Cisco – Mixing Cisco STP Features: BPDU Guard, BPDU Filter, PortFast and PortFast Trunk

Tags: cisco, ethernet, spanning-tree, switch

I have two switches (Cisco 2960s) with a trunk between them (two ports in an EtherChannel), and each has a trunk up to a separate router; all other switch ports are access ports to end devices:

R1       R2
|        |
|        |
|        |
SW1 === SW2

I want to implement various STP options: PortFast on all ports, BPDU filter and BPDU guard. I have read various Cisco documents and other reputable website feeds; just a few are:

I wish to configure all access ports as follows; I already know and use these features, so there are no problems here:

int gi0/10
 description End Device Port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable

I wish to configure trunk ports between switches and up to routers as follows; again, I already use this configuration and see no issues here:

int gi0/1
 description Trunk to R1
 switchport mode trunk
 spanning-tree portfast trunk

What I can't find any good documentation on is mixing BPDU filter and BPDU guard as global defaults with ports configured for PortFast trunk. To save myself configuring PortFast on every access port with BPDU guard and BPDU filter, I can simply enter these three global configuration commands:

spanning-tree portfast default
spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default

BPDU filter and BPDU guard will now become active on all PortFast ports, but what about PortFast ports that are configured as PortFast trunk, such as between the switches? I want BPDUs to be sent between switches. I can't find any documentation that says whether or not enabling BPDU guard/filter globally will also configure this on PortFast trunk ports, which could stop STP running between switches and potentially cause those trunk ports to errdisable.

What happens when this situation is configured, and are there any official online Cisco docs to clarify?

Best Answer

First, like the others have mentioned, you have no bridging loop here due to running a Portchannel. That said, running STP is still fine. Let me clear up some confusion on how these commands work on Cisco switches.

spanning-tree portfast trunk

This command is supposed to be run on trunk ports towards non-bridging devices, such as a server with multiple VLANs or a router. This command should not be run on trunks towards switches because the port will bypass the listening and learning phases, which could potentially create a bridging loop.

If you have an interface configured like this:

interface x/x
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

BPDU guard will never kick in because BPDU filter is filtering both the outgoing and incoming BPDUs. This also means that the port can never lose its Portfast status, which it would normally do if BPDUs were received inbound. If you remove the filter then BPDU guard will kick in and shut down the port if a BPDU is received. This is done before the port can lose its Portfast operational state, so basically the port will always operate in Portfast operational mode.

If you apply the commands globally instead:

spanning-tree portfast default
spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default

The first command enables Portfast on all access ports.

When BPDU filter is applied globally, the difference is that it sends out 11 BPDUs before going silent. Because normally one BPDU is sent out every 2 seconds and the default MaxAge is 20 seconds that means that if there is a device at the other end that can process BPDUs, at least one BPDU would be received when the old BPDU (if there was one) has expired.

If a BPDU is received inbound when BPDU filter is applied globally then the port stops filtering and it will lose its Portfast status.

The BPDU guard default command will only apply to ports that are in a Portfast operational state.

If you combine these three commands together, then what will happen is that when a BPDU is received the port loses its BPDU filter, and BPDU guard can then kick in. The port will never lose its Portfast operational state because the port is shut down before that.

So you see, when applied to the interface BPDU guard can never kick in, but if you apply it globally it can.

If you run just Portfast globally and BPDU filter globally, then if a BPDU comes in, the port loses the filter, loses the Portfast operational state, and will operate as a normal port.
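As an added illustration (my own Python model, not code from the answer above or from Cisco), here is the decision logic the answer describes, replayed for a PortFast port that receives an inbound BPDU under interface-level versus global filter/guard; the `Port` class, the `scenario` helper and the scope names "interface"/"global"/"none" are assumptions of the model, not IOS terms.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model (not IOS code and not from the answer above): it replays the
# answer's rules for a PortFast port that receives a BPDU, depending on whether
# BPDU filter and BPDU guard were applied per interface or globally.

@dataclass
class Port:
    filter_scope: str = "none"   # "interface" | "global" | "none"
    guard_scope: str = "none"    # "interface" | "global" | "none"
    portfast: bool = True        # operational PortFast state
    errdisabled: bool = False

    def bpdus_sent_at_linkup(self) -> Optional[int]:
        """Interface-level filter sends nothing; global filter sends 11 BPDUs and
        then goes silent; with no filter the port keeps sending (None = unbounded)."""
        if self.filter_scope == "interface":
            return 0
        if self.filter_scope == "global":
            return 11
        return None

    def receive_bpdu(self) -> str:
        """Apply the answer's rules for one inbound BPDU and report what happened."""
        if self.errdisabled:
            return "already errdisabled"
        if self.filter_scope == "interface":
            # Interface-level filter drops inbound BPDUs, so BPDU guard never
            # sees them and the port keeps its PortFast status.
            return "dropped by interface bpdufilter; portfast kept"
        if self.filter_scope == "global":
            # A globally applied filter stops filtering once a BPDU is received.
            self.filter_scope = "none"
        guard_active = self.guard_scope == "interface" or (
            self.guard_scope == "global" and self.portfast)
        if guard_active:
            # Guard fires before the port can drop out of PortFast.
            self.errdisabled = True
            return "errdisabled by bpduguard; portfast kept"
        # Nothing left to protect the port: it leaves PortFast and runs normal STP.
        self.portfast = False
        return "portfast lost; port now runs normal STP"

def scenario(filter_scope: str, guard_scope: str) -> Tuple[str, bool, bool]:
    """Send one BPDU into a fresh PortFast port; return (outcome, portfast, errdisabled)."""
    port = Port(filter_scope=filter_scope, guard_scope=guard_scope)
    return port.receive_bpdu(), port.portfast, port.errdisabled
```

Running `scenario("interface", "interface")`, `scenario("global", "global")` and `scenario("global", "none")` reproduces the three outcomes the answer walks through: BPDU silently dropped, port errdisabled with PortFast intact, and PortFast lost with the port reverting to normal STP.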