10-12-2010 04:27 PM - edited 03-16-2019 01:18 AM
We need to extend our internal voice network so that it can be accessed by staff in a remote location over which we don't have any administration. Just wondering if any of you guys have any experience locking down the network for voice only, no data at all.
The remote site will be using a Cisco 3750 connected via microwave; please refer to the topology.
Please let me know your ideas. Any security implementation on that is appreciated.
Thanks in advance
10-13-2010 05:46 AM
Hi there,
Depending on the number of phones and the number of switchports, I'd just go for a tight port security setup.
Then only put the voice VLAN ID as both access and voice VLAN. (Or you could go and use 802.1x.)
You could lock it down even further by only opening specific network ports between phones and CUCM, using ACLs on the switch.
Please refer to the following document:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf
There's such a document for all major versions of CUCM.
Furthermore, you should lock your switches from physical access if possible, or at least put some sort of authentication on the local console (sometimes forgotten when only remote access is enabled).
Hope this helps you further.
Cedric
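A sketch of the setup described in the reply above, as an added example that is not part of the original thread or of Cisco's documentation. The VLAN ID, interface range and addresses (192.0.2.10 for CUCM, 198.51.100.0/24 for the remote phones) are constructed placeholders, and the permitted ports are the commonly used defaults, which should be checked against the port list for your CUCM version.

```cisco
! Added example. Constructed values: VLAN 110, CUCM 192.0.2.10,
! remote phone subnet 198.51.100.0/24, ports Fa1/0/1 - 24.
vlan 110
 name VOICE-REMOTE
!
ip access-list extended VOICE-ONLY-IN
 remark DHCP requests from phones
 permit udp any eq bootpc any eq bootps
 remark TFTP request to CUCM for config and firmware
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq tftp
 remark TFTP data continues on a server-chosen high port
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.10 gt 1023
 remark SCCP signalling to CUCM
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 2000
 remark SIP signalling to CUCM
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 5060
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 5060
 remark RTP media (narrow the destination to your voice subnets)
 permit udp 198.51.100.0 0.0.0.255 any range 16384 32767
 remark Everything else is dropped, so no data traffic leaves the port
 deny ip any any
!
interface range FastEthernet1/0/1 - 24
 description Remote IP phone, voice only
 switchport mode access
 ! Voice VLAN ID used as both access and voice VLAN, as in the reply
 switchport access vlan 110
 switchport voice vlan 110
 ! Assumption: one phone per port, nothing daisy-chained behind it
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! Port ACL, applied inbound on the Layer 2 interface
 ip access-group VOICE-ONLY-IN in
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports stay shut (the range is a constructed placeholder)
interface range FastEthernet1/0/25 - 48
 shutdown
!
! Console authentication; assumes a local user account already exists
line con 0
 login local
```

After applying, `show port-security interface` and `show access-lists VOICE-ONLY-IN` confirm the secure MAC count and which ACL entries are matching.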
10-13-2010 06:43 AM
If the IP PBX is centrally located, maybe the Cisco ASA Phone Proxy is the solution:
http://www.networkworld.com/community/node/42488