09-03-2008 02:42 PM - edited 03-06-2019 01:09 AM
We are looking to build up a very tight trusted boundary for different non-Cisco voice hard/soft-phones on the edge of the LAN.
We are trying to use the vendor MAC address together with the voice/UDP/RTP ports in use to classify the "trusted" traffic for EF.
Config could look like:
! Vendor OUI 0080.9f; mask bits set to 1 are wildcard bits
mac access-list extended vendmac
permit 0080.9f00.0000 0000.00ff.ffff any
! RTP media ports used by the vendor
access-list 2250 permit udp any range 32514 32515 any range 32560 32570
! H.323 call control (1720) and the vendor's signalling range
access-list 2226 permit tcp any any eq 1720
access-list 2226 permit tcp any any range 16340 16800
! match-all: a frame must come from the vendor OUI AND use the RTP ports
class-map match-all voice
match access-group name vendmac
match access-group 2250
class-map match-all voice-control
match access-group 2226
class-map match-any best_effort
match access-group 2201
policy-map VoIP
class voice
set dscp ef
class voice-control
set dscp af21
class best_effort
set dscp default
! apply on all access ports
interface range fastethernet0/1 - 48
service-policy input VoIP
Unfortunately, the service-policy VoIP is not being accepted on the switch ports (fa0/1 - 48), since the "class-map match-all voice" contains 2 match statements. (If either of the two match statements is kept as a single entry in the class-map, everything is OK, but then we are losing the relation VendorMac<>used RTP stream to qualify for real voice traffic!!)
-> Is this a bug? Works as designed?
-> Any workaround??
thank you for any input on this
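The intended "match-all" logic from the post (vendor OUI AND RTP port ranges), written out as an added Python check that is not part of the original post. It reproduces the switch's MAC-ACL wildcard semantics and applies them to constructed flow records, so a defender can see which sources use the RTP ports without carrying the vendor OUI; the Flow records, the "suspect" label and the helper names are assumptions made here.

```python
from dataclasses import dataclass

# Values taken from the config in the post
VENDOR_MAC = "0080.9f00.0000"
VENDOR_MASK = "0000.00ff.ffff"   # wildcard mask: 1-bits are don't-care, as in a Cisco MAC ACL
RTP_SRC = range(32514, 32516)    # access-list 2250: "range 32514 32515"
RTP_DST = range(32560, 32571)    # access-list 2250: "range 32560 32570"
H323_CTRL = 1720                 # access-list 2226

def mac_to_int(mac: str) -> int:
    """Accept dotted (0080.9f12.3456), colon or dash notation."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)

def mac_matches(mac: str, pattern: str, wildcard: str) -> bool:
    """Cisco-style MAC ACL entry match: compare only the bits the wildcard leaves as 0."""
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_to_int(mac) & care) == (mac_to_int(pattern) & care)

@dataclass
class Flow:                      # assumed record shape, e.g. from a span/NetFlow export
    src_mac: str
    proto: str
    sport: int
    dport: int

def classify(f: Flow) -> str:
    """Evaluate the policy-map the way the poster intended it to behave."""
    vendor = mac_matches(f.src_mac, VENDOR_MAC, VENDOR_MASK)
    rtp = f.proto == "udp" and f.sport in RTP_SRC and f.dport in RTP_DST
    if vendor and rtp:
        return "ef"              # class voice: both conditions hold
    if f.proto == "tcp" and (f.dport == H323_CTRL or 16340 <= f.dport <= 16800):
        return "af21"            # class voice-control
    if rtp and not vendor:
        return "suspect"         # RTP ports from a non-vendor MAC: a port-only ACL would mark this EF
    return "default"

# Constructed sample flows, not captured from the poster's network
SAMPLE_FLOWS = [
    Flow("0080.9f12.3456", "udp", 32514, 32565),
    Flow("0011.2233.4455", "udp", 32515, 32560),
    Flow("0080.9f12.3456", "tcp", 40000, 1720),
]

def suspect_sources(flows):
    """Source MACs that use the RTP port ranges but fail the vendor OUI check."""
    return sorted({f.src_mac for f in flows if classify(f) == "suspect"})
```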
09-03-2008 09:48 PM
First of all,
the UDP ACL should be like
permit udp any any range 16384 32767
What I suggest you do is only use the UDP ACL
as I mentioned above; thus, you can remark this UDP traffic to EF in the ingress policy on the port.
You don't need the MAC address.
If you look for security issues you can use port security with the max MAC that can be used on any port set to one.
Good luck
If helpful, Rate
09-03-2008 10:14 PM
Dear Rate,
Thanks for replying. We are aware of these port security features.
Unfortunately, we want to correlate the vendor MAC with the UDP/RTP voice stream used by the vendor.
09-03-2008 10:28 PM
But as long as it is not supported,
and I think you don't need it if you are sure the device connected is a phone.
Even in Cisco documentation and SRNDs they use the ACL I sent you to match voice traffic,
or you can match the traffic based on its VLAN.
For example, you have all phones in network 10.1.1.0/24,
so you match all UDP traffic from that network
then mark it as EF.
Anyway, good luck
If helpful, Rate
Marwan