Solved

Port Fast, BPDU and HyperV

Posted on 2014-01-20
Last Modified: 2014-02-05
Hello Experts,

I'm having a little trouble understanding portfast, bpdu guard, smart ports and when to use them.
 I am also running into problems whilst enabling smartports and using HyperV (2012 R2).

 Should I be plugging our VOIP PBX into a portfast port and do I also need to enable bpdu guard?
 Would it be your advice to also set this as a smartport and label it as a switch?

 Secondly, what about all our other servers? Should they have portfast enabled and bpdu guard?

 Lastly :) - When enabling smartports and selecting a desktop for a port, whenever a Hyper V host server is plugged into that port with a few VMs running on the same NIC (not recommended I know) we seem to be getting constant intermittent network disconnections. So a server will work fine and when the other VM starts that VM will get network connectivity and the first loses network connectivity. Single servers do not have this issue.

I believe it may be the result of multiple MAC addresses on the same NIC, therefore the Cisco switch may be blocking multiple connections? Is there a way to check this on the switches? It's a Cisco 2960 by the way.


 Thanks!
0
Question by:dqnet
14 Comments
 
LVL 7

Expert Comment

by:unfragmented
ID: 39793944
Generally, use portfast and bpduguard whenever you connect to anything except a switch.

PBX is not a switch, therefore it should have portfast and bpduguard on the port.

Server is not a switch, therefore should have portfast and bpduguard on the port.

If you think something funny is going on with the switch, console or telnet into it and do a show log.  That should give you some clues.

The desktop smartport macro enables port security.  This sounds like your issue.  Multiple MAC addresses from the HyperV host will cause the port to lock out.  Disable with the CLI command "no switchport port-security" on the relevant interface.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39794348
Just to expand on portfast and bpdu guard; however, unfragmented is correct.

These are related to spanning tree protocol (STP) which is solely used to remove layer 2 loops in a switching environment.  There are times that you know no loop is possible.  Such as when you plug a single layer 2 device into a port (e.g. PBX, server).  So enabling portfast "skips" a lot of the STP process that tries to detect if forwarding data on that port would cause a loop.  Since you know that it won't it is safe to enable that so that your devices can start sending data faster.

BPDU guard, on the other hand, should normally be used with portfast.  Remember portfast skips states so that the port forwards data.  What if you move the PBX and plug a switch into that port?  Well, now you might accidentally introduce a loop.  BPDUs are messages that switches send to one another to determine where loops are occurring so they can shut down interfaces to prevent looping.  So enabling BPDU guard will disable an interface that receives a BPDU message because it's expecting that it should /not/ see those types of messages, and if it does then something is wrong.

I have limited experience with HyperV but I thought the virtual switches they have are capable of VLANs.  So again, unfragmented is correct in that HyperV is most likely causing some of the issues you're seeing based on if portfast/bpdu guard is enabled.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39795052
There isn't a mac address restriction on the port unless you explicitly set up port security.

In regards to the multiple VMs on that interface: is the port set up as a trunk?

Anytime I connect ESX hosts to any of our switches I set the interface to trunk mode.

You also want portfast on the trunk:

int typex/x
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk
0

 

Author Comment

by:dqnet
ID: 39805044
Hi experts,

Learnt a ton from your answers. Thanks a million!

I'll make all the necessary amendments and get back to you for your advice!
0
 

Author Comment

by:dqnet
ID: 39808520
I was on my way to configure portfast and bpdu guard on our ports however when I went to this site:  http://www.omnisecu.com/cisco-certified-network-associate-ccna/how-to-configure-and-verify-spanning-tree-protocol-stp-portfast.php   to get an idea of how to do them on the necessary ports I noticed the part where it says;

"%Portfast will be configured in 10 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.
Switch2(config-if-range)#end"

My interfaces are currently set with no access or no trunking. I understand the differences between the two and since all ports will be on the default vlan with no other then using trunk I am assuming is fine. But why does it say on that site that portfast doesn't work on trunk ports?

My ports are currently configured with nothing so they look like this:

interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
etc. etc.

thanks.
0
 

Author Comment

by:dqnet
ID: 39808533
Total ignorance - excuse the last comment.
So just to confirm I will be enabling;

portfast, bpdu and switchport mode access

correct?
0
 

Author Comment

by:dqnet
ID: 39813141
Anyone?
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39813204
With HyperV it should just be treated as a trunk port. Granted, I haven't worked with it for long as I found too many limitations for my environment.  However, everywhere I've read it should be treated as a trunk port so no portfast, bpdu guard, etc.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39813209
Yes,

switchport mode access
 locks the port into access mode, so it doesn't try to negotiate into a trunk.

Yes, portfast and bpdu guard should be enabled on any port where there is an endhost connected to it.

There are cases where you would enable portfast on trunks; this is the command spanning-tree portfast trunk

This is used on endhosts that are doing trunking such as VMware server hosts.
0
 

Author Comment

by:dqnet
ID: 39827536
So if I was to convert all my HyperV host ports to a trunk and  I don't enable portfast on a trunk wouldn't it take a long time for the servers to communicate?
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39827739
No, you SHOULD enable portfast on the trunks to your HyperV hosts. What if some of those VMs require DHCP services? The port wouldn't come up in time. Use the command I posted above for your ports connected to HyperV hosts.

spanning-tree portfast trunk
0
 

Author Comment

by:dqnet
ID: 39836029
@Soulja
Unless I understood wrong, Cyclops is saying the opposite " however everywhere i've read it should be treated as a trunk port so no portfast, bpdu guard, etc."

??
0
 
LVL 26

Accepted Solution

by:
Soulja earned 2000 total points
ID: 39836080
What you are reading is regarding trunks that connect to other switches. If you are connecting to a server that is tagging traffic, which a HyperV or VMware ESX host is doing, you will want to use spanning-tree portfast trunk. Believe me, I use it in my datacenters.
0
 

Author Comment

by:dqnet
ID: 39836140
Great - thanks
0
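
Added example, not code from any poster in this thread: a small Python audit that applies the rules discussed above (portfast plus BPDU guard on access ports, spanning-tree portfast trunk on host trunks, and port security's one-MAC default on a multi-VM port) to running-config text. The SAMPLE config, the audit function and the hypervisor_ports parameter are constructed for illustration.

```python
import re

# Constructed sample in "show running-config" style (not the asker's real config).
SAMPLE = """\
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
interface GigabitEthernet1/0/4
!
"""

STANZA = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)  # name + indented sub-commands

def audit(config, hypervisor_ports=()):
    """Return {interface: [findings]}. hypervisor_ports (an assumption of this
    example) is the operator's list of ports facing multi-VM hosts."""
    findings = {}
    for name, body in STANZA.findall(config):
        cmds = [line.strip() for line in body.splitlines()]
        issues = []
        if "switchport mode trunk" in cmds:
            if name in hypervisor_ports and "spanning-tree portfast trunk" not in cmds:
                issues.append("host trunk lacks 'spanning-tree portfast trunk'")
        elif "switchport mode access" in cmds:
            issues += [f"access port lacks '{c}'" for c in
                       ("spanning-tree portfast", "spanning-tree bpduguard enable")
                       if c not in cmds]
        else:
            issues.append("no 'switchport mode' set")
        # Port security defaults to one secure MAC unless a maximum is configured.
        maxima = [int(m.group(1)) for c in cmds
                  if (m := re.fullmatch(r"switchport port-security maximum (\d+)", c))]
        if ("switchport port-security" in cmds and name in hypervisor_ports
                and max(maxima, default=1) < 2):
            issues.append("port-security limited to 1 MAC on a multi-VM port")
        if issues:
            findings[name] = issues
    return findings
```

Calling audit(SAMPLE, {"GigabitEthernet1/0/2", "GigabitEthernet1/0/3"}) flags the port-security port, the host trunk and the unconfigured port, and leaves the PBX-style access port clean.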
