Cisco Switch - Allow VoIP Disable ACCESS

TomTinsley
Level 1

We have a situation where some switchports are in a public area with Cisco IP Phones connected. We want to disable the ACCESS VLAN but allow the VOICE. Is it best practice to just remove the 'switchport mode access' command?

Accepted Solutions

Marvin Rhoads
Hall of Fame

That's one good step along the way.

If you really want to lock it down further, use port-security and restrict the allowed MAC address to the single phone connected on a given port. That will put the port into err-disable if anything else is even plugged into it.

Otherwise someone could put their machine up on the phone VLAN, give themselves a static IP that the phone they displaced had gotten via DHCP, and possibly navigate around your network that way.

More advanced solutions would be use of 802.1x and/or ISE but that requires investment in products and significant configuration steps.

Good idea, I will also add port security.
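
Added example, not part of the thread: a Python check that reads interface stanzas from an IOS running-config and flags voice-VLAN ports missing the port-security lockdown suggested in the accepted answer. The sample config, VLAN IDs and function names are constructed; the `max_macs=1` default follows the answer's "single phone" wording, and the mode check reflects that IOS only accepts port security on a static (non-dynamic) port.

```python
import re

# Constructed sample config: interface names and VLAN IDs are invented.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 110
 switchport port-security
!
interface GigabitEthernet1/0/2
 switchport voice vlan 110
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 5
!
interface GigabitEthernet1/0/4
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: [config lines under that interface]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def audit_phone_ports(config, max_macs=1):
    """Return {interface: [issues]} for every port with a voice VLAN."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport voice vlan ") for l in lines):
            continue  # no voice VLAN, so not a phone port
        # Port security is only accepted on a static port, hence the mode check.
        required = ("switchport mode access", "switchport port-security")
        issues = [f"missing '{c}'" for c in required if c not in lines]
        m = re.search(r"^switchport port-security maximum (\d+)$", "\n".join(lines), re.M)
        limit = int(m.group(1)) if m else 1  # IOS default maximum is 1
        if limit > max_macs:
            issues.append(f"allows {limit} MAC addresses, limit is {max_macs}")
        findings[name] = issues
    return findings
```

Raise `max_macs` if your platform's port-security guidance for voice VLAN ports calls for more than one address per phone.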