Thursday, October 22, 2015

Cisco Spanning Tree Portfast and BPDUGuard

There are two powerful tools available for those of us (the majority, I believe) who are still relying on Spanning Tree Protocol (STP) for switch loop protection. They are PortFast! and BPDUGuard! (Don't they sound impressive with those exclamation points?)

Portfast!

Enabling PortFast on a switchport lets it skip the listening and learning states when a device is plugged in (you know, that annoying wait with the amber light?). From an STP perspective the port moves to the forwarding state immediately. This works out great for access ports that can be trusted to connect to a single end device such as a server or workstation. Note that PortFast does not turn STP off on the port: BPDUs are still sent and processed, so on its own PortFast gives you speed, not protection, if somebody plugs a switch into that port.

Here are a couple of key commands related to basic portfast:

To globally set PortFast on all NON-trunking ports:
Switch(config)#spanning-tree portfast default

To locally set PortFast on a particular interface:
Switch(config-if)#spanning-tree portfast

BPDUGuard!

PortFast is designed for access ports that never receive switch-to-switch BPDUs. It is possible, however, for a non-trunking port to end up connected to another switch (a second switch in a cubicle, a misplaced uplink, or a host sending forged BPDUs), which can create a spanning tree loop or let a device you do not control take part in your STP topology. Without BPDUGuard, a PortFast port that receives a BPDU simply loses its PortFast status and goes back to normal STP operation, and the foreign switch joins the topology. With BPDUGuard enabled on top of PortFast, receipt of a BPDU on the port instead moves the port into the err-disabled state, which looks like this:
Switch#show interfaces gigabitethernet 1/1 status
Port    Name               Status       Vlan       Duplex  Speed Type
Gi1/1                      err-disabled 100          full   1000 1000BaseSX

This security measure then leaves the network administrator to either:
a) unplug the switch from this port and move it to a correct port (or remove it entirely, if it should not be on the network at all), or
b) reconfigure the port as a trunk rather than an access port so that STP can function normally.
Either way the port stays down until someone acts on it, so the mistake gets noticed instead of silently merging into the topology.

Here are a couple of key commands related to basic BPDUGuard:

To globally set BPDUGuard on all PortFast-enabled ports:
Switch(config)#spanning-tree portfast bpduguard default

To locally set BPDUGuard on a particular interface:
Switch(config-if)#spanning-tree bpduguard enable

To recover from the err-disabled state, fix the cause first and then bounce the interface; err-disabled is not cleared by changing the PortFast or BPDUGuard settings alone:
Switch(config-if)#shutdown
Switch(config-if)#no shutdown

To let the switch recover BPDUGuard-disabled ports automatically after a timer (the default interval is 300 seconds), so a legitimate but misplaced device does not need a manual reset:
Switch(config)#errdisable recovery cause bpduguard
Switch(config)#errdisable recovery interval 300

If the port should not be running PortFast at all, turn it off on that interface:
Switch(config-if)#spanning-tree portfast disable
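Because the global "default" commands and the per-interface commands interact (an interface command wins; the global PortFast default covers non-trunking ports; the global BPDUGuard default covers every port that ends up with PortFast), it is easy to lose track of which ports are actually guarded. The script below is an added example, not code from the original post, that audits a constructed sample running-config for PortFast without BPDUGuard and for PortFast on trunk or DTP-negotiable ports, and emits the interface-mode fix lines. The sample config, interface names and the finding labels are all assumptions made for the example.

```python
# Added example: audit a Cisco IOS running-config for PortFast / BPDU Guard
# mistakes. Not from the original post; the config below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, not captured from a real switch.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport mode access
 spanning-tree portfast disable
!
"""


@dataclass
class Port:
    name: str
    mode: str = "dynamic"            # 'access', 'trunk', or DTP-negotiated ('dynamic')
    portfast: Optional[bool] = None  # True/False if set on the interface, None if unset
    bpduguard: Optional[bool] = None


def parse_config(text: str) -> Tuple[Dict[str, bool], Dict[str, Port]]:
    """Collect the two global STP defaults and one Port per interface block."""
    glob = {"portfast_default": False, "bpduguard_default": False}
    ports: Dict[str, Port] = {}
    current: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports[current.name] = current
        elif not line.startswith(" "):  # any global-mode line ends an interface block
            current = None
            if line == "spanning-tree portfast default":
                glob["portfast_default"] = True
            elif line == "spanning-tree portfast bpduguard default":
                glob["bpduguard_default"] = True
        elif current is not None:
            cmd = line.strip()
            if cmd.startswith("switchport mode "):
                current.mode = cmd.split()[2]          # access / trunk / dynamic
            elif cmd in ("spanning-tree portfast", "spanning-tree portfast trunk"):
                current.portfast = True
            elif cmd == "spanning-tree portfast disable":
                current.portfast = False
            elif cmd == "spanning-tree bpduguard enable":
                current.bpduguard = True
            elif cmd == "spanning-tree bpduguard disable":
                current.bpduguard = False
    return glob, ports


def effective(port: Port, glob: Dict[str, bool]) -> Tuple[bool, bool]:
    """Resolve what the port really runs: interface command wins, else the globals."""
    portfast = port.portfast if port.portfast is not None else (
        glob["portfast_default"] and port.mode != "trunk")
    bpduguard = port.bpduguard if port.bpduguard is not None else (
        glob["bpduguard_default"] and portfast)
    return portfast, bpduguard


Finding = Tuple[str, str, List[str]]  # (interface, problem, interface-mode fix lines)


def audit(text: str) -> List[Finding]:
    glob, ports = parse_config(text)
    findings: List[Finding] = []
    for port in ports.values():
        portfast, bpduguard = effective(port, glob)
        if not portfast:
            continue  # plain STP on this port; nothing to guard
        if port.mode == "trunk":
            findings.append((port.name, "portfast on a trunk (switch-to-switch link)",
                             ["no spanning-tree portfast"]))
        elif port.mode != "access":
            # DTP could still negotiate this port into a trunk; pin it to access first.
            fix = ["switchport mode access"] + ([] if bpduguard else ["spanning-tree bpduguard enable"])
            findings.append((port.name, "portfast on a DTP-negotiable port", fix))
        elif not bpduguard:
            findings.append((port.name, "portfast without bpduguard",
                             ["spanning-tree bpduguard enable"]))
    return findings


def remediation(findings: List[Finding]) -> List[str]:
    """Turn findings into config-mode lines ready to paste into the switch."""
    lines: List[str] = []
    for name, _, cmds in findings:
        lines.append(f"interface {name}")
        lines.extend(f" {cmd}" for cmd in cmds)
    return lines


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for name, problem, _ in results:
        print(f"{name}: {problem}")
    print("\n".join(remediation(results)))
```

Run against the sample, it flags GigabitEthernet1/0/1 (PortFast from the global default, no BPDUGuard anywhere) and GigabitEthernet1/0/3 (PortFast on a trunk), and leaves 1/0/2 and 1/0/4 alone. Adding `spanning-tree portfast bpduguard default` to the sample clears the first finding, which is the whole point of pairing the two global commands.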

TestTakers!

  1. Note the similarities and differences between the PortFast and BPDUGuard commands (the global forms both start with "spanning-tree portfast", the interface forms do not)
  2. Consider the order in which you would set them (PortFast first!)
  3. Recognize err-disabled as possibly a BPDUGuard issue; "show interfaces status err-disabled" lists the reason for each port
Err-disabled triggers include:
  • BPDU guard violation
  • Duplex mismatch
  • Port channel misconfiguration
  • UniDirectional Link Detection (UDLD) condition
  • Late-collision detection
  • Link-flap detection
  • Port security violation
  • Port Aggregation Protocol (PAgP) flap
  • Layer 2 protocol tunneling guard (l2ptguard)
  • DHCP snooping rate-limit
  • Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
  • Dynamic Address Resolution Protocol (ARP) inspection
  • Inline power (PoE) fault
Hope that keeps it all straight in your head!