[cisco-voip] cisco IP Phone causes stp loop.

Ahmed Elnagar aelnagar at ACT-EG.COM
Thu Jul 5 04:07:45 EDT 2007


Yeah, sorry, I forgot it is a 500 Express; you cannot customize it. Do
update us if you find any solution with Cisco.

________________________________

From: Jefflin Choi [mailto:jefflin.choi at gmail.com] 
Sent: Thursday, July 05, 2007 4:12 AM
To: Ahmed Elnagar
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.

Problem now is that it seems there is no way to disable portfast on the CE500.

Will have a conf call with our local Cisco Systems later. I'll push them
to fix this vulnerability.

Thanks for all your help.

regards,

Jeff

On 7/4/07, Ahmed Elnagar <aelnagar at act-eg.com> wrote:

I just had something come to my mind. In the old configuration of IP
Telephony the attached port was configured as a trunk, not an access port;
maybe that could help in solving this. Here is the configuration:

 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport voice vlan 2

This puts the voice traffic in VLAN 2. If you need to create a data VLAN, just
change the native VLAN on that trunk to whatever you want. The delay that
you are talking about when portfast is disabled only happens once, when
powering on the devices that connect to the switch, and if it is going to
work this delay will be much better than having a loop in the
network.

Thanks and Best Regards

Ahmed A. Elnagar
Network Engineer Specialist

Advanced Computer Technology (ACT)
16 Fawzy Ramah St.Off Shehab St.Mohandessin, Giza, Egypt 
Postal Code:12411 Cairo Egypt 

Mob : +2010-2833868
Website: www.act-eg.com <http://www.act-eg.com/>
E-mail: aelnagar at act-eg.com

________________________________

From: cisco-voip-bounces at puck.nether.net on behalf of Jefflin Choi
Sent: Wed 04-Jul-07 12:30 PM
To: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.

Got this reply...

========
As far as I know, no solution exists for this race-around condition.

If two "port fast" enabled ports are looped, it will create a mess in
the network, because the switch will never send a BPDU via a port fast
enabled port. Hence there is no way the switch can detect that both
ports are looped.
It is better to disable port fast in this scenario.
If you encounter any solution, kindly keep us all posted.
=======

Problem is, if portfast is disabled, the PCs'/phones' uptime will be delayed.
This is also in conflict with Cisco's SRND recommendation of enabling portfast.

There should be some way to work this out. Any ideas?

Thanks,

Jeff

On 7/4/07, Jefflin Choi <jefflin.choi at gmail.com> wrote:

Hi Lee,

BPDU Guard is enabled by default, as far as I know, on the CE500.

This came to my mind and I checked the switch; that is the reason why I
asked if the IP Phone is sending BPDUs. If not, BPDU guard will be just
useless.

Anyway, checking the Cisco NetPro forum, someone has encountered the same
issue. Unfortunately no resolution.

The reply was:

"Question 1: Yes, IP phones do not send BPDUs. You can enable BPDU guard
and it does not shut the port down when an IP Phone is connected."

Any ideas how to overcome this vulnerability?

It seems that it is not only on the Cisco CE500 but on all types of
Cisco switches.

Thanks,

Jeff

On 7/4/07, Lee Pedder <lee.pedder at gmail.com> wrote:

	I can't offer specific advice on the CE500 switch, but on other Cisco
	switches there is a bpduguard feature that you need to enable if you
	are using spanning-tree portfast. This will shut down a port on receipt
	of a BPDU (such as one received from itself on another port).
	
	On 04/07/07, Jefflin Choi <jefflin.choi at gmail.com> wrote:
	> Ahmed,
	>
	> The users are using PCs connected to the IP phones. Someone non-technical
	> plugged both connections into the switch instead of one cable to the PC.
	>
	> Educating end users to plug the IP phones into the correct devices is simple,
	> but this is a security risk which can cause sabotage of the network.
	>
	> Matt,
	>
	> I do not see how "Try turning off GARP on the phone, disable web access and
	> turn off voice vlan access." can help. Can you explain why this will help
	> solve the problem?
	>
	> First, web access can be disabled. No problem with it. I can't see the
	> relation with the loop though.
	>
	> Second, voice vlan access: do you mean to say not to allow the voice VLAN
	> on the trunk?
	>
	> Thanks,
	> Jeff
	>
	> On 7/4/07, Ahmed Elnagar <aelnagar at act-eg.com> wrote:
	> >
	> > Well, I was not trying to answer the question. I was just sharing my
	> > dislike of this switch, as I had a lot of problems with it :), especially
	> > with VLAN trunking. I had it running with IP Phones normally with no
	> > problem. Changing the port role on the switch sometimes helps, but I
	> > don't think so in your case. But what I got from your words seems that the
	> > users are not using a PC connected to the phone (otherwise they would
	> > connect 2 cables from the switch); if that is the case, try to disable
	> > the PC port of the IP Phone.
	> >
	> > Thanks and Best Regards
	> >
	> > Ahmed A. Elnagar
	> > Network Engineer Specialist
	> >
	> > ________________________________
	> > From: cisco-voip-bounces at puck.nether.net on behalf of Matt Slaga (US)
	> > Sent: Tue 03-Jul-07 3:25 PM
	> > To: Ahmed Elnagar; Jefflin Choi; cisco-voip at puck.nether.net
	> > Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.
	> >
	> > Wow, that reply should help you solve that problem lickety split!
	> >
	> > Try turning off GARP on the phone, disable web access and turn off voice
	> > vlan access.
	> >
	> > From: cisco-voip-bounces at puck.nether.net On Behalf Of Ahmed Elnagar
	> > Sent: Tuesday, July 03, 2007 3:25 AM
	> > To: Jefflin Choi; cisco-voip at puck.nether.net
	> > Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.
	> >
	> > Just a note
	> >
	> > I hate the 500 Express. It is a very bad switch and it has a lot of strange
	> > configuration settings, plus no useful troubleshooting capabilities at all.
	> >
	> > ________________________________
	>
	> > From: cisco-voip-bounces at puck.nether.net On Behalf Of Jefflin Choi
	> > Sent: Tuesday, July 03, 2007 9:56 AM
	> > To: cisco-voip at puck.nether.net
	> > Subject: [cisco-voip] cisco IP Phone causes stp loop.
	> >
	> > Hi all,
	> >
	> > Some end user plugged the PC port and switch port of an IP Phone into a
	> > Catalyst CE500 port at the same time, causing our client's switch to go
	> > into a loop.
	> >
	> > CE500--------7912 IP Phone
	> >   |                        |
	> >   |------------------------|
	> >
	> > We can't prevent end users making accidental mistakes like this, which
	> > might cause network failure.
	> >
	> > I was wondering if Cisco IP phones are sending BPDUs so that the CE500 will
	> > errdisable the port. Doesn't it?
	> >
	> > Any way to prevent this from happening?
	> >
	> > Thanks,
	> >
	> > Jeff
	> >
	> > ________________________________
	>
	>
	>
	> _______________________________________________ 
	> cisco-voip mailing list
	> cisco-voip at puck.nether.net
	> https://puck.nether.net/mailman/listinfo/cisco-voip 
	>
	>
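
To make the argument in the thread concrete, here is a constructed Python model, added to this archive page and not code from the list or from Cisco, of the two-port loop through the phone. It shows that BPDU guard only breaks the loop when the edge port actually transmits a BPDU (the `sends_bpdu` flag, which is exactly what the TAC reply and the NetPro answer turn on), and how a single broadcast otherwise keeps circulating. Port names, frame labels and the errdisable behaviour are simplifying assumptions of the model.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    bpduguard: bool = True    # constructed: errdisable the port when a BPDU arrives on it
    sends_bpdu: bool = True   # constructed: does this portfast edge port still transmit BPDUs?
    errdisabled: bool = False

@dataclass
class Switch:
    ports: dict = field(default_factory=dict)

    def receive(self, port_name, frame):
        """A frame arrives on an edge port; return what the switch did with it."""
        p = self.ports[port_name]
        if p.errdisabled:
            return "dropped"
        if frame == "BPDU" and p.bpduguard:
            p.errdisabled = True   # BPDU guard shuts the port, which breaks the loop
            return "errdisable"
        return "forwarded"         # data frames (or BPDUs with no guard) keep circulating

def phone_loop(sw, port_a, port_b):
    """The phone bridges its SW and PC ports, so a BPDU sent out of one edge port
    comes straight back in on the other."""
    link = {port_a: port_b, port_b: port_a}
    events = []
    for src in (port_a, port_b):
        if sw.ports[src].sends_bpdu and not sw.ports[src].errdisabled:
            events.append((link[src], sw.receive(link[src], "BPDU")))
    return events

def broadcast_storm(sw, port_a, port_b, rounds=5):
    """Inject one constructed broadcast into port_a and count how many times it is
    flooded out of port_b, bridged by the phone and re-enters port_a."""
    copies = 0
    for _ in range(rounds):
        if sw.receive(port_a, "BCAST") != "forwarded" or sw.ports[port_b].errdisabled:
            break              # ingress port is down, or no looped egress port is left
        copies += 1
    return copies

def run(sends_bpdu, bpduguard):
    """Return (loop_broken, bpdu_events, copies_still_circulating) for one port policy."""
    sw = Switch({n: Port(n, bpduguard, sends_bpdu) for n in ("Fa0/1", "Fa0/2")})
    events = phone_loop(sw, "Fa0/1", "Fa0/2")
    broken = any(p.errdisabled for p in sw.ports.values())
    return broken, events, broadcast_storm(sw, "Fa0/1", "Fa0/2")
```

`run(True, True)` breaks the loop on the first BPDU, while `run(False, True)` (the behaviour the thread attributes to portfast ports) leaves the guard idle and the broadcast circulating.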