!
ip access-list extended ACL-UC-IN/OUT
 remark *** 172.16/16 dedicated to Unified Communications ***
 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
!
interface Vlan <VOICE-VLAN>
 ip access-group ACL-UC-IN/OUT in
 ip access-group ACL-UC-IN/OUT out
!
Although the preceding ACL is illustrative rather than comprehensive (it permits only traffic whose source and destination both fall within 172.16/16 and relies on the implicit deny at the end of the list to drop everything else), this type of VLAN is an area in which tighter controls are often welcomed, because voice VLANs typically bypass the security controls that are applied to data segments, such as 802.1X or Network Admission Control.
Administrators must devise an interface and device grouping methodology as a first step. A security-oriented methodology should aim to minimize the configuration complexity of network devices and applications. If standard device or interface naming has been deployed in an organization, administrators can examine those structures to identify parallels that should be carried into the addressing methodology.
The following list provides a starting point for an organization-specific grouping scheme. It is important to note that a single device will likely be in more than one group; a particular IP address, and not the entire device, is included in the group.
After the groups have been defined and vetted, addressing must be assigned to each group of devices and interfaces. This step may be made easier through the use of addresses set aside for private use according to RFC 1918. One common approach that makes it easier to associate an IP address with its role is to use similar but obviously different addresses for roles that are different but somehow related. For example, administrators could assign the subnet 10.16.1.0/24 to the data network at a remote location and 172.16.1.0/24 to the phones at the same location: the third octet identifies the site in both cases, while the leading octets identify the role, consistent with the 172.16/16 block that the earlier ACL reserves for Unified Communications.
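The following Python script is an added example, not part of the Cisco document, that puts the two preceding ideas together: a role-encoded addressing plan (one RFC 1918 /16 per role, third octet = site number) from which per-site subnets are derived, addresses are mapped back to their role and site, and an extended ACL in the shape of ACL-UC-IN/OUT is generated from the role block. The plan itself (`ROLE_BLOCKS`, the "data" and "uc" role names, the /24-per-site split) is an assumption chosen to match the 10.16.x/172.16.x example above, and the addresses passed in at the bottom are constructed.

```python
"""Role-encoded addressing plan: derive subnets, classify addresses, emit ACLs.

Added example (not from the Cisco document). The plan is hypothetical:
one /16 per role, third octet = site number, so 10.16.<site>.0/24 is the
data network and 172.16.<site>.0/24 is the phone network at that site.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network

# Hypothetical plan: role -> the RFC 1918 /16 carved out for it.
ROLE_BLOCKS: Dict[str, Net] = {
    "data": ipaddress.ip_network("10.16.0.0/16"),
    "uc":   ipaddress.ip_network("172.16.0.0/16"),
}
SITE_PREFIX = 24  # one /24 per role per site; the third octet is the site


def site_subnet(role: str, site: int) -> Net:
    """Return the /24 for `role` at `site`, e.g. ("uc", 1) -> 172.16.1.0/24."""
    if not 0 <= site <= 255:
        raise ValueError("site number must fit in one octet")
    block = ROLE_BLOCKS[role]
    base = int(block.network_address) | (site << (32 - SITE_PREFIX))
    return ipaddress.IPv4Network((base, SITE_PREFIX))


def classify(ip_text: str) -> Optional[Tuple[str, int]]:
    """Map an address back to (role, site) by the role block it falls in.

    Returns None for addresses outside the plan, which is itself useful:
    an unplanned source talking to a role block is worth a closer look."""
    ip = ipaddress.ip_address(ip_text)
    for role, block in ROLE_BLOCKS.items():
        if ip in block:
            site = (int(ip) - int(block.network_address)) >> (32 - SITE_PREFIX)
            return role, site
    return None


def wildcard(net: Net) -> str:
    """IOS wildcard mask (inverse of the netmask), e.g. /16 -> 0.0.255.255."""
    return str(net.hostmask)


def render_acl(name: str, role: str, remark: str) -> List[str]:
    """Emit an extended ACL permitting traffic only within one role block.

    Same shape as the document's ACL-UC-IN/OUT: a single block-to-block
    permit; IOS's implicit deny at the end of the list drops everything else."""
    block = ROLE_BLOCKS[role]
    src = f"{block.network_address} {wildcard(block)}"
    return [
        f"ip access-list extended {name}",
        f" remark *** {remark} ***",
        f" permit ip {src} {src}",
    ]


def device_roles(addresses: Iterable[str]) -> Set[str]:
    """A device is in every group one of its addresses falls in: the address,
    not the whole device, is what the grouping scheme places in a group."""
    return {hit[0] for hit in map(classify, addresses) if hit}


if __name__ == "__main__":
    print(site_subnet("uc", 1), site_subnet("data", 1))
    print(classify("172.16.1.10"), classify("10.16.1.5"), classify("192.0.2.1"))
    print("\n".join(render_acl("ACL-UC-IN/OUT", "uc",
                               "172.16/16 dedicated to Unified Communications")))
    # Constructed dual-homed server: one leg on the data block, one on UC.
    print(device_roles(["10.16.1.20", "172.16.1.20"]))
```

The generated permit line is byte-for-byte the one in the ACL above; changing `ROLE_BLOCKS` regenerates every role's ACL consistently, which is the configuration-complexity payoff the grouping methodology is after.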
Administrators can use any proven re-addressing strategy after completing the address assignment methodology; however, a pure network re-addressing exercise is very difficult. A more appropriate approach would be to implement this strategy for deployments of new networks or IPv6, or to incorporate the re-addressing into the phased reprovisioning of the network.
When any change is made to a network, it is important to understand its ramifications. The following questions should be answered prior to pursuing a security-oriented addressing methodology.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.