https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110296#M142265 <HTML><HEAD></HEAD><BODY><P>Yes, you can use smartports without the need of an external device/solution. You can reference the document in the link below to see the different scenarios and guidelines:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/switches/lan/auto_smartports/12.2_55_se/configuration/guide/configure.html#wp1064388">http://www.cisco.com/en/US/docs/switches/lan/auto_smartports/12.2_55_se/configuration/guide/configure.html#wp1064388</A></P><P></P><P><EM style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Thank you for rating helpful posts!</EM></P></BODY></HTML> Tue, 20 Nov 2012 19:06:31 GMT nspasov 2012-11-20T19:06:31Z https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110291#M142256 <P>Hi,</P><P>I want your help to advise how to mitigate to voice vlan hopping attack.</P><P></P><P><STRONG>First Scenario : </STRONG></P><P></P><P>PC behind IP Phone : the PC will send 802.1q tag including VID of Voice VLAN. Then, the PC will get IP Address automatically from voice vlan subnet.</P><P></P><P><SPAN style="color: #ff0000;"><STRONG>Solution : this attack can be mitigated by dropping 802.1q trafic from PC port. It's done at CUCM level.</STRONG></SPAN></P><P></P><P><STRONG>Second Scenario :</STRONG></P><P></P><P>The attacker connects directly to port instead of IP Phone. When he send 802.1q tag including VVID, he will retrieve IP Address from voice vlan subnet.</P><P></P><P><SPAN style="color: #ff0000;"><STRONG>Solution : ????</STRONG></SPAN></P><P></P><P>Regards</P><P>Driss</P> Mon, 11 Mar 2019 02:48:35 GMT https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110291#M142256 Driss BENATTOU 2019-03-11T02:48:35Z https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110292#M142258 <HTML><HEAD></HEAD><BODY><P>You can configure 802.1x on your access ports and with the help with a AAA solution such as Cisco ISE you can deny/authorize different devices on different VLANs, apply dynamic ACLs, blackhole devices, etc. For example, you can have an authorization policy where it will only authorize devices on the voice vlan if they pass EAP-TLS certificate authentication and/or dynamic profiling while sending everything else to different vlans (Data, guest, etc)</P><P></P><P>You can potentially also use macros/smart ports where a port will automatically be assigned to a "Blackhole" vlan as soon as the IP phone gets disconnected. This will prevent users/attackers from bypassing your phone/phone security </P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Tue, 20 Nov 2012 15:05:10 GMT https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110292#M142258 nspasov 2012-11-20T15:05:10Z https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110293#M142260 <HTML><HEAD></HEAD><BODY><P>Thank you for your answer. </P><P>should I use the smart port option in combination with 802.1X or can I use it without ?</P><P></P><P>Regards</P><P>Driss</P></BODY></HTML> Tue, 20 Nov 2012 16:18:29 GMT https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110293#M142260 Driss BENATTOU 2012-11-20T16:18:29Z https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110294#M142261 <HTML><HEAD></HEAD><BODY><P>Hello Driss-</P><P></P><P>That would be up to you. You can use either one or the combination of the two. Using both of them will add more security to your network but it could also require more admin overheard if phones get moved around often. </P><P></P><P><EM>Thank you for rating helpful posts!</EM></P></BODY></HTML> Tue, 20 Nov 2012 17:53:40 GMT https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110294#M142261 nspasov 2012-11-20T17:53:40Z https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110295#M142263 <HTML><HEAD></HEAD><BODY><P>Hello Neno,</P><P>I want to mean if smart port option will be enough for my situation, without depending on other hardware &amp; software prerequisities ?</P><P></P><P>Regards</P><P>Driss</P></BODY></HTML> Tue, 20 Nov 2012 17:59:01 GMT https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110295#M142263 Driss BENATTOU 2012-11-20T17:59:01Z https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110296#M142265 <HTML><HEAD></HEAD><BODY><P>Yes, you can use smartports without the need of an external device/solution. You can reference the document in the link below to see the different scenarios and guidelines:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/switches/lan/auto_smartports/12.2_55_se/configuration/guide/configure.html#wp1064388">http://www.cisco.com/en/US/docs/switches/lan/auto_smartports/12.2_55_se/configuration/guide/configure.html#wp1064388</A></P><P></P><P><EM style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Thank you for rating helpful posts!</EM></P></BODY></HTML> Tue, 20 Nov 2012 19:06:31 GMT https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110296#M142265 nspasov 2012-11-20T19:06:31Z https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110297#M142267 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I tried the configuration but with no positive result.</P><P>I have not control to block 802.1q tag issued from PC (Vlan hopping)</P><P></P><P>Any idea ?</P><P></P><P>Thanks</P><P>Driss</P></BODY></HTML> Thu, 22 Nov 2012 01:02:35 GMT https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110297#M142267 Driss BENATTOU 2012-11-22T01:02:35Z https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110298#M142270 <HTML><HEAD></HEAD><BODY><P>Can you elaborate on which solution you tried and exactly what results you got? Also, perhaps post some configs too for evaluation...</P></BODY></HTML> Thu, 22 Nov 2012 01:10:48 GMT https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110298#M142270 nspasov 2012-11-22T01:10:48Z https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110299#M142273 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I use auto smartport option.</P><P></P><P>the configuration applied is below : </P><DIV><PRE><STRONG> </STRONG></PRE></DIV><P> <A name="wp1220636"></A></P><DIV><PRE><PRE>Switch(config)# macro auto global processing</PRE> Switch(config)# <STRONG>macro auto execute CISCO_PHONE_EVENT builtin CISCO_PHONE_AUTO_SMARTPORT&nbsp; ACCESS_VLAN=32 VOICE_VLAN=132<BR /></STRONG><BR /> <PRE>Switch(config-if)#<STRONG> macro auto global processing</STRONG><BR /><PRE><PRE>Switch(config-if)# <STRONG>macro auto control device phone </STRONG><BR /><PRE><PRE><PRE><PRE>Switch(config-if)# macro auto control detection cdp<BR /><PRE><PRE><PRE><PRE><PRE><PRE><PRE><PRE>Switch(config-if)# macro auto control trigger</PRE> </PRE> When i plug PC behind IP&nbsp; phone and I tag NIC Card with VLAN ID corresponding to VVLAN, then I receive ip address from voice subnet range.<BR /><BR />Regards<BR />Driss <BR /></PRE> </PRE> </PRE> </PRE> </PRE> </PRE> <BR /></PRE> </PRE> </PRE> </PRE> <BR /><BR /> <BR /> </PRE> </PRE> <BR /><BR /> <BR /></PRE> <BR /><STRONG> </STRONG></PRE></DIV></BODY></HTML> Sat, 24 Nov 2012 16:00:29 GMT https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110299#M142273 Driss BENATTOU 2012-11-24T16:00:29Z https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110300#M142275 <HTML><HEAD></HEAD><BODY><P>Hi Driss-</P><P></P><P>I thought that you can mitigate that issue by controlling the voice vlan tagging at CUCM level? The goal of the auto smart port is to shutdown/place the port into a dead VLAN once a phone is disconnected. </P></BODY></HTML> Sun, 25 Nov 2012 17:21:39 GMT https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110300#M142275 nspasov 2012-11-25T17:21:39Z https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110301#M142276 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>At CUCM Level, i can block incoming tagged trafic. But, for PC connecting directly to network by bypassing the ip phone, I can't do it.</P><P></P><P>Driss</P></BODY></HTML> Mon, 26 Nov 2012 15:50:25 GMT https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110301#M142276 Driss BENATTOU 2012-11-26T15:50:25Z https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110302#M142277 <HTML><HEAD></HEAD><BODY><P>Sorry Driss I fell on some of the discussions here as I got really busy. I have a quick question for you: Were you able to get the autosmart ports to work properly? If so then once the phone is disconnected from the switch, the switch should remove all relevant "VOICE" configuration. You can potentially write a script to force shutdown the port once the phone is disconnected from the port. All of this should along with the CUCM changes should provide you with enough security to block a malicious user from VLAN hopping. </P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Mon, 17 Dec 2012 02:40:24 GMT https://community.cisco.com/t5/network-access-control/voice-vlan-hopping-hown-to-mitigate/m-p/2110302#M142277 nspasov 2012-12-17T02:40:24Z