VLAN settings for VoIP networks

From Etel


Problem

Data and voice share the same network segment. This is a problem because anyone on that segment can capture the RTP audio streams with free software and play the calls back. It is also a security problem because it is very easy, from any host on the LAN, to send crafted SIP packets (or packets of any other signalling protocol) to the VoIP PBX.

Solution

You have two solutions: physical separation, or virtual separation. Virtual separation uses the IEEE 802.1Q protocol, which defines virtual LANs (VLANs) by tagging each Ethernet frame with a 12-bit VLAN ID. This is what we are going to set up now. The 12-bit field allows 4096 values, of which 0 and 4095 are reserved, so up to 4094 VLANs can exist on one wired LAN. This is quite sufficient to build a VoIP-specific network. Keep in mind that a VLAN is only as strong as the switch configuration behind it: the tag is just a field in the frame header, and any host whose switch port accepts tagged frames for the voice VLAN can join it.


Discussion

For this kind of infrastructure, we will use the following hardware:

  • any available PC (for tests)
  • a VoIP phone (I am using a SIP-enabled Cisco 7940)
  • a network (for real separation, a switch that understands 802.1Q; see the end of this page)

On the PC, I install CentOS Linux plus Asterisk 1.4 (built from the SVN branch, not installed with yum). For testing purposes I will use VLAN 49, an arbitrary choice.

So, on my CentOS server, I configure a tagged sub-interface eth0.49 on the ethernet card. The interface name encodes the VLAN ID, and the 8021q kernel module must be loaded (modprobe 8021q if ifup does not do it for you).

  • in /etc/sysconfig/network-scripts (the directory the network service reads; /etc/sysconfig/networking/devices is only the copy kept by system-config-network), I add the file ifcfg-eth0.49 with the following content
DEVICE=eth0.49
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.49.1
NETMASK=255.255.255.0
BROADCAST=192.168.49.255
GATEWAY=192.168.49.254
TYPE=Ethernet
VLAN=yes

Notice the last line, VLAN=yes: it tells ifup to create the tagged sub-interface (with vconfig) instead of looking for a physical device called eth0.49. The GATEWAY line installs a default route through the voice VLAN; leave it out if eth0 already carries the server's default gateway, otherwise the two compete. Then restart networking with /etc/init.d/network restart. The output of /sbin/ifconfig eth0.49 should reflect our settings (the sub-interface shares the MAC address of eth0):

eth0.49   Link encap:Ethernet  HWaddr 00:XX:XX:XX:XX:E3  
          inet addr:192.168.49.1  Bcast:192.168.49.255  Mask:255.255.255.0
          inet6 addr: fe80::230:1bff:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:64966 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57237 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:13916507 (13.2 MiB)  TX bytes:15299445 (14.5 MiB)


  • configure Asterisk to listen on the VLAN address only

In /etc/asterisk/sip.conf, set bindaddr=192.168.49.1 in the [general] section.
Set the same bindaddr for the other channel drivers you are using:

  • h323.conf
  • iax.conf
  • mgcp.conf
  • skinny.conf

manager.conf has a bindaddr too. The manager interface (AMI) gives full control of the PBX, so bind it to 127.0.0.1 unless a client on the voice VLAN really needs it; the phones never do.

Then restart Asterisk.

/bin/netstat -anu shows the change: SIP (5060) is now bound to 192.168.49.1 only, while the other UDP services on this machine (here DHCP on 67/68 and TFTP on 69) still listen on 0.0.0.0, that is, on every interface. We restrict those below.

[root@localhost asterisk]# /bin/netstat -anu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
udp        0      0 0.0.0.0:67                  0.0.0.0:*                               
udp        0      0 192.168.49.1:5060           0.0.0.0:*                               
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               
udp        0      0 0.0.0.0:69                  0.0.0.0:*                               


A host outside our VLAN can no longer reach the SIP socket through the server's eth0 address. Two caveats. First, Linux accepts a packet for any of its local addresses on any interface (the weak host model), so a data-LAN host that adds a route to 192.168.49.0/24 via the server's eth0 address can still reach 192.168.49.1:5060; filter that with iptables on the server. Second, the server is now dual-homed, so make sure it does not forward between eth0 and eth0.49 (net.ipv4.ip_forward = 0, or FORWARD rules), or it becomes the bridge between the two networks.

And now the fun part: configuring the boot process of the SIP phone.

To configure the boot process, you need two key components:

  1. a DHCP server, to hand out addresses on your VLAN
  2. a TFTP server, to serve configuration files (and firmware) to your VoIP hardphones

In our test network, let's install both components on the CentOS server: the ISC DHCP server (package dhcp) and tftp-server.

First of all, after installing dhcpd, edit /etc/sysconfig/dhcpd and add

DHCPDARGS=eth0.49

dhcpd now listens on eth0.49 only and will not answer requests arriving on eth0 (or any other interface), so it cannot hand out voice-VLAN addresses to machines on the data LAN.

Then configure dhcpd to serve a range of IP addresses to your phones. Here is my /etc/dhcpd.conf. (If your phones learn the TFTP server from DHCP rather than from a manual setting, add it here too: Cisco phones read it from option 150, from option 66 / tftp-server-name, or from the siaddr field set by next-server.)

ddns-update-style none;
ignore client-updates;
ignore bootp;
authoritative;

subnet 192.168.49.0 netmask 255.255.255.0 {

# --- default gateway
    option routers              192.168.49.254;
    option subnet-mask          255.255.255.0;

    option nis-domain           "your.domain.tld";
    option domain-name          "your.domain.tld";
    option domain-name-servers  192.168.49.1; # the CentOS server, assuming it runs a resolver

    option ntp-servers          192.168.49.1;
# --- my range of IP addresses for my hard phones
# (a plain range, consistent with "ignore bootp" above)
    range 192.168.49.128 192.168.49.253;
    default-lease-time 21600;
    max-lease-time 43200;
}

Enable the TFTP server: in /etc/xinetd.d/tftp, change the line disable = yes to disable = no. To accept TFTP requests from the VLAN only, add bind = 192.168.49.1 at the end of the same section; xinetd then binds the listening socket to that address instead of 0.0.0.0. Remember that TFTP has no authentication at all, and the Cisco SIP configuration files (SIPDefault.cnf and the per-phone SIP<MAC>.cnf) contain the phones' SIP passwords, so anyone who can reach the TFTP server can read them: keep only what the phones need in /tftpboot.
Restart xinetd.

Start your DHCP server now (/etc/init.d/dhcpd start).
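Two of the steps above (binding Asterisk to 192.168.49.1, and binding dhcpd and tftp to the VLAN) call for the same check: is every voice-related UDP service really off the wildcard address, and is the VLAN address unreachable through the data interface? The script below is an added example, not part of the original page: it audits a `netstat -anu` listing for the ports used here and prints the iptables rules that enforce the interface boundary on the server. The interface name eth0.49, the subnet 192.168.49.0/24, the address 192.168.49.1 and the port list are assumptions matching the test network on this page; the netstat listing is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the original page). Audits a `netstat -anu` listing
# for voice services still bound to 0.0.0.0 and emits iptables rules that keep
# the voice subnet reachable only through the tagged interface.
# Assumptions (matching the test network on this page): interface eth0.49,
# subnet 192.168.49.0/24, server address 192.168.49.1.
VOICE_IF=eth0.49
VOICE_NET=192.168.49.0/24
VOICE_ADDR=192.168.49.1
# UDP ports bound on this page: SIP 5060, DHCP server 67, TFTP 69; IAX2 4569
# is watched too in case iax.conf is in use. Port 68 is the server's own DHCP
# client, not a service, so it is deliberately not listed.
VOICE_PORTS="5060 4569 67 69"

# Constructed sample in the format of `netstat -anu` on CentOS (not a capture):
# SIP is already bound to the VLAN address, dhcpd and tftp are not yet.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
udp        0      0 0.0.0.0:67                  0.0.0.0:*
udp        0      0 192.168.49.1:5060           0.0.0.0:*
udp        0      0 0.0.0.0:68                  0.0.0.0:*
udp        0      0 0.0.0.0:69                  0.0.0.0:*'

# wildcard_udp_listeners: read netstat output on stdin, print "<port> <addr>"
# for each watched port whose local address is not $VOICE_ADDR (0.0.0.0, or a
# data-LAN address). No output means every watched port is VLAN-bound.
wildcard_udp_listeners() {
    awk -v ports="$VOICE_PORTS" -v want="$VOICE_ADDR" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "udp" {
            split($4, a, ":")          # "0.0.0.0:67" -> a[1]=addr, a[2]=port
            if ((a[2] in watch) && a[1] != want) print a[2], a[1]
        }'
}

# voice_vlan_rules: print the iptables rules to apply on the server.
# Linux delivers a packet addressed to any local address whatever interface it
# came in on (weak host model), so bindaddr alone does not stop a data-LAN host
# that has a route to the voice subnet. Rule 2 drops such packets unless they
# arrived on the tagged interface; rule 1 keeps loopback working, because tools
# on the server itself reach 192.168.49.1 via lo. Rules 3 and 4 stop the
# dual-homed server from routing between the data LAN and the voice VLAN.
voice_vlan_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i $VOICE_IF -d $VOICE_NET -j DROP
iptables -A FORWARD -i $VOICE_IF -j DROP
iptables -A FORWARD -o $VOICE_IF -j DROP
EOF
}

# Stand-alone run: audit the sample listing, then show the rules.
echo "== UDP services not bound to $VOICE_ADDR =="
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_udp_listeners
echo "== iptables rules =="
voice_vlan_rules
```

On the live server, run `netstat -anu | wildcard_udp_listeners` after each service restart; an empty result means SIP, DHCP and TFTP are all bound to the VLAN address. Apply the rules as root with `voice_vlan_rules | sh`. They are appended with -A, so put them before any blanket ACCEPT already in your INPUT chain, or they never match.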

  • Configure your Cisco IP phone to use VLAN 49 from the menu

Settings -> Network Configuration -> Admin VLAN Id, and enter 49. (Operational VLAN Id takes the value of Admin VLAN Id after the reboot; see the Cisco documentation.)

Then reboot the phone (* + 6 + Settings). The phone now sends its own traffic tagged with VLAN 49, gets its address from our dhcpd and its configuration from our TFTP server, and you configure it exactly the way you did without a VLAN.
This is completely transparent to the phone's SIP configuration.

What we have so far only works on a dumb switch that passes tagged frames unchanged, and it separates nothing: any PC on the LAN can create its own eth0.49 and join the voice VLAN. To achieve real separation, use an 802.1Q-capable switch (almost all managed switches are) and allow VLAN 49 only on the ports that need it: the phone ports (VLAN 49 tagged, plus the untagged data VLAN, since the phone's PC port passes the attached PC's traffic through untagged) and the server port (VLAN 49 tagged for eth0.49, plus the untagged data VLAN for eth0). Every other port must drop frames tagged 49. Check it from a PC on an ordinary data port: after vconfig add eth0 49 and giving eth0.49 an address in 192.168.49.0/24, arping -I eth0.49 192.168.49.1 must get no reply.
