...

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, click Protocols > IPv6 > Access Control Lists.

...

  1. In the left navigation pane, click Protocols > IPv6 > Access Control Lists.
  2. Click the Create IPv6 Access Control List Entry ( ) icon.
  3. Enter the desired configuration. See General Information Panel - Field Definitions. For sample configurations, see Sample ACL Rule Configuration.
  4. Click OK.


Modifying a Rule


...


These are sample ACLs and should be customized for your specific deployment.

One use case for access control lists is to isolate management traffic on the SBC 2000: the SBC WebUI is reachable only through designated ports on the SBC (i.e., the ADMIN port) and is not reachable on the remaining user-facing ports.

In a hosted or multi-tenant environment, the SBC is managed by a service provider and is shared with multiple end-customers. The ADMIN port is used solely for managing the SBC by the service provider. In order to configure this ACL, you must do the following:

  • Create ACLs that describe the type of traffic that should be accepted or denied.
  • Bind the ACLs to the ports for the designated purpose.

Sample ACL "usertraffic"

This ACL allows only packets belonging to the VoIP application and is bound to all user ports. This example is for the SBC 2000 and should be customized for your specific requirements.

ID | Source IP/Mask | Dest IP/Mask | Protocol | Source port | Destination port | Action | Notes
1 | 2001:db8:7:1::7/64 | ANY | ANY | ANY | 5060 | ACCEPT | Accepts all traffic from the Lync Skype server to the SBC's SIP port 5060 or the ASM's SIP port 5060.
2 | 2001:db8:7:1::7/64 | ANY | UDP | 53 | ANY | ACCEPT | Accepts DNS traffic from the DNS server 2001:db8:7:1::7/64.
3 | ANY | ANY | UDP | ANY | 16000-17000 | ACCEPT | Accepts all UDP traffic carrying RTP and RTCP payload from other devices to the SBC. The port range must be the same as the range configured under Media System Configuration. See .
4 | 2001:db8:33:1::3/64 | ANY | UDP | 30000 | 30000 | ACCEPT | Accepts control packets between the ASM installed on the same SBC and the SBC CPU. UDP/30000 is a reserved port.
5 | 2001:db8:33:1::3/64 | ANY | UDP | 30001 | 30001 | ACCEPT | Accepts control packets between the ASM installed on the same SBC and the SBC CPU. UDP/30001 is a reserved port.
6 | ANY | ANY | UDP | 30000 | 30000 | DROP | Drops any other source that uses the reserved port 30000.
7 | ANY | ANY | UDP | 30001 | 30001 | DROP | Drops any other source that uses the reserved port 30001.
8 | ANY | ANY | ANY | ANY | ANY | DROP | Discards all traffic that none of the rules above matched (default deny).

Sample ACL "admintraffic"

This ACL accepts the specified management traffic and discards all other packets. It should be bound to every port that is used only for administration. This example is for the SBC 2000 and should be customized for your specific requirements.

ID | Source IP Subnet | Dest IP Subnet | Protocol | Source port | Destination port | Action | Notes
1 | ANY | ANY | TCP | ANY | 443 | ACCEPT | Accepts incoming HTTPS requests.
2 | ANY | ANY | TCP | ANY | 80 | ACCEPT | Accepts incoming HTTP requests.
3 | ANY | ANY | UDP | ANY | 161 | ACCEPT | Accepts incoming SNMP requests.
4 | ANY | ANY | TCP | ANY | 22 | ACCEPT | Accepts incoming SSH requests.
5 | ANY | 2001:db8:33:1::3/64 | TCP | ANY | 3389 | ACCEPT | Accepts incoming RDP packets to the ASM (assuming the ASM's IP address is 2001:db8:33:1::3/64).

Sample ACL Binding

The ACLs in this example are applied only to the inbound direction of the ports. Once the ACLs are bound to the ports, ports Ethernet 1-4 are used only for VoIP and not for management. The ADMIN port is used only for management and not for user traffic.

Port | ACL Name | Direction | Notes
Ethernet 1 | usertraffic | INBOUND | Ethernet 1 is used only for user traffic such as VoIP calls. WebUI and any other management traffic is discarded.
Ethernet 2 | usertraffic | INBOUND | Same as above.
Ethernet 3 | usertraffic | INBOUND | Same as above.
Ethernet 4 | usertraffic | INBOUND | Same as above.
ADMIN | admintraffic | INBOUND | The ADMIN port is used only for administration. All user traffic (i.e., SIP, RTP) is discarded.
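As an added illustration, not the SBC's own code or configuration format, the following Python models first-match evaluation of the three tables above and lets you confirm the intended isolation: management traffic is discarded on Ethernet 1-4 and SIP/RTP is discarded on the ADMIN port. The packet addresses used in the checks are constructed.

```python
import ipaddress

# Constructed model of the page's sample ACLs (not the SBC's own configuration
# format). Each rule: (source, destination, protocol, source port, dest port, action).
ACLS = {
    "usertraffic": [
        ("2001:db8:7:1::7/64", "ANY", "ANY", "ANY", "5060", "ACCEPT"),
        ("2001:db8:7:1::7/64", "ANY", "UDP", "53", "ANY", "ACCEPT"),
        ("ANY", "ANY", "UDP", "ANY", "16000-17000", "ACCEPT"),
        ("2001:db8:33:1::3/64", "ANY", "UDP", "30000", "30000", "ACCEPT"),
        ("2001:db8:33:1::3/64", "ANY", "UDP", "30001", "30001", "ACCEPT"),
        ("ANY", "ANY", "UDP", "30000", "30000", "DROP"),
        ("ANY", "ANY", "UDP", "30001", "30001", "DROP"),
        ("ANY", "ANY", "ANY", "ANY", "ANY", "DROP"),
    ],
    "admintraffic": [
        ("ANY", "ANY", "TCP", "ANY", "443", "ACCEPT"),
        ("ANY", "ANY", "TCP", "ANY", "80", "ACCEPT"),
        ("ANY", "ANY", "UDP", "ANY", "161", "ACCEPT"),
        ("ANY", "ANY", "TCP", "ANY", "22", "ACCEPT"),
        ("ANY", "2001:db8:33:1::3/64", "TCP", "ANY", "3389", "ACCEPT"),
    ],
}
# Inbound bindings from the Sample ACL Binding table.
BINDINGS = {f"Ethernet {n}": "usertraffic" for n in range(1, 5)}
BINDINGS["ADMIN"] = "admintraffic"

def ip_match(rule, ip):
    # "ANY" matches everything; otherwise the address must fall inside the rule's prefix.
    return rule == "ANY" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)

def port_match(rule, port):
    # Accept "ANY", a single port, or an inclusive "low-high" range.
    if rule == "ANY":
        return True
    low, _, high = rule.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(port_name, src, dst, proto, sport, dport):
    """The first matching rule of the ACL bound inbound on port_name decides.
    Returns (action, rule_id). No match means DROP, which is how the page
    describes admintraffic ("discards all other packets")."""
    for rule_id, (rs, rd, rp, rsp, rdp, action) in enumerate(ACLS[BINDINGS[port_name]], 1):
        if (ip_match(rs, src) and ip_match(rd, dst) and rp in ("ANY", proto)
                and port_match(rsp, sport) and port_match(rdp, dport)):
            return action, rule_id
    return "DROP", None
```

For example, evaluate("Ethernet 1", "2001:db8:99::1", "2001:db8:1::5", "TCP", 40000, 443) returns ("DROP", 8), while the same HTTPS packet on "ADMIN" returns ("ACCEPT", 1).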



...

Each sample entry below lists its fields as named on the entry form (Description, Protocol, Action, Port Selection, Service, Source IP, Source Prefix Length, Source Min Port, Source Max Port, Dest IP, Dest Prefix Length, Dest Min Port, Dest Max Port, Description). Fields that are not listed are left blank.

Allow WebUI/HTTPS
  Protocol: TCP; Action: Allow; Port Selection: Service; Service: HTTPS
  Source IP: ::0; Dest IP: ::0
  Description: For more security, replace the source IP and mask with the network addresses that are on the LAN side. Also consider the subnets used for VPN users of that corporate network.

Allow WebUI/HTTP to redirect to HTTPS
  Protocol: TCP; Action: Allow; Port Selection: Service; Service: HTTP
  Source IP: ::0; Dest IP: ::0
  Description: Not strictly required, but convenient. The SBC will redirect all HTTP requests to HTTPS.

Accept SIP Signaling over UDP
  Protocol: UDP; Action: Allow; Port Selection: Range
  Source IP: 2001:db8:40:1:1::1; Source Prefix Length: 128; Source Min Port: 1024; Source Max Port: 65535
  Dest IP: ::0; Dest Min Port: 5060; Dest Max Port: 5060
  Description: Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. The source IP and mask must also match what is configured on the Federated-IP network. In this example, perhaps 2001:db8:40:1:1::1 is an IP-PBX that supports SIP over UDP.

Accept SIP Signaling over TCP and TLS
  Protocol: TCP; Action: Allow; Port Selection: Range
  Source IP: 2001:db8:50:1:1::2; Source Prefix Length: 128; Source Min Port: 1024; Source Max Port: 65535
  Dest IP: ::0; Dest Min Port: 5067; Dest Max Port: 5067
  Description: Create one rule for every SIP protocol/port combination on the SBC, based on all Signaling Groups. The source IP and mask must also match what is configured on the Federated-IP network. In this example, perhaps 2001:db8:50:1:1::2 is a Lync Skype Mediation Server that supports SIP over TLS.

Accept SIP Signaling TCP and TLS ACKs
  Protocol: TCP; Action: Allow; Port Selection: Range
  Source IP: 2001:db8:50:1:1::2; Source Prefix Length: 128; Source Min Port: 5067; Source Max Port: 5067
  Dest IP: ::0; Dest Min Port: 1024; Dest Max Port: 65535
  Description: Create one rule for every SIP server. This rule allows the TCP ACKs to return to the SBC. The source IP and mask must also match what is configured on the Federated-IP network. In this example, perhaps 2001:db8:50:1:1::2 is a Lync Skype Mediation Server that supports SIP over TLS.

Accept RTP/RTCP packets
  Protocol: UDP; Action: Allow; Port Selection: Range
  Source IP: ::0; Source Min Port: 1024; Source Max Port: 65535
  Dest IP: ::0; Dest Min Port: 16384; Dest Max Port: 17583
  Description: Accept all RTP/SRTP packets. Note that the port range must match that of Media System Configuration on the SBC.

Accept DNS responses
  Protocol: UDP; Action: Allow; Port Selection: Range
  Source IP: ::0; Source Min Port: 53; Source Max Port: 53
  Dest IP: ::0; Dest Min Port: 1024; Dest Max Port: 65535
  Description: Accept DNS responses for all DNS requests initiated by the SBC.

Discard all other packets
  Protocol: ANY; Action: Deny
  Source IP: ::0; Dest IP: ::0
  Description: Discard all other packets.


...