IP phones UDP/TCP port number

minoc
Level 1

Hello all:

I am trying to protect a few IP phones connected to a C3550 switch. The following ACL was applied to the VLAN interface of the IP phones:

permit udp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 69
permit udp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 69
permit tcp 172.16.25.10 0.0.0.9 172.17.1.0 0.0.0.255 eq 2000
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 80
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 80
deny ip any any log-input

The problem is that the directory option does not work. Does anyone know what TCP port number is needed for this? I am guessing it is LDAP, but I am not sure if this is correct.

Regards,

Carlos Roque

10 Replies

ROBERT Clark
Level 1

LDAP uses TCP port 389

hth,

Rob

Thank you,

I added that port to the ACL.

Carlos Roque

Chris Deren
Hall of Fame

Refer to this doc for all TCP and UDP ports used by CCM:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801a62b9.shtml

Chris

Thank you,

I am assuming this applies to CM version 4.x.

Carlos Roque

Yes, the same ports are used.

Chris

gogasca
Level 10

Src or dst LDAP is not used by IP phones. IP phones send HTTP requests, and LDAP requests are handled between the web server (CCM normally) and the directory.

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a0080447505.html#wp1043132.

I think the best option here is to follow Cisco recommendations for securing an IP telephony network.

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/index.htm

I attach a sniffer capture of my IPC accessing directory services, which may be helpful (check the src port for the HTTP SYN,ACK).

Gonz

IPC IP address is:

I'll check these documents and will follow their recommendations.

I am still having problems with directory access from the IP phones. After applying the ACL, the log shows denied UDP packets from the IP phones on high-range port numbers. That means that the phone is using dynamic high UDP port numbers which the ACL is not allowing.

I am investigating the possibility of using reflexive ACLs.

Regards,

Carlos Roque

The high-numbered UDP ports sound like the RTP traffic. When you say the directory access does not work, how far does it get? Does the option show up on the IP phone? If the option doesn't show up, it could be a problem with name resolution and not ACLs.

bhattacharya.s
Level 1

DC Directory uses port 8404, and if CallManager is integrated with Active Directory, then port 389 is used.

Check which directory is used by your CallManager and, depending on that, enable the ports.

Lemme know if you have any questions.
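As an added example, not code from anyone in this thread, here is a small Python first-match simulator for the poster's ACL. It evaluates constructed sample flows from a phone against the ACL as posted and against a copy with the TCP 8404 line the last reply suggests, and it also shows which phone addresses the discontiguous wildcard 0.0.0.9 actually covers. The destination 172.17.1.50 and the UDP port 24576 are constructed values, not taken from the thread.

```python
import ipaddress

# The original poster's ACL, copied from the thread (Cisco IOS extended syntax, first match wins).
ACL_ORIGINAL = """\
permit udp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 69
permit udp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 69
permit tcp 172.16.25.10 0.0.0.9 172.17.1.0 0.0.0.255 eq 2000
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 80
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 80
deny ip any any log-input
"""
# Constructed fix: one line for DC Directory on TCP 8404, as the last reply suggests.
ACL_FIXED = ACL_ORIGINAL.replace(
    "deny ip", "permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 8404\ndeny ip")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    # Consume one address spec: any | host A | A WILDCARD. A 1 bit in a Cisco wildcard means "don't care".
    t = tok.pop(0)
    if t == "any":
        return lambda ip: True
    if t == "host":
        h = _ip(tok.pop(0))
        return lambda ip: _ip(ip) == h
    base, wild = _ip(t), _ip(tok.pop(0))
    return lambda ip: (_ip(ip) | wild) == (base | wild)

def parse_acl(text):
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, dst = _addr(rest), _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None  # None matches any port
        yield action, proto, src, dst, port, line

def evaluate(acl_text, proto, src, dst, dport):
    for action, rproto, fsrc, fdst, port, line in parse_acl(acl_text):
        if rproto in ("ip", proto) and fsrc(src) and fdst(dst) and port in (None, dport):
            return action, line
    return "deny", "implicit deny"

# Constructed flows from a phone at 172.16.25.10: HTTP to CCM, a directory lookup on 8404, an RTP-like UDP stream.
FLOWS = [("tcp", "172.16.25.10", "172.17.1.10", 80),
         ("tcp", "172.16.25.10", "172.17.1.10", 8404),
         ("udp", "172.16.25.10", "172.17.1.50", 24576)]

def compare(flows=FLOWS):
    return {f: (evaluate(ACL_ORIGINAL, *f)[0], evaluate(ACL_FIXED, *f)[0]) for f in flows}
```

The wildcard 0.0.0.9 matches 172.16.25.2, .3, .10 and .11 only, so a phone at .12 falls through to the logged deny; the RTP-like UDP flow is still denied by ACL_FIXED, which matches what the log on the poster's switch shows.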