31.4.1 Configuring Classification Rules
The Classification table enables you to configure up to 100 Classification rules.
Classification rules are used to classify incoming SIP dialog-initiating requests (e.g.,
INVITE messages) to source IP Groups from where the SIP dialog request originated. The
identified IP Group is later used in the manipulation and routing processes.
Classification rules also enhance security by allowing you to create a SIP access list,
whereby classified calls can be denied (i.e., blacklist) or allowed (i.e., whitelist).
The Classification table is used to classify incoming SIP dialog requests only if the other
classification stages fail, as described below:
1. Classification Stage 1 - Registered Users Database: The device searches its
registration database to check if the incoming SIP dialog arrived from a registered
user:
• Compares the SIP Contact header of the received SIP dialog to the Contact of
the registered user.
• Compares the URL in the SIP P-Asserted-Identity/From header to the registered
address-of-record (AOR).
If this stage fails, the device proceeds to classification based on Proxy Set.
2. Classification Stage 2 - Proxy Set: If the database search fails, the device performs
classification based on Proxy Set if the 'Classify By Proxy Set' parameter is enabled
for the IP Group (see 'Configuring IP Groups' on page 210). If enabled, the device
checks whether the INVITE's IP address (if host names, then according to the
dynamically resolved IP address list) is defined for a Proxy Set ID (in the Proxy Set
table). If a Proxy Set ID has such an IP address, the device classifies the INVITE to
the IP Group that is associated with this Proxy Set. (The Proxy Set ID is assigned to
the IP Group using the IP Group table's 'Proxy Set ID' parameter.)
Note: For security purposes, it is highly recommended to disable the Classify by
Proxy Set feature so that the device can use the Classification table instead,
for "strict" classification of incoming calls to IP Groups. In addition, in cases
where multiple IP Groups are associated with the same Proxy Set ID, do not
use the Classify by Proxy Set feature.
If this stage fails (or Classify by Proxy Set is disabled), the device proceeds to
classification based on the Classification table.
3. Classification Stage 3 - Classification Table: If classification based on Proxy Set
fails (or disabled), the device uses the Classification table to classify the SIP dialog to
an IP Group. If it locates a classification rule whose characteristics (such as source IP
address) match the incoming SIP dialog, then the SIP dialog is assigned to the
associated IP Group. In addition, if the classification rule is defined as a whitelist, the
SIP dialog is allowed and proceeds with the manipulation, routing and other SBC
processes. If the classification rule is defined as a blacklist, the SIP dialog is denied.
If the classification process fails, the device rejects or allows the call, depending on the
setting of the 'Unclassified Calls' parameter (on the General Settings page - Configuration
tab > VoIP menu > SBC > General Settings). If this parameter is set to Allow, the
incoming SIP dialog is assigned to an IP Group as follows:
1. The device checks on which SIP listening port (e.g., 5061) the incoming SIP dialog
request arrived and the SIP Interface which is configured with this port (in the SIP
Interface table).
2. The device checks the SRD that is associated with this SIP Interface (in the SIP
Interface table) and then classifies the SIP dialog with the first IP Group that is
associated with this SRD. For example, if IP Groups 3 and 4 use the same SRD, the
device classifies the call to IP Group 3.
To Next Page
Loading...
Need help?
General
