which work along with the existing L2 STP feature. These two features enhance network reliability, manageability,
and security for the existing L2 STP feature.
Some devices and local stacks running on systems/workstations are capable of generating STP BPDUs that can
cause Denial of Service (DoS) attacks. The PortFast and BPDU Guard features provide stability and
security for network topologies to prevent such attacks.
PortFast
The PortFast feature is introduced to avoid network connectivity issues. These issues are caused by delays in
STP-enabled ports moving from the blocking state to the forwarding state by way of the listening and
learning states. STP-enabled ports that are connected to devices such as a single switch, workstation, or a
server can access the network only after passing through all these STP states. Some applications need to
connect to the network immediately, or they time out.
Enabling the PortFast feature causes a switch or a trunk port to enter the STP forwarding state immediately or
upon a linkup event, thus bypassing the listening and learning states. The PortFast feature is enabled at the port
level, and this port can be either a physical or a logical port. When the PortFast feature is enabled on a switch or a
trunk port, the port immediately transitions to the STP forwarding state.
Even when PortFast is enabled, the port still participates in STP. If the port happens to be part of a topology that
could form a loop, the port eventually transitions into STP blocking mode. PortFast is usually configured on an
edge port, which means the port should not receive any STP BPDUs. If the port receives any STP BPDU, it
moves back to normal/regular mode and participates in the listening and learning states.
In most deployments, edge ports are access ports. However, in this scenario there are no restrictions on
enabling the PortFast feature. The mode of the port changes from PortFast to non-PortFast when the port
receives an STP BPDU. To re-enable this feature on a port, run the shut command followed by a no-shut
command at the interface/port level.
Configuring PortFast on a non-edge port can cause instability in the STP topology.
BPDU Guard
The BPDU Guard feature protects the port from receiving STP BPDUs; however, the port can still transmit STP BPDUs.
When an STP BPDU is received on a BPDU Guard enabled port, the port is shut down and the state of the port
changes to the ErrDis (Error-Disable) state. The port remains in the ErrDis state until the port status is manually
changed by using the configuration command shut followed by a no-shut applied on the interface. In most
deployments, the BPDU Guard feature is configured over the PortFast enabled STP ports, but in this
implementation the BPDU Guard feature can be enabled on any of the STP ports, with or without the PortFast
feature being enabled on these ports.
It is recommended not to enable the BPDU Guard feature on a trunk port that forms the STP topology.
Scenarios Supported on PortFast and BPDU Guard
PortFast and BPDU Guard features are applied at the port/interface level. These features can also be applied in
the following scenarios:
- RSTP and PVST modes
- Access and Trunk ports
- Physical and Logical ports
The PortFast and BPDU Guard features can be applied either independently or together.
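The following Python sketch is an added illustration, not AOS-W code: it recognises an STP BPDU in a raw Ethernet frame and models the port behaviour described in the PortFast and BPDU Guard sections. The class and function names are hypothetical, the sample frames are constructed, the listening/learning timers are not modelled, and the handling of both features together assumes BPDU Guard acts first.

```python
# Added illustration: models the port behaviour described above. Not AOS-W code.
from dataclasses import dataclass

STP_MAC = bytes.fromhex("0180c2000000")   # IEEE 802.1D/RSTP bridge group address
PVST_MAC = bytes.fromhex("01000ccccccd")  # PVST+ per-VLAN BPDU address
LLC_STP = bytes.fromhex("424203")         # DSAP 0x42, SSAP 0x42, control 0x03


def is_stp_bpdu(frame: bytes) -> bool:
    """True if an untagged Ethernet frame is an STP/RSTP or PVST+ BPDU."""
    if len(frame) < 17:
        return False
    dst = frame[0:6]
    if dst == PVST_MAC:
        return True
    # 802.3 length field (<= 1500) followed by the STP LLC header
    length = int.from_bytes(frame[12:14], "big")
    return dst == STP_MAC and length <= 1500 and frame[14:17] == LLC_STP


@dataclass
class Port:  # hypothetical model of one STP port
    portfast: bool = False
    bpdu_guard: bool = False
    state: str = "down"
    portfast_active: bool = False

    def link_up(self) -> None:
        # PortFast skips listening/learning; otherwise the port starts in listening
        self.portfast_active = self.portfast
        self.state = "forwarding" if self.portfast else "listening"

    def receive(self, frame: bytes) -> str:
        if self.state in ("down", "errdis") or not is_stp_bpdu(frame):
            return self.state
        if self.bpdu_guard:
            self.state = "errdis"         # stays here until shut / no-shut
        elif self.portfast_active:
            self.portfast_active = False  # reverts to regular STP mode
            self.state = "listening"
        return self.state

    def shut_no_shut(self) -> None:
        # Manual recovery: clears ErrDis and re-enables PortFast if configured
        self.state = "down"
        self.link_up()


# Constructed sample frames (not captured traffic)
SRC = bytes.fromhex("020000000001")
BPDU = STP_MAC + SRC + (38).to_bytes(2, "big") + LLC_STP + bytes(35)
DATA = bytes.fromhex("ffffffffffff") + SRC + bytes.fromhex("0800") + bytes(46)
```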
AOS-W 6.5.3.x | User Guide BranchSwitch Config for Cloud Services Switches | 255