Note: Not supported on the SBC 5100 and SBC 5200.
IP Access Control Lists (IP ACLs) are the packet filtering objects applied to incoming IP packets on the SBC. These objects protect the system from a variety of network-borne attacks. Use IP ACLs to specify rules that permit or deny packets into the SBC. An IP ACL can also pass matching traffic, but only at a policed rate.
Warning: When you create an IP ACL rule, its state defaults to "disabled". Change the state to "enabled" to activate the rule.
The default IP ACL supports 20 Record-Routes.
Info: When a user creates a new management group, the user must add user-defined ACL rules to obtain the equivalent of the rules that are set up for the default management group.
The SBC 5xx0/5400/7000/SWe CLI syntax, parameter descriptions and command examples are provided below. Refer to IP Access Control List - Cloud - CLI for the Cloud-equivalent CLI.
Command Syntax

```
% set addressContext <addressContext_name> ipAccessControlList...
```

Mandatory parameters:

```
rule <rule_name>
precedence <1-65535>
```

Non-mandatory parameters:

```
action <accept | discard>
bucketSize <bucket_size>
destinationAddressPrefixLength <length>
destinationIpAddress <IPv4/IPv6 Address>
destinationPort <port number>
fillRate <#>
ipInterface <ipInterface name>
ipInterfaceGroup <ipInterfaceGroup name>
mgmtIpInterface <mgmtIpInterface name>
mgmtIpInterfaceGroup <mgmtIpInterfaceGroup name>
minTTL <0-255>
protocol <any|0-255>
sourceAddressPrefixLength <0-128>
sourceIpAddress <IPv4/IPv6 Address>
sourcePort <port number>
state <disabled | enabled>
vmAppName <VM application name>
```
Command Parameters

Info: The following conditions apply. sourceIpAddress and sourcePort belong to the entity that sends packets to the SBC. destinationIpAddress and destinationPort belong to the SBC that receives the packets. ACLs apply only when an instance is receiving packets, not when it is sending them.

Table: IP Access Control List Parameters (Non-Cloud)

| Parameter | Length/Range | Description |
|---|---|---|
| Mandatory parameters: | | |
| addressContext | 1-23 | The name of the address context. The address context is a container of objects that correspond to a specific IP addressing domain. |
| rule | N/A | Access Control List rule name. |
| action | N/A | Action to take when this rule is matched. accept (default): incoming packets matching this ACL rule are accepted into the system. discard: incoming packets matching this ACL rule are discarded (not allowed into the system). |
| bucketSize | 1-255, or unlimited | The policing bucket size (in packets). The bucket size represents a credit balance that is consumed before packets are discarded. The credits reside in the bucket and are reduced for every packet received on the Network Interface (NI). If a packet is received when the credit balance is less than the size of the packet, the packet is discarded, subject to the discard rate set in the IP Policing Alarm profile or in the Policer Alarm monitoring this Media Port. A setting of 'unlimited' allows continuous policing. (default = 50) |
| destinationAddressPrefixLength | N/A | The length of the destination IP address prefix that must match. (default = 0) |
| destinationIpAddress | N/A | The destination IPv4 or IPv6 address to match. (default = 0.0.0.0) NOTE: When configuring a destinationIpAddress, the destinationAddressPrefixLength must also be specified. |
| destinationPort | 0-65535 | Destination port to match. |
| fillRate | 1-10000, or unlimited | The number of packets added to the bucket credit balance per second (in packets/second). If packets are received at a rate exceeding this fill rate, they are discarded, subject to the discard rate set in the IP Policing Alarm profile or in the Policer Alarm monitoring this Media Port. The bucket credit balance never exceeds the configured bucket size, regardless of the size of this increment. A setting of 'unlimited' passes packets unconditionally. (default = 50) |
| ipInterface | N/A | IP interface name to match, or "any" to match any IP interface. (See the Invalid Characters table below for characters that are not allowed.) |
| ipInterfaceGroup | N/A | IP interface group name to match. (See the Invalid Characters table below for characters that are not allowed.) |
| mgmtIpInterface | N/A | Management IP interface name to match, or "any" to match any management IP interface. (See the Invalid Characters table below for characters that are not allowed.) |
| mgmtIpInterfaceGroup | N/A | Management IP interface group name to match, or "any" to match any management IP interface group. (See the Invalid Characters table below for characters that are not allowed.) |
| minTTL | 0-255 | Use this parameter for BFD traffic submission to specify the minimum TTL value allowed. For single-hop BFD traffic, set the value to 255. (default = 0) |
| precedence | 1-65535 | Specifies the rule precedence, which controls which ACL rule is applied when multiple rules match a given packet. If an incoming packet matches multiple rules, the IP ACL rule with the highest precedence (lowest numerical precedence value) is applied to that packet. Each IP ACL rule must use a unique precedence value. |
| protocol | N/A | IP protocol type to use as a criterion of the IP input match. Choices are 0-255, or one of the following: any (default): filter all protocols; icmp: filter ICMP only; icmpv6: filter ICMPv6 only; ospf: filter OSPF only; tcp: filter TCP only; udp: filter UDP only. These protocols are typically associated with particular logical port values. |
| sourceAddressPrefixLength | N/A | The length of the source IP address prefix that must match. (default = 0) |
| sourceIpAddress | N/A | The source IPv4 or IPv6 address to match. (default = 0.0.0.0) NOTE: When configuring a sourceIpAddress, the sourceAddressPrefixLength must also be specified. |
| sourcePort | 0-65535, or any | The source IP port to match. (default = any) |
| state | N/A | Administrative state of the IP access control list rule. enabled: all incoming packets are matched against this ACL rule. disabled (default): the ACL rule is not used for any incoming packet matching. |
| vmAppName | N/A | The virtual machine application name against which to apply this ACL rule. If no name is specified, the rule is applied to the SBC application. |
Table: Invalid Characters

The following characters are not allowed in interface and interface group names:

`#` `%` `^` `&` `(` `)` `{` `}` `<` `>` `,` `/` `;` `[` `]` `=` `!` `$` `*` `?` `|` `~` `<space>` `'` `"`
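The matching and policing semantics in the parameter table are easy to misread (in particular, that the lowest precedence number wins and that a rule does nothing until its state is enabled), so here is an added Python model of them. This is example code written for this page, not Ribbon's implementation: it assumes that only enabled rules are consulted, that a prefix length of 0 matches any address, that bucketSize is the credit balance and fillRate the per-second refill, and that either value set to "unlimited" passes packets without policing. The names AclRule, Packet and evaluate() are chosen for the example. The page does not say how the SBC treats a packet that matches no rule, so the model reports it as `no-match` rather than guessing.

```python
"""Model of IP ACL rule matching and token-bucket policing.

Added example, not the SBC's own code. Assumed semantics (from the parameter
table): only "enabled" rules are consulted; of all matching rules the lowest
precedence number wins; addresses are compared on the first
*AddressPrefixLength bits (0 matches everything); bucketSize is the credit
balance, fillRate the credits added per second, and a packet that arrives with
no credit left is discarded by the policer. All names here are the example's own.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

Rate = Union[int, str]  # packet count (or packets/s), or the literal "unlimited"

_PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "icmpv6": 58, "ospf": 89}


def _proto_number(value: Union[int, str]) -> Optional[int]:
    """Normalise 'tcp', 'TCP' or '6' to an IANA protocol number; None means 'any'."""
    text = str(value).lower()
    if text == "any":
        return None
    return _PROTOCOL_NUMBERS[text] if text in _PROTOCOL_NUMBERS else int(text)


@dataclass
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    time: float = 0.0  # arrival time in seconds; drives the bucket refill


@dataclass
class AclRule:
    # Field names mirror the CLI parameters; defaults are the table's defaults.
    name: str
    precedence: int
    action: str = "accept"
    protocol: Union[int, str] = "any"
    sourceIpAddress: str = "0.0.0.0"
    sourceAddressPrefixLength: int = 0
    destinationIpAddress: str = "0.0.0.0"
    destinationAddressPrefixLength: int = 0
    sourcePort: Union[int, str] = "any"
    destinationPort: Union[int, str] = "any"
    bucketSize: Rate = 50
    fillRate: Rate = 50
    state: str = "disabled"
    # Policer bookkeeping (not CLI parameters).
    credits: float = field(init=False, default=0.0)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.credits = float("inf") if self.bucketSize == "unlimited" else float(self.bucketSize)

    @staticmethod
    def _ip_matches(addr: str, rule_ip: str, prefix_len: int) -> bool:
        if prefix_len == 0:
            return True  # prefix length 0 matches any address, IPv4 or IPv6
        network = ipaddress.ip_network(f"{rule_ip}/{prefix_len}", strict=False)
        return ipaddress.ip_address(addr) in network  # False on a v4/v6 mismatch

    @staticmethod
    def _port_matches(rule_port: Union[int, str], pkt_port: int) -> bool:
        return rule_port == "any" or int(rule_port) == pkt_port

    def matches(self, pkt: Packet) -> bool:
        if self.state != "enabled":
            return False  # a rule left at the default "disabled" never matches
        wanted = _proto_number(self.protocol)
        if wanted is not None and wanted != _proto_number(pkt.protocol):
            return False
        return (self._ip_matches(pkt.src_ip, self.sourceIpAddress, self.sourceAddressPrefixLength)
                and self._ip_matches(pkt.dst_ip, self.destinationIpAddress,
                                     self.destinationAddressPrefixLength)
                and self._port_matches(self.sourcePort, pkt.src_port)
                and self._port_matches(self.destinationPort, pkt.dst_port))

    def police(self, now: float) -> bool:
        """Token bucket: spend one credit if available; False means the policer drops it."""
        if self.bucketSize == "unlimited" or self.fillRate == "unlimited":
            return True
        elapsed = max(0.0, now - self.last_time)
        self.last_time = now
        # Refill at fillRate credits/second, never beyond bucketSize.
        self.credits = min(float(self.bucketSize), self.credits + elapsed * float(self.fillRate))
        if self.credits < 1.0:
            return False
        self.credits -= 1.0
        return True


def evaluate(rules: List[AclRule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, rule name): 'accept', 'discard' or 'no-match'."""
    matching = [r for r in rules if r.matches(pkt)]
    if not matching:
        return ("no-match", None)
    rule = min(matching, key=lambda r: r.precedence)  # lowest number = highest precedence
    if rule.action == "discard":
        return ("discard", rule.name)
    if not rule.police(pkt.time):
        return ("discard", rule.name)  # accepted by the rule, dropped by its policer
    return ("accept", rule.name)


def demo() -> List[Tuple[str, Optional[str]]]:
    """Constructed rules and packets (addresses are documentation ranges)."""
    rules = [
        AclRule("mgmt_ssh", precedence=200, protocol="tcp",
                destinationIpAddress="10.6.82.35", destinationAddressPrefixLength=32,
                destinationPort=22, bucketSize=2, fillRate=1, state="enabled"),
        AclRule("block_net", precedence=10, action="discard",
                sourceIpAddress="192.0.2.0", sourceAddressPrefixLength=24, state="enabled"),
        AclRule("catch_all_off", precedence=1, action="discard"),  # state left "disabled"
    ]

    def ssh(src: str, t: float) -> Packet:
        return Packet("tcp", src, 40000, "10.6.82.35", 22, t)

    packets = [ssh("198.51.100.7", 0.0), ssh("198.51.100.7", 0.0), ssh("198.51.100.7", 0.0),
               ssh("198.51.100.7", 1.0), ssh("192.0.2.5", 1.0),
               Packet("udp", "198.51.100.7", 40000, "10.6.82.35", 161, 1.0)]
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In the demo the third SSH packet in the same second is discarded by the policer (bucketSize 2, fillRate 1), the fourth passes once a second has elapsed, the packet from 192.0.2.5 is discarded by `block_net` even though `mgmt_ssh` also matches (10 beats 200), and the disabled catch-all rule never fires.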
Command Examples

```
set addressContext default ipAccessControlList rule 2 action accept bucketSize unlimited destinationAddressPrefixLength 2 destinationIpAddress 10.34.25.153 destinationPort any fillRate 33 ipInterface ipInterface1 ipInterfaceGroup INTERNAL_IPIG precedence 22 protocol any sourceAddressPrefixLength 1 sourceIpAddress 10.32.22.145 sourcePort any state disabled

show addressContext default ipAccessControlList
rule 2 {
    precedence 22;
    protocol any;
    ipInterfaceGroup INTERNAL_IPIG;
    ipInterface ipInterface1;
    sourceIpAddress 10.32.22.145;
    sourceAddressPrefixLength 1;
    destinationIpAddress 10.34.25.153;
    destinationAddressPrefixLength 2;
    sourcePort any;
    destinationPort any;
    action accept;
    fillRate 33;
    bucketSize unlimited;
    state disabled;
}
```
To display the IP access control list details with display level set to 1:

```
show addressContext default ipAccessControlList displaylevel 1
rule RULE1;
rule rule1;
```
To display the IP access control list details with display level set to 3:

```
show addressContext default ipAccessControlList displaylevel 3
rule RULE1 {
    precedence 4;
}
rule rule1 {
    precedence 1;
    protocol any;
    sourceIpAddress 0.0.0.0;
    sourceAddressPrefixLength 0;
    destinationIpAddress 0.0.0.0;
    destinationAddressPrefixLength 0;
    sourcePort any;
    destinationPort any;
    action accept;
    fillRate unlimited;
    bucketSize unlimited;
    state disabled;
}
```
To view the configured rules and precedence from the System-level CLI:

```
show table addressContext default ipAccessControlList rule
show table addressContext default ipAccessControlList ipAclRulesByPrecedence
```
To view statistics from the System-level CLI:

```
show table addressContext default ipAccessControlList ipAclOverallStatistics
show table addressContext a1 ipAccessControlList ipAclRuleStatistics
```
If you use a management interface group other than the default, adding the set of ACL rules shown below replicates the default ACL rules the system provides for the default management interface group. In this example, a management interface group mgmtGroup1 has been created previously.

```
set addressContext default ipAccessControlList rule mgmt2_22 destinationPort 22 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 100 precedence 200 action accept state enabled
set addressContext default ipAccessControlList rule mgmt2_80 destinationPort 80 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 100 precedence 201 action accept state enabled
set addressContext default ipAccessControlList rule mgmt2_161 destinationPort 161 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 10 fillRate 50 precedence 202 action accept state enabled
set addressContext default ipAccessControlList rule mgmt2_123 sourcePort 123 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 4 fillRate 4 precedence 103 state enabled
set addressContext default ipAccessControlList rule mgmt2_162 sourcePort 162 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize fillRate 10 precedence 104 state enabled
set addressContext default ipAccessControlList rule mgmt2_1812 sourcePort 1812 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 4 fillRate 4 precedence 105 state enabled
set addressContext default ipAccessControlList rule mgmt2_2022 destinationPort 2022 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 10 precedence 206 action accept state enabled
set addressContext default ipAccessControlList rule mgmt2_443 destinationPort 443 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 100 precedence 208 action accept state enabled
set addressContext default ipAccessControlList rule mgmt2_2024 destinationPort 2024 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 250 fillRate 2500 precedence 209 action accept state enabled
set addressContext default ipAccessControlList rule mgmt2_1813 sourcePort 1813 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 250 fillRate 1200 precedence 110 state enabled
commit
```
To view the default system IP ACL statistics:

```
show table addressContext default ipAccessControlList defaultAclStatistics
                                  ADDRESS LIF                                                                                                                                   VM
ACL                               CONTEXT GRP SOURCE IP       DESTINATION IP      POLICING    BUCKET     CREDIT      POL POL      PACKET PACKET                            GUEST
ID  PROTOCOL APPLICATION          ID      ID  ADDRESS         ADDRESS             MODE        SIZE       RATE        ID  PRIORITY ACCEPT DISCARD AGG POL  OWNER            ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
9 UDP dns_udp_guest * * * (53) * (0) PktRate 50 pkt 1000 pkt/s 0 0 0 0 none vm anyVm
10 TCP dns_tcp_guest * * * (53) * (0) PktRate 50 pkt 1000 pkt/s 0 0 0 0 none vm anyVm
11 TCP sftp_guest * * * (0) * (2024) DataPktRate 50000 pkt 50000 pkt/s 0 0 0 0 none vm anyVm
12 TCP ssh_guest * * * (0) * (22) DataPktRate 50000 pkt 50000 pkt/s 0 0 1 0 none vm anyVm
13 ICMPv4 icmpv4_guest * * * (0) * (0) DataPktRate 10 pkt 50 pkt/s 18 1 0 0 pol_icmp vm anyVm
14 ICMPv6 icmpv6_guest * * * (0) * (0) DataPktRate 10 pkt 400 pkt/s 18 1 0 0 pol_icmp vm anyVm
18 ICMPv4 icmpv4 * * * (0) * (0) PktRate 50 pkt 50 pkt/s 22 1 66 0 ICMP SBX5000SBX5400 host
19 ICMPv6 icmpv6 * * * (0) * (0) PktRate 50 pkt 50 pkt/s 22 1 0 0 ICMP SBX5000SBX5400 host
20 TCP ssh 1 1 * (0) 10.6.82.35/32 (22) PktRate 50 pkt 1000 pkt/s 19 1 118 0 OAM SBX5000SBX5400 host
21 TCP web-client 1 1 * (0) 10.6.82.35/32 (80) PktRate 50 pkt 10 pkt/s 19 1 31 0 OAM SBX5000SBX5400 host
22 UDP snmp 1 1 * (0) 10.6.82.35/32 (161) PktRate 50 pkt 1000 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
23 TCP confd 1 1 * (0) 10.6.82.35/32 (2022) PktRate 50 pkt 100 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
24 TCP secure-web-client 1 1 * (0) 10.6.82.35/32 (443) PktRate 50 pkt 20000 pkt/s 20 1 5583 0 SFTP SBX5000SBX5400 host
25 TCP sftp 1 1 * (0) 10.6.82.35/32 (2024) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000SBX5400 host
26 TCP connexIp-manager 1 1 * (0) 10.6.82.35/32 (444) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000SBX5400 host
27 TCP secure-LI-client 1 1 * (0) 10.6.82.35/32 (1099) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
28 TCP ssreq-tcp 1 1 * (0) 10.6.82.35/32 (3091) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
29 UDP ssreq-udp 1 1 * (0) 10.6.82.35/32 (3090) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
30 TCP ssh 1 1 * (0) 10.6.83.35/32 (22) PktRate 50 pkt 1000 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
31 TCP web-client 1 1 * (0) 10.6.83.35/32 (80) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
32 UDP snmp 1 1 * (0) 10.6.83.35/32 (161) PktRate 50 pkt 1000 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
33 TCP confd 1 1 * (0) 10.6.83.35/32 (2022) PktRate 50 pkt 100 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
34 TCP secure-web-client 1 1 * (0) 10.6.83.35/32 (443) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000SBX5400 host
35 TCP sftp 1 1 * (0) 10.6.83.35/32 (2024) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000SBX5400 host
36 TCP connexIp-manager 1 1 * (0) 10.6.83.35/32 (444) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000SBX5400 host
37 TCP secure-LI-client 1 1 * (0) 10.6.83.35/32 (1099) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
38 TCP ssreq-tcp 1 1 * (0) 10.6.83.35/32 (3091) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
39 UDP ssreq-udp 1 1 * (0) 10.6.83.35/32 (3090) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
40 UDP ntp 1 1 10.1.1.2/32 (123) * (0) PktRate 50 pkt 10 pkt/s 21 1 267 0 RBA SBX5000SBX5400 host
```
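The defaultAclStatistics table above is what you read when a management protocol (SSH, SNMP, NTP and so on) is intermittently unreachable: a rising PACKET DISCARD count means the rule's policer, not the rule itself, is dropping traffic. As an added example, not part of this page or of Ribbon's tooling, the Python below parses that output into records and lists the ACLs that have discarded packets. It assumes the 17-column layout shown above, with SOURCE IP and DESTINATION IP written as `<address or *> (<port>)`, BUCKET SIZE as `<n> pkt` and CREDIT RATE as `<n> pkt/s`; the function names are the example's own. The embedded sample contains four rows copied from the output above plus one constructed row (ACL ID 99) with a non-zero discard count.

```python
"""Parser for `show table ... defaultAclStatistics` output.

Added example, not SBC code. Assumes the 17-column layout shown on the page;
header, separator and blank lines are skipped because they do not start with a
numeric ACL ID. Function names are this example's own.
"""
import re
from typing import Dict, List

_ROW = re.compile(
    r"^\s*(?P<acl_id>\d+)\s+(?P<protocol>\S+)\s+(?P<application>\S+)\s+"
    r"(?P<address_context_id>\S+)\s+(?P<lif_grp_id>\S+)\s+"
    r"(?P<src_ip>\S+) \((?P<src_port>\d+)\)\s+(?P<dst_ip>\S+) \((?P<dst_port>\d+)\)\s+"
    r"(?P<policing_mode>\S+)\s+(?P<bucket_size>\d+) pkt\s+(?P<credit_rate>\d+) pkt/s\s+"
    r"(?P<pol_id>\d+)\s+(?P<pol_priority>\d+)\s+(?P<packet_accept>\d+)\s+(?P<packet_discard>\d+)\s+"
    r"(?P<agg_pol>\S+)\s+(?P<owner>\S+)\s+(?P<guest_id>\S+)\s*$"
)
_INT_FIELDS = ("acl_id", "src_port", "dst_port", "bucket_size", "credit_rate",
               "pol_id", "pol_priority", "packet_accept", "packet_discard")

# Constructed sample: an abridged header, four rows from the page's output and
# one constructed row (ACL ID 99) whose policer has discarded 12 packets.
SAMPLE = """\
ACL                  CONTEXT GRP SOURCE IP DESTINATION IP  POLICING  BUCKET  CREDIT ...
----------------------------------------------------------------------------------------
9 UDP dns_udp_guest * * * (53) * (0) PktRate 50 pkt 1000 pkt/s 0 0 0 0 none vm anyVm
20 TCP ssh 1 1 * (0) 10.6.82.35/32 (22) PktRate 50 pkt 1000 pkt/s 19 1 118 0 OAM SBX5000SBX5400 host
22 UDP snmp 1 1 * (0) 10.6.82.35/32 (161) PktRate 50 pkt 1000 pkt/s 19 1 0 0 OAM SBX5000SBX5400 host
40 UDP ntp 1 1 10.1.1.2/32 (123) * (0) PktRate 50 pkt 10 pkt/s 21 1 267 0 RBA SBX5000SBX5400 host
99 TCP ssh 1 1 * (0) 10.6.83.35/32 (22) PktRate 50 pkt 1000 pkt/s 19 1 40 12 OAM SBX5000SBX5400 host
"""


def parse_default_acl_statistics(text: str) -> List[Dict]:
    """Turn the CLI table into a list of dicts, one per ACL row; numeric columns become ints."""
    rows = []
    for line in text.splitlines():
        match = _ROW.match(line)
        if not match:
            continue  # header, separator or blank line
        row = match.groupdict()
        for key in _INT_FIELDS:
            row[key] = int(row[key])
        rows.append(row)
    return rows


def rules_with_discards(rows: List[Dict]) -> List[int]:
    """ACL IDs whose policer has dropped packets, in table order."""
    return [r["acl_id"] for r in rows if r["packet_discard"] > 0]


def accepted_by_application(rows: List[Dict]) -> Dict[str, int]:
    """Sum PACKET ACCEPT per application, merging rows that share a name."""
    totals: Dict[str, int] = {}
    for r in rows:
        totals[r["application"]] = totals.get(r["application"], 0) + r["packet_accept"]
    return totals


if __name__ == "__main__":
    parsed = parse_default_acl_statistics(SAMPLE)
    for r in parsed:
        print(r["acl_id"], r["application"], r["dst_ip"], r["dst_port"],
              "accept", r["packet_accept"], "discard", r["packet_discard"])
    print("policed ACLs:", rules_with_discards(parsed))
```

Feed the function the captured output of the `show table` command; a non-empty result from `rules_with_discards` points at the ACL whose bucketSize or creditRate is too small for the legitimate traffic on that port.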
The following example CLI ipAccessControlList commands define ACL rules that allow SSReq to receive packets on ports 3090 and 3091:
- Port 3090 is used by the SSReq Server to receive XML requests over UDP from an SSReq Client.
- Port 3091 is used by the SSReq Server to receive XML requests over TCP from an SSReq Client.

```
set addressContext default ipAccessControlList rule ssrequdp precedence 2 destinationPort 3090 state enabled
set addressContext default ipAccessControlList rule ssreqtcp precedence 3 destinationPort 3091 state enabled
```
Info: System ACLs are displayed only for the default AddressContext.
System ACL Command Parameters

Table: System ACL Parameters

| Parameter | Description |
|---|---|
| addressContextID | Displays the address context ID of the ACL rule. |
| application | Displays the application that uses the ACL rule. |
| bucketSize | Displays the policer bucket size. |
| creditRate | Displays the allowed packet rate. |
| destinationIpAddress | Displays the destination IP address, port number and prefix length. |
| lifGrpId | Displays the management group ID. |
| packetAccept | Displays the number of packets accepted by the rule. |
| packetDiscard | Displays the number of packets discarded by the ACL policer. |
| polId | Displays the aggregator policer ID. |
| polPriority | Displays the aggregator policer priority. |
| policingMode | Displays the policing mode in packets per second. |
| protocol | Displays the protocol type of the rule. |
| sourceIpAddress | Displays the source IP address, port number and prefix length. |