Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
286602
Views
175
Helpful
164
Comments

Blocking Calls Based on Calling Party ID

dakeller
Cisco Employee
Cisco Employee

‎09-07-2011 12:29 PM - edited ‎02-02-2021 10:27 AM

 

Application Note:

Blocking Inbound calls to Cisco Unified Communications Manager based on Caller ID

 

Introduction:

The ability to block calls based on the calling party number is a feature required by many customers to prevent unwanted calls, whether from telemarketer, malicious callers, or others, from reaching their end users. This application note will describe and illustrate how to set up call blocking using Cisco Unified Communications Manager v8.0 and later.

 

Audience:

This document is targeted at administrators that are familiar with call routing in the Cisco Unified Communications Manager environment. To implement this feature, the administrator must have good knowledge of the existing dialplan, call routing and call flows to be able to implement the caller ID blocking feature. The administrator must understand Partitions, Calling Search Spaces and Translation Patterns.

 

Call flow:

Traditionally, when calls arrive in the Cisco Unified Communications Manager environment, the call is processed based on the called party with no routing decision made on the calling party number.  Starting in Cisco Unified Communications Manager v8.0, by using familiar call routing techniques, an administrator can now match and deny a call into their system based on the calling party number as well as the called number.

 

image1.png

 

In CUCM 8.0, there is a new parameter on Translation Patterns called “Route Next Hop By Calling Party Number”.   After matching an inbound Translation Pattern that has the “Route Next Hop by Calling Party Number” check box selected, CUCM will perform digit analysis on the calling party number and thus allow the administrator the ability to block the call if matched (in order for the restricted calling party feature to work, all target directory numbers must be contained in a partition reachable through a Calling Search Space. The called number cannot be in the <none> partition.)

 

If the calling party number does not match a Translation Pattern number to block, then CUCM will continue processing the call and route the call to the destination directory number.

 

Configuration:

Only a few Partitions and Calling Search Spaces are necessary to create a call blocking “Filter list” of calling numbers.  See Figure 1 above for call flow.

1)      Create two Partitions called ‘Inbound_Calls’ and ‘Filter_List’.

 

2)      Create two Calling Search Spaces called ‘Gateways’ and ‘To_Filter_List’.

 

3)      Add ‘Inbound_Calls’ partition into the ‘Gateways’ Calling Search Space.

 

NOTE: The ‘Gateways’ Calling Search Space must not contain any partitions that contain directory numbers, otherwise, calls will be routed directly rather than through the calling party filters.

 

4)      Add the ‘Filter_List’ partition to the ‘To_Filter_List’ Calling Search Space.

 

5)      Create a Translation Pattern ! in the ‘Inbound_Calls’ Partition. Set the Calling Search Space to ‘To_Filter_List’ and check the ‘Route Next Hop By Calling Party’.

 

NOTE: The ! pattern is used to match all incoming called parties in order to route the calls into the ‘Filter_List’ Partition for calling party matching.

image2.png

 

6)      Create a Translation Pattern ! in the ‘Filter_List’ Partition. Set the Calling Search Space to route non-blocked calls to their destination.  If the Directory Numbers are +E.164, you will also need to create a /+! translation pattern in order to reach the called directory number. 
The ! in the ‘Filter_List’ Partition is used to route any calling party number that is not specifically defined as a blocked number . The Calling Search Space routes the call back to the phone’s partition for normal call routing

image3.png

7)      Some calls may arrive without caller id or a restricted caller ID. If you wish to allow calls without caller ID, there will also need to be a <none> or blank Translation Pattern. If the administrator does not define a <none> Translation Pattern, then all calls without caller id will be rejected.

 

image4.png

 

      Using normal pattern matching, create Translation Patterns to match calling party numbers you want to block. To block all calls that have a calling party number beginning with 800, create a Translation Pattern of 800! in the Filter_List Partition. Set the Route Option to ‘Block this pattern’ with the desired reason code.

 

image5.png

Alternatively, instead of outright rejecting a call, the administrator can configure a directory number in the ‘Called party transform Mask’ field which will allow calls to be redirected to a specific DN.   For example, an administrator can send calls to an Auto Attendant with a message indicating their call has been blocked or rejected.

 

 

9)      The last step is to assign the ‘Gateways’ Calling Search Space to any ingress gateway that will be blocking inbound calls based on calling party identification (H323, MGCP or SIP trunk).

 

Adding Call Blocking Based on Calling Party ID to an existing system:

Customers that already have a dialplan in place that want to add Call Blocking based on Calling Party can easily do so. When a call arrives in Communication Manager from a gateway or trunk, the call is routed based on the Calling Search Space assigned to that gateway or trunk.   Following the configuration steps above, an administrator can set up the global translate and blocked number Partitions through step 8 without affecting call processing in the system. But the last step should be done after hours or during a maintenance window because after the change to a Calling Search Space, the trunk or gateway must be reset to have the changes take effect.

 

Blocking "anonymous" calls over a SIP trunk:

With the rapid adoption of SIP trunks, an anonymous caller will actually have the words "anonymous", "restricted" or "unavailable" in the different From: headers (PPI, PAI, RPID or FROM).  Cisco Unified Communications Manager digit analysis engine is not designed to match on non-numeric strings (see note below),  so the name anonymous is not a valid string.  To correctly identify and block anonymous or unavailable callers, apply the SIPTrunkAnonymousCalls.lua.txt script to any SIP trunk that receives call that you want to allow or block anonymous calls.  Instructions for use are included in the script itself.
NOTE: In UCM 9.0, digit analysis was enhanced to support URI dialing, so string based dialing is supported UCM, but as an administrator, you cannot define a string/uri as a translation pattern.  Since this configuration relies on translation patterns to match dialing stings to allow or block a call, anonymous calls cannot be handled like standards numbers.

08-17-2017: The LUA script has been updated to restore the original from header on response messages to the SP/CUBE.  Please see the notes section of the script for details.

06-05-2018: Anyone that is using the v2 version of the LUA script needs to replace their script with the v5 version.  The replacement logic used global variables and not context specific variables.  This may cause calls to fail when operating under load.  The v5 script eliminates this issue.

03-25-2019: The original v5 of the LUA script had a memory leak which would cause the script to run out of memory.  The leak has been identified and correct.  The v5a of the script does not have the leak.

 

Additional Guidance for Contact Center Integration and ILS\GDRP:

Contact Center: If the post destination of an inbound call is a CTI Route Point or a CTI Route Port, there is a call processing caveat that will need to be taken into account.  When implementing call blocking, the ingress gateways will change their calling search space to direct all calls to the partition that will trigger filtering.  If the destination after filtering is a CTI Route Point or CTI Route Port (typically used by Contact Center applications), the call processing must take into account redirecting behavior of the CTI Route Points and CTI Route Ports.  By default, when CTI devices issue a call redirect, CUCM will use the calling party device’s calling search space to find the target port number.   To use call filtering with contact center, the calling search space on the inbound gateway will need to include the partition of the CTI Route Ports.  For additional details on this call processing caveat, please review the release note for CSCso91760 (CCO login required).

ILS\GDPR with Session Manager Edition: If your deployment is blocking calls in a SME and the called number has been learned through ILS\GDPR, then the inbound SIP Trunk’s calling search space must include the partition that has the SIP Route string for routing an ILS/GDPR call.  For example, if the inbound called party is 14085551212@cisco.com and is not blocked in the filter partition, then the resolved destination that has been learned by ILS\GDPR must be routeable from the SIP Trunk.   Meaning, if 14085551212@cisco.com resolves to 14084441212@us-sj-ucm.cisco.com on the SME, then the inbound SIP trunk must have access to the partition for route string for *@us-sj-ucm.cisco.com

Preview file
9 KB
Comments
dakeller
Cisco Employee
Cisco Employee
‎11-16-2012 07:48 AM

Christopher,

I read it the other way around.  What patterns do you have defined that you are blocking?  In the configuraiton above where you have the <NULL> and ! patterns as allowed, the anonymous tag will actually match the ! and continue throught for call routing.  Unless you have something different set up, anonymous will work out of the box.  Please email me directly so I can get some specifics on what you are seeing.

Thanks,

Dan Keller

Technical Marketing Engineer

JMistrot1
Level 1
Level 1
‎12-06-2012 06:59 PM

Wondering if anyone has implemented this but run into an issue where calls that are ultmately bound for a CTI routepoint to UCCX get rejected.  I just opened a TAC case around this.  I used this page to build my implmentation plan and everything seemed fine until later in the morning we discovered that DNs inbound from the GWs bound for a CTI RP and UCCX trigger get rejected everytime.

dakeller
Cisco Employee
Cisco Employee
‎12-06-2012 08:30 PM

Jerry,

Unless you change the calling party number to something that UCCX does not accept, the call egressing from the 'route next hop by calling party number'  will look like any other call.  Since I am the author of this doc, I am very interested in seeing what is happening.  I could not find the TAC Case, so can you forward me the SR number and hopefully there will be a trace file for me to look at.  Let's take the troubleshooting off line and I will update this thread when I figure out the issue.

Thanks,

Dan Keller

Technical Marketing Engineer

CHRISTOPHER YUEN
Level 1
Level 1
‎12-07-2012 03:58 AM

Jerry,

Are your CTI RP's and ports in a different partition from your phone DN's?  You may want to double-check the CSS that you have applied to the translation patterns that allow the calls in to make sure they can hit both the CTI RP and the CTI ports themselves.

fergus.w
Community Member
‎12-17-2012 04:57 PM

Hi Dan,

I think the CTI issue is summed up well in the "Cisco Unified Attendant Console Troubleshooting Guide v8.6.x". (www.cisco.com/en/US/docs/.../CiscoTSGv8_6_x.pdf).

On page 2-8 it mentions:

"As CUxAC uses TSP and CTI to move calls, the function of CTI Redirect performed on the call forces it to inherit the CSS of the gateway which does not always allow calls to all phones. Modify the gateway CSS to accommodate this and resolve the problem"

My understanding is this means the gateway CSS needs access to the Route Points, CTI Ports and Agent Phones.  That is to say, CTI/TSP connectivity doesn't honour any CSS changes through translation patterns as the redirect uses the original device's CSS.  Certainly this has been my experience since CCM 3.2.

Unfortunately this would then mean any calls to a CTI/TSP connected system could not use the flow to block on CLI as the gateway CSS prohibits access to any other partition than the initial "!" tranlsation pattern, and hence prevents the redirect to the CTI/TSP devices.

It would be ideal if CTI could be reworked to honour changes in CSS through translations, but until that time, I suspect we're limited in how we can apply some of the more interesting dial plan features.

Hopefully I'm mistaken and things work differently to how I think.

Thanks,

Fergus.

dakeller
Cisco Employee
Cisco Employee
‎12-20-2012 06:50 AM

Fergus,

You understanding is correct. By default, on a redirect, the CSS of the calling device (GW or Phone) is used to redirect the call.  The CTI application can set the redirect CSS to use, but only the CTI application can do this. You cannot set this behavior at the CUCM level. 

Thanks,

Dan Keller

Technical Marketing Engineer

Robert Burlingame
Level 1
Level 1
‎04-09-2013 07:33 AM

Dan,

I'm with Christopher on this one. We implemented this and "anonymous" and "unavailable" callers get blocked. This is due to the fact that translation patterns only recognize certain numbers and characters. They only recognize the following alphabetic characters: A,B,C,D (capital only)

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/6_0_1/ccmsys/a03rp.html#wp1043633

I realize the above article is dated, but, I can't find anything to the contrary.

Thanks,

Robert

markjpurdy3316
Level 1
Level 1
‎04-12-2013 11:18 AM

Dan, I've also run into this configuration issue.   It appears because I am filtering on SIP trunks, the <null> translation does not allow "restricted", "anonymous," and unknown strings to pass.   Since SIP does not recognize the various dial plan types as does MGCP,  what options do I have other than some CUBE configuration.   I want to pass these anonymous calls thru.    How would your script work for this instance?  

dakeller
Cisco Employee
Cisco Employee
‎04-18-2013 07:55 AM

The original configuration that automatically passed 'restricted' and 'anonymous' calls does not appear to work on all versions.  I am currently working on a way to simplify and ensure no version dependencies.  

So I would appreciate some feedback from the community on how you use this feature and how you would like the issue solved.

1) When blocking incoming calls with no number, specifically calls listed as 'restricted', 'unavailable', 'anonymous' or no numbers at all, will all 5 be treated the same?  Are you planning to block all 3 calls or would you plan to allow 'restricted', but deny the other 3?  Do you want the ability to treat the different types of anonymous callers uniquely?

2) If you plan on passing anonymous callers to your users, what do you expect to see on the display of the called phone?  Do you require differentiation of 'restricted' vs 'anonymous' vs 'unavailable'?  Would it be acceptable to classify all 3 to display the same?  Also, would it be acceptable to make all 3 appear as 'restricted'?

Please provide the feedback to me directly in a private message so I can work on the solution. 

Thanks,

Dan Keller

Technical Marketing Engineer

Stuart McGrath
Level 1
Level 1
‎04-25-2013 12:22 AM

We tried this and had the same issue as Mark above. "restricted" and "anonymous" unkown calls do not pass when this is in place.

Has anyone figured out a workaround?

Robert Burlingame
Level 1
Level 1
‎04-25-2013 05:30 AM

TAC has worked with me to try the following on our CUBE (gateway device):

voice class sip-profiles 1

request INVITE sip-header From modify “Anonymous” “999”

!

!

dial-peer voice 1 voip

voice-class sip profiles 1

Note: We've not implemented this in production yet, so, all warnings apply. However, we have modified the headers before and it seems to work as expected.

Robert

tm54189873
Community Member
‎05-30-2013 06:19 AM

Dan,

In response to "the original configuration..does not appear to work on all versions", could you please specify which versions have been tested that Route Next Hop By Calling Party Number has been validated on?

We have an urgent need to implement the block incoming calls based on ANI, using this new TP feature, but also need to pass both 'restricted' and 'anonymous' calls like Christopher, Mark and Stuart have described.  We are running version 8.6.2.20000-2 and hesitate moving forward with this implementation without validation since it will cause an impact by blocking these sourced calls.

In the interim I'll email you directly as requested indicating our preferences on your #1 and 2 inquiries in efforts to engineer a solution for all versions.

Thanks,

Trent

dakeller
Cisco Employee
Cisco Employee
‎05-30-2013 07:36 AM

It's been quite some time since I did this script.  I thought I had written it against 8.5, but obviously I had not because it does not work in my retest.  So I might have tested 8.6, but  I cannot commit to that right now. This script does work on 9.x because Cisco added URI dialing capability to the digit analysis which means it could now handle alpha characters along with the 0-9*#ABCD. 

There was an addition to the original script that stripped the anonymous/unavailable/restricted that would allow the call to pass for all versions. 

I am working on newer version of the script so simplify the logic, but given my current workload, I do not see it getting coded, documented, tested and posted until July.

Thanks,

Dan Keller

Technical Marketing Engineer

gsimon
Level 4
Level 4
‎07-24-2013 11:59 AM

Hi Dan,

Is the issue with restricted callerID calls not being allowed, specifically for SIP calls or it's happening for PRI as well?

Also is the null pattern required for ISDN or it's just for SIP?

Thanks,

Ginesh

dakeller
Cisco Employee
Cisco Employee
‎07-24-2013 01:20 PM

Ginesh,

Yes, the <NULL> pattern is needed if you want to pass a call that does not have a calling party.  This is very true for ISDN, but SIP trunks might be different because they will send 'Restricted' or 'anonymous', which will not match a number, so that is why I have included a script to handle these types of calling number.

Thanks,

Dan Keller

Technical Marketing Engineer

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents