Cisco Support Community

voice vlan security

What do you guys do for voice VLAN security? I'm using NAC, which takes care of the data VLAN, but I have nothing enabled for voice VLANs yet, other than using port security.

I have an Avaya phone system with Avaya IP phones. Any recommendation would be helpful.


Re: voice vlan security

A few basic things:

- voice vlans are never allowed to talk to the internet (or in my opinion, any other network)

- nothing can talk to the voice vlans but voice appliances (which should be in your voice vlan anyways) and management nodes

- ensure that phones remark any inbound traffic to CoS0 so chained PCs cannot send traffic with higher markings and have it honored by the switch/infrastructure

- make sure you use sRTP so eavesdropping is not as likely to cause data leaks

I have more but it's late and I'm trying to give you just a few ideas...


Re: voice vlan security

I agree voice VLANs should never be allowed to talk to the Internet, but the newer phones have options to go to etc. Someday we'll have to allow limited Internet access.

How do you restrict it so that nothing can talk to voice VLANs but the voice appliances? I see this can happen via ACLs; do you use anything else other than ACLs? I wish Cisco NAC would do that, but that's not the case. I'm looking at the option to buy Palo Altos to restrict user traffic from the data center, which will also take care of voice VLANs etc. But I want to see what other people are doing before I put this on the table for my mgmt.

Re: voice vlan security

Apply an ACL to any SVIs to prevent traffic from routing from an outside VLAN into the voice vlan. It's simple yet elegant.

I'm fairly sure you don't have to have the phones going to the internet to get the data. Usually you can stream all this over the xml features from the call manager and voice gateways, and not have to actually provide real internet access. We had stock tickers, weather, sports scores, etc streaming to our phones and none of the phones had internet access.
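An added Cisco IOS example of the SVI ACL approach described above (not code from anyone in this thread). The addressing is constructed: voice VLAN 200 on 10.200.0.0/24, voice appliances (call server, voice gateways, media resources) on 10.250.1.0/24, and management hosts on 10.250.9.0/24 are all assumptions.

```cisco
! Constructed addressing, not from the thread:
!   Vlan200 (phones)       10.200.0.0/24
!   voice appliances       10.250.1.0/24
!   management nodes       10.250.9.0/24
!
! Routed traffic INTO the voice VLAN: only voice appliances and
! management may originate it. Everything else is dropped and logged
! so unexpected sources (a chained PC on the data VLAN, a scanner) show up.
ip access-list extended VOICE-VLAN-OUT
 permit ip 10.250.1.0 0.0.0.255 10.200.0.0 0.0.0.255
 permit ip 10.250.9.0 0.0.0.255 10.200.0.0 0.0.0.255
 deny   ip any 10.200.0.0 0.0.0.255 log
!
! Routed traffic OUT of the voice VLAN: phones may reach voice
! appliances and management only. No path to the Internet or to
! other user VLANs; the final deny logs attempts.
ip access-list extended VOICE-VLAN-IN
 permit udp any eq bootpc any eq bootps          ! DHCP before ip helper relays it
 permit ip 10.200.0.0 0.0.0.255 10.250.1.0 0.0.0.255
 permit ip 10.200.0.0 0.0.0.255 10.250.9.0 0.0.0.255
 deny   ip 10.200.0.0 0.0.0.255 any log
!
interface Vlan200
 description Voice VLAN SVI
 ip address 10.200.0.1 255.255.255.0
 ip helper-address 10.250.1.10                   ! assumed DHCP server for phones
 ip access-group VOICE-VLAN-IN in
 ip access-group VOICE-VLAN-OUT out
```

Phone-to-phone RTP within VLAN 200 never crosses the SVI, so it is unaffected; if phones in other voice VLANs or sites must talk directly, add a permit pair for each of those subnets rather than loosening the deny.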
