02-03-2005 01:01 AM - edited 03-13-2019 07:53 AM
One of my VoIP customer sites has a situation where users connect hubs and switches up to the Ethernet ports on the back of the IP phones. Not ideal, I know, and currently they don't have an IT security policy in place to hit these users with; this is being addressed.
One solution I'm considering is using BPDU guard on the switch port the phone is connected to. Has anyone tried this? Did it cause any other problems?
I cannot see an option on the phone to provide this feature on the actual phone port. Anyone any other ideas on how to protect against rogue devices being connected into the phone ports?
02-03-2005 01:34 AM
Hi
I would have imagined that BPDU guard would shut down the port as the phone has a built-in switch... a quick search on this forum found this:
Which doesn't really make things any clearer... not sure whether he'd introduced a bug or fixed it :-)
Anyway, perhaps another option would be to use port MAC security - can't quite remember the commands but I'm sure you could set a limit on the number of MAC addresses on the port, and an aging time for them... So limit it to 3 or so and set an aging time of a few minutes, and it would prevent multiple users on a hub...
Just ideas though, not tested either myself.
Aaron
02-03-2005 01:36 AM
Just found this link, refers to the number of MACs you should allow with port security and IP Phones...
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12111yj/scg/swtrafc.htm
02-03-2005 12:22 PM
Hi,
That is good info. I've decided to try the port security sticky ARP approach with a 3 MAC address limit.
I agree with your comments regarding the switch in the phone, I'd expect it to generate BPDU frames, so BPDU guard is not an option on the connecting switch.
Thanks for the info,
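
The port-security limit and aging time discussed in this thread, written out as Cisco IOS interface configuration. This is an added example, not configuration posted by anyone in the thread; the interface name and VLAN numbers are placeholders, and which of these commands are available depends on the switch platform and software release.

```cisco
! Added example: cap the number of MAC addresses learned behind an IP phone port.
! FastEthernet0/1, VLAN 10 and VLAN 110 are placeholders, not values from the thread.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! Port security must be enabled before the other settings take effect.
 switchport port-security
 ! The limit of 3 chosen in the thread: room for the phone and the PC behind it,
 ! but not for a hub or switch full of extra hosts.
 switchport port-security maximum 3
 ! The default violation action is shutdown, which err-disables the port and
 ! takes the phone offline with it. restrict drops frames from the extra
 ! addresses and counts the violation, leaving the phone working.
 switchport port-security violation restrict
 ! Age out dynamically learned addresses after 2 minutes without traffic so a
 ! legitimately swapped PC is not locked out for long.
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
! To check learned addresses and the violation counter:
!   show port-security interface FastEthernet0/1
!   show port-security address
```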