Cisco Support Community
New Member

Securing the Voice Vlan or SSID - best practices?


I am trying to determine how best to keep my VoIP SSIDs and/or VLANs secure from the standpoint of a hacker getting a PC/device onto this SSID or VLAN and having access to my corporate network.

We have a CUCM Pub & Sub in my HQ location along with the WLC.

Both remotely and locally we have VoIP SSIDs which I would like to lock down so only voice calls, ftp, dhcp etc.

In my mind I am thinking some form of ACLs on the VLANs which filter based on source/destination IP addresses as well as port ranges and protocols.

So far I am having a hard time locating any straightforward document on this.

Currently my VoIP SSIDs are using a static key, broadcasted SSID & WPA2 AES. - DHCP required

We do H-REAP (local VLANs) at the port where the APs touch the switched trunk ports, including the voice VLAN.

Most of the phones will be on a different IP scheme and VLAN since they are at several remote locations.

Any help would be appreciated & thank you.

Here are some of the critical devices' IP addresses.


Pub -

Sub - - option 150 points here (ftp)

DHCP server (several based on geographical location) but here is one example




Securing the Voice Vlan or SSID - best practices?

Really you have two issues at hand: first is securing so you can't get to corporate resources, second is keeping the devices off the network.

The first one is simple: use ACLs like you have mentioned on the upstream switch ports. While the WLC can do ACLs, I like to do these on the switches upstream and not burden the WLC with those tasks; it is one more item to forget to do if a WLC fails as well.

Second issue is that you are using PSK. If someone gets your PSK then they can easily put their device on the network. This doesn't have to be an outsider; this could be an employee as well. If someone were to get on your VoIP network they could flood it with traffic, causing issues for people trying to make calls. I would look at a more secure method of getting your devices online. Why? Because then you could use the abilities of ISE to see who is coming in, from what device, and what network. This would allow you to tell if someone is trying to connect a laptop to your VoIP network and then force them out a different VLAN at least, or block the connection completely.

HREAP complicates this somewhat, but we are starting to see enhancements to HREAP (now FlexConnect) that will allow this.

New Member

Securing the Voice Vlan or SSID - best practices?


Thank you for your time and response.

I will say I agree with you on both points BUT....

#1 While we agree that I need to put some form of ACL on the switch at the edge, I am still struggling to understand what ports/protocols I need to allow so the existing and future VoIP devices can do what they need, then filter out the rest.

#2 PSK is not the most secure method for sure, but given our desire for a simple, not a lot of touching process, it was the most efficient (I chose WPA2 AES to give us the best security available with a PSK) process I could see.

So given that we are a very small IT staff I have to balance the amount of time we potentially spend vs available resources.

So any specifics would be appreciated.
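
The switch-side ACL discussed in this thread, sketched as an added example that is not part of any post: an inbound extended ACL on the voice VLAN's Layer 3 interface that permits only DHCP, the option 150 download, call signalling and RTP, and logs everything else. Every address, the ACL name and the interface number are placeholders (the thread's real addresses are not shown), and the ports are the commonly documented CUCM defaults, so check them against the port usage guide for your CUCM release.

```cisco
! Added example. Placeholder values (RFC 5737 documentation ranges):
!   voice VLAN subnet ......... 198.51.100.0/24
!   CUCM Pub .................. 192.0.2.10
!   CUCM Sub / option 150 ..... 192.0.2.11
!   DHCP server ............... 192.0.2.20
! VOICE-VLAN-IN and Vlan110 are hypothetical names.
ip access-list extended VOICE-VLAN-IN
 remark DHCP discover/request (broadcast) and unicast renewals
 permit udp any eq bootpc any eq bootps
 permit udp 198.51.100.0 0.0.0.255 eq bootpc host 192.0.2.20 eq bootps
 !
 ! TFTP: the first packet goes to UDP 69, but the server answers from an
 ! ephemeral port and the phone's ACKs go to that port, so the permit is
 ! scoped by server address rather than by port.
 remark Config and firmware download from the option 150 server
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.11
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.11 eq 6970
 !
 remark Call signalling to both CUCM nodes: SCCP 2000, SIP 5060
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 2000
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.11 eq 2000
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 5060
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.11 eq 5060
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 5060
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.11 eq 5060
 !
 ! RTP flows phone to phone and phone to gateway, so the destination is
 ! "any" here; replace it with your voice subnets and gateways to tighten.
 remark RTP media
 permit udp 198.51.100.0 0.0.0.255 any range 16384 32767
 !
 remark Everything else from the voice VLAN is dropped and logged
 deny ip any any log
!
interface Vlan110
 description Voice VLAN gateway (hypothetical SVI)
 ip access-group VOICE-VLAN-IN in
```

The logged hits on the final deny show what a phone tried to reach that the ACL does not yet allow, which is a practical way to find any service (DNS, phone web services) that still needs its own permit line.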
