Great testing Garry. That was really informative.
--
Cheers,
Jared Scrivener CCSI #30878, CCIE3 #16983 (R&S, SP, Security)
www.MicronicsTraining.com
Sr. Technical Instructor
YES! We take Cisco Learning Credits!
Training And Remote Racks available
LinkedIn: www.linkedin.com/in/jaredscrivener

On Sat, Feb 13, 2010 at 1:14 PM, garry baker <baker.garry_at_gmail.com> wrote:

> well looks like the 3 attributes is the right idea, see the following test
> using cisco phone with poe and with power brick...I didn't have a chance to
> get the voiphopper on my PC, but i assume that if i tried to 'emulate' a
> cisco phone without using poe it would errdisable the port as well...
>
> but if you are using a program like voiphopper on a device with poe
> capability, not sure that this command would see it any different than the
> cisco phone...
>
> a test for another time, this is an interesting command, that i didn't know
> before though...
>
> QOS_TEST#sh run int g0/4
> interface GigabitEthernet0/4
>  switchport access vlan 11
>  switchport voice vlan 51
>  switchport voice detect cisco-phone full-duplex
>  spanning-tree portfast
>
> PLUG PC INTO PORT and WAIT to see what happens approx 8 mins, nothing happens:
> QOS_TEST#sh clo
> 05:44:06.764 UTC Sat Feb 13 2010
> QOS_TEST#sh int g0/4
> GigabitEthernet0/4 is up, line protocol is up (connected)
>
> QOS_TEST#sh clo
> 05:51:56.719 UTC Sat Feb 13 2010
> QOS_TEST#sh int g0/4
> GigabitEthernet0/4 is up, line protocol is up (connected)
>
> SO ADD A PHONE, using power brick:
> QOS_TEST#
> 00:22:07: %CPDE-6-DETECT: Device detected on GigabitEthernet0/4 violating configuration
> 00:22:07: %PM-4-ERR_DISABLE: security-violation error detected on Gi0/4, putting Gi0/4 in err-disable state
>
> UNPLUG POWER BRICK from PHONE:
> QOS_TEST(config-if)#no shut
> QOS_TEST(config-if)#
> 00:25:17: %ILPOWER-7-DETECT: Interface Gi0/4: Power Device detected: IEEE PD
> 00:25:18: %ILPOWER-5-POWER_GRANTED: Interface Gi0/4: Power granted
> 00:25:19: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to down
> 00:25:22: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to up
> 00:25:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to up
> 00:27:01: %CPDE-6-DETECT: Cisco IP Phone 7971 detected on GigabitEthernet0/4 in full duplex mode
> QOS_TEST#sh cdp neighbors detail
> -------------------------
> Device ID: SEP0022905C3F55
> Entry address(es):
> Platform: Cisco IP Phone 7971, Capabilities: Host Phone
> Interface: GigabitEthernet0/4, Port ID (outgoing port): Port 1
> Holdtime : 124 sec
>
> Version :
> SCCP70.8-3-3SR2S
>
> advertisement version: 2
> Duplex: full
> Power drawn: 14.900 Watts
> Power request id: 16213, Power management id: 1
> Power request levels are:14900 0 0 0 0
> Management address(es):
> QOS_TEST#sh int g0/4
> GigabitEthernet0/4 is up, line protocol is up (connected)
>
> REMOVE PHONE and PLUG PC into port:
> QOS_TEST#
> 00:28:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to down
> 00:28:42: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi0/4: PD removed
> 00:28:43: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to down
> 00:28:57: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to up
> 00:28:58: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to up
>
> PLUG PHONE BACK INTO PORT, without power brick:
> 00:31:08: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to down
> 00:31:10: %ILPOWER-7-DETECT: Interface Gi0/4: Power Device detected: IEEE PD
> 00:31:11: %ILPOWER-7-DETECT: Interface Gi0/4: Power Device detected: IEEE PD
> 00:31:12: %ILPOWER-5-POWER_GRANTED: Interface Gi0/4: Power granted
> 00:31:16: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to up
> 00:31:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to up
> 00:32:54: %CPDE-6-DETECT: Cisco IP Phone 7971 detected on GigabitEthernet0/4 in full duplex mode
>
> PLUG IN PHONE using power brick:
> QOS_TEST#
> 00:34:43: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi0/4: PD removed
> 00:34:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to down
> 00:34:44: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to down
> 00:34:51: %CPDE-6-DETECT: Device detected on GigabitEthernet0/4 violating configuration
> 00:34:51: %PM-4-ERR_DISABLE: security-violation error detected on Gi0/4, putting Gi0/4 in err-disable state
> QOS_TEST#sh int g0/4
> GigabitEthernet0/4 is down, line protocol is down (err-disabled)
>
> --
> Garry L. Baker
>
> "There is no 'patch' for stupidity." - www.sqlsecurity.com
>
> On Fri, Feb 12, 2010 at 3:01 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
> > Guys,
> >
> > So that command actually checks 3 attributes on a device connection, AFAIK.
> > I have not verified it but this is my take on it:
> >
> > It checks for CDP messages, Full Duplex and PoE for the connecting device,
> > else err-disable the port.
> >
> > Garry, when you tried your hack with connecting a PC, did you wait like 2
> > minutes? Try waiting that long and see if the port indeed goes into
> > err-disabled state.
> >
> > Sadiq
> >
> > On Fri, Feb 12, 2010 at 10:14 AM, garry baker <baker.garry_at_gmail.com> wrote:
> >
> >> yeah that is a good find on that link, and the voiphopper, good stuff, so i
> >> tried the command and plugged a PC in...
> >>
> >> but nothing happened, guess i will need to get more creative, and try a
> >> phone then a PC and see if anything happens, maybe after a 'trust' happens
> >> on the port....
> >>
> >> maybe even get the voiphopper and play around...
> >>
> >> cause i cannot seem to find anything else about...
> >>
> >> anybody else seen this in a real case and how it works?
> >>
> >> thanks..
> >> garry..
> >>
> >> On Fri, Feb 12, 2010 at 8:44 AM, Tyson Scott <tscott_at_ipexpert.com> wrote:
> >>
> >> > Garry,
> >> >
> >> > From reading the following:
> >> >
> >> > https://supportforums.cisco.com/thread/236503.pdf;jsessionid=D81A3BD19C0F1141EB3C5A3288ADD32A.node0
> >> >
> >> > It looks like it is used to help protect a switchport from allowing any user
> >> > to plug into a port and join the voice VLAN for snooping the Voice VLAN
> >> > without the CDP exchange used between Cisco Phones and the switch. I was
> >> > not sure about the command until finding this. It was interesting to find.
> >> >
> >> > Regards,
> >> >
> >> > Tyson Scott - CCIE #13513 R&S, Security, and SP
> >> > Technical Instructor - IPexpert, Inc.
> >> > Mailto: tscott_at_ipexpert.com
> >> > Telephone: +1.810.326.1444, ext. 208
> >> > Live Assistance, Please visit: www.ipexpert.com/chat
> >> > eFax: +1.810.454.0130
> >> >
> >> > -----Original Message-----
> >> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of garry baker
> >> > Sent: Friday, February 12, 2010 12:00 AM
> >> > To: Cisco certification
> >> > Subject: switchport voice detect cisco-phone
> >> >
> >> > I came across this command and I do not have a cisco phone to test with,
> >> > wondering if anyone knows what this does and is used to do or NOT to do...
> >> >
> >> > 'switchport voice detect cisco-phone'
> >> >
> >> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/command/reference/cli3.html#wp3464954
> >> >
> >> > Thanks..
> >> > Garry..
> >> >
> >> > Garry L. Baker
> >> >
> >> > "There is no 'patch' for stupidity." - www.sqlsecurity.com
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
> >> > _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html
> >
> > --
> > CCIE #19963

Received on Sat Feb 13 2010 - 22:53:36 ART
This archive was generated by hypermail 2.2.0 : Mon Mar 01 2010 - 06:28:35 ART
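
Added example, not part of the original thread: a short Python parser that walks switch syslog like the output in Garry's test and, for each CPDE detection, records whether the device was accepted as a Cisco phone or flagged as a violation, whether inline power had been granted on the port at that moment, and whether an err-disable followed. The log lines are copied from the test in this thread, one event per line; the function and field names are hypothetical.

```python
import re

# Log lines from the test in this thread, one event per line (LINK/LINEPROTO lines omitted).
SAMPLE_LOG = """\
00:22:07: %CPDE-6-DETECT: Device detected on GigabitEthernet0/4 violating configuration
00:22:07: %PM-4-ERR_DISABLE: security-violation error detected on Gi0/4, putting Gi0/4 in err-disable state
00:25:18: %ILPOWER-5-POWER_GRANTED: Interface Gi0/4: Power granted
00:27:01: %CPDE-6-DETECT: Cisco IP Phone 7971 detected on GigabitEthernet0/4 in full duplex mode
00:28:42: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi0/4: PD removed
00:31:12: %ILPOWER-5-POWER_GRANTED: Interface Gi0/4: Power granted
00:32:54: %CPDE-6-DETECT: Cisco IP Phone 7971 detected on GigabitEthernet0/4 in full duplex mode
00:34:43: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi0/4: PD removed
00:34:51: %CPDE-6-DETECT: Device detected on GigabitEthernet0/4 violating configuration
00:34:51: %PM-4-ERR_DISABLE: security-violation error detected on Gi0/4, putting Gi0/4 in err-disable state
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d): %([A-Z_]+)-\d-([A-Z_]+): (.*)$")
PORT = re.compile(r"\b(?:GigabitEthernet|Gi)(\d+/\d+)")

def analyze(log_text):
    """Return one dict per CPDE detection: time, port, verdict, PoE state, err-disable."""
    poe = {}      # port -> True while the switch is supplying inline power
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        port_m = PORT.search(raw)
        if not (m and port_m):
            continue
        ts, facility, mnemonic, text = m.groups()
        port = "Gi" + port_m.group(1)
        if facility == "ILPOWER" and mnemonic == "POWER_GRANTED":
            poe[port] = True
        elif facility == "ILPOWER" and mnemonic == "IEEE_DISCONNECT":
            poe[port] = False
        elif facility == "CPDE" and mnemonic == "DETECT":
            verdict = "violation" if "violating configuration" in text else "phone-accepted"
            events.append({"time": ts, "port": port, "verdict": verdict,
                           "poe": poe.get(port, False), "err_disabled": False})
        elif facility == "PM" and mnemonic == "ERR_DISABLE":
            # Tie the err-disable to the latest violation seen on that port.
            for ev in reversed(events):
                if ev["port"] == port and ev["verdict"] == "violation":
                    ev["err_disabled"] = True
                    break
    return events

if __name__ == "__main__":
    for ev in analyze(SAMPLE_LOG):
        print(ev)
```

On this sample both violations occur with no inline power granted and both accepted detections follow a POWER_GRANTED, which is consistent with the PoE check Sadiq describes. The PC-only test produces no CPDE message at all, so it never shows up in the output.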