VoIP VLAN across router-router link?

Discussion in 'Cisco' started by One's Too Many, Oct 24, 2006.

  1. Can anyone point me to a howto, or other tutorial that might provide
    some insight in solving this problem....

    Two buildings "A" and "B", each with its own LAN made up of C3750
    switches. A 2800 router is at each building and a fiber optic WAN
    point-to-point line connects between the two routers. Each building has
    its own separate IP address network, and very limited traffic is
    allowed to pass across the routers between the two networks. In fact,
    all traffic is shut off by ACLs in the routers except that a limited
    number of workstations in building "A" are permitted to access some
    applications on a very specific limited enumerated set of host
    addresses and TCP ports in building "B" and vice-versa. Opening up
    broad ranges of hosts and/or ports in either router's ACL lists is
    strictly forbidden. The dilemma is that there is a desire to install
    one Cisco VoIP phone system across the two buildings' LANs as if they
    were one single network and one single organization when they are in
    fact two separate organizations on the data network side of things...
    the data networks must remain strictly separated except for the limited
    amount of individual host-to-host traffic. Is it at all possible to
    create a separate voice VLAN that spans both buildings so that the
    phones will work seamlessly, while preserving the relative isolation of
    the two separate data networks? The Cisco PC apps such as Attendant
    Console, video conferencing, etc., would have to work seamlessly from
    PCs on the data networks in either building too. It would have to be
    so secure also, that there would be no possible way at all for an
    unauthorized workstation in either building to then be able to
    circumvent the routers' ACLs and gain access to any unpermitted host in
    the other building. Security of the data networks is of such paramount
    importance that even an accidental breach could bring about severe
    punishment to the poor schmuck who's in charge of securing the networks.
     
    One's Too Many, Oct 24, 2006
    #1

  2. Thrill5 (Guest)

    "One's Too Many" <> wrote in message
    news:...
    > Can anyone point me to a howto, or other tutorial that might provide
    > some insight in solving this problem....
    >
    > Two buildings "A" and "B", each with its own LAN made up of C3750
    > switches. A 2800 router is at each building and a fiber optic WAN
    > point-to-point line connects between the two routers. Each building has
    > its own separate IP address network, and very limited traffic is
    > allowed to pass across the routers between the two networks. In fact,
    > all traffic is shut off by ACLs in the routers except that a limited
    > number of workstations in building "A" are permitted to access some
    > applications on a very specific limited enumerated set of host
    > addresses and TCP ports in building "B" and vice-versa. Opening up
    > broad ranges of hosts and/or ports in either router's ACL lists is
    > strictly forbidden. The dilemma is that there is a desire to install
    > one Cisco VoIP phone system across the two buildings' LANs as if they
    > were one single network and one single organization when they are in
    > fact two separate organizations on the data network side of things...
    > the data networks must remain strictly separated except for the limited
    > amount of individual host-to-host traffic. Is it at all possible to
    > create a separate voice VLAN that spans both buildings so that the
    > phones will work seamlessly, while preserving the relative isolation of
    > the two separate data networks? The Cisco PC apps such as Attendant
    > Console, video conferencing, etc., would have to work seamlessly from
    > PCs on the data networks in either building too. It would have to be
    > so secure also, that there would be no possible way at all for an
    > unauthorized workstation in either building to then be able to
    > circumvent the routers' ACLs and gain access to any unpermitted host in
    > the other building. Security of the data networks is of such paramount
    > importance that even an accidental breach could bring about severe
    > punishment to the poor schmuck who's in charge of securing the networks.
    >

    Sounds like you need a PIX in between to enforce the security.

    Scott
     
    Thrill5, Oct 25, 2006
    #2

  3. Guest

    In your environment I would use the 3750s instead of the 2800 anyway.
    You can move the fiber connections to the 3750 and have the networks
    separated by a VLAN. This would still be a layer-3 hop, so you could
    install ACLs to secure your network. Plus you could have Voice VLANs
    at each site.


    One's Too Many wrote:
    > Can anyone point me to a howto, or other tutorial that might provide
    > some insight in solving this problem....
    >
    > Two buildings "A" and "B", each with its own LAN made up of C3750
    > switches. A 2800 router is at each building and a fiber optic WAN
    > point-to-point line connects between the two routers. Each building has
    > its own separate IP address network, and very limited traffic is
    > allowed to pass across the routers between the two networks. In fact,
    > all traffic is shut off by ACLs in the routers except that a limited
    > number of workstations in building "A" are permitted to access some
    > applications on a very specific limited enumerated set of host
    > addresses and TCP ports in building "B" and vice-versa. Opening up
    > broad ranges of hosts and/or ports in either router's ACL lists is
    > strictly forbidden. The dilemma is that there is a desire to install
    > one Cisco VoIP phone system across the two buildings' LANs as if they
    > were one single network and one single organization when they are in
    > fact two separate organizations on the data network side of things...
    > the data networks must remain strictly separated except for the limited
    > amount of individual host-to-host traffic. Is it at all possible to
    > create a separate voice VLAN that spans both buildings so that the
    > phones will work seamlessly, while preserving the relative isolation of
    > the two separate data networks? The Cisco PC apps such as Attendant
    > Console, video conferencing, etc., would have to work seamlessly from
    > PCs on the data networks in either building too. It would have to be
    > so secure also, that there would be no possible way at all for an
    > unauthorized workstation in either building to then be able to
    > circumvent the routers' ACLs and gain access to any unpermitted host in
    > the other building. Security of the data networks is of such paramount
    > importance that even an accidental breach could bring about severe
    > punishment to the poor schmuck who's in charge of securing the networks.
     
    Guest, Oct 26, 2006
    #3
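    As an added illustration of the VLAN-plus-ACL layout this reply sketches (example configuration written for this page, not config from the thread or any poster): a C3750 access port carrying a data VLAN and a voice VLAN, with an extended ACL on the voice SVI that admits only call control and phone-to-phone media and logs everything else. VLAN numbers, subnets and the call-control address are constructed; the ports are the Cisco defaults (SCCP on TCP 2000, TFTP on UDP 69, RTP on UDP 16384-32767).

    ```cisco
    ! Added example for this thread; VLAN IDs, subnets and 10.1.20.5 are constructed.
    ! Building A data VLAN 10 = 10.1.10.0/24, voice VLAN 20 = 10.1.20.0/24,
    ! building B voice subnet = 10.2.20.0/24, call control = 10.1.20.5.
    vlan 10
     name DATA-A
    vlan 20
     name VOICE-A
    !
    ! Access port: PC untagged on VLAN 10, phone tagged on VLAN 20 (learned via CDP).
    interface GigabitEthernet1/0/1
     description user port - PC + IP phone
     switchport mode access
     switchport access vlan 10
     switchport voice vlan 20
     spanning-tree portfast
    !
    ! Inbound on the voice SVI: this is the layer-3 hop where voice is policed.
    ip access-list extended VOICE-IN
     remark phone config download and call control (SCCP) to the call server only
     permit udp 10.1.20.0 0.0.0.255 host 10.1.20.5 eq 69
     permit tcp 10.1.20.0 0.0.0.255 host 10.1.20.5 eq 2000
     remark media (RTP) to phones in the other building's voice subnet
     permit udp 10.1.20.0 0.0.0.255 10.2.20.0 0.0.0.255 range 16384 32767
     remark explicit, logged denies toward the data networks make audits legible
     deny   ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 log
     deny   ip 10.1.20.0 0.0.0.255 10.2.10.0 0.0.0.255 log
     deny   ip any any log
    !
    interface Vlan20
     description voice gateway; data VLANs are reachable only through VOICE-IN
     ip address 10.1.20.1 255.255.255.0
     ip access-group VOICE-IN in
    ```

    The ACL only governs traffic that leaves VLAN 20 through the SVI; phone-to-phone traffic inside the same VLAN is switched at layer 2 and never hits it, which is also why the "VLAN separation is make-believe" objection in this thread is about the switch fabric rather than the ACL.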
  4. Removing the pair of 2800's is not an option. I am mandated to force
    all traffic between the two sites' data networks to only be permitted
    to flow between the two routers. Bridging the two buildings' 3750
    stacks together physically at the hardware level is strictly forbidden
    by the policy I must work under. We've pretty much decided that we must
    build a separate voice-only network in building "B" and bridge that one
    to the combined voice+data network in building "A". We'll simply do
    without the Cisco VoIP-related PC apps being able to work
    seamlessly on the data network PCs in building "B" unless we can simply
    open up a most minimal set of host-to-host address/port ACLs in the
    routers to let that traffic through for a select few workstations. Getting
    a single phone network working across the 2 buildings is more important
    than getting the VoIP-related PC apps to work also at building "B"...
    while preserving the critical security of the data network in building
    "B". Having a combined voice+data network in building "A" is not a
    problem, but keeping B's data network isolated, with the single
    egress/ingress point of the router, is about the only way to get past the
    security auditing entity which governs my operation, and they have all
    but declared VLAN separation to be artificial, make-believe,
    software-emulated separation that flunks their security mandates.


    wrote:
    > In your environment I would use the 3750s instead of the 2800 anyway.
    > You can move the fiber connections to the 3750 and have the networks
    > separated by a VLAN. This would still be a layer-3 hop, so you could
    > install ACLs to secure your network. Plus you could have Voice VLANs
    > at each site.
    >
    >
    > One's Too Many wrote:
    > > Can anyone point me to a howto, or other tutorial that might provide
    > > some insight in solving this problem....
    > >
    > > Two buildings "A" and "B", each with its own LAN made up of C3750
    > > switches. A 2800 router is at each building and a fiber optic WAN
    > > point-to-point line connects between the two routers. Each building has
    > > its own separate IP address network, and very limited traffic is
    > > allowed to pass across the routers between the two networks. In fact,
    > > all traffic is shut off by ACLs in the routers except that a limited
    > > number of workstations in building "A" are permitted to access some
    > > applications on a very specific limited enumerated set of host
    > > addresses and TCP ports in building "B" and vice-versa. Opening up
    > > broad ranges of hosts and/or ports in either router's ACL lists is
    > > strictly forbidden. The dilemma is that there is a desire to install
    > > one Cisco VoIP phone system across the two buildings' LANs as if they
    > > were one single network and one single organization when they are in
    > > fact two separate organizations on the data network side of things...
    > > the data networks must remain strictly separated except for the limited
    > > amount of individual host-to-host traffic. Is it at all possible to
    > > create a separate voice VLAN that spans both buildings so that the
    > > phones will work seamlessly, while preserving the relative isolation of
    > > the two separate data networks? The Cisco PC apps such as Attendant
    > > Console, video conferencing, etc., would have to work seamlessly from
    > > PCs on the data networks in either building too. It would have to be
    > > so secure also, that there would be no possible way at all for an
    > > unauthorized workstation in either building to then be able to
    > > circumvent the routers' ACLs and gain access to any unpermitted host in
    > > the other building. Security of the data networks is of such paramount
    > > importance that even an accidental breach could bring about severe
    > > punishment to the poor schmuck who's in charge of securing the networks.
     
    One's Too Many, Oct 27, 2006
    #4
  5. In article <>,
    One's Too Many <> wrote:
    >Removing the pair of 2800's is not an option. I am mandated to force
    >all traffic between the two sites' data networks to only be permitted
    >to flow between the two routers.


    > Having a combined voice+data network in building "A" is not a
    >problem, but keeping B's data network isolated, with the single
    >egress/ingress point of the router, is about the only way to get past the
    >security auditing entity which governs my operation, and they have all
    >but declared VLAN separation to be artificial, make-believe,
    >software-emulated separation that flunks their security mandates.


    How would they feel about MPLS? Supported to various degrees on
    both the Cisco 2800 series routers and the Cisco Cat 3750 "Metro"
    series.
     
    Walter Roberson, Oct 27, 2006
    #5
  6. Walter Roberson wrote:
    > How would they feel about MPLS? Supported to various degrees on
    > both the Cisco 2800 series routers and the Cisco Cat 3750 "Metro"
    > series.


    The security folks had never heard of MPLS, but after showing them
    some info on what it was all about, were surprisingly warm to the idea.
    Unfortunately our VoIP integrator/vendor had also never heard of it and
    refuses to consider it due to perceived worries about QoS and voice
    performance issues and not wanting to be a pioneer with any technology
    on this contract. Looks like we're going the separate physical network
    way for voice in the security-sensitive building. It really won't add
    all that much to the total project cost, just a couple percent in the
    big picture, and certainly will provide the best voice network there,
    plus keep the data network physically isolated. Sometimes it's just not
    worth banging your head against a wall too much to try to save a few
    bucks on a big project, eh?
     
    One's Too Many, Oct 30, 2006
    #6
  7. freeNAC (Guest)

    One's Too Many wrote:
    > Looks like we're going the separate physical network
    > way for voice in the security-sensitive building. It really won't add
    > all that much to the total project cost, just a couple percent in the
    > big picture, and certainly will provide the best voice network there,
    > plus keep the data network physically isolated. Sometimes it's just not
    > worth banging your head against a wall too much to try to save a few
    > bucks on a big project, eh?


    Agree! :)
    But did you consider the costs of having to maintain the two
    networks? Need a new IP phone? Then you need to patch a new socket to
    the voice network. Moving the furniture around? Patch and unpatch
    again...
    This can quickly become an issue...

    Probably you will not manage to convince your security/auditors that
    VLANs are nice, but if you do, you may want to check
    http://www.freenac.net
    It allows dynamic VLAN management: you configure all your switches the
    same way, and based on the MAC address, you end up in one VLAN or in
    another. And you get a free live inventory of all your systems on your
    LAN. ;-) (Auditors like this!)

    OK, MAC authentication is not bulletproof (but hey, still better than
    nothing), and freenac is currently testing 802.1x integration (with
    fallback to MAC auth for non-802.1x-enabled devices. Did I hear IP
    phones somewhere?)

    Best regards, and good luck with your security staff!

    Steph
     
    freeNAC, Nov 1, 2006
    #7
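    To show what the "802.1x with fallback to MAC auth for the phones" idea in this reply looks like on the switch side, here is an added example in Cisco IOS syntax (written for this page, not freeNAC's own configuration or anything posted in the thread). The RADIUS server address, shared secret and VLAN numbers are constructed; the RADIUS server is assumed to return the VLAN for each authenticated MAC or 802.1X identity.

    ```cisco
    ! Added example; 10.1.10.9, the key and the VLAN IDs are constructed.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    radius-server host 10.1.10.9 key EXAMPLE-SHARED-SECRET
    dot1x system-auth-control
    !
    interface GigabitEthernet1/0/2
     description user port - 802.1X for the PC, MAB fallback for the phone
     switchport mode access
     switchport access vlan 10
     switchport voice vlan 20
     ! one authenticated host in the data domain, one in the voice domain
     authentication host-mode multi-domain
     ! try 802.1X first; a device that never answers EAP falls back to MAB
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     mab
     dot1x pae authenticator
     ! shorten the EAP retry so a MAB-only phone is not left waiting long
     dot1x timeout tx-period 10
     spanning-tree portfast
    ```

    MAB authorises on a learned MAC, so the voice VLAN assignment it yields is only as strong as the switch's ability to tell a phone from a PC that copies the phone's MAC; that is the "not bulletproof" caveat this reply already makes, and `show authentication sessions` on the switch is where that per-port state is verified.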
