Portfast and BPDUGuard with RPVST?

Answered Question
Jun 17th, 2007

We'll be retiring the last of our 3500XLs next month and replacing them with 3560 and 3570s. Once complete, I would like to migrate from PVST and RPVST across the board in order to speed up convergence times.


The implementation seems pretty straightforward, but one thing I'm confused about is Portfast and BPDUGuard. Can I still use these features with RPVST? The documentation says that backbonefast and uplinkfast are obsolete in RPVST, but is iffy when it comes to portfast. We rely on them heavily for protection against a user dropping an unauthorized bridge into the network, and without them I'd have to look into doing port-security.

Correct Answer
Edison Ortiz Sun, 06/17/2007 - 10:27

If you want to shut down ports when a switch receives a BPDU, then you need to implement bpduguard in the global config or on a per-port basis.


If configured in the global config, make sure to disable it on ports where you have authorized switches.


As for portfast, I recommend enabling it on all ports along with bpdufilter. Bpdufilter will disable portfast when a bpdu is received on that port.


You can also throw port-security into the mix. Hubs and some low-end switches do not transmit bpdus....
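
An added example, not part of the thread or of Cisco's documentation: a small Python audit that reads a running-config and reports which ports BPDU guard actually protects, following the global versus per-port behaviour discussed in the answer above. The sample config is constructed, and treating only `switchport mode trunk` ports as authorized uplinks is a simplifying assumption.

```python
# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
interface FastEthernet0/1
 spanning-tree portfast
interface FastEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard disable
interface FastEthernet0/3
 switchport mode access
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree bpduguard disable
"""

def parse(config):
    """Split a config into global lines and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        elif line.strip() not in ("", "!"):
            current = None  # back at global level
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit(config):
    """Return {interface: 'guarded' | 'trunk-exempt' | 'UNGUARDED'}."""
    glob, interfaces = parse(config)
    pf_default = "spanning-tree portfast default" in glob
    guard_default = "spanning-tree portfast bpduguard default" in glob
    report = {}
    for name, lines in interfaces.items():
        # Assumption: only explicit trunks count as authorized uplinks.
        trunk = "switchport mode trunk" in lines
        portfast = ("spanning-tree portfast" in lines or
                    (pf_default and not trunk and
                     "spanning-tree portfast disable" not in lines))
        # Per-port enable always wins; per-port disable overrides the global
        # default; the global default only covers PortFast ports.
        guarded = ("spanning-tree bpduguard enable" in lines or
                   (guard_default and portfast and
                    "spanning-tree bpduguard disable" not in lines))
        report[name] = "guarded" if guarded else (
            "trunk-exempt" if trunk else "UNGUARDED")
    return report
```

In the sample, FastEthernet0/3 shows the case that is easy to miss: the global `bpduguard default` only covers ports where PortFast is operational, so an access port without PortFast is left unguarded.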



johnnylingo Mon, 06/18/2007 - 07:45

Thanks for the post. So I'm taking it that Portfast & BPDUGuard will continue to be supported with RPVST? The document says the following:


The Cisco implementation maintains that the PortFast keyword be used for edge port configuration. This makes the transition to RSTP simpler


But I was just wondering if this is accurate.


We plan to continue to use BPDUGuard, since all switches are managed by IT and are only plugged in to pre-defined ports.


You make a good point about using Port-security for hubs and other devices that don't transmit BPDUs. Thanks!

Edison Ortiz Mon, 06/18/2007 - 07:54

Yes, RPVST will support Portfast and BPDUGuard.


http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swstpopt.htm#wp1031116


"Optional Spanning-Tree Configuration Guidelines


You can configure PortFast, BPDU guard, BPDU filtering, EtherChannel guard, root guard, or loop guard if your switch is running PVST+, rapid PVST+, or MSTP.


You can configure the UplinkFast or the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+."


