Cisco Switch Portfast

Cisco is saying that portfast can be used on a port that's connected to a single host. It also says that portfast will have an effect only when it is used on a non-trunking port, which means an access port.

So why would we worry about the usage of portfast, since it will have an effect only on access ports?
Why is it not enabled by default on access ports?
Why can it be configured on some access ports only, and not on the other access ports?
And if you enable portfast globally with spanning-tree portfast default,

it will tell you to explicitly disable it on the ports leading to switches, etc.

I thought it previously said it will have an effect only when applied to non-trunking ports, so why should it ask about explicitly disabling it on ports leading to switches?

Any expert to clear it up, please.
Thanks
Asked by: jskfan
Istvan Kalmar (Head of IT Security Division) commented:
Hi,

Please refer this page:

http://www.freeccnaworkbook.com/labs/section-4-configuring-cisco-catalyst-series-switches/lab-4-16-configuring-switchport-spanning-tree-portfast/

Portfast is needed for PCs that get their IP address from a DHCP server; all switches block the traffic for 30 seconds, so the PCs don't get an address if it is disabled!
But if you enable portfast and a loop occurs, the switch CPU goes into overload....

Best regards,
Istvan

SeeMeShakinMyHead commented:
Well, it can be configured on all access ports. Portfast allows the port to skip the spanning-tree states and go right to forwarding. On ports where you use portfast, you want to make sure that you are using BPDU guard to prevent another switch from being used on that port. So, the question as to why portfast isn't enabled by default and BPDU guard is disabled by default: it's kind of a means for non-technically savvy people to use Cisco switches in an L2 manner (while being able to connect other switches) without shooting themselves in the foot too badly, while giving them plug-and-play capabilities.

Marius Gunnerud (Senior Systems Engineer) commented:
To understand this you need to have some background on trunking. Trunking is used to transport more than one VLAN. If you connect two switches together and place those two ports into VLAN 5, then traffic for VLAN 5 will flow over that link.

Now if you add a switch into your network and connect the switches together with the ports that have portfast enabled, spanning tree will not have enough time to elect root paths and a loop will occur, as ikalmar mentioned. This will slow down your network tremendously and if not corrected will bring down your network.

jskfan (Author) commented:
-- The one thing that I don't understand is that when configuring a port as an access port, STP doesn't or shouldn't have any effect.
Loops occur only when switches are connected to each other, and when a port is configured as an access port, there should be no worry about loops.

So, the access ports should have the capabilities of portfast enabled by default. Why would an access port go through learning, listening, forwarding in the first place?

Don Johnston (Instructor) commented:
>The one thing that I don't understand is when configuring a port as an access port, the STP doesn't or shouldn't have any effect.

By default, all ports start out as access ports. Since it's possible to create a loop with just access ports, STP goes through its normal procedure to discover loops.

>So, the access ports should have the capabilities of portfast enabled by default.

I would agree that if a port is manually configured as an access port, it would make sense for portfast to be automatically enabled.

>Why would an access port go through learning.listening,forwarding at the first place?

Because by default, portfast is disabled. :-)

I think what's happening here is that you're overthinking the situation. Normally, an access port will have portfast on. But because any port could be an access port and any port could be part of a loop, spanning-tree needs to discover the loop before any traffic can pass.

jskfan (Author) commented:
If I understand your statement, an access port can be part of a loop? But if you enable portfast it will not be, because it will not receive BPDUs.

If so, I can enable portfast on all access ports where the PCs are plugged in; this way at least the PC will boot faster.

Don Johnston (Instructor) commented:
>If I understand your statement is an access port can be part of a loop?

Correct.

>but if you enable portfast it will not because it will not receive BPDUs.

No. A (physical) loop can exist regardless of whether spanning-tree is running or not. The purpose of spanning-tree is to detect the presence of loops and disable ports to eliminate them.

>if so I can enable all access ports where the PCs are plugged as Portfast, this way at least the PC will boot faster.

Portfast won't make a PC boot faster. It just makes the port on the switch move to a forwarding state faster. Now, for a PC that gets its IP address from a DHCP server, this will allow it to obtain an address faster, which could be interpreted as allowing the PC to "boot faster".

diepes commented:
I agree with SeeMeShakinMyHead above.

The default prevents you from shooting yourself in the foot.

If you connect 2 ports to an external non-Cisco switch it would be a loop, and you need spanning tree.

The solution for you is:
1. Portfast on all access ports, or on by default.
2. BPDU guard on all access ports; this will disable the port if it ever sees a spanning-tree BPDU.
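The two steps above as a Catalyst IOS configuration. This is an added example, not configuration posted by anyone in the thread; the interface names, VLAN number, descriptions and the err-disable recovery interval are placeholders to be adapted to the switch in hand.

```cisco
! Added example configuration, not from the thread. Interface names, VLAN and
! the recovery interval are placeholders.
!
! Step 1: portfast on every non-trunking port by default. Trunk ports, and
! ports that later negotiate a trunk, stay in normal STP operation.
spanning-tree portfast default
!
! Step 2: BPDU guard on every portfast port. A BPDU arriving on such a port
! (someone plugged in a switch) puts the port into err-disabled instead of
! letting it take part in the topology.
spanning-tree portfast bpduguard default
!
! Optional: bring err-disabled ports back automatically after 5 minutes
! (placeholder value) instead of requiring a manual shut / no shut.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Uplink to another switch: hard-code the trunk and explicitly switch portfast
! off, which is the warning the global command prints when you enable it.
interface GigabitEthernet1/0/48
 description Uplink to distribution switch
 switchport mode trunk
 spanning-tree portfast disable
!
! Explicit per-port form for a user-facing access port, for designs where the
! global default is not wanted. On IOS 15.2 / IOS-XE images the interface
! keyword is "spanning-tree portfast edge" instead of "spanning-tree portfast".
interface GigabitEthernet1/0/1
 description User PC
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Check the result with "show spanning-tree summary" (the Portfast Default and PortFast BPDU Guard Default lines should read enabled) and "show interfaces status err-disabled" to see which ports BPDU guard has shut down and why.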
 
jskfan (Author) commented:
In most environments, I have not seen them using PORTFAST at all, except for very few cases where one or two PCs are acting very weird and couldn't pick up an IP from DHCP.

Other than that, PORTFAST is a forgotten command in most environments.

SeeMeShakinMyHead commented:
I do see where a lot of people forget to use the spanning-tree portfast command on access ports. Before, it didn't matter, back when computers were much slower. Now that computers boot faster, there is a need to have the port brought from blocking to forwarding much faster, but at the same time still look for BPDUs to prevent unauthorized switches from entering the network. Example: UserA brings in a 4-port switch and plugs it into his Cat6 port under his desk. He could do this for several reasons (needs more ports, etc.), but regardless of the situation, he's a user so he does this. Two possible outcomes: this switch becomes the root bridge, or he loops back one of the cables by mistake and possibly brings down the VLAN that the access port on the switch is set up for. Either way, you don't want this to happen.

Don Johnston (Instructor) commented:
>Other than that, PORTFAST is a forgotten command, in most of the environment

I would disagree with that. I see portfast used all the time in many different networks.

SeeMeShakinMyHead commented:
Agreed, donjohnston, it is widely used. I do, however, see where people leave it off and wonder why logon scripts aren't running on desktops. It should just be a default on newer Cisco IOS releases; but it is what it is...

Marius Gunnerud (Senior Systems Engineer) commented:
Cisco is just having a hard time letting go of their original defaults... old habits die hard

jskfan (Author) commented:
thanks guys