Prevent Phones From Registering Based on Subnet 1

[linksboy]

Hi guys,

What would be the best way from preventing phones from registering if they were moved to a different subnet?

9611, CM6.3.

We would like to prevent inadvertent moves to areas not covered by 911 configuration, and prevent 911 issues. The phones being inoperable would be better in our environment.

Thank you, LB

 

[kyle555]

make them a network region that has no medpros and no network region connectivity to regions with DSPs

 

[linksboy]

Thanks Kyle,

Is it possible to overlap subnets to make this easier to manage?

IE 10.0.0.0/32 to Network region bogus with no resource,

10.0.1.0/24 to region 1 with resources.

Phones in /24 subnets entered into the IP-Network-map register in NR 1, all other subnets are in NR bogus.

Thanks LB

 

[kyle555]

Just checked and you can't have overlapping IP ranges.

You'll have a lot of entries to make to manage it just from the CM network map.

ACLs on a router might be more helpful.
You can blacklist IPs in Session Manager if they were SIP stations

 

[rejackson]

Modify the DHCP in the other subnets to not have the options to tell the phones where to register.

 

[linksboy]

rejackson,

The problem with that approach is that phones which are moved retain their settings, and will therefore register. I suppose you could pass bogus settings along, but that will lead to confusion and errors.

Trying to find a different approach.

Thank you for the rely though.

LB

 

[rejackson]

I never realized that. I thought they trashed their network settings when they rebooted unless they were manually configured. I just did a test though and you are correct.

 

[janni78]

IP-ranges that are not specified in ip-network-map will end up in ip-network-region 1.

If you move your MedPros/Procr to ip-network-region 2 you can deny access from region 1 -> region 2.

"Trying is the first step to failure..." - Homer

 

[kyle555]

Good thinking janni... are you sure that the phones will default to NR1 or would they not default to the NR of procr or their point of registration instead?

 

[jimbojimbo]

kyle555 - You are correct. The phones will be assigned to the region of PE or CLAN they register with. Normally I put PE in NR-241 with nothing else in it. This makes identification of phones registered in subnets not in the IP-Network-Map very easy. You can assign a location with everything denied. The end users are sure to call into the support desk when they can't dial anything.

 

[kyle555]

Bleh. I'm not a fan of no DSPs connected to procr.
Design best practices are to have procr in its own region and have your NRs connect to all other NRs through procr so you can implement BW controls through a hub and spoke approach.

There are ways to do what OP wants, but none of them are really "right". I think the best answer if you want to prevent subnet X from accessing port Y on subnet Z is an ACL.

 

[dialtonebone]

You could ask your network guys to use ACLs that whitelist all the "approved" subnets, then deny the rest based up TCP1719 for registration