TCP and UDP Port Usage Guide for Cisco Unified Communications Manager, Release 9.0(1)

mchance · ‎05-18-2016

With the help of Tim Y i created an ACL to prevent several vlans from accessing my management vlans. The ACL works as intended for the WIFI access point public vlan. The SIP vlan will not work however. IF I do not restart the SIP phone the it will continue to work as it should for about an hour. If I restart the phone it shows "network down" and "DHCP Fail". What am i missing? What else needs to be open to make the SIP phones work?

interface Vlan10
description MANAGEMNET
ip address 172.16.110.1 255.255.255.0
ip helper-address 172.16.110.29
ip helper-address 172.16.111.13
no ip redirects

interface Vlan12
description PHONE
ip address 172.16.112.1 255.255.255.240

ip access-group No_Management in
ip helper-address 172.16.110.29
ip helper-address 172.16.111.13

interface Vlan17
description PUBLIC WIFI
ip address 172.16.117.129 255.255.255.192
ip access-group No_Management in
ip helper-address 172.16.110.29
ip helper-address 172.16.111.13

ip access-list extended No_Management
permit udp 172.16.117.128 0.0.0.127 host 172.16.111.13 eq bootpc
permit udp 172.16.117.128 0.0.0.127 host 172.16.111.13 eq domain
permit udp 172.16.117.128 0.0.0.127 host 172.16.110.29 eq bootpc
permit udp 172.16.117.128 0.0.0.127 host 172.16.110.29 eq domain
deny ip 172.16.117.128 0.0.0.127 172.16.111.0 0.0.0.255
deny ip 172.16.117.128 0.0.0.127 172.16.110.0 0.0.0.255
permit ip 172.16.117.128 0.0.0.127 any
permit udp 172.16.112.0 0.0.0.15 host 172.16.111.13 eq bootpc
permit udp 172.16.112.0 0.0.0.15 host 172.16.111.13 eq domain
permit udp 172.16.112.0 0.0.0.15 host 172.16.110.29 eq bootpc
permit udp 172.16.112.0 0.0.0.15 host 172.16.110.29 eq domain
deny ip 172.16.112.0 0.0.0.15 172.16.111.0 0.0.0.255
deny ip 172.16.112.0 0.0.0.15 172.16.110.0 0.0.0.255
permit ip 172.16.112.0 0.0.0.15 any

EDIT: I changed my ACL to one that should allow all traffic from vlan 12 to my DC's and it still does not work.

permit ip 172.16.112.0 0.0.0.15 host 172.16.111.13
permit ip 172.16.112.0 0.0.0.15 host 172.16.110.29
deny ip 172.16.112.0 0.0.0.15 172.16.111.0 0.0.0.255
deny ip 172.16.112.0 0.0.0.15 172.16.110.0 0.0.0.255
permit ip 172.16.112.0 0.0.0.15 any

Leo Laohoo · ‎05-18-2016

TCP and UDP Port Usage Guide for Cisco Unified Communications Manager, Release 9.0(1)

mchance · ‎05-19-2016

This tells me what ports SIP phones use but does not tell which ports SIP phones need open to DHCP and DNS.

I may be missing something else. I changed the ACL to:

permit ip 172.16.112.0 0.0.0.15 host 172.16.111.13
permit ip 172.16.112.0 0.0.0.15 host 172.16.110.29
deny ip 172.16.112.0 0.0.0.15 172.16.111.0 0.0.0.255
deny ip 172.16.112.0 0.0.0.15 172.16.110.0 0.0.0.255
permit ip 172.16.112.0 0.0.0.15 any

That should allow all traffic to my DC's however even with that ACL the phones will not work.

Carlos Villagran · ‎05-19-2016

Hi!

Please refer to port 53 for DNS and port 67 for DHCP (or bootpc if using a helper-address and the ACL is used as IN).

Here is the documentation for the DHCP ports in case you feel like going more in depth:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3se/3850/dhcp-xe-3se-3850-book/config-dhcp-server.html

Hope it helps, best regards!

JC

mchance · ‎05-19-2016

Those are the ports I used in the ACL that is being used for vlan 17. It works fine for computer traffic.

I also tried in addition to bootpc, ports 37, 49, 53, 67, 68, 69, 137 and 138. The SIP phone will not work.

The ACL is applied as IN.

Carlos Villagran · ‎05-19-2016

Which is the SIP VLAN?. VLAN 12?

mchance · ‎05-19-2016

Yes, vlan 12 is the SIP vlan.

What ports need to be open for SIP phones to work?

TCP and UDP Port Usage Guide for Cisco Unified Communications Manager, Release 9.0(1)