Frequent Contributor I

WiFi Calling?

Question for anyone who has WiFi calling working on their network.

The hardest part seems to be sussing out the relevant IP's and hostnames for each provider so that the traffic can be allowed to those destinations. Does anyone have a resource which helps to aggregate that info?

 

For example:

AT&T IP's, hostnames, protocols/ports

Sprint IP's, hostnames, protocols/ports

T-Mobile IP's, hostnames, protocols/ports

Verizon IP's, hostnames, protocols/ports


Accepted Solutions
Moderator

Re: WiFi Calling?

If you want to track and allow wificalling traffic, it would be best to limit it by the FQDN of the carrier's ePDG (their end of the wifi calling session). On the controller this means using the "name" abilities of netdestinations to write ACLs based on DNS snooped names. Then you would put an ACL into the user role along the lines of

 

   user alias wificalling_list udp 4500 permit

 

Some of the ePDG FQDNs for US carriers are listed in the CLI guide, see "voice wificalling" (6.5.x) or "ucc wificalling" (8.x). Generally most carriers follow some sort of naming convention like

 

epdg.epc.mnc001.mcc123.pub.3gppnetwork.org

 

where mnc### and mcc### are carrier specific. But, the USA carriers seem to mix it up a bit (you will see in the config guide), so that's not a golden rule. You can also try some broad capturing rules like "*.pub.3gppnetwork.org".

 

How to find out for your use case? You can try to ask the carriers, check online forums or capture the packets sent by the device when it's trying to connect to wificalling; the DNS requests sent by the phone will tell you what you need to know.

 

To capture the phone packets, use a tunnel mode VAP and the 'packet-capture datapath mac <mac> decrypted' command and either send to a host using 'packet-capture destination ip-address <ip>' (wireshark can decode) or capture to the filesystem (destination filesystem) and extract (packet-capture copy-to-flash datapath-pcap).

 

 

 

 

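The "read the phone's DNS requests" step from the accepted solution, as an added example that is not part of the original thread: it decodes the question name from raw DNS query payloads and sorts each name by whether it matches the quoted ePDG convention, only the broad `*.pub.3gppnetwork.org` rule, or neither. It assumes the DNS UDP payloads have already been pulled out of the capture; the function names and the sample queries are constructed for illustration.

```python
import re
import struct

# Naming convention quoted in the post; the MNC/MCC digits are carrier specific.
EPDG_RE = re.compile(r"^epdg\.epc\.mnc(\d{3})\.mcc(\d{3})\.pub\.3gppnetwork\.org$")
WILDCARD_SUFFIX = ".pub.3gppnetwork.org"  # the broad "*.pub.3gppnetwork.org" rule

def qname_from_dns(payload):
    """Return the first question name of a DNS query, or None if malformed/not a query."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:          # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        label = payload[pos + 1:pos + 1 + length]
        if length & 0xC0 or len(label) != length:  # pointer or truncated label
            return None
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length
    if pos >= len(payload):                    # ran off the end, no root label
        return None
    return ".".join(labels).lower()

def classify(payloads):
    """Sort observed query names by how an FQDN-based allow list would cover them."""
    out = {"convention": {}, "wildcard_only": set(), "outside_wildcard": set()}
    for payload in payloads:
        name = qname_from_dns(payload)
        if not name:
            continue
        match = EPDG_RE.match(name)
        if match:
            out["convention"][name] = {"mnc": match.group(1), "mcc": match.group(2)}
        elif name.endswith(WILDCARD_SUFFIX):
            out["wildcard_only"].add(name)
        else:
            out["outside_wildcard"].add(name)  # review by hand: may be an off-convention ePDG
    return out

def build_query(name, txid=0x1234):
    """Construct a sample DNS A query (test input only, not captured traffic)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

SAMPLE = [build_query(n) for n in (
    "epdg.epc.mnc001.mcc123.pub.3gppnetwork.org",  # example name from the post
    "epdg.carrier.example",                         # constructed off-convention name
    "www.example.com")]                             # constructed unrelated lookup
```

Names that land in `outside_wildcard` are the ones a wildcard rule would silently miss, which is where carriers that do not follow the convention show up.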


All Replies
Guru Elite

Re: WiFi Calling?

Frequent Contributor I

Re: WiFi Calling?

Thanks Joseph. Helpful doc.

 

Looks like there are only two options:

Allow IPSEC outbound to all, OR spend time identifying the destinations for each provider then limit IPSEC to those destinations. The latter will be a fragile config since those VPN details could change over time. Also you would have to test a phone from each carrier...

 

Are folks really just letting VPN traffic egress their network to any/all destinations? Seems absurd from a security perspective.

 

 

Guru Elite

Re: WiFi Calling?

It would be good to hear what others think, yes.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

New Contributor

Re: WiFi Calling?

Hey,

Thanks all for your responses. I was having similar questions and your answers were helpful to me.

Best regards!!
