In this section:
IP Access Control Lists (IP ACLs) specify a 5-tuple of destination IP address, destination TCP/UDP port, source IP address, source port, and transport protocol that are to be matched against the incoming IP packets. Use IP ACLs to specify rules to permit or deny packets into the SBC SWe cloud. The IP ACL can optionally pass the traffic but at only a certain policed rate.
The destination and source IP address indicates a network mask or wild-carded instead of a fully qualified IP address. The destination and source ports, and the transport protocol is also wild-carded. While this ability to wildcard the destination (or local) IP is sufficient for basic IP ACL functionality in the dynamic address environment of the cloud, additional functionality to explicitly use a local interface and SIP Signaling Port (SSP) as the destination IP address allows more simpler and generic configurations.
The SBC SWe cloud platform uses the local packet interface name, local management interface name, SIP signaling port number, or IP address with prefix as the destination IP address in IP ACL configuration.
When you create an IP ACL rule, its state defaults to "disabled". Change the state to "enabled" to activate the rule.
The default IP ACL supports 20 Record-Routes.
Note
When a user creates a new management group, the user must add user defined ACL rules to get the equivalent rules that are set up for the default management group.
Refer to SBC Provisioning Limits for the maximum number of IP ACLs allowed on the SBC.
The SBC SWe cloud CLI syntax, parameter descriptions and command examples is provided below. Refer to IP Access Control List - Non-Cloud - CLI for non-Cloud equivalent CLI.
Command Syntax
% set addressContext <addressContext_name> ipAccessControlList...
// Mandatory parameters.
rule <rule_name> precedence <1-65535>
// Optional parameters.
Note
- The
sourceIpAddressandsourcePortbelong to the entity that sends packets to the SBC. - The
destIpAddressanddestinationPortbelong to the SBC that receives the packets. ACLs are applicable only when an instance is receiving the packets and not when sending out the packets.
action <accept | discard> bucketSize <bucket_size> destIpAddress <IP address> destIpAddressPrefixLength <prefix length> destIpInterface <IP interface> destIpInterfaceGroup <Destination IPIG> destMgmtIpInterface <Destination mgmt IPI> destMgmtIpInterfaceGroup <Destination mgmt IPIG> destSipSigPortIndex <Destination SSP index> destSipSigPortZone <Destination SSP zone name> destTypeIpVersion <Destination IP address version type> destinationPort <port number> fillRate <#> ipInterface <ipInterface name> ipInterfaceGroup <ipInterfaceGroup name> mgmtIpInterface <mgmtIpInterface name> mgmtIpInterfaceGroup <mgmtIpInterfaceGroup name> minTTL <0-255> protocol <any|0-255> sourceAddressPrefixLength <0-128> sourceIpAddress <IPv4/IPv6 Address> sourcePort <port number> state <disbled | enabled> vmAppName <VM application name>
Command Parameters
IP Access Control List Parameters (Cloud)
Parameter | Length/Range | Description |
|---|---|---|
Mandatory parameters: | ||
| 1-23 | The name of the address context. The address context is a container of objects that correspond to a specific IP Addressing domain. |
| N/A | Access Control List rule name. |
| N/A | Action to take when this rule is matched.
|
| 1-255, or unlimited | The policing bucket size (in packets). A "bucketSize" represents a credit balance that should be consumed before the packets are discarded. The consumed credits reside in the bucket and gets reduced for every packet received on the Network Interface (NI). If a packet is received when the credit balance is less than the size of the packet, the packet is discarded subjected to the discard rate set in the IP Policing Alarm profile or in the Policer Alarm monitoring this Media Port. A setting of 'unlimited' allows continuous policing. (default = 50) |
destIpAddress | N/A | <IP address> – The destination IP address to match. |
destIpAddressPrefixLength | N/A | <Prefix length> – The length of destination IP address prefix to match. |
destIpInterface | 1-23 | <IP Interface name> – The name of an IP interface for destination host address. |
destIpInterfaceGroup | 1-23 | <IPIG name> – The interface group name of IP interface for destination host address. |
destMgmtIpInterface | 1-23 | <MIP name> – The name of a MGMT IP interface for destination host address. |
destMgmtIpInterfaceGroup | 1-23 | <MIPI name> – The interface group name of a MGMT IP interface for destination host address. |
destSipSigPortIndex | 1-2048 | <Destination SSP Index> – The index of SIP Signaling Port for destination address. |
destSipSigPortZone | 1-23 | <Destination SSP Zone name> – The zone name of SIP Signaling Port for destination address. |
destTypeIpVersion | N/A |
|
| 0-65535, or any |
|
| 1-10000, or unlimited |
|
| N/A | Enter IP interface name to match, or "any" to match any IP interface. |
| N/A | Enter IP interface group name to match, or "any" to match any IP interface group. |
| N/A | Enter MGMT IP interface name to match, or "any" to match any MGMT IP interface. |
| N/A | Enter MGMT IP interface group name to match, or "any" to match any MGMT IP interface group. |
minTTL | <0-255> | Minimum TTL value allowed. Used for BFD traffic admission. For single-hop BFD traffic, set this to 255. Default is 0 |
| 1-65535 | Use this parameter to specify the rule precedence to control which ACL rule is applied when multiple rules match a given packet. If an incoming packet matches multiple rules, the IP ACL rule with the highest precedence (lowest numerical precedence value) is applied to that packet. Each IP ACL rule must use a unique precedence value. |
| N/A | Enter IP protocol type for use as a criterion of the IP input match. Choices are 0-255, or one of the following:
These protocols are typically associated with particular logical port values. |
| N/A | The length of source IP address prefix which must match the protocol (default = 0). |
| N/A | The source IPv4 or IPv6 address to match. (default = 0.0.0.0). NOTE: When configuring a |
| 0-65535, or any | The source IP port to match. (default = 'any') |
| N/A | Administrative state of the IP access control list rule.
|
vmAppName | N/A | The virtual machine application name against which to apply this ACL rule. If no name is specified, the rule is applied to the SBC application. |
Command Examples
set addressContext default ipAccessControlList rule 2 action accept bucketSize unlimited destinationAddressPrefixLength 2 destinationIpAddress 10.34.25.153 destinationPort any fillRate 33 ipInterface ipInterface1 ipInterfaceGroup INTERNAL_IPIG precedence 22 protocol any sourceAddressPrefixLength 1 sourceIpAddress 10.32.22.145 sourcePort any state disabled
show addressContext default ipAccessControlList
rule 2 {
precedence 22;
protocol any;
ipInterfaceGroup INTERNAL_IPIG;
ipInterface ipInterface1;
sourceIpAddress 10.32.22.145;
sourceAddressPrefixLength 1;
destinationIpAddress 10.34.25.153;
destinationAddressPrefixLength 2;
sourcePort any;
destinationPort any;
action accept;
fillRate 33;
bucketSize unlimited;
state disabled;
}
To display the IP access control list details with display level set to 1:
show addressContext default ipAccessControlList displaylevel 1 rule RULE1; rule rule1;
To display the IP access control list details with display level set to 3:
show addressContext default ipAccessControlList displaylevel 3
rule RULE1 {
precedence 4;
}
rule rule1 {
precedence 1;
protocol any;
sourceIpAddress 0.0.0.0;
sourceAddressPrefixLength 0;
destinationIpAddress 0.0.0.0;
destinationAddressPrefixLength 0;
sourcePort any;
destinationPort any;
action accept;
fillRate unlimited;
bucketSize unlimited;
state disabled;
}
To view the configured rules and precedence from System-level CLI:
show table addressContext default ipAccessControlList rule show table addressContext default ipAccessControlList ipAclRulesByPrecedence
To view statistics from System-level CLI:
show table addressContext default ipAccessControlList ipAclOverallStatistics show table addressContext a1 ipAccessControlList ipAclRuleStatistics
If using a management interface group other than the default, adding a set of ACL rules as shown below will replicate the defaulted ACL rules the system provides for the default management interface group. In this example, a management interface group mgmtGroup1 has been previously created.
set addressContext default ipAccessControlList rule mgmt2_22 destinationPort 22 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 100 precedence 200 action accept state enabled set addressContext default ipAccessControlList rule mgmt2_80 destinationPort 80 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 100 precedence 201 action accept state enabled set addressContext default ipAccessControlList rule mgmt2_161 destinationPort 161 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 10 fillRate 50 precedence 202 action accept state enabled set addressContext default ipAccessControlList rule mgmt2_123 sourcePort 123 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 4 fillRate 4 precedence 103 state enabled set addressContext default ipAccessControlList rule mgmt2_162 sourcePort 162 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize fillRate 10 precedence 104 state enabled set addressContext default ipAccessControlList rule mgmt2_1812 sourcePort 1812 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 4 fillRate 4 precedence 105 state enabled set addressContext default ipAccessControlList rule mgmt2_2022 destinationPort 2022 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 10 precedence 206 action accept state enabled set addressContext default ipAccessControlList rule mgmt2_443 destinationPort 443 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 100 precedence 208 action accept state enabled set addressContext default ipAccessControlList rule mgmt2_2024 destinationPort 2024 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 250 fillRate 2500 precedence 209 action accept state enabled set addressContext default ipAccessControlList rule mgmt2_1813 sourcePort 1813 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 250 fillRate 1200 precedence 110 state enabled commit
To view the default system IP ACL statistics:
show table addressContext default ipAccessControlList defaultAclStatistics
ADDRESS LIF
ACL CONTEXT GRP SOURCE IP DESTINATION IP POLICING BUCKET POL POL PACKET PACKET
ID PROTOCOL APPLICATION ID ID ADDRESS ADDRESS MODE SIZE CREDIT RATE ID PRIORITY ACCEPT DISCARD AGG POL OWNER
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
9 UDP dns_udp_guest * * * (53) * (0) PktRate 50 pkt 1000 pkt/s 0 0 0 0 none vm
10 TCP dns_tcp_guest * * * (53) * (0) PktRate 50 pkt 1000 pkt/s 0 0 0 0 none vm
11 TCP sftp_guest * * * (0) * (2024) DataPktRate 50000 pkt 50000 pkt/s 0 0 0 0 none vm
12 TCP ssh_guest * * * (0) * (22) DataPktRate 50000 pkt 50000 pkt/s 0 0 1 0 none vm
13 ICMPv4 icmpv4_guest * * * (0) * (0) DataPktRate 10 pkt 50 pkt/s 18 1 0 0 pol_icmp vm
14 ICMPv6 icmpv6_guest * * * (0) * (0) DataPktRate 10 pkt 400 pkt/s 18 1 0 0 pol_icmp vm
18 ICMPv4 icmpv4 * * * (0) * (0) PktRate 50 pkt 50 pkt/s 22 1 66 0 ICMP SBX5000
19 ICMPv6 icmpv6 * * * (0) * (0) PktRate 50 pkt 50 pkt/s 22 1 0 0 ICMP SBX5000
20 TCP ssh 1 1 * (0) 10.6.82.35/32 (22) PktRate 50 pkt 1000 pkt/s 19 1 118 0 OAM SBX5000
21 TCP web-client 1 1 * (0) 10.6.82.35/32 (80) PktRate 50 pkt 10 pkt/s 19 1 31 0 OAM SBX5000
22 UDP snmp 1 1 * (0) 10.6.82.35/32 (161) PktRate 50 pkt 1000 pkt/s 19 1 0 0 OAM SBX5000
23 TCP confd 1 1 * (0) 10.6.82.35/32 (2022) PktRate 50 pkt 100 pkt/s 19 1 0 0 OAM SBX5000
24 TCP secure-web-client 1 1 * (0) 10.6.82.35/32 (443) PktRate 50 pkt 20000 pkt/s 20 1 5583 0 SFTP SBX5000
25 TCP sftp 1 1 * (0) 10.6.82.35/32 (2024) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000
26 TCP connexIp-manager 1 1 * (0) 10.6.82.35/32 (444) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000
27 TCP secure-LI-client 1 1 * (0) 10.6.82.35/32 (1099) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000
28 TCP ssreq-tcp 1 1 * (0) 10.6.82.35/32 (3091) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000
29 UDP ssreq-udp 1 1 * (0) 10.6.82.35/32 (3090) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000
30 TCP ssh 1 1 * (0) 10.6.83.35/32 (22) PktRate 50 pkt 1000 pkt/s 19 1 0 0 OAM SBX5000
31 TCP web-client 1 1 * (0) 10.6.83.35/32 (80) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000
32 UDP snmp 1 1 * (0) 10.6.83.35/32 (161) PktRate 50 pkt 1000 pkt/s 19 1 0 0 OAM SBX5000
33 TCP confd 1 1 * (0) 10.6.83.35/32 (2022) PktRate 50 pkt 100 pkt/s 19 1 0 0 OAM SBX5000
34 TCP secure-web-client 1 1 * (0) 10.6.83.35/32 (443) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000
35 TCP sftp 1 1 * (0) 10.6.83.35/32 (2024) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000
36 TCP connexIp-manager 1 1 * (0) 10.6.83.35/32 (444) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000
37 TCP secure-LI-client 1 1 * (0) 10.6.83.35/32 (1099) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000
38 TCP ssreq-tcp 1 1 * (0) 10.6.83.35/32 (3091) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000
39 UDP ssreq-udp 1 1 * (0) 10.6.83.35/32 (3090) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000
40 UDP ntp 1 1 10.1.1.2/32 (123) * (0) PktRate 50 pkt 10 pkt/s 21 1 267 0 RBA SBX5000
The following example CLI ipAccessControlList commands define ACL rules to allow SSReq to receive packets on ports 3090 and 3091:
- Port 3090 is used by SSReq Server to receive XML requests over UDP from a SSReq Client.
- Port 3091 is used by SSReq Server to receive XML requests over TCP from a SSREeq Client.
set addressContext default ipAcessControlList rule ssrequdp precedence 2 destinationPort 3090 state enabled set addressContext default ipAcessControlList rule ssreqtcp precedence 3 destionationPort 3091 state enabled
Note
System ACLs are displayed only for default AddressContext.
System ACL Command Parameters
System ACL Parameters
Parameter | Description |
|---|---|
| Displays the address context ID of the ACL rule. |
| Displays the application that uses the ACL rule. |
| Displays the policer bucket size. |
| Displays the allowed packet rate. |
| Displays the destination IP address, Port Number and Prefix length. |
| Displays the management group ID. |
| Displays the number of packets accepted by the rule. |
| Displays the number of packets discarded by the ACL policer. |
| Displays the aggregator policer ID. |
| Displays the aggregator policer priority. |
| Displays the policing mode in packets per second. |
| Displays the protocol type of the rule. |
| Displays the source IP address, Port Number and Prefix length. |
Overview
Content Tools