Cisco – Should STP Be Disabled on Access Ports?

cisco-catalystlayer2spanning treeswitchswitching

I'm going to replace some old "central" access switches to some Cisco Catalyst 2960X, and I'm not sure what to do on their STP configurations.

For this network, we have some "central" access switches, that connect some hosts and some unknown unmanaged or "smart" switches. For now, I have to maintain these unknown switches working, but I want to avoid getting my entire network down in case of a loop.

How should I configure these access ports regarding STP? At first, I thought it was better to turn off the STP using portfast in all ports (except my trunk), but i'm afraid that some of these connected switches might cause a loop in the entire network. If I turn on BPDU filter, as far as I know, any connected switch will put the port in err-disable, and I don't want that either.

Is there a way that I can have these unmanaged switches connected on the access ports and just disable their ports to the Cisco in case of a problem?

Best Answer

You really, really do not want to disable STP where you connect switches to other switches. That is the entire purpose of STP. If you disable STP, and there is a problem, it will really be too late because your entire network could crash when you notice it, and recovering from a broadcast storm is no fun at all.

By the way, portfast doesn't actually disable STP, it just skips the whole learning process, and it should only be enabled on a true access interface, not where you connect another switch.

A best practice is to not connect an access switch to another access switch, but if you do this, you can set the interface to trunk and set the native VLAN to what you had for the access VLAN. You can even restrict the VLANs allowed to only allow the native VLAN.

The use of globally enabled portfast and bpduguard is recommended. This will not be enabled on trunk interfaces unless you use the trunk keyword. This will give you the protection on access interfaces, but not anywhere you connect other switches with a trunk interface.

Related Solutions

Spanning Tree – Preventing STP Loops in EtherChannel Configurations

You should not be using "on" for link aggregation as it can lead to problems. On the side with aggregation statically on, it will use the interfaces in the etherchannel, no matter what the configuration is on the other side.

While storm control (from comments) can be very helpful with some of the problems that result, it does not resolve all of them. For instance if one of the remote side links is an access port on a different VLAN, all traffic that goes down that port will likely never reach its destination. Depending on how constant the traffic and the load balancing across the etherchannel, this may result in a complete "outage" for some hosts.

I always recommend the use of LACP over PAgP, so instead of desirable/auto or on, use either active on both sides or active on one and passive on the other. The reason for this is that LACP is standards based while PAgP is Cisco proprietary.

Of course this is in part dependent on the hardware platform, so check the appropriate documentation for your platform.

Cisco – Mixing Cisco STP Features: BPDU Guard, BPDU Filter, PortFast and PortFast Trunk

First, like the others have mentioned you have no bridging loop here due to running a Portchannel. That said, running STP is still fine. Let me clear some confusions on how these commands work on Cisco switches.

spanning-tree portfast trunk

This command is supposed to be run on trunk ports towards non bridging devices, such as a server with multiple VLANs or a router. This command should not be run on trunks towards switches because the port will bypass the listening and learning phase which could potentially create a bridging loop.

If you have an interface configured like this:

interface x/x
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

BPDU guard will never kick in because BPDU filter is filtering both the outgoing and incoming BPDUs. This also means that the port can never lose its Portfast status which it would normally do if BPDUs were received inbound. If you remove the filter then BPDU guard will kick in and shutdown the port if a BPDU is received. This is done before the port can lose its Portfast operatational state so basically the port will always operate in Porfast operational mode.

If you apply the commands globally instead:

spanning-tree portfast default
spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default

The first command enables Portfast on all access ports.

When BPDU filter is applied globally, the difference is that it sends out 11 BPDUs before going silent. Because normally one BPDU is sent out every 2 seconds and the default MaxAge is 20 seconds that means that if there is a device at the other end that can process BPDUs, at least one BPDU would be received when the old BPDU (if there was one) has expired.

If a BPDU is received inbound when BPDU filter is applied globally then the port stops filtering and it will lose its Portfast status.

The BPDU guard default command will only apply to ports that are in a Portfast operational state.

If you combine these three commands together then what will happen is that when a BPDU is received the port loses its BPDU filter, BPDU guard can then kick in. The port will never lose its Portfast operational state because the port is shutdown before.

So you see when applied to the interface BPDU guard can never kick in but if you apply it globally it can.

If you run just Portfast globally and BPDU filter globally then if a BPDU comes in, the port loses the filter and loses the Portfast operational state and will operate as a normal port.

Best Answer

Related Solutions

Spanning Tree – Preventing STP Loops in EtherChannel Configurations

Cisco – Mixing Cisco STP Features: BPDU Guard, BPDU Filter, PortFast and PortFast Trunk

Related Topic