Velocity Reviews


One's Too Many 10-24-2006 10:28 PM

VoIP VLAN across router-router link?
 
Can anyone point me to a howto, or other tutorial that might provide
some insight in solving this problem....

Two buildings "A" and "B", each with its own LAN made up of C3750
switches. A 2800 router is at each building and a fiber optic WAN
point-to-point line connects between the two routers. Each building has
its own separate IP address network, and very limited traffic is
allowed to pass across the routers between the two networks. In fact,
all traffic is shut off by ACLs in the routers, except that a limited
number of workstations in building "A" are permitted to access some
applications on a very specific, limited, enumerated set of host
addresses and TCP ports in building "B", and vice versa. Opening up
broad ranges of hosts and/or ports in either router's ACL lists is
strictly forbidden. The dilemma is that there is a desire to install
one Cisco VoIP phone system across the two buildings' LANs as if they
were one single network and one single organization, when they are in
fact two separate organizations on the data network side of things...
the data networks must remain strictly separated except for the limited
amount of individual host-to-host traffic. Is it at all possible to
create a separate voice VLAN that spans both buildings so that the
phones will work seamlessly, while preserving the relative isolation of
the two separate data networks? The Cisco PC apps such as Attendant
Console, video conferencing, etc., would have to work seamlessly from
PCs on the data networks in either building too. It would have to be
so secure also that there would be no possible way at all for an
unauthorized workstation in either building to then be able to
circumvent the routers' ACLs and gain access to any unpermitted host in
the other building. Security of the data networks is of such paramount
importance that even an accidental breach could bring about severe
punishment to the poor schmuck who's in charge of securing the networks.
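
The policy in the post above (host-to-host permits on enumerated TCP ports only, no broad host or port ranges, nothing else crossing the routers) is easy to state and easy to break by accident when a voice VLAN is stretched across the link. The following is an added example, not code from the original thread or from Cisco: a small Python linter that parses the body of an IOS named extended ACL and reports every entry that violates that policy. The ACL name, addresses and ports in SAMPLE_ACL are constructed for illustration; the two entries that model a cross-site voice subnet (10.x.200.0/24 is an assumed voice range) are exactly the ones the checker flags, which is the poster's dilemma in concrete form.

```python
"""
Lint a Cisco IOS named extended ACL body against the policy in the post:
permits must be host-to-host (no wildcard-mask ranges, no "any") with a
single TCP/UDP destination port, and the list must end in an explicit
"deny ip any any log". Constructed illustration; addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample ACL for the building-"B" router, inbound from the
# fiber link. The last two permits model a voice VLAN stretched across
# the routers (10.x.200.0/24 assumed as the voice subnets).
SAMPLE_ACL = """\
ip access-list extended FROM-A-IN
 remark enumerated workstation -> application host/port pairs
 permit tcp host 10.1.10.21 host 10.2.20.5 eq 1433
 permit tcp host 10.1.10.22 host 10.2.20.5 eq 1433
 permit tcp host 10.1.10.21 host 10.2.20.8 eq 443
 permit tcp 10.1.10.0 0.0.0.255 host 10.2.20.9 range 8000 8100
 permit udp host 10.1.200.4 host 10.2.200.7 eq 2000
 permit ip 10.1.200.0 0.0.0.255 10.2.200.0 0.0.0.255
 deny ip any any log
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_ports: Optional[Tuple[int, int]]  # (low, high) or None when absent
    log: bool
    text: str


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)  # invert wildcard mask
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2


def _parse_ports(t: List[str], i: int) -> Tuple[Optional[Tuple[int, int]], int]:
    """Read an optional numeric 'eq N' / 'range A B' operator at t[i]."""
    if i < len(t) and t[i] == "eq":
        p = int(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one ACE: action proto src [sport-op] dst [dport-op] [log]."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    _, i = _parse_ports(t, i)  # a source-port operator is skipped; policy is on dst
    dst, i = _parse_addr(t, i)
    dst_ports, i = _parse_ports(t, i)
    return Ace(action, proto, src, dst, dst_ports, "log" in t[i:], line)


def parse_acl(acl_text: str) -> List[Ace]:
    aces = []
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.split()[0] in ("ip", "remark", "!"):
            continue  # skip the 'ip access-list' header, remarks and comments
        aces.append(parse_ace(line))
    return aces


def lint_acl(acl_text: str) -> List[str]:
    """Return one finding per policy violation; an empty list means compliant."""
    aces = parse_acl(acl_text)
    findings = []
    for a in aces:
        if a.action != "permit":
            continue
        if a.src.prefixlen != 32 or a.dst.prefixlen != 32:
            findings.append(f"broad host range: {a.text}")
        if a.proto not in ("tcp", "udp"):
            findings.append(f"whole-protocol permit, no port restriction: {a.text}")
        elif a.dst_ports is None or a.dst_ports[0] != a.dst_ports[1]:
            findings.append(f"missing or ranged destination port: {a.text}")
    last = aces[-1] if aces else None
    if not (last and last.action == "deny" and last.proto == "ip" and last.log
            and last.src.prefixlen == 0 and last.dst.prefixlen == 0):
        findings.append("last entry is not an explicit 'deny ip any any log'")
    return findings


if __name__ == "__main__":
    for finding in lint_acl(SAMPLE_ACL):
        print("VIOLATION:", finding)
```

Run against SAMPLE_ACL it reports four violations: the /24-to-host entry with a port range (two findings) and the subnet-to-subnet "permit ip" for the voice VLANs (two findings). The point for the auditors in the thread is that a stretched voice VLAN cannot be expressed under this policy without a subnet-wide permit, which is precisely the kind of entry the checker exists to catch; the parser handles only the numeric-port, named-ACL form shown, not every IOS ACE variant.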


Thrill5 10-25-2006 12:53 AM

Re: VoIP VLAN across router-router link?
 


Sounds like you need a PIX in between to enforce the security.

Scott



billyc5022@gmail.com 10-26-2006 01:46 AM

Re: VoIP VLAN across router-router link?
 
In your environment I would use the 3750s instead of the 2800 anyway.
You can move the fiber connections to the 3750, have the networks
separated by a VLAN. This would still be a layer-3 hop, and you could
install ACLs to secure your network. Plus you could have voice VLANs
at each site.





One's Too Many 10-27-2006 09:59 PM

Re: VoIP VLAN across router-router link?
 
Removing the pair of 2800's is not an option. I am mandated to force
all traffic between the two sites' data networks to only be permitted
to flow between the two routers. Bridging the two buildings' 3750
stacks together physically at the hardware level is strictly forbidden
by the policy I must work under. We've pretty much decided that we must
build a separate voice-only network in building "B" and bridge that one
to the combined voice+data network in building "A". We'll simply do
without the Cisco VoIP-related PC apps being able to work
seamlessly on the data network PCs in building "B", unless we can simply
open up a most minimal set of host-to-host address/port ACLs in the
routers to let that traffic through for a select few workstations. Getting
a single phone network working across the 2 buildings is more important
than getting the VoIP-related PC apps to work also at building "B"...
while preserving the critical security of the data network in building
"B". Having a combined voice+data network in building "A" is not a
problem, but keeping B's data network isolated, with the single
egress/ingress point of the router, is about the only way to get past the
security auditing entity which governs my operation, and they have all
but declared VLAN separation to be artificial, make-believe,
software-emulated separation that flunks their security mandates.





Walter Roberson 10-27-2006 10:11 PM

Re: VoIP VLAN across router-router link?
 
In article <1161986378.001459.315140@b28g2000cwb.googlegroups.com>,
One's Too Many <onez2many@yahoo.com> wrote:
>Removing the pair of 2800's is not an option. I am mandated to force
>all traffic between the two sites' data networks to only be permitted
>to flow between the two routers.


> Having a combined voice+data network in building "A" is not a
>problem, but keeping B's data network isolated, with the single
>egress/ingress point of the router, is about the only way to get past the
>security auditing entity which governs my operation, and they have all
>but declared VLAN separation to be artificial, make-believe,
>software-emulated separation that flunks their security mandates.


How would they feel about MPLS? Supported to various degrees on
both the Cisco 2800 series routers and the Cisco Cat 3750 "Metro"
series.

One's Too Many 10-30-2006 06:18 PM

Re: VoIP VLAN across router-router link?
 
Walter Roberson wrote:
> How would they feel about MPLS? Supported to various degrees on
> both the Cisco 2800 series routers and the Cisco Cat 3750 "Metro"
> series.


The security folks had never heard of MPLS, but after showing them
some info on what it was all about, they were surprisingly warm to the idea.
Unfortunately our VoIP integrator/vendor had also never heard of it and
refuses to consider it due to perceived worries about QoS and voice
performance issues and not wanting to be a pioneer with any technology
on this contract. Looks like we're going the separate physical network
way for voice in the security-sensitive building. It really won't add
all that much to the total project cost, just a couple percent in the
big picture, and certainly will provide the best voice network there,
plus keep the data network physically isolated. Sometimes it's just not
worth banging your head against a wall too much to try to save a few
bucks on a big project, eh?


freeNAC 11-01-2006 03:57 PM

Re: VoIP VLAN across router-router link?
 

One's Too Many wrote:
> Looks like we're going the separate physical network
> way for voice in the security-sensitive building. It really won't add
> all that much to the total project cost, just a couple percent in the
> big picture, and certainly will provide the best voice network there,
> plus keep the data network physically isolated. Sometimes it's just not
> worth banging your head against a wall too much to try to save a few
> bucks on a big project, eh?


Agree! :-)
But did you consider the costs of having to maintain the two
networks? Need a new IP phone? Then you need to patch a new socket to
the voice network. Moving the furniture around? Patch and unpatch
again...
This can quickly become an issue...

Probably you will not manage to convince your security/auditors that
VLANs are nice, but if you do, you may want to check
http://www.freenac.net
It allows dynamic VLAN management: you configure all your switches the
same way, and based on the MAC address, you end up in one VLAN or in
another. And you get a free live inventory of all your systems on your
LAN. ;-) (Auditors like this!)

Ok, MAC authentication is not bulletproof (but hey, still better than
nothing), and freenac is currently testing 802.1x integration (with
fallback on MAC auth for non-802.1x-enabled devices. Did I hear IP
phones somewhere?)

Best regards, and good luck with your security staff!

Steph


