Re: PortFast Question
From: John R. Morris (jrmorris_at_nerdality.com)
Date: 09/27/04
- Previous message: Rob Hughes: "Something new in my inbox"
- In reply to: Josh Sukol: "PortFast Question"
- Next in thread: Scherer, Brian: "RE: PortFast Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 27 Sep 2004 17:03:09 -0400
To: Josh Sukol <secnews@gmail.com>
Josh Sukol wrote:
>I am running a small network using four Cisco Catalyst 2950 switches.
>I am in the process of configuring a new software package that uses
>some proprietary hardware that connects to the network via Ethernet.
>When plugged into the network the device would connect for a minute or
>two and then connectivity would drop (i.e. ping would fail, and the
>light on the switch would turn from green to amber). This pattern
>continued for as long as the device was plugged into the network. The
>cabling was checked and tested with other equipment and there were no
>other problems.
>
>After trying several other things I eventually started changing the
>Ethernet port settings on the switch itself and found that by enabling
>PortFast the device functioned fine. I have found very little
>information about PortFast security issues. I was able to find and
>did read up on PortFast BPDU guard and potential DoS using malformed
>packets. Are there any other security issues that affect me enabling
>PortFast on specific ports that connect back to a single device? Are
>there any other ways to solve this problem that might allow me to
>sidestep these potential security issues altogether?
>
The only potential security problems are:
1. That the port you enable PortFast on connects to a switch or hub which
then gets connected back to your network, creating a loop and lots of
problems...
2. Implementation flaws (usually DoS, which you noted above already).
>- Slightly Off Topic -
>If anyone knows why this behavior occurs and why enabling PortFast
>fixes the connectivity issue I would be very interested to hear an
>explanation.
>
Ok, so what PortFast, the wonder Cisco (TM) technology, does is bypass
Spanning Tree's normal mode of blocking, learning and then forwarding
for a host device. (Spanning Tree is the nifty Layer 2 stuff that blocks
loops in your network but still allows redundant connections: when the
active link goes down it switches on the blocked one, if applicable,
keeping things flowing on your network even though part of it failed.
So it protects against idiots who would create loops and uses your
useful redundancies effectively.) You can also do it, though it ain't
recommended, for a hub or switch of only hosts that is never going to
get plugged in twice. Better to not enable PortFast any time you see
multiple MACs from a port unless you know A) they're all from one
machine or B) you have absolute confidence/control of that hub or
switch and will never run the risk of a loop.
Essentially host devices (PCs, printers, alien doodads with an Ethernet
jack, whatever) like to forward their packets. Having 30 seconds or so
where the packets are being blocked and MAC addresses learned and such
is not useful. PortFast spares you that (obviously, the switch still
sees the packets and learns the MAC address, but without the
safety-first blocking of a potential loop). It's a good thing. Do it on
all your host ports.
Other things to check with odd host connectivity include (but are not
limited to) duplex/speed mismatches between port and device (some cards
don't play well with Cisco's autodetection, or vice versa, depending on
your viewpoint), a bad Ethernet card, a bad switchport (check the error
counters), a bad OS kernel driver for the Ethernet card (check for
patches), or cabling problems (test/replace/test).
Other cool technologies by Cisco such as VMPS toss the first packet (it
has to read it in order to assign the VLAN membership dynamically; now
why it can't store it and send it on after it does that beats me...).
Most hosts can tolerate losing their first packet as they come up. If
not, you can do things like embed a single ping command in the startup
right after the network comes up so your lost packet is not of any
consequence. There are tons of important things to know, like PortFast,
to properly configure a switch for good performance so it doesn't give
you fits. You'll be surprised once you make those configuration changes
how much better things work. Of course, then you have to keep copies of
your no-longer-default configs, and pretty soon you are sucked deep into
the world of networking.
Anyway, this is just off the hip; Google will of course provide tons
more reference on PortFast, Spanning Tree and such, better written than
I could possibly manage, but the above is correct to the best of my memory.
HTH,
John "If you have a job for a sysadmin / network admin in North Carolina
e-mail me" Morris
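A configuration to go with the advice in the reply above. This is an added example, not part of John's message, Josh's question or any Cisco documentation; it uses Catalyst IOS syntax of the 2950 era as I remember it, and the interface name (FastEthernet0/1), the recovery interval and the choice of port-security options are my assumptions, so check each command against your own software release with `?` before pasting. The first interface block is the bare change that made Josh's device work; the second is what I would actually put on a port that connects back to a single device, so that the loop case (John's item 1) and the "multiple MACs from a port" case are both caught by the switch rather than by someone noticing later.

```cisco
! --- weak: PortFast alone (fixes the symptom, leaves the loop risk) ---
! The port skips the STP listening/learning delay. If a hub or a second
! switch is ever patched into it, the port forwards into a loop before
! Spanning Tree has had a chance to block it.
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast

! --- hardened: PortFast + BPDU guard + port security ---
! BPDU guard err-disables the port the moment a BPDU arrives, i.e. the
! moment another switch appears on it, which covers John's item 1.
! Port security caps the port at one learned MAC, so a hub full of hosts
! trips it as well; "sticky" keeps the first MAC across reloads (drop the
! sticky line if your release does not support it).
interface FastEthernet0/1
 description single proprietary device; host port only
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
! If the device's NIC and the switch do not agree on autonegotiation
! (the duplex/speed mismatch John mentions), pin both ends explicitly:
! speed 100
! duplex full

! --- global: apply BPDU guard to every PortFast port by default, and
! let an err-disabled port recover after 5 minutes so a one-off event is
! not a trip to the wiring closet (omit the recovery lines if you prefer
! to re-enable ports by hand after looking at them).
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! --- verification, including the "odd host connectivity" checks ---
show spanning-tree interface FastEthernet0/1 portfast
show spanning-tree summary
show interfaces FastEthernet0/1 | include duplex|errors|collisions
show port-security interface FastEthernet0/1
show interfaces status err-disabled
```

The `show interfaces` filter is the quick duplex-mismatch check: a port reporting half duplex, or climbing late collision and CRC counters while the other side shows full duplex, points at autonegotiation rather than at PortFast. `show interfaces status err-disabled` is where a BPDU-guard or port-security trip shows up, which is also the thing to look at first if a "hardened" port goes amber after someone plugs a desktop switch into it.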