In this section:


System Created ACLs

System-created ACLs are configured to accept only incoming traffic. The SBC Core installs a set of System defined ACL rules. These rules are statically defined and support ping, DNS, and different OAM traffic without any configuration.

System ACL rules filter the packets based on the source port (Client applications) or destination port (server applications) and protocol. Figure 1  gives a brief overview of a system-created ACL.

System-Created ACL


System Defined Rules

ACL read-only rules defined by the system to allow some of the known services:

  • Allow SSH traffic into the system, fill rate is 100 packets/sec
  • Allow SFTP traffic into the system, fill rate is 12,500 packets/sec
  • Allow HTTP traffic into the system, fill rate is 100 packets/sec
  • Allow HTTPS traffic into the system, fill rate is 12,500 packets/sec
  • Allow SNMP traffic into the system, fill rate is 50 packets/sec
  • Allow DNS traffic into the system, fill rate is 600 packets/sec
  • Allow Radius authentication traffic into the system, fill rate is 4 packets/sec
  • Allow Radius Accounting traffic into the system, fill rate is 1200 packets/sec
  • Allow NTP traffic into the system, fill rate is 4 packets/sec
  • Allow SNMP Trap traffic into the system, fill rate is 10 packets/sec
  • Allow ICMPv4 traffic into the system, fill rate is 50 packets/sec
  • Allow ICMPv6 traffic into the system, fill rate is 400 packets/sec

Accept Rules

Accept rules can optionally specify packet policings. If so configured, packets matching these rules are only accepted up to the configured policing limits.

Default Rules

Default rules are read-only and defined by the system to allow access to some of the known services. Default rules can be overridden by the operator defined rules.

SBC installs a set of approximately 15 System OAM ACL (band-4 ACLs) rules at boot time. These rules are statically defined at compile time and serve to permit OAM traffic over the default management interface group with no customer configuration effort. The system installs additional call signaling-specific (for example SIP Unknown Peer) ACL rules dynamically whenever signaling ports are enabled. ACL rule keys include:

  • Address Context ID
  • Interface Group ID
  • Interface ID
  • IP source address and prefix-length, v4 or v6
  • IP destination address and prefix-length, v4 or v6
  • IPv4 Protocol field or IPv6 Next Header field
  • TCP/UDP source port
  • TCP/UDP destination port

This strategy allows for more dynamic System Default rules which are driven by the specific configuration of the system for better protection (rules more tightly tailored to the actual traffic expected) and reduces the amount of user effort required to provision and operate the system.

Operator Created ACLs

An operator-created ACL has higher priority therefore can override any system-created rule for a given packet.

Each operator-created ACL rule is given a unique precedence and if a packet does not match the rule, it is denied entrance into SBC server. Figure 2  gives a brief overview of operator created ACL policing.

Operator-Created ACL


Operator Provisioned Rules

Operator-defined accept or discard rules apply to all incoming packets and are provisioned using the CLI or EMA. Operator created ACL filter rules are configured to permit, deny or unconditionally deny access based on:

  • Protocol
  • Source IP Address
  • Destination IP Address
  • Next Layer Protocol
  • Source Port Number
  • Ingress IP Interface
  • Interface Group Destination Port Number

Before creating operator-provisioned rules, be aware of the following:

  • An unconditionalDeny Operator rule will block microflow traffic if the rule has the highest precedence. This is useful in a situation where you want to migrate a group of endpoints from one SBC to another SBC by purposely failing the traffic and causing the endpoints to register with another SBC.
  • Operator-created rules are evaluated first and may override any system-created rule that match a given packet.
  • If only PERMIT rules are created by the operator, any packets not matching one of these rules "fall through" and are accepted or discarded according to the system-created rules. In this situation, there is no concern about blocking any essential traffic. Be careful not to be excessive with what you permit.
  • If one or more DISCARD rules are created, they may preempt system-created rules that permit necessary OAM or signaling packet flows. In such cases it may be necessary to create additional compensating PERMIT rules to restore access for those packet flows.
  • If using TCP- or SCTP-based signaling in a peering (non-REGISTERing) deployment, note that TCP or SCTP connections that are initiated outbound from the SBC use unpredictable, ephemeral local port numbers. If operator-created DISCARD rules block incoming packets for these flows, you must create compensating PERMIT rules for that TCP or SCTP traffic (that is with the local (destination) port set to ANY).
  • Media packets (RTP, RTCP) are always processed according to the SBC dynamic media pinhole management and are not subject to ACL filters.

IP ACL Rule Examples


Note

The Bucket Size value is insignificant if the Fill Rate value is unlimited.

  • The Fill Rate is the maximum rate you expect for the traffic to pass the policer.
  • The Bucket Size is the number of additional packets allowed to pass in a given period if available packets are in the bucket. The credit balance is consumed before the packets are discarded.

If the ACL rules with action = discard, the Fill Rate and the Bucket Size values are irrelevant, and the packets are dropped based on the Type, IP address, or Port.

The Fill Rate and the Bucket Size parameters do not play any role since the policer portion of an ACL is only applicable for the "accept" action and is ignored with the "discard" action since all the packets are already discarded by the criteria.

RULE 1: The below rule is an example where 10.11.12.134 is the SBC SIP IP address that phones register with.

% set addressContext "default" ipAccessControlList rule "darkGrayCarrierAccess" precedence "64500" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" destinationIpAddress "10.11.12.134" destinationPort "5060" fillRate "556" bucketSize "50" state "enabled"

 
RULE 2: Another example showing the discard action is listed below.

% set addressContext "default" ipAccessControlList rule "DENYALL_ACCESS" precedence "65020" ipInterfaceGroup "EXTERNAL.IPIG" action "discard" 

 

  • No labels