I am trying to secure IP phones on a voice VLAN from the data VLANs. CMs and Unity are on a third VLAN.
I am building ACLs as specific as possible to control the traffic. I have isolated most UDP and TCP ports but I still have problems with dynamic ports with both the Attendant Console and the TFTP transfers.
1- Attendant Console:
From my latest sniffer traces using CCM 3.3.3sr3, I can see several specific ports:
PC to Pub using TCP 1101
PC to Pub/sub using TCP 2748
Sub/Pub to PC using a specified UDP port
The problem comes from another session on a TCP port that seems to be negotiated within the TCP 1101 session. In my traces, the publisher sends a TCP port (ex: XXXX) in the data portion of the TCP 1101 session. Then the console PC initiates a session to PUB with that XXXX as the destination port.
Is there a way to make sure the negotiated port (XXXX) is always the same or at least stays in a given range?
Of course phones issue read requests from some high port to UDP 69. However the TFTP server sends the requested file from some UDP dynamic port to the UDP port that requested the file.
Is there some way of restricting the range of UDP ports used by the TFTP server to send the files?
My third problem may be IPCC express but I haven't had time yet to put the sniffer on it.
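Added example, not part of the original post: a small Python model of the TFTP exchange described above, showing why an ACL that matches only UDP 69 drops the file transfer, and how a filter that tracks each read request can permit just that one transfer. The addresses, ports and names are constructed for illustration; that the phone's acknowledgements go to the server's dynamic port follows standard TFTP (RFC 1350).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TFTP_PORT = 69

@dataclass(frozen=True)
class Pkt:                       # the UDP header fields an ACL can match on
    src: str
    sport: int
    dst: str
    dport: int

def stateless_acl(p, server, voice_net):
    """Port-specific ACL: phone<->server traffic is allowed only if it involves UDP 69."""
    voice = ip_network(voice_net)
    to_srv = ip_address(p.src) in voice and p.dst == server and p.dport == TFTP_PORT
    from_srv = p.src == server and p.sport == TFTP_PORT and ip_address(p.dst) in voice
    return to_srv or from_srv

class TftpPinhole:
    """Stateful filter (hypothetical): a read request opens a pinhole for that transfer only."""
    def __init__(self, server, voice_net):
        self.server, self.voice = server, ip_network(voice_net)
        self.flows = {}          # (phone_ip, phone_port) -> server port (None until first reply)

    def permit(self, p):
        if p.dst == self.server and ip_address(p.src) in self.voice:
            key = (p.src, p.sport)
            if p.dport == TFTP_PORT:             # new request to the well-known port
                self.flows[key] = None
                return True
            return key in self.flows and self.flows[key] == p.dport  # ACK to the chosen port
        if p.src == self.server and (p.dst, p.dport) in self.flows:
            key = (p.dst, p.dport)
            if self.flows[key] is None:          # first reply fixes the server's port
                self.flows[key] = p.sport
            return self.flows[key] == p.sport
        return False

# Constructed sample exchange (addresses and ports are made up)
SERVER, VOICE = "10.1.30.5", "10.1.20.0/24"
EXCHANGE = [
    Pkt("10.1.20.15", 51000, SERVER, 69),       # phone read request
    Pkt(SERVER, 3412, "10.1.20.15", 51000),     # file data from a dynamic server port
    Pkt("10.1.20.15", 51000, SERVER, 3412),     # phone acknowledgement
    Pkt(SERVER, 3412, "10.1.20.15", 51001),     # unsolicited: no request came from this port
]

def compare():
    """Return (stateless verdicts, pinhole verdicts) for the sample exchange."""
    fw = TftpPinhole(SERVER, VOICE)
    return ([stateless_acl(p, SERVER, VOICE) for p in EXCHANGE],
            [fw.permit(p) for p in EXCHANGE])
```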