Security groups and security group rules control what traffic can access the instances. Use the Horizon dashboard GUI or the OpenStack CLI to create security rules or security groups. Refer to OpenStack documentation or the documentation provided by your OpenStack vendor for more information.
Prior to instantiating the SBC SWe Cloud on OpenStack, consider adding a rule that enables the ICMP protocol to enable the instance to respond to ping message. In addition to such basic rules, the following tables provide a summary of all the ports used by the SBC SWe Cloud application. Allow access through these ports by adding security rules in the default security group or in another security group you create and associate with the instance.
Continue to add, delete, or modify security rules after the instance is deployed.
Note:
Some ports are specific to an application or a feature and are only required when it is in use. Similarly, some ports are specific to a particular SBC personality type (M-SBC, S-SBC, I-SBC).
The fields in the following tables are:
Direction (initial) - for UDP, this will be BOTH. For TCP, this will be OUTBOUND for clients and INBOUND for servers (to match the direction of the initial connection).
These definitions match the way firewall rules are typically defined.
- Ether Type - It is either IPv4 or IPv6. Separate rules are supplied when both IPv4 and IPv6 are supported.
- IP Protocol - UDP or TCP.
- Local Port - an exact port number, or a wildcard. Note that TCP clients usually use an ephemeral local port which is wildcarded.
- Local IP/interface - the local interface or internal object (such as SIP SP)
- Remote Port - an exact port number, or a wildcard. Note that TCP clients usually use an ephemeral local port which is wildcarded.
- Remote Peers - peer type. Use this to set the most constrained remote network prefix.
The following three tables provide input for security rules grouped by port type.
Management Port
| Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes |
|---|---|---|---|---|---|
| Ingress | IPv4/v6 | TCP | 22 | 0.0.0.0/0 | SSH to CLI |
| Ingress | IPv4/v6 | UDP | 123 | ::/0 | NTP |
| Egress | IPv4/v6 | UDP | 123 | ::/0 | NTP |
| Ingress | IPv4/v6 | UDP | 161 | ::/0 | SNMP polling |
| Egress | IPv4/v6 | UDP | 161 | ::/0 | SNMP polling |
| Ingress | IPv4/v6 | UDP | 162 | ::/0 | SNMP traps |
| Egress | IPv4/v6 | UDP | 162 | ::/0 | SNMP traps |
| Ingress | IPv4/v6 | TCP | 2022 | 0.0.0.0/0 | NetConf over ssh |
| Ingress | IPv4/v6 | TCP | 2024 | 0.0.0.0/0 | SSH to Linux |
| Ingress | IPv4/v6 | TCP (HTTP) | 80 | 0.0.0.0/0 | EMA |
| Ingress | IPv4/v6 | TCP | 444 | 0.0.0.0/0 | Platform Manager |
| Ingress | IPv4/v6 | TCP (HTTPS) | 443 | 0.0.0.0/0 | REST to ConfD DB |
| Ingress | IPv4/v6 | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service |
| Egress | IPv4/v6 | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service |
| Ingress | IPv4/v6 | UDP | 3054 | ::/0 | Call processing requests |
| Egress | IPv4/v6 | UDP | 3054 | ::/0 | Call processing requests |
| Ingress | IPv4/v6 | UDP | 3055 | 0.0.0.0/0 | Keep-alives and registration |
| Egress | IPv4/v6 | UDP | 3055 | 0.0.0.0/0 | Keep-alives and registration |
| Ingress | IPv4/v6 | TCP | 8443 | 0.0.0.0/0 | VNFM REST to SBC VNF-R The remote IP is either the remote IP of the VNFM load balancer or is wild-carded to 0.0.0.0/0 |
| Egress | IPv4/v6 | TCP | 1024-65535 | x.x.x.x/y | SBC VNF-R REST interface towards VNFM |
HA Ports
| Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes |
|---|---|---|---|---|---|
| Ingress | IPv4 | UDP | 1024-65535 | ||
| Ingress | IPv4 | TCP | 4000-8000 | x.x.x.x/y | Remote IP is the HA subnet |
| Egress | IPv4 | TCP | 1-65535 | x.x.x.x/y | Initialization between VMs |
Packet Ports
| Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes |
|---|---|---|---|---|---|
| Ingress | IPv4 | UDP | 5060 | x.x.x.x/y | On the S-SBC only. One per signaling port accepting UDP SIP calls. The remote IP is either a peer network prefix or is wild-carded to 0.0.0.0/0 |
| Ingress | IPv6 | UDP | 5060 | x::x/y | IPv6 equivalent to the above. |
| Egress | IPv4 | UDP | 5060 | x.x.x.x/y | On the S-SBC only. One per signaling port initiating UDP SIP calls. The remote IP is either a peer network prefix or is wild-carded to 0.0.0.0/0 |
| Egress | IPv6 | UDP | 5060 | x::x/y | IPv6 equivalent to above. |
| Ingress | IPv4 | TCP | 5061 | x.x.x.x/y | TLS over TCP equivalents for each signaling port, for ingress calls. |
| Ingress | IPv6 | TCP | 5061 | x::x/y | IPv6 equivalent to above. |
| Ingress | IPv4 | UDP | 3055 | x.x.x.x/y | PSX queries. |
| Ingress | IPv6 | UDP | 3055 | x::x/y | IPv6 equivalent to above. |
| Egress | IPv4 | UDP | 3055 | x.x.x.x/y | PSX queries. |
| Egress | IPv6 | UDP | 3055 | x::x/y | IPv6 equivalent to above. |
| Egress | IPv4 | TCP | 1024-65535 | x.x.x.x/y | TCP equivalents for each signaling port initiating calls. Note that the source port is ephemeral for outbound TCP connections, hence the port range. |
| Egress | IPv6 | TCP | 1024-65535 | x::x/y | |
| Ingress | IPv4 | UDP | 1024-65535 | 0.0.0.0/0 | RTP port space. On the M-SBC and I-SBC only. |
| Ingress | IPv6 | UDP | 1024-65535 | ::/0 | |
| Egress | IPv4 | UDP | 1024-65535 | 0.0.0.0/0 | |
| Egress | IPv6 | UDP | 1024-65535 | ::/0 | |
| Egress | IPv4 | TCP | 1024-65535 | x.x.x.x/y | For the S-SBC only, client-side of media control protocol. The remote IP is the network prefix of the M-SBC cluster; the local port is ephemeral. |
| Ingress | IPv4 | TCP | 4019 | x.x.x.x/y | For the M-SBC and S-SBC, server-side of media control protocol. The remote IP is the network prefix of the S-SBC cluster. |
Overview
Content Tools