09-23-2016 02:11 PM - edited 03-17-2019 08:10 AM
I have toll fraud enabled with a list of trusted carrier IPs on them. I want to put an ACL in place that denies all traffic, except for the traffic coming from the trusted IPs list. Should I add the
Thanks.
09-23-2016 11:28 PM
With the Toll Fraud Prevention feature, the router by default will reject calls from IP addresses that are not in the trusted list. Hence there is no specific need to create an ACL and put the trusted IPs there as well; however, from a double-preventive-measure point of view, there is no harm in doing it either.
http://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html
Regards
Deepak
09-23-2016 11:55 PM
You can create an access list which first permits the traffic from the nodes defined in the trusted list and then block the rest of the traffic on port 5060/5061 or the entire SIP port range based on TCP & UDP.
Sample Configuration:
! Extended named ACL (correct IOS syntax is "ip access-list extended <name>")
ip access-list extended PREVENT_TOLL_FRAUD
 ! SIP signalling from the trusted carrier only
 10 permit tcp host (trusted_remote_ip) host (my_rtr_loopback_ip) eq 5060
 20 permit udp host (trusted_remote_ip) host (my_rtr_loopback_ip) eq 5060
 ! Drop SIP from everyone else
 50 deny tcp any host (my_rtr_loopback_ip) eq 5060
 60 deny udp any host (my_rtr_loopback_ip) eq 5060
 ! Leave all other traffic untouched
 90 permit ip any any
!
interface
 ip access-group PREVENT_TOLL_FRAUD in
Aseem
(Please rate if useful)
09-24-2016 01:07 AM
Hi,
As Deepak mentioned, you don't need to have an ACL if you want to enable toll fraud. Defining addresses in the trusted list will be enough to block calls from any other IP.
If you want toll fraud with ACLs, then you can create voice source group and associate the ACL which includes the trusted IPs as permitted IPs.
Also, Aseem mentioned how to protect your network against non-trusted traffic (this isn't specific to toll fraud). With ACLs on interfaces, you can secure your VoIP network against attacks such as SIP DDoS and SIP reconnaissance, which is very common, using dummy SIP messages (OPTIONS, REGISTER, INVITE).
To define ACLs on an interface you need to understand what protocols are used in your network. The ports listed below are specific to SIP. If you are using MGCP, H323, SCCP, CTI, etc. then you have a different set of ports to be allowed. Also, you need to allow the media range, which varies between UDP 16384 and 65535 (Cisco extended the range from 32767 to 65535).
Personally, I suggest you combine both, which is what I do to secure your network.
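Putting the two replies together (the toll-fraud trusted list plus an interface ACL that also covers the RTP media range), here is an added example configuration that is not from any of the posters above. The carrier addresses 192.0.2.10 and 192.0.2.11, the voice loopback 203.0.113.1 on Loopback0, and the WAN interface GigabitEthernet0/0 are placeholders; the ACL assumes Loopback0 is dedicated to voice, since the RTP deny would otherwise drop unrelated UDP replies (DNS, etc.) to the router.

```cisco
! --- Toll fraud prevention: only the listed carriers may place calls ---
voice service voip
 ip address trusted authenticate
 ip address trusted list
  ipv4 192.0.2.10
  ipv4 192.0.2.11
 sip
  ! bind signalling and media to the dedicated voice loopback
  bind control source-interface Loopback0
  bind media source-interface Loopback0
!
! --- Interface ACL: second layer in front of the voice loopback ---
ip access-list extended PREVENT_TOLL_FRAUD
 remark SIP signalling (5060 UDP/TCP, 5061 TLS) from trusted carriers only
 permit udp host 192.0.2.10 host 203.0.113.1 eq 5060
 permit tcp host 192.0.2.10 host 203.0.113.1 range 5060 5061
 permit udp host 192.0.2.11 host 203.0.113.1 eq 5060
 permit tcp host 192.0.2.11 host 203.0.113.1 range 5060 5061
 remark RTP/RTCP media range (UDP 16384-65535) from trusted carriers only
 permit udp host 192.0.2.10 host 203.0.113.1 range 16384 65535
 permit udp host 192.0.2.11 host 203.0.113.1 range 16384 65535
 remark drop and log SIP scans / unsolicited media from anyone else
 deny udp any host 203.0.113.1 eq 5060 log
 deny tcp any host 203.0.113.1 range 5060 5061 log
 deny udp any host 203.0.113.1 range 16384 65535 log
 remark everything not aimed at the voice loopback is left alone
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group PREVENT_TOLL_FRAUD in
```

The `log` keyword on the deny entries gives you a record of OPTIONS/REGISTER/INVITE probes hitting the voice address without affecting legitimate carrier traffic.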