05-15-2012 07:57 AM - edited 03-07-2019 06:43 AM
Hello members. I am trying to write an extended ACL for the voice VLAN.
My scenario is the following:
I have two PBXs with two Catalyst 4505 L3 switches.
The C4505s are connected through a trunk link.
I have a VTP domain configured.
Voice VLANs are VLAN 100 and VLAN 101 with networks 10.2.0.0/16 and 10.4.0.0/16.
VoIP telephones are communicating between themselves and everything is working fine.
I want to secure both voice VLANs with an ACL to allow only a couple of IPs to administer the phones.
The PCs are connected through the integrated switch of the VoIP telephone.
Here is the sample configuration of the DHCP pool for the PC VLAN:
ip dhcp pool PCs
network 10.1.0.0 255.255.0.0
default-router 10.1.1.1
dns-server 10.10.10.1
option 43 hex 010a.5369.656d.656e.7300.0000.0204.0000.0064.0000.0000.00ff
I had to implement the option 43 hex value because the PCs did not get an IP from the DHCP server because of the vendor-specific information.
The thing that worries me is whether the DHCP server will forward the ACKs for the PCs if I implement this test ACL:
ip access-list extended VLAN100
permit ip 10.2.0.0 0.0.255.255 10.4.0.0 0.0.255.255
permit ip 10.4.0.0 0.0.255.255 10.2.0.0 0.0.255.255
permit ip 192.168.2.0 0.0.0.255 10.2.0.0 0.0.255.255
permit ip 192.168.2.0 0.0.0.255 10.4.0.0 0.0.255.255
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps (I am not sure whether I need this)
permit udp host 255.255.255.255 eq bootps host 0.0.0.0 eq bootpc (or this)
deny ip any any
I only want to allow the network 192.168.2.0/24 and maybe some other hosts to access the web-based HTTP GUI to administer the IP phones.
All PCs are connected through the VoIP terminals. I do not want to deny the traffic to the PCs.
Any help would be appreciated.
05-15-2012 08:33 AM
If you apply this ACL outbound on the VLAN100 SVI, it will not block ACKs from the phone back to the PCs in the 192.168.2.0 network, because the ACL isn't applied inbound on the SVI. ACLs are not bidirectional, so the following lines are not needed on VLAN 100:
permit ip 10.2.0.0 0.0.255.255 10.4.0.0 0.0.255.255
permit ip 192.168.2.0 0.0.0.255 10.4.0.0 0.0.255.255
permit udp host 255.255.255.255 eq bootps host 0.0.0.0 eq bootpc
You also aren't covering traffic to/from CUCM, or any other application, so they will also be blocked.
All that being said, why not just disable web access on the phones? If needed, re-enable it momentarily. This will cause you fewer issues long term.
05-15-2012 08:41 AM
Or if that isn't agreeable, why not the following ACL outbound?
ip access-list extended VLAN100
permit tcp 192.168.2.0 0.0.0.255 any eq 80
deny tcp any any eq 80
permit ip any any
One other random observation: /16 networks for voice go against the SRND guideline of no larger than /23 networks.
05-15-2012 10:28 AM
Thanks for the fast reply.
I understand that ACLs are not bidirectional, so I do not need so many lines.
I did not phrase myself quite right.
I do not want to block only web-based management; I want to block sniffing of the traffic and every kind of traffic coming to the voice VLAN other than the DHCP offers to PCs and VoIP traffic.
I have many other DHCP pools configured with /22 CIDR for other PC VLANs.
I am using a Siemens Hipath communication server with gateway IP cards in the 10.4.0.0/16 LAN and the 10.2.0.0/16 LAN.
I only need to allow the server VLAN and a couple of PCs in one of the PC VLANs.
I have several other VLANs.
So do you think that if I apply the outbound extended ACL to the VLAN 100 and 101 SVIs, the ACKs from the DHCP server for the PCs will be reachable? Do I need extra commands for this in the ACL? Are these necessary:
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
permit udp host 255.255.255.255 eq bootps host 0.0.0.0 eq bootpc
I know that when I apply an outbound extended ACL it will filter traffic going out of the SVI interface.
But if I block that DHCP handshake traffic, how can the PCs get an IP through the telephone switch?
Do I need to use any other lines in the ACL for the voice VLAN?
P.S. I had to input the option 43 hex value with the hexadecimal value of the voice VLAN at the end because the telephones did not get an IP from the DHCP server.
This allows the IP phone to receive an ACK from the native data VLAN DHCP server and then remember the voice VLAN from the option 43 DHCP hex value.
Thanks in advance.
05-15-2012 10:38 PM
As your query is more network/IOS related and doesn't involve CallManager, you might want to move/ask this in the routing/switching forums.
GTG
05-16-2012 02:35 AM
I have moved the thread to LAN routing & switching.
Any suggestion is welcome.
05-16-2012 12:15 PM
I have created a test VLAN with the subnet 172.18.1.0/24
The ACL that I will test will be configured on this VLAN, which I will define to be a voice VLAN.
This subnet has all the routes to the PBX gateways for the telephones to associate with the PBX.
The thing I would like to test is whether these lines are enough to pass the DHCP packets to the PCs connected via IP phones:
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
permit udp host 255.255.255.255 eq bootps host 0.0.0.0 eq bootpc
05-17-2012 06:20 AM
I have created the actual VOICE ACL for VLAN 101, 10.4.0.0/16, applied inbound on interface VLAN101:
ip access-list extended vlan101
permit udp host 255.255.255.255 eq bootps host 0.0.0.0 eq bootpc
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
permit ip 10.4.0.0 0.0.255.255 10.2.0.0 0.0.255.255
permit ip 10.4.0.0 0.0.255.255 10.10.100.0 0.0.0.255
deny ip any any log
The 10.2.0.0/16 is another telephony VLAN from the other PBX.
10.10.100.0/16 is the mgmt VLAN.
When I apply the ACL the VoIP telephones are working, but I have a lot of denied packets.
The PCs get their DHCP offer and handshake, but the IP security log messages look like this:
%SEC-6-IPACCESSLOGP: list vlan101 denied tcp 10.4.0.4(4060) -> 10.10.48.71(1024), 1 packet
%SEC-6-IPACCESSLOGP: list vlan101 denied tcp 10.4.0.4(4060) -> 10.3.2.226(1024), 1 packet
%SEC-6-IPACCESSLOGP: list vlan101 denied tcp 10.4.0.4(12270) -> 10.3.2.66(1720), 1 packet
%SEC-6-IPACCESSLOGP: list vlan101 denied udp 10.4.0.3(29132) -> 10.10.59.103(5004), 1 packet
10.4.0.4 is the local PBX gateway card and 4060 is the gateway's default TCP port.
I am not sure, because in quite a short time a lot of packets are blocked, as it seems from the data VLAN or backward to the voice VLAN. The only traffic that should pass is the DHCP handshake, which I thought I solved with the bootpc/bootps lines.
Any help would be appreciated.
Thanks in advance.
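Before an ACL like the one above goes onto an SVI, its ACEs can be checked offline against the traffic you expect and against the packets the switch later logs. The script below is an added example for this page, not code from the thread or from Cisco: it parses the vlan101 ACL posted above in IOS named-ACL syntax (first match wins, implicit deny at the end, wildcard masks where a 1 bit means "don't care"), rebuilds the four denied packets from the quoted %SEC-6-IPACCESSLOGP lines, reports which ACE each one hit, and keeps per-ACE counters the way the "(N matches)" column of show access-lists does, which is where a deny line absorbing a very large number of packets shows up. It models ACE matching only: it knows nothing about the direction in which a flow crosses the SVI (the point made in the 08:33 reply) or about how the platform treats DHCP broadcasts, so it answers "which line matched", not "will DHCP work". The port-keyword table and the log-line format it parses are assumptions taken from the lines quoted in the thread.

```python
import ipaddress
import re
from collections import namedtuple

# Port keywords used in the thread's ACLs (assumed subset of the IOS name table).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "www": 80}
Packet = namedtuple("Packet", "proto src sport dst dport")  # proto: "tcp" or "udp"
Ace = namedtuple("Ace", "action proto src src_wild sport dst dst_wild dport text")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def _opt_port(tokens):
    """Consume an optional 'eq PORT' (number or keyword); None if absent."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        tok = tokens.pop(0)
        return int(tok) if tok.isdigit() else PORT_NAMES[tok]
    return None

def parse_acl(text):
    """Parse ACE lines; 'ip access-list' headers and 'remark' lines are skipped."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("ip access-list", "remark")):
            continue
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, src_wild = _addr(tokens)
        sport = _opt_port(tokens)
        dst, dst_wild = _addr(tokens)
        dport = _opt_port(tokens)  # a trailing 'log' keyword is ignored
        aces.append(Ace(action, proto, src, src_wild, sport, dst, dst_wild, dport, line))
    return aces

def _addr_match(pkt_ip, addr, wild):
    """Wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (_ip(pkt_ip) & care) == (addr & care)

def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_match(pkt.src, ace.src, ace.src_wild):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if not _addr_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(aces, pkt):
    """First matching ACE wins; the implicit deny is reported explicitly."""
    for ace in aces:
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"

LOG_RE = re.compile(r"denied (tcp|udp) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)")

def packet_from_log(line):
    """Rebuild the denied packet from a %SEC-6-IPACCESSLOGP line."""
    proto, src, sport, dst, dport = LOG_RE.search(line).groups()
    return Packet(proto, src, int(sport), dst, int(dport))

def hit_counts(aces, pkts):
    """Per-ACE match counters, like the '(N matches)' column of show access-lists."""
    counts = {}
    for pkt in pkts:
        _, text = evaluate(aces, pkt)
        counts[text] = counts.get(text, 0) + 1
    return counts

# The vlan101 ACL and the denied-packet log lines exactly as quoted in the thread.
VLAN101_IN = """
permit udp host 255.255.255.255 eq bootps host 0.0.0.0 eq bootpc
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
permit ip 10.4.0.0 0.0.255.255 10.2.0.0 0.0.255.255
permit ip 10.4.0.0 0.0.255.255 10.10.100.0 0.0.0.255
deny ip any any log
"""
DENIED_LOGS = [
    "%SEC-6-IPACCESSLOGP: list vlan101 denied tcp 10.4.0.4(4060) -> 10.10.48.71(1024), 1 packet",
    "%SEC-6-IPACCESSLOGP: list vlan101 denied tcp 10.4.0.4(4060) -> 10.3.2.226(1024), 1 packet",
    "%SEC-6-IPACCESSLOGP: list vlan101 denied tcp 10.4.0.4(12270) -> 10.3.2.66(1720), 1 packet",
    "%SEC-6-IPACCESSLOGP: list vlan101 denied udp 10.4.0.3(29132) -> 10.10.59.103(5004), 1 packet",
]

if __name__ == "__main__":
    acl = parse_acl(VLAN101_IN)
    pkts = [packet_from_log(line) for line in DENIED_LOGS]
    for pkt in pkts:
        print(pkt, evaluate(acl, pkt))
    print(hit_counts(acl, pkts))
```

Run as-is it confirms that all four logged packets fall through to the final deny line; feeding it the three-line outbound ACL from the 08:41 reply with a few constructed flows (an HTTP request from 192.168.2.0/24, one from another subnet, an RTP stream) shows the same first-match logic picking the permit, the deny and the catch-all permit respectively.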
05-21-2012 11:44 AM
I have entered the ACL and the voice VLAN is working fine, but I have a lot of denied packets in a couple of days, like 8 billion, for port 4060 from the data VLAN to VOICE. The lomgmt process CPU is working higher than before; do I need to upgrade the IOS?