<div>Hi Lee,</div>
<div> </div>
<div>BPDU Guard is enabled by default as far as I know on the CE500.</div>
<div>This had come to my mind and I checked the switch, which is why I asked whether the IP Phone is sending BPDUs. If not, BPDU guard will be just useless.</div>
<div><br>Anyway, checking the Cisco NetPro forum, someone has encountered the same issue. Unfortunately, no resolution.</div>
<div> </div>
<div>The reply was:</div>
<div>"Question1: Yes, IP phones do not send BPDUs. You can enable BPDU guard and it does not shut the port down when an IP Phone is connected."</div>
<div> </div>
<div>Any ideas how to overcome this vulnerability?</div>
<div>It seems that it is not only on the Cisco CE500 but on all types of Cisco switches.</div>
<div> </div>
<div>Thanks,</div>
<div>Jeff</div><br><br>
<div><span class="gmail_quote">On 7/4/07, <b class="gmail_sendername">Lee Pedder</b> <<a href="mailto:lee.pedder@gmail.com">lee.pedder@gmail.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">I can't offer specific advice on the CE500 switch, but on other cisco<br>switches there is a bpduguard feature that you need to enable if you
<br>are using spanning-tree portfast. This will shutdown a port on receipt<br>of a BPDU (such as one received from itself on another port).<br><br>On 04/07/07, Jefflin Choi <<a href="mailto:jefflin.choi@gmail.com">jefflin.choi@gmail.com
</a>> wrote:<br>> Ahmed,<br>><br>> The users are using PC connected to the IP phones. Someone non-technical<br>> plugged both connections to the switch instead of one cable to the PC.<br>><br>> Educating end users to plug the ip phones to the correct devices is simple
<br>> but this is a security risk which can cause sabotage of the network.<br>><br>> Matt,<br>><br>> I do not see how "Try turning off GARP on the phone, disable web access and<br>> turn off voice vlan access." can help. Can you explain why this will help
<br>> solve the problem.<br>><br>> First, web access can be disabled. No problem with it. I can't see the<br>> relation with the loop though.<br>><br>> second voice vlan access, you mean to say not to allow the voice vlan on the
<br>> trunk?<br>><br>> Thanks,<br>> Jeff<br>><br>><br>><br>><br>> On 7/4/07, Ahmed Elnagar <<a href="mailto:aelnagar@act-eg.com">aelnagar@act-eg.com</a>> wrote:<br>> ><br>> ><br>
> ><br>> > Well, I was not trying to answer the Q. I was just sharing my dislike<br>> of this switch as I had a lot of problems with it :), especially with VLAN<br>> trunking. I had it running with IP Phones normally with no problem.
<br>> Changing the port role on the switch sometimes helps, but I don't think<br>> in your case. But what I got from your words seems that the users are not using a<br>> PC connected to the phone (otherwise they will connect 2 cables from the
<br>> switch) if that is the case try to disable the PC port of the IP Phone.<br>> ><br>> ><br>> ><br>> > Thanks and Best Regards<br>> ><br>> > Ahmed A. Elnagar<br>> > Network Engineer Specialist
<br>> ><br>> > Advanced Computer Technology (ACT)<br>> > 16 Fawzy Ramah St.Off Shehab St.Mohandessin, Giza, Egypt<br>> > Postal Code:12411 Cairo Egypt<br>> ><br>> > Mob : +2010-2833868<br>
> > Website: <a href="http://www.act-eg.com">www.act-eg.com</a><br>> > E-mail: <a href="mailto:aelnagar@act-eg.com">aelnagar@act-eg.com</a><br>> ><br>> > ________________________________<br>> From:
<a href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a> on behalf of Matt<br>> Slaga (US)<br>> > Sent: Tue 03-Jul-07 3:25 PM<br>> > To: Ahmed Elnagar; Jefflin Choi; <a href="mailto:cisco-voip@puck.nether.net">
cisco-voip@puck.nether.net</a><br>> > Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.<br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Wow, that reply should help you solve that problem lickety split!
<br>> ><br>> ><br>> ><br>> > Try turning off GARP on the phone, disable web access and turn off voice<br>> vlan access.<br>> ><br>> ><br>> ><br>> ><br>> ><br>> >
<br>> ><br>> ><br>> ><br>> > From: <a href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a><br>> [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net
</a>] On Behalf Of<br>> Ahmed Elnagar<br>> > Sent: Tuesday, July 03, 2007 3:25 AM<br>> > To: Jefflin Choi; <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>> > Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.
<br>> ><br>> ><br>> ><br>> > Just a note<br>> ><br>> > I hate the 500 Express; it is a very bad switch and it has a lot of strange<br>> configuration settings plus no useful troubleshooting capabilities at all.
<br>> ><br>> ><br>> ><br>> > ________________________________<br>><br>> ><br>> > From: <a href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a><br>> [mailto:
<a href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a>] On Behalf Of<br>> Jefflin Choi<br>> > Sent: Tuesday, July 03, 2007 9:56 AM<br>> > To: <a href="mailto:cisco-voip@puck.nether.net">
cisco-voip@puck.nether.net</a><br>> > Subject: [cisco-voip] cisco IP Phone causes stp loop.<br>> ><br>> ><br>> ><br>> ><br>> > Hi all,<br>> ><br>> ><br>> ><br>> >
<br>> ><br>> > Some end user plugged the PC port and switch port of an IP Phone to a<br>> Catalyst CE500 port at the same time, causing a loop on our client's switch.<br>> ><br>> ><br>> >
<br>> ><br>> ><br>> > CE500--------7912 IP Phone<br>> ><br>> ><br>> > | |<br>> ><br>> ><br>> > |------------------------|<br>> ><br>> >
<br>> ><br>> ><br>> ><br>> ><br>> > We can't prevent end user making accidental mistakes like this which might<br>> cause network failure.<br>> ><br>> ><br>> ><br>> >
<br>> ><br>> > I was wondering if Cisco IP phones are sending BPDUs so that the CE500 will<br>> errdisable the port. Doesn't it?<br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Any way to prevent this from happening?
<br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Thanks,<br>> ><br>> ><br>> > Jeff<br>> ><br>> ><br>> ><br>> ><br>> > ________________________________
<br>><br>><br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br></blockquote></div><br>
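<div>The two positions taken in this thread, as an added example that is not part of any poster's message and is not Cisco code: a minimal Python model of a switch with BPDU guard on two PortFast edge ports that are joined through a phone. Whether a given phone relays BPDUs between its PC port and switch port is modelled as a flag (an assumption), and the port names, bridge ID and wiring table are constructed.</div>

```python
# Constructed model, not Cisco code: PortFast edge ports with BPDU guard,
# and a phone whose PC port and switch port are both patched into the switch.
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    bpduguard: bool = True
    state: str = "forwarding"  # PortFast edge ports start forwarding at once


@dataclass
class Switch:
    bridge_id: str
    ports: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def add_port(self, name, bpduguard=True):
        self.ports[name] = Port(name, bpduguard)

    def receive_bpdu(self, port_name, sender_id):
        port = self.ports[port_name]
        if port.state == "forwarding" and port.bpduguard:
            port.state = "err-disabled"
            origin = "own BPDU looped back" if sender_id == self.bridge_id else "foreign BPDU"
            self.log.append(f"{port_name}: err-disabled ({origin})")


def hello_round(switch, patched, phone_relays_bpdus):
    """Send one BPDU out of each forwarding port; `patched` maps a port to the
    port at the far end of the phone (hypothetical wiring table)."""
    for name, port in switch.ports.items():
        peer = patched.get(name)
        if port.state == "forwarding" and peer and phone_relays_bpdus:
            switch.receive_bpdu(peer, switch.bridge_id)


def loop_closed(switch, a, b):
    """The loop carries traffic only while both ends are still forwarding."""
    return all(switch.ports[p].state == "forwarding" for p in (a, b))


def simulate(phone_relays_bpdus):
    sw = Switch("32768.0011.2233.4455")  # constructed bridge ID
    sw.add_port("Fa1")
    sw.add_port("Fa2")
    hello_round(sw, {"Fa1": "Fa2", "Fa2": "Fa1"}, phone_relays_bpdus)
    return loop_closed(sw, "Fa1", "Fa2"), sw.log
```

<div>In this model, <code>simulate(True)</code> ends with one port err-disabled and the loop broken, while <code>simulate(False)</code> leaves both ports forwarding, which is the case Jeff asks about.</div>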