Re: [Asterisk-Users] Cisco 7940 Reboot

2005-12-13 Thread Sergio Chersovani

Kristian Kielhofner wrote:

> Or you can keep using the phones with SIP and use sip_notify.  I think
> Ciscos support it.


In my last try it was not doing it on cisco sip phones.

Sergio

___
--Bandwidth and Colocation provided by Easynews.com --

Asterisk-Users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [Asterisk-Users] Cisco 7940 Reboot

2005-12-12 Thread Rich Adamson

I think what the OP's managers were suggesting is that it's not all that
difficult to overflow the switch forwarding table, and cause packets to
appear on a vlan where it shouldn't be. The approach has been around for
a while, and the higher quality switches now handle the table overflow
issue in a much more secure way. No compromised layer-3 needed at all,
and it doesn't make any difference if the vlans are defined on a
per-port or other basis.

The lower-end workgroup switches are more likely to be issues in
current products as opposed to the higher-end switches. But, one only
needs to find "a" switch within the layer-2 trunked network.


> I'm not a VLAN expert either, but there's one switch that ties the
> private vlans into the public vlan, so all you have to do is add a route
> from your box to the vlan over that switch, effectively hopping you onto
> the vlan.  Not really sure the details on it, but that's basically the
> gist of what I understand it (I'm just the voip guy, not the network
> expert ;).  So we've effectively got the phones and servers isolated
> into their own vlan.
>
> Aaron
>
> Patrick wrote:
>
>> On Mon, 2005-12-12 at 16:20 -0600, Aaron Daniel wrote:
>>
>>> We do currently have the cisco's on their own vlan along with the
>>> servers, but I'm told vlan hopping is trivial so that's not
>>> considered secure... considering all you have to do is change a route
>>> on a box to get to the vlan.
>>
>> Far from being the VLAN expert here but isn't it possible to tie a VLAN
>> to physical ports on the switch too? In that case how would adding a
>> route allow you to hop over to the phone's VLAN (realizing this point is
>> moot if the PC & phone share a single network cable instead of each
>> their own)?




Re: [Asterisk-Users] Cisco 7940 Reboot

2005-12-12 Thread Aaron Daniel
I'm not a VLAN expert either, but there's one switch that ties the 
private vlans into the public vlan, so all you have to do is add a route 
from your box to the vlan over that switch, effectively hopping you onto 
the vlan.  Not really sure the details on it, but that's basically the 
gist of what I understand it (I'm just the voip guy, not the network 
expert ;).  So we've effectively got the phones and servers isolated 
into their own vlan.


Aaron

Patrick wrote:

> On Mon, 2005-12-12 at 16:20 -0600, Aaron Daniel wrote:
>
>> We do currently have the cisco's on their own vlan along with the
>> servers, but I'm told vlan hopping is trivial so that's not considered
>> secure... considering all you have to do is change a route on a box to
>> get to the vlan.
>
> Far from being the VLAN expert here but isn't it possible to tie a VLAN
> to physical ports on the switch too? In that case how would adding a
> route allow you to hop over to the phone's VLAN (realizing this point is
> moot if the PC & phone share a single network cable instead of each
> their own)?
>
> Regards,
> Patrick



Re: [Asterisk-Users] Cisco 7940 Reboot

2005-12-12 Thread Kristian Kielhofner

Patrick wrote:

> On Mon, 2005-12-12 at 16:20 -0600, Aaron Daniel wrote:
>
>> We do currently have the cisco's on their own vlan along with the
>> servers, but I'm told vlan hopping is trivial so that's not considered
>> secure... considering all you have to do is change a route on a box to
>> get to the vlan.
>
> Far from being the VLAN expert here but isn't it possible to tie a VLAN
> to physical ports on the switch too? In that case how would adding a
> route allow you to hop over to the phone's VLAN (realizing this point is
> moot if the PC & phone share a single network cable instead of each
> their own)?
>
> Regards,
> Patrick


Patrick,

	VLANs (IEEE 802.1q) operate at layer two of the OSI model.  I don't see 
how adding a route (layer three) in Linux can hop VLANS (unless you had 
an unsecured router connected to both).


	It depends on how the VLANs are implemented.  With most decent 
switches, you can allow tagging of a particular VLAN and specify a 
"default" VLAN on a per port, per VLAN basis.  This combined with 802.1x 
and other security measures actually makes for some decent security at 
such a low level.


	In a typical network deployment with VoIP, you might specify your 
switch ports to allow native "untagged" VLAN traffic, and assign it to 
VLAN 100 (or whatever).  You would then create a new VLAN (110 or 
something) for VoIP traffic.  You would then configure the switch to 
allow tagged traffic for vlan 110 while making untagged traffic part of 
vlan 100 - the default.


	You would then configure one port to use 110 as the default - and 
connect your Asterisk system to it.  It would magically end up on the 
same network as your phones.


	The problem with this is, someone could connect a Linux box, load 
8021q.ko and use vconfig to get that machine on the VoIP VLAN.  However, 
if people can just bring in random machines and connect them to your 
network, it isn't very secure anyways :).


--
Kristian Kielhofner
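
The port behaviour described in the message above, as an added example that is not part of the original post: a small Python model of a switch port's 802.1Q ingress check, using the VLAN numbers from the message (100 as the untagged default, 110 as the tagged VoIP VLAN). `PortConfig`, `classify`, the port names and the sample MAC addresses are constructed for illustration and are not a vendor API.

```python
# Added illustration: a model of a switch port's 802.1Q ingress decision.
# PortConfig and classify() are hypothetical names, not a vendor API.
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

@dataclass
class PortConfig:
    native_vlan: int  # VLAN assigned to untagged frames (the port default)
    tagged_allowed: set = field(default_factory=set)  # VLAN IDs accepted tagged

def build_frame(dst, src, ethertype, vlan=None, payload=b""):
    """Build a constructed Ethernet frame, optionally carrying an 802.1Q tag."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # PCP/DEI = 0
    return header + struct.pack("!H", ethertype) + payload

def classify(port, frame):
    """Return the VLAN a frame is admitted to on this port, or None if dropped."""
    if len(frame) < 14:
        return None  # shorter than an Ethernet header
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return port.native_vlan  # untagged traffic joins the port default
    if len(frame) < 18:
        return None  # truncated tag
    (tci,) = struct.unpack_from("!H", frame, 14)
    vid = tci & 0x0FFF
    if vid == 0:
        return port.native_vlan  # priority tag only, no VLAN membership claimed
    return vid if vid in port.tagged_allowed else None

# Port roles from the message: data VLAN 100, VoIP VLAN 110.
DESK_PORT = PortConfig(native_vlan=100, tagged_allowed={110})  # PC + phone
ASTERISK_PORT = PortConfig(native_vlan=110)                    # server port
PC_ONLY_PORT = PortConfig(native_vlan=100)                     # no phone attached

MAC_A = bytes.fromhex("020000000001")  # constructed, locally administered
MAC_B = bytes.fromhex("020000000002")
UNTAGGED = build_frame(MAC_B, MAC_A, 0x0800)
TAGGED_110 = build_frame(MAC_B, MAC_A, 0x0800, vlan=110)

if __name__ == "__main__":
    ports = [("desk", DESK_PORT), ("asterisk", ASTERISK_PORT), ("pc-only", PC_ONLY_PORT)]
    for name, port in ports:
        print(name, classify(port, UNTAGGED), classify(port, TAGGED_110))
```

A port configured like `DESK_PORT` admits any attached host's frames to VLAN 110 once they carry that tag, which is the situation the message describes; `PC_ONLY_PORT` shows the switch-side limit of accepting tag 110 only on ports where a phone is actually attached.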


Re: [Asterisk-Users] Cisco 7940 Reboot

2005-12-12 Thread Patrick
On Mon, 2005-12-12 at 16:20 -0600, Aaron Daniel wrote:
> We do currently have the cisco's on their own vlan along with the 
> servers, but I'm told vlan hopping is trivial so that's not considered 
> secure... considering all you have to do is change a route on a box to 
> get to the vlan.

Far from being the VLAN expert here but isn't it possible to tie a VLAN
to physical ports on the switch too? In that case how would adding a
route allow you to hop over to the phone's VLAN (realizing this point is
moot if the PC & phone share a single network cable instead of each
their own)?

Regards,
Patrick



Re: [Asterisk-Users] Cisco 7940 Reboot

2005-12-12 Thread Aaron Daniel
We do currently have the cisco's on their own vlan along with the 
servers, but I'm told vlan hopping is trivial so that's not considered 
secure... considering all you have to do is change a route on a box to 
get to the vlan.  And has anyone actually got sip_notify to work for the 
cisco phones?  I can't quite figure out how to configure it to send the 
phone a reboot.  The default doesn't work, and neither do any of the 
variations I've used.


Aaron

Kristian Kielhofner wrote:

> Joseph wrote:
>
>> On Mon, 2005-12-12 at 11:36 -0600, Aaron Daniel wrote:
>>
>>> We've currently got 4 servers, and anytime we make any major
>>> modifications to the servers, the phones have to be rebooted.  We've
>>> got about 55 cisco 7940's (which is going to steadily increase over
>>> the next few months), does anyone know of a way to reboot the phones
>>> without using the telnet function?  The powers that be here don't
>>> like the telnet cause it's insecure, and I can't really find any
>>> other way to do the reboot.  Any help would be appreciated.
>>
>> You can secure the network that the phones have access to via a vlan
>> that restricts who can telnet to the phones.
>>
>> Or you can move the phones to chan_sccp which lets you restart or reset
>> the phones from the * console.
>
> Or you can keep using the phones with SIP and use sip_notify.  I think
> Ciscos support it.






Re: [Asterisk-Users] Cisco 7940 Reboot

2005-12-12 Thread Kristian Kielhofner

Joseph wrote:

> On Mon, 2005-12-12 at 11:36 -0600, Aaron Daniel wrote:
>
>> We've currently got 4 servers, and anytime we make any major
>> modifications to the servers, the phones have to be rebooted.  We've got
>> about 55 cisco 7940's (which is going to steadily increase over the next
>> few months), does anyone know of a way to reboot the phones without
>> using the telnet function?  The powers that be here don't like the
>> telnet cause it's insecure, and I can't really find any other way to do
>> the reboot.  Any help would be appreciated.
>
> You can secure the network that the phones have access to via a vlan
> that restricts who can telnet to the phones.
>
> Or you can move the phones to chan_sccp which lets you restart or reset
> the phones from the * console.


Or you can keep using the phones with SIP and use sip_notify.  I think 
Ciscos support it.


--
Kristian Kielhofner


Re: [Asterisk-Users] Cisco 7940 Reboot

2005-12-12 Thread Joseph
On Mon, 2005-12-12 at 11:36 -0600, Aaron Daniel wrote:
> We've currently got 4 servers, and anytime we make any major 
> modifications to the servers, the phones have to be rebooted.  We've got 
> about 55 cisco 7940's (which is going to steadily increase over the next 
> few months), does anyone know of a way to reboot the phones without 
> using the telnet function?  The powers that be here don't like the 
> telnet cause it's insecure, and I can't really find any other way to do 
> the reboot.  Any help would be appreciated.

You can secure the network that the phones have access to via a vlan
that restricts who can telnet to the phones.

Or you can move the phones to chan_sccp which lets you restart or reset
the phones from the * console.


-- 
respectfully, Joseph

