Cisco 3500 switch, PIX 525 and PortFast

Discussion in 'Cisco' started by Gary, Apr 7, 2004.

  1. Gary

    Gary Guest

    From what I read a switch to Pix should be hardcoded 100MB/Full but as the
    PIX is layerIII should the switch also have portfast set ?

    Can this cause any problems or is it just to stop the listening/learning
    phases so should always be applied as standard ?

    Apart from 100MB Full/Portfast what else should be applied as standard if
    anything.

    Many thanks
    Gary
     
    Gary, Apr 7, 2004
    #1

    1. Advertisements

  2. Gary

    chris Guest

    There's no real reason to set the portfast option. It only comes into
    play when the link first comes up. It is normally set for clients
    that use DHCP to avoid the initial blocking that interfers with a
    client sending out a DHCP request.
     
    chris, Apr 8, 2004
    #2

    1. Advertisements

  3. Gary

    SysAdm Guest

    wrote in
    So what if the primary pix fails ? Do you wanna wait till SPT goes
    through its full cycle until your secondary pix becomes active ?

    Rule of thumb with connectivity to FWs is make set the L2 port as
    portfast.

    SysAdm
     
    SysAdm, Jun 27, 2004
    #3
  4. Gary

    Kevin Widner Guest



    Actually the secondary pix will have negotiated a link already, you
    will not have to wait for the STP negotiations for the secondary pix
    to take over. However, I would still recommend portfast on a port that
    the PIX connects to.

    When do you not want to use it? Portfast should be disabled on any
    port where you might see a spanning tree BPDU come from, this is
    generally only other switches, hubs, or routers. However, just because
    you turn portfast on, that doesn't mean that you have turned spanning
    tree off for that port, it's just that the switch will not do a check
    for loops before bringing up the port. If BPDU's are recieved on that
    port a standard STP calculation will take place and may end up putting
    the port in blocking mode, but the damage from a possible loop may
    have already been done by this point.

    Why should you use it, other than helping DHCP hosts which was
    mentioned above, and MS domain authentication, a better reason might
    be:

    Every time a link becomes active and moves to the forwarding state in
    STP, the switch will send a special STP packet named a Topology Change
    Notification (TCN). The TCN notification is passed up to the root of
    the Spanning Tree where it is propagated to all the switches in the
    VLAN. This causes all the switches to age out their table of MAC
    addresses using the forward delay parameter, which is usually set to
    15 seconds. So every time a workstation joins the bridge group, the
    MAC addresses on all the switches will be aged out after 15 seconds
    instead of the normal 300 seconds.

    When a workstation becomes active, it does not change the topology to
    any significant degree. As far as all the switches in the VLAN are
    concerned, it is unnecessary for them to have to go through the
    fast-aging TCN period. If you turn on PortFast, the switch will not
    send TCN packets when a port becomes active.
     
    Kevin Widner, Jul 16, 2004
    #4

    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads

  1. Cisco Firewall PIX 525 Hardware Detection

  2. PIX 525 and two PIX-4FE-66=

  3. rules for Cisco PIX 525 firewall rules

  4. Pix 525 and Version 7.0(4) Transparent mode and vlans

  5. enable Span on Cisco Switch 3500

  6. My Cisco Catalyst 3500 XL Switch is Dead ?!!

  7. no Portfast in cisco 85x?

  8. ASA 525, Cisco 3960 switch

Loading...