
Disabling PortFast on Trunk for ALL vlans

soundguy75
Level 1

Hi all:

 

I'm brand new to the community & still a student, but did a search and could not find a question for this specific problem that I'm repeatably having that is driving me stark raving mad! lol

 

In PacketTracer, I want to disable portfast on my two vlan trunks (both statically assigned), so that I can globally enable both portfast using "spanning-tree portfast default" & also bpduguard using "spanning-tree portfast bpduguard default". This way all of my statically assigned access ports will have both portfast & bpduguard enabled, but bpduguard won't have a chance to completely freak out & shut down my trunks. BUT-- when I disable portfast on my trunks using the int sub-command "spanning-tree portfast disable", it is only disabling portfast for vlan 1 & NOT disabling it for any of the other vlans! I am running in pvst mode & also running vtp transparent mode on all switches.

 

A1#sh spanning-tree int fa0/1 portfast
VLAN0001 disabled
VLAN0010 enabled
VLAN0020 enabled

 

So when I globally enable both portfast & bpduguard, bpduguard completely freaks out & shuts down my trunks (as it should). How in the world do I completely disable portfast on my trunk ports for ALL vlans???!  I thought portfast was only normally supposed to enable on access ports only, but this is not the case from the verification above!

 

Any help would be appreciated. Thanks so much in advance everyone!

 

Cheers,

Chad :) 

 

 

9 Replies

Martin L
VIP

 

First of all, I would not trust PT; it is a simulator, not real IOS. Do you have access to real gear or virtual IOS?

2nd, show your relevant configs. 

3rd, what's the goal or purpose of this? 

 

Regards, ML
**Please Rate All Helpful Responses **

Hi Martin:

Here is a copy of my running-config. I haven't globally enabled bpduguard in this config at this point yet, because it brings down my trunks every single time! No, unfortunately I don't have access to real gear or virtual IOS.:(

 

Current configuration : 2464 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname A1
!
!
!
!
vtp mode transparent
!
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan 10
name UserGroupA
!
vlan 20
name UserGroupB
!
interface FastEthernet0/1
switchport mode trunk
switchport nonegotiate
spanning-tree portfast disable
!
interface FastEthernet0/2
switchport mode trunk
switchport nonegotiate
spanning-tree portfast disable
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/9
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/13
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/14
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/15
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/16
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/17
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/18
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/19
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/20
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/21
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/22
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/23
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/24
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
!
!
!
line con 0
!
line vty 0 4
login
line vty 5 15
login
!
!
!
!
end

Martin L
VIP

 

Freak out & shut down my trunks? No, that's not going to happen. If you globally enable both portfast using "spanning-tree portfast default" & also bpduguard using "spanning-tree portfast bpduguard default".

Per Cisco doc, see link

You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports.

To enable Port Fast on trunk ports, you must use the spanning-tree portfast trunk interface configuration command. The spanning-tree portfast command will not work on trunk ports.

 

At the global level, you enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state if any BPDU is received on them.

OR, at the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature.

 

 

Regards, ML
**Please Rate All Helpful Responses **

Hi Martin!

Thanks for your response. I was always under the impression from the very beginning that PortFast only enables on non-trunking ports as you say, but according to "show spanning-tree int fa0/1 portfast", fa0/1 (one of my trunks) still appears to have portfast enabled on vlan 10 & 20. I just enabled bpduguard globally using exactly what you recommended in your last post & here is a copy/paste of the IOS response:

 

A1(config)#spanning-tree portfast bpduguard default
A1(config)#%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on 0/2, putting 0/2 in err-disable state
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on 0/1, putting 0/1 in err-disable state
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down


That should not happen by default and since you manually disable the Port-Fast feature using the spanning-tree portfast disable under f0/1. But it will happen when you apply spanning-tree portfast trunk on trunk ports manually; so, it must be a PT bug.
I will double check this on my virtual IOS lab later today or tomorrow.

Hey, thanks so much Martin! That would be extremely helpful and great to know what actually happens in real life outside of the simulator.

 

Thanks!

Chad :)

Martin L
VIP

 

This is based on a virtual IOS L3/2 switch, which is pretty close to a real one; my real 3750s are not accessible atm. Ports: E0/0 is an access vlan 1 port; E2/0 and E2/1 are trunks.

 

With Default settings on 2 switches: 

IOU2#sh run | in spanning 
spanning-tree mode pvst
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default

IOU2#sh spanning-tree int e0/0 detail 
Port 1 (Ethernet0/0) of VLAN0001 is designated forwarding 
....few lines omitted.....
Number of transitions to forwarding state: 1
The port is in the portfast edge mode by default
Link type is point-to-point by default
Bpdu guard is enabled by default
BPDU: sent 382, received 0

IOU2#sh spanning-tree int e0/0 portfast 
VLAN0001 enabled

--------------------------- Trunking Port  Config

sh run int e2/0
interface Ethernet2/0
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast disable

IOU2#sh spanning-tree int e2/0 portfast
VLAN0001 disabled
VLAN0010 disabled
VLAN0020 disabled
VLAN0030 disabled
VLAN0040 disabled
VLAN0050 disabled

My IOS has a few "extra" options (edge/network) with the command:

 

IOU2(config-if)#spanning-tree portfast ?
disable Disable portfast for this interface
edge Enable portfast edge on the interface
network Enable portfast network on the interface

IOU2(config-if)#spanning-tree portfast ed
IOU2(config-if)#spanning-tree portfast edge ?
trunk Enable portfast edge on the interface even in trunk mode
<cr>

IOU2(config-if)#spanning-tree portfast edge 
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on Ethernet2/0 but will only
have effect when the interface is in a non-trunking mode.

What happens when I add trunk to spanning-tree portfast edge?

 

IOU2(config-if)#spanning-tree portfast edge trunk 
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

IOU2(config-if)#
*May 25 02:19:57.863: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Ethernet2/0 with BPDU Guard enabled. Disabling port.
IOU2(config-if)#
IOU2(config-if)#
*May 25 02:19:57.863: %PM-4-ERR_DISABLE: bpduguard error detected on Et2/0, putting Et2/0 in err-disable state
*May 25 02:19:58.867: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet2/0, changed state to down

IOU2#sh run int e2/0
interface Ethernet2/0
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast edge trunk

Port was shutdown as it should since received BPDU. 

Result: PT has a bug !

 

 

Regards, ML
**Please Rate All Helpful Responses **
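
An added example, not from the thread or from Cisco: a small Python audit that applies the rules quoted and lab-tested above (global PortFast skips trunks, the `trunk` keyword overrides that, global BPDU guard follows operational PortFast, interface-level BPDU guard applies regardless) to running-config text and lists the trunks that the first received BPDU would err-disable. The function names and the sample config are constructed for illustration; it assumes `!` separates interface blocks from later global commands and treats any port without `switchport mode trunk` as non-trunking.

```python
import re

def audit_stp_edge(config):
    """Effective PortFast / BPDU guard per switchport, from running-config text."""
    glob_pf = glob_bg = False
    ports, cur = {}, None
    for raw in config.splitlines():
        # Newer IOS adds an "edge" keyword to the same commands; normalise it away.
        line = re.sub(r"portfast edge\b", "portfast", raw.strip())
        if re.match(r"interface (?!vlan)", line, re.I):      # SVIs are skipped
            cur = ports.setdefault(line.split(None, 1)[1], {"trunk": False, "pf": None, "bg": None})
        elif line == "!":
            cur = None                          # assumption: "!" ends the block
        elif cur is None:
            glob_pf |= line == "spanning-tree portfast default"
            glob_bg |= line == "spanning-tree portfast bpduguard default"
        elif line == "switchport mode trunk":
            cur["trunk"] = True
        elif line.startswith("spanning-tree portfast"):
            cur["pf"] = line.split()[2:] or ["on"]   # ["disable"], ["trunk"], ["on"]
        elif line.startswith("spanning-tree bpduguard "):
            cur["bg"] = line.endswith(" enable")
    report = {}
    for name, p in ports.items():
        if p["trunk"]:
            pf = p["pf"] == ["trunk"]           # plain and global PortFast skip trunks
        else:
            pf = p["pf"] in (["on"], ["trunk"]) or (p["pf"] is None and glob_pf)
        # Interface-level bpduguard wins; otherwise the global default follows PortFast.
        bg = p["bg"] if p["bg"] is not None else (glob_bg and pf)
        report[name] = {"trunk": p["trunk"], "portfast": pf, "bpduguard": bg}
    return report

def trunks_at_risk(config):
    """Trunks where BPDU guard is active: a neighbour's BPDU would err-disable them."""
    return sorted(n for n, s in audit_stp_edge(config).items() if s["trunk"] and s["bpduguard"])

# Constructed sample: Fa0/1 as in the posted config, Fa0/2 with the lab's "edge trunk" form.
SAMPLE = """spanning-tree portfast default
spanning-tree portfast bpduguard default
interface FastEthernet0/1
 switchport mode trunk
 spanning-tree portfast disable
interface FastEthernet0/2
 switchport mode trunk
 spanning-tree portfast edge trunk
interface FastEthernet0/3
 switchport mode access
"""
```

`trunks_at_risk(SAMPLE)` returns only `FastEthernet0/2`; the report is derived from configuration alone, so it should be compared against `show spanning-tree interface ... portfast` on the device.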

 

 

 

Hey, thanks so much for checking that for me! I'm jealous that when you configured:

spanning-tree portfast disable 

on your trunks, then ran:

IOU2#sh spanning-tree int e2/0 portfast 
VLAN0001 disabled
VLAN0010 disabled
VLAN0020 disabled
VLAN0030 disabled
VLAN0040 disabled
VLAN0050 disabled

yours ACTUALLY disabled across all of the bloody vlans on the trunks & mine won't! haha! I even tried other models (including a layer 3 switch as well) in packet tracer. I even tried running in VTP server/client mode, just to see if that made a difference. Whatever I tried, portfast would only disable on vlan 1 as long as I had the global "portfast default" configured. Grrr!

 

Thanks again Martin. I appreciate the trouble you went through.

Regards,

Chad :)  


Yes, but the Cisco doc says that the command "spanning-tree portfast disable" on trunks is automatic and not needed; it might be a "hidden" command. This is due to the command "spanning-tree portfast edge".
see message above "%Portfast has been configured on Ethernet2/0 but will only
have effect when the interface is in a non-trunking mode"

in other words I think
global command "spanning-tree portfast edge default" <> spanning-tree portfast disable is hidden!
at interface level command "spanning-tree portfast edge" <> spanning-tree portfast disable is not hidden
Result is the same in case of trunks

