Page History
For SIP Trunking configurations, define ACL “white lists” to only allow traffic from the far ends (IP address) in a SIP peering scenario.
For each trunk group, do the following:
- Create an ACL with a high priority (low precedence value) to allow traffic from the far end.
- Create a “Block Everything Else” ACL at a lower priority (higher precedence value) to block all traffic EXCEPT traffic that is explicitly allowed.
| Include Page | ||||
|---|---|---|---|---|
|
Allow Unlimited Traffic
The below rule allows unlimited traffic from “10.35.66.187” (the IP address of the far end for this example) to destination port 5060. This IP address is also an IP Peer and included in the trunk group ingress IP prefix.
| Code Block | ||
|---|---|---|
| ||
% set addressContext "default" ipAccessControlList rule "WHITELIST_PEER_01" precedence "1000" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" sourceIpAddress "10.35.66.187" sourceAddressPrefixLength "32" destinationPort "5060" fillRate "unlimited" bucketSize "unlimited" state "enabled" |
Make sure the sourceAddressPrefixLength is set to a nonzero value (“32” is used in this example). Otherwise the length defaults to “0” which allows all IP addresses to be “white listed”.
Block All Traffic Not Explicitly Allowed
The following rule blocks all traffic that is not explicitly allowed:
| Code Block | ||
|---|---|---|
| ||
% set addressContext "default" ipAccessControlList rule "DENYALL_UNTRUST" precedence "65015" ipInterfaceGroup "EXTERNAL.IPIG" action "discard" |
The precedence of WHITELIST_PEER_01 is a lower value than DENYALL_UNTRUST. This causes WHITELIST_PEER_01 to take precedence over DENYALL_UNTRUST which allows the SBC to accept traffic from 10.35.66.187.
| Note |
|---|
| Enable the ACLs in precedence order. In this example, this ACL should be the last one enabled. |
Overview
Content Tools