01-10-2011 03:07 PM - edited 03-06-2019 02:54 PM
Hi All,
1. What is the Cisco recommended config for access ports connecting to IP Phones, as regards loop protection, considering the scenario that a daisy-chained PC cable can be looped back to the IP Phone? Will the following suffice:
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard loop
storm-control broadcast level 0.5
storm-control multicast level 2
storm-control action trap
2. In certain situations, we may have a 5 port mini switch, to gain ports, to permit attaching a local network printer or a laptop in addition to the PC on the IP Phone PC port. In this situation, with the mini switch not running STP and someone short circuiting two ports on the mini switch, a loop situation can result. Since there are no BPDU packets coming in from the mini switch, I am not sure if guard loop works in this case (unless it now supports simply checking leaked CDP etc. looping back in). Setting up a lower value of broadcast / multicast level was all I thought of as a protection.
3. In HP Procurve, there is a nice feature called Loop-Protect that takes care of these issues. I could not find a suitable equivalent in Cisco.
Thanks in advance.
01-11-2011 02:15 AM
Hello Devinder,
The right STP tool should be BPDU guard only.
Loop Guard should be used only on inter-switch links; it reacts to missing BPDUs by putting the port in an inconsistent state instead of promoting the port to the designated port / forwarding role. See it as a passive alternative to UDLD.
STP BPDU guard does the opposite: if a BPDU is heard on the port, it disables the port.
If a loop forms, the switch will see its own BPDUs back on the same port, so it is also very important to avoid using STP BPDU filter.
see
Hope to help
Giuseppe
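The answer above, turned into a configuration check (an added example, not part of the thread or of any Cisco tool): the script flags access ports that lack BPDU guard, enable BPDU filter, or carry loop guard, and also notes whether the broadcast storm-control from the question is present. The sample configuration and interface names are constructed, and only per-interface commands are inspected, so global defaults are not considered.

```python
import re

# Constructed sample configuration (not from the thread); interface names are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard loop
 storm-control broadcast level 0.5
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 0.5
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 spanning-tree guard loop
"""

def audit_access_ports(config):
    """Return {interface: [findings]} for ports set to 'switchport mode access'."""
    findings = {}
    # An interface stanza is the 'interface X' line plus the indented lines after it.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        name = m.group(1)
        lines = {line.strip() for line in m.group(2).splitlines()}
        if "switchport mode access" not in lines:
            continue  # trunks / inter-switch links are out of scope here
        issues = []
        if "spanning-tree bpduguard enable" not in lines:
            issues.append("bpduguard missing")
        if "spanning-tree bpdufilter enable" in lines:
            issues.append("bpdufilter enabled")  # would hide looped-back BPDUs
        if "spanning-tree guard loop" in lines:
            issues.append("loop guard on access port")  # meant for inter-switch links
        if not any(l.startswith("storm-control broadcast level") for l in lines):
            issues.append("no broadcast storm-control")  # measure from the question
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit_access_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```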
01-10-2011 05:15 PM
Forgot to add that I am assuming newer switches that have auto MDIX turned on by default (including some cheap 5 port ones), so a regular straight-thru patch cable is all that is needed to short circuit the ports.
What will be the side effect of turning the default keepalive signaling off on the ports?
Thanks
01-11-2011 12:24 PM
Hi Giuseppe,
Thanks so much for your detailed response.
You have made it clear that loop guard is not the feature that I should be implementing on the access ports; it is a misnomer. The bpduguard will guard against someone connecting an unauthorized switch or access point, but will it also help if someone connects a switch that does not implement STP and hence does not inject BPDUs and for that scenario, will a short circuit on the two ports of that unauthorized switch, safeguard the network?
We had a situation wherein someone used the PC cable from the phone hooked into an adjoining jack on the wall and thus created a sustained loop thru the built-in switch of the IP Phone.
Will "no mdix auto" on user ports help to some extent, as mdix auto is default on switches?
I will also be disabling the PC ports on the lobby and conf room phones.
Please advise.
Thanks so much.