04-01-2010 08:45 AM - edited 03-15-2019 10:04 PM
Does anyone know a way to turn on security on a switch port to force it to only allow assigning a voice IP address to a Cisco IP phone, and if it's a PC then it will only get a data IP address? Basically we don't want a user spoofing his PC to get a voice IP address. I know switchport voice vlan needs CDP, but I have an over-paranoid security dept that knows that CDP can be simulated by a hacker to potentially get access to the voice subnet. Problem is I have a site with multiple VRFs in an MPLS environment, and if someone gets access to the voice subnet they get into the trusted VRF from the protected VRF?
> Don't want to have to use NAC etc.
04-01-2010 09:09 AM
There is so much security you can implement on a Cisco switch: 802.1x, MAC limits and much more.
Make sure the security dept. will understand the time and associated cost when doing these things, because security doesn't come free, and that is the No. 1 rule.
So that the decision resides with true managers, and you will find that they can be more pragmatic.
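As an added example (not part of any reply in this thread), here are the two controls the reply above names, written out as Catalyst IOS configuration. Interface, VLAN and RADIUS values are placeholders: data VLAN 10, voice VLAN 20, a RADIUS server at 10.0.0.5 with shared secret RadiusSecret. The first stanza is the lighter option and involves no NAC: port security with per-VLAN MAC limits. The second stanza is 802.1X with MAB fallback in multi-domain host mode, where the switch only authorizes a device into the voice VLAN if the RADIUS server returns the Cisco AV pair device-traffic-class=voice for it, so a PC imitating CDP gains nothing.

```cisco
! Added example, not from the thread. Placeholders: data VLAN 10, voice
! VLAN 20, RADIUS server 10.0.0.5 / key RadiusSecret.
!
! Option A: port security with per-VLAN MAC limits (no 802.1X / NAC).
! Total is 3 rather than 2 because the phone sends CDP untagged, so its
! MAC can also be learned on the access VLAN alongside the PC.
interface GigabitEthernet1/0/1
 description Desk port: Cisco IP phone with PC daisy-chained
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 spanning-tree portfast
!
! Option B: 802.1X with MAB fallback, multi-domain host mode
! (one authenticated data device + one authenticated voice device).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.5 key RadiusSecret
dot1x system-auth-control
!
interface GigabitEthernet1/0/2
 description Desk port: data + voice domain, each authenticated separately
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab
 spanning-tree portfast
!
! Verification from exec mode:
! show port-security interface GigabitEthernet1/0/1
! show authentication sessions interface GigabitEthernet1/0/2
```

Option A caps how many MACs may live in each VLAN but cannot tell a phone from a PC: if a PC tags its own frames with VLAN 20 before the phone's MAC is learned, it takes the single voice slot and `violation restrict` only catches whatever comes second. Option B closes that gap, because the voice domain is authorized only when RADIUS returns `device-traffic-class=voice` for that MAC (via MAB) or supplicant (via 802.1X); a device that passes only data authentication stays in VLAN 10 regardless of what it sends in CDP.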
04-01-2010 09:22 AM
Another option might be to restrict the traffic on the voice VLAN to actual voice traffic via ACL. If you limit the protocols allowed on the VRF to RTP and SCCP (and possibly HTTP to the CUCM or other internal web server for Corp Dir access), you can eliminate any benefit to accessing the voice network.
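The ACL approach above, as an added example that is not the reply's own configuration. It assumes a placeholder layout: voice VLAN 20 is 10.20.0.0/24 inside a VRF named VOICE, the CUCM publisher and subscriber (also serving TFTP and the phone directory) are 10.100.0.10 and 10.100.0.11, voice gateways and other phone subnets live in 10.100.0.0/16, a DHCP server at 10.100.0.20, and the default Cisco port numbers: TCP 2000 for SCCP, UDP 16384-32767 for RTP, TCP 8080 for the phone's HTTP directory and services. The ACL is applied inbound on the voice SVI, which is where traffic leaves the voice VLAN for the rest of the VRF; phone-to-phone RTP inside the VLAN never crosses the SVI, so no rule is needed for it.

```cisco
! Added example, not from the thread. Placeholders: voice VLAN 20 =
! 10.20.0.0/24 in VRF VOICE, CUCM servers 10.100.0.10-11, other voice
! subnets and gateways in 10.100.0.0/16, DHCP server 10.100.0.20.
ip access-list extended VOICE-VLAN-IN
 remark -- what a phone needs to boot: DHCP, TFTP config download, DNS, NTP
 permit udp any eq bootpc any eq bootps
 permit udp 10.20.0.0 0.0.0.255 host 10.100.0.10 eq tftp
 permit udp 10.20.0.0 0.0.0.255 host 10.100.0.11 eq tftp
 permit udp 10.20.0.0 0.0.0.255 host 10.100.0.10 eq domain
 permit udp 10.20.0.0 0.0.0.255 host 10.100.0.10 eq ntp
 remark -- SCCP signalling to the CUCM cluster
 permit tcp 10.20.0.0 0.0.0.255 host 10.100.0.10 eq 2000
 permit tcp 10.20.0.0 0.0.0.255 host 10.100.0.11 eq 2000
 remark -- corporate directory / phone services over HTTP
 permit tcp 10.20.0.0 0.0.0.255 host 10.100.0.10 eq 8080
 permit tcp 10.20.0.0 0.0.0.255 host 10.100.0.11 eq 8080
 remark -- RTP media to gateways and phones in other voice subnets
 permit udp 10.20.0.0 0.0.0.255 range 16384 32767 10.100.0.0 0.0.255.255 range 16384 32767
 remark -- everything else, e.g. a PC parked in the voice VLAN, is dropped and logged
 deny ip any any log
!
interface Vlan20
 description Voice VLAN SVI (VRF VOICE)
 ip vrf forwarding VOICE
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.100.0.20
 ip access-group VOICE-VLAN-IN in
!
! After the phones have registered, confirm only the expected lines
! accumulate hits and the deny line stays quiet:
! show ip access-lists VOICE-VLAN-IN
```

Two caveats before copying this. If the phones run SIP rather than SCCP, swap the TCP 2000 lines for TCP/UDP 5060 (and TLS on 5061 if used), and if CUCM serves the directory on plain port 80 instead of 8080, adjust that too; check the hit counters rather than guessing. The `log` keyword on the final deny is useful while tuning the list, since it shows exactly what a non-phone in the voice VLAN tries to reach, but it is punted to the CPU, so drop it or rate-limit it with `ip access-list logging interval` once the list is stable.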