Cisco IP Phone, Unified Video Advantage and/or Jabber Video Chat are blocked by Endpoint Protection's Network Threat Protection component

Article ID: 151554

Products

Endpoint Protection

Issue/Introduction

Cisco IP Phones, Unified Video Advantage and Jabber Video Chat software are blocked when Symantec Endpoint Protection's (SEP) Network Threat Protection (NTP) component is installed. This occurs when the default SEP NTP firewall rules are used.

SEP Traffic Logs show ethernet protocol traffic with multicast addresses 01-00-0c-cc-cc-cc or 01-00-0c-cc-cc-cd being blocked by the SEP firewall.

Cause

These devices and applications use the Cisco Discovery Protocol (CDP), a proprietary layer 2 network protocol developed by Cisco Systems. Cisco equipment uses CDP to share information about directly connected Cisco devices, such as the operating system version and IP address. Cisco devices send CDP announcements to the multicast destination addresses 01-00-0c-cc-cc-cc / 01-00-0c-cc-cc-cd, and NTP blocks these announcements. CdpPacketWdmCvl.sys is the Cisco Discovery Protocol packet driver.

SEP does not recognize this traffic with the default firewall policy. As such, it is blocked by the "Block all other traffic" rule.

Resolution

Create a firewall rule that allows the MAC addresses 01-00-0c-cc-cc-cc and 01-00-0c-cc-cc-cd as well as Ethernet protocols 0x10b and 0x2000.

  1. Log in to Symantec Endpoint Protection Manager.
  2. Click the Policy tab.
  3. Edit the Firewall Policy.
  4. Select Rules.
  5. Click Add Blank Rule.
  6. Rename it to something meaningful (e.g., Allow CDP Packets).
  7. Set Action to Allow.
  8. Open the Host list and set it to Source/Destination.
  9. Click Add under Destination.
  10. Select MAC address from the drop-down menu.
  11. Add the MAC addresses 01-00-0c-cc-cc-cc and 01-00-0c-cc-cc-cd.
  12. Click OK.
  13. Open the Service list.
  14. Click Add and select Ethernet from the Protocol drop-down.
  15. Enter protocol 0x10b and set the direction to Both.
  16. Repeat the previous step for protocol 0x2000, also with the direction set to Both.
  17. Apply the policy to the client groups as applicable.
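To see what the blocked frames in the traffic log actually carry, and to check that the rule above is as narrow as the article describes, here is an added example (not part of the Symantec article, and not Symantec or Cisco code). It decodes a hand-constructed CDP announcement using the LLC/SNAP encapsulation CDP frames carry (Cisco OUI 00-00-0c and SNAP protocol ID 0x2000, which is the value the firewall reports as the Ethernet protocol) and models the allow rule's match conditions: destination MAC in the two Cisco multicast addresses and protocol 0x10b or 0x2000, with everything else falling through to "Block all other traffic". The source MAC, device name, version and platform strings are constructed sample values, and the CDP checksum is left at zero.

```python
"""Decode the Cisco multicast frames described in the article and model the
firewall rule it adds.  Added example, not part of the Symantec article and not
Symantec or Cisco code; the sample frame below is constructed by hand."""
import struct

# Values named in the article's resolution.
CISCO_MCAST = {"01:00:0c:cc:cc:cc", "01:00:0c:cc:cc:cd"}
ALLOWED_PROTOS = {0x010B, 0x2000}

CDP_DST = "01:00:0c:cc:cc:cc"   # CDP announcements go to this multicast MAC
CISCO_OUI = b"\x00\x00\x0c"      # SNAP OUI carried in CDP frames
CDP_SNAP_PID = 0x2000            # SNAP protocol ID reported as the "Ethernet protocol"
LLC_SNAP = b"\xaa\xaa\x03"       # LLC header announcing that a SNAP header follows

# Common text-valued CDP TLV types (the ones this example decodes as strings).
CDP_TEXT_TLVS = {0x0001: "Device ID", 0x0003: "Port ID",
                 0x0005: "Software Version", 0x0006: "Platform"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return the fields a layer-2 firewall matches on.

    For an 802.3 frame (length field <= 1500) carrying LLC/SNAP, 'proto' is the
    SNAP protocol ID; for an Ethernet II frame it is the EtherType."""
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst, "src": src, "oui": None,
            "proto": type_or_len, "payload": frame[14:]}
    if type_or_len <= 0x05DC and frame[14:17] == LLC_SNAP:
        info["oui"] = bytes(frame[17:20])
        info["proto"] = struct.unpack("!H", frame[20:22])[0]
        info["payload"] = frame[22:14 + type_or_len]
    return info


def is_cdp(info):
    return (info["dst"] == CDP_DST and info["oui"] == CISCO_OUI
            and info["proto"] == CDP_SNAP_PID)


def parse_cdp(payload):
    """Decode the CDP header and TLVs; raises ValueError on a truncated TLV."""
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    tlvs, off = {}, 4
    while off + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(payload):
            raise ValueError("malformed CDP TLV")
        value = payload[off + 4:off + tlv_len]
        if tlv_type in CDP_TEXT_TLVS:
            tlvs[CDP_TEXT_TLVS[tlv_type]] = value.decode("ascii", "replace")
        else:
            tlvs[f"TLV 0x{tlv_type:04x}"] = value.hex()
        off += tlv_len
    return {"version": version, "ttl": ttl, "tlvs": tlvs}


def rule_allows(info):
    """Model of the article's rule: destination in the two Cisco multicast MACs
    and Ethernet protocol 0x10b or 0x2000.  Anything else falls through to the
    default 'Block all other traffic' rule."""
    return info["dst"] in CISCO_MCAST and info["proto"] in ALLOWED_PROTOS


def build_cdp_frame(src="02:00:00:00:ab:01"):
    """Constructed CDPv2 announcement (sample text, checksum left at zero)."""
    tlvs = b""
    for tlv_type, text in ((0x0001, b"phone-lab-01"),
                           (0x0005, b"sample firmware string"),
                           (0x0006, b"Cisco IP Phone (sample)")):
        tlvs += struct.pack("!HH", tlv_type, len(text) + 4) + text
    cdp = struct.pack("!BBH", 2, 180, 0) + tlvs      # version 2, TTL 180 s
    body = LLC_SNAP + CISCO_OUI + struct.pack("!H", CDP_SNAP_PID) + cdp
    dst = bytes.fromhex(CDP_DST.replace(":", ""))
    return (dst + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", len(body)) + body)


if __name__ == "__main__":
    info = parse_frame(build_cdp_frame())
    print(info["dst"], hex(info["proto"]),
          "allowed" if rule_allows(info) else "blocked")
    if is_cdp(info):
        print(parse_cdp(info["payload"]))
```

Running the script prints the destination MAC and protocol the firewall would log for the constructed frame, the rule verdict, and the decoded TLVs. The decoded fields (device name, software version, platform) are the information the Cause section says CDP shares with neighbours, which is why the rule matches only the two multicast MACs and the two protocol values instead of allowing Ethernet traffic more broadly.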