Spanning Tree Protocol (STP) and PortFast
The time Spanning Tree Protocol (STP) takes to transition ports over to the Forwarding state can cause problems. PortFast is a Cisco network function which can be configured to resolve this problem.
This factor of time is not an issue for many people, but it can cause problems for some. For example, if you power up my computer in the morning, power goes to the network card immediately, and the port on the switch enters the Listening state.
By the time the OS wants to start up the network card drivers and get an address from DHCP, the port on the switch is in Forwarding state, which works well most of the time.
If, however, you had unplugged the NIC on the laptop to move it to another desk, Windows will tell you that it has a problem communicating on the network. Why? The NIC connected to the port changed the link state of the port to Up, Windows immediately tried to get a DHCP address, but the port is not yet in a Forwarding state.
This is a common problem when using STP on your network. In a few more seconds, Windows will attempt to get an IP address again, and it will succeed.
The other time you may see this issue is with Pre-Boot Execution (PXE) devices, such as Windows Deployment Services. The following figure shows a typical PXE implementation. Here is what happens with PXE:
You apply power to your computer, which activates the NIC, but less than five seconds later, the computer’s POST finishes and the NIC attempts to get an IP address from DHCP so that it can load a boot image directly from the PXE server, which fails.
The computer attempts to get an IP address from a DHCP server several times within approximately 10 seconds, after which it gives up and moves onto another boot device, such as the hard drive. The unfortunate part of this process is that because it fails to get an IP address or connect with the PXE server, you are not able to install your new operating system image on that computer.
The problem with this scenario is that because STP makes the computer wait 45 seconds prior to forwarding traffic on the port, the PXE network boot has timed out.
PortFast is the solution to this problem of delays when client computers are connecting to switches. PortFast is not enabled by default. With PortFast enabled on a port, you effectively take the port and tell spanning tree not to implement STP on that port.
This solution is not a bad one if only one computer is plugged into the port — so that people will not be creating accidental loops on the network, which can be frighteningly easy to do.
Setting PortFast on all ports
While there may be some ports you want to exclude from the PortFast configuration, if you want most ports to use PortFast you make that default setting. To set PortFast on all ports from Global Configuration mode, use the command spanning-tree portfast default:
Switch2> enable Switch2# configure terminal Switch2(config)#spanning-tree portfast ? bpdufilter Enable portfast bdpu filter on this switch bpduguard Enable portfast bpdu guard on this switch default Enable portfast by default on all access ports
Setting PortFast on specific ports
You can also implement PortFast on specific ports, as illustrated here, where the following command enables PortFast for FastEthernet ports 1 through 10. Notice the big warning about the dangers of PortFast.
Switch2#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch2(config)#interface range Switch2(config)#interface range fastEthernet 0/1 -10 Switch2(config-if-range)#spanning-tree portfast %Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION %Portfast will be configured in 10 interfaces due to the range command but will only have effect when the interfaces are in a non-trunking mode. Switch2(config-if-range)#end
The BPDU Guard option removes the danger expressed in the warning. In this case, I incorrectly selected my ports, and ports 1 and 2 should have spanning tree enabled normally on them.
BPDU Guard throws up warnings right away to prevent the loop that has been created from causing a problem on my network. When a PortFast port with BPDU Guard on it sees a BPDU frame, the action causes the switch to say, Hey, this port is configured incorrectly! and immediately the switch puts that port in an error state.
Switch2#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch2(config)#interface range fastEthernet 0/1 -10 Switch2(config-if-range)#spanning-tree bpduguard enable Switch2(config-if-range)# 3d14h: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port. 3d14h: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state 3d14h: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port. 3d14h: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state 3d14h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down 3d14h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down 3d14h: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down 3d14h: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down Switch2(config-if-range)#end
To correct the error state on the port, connect to that port in Interface Configuration mode and then shut down and re-enable those ports as shown here:
Switch2#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch2(config)#interface range Switch2(config)#interface range fastEthernet 0/1 -10 Switch2(config-if-range)#shutdown Switch2(config-if-range)#no shutdown