Implement Auxiliary VLANs to make VoIP Networks secure

There are many ways to secure a voice network. In this article we will look at the first of them, one that should be configured in every serious network: implementing auxiliary VLANs makes VoIP networks more secure by carrying data traffic and voice traffic in separate VLANs.

By default, voice and data traffic are carried in the same way across the same cable and the same switch. That means calls and all other network traffic travel together, and any user on the network can see that traffic with a network sniffing tool such as Wireshark. This default setting can be used to capture the call packets crossing the network, and an attacker can then reconstruct the call as an .mp3 or another sound format. To make it impossible to sniff call packets from a user's computer, we need to separate the voice network from the data network completely.

You certainly want to avoid VoIP calls being carried mixed in with data traffic. This is a very simple configuration: you create a separate VLAN and place all of the communication equipment into that VLAN.

This voice VLAN is normally called an auxiliary VLAN.

Many Cisco IP Phones have an extra Ethernet port so that a PC can be connected to the phone. This is the setup shown in the image at the top of the page. The attached PC sends its data through the Cisco IP Phone to the Cisco switch at the access layer. This is where the point made above becomes important: the PC and the phone transmit all of their traffic over the same cable to the switch, but the data traffic is in a different VLAN than the call traffic. The switch port and the phone's port are configured with "switchport mode trunk" so that packets can be tagged for each separate VLAN. The two devices share one switch port, yet their traffic is kept apart: the switch behaves as if each device were connected to its own port, and, more than that, as if the devices were connected to separate switches. They are effectively on different networks while still connecting to a single Cisco Catalyst switch port.
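The following is an added example of the access-port configuration described above; it is not configuration from the original article. The VLAN numbers (10 for data, 110 for voice), the VLAN names and the interface name are assumptions chosen for illustration. It uses the Catalyst voice VLAN feature, which keeps the port in access mode while the switch tags the phone's frames with the voice VLAN and leaves the PC's frames untagged in the data VLAN, so the port behaves like the two-VLAN trunk the article describes.

```cisco
! Added example (not from the original article). VLAN IDs, names and the
! interface name are assumptions; substitute your own.
!
! 1. Define the data VLAN and the auxiliary (voice) VLAN.
vlan 10
 name DATA
vlan 110
 name VOICE
!
! 2. Configure the access port that the IP Phone (with a PC daisy-chained
!    behind it) plugs into. The PC's untagged frames land in VLAN 10; the
!    phone learns VLAN 110 via CDP and sends its RTP/SCCP/SIP frames tagged
!    with that VLAN, so a sniffer on the PC never sees voice frames.
interface FastEthernet0/1
 description IP Phone with PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 spanning-tree portfast
!
! 3. Verify the separation after applying the configuration:
!    show interfaces FastEthernet0/1 switchport
!      -> Access Mode VLAN should be 10 and Voice VLAN should be 110
!    show vlan brief
!      -> FastEthernet0/1 is listed under VLAN 10; VLAN 110 exists
```

Apply the interface stanza to every port that carries a phone, and make sure VLAN 110 is also allowed on the uplink trunks so the voice traffic can reach the call manager. The check in step 3 is worth running on each port: a phone that ends up in the data VLAN because the voice VLAN was mistyped is exactly the situation the article warns about.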
