Refer to the exhibit. An engineer must implement toll fraud prevention on a Cisco UCM cluster by allowing only the indicated IP address and protocols through Cisco Unified Border Element. What must be configured?
I think it is A
the CUBE must allow the customer to reach the representative.
it must allow SIP to H323
it must add the SIP trunk remote device .10.10
that is what A is. right?
As far as I know ip address trusted list isn't needed when there are up and running dial-peers with valid session target so all we need to focus in here are directions. As we already have h323 to sip we need to add sip to h323.
However why in the world do we have two matching answers. From both of them I'd have picked up A since local IP address is trusted by default so 10.10 is the answer.
At least this is how I can see this.
i was thinking the same , especially because in the given config there is already h.323 to sip allowed so now should be in opposite way allowed as well
Need the allow-connections both way or CUBE will drop it. The ip address trusted list is not needed if the session target is already defined. Just a trick to get people confuse.
Well, first let us to discard B. and D. because they are trusting the CUBE interfaces and it is not reasonable.
Now, if we see the configuration, it already exists "allow-connections h323 to sip". Just we need add "allow-connections sip to h323" and this condition can be provided by Answer A, because C does not have sense (in first instance because "allow-connections h323 to sip" is done and the cucm ip addres is alreade trusted in the dial peer).
Another thing that is weird, why both dial peers are using "session protocol sipv2"?, in this case, it is needed "allow-connections sip-to-sip" and answer B could be the solution even though "ipv4 192.168.11.10" is wrong (however it does not affect, it is cosmetic, because the correct ip addresses are already trusted from the dial-peers).
The another stuff weird is in the drawing, I do not understand why the "H323" text (between the CUCM and CUBE icons), if the dial peers are exhibiting other such a very different thing. I just say, watchout in the exam.
A makes sense to me, you gotta trust the source IP of your incoming calls. This Cisco video states "if the source IP does not match an explicit entry in the configuration as a trusted VoIP source, the call is rejected"
https://video.cisco.com/detail/video/6050186898001
I would go with C, and here is my reasoning:
If we are trusting the IP of the "Customer", then we are allowing the "Customer" to send whatever traffic/signalling to the CUBE (which can allow for Toll Fraud).
So , we do not trust "Customer" side but instead we trust the traffic/signalling from the System side (because the system is configured by Admins not Customers)
I'm going with C. This allows the CUBE to trust endpoints on the line side.
Unified CME 12.6 enforces security and toll fraud prevention for SIP line side on Unified CME. The ip address trusted authentication configuration blocks unauthorized calls from the line side. Hence, the Toll fraud Prevention feature secures Unified CME 12.6 and later from unauthorized users on the line side. As part of the configuration for toll fraud prevention on Unified CME 12.6, all the line side endpoints must register to Unified CME.
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/manual/cmeadm/cmetoll.html
It should depends what is the call direction (inbound or outbound):
"The CLI command ip address trusted list lists the IP address of INCOMING calls from all the registered directory numbers. The command is configured under voice service voip configuration mode."
So A, or C or Both
This section is not available anymore. Please use the main Exam Page.350-801 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
auswar3ft
Highly Voted 2 years, 3 months agoWeNt48
2 years, 2 months agoPanda_man
2 years, 3 months agov1nhthanh
Most Recent 1 week, 1 day agov1nhthanh
1 week, 4 days agoG0y0
2 months agoG0y0
2 months agodecdca7
5 months, 2 weeks agob3532e4
8 months, 1 week agoTheBabu
11 months, 3 weeks agoKomy
1 year agoc6176b5
1 year, 3 months agoALLENNN
2 years agoTelcoeric
2 years, 3 months agojayceeAD
2 years, 3 months agoBr_Ry
2 years, 3 months agoNNickyy
2 years, 3 months agowwisp3422112
2 years, 5 months agomzmrizmy
2 years, 4 months ago