System Access Control

You can configure a system access control list (ACL) for your Oracle® Enterprise Session Border Controller that determines what traffic the Oracle® Enterprise Session Border Controller allows over its management interface (wancom0). By specifying who has access to the Oracle® Enterprise Session Border Controller via the management interface, you can provide DoS protection for this interface.

Using a list of IP addresses and subnets that are allowable as packet sources, you can configure what traffic the Oracle® Enterprise Session Border Controller accepts and what it denies. All IP packets arriving on the management interface are subject to this check; if a packet does not match an entry in your system ACL configuration, the Oracle® Enterprise Session Border Controller drops it.

Note:

All IP addresses configured in the SNMP community table are automatically permitted.

Adding an ACL for the Management Interface

The new subconfiguration system-access-list is now part of the system configuration, and its model is similar to host routes. For each entry, you must define an IP destination address and mask; you can specify either the individual host or a unique subnet.

If you do not configure this list, then there will be no ACL/DoS protection for the Oracle® Enterprise Session Border Controller’s management interface.

You access the system-access-list via the system path, where you set an IP address and netmask. You can configure multiple system ACL entries using this configuration.

To add an ACL for the management interface:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type system and press Enter to access the signaling-level configuration elements.
    ORACLE(configure)# system
    ORACLE(system)#
  3. Type system-access-list and press Enter.
    ORACLE(system)# system-access-list
    ORACLE(system-access-list)#
  4. source-address—Enter the IP address of the source network for which you want to allow traffic over the management interface.
  5. netmask—Enter the netmask portion of the source network for the traffic you want to allow. The netmask is in dotted decimal notation.

Notes on Deleting System ACLs

If you delete a system ACL entry from your configuration, the Oracle® Enterprise Session Border Controller checks whether any active SFTP or SSH client was granted access by the entry being removed. If such a client is active during ACL removal, the Oracle® Enterprise Session Border Controller warns you about the condition and asks you to confirm the deletion. If you confirm the deletion, the Oracle® Enterprise Session Border Controller’s session with the active client is suspended.

The following example shows how the warning message and confirmation appear. In this example, a system ACL entry has been deleted, and the user is activating the configuration that reflects the change.

ORACLE # activate-config
Object deleted will cause service disruption:
 system-access-list: identifier=172.30.0.24
 ** WARNING: Removal of this system-ACL entry will result
             in the lockout of a current SFTP client
Changes could affect service, continue (y/n) y
Activate-Config received, processing.
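As an added example (not code from the Oracle documentation), the following Python models both the permit/drop rule for the management interface described above and the lockout check that activate-config performs when an entry is deleted. The ACL entries, SNMP community hosts, active SSH/SFTP clients and the functions wancom0_permits and lockout_on_removal are constructed assumptions for illustration, not anything the device exposes.

```python
import ipaddress

# Constructed sample data: ACL entries as the text describes them (source-address
# plus dotted-decimal netmask), SNMP community hosts (automatically permitted)
# and the addresses of management clients currently connected over SSH/SFTP.
SYSTEM_ACL = [("172.30.0.24", "255.255.255.255"),   # a single management host
              ("10.1.20.0", "255.255.255.0")]        # a management subnet
SNMP_COMMUNITY_HOSTS = ["10.1.30.5"]
ACTIVE_CLIENTS = {"ssh": ["10.1.20.77"], "sftp": ["172.30.0.24"]}


def acl_networks(entries):
    """Turn (source-address, netmask) pairs into network objects."""
    return [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in entries]


def wancom0_permits(src, entries, snmp_hosts=()):
    """Decide whether a packet from src is accepted on the management interface.

    Rules from the text: an empty list means no filtering at all; SNMP community
    addresses are always permitted; otherwise the source must fall inside one
    configured entry or the packet is dropped.
    """
    if not entries:
        return True
    ip = ipaddress.ip_address(src)
    if ip in {ipaddress.ip_address(h) for h in snmp_hosts}:
        return True
    return any(ip in net for net in acl_networks(entries))


def lockout_on_removal(entry, entries, active_clients):
    """Return the active SSH/SFTP clients that would lose access if `entry`
    were deleted, mirroring the warning activate-config prints in the text."""
    remaining = [e for e in entries if e != entry]
    locked = []
    for proto, clients in active_clients.items():
        for client in clients:
            if wancom0_permits(client, entries) and not wancom0_permits(client, remaining):
                locked.append((proto, client))
    return locked


if __name__ == "__main__":
    for src in ["172.30.0.24", "10.1.20.77", "10.1.30.5", "192.0.2.9"]:
        verdict = "permit" if wancom0_permits(src, SYSTEM_ACL, SNMP_COMMUNITY_HOSTS) else "drop"
        print(f"{src:>14}: {verdict}")
    doomed = ("172.30.0.24", "255.255.255.255")
    for proto, client in lockout_on_removal(doomed, SYSTEM_ACL, ACTIVE_CLIENTS):
        print(f"WARNING: removing {doomed[0]} locks out the current {proto.upper()} client {client}")
```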