Hi to all,
One of the challenges I faced today at work is a customer requesting to block data traffic on an EX port configured as an access port with a data VLAN and a voice VLAN:
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members Data-only
set ethernet-switching-options voip interface ge-0/0/2.0 vlan VOIP-only
set vlans Data-only vlan-id 203
set vlans VOIP-only vlan-id 303
set protocols lldp interface all
set protocols lldp-med interface all
without the forwarding-class statement:
set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding
Only an IP phone was connected to this port, nothing else. So if an outsider gained physical access to this switch, he could disconnect the IP phone, connect his laptop, and start browsing the internet and internal sites.
The customer asked us to block this scenario.
We came up with these three options:
1- An ACL on the L3 backbone switch, or a policy on the firewall, that blocks ports 80/443 towards any destination and accepts only DHCP traffic towards the DHCP server, RTP and the high ports towards the CUCM server, and the other voice ports.
2- Installing a NAC server that can identify the vendor of the connected device from its MAC OUI and allow or block it via fingerprint/OUI policies configured on the NAC server (such as a Portnox server).
3- A simple but very basic solution: configure port security with sticky MACs (persistent-learning). This could be defeated if the outsider knows how to change his laptop's MAC address to the IP phone's MAC. Also, a clear command is needed every time the IP phone is moved to another port (lazy administrator -_- I know).
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/2.0 mac-limit 1
set interface ge-0/0/2.0 persistent-learning
or manually:
set interface ge-0/0/2.0 allowed-mac 00:01:02:03:04:05
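For option 1, here is an added example (not from the original post) of what such an ACL could look like as a Junos stateless firewall filter on the L3 backbone switch, applied inbound on the routed VLAN interface for VLAN 203, so that a laptop landing on the data VLAN can only reach the voice infrastructure. The addresses are assumptions: CUCM at 10.10.10.10, the DHCP server at 10.10.10.20, the VoIP VLAN 303 subnet at 10.30.3.0/24; the filter name, term names and counter name are mine. DHCP is matched by destination port only, because the client's first request is a broadcast and is not addressed to the server.

```junos
# Added example, not from the original post. Assumed addressing (hypothetical):
#   CUCM 10.10.10.10, DHCP server 10.10.10.20, VoIP VLAN 303 subnet 10.30.3.0/24,
#   VLAN 203 routed on the L3 switch as interface vlan.203.
# DHCP: match on port 67 only, the first DISCOVER is a broadcast, not sent to 10.10.10.20.
set firewall family inet filter VOICE-ONLY-203 term dhcp from protocol udp
set firewall family inet filter VOICE-ONLY-203 term dhcp from destination-port 67
set firewall family inet filter VOICE-ONLY-203 term dhcp then accept
# Phone configuration download from CUCM (TFTP).
set firewall family inet filter VOICE-ONLY-203 term tftp-cucm from destination-address 10.10.10.10/32
set firewall family inet filter VOICE-ONLY-203 term tftp-cucm from protocol udp
set firewall family inet filter VOICE-ONLY-203 term tftp-cucm from destination-port 69
set firewall family inet filter VOICE-ONLY-203 term tftp-cucm then accept
# Call signalling to CUCM only: SCCP 2000, SIP 5060/5061 (multiple ports in one term are OR'd).
set firewall family inet filter VOICE-ONLY-203 term signalling-cucm from destination-address 10.10.10.10/32
set firewall family inet filter VOICE-ONLY-203 term signalling-cucm from protocol tcp
set firewall family inet filter VOICE-ONLY-203 term signalling-cucm from destination-port 2000
set firewall family inet filter VOICE-ONLY-203 term signalling-cucm from destination-port 5060
set firewall family inet filter VOICE-ONLY-203 term signalling-cucm from destination-port 5061
set firewall family inet filter VOICE-ONLY-203 term signalling-cucm then accept
# RTP media to other phones (high UDP ports) towards the voice VLAN subnet only.
set firewall family inet filter VOICE-ONLY-203 term rtp from destination-address 10.30.3.0/24
set firewall family inet filter VOICE-ONLY-203 term rtp from protocol udp
set firewall family inet filter VOICE-ONLY-203 term rtp from destination-port 16384-32767
set firewall family inet filter VOICE-ONLY-203 term rtp then accept
# Everything else, including 80/443 towards any destination, is counted and dropped.
set firewall family inet filter VOICE-ONLY-203 term deny-rest then count voice-only-203-dropped
set firewall family inet filter VOICE-ONLY-203 term deny-rest then discard
# Apply inbound on the routed interface of the data VLAN.
set interfaces vlan unit 203 family inet filter input VOICE-ONLY-203
```

Two caveats when using this: a filter on the routed VLAN interface only sees traffic that leaves VLAN 203 through the L3 switch, so a laptop in VLAN 203 can still talk to other hosts inside that VLAN; if that matters, the same restriction has to sit on the EX port or VLAN itself rather than on the backbone. And the counter on the last term gives you something to look at with `show firewall` when checking that the laptop's traffic is really hitting the deny term.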
I'd be glad if someone has a different opinion.