12-17-2008 08:52 AM - edited 03-15-2019 03:07 PM
I am trying to test out SRST mode for one site without shutting down the CCM service.
I got hold of this ACL.
access-list 111 deny tcp host 10.111.70.1 host 10.10.10.1 eq 2000
access-list 111 deny tcp host 10.111.70.1 host 10.10.10.1 eq 2428
access-list 111 deny udp host 10.111.70.1 host 10.10.10.1 eq 2427
access-list 111 permit ip any any
where 10.10.10.1 is the CCM and 10.111.70.1 is the router IP address.
The issue is that when I apply this ACL and check sh ccm fallback, the router does not fail over to SRST mode.
I believe their remote site has
data----voice gtw--phone
The voice gtw has 2 FE connections, and 10.111.70.1 is the IP of the voice gtw towards the data router.
Do you think this ACL will work?
12-17-2008 10:48 AM
Hi, try to shut down the port where the CCM is connected, or create an ACL like: access-list 111 deny tcp IPT-Network host CUCM eq 2000
When the IP phones (not GW) lose 3 keepalives with the CCM, they try to register with the local gateway that is configured for SRST mode. When the WAN link is restored, the IP Phones are able to re-establish a TCP connection with the CCM.
Best regards
David
12-17-2008 02:30 PM
The simplest option to ensure that CUCM traffic is blocked would be to restrict the CallManager host completely:
ip access-list extended Block-CCM
deny ip host 10.10.10.1 any
permit ip any any
Apply the ACL to the inbound interface on the voice gateway from the data router, if you believe this is the route towards CallManager.
When you apply the ACL you should see that the CallManager agent status is down when you do a 'show ccm-manager'.
Hope this helps
Allan.
12-17-2008 11:38 PM
You should implement the ACL on both sides of the WAN.
Why?
Because ACLs filter traffic that passes THROUGH the gateway, but they don't block the gateway's own access to the CCM.
I tested SRST with an ACL like yours, and in this mode the most you can get is to register the phones on the gateway, but the gateway will still be working in normal mode.
You can also use a static route to test SRST.
12-18-2008 03:45 AM
Hi
You could also use a static host route pointing to the bin instead of shutting down the CCM service.
ip route xxx.xxx.xxx 255.255.255.255 null 0
works fine for me.
cheers
Ikram
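The three techniques in the replies above (an ACL on the gateway that stops transit traffic but not the gateway's own keepalives, Allan's inbound ACL denying the CallManager as source, and Ikram's host route to Null0), as an added Python model. This is not code from the thread or from Cisco. The ACL parser handles only the entry syntax used in this thread; the phone address 10.111.70.50 and the CCM reply packet are constructed; the forwarding rules it encodes (inbound ACLs see every packet arriving on the interface including those addressed to the router, outbound ACLs are skipped for packets the router itself generates, a Null0 route discards regardless of origin) are stated as assumptions about IOS behaviour that agree with the replies.

```python
"""Model of why an outbound ACL does not take an SRST gateway out of CCM
registration while an inbound ACL or a Null0 host route does.
Added illustration, not the thread's own code; addresses and packets below
are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

CCM = "10.10.10.1"          # CallManager, from the original post
GATEWAY = "10.111.70.1"     # SRST gateway address, from the original post
PHONE = "10.111.70.50"      # constructed phone address for the transit case


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: int
    from_router: bool = False   # True when the gateway itself generated it


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_ace(line: str) -> dict:
    """Parse one entry of the form used in the thread:
    [access-list N] {permit|deny} {ip|tcp|udp} SRC DST [eq PORT]
    where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    action, proto, rest = toks[0], toks[1], toks[2:]

    def spec(t):
        if t[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), t[1:]
        if t[0] == "host":
            return (t[1], "0.0.0.0"), t[2:]
        return (t[0], t[1]), t[2:]

    src, rest = spec(rest)
    dst, rest = spec(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching entry wins; no match is the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not wildcard_match(pkt.src, *ace["src"]) or not wildcard_match(pkt.dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"] == "permit"
    return False


def reaches_far_end(pkt: Packet, acl: list, direction: str, null_routes=()) -> bool:
    """Assumed IOS forwarding path: a host route to Null0 discards the packet
    whoever generated it; an inbound ACL sees every packet arriving on the
    interface, including ones addressed to the router; an outbound ACL is
    checked only for transit traffic, so the router's own packets skip it."""
    if pkt.dst in null_routes:
        return False
    if direction == "out" and pkt.from_router:
        return True
    return acl_permits(acl, pkt)


# The original poster's entry as written (mask 255.255.255.255 is a wildcard),
# the same entry with the host keyword, and Allan's inbound ACL.
OP_ACL = [parse_ace(l) for l in (
    f"access-list 111 deny tcp {GATEWAY} 255.255.255.255 host {CCM} eq 2000",
    "access-list 111 permit ip any any")]
HOST_ACL = [parse_ace(l) for l in (
    f"access-list 111 deny tcp host {GATEWAY} host {CCM} eq 2000",
    "access-list 111 permit ip any any")]
INBOUND_ACL = [parse_ace(l) for l in (f"deny ip host {CCM} any", "permit ip any any")]

KEEPALIVE = Packet(GATEWAY, CCM, "tcp", 2000, from_router=True)   # gateway's own SCCP keepalive
PHONE_REG = Packet(PHONE, CCM, "tcp", 2000)                       # transit SCCP from a phone
CCM_REPLY = Packet(CCM, GATEWAY, "tcp", 50000)                     # constructed return traffic


def scenarios() -> dict:
    return {
        # wildcard 255.255.255.255 makes the OP's entry match every source address
        "op_mask_matches_any_source": wildcard_match("192.0.2.9", GATEWAY, "255.255.255.255"),
        "op_acl_blocks_phones_too": not acl_permits(OP_ACL, PHONE_REG),
        "host_acl_lets_phones_through": acl_permits(HOST_ACL, PHONE_REG),
        # outbound ACL on the WAN-facing interface: the gateway's keepalive bypasses it
        "outbound_acl_stops_gateway_keepalive": not reaches_far_end(KEEPALIVE, HOST_ACL, "out"),
        # inbound ACL denying the CCM as source drops the CCM's packets to the gateway
        "inbound_acl_stops_ccm_replies": not reaches_far_end(CCM_REPLY, INBOUND_ACL, "in"),
        # host route to Null0 drops the keepalive whatever the ACLs say
        "null_route_stops_gateway_keepalive": not reaches_far_end(KEEPALIVE, [], "out", null_routes={CCM}),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

Running it shows `outbound_acl_stops_gateway_keepalive` as False and the other two blocking methods as True, which is the behaviour the replies describe; it also shows that the wildcard form of the original entry denies every source, not just the gateway, so phones behind the gateway would be cut off as well.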
12-18-2008 08:30 AM
I tried several ACLs without any luck.
This is their network:
MPLS circuit--0/46--switch1-0/47-data-voicegtw
                        |
                        |--0/48---voice---voicegtw
voice: vlan2
data: vlan1
Does anyone have a recommendation on how to block CCM access from the voicegtw?
12-18-2008 08:33 AM
The switch has the connection 0/48--voice--voicegtw, not the MPLS circuit.