<div>Got this reply...</div>
<div> </div>
<div>========<br>As far as I know, no solution exists for this race around condition. <br><br>If two "port fast" enabled ports are looped, it will create a mess in the network. <br>Because the switch will never send a BPDU via a port fast enabled port. Hence there is no way the switch can detect that both the ports are looped.
<br>It is better to disable the port fast in this scenario. <br>If you encounter any solution, kindly keep us all posted. <br>=======<br> </div>
<div><strong>Problem is</strong>, if portfast is disabled, PCs'/phones' uptime will be delayed. This is also in conflict with Cisco's SRND of enabling portfast.</div>
<div> </div>
<div>There should be some way to work this out. Any ideas?</div>
<div> </div>
<div>Thanks,</div>
<div>Jeff</div>
<div> </div>
<div> </div>
<div><span class="gmail_quote">On 7/4/07, <b class="gmail_sendername">Jefflin Choi</b> <<a href="mailto:jefflin.choi@gmail.com">jefflin.choi@gmail.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><span class="q">
<div>Hi Lee,</div>
<div> </div>
<div>BPDU Guard is enabled by default as far as I know on CE500. </div>
<div>This has come into my mind and I checked the switch, thus the reason why I ask if the IP Phone is sending BPDU. If not, BPDU guard will be just useless.</div>
<div><br>Anyway, checking the Cisco NetPro forum, someone has encountered the same issue. Unfortunately no resolution.</div>
<div> </div>
<div>The reply was:</div>
<div>"Question1: Yes, IP phones do not send BPDUs. You can enable BPDU guard and it does not shut the port down when an IP Phone is connected. "</div>
<div> </div>
<div>Any ideas how to overcome this vulnerability?</div>
<div>It seems that it is not only on the Cisco CE500 but on all types of Cisco switches.</div>
<div> </div></span>
<div>Thanks,</div>
<div>Jeff</div><br><br>
<div><span class="q"><span class="gmail_quote">On 7/4/07, <b class="gmail_sendername">Lee Pedder</b> <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:lee.pedder@gmail.com" target="_blank">lee.pedder@gmail.com
</a>> wrote:</span> </span>
<div><span class="e" id="q_11390806c0e5ed4c_3">
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">I can't offer specific advice on the CE500 switch, but on other cisco<br>switches there is a bpduguard feature that you need to enable if you
<br>are using spanning-tree portfast. This will shutdown a port on receipt<br>of a BPDU (such as one received from itself on another port).<br><br>On 04/07/07, Jefflin Choi <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:jefflin.choi@gmail.com" target="_blank">
jefflin.choi@gmail.com </a>> wrote:<br>> Ahmed,<br>><br>> The users are using PC connected to the IP phones. Someone non-technical<br>> plugged both connections to the switch instead of one cable to the PC.
<br>><br>> Educating end users to plug the ip phones to the correct devices is simple <br>> but this is a security risk which can cause sabotage of the network.<br>><br>> Matt,<br>><br>> I do not see how "Try turning off GARP on the phone, disable web access and
<br>> turn off voice vlan access." can help. Can you explain why this will help <br>> solve the problem.<br>><br>> First, web access can be disabled. No problem with it. I can't see the<br>> relation with the loop though.
<br>><br>> second voice vlan access, you mean to say not to allow the voice vlan on the <br>> trunk?<br>><br>> Thanks,<br>> Jeff<br>><br>><br>><br>><br>> On 7/4/07, Ahmed Elnagar <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:aelnagar@act-eg.com" target="_blank">
aelnagar@act-eg.com</a>> wrote:<br>> ><br>> ><br>> ><br>> > Well, I was not trying to answer the Q. I was just sharing my dislike<br>> of this switch as I had a lot of problems with it :), especially with VLAN
<br>> trunking. I had it running with IP Phones normally with no problem. <br>> Changing the port role on the switch sometimes helps, but I don't think<br>> in your case. But what I got from your words seems that the users are not using a
<br>> PC connected to the phone (otherwise they will connect 2 cables from the <br>> switch) if that is the case try to disable the PC port of the IP Phone.<br>> ><br>> ><br>> ><br>> > Thanks and Best Regards
<br>> ><br>> > Ahmed A. Elnagar<br>> > Network Engineer Specialist <br>> ><br>> > Advanced Computer Technology (ACT)<br>> > 16 Fawzy Ramah St.Off Shehab St.Mohandessin, Giza, Egypt<br>> > Postal Code:12411 Cairo Egypt
<br>> ><br>> > Mob : +2010-2833868<br>> > Website: <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://www.act-eg.com/" target="_blank">www.act-eg.com</a><br>> > E-mail: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:aelnagar@act-eg.com" target="_blank">
aelnagar@act-eg.com</a><br>> ><br>> > ________________________________<br>> From: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">
cisco-voip-bounces@puck.nether.net</a> on behalf of Matt<br>> Slaga (US)<br>> > Sent: Tue 03-Jul-07 3:25 PM<br>> > To: Ahmed Elnagar; Jefflin Choi; <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip@puck.nether.net" target="_blank">
cisco-voip@puck.nether.net</a><br>> > Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.<br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Wow, that reply should help you solve that problem lickety split!
<br>> ><br>> ><br>> ><br>> > Try turning off GARP on the phone, disable web access and turn off voice<br>> vlan access.<br>> ><br>> ><br>> ><br>> ><br>> ><br>> >
<br>> ><br>> ><br>> ><br>> > From: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a><br>
> [mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net </a>] On Behalf Of<br>> Ahmed Elnagar<br>> > Sent: Tuesday, July 03, 2007 3:25 AM
<br>> > To: Jefflin Choi; <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>> > Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.
<br>> ><br>> ><br>> ><br>> > Just a note<br>> ><br>> > I Hate 500 Express it is a very bad switch and it has a lot of strange<br>> configuration setting plus no useful troubleshooting capabilities at all.
<br>> ><br>> ><br>> ><br>> > ________________________________<br>><br>> ><br>> > From: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">
cisco-voip-bounces@puck.nether.net</a><br>> [mailto: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>] On Behalf Of
<br>> Jefflin Choi<br>> > Sent: Tuesday, July 03, 2007 9:56 AM<br>> > To: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net
</a><br>> > Subject: [cisco-voip] cisco IP Phone causes stp loop.<br>> ><br>> ><br>> ><br>> ><br>> > Hi all,<br>> ><br>> ><br>> ><br>> > <br>> ><br>> > Some end user plugged the pc port and switch port of an IP Phone to a
<br>> Catalyst CE500 port at the same time causing our client's switch on a loop.<br>> ><br>> ><br>> > <br>> ><br>> ><br>> > CE500--------7912 IP Phone<br>> ><br>> ><br>
> > | |<br>> ><br>> ><br>> > |------------------------|<br>> ><br>> > <br>> ><br>> ><br>> ><br>> ><br>> > We can't prevent end user making accidental mistakes like this which might
<br>> cause network failure.<br>> ><br>> ><br>> ><br>> > <br>> ><br>> > I was wondering if Cisco IP phones are sending BPDU so that the CE500 will<br>> errdisable the port. Doesn't it?
<br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Any way to prevent this from happening? <br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Thanks,<br>> >
<br>> ><br>> > Jeff<br>> ><br>> ><br>> _______________________________________________ <br>> cisco-voip mailing list<br>> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>> <a onclick="return top.js.OpenExtLink(window,event,this)" href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>><br></blockquote></span></div>
</div><br></blockquote></div><br>