Port isolation with SIP

Just browsing

Port isolation with SIP

We're currently discussing the use of port isolation for security reasons for  a customer. They want to minimize the effect of a possible malware incident.

They have a setup, where they connect many of the network clients through the internal switch if IP phones.


I was just wondering, whether port isolation would break internal SIP calls between the IP phones.

From what I know, SIP initiates direct connections between the phones after they've got corresponding IP information from the SIP server.

Is there a way to make an exception from port isolation for single VLANs?

Or would the customer need to implement something like a SIP proxy?


Kind of a big deal
Kind of a big deal

There is no vlan exception. You need force rtp / sip traffic through the gateway. The gateway cant be on a isolated port

Kind of a big deal
Kind of a big deal

I think you'd need to do something like putting each SIP endpoint on it's own VLAN, then the calls would route through the gateway, not sure if you can force it not to connect locally (at least on Cisco SIP solutions)

Kind of a big deal
Kind of a big deal

This varies by phone system.  Some systems have the phones talk directly to each other, some proxy all calls through the phone system.  On some systems, this is a configurable setting.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.