Sunday, December 31, 2017

Cisco CCNP:300-115 - 1.6.c PortFast, BPDUguard, BPDUfilter

Recently I needed to renew my Cisco CCNPs, that is, both CCNP Routing and Switching and CCNP Security. While working with Cisco products (well, now they own SourceFire, so exclude those) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below focusing on the key points I used to study. I believe that someone else may find them useful.

      - Portfast
          - Immediately brings an interface to the forwarding state, bypassing the listening and learning states
          - Use when the interface is connected to a single endpoint such as a server or workstation
          - The connected device does not need to wait for spanning tree to converge
          - Portfast-configured interfaces go through the normal spanning-tree cycle when the switch is restarted
          - Configuring portfast on an interface connected to another switch may result in bridging loops, because the port forwards traffic before spanning tree has had a chance to detect the loop
          - Portfast is configured per interface via:
              SW2(config)#interface fa1/5
              SW2(config-if)#spanning-tree portfast
         
         
       -  BPDU Guard
          - Can be enabled globally or per port
          - At the global level, BPDU guard is enabled on all portfast-enabled interfaces using:
             SW2(config)#spanning-tree portfast bpduguard default

          - Portfast-enabled ports are shut down if any BPDU is received on them
          - In a valid configuration, portfast-enabled ports never receive BPDUs, because only switches send them; a BPDU arriving on such a port means an unexpected switch (rogue or misconfigured) has been connected
          - BPDU guard puts the port in the error-disabled state, which shuts down the entire port on which the violation occurred
          - To avoid shutting down the whole port, you can instead shut down only the offending VLAN on the port where the violation occurred using:
              SW2(config)#errdisable detect cause bpduguard shutdown vlan

          - BPDU guard at the interface level can be configured using:
            SW2(config)#interface fa1/5
            SW2(config-if)#spanning-tree bpduguard enable
          - The interface-level command takes effect whether or not portfast is enabled on that interface
          - When the port receives a BPDU, the interface is put in the error-disabled state
          - You must manually put the interface back in service (shutdown, then no shutdown) unless errdisable recovery is configured for the bpduguard cause
      
      
       -  BPDU Filtering
          - Can be enabled globally or per interface
          - To enable it globally on portfast-enabled interfaces, use:
              SW2(config)#spanning-tree portfast bpdufilter default

          - Prevents portfast-enabled interfaces from sending or receiving BPDUs
          - At link-up the interface still sends a few BPDUs before filtering takes effect
          - If a BPDU is received on a portfast-enabled interface, the interface loses its portfast operational status and BPDU filtering is disabled on it, so spanning tree runs normally on that port again

          - At the interface level, BPDU filtering is enabled using:
              SW2(config)#interface fa1/5
              SW2(config-if)#spanning-tree bpdufilter enable
          - The interface-level command works without the portfast feature
          - Unconditionally prevents the interface from sending or receiving BPDUs
          - This is equivalent to disabling spanning tree on the interface and may result in spanning-tree loops; it is not a substitute for BPDU guard on ports where a rogue switch could be plugged in
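The following is an added configuration example, not taken from the original notes or from the Cisco guide, showing the weak and the hardened way to treat an access port. Interface FastEthernet0/5, VLAN 10 and the 300-second recovery interval are assumed values for illustration; the commands themselves are standard Catalyst IOS.

```cisco
! Added example (not from the original post): hardening an access port
! against an unexpected switch. Fa0/5, VLAN 10 and the 300 s interval are
! assumed values chosen for illustration.

! --- Weak setting: bpdufilter on an edge port silently turns spanning tree
!     off for that port, so a switch plugged in here can form a loop that
!     is never detected.
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! --- Corrected: portfast for fast link-up, bpduguard so the port is
!     err-disabled the moment any BPDU arrives. The interface-level
!     bpduguard command works even if portfast were not set here.
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 no spanning-tree bpdufilter
 spanning-tree bpduguard enable
!
! Global variant: cover every portfast-enabled port in one line
spanning-tree portfast bpduguard default
!
! Optional: on a port carrying several VLANs, err-disable only the
! offending VLAN instead of the whole port
errdisable detect cause bpduguard shutdown vlan
!
! Optional: recover automatically after 300 s instead of requiring an
! operator to do shutdown / no shutdown on the port
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
end
! Verification (privileged EXEC)
show spanning-tree interface FastEthernet0/5 portfast
show spanning-tree summary
show interfaces status err-disabled
show errdisable recovery
```

If the port is err-disabled, `show interfaces status err-disabled` lists it with the reason `bpduguard`; the fact that a BPDU arrived at all is the security event worth alerting on, since nothing on a correctly cabled access port should ever send one.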
           
   
      - Uplink Fast
          - Configured via global config
          - Speeds up the process of selecting a new root port when a link or switch fails or spanning tree reconfigures itself
          - The new root port transitions to the forwarding state immediately
          - It does not go through the listening and learning states, as is done with normal spanning tree
          - The default max-update-rate parameter is 150 packets per second
          - Most appropriate for connections at the access or edge of the network
          - Not appropriate for backbone devices
          - Provides fast convergence after a direct link failure
          - Uses uplink groups
          - Cannot be enabled on VLANs that have been configured with a switch priority
          - Switch priority must be restored to the default before enabling UplinkFast on such a VLAN
          - Enabling UplinkFast affects all VLANs on the switch
          - UplinkFast cannot be configured on an individual VLAN
          - Can be configured while the switch is in rapid PVST+ or MSTP mode, but it remains inactive in those modes
          - The spanning-tree mode must be changed to PVST+ before it takes effect
          - Enabling UplinkFast sets the switch priority for all VLANs to 49152
          - Changing the path cost to a value less than 3000 when enabling UplinkFast (or when it is already enabled) causes the path cost of all interfaces and VLAN trunks to be increased by 3000
          - If the path cost is changed to 3000 or above, the path cost is not altered
          - Disabling UplinkFast resets the switch priorities for all VLANs and the path costs for all interfaces to the default values if they were not modified from their defaults
          - Use the following command to enable UplinkFast:
                SW2(config)#spanning-tree uplinkfast
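As an added example (not from the original notes), the sequence below shows the ordering the constraints above impose: the mode must be PVST+, and any per-VLAN priority must be cleared before UplinkFast will accept the VLAN. VLAN 10 is an assumed value.

```cisco
! Added example (not from the original post). VLAN 10 is assumed.
! UplinkFast only runs in PVST+ mode; in rapid-pvst or mst it stays inactive.
spanning-tree mode pvst
!
! UplinkFast is refused while any VLAN carries a configured priority,
! so return VLAN 10 to its default priority first
no spanning-tree vlan 10 priority
!
! Enable; 150 is the default update rate, written out here for clarity
spanning-tree uplinkfast max-update-rate 150
end
! Verify: priority of every VLAN should now read 49152 and interface
! path costs should be raised by 3000
show spanning-tree summary
show spanning-tree vlan 10
```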

References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html
