Claranet Hosted Voice LAN And Firewall Guidelines For MPLS Customers


Ref LAN & Firewall Guidelines
All Rights Reserved 2010 Claranet
Claranet Hosted Voice LAN and Firewall Guidelines for MPLS Customers
February 2022

Purpose and Audience

The experience, call quality and reliability of an IP Voice deployment like Claranet Hosted Voice is highly dependent on the local area network and firewall configurations at the site.

The purpose of this document is to present for customers our recommended LAN and firewall settings and configurations that will support the deployment of Hosted Voice. These are based on industry standard practice and our experience from existing customer deployments.

The audience for this document is technical network professionals with responsibility for and access to a Hosted Voice customer's LAN and network firewall.

Firewall & Security Guide

In order for IP phones to be able to access the service, some firewalls may need adjusting to allow the traffic through. If the firewall is running inside to outside rules then ports should be opened to allow the Hosted Voice protocols out.

SIP ALG

SIP ALG is the number one issue that will prevent phones registering to the platform and making calls. This is a setting that is quite often turned on automatically on most routers. If you have a self-managed firewall, switch or router, please ensure this is turned off.

Firewall Requirements

The following table provides a list of all the TCP/UDP ports that are required to be accessible in order for the Handset and ATA to function correctly. For MPLS customers with Claranet managed Breakout firewalls, the policies will be updated to accommodate the new telephony solution. In instances where firewalls are managed by customers or their third parties, it will be the customer's responsibility to take the appropriate steps to get firewall rules and policies updated.

NOTE: If a customer is using a firewall inside their MPLS network, for example behind a Claranet MPLS router at one of their sites, then please increase TCP time out to 60 minutes.

Phones and Office UC Desktop Client

Device Protocol Polycom Download & Configuration Polycom Remote Provisioning Server (RPS) Yealink Download & Configuration Yealink Remote Provisioning .com 52.71.103.102 Destination Port TCP 443 TCP 443 TCP 443 TCP 443 35.156.148.166 Cisco Small Business Download & Configuration IP Phone & 1.160/27 TCP 443 UDP/TCP 5060 5075, 8933

IP Phone & ATA RTP Media IP Phone & g UDP/TCP 5060 5075, 8933 UDP 32767 to 65535 UDP/TCP 123 europe.pool.ntp.org IP Phone & ATA DNS Supplied locally UDP/TCP 53

If the Receptionist feature, Call Recording and Call Analytics have been ordered, you will need to allow the following IP addresses and Port:

Feature Protocol Call Analytics Portal HTTPS Voice 3.113.10.32 193.113.11.34 Destination Port TCP 443 TCP 443

Note browser access is via a redirect from the Business Portal.

If the UC Desktop application is to be used, the following ports will need to be allowed out in order for the UC Client to function appropriately. For Office UC app to work using WiFi the same ports would also need to allow the same

ation Media RTP Destination Destination yourwhc.co.uk 193.113.10.27 193.113.11.27 UDP/TCP 5060 UDP 32767 to 65535 TCP 443 Office UC Desktop & Skype for Business Plug-In Downloads HTTPS Office UC Smartphone and Tablet Downloads Office UC Operation n/a Apple Store Google Play Store n/a XSI TCP 443 Office UC P 5222 TCP 1081

Office P 5281 TCP 10.8 193.113.11.8 TCP 8443

*only permit this range if the WiFi subnet is different to Data and Voice Subnet

OFFICE UC Mobile Client

Application Protocol Destination Destination P 5060, 5074, 5075, 8933 Application 224/27 UDP 32767 to 65535

Cisco Webex Client requirements are as follows:

Device Protocol Destination Destination Port 213.121.33.36 213.121.34.130 SRV: xsi-client. c.co.uk WebEx clients (Desktop, tablet lients-02.yourwhc.co.uk TCP 443

More information can be found here - NetworkRequirements-for-Webex-Services
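The firewall requirements above (SIP ALG off, the 60-minute TCP timeout for firewalls inside the MPLS network, and the handset/ATA port list) can be checked mechanically before phones are deployed. The following is an added example, not Claranet's code: the policy model, the `inside_mpls` field and the SAMPLE values are constructed, and it checks ports only, not destination addresses.

```python
# Added example: audit an outbound firewall policy against the handset/ATA
# rows of this guide. The policy model and SAMPLE values are constructed.

# (protocol, first port, last port, purpose); purpose labels are descriptive only.
REQUIRED = [("tcp", 443, 443, "HTTPS download and configuration")]
for port, use in [(5060, "signalling"), (5075, "signalling"), (8933, "signalling"),
                  (123, "NTP"), (53, "DNS")]:
    REQUIRED += [("udp", port, port, use), ("tcp", port, port, use)]
REQUIRED.append(("udp", 32767, 65535, "RTP media"))

def covered(proto, lo, hi, rules):
    """True if the allow rules for proto jointly cover every port in lo..hi."""
    need = lo
    for r_lo, r_hi in sorted((a, b) for p, a, b in rules if p == proto):
        if r_lo > need:      # gap before the next allowed range
            break
        need = max(need, r_hi + 1)
        if need > hi:
            return True
    return False

def audit(policy):
    """Return a list of findings for one firewall's outbound policy."""
    findings = []
    if policy["sip_alg"]:
        findings.append("SIP ALG is enabled; the guide requires it turned off")
    # The 60-minute TCP timeout applies to firewalls inside the MPLS network.
    if policy["inside_mpls"] and policy["tcp_timeout_s"] < 60 * 60:
        findings.append("TCP timeout is below 60 minutes")
    for proto, lo, hi, use in REQUIRED:
        if not covered(proto, lo, hi, policy["allow_out"]):
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            findings.append(f"{proto.upper()} {span} not fully allowed out ({use})")
    return findings

SAMPLE = {  # constructed policy with deliberate gaps
    "sip_alg": True, "inside_mpls": True, "tcp_timeout_s": 1800,
    "allow_out": [("tcp", 443, 443), ("udp", 53, 53), ("tcp", 53, 53),
                  ("udp", 123, 123), ("tcp", 123, 123),
                  ("udp", 5060, 5075), ("tcp", 5060, 5075),
                  ("udp", 32767, 49999), ("udp", 50001, 65535)],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The sample policy is reported for SIP ALG, the short TCP timeout, the missing 8933 rules, and a one-port hole in the RTP range that would otherwise be easy to miss.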

DHCP Configuration

DHCP configuration is very important, as this is one of the ways that the phones will learn the VLAN that they reside in, and it also enables administrators to push out the phone configuration URL.

PLEASE NOTE: THE DHCP OPTIONS NEED TO BE ON THE DATA POOL

See a sample DHCP configuration below:

    ip dhcp pool DATA-LAN
     network 172.16.0.0 255.255.255.0
     default-router 172.16.0.1
     dns-server 195.8.69.7 195.8.69.12
     ! option 132 is for Yealinks
     option 132 ascii "VLAN-A 11;"
     ! option 144 is for Polycoms
     option 144 ascii "VLAN-A 11;"
    !
    ip dhcp pool IPT-PHONES
     network 10.0.1.0 255.255.255.0
     default-router 10.0.1.1
     dns-server 195.8.69.7 195.8.69.12

*NOTE: VLAN 11 is the Voice VLAN.

Switch Port Configuration

Standard switch port configuration recommended by Cisco.

Preferred switch port config:

    interface GigabitEthernet0/47
     description Example switch port config
     switchport access vlan 10
     switchport mode access
     switchport voice vlan 11
     spanning-tree portfast

An alternative config which will also work:

    interface GigabitEthernet0/47
     description Example switch port config
     switchport mode trunk
     switchport trunk allowed vlan 10,11

*Note: VLAN 10 – Data, VLAN 11 – Voice

QoS configuration

At the moment we are trying to standardise the QoS configuration so as to make it easy for support. The following Modular QoS config has been tested on our test EFM circuit:

    class-map match-all SIGNALLING
     match dscp af31
    class-map match-all VOICE
     match dscp ef
    !
    !
    policy-map STANDARD-QoS
     class VOICE
      priority (Amount of bandwidth to be prioritised in Kilobits per second)
     class SIGNALLING
      bandwidth (Amount of bandwidth to be allocated to Signalling class in Kilobits per second)
     class class-default
      shape average (Total bandwidth of the circuit in bits per second)
    !
    interface GigabitEthernet0/1
     description WAN INTERFACE
     service-policy output STANDARD-QoS
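The DHCP and switch port sections of this guide depend on each other: options 132/144 must sit on the data pool, and the VLAN they announce must be the voice VLAN configured on the access ports. The following added example (not Claranet's code) lints an IOS-style config for both conditions; the config text is constructed with deliberate faults, the pool names are written with hyphens, and the data subnet is supplied by the caller.

```python
import re

# Constructed config modelled on the guide's sample, with two deliberate faults:
# the VLAN options sit on the phone pool, and option 144 names the wrong VLAN.
CONFIG = """\
ip dhcp pool DATA-LAN
 network 172.16.0.0 255.255.255.0
 default-router 172.16.0.1
ip dhcp pool IPT-PHONES
 network 10.0.1.0 255.255.255.0
 option 132 ascii "VLAN-A 11;"
 option 144 ascii "VLAN-A 12;"
interface GigabitEthernet0/47
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 11
"""

def parse_blocks(text):
    """Map each top-level 'ip dhcp pool' / 'interface' line to its sub-commands."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            keep = raw.startswith(("ip dhcp pool ", "interface "))
            current = blocks.setdefault(raw.strip(), []) if keep else None
        elif current is not None:
            current.append(raw.strip())
    return blocks

def lint(text, data_network):
    """Return findings; data_network is the data VLAN subnet (caller-supplied)."""
    blocks, findings = parse_blocks(text), []
    voice = {int(m.group(1)) for subs in blocks.values() for s in subs
             if (m := re.fullmatch(r"switchport voice vlan (\d+)", s))}
    for head, subs in blocks.items():
        if not head.startswith("ip dhcp pool "):
            continue
        net = next((s.split()[1] for s in subs if s.startswith("network ")), None)
        opts = {int(m.group(1)): int(m.group(2)) for s in subs
                if (m := re.fullmatch(r'option (132|144) ascii "VLAN-A (\d+);"', s))}
        if opts and net != data_network:
            findings.append(f"{head}: VLAN options are not on the data pool")
        if net == data_network:
            findings += [f"{head}: option {o} missing" for o in (132, 144) if o not in opts]
        findings += [f"{head}: option {o} gives VLAN {v}, ports use {sorted(voice)}"
                     for o, v in opts.items() if v not in voice]
    return findings
```

Calling `lint(CONFIG, "172.16.0.0")` reports the two missing options on the data pool, the options misplaced on the phone pool, and the option 144 VLAN that no switch port uses as its voice VLAN.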

Polycom Remote HTTPS 52.183.240 TCP 443 Provisioning Server 54.86.39.219 (RPS) Yealink HTTPS dm.yourwhc.co.uk TCP 443 . WebEx clients (Desktop, tablet & HTTPS 213.121.33.36 213.121.34.130 -client._tcp.webex clients.yourwhc.co.uk webex-clients.yourwhc.co.uk webex-clients-01.yourwhc.co.uk webex -clients 02.yourwhc.co.uk TCP 443 . DHCP Configuration DHCP configuration is very important as .