Extended ACL Trunk SIP

abtt-39
Level 1

Hello,


I want to create an extended ACL on an L3 switch and apply this ACL to VLANs (SVIs), for telephony over a SIP trunk.
I have VLAN 93, 10.39.93.0/24. Our internal SBC VMs (Avaya) are on this VLAN.
The switch port that is connected to the SIP ISP router is on VLAN 92 (10.39.92.0/24).

I provided my ISP with 3 IPs from VLAN 92: 10.39.92.100 and .200, and a VRRP IP (10.39.92.222), which they configured on the LAN interfaces of their 2 routers (primary and standby).

The ISP link for the SIP trunk is a dedicated MPLS link, used only for telephony.

I'm not very comfortable with ACLs.


show ip access-lists SIP-ToIP
Extended IP access list SIP-ToIP
permit udp 10.39.92.0 0.0.0.255 10.39.93.0 0.0.0.255 eq 5060
permit udp 10.39.92.0 0.0.0.255 10.39.93.0 0.0.0.255 eq 5061
permit udp 10.39.93.0 0.0.0.255 10.39.92.0 0.0.0.255 eq 5060
permit udp 10.39.93.0 0.0.0.255 10.39.92.0 0.0.0.255 eq 5061
permit udp 10.39.92.0 0.0.0.255 109.0.103.0 0.0.0.127 eq 5060
permit udp 109.0.X.0 0.0.0.127 eq 5060 10.39.92.0 0.0.0.255 ==>103.0.x = ISP SBC
permit udp 10.39.92.0 0.0.0.255 109.0.X.0 0.0.0.127 eq 5061 ==>
permit udp 109.0.X.0 0.0.0.127 eq 5061 10.39.92.0 0.0.0.255
permit udp 10.39.92.0 0.0.0.255 host 10.39.1.15 eq snmp ==>for supervision
permit udp host 10.39.1.15 eq snmp 10.39.92.0 0.0.0.255 ==>For supervision
permit udp 10.39.92.0 0.0.0.255 host 10.39.1.4 eq snmp ==>For supervision
permit udp host 10.39.1.4 eq snmp 10.39.92.0 0.0.0.255 ==>For supervision
deny ip any any


I then applied to the vlan 92 interface:
ip access-group SIP-ToIP out
ip access-group SIP-ToIP in

If I do that and test from my IP phone: when I call someone, I hear the person, but they don't hear me.

If I remove the ACL, there is no problem (inter-VLAN routing is active).

Several questions:
Should I also allow RTP in the ACL? (In the prerequisites, the ISP talks about allowing SIP over UDP,
but I have very little information from them.)

I applied the ACL both IN and OUT on the same VLAN, because I saw someone on Google doing that. Is this something that is done?

5 Replies

One little trick does the job.
Do:

deny ip any any log

See which UDP port is dropped by the ACL,
add that UDP port to the permit lines and the issue will be solved.

MHM

Hello,

Thanks.

I enabled logging and I get this:


Jul 3 16:28:17.844 MET-DST: %SEC-6-IPACCESSLOGP: list SIP-TOIP denied udp 10.39.92.120(10298) -> 109.0.103.20(51128), 1 packet
Jul 3 16:28:22.778 MET-DST: %SEC-6-IPACCESSLOGP: list SIP-TOIP denied udp 10.39.92.120(10299) -> 109.0.103.20(51129), 1 packet

I modified my ACL:

permit udp 10.39.92.0 0.0.0.255 10.39.93.0 0.0.0.255 eq 5060
permit udp 10.39.92.0 0.0.0.255 10.39.93.0 0.0.0.255 eq 5061
permit udp 10.39.93.0 0.0.0.255 10.39.92.0 0.0.0.255 eq 5060
permit udp 10.39.93.0 0.0.0.255 10.39.92.0 0.0.0.255 eq 5061
permit udp 10.39.92.0 0.0.0.255 109.0.103.0 0.0.0.127 eq 5060
permit udp 109.0.103.0 0.0.0.127 eq 5060 10.39.92.0 0.0.0.255
permit udp 10.39.92.0 0.0.0.255 109.0.103.0 0.0.0.127 eq 5061
permit udp 109.0.103.0 0.0.0.127 eq 5061 10.39.92.0 0.0.0.255
permit udp host 10.39.92.120 host 109.0.103.20
permit udp host 109.0.103.20 host 10.39.92.120
permit udp 10.39.92.0 0.0.0.255 10.39.93.0 0.0.0.255 range 16384 32767
permit udp 10.39.93.0 0.0.0.255 10.39.92.0 0.0.0.255 range 16384 32767
permit udp 10.39.92.0 0.0.0.255 host 10.39.1.15 eq snmp
permit udp host 10.39.1.15 eq snmp 10.39.92.0 0.0.0.255
permit udp 10.39.92.0 0.0.0.255 host 10.39.1.4 eq snmp
permit udp host 10.39.1.4 eq snmp 10.39.92.0 0.0.0.255
deny ip any any log


It looks OK now.

But if I show the logs:

Jul 4 16:23:32.534 MET-DST: %SEC-6-IPACCESSLOGNP: list SIP-TOIP denied 112 10.39.92.100 -> 224.0.0.18, 49 packets
Jul 4 16:29:32.483 MET-DST: %SEC-6-IPACCESSLOGNP: list SIP-TOIP denied 112 10.39.92.100 -> 224.0.0.18, 446 packets

10.39.92.100 = LAN interface of the ISP router 


With or without the ACL, I can't ping 10.39.92.100 from my computer, but I can ping it from my core switch.

My computer is in a different VLAN, without an ACL.

Jul 4 16:23:32.534 MET-DST: %SEC-6-IPACCESSLOGNP: list SIP-TOIP denied 112 10.39.92.100 -> 224.0.0.18, 49 packets
Jul 4 16:29:32.483 MET-DST: %SEC-6-IPACCESSLOGNP: list SIP-TOIP denied 112 10.39.92.100 -> 224.0.0.18, 446 packets

This multicast address 224.0.0.18 is used by VRRP and it must be permitted in the ACL.

Why you can't ping is mostly because you have a triangle topology and you apply the ACL to both VRRP peers.

MHM 

Something like this?

permit 112 host 10.39.92.100 host 224.0.0.18

Scott Leport
Level 7

You do need to add the RTP ports, as that's required for audio. You can do what @MHM Cisco World suggests and log any IP or UDP ports which are being denied by the ACL, but RTP will be on a specific UDP port range. You would be advised to speak to your ISP about which UDP port ranges they require to be open. You may also need to consider opening up the RTP port range used on your SBCs.
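The thread's method (log the implicit deny, read the dropped flow, add a permit) can be checked offline before touching the switch. The script below is an added example, not code from any of the posts: it parses IOS-style extended ACL entries (wildcard masks, `host`/`any`, `eq`/`range` operators, a trailing `log` keyword) and evaluates them first-match-wins, the way the switch does, against flows constructed from the log lines in the second post. ORIGINAL_ACL is the first post's list trimmed to the entries toward the ISP SBC range; FIXED_ACL adds the RTP host pair the poster added after seeing `10298 -> 51128` in the log, and VRRP as IP protocol 112 from both ISP router addresses named in the first post (10.39.92.100 and .200), since either router can be the VRRP master. The protocol-112 entries, the choice to permit RTP only between those two hosts, and the sample flows are this example's assumptions, not the poster's configuration.

```python
"""Added example (not code from this thread): replay the flows seen in the posted log
lines against IOS-style extended ACL entries, first match wins, and report which entry
catches each packet. ACL texts are transcribed from the posts and trimmed; the RTP
and VRRP entries in FIXED_ACL are this example's assumptions, not the poster's config."""
import ipaddress


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """'any' | 'host A' | 'A WILDCARD' at tokens[i] -> ((base, wildcard), next index).
    Wildcard bits set to 1 are don't-care bits, exactly as IOS evaluates them."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip_int(tokens[i + 1]), 0), i + 2
    return (_ip_int(tokens[i]), _ip_int(tokens[i + 1])), i + 2


def _parse_ports(tokens, i):
    """Optional 'eq P' or 'range A B' at tokens[i]; absent means any port (0-65535)."""
    if i < len(tokens) and tokens[i] == "eq":
        return (int(tokens[i + 1]), int(tokens[i + 1])), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return (0, 65535), i


def parse_acl(text):
    """Parse 'permit|deny PROTO SRC [ports] DST [ports] [log]' lines; remarks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tokens, 2)
        sports, i = _parse_ports(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dports, _ = _parse_ports(tokens, i)  # a trailing 'log' keyword is ignored
        rules.append((tokens[0], tokens[1], src, sports, dst, dports, line.strip()))
    return rules


def _addr_match(spec, addr):
    base, wildcard = spec
    return ((_ip_int(addr) ^ base) & (~wildcard & 0xFFFFFFFF)) == 0


def evaluate(acl_text, proto, src, dst, sport=0, dport=0):
    """Return (action, matching entry text); unmatched traffic hits the implicit deny."""
    for action, rproto, rsrc, sports, rdst, dports, text in parse_acl(acl_text):
        if rproto != "ip" and rproto != proto:
            continue
        if not (_addr_match(rsrc, src) and _addr_match(rdst, dst)):
            continue
        # Port operators only exist on tcp/udp entries; 'ip' and '112' carry none.
        if rproto in ("tcp", "udp") and not (
                sports[0] <= sport <= sports[1] and dports[0] <= dport <= dports[1]):
            continue
        return action, text
    return "deny", "implicit deny"


# The poster's first ACL, trimmed to the SIP entries toward the ISP SBC range.
ORIGINAL_ACL = """
permit udp 10.39.92.0 0.0.0.255 109.0.103.0 0.0.0.127 eq 5060
permit udp 109.0.103.0 0.0.0.127 eq 5060 10.39.92.0 0.0.0.255
deny ip any any log
"""

# Same list plus what the log revealed: the RTP host pair and VRRP (IP protocol 112,
# the 'denied 112' in the log) from both ISP routers, since either may be master.
FIXED_ACL = """
permit udp 10.39.92.0 0.0.0.255 109.0.103.0 0.0.0.127 eq 5060
permit udp 109.0.103.0 0.0.0.127 eq 5060 10.39.92.0 0.0.0.255
remark RTP seen in the log: 10.39.92.120(10298) -> 109.0.103.20(51128)
permit udp host 10.39.92.120 host 109.0.103.20
permit udp host 109.0.103.20 host 10.39.92.120
remark VRRP advertisements; protocol 112 takes no port operators (assumed entries)
permit 112 host 10.39.92.100 host 224.0.0.18
permit 112 host 10.39.92.200 host 224.0.0.18
deny ip any any log
"""

# Constructed flows: built from the thread's ACL and log lines, plus one stray packet.
FLOWS = [
    ("SIP signalling", "udp", "10.39.92.120", "109.0.103.20", 5060, 5060),
    ("RTP media", "udp", "10.39.92.120", "109.0.103.20", 10298, 51128),
    ("VRRP advert", "112", "10.39.92.100", "224.0.0.18", 0, 0),
    ("stray DNS", "udp", "10.39.92.120", "8.8.8.8", 40000, 53),
]

if __name__ == "__main__":
    for name, *pkt in FLOWS:
        print(f"{name:15} original={evaluate(ORIGINAL_ACL, *pkt)[0]:6} "
              f"fixed={evaluate(FIXED_ACL, *pkt)[0]:6} via {evaluate(FIXED_ACL, *pkt)[1]}")
```

Running it shows the RTP and VRRP flows landing on `deny ip any any log` under the first list and on their own entries under the second, while the stray DNS packet is still dropped by both. Two caveats worth keeping in mind when reading the result against the thread. The logged RTP source port (10298) is outside the 16384-32767 range the poster later permitted between VLAN 92 and VLAN 93, which is why Scott's advice to confirm the media port range on the Avaya SBC matters; the host-pair entry above sidesteps that only for the ISP leg. And on an SVI, `ip access-group ... in` filters packets arriving from hosts on that VLAN while `out` filters packets the switch forwards toward them, so applying one list in both directions only works because every entry is mirrored; writing one list per direction is easier to reason about and keeps each direction's log lines unambiguous.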
