Access Control for a Realm

Each host within a realm can be policed based on average rate, peak rate, and maximum burst size of signaling messages. These parameters take effect only when the host is trusted. You can also set the trust level for the host within the realm. All untrusted hosts share the bandwidth defined for the media manager: maximum untrusted bandwidth and minimum untrusted bandwidth.

To configure access control for a realm:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type media-manager and press Enter to access the system-level configuration elements.
    ORACLE(configure)# media-manager
  3. Type realm-config and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
    ORACLE(media-manager)# realm-config
    ORACLE(realm-config)#
  4. addr-prefix—Set the IP address prefix used to determine if an IP address is associated with the realm. This value is then associated with the ACLs you create to determine packet access. The default value is 0.0.0.0.
  5. average-rate-limit—Set the sustained rate for host path traffic from a trusted source within the realm in bytes per second. The default value is zero (0), disabling this parameter. The valid range is:
    • Minimum—0

    • Maximum—4294967295

  6. access-control-trust-level—Set the trust level for the host within the realm. The default value is none. The valid values are:
    • none—Host is always untrusted. It is never promoted to the trusted list or demoted to the deny list.

    • low—Host can be promoted to the trusted list or demoted to the deny list.

    • medium—Host can be promoted to the trusted list but is only demoted to untrusted. It is never added to the deny list.

    • high—Host is always trusted.

  7. invalid-signal-threshold—Enter the number of invalid signaling messages that trigger host demotion. The value you enter here is only valid when the trust level is low or medium. Available values are:
    • Minimum—0; a value of zero (0) disables the parameter.

    • Maximum—999999999

      If the number of invalid messages exceeds this value within the tolerance window (a media-manager parameter), the host is demoted.

      The tolerance window default is 30 seconds. Bear in mind, however, that the system uses the same calculation it uses for the "recent" statistics in show commands to determine when the number of signaling messages exceeds this threshold. That calculation gives each time period a fixed start time, to compensate for the fact that the triggering event (such as a user running a show command) almost never falls exactly on a period boundary, and so yields consistent periods for counting events.

      The result is that the invalid signal count accumulates over two tolerance windows (60 seconds by default), and it is within that span that the system decides whether or not to demote the host. The signal count for the current tolerance window is always added to the signal count of the previous tolerance window and the sum is compared against your setting.

  8. maximum-signal-threshold—Set the maximum number of signaling messages one host can send within the window of tolerance. The host is demoted if the number of messages received by the Oracle® Enterprise Session Border Controller exceeds the number set here. Valid only when the trust level is set to low or medium. The default value is zero (0), disabling this parameter. The valid range is:
    • Minimum—0

    • Maximum—4294967295

  9. untrusted-signal-threshold—Set the maximum number of untrusted messages the host can send within the tolerance window. Use this parameter to configure different limits on valid signaling messages for trusted and untrusted endpoints. It is also configurable per realm. The default value is zero (0), disabling the parameter. The valid range is:
    • Minimum—0

    • Maximum—4294967295

  10. deny-period—Set the length of time an entry is posted on the deny list. The host is deleted from the deny list after this time period. The default value is 30. A value of 0 disables the parameter. The valid range is:
    • Minimum—0

    • Maximum—4294967295

  11. nat-trust-threshold—Enter the number of endpoints behind a NAT that must be denied for the Oracle® Enterprise Session Border Controller to demote the NAT device itself to denied (dynamic demotion of NAT devices). The default is 0, meaning dynamic demotion of NAT devices is disabled. The range is from 0 to 65535.

    The following example shows a host access policing configuration.

    realm-config
            identifier                     private
            addr-prefix                    192.168.200.0/24
            network-interfaces
                                           private:0
            mm-in-realm                    disabled
            mm-in-network                  enabled
            msm-release                    disabled
            qos-enable                     disabled
            max-bandwidth                  0
            ext-policy-svr
            max-latency                    0
            max-jitter                     0
            max-packet-loss                0
            observ-window-size             0
            parent-realm
            dns-realm
            media-policy
            in-translationid
            out-translationid
            class-profile
            average-rate-limit             8000
            access-control-trust-level     medium
            invalid-signal-threshold       200
            maximum-signal-threshold       0
            untrusted-signal-threshold     500
            deny-period                    30
            symmetric-latching             disabled
            pai-strip                      disabled
            trunk-context
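The following Python model is an added illustration, not Oracle code, of how the parameters above interact: the two-window invalid-signal count from step 7, the trust-level rules from step 6, and the deny-period expiry from step 10. It uses the example configuration's values (trust level medium, invalid-signal-threshold 200, deny-period 30) together with the media-manager tolerance window default of 30 seconds. Everything about how promotion is triggered, how a host starts out, and what a deny-period of 0 means is an assumption made for the model and marked as such in the comments.

```python
"""Model of per-realm host access control as described in the section above.
Added example; not the Session Border Controller's own implementation."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class TrustLevel(Enum):
    NONE = "none"      # always untrusted, never promoted or denied
    LOW = "low"        # may be promoted to trusted or demoted to deny
    MEDIUM = "medium"  # may be promoted to trusted, demoted only to untrusted
    HIGH = "high"      # always trusted


class HostState(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"
    DENIED = "denied"


@dataclass
class RealmPolicy:
    trust_level: TrustLevel
    invalid_signal_threshold: int = 0  # 0 disables the check
    deny_period: int = 30              # seconds an entry stays on the deny list
    tolerance_window: int = 30         # media-manager tolerance window (seconds)


@dataclass
class HostRecord:
    state: HostState
    # invalid-message counts keyed by window index (t // tolerance_window),
    # so every window has a fixed start time regardless of when events occur
    invalid_by_window: Dict[int, int] = field(default_factory=dict)
    denied_until: Optional[float] = None


class AccessController:
    def __init__(self, policy: RealmPolicy) -> None:
        self.policy = policy
        self.hosts: Dict[str, HostRecord] = {}

    def _host(self, ip: str) -> HostRecord:
        # Assumption: high-trust hosts start trusted, all others untrusted.
        if ip not in self.hosts:
            initial = (HostState.TRUSTED if self.policy.trust_level is TrustLevel.HIGH
                       else HostState.UNTRUSTED)
            self.hosts[ip] = HostRecord(state=initial)
        return self.hosts[ip]

    def _window(self, t: float) -> int:
        return int(t // self.policy.tolerance_window)

    def invalid_count(self, ip: str, t: float) -> int:
        """Current window plus the previous window, as the section describes."""
        w = self._window(t)
        counts = self._host(ip).invalid_by_window
        return counts.get(w, 0) + counts.get(w - 1, 0)

    def promote(self, ip: str, t: float) -> HostState:
        """Caller-driven promotion (the trigger itself is assumed, not documented here).
        Only low and medium trust levels allow a host to become trusted."""
        host = self._host(ip)
        self._expire_deny(host, t)
        if (self.policy.trust_level in (TrustLevel.LOW, TrustLevel.MEDIUM)
                and host.state is HostState.UNTRUSTED):
            host.state = HostState.TRUSTED
        return host.state

    def record_invalid(self, ip: str, t: float) -> HostState:
        """Count one invalid signaling message at time t and apply demotion."""
        host = self._host(ip)
        self._expire_deny(host, t)
        w = self._window(t)
        host.invalid_by_window[w] = host.invalid_by_window.get(w, 0) + 1
        for stale in [k for k in host.invalid_by_window if k < w - 1]:
            del host.invalid_by_window[stale]      # only two windows matter
        threshold = self.policy.invalid_signal_threshold
        if threshold and self.invalid_count(ip, t) > threshold:
            self._demote(host, t)
        return host.state

    def _demote(self, host: HostRecord, t: float) -> None:
        level = self.policy.trust_level
        if level is TrustLevel.LOW:
            host.state = HostState.DENIED
            # Assumption: deny-period 0 is modelled as an entry that never expires.
            host.denied_until = t + self.policy.deny_period if self.policy.deny_period else None
        elif level is TrustLevel.MEDIUM:
            host.state = HostState.UNTRUSTED  # never added to the deny list
        # none: already untrusted; high: always trusted, so no change

    def _expire_deny(self, host: HostRecord, t: float) -> None:
        if (host.state is HostState.DENIED and host.denied_until is not None
                and t >= host.denied_until):
            host.state = HostState.UNTRUSTED   # assumption: back to untrusted, not trusted
            host.denied_until = None

    def state(self, ip: str, t: float) -> HostState:
        host = self._host(ip)
        self._expire_deny(host, t)
        return host.state


if __name__ == "__main__":
    # Values from the example realm-config above; 192.168.200.10 is a constructed host.
    ctl = AccessController(RealmPolicy(TrustLevel.MEDIUM, invalid_signal_threshold=200))
    ip = "192.168.200.10"
    ctl.promote(ip, 0)
    for _ in range(150):
        ctl.record_invalid(ip, 10)       # window 0
    for _ in range(51):
        ctl.record_invalid(ip, 40)       # window 1: 150 + 51 > 200 -> demoted
    print(ip, ctl.state(ip, 40).value, "count over two windows:", ctl.invalid_count(ip, 40))
```

The point the model makes visible is the one the section warns about: 150 invalid messages in one window and 51 in the next never exceed 200 within a single 30-second window, yet the host is still demoted, because the previous window's count is always added to the current one. With trust level medium the host drops to untrusted and keeps the shared untrusted bandwidth; with trust level low the same traffic would place it on the deny list for deny-period seconds.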