PortFast Accidentally Enabled on Trunk Port
Presenting Symptom
A workstation connected to a trunk port experiences intermittent connectivity and excessive MAC address flapping notifications on the switch.
Network Context
A small branch office with a single Cisco Catalyst 2960 switch running IOS 15.0. Two VLANs (10 and 20) are configured, and the switchport connecting to an access switch is configured as a trunk. PortFast has been accidentally enabled on this trunk port, causing the switch to bypass STP convergence and forward traffic immediately, leading to loops and MAC flapping.
Diagnostic Steps
Check interface status and errors
show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
Port        Vlans allowed on trunk
Gi0/1       1-1005
Port        Vlans allowed and active in management domain
Gi0/1       1,10,20
Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20
The trunk is operational. Look for any inconsistencies in allowed VLANs or native VLAN mismatch. Normal output shows trunking status and VLANs in forwarding state.
Check spanning-tree port status
show spanning-tree interface gigabitethernet 0/1 detail
Port 1 (GigabitEthernet0/1) of VLAN0001 is forwarding
Port path cost 4, Port priority 128, Port Identifier 128.1.
Designated root has priority 32768, address aaaa.bbbb.cccc
Designated bridge has priority 32768, address aaaa.bbbb.cccc
Designated port id is 128.1, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
The output shows 'The port is in the portfast mode' on a trunk port, which is abnormal. PortFast should only be on access ports. This indicates the misconfiguration.
Check for MAC address flapping
show mac address-table | include Gi0/1
10    aaaa.bbbb.0001    DYNAMIC    Gi0/1
20    aaaa.bbbb.0002    DYNAMIC    Gi0/1
10    aaaa.bbbb.0003    DYNAMIC    Gi0/1
20    aaaa.bbbb.0004    DYNAMIC    Gi0/1
Multiple MAC addresses on the same trunk port are normal if many devices are reachable via that trunk. However, if the same MAC appears on different ports, that indicates flapping. Look for duplicate MACs across ports.
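A single capture of the table holds one port per VLAN and MAC, so a move only becomes visible when captures are compared over time. The following added example (not part of the original scenario) parses rows in the layout shown above and reports MACs that changed port repeatedly; the sample captures are constructed and Gi0/2 is a hypothetical second uplink.

```python
import re
from collections import defaultdict

# One table row in the layout shown above: VLAN, MAC, type, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)

def parse_mac_table(output):
    """Return {(vlan, mac): port} for the dynamic entries in one capture."""
    table = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m and m.group(3).upper() == "DYNAMIC":
            table[(int(m.group(1)), m.group(2).lower())] = m.group(4)
    return table

def find_flapping(snapshots, min_moves=2):
    """Count port changes per (vlan, mac) across captures given in time order.

    One move can be a relocated workstation; repeated moves suggest a loop.
    Returns {(vlan, mac): [ports seen]} for entries with >= min_moves changes.
    """
    moves, ports_seen, last = defaultdict(int), defaultdict(list), {}
    for output in snapshots:
        for key, port in parse_mac_table(output).items():
            if key in last and last[key] != port:
                moves[key] += 1
            if port not in ports_seen[key]:
                ports_seen[key].append(port)
            last[key] = port
    return {k: ports_seen[k] for k, n in moves.items() if n >= min_moves}

# Constructed captures taken a few seconds apart (Gi0/2 is hypothetical).
SNAPSHOTS = [
    "10 aaaa.bbbb.0001 DYNAMIC Gi0/1\n20 aaaa.bbbb.0002 DYNAMIC Gi0/1",
    "10 aaaa.bbbb.0001 DYNAMIC Gi0/2\n20 aaaa.bbbb.0002 DYNAMIC Gi0/1",
    "10 aaaa.bbbb.0001 DYNAMIC Gi0/1\n20 aaaa.bbbb.0002 DYNAMIC Gi0/1",
]

if __name__ == "__main__":
    for (vlan, mac), ports in find_flapping(SNAPSHOTS).items():
        print(f"VLAN {vlan} {mac} moved between {', '.join(ports)}")
```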
Check for loop or TCN propagation
show spanning-tree vlan 10 detail | begin Port 1
Port 1 (GigabitEthernet0/1) of VLAN0010 is forwarding
Port path cost 4, Port priority 128, Port Identifier 128.1.
Designated root has priority 32768, address aaaa.bbbb.cccc
Designated bridge has priority 32768, address aaaa.bbbb.cccc
Designated port id is 128.1, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Again, PortFast is enabled on the trunk. This causes the port to skip listening/learning states, potentially causing loops if there is a redundant path. The port transitions directly to forwarding, which can lead to temporary loops and MAC flapping.
Root Cause
PortFast has been accidentally configured on a trunk port (GigabitEthernet0/1) using the 'spanning-tree portfast' interface command. This bypasses the normal STP convergence process, causing the port to immediately transition to forwarding state. If there is any redundancy in the network (e.g., another trunk link), this can create a bridging loop, leading to MAC address flapping and intermittent connectivity.
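Resolution
Remove PortFast from the trunk port: in interface configuration mode for GigabitEthernet0/1, enter 'no spanning-tree portfast'.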
Verification
Verify that PortFast is removed from the trunk:
show spanning-tree interface gigabitethernet 0/1 detail | include portfast
Expected output: (no line indicating portfast mode)
Also verify that the trunk port is in a proper STP state (listening/learning, then forwarding):
show spanning-tree vlan 10
Expected output: The port should show 'forwarding' but with proper timers (forward delay 15, etc.) and no 'portfast' indication.
Prevention
1. Use the 'spanning-tree portfast default' global command to enable PortFast on all access ports, but manually disable it on trunk ports with 'no spanning-tree portfast'.
2. Implement BPDU guard on access ports to prevent accidental loops: 'spanning-tree bpduguard enable'.
3. Follow best practice: only enable PortFast on ports connected to end devices (workstations, printers, servers), never on trunk links or ports connecting to other switches.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you are given symptoms of intermittent connectivity and MAC flapping. You must identify that PortFast is incorrectly applied to a trunk port. The exam tests understanding of STP port states, PortFast function, and proper configuration. Key fact: PortFast should only be used on access ports to speed up convergence for end devices.
Exam Tips
Remember that PortFast bypasses listening and learning states; it is only safe on access ports where no BPDUs are expected.
The exam may show a 'show spanning-tree' output with 'portfast' on a trunk; you must recognize that as the misconfiguration.
Know the command 'show spanning-tree interface <int> detail' to verify PortFast status.
Commands Used in This Scenario
show interfaces trunk
Displays trunk interface status, allowed VLANs, and pruning information for all trunk ports on a Cisco switch, used to verify trunking configuration and VLAN membership.
show mac address-table
Displays the MAC address table (also known as CAM table) on a switch, showing which MAC addresses are learned on which VLAN and port, used to verify Layer 2 forwarding and detect issues like MAC flooding or incorrect port assignments.
show spanning-tree
Displays the Spanning Tree Protocol (STP) state and configuration for all VLANs or a specific VLAN, used to verify root bridge, port roles, and STP topology.