02-28-2015 06:59 AM
Hi.
I am having some trouble figuring out what the most secure method is to secure a Cisco IP Phone.
I can't find information on how to properly secure the Link between a switchport and a Cisco IP Phone, with a daisy chained computer to it.
The thing that I am specifically afraid of is how to secure against Double VLAN tagging and CDP attacks on that port.
I have searched whichever possible resource for the answer and haven't found anything useful.
I also have a question in terms of port security on a switch: Can you set a minimum amount of Active MAC addresses and then limit the Aging period on MAC addresses on a specific switchport, such that if someone disconnects the phone and sets up a Cisco switch or another Rogue device, then the port should become Shutdown within the aging period.
Let me know, what you would suggest to best secure the line between the Cisco IP phone and the switch.
Best regards
Casper.
03-02-2015 07:17 AM
I would propose that the *most* secure way to lock down the port would be to implement a full blown 802.1x EAPOL protocol.
I'm not a VoIP guy, but this would likely contain all the information you'd need?
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.pdf
HTH.
Cheers!
03-02-2015 09:34 AM
Hi Scott.
Thanks for the reply.
That seems like the way to go :)
It should solve all the problems of authentication.
It seems I have two posts for this specific question with the same title as this post.
The correct post with this title and subject has the following URL: https://supportforums.cisco.com/discussion/12439861/switchport-security-best-practises-cisco-ip-phones
In case you would like to respond, it would be great if you moved the reply to that post.
Best regards.
03-03-2015 05:32 AM
I don't quite know how to move my post, but I'll go check out that URL you pointed out.
03-03-2015 05:40 AM
I think I see what you mean now, Caspiguru.
I'm not sure what's up, but I think the Forum gods are mashing posts and subsections together... or something is broken :-S