Info: Resequencing Rules are not supported in the SBC SWe Lite.
To add or modify an ACL rule:
Info: For System Default IPv4 and IPv6 Access Control List configuration, refer to IPv4 and IPv6 ACLs. For sample Teams Direct Routing ACL rule configuration, refer to Teams Direct Routing ACLs.
Below are the instructions for creating an ACL rule entry:
Enter the desired configuration. See SWe Lite and Modifying Rules for IPv4 Access Control Lists for the procedure and for sample configurations. For detailed field configuration, see Field Descriptions.
Note: Federated IP addresses and FQDNs specified in an Access Control List are whitelisted.
Click OK.
Note: An ACL may not be deleted if it is bound to any port or logical interface. However, you may delete or modify a rule within a bound ACL. Any modification or deletion is effective immediately.
The protocol of the IP packets subject to this rule. Valid options: TCP, UDP, ICMP, OSPF, Any, or Other. Default value: TCP.

Specifies the action to be taken upon packets matching this rule. Valid selections: Allow (default; packets matching this rule are accepted) or Deny (packets matching this rule are not accepted).

The Internet Assigned Numbers Authority (IANA) port number for various protocols. This field is available only when Other is selected from the Protocol drop down box.

Either Service or Single Port. The Service option allows you to define the service for either the UDP or the TCP protocol. The Single Port option should be used to specify a specific source or destination port number. This field is available only when either TCP or UDP is selected from the Protocol drop down box. Valid entry: Service or Single Port.

This parameter specifies the rule precedence, which controls which ACL rule is applied when multiple rules match a given packet. If an incoming packet matches multiple rules, the IP ACL rule with the highest precedence (lowest numerical precedence value) is applied to that packet. Every rule should have a unique precedence value. Valid entry: 1 - 65535. Default: 1.

The policing bucket size (in packets). It represents a credit balance that must be consumed before packets are discarded. The credits reside in the bucket and are reduced for every packet received. Valid entry: 0-255 packets/second.

The number of packets to add to the bucket credit balance (in packets/second). If packets are received at a rate exceeding this fill rate, they are discarded, subject to the discard rate set in the IP Policing Alarm profile or in the Policer Policing Alarm monitoring this Media Port. The bucket credit balance never exceeds the configured bucket size, regardless of the size of this increment. Valid entry: 0-25000 packets/second.
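The two policing fields above describe a token bucket: the bucket size caps the burst the rule will forward, the fill rate is the sustained packet rate it will forward, and credits never accumulate beyond the bucket size. The following is an added example, not Ribbon SBC code; the `Policer` class, the `simulate` helper and the arrival timestamps are constructed to show that behaviour.

```python
# Added example (not Ribbon SBC code): a token-bucket policer that behaves the
# way the Bucket Size and Fill Rate descriptions above state. Class and
# function names are hypothetical; arrival timestamps are constructed.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Policer:
    bucket_size: int                 # credit ceiling, in packets
    fill_rate: int                   # credits added per second
    credits: float = field(init=False)
    last_t: float = field(init=False, default=0.0)
    discarded: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.credits = float(self.bucket_size)   # bucket starts full

    def offer(self, t: float) -> bool:
        """Offer one packet arriving at time t (seconds, monotonic).
        Returns True if the packet is forwarded, False if it is discarded."""
        elapsed = max(0.0, t - self.last_t)
        # Refill at fill_rate, but never above bucket_size: a long idle gap
        # does not bank more burst allowance than the bucket holds.
        self.credits = min(float(self.bucket_size),
                           self.credits + elapsed * self.fill_rate)
        self.last_t = t
        if self.credits >= 1.0:
            self.credits -= 1.0          # each forwarded packet consumes a credit
            return True
        self.discarded += 1              # bucket empty: arrival rate > fill_rate
        return False


def simulate(bucket_size: int, fill_rate: int, arrivals: List[float]) -> Tuple[int, int]:
    """Run a constructed arrival pattern through a policer; return (forwarded, discarded)."""
    p = Policer(bucket_size, fill_rate)
    forwarded = sum(1 for t in arrivals if p.offer(t))
    return forwarded, p.discarded


if __name__ == "__main__":
    # 20 packets in one burst at t=0 against a 5-packet bucket, then 8 more one
    # second later, after the bucket has refilled (10 credits/s, capped at 5).
    burst = [0.0] * 20 + [1.0] * 8
    print(simulate(bucket_size=5, fill_rate=10, arrivals=burst))   # (10, 18)
```

The burst case is the one to understand when sizing these fields: a small bucket with a generous fill rate still discards most of a sudden flood, while a steady stream at or below the fill rate (for example one packet every 0.1 s against a fill rate of 10) is forwarded without loss.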
A drop-down menu that allows the user to select an interface to which this ACL rule should be applied.

The IPv4 source address of the packets subject to this rule.

The subnet mask of the source IP address.

The port number associated with the source packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop down box and Single Port is selected from the Port Selection Method drop down box.

The IPv4 destination address of the packets subject to this rule.

The subnet mask of the destination IP address.

The port number associated with the source packets subject to this rule. This field is available only when TCP or UDP is selected from the Protocol drop down box and Single Port is selected from the Port Selection Method drop down box.
These are sample ACLs and should be customized for your specific deployment.
One use case for access control lists is to isolate management traffic on the SBC 2000 so that the SBC WebUI is available only through certain ports on the SBC (i.e., the Admin port) and is not accessible on the remaining ports.
In a hosted or multi-tenant environment, the SBC is managed by a service provider and is shared with multiple end-customers. The ADMIN port is used solely for managing the SBC by the service provider. In order to configure this ACL, you must do the following:
This ACL allows packets related to the VoIP application only and is bound to all user ports. This example is for the SBC 2000 and should be customized for your specific requirements.
ID | Source IP Subnet | Dest IP Subnet | Protocol | Source port | Destination port | Action | Notes |
---|---|---|---|---|---|---|---|
1 | 192.168.7.7/24 | ANY | ANY | ANY | 5060 | ACCEPT | Accepts all traffic from Lync server to the SBC's SIP port 5060 or ASM's SIP port 5060. |
2 | 192.168.9.8/24 | ANY | UDP | 53 | ANY | ACCEPT | Accepts DNS traffic from the DNS server 192.168.9.8. |
3 | ANY | ANY | UDP | ANY | 16000-17000 | ACCEPT | |
4 | 192.168.33.3/24 | ANY | UDP | 30000 | 30000 | ACCEPT | Accepts control packets between ASM installed on the same SBC and the SBC CPU. UDP/30000 is a reserved port. |
5 | 192.168.33.3/24 | ANY | UDP | 30001 | 30001 | ACCEPT | Accepts control packets between ASM installed on the same SBC and the SBC CPU. UDP/30001 is a reserved port. |
6 | ANY | ANY | UDP | 30000 | 30000 | DROP | Drops any other source that uses the reserved port 30000. |
7 | ANY | ANY | UDP | 30001 | 30001 | DROP | Drops any other source that uses the reserved port 30001. |
8 | ANY | ANY | ANY | ANY | ANY | DROP | By default, discards all traffic if the above rules don't match. |
This ACL accepts specified management traffic and discards all other packets. The ACL should be bound to all ports used only for administration. This example is for the SBC 2000 and should be customized for your specific requirements.
ID | Source IP Subnet | Dest IP Subnet | Protocol | Source port | Destination port | Action | Notes |
---|---|---|---|---|---|---|---|
1 | ANY | ANY | TCP | ANY | 443 | ACCEPT | Accepts incoming HTTPS request. |
2 | ANY | ANY | TCP | ANY | 80 | ACCEPT | Accepts incoming HTTP request. |
3 | ANY | ANY | UDP | ANY | 161 | ACCEPT | Accepts incoming SNMP requests. |
4 | ANY | ANY | TCP | ANY | 22 | ACCEPT | Accepts incoming SSH requests. |
5 | ANY | 192.168.33.3/28 | TCP | ANY | 3389 | ACCEPT | Accepts incoming RDP packets to ASM (assuming ASM's IP address is 192.168.33.3). |
6 | ANY | ANY | ANY | ANY | ANY | DROP | By default, drops all traffic, if the above rules don't match. |
The ACLs in this example are applied only to the inbound direction of the ports. Once the ACLs are bound to the ports, ports Ethernet 1-4 are used only for VoIP and not for management. The ADMIN port is used only for management and not for user traffic.
Port | ACL Name | Direction | Notes |
---|---|---|---|
Ethernet 1 | usertraffic | INBOUND | Ethernet 1 is used primarily only for user's traffic such as VoIP calls. The WebUI or any management traffic will be discarded. |
Ethernet 2 | usertraffic | INBOUND | same as above. |
Ethernet 3 | usertraffic | INBOUND | same as above. |
Ethernet 4 | usertraffic | INBOUND | same as above. |
ADMIN | admintraffic | INBOUND | ADMIN port is used only for administration. All user traffic (i.e., SIP, RTP) is discarded. |
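The precedence field described earlier (lowest number wins when several rules match) together with the two sample ACLs above determine what each port lets through. The evaluator below is an added example, not Ribbon SBC code: it transcribes the usertraffic and admintraffic tables as rule lists, matches constructed packets against them in precedence order, and includes an `https_reachable` check for the lockout risk the page warns about when ACLs leave no interface accepting HTTPS. The `Rule`, `Packet`, `evaluate` and `https_reachable` names and every address used in the checks are assumptions.

```python
# Added example (not Ribbon SBC code): first-match ACL evaluation over the
# sample usertraffic / admintraffic tables. Names and test addresses are
# hypothetical; the rules themselves are transcribed from the tables.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    precedence: int   # lower number = higher precedence (checked first)
    src: str          # source subnet in CIDR notation, or ANY
    dst: str          # destination subnet in CIDR notation, or ANY
    proto: str        # TCP, UDP, ICMP or ANY
    sport: str        # source port: ANY, a single port, or "lo-hi"
    dport: str        # destination port, same syntax
    action: str       # ACCEPT or DROP
    note: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _net_match(spec: str, addr: str) -> bool:
    if spec == ANY:
        return True
    # strict=False applies the mask the way the SBC's Source Mask field does:
    # 192.168.7.7/24 admits every host in 192.168.7.0/24, not only .7.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == ANY:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == ANY or rule.proto == pkt.proto)
            and _net_match(rule.src, pkt.src) and _net_match(rule.dst, pkt.dst)
            and _port_match(rule.sport, pkt.sport) and _port_match(rule.dport, pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, precedence of the winning rule). Rules are tried in
    ascending precedence order and the first match wins; a packet matching
    no rule is dropped (the tables' final catch-all makes that explicit)."""
    for rule in sorted(acl, key=lambda r: r.precedence):
        if matches(rule, pkt):
            return rule.action, rule.precedence
    return "DROP", None


# Transcribed from the usertraffic table above.
USERTRAFFIC = [
    Rule(1, "192.168.7.7/24", ANY, ANY, ANY, "5060", "ACCEPT", "Lync server to SIP 5060"),
    Rule(2, "192.168.9.8/24", ANY, "UDP", "53", ANY, "ACCEPT", "DNS server"),
    Rule(3, ANY, ANY, "UDP", ANY, "16000-17000", "ACCEPT", "RTP range"),
    Rule(4, "192.168.33.3/24", ANY, "UDP", "30000", "30000", "ACCEPT", "ASM control"),
    Rule(5, "192.168.33.3/24", ANY, "UDP", "30001", "30001", "ACCEPT", "ASM control"),
    Rule(6, ANY, ANY, "UDP", "30000", "30000", "DROP", "other sources on 30000"),
    Rule(7, ANY, ANY, "UDP", "30001", "30001", "DROP", "other sources on 30001"),
    Rule(8, ANY, ANY, ANY, ANY, ANY, "DROP", "default deny"),
]

# Transcribed from the admintraffic table above.
ADMINTRAFFIC = [
    Rule(1, ANY, ANY, "TCP", ANY, "443", "ACCEPT", "HTTPS"),
    Rule(2, ANY, ANY, "TCP", ANY, "80", "ACCEPT", "HTTP"),
    Rule(3, ANY, ANY, "UDP", ANY, "161", "ACCEPT", "SNMP"),
    Rule(4, ANY, ANY, "TCP", ANY, "22", "ACCEPT", "SSH"),
    Rule(5, ANY, "192.168.33.3/28", "TCP", ANY, "3389", "ACCEPT", "RDP to ASM"),
    Rule(6, ANY, ANY, ANY, ANY, ANY, "DROP", "default deny"),
]


def https_reachable(acl: List[Rule], sbc_ip: str, client_ip: str = "10.0.0.5") -> bool:
    """Lockout check: would an HTTPS connection from client_ip (constructed
    default) to sbc_ip be accepted by this ACL? Run it against every bound
    ACL before committing; at least one interface must answer True."""
    action, _ = evaluate(acl, Packet(client_ip, sbc_ip, "TCP", 51000, 443))
    return action == "ACCEPT"


if __name__ == "__main__":
    sip = Packet("192.168.7.50", "10.1.10.10", "TCP", 51234, 5060)  # constructed
    print(evaluate(USERTRAFFIC, sip))                   # ('ACCEPT', 1)
    print(https_reachable(USERTRAFFIC, "10.1.10.10"))   # False: user ports drop WebUI
    print(https_reachable(ADMINTRAFFIC, "10.1.10.10"))  # True
```

Two things the evaluator makes visible that the tables do not: a /24 mask on a host address such as 192.168.9.8/24 admits the whole 192.168.9.0/24 subnet, so a rule meant for one DNS server or one Lync server matches any host on that subnet (use a /32 mask when one host is intended); and the explicit final DROP row is what turns the list into default-deny, so a packet that matches nothing before it is dropped rather than implicitly allowed.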
The following are the system defaults for IPv4 and IPv6 Access Control Lists.
Note: System defaults for IPv4 and IPv6 cannot be deleted.
When configuring ACLs, it is possible to isolate the SBC from the network. Ensure there are rules in place to accept HTTPS on at least one IP interface. The order of rules in the ACL is important.
For this example, consider that the
(For this example, this ACL must be applied to 'Ethernet 1 IP' as "Input ACL")
Description | Protocol | Action | Port | Service | Source | Source Mask | Source Min Port | Source Max Port | Dest IP | Dest Mask | Dest Min Port | Dest Max Port | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Allow WebUI/HTTPS | TCP | Allow | Service | HTTPS | 0.0.0.0 | 0.0.0.0 | | | 0.0.0.0 | 0.0.0.0 | | | For more security, replace the source IP and mask with the network addresses that are on the LAN side. Also consider the subnets used for VPN users of that corporate network. |
Allow WebUI/HTTP to redirect to HTTPS | TCP | Allow | Service | HTTP | 0.0.0.0 | 0.0.0.0 | | | 0.0.0.0 | 0.0.0.0 | | | Not strictly required, but good for convenience. The SBC will redirect all HTTP requests to HTTPS. |
Accept SIP Signaling over UDP | UDP | Allow | Range | | 40.1.1.1 | 255.255.255.255 | 1024 | 65535 | 0.0.0.0 | 0.0.0.0 | 5060 | 5060 | Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. Source IP and mask must match what is configured on the Federated-IP network as well. In this example, perhaps 40.1.1.1 is an IP-PBX that supports SIP over UDP. |
Accept SIP Signaling over TCP and TLS | TCP | Allow | Range | | 50.1.1.2 | 255.255.255.255 | 1024 | 65535 | 0.0.0.0 | 0.0.0.0 | 5067 | 5067 | Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. Source IP and mask must match what is configured on the Federated-IP network as well. In this example, perhaps 50.1.1.2 is a Lync Mediation Server that supports SIP over TLS. |
Accept SIP Signaling TCP and TLS ACKs | TCP | Allow | Range | | 50.1.1.2 | 255.255.255.255 | 5067 | 5067 | 0.0.0.0 | 0.0.0.0 | 1024 | 65535 | Create one rule for every SIP server. This rule allows the TCP ACKs to return to the SBC. Source IP and mask must match what is configured on the Federated-IP network as well. In this example, perhaps 50.1.1.2 is a Lync Mediation Server that supports SIP over TLS. |
Accept RTP/RTCP packets | UDP | Allow | Range | | 0.0.0.0 | 0.0.0.0 | 1024 | 65535 | 0.0.0.0 | 0.0.0.0 | 16384 | 17583 | Accept all RTP/SRTP packets. Note that the port range must match that of the Media System Configuration on the SBC. |
Accept DNS responses | UDP | Allow | Range | | 0.0.0.0 | 0.0.0.0 | 53 | 53 | 0.0.0.0 | 0.0.0.0 | 1024 | 65535 | Accept DNS responses for all DNS requests initiated by the SBC. |
Discard all other packets | ANY | Deny | | | 0.0.0.0 | 0.0.0.0 | | | 0.0.0.0 | 0.0.0.0 | | | Discard all other packets. |
(For this example, this ACL must be applied to 'Ethernet 2 IP' as "Input ACL")
Description | Protocol | Action | Port | Source | Source Mask | Source Min Port | Source Max Port | Dest IP | Dest Mask | Dest Min Port | Dest Max Port | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Accept SIP Signaling over UDP | UDP | Allow | Range | 20.5.1.20 | 255.255.255.255 | 1024 | 65535 | 10.1.10.10 | 255.255.255.255 | 5060 | 5060 | Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. Source IP and mask must match what is configured on the Federated-IP network as well. In this example, perhaps 20.5.1.20 is the IP address of the SIP-trunk peer. |
Accept RTP/RTCP packets | UDP | Allow | Range | 20.5.1.20 | 255.255.255.255 | 1024 | 65535 | 10.1.10.10 | 255.255.255.255 | 16384 | 17583 | Accept all RTP/SRTP packets. Note that the port range must match that of the Media System Configuration on the SBC. |
Accept DNS responses | UDP | Allow | Range | 0.0.0.0 | 0.0.0.0 | 53 | 53 | 0.0.0.0 | 0.0.0.0 | 1024 | 65535 | Accept DNS responses for all DNS requests initiated by the SBC. |
Discard all other packets | ANY | Deny | | 0.0.0.0 | 0.0.0.0 | | | 0.0.0.0 | 0.0.0.0 | | | Discard all other packets. |