Solved: ISDN GW 3241 to CUCM calls needs to be block

soundararajan t · ‎09-21-2013

Hi Experts

I need your suggestion on below requirement

One of our customer using cisco Telepresence infra setup (VCSc&E, Conductor, TIP Server & TMS, CUCM). CUCM and VCS integrated, Recently we installed ISDN the GW (3241)

Now customer wants to block the incoming calls from ISDN GW to CUCM extension and Outgoing calls from CUCM extension to ISDN GW

CUCM Numbering plan is 62XXXX series and VCS E.164 numbering Plan is 64XXXX. All the products in Latest version S/W

anybody suggest how we complete this requirement

Regards

SR

Paulo Souza · ‎09-21-2013

Hi, welcome to Cisco Support Community! =)

There are two methods to address your need, the first is by using search rules with named source zones and the second is by using CPL script. I will give you an example about using search rules, which is the easier way to achieve your need:

Blocking from ISDN to CUCM

1) Register your ISDN gateway to a separated subzone in VCS Control, for example "ISDN-SubZone". Only the gateway must to register to this subzone.

2) Create a search rule that matches your CUCM number plan, in your case, 62XXXX. Set this rule to have priority over any other rule. Set the parameter "source" as being the "ISDN-SubZone". Use the parameter "replace" and tranform the number to an unknown number. Set the parameter "On sucessfull match" to "Stop". So your ISDN gateway won't be able to call any CUCM's endpoints.

Blocking from CUCM to ISDN

1) The easier way to do that is by blocking the calls using CUCM itself. You can use CSS/Partition features of CUCM in order to deny certain endpoints do call ISDN numbers

2) But you also can use VCS to block the calls. You can use the same logic above. Create a search rule that matches your ISDN number plan, in my case, 0\d*. Set this rule to have priority over any other rule. Set the parameter "source" as being the CUCM Neighbor Zone. Use the parameter "replace" and tranform the number to an unknown number. Set the parameter "On sucessfull match" to "Stop". So all your CUCM's endpoints won't be able to call any ISDN Numbers. Be aware that it will be applied to all endpoints registered to CUCM, if you want to block only specific endpoints, use the CSS/Partition features of CUCM.

Toll Fraud Prevention

When you implement an ISDN gateway registered to VCS, mainly when you have a VCS Expressway, you should consider the need of implementing a toll fraud prevention mechanism that will avoid external users to use your system as a free telephone system. For example, if you don't implement this kind of mechanism, external users from internet can use your VCS Expressway to reach your ISDN gateway and then make free ISDN calls using your gateway. Furthermore, there is another fraud method called "hairpinning", where the external user dials to your ISDN gateway via ISDN and get connected to the gateway's auto attendant, if it is enabled, then the user redial another ISDN number and then the call is routed towards ISDN using your gateway, in another words, malicious users can make a local call to your gateway and then use your gateway to redial and make an international call, for example.

Therefore, it is extremely important to consider a toll fraud prevention schema when implementing any ISDN gateway registered to VCS, mainly when you have VCSE.

Fortunately, Cisco has provided a configuration example explaining how to block both toll fraud methods. Take a look at this guide starting on page 40:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_X7-2.pdf

I suggest you to consider all the examples above, save a time to plan and then implement your ISDN restriction and toll fraud prevention mechanism.

I hope this help.

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

Paulo Souza Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

View solution in original post

Paulo Souza · ‎09-21-2013

Hi, welcome to Cisco Support Community! =)

There are two methods to address your need, the first is by using search rules with named source zones and the second is by using CPL script. I will give you an example about using search rules, which is the easier way to achieve your need:

Blocking from ISDN to CUCM

1) Register your ISDN gateway to a separated subzone in VCS Control, for example "ISDN-SubZone". Only the gateway must to register to this subzone.

2) Create a search rule that matches your CUCM number plan, in your case, 62XXXX. Set this rule to have priority over any other rule. Set the parameter "source" as being the "ISDN-SubZone". Use the parameter "replace" and tranform the number to an unknown number. Set the parameter "On sucessfull match" to "Stop". So your ISDN gateway won't be able to call any CUCM's endpoints.

Blocking from CUCM to ISDN

1) The easier way to do that is by blocking the calls using CUCM itself. You can use CSS/Partition features of CUCM in order to deny certain endpoints do call ISDN numbers

2) But you also can use VCS to block the calls. You can use the same logic above. Create a search rule that matches your ISDN number plan, in my case, 0\d*. Set this rule to have priority over any other rule. Set the parameter "source" as being the CUCM Neighbor Zone. Use the parameter "replace" and tranform the number to an unknown number. Set the parameter "On sucessfull match" to "Stop". So all your CUCM's endpoints won't be able to call any ISDN Numbers. Be aware that it will be applied to all endpoints registered to CUCM, if you want to block only specific endpoints, use the CSS/Partition features of CUCM.

Toll Fraud Prevention

When you implement an ISDN gateway registered to VCS, mainly when you have a VCS Expressway, you should consider the need of implementing a toll fraud prevention mechanism that will avoid external users to use your system as a free telephone system. For example, if you don't implement this kind of mechanism, external users from internet can use your VCS Expressway to reach your ISDN gateway and then make free ISDN calls using your gateway. Furthermore, there is another fraud method called "hairpinning", where the external user dials to your ISDN gateway via ISDN and get connected to the gateway's auto attendant, if it is enabled, then the user redial another ISDN number and then the call is routed towards ISDN using your gateway, in another words, malicious users can make a local call to your gateway and then use your gateway to redial and make an international call, for example.

Therefore, it is extremely important to consider a toll fraud prevention schema when implementing any ISDN gateway registered to VCS, mainly when you have VCSE.

Fortunately, Cisco has provided a configuration example explaining how to block both toll fraud methods. Take a look at this guide starting on page 40:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_X7-2.pdf

I suggest you to consider all the examples above, save a time to plan and then implement your ISDN restriction and toll fraud prevention mechanism.

I hope this help.

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

Paulo Souza Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

soundararajan t · ‎09-22-2013

Hi Paulo

Thanks a lot

Regards

SR