07-25-2006 04:55 AM - edited 03-03-2019 04:13 AM
Hi,
I have a switch port configured with a VLAN where an Avaya IP telephone will be connected. The IP telephone, once connected, will be assigned an IP by the DHCP server. If a user removes the IP telephone and connects a PC, an IP will automatically be assigned. I need to protect the port against a rogue user connecting his PC. How can I protect the voice VLAN?
07-25-2006 05:14 AM
Hi,
Same way as you would protect a port for another system. Turn on port security and switch on sticky learning for one MAC address. Then it will only allow one MAC address to be learned on that port.
07-25-2006 05:35 AM
Let's say I have 2000 IP phones, then?
07-25-2006 05:58 AM
Then all the ports that have sticky learning will learn the MAC address automatically (you don't need to enter them) the first time they connect. Yes, you would have to configure 2000 ports with sticky learning. You can do this with a management tool like CiscoWorks2000 in a bulk action if you always use the same range of ports on each switch. You can also do that for all ports even if there are other types of devices on them. But remember, if something moves later on you have to erase the MAC address from the port it moves to if ever something registered its MAC address on that port. Especially for flexworker connections and in conference rooms it can be tedious, so make an exception for them.
If this is still too much hassle, you should look into applying dot1x. By using dot1x, something or someone first has to identify himself. A user will do this by logging in. An unattended device will do it by using a digital certificate. During that period the device will be in a separate VLAN. After identification it will be put in the correct VLAN for that user or device.
Setting up dot1x is a lot of hassle. You have to buy a server and software for it. Also your switches need to be replaced if they do not support dot1x.
* please rate posts
07-25-2006 07:13 AM
My 2 cents:
* Disable all administrative access to network infrastructure from voice VLAN addresses.
* Configure dynamic ARP inspection to lower the risk of ARP poisoning attacks.
* Configure DHCP snooping to lower the risk of DHCP server spoofing attacks.
* Configure limits on the number of MAC addresses allowed to be connected to a switch port. This will lower the risk of port-stealing by overwhelming the switch CAM table.
* Configure storm control to limit the risk of a DoS attack via non-unicast traffic.
* Configure proper filtering between voice and data networks to ensure that even if unauthorized voice VLAN access is achieved, the risk presented by this access is less than the risk posed by unauthorized data VLAN access.
PS: I use VMPS, but that's a whole other set of complexity with IP phones.
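The sticky port security from the earlier replies and the DHCP snooping, ARP inspection, MAC-limit and storm-control items from this list, combined into one Catalyst IOS access-port configuration as an added example (not from any poster in this thread; the VLAN numbers, interface names and the uplink port are assumed):

```cisco
! Assumed: voice VLAN 10, data VLAN 20, phone ports Gi1/0/1-47, uplink Gi1/0/48
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 10
 ! One MAC on the voice VLAN (the phone) plus one on the data VLAN (a PC behind it)
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 ! restrict drops offending frames and logs a violation without shutting the port
 switchport port-security violation restrict
 ! Cap non-unicast traffic at 1% of link bandwidth
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 description uplink towards DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
```

When a phone is moved, `clear port-security sticky interface GigabitEthernet1/0/x` removes the stale sticky entry the earlier reply warns about; `show port-security interface` shows the current count and any violation.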