how to block VOIP on cisco routers?

Discussion in 'Cisco' started by Jason, Jan 11, 2006.

  1. Jason

    Jason Guest

    my network is being bogged down by "junk"

    number one on the hitlist : VOIP phones - anyone got any idea how to block
    them?

    2nd problem is streaming radio, people just chewing up bandwidth the whole
    day! how to kill those?

    any ideas?
     
    Jason, Jan 11, 2006
    #1

  2. Jason

    John Agosta Guest

    "Jason" <> wrote in message
    news:...
    > my network is being bogged down by "junk"
    >
    > number one on the hitlist : VOIP phones - anyone got any idea how to block
    > them?
    >
    > 2nd problem is streaming radio, people just chewing up bandwidth the whole
    > day! how to kill those?
    >
    > any ideas?
    >
    >
    >


    Access lists to permit what you consider non-junk perhaps ?
     
    John Agosta, Jan 11, 2006
    #2

  3. We have the same problem with voip boxes...

    I'll assume that when you plug in an adapter running H.323, it establishes a
    nailed up connection to a server, which is why they seem to work behind
    firewalls. As an outbound connection, you don't need to map ports. (I've
    seen 5 Linksys/Vonage boxes sitting on a Linksys BEFSX41 with a static on
    the WAN side, all work fine for both in and outbound).

    So... how would you go about blocking H.323 traffic? If not possible, how
    about blocking the FQDN or IPs of the servers that the major players -
    Vonage, Packet8, etc - use? (Someone must have a list of the servers). And
    with SIP (5060) and IAX (4569), can't the ports they use be blocked cutting
    off the signalling path?

    Ideas? Help?

    Thanks in advance
    Dave
     
    Henry Cabot Henhouse III, Jan 11, 2006
    #3
  4. Jason

    Jason Guest

    yes let's figure out how to block this: I have the following info, I am going
    to try and block all these ports mentioned below this weekend, and I'll see
    what happens

    Anyone else feel free to comment







    * IAX is not the result of a standards group, rather a collaborative,
      community based effort
    * IAX uses a single UDP port 4569, and thus works well in NAT environments
      (the obsolete IAX1 protocol used port 5036). IAX uses ONLY one UDP port for
      both control and data traffic. As outlined in point 4 of the IAX versus SIP
      topic with IAX you will always have audio if the control connection can be
      established.

    * SIP is a text-based protocol that uses UTF-8 encoding
    * SIP uses port 5060 both for UDP and TCP. SIP may use other transports


    1718 H.323 RAS (Multicast Discovery)
    1719 H.323 RAS (Unicast)
    1720 H.323 Call Signaling (TCP)
    2099 H.501 Border Element Signaling (H.225.0 Annex G)
    2427 MGCP
    2517 H.323 Call Signalling (UDP, H.323 Annex E)
    2944 H.248
    5060 SIP
     
    Jason, Jan 11, 2006
    #4
  5. "Jason" <> wrote in message
    news:...
    > my network is being bogged down by "junk"
    >
    > number one on the hitlist : VOIP phones - anyone got any idea how to block
    > them?
    >
    > 2nd problem is streaming radio, people just chewing up bandwidth the whole
    > day! how to kill those?
    >
    > any ideas?
    >
    >


    First question - do you have access to the Internet router or to the
    firewall? What brand are they? What is your position? Network Administrator?

    Another question - is it legal within your company to block any access for
    your employees? First, you have to define an HR policy within your company which
    states that it's prohibited to use IP phones and listen to Internet
    radio. If your manager or VP decides to listen to some news or make a VoIP
    call, and it does not work because of your activity - you are in trouble.

    And from the practical standpoint - it's really easy to do. For example, if
    you block TCP port 5060, SIP phones will not work (unless you have a VoIP
    guru who knows how to change the default port). For streaming audio, most radio
    works either over port 1755 (Windows Media) or port 554 (Real Media). Sure,
    you cannot block all possible media players, but blocking these two will
    cut most radio stations.

    Good luck,

    Mike
    www.ciscoheadsetadapter.com
     
    CiscoHeadsetAdapter.com, Jan 11, 2006
    #5
  6. Jason

    Jason Guest

    yeah we actually lease out t1 access to smaller businesses

    what we plan on doing is notifying them that certain T1s are not to be used
    for VOIP and radio broadcasts and junk like that, and other t1's are going
    to be used for that, so we are not blocking them per se, just restricting
    what certain t1's can be used for

    can an end user figure out how to change the default port on a VOIP phone
    like vonage?

    if they can, maybe it's better to throttle bandwidth to like 2k/sec instead of
    blocking port 5060
     
    Jason, Jan 11, 2006
    #6
  7. I am the network admin, with access to the router, in a multi tenant
    environment. The exclusion of voip devices and anything that can whack
    bandwidth is expressly forbidden in the lease.
     
    Henry Cabot Henhouse III, Jan 12, 2006
    #7
  8. Jason

    Jonathan Guest

    "Jason" <> wrote in message
    news:...
    > my network is being bogged down by "junk"
    >
    > number one on the hitlist : VOIP phones - anyone got any idea how to block
    > them?
    >
    > 2nd problem is streaming radio, people just chewing up bandwidth the whole
    > day! how to kill those?
    >
    > any ideas?


    Are they Cisco phones? If so, block SCCP (TCP 2000)

    If not, then block SIP and H.323 (SIP is TCP 5060, and H.323 is 1720).

    You may also need to block the media stream, so UDP 16384 to 32768.



    Jonathan
     
    Jonathan, Jan 29, 2006
    #8
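
An added example, not posted by anyone in this thread: the default ports named across the posts above, collected into one Cisco IOS extended access list and applied inbound on the tenant-facing interface. The ACL name `BLOCK-VOIP-STREAMING` and the interface `FastEthernet0/0` are assumptions; SIP is denied on both UDP and TCP because post #4 notes it uses 5060 on both.

```cisco
! Constructed example: ACL name and interface are placeholders.
ip access-list extended BLOCK-VOIP-STREAMING
 remark --- VoIP signalling, default ports listed in the thread ---
 deny   udp any any eq 5060
 deny   tcp any any eq 5060
 remark IAX2 (control and audio share one UDP port)
 deny   udp any any eq 4569
 remark H.323 RAS, call signalling (TCP) and Annex E (UDP)
 deny   udp any any range 1718 1719
 deny   tcp any any eq 1720
 deny   udp any any eq 2517
 remark Cisco SCCP and MGCP
 deny   tcp any any eq 2000
 deny   udp any any eq 2427
 remark --- Media stream range given in post #8 ---
 deny   udp any any range 16384 32768
 remark --- Streaming audio: Windows Media 1755, Real Media 554 ---
 deny   tcp any any eq 1755
 deny   udp any any eq 1755
 deny   tcp any any eq 554
 remark --- Everything else is still forwarded ---
 permit ip any any
!
interface FastEthernet0/0
 description Tenant-facing LAN (assumed)
 ip access-group BLOCK-VOIP-STREAMING in
```

`show ip access-lists BLOCK-VOIP-STREAMING` prints a match counter per entry, which shows which protocols are actually in use before and after the change. The list only matches default ports, so a device moved to another port passes through, and the wide UDP 16384-32768 entry also drops unrelated traffic that happens to use destination ports in that range.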