Cisco Support Community

internal LAN port security/network security

We currently use NAC/VPN to protect our LAN from outside users coming in... we need a solution to protect the LAN from inside as well. We have an enterprise VOIP solution so port/MAC security is not an option for now. We want to protect against a person inside the LAN disconnecting a PC, then plugging in a laptop or WAP and getting an IP via DHCP... I am looking for solutions, practices, etc.


Re: internal LAN port security/network security

Do the VOIP phones support 802.1x? Even if the IP phones don't, empirically speaking, one could still get the desired result via 802.1x MDA (Multi-Domain Authentication) such that only the PC is challenged by the authentication server, while the phone is not, with MAB (MAC Address Bypass). See this doc for all the options, in a Cisco-centric LAN:


Re: internal LAN port security/network security

Thanks for the quick response. We have mainly Avaya 9630 phones

802.1X support - forwarding and supplicant. The 9600 Series telephones support several modes of 802.1X operation that include supplicant operation for true authentication of the telephone, pass-through of 802.1X messages for authentication of an attached PC, and a multi-supplicant mode in which both the telephone and the PC can be authenticated.

I am mostly concerned about a vendor or anyone wanting to do harm unplugging an inside trusted PC and then getting a DHCP address and access to our inside network. We are looking at using the voice vlan command and MAC address port security. I am reading through the document now. All the PCs hang off the VOIP phone.
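
A minimal Cisco IOS access-port configuration for the 802.1X MDA with MAB approach suggested in the first reply, added here as an illustration and not taken from the thread or from the Cisco document it mentions. The interface name, VLAN IDs, RADIUS server name, address and key are placeholder assumptions, and exact syntax varies by platform and IOS release.

```cisco
! --- Global AAA / 802.1X (placeholders: server name, address, key) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
radius server AUTH-SERVER-PLACEHOLDER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key SHARED-SECRET-PLACEHOLDER
!
! --- Access port: phone on the wall jack, PC behind the phone ---
! VLAN 10 (data) and VLAN 20 (voice) are assumed values.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! MDA: one authenticated device in the voice domain, one in the data domain.
 authentication host-mode multi-domain
 ! Port stays unauthorized until a device authenticates, so a laptop or WAP
 ! swapped in for the PC gets no data-VLAN access and no DHCP lease.
 authentication port-control auto
 ! Try 802.1X first; fall back to MAB for devices that send no EAPOL.
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 ! Tuning assumption: shorter EAPOL timeout so MAB fallback starts sooner.
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! The RADIUS server must return the Cisco AV pair
!   device-traffic-class=voice
! for the phone, otherwise the switch places it in the data domain.
```

After applying, `show authentication sessions interface GigabitEthernet1/0/1` lists each device with its domain (VOICE or DATA) and the method that authorized it.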