Large Scale VoIP Deployment and ACLs

We are planning a large scale VoIP deployment at our company and we are currently "negotiating" with the info security group over what security measures we need to put into place. They have read the Cisco "SAFE" white paper on IP Telephony deployments, which recommends applying ACLs to block traffic between the data VLANs and the voice VLANs. In a large deployment (over 1000 locations) this seems very impractical because to make a call from one location to another the traffic must pass over the "data" portion of the network. They want us to deploy ACLs at every location that only allow traffic out of the voice VLANs on to the data network if it is going to another voice VLAN (to prevent DoS, hacking of the voice traffic, etc.). With a few sites this would be manageable, but in large deployments this would be a management nightmare! (Every time you add another voice location you would need to update the ACLs at every existing voice location.)

My question is: what is everyone else out there doing? We have excellent security practices and policies in place, IDS, virus protection software on every computer, and I think the risk is small. The last time we had a virus outbreak was 3 years ago and it was a very limited outbreak. (The only systems infected were those that were found not to have had virus protection software installed, about 1% of the computers. This has subsequently been corrected.) The virus was detected very early by the IDSs and was eradicated in a few days. What are other companies out there doing in large scale VoIP deployments?




Hi Scott,

You may wish to investigate Cisco's Voice Success Stories.

Brad Reese
BradReese.Com® Cisco Resource Center
Toll Free: 877-549-2680
International: 828-277-7272
Website:


This doesn't prevent DoS - anyone who can spoof the address to get past your ACLs can send packets into the voice domain - but it does take local knowledge and customisation so isn't an issue for a generic worm or virus.

I think that this may be fixable - if you have the ability to plan the address space.

If all voice subnets come from a single block of space, then you can use a single simple ACL to limit access at each point. And if you have some spare space then you won't need to alter ACLs later when more voice subnets get implemented.

The drawback is that if you already try to minimise the number of IP routes, then this technique will expand the number of subnets in routing tables throughout your network - but that is surely why Cisco keeps increasing the default RAM in their boxes? :)

I designed a campus about 2 years back where we planned separate address space blocks for voice and data - and it has worked reasonably well. Not sure whether this would be as easy over a WAN though.

stephen
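To make the "single voice block" idea in the reply above concrete, here is an added example (not code from the thread or from Cisco) that models per-site voice-VLAN ACLs as first-match rule lists. All addresses are constructed: `VOICE_BLOCK` (10.200.0.0/16) is an assumed summary block from which every site's voice /24 is carved, and 10.10.0.0/16 stands in for the data network. The model shows that a site's ACL needs one permit line that never changes when a new voice site is added, contrasts that with the per-site enumeration the original poster was worried about, and reproduces the caveat in the reply: a packet whose source address is spoofed to fall inside the voice block still passes the inbound filter.

```python
"""Model of per-site voice-VLAN ACLs built from one summarized voice block.

Constructed example: addresses, site numbering and the simplified
first-match evaluation are assumptions for illustration, not a vendor's
ACL semantics. Only source/destination prefixes are modelled; ports and
protocols are ignored.
"""
import ipaddress
from dataclasses import dataclass

# Assumed summary block: every site's voice subnet is carved from here.
VOICE_BLOCK = ipaddress.ip_network("10.200.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network  # matching source prefix
    dst: ipaddress.IPv4Network  # matching destination prefix


def allocate_site_voice_subnet(site_index, prefixlen=24):
    """Carve the site_index-th /prefixlen subnet out of VOICE_BLOCK."""
    return list(VOICE_BLOCK.subnets(new_prefix=prefixlen))[site_index]


def site_voice_acls(site_subnet):
    """Outbound and inbound ACLs for one site's voice VLAN.

    Outbound: the site's phones may only talk to the voice block.
    Inbound:  only sources inside the voice block may reach the phones.
    Neither list mentions any other individual site, so adding a site
    that draws its subnet from VOICE_BLOCK requires no ACL change here.
    """
    return {
        "out": [AclEntry("permit", site_subnet, VOICE_BLOCK),
                AclEntry("deny", ANY, ANY)],
        "in": [AclEntry("permit", VOICE_BLOCK, site_subnet),
               AclEntry("deny", ANY, ANY)],
    }


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation with an implicit deny at the end."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.action
    return "deny"


def acl_updates_when_adding_site(existing_sites, summarized):
    """Number of existing sites whose ACL must be edited for one new site.

    Per-site enumeration (the design the poster was asked to deploy) touches
    every existing site; the summarized block touches none.
    """
    return 0 if summarized else existing_sites


if __name__ == "__main__":
    site0 = allocate_site_voice_subnet(0)
    acls = site_voice_acls(site0)
    print("site 0 voice subnet:", site0)
    print("phone -> other voice site:",
          evaluate(acls["out"], "10.200.0.10", "10.200.37.5"))
    print("phone -> data host:      ",
          evaluate(acls["out"], "10.200.0.10", "10.10.1.5"))
    print("data host -> phone:      ",
          evaluate(acls["in"], "10.10.1.5", "10.200.0.10"))
    print("spoofed voice src -> phone:",
          evaluate(acls["in"], "10.200.250.1", "10.200.0.10"))
    print("ACLs to edit for site 1001 (enumerated / summarized):",
          acl_updates_when_adding_site(1000, False),
          acl_updates_when_adding_site(1000, True))
```

The last check is the point the reply makes about DoS: the filter decides on the source prefix alone, so anything that can put a voice-block source address on the wire from the data side passes the inbound rule. Unicast RPF or ingress filtering on the data VLANs is the usual complement to this design; the ACL by itself only stops traffic that does not bother to lie about where it came from.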