In this section:
IP Access Control Lists (IP ACLs) specify a 5-tuple of destination IP address, destination TCP/UDP port, source IP address, source port, and transport protocol that are to be matched against the incoming IP packets. Use IP ACLs to specify rules to permit or deny packets into the SBC SWe cloud. The IP ACL can optionally pass the traffic but at only a certain policed rate.
The destination and source IP address indicates a network mask or wild-carded instead of a fully qualified IP address. The destination and source ports, and the transport protocol is also wild-carded. While this ability to wildcard the destination (or local) IP is sufficient for basic IP ACL functionality in the dynamic address environment of the cloud, additional functionality to explicitly use a local interface and SIP Signaling Port (SSP) as the destination IP address allows more simpler and generic configurations.
The SBC SWe cloud platform uses the local packet interface name, local management interface name, SIP signaling port number, or IP address with prefix as the destination IP address in IP ACL configuration.
When you create an IP ACL rule, its state defaults to "disabled
". Change the state to "enabled
" to activate the rule.
The default IP ACL supports 20 Record-Routes.
When a user creates a new management group, the user must add user defined ACL rules to get the equivalent rules that are set up for the default management group.
Refer to SBC Provisioning Limits for the maximum number of IP ACLs allowed on the SBC.
The SBC SWe cloud CLI syntax, parameter descriptions and command examples is provided below. Refer to IP Access Control List - Non-Cloud - CLI for non-Cloud equivalent CLI.
Command Syntax
% set addressContext <addressContext_name> ipAccessControlList...
// Mandatory parameters.
rule <rule_name> precedence <1-65535>
// Optional parameters.
- The
sourceIpAddress
andsourcePort
belong to the entity that sends packets to the SBC. - The
destIpAddress
anddestinationPort
belong to the SBC that receives the packets. ACLs are applicable only when an instance is receiving the packets and not when sending out the packets.
action <accept | discard> bucketSize <bucket_size> destIpAddress <IP address> destIpAddressPrefixLength <prefix length> destIpInterface <IP interface> destIpInterfaceGroup <Destination IPIG> destMgmtIpInterface <Destination mgmt IPI> destMgmtIpInterfaceGroup <Destination mgmt IPIG> destSipSigPortIndex <Destination SSP index> destSipSigPortZone <Destination SSP zone name> destTypeIpVersion <Destination IP address version type> destinationPort <port number> fillRate <#> ipInterface <ipInterface name> ipInterfaceGroup <ipInterfaceGroup name> mgmtIpInterface <mgmtIpInterface name> mgmtIpInterfaceGroup <mgmtIpInterfaceGroup name> minTTL <0-255> protocol <any|0-255> sourceAddressPrefixLength <0-128> sourceIpAddress <IPv4/IPv6 Address> sourcePort <port number> state <disbled | enabled> vmAppName <VM application name>
Command Parameters
Command Examples
set addressContext default ipAccessControlList rule 2 action accept bucketSize unlimited destinationAddressPrefixLength 2 destinationIpAddress 10.34.25.153 destinationPort any fillRate 33 ipInterface ipInterface1 ipInterfaceGroup INTERNAL_IPIG precedence 22 protocol any sourceAddressPrefixLength 1 sourceIpAddress 10.32.22.145 sourcePort any state disabled show addressContext default ipAccessControlList rule 2 { precedence 22; protocol any; ipInterfaceGroup INTERNAL_IPIG; ipInterface ipInterface1; sourceIpAddress 10.32.22.145; sourceAddressPrefixLength 1; destinationIpAddress 10.34.25.153; destinationAddressPrefixLength 2; sourcePort any; destinationPort any; action accept; fillRate 33; bucketSize unlimited; state disabled; }
To display the IP access control list details with display level set to 1:
show addressContext default ipAccessControlList displaylevel 1 rule RULE1; rule rule1;
To display the IP access control list details with display level set to 3:
show addressContext default ipAccessControlList displaylevel 3 rule RULE1 { precedence 4; } rule rule1 { precedence 1; protocol any; sourceIpAddress 0.0.0.0; sourceAddressPrefixLength 0; destinationIpAddress 0.0.0.0; destinationAddressPrefixLength 0; sourcePort any; destinationPort any; action accept; fillRate unlimited; bucketSize unlimited; state disabled; }
To view the configured rules and precedence from System-level CLI:
show table addressContext default ipAccessControlList rule show table addressContext default ipAccessControlList ipAclRulesByPrecedence
To view statistics from System-level CLI:
show table addressContext default ipAccessControlList ipAclOverallStatistics show table addressContext a1 ipAccessControlList ipAclRuleStatistics
If using a management interface group other than the default, adding a set of ACL rules as shown below will replicate the defaulted ACL rules the system provides for the default management interface group. In this example, a management interface group mgmtGroup1
has been previously created.
set addressContext default ipAccessControlList rule mgmt2_22 destinationPort 22 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 100 precedence 200 action accept state enabled set addressContext default ipAccessControlList rule mgmt2_80 destinationPort 80 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 100 precedence 201 action accept state enabled set addressContext default ipAccessControlList rule mgmt2_161 destinationPort 161 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 10 fillRate 50 precedence 202 action accept state enabled set addressContext default ipAccessControlList rule mgmt2_123 sourcePort 123 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 4 fillRate 4 precedence 103 state enabled set addressContext default ipAccessControlList rule mgmt2_162 sourcePort 162 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize fillRate 10 precedence 104 state enabled set addressContext default ipAccessControlList rule mgmt2_1812 sourcePort 1812 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 4 fillRate 4 precedence 105 state enabled set addressContext default ipAccessControlList rule mgmt2_2022 destinationPort 2022 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 10 precedence 206 action accept state enabled set addressContext default ipAccessControlList rule mgmt2_443 destinationPort 443 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 10 fillRate 100 precedence 208 action accept state enabled set addressContext default ipAccessControlList rule mgmt2_2024 destinationPort 2024 mgmtIpInterfaceGroup mgmtGroup1 protocol tcp bucketSize 250 fillRate 2500 precedence 209 action accept state enabled set addressContext default ipAccessControlList rule mgmt2_1813 sourcePort 1813 mgmtIpInterfaceGroup mgmtGroup1 protocol udp bucketSize 250 fillRate 1200 precedence 110 state enabled commit
To view the default system IP ACL statistics:
show table addressContext default ipAccessControlList defaultAclStatistics ADDRESS LIF ACL CONTEXT GRP SOURCE IP DESTINATION IP POLICING BUCKET POL POL PACKET PACKET ID PROTOCOL APPLICATION ID ID ADDRESS ADDRESS MODE SIZE CREDIT RATE ID PRIORITY ACCEPT DISCARD AGG POL OWNER ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 9 UDP dns_udp_guest * * * (53) * (0) PktRate 50 pkt 1000 pkt/s 0 0 0 0 none vm 10 TCP dns_tcp_guest * * * (53) * (0) PktRate 50 pkt 1000 pkt/s 0 0 0 0 none vm 11 TCP sftp_guest * * * (0) * (2024) DataPktRate 50000 pkt 50000 pkt/s 0 0 0 0 none vm 12 TCP ssh_guest * * * (0) * (22) DataPktRate 50000 pkt 50000 pkt/s 0 0 1 0 none vm 13 ICMPv4 icmpv4_guest * * * (0) * (0) DataPktRate 10 pkt 50 pkt/s 18 1 0 0 pol_icmp vm 14 ICMPv6 icmpv6_guest * * * (0) * (0) DataPktRate 10 pkt 400 pkt/s 18 1 0 0 pol_icmp vm 18 ICMPv4 icmpv4 * * * (0) * (0) PktRate 50 pkt 50 pkt/s 22 1 66 0 ICMP SBX5000 19 ICMPv6 icmpv6 * * * (0) * (0) PktRate 50 pkt 50 pkt/s 22 1 0 0 ICMP SBX5000 20 TCP ssh 1 1 * (0) 10.6.82.35/32 (22) PktRate 50 pkt 1000 pkt/s 19 1 118 0 OAM SBX5000 21 TCP web-client 1 1 * (0) 10.6.82.35/32 (80) PktRate 50 pkt 10 pkt/s 19 1 31 0 OAM SBX5000 22 UDP snmp 1 1 * (0) 10.6.82.35/32 (161) PktRate 50 pkt 1000 pkt/s 19 1 0 0 OAM SBX5000 23 TCP confd 1 1 * (0) 10.6.82.35/32 (2022) PktRate 50 pkt 100 pkt/s 19 1 0 0 OAM SBX5000 24 TCP secure-web-client 1 1 * (0) 10.6.82.35/32 (443) PktRate 50 pkt 20000 pkt/s 20 1 5583 0 SFTP SBX5000 25 TCP sftp 1 1 * (0) 10.6.82.35/32 (2024) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000 26 TCP connexIp-manager 1 1 * (0) 10.6.82.35/32 (444) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000 27 TCP secure-LI-client 1 1 * (0) 10.6.82.35/32 (1099) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000 28 TCP ssreq-tcp 1 1 * (0) 10.6.82.35/32 (3091) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000 29 UDP ssreq-udp 1 1 * (0) 10.6.82.35/32 (3090) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000 30 TCP ssh 1 1 * (0) 10.6.83.35/32 (22) PktRate 50 pkt 1000 pkt/s 19 1 0 0 OAM SBX5000 31 TCP web-client 1 1 * (0) 10.6.83.35/32 (80) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000 32 UDP snmp 1 1 * (0) 10.6.83.35/32 (161) PktRate 50 pkt 1000 pkt/s 19 1 0 0 OAM SBX5000 33 TCP confd 1 1 * (0) 10.6.83.35/32 (2022) PktRate 50 pkt 100 pkt/s 19 1 0 0 OAM SBX5000 34 TCP secure-web-client 1 1 * (0) 10.6.83.35/32 (443) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000 35 TCP sftp 1 1 * (0) 10.6.83.35/32 (2024) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000 36 TCP connexIp-manager 1 1 * (0) 10.6.83.35/32 (444) PktRate 50 pkt 20000 pkt/s 20 1 0 0 SFTP SBX5000 37 TCP secure-LI-client 1 1 * (0) 10.6.83.35/32 (1099) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000 38 TCP ssreq-tcp 1 1 * (0) 10.6.83.35/32 (3091) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000 39 UDP ssreq-udp 1 1 * (0) 10.6.83.35/32 (3090) PktRate 50 pkt 10 pkt/s 19 1 0 0 OAM SBX5000 40 UDP ntp 1 1 10.1.1.2/32 (123) * (0) PktRate 50 pkt 10 pkt/s 21 1 267 0 RBA SBX5000
The following example CLI ipAccessControlList
commands define ACL rules to allow SSReq to receive packets on ports 3090 and 3091:
- Port 3090 is used by SSReq Server to receive XML requests over UDP from a SSReq Client.
- Port 3091 is used by SSReq Server to receive XML requests over TCP from a SSREeq Client.
set addressContext default ipAcessControlList rule ssrequdp precedence 2 destinationPort 3090 state enabled set addressContext default ipAcessControlList rule ssreqtcp precedence 3 destionationPort 3091 state enabled
System ACLs are displayed only for default AddressContext.
System ACL Command Parameters