Portfast and bpduguard applications

Source: Internet
Author: User

PortFast speeds up how quickly end hosts join the STP network.
It applies only to switch ports that connect to a host (computer); it should not be used on ports that connect to network devices such as another switch, a router, or a hub.
Setting PortFast on a port stops the port from waiting on the STP algorithm's state transitions.
In STP, a port has five states: disabled, blocking, listening, learning, and forwarding.
A port can send user data only in the forwarding state. If a port has no PC attached at first, then once a PC is connected the port goes through blocking -> listening -> learning -> forwarding. Each state change takes time; there are three phases in total, and with the default configuration they take 50 seconds. So it takes 50 seconds from plugging in the PC's network cable until user data can be sent. If PortFast is set, there is no need to wait those 50 seconds.
 
PortFast can be used only at the access layer; that is, only when the switch port is connected to a host. If the port is connected to another switch, PortFast must not be enabled, otherwise a new loop will occur.
PortFast is usually enabled because of application requirements. Cisco recommends setting PortFast on ports that qualify.
 
PS:
 
After a switch port is set to spanning-tree portfast, a loop may occur if the port is connected to another switch or hub. With spanning-tree bpduguard enable added, the port enters the errdisable state as soon as it receives a BPDU, which avoids the loop.
The BPDU Guard function sets a port to Error-Disabled immediately when it receives any BPDU.
When STP is enabled on a switch, all ports participate in STP by default and send and accept BPDUs. If a self-loop exists below this port, the BPDU it sends is received back on the same port after being looped through the small switch; at that point BPDU Guard immediately sets the port to Error-Disabled. The port is effectively shut down and forwards no data, which cuts the loop and protects the entire network.
PortFast and BPDU Guard configuration:
Switch(config)# interface range f0/1-5
Switch(config-if-range)# spanning-tree portfast
Switch(config-if-range)# spanning-tree bpduguard enable
BPDU Guard puts a PortFast port into the err-disable state when it receives a BPDU, to avoid bridging loops. It can be configured globally or per interface (it is disabled by default), and the errdisable recovery cause bpduguard command enables automatic port recovery.
Unlike BPDU Guard, BPDU Filter behaves differently depending on whether it is configured in global or interface mode. When it is enabled in interface mode on a PortFast port, the switch sends no BPDUs on that port and discards all BPDUs it receives. When it is enabled in global mode, a port that receives any BPDU drops its PortFast status and the BPDU filtering feature and changes back to normal STP operation. The BPDU Filter feature is disabled by default.
When both bpduguard and bpdufilter are enabled, bpdufilter takes priority and bpduguard has no effect.
Loop Guard is mainly used to keep a blocked port from being mistakenly moved to the forwarding state, which would create a bridging loop. When the switch stops receiving BPDUs on a non-designated port that has the loopguard feature enabled, it places the port in the STP "inconsistentports" blocking state. When the inconsistent port receives BPDUs again, it automatically transitions to the appropriate STP state based on those BPDUs. Run the sh spanning-tree inconsistentports command to view the inconsistent port status. The loopguard feature is enabled by default.
BPDU GUARD
BPDU Guard sets a port to Error-Disabled immediately when it receives any BPDU. When STP is enabled on a switch, all ports take part in STP by default and send and accept BPDUs. With BPDU Guard enabled, a downstream port normally receives no BPDUs at all, because neither PCs nor unmanaged switches support STP, so they do not send or receive BPDUs. If a self-loop exists below this port, the BPDU sent by the port is received back on the same port after being looped through the unmanaged switch; at that point BPDU Guard immediately sets the port to Error-Disabled. The port is effectively shut down and forwards no data, which cuts the loop and protects the entire network.
The BPDU Guard feature can be enabled globally or per interface. The two methods are slightly different.
 
 
When a port with PortFast enabled receives a BPDU, BPDU Guard shuts the port down and places it in the err-disable state; in this case, you must manually restore the port to normal.
 
Configure BPDU Guard:
Switch(config)# spanning-tree portfast bpduguard default    /--- enable BPDU Guard on ports with the PortFast feature enabled ---/
Switch(config-if)# spanning-tree bpduguard enable    /--- enable BPDU Guard without enabling the PortFast feature ---/
 
BPDU Filtering
This feature is very similar to BPDU Guard. BPDU Filtering prevents the switch from sending BPDUs to the host on a port with PortFast enabled.

If BPDU Filtering is configured globally, then when a PortFast port receives a BPDU, the switch disables PortFast and BPDU Filtering on that port and returns it to normal STP operation.
If BPDU Filtering is enabled on an individual PortFast port, that port sends no BPDUs and ignores all BPDUs it receives.

NOTE: If BPDU Filtering is configured on a port that connects to another switch (rather than to a host), a Layer 2 loop may occur, because the port neither sends nor processes BPDUs. In addition, if BPDU Guard is configured on the same port where BPDU Filtering is enabled, BPDU Guard does not work and BPDU Filtering is what takes effect.
 
Configure BPDU Filtering:
Switch(config)# spanning-tree portfast bpdufilter default    /--- enable BPDU Filtering on ports with the PortFast feature enabled ---/
Switch(config-if)# spanning-tree bpdufilter enable    /--- enable BPDU Filtering without enabling the PortFast feature ---/
ROOT Guard
Root Guard: prevents a newly added switch (with a lower bridge ID) from disturbing a stable switching network that already has a root bridge, and prevents unauthorized switches from becoming the root bridge.
Working principle: when a port with this feature enabled receives a BPDU with a higher priority than the root bridge (a superior BPDU), it immediately blocks the port so that no loop can form. The feature is dynamic: once the port stops receiving superior BPDUs, it returns to the forwarding state.
Root Guard is applied on designated ports (DP). The port's role does not change: it can only ever be a DP, which prevents a newly added switch from becoming root, so the port becomes a permanent DP (check with show spann inconsistentport). If the newly added switch tries to become root, its port cannot work until the new switch completes the RP (root port).
Loop Guard
Loop Guard: prevents a blocked port from moving to forwarding when the link is abnormal (two-way communication is not possible) and the port cannot receive BPDUs; the port is held in the loop-inconsistent blocking state even though no BPDUs are received (Root Guard is automatically disabled when Loop Guard is enabled).

Enable Loop Guard on an RP (root port) or alternate port:
Switch(config-if)# spanning-tree guard loop

Enable globally:
Switch(config)# spanning-tree loopguard default
If loop guard is enabled on a port with root guard enabled, loop guard disables the root guard function.
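
A configuration audit for the pitfalls described above (PortFast without BPDU Guard, BPDU Filter cancelling BPDU Guard on the same port, PortFast on a switch-to-switch link), as an added example that is not part of the original article. It assumes Cisco IOS running-config layout with the command spellings used on this page; the function name audit_edge_ports, the use of switchport mode trunk to identify switch-to-switch links, and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in running-config layout (not taken from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 spanning-tree portfast
!
interface FastEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface FastEthernet0/3
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 spanning-tree portfast
 spanning-tree bpduguard enable
"""

def audit_edge_ports(config_text):
    """Return sorted (interface, finding) pairs for risky PortFast/BPDU settings."""
    global_guard = False
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw[:1] != " ":                     # top-level line closes any interface block
            match = re.match(r"interface\s+(\S+)", line)
            current = match.group(1) if match else None
            global_guard |= line == "spanning-tree portfast bpduguard default"
        elif current:                          # indented sub-command of the open interface
            ports.setdefault(current, set()).add(line)
    findings = []
    for name, cfg in ports.items():
        portfast = "spanning-tree portfast" in cfg
        # The global default protects only ports that also have PortFast enabled.
        guard = "spanning-tree bpduguard enable" in cfg or (portfast and global_guard)
        if portfast and not guard:
            findings.append((name, "PortFast without BPDU Guard"))
        if guard and "spanning-tree bpdufilter enable" in cfg:
            findings.append((name, "BPDU Filter overrides BPDU Guard"))
        if portfast and "switchport mode trunk" in cfg:
            findings.append((name, "PortFast on a trunk port"))
    return sorted(findings)

if __name__ == "__main__":
    for port, issue in audit_edge_ports(SAMPLE_CONFIG):
        print(f"{port}: {issue}")
```

Run it against saved show running-config output; a port with PortFast and BPDU Guard and nothing else, like FastEthernet0/4 in the sample, produces no finding.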
