[cisco-voip] cisco IP Phone causes stp loop.

Jefflin Choi jefflin.choi at gmail.com
Wed Jul 4 21:11:32 EDT 2007


Problem now is that it seems there is no way to disable portfast on the CE500.

Will have a conf call with our local Cisco Systems later. I'll push them to
fix this vulnerability.

Thanks for all your help.

regards,
Jeff

On 7/4/07, Ahmed Elnagar <aelnagar at act-eg.com> wrote:
>
>  Something just came to my mind. In the old configuration of IP
> Telephony the attached port was configured to be a trunk, not an access
> port; maybe that could help in solving this. Here is the configuration:
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  switchport voice vlan 2
>
> This puts the voice traffic in VLAN 2. If you need to create a data VLAN,
> just change the native VLAN on that trunk to whatever you want. The delay
> that you are talking about when portfast is disabled only happens once,
> when powering on the devices that connect to the switch, and if it is
> going to work this delay will be much better than having a loop in the
> network.
>
> Thanks and Best Regards
>
> Ahmed A. Elnagar
> Network Engineer Specialist
>
> Advanced Computer Technology (ACT)
> 16 Fawzy Ramah St. Off Shehab St. Mohandessin, Giza, Egypt
> Postal Code: 12411 Cairo Egypt
>
> Mob: +2010-2833868
> Website: www.act-eg.com
> E-mail: aelnagar at act-eg.com
>
> ------------------------------
> From: cisco-voip-bounces at puck.nether.net on behalf of Jefflin Choi
> Sent: Wed 04-Jul-07 12:30 PM
> To: cisco-voip at puck.nether.net
> Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.
>
>
>  Got this reply...
>
> ========
> As far as I know, no solution exists for this race-around condition.
>
> If two "port fast" enabled ports are looped, it will create a mess in the
> network.
> Because the switch will never send a BPDU via a port fast enabled port.
> Hence there is no way the switch can detect that both the ports are
> looped.
> It is better to disable the port fast in this scenario.
> If you encounter any solution, kindly keep us all posted.
> =======
>
> Problem is, if portfast is disabled, PCs'/phones' uptime will be delayed.
> This is also in conflict with Cisco's SRND of enabling portfast.
>
> There should be some way to work this out. Any ideas?
>
> Thanks,
> Jeff
>
>
> On 7/4/07, Jefflin Choi <jefflin.choi at gmail.com> wrote:
> >
> > Hi Lee,
> >
> > BPDU Guard is enabled by default, as far as I know, on the CE500.
> > This came to my mind and I checked the switch; that is the reason why I
> > ask if the IP Phone is sending BPDUs. If not, BPDU guard will be just
> > useless.
> >
> > Anyway, checking cisco netpro forum, someone has encountered the same
> > issue. Unfortunately no resolution.
> >
> > The reply was:
> > "Question1: Yes, IP phones do not send BPDUs. You can enable BPDU guard
> > and it does not shut the port down when an IP Phone is connected."
> >
> > Any ideas how to overcome this vulnerability?
> > It seems that it is not only on the Cisco CE500 but on all types of
> > Cisco switches.
> >
> > Thanks,
> > Jeff
> >
> >
> > On 7/4/07, Lee Pedder <lee.pedder at gmail.com > wrote:
> > >
> > > I can't offer specific advice on the CE500 switch, but on other Cisco
> > > switches there is a bpduguard feature that you need to enable if you
> > > are using spanning-tree portfast. This will shut down a port on receipt
> > > of a BPDU (such as one received from itself on another port).
> > >
> > > On 04/07/07, Jefflin Choi < jefflin.choi at gmail.com > wrote:
> > > > Ahmed,
> > > >
> > > > The users are using PCs connected to the IP phones. Someone
> > > > non-technical plugged both connections to the switch instead of one
> > > > cable to the PC.
> > > >
> > > > Educating end users to plug the IP phones into the correct devices is
> > > > simple, but this is a security risk which can cause sabotage of the
> > > > network.
> > > >
> > > > Matt,
> > > >
> > > > I do not see how "Try turning off GARP on the phone, disable web
> > > > access and turn off voice vlan access." can help. Can you explain why
> > > > this will help solve the problem?
> > > >
> > > > First, web access can be disabled. No problem with it. I can't see
> > > > the relation with the loop though.
> > > >
> > > > Second, voice vlan access: you mean to say not to allow the voice
> > > > vlan on the trunk?
> > > >
> > > > Thanks,
> > > > Jeff
> > > >
> > > >
> > > >
> > > >
> > > > On 7/4/07, Ahmed Elnagar < aelnagar at act-eg.com> wrote:
> > > > >
> > > > >
> > > > >
> > > > > Well, I was not trying to answer the question. I was just sharing
> > > > > my dislike of this switch as I had a lot of problems with it :),
> > > > > especially with VLAN trunking. I had it running with IP Phones
> > > > > normally with no problem. Changing the port role on the switch
> > > > > sometimes helps, but I don't think so in your case. But what I got
> > > > > from your words seems that the users are not using a PC connected
> > > > > to the phone (otherwise they would connect 2 cables from the
> > > > > switch); if that is the case try to disable the PC port of the IP
> > > > > Phone.
> > > > >
> > > > >
> > > > >
> > > > > Thanks and Best Regards
> > > > >
> > > > > Ahmed A. Elnagar
> > > > > Network Engineer Specialist
> > > > >
> > > > > Advanced Computer Technology (ACT)
> > > > > 16 Fawzy Ramah St.Off Shehab St.Mohandessin, Giza, Egypt
> > > > > Postal Code:12411 Cairo Egypt
> > > > >
> > > > > Mob : +2010-2833868
> > > > > Website: www.act-eg.com
> > > > > E-mail: aelnagar at act-eg.com
> > > > >
> > > > > ________________________________
> > > > > From: cisco-voip-bounces at puck.nether.net on behalf of Matt Slaga (US)
> > > > > Sent: Tue 03-Jul-07 3:25 PM
> > > > > To: Ahmed Elnagar; Jefflin Choi; cisco-voip at puck.nether.net
> > > > > Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.
> > > > >
> > > > > Wow, that reply should help you solve that problem lickety split!
> > > > >
> > > > > Try turning off GARP on the phone, disable web access and turn off
> > > > > voice vlan access.
> > > > >
> > > > > From: cisco-voip-bounces at puck.nether.net
> > > > [mailto:cisco-voip-bounces at puck.nether.net ] On Behalf Of
> > > > Ahmed Elnagar
> > > > > Sent: Tuesday, July 03, 2007 3:25 AM
> > > > > To: Jefflin Choi; cisco-voip at puck.nether.net
> > > > > Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.
> > > > >
> > > > > Just a note
> > > > >
> > > > > I hate the 500 Express; it is a very bad switch and it has a lot of
> > > > > strange configuration settings plus no useful troubleshooting
> > > > > capabilities at all.
> > > > >
> > > > > ________________________________
> > > >
> > > > >
> > > > > From: cisco-voip-bounces at puck.nether.net
> > > > [mailto: cisco-voip-bounces at puck.nether.net] On Behalf Of
> > > > Jefflin Choi
> > > > > Sent: Tuesday, July 03, 2007 9:56 AM
> > > > > To: cisco-voip at puck.nether.net
> > > > > Subject: [cisco-voip] cisco IP Phone causes stp loop.
> > > > >
> > > > > Hi all,
> > > > >
> > > > > Some end user plugged the PC port and switch port of an IP Phone
> > > > > into a Catalyst CE500 port at the same time, causing a loop on our
> > > > > client's switch.
> > > > >
> > > > > CE500--------7912 IP Phone
> > > > >   |                        |
> > > > >   |------------------------|
> > > > >
> > > > > We can't prevent end users making accidental mistakes like this,
> > > > > which might cause network failure.
> > > > >
> > > > > I was wondering if Cisco IP phones are sending BPDUs so that the
> > > > > CE500 will errdisable the port. Doesn't it?
> > > > >
> > > > > Any way to prevent this from happening?
> > > > >
> > > > > Thanks,
> > > > > Jeff
> > > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > cisco-voip mailing list
> > > > cisco-voip at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/cisco-voip
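The thread's point is that once both of the phone's ports are patched into the switch, STP on portfast ports gives the switch nothing to act on (no BPDU arrives, so bpduguard never fires), and the loop has to be caught some other way. One symptom that IOS-based Catalyst switches typically do log when a Layer 2 loop forms is MAC-address flapping (`%SW_MATM-4-MACFLAP_NOTIF`), because every host's frames start arriving on both looped ports. The script below is an added example, not code from the thread or from Cisco: it parses constructed sample syslog lines in that format and flags port pairs where several distinct hosts flap within the same log window, which separates a loop from a single laptop that was simply moved between ports. It assumes syslog from an IOS switch upstream of (or instead of) the CE500; the CE500 itself, as Ahmed notes, offers little troubleshooting output. The MAC addresses, port names and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample syslog (not from the thread). The MACFLAP lines follow
# the format IOS uses when the same MAC is learned alternately on two ports;
# the LINK line is included as noise the parser must ignore.
SAMPLE_SYSLOG = """\
Jul  4 09:55:01.123: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Fa0/1 and port Fa0/2
Jul  4 09:55:01.456: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4466 in vlan 10 is flapping between port Fa0/2 and port Fa0/1
Jul  4 09:55:02.001: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4477 in vlan 10 is flapping between port Fa0/1 and port Fa0/2
Jul  4 09:55:02.300: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
Jul  4 09:55:03.010: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4488 in vlan 20 is flapping between port Fa0/9 and port Fa0/10
"""

MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_macflaps(log_text):
    """Yield (vlan, frozenset({port_a, port_b}), mac) for every MAC-flap notice.

    The port pair is a frozenset so that "Fa0/1 and Fa0/2" and
    "Fa0/2 and Fa0/1" count as the same pair.
    """
    for line in log_text.splitlines():
        m = MACFLAP_RE.search(line)
        if m:
            yield (int(m.group("vlan")),
                   frozenset((m.group("p1"), m.group("p2"))),
                   m.group("mac"))


def find_loops(log_text, min_hosts=2):
    """Return {(vlan, (port_a, port_b)): set_of_macs} for suspected loops.

    One MAC moving between two ports can be a laptop being re-patched.
    Several distinct MACs flapping between the same two ports is the
    signature of a Layer 2 loop (e.g. a phone's PC port and switch port
    both plugged into the switch), so only pairs seen with at least
    min_hosts different MACs are reported.
    """
    hosts_per_pair = defaultdict(set)
    for vlan, pair, mac in parse_macflaps(log_text):
        hosts_per_pair[(vlan, pair)].add(mac)
    return {
        (vlan, tuple(sorted(pair))): macs
        for (vlan, pair), macs in hosts_per_pair.items()
        if len(macs) >= min_hosts
    }


def suggested_action(loop_key):
    """Human-readable first response for an operator, given a find_loops() key."""
    vlan, (port_a, port_b) = loop_key
    return (f"vlan {vlan}: shut one of {port_a}/{port_b}, then check whether an "
            f"IP phone's PC port and switch port are both patched to the switch")


if __name__ == "__main__":
    for key, macs in find_loops(SAMPLE_SYSLOG).items():
        print(f"suspected loop: {suggested_action(key)} ({len(macs)} hosts flapping)")
```

On the sample input only the Fa0/1/Fa0/2 pair in VLAN 10 is reported; the single host flapping between Fa0/9 and Fa0/10 in VLAN 20 stays below the threshold and would need a second sighting before it is treated as a loop. In production the same logic would be fed from a syslog collector rather than a string, and the threshold and time window tuned to how noisy the access layer is.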