06-27-2012 08:55 AM - edited 03-17-2019 11:22 PM
Hello All,
I am opening this topic to grab some info about call policy on the Cisco VCS running 7.x version.
In my case, I set up an ISDN GW that is used with the prefix "9".
To avoid any "Toll fraud" on my ISDN GW from the Public Internet, I set up a call policy on the VCS Expressway to answer with a "403/Deny by Policy" each attempt from a non-authenticated source dialing [9](.*)@<domain name or Public IP address of VCS Expressway>.
Hopefully it works perfectly.
But I am now facing another behaviour. My VCS dial plan is 9910XX...so it means that the MCU is using this range for Multiway as well.
When I am escalating a call to Multiway with an external and unknown participant, the Multiway sends a SIP REFER to all the endpoints, inviting them to dial back 9910XX@<domain> to enter the ad-hoc conference.
But it starts with 9, and Call Policy kicks it out.
So, my question is: is there a way, in the Call Policy, to block call attempts starting with 9 from an unknown source, except if they are inside a specific range (9910XX@<domain>)?
I am a bit confused; I don't know how to add an "exclusion" to a rule in the call policy.
Thanks a lot!
Cheers
06-27-2012 03:18 PM
Gabriel,
if your ISDN Gateway is registering a prefix of 9, then this prefix should be owned exclusively by this gateway, you shouldn't allow other devices to use aliases starting with 9, and neither should Multiway. I'd recommend that you reconfigure Multiway and endpoints so that they use aliases starting with other digits.
- Andreas
06-27-2012 09:33 PM
The call policy is designed to process rules on a first-match basis, so you could set up a policy to except calls in the specific range, listed above the policy that rejects all other calls.
However, as Andreas mentioned, if your ISDN GW is directly registered on the VCS using a prefix of “9”, this prefix should be owned exclusively by the ISDN Gateway.
Our recommendation is to change the prefix or the endpoint alias assignment, making sure not to overlap alias ranges.
Another method is:
- Enable the embedded gatekeeper on the ISDN Gateway (if supported), then create a neighbor zone on the VCS pointing to the ISDN Gateway.
- Create a search rule matching the 99xx endpoint alias range and targeting the local zone (or the zone/subzone your endpoints are registered in).
- Create a search rule matching prefix 9 and targeting the ISDN Gateway neighbor zone, with a lower priority than the above search rule.
This allows keeping the current alias assignment, but makes the VC deployment more complicated.
We strongly recommend redesigning the alias assignment.
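A small Python model of the first-match ordering described in the reply above, added here as an illustration; it is not VCS configuration or Cisco code. The rule table, the `example.com` domain and the probe aliases are constructed, and full-string matching with a default of "allow" is an assumption of the model.

```python
import re

DOMAIN = r"example\.com"  # constructed placeholder for <domain>

# (unauthenticated_only, destination_regex, action); evaluated top-down.
RULES = [
    (True, r"9910\d{2}@" + DOMAIN, "allow"),  # Multiway range 9910XX, exact length
    (True, r"9.*@" + DOMAIN, "deny"),         # everything else behind ISDN prefix 9
]
# Two mistakes worth testing for before deploying such an exception:
REVERSED = RULES[::-1]                                    # deny shadows the exception
LOOSE = [(True, r"9910.*@" + DOMAIN, "allow"), RULES[1]]  # exception has no length bound


def evaluate(destination, authenticated, rules=RULES):
    """Return (action, rule_index) for the first matching rule.

    Assumption of this model: no match means the call proceeds.
    """
    for index, (unauth_only, pattern, action) in enumerate(rules):
        if unauth_only and authenticated:
            continue  # rule only applies to non-authenticated sources
        if re.fullmatch(pattern, destination):
            return action, index
    return "allow", None


def audit(rules, probes):
    """Return the probe aliases a non-authenticated caller would get through."""
    return [d for d in probes if evaluate(d, False, rules)[0] == "allow"]


# Constructed probe aliases
PROBES = [
    "991012@example.com",          # Multiway conference alias, must pass
    "9910123456@example.com",      # longer number behind prefix 9, must not pass
    "90033123456789@example.com",  # plain ISDN dial-out attempt, must not pass
    "4001@example.com",            # ordinary endpoint alias, untouched by policy
]

if __name__ == "__main__":
    for name, table in (("ordered", RULES), ("reversed", REVERSED), ("loose", LOOSE)):
        print(name, "->", audit(table, PROBES))
```

The loose table shows why the exception needs a fixed length: `9910.*` would let any number beginning with 9910 reach the gateway prefix from a non-authenticated source.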
06-27-2012 11:59 PM
Okay, thank you guys,
I was thinking about that, but I wanted to be sure if things were not possible.
So I will change the ISDN GW prefix.
Thanks for your help!
Gabriel
06-28-2012 12:34 AM
Might want to take a look at this too:
https://supportforums.cisco.com/message/3542518#3542518
/jens