Hey guys, what’s going on? Jim here again, bringing another tutorial with the BE6K small in mind. Today we’re looking at call flow and the security that goes along with that, and in case you’re brand new to Cisco voice, this will be an awesome little tutorial for you to see all the different things. In a previous tutorial, we set up calling search spaces and partitions. I just wanted to point out that in the partitions section we have this restricted partition and this inbound partition. Also, going towards our system devices is our main DN partition.
All right, and then if we go over to the calling search spaces, you can see we have an inbound calling search space, our main calling search space, and a line calling search space. Within the line calling search space is our restricted partition. That’s very important for call flow security. In our inbound calling search space, all we have is our inbound partition. So first things first, let’s go ahead and set up a gateway device. In this case we’re going to have a SIP gateway to connect; that’s going to be our medium to the PSTN. So we’re going to go ahead and set up a SIP gateway from Call Manager to the gateway, so we’ll have SIP to SIP.
So let’s go over here to Trunk, Add New, and we’re going to do SIP Trunk, Continue, enough security there. Our device name, bring in our standard device pool there and our media resource group list; all this was done in previous tutorials. Now, very important here is our inbound call flow: we’re going to use our inbound calling search space, which only goes to the inbound partition. For outbound calls, pretty much leave that as it is, put some redirecting in there, and then, of course, we need to add our gateway and our SIP profile, and we can change that within the SIP profiles if need be. DTMF, let’s do RFC 2833, and we’ll save that.
So now we have our gateway device in there, configured. I will get rid of my face so there’s more room on the screen. I want to go in and start explaining some call flow security, and this is going to be for outbound. So basically, we’re going to have a device, a phone, a softphone, whatever, and it’s going to have a line calling search space and a device calling search space. So if we actually go over, I have a couple of route points here.
We go over to, like, this will be a line, and then we’d see in a device that it has a calling search space on the actual line itself, and those are going to get the line calling search space, which only has the restricted partition within it. If we go back to the device level, it has a different calling search space that you can put. So you can have a calling search space for the line and for the device, and the line has preference. So you have an ordered list of the partitions in your line calling search space; after that it will continue into the device calling search space and have an ordered list there. So from top to bottom you have your line and your device.
So in our line calling search space, we’re going to have the restricted partition. What are we going to do with that? We’re going to go over here to a translation pattern and create a new one, and we’re going to use nine to get out, so we’re going to do 9.@ here. Okay, and we’re going to put it in that restricted partition, and this is going to be for known malicious numbers, and there are different links out there.
You can find them to populate these lists. This is going to be restricted US other, and we need to put it in a numbering plan so that it will allow route filters; I’ve already uploaded all my route filters through the bulk admin import tool. So we’re going to pick this other US one, and we are going to set this to block. We can choose what kind of error message it gets, and as long as this is set to block, if a phone goes off-hook and dials nine and then a known bad number that’s in one of these route filters, it will block it. So we’ll save that. We have a couple more to do here. Again, these are in the restricted partition, and it has to be in the North American Numbering Plan. This one is special-purpose, and we want to block it, and we’re going to use unallocated number to get a busy. One more of these for the restricted partition: Caribbean, which is the well-known malicious numbers, and block it, right.
So in this case, and we can actually go over here to the route filters, you can see all these different area codes of known malicious numbers. Okay, and if we dial one of those from a line that has the line calling search space with the restricted partition in it, and one of those numbers matches, it’s going to go to a busy signal, as we have set it. But if it doesn’t match one of those, it will continue down and look at the regular device calling search space, which on a regular device will be our normal calling search space or Jabber calling search space, and in this normal calling search space we have access to the PSTN. Okay, so that’s how we get out, as long as it doesn’t match a known bad number. You can do other forms of call blocking, you know, if you add to those route filters, and that’s a way to provide outbound security. We’re actually going to add one more translation pattern.
Actually, it’s a route pattern. This is going to be for toll-free numbers, because I also have a route filter for that. But this is going to be in the PSTN toll-free partition, so this will be allowed, and it’s a route pattern, so this is just going out the normal way. There we go, toll-free route filter. We can send it straight to this SIP device, but I’m actually going to create a hunt list, or a route list, and a route pattern for those.
So we’ll go ahead and set it for this guy right now so we can save it, and we’re going to go back over here to our route group. We’re going to add in... that’s because I used it on them. The mouse is going crazy. So let’s actually delete this out and do this the correct way: add our SIP gateway as a route group.
So if we add other devices in here later, it’ll be easier to have an ordered list of gateways. So let’s go back here. There it is: our route group is pointing to our gateway, our SIP gateway that we configured. Let’s do our route list and add our route group to it. Oops. We can also add in special calling masks and prefixes here if we need to; that’d be a good place to add, you know, seven digits. Now we can go back to our route pattern with our toll-free route filter there, and now we can add in our PSTN route list, so it’ll be easy to go into the route list later and add redundant gateways. I’m actually not going to do any stripping at this level.
I’m actually going to do it on my SIP gateway, so it’s a little bit easier dealing with SRST calls. All right, so that’s that. Now we can add some more route groups here, route patterns. I guess that’s a to-do for outbound calling, so we can have our nine one.
This is the pattern I usually use. This will be in the long-distance partition. Oops, I totally typed the wrong description. This is long distance, and it will be using our PSTN route list, and I’m not going to do any digit stripping. Go ahead and add a new one with our regular ten-digit, same route list, no digit stripping, and we’re going to go ahead and add in our 911, and I’m going to go ahead and provide for nine, nine and 911. This will be our emergency partition, and it’s still going to go to the same gateway as of right now.
So, just like that, we have pretty much everything set up for our outbound calls. We can go ahead and put one in here for international, and we’re going to block it by default, but it will be here ready in case we need to allow international calls. I’m going to quickly add another one here with termination, so this will be an international call with the pound key termination. The first one would just wait for the interdigit timeout, which is, in Call Manager, I believe five seconds, might be three, can’t remember. I’m talking ahead, but we can go to service parameters. Since I can’t remember off the top of my head, we’ll just look it up.
All right, so we’re looking for... sorry. The T302 timer, I was way off; its default is 15 seconds. Let’s move that down to five. So the T302 timer is the interdigit timeout. So basically, it’s the timeout after you enter your last digit before you’re going to have a system error, or in this case the interdigit timeout error. So it was at 15 seconds.
So if you were doing an international call without termination, that last digit would take 15 seconds before it would actually route out, waiting to make sure that it didn’t match another digit, right. So we have our route patterns for 911, local, long-distance, international and toll-free, along with our security. Now for inbound: what we did with this SIP trunk, not a gateway, is in the actual SIP trunk, where our inbound is looking at this calling search space. So what we could do at this point is in our translation patterns.
We could go over here and add an incoming number, whatever it might be. I will just say, for example, we’re getting a four-digit number. We put it in the inbound partition, because otherwise it won’t hit this translation. Give it a description and point it to the correct calling search space, internal. So we can use internal or the actual device calling search space, and tell it what internal directory number it needs to dial.
So we could take, for example, five by five and strip it to four or whatever, or if we had full ten-digit dialing, strip it down to the internal three-digit extension. So that’s about it for call flow and call flow security. The main thing to remember here is the line and device calling search spaces, how those interact with each other, and what all you can do to provide some extra security. So someone, you never know what’s going on, might have the capability to hack the SIP trunk. They wouldn’t just be able to make calls straight to internal, because it’s going to go through this internal partition to begin with, so you don’t have direct access inside, and also outbound.
We have the layered security of having to go through the route filters and do an initial check before the outbound called number can pass out to the SIP trunk. So that’s going to do it for today’s lesson on route filters, calling search spaces and call flow with security. I’d like for you to subscribe and share and like and all that good stuff.
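
An added example (not part of the original tutorial, and not Cisco code): a simplified Python model of how the line and device calling search spaces combine on a phone, and why a SIP trunk that only sees the inbound partition cannot reach extensions or PSTN patterns directly. Partition names and patterns are constructed, explicit patterns stand in for the 9.@ route filters, and the model goes slightly beyond the walkthrough by choosing the closest match across the combined list, with partition order as the tie-breaker.

```python
# Added illustration: a simplified model of digit analysis, not Cisco code.
# Partition names and patterns are constructed for this example.
import re
from math import prod

def digit_sets(pattern):
    """Expand '9.1[2-9]XX' into one set of allowed digits per position ('.' is ignored)."""
    sets = []
    for lo, hi, single in re.findall(r"\[(\d)-(\d)\]|([\dX])", pattern):
        if single == "X":
            sets.append(set("0123456789"))
        elif single:
            sets.append({single})
        else:
            sets.append({str(d) for d in range(int(lo), int(hi) + 1)})
    return sets

def route(dialed, css, partitions):
    """Return (partition, pattern, action) for the closest match visible in css, or None.
    The closest match is the pattern covering the fewest numbers; partition order in the
    CSS only breaks ties, so line partitions beat device partitions on equal matches."""
    best = None
    for order, part in enumerate(css):
        for pattern, action in partitions[part]:
            sets = digit_sets(pattern)
            if len(sets) == len(dialed) and all(d in s for d, s in zip(dialed, sets)):
                key = (prod(len(s) for s in sets), order)
                if best is None or key < best[0]:
                    best = (key, (part, pattern, action))
    return best[1] if best else None

PARTITIONS = {
    "Restricted": [("9.1900XXXXXXX", "block")],            # constructed blocked range
    "LongDistance": [("9.1[2-9]XX[2-9]XXXXXX", "route")],  # reaches the PSTN route list
    "Internal": [("1XX", "ring")],                         # three-digit extensions
    "Inbound": [("5XXX", "translate-to-internal")],        # four-digit incoming number
}
LINE_CSS = ["Restricted"]
DEVICE_CSS = ["LongDistance", "Internal"]
INBOUND_CSS = ["Inbound"]  # the only CSS assigned to the SIP trunk

def phone_call(dialed):
    return route(dialed, LINE_CSS + DEVICE_CSS, PARTITIONS)  # line first, then device

def trunk_call(dialed):
    return route(dialed, INBOUND_CSS, PARTITIONS)

if __name__ == "__main__":
    for number in ("919005551234", "912125551234", "101"):
        print("phone", number, phone_call(number))
    for number in ("5101", "101", "912125551234"):
        print("trunk", number, trunk_call(number))
```

A blocking pattern only wins when it is at least as specific as the route pattern it overlaps, which is why the restricted entries list exact ranges rather than broad wildcards.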