
VCS X7.1 call policy rule not working

Darren McKinnon
Level 1

I have recently been having troubles with my call policy rules. I only have 9, so I deleted them all and created the following:

Source: .*  Destination: test@%localdomains%. REJECT

When I dial test@sip domain the call goes through. If I change the destination rule to test@sip domain, the call gets rejected like it should.

Has something changed causing %localdomains% to not work?



aostense
Level 1

Hi Darren,

Normally I use the following RegEx to restrict this:

(?!.*@%localdomains%)$)

This search rule setting (target set to DNS zone) will prevent invites going out the DNS zone, if the domain already exist in the VCS SIP Domains (make sure the SIP domain you are testing with is added here: VCS configuration > Protocols > SIP > Domain).

Could you try to use this instead, and see if that makes any difference?

Hope this helps,

Arne

Thanks Arne, but I'm trying to prevent rooms and individuals from being able to dial into addresses that start with dr. All of my doctors provisioning addresses are dr.x.x@sipdomain.  All of my sip domains are added to the VCS correctly (I have 4).  So if I dial from 3500@vtc.home.ca to dr.david.livingston@vtc.home.ca, the call should be rejected because my search rule says any source (.*) is not permitted to dial dr(.*)@%localdomains%.

If I test this destination pattern in my VCS Check Pattern tool, it works perfectly. Alias is dr.david.livingston@vtc.home.ca, Pattern Type is Regex, Pattern string is dr.(.*)@%localdomains%, Pattern Behavior is replace, and the replace string is testedgood.

Given this info, shouldn't the call policy rule work?

Darren

Darren,

I suspect that in your scenario, the calling endpoint is unauthenticated (For example if this is a locally registered endpoint which is registered in a subzone configured with authentication setting 'Do not check credentials').

When this is the case, the source field will be non-present, meaning it will not even match the '.*' regex, it will only correctly match the source field if this field is blank in your call policy rule.

I suggest that in your call policy rule you leave the source field blank, which will make the rule correctly source match any non-authenticated call request. Optionally you can configure the subzone in question to 'Treat as authenticated' or 'Check credentials', depending on your need, which mean that the source field will now properly match the source alias of the calling party.

Hope this helps,

Andreas

Andreas, my subzones are setup with "Treat as Authenticated".  Despite that, I created a call policy rule with a blank source, but the call still goes through.

Thanks for trying.

Darren

Hi Darren,

I hope you would be doing good.

I just tested this in the lab and I can replicate your scenario.

It seems when the regex is %localdomains% the CPL doesn't work for the call and allows the call.

However, if I keep the regex as a specific domain, e.g. "tptac.com", it matches properly.

I need some time to test some more scenarios. But as Andreas mentioned, source as blank will be unauthenticated user, and if the subzone is kept as "treat as authenticated" then the CPL will not be matched for unauthenticated source.

So your deployment ".*" as source is proper, which is basically for authenticated source.

Rgds,

Alok

I believe pattern matching variables such as %localdomains% are not supported in CPL.

The Admin guide - http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/admin_guide/Cisco_VCS_Administrator_Guide_X7-2.pdf - states (page 368) "The VCS makes use of pattern matching in a number of its features, namely Allow Lists and Deny Lists, presearch transforms and when configuring search rules and zone transforms." It doesn't mention CPL or Call policy rules at all.

Guy is entirely correct, you cannot use %localdomains% and similar %-type variables in call policy rules or CPL scripts. I failed to see that Darren was using this in his call policy rules.

Darren, this means that you would have to create specific call policy rules for each of the destination domains which you want to block.

- Andreas

Guy is correct. Of course, putting the exact sip domain in the destination will work (not that I like this very much). I was sure that I had this working with %localdomains% back before x7.

Thanks for the responses and the suggestions. I better get to making my very long call policy rules.

Darren

Darren,

I tested with x6.1 and I found the same behavior with that version. So the behavior is not changed from x6 to x7.

rgds,

Alok

Thanks Alok, I've never been tested to rule out crazy. 

I know I marked this as answered, but I found in the X7.1 admin guide tonight that the VCS Call policy rules destination and source patterns support regular expressions:

Regular expressions can be used in conjunction with a number of VCS features such as alias transformations, zone transformations, CPL policy and ENUM. The VCS uses POSIX format regular expression syntax. The table below provides a list of commonly used special characters in regular expression syntax. This is only a subset of the full range of expressions available. For a detailed description of regular expression syntax see the publication Regular Expression Pocket Reference

So I still think %localdomains% should work since they work in the transforms. They might not actually work right now, but I think they are supposed to. Wouldn't you say so, for the quote above?

"Regular expressions" is just a way to match text. This does not necessarily include local variables like the %localdomains%.

I would +1 on a feature request to have the %vcs% variables also available in the CPL.

The other option is to create a CPL Service and handle the domains in your webservice.

To be honest I was also under the impression that that worked before, but I might be mistaken like you and it can also be a wrong configuration. At least with the more recent versions you have some more features regarding authenticated and non-authenticated calls.

I assume you use the CPL wizard; be aware that you have to match for authenticated and non-authenticated calls. This might be dependent on your setup and the source caller.

Please remember to rate helpful responses and identify

I was making some tests on X7.2.1....

If I put this rule on a CPL, it matches everything:

.*(?!.*@%localdomains%$).*

but when I put this one, it doesn't match anything:

(.*@%localdomains%$).*

Would someone from Cisco please confirm that we cannot use any kind of variables on CPL and if this is planned to be valid (roadmap)?

*It is very hard to control several IPs on a cluster with a hundred domains without variables...

Thank you very much.

Elter,

We have already confirmed that you can't use %localdomains% and similar variables in CPL scripts; these only work when used in search rules and transforms.
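The workaround the thread settles on (one call policy rule per SIP domain) can be generated rather than typed by hand. The sketch below is an added example, not part of the original thread and not Cisco code: it expands a rule template into per-domain rules and checks them locally with Python's `re`, which only approximates the VCS matcher. The domain list beyond vtc.home.ca, the rule dictionary layout, whole-alias matching and the treatment of an unexpanded `%localdomains%` as literal text are assumptions.

```python
import re

VARIABLE = "%localdomains%"
# Constructed sample data: only vtc.home.ca appears in the thread.
SIP_DOMAINS = ["vtc.home.ca", "clinic.example.org", "video.example.net"]
# The destination pattern from the thread, with the dot after "dr" escaped
# so that it matches a literal dot rather than any character.
TEMPLATE = r"dr\.(.*)@%localdomains%"


def expand_rules(template, domains, source=".*", action="reject"):
    """Build one rule per SIP domain, substituting the regex-escaped domain."""
    rules = []
    for domain in domains:
        destination = template.replace(VARIABLE, re.escape(domain))
        rules.append({"source": source, "destination": destination,
                      "action": action})
    return rules


def decision(rules, source_alias, dest_alias, default="allow"):
    """Return the action of the first rule matching both aliases in full."""
    for rule in rules:
        if (re.fullmatch(rule["source"], source_alias)
                and re.fullmatch(rule["destination"], dest_alias)):
            return rule["action"]
    return default


if __name__ == "__main__":
    # Assumption: an unexpanded variable behaves as literal text in the rule.
    unexpanded = [{"source": ".*", "destination": TEMPLATE, "action": "reject"}]
    expanded = expand_rules(TEMPLATE, SIP_DOMAINS)
    caller = "3500@vtc.home.ca"
    for callee in ["dr.david.livingston@vtc.home.ca", "3501@vtc.home.ca"]:
        print(callee,
              "| unexpanded:", decision(unexpanded, caller, callee),
              "| expanded:", decision(expanded, caller, callee))
    for rule in expanded:
        print(rule["source"], "->", rule["destination"], rule["action"].upper())
```

The printed destination patterns are what would be entered as individual call policy rules; re-run the generator whenever a SIP domain is added so the reject rules stay in step with the domain list.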