ACL IP telephony - voice VLAN - testing.

Hello members. I am trying to write an extended ACL for the voice vlan.

My scenario is the following:

I have two PBXs with two Catalyst 4505 L3 switches.

The C4505s are connected through a trunk link.

I have a VTP domain configured.

Voice VLANs are Vlan 100 and Vlan 101 with networks and

VoIP telephones are communicating among themselves and everything is working fine.

I want to secure both voice VLANs with an ACL to allow only a couple of IPs to administer the phones.

The PCs are connected through the integrated switch of the VoIP telephone.

Here is the sample configuration of the dhcp pool for the PC VLAN:

ip dhcp pool PCs




   option 43 hex 010a.5369.656d.656e.7300.0000.0204.0000.0064.0000.0000.00ff

I had to implement the option 43 hex value because the PCs did not get an IP from the DHCP server because of the vendor-specific information.

The thing that worries me is whether the DHCP server will still forward the ACKs to the PCs if I implement this test ACL:

ip access-list extended VLAN100

permit ip

permit ip

permit ip

permit ip

permit udp host eq bootpc host eq bootps  (I am not sure if I need this)

permit udp host eq bootps host eq bootpc   (also this)

deny   ip any any

I only want to allow the network and maybe some other hosts to access the web-based HTTP GUI to administer the IP phones.

All PCs are connected through the VoIP terminals. I do not want to deny the traffic to the PCs.

Any help would be appreciated.


If you apply this ACL outbound on the VLAN100 SVI, it will not block ACKs from the phone back to the PCs in the network, because the ACL isn't applied inbound on the SVI.  The ACLs are not bi-directional, so the following lines are not needed on VLAN 100.

permit ip

permit ip

permit udp host eq bootps host eq bootpc

You also aren't covering traffic to/from CUCM, or any other application, so they will also be blocked.  

All that being said, why not just disable web access on the phones?   If needed, re-enable it momentarily.  This will cause you fewer issues long term.

Or if that isn't agreeable, why not the following ACL outbound?

ip access-list extended VLAN100

permit tcp any eq 80

deny tcp any any eq 80

permit ip any any

One other random observation: /16 networks for voice go against the SRND guidance of no larger than /23 networks.
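The point above about ACLs not being bidirectional can be checked mechanically: an outbound ACL on an SVI only ever sees packets routed into that VLAN, and an inbound ACL only sees packets the VLAN sends elsewhere, so some entries can never match. The following lint is an added example, not code from the thread; the subnet and host addresses in the sample ACL are constructed stand-ins for the ones the poster did not show.

```python
"""Added example: flag ACEs that can never match for the SVI direction given."""
from ipaddress import ip_address, ip_network

def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    mask = ~int(ip_address(tok[i + 1])) & 0xFFFFFFFF      # wildcard -> netmask
    return ip_network((tok[i], str(ip_address(mask))), strict=False), i + 2

def _skip_ports(tok, i):
    """Skip an optional port operator (eq/gt/lt/neq X, or range A B)."""
    ops = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}
    return i + ops.get(tok[i], 0) if i < len(tok) else i

def parse_ace(line):
    """Return (action, proto, src_net, dst_net) or None for non-ACE lines."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return None
    src, i = _addr(tok, 2)
    dst, _ = _addr(tok, _skip_ports(tok, i))
    return tok[0], tok[1], src, dst

def dead_entries(acl_text, vlan_subnet, direction):
    """'out' sees only packets routed INTO the VLAN, so a source inside the VLAN
    never matches; 'in' sees only packets the VLAN sends elsewhere, so a
    destination inside the VLAN never matches (intra-VLAN traffic is L2-switched)."""
    vlan, dead = ip_network(vlan_subnet), []
    for n, line in enumerate(acl_text.strip().splitlines(), 1):
        ace = parse_ace(line.strip())
        if ace is None:
            continue
        src, dst = ace[2], ace[3]
        if (direction == "out" and src.subnet_of(vlan)) or \
           (direction == "in" and dst.subnet_of(vlan)):
            dead.append((n, line.strip()))
    return dead

# Constructed sample: voice VLAN 100 = 10.100.0.0/22, servers in 10.1.1.0/24
SAMPLE_ACL = """
ip access-list extended VLAN100
 permit ip 10.1.1.0 0.0.0.255 10.100.0.0 0.0.3.255
 permit udp host 10.100.0.5 eq bootpc host 10.1.1.10 eq bootps
 permit udp host 10.1.1.10 eq bootps host 10.100.0.5 eq bootpc
 deny ip any any log
"""
```

Note that a DHCP DISCOVER from a phone carries source 0.0.0.0, which lies outside the VLAN subnet, so the inbound check above deliberately never flags bootpc-to-bootps entries.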

Thanks for the fast reply.

I understand that ACLs are not bidirectional, so I do not need so many lines.

I did not phrase myself quite right.

I do not want to block only web-based management; I want to block sniffing of the traffic and every kind of traffic coming to the voice VLAN other than the DHCP offers to the PCs and the VoIP traffic.

I have many other dhcp pools configured with /22 CIDR for other PC VLANS.

I am using a Siemens Hipath communication server with gateway IP cards in lan and lan

I only need to allow the server VLAN and a couple of PCs in one of the PC VLANs.

I have several other VLANs.

So you think that if I apply the outbound extended ACL to the VLAN 100 and 101 SVIs, then the ACKs from the DHCP server for the PCs will still be reachable? Do I need extra commands for this in the ACL? Are these necessary:

permit udp host eq bootpc host eq bootps 

permit udp host eq bootps host eq bootpc 

I know that when I apply an outbound extended ACL it will filter traffic going out of the SVI interface.

But if I block that DHCP handshake traffic, how can the PCs get their IP through the telephone switch?

Do I need to use any other lines in the ACL for the voice VLAN?

P.S. I had to input option 43 hex with the hexadecimal value of the voice vlan at the end because the telephones did not get the IP from the DHCP.

This allows the IP phone to receive an ACK from the native data VLAN DHCP and then remember the voice vlan from the 43 dhcp hex value.

Thanks in advance.
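The option 43 value from the dhcp pool in the first post, and the remark above that the voice VLAN is encoded at its end, can be checked by decoding it. The decoder below is an added example, not vendor documentation: option 43 is parsed as RFC 2132 encapsulated sub-options (code, length, value; 0x00 pad, 0xff end), and reading sub-option 1 as the vendor name and sub-option 2 as a 4-byte VLAN id is an assumption that happens to give VLAN 100 for this string.

```python
"""Added example: decode/encode the vendor-specific DHCP option 43 shown in
the pool.  Sub-option layout (1 = vendor, 2 = VLAN id) is assumed, not
taken from vendor documentation."""

def parse_option43(hex_str):
    """Return {sub-option code: value bytes} from IOS 'option 43 hex' form."""
    data = bytes.fromhex(hex_str.replace(".", ""))
    subopts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0x00:                 # pad byte, no length field (RFC 2132)
            i += 1
            continue
        if code == 0xFF:                 # end of vendor options (RFC 2132)
            break
        if i + 1 >= len(data):
            raise ValueError("truncated sub-option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d runs past end of data" % code)
        subopts[code] = value
        i += 2 + length
    return subopts

def voice_vlan(hex_str):
    """(vendor string, VLAN id).  Assumes sub-option 1 = vendor name and
    sub-option 2 = 4-byte big-endian VLAN id (0x64 = 100 = VLAN 100 here)."""
    s = parse_option43(hex_str)
    return s[1].rstrip(b"\x00").decode("ascii"), int.from_bytes(s[2], "big")

def build_option43(vendor, vlan_id):
    """Build the dotted-hex string for another voice VLAN with the same layout
    (vendor padded to 10 bytes, 4-byte VLAN id, 0xff terminator)."""
    name = vendor.encode("ascii").ljust(10, b"\x00")
    raw = (bytes([1, len(name)]) + name + bytes([2, 4])
           + vlan_id.to_bytes(4, "big") + b"\xff")
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))

# The option 43 value from the dhcp pool in the first post
OPTION43 = "010a.5369.656d.656e.7300.0000.0204.0000.0064.0000.0000.00ff"
```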

As your query is more network/IOS related and doesn't involve CallManager, you might want to move/ask this in the routing/switching forums.


Please rate all helpful posts.

I have moved the thread to LAN routing & switching.

Any suggestion is welcome.

I have created a test VLAN with the subnet

The ACL that I will test would be configured on this VLAN that I will define to be a voice VLAN.

This subnet has all the routes to the PBX gateways for the telephones to associate with the pbx.

The thing I would like to test is whether these lines are enough to pass the DHCP packets to the PCs connected via the IP phones:

permit udp host eq bootpc host eq bootps 

permit udp host eq bootps host eq bootpc 

I have created the actual VOICE ACL for VLAN101, applied inbound on interface VLAN101:

IP access-list extended vlan101

  permit udp host eq bootps host eq bootpc

  permit udp host eq bootpc host eq bootps

  permit ip

  permit ip

  deny ip any any log

The is another telephony VLAN from the other PBX. is the mgmt VLAN.

When I apply the ACL the VOIP telephones are working but I have a lot of denied packets.

The PCs get their DHCP offer and handshake, but the IP secure packets are like this:

%SEC-6-IPACCESSLOGP: list vlan101 denied tcp ->, 1 packet

%SEC-6-IPACCESSLOGP: list vlan101 denied tcp ->, 1 packet

%SEC-6-IPACCESSLOGP: list vlan101 denied tcp ->, 1 packet

%SEC-6-IPACCESSLOGP: list vlan101 denied udp ->, 1 packet

The is the local PBX gateway card and the 4060 is the gateway default TCP port.

I am not sure, because in quite a short time a lot of packets are blocked, as it seems from the data VLAN or backwards to the voice VLAN. The only traffic that should pass is the DHCP handshake, which I thought I solved with the bootpc/bootps lines.

Any help would be appreciated.

Thanks in advance.

I have entered the ACL and the voice VLAN is working fine, but I have a lot of denied packets, in a couple of days something like 8 billion, for port 4060 from the data VLAN to VOICE. The lomgmt process CPU usage is higher than before; do I need to upgrade the IOS?
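Before changing the ACL or the IOS, it helps to see which flows are behind a deny counter that large, since every `log` hit costs CPU. The aggregator below is an added example, not code from the thread; the log lines are constructed in the `%SEC-6-IPACCESSLOGP` format with made-up addresses, using the list name vlan101 and port 4060 from the posts above.

```python
"""Added example: aggregate %SEC-6-IPACCESSLOGP deny messages so the flows
behind a huge deny counter can be seen before deciding what to permit or
whether to drop 'log' from the deny line.  Log lines below are constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

def parse_log(text):
    """Yield one dict per matching line; IOS logs the first packet of a flow
    and then periodic summaries carrying the count since the last message."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "count"):
                d[k] = int(d[k])
            yield d

def summarize(text, acl="vlan101"):
    """Denied packets per (proto, dst, dport) for one ACL, busiest first, plus
    the number of distinct sources so a VLAN-wide pattern stands out."""
    pkts, srcs = defaultdict(int), defaultdict(set)
    for d in parse_log(text):
        if d["acl"] == acl and d["action"] == "denied":
            key = (d["proto"], d["dst"], d["dport"])
            pkts[key] += d["count"]
            srcs[key].add(d["src"])
    return sorted(((k[0], k[1], k[2], pkts[k], len(srcs[k])) for k in pkts),
                  key=lambda row: row[3], reverse=True)

# Constructed sample: data VLAN hosts 10.20.0.0/22, PBX gateway card 10.101.0.7
SAMPLE_LOG = """\
Jan 10 09:01:12.001: %SEC-6-IPACCESSLOGP: list vlan101 denied tcp 10.20.0.15(52113) -> 10.101.0.7(4060), 1 packet
Jan 10 09:01:13.410: %SEC-6-IPACCESSLOGP: list vlan101 denied tcp 10.20.0.16(49220) -> 10.101.0.7(4060), 1 packet
Jan 10 09:06:12.002: %SEC-6-IPACCESSLOGP: list vlan101 denied tcp 10.20.0.15(52113) -> 10.101.0.7(4060), 386 packets
Jan 10 09:06:13.411: %SEC-6-IPACCESSLOGP: list vlan101 denied tcp 10.20.0.16(49220) -> 10.101.0.7(4060), 402 packets
Jan 10 09:06:20.900: %SEC-6-IPACCESSLOGP: list vlan101 denied udp 10.20.1.9(5060) -> 10.101.0.7(5060), 3 packets
Jan 10 09:07:01.000: %SEC-6-IPACCESSLOGP: list vlan101 denied tcp 10.20.0.40(51000) -> 10.101.0.8(80), 1 packet
"""

if __name__ == "__main__":
    for proto, dst, dport, n, nsrc in summarize(SAMPLE_LOG):
        print(f"{proto} -> {dst}:{dport}  {n} packets from {nsrc} sources")
```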
