Security groups and security group rules control what traffic can access the instances. You can use the Horizon dashboard GUI or the OpenStack CLI to create security rules or security groups. Refer to OpenStack documentation or the documentation provided by your OpenStack vendor for more information.
Before instantiating the SBC SWe Cloud on OpenStack, consider adding a rule that allows the ICMP protocol so that the instance can respond to ping messages. In addition to such basic rules, the following tables summarize all the ports used by the SBC SWe Cloud application. Allow access through these ports by adding security rules to the default security group or to another security group that you create and associate with the instance.
You can continue to add, delete, or modify security rules after the instance is deployed.
The fields in the following tables are:
The following three tables provide input for security rules grouped by port type.
Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes |
---|---|---|---|---|---|
Ingress | IPv4/v6 | TCP | 22 | 0.0.0.0/0 | SSH to CLI |
Ingress | IPv4/v6 | UDP | 123 | ::/0 | NTP |
Egress | IPv4/v6 | UDP | 123 | ::/0 | NTP |
Ingress | IPv4/v6 | UDP | 161 | ::/0 | SNMP polling |
Egress | IPv4/v6 | UDP | 161 | ::/0 | SNMP polling |
Ingress | IPv4/v6 | UDP | 162 | ::/0 | SNMP traps |
Egress | IPv4/v6 | UDP | 162 | ::/0 | SNMP traps |
Ingress | IPv4/v6 | TCP | 2022 | 0.0.0.0/0 | NetConf over ssh |
Ingress | IPv4/v6 | TCP | 2024 | 0.0.0.0/0 | SSH to Linux |
Ingress | IPv4/v6 | TCP (HTTP) | 80 | 0.0.0.0/0 | EMA |
Ingress | IPv4/v6 | TCP | 444 | 0.0.0.0/0 | Platform Manager |
Ingress | IPv4/v6 | TCP (HTTPS) | 443 | 0.0.0.0/0 | REST to ConfD DB |
Ingress | IPv4/v6 | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service |
Egress | IPv4/v6 | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service |
Ingress | IPv4/v6 | UDP | 3054 | ::/0 | Call processing requests |
Egress | IPv4/v6 | UDP | 3054 | ::/0 | Call processing requests |
Ingress | IPv4/v6 | UDP | 3055 | 0.0.0.0/0 | Keep-alives and registration |
Egress | IPv4/v6 | UDP | 3055 | 0.0.0.0/0 | Keep-alives and registration |
Ingress | IPv4/v6 | TCP | 8443 | 0.0.0.0/0 | VNFM REST to SBC VNF-R. The remote IP is either the remote IP of the VNFM load balancer or is wild-carded to 0.0.0.0/0 |
Egress | IPv4/v6 | TCP | 1024-65535 | x.x.x.x/y | SBC VNF-R REST interface towards VNFM |
Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes |
---|---|---|---|---|---|
Ingress | IPv4 | UDP | 1024-65535 | | |
Ingress | IPv4 | TCP | 4000-8000 | x.x.x.x/y | Remote IP is the HA subnet |
Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes |
---|---|---|---|---|---|
Ingress | IPv4 | UDP | 5060 | x.x.x.x/y | On the S-SBC only. One per signaling port accepting UDP SIP calls. The remote IP is either a peer network prefix or is wild-carded to 0.0.0.0/0 |
Ingress | IPv6 | UDP | 5060 | x::x/y | IPv6 equivalent to the above. |
Egress | IPv4 | UDP | 5060 | x.x.x.x/y | On the S-SBC only. One per signaling port initiating UDP SIP calls. The remote IP is either a peer network prefix or is wild-carded to 0.0.0.0/0 |
Egress | IPv6 | UDP | 5060 | x::x/y | IPv6 equivalent to above. |
Ingress | IPv4 | TCP | 5061 | x.x.x.x/y | TLS over TCP equivalents for each signaling port, for ingress calls. |
Ingress | IPv6 | TCP | 5061 | x::x/y | IPv6 equivalent to above. |
Ingress | IPv4 | UDP | 3055 | x.x.x.x/y | PSX queries. |
Ingress | IPv6 | UDP | 3055 | x::x/y | IPv6 equivalent to above. |
Egress | IPv4 | UDP | 3055 | x.x.x.x/y | PSX queries. |
Egress | IPv6 | UDP | 3055 | x::x/y | IPv6 equivalent to above. |
Egress | IPv4 | TCP | 1024-65535 | x.x.x.x/y | TCP equivalents for each signaling port initiating calls. Note that the source port is ephemeral for outbound TCP connections, hence the port range. |
Egress | IPv6 | TCP | 1024-65535 | x::x/y | |
Ingress | IPv4 | UDP | 1024-65535 | 0.0.0.0/0 | RTP port space. On the M-SBC and I-SBC only. |
Ingress | IPv6 | UDP | 1024-65535 | ::/0 | |
Egress | IPv4 | UDP | 1024-65535 | 0.0.0.0/0 | |
Egress | IPv6 | UDP | 1024-65535 | ::/0 | |
Egress | IPv4 | TCP | 1024-65535 | x.x.x.x/y | For the S-SBC only, client-side of media control protocol. The remote IP is the network prefix of the M-SBC cluster; the local port is ephemeral. |
Ingress | IPv4 | TCP | 4019 | x.x.x.x/y | For the M-SBC and S-SBC, server-side of media control protocol. The remote IP is the network prefix of the S-SBC cluster. |
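
The rows in the tables above map directly onto `openstack security group rule create` commands. The following script is an added example, not part of the original page or the vendor's tooling: it prints one command per ether type for a row, converts the table's port ranges to the CLI's `min:max` form, and refuses the `x.x.x.x/y` placeholders. The group name `sbc-swe-sg` and the prefix `198.51.100.0/24` are assumptions made for illustration, and the group is assumed to exist already.

```shell
#!/usr/bin/env bash
# Added example: print (not run) OpenStack CLI commands for table rows.
# SG_NAME is a hypothetical, already-created security group.
SG_NAME="${SG_NAME:-sbc-swe-sg}"

# rule_cmds DIRECTION ETHER_TYPE PROTOCOL PORT_RANGE REMOTE_PREFIX
rule_cmds() {
  local dir ether proto ports remote et prefix
  dir=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  ether=$2
  proto=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
  ports=$(printf '%s' "$4" | tr '-' ':')   # table: 1024-65535, CLI: 1024:65535
  remote=$5

  case "$dir" in
    ingress|egress) ;;
    *) echo "unknown direction: $1" >&2; return 1 ;;
  esac
  # x.x.x.x/y and x::x/y in the tables are placeholders for site values.
  case "$remote" in
    ''|*x*) echo "replace placeholder prefix '$remote'" >&2; return 1 ;;
  esac
  # An "IPv4/v6" row becomes one rule per ether type.
  case "$ether" in
    IPv4/v6) ether="IPv4 IPv6" ;;
  esac

  for et in $ether; do
    prefix=$remote
    # Pair each ether type with a prefix of the same address family.
    case "$et:$remote" in
      IPv4:::/0)         prefix="0.0.0.0/0" ;;  # wildcard, IPv4 form
      IPv6:0.0.0.0/0)    prefix="::/0" ;;       # wildcard, IPv6 form
      IPv4:*:*|IPv6:*.*) continue ;;            # prefix belongs to the other family
    esac
    printf 'openstack security group rule create --%s --ethertype %s' "$dir" "$et"
    printf ' --protocol %s --dst-port %s --remote-ip %s %s\n' \
      "$proto" "$ports" "$prefix" "$SG_NAME"
  done
}

# Rows from the tables above; 198.51.100.0/24 is a constructed HA subnet.
rule_cmds Ingress IPv4/v6 TCP 22 0.0.0.0/0          # SSH to CLI
rule_cmds Ingress IPv4/v6 UDP 161 ::/0              # SNMP polling
rule_cmds Ingress IPv4 TCP 4000-8000 198.51.100.0/24
```

Review the printed commands before piping them to a shell. A management row can be given a narrower remote prefix than the table's wildcard by passing that prefix as the last argument.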