Re: VoIP Security (cisco-voip mailing list archive, June 2005)
Bernhard Albler 2005-06-09, 7:45 am
Hi Ronald!
Well, in the default configuration the PC can send tagged frames to the voice VLAN. There is a phone parameter which allows you to change this, called "PC Voice VLAN Access".
If you disable PC Voice VLAN Access, the exact behaviour will depend on the phone type:
7970:
Will drop all tagged frames.
7940/7960:
Will drop only frames tagged with the VID of the Voice VLAN.
7912:
AFAIK the parameter isn't available for the 7912.
Generally speaking:
You won't be able to keep rogue clients from accessing the VVLAN in some way. Trust via CDP is not a security mechanism per se, and the phones don't do dot1x yet.
Basically you will have to accept this, and you can still secure the VVLAN very well via switching security features (VLAN ACLs, rate limiting, policing, port security etc.). For details on this see the security guides @cco and the Miercom report.
But you should not consider the devices in the VVLAN to be trusted.
Best regards
bernhard
-----Original Message-----
From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ronald Heitmann
Sent: Thursday, 09 June 2005 12:26
To: cisco-voip@puck.nether.net
Subject: [cisco-voip] VoIP Security
Hi,
what happens if the PC behind the IP phone sends 802.1Q-tagged Ethernet frames?
//Scenario: [PC]--[IP.Phone]--[Catalyst-Switch]
- will the phone discard these frames?
or will they get switched into the network?
In the second case, the whole trust-boundary model will get compromised: even if I allow only the voice VLAN as tagged on the switchport, the PC can send frames directly into the voice VLAN.
just as discussion...
Regards,
//Ronald
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
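
To make the behaviour Bernhard describes concrete, here is an added example (written for this archive page; it is not code from the thread, from Cisco, or from any phone firmware). It builds raw Ethernet frames the way a PC behind the phone would, with and without an 802.1Q tag, then runs each frame through a model of the phone's PC port ("PC Voice VLAN Access" on or off, per phone type as stated above) and through the switchport. Assumptions: the MAC addresses and payload are constructed; the switchport model (untagged goes to the access VLAN, the voice VID goes to the voice VLAN, any other tag is dropped) is the usual Catalyst behaviour for a port with `switchport access vlan` plus `switchport voice vlan`, taken as an assumption here; the 7912 is modelled as having no filter, as Bernhard qualifies with AFAIK.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (not from the thread): the PC behind the phone
# and an upstream host.
PC_MAC = bytes.fromhex("0200000000aa")
DST_MAC = bytes.fromhex("0200000000bb")


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Ethernet II frame; if vid is given, insert an 802.1Q tag after the
    source MAC: TPID 0x8100 followed by TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    frame = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def outer_vid(frame):
    """VID of the outer 802.1Q tag, or None for an untagged frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def phone_pc_port_forwards(model, frame, voice_vid, pc_voice_vlan_access=True):
    """Does the phone pass a frame from its PC port toward the switch?
    Encodes the thread's description: with "PC Voice VLAN Access" enabled
    (the default) every frame goes through; with it disabled the 7970 drops
    all tagged frames, the 7940/7960 drop only frames tagged with the voice
    VID, and the 7912 has no such setting (assumption: no filtering at all)."""
    vid = outer_vid(frame)
    if vid is None or pc_voice_vlan_access:
        return True
    if model == "7970":
        return False
    if model in ("7940", "7960"):
        return vid != voice_vid
    if model == "7912":
        return True
    raise ValueError("unknown phone model %r" % model)


def switchport_vlan(frame, access_vid, voice_vid):
    """Assumed Catalyst behaviour for a port configured with
    'switchport access vlan <access_vid>' and 'switchport voice vlan <voice_vid>':
    untagged frames land in the access VLAN, frames tagged with the voice VID
    land in the voice VLAN, frames tagged with any other VID are dropped."""
    vid = outer_vid(frame)
    if vid is None:
        return access_vid
    if vid == voice_vid:
        return voice_vid
    return None


def trace(model, pc_voice_vlan_access, access_vid=10, voice_vid=100):
    """Send three constructed frames from the PC and report the VLAN each one
    ends up in (None = dropped, either by the phone or by the switch)."""
    payload = b"\x45" + b"\x00" * 19            # constructed stub IPv4 header
    cases = {
        "untagged": build_frame(DST_MAC, PC_MAC, payload),
        "tagged_voice_vid": build_frame(DST_MAC, PC_MAC, payload, vid=voice_vid, pcp=5),
        "tagged_other_vid": build_frame(DST_MAC, PC_MAC, payload, vid=200),
    }
    result = {}
    for name, frame in cases.items():
        if not phone_pc_port_forwards(model, frame, voice_vid, pc_voice_vlan_access):
            result[name] = None                 # stopped at the phone's PC port
        else:
            result[name] = switchport_vlan(frame, access_vid, voice_vid)
    return result


if __name__ == "__main__":
    for model in ("7970", "7960", "7912"):
        for setting in (True, False):
            print(model, "PC Voice VLAN Access =", setting, trace(model, setting))
```

The point of the trace is the row for the default setting: a PC-crafted frame tagged with the voice VID lands in the voice VLAN on every model, which is Ronald's concern. Turning "PC Voice VLAN Access" off closes that specific path on the 7970 and 7940/7960, but a rogue client that is plugged in instead of the phone, or that spoofs CDP, is outside this model entirely, so the switch-side controls Bernhard lists are still what actually bound the VVLAN.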
Candace Holman 2005-06-09, 5:45 pm
Additionally, firmware version 7.2(2) for 7940G/7960G has a new configurable parameter called "PC VLAN" which allows phones to strip 802.1p/q tags from the connected PC. The parameter applies to voice VLANs in non-Cisco switches. Jury is still out whether it works properly.
We are having one reported issue of a 7.2(2)-coincident performance problem with the PC port, yet the parameter was disabled. Anyone else?
Candace Holman
At 06:36 AM 6/9/2005, Bernhard Albler wrote:
> [...]