RE: PortFast Question

["Steve Fletcher" <safletcher () insightbb com>]

Actually, it sounds like the problem is that portfast is NOT enabled on.
The reason that some devices have problems when this is not enabled is due
to the system expecting the network connection up sooner.  With portfast
disabled, the switch will check for a loop BEFORE it enables the port.  This
increases the time before the port is enabled, which causes problems with
some devices.  When portfast IS enabled, the port is turned on and the
device is allowed access to the network, while in the background switch
continues to check for loops.  If a loop is then found, the port is
shutdown.

Also, because of the way portfast works, it IS possible to connect another
switch into a port with portfast enabled.  However, it is NOT RECOMMENDED.
If a switch is connected to a portfast enabled port and a loop is created,
this will cause problems on the network until the loop is detected and the
offending port is shutdown.  Therefore, any port that a switch is connected
to should have portfast disabled.

As for security issues, I don't know of any security issues that should
arise from the use of portfast.  The only possibility is for a limited time
Denial of Service attack by creating a loop, but once the switch discovers
the loop, it will take care of itself.  Now, disabling spanning tree
altogether is another story.  Doing that would allow someone to create a
loop that will last until you can find it and shutdown the offending port.

Hope this helps.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com

-----Original Message-----
From: Stephen W. Corey - 5535 [mailto:swc () wardandsmith com] 
Sent: Monday, September 27, 2004 7:03 AM
To: security-basics () securityfocus com
Subject: RE: PortFast Question

We run portfast on all Catalyst ports that connect to a "non-switch"
device, like PCs, servers, routers, etc. From what I saw, it works by
not listening for MAC addresses as long before going to "active" state.
I have never heard of any security issues by doing this. I believe Cisco
still recommends this mode for optimum performance. You can always use
Nessus (or some other up to date vuln scanner) to see if anything can be
exploited. 

As for why it happens, here's my thought. Because it's speeding up a
"natural" switch port process, weird things can happen. Depending on how
the device (i.e. PC hardware) acts on layer 2, it may need the "full"
startup procedure to be run. To me, portfast is a non-standard shortcut,
and it may  not work in every situation. As you probably read, you can't
plug a portfast port into a switch, so there could easily be other
devices it's incompatible with (Cisco can't test everything).
  

-----Original Message-----
From: Josh Sukol [mailto:secnews () gmail com] 
Sent: Friday, September 24, 2004 10:05 AM
To: security-basics () securityfocus com
Subject: PortFast Question

I am running a small network using four Cisco Catalyst 2950 switches. 
I am in the process of configuring a new software package that uses some
proprietary hardware that connects to the  network via Ethernet. 
When plugged into the network the device would connect for a minute or
two and than connectivity would drop (i.e. ping would fail, and the
light on the switch would turn from green to amber)  This pattern
continued for as long as the device was plugged into the network.  The
cabling was checked and tested with other equipment and there were no
other problems.

After trying several other things I eventually started changing the
ethernet port settings on the switch itself and found that by enabling
portfast the device functioned fine.  I have found very little
information about port fast security issues.  I was able to find and did
read up on PortFast BPDU guard and potential DoS using malformed
packets.  Are there any other security issues that effect me enabling
Portfast on specific ports that connect back to a single device?  Are
there any other ways to solve this problem that might allow me to
sidestep this potential security issues all together?

- Slightly Off Topic -
If anyone knows why this behavior occurs and why enabling portfast fixes
the connectivity issue I would be very interested to a hear an
explanation.


Thanks in advance for the wisdom!

------------------------------------------------------------------------
---
Computer Forensics Training at the InfoSec Institute. All of our class
sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand
skills of
a certified computer examiner, learn to recover trace data left behind
by
fraud, theft, and cybercrime perpetrators. Discover the source of
computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------
----