In this section:
Use the IP Access Control List - Rule window to configure your own IP Access Control List (ACL) rules within a specified address context. Use IP ACL rules to permit or deny packets into the SBC. These rules are applied to incoming packets in addition to the system-defined and default ACL rules. Refer to IP ACL Policing - Packet Filtering and Types of ACLs for more information on SBC access control lists and types of rules.
To View Rules
On the SBC main screen, navigate to All > Address Context > IP Access Control List > Rule. The Rule window opens showing rules for all address contexts. Select an address context in the Address Context list to filter the list for a specific address context.
IP Access Control List - Rule Window
To Create a Rule
A new IP ACL rule must be created within a specific address context. To create a new rule:
- Select an address context within the Address Context list. The New Rule option becomes available.
Click New Rule. The Create New Rule window opens. The figure below shows options for a hardware-based SBC. Note that the rule options are different for an SBC SWe D-SBC deployment as described in the table that follows.
Create New Rule Window
- Use the following table to configure the rule options and then click Save.
Rule Parameters
Parameter | Description |
|---|---|
Name | Specify a name for the ACL rule. |
Precedence | Specify the rule precedence to control which ACL rule is applied when multiple rules match. If an incoming packet matches multiple rules, the IP ACL rule with the highest precedence (lowest numeric value) is applied to that packet. Each IP ACL rule must include a precedence value and each precedence value must be unique. |
Protocol | Specify an IP protocol type to match. Choices are 0-255, or one of the following:
These protocols are typically associated with particular logical port values. |
IP Interface | Select an IP interface group to specify to match a specific IP interface group. |
IP Interface | Select an IP interface to specify to match a specific IP interface. |
Mgmt IP Interface Group | Select a management interface group to match a specific management interface group. NOTE: The Mgmt IP Interface Group parameter is only available from the default address context, even if the default address context does not contain any other configurations. |
Mgmt IP Interface | Select a Management Interface to match a specific Management Interface. NOTE: The Mgmt IP Interface parameter is only available from the default address context, even if the default address context does not contain any other configurations. |
Source IP Address | Specify the source IP address to match. The default is 0.0.0.0. NOTE: If you configure a Source IP Address, then a Source Address Prefix Length must also be specified. |
Source Address | Specify a length for the source IP address prefix. Must be 0 - 128, the default is 0. |
Destination IP Address | Specify the destination IP address to match. The default is 0.0.0.0. NOTE: If you configure a Destination IP Address, then a Destination Address Prefix Length must also be specified. |
| Destination Address Prefix Length | Specify a length for the destination IP address prefix. The value ranges from 0 to 128. The default is 0. |
Source Port | Specify a source port value. Must be 0 - 65535 or any, the default is any. |
Destination | Specify a destination port value. Must be 0 - 65535 or any, the default is any. |
Action | Specify the action to take when a packet matches the rule. The options are:
|
Fill Rate | Specify the number of packets to add to the bucket credit balance (in packets/second). If packets are received at a rate exceeding this fill rate, they are discarded subject to the discard rate set in the IP Policing Alarm profile or in the PolicerAlarm monitoring this port. The bucket credit balance is always less than the configured bucket size regardless of the size of this increment. Must be 1 - 320000 or unlimited, the default is 50. |
Bucket Size | Specify the policing bucket size (in packets). This represents a credit balance that can be consumed before packets are discarded which allows for occasional traffic bursts. If a packet is received when the credit balance is less than the size of the packet, the packet is discarded subject to the discard rate set in the IP Policing Alarm profile or in the PolicerAlarm monitoring this port. Must be 1-255 or unlimited, the default is 50. |
State | Specify the administrative state for the ACL rule.
|
| The following options appear when you create an ACL rule for a D-SBC SWe system. | |
| Dest Type IP Version | Specify the IP version type for the destination. The options are:
|
Destination IP Address | Specify the destination IP address (IPV4/IPV6) to match.
|
| Destination Address Prefix Length | Specify a length for the destination IP address prefix. The value ranges from 0 to 128. |
| Dest IP Interface Group | Select an IP interface group to specify to match a specific IP interface group for the destination host address. |
| Dest IP Interface | Select an IP interface to specify to match a specific IP interface for the destination host address. |
| Dest Mgmt IP Interface Group | Select a management interface group to match a specific management interface group for the destination host address. |
| Dest Mgmt IP Interface | Select a management interface to match a specific management interface for the destination host address. |
| Dest SIP Sig Port Zone | Select the zone name of the SIP signaling port for the destination address. |
| Dest SIP Sig Port Index | Specify the index number for the SIP signaling port for the destination address. |
To Edit a Rule
To edit the configuration of a custom ACL rule:
- Click the radio button next to the rule you want to edit. The Edit Selected Rule window opens.
- Modify the options as needed and click Save.
To Copy a Rule
To copy the configuration of a custom ACL rule and make changes to the copy:
- Click the radio button next to the rule you want to copy. The Copy Selected Rule window opens.
- Modify the options as needed and click Save.
To Delete a Rule
To delete the configuration of a custom ACL rule:
- Click the radio button next to the rule that you want to delete.
- Click the Delete (X) icon at the end of the row.
- Confirm the deletion when prompted.
Overview
Content Tools