Configure an ACL
You can configure access control entries to specify how you want the Communications Broker to enforce realm access.
- Access the Access Control configuration object. Click the Configuration tab, System Administration section, DoS
- On the Access Control page, do the following:
- Realm ID: Enter the name of the ingress realm to which this ACL applies.
- Description: Enter a text description of the ACL for identification purposes.
- Source Address: Enter the source IPv4 address and port number for the host in the following format: <IP address>[/<number of address bits>][:<port>[/<port bits>]]
  For example:
  - 10.0.0.1/24:5000/14
  - 10.0.0.1/16
  - 10.0.0.1/24:5000
  - 10.0.0.1:5000
- Destination Address (ignored if you configure an application protocol): Enter the destination IPv4 address and port in the following format: <IP address>[/<number of address bits>][:<port>[/<port bits>]]
  You do not need to specify the number of address bits if you want all 32 bits of the address to be matched, and you do not need to specify the port bits if you want the exact port number matched. If you do not set the port mask value, or if you set it to 0, the exact port number is used for matching. The default value is 0.0.0.0.
- Application Protocol: Enter the application protocol type for this ACL entry. The valid values are:
  - SIP
  - None
  Note: If application-protocol is set to none, the destination-address and port are used for matching. Ensure that destination-address is set to a value other than the default (0.0.0.0).
- Transport Protocol: Select the transport-layer protocol for this ACL entry. The default value is ALL. The only valid value is:
  - ALL
- Access: Enter the access control type or trusted list based on the trust-level parameter configuration for this host. The default value is permit. The valid values are:
  - permit—Puts the entry into the untrusted list.
  - deny—Puts the entry into the deny list.
- trust-level: Indicate the trust level for the host within the realm. The default value is none. The valid values are:
  - none—Host is always untrusted. It is never promoted to the trusted list or demoted to the deny list.
  - low—Host can be promoted to the trusted list or demoted to the deny list.
  - medium—Host can be promoted to the trusted list but is only demoted to untrusted. It is never added to the deny list.
  - high—Host is always trusted.
- invalid-signal-threshold: Enter the number of invalid signaling messages that trigger host demotion. The value you enter here is only valid when the trust level is low or medium. Available values are:
  - Minimum—Zero (0) is disabled.
  - Maximum—999999999
  If the number of invalid messages exceeds this value within the tolerance window, the host is demoted.
  The tolerance window default is 30 seconds. Bear in mind, however, that to decide when the number of signaling messages exceeds this threshold the system uses the same calculation it uses for the "recent" statistics in show commands. That calculation assigns a consistent start time to each time period, to compensate for the fact that an event time (such as a user running a show command) almost never falls on a period boundary, and so gives more consistent periods for measuring event counts.
  The result is that the invalid signal count accumulates over two tolerance windows (60 seconds by default), during which the system monitors whether or not to demote the host: the signal count for the current tolerance window is always added to the signal count of the previous tolerance window and compared against your setting.
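To make the two-window demotion check concrete, here is an added Python model (not vendor code) of the counting described above. It assumes that window start times are aligned to multiples of the tolerance window and that the count compared with the threshold is the current window plus the previous one; the hypothetical `HostEntry` class and the constructed timestamps are mine, and the trust-level outcomes follow the list above.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added model of the invalid-signal-threshold check. Assumption: window
# boundaries fall on multiples of the tolerance window (consistent start times).

@dataclass
class HostEntry:
    trust_level: str                 # none | low | medium | high
    invalid_signal_threshold: int    # 0 disables the check
    tolerance_window: int = 30       # seconds (page default)
    buckets: Dict[int, int] = field(default_factory=dict)  # window start -> count

    def _window_start(self, t: float) -> int:
        return int(t // self.tolerance_window) * self.tolerance_window

    def record_invalid(self, t: float) -> None:
        """Count one invalid signaling message seen at time t (seconds)."""
        start = self._window_start(t)
        self.buckets[start] = self.buckets.get(start, 0) + 1

    def recent_invalid(self, now: float) -> int:
        """Current window count plus previous window count (60 s by default)."""
        cur = self._window_start(now)
        return self.buckets.get(cur, 0) + self.buckets.get(cur - self.tolerance_window, 0)

    def demotion(self, now: float) -> Optional[str]:
        """Return the list the host is demoted to ('deny' or 'untrusted'), or None."""
        if self.invalid_signal_threshold == 0:
            return None                       # 0 disables the threshold
        if self.trust_level not in ("low", "medium"):
            return None                       # none/high are never demoted
        if self.recent_invalid(now) <= self.invalid_signal_threshold:
            return None                       # count must exceed, not merely reach
        # low can fall all the way to the deny list; medium only to untrusted
        return "deny" if self.trust_level == "low" else "untrusted"


def demo() -> dict:
    """Constructed scenario: six invalid messages spread over two windows."""
    low = HostEntry("low", invalid_signal_threshold=5)
    for t in (5, 12, 20, 33, 41, 55):      # 3 in window [0,30), 3 in [30,60)
        low.record_invalid(t)
    medium = HostEntry("medium", invalid_signal_threshold=5, buckets=dict(low.buckets))
    return {
        "low_at_59": low.demotion(59),        # 6 > 5 across both windows -> deny
        "low_at_75": low.demotion(75),        # [60,90) + [30,60) = 3 -> None
        "medium_at_59": medium.demotion(59),  # medium only drops to untrusted
    }
```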
- maximum-signal-threshold: If the number of messages received exceeds this value within the tolerance window, the host is demoted. The valid range is:
  - Minimum—Zero (0) is disabled.
  - Maximum—999999999
- untrusted-signal-threshold: Set the maximum number of untrusted messages the host can send within the tolerance window. Use this to configure different values for trusted and untrusted endpoints for valid signaling message parameters. Also configurable per realm. The default value is 0, which disables this parameter. The valid range is:
  - Minimum—Zero (0) is disabled.
  - Maximum—999999999
- deny-period: Indicate the time period in seconds after which the entry for this host is removed from the deny list. The default value is 30. The valid range is:
  - Minimum—Zero (0) is disabled.
  - Maximum—999999999
- Click OK.
- (Optional) Add another Access Control list.
- Save the configuration.