Re: PortFast Question

[Chris Moody <cmoody () qualcomm com>]

Actually, to correct the previous post, portfast does NOT discard
speed/duplex negotiation.

Portfast is used in situations where spanning-tree is not required on a
switchport.  If you are connecting a host (aka regular 'ol dumb pc or
server system) to a switchport, there is no need to run an instance of
spanning-tree protocol on that port.  I have yet to see someone use their
pc as a switch and cascade other machines under it topologically, but
that's what BPDU guard is for. ;o) and is a topic for another
conversation.

Anyway, in switched networks, quite often you will have several switches
cascaded onto each other...forming a tree (heirarchical topology model) of
sorts.  Spanning-tree is a protocol that is used in situations such as
this to prevent switching loops from occurring. If you try to create
"redundancy" in a layer-2 (switching ...remember) topology by
interconnecting switches together with multiple links, you
will create what is called a switching/bridging loop.  There are TONS of
docs online that illustrate and explain the details...so I'll not bother
in this forum.

At any rate, spanning-tree goes through several stages upon activation of
a link.  It is these stages (which can take up to 50 seconds to complete)
that portfast was designed to circumvent.

Portfast has -nothing- to do with duplex....port speed...etc.

These parameters are passed via the physical layer via AUI and MII.  This
is highly dependent upon the card as well as the switchport.

To answer the original post directly, in cases where there is a host
connected to the switchport, you would actually want to use the "set port
host" command (catOS) to disable trunking & channeling, and enable
portfast.  You do not want a normal host to have to wait approx a minute
to come online as most machines make their DHCP requests during this time.


Cheers,
-Chris



On Mon, 27 Sep 2004, Sec News wrote:

> I read up on Port Fast  @
> http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800e46f2.html#11213
>
> On that page I read
>
> "Spanning tree PortFast causes a switch or trunk port to enter the
> spanning tree forwarding state immediately, bypassing the listening
> and learning states.
>
> You can use PortFast on switch or trunk ports connected to a single
> workstation, switch, or server to allow those devices to connect to
> the network immediately, instead of waiting for the port to transition
> from the listening and learning states to the forwarding state."
>
> When I read this I thought it was referring to MAC  Addresses not port
> speed. (I will be re-reading).  Thanks for the clarification.  I
> thought this because there are other options on the switch that allow
> you change the port speed manually between 10/100/Auto.  The Ethernet
> port on the device is 10 only.  I did test using port speeds set
> manually to auto, 10, and for good measure I tested 100 to be sure.
> None of those setting made any difference so I don't think the problem
> is related *only* to speed negotiation since I tested the port on the
> switch in 10 only mode.  Enabling PortFast was the only setting that I
> found that allowed the device to work.
>
> I am still confused as to why.  Any further help is greatly appreciated!
>
> Thanks
>
> On Mon, 27 Sep 2004 10:16:00 -0400, lordinfidel () directionweb com
> <lordinfidel () directionweb com> wrote:
> > If I had to guess.....  the proprietary hardware box is having a hard time
> > using auto-negotiation.
> >
> > Here's what happens when you connect a device to a switch/hub, and both
> > sides are set to auto-negotiate.
> >
> > The connecting device will try to connect at it's maximum speed and duplex.
> > If the other side(in this case the switch) can understand the connecting
> > device and hence agree at the speed and duplex, the connection is made.  If
> > it can not understand the connecting device, it says Hey I can't understand
> > that connection request, try another...
> >
> > And they both go back and forth until a connection is made.  Now there are
> > times when a connection, "appears" to be made but you can not ping or it
> > seems like the connection is really slow.  That is because there are
> > transmission errors due to the way each connection is expecting to receive
> > the data.
> >
> > Now with portfast, you are removing auto-negotiation from the switch and you
> > are telling the switch port "Do not attempt to auto-negotiate, assume the
> > port is 100/Full and bring the port up as such".
> >
> > As far as protecting that port, you can lock that port down to the MAC
> > address of the connecting device.
> >
> > Typically, for any static network device that you are using, (servers,
> > routers, firewalls, etc), the network adapter on the device should be
> > manually set for speed/duplex.  Never leave it set to auto.
> >
> >
> >
> >
> > -----Original Message-----
> > From: Josh Sukol [mailto:secnews () gmail com]
> > Sent: Friday, September 24, 2004 10:05 AM
> > To: security-basics () securityfocus com
> > Subject: PortFast Question
> >
> > I am running a small network using four Cisco Catalyst 2950 switches.
> > I am in the process of configuring a new software package that uses
> > some proprietary hardware that connects to the  network via Ethernet.
> > When plugged into the network the device would connect for a minute or
> > two and than connectivity would drop (i.e. ping would fail, and the
> > light on the switch would turn from green to amber)  This pattern
> > continued for as long as the device was plugged into the network.  The
> > cabling was checked and tested with other equipment and there were no
> > other problems.
> >
> > After trying several other things I eventually started changing the
> > ethernet port settings on the switch itself and found that by enabling
> > portfast the device functioned fine.  I have found very little
> > information about port fast security issues.  I was able to find and
> > did read up on PortFast BPDU guard and potential DoS using malformed
> > packets.  Are there any other security issues that effect me enabling
> > Portfast on specific ports that connect back to a single device?  Are
> > there any other ways to solve this problem that might allow me to
> > sidestep this potential security issues all together?
> >
> > - Slightly Off Topic -
> > If anyone knows why this behavior occurs and why enabling portfast
> > fixes the connectivity issue I would be very interested to a hear an
> > explanation.
> >
> > Thanks in advance for the wisdom!
> >
> > ---------------------------------------------------------------------------
> > Computer Forensics Training at the InfoSec Institute. All of our class sizes
> > are guaranteed to be 12 students or less to facilitate one-on-one
> > interaction with one of our expert instructors. Gain the in-demand skills of
> > a certified computer examiner, learn to recover trace data left behind by
> > fraud, theft, and cybercrime perpetrators. Discover the source of computer
> > crime and abuse so that it never happens again.
> >
> > http://www.infosecinstitute.com/courses/computer_forensics_training.html
> > ----------------------------------------------------------------------------