Cisco Enhancements to STP

The following sections cover items that Cisco has developed to enhance the performance of STP, thus decreasing your convergence times. These features include Cisco's proprietary PortFast, UplinkFast, and BackboneFast.

PortFast

Cisco's proprietary PortFast feature reduces the size of the STP database by excluding ports that do not have bridges or switches connected to them and removing them from the STP topology, thereby minimizing downtime when changes occur in a switched network. When a change occurs, STP flushes the content-addressable memory (CAM) table, thereby preventing any communication between devices until STP has the ports go through the blocking, listening, learning, and forwarding states. Using the PortFast feature is very important in environments where servers require constant communication between them and the end users' devices or where changes are constantly taking place. Using the PortFast configuration commands greatly reduces the number of ports in STP and therefore decreases the time it takes for convergence to occur when changes take place in a switched network.

PortFast Operation

When a change occurs that causes STP to recalculate, ports enabled for PortFast remain in a forwarding state and the entries in the CAM table for these ports are not removed.

To take a port out of STP, you can place it in PortFast mode. When STP is run and the ports go through the four different modes, ports in PortFast mode are kept in a forwarding state. The advantage of this is that the ports configured for PortFast do not have to wait 30 to 50 seconds while the STP algorithm is running. Make sure that you do this only for ports that you know are not part of any Layer 2 loop. This is primarily used for ports connected to PCs, servers, and routers.

If you have devices that acquire addressing information (DHCP, IPX, AppleTalk) when they boot up, you'll have to enable PortFast for them. For example, you turn on your PC and it tries to use DHCP to acquire its IP addressing information. If PortFast is not enabled, your PC probably won't get its IP addressing information because the port has to go through the various STP states to be placed into a forwarding state (listening, learning, and forwarding). As STP is running and going through its states, the device is trying to acquire its addressing information. In many instances, the device will give up before STP has had time to converge, thus preventing the device from acquiring the necessary addressing to participate in the Layer 3 network.

PortFast Configuration

To configure PortFast on a Catalyst switch, execute the following command:

 Switch(config)# interface type slot_#/port_#
 Switch(config-if)# [no] spanning-tree portfast

To verify your configuration, use the show spanning-tree summary command or the show running-config interface command. Here's an example of the former command:

 Switch> show spanning-tree summary
 Switch is in pvst mode
 Root bridge for: none
 EtherChannel misconfiguration guard is enabled
 Extended system ID is enabled
 Portfast is disabled by default
 PortFast BPDU Guard is disabled by default
 Portfast BPDU Filter is disabled by default
 Loopguard is disabled by default
 UplinkFast is disabled
 BackboneFast is disabled
 Pathcost method used is short
 Name       Blocking Listening Learning Forwarding STP Active
 ---------- -------- --------- -------- ---------- ----------
 VLAN0001   0        0         0        1          1
 <--output truncated-->

In this example, you can see that PortFast is not enabled.

BPDU Guard

BPDU Guard is a Cisco feature that shuts down a PortFast port if a BPDU is received on it. When the port is shut down, the status of the interface is error disabled. BPDU Guard is disabled by default. To enable it, use the following commands:

 Switch(config)# interface type slot_#/port_#
 Switch(config-if)# spanning-tree portfast bpduguard

To verify whether BPDU Guard is enabled, use the show spanning-tree summary command.

BPDU Filtering

The BPDU filtering feature enables you to filter BPDUs on ports of your switch. This is handy for ports that you know should be connected only to user devices. It prevents a switch that is mistakenly connected to one of these ports from creating Layer 2 loops.

To configure BPDU filtering, you must first enable PortFast on the port. After PortFast is enabled, you can enable BPDU filtering on the interface. Here's an example of its configuration:

 Switch(config)# interface type slot_#/port_#
 Switch(config-if)# spanning-tree portfast bpdufilter default

If a switch receives more than 10 BPDUs on a PortFast port when BPDU filtering is enabled, the switch disables PortFast on the port and treats the port as a normal STP port. The advantage that BPDU filtering has over BPDU Guard is that BPDU filtering allows a port to dynamically switch to and from PortFast, whereas BPDU Guard restricts the port to PortFast only. Use the show spanning-tree summary command to verify your configuration.

PortFast takes a port out of STP and leaves it in a forwarding state. Use the spanning-tree portfast command to enable this on an interface. When enabled, you must not connect a switch to a port configured for PortFast. You can use the BPDU Guard and BPDU filtering features to detect this problem and deal with it.
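A configuration check that follows from this section, as an added example that is not from the book: the Python script below parses running-config text and reports, for every port with spanning-tree portfast, whether BPDU Guard or BPDU filtering is also configured. The sample configuration is constructed, the function names are hypothetical, and besides the command forms shown above the patterns also accept the "bpduguard enable" and "bpdufilter enable" forms that other IOS releases use at interface level.

```python
import re

# Constructed sample running-config (not from the page or a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 spanning-tree portfast
 spanning-tree portfast bpduguard
!
interface FastEthernet0/2
 spanning-tree portfast
!
interface FastEthernet0/3
 spanning-tree portfast
 spanning-tree portfast bpdufilter default
!
interface FastEthernet0/4
 no spanning-tree portfast
!
"""

# Forms shown on this page, plus the "enable" forms other IOS releases use.
GUARD = re.compile(r"spanning-tree (portfast )?bpduguard( enable)?")
FILTER = re.compile(r"spanning-tree (portfast )?bpdufilter( default| enable)?")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def protection(cmds):
    if any(GUARD.fullmatch(c) for c in cmds):
        return "guard"
    return "filter" if any(FILTER.fullmatch(c) for c in cmds) else "none"

def audit_portfast(config):
    """Return {port: 'guard' | 'filter' | 'none'} for every PortFast port."""
    return {name: protection(cmds)
            for name, cmds in parse_interfaces(config).items()
            if "spanning-tree portfast" in cmds}

def unprotected_ports(config):
    return sorted(p for p, s in audit_portfast(config).items() if s == "none")
```

On the constructed sample, only FastEthernet0/2 is reported as a PortFast port with neither feature configured.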


UplinkFast

STP guarantees a loop-free environment. However, one large disadvantage of STP is the 30- to 50-second convergence time before redundant links can be used when failures occur. This is problematic in environments where real-time or bandwidth-intensive applications are deployed. Cisco's proprietary UplinkFast feature allows the almost-immediate use of a redundant switched connection (a blocked port) without recalculating STP when the primary path fails. This reduces the transition period from 30 or 50 seconds to less than 4 seconds.

The name of this feature describes its purpose. It's typically used on uplink ports that connect access layer switches to distribution layer switches. An example of this is shown in Figure 5.1. The left side shows two distribution layer switches. The one on the left is the root and the one on the right is the backup, or secondary, root. Note that the primary link is from the access layer switch to the root switch located on the left. When the link on the left fails, the access layer switch uses the backup link on the right within 2 to 4 seconds after detecting the failure. It does this by placing the blocked port into a forwarding state, bypassing the listening and learning states of STP.

Figure 5.1. UplinkFast example.

The following must be true for UplinkFast to perform its task:

  • The UplinkFast feature must be enabled on your switches. By default, it is disabled.

  • The switch must have one port in a blocking state. This means that there's an alternative path to the root switch.

  • The failure that's detected must be on the root port of this switch. Therefore, failures on other switches could still affect convergence for this switch.

Remember the UplinkFast requirements: It must be enabled, one port must be in a blocking state, and the failure must be on the currently attached root port of the switch.


It's highly recommended that UplinkFast be configured on your access layer switches only. If a switch is the root of STP, the switch will automatically disable it even if you have UplinkFast enabled. In other words, UplinkFast is a feature designed for nonroot, or leaf, switches.


To turn on UplinkFast for your Catalyst switch, use the following command:

 Switch(config)# [no] spanning-tree uplinkfast [max-update-rate update_rate]

By default, the switch generates 150 multicasts every second. You can increase or decrease this value, which either decreases the amount of time to detect failures or increases it, respectively. Note that there is no option to enable or disable this per interface or VLAN; you either enable it for the whole switch or you leave it disabled. To verify UplinkFast's configuration, use the show spanning-tree summary command, which was shown earlier in the chapter in the "PortFast Configuration" section. You can also use the show spanning-tree uplinkfast command:

 Switch> show spanning-tree uplinkfast
 UplinkFast is enabled
 Station update rate set to 150 packets/sec.
 UplinkFast statistics
 -----------------------
 Number of transitions via uplinkFast (all VLANs)           : 7
 Number of proxy multicast addresses transmitted (all VLANs): 4238
 Name                 Interface List
 -------------------- -----------------------
 VLAN1                Fa0/1 (fwd), Fa(0/3)
 <--output truncated-->

Use the spanning-tree uplinkfast command to enable UplinkFast on a switch.


BackboneFast

Cisco's proprietary BackboneFast feature is an enhancement to STP that provides scalability to STP on your backbone switches: It's not meant for your access layer switches but rather for your core and distribution layer switches. BackboneFast and UplinkFast are complementary STP enhancements. One major difference between UplinkFast and BackboneFast is that UplinkFast works only for directly connected links that fail, whereas BackboneFast has the capability to detect indirect link failures, that is, links not physically connected to a switch.

Let's take a look at how the BackboneFast feature works. Let's assume that you have three core switches that are interconnected, as shown in step 1 of Figure 5.2. Switch 1 is the root, and switch 2 is the designated bridge for the segment between switch 2 and switch 3. Because of this, switch 3 places its port on the left in a blocking state.

Figure 5.2. BackboneFast example.

The BackboneFast feature begins its process when it receives an inferior BPDU from its designated switch, either on the root port or on a blocked port of a switch. An inferior BPDU can be defined as a BPDU that identifies a single switch as both the root switch and the designated switch. In this case, switch 3 begins receiving these inferior BPDUs from switch 2, the designated switch. When switch 3 starts receiving these BPDUs, it essentially tells the switch that an indirect link (a link it's not physically connected to) has failed and therefore the designated switch has lost its connection to the real root switch. This is shown in step 2 of Figure 5.2.

In a normal situation, the inferior BPDUs that switch 3 is receiving from switch 2 would be ignored until the maximum aging time had expired, thereby slowing down convergence. At that point, switch 3 will try to determine whether it has a primary or alternative path to the real root switch. It does this by examining all its other ports: whether they're blocked or if one happens to be a root port. In a worst case, if there's only a root port and no blocked port, this tells the receiving switch that it has lost all connectivity to the root. In either of these cases, the normal STP rules take place. The receiving switch waits until the maximum aging time has expired, promotes itself as root, and then starts the STP algorithm.

If there are alternative paths, the BackboneFast feature alleviates the problem of rerunning STP and creating convergence issues. If the inferior BPDU arrives on a root port, an alternative path must be found; hopefully, one of the blocked ports will provide a secondary route. In this situation, not only has the neighbor lost its primary path to the root, but also the switch receiving the inferior BPDU. However, if the inferior BPDU arrives on a blocked port, the receiving switch knows it already has a valid primary path: the root port itself. In step 2 of the example, switch 3 has a root port: the port on the bottom connecting to the root bridge, switch 1.

If there is an alternative path, the bridge generates a special kind of PDU, called a Root Link Query PDU (RPDU), out all its alternative ports, blocked or root. The switch will then determine whether it has a valid alternative path to the root, based on BPDUs coming from other switches (if it received the inferior BPDU on its root port or if it has a primary path to the root on its root port). If it does, as is the case for switch 3 in step 2, it expires the maximum aging timer on the port(s) on which it received the inferior BPDU. This causes the switch to make the port on which it received its inferior BPDU a designated port. The switch moves the port immediately from a blocking state to listening, learning, and then forwarding, as shown in step 3 of Figure 5.2 with switch 3.

Here is where BackboneFast has an advantage over the normal occurrence of STP. With STP, a port must stay in a blocked state for 20 seconds. But with BackboneFast, the port is immediately placed into a listening state, thus reducing your convergence time from 50 seconds to 30 seconds. However, for this feature to work, you must enable it on all switches in your network: your distribution and core layer switches.
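The decision described above, written out as an added example that is not from the book and is not Cisco's implementation: a simplified Python model of how one switch reacts to an inferior BPDU, using the 20-second and 50/30-second figures from the text. The function and parameter names are hypothetical, and the result of the root link query is passed in as input rather than simulated.

```python
MAX_AGE = 20        # seconds a port stays blocked under normal STP (from the text)
LISTEN_LEARN = 30   # listening + learning; 20 + 30 gives the text's 50 seconds

def on_inferior_bpdu(ports, rx_port, root_seen_on, backbonefast=True):
    """Model one switch's reaction to an inferior BPDU.

    ports:        {port name: "root" | "blocked" | "designated"}
    rx_port:      port on which the inferior BPDU arrived
    root_seen_on: ports on which the query confirmed a path to the real root
    Returns (action, ports queried, convergence time in seconds).
    """
    if ports[rx_port] not in ("root", "blocked"):
        return ("ignore", [], 0)  # not a BackboneFast trigger
    if not backbonefast:
        return ("wait-max-age", [], MAX_AGE + LISTEN_LEARN)
    # Alternative ports are the other root or blocked ports on this switch.
    alternates = sorted(p for p, role in ports.items()
                        if p != rx_port and role in ("root", "blocked"))
    if not alternates:
        # The text's worst case: the inferior BPDU came in on the only root
        # port and nothing is blocked, so normal STP rules apply.
        return ("wait-max-age-then-claim-root", [], MAX_AGE + LISTEN_LEARN)
    if any(p in root_seen_on for p in alternates):
        # Valid path confirmed: expire max age on rx_port at once, so only
        # listening and learning remain before it forwards.
        return ("expire-max-age", alternates, LISTEN_LEARN)
    return ("wait-max-age", alternates, MAX_AGE + LISTEN_LEARN)

# Figure 5.2, switch 3: left port blocked (toward switch 2), bottom port is root.
SWITCH3 = {"left": "blocked", "bottom": "root"}

if __name__ == "__main__":
    print(on_inferior_bpdu(SWITCH3, "left", {"bottom"}))
    print(on_inferior_bpdu(SWITCH3, "left", {"bottom"}, backbonefast=False))
```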

To enable BackboneFast, use the following command:

 Switch(config)# spanning-tree backbonefast 

After BackboneFast is enabled, you can use the show spanning-tree summary and show spanning-tree backbonefast commands to verify its configuration and operation. Here's an example of the latter command:

 Switch> show spanning-tree backbonefast
 BackboneFast is enabled
 BackboneFast statistics
 -----------------------
 Number of transition via backboneFast (all VLANs) : 0
 Number of inferior BPDUs received (all VLANs)     : 0
 Number of RLQ request BPDUs received (all VLANs)  : 0
 <--output truncated-->

Where UplinkFast detects failures on directly connected interfaces, BackboneFast detects failures on nonconnected interfaces. BackboneFast can detect this condition by looking for inferior BPDUs. Use the spanning-tree backbonefast command to enable this feature.




CCNP BCMSN Exam Cram 2 (Exam Cram 642-811)
ISBN: 0789729911
EAN: 2147483647
Year: 2003
Pages: 171
Authors: Richard Deal
