[cisco-voip] ACLs for voice

Wes Sisk wsisk at cisco.com
Wed Aug 3 10:37:18 EDT 2011


WIP.  You too can submit feedback on the document on the left hand side:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/8_6_1/portlist861.html

Regards,
Wes

On 8/3/2011 10:29 AM, Lelio Fulgenzi wrote:
> hmmm, considering this is a key document people use, any chance on 
> getting the folks who produce this tuned? G-sharp maybe? ;)
>
> ---
> Lelio Fulgenzi, B.A.
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Cooking with unix is easy. You just sed it and forget it.
>                               - LFJ (with apologies to Mr. Popeil)
>
>
> ------------------------------------------------------------------------
> *From: *"Wes Sisk" <wsisk at cisco.com>
> *To: *"Lelio Fulgenzi" <lelio at uoguelph.ca>
> *Cc: *"cisco-voip (cisco-voip at puck.nether.net)" 
> <cisco-voip at puck.nether.net>
> *Sent: *Wednesday, August 3, 2011 10:07:40 AM
> *Subject: *Re: [cisco-voip] ACLs for voice
>
> Lelio,
>
> It seems the document authors may not be attuned to details of SIP/TCP 
> behavior.
>
> Regards,
> Wes
>
> On 8/3/2011 9:39 AM, Lelio Fulgenzi wrote:
>
>     Hi Wes,
>
>     Just looking over your note and the document I was referring to:
>
>     http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_1_2/CCM_7.1.2PortList.pdf
>
>     The document has no mention of the behaviour you point out.
>
>     The document seems recent and there are also documents for 8.0 and
>     8.5, so it seems like it's being maintained.
>
>     Any idea why the discrepancy?
>
>     ------------------------------------------------------------------------
>     *From: *"Wes Sisk" <wsisk at cisco.com>
>     *To: *"Lelio Fulgenzi" <lelio at uoguelph.ca>
>     *Cc: *"cisco-voip (cisco-voip at puck.nether.net)"
>     <cisco-voip at puck.nether.net>
>     *Sent: *Tuesday, August 2, 2011 4:37:11 PM
>     *Subject: *Re: [cisco-voip] ACLs for voice
>
>     Most documents are superseded by the port numbers built into the
>     platform now. Under platform web pages show->ip preferences.
>
>     This lists each service, port numbers, and peer device.
>
>     For SIP trunks the port usage is somewhat configurable. For SIP
>     line side it is:
>
>     Phone initiates TCP session from TCP port 49499 to CUCM port 5060.
>     Phone sends register and proceeds as expected.
>     Another endpoint initiates a call to CUCM that is routed to this
>     phone.  CUCM attempts to initiate a TCP session from a CUCM
>     ephemeral port to this phone on port 49499.
>
>     You're not going to be able to do an ACL for SIP traffic other
>     than permit all for sessions initiated from CUCM ephemeral port
>     range toward the end points.
>
>     Regards,
>     Wes
>
>     On 8/2/2011 4:04 PM, Lelio Fulgenzi wrote:
>
>         As mentioned in a previous thread, I'm updating our voice VLAN
>         ACLs. I'm using 'established' entries to help out, but I'm
>         going to assume many of the protocols are two way, so I'd like
>         to include those where possible.
>
>         In reading the documentation, some of the requirements show
>         what I'm pretty sure is a one way connection, i.e. Phone ->
>         Unified CM = 2000/TCP. I take this to mean the phone picks a
>         random TCP port and communicates to the Unified CM on port
>         2000 from this random port.
>
>         Others show Phone -> Unified CM = 5060/TCP,UDP and the
>         opposite, Unified CM -> Phone = 5060/TCP,UDP.
>
>         Does this mean that the phone talks to Unified CM using port
>         5060 to port 5060, -or- does it mean that the phone picks a
>         random port to talk to the Unified CM port 5060 and sometimes
>         the Unified CM picks a random port to talk to the Phone's 5060
>         port?
>
>         They're two different things in my opinion.
>
>         Thoughts?
>
>         Lelio
>
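The SIP line-side behaviour Wes describes (phone opens TCP 49499 -> CUCM 5060 for REGISTER; CUCM later opens a new TCP session from an ephemeral port to the phone's 49499 for an inbound call) is exactly the case an "established"-only ACL misses. The following is an added example, not code from the thread or from Cisco: a small Python model of a Cisco-style extended ACL evaluated on traffic heading from CUCM toward the phone VLAN, run against the three flows the thread discusses (SIP REGISTER reply, SCCP 2000/TCP reply, CUCM-initiated call setup). Ports 5060, 2000 and 49499 come from the thread; the addresses are constructed, and the CUCM ephemeral source-port range is an assumption, since the thread only says "ephemeral".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None means "any port"

# Constructed sample addresses (not from the thread).
CUCM = "10.0.0.10"
PHONES = "10.1.0.0/24"
PHONE = "10.1.0.25"
# Assumed CUCM ephemeral source-port range; the thread only says "ephemeral".
CUCM_EPHEMERAL = (32768, 61000)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry: permit|deny tcp <src> <sports> <dst> <dports> [established]."""
    action: str
    src: str
    sports: PortRange
    dst: str
    dports: PortRange
    established: bool = False

    @staticmethod
    def _in_range(port: int, rng: PortRange) -> bool:
        return rng is None or rng[0] <= port <= rng[1]

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if not (self._in_range(p.sport, self.sports) and self._in_range(p.dport, self.dports)):
            return False
        # 'established' matches only segments with ACK or RST set, so it never
        # matches the opening SYN of a session the far side initiates.
        if self.established and not (p.ack or p.rst):
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def naive_acl() -> List[Ace]:
    """Permits only return traffic of sessions the phones opened to CUCM 5060/2000."""
    return [
        Ace("permit", CUCM, (5060, 5060), PHONES, None, established=True),
        Ace("permit", CUCM, (2000, 2000), PHONES, None, established=True),
    ]


def amended_acl() -> List[Ace]:
    """Adds the entry the thread calls for: sessions CUCM opens from its ephemeral
    range toward the endpoints (restricted here to the phone's SIP port 49499)."""
    return naive_acl() + [
        Ace("permit", CUCM, CUCM_EPHEMERAL, PHONES, (49499, 49499)),
    ]


# Packets in the CUCM -> phone direction, constructed from the thread's description.
FLOWS = {
    # reply within the phone-initiated REGISTER session (phone 49499 -> CUCM 5060)
    "sip_register_reply": Packet(CUCM, 5060, PHONE, 49499, ack=True),
    # reply within the phone-initiated SCCP session (phone random port -> CUCM 2000)
    "sccp_reply": Packet(CUCM, 2000, PHONE, 51234, ack=True),
    # CUCM opening a NEW TCP session to deliver an inbound call to the phone
    "sip_inbound_call_syn": Packet(CUCM, 40000, PHONE, 49499, syn=True),
}


def check_flows(acl: List[Ace]) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("naive", naive_acl()), ("amended", amended_acl())):
        print(label, check_flows(acl))
```

Running it shows the naive ACL passing both replies but dropping the CUCM-initiated SYN, while the amended ACL passes all three; the permit for the CUCM-initiated session has to be an ordinary (non-established) entry, because the opening SYN carries no ACK. Whether to narrow the destination to 49499 or leave it open, as Wes's "permit all" wording suggests, depends on how consistently the phones in a given deployment use that port.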