Access Control for a Realm
Each host within a realm can be policed based on average rate, peak rate, and maximum burst size of signaling messages. These parameters take effect only when the host is trusted. You can also set the trust level for the host within the realm. All untrusted hosts share the bandwidth defined for the media manager: maximum untrusted bandwidth and minimum untrusted bandwidth.
To configure access control for a realm:
- In Superuser mode, type configure terminal and press Enter.
  ORACLE# configure terminal
- Type media-manager and press Enter to access the system-level configuration elements.
  ORACLE(configure)# media-manager
- Type realm-config and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
  ORACLE(media-manager)# realm-config
  ORACLE(realm-config)#
- addr-prefix—Set the IP address prefix used to determine whether an IP address is associated with the realm. This value is then associated with the ACLs you create to determine packet access. The default value is 0.0.0.0.
- average-rate-limit—Set the sustained rate for host path traffic from a trusted source within the realm, in bytes per second. The default value is zero (0), which disables this parameter. The valid range is:
  - Minimum—0
  - Maximum—4294967295
- access-control-trust-level—Set the trust level for the host within the realm. The default value is none. The valid values are:
  - none—Host is always untrusted. It is never promoted to the trusted list or demoted to the deny list.
  - low—Host can be promoted to the trusted list or demoted to the deny list.
  - medium—Host can be promoted to the trusted list but is only demoted to untrusted. It is never added to the deny list.
  - high—Host is always trusted.
- invalid-signal-threshold—Enter the number of invalid signaling messages that trigger host demotion. The value you enter here is only valid when the trust level is low or medium. Available values are:
  - Minimum—Zero (0) is disabled.
  - Maximum—999999999
  If the number of invalid messages exceeds this value within the tolerance window (a media-manager parameter), the host is demoted.
  The tolerance window default is 30 seconds. Bear in mind, however, that the system uses the same calculation it uses for the "recent" statistics in show commands to determine when the number of signaling messages exceeds this threshold. That calculation gives each time period a fixed start time, to compensate for the fact that an event time (such as a user running a show command) almost never falls on a time period's boundary, and so yields more consistent periods for measuring event counts.
  The result is that the invalid signal count accumulates over two tolerance windows (60 seconds by default), within which the system decides whether or not to demote the host: the signal count for the current tolerance window is always added to the signal count of the previous tolerance window and compared against your setting.
- maximum-signal-threshold—Set the maximum number of signaling messages one host can send within the window of tolerance. The host is demoted if the number of messages received by the Oracle® Enterprise Session Border Controller exceeds the number set here. Valid only when the trust level is set to low or medium. The default value is zero (0), which disables this parameter. The valid range is:
  - Minimum—0
  - Maximum—4294967295
- untrusted-signal-threshold—Set the maximum number of untrusted messages the host can send within the tolerance window. Use this to configure different valid-signaling-message limits for trusted and untrusted endpoints. Also configurable per realm. The default value is zero (0), which disables the parameter. The valid range is:
  - Minimum—0
  - Maximum—4294967295
- deny-period—Set the length of time an entry is posted on the deny list. The host is deleted from the deny list after this time period. The default value is 30. A value of 0 disables the parameter. The valid range is:
  - Minimum—0
  - Maximum—4294967295
- nat-trust-threshold—Enter the number of endpoints behind a NAT that must be denied for the Oracle® Enterprise Session Border Controller to demote the NAT device itself to denied (dynamic demotion of NAT devices). The default is 0, meaning dynamic demotion of NAT devices is disabled. The range is from 0 to 65535.
The following example shows a host access policing configuration.
realm-config
        identifier                     private
        addr-prefix                    192.168.200.0/24
        network-interfaces             prviate:0
        mm-in-realm                    disabled
        mm-in-network                  enabled
        msm-release                    disabled
        qos-enable                     disabled
        max-bandwidth                  0
        ext-policy-svr
        max-latency                    0
        max-jitter                     0
        max-packet-loss                0
        observ-window-size             0
        parent-realm
        dns-realm
        media-policy
        in-translationid
        out-translationid
        class-profile
        average-rate-limit             8000
        access-control-trust-level     medium
        invalid-signal-threshold       200
        maximum-signal-threshold       0
        untrusted-signal-threshold     500
        deny-period                    30
        symmetric-latching             disabled
        pai-strip                      disabled
        trunk-context
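The interaction between access-control-trust-level, invalid-signal-threshold, deny-period and the two-tolerance-window count described above is easiest to see as a small state model. The following Python is an added illustration written for this page, not Oracle software, and it makes three assumptions the text does not spell out: promotion to the trusted list is represented by an explicit promote() call (whatever event the SBC actually uses), a host cannot be promoted while on the deny list, and a host deleted from the deny list returns to untrusted. The host address is a constructed sample inside the example realm's prefix.

```python
# Added model of realm host access-control demotion (illustration, not Oracle code).
# Assumptions (not stated on the page): promotion is an explicit promote() call,
# a denied host cannot be promoted, and leaving the deny list returns it to "untrusted".
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional

TRUST_LEVELS = ("none", "low", "medium", "high")


@dataclass
class RealmAccessControl:
    """Subset of realm-config / media-manager parameters used by the model."""
    access_control_trust_level: str = "none"
    invalid_signal_threshold: int = 0   # 0 disables demotion on invalid messages
    deny_period: int = 30               # seconds an entry stays on the deny list
    tolerance_window: int = 30          # media-manager tolerance window, seconds


@dataclass
class HostState:
    status: str = "untrusted"           # untrusted | trusted | denied
    denied_until: Optional[int] = None
    # Invalid-message counts keyed by window index (time // tolerance_window), so every
    # period starts on a fixed boundary regardless of when the events actually occur.
    invalid_counts: Dict[int, int] = field(default_factory=lambda: defaultdict(int))


class RealmAccessPolicer:
    def __init__(self, cfg: RealmAccessControl) -> None:
        if cfg.access_control_trust_level not in TRUST_LEVELS:
            raise ValueError(f"bad trust level: {cfg.access_control_trust_level}")
        self.cfg = cfg
        self.hosts: Dict[str, HostState] = defaultdict(HostState)

    def _expire_deny(self, host: str, now: int) -> None:
        st = self.hosts[host]
        if st.status == "denied" and st.denied_until is not None and now >= st.denied_until:
            st.status = "untrusted"     # assumption: deleted from the deny list -> untrusted
            st.denied_until = None

    def status(self, host: str, now: int) -> str:
        self._expire_deny(host, now)
        if self.cfg.access_control_trust_level == "high":
            return "trusted"            # high: host is always trusted
        return self.hosts[host].status

    def promote(self, host: str, now: int) -> str:
        """Whatever event the SBC uses to trust an endpoint is abstracted as this call."""
        self._expire_deny(host, now)
        st = self.hosts[host]
        if self.cfg.access_control_trust_level != "none" and st.status != "denied":
            st.status = "trusted"       # none: never promoted; denied: assumed not promotable
        return self.status(host, now)

    def recent_invalid(self, host: str, now: int) -> int:
        """Current window plus previous window: two tolerance windows (60 s by default)."""
        w = now // self.cfg.tolerance_window
        counts = self.hosts[host].invalid_counts
        for old in [k for k in counts if k < w - 1]:
            del counts[old]             # windows older than the previous one no longer count
        return counts[w] + counts[w - 1]

    def on_invalid_signal(self, host: str, now: int) -> str:
        """Record one invalid signaling message and apply the demotion rules."""
        cfg, st = self.cfg, self.hosts[host]
        self._expire_deny(host, now)
        st.invalid_counts[now // cfg.tolerance_window] += 1
        level = cfg.access_control_trust_level
        if level in ("none", "high") or cfg.invalid_signal_threshold == 0:
            return self.status(host, now)   # threshold applies only to low and medium
        if self.recent_invalid(host, now) > cfg.invalid_signal_threshold:
            if level == "low":
                st.status = "denied"    # low: demoted to the deny list for deny-period seconds
                # deny-period 0 is modelled as an entry that never expires (assumption)
                st.denied_until = now + cfg.deny_period if cfg.deny_period > 0 else None
            else:
                st.status = "untrusted" # medium: demoted to untrusted, never denied
        return self.status(host, now)


if __name__ == "__main__":
    cfg = RealmAccessControl("low", invalid_signal_threshold=3, deny_period=30, tolerance_window=30)
    policer = RealmAccessPolicer(cfg)
    host = "192.168.200.17"             # constructed sample inside the example realm prefix
    policer.promote(host, now=5)
    for t in (10, 20, 25, 55):          # three in window 0, one in window 1: 4 > 3 across both
        print(t, policer.on_invalid_signal(host, t))
    print(85, policer.status(host, 85)) # deny-period elapsed: back to untrusted
```

Running the demo shows the point the text makes about the two windows: three invalid messages in the first 30-second window do not exceed a threshold of 3, but a fourth message at second 55 is added to the previous window's count and the host is demoted, even though only one invalid message arrived in the current window.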