From: ccie2be (ccie2be@nyc.rr.com)
Date: Sat Mar 19 2005 - 11:53:09 GMT-3
Richard,
If you add deny any any to the end of your acl, when you do a show
access-list, you'll see how many packets were matched against the deny any
statement. If you don't include the deny any any, you won't see that even
though there's an implicit deny any any at the end of every acl.
Router# show access-lists 101
Extended IP access list 101
permit tcp host 198.92.32.130 any established (4304 matches) check=5
permit udp host 198.92.32.130 any eq domain (129 matches)
permit icmp host 198.92.32.130 any
permit tcp host 198.92.32.130 host 171.69.2.141 gt 1023
permit tcp host 198.92.32.130 host 171.69.2.135 eq smtp (2 matches)
permit tcp host 198.92.32.130 host 198.92.30.32 eq smtp
permit tcp host 198.92.32.130 host 171.69.108.33 eq smtp
permit udp host 198.92.32.130 host 171.68.225.190 eq syslog
permit udp host 198.92.32.130 host 171.68.225.126 eq syslog
deny ip 150.136.0.0 0.0.255.255 224.0.0.0 15.255.255.255
deny ip 171.68.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (2 matches) check=1
deny ip 172.24.24.0 0.0.1.255 224.0.0.0 15.255.255.255
deny ip 192.82.152.0 0.0.0.255 224.0.0.0 15.255.255.255
deny ip 192.122.173.0 0.0.0.255 224.0.0.0 15.255.255.255
deny ip 192.122.174.0 0.0.0.255 224.0.0.0 15.255.255.255
deny ip 192.135.239.0 0.0.0.255 224.0.0.0 15.255.255.255
deny ip 192.135.240.0 0.0.7.255 224.0.0.0 15.255.255.255
deny ip 192.135.248.0 0.0.3.255 224.0.0.0 15.255.255.255
HTH, Tim
An access list counter counts how many packets are allowed by each line of
the access list. This number is displayed as the number of matches. Check
denotes how many times a packet was compared to the access list but did not
match.
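An added example (not from Tim's post or from Cisco): a small Python parser for the `show access-lists` output format quoted above. It reads the per-entry match and check counters, reports whether the list ends in an explicit `deny ip any any` (so that denied packets are counted at all), and compares two snapshots to show which entries gained matches, which is the check you would make after clearing counters and placing a test call. The sample output is constructed.

```python
import re

# Constructed sample in the same layout as the router output quoted above.
BEFORE = """Extended IP access list 101
    permit tcp host 198.92.32.130 any established (4304 matches) check=5
    permit udp host 198.92.32.130 any eq domain (129 matches)
    permit icmp host 198.92.32.130 any
    deny ip 171.68.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (2 matches) check=1
"""
# Same list a few seconds later, with an explicit final deny that now shows hits.
AFTER = BEFORE + "    deny ip any any (17 matches)\n"

# action, rule text, optional "(N matches)", optional "check=N"
ENTRY_RE = re.compile(
    r"^\s*(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?(?:\s+check=(\d+))?\s*$")


def parse_access_list(text):
    """Return one dict per ACL entry: action, rule, matches, check."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line such as "Extended IP access list 101"
        action, rule, matches, check = m.groups()
        entries.append({"action": action, "rule": rule,
                        "matches": int(matches or 0), "check": int(check or 0)})
    return entries


def has_explicit_final_deny(entries):
    """True when the last entry is 'deny ip any any'; otherwise drops are invisible."""
    if not entries:
        return False
    last = entries[-1]
    return last["action"] == "deny" and last["rule"].split() == ["ip", "any", "any"]


def entries_with_new_matches(before_text, after_text):
    """Rules whose match counter rose between two snapshots (keyed by action + rule)."""
    before = {(e["action"], e["rule"]): e["matches"] for e in parse_access_list(before_text)}
    grown = []
    for e in parse_access_list(after_text):
        if e["matches"] > before.get((e["action"], e["rule"]), 0):
            grown.append(f'{e["action"]} {e["rule"]}')
    return grown


if __name__ == "__main__":
    print("explicit deny present:", has_explicit_final_deny(parse_access_list(AFTER)))
    print("entries that gained matches:", entries_with_new_matches(BEFORE, AFTER))
```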
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Richard Anderson
Sent: Wednesday, March 16, 2005 6:30 PM
To: ccielab@groupstudy.com
Subject: Voice and Access-Lists
What is the best way to troubleshoot an access-list issue?
The previous vendor created an access-list between the IP Phone VLANs and the Call
Manager VLANs.
For example,
Call Manager, Cisco Conference Connection, and Unity are on VLAN 10
(10.1.1.0/24), and the IP Phones are on VLAN 20 (10.1.2.0/24). Certain things
wouldn't work, such as one-way communication: users can join the conference,
but can only hear one way.
Is there any way to find out what ports are used by these services, so that I
can open them one by one?
Any reference and feedback will be appreciated.
Note: If I remove the access-list, everything works fine, so for sure it is
the access-list.
Regards,
Richard.
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:48 GMT-3