Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4876
Views
10
Helpful
5
Replies

Layer 2 Loop + portfast enabled with spanning-tree portfast edge bpduguard default

Go to solution
Steph1963
Level 1
Level 1

‎07-29-2011 07:48 PM - edited ‎03-07-2019 01:28 AM

Hi to all,

1) Layer 2 loop

I am presently studying for my SWITCH exam and the book is talking about layer 2 loops withtout really giving some details about  it.

Just like to know if packets will start to loop on the following network when the Host A or Host B start to send packet with MAC destination address that are unknown to the switches MAC addres tables or when either Host A or B sends packet to the layer 2 broadcast address (ex. ARP packet). Can I assume that the layer 2 packet will not loop if their destination address is known by the layer 2 switches.

untitle.JPG

2) BPDU guard

I would like to know if the global command spanning-tree portfast edge bpduguard default enables portfast by default on all non-trunking interfaces (interface not configured as switchport mode trunk). In other words does the following command

Switch (config)#  spanning-tree portfast edge bpduguard default

is equivalant to

Switch (config)# spanning-tree portfast default

Switch (config)# spanning-tree portfast edge bpduguard default

Thanks for your help

Stephane

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎07-30-2011 02:23 AM

Hello Stephane,

To your question 1)

I am somewhat confused by the picture you have included - you are talking about switches, yet the topology as depicted in your exhibit contains routers.

If the topology consisted of routers then by definition, routers would neither forward nor flood link-layer broadcasts so no loops would occur.

If the network consisted of switches without STP running, there is indeed a possibility of a frame looping. A frame would certainly loop if its destination MAC address is unknown to switches, or if its destination MAC is a broadcast/multicast address. The reason is that all such frames are flooded through all ports except the incoming port, and would eventually reach the same switch they originally came from.

If the switching tables were already correctly populated with correct MAC addresses and outgoing ports (i.e. knowing all connected stations and pointing towards loop-free shortest paths), loops would not occur because the frame would be forwarded through a single port only, presumably on the shortest switched path towards the recipient. However, as soon as a frame towards a new so-far-unknown destination or multicast/broadcast address was received, it would again get stuck in a loop. In a switched topology where no Layer2 loop protection is activated, the apparent loop-free operation is a very volatile and unstable state.

To your question 2)

I am afraid there is no command of the form spanning-tree portfast edge bpduguard default - the "edge" keyword here is superfluous. The correct syntax should be simply spanning-tree portfast bpduguard default

In any case, the command spanning-tree portfast bpduguard default does not activate PortFast on all non-trunking interfaces. It simply activates the BPDUGuard feature on those ports which are already PortFast-enabled. How the ports came into the PortFast mode is not relevant to the command.

Writing simply spanning-tree portfast bpduguard default without using the spanning-tree portfast default would therefore enable the BPDUGuard only on those interfaces which have explicitly been configured using the spanning-tree portfast command in their interface configuration mode (note that this command has no effect on trunking interfaces, and hence the BPDUGuard would also not be activated on them as a result).

Writing both spanning-tree portfast bpduguard default and spanning-tree portfast default would make all non-trunking ports implicitly behave as PortFast ports, and exactly those ports would then be protected by the BPDUGuard feature. No spanning-tree portfast interface-level command would be necessary here.

Please feel welcome to ask further.

Best regards,

Peter

View solution in original post

5 Replies 5

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎07-30-2011 02:23 AM

Hello Stephane,

To your question 1)

I am somewhat confused by the picture you have included - you are talking about switches, yet the topology as depicted in your exhibit contains routers.

If the topology consisted of routers then by definition, routers would neither forward nor flood link-layer broadcasts so no loops would occur.

If the network consisted of switches without STP running, there is indeed a possibility of a frame looping. A frame would certainly loop if its destination MAC address is unknown to switches, or if its destination MAC is a broadcast/multicast address. The reason is that all such frames are flooded through all ports except the incoming port, and would eventually reach the same switch they originally came from.

If the switching tables were already correctly populated with correct MAC addresses and outgoing ports (i.e. knowing all connected stations and pointing towards loop-free shortest paths), loops would not occur because the frame would be forwarded through a single port only, presumably on the shortest switched path towards the recipient. However, as soon as a frame towards a new so-far-unknown destination or multicast/broadcast address was received, it would again get stuck in a loop. In a switched topology where no Layer2 loop protection is activated, the apparent loop-free operation is a very volatile and unstable state.

To your question 2)

I am afraid there is no command of the form spanning-tree portfast edge bpduguard default - the "edge" keyword here is superfluous. The correct syntax should be simply spanning-tree portfast bpduguard default

In any case, the command spanning-tree portfast bpduguard default does not activate PortFast on all non-trunking interfaces. It simply activates the BPDUGuard feature on those ports which are already PortFast-enabled. How the ports came into the PortFast mode is not relevant to the command.

Writing simply spanning-tree portfast bpduguard default without using the spanning-tree portfast default would therefore enable the BPDUGuard only on those interfaces which have explicitly been configured using the spanning-tree portfast command in their interface configuration mode (note that this command has no effect on trunking interfaces, and hence the BPDUGuard would also not be activated on them as a result).

Writing both spanning-tree portfast bpduguard default and spanning-tree portfast default would make all non-trunking ports implicitly behave as PortFast ports, and exactly those ports would then be protected by the BPDUGuard feature. No spanning-tree portfast interface-level command would be necessary here.

Please feel welcome to ask further.

Best regards,

Peter

Go to solution
Steph1963
Level 1
Level 1
In response to Peter Paluch

‎08-02-2011 01:20 PM

Hi Peter,

Thanks for another great explanation

Stephane

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to Steph1963

‎08-02-2011 01:29 PM

Stephane,

Thank you for your kind words. It has been, and always will be, a pleasure.

Best regards,

Peter

0 Helpful

Go to solution
joelvanpraag
Level 1
Level 1
In response to Peter Paluch

‎11-29-2012 06:54 AM

Hi Peter,

I am afraid your answer to question 2 is incorrect. The command:

spanning-tree portfast edge bpduguard default

is supported on 6500.

See:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/stp_enha.html

Kind regards, Joel van Praag

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to joelvanpraag

‎11-29-2012 10:42 AM

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

joelvanpraag wrote:
Hi Peter,
I am afraid your answer to question 2 is incorrect. The command:
spanning-tree portfast edge bpduguard default
is supported on 6500.
See:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/stp_enha.html
Kind regards, Joel van Praag

True in the later IOS versions.  Those that support the "edge" keyword, I believe, will accept (and convert) prior syntax.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card