I don't want my PC users able to ping or access the phones

billobob123
Level 1

Morning,

The config is as follows (more or less):

http://www.hh.se/download/18.70cf2e49129168da015800092887/1234881384870/3_5_CME_Network_Parameters.pdf

Changes to the doc in the link are noted here.

Console(config)#interface FastEthernet0/1
Console(config-if)#switchport mode access
Console(config-if)#switchport voice vlan 10
Console(config-if)#spanning-tree portfast

On the router I have the following:

http://www.scribd.com/doc/44273275/Cisco-Call-Manager-Express-Example-Config

Then on the router I have FastEthernet 0.0 (native VLAN) and FastEthernet 0.1 (VLAN 10), two different DHCPs and of course networks.

From the PCs I can ping the phones. I have not tested yet, but the main thing I don't want people to be able to do is use something like vomit to record audio.

If you could advise as to the config and what is okay and not okay.

10 Replies

cadet alain
VIP Alumni

Hi,

Just configure an extended ACL denying all IP traffic between the data VLAN and the voice VLAN and permitting everything else, and then apply it inbound on the native VLAN subinterface of the router.

For example, if VLAN 1 = 192.168.1.0/24 and voice VLAN = 192.168.10.0/24:

ip access-list extended block-data-to-voice
 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
int f0/0.0
 ip access-group block-data-to-voice in

Regards.

Alain

Don't forget to rate helpful posts.

I don't know about CCM Express, but in CCM you can disable access to the voice VLAN via the PC port on the back of the phone when you configure the phone.

Hi there, thanks for getting back to me.

I've applied the access list, but the PCs are still able to ping the phone. Hmm, the list you gave looked good, not sure why it's not working? I'm looking around. Ideas?

Hi,

Have you got hits on your ACL?

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

Good point, but no, not a single one.

Extended IP access list block-data-to-voice
    10 deny ip 172.16.1.0 0.0.0.255 10.10.10.0 0.0.0.255
    20 permit ip any any

The 10 network is the phones.

interface FastEthernet0/0
 description $FW_INSIDE$
 no ip address
 ip access-group block-data-to-voice in
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
 service-policy output voip
!
interface FastEthernet0/0.10
 description $FW_INSIDE$
 encapsulation dot1Q 10
 no ip redirects
 no ip proxy-arp
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
 service-policy output voip

You are applying the access-group on Fa0/0 but not on subinterface Fa0/0.1 (if your data VLAN ID is 1).

Hi Alex,

Thanks, I'll give that a shot, but I never created a subinterface fa0/0.1.

Data VLAN is 1, as is the native VLAN.

I'll split them up into int fa0/0, fa0/0.1 and fa0/0.10, apply the access list to fa0/0.1 and let you know how it goes.

Thanks

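To make the two diagnostic points of this thread concrete (Alain's question about ACL hit counts, and Alex's point that an ACL on the parent Fa0/0, which has no IP address, never sees traffic that enters on a subinterface), here is an added example that models how IOS evaluates an inbound extended ACL. It is not the thread's own config or any Cisco code: the ACL text and subnets are the ones posted above, while the data-VLAN subinterface Fa0/0.1, the host addresses 172.16.1.50 and 10.10.10.20, and the `router_decision` model are assumptions. It also shows a caveat the ACL as written carries: it is one-directional, so a phone can still initiate traffic towards the PC subnet.

```python
"""Model of IOS inbound extended-ACL evaluation, reproducing the symptom from
this thread (PCs still ping phones while the ACL sits on Fa0/0) and the fix
(ACL moved to the data-VLAN subinterface). Added example; not the thread's
or Cisco's code. Subinterface names and host addresses are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

MATCHES = re.compile(r"\s*\((\d+) matches\)$")   # hit counter suffix in 'show ip access-lists'


@dataclass
class Ace:
    seq: int
    action: str        # "permit" or "deny"
    src: str           # IOS form "A.B.C.D WILDCARD", or "any"
    dst: str
    matches: int = 0   # IOS prints no suffix when the counter is zero


def _take_addr(tokens: List[str]):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse the 'ip' entries of an extended ACL as printed by 'show ip access-lists'."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Extended", "Standard")):
            continue                                   # blank or header line
        m = MATCHES.search(line)
        count = int(m.group(1)) if m else 0
        parts = MATCHES.sub("", line).split()
        seq = int(parts.pop(0)) if parts[0].isdigit() else 10 * (len(aces) + 1)
        action, proto, rest = parts[0], parts[1], parts[2:]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled here: {line}")
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        aces.append(Ace(seq, action, src, dst, count))
    return aces


def _matches(spec: str, ip: str) -> bool:
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(aces: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for ace in aces:
        if _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
            return ace.action
    return "deny"


def zero_hit_denies(aces: List[Ace]) -> List[int]:
    """Deny entries that never counted a match. If the traffic they should stop
    still flows, the ACL is not on the interface that traffic actually enters."""
    return [a.seq for a in aces if a.action == "deny" and a.matches == 0]


@dataclass
class Interface:
    name: str
    network: Optional[str]          # None models 'no ip address' on the parent interface
    acl_in: Optional[str] = None    # name given to 'ip access-group ... in'


def router_decision(interfaces, acls, src_ip: str, dst_ip: str) -> str:
    """Traffic enters on the (sub)interface whose subnet holds the source address;
    only that interface's own inbound ACL is consulted (assumed routing model)."""
    for itf in interfaces:
        if itf.network and ipaddress.ip_address(src_ip) in ipaddress.ip_network(itf.network):
            if itf.acl_in is None:
                return "permit (no ACL on ingress interface)"
            return evaluate(acls[itf.acl_in], src_ip, dst_ip)
    return "drop (no connected interface)"


# The ACL exactly as the thread printed it: no '(N matches)' on any line.
SHOW_ACL = """Extended IP access list block-data-to-voice
    10 deny ip 172.16.1.0 0.0.0.255 10.10.10.0 0.0.0.255
    20 permit ip any any
"""
ACLS = {"block-data-to-voice": parse_acl(SHOW_ACL)}
PC, PHONE = "172.16.1.50", "10.10.10.20"   # assumed hosts inside the posted subnets


def before_fix() -> str:
    """ACL on Fa0/0 ('no ip address'); data VLAN routed on an assumed Fa0/0.1."""
    itfs = [Interface("FastEthernet0/0", None, "block-data-to-voice"),
            Interface("FastEthernet0/0.1", "172.16.1.0/24"),
            Interface("FastEthernet0/0.10", "10.10.10.0/24")]
    return router_decision(itfs, ACLS, PC, PHONE)


def after_fix():
    """ACL moved to the data-VLAN subinterface: PC -> phone is denied, but the
    ACL is one-directional, so phone -> PC still passes."""
    itfs = [Interface("FastEthernet0/0", None),
            Interface("FastEthernet0/0.1", "172.16.1.0/24", "block-data-to-voice"),
            Interface("FastEthernet0/0.10", "10.10.10.0/24")]
    return router_decision(itfs, ACLS, PC, PHONE), router_decision(itfs, ACLS, PHONE, PC)


if __name__ == "__main__":
    print("before:", before_fix(), "| zero-hit denies:", zero_hit_denies(ACLS["block-data-to-voice"]))
    print("after :", after_fix())
```

Run it and `before_fix()` reports the PC-to-phone ping as permitted with sequence 10 never incremented, which is exactly the "not a single hit" observation above; `after_fix()` denies it once the ACL is on Fa0/0.1. The second value it returns is worth noting: nothing in this ACL stops a host on the voice subnet from reaching the data subnet, so anyone who wants both directions blocked needs a matching deny inbound on the voice subinterface as well.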

Hi, any ideas as to what is not going right?

Thanks for your answer Jeff, yes you can do this in CME as well, but I am using the phone as a switch port for the PCs, so I can't really do this.

Ideas welcomed.

Hi Alain,

Your answer was correct, thanks for the help.

Regards