×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

CUCM. Allow phone registration only from specific subnet

Unanswered Question
Sep 4th, 2013
User Badges:

Hello,


For example, we have CUCM 9.1 and 2 divisions:

-     Division1 with Network_Subnet1 and extensions 1XXX

-     Division2 with Network_Subnet2 and extensions 2XXX

How can I allow registration of phones with extensions 1XXX (or Device Pool DP_Div1) only from Network_Subnet1 and deny registration from Network_Subnet2?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Amine Nouasri Wed, 09/04/2013 - 05:35
User Badges:
  • Bronze, 100 points or more

One way of doing this, is to configure DHCP option 150 only for phones in subnet Network_Subnet1.

Phones in Network_Subnet2 won't have a TFTP server configured to get a configuration file.


Please rate helpful answers!

j.huizinga Wed, 09/04/2013 - 05:35
User Badges:
  • Silver, 250 points or more

If you have a DHCP, don't give option 150 (TFTP) on subnet 2


JH

Chris Deren Wed, 09/04/2013 - 06:06
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 IP Telephony, Contact Center, Unified Communications

Another way can be to enable device mobility and force phones registered from a specific subnet not to have calling privileges for example.


HTH,


Chris

Sergii Shcherbynin Wed, 09/04/2013 - 06:15
User Badges:

We have phones with extensions 2XXX in Network_Subnet2 and they have calling privileges.

James Hawkins Wed, 09/04/2013 - 08:32
User Badges:
  • Blue, 1500 points or more

The only way I can see of doing this would be to maintain two lists of the phones MAC addresses (i.e. list 1 contains phones with 1xxx extensions and list 2 contains phones with 2xxx extensions) and then configure your network infrastructure such that only the 1xxx phones can connect to the VLAN1 ports and only the 2xxx phones can connect to the VLAN2 ports.


802.1x with MAC Authentication Bypass as described at the link below may allow you to do this.


http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html

However it may be costly to set up and painful to manage!

Actions

This Discussion