forwarding on it in every VLAN, logs the event, and leaves the port down until an administrator recovers it (or errdisable recovery does so automatically). This is what makes the feature a control rather than just an alarm: the rogue switch never gets to exchange topology information or carry a loop.

BPDU Guard Trigger Scenarios

What Was Connected                                     BPDU Sent?     BPDU Guard Action                                                                  Result
PC, laptop, printer                                    No             None; port stays up                                                                Normal operation
Switch running STP (managed, or unmanaged with STP on) Yes            Port immediately err-disabled                                                      Port shut down; rogue switch isolated, loop prevented
Hub or unmanaged switch that does not run STP          Not its own    None until a BPDU from a device behind it, or a looped-back BPDU, reaches the port  Port stays up; BPDU Guard alone does not detect it
IP phone (CDP only, no STP)                            No             None; port stays up                                                                Normal operation
err-disabled explained: An err-disabled port has been shut down by the switch software in response to a detected error: the link is brought down and no traffic is forwarded. It is different from an administratively disabled port (the shutdown command), and because the port is not administratively shut, a plain no shutdown does nothing; you must shutdown first, then no shutdown. show interfaces reports "down, line protocol is down (err-disabled)", show interfaces status reports "err-disabled", while show ip interface brief reports only down/down, so use show interfaces status to see the reason. Recovery is manual or through errdisable recovery.
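To make the trigger table concrete, here is an added Python example (not code from the NetsTuts page) that builds an IEEE 802.1D Configuration BPDU as it appears on the wire, parses it back, and applies the BPDU Guard decision to a frame. The source MAC, bridge priorities and the sample "PC frame" are constructed for illustration; the root bridge ID reuses the priority 4097 / 0001.0001.0001 values shown in the verification output later on this page. The code makes visible what the guard keys on: destination 01:80:C2:00:00:00 and LLC SAPs 0x42/0x42, which no host traffic uses.

```python
"""Added example (not from the NetsTuts page): encode and decode an IEEE 802.1D
Configuration BPDU and apply the BPDU Guard decision to a frame.  MAC addresses,
bridge priorities and the sample PC frame are constructed for illustration."""
import struct

STP_MCAST = bytes.fromhex("0180c2000000")   # reserved group address every BPDU is sent to
LLC_STP = bytes([0x42, 0x42, 0x03])         # DSAP 0x42, SSAP 0x42, UI control field

def mac(text):
    """Accept Cisco 0001.0001.0001 or colon notation and return 6 raw bytes."""
    return bytes.fromhex(text.replace(".", "").replace(":", ""))

def bridge_id(priority, addr):
    """8-byte bridge ID: 16-bit priority (with extended system ID) + 48-bit MAC."""
    return struct.pack("!H", priority) + mac(addr)

def build_config_bpdu(src_mac, root_prio, root_mac, bridge_prio, bridge_mac,
                      port_id=0x8001, root_cost=0):
    """802.3 frame: dst, src, length, LLC header, then the 35-byte Configuration BPDU."""
    bpdu = struct.pack("!HBBB", 0x0000, 0x00, 0x00, 0x00)  # protocol id, version, type=config, flags
    bpdu += bridge_id(root_prio, root_mac)
    bpdu += struct.pack("!I", root_cost)
    bpdu += bridge_id(bridge_prio, bridge_mac)
    # port id, then timers in 1/256 s units: message age 0, max age 20, hello 2, forward delay 15
    bpdu += struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    payload = LLC_STP + bpdu
    return STP_MCAST + mac(src_mac) + struct.pack("!H", len(payload)) + payload

def parse_bpdu(frame):
    """Return the interesting BPDU fields, or None if the frame is not an STP BPDU.
    RSTP (version 2) BPDUs share the same first 35 bytes, so they decode too."""
    if len(frame) < 14 + 3 + 35:
        return None
    dst, src, length = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if dst != STP_MCAST or length > 1500 or frame[14:17] != LLC_STP:
        return None
    b = frame[17:17 + 35]
    proto, version, btype, flags = struct.unpack("!HBBB", b[:5])
    if proto != 0:
        return None
    root_prio = struct.unpack("!H", b[5:7])[0]
    root_cost = struct.unpack("!I", b[13:17])[0]
    br_prio = struct.unpack("!H", b[17:19])[0]
    port_id, msg_age, max_age, hello, fwd = struct.unpack("!HHHHH", b[25:35])
    return {
        "src": src.hex(), "version": version, "type": btype, "flags": flags,
        "root": (root_prio, b[7:13].hex()), "root_cost": root_cost,
        "bridge": (br_prio, b[19:25].hex()), "port_id": port_id,
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello": hello / 256, "forward_delay": fwd / 256,
    }

def bpdu_guard_action(frame, bpduguard_enabled):
    """The trigger table in one function: any BPDU on a guarded port err-disables it;
    everything else (and any frame on an unguarded port) is forwarded normally."""
    if bpduguard_enabled and parse_bpdu(frame) is not None:
        return "err-disable"
    return "forward"

if __name__ == "__main__":
    rogue = build_config_bpdu("0c00.0000.0b0b", 4097, "0001.0001.0001", 32769, "0c00.0000.0b0b")
    print(parse_bpdu(rogue))
    print(bpdu_guard_action(rogue, True))     # err-disable
```

bpdu_guard_action models only the decision. On a real switch the same frame also arrives from a rogue device that merely relays a downstream switch's BPDUs, which is why the caveat above about STP-less unmanaged switches matters: with no BPDU on the wire there is nothing for the guard to match.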

3. Lab Scenario

NetsTuts_SW1 has three types of ports to configure:

Port               Connected To              VLAN                       PortFast   BPDU Guard
Fa0/1 - Fa0/10     End-user PCs              10                         Yes        Yes
Fa0/11 - Fa0/20    IP Phones + PCs           20 (data) + 100 (voice)    Yes        Yes
Gi0/1              NetsTuts_SW2 (uplink)     Trunk                      No         No

4. Step 1 — Enable PortFast Per Interface

The most common and recommended approach is to enable PortFast explicitly on each access port. This gives precise control over which ports have PortFast enabled.

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── PortFast on a single access port ─────────────────────
NetsTuts_SW1(config)#interface FastEthernet0/1
NetsTuts_SW1(config-if)#description PC-VLAN10-User1
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 10
NetsTuts_SW1(config-if)#spanning-tree portfast
NetsTuts_SW1(config-if)#spanning-tree bpduguard enable
NetsTuts_SW1(config-if)#exit
  
PortFast and BPDU Guard enabled together on Fa0/1. IOS will display a warning about PortFast — this is expected and informational only.

IOS Warning When Enabling PortFast

NetsTuts_SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only have effect
 when the interface is in a non-trunking mode.
  
This warning appears every time PortFast is enabled on an interface. It is informational — not an error. BPDU Guard is the mechanism that enforces the safety requirement described in the warning.

Enable PortFast on a Range of Access Ports

NetsTuts_SW1(config)#interface range FastEthernet0/1 - 10
NetsTuts_SW1(config-if-range)#description PC-VLAN10
NetsTuts_SW1(config-if-range)#switchport mode access
NetsTuts_SW1(config-if-range)#switchport access vlan 10
NetsTuts_SW1(config-if-range)#spanning-tree portfast
NetsTuts_SW1(config-if-range)#spanning-tree bpduguard enable
NetsTuts_SW1(config-if-range)#exit
  
Applying PortFast and BPDU Guard to all 10 ports at once using interface range. Efficient for bulk access port configuration.

5. Step 2 — Global PortFast and BPDU Guard (Optional)

Cisco IOS can also enable PortFast and BPDU Guard globally, so that every access port gets them without per-interface commands. This is convenient but needs one discipline: any port that connects to another switch must actually be trunking (or carry spanning-tree portfast disable), because a switch-to-switch link left in access mode receives PortFast like any other access port.

Enable PortFast Globally (Access Ports Only)

NetsTuts_SW1(config)#spanning-tree portfast default
  
Enables PortFast by default on all non-trunking ports. Ports that are operationally trunking are excluded; any port in access mode (or a dynamic port that has not negotiated a trunk) gets PortFast. On newer IOS releases the command is entered as spanning-tree portfast edge default and the per-interface form as spanning-tree portfast edge; check spanning-tree portfast ? on your release and look at how the running config stores it.

Enable BPDU Guard Globally

NetsTuts_SW1(config)#spanning-tree portfast bpduguard default
  
Enables BPDU Guard on every port where PortFast is operational. Paired with spanning-tree portfast default, every access port automatically gets both. Two precedence rules matter: the global command follows PortFast, so a port where PortFast is inactive (a trunk, or a port with spanning-tree portfast disable) gets no BPDU Guard from it; the per-interface spanning-tree bpduguard enable applies regardless of PortFast state, and spanning-tree bpduguard disable on an interface overrides the global default.

Global vs Per-Interface — Comparison

Method                      Command                                                           Scope                                  Best For
Per-interface PortFast      spanning-tree portfast                                            Single interface or range              Precise control; recommended in production
Per-interface BPDU Guard    spanning-tree bpduguard enable                                    Single interface or range              Precise control; works with or without PortFast
Global PortFast             spanning-tree portfast default                                    All non-trunking ports                 Bulk configuration; all access ports in one command
Global BPDU Guard           spanning-tree portfast bpduguard default                          All ports with PortFast operational    Automatic protection; pairs with global PortFast
Opting a port out           spanning-tree portfast disable / spanning-tree bpduguard disable  Single interface                       Uplinks, or any port that might ever face another switch
Disabling PortFast on a specific port when global PortFast is enabled: use no spanning-tree portfast or, more explicitly, spanning-tree portfast disable on the individual interface. Do this for any port that might occasionally be used as a trunk or connected to another switch; with PortFast gone, the global BPDU Guard default no longer applies to that port either, so add spanning-tree bpduguard enable there if you still want it guarded.

6. Complete Configuration

! ══════════════════════════════════════════════════════════
! NetsTuts PortFast & BPDU Guard Baseline — NetsTuts_SW1
! ══════════════════════════════════════════════════════════

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Global PortFast and BPDU Guard (all access ports) ────
NetsTuts_SW1(config)#spanning-tree portfast default
NetsTuts_SW1(config)#spanning-tree portfast bpduguard default

! ── Access ports — VLAN 10 user PCs ─────────────────────
NetsTuts_SW1(config)#interface range FastEthernet0/1 - 10
NetsTuts_SW1(config-if-range)#description PC-VLAN10
NetsTuts_SW1(config-if-range)#switchport mode access
NetsTuts_SW1(config-if-range)#switchport access vlan 10
NetsTuts_SW1(config-if-range)#exit

! ── Access ports — VLAN 20 + Voice ───────────────────────
NetsTuts_SW1(config)#interface range FastEthernet0/11 - 20
NetsTuts_SW1(config-if-range)#description IPPhone-VLAN20
NetsTuts_SW1(config-if-range)#switchport mode access
NetsTuts_SW1(config-if-range)#switchport access vlan 20
NetsTuts_SW1(config-if-range)#switchport voice vlan 100
NetsTuts_SW1(config-if-range)#exit

! ── Uplink trunk — NO PortFast ───────────────────────────
NetsTuts_SW1(config)#interface GigabitEthernet0/1
NetsTuts_SW1(config-if)#description Trunk-to-NetsTuts_SW2
NetsTuts_SW1(config-if)#switchport trunk encapsulation dot1q
NetsTuts_SW1(config-if)#switchport mode trunk
NetsTuts_SW1(config-if)#switchport nonegotiate
NetsTuts_SW1(config-if)#spanning-tree portfast disable
NetsTuts_SW1(config-if)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
  
Global PortFast and BPDU Guard cover all access ports automatically. The trunk uplink has PortFast explicitly disabled as a safety measure: trunking ports are already excluded from global PortFast, but the explicit command survives if someone later changes the port mode, and it makes the intent obvious in the configuration. switchport nonegotiate stops DTP from being used to talk the uplink into a different mode. One platform note: switchport trunk encapsulation dot1q is needed only on switches that also support ISL (3560/3750 class); the 2960 series supports 802.1Q only and rejects the command, so omit it there.
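The precedence rules from the last two sections (per-interface commands win; global PortFast skips trunking ports; global BPDU Guard only follows operational PortFast) are easy to get wrong during audits, so here is an added Python example, not code from the NetsTuts page, that applies them to a running-config and reports ports that violate the rules stated above. SAMPLE_CONFIG is a constructed config modelled on the NetsTuts_SW1 baseline with three deliberate mistakes added for the audit to find; the hostnames and interface names are illustrative. It also accepts the newer spanning-tree portfast edge spelling.

```python
"""Added example (not from the NetsTuts page): audit a Cisco IOS running-config
against the PortFast / BPDU Guard rules described on the page.  SAMPLE_CONFIG is
constructed from the NetsTuts_SW1 baseline with three mistakes for the audit to find."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport access vlan 10
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast disable
!
interface GigabitEthernet0/2
 switchport mode trunk
 spanning-tree portfast
!
"""

@dataclass
class Port:
    name: str
    mode: str = "dynamic"                  # Catalyst default is dynamic auto (DTP)
    portfast_cfg: Optional[str] = None     # "enable" | "disable" | "trunk"
    bpduguard_cfg: Optional[str] = None    # "enable" | "disable"

PORTFAST_RE = re.compile(r"spanning-tree portfast(?: edge)?(?: (disable|trunk))?")

def parse_config(text):
    """Collect the global defaults and the per-interface STP commands."""
    g = {"portfast_default": False, "bpduguard_default": False}
    ports, cur = {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1]
            cur = ports[name] = Port(name)
        elif not raw.startswith(" "):                     # back at global config level
            cur = None
            if re.fullmatch(r"spanning-tree portfast(?: edge)? default", raw):
                g["portfast_default"] = True
            elif re.fullmatch(r"spanning-tree portfast(?: edge)? bpduguard default", raw):
                g["bpduguard_default"] = True
        elif cur is not None:
            cmd = raw.strip()
            m = PORTFAST_RE.fullmatch(cmd)
            if cmd.startswith("switchport mode "):
                cur.mode = cmd.split()[2]
            elif m:
                cur.portfast_cfg = m.group(1) or "enable"
            elif cmd in ("spanning-tree bpduguard enable", "spanning-tree bpduguard disable"):
                cur.bpduguard_cfg = cmd.split()[-1]
    return g, ports

def effective_state(g, p):
    """Operational (portfast, bpduguard) for one port under the IOS precedence rules."""
    trunking = p.mode == "trunk"
    if p.portfast_cfg == "disable":
        portfast = False
    elif p.portfast_cfg == "trunk":
        portfast = True                                  # explicit PortFast on a trunk
    elif p.portfast_cfg == "enable":
        portfast = not trunking                          # "only has effect in non-trunking mode"
    else:
        portfast = g["portfast_default"] and not trunking
    if p.bpduguard_cfg is not None:
        bpduguard = p.bpduguard_cfg == "enable"          # independent of PortFast
    else:
        bpduguard = g["bpduguard_default"] and portfast  # global default follows PortFast
    return portfast, bpduguard

def audit(text):
    """Return (port, finding) pairs for every rule the page states."""
    g, ports = parse_config(text)
    findings = []
    for p in ports.values():
        portfast, bpduguard = effective_state(g, p)
        if p.mode == "trunk" and p.portfast_cfg in ("enable", "trunk"):
            findings.append((p.name, "PortFast configured on a trunk: use spanning-tree portfast disable"))
        if p.mode == "dynamic":
            findings.append((p.name, "no explicit switchport mode: DTP could negotiate a trunk"))
        if p.mode == "access" and not portfast:
            findings.append((p.name, "access port without PortFast: hosts wait for STP convergence"))
        if portfast and not bpduguard:
            findings.append((p.name, "PortFast without BPDU Guard: a rogue switch here is not err-disabled"))
    return findings

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG):
        print(f"{port}: {finding}")
```

Run against a real export with audit(open("sw1.cfg").read()). The dynamic-mode finding is deliberate: a port with no explicit switchport mode still gets global PortFast while it is not trunking, but DTP can negotiate it into a trunk and silently take both PortFast and the global BPDU Guard away.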

7. Recovering from err-disabled State

When BPDU Guard triggers on a port, the port is placed into err-disabled state and a syslog message is generated:

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/5 with BPDU Guard
  enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/5, putting Fa0/5 in err-disable state
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down
  
Four log messages appear in sequence: BPDU Guard triggers, the port is err-disabled, then the line protocol goes down, then the interface goes down. Check show logging to see these messages and Syslog Configuration to forward them to a central server.

Verify err-disabled State

NetsTuts_SW1#show interfaces FastEthernet0/5 status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/5                        err-disabled 10         auto    auto  10/100BaseTX
  
NetsTuts_SW1#show interfaces FastEthernet0/5
FastEthernet0/5 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 0012.3456.0005
  ...
  
NetsTuts_SW1#show errdisable recovery
ErrDisable Reason            Timer Status   Timer Interval
--------------------------   -------------- --------------
bpduguard                    Disabled       300
  
show errdisable recovery shows that automatic recovery for bpduguard is disabled by default — manual recovery is required.

Method 1: Manual Recovery (Recommended)

NetsTuts_SW1#conf t
! ── 1. Remove the rogue switch first ─────────────────────
! ── 2. Shut the port, then bring it back ─────────────────
NetsTuts_SW1(config)#interface FastEthernet0/5
NetsTuts_SW1(config-if)#shutdown
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#end
NetsTuts_SW1#
%LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
  
Always remove the rogue device first. If the switch is still connected when you do no shutdown, BPDU Guard will trigger again immediately and the port will be err-disabled again within seconds.

Method 2: Automatic err-disabled Recovery

NetsTuts_SW1(config)#errdisable recovery cause bpduguard
NetsTuts_SW1(config)#errdisable recovery interval 300
  
Configures automatic recovery: the port is re-enabled after the interval (default 300 seconds; range 30 to 86400). The interval is one global timer shared by every enabled err-disable cause, not a per-cause value. If the rogue switch is still connected the port is err-disabled again within seconds of each recovery and keeps cycling, which fills the log without fixing anything, so treat auto-recovery as a convenience for transient mistakes rather than a substitute for finding the device.
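The four-message sequence at the top of this section, and the recovery cycling just described, are exactly what a detection rule should key on. Here is an added Python example, not code from the NetsTuts page, that parses BPDU Guard events out of syslog collected from IOS switches and escalates a port that keeps re-triggering, which is what a rogue switch left plugged in behind errdisable auto-recovery looks like. SAMPLE_LOG is constructed: hostnames, timestamps and ports are illustrative, and the lines omit the sequence numbers a real collector may prepend.

```python
"""Added example (not from the NetsTuts page): detection logic for BPDU Guard
events in syslog collected from Cisco IOS switches.  SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
NetsTuts_SW1 Mar  1 10:02:11: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/5 with BPDU Guard enabled. Disabling port.
NetsTuts_SW1 Mar  1 10:02:11: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/5, putting Fa0/5 in err-disable state
NetsTuts_SW1 Mar  1 10:02:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
NetsTuts_SW1 Mar  1 10:07:12: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/5
NetsTuts_SW1 Mar  1 10:07:15: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/5 with BPDU Guard enabled. Disabling port.
NetsTuts_SW1 Mar  1 10:07:15: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/5, putting Fa0/5 in err-disable state
NetsTuts_SW1 Mar  1 10:12:16: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/5
NetsTuts_SW1 Mar  1 10:12:19: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/5 with BPDU Guard enabled. Disabling port.
NetsTuts_SW1 Mar  1 10:12:19: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/5, putting Fa0/5 in err-disable state
NetsTuts_SW2 Mar  1 11:30:02: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/12 with BPDU Guard enabled. Disabling port.
NetsTuts_SW2 Mar  1 11:30:02: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/12, putting Gi0/12 in err-disable state
NetsTuts_SW2 Mar  1 11:30:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/12, changed state to down
"""

# "<host> <Mmm dd hh:mm:ss>: %FACILITY-SEVERITY-MNEMONIC: text"
LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}):\s+"
                     r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s+(?P<text>.*)$")
PORT_RE = re.compile(r"Received BPDU on port (?P<port>\S+) with BPDU Guard enabled")

def parse_events(log):
    """(host, port, timestamp) for every BPDU Guard trigger in the log."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["mnemonic"] != "SPANTREE-2-BLOCK_BPDUGUARD":
            continue
        p = PORT_RE.search(m["text"])
        if p:
            # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
            events.append((m["host"], p["port"], datetime.strptime(m["ts"], "%b %d %H:%M:%S")))
    return events

def analyse(log, flap_window=timedelta(minutes=15), flap_threshold=3):
    """One alert per (switch, port); repeated triggers inside flap_window escalate it."""
    per_port = defaultdict(list)
    for host, port, ts in parse_events(log):
        per_port[(host, port)].append(ts)
    alerts = []
    for (host, port), stamps in per_port.items():
        stamps.sort()
        span = stamps[-1] - stamps[0]
        alert = {"host": host, "port": port, "count": len(stamps), "first": stamps[0],
                 "last": stamps[-1], "severity": "high",
                 "reason": f"BPDU received on access port {port}: possible rogue switch"}
        if len(stamps) >= flap_threshold and span <= flap_window:
            alert["severity"] = "critical"
            alert["reason"] = (f"{port} err-disabled {len(stamps)} times in {span}: rogue device "
                               "still connected behind errdisable auto-recovery; unplug it before recovering")
        alerts.append(alert)
    return sorted(alerts, key=lambda a: (a["host"], a["port"]))

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['host']} {a['reason']}")
```

The rule keys on %SPANTREE-2-BLOCK_BPDUGUARD rather than %PM-4-ERR_DISABLE because the PM message is shared by every err-disable cause (link-flap, port security, UDLD) and would need the "bpduguard" word parsed out separately; the SPANTREE message is unambiguous and names the port in its long form. Feed it the same messages the switch forwards once Syslog Configuration is in place.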

8. Verification

show spanning-tree interface FastEthernet0/1 portfast

NetsTuts_SW1#show spanning-tree interface FastEthernet0/1 portfast
VLAN0010            enabled
  
Confirms PortFast is active on Fa0/1 for VLAN 10. "enabled" means PortFast is operational on this port.

show spanning-tree interface FastEthernet0/1 detail

NetsTuts_SW1#show spanning-tree interface FastEthernet0/1 detail
 Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 4097, address 0001.0001.0001
   Designated bridge has priority 4097, address 0001.0001.0001
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
  
"The port is in the portfast mode" is the line that confirms PortFast is operational (newer releases print "portfast edge mode"). When BPDU Guard applies to the interface the same output also shows "Bpdu guard is enabled" ("enabled by default" when it comes from the global command). The "forward delay 0" in the Timers line is only the current timer count, which reads zero on any port that is already forwarding, so it is not by itself proof that the delay was skipped.

show spanning-tree summary

NetsTuts_SW1#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0010 VLAN0020
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0010                     0         0        0         10         10
VLAN0020                     0         0        0         10         10
  
"Portfast Default is enabled" and "PortFast BPDU Guard Default is enabled" confirm the global configuration is active. The per-VLAN counters show every active port in Forwarding, with nothing stuck in Blocking, Listening or Learning.

show running-config interface FastEthernet0/1

NetsTuts_SW1#show running-config interface FastEthernet0/1
!
interface FastEthernet0/1
 description PC-VLAN10-User1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
  

Verification Command Summary

Command                                           What It Confirms
show spanning-tree interface [int] portfast       PortFast status on a specific interface, per VLAN
show spanning-tree interface [int] detail         Detailed STP info including "The port is in the portfast mode" and "Bpdu guard is enabled"
show spanning-tree summary                        Global PortFast and BPDU Guard status, port state counts per VLAN
show interfaces [int] status                      Shows "err-disabled" if BPDU Guard has triggered on the port
show errdisable recovery                          err-disable causes and whether auto-recovery is configured for each
show logging                                      BPDU Guard trigger events and err-disabled log messages

9. Troubleshooting PortFast & BPDU Guard Issues

Problem                                        Symptom                                                Cause                                                                                                              Fix
Port immediately err-disabled after recovery   Port comes up then drops again within seconds          Rogue switch is still connected; BPDU Guard triggers again immediately                                            Disconnect the switch first, then recover the port with shutdown / no shutdown
DHCP timeout on PC boot                        PC takes 30-60 seconds to get an IP after connecting   PortFast not enabled; port goes through full STP convergence                                                      Enable spanning-tree portfast on the access port
PortFast not working on a port                 Port still waits ~30 seconds before forwarding         Port is trunking; plain spanning-tree portfast only operates in non-trunking mode                                  Ensure switchport mode access is set before spanning-tree portfast. For a trunk that faces a single host (hypervisor, server), spanning-tree portfast trunk exists; never use it toward another switch
Loop risk: PortFast on wrong port              PortFast enabled on a trunk or inter-switch link       PortFast on a non-access port; a loop could form before STP acts                                                  Remove PortFast with spanning-tree portfast disable and ensure BPDU Guard is enabled
BPDU Guard not triggering                      Rogue switch connected but port stays up               BPDU Guard not configured on the port, or the rogue device does not run STP and sends no BPDUs (unmanaged switch, hub)   Add spanning-tree bpduguard enable on the interface, or globally with spanning-tree portfast bpduguard default; for STP-less devices rely on port security (MAC limits) as well
Port shows err-disabled but no rogue switch    A legitimate device caused BPDU Guard to trigger       Device (e.g. an IP phone with an embedded switch, or a host running a bridging virtual switch) sends BPDUs         Identify the device; if it genuinely bridges, it does not belong on a PortFast/BPDU Guard access port. Recover with shutdown / no shutdown

Key Points & Exam Tips

  • PortFast allows an access port to skip STP Listening and Learning states and go directly to Forwarding — reducing the wait from up to 50 seconds to approximately 1 second.
  • PortFast is only safe on ports connected to end devices (PCs, printers, IP phones, servers). Never enable it on trunk ports or inter-switch links.
  • PortFast also suppresses Topology Change Notifications (TCNs) when the port comes up — preventing unnecessary MAC table flushes across the network.
  • BPDU Guard places a PortFast-enabled port into err-disabled state the instant a BPDU is received — protecting against rogue switch connections.
  • An err-disabled port is shut down by the switch until it is recovered: link down, no forwarding in any VLAN. Recovery requires shutdown followed by no shutdown, after removing the offending device.
  • Per-interface: spanning-tree portfast and spanning-tree bpduguard enable. Global: spanning-tree portfast default and spanning-tree portfast bpduguard default.
  • spanning-tree portfast default only applies to ports in access mode — trunk ports are automatically excluded.
  • show spanning-tree summary shows whether global PortFast and BPDU Guard are enabled. Look for "Portfast Default is enabled" and "PortFast BPDU Guard Default is enabled".
  • Automatic err-disabled recovery (errdisable recovery cause bpduguard) is available but use with caution — if the rogue switch is still connected, the port will keep cycling between up and err-disabled.
  • On the CCNA exam, know the difference between BPDU Guard (err-disables the port) and BPDU Filter (suppresses BPDUs on PortFast ports — less commonly tested but important to distinguish). Also review RSTP which converges much faster than classic STP and works alongside PortFast.
Next Steps: With PortFast and BPDU Guard protecting access ports, continue to EtherChannel (LACP) Configuration to bundle multiple physical links between switches without STP blocking them. For per-port security controlling which devices can connect, see Port Security & Sticky MAC. For Layer 2 security against rogue DHCP servers on access ports, see DHCP Snooping & Dynamic ARP Inspection.

TEST WHAT YOU LEARNED

1. A PC is connected to a switch access port without PortFast. The PC sends a DHCP request immediately on boot. Why might the PC fail to get an IP address?

Correct answer is B. Without PortFast, the port goes through Blocking (up to 20s), Listening (15s), and Learning (15s) before reaching Forwarding. During these phases, no frames are forwarded — including DHCP Discover packets. A typical DHCP client has a timeout of 30–60 seconds. If the DHCP request is sent before the port reaches Forwarding state, it is dropped and the client may time out before the port is ready. PortFast solves this by sending the port directly to Forwarding.

2. An engineer enables PortFast globally with spanning-tree portfast default. A trunk port exists on the switch configured with switchport mode trunk. Will PortFast activate on the trunk port?

Correct answer is C. The spanning-tree portfast default global command automatically excludes trunk ports. IOS only activates PortFast on ports that are in non-trunking (access) mode. However, as a best practice, it is still recommended to explicitly add spanning-tree portfast disable to trunk ports to make the intent clear in the configuration.

3. An employee plugs a small unmanaged switch into an access port that has PortFast and BPDU Guard enabled. What happens immediately?

Correct answer is D. A switch that runs STP sends a BPDU within its 2-second hello interval of the link coming up, and BPDU Guard triggers on the first one regardless of whether the switch is managed or unmanaged: the port is placed into err-disabled state, stopping all forwarding and keeping the rogue switch out of the STP topology. One real-world caveat: many cheap unmanaged switches do not run STP at all and send no BPDUs of their own. Such a device is caught only when a BPDU from a device behind it, or the access switch's own BPDU reflected back through a loop, reaches the port, which is why port security belongs alongside BPDU Guard on access ports.

4. A port is in err-disabled state due to BPDU Guard. An engineer runs no shutdown on the port without removing the rogue switch. What happens?

Correct answer is A. BPDU Guard is always active on the port — it does not have a "used once" limitation. When the port comes back up, the rogue switch immediately sends a BPDU (STP Hello timer is 2 seconds), and BPDU Guard triggers again instantly. This cycle repeats indefinitely until the rogue switch is physically disconnected. Always remove the offending device before recovering the port.

5. What is the difference between BPDU Guard and BPDU Filter?

Correct answer is C. BPDU Guard is the security feature — it detects unexpected BPDUs on PortFast ports and shuts the port down to protect the STP topology. BPDU Filter suppresses BPDU transmission and ignores incoming BPDUs on PortFast ports — effectively making STP unaware of that port. BPDU Filter can be dangerous because if a switch is connected, neither side sees the other's BPDUs and the loop detection mechanism fails. BPDU Guard is the recommended option for access port protection.

6. Which command confirms that PortFast is actively running on a specific interface?

Correct answer is B. show spanning-tree interface [int] detail includes the line "The port is in the portfast mode" when PortFast is actively running on that port. show spanning-tree summary only shows whether global PortFast is enabled — not per-interface status. show running-config shows configuration but not operational state.

7. An engineer configures spanning-tree portfast on a trunk port by mistake. What is the risk?

Correct answer is D. IOS accepts spanning-tree portfast on a trunk port (with the warning shown earlier) but the command has no effect while the port is trunking; if the port later drops to access mode, PortFast activates on a link that faces a switch. What BPDU Guard does depends on how it was applied: the per-interface spanning-tree bpduguard enable is independent of PortFast and would err-disable the trunk on the first BPDU from the neighbour, whereas the global default follows operational PortFast and stays inactive on the trunk. Always verify the port mode before enabling PortFast.

8. Why does PortFast suppress Topology Change Notifications (TCNs) when a port comes up?

Correct answer is A. In 802.1D a Topology Change Notification (TCN) makes every switch in the STP domain age its MAC table entries out after the forward-delay time (15 seconds) instead of the normal 300 seconds; in RSTP a topology change flushes the affected entries immediately. Either way the result is a burst of unknown-unicast flooding until the tables are relearned. In a large office where dozens of PCs connect and disconnect daily, every event would send a TCN that disrupts the whole network. PortFast treats the port as an edge port and does not generate TCNs for its state changes, because a host coming or going is not a real topology change.

9. What does show errdisable recovery reveal about BPDU Guard recovery?

Correct answer is C. show errdisable recovery displays all err-disable causes and their recovery timer status. For bpduguard, the default shows "Timer Status: Disabled" — meaning no automatic recovery is configured. If enabled with errdisable recovery cause bpduguard, the port will automatically re-enable after the configured interval (default 300 seconds). The command does not reset ports — it only shows the recovery configuration.

10. A switch has global PortFast and BPDU Guard enabled. An access port Fa0/8 is later repurposed as a trunk port to connect a second switch. The engineer runs switchport mode trunk but forgets to disable PortFast. What will happen when the trunk link comes up?

Correct answer is B. The outcome turns on how BPDU Guard reached Fa0/8. If it was configured on the interface with spanning-tree bpduguard enable, that setting is independent of PortFast and survives the mode change: the first BPDU from the second switch err-disables the port. If the port relied only on the global defaults, changing it to a trunk removes PortFast and with it the global BPDU Guard, and the trunk comes up normally. In both cases the tidy fix when repurposing an access port as a trunk is the same: add spanning-tree portfast disable, remove any per-interface spanning-tree bpduguard enable, and verify with show spanning-tree interface FastEthernet0/8 detail.