Lab 2.4

The document describes configuring Rapid PVST+, Portfast, and BPDUGuard on switches. It has instructions to configure primary and secondary root bridges, examine PVST+ convergence, and configure Rapid PVST+ to compare convergence speeds. Edge ports are configured with Portfast to immediately transition to forwarding and BPDUGuard to prevent edge ports from receiving BPDUs.

Uploaded by

Riia Pangilinan
Lab 2.4 – Configuring Rapid PVST+, Portfast and BPDUGuard

Addressing Table
Device   Interface   IP Address     Subnet Mask
PC-A     NIC         192.168.10.1   255.255.255.0
PC-C     NIC         192.168.10.2   255.255.255.0

Objectives
Part 1: Build the Network and Configure Device Initial Settings
Part 2: Configure the Root Bridge and Examine PVST+ Convergence
Part 3: Configure Rapid PVST+, PortFast, BPDU Guard, and Examine Convergence

Background / Scenario
Rapid PVST+ (IEEE 802.1w) is an enhanced version of PVST+ and allows for faster spanning-tree
calculations and convergence in response to Layer 2 topology changes. Rapid PVST+ defines three port
states: discarding, learning, and forwarding, and provides multiple enhancements to optimize network
performance.
In this lab, you will configure the primary and secondary root bridge, examine PVST+ convergence, configure
Rapid PVST+ and compare its convergence to PVST+. In addition, you will configure edge ports to transition
immediately to a forwarding state using PortFast and prevent the edge ports from forwarding BPDUs using
BPDU guard.

Part 1: Build the Network and Configure Basic Device Settings


Step 1: Cable the network as shown in the topology.

Step 2: Configure PC hosts.


Assign PC IP addresses and subnet according to the addressing table.

© 2024 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 7
Lab – Configuring and Verifying Standard IPv4 ACLs

Step 3: Configure basic and VLAN settings for each switch.


a. Configure switch host names.
b. Configure VLANs and trunks on switches.
   1) Use the appropriate commands to create VLAN 10 on all of the switches. Name VLAN 10 as User.
   2) Configure S1 F0/6 and S3 F0/18 as access ports and assign them to VLAN 10.
   3) Configure ports F0/1 and F0/3 on all switches as trunk ports.

Step 4: Test host connectivity


Perform a ping test from PC-A to PC-C. If unsuccessful, troubleshoot network settings as necessary.

Part 2: Configure the Root Bridge and Examine PVST+ Convergence


In Part 2, you will determine the default root in the network, assign the primary and secondary root, and
examine convergence of PVST+.

Step 1: Configure a primary and secondary root bridge for all existing VLANs.
a. Configure switch S2 to be the primary root bridge for all existing VLANs.
What command/s are needed to accomplish this?

spanning-tree vlan 1 root primary
spanning-tree vlan 10 root primary

b. Configure switch S1 to be the secondary root bridge for all existing VLANs.
What command/s are needed to accomplish this?

spanning-tree vlan 1 root secondary
spanning-tree vlan 10 root secondary

c. Wait for the network spanning tree to converge then observe the state of the network links.

Which interface in the network is currently in a blocking state? S3 fa0/3

Step 2: Change the Layer 2 topology and examine convergence.


To examine PVST+ convergence, you will create a Layer 2 topology change and monitor the progression of
spanning-tree events.
a. Create a topology change by disabling interface F0/1 on S3.
S3(config)# interface f0/1
S3(config-if)# shutdown
S3(config-if)# end

b. Immediately afterwards, issue the show spanning-tree command on S3 every 15 seconds to observe
changes in port states.
S3#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     00E0.B096.BB8C
             Cost        38
             Port        3(FastEthernet0/3)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00E0.A3AB.D3E6
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/3            Root LSN 19        128.3    P2p

S3#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     00E0.B096.BB8C
             Cost        38
             Port        3(FastEthernet0/3)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00E0.A3AB.D3E6
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/3            Root LRN 19        128.3    P2p

S3#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     00E0.B096.BB8C
             Cost        38
             Port        3(FastEthernet0/3)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00E0.A3AB.D3E6
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/3            Root FWD 19        128.3    P2p

Which port states did F0/3 transition through during network convergence?

BLK to LSN (blocking to listening state), LSN to FWD (listening to forward state).

Approximately how long did it take the network to converge and ports to settle in forwarding state after the
topology change?

Approximately 20 seconds.

Part 3: Configure Rapid PVST+, PortFast, BPDU Guard, and Examine Convergence

In Part 3, you will configure Rapid PVST+ on all switches. You will configure PortFast and BPDU guard on all
access ports, and then observe the speed at which Rapid PVST+ converges after a topology change.

Step 1: Configure Rapid PVST+.


a. Configure the switches to use Rapid PVST+ mode for their spanning trees. Note that there is no need to
reconfigure the bridge priority settings since the previously configured commands are also applied to
Rapid-PVST+ mode.
S1(config)#spanning-tree mode rapid-pvst

S2(config)#spanning-tree mode rapid-pvst

S3(config)#spanning-tree mode rapid-pvst

b. Verify configurations using the show spanning-tree command.


S1# show spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     00E0.B096.BB8C
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00E0.A3AB.D3E6
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/3            Altn BLK 19        128.3    P2p


Step 2: Examine Rapid PVST+ convergence.


Create a topology change by enabling interface F0/1 on switch S3 and observe the time for ports to be fully
operational.
S3(config)# interface f0/1
S3(config-if)# no shutdown
How does the convergence time of Rapid PVST+ compare with PVST+ when responding to a topology
change?

Rapid PVST supersedes the original PVST by increasing the speed of spanning tree calculation.

Step 3: Configure PortFast on access ports.


PortFast is a feature of spanning tree that transitions a port immediately to a forwarding state as soon as it is
turned on. This is useful in connecting hosts so that they can start communicating on the VLAN instantly,
rather than waiting on spanning tree.
a. Disconnect then reconnect PC-A on F0/6 of S1.
b. While the link indicator of S1 F0/6 is still orange, attempt to ping PC-C from PC-A.

What is the result of the ping test? Failed

c. After some time, the link indicator should turn green. Reattempt to ping PC-C from PC-A.

What is the result of the ping test? Successful

Why do you think there is a noticeable delay from the time that the PC is connected to the port before the
link becomes fully operational?

Initialization and negotiation processes between the PC and the port cause the delay.

d. Enable PortFast on S1 interface F0/6.


S1(config)#interface f0/6
S1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on FastEthernet0/6 but will only
have effect when the interface is in a non-trunking mode.

Step 4: Observe the effect of PortFast on access ports.


a. Disconnect then reconnect PC-A on F0/6 of S1 again then observe the interface link indicator.
How does the port behavior upon connection of a host compare to when Portfast was not enabled?

Using PortFast, the port transitions immediately to the forwarding state.


b. Attempt to ping PC-C from PC-A.

What is the result of the ping test? Successful

c. Using the show spanning-tree command on S1, view the status of F0/6.

What is the current port state of F0/6? FWD

Step 5: Configure BPDUGuard on access ports


A port that immediately transitions to a forwarding state can cause issues when a switch is accidentally or
intentionally connected to it because this can lead to an unwanted spanning tree topology change. The
BPDUGuard feature can be enabled to prevent ports that are configured with PortFast from forwarding
BPDUs which could change the spanning tree topology.
Enable BPDUGuard on S1 F0/6 since this port is intended for connection to end devices only.
S1(config)#interface f0/6
S1(config-if)#spanning-tree bpduguard enable

Step 6: Observe the effect of BPDUGuard on access ports.


a. Disconnect PC-A from S1 F0/6 and replace it with a switch. You may do so by adding a new switch to the
topology and connecting any of its ports to S1 F0/6.
Observe and describe what happens to S1 F0/6 when the new switch was connected:

Port Fa0/6 was blocked and disabled, then a red link light appeared between S1 and the additional
switch.

b. Check the status of S1 F0/6 using the show interface command.


S1#show interface f0/6
FastEthernet0/6 is down, line protocol is down (err-disabled)
  Hardware is Lance, address is 0010.118a.6406 (bia 0010.118a.6406)
  BW 100000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:08, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     956 packets input, 193351 bytes, 0 no buffer
     Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     2357 packets output, 263570 bytes, 0 underruns
     0 output errors, 0 collisions, 10 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

What is the status of the F0/6 interface?

Down, err-disabled

Reflection
1. Why would the faster convergence time of Rapid-PVST+ be considered an advantage over PVST+?

Rapid-PVST+ offers faster convergence time by using a rapid spanning tree protocol, providing quicker
network recovery in the event of topology changes compared to the slower convergence of PVST+.

2. Why is it considered a security risk to enable Portfast on access ports without enabling BPDUGuard as well?

Enabling Portfast without BPDUGuard on access ports may pose a security risk by allowing unauthorized
switches to introduce loops into the network without being detected.
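
The condition raised in Reflection 2 (PortFast enabled on an access port with no BPDU Guard) can be checked across a saved running-config. The script below is an added example, not part of the lab: the sample config and the names `parse_config` and `audit_edge_ports` are constructed for illustration. It goes beyond the lab's per-interface commands by also honouring the IOS global defaults `spanning-tree portfast default` and `spanning-tree portfast bpduguard default`, and it assumes access ports are declared with `switchport mode access`.

```python
import re

# Constructed sample (not from the lab): Fa0/6 is S1 after Step 3, before Step 5.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport mode access
 spanning-tree portfast
!
"""

def parse_config(config):
    """Hypothetical helper: split a running-config into global and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:  # "!" separators and global commands end the interface block
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit_edge_ports(config):
    """Return access ports where PortFast is active but BPDU Guard is not."""
    global_lines, interfaces = parse_config(config)
    has = lambda pattern, lines: any(re.fullmatch(pattern, l) for l in lines)
    pf_default = has(r"spanning-tree portfast (edge )?default", global_lines)
    bg_default = has(r"spanning-tree portfast (edge )?bpduguard default", global_lines)
    flagged = []
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # only explicitly configured access ports are audited
        portfast = "spanning-tree portfast disable" not in cmds and (
            pf_default or has(r"spanning-tree portfast( edge)?", cmds))
        guard = "spanning-tree bpduguard enable" in cmds or (  # global default covers PortFast ports
            bg_default and portfast and "spanning-tree bpduguard disable" not in cmds)
        if portfast and not guard:
            flagged.append(name)
    return flagged
```

Calling `audit_edge_ports(SAMPLE_CONFIG)` flags only FastEthernet0/6; the same port is no longer reported once `spanning-tree bpduguard enable` is added to it, as in Step 5.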
