Cisco Support Community
Best Practices to separate voice and Data vlans

Hello all,

I am coming to the community to get some advice on a specific subject.

One of my customers is currently using VLAN access lists to isolate its data from its voice VLAN traffic.

As most of us know, VLAN ACLs are very difficult to deploy and manage at an access-port level that is highly mobile. Because of these management issues they have been looking for a replacement solution consisting of firewalls, but apparently the price of that solution was sky high.

Can someone guide me towards security best practices when it comes to data and voice VLAN traffic isolation, please?

thanks

Regards

T.

8 REPLIES

Re: Best Practices to separate voice and Data vlans

I designed a voice network that was not "trusted" by the data network. What I did was create vVLANs on the access switches, trunked to the distribution, where I had a VRF for the voice traffic. That VRF then connected to a (non-data) network where the voice gateways, call managers, etc. lived. That voice enclave has a firewall between it and the data network. That model was copied at each location. The voice enclave is logically separated from the data network with a firewall controlling access between them.

Hope it helps.
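The design described in the reply above, written out as an added configuration sketch. This is an example added for illustration, not Collins's own configuration or diagram. VLAN IDs (10 data, 110 voice), addresses (10.10.0.0/24 data, 10.110.0.0/24 voice, a /30 toward the firewall, a DHCP server at 10.200.0.10 inside the voice enclave), the VRF name, the route distinguisher and the interface names are all assumptions.

```cisco
! ---- Access switch (Layer 2 only): one access port carries both VLANs ----
! Assumed VLAN IDs: 10 = data, 110 = voice. Interface names are examples.
vlan 10
 name DATA
vlan 110
 name VOICE
!
interface GigabitEthernet0/1
 description IP phone with a PC daisy-chained behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 spanning-tree portfast
!
interface GigabitEthernet0/48
 description uplink to distribution; carry only the VLANs this closet needs
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,110
!
! ---- Distribution switch: the voice VLAN terminates in its own VRF ----
! Assumed addressing: data 10.10.0.0/24 (global table), voice 10.110.0.0/24 (VRF VOICE),
! firewall inside interface 10.255.0.2 on a /30, DHCP server 10.200.0.10 in the enclave.
ip vrf VOICE
 rd 65000:110
!
interface Vlan10
 description data SVI, stays in the global routing table
 ip address 10.10.0.1 255.255.255.0
!
! "ip vrf forwarding" must come before the address: applying it clears any existing one.
interface Vlan110
 description voice SVI, routed only inside VRF VOICE
 ip vrf forwarding VOICE
 ip address 10.110.0.1 255.255.255.0
 ip helper-address 10.200.0.10
!
interface GigabitEthernet1/1
 description routed link to the firewall in front of the voice enclave
 ip vrf forwarding VOICE
 ip address 10.255.0.1 255.255.255.252
!
! VRF VOICE has no route into the global table: its only exit is the firewall,
! so data hosts and phones cannot reach each other without a policy that allows it.
ip route vrf VOICE 0.0.0.0 0.0.0.0 10.255.0.2
```

Check the separation with `show ip route vrf VOICE` (only the voice SVI and the default toward the firewall should appear) and `show ip route` (no 10.110.0.0/24 in the global table). Phones on the same voice VLAN still reach each other at Layer 2 without touching the firewall; anything between a phone and a data host, or between a phone and the call managers, has to pass the firewall policy.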


Re: Best Practices to separate voice and Data vlans

Thanks for the quick reply, Collins.

I was thinking of doing the same kind of thing, but I am afraid of the solution costs (firewalls...) versus simple access lists configured on VLANs.

Would you have an HLD of the solution you have implemented on your network?

Cisco experts,

Are there any existing best practices to secure a Cisco-based IPT network (port security, DHCP snooping, Dynamic ARP Inspection, etc.)?

thanks

T.
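The three access-layer controls named in the question above (port security, DHCP snooping, Dynamic ARP Inspection), as an added example of how they fit together on a Catalyst access switch running IOS. This is illustration added here, not a reply from the thread. VLAN IDs (10 data, 110 voice), interface names and the rate limits are assumptions; the `!` lines are comments and can be pasted along with the commands.

```cisco
! Assumed: VLAN 10 = data, VLAN 110 = voice, Gi0/48 = uplink to the distribution switch.
!
! DHCP snooping builds the IP/MAC/port binding table that DAI checks against.
ip dhcp snooping
ip dhcp snooping vlan 10,110
! Option 82 insertion is on by default; many DHCP servers drop relayed packets that
! carry it with a zero giaddr, so disable it unless the server is set up to expect it.
no ip dhcp snooping information option
!
! Dynamic ARP Inspection: ARP on untrusted ports must match a snooping binding.
! Hosts with static addresses on these VLANs need an "arp access-list" entry, or they lose ARP.
ip arp inspection vlan 10,110
ip arp inspection validate src-mac dst-mac ip
!
! Phone port. Port security: the phone MAC can show up in both VLANs before CDP
! negotiation settles, hence 3 addresses in total but only 1 in the voice VLAN.
! "restrict" drops and logs offending frames instead of err-disabling the phone.
interface GigabitEthernet0/1
 description IP phone with a PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 3
 switchport port-security maximum 1 vlan voice
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ip dhcp snooping limit rate 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink: the only port on which DHCP server replies and ARP from the gateway may arrive.
interface GigabitEthernet0/48
 description uplink to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,110
 ip dhcp snooping trust
 ip arp inspection trust
```

Verify with `show ip dhcp snooping binding` (one entry per phone and per PC), `show ip arp inspection vlan 110` and `show port-security interface GigabitEthernet0/1`. Two caveats worth knowing before rollout: a port with DAI enabled but no binding for a host that has a static address will silently drop that host's ARP, and the default DAI ARP rate limit on untrusted ports is 15 packets per second, above which the port is err-disabled unless `errdisable recovery cause arp-inspection` is configured.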

Re: Best Practices to separate voice and Data vlans

I used a firewall, but there is no reason you can't use an ACL instead. The diagram is pretty detailed; I'll see if I can whip one up for you quickly.
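The ACL alternative mentioned in the reply above, as an added example of what stateless filtering at the voice boundary looks like when the firewall is left out. This is illustration added here, not Collins's configuration. Assumed: data VLAN 10 = 10.10.0.0/24, voice VLAN 110 = 10.110.0.0/24, a remote-site voice VLAN 10.111.0.0/24, and a voice enclave 10.200.0.0/24 with the call manager, TFTP and DHCP server at 10.200.0.10. The ports are the usual Cisco ones (SCCP TCP 2000, SIP 5060, RTP UDP 16384-32767).

```cisco
! Assumed addressing: data 10.10.0.0/24 (Vlan10), voice 10.110.0.0/24 (Vlan110),
! remote-site voice 10.111.0.0/24, enclave 10.200.0.0/24 with CUCM/TFTP/DHCP at 10.200.0.10.
!
! What phones may send; applied inbound on the voice SVI.
ip access-list extended VOICE-FROM-PHONES
 remark DHCP: discover is sourced from 0.0.0.0 to broadcast, renewals are unicast
 permit udp any eq bootpc any eq bootps
 remark TFTP data flows come back from a random server port, so a stateless ACL
 remark cannot pin the server side to 69: allow UDP to the TFTP host as a whole
 permit udp 10.110.0.0 0.0.0.255 host 10.200.0.10
 remark call signalling to CUCM: SCCP and SIP
 permit tcp 10.110.0.0 0.0.0.255 host 10.200.0.10 eq 2000
 permit tcp 10.110.0.0 0.0.0.255 host 10.200.0.10 eq 5060
 remark media to gateways and conference bridges in the enclave
 permit udp 10.110.0.0 0.0.0.255 range 16384 32767 10.200.0.0 0.0.0.255 range 16384 32767
 remark media to phones at other sites, one entry per remote voice subnet
 permit udp 10.110.0.0 0.0.0.255 range 16384 32767 10.111.0.0 0.0.0.255 range 16384 32767
 remark nothing from a phone reaches the data VLAN; log so a rogue host on the voice VLAN shows up
 deny   ip any 10.10.0.0 0.0.0.255 log
 deny   ip any any log
!
! What data hosts may send toward voice space; applied inbound on the data SVI.
ip access-list extended DATA-TO-VOICE
 remark no data host talks to a phone or to the voice enclave directly
 deny   ip 10.10.0.0 0.0.0.255 10.110.0.0 0.0.0.255 log
 deny   ip 10.10.0.0 0.0.0.255 10.200.0.0 0.0.0.255 log
 permit ip any any
!
interface Vlan110
 ip access-group VOICE-FROM-PHONES in
!
interface Vlan10
 ip access-group DATA-TO-VOICE in
```

Two differences from the firewall variant matter in practice. The ACLs are stateless, so the RTP rule has to leave the whole 16384-32767 range open in both directions rather than opening one pinhole per call, and return traffic for anything the phones initiate has to be permitted explicitly on the other side. Phone-to-phone traffic inside one voice VLAN never crosses the SVI and is not filtered at all, which matches the "voice stays inside the enclave" behaviour of the firewall design. Watch the hit counters with `show ip access-lists VOICE-FROM-PHONES` during rollout, and drop the `log` keywords once the policy is settled, since logged denies are punted to the CPU.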

Re: Best Practices to separate voice and Data vlans

Here's the diagram.

Re: Best Practices to separate voice and Data vlans

Also note there is only one firewall, not a firewall per vlan.


Re: Best Practices to separate voice and Data vlans

thanks


Re: Best Practices to separate voice and Data vlans

Hi again Collin,

May I ask you what type of firewall / switches / IOS version you are using for this topology?

Also, is the media traffic going through your firewall if one voice VLAN wants to talk to another voice VLAN?

rgds

Re: Best Practices to separate voice and Data vlans

thomas.fayet wrote:

Hi again Collin,

May I ask you what type of firewall / switches / IOS version you are using for this topology?

Also, is the media traffic going through your firewall if one voice VLAN wants to talk to another voice VLAN?

rgds

Access Switches: 3560

Distro: 4500 or 6500

FW: ASA5510 or Juniper SSG 140 (phasing out the Junipers)

It depends. In the drawing above, no voice traffic would leave the voice enclave until it talks to a remote site. If we add other sites to the drawing, at a minimum call-sig would traverse the firewall and depending on the location of the callers, all voice traffic may cross the firewall. All of that depends on how you have your call managers/vm/voice gateways designed and where the callers are.
