For SIP Trunking configurations, define ACL “white lists” so that traffic is accepted only from the far-end IP addresses of the SIP peers.
For each trunk group, do the following:
The SBC 52x0 and SBC 7000 systems support creating IP Interface Groups containing sets of IP interfaces that are not "processor friendly" (i.e. interfaces carried on physical Ethernet ports served by different processors). However, restrictions apply to the use of such Interface Groups.
(This ability does not apply to the SBC 51x0 and SBC 5400 systems, which have only two physical media ports; IP interfaces from those two ports may be configured within the same IP Interface Group without restriction.)
For complete details, refer to Configuring IP Interface Groups and Interfaces.
The rule below allows unlimited UDP traffic from “10.35.66.187” (the IP address of the far end in this example) to destination port 5060. This IP address is also configured as an IP Peer and is included in the trunk group's ingress IP prefix.
% set addressContext "default" ipAccessControlList rule "WHITELIST_PEER_01" precedence "1000" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" sourceIpAddress "10.35.66.187" sourceAddressPrefixLength "32" destinationPort "5060" fillRate "unlimited" bucketSize "unlimited" state "enabled"
Make sure the sourceAddressPrefixLength is set to a nonzero value (“32” is used in this example). Otherwise the length defaults to “0”, which matches every source address and effectively “white lists” all IP addresses.
The following rule blocks all traffic that is not explicitly allowed:
% set addressContext "default" ipAccessControlList rule "DENYALL_UNTRUST" precedence "65015" ipInterfaceGroup "EXTERNAL.IPIG" action "discard"
The precedence value of WHITELIST_PEER_01 (1000) is lower than that of DENYALL_UNTRUST (65015). A lower value takes precedence, so WHITELIST_PEER_01 is applied before DENYALL_UNTRUST and the SBC accepts traffic from 10.35.66.187.
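The following Python model is an added example (not Ribbon's code and not part of this page's configuration) that makes the precedence and prefix-length behaviour concrete: it parses the two CLI rules above, evaluates a packet against them with lowest-precedence-value-wins ordering, and lints for accept rules whose prefix length of 0 would white-list every source. The tokenising of the `set` syntax, the accept default for a rule with no explicit action, and prefix length 0 meaning "match all" are assumptions of the model, the last one as stated on this page.

```python
import ipaddress
import shlex

# Constructed sample: the two CLI rules shown on this page.
ACL_CLI = [
    '% set addressContext "default" ipAccessControlList rule "WHITELIST_PEER_01" '
    'precedence "1000" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" '
    'sourceIpAddress "10.35.66.187" sourceAddressPrefixLength "32" '
    'destinationPort "5060" fillRate "unlimited" bucketSize "unlimited" state "enabled"',
    '% set addressContext "default" ipAccessControlList rule "DENYALL_UNTRUST" '
    'precedence "65015" ipInterfaceGroup "EXTERNAL.IPIG" action "discard"',
]

def parse_rule(cli_line):
    """Turn one 'set ... ipAccessControlList rule NAME key value ...' line into a dict."""
    tokens = shlex.split(cli_line.lstrip("% "))
    idx = tokens.index("rule")
    rule = {"name": tokens[idx + 1]}
    rule.update(zip(tokens[idx + 2::2], tokens[idx + 3::2]))
    # Model defaults (assumptions): missing prefix length behaves as 0, as the page
    # warns, and a rule with no explicit action accepts the traffic it matches.
    rule.setdefault("sourceAddressPrefixLength", "0")
    rule.setdefault("action", "accept")
    return rule

def rule_matches(rule, src_ip, dst_port, protocol, ipig):
    """A rule matches only if every field it specifies agrees with the packet."""
    if rule.get("ipInterfaceGroup", ipig) != ipig or rule.get("protocol", protocol) != protocol:
        return False
    if int(rule.get("destinationPort", dst_port)) != dst_port:
        return False
    if "sourceIpAddress" in rule:
        prefix = rule["sourceIpAddress"] + "/" + rule["sourceAddressPrefixLength"]
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(prefix, strict=False):
            return False
    return True

def decide(rules, src_ip, dst_port, protocol="udp", ipig="EXTERNAL.IPIG"):
    """Lowest precedence value among matching rules wins; returns (rule name, action)."""
    hits = [r for r in rules if rule_matches(r, src_ip, dst_port, protocol, ipig)]
    if not hits:
        return (None, None)
    best = min(hits, key=lambda r: int(r["precedence"]))
    return (best["name"], best["action"])

def lint_whitelist(rules):
    """Names of accept rules whose prefix length 0 would white-list every source address."""
    return [r["name"] for r in rules
            if r["action"] == "accept" and r["sourceAddressPrefixLength"] == "0"]
```

Running `lint_whitelist` over an exported rule set is a quick pre-deployment check for the prefix-length pitfall described above.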