Examples of Creating ACL Rules

SIP Trunking ACLs

For a SIP Trunking configuration, use the following guidelines when creating ACL rules:

• Define ACL "white lists" to only allow traffic from the far ends (IP addresses) you are peering with. ACLs are used to prevent traffic from all other IP addresses except those on the "white list".
• For each trunk group, create an ACL that allows traffic from the far end with a high priority (low precedence value).
• Create a "Block Everything Else" ACL at a lower priority (higher precedence value). This has the effect of blocking all traffic EXCEPT traffic that is explicitly allowed.

Example Rules

1. Allow unlimited traffic
   
   This rule allows unlimited traffic from "10.35.66.187" (the IP address of the far end in this example). This IP address would also be an IP Peer, and in the trunk group ingress IP prefix) to destination port 5060.

   % set addressContext "default" ipAccessControlList rule "WHITELIST_PEER_01" precedence "1000" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" sourceIpAddress "10.35.66.187" sourceAddressPrefixLength "32" destinationPort "5060" state "enabled"

   Make sure the sourceAddressPrefixLength is set (32 in the above example). Otherwise it defaults to 0, which would allow all IP address to be "white listed".

2. Block all traffic not explicitly allowed
   
   As its name implies, this rule blocks all traffic that is not explicitly allowed. Enable the ACLs in order of precedence. So in this example, this ACL should be the last one enabled.

   % set addressContext "default" ipAccessControlList rule "DENYALL_UNTRUST" precedence "65015" ipInterfaceGroup "EXTERNAL.IPIG" action "discard"

   In the above examples, the precedence of WHITELIST_PEER_01 is a lower value than DENYALL_UNTRUST. This causes WHITELIST_PEER_01 to take precedence over DENYALL_UNTRUST, which allows traffic from 10.35.66.187 to be accepted by the SBC.

SIP Access ACLs

For a SIP Access configuration, you do not manually "white list" the IP address of all the phones that will register (since the address may change and there are so many). Instead, create a rule that allows traffic destined for the SIP Port of the SBC.

Summary of Steps Needed:

1. Create an ACL that allows traffic FROM any IP address destined for only the SBC SIP Port. This ACL should specify the protocol, destination IP address, destination port, and have a low precedence value. This ACL could also be used to limit the rate of traffic allowed on the SIP Port. See IP ACL Policing - Packet Filtering.
   
   
2. Create a "Block Everything Else" ACL with a high precedence value. In conjunction with the ACL from step #1, this has the effect of only allowing traffic destined to the SBC SIP port.
   
   
3. The SBC will automatically allow ("white list") traffic from phones once REGISTRATION is successful. This automatic step prevents the traffic from these phones from being included in the total traffic allowed for the ACL if included in step #1.

Example Rules

1. Allow traffic from any IP address destined for this SIP port
   
   This rule is an example for Step #1, where 10.35.66.143 is the SBC SIP Port IP address that phones register with, and 5060 is port.

   % set addressContext "default" ipAccessControlList rule "ALLOW_SIP_PORT_ACCESS" precedence "1001" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" destinationIpAddress "10.35.66.143" destinationPort "5060"

2. Block everything else
   
   This rule is an example for Step #2 in summary above. Enable the ACLs in order of precedence. So in this example, this ACL should be the last one enabled.

   % set addressContext "default" ipAccessControlList rule "DENYALL_ACCESS" precedence "65020" ipInterfaceGroup "EXTERNAL.IPIG" action "discard"

Debugging ACL

You may wish to allow some ICMP traffic. This can be useful for network debugging situations. Also, if you have the SBC Link Detection feature enabled with Ping Targets, then you must allow Ping traffic. Make sure this has a lower precedence value than your "discard all" rule.

Example Rule

Allow some ICMP (ping) traffic

This rule allows a small amount of ICMP traffic.

% set addressContext "default" ipAccessControlList rule "AllowICMP_UNTRUST" precedence "64985" protocol "icmp" ipInterfaceGroup "EXTERNAL.IPIG" fillRate "10" bucketSize "10" state "enabled"