Cisco Support Community

VoIP Vlans & NAC

Let's say a VoIP network is going to be deployed in my organization.

Given this is a FIPS-140-2 environment, we will have a separate MPLS network from data, dedicated only to VoIP traffic.

If we also have NAC deployed, what is the best practice for NAC handling VoIP VLANs and IP phones?

From reading the documentation, I see that people exclude the VoIP VLAN from NAC. Is this right?

Question:

If it is true that people should exclude VoIP VLAN traffic from getting to the NAC system, what happens if someone uses a machine that fakes an IP phone, but in reality it is a malicious PC on the network? How is NAC going to protect against that?

1 REPLY

VoIP Vlans & NAC

IP Phones are excluded because NAC can't authenticate them. NAC uses "NAC agents" to authenticate and there are no "NAC agents" for IP phones.

I would recommend using ISE instead of NAC appliances. Cisco ISE uses 802.1x, and the newer families of Cisco IP Phones do support 802.1x authentication.

Please rate if it helps.

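An added example, not part of the thread and not Cisco's own code: a small Python audit of a switch configuration that reports, for each port carrying a voice VLAN, whether it has no port authentication, relies on MAB alone, or has 802.1X enabled, which is the gap the question raises about a PC posing as a phone. The sample configuration is constructed, and the script assumes the classic IOS `authentication ...` interface syntax.

```python
import re

# Constructed sample in classic IOS "authentication ..." syntax (an assumption;
# policy-map based configurations are not handled by this script).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport voice vlan 110
!
interface GigabitEthernet1/0/2
 switchport voice vlan 110
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/3
 switchport voice vlan 110
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 switchport access vlan 10
!
"""

def audit_voice_ports(config):
    """Return {interface: finding} for every port that carries a voice VLAN."""
    findings = {}
    # An interface stanza is the "interface" line plus the indented lines after it.
    for name, body in re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n)*)", config, re.M):
        lines = {line.strip() for line in body.splitlines()}
        if not any(l.startswith("switchport voice vlan") for l in lines):
            continue  # no voice VLAN on this port
        if "authentication port-control auto" not in lines:
            findings[name] = "voice VLAN with no port authentication"
        elif "dot1x pae authenticator" in lines:
            findings[name] = "802.1X enabled"
        elif "mab" in lines:
            findings[name] = "MAB only: the MAC address is the sole credential"
        else:
            findings[name] = "port-control auto but no authentication method"
    return findings

if __name__ == "__main__":
    for port, finding in audit_voice_ports(SAMPLE_CONFIG).items():
        print(port, "->", finding)
```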