portfast

. . . (this EDGE port type was added for faster end-to-end layer 2 convergence, as in RSTP / MSTP only non-Edge ports needs to reconverge to avoid loops)

For possibly further clarification, BTW, specifically, I believe, it avoids edge ports from generating needless TCNs (and the workload imposed on STP processing nodes).

I guess it's clear that the feature will be enabled on access or trunk ports where there's no switch on the other side; so what can be on the other side, it can be a user device / machine like computer, printer, server or a non-layer 2 network device like router, firewall, access-point , or a switch with a routed / layer 3 physical port.

Also, BTW (and possibly for further clarification), whether you're dealing with a L2 switch, or not, is a generalization.  For example, an edge switch, that doesn't create a L2 loop could be connected to a portfast configured port, conversely something like a server running a virtual switch, and/or possibly with misconfigured Etherchannel might cause a L2 loop too.  So, one has to consider whether it's at all possible for a downstream device to create a L2 loop.

BPDUGuard

This is a administrative security feature, aimed to logically disable the port if someone accidentally / unintentionally or intentionally connects a layer 2 switch on the port, which per your company policy should not happen; it does not serve any other scope, it does not enhance / optimise STP functionality and it does not prevent or stop layer 2 loops from happening, as if the feature would not be enabled and a BPDU would be received ingress, the port will instantly start state and role renegotiation to prevent / stop layer 2 loops.

It's certainly possibly that both M02@rt37 and myself (and @Mark Elsen believing the combination is "safer"), mentioning a possible small time window, where Portfast, without BPDUGuard, may allow a L2 loop has never been true (i.e. just a networking "wive's tale"), or perhaps it once was true, and on newer equipment is no longer true.

However, I submitted this question on my browser, "cisco can a l2 happen with portfast" and its AI results summary provided:

Yes, enabling PortFast on a switch port can create a small window where Layer 2 loops (L2 loops) can occur if a device connected to that port sends Bridge Protocol Data Units (BPDUs). To mitigate this risk, it's recommended to use BPDU Guard alongside PortFast.

But, I don't take AI or (this AI summary of) "groupthink" (even if correctly summarized) as being always correct.

Personally, this not something I've tried to verify, and even if I did verify, one answer over the other answer, I'm, personally, nervous of "always" or "never" answers unless it's something defined in a specification and there's documented prescribed behavior.  (I believe both Portfast and BPDUGuard are Cisco proprietary.)

So, along the lines of Pascal's wager, using the combination of the two options doesn't seem to have any major cons, but it may be "safer".

Hi,

   You always get the best out of myself and I say that in a good way.

. . . (this EDGE port type was added for faster end-to-end layer 2 convergence, as in RSTP / MSTP only non-Edge ports needs to reconverge to avoid loops)

Yes, faster convergence by the port remaining stable in state in role, in RSTP / MSTP terminology for EDGE port it means there is no STP negotiation happening on the EDGE port for when there's a topology change.

I guess it's clear that the feature will be enabled on access or trunk ports where there's no switch on the other side; so what can be on the other side, it can be a user device / machine like computer, printer, server or a non-layer 2 network device like router, firewall, access-point , or a switch with a routed / layer 3 physical port.

If there's a virtual / non-virtual switch attached running any flavour of STP, the port looses its portfast / EDGE status and behaves like a normal STP port, negotiating its state and role, no danger here. If there's a virtual / non-virtual switch attached that does NOT run STP and this switch is NOT physically looped in the network, the port keeps its portfast / EDGE attributes and there's no risk for a loop to happen.  If there's a virtual / non-virtual switch attached that does NOT run STP and this switch is physically looped in the network you're busted as the loop will be formed and melt your entire layer 2 infrastructure, unless the attached switch NOT running STP forward the STP packets as data-plane packets (which is expected from a switch not running STP, to treat the STP packets as data-plane) and the loop is broken by the switches attached to both sides of this newly added switch, or unless you have storm-control enabled which will  transition the port into errdisable state and break the loop while isolating the attached network segment (you cut a hand to save yourself).

It's certainly possibly that both M02@rt37 and myself (and @Mark Elsen believing the combination is "safer"), mentioning a possible small time window, where Portfast, without BPDUGuard, may allow a L2 loop has never been true (i.e. just a networking "wive's tale"), or perhaps it once was true, and on newer equipment is no longer true. However, I submitted this question on my browser, "cisco can a l2 happen with portfast" and its AI results summary provided.

In real life, we all might be right or wrong at the same time. However, I always add logic to the clear understanding of how things work and should work given a functional code, as this is what we should relate to. From loop formation perspective, why I see the result as being the same when PortFast is enabled, with or without BPDUGuard enabled: in both cases, if someone attaches a switch that runs STP and is looped in the network (cause if this new switch is not looped in the network, our next points are useless), until the BPDU is received, because PortFast instantly transition the port to DSG / FW upon LINK UP event (assuming here carrier-delay UP is set to 0 and interface manager process is functioning properly and signalling all processes including STP that link came UP without significant delays), there is window of 0-2 seconds (2 seconds being the BPDU Hello Interval) where there is a loop formed; once the BPDU is received, if BPDGuard is enabled the port transition to errdisable state and loop is broken, if BPDUGuard is not enabled the port will negotiate its new role and state and loop is broken. If the question is which feature reacts faster upon BPDU being received to faster break the loop, BPDUGuard or PortFast, the way I look at is as follows: we speak here about some extra ms interval level, so if there was loop of up to 2s initially anyways and we imagine a 10G or 100G link or why not 400G link, those 2 second are enough for disaster to happen, few additional ms won't make a difference; also, even if some SW GURU from Cisco, knowing the internal architecture of the NOS would say that one feature rects faster than the other, based on my experience this is as of today, subject to change anytime in near future (not far away), due to either intentional internal architectural changes that shift the behaviour, either due to unintentional changes or bugs in the code. So, from my perspective, the way to go is having both features turned on (each of them having different scopes, not that one or the other break the loop faster) and implicitly having the loop broken in time.

Thanks,

Cristian.

---

@Cristian Matei wrote:

   You always get the best out of myself and I say that in a good way.

Your best, is excellent.  If fact, reading your posting reminds me much of reading Peter Paluch's postings.

To reiterate, to be concerned about how fast Portfast STP processing will kick in, with "seeing" a BPDU, or how fast BPDUGuard processing will kick in, again with "seeing" a BPDU (i.e. L2 loop duration), or which is faster, if either is faster, might be just an old networking "wife's tale", totally without merit.  Further, if it was ever an issue, at all, it may not be an issue on modern hardware.

I known you're not keen on suppositions, but I'll relay what I understood was the "issue" of a temporary L2 loop and why it might not be an issue today.

My understanding was, the danger of Portfast allowing a L2 loop, the loop, itself, may flood switches' CPU, such that the "normal" STP process is unable to complete at all.  I.e. the L2 loop is never broken.

Couldn't the same be true with BPDUGuard?  Sure, although, in theory, possibly it has less to do.  Remember, the new L2 loop, from a STP perspective, might actually be the new better path.  Whereas with BPDUGuard, it only needs to concern itself with shutting down the port.

Later gen switches, besides likely having more powerful CPUs, now have usually CPU protections like CoPP.  Or, as you mention, storm-control protections (which, I recall, were available before CoPP), but they have their own limitation too.

However, even with more powerful CPUs, and/or "circuit breakers", why isn't Portfast the standard.  I mean, if we only need to worry about, maybe a very short duration L2 loop, which Portfast (or BPDUGuard) will break, why waste anytime at all coming on-line before joining a L2 domain, regardless of what's joining it?

So, for your network requirements, practically, it may not matter to you how fast Portfast or BPDUGuard break formation of a L2 loop, assuming they always can.  However, other networks, may want to be preclude any such possibility, and might never want to depend on either of those configuration commands, without knowing what to expect.  There might also be a third kind of network requirements, that's willing to gamble, if you can provide actual probabilities.

So, from my perspective, the way to go is having both features turned on (each of them having different scopes, not that one or the other break the loop faster) and implicitly having the loop broken in time.

That's fine, but implicitly, the only advantage of using BPDUGuard, in your analysis is, you want to (for administrative reasons only) shut the port.  I mean, your analysis is STP alone will (practically) be all that's needed to deal with accidental formation of a L2 loop and it protect the network.

As an aside, I don't ever recall having to personally deal with a production L2 accidental loop.  That's not to say, firms I worked at never had any, they very occasionally would have one, but I wasn't involved with troubleshooting it, fixing it, or determining the reason why it came to be.  I recall though, the loop was generally limited to a single (logical) L2 edge switch and its "parent" distro L3 switch.  Root cause, in hindsight, would have been interesting, as, by standard, all edge ports were portfast, running pvst or rapid-pvst, but without BPDUGuard.  I vaguely recall, though, the physical cause was inadvertently looping two of the same VLAN ports on the single logical edge L2 switch.  (Do note, this was, decades ago, sort of when the original 3560/3750 were newly released, or when the 6500 sup might still be a sup1 or sup2.)

Mt experience is that the L2 loop is not broken on a port with portfast enabled much more often than not. Based on that, my opinion is that BPDU guard is required on ports with portfast enabled. I always add "spanning-tree portfast bpduguard default" to global config.

@Elliot Dierksen interesting!

Three questions . . .

The cases where portfast alone didn't break a L2, this was with a STP variant active on the port, correct?

If STP was active, do you recall the STP variant and possible platform/IOS?

Lastly, was this on just "older" platforms/IOS or also on "current gen" equipment?

The aforementioned pain and suffering was quite some time ago. It was sufficiently painful that I never wanted to go there again. You could very well be correct that this is no longer an issue, but I don't think my old school take on this hurts anything either. A temporary 30-60 second loop is still enough to cause the user population to break out the torches and pitchforks! 

Hi,

   Can you briefly explain how can one end up with a 30-60 seconds window for a layer 2 loop? With default STP timers, loop is broken within very first few ms of link coming up, worst case, within max 2 seconds. Again, we don't account for weirdo bugs.

Thanks,

Cristian.

Cannot speak on @Elliot Dierksen 's experience, on the apparent cause of what he has seen as a L2 loop, and what was its actual cause.  As I've previously written, they have (rarely) happened at companies I've worked at, but I wasn't present when they happened nor participated in any postmortem analysis (I was an expensive contractor, and firms didn't consider it worth my time).

That said, yes I can see them possibly happening, mainly because I suspect supporting STP is more dependent on everything working as normal than BPDUGuard.  (Again, if either can break an inadvertently created L2 loop, due to bypassing, expected STP startup behavior, and/or taking the same time to do that, what's the need for recommendating also using BPDUGuard beyond wanting to shut the port?)

Now, although I haven't dealt with L2 loops, I have done postmortem analysis on a OSPF network meltdown due to a flapping interface.  Interestingly, it was a mixed vendor environment, Cisco and Brand X.  Brand X's OSPF implementation didn't have the non OSPF RFC proprietary Cisco enhancements.  I.e. without those features, the OSPF meltdown made sense.  Cisco, might not have meltdown.

I also did a postmortem analysis, on the Brand X core L3 switches, sort of an equivalent to the 6500 with sup2 with a fabric board, which melted down during the Code Red virus outbreak.  In this case, I suspected a sup1 or sup2 might have had the same issue, but also that a sup720 wouldn't have (due to architectural differences).

The L3 switch core Code Red issue was also interesting to me, because I was very much involved with its greenfield topology.  I proposed a L2 core.  The Brand X support engineer (smart fellow) proposed a L3 core.  We both had good reasons, but he convinced me his were better overall.  However, I believe the L2 core would have been immune to the Code Red issue, but as I too agreed the distro layer had to be L3, laugh, I couldn't say I told you so.

@Cristian Matei Perhaps this is an element of "under-promise and over-deliver", but I have been telling customers 30-60 seconds for STP to settle down after a topology change for years. The portfast issue and a loop never being detected happened more than once, but that could easily have been 20 years ago. I am 100% ok with disabling a single port to save the rest of the network if a switch is plugged in where I am expecting only an end station. It might not be a problem any longer, but applying the combination of portfast with BPDU guard always works without causing me or the customer any issues. If there is a better way, I am all ears.I guess I don't spend a lot of time re-evaluating a practice that that has been 100% successful unless there is a compelling reason to do so.