Best Practices to separate voice and Data vlans

thomas.fayet
Level 1

Hello All.

I am coming to the community to get some advice on a specific subject.

One of my customers is actually using VLAN access-lists to isolate its data from its voice VLAN traffic.

As most of us know, VLAN ACLs are very difficult to deploy and manage at an access-port level that is highly mobile. Because of these management issues they have been looking for a replacement solution consisting of firewalls, but apparently the price of the solution was too high in the sky.

Can someone guide me towards security best practices when it comes to data and voice VLAN traffic isolation, please?

thanks

Regards

T.

8 Replies

Collin Clark
VIP Alumni

I designed a voice network that was not "trusted" by the data network. What I did was create vVLANs on the access switches, trunked to the distribution where I had a VRF for the voice traffic. That VRF then connected to a (non-data) network where the voice gateways, call managers, etc. lived. That voice enclave has a firewall between it and the data network. That model was copied at each location. The voice enclave is logically separated from the data network with a firewall controlling access between them.

Hope it helps.

Thanks for the quick reply, Collin.

I was thinking of doing the same kind of thing, but I am afraid of the solution costs (FWs...) versus simple access-lists configured on VLANs.

Would you have an HLD of the solution you have implemented on your network?

Cisco Experts,

Are there any existing best practices to secure a Cisco-based IPT network? (port-security, DHCP snooping, Dynamic ARP Inspection, etc.)

thanks

T.

I used a firewall, but there is no reason you can't use an ACL instead. The diagram is pretty detailed, I'll see if I can whip one up for you quick.

Here's the diagram.

Also note there is only one firewall, not a firewall per vlan.

thanks

Hi again Collin,

May I ask you what type of FW / switches / IOS version you are using for this topology?

Also, is the media traffic going through your FW if one voice VLAN wants to talk to another voice VLAN?

rgds

thomas.fayet wrote:

Hi again Collin,

May I ask you what type of FW / switches / IOS version you are using for this topology?

Also, is the media traffic going through your FW if one voice VLAN wants to talk to another voice VLAN?

rgds

Access Switches: 3560

Distro: 4500 or 6500

FW: ASA5510 or Juniper SSG 140 (phasing out the Junipers)

It depends. In the drawing above, no voice traffic would leave the voice enclave until it talks to a remote site. If we add other sites to the drawing, at a minimum call-sig would traverse the firewall and depending on the location of the callers, all voice traffic may cross the firewall. All of that depends on how you have your call managers/vm/voice gateways designed and where the callers are.
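An added example, not Collin's configuration or anything from his diagram, of how the design he describes and the hardening T. asks about map onto Cisco IOS: voice and data VLANs on the access switch with DHCP snooping, Dynamic ARP Inspection and port-security, and the voice SVI placed in its own VRF at the distribution layer so it reaches the data side only through the firewall (or an ACL). VLAN numbers, interface names and IP addresses are assumed.

```cisco
! --- Access switch (e.g. Catalyst 3560): phone + PC on one port ---
! VLAN numbers, interfaces and addresses in this example are assumed.
vlan 10
 name DATA
vlan 110
 name VOICE
!
! DHCP snooping builds the IP/MAC binding table that DAI validates ARP against
ip dhcp snooping
ip dhcp snooping vlan 10,110
no ip dhcp snooping information option
ip arp inspection vlan 10,110
!
interface GigabitEthernet0/1
 description Phone + PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! two secure MACs: the phone on the voice VLAN, the PC on the data VLAN
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/48
 description Uplink to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,110
 ! DHCP offers and gateway ARP replies arrive here, so the uplink is trusted
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Distribution (4500/6500): voice SVI isolated in a VRF ---
ip vrf VOICE
!
interface Vlan10
 description DATA (global routing table)
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan110
 description VOICE enclave; leaves the VRF only through the firewall
 ip vrf forwarding VOICE
 ip address 10.110.0.1 255.255.255.0
 ip helper-address 10.200.0.10
```

Because the voice SVI sits in a separate VRF, there is no route between the voice and data VLANs on the switch itself, so the only path between them is whatever the firewall (or a router ACL, as Collin notes) explicitly allows.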
