Voice Over IP Trust Issue

Unanswered Question
Apr 1st, 2010


Does anyone know a way to turn on security on a switch port to force it to only allow assigning a voice IP address to a Cisco IP phone, and if it's a PC then it will only get a data IP address? Basically we don't want a user spoofing his PC to get a voice IP address. I know switchport voice vlan needs CDP, but I have an over-paranoid security dept that knows that CDP can be simulated by a hacker to potentially get access to the voice subnet. Problem is I have a site with multiple VRFs in an MPLS environment, and if someone gets access to the voice subnet they get into the trusted VRF from the protected VRF??


> Don't want to have to use NAC etc.

Paolo Bevilacqua Thu, 04/01/2010 - 09:09

There is so much security you can implement on a Cisco switch: 802.1x, MAC limits and much more.

Make sure the security dept. will understand the time and associated cost when doing these things, because security doesn't come free, and that is the No. 1 rule.

So that the decision resides with true managers, and you will find that they can be more pragmatic.

CHRIS CHARLEBOIS Thu, 04/01/2010 - 09:22

Another option might be to restrict the traffic on the voice VLAN to actual voice traffic via ACL. If you limit the protocols allowed on the VRF to RTP and SCCP (and possibly HTTP to the CUCM or other internal web server for Corp Dir access), you can eliminate any benefit to accessing the voice network.
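An added example of the ACL approach described above (illustration only, not posted by Chris or taken from any Cisco document): an extended ACL on the voice-VLAN SVI that admits only what a phone needs and logs everything else. The VLAN number, subnet and CUCM address are placeholders; TCP 2000 is the standard SCCP port and UDP 16384-32767 is the default RTP range on Cisco phones, and DHCP/TFTP are added because a phone cannot boot without them.

```cisco
! Added example, not from the thread. Placeholders: voice VLAN 20 = 10.10.20.0/24,
! CUCM/TFTP server = 10.10.100.10. Adjust to the real deployment before use.
ip access-list extended VOICE-VLAN-IN
 remark -- boot dependencies: DHCP (via ip helper on the SVI) and TFTP config download
 permit udp any eq bootpc any eq bootps
 permit udp 10.10.20.0 0.0.0.255 host 10.10.100.10 eq tftp
 remark -- SCCP signalling to CUCM only (TCP 2000)
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.100.10 eq 2000
 remark -- RTP media phone-to-phone within the voice subnet (Cisco default UDP range)
 permit udp 10.10.20.0 0.0.0.255 range 16384 32767 10.10.20.0 0.0.0.255 range 16384 32767
 remark -- HTTP to CUCM for corporate directory / phone services, nothing else on the web
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.100.10 eq www
 remark -- anything else from the voice subnet, including attempts to reach the trusted VRF,
 remark -- is dropped; the log keyword gives the security team a record of spoofing attempts
 deny ip any any log
!
interface Vlan20
 description Voice SVI (placeholder addressing)
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.10.100.10
 ip access-group VOICE-VLAN-IN in
```

If phones on this subnet call phones or gateways on other voice subnets across the MPLS core, each of those destinations needs its own RTP (and SCCP, if signalling is hairpinned there) permit line before the final deny; watch the deny counter and log messages after deployment to catch legitimate flows the list misses.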
