Should PortFast and BPDU Guard be enabled on the port connecting to the firewall?

Unanswered Question
Jul 16th, 2010

Hi,

We have a 6509 CatOS switch where a port on module 5 connects to a firewall.

We have enabled portfast and bpduguard on that module 5.

Is it good practice to enable both on the port going to the FW?

Also, recently that port received a BPDU from the FW and went into errdisabled.

Anyone know why this happened?

thanks

mahesh


I don't know if I understand your comment correctly.

If you enable portfast (port connected to a user port or router port), you need some features to help you.

So portfast = direct to forward state.

For example, port 1 connected to a user PC, and you don't want the user to wait 30 sec to come into forward state:

you will enable portfast (because no loop will come from a user port).

But if the user connects a switch to port 1, the switch will send a BPDU and come to forward state.

The BPDU guard and BPDU filter will help if the port receives a BPDU:

with BPDU guard the port will be in errdisable;

with BPDU filter the port will auto-disable portfast.

About the port connected to the firewall, I don't recommend enabling portfast and BPDU guard.

Ganesh Hariharan Fri, 07/16/2010 - 12:08


Hi Mahesh,

It's a good idea to enable BPDU Guard on any port you're running PortFast on. BPDU Guard protects against this disastrous possibility. If any BPDU comes in on a port that's running BPDU Guard, the port will be shut down and placed into error disabled state.

I don't think it's the right choice to enable BPDU guard on the firewall port on the switch.

Hope to Help !!

Ganesh.H
mahesh18 Sun, 07/18/2010 - 19:45

hi Ganesh,

But we opened a Cisco TAC case and they told us to turn off the portfast on the switch port that connects to the FW, not BPDU guard.

Any comments or ideas?

thanks for help

mahesh

Nagaraja Thanthry (Cisco Employee) Sun, 07/18/2010 - 21:00

Hello,

You can turn on port-fast and not worry about the BPDU-Guard on an interface that is connected to a routed device (routed devices will not participate in Spanning-tree calculations). So, in your case, you can turn on port-fast on the interface connecting to the firewall without any issues (as long as it is not participating in Spanning-tree).

Note: If your firewall is an ASA 5505 (or similar) that has a switch module, then what TAC said is correct. You should turn off port-fast and turn on BPDU-guard.

Hope this helps.

Regards,

NT
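
The two cases NT describes, written out as switch configuration. This is an added example, not configuration from anyone in the thread: the module/port `5/1`, the IOS interface name `GigabitEthernet5/1` and the 300-second recovery timer are assumed values, and the CatOS block is included because the original poster's 6509 runs CatOS. The recovery timer is the practical check this thread is missing: with BPDU guard on, a single stray BPDU errdisables the port, and without a recovery cause configured it stays down until someone intervenes.

```cisco
! ---- CatOS (6509 as in the question; port 5/1 assumed) ----

! Case 1: firewall is a purely routed device and never sends BPDUs.
! PortFast skips the listening/learning delay; BPDU guard is left off
! here, following NT's reply. (Keeping it on is harmless as long as the
! device truly never emits BPDUs, but then the recovery timer below matters.)
set spantree portfast 5/1 enable
set spantree bpdu-guard 5/1 disable

! Case 2: firewall contains a switch module (e.g. ASA 5505) and so
! participates in spanning tree. No PortFast; BPDU guard on so a
! misbehaving or mis-cabled switch side is shut down instead of looping.
set spantree portfast 5/1 disable
set spantree bpdu-guard 5/1 enable

! Either way: bound the outage. Recover a bpdu-guard errdisable after
! 300 s (assumed value) instead of leaving the port down indefinitely.
set errdisable-timeout enable bpdu-guard
set errdisable-timeout interval 300

! Verify the port state and the recovery setting
show port 5/1
show errdisable-timeout

! ---- IOS equivalent (interface name assumed) ----
interface GigabitEthernet5/1
 ! Case 1 (routed firewall):
 spanning-tree portfast
 spanning-tree bpduguard disable
 ! Case 2 (firewall with switch module) would instead be:
 !   no spanning-tree portfast
 !   spanning-tree bpduguard enable
!
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Which ports are currently errdisabled, and why
show interfaces status err-disabled
show errdisable recovery
```

If the port does errdisable again, `show port 5/1` (CatOS) or `show interfaces status err-disabled` (IOS) tells you the cause; a `bpdu-guard` cause on a port facing a supposedly routed firewall means the firewall, or something plugged in between, is bridging after all, which is exactly the situation Case 2 is written for.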

mahesh18 Mon, 07/19/2010 - 07:08

Hi,

Thanks for the reply. The FW is a Juniper FW.

mahesh

Ganesh Hariharan Sun, 07/18/2010 - 22:51


Hi Mahesh,

As NT pointed out, if the ASA has switch modules, the recommendation from Cisco TAC is right.

Hope to Help !!

Ganesh.H
