Allow ports for VoIP on a cisco router and QoS

per the ISP I have to allow certain traffic into our cisco router for VoIP traffic, was wondering what the best approach might be?

for example i need to allow tcp/udp ports 5060 - 5061, 2427 and 2727, etc.
then they mention a QoS template and recommend queuing method C or B.

going through a lot of info i'm just getting lost and hoping someone could help
i'm guessing inbound ACLs on the external interface, but don't know what the best way to accomplish?

thanks,
AMtekAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

alltechdennyCommented:
I usually tend to define rules for STUN and SIP based on the sockets required and bound to the static of the carrier and for instance Carrier X requires 3478 to PBX internal 192.168.X.10 so create rule to allow ONLY 3478 from Carrier X. Are you provisioning phones externally are all behind firewall? What PBX are you using?
0
AMtekAuthor Commented:
thx for the reply, it's not a PBX it's a 'hosted' solution from the ISP.

they said i just needed to make sure certain ports are open on the router and set up QoS
the phones are on their own VLAN/Subnet, routing is good, DHCP is set and confirmed, L3 routing with a switch is working perfect, just not sure about if there is any nat or a combo of nat and acl to open ports

i'm really out of practice for acls and have never configured QoS so i'm at a loss how to attack
0
alltechdennyCommented:
What I personally would do then is verify ports ( usually 3478,5000,5060,5061,9000-9049) and create a rule for traffic to the ISP provided source. The QOS should be in the internal page. What model Switch? SG200?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

AMtekAuthor Commented:
i have a list of the ports, no ISP source as of yet
TCP ports 5060 and 5061 (for SIP)
UDP ports 5060 and 5061 (for SIP)
TCP ports 2427 and 2727 (for MGCP)
UDP ports 2427 and 2727 (for MGCP)
UDP ports 16384-32767 (for RTP)1
TCP port 123 and UDP port 123 (for NTP)
TCP port 69 and UDP port 69 (for TFTP)
TCP port 80 and UDP port 80 (for HTTP)
TPC port 2208 and UDP port 2208 (for HTTP)
TPC port 443 and UDP port 443 (for HTTP)

two switches, a 2960XR is doing the routing, phones are connected to voice vlan 10 on a 2960X switch
the 2960XR is connected to a 1941 router
0
alltechdennyCommented:
What kind of speed from ISP?
0
AMtekAuthor Commented:
100Mb
0
alltechdennyCommented:
I have a client with 24 phones (External) @ 100/100 and zero issues with no QOS so you MAY not even need it depending on what else they do there but I would begin with defining the source "all traffic" rule to VLAN sub and see how it sounds...may be a breeze!
0
AMtekAuthor Commented:
do you have an example? i'm not even sure of the syntax
0
alltechdennyCommented:
router#configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  router(config)#access-list 101 deny icmp any any
  router(config)#access-list 101 permit ip any any
  router(config)#^Z
 
  router#show access-list
  Extended IP access list 101
      deny icmp any any
      permit ip any any
  router#
  *Mar  9 00:43:12.784: %SYS-5-CONFIG_I: Configured from console by console

  router#configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  router(config)#no access-list 101 deny icmp any any
  router(config)#^Z
 
  router#show access-list
  router#
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
alltechdennyCommented:
Did you try? Mark as answer if all set Please.
0
AMtekAuthor Commented:
thanks, ended up going a totally different way. but i appreciate the responses.
0
alltechdennyCommented:
Absolutely!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.