
Cisco IP Phone Traffic Study (Handling Firewall Traversal)

Packet-capture analysis of the Cisco IP Phone boot-up sequence:

1. Some layer-2 traffic at the very start of boot (PVSTP, EAP, CDP)

2. DHCP traffic

3. TFTP traffic (configuration download)

4. SCCP (Skinny) signalling traffic

5. RTP media during the call

Handling traversal of an ASA firewall (low-security to high-security direction):

************************ Traffic that must be permitted for a normal IP phone *************************

! <CallCenter-address> is a placeholder for the call-processing server's address
! DHCP
access-list out extended permit udp any host <CallCenter-address> eq bootps
! TFTP
access-list out extended permit udp any host <CallCenter-address> eq tftp
! Skinny (SCCP)
access-list out extended permit tcp any host <CallCenter-address> eq 2000

************************ Additional traffic that must be permitted for softphone testing **********************

! HTTP-based configuration/firmware download used by softphones
access-list out extended permit tcp any host <CallCenter-address> eq 6970
! HTTP services on the call-processing server
access-list out extended permit tcp any host <CallCenter-address> eq 8080

Protocols that must be inspected:

policy-map global_policy
 class inspection_default
  inspect skinny
  inspect tftp

Note: the advantage of inspection is that RTP traffic does not have to be permitted statically. RTP uses a very wide port range, and permitting the whole range outright opens a large security hole.

If RTP must nevertheless be permitted statically, the following ACL can be used:

access-list out extended permit udp any any range 16384 32767
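As an added illustration (not code from the original post), the following Python model contrasts the static ACEs above with the per-call pinholes that inspect skinny opens; the CallCenter and phone addresses and the simplified rule-evaluation model are constructed assumptions:

```python
# Added model (not the post's own code) of the ASA rule set above: the static ACEs
# versus the per-call pinholes that "inspect skinny" opens. Addresses are constructed.
from collections import namedtuple
CALLCENTER = "203.0.113.10"   # stands in for "<CallCenter-address>" in the post
PHONE = "198.51.100.7"        # one remote phone on the low-security side
PORT_NAMES = {"bootps": 67, "tftp": 69}   # ASA port keywords used in the post
POST_ACL = [
    f"access-list out extended permit udp any host {CALLCENTER} eq bootps",
    f"access-list out extended permit udp any host {CALLCENTER} eq tftp",
    f"access-list out extended permit tcp any host {CALLCENTER} eq 2000",
]
STATIC_RTP = "access-list out extended permit udp any any range 16384 32767"
Ace = namedtuple("Ace", "proto dst lo hi")   # dst is "any" or one host address

def parse_ace(line):
    """Parse the two ACE shapes the post uses: 'permit P any host D eq PORT' and
    'permit P any any range LO HI' (optionally prefixed by 'access-list N extended')."""
    t = line.split()
    i = t.index("permit")
    proto, dst, rest = t[i + 1], "any", t[i + 4:]
    if t[i + 3] == "host":
        dst, rest = t[i + 4], t[i + 5:]
    if rest[0] == "eq":
        port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        return Ace(proto, dst, port, port)
    return Ace(proto, dst, int(rest[1]), int(rest[2]))

class Asa:
    def __init__(self, acl, inspect_skinny=False):
        self.aces = [parse_ace(a) for a in acl]
        self.inspect_skinny = inspect_skinny
        self.pinholes = set()   # (proto, dst, port) opened dynamically by inspection

    def allows(self, proto, dst, port):
        """Low-to-high direction: does this flow pass the ACL or an open pinhole?"""
        if (proto, dst, port) in self.pinholes:
            return True
        return any(a.proto == proto and a.dst in ("any", dst) and a.lo <= port <= a.hi
                   for a in self.aces)

    def on_skinny_open_receive_channel(self, endpoint, rtp_port):
        """Skinny inspection reads the RTP port negotiated in the SCCP signalling and
        opens only that UDP port to that endpoint; without inspection nothing opens."""
        if self.inspect_skinny:
            self.pinholes.add(("udp", endpoint, rtp_port))

def exposed_udp_ports(acl):
    """UDP ports reachable on every host under a rule set (the post's RTP warning)."""
    return sum(a.hi - a.lo + 1 for a in map(parse_ace, acl)
               if a.proto == "udp" and a.dst == "any")
```

With inspection enabled, a call opens exactly one UDP port to one endpoint for its duration; the static range ACE instead exposes all 16384 ports on every host permanently.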

Handling traversal of an IOS firewall (CBAC):

ip inspect name gz.voice tftp
ip inspect name gz.voice skinny
!
! object-group Voice.IP (the phones' addresses) is assumed to be defined elsewhere;
! <CallCenter-address> is a placeholder for the call-processing server's address
ip access-list extended PermitOnlyVoiceTraffic
 permit udp object-group Voice.IP host <CallCenter-address> eq tftp
 permit tcp object-group Voice.IP host <CallCenter-address> eq 2000
 permit tcp object-group Voice.IP host <CallCenter-address> eq 6970
!
ip access-list extended deny.any.traffic
 deny ip any any
!
interface Virtual-Template100 type tunnel
 description For-Voice-Traffic
 ip unnumbered Loopback0
 ip access-group PermitOnlyVoiceTraffic in
 ip access-group deny.any.traffic out
 ! Apply the inspection rule inbound so CBAC opens return paths through the outbound ACL
 ! (this line is not in the original post; without it the gz.voice rule is never used)
 ip inspect gz.voice in

This article is reproduced from the 51CTO blog of Yeslab教主; original link: http://blog.51cto.com/xrmjjz/683556
