
Info: Resequencing Rules are not supported in the SBC SWe Lite.

To add or modify an ACL rule:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, go to Protocols > IP > Access Control Lists.

Creating a Rule Entry

Info: For System Default IPv4 and IPv6 Access Control Lists Configuration, refer to IPv4 and IPv6 ACLs. For Sample Teams Direct Routing ACL Rule Configuration, refer to Teams Direct Routing ACLs.

To create an ACL rule entry:

  1. In the left navigation panel, click Access Control Lists and then click the desired table.

  2. Click the Create Access Control List Entry icon on the desired entry.

  3. Enter the desired configuration. See SWe Lite and Modifying Rules for IPv4 Access Control Lists. For sample configurations, see SWe Lite and Modifying Rules for IPv4 Access Control Lists. For detailed field configuration, see Field Descriptions.

    Note: Federated IP addresses and FQDNs specified in an Access Control List are whitelisted.


  4. Click OK.

Figure: Create Rule Entry (image not available)

Modifying a Rule

...


Restrictions on Deleting ACLs

Note: An ACL may not be deleted if it is bound to any port or logical interface. However, you may delete or modify a rule within a bound ACL. Any modification or deletion is effective immediately.

Resequencing Rules

...

General Information Panel - Field Definitions

Protocol

The protocol of the IP packets subject to this rule. Valid options: TCP, UDP, ICMP, OSPF, Any, or Other. Default value: TCP.

Action

Specifies the action to be taken upon packets matching this rule. Valid selections: Allow (default, packets matching this rule are accepted) or Deny (packets matching this rule are not accepted).

IANA IP Protocol Number

The Internet Assigned Numbers Authority (IANA) protocol number for various protocols. This field is available only when Other is selected from the Protocol drop-down box.

Port Selection Method

Either Service or Single Port. The Service option allows you to define the service for either the UDP or TCP protocol. The Single Port option is used to specify a specific source or destination port number. This field is available only when either TCP or UDP is selected from the Protocol drop-down box.

Service

The Service choices depend on the Protocol selection:

  • TCP: HTTPS, HTTP, SSH
  • UDP: SNMP, DHCP, DNS, RIP

Precedence

This parameter specifies the rule precedence, which controls which ACL rule is applied when multiple rules match a given packet. If an incoming packet matches multiple rules, the IP ACL rule with the highest precedence (lowest numerical precedence value) is applied to that packet.

Every rule should have a unique precedence value. Valid entry: 1 - 65535. Default: 1.

Bucket Size

The policing bucket size (in packets). It represents a credit balance that must be consumed before packets are discarded. The credits reside in the bucket, and the balance is reduced for every packet received.

Valid entry: 0-255 packets/second.

Fill Rate

The number of packets to add to the bucket credit balance (in packets/second). If packets are received at a rate exceeding this fill rate, they are discarded, subject to the discard rate set in the IP Policing Alarm profile or in the Policer Policing Alarm monitoring this Media Port. The bucket credit balance is always less than the configured bucket size, regardless of the size of this increment.

Valid entry: 0-25000 packets/second.
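As an added illustration (not the SBC's own code), the following Python model treats the Bucket Size and Fill Rate fields as a token bucket: each received packet consumes one credit, credits refill at the fill rate, and the balance is capped at the bucket size. The one-credit-per-packet accounting and the initially full bucket are assumptions, and the discard rate from the Policing Alarm profile is not modelled.

```python
class Policer:
    """Token-bucket model of an ACL rule's Bucket Size and Fill Rate (assumed
    semantics: one credit per packet, refill at fill_rate/s, balance capped at
    bucket_size). Times are integer milliseconds so refill arithmetic is exact."""

    def __init__(self, bucket_size, fill_rate):
        self.bucket_size = bucket_size      # credits the bucket can hold (packets)
        self.fill_rate = fill_rate          # credits added per second
        self.credits = float(bucket_size)   # assumption: the bucket starts full
        self.last_ms = 0

    def offer(self, t_ms):
        """Account for one packet arriving at t_ms; True = forwarded, False = discarded."""
        refill = self.fill_rate * (t_ms - self.last_ms) / 1000
        self.credits = min(self.bucket_size, self.credits + refill)
        self.last_ms = t_ms
        if self.credits >= 1:
            self.credits -= 1
            return True
        return False


def police(bucket_size, fill_rate, arrivals_ms):
    """Run an arrival timeline through a fresh policer; returns (accepted, discarded)."""
    p = Policer(bucket_size, fill_rate)
    verdicts = [p.offer(t) for t in arrivals_ms]
    return verdicts.count(True), verdicts.count(False)


# Constructed arrival timelines (not captures from a real SBC).
BURST_50 = [0] * 50                             # 50 packets in the same millisecond
STEADY_10PPS = [100 * i for i in range(100)]    # one packet every 100 ms
STEADY_20PPS = [50 * i for i in range(100)]     # one packet every 50 ms

if __name__ == "__main__":
    # A burst larger than the bucket is trimmed to bucket_size packets.
    print("burst, bucket 20, fill 10:", police(20, 10, BURST_50))       # (20, 30)
    # A stream at exactly the fill rate is never throttled.
    print("10 pps, bucket 20, fill 10:", police(20, 10, STEADY_10PPS))  # (100, 0)
    # Twice the fill rate: the bucket drains, then every second packet is dropped.
    print("20 pps, bucket 20, fill 10:", police(20, 10, STEADY_20PPS))  # (69, 31)
```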

Interface Name

A drop-down menu that allows the user to select an interface to which this ACL rule should be applied.

Source Panel - Field Definitions

IP Address

The IPv4 source address of the packets subject to this rule.

Netmask

The subnet mask of the source IP address.

Port Number

The port number associated with the source packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop down box and Single Port is selected from the Port Selection Method drop down box.

Destination Panel - Field Definitions

IP Address

The IPv4 destination address of the packets subject to this rule.

Netmask

The subnet mask of the destination IP address.

Port Number

The port number associated with the destination packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop-down box and Single Port is selected from the Port Selection Method drop-down box.

...

Modifying a Rule

...

Isolated Management Traffic

...

Info: These are sample ACLs and should be customized for your specific deployment.

One use case for access control lists is to isolate management traffic on the SBC 2000 so that the SBC WebUI is available only through certain ports on the SBC (i.e., the Admin port) and is not accessible on the other ports.

In a hosted or multi-tenant environment, the SBC is managed by a service provider and is shared with multiple end-customers. The ADMIN port is used solely for managing the SBC by the service provider. To configure this ACL, you must do the following:

  • Create ACLs that describe the type of traffic that should be accepted or denied.
  • Bind the ACLs to the ports for the designated purpose.

Sample ACL "usertraffic"

This ACL allows only packets related to the VoIP application and is bound to all user ports. This example is for the SBC 2000 and should be customized for your specific requirements.

| ID | Source IP Subnet | Dest IP Subnet | Protocol | Source port | Destination port | Action | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 192.168.7.7/24 | ANY | ANY | ANY | 5060 | ACCEPT | Accepts all traffic from the Lync server to the SBC's SIP port 5060 or the ASM's SIP port 5060. |
| 2 | 192.168.9.8/24 | ANY | UDP | 53 | ANY | ACCEPT | Accepts DNS traffic from the DNS server 192.168.9.8. |
| 3 | ANY | ANY | UDP | ANY | 16000-17000 | ACCEPT | Accepts all UDP traffic carrying RTP and RTCP payload from other devices to the SBC. The port range should be the same as the range configured under Media System Configuration. See Configuring the Media System. |
| 4 | 192.168.33.3/24 | ANY | UDP | 30000 | 30000 | ACCEPT | Accepts control packets between the ASM installed on the same SBC and the SBC CPU. UDP/30000 is a reserved port. |
| 5 | 192.168.33.3/24 | ANY | UDP | 30001 | 30001 | ACCEPT | Accepts control packets between the ASM installed on the same SBC and the SBC CPU. UDP/30001 is a reserved port. |
| 6 | ANY | ANY | UDP | 30000 | 30000 | DROP | Drops any other source that uses the reserved port 30000. |
| 7 | ANY | ANY | UDP | 30001 | 30001 | DROP | Drops any other source that uses the reserved port 30001. |
| 8 | ANY | ANY | ANY | ANY | ANY | DROP | By default, discards all traffic if the above rules don't match. |

Sample ACL "admintraffic"

This ACL accepts the specified management traffic and discards all other packets. The ACL should also be bound to all ports used only for administration. This example is for the SBC 2000 and should be customized for your specific requirements.

| ID | Source IP Subnet | Dest IP Subnet | Protocol | Source port | Destination port | Action | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | ANY | ANY | TCP | ANY | 443 | ACCEPT | Accepts incoming HTTPS requests. |
| 2 | ANY | ANY | TCP | ANY | 80 | ACCEPT | Accepts incoming HTTP requests. |
| 3 | ANY | ANY | UDP | ANY | 161 | ACCEPT | Accepts incoming SNMP requests. |
| 4 | ANY | ANY | TCP | ANY | 22 | ACCEPT | Accepts incoming SSH requests. |
| 5 | ANY | 192.168.33.3/28 | TCP | ANY | 3389 | ACCEPT | Accepts incoming RDP packets to the ASM (assuming the ASM's IP address is 192.168.33.3). |
| 6 | ANY | ANY | ANY | ANY | ANY | DROP | By default, drops all traffic if the above rules don't match. |

Sample ACL Binding

The ACLs in this example are applied only to the inbound direction of the ports. Once the ACLs are bound to the ports, ports Ethernet 1-4 are used only for VoIP and not for management. The ADMIN port is used only for management and not for user traffic.

| Port | ACL Name | Direction | Notes |
| --- | --- | --- | --- |
| Ethernet 1 | usertraffic | INBOUND | Ethernet 1 is used only for user traffic such as VoIP calls. The WebUI or any management traffic will be discarded. |
| Ethernet 2 | usertraffic | INBOUND | Same as above. |
| Ethernet 3 | usertraffic | INBOUND | Same as above. |
| Ethernet 4 | usertraffic | INBOUND | Same as above. |
| ADMIN | admintraffic | INBOUND | The ADMIN port is used only for administration. All user traffic (i.e., SIP, RTP) is discarded. |
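The two sample ACLs and their binding, as an added example that is not the SBC's own code: a small Python evaluator that applies first match by ascending ID (the Precedence semantics described above) to constructed packets, showing that management traffic is dropped on Ethernet 1-4 while SIP/RTP is dropped on ADMIN. How the SBC interprets a subnet such as 192.168.7.7/24 and a port range is assumed here, not taken from the page.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:  # one row of the sample tables; the ID doubles as precedence (lowest wins)
    prec: int
    src: str     # source subnet in CIDR notation, or "ANY"
    dst: str     # destination subnet in CIDR notation, or "ANY"
    proto: str   # "TCP", "UDP" or "ANY"
    sport: str   # single port, "lo-hi" range, or "ANY"
    dport: str
    action: str  # "ACCEPT" or "DROP"

def _ip_ok(spec, ip):
    # strict=False so the table's "192.168.7.7/24" means the whole 192.168.7.0/24 (assumption)
    return spec == "ANY" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    lo, _, hi = spec.partition("-")
    return spec == "ANY" or int(lo) <= port <= int(hi or lo)

def evaluate(acl, pkt):
    """(action, precedence) of the lowest-precedence rule matching pkt; no match means DROP,
    mirroring the catch-all last row of both sample ACLs."""
    for r in sorted(acl, key=lambda r: r.prec):
        if (r.proto in ("ANY", pkt["proto"]) and _ip_ok(r.src, pkt["src"])
                and _ip_ok(r.dst, pkt["dst"]) and _port_ok(r.sport, pkt["sport"])
                and _port_ok(r.dport, pkt["dport"])):
            return r.action, r.prec
    return "DROP", None

USERTRAFFIC = [  # sample ACL "usertraffic", rows copied from the table above
    Rule(1, "192.168.7.7/24", "ANY", "ANY", "ANY", "5060", "ACCEPT"),
    Rule(2, "192.168.9.8/24", "ANY", "UDP", "53", "ANY", "ACCEPT"),
    Rule(3, "ANY", "ANY", "UDP", "ANY", "16000-17000", "ACCEPT"),
    Rule(4, "192.168.33.3/24", "ANY", "UDP", "30000", "30000", "ACCEPT"),
    Rule(5, "192.168.33.3/24", "ANY", "UDP", "30001", "30001", "ACCEPT"),
    Rule(6, "ANY", "ANY", "UDP", "30000", "30000", "DROP"),
    Rule(7, "ANY", "ANY", "UDP", "30001", "30001", "DROP"),
    Rule(8, "ANY", "ANY", "ANY", "ANY", "ANY", "DROP"),
]
ADMINTRAFFIC = [  # sample ACL "admintraffic"
    Rule(1, "ANY", "ANY", "TCP", "ANY", "443", "ACCEPT"),
    Rule(2, "ANY", "ANY", "TCP", "ANY", "80", "ACCEPT"),
    Rule(3, "ANY", "ANY", "UDP", "ANY", "161", "ACCEPT"),
    Rule(4, "ANY", "ANY", "TCP", "ANY", "22", "ACCEPT"),
    Rule(5, "ANY", "192.168.33.3/28", "TCP", "ANY", "3389", "ACCEPT"),
    Rule(6, "ANY", "ANY", "ANY", "ANY", "ANY", "DROP"),
]
# Sample ACL binding: usertraffic on Ethernet 1-4, admintraffic on ADMIN, inbound only.
BINDINGS = {f"Ethernet {n}": USERTRAFFIC for n in range(1, 5)}
BINDINGS["ADMIN"] = ADMINTRAFFIC

def inbound(port, **pkt):
    """Decision for a constructed packet (src, dst, proto, sport, dport) arriving on port."""
    return evaluate(BINDINGS[port], pkt)
```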

System Default IPv4 and IPv6 Access Control Lists

The following are the system defaults for IPv4 and IPv6 Access Control Lists.

Note: System defaults for IPv4 and IPv6 cannot be deleted.

Figure: System Default IPv4 ACL List

| IPv4 Default List | Protocol | Source IP/Mask | Destination IP/Mask | Protocol Service | Action | Interface Name | Precedence | Primary Key |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Allow DHCP Access | | | | | | | | |
| allow-dhcpv4-dstPort-67 | UDP | Any | Any | DHCP/BOOTP (Server) | Allow | - | 65000 | 1 |
| allow-dhcpv4-dstPort-68 | UDP | Any | Any | --None-- | Allow | - | 65001 | 2 |
| allow-dhcpv4-srtPort-67 | UDP | Any | Any | --None-- | Allow | - | 65002 | 3 |
| allow-dhcpv4-srtPort-68 | UDP | Any | Any | --None-- | Allow | - | 65003 | 4 |
| Allow Terminal Services | | | | | | | | |
| allow-ssh-=dstPort-22 | TCP | Any | Any | SSH | Allow | - | 65004 | 1 |
| allow-ssh-=dstPort-80 | TCP | Any | Any | HTTP | Allow | - | 65005 | 2 |
| allow-ssh-=dstPort-443 | TCP | Any | Any | HTTPS | Allow | - | 65006 | 3 |
| Allow Everything | | | | | | | | |
| allow-all-tcp | TCP | Any | Any | --None-- | Allow | - | 65007 | 1 |
| allow-all-udp | UDP | Any | Any | --None-- | Allow | - | 65008 | 2 |
| allow-all-icmp | ICMP | Any | Any | --None-- | Allow | - | 65009 | 3 |



Figure: System Default IPv6 ACL List

| IPv6 Default List | Protocol | Source IP/Mask | Destination IP/Mask | Protocol Service | Action | Interface Name | Precedence | Primary Key |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Allow DHCP Access | | | | | | | | |
| allow-dhcpv4-dstPort-67 | UDP | Any | Any | --None-- | Allow | - | 64000 | 1 |
| allow-dhcpv4-dstPort-68 | UDP | Any | Any | --None-- | Allow | - | 64001 | 2 |
| allow-dhcpv4-srtPort-67 | UDP | Any | Any | --None-- | Allow | - | 64002 | 3 |
| allow-dhcpv4-srtPort-68 | UDP | Any | Any | --None-- | Allow | - | 64003 | 4 |
| Allow Terminal Services | | | | | | | | |
| allow-ssh-=dstPort-22 | TCP | Any | Any | --None-- | Allow | - | 64004 | 1 |
| allow-ssh-=dstPort-80 | TCP | Any | Any | --None-- | Allow | - | 64005 | 2 |
| allow-ssh-=dstPort-443 | TCP | Any | Any | --None-- | Allow | - | 64006 | 3 |
| Allow Everything | | | | | | | | |
| allow-all-tcp | TCP | Any | Any | --None-- | Allow | - | 64007 | 1 |
| allow-all-udp | UDP | Any | Any | --None-- | Allow | - | 64008 | 2 |
| allow-all-icmp | ICMPv6 | Any | Any | --None-- | Allow | - | 64009 | 3 |



Sample Teams Direct Routing ACL Rule Configuration

Figure: Sample ACL Rule for Microsoft Teams

| Description | Protocol | Source IP/Mask | Destination IP/Mask | Protocol Service | Action | Interface Name | Precedence | Primary Key |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Outbound DNS Request | TCP | <Source IP/Mask> | Any | DNS | Allow | Ethernet 1 | 1 | 1 |
| Outbound DNS Reply | TCP | Any | <Destination IP/Mask> | --None-- | Allow | Ethernet 1 | 2 | 2 |
| Outbound DNS Request | UDP | <Source IP/Mask> | Any | DNS | Allow | Ethernet 1 | 3 | 3 |
| Outbound DNS Reply | UDP | Any | <Destination IP/Mask> | --None-- | Allow | Ethernet 1 | 4 | 4 |
| Outbound NTP Request | UDP | <Source IP/Mask> | Any | --None-- | Allow | Ethernet 1 | 5 | 5 |
| Outbound NTP Reply | UDP | Any | <Destination IP/Mask> | --None-- | Allow | Ethernet 1 | 6 | 6 |
| Outbound SIP Request | TCP | <Source IP/Mask> | Any | --None-- | Allow | Ethernet 1 | 7 | 7 |
| Outbound SIP Reply | TCP | Any | <Destination IP/Mask> | --None-- | Allow | Ethernet 1 | 8 | 8 |
| Inbound SIP Request | TCP | Any | <Destination IP/Mask> | --None-- | Allow | Ethernet 1 | 9 | 9 |
| Inbound SIP Reply | TCP | <Source IP/Mask> | Any | --None-- | Allow | Ethernet 1 | 10 | 10 |
| Outbound DHCP Request Port-67 | UDP | Any | Any | DHCP/BOOTP (Server) | Allow | Ethernet 1 | 11 | 11 |
| Outbound DHCP Request Port-68 | UDP | Any | Any | --None-- | Allow | Ethernet 1 | 12 | 12 |
| Outbound DHCP Reply Port-67 | UDP | Any | Any | --None-- | Allow | Ethernet 1 | 13 | 13 |
| Outbound DHCP Reply Port-68 | UDP | Any | Any | --None-- | Allow | Ethernet 1 | 14 | 14 |
| Deny All Protocol | Any | Any | Any | --None-- | Deny | Ethernet 1 | 15 | 15 |

Typical WAN/LAN Deployment

(Destination IP and mask may be replaced with a specific IP address of the SBC on the SIP-trunk side).
Sample ACL Rule (Packet Filter)

Info: These are sample ACLs and should be customized for your specific deployment.

A typical SBC deployment may have two 'sides'. One side is the LAN side (the corporate-network side), and the other is the Internet side (the WAN side or provider-network side). Neither side should be trusted entirely. ACLs must be configured so that only SIP/VoIP/RTP traffic is allowed on both sides. An additional task is usually to determine the IP interface on which WebUI/REST management is allowed.

Note: When configuring ACLs, it is possible to isolate the SBC from the network. Ensure there are rules in place to accept HTTPS on at least one IP interface. The order of rules in the ACL is important.

For this example, consider that the SBC 1000 has two IP interfaces:

  1. Ethernet 1 IP: 12.3.10.10/24 (LAN side, office side, branch side, corporate-network side)
  2. Ethernet 2 IP: 10.1.10.10/24 (SIP trunk side, WAN side, provider side, Internet side)

LAN Side ACL

(For this example, this ACL must be applied to 'Ethernet 1 IP' as "Input ACL")

| Description | Protocol | Action | Port Selection | Service | Source IP | Source Mask | Source Min Port | Source Max Port | Dest IP | Dest Mask | Dest Min Port | Dest Max Port | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Allow WebUI/HTTPS | TCP | Allow | Service | HTTPS | 0.0.0.0 | 0.0.0.0 | | | 0.0.0.0 | 0.0.0.0 | | | For more security, replace the source IP and mask with the network addresses that are on the LAN side. Also consider the subnets used for VPN users of that corporate network. |
| Allow WebUI/HTTP to redirect to HTTPS | TCP | Allow | Service | HTTP | 0.0.0.0 | 0.0.0.0 | | | 0.0.0.0 | 0.0.0.0 | | | Not strictly required, but this is good for convenience. The SBC will redirect all HTTP requests to HTTPS. |
| Accept SIP Signaling over UDP | UDP | Allow | Range | | 40.1.1.1 | 255.255.255.255 | 1024 | 65535 | 0.0.0.0 | 0.0.0.0 | 5060 | 5060 | Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. Source IP and mask must match what is configured on the Federated-IP network as well. In this example, perhaps 40.1.1.1 is an IP-PBX that supports SIP over UDP. |
| Accept SIP Signaling over TCP and TLS | TCP | Allow | Range | | 50.1.1.2 | 255.255.255.255 | 1024 | 65535 | 0.0.0.0 | 0.0.0.0 | 5067 | 5067 | Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. Source IP and mask must match what is configured on the Federated-IP network as well. In this example, perhaps 50.1.1.2 is a Lync Mediation Server that supports SIP over TLS. |
| Accept SIP Signaling TCP and TLS ACKs | TCP | Allow | Range | | 50.1.1.2 | 255.255.255.255 | 5067 | 5067 | 0.0.0.0 | 0.0.0.0 | 1024 | 65535 | Create one rule for every SIP server. This rule allows the TCP ACKs to return to the SBC. Source IP and mask must match what is configured on the Federated-IP network as well. In this example, perhaps 50.1.1.2 is a Lync Mediation Server that supports SIP over TLS. |
| Accept RTP/RTCP packets | UDP | Allow | Range | | 0.0.0.0 | 0.0.0.0 | 1024 | 65535 | 0.0.0.0 | 0.0.0.0 | 16384 | 17583 | Accept all RTP/SRTP packets. Note that the port range must match that of the Media System Configuration on the SBC. |
| Accept DNS responses | UDP | Allow | Range | | 0.0.0.0 | 0.0.0.0 | 53 | 53 | 0.0.0.0 | 0.0.0.0 | 1024 | 65535 | Accept DNS responses for all DNS requests initiated by the SBC. |
| Discard all other packets | ANY | Deny | | | 0.0.0.0 | 0.0.0.0 | | | 0.0.0.0 | 0.0.0.0 | | | Discard all other packets. |

(Destination IP and mask may be replaced with the specific IP address 12.3.10.10/255.255.255.255 to ensure that all communications use only that specific IP address.)

SIP Trunk Side ACL

(For this example, this ACL must be applied to 'Ethernet 2 IP' as "Input ACL")

| Description | Protocol | Action | Port Selection | Source IP | Source Mask | Source Min Port | Source Max Port | Dest IP | Dest Mask | Dest Min Port | Dest Max Port | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Accept SIP Signaling over UDP | UDP | Allow | Range | 20.5.1.20 | 255.255.255.255 | 1024 | 65535 | 10.1.10.10 | 255.255.255.255 | 5060 | 5060 | Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. Source IP and mask must match what is configured on the Federated-IP network as well. In this example, perhaps 20.5.1.20 is the IP address of the SIP-trunk peer. |
| Accept RTP/RTCP packets | UDP | Allow | Range | 20.5.1.20 | 255.255.255.255 | 1024 | 65535 | 10.1.10.10 | 255.255.255.255 | 16384 | 17583 | Accept all RTP/SRTP packets. Note that the port range must match that of the Media System Configuration on the SBC. |
| Accept DNS responses | UDP | Allow | Range | 0.0.0.0 | 0.0.0.0 | 53 | 53 | 0.0.0.0 | 0.0.0.0 | 1024 | 65535 | Accept DNS responses for all DNS requests initiated by the SBC. |
| Discard all other packets | ANY | Deny | | 0.0.0.0 | 0.0.0.0 | | | 0.0.0.0 | 0.0.0.0 | | | Discard all other packets. |