09-14-2012 07:47 PM - edited 03-17-2019 11:48 PM
I have recently been having troubles with my call policy rules. I only have 9, so I deleted them all and created the following:
Source: .* Destination: test@%localdomains%. REJECT
When I dial test@sip domain the call goes through. If I change the destination rule to test@sip domain, the call gets rejected like it should.
Has something changed causing %localdomains% to not work?
10-04-2012 06:08 AM
Hi Darren,
Normally I use the following RegEx to restrict this:
This search rule setting (target set to DNS zone) will prevent invites going out the DNS zone, if the domain already exists in the VCS SIP Domains (make sure the SIP domain you are testing with is added here: VCS configuration > Protocols > SIP > Domain).
Could you try to use this instead, and see if that makes any difference?
Hope this helps,
Arne
10-04-2012 10:40 AM
Thanks Arne, but I'm trying to prevent rooms and individuals from being able to dial into addresses that start with dr. All of my doctors provisioning addresses are dr.x.x@sipdomain. All of my sip domains are added to the VCS correctly (I have 4). So if I dial from 3500@vtc.home.ca to dr.david.livingston@vtc.home.ca, the call should be rejected because my search rule says any source (.*) is not permitted to dial dr(.*)@%localdomains%.
If I test this destination pattern in my VCS Check Pattern tool, it works perfectly. Alias is dr.david.livingston@vtc.home.ca, Pattern Type is Regex, Pattern string is dr.(.*)@%localdomains%, Pattern Behavior is replace, and the replace string is testedgood.
Given this info, shouldn't the call policy rule work?
Darren
10-04-2012 02:25 PM
Darren,
I suspect that in your scenario, the calling endpoint is unauthenticated (For example if this is a locally registered endpoint which is registered in a subzone configured with authentication setting 'Do not check credentials').
When this is the case, the source field will be non-present, meaning it will not even match the '.*' regex, it will only correctly match the source field if this field is blank in your call policy rule.
I suggest that in your call policy rule you leave the source field blank, which will make the rule correctly source match any non-authenticated call request. Optionally you can configure the subzone in question to 'Treat as authenticated' or 'Check credentials', depending on your need, which means that the source field will now properly match the source alias of the calling party.
Hope this helps,
Andreas
10-04-2012 05:31 PM
Andreas, my subzones are set up with "Treat as Authenticated". Despite that, I created a call policy rule with a blank source, but the call still goes through.
Thanks for trying.
Darren
10-04-2012 07:34 PM
Hi Darren,
I hope you are doing well.
I just tested this in the lab and I can replicate your scenario.
It seems that when the regex is %localdomains%, the CPL doesn't work for the call and allows the call.
However, if I keep the regex as a specific domain, e.g. "tptac.com", it matches properly.
I need some time to test some more scenarios. But as Andreas mentioned, a blank source will be an unauthenticated user, and if the subzone is kept as "treat as authenticated" then the CPL will not be matched for an unauthenticated source.
So your deployment with ".*" as source is proper, which is basically for an authenticated source.
Rgds,
Alok
10-05-2012 12:24 AM
I believe pattern matching variables such as %localdomains% are not supported in CPL.
The Admin guide - http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/admin_guide/Cisco_VCS_Administrator_Guide_X7-2.pdf - states (page 368) "The VCS makes use of pattern matching in a number of its features, namely Allow Lists and Deny Lists, presearch transforms and when configuring search rules and zone transforms." It doesn't mention CPL or Call policy rules at all.
10-05-2012 12:29 AM
Guy is entirely correct, you cannot use %localdomains% and similar %-type variables in call policy rules or CPL scripts. I failed to see that Darren was using this in his call policy rules.
Darren, this means that you would have to create specific call policy rules for each of the destination domains which you want to block.
- Andreas
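An added example, not part of the original thread and not Cisco code: one way to produce the per-domain call policy rules described above from a single template. The function names, the sample domains other than vtc.home.ca, Python's `re` standing in for the VCS POSIX regex engine, and the whole-alias, first-match-wins evaluation model are all assumptions.

```python
import re

# Constructed sample list of SIP domains (only vtc.home.ca appears in the thread).
SIP_DOMAINS = ["vtc.home.ca", "video.example.org", "rooms.example.net", "tp.example.com"]


def ere_escape(text):
    """Backslash-escape regex metacharacters so a domain matches only itself."""
    return re.sub(r"([.\\\[\]()*+?{}|^$])", r"\\\1", text)


def expand_rule(source, dest_template, action, domains, var="%localdomains%"):
    """Return one (source, destination, action) rule per domain for a template using var."""
    if var not in dest_template:
        return [(source, dest_template, action)]
    return [(source, dest_template.replace(var, ere_escape(d)), action) for d in domains]


def decide(rules, source, destination, default="ALLOW"):
    """Assumed evaluation model: whole-alias match, first matching rule wins."""
    for src_pat, dst_pat, action in rules:
        if re.fullmatch(src_pat, source) and re.fullmatch(dst_pat, destination):
            return action
    return default


# The dot after "dr" is escaped so that an alias such as "drake@..." is not caught.
TEMPLATE = r"dr\..*@%localdomains%"
RULES = expand_rule(".*", TEMPLATE, "REJECT", SIP_DOMAINS)

if __name__ == "__main__":
    # Rules to enter one by one as call policy rules.
    for src, dst, action in RULES:
        print(f"Source: {src}  Destination: {dst}  {action}")
    caller = "3500@vtc.home.ca"
    for callee in ("dr.david.livingston@vtc.home.ca", "drake@vtc.home.ca"):
        print(callee, "->", decide(RULES, caller, callee))
    # Assumption: an unexpanded variable is compared as literal text, so the
    # single template rule never matches a real alias and the call is allowed.
    literal = [(".*", TEMPLATE, "REJECT")]
    print("unexpanded ->", decide(literal, caller, "dr.david.livingston@vtc.home.ca"))
```

Re-run the expansion whenever a SIP domain is added or removed, since the generated rules do not follow the domain list the way a variable would.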
10-05-2012 04:30 AM
Guy is correct. Of course, putting the exact sip domain in the destination will work. (not that I like this very much). I was sure that I had this working with %localdomains% back before x7.
Thanks for the responses and the suggestions. I better get to making my very long call policy rules.
Darren
10-05-2012 04:47 AM
Darren,
I tested with x6.1 and I found the same behavior with that version, so the behavior has not changed from x6 to x7.
Rgds,
Alok
10-05-2012 05:01 AM
Thanks Alok, I've never been tested to rule out crazy.
10-05-2012 05:34 PM
I know I marked this as answered, but I found in the X7.1 admin guide tonight that the VCS Call policy rules destination and source patterns support regular expressions:
"Regular expressions can be used in conjunction with a number of VCS features such as alias transformations, zone transformations, CPL policy and ENUM. The VCS uses POSIX format regular expression syntax. The table below provides a list of commonly used special characters in regular expression syntax. This is only a subset of the full range of expressions available. For a detailed description of regular expression syntax see the publication Regular Expression Pocket Reference"
So I still think %localdomains% should work since they work in the transforms. They might not actually work right now, but I think they are supposed to. Wouldn't you say so, for the quote above?
10-06-2012 04:55 PM
"Regular expressions" is just a way to match text. This does not necessarily include local variables like %localdomains%.
I would +1 on a feature request to have the %vcs% variables also available in the CPL.
The other option is to create a CPL Service and handle the domains in your webservice.
To be honest I was also under the impression that that worked before, but I might be mistaken like you and it can also be a wrong configuration. At least with the more recent versions you have some more features regarding authenticated and non-authenticated calls.
I assume you use the CPL wizard; be aware that you have to match for authenticated and non-authenticated calls. This might be dependent on your setup and the source caller.
11-08-2012 03:31 AM
I was making some tests on X7.2.1....
If I put this rule on a CPL, it matches everything:
but when I put this one, it doesn't match anything:
Would someone from Cisco please confirm that we cannot use any kind of variables on CPL and if this is planned to be valid (roadmap)?
*It is very hard to control several IPs on a cluster with a hundred domains without variables...
Thank you very much.
11-08-2012 03:37 AM
Elter,
we have already confirmed that you can't use %localdomains% and similar variables in CPL scripts, these only work when used in search rules and transforms.