Cisco Unified IP Phone 7900 Series

Field Notice: IP Phone in Loopback May Cause VLAN Instability


Revised November 16, 2004

October 15, 2004


Products Affected

Products

7902 - CP-7902G

7902 - CP-7902G-CCME

7902 - CP-7902G-CH1

7905 - CP-7905G

7905 - CP-7905G-CCME

7905 - CP-7905G-CH1

7910 - CP-7910G

7910 - CP-7910G-CH1

7910SW - CP-7910+SW

7910SW - CP-7910G+SW

7910SW - CP-7910G+SW-CH1

7912 - CP-7912

7912 - CP-7912G

7912 - CP-7912G-CCME

7912 - CP-7912G-CH1

7912 - CP-7912G-W

7940 - CP-7940G

7940 - CP-7940G-CCME

7940 - CP-7940G-CH1

7960 - CP-7960G

7960 - CP-7960G-CCME

7960 - CP-7960G-CH1

7970 - CP-7970G

7970 - CP-7970G-CH1

7970 - CP-7970G-CH2

Problem Description

Disconnecting power from a locally powered Cisco IP Phone connected to a non-Power Over Ethernet (POE) Cisco switch may expose the customer's network to loop back storms that destabilize the virtual local area network (VLAN). This exposure can be mitigated by configuring the switches with automatic loop detection and port recovery.

Background

Cisco in-line power uses a power discovery mechanism to detect the presence of POE-capable devices. When the link comes up, a switch that supports Cisco Inline Power sends a discovery pulse to a newly connected device and waits for a return looped back signal before switching on DC power on that port. If a Cisco in-line power enabled switch does not receive a returned signal, it does not supply DC power.

Devices that are capable of receiving POE, such as Cisco IP Phones, close the loop back circuit on their uplink Ethernet port when they are powered down to enable the POE discovery pulse message to be looped back to the switch. Powering on a Cisco IP Phone, whether through POE or through an AC power adapter and cord, opens the loop back circuit in the uplink Ethernet port, stopping the loop back and allowing normal traffic between the Cisco switch and the phone.

If the phone is not powered by an AC power adapter and the phone is connected to an Ethernet switch that does not provide POE support, the circuit inside the phone's uplink port remains closed. In this state, any traffic sent by the switch to the phone may loop back to the switch and create a loop back storm that disables the entire VLAN.

In the case of Cisco IP Phones with 10Mb ports, such as the 7902G, 7905G, and 7910G, most network traffic sent to an unpowered phone returns as loop back messages. This is also true if any Cisco IP Phone is forced to use a 10Mb connection to the switch, regardless of the phone's full capabilities.

For Cisco IP Phones that support 100Mb, such as the 7912G, 7910G+SW, 7940G, 7960G and 7970G, the uplink Ethernet port, if enabled to use its 100Mb capacity, can filter most network traffic so that only a true POE-discovery pulse loops back to the switch. All other traffic is filtered down to a weak signal that does not invoke any reaction in the switch.

Note: There have been reported cases whereby customers have deployed locally powered Cisco IP phones in a 100Mbit network with a highly sensitive uplink switch that can read the filtered signal from the phone as loop back traffic.

In most cases reported to the Cisco TAC, and in controlled laboratory testing, the loop back issue does not normally appear in 100Mb networks, but is more likely to occur in 10Mb networks. In all cases, the problem can be resolved by one of the methods listed in the Workaround/Solution section.

Problem Symptoms

Depending on the make of the switch which the IP Phone is attached to, looped back traffic from the phone may result in the switch's port going into an error disable state, or it may result in the entire VLAN becoming disabled.

Workaround/Solution

Workaround:

Cisco customers have the flexibility to power their Cisco IP Phones through either Power Over Ethernet (POE) or local power through an AC power adapter and cord attached to their phone. Customers who choose the latter method must follow these guidelines to avoid problems in their networks:

The following recommendations reduce the effect of loop back traffic generated between a network switch and a Cisco IP Phone.

  • The preferred method for powering Cisco IP Phones is through Power over Ethernet (POE). There are two variants of POE: Cisco Inline Power and the IEEE 802.3af standard. All Cisco IP Phones support the Cisco Inline Power variant, and the 7970G model offers both Cisco Inline Power and 802.3af support.

  • If POE is not available, or the customer chooses to power the phones via an AC power adapter, the preferred network configuration is Cisco Catalyst Switches that have been configured for automatic loop detection and recovery. For more information, see Table 1 and Configuration Guidelines.

  • Cisco does not support the use of Cisco IP Phones with unmanaged, non-enterprise class switches that cannot automatically detect a loop condition and recover from the effect of loop back traffic. Follow the Configuration Guidelines section for specific recommendations.

Solution:

Many Cisco switches have the capability to automatically recover a port from an error disabled state within a configurable timeframe. Cisco switches running older versions of IOS/CatOS, or those that do not include automated recovery from an error disable state, may require a manual reset of the affected port via the command line interface. Table 1 lists the Cisco switches that support automated recovery and a recommended version of IOS/CatOS that provides this functionality. The information in Table 1 should be used along with the information in Configuration Guidelines to prevent any problems from occurring.

Third-party switches may have a range of reactions from automated recovery to requiring a manual reset or reboot to correct the problem. Upgrade to a release of CatOS or IOS that implements automated recovery from an error disable state. See Table 1.

Table 1: Cisco Switches that Support Automated Recovery From Error Disable State

| Switch Model | Recommended IOS/CatOS Release |
|---|---|
| 16-port Etherswitch Network module for 2600, 3600 and 3700 routers | 12.2(2)XT |
| Cisco Catalyst 2900XL LRE Series Switches | 12.0(5)WC10 |
| Cisco Catalyst 2900XL Series Switches | 12.0(5)WC10 |
| Cisco Catalyst 2940 Series Switches configured with cisco-phone Smartports Macro | 12.1(22)EA1 |
| Cisco Catalyst 2948G Series Switches using Port Security | 5.2(1) |
| Cisco Catalyst 2948G-GE-TX Switches configured with Port Security | All Versions |
| Cisco Catalyst 2948G-L3 Series Switches | To Be Released |
| Cisco Catalyst 2950 LRE Series Switches configured with cisco-phone Smartports Macro | 12.1(22)EA1 |
| Cisco Catalyst 2950 Series Intelligent Ethernet Switches configured with cisco-phone Smartports Macro | 12.1(22)EA1 |
| Cisco Catalyst 2955 Series Industrial Ethernet Switches configured with cisco-phone Smartports Macro | 12.1(22)EA1 |
| Cisco Catalyst 2970 Series Switches configured with cisco-phone Smartports Macro | 12.2(20)SE1 |
| Cisco Catalyst 2980G Series Switches using Port Security | 5.2(1) |
| Cisco Catalyst 3500XL Series Switches | 12.0(5)WC10 |
| Cisco Catalyst 3550 Series Intelligent Ethernet Switches configured with cisco-phone Smartports Macro | 12.1(22)EA1 |
| Cisco Catalyst 3560 Series Switches configured with cisco-phone Smartports Macro | In-line power only |
| Cisco Catalyst 3750 Metro Series Switches configured with cisco-phone Smartports Macro | 12.1(14)AX1 |
| Cisco Catalyst 3750 Series Intelligent Ethernet Switches configured with cisco-phone Smartports Macro | 12.2(20)SE1 |
| Cisco Catalyst 4000 IOS Series Switches using cisco-phone Smartports macro | 12.2(18)EW |
| Cisco Catalyst 4000 IOS Series Switches using BPDUGuard and Port Security | 12.1(13)EW |
| Cisco Catalyst 4000 CatOS Series Switches using Port Security | 5.2(1) |
| Cisco Catalyst 4500 IOS Series Switches using cisco-phone Smartports macro | 12.2(18)EW |
| Cisco Catalyst 4500 IOS Series Switches using and Port Security | 12.1(13)EW |
| Cisco Catalyst 4500 CatOS Series Switches using Port Security | 7.4(2) |
| Cisco Catalyst 4912G Series Switches using Port Security | 5.2(1) |
| Cisco Catalyst 5000 Series Switches | 5.4(1) |
| Cisco Catalyst 6500 Series Switches using BPDUGuard and Port Security | 5.4(1) or 12.1(13)E |

Recovery:

Cisco switches which are running older versions of IOS/CatOS, or those that do not include automated recovery from error disable mode in their functionality, may require a manual reset of the affected port via the command line interface.

Customer Messaging

Disconnecting power from a locally powered Cisco IP phone connected to a non-POE Cisco switch may expose the customer's network to loop back storms that destabilize the virtual local area network (VLAN). This exposure can be mitigated by configuring the switches with automatic loop detection and port recovery.

Cisco customers have the flexibility to power their Cisco IP Phones through either Power Over Ethernet (POE) or local power through an AC power adapter and cord. Customers who choose the latter method must follow these guidelines:

  • The preferred method for powering Cisco IP Phones is through Power Over Ethernet (POE). There are two variants of POE: Cisco Inline Power and the IEEE 802.3af standard. All Cisco IP Phones support the Cisco Inline Power variant, and the 7970G model offers both Cisco Inline Power and 802.3af support.

  • If POE is not available, or the customer chooses to power the phones via an AC power adapter, the preferred network configuration includes Cisco Catalyst switches with an IOS or CatOS release that supports automatic loop detection and the ability to automatically recover ports which are error disabled as a result of loop detection.

  • If the customer is using a switch model/version that does not support automatic loop detection and port recovery, the customer's network may be susceptible to loop back storms when any of the phones are powered down.

  • Cisco does not support the use of Cisco IP Phones with unmanaged, non-enterprise class switches that cannot automatically detect a loop condition and recover from the effect of loop back traffic.

Customers using IP Phones powered via an AC power adapter with Catalyst switches should configure the interfaces for BPDUguard and port-security with a maximum of 3 MAC addresses. Customers can also enable errdisable recovery timers to automatically bring the interface out of errdisable state once power is restored to the IP Phones.

If the problem persists, please contact your Cisco TAC representative for further troubleshooting guidance.

Configuration Guidelines

This section provides configuration guidelines for different switch models.

Running Smartports Macro on Catalyst Switches running IOS version 12.1(22)EA1

The cisco-phone macro applies the recommended settings when connecting a Cisco IP Phone to a Catalyst switch. The $AVID variable below is the access VLAN that will be configured on the interface; the $VVID variable below is the voice VLAN that will be configured on the interface.

Interface Configuration:

Switch(config)#interface FastEthernet0/5
Switch(config-if)#macro apply cisco-phone $AVID 2 $VVID 3

The resulting configuration is shown below:

Switch#show running-config interface FastEthernet 0/5
Building configuration...

Current configuration : 423 bytes
!
interface FastEthernet0/5
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos trust device cisco-phone
 macro description cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
end

Global Configuration:

Switch(config)#errdisable detect cause loopback 
Switch(config)#errdisable recovery cause bpduguard 
Switch(config)#errdisable recovery cause loopback 
Switch(config)#errdisable recovery cause psecure-violation 

The user can also change the errdisable recovery timer from the default of 300 seconds using the errdisable recovery interval command.
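
An added example, not part of the Cisco field notice: a Python check that scans a saved running-config and reports which of the interface and errdisable recovery lines shown above are missing. It assumes a phone port is any interface with a voice VLAN; the function names and the sample config are constructed for illustration.

```python
import re

# Lines the notice's 12.1(22)EA1 section shows; matched exactly (an assumption).
REQUIRED_IF = ["switchport port-security", "switchport port-security maximum 3",
               "spanning-tree portfast", "spanning-tree bpduguard enable"]
REQUIRED_RECOVERY = {"bpduguard", "loopback", "psecure-violation"}

def parse_config(text):
    """Return ({interface: [sub-commands]}, {errdisable recovery causes})."""
    interfaces, causes, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if raw[:1].isspace() and current:   # indented: interface sub-command
            interfaces[current].append(line)
            continue
        current = None                      # an unindented line ends the block
        m = re.match(r"(interface|errdisable recovery cause) (\S+)$", line)
        if m and m.group(1) == "interface":
            current = m.group(2)
            interfaces[current] = []
        elif m:
            causes.add(m.group(2))
    return interfaces, causes

def audit(text):
    """Map each phone port (or 'global') to the recommended lines it lacks."""
    interfaces, causes = parse_config(text)
    findings = {}
    for name, lines in interfaces.items():
        if not any(l.startswith("switchport voice vlan") for l in lines):
            continue                        # no voice VLAN: not a phone port
        missing = [r for r in REQUIRED_IF if r not in lines]
        if missing:
            findings[name] = missing
    gaps = sorted(REQUIRED_RECOVERY - causes)
    if gaps:
        findings["global"] = ["errdisable recovery cause " + c for c in gaps]
    return findings

# Constructed sample running-config, not taken from the notice.
SAMPLE = """\
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
interface FastEthernet0/5
 switchport voice vlan 3
 spanning-tree portfast
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means every phone port and the global configuration carry the lines listed in this section.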

For Catalyst 4000/4500, 2948G/2980G/4912G running CatOS, use the following configuration, where <mod/port> is the module and port the phone is connected to:

set port security <mod/port> enable age 2 maximum 3 shutdown 3 unicast-flood enable violation shutdown
set port host <mod/port>

For Catalyst 4000/4500 running IOS before 12.2(18)EW

Interface configuration

Switch(config)#int fa0/5
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 3
Switch(config-if)#switchport port-security aging time 2
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#switchport port-security aging type inactivity
Switch(config-if)#spanning-tree portfast
Switch(config-if)#spanning-tree bpduguard enable

Global configuration

Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery cause bpduguard

For Catalyst 4000/4500 running IOS 12.2(18)EW or Later

Interface configuration:

Switch(config-if)#in fastEthernet 2/45
Switch(config-if)#macro apply cisco-phone $AVID 2 $VVID 3
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet2/45 but will only
 have effect when the interface is in a non-trunking mode.

Switch(config-if)#end
Switch#
Switch#show run int fas 2/45
Building configuration...

Current configuration : 579 bytes
!
interface FastEthernet2/45
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 service-policy output autoqos-voip-policy
 qos trust device cisco-phone
 qos trust cos
 auto qos voip cisco-phone
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 macro description cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
end


Global Configuration

Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery cause bpduguard

For devices running 12.0(5)WC:

Interface configuration:

Switch(config)#interface FastEthernet0/5 
Switch(config-if)#switchport mode access 
Switch(config-if)#switchport access vlan 2 
Switch(config-if)#switchport voice vlan 3 
Switch(config-if)#port security 
Switch(config-if)#port security max-mac-count 3 
Switch(config-if)#port security aging time 2 
Switch(config-if)#port security action shutdown 
Switch(config-if)#switchport priority default 0 
Switch(config-if)#spanning-tree portfast 

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
