[cisco-voip] cisco IP Phone causes stp loop.

Jefflin Choi jefflin.choi at gmail.com
Thu Jul 19 04:12:26 EDT 2007


Fyi.

Bug has been filed by Cisco TAC to address the problem related to CE500.

On 7/5/07, Ahmed Elnagar <aelnagar at act-eg.com> wrote:
>
> Yeah, sorry, I forgot it is a 500 Express; you cannot customize it. Will update
> us if you find any solution with Cisco.
>
> ________________________________
>
> From: Jefflin Choi [mailto:jefflin.choi at gmail.com]
> Sent: Thursday, July 05, 2007 4:12 AM
> To: Ahmed Elnagar
> Cc: cisco-voip at puck.nether.net
> Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.
>
> Problem now is, it seems like there is no way to disable portfast on CE500.
>
> Will have a conf call with our local cisco systems later. I'll push them to
> fix this vulnerability.
>
> Thanks for all your help.
>
> regards,
>
> Jeff
>
> On 7/4/07, Ahmed Elnagar <aelnagar at act-eg.com> wrote:
>
> Something just came to my mind. In the old configuration of IP Telephony
> the attached port was configured to be a trunk, not an access port; maybe that
> could help in solving this. Here is the configuration:
>
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  switchport voice vlan 2
>
> This puts the voice traffic in vlan2. If you need to create a data vlan, just
> change the native vlan on that trunk to whatever you want. The delay that you are
> talking about when portfast is disabled only happens one time, when powering
> on the devices that connect to the switch, and if it is going to work, this
> delay will be much better than having a loop in the network.
>
> Thanks and Best Regards
>
> Ahmed A. Elnagar
> Network Engineer Specialist
>
> Advanced Computer Technology (ACT)
> 16 Fawzy Ramah St.Off Shehab St.Mohandessin, Giza, Egypt
> Postal Code:12411 Cairo Egypt
>
> Mob : +2010-2833868
> Website: www.act-eg.com
> E-mail: aelnagar at act-eg.com
>
>
>
> ________________________________
>
> From: cisco-voip-bounces at puck.nether.net on behalf of Jefflin Choi
> Sent: Wed 04-Jul-07 12:30 PM
> To: cisco-voip at puck.nether.net
> Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.
>
> Got this reply...
>
> ========
> As far as I know, no solution exists for this race around condition.
>
> If two "port fast" enabled ports are looped, it will create a mess in the
> network.
> Because the switch will never send a BPDU via a port fast enabled port.
> Hence there is no way the switch can detect that both the ports are
> looped.
> It is better to disable the port fast in this scenario.
> If you encounter any solution, kindly keep us all posted.
> =======
>
> Problem is, if portfast is disabled, PCs'/phones' uptime will be delayed.
> This is also in conflict with Cisco's SRND of enabling portfast.
>
> There should be some way to work this out. Any ideas?
>
> Thanks,
>
> Jeff
>
> On 7/4/07, Jefflin Choi <jefflin.choi at gmail.com > wrote:
>
> Hi Lee,
>
> BPDU Guard is enabled by default as far as I know on CE500.
>
> This had come to my mind and I checked the switch, thus the reason why I ask
> if the IP Phone is sending BPDU. If not, BPDU guard will be just useless.
>
> Anyway, checking Cisco netpro forum, someone has encountered the same issue.
> Unfortunately no resolution.
>
> The reply was:
>
> "Question1: Yes, IP phones do not send BPDUs. You can enable BPDU guard and
> it does not shut the port down when an IP Phone is connected."
>
> Any ideas how to overcome this vulnerability?
>
> It seems that it is not only on Cisco CE500 but on all types of Cisco
> switches.
>
> Thanks,
>
> Jeff
>
> On 7/4/07, Lee Pedder <lee.pedder at gmail.com > wrote:
>
> I can't offer specific advice on the CE500 switch, but on other Cisco
> switches there is a bpduguard feature that you need to enable if you
> are using spanning-tree portfast. This will shut down a port on receipt
> of a BPDU (such as one received from itself on another port).
>
> On 04/07/07, Jefflin Choi < jefflin.choi at gmail.com > wrote:
> > Ahmed,
> >
> > The users are using PC connected to the IP phones. Someone non-technical
> > plugged both connections to the switch instead of one cable to the PC.
> >
> > Educating end users to plug the ip phones to the correct devices is simple
> > but this is a security risk which can cause sabotage of the network.
> >
> > Matt,
> >
> > I do not see how "Try turning off GARP on the phone, disable web access and
> > turn off voice vlan access." can help. Can you explain why this will help
> > solve the problem?
> >
> > First, web access can be disabled. No problem with it. I can't see the
> > relation with the loop though.
> >
> > Second, voice vlan access: you mean to say not to allow the voice vlan on the
> > trunk?
> >
> > Thanks,
> > Jeff
> >
> >
> >
> >
> > On 7/4/07, Ahmed Elnagar < aelnagar at act-eg.com> wrote:
> > >
> > > Well, I was not trying to answer the question. I was just sharing my dislike
> > > of this switch as I had a lot of problems with it :), especially with VLAN
> > > trunking. I had it running with IP Phones normally with no problem.
> > > Changing the port role on the switch sometimes helps, but I don't think
> > > it will in your case. But what I got from your words is that the users are
> > > not using a PC connected to the phone (otherwise they will connect 2 cables
> > > from the switch); if that is the case, try to disable the PC port of the IP Phone.
> > >
> > > Thanks and Best Regards
> > >
> > > Ahmed A. Elnagar
> > > Network Engineer Specialist
> > >
> > > Advanced Computer Technology (ACT)
> > > 16 Fawzy Ramah St.Off Shehab St.Mohandessin, Giza, Egypt
> > > Postal Code:12411 Cairo Egypt
> > >
> > > Mob : +2010-2833868
> > > Website: www.act-eg.com
> > > E-mail: aelnagar at act-eg.com
> > >
> > > ________________________________
> > > From: cisco-voip-bounces at puck.nether.net on behalf of Matt Slaga (US)
> > > Sent: Tue 03-Jul-07 3:25 PM
> > > To: Ahmed Elnagar; Jefflin Choi; cisco-voip at puck.nether.net
> > > Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.
> > >
> > > Wow, that reply should help you solve that problem lickety split!
> > >
> > > Try turning off GARP on the phone, disable web access and turn off voice
> > > vlan access.
> > >
> > > From: cisco-voip-bounces at puck.nether.net
> > > [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ahmed Elnagar
> > > Sent: Tuesday, July 03, 2007 3:25 AM
> > > To: Jefflin Choi; cisco-voip at puck.nether.net
> > > Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.
> > >
> > > Just a note
> > >
> > > I hate the 500 Express; it is a very bad switch and it has a lot of strange
> > > configuration settings plus no useful troubleshooting capabilities at all.
> > >
> > > ________________________________
> > >
> > > From: cisco-voip-bounces at puck.nether.net
> > > [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Jefflin Choi
> > > Sent: Tuesday, July 03, 2007 9:56 AM
> > > To: cisco-voip at puck.nether.net
> > > Subject: [cisco-voip] cisco IP Phone causes stp loop.
> > >
> > > Hi all,
> > >
> > > Some end user plugged the PC port and switch port of an IP Phone to a
> > > Catalyst CE500 port at the same time, putting our client's switch in a loop.
> > >
> > > CE500--------7912 IP Phone
> > >   |                        |
> > >   |------------------------|
> > >
> > > We can't prevent end users making accidental mistakes like this which might
> > > cause network failure.
> > >
> > > I was wondering if Cisco IP phones are sending BPDU so that the CE500 will
> > > errdisable the port. Doesn't it?
> > >
> > > Any way to prevent this from happening?
> > >
> > > Thanks,
> > >
> > > Jeff
> > >
> >
> >
> > _______________________________________________
> > cisco-voip mailing list
> > cisco-voip at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-voip
>

