Cisco Support Community
New Member

port security with voice vlan

If I have a switch (3500, 4000, or 6000) with ports configured with voice VLANs and have a phone connected, is there any way to absolutely ensure that nothing except the phone is able to send traffic on the voice VLAN?

MAC address-based security would not work for this because it seems this is assigned per port and we would not know the MAC address of the PC using the data VLAN on that port.

Is there some way to only allow CDP-enabled devices to connect to a port? Or what about restricting certain MAC addresses per port per VLAN, i.e. allowing only the phone's MAC address on the voice VLAN but allowing any other MAC address on the data VLAN?

Though private VLANs are a step in the right direction, it seems to me that if a PC is capable of sending 802.1Q-tagged frames on the voice VLAN, somebody could potentially have access to the voice VLAN, sniff the network to discover the IP addressing scheme and cause problems for devices that the private VLAN allows communication with, i.e. CallManager servers.

Any help with this would be greatly appreciated!

1 REPLY
Silver

Re: port security with voice vlan

Hi,

I guess there is no way to ensure that only the phone is able to send traffic on the VLAN.

As you said, MAC address-based security does not work here....
