Cisco Support Community
DMVPN FOR VOIP ONLY

Hello,

I want to be sure that only the VoIP traffic can pass through the DMVPN. Can I do some filtering to authorize only the MAC of the FXS or IP phone for passing via my DMVPN?

The goal is to block all attempts to use the DMVPN for passing FTP, SSH or HTTP...

Regards

 

1 REPLY

Authorizing MACs is problematic because the MAC address doesn't leave the subnet of the phone. If you want to make sure that FTP, SSH and HTTP don't cross the DMVPN, you can implement an outgoing ACL that only permits voice-related traffic. Something like this:

ip access-list extended ACL_Phones
 remark SCCP
 permit tcp any any eq 2000
 remark SCCP (Secure)
 permit tcp any any eq 2443
 remark SIP and SIP-TLS
 permit tcp any any range 5060 5061
 remark DHCP
 permit udp any any range 67 68
 remark TFTP
 permit udp any any eq 69
 remark RTP
 permit udp any any gt 1023

That ACL leaves things open for DHCP relays and TFTP configuration should those be handled from a server across the DMVPN, but they can be removed if you don't need them. You'll also need to make allowances for any IP-based routing protocols that you use on the DMVPN.
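An added example (not from the original reply) of the same ACL applied outbound on the spoke's DMVPN tunnel interface, with a routing-protocol allowance and an explicit logged deny so that blocked FTP/SSH/HTTP attempts show up in the logs. The interface name Tunnel0, EIGRP as the routing protocol, and the phones sitting on the LAN behind this router with the call manager across the DMVPN are assumptions; the RTP line is narrowed to the Cisco IP phone default range 16384-32767 instead of every UDP port above 1023.

```cisco
! Added example, not the original poster's or Cisco's configuration.
! Assumptions: phones are behind this spoke, the call manager is across
! the DMVPN, the tunnel is Tunnel0 and EIGRP is the routing protocol.
! Entries are evaluated top down; the first match wins.
ip access-list extended ACL_Phones
 remark Call signalling from the phones towards the call manager
 permit tcp any any eq 2000
 permit tcp any any eq 2443
 permit tcp any any range 5060 5061
 remark Phone provisioning (remove if DHCP and TFTP are served locally)
 permit udp any any range 67 68
 permit udp any any eq 69
 remark RTP media, narrowed to the Cisco IP phone default port range
 permit udp any any range 16384 32767
 remark Routing protocol carried inside the tunnel (EIGRP assumed)
 permit eigrp any any
 remark Everything else (FTP, SSH, HTTP, ...) is dropped and logged
 deny ip any any log
!
interface Tunnel0
 ip access-group ACL_Phones out
!
! Outbound ACLs do not filter packets the router itself originates, so
! the EIGRP line only matters if the same ACL is also applied inbound.
! Verify that voice flows hit the intended lines and watch the deny counter:
!   show ip access-lists ACL_Phones
```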
