Saturday, September 10, 2011

A new 15.1(2)T IOS feature that should be considered when upgrading


One of the first things to check when an H.323 gateway will not work with Cisco Unified Communications Manager (CUCM) is the IP address configuration. A common mistake is to configure the gateway in CUCM using its voice interface IP address: calls from IP phones out to the PSTN work, but inbound calls fail. The reason is that the gateway uses a different IP address (not the one configured on the voice VLAN) to contact CUCM, and CUCM rejects the call setup packet.
The Cisco IOS gateway, on the other hand, had no problem accepting calls from any IP address and did not require anything specific to be configured on it. The problem with this approach is toll fraud and call theft. On a gateway exposed to external networks such as the Internet, hackers can use an H.323 or SIP client and call out via the gateway to external destinations at your expense. There are ways to protect against that using access lists, but in version 15.1(2)T Cisco secured IOS and gave it CUCM-like behavior: everything is denied unless it is specifically allowed.
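
A pre-upgrade check for the deny-by-default behavior described above, as an added example that is not from the original post or from Cisco. It assumes the gateway's trusted sources are the `ip address trusted list` entries under `voice service voip` plus the `session target ipv4:` addresses of VoIP dial peers; the running-config and all addresses are constructed.

```python
import ipaddress
import re

# Constructed sample running-config (not from the original post).
SAMPLE_CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 10.10.20.0 255.255.255.0
 allow-connections h323 to h323
!
dial-peer voice 100 voip
 destination-pattern 5...
 session target ipv4:10.10.10.11
!
dial-peer voice 200 pots
 destination-pattern 9T
 port 0/0/0:23
"""

def trusted_networks(config):
    """Collect the networks the gateway would accept VoIP call setups from."""
    nets, in_list = [], False
    for line in config.splitlines():
        text = line.strip()
        if text == "ip address trusted list":
            in_list = True
            continue
        if in_list:
            m = re.fullmatch(r"ipv4 (\S+)(?: (\S+))?", text)
            if m:  # explicit entry; a missing mask means a single host
                mask = m.group(2) or "255.255.255.255"
                nets.append(ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False))
                continue
            in_list = False  # first non-ipv4 line ends the list sub-mode
        m = re.fullmatch(r"session target ipv4:([\d.]+)(?::\d+)?", text)
        if m:  # assumption: dial-peer targets are trusted implicitly
            nets.append(ipaddress.ip_network(m.group(1)))
    return nets

def untrusted_sources(config, sources):
    """Return the source IPs that no trusted entry covers."""
    nets = trusted_networks(config)
    return [s for s in sources if not any(ipaddress.ip_address(s) in n for n in nets)]

if __name__ == "__main__":
    cucm_nodes = ["10.10.10.11", "10.10.10.12", "10.10.20.5"]  # constructed
    for ip in untrusted_sources(SAMPLE_CONFIG, cucm_nodes):
        print(f"{ip}: call setup would be rejected after the upgrade")
```

Run it against each gateway's saved configuration with the full list of call-processing nodes before the upgrade; any address it reports needs a trusted-list entry or a dial peer pointing at it.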

Why is it important to know about this? Because a network-wide IOS upgrade may be performed and, without special preparation, the gateways will stop serving calls.
This was documented in a detailed Cisco tech note, along with ways to detect and prevent it, but I'm assuming that, just like me, most of you will not see it until it's too late. Fortunately for me, I work for a big company and someone else ran into it and brought it to everyone's attention.
Please do yourselves a favor and spend some time reading the document at the following URL:
