how to block VOIP on cisco routers?

my network is being bogged down by "junk"

number one on the hitlist : VOIP phones - anyone got any idea how to block them?

2nd problem is streaming radio, people just chewing up bandwidth the whole day! how to kill those?

any ideas?

Reply to
Jason

Access lists to permit what you consider non-junk perhaps ?

Reply to
John Agosta

We have the same problem with voip boxes...

I'll assume that when you plug in an adapter running H.323, it establishes a nailed up connection to a server, which is why they seem to work behind firewalls. As an outbound connection, you don't need to map ports. (I've seen 5 Linksys/Vonage boxes sitting on a Linksys BEFSX41 with a static on the WAN side, all work fine for both in and outbound).

So... how would you go about blocking H.323 traffic? If not possible, how about blocking the FQDN or IPs of the servers that the major players - Vonage, Packet8, etc - use? (Someone must have a list of the servers). And with SIP (5060) and IAX (4569), can't the ports they use be blocked, cutting off the signalling path?

Ideas? Help?

Thanks in advance Dave

Reply to
Henry Cabot Henhouse III

Yes, let's figure out how to block this: I have the following info, I am going to try and block all these ports mentioned below this weekend, and I'll see what happens

Anyone else feel free to comment

- IAX is not the result of a standards group, rather a collaborative, community based effort
- IAX uses a single UDP port 4569, and thus works well in NAT environments (the obsolete IAX1 protocol used port 5036). IAX uses ONLY one UDP port for both control and data traffic. As outlined in point 4 of the IAX versus SIP topic with IAX you will always have audio if the control connection can be established.

- SIP is a text-based protocol that uses UTF-8 encoding
- SIP uses port 5060 both for UDP and TCP. SIP may use other transports

1718 H.323 RAS (Multicast Discovery)
1719 H.323 RAS (Unicast)
1720 H.323 Call Signaling (TCP)
2099 H.501 Border Element Signaling (H.225.0 Annex G)
2427 MGCP
2517 H.323 Call Signalling (UDP, H.323 Annex E)
2944 H.248
5060 SIP


Reply to
Jason

First question - do you have access to the Internet router or to the firewall? What brand are they? What is your position? Network Administrator?

Another question - is it legal within your company to block any access for your employees? First, you have to define an HR policy within your company which will define that it's prohibited to use IP phones and listen to Internet radio. If your manager or VP decides to listen to some news or make a VoIP call, and it does not work because of your activity - you are in trouble.

And from the practical standpoint - it's really easy to do. For example, if you block TCP port 5060, SIP phones will not work (unless you have a VoIP guru who knows how to change the default port). For streaming audio, most radio works either over port 1755 (Windows Media), or port 554 (Real Media). Sure, you cannot block all possible media players, but blocking these two will cut most of the radio stations.

Good luck,

Mike


Reply to
CiscoHeadsetAdapter.com

yeah we actually lease out t1 access to smaller businesses

what we plan on doing is notifying them that certain T1s are not to be used for VOIP and radio broadcasts and junk like that, and other t1's are going to be used for that, so we are not blocking them per se, just restricting what certain t1's can be used for

can an end user figure out how to change the default port on a VOIP phone like vonage?

if they can, maybe it's better to throttle bandwidth to like 2k/sec instead of blocking port 5060

Reply to
Jason

I am the network admin, with access to the router, in a multi tenant environment. The exclusion of voip devices and anything that can whack bandwidth is expressly forbidden in the lease.

Reply to
Henry Cabot Henhouse III

Are they Cisco phones? If so, block SCCP (TCP 2000)

If not, then block SIP and H.323 (SIP is TCP 5060, and H.323 is 1720).

You may also need to block the media stream, so UDP 16384 to 32768.

Jonathan

Reply to
Jonathan
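
The port numbers posted in this thread, collected into one Cisco IOS extended access list. This is an added example, not part of any poster's reply. The ACL name BLOCK-VOIP-STREAM and the interface FastEthernet0/0 are assumptions (substitute the tenant-facing interface); ports 2099 and 2944 from the list above are left out because the thread does not give their transport.

```cisco
! Added example. ACL name and interface are assumptions, not from the thread.
! Matches on destination port, for traffic entering from the tenant LAN.
ip access-list extended BLOCK-VOIP-STREAM
 remark IAX2 (UDP 4569) and obsolete IAX1 (UDP 5036)
 deny   udp any any eq 4569 log
 deny   udp any any eq 5036 log
 remark SIP signalling, UDP and TCP 5060
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 remark H.323 RAS 1718-1719 (UDP), call signalling 1720 (TCP), Annex E 2517 (UDP)
 deny   udp any any range 1718 1719 log
 deny   tcp any any eq 1720 log
 deny   udp any any eq 2517 log
 remark Cisco SCCP (TCP 2000) and MGCP (UDP 2427)
 deny   tcp any any eq 2000 log
 deny   udp any any eq 2427 log
 remark Media range from the thread; broad, also hits other UDP apps on high ports
 deny   udp any any range 16384 32768
 remark Streaming audio: Windows Media (TCP 1755), Real Media (TCP 554)
 deny   tcp any any eq 1755 log
 deny   tcp any any eq 554 log
 remark Every ACL ends in an implicit deny, so pass everything else explicitly
 permit ip any any
!
interface FastEthernet0/0
 description Tenant-facing LAN (assumed interface name)
 ip access-group BLOCK-VOIP-STREAM in
!
! Verify with per-line hit counters before and after applying:
!   show access-lists BLOCK-VOIP-STREAM
```

The hit counters and `log` entries show which tenants are actually generating this traffic. As noted in the thread, a device moved off its default port will not match these entries.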
