03-14-2005 07:13 AM - edited 03-02-2019 10:07 PM
I have several 2950 switches that were recently installed by an outside Cisco consulting firm. I always thought that any port on a switch that was connected to another device that provided multiple connections, i.e. a wireless AP, another switch, a router, should have spanning tree turned off. When I asked the consultant they said it did not matter. Here is the configuration. What do you think?
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
description To AP ***MUST STAY IN VLAN 20****
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
03-14-2005 08:24 AM
No, spanning tree should be on for any port connecting to another Cisco device; this is what prevents you from having loops in the network. Regular user ports don't necessarily need it running, but it is good practice just to leave it on; there is little overhead involved with it.
03-14-2005 11:04 AM
What the commands are doing in this instance is:
portfast: does not go through the spanning-tree algorithm and comes up faster, almost instantly.
bpduguard: says that if a BPDU (spanning-tree packet) is received on this port, shut down the port. This means that a multi-connection device (at least layer 2) should not be connected.
The idea that spanning tree should be turned off between Cisco devices is absolutely incorrect. If there is a possibility that a loop may be introduced in the network, then spanning tree should be utilized to negate the loop.
03-14-2005 11:27 AM
Between switch/router and switch/router, portfast should always be off, in order to ensure proper calculation of spanning tree convergence to the root. Spanning tree should always be turned on to avoid network loops at layer 2. A layer 3 device (router) can process layer 2 (blocking), provided that IP bridge-routing is supported.
03-17-2005 04:58 AM
I think I am even more confused now.
03-17-2005 05:44 AM
OK, let me have a go at explaining it.
Loops in networks are bad. Packets go round and round in circles forever, and end up consuming all your network bandwidth. So if you have a loop, you should break it.
Spanning Tree is a protocol between network devices that detects loops, and cuts links to break any loops it detects. The clever thing about it is that it is automatic. It is enabled by default on all Cisco switches. And if the loop gets disconnected in a second place, Spanning Tree will repair the links it cut in order to repair the network.
Now the bad thing about Spanning Tree is that when it sees a new link, it takes 30 seconds to work out whether it should cut the link or not. During that time it holds it disabled. That's not good if all you have done is plug in a PC. 'Cos we all know that a PC usually only has one connection, so cannot be a loop. So, what some NetAdmins do is, on the ports they are going to connect PCs, they bypass this "thinking time" by configuring "portfast". The Spanning Tree will still cut the link if it sees a loop, but it is a bit more "gung ho!" about activating the port. But if there is a loop on that port, it can still do the damage in the few seconds it takes to cut it. That's where the "bpdu-guard" comes in ... it says "if you detect a switch on this port, then disable the port immediately."
So ... if you got this far, then here is the crunch ... do NOT disable Spanning Tree. If you are using a port for PCs, by all means configure portfast to bypass the thinking time, but ONLY if you are connecting single-ended devices like a PC or workstation on the port.
Does that make it any clearer?
Kevin Dorrell
Luxembourg
03-17-2005 08:44 AM
I think I got it, so on all the ports where our consultant left
spanning-tree portfast
spanning-tree bpduguard enable
turned on that are connected to other switches and wireless access points I need to remove these commands?
03-17-2005 09:03 AM
That's right. The commands are only appropriate for PC and workstation ports.
The portfast command bypasses some of the safeguards built into Spanning Tree.
The bpduguard command mitigates some of the risks involved in bypassing those safeguards.
For ports connected to other network devices, you should remove those commands and let Spanning tree get on with its job without interference.
Hope this helps.
Kevin Dorrell
Luxembourg
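An added example, not posted by anyone in this thread: a small Python audit that parses a switch running-config and flags every interface carrying `spanning-tree portfast` whose trunk mode or description indicates another switch, AP or router behind it, i.e. the ports Kevin says the commands should be removed from. The sample config (modelled on the stanza quoted above, plus a PC port and an uplink for contrast) and the description keyword list are constructed assumptions.

```python
import re

# Constructed sample running-config: the thread's AP port, a PC port
# (where portfast + bpduguard is appropriate) and a trunk uplink.
SAMPLE_CONFIG = """\
spanning-tree mode pvst
!
interface FastEthernet0/1
 description To AP ***MUST STAY IN VLAN 20****
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description PC - accounting
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/24
 description Uplink to core switch
 switchport mode trunk
 spanning-tree portfast
!
"""

# Description keywords hinting at a multi-connection device (assumed list;
# adapt it to your own port naming convention).
INFRA_KEYWORDS = re.compile(r"\b(ap|access point|switch|router|uplink|trunk|core)\b", re.I)

def parse_interfaces(config):
    """Return {interface_name: [stanza lines]} for each 'interface' block."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return stanzas

def audit_portfast(config):
    """Return (interface, reason) for ports where portfast looks misplaced."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "spanning-tree portfast" not in lines:
            continue
        desc = next((l[len("description "):] for l in lines if l.startswith("description ")), "")
        if "switchport mode trunk" in lines:
            findings.append((name, "portfast on a trunk port"))
        elif INFRA_KEYWORDS.search(desc):
            findings.append((name, f"portfast on a port described as '{desc}'"))
    return findings

if __name__ == "__main__":
    for iface, reason in audit_portfast(SAMPLE_CONFIG):
        print(f"{iface}: {reason}; remove portfast/bpduguard here")
```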