In this section:

Resequencing Rules are not supported in the SBC SWe Edge.

To add or modify an ACL rule:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, go to Protocols > IP > Access Control Lists.

Creating a Rule Entry

For System Default IPv4 and IPv6 Access Control Lists Configuration, refer to: IPv4 and IPv6 ACLs.

For Sample Teams Direct Routing ACL Rule Configuration, refer to Teams Direct Routing ACLs.

Below includes instructions for creating an ACL rule entry.

  1. In the left navigation panel, click on Access Control Lists and click on the desired table.

  2. Click on the desired entry.

  3. Enter the desired configuration. See General Information Panel - Field Definitions.

    Note

    Federated IP addresses and FQDNs specified in an Access Control List are whitelisted.

  4. Click OK.

General Information Panel - Field Definitions

Protocol

The protocol of the IP packets subject to this rule. Valid options: TCP, UDP, ICMP, OSPF, Any, or Other. Default value: TCP.

Action

Specifies the action to be taken upon packets matching this rule. Valid selections: Allow (default, packets matching this rule are accepted) or Deny (packets matching this rule are not accepted).

IANA IP Protocol Number

The Internet Assigned Numbers Authority (IANA) port number for various protocols. This field is available only when Other is selected from the Protocol drop down box.

Port Selection Method

The Services option allows you to define the service for either UDP or TCP protocol. The Single Port option should be used to specify a specific source or destination port number. This field is available only when either TCP or UDP is selected from the Protocol drop down box. Valid entry: Service or Single.

Service

When this is the
Protocol selection... 
...the Service
choices are:
TCP
  • HTTPS
  • HTTP
  • SSH
UDP
  • SNMP
  • DHCP
  • DNS
  • RIP

Precedence

Every rule should have a unique precedence value. Value range is 1 - 65535. Default: 1.

Bucket Size

The policing bucket size (in packets). It represents a credit balance that should be consumed before the packets are discarded. The consumed credits reside in the bucket and gets reduced for every packet received.

 Valid entry: 0-255 packets/second.

Fill Rate

The number of packets to add to the bucket credit balance (in packets/second). If a packet is received at a rate exceeding this fill rate, it is discarded subjected to the discard rate set in the IP Policing Alarm profile or in the Policing Alarm monitoring this Media Port. The bucket credit balance is always less than the configured bucket size regardless of the size of this increment.

Valid entry: 0-25000 packet/second.

Interface Name

A drop-down menu that allows the user to select an interface to which this ACL rule should be applied.

Source Panel - Field Definitions

IP Address

The IPv4 source address of the packets subject to this rule.

Netmask

The subnet mask of the source IP address.

Port Number

The port number associated with the source packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop down box and Single Port is selected from the Port Selection Method drop down box.

Destination Panel - Field Definitions

IP Address

The IPv4 destination address of the packets subject to this rule.

Netmask

The subnet mask of the destination IP address.

Port Number

The port number associated with the source packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop down box and Single Port is selected from the Port Selection Method drop down box.

Modifying a Rule

  1. Click the expand () Icon next to the entry you wish to modify.
  2. Edit the entry properties as required, see details below.

To delete an entry, select the checkbox next to the entry and then click the Delete () icon.

Restrictions on Deleting ACLs

An ACL may not be deleted if it is bound to any port or logical interface. However, you may delete or modify a rule within a bound ACL. Any modification or deletion is effective immediately.

System Default IPv4 and IPv6 Access Control Lists

The following are the system defaults for IPv4 and IPv6 Access Control Lists.

System defaults for IPv4 and IPv6 cannot be deleted.


System Default IPv4 ACL List

IPv4 Default ListProtocolSource IP/MaskDestination IP/MaskProtocol ServiceActionInterface NamePrecedencePrimary Key
Allow DHCP Access
allow-dhcpv4-dstPort-67UDPAnyAnyDHCP/BOOTP (Server)Allow-650001
allow-dhcpv4-dstPort-68UDPAnyAny--None--Allow-650012
allow-dhcpv4-srtPort-67UDPAnyAny--None--Allow-650023
allow-dhcpv4-srtPort-68UDPAnyAny--None--Allow-650034
Allow Terminal Services
allow-ssh-=dstPort-22TCPAnyAnySSHAllow-650041
allow-ssh-=dstPort-80TCPAnyAnyHTTPAllow-650052
allow-ssh-=dstPort-443TCPAnyAnyHTTPSAllow-650063
Allow Everything
allow-all-tcpTCPAnyAny--None--Allow-650071
allow-all-udpUDPAnyAny--None--Allow-650082
allow-all-icmpICMPAnyAny--None--Allow-650093


System Default IPv6 ACL List

IPv6 Default ListProtocolSource IP/MaskDestination IP/MaskProtocol ServiceActionInterface NamePrecedencePrimary Key
Allow DHCP Access
allow-dhcpv4-dstPort-67UDPAnyAny--None--Allow-640001
allow-dhcpv4-dstPort-68UDPAnyAny--None--Allow-640012
allow-dhcpv4-srtPort-67UDPAnyAny--None--Allow-640023
allow-dhcpv4-srtPort-68UDPAnyAny--None--Allow-640034
Allow Terminal Services
allow-ssh-=dstPort-22TCPAnyAny--None--Allow-640041
allow-ssh-=dstPort-80TCPAnyAny--None--Allow-640052
allow-ssh-=dstPort-443TCPAnyAny--None--Allow-640063
Allow Everything
allow-all-tcpTCPAnyAny--None--Allow-640071
allow-all-udpUDPAnyAny--None--Allow-640082
allow-all-icmpICMPv6AnyAny--None--Allow-640093

Sample Teams Direct Routing ACL Rule Configuration


Sample ACL Rule for Microsoft Teams

DescriptionProtocolSource IP/MaskDestination IP/MaskProtocol ServiceActionInterface NamePrecedencePrimary Key
Outbound DNS RequestTCP<Source IP/Mask>AnyDNSAllowEthernet 111
Outbound DNS ReplyTCPAny<Destination IP/Mask>--None--AllowEthernet 122
Outbound DNS RequestUDP<Source IP/Mask>AnyDNSAllowEthernet 133
Outbound DNS ReplyUDPAny<Destination IP/Mask>--None--AllowEthernet 144
Outbound NTP RequestUDP<Source IP/Mask>Any--None--AllowEthernet 155
Outbound NTP ReplyUDPAny<Destination IP/Mask>--None--AllowEthernet 166
Outbound SIP RequestTCP<Source IP/Mask>Any--None--AllowEthernet 177
Outbound SIP ReplyTCPAny<Destination IP/Mask>--None--AllowEthernet 188
Inbound SIP RequestTCPAny<Destination IP/Mask>--None--AllowEthernet 199
Inbound SIP ReplyTCP<Source IP/Mask>Any--None--AllowEthernet 11010
Outbound DHCP Request Port-67UDPAnyAnyDHCP/BOOTP (Server)AllowEthernet 11111
Outbound DHCP Request Port-68UDPAnyAny--None--AllowEthernet 11212
Outbound DHCP Reply Port-67UPDAnyAny--None--AllowEthernet 11313
Outbound DHCP Reply Port-68UPDAnyAny--None--AllowEthernet 11414
Deny All ProtocolAnyAnyAny--None--DenyEthernet 11515