These are sample ACLs and should be customized for your specific deployment.
One use case for access control lists is to isolate management traffic on the SBC 2000: the SBC WebUI is reachable only through a designated port on the SBC (i.e., the ADMIN port) and is not reachable on the user-traffic ports.
In a hosted or multi-tenant environment, the SBC is managed by a service provider and is shared among multiple end customers. The ADMIN port is used solely by the service provider for managing the SBC. To configure this isolation, you must do the following:
1. Create ACLs that describe the type of traffic that should be accepted or denied.
2. Bind the ACLs to the ports designated for each purpose.
Sample ACL "usertraffic"
This ACL allows only packets related to the VoIP application and is bound to all user ports. This example is for the SBC 2000 and should be customized for your specific requirements.

| ID | Source IP/Mask | Dest IP/Mask | Protocol | Source port | Destination port | Action | Notes |
|----|----------------|--------------|----------|-------------|------------------|--------|-------|
| 1 | 2001:db8:7:1::7/64 | ANY | ANY | ANY | 5060 | ACCEPT | Accepts all traffic from the Skype server to the SBC's SIP port 5060 or the ASM's SIP port 5060. |
| 2 | 2001:db8:7:1::7/64 | ANY | UDP | 53 | ANY | ACCEPT | Accepts DNS traffic from the DNS server 2001:db8:7:1::7/64. |
| 3 | ANY | ANY | UDP | ANY | 16000-17000 | ACCEPT | Accepts all UDP traffic carrying RTP and RTCP payload from other devices to the SBC. The port range must match the range configured under Media System Configuration. See . |
| 4 | 2001:db8:33:1::3/64 | ANY | UDP | 30000 | 30000 | ACCEPT | Accepts control packets between the ASM installed on the same SBC and the SBC CPU. UDP/30000 is a reserved port. |
| 5 | 2001:db8:33:1::3/64 | ANY | UDP | 30001 | 30001 | ACCEPT | Accepts control packets between the ASM installed on the same SBC and the SBC CPU. UDP/30001 is a reserved port. |
| 6 | ANY | ANY | UDP | 30000 | 30000 | DROP | Drops traffic from any other source that uses the reserved port 30000. |
| 7 | ANY | ANY | UDP | 30001 | 30001 | DROP | Drops traffic from any other source that uses the reserved port 30001. |
| 8 | ANY | ANY | ANY | ANY | ANY | DROP | Default rule: discards all traffic that none of the rules above match. |
Sample ACL "admintraffic"
This ACL accepts the specified management traffic and discards all other packets. It should be bound to every port that is used only for administration. This example is for the SBC 2000 and should be customized for your specific requirements.

| ID | Source IP Subnet | Dest IP Subnet | Protocol | Source port | Destination port | Action | Notes |
|----|------------------|----------------|----------|-------------|------------------|--------|-------|
| 1 | ANY | ANY | TCP | ANY | 443 | ACCEPT | Accepts incoming HTTPS requests. |
| 2 | ANY | ANY | TCP | ANY | 80 | ACCEPT | Accepts incoming HTTP requests. |
| 3 | ANY | ANY | UDP | ANY | 161 | ACCEPT | Accepts incoming SNMP requests. |
| 4 | ANY | ANY | TCP | ANY | 22 | ACCEPT | Accepts incoming SSH requests. |
| 5 | ANY | 2001:db8:33:1::3/64 | TCP | ANY | 3389 | ACCEPT | Accepts incoming RDP packets to the ASM (assuming the ASM's IP address is 2001:db8:33:1::3/64). |
Sample ACL Binding
The ACLs in this example are applied only to the inbound direction of the ports. Once the ACLs are bound, ports Ethernet 1-4 carry only VoIP traffic and no management traffic, and the ADMIN port carries only management traffic and no user traffic.

| Port | ACL Name | Direction | Notes |
|------|----------|-----------|-------|
| Ethernet 1 | usertraffic | INBOUND | Ethernet 1 is used only for user traffic such as VoIP calls. WebUI and any other management traffic is discarded. |
| Ethernet 2 | usertraffic | INBOUND | Same as above. |
| Ethernet 3 | usertraffic | INBOUND | Same as above. |
| Ethernet 4 | usertraffic | INBOUND | Same as above. |
| ADMIN | admintraffic | INBOUND | The ADMIN port is used only for administration. All user traffic (i.e., SIP, RTP) is discarded. |
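To check that the two ACLs and their bindings really isolate management from user traffic before deploying them, the following added example (not part of the SBC documentation or its configuration format) models the tables above as a first-match filter with an implicit default deny and evaluates constructed sample packets against the port each one arrives on. The tuple layout, the `inbound` helper and the sample addresses are this example's own assumptions.

```python
import ipaddress

ANY = "ANY"
# Constructed transcription of the two sample ACLs above in this example's own
# (src, dst, proto, src port, dst port, action) layout; "a-b" is a port range.
USERTRAFFIC = [
    ("2001:db8:7:1::7/64", ANY, ANY, ANY, "5060", "ACCEPT"),
    ("2001:db8:7:1::7/64", ANY, "UDP", "53", ANY, "ACCEPT"),
    (ANY, ANY, "UDP", ANY, "16000-17000", "ACCEPT"),
    ("2001:db8:33:1::3/64", ANY, "UDP", "30000", "30000", "ACCEPT"),
    ("2001:db8:33:1::3/64", ANY, "UDP", "30001", "30001", "ACCEPT"),
    (ANY, ANY, "UDP", "30000", "30000", "DROP"),
    (ANY, ANY, "UDP", "30001", "30001", "DROP"),
    (ANY, ANY, ANY, ANY, ANY, "DROP"),
]
ADMINTRAFFIC = [
    (ANY, ANY, "TCP", ANY, "443", "ACCEPT"),
    (ANY, ANY, "TCP", ANY, "80", "ACCEPT"),
    (ANY, ANY, "UDP", ANY, "161", "ACCEPT"),
    (ANY, ANY, "TCP", ANY, "22", "ACCEPT"),
    (ANY, "2001:db8:33:1::3/64", "TCP", ANY, "3389", "ACCEPT"),
]
# Inbound bindings from the "Sample ACL Binding" table.
BINDINGS = {f"Ethernet {i}": USERTRAFFIC for i in range(1, 5)}
BINDINGS["ADMIN"] = ADMINTRAFFIC

def _ip_match(pattern, ip):
    """ANY, or the address lies inside the rule's prefix (host bits ignored)."""
    if pattern == ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def _port_match(pattern, port):
    """ANY, a single port, or an inclusive 'low-high' range."""
    if pattern == ANY:
        return True
    low, _, high = pattern.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(acl, src, dst, proto, sport, dport):
    """First matching rule wins; no match at all means DROP (implicit default deny)."""
    for rule_id, (s, d, p, sp, dp, action) in enumerate(acl, 1):
        if (_ip_match(s, src) and _ip_match(d, dst) and p in (ANY, proto)
                and _port_match(sp, sport) and _port_match(dp, dport)):
            return action, rule_id
    return "DROP", None

def inbound(port_name, src, dst, proto, sport, dport):
    """Decision for a packet arriving on a named SBC port, per the binding table."""
    return evaluate(BINDINGS[port_name], src, dst, proto, sport, dport)
```

Each call returns the action and the rule number that decided it, so an unexpected ACCEPT on a user port (or an unexpected `None`, meaning the packet fell through to the implicit deny) points straight at the rule to review.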