Re: switchport voice detect cisco-phone

From: garry baker <baker.garry_at_gmail.com>
Date: Sat, 13 Feb 2010 06:14:50 +0300

Well, looks like the 3 attributes is the right idea; see the following test
using a Cisco phone with PoE and with a power brick... I didn't have a chance to
get the voiphopper on my PC, but I assume that if I tried to 'emulate' a
Cisco phone without using PoE it would errdisable the port as well...

But if you are using a program like voiphopper on a device with PoE
capability, not sure that this command would see it any different than the
Cisco phone...

A test for another time. This is an interesting command that I didn't know
before, though...

QOS_TEST#sh run int g0/4
interface GigabitEthernet0/4
 switchport access vlan 11
 switchport voice vlan 51
 switchport voice detect cisco-phone full-duplex
 spanning-tree portfast

PLUG PC INTO PORT and WAIT to see what happens approx 8 mins, nothing
happens:
QOS_TEST#sh clo
05:44:06.764 UTC Sat Feb 13 2010
QOS_TEST#sh int g0/4
GigabitEthernet0/4 is up, line protocol is up (connected)

QOS_TEST#sh clo
05:51:56.719 UTC Sat Feb 13 2010
QOS_TEST#sh int g0/4
GigabitEthernet0/4 is up, line protocol is up (connected)

SO ADD A PHONE, using power brick:
QOS_TEST#
00:22:07: %CPDE-6-DETECT: Device detected on GigabitEthernet0/4 violating configuration
00:22:07: %PM-4-ERR_DISABLE: security-violation error detected on Gi0/4, putting Gi0/4 in err-disable state

UNPLUG POWER BRICK from PHONE:
QOS_TEST(config-if)#no shut
QOS_TEST(config-if)#
00:25:17: %ILPOWER-7-DETECT: Interface Gi0/4: Power Device detected: IEEE PD
00:25:18: %ILPOWER-5-POWER_GRANTED: Interface Gi0/4: Power granted
00:25:19: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to down
00:25:22: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to up
00:25:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to up
00:27:01: %CPDE-6-DETECT: Cisco IP Phone 7971 detected on GigabitEthernet0/4 in full duplex mode
QOS_TEST#sh cdp neighbors detail
-------------------------
Device ID: SEP0022905C3F55
Entry address(es):
Platform: Cisco IP Phone 7971, Capabilities: Host Phone
Interface: GigabitEthernet0/4, Port ID (outgoing port): Port 1
Holdtime : 124 sec
Version :
SCCP70.8-3-3SR2S
advertisement version: 2
Duplex: full
Power drawn: 14.900 Watts
Power request id: 16213, Power management id: 1
Power request levels are:14900 0 0 0 0
Management address(es):
QOS_TEST#sh int g0/4
GigabitEthernet0/4 is up, line protocol is up (connected)

REMOVE PHONE and PLUG PC into port:
QOS_TEST#
00:28:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to down
00:28:42: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi0/4: PD removed
00:28:43: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to down
00:28:57: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to up
00:28:58: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to up

PLUG PHONE BACK INTO PORT, without power brick:
00:31:08: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to down
00:31:10: %ILPOWER-7-DETECT: Interface Gi0/4: Power Device detected: IEEE PD
00:31:11: %ILPOWER-7-DETECT: Interface Gi0/4: Power Device detected: IEEE PD
00:31:12: %ILPOWER-5-POWER_GRANTED: Interface Gi0/4: Power granted
00:31:16: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to up
00:31:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to up
00:32:54: %CPDE-6-DETECT: Cisco IP Phone 7971 detected on GigabitEthernet0/4 in full duplex mode

PLUG IN PHONE using power brick:
QOS_TEST#
00:34:43: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi0/4: PD removed
00:34:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to down
00:34:44: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to down
00:34:51: %CPDE-6-DETECT: Device detected on GigabitEthernet0/4 violating configuration
00:34:51: %PM-4-ERR_DISABLE: security-violation error detected on Gi0/4, putting Gi0/4 in err-disable state
QOS_TEST#sh int g0/4
GigabitEthernet0/4 is down, line protocol is down (err-disabled)

--
Garry L. Baker
"There is no 'patch' for stupidity." - www.sqlsecurity.com
On Fri, Feb 12, 2010 at 3:01 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> Guys,
>
> So that command actually checks 3 attributes on a device connection, AFAIK.
> I have not verified it but this is my take on it:
>
> It checks for CDP messages, Full Duplex and PoE for the connecting device,
> else err-disable the port.
>
> Gary, when you tried your hack with connecting a PC, did you wait like 2
> minutes? Try waiting that long and see if the port indeed goes into
> err-disabled state.
>
> Sadiq
>
>
> On Fri, Feb 12, 2010 at 10:14 AM, garry baker <baker.garry_at_gmail.com> wrote:
>
>> yeah that is a good find on that link, and the voiphopper, good stuff, so i
>> tried the command and plugged a PC in...
>>
>> but nothing happened, guess i will need to get more creative, and try a
>> phone then a PC and see if anything happens, maybe after a 'trust' happens
>> on the port....
>>
>> maybe even get the voiphopper and play around...
>>
>> cause i cannot seem to find any thing else about...
>>
>> anybody else seen this in a real case and how it works?
>>
>> thanks..
>> garry..
>>
>>
>> On Fri, Feb 12, 2010 at 8:44 AM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>>
>> > Garry,
>> >
>> > From reading the following:
>> >
>> >
>> > https://supportforums.cisco.com/thread/236503.pdf;jsessionid=D81A3BD19C0F1141EB3C5A3288ADD32A.node0
>> >
>> > It looks like it is used to help protect a switchport from allowing any
>> > user to plug into a port and join the voice VLAN for snooping the Voice
>> > VLAN without the CDP exchange used between Cisco Phones and the switch.
>> > I was not sure about the command until finding this.  It was interesting
>> > to find.
>> > Regards,
>> >
>> > Tyson Scott - CCIE #13513 R&S, Security, and SP
>> > Technical Instructor - IPexpert, Inc.
>> > Mailto: tscott_at_ipexpert.com
>> > Telephone: +1.810.326.1444, ext. 208
>> > Live Assistance, Please visit: www.ipexpert.com/chat
>> > eFax: +1.810.454.0130
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> > garry baker
>> > Sent: Friday, February 12, 2010 12:00 AM
>> > To: Cisco certification
>> > Subject: switchport voice detect cisco-phone
>> >
>> > I came across this command and I do not have a cisco phone to test with,
>> > wondering if anyone knows what this does and is used to do or NOT to do...
>> >
>> > 'switchport voice detect cisco-phone'
>> >
>> >
>> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/command/reference/cli3.html#wp3464954
>> >
>> >
>> > Thanks..
>> > Garry..
>> >
>> >
>> > Garry L. Baker
>> >
>> > "There is no 'patch' for stupidity." - www.sqlsecurity.com
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> CCIE #19963
Received on Sat Feb 13 2010 - 06:14:50 ART

This archive was generated by hypermail 2.2.0 : Mon Mar 01 2010 - 06:28:35 ART
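
Added example (not part of the original thread): a Python sketch that correlates the CPDE, ILPOWER and PM syslog messages from the test above, so err-disable events raised on a port with `switchport voice detect cisco-phone` can be triaged by whether inline power was granted at the time. The sample lines are constructed from the thread's output with wrapped lines re-joined; the function name and record fields are assumptions.

```python
import re

# Constructed sample: log lines from the test in this thread, re-joined onto single lines.
SAMPLE_LOG = """\
00:31:12: %ILPOWER-5-POWER_GRANTED: Interface Gi0/4: Power granted
00:31:16: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to up
00:32:54: %CPDE-6-DETECT: Cisco IP Phone 7971 detected on GigabitEthernet0/4 in full duplex mode
00:34:43: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi0/4: PD removed
00:34:44: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to down
00:34:51: %CPDE-6-DETECT: Device detected on GigabitEthernet0/4 violating configuration
00:34:51: %PM-4-ERR_DISABLE: security-violation error detected on Gi0/4, putting Gi0/4 in err-disable state
"""

LINE_RE = re.compile(r"^(?P<ts>\S+): %(?P<fac>[A-Z_]+)-\d-(?P<mnem>[A-Z_]+): (?P<text>.*)$")
IFACE_RE = re.compile(r"\b(?:GigabitEthernet|Gi)(\d+(?:/\d+)+)")

def analyze(log_text):
    """Return one record per CPDE event, correlated with PoE and err-disable state."""
    poe = {}      # interface -> True while inline power is granted
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        im = m and IFACE_RE.search(m["text"])
        if not im:
            continue
        iface = "Gi" + im.group(1)   # normalise long and short interface names
        tag = m["fac"] + "-" + m["mnem"]
        if tag == "ILPOWER-POWER_GRANTED":
            poe[iface] = True
        elif tag == "ILPOWER-IEEE_DISCONNECT":
            poe[iface] = False
        elif tag == "CPDE-DETECT":
            violation = "violating configuration" in m["text"]
            events.append({"time": m["ts"], "iface": iface,
                           "kind": "violation" if violation else "phone-accepted",
                           "poe_granted": poe.get(iface, False), "err_disabled": False})
        elif tag == "PM-ERR_DISABLE" and "security-violation" in m["text"]:
            # Attach the err-disable to the most recent violation on the same port.
            for ev in reversed(events):
                if ev["iface"] == iface and ev["kind"] == "violation":
                    ev["err_disabled"] = True
                    break
    return events

if __name__ == "__main__":
    for ev in analyze(SAMPLE_LOG):
        print(ev)
```

A violation record with `poe_granted` false matches the power-brick case in the test output; the PoE-capable emulation case the poster raises was not tested in the thread, so these logs say nothing about it.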