New Member

iphones udp/tcp port number

Hello all:

I am trying to protect a few IP phones connected to a C3550 switch. The following ACL was applied to the VLAN interface of the IP phones:

permit udp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 69
permit udp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 69
permit tcp 172.16.25.10 0.0.0.9 172.17.1.0 0.0.0.255 eq 2000
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 80
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 80
deny ip any any log-input

The problem is that the directory option does not work. Does anyone know what TCP port number is needed for this? I am guessing it is LDAP, but I am not sure if this is correct.

Regards,

Carlos Roque

10 REPLIES
New Member

Re: iphones udp/tcp port number

LDAP uses TCP port 389

hth,

Rob

New Member

Re: iphones udp/tcp port number

Thank you,

I added that port to the ACL.

Carlos Roque

Hall of Fame Super Silver

Re: iphones udp/tcp port number

Refer to this doc for all TCP and UDP ports used by CCM:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801a62b9.shtml

Chris

New Member

Re: iphones udp/tcp port number

Thank you,

I am assuming this applies to CM version 4.x.

Carlos Roque

Hall of Fame Super Silver

Re: iphones udp/tcp port number

Yes, the same ports are used.

Chris

Green

Re: iphones udp/tcp port number

Src or dst LDAP is not used by IP Phones; IP Phones send HTTP requests, and LDAP requests are handled between the Web Server (normally CCM) and the Directory.

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a0080447505.html#wp1043132.

I think the best option here is to follow Cisco's recommendations for securing an IP telephony network.

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/index.htm

I attach a sniffer capture of my IPC accessing Directory services, which may be helpful (check the src port for the HTTP SYN,ACK).

Gonz

Green

Re: iphones udp/tcp port number

Attachment

IPC IP address is:

New Member

Re: iphones udp/tcp port number

I'll check these documents and will follow their recommendations.

I am still having problems with directory access from the IP phones. After applying the ACL, the log shows denied UDP packets from the IP phones with high-range port numbers. That means the phone is using dynamic high UDP port numbers, which the ACL is not allowing.

I am investigating the possibility of using reflexive ACLs.


Regards,

Carlos Roque

Re: iphones udp/tcp port number

The high-numbered UDP ports sound like RTP traffic. When you say the directory access does not work, how far does it get? Does the option show up on the IP phone? If the option doesn't show up, it could be a problem with name resolution and not ACLs.

New Member

Re: iphones udp/tcp port number

DC Directory uses port 8404, and if CallManager is integrated with Active Directory, then port 389 is used.

Check which directory is used by your CallManager and, depending on that, enable the ports.

Lemme know if you have any questions.
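As an added illustration (not code from the thread or from Cisco), a small first-match evaluator for the wildcard-mask ACL posted in the question: it shows which entry a flow hits, why the DC Directory port 8404 named in the last reply and high-numbered UDP ports fall through to the final deny, and which hosts "172.16.25.10 0.0.0.9" actually covers. The sample flows and the UDP port 16384 are constructed values.

```python
import ipaddress
# The ACL text is copied from the question above; everything else is added example code.
ACL_TEXT = """
permit udp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 69
permit udp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 69
permit tcp 172.16.25.10 0.0.0.9 172.17.1.0 0.0.0.255 eq 2000
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 80
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 80
deny ip any any log-input
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok):
    # One Cisco address spec: 'any', 'host A', or 'A WILDCARD' (wildcard bit 1 = don't care)
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, rest = _parse_addr(tok[2:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append((tok[0], tok[1], src, dst, port))   # action, proto, src, dst, dst port
    return rules

def _match(spec, ip):
    base, wild = spec
    keep = ~wild & 0xFFFFFFFF          # bits that must match exactly
    return (_ip(ip) & keep) == (base & keep)

def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """First-match lookup: returns (action, rule index); implicit deny if nothing matches."""
    for i, (action, rproto, src, dst, port) in enumerate(rules):
        if rproto in ("ip", proto) and _match(src, src_ip) and _match(dst, dst_ip) \
                and (port is None or port == dst_port):
            return action, i
    return "deny", None

def covered_hosts(spec, prefix):
    """Every address in prefix that a (base, wildcard) spec matches."""
    return [str(h) for h in ipaddress.IPv4Network(prefix) if _match(spec, str(h))]

RULES = parse_acl(ACL_TEXT)
```

Because 0.0.0.9 is a non-contiguous wildcard, `covered_hosts(RULES[0][2], "172.16.25.0/24")` returns .2, .3, .10 and .11, not just the two phones; `evaluate(RULES, "tcp", "172.16.25.10", "172.17.1.10", 8404)` lands on the explicit deny (index 5), which is the line producing the logged denies.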
