Providing BPDU protection on 79x0 Ethernet port

aacole
Level 5

One of my VoIP customer sites has a situation where users connect hubs and switches up to the Ethernet ports on the back of the IP phones. Not ideal I know, and currently they don't have an IT security policy in place to hit these users with; this is being addressed.

One solution I'm considering is using BPDU guard on the switch port the phone is connected to. Has anyone tried this? Did it cause any other problems?

I cannot see an option on the phone to provide this feature on the actual phone port. Anyone any other ideas on how to protect against rogue devices being connected into the phone ports?

3 Replies

Aaron Harrison
VIP Alumni

Hi

I would have imagined that bpdu guard would shut down the port as the phone has a built in switch... a quick search on this forum found this:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd74db2

Which doesn't really make things any clearer... not sure whether he'd introduced a bug or fixed it :-)

Anyway, perhaps another option would be to use port mac security - can't quite remember the commands but I'm sure you could set a limit on the number of MAC addresses on the port, and an aging time for them... So limit it to 3 or so and set an aging time of a few minutes, and it would prevent multiple users on a hub...

Just ideas though, not tested either myself.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Just found this link, refers to the number of MACs you should allow with port security and IP Phones...

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12111yj/scg/swtrafc.htm


Hi,

That is good info, I've decided to try the port security sticky ARP approach with a 3 MAC address limit.

I agree with your comments regarding the switch in the phone, I'd expect it to generate BPDU frames, so BPDU guard is not an option on the connecting switch.

Thanks for the info,
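An added example, not part of the thread or any poster's configuration: a Python check over an IOS-style config excerpt that flags phone-facing ports lacking port security or allowing more than the 3 MAC addresses discussed above. The sample config, interface names and VLAN ids are constructed, and treating any port with `switchport voice vlan` as a phone port is an assumption of this example.

```python
import re

# Constructed sample config; interface names and VLAN ids are made up.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 2
!
interface FastEthernet0/2
 switchport voice vlan 110
!
interface FastEthernet0/3
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 10
!
interface FastEthernet0/4
 switchport access vlan 10
"""
def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit_phone_ports(config, max_macs=3):
    """Flag voice-VLAN ports whose MAC limit is missing or above max_macs."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport voice vlan") for l in lines):
            continue  # assumption: no voice VLAN means not a phone port
        if "switchport port-security" not in lines:
            findings[name] = "port security not enabled"
            continue
        limit = 1  # IOS default when no maximum is configured
        for l in lines:
            if m := re.fullmatch(r"switchport port-security maximum (\d+)", l):
                limit = int(m.group(1))
        if limit > max_macs:
            findings[name] = f"maximum {limit} exceeds {max_macs}"
    return findings
```

Calling `audit_phone_ports(SAMPLE_CONFIG)` reports FastEthernet0/2 and FastEthernet0/3 and skips the non-phone port FastEthernet0/4.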