Spanning Tree Loop through IP Phone

jliow
Level 1

Recently an end user just wreaked havoc on the network, plugging the LAN cable on the IP phone that is supposed to be for the PC back into a nearby empty wall jack.

We had enabled spanning-tree PortFast on all the edge switch ports, thinking it's supposed to stop this kind of connection; however, it didn't happen.

When we called TAC, I was told that's because the PC port on the IP phone doesn't send BPDU packets, which was why spanning tree didn't do any port blocking.

Question 1: I thought the PC and network ports on the IP phones are kind of like a mini switch; somehow I realise now that it's not... is that true?

Question 2: Most importantly, how do I prevent this in future? Will port-security MAC address count control be useful?

21 Replies

This problem is not limited to a certain phone or switch. It happens in all scenarios.

The only thing that helps a little is storm control. At least you will be able to access the switch and find the problem.

I have port-security, BPDU guard and other features enabled on all switches, but when users do this by mistake, storm control is the only feature that helps us.

I think Cisco should fix this, as the problem is the way that phones are passing traffic from one interface to the other one.

Btw, what other switch platforms encountered this problem? We tested using a 3650 and had no problem with it, so we assume that the problem is only on the CE500. BPDUguard works fine on the 3650.

I've not manually checked all the platforms (I only tried a 3750), but it seems that the documentation does not show bpdufilter anywhere for the IP phone smartport.

In any case, the smartports are just macros. Except on the CE500 switches, you can do a show run and check that bpdufilter is not enabled on the interface to make sure there is no problem.

Bpduguard (which will definitely be enabled by the smartport config) is OK.

Regards,

Francois

It's probably good to involve the TAC here. I understand there is a problem, but I don't have enough information to determine exactly what the source of the problem is. What I'm sure of is that it's not because portfast ports are not sending BPDUs, and I'm very skeptical about IP phones filtering out BPDUs (that would be a very dumb thing to do, but I can never tell ;-). A switch with two ports does not really need to run STP so long as it is transparently forwarding BPDUs as well as traffic. Now, I guess the IP phone can be seen in certain respects as a switch with 3 ports, and I'm sure there are ways of making nasty combinations with it!

Thanks,

Francois

I got confirmation internally that the CE500 enables bpdufilter as part of the smartport phone configuration. This is wrong and I'll have a bug opened for this. This bpdufilter configuration is specific to the CE500, so other switches should not be affected this way.

Regards,

Francois

Thanks Francois!

Btw, I simulated this problem with a 3650 switch. The BPDU is indeed relayed. So the problem is more on the CE500.

We opened a TAC case with regard to this. You may want to inform the TAC engineer about the newly opened DDTS to avoid a duplicate. SR 606386351

slove
Level 1

We resolved this issue by ensuring that BPDUGUARD was enabled on all PortFast ports. This basically says that if it detects a BPDU coming in, shut the port down. The port will indicate "err-disable". So while the phone itself doesn't generate BPDUs, it will pass the BPDUs from its upstream switch. BPDUGUARD will see the incoming BPDUs on a port as an error condition and shut the port down.
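
As an added example that is not part of the thread: a small Python audit of `show running-config` output that flags PortFast ports with `bpdufilter` enabled or without BPDU guard, the two conditions discussed in the replies above. The sample configuration and the function names are constructed for illustration.

```python
# Constructed "show running-config" excerpt (sample data, not from the thread).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/3
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
"""


def parse_interfaces(config):
    """Map each interface name to its list of stripped sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current and line[:1] in (" ", "\t"):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas


def audit_portfast(config):
    """Return {interface: [findings]} for PortFast ports that can miss a loop."""
    # The global default applies BPDU guard to every PortFast port.
    global_guard = "spanning-tree portfast bpduguard default" in config.splitlines()
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("spanning-tree portfast") and "disable" not in c for c in cmds):
            continue  # not an edge port
        issues = []
        if "spanning-tree bpdufilter enable" in cmds:
            issues.append("bpdufilter enabled")
        guard = global_guard and "spanning-tree bpduguard disable" not in cmds
        if not (guard or "spanning-tree bpduguard enable" in cmds):
            issues.append("bpduguard missing")
        if issues:
            findings[name] = issues
    return findings
```

Calling `audit_portfast()` on a saved running-config returns only the edge ports that need attention; an empty result means every PortFast port has BPDU guard and none has an interface-level BPDU filter.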