I did an upgrade for
the IOS of my voice gateway / CME from 12.4T(24) to 15.1(2). I have noticed
couple of features introduced related to Toll Fraud Prevention which changed
the way how VGW handles incoming calls.
IP Address Trust List
IP address trusted authentication process
blocks unauthorized calls to be made through VGW. VoIP (SIP/H.323) calls will succeed only if
the remote IP address of an incoming VoIP call is successfully validated from
the system IP address trusted list.
System IP address trusted list is built automatically based on session target
addresses of VoIP dial-peers (assuming that dial-peer status is UP). Addresses can be added manually as well to
trusted list to be used for validation of incoming calls.
If the IP address
trusted authentication fails, an incoming VoIP call is then disconnected by the
application with a user- defined cause code and a new application Internal
Error Code 31 message (TOLL_FRAUD_CALL_BLOCK) is logged.
Note: The voice IEC error
messages are logged to syslog if “voice iec syslog” option is enabled.
%VOICE_IEC-3-GW:
Application Framework Core: Internal Error (Toll fraud call rejected):
IEC=1.1.228.3.31.0 on callID 3 GUID=AE5066C5883E11DE8026A96657501A09
Notes:
- This feature is enabled by default.
- Duplicate addresses aren't allowed
- IP address trusted list authentication will be suspended if VGW is registered with GK.
Restrictions
- IP address trusted authentication is skipped if an incoming SIP call is originated from a SIP phone.
- IP address trusted authentication is skipped if an incoming call is an IPv6 call.
- For an incoming VoIP call, IP trusted authentication must be invoked when the IP address trusted authentication is in “UP” operational state.
Configuration & Verification Commands
voice service
voip
ip address trusted authenticate
ip-address trusted call-block cause
ip address trusted list
ipv4 ipv4
address network mask
Router #show
ip address trusted list
IP Address
Trusted Authentication
Administration State: UP
Operation State: UP
IP Address
Trusted Call Block Cause: call-reject (21)
VoIP Dial-peer
IPv4 Session Targets:
Peer Tag Oper State Session Target
-------- ---------- --------------
11 DOWN ipv4:1.3.45.1
1 UP ipv4:1.3.45.1
IP Address
Trusted List:
ipv4 172.19.245.1
ipv4 172.19.247.1
ipv4 172.19.243.1
ipv4 171.19.245.1
ipv4 172.19.245.0 255.255.255.0''
Disconnecting ISDN Calls With no Matching Dial-peer
In case no inbound
dial-peer is matched for incoming POTS
calls on ISDN, the call will be disconnected instead of matching default
dial-peer. The cause code of this disconnected can be modified using the
command dial-peer no-match disconnect-cause.
Disconnecting ISDN Calls With no Matching Dial-peer
The direct-inward-dial isdn feature in enabled to
prevent the toll fraud for incoming ISDN calls even if direct-inward-dial option is disabled from a selected
Inbound POTS
dial-peer. The called number of an incoming ISDN enbloc dialing call is used to
match the outbound dial-peers and incase no outbound dial-peer matched the call
will disconnect with cause code “unassigned-number
(1)”.
Blocking Two-stage Dialing Service on Analog and
Digital FXO Ports
This is enabled by
default on FXO ports using the command no
secondary dialtone. In this case, no digits are collected from the port
and no outbound dial-peer lookup is performed when the call is answered without
PLAR configured on voice-port. The call will be disconnected with cause code “unassigned-number (1)”.
Hope this was useful. I will let you know if something interesting pops in between ...
