Port Fast
1. Introduction to PortFast
What is PortFast?
PortFast is a feature in Spanning Tree Protocol (STP) that significantly reduces the time it takes for a port to move into the Forwarding state. Normally, STP ports transition through Listening and Learnin states, causing a delay of up to 30 seconds before becoming active.
Imagine a scenario where a device such as a PC connects to the network. Having a delay of 30 seconds before being able to sent data will protocols like DHCP. By enabling PortFast, the port immediately transitions to the Forwarding state, ensuring quick connectivity.
Did you know? PortFast is particularly useful for access ports connected to end devices, as these are not expected to cause loops.
Key Advantages of PortFast
- Faster Device Initialization: Ideal for end-hosts like PCs, printers, and IP phones.
- Immediate Connectivity: Prevents issues with time-sensitive protocols like DHCP.
In the example below, a PC labeled PC1 is connected to the switch SW2 on port GigabitEthernet0/2. Enabling PortFast allows the port to bypass intermediate states and transition directly to the Forwarding state, enabling traffic flow almost instantly.
2. Configuring PortFast
PortFast can be configured on individual interfaces or globally for all access ports. Let’s explore each method.
Enabling PortFast on an Individual Interface
A PC (PC1) is connected to switch SW2 on port GigabitEthernet0/2. To ensure fast connectivity, we enable PortFast on this port.
Configuration Steps
- Access the interface configuration mode:
SW2# configure terminal SW2(config)# interface GigabitEthernet0/2
2. Enable PortFast:
SW2(config-if)#spanning-tree portfast %Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION %Portfast has been configured on GigabitEthernet0/2 but will only have effect when the interface is in a non-trunking mode.
Warning: PortFast should only be enabled on ports connected to devices like PCs or printers. Enabling it on inter-switch links can create loops.
Verifying PortFast
After configuring PortFast, you can verify its status with the following command:
SW2#show spanning-tree interface g0/2 detail
Port 3 (GigabitEthernet0/2) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.3.
Designated root has priority 32769, address 50e2.aa04.6b00
Designated bridge has priority 32769, address 50e2.aa04.6b00
Designated port id is 128.3, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast edge mode
Link type is point-to-point by default
BPDU: sent 82, received 0
Notice the line: “The port is in the portfast edge mode.” This confirms that PortFast is active on the interface.
Disable PortFast on an Individual Interface
To disable PortFast on an interface, use the following commands:
SW2(config)#int g0/2 SW2(config-if)#spanning-tree portfast disable
If you verify the interface again, you’ll see that PortFast is no longer mentioned:
SW2#show spanning-tree interface g0/2 detail Port 3 (GigabitEthernet0/2) of VLAN0001 is designated forwarding Port path cost 4, Port priority 128, Port Identifier 128.3. Designated root has priority 32769, address 50e2.aa04.6b00 Designated bridge has priority 32769, address 50e2.aa04.6b00 Designated port id is 128.3, designated path cost 0 Timers: message age 0, forward delay 0, hold 0 Number of transitions to forwarding state: 1 Link type is point-to-point by default BPDU: sent 124, received 0
PortFast is now disabled for this interface.
Enabling PortFast Globally
In addition to enabling PortFast on individual interfaces, you can also enable it globally. When enabled globally, all access ports on the switch will automatically be configured as PortFast ports.
We have two switches, SW2 and SW3, each with end-user devices connected. We’ll enable PortFast globally on both switches.
Configuration Steps
- Enable PortFast Globally on SW2 and SW3:
From global configuration mode, use the following command:
SW2(config)#spanning-tree portfast default %Warning: this command enables portfast by default on all interfaces. You should now disable portfast explicitly on switched ports leading to hubs, switches and bridges as they may create temporary bridging loops.
SW3(config)#spanning-tree portfast default %Warning: this command enables portfast by default on all interfaces. You should now disable portfast explicitly on switched ports leading to hubs, switches and bridges as they may create temporary bridging loops.
Verifying PortFast
After applying this command, you can verify the configuration:
SW2#show spanning-tree interface g0/2 detail
Port 3 (GigabitEthernet0/2) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.3.
Designated root has priority 32769, address 50e2.aa04.6b00
Designated bridge has priority 32769, address 50e2.aa04.6b00
Designated port id is 128.3, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast edge mode by default
Link type is point-to-point by default
BPDU: sent 1174, received 0
SW3#show spanning-tree interface g0/2 detail
Port 3 (GigabitEthernet0/2) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.3.
Designated root has priority 32769, address 50d5.ff04.6d00
Designated bridge has priority 32769, address 50d5.ff04.6d00
Designated port id is 128.3, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast edge mode by default
Link type is point-to-point by default
BPDU: sent 264, received 0
- Notice that the port is now automatically in portfast edge mode, as indicated in the output.
PortFast on a Trunk Interface
There are specific cases where we can safely use PortFast on trunk ports. Let’s look at our topology to understand these scenarios.
Virtualization Server
In the topology, we have a virtualization server connected to our switch. This server hosts multiple virtual machines, each assigned to different VLANs. To support this, the interface connecting the virtualization server to the switch must operate in trunk mode, as it needs to carry traffic for multiple VLANs.
Since the virtualization server is not a switch, it does not send BPDUs. As a result, we can safely apply PortFast trunk on this interface to allow the port to immediately transition to the Forwarding state by skipping the Listening and Learning stages of STP. This ensures fast connectivity for the virtual machines.
Router-on-a-Stick
Another case is the router-on-a-stick setup. The router is connected to the switch via a trunk port to handle inter-VLAN routing. Since the router also does not send BPDUs, we can enable PortFast trunk on the interface connecting the router to the switch. This allows the port to immediately start forwarding traffic without waiting for the STP transitions, ensuring efficient data flow between VLANs.
Configuration Steps
To configure PortFast on a trunk port, it must be done on a per-interface basis using the command spanning-tree portfast trunk.
Router-on-a-Stick Port Configuration
SW2(config)#int g0/0 SW2(config-if)#spanning-tree portfast trunk %Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
Virtualization Server Port Configuration
SW2(config)#int g0/2 SW2(config-if)#spanning-tree portfast trunk %Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
Verifying PortFast Trunk
Router-on-a-Stick Port Verification
SW2#show spanning-tree interface g0/0 detail Port 1 (GigabitEthernet0/0) of VLAN0001 is designated forwarding Port path cost 4, Port priority 128, Port Identifier 128.1. Designated root has priority 32769, address 50e2.aa04.6b00 Designated bridge has priority 32769, address 50e2.aa04.6b00 Designated port id is 128.1, designated path cost 0 Timers: message age 0, forward delay 0, hold 0 Number of transitions to forwarding state: 1 The port is in the portfast edge trunk mode Link type is point-to-point by default BPDU: sent 3787, received 0
In the output above, you can see the line “The port is in the portfast edge trunk mode”, which confirms that PortFast trunk is successfully enabled on the interface. This ensures the port bypasses the Listening and Learning states and transitions directly to the Forwarding state, allowing traffic to flow immediately.
Virtualization Server Port Verification
SW2#show spanning-tree interface g0/2 detail Port 3 (GigabitEthernet0/2) of VLAN0001 is designated forwarding Port path cost 4, Port priority 128, Port Identifier 128.3. Designated root has priority 32769, address 50e2.aa04.6b00 Designated bridge has priority 32769, address 50e2.aa04.6b00 Designated port id is 128.3, designated path cost 0 Timers: message age 0, forward delay 0, hold 0 Number of transitions to forwarding state: 1 The port is in the portfast edge trunk mode Link type is point-to-point by default BPDU: sent 3789, received 0
Similarly, for the virtualization server, the line “The port is in the portfast edge trunk mode” confirms that PortFast trunk is active on this port.
3. PortFast Edge
Now that we have seen how to configure PortFast on individual interfaces and globally, let’s explore an interesting detail about its behavior.
When we configure PortFast on an individual interface, such as GigabitEthernet0/2, using the command spanning-tree portfast:
SW2# configure terminal SW2(config)# interface GigabitEthernet0/2 SW2(config-if)#spanning-tree portfast
After applying this command, if we review the running configuration, the spanning-tree portfast command is automatically updated to spanning-tree portfast edge, indicating that the port is operating in edge mode:
SW2#show run int g0/2 Building configuration... Current configuration : 107 bytes ! interface GigabitEthernet0/2 switchport mode access negotiation auto spanning-tree portfast edge end
Edge Mode
By default, PortFast operates in edge mode, which is designed for ports connected directly to end devices (like PCs). These ports are considered safe because they cannot create bridging loops. As a result, they immediately transition to the Forwarding state, skipping the usual Listening and Learning stages of STP.
Key Points:
- The edge keyword is automatically added when PortFast is enabled, even if you don’t explicitly configure it.
- Edge mode is the default mode of PortFast.
- Other modes, such as network mode, exist but are beyond the scope of the CCNA exam. For CCNA, focus on edge mode.
- In certain simulators, like Packet Tracer, the edge keyword may not appear in the running configuration so don’t worry.
Command Examples
Here are some examples to demonstrate how PortFast is reflected in the running configuration:
- Enabling PortFast on an interface:
SW1(config-if)# spanning-tree portfast Building configuration... Current configuration : 107 bytes ! interface GigabitEthernet0/2 switchport mode access negotiation auto spanning-tree portfast edge end
Running configuration:
spanning-tree portfast edge
2. Enabling PortFast on a trunk interface:
SW1(config-if)# spanning-tree portfast trunk
Running configuration:
spanning-tree portfast edge trunk
3. Enabling PortFast globally:
SW1(config-if)# spanning-tree portfast default
Running configuration:
spanning-tree portfast edge
If you don’t specify edge mode, the edge keyword will always appear in the running configuration.
The only exception is when you disable PortFast:
- Disabling PortFast on individual interface:
SW1(config-if)# spanning-tree portfast disable
Behavior of Edge Ports
Important: While PortFast (edge) ports immediately forward traffic, they still listen for BPDUs. If a BPDU is detected, the port automatically loses its edge status and reverts to normal STP behavior. This ensures the network is protected against potential loops.
While PortFast improves startup times, it introduces potential risks if malicious users send unauthorized BPDUs. This highlights the need for additional protection mechanisms.
4. Conclusion: The Need for BPDU Guard
PortFast should only be configured on access ports connected to end-user devices like PCs or phones—not on ports connected to other switches. These ports are not expected to receive BPDUs, but a malicious user could exploit this by sending BPDUs to compromise the STP topology.
BPDU Guard addresses this vulnerability by immediately disabling any PortFast-enabled port that receives a BPDU. This ensures the port remains secure and the STP topology is not disrupted.
In the next course, we’ll explore how BPDU Guard protects the STP topology from vulnerabilities!