Access Control List Configuration

To configure access control lists:

  1. Access the access-control configuration element.
    ACMEPACKET# configure terminal
    ACMEPACKET(configure)# session-router
    ACMEPACKET(session-router)# access-control
    ACMEPACKET(access-control)#
  2. Type select to choose and configure an existing object.
    ACMEPACKET(access-control)# select
    <src-ip>:
    1: src 0.0.0.0; 0.0.0.0; realm01; ; ALL
  3. realm-id—Enter the ID of the host’s ingress realm.
  4. source-address—Enter the source IPv4 address and port number for the host in the following format:
    <IP address>[/<number of address bits>][:<port>[/<port bits>]]

    For example:

    10.0.0.1/24:5000/14
    10.0.0.1/16
    10.0.0.1/24:5000
    10.0.0.1:5000

    You do not need to specify the number of address bits if you want all 32 bits of the address to be matched. You also do not need to specify the port bits if you want the exact port number matched. If you do not set the port mask value or if you set it to 0, the exact port number will be used for matching. The default value is 0.0.0.0.

  5. destination-address—(Ignored if you configure an application protocol in the application-protocol step below.) Enter the destination IPv4 address and port for the destination in the following format:
    <IP address>[/<number of address bits>][:<port>[/<port bits>]]

    You do not need to specify the number of address bits if you want all 32 bits of the address to be matched. You also do not need to specify the port bits if you want the exact port number matched. If you do not set the port mask value or if you set it to 0, the exact port number will be used for matching. The default value is 0.0.0.0.

  6. application-protocol—Enter the application protocol type for this ACL entry. The valid values are:
    • SIP | H.323 | None

      Note:

      If application-protocol is set to none, the destination-address and port will be used for matching. Ensure that your destination-address is set to a non-default value (the default is 0.0.0.0).
  7. transport-protocol—Select the transport-layer protocol configured for this ACL entry. The default value is ALL. The valid values are:
    • ALL | TCP | UDP

  8. access—Enter the access control type or trusted list based on the trust-level parameter configuration for this host. The default value is permit. The valid values are:
    • permit—Puts the entry into the untrusted list. The entry is promoted or demoted according to the trust level set for this host.

    • deny—Puts the entry in the deny list.

  9. average-rate-limit—Indicate the sustained rate in bytes per second for host path traffic from a trusted source within the realm. The default value is 0. A value of 0 means policing is disabled. The valid range is:
    • Minimum—0

    • Maximum—999999999

  10. trust-level—Indicate the trust level for the host within the realm. The default value is none. The valid values are:
    • none—Host is always untrusted. It is never promoted to the trusted list or demoted to the deny list.

    • low—Host can be promoted to the trusted list or demoted to the deny list.

    • medium—Host can be promoted to the trusted list but is only demoted to untrusted. It is never added to the deny list.

    • high—Host is always trusted.

  11. invalid-signal-threshold—Enter the number of invalid signaling messages that trigger host demotion. The value you enter here is only valid when the trust level is low or medium. Available values are:
    • Minimum—Zero (0) is disabled.

    • Maximum—999999999

      If the number of invalid messages exceeds this value based on the tolerance window parameter, configured in the media manager, the host is demoted.

      The tolerance window default is 30 seconds. Bear in mind, however, that the system uses the same calculation it uses for specifying "recent" statistics in show commands to determine when the number of signaling messages exceeds this threshold. This calculation specifies a consistent start time for each time period to compensate for the fact that the event time, such as a user running a show command, almost never falls on a time-period's border. This provides more consistent periods of time for measuring event counts.

      The result is that this invalid signal count increments for two tolerance windows, 60 seconds by default, within which the system monitors whether or not to demote the host. The signal count for the current tolerance window is always added to the signal count of the previous tolerance window and compared against your setting.

  12. maximum-signal-threshold—Set the maximum number of signaling messages the host can send within the tolerance window. The value you enter here is only valid when the trust level is low or medium. The default value is 0, disabling this parameter. The valid range is:
    • Minimum—0

    • Maximum—999999999

      If the number of messages received exceeds this value within the tolerance window, the host is demoted.

  13. untrusted-signal-threshold—Set the maximum number of untrusted messages the host can send within the tolerance window. Use this to configure different values for trusted and untrusted endpoints for valid signaling message parameters. This is also configurable per realm. The default value is 0, disabling this parameter. The valid range is:
    • Minimum—0

    • Maximum—999999999

  14. deny-period—Indicate the time period in seconds after which the entry for this host is removed from the deny list. The default value is 30. The valid range is:
    • Minimum—0

    • Maximum—999999999

  15. nat-trust-threshold—Enter the number of endpoints behind a NAT that must be denied for the Oracle® Enterprise Session Border Controller to demote the NAT device itself to denied (dynamic demotion of NAT devices). The default is 0, meaning dynamic demotion of NAT devices is disabled. The range is from 0 to 65535.

    The following example shows access control configured for a host in the external realm.

    access-control
            realm-id                       external
            source-address                 192.168.200.215
            destination-address            192.168.10.2:5000
            application-protocol           SIP
            transport-protocol             ALL
            access                         permit
            average-rate-limit             3343
            trust-level                    low
            invalid-signal-threshold       5454
            maximum-signal-threshold       0
            untrusted-signal-threshold     0
            deny-period                    0

    The following example shows how to configure a black-list entry:

    access-control
            realm-id                       external
            source-address                 192.168.200.200
            destination-address            192.168.10.2:5000
            application-protocol           SIP
            transport-protocol             ALL
            access                         deny
            average-rate-limit             0
            trust-level                    none
            invalid-signal-threshold       0
            maximum-signal-threshold       0
            untrusted-signal-threshold     0
            deny-period                    0
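    The following Python model is an added example, not Oracle code: it implements the address/port mask format from the source-address and destination-address steps, the two-tolerance-window invalid-signal check from the invalid-signal-threshold step, and the destination-address caveat from the application-protocol note. The port mask is assumed to be prefix-style (high-order bits), and an omitted port is assumed to match any port.

```python
# Added example (not Oracle's code): models ACL address matching, the
# two-window invalid-signal demotion rule and a misconfiguration check.
import ipaddress

def parse_address_spec(spec: str):
    """Parse '<ip>[/<addr bits>][:<port>[/<port bits>]]' into (net, port, port_bits).

    Address bits default to 32 (exact host). Port bits absent or 0 mean the
    exact port must match, as the procedure text states."""
    addr_part, _, port_part = spec.partition(":")
    ip, _, bits = addr_part.partition("/")
    net = ipaddress.ip_network(f"{ip}/{bits or 32}", strict=False)
    port = port_bits = 0
    if port_part:
        p, _, pb = port_part.partition("/")
        port, port_bits = int(p), int(pb or 0)
    return net, port, port_bits

def matches(spec: str, ip: str, port: int) -> bool:
    """True when ip:port falls inside the spec's address and port masks."""
    net, spec_port, port_bits = parse_address_spec(spec)
    if ipaddress.ip_address(ip) not in net:
        return False
    if spec_port == 0:            # assumption: no port in spec means any port
        return True
    if port_bits == 0:            # unset or 0: exact port number
        return port == spec_port
    mask = (0xFFFF << (16 - port_bits)) & 0xFFFF   # assumption: prefix-style port mask
    return (port & mask) == (spec_port & mask)

def should_demote(invalid_per_window, threshold: int, trust_level: str) -> bool:
    """Two-window rule: current + previous tolerance-window counts must exceed
    the threshold. Only low/medium hosts are demoted; threshold 0 disables."""
    if threshold == 0 or trust_level not in ("low", "medium"):
        return False
    cur = invalid_per_window[-1]
    prev = invalid_per_window[-2] if len(invalid_per_window) > 1 else 0
    return cur + prev > threshold

def entry_warnings(entry: dict) -> list:
    """Flag an entry whose application-protocol is none but whose
    destination-address is still the 0.0.0.0 default (matches nothing useful)."""
    warnings = []
    proto = entry.get("application-protocol", "none").lower()
    dst = entry.get("destination-address", "0.0.0.0")
    if proto == "none" and dst.split(":")[0].split("/")[0] == "0.0.0.0":
        warnings.append("application-protocol none with default destination-address")
    return warnings
```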