Block outbound call number by default, permitted for extention group


I’m trying to block call by default for a particular cell phone number (rooms) but permit it for an extension group (staff). We have only one SIP Trunk.

I’ve read the document “How to Manage Inbound / Outbound Routes on UCM6XXX” and tried an outbound route with “enable filter on source caller ID” + “Available Extensions / Extentions Groups”, it doesn’t work.

I put this rule the first on top (the general default route accessible by everybody is below). I was thinking that the first rule would catch the dialed # (_5145556666, this is a false number just for sake of explanation!) and would block the non-members of the extension group. It doesn’t seem to behave that way and call is permitted…

For half of the rooms we have (mentally hill peoples), we wanted to block 911 using the same recipe, it doesn’t work either. As anybody succeeded implementing this kind of outbound call filtering? I am a network engineer used to work with access lists in switches and routers, with the UCM6204 PBX, i’m a bit lost and i don’t know why it doesn’t work and what is should do!!!


It does work, but you probably have another rule that allow this call.
UCM will check ANY route that allow call.


That’s exactly the very unclear behavior in this. When you deal with firewall rules, the matching is done from top to bottom. As soon of a matching rule is matched, it is evaluated and if it is a denied, the communication is blocked and the rest of the bottom rules are skipped. (match loop / action / exit).

I can’t find any way to have a “deny rule”. I’m totally lost as of how to implement this. Probably my thinking is too much influenced by the fact that i manage firewall much more than PBX !!! The closest i’ve been is matchin everybody but the “permitted extentions” and strip 9 digits, which gives the voice message “all circuits are busy”. It kinda works but it is heavy to support and not elegant.

If you have a way to implement this with an example, it would be greatly appreciated!


That depends on which routers. Many now have added filter that adds block unless further rules allow. I use this all the time as my first rule is to block any sip to the pbx. I then add rules following that so I can allow the IPs I want. In this manner I need not reorder them should I need to add an IP later.

The rules are indeed examined top to bottom. As Marcin indicated, the UCM examines them to see if there are any matches. It will give access using the first rule that matches. So, you likely had a rule for any 11 digit number that was allowed for all extensions. So, while the first rule likely stopped the extensions from accessing, the following rule(s) let it go out. 911is different as it has a special section that ignores the outbound rules.


UCM first check PATTERN not sequence.
Sequence is when are SAME patterns.


The effect is the same. If the pattern is not the same then it won’t react anyway, but if the pattern is the same then it does indeed look for the match with the first rule that matches.