Should portfast and bpdu guard be enabled on port connection to fw

mahesh18 · ‎07-16-2010

Hi,

We have 6509 CatOS switch where port from module 5 connects to firewall .

we have enabled portfast and bpduguard on that module 5.

is this good practice to enable both on port going to fw.

also recently that port received bpdu from fw and went into errdisabled,

anyone know why this happended

thanks

mahesh

altheb_5 · ‎07-16-2010

I don’t know if I understand your comment correctly

if you enable portfast (port connected to user port or router port), you need some features to help you

so portfast = direct to forward state

for example port 1 connected to user PC , and you don’t want the user wait 30 sec to come in forward state

you will enable portfast (because no loop will come from user port)

but if the user connect switch in port 1 , the switch will send bpdu and come to forward state

the bpdu guard and bpdu filter will help if the port receive bpdu

in bpdu gurd the port will be in errdisable

in bpdu filter the port will be auto disable portfast

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

About port connected to firewall you I don’t recommended to enable portfast and bpdu gaurd

Ganesh Hariharan · ‎07-16-2010

Hi,

We have 6509 CatOS switch where port from module 5 connects to firewall .

we have enabled portfast and bpduguard on that module 5.

is this good practice to enable both on port going to fw.

also recently that port received bpdu from fw and went into errdisabled,

anyone know why this happended

thanks

mahesh

Hi Mahesh,

It's a good idea to enable BPDU Guard on any port you're running PortFast on. BPDU Guard protects against this disastrous possibility. If any BPDU comes in on a port that's running BPDU Guard, the port will be shut down and placed into error disabled state.

I dont think a right choice to enable BPDU gaurd in firewall port in switch.

Hope to Help !!

Ganesh.H

mahesh18 · ‎07-18-2010

hi Ganesh,

But we open cisco tac c ase they told us to turn off the port fast on the switch port that connects to fw not bpdu guard.

any comments or ideas?

thanks for help

mahesh

Nagaraja Thanthry · ‎07-18-2010

Hello,

You can turn-on the port-fast and not worry about the BPDU-Guard on an

interface that is connected to a routed device (routed devices will not

participate in Spanning-tree calculations). So, in your case, you can

turn-on port-fast on the interface connecting to the firewall without any

issues (as long as it is not participating in Spanning-tree).

Note: If your firewall is ASA 5505 (or similar) that has a switch module,

then what TAC said is correct. You should turn-off port-fast and turn-on

BPDU-guard.

Hope this helps.

Regards,

NT

mahesh18 · ‎07-19-2010

Hi,

thnaks for reply fw is juniper fw.

mahesh

Ganesh Hariharan · ‎07-18-2010

hi Ganesh,

But we open cisco tac c ase they told us to turn off the port fast on the switch port that connects to fw not bpdu guard.

any comments or ideas?

thanks for help

mahesh

Hi Mahesh,

As NT pointed out if ASA as switch modules the recommendation from cisco TAC is right.

Hope to Help !!

Ganesh.H