Polycom E340 Cell Phone User Manual


 
Deploying SpectraLink 8020/8030
Wireless Telephones
May 2009 Best Practices Guide
forward these tags, but are otherwise compatible with 802.1Q up to the Ethernet switch ports used for the
SpectraLink equipment.
5.4 MAC Filtering and Authentication
Most access points can be configured to allow or deny association of wireless clients based on their
unique MAC address, which can be used as a method of securing the WLAN. This process generally
works well, but can cause some performance issues on some APs and is never recommended when
using voice on a WLAN.
5.5 Firewalls and Traffic Filtering
The traffic filtering capabilities of firewalls, Ethernet switches and wireless controllers can also be used as
an additional security layer if configured to allow only certain types of traffic to pass onto specific areas of
the LAN. To properly provide access control, it is necessary to understand the type of IP traffic used by
the SpectraLink handsets. When using SpectraLink Telephony Gateways to interface to a traditional PBX
or an SVP Server in an IP PBX implementation, the handset uses the SpectraLink Radio IP Protocol (ID
119).
While the SpectraLink handset will generally work through a firewall if the appropriate ports are made
available, this is never recommended. Firewalls create a great deal of jitter in the network which can
severely limit the successful, on-time delivery of audio packets to the wireless telephone. Additionally, the
use of ICMP redirects is not supported because of the extreme delay that can result when the gateway of
the SVP Server or handsets is changed dynamically. The SpectraLink handset requires less than one
millisecond of jitter from the SVP Server to handset. This will be difficult to achieve if there are multiple
‘hops’ between the handset and the SVP Server.
For an IP telephony server interface, the ports used depend on the IP telephony protocol of the telephony
switch interface. The SpectraLink Wireless Telephones, Telephony Gateways and SVP Server use TCP
and UDP and other common IP protocols from time to time. These include DHCP, DNS, WINS, TFTP,
FTP, NTP, Telnet, ARP and ICMP. Polycom uses proprietary UDP channels between the infrastructure
components, i.e., UDP ports 5454-5458. The push-to-talk (PTT) mode of the SpectraLink i640 Wireless
Telephone uses the multicast IP address 224.0.1.116, which other model handsets and SpectraLink
infrastructure components also employ to locate and maintain connection with each other. Some other
common ports between the SVP Server and call server will be RTP traffic on ports 16384 through 32767.
The port used will be chosen randomly by the phone and call server at the time of call setup.
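The following Python example, added here and not part of the Polycom guide, checks flow records against the traffic types this section lists and returns anything else for review. The record format, sample addresses and class labels are constructed; RTP is assumed to run over UDP, and the DHCP, DNS, WINS, TFTP, FTP, NTP and Telnet entries use those services' well-known ports.

```python
import ipaddress

# Values from section 5.5 of the guide.
SRP_PROTO = 119                                   # SpectraLink Radio IP Protocol ID
INFRA_UDP = range(5454, 5459)                     # proprietary UDP ports 5454-5458
PTT_GROUP = ipaddress.ip_address("224.0.1.116")   # PTT / discovery multicast group
RTP_PORTS = range(16384, 32768)                   # RTP ports 16384-32767 (UDP assumed)
# Well-known ports for the services the guide names; ARP is not IP and is omitted.
SERVICES = {
    (17, 67): "DHCP", (17, 68): "DHCP", (17, 53): "DNS", (6, 53): "DNS",
    (17, 137): "WINS", (17, 69): "TFTP", (6, 21): "FTP", (17, 123): "NTP",
    (6, 23): "Telnet",
}

def classify(proto, dst, dport=0):
    """Return the documented traffic class for a flow, or None if undocumented."""
    if proto == SRP_PROTO:
        return "SRP"
    if ipaddress.ip_address(dst) == PTT_GROUP:
        return "multicast"
    if proto == 1:
        return "ICMP"
    if proto == 17 and dport in INFRA_UDP:
        return "infrastructure"
    if proto == 17 and dport in RTP_PORTS:
        return "RTP"
    return SERVICES.get((proto, dport))

def undocumented(flow_lines):
    """Parse 'proto dst dport' records and return those the guide does not cover."""
    flagged = []
    for line in flow_lines:
        proto, dst, dport = line.split()
        if classify(int(proto), dst, int(dport)) is None:
            flagged.append(line)
    return flagged

# Constructed sample records: IP protocol number, destination, destination port.
SAMPLE = [
    "119 10.0.8.20 0",       # SpectraLink Radio Protocol toward the SVP Server
    "17 10.0.8.20 5456",     # infrastructure UDP channel
    "17 224.0.1.116 5001",   # multicast group (port value is made up)
    "17 10.0.9.5 20000",     # RTP toward the call server
    "6 10.0.9.5 445",        # SMB: not listed in the guide
    "17 10.0.8.20 5459",     # one port past the 5454-5458 range
]

if __name__ == "__main__":
    for line in undocumented(SAMPLE):
        print("undocumented:", line)
```

The SERVICES table matches only the initial or control port, so FTP data connections and TFTP transfers on negotiated ports will be reported as undocumented.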
5.6 Virtual Private Networks (VPNs)
Virtual Private Networks (VPNs) are secure, private network connections. VPNs typically employ some
combination of strong encryption, digital certificates, strong user authentication and access control to
provide maximum security to the traffic they carry. They usually provide connectivity to many devices
behind a VPN concentrator. The network can be broken into two portions - protected and unprotected:
1) The area behind the VPN server is referred to as the “protected” portion of the network. Sensitive,
private network equipment such as file servers, e-mail servers and databases reside in this portion.
2) The area in front of the VPN server is referred to as the “unprotected” network, where the wireless
APs and less sensitive network equipment often reside.
VPNs offer an extremely effective method for securing a wireless network. Many network administrators
implement VPNs to maintain the integrity of their WLANs by requiring wireless users who need access to
the protected portion of the network to connect through a VPN server.
©2009 Polycom, Inc. All rights reserved.
Polycom and the Polycom logo are registered trademarks of Polycom, Inc. All other trademarks are the property of Polycom, Inc. or their respective companies.