Tuesday, August 20, 2013

Spanning tree portfast

Shorter convergence for access ports


If a client such as a laptop is attached to an access port of a Cisco switch, its user expects network access immediately after plugging the cable into the NIC. Running STP is a must in every enterprise and ISP scenario, but the time a port takes to transition from the listening state to the forwarding state can be longer than the user's patience.
The user can be confused while the port is still transitioning to the forwarding state and the client operating system is not yet being served by DHCP. This is a common problem when using STP on your network. A few seconds later, Windows will attempt to obtain an IP address again, and it will succeed.
To skip these state transitions on an interface we enable portfast. Such ports should only be connected to workstations and similar end devices, not to other routers and switches, as that could be a serious security issue in a VTP domain environment.

Devices transition faster or slower depending on their type and hardware capabilities.


One can set up portfast on an individual interface, or simply apply it to a complete range of interfaces. The latter is done in global configuration mode:

SW1> enable
SW1# configure terminal 
SW1(config)#spanning-tree portfast ?
  bpdufilter  Enable portfast bdpu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports

The configuration can be done with the spanning-tree portfast default command. After enabling portfast on access ports, Cisco IOS warns you about the implications of the command:

%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
%Portfast has been configured on FastEthernet0/24 but will only have effect when the interface is in a non-trunking mode
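The following configuration is an added example, not part of the original post: it shows the two ways of enabling portfast described above (globally with the default command, and explicitly on a range of interfaces), keeps the uplink out of it, and verifies the result. The interface names, VLAN 10 and the uplink port GigabitEthernet0/1 are assumptions for illustration, and the switch is assumed not to require a trunk encapsulation to be chosen.

```cisco
! Added example (not from the original post). Interface names, VLAN 10
! and the uplink Gi0/1 are assumptions.
SW1# configure terminal
!
! 1) Global: every port in access mode becomes a portfast port.
!    IOS prints the %Warning shown above when you enter this.
SW1(config)# spanning-tree portfast default
!
! 2) Per interface: explicit portfast on the user-facing ports.
!    The explicit setting takes precedence over the global default.
SW1(config)# interface range FastEthernet0/1 - 23
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# spanning-tree portfast
SW1(config-if-range)# exit
!
! 3) The uplink to another switch must never be a portfast port.
!    The global default does not apply to trunks, but disabling it
!    explicitly keeps a later change of switchport mode from silently
!    turning portfast on.
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# switchport mode trunk
SW1(config-if)# spanning-tree portfast disable
SW1(config-if)# end
!
! Verify: per-port portfast state and the global default.
SW1# show spanning-tree interface FastEthernet0/1 portfast
SW1# show spanning-tree interface GigabitEthernet0/1 portfast
SW1# show spanning-tree summary
```

The show spanning-tree summary output lists whether Portfast Default is enabled for the switch; the per-interface show command confirms which ports actually skip the listening and learning states, which is the quickest way to spot a portfast port that was accidentally left on an inter-switch link.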

The other options of the portfast command are useful in security practice for protecting the switch from spoofed or malicious BPDUs sent into those access ports.

spanning-tree portfast bpduguard default: enables BPDU guard on all portfast interfaces on the switch. This is only valid for access ports.

spanning-tree portfast bpdufilter default: enables BPDU filter on all portfast interfaces on the switch. This is only valid for access ports.
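As an added example that is not part of the original post, here is how the bpduguard option is applied on top of the portfast configuration: globally for all portfast ports, pinned explicitly on one port, with automatic recovery from the err-disabled state, and the commands that verify it. FastEthernet0/5 and the 300-second recovery interval are assumptions for illustration.

```cisco
! Added example (not from the original post). Fa0/5 and the 300 s
! recovery interval are assumptions.
SW1# configure terminal
!
! Global: any portfast port that receives a BPDU is put into the
! err-disabled state and the switch logs SPANTREE-2-BLOCK_BPDUGUARD.
! A BPDU on a host-facing port means something other than a host is there.
SW1(config)# spanning-tree portfast bpduguard default
!
! Per interface: pin BPDU guard to a port explicitly, so it stays
! protected even if the global default is removed later.
SW1(config)# interface FastEthernet0/5
SW1(config-if)# spanning-tree bpduguard enable
SW1(config-if)# exit
!
! Optional: let the switch re-enable a guarded port on its own once the
! offending device is gone, instead of a manual shutdown / no shutdown.
SW1(config)# errdisable recovery cause bpduguard
SW1(config)# errdisable recovery interval 300
SW1(config)# end
!
! Verify the defaults, the recovery settings and any ports already shut.
SW1# show spanning-tree summary
SW1# show errdisable recovery
SW1# show interfaces status err-disabled
```

BPDU guard is the safer of the two options for a host-facing port: it fails closed. Note also that the global bpdufilter default behaves differently from the per-interface command. With the global default, a portfast port sends a few BPDUs at link-up and loses its portfast state if it ever receives one; with spanning-tree bpdufilter enable on the interface itself, BPDUs are neither sent nor processed at all, which effectively removes that port from STP and should be reserved for ports where that is the intent.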


More on the guard and filter features in a later post.
Feel free to comment.
