Rapid spanning tree / portfast

Similar Messages

• Rapid Spanning Tree Question

  All,
  I have a question about Rapid Spanning Tree reconfiguration. I have to following situation:
  As you can see 3 switches with RSTP, and 2 switches without RSTP (or any other spanning tree, just unmanaged).
  The 2 switch will form a loop in my network. Switch 1 will block one of the ports and the other port will forward the traffic.
  If I break the link "Just Forwarding", my second switch won't be able to cumminucate for around 40 seconds. It will take some time before the backup link will be up again.
  Cisco has the Fastforwarding  mechanism. Will this help in this situation? I would like to shorten the 40 seconds time.
  Thans in advance.

  I'd guess the unmanaged devices run legacy spanning tree, and rapid
  pvst switches will run rapid according the "heard" protocol. So if it hears
  the legacy bpdu, it will run regular spanning tree, hence the 40 second delay.
  chris

• Spanning-tree portfast trunk

  Hi all,
  i read that portfast should only be enabled on access ports  not on trunk ports.
  when this command is used
  spanning-tree portfast trunk?
  under what cases we will use portfast command on trunk port ?
  thanks
  mahesh

  .... and there is one more case:
  you have access switch full of users and you want to provide them redundancy for internet connection, sou you use HSRP for example and now you have switch connected to 2 or more routers with internet links
  now, those links between switch and routers are also trunks and the topology is like a triangle with the switch on the tip , omitting PCs for now , at this point the only device taken into consideration is the switch - others don't use STP because routers have configured IP addresses on subinterfaces (each for one VLAN) so they break BRdomain and computers don't care about STP. In this case, you are sure that no routing loop can occur because other devices (all of them are L3) are boundary for that L2 segment and arp requests broadcasted in your LAN stay inside.
  What you've just managed to make is faster trunk transition to UP state so after reload of that switch, your users can quickly use network again.

• Spanning tree portfast

  Hello,
  If I have port configure as spanning tree portfast and I plugged another switch instead of computer what will happened can it create loop or shutdown the port?

  Hello horacio27,
  You can use PortFast on access switch ports  or trunk ports that are connected to a single workstation, server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state.
  You can use PortFast to connect a single end station or a switch port to a switch port. If you enable PortFast on a port that is connected to another Layer 2 device, such as a switch, you might create network loops.
  To Prevent loops, in network  the most secure implementation of PortFast is to enable it only on ports that connect end stations to switches. Because PortFast can be enabled on nontrunking ports connecting two switches, spanning tree loops can occur because BPDUs are still being transmitted and received on those ports.
  PortFast with BPDU guard prevents loops by moving non trunking port to err-disable state.

• Rapid Spanning Tree, 802.1w

  Do any SBTG switches support Rapid Spanning Tree? It appears the 3560x does, but looking for more "cost effective" solution.

  Hi Art,
  The new and improved  300 series  (SRWxxx-K9-NA) which is a refresh for the older SRW series,  shows that it supports STP,   RSTP and    MSTP.
  http://www.cisco.com/en/US/products/ps10898/prod_models_comparison.html
  regards and seasons greetings
  Dave Hornstein

• Enable BPDUGuard on Spanning-tree Portfast Trunk Port: Yes or No?

  Hello to all the Cisco Experts,
  I have been searching around to get a confirmed answer as per my subject, but yet unable to come into any conclusion that could help me.
  This is all started when I configured the switchport configuration for my ESXi Server which is a dot1q trunk port. The reference will be as below URL:
  http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006628
  The configuration of the switchport will be as below:
  interface GigabitEthernet1/0/1
   description ESXi
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 11,15
   switchport mode trunk
   spanning-tree portfast trunk
  end
  The catch is, I had the bpduguard enabled on the global level in my switch = spanning-tree portfast bpduguard default.
  This will enable the bpduguard on the trunk port above due to the switchport is in portfast (the command: spanning-tree portfast trunk).
  Some of the guys in this forum mentioned that it is not recommended to have bpduguard on trunk port and some mentioned it is okay to have this.
  So, what do you all think on this? Any real life experience dealing with this kind of situtation that can be shared to us over here?
  Thank you in advance.

  Hi Leo,
  First of all, I would never, ever, consider any comment of yours as being offensive so don't worry, none taken. :)
  Enabling portfast on a trunk is so "yesterday", in my opinion.  If a trunk port(s) or an etherchannel is configured correctly, there's a significant chance portfast is irrelevant.  The speed to get the ports to go from down to passing traffic is really boils down to one or two seconds.
  Perhaps this is at the core of our different views. To my best knowledge, without the PortFast, a trunk - be it a single port or an EtherChannel - will become forwarding 30 seconds after entering the up/up state, not less. This is valid for STP, RSTP, and MSTP. In addition, if a new VLAN is created or added to the list of enabled VLANs on the trunk, it may take additional 30 seconds for that VLAN to become operational (forwarding) on that trunk. There is nothing besides PortFast and Proposal/Agreement that can cut down this time: the STP must go over the Listening-Learning-Forwarding sequence, and RSTP/MSTP must go through the Discarding-Learning-Forwarding sequence. The "one or two seconds" you have mentioned is perhaps the combined delay incurred by autonegotiation, LACP/PAgP, and DTP, but STP will take its own time and will not be deterred by any of these mechanisms.
  I see no benefit but mischief when you enable BPDU Guard on an inter-switch link.   
  Absolutely agree. That is why it doesn't make any sense to put a BPDU Guard on an inter-switch link, and I have never suggested doing that. The original post, however, deals with enabling PortFast on a trunk link that does not go to another switch but rather connects to an ESXi server on which, obviously, different virtual machines are bridged onto different VLANs.
  So what is the reaction of the port if you do happen to enable portfast and BPDU guard on an inter-switch link?  Wouldn't the two be a "Jekyll & Hyde", wouldn't it?
  It would be just the same as enabling PortFast and BPDU Guard on an access port that happens to be connected to another switch. Upon link-up, the port would become forwarding immediately, and after receiving a BPDU, it would be shot down to err-disabled. The fact the port is an access port or a trunk port makes no difference here. Just as before, I stress that this kind of configuration simply isn't meant to be used on inter-switch links. However, on trunks connected directly to routers, servers, autonomous APs supporting several SSIDs mapped to different VLANs, even to IP phones (remember the mini-trunk config used on old switches on which the switchport voice vlan command only instructed CDP to advertise the voice VLAN but did not cause the port to accept tagged frames in the voice VLAN so it had to be configured as a trunk?) - in all these situations, the PortFast can be beneficial. The BPDU Guard is a natural protective companion to the PortFast - wherever PortFast is eligible to be configured, the BPDU Guard is a natural additional protection to be activated as well.
  But given the complexity of interconnection of different switches to various stuff going around, we're happy with leaving portfast on a trunk port disabled.
  No argument here - but again, this is about trunks between switches on which I would never suggest using the PortFast or the BPDU Guard. The original post is talking about trunks to end hosts (i.e. edge trunk ports if we extend the terminology a little).
  Best regards,
  Peter

• Rapid spanning tree combnation

  Dear All,
  I am new to Spanning tree technology...and it sounds pretty good to run 802.w on LAN,
  Is it posible to run 802.w on switches that support Rapid spanning tree and some old ones that do not ?
  Is there any way to prevent BPDU to be send to switch that do not support 802.w ?
  Looking forward to hearing from you??
  Best regards,
  Sholeh

  The roles were in fact introduced by RSTP. Because it was also very convenient with regular STP, we added them to our implementation of STP. However, older software are just showing the information defined in STP at that time.
  A forwarding port is indeed designated or root. In order to make a difference between the two, you need to check what is the designated bridge ID. If this is the local bridge, the port is designated. If it's a different bridge, it's a root port.
  Another simple way: you also get the root port for the vlan in the show spantree. There is only a maximum of one root port on a bridge, so if your forwarding port is not the root port, it is then designated.
  Note that STP does not make any difference between backup and alternate port either. For this, you need again to look for the designated bridge ID on this port. If it is the bridge itself, this is a backup port, else, an alternate port (this is useful for uplinkfast, only alternate port can do fast transition).
  Regards,
  Francois

• Purpose of "spanning-tree portfast trunk"

  We are going to try out two wireless accesspoints.  I won't name the manufacturer.  Their tech support asked for two ports in our Catalyst 3750g to be configured as trunk, dot1q, etc., and with "spanning-tree portfast trunk".  What is the purpose of this?
  Thanks in advance.

  As Inayath as already described, traditional portfast does not apply to trunked ports. In order for a trunked port to take the portfast status, you need to specify the 'trunk' keyword.
  The key thing to understand is why would you use this - trunked ports usually go between switches and you shouldn't be configuring portfast for such connections. However, keep in mind that you usually configure trunked interfaces for connections going to VMs, etc as well. These are typically treated as end hosts but since they may carry multiple VLANs over them, you can configure the port as a trunk.
  In such situations, you can go ahead and configure such trunked ports for portfast status as well.
  Regards,
  Aninda

• BPDU-STP Discrpancy - Help Please - spanning-tree portfast bpduguard

  Hi,
  I get this discrepancy report by the CicoWorks saying that BPDU-STP is disabled on ports (all te ports on my switch). I have seen a document on this and how to enable this Spanning Tree feature but I am not really sure if I need to do this or not? what is the benefit in having or not having this feature enabled? if enabled, then, wont I get into the port disabling and traffic disrruption business? understanding that there is a time out feature available as well.
  Thx,
  Masood

  Hi Masood.
  STP BPDUGuard is used only on the ports which are set to STP portfast. As when the portfast is enabled on the switch it trnasitions from blocking --> forwarding as soon as you connect any device on it. If you connect a switch or a bridge, this can cause a STP loop in your network which can bring your entire N/W to halt/down.
  STP BPDUguard is specially designed for the edgeports. So as far as you have a centralized control on your network device and no one can connect any device without proper approval (your) ,you can have it disable. But if you understand the potential impact of connecting a switch or a bridge by anyone without proper authority then you might want it enable it on your switch.
  http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
  HTH, Please rate if it does.
  regards,
  -amit singh

• Rapid Spanning Tree Problem

  Hi all,
  I am experiencing an RSTP problem. I have two swtitches connected via wireless link, the port is in trunk mode, the native vlan is vlan 1 the problem is that bpdu's are exchanged for other vlan's but not for vlan 1, when i connect a second backup wireless link it causes the loop, it seems that there are no bpdu exchanges between switches for vlan 1, also in trunk ports i see that BPDU's for vlan 1 are sent by both switches but they do not receive any BPDU's from each other. Any explanation about thiss issue ?
  Thanks in advance

  I would need to know some things to troubleshoot this:
  1. Is VLAN 1 the native VLAN of the trunk, on both sides?
  2. I presume VLAN 1 is in the allowed VLANs list on both sides of the link?
  3. If the native VLAN is not 1, is the native VLAN allowed on the trunk, on both sides?
  4. What model of switch is it, and what version of the software?
  5. Can you do a show run int for each end of each trunk link?
  6. Can you do a show int xxx trunk for each end of each trunk link?
  7. Can you do a show spanning-tree vlan 1 on each side of each trunk?
  Kevin Dorrell
  Luxembourg

• Spanning Tree PortFast BPDU Guard Enhancement

  Will this solve our problems interconnecting 2 ports configured in 2 different vlans?
  TIA

  Hi Windell,
  STP portfast BPDU guard is the feature which is specifically desinged for the ports running stp portfast on them so that a temporary introduction of a switch with lower bridge ID should not disrupt the network topology.At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state.
  Please see the link:
  http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
  I didnot get your question. Can you eleborate more on this.
  regards,
  -amit singh

• Spanning-tree link-type shared

  Hi,
  i 've this problem.
  My PC must boot OS (windows) from network (Server sends Operating System by PC's mac-address)
  PC needs a ip-address within 5-10 seconds.
  I try it using hub and PC loads correctly OS and works properly.
  I try on my network (without hub) using Catalyst Switch in 2 ways:
  IOS and CatOS
  For the IOS i find this solution:
  i use the follows CLI:
  spanning-tree portfast
  spanning-tree link-type shared
  in this case i resolved my problem.
  FOR catOS , this command not work properly
  i use the follows CLI:
  set spantree portfast mod/port enable
  set spantree link-type mod/port shared
  After, if i see the configuration , i find the CLI
  "set spantree mst link-type mod/port shared"
  Can you help me?
  Thanks
  FCostalunga

  Configuring a ports STP link type to shared is sort of invalid if the port is also configured as an STP portfast port. 'Shared' effectively means this is a half-duplex connection to a hub that may also be connected to another switch (hence it can't be a point-to-point link). Normal STP operation should operate over 'shared' links and you won't get the rapid start a P2P link has.
  If the port is connected directly to a host then simply configuring the port as a portfast port will be enough (it will also make it a P2P link by default).
  HTH
  Andy

• ISE - 802.1X - Loop not detected by spanning-tree

  Hello,
  I have recently implemented the 802.1X on switchs 3750-X running 15.0(2)SE IOS version.
  The spanning-tree bpdufilter and bpduguard are globally enabled on the switchs.
  A user has created a loop on the network by connecting its Cisco IP-Phone twice on the network : one wire connected normally from switch to the RJ-45 phone connector and the second wire that should be connected to the PC had also been connected to the switch !
  The loop created has not been detected by the switch !
  I have made several tests and re-created the problem 3 times on 4 (only one time, the loop has been detected by bpduguard  20 seconds after the port up).
  Notice that without 802.1X configured on the same switch port, the loop is quickly detected and ports are err-disabled shutdown.
  Switch port with 802.1X is following :
  interface GigabitEthernet1/0/9
  switchport access vlan 950
  switchport mode access
  switchport nonegotiate
  switchport voice vlan 955
  no logging event link-status
  authentication control-direction in
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 950
  authentication event server dead action authorize voice
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  storm-control broadcast level 10.00
  storm-control multicast level 10.00
  spanning-tree portfast
  If I change the host-mode to multi-domain, a MAC violation restriction occurs and shutdown the port. But this is not the config I need.
  Is there any reason for spanning-tree not works properly with 802.1X ?
  Thanks,
  Olivier

  Hello Olivier
  When using bpdufilter, bpduguard and portfast all at the same time there are many things going on which are not well documented. Now when you add 802.1x to the mix then you really have no documentation. I had to do many labs on my own to finally have my configuration, and also discovered some bugs. According to my experience you shouldn't use bpdufilter and you should use bpduguard on the switchport not in the global config.
  Please read the following links about the differences between global and port bpdufilter, differences between global and port bpduguard, configuring bpduguard along with portfast , configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
  http://aitaseller.wordpress.com/2010/01/17/bpdu-filter-vs-bpdu-guard-what-is-the-difference/
  http://costiser.wordpress.com/2011/05/23/subtle-difference-for-portfast-bpdufilter-used-together-globally-or-at-interface-level/
  https://learningnetwork.cisco.com/thread/21103
  http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
  Please rate if this helps

• When is it appropriate to use "spanning-tree bpdufilter enable"

  What exactly does enabling bpdu filter do?  I see some examples where bpdu filtering is enabled on access ports?  Is this correct or are there dangers in this approach? 

  Hi John,
  Simple way of saying would that it would disable the STP on that port.
  BPDU filter filters the BPDU's coming in both directions. which means it effectively disable the STP on the port.
  Detailed explanation:
  ===============
  BPDUfilter on the other hand just filters BPDUs in both directions, which effectively disables STP on the port.Bpdu filter will prevent inbound and outbound bpdu but will remove portfast state on a port if a bpdu is received.Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
  Following are the method to configure BPDU Filter in switches
  Interface mode:
  spanning-tree bpdufilter enable                        (Results port to not participate in STP, loops may occur).
  Global mode:                                                
  spanning-tree portfast bpdufilter default             (It enables bpdufiltering on ports that have port-fast configuration, so it sends a few bpdu while enabling port then it filters bdpu unless receives a bpdu, after that itchanges from port-fast mode and disables filtering for port to operate like a normal port cause it has received bpdu).
  You always should allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports.you would use bpdufilter when you want a switch plugged into your network but you don't want it participating in spanning tree.
  An example:  In an office environment where someone needs  another network drop under their desk but you don't have time/budget to  run a new line for now.  you are been given a small switch but don't want it to break spanning tree.The switch  you have lying around for this task is a simple unmanaged switch and  will only have one uplink into your network. so you put bpdufilter on your  switch port.
  Ref:https://supportforums.cisco.com/docs/DOC-11825
  HTH
  Regards
  Inayath
  *Plz rate if this info is helpfull and mark as answered if this resolved your query.

• About Spanning tree problem

  I am a newbie for cisco switch.
  I need a failover solution for both switch and AP Bridge link on both side.
  I have 2 of location (Location A and Location B)
  Location A
  There has 3 set of cisco 2960 switch.
  switch C is active switch
  switch A is redundancy switch , it will be active when primary Wi-FI Link and switch C is failure.
  Location B
  There has 3 set of cisco 2960 switch
  switch D is active switch
  switch B is redundancy switch ,it will be active when primary Wi-Fi Link and switch D is failure.
  I would like to use spanning tree protocol for this case.
  As show my diagram, Can it achive failover for both switch and AP bridge link if I use this network design
  Please help to comment
  Thanks
  John

  Hi John,
  This is achievable. The best way to do this is, If you can control the client switches,
  make the Client switch at location A, the root primary for the STP domain.
  On the Client switch at location B, make the STP cost high on the port towards the Switch B.
  Assuming all other STP settings are on default values,  this should block the link between LocationB client switch and Switch B. So all your traffic will take the path through switchC-SwitchD.
  If the Wifi Bridge fails (AP3-AP4), the blocked link will start forwarding (make sure you are using rapid spanning tree for fast transition)
  Now the most important thing in this design is to make sure that the Wifi bridges pass STP BPDU traffic, if they don't, this will not work.
  Even if one of the switches fails on the active path, the backup path would still kick in.. 
  Let me know how you go with this..
  please rate helpful posts.. :)