I had some issues yesterday with someone plugging an Avaya phone into the network using both network connections on the phone. The phone plugged into a stack of 3750 PoE switches, and those switches connected to two 3750 Metro switches. The Metro switches connected to DWDM and through that to the Data Center, which has 6509s also connected to DWDM. Here is the configuration of one of the ports from the 3750 PoE switch:
switchport trunk encapsulation dot1q
switchport trunk native vlan 232
switchport trunk allowed vlan 232,800,832
switchport mode trunk
switchport voice vlan 832
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust cos
auto qos voip trust
no mdix auto
no cdp enable
spanning-tree portfast trunk
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100
Is there anything else that I could configure on the interfaces that would take the interfaces down if someone does the same thing again?
I hope that is not the config for the switch port connected to the Avaya Phone.
I would configure the switchport connected to the phone as:-
spanning-tree bpdufilter enable - makes sense
spanning-tree bpduguard enable - makes sense
errdisable detect cause bpduguard - detect and err-disable the port on loop detection
switchport access vlan <>
switchport voice vlan <
And that is all.
You are using:-
- mls qos trust cos - I hope you have configured the CM to supply the phone COS/DSCP values.
- auto qos voip trust - should be used for Cisco Phones ideally
- switchport trunk encapsulation dot1q - you should only need this on an Avaya Phone that does not support trunking, or a switch that does not have the AUX vlan feature.
- srr-queue bandwidth shape 10 0 0 0 - you want to give the Avaya Phone 10 Mbs in the priority queue?? Why? The heaviest codec is G711 and 1 call is only 170Kbs.
The problem is that we have an Avaya PBX system. You should see the DHCP option 252 for this beast. I forgot to mention that the configuration of the srr-queue was added automatically after I added the auto qos command. I would like to prevent anything that happened yesterday, so if anyone plugs two network cables into the same phone the corresponding interfaces would be disabled. That way I would get an alert and would be able to see what is going on.
BPDUGuard is used for any ports that are configured to not take part in the blck/lis/lrn/fwd stages of Spanning Tree (yes, the states are version dependent; for this it does not really matter) = Portfast is being used
So any port configured with PortFast should have BPDUGuard and will be affected.
Now hopefully your design/config does not have spanning-tree trunk portfast on the distribution/core/access layer links to other switches.
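Added example, written for this thread and not posted by anyone in it: a small Python audit that compares the port stanza from the question with the access-port form recommended in the reply. It encodes one caveat the thread does not spell out: interface-level `spanning-tree bpdufilter enable` stops the port from sending or receiving BPDUs, so BPDU guard on the same port never sees the BPDU that comes back through a looped phone and never err-disables it. The stanzas are constructed excerpts; VLANs 232 and 832 are taken from the question, and the global errdisable commands in the comment are assumed to be set separately.

```python
"""Audit a Catalyst phone-port stanza for the loop-detection gaps discussed in the thread."""

# Constructed excerpt of the trunk-style port config posted in the question.
POSTED_PORT = """
switchport trunk encapsulation dot1q
switchport trunk native vlan 232
switchport trunk allowed vlan 232,800,832
switchport mode trunk
switchport voice vlan 832
spanning-tree portfast trunk
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
"""

# Constructed access-port version (the reply's recommendation, minus the filter).
# Assumed global commands, not part of the interface stanza:
#   errdisable detect cause bpduguard      (err-disable the port when a BPDU arrives)
#   errdisable recovery cause bpduguard    (optional timed recovery)
HARDENED_PORT = """
switchport mode access
switchport access vlan 232
switchport voice vlan 832
spanning-tree portfast
spanning-tree bpduguard enable
"""


def parse_stanza(text):
    """Interface sub-commands as a set of whitespace-normalised lines."""
    return {" ".join(line.split()) for line in text.splitlines() if line.strip()}


def audit_phone_port(text):
    """Return the list of findings; an empty list means these checks all passed."""
    cfg = parse_stanza(text)
    findings = []
    guard = "spanning-tree bpduguard enable" in cfg
    # Interface-level BPDU filter drops received BPDUs before guard can act on them.
    if guard and "spanning-tree bpdufilter enable" in cfg:
        findings.append("bpdufilter masks bpduguard: a looped phone will not be err-disabled")
    if not guard:
        findings.append("bpduguard missing: no err-disable when the port receives a BPDU")
    if "switchport mode trunk" in cfg:
        findings.append("trunk mode on a phone port: use access vlan plus voice vlan instead")
    if not any(line.startswith("switchport voice vlan ") for line in cfg):
        findings.append("no voice vlan: phone traffic is not separated from the PC")
    return findings


if __name__ == "__main__":
    for name, stanza in (("posted", POSTED_PORT), ("hardened", HARDENED_PORT)):
        print(name, audit_phone_port(stanza) or ["ok"])
```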