Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

H323 Dial-peer security - why no cor on voice-port?

How can I prevent calls coming in one voice-port from calling numbers going out another voice-port?

Cor can only be applied to e-phones and not voice-ports and i don't see any commands on the voic-port or dial-peer that would restrict who can use them.

This setup is strictly routers w/PRIs for toll bypass. No Call managers.

Thanks

7 REPLIES
New Member

Re: H323 Dial-peer security - why no cor on voice-port?

Hi,

You can apply CoR to dial-peers voice ports.

Its very basic though very easy to get confused.

The way I look at it is CoR is just a bunch of names you assign if you dont assign a CoR/name to a Dial-peer then it will be able to be called by everyone

EVERY OTHER CoR CLASS...this is ok if you want the call to use a particular port,Just dont apply core it you will be able to access no matter what you have anywhere else.

It can get very nasty if you have may dial-peers beacause they all need CoR .

Here is how COR works.

###THE RULES###

If COR applied on an incoming dial-peer (for incoming calls) is a super set or equal to the COR applied to the outgoing dial-peer (for outgoing calls), the call will go through. Now incoming and outgoing are with respect to the "voice ports". If you hook up a phone to one of the FXS port of the router and try to make a call from that phone, it is an incoming call for the router/voice-port. Similarly if you make a call to that FXS phone, then it is an outgoing call.

By default an incoming call leg has the highest COR priority and the outgoing COR

list has the lowest COR priority which means if there is no COR configuration for incoming calls on a dial-peer, then you can make a call from this dial-peer( a phone attached to this dial-peer) going out of any other dial-peer irrespective of the COR configuration on that dial-peer.

How do you make sub sets and super sets..?

First you configure “dial-peer cor custom” and assign a whole bunch of meaningful names under this. For example:

Dial-peer cor custom

name 911

name 1800

name 1900

name local_call

Now you create the actual lists that you apply to the dial-peer.

Dial-peer cor list call911

Member 911

Dial-peer cor list call1800

Member 1800

Dial-peer cor list call1900

Member 1900

Dial-peer cor list calllocal

Member local_call

Dial-peer cor list Engineering

Member 911

Member local_call

Dial-peer cor list Manager

Member 911

Member 1800

Member 1900

Member local_call

Dial-peer cor list HR

Member 911

Member 1800

Member local_call

I have created five dial-peers below for the following destination numbers = 734…., 1800……., 1900……., 911 and 316…. Appropriate cor-list is applied to each of the dial-peer.

Dial-peer voice 1 voip

Destination pattern 734….

Session target ipv4:1.1.1.1

Cor outgoing calllocal

Dial-peer voice 2 voip

Destination pattern 1800…….

Session target ipv4:1.1.1.1

Cor outgoing call1800

Dial-peer voice 3 pots

Destination pattern 1900…….

Port 1/0/0

Cor outgoing call1900

Dial-peer voice 4 pots

Destination pattern 911

Port 1/0/1

Cor outgoing call911

Dial-peer voice 5 pots

Destination pattern 316….

Port 1/1/0 --à No cor applied here

Remember the rules/priority up the top incoming/outgoing And that they are just names.

Try play around with 2 phones connected to FXS ports

You will find it easier to acclompish your goal.

I have used CoR in a scenario wherby their were anolog phones connected to FXS ports that were placed in a area accessible by anyone we didnt to allow these phones to access the PRI only internal numbers Security employees etc. i.e. NO PSTN access

I used CoR

HTH ; )

Allan

Re: H323 Dial-peer security - why no cor on voice-port?

The sample config you posted is from a cisco page, and is missing step 4 which associates ephone ports to a cor list they configured.

Ephone-dn 1

Number 1001

Cor incoming Engineering

I've done cor before w/e-phones and know how it works, but since cor command is not available on voice-port I don't see what associates the voice-port to a cor list so restrictions can be done.

So for example, if call comes in on voice-port 1/0:23 (PRI) and no cor association it wouldn't use dial-peer 1 because dial-peer 1 is a member of cor list callocal and the voice-port isn't member of that group.

Anyone else have any input, or know why the cor command isn't available on voice-ports?

New Member

Re: H323 Dial-peer security - why no cor on voice-port?

Yes you are correct it is from Cisco page ...

COR Configuration

By Rajesh Haridas

Now you have CoR incoming Engineering

on ephone.

-->So for example, if call comes in on voice-port

-->1/0:23 (PRI) and no cor association it wouldn't

-->use dial-peer 1 because dial-peer 1 is a member

-->of cor list callocal and the voice-port isn't

-->member of that group.

Incorrect you must understand the CoR rules outlined in my previous post, your voice port 1/0:23 would be able to call all ephones incoming !! as it has no CoR its free to call anyone.

1)You have COR list applied for incoming calls on ephone

2)You dont have COR list on outgoing dial-peer therfor the PRI T1

3)The call will succeed !!!!! Why ? ---->

--- The Rule ---

Outgoing dial-peer by default has the lowest priority. Since there is some COR configurations for incoming calls on the incoming/originating dial-peer it is a super set of the outgoing call CORconfigs on outgoing/terminating dial-peer "Call will Succeed"

The ephone will be able to call out through that PRI t1 1/0:23

If you want to stop that Ephone from using the PRI T1

Then here is the definitive answer not from Cisco site...

dial-peer cor custom

name access-internal

name all-areas

!

!

dial-peer cor list Ephone(apply incoming to ephone)

member access-internal

!

dial-peer cor list 9T

member all-areas

Dial-peer voice 1 pots

corlist outgoing 9T

incoming called-number .

destination-pattern 9T

progress_ind setup enable 3

progress_ind alert enable 8

direct-inward-dial

port 1/0:23

Now that ephone wont be able to call out PSTN but calls can still be received inbound to the EPHONE

This is what your after ?

"Tip"

Incoming being the most restrictive...

HTH more : )

Allan

Re: H323 Dial-peer security - why no cor on voice-port?

I'm not using Ephones (I was talking about the cisco sample). Nor am I using fxs/fxo ports. I'm just using PRIs.

3 PRI's on one router. PRI 1 and PRI 2 can not place calls to one and another. Inbound calls in those 2 PRIs go out PRI 3 to a PBX.

So am trying to use CoR to restrict incoming calls on PRI 1 from going out PRI 2. I could use translation-profiles and rules but don't really want to manipulate with numbers or get into that unless needed.

So lets say , I have following config:

dial-peer cor custom

name PRI1

name PRI2

dial-peer cor list FirstPRI

member PRI1

dial-peer cor list SecondPRI

member PRI2

Dial-peer voice 1 pots

corlist outgoing FirstPRI

destination-pattern 1....

port 1/0:23

Dial-peer voice 2 pots

corlist outgoing SecondPRI

destination-pattern 2....

port 2/0:23

Dial-peer voice 3 pots

incoming called-number .

destination-pattern .T

direct-inward-dial

port 3/0:23

What stops incoming calls on PRI1 going to 12345 from going out PRI2?

New Member

Re: H323 Dial-peer security - why no cor on voice-port?

Hi,

You need to outline your thoughts about what you are trying to achieve more clearly for anyone to help you.

At this stage your pretty confused...

-->What stops incoming calls on PRI1 going to 12345

-->from going out PRI2?

The call will never go out port2/0:23 PRI two because of the destination pattern on dial-peer 2 which is 2... NO match!!!

If the called party is 12345 coming in on 1/0:23 which is what you have said, there is no digit manipulation happening.

what do you think will happen ?

Good recomended reading

http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a008010fed1.shtml

My second example explains CoR and how it works and the Cisco doco explaines subsets supersets "RULES"

You are not clear in your posts and are obviously confused.

Tell me what are the called party (DNIS) numbers coming in on PRI1 and PRI2 ...

You can always Open a Tac case...

Allan

Re: H323 Dial-peer security - why no cor on voice-port?

I made a typo... I had to enter that reply twice because first time the submit failed for some reason.

Anyway, what I meant to say...

If a call comes in PRI2 for number 12345 what prevents it from going out PRI1 whose dial-peer has destination pattern of 1.... ?

If I need a incoming called-number statement on a dial-peer with cor incoming list, then the issue I see there is how to limit inbound calls on that dial-peer too just PRI1 or PRI2. Can't use DNIS because a call from same number could come in on both PRIs.

I think both of us may be confused, partly due to the lack of documentation or samples on this feature.

The whole reason why I posted this question, was I was wondering why there isn't a way to apply the cor command to a voice-port like you can a ephone.

New Member

Re: H323 Dial-peer security - why no cor on voice-port?

Ebergquist - Go to bed!!

320
Views
0
Helpful
7
Replies
CreatePlease login to create content