Hi there,

I am trying to secure IP phones on a voice vlan from the data vlans. CMs and Unity are on a third vlan.

I am building ACLs as specific as possible to control the trafic. I have isolated most UDP and TCP ports but I still have problems with dynamic ports with both the Attendant Console and the TFTP transfers.

1- Attendant Console:

From my latest sniffer traces using CCM 3.3.3sr3, I can see several specific ports:

PC to Pub using TCP 1101

PC to Pub/sub using TCP 2748

Sub/Pub to PC using a specified UDP port

The problem comes from another session on a TCP port that seems to be negociated within the TCP 1101 session. In my traces, the publisher sends a TCP port (ex: XXXX) in the data portion of the TCP 1101 session. Then the console PC initiates a session to PUB with that XXXX as the destination port.

Is there a way to make sure the negociated port (XXXX) is always the same or at least stays in a given range ??

2- TFTP

Of course phone issue read requests from some high port to UDP 69. However the TFTP server sends the requested file from some UDP dynamic port to the UDP port that requested the file.

Is there some way of restricting the range of UDP ports use by the TFTP server to send the files??

My third problem may be IPCC express but I haven't had time yet to put the sniffer on it.

Thanx in advance for your inputs.

Eric