Questions on Cisco IOS Switch Config for the Novice

Here is a sample of a configuration done by a "Cisco Engineer":

interface GigabitEthernet0/7
switchport access vlan 343
switchport mode access
switchport nonegotiate
snmp trap mac-notification change added
snmp trap mac-notification change removed
no cdp enable
spanning-tree portfast


There are a few things that don't make sense:

1. This person has disabled cdp on every interface, why not do this globally with "no cdp run"?

2. Why do you need to disable DTP (switchport nonegotiate) when you have specified the port as an access port (switchport mode access)?

3. Do you need "spanning-tree portfast" when you specify a port as an access port? I read that the "switchport mode access" command will configure the port not to go through the spanning-tree process. Was I misinformed?
 
The guy may not have known about the global cdp command, or he wanted to have certain interfaces use cdp, like switch to switch links.

Statically setting the port to access will prevent it from becoming a trunk with DTP. Maybe he has it set like that in case he ends up changing the port to a trunk.

Switchport mode access will not turn on portfast. There's a command "switchport host", which does this:

Code:
CORE(config)#int gi0/12
CORE(config-if)#sw host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

Maybe that's what you were thinking of.
 
Thanks... going to add that command to my reference sheet. My thought was there was no need for portfast if setting a port to access disables STP. However, with the command you have given me I must have been misinformed.
 
Also... port-fast doesn't disable spanning tree, correct? It just sets the port to forward and does spanning-tree calcs in the background?
 
Okay... why would you enable spanning-tree if you are using portfast? If I understand correctly there are five states a port can be in (blocking, listening, learning, forwarding, and disabled); portfast bypasses the listening and learning states and goes straight to the forwarding state. If spanning tree was disabled the port would never go through the listening and learning states...

Another example that has caused some confusion:

interface Port-channel1
description ETH_CHANN1
switchport trunk allowed vlan 3,223-225
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
ip dhcp snooping trust


In the above example you are allowing certain VLANs, but not removing others (there is no switchport trunk allowed vlan remove x, y, z). My research indicates a trunk link carries all VLANs that exist on a switch. I would write this as follows:

interface Port-channel1
description ETH_CHANN1
switchport trunk allowed vlan remove 1-1001
switchport trunk allowed vlan add 3, 223-225
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
ip dhcp snooping trust

Also, why would you disable portfast on a trunk port? Perhaps these are all things learned with experience... or a tech that doesn't know what they are doing.
 
You do one or the other when permitting VLANs across a trunk. So:

switchport trunk allowed vlan 2-799

Allows ONLY VLANs 2-799, you don't need the remove statement.

I don't understand what you're asking about portfast.
 
I can answer your question about PortFast. The reason you use PortFast on a switch is when you implement a new switch into a topology and you want it to transition immediately into a forwarding state instead of going through the STP process.

Directly from the cisco.com site

Cisco added the PortFast or fast-start feature. With this feature, the STP for this port assumes that the port is not part of a loop and immediately moves to the forwarding state and does not go through the blocking, listening, or learning states. This command does not turn STP off. This command makes STP skip a few initial steps (unnecessary steps, in this circumstance) on the selected port.

It's best practice to only use PortFast on a port with only one computer connected to it, as doing so with multiple computers can cause errors.


Here's another thing about PortFast, also taken from the Cisco site.

Caution: Never use the PortFast feature on switch ports that connect to other switches, hubs, or routers. These connections can cause physical loops, and spanning tree must go through the full initialization procedure in these situations. A spanning tree loop can bring your network down. If you turn on PortFast for a port that is part of a physical loop, there can be a window of time when packets are continuously forwarded (and can even multiply) in such a way that the network cannot recover.

Hope that helps you understand it better unless you need to know something else? Also, the point of PortFast is faster convergence.
 
More information to chew on:

Okay... why would you enable spanning-tree if you are using portfast?
One of the general reasons people use portfast is so DHCP clients can correctly obtain their leases when the port becomes active. Also, if you unplug a network cable and then plug it back in again you won't have to wait for spanning-tree to cycle through all the states again (>20 seconds for the old versions); it just starts forwarding immediately. I've seen people literally patch two wall-jacks together before (through an unmanaged switch), causing a loop. If spanning tree was running on those ports properly one of them would've transitioned to a blocking state and no harm would've occurred (even if portfast was enabled, although you'd have to hope it starts blocking before the broadcast storm locks up the switch).

Also, why would you disable portfast on a trunk port?
Any device that can forward messages (switches for example) should not have portfast enabled on the interface it is patched into to prevent loops from occurring.

Additionally, spanning-tree is usually "disabled" at the VLAN level if you don't want it running (a rare occasion). For instance if you have a flat (untagged) switch that only has one VLAN on it (native) and you don't want spanning tree to run at all you can just do a "no spann vlan 1". This is not a common configuration though in the Cisco world.

Generally if all your switches support it you can just do "spanning-tree mode rapid-pvst" and do "switchport host" for the ports that servers and such are plugged into. Let the protocol do the work for you. If you have a complex topology and "need" the root bridge to be somewhere specific then there are commands to inflate its priority and keep it from changing (more info than you need at this point I'm sure).
 
I made a mistake in regard to my question about portfast and trunk ports. Why would you use portfast with a trunk port?

I will respond in detail after I digest the other posts.
 
Why would you use portfast with a trunk port?
Generally that's not a good idea for reasons that people listed above. It's not "wrong" but something like CiscoWorks would report that as a "best practice deviation" I'm sure. I'd try to avoid that personally unless it was a dot1q trunk to a host that supported VLAN tagging (server virtualization hosts).
 
Q. Why would you use PortFast with a trunk port?

A. Caution: Never use the PortFast feature on switch ports that connect to other switches, hubs, or routers. These connections can cause physical loops, and spanning tree must go through the full initialization procedure in these situations. A spanning tree loop can bring your network down. If you turn on PortFast for a port that is part of a physical loop, there can be a window of time when packets are continuously forwarded (and can even multiply) in such a way that the network cannot recover.


Trunk ports are generally done between switches to other switches or from a switch to a router. You have no reason to use PortFast on a trunk port in general practice because of the answer above. I don't know what else there is to comprehend.
 
Message received. I brought in a CCIE to configure some network switches and then started to look over the configuration. Your explanation is consistent with my thoughts... I do comprehend what STP is and it's intended purpose. I wanted to seek clarification from the Hard Forum community before I make changes to a configuration done by an "expert." Thanks everyone for your feedback.
 
Furthermore, I learned about PortFast just this past Winter 2009 semester in CCNA 3. If that CCIE really did what you say he did, I shudder to think about the paper CCIEs out there pretending to be pros when an amateur like me, who isn't even Cisco certified, knows that basic thing.

It's possible that he just made a simple mistake; we all do. I'm sure that PortFast isn't used in very many situations, because 20 seconds isn't all that long to give a switch time to converge with the rest of the network. There aren't very many situations at all where you'd want to use PortFast anyway; the only reason to use PortFast is when you need IMMEDIATE convergence.

You might wanna ask him for his CCIE number (all CCIEs get one) and you can check it against Cisco's CCIE database to see if he's for real or just playing you.
 
Also, not all CCIEs are "routing and switching". That's not to mention the fact that a lot of people like to specialize, so even though they passed the tests they may not spend a lot of time focusing on things that don't interest them (I did my CCNP training a long time ago (BCRAN was in there lol) but really the work I do most of the time is more like a CCDP/CCSP, even though I never took the tests). Most CCIEs I've met are very busy, so he just might've glossed over something so trivial.

I've also met a lot of completely worthless people with tons of certs that couldn't troubleshoot a random live network if their life depended on it. They just take tests for a living.
 
Thanks for your feedback everyone. I am just trying to make sense of what the CCIE did so I can learn from it... don't want to bring him back if I don't have to.
 
There are several ways to set up switchports and the mode they're in will determine what configuration is used.

In IOS, if a port is in trunking mode, portfast will not enable on that port. It wasn't a "clean" (subjectively speaking) config on those ports but the CCIE did no harm with the command.
 
In IOS, if a port is in trunking mode, portfast will not enable on that port.

Actually, 'spanning-tree portfast trunk' at the interface level will enable portfast on a trunk. Not saying I subscribe to the theory of turning on portfast on a trunk but more of the point that you can enable portfast on a trunk if you really wanted to. Obviously from the sh run he posted of the port it's only spanning-tree portfast without the _trunk_ which means having it on the port does absolutely nothing and will not turn on spanning-tree on that port.
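As an added example (not code from this thread, from Cisco, or from any poster), here is a small Python audit that encodes two points made above: the bare `switchport trunk allowed vlan` form replaces the allowed list, so the remove/add rewrite proposed earlier is not equivalent to it, and a plain `spanning-tree portfast` on a `switchport mode trunk` interface does nothing unless the `trunk` keyword is present. The config text, interface names and VLAN numbers are constructed from the stanzas quoted in the thread; the function names and the finding wording are my own.

```python
import re

# Added example (not code from the thread or from Cisco): audit IOS
# interface stanzas for the trunk / PortFast points discussed above.
ALL_VLANS = frozenset(range(1, 4095))  # IOS default: a trunk carries every VLAN
_ALLOWED_RE = re.compile(
    r"^switchport trunk allowed vlan(?: (add|remove|except|all|none))?(?: (\S.*))?$")


def parse_interfaces(config):
    """{interface name: [sub-commands]}; a stanza runs from 'interface ...' to
    the next '!' or 'interface', so un-indented forum pastes parse too."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif line and current is not None:
            stanzas[current].append(line)
    return stanzas


def parse_vlan_list(spec):
    """'3, 223-225' -> {3, 223, 224, 225}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def allowed_vlans(lines):
    """Apply allowed-vlan commands in CLI order: the bare form replaces the
    list, add/remove/except modify it (a saved config shows only the result)."""
    allowed = set(ALL_VLANS)
    for line in lines:
        m = _ALLOWED_RE.match(line)
        if not m:
            continue
        verb, spec = m.groups()
        if verb in ("all", "none"):
            allowed = set(ALL_VLANS) if verb == "all" else set()
        elif not spec:
            continue  # malformed line, nothing to apply
        elif verb == "add":
            allowed |= parse_vlan_list(spec)
        elif verb == "remove":
            allowed -= parse_vlan_list(spec)
        elif verb == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(spec)
        else:
            allowed = parse_vlan_list(spec)
    return allowed


def audit_interface(lines):
    """Findings for one stanza; only trunk ports raise anything here."""
    findings = []
    if "switchport mode trunk" not in lines:
        return findings
    if "spanning-tree portfast" in lines:
        findings.append("'spanning-tree portfast' on a trunk has no effect "
                        "(IOS needs the 'trunk' keyword): clutter, not harm")
    if "spanning-tree portfast trunk" in lines:
        findings.append("PortFast forced on a trunk: STP skips listening/"
                        "learning on a link that can form a loop")
    if allowed_vlans(lines) == ALL_VLANS:
        findings.append("trunk carries all VLANs: no allowed-vlan pruning")
    return findings


def audit_config(config):
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config).items()}


# Constructed sample: the two stanzas quoted in the thread, trimmed, plus one
# uplink that uses the explicit 'portfast trunk' form.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/7
 switchport access vlan 343
 switchport mode access
 spanning-tree portfast
!
interface Port-channel1
 switchport trunk allowed vlan 3,223-225
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast
!
interface Port-channel2
 switchport mode trunk
 spanning-tree portfast trunk
!
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
```

Run as a script it prints one finding list per interface; `allowed_vlans` can also be fed the `remove 1-1001` / `add 3, 223-225` pair from earlier in the thread to see that VLANs 1002-4094 stay allowed, which is why the bare form is the one that actually restricts the trunk.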
 