[cisco-voip] Restricting VoIP VLAN ports to known phones only

Mike Armstrong mfa at crec.ifas.ufl.edu
Thu Apr 14 09:22:32 EDT 2005


Unfortunately, we don't have the dollars or port densities in our several 
buildings to justify the fancy VMPS server switches, which would be ideal 
for all of our endpoint security concerns (MAC-spoofing aside).  The 
whitepaper is wonderful, but all it does is tell me to do what I want to do 
anyway.  I'm hoping that Stage 2 NAC eventually will address the problem 
also, but have been unable to get detailed planning information about that.

Does anyone have experience with the Open VMPS server? 
(http://sourceforge.net/projects/vmps/)

Mike

----- Original Message ----- 
From: "Marcin Nowacki" <Marcin_Nowacki at sevenet.pl>
To: "Kádár Zsolt" <Zsolt.Kadar at synergon.hu>; "Mike Armstrong" 
<mfa at crec.ifas.ufl.edu>; <cisco-voip at puck.nether.net>
Sent: Thursday, April 14, 2005 7:44 AM
Subject: RE: [cisco-voip] Restricting VoIP VLAN ports to known phones only


Check this out:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801b7a50.shtml


Marcin

-----Original Message-----
From: cisco-voip-bounces at puck.nether.net 
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Kádár Zsolt
Sent: Thursday, April 14, 2005 1:32 PM
To: Mike Armstrong; cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] Restricting VoIP VLAN ports to known phones only


Hi Mike,

If you have any Catalyst 4000, 5000, 6000 in your network, try to use the VMPS 
feature.

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84be.html#xtocid36

Zsolt Kadar


-----Original Message-----
From: Mike Armstrong [mailto:mfa at crec.ifas.ufl.edu]
Sent: Thursday, April 14, 2005 1:07 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Restricting VoIP VLAN ports to known phones only

We've got ports for IP phones dropped in many public areas, conference 
rooms, etc.  I'd like to restrict these ports to known IP phones only.  Port 
Security won't work (at least not on the 3524s), since it restricts MAC 
addresses to one specific port --  I don't care which port the device(s) 
connect to, and in fact several devices (mostly conference phones) do roam.
Can't do it with DHCP, since an attacker could plug in a device with a 
static IP.  Any suggestions?  Would changing the switches to another model 
(3550s or 3750s) help?

Mike Armstrong
UF/IFAS CREC
Lake Alfred, FL

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


