Security Basics mailing list archives

Re: PortFast Question


From: "John R. Morris" <jrmorris () nerdality com>
Date: Mon, 27 Sep 2004 17:03:09 -0400

Josh Sukol wrote:

I am running a small network using four Cisco Catalyst 2950 switches. I am in the process of configuring a new software package that uses some proprietary hardware that connects to the network via Ethernet. When plugged into the network the device would connect for a minute or two and then connectivity would drop (i.e. ping would fail, and the light on the switch would turn from green to amber). This pattern continued for as long as the device was plugged into the network. The cabling was checked and tested with other equipment and there were no other problems.

After trying several other things I eventually started changing the ethernet port settings on the switch itself and found that by enabling PortFast the device functioned fine. I have found very little information about PortFast security issues. I was able to find and did read up on PortFast BPDU guard and potential DoS using malformed packets. Are there any other security issues that affect me enabling PortFast on specific ports that connect back to a single device? Are there any other ways to solve this problem that might allow me to sidestep these potential security issues altogether?

The only potential security problems are:

1. That the port you enable PortFast on connects to a switch or hub which then gets connected back to your network, creating a loop and lots of problems...

2. Implementation flaws (usually DoS, which you noted above already).


- Slightly Off Topic - If anyone knows why this behavior occurs and why enabling PortFast fixes the connectivity issue I would be very interested to hear an explanation.

Ok, so what PortFast, the wonder Cisco (TM) technology, does is bypass SpanningTree's normal mode of blocking, learning and then forwarding for a host device (or even, though it ain't recommended, a hub or switch of only hosts that is never going to get plugged in twice; better to not enable PortFast any time you see multiple MACs from a port unless you know A) they're all from one machine or B) you have absolute confidence/control of that hub or switch and will never run the risk of a loop). SpanningTree is the nifty Layer 2 stuff that blocks loops in your network but still allows redundant connections, and when the active link goes down it switches on the blocked one if applicable, keeping things flowing on your network even though part of it failed. So it protects against idiots who would create loops and uses your useful redundancies effectively. Essentially host devices (PCs, printers, alien doodads with an ethernet jack, whatever) like to forward their packets. Having 30 seconds or so where the packets are being blocked and MAC addresses learned and such is not useful. PortFast spares you that (obviously, the switch still sees the packets and learns the MAC address, but without the safety-first blocking of a potential loop). It's a good thing. Do it on all your host ports.

Other things to check with odd host connectivity include (but are not limited to) duplex/speed mismatches between port and device (some cards don't play well with Cisco's autodetection, or vice versa, depending on your viewpoint), a bad ethernet card, a bad switchport (check the error counters), a bad OS kernel driver for the ethernet card (check for patches), or cabling problems (test/replace/test).

Other cool technologies by Cisco such as VMPS toss the first packet (it has to read it in order to assign the VLAN membership dynamically; now why it can't store it and send it on after it does that beats me...). Most hosts can tolerate losing their first packet as they come up. If not, you can do things like embed a single ping command in the startup right after the network comes up so your lost packet is not of any consequence. There are tons of important things to know, like PortFast, to properly configure a switch for good performance and not giving you fits. You'll be surprised once you make those configuration changes how much better things work. Of course, then you have to keep copies of your no-longer-default configs and pretty soon you are sucked in deep into the world of networking.

Anyway, this is just off the hip; Google will of course provide tons more reference on PortFast, SpanningTree and such, better written than I could possibly manage, but the above is correct to the best of my memory.

HTH,
John "If you have a job for a sysadmin / network admin in North Carolina e-mail me" Morris


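To make the two risks in John's reply concrete, here is an added Catalyst IOS configuration example (not from the thread and not a 2950-specific recommendation from Cisco) showing a host port with PortFast alone next to the same kind of port hardened with BPDU Guard and port security; the interface names, VLAN number and description are assumed:

```cisco
! Weak: PortFast alone on a host port. The port skips STP listening/learning,
! so a switch or hub accidentally plugged in here can form a loop before
! spanning tree gets a chance to block it (problem 1 in the reply above).
interface FastEthernet0/1
 description proprietary-device (assumed port)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Hardened: same PortFast behaviour, plus BPDU Guard so that any BPDU seen on
! the port (a switch, or a hub looping back into the network) err-disables it,
! and port security so that only one MAC address is accepted on the port,
! which catches the "multiple MACs from a port" case John warns about.
interface FastEthernet0/2
 description proprietary-device (assumed port)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Global alternative: apply BPDU Guard to every PortFast port at once, and let
! err-disabled ports recover automatically after the default timer so a
! one-off mistake does not need a manual shutdown / no shutdown.
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
!
! Checks (privileged EXEC) that line up with the troubleshooting advice above:
!   show spanning-tree interface FastEthernet0/2 portfast  (PortFast really on?)
!   show interfaces FastEthernet0/2 counters errors        (bad port or cabling)
!   show interfaces FastEthernet0/2 status                 (negotiated speed/duplex)
!   show port-security interface FastEthernet0/2           (MAC count, violations)
```

With BPDU Guard on, a port that goes amber after someone plugs in a second switch shows up as err-disabled rather than silently forming a loop, which is the behaviour you want to see in the logs.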