For a SIP Trunking configuration, use the following guidelines when creating ACL rules:
Allow unlimited traffic
This rule allows unlimited UDP traffic from 10.35.66.187 (the IP address of the far end in this example; the same address would also be configured as an IP Peer and in the trunk group's ingress IP prefix) to destination port 5060.
```
% set addressContext "default" ipAccessControlList rule "WHITELIST_PEER_01" precedence "1000" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" sourceIpAddress "10.35.66.187" sourceAddressPrefixLength "32" destinationPort "5060" state "enabled"
```
Note: Make sure sourceAddressPrefixLength is set (32 in the example above). Otherwise it defaults to 0, which would match every source address and effectively "white list" all IP addresses.
Block all traffic not explicitly allowed
As its name implies, this rule blocks all traffic that is not explicitly allowed. Enable the ACLs in order of precedence, so in this example this ACL should be the last one enabled.
```
% set addressContext "default" ipAccessControlList rule "DENYALL_UNTRUST" precedence "65015" ipInterfaceGroup "EXTERNAL.IPIG" action "discard"
```
Note: In the examples above, the precedence of WHITELIST_PEER_01 (1000) is a lower value than that of DENYALL_UNTRUST (65015). The lower value is evaluated first, so WHITELIST_PEER_01 takes precedence over DENYALL_UNTRUST and traffic from 10.35.66.187 is accepted by the SBC.
For a SIP Access configuration, you do not manually "white list" the IP address of every phone that will register (the addresses may change, and there are too many of them). Instead, create a rule that allows traffic destined for the SIP port of the
Summary of Steps Needed:
1. Allow traffic from any IP address destined for the SIP port.
2. Block everything else.
Allow traffic from any IP address destined for this SIP port
This rule is an example for Step #1, where 10.35.66.143 is the
```
% set addressContext "default" ipAccessControlList rule "ALLOW_SIP_PORT_ACCESS" precedence "1001" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" destinationIpAddress "10.35.66.143" destinationPort "5060"
```
Block everything else
This rule is an example for Step #2 in the summary above. Enable the ACLs in order of precedence, so in this example this ACL should be the last one enabled.
```
% set addressContext "default" ipAccessControlList rule "DENYALL_ACCESS" precedence "65020" ipInterfaceGroup "EXTERNAL.IPIG" action "discard"
```
You may wish to allow some ICMP traffic, which is useful when debugging network problems. Also, if you have the
Allow some ICMP (ping) traffic
This rule allows a small, rate-limited amount of ICMP traffic (fillRate and bucketSize of 10). Its precedence (64985) is lower than the deny-all rules, so it is evaluated before them.
```
% set addressContext "default" ipAccessControlList rule "AllowICMP_UNTRUST" precedence "64985" protocol "icmp" ipInterfaceGroup "EXTERNAL.IPIG" fillRate "10" bucketSize "10" state "enabled"
```
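The two rule sets above (the trunking pair WHITELIST_PEER_01 / DENYALL_UNTRUST and the access set ALLOW_SIP_PORT_ACCESS / AllowICMP_UNTRUST / DENYALL_ACCESS) only behave as described when precedence values and prefix lengths are right. The following Python script is an added example, not the SBC's own matching engine or vendor code: it parses the page's CLI lines into rule objects, evaluates constructed sample packets against them with "lowest precedence value wins" ordering, and includes a small audit that flags accept rules whose source prefix collapsed to /0 (the pitfall from the Note). Assumptions are labelled in comments: an unset action means accept, a rule is inert until its state is "enabled", an unset sourceAddressPrefixLength behaves as 0 as the Note states, destinationIpAddress is treated as an exact host, and a packet matching no rule falls through to accept. The deny-all lines have state "enabled" added here because the page says to enable them last.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the page's CLI commands, with state "enabled" added to the
# deny-all rules (the page enables them last; nothing else is changed).
TRUNK_RULES_CLI = [
    'set addressContext "default" ipAccessControlList rule "WHITELIST_PEER_01" precedence "1000" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" sourceIpAddress "10.35.66.187" sourceAddressPrefixLength "32" destinationPort "5060" state "enabled"',
    'set addressContext "default" ipAccessControlList rule "DENYALL_UNTRUST" precedence "65015" ipInterfaceGroup "EXTERNAL.IPIG" action "discard" state "enabled"',
]
ACCESS_RULES_CLI = [
    'set addressContext "default" ipAccessControlList rule "ALLOW_SIP_PORT_ACCESS" precedence "1001" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" destinationIpAddress "10.35.66.143" destinationPort "5060" state "enabled"',
    'set addressContext "default" ipAccessControlList rule "AllowICMP_UNTRUST" precedence "64985" protocol "icmp" ipInterfaceGroup "EXTERNAL.IPIG" fillRate "10" bucketSize "10" state "enabled"',
    'set addressContext "default" ipAccessControlList rule "DENYALL_ACCESS" precedence "65020" ipInterfaceGroup "EXTERNAL.IPIG" action "discard" state "enabled"',
]


@dataclass
class AclRule:
    name: str
    precedence: int
    interface_group: str
    action: str = "accept"          # assumption: no explicit action means accept
    enabled: bool = False           # assumption: inert until state "enabled"
    protocol: Optional[str] = None  # None = any protocol
    source: Optional[ipaddress.IPv4Network] = None
    destination: Optional[ipaddress.IPv4Network] = None
    dest_port: Optional[int] = None
    fill_rate: Optional[int] = None
    bucket_size: Optional[int] = None


def parse_rule(cli_line: str) -> AclRule:
    """Turn one 'set ... ipAccessControlList rule ...' line into an AclRule."""
    tokens = shlex.split(cli_line.lstrip("% "))
    kv, it = {}, iter(tokens)
    for tok in it:
        if tok in ("set", "ipAccessControlList"):
            continue                # bare keywords, not key/value pairs
        kv[tok] = next(it)
    source = None
    if "sourceIpAddress" in kv:
        # The Note's pitfall: an unset prefix length behaves as 0, and
        # 10.35.66.187/0 is every IPv4 address.
        plen = int(kv.get("sourceAddressPrefixLength", 0))
        source = ipaddress.ip_network(f"{kv['sourceIpAddress']}/{plen}", strict=False)
    destination = None
    if "destinationIpAddress" in kv:
        # Modelled as an exact host match (assumption; the page sets no prefix here).
        destination = ipaddress.ip_network(f"{kv['destinationIpAddress']}/32")
    return AclRule(
        name=kv["rule"], precedence=int(kv["precedence"]),
        interface_group=kv["ipInterfaceGroup"], action=kv.get("action", "accept"),
        enabled=kv.get("state") == "enabled", protocol=kv.get("protocol"),
        source=source, destination=destination,
        dest_port=int(kv["destinationPort"]) if "destinationPort" in kv else None,
        fill_rate=int(kv["fillRate"]) if "fillRate" in kv else None,
        bucket_size=int(kv["bucketSize"]) if "bucketSize" in kv else None,
    )


@dataclass(frozen=True)
class Packet:
    interface_group: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None  # None for ICMP


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    """Every set field of the rule must match; unset fields are wildcards."""
    if not rule.enabled or rule.interface_group != pkt.interface_group:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.source is not None and ipaddress.ip_address(pkt.src_ip) not in rule.source:
        return False
    if rule.destination is not None and ipaddress.ip_address(pkt.dst_ip) not in rule.destination:
        return False
    return rule.dest_port is None or rule.dest_port == pkt.dst_port


def evaluate(rules, pkt: Packet):
    """Lowest precedence value wins. Returns (rule name, action); a packet that
    matches nothing falls through to accept here (assumption), which is why the
    page ends each set with an explicit deny-all rule."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return None, "accept"


def audit_open_accepts(rules):
    """Defender's check: accept rules whose source prefix is /0 (the Note's pitfall)."""
    return [r.name for r in rules
            if r.action == "accept" and r.source is not None and r.source.prefixlen == 0]


def demo():
    trunk = [parse_rule(line) for line in TRUNK_RULES_CLI]
    access = [parse_rule(line) for line in ACCESS_RULES_CLI]
    peer = Packet("EXTERNAL.IPIG", "udp", "10.35.66.187", "10.35.66.143", 5060)
    stranger = Packet("EXTERNAL.IPIG", "udp", "198.51.100.7", "10.35.66.143", 5060)
    ping = Packet("EXTERNAL.IPIG", "icmp", "198.51.100.7", "10.35.66.143")
    tcp_5060 = Packet("EXTERNAL.IPIG", "tcp", "198.51.100.7", "10.35.66.143", 5060)
    # The same whitelist rule with sourceAddressPrefixLength omitted (the Note's pitfall).
    sloppy = parse_rule(TRUNK_RULES_CLI[0].replace('sourceAddressPrefixLength "32" ', ""))
    return {
        "trunk_peer": evaluate(trunk, peer),
        "trunk_stranger": evaluate(trunk, stranger),
        "trunk_sloppy_stranger": evaluate([sloppy, trunk[1]], stranger),
        "trunk_sloppy_audit": audit_open_accepts([sloppy, trunk[1]]),
        "access_phone": evaluate(access, stranger),
        "access_ping": evaluate(access, ping),
        "access_tcp": evaluate(access, tcp_5060),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

Run as a script, it shows the far-end peer accepted by WHITELIST_PEER_01 and an unknown source discarded by DENYALL_UNTRUST, then the same unknown source accepted once the prefix length is dropped, with the audit naming the offending rule; in the access set any source reaches UDP 5060 on 10.35.66.143, a ping is accepted by the rate-limited ICMP rule because 64985 sorts before 65020, and TCP to 5060 falls to DENYALL_ACCESS.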