11-03-2023 03:38 AM
Hello,
Next week, I will migrate our telephony to a SIP trunk. Our IPBX (AVAYA VM) is already in production.
We have 2 VMs that are on VLAN 90.
SVI VLAN 90 : 10.39.90.254 255.255.255.0
An integrator will help us create 2 SBC VMs (AVAYA). I created a new VLAN named TRUNK SIP, VLAN 92, for this.
SVI VLAN 92 : 10.39.92.254 255.255.255.0
This is created on our core switch, an L3 switch (3850). Inter-VLAN routing is active.
The SIP trunk will be an operator MPLS network, dedicated only to telephony. The ISP has its own SBC on its side. They asked me to provide them with 3 IP addresses from the subnet 10.39.92.0.
The SIP trunk is made up of 2 separate fiber links, a main link and a backup.
I gave them:
10.39.92.100 ( main ISP LAN router)
10.39.92.200 ( backup ISP LAN router)
10.39.92.222 ( HSRP or VRRP on ISP Router).
Since I don't have the VMs yet, I tested with a PC addressed in VLAN 92, port in access mode on vlan 92.
I can ping the 2 LAN gateways of the operator routers, as well as the redundancy IP.
The operator also asked me to test the ping to their SBC, so I added a static route on the core switch. After that, I can ping their SBC at 109.0.x.x (but only from the 10.39.92.0 subnet).
If I try to ping from my PC test (10.39.92.130) to 10.39.92.254 = OK
ping from PC test to 10.39.92.100 = OK
ping from PC test to 10.39.92.200 = OK
ping from PC test to 10.39.92.222 = OK
ping from PC test to 109.0.x.x ( ISP SBC) = OK
ping from my IPBX (10.39.90.90) to 10.39.92.254 = OK
ping from my IPBX (10.39.90.90) to 10.39.92.130 ( PC test) = OK
ping from my IPBX (10.39.90.90) to 10.39.92.100 = doesn't work
ping from my IPBX (10.39.90.90) to 10.39.92.200 = doesn't work
ping from my IPBX (10.39.90.90) to 10.39.92.222 = doesn't work
Is this normal? I don't have access to our ISP's router, so I don't know how it's configured.
For my part, I configured the switch ports where the routers are connected in access mode, with access VLAN 92.
And as a second question, I'm looking to create ACLs on this VLAN 92. For the moment, there are none. There are also none on VLAN 90 (IPBX).
The goal will be to isolate. I would like IP exchanges to be limited to the IPBXs and media gateways.
Extended IP access list trunk_sip
permit ip 10.39.92.0 0.0.0.255 host 10.39.90.90 ( main IPBX)
permit ip 10.39.92.0 0.0.0.255 host 10.39.90.91 ( second IPBX)
permit ip host 10.39.90.90 10.39.92.0 0.0.0.255
permit ip host 10.39.90.91 10.39.92.0 0.0.0.255
I also want to supervise the SBC VM with SNMP.
Something like this?
permit udp 10.39.92.0 0.0.0.255 eq 160 host 10.39.1.15 ( SNMP server)
permit udp 10.39.92.0 0.0.0.255 host 10.39.1.15 eq 162
AND
SVI VLAN 92 :
ip access-group trunk_sip in
Or, to isolate even more: the ISP told me by email that their SIP trunk uses UDP on port 5060?
11-03-2023 07:51 AM
Hello,
To answer your first question, it simply looks like your ISP either has no route back to the 10.39.90.254 255.255.255.0 subnet, or has access to that subnet blocked for security reasons.
The access list looks ok.
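One way to check an ACL like trunk_sip before applying it to the SVI is to replay expected flows against it offline. The following is an added example, not part of the original posts and not a Cisco tool: a small first-match evaluator for the subset of extended ACL syntax used in the question, with the implicit deny at the end. The function names and the SBC address 10.39.92.10 are assumptions made for illustration.

```python
import ipaddress

# ACL entries as posted in the question (inline annotations removed).
TRUNK_SIP = """\
permit ip 10.39.92.0 0.0.0.255 host 10.39.90.90
permit ip 10.39.92.0 0.0.0.255 host 10.39.90.91
permit ip host 10.39.90.90 10.39.92.0 0.0.0.255
permit ip host 10.39.90.91 10.39.92.0 0.0.0.255
permit udp 10.39.92.0 0.0.0.255 eq 160 host 10.39.1.15
permit udp 10.39.92.0 0.0.0.255 host 10.39.1.15 eq 162
"""

def _endpoint(tok):
    """Consume one address spec (+ optional 'eq N'); return (base, wildcard, port)."""
    first = tok.pop(0)
    if first == "any":
        base, wild = 0, 0xFFFFFFFF
    elif first == "host":
        base, wild = int(ipaddress.IPv4Address(tok.pop(0))), 0
    else:
        base, wild = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))
    port = None
    if tok and tok[0] == "eq":
        tok.pop(0)
        port = int(tok.pop(0))
    return base, wild, port

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        rules.append((action, proto, _endpoint(tok), _endpoint(tok)))
    return rules

def _hit(spec, ip, port):
    base, wild, want = spec
    # Wildcard bits set to 1 are "don't care", so OR them into both sides.
    same_net = (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)
    return same_net and (want is None or want == port)

def evaluate(rules, proto, src, sport, dst, dport):
    """First match wins; return (action, 1-based line) or ('deny', None) for the implicit deny."""
    for n, (action, rproto, s, d) in enumerate(rules, 1):
        if rproto in ("ip", proto) and _hit(s, src, sport) and _hit(d, dst, dport):
            return action, n
    return "deny", None

if __name__ == "__main__":  # constructed flow: SBC VM 10.39.92.10 signalling to the main IPBX
    print(evaluate(parse(TRUNK_SIP), "udp", "10.39.92.10", 5060, "10.39.90.90", 5060))
```

With constructed flows from 10.39.92.10, SIP to the IPBX matches line 1 and a trap to UDP 162 matches line 6, while an SNMP reply sourced from UDP 161 (the standard agent port) matches no entry and falls to the implicit deny. Any destination not listed, such as an address outside 10.39.90.90, 10.39.90.91 and 10.39.1.15, is denied the same way.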