[cisco-voip] 15.1(2)T Toll Fraud Enhancements (show ip address trusted list)
Jason Aarons (US)
jason.aarons at us.didata.com
Sun Sep 19 10:44:06 EDT 2010
Noticed some new banners at bootup of 15.1(2)T and heard that out-of-box SIP blocking was coming at Cisco Live:
15.1(2)T What's New
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps10587/ps10592/ps10952/product_bulletin_c25-620744.html
Understanding Toll Fraud Enhancements in 15.1(2)T
https://supportforums.cisco.com/docs/DOC-12228
A new feature introduced with 15.1(2)T is the default behavior of a toll-fraud prevention feature.
The purpose of this document is to raise awareness of this new feature, as upgrading to this release will require additional configuration to allow for these calls to route. It is important to note that upgrading to 15.1(2)T will block all inbound VoIP call setups until the gateway is properly configured to trust these sources. Hence, any plans to upgrade to releases with this feature must include extra steps to configure trusted VoIP hosts after the upgrade, in order for calls to route successfully. Additionally, two-stage dialing is no longer enabled by default with this release.
Behavior Prior to 15.1(2)T
For all IOS releases prior to 15.1(2)T, the default behavior for IOS voice gateways is to accept call setups from all sources. As long as voice services are running on the router, the default configuration will treat a call setup from any source IP address as a legitimate and trusted source to set a call up for.
Also, FXO ports and inbound calls on ISDN circuits will present secondary-dial tone for inbound calls, allowing for two-stage dialing. This assumes a proper inbound dial-peer is being matched.
Behavior With 15.1(2)T and later releases
Upon booting on a version of IOS with the toll-fraud prevention application, the following will be printed to the device's console during the boot sequence:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!Following voice command is enabled: !!
!! voice service voip !!
!! ip address trusted authenticate !!
!! !!
!!The command enables the ip address authentication !!
!!on incoming H.323 or SIP trunk calls for toll fraud !!
!!prevention supports. !!
!! !!
!!Please use "show ip address trusted list" command !!
!!to display a list of valid ip addresses for incoming !!
!!H.323 or SIP trunk calls. !!
!! !!
!!Additional valid ip addresses can be added via the !!
!!following command line: !!
!! voice service voip !!
!! ip address trusted list !!
!! ipv4 <ipv4-address> [<ipv4 network-mask>] !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The router will automatically add any destinations that are defined as an ipv4 target in a VoIP dial-peer to the trusted source list. You can observe this behavior with the output of the following command:
Router# show ip address trusted list
IP Address Trusted Authentication
Administration State: UP
Operation State: UP
IP Address Trusted Call Block Cause: call-reject (21)
VoIP Dial-peer IPv4 Session Targets:
Peer Tag   Oper State   Session Target
--------   ----------   --------------
3000       UP           ipv4:203.0.113.100
1001       UP           ipv4:192.0.2.100
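An added example, not part of the original post or of Cisco's document: a pre-upgrade check that lists which known signalling peers would not be covered by the trusted list, and so would have their call setups rejected after moving to 15.1(2)T. The running-config fragment and the peer addresses are constructed; the config lines follow the `ipv4 <ipv4-address> [<ipv4 network-mask>]` syntax from the boot banner, and the function names are hypothetical.

```python
import ipaddress
import re

# Session-target table as shown in the post.
SHOW_OUTPUT = """\
VoIP Dial-peer IPv4 Session Targets:
Peer Tag Oper State Session Target
-------- ---------- --------------
3000 UP ipv4:203.0.113.100
1001 UP ipv4:192.0.2.100
"""

# Constructed running-config fragment with explicit trusted entries.
RUNNING_CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 198.51.100.0 255.255.255.0
  ipv4 192.0.2.55
"""

def trusted_networks(show_output, running_config):
    """Collect every source network the gateway would trust."""
    nets = []
    # Dial-peer session targets are added to the trusted list automatically.
    for addr in re.findall(r"ipv4:(\d+\.\d+\.\d+\.\d+)", show_output):
        nets.append(ipaddress.ip_network(addr))
    # Explicit entries: "ipv4 <address> [<mask>]" under "ip address trusted list".
    in_list = False
    for line in running_config.splitlines():
        words = line.split()
        if words == ["ip", "address", "trusted", "list"]:
            in_list = True
        elif in_list and words[:1] == ["ipv4"] and len(words) in (2, 3):
            # No mask means a single host; strict=False tolerates host bits.
            nets.append(ipaddress.ip_network("/".join(words[1:]), strict=False))
        else:
            in_list = False
    return nets

def untrusted_peers(peers, nets):
    """Return the peers whose call setups would not match any trusted entry."""
    return [p for p in peers
            if not any(ipaddress.ip_address(p) in n for n in nets)]

if __name__ == "__main__":
    # Constructed inventory of hosts expected to send H.323/SIP call setups.
    peers = ["192.0.2.100", "198.51.100.20", "192.0.2.55", "10.1.1.5"]
    nets = trusted_networks(SHOW_OUTPUT, RUNNING_CONFIG)
    for p in untrusted_peers(peers, nets):
        print(f"{p}: not trusted, add under 'ip address trusted list'")
```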