Rapid spanning tree / portfast
hello together,
i have a question about rapid spanning tree.
If I enable per vlan rapid spanning tree do i have to configure portfast on the access ports or is this nativly done in rstp?
best regards
lars
Hi Lars,
In RSTP, the access ports are known as "edge" ports. To configure a port as an "edge port" you use the same command to enable portfast to do this.
"Edge portsIf you configure a port as an edge port on an RSTP switch by using the spanning-tree portfast interface configuration command, the edge port immediately transitions to the forwarding state. An edge port is the same as a Port Fast-enabled port, and you should enable it only on ports that connect to a single end station."
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12113ea1/3550scg/swmstp.htm
HTH,
Bobby
*Please rate helpful posts.
Similar Messages
-
All,
I have a question about Rapid Spanning Tree reconfiguration. I have to following situation:
As you can see 3 switches with RSTP, and 2 switches without RSTP (or any other spanning tree, just unmanaged).
The 2 switch will form a loop in my network. Switch 1 will block one of the ports and the other port will forward the traffic.
If I break the link "Just Forwarding", my second switch won't be able to cumminucate for around 40 seconds. It will take some time before the backup link will be up again.
Cisco has the Fastforwarding mechanism. Will this help in this situation? I would like to shorten the 40 seconds time.
Thans in advance.I'd guess the unmanaged devices run legacy spanning tree, and rapid
pvst switches will run rapid according the "heard" protocol. So if it hears
the legacy bpdu, it will run regular spanning tree, hence the 40 second delay.
chris -
Hi all,
i read that portfast should only be enabled on access ports not on trunk ports.
when this command is used
spanning-tree portfast trunk?
under what cases we will use portfast command on trunk port ?
thanks
mahesh.... and there is one more case:
you have access switch full of users and you want to provide them redundancy for internet connection, sou you use HSRP for example and now you have switch connected to 2 or more routers with internet links
now, those links between switch and routers are also trunks and the topology is like a triangle with the switch on the tip , omitting PCs for now , at this point the only device taken into consideration is the switch - others don't use STP because routers have configured IP addresses on subinterfaces (each for one VLAN) so they break BRdomain and computers don't care about STP. In this case, you are sure that no routing loop can occur because other devices (all of them are L3) are boundary for that L2 segment and arp requests broadcasted in your LAN stay inside.
What you've just managed to make is faster trunk transition to UP state so after reload of that switch, your users can quickly use network again. -
Hello,
If I have port configure as spanning tree portfast and I plugged another switch instead of computer what will happened can it create loop or shutdown the port?Hello horacio27,
You can use PortFast on access switch ports or trunk ports that are connected to a single workstation, server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state.
You can use PortFast to connect a single end station or a switch port to a switch port. If you enable PortFast on a port that is connected to another Layer 2 device, such as a switch, you might create network loops.
To Prevent loops, in network the most secure implementation of PortFast is to enable it only on ports that connect end stations to switches. Because PortFast can be enabled on nontrunking ports connecting two switches, spanning tree loops can occur because BPDUs are still being transmitted and received on those ports.
PortFast with BPDU guard prevents loops by moving non trunking port to err-disable state. -
Rapid Spanning Tree, 802.1w
Do any SBTG switches support Rapid Spanning Tree? It appears the 3560x does, but looking for more "cost effective" solution.
Hi Art,
The new and improved 300 series (SRWxxx-K9-NA) which is a refresh for the older SRW series, shows that it supports STP, RSTP and MSTP.
http://www.cisco.com/en/US/products/ps10898/prod_models_comparison.html
regards and seasons greetings
Dave Hornstein -
Enable BPDUGuard on Spanning-tree Portfast Trunk Port: Yes or No?
Hello to all the Cisco Experts,
I have been searching around to get a confirmed answer as per my subject, but yet unable to come into any conclusion that could help me.
This is all started when I configured the switchport configuration for my ESXi Server which is a dot1q trunk port. The reference will be as below URL:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006628
The configuration of the switchport will be as below:
interface GigabitEthernet1/0/1
description ESXi
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11,15
switchport mode trunk
spanning-tree portfast trunk
end
The catch is, I had the bpduguard enabled on the global level in my switch = spanning-tree portfast bpduguard default.
This will enable the bpduguard on the trunk port above due to the switchport is in portfast (the command: spanning-tree portfast trunk).
Some of the guys in this forum mentioned that it is not recommended to have bpduguard on trunk port and some mentioned it is okay to have this.
So, what do you all think on this? Any real life experience dealing with this kind of situtation that can be shared to us over here?
Thank you in advance.Hi Leo,
First of all, I would never, ever, consider any comment of yours as being offensive so don't worry, none taken. :)
Enabling portfast on a trunk is so "yesterday", in my opinion. If a trunk port(s) or an etherchannel is configured correctly, there's a significant chance portfast is irrelevant. The speed to get the ports to go from down to passing traffic is really boils down to one or two seconds.
Perhaps this is at the core of our different views. To my best knowledge, without the PortFast, a trunk - be it a single port or an EtherChannel - will become forwarding 30 seconds after entering the up/up state, not less. This is valid for STP, RSTP, and MSTP. In addition, if a new VLAN is created or added to the list of enabled VLANs on the trunk, it may take additional 30 seconds for that VLAN to become operational (forwarding) on that trunk. There is nothing besides PortFast and Proposal/Agreement that can cut down this time: the STP must go over the Listening-Learning-Forwarding sequence, and RSTP/MSTP must go through the Discarding-Learning-Forwarding sequence. The "one or two seconds" you have mentioned is perhaps the combined delay incurred by autonegotiation, LACP/PAgP, and DTP, but STP will take its own time and will not be deterred by any of these mechanisms.
I see no benefit but mischief when you enable BPDU Guard on an inter-switch link.
Absolutely agree. That is why it doesn't make any sense to put a BPDU Guard on an inter-switch link, and I have never suggested doing that. The original post, however, deals with enabling PortFast on a trunk link that does not go to another switch but rather connects to an ESXi server on which, obviously, different virtual machines are bridged onto different VLANs.
So what is the reaction of the port if you do happen to enable portfast and BPDU guard on an inter-switch link? Wouldn't the two be a "Jekyll & Hyde", wouldn't it?
It would be just the same as enabling PortFast and BPDU Guard on an access port that happens to be connected to another switch. Upon link-up, the port would become forwarding immediately, and after receiving a BPDU, it would be shot down to err-disabled. The fact the port is an access port or a trunk port makes no difference here. Just as before, I stress that this kind of configuration simply isn't meant to be used on inter-switch links. However, on trunks connected directly to routers, servers, autonomous APs supporting several SSIDs mapped to different VLANs, even to IP phones (remember the mini-trunk config used on old switches on which the switchport voice vlan command only instructed CDP to advertise the voice VLAN but did not cause the port to accept tagged frames in the voice VLAN so it had to be configured as a trunk?) - in all these situations, the PortFast can be beneficial. The BPDU Guard is a natural protective companion to the PortFast - wherever PortFast is eligible to be configured, the BPDU Guard is a natural additional protection to be activated as well.
But given the complexity of interconnection of different switches to various stuff going around, we're happy with leaving portfast on a trunk port disabled.
No argument here - but again, this is about trunks between switches on which I would never suggest using the PortFast or the BPDU Guard. The original post is talking about trunks to end hosts (i.e. edge trunk ports if we extend the terminology a little).
Best regards,
Peter -
Rapid spanning tree combnation
Dear All,
I am new to Spanning tree technology...and it sounds pretty good to run 802.w on LAN,
Is it posible to run 802.w on switches that support Rapid spanning tree and some old ones that do not ?
Is there any way to prevent BPDU to be send to switch that do not support 802.w ?
Looking forward to hearing from you??
Best regards,
SholehThe roles were in fact introduced by RSTP. Because it was also very convenient with regular STP, we added them to our implementation of STP. However, older software are just showing the information defined in STP at that time.
A forwarding port is indeed designated or root. In order to make a difference between the two, you need to check what is the designated bridge ID. If this is the local bridge, the port is designated. If it's a different bridge, it's a root port.
Another simple way: you also get the root port for the vlan in the show spantree. There is only a maximum of one root port on a bridge, so if your forwarding port is not the root port, it is then designated.
Note that STP does not make any difference between backup and alternate port either. For this, you need again to look for the designated bridge ID on this port. If it is the bridge itself, this is a backup port, else, an alternate port (this is useful for uplinkfast, only alternate port can do fast transition).
Regards,
Francois -
Purpose of "spanning-tree portfast trunk"
We are going to try out two wireless accesspoints. I won't name the manufacturer. Their tech support asked for two ports in our Catalyst 3750g to be configured as trunk, dot1q, etc., and with "spanning-tree portfast trunk". What is the purpose of this?
Thanks in advance.As Inayath as already described, traditional portfast does not apply to trunked ports. In order for a trunked port to take the portfast status, you need to specify the 'trunk' keyword.
The key thing to understand is why would you use this - trunked ports usually go between switches and you shouldn't be configuring portfast for such connections. However, keep in mind that you usually configure trunked interfaces for connections going to VMs, etc as well. These are typically treated as end hosts but since they may carry multiple VLANs over them, you can configure the port as a trunk.
In such situations, you can go ahead and configure such trunked ports for portfast status as well.
Regards,
Aninda -
BPDU-STP Discrpancy - Help Please - spanning-tree portfast bpduguard
Hi,
I get this discrepancy report by the CicoWorks saying that BPDU-STP is disabled on ports (all te ports on my switch). I have seen a document on this and how to enable this Spanning Tree feature but I am not really sure if I need to do this or not? what is the benefit in having or not having this feature enabled? if enabled, then, wont I get into the port disabling and traffic disrruption business? understanding that there is a time out feature available as well.
Thx,
MasoodHi Masood.
STP BPDUGuard is used only on the ports which are set to STP portfast. As when the portfast is enabled on the switch it trnasitions from blocking --> forwarding as soon as you connect any device on it. If you connect a switch or a bridge, this can cause a STP loop in your network which can bring your entire N/W to halt/down.
STP BPDUguard is specially designed for the edgeports. So as far as you have a centralized control on your network device and no one can connect any device without proper approval (your) ,you can have it disable. But if you understand the potential impact of connecting a switch or a bridge by anyone without proper authority then you might want it enable it on your switch.
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
HTH, Please rate if it does.
regards,
-amit singh -
Hi all,
I am experiencing an RSTP problem. I have two swtitches connected via wireless link, the port is in trunk mode, the native vlan is vlan 1 the problem is that bpdu's are exchanged for other vlan's but not for vlan 1, when i connect a second backup wireless link it causes the loop, it seems that there are no bpdu exchanges between switches for vlan 1, also in trunk ports i see that BPDU's for vlan 1 are sent by both switches but they do not receive any BPDU's from each other. Any explanation about thiss issue ?
Thanks in advanceI would need to know some things to troubleshoot this:
1. Is VLAN 1 the native VLAN of the trunk, on both sides?
2. I presume VLAN 1 is in the allowed VLANs list on both sides of the link?
3. If the native VLAN is not 1, is the native VLAN allowed on the trunk, on both sides?
4. What model of switch is it, and what version of the software?
5. Can you do a show run int for each end of each trunk link?
6. Can you do a show int xxx trunk for each end of each trunk link?
7. Can you do a show spanning-tree vlan 1 on each side of each trunk?
Kevin Dorrell
Luxembourg -
Spanning Tree PortFast BPDU Guard Enhancement
Will this solve our problems interconnecting 2 ports configured in 2 different vlans?
TIAHi Windell,
STP portfast BPDU guard is the feature which is specifically desinged for the ports running stp portfast on them so that a temporary introduction of a switch with lower bridge ID should not disrupt the network topology.At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state.
Please see the link:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
I didnot get your question. Can you eleborate more on this.
regards,
-amit singh -
Spanning-tree link-type shared
Hi,
i 've this problem.
My PC must boot OS (windows) from network (Server sends Operating System by PC's mac-address)
PC needs a ip-address within 5-10 seconds.
I try it using hub and PC loads correctly OS and works properly.
I try on my network (without hub) using Catalyst Switch in 2 ways:
IOS and CatOS
For the IOS i find this solution:
i use the follows CLI:
spanning-tree portfast
spanning-tree link-type shared
in this case i resolved my problem.
FOR catOS , this command not work properly
i use the follows CLI:
set spantree portfast mod/port enable
set spantree link-type mod/port shared
After, if i see the configuration , i find the CLI
"set spantree mst link-type mod/port shared"
Can you help me?
Thanks
FCostalungaConfiguring a ports STP link type to shared is sort of invalid if the port is also configured as an STP portfast port. 'Shared' effectively means this is a half-duplex connection to a hub that may also be connected to another switch (hence it can't be a point-to-point link). Normal STP operation should operate over 'shared' links and you won't get the rapid start a P2P link has.
If the port is connected directly to a host then simply configuring the port as a portfast port will be enough (it will also make it a P2P link by default).
HTH
Andy -
ISE - 802.1X - Loop not detected by spanning-tree
Hello,
I have recently implemented the 802.1X on switchs 3750-X running 15.0(2)SE IOS version.
The spanning-tree bpdufilter and bpduguard are globally enabled on the switchs.
A user has created a loop on the network by connecting its Cisco IP-Phone twice on the network : one wire connected normally from switch to the RJ-45 phone connector and the second wire that should be connected to the PC had also been connected to the switch !
The loop created has not been detected by the switch !
I have made several tests and re-created the problem 3 times on 4 (only one time, the loop has been detected by bpduguard 20 seconds after the port up).
Notice that without 802.1X configured on the same switch port, the loop is quickly detected and ports are err-disabled shutdown.
Switch port with 802.1X is following :
interface GigabitEthernet1/0/9
switchport access vlan 950
switchport mode access
switchport nonegotiate
switchport voice vlan 955
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 950
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
If I change the host-mode to multi-domain, a MAC violation restriction occurs and shutdown the port. But this is not the config I need.
Is there any reason for spanning-tree not works properly with 802.1X ?
Thanks,
OlivierHello Olivier
When using bpdufilter, bpduguard and portfast all at the same time there are many things going on which are not well documented. Now when you add 802.1x to the mix then you really have no documentation. I had to do many labs on my own to finally have my configuration, and also discovered some bugs. According to my experience you shouldn't use bpdufilter and you should use bpduguard on the switchport not in the global config.
Please read the following links about the differences between global and port bpdufilter, differences between global and port bpduguard, configuring bpduguard along with portfast , configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
http://aitaseller.wordpress.com/2010/01/17/bpdu-filter-vs-bpdu-guard-what-is-the-difference/
http://costiser.wordpress.com/2011/05/23/subtle-difference-for-portfast-bpdufilter-used-together-globally-or-at-interface-level/
https://learningnetwork.cisco.com/thread/21103
http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
Please rate if this helps -
When is it appropriate to use "spanning-tree bpdufilter enable"
What exactly does enabling bpdu filter do? I see some examples where bpdu filtering is enabled on access ports? Is this correct or are there dangers in this approach?
Hi John,
Simple way of saying would that it would disable the STP on that port.
BPDU filter filters the BPDU's coming in both directions. which means it effectively disable the STP on the port.
Detailed explanation:
===============
BPDUfilter on the other hand just filters BPDUs in both directions, which effectively disables STP on the port.Bpdu filter will prevent inbound and outbound bpdu but will remove portfast state on a port if a bpdu is received.Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
Following are the method to configure BPDU Filter in switches
Interface mode:
spanning-tree bpdufilter enable (Results port to not participate in STP, loops may occur).
Global mode:
spanning-tree portfast bpdufilter default (It enables bpdufiltering on ports that have port-fast configuration, so it sends a few bpdu while enabling port then it filters bdpu unless receives a bpdu, after that itchanges from port-fast mode and disables filtering for port to operate like a normal port cause it has received bpdu).
You always should allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports.you would use bpdufilter when you want a switch plugged into your network but you don't want it participating in spanning tree.
An example: In an office environment where someone needs another network drop under their desk but you don't have time/budget to run a new line for now. you are been given a small switch but don't want it to break spanning tree.The switch you have lying around for this task is a simple unmanaged switch and will only have one uplink into your network. so you put bpdufilter on your switch port.
Ref:https://supportforums.cisco.com/docs/DOC-11825
HTH
Regards
Inayath
*Plz rate if this info is helpfull and mark as answered if this resolved your query. -
I am a newbie for cisco switch.
I need a failover solution for both switch and AP Bridge link on both side.
I have 2 of location (Location A and Location B)
Location A
There has 3 set of cisco 2960 switch.
switch C is active switch
switch A is redundancy switch , it will be active when primary Wi-FI Link and switch C is failure.
Location B
There has 3 set of cisco 2960 switch
switch D is active switch
switch B is redundancy switch ,it will be active when primary Wi-Fi Link and switch D is failure.
I would like to use spanning tree protocol for this case.
As show my diagram, Can it achive failover for both switch and AP bridge link if I use this network design
Please help to comment
Thanks
JohnHi John,
This is achievable. The best way to do this is, If you can control the client switches,
make the Client switch at location A, the root primary for the STP domain.
On the Client switch at location B, make the STP cost high on the port towards the Switch B.
Assuming all other STP settings are on default values, this should block the link between LocationB client switch and Switch B. So all your traffic will take the path through switchC-SwitchD.
If the Wifi Bridge fails (AP3-AP4), the blocked link will start forwarding (make sure you are using rapid spanning tree for fast transition)
Now the most important thing in this design is to make sure that the Wifi bridges pass STP BPDU traffic, if they don't, this will not work.
Even if one of the switches fails on the active path, the backup path would still kick in..
Let me know how you go with this..
please rate helpful posts.. :)
Maybe you are looking for
-
Illustrator and Bridge CS6 don't launch in Mac 10.8.5
Recently, when I try to run Illustrator and Bridge CS6, my mac doesn't let me do while initializing (it shows a splash) and gives me "Adobe Illustrator CS6 quit unexpectedly". I can run Acrobat, InDesign, and Photoshop (package of CS6 design standard
-
Printer and stereo in different rooms
Up to this point we have used our Airport Express as an extension of our wireless linksys network to share a printer. We recently wanted to use iTunes over our stero which is in the living room, and the set up worked fine. However, since our printer
-
The Scaling tool doesn't work correctly
I want to click an area on screen where I want an object to scale to. Only the left click doesn't work. I have to alt click in order to pick a point, and when I do that a dialogue box appears with % proportions. Not very intuitive. I have tried reset
-
Hi friends if requirements are coming from external planning system(NON-SAP) to SRM system via XI. what settings need to be done in order to send requirements from non-sap planning system to srm system regards Yshnavi
-
Error Installing JavaCheck 2.0.1
i get the following error while istalling JavaCheck 2.0.1 java.io.IOException: javacheckinstall_en_US.zip at java.io.RandomAccessFile.<init>(RandomAccessFile.java:65) at java.util.zip.ZipFile.<init>(ZipFile.java:44) at JavaCheckInstaller.main(Compile