Block VoIP on Data Vlan

Izac ICT
Level 1

Hello all,

We have a data VLAN and a voice VLAN. All the ports are configured with the "switchport access vlan 10" and "switchport voice vlan 20" commands.

Our problem is that when the provider changes some settings in the auto-provision file, CDP and LLDP are disabled and the phones end up in the DATA VLAN.

How can I block VoIP on the DATA VLAN?

Thank you.

Isac

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Isac,

It is not clear what you would like to achieve.

You describe the problem in the following manner:

>> Our problem is that when the provider changes some settings in the auto-provision file, CDP and LLDP are disabled and the phones end up in the DATA VLAN.
>> How can I block VoIP on the DATA VLAN?

I suppose you mean that the phones' configuration file can be changed, some of them end up with CDP or LLDP-MED disabled, and they land in the data VLAN instead of the voice VLAN for lack of communication via CDP or LLDP-MED.

At this point you ask: >> How can I block VoIP on the DATA VLAN?

 

You can block the VoIP signaling protocols, the VoIP RTP bearer channels, or both.

a) SCCP (Skinny) registration

You would need an ACL with the following statement:

access-list 160 remark deny SCCP from data Vlan
access-list 160 deny tcp 10.10.10.0 0.0.0.255 any eq 2000

b) SIP protocol; it can use UDP or TCP ports 5060 and 5061

access-list 160 remark deny SIP
access-list 160 deny udp 10.10.10.0 0.0.0.255 any eq 5060
access-list 160 deny tcp 10.10.10.0 0.0.0.255 any eq 5060
access-list 160 deny udp 10.10.10.0 0.0.0.255 any eq 5061
access-list 160 deny tcp 10.10.10.0 0.0.0.255 any eq 5061

c) deny RTP; RTP uses UDP 16384 to 32767 by default, and in this case we match on the source port range

access-list 160 remark deny RTP
access-list 160 deny udp 10.10.10.0 0.0.0.255 range 16384 32767 any

! in Cisco ACLs the range uses the first value, and the second value is actually added to the first value to find the highest value

d) permit all other traffic

access-list 160 permit ip 10.10.10.0 0.0.0.255 any

! please note ACL 160 is made of all the statements described in points a) to d)

int vlan 10
 ip access-group 160 in

 

Hope to help

Giuseppe
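An added check, not part of Giuseppe's reply or the thread: a small Python evaluator that applies ACL 160 above to constructed flows with Cisco first-match semantics and the implicit deny (the sample host addresses 10.10.10.50, 10.10.10.60, 10.10.11.1 and 203.0.113.5 are assumed). It shows that SCCP, SIP and RTP-range traffic from 10.10.10.0/24 is denied while other traffic is permitted, and that a PC on the data VLAN sending UDP from a source port inside 16384-32767 is caught by the same RTP line, which is why the ACL cannot single out phones.

```python
# Added example (not from the thread): Cisco extended-ACL evaluator for ACL 160.
import ipaddress

ACL_160 = """
access-list 160 remark deny SCCP from data Vlan
access-list 160 deny tcp 10.10.10.0 0.0.0.255 any eq 2000
access-list 160 remark deny SIP
access-list 160 deny udp 10.10.10.0 0.0.0.255 any eq 5060
access-list 160 deny tcp 10.10.10.0 0.0.0.255 any eq 5060
access-list 160 deny udp 10.10.10.0 0.0.0.255 any eq 5061
access-list 160 deny tcp 10.10.10.0 0.0.0.255 any eq 5061
access-list 160 remark deny RTP
access-list 160 deny udp 10.10.10.0 0.0.0.255 range 16384 32767 any
access-list 160 permit ip 10.10.10.0 0.0.0.255 any
"""

def _addr(tokens):
    """Consume 'any' or 'net wildcard'; a 1 bit in the wildcard is don't-care."""
    if tokens[0] == "any":
        return tokens[1:], lambda ip: True
    net, wild = (int(ipaddress.IPv4Address(x)) for x in tokens[:2])
    return tokens[2:], lambda ip: (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)

def _port(tokens):
    """Consume an optional 'eq N' or 'range LO HI' port operator."""
    if tokens[:1] == ["eq"]:
        return tokens[2:], lambda p, n=int(tokens[1]): p == n
    if tokens[:1] == ["range"]:
        return tokens[3:], lambda p, lo=int(tokens[1]), hi=int(tokens[2]): lo <= p <= hi
    return tokens, lambda p: True

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue  # skip blanks, remarks and anything that is not an ACE
        rest, src = _addr(t[4:])
        rest, sport = _port(rest)
        rest, dst = _addr(rest)
        rest, dport = _port(rest)
        rules.append((t[2], t[3], src, sport, dst, dport))  # action, protocol, matchers
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    for action, rproto, m_src, m_sport, m_dst, m_dport in rules:
        if rproto in ("ip", proto) and m_src(src) and m_sport(sport) and m_dst(dst) and m_dport(dport):
            return action
    return "deny"
```

Run `evaluate(parse_acl(ACL_160), "udp", "10.10.10.60", 20000, "10.10.11.1", 20002)` to see the PC-on-data-VLAN case return "deny".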

 

Hello Giuseppe,

Thank you for your message. Phones are getting IPs from one pool (10.10.11.0/24) and PCs are getting IPs from a different pool (10.10.10.0/24). After CDP and LLDP are disabled, the phones are getting IPs from the data pool (10.10.10.0/24). Additionally, PCs are using programs like Skype and I don't want to block them.

Do you think it can be blocked somehow?

Thanks.

Isac

Hello Isac,

>> After CDP and LLDP are disabled, the phones are getting IPs from the data pool (10.10.10.0/24). Additionally, PCs are using programs like Skype and I don't want to block them.
>> Do you think it can be blocked somehow?

No, it is not possible to block only the IP phones that are in the wrong IP subnet, the data subnet 10.10.10.0/24.

If the phones are able to register to the IP PABX, you need to monitor the IP addresses of all phones and extract a list of the IP phones with an IP address in 10.10.10.x/24.

At that point you can try to access each IP phone, enable CDP / LLDP-MED manually and make them reboot.

 

Hope to help

Giuseppe
