Spanning tree: Portfast and BPDUGuard

by Cyrus Lok on Friday, May 14, 2010 at 1:04pm

PortFast lets an access port skip the listening and learning stages of STP and transition straight from blocking to forwarding as soon as the link comes up.
The PortFast feature should never be configured on a port that connects to another switch: if it is, the port starts forwarding before STP has had a chance to block it, and a temporary loop can form.

FastEthernet 0/8 of 2950-1 will be my test port.
I have configured PortFast on fa0/8:

2950-1(config)#int fa0/8
2950-1(config-if)#description Test Port
2950-1(config-if)#spanning-tree portfast

I connect a crossover cable from fa0/8 of 2950-1 to fa0/8 of 2950-2:

00:13:39: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/8 with BPDU Guard enabled. Disabling port.
2950-1(config)#
00:13:39: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/8, putting Fa0/8 in err-disable state
2950-1(config)#

Immediately there is no link light on either port of my switches, because BPDU Guard was configured previously, but I forgot on which switch.

2950-1#sh spanning-tree summary total
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
1 vlan                        0         0        0          2          2

So 2950-1 does not have BPDU Guard enabled globally (PortFast BPDU Guard Default is disabled).

But it does have PortFast and BPDU Guard enabled on fa0/8:
2950-1#sh run interface fa0/8
Building configuration…

Current configuration : 136 bytes
!
interface FastEthernet0/8
description Test Port
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
end

2950-2#sh run int fa0/8
Building configuration…

Current configuration : 113 bytes
!
interface FastEthernet0/8
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
end

So fa0/8 on both switches is configured with spanning-tree portfast and spanning-tree bpduguard enable.
Jeremy Ciora said that PortFast turns off STP, which is wrong: PortFast only bypasses the listening and learning stages and transitions straight from blocking to forwarding. BPDUs are still sent and received by the switchport, as verified by Wireshark in my previous notes.

So let's say fa0/8 is supposed to connect to a server, but for some reason the server is replaced by a switch. The new switch sends BPDUs, STP reconverges, and because the port is PortFast-enabled it is already forwarding before the topology has settled, so a temporary loop can form. BPDU Guard is enabled to prevent this: if a switch is connected to a port with PortFast and BPDU Guard enabled, the first BPDU received puts the port into the error-disabled state, which practically “shuts down” the port. The port stays err-disabled until an administrator clears it with shutdown / no shutdown, unless errdisable recovery has been enabled for the bpduguard cause, in which case the switch re-enables it after the recovery timer (300 seconds by default). On 2950-2 recovery is disabled for every cause, so the port stays down:
2950-2#sh errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld Disabled
bpduguard Disabled
security-violatio Disabled
channel-misconfig Disabled
vmps Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
psecure-violation Disabled
gbic-invalid Disabled
dhcp-rate-limit Disabled
unicast-flood Disabled
loopback Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

2950-2#sh int status err-disabled

Port      Name               Status       Reason
Fa0/8                        err-disabled bpduguard
2950-2#

The command to verify which ports have been error-disabled is show interfaces status err-disabled (I forgot this….).
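As an added example (not part of the original post), here is a small Python parser that turns the two syslog lines above and the show interfaces status err-disabled table into structured events, so a log pipeline can raise an alert whenever BPDU Guard err-disables a port. The sample syslog and table are constructed from the output on this page; the Fa0/9 row is invented to show that other err-disable reasons are filtered out; the message formats are assumed to match the IOS 12.x output shown here.

```python
"""Added example (not from the original post): parse the IOS syslog and
'show interfaces status err-disabled' output shown above into structured
events, so a log pipeline can alert when BPDU Guard shuts a port.
Message formats are assumed to match the IOS 12.x output on this page."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input, copied from the console output earlier in the post.
SAMPLE_SYSLOG = """\
00:13:39: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/8 with BPDU Guard enabled. Disabling port.
00:13:39: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/8, putting Fa0/8 in err-disable state
00:37:10: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to up
"""

# Constructed sample table; the Fa0/9 row is invented to show that other
# err-disable reasons are filtered out by bpduguard_alerts().
SAMPLE_STATUS = """\
Port      Name               Status       Reason
Fa0/8                        err-disabled bpduguard
Fa0/9                        err-disabled psecure-violation
"""

TIMESTAMP_RE = re.compile(r"^(?P<ts>[\d:.]+): ")
BPDUGUARD_RE = re.compile(
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) with BPDU Guard enabled")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<reason>[\w-]+) error detected on (?P<port>\S+), "
    r"putting \S+ in err-disable state")
STATUS_ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*err-disabled\s+(?P<reason>\S+)\s*$")


@dataclass(frozen=True)
class ErrDisableEvent:
    timestamp: str
    port: str    # IOS short form, e.g. Fa0/8
    reason: str  # e.g. bpduguard


def short_name(port: str) -> str:
    """Normalise to the short form used by 'show interfaces status':
    FastEthernet0/8 -> Fa0/8, GigabitEthernet1/0/1 -> Gi1/0/1, Port-channel1 -> Po1."""
    m = re.fullmatch(r"([A-Za-z][A-Za-z-]*?)(\d.*)", port)
    if not m:
        return port
    prefix, rest = m.groups()
    return prefix[:2] + rest


def parse_syslog(text: str) -> list[ErrDisableEvent]:
    """One event per %PM-4-ERR_DISABLE line, whatever the cause."""
    events = []
    for line in text.splitlines():
        m = ERRDISABLE_RE.search(line)
        if not m:
            continue
        ts = TIMESTAMP_RE.match(line)
        events.append(ErrDisableEvent(
            timestamp=ts.group("ts") if ts else "",
            port=short_name(m.group("port")),
            reason=m.group("reason"),
        ))
    return events


def bpdu_sources(text: str) -> set[str]:
    """Ports where BPDU Guard saw a BPDU, i.e. something speaking STP (a switch,
    or a host running bridging software) was plugged into an edge port."""
    return {short_name(m.group("port"))
            for m in map(BPDUGUARD_RE.search, text.splitlines()) if m}


def parse_errdisabled_status(text: str) -> dict[str, str]:
    """Parse 'show interfaces status err-disabled' into {port: reason}."""
    rows = {}
    for line in text.splitlines():
        m = STATUS_ROW_RE.match(line)
        if m:
            rows[m.group("port")] = m.group("reason")
    return rows


def bpduguard_alerts(syslog: str, status: str) -> list[dict]:
    """Correlate syslog with the current err-disabled table: one alert per port
    that BPDU Guard shut, noting whether the BLOCK_BPDUGUARD message corroborates
    it and whether the port is still down (nobody has bounced it yet)."""
    current = parse_errdisabled_status(status)
    seen_bpdu = bpdu_sources(syslog)
    return [
        {
            "port": ev.port,
            "time": ev.timestamp,
            "bpdu_seen": ev.port in seen_bpdu,
            "still_errdisabled": current.get(ev.port) == "bpduguard",
        }
        for ev in parse_syslog(syslog)
        if ev.reason == "bpduguard"
    ]


if __name__ == "__main__":
    for alert in bpduguard_alerts(SAMPLE_SYSLOG, SAMPLE_STATUS):
        print(alert)
```

The interface name is normalised because IOS logs the long form (FastEthernet0/8) in the SPANTREE message and the short form (Fa0/8) in the PM message and in show output; without that step the two would never correlate. An alert with still_errdisabled set is the one worth chasing, since it means an STP-speaking device is still sitting on an access port and nobody has looked at it yet.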

So let's do an experiment: disable BPDU Guard on fa0/8 of both switches and bounce the ports.
2950-2(config-if)#spanning-tree bpduguard disable
2950-2(config-if)#shu
2950-2(config-if)#no shut
2950-2(config-if)#
00:35:51: %LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
2950-2(config-if)#
00:35:54: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down

2950-1(config-if)#spanning-tree bpduguard disable
2950-1(config-if)#shut
2950-1(config-if)#no shut
2950-1(config-if)#
00:37:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to up
2950-1(config-if)#
00:37:10: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to up

2950-2 fa0/8 is blocked (amber light); 2950-1 fa0/8 has a green light. Let's check their status:

2950-1#sh spanning-tree vlan 1

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address 000b.be08.f480
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000d.2944.c200
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/8            Desg FWD 19        128.8    P2p

All 2950-1 ports are in the forwarding state.

2950-2#sh spanning-tree vlan 1

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address 000b.be08.f480
Cost 19
Port 2 (FastEthernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0016.9d05.5080
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Root FWD 19        128.2    P2p
Fa0/8            Altn BLK 19        128.8    P2p

2950-2 fa0/8 is blocked; well, there does not seem to be an impact though…. RSTP converges really fast: as soon as I turned bpduguard on both ports on both switches, fa0/8 of 2950-2 was blocked….

Old STP (802.1D) port states:
1 blocking
2 listening (BPDUs are exchanged, root bridge and port roles are decided)
3 learning (MAC address table is populated)
4 forwarding
Worst-case convergence is approximately 50s (max age 20s + 2 × forward delay 15s).

RSTP (802.1w) port states:
1 discarding
2 learning
3 forwarding
When RSTP has to fall back to timers a port still waits 2 × forward delay, approximately 30s, saving 20s; on full-duplex point-to-point links the proposal/agreement handshake converges in well under a second. Note that both switches above report “Switch is in pvst mode” and “protocol ieee”, so this lab is actually running PVST+ with 802.1D timers, not RSTP.

To enable bpduguard whenever portfast is enabled, in global configuration mode:

2950-2(config)#spanning-tree portfast bpduguard default

To verify:
2950-2(config)#do sh span sum tot
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
1 vlan                        1         0        0          2          3

BPDU Guard is now enabled by default on every port that has PortFast enabled. Ports without PortFast are not affected by this global setting, so trunk and uplink ports keep processing BPDUs normally.

This entry was posted in Route.