System-created ACLs are configured to accept only incoming traffic. The SBC Core installs a set of system-defined ACL rules. These rules are statically defined and support ping, DNS, and the various OAM traffic types without any configuration.
System ACL rules filter packets based on the source port (client applications) or destination port (server applications) and the protocol. Figure 1 gives a brief overview of a system-created ACL.
System-Created ACL
Read-only ACL rules defined by the system to allow some of the known services:
Accept rules can optionally specify packet policings. If so configured, packets matching these rules are only accepted up to the configured policing limits.
Default rules are read-only and defined by the system to allow access to some of the known services. Default rules can be overridden by the operator defined rules.
The SBC installs a set of approximately 15 system OAM ACL (band-4 ACL) rules at boot time. These rules are statically defined at compile time and permit OAM traffic over the default management interface group with no customer configuration effort. The system installs additional call-signaling-specific ACL rules (for example, SIP Unknown Peer) dynamically whenever signaling ports are enabled. ACL rule keys include:
This strategy allows for more dynamic System Default rules which are driven by the specific configuration of the system for better protection (rules more tightly tailored to the actual traffic expected) and reduces the amount of user effort required to provision and operate the system.
An operator-created ACL has higher priority and can therefore override any system-created rule for a given packet.
Each operator-created ACL rule is given a unique precedence, and a packet that matches no rule is denied entry into the SBC server. Figure 2 gives a brief overview of operator-created ACL policing.
Operator-Created ACL
Operator-defined accept or discard rules apply to all incoming packets and are provisioned using the CLI or EMA. Operator-created ACL filter rules are configured to permit, deny, or unconditionally deny access based on:
Before creating operator-provisioned rules, be aware of the following:
The Bucket Size value is insignificant if the Fill Rate value is unlimited. For ACL rules with action = discard, the Fill Rate and Bucket Size values are irrelevant: the packets are dropped based on the Type, IP address, or Port alone. The policer portion of an ACL applies only to the "accept" action; with the "discard" action it is ignored, because every packet matching the criteria is already discarded.
RULE 1: In the following example, 10.11.12.134 is the SBC SIP IP address with which phones register.
% set addressContext "default" ipAccessControlList rule "darkGrayCarrierAccess" precedence "64500" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" destinationIpAddress "10.11.12.134" destinationPort "5060" fillRate "556" bucketSize "50" state "enabled"
RULE 2: Another example, showing the discard action:
% set addressContext "default" ipAccessControlList rule "DENYALL_ACCESS" precedence "65020" ipInterfaceGroup "EXTERNAL.IPIG" action "discard"
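The following Python model is an added example and is not part of the SBC Core product or its documentation. It simulates how the two operator-created rules above are evaluated according to the behaviour described on this page: rules are checked in precedence order (assumed here: lower precedence value is evaluated first), a matching "accept" rule is subject to a token-bucket policer built from fillRate (packets per second) and bucketSize, a matching "discard" rule ignores the policer, an unlimited fill rate makes the bucket size irrelevant, and a packet matching no rule is denied. The rule and packet classes, the time values and the packet burst are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, List, Tuple


@dataclass
class Packet:
    """Constructed incoming packet; t is the arrival time in seconds."""
    protocol: str
    dst_ip: str
    dst_port: int
    t: float


@dataclass
class AclRule:
    """Hypothetical model of an operator-created ACL rule (not the SBC's data model)."""
    name: str
    precedence: int
    action: str                          # "accept" or "discard"
    protocol: Optional[str] = None       # None means "any"
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    fill_rate: Optional[float] = None    # packets per second; None = unlimited
    bucket_size: int = 0
    # token-bucket policer state (only used for "accept" rules)
    _tokens: float = field(default=0.0, init=False, repr=False)
    _last: Optional[float] = field(default=None, init=False, repr=False)

    def matches(self, p: Packet) -> bool:
        """A criterion left as None matches every packet (like RULE 2 above)."""
        return ((self.protocol is None or self.protocol == p.protocol)
                and (self.dst_ip is None or self.dst_ip == p.dst_ip)
                and (self.dst_port is None or self.dst_port == p.dst_port))

    def police(self, now: float) -> bool:
        """Token bucket: refill at fill_rate up to bucket_size, spend one token per packet."""
        if self.fill_rate is None:
            return True  # unlimited fill rate: bucket size is irrelevant
        if self._last is None:
            self._tokens = float(self.bucket_size)  # bucket starts full
        else:
            refill = (now - self._last) * self.fill_rate
            self._tokens = min(float(self.bucket_size), self._tokens + refill)
        self._last = now
        if self._tokens >= 1.0:
            self._tokens -= 1.0
            return True
        return False


class Acl:
    def __init__(self, rules: List[AclRule]):
        # Assumption for this model: lower precedence value is checked first.
        self.rules = sorted(rules, key=lambda r: r.precedence)

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, rule name); verdict is accept, policed or discard."""
        for r in self.rules:
            if not r.matches(p):
                continue
            if r.action == "discard":
                return "discard", r.name      # policer ignored for discard
            if r.police(p.t):
                return "accept", r.name
            return "policed", r.name          # matched, but over the policing limit
        return "discard", "<no match>"        # no matching rule: denied


def run_demo():
    """Replay a constructed burst against the two rules from the page."""
    acl = Acl([
        AclRule("darkGrayCarrierAccess", 64500, "accept", protocol="udp",
                dst_ip="10.11.12.134", dst_port=5060, fill_rate=556, bucket_size=50),
        AclRule("DENYALL_ACCESS", 65020, "discard"),
    ])
    counts = {"accept": 0, "policed": 0, "discard": 0}
    # constructed burst: 60 SIP/UDP packets arriving at the same instant
    for _i in range(60):
        verdict, _rule = acl.evaluate(Packet("udp", "10.11.12.134", 5060, 0.0))
        counts[verdict] += 1
    # one second later the bucket has refilled (556 tokens/s, capped at 50)
    late, _rule = acl.evaluate(Packet("udp", "10.11.12.134", 5060, 1.0))
    # TCP to the same port does not match RULE 1, so the deny-all rule catches it
    tcp = acl.evaluate(Packet("tcp", "10.11.12.134", 5060, 1.0))
    return counts, late, tcp


if __name__ == "__main__":
    print(run_demo())
```

Only the first 50 packets of the burst pass (the bucket size), the remaining 10 are policed even though they match the accept rule, and the packet a second later is accepted again once the bucket has refilled. The TCP packet falls through to DENYALL_ACCESS, which discards it without consulting any policer.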