On which of the following layers of the hierarchical network design model should you implement PortFast, BPDU guard, and root guard? (Select the best answer.)
- only on core layer ports
- only on distribution layer ports
- only on access layer ports
- only on core and distribution layer ports
- on core, distribution, and access layer ports
You should implement PortFast, BPDU guard, and root guard only on access layer ports. PortFast, BPDU guard, and root guard are enhancements to Spanning Tree Protocol (STP). The access layer is the network hierarchical layer where enduser devices connect to the network. The distribution layer is used to connect the devices at the access layer to those in the core layer. The core layer, which is also referred to as the backbone, is used to provide connectivity to devices connected through the distribution layer.
PortFast reduces convergence time by immediately placing user access ports into a forwarding state.
PortFast is recommended only for ports that connect to enduser devices, such as desktop computers. Therefore, you would not enable PortFast on ports that connect to other switches, including distribution layer ports and core layer ports. To enable PortFast, issue the spanningtree portfast command from interface configuration mode.
BPDU guard disables ports that erroneously receive bridge protocol data units (BPDUs). User access ports should never receive BPDUs, because user access ports should be connected only to enduser devices, not to other switches. When BPDU guard is applied, the receipt of a BPDU on a port with BPDU guard enabled will result in the port being placed into a disabled state, which prevents loops from occurring. To enable BPDU guard, issue the spanningtree bpduguard enable command from interface configuration mode.
Root guard is used to prevent newly introduced switches from being elected as the root. The device with the lowest bridge priority is elected the root. If an additional device is added to the network with a lower priority than the current root, it will become the new root. However, this could cause the network to reconfigure in unintended ways, particularly if an access layer switch were to become the root. To prevent this, root guard can be applied to ports that connect to other switches in order to maintain control over which switch is the root. Root guard is applied on a perport basis with the spanningtree guard root command.