Monday, August 6, 2012

CME Call Blocking


Call Blocking Based on Date and Time

There have been many recorded incidents of business phone calls being placed After-hours, when staff has left for the evening. To prevent this you can implement After-hours call blocking on CME.

After-Hours call blocking allows you to define ranges of times specified as After-hours intervals. User has an option to list a number of patterns that are not allowed during those intervals. If any user places a call from a phone registered to CME (SCCP or SIP) during the After-hours time range that matches one of the defined patterns, CME will play a busy tone and disconnect the call.

In addition to phones, the after-hours configuration applies to dial peers (H323, SIP, or POTS).  E.g. CUCM connected to VGW using H323 trunk and a call initiated from CUCM phone to PSTN. After inbound dial-peer matches, in case the dialed pattern matches after-hours pattern and after-hours interval is active, the call is blocked.

After-hours exemptions are used to provide exceptions to some users in order to dial during after-hours intervals. After-hours exemption can be applied at DN, Phone (covers all DNs in the phone), templates, global, or Dial-peer.

Another method to achieve exemption is using phone PIN. CME admin can configure PIN per phone which the phone user will use it to login. Once login is successful, the phone will be considered as exempt. To login, the user should navigate to Services Button > MyPhoneApp > After-Hour Login.

Note: PIN exemption is applicable for SCCP phones only

After-hours call blocking has three major steps of configuration

Step1 Define days and/or hours of the day that your company considers off-hours.
Step2 Specify the patterns that you want to bock during the time specified as off-hours.
Step3 Create exemptions to the policy, if needed.

Configuration Commands

telephony-service
 after-hours block pattern tag pattern [7-24]   !!!... In case 7-24 is applied, this pattern will be blocked 24x7 and exemption won't be applied to it
 after-hours day day start-time stop-time
 after-hours date month date start-time stop-time
 login [timeout [minutes]] [clear time]   !!!... Defines when PIN login will timeout or be rested.
!
dial-peer voice tag {pots | voatm | vofr | voip}
 paramspace callsetup after-hours-exempt true   !!!... Exempt dial-peer from call-blocking
!
ephone phone-tag
 after-hour exempt
!
ephone phone-tag
 pin pin-number
!
voice register pool pool-tag 
 after-hour exempt
! 
voice register dn dn-tag
 after-hour exempt

Note: Call-blocking exempt is supported only for phones with soft-key display.

Optionally, you can configure after-hours exemption at telephony service, ephone-template, voice register global, or voice register template using the commands

telephony-service
 after-hours override-code pattern
!
voice register global
 after-hour exempt   !!!... In SIP it will override for all patterns.

Class of Restriction (COR)

COR is used to restrict phones calls based on the dialed patterns. How it works?

COR is often described as a lock and key mechanism. Locks are assigned to dial peers/DNs using an outgoing COR lists. Keys are assigned to dial peers/DNs using incoming COR lists. For a call to succeed, the inbound dial peer/DN must have the key for each of the locks that is assigned to the outbound dial peer.
Below is a summary of COR operation.
Incoming COR List
Outgoing COR List
Result
None
None
Call succeeds
None
Applied
Call succeeds
Applied
None
Call succeeds
Applied
Subset of incoming COR list
Call succeeds
Applied
Not a subset of incoming COR list
Call fails

Follow below four steps to implement COR:
  1. Define COR labels using the dial-peer cor custom name [label] command
  1. Build the permissions groups using the dial-peer cor list [list-name] member [label] command. A best practice is to assign one member for each outgoing list and multiple members for incoming lists. This will make the operation similar to CSS/Partition concept in CUCM.
  1. Apply COR lists to the outgoing dial peers/DNs using the corlist outgoing [list-name] command. Only one outgoing COR list is supported per dial peer/DN.
  1. Apply COR lists to the incoming dial peers/DNs using the corlist incoming [list-name] command.
Example:

dial-peer cor custom
 name LABEL1
 name LABEL2
 name LABEL3
 name LABEL4
!
dial-peer cor list 1
 member LABEL1
!
dial-peer cor list 2
 member LABEL2
!
dial-peer cor list 3
 member LABEL3
!
dial-peer cor list 4
 member LABEL4
!
dial-peer cor list MANAGERS
 member LABEL1
 member LABEL2
 member LABEL3
 member LABEL4
!
dial-peer cor list Employees
 member LABEL1
 member LABEL4
!
dial-peer cor list Executives
 member LABEL1
!
dial-peer cor list App
 member LABEL2
 member LABEL3
!
dial-peer cor list SD
 member LABEL3
!
dial-peer voice 2 voip
 corlist outgoing 2
 destination-pattern 1001
 voice-class h323 100
 session target ipv4:200.200.200.200
 req-qos guaranteed-delay audio
 acc-qos guaranteed-delay audio
 codec g711ulaw
!
dial-peer voice 3 voip
 corlist outgoing 3
 destination-pattern 200.
 session protocol sipv2
 session target ipv4:150.150.150.150
 dtmf-relay sip-notify rtp-nte
!
ephone-dn 1
 description Leeds Admin
 number 4005
 cor incoming Employees
!
ephone-dn 2
 description Leeds Manager
 number 4010
 cor incoming MANAGERS
!
ephone-dn 3
 description Leeds Executive
 number 4050
 cor incoming Executives
voice register dn 1
 number 971509242497
!
voice register pool 1
 id mac 000D.ED22.ED33
 type 7960-7940
 number 1 dn 1
 cor incoming Executives

Inbound & outbound cor lists can be applied simultaneously to same dial-peer/DN.
at 1 comment:
Labels:

Saturday, May 26, 2012

Toll Fraud Prevention in IOS 15.1(2) / CME 8.1

I did an upgrade for the IOS of my voice gateway / CME from 12.4T(24) to 15.1(2). I have noticed couple of features introduced related to Toll Fraud Prevention which changed the way how VGW handles incoming calls.


IP Address Trust List

IP address trusted authentication process blocks unauthorized calls to be made through VGW.  VoIP (SIP/H.323) calls will succeed only if the remote IP address of an incoming VoIP call is successfully validated from the system IP address trusted list. System IP address trusted list is built automatically based on session target addresses of VoIP dial-peers (assuming that dial-peer status is UP). Addresses can be added manually as well to trusted list to be used for validation of incoming calls.

If the IP address trusted authentication fails, an incoming VoIP call is then disconnected by the application with a user- defined cause code and a new application Internal Error Code 31 message (TOLL_FRAUD_CALL_BLOCK) is logged.

Note: The voice IEC error messages are logged to syslog if “voice iec syslog” option is enabled.

%VOICE_IEC-3-GW: Application Framework Core: Internal Error (Toll fraud call rejected): IEC=1.1.228.3.31.0 on callID 3 GUID=AE5066C5883E11DE8026A96657501A09

Notes:
  • This feature is enabled by default.
  • Duplicate addresses aren't allowed
  • IP address trusted list authentication will be suspended if VGW is registered with GK.

Restrictions
  • IP address trusted authentication is skipped if an incoming SIP call is originated from a SIP phone.
  • IP address trusted authentication is skipped if an incoming call is an IPv6 call.
  • For an incoming VoIP call, IP trusted authentication must be invoked when the IP address trusted authentication is in “UP” operational state.

Configuration & Verification Commands

voice service voip
 ip address trusted authenticate
 ip-address trusted call-block cause

 ip address trusted list
  ipv4 ipv4 address network mask

Router #show ip address trusted list

IP Address Trusted Authentication
 Administration State: UP
 Operation State: UP

IP Address Trusted Call Block Cause: call-reject (21)

VoIP Dial-peer IPv4 Session Targets:

Peer Tag      Oper State      Session Target
--------      ----------      --------------
11            DOWN            ipv4:1.3.45.1
1             UP              ipv4:1.3.45.1

IP Address Trusted List:
 ipv4 172.19.245.1
 ipv4 172.19.247.1
 ipv4 172.19.243.1
 ipv4 171.19.245.1
 ipv4 172.19.245.0 255.255.255.0''

Disconnecting ISDN Calls With no Matching Dial-peer

In case no inbound dial-peer is matched for incoming  POTS calls on ISDN, the call will be disconnected instead of matching default dial-peer. The cause code of this disconnected can be modified using the command dial-peer no-match disconnect-cause.

Disconnecting ISDN Calls With no Matching Dial-peer

The direct-inward-dial isdn feature in enabled to prevent the toll fraud for incoming ISDN calls even if direct-inward-dial option is disabled from a selected
Inbound POTS dial-peer. The called number of an incoming ISDN enbloc dialing call is used to match the outbound dial-peers and incase no outbound dial-peer matched the call will disconnect with cause code “unassigned-number (1)”.

Blocking Two-stage Dialing Service on Analog and Digital FXO Ports

This is enabled by default on FXO ports using the command no secondary dialtone. In this case, no digits are collected from the port and no outbound dial-peer lookup is performed when the call is answered without PLAR configured on voice-port. The call will be disconnected with cause code “unassigned-number (1)”

Hope this was useful. I will let you know if something interesting pops in between ...
at No comments:
Labels:
Subscribe to: Comments (Atom)

DNS Performance Troubleshooting

When you are troubleshooting internet performance, there are different parts of the connection should be verified:   ·         DNS Pe...