Voice Over IP Trust Issue

boconnell1
Level 1

Does anyone know a way to turn on security on a switch port to force it to inform the port to only allow assigning a voice IP address to a Cisco IP phone, and if it's a PC then it will only get a data IP address? Basically we don't want a user spoofing his PC to get a voice IP address. I know switchport voice vlan needs CDP, but I have an over-paranoid security dept that knows that CDP can be simulated by a hacker to potentially get access to the voice subnet. Problem is I have a site with multiple VRFs in an MPLS environment, and if someone gets access to the voice subnet they get into the trusted VRF from the protected VRF?

> Don't want to have to use NAC etc.

2 Replies

paolo bevilacqua
Hall of Fame

There is so much security you can implement on a Cisco switch: 802.1X, MAC limits and much more.

Make sure the security dept. will understand the time and associated cost when doing these things, because security doesn't come free, and that is the No. 1 rule.

So that the decision resides with true managers, and you will find that they can be more pragmatic.

Another option might be to restrict the traffic on the voice VLAN to actual voice traffic via ACL. If you limit the protocols allowed on the VRF to RTP and SCCP (and possibly HTTP to the CUCM or other internal web server for Corp Dir access), you can eliminate any benefit to accessing the voice network.
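
The ACL approach from the last reply, sketched as an added example that is not part of the thread or any poster's configuration. The ACL name, VLAN 20, the voice subnet 192.0.2.0/24 and the CUCM address 198.51.100.10 are constructed placeholders; the DHCP and TFTP entries are assumptions about what the phones need beyond the protocols the reply names.

```cisco
! Added example: inbound filter on the voice VLAN gateway (SVI inside the voice VRF).
! A PC that spoofs CDP and lands on the voice VLAN is held to the same
! call-control and media traffic as a phone.
ip access-list extended VOICE-IN
 remark DHCP requests from phones (assumption: phones use DHCP)
 permit udp any eq bootpc any eq bootps
 remark SCCP call control to the CUCM (TCP 2000)
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 2000
 remark Phone configuration download from the CUCM (assumption: TFTP on the CUCM)
 remark TFTP continues on a server-chosen UDP port, so UDP to this one host is open
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10
 remark HTTP to the CUCM for corporate directory access
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq www
 remark RTP media, default Cisco UDP port range
 permit udp 192.0.2.0 0.0.0.255 any range 16384 32767
 remark Everything else from the voice VLAN is dropped and logged
 deny ip any any log
!
interface Vlan20
 description Voice VLAN gateway (placeholder VLAN id)
 ip access-group VOICE-IN in
```

This does not stop a PC from obtaining a voice address; it limits what that address can reach. Hits on the final `deny ... log` entry, visible with `show ip access-lists VOICE-IN`, indicate a non-phone device on the voice VLAN.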