New Member

Connecting a PC in the voice subnet

I want to remove the data VLAN from the switch port and leave only the voice VLAN, so that only the IP phone communicates from that port, due to a security issue.

Would anyone still be able to connect a PC to the voice subnet and access the network?

If yes, what is the best practice to protect against that unwanted PC access?

4 REPLIES

Re: Connecting a PC in the voice subnet

You can give it a 'switchport access vlan x' that does not have connectivity.

By default, the access vlan will be VLAN 1.

When you configure 'switchport voice vlan', this information is communicated to the IP phone using CDP.

Unless the PC has been hacked to support CDP, it will not gain access to the voice vlan.

You can enable port security:

interface FastEthernet0/5
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 233
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast

This would be an example where VLAN 200 doesn't have an SVI (no connectivity), and 233 is the voice vlan.

This will give only the phone (whatever MAC registers first) access.

hth,

nick
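
An added example, not part of the original reply: a small Python audit that checks every voice-VLAN port in an IOS-style configuration against the layout in the post above (an access VLAN without connectivity, port security, sticky MAC learning). The function names, the `dead_vlans` parameter and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample config (not from a real device); Fa0/5 mirrors the post.
SAMPLE_CONFIG = """\
interface FastEthernet0/5
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 233
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport mode access
 switchport voice vlan 233
"""

def parse_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_voice_ports(config, dead_vlans=frozenset({200})):
    """Return {interface: [issues]} for ports that carry a voice VLAN."""
    # Assumption: dead_vlans lists the VLANs with no SVI (200 in the post).
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("switchport voice vlan ") for c in cmds):
            continue  # not a phone port, out of scope
        m = re.search(r"^switchport access vlan (\d+)$", "\n".join(cmds), re.M)
        access = int(m.group(1)) if m else 1  # access VLAN defaults to 1
        issues = []
        if access not in dead_vlans:
            issues.append(f"access VLAN {access} is not a no-connectivity VLAN")
        if "switchport port-security" not in cmds:
            issues.append("port security not enabled")
        if "switchport port-security mac-address sticky" not in cmds:
            issues.append("sticky MAC learning not enabled")
        findings[name] = issues
    return findings
```

An empty issue list means the port matches the layout in the post; ports without a voice VLAN are skipped.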

New Member

Re: Connecting a PC in the voice subnet

Hi Nick,

Thanks for your answer.

This raised another question in my mind, though. As the voice VLAN works on CDP, how are the Avaya phones communicating the voice VLANs, given that our phones are Avaya phones and the switch is a Cisco Cat 4500?

Re: Connecting a PC in the voice subnet

Avaya has probably hijacked the CDP protocol.

If you do a sniffer, I'll bet you'll see Avaya picking up on the CDP.

This is the only way for the voice VLAN to be advertised, so it's not too much of a mystery.

hth,

nick

New Member

Re: Connecting a PC in the voice subnet

Hehe, no doubt that Avaya has hijacked a lot of VoIP setup as Aruba did for Wireless.

I came to know that Avaya phones depend on DHCP for their initiation to the network, so we can't disable the data VLAN. (In this case the DHCP server has to be specifically configured.)
