In this section:
To add or modify an ACL rule:
- In the WebUI, click the Settings tab.
- In the left navigation pane, click Protocols > IPv6 > Access Control Lists.
Creating a Rule Entry
- In the left navigation pane, click Protocols > IPv6 > Access Control Lists.
- Click the Create IPv6 Access Control List Entry ( ) icon.
- Enter the desired configuration. See General Information Panel - Field Definitions. For sample configurations, see Sample ACL Rule Configuration.
Click OK.
Modifying a Rule
- Click the expand () Icon next to the entry you wish to modify.
- Edit the entry properties as required, see details below.
To delete an entry, select the checkbox next to the entry and then click the Delete () icon.
Resequencing Rules
- Click the Resequence icon ( ) at the top of the table.
- Select the row(s) you want to move.
- Click the Move Selected Rows Up ( ) or Move Selected Rows Down ( ) icon to reposition the row(s) in the table.
- Click Apply.
General Information Panel - Field Definitions
Protocol
The protocol of the IP packets subject to this rule. Valid options: TCP, UDP, ICMP, OSPF, Any, or Other. Default value: TCP.
Action
Specifies the action to be taken upon packets matching this rule. Valid selections: Deny (default, packets matching this rule are not accepted) or Allow (packets matching this rule are accepted).
IANA IP Protocol Number
The Internet Assigned Numbers Authority (IANA) port number for various protocols. This field is available only when Other is selected from the Protocol drop down box.
Port Selection Method
Either Service or Range. The Services option allows you to define the service for either UDP or TCP protocol. The Range option should be used to specify a specific source or destination port number or port number range. This field is available only when either TCP or UDP is selected from the Protocol drop down box.
Service
Services available for either TCP or UPD. Only those Ports for which the SBC 1000/2000 is a server are available as Services. This field is available only when UDP or TCP is selected from the Port Selection Method drop down box.
Source Panel - Field Definitions
IP Address
Specifies the IPv6 address of the destination host or subnet; this entry is in a colon-hex notation (i.e., 2001:db8:10::100).
Network Prefix
Specifies the network prefix of the destination host or subnet (i.e., 0 - 128).
Minimum Port Number
The minimum port number associated with the source packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop down box and Range is selected from the Port Selection Method drop down box.
Maximum Port Number
The maximum port number associated with the source packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop down box and Range is selected from the Port Selection Method drop down box.
Destination Panel - Field Definitions
IP Address
Specifies the IPv6 address of the destination host or subnet; this entry is in a colon-hex notation (i.e., 2001:db8:10::100).
Network Prefix
Specifies the network prefix of the destination host or subnet (i.e., 0 - 128).
Minimum Port Number
The minimum port number associated with the destination packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop down box and Range is selected from the Port Selection Method drop down box.
Maximum Port Number
The maximum port number associated with the destination packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop down box and Range is selected from the Port Selection Method drop down box.
Sample ACL Rule Configuration
Isolated Management Traffic
Typical WAN/LAN Deployment
These are sample ACLs and should be customized for your specific deployment.
A typical SBC deployment may have two 'sides'. One side is the LAN-side or the corporate-network side, and the other is the Internet-side, WAN-side or the provider-network side. Neither side should be trusted entirely. ACLs must be configured so that only SIP/VOIP/RTP traffic is allowed on both sides. An additional task is usually to determine the IP interface WebUI/REST management is allowed on.
When configuring ACLs, it is possible to isolate the SBC out of the network. Ensure there are rules in place to accept HTTPS on at least one IP interface. The order of rules in the ACL is important.
For this example, consider that the Ribbon SBC 1000 has two IP interfaces
- Ethernet 1 IP: 2001:db8:12:3:10::10 (LAN-side, office-side, branch-side, corporate network-side)
- Ethernet 2 IP: 2001:db8:10:1:10::10 (SIP trunk side, WAN-side, Provider-side, Internet-side)
LAN Side ACL
(For this example, this ACL must be applied to 'Ethernet 1 IP' as "Input ACL")
Description | Protocol | Action | Port | Service | Source | Source Prefix Length | Source | Source Max Port | Dest IP | Dest Prefix Length | Dest Min Port | Dest Max Port | Description |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Allow WebUI/HTTPS | TCP | Allow | Service | HTTPS | :: | 0 | :: | 0 | For more security, replace the source IP and mask with the network addresses that is on the LAN-side. Also, consider the subnets used for VPN users of that corporate network. | ||||
Allow WebUI/HTTP to redirect to HTTPS | TCP | Allow | Service | HTTP | :: | 0 | :: | 0 | Not strictly required, but this is good for convenience. SBC will redirect all HTTP requests to HTTPS. | ||||
Accept SIP Signaling over UDP | UDP | Allow | Range | 2001:db8:40:1:1::1 | 128 | 1024 | 65535 | :: | 0 | 5060 | 5060 | Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. Source IP and mask, must match what is configured on the Federated-IP network as well. In this example, perhaps 2001:db8:40:1:1::1 is a IP-PBX that supports SIP over UDP. | |
Accept SIP Signaling over TCP and TLS | TCP | Allow | Range | 2001:db8:50:1:1::2
| 128 | 1024 | 65535 | :: | 0 | 5067 | 5067 | Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. Source IP and mask, must match what is configured on the Federated-IP network as well. In this example, perhaps 2001:db8:50:1:1::2 is a Lync Mediation Server that supports SIP over TLS. | |
Accept SIP Signaling TCP and TLS ACKs | TCP | Allow | Range | 2001:db8:50:1:1::2 | 128 | 5067 | 5067 | :: | 0 | 1024 | 65535 | Create one rule for every SIP server. This rule allows the TCP ACKs to return to the SBC. Source IP and mask, must match what is configured on the Federated-IP network as well. In this example, perhaps 2001:db8:50:1:1::2 is a Lync mediation server that supports SIP over TLS. | |
Accept RTP/RTCP packets | UDP | Allow | Range | :: | 0 | 1024 | 65535 | :: | 0 | 16384 | 17583 | Accept all RTP/SRTP packets. Note that the port-range must match that of Media System Configuration on the SBC. | |
Accept DNS responses | UDP | Allow | Range | :: | 0 | 53 | 53 | :: | 0 | 1024 | 65535 | Accept DNS responses for all DNS_requests initiated by the SBC. | |
Discard all other packets | ANY | Deny | :: | 0 | :: | 0 | Discard all other packets. |
SIP Trunk Side ACL
(For this example, this ACL must be applied to 'Ethernet 2 IP' as "Input ACL")
Description | Protocol | Action | Port | Source | Source Prefix | Source | Source Max Port | Dest IP | Dest Prefix | Dest Min Port | Dest Max Port | Description |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Accept SIP Signaling over UDP | UDP | Allow | Range | 2001:db8:20:5:1::20 | 128 | 1024 | 65535 | 2001:db8:10:1:10::10
| 128 | 5060 | 5060 | Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. Source IP and mask, must match what is configured on the Federated-IP network as well. In this example, perhaps 2001:db8:20:5:1::20 is the IP address of the SIP-trunk peer. |
Accept RTP/RTCP packets | UDP | Allow | Range | 2001:db8:20:5:1::20 | 128 | 1024 | 65535 | 2001:db8:10:1:10::10 | 128 | 16384 | 17583 | Accept all RTP/SRTP packets. Note that the port-range must match that of Media System Configuration on the SBC. |
Accept DNS responses | UDP | Allow | Range | :: | 0 | 53 | 53 | :: | 0 | 1024 | 65535 | Accept DNS responses for all DNS_requests initiated by the SBC. |
Discard all other packets | ANY | Deny | :: | 0 | :: | 0 | Discard all other packets. |