Security groups and security group rules control what traffic can access the instances. You can use the Horizon dashboard GUI or the OpenStack CLI to create security rules or security groups. Refer to OpenStack documentation or the documentation provided by your OpenStack vendor for more information.
OpenStack security groups do not apply to SR-IOV interfaces.
Before instantiating, consider adding a rule that permits ICMP so the instance can respond to ping messages. Beyond such basic rules, the following tables summarize all the ports used by the SBC SWe application in an OpenStack cloud environment. Access through these ports should be allowed by adding security rules to the default security group, or to another security group you create and associate with the instance.
You can continue to add, delete, or modify security rules after the instance is deployed.
Some ports are specific to an application or a feature and are only required when it is in use. Similarly, some ports are specific to a particular SBC personality type (M-SBC, S-SBC, I-SBC, SLB) or OAM nodes.
The fields in the following tables are:
- Direction (Initial) - for UDP this is BOTH. For TCP it is OUTBOUND for clients and INBOUND for servers, matching the direction of the initial connection. These definitions match the way firewall rules typically have to be defined.
- Ether Type - either IPv4 or IPv6. Separate rules are supplied when both IPv4 and IPv6 are supported.
- IP Protocol - UDP or TCP.
- Local Port - an exact port number or a wildcard. Note that TCP clients usually use an ephemeral local port, which must be wildcarded.
- Local IP/interface - the local interface or internal object (such as SIP SP).
- Remote Port - an exact port number or a wildcard. Note that TCP clients usually use an ephemeral port, which must be wildcarded.
- Remote Peers - peer type. Use this to set the most constrained remote network prefix.
The following three tables provide input for security rules grouped by port type.
Management Port
Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes |
---|---|---|---|---|---|
Ingress | IPv4/v6 | TCP | 22 | 0.0.0.0/0 | SSH to CLI |
Ingress | IPv4/v6 | UDP | 123 | ::/0 | NTP |
Egress | IPv4/v6 | UDP | 123 | ::/0 | NTP |
Ingress | IPv4/v6 | UDP | 161 | ::/0 | SNMP polling |
Egress | IPv4/v6 | UDP | 161 | ::/0 | SNMP polling |
Ingress | IPv4/v6 | UDP | 162 | ::/0 | SNMP traps |
Egress | IPv4/v6 | UDP | 162 | ::/0 | SNMP traps |
Ingress | IPv4/v6 | TCP | 2022 | 0.0.0.0/0 | NetConf over ssh |
Ingress | IPv4/v6 | TCP | 2024 | 0.0.0.0/0 | SSH to Linux |
Ingress | IPv4/v6 | TCP (HTTP) | 80 | 0.0.0.0/0 | EMA |
Ingress | IPv4/v6 | TCP | 444 | 0.0.0.0/0 | Platform Manager |
Ingress | IPv4/v6 | TCP (HTTPS) | 443 | 0.0.0.0/0 | RESTCONF to ConfD DB |
Ingress | IPv4/v6 | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service on the M-SBC only. |
Egress | IPv4/v6 | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service on the M-SBC only. |
Ingress | IPv4/v6 | UDP | 3054 | ::/0 | Call processing requests |
Egress | IPv4/v6 | UDP | 3054 | ::/0 | Call processing requests |
Ingress | IPv4/v6 | UDP | 3055 | 0.0.0.0/0 | Keep-alives and registration |
Egress | IPv4/v6 | UDP | 3055 | 0.0.0.0/0 | Keep-alives and registration |
Ingress | IPv4/v6 | TCP | 8449 | 0.0.0.0/0 | VNFM RESTCONF to SBC VNF-R over https. The remote IP is either the remote IP of the VNFM load balancer or is wild-carded to 0.0.0.0/0 |
Ingress | IPv4/v6 | TCP | 8099 | 0.0.0.0/0 | VNFM RESTCONF to SBC VNF-R over http |
Egress | IPv4/v6 | TCP | 8099 | x.x.x.x/y | SBC VNF-R RESTCONF interface towards VNFM over http |
Egress | IPv4/v6 | TCP | 8449 | x.x.x.x/y | SBC VNF-R RESTCONF interface towards VNFM over https |
HA Ports
Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes |
---|---|---|---|---|---|
Ingress | IPv4 | UDP | 1024-65535 | | |
Ingress | IPv4 | TCP | 4000-8000 | x.x.x.x/y | Remote IP is the HA subnet |
Ingress | IPv4 | UDP | 7948 | | On S-SBC, I-SBC, and OAM. |
Ingress | IPv4 | TCP | 7948 | | On S-SBC, I-SBC, and OAM. |
Ingress | IPv4 | TCP | 5555 | | On S-SBC, I-SBC, and OAM. |
Ingress | IPv4 | TCP | 11111 | | OAM only |
Ingress | IPv4 | TCP | 22222-22223 | | N:1 deployments |
Ingress | IPv4 | UDP | 24007 | | OAM only |
Ingress | IPv4 | TCP | 24007 | | OAM only |
Ingress | IPv4 | TCP | 49152-49153 | | OAM only |
Egress | IPv4 | TCP | 1-65535 | x.x.x.x/y | Initialization between VMs |
Packet Ports
Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes |
---|---|---|---|---|---|
Ingress | IPv4 | UDP | 5060 | x.x.x.x/y | On S-SBC, I-SBC, and SLB. One per signaling port accepting UDP SIP calls. The remote IP is either a peer network prefix or is wild-carded to 0.0.0.0/0 |
Ingress | IPv6 | UDP | 5060 | x::x/y | IPv6 equivalent to the above. |
Egress | IPv4 | UDP | 5060 | x.x.x.x/y | On S-SBC, I-SBC, and SLB. One per signaling port initiating UDP SIP calls. The remote IP is either a peer network prefix or is wild-carded to 0.0.0.0/0 |
Egress | IPv6 | UDP | 5060 | x::x/y | IPv6 equivalent to above. |
Ingress | IPv4 | TCP | 5061 | x.x.x.x/y | TLS over TCP equivalents for each signaling port, for ingress calls. |
Ingress | IPv6 | TCP | 5061 | x::x/y | IPv6 equivalent to above. |
Ingress | IPv4 | UDP | 3055 | x.x.x.x/y | PSX queries. |
Ingress | IPv6 | UDP | 3055 | x::x/y | IPv6 equivalent to above. |
Egress | IPv4 | UDP | 3055 | x.x.x.x/y | PSX queries. |
Egress | IPv6 | UDP | 3055 | x::x/y | IPv6 equivalent to above. |
Ingress | IPv4 | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service on the M-SBC only. The 3057 ports are also used on the management interface for load balancing. |
Ingress | IPv6 | UDP | 3057 | 0.0.0.0/0 | |
Egress | IPv4 | UDP | 3057 | 0.0.0.0/0 | |
Egress | IPv6 | UDP | 3057 | 0.0.0.0/0 | |
Egress | IPv4 | TCP | 1024-65535 | x.x.x.x/y | For the S-SBC only. Client-side of the media control protocol, TCP equivalents for each signaling port initiating calls. Note that the source port is ephemeral for outbound TCP connections, hence the port range. The remote IP is the network prefix of the M-SBC cluster. |
Egress | IPv6 | TCP | 1024-65535 | x::x/y | |
Ingress | IPv4 | UDP | 1024-65535 | 0.0.0.0/0 | RTP port space. On the M-SBC and I-SBC only. |
Ingress | IPv6 | UDP | 1024-65535 | ::/0 | |
Egress | IPv4 | UDP | 1024-65535 | 0.0.0.0/0 | |
Egress | IPv6 | UDP | 1024-65535 | ::/0 | |
Ingress | IPv4 | TCP | 4019 | x.x.x.x/y | For the M-SBC and S-SBC, server-side of media control protocol. The remote IP is the network prefix of the S-SBC cluster. |
Ingress | IPv6 | TCP | 4019 | x::x/y | |
Ingress | IPv4 | TCP | 5556-5557 | x.x.x.x/y | On S-SBC, I-SBC, and SLB. |
Ingress | IPv6 | TCP | 5556-5557 | x::x/y | |
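A worked example, added here and not part of the vendor documentation: a POSIX shell helper that turns rows of the tables above into `openstack security group rule create` commands, expanding each IPv4/v6 row into the two separate rules the field definitions call for and substituting a constrained management or HA prefix for the 0.0.0.0/0 and x.x.x.x/y placeholders. SG_NAME, MGMT_CIDR and HA_CIDR are assumed names holding constructed documentation prefixes, and the ICMP row is the ping rule suggested at the top of the page.

```shell
#!/bin/sh
# Added example, not the vendor's own tooling: turn rows of the tables above into
# `openstack security group rule create` commands. Assumed names: SG_NAME is the group to
# populate; MGMT_CIDR ("v4prefix,v6prefix") and HA_CIDR are constructed documentation
# prefixes used in place of the tables' 0.0.0.0/0 and x.x.x.x/y placeholders.
SG_NAME="${SG_NAME:-sbc-mgmt-sg}"
MGMT_CIDR="${MGMT_CIDR:-192.0.2.0/24,2001:db8:1::/64}"
HA_CIDR="${HA_CIDR:-198.51.100.0/24}"

# sg_rule_cmd DIRECTION ETHERTYPE PROTO PORT_RANGE REMOTE_PREFIX DESCRIPTION
# Prints one command per line. An "IPv4/v6" row expands to one IPv4 and one IPv6 rule,
# a range written "4000-8000" becomes the CLI's "4000:8000", and a wildcard or a
# "v4,v6" prefix pair is resolved to the family matching the rule's ethertype.
sg_rule_cmd() {
    dir=$(printf '%s' "$1" | tr 'A-Z' 'a-z')     # Ingress -> ingress
    ports=$(printf '%s' "$4" | sed 's/-/:/')      # 4000-8000 -> 4000:8000
    case "$2" in
        IPv4/v6) ethertypes="IPv4 IPv6" ;;
        *)       ethertypes="$2" ;;
    esac
    for et in $ethertypes; do
        proto=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
        remote="$5"
        case "$remote" in
            *,*) if [ "$et" = IPv4 ]; then remote="${remote%%,*}"; else remote="${remote#*,}"; fi ;;
        esac
        if [ "$et" = IPv6 ]; then
            if [ "$remote" = 0.0.0.0/0 ]; then remote="::/0"; fi
            if [ "$proto" = icmp ]; then proto="ipv6-icmp"; fi   # Neutron's name for ICMPv6
        elif [ "$remote" = "::/0" ]; then
            remote="0.0.0.0/0"
        fi
        portopt=""
        if [ -n "$ports" ]; then portopt="--dst-port $ports "; fi   # ICMP rules carry no port
        printf 'openstack security group rule create --%s --ethertype %s --protocol %s %s--remote-ip %s --description "%s" %s\n' \
            "$dir" "$et" "$proto" "$portopt" "$remote" "$6" "$SG_NAME"
    done
}

# Constructed subset of the Management Port and HA Ports tables. Without APPLY=1 the
# commands are only printed, so the rule set can be reviewed before it is applied.
emit_rules() {
    sg_rule_cmd Ingress IPv4/v6 ICMP ""        "$MGMT_CIDR" "ICMP echo so the instance answers ping"
    sg_rule_cmd Ingress IPv4/v6 TCP  22        "$MGMT_CIDR" "SSH to CLI"
    sg_rule_cmd Ingress IPv4/v6 TCP  2022      "$MGMT_CIDR" "NETCONF over SSH"
    sg_rule_cmd Ingress IPv4/v6 UDP  161       "$MGMT_CIDR" "SNMP polling"
    sg_rule_cmd Ingress IPv4    TCP  4000-8000 "$HA_CIDR"   "HA: remote IP is the HA subnet"
}
if [ "${APPLY:-0}" = 1 ]; then emit_rules | sh -e; else emit_rules; fi
```

Run it once without APPLY=1 and read the printed commands; with APPLY=1 they are executed against whichever cloud the current OpenStack credentials point at.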