An ACL cannot be deleted while it is bound to any port or logical interface. You may, however, modify or delete individual rules within a bound ACL, and any such modification or deletion takes effect immediately on the live traffic of every port the ACL is bound to.
Resequencing Rules
General Information Panel - Field Definitions
Protocol
The protocol of the IP packets subject to this rule. Valid options: TCP, UDP, ICMP, OSPF, Any, or Other. Default value: TCP.
Action
Specifies the action taken on packets matching this rule. Valid selections: Deny (default; packets matching this rule are not accepted) or Allow (packets matching this rule are accepted).
Port Selection Method
Either Service or Range. The Service option lets you select a named service for the TCP or UDP protocol. The Range option specifies a single source or destination port number or a port number range. This field is available only when TCP or UDP is selected from the Protocol drop-down box.
Service
Services available for TCP or UDP. Only those ports on which the SBC 1000/2000 acts as a server are available as Services. This field is available only when TCP or UDP is selected from the Protocol drop-down box and Service is selected from the Port Selection Method drop-down box.
Source Panel - Field Definitions
IP Address
Specifies the IPv6 address of the source host or subnet, in colon-hex notation (e.g., 2001:db8:10::100).
Network Prefix
Specifies the network prefix length of the source host or subnet (0 - 128). A prefix length of 128 matches exactly the given host; a shorter prefix matches every address in that subnet.
Minimum Port Number
The minimum source port number of the packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop-down box and Range is selected from the Port Selection Method drop-down box.
Maximum Port Number
The maximum source port number of the packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop-down box and Range is selected from the Port Selection Method drop-down box.
Destination Panel - Field Definitions
IP Address
Specifies the IPv6 address of the destination host or subnet, in colon-hex notation (e.g., 2001:db8:10::100).
Network Prefix
Specifies the network prefix length of the destination host or subnet (0 - 128).
Minimum Port Number
The minimum destination port number of the packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop-down box and Range is selected from the Port Selection Method drop-down box.
Maximum Port Number
The maximum destination port number of the packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop-down box and Range is selected from the Port Selection Method drop-down box.
Sample ACL Rule Configuration
Isolated Management Traffic
These are sample ACLs and should be customized for your specific deployment.
One use case for access control lists is to isolate management traffic on the SBC 2000 so that the SBC WebUI is reachable only through designated ports on the SBC (for example, the ADMIN port) and is not reachable on the ports that carry user traffic.
In a hosted or multi-tenant environment, the SBC is managed by a service provider and is shared with multiple end-customers. The ADMIN port is used solely for managing the SBC by the service provider. In order to configure this ACL, you must do the following:
Create ACLs that describe the type of traffic that should be accepted or denied.
Bind the ACLs to the ports for the designated purpose.
Sample ACL "usertraffic"
This ACL accepts only packets belonging to the VoIP application and is bound to all user ports. This example is for the SBC 2000 and should be customized for your specific requirements. Note that a /64 mask on a host address (as in rules 1, 2, 4 and 5) admits every address in that /64 subnet, not only the named host; use /128 to restrict a rule to a single host.

| ID | Source IP/Mask | Dest IP/Mask | Protocol | Source port | Destination port | Action | Notes |
|---|---|---|---|---|---|---|---|
| 1 | 2001:db8:7:1::7/64 | ANY | ANY | ANY | 5060 | ACCEPT | Accepts all traffic from the Lync server to the SBC's SIP port 5060 or the ASM's SIP port 5060. |
| 2 | 2001:db8:7:1::7/64 | ANY | UDP | 53 | ANY | ACCEPT | Accepts DNS traffic from the DNS server 2001:db8:7:1::7/64. |
| 3 | ANY | ANY | UDP | ANY | 16000-17000 | ACCEPT | Accepts all UDP traffic carrying RTP and RTCP payload from other devices to the SBC. The port range must be the same as the range configured under Media System Configuration. See . |
| 4 | 2001:db8:33:1::3/64 | ANY | UDP | 30000 | 30000 | ACCEPT | Accepts control packets between the ASM installed on the same SBC and the SBC CPU. UDP/30000 is a reserved port. |
| 5 | 2001:db8:33:1::3/64 | ANY | UDP | 30001 | 30001 | ACCEPT | Accepts control packets between the ASM installed on the same SBC and the SBC CPU. UDP/30001 is a reserved port. |
| 6 | ANY | ANY | UDP | 30000 | 30000 | DROP | Drops packets from any other source that uses the reserved port 30000. Rules 6 and 7 must come after rules 4 and 5, because the first matching rule decides. |
| 7 | ANY | ANY | UDP | 30001 | 30001 | DROP | Drops packets from any other source that uses the reserved port 30001. |
| 8 | ANY | ANY | ANY | ANY | ANY | DROP | Discards all traffic that the rules above do not match (explicit default deny). |
Sample ACL "admintraffic"
This ACL accepts the specified management traffic and discards all other packets. It should be bound to all ports used only for administration. This example is for the SBC 2000 and should be customized for your specific requirements. The table lists only the accept rules; as in the usertraffic ACL, finish with an explicit rule that drops all remaining traffic so the result does not depend on the default action.

| ID | Source IP Subnet | Dest IP Subnet | Protocol | Source port | Destination port | Action | Notes |
|---|---|---|---|---|---|---|---|
| 1 | ANY | ANY | TCP | ANY | 443 | ACCEPT | Accepts incoming HTTPS requests. |
| 2 | ANY | ANY | TCP | ANY | 80 | ACCEPT | Accepts incoming HTTP requests. |
| 3 | ANY | ANY | UDP | ANY | 161 | ACCEPT | Accepts incoming SNMP requests. |
| 4 | ANY | ANY | TCP | ANY | 22 | ACCEPT | Accepts incoming SSH requests. |
| 5 | ANY | 2001:db8:33:1::3/64 | TCP | ANY | 3389 | ACCEPT | Accepts incoming RDP packets to the ASM (assuming the ASM's IP address is 2001:db8:33:1::3/64). |
Sample ACL Binding
The ACLs in this example are applied only to the inbound direction of the ports. Once the ACLs are bound, ports Ethernet 1-4 are used only for VoIP and not for management, and the ADMIN port is used only for management and not for user traffic.

| Port | ACL Name | Direction | Notes |
|---|---|---|---|
| Ethernet 1 | usertraffic | INBOUND | Ethernet 1 is used only for user traffic such as VoIP calls. WebUI and any other management traffic is discarded. |
| Ethernet 2 | usertraffic | INBOUND | Same as above. |
| Ethernet 3 | usertraffic | INBOUND | Same as above. |
| Ethernet 4 | usertraffic | INBOUND | Same as above. |
| ADMIN | admintraffic | INBOUND | The ADMIN port is used only for administration. All user traffic (i.e., SIP, RTP) is discarded. |
Typical WAN/LAN Deployment
Info: These are sample ACLs and should be customized for your specific deployment.
A typical SBC deployment has two 'sides': the LAN side (the corporate-network side) and the Internet, WAN or provider-network side. Neither side should be trusted entirely. ACLs must be configured so that only SIP/VoIP/RTP traffic is allowed on both sides. An additional task is usually to decide on which IP interface WebUI/REST management is allowed.
Note: When configuring ACLs, it is possible to lock the SBC out of the network. Ensure there are rules in place to accept HTTPS on at least one IP interface before binding the ACLs. The order of rules in an ACL is significant: the first rule that matches a packet decides its fate.
For this example, consider a Ribbon SBC 1000 with two IP interfaces: 'Ethernet 1 IP' on the LAN side and 'Ethernet 2 IP' on the SIP trunk side.
LAN Side ACL
(For this example, this ACL must be applied to 'Ethernet 1 IP' as "Input ACL".)
| Rule | Protocol | Action | Port Selection | Service | Source IP | Source Prefix Length | Source Min Port | Source Max Port | Dest IP | Dest Prefix Length | Dest Min Port | Dest Max Port | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Allow WebUI/HTTPS | TCP | Allow | Service | HTTPS | :: | 0 | | | :: | 0 | | | For more security, replace the source IP and prefix with the network addresses used on the LAN side. Also consider the subnets used by VPN users of that corporate network. |
| Allow WebUI/HTTP to redirect to HTTPS | TCP | Allow | Service | HTTP | :: | 0 | | | :: | 0 | | | Not strictly required, but convenient: the SBC redirects all HTTP requests to HTTPS. |
| Accept SIP Signaling over UDP | UDP | Allow | Range | | 2001:db8:40:1:1::1 | 128 | 1024 | 65535 | :: | 0 | 5060 | 5060 | Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. The source IP and prefix must also match what is configured on the Federated IP network. In this example, 2001:db8:40:1:1::1 might be an IP-PBX that supports SIP over UDP. |
| Accept SIP Signaling over TCP and TLS | TCP | Allow | Range | | 2001:db8:50:1:1::2 | 128 | 1024 | 65535 | :: | 0 | 5067 | 5067 | Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. The source IP and prefix must also match what is configured on the Federated IP network. In this example, 2001:db8:50:1:1::2 might be a Lync Mediation Server that supports SIP over TLS. |
| Accept SIP Signaling TCP and TLS ACKs | TCP | Allow | Range | | 2001:db8:50:1:1::2 | 128 | 5067 | 5067 | :: | 0 | 1024 | 65535 | Create one rule for every SIP server. This rule admits the return packets (including TCP ACKs) of connections the SBC itself initiates to the server's port 5067; they arrive from source port 5067 at an ephemeral port on the SBC. The source IP and prefix must also match what is configured on the Federated IP network. In this example, 2001:db8:50:1:1::2 might be a Lync Mediation Server that supports SIP over TLS. |
| Accept RTP/RTCP packets | UDP | Allow | Range | | :: | 0 | 1024 | 65535 | :: | 0 | 16384 | 17583 | Accepts all RTP/SRTP packets. The port range must match the Media System Configuration on the SBC. |
| Accept DNS responses | UDP | Allow | Range | | :: | 0 | 53 | 53 | :: | 0 | 1024 | 65535 | Accepts DNS responses to all DNS requests initiated by the SBC. Because the ACL is stateless, this rule also admits any UDP packet whose source port is 53, whatever its sender and whichever port above 1023 it targets; restrict the Source IP to the configured DNS servers (prefix length 128) where the deployment allows. |
| Discard all other packets | ANY | Deny | | | :: | 0 | | | :: | 0 | | | Discards all other packets. |
SIP Trunk Side ACL
(For this example, this ACL must be applied to 'Ethernet 2 IP' as "Input ACL")
| Rule | Protocol | Action | Port Selection | Source IP | Source Prefix | Source Min Port | Source Max Port | Dest IP | Dest Prefix | Dest Min Port | Dest Max Port | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Accept SIP Signaling over UDP | UDP | Allow | Range | 2001:db8:20:5:1::20 | 128 | 1024 | 65535 | 2001:db8:10:1:10::10 | 128 | 5060 | 5060 | Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. The source IP and prefix must also match what is configured on the Federated IP network. In this example, 2001:db8:20:5:1::20 might be the IP address of the SIP trunk peer. |
| Accept RTP/RTCP packets | UDP | Allow | Range | 2001:db8:20:5:1::20 | 128 | 1024 | 65535 | 2001:db8:10:1:10::10 | 128 | 16384 | 17583 | Accepts all RTP/SRTP packets. The port range must match the Media System Configuration on the SBC. |
| Accept DNS responses | UDP | Allow | Range | :: | 0 | 53 | 53 | :: | 0 | 1024 | 65535 | Accepts DNS responses to all DNS requests initiated by the SBC. Because the ACL is stateless, restrict the Source IP to the configured DNS servers where possible; otherwise any packet with source port 53 is admitted to every port above 1023. |
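To make the rule-order, prefix-length and statelessness points concrete, here is an added Python model of the first-match evaluation that the ACLs on this page rely on. It is example code written for this page, not Ribbon code and not the SBC's own matching engine. The rule rows are transcribed from the LAN-side and SIP-trunk-side tables above (the two Service rows are expanded to ports 443 and 80); the management host 2001:db8:1::10, the SBC address 2001:db8:10:1:10::10 used for the probe, the test packets, and the default action applied when no rule matches are all constructed assumptions of the model, not documented device behaviour. The same evaluator also illustrates the isolated-management example (what a /64 on a host address really admits) and the lock-out note (check that HTTPS is still accepted on at least one interface before binding).

```python
"""Added example: first-match model of the stateless IPv6 ACLs on this page.

Not Ribbon code. Rules are transcribed from the LAN-side and SIP-trunk-side
tables; the packets, the management host 2001:db8:1::10 and the SBC address
2001:db8:10:1:10::10 used for the probe are constructed test inputs.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    """One ACL row. src/dst are IPv6 prefixes; port tuples are inclusive ranges."""
    name: str
    proto: str        # "TCP", "UDP" or "ANY"
    action: str       # "Allow" or "Deny"
    src: str
    src_ports: tuple
    dst: str
    dst_ports: tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def matches(rule, pkt):
    """Pure 5-tuple match with no connection state, which is why a 'DNS responses'
    rule with source ::/0 also admits any packet that merely claims source port 53."""
    if rule.proto != "ANY" and rule.proto != pkt.proto:
        return False
    if IPv6Address(pkt.src_ip) not in IPv6Network(rule.src, strict=False):
        return False
    if IPv6Address(pkt.dst_ip) not in IPv6Network(rule.dst, strict=False):
        return False
    return (rule.src_ports[0] <= pkt.src_port <= rule.src_ports[1]
            and rule.dst_ports[0] <= pkt.dst_port <= rule.dst_ports[1])


def evaluate(acl, pkt, default="Deny"):
    """First matching rule wins (rule order is significant on the SBC).
    Returns (action, rule name), or (default, None) when nothing matches; the
    default is a parameter of this model (assumption), not documented behaviour."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, None


def hosts_covered(prefix):
    """How many addresses a Source/Dest IP plus prefix length really admits."""
    return IPv6Network(prefix, strict=False).num_addresses


# 'Ethernet 1 IP' input ACL (LAN side); Service rows expanded to their ports.
LAN_ACL = [
    Rule("Allow WebUI/HTTPS", "TCP", "Allow", "::/0", ANY_PORTS, "::/0", (443, 443)),
    Rule("Allow WebUI/HTTP", "TCP", "Allow", "::/0", ANY_PORTS, "::/0", (80, 80)),
    Rule("Accept SIP Signaling over UDP", "UDP", "Allow",
         "2001:db8:40:1:1::1/128", (1024, 65535), "::/0", (5060, 5060)),
    Rule("Accept SIP Signaling over TCP and TLS", "TCP", "Allow",
         "2001:db8:50:1:1::2/128", (1024, 65535), "::/0", (5067, 5067)),
    Rule("Accept SIP Signaling TCP and TLS ACKs", "TCP", "Allow",
         "2001:db8:50:1:1::2/128", (5067, 5067), "::/0", (1024, 65535)),
    Rule("Accept RTP/RTCP packets", "UDP", "Allow", "::/0", (1024, 65535), "::/0", (16384, 17583)),
    Rule("Accept DNS responses", "UDP", "Allow", "::/0", (53, 53), "::/0", (1024, 65535)),
    Rule("Discard all other packets", "ANY", "Deny", "::/0", ANY_PORTS, "::/0", ANY_PORTS),
]

# 'Ethernet 2 IP' input ACL (SIP trunk side); note there is no HTTPS rule here.
TRUNK_ACL = [
    Rule("Accept SIP Signaling over UDP", "UDP", "Allow",
         "2001:db8:20:5:1::20/128", (1024, 65535), "2001:db8:10:1:10::10/128", (5060, 5060)),
    Rule("Accept RTP/RTCP packets", "UDP", "Allow",
         "2001:db8:20:5:1::20/128", (1024, 65535), "2001:db8:10:1:10::10/128", (16384, 17583)),
    Rule("Accept DNS responses", "UDP", "Allow", "::/0", (53, 53), "::/0", (1024, 65535)),
]


def management_reachable(bindings, mgmt_src="2001:db8:1::10", sbc_ip="2001:db8:10:1:10::10"):
    """Pre-flight check for the lock-out warning: which bound interfaces still
    admit an HTTPS connection from the management host? Bind the ACLs only if
    the returned list is non-empty."""
    probe = Packet("TCP", mgmt_src, 40000, sbc_ip, 443)
    return [name for name, acl in bindings.items() if evaluate(acl, probe)[0] == "Allow"]


if __name__ == "__main__":
    bindings = {"Ethernet 1 IP": LAN_ACL, "Ethernet 2 IP": TRUNK_ACL}
    print("HTTPS reachable via:", management_reachable(bindings))
    sbc = "2001:db8:10:1:10::10"
    for pkt in (Packet("UDP", "2001:db8:40:1:1::1", 5060, sbc, 5060),   # the IP-PBX
                Packet("UDP", "2001:db8:99::1", 5060, sbc, 5060),       # unknown host
                Packet("UDP", "2001:db8:99::1", 53, sbc, 5060)):        # spoofed source port 53
        print(pkt.src_ip, pkt.src_port, "->", pkt.dst_port, evaluate(LAN_ACL, pkt))
    print("/64 admits", hosts_covered("2001:db8:7:1::7/64"), "addresses; /128 admits",
          hosts_covered("2001:db8:7:1::7/128"))
```

The third probe packet is the one to study: an unknown host reaches the SBC's SIP port 5060 simply by setting its source port to 53, because the DNS-responses rule precedes the final deny and the ACL keeps no state about which DNS queries the SBC actually sent. Pinning that rule's Source IP to the DNS servers with prefix length 128 closes the hole; the same reasoning applies to the RTP rule with source ::/0. The `management_reachable` check shows that only 'Ethernet 1 IP' would still accept the WebUI after both ACLs are bound, which is exactly the condition the lock-out note asks you to verify.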