<div>Problem now is seems like there is no way to disable portfast on CE500.</div>
<div> </div>
<div>Will have a conf call with our local cisco systems later. I'll push them to fix this vulnerability.</div>
<div><br>Thanks for all your help.</div>
<div> </div>
<div>regards,</div>
<div>Jeff</div>
<div> </div>
<div><span class="gmail_quote">On 7/4/07, <b class="gmail_sendername">Ahmed Elnagar</b> <<a href="mailto:aelnagar@act-eg.com">aelnagar@act-eg.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>
<div dir="ltr">
<div dir="ltr"><font face="Arial" color="#000000" size="2">I have just something came to my mind. in old configuration of IP Telephony the attached port was configured to be trunk not access port, maybe that could help in solving this here is the configuration:
</font></div>
<div dir="ltr"> switchport trunk encapsulation dot1q<br> switchport mode trunk<br> switchport voice vlan 2</div>
<div dir="ltr"> </div>
<div dir="ltr">this puts the voice traffic in vlan2. If u need to create data vlan just change the native vlan on that trunk to whatever u want. the delay that u r talking about when portfast is disabled only happens one time when powering on the devices that connect to the switch and if it is going to work this delay will be much more better than having a loop in the network.
</div><span class="q">
<div dir="ltr"> </div>
<div dir="ltr"><font face="Arial" color="#000000" size="2"><span style="FONT-SIZE: 10pt; COLOR: #003366; FONT-FAMILY: Tahoma">Thanks and Best Regards<br><b><br>Ahmed A. Elnagar<br></b>Network Engineer <font color="#000000">
Specialist</font></span></font></div></span></div><span class="q">
<div dir="ltr">
<div>
<div style="MARGIN: auto 0in"><span style="FONT-SIZE: 10pt; COLOR: #003366; FONT-FAMILY: Tahoma"></span><span style="FONT-SIZE: 6pt; COLOR: black; FONT-FAMILY: Tahoma"></span> </div>
<div style="MARGIN: auto 0in"><span lang="ES" style="FONT-SIZE: 10pt; COLOR: #003366; FONT-FAMILY: Tahoma">Advanced Computer Technology (ACT)<br>16 Fawzy Ramah St.Off Shehab St.Mohandessin, Giza, Egypt <br>Postal Code:12411 Cairo Egypt
<br></span><span style="FONT-SIZE: 6pt; COLOR: #003366; FONT-FAMILY: Tahoma"><br></span><span><b><span lang="ES" style="FONT-SIZE: 10pt; COLOR: #003366; FONT-FAMILY: Tahoma">Mob</span></b></span><b><span style="FONT-SIZE: 10pt; COLOR: #003366; FONT-FAMILY: Tahoma">
:</span></b><span style="FONT-SIZE: 10pt; COLOR: #003366; FONT-FAMILY: Tahoma"> +2010-2833868</span><span style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Tahoma"><br></span><b><span lang="ES" style="FONT-SIZE: 10pt; COLOR: #003366; FONT-FAMILY: Tahoma">
Website</span></b><b><span style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Tahoma">: </span></b><span lang="ES" style="FONT-SIZE: 10pt; COLOR: #003366; FONT-FAMILY: Tahoma"><a onclick="return top.js.OpenExtLink(window,event,this)" href="http://www.act-eg.com/" target="_blank">
www.act-eg.com</a><br><b>E-mail</b></span><b><span style="FONT-SIZE: 10pt; COLOR: #004600; FONT-FAMILY: Tahoma">: </span></b><span lang="ES" style="FONT-SIZE: 10pt; COLOR: #003366; FONT-FAMILY: Tahoma"><a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:aelnagar@act-eg.com" target="_blank">
aelnagar@act-eg.com</a></span></div></div></div></span>
<div dir="ltr"><br>
<hr>
<font face="Tahoma" size="2"><b>From:</b> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a> on behalf of Jefflin Choi
<br><b>Sent:</b> Wed 04-Jul-07 12:30 PM<span class="q"><br><b>To:</b> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br></span>
<div><span class="e" id="q_1139101c10b34543_6"><b>Subject:</b> Re: [cisco-voip] cisco IP Phone causes stp loop.<br></span></div></font><br> </div>
<div><span class="e" id="q_1139101c10b34543_8">
<div>
<div>Got this reply...</div>
<div> </div>
<div>========<br>As far as i know, no solution exists for this race around condition. <br><br>If two "port fast" enabled ports are looped, it will create a mess in the network. <br>Because the switch will never send a BPDU via a port fast enabled port. Hence there is no way the switch can detected that both the ports are looped.
<br>It is better to disable the port fast in this scenario. <br>If you encounter any solution, kindly keep us all posted. <br>=======<br> </div>
<div><strong>Problem is</strong>, if portfast is disabled, pc's/phones uptime will be delayed. This is also in conflict with cisco's SRND of enabling portfast.</div>
<div> </div>
<div>There should be some way to work this out. Any ideas?</div>
<div> </div>
<div>Thanks,</div>
<div>Jeff</div>
<div> </div>
<div> </div>
<div><span class="gmail_quote">On 7/4/07, <b class="gmail_sendername">Jefflin Choi</b> <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:jefflin.choi@gmail.com" target="_blank">jefflin.choi@gmail.com
</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><span>
<div>Hi Lee,</div>
<div> </div>
<div>BPDU Guard is enabled by default as far as i know on CE500. </div>
<div>This has come into my mind and checked the switch thus the reason why i ask if the IP Phone is sending BPDU. If not, BPDU guard will be just useless.</div>
<div><br>Anyway, checking cisco netpro forum, someone has encountered the same issue. Unfortunately no resolution.</div>
<div> </div>
<div>The reply was:</div>
<div>"Question1: Yes, IP phones donot send BPDU's.You can enable BPDU guard and it does not shut the port down when an IP Phone is connected. "</div>
<div> </div>
<div>Any ideas how to overcome this vulnerability?</div>
<div>It seems that it is not only on cisco CE500 only but on all types of cisco switches.</div>
<div> </div></span>
<div>Thanks,</div>
<div>Jeff</div><br><br>
<div><span><span class="gmail_quote">On 7/4/07, <b class="gmail_sendername">Lee Pedder</b> <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:lee.pedder@gmail.com" target="_blank">lee.pedder@gmail.com
</a>> wrote:</span> </span>
<div><span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">I can't offer specific advice on the CE500 switch, but on other cisco<br>switches there is a bpduguard feature that you need to enable if you
<br>are using spanning-tree portfast. This will shutdown a port on receipt<br>of a BPDU (such as one received from itself on another port).<br><br>On 04/07/07, Jefflin Choi <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:jefflin.choi@gmail.com" target="_blank">
jefflin.choi@gmail.com </a>> wrote:<br>> Ahmed,<br>><br>> The users are using PC connected to the IP phones. Someone non-technical<br>> plugged both connections to the switch instead of one cable to the PC.
<br>><br>> Educating end users to plug the ip phones to the correct devices is simple <br>> but this is a security risk which can cause sabotage of the network.<br>><br>> Matt,<br>><br>> I do not see how "Try turning off GARP on the phone, disable web access and
<br>> turn off voice vlan access." can help. Can you explain why this will help <br>> solve the problem.<br>><br>> First, web access can be disabled. No problem with it. I can't see the<br>> relation with the loop though.
<br>><br>> second voice vlan access, you mean to say not to allow the voice vlan on the <br>> trunk?<br>><br>> Thanks,<br>> Jeff<br>><br>><br>><br>><br>> On 7/4/07, Ahmed Elnagar <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:aelnagar@act-eg.com" target="_blank">
aelnagar@act-eg.com</a>> wrote:<br>> ><br>> ><br>> ><br>> > Well, I was not trying to answer the Q. I was just sharing my dislikeness<br>> of this switch as I had alot o problems with it :), sepically with vlans
<br>> trunking. I had it running with IP Phones normally with no problem. <br>> changeing the port role on the switch sometimes it helps, but I dont think<br>> in ur case. but what I got from ur words seems that the users is not using a
<br>> PC connected to th phone (otherwise they will connect 2 cables from the <br>> switch) if that is the case try to disable the PC port of the IP Phone.<br>> ><br>> ><br>> ><br>> > Thanks and Best Regards
<br>> ><br>> > Ahmed A. Elnagar<br>> > Network Engineer Specialist <br>> ><br>> > Advanced Computer Technology (ACT)<br>> > 16 Fawzy Ramah St.Off Shehab St.Mohandessin, Giza, Egypt<br>> > Postal Code:12411 Cairo Egypt
<br>> ><br>> > Mob : +2010-2833868<br>> > Website: <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://www.act-eg.com/" target="_blank">www.act-eg.com</a><br>> > E-mail: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:aelnagar@act-eg.com" target="_blank">
aelnagar@act-eg.com</a><br>> ><br>> > ________________________________<br>> From: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">
cisco-voip-bounces@puck.nether.net</a> on behalf of Matt<br>> Slaga (US)<br>> > Sent: Tue 03-Jul-07 3:25 PM<br>> > To: Ahmed Elnagar; Jefflin Choi; <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip@puck.nether.net" target="_blank">
cisco-voip@puck.nether.net</a><br>> > Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.<br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Wow, that reply should help you solve that problem lickety split!
<br>> ><br>> ><br>> ><br>> > Try turning off GARP on the phone, disable web access and turn off voice<br>> vlan access.<br>> ><br>> ><br>> ><br>> ><br>> ><br>> >
<br>> ><br>> ><br>> ><br>> > From: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a><br>
> [mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net </a>] On Behalf Of<br>> Ahmed Elnagar<br>> > Sent: Tuesday, July 03, 2007 3:25 AM
<br>> > To: Jefflin Choi; <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>> > Subject: Re: [cisco-voip] cisco IP Phone causes stp loop.
<br>> ><br>> ><br>> ><br>> > Just a note<br>> ><br>> > I Hate 500 Express it is a very bad switch and it has a lot of strange<br>> configuration setting plus no useful troubleshooting capabilities at all.
<br>> ><br>> ><br>> ><br>> > ________________________________<br>><br>> ><br>> > From: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">
cisco-voip-bounces@puck.nether.net</a><br>> [mailto: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>] On Behalf Of
<br>> Jefflin Choi<br>> > Sent: Tuesday, July 03, 2007 9:56 AM<br>> > To: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net
</a><br>> > Subject: [cisco-voip] cisco IP Phone causes stp loop.<br>> ><br>> ><br>> ><br>> ><br>> > Hi all,<br>> ><br>> ><br>> ><br>> > <br>> ><br>> > Some end user plugged the pc port and switch port of an IP Phone to a
<br>> Catalyst CE500 port at the same time causing our client's switch on a loop.<br>> ><br>> ><br>> > <br>> ><br>> ><br>> > CE500--------7912 IP Phone<br>> ><br>> ><br>
> > | |<br>> ><br>> ><br>> > |------------------------|<br>> ><br>> > <br>> ><br>> ><br>> ><br>> ><br>> > We can't prevent end user making accidental mistakes like this which might
<br>> cause network failure.<br>> ><br>> ><br>> ><br>> > <br>> ><br>> > I was wondering if Cisco IP phones are sending BPDU so that the CE500 will<br>> errdisable the port. Doesn't it?
<br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Any way to prevent the this from happening? <br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Thanks,<br>> >
<br>> ><br>> > Jeff<br>> ><br>> ><br>> ><br>> ><br>> > ________________________________ <br>><br>> ><br>> ><br>> ><br>> > Disclaimer: This e-mail communication and any attachments may contain
<br>> confidential and privileged information and is for use by the designated<br>> addressee(s) named above only. If you are not the intended addressee, you <br>> are hereby notified that you have received this communication in error and
<br>> that any use or reproduction of this email or its contents is strictly<br>> prohibited and may be unlawful. If you have received this communication in <br>> error, please notify us immediately by replying to this message and deleting
<br>> it from your computer. Thank you.<br>> ><br>> ><br>> ><br>> ><br>><br>><br>> _______________________________________________ <br>> cisco-voip mailing list<br>> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip@puck.nether.net" target="_blank">
cisco-voip@puck.nether.net</a><br>> <a onclick="return top.js.OpenExtLink(window,event,this)" href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip
</a><br>><br>><br>_______________________________________________<br>cisco-voip mailing list<br><a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net
</a><br><a onclick="return top.js.OpenExtLink(window,event,this)" href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br></blockquote></span></div>
</div><br></blockquote></div><br> </div></span></div></div></blockquote></div><br>