11-17-2014 06:19 AM - edited 03-07-2019 09:32 PM
Hey all, long time lurker, this is my first post (I think?)!
My company doesn't have Cisco switches, but we do have Adtran switches and they're basically Cisco clones with a few variations on syntax.
Our network is simple: 2 VLANs (voice 10.10.10.0/24, data 10.10.1.0/24) with one cable run for PC and phone. We use a softphone on the PCs that can connect with the desk phone. We have a NEC SV8100 PBX. All phones are actually static IPs with no DHCP.
Right now every user can get to their phone (HTTP GUI) on the voice VLAN if they want to. I know, I know, big security violation; however, it's a small office and the median age would be in the 50's and mostly female so.... but yeah, I'm trying to use best practice here.
I need an ACL that will block them from getting to their phones but still allow use of the softphone. My boss and I would need access to administer the phones if need be, so just 2 IPs permitted.
Labels: Other Switching
11-17-2014 08:14 AM
You may not need to do anything on the switches. Assuming that all web requests are coming in from the data VLAN, they'll need to be routed over to the voice VLAN to reach the phones. An ACL on the router (or L3 switch interface) that permits HTTP traffic only from specific stations on the data VLAN to the voice VLAN should cover you off.
11-17-2014 08:43 AM
The Adtrans are L3 and are currently routing between the 2 VLANs, so users could get to the web interface on the phones. My main concern is just still permitting the softphone (that's on the data VLAN) to access the phones on the voice VLAN.
11-17-2014 08:47 AM
Most phones are going to be using SIP/RTP or H.323/RTP for all of their traffic. They may be using HTTP to access the voice server for additional details, so that may be of some concern. I would begin with one phone and restrict HTTP traffic destined only for its address rather than the entire subnet. Once you've verified that everything works as it should, you can extend that to the entire VLAN.
11-18-2014 08:58 AM
I must be missing something with the way Adtran implements ACLs. I can create the ACL but I can't find where to apply it. It doesn't look like you can apply it to the layer 2 interface or the VLAN interface?
11-18-2014 10:26 AM
Found it. On Adtran switches you have to configure a Hardware ACL in order to apply it to a L3 Vlan Interface. Is that the same as a router ACL on Cisco?
11-18-2014 11:21 AM
So to reference your first post, and I apologize for my noobness here, if I wanted to allow, say, just one PC to access the voice VLAN on HTTP, would the ACL look like this?
permit tcp 10.10.1.100 10.10.10.0 0.0.0.255 eq 80
So I know there's an implicit deny all at the end; isn't that going to kill the softphone access to the desk phone for each user?
11-18-2014 11:24 AM
The implicit deny will kill the access between the two networks, so you want to do something like this instead:
permit tcp host 10.10.1.100 10.10.10.0 0.0.0.255 eq 80
deny tcp any 10.10.10.0 0.0.0.255 eq 80
permit ip any any
This way you permit the HTTP traffic from the host you want, deny HTTP traffic from any other host and then permit any other traffic that doesn't satisfy the first two rules.
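As an added illustration, not part of the thread, here is a small Python model of first-match ACL evaluation with the implicit deny, run against both the single-permit draft and the accepted three-line ACL. The phone address 10.10.10.25, the user PC 10.10.1.50 and the SIP port 5060 are constructed values, and the model assumes one ACL applied in a single direction.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches everything; else "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int = 0                  # "eq <port>" on the destination; 0 = no port clause

def net(addr, wildcard=None):
    """ACL address notation -> network: 'any', 'host X', or 'X wildcard'."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if wildcard is None:                            # "host X"
        return ipaddress.ip_network(f"{addr}/32")
    # A wildcard mask is the bitwise inverse of a subnet mask (0.0.0.255 -> /24)
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE decides; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport and ace.dport != dport:
            continue
        return ace.action
    return "deny"                                   # the implicit deny
ADMIN = net("10.10.1.100")                          # the permitted admin PC
VOICE = net("10.10.10.0", "0.0.0.255")              # voice VLAN
ANY = net("any")
# The asker's draft: a single permit, so everything else hits the implicit deny.
DRAFT = [Ace("permit", "tcp", ADMIN, VOICE, 80)]
# The accepted answer: permit admin HTTP, deny other HTTP, permit the rest.
FIXED = [Ace("permit", "tcp", ADMIN, VOICE, 80),
         Ace("deny", "tcp", ANY, VOICE, 80),
         Ace("permit", "ip", ANY, ANY)]

def compare():
    """(draft result, fixed result) for three constructed data-VLAN flows."""
    flows = {"admin_http": ("tcp", "10.10.1.100", "10.10.10.25", 80),
             "user_http":  ("tcp", "10.10.1.50", "10.10.10.25", 80),
             "user_sip":   ("udp", "10.10.1.50", "10.10.10.25", 5060)}  # SIP port assumed
    return {k: (evaluate(DRAFT, *f), evaluate(FIXED, *f)) for k, f in flows.items()}
```

The draft denies the softphone's signalling along with everyone's HTTP, while the fixed ACL only removes the HTTP path for non-admin hosts.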
11-18-2014 11:32 AM
That's it. Awesome, thanks.
