Switchport security best practises for Cisco IP Phones

caspiguru
Level 1

Hi.

I am having some trouble figuring out what the most secure method is to secure a Cisco IP Phone.

I can't find information on how to properly secure the link between a switchport and a Cisco IP Phone with a computer daisy-chained to it.


The thing that I am specifically afraid of is how to secure against Double VLAN tagging and CDP attacks on that port.

I have searched every possible resource for the answer and haven't found anything useful.

I also have a question in terms of port security on a switch: Can you set a minimum number of active MAC addresses and then limit the aging period on MAC addresses on a specific switchport, such that if someone disconnects the phone and sets up a Cisco switch or another rogue device, then the port should become shut down within the aging period?

 

Let me know what you would suggest to best secure the line between the Cisco IP phone and the switch.
 

Best regards

Casper.

Accepted Solutions

Scott Olsen
Level 6

I would propose that the *most* secure way to lock down the port would be to implement a full-blown 802.1x EAPOL protocol.

I'm not a VoIP guy, but this would likely contain all the information you'd need?

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.pdf

HTH.

Cheers!

 

Scott Olsen Solutions Specialist Bulletproof Solutions Inc. Web: www.bulletproofsi.com
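
An added example, not part of the original thread or of the linked Cisco guide: a Catalyst IOS access-port configuration for the 802.1X approach proposed above, with a phone and a daisy-chained PC authenticating separately on one port. The interface name and VLAN IDs 10 (data) and 110 (voice) are assumptions, the RADIUS server definition is omitted, and command availability varies by platform and IOS release.

```cisco
! Added example. Interface name and VLAN IDs are assumed values.
! Global: enable AAA and 802.1X (RADIUS server definition not shown).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description IP phone with daisy-chained PC
 ! Static access port: no DTP, so the port cannot be negotiated into a trunk.
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
 switchport voice vlan 110
 ! Multi-domain: one device in the voice domain, one in the data domain.
 ! The RADIUS server places the phone in the voice domain by returning
 ! the Cisco AV pair device-traffic-class=voice.
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 ! An extra MAC address in either domain is a violation: drop and log it.
 authentication violation restrict
 dot1x pae authenticator
 ! MAC Authentication Bypass as fallback for devices without a supplicant.
 mab
 ! Edge-port protection: a switch plugged in here trips BPDU guard.
 spanning-tree portfast
 spanning-tree bpduguard enable
```

After applying it, `show authentication sessions interface GigabitEthernet1/0/10` lists the session in each domain and the method that authorized it.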


4 Replies

Hi Scott.

Thanks for the reply.

That seems like the way to go :)
It should solve all the problems of authentication. 

It seems I have two posts for this specific question with the same title as this post.

The correct post with this title and subject has the following URL: https://supportforums.cisco.com/discussion/12439861/switchport-security-best-practises-cisco-ip-phones

In case you would like to respond, it would be great if you moved the reply to that post.

 

Best regards.

I don't quite know how to move my post, but I'll go check out that URL you pointed out.

Scott Olsen Solutions Specialist Bulletproof Solutions Inc. Web: www.bulletproofsi.com

I think I see what you mean now, Caspiguru.

I'm not sure what's up, but I think the Forum gods are mashing posts and subsections together... or something is broken :-S

Scott Olsen Solutions Specialist Bulletproof Solutions Inc. Web: www.bulletproofsi.com