Switch Port Security: Protecting VLANs used for IP telephony

kaustav.gupta
Level 1

Hi,

I have a switch port configured with a VLAN where an Avaya IP telephone will be connected. The IP telephone, once connected, will be assigned an IP by the DHCP server. If a user removes the IP telephone and connects a PC, an IP will automatically be assigned. I need to protect the port against a rogue user connecting his PC. How can I protect the voice VLAN?

4 Replies

hgru
Level 1

Hi,

Same way as you would protect a port for any other system. Turn on port security and switch on sticky learning for one MAC address. Then it will only allow one MAC address to be learned on that port.

Let's say I have 2000 IP phones, then?

Then all the ports that have sticky learning will learn the MAC address automatically (you don't need to enter them) the first time they connect. Yes, you would have to configure 2000 ports with sticky learning. You can do this with a management tool like CiscoWorks2000 in a bulk action if you always use the same range of ports on each switch. You can also do that for all ports even if there are other types of devices on them, but remember if something moves later on you have to erase the MAC address from the port it moves to if ever something registered its MAC address on that port. Especially for connections for flexworkers and in conference rooms it can be tedious, so make an exception for them.

If this is still too much hassle, you should look into applying 802.1X. With 802.1X, something or someone first has to identify himself. A user will do this by logging in. An unattended device will do it by using a digital certificate. During that period the device will be in a separate VLAN. After identification it will be put in the correct VLAN for that user or device.

Setting up 802.1X is a lot of hassle. You have to buy a server and software for it. Also your switches need to be replaced if they do not support 802.1X.

* please rate posts

kleo
Level 3

my 2 cents:

* Disable all administrative access to network infrastructure from voice VLAN addresses.

* Configure dynamic ARP inspection to lower the risk of ARP poisoning attacks.

* Configure DHCP snooping to lower the risk of DHCP server spoofing attacks.

* Configure limits on the number of MAC addresses allowed to be connected to a switch port. This will lower the risk of port-stealing by overwhelming the switch CAM table.

* Configure storm control to limit the risk of a DoS attack via non-unicast traffic.

* Configure proper filtering between voice and data networks to ensure that even if unauthorized voice VLAN access is achieved, the risk presented by this access is less than the risk posed by unauthorized data VLAN access.

PS: I use VMPS, but that's a whole other set of complexity with IP phones.
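An added example, not part of this thread and not Cisco's own code: a small Python audit that reads a `show running-config` style text and flags every port carrying a voice VLAN that lacks the measures suggested in the replies above (port security with sticky MAC learning and an explicit maximum, DHCP snooping and dynamic ARP inspection covering the voice VLAN, storm control). The embedded config, the interface names and the VLAN numbers are constructed for illustration; only Gi1/0/1 is configured the way the replies recommend.

```python
"""Audit a Cisco IOS running-config for voice-VLAN port hardening.

Added example (not from the thread or from Cisco). The config text below is
constructed; interface names and VLAN numbers are assumptions for illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: Gi1/0/1 follows the thread's advice, Gi1/0/2 does not,
# Gi1/0/3 is a plain data port and is out of scope for this check.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,100
ip arp inspection vlan 100
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 storm-control broadcast level 1.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level lines and {interface: [indented lines]}."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def expand_vlans(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22,100' into a set of VLAN ids."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def covered_vlans(global_lines: List[str], feature: str) -> Set[int]:
    """VLANs named in global '<feature> vlan ...' lines (DHCP snooping / ARP inspection)."""
    prefix = f"{feature} vlan "
    covered: Set[int] = set()
    for line in global_lines:
        if line.startswith(prefix):
            covered |= expand_vlans(line[len(prefix):])
    return covered


def audit_voice_ports(text: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for every port with a numeric voice VLAN.

    An empty finding list means the port has every measure the thread recommends.
    """
    global_lines, interfaces = parse_config(text)
    snooping_on = "ip dhcp snooping" in global_lines
    snooped = covered_vlans(global_lines, "ip dhcp snooping")
    inspected = covered_vlans(global_lines, "ip arp inspection")
    report: Dict[str, List[str]] = {}
    for name, lines in interfaces.items():
        voice = next((l for l in lines if l.startswith("switchport voice vlan ")), None)
        if voice is None or not voice.rsplit(None, 1)[1].isdigit():
            continue  # no voice VLAN, or 'dot1p'/'none'/'untagged' forms: skip
        vlan = int(voice.rsplit(None, 1)[1])
        findings: List[str] = []
        if "switchport port-security" not in lines:
            findings.append("port-security not enabled")
        if "switchport port-security mac-address sticky" not in lines:
            findings.append("sticky MAC learning not enabled")
        if not any(l.startswith("switchport port-security maximum ") for l in lines):
            findings.append("no explicit port-security maximum")
        if not any(l.startswith("storm-control ") for l in lines):
            findings.append("no storm-control")
        if not snooping_on or vlan not in snooped:
            findings.append(f"DHCP snooping not enabled for voice VLAN {vlan}")
        if vlan not in inspected:
            findings.append(f"dynamic ARP inspection not enabled for voice VLAN {vlan}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, issues in audit_voice_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Feed it the saved output of `show running-config` from each switch to get the list of phone ports still missing sticky learning, which is the same bulk job the reply above describes doing through a management tool; the global DHCP snooping and ARP inspection checks cover the other items on the list.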
