-
Catalyst 5000 Family Software Configuration Guide (6.3 and 6.4)
-
Index
-
Release Notes for Catalyst 5000 Family Software Release 6.x
-
Preface
-
Product Overview
-
Using the Command-Line Interface
-
Configuring the Switch IP Address and Default Gateway
-
Using Redundant Supervisor Engines
-
Configuring Ethernet and Fast Ethernet Switching
-
Configuring Gigabit Ethernet Switching
-
Configuring Fast EtherChannel and Gigabit EtherChannel
-
Configuring Spanning Tree
-
Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast
-
Configuring VTP
-
Configuring VLANs
-
Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports
-
Configuring Dynamic Port VLAN Membership with VMPS
-
Configuring GVRP
-
Configuring QoS
-
Configuring Multicast Services
-
Configuring Broadcast/Multicast Suppression
-
Configuring Port Security
-
Configuring the IP Permit List
-
Configuring Protocol Filtering
-
Checking Port Status and Connectivity
-
Configuring CDP
-
Using Switch TopN Reports
-
Configuring UDLD
-
Configuring SNMP
-
Configuring RMON
-
Configuring SPAN
-
Configuring the Network Analysis Module
-
Administering the Switch
-
Configuring Switch Access Using AAA
-
Modifying the Switch Boot Configuration
-
Using the Flash File System
-
Working with System Software Images
-
Working with Configuration Files
-
Configuring System Message Logging
-
Configuring DNS
-
Configuring NTP
-
Configuring FDDI/CDDI Switching
-
Configuring FDDI 802.10 Trunks
-
Configuring Token Ring Switching
-
Configuring Token Ring Filters
-
Acronyms
-
Table Of Contents
Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast
Understanding How PortFast Works
Enabling Spanning Tree PortFast
Disabling Spanning Tree PortFast
Understanding How PortFast BPDU Guard Works
Configuring PortFast BPDU Guard
Understanding How PortFast BPDU Filter Works
Configuring PortFast BPDU Filter
Disabling PortFast BPDU Filter
Understanding How UplinkFast Works
Understanding How BackboneFast Works
Displaying BackboneFast Statistics
Understanding How Loop Guard Works
Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast
This chapter describes how to configure the PortFast, UplinkFast, and BackboneFast spanning tree features.
Note
For information on configuring spanning tree, see Chapter 8, "Configuring Spanning Tree."
Note
This chapter consists of these sections:
•
•
•
•
•
•
•
•
Understanding How PortFast Works
The spanning tree PortFast feature causes a port to enter the spanning tree forwarding state immediately, bypassing the listening and learning states. You can use PortFast on switch ports connected to a single workstation or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state.
Caution
When the switch powers up, or when a device is connected to a port, the port normally enters the spanning tree listening state. When the forward delay timer expires, the port enters the learning state. When the forward delay timer expires a second time, the port is transitioned to the forwarding or blocking state.
When you enable PortFast on a port, the port is immediately and permanently transitioned to the spanning tree forwarding state.
Configuring PortFast
These sections describe how to configure spanning tree PortFast on the switch:
•
•
Enabling Spanning Tree PortFast
Caution
To enable PortFast on a switch port, perform this task in privileged mode:
Step 1
Enable PortFast on a switch port connected to a single workstation or server.
set spantree portfast mod/port enable
Step 2
Verify the PortFast setting.
show spantree mod/port
This example shows how to enable PortFast on a port and verify the configuration (the PortFast status is shown in the "Fast-Start" column):
Console> (enable) set spantree portfast 4/1 enableWarning: Spantree port fast start should only be enabled on ports connectedto a single host. Connecting hubs, concentrators, switches, bridges, etc. toa fast start port can cause temporary spanning tree loops. Use with caution.Spantree port 4/1 fast start enabled.Console> (enable) show spantree 4/1Port Vlan Port-State Cost Priority Fast-Start Group-method--------- ---- ------------- ----- -------- ---------- ------------4/1 1 blocking 19 20 enabled4/1 100 forwarding 10 20 enabled4/1 521 blocking 19 20 enabled4/1 522 blocking 19 20 enabled4/1 523 blocking 19 20 enabled4/1 524 blocking 19 20 enabled4/1 1003 not-connected 19 20 enabled4/1 1005 not-connected 19 4 enabledConsole> (enable)Disabling Spanning Tree PortFast
To disable PortFast on a switch port, perform this task in privileged mode:
Step 1
Disable PortFast on a switch port.
set spantree portfast mod/port disable
Step 2
Verify the PortFast setting.
show spantree mod/port
This example shows how to disable PortFast on a port:
Console> (enable) set spantree portfast 4/1 disableSpantree port 4/1 fast start disabled.Console> (enable)Understanding How PortFast BPDU Guard Works
To prevent loops from occuring in a network, the spanning tree PortFast mode should be configured only on nontrunking access ports because these ports usually do not transmit or receive BPDUs. The most secure implementation of PortFast is to enable it only on ports that connect end stations to switches.
The PortFast BPDU guard feature prevents loops by moving a nontrunking port into ErrDisable state when a BPDU is received on that port. When the BPDU guard feature is enabled on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs instead of putting them into the spanning tree blocking state. In a valid configuration, PortFast-configured interfaces should not receive BPDUs. If a PortFast-configured interface receives a BPDU, an invalid configuration exists, such as connection of an unauthorized device. The BPDU guard feature provides a secure response to invalid configurations because the administrator must manually put the interface back in service and correct the invalid configuration.
Note
Configuring PortFast BPDU Guard
These sections describe how to configure spanning tree PortFast BPDU guard on the switch:
•
Enabling PortFast BPDU Guard
Note
To enable PortFast BPDU guard on a nontrunking switch port, perform this task in privileged mode:
Step 1
Enable PortFast BPDU guard on the switch.
set spantree portfast bpdu-guard enable
Step 2
Verify the PortFast BPDU guard setting.
show spantree summary
This example shows how to enable PortFast BPDU guard and verify the configuration:
console > (enable) set spantree portfast bpdu-guard enableSpantree portfast bpdu-guard enabled on this switch.Console> (enable) show spantree summaryRoot switch for vlans: none.Portfast bpdu-guard enabled for bridge.
Uplinkfast disabled for bridge.Backbonefast disabled for bridge.Vlan Blocking Listening Learning Forwarding STP Active----- -------- --------- -------- ---------- ----------1 0 0 0 4 42 0 0 0 4 43 0 0 0 4 44 0 0 0 4 45 0 0 0 4 46 0 0 0 4 410 0 0 0 4 420 0 0 0 4 450 0 0 0 4 4100 0 0 0 4 4152 0 0 0 4 4200 0 0 0 5 5300 0 0 0 4 4400 0 0 0 4 4500 0 0 0 4 4521 0 0 0 4 4524 0 0 0 4 4570 0 0 0 4 4801 0 0 0 0 0802 0 0 0 0 0850 0 0 0 4 4917 0 0 0 4 4999 0 0 0 4 41003 0 0 0 0 01005 0 0 0 0 0Blocking Listening Learning Forwarding STP Active----- -------- --------- -------- ---------- ----------Total 0 0 0 85 85Console> (enable)Disabling PortFast BPDU Guard
To disable PortFast BPDU guard, perform this task in privileged mode:
Step 1
Disable PortFast BPDU guard.
set spantree portfast bpdu-guard disable
Step 2
Verify the PortFast BPDU guard setting.
show spantree summary
This example shows how to disable spanning tree PortFast BPDU guard on the switch and verify the configuration:
console > (enable) set spantree portfast bpdu-guard disableSpantree portfast bpdu-guard disabled on this switch.Console> (enable) show spantree summarySummary of connected spanning tree ports by vlanPortfast bpdu-guard disabled for bridge.Uplinkfast disabled for bridge.Backbonefast disabled for bridge.Vlan Blocking Listening Learning Forwarding STP Active----- -------- --------- -------- ---------- ----------1 0 0 0 4 42 0 0 0 4 43 0 0 0 4 44 0 0 0 4 45 0 0 0 4 46 0 0 0 4 410 0 0 0 4 420 0 0 0 4 450 0 0 0 4 4100 0 0 0 4 4152 0 0 0 4 4200 0 0 0 5 5300 0 0 0 4 4400 0 0 0 4 4500 0 0 0 4 4521 0 0 0 4 4524 0 0 0 4 4570 0 0 0 4 4801 0 0 0 0 0802 0 0 0 0 0850 0 0 0 4 4917 0 0 0 4 4999 0 0 0 4 41003 0 0 0 0 01005 0 0 0 0 0Blocking Listening Learning Forwarding STP Active----- -------- --------- -------- ---------- ----------Total 0 0 0 85 85Console> (enable)Understanding How PortFast BPDU Filter Works
BPDU filtering provides a method for you to avoid transmitting BPDUs on a PortFast-enabled port; connected to an end system, which helps save CPU time. This feature is on a per-switch basis. After BPDU filtering is enabled it applies to all PortFast-enabled ports.
The PortFast BPDU filter allows access ports to move directly to the forwarding state as soon as end hosts are connected. Spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled or not. PortFast BPDU filtering is enabled globally but applies to PortFast-enabled ports only.
Configuring PortFast BPDU Filter
These sections describe how to configure the spanning tree PortFast BPDU filter option on the switch:
•
•
Enabling PortFast BPDU Filter
Note
To enable the PortFast BPDU filter option on a nontrunking switch port, perform this task in privileged mode:
This example shows how to enable the PortFast BPDU filter option on the switch and verify the configuration in PVST+ mode:
Note
Console> (enable) set spantree portfast bpdu-filter enableUsage: set spantree portfast <mod/port> <enable|disable>set spantree portfast bpdu-guard <enable|disable>set spantree portfast bpdu-filter <enable|disable>Spantree portfast bpdu-filter enabled on this switch.Console> (enable) show spantree portfastPortfast BPDU guard is disabled.Portfast BPDU filter is disabled.Console> (enable) show spantree summaryRoot switch for vlans: none.Portfast bpdu-filter enabled for bridge.Uplinkfast disabled for bridge.Backbonefast disabled for bridge.Vlan Blocking Listening Learning Forwarding STP Active----- -------- --------- -------- ---------- ----------1 0 0 0 4 42 0 0 0 4 43 0 0 0 4 44 0 0 0 4 45 0 0 0 4 46 0 0 0 4 410 0 0 0 4 420 0 0 0 4 450 0 0 0 4 4100 0 0 0 4 4152 0 0 0 4 4200 0 0 0 5 5300 0 0 0 4 4400 0 0 0 4 4500 0 0 0 4 4521 0 0 0 4 4524 0 0 0 4 4570 0 0 0 4 4801 0 0 0 0 0802 0 0 0 0 0850 0 0 0 4 4917 0 0 0 4 4999 0 0 0 4 41003 0 0 0 0 01005 0 0 0 0 0Blocking Listening Learning Forwarding STP Active----- -------- --------- -------- ---------- ----------Total 0 0 0 85 85Console> (enable)Disabling PortFast BPDU Filter
To disable the PortFast BPDU filter option on the switch, perform this task in privileged mode:
This example shows how to disable spanning tree PortFast BPDU filter on the switch and verify the configuration:
Console> (enable) set spantree portfast bpdu-filter disableSpantree portfast bpdu-filter disabled on this switch.Console> (enable) show spantree summarySummary of connected spanning tree ports by vlanPortfast bpdu-filter disabled for bridge.Uplinkfast disabled for bridge.Backbonefast disabled for bridge.Vlan Blocking Listening Learning Forwarding STP Active----- -------- --------- -------- ---------- ----------1 0 0 0 4 42 0 0 0 4 43 0 0 0 4 44 0 0 0 4 45 0 0 0 4 46 0 0 0 4 410 0 0 0 4 420 0 0 0 4 450 0 0 0 4 4100 0 0 0 4 4152 0 0 0 4 4200 0 0 0 5 5300 0 0 0 4 4400 0 0 0 4 4500 0 0 0 4 4521 0 0 0 4 4524 0 0 0 4 4570 0 0 0 4 4801 0 0 0 0 0802 0 0 0 0 0850 0 0 0 4 4917 0 0 0 4 4999 0 0 0 4 41003 0 0 0 0 01005 0 0 0 0 0Blocking Listening Learning Forwarding STP Active----- -------- --------- -------- ---------- ----------Total 0 0 0 85 85Console> (enable)Understanding How UplinkFast Works
The UplinkFast feature provides fast convergence in the network access layer after a spanning tree topology change by using uplink groups. An uplink group is a set of ports (per VLAN), only one of which is forwarding at any given time. Specifically, an uplink group consists of the root port (which is forwarding) and a set of blocked ports (not including self-looped ports). The uplink group provides an alternate path in case the link that is currently forwarding fails.
Note
Figure 9-1 shows an example UplinkFast network topology. Switch A, the root switch, is connected directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that is connected to Switch B over link L3 is in blocking state.
Figure 9-1 UplinkFast Example Before Direct Link Failure
If Switch C detects a link failure on the currently active link L2 (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state immediately, without transitioning the port through the listening and learning states (as shown in Figure 9-2). This switchover takes approximately one to five seconds.
Figure 9-2 UplinkFast Example After Direct Link Failure
As soon as the switch transitions the alternate port to the forwarding state, the switch begins transmitting dummy multicast frames on that port, one for each entry in the local EARL table (except those entries associated with the failed root port). By default, approximately 15 dummy multicast frames are transmitted per 100 milliseconds.
Each dummy multicast frame uses the station address in the EARL table entry as its source MAC address and a dummy multicast address (01-00-0C-CD-CD-CD) as the destination MAC address.
Switches receiving these dummy multicast frames immediately update their EARL table entries for each source MAC address to use the new port, allowing the switches to begin using the new path almost immediately.
If connectivity on the original root port is restored, the switch waits for a period equal to twice the forward delay time plus 5 seconds before transitioning the port to the forwarding state. This wait allows the neighbor port time to transition through the listening and learning states to the forwarding state.
Configuring UplinkFast
These sections describe how to configure the UplinkFast feature on the switch:
Enabling UplinkFast
When you enable spanning tree UplinkFast on the switch, UplinkFast processing is enabled and the spanning tree bridge priority for all VLANs is set to 49152, making it unlikely that the switch will become the root switch. The spanning tree port cost and port-VLAN cost of all ports on the switch is increased by 3000.
The station_update_rate value in the UplinkFast command represents the number of dummy multicast packets transmitted per 100 milliseconds (the default is 15 packets per 100 milliseconds) in the event of a direct link failure.
Use the all-protocols on keywords on switches that have UplinkFast enabled but do not have protocol filtering enabled, and that are connected to upstream switches in the network that have protocol filtering enabled. The all-protocols on keywords cause the switch to generate multicasts for each protocol-filtering group.
On switches with both UplinkFast and protocol filtering enabled, or if no other switches have protocol filtering enabled, you do not need to use the all-protocols on keywords.
Note
To enable UplinkFast, perform this task in privileged mode:
This example shows how to enable UplinkFast with a station-update rate of 40 packets per 100 milliseconds and how to verify that UplinkFast is enabled:
Console> (enable) set spantree uplinkfast enableVLANs 1-1005 bridge priority set to 49152.The port cost and portvlancost of all ports set to above 3000.Station update rate set to 40 packets/100ms.uplinkfast all-protocols field set to off.uplinkfast enabled for bridge.Console> (enable) show spantree uplinkfastStation update rate set to 15 packets/100ms.uplinkfast all-protocols field set to off.VLAN port list-----------------------------------------------1 1/1(fwd),1/2100 1/2(fwd)521 1/1(fwd),1/2522 1/1(fwd),1/2523 1/1(fwd),1/2524 1/1(fwd),1/2Console> (enable)This example shows how to display the UplinkFast feature settings for all VLANs:
Console> show spantree uplinkfastStation update rate set to 15 packets/100ms.uplinkfast all-protocols field set to off.VLAN port list------------------------------------------------1-20 1/1(fwd),1/2-1/521-50 1/9(fwd), 1/6-1/8, 1/10-1/1251-100 2/1(fwd), 2/12Console>Disabling UplinkFast
To disable UplinkFast and restore the default spanning tree bridge priority, port cost, and port-VLAN cost values to their default values, enter the clear spantree uplinkfast command.
Caution
You can disable only spanning tree UplinkFast processing on the switch using the set spantree uplinkfast disable command. This command does not affect the bridge priority, port cost, and port-VLAN cost values on the switch.
Note
To disable UplinkFast on the switch, perform this task in privileged mode:
This example shows how to disable UplinkFast on the switch and restore the default bridge priority, port cost, and port-VLAN cost values:
Console> (enable) clear spantree uplinkfastThis command will cause all portcosts, portvlancosts, and thebridge priority on all vlans to be set to default.Do you want to continue (y/n) [n]? yVLANs 1-1005 bridge priority set to 32768.The port cost of all bridge ports set to default value.The portvlancost of all bridge ports set to default value.uplinkfast all-protocols field set to off.uplinkfast disabled for bridge.Console> (enable) show spantree uplinkfastuplinkfast disabled for bridge.Console> (enable)Understanding How BackboneFast Works
The BackboneFast feature provides fast convergence in the network backbone after a spanning tree topology change occurs. A switch detects an indirect link failure (the failure of a link to which the switch is not directly connected) when the switch receives inferior BPDUs from its designated bridge on its root port or blocked ports. These inferior BPDUs indicate that the designated bridge has lost its connection to the root bridge. An inferior BPDU identifies a single switch as both the root bridge and the designated bridge. Under normal spanning tree rules, the switch ignores inferior BPDUs for the configured maximum aging time (specified by the set spantree maxage command).
The switch tries to determine if it has an alternate path to the root bridge. If the inferior BPDU arrives on a blocked port, the root port and other blocked ports on the switch become alternate paths to the root bridge. If the inferior BPDU arrives on the root port, all blocked ports become alternate paths to the root bridge. If the inferior BPDU arrives on the root port and there are no blocked ports, the switch assumes that it has lost connectivity to the root bridge, which causes the maximum aging time on the root to expire, and the switch becomes the root switch according to normal spanning tree rules.
If the switch has alternate paths to the root bridge, it transmits Root Link Query PDUs out all alternate paths to the root bridge. If the switch determines that it still has an alternate path to the root, it causes the maximum aging time on the ports on which it received the inferior BPDU to expire. If all the alternate paths to the root bridge indicate that the switch has lost connectivity to the root bridge, the switch causes the maximum aging times on the ports on which it received an inferior BPDU to expire. If one or more alternate paths can still connect to the root bridge, the switch makes all ports on which it received an inferior BPDU its designated ports and moves them out of the blocking state (if they were in blocking state), through the listening and learning states, and into the forwarding state.
Figure 9-3 shows an example BackboneFast network topology. Switch A, the root switch, connects directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that connects directly to Switch B over link L3 is in the blocking state.
Figure 9-3 BackboneFast Example Before Indirect Link Failure
If link L1 fails, Switch C detects this failure as an indirect failure, because it is not connected directly to link L1. Switch B no longer has a path to the root switch. BackboneFast allows the blocked port on Switch C to move immediately to the listening state without waiting for the maximum aging time for the port to expire. BackboneFast then transitions the port on Switch C to the forwarding state, providing a path from Switch B to Switch A. This switchover takes approximately 30 seconds. Figure 9-4 shows how BackboneFast reconfigures the topology to account for the failure of link L1.
Figure 9-4 BackboneFast Example After Indirect Link Failure
If a new switch is introduced into a shared-medium topology, BackboneFast is not activated. Figure 9-5 shows a shared-medium topology in which a new switch is added. The new switch begins sending inferior BPDUs, which indicate that it is the root switch. However, the other switches ignore these inferior BPDUs and the new switch learns that Switch B is the designated bridge to Switch A, the root switch.
Figure 9-5 Adding a Switch in a Shared-Medium Topology
Configuring BackboneFast
These sections describe how to configure the BackboneFast feature:
•
Enabling BackboneFast
Note
To enable BackboneFast on the switch, perform this task in privileged mode:
Step 1
Enable BackboneFast on the switch.
set spantree backbonefast enable
Step 2
Verify that BackboneFast is enabled.
show spantree backbonefast
This example shows how to enable BackboneFast on the switch and how to verify the configuration:
Console> (enable) set spantree backbonefast enableBackbonefast enabled for all VLANsConsole> (enable) show spantree backbonefastBackbonefast is enabled.Console> (enable)Displaying BackboneFast Statistics
To display BackboneFast statistics, perform this task in privileged mode:
This example shows how to display BackboneFast statistics:
Console> (enable) show spantree summarySummary of connected spanning tree ports by vlanUplinkfast disabled for bridge.Backbonefast enabled for bridge.Vlan Blocking Listening Learning Forwarding STP Active----- -------- --------- -------- ---------- ----------1 0 0 0 1 1Blocking Listening Learning Forwarding STP Active----- -------- --------- -------- ---------- ----------Total 0 0 0 1 1BackboneFast statistics-----------------------Number of inferior BPDUs received (all VLANs) : 0Number of RLQ req PDUs received (all VLANs) : 0Number of RLQ res PDUs received (all VLANs) : 0Number of RLQ req PDUs transmitted (all VLANs) : 0Number of RLQ res PDUs transmitted (all VLANs) : 0Console> (enable)Disabling BackboneFast
To disable BackboneFast on the switch, perform this task in privileged mode:
Step 1
Disable BackboneFast on the switch.
set spantree backbonefast disable
Step 2
Verify that BackboneFast is disabled.
show spantree backbonefast
This example shows how to disable BackboneFast on the switch and how to verify the configuration:
Console> (enable) set spantree backbonefast disableBackbonefast enabled for all VLANsConsole> (enable) show spantree backbonefastBackbonefast is disable.Console> (enable)Understanding How Loop Guard Works
Unidirectional link failures may cause a root port or alternate port to become designated as root if BPDUs are absent. Some software failures may introduce temporary loops in the network. The loop guard feature checks if a root port or an alternate root port receives BPDUs. If the port is not receiving BPDUs, the loop guard feature puts the port into an inconsistent state until it starts receiving BPDUs again. Loop guard isolates the failure and lets spanning tree converge to a stable topology without the failed link or bridge.
You can enable loop guard on a per-port basis. When you enable loop guard, it is automatically applied to all of the active instances or VLANs to which that port belongs. When you disable loop guard, it is disabled for the specified ports. Disabling loop guard moves all loop-inconsistent ports to the listening state.
If you enable loop guard on a channel and the first link becomes unidirectional, loop guard blocks the entire channel until the affected port is removed from the channel. Figure 9-6 shows loop guard in a triangle switch configuration.
Figure 9-6 Triangle Switch Configuration with Loop Guard
Figure 9-6 illustrates the following configuration:
•
•
•
Use loop guard only in topologies where there are blocked ports. Topologies that have no blocked ports, which are loop free, do not need to enable this feature. Enabling loop guard on a root switch has no effect but provides protection when a root switch becomes a nonroot switch.
Follow these guidelines when using loop guard:
•
•
•
Loop guard interacts with other features as follows:
•
•
Note
•
•
•
•
•
These caveats apply to loop guard:
–
–
–
Note
•
Configuring Loop Guard
These sections describe how to configure BackboneFast:
Enabling Loop Guard
Use the set spantree guard command to enable or disable the spanning tree loop guard feature on a per-port basis.
To enable loop guard on the switch, perform this task in privileged mode:
This example shows how to enable loop guard:
Console> (enable) set spantree guard loop 5/1Rootguard is enabled on port 5/1, enabling loopguard will disable rootguard onthis port.Do you want to continue (y/n) [n]? yLoopguard on port 5/1 is enabled.Console> (enable)Disabling Loop Guard
To disable loop guard on the switch, perform this task in privileged mode:
This example shows how to disable loop guard:
Console> (enable) set spantree guard none 5/1Rootguard is disabled on port 5/1, disabling loopguard will disable rootguard onthis port.Do you want to continue (y/n) [n]? yLoopguard on port 5/1 is disabled.Console> (enable)
