Does anyone know of any concerns, issues, problems, or hidden gotchas that have been experienced with creating a VRF for a VoIP network? What I would actually like to do is place everything (except the media gateways) in a VRF and firewall it. Thus only call signaling, management traffic, and any required database connectivity would have to pass through the firewall. Any thoughts, anyone?
This is certainly doable and I remember the SRND recommending this. However, this will come with its cost as far as management goes since you have a firewall in the mix and all kinds of inspection that happens with it. You can also look at the SRND for Trusted Relay points which will help in maintaining the number of ports you need to open on a firewall for media traversal. Good luck!
Firewalling voice is always a headache. Unfortunately, a lot of signaling protocols are proprietary, like SCCP and MGCP (not really), or just change a lot, or are not completely standardized, like SIP.
The time between a Dev on a VTG group deciding to add a new field to a protocol like SCCP and the corresponding Dev on a Firewall group adding support for that field to its 'Inspection' engine is sometimes months. And the fact that all communications are opened on random dynamic ports between 16K and 32K makes matters worse.
I do think it's a good idea, especially with cybersecurity threats on the rise and toll fraud so prevalent these days. I think SBC and Media relay points are a good way to get everything more in control.
I just wanted to raise some awareness that if you want to go down that path, you do need a solid roll-out and testing plan as things will likely get bizarre a few times.