[c-nsp] protecting router MAC addresses

lee.e.rian at census.gov lee.e.rian at census.gov
Wed Oct 13 08:56:53 EDT 2004

Hi Chuck,

Cisco has said what we're doing is not a supported configuration & if we
don't want this problem again we just shouldn't plug one phone into
another.  But since we _have_ had this problem I'm generalizing it to what
happens if we have a malicious user intentionally spoofing the HSRP MAC

Given the choice between an administrative solution of "just don't do that"
and a technical solution of "I don't care what you do, malicious or not,
you can't steal the HSRP MAC address" I like the technical solution.  But I
haven't been able to come up with that kind of technical solution & was
hoping someone on the list could think of one...

I like the suggestion of enabling bpduguard & suspect that will handle the
non-malicious cases we've had of Cisco IP phones echoing frames back to the
switch.  But how to handle the case of a malicious user trying to cause


"Church, Chuck" <cchurch at netcogov.com>
10/13/2004 07:33 AM

To:       <lee.e.rian at census.gov>, <cisco-nsp at puck.nether.net>
cc:
Subject:  RE: [c-nsp] protecting router MAC addresses


Is the first phone being put in a voice VLAN (i.e. dynamically
creating a trunk via CDP)?  If so, what is the second daisy-chained
phone doing, since it's plugged in a probably set as access (non-trunk),
but trying to trunk as well.  Perhaps these tagged frames coming from
the 2nd phone are causing some confusion on the 6500.  Maybe try turning
off voice vlan support on those daisy-chained phones?  5.x code is
pretty old to be handling voice VLAN stuff, maybe a later 6.x release
would work better.  Or a mac-address access-list.  HTH.

Chuck Church
Lead Design Engineer
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com  <-note new address!
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
lee.e.rian at census.gov
Sent: Wednesday, October 13, 2004 7:04 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] protecting router MAC addresses

> > We've had a couple of times recently where Cisco IP phones
> > together get into a state where they echo frames back to the switch.
> > that happens the switch learns the router MAC address on the user
> > traffic meant for the router is black-holed.  It finally happened on
> > switch running 5.x code & we got a lot of these syslog messages
>     Isn't this is sort of a problem that spanning tree is designed to
> Enabling spanning tree or bpduguard on your access ports should solve

> problem I think... if I understood well what you meant by "daisy
> phones...

We do have spanning tree enabled on all vlans.  We don't have bpduguard
enabled & that sounds like something worth doing.  But I don't know if
enabling bpduguard would prevent the problem or not - we haven't been
to recreate the problem.  By "daisy chained" I mean
switch == phone == phone == phone
so spanning tree shouldn't make any difference since there's no loop


cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/
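
Added example, not part of the original thread: a small check for the condition discussed above, where a switch learns the routers' HSRP virtual MAC on a user-facing port. It assumes a generic "vlan mac port" export of the MAC table and a hypothetical set of router-facing ports; the sample rows are constructed, not real switch output.

```python
import re

# HSRP virtual MACs: version 1 is 0000.0c07.acXX, version 2 is 0000.0c9f.fXXX
HSRP_VMAC = re.compile(r"^00000c(07ac[0-9a-f]{2}|9ff[0-9a-f]{3})$")

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def misplaced_hsrp_macs(table_text, router_ports):
    """Return (vlan, mac, port) for every HSRP virtual MAC learned on a
    port other than the ones that really lead to the routers."""
    findings = []
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip headers, comments and blank lines
        vlan, mac, port = fields
        try:
            digits = normalize_mac(mac)
        except ValueError:
            continue  # not a MAC table row
        if HSRP_VMAC.match(digits) and port not in router_ports:
            findings.append((int(vlan), mac, port))
    return findings

# Constructed sample: generic "vlan mac port" rows, not real switch output.
SAMPLE_TABLE = """\
# vlan mac port
10 00-00-0c-07-ac-0a 1/1
10 00-d0-b7-11-22-33 3/14
20 0000.0c07.ac14 3/27
20 00:00:0c:9f:f0:14 1/2
"""
ROUTER_PORTS = {"1/1", "1/2"}  # assumed uplinks toward the HSRP routers

if __name__ == "__main__":
    for vlan, mac, port in misplaced_hsrp_macs(SAMPLE_TABLE, ROUTER_PORTS):
        print(f"VLAN {vlan}: HSRP MAC {mac} learned on user port {port}")
```

Run against periodic MAC table exports, a non-empty result points at the port where the router MAC is being echoed or spoofed.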
