In this section:


For SIP Trunking configurations, define ACL “allowlists” to only allow traffic from the far ends (IP address) in a SIP peering scenario.

For each trunk group, do the following:

  • Create an ACL with a high priority (low precedence value) to allow traffic from the far end.
  • Create a “Block Everything Anternatively” ACL at a lower priority (higher precedence value) to block all traffic EXCEPT traffic that is explicitly allowed.


Note

The SBC 5400 and SBC 7000 systems support creating IP Interface Groups containing sets of IP interfaces that are not "processor friendly" (i.e. carried on physical Ethernet ports served by separate processors). However, restrictions exist regarding the usage of such Interface Groups.

For complete details, refer to Configuring IP Interface Groups and Interfaces.

Allow Unlimited Traffic

The below rule allows unlimited traffic from “10.35.66.187” (the IP address of the far end for this example) to destination port 5060. This IP address is also an IP Peer and is included in the trunk group ingress IP prefix.


Note

The Bucket Size value is insignificant if the Fill Rate value is unlimited.

  • The Fill Rate is the maximum rate you expect for the traffic to pass the policer.
  • The Bucket Size is the number of additional packets allowed to pass in a given period if available packets are in the bucket. The credit balance is consumed before the packets are discarded.

If the ACL rules with action = discard, the Fill Rate and the Bucket Size values are irrelevant, and the packets are dropped based on the Type, IP address, or Port.

The Fill Rate and the Bucket Size parameters do not play any role since the policer portion of an ACL is only applicable for the "accept" action and is ignored with the "discard" action since all the packets are already discarded by the criteria.

% set addressContext "default" ipAccessControlList rule "WHITELIST_PEER_01" precedence "1000" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" sourceIpAddress "10.35.66.187" sourceAddressPrefixLength "32" destinationPort "5060" fillRate "unlimited" bucketSize "unlimited" state "enabled"

Ensure the sourceAddressPrefixLength is set to a nonzero value (“32” is used in this example). Otherwise, the length defaults to “0, " allowing all IP addresses to be “allowlisted.”

Block All Traffic Not Explicitly Allowed

The following rule blocks all traffic that is not explicitly allowed:

% set addressContext "default" ipAccessControlList rule "DENYALL_UNTRUST" precedence "65015" ipInterfaceGroup "EXTERNAL.IPIG" action "discard"

The precedence of WHITELIST_PEER_01 is a lower value than DENYALL_UNTRUST. This causes WHITELIST_PEER_01 to take precedence over DENYALL_UNTRUST, allowing the SBC to accept traffic from 10.35.66.187.

Enable the ACLs in precedence order. In this example, this ACL should be the last one enabled.