access-control
The access-control configuration element
is used to manually create ACLs for the host path in the Oracle Communications Session Border Controller.
Note:
This configuration element is not RTC (real-time configuration) supported.
Parameters
- realm-id
- Enter the ingress realm of the traffic destined for the host to which this ACL applies
- description
- Provide a brief description of the access-control configuration element
- destination-address
- Enter the destination address, net mask, port number, and port
mask to specify traffic matching for this ACL. Not specifying a port mask
implies an exact destination port. Not specifying an address mask implies an
exact IP address. This parameter is entered in the following format:
<ip-address>[/<num-bits>] [:<port>][/<port-bits>]
- Default: 0.0.0.0
- source-address
- Enter the source address, net mask, port number, and port mask to specify
traffic matching for this ACL. Not specifying a port mask implies an exact
source port. Not specifying an address mask implies an exact IP address.
This parameter is entered in the following format:
<ip-address>[/<num-bits>] [:<port>][/<port-bits>]
- Default: 0.0.0.0
Note:
Oracle recommends that you avoid creating static ACLs using the source address 0.0.0.0 unless explicitly directed to do so. Static ACLs using source address 0.0.0.0 can conflict with internally created ACLs (realm-based default global ACLs) that also use source-address 0.0.0.0. If you create these static ACLs, the system may drop traffic or experience unpredictable behavior after you delete them and may require a reboot to resume forwarding that traffic.
- application-protocol
- Select the application-layer protocol configured for this ACL
entry
- Values: SIP | H323 | MGCP |
DIAMETER | NONE
Note:
If application-protocol is set to NONE, the destination-address and port are used for matching. Ensure that your destination-address is set to a value other than the default (0.0.0.0).
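As an added example (not Oracle's code and not part of this reference), the Python below checks an access-control entry's destination-address, source-address and application-protocol offline before it is typed into the ACLI. It parses the `<ip-address>[/<num-bits>] [:<port>][/<port-bits>]` format with the documented defaults (no address mask means an exact IP, no port mask means an exact port), applies the two cautions from the notes on this page (a 0.0.0.0 source-address, and application-protocol NONE with the default destination-address), and can test whether a given packet's address and port would match a spec. It assumes IPv4 only and that `port-bits` is a prefix length over the 16-bit port number, analogous to `num-bits`; the function names and the sample entries are this example's own.

```python
"""Offline lint and match for access-control address specs.

Added example, not Oracle code. Assumptions (not stated on the page):
IPv4 only, and <port-bits> is a prefix length over the 16-bit port, so
":5000/13" covers ports 5000-5007 the same way "/24" covers a /24 network.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

APPLICATION_PROTOCOLS = {"SIP", "H323", "MGCP", "DIAMETER", "NONE"}
DEFAULT_ADDRESS = ipaddress.IPv4Address("0.0.0.0")

# <ip-address>[/<num-bits>] [:<port>][/<port-bits>]  (whitespace before ':' optional)
_SPEC_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<bits>\d{1,2}))?"
    r"(?:\s*:(?P<port>\d{1,5})(?:/(?P<pbits>\d{1,2}))?)?$"
)


@dataclass(frozen=True)
class AddrSpec:
    network: ipaddress.IPv4Network  # address plus mask; /32 when no mask is given
    port: Optional[int]             # None when no port is given (any port)
    port_bits: int                  # 16 when no port mask is given (exact port)

    def matches(self, ip: str, port: int) -> bool:
        """True when a packet's address and port fall inside this spec."""
        if ipaddress.IPv4Address(ip) not in self.network:
            return False
        if self.port is None:
            return True
        shift = 16 - self.port_bits
        return (port >> shift) == (self.port >> shift)

    def is_default(self) -> bool:
        """True for the element default 0.0.0.0 (with or without a mask)."""
        return self.network.network_address == DEFAULT_ADDRESS


def parse_spec(text: str) -> AddrSpec:
    """Parse one destination-address or source-address value."""
    m = _SPEC_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed address spec: {text!r}")
    bits = int(m["bits"]) if m["bits"] else 32          # no mask -> exact IP
    network = ipaddress.IPv4Network(f"{m['ip']}/{bits}", strict=False)
    port = int(m["port"]) if m["port"] else None
    port_bits = int(m["pbits"]) if m["pbits"] else 16   # no port mask -> exact port
    if port is not None and not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not 0 <= port_bits <= 16:
        raise ValueError(f"port mask out of range: /{port_bits}")
    return AddrSpec(network, port, port_bits)


def lint_entry(source_address: str, destination_address: str,
               application_protocol: str) -> List[str]:
    """Return the warnings an operator should see before committing the entry."""
    src = parse_spec(source_address)
    dst = parse_spec(destination_address)
    proto = application_protocol.upper()
    if proto not in APPLICATION_PROTOCOLS:
        raise ValueError(f"unknown application-protocol: {application_protocol!r}")
    warnings: List[str] = []
    if src.is_default():
        warnings.append(
            "source-address 0.0.0.0 conflicts with the realm's internally created "
            "ACLs; deleting the entry later may drop traffic until a reboot")
    if proto == "NONE" and dst.is_default():
        warnings.append(
            "application-protocol NONE matches on destination-address and port, "
            "so destination-address must not be left at the default 0.0.0.0")
    return warnings


if __name__ == "__main__":
    # Constructed sample entries, not taken from a live configuration.
    for entry in [("0.0.0.0", "172.16.0.10:5060", "SIP"),
                  ("10.1.1.0/24", "0.0.0.0", "NONE"),
                  ("10.1.1.0/24", "172.16.0.10:5060", "NONE")]:
        print(entry, lint_entry(*entry) or "ok")
```

The matcher follows the page's literal rule that an unmasked address is exact, so a spec of `0.0.0.0` matches nothing in this model; the lint step is what flags it, because the SBC treats that value as the realm default that collides with its internal ACLs.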
- transport-protocol
- Select the transport-layer protocol configured for this ACL
entry
- Default: ALL
- Values: UDP | TCP | SCTP | ALL
- access
- Select the access control type for this entry
- Default: permit
- Values:
- permit—Puts the entry in the trusted or untrusted list, depending on the trust-level parameter. The host is then promoted and demoted according to the trust level configured for it.
- deny—Puts this entry in the deny list.
- average-rate-limit
- On hardware platforms other than the Acme Packet 1100 and Acme Packet 3900, enter the allowed sustained rate in bytes per second for host path traffic from a trusted source within the realm. A value of 0 disables the policing.
- Default: 0
- Values: Min: 0 / Max: 4294967295
- On virtual platforms, enter the allowed sustained rate as a percentage of the maximum signaling rate for host path traffic from a trusted source within the realm. A value of 0 disables the policing.
- Default: 0
- Values: Min: 0 / Max: 100
- trust-level
- Select the trust level for the host
- Default: none
- Values:
- none—Hosts always remain untrusted. They are never promoted to the trusted list and never demoted to the deny list.
- low—Hosts can be promoted to the trusted list or demoted to the deny list.
- medium—Hosts can be promoted to the trusted list, but can only be demoted to untrusted. Hosts are never put in the deny list.
- high—Hosts always remain trusted.
- minimum-reserved-bandwidth
- Enter the minimum reserved bandwidth in bytes per second that
you want for the session agent, which will trigger the creation of a
separate pipe for it. This parameter is only valid when the trust-level
parameter is set to high. Only a non-zero value will allow the feature to
work properly.
- Default: 0
- Values: Min: 0 / Max: 4294967295
- invalid-signal-threshold
- Enter the rate of signaling messages per second to be exceeded
within the tolerance-window that causes a demotion event. This parameter is
only valid when trust-level is configured as low or medium. A value of 0
means no threshold.
- Default: 0
- Values: Min: 0 / Max: 4294967295
- maximum-signal-threshold
- Enter the maximum number of signaling messages per second that
one host can send within the tolerance-window. The host will be demoted if
the Oracle Communications Session Border Controller receives messages
more than the configured number. This parameter is only valid when
trust-level is configured as low or medium. A value of 0 means no threshold.
- Default: 0
- Values: Min: 0 / Max: 999999999
- untrusted-signal-threshold
- Enter the maximum number of signaling messages from untrusted
sources allowed within the tolerance window.
- Default: 0
- Values: Min: 0 / Max: 999999999
- deny-period
- Enter the time period in seconds for which a deny-listed host or deny
entry is blocked by this ACL. The host is taken out of the deny list after
this period elapses.
- Default: 30
- Values: Min: 0 / Max: 999999999
- nat-trust-threshold
- Enter the maximum number of denied endpoints behind a NAT device before
the NAT device itself is set to denied. 0 means dynamic demotion of NAT
devices is disabled.
- Default: 0
- Values: Min: 0 / Max: 65535
- max-endpoints-per-nat
- Maximum number of endpoints that can exist behind a NAT before
demoting the NAT device.
- Default: 0 (disabled)
- Values: Min: 0 / Max: 65535
- nat-invalid-message-threshold
- Enter the acceptable number of invalid messages from behind a
NAT.
- Default: 0
- Values: Min: 0 / Max: 65535
- cac-failure-threshold
- Enter the number of CAC failures for any single endpoint that
will demote it from the trusted queue to the untrusted queue.
- Default: 0
- Values: Min: 0 / Max: 4294967295
- untrust-cac-failure-threshold
- Enter the number of CAC failures for any single endpoint that
will demote it from the untrusted queue to the denied queue.
- Default: 0
- Values: Min: 0 / Max: 4294967295
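As an added example (not Oracle's code and not part of this reference), the Python below models the trust-level matrix together with maximum-signal-threshold, cac-failure-threshold, untrust-cac-failure-threshold and deny-period, so the interaction between these parameters can be exercised offline: a host under trust-level low rides trusted, then untrusted, then denied, and leaves the deny list once deny-period has elapsed; a medium host never reaches the deny list; none and high hosts never move. Three things are this example's assumptions rather than the page's: demotion moves one list at a time, a host leaving the deny list returns to the untrusted list, and a threshold of 0 disables the corresponding check. The promotion trigger itself is not described on this page, so the model exposes it as a `promote()` call; all class and function names are the example's own.

```python
"""Model of access-control trust-level promotion and demotion.

Added example, not Oracle code. Assumptions not stated on the page:
demotion moves one list at a time (trusted -> untrusted -> denied), a host
whose deny-period has elapsed returns to the untrusted list, and a threshold
of 0 disables the corresponding check.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict

TRUSTED, UNTRUSTED, DENIED = "trusted", "untrusted", "denied"

# Allowed transitions per trust-level, taken from the parameter description.
RULES = {
    "none":   dict(promote=False, to_untrusted=False, to_denied=False),
    "low":    dict(promote=True,  to_untrusted=True,  to_denied=True),
    "medium": dict(promote=True,  to_untrusted=True,  to_denied=False),
    "high":   dict(promote=False, to_untrusted=False, to_denied=False),
}


@dataclass
class AclPolicy:
    trust_level: str
    maximum_signal_threshold: int = 0       # msgs/sec in the tolerance window; 0 = none
    cac_failure_threshold: int = 0          # trusted -> untrusted; 0 = disabled (assumed)
    untrust_cac_failure_threshold: int = 0  # untrusted -> denied; 0 = disabled (assumed)
    deny_period: int = 30                   # seconds a host stays in the deny list


@dataclass
class HostState:
    list_name: str
    denied_until: float = 0.0
    cac_failures: int = 0


class TrustTracker:
    def __init__(self, policy: AclPolicy) -> None:
        if policy.trust_level not in RULES:
            raise ValueError(f"unknown trust-level: {policy.trust_level!r}")
        self.policy = policy
        self.rules = RULES[policy.trust_level]
        self.hosts: Dict[str, HostState] = {}

    def _state(self, host: str) -> HostState:
        # high starts (and stays) trusted; every other level starts untrusted
        start = TRUSTED if self.policy.trust_level == "high" else UNTRUSTED
        return self.hosts.setdefault(host, HostState(start))

    def list_for(self, host: str, now: float) -> str:
        """Current list for the host, expiring a finished deny-period first."""
        st = self._state(host)
        if st.list_name == DENIED and now >= st.denied_until:
            st.list_name = UNTRUSTED  # assumed: back to untrusted, not trusted
        return st.list_name

    def promote(self, host: str, now: float) -> str:
        """Promotion event (its trigger is outside this model); only low/medium honour it."""
        st = self._state(host)
        if self.rules["promote"] and self.list_for(host, now) == UNTRUSTED:
            st.list_name = TRUSTED
        return st.list_name

    def _demote(self, host: str, now: float) -> str:
        st = self._state(host)
        current = self.list_for(host, now)
        if current == TRUSTED and self.rules["to_untrusted"]:
            st.list_name = UNTRUSTED
        elif current == UNTRUSTED and self.rules["to_denied"]:
            st.list_name = DENIED
            st.denied_until = now + self.policy.deny_period
        return st.list_name

    def observe_signaling_rate(self, host: str, msgs_per_sec: int, now: float) -> str:
        """Demote when the rate exceeds maximum-signal-threshold (0 = no threshold)."""
        thr = self.policy.maximum_signal_threshold
        if thr and msgs_per_sec > thr:
            return self._demote(host, now)
        return self.list_for(host, now)

    def observe_cac_failure(self, host: str, now: float) -> str:
        """Count a CAC failure and demote once the list-specific threshold is reached."""
        st = self._state(host)
        current = self.list_for(host, now)
        st.cac_failures += 1
        limit = (self.policy.cac_failure_threshold if current == TRUSTED
                 else self.policy.untrust_cac_failure_threshold)
        if limit and st.cac_failures >= limit:
            st.cac_failures = 0
            return self._demote(host, now)
        return current
```

Running the same burst of signaling against a low and a medium policy side by side is the quickest way to see why medium is the usual choice for endpoints behind shared NATs: the host is throttled back to untrusted but a single misbehaving peer cannot push it into the deny list.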
Path
access-control is an element of the session-router path. The full path from the topmost ACLI prompt is: .
Note:
This is a multiple instance configuration element.