本文转自:http://xrmjjz.blog.51cto.com/3689370/683556

Cisco IP Phone 初始化过程抓包分析:

1.初始初期的一些二层流量 (PVSTP EAP CDP)

 

2.DHCP流量

 

3.TFTP流量:

 

4.SCCP (Skinny流量)

 

5.通话阶段的RTP:

 

穿越ASA防火墙处理(由低到高):

************************普通IP Phone需要放的流量*************************

access-list out extended permit udp any host CallCenter地址 eq bootps (DHCP)
access-list out extended permit udp any host CallCenter地址 eq tftp (TFTP)
access-list out extended permit tcp any host CallCenter地址 eq 2000 (Skinny)

************************软电话测试需要额外放行的流量**********************
access-list out extended permit tcp any host CallCenter地址 eq 6970
access-list out extended permit tcp any host CallCenter地址 eq 8080

注意需要监控的协议:

policy-map global_policy
class inspection_default
inspect skinny

inspect tftp

注意:监控的好处就在于不用放行RTP流量,RTP的端口范围很大,如果要放行会有很大的安全漏洞

如果要放行RTP,可以使用如下ACL:

permit udp any any range 16384 32767

穿越IOS防火墙(CBAC)处理:

ip inspect name gz.voice tftp
ip inspect name gz.voice skinny

ip access-list extended PermitOnlyVoiceTraffic
permit udp object-group Voice.IP host CallCenter地址 eq tftp
permit tcp object-group Voice.IP host CallCenter地址 eq 2000
permit tcp object-group Voice.IP host CallCenter地址 eq 6970

ip access-list extended deny.any.traffic
deny ip any any

interface Virtual-Template100 type tunnel
description For-Voice-Traffic
ip unnumbered Loopback0
ip access-group PermitOnlyVoiceTraffic in
ip access-group deny.any.traffic out