1.23 STP Portfast default

 

The verification and explanation for 1.23, in the Solution Guide, is VERY LIGHT.

I saw some interesting messages when I used the GLOBAL Portfast command: spanning-tree portfast default

Basically, I had issues with LOOPS on different ports. All of the switches were claiming to be the ROOT. I assumed that this was normal for the task and I then added BPDUFILTER at the global level and the loops went away.

Was this normal behavior? If it is, shouldn't that be in the Solution Guide? I think the solution just picks one interface and that perhaps a better way to verify would be "sho spanning-tree | include Edge". During the lab you would probably want to see them all very quickly.

Below is just some output from sw1 and sw3. If you are curious go ahead and have a look, no further comments below.

NET_OG ============

Here is an example on SW1...

*Mar  1 07:47:00.273: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c34.168d in vlan 1 is flapping between port Fa0/16 and port Fa0/13
*Mar  1 07:47:00.407: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c34.168d in vlan 1 is flapping between port Fa0/17 and port Fa0/18
Rack15SW1(config-if-range)#
*Mar  1 07:47:06.489: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c34.168c in vlan 43 is flapping between port Fa0/17 and port Fa0/14
Rack15SW1(config-if-range)#     

 

SW3:

*Mar  1 08:27:25.477: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c34.168c in vlan 43 is flapping between port Fa0/19 and port Fa0/20
Rack15SW3#
*Mar  1 08:27:40.457: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c34.168c in vlan 43 is flapping between port Fa0/19 and port Fa0/14
Rack15SW3#
Rack15SW3#
Rack15SW3#
Rack15SW3#
Rack15SW3#
Rack15SW3#sho spann
Rack15SW3#sho spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.9084.e580
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.9084.e580
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/13              Desg FWD 19        128.13   P2p
Fa0/14              Desg FWD 19        128.14   P2p

 

 

Regards,

Net_OG

 

 

Comments

  • Hi Net_OG,

    I haven't done the task yet, but from a logical point of view I highly doubt that this behavior is the desired solution from INE.

    The MAC flapping is definitely not normal and is most of the time an indicator of a layer 2 loop, as (probably) broadcast frames sourced from a specific device/host (in your case the ones with the MAC 0000.0c34.168c and d) are seen on different ports in a short period of time, which triggers the MAC flapping console message.

    The only reason I can imagine why this happened is if some connections between 2 switches were not in trunking mode but only in access mode, and by activating portfast on the access ports (which of course includes the connection between 2 switches in access mode) the loop was formed, as listening and learning were skipped on the (access port) connection between the 2 switches. This is the only scenario I can currently think of which triggered this behavior.

    The show spanning-tree output looks normal without having the whole context. The only thing we can see on the output is that sw3 is the STP Root for VLAN 1 and all ports are in the forwarding state which is normal behavior.

    Kind regards,

    Christopher

     

     

     

  • I agree with what Christopher is saying; you should only have seen temporary loops on access ports. They should only have been temporary loops because as soon as an interface enabled for portfast receives a BPDU it should go back into the normal spanning-tree state. How long did you see the MACs flapping?

    I also like to look at the interface stats when I see issues like this; you should see the number of input/output packets increase at a high rate if you have a permanent layer 2 loop.

    Maybe there was some config left over from a previous task that could have caused this issue; dot1q tunneling is always a good suspect.

    Below is an example of the portfast interface jumping to forwarding and then going back to blocking as soon as it receives a BPDU:

    interface FastEthernet0/13
     switchport mode access
     shutdown
     spanning-tree portfast
    end
    Rack1SW1(config-if)#int fa0/13
    Rack1SW1(config-if)#no shut

    *Mar  1 18:14:20.233: set portid: VLAN0001 Fa0/13: new port id 800F
    *Mar  1 18:14:20.233: STP: VLAN0001 Fa0/13 ->jump to forwarding from blocking
    *Mar  1 18:14:20.283: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
    *Mar  1 18:14:21.290: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
    *Mar  1 18:14:21.483: STP: VLAN0001 sent Topology Change Notice on Fa0/19
    *Mar  1 18:14:21.483: STP: VLAN0001 Fa0/13 -> blocking

    Rack1SW1(config-if)#do s span vlan 1

    VLAN0001
      Spanning tree enabled protocol ieee

    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- --------------------------------

    Fa0/13              Altn BLK 19        128.15   P2p

     

    Note: I also tested this using the global 'spanning-tree portfast default' command and I saw the same result.

    HTH

    Jason

     

  • Hi,

    That's quite interesting, because until now I was under the impression that a Portfast-enabled port is only reverted out of the portfast state if Portfast is configured globally in conjunction with the BPDU Filter command.

    Good to know, thanks for sharing.

    Cheers,

    Christopher

  • What's the point of BPDU guard if portfast does the same feature?

    I thought that if a BPDU was received on a portfast interface (whether globally and non-globally configured) the port would remove its portfast attribute and become a normal port ....

    Checking on the DOC-CD about that!

  • Hey Muns

    I'm pretty sure that you have the global spanning tree portfast bpduguard enable.

    Under "normal" circumstances, if a portfast port receives a BPDU it does not shut the port. It only reverts it to the normal STP path (LIS LEAR FWD).

    If you have the spanning portfast bpduguard enable, yes it shuts the port.

    interface FastEthernet1/0/1
     switchport mode access
    !
    interface FastEthernet1/0/2
     switchport mode access
    !
    interface FastEthernet1/0/3
     switchport mode access
    !
    interface FastEthernet1/0/4
     switchport mode access
    !
    interface FastEthernet1/0/5
     switchport mode access
    !
    interface FastEthernet1/0/6
     switchport mode access
    !
    interface FastEthernet1/0/7
     switchport mode access
    !
    interface FastEthernet1/0/8
     switchport mode access
    !
    interface FastEthernet1/0/9
     switchport mode access


    -------------------------------------------------------------------------------------------------------------------------------



    Now I'm configuring spanning port fast

    Switch(config)#
    Switch(config)#spannin
    Switch(config)#spanning-tree port
    Switch(config)#spanning-tree portfast ?
      bpdufilter  Enable portfast bpdu filter on this switch
      bpduguard   Enable portfast bpdu guard on this switch
      default     Enable portfast by default on all access ports

    Switch(config)#spanning-tree portfast de
    Switch(config)#spanning-tree portfast default
    %Warning: this command enables portfast by default on all interfaces. You
     should now disable portfast explicitly on switched ports leading to hubs,
     switches and bridges as they may create temporary bridging loops.


    Switch(config)#do sh run
    Building configuration...

    Current configuration : 2879 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Switch

    spanning-tree mode pvst
    spanning-tree portfast default
    spanning-tree etherchannel guard misconfig
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    vlan 100
     name VOICE
    !
    vlan 200
     name DATA
    !
    !
    !
    !
    interface FastEthernet1/0/1
     switchport mode access
    !
    interface FastEthernet1/0/2
     switchport mode access
    !
    interface FastEthernet1/0/3
     switchport mode access
    !
    interface FastEthernet1/0/4
     switchport mode access
    !
    interface FastEthernet1/0/5
     switchport mode access




    Portfast is not explicitly configured on the interface but configured as a global command.

    Next:



    Switch(config)#spanning-tree portfast bpduguard default



    Switch(config)#do sh run
    Building configuration...

    Current configuration : 2920 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Switch
    !
    boot-start-marker
    boot-end-marker
    !
    !

    !
    !
    !
    spanning-tree mode pvst
    spanning-tree portfast default
    spanning-tree portfast bpduguard default
    spanning-tree etherchannel guard misconfig
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    vlan 100
     name VOICE
    !
    vlan 200
     name DATA
    !
    !
    !
    !
    interface FastEthernet1/0/1
     switchport mode access
    !




    Still the interface doesn't have anything configured. Now I'm gonna loop ports 1/0/1 and 1/0/2







    *Mar  1 00:18:23.663: STP: VLAN0001 Fa1/0/2 ->jump to forwarding from blocking
    *Mar  1 00:18:23.672: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
    *Mar  1 00:18:23.705: set portid: VLAN0001 Fa1/0/1: new port id 8003
    *Mar  1 00:18:23.705: STP: VLAN0001 Fa1/0/1 ->jump to forwarding from blocking
    *Mar  1 00:18:25.660: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
    *Mar  1 00:18:25.668: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
    *Mar  1 00:18:25.668: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa1/0/2 with BPDU Guard enabled. Disabling port.
    *Mar  1 00:18:25.668: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/2, putting Fa1/0/2 in err-disable state
    *Mar  1 00:18:25.677: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa1/0/1 with BPDU Guard enabled. Disabling port.
    *Mar  1 00:18:25.677: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/1, putting Fa1/0/1 in err-disable state
    *Mar  1 00:18:25.685: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to down
    *Mar  1 00:18:25.685: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
    *Mar  1 00:18:27.682: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to down

  • No, I did not have bpduguard enabled.

    PORTFAST will only bypass the listening and learning states of STP, and if it receives a BPDU it goes back into the normal states: first it moves from forwarding to blocking and begins listening, then it waits the forward-delay time before moving to learning, and after another forwarding-delay period it will go to forwarding, assuming there are no loops.

    The normal stages of STP are Blocking, Listening, Learning, and Forwarding.

    BPDUGUARD will cause an interface to be err-disabled upon receiving a BPDU. It can be used in conjunction with portfast, where portfast only skips the listening and learning stages, and then if a BPDU is received BPDUGUARD will err-disable the port.

    The original post was in regards to a layer 2 loop, and how that could be caused by portfast. I was showing how portfast will only cause temporary layer 2 loops because as soon as a BPDU is received on a portfast-enabled port it will start blocking (blocking is NOT err-disabling, it is only the first stage of the STP process).

    Hope that clears up my post.

    Jason

  • Hi,

    We were talking about BPDU Filter and not BPDU Guard.

    The point why it is interesting is that the command reference does not indicate that a port is reverted out of the port fast state if port fast is configured globally/on the interface.

    They even warn you just to use it on ports where end hosts are connected.

    Global configuration guideline from the command reference:

    "Configure Port Fast only on interfaces that
    connect to end stations; otherwise, an accidental topology loop could
    cause a data packet loop and disrupt switch and network operation"

    Nearly the same for the interface configuration guideline:

    "Use this feature only on interfaces that connect
    to end stations; otherwise, an accidental topology loop could cause a
    data packet loop and disrupt switch and network operation."

    So for me both statements imply that something bad will happen (loop) if I connect a switch to a port fast enabled port.

    There is no mention in the Command Reference that these ports will be reverted out of the port fast state if they receive a BPDU.

    Only in the spanning-tree portfast bpdufilter default section does the command reference state that the port is reverted out.

    "Use the spanning-tree portfast bpdufilter default
    global configuration command to globally enable BPDU filtering on
    interfaces that are Port Fast-enabled (the interfaces are in a Port
    Fast-operational state). The interfaces still send a few BPDUs at
    link-up before the switch begins to filter outbound BPDUs. You should
    globally enable BPDU filtering on a switch so that hosts connected to
    switch interfaces do not receive BPDUs. If a BPDU is received on a Port
    Fast-enabled interface, the interface loses its Port Fast-operational
    status and BPDU filtering is disabled."

     

    Hope this clears it up.

    Cheers,

    Christopher
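
The two log patterns posted in this thread (MAC flapping as a layer 2 loop symptom, and BPDU Guard err-disabling a port) can be triaged with a short script that reports how long each MAC kept flapping and which ports were shut. This is an added example, not part of any poster's reply: the sample input is constructed by combining lines copied from two posts above, and the 30-second persistence threshold is an assumption (twice the 15-second forward delay shown in the show spanning-tree output).

```python
import re
from collections import defaultdict

# Constructed input: SW3 flap lines and BPDU Guard lines copied from the thread.
SAMPLE = """\
*Mar  1 08:27:25.477: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c34.168c in vlan 43 is flapping between port Fa0/19 and port Fa0/20
*Mar  1 08:27:40.457: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c34.168c in vlan 43 is flapping between port Fa0/19 and port Fa0/14
*Mar  1 00:18:25.668: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/2, putting Fa1/0/2 in err-disable state
*Mar  1 00:18:25.677: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/1, putting Fa1/0/1 in err-disable state
""".splitlines()

TS = r"(\d\d):(\d\d):(\d\d)\.(\d{3}): "
FLAP = re.compile(TS + r"%SW_MATM-4-MACFLAP_NOTIF: Host (\S+) in vlan (\d+) "
                  r"is flapping between port (\S+) and port (\S+)")
GUARD = re.compile(TS + r"%PM-4-ERR_DISABLE: bpduguard error detected on ([^,\s]+),")

def _ms(h, m, s, ms):
    # Time of day in milliseconds; the date is ignored (assumes one day of logs).
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)

def analyze(lines, persist_ms=30_000):
    """Summarise MAC-flap and BPDU Guard events found in IOS log lines.

    persist_ms is an assumed threshold: flapping that spans a longer period
    is reported as persistent rather than a temporary portfast loop.
    """
    flaps = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    errdisabled = set()
    for line in lines:
        if (m := FLAP.search(line)):
            t = _ms(*m.group(1, 2, 3, 4))
            rec = flaps[(int(m.group(6)), m.group(5))]   # key: (vlan, mac)
            rec["count"] += 1
            rec["ports"].update(m.group(7, 8))
            rec["first"] = t if rec["first"] is None else min(rec["first"], t)
            rec["last"] = t if rec["last"] is None else max(rec["last"], t)
        elif (m := GUARD.search(line)):
            errdisabled.add(m.group(5))
    report = {}
    for key, rec in flaps.items():
        span = rec["last"] - rec["first"]
        report[key] = {"count": rec["count"], "ports": sorted(rec["ports"]),
                       "span_ms": span, "persistent": span > persist_ms}
    return report, sorted(errdisabled)
```
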

     

     

     
