Cisco IP Phone initialization: packet capture analysis
1. Some initial layer-2 traffic (PVSTP, EAP, CDP)
[capture screenshot: http://blog.51cto.com/attachment/201110/152805574.jpg]
2. DHCP traffic
[capture screenshot: http://blog.51cto.com/attachment/201110/152816396.jpg]
3. TFTP traffic:
[capture screenshot: http://blog.51cto.com/attachment/201110/152827249.jpg]
4. SCCP (Skinny) traffic
[capture screenshot: http://blog.51cto.com/attachment/201110/152837414.jpg]
5. RTP during the call:
[capture screenshot: http://blog.51cto.com/attachment/201110/152847388.jpg]
Handling traversal through an ASA firewall (from the lower to the higher security level; "CallCenter位址" below is a placeholder for the call-control server address):
************************ Traffic a normal IP phone needs permitted *************************
access-list out extended permit udp any host CallCenter位址 eq bootps (DHCP)
access-list out extended permit udp any host CallCenter位址 eq tftp (TFTP)
access-list out extended permit tcp any host CallCenter位址 eq 2000 (Skinny)
************************ Additional traffic to permit for softphone testing **********************
access-list out extended permit tcp any host CallCenter位址 eq 6970
access-list out extended permit tcp any host CallCenter位址 eq 8080
Note the protocols that need inspection:
policy-map global_policy
class inspection_default
inspect skinny
inspect tftp
Note: the benefit of inspection is that RTP does not have to be permitted explicitly; the RTP port range is very large, and opening it statically leaves a large security hole.
If RTP must be permitted anyway, an ACL like the following can be used:
permit udp any any range 16384 32767
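The point above, that Skinny inspection opens RTP pinholes dynamically while a static range permit leaves the whole range open, can be checked mechanically. The following audit script is an added example, not part of the original post or any Cisco tool; it parses the ASA access-list and inspect lines shown here and reports the flows the post requires, a broad static RTP permit, and missing inspection. The addresses in the sample configuration are constructed placeholders.

```python
# Constructed ASA configuration fragment used as sample input (hypothetical addresses).
SAMPLE_CONFIG = """\
access-list out extended permit udp any host 192.0.2.10 eq bootps
access-list out extended permit udp any host 192.0.2.10 eq tftp
access-list out extended permit tcp any host 192.0.2.10 eq 2000
access-list out extended permit udp any any range 16384 32767
policy-map global_policy
 class inspection_default
  inspect tftp
"""
NAMED_PORTS = {"bootps": 67, "tftp": 69}
RTP_LOW, RTP_HIGH = 16384, 32767  # range the post would open statically


def parse_acl(line):
    """Parse one extended ACE into (action, proto, dst, low_port, high_port)."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    action, proto, rest, ends = t[3], t[4], t[5:], []
    for _ in range(2):  # source endpoint, then destination endpoint
        if rest[0].startswith("any"):
            ends.append(rest[0]); rest = rest[1:]
        elif rest[0] in ("host", "object-group"):
            ends.append(rest[1]); rest = rest[2:]
        else:  # network address followed by mask
            ends.append(rest[0] + "/" + rest[1]); rest = rest[2:]
    low, high = 0, 65535  # no port qualifier means every port
    if rest[:1] == ["eq"]:
        low = high = NAMED_PORTS.get(rest[1]) or int(rest[1])
    elif rest[:1] == ["range"]:
        low, high = int(rest[1]), int(rest[2])
    return action, proto, ends[1], low, high


def audit(config_text):
    """Check the flows the post permits and flag the static RTP hole."""
    lines = config_text.splitlines()
    aces = [a for a in map(parse_acl, lines) if a]
    inspected = {l.split()[1] for l in lines if l.strip().startswith("inspect ")}
    findings = []
    for proto, port, name in (("udp", 67, "DHCP"), ("udp", 69, "TFTP"), ("tcp", 2000, "SCCP")):
        if not any(a[0] == "permit" and a[1] == proto and a[3] <= port <= a[4] for a in aces):
            findings.append(f"missing permit for {name} ({proto}/{port})")
    for a in aces:  # a broad udp permit covering the RTP range is the hole the post warns about
        if a[0] == "permit" and a[1] == "udp" and a[2].startswith("any") \
                and a[3] <= RTP_LOW and a[4] >= RTP_HIGH:
            findings.append("static RTP permit to any host covers 16384-32767; use inspect skinny instead")
    findings += [f"inspect {p} not enabled" for p in ("skinny", "tftp") if p not in inspected]
    return findings
```

Running audit(SAMPLE_CONFIG) reports the static RTP permit and the missing skinny inspection; removing the range line and adding inspect skinny yields no findings.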
Handling traversal through an IOS firewall (CBAC):
ip inspect name gz.voice tftp
ip inspect name gz.voice skinny
ip access-list extended PermitOnlyVoiceTraffic
permit udp object-group Voice.IP host CallCenter位址 eq tftp
permit tcp object-group Voice.IP host CallCenter位址 eq 2000
permit tcp object-group Voice.IP host CallCenter位址 eq 6970
ip access-list extended deny.any.traffic
deny ip any any
interface Virtual-Template100 type tunnel
description For-Voice-Traffic
ip unnumbered Loopback0
ip access-group PermitOnlyVoiceTraffic in
ip access-group deny.any.traffic out
This article is reposted from the Yeslab教主 51CTO blog; original link: http://blog.51cto.com/xrmjjz/683556