# Restrict Extension Registration Based on IP Address

Out of the box, Cloud Voice accepts a SIP registration for an extension from any IP (Internet Protocol) address. SIP (Session Initiation Protocol) is the signaling a phone or softphone app uses to log in to (register with) an extension and set up calls. That open default is convenient, but it also lets an attacker who steals or guesses an extension's credentials register from anywhere on the internet and run up expensive calls on your account. To close that gap, tie an extension to one or more approved IP addresses so that no other device can register, even with the correct username and password.

:::note
This restriction is set per extension, not system-wide. Apply it to each extension you want to protect. Any extension you leave alone keeps accepting registrations from any address.
:::

## Before you begin

Decide which addresses should be trusted. This can be a single host (one fixed IP) or a whole subnet (a network range), depending on whether the phone lives at one fixed address or somewhere on a known network. You will need the IP address, and for a range the matching subnet mask, when you configure the rule.

:::caution
Cloud Voice checks the address it actually sees the device connect from. For a phone behind a router (NAT, or Network Address Translation), that is the site's public internet IP address, not the phone's local address such as `192.168.x.x`. Enter the public IP. If that internet connection uses a dynamic IP that changes over time, the phone will stop registering the next time the address changes.
:::

## Limit registration to approved addresses

1. Sign in to the Cloud Voice web portal and go to **Extension and Trunk > Extension**, then open the extension you want to protect.
2. Select the **Security** tab.
3. Under **SIP Registration IP Restriction**, tick **Enable IP Restriction**.

   ![Enabling the SIP registration IP restriction option on an extension's Security tab](/images/pbx/enable-sip-registeration-restrict.png)

4. Add each address or range that should be allowed to register the extension:
   1. Click **Add IP**.
   2. Fill in **Permitted IP** and **Subnet Mask** to define the address or network you want to trust. Repeat for any additional entries.

   :::tip
   To allow a single phone at a fixed address, enter that address as **Permitted IP** and use a **Subnet Mask** of `255.255.255.255` (one host only). To allow a whole office network, use the network address with its mask, for example `203.0.113.0` with `255.255.255.0`. Keep the range as narrow as possible so that fewer outside devices are ever eligible to register.
   :::

5. Click **Save**, then **Apply**.

   :::caution
   Before you click **Apply**, confirm the list includes the exact address the protected phone registers from. If it does not, that phone will fail to register as soon as the rule takes effect and cannot make or receive calls until you correct the list. Calls already in progress are not dropped, but the device will not be able to re-register until its address is permitted.
   :::

## Result

Registration for this extension is now restricted to the addresses you listed. A device on any other IP is turned away, even with the correct credentials.
