[cisco-voip] ACLs for voice
Lelio Fulgenzi
lelio at uoguelph.ca
Wed Aug 3 10:29:07 EDT 2011
hmmm, considering this is a key document people use, any chance on getting the folks who produce this tuned? G-sharp maybe? ;)
---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cooking with unix is easy. You just sed it and forget it.
- LFJ (with apologies to Mr. Popeil)
----- Original Message -----
From: "Wes Sisk" <wsisk at cisco.com>
To: "Lelio Fulgenzi" <lelio at uoguelph.ca>
Cc: "cisco-voip (cisco-voip at puck.nether.net)" <cisco-voip at puck.nether.net>
Sent: Wednesday, August 3, 2011 10:07:40 AM
Subject: Re: [cisco-voip] ACLs for voice
Lelio,
It seems the document authors may not be attuned to details of SIP/TCP behavior.
Regards,
Wes
On 8/3/2011 9:39 AM, Lelio Fulgenzi wrote:
Hi Wes,
Just looking over your note and the document I was referring to:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_1_2/CCM_7.1.2PortList.pdf
The document has no mention of the behaviour you point out.
The document seems recent and there are also documents for 8.0 and 8.5, so it seems like it's being maintained.
Any idea why the discrepancy?
----- Original Message -----
From: "Wes Sisk" <wsisk at cisco.com>
To: "Lelio Fulgenzi" <lelio at uoguelph.ca>
Cc: "cisco-voip (cisco-voip at puck.nether.net)" <cisco-voip at puck.nether.net>
Sent: Tuesday, August 2, 2011 4:37:11 PM
Subject: Re: [cisco-voip] ACLs for voice
Most documents are superseded by the port numbers built into the platform now. Under platform web pages show->ip preferences.
This lists each service, port numbers, and peer device.
For SIP trunks the port usage is somewhat configurable. For SIP line side it is:
Phone initiates TCP session from TCP port 49499 to CUCM port 5060.
Phone sends register and proceeds as expected.
Another endpoint initiates a call to CUCM that is routed to this phone. CUCM attempts to initiate a TCP session from a CUCM ephemeral port to this phone on port 49499.
You're not going to be able to do an ACL for SIP traffic other than permit all for sessions initiated from CUCM ephemeral port range toward the end points.
Regards,
Wes
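Wes's point about CUCM-initiated sessions, as an added example that is not part of this thread: a small Python model of the three TCP segments he describes, checked against a voice VLAN ACL that relies on 'established' alone and against the same ACL with the extra permit for sessions from the CUCM ephemeral range toward the phones. The addresses, subnets and the CUCM ephemeral port range are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

PHONE, CUCM = "10.1.10.25", "10.1.1.10"          # constructed sample addresses
VOICE_VLAN, SERVER_NET = "10.1.10.0/24", "10.1.1.0/24"
ANY = range(0, 65536)
CUCM_EPHEMERAL = range(32768, 61001)             # assumed range, not from the thread

@dataclass(frozen=True)
class Entry:
    """One permit line of an extended ACL; an implicit deny follows the list."""
    src: str
    sport: range
    dst: str
    dport: range
    established: bool = False

    def matches(self, src, sport, dst, dport, syn_only):
        # 'established' matches only segments with ACK/RST set, never a bare SYN
        if self.established and syn_only:
            return False
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and sport in self.sport and dport in self.dport)

def permitted(acl, pkt):
    return any(entry.matches(*pkt) for entry in acl)

# The three segments from Wes's description: (src, sport, dst, dport, syn_only)
FLOWS = {
    "phone:49499 -> CUCM:5060, new session (SYN)": (PHONE, 49499, CUCM, 5060, True),
    "CUCM:5060 -> phone:49499, reply on that session": (CUCM, 5060, PHONE, 49499, False),
    "CUCM ephemeral -> phone:49499, new session (SYN)": (CUCM, 40000, PHONE, 49499, True),
}

# ACL as the port document suggests: phones reach 5060, servers get 'established' back
ESTABLISHED_ONLY = [
    Entry(VOICE_VLAN, ANY, SERVER_NET, range(5060, 5061)),
    Entry(SERVER_NET, ANY, VOICE_VLAN, ANY, established=True),
]
# Same ACL plus the permit Wes says is needed for CUCM-initiated sessions
WITH_CUCM_INITIATED = ESTABLISHED_ONLY + [
    Entry(SERVER_NET, CUCM_EPHEMERAL, VOICE_VLAN, range(49499, 49500)),
]

def check(acl):
    """Map each flow name to whether the ACL permits that segment."""
    return {name: permitted(acl, pkt) for name, pkt in FLOWS.items()}
```

Running `check(ESTABLISHED_ONLY)` shows the CUCM-initiated SYN toward the phone being dropped, which is exactly the call-setup failure the thread is about.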
On 8/2/2011 4:04 PM, Lelio Fulgenzi wrote:
As mentioned in a previous thread, I'm updating our voice VLAN ACLs. I'm using 'established' entries to help out, but I'm going to assume many of the protocols are two way, so I'd like to include those where possible.
In reading the documentation, some of the requirements show what I'm pretty sure is a one way connection, i.e. Phone -> Unified CM = 2000/TCP. I take this to mean the phone picks a random TCP port and communicates to the Unified CM on port 2000 from this random port.
Others show Phone -> Unified CM = 5060/TCP,UDP and the opposite, Unified CM -> Phone = 5060/TCP,UDP.
Does this mean that the phone talks to Unified CM using port 5060 to port 5060, -or- does it mean that the phone picks a random port to talk to the Unified CM port 5060 and sometimes the Unified CM picks a random port to talk to the Phone's 5060 port?
Those are two different things, in my opinion.
Thoughts?
Lelio
_______________________________________________
cisco-voip mailing list cisco-voip at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip