In this section:
This page describes the summary of all the ports used in the Sonus cloud products.
The ports are specific to an application or a feature and only applies when it is in use.
In the cloud environment, these ports are allowed in the security group associated with the instance type. The various fields are:
Direction (initial) - for UDP, this will be BOTH. For TCP, this will be OUTBOUND for clients and INBOUND for servers (to match the direction of the initial connection).
This definition matches the way firewall rules typically have to be defined.
- Ether Type - It is either IPv4 or IPv6. Separate rules are supplied when both IPv4 and IPv6 are supported.
- IP Protocol - UDP or TCP.
- Local Port - an exact port number, or a wildcard. Note that TCP clients usually use an ephemeral local port which must be wildcarded.
- Local IP/interface - the local interface or internal object (such as SIP SP)
- Remote Port - an exact port number, or a wildcard. Note that TCP clients usually use an ephemeral local port (which must be wildcarded).
- Remote Peers - peer type. Use this to set the most constrained remote network prefix.
SBC Configurator Security Rules
The following tables provide security rules for SBC Configurator - Only the management interface is used.
SBC Configurator Security Rules
| Direction (Initial) | Ether Type | IP Protocol | Notes |
|---|---|---|---|
| Ingress | IPv4/v6 | TCP | SSH to CLI |
| Both | IPv4/v6 | UDP | NTP |
| Ingress | IPv4/v6 | TCP | REST to ConfD DB (HTTPS) |
| Egress | IPv4/v6 | TCP | REST back to EMS |
| Ingress | IPv4/v6 | TCP | NetConf over ssh |
| Ingress | IPv4/v6 | TCP | SSH to Linux, EMS SFTP |
S-SBC and M-SBC Security Rules
The following tables provide security rules for S-SBC and M-SBC:
Management Port
| Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes |
|---|---|---|---|---|---|
| Ingress | IPv4/v6 | TCP | 2024 | 0.0.0.0/0 | SSH to CLI |
| Ingress | IPv4/v6 | UDP | 123 | ::/0 | NTP |
| Egress | IPv4/v6 | UDP | 123 | ::/0 | NTP |
| Ingress | IPv4/v6 | UDP | 161 | ::/0 | SNMP Polling |
| Egress | IPv4/v6 | UDP | 161 | ::/0 | SNMP Polling |
| Ingress | IPv4/v6 | UDP | 162 | ::/0 | SNMP traps |
| Egress | IPv4/v6 | UDP | 162 | ::/0 | SNMP traps |
| Ingress | IPv4/v6 | TCP | 2022 | 0.0.0.0/0 | NetConf over ssh |
| Ingress | IPv4/v6 | TCP | 2024 | 0.0.0.0/0 | SSH to Linux |
| Ingress | IPv4/v6 | TCP (HTTP) | 80 | 0.0.0.0/0 | EMA |
| Ingress | IPv4/v6 | TCP | 444 | 0.0.0.0/0 | Platform Manager |
| Ingress | IPv4/v6 | TCP (HTTPS) | 443 | 0.0.0.0/0 | REST to ConfD DB |
| Ingress | IPv4/v6 | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service |
| Egress | IPv4/v6 | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service |
| Ingress | IPv4/v6 | UDP | 3054 | ::/0 | Call processing requests |
| Egress | IPv4/v6 | UDP | 3054 | ::/0 | Call processing requests |
| Ingress | IPv4/v6 | UDP | 3055 | 0.0.0.0/0 | Keep Alives and Registration |
| Egress | IPv4/v6 | UDP | 3055 | 0.0.0.0/0 | Keep Alives and Registration |
| Ingress | IPv4/v6 | TCP | 4019 | ::/0 | Applicable to M-SBC only |
| Egress | IPv4/v6 | TCP | 4019 | 0.0.0.0/0 | Applicable to S-SBC only |
| Ingress | IPv4/v6 | UDP | 5093 | ::/0 | SLS (license server) traffic |
| Egress | IPv4/v6 | UDP | 5093 | ::/0 | SLS (license server) traffic |
HA Ports
| Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes |
|---|---|---|---|---|---|
| Ingress | IPv4 | UDP | 1024-65535 | ||
| Ingress | IPv4 | TCP | 4000-8000 | x.x.x.x/y | Remote IP is HA subnet |
Packet Ports
| Direction (Initial) | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Notes |
|---|---|---|---|---|---|
| Ingress | IPv4 | UDP | 5060 | x.x.x.x/y | On S-SBC only. One per signaling port accepting UDP SIP calls; Remote IP is either a peer network prefix or wild-carded to 0.0.0.0/0 |
| Ingress | IPv6 | UDP | 5060 | x::x/y | IPv6 equivalent to the above. |
| Egress | IPv4 | UDP | 5060 | x.x.x.x/y | On S-SBC only. One per signaling port initiating UDP SIP calls; remote IP is either a peer network prefix or wild-carded to 0.0.0.0/0 |
| Egress | IPv6 | UDP | 5060 | x::x/y | IPv6 equivalent to above. |
| Ingress | IPv4 | TCP | 5061 | x.x.x.x/y | TCP equivalents for each signaling port for ingress calls |
| Ingress | IPv6 | TCP | 5061 | x::x/y | |
| Egress | IPv4 | TCP | 1024-65535 | x.x.x.x/y | TCP equivalents for each signaling initiating calls. Note that the source port is ephemeral for outbound TCP connections, hence the port range. |
| Egress | IPv6 | TCP | 1024-65535 | x::x/y | |
| Ingress | IPv4 | UDP | 1024-65535 | 0.0.0.0/0 | RTP port space. On M-SBC only. |
| Ingress | IPv6 | UDP | 1024-65535 | ::/0 | |
| Egress | IPv4 | UDP | 1024-65535 | 0.0.0.0/0 | |
| Egress | IPv6 | UDP | 1024-65535 | ::/0 | |
| Egress | IPv4 | TCP | 1024-65535 | x.x.x.x/y | For S-SBC only; client-side of media control protocol; remote IP is the network prefix of the M-SBC cluster; local port is ephemeral |
| Ingress | IPv4 | TCP | 4019 | x.x.x.x/y | For M-SBC only; server-side of media control protocol; remote IP is the network prefix of the S-SBC cluster. |
Overview
Content Tools