05-11-2012 07:11 AM
We have a situation where some switchports are in a public area with Cisco IP Phones connected. We want to disable the ACCESS VLAN but allow the VOICE. Is it best practice to just remove the 'switchport mode access' command?
05-11-2012 03:07 PM
That's one good step along the way.
If you really want to lock it down further use port-security and restrict the allowed MAC address to the single phone connected on a given port. That will put the port into err-disable if anything else is even plugged into it.
Otherwise someone could put their machine up on the phone VLAN, give themselves a static IP that the phone they displaced had gotten via DHCP, and possibly navigate around your network that way.
More advanced solutions would be use of 802.1x and/or ISE but that requires investment in products and significant configuration steps.
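An added example, not part of the original reply or any Cisco tooling: a Python check that reads a running-config and reports voice-VLAN ports that fall short of the port-security setup described above (enabled, one MAC, err-disable on violation, phone MAC pinned). The interface names, VLAN numbers, sample config and the function name `audit_voice_ports` are constructed for illustration; it relies on the IOS defaults of `maximum 1` and `violation shutdown` when those lines are absent.

```python
import re
# Constructed running-config excerpt (sample data, not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport voice vlan 110
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
!
interface GigabitEthernet0/3
 switchport voice vlan 110
!
interface GigabitEthernet0/4
 switchport access vlan 20
"""

def audit_voice_ports(config):
    """Return {interface: [findings]} for every port that carries a voice VLAN."""
    blocks, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            blocks[name] = []
        elif line.startswith(" ") and name:
            blocks[name].append(line.strip())
        else:
            name = None  # "!" or a global command closes the interface block
    report = {}
    for name, cmds in blocks.items():
        if not any(c.startswith("switchport voice vlan") for c in cmds):
            continue
        # Keep only the arguments that follow "switchport port-security"
        ps = [c[24:].strip() for c in cmds if c.startswith("switchport port-security")]
        if "" not in ps:  # the bare command is what enables the feature
            report[name] = ["port-security not enabled"]
            continue
        # Assumed IOS defaults when the line is absent: maximum 1, violation shutdown
        maximum = next((int(p.split()[1]) for p in ps if re.match(r"maximum \d+", p)), 1)
        violation = next((p.split()[1] for p in ps if p.startswith("violation ")), "shutdown")
        checks = [
            (maximum > 1, f"maximum {maximum} admits more than the single phone"),
            (violation != "shutdown", f"violation {violation} does not err-disable the port"),
            (not any(p.startswith("mac-address") for p in ps), "no static or sticky MAC pinned"),
        ]
        report[name] = [msg for bad, msg in checks if bad]
    return report
```

An empty findings list means the port matches the advice; the `restrict` and `protect` violation modes drop the offending frames but leave the port up, so they are flagged.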
05-14-2012 06:40 AM
Good idea, I will also add port security.