05-18-2016 06:12 PM - edited 03-05-2019 04:02 AM
With the help of Tim Y, I created an ACL to prevent several VLANs from accessing my management VLANs. The ACL works as intended for the WIFI access point public VLAN. The SIP VLAN will not work, however. If I do not restart the SIP phone, it will continue to work as it should for about an hour. If I restart the phone it shows "network down" and "DHCP Fail". What am I missing? What else needs to be open to make the SIP phones work?
interface Vlan10
 description MANAGEMNET
 ip address 172.16.110.1 255.255.255.0
 ip helper-address 172.16.110.29
 ip helper-address 172.16.111.13
 no ip redirects
!
interface Vlan12
 description PHONE
 ip address 172.16.112.1 255.255.255.240
 ip access-group No_Management in
 ip helper-address 172.16.110.29
 ip helper-address 172.16.111.13
!
interface Vlan17
 description PUBLIC WIFI
 ip address 172.16.117.129 255.255.255.192
 ip access-group No_Management in
 ip helper-address 172.16.110.29
 ip helper-address 172.16.111.13
!
ip access-list extended No_Management
 permit udp 172.16.117.128 0.0.0.127 host 172.16.111.13 eq bootpc
 permit udp 172.16.117.128 0.0.0.127 host 172.16.111.13 eq domain
 permit udp 172.16.117.128 0.0.0.127 host 172.16.110.29 eq bootpc
 permit udp 172.16.117.128 0.0.0.127 host 172.16.110.29 eq domain
 deny ip 172.16.117.128 0.0.0.127 172.16.111.0 0.0.0.255
 deny ip 172.16.117.128 0.0.0.127 172.16.110.0 0.0.0.255
 permit ip 172.16.117.128 0.0.0.127 any
 permit udp 172.16.112.0 0.0.0.15 host 172.16.111.13 eq bootpc
 permit udp 172.16.112.0 0.0.0.15 host 172.16.111.13 eq domain
 permit udp 172.16.112.0 0.0.0.15 host 172.16.110.29 eq bootpc
 permit udp 172.16.112.0 0.0.0.15 host 172.16.110.29 eq domain
 deny ip 172.16.112.0 0.0.0.15 172.16.111.0 0.0.0.255
 deny ip 172.16.112.0 0.0.0.15 172.16.110.0 0.0.0.255
 permit ip 172.16.112.0 0.0.0.15 any
EDIT: I changed my ACL to one that should allow all traffic from VLAN 12 to my DCs, and it still does not work.
permit ip 172.16.112.0 0.0.0.15 host 172.16.111.13
permit ip 172.16.112.0 0.0.0.15 host 172.16.110.29
deny ip 172.16.112.0 0.0.0.15 172.16.111.0 0.0.0.255
deny ip 172.16.112.0 0.0.0.15 172.16.110.0 0.0.0.255
permit ip 172.16.112.0 0.0.0.15 any
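To see what the posted rules actually match, here is an added example (my own code, not the poster's configuration or anything from Cisco): a small Python evaluator that applies IOS-style wildcard-mask, first-match, implicit-deny semantics to the VLAN 12 rules quoted above and to a few constructed packets. The input worth looking at is the DHCP DISCOVER a freshly booted phone sends: it is sourced from 0.0.0.0 to 255.255.255.255, UDP port 68 to port 67 (bootps), so neither the `eq bootpc` lines (destination port 68) nor the edited `permit ip 172.16.112.0 0.0.0.15 host ...` lines can match it, and it falls to the implicit deny. The third ACL, with `permit udp any eq bootpc any eq bootps` prepended, is an assumed fix for illustration only; 172.16.112.5 and 192.0.2.10 are constructed addresses, and the evaluator models only ACL text, not platform-specific handling of relayed broadcasts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS service keywords used in the thread's ACL, plus bootps (67), which it never uses.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}
ANY = (0, 0xFFFFFFFF)  # IOS 'any' == network 0.0.0.0 with an all-ones wildcard

@dataclass(frozen=True)
class Packet:
    proto: str  # "udp" or "tcp"
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "udp" or "tcp"
    src: Tuple[int, int]  # (network, wildcard)
    dst: Tuple[int, int]
    sport: Optional[int]  # None when the ACE carries no 'eq' qualifier
    dport: Optional[int]

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _take_addr(tok: List[str]) -> Tuple[Tuple[int, int], List[str]]:
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _take_port(tok: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq <keyword|number>' qualifier."""
    if tok and tok[0] == "eq":
        p = tok[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tok[2:]
    return None, tok

def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, _ = _take_port(rest)
        aces.append(Ace(action, proto, src, dst, sport, dport))
    return aces

def _addr_match(addr: int, spec: Tuple[int, int]) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (addr & care) == (net & care)

def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for n, ace in enumerate(aces, 1):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(_ip(pkt.src), ace.src) and _addr_match(_ip(pkt.dst), ace.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return f"{ace.action} (line {n})"
    return "deny (implicit)"

# VLAN 12 portion of the thread's first No_Management ACL.
ORIGINAL = """
permit udp 172.16.112.0 0.0.0.15 host 172.16.111.13 eq bootpc
permit udp 172.16.112.0 0.0.0.15 host 172.16.111.13 eq domain
permit udp 172.16.112.0 0.0.0.15 host 172.16.110.29 eq bootpc
permit udp 172.16.112.0 0.0.0.15 host 172.16.110.29 eq domain
deny ip 172.16.112.0 0.0.0.15 172.16.111.0 0.0.0.255
deny ip 172.16.112.0 0.0.0.15 172.16.110.0 0.0.0.255
permit ip 172.16.112.0 0.0.0.15 any
"""

# The poster's EDIT version: all IP from the phone subnet to both DCs.
EDITED = """
permit ip 172.16.112.0 0.0.0.15 host 172.16.111.13
permit ip 172.16.112.0 0.0.0.15 host 172.16.110.29
deny ip 172.16.112.0 0.0.0.15 172.16.111.0 0.0.0.255
deny ip 172.16.112.0 0.0.0.15 172.16.110.0 0.0.0.255
permit ip 172.16.112.0 0.0.0.15 any
"""

# Assumed fix (not from the thread): let client-to-server DHCP through regardless of
# source address, because a booting client has no address yet. The rest is unchanged.
FIXED = "permit udp any eq bootpc any eq bootps\n" + EDITED.strip() + "\n"

# Constructed sample packets; 172.16.112.5 stands in for a phone on VLAN 12.
PACKETS = {
    "discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),  # booting phone, no lease
    "renew": Packet("udp", "172.16.112.5", "172.16.110.29", 68, 67),   # unicast lease renewal
    "dns": Packet("udp", "172.16.112.5", "172.16.110.29", 53000, 53),
}

def results(acl_text: str) -> dict:
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("edited", EDITED), ("fixed", FIXED)):
        print(f"{label:9}{results(acl)}")
```

Run as-is, the DISCOVER is denied by the implicit deny under both of the poster's ACLs and permitted only once a rule exists that does not key on the phone's (not yet assigned) source address; DNS and a unicast renewal are permitted by the edited ACL, which is consistent with a phone that keeps working until it has to go back through the full DHCP exchange.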
05-18-2016 08:38 PM
05-19-2016 05:02 AM
This tells me what ports SIP phones use but does not tell me which ports SIP phones need open for DHCP and DNS.
I may be missing something else. I changed the ACL to:
permit ip 172.16.112.0 0.0.0.15 host 172.16.111.13
permit ip 172.16.112.0 0.0.0.15 host 172.16.110.29
deny ip 172.16.112.0 0.0.0.15 172.16.111.0 0.0.0.255
deny ip 172.16.112.0 0.0.0.15 172.16.110.0 0.0.0.255
permit ip 172.16.112.0 0.0.0.15 any
That should allow all traffic to my DCs; however, even with that ACL the phones will not work.
05-19-2016 06:23 AM
Hi!
Please refer to port 53 for DNS and port 67 for DHCP (or bootpc if using a helper-address and the ACL is used as IN).
Here is the documentation for the DHCP ports in case you feel like going more in depth:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3se/3850/dhcp-xe-3se-3850-book/config-dhcp-server.html
Hope it helps, best regards!
JC
05-19-2016 07:31 AM
Those are the ports I used in the ACL that is being used for vlan 17. It works fine for computer traffic.
I also tried, in addition to bootpc, ports 37, 49, 53, 67, 68, 69, 137 and 138. The SIP phone will not work.
The ACL is applied as IN.
05-19-2016 09:12 AM
Which is the SIP VLAN? VLAN 12?
05-19-2016 04:31 PM
Yes, VLAN 12 is the SIP VLAN.