Keeping PC's off Voice Network

SOLVED
Network-dad
A model citizen


Hello Everyone,

I have a Full Stack Meraki deployment at one of my locations. We have a voice network with several SIP phones deployed through the building... I'm trying to figure out the best way to keep people from plugging their computers into these phones and getting past my firewall policies... I can't do anything physically to the devices this must be done via policies... I was thinking of group policy but wasn't sure if there is a better way... 

Dakota Snow | Network-dad LinkedIn
CMNO | A+ | ECMS2
Check out The Bearded I.T. Dad
1 ACCEPTED SOLUTION
Nash
Kind of a big deal


@Network-dad wrote:

We have over 130 SIP phones throughout the hotel... 99% of them are plugged into an MR30H, so if I could find a way to do a layer 7 firewall rule to only allow SIP traffic, I thought that would work... but all I see is deny layer 7 rules... Is there a way I can do a Deny Any rule and then an allow for SIP?

 


Missed the 30H part, so not sure if those will allow you to do a mac whitelist or not... You've already mentioned the config restrictions, and my KB skills are failing me.

 

I'm really thinking that blocking the phone PC jack on the phone is your best option. Added advantage of moving it to the point of data entry, thus reducing traffic on the network.


19 REPLIES
Nash
Kind of a big deal

Meraki switch? Can you get the mac address of the phone and setup a mac whitelist for those network ports, configured for that phone? Most of your users are probably not savvy enough to spoof a mac address.

 

Issue is overhead. You'd have to remember to update that if the phone is replaced.

 

Other option: Can you disable the PC port on the phone itself? We use Digium phones here and we can do that.

We have over 130 SIP phones throughout the hotel... 99% of them are plugged into an MR30H, so if I could find a way to do a layer 7 firewall rule to only allow SIP traffic, I thought that would work... but all I see is deny layer 7 rules... Is there a way I can do a Deny Any rule and then an allow for SIP?

 

jdsilva
Kind of a big deal

This should be solvable by using a tagged voice VLAN and an untagged data VLAN. Are you not using that type of setup?

No, because all the phones are connected to an MR30H, I can only assign one VLAN per port, unlike with switches. (Voice VLAN is 200)

jdsilva
Kind of a big deal

Oh shoot, of course. 30H, you did say that. My bad.

 

I think @Nash is on the right track and the best way to solve this is to disable the ports on the phones. Failing that, you could write a bunch of rules to only allow the needed flows off that VLAN. You could also implement dot1x or MAB.

It would be a few hours' work, but can you set up the voice network so that the phones' IPs are statically assigned via DHCP and then disable the dynamic DHCP on that network, meaning anyone that plugs in will only get a self-assigned IP? You could use the room numbers as the IP address, i.e. room 101 = xxx.xxx.xxx.101

 

Once it's set up, maintaining it would be very easy.


@BlakeRichardson wrote:

 so that phones IP are statically assigned via DHCP and then disable the dynamic DHCP


Can you clarify please? I'm not following. "Statically assigned via DHCP"? And if you disable DHCP what happens when a phone's lease starts to expire and it needs to renew?

@jdsilva Statically assigned DHCP means the DHCP server gives the device with MAC xx:xx:xx:xx:xx the IP address xxx.xxx.xxx.xxx, rather than dynamic DHCP where the server just gives the device any old IP in its DHCP range.

 

I don't mean disable the DHCP service entirely, I just mean disable the dynamic range.
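The reservation-only DHCP scheme described above, as an added example that is not code from this thread: it builds the per-MAC fixed assignments from a phone inventory (constructed sample data; the 10.200.0.0/24 subnet and the room-number-as-last-octet layout are assumptions) and shows that a MAC outside the list is offered nothing.

```python
import ipaddress
import re

# Constructed sample inventory (assumed values, not from the thread):
# room number -> MAC of the SIP phone in that room.
PHONES = {
    101: "00:11:22:33:44:01",
    102: "00-11-22-33-44-02",
    215: "00:11:22:33:44:03",
}
# Assumed voice subnet for VLAN 200; the host octet is the room number.
VOICE_SUBNET = ipaddress.ip_network("10.200.0.0/24")

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalise_mac(mac):
    """Lower-case, colon-separated MAC; rejects anything malformed."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac


def build_reservations(phones, subnet):
    """Return {mac: ip} fixed assignments with host part = room number.

    Rejects rooms that fall outside the usable host range and any MAC
    listed twice, so a bad inventory row is caught before it reaches
    the DHCP server configuration.
    """
    reservations = {}
    for room, mac in phones.items():
        ip = subnet.network_address + room
        if not (subnet.network_address < ip < subnet.broadcast_address):
            raise ValueError(f"room {room} does not fit in {subnet}")
        mac = normalise_mac(mac)
        if mac in reservations:
            raise ValueError(f"duplicate MAC {mac}")
        reservations[mac] = ip
    return reservations


def offer_lease(reservations, client_mac):
    """Reservation-only DHCP: a known phone gets its fixed IP; anything
    else (a PC daisy-chained behind the phone) gets no lease at all."""
    return reservations.get(normalise_mac(client_mac))
```

A device with a manually configured address still has layer 2 reachability on the VLAN, which is the caveat raised later in the thread about this being less secure than a MAC access policy.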

@BlakeRichardson Ah, thanks! Your terminology threw me there, but I got you now and that makes sense.

@jdsilva  Must be a kiwi thing then. I've heard that terminology used a lot over the years. 

Thinking it over I think the easiest way is a mac address filter... I already have all the mac addresses in a spreadsheet so it would not be too hard to do.

jdsilva
Kind of a big deal

I must really be having one of those days. It started with me not understanding what @BrechtSchamp was talking about in chat this morning, then I totally spaced on what @BlakeRichardson was trying to say with his solution, and now I'm totally not grokking how a whitelist can help here.

 

MAC whitelist is only available on access switch ports. So if you want that, then you can't bridge SSIDs to VLANs. OK, fine, you use a flat VLAN. But then, if you don't whitelist every client that could possibly ever connect to the AP, when they do connect they won't be able to do anything because they aren't whitelisted.

 

Unless you're using a tunneled SSID?

 

I'm sure I'm missing something here again so please help a guy out!

@jdsilva Simply, what @Network-dad is trying to do is make the phones work and kill network connectivity to anything else that is plugged into those phones, i.e. stop people piggybacking off the phone's LAN connection. Whitelisting only the phones' MACs on the ports associated with his voice VLAN will do this. Any device that is not within the whitelist won't get an IP address.

 

Please correct me if I am wrong @Network-dad, otherwise I too have missed what you are wanting to achieve.

Right, that's how I understand the problem too @BlakeRichardson, but @Network-dad did say it was Meraki full stack, and the MAC whitelist feature cannot be applied per-VLAN. It's per-port only. Also with Meraki, clients are generally bridged to a VLAN for a given SSID meaning the client's MAC is seen by the switch port. 

 

Meraki NAT or tunneled SSID overcome these issues, but if those are not being used then a MAC whitelist will certainly stop clients from plugging into the phone, as well as connecting to the AP.

@jdsilva Correct, so if he has all of his phones on VLAN 10, simply search that VLAN and apply the MAC whitelist in bulk using the switchports page and job done. If the network is flat and everything is on VLAN 1, that idea won't work.

 

I've done a quick check and I was able to enter 140 separate lines of MACs before I got bored and gave up, so you can have a reasonably sized whitelist.

Yeh, I'm really not asking my question correctly. I'm not sure how to say this differently...

 

OK, so if we assume that the phones are on VLAN 10, and they are connected to a port on an MR30H, then one must configure a "Wired-Only" SSID to assign to the port profile used to configure the MR30H port. Now, since MAC whitelisting is only available on access ports, the MS switch that the MR30H hangs off of MUST be configured as an access port in VLAN10. The Wired-Only SSID then must be configured to bridge to the native VLAN, which would be VLAN 10.

 

As a side effect of this config, any additional SSIDs configured for WiFi clients on the 30H must also be bridged to the native VLAN. Since the switchport is configured for access 10, if you configured an SSID to bridge to a tagged VLAN it will be dropped on ingress to the switch port.

 

MAC whitelists apply to the entire port. You cannot apply a MAC whitelist to only one VLAN. And since MAC whitelists are only available on access ports, this really isn't an issue (let's put aside Voice VLANs for a moment since they don't apply to this example).

 

Given the above example, I need to put three things into the whitelist: all the MACs of the phones, all the MACs of the APs (their mgmt will be on VLAN 10 too), and all the MACs of all the wifi clients that could possibly ever connect to the APs.

 

The only thing I don't want in there is the wired MACs of whatever I don't want connecting to the phones. 

 

Does that make sense?

 

 

I think I get what you mean. I haven't played around with the MR30H, but what you are saying makes sense. The problem is it's late afternoon for me now, so I can't fully wrap my brain around things.

 

I still think solving the problem using DHCP is a better option; it's just not as secure as a MAC access policy.

Haha, all good dude! Yeh, if you haven't played around with the 30H then maybe that's where you and I aren't syncing? You don't configure the wired ports on a 30H like a switchport... You basically bind a wired port to an SSID (yes, I said to an SSID). You don't have things like access or trunk or whitelisting or BPDU Guard available on the 30H. I agree with you that your DHCP solution is much better in this situation. I appreciate you talking this out with me nonetheless!

 

And for now I'm going to stand by my assertion that MAC Whitelisting won't solve this problem 🙂
