Convergence of Port Security

Convergence occurs when all ports on bridges and switches have transitioned to either forwarding or blocking modes. No data will be forwarded until convergence is complete, and before data can begin being forwarded again, all devices must be updated. When STP is converging, all host data stops transmitting! So if you want to remain on speaking terms with your network’s users (or remain employed for any length of time), you positively must make sure that your switched network is physically designed really well so that STP can converge quickly. You do this by creating your physical switch design in a hierarchical manner and making the core switch the STP root for the fastest STP convergence.

Convergence is truly important because it ensures that all devices have the same database. It usually takes 50 seconds to go from blocking to forwarding mode, and I don’t recommend changing the default STP timers. (But you can adjust those timers if necessary.)

To address this hitch, you can disable spanning tree on individual ports using PortFast.

  • Spanning Tree PortFast

    If you have a server or other devices connected into your switch that you’re totally sure won’t create a switching loop if STP is disabled, you can use something called portfast on these ports. Using it means the port won’t spend the usual 50 seconds to come up into forwarding mode while STP is converging.

    Switch(config-if)#spanning-tree portfast ?
      disable  Disable portfast for this interface
      trunk    Enable portfast on the interface even in trunk mode
      <cr>

    Switch(config-if)#spanning-tree portfast
    %Warning: portfast should only be enabled on ports connected to a single
    host. Connecting hubs, concentrators, switches, bridges, etc... to this
    interface when portfast is enabled, can cause temporary bridging loops.
    Use with CAUTION

    %Portfast has been configured on FastEthernet0/1 but will only
    have effect when the interface is in a non-trunking mode.


    Portfast is enabled on port f0/1, but notice that you get a pretty long message telling you to be careful. One last helpful interface command I want to tell you about is the range command, which you can use on switches to help you configure multiple ports at the same time.

    Switch(config)#int range fastEthernet 0/1 - 12
    Switch(config-if-range)#spanning-tree portfast

    The preceding range command allows me to set all 12 of my switch ports into portfast mode by typing in one command and then simply pressing the Enter key. Sure hope I didn’t create any loops! Again, just be super careful with the portfast command.

  • Spanning Tree UplinkFast

    UplinkFast is a Cisco-specific feature that improves the convergence time of STP in case of a link failure. UplinkFast allows a switch to find alternate paths to the root bridge before the primary link fails. This means that if the primary link fails, the secondary link would come up more quickly; the port wouldn’t wait for the normal STP convergence time of 50 seconds. So if you’re running 802.1d STP and you have redundant links on your Access layer switches, you definitely want to turn on UplinkFast.

  • Spanning Tree BackboneFast

    Unlike UplinkFast, which is used to determine and quickly fix link failures on the local switch, another Cisco-proprietary STP extension called BackboneFast is used for speeding up convergence when a link that’s not directly connected to the switch fails. If a switch running BackboneFast receives an inferior BPDU from its designated bridge, it knows that a link on the path to the root has failed. BackboneFast can save 20 seconds on the default 50-second STP convergence time.

  • Rapid Spanning Tree Protocol (RSTP) 802.1w

    Cisco created PortFast, UplinkFast, and BackboneFast to “fix” the holes and liabilities the IEEE 802.1d standard presented. The drawbacks to these enhancements are only that they are Cisco proprietary and need additional configuration. But the new 802.1w standard (RSTP) addresses all these “issues” in one tight package. It’s important that you make sure all the switches in your network are running the 802.1w protocol for 802.1w to work properly! But RSTP actually can interoperate with legacy STP protocols. Just know that the inherently fast convergence ability of 802.1w is lost when it interacts with legacy bridges.


Instead of having redundant links and allowing STP to put one of the links in BLK (blocked) mode, we can bundle the links and create a logical aggregation so that our multiple links will then appear as a single one. Doing this still provides the same redundancy as STP. There’s the Cisco version of EtherChannel and the IEEE version: Cisco’s version is called Port Aggregation Protocol (PAgP), and the IEEE 802.3ad standard is called Link Aggregation Control Protocol (LACP).

Port Security

So just how do you stop someone from simply plugging a host into one of your switch ports or, worse, adding a hub, switch, or access point into the Ethernet jack in their office? By default, MAC addresses will just dynamically appear in your MAC forward/filter database. You can stop them in their tracks by using port security. Here are your options:

Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport port-security ?
  aging           Port-security aging commands
  mac-address     Secure mac address
  maximum         Max secure addresses
  violation       Security violation mode
  <cr>

Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security violation shutdown
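
A configuration audit tying together the PortFast warning and the port-security commands above, as an added example (not from the original page). It flags PortFast on ports that are not fixed to access mode, and port-security options entered without the bare `switchport port-security` command, which is what actually turns the feature on in IOS. The sample configuration, the function names, and the policy that every PortFast host port should also carry port security are assumptions made for illustration.

```python
# Constructed interface configuration for illustration (not from the page).
SAMPLE = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 spanning-tree portfast
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/3
 switchport mode trunk
 spanning-tree portfast trunk
interface FastEthernet0/4
 switchport mode access
 switchport port-security maximum 1
"""

def parse_interfaces(config):  # interface name -> list of sub-commands
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return ports

def audit(config):
    """Return (interface, finding) pairs; the policy is an assumption."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        access = "switchport mode access" in cmds
        portfast = any(c.startswith("spanning-tree portfast")
                       and not c.endswith("disable") for c in cmds)
        enabled = "switchport port-security" in cmds  # bare enabling command
        tuned = any(c.startswith("switchport port-security ") for c in cmds)
        if portfast and not access:
            findings.append((name, "portfast on a port not fixed to access mode"))
        if tuned and not enabled:
            findings.append((name, "port-security options set but feature not enabled"))
        elif access and portfast and not enabled:
            findings.append((name, "portfast host port without port-security"))
    return findings

if __name__ == "__main__":
    print(*(f"{n}: {f}" for n, f in audit(SAMPLE)), sep="\n")
```
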
