IP Access Control Lists (IP ACLs) specify a 5-tuple of destination IP address, destination TCP/UDP port, source IP address, source port, and transport protocol that is matched against incoming IP packets. Use IP ACLs to specify rules that permit or deny packets into the SBC SWe cloud. An IP ACL rule can optionally pass matching traffic, but only at a policed rate.

The destination and source IP addresses can be specified as a network prefix (mask) or wildcarded instead of as a fully qualified IP address; the destination and source ports and the transport protocol can also be wildcarded. While the ability to wildcard the destination (or local) IP address is sufficient for basic IP ACL functionality in the dynamic address environment of the cloud, the additional ability to name a local interface or SIP Signaling Port (SSP) as the destination allows simpler and more generic configurations.

The SBC SWe cloud platform uses the local packet interface name, local management interface name, SIP signaling port number, or IP address with prefix as the destination IP address in IP ACL configuration.

When you create an IP ACL rule, its state defaults to "disabled". Change the state to "enabled" to activate the rule.


The default IP ACL supports 20 Record-Routes.

Note

When you create a new management group, you must add user-defined ACL rules equivalent to the rules that are set up for the default management group.

Refer to SBC Provisioning Limits for the maximum number of IP ACLs allowed on the SBC.

The SBC SWe cloud CLI syntax, parameter descriptions and command examples are provided below. Refer to IP Access Control List - Non-Cloud - CLI for the non-Cloud equivalent CLI.

Command Syntax

% set addressContext <addressContext_name> ipAccessControlList...

// Mandatory parameters.

rule <rule_name> 
precedence <1-65535>


// Optional parameters.

Note
  • The sourceIpAddress and sourcePort belong to the entity that sends packets to the SBC.
  • The destIpAddress and destinationPort belong to the SBC that receives the packets.
  • ACLs are applicable only when an instance is receiving the packets and not when sending out the packets.

action <accept | discard> 
bucketSize <bucket_size> 
destIpAddress <IP address>
destIpAddressPrefixLength <prefix length>
destIpInterface <IP interface>
destIpInterfaceGroup <Destination IPIG>
destMgmtIpInterface <Destination mgmt IPI>
destMgmtIpInterfaceGroup <Destination mgmt IPIG>
destSipSigPortIndex <Destination SSP index>
destSipSigPortZone <Destination SSP zone name>
destTypeIpVersion <Destination IP address version type>
destinationPort <port number> 
fillRate <#> 
ipInterface <ipInterface name> 
ipInterfaceGroup <ipInterfaceGroup name> 
mgmtIpInterface <mgmtIpInterface name> 
mgmtIpInterfaceGroup <mgmtIpInterfaceGroup name> 
minTTL <0-255>
protocol <any|0-255> 
sourceAddressPrefixLength <0-128> 
sourceIpAddress <IPv4/IPv6 Address> 
sourcePort <port number> 
state <disabled | enabled> 
vmAppName <VM application name>

Command Parameters

IP Access Control List Parameters (Cloud)

Parameter

Length/Range

Description

Mandatory parameters:

addressContext

1-23

The name of the address context. The address context is a container of objects that correspond to a specific IP Addressing domain.

rule

N/A

Access Control List rule name.

action

N/A

Action to take when this rule is matched.

  • accept(default) Incoming packets matching this ACL rule are accepted into the system.
  • discard Incoming packets matching this ACL rule are discarded (not allowed into system).

bucketSize

1-255, or unlimited

The policing bucket size (in packets). The bucketSize represents a credit balance that must be consumed before packets are discarded. The credits reside in the bucket and are reduced for every packet received on the Network Interface (NI). If a packet is received when the credit balance is less than the size of the packet, the packet is discarded, subject to the discard rate set in the IP Policing Alarm profile or in the Policer Alarm monitoring this Media Port. A setting of 'unlimited' allows continuous policing. (default = 50)

destIpAddress

N/A

<IP address> – The destination IP address to match.

destIpAddressPrefixLength

N/A

<Prefix length> – The length of the destination IP address prefix to match.

destIpInterface

1-23

<IP Interface name> – The name of an IP interface for the destination host address.

destIpInterfaceGroup

1-23

<IPIG name> – The interface group name of the IP interface for the destination host address.

destMgmtIpInterface

1-23

<MIP name> – The name of a MGMT IP interface for the destination host address.

destMgmtIpInterfaceGroup

1-23

<MIPI name> – The interface group name of a MGMT IP interface for the destination host address.

destSipSigPortIndex

1-2048

<Destination SSP Index> – The index of the SIP Signaling Port for the destination address.

destSipSigPortZone

1-23

<Destination SSP Zone name> – The zone name of SIP Signaling Port for destination address.
destTypeIpVersion

N/A

<Destination IP address version type> – The IP address version type when specifying the destination IP address using an interface name or SIP Signaling Port Index

  • ipV4 (default)
  • ipV6

destinationPort

0-65535, or any

<port number, or 'any'> – Destination port to match. (default = 'any').

fillRate

1-10000, or unlimited

<Number of packets> – The number of packets added to the bucket credit balance each second (in packets/second). If packets arrive at a rate exceeding this fill rate, they are discarded, subject to the discard rate set in the IP Policing Alarm profile or in the Policer Alarm monitoring this Media Port. The bucket credit balance is always less than the configured bucket size regardless of the size of this increment. A setting of 'unlimited' passes packets unconditionally. (default = 50).

ipInterface

N/A

Enter IP interface name to match, or "any" to match any IP interface.

ipInterfaceGroup

N/A

Enter IP interface group name to match, or "any" to match any IP interface group.

mgmtIpInterface

N/A

Enter MGMT IP interface name to match, or "any" to match any MGMT IP interface.

mgmtIpInterfaceGroup

N/A

Enter MGMT IP interface group name to match, or "any" to match any MGMT IP interface group.

minTTL

0-255

Minimum TTL value allowed. Used for BFD traffic admission. For single-hop BFD traffic, set this to 255. (default = 0)

precedence

1-65535

Use this parameter to specify the rule precedence to control which ACL rule is applied when multiple rules match a given packet. If an incoming packet matches multiple rules, the IP ACL rule with the highest precedence (lowest numerical precedence value) is applied to that packet.

Each IP ACL rule must use a unique precedence value.

protocol

N/A

Enter IP protocol type for use as a criterion of the IP input match. Choices are 0-255, or one of the following:

  • any – (default) filter all protocols
  • icmp – filter ICMP only
  • icmpv6 – filter ICMPv6 only
  • ospf – filter OSPF only
  • tcp – filter TCP only
  • udp – filter UDP only

These protocols are typically associated with particular logical port values.

sourceAddressPrefixLength

N/A

The length of the source IP address prefix (the number of leading bits of sourceIpAddress that must match the packet's source address). (default = 0)

sourceIpAddress

N/A

The source IPv4 or IPv6 address to match. (default = 0.0.0.0).

NOTE: When configuring a sourceIpAddress, the sourceAddressPrefixLength must also be specified.

sourcePort

0-65535, or any

The source IP port to match. (default = 'any')

state

N/A

Administrative state of the IP access control list rule.

  • enabled – All incoming packets are matched against this ACL rule.
  • disabled – (default) The ACL rule is not used for any incoming packet matching.

vmAppName

N/A

The virtual machine application name against which to apply this ACL rule. If no name is specified, the rule is applied to the SBC application.
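The following Python model ties together the matching and policing behaviour described in the parameter table: 5-tuple matching with prefix lengths and 'any' wildcards, precedence ordering (the rule with the lowest numerical precedence is applied first, and precedence values must be unique), the accept/discard action, the default disabled state, and a per-rule token bucket driven by bucketSize and fillRate. It is an illustration added here and is not Ribbon SBC code. Attribute names mirror the CLI parameters; the rule set, packet stream and arrival times are constructed; treating 'unlimited' on either policing knob as "not policed" and reporting packets that match no enabled rule as 'no-match' are assumptions of the model, not documented platform behaviour.

```python
"""Model of the IP ACL semantics described above: 5-tuple matching with prefix
lengths and 'any' wildcards, precedence ordering (lowest number applied first),
accept/discard actions, and a per-rule token-bucket policer driven by bucketSize
and fillRate. Illustrative code only, not Ribbon SBC software."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AclRule:
    """One ipAccessControlList rule; attribute names mirror the CLI parameters."""
    name: str
    precedence: int                     # 1-65535, unique per rule
    action: str = "accept"              # accept | discard
    protocol: str = "any"               # any | tcp | udp | icmp | ... (names only here)
    sourceIpAddress: str = "0.0.0.0"
    sourceAddressPrefixLength: int = 0
    destIpAddress: str = "0.0.0.0"
    destIpAddressPrefixLength: int = 0
    sourcePort: str = "any"             # port number as string, or 'any'
    destinationPort: str = "any"
    bucketSize: str = "50"              # packets, or 'unlimited'
    fillRate: str = "50"                # packets/second, or 'unlimited'
    state: str = "disabled"             # a new rule is disabled until enabled
    credits: float = field(init=False, default=0.0)
    last_seen: Optional[float] = field(init=False, default=None)

    def __post_init__(self):
        # the bucket starts full
        self.credits = 0.0 if self.bucketSize == "unlimited" else float(self.bucketSize)

    def matches(self, pkt: dict) -> bool:
        if self.state != "enabled":
            return False
        if self.protocol != "any" and self.protocol != pkt["protocol"]:
            return False
        for want, key in ((self.sourcePort, "sport"), (self.destinationPort, "dport")):
            if want != "any" and int(want) != pkt[key]:
                return False
        for addr, plen, key in ((self.sourceIpAddress, self.sourceAddressPrefixLength, "src"),
                                (self.destIpAddress, self.destIpAddressPrefixLength, "dst")):
            net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            if ipaddress.ip_address(pkt[key]) not in net:
                return False
        return True

    def police(self, now: float) -> bool:
        """Spend one credit for a packet arriving at `now`; False means the policer drops it."""
        # Assumption: 'unlimited' on either knob means this rule is not policed.
        if "unlimited" in (self.bucketSize, self.fillRate):
            return True
        if self.last_seen is None:
            self.last_seen = now
        # refill at fillRate packets/second, never above bucketSize
        self.credits = min(float(self.bucketSize),
                           self.credits + (now - self.last_seen) * float(self.fillRate))
        self.last_seen = now
        if self.credits >= 1.0:
            self.credits -= 1.0
            return True
        return False


class IpAccessControlList:
    def __init__(self, rules):
        precs = [r.precedence for r in rules]
        if len(precs) != len(set(precs)):
            raise ValueError("each IP ACL rule must use a unique precedence value")
        self.rules = sorted(rules, key=lambda r: r.precedence)   # lowest number first
        self.stats = {r.name: {"accept": 0, "discard": 0} for r in rules}

    def evaluate(self, pkt: dict, now: float):
        """Return (rule name, verdict). Packets matching no enabled rule are reported
        as 'no-match'; what the platform does with them is outside this model."""
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = "accept" if rule.action == "accept" and rule.police(now) else "discard"
                self.stats[rule.name][verdict] += 1
                return rule.name, verdict
        return None, "no-match"


def packet(protocol, src, sport, dst, dport):
    return {"protocol": protocol, "src": src, "sport": sport, "dst": dst, "dport": dport}


def demo():
    """Constructed rule set and packet stream; returns (verdicts, per-rule counters)."""
    acl = IpAccessControlList([
        AclRule("ssh_from_oam", 10, protocol="tcp", sourceIpAddress="10.1.1.0",
                sourceAddressPrefixLength=24, destinationPort="22",
                bucketSize="2", fillRate="1", state="enabled"),
        AclRule("drop_other_ssh", 20, action="discard", protocol="tcp",
                destinationPort="22", state="enabled"),
        AclRule("sip_udp", 30, protocol="udp", destinationPort="5060",
                bucketSize="unlimited", fillRate="unlimited", state="enabled"),
        AclRule("not_yet_active", 5, action="discard"),   # state left at default: disabled
    ])
    oam_ssh = packet("tcp", "10.1.1.5", 40000, "10.6.82.35", 22)
    stream = [
        (0.0, oam_ssh),                                               # credits 2 -> 1
        (0.0, oam_ssh),                                               # credits 1 -> 0
        (0.0, oam_ssh),                                               # bucket empty: policed
        (1.0, oam_ssh),                                               # 1 s at fillRate 1 refills one credit
        (1.0, packet("tcp", "192.0.2.9", 40000, "10.6.82.35", 22)),   # wrong source: falls to next rule
        (1.0, packet("udp", "198.51.100.7", 5060, "10.6.82.35", 5060)),
        (1.0, packet("udp", "198.51.100.7", 5061, "10.6.82.35", 5061)),
    ]
    verdicts = [acl.evaluate(pkt, now) for now, pkt in stream]
    return verdicts, acl.stats


if __name__ == "__main__":
    for v in demo()[0]:
        print(v)
```

The third SSH packet is discarded by the policer of the rule that matched it, not by the discard rule with precedence 20; the statistics counters therefore attribute it to ssh_from_oam, which is what you should expect to see in ipAclRuleStatistics when a permitted peer exceeds its fillRate.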


Command Examples

set addressContext default ipAccessControlList rule 2 action accept bucketSize unlimited destinationAddressPrefixLength 2 destinationIpAddress 10.34.25.153 destinationPort any fillRate 33 ipInterface ipInterface1 ipInterfaceGroup INTERNAL_IPIG precedence 22 protocol any sourceAddressPrefixLength 1 sourceIpAddress 10.32.22.145 sourcePort any state disabled
 
show addressContext default ipAccessControlList
	rule 2 {
		precedence 22;
		protocol any;
		ipInterfaceGroup INTERNAL_IPIG;
		ipInterface ipInterface1;
		sourceIpAddress 10.32.22.145;
		sourceAddressPrefixLength 1;
		destinationIpAddress 10.34.25.153;
		destinationAddressPrefixLength 2;
		sourcePort any;
		destinationPort any;
		action accept;
		fillRate 33;
		bucketSize unlimited;
		state disabled;
	}

To display the IP access control list details with display level set to 1:

show addressContext default ipAccessControlList displaylevel 1
 rule RULE1;
 rule rule1;

To display the IP access control list details with display level set to 3:

show addressContext default ipAccessControlList displaylevel 3
	rule RULE1 {
		precedence 4;
	}
	rule rule1 {
		precedence 1;
		protocol any;
		sourceIpAddress 0.0.0.0;
		sourceAddressPrefixLength 0;
		destinationIpAddress 0.0.0.0;
		destinationAddressPrefixLength 0;
		sourcePort any;
		destinationPort any;
		action accept;	
		fillRate unlimited;
		bucketSize unlimited;
		state disabled;
	}

To view the configured rules and precedence from System-level CLI:

show table addressContext default ipAccessControlList rule
 
show table addressContext default ipAccessControlList ipAclRulesByPrecedence

To view statistics from System-level CLI:

show table addressContext default ipAccessControlList ipAclOverallStatistics

show table addressContext a1 ipAccessControlList ipAclRuleStatistics 

If you use a management interface group other than the default, adding the set of ACL rules shown below replicates the default ACL rules that the system provides for the default management interface group. In this example, the management interface group mgmtGroup1 was created beforehand.

set addressContext default ipAccessControlList rule mgmt2_22 destinationPort 22 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 100 precedence 200 action accept state enabled
set addressContext default ipAccessControlList rule mgmt2_80 destinationPort 80 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 100 precedence 201 action accept state enabled
set addressContext default ipAccessControlList rule mgmt2_161 destinationPort 161 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 10 fillRate 50 precedence 202 action accept state enabled
set addressContext default ipAccessControlList rule mgmt2_123 sourcePort 123 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 4 fillRate 4 precedence 103 state enabled
set addressContext default ipAccessControlList rule mgmt2_162 sourcePort 162 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize fillRate 10 precedence 104 state enabled
set addressContext default ipAccessControlList rule mgmt2_1812 sourcePort 1812 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 4 fillRate 4 precedence 105 state enabled
set addressContext default ipAccessControlList rule mgmt2_2022 destinationPort 2022 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 10 precedence 206 action accept state enabled
set addressContext default ipAccessControlList rule mgmt2_443 destinationPort 443 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 100 precedence 208 action accept state enabled
set addressContext default ipAccessControlList rule mgmt2_2024 destinationPort 2024 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 250 fillRate 2500 precedence 209 action accept state enabled
set addressContext default ipAccessControlList rule mgmt2_1813 sourcePort 1813 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 250 fillRate 1200 precedence 110 state enabled
commit

To view the default system IP ACL statistics:

show table addressContext default ipAccessControlList defaultAclStatistics

                                  ADDRESS  LIF                                                                                                                                   
ACL                               CONTEXT  GRP  SOURCE IP          DESTINATION IP        POLICING     BUCKET                  POL  POL       PACKET  PACKET                      
ID   PROTOCOL  APPLICATION        ID       ID   ADDRESS            ADDRESS               MODE         SIZE       CREDIT RATE  ID   PRIORITY  ACCEPT  DISCARD  AGG POL   OWNER    
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
9    UDP       dns_udp_guest      *        *    * (53)             * (0)                 PktRate      50 pkt     1000 pkt/s   0    0         0       0        none      vm       
10   TCP       dns_tcp_guest      *        *    * (53)             * (0)                 PktRate      50 pkt     1000 pkt/s   0    0         0       0        none      vm       
11   TCP       sftp_guest         *        *    * (0)              * (2024)              DataPktRate  50000 pkt  50000 pkt/s  0    0         0       0        none      vm       
12   TCP       ssh_guest          *        *    * (0)              * (22)                DataPktRate  50000 pkt  50000 pkt/s  0    0         1       0        none      vm       
13   ICMPv4    icmpv4_guest       *        *    * (0)              * (0)                 DataPktRate  10 pkt     50 pkt/s     18   1         0       0        pol_icmp  vm       
14   ICMPv6    icmpv6_guest       *        *    * (0)              * (0)                 DataPktRate  10 pkt     400 pkt/s    18   1         0       0        pol_icmp  vm       
18   ICMPv4    icmpv4             *        *    * (0)              * (0)                 PktRate      50 pkt     50 pkt/s     22   1         66      0        ICMP      SBX5000  
19   ICMPv6    icmpv6             *        *    * (0)              * (0)                 PktRate      50 pkt     50 pkt/s     22   1         0       0        ICMP      SBX5000  
20   TCP       ssh                1        1    * (0)              10.6.82.35/32 (22)    PktRate      50 pkt     1000 pkt/s   19   1         118     0        OAM       SBX5000  
21   TCP       web-client         1        1    * (0)              10.6.82.35/32 (80)    PktRate      50 pkt     10 pkt/s     19   1         31      0        OAM       SBX5000  
22   UDP       snmp               1        1    * (0)              10.6.82.35/32 (161)   PktRate      50 pkt     1000 pkt/s   19   1         0       0        OAM       SBX5000  
23   TCP       confd              1        1    * (0)              10.6.82.35/32 (2022)  PktRate      50 pkt     100 pkt/s    19   1         0       0        OAM       SBX5000  
24   TCP       secure-web-client  1        1    * (0)              10.6.82.35/32 (443)   PktRate      50 pkt     20000 pkt/s  20   1         5583    0        SFTP      SBX5000  
25   TCP       sftp               1        1    * (0)              10.6.82.35/32 (2024)  PktRate      50 pkt     20000 pkt/s  20   1         0       0        SFTP      SBX5000  
26   TCP       connexIp-manager   1        1    * (0)              10.6.82.35/32 (444)   PktRate      50 pkt     20000 pkt/s  20   1         0       0        SFTP      SBX5000  
27   TCP       secure-LI-client   1        1    * (0)              10.6.82.35/32 (1099)  PktRate      50 pkt     10 pkt/s     19   1         0       0        OAM       SBX5000  
28   TCP       ssreq-tcp          1        1    * (0)              10.6.82.35/32 (3091)  PktRate      50 pkt     10 pkt/s     19   1         0       0        OAM       SBX5000  
29   UDP       ssreq-udp          1        1    * (0)              10.6.82.35/32 (3090)  PktRate      50 pkt     10 pkt/s     19   1         0       0        OAM       SBX5000  
30   TCP       ssh                1        1    * (0)              10.6.83.35/32 (22)    PktRate      50 pkt     1000 pkt/s   19   1         0       0        OAM       SBX5000  
31   TCP       web-client         1        1    * (0)              10.6.83.35/32 (80)    PktRate      50 pkt     10 pkt/s     19   1         0       0        OAM       SBX5000  
32   UDP       snmp               1        1    * (0)              10.6.83.35/32 (161)   PktRate      50 pkt     1000 pkt/s   19   1         0       0        OAM       SBX5000  
33   TCP       confd              1        1    * (0)              10.6.83.35/32 (2022)  PktRate      50 pkt     100 pkt/s    19   1         0       0        OAM       SBX5000  
34   TCP       secure-web-client  1        1    * (0)              10.6.83.35/32 (443)   PktRate      50 pkt     20000 pkt/s  20   1         0       0        SFTP      SBX5000  
35   TCP       sftp               1        1    * (0)              10.6.83.35/32 (2024)  PktRate      50 pkt     20000 pkt/s  20   1         0       0        SFTP      SBX5000  
36   TCP       connexIp-manager   1        1    * (0)              10.6.83.35/32 (444)   PktRate      50 pkt     20000 pkt/s  20   1         0       0        SFTP      SBX5000  
37   TCP       secure-LI-client   1        1    * (0)              10.6.83.35/32 (1099)  PktRate      50 pkt     10 pkt/s     19   1         0       0        OAM       SBX5000  
38   TCP       ssreq-tcp          1        1    * (0)              10.6.83.35/32 (3091)  PktRate      50 pkt     10 pkt/s     19   1         0       0        OAM       SBX5000  
39   UDP       ssreq-udp          1        1    * (0)              10.6.83.35/32 (3090)  PktRate      50 pkt     10 pkt/s     19   1         0       0        OAM       SBX5000  
40   UDP       ntp                1        1    10.1.1.2/32 (123)  * (0)                 PktRate      50 pkt     10 pkt/s     21   1         267     0        RBA       SBX5000  
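The defaultAclStatistics output above is fixed-width text, which is awkward to monitor by eye once there are forty-odd rows. The parser below, added here as an example and not part of the SBC product, turns each row into a record and then answers the two questions an operator usually has: which rules are discarding packets, and how much traffic each application is admitting. The sample rows are copied from the table above, plus one constructed row (ACL ID 99, destination 192.0.2.10) with a non-zero discard count so that the check has something to report. Splitting columns on runs of two or more spaces is an assumption that holds for this output because single spaces occur only inside values such as "* (53)" and "1000 pkt/s".

```python
"""Parser for the fixed-width 'show table ... defaultAclStatistics' output shown
above, plus two checks an operator would run over it. Added example, not Ribbon
SBC code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[Optional[str], int]            # (address/prefix, or None for '*', port)
ENDPOINT_RE = re.compile(r"^(?P<addr>\S+) \((?P<port>\d+)\)$")

# Sample rows taken from the table above; row 99 is constructed to show a discarding rule.
SAMPLE = """\
                                  ADDRESS  LIF
ACL                               CONTEXT  GRP  SOURCE IP          DESTINATION IP        POLICING     BUCKET                  POL  POL       PACKET  PACKET
ID   PROTOCOL  APPLICATION        ID       ID   ADDRESS            ADDRESS               MODE         SIZE       CREDIT RATE  ID   PRIORITY  ACCEPT  DISCARD  AGG POL   OWNER
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
9    UDP       dns_udp_guest      *        *    * (53)             * (0)                 PktRate      50 pkt     1000 pkt/s   0    0         0       0        none      vm
12   TCP       ssh_guest          *        *    * (0)              * (22)                DataPktRate  50000 pkt  50000 pkt/s  0    0         1       0        none      vm
18   ICMPv4    icmpv4             *        *    * (0)              * (0)                 PktRate      50 pkt     50 pkt/s     22   1         66      0        ICMP      SBX5000
20   TCP       ssh                1        1    * (0)              10.6.82.35/32 (22)    PktRate      50 pkt     1000 pkt/s   19   1         118     0        OAM       SBX5000
21   TCP       web-client         1        1    * (0)              10.6.82.35/32 (80)    PktRate      50 pkt     10 pkt/s     19   1         31      0        OAM       SBX5000
40   UDP       ntp                1        1    10.1.1.2/32 (123)  * (0)                 PktRate      50 pkt     10 pkt/s     21   1         267     0        RBA       SBX5000
99   TCP       ssh                1        1    * (0)              192.0.2.10/32 (22)    PktRate      50 pkt     1000 pkt/s   19   1         4012    37       OAM       SBX5000
"""


@dataclass
class AclStat:
    acl_id: int
    protocol: str
    application: str
    address_context_id: str
    lif_grp_id: str
    source: Endpoint
    destination: Endpoint
    policing_mode: str
    bucket_size: int          # packets
    credit_rate: int          # packets per second
    pol_id: int
    pol_priority: int
    packet_accept: int
    packet_discard: int
    agg_pol: str
    owner: str


def parse_endpoint(text: str) -> Endpoint:
    """'* (53)' -> (None, 53); '10.6.82.35/32 (22)' -> ('10.6.82.35/32', 22)."""
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised address column: {text!r}")
    addr = m.group("addr")
    return (None if addr == "*" else addr), int(m.group("port"))


def parse_default_acl_statistics(output: str) -> List[AclStat]:
    rows = []
    for line in output.splitlines():
        if not re.match(r"^\d+\s", line):        # skip headers, ruler and blank lines
            continue
        f = re.split(r" {2,}", line.strip())     # columns are separated by 2+ spaces
        if len(f) != 16:
            raise ValueError(f"expected 16 columns, got {len(f)}: {line!r}")
        rows.append(AclStat(
            acl_id=int(f[0]), protocol=f[1], application=f[2],
            address_context_id=f[3], lif_grp_id=f[4],
            source=parse_endpoint(f[5]), destination=parse_endpoint(f[6]),
            policing_mode=f[7],
            bucket_size=int(f[8].split()[0]),     # '50 pkt' -> 50
            credit_rate=int(f[9].split()[0]),     # '1000 pkt/s' -> 1000
            pol_id=int(f[10]), pol_priority=int(f[11]),
            packet_accept=int(f[12]), packet_discard=int(f[13]),
            agg_pol=f[14], owner=f[15]))
    return rows


def rules_with_discards(rows: List[AclStat]) -> List[AclStat]:
    """Rules whose policer has dropped traffic: the first place to look when a
    management service is intermittently unreachable or a peer is flooding it."""
    return [r for r in rows if r.packet_discard > 0]


def accepted_by_application(rows: List[AclStat]) -> Dict[str, int]:
    """Accepted-packet totals per application, across all address contexts."""
    totals: Dict[str, int] = {}
    for r in rows:
        totals[r.application] = totals.get(r.application, 0) + r.packet_accept
    return totals


if __name__ == "__main__":
    recs = parse_default_acl_statistics(SAMPLE)
    for r in rules_with_discards(recs):
        print(f"ACL {r.acl_id} ({r.application}) discarded {r.packet_discard} packets")
    print(accepted_by_application(recs))
```

Run periodically against the real command output (for example, captured over the CLI into a file), a non-zero packetDiscard on an OAM rule such as ssh or snmp is worth an alert: it means the policer for that management service is engaging, which is either a legitimate client exceeding the configured creditRate or unwanted traffic reaching the management interface.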

The following example CLI ipAccessControlList commands define ACL rules to allow SSReq to receive packets on ports 3090 and 3091:

  • Port 3090 is used by the SSReq Server to receive XML requests over UDP from an SSReq Client.
  • Port 3091 is used by the SSReq Server to receive XML requests over TCP from an SSReq Client.

set addressContext default ipAccessControlList rule ssrequdp precedence 2 destinationPort 3090 state enabled
set addressContext default ipAccessControlList rule ssreqtcp precedence 3 destinationPort 3091 state enabled

Note

System ACLs are displayed only for default AddressContext.


System ACL Command Parameters

System ACL Parameters

Parameter

Description

addressContextID

Displays the address context ID of the ACL rule.

application

Displays the application that uses the ACL rule.

bucketSize

Displays the policer bucket size.

creditRate

Displays the allowed packet rate.

destinationIpAddress

Displays the destination IP address, Port Number and Prefix length.

lifGrpId

Displays the management group ID.

packetAccept

Displays the number of packets accepted by the rule.

packetDiscard

Displays the number of packets discarded by the ACL policer.

polId

Displays the aggregator policer ID.

polPriority

Displays the aggregator policer priority.

policingMode

Displays the policing mode in packets per second.

protocol

Displays the protocol type of the rule.

sourceIpAddress

Displays the source IP address, Port Number and Prefix length.