Security Basics mailing list archives
Re: PortFast Question
From: Chris Moody <cmoody () qualcomm com>
Date: Tue, 28 Sep 2004 19:28:50 -0700 (PDT)
Actually, to correct the previous post, portfast does NOT discard speed/duplex negotiation. Portfast is used in situations where spanning-tree is not required on a switchport. If you are connecting a host (aka regular 'ol dumb pc or server system) to a switchport, there is no need to run an instance of spanning-tree protocol on that port. I have yet to see someone use their pc as a switch and cascade other machines under it topologically, but that's what BPDU guard is for. ;o) and is a topic for another conversation. Anyway, in switched networks, quite often you will have several switches cascaded onto each other...forming a tree (heirarchical topology model) of sorts. Spanning-tree is a protocol that is used in situations such as this to prevent switching loops from occurring. If you try to create "redundancy" in a layer-2 (switching ...remember) topology by interconnecting switches together with multiple links, you will create what is called a switching/bridging loop. There are TONS of docs online that illustrate and explain the details...so I'll not bother in this forum. At any rate, spanning-tree goes through several stages upon activation of a link. It is these stages (which can take up to 50 seconds to complete) that portfast was designed to circumvent. Portfast has -nothing- to do with duplex....port speed...etc. These parameters are passed via the physical layer via AUI and MII. This is highly dependent upon the card as well as the switchport. To answer the original post directly, in cases where there is a host connected to the switchport, you would actually want to use the "set port host" command (catOS) to disable trunking & channeling, and enable portfast. You do not want a normal host to have to wait approx a minute to come online as most machines make their DHCP requests during this time. Cheers, -Chris On Mon, 27 Sep 2004, Sec News wrote:
I read up on Port Fast @ http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800e46f2.html#11213 On that page I read "Spanning tree PortFast causes a switch or trunk port to enter the spanning tree forwarding state immediately, bypassing the listening and learning states. You can use PortFast on switch or trunk ports connected to a single workstation, switch, or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state." When I read this I thought it was referring to MAC Addresses not port speed. (I will be re-reading). Thanks for the clarification. I thought this because there are other options on the switch that allow you change the port speed manually between 10/100/Auto. The Ethernet port on the device is 10 only. I did test using port speeds set manually to auto, 10, and for good measure I tested 100 to be sure. None of those setting made any difference so I don't think the problem is related *only* to speed negotiation since I tested the port on the switch in 10 only mode. Enabling PortFast was the only setting that I found that allowed the device to work. I am still confused as to why. Any further help is greatly appreciated! Thanks On Mon, 27 Sep 2004 10:16:00 -0400, lordinfidel () directionweb com <lordinfidel () directionweb com> wrote:If I had to guess..... the proprietary hardware box is having a hard time using auto-negotiation. Here's what happens when you connect a device to a switch/hub, and both sides are set to auto-negotiate. The connecting device will try to connect at it's maximum speed and duplex. If the other side(in this case the switch) can understand the connecting device and hence agree at the speed and duplex, the connection is made. If it can not understand the connecting device, it says Hey I can't understand that connection request, try another... And they both go back and forth until a connection is made. Now there are times when a connection, "appears" to be made but you can not ping or it seems like the connection is really slow. That is because there are transmission errors due to the way each connection is expecting to receive the data. Now with portfast, you are removing auto-negotiation from the switch and you are telling the switch port "Do not attempt to auto-negotiate, assume the port is 100/Full and bring the port up as such". As far as protecting that port, you can lock that port down to the MAC address of the connecting device. Typically, for any static network device that you are using, (servers, routers, firewalls, etc), the network adapter on the device should be manually set for speed/duplex. Never leave it set to auto. -----Original Message----- From: Josh Sukol [mailto:secnews () gmail com] Sent: Friday, September 24, 2004 10:05 AM To: security-basics () securityfocus com Subject: PortFast Question I am running a small network using four Cisco Catalyst 2950 switches. I am in the process of configuring a new software package that uses some proprietary hardware that connects to the network via Ethernet. When plugged into the network the device would connect for a minute or two and than connectivity would drop (i.e. ping would fail, and the light on the switch would turn from green to amber) This pattern continued for as long as the device was plugged into the network. The cabling was checked and tested with other equipment and there were no other problems. After trying several other things I eventually started changing the ethernet port settings on the switch itself and found that by enabling portfast the device functioned fine. I have found very little information about port fast security issues. I was able to find and did read up on PortFast BPDU guard and potential DoS using malformed packets. Are there any other security issues that effect me enabling Portfast on specific ports that connect back to a single device? Are there any other ways to solve this problem that might allow me to sidestep this potential security issues all together? - Slightly Off Topic - If anyone knows why this behavior occurs and why enabling portfast fixes the connectivity issue I would be very interested to a hear an explanation. Thanks in advance for the wisdom! --------------------------------------------------------------------------- Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ----------------------------------------------------------------------------
Current thread:
- PortFast Question Josh Sukol (Sep 24)
- Re: PortFast Question John R. Morris (Sep 28)
- <Possible follow-ups>
- RE: PortFast Question Stephen W. Corey - 5535 (Sep 27)
- RE: PortFast Question Steve Fletcher (Sep 28)
- RE: PortFast Question LordInfidel (Sep 28)
- RE: PortFast Question JGrimshaw (Sep 28)
- Re: PortFast Question Maarten Claes (Sep 29)
- Re: PortFast Question Sec News (Sep 28)
- Re: PortFast Question Chris Moody (Sep 30)
- RE: PortFast Question David Gillett (Sep 29)
- RE: PortFast Question JGrimshaw (Sep 28)
- RE: PortFast Question Scherer, Brian (Sep 28)
- RE: PortFast Question LordInfidel (Sep 29)