11-03-2010 05:40 AM - edited 03-09-2019 11:14 PM
Hello all.
I am coming to the community to get some advice on a specific subject.
One of my customers is currently using VLAN access-lists to isolate their data traffic from their voice VLAN traffic.
As most of us know, VLAN ACLs are very difficult to deploy and manage at an access-port level that is highly mobile. Because of these management issues they have been looking for a replacement solution consisting of firewalls, but apparently the price of the solution was too high in the sky.
Can someone guide me towards security best practices when it comes to data and voice VLAN traffic isolation, please?
Thanks
Regards
T.
11-03-2010 06:57 AM
I designed a voice network that was not "trusted" by the data network. What I did was create vVLANs on the access switches, trunked to the distribution, where I had a VRF for the voice traffic. That VRF then connected to a (non-data) network where the voice gateways, call managers, etc. lived. That voice enclave has a firewall between it and the data network. That model was copied at each location. The voice enclave is logically separated from the data network, with a firewall controlling access between them.
Hope it helps.
11-03-2010 07:30 AM
Thanks for the quick reply, Collins.
I was thinking of doing the same kind of thing, but I am afraid of the solution costs (firewalls, etc.) versus simple access-lists configured on VLANs.
Would you have a HLD of the solution you have implemented on your network?
Cisco experts,
Are there any existing best practices for securing a Cisco-based IPT network (port security, DHCP snooping, dynamic ARP inspection, etc.)?
Thanks
T.
11-03-2010 07:34 AM
I used a firewall, but there is no reason you can't use an ACL instead. The diagram is pretty detailed; I'll see if I can whip one up for you quickly.
11-03-2010 07:47 AM
Here's the diagram.
11-03-2010 07:49 AM
Also note there is only one firewall, not a firewall per VLAN.
11-03-2010 07:48 AM
Thanks
11-03-2010 08:03 AM
Hi again, Collin,
May I ask what type of firewall / switches / IOS version you are using for this topology?
Also, is the media traffic going through your firewall if one voice VLAN wants to talk to another voice VLAN?
Regards
11-03-2010 08:11 AM
thomas.fayet wrote:
Hi again, Collin,
May I ask what type of firewall / switches / IOS version you are using for this topology?
Also, is the media traffic going through your firewall if one voice VLAN wants to talk to another voice VLAN?
Regards
Access Switches: 3560
Distro: 4500 or 6500
FW: ASA5510 or Juniper SSG 140 (phasing out the Junipers)
It depends. In the drawing above, no voice traffic would leave the voice enclave until it talks to a remote site. If we add other sites to the drawing, at a minimum call signaling would traverse the firewall, and depending on the location of the callers, all voice traffic may cross the firewall. All of that depends on how you have your call managers/VM/voice gateways designed and where the callers are.
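As an added example (this is not Collins's diagram or configuration, nor the original poster's), here is what the design discussed in this thread can look like in Cisco IOS syntax: a 3560-class access switch with separate data and voice VLANs and the access-port protections asked about above (port security, DHCP snooping, dynamic ARP inspection, BPDU guard), and a distribution switch where a router ACL on the data-VLAN SVI stands in for the firewall, as Collins says is possible. All VLAN numbers, subnets, interface names, the call-control server address and the signaling ports are assumptions chosen for illustration.

```cisco
! ===== Access switch (3560-class) =====
! Assumed: data VLAN 10 = 10.1.10.0/24, voice VLAN 110 = 10.1.110.0/24
vlan 10
 name DATA
vlan 110
 name VOICE
!
! DHCP snooping and DAI on both VLANs: phones and PCs only accept DHCP from
! the trusted uplink, and ARP replies are checked against the snooping binding table.
ip dhcp snooping
ip dhcp snooping vlan 10,110
no ip dhcp snooping information option
ip arp inspection vlan 10,110
!
interface GigabitEthernet0/1
 description Phone with PC daisy-chained behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! Port security: the phone plus the PC behind it; "restrict" drops and logs
 ! extra MACs instead of err-disabling a user port.
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 description Uplink to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,110
 ! The uplink is the only port allowed to source DHCP offers and unverified ARP.
 ip dhcp snooping trust
 ip arp inspection trust
!
! ===== Distribution switch (4500/6500-class), ACL instead of a firewall =====
! Assumed call-control/DHCP server inside the voice enclave: 10.1.200.10
interface Vlan110
 description Voice VLAN gateway
 ip address 10.1.110.1 255.255.255.0
 ip helper-address 10.1.200.10
!
interface Vlan10
 description Data VLAN gateway; filter data-to-voice traffic on ingress
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.200.10
 ip access-group DATA-TO-VOICE in
!
ip access-list extended DATA-TO-VOICE
 remark Data hosts may only reach call control on the signaling ports
 remark (assumed SCCP/SIP/HTTPS; use the ports your deployment actually uses)
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.200.10 eq 2000
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.200.10 eq 5060
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.200.10 eq 8443
 remark Everything else from data to the phones or the voice enclave is denied and logged
 deny   ip 10.1.10.0 0.0.0.255 10.1.110.0 0.0.0.255 log
 deny   ip 10.1.10.0 0.0.0.255 10.1.200.0 0.0.0.255 log
 remark Data-to-data and data-to-Internet traffic is unaffected
 permit ip any any
```

The ACL lives on the data SVI, so it is applied once per distribution switch regardless of how many access ports exist, which addresses the management problem with per-port VACLs raised in the first post. Two caveats a practitioner would check: a router ACL is stateless, so return traffic for permitted sessions must be considered on the voice SVI as well, and on hardware-switched platforms the `log` keyword punts matching packets to the CPU, so keep it on the deny entries only and rate-limit logging if the data VLAN is noisy.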