We can protect our voice network with simple Auxiliary VLAN but sometimes to be more secure Auxiliary VLAN are not enough. In this case we can use Security appliances such firewalls or VPN termination devices or both.
Firewall maybe seems like very clean and simple mechanism to protect RTP protocols transmitted voice packets but there’s a problem. Protecting voice networks with a firewall is not so simple because we are not sure what UDP port will be used by the RTP voice packets flow.
If we look at some Cisco network architecture and Cisco device environment, a UDP port for an RTP stream is an random port selected from the pool of 16,384 to 32,767. We surely don’t want to open all those ports on firewall just to be sure that the VoIP will function well. So many open ports may be seen from other side like a bunch of security holes.