×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ISDN GW 3241 to CUCM calls needs to be block

Answered Question
Sep 21st, 2013
User Badges:

Hi Experts


I need your suggestion on below requirement


One of our customer using cisco Telepresence infra setup (VCSc&E, Conductor, TIP Server & TMS, CUCM). CUCM and VCS integrated, Recently we installed  ISDN the GW (3241)


Now customer wants to block the incoming calls from ISDN GW to CUCM extension and Outgoing calls from CUCM extension to ISDN GW


CUCM Numbering plan is 62XXXX series and VCS E.164 numbering Plan is 64XXXX. All the products in Latest version S/W


anybody suggest how we complete this requirement


Regards


SR

Correct Answer by Paulo Souza about 3 years 11 months ago

Hi, welcome to Cisco Support Community!  =)


There are two methods to address your need, the first is by using search rules with named source zones and the second is by using CPL script. I will give you an example about using search rules, which is the easier way to achieve your need:


Blocking from ISDN to CUCM


1) Register your ISDN gateway to a separated subzone in VCS Control, for example "ISDN-SubZone". Only the gateway must to register to this subzone.

2) Create a search rule that matches your CUCM number plan, in your case, 62XXXX. Set this rule to have priority over any other rule. Set the parameter "source" as being the "ISDN-SubZone". Use the parameter "replace" and tranform the number to an unknown number. Set the parameter "On sucessfull match" to "Stop". So your ISDN gateway won't be able to call any CUCM's endpoints.


Blocking from CUCM to ISDN


1) The easier way to do that is by blocking the calls using CUCM itself. You can use CSS/Partition features of CUCM in order to deny certain endpoints do call ISDN numbers

2) But you also can use VCS to block the calls. You can use the same logic above. Create a search rule that matches your ISDN number plan, in my case, 0\d*. Set this rule to have priority over any other rule. Set the parameter "source" as being the CUCM Neighbor Zone. Use the parameter "replace" and tranform the number to an unknown number. Set the parameter "On sucessfull match" to "Stop". So all your CUCM's endpoints won't be able to call any ISDN Numbers. Be aware that it will be applied to all endpoints registered to CUCM, if you want to block only specific endpoints, use the CSS/Partition features of CUCM.


Toll Fraud Prevention


When you implement an ISDN gateway registered to VCS, mainly when you have a VCS Expressway, you should consider the need of implementing a toll fraud prevention mechanism that will avoid external users to use your system as a free telephone system. For example, if you don't implement this kind of mechanism, external users from internet can use your VCS Expressway to reach your ISDN gateway and then make free ISDN calls using your gateway. Furthermore, there is another fraud method called "hairpinning", where the external user dials to your ISDN gateway via ISDN and get connected to the gateway's auto attendant, if it is enabled, then the user redial another ISDN number and then the call is routed towards ISDN using your gateway, in another words, malicious users can make a local call to your gateway and then use your gateway to redial and make an international call, for example.


Therefore, it is extremely important to consider a toll fraud prevention schema when implementing any ISDN gateway registered to VCS, mainly when you have VCSE.


Fortunately, Cisco has provided a configuration example explaining how to block both toll fraud methods. Take a look at this guide starting on page 40:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_X7-2.pdf


I suggest you to consider all the examples above, save a time to plan and then implement your ISDN restriction and toll fraud prevention mechanism.




I hope this help.


Paulo Souza


Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Paulo Souza Sat, 09/21/2013 - 23:57
User Badges:
  • Gold, 750 points or more

Hi, welcome to Cisco Support Community!  =)


There are two methods to address your need, the first is by using search rules with named source zones and the second is by using CPL script. I will give you an example about using search rules, which is the easier way to achieve your need:


Blocking from ISDN to CUCM


1) Register your ISDN gateway to a separated subzone in VCS Control, for example "ISDN-SubZone". Only the gateway must to register to this subzone.

2) Create a search rule that matches your CUCM number plan, in your case, 62XXXX. Set this rule to have priority over any other rule. Set the parameter "source" as being the "ISDN-SubZone". Use the parameter "replace" and tranform the number to an unknown number. Set the parameter "On sucessfull match" to "Stop". So your ISDN gateway won't be able to call any CUCM's endpoints.


Blocking from CUCM to ISDN


1) The easier way to do that is by blocking the calls using CUCM itself. You can use CSS/Partition features of CUCM in order to deny certain endpoints do call ISDN numbers

2) But you also can use VCS to block the calls. You can use the same logic above. Create a search rule that matches your ISDN number plan, in my case, 0\d*. Set this rule to have priority over any other rule. Set the parameter "source" as being the CUCM Neighbor Zone. Use the parameter "replace" and tranform the number to an unknown number. Set the parameter "On sucessfull match" to "Stop". So all your CUCM's endpoints won't be able to call any ISDN Numbers. Be aware that it will be applied to all endpoints registered to CUCM, if you want to block only specific endpoints, use the CSS/Partition features of CUCM.


Toll Fraud Prevention


When you implement an ISDN gateway registered to VCS, mainly when you have a VCS Expressway, you should consider the need of implementing a toll fraud prevention mechanism that will avoid external users to use your system as a free telephone system. For example, if you don't implement this kind of mechanism, external users from internet can use your VCS Expressway to reach your ISDN gateway and then make free ISDN calls using your gateway. Furthermore, there is another fraud method called "hairpinning", where the external user dials to your ISDN gateway via ISDN and get connected to the gateway's auto attendant, if it is enabled, then the user redial another ISDN number and then the call is routed towards ISDN using your gateway, in another words, malicious users can make a local call to your gateway and then use your gateway to redial and make an international call, for example.


Therefore, it is extremely important to consider a toll fraud prevention schema when implementing any ISDN gateway registered to VCS, mainly when you have VCSE.


Fortunately, Cisco has provided a configuration example explaining how to block both toll fraud methods. Take a look at this guide starting on page 40:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_X7-2.pdf


I suggest you to consider all the examples above, save a time to plan and then implement your ISDN restriction and toll fraud prevention mechanism.




I hope this help.


Paulo Souza


Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

Actions

This Discussion