Connecting a PC in the voice subnet

Answered Question
Jan 19th, 2009

I want to remove the data VLAN from the switch port and leave only the voice VLAN, so that only the IP phone can communicate from that port, due to a security issue.

Can anyone still connect a PC to the voice subnet and access the network?

If yes, what is the best practice to protect against that unwanted PC access?

Nicholas Matthews Mon, 01/19/2009 - 09:00

You can give it a 'switchport access vlan x' that does not have connectivity.

By default, the access VLAN will be VLAN 1.

When you configure 'switchport voice vlan', this information is communicated to the IP phone using CDP.

Unless the PC has been hacked to support CDP, it will not gain access to the voice VLAN.

You can enable port security:

interface FastEthernet0/5
 ! access VLAN 200 has no SVI, so an untagged PC on this port gets no IP connectivity
 switchport access vlan 200
 switchport mode access
 ! voice VLAN 233 is advertised to the phone via CDP; phone traffic is tagged with it
 switchport voice vlan 233
 ! port security with sticky learning: the first MAC seen is learned and written to the config
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast

This would be an example where VLAN 200 doesn't have an SVI (no connectivity), and 233 is the voice VLAN.

This will give only the phone (whatever MAC registers first) access.

hth,

nick
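The two controls in Nick's answer (an access VLAN with no SVI, and port-security with sticky MACs on every voice port) are easy to lose track of across a few hundred ports. The following is an added example, not code from the thread or from Cisco: a small audit that parses `show running-config` text and reports every port carrying a voice VLAN whose access VLAN has a live SVI or which lacks port-security. The sample config, interface names and addresses are constructed for the example; it assumes standard IOS stanza layout (sub-commands indented by one space, stanzas ended by `!`).

```python
"""Audit IOS switchports for the voice-only hardening described in the answer above.

Added example (not code from the thread). For every port with a voice VLAN it checks:
  1. the access VLAN has no live SVI, so an untagged PC gets no IP connectivity;
  2. port-security (with sticky MACs) is enabled, so only the first learned MAC is admitted.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed sample config (not from the thread); names and addresses are assumptions.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan233
 ip address 10.0.233.1 255.255.255.0
!
interface FastEthernet0/5
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 233
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport mode access
 switchport voice vlan 233
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
"""


@dataclass
class Port:
    name: str
    access_vlan: int = 1              # IOS default when 'switchport access vlan' is absent
    voice_vlan: Optional[int] = None
    port_security: bool = False
    sticky: bool = False


def iter_stanzas(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (interface name, sub-command lines) for each 'interface ...' stanza."""
    name: Optional[str] = None
    body: List[str] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            if name is not None:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name is not None and line.startswith(" "):
            body.append(line.strip())
        elif name is not None:          # '!' or any other top-level line closes the stanza
            yield name, body
            name, body = None, []
    if name is not None:
        yield name, body


def routed_vlans(config: str) -> Set[int]:
    """VLAN IDs that have an SVI with an IP address and are not shut down."""
    live: Set[int] = set()
    for name, body in iter_stanzas(config):
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and any(l.startswith("ip address ") for l in body) and "shutdown" not in body:
            live.add(int(m.group(1)))
    return live


def voice_ports(config: str) -> List[Port]:
    """Physical ports that carry a voice VLAN, with the settings the audit needs."""
    ports: List[Port] = []
    for name, body in iter_stanzas(config):
        if name.startswith("Vlan"):
            continue
        p = Port(name)
        for l in body:
            if m := re.fullmatch(r"switchport access vlan (\d+)", l):
                p.access_vlan = int(m.group(1))
            elif m := re.fullmatch(r"switchport voice vlan (\d+)", l):
                p.voice_vlan = int(m.group(1))
            elif l == "switchport port-security":
                p.port_security = True
            elif l == "switchport port-security mac-address sticky":
                p.sticky = True
        if p.voice_vlan is not None:
            ports.append(p)
    return ports


def audit(config: str) -> Dict[str, List[str]]:
    """Map each voice port to the hardening gaps found (an empty list means it passes)."""
    live = routed_vlans(config)
    findings: Dict[str, List[str]] = {}
    for p in voice_ports(config):
        issues: List[str] = []
        if p.access_vlan in live:
            issues.append(f"access VLAN {p.access_vlan} has a live SVI: an untagged PC gets IP connectivity")
        if not p.port_security:
            issues.append("port-security not enabled: any MAC can use the port")
        elif not p.sticky:
            issues.append("port-security without sticky: the learned MAC is not kept across a reload")
        findings[p.name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Run against the constructed config, FastEthernet0/5 (the answer's example) passes, FastEthernet0/6 is flagged twice (its access VLAN defaults to VLAN 1, which has an SVI, and it has no port-security), and FastEthernet0/7 is skipped because it carries no voice VLAN. One caveat worth keeping in mind when reading the results: port-security binds the port to a MAC address, and a MAC address can be copied by a PC plugged in in place of the phone, so it narrows the exposure rather than removing it.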

aminhaq Mon, 01/19/2009 - 09:47

Hi Nick,

Thanks for your answer.

This raised another question in my mind though. As the voice VLAN works on CDP, how are the Avaya phones communicating the voice VLAN, as our phones are Avaya phones and the switch is a Cisco Cat 4500?

Correct Answer
Nicholas Matthews Mon, 01/19/2009 - 11:12

Avaya has probably hijacked the CDP protocol.

If you do a sniffer, I'll bet you'll see Avaya picking up on the CDP.

This is the only way for the voice VLAN to be advertised, so it's not too much of a mystery.

hth,

nick
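What "picking up on the CDP" looks like on the wire, as an added example that is not code from the thread, from Cisco or from Avaya: the switch advertises `switchport voice vlan` in the VoIP VLAN Reply TLV (type 0x000E) of its CDP frame, and the decoder below pulls that value out, together with the native VLAN and identity TLVs, the way a sniffer would. It covers both the 09:00 statement that the voice VLAN is communicated to the phone using CDP and the 11:12 suggestion to sniff for it. The payload is constructed locally; the hostname, port and platform strings are assumptions, the CDP checksum is left at zero and not validated, and whether an Avaya phone actually consumes this TLV is the poster's inference, not something the code establishes.

```python
"""Decode the CDP TLVs a Cisco switch sends out an access port, including the VoIP VLAN
Reply TLV that carries the 'switchport voice vlan' value.

Added example, not code from the thread. The payload is constructed here; on a real link it
is the part of the CDP multicast frame (dst 01:00:0c:cc:cc:cc) after the 802.3/LLC/SNAP
header. The checksum field is set to zero and not validated.
"""
import struct
from typing import Any, Dict

TLV_DEVICE_ID = 0x0001
TLV_PORT_ID = 0x0003
TLV_PLATFORM = 0x0006
TLV_NATIVE_VLAN = 0x000A          # 16-bit VLAN ID (the access VLAN on an access port)
TLV_VOIP_VLAN_REPLY = 0x000E      # 1-byte ID field followed by the 16-bit voice VLAN


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; the length field includes the 4-byte type/length header."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_sample() -> bytes:
    """Constructed payload: version 2, TTL 180 s, checksum 0, then TLVs. Names are assumptions."""
    tlvs = (
        tlv(TLV_DEVICE_ID, b"SW-ACCESS-1")
        + tlv(TLV_PORT_ID, b"FastEthernet0/5")
        + tlv(TLV_PLATFORM, b"cisco Catalyst 4500")
        + tlv(TLV_NATIVE_VLAN, struct.pack("!H", 200))            # access VLAN 200
        + tlv(TLV_VOIP_VLAN_REPLY, b"\x01" + struct.pack("!H", 233))  # voice VLAN 233
    )
    return struct.pack("!BBH", 2, 180, 0) + tlvs


def parse_cdp(payload: bytes) -> Dict[str, Any]:
    """Walk the TLV list defensively: every length is bounds-checked before it is used."""
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    out: Dict[str, Any] = {"version": version, "ttl": ttl}
    off = 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError(f"truncated TLV header at offset {off}")
        tlv_type, length = struct.unpack("!HH", payload[off:off + 4])
        if length < 4 or off + length > len(payload):
            raise ValueError(f"bad TLV length {length} at offset {off}")
        value = payload[off + 4:off + length]
        if tlv_type == TLV_DEVICE_ID:
            out["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PORT_ID:
            out["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PLATFORM:
            out["platform"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_NATIVE_VLAN and len(value) == 2:
            out["native_vlan"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_VOIP_VLAN_REPLY and len(value) >= 3:
            out["voice_vlan"] = struct.unpack("!H", value[1:3])[0]
        off += length
    return out


if __name__ == "__main__":
    print(parse_cdp(build_sample()))
```

The decoded sample shows `voice_vlan: 233` next to `native_vlan: 200`. The security-relevant point is that the value arrives in clear in a link-local multicast frame, so anything plugged into the port can read the voice VLAN ID; keeping the number private is not what protects the voice subnet, the port-level controls in the earlier answer are.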

aminhaq Mon, 01/19/2009 - 12:23

Hehe, no doubt Avaya has hijacked a lot of the VoIP setup, as Aruba did for wireless.

I came to know that Avaya phones depend on DHCP for their initiation on the network, so we can't disable the data VLAN (in this case the DHCP server has to be specifically configured).
