---

I agree @Elliot Dierksen  - - stp on its own without any of its enchantments applied should be enough to negate a loop but in reality other factors can prohibit that or slow it down, so applying these enchantments is a extra layer of insurance and shouldn't be ignored

---

I wonder if my experience has to do with the lesser known thing that portfast does. Everyone seems to know that PF make it bypass the listening and learning phase, and go straight to forwarding. The other thing PF does is it suppresses the sending of TCN's when a PF enabled port goes up or down. This could be why other switches don't realize that a loop has been created. I don't know that for sure. The suppressing of TCN's from host ports is a good thing because it keeps the network from flooding unicast traffic as it should by definition while a TCN is active. I have seen cases of a host port without PF enabled was flapping which caused serious network degradation because of that flooding.

I have seen cases of a host port without PF enabled was flapping which caused serious network degradation because of that flooding.

Yes, an example of how easily switch CPUs can be overwhelmed.

Story time (laugh) . . .

So, years ago, I was working in an environment where many branches had two 2811s, each with a single T1/E1 link, often fractional.  LAN switches were 3750Gs, sometimes stacked.  The routing protocol was OSPF, running on all of them.

The IOS, early on (I recall??), for the 3750s, was available in 3 versions, IP Base, IP Services and IP Advanced Services.  Full featured OSPF, I also recall, required the Advanced Services version, the must expensive version, both initially and for a support contract.

Looking to penny pinch, I wondered whether we could run RIP between the 3750G and the 2811s, as on 3750, RIP was in IP Base (again, as I recall).

Technically, a 2811, couldn't really support even one of its FE ports at wirespeed, while the 3750G could run up to (about) 16 of its gig ports at sustained wirespeed.  (A huge data forwarding difference, about 300x better.)

I enabled RIP on all 3 devices.  I then started to decrease RIP update intervals.  When I got down to about a 2 second interval, the 2811s showed maybe an additional 1% CPU load, while the CPU was maxed out on the 3750!

Initially I was shocked, but what I suspect the issue was, the 3750 has dedicated ASIC(s) for its dataplane (usually the most resource demanding), which means a CPU, as "powerful" as the 2811's, isn't usually needed, so Cisco possibly provides a CPU that's sufficient for normal 3750 switch CPU control plane processes but if you do something unusually control plane CPU demanding, it's not particularly difficult to max out the switch's CPU, such as also possibly dealing with a high volume of TCNs.

Hi,

 @Elliot Dierksen I see the "better safe than sorry" approach, and I agree it's the way to go in real life. At the same time, 30-60 seconds for convergence in the case of STP with the default timers, it's just not how this piece of technology works regardless of the STP flavour and any weird non-recommended layer 2 topology you might have.

      And yes, PortFast with BPDUGuard is sort of a golden standard, not only because you dictate through your configuration on which ports there should be no switch attached, but also because if one fails to keep the network running (PortFast /STP to react and break the loop), the other one which is BPDuGuard comes to the rescue by transitioning the port to ErrDiasbled state (and ye to isolate part of the layer 2 domain which should not have been there to begin with, as better to cut a hand as opposed to die by bleeding).

Thanks,

Cristian.

Hi,

   We speak here about permanent loops, not transient loops or microloops, as transient in classic / STP based layer 2 environments can't be eliminated, as you rely on BPDU's being sent and / or received (depending on the layer 2 topology and Root Bridge placement).

    I've never seen such cases where PorttFast being enabled and STP running everywhere ends up in a permanent loop. It doesn't add up, this must have been an ugly bug, in which case such ugly bug might as well happen with BPDUGuard an any other feature, so if we take the worst case scenario, it doesn't matter what you do, you'll have a permanent loop.

Thanks,

Cristian.

Oh, one possible last thought of the difference between portfast with STP breaking a L2 loop vs. BPDUGuard breaking a L2 loop, I had earlier mentioned the L2 loop perhaps flooding a switch's CPU, but switch ports may be flooded too, the latter, perhaps dropping BPDUs.  Such BPDU loss is likely to increase the problem of STP functioning to break an active loop, where as BPDUGuard need to only see just one BPDU to shut the port.  (BTW, manually, L2 loops are often broken by disconnecting Ethernet cables or even yanking power cables.)

Portfast bypasses STP loop creation protection.

BPDUGuard is the backstop to Portfast.

Hello

---

@Joseph W. Doherty wrote:

Oh, one possible last thought of the difference between portfast with STP breaking a L2 loop vs. BPDUGuard breaking a L2 loop, 

Portfast bypasses STP loop creation protection.

BPDUGuard is the backstop to Portfast.

---

I would say when both features are applied simultaneously either at a global/interface level they interact with each other and protection is provided 

However global/interface combinations of PF/guard & filter can work differently 

Example:
In a situation PF isnt applied to a port, and either BPDUguard/Filter is ONLY applied globally then both features will have no affect and a possible loop could form

Same goes for bpduguard/filter at an interface level, filter will take precedence and received bpdus are ignored ( possible loop) but if both applied at a global level ( with PF enabled either way) filter will negate sending bpdu and guard will err-disable upon a received bpdu

My summary of a edge host attachment  (various combinations)

bpduguard + portfast (any variation) = jumps into forwarding state- then blocks port (err-disable

portfast: (global or interface - no guard/filter) = jumps into forwarding state but if bpdus are received loses PF status

bpduguard: (no portfast)
global = goes through stp process = no blocking 
interface = listen state then blocks port (err-disable}

bpdufilter (no portfast)
global = goes through stp process  = no filtering occurs 
interface = goes through stp process = filtering occurs

bpdufilter (global) + portfast = jumps into forwarding state (no filtering occurs)
bpdufilter (interface) + portfast - jumps into forwarding state(filtering occurs)

bpduguard + bpdufilter (no portfast)
global = no filtering/blocking occurs 
interface = filtering occurs -no blocking of port

bpduguard + bpdufilter (portfast)
global = filtering/blocking occurs 
interface = filtering occurs -no blocking of port

Example:

In a situation PF isnt applied to a port, and either BPDUguard/Filter is ONLY applied globally then both features will have no affect and a possible loop could form

If Portfast isn't being used, but a STP variant is (correctly) being used, then how would a L2 loop be allowed to form?  The whole purpose of STP is to preclude a L2 loop.

Additionally, again with no PF, and either/both bpduguard/filter and a STP variant, either will create an impact, either shutting a port or blocking BPDUs, the latter possiblity allowing a L2 loop.

Of course is there's no active STP variant, Portfast, bpduguard/filter wouldn't have any effect.

Hello

---

@Joseph W. Doherty wrote:

f Portfast isn't being used, but a STP variant is (correctly) being used, then how would a L2 loop be allowed to form?  The whole purpose of STP is to preclude a L2 loop.

Of course is there's no active STP variant, Portfast, bpduguard/filter wouldn't have any effect.

---

I agree the whole purpose of stp alone in an ideal network is to negate a loop but even when its being correctly used but just because its suppose to do it, doesn't mean it will do it or should i say have chance to do it.

what if the switch(s) are not capable of processing stp at that particular time or the design of the network is that convergence of stp is slow, Enough to an extent a loop can be formed to cause a disruption?

---

@paul driver wrote:

I agree the whole purpose of stp alone in an ideal network is to negate a loop but even when its being correctly used but just because its suppose to do it, doesn't mean it will do it or should i say have chance to do it.

what if the switch(s) are not capable of processing stp at that particular time or the design of the network is that convergence of stp is slow, Enough to an extent a loop can be formed to cause a disruption?

---

@paul driver  , an excellent question, although using an "ideal network", using STP as intended, makes it much less likely for a L2 loop to be initially created, due to, a port coming on-line blocks all but BPDU traffic while it ascertains, whether it appears safe to unblock that port.

The risk of Portfast is, it immediately unblocks the port, without any dynamic analysis, whether it's safe to do so.

Big difference in approaches.

Standard STP, let's first hopefully determine if we're going to create a L2 loop before unblocking the port, vs. Portfast, let's possibly create a L2 loop first, hopefully we don't, and then, also hopefully, somehow, successfully close one we did create.

Admittedly, the standard STP analysis approach, can fail, and the STP recovery after the loop is inadvertently formed approach might succeed, but which would you suspect might have a better chance of not causing an issue?

As STP, in theory, can recover after inadvertent loop creation, in theory, for that purpose, alone, no need for BPDUGuard.

Or another way to say it, BPDUGuard, if used to break a loop that STP didn't, might be considered, what we used to call, a "belt and suspenders" solution.  In theory, if either the belt or suspenders fails, your pants don't fall down.  We now have failure redundancy.

However, if our belt was but a string, might it be more prone to failure?  If so, if using that as a belt, alone, probability failure likely increases but offset by using suspenders.

So, let's consider Portfast a string belt.

Is this making any sense?

BTW, I'm not against using BPDUGuard, or against redundancy, but there's cost to redundancy, and various odds of different kinds of failure.

For example, one chassis might have redundant sups, power supplies and line cards, but the chassis, itself, remains a single point of failure.  Chassis, though, generally, have a lower expectation of failure, than the active components.  However, we might go with a two chassis setup, for something like the core.  (In the latter, two chassis setup, one can then debate, should the two chassis have dual sups, dual line cards, dual power supplies.)

In one firm I worked at, they took redundancy very, very seriously, they even considered whether dual chassis should use totally different platforms, even perhaps different hardware vendors, hoping a bug on one wouldn't be on the other.  For our WAN connections, even using different WAN providers, we tried to avoid those different vendor links running down the same trench or to the same pop.

I sometimes point out, the famous Titanic sinking, many died from an insufficient number of life boats, but not due to drowning, as some often assume!  I believe, life jackets were available for everyone.  Hundreds (337) were later recovered, most floating about in their life jackets, but having died from the freezing water.

So, after the Titanic, ships now are required to have sufficient life boats for all aboard.  However, in the sinking of the Andrea Doria and Costa Concordia, both listed enough, half the life boats couldn't be used.

Oh, I'm not implying, ship life boats should be reduced, but even with redundancy, they might be suited for the more common failure probabilities rather than any possible failure.  (Or consider, if you've flown commercially, where was your parachute?)

Such I think is this case, I believe, with STP, Portfast, BPPDGuard.  Do your own analysis.  Figure out what appears best for you.

Lastly, networks I've designed and/or maintained, almost always used Portfast on edge ports.  But to mitigate L2 loop creation, we avoided having any STP intentional redundant L2 links; our redundancy was via L3, single logical device and/or Etherchannel.

Hi,

   @Joseph W. Doherty To make a joke which I know you'll not take it personally, If I live in Antarctica I for sure might not know or give a penny about suncream, as well as if I live in Vanuatu I've might never heard or cared about first layer clothing.

"For those using Portfast and BPDUGuard, have you, within the last few years, seen BPDUGuard disable any ports, especially on relatively current gen switches?"

Yes, if you take projects across the globe, you'll find cultures where the belief is that anything can be plugged into anything, or at least give it a try. So yes, I've seen enough, it's not about the platform, it's about the trigger showing up or not.

"Similarly, for those running Portfast without BPDUGuard, have you seen, again within the last few years, any L2 loops form, and did they self correct or did you need to manually intervene, especially on relatively recent gen switches?"

I'm mostly using both features, so not enough room for comment here. However, some 5-10 years ago, which is not that far way like the dinosaur era, I've had implementations where BDPUGuard was not desired, however PortFast was, accidental switches have been plugged and loops were self healed / corrected, as expected.

"If fact, on an edge port that's not using Portfast, BPDUGuard might still be a reasonable standard (although I'm unsure whether it would have a conflict with a STP port that's not logically also an edge port)."

In Cisco world, you can't have EDGE functionality without PortFast.

Thanks,

Cristian.