AW: [cisco-voip] VoIP Security

Candace Holman candace_holman at harvard.edu
Thu Jun 9 11:35:05 EDT 2005


Additionally, firmware version 7.2(2) for 7940G/7960G has a new 
configurable parameter called "PC VLAN" which allows phones to strip 
802.1p/q tags from the connected PC.  The parameter applies to voice VLANs in 
non-Cisco switches.  The jury is still out on whether it works properly.

We are having one reported issue of a 7.2(2)-coincident performance problem 
with the PC port, yet the parameter was disabled.  Anyone else?

Candace Holman


At 06:36 AM 6/9/2005, Bernhard Albler wrote:
>Hi Ronald!
>
>Well, in the default configuration the pc can send tagged frames to the 
>voice vlan. There is a Phone Parameter which allows you to change this 
>called "PC Voice VLAN Access".
>If you disable PC Voice VLAN access the exact behaviour will depend on the 
>phone type:
>7970:
>Will drop all tagged frames
>7940/7960
>Will drop only frames tagged with VID of the Voice VLAN.
>7912
>AFAIK the parameter isn't avail. for the 7912
>
>Generally speaking:
>You won't be able to keep rogue clients from accessing the VVLAN in 
>some way. Trust via CDP is not a security mechanism per se and the phones 
>don't do dot1x yet.
>Basically you will have to accept this and you can still secure the 
>VVLAN very well via Switching Security features (VLAN ACLs, rate limiting, 
>policing, port security etc.). For details on this see the security guides 
>@cco and the miercom report.
>But you should not consider the devices in the VVLAN to be trusted.
>Best regards
>bernhard
>
>-----Original Message-----
>From: cisco-voip-bounces at puck.nether.net 
>[mailto:cisco-voip-bounces at puck.nether.net] On behalf of Ronald Heitmann
>Sent: Thursday, 09 June 2005 12:26
>To: cisco-voip at puck.nether.net
>Subject: [cisco-voip] VoIP Security
>
>Hi,
>
>what happens, if the PC behind the IP-phone sends 802.1Q-tagged
>ethernet-frames?
>
>//Scenario: [PC]--[IP.Phone]--[Catalyst-Switch]
>
>- will the phone discard these frames?
>or will they get switched into the network?
>
>In the second case, the whole trust-boundary model will get compromised:
>even if I allow only the voice VLAN as tagged on the switchport, the PC
>can send frames directly into the voice VLAN.
>
>just as discussion...
>
>Regards,
>//Ronald
>_______________________________________________
>cisco-voip mailing list
>cisco-voip at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-voip
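As an added illustration of the per-model behaviour Bernhard describes above (example code, not from the thread or from Cisco), the following Python parses the 802.1Q tag of a frame arriving at the phone's PC port and models which frames each phone type would pass on with "PC Voice VLAN Access" disabled. The voice VID 200, the MAC addresses and the 7912 falling back to the default (tags pass) are assumptions.

```python
import struct

TPID_8021Q = 0x8100  # TPID that marks an 802.1Q-tagged frame


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, vid, pcp, ethertype, payload).
    vid and pcp are None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return dst, src, None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13          # 802.1p priority, top 3 bits of the TCI
    vid = tci & 0x0FFF       # VLAN ID, low 12 bits of the TCI
    return dst, src, vid, pcp, inner_type, frame[18:]


def pc_port_forwards(frame: bytes, model: str, voice_vid: int) -> bool:
    """Model of the PC port with 'PC Voice VLAN Access' disabled, as described
    in the thread: True if the phone passes the frame on to the switch."""
    vid = parse_frame(frame)[2]
    if vid is None:
        return True                 # untagged frames go to the data VLAN
    if model == "7970":
        return False                # drops every tagged frame
    if model in ("7940", "7960"):
        return vid != voice_vid     # drops only frames tagged with the voice VID
    if model == "7912":
        return True                 # parameter not available: assumed default, tags pass
    raise ValueError(f"unknown phone model {model!r}")


def build_frame(vid=None, pcp=0, ethertype=0x0800, payload=b"\x00" * 4) -> bytes:
    """Construct a sample frame (made-up MAC addresses) for exercising the parser."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


if __name__ == "__main__":
    for model in ("7970", "7960", "7912"):
        for vid in (None, 200, 10):
            fwd = pc_port_forwards(build_frame(vid=vid), model, voice_vid=200)
            print(f"{model}: vid={vid!s:>4} -> {'forward' if fwd else 'drop'}")
```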