Cisco Support Community

security on a remote site

We need to extend our internal voice network so that it can be accessed by staff in a remote location where we don't have any administration. Just wondering if any of you guys have any experience locking down the network for voice only, no data at all.

remote site will be using

a Cisco 3750 connected via microwave; please refer to the topology.

Please let me know your ideas; any security implementation on that is appreciated.

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: security on a remote site

Hi there,

Depending on the amount of phones and the amount of switchports, I'd just go for a tight port security setup.

Then only put the voice VLAN ID as both access and voice VLAN. (Or you could go and use 802.1x.)

You could lock it down even further by only opening specific network ports between phones and CUCM by using ACLs on the switch.

Please refer to the following document:

Cisco Unified Communications Manager 7.0 TCP and UDP Port Usage

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf

There's such a document for all major versions of CUCM.

Furthermore, you should lock your switches from physical access if possible. Or at least put some sort of authentication on the local console (sometimes forgotten while only remote access is enabled).

Hope this helps you further.

Cedric
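The lockdown described in the answer above, sketched as a Cisco IOS configuration. This is an added example, not part of the original post. Assumptions: SCCP phones, one phone per port, and placeholder values throughout (VLAN 110, phone subnet 10.10.110.0/24, CUCM/TFTP server 10.1.1.10, interface range, username); take the real port list from the CUCM port usage document for your version.

```cisco
! Constructed placeholders: VLAN 110, 10.10.110.0/24 (phones), 10.1.1.10 (CUCM/TFTP)
vlan 110
 name VOICE
!
! Only the traffic a phone needs; everything else from the port is dropped
ip access-list extended VOICE-ONLY
 remark DHCP requests from phones (assumption: phones use DHCP)
 permit udp any eq bootpc any eq bootps
 remark TFTP request to CUCM
 permit udp 10.10.110.0 0.0.0.255 host 10.1.1.10 eq tftp
 remark TFTP data continues on an ephemeral server port after the first packet
 permit udp 10.10.110.0 0.0.0.255 host 10.1.1.10 gt 1023
 remark SCCP signalling to CUCM (assumption: SCCP phones)
 permit tcp 10.10.110.0 0.0.0.255 host 10.1.1.10 eq 2000
 remark RTP media to other endpoints
 permit udp 10.10.110.0 0.0.0.255 any range 16384 32767
 deny ip any any
!
! Phone-facing ports (placeholder range): voice VLAN only, port security, inbound port ACL
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 110
 switchport voice vlan 110
 switchport port-security
 ! Assumption: one phone per port; tune the limit for your site
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip access-group VOICE-ONLY in
!
! Authenticate the local console as well as remote access
username admin privilege 15 secret <set-a-strong-secret>
line con 0
 login local
 exec-timeout 5 0
```

After applying, `show port-security interface` and `show access-lists VOICE-ONLY` show the learned addresses and ACL hit counts, which helps confirm that phones register and nothing else gets through.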

2 REPLIES
New Member

Re: security on a remote site

If the IP PBX is centrally located, maybe the Cisco ASA Phone Proxy is the solution.

  1. a Cisco IP Phone
  2. an ASA VPN box
  3. an ASA TLS Proxy license (phone proxy comes with 25 licenses to start then you can buy additional licenses.)

http://www.networkworld.com/community/node/42488

Cisco ASA Phone Proxy Configuration

http://angryciscoguy.com/jello/?p=100
