<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Verdana; font-size: 10pt; color: #000000'>So it looks like the Cisco Jabber client uses an RTP port out of this range as well.<br><br>Considering that we could be using devices other than Cisco phones on our voice VLANs, and who knows, maybe even Cisco phones will change depending on the underlying OS, I'm guessing I'm going to have to change my ACLs to be either of:<br><br>permit udp &lt;network&gt; &lt;mask&gt; range 16384 65535 udp &lt;network&gt; &lt;mask&gt; range 16384 65535<br><br>OR<br><br>permit udp &lt;network&gt; &lt;mask&gt; range 1024 65535 udp &lt;network&gt; &lt;mask&gt; range 1024 65535<br><br><span>I'm a little leery of doing the latter, but if need be, I'll do it.<br><br>What are people's thoughts?<br><br>Lelio<br>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)<br>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>Cooking with unix is easy. You just sed it and forget it.<br> - LFJ (with apologies to Mr. Popeil)<br><br></span><br>
<hr id="zwchr"><b>From: </b>"Lelio Fulgenzi" &lt;lelio@uoguelph.ca&gt;<br><b>To: </b>"Wes Sisk" &lt;wsisk@cisco.com&gt;<br><b>Cc: </b>"Cisco VoIPoE List" &lt;cisco-voip@puck.nether.net&gt;<br><b>Sent: </b>Friday, December 2, 2011 5:34:04 PM<br><b>Subject: </b>Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range<br><br><div style="font-family: Verdana; font-size: 10pt; color: rgb(0, 0, 0);">So how is someone supposed to set up ACLs to protect his voice network if these things don't follow the range outlined in the documents?<br><br>I'm guessing for now I can change my phone ACLs to be:<br><br>out:<br>permit udp &lt;net&gt; &lt;mask&gt; 10.104.0.0 0.0.255.255 range 16384 32767<br><br>in:<br>permit udp 10.104.0.0 0.0.255.255 range 16384 32767 &lt;net&gt; &lt;mask&gt;<br><br>Seems like ACLs are a losing proposition, which isn't easy.<br><br><span><br>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)<br>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>Cooking with unix is easy. You just sed it and forget it.<br> - LFJ (with apologies to Mr. Popeil)<br><br></span><br>
<hr id="zwchr"><b>From: </b>"Wes Sisk" &lt;wsisk@cisco.com&gt;<br><b>To: </b>"Lelio Fulgenzi" &lt;lelio@uoguelph.ca&gt;<br><b>Cc: </b>"Cisco VoIPoE List" &lt;cisco-voip@puck.nether.net&gt;<br><b>Sent: </b>Friday, December 2, 2011 5:24:05 PM<br><b>Subject: </b>Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range<br><br>Only some devices use that port range for RTP. CUCM does not. CIPC does not. IOS does because of the way it allocates port numbers.<div><br></div><div>For anything based on a common OS (Windows/Linux), the socket command does not allow specifying a subset of port numbers. This makes compliance nearly impossible.</div><div><br></div><div>CUE is running on Linux.</div><div><br><div><div>On Dec 2, 2011, at 5:02 PM, Lelio Fulgenzi wrote:</div><br><span><div><div style="font-family: Verdana; font-size: 10pt; color: rgb(0, 0, 0);">So I've got another ACL question.<br><br>When trying to communicate with my CUE module, I get the following error:<br><br>%SEC-6-IPACCESSLOGP: list voice_endpoints_out denied udp cue.ipaddr(32773) -&gt; ipphone.ipaddr(19072), 1 packet<br><br>I'm assuming this is RTP communications, but then why is the source address higher than the advertised range 16384 to 32767?<br><br>I always thought RTP endpoints would only communicate with each other from and to a port within this range.<br><br>Thoughts?<br><br><br><span><br>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)<br>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>Cooking with unix is easy. You just sed it and forget it.<br> - LFJ (with apologies to Mr. Popeil)<br><br></span><br></div>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br></div></span></div><br></div></div></div></body></html>