08-27-2019 05:08 AM
Hello all,
We have a data VLAN and a voice VLAN. All the ports are configured with the "switchport access vlan 10" and "switchport voice vlan 20" commands.
Our problem is that when the provider changes some settings in the auto-provision file, CDP and LLDP are disabled and the phones end up in the DATA VLAN.
How can I block VoIP on the DATA VLAN?
Thank you.
Isac
08-27-2019 06:29 AM
Hello Isac,
It is not clear what you would like to achieve.
You describe the problem in the following manner:
>>
Our problem is that when the provider changes some settings in the auto-provision file, CDP and LLDP are disabled and the phones end up in the DATA VLAN.
How can I block VoIP on the DATA VLAN?
I suppose you mean that the phones' configuration file can be changed and some of them have CDP or LLDP-MED disabled, so they end up in the data VLAN instead of the voice VLAN for lack of communication via CDP or LLDP-MED.
At this point you ask >> How can I block VoIP on the DATA VLAN?
You can block VoIP signaling protocols, VoIP RTP bearer channels, or both.
a) SCCP Skinny registration
you would need an ACL with the following statement
access-list 160 remark deny SCCP from data Vlan
access-list 160 deny tcp 10.10.10.0 0.0.0.255 any eq 2000
b) SIP protocol, which can use UDP or TCP ports 5060 and 5061
access-list 160 remark deny SIP
access-list 160 deny udp 10.10.10.0 0.0.0.255 any eq 5060
access-list 160 deny tcp 10.10.10.0 0.0.0.255 any eq 5060
access-list 160 deny udp 10.10.10.0 0.0.0.255 any eq 5061
access-list 160 deny tcp 10.10.10.0 0.0.0.255 any eq 5061
c) deny RTP, which uses UDP 16384 to 32767 by default; in this case we match on the source port range
access-list 160 remark deny RTP
access-list 160 deny udp 10.10.10.0 0.0.0.255 range 16384 32767 any
! in Cisco ACLs the range keyword takes the lowest and the highest port of the range, both inclusive
d) permit all other traffic
access-list 160 permit ip 10.10.10.0 0.0.0.255 any
! please note ACL 160 is made of all statements described in points a) to d)
int vlan 10
ip access-group 160 in
Hope to help
Giuseppe
08-28-2019 06:00 AM
Hello Giuseppe,
Thank you for your message. Phones get their IP from one pool (10.10.11.0/24) and PCs get their IP from a different pool (10.10.10.0/24). After CDP and LLDP are disabled, the phones get their IP from the data pool (10.10.10.0/24). Additionally, PCs use programs like Skype and I don't want to block them.
Do you think it can be blocked somehow?
Thanks.
Isac
08-28-2019 07:43 AM
Hello Isac,
>>
After CDP and LLDP are disabled, the phones get their IP from the data pool (10.10.10.0/24). Additionally, PCs use programs like Skype and I don't want to block them.
Do you think it can be blocked somehow?
No, it is not possible to block only the IP phones that are in the wrong IP subnet, the data subnet 10.10.10.0/24.
If the phones are able to register to the IP PABX, you need to monitor the IP addresses of all phones and extract a list of IP phones with an IP address in 10.10.10.x/24.
At that point you can try to access each IP phone, enable CDP / LLDP-MED manually and make them reboot.
Hope to help
Giuseppe
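The check described in the answer above (pull the registered-phone list from the PBX and flag every phone whose address falls in the data subnet instead of the voice subnet) as an added example; this is not code from the thread or from any Cisco product. It assumes a CSV export of the form "device name, registered IP, status" with Cisco-style SEP+MAC device names; the device names, MACs and addresses below are constructed sample data, and the 10.10.10.0/24 data and 10.10.11.0/24 voice subnets are the ones given in the thread.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample export from the IP PBX: device name, registered IP, status.
# The MAC-derived names and the addresses are made up for this example.
REGISTERED_PHONES = """\
SEP0011AABB0001,10.10.11.21,Registered
SEP0011AABB0002,10.10.11.22,Registered
SEP0011AABB0003,10.10.10.57,Registered
SEP0011AABB0004,10.10.10.58,Registered
SEP0011AABB0005,10.10.11.23,Unregistered
"""

# Subnets as stated in the thread: voice pool and data pool.
VOICE_SUBNET = ipaddress.ip_network("10.10.11.0/24")
DATA_SUBNET = ipaddress.ip_network("10.10.10.0/24")

# Cisco IP phone device names are "SEP" followed by the 12-hex-digit MAC.
DEVICE_RE = re.compile(r"^SEP([0-9A-Fa-f]{12})$")

Row = Tuple[str, ipaddress.IPv4Address, str]


def parse_registrations(text: str) -> List[Row]:
    """Parse the CSV export into (device name, IP address, status) rows."""
    rows: List[Row] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, ip, status = (field.strip() for field in line.split(","))
        if not DEVICE_RE.match(name):
            raise ValueError(f"unexpected device name: {name!r}")
        rows.append((name, ipaddress.ip_address(ip), status))
    return rows


def misplaced_phones(rows: List[Row],
                     data_subnet: ipaddress.IPv4Network = DATA_SUBNET) -> List[Tuple[str, str]]:
    """Registered phones whose address is in the data subnet, i.e. the ones
    that lost CDP/LLDP-MED and took a lease from the PC pool."""
    return [(name, str(ip)) for name, ip, status in rows
            if status == "Registered" and ip in data_subnet]


def mac_from_device(name: str) -> str:
    """Recover the colon-separated MAC from a SEP device name, useful when
    you then look the phone up in 'show mac address-table' to find its port."""
    match = DEVICE_RE.match(name)
    if match is None:
        raise ValueError(f"not a SEP device name: {name!r}")
    hexstr = match.group(1).lower()
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def report(text: str = REGISTERED_PHONES) -> List[Tuple[str, str, str]]:
    """(device name, MAC, IP) for every phone that must be fixed by hand."""
    return [(name, mac_from_device(name), ip)
            for name, ip in misplaced_phones(parse_registrations(text))]


if __name__ == "__main__":
    for name, mac, ip in report():
        print(f"{name} ({mac}) registered from data subnet as {ip}")
```

Phones that are "Unregistered" are skipped because their last known address is stale; the MAC derived from the device name is what you would feed to the switch to locate the port before re-enabling CDP/LLDP-MED on the phone.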