VLAN

Virtual LAN for VoIP networks

Aim: Keep the phones working even when the data network is congested.

The “Voice VLAN” is a special access-port feature of Ethernet switches which allows IP phones to auto-configure and associate with a logically separate VLAN. This feature provides various benefits, but one in particular is that the Voice VLAN can be enabled on a switch port that also allows simultaneous access for a regular PC. This allows a PC to be daisy-chained to an IP phone, with the connections of both PC and phone carried over the same physical Ethernet cable (the phone's traffic tagged with the voice VLAN, the PC's traffic untagged).

Enabling Voice VLANs raises the complexity of properly securing these physical Ethernet ports. Enabling them without the proper security controls in place can increase the risk to an organization. When implementing a VoIP network, it should not be assumed that the security of the IP phones and Voice VLANs is assured in a default installation. Because the attacks are simple and the potential losses can be critical, VoIP integrators should:

  1. Implement rigorous protection safeguards to these Ethernet ports.
  2. Test the Ethernet ports of connected IP Phones to ensure that they match the security goals of the environment.

Security advice

  • A VLAN as such is not a security measure
  • Make sure to place a firewall between the VoIP VLAN and the data VLAN
  • Publicly exposed (or remote) IP Phones should be treated as external IP hosts (consider a VoIP DMZ)
  • LAN access control based on MAC address and/or 802.1X is a good first step, but not sufficiently secure


Remarks and additional thoughts

  • Consider if you would like your PC users to be able to access their IP phone's web interface
  • Many IP phones have their MAC address printed on the back (or display it in a configuration menu on the LCD), which makes MAC spoofing (too) easy
  • IP phones with built-in switches typically do not touch the traffic of the PC that has been attached to it, i.e. the Ethernet frames of the computer reach the central office switch unaltered (the IP phone does not add a VLAN tag).
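
The following Python model, added here as an illustration and not taken from the page or from any switch vendor's code, shows what the Voice VLAN description above and the last remark mean at frame level: a PC behind the phone sends untagged Ethernet frames, the phone sends frames carrying an 802.1Q tag with the voice VLAN id, and the access port classifies each frame into the data VLAN, the voice VLAN, or drops it. An audit helper then lists which source MAC addresses actually ended up on the voice VLAN and which of them are not in the phone inventory, the kind of check the "test the Ethernet ports" step asks for. The VLAN numbers, MAC addresses and frames are constructed sample values; the parser handles a single 802.1Q tag only.

```python
"""Model of an access port with a Voice VLAN: untagged frames go to the data
(access) VLAN, 802.1Q frames tagged with the voice VLAN id go to the voice
VLAN, anything else is dropped. All sample frames below are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: str
    src: str
    vlan: Optional[int]      # None means the frame arrived untagged
    ethertype: int
    payload: bytes


def _mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_to_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def build_frame(dst: str, src: str, payload: bytes, vlan: Optional[int] = None,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Serialise an Ethernet II frame, inserting an 802.1Q tag when vlan is set."""
    hdr = _mac_to_bytes(dst) + _mac_to_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)  # PCP/DEI = 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and an optional single 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = _mac_to_str(raw[0:6]), _mac_to_str(raw[6:12])
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, offset = tci & 0x0FFF, 18   # low 12 bits of the TCI carry the VID
    return Frame(dst, src, vlan, ethertype, raw[offset:])


@dataclass
class VoicePort:
    access_vlan: int   # VLAN for untagged (PC) traffic
    voice_vlan: int    # VLAN the phone tags its own traffic with

    def classify(self, frame: Frame) -> Optional[int]:
        """Return the VLAN the frame is forwarded on, or None if it is dropped."""
        if frame.vlan is None:
            return self.access_vlan
        if frame.vlan == self.voice_vlan:
            return self.voice_vlan
        return None   # tagged with some other VID: not permitted on this port


def audit_voice_vlan(port: VoicePort, raw_frames, known_phones: set) -> dict:
    """Report which source MACs reached the voice VLAN and which of them are
    not registered phones. A matching MAC only proves the address, not the
    device (see the remark above about MAC addresses printed on the phone)."""
    seen = set()
    for raw in raw_frames:
        f = parse_frame(raw)
        if port.classify(f) == port.voice_vlan:
            seen.add(f.src)
    return {"voice_senders": seen, "unregistered": seen - known_phones}


def classify_all(port: VoicePort, raw_frames) -> list:
    return [port.classify(parse_frame(r)) for r in raw_frames]


# Constructed sample traffic on one port: data VLAN 10, voice VLAN 20.
PORT = VoicePort(access_vlan=10, voice_vlan=20)
PHONE = "00:11:22:33:44:55"        # registered phone (constructed MAC)
PC = "aa:bb:cc:dd:ee:01"           # PC daisy-chained behind the phone
UPLINK = "ff:ff:ff:ff:ff:ff"       # broadcast destination, for brevity

SAMPLE_FRAMES = [
    build_frame(UPLINK, PHONE, b"rtp", vlan=20),   # phone tags its own traffic
    build_frame(UPLINK, PC, b"http"),              # PC frame passes through untagged
    build_frame(UPLINK, PC, b"x", vlan=30),        # foreign VID on an access port: dropped
    build_frame(UPLINK, "00:11:22:33:44:66", b"sip", vlan=20),  # unknown MAC on voice VLAN
]

if __name__ == "__main__":
    print(classify_all(PORT, SAMPLE_FRAMES))            # [20, 10, None, 20]
    print(audit_voice_vlan(PORT, SAMPLE_FRAMES, {PHONE}))
```

Run against a real capture, `raw_frames` would be the bytes of frames mirrored from the phone port; the interesting output is the `unregistered` set, which should be empty on a port where only the inventoried phone is expected on the voice VLAN. Note what the model does not do: the voice VLAN assignment rests on the tag alone, which is why the page says a VLAN as such is not a security measure and still wants a firewall between the voice and data VLANs.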

Articles, HowTos and Guides


See also


Created by: JustRumours, Last modification: Wed 30 of Apr, 2008 (00:43 UTC)