cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
421
Views
5
Helpful
4
Replies

Switchport security best practises for Cisco IP Phones

caspiguru
Beginner
Beginner

Hi.

I am having some trouble figuring out what the most secure method is to secure a Cisco IP Phone.

I can't find information on how to properly secure the Link between a switchport and a Cisco IP Phone, with a daisy chained computer to it.


The thing that I am specifically afraid of is how to secure against Double VLAN tagging and CDP attacks on that port.

I have searched whichever possible ressource for the answer and haven't found anything useful.

I also have a question in terms of port security on a switch: Can you set a minimum amount of Active MAC adresses and then limit the Aging period on MAC adresses on a specific switchport , such that if someone disconnects the phone and sets up a Cisco switch or another Rogue device, then the port should become Shutdown within the aging period.

 

Let me know, what you would suggest to best secure the line between the Cisco IP phone and the switch.
 

Best regards

Casper.

1 Accepted Solution

Accepted Solutions

Scott Olsen
Frequent Contributor
Frequent Contributor

I would propose that the *most* secure way to lock down the port would be to implement a full blown 802.1x EAPOL protocol.  

I'm not a VoIP guy, but this would likely contain all the information you'd need?

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.pdf

HTH.

Cheers!

 

Scott Olsen Solutions Specialist Bulletproof Solutions Inc. Web: www.bulletproofsi.com

View solution in original post

4 Replies 4

Scott Olsen
Frequent Contributor
Frequent Contributor

I would propose that the *most* secure way to lock down the port would be to implement a full blown 802.1x EAPOL protocol.  

I'm not a VoIP guy, but this would likely contain all the information you'd need?

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.pdf

HTH.

Cheers!

 

Scott Olsen Solutions Specialist Bulletproof Solutions Inc. Web: www.bulletproofsi.com

Hi Scott.

Thanks for the reply.

That seems like the way to go :)
It should solve all the problems of authentication. 

It seems I have two posts for this specific question with the
same title as this post.

The correct post with this title and subject has the following
URL: https://supportforums.cisco.com/discussion/12439861/switchport-security-best-practises-cisco-ip-phones

In case you would like to respond, it would be great if you moved the reply to that post.

 

Best regards.

Scott Olsen
Frequent Contributor
Frequent Contributor

I don't quite know how to move my post, but I'll go check out that URL you pointed out.

Scott Olsen Solutions Specialist Bulletproof Solutions Inc. Web: www.bulletproofsi.com

Scott Olsen
Frequent Contributor
Frequent Contributor

I think I see what you mean now, Caspiguru.

I'm not sure what's up, but I think the Forum gods are mashing posts and subsections together... or something is broken :-S

Scott Olsen Solutions Specialist Bulletproof Solutions Inc. Web: www.bulletproofsi.com
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers