AW: [cisco-voip] VoIP Security

Bernhard Albler balbler at nts.at
Thu Jun 9 06:36:13 EDT 2005


Hi Ronald!

Well, in the default configuration the PC can send tagged frames to the voice VLAN. There is a phone parameter which allows you to change this, called "PC Voice VLAN Access".
If you disable PC Voice VLAN Access, the exact behaviour will depend on the phone type:
7970: will drop all tagged frames.
7940/7960: will drop only frames tagged with the VID of the voice VLAN.
7912: AFAIK the parameter isn't available for the 7912.

Generally speaking:
You won't be able to keep rogue clients from accessing the VVLAN in some way. Trust via CDP is not a security mechanism per se, and the phones don't do dot1x yet.
Basically you will have to accept this, and you can still secure the VVLAN very well via switching security features (VLAN ACLs, rate limiting, policing, port security etc.). For details on this see the security guides at CCO and the Miercom report.
But you should not consider the devices in the VVLAN to be trusted.
Best regards
bernhard

-----Original Message-----
From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ronald Heitmann
Sent: Thursday, 09 June 2005 12:26
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] VoIP Security

Hi,

what happens if the PC behind the IP phone sends 802.1Q-tagged Ethernet frames?

//Scenario: [PC]--[IP.Phone]--[Catalyst-Switch]

- will the phone discard these frames, or will they get switched into the network?

In the second case, the whole trust-boundary model will get compromised: even if I allow only the voice VLAN as tagged on the switchport, the PC can send frames directly into the voice VLAN.

just as discussion...

Regards,
//Ronald
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
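The behaviour Bernhard describes, written out as a small model (this is an added example, not code from the thread or from Cisco): it parses the 802.1Q tag out of an Ethernet frame, applies the per-phone-model PC-port rule with "PC Voice VLAN Access" on or off, and then runs the kind of check a switch-side control (a VACL or port security on the voice VLAN) would need to make, namely flagging voice-VLAN-tagged frames whose source is not the phone itself. The voice VID (100), the MAC addresses and the frames are constructed sample values; treating the 7912 as always forwarding when the parameter is disabled is an assumption that follows from the reply saying the parameter is not available on it.

```python
import struct

TPID_8021Q = 0x8100        # TPID that marks a single 802.1Q tag
VOICE_VID = 100            # constructed: voice VLAN configured on the switchport

# constructed sample addresses (locally administered, not real devices)
BCAST = bytes.fromhex("ffffffffffff")
PC_MAC = bytes.fromhex("020000000001")
PHONE_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble an Ethernet frame, optionally with one 802.1Q tag."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None for untagged frames.

    Only one 802.1Q tag is handled, which is the case discussed in the thread.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def phone_forwards(frame, phone_model, pc_voice_vlan_access=True, voice_vid=VOICE_VID):
    """Model of the phone's PC port as described in the reply.

    Default ("PC Voice VLAN Access" enabled): every frame is passed through.
    Disabled: 7970 drops every tagged frame; 7940/7960 drop only frames
    tagged with the voice VID; 7912 has no such parameter, so it is modelled
    as forwarding (assumption).
    """
    _, _, vid, _, _ = parse_frame(frame)
    if vid is None or pc_voice_vlan_access:
        return True
    if phone_model == "7970":
        return False
    if phone_model in ("7940", "7960"):
        return vid != voice_vid
    return True


def flag_rogue_voice_frames(frames, phone_mac, voice_vid=VOICE_VID):
    """Switch-side check: sources other than the phone that inject frames
    tagged with the voice VID. Returns the offending source MACs as hex."""
    rogue = set()
    for frame in frames:
        _, src, vid, _, _ = parse_frame(frame)
        if vid == voice_vid and src != phone_mac:
            rogue.add(src.hex(":"))
    return sorted(rogue)


def demo():
    """Traffic seen on the switchport behind a 7912-style pass-through phone."""
    payload = b"\x45" + b"\x00" * 19          # minimal IPv4-looking payload
    seen = [
        build_frame(BCAST, PHONE_MAC, 0x0800, payload, vid=VOICE_VID),  # phone
        build_frame(BCAST, PC_MAC, 0x0800, payload),                    # PC, untagged
        build_frame(BCAST, PC_MAC, 0x0800, payload, vid=VOICE_VID),     # PC, voice-tagged
    ]
    return flag_rogue_voice_frames(seen, PHONE_MAC)


if __name__ == "__main__":
    print("rogue voice-VLAN sources:", demo())
```

The parser stops at one tag on purpose; a QinQ (0x88a8) outer tag would show up as an unknown ethertype, which is the safe failure for a check like this.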


