400 101 CCIE Routing and Switching 93 Portfast BPDU Guard BPDU Filter

Captions
Advanced spanning-tree features. Here I'm going to talk about three in particular that I noticed a lot of my students and CCIE candidates are struggling with a great deal. These features are going to be PortFast, BPDU Guard and BPDU Filter. Now these three features, as I said, are something that a lot of students are struggling with a lot, and one of the contributing factors to the struggle with these features is somewhat imprecise documentation from Cisco about what these features do, and added to that is the interpretation of various people around the internet about that. So if you're going on all sorts of different blogs and social media sites to read about these three features, beware of what you read, because most of the articles that you will find are in one or many ways very, very wrong about that, including, unfortunately, a particular article written by yours truly. So I'm now giving you a warning: be careful about what you read about these three features, because the information out there on the internet may not be as correct as you hope, and when you are in the CCIE lab the grading proctors don't care what it says on the internet or in the documentation about these features; they care about what these features actually do. So this is what we are going to explore today, and with a little bit of luck I will be able to prove how these features actually behave, what their purpose is and how they actually work.

So let's attack the first one, PortFast. Now the usual understanding of this feature is that the interface that has PortFast enabled on it will skip the listening and learning phases of spanning tree. Now the important thing to know about this is: only when the interface comes up. So this does not apply if the interface was, for example, in the blocking state and has PortFast enabled on it; in that case the interface will actually have to go through the listening and learning phases, and I will explain why.

Now to explore this feature a little bit we need to understand that there are two ways of configuring this feature: one is global and the other way of configuring this feature would be per interface. Now in both cases these features are conditional on incoming BPDUs. What I mean by that is that if we enable PortFast on a particular port and on that port we actually receive a BPDU, any sort of BPDU, PortFast on that port will actually be disabled. Now when you take a look at the interface that is configured as such, it is going to appear as if PortFast is enabled on that port, because what you are going to be seeing is the actual configuration of the interface.

To illustrate that I'm going to start on... by the way, the ping we started a long, long time ago is still ongoing. So what I'm going to do now: I'm on Cat3 at the moment and we have this interface FastEthernet 0/24 which is now configured as a trunk. So what I'm going to do is, on both of my switches, in fact, I'm going to undo the changes that I did before, so I'm just going to say default interface FastEthernet 0/23 and default interface FastEthernet 0/24, and I'm just going to say that interface FastEthernet 0/23 is going to be shut down, and I'm going to make interface FastEthernet 0/24 switchport mode access, switchport access vlan 10. So I'm just going to make these switches configured as such, because I really don't want trunks right now, because I want to explore the behavior of PortFast just as it behaves on a single interface that is actually an access port. So now if I take a look at the configuration of the interface, this is how you would configure a normal access port. So let's go to FastEthernet 0/24; I'm going to shut this interface down and I'm going to say spanning-tree portfast. So when you enable spanning-tree portfast you are getting this warning message here that says that PortFast should only be enabled on ports connected to a single host, etc. So it kind of gives you a warning that you might be creating loops. Now as you will hopefully see real soon, this is a misplaced warning; there is actually no need for this warning to be in place.

So if we take a look at show interface FastEthernet 0/24, I see here that PortFast is enabled on it. So let's do the exact same configuration on FastEthernet 0/23; so here is FastEthernet 0/23 and I'm going to say spanning-tree portfast, and let me just do that on both switches at once, so this goes in and this goes in. So now we have two interfaces... actually there is maybe a more efficient way of doing that. So this is the configuration that I'm going to have on Cat4 and on Cat3. So if I do show spanning-tree, what I'm going to be seeing now is that in our VLAN 10, which is the only active VLAN right now because these are access ports, FastEthernet 0/23 on Cat3 is root forwarding and FastEthernet 0/24 is alternate blocking. Now we are using RSTP, so maybe these interfaces came up because of RSTP being faster; let's change that as well, even though it's unrelated, but I want to show you the default behavior: spanning-tree mode pvst. So I'm going to change the spanning-tree mode and let me just shut these interfaces down on Cat3; so I'm going to do no shutdown, and when the interfaces come up I'm going to do show spanning-tree. So there we go, the interfaces are up; doing show spanning-tree, take a look: FastEthernet 0/23 is immediately in forwarding and FastEthernet 0/24 is in the blocking state. Now you might remember from one of the previous examples, if I was to shut down FastEthernet 0/24 now, because we are running the traditional spanning tree, Per-VLAN Spanning Tree Plus, what will happen is that FastEthernet 0/23 would go from forwarding to learning... sorry, to listening and then learning phases. But now PortFast is enabled on that port, so what will happen if I actually go to FastEthernet 0/23 and I shut it down? If I do show spanning-tree, this is what happens: the port is actually going into the listening phase and it will go into learning. Now if I take a look at the interface, as I said, I see PortFast enabled, but this is the administrative state of PortFast, not the actual operational state of PortFast. If I run the command show spanning-tree interface FastEthernet 0/24 portfast, this will tell me what the actual operational PortFast state is on the port. So PortFast on this port was actually disabled. Why was it disabled? Well, if you remember the topology that we are dealing with here, we have switch 1 that is connected to switch 2, actually it was switch 3 and switch 4, but it doesn't matter, and this one here was configured to be the root, which means that the root is actually sending BPDUs. Now the fact that I have actually configured PortFast on these ports was effective when these ports were taken out of shutdown, so for a very brief instant, a moment in time, both of these ports were forwarding, but then the BPDUs were received and then these ports actually lost their PortFast status, so they are no longer PortFast ports. Why? Because the incoming BPDU removed that operational PortFast state. This is what I mean when I say they are conditional on incoming BPDUs.

But let me show you that brief moment in time when both of these interfaces are actually forwarding traffic. So what I'm going to do here, I'm going to say interface range FastEthernet 0/23 - 24, I'm going to shut them down, and I'm going to say do show spanning-tree vlan 10. So what I want to do is I want to have this command in the command history, because I will be running it very fast a couple of times. So I'm going to say no shutdown and immediately I'm going to start running this command, and there we go. Let me scroll back up. So when the interfaces initially came up, I can see here that both interfaces are actually designated and forwarding, so PortFast worked: the interface changed state from down to up and PortFast takes effect. Now if you take a look here, the next time I ran it, it was still the same status, and here at this point we can see that there were a couple of log messages: there was a brief loop, the MAC addresses flapped from one interface to the other. So for a brief period of time, yes, we do have a problem, but relatively quickly, in the worst case scenario two seconds if this is the BPDU hello time, for up to two seconds we are going to have that problem, but then take a look at what happened: port 24 immediately changed state to blocking and this one remains forwarding because it was supposed to be forwarding to begin with, and then the state continues normally.

Now this is why you get that warning about PortFast, that it can create temporary loops in your network, but my opinion of it is that it's rather misplaced, because you're going to get a very, very temporary loop. Now temporary loops could be a problem in your network, but in most environments this problem would not have been noticed by production traffic. Now another point that I want to illustrate is that on Cat4 PortFast was also configured, and this is yet another misconception that I see with many CCIE candidates: that when you enable PortFast on the port you are actually not sending BPDUs out of this port. That is not true. The BPDUs are actually going to be sent out of this port even if the port is PortFast. So the only thing that PortFast actually does is, when the port initially comes up, it will skip the listening and learning phases, but all other operations when it comes to spanning tree are still there: the BPDUs will be sent, and the BPDUs, if received, will be processed, except that the incoming BPDU will actually reset the PortFast state; the port that receives the BPDU will no longer be a PortFast port.

Now going back to the configuration, there are two ways of configuring it. The global one is when in the global configuration mode we say spanning-tree portfast default. Now this... yeah, let me just do this a little bit better, so spanning-tree portfast default. This will enable PortFast on all operational access ports, so all ports that are in operational access mode will be enabled for PortFast. This includes ports that have been statically configured for access with switchport mode access, and all dynamic ports that have actually failed to negotiate a trunk. So if you have dynamic ports and they fail to negotiate a trunk, when you configure this command you are actually going to be enabling PortFast on those. Now when you're configuring per-interface PortFast, the command is interface X and then spanning-tree portfast. Now there is an optional trunk keyword that you can configure there. If you do not configure it, PortFast will be active on operational access ports; if you configure trunk, it will include trunks as well. Now what I mean by this is, let's say that you had a port that was configured for PortFast, so you had interface FastEthernet 0/1 and you had spanning-tree portfast trunk configured, and you say here switchport mode access. Now this port will be PortFast because you configured spanning-tree portfast, but this trunk keyword here says: even if this port is a trunk, be PortFast on it. What you cannot do is tell this interface "be PortFast only if you're a trunk, but if you're not a trunk, don't be PortFast"; this is impossible to do. So the only thing that you can actually do is tell the port to be PortFast even if it is a trunk. So if we had a configuration that looked something like interface FastEthernet 0/2, and we had spanning-tree portfast configured, and we had switchport trunk encapsulation dot1q and switchport mode trunk, so let's say here that this one will be PortFast but this one here will not be PortFast, because spanning-tree portfast here does not include trunks. So if you want this interface FastEthernet 0/2... let's do a third example here: if I had interface FastEthernet 0/3 and I had spanning-tree portfast trunk, and I had switchport trunk encapsulation dot1q and switchport mode trunk, this would actually be PortFast, because I am including the trunk keyword here and the interface is a trunk or an access port. So this one here is not a valid configuration if you want to have PortFast, but these two are actually both acceptable solutions to make these interfaces PortFast.

Now I should point out that PortFast is a Cisco proprietary feature that Cisco implemented to work around a specific problem originally noticed with Windows 98. Now Windows 98, very, very relevant for 2013, I'll give you that, but when Windows 98 was booting, during the boot process it would send the DHCP request a couple of times, but then it would never ever resend those DHCP requests if there were no replies received. Now this was a problem if spanning tree on the port was going through the listening and learning phases, because this port would actually be dropping those DHCP requests coming from the PC. So Cisco needed to find a way to work around this limitation in Windows 98, so they came up with this PortFast feature. But the PortFast feature was actually received so well by the networking community that it got standardized with Rapid Spanning Tree, where it's called the edge port functionality. Now the edge port functionality in Rapid Spanning Tree brings a couple more behavioral changes. One thing is that when we have a port that is declared to be an edge port, any change on that port does not cause the switch to send a topology change notification BPDU, which would cause other switches to lower the aging timers on their MAC address tables, because it is considered to be just that, an edge port. Now for Cisco to maintain backwards compatibility with all the configurations that were implemented, when you are running Rapid Spanning Tree and you are actually typing out the command spanning-tree portfast, what you are actually doing is not configuring the Cisco-specific PortFast feature; you are actually configuring the standardized edge port feature. So Cisco kept the same command line, but it's two very related, almost identical features, except that one is standardized behavior and the other one is Cisco-specific, when you are running non-rapid spanning tree.

So this is PortFast. Now one of the most important things that I would like you to take away from this is that there is this concept, where did I put it, there is this concept here of the operational PortFast state. Now this is very different from what is actually configured on the interface; this is how the interface actually behaves right now. And this idea of an operational PortFast state is very, very important for one reason only: there are other features on Cisco switches that actually depend on the operational PortFast state of the port, not on the administratively configured state on the port, but instead on the actual operational PortFast state.

Now one of those features is BPDU Guard. BPDU Guard is a relatively easy feature to explain: any received BPDU will cause the port to be error-disabled. So this is what BPDU Guard does: when you enable BPDU Guard on a certain port, basically any incoming BPDU will cause this port to go into the err-disabled state. Just like with PortFast, there are two ways of configuring this feature: one is global and the other one is per interface. Let me first explain the per-interface configuration; it's very, very simple. You're going to say interface X, spanning-tree bpduguard enable. Now what this feature does is unconditionally enable BPDU Guard on that interface. Now what I mean by unconditional is: this feature, when enabled on a per-interface basis, is not dependent on the PortFast state; basically on that interface, if we receive a BPDU, that's it, bam, the port will go err-disabled. Let me show that. So I'm going to go to Cat3 here and I'm going to set interface FastEthernet 0/23 spanning-tree bpduguard enable, done. So what's going to happen now: immediately when the BPDU was received, this port here became err-disabled, right? So there was no delay, there was nothing, and if I do show interface FastEthernet 0/23, what I'm going to see here is that the port is actually err-disabled. I hope this makes sense. Let me remove this feature from the interface, and to recover from the err-disabled state, by default I actually need to shut the interface down and bring it out of shutdown. So there it is, the interface is back up, and there it is connected and FastEthernet 0/24 is also connected, so I'm all good there.

Now let's take a look at the globally configured BPDU Guard. The configuration for that is, in the global configuration mode, spanning-tree portfast bpduguard default. Now what this does is enable BPDU Guard on all operational PortFast ports; again, emphasis on operational PortFast ports. Now it doesn't matter whether they are trunks or access ports, or how they became PortFast: were they PortFast as the result of the global configuration using spanning-tree portfast default, or are they PortFast ports because it was enabled per interface? No matter how the interface actually became PortFast, if it is PortFast and you have this command configured, the interface will actually have guard enabled on it. So let me show you one more thing. So here I have my Cat3 and Cat4; so this is the interface FastEthernet 0/23 and FastEthernet 0/24, and as we can see I have PortFast enabled on both of them. So I'm going to go into global configuration mode and I'm going to say spanning-tree portfast bpduguard default. So when I enter this command I should be seeing both of those interfaces going into err-disabled, but I'm not actually seeing that. I'm not seeing that because none of those interfaces are in the operational PortFast state; they actually are disabled for PortFast. So if I enable this command right now on ports 23 and 24 it will have absolutely no effect. But let's say that I go to interface FastEthernet 0/23 and I shut it down. Now when I shut it down, the operational PortFast state is cleared, and when I do no shutdown, when the port initially comes up it will actually be operational PortFast. Now when this port comes up it will receive a BPDU from the other side, but because at this point in time it was actually operational PortFast, the incoming BPDU will actually reset the state on this port. So there we go: we can see it will actually not reset the state, but it will err-disable the port. So take a look, the guard here did have an effect. Now FastEthernet 0/24 is still unaffected by it because PortFast is operationally disabled on that port. So if I do show interface FastEthernet 0/23 I will see that now BPDU Guard kicked in, and this is what I mean when I say this is actually dependent on the operational PortFast state: it says enable BPDU Guard on all operational PortFast ports. But again, a thing to note: FastEthernet 0/23 became PortFast not as the result of the global configuration; it became PortFast as the result of the per-port configuration. So it doesn't matter how this port became PortFast; the global configuration did take effect on it because it was an operational PortFast port. And yet again FastEthernet 0/24 is at the moment unaffected by that configuration, because we configured it after PortFast, the operational PortFast, was actually turned off on that port.

The next thing that I'm going to talk about... if you thought that BPDU Guard is a little bit unknown or maybe a little bit complicated, what comes up next is downright bizarre. So the next thing that I'm going to talk about is BPDU Filter. Now BPDU Filter is a very, very unfortunate thing. It's an unfortunate thing because there are actually two very unrelated features in IOS that carry the same name. Now one feature is when you enable BPDU Filter as the result of the global configuration, and the other one is when you enable it per port. Now I'm going to talk about the per-port one first, because that one is much, much easier to explain and much, much easier to actually understand. The configuration there is on the interface, so interface X, we are going to say spanning-tree bpduguard... BPDU filtering, sorry, spanning-tree bpdufilter enable. Now what this command does is unconditionally filter all incoming and all outgoing BPDUs before they are seen by any other feature. This is the equivalent of turning off spanning tree on that port. So this port will not send a single BPDU out, and all incoming BPDUs will be dropped before they are seen by any other feature, and by "any other feature" what I actually mean is PortFast or guard. So if I configure BPDU Filter on the port, no BPDUs will be sent or received on that port.

So let me demonstrate that in action. So I'm going to go to my Cat3 and Cat4 here and I'll start with Cat3. On interface range FastEthernet 0/23 - 24 I'm going to shut them down. Now remember that on this port what I have configured is PortFast per port, and I also have guard configured globally, okay? So when this port comes up, if I receive a BPDU on this port, the guard will kick in just like it did in the previous example, but now on the port I'm going to enable BPDU Filter. So this is the configuration of my port 23 and my port 24. So I'm going to do no shutdown here and my port should come up and stay up. Well, I do get my flap notification; take a look at this, FastEthernet 0/23 and 24 are both designated forwarding, "this bridge is the root", so Cat3 now thinks it's the root. Now we have Cat4 configured as the root, but Cat3 cannot see this because we have effectively turned off spanning tree between them. Now you remember that warning message that you get when you type in spanning-tree portfast on the port, and that warning message says "oh by the way, this can create loops"? That's a completely misplaced warning. Here, when I type spanning-tree bpdufilter on the interface, which actually is the dangerous one, I'm getting zero warning. But let me take a look at one thing, so bear with me for one second here. So what I'm going to do is I'm just going to change the load interval to 30, just to see statistics not on a five-minute basis but on a 30-second basis. So I'm going to say show interface FastEthernet 0/23; take a look at the traffic on my network. Now this interface has been up for about, what, one minute maybe, and we are already seeing 12 megabits per second, and now if I take a look again we are at 29 megabits, and if I take a look at the configuration now we are at 31 megs, etc. And by the way, there is no traffic on my network. What is looping now are the spanning-tree BPDU frames, the CDP frames, maybe an ARP coming from Cat3 or Cat4 because I do have those SVIs there. There is no traffic on my network so to speak, there is no production traffic, and I have a bridging loop in place. Now if I leave this for 5 or 10 minutes I'm going to hit a hundred megs and my network will start experiencing serious, serious issues. So this is the situation that spanning tree is designed to prevent, but now I have effectively turned it off, so on Cat3 there is no spanning tree. Now on Cat4, if I do show spanning-tree here in VLAN 10, I have the exact same situation: FastEthernet 0/23 and 24 are both designated forwarding because Cat4 thinks it's the root. So I have completely cut off spanning tree between these two. So this is what spanning-tree bpdufilter does on an interface: it effectively turns off spanning-tree operations on that interface. Not all of them, because if I remove PortFast from the interface, so if I say FastEthernet 0/23 here, and let me do the same thing on FastEthernet 0/23 and 24, so I'm going to shut them down now and I'm going to remove PortFast, okay, so this is now the configuration on my two interfaces, so PortFast is now gone from the picture, and if I do no shutdown, show spanning-tree vlan 10, take a look at this: now the ports are going to go through the listening phase and the learning phase, but this will not change the fact that this bridge will remain the root and that these two ports will eventually move into the forwarding state. So we can see that they go into learning and they will go to forwarding, so I'm just delaying the formation of the loop now. So PortFast is not the culprit here; it is BPDU Filter that is actually causing the problem. And there we go, now we have converged to the exact same situation that we had before with PortFast, and we can see that the BPDU Filter that is configured on the interface is not actually conditional on the PortFast state of the interface; it's a completely unconditional thing.

Now let's take a look at what BPDU Filter does when it's configured globally. So the command line for configuring the global BPDU Filter is spanning-tree portfast bpdufilter enable... oh, I'm sorry, not enable, default, apologies about that. Now when you configure this in the global configuration, outgoing... or actually let me start with the incoming; incoming BPDUs actually... mmm, let's start over. This is conditional: it enables, I'm going to call it, the global BPDU Filter on all operational PortFast ports. Just like with BPDU Guard in the previous example, it doesn't matter how the port became PortFast; if it's PortFast, no matter what, this feature will actually be enabled on it. But I'm calling it the global BPDU Filter here because, as you will see, the behavior is somewhat different from this one here. So it enables the global BPDU Filter on all operational PortFast ports. What it does is: outgoing... or actually, incoming BPDUs are not filtered, which means that incoming BPDUs will not be blocked by this feature; most, but not all, outgoing BPDUs are filtered. Let me demonstrate this feature. So to do this I'm going to go back to my terminal, and just to check on the state here, yeah, we are now at 22 megs, so let me stop the loop. So I'm just going to shut one of these interfaces down, because it is actually slowing down my switches a little bit; they are fairly busy, you can see that this is maybe not a lot of bandwidth, but 43,000 packets is a considerable amount of bandwidth. So what I'm going to focus on is port number three. Now port number three is the port that you might remember from one of the previous examples that was configured for monitoring, so I'm going to remove that stuff, and all I want to do is have port FastEthernet 0/3 up and running, because this is what is connected to my Wireshark capture. So let me go to my Wireshark here, and what I'm going to do is... I'm actually not going to restart the capture, but I do have the filter that is capturing only the spanning-tree frames. So going back to my terminal, I'm going to configure interface FastEthernet 0/3; let me shut it down, I'm going to say that it is switchport mode access, switchport access vlan 10, and I'm going to say that it is spanning-tree... actually I'm not going to do that; I'm going to configure it through the global spanning-tree portfast default, so all operational access ports will now be PortFast by default, and I'm going to say spanning-tree portfast bpdufilter default, so now all operational access ports will have the global BPDU Filter enabled by default. And I'm going to go to interface FastEthernet 0/3 and I'm going to shut it down. So going back to my Wireshark, I'm going to restart the capture here, which will do really nothing, okay, which will do really nothing because I don't have any traffic going in there. So going back to my terminal I'm going to say no shutdown, and let's go back to my Wireshark. So here is the BPDU, and as you will see, and as I said, this is truly bizarre behavior. So there we are, this is the fifth, sixth, seventh, eighth, ninth, tenth, eleventh, and that's it; I'm not going to receive any more BPDUs now. So when the port came up, eleven BPDUs were sent out of this interface; after these eleven are sent out, no more BPDUs will be sent. Now what's the catch here? Well, the catch here is that when configured globally, BPDU Filter is going to filter, mostly, outgoing BPDUs after it has determined that there is no switch connected on the other side. Now what is this code doing here? It looks weird, but it actually isn't that bad of an idea.

Now imagine that you had two switches, just like we have, so switch 1 and switch 2 here, and that we had multiple links connected, and for whatever reason these were all access ports and they were all enabled globally for PortFast and you had the global BPDU Filter enabled. Now if you connect this as it is, what we're going to end up having is a loop just like the one we had before. But when we are using the global PortFast, what's actually going to happen is this switch here, if these are ports that are PortFast as they are and are enabled for the global BPDU Filter, is actually going to send a BPDU here. Now when this port here receives this BPDU, it will reset the PortFast state on it, and with it reset the configured global filter, which means that a similar thing might happen in return: the BPDU from this side is actually going to reset the state on our end, which means that we can converge our network into a loop-free environment. So Cisco is trying to kind of idiot-proof the network, to prevent us from inadvertently creating loops by using the global BPDU Filter, because BPDU Filter is such a dangerous thing to have. Now when you configure it per interface, as you've seen, it's unconditional; in that case Cisco says, okay, you'd better know what you're doing, because this turns off spanning tree. In fact, this is what they should say when you enter that command, but they don't; they warn you about PortFast, which is not even close to being dangerous in comparison to BPDU Filter. So this is what the global BPDU Filter does, and this is what the per-port BPDU Filter does.

Now the reason why I'm telling you this in such great detail is that you could go into the lab and the tasks in the lab could say: configure all interfaces facing routers as access ports in the appropriate VLANs, make sure that they immediately come up when you configure them, and make sure that you are not sending any BPDUs out of these ports. So you might be thinking, okay, I have to configure 10 ports, they are all access ports, so I'm just going to make them globally PortFast, and don't send any BPDUs, yeah, I'm just going to enable BPDU Filter globally to prevent BPDUs from being sent. How does that work? Because look, we are going to be sending eleven BPDUs out of each and every one of these ports; you just failed that task. So what you need to do here is: you can configure all of them as access ports, because this is what the task says; you can configure them as global PortFast, that's perfectly legit; but then you have to go on every interface and enable BPDU Filter on those interfaces, because if you don't do that you will be sending some BPDUs, right? Or an alternate task could be: configure all interfaces facing routers as access ports, make sure that you are putting them in the appropriate VLANs, make sure that they start forwarding traffic immediately when the interfaces come up, and send enough BPDUs to detect if a switch is connected on the other side. Now what they are telling you there is to actually use the global PortFast, sorry, the global BPDU Filter, because with the global BPDU Filter you will actually be sending some BPDUs to detect the switch on the other side, and if you detect the switch you are going to continue operating spanning tree normally and not create a loop in your network. This is very, very important to understand.

One thing that I want to explain is the order of operations when you have PortFast, BPDU Guard and BPDU Filter configured on the port at the same time. So let's say that this here is the port, and that we have an incoming BPDU on that port. Oops, what am I doing here, so BPDU, okay. So let's say that we are dealing with BPDU Filter local, that means per port. So the first feature that sits on this port will be BPDU Filter; the next feature that sits right behind BPDU Filter will be BPDU Guard, and then we have PortFast here, which means that the incoming BPDU will actually hit the filter and this frame will be dropped before the guard is encountered. Which means that if you had a configuration like this, so interface X, spanning-tree bpdufilter enable and spanning-tree bpduguard enable and spanning-tree portfast, this here is completely meaningless, because you will never ever hit the guard in this case, because BPDU Filter will get rid of this traffic before it is actually seen by the guard. Now imagine that there was no BPDU Filter here: the guard will be hit before the BPDU Filter, before PortFast is actually encountered. But let's take a look at another example, and in this case here, let me just clear this page. So in this case here let's say that we are dealing with PortFast... sorry, with BPDU Filter that is configured not locally, but instead it was actually configured as part of the global configuration; this is going to be the global case. Now in that case the order of operations is slightly different: the first feature that we are going to encounter here is going to be BPDU Guard, just below BPDU Guard is where we have PortFast sitting, and BPDU Filter is actually the last feature that will be encountered. That means that the incoming BPDU here will first hit the guard if it's configured, and then it will reset PortFast, but with PortFast, because there is this relationship between these two, the filter will actually be gone from the interface as well if it was configured as the global one. So this is the order of operations if you have these multiple spanning-tree features configured on the interface at the same time. So this is again yet another thing that is important to understand, because at least one of these combinations makes no sense: if you have this configured on your interfaces, it makes no sense, because the guard will never ever be active on this port, as we have seen in our example, I believe.
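As an added illustration (not part of the video or its lab), the script below encodes the rules the transcript states into a small static audit of an IOS running-config: which ports will be operationally PortFast when they come up, whether BPDU Guard and BPDU Filter apply to them per interface or only through the global `default` commands, what an incoming BPDU does in the order the video describes (per-interface filter first, then guard, then PortFast, with the global filter last), and the configuration smells the video calls out (per-interface `bpdufilter enable` turning spanning tree off, `bpduguard enable` being meaningless behind it, and `spanning-tree portfast` without `trunk` doing nothing on a trunk). The config text, interface names and the `audit`/`edge_state`/`on_bpdu` helpers are all constructed for this example; the `disable` keyword forms are standard IOS but do not appear in the video; dynamic ports are assumed to have ended up as access ports, which is the case the video describes.

```python
"""Static audit of Cisco IOS PortFast / BPDU Guard / BPDU Filter settings.

Added example, not from the video: it encodes the rules the transcript states
(operational PortFast, per-interface vs global guard/filter, and the order in
which an incoming BPDU meets the three features).  Config text is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed running-config fragment (hypothetical switch, not the video's Cat3/Cat4).
SAMPLE_CONFIG = """\
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast trunk
!
"""

@dataclass
class Port:
    name: str
    mode: str = "access"              # assumption: dynamic ports that fail to trunk end up access
    portfast: Optional[str] = None    # None | "portfast" | "portfast trunk" | "disable"
    guard: Optional[str] = None       # None | "enable" | "disable"
    filt: Optional[str] = None        # None | "enable" | "disable"

def parse_config(text: str):
    """Split a config into the set of global spanning-tree lines and per-port settings."""
    glob: Set[str] = set()
    ports: Dict[str, Port] = {}
    cur: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):               # top-level (global) command
            cur = None
            m = re.match(r"interface (\S+)$", line)
            if m:
                cur = ports.setdefault(m.group(1), Port(m.group(1)))
            elif line.startswith("spanning-tree"):
                glob.add(line)
            continue
        if cur is None:
            continue
        if line == "switchport mode trunk":
            cur.mode = "trunk"
        elif line == "switchport mode access":
            cur.mode = "access"
        elif line in ("spanning-tree portfast", "spanning-tree portfast trunk"):
            cur.portfast = line.split(" ", 1)[1]
        elif line == "spanning-tree portfast disable":
            cur.portfast = "disable"
        elif (m := re.match(r"spanning-tree bpduguard (enable|disable)$", line)):
            cur.guard = m.group(1)
        elif (m := re.match(r"spanning-tree bpdufilter (enable|disable)$", line)):
            cur.filt = m.group(1)
    return glob, ports

def edge_state(glob: Set[str], p: Port) -> dict:
    """Feature state the port is in the moment it comes up, before any BPDU arrives."""
    if p.portfast == "portfast trunk":
        portfast = True                            # 'trunk' keyword: access or trunk
    elif p.portfast == "portfast":
        portfast = p.mode == "access"              # no 'trunk' keyword: no effect on a trunk
    elif p.portfast == "disable":
        portfast = False
    else:
        portfast = p.mode == "access" and "spanning-tree portfast default" in glob
    if p.guard == "enable":
        guard = "per-interface"                    # unconditional
    elif p.guard != "disable" and portfast and "spanning-tree portfast bpduguard default" in glob:
        guard = "global"                           # only on operational-PortFast ports
    else:
        guard = None
    if p.filt == "enable":
        filt = "per-interface"                     # unconditional: drops all in/out BPDUs
    elif p.filt != "disable" and portfast and "spanning-tree portfast bpdufilter default" in glob:
        filt = "global"                            # conditional on operational PortFast
    else:
        filt = None
    return {"portfast": portfast, "guard": guard, "filter": filt}

def on_bpdu(state: dict) -> str:
    """What one incoming BPDU does, in the order of operations the video describes."""
    if state["filter"] == "per-interface":
        return "dropped by bpdufilter; bpduguard and portfast never see it"
    if state["guard"]:
        return "port err-disabled by bpduguard"
    if state["portfast"]:
        out = "operational portfast reset"
        if state["filter"] == "global":
            out += "; global bpdufilter no longer applies"
        return out
    return "processed as a normal STP BPDU"

def audit(text: str) -> Dict[str, dict]:
    glob, ports = parse_config(text)
    report = {}
    for name, p in ports.items():
        st = edge_state(glob, p)
        findings: List[str] = []
        if st["filter"] == "per-interface":
            findings.append("HIGH: per-interface bpdufilter sends and accepts no BPDUs; STP is effectively off")
            if p.guard == "enable":
                findings.append("bpduguard enable is meaningless here: the filter drops BPDUs before the guard")
        if st["filter"] == "global":
            findings.append("global bpdufilter still sends a burst of BPDUs at link-up, then filters outgoing only")
        if p.portfast == "portfast" and p.mode == "trunk":
            findings.append("spanning-tree portfast without 'trunk' keyword has no effect on a trunk")
        report[name] = {**st, "on_bpdu": on_bpdu(st), "findings": findings}
    return report

if __name__ == "__main__":
    for name, row in audit(SAMPLE_CONFIG).items():
        print(name, row)
```

Run it against a saved `show running-config` to get, per port, the state the video calls "operational PortFast" at link-up and the consequence of the first BPDU; the `findings` list is where a reviewer would start, since a port flagged HIGH is exactly the "spanning tree turned off" case the bridging-loop demo shows.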
Info
Channel: Networking Lessons
Views: 1,041
Keywords: configrouter.com, Cisco, Cisco Networking Videos, Cisco Networking
Id: BluMyjuCpGs
Length: 46min 18sec (2778 seconds)
Published: Thu Oct 12 2017