Security groups and security group rules control which traffic can reach the instances. Use the Horizon dashboard GUI or the OpenStack CLI to create security groups and security group rules. Refer to the OpenStack documentation, or the documentation provided by your OpenStack vendor, for more information.

Prior to instantiating the SBC SWe Cloud on OpenStack, consider adding a rule that allows the ICMP protocol so that the instance can respond to ping messages. In addition to such basic rules, the following tables summarize all the ports used by the SBC SWe Cloud application. Allow access through these ports by adding security rules to the default security group, or to another security group that you create and associate with the instance.

You can continue to add, delete, or modify security rules after the instance is deployed.

Note:

Some ports are specific to an application or a feature and are only required when it is in use. Similarly, some ports are specific to a particular SBC personality type (M-SBC, S-SBC, I-SBC).

The fields in the following tables are:

  • Direction (initial) - for UDP, this is BOTH. For TCP, this is OUTBOUND for clients and INBOUND for servers (to match the direction of the initial connection). These definitions match the way firewall rules are typically defined.
  • Ether Type - either IPv4 or IPv6. Separate rules are supplied when both IPv4 and IPv6 are supported.
  • IP Protocol - UDP or TCP.
  • Local Port - an exact port number, or a wildcard. Note that TCP clients usually use an ephemeral local port, which is wildcarded.
  • Local IP/interface - the local interface or internal object (such as a SIP SP).
  • Remote Port - an exact port number, or a wildcard. Note that TCP clients usually use an ephemeral local port, which is wildcarded.
  • Remote Peers - peer type. Use this to set the most constrained remote network prefix.

The following three tables provide input for security rules grouped by port type.

Management Port

Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes
Ingress | IPv4/v6 | TCP | 22 | 0.0.0.0/0 | SSH to CLI
Ingress | IPv4/v6 | UDP | 123 | ::/0 | NTP
Egress | IPv4/v6 | UDP | 123 | ::/0 | NTP
Ingress | IPv4/v6 | UDP | 161 | ::/0 | SNMP polling
Egress | IPv4/v6 | UDP | 161 | ::/0 | SNMP polling
Ingress | IPv4/v6 | UDP | 162 | ::/0 | SNMP traps
Egress | IPv4/v6 | UDP | 162 | ::/0 | SNMP traps
Ingress | IPv4/v6 | TCP | 2022 | 0.0.0.0/0 | NetConf over SSH
Ingress | IPv4/v6 | TCP | 2024 | 0.0.0.0/0 | SSH to Linux
Ingress | IPv4/v6 | TCP (HTTP) | 80 | 0.0.0.0/0 | EMA
Ingress | IPv4/v6 | TCP | 444 | 0.0.0.0/0 | Platform Manager
Ingress | IPv4/v6 | TCP (HTTPS) | 443 | 0.0.0.0/0 | REST to ConfD DB
Ingress | IPv4/v6 | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service
Egress | IPv4/v6 | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service
Ingress | IPv4/v6 | UDP | 3054 | ::/0 | Call processing requests
Egress | IPv4/v6 | UDP | 3054 | ::/0 | Call processing requests
Ingress | IPv4/v6 | UDP | 3055 | 0.0.0.0/0 | Keep-alives and registration
Egress | IPv4/v6 | UDP | 3055 | 0.0.0.0/0 | Keep-alives and registration
Ingress | IPv4/v6 | TCP | 8443 | 0.0.0.0/0 | VNFM REST to SBC VNF-R. The remote IP is either the IP of the VNFM load balancer or is wild-carded to 0.0.0.0/0
Egress | IPv4/v6 | TCP | 1024-65535 | x.x.x.x/y | SBC VNF-R REST interface towards VNFM
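The field definitions above map almost one-to-one onto the options of `openstack security group rule create`. The script below is an added example, not part of the SBC SWe Cloud or OpenStack documentation: it turns the Management Port table into CLI commands. It assumes a security group named "sbc-mgmt" (a placeholder), that python-openstackclient is installed with the OS_* credential variables set, and that the VNFM prefix is supplied in VNFM_PREFIX (the table's x.x.x.x/y placeholder is kept otherwise). Two points a practitioner should note: Neutron security groups are stateful, so only the initial direction of a TCP connection needs a rule and the "Direction (Initial)" column maps directly to --ingress/--egress; and an "IPv4/v6" row has to become two rules, because Neutron rejects an IPv4 rule whose remote prefix is ::/0 (and vice versa), so the script rewrites a wildcard prefix per address family. The commands are only printed unless APPLY=1 is set, so they can be reviewed first; the HA and Packet tables can be fed through the same `row` function.

```shell
#!/bin/sh
# Added example; not part of the SBC SWe Cloud or OpenStack documentation.
# Turns the Management Port table into `openstack security group rule create`
# commands. Assumptions (placeholders, not taken from the page): the security
# group is called "sbc-mgmt", python-openstackclient is installed and the OS_*
# credential variables are set. Commands are only printed unless APPLY=1.

SBC_SG="${SBC_SG:-sbc-mgmt}"            # placeholder group name
VNFM_PREFIX="${VNFM_PREFIX:-x.x.x.x/y}" # replace with the VNFM address prefix

# sg_rule_cmd DIRECTION ETHERTYPE PROTOCOL PORTS REMOTE_PREFIX DESCRIPTION
# Prints one CLI command. PORTS is a single port ("22") or a range written as
# in the table ("1024-65535"); the CLI expects "min:max" for a range.
sg_rule_cmd() {
    case "$4" in
        *-*) range="${4%-*}:${4#*-}" ;;
        *)   range="$4" ;;
    esac
    proto=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    printf 'openstack security group rule create --%s --ethertype %s --protocol %s --dst-port %s --remote-ip %s --description "%s" %s\n' \
        "$1" "$2" "$proto" "$range" "$5" "$6" "$SBC_SG"
}

# icmp_rule_cmd: the ping rule suggested above (IPv4, any source, no port).
icmp_rule_cmd() {
    printf 'openstack security group rule create --ingress --ethertype IPv4 --protocol icmp --remote-ip 0.0.0.0/0 --description "ICMP (ping)" %s\n' "$SBC_SG"
}

# row DIRECTION ETHERTYPE PROTOCOL PORTS REMOTE_PREFIX DESCRIPTION
# One table row. An "IPv4/v6" row becomes two rules, one per address family.
# A wildcard remote prefix is rewritten per family because Neutron rejects an
# IPv4 rule whose remote prefix is ::/0 (and an IPv6 rule with 0.0.0.0/0).
row() {
    case "$2" in
        IPv4/v6)
            case "$5" in
                0.0.0.0/0|::/0) r4=0.0.0.0/0 r6=::/0 ;;
                *)              r4=$5        r6=$5   ;;
            esac
            sg_rule_cmd "$1" IPv4 "$3" "$4" "$r4" "$6"
            sg_rule_cmd "$1" IPv6 "$3" "$4" "$r6" "$6"
            ;;
        *)  sg_rule_cmd "$1" "$2" "$3" "$4" "$5" "$6" ;;
    esac
}

# Management Port table, one call per row of the table above (20 rows, 40 rules).
mgmt_rules() {
    row ingress IPv4/v6 TCP 22         0.0.0.0/0 'SSH to CLI'
    row ingress IPv4/v6 UDP 123        ::/0      'NTP'
    row egress  IPv4/v6 UDP 123        ::/0      'NTP'
    row ingress IPv4/v6 UDP 161        ::/0      'SNMP polling'
    row egress  IPv4/v6 UDP 161        ::/0      'SNMP polling'
    row ingress IPv4/v6 UDP 162        ::/0      'SNMP traps'
    row egress  IPv4/v6 UDP 162        ::/0      'SNMP traps'
    row ingress IPv4/v6 TCP 2022       0.0.0.0/0 'NetConf over SSH'
    row ingress IPv4/v6 TCP 2024       0.0.0.0/0 'SSH to Linux'
    row ingress IPv4/v6 TCP 80         0.0.0.0/0 'EMA (HTTP)'
    row ingress IPv4/v6 TCP 444        0.0.0.0/0 'Platform Manager'
    row ingress IPv4/v6 TCP 443        0.0.0.0/0 'REST to ConfD DB (HTTPS)'
    row ingress IPv4/v6 UDP 3057       0.0.0.0/0 'Load balancing service'
    row egress  IPv4/v6 UDP 3057       0.0.0.0/0 'Load balancing service'
    row ingress IPv4/v6 UDP 3054       ::/0      'Call processing requests'
    row egress  IPv4/v6 UDP 3054       ::/0      'Call processing requests'
    row ingress IPv4/v6 UDP 3055       0.0.0.0/0 'Keep-alives and registration'
    row egress  IPv4/v6 UDP 3055       0.0.0.0/0 'Keep-alives and registration'
    row ingress IPv4/v6 TCP 8443       0.0.0.0/0 'VNFM REST to SBC VNF-R'
    row egress  IPv4/v6 TCP 1024-65535 "$VNFM_PREFIX" 'SBC VNF-R REST interface towards VNFM'
}

# Dry run by default; APPLY=1 pipes the generated commands into a shell that
# stops at the first failing command.
if [ "${APPLY:-0}" = 1 ]; then
    { icmp_rule_cmd; mgmt_rules; } | sh -e
else
    icmp_rule_cmd
    mgmt_rules
fi
```

Running the script without APPLY prints 41 commands for review; the egress rule towards the VNFM keeps the x.x.x.x/y placeholder until VNFM_PREFIX is set, which Neutron would reject if applied as-is.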

HA Ports

Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes
Ingress | IPv4 | UDP | 1024-65535 | |
Ingress | IPv4 | TCP | 4000-8000 | x.x.x.x/y | Remote IP is the HA subnet
Egress | IPv4 | TCP | 1-65535 | x.x.x.x/y | Initialization between VMs

Packet Ports

Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes
Ingress | IPv4 | UDP | 5060 | x.x.x.x/y | On the S-SBC only. One per signaling port accepting UDP SIP calls. The remote IP is either a peer network prefix or is wild-carded to 0.0.0.0/0
Ingress | IPv6 | UDP | 5060 | x::x/y | IPv6 equivalent of the above.
Egress | IPv4 | UDP | 5060 | x.x.x.x/y | On the S-SBC only. One per signaling port initiating UDP SIP calls. The remote IP is either a peer network prefix or is wild-carded to 0.0.0.0/0
Egress | IPv6 | UDP | 5060 | x::x/y | IPv6 equivalent of the above.
Ingress | IPv4 | TCP | 5061 | x.x.x.x/y | TLS over TCP equivalents for each signaling port, for ingress calls.
Ingress | IPv6 | TCP | 5061 | x::x/y | IPv6 equivalent of the above.
Ingress | IPv4 | UDP | 3055 | x.x.x.x/y | PSX queries.
Ingress | IPv6 | UDP | 3055 | x::x/y | IPv6 equivalent of the above.
Egress | IPv4 | UDP | 3055 | x.x.x.x/y | PSX queries.
Egress | IPv6 | UDP | 3055 | x::x/y | IPv6 equivalent of the above.
Egress | IPv4 | TCP | 1024-65535 | x.x.x.x/y | TCP equivalents for each signaling port initiating calls. Note that the source port is ephemeral for outbound TCP connections, hence the port range.
Egress | IPv6 | TCP | 1024-65535 | x::x/y | IPv6 equivalent of the above.
Ingress | IPv4 | UDP | 1024-65535 | 0.0.0.0/0 | RTP port space. On the M-SBC and I-SBC only.
Ingress | IPv6 | UDP | 1024-65535 | ::/0 | IPv6 equivalent of the above.
Egress | IPv4 | UDP | 1024-65535 | 0.0.0.0/0 | RTP port space. On the M-SBC and I-SBC only.
Egress | IPv6 | UDP | 1024-65535 | ::/0 | IPv6 equivalent of the above.
Egress | IPv4 | TCP | 1024-65535 | x.x.x.x/y | For the S-SBC only, client side of the media control protocol. The remote IP is the network prefix of the M-SBC cluster; the local port is ephemeral.
Ingress | IPv4 | TCP | 4019 | x.x.x.x/y | For the M-SBC and S-SBC, server side of the media control protocol. The remote IP is the network prefix of the S-SBC cluster.