
VoIP Vlans & NAC

news2010a
Participant

Let's say VoIP network is going to be deployed in my organization.

Given this is a FIPS-140-2 environment, we will have a separate MPLS network from data only dedicated for VoIP traffic.

If we also have NAC deployed, what is the best practice for NAC handling VoIP VLANs and IP Phones?

From reading the documentation I see that people exclude the VoIP VLAN from NAC. Is this right?

Question:

If it is true that people should exclude VoIP VLAN traffic from getting to the NAC system, what happens if someone uses a machine that fakes an IP Phone, but in reality it is a malicious PC in the network? How is NAC going to protect against that?

1 Reply

Eduardo Aliaga
Enthusiast

IP Phones are excluded because NAC can't authenticate them. NAC uses "NAC agents" to authenticate and there are no "NAC agents" for IP phones.

I would recommend using ISE instead of NAC appliances. Cisco ISE uses 802.1x and the newer families of Cisco IP Phones do support 802.1x authentication.

Please rate if it helps.
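
A defensive check related to the question above, added here as an example and not part of either post: it scans an IOS-style running-config for ports that carry a voice VLAN but have no 802.1X port control, which is the gap left when the voice VLAN is simply excluded from authentication. The sample configuration is constructed, and the command names assume Cisco IOS interface syntax.

```python
import re

# Constructed sample of an IOS-style running-config (not from the original thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 110
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport voice vlan 110
!
interface GigabitEthernet1/0/3
 switchport voice vlan 120
 authentication port-control force-authorized
!
"""

# Assumed command forms that place a port under 802.1X/MAB control; "force-authorized" does not.
PORT_CONTROL = re.compile(r"^(authentication|dot1x|access-session) port-control auto$")
VOICE_VLAN = re.compile(r"^switchport voice vlan (\d+)$")

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from a running-config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def unauthenticated_voice_ports(config):
    """List (interface, voice VLAN) pairs whose voice VLAN is reachable without port authentication."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        vlan = next((m.group(1) for c in cmds if (m := VOICE_VLAN.match(c))), None)
        if vlan and not any(PORT_CONTROL.match(c) for c in cmds):
            findings.append((name, int(vlan)))
    return findings

if __name__ == "__main__":
    for name, vlan in unauthenticated_voice_ports(SAMPLE_CONFIG):
        print(f"{name}: voice VLAN {vlan} has no 802.1X port control")
```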
