Configuring Static Flows

This section explains how to configure static flows. It also provides sample configurations for your reference. You can configure static flows with or without NAT ALG. If you configure static flows with NAT ALG, you can choose NAPT or TFTP as the ALG type.

Basic Static Flow Configuration Overview

This section outlines the basic static flow configuration, without NAT ALG. You configure static flows by specifying ingress traffic criteria followed by egress re-sourcing criteria.

When configuring static flows, the following conventions are used:

  • An address of 0.0.0.0 matches all addresses. This token is used as the wildcard for both IPv4 and IPv6 static flows.
  • Enclose the address portion of an IPv6 address in brackets: [7777::11]/64:5000
  • Not specifying a port implies all ports.
  • Not specifying a subnet mask implies a /32, matching for all 32 bits of the IPv4 address, or a /128, matching for all 128 bits of the IPv6 address.
  1. Set the static flows’ incoming traffic-matching criteria. First set the ingress realm where you expect to receive traffic that will be routed via a static flow. Second, set the traffic’s source IP address, source subnet, and source port or port range criteria. Third, set the traffic’s destination IP address, destination subnet, and destination port criteria. This is usually an external address on the Oracle® Enterprise Session Border Controller.
  2. Set the criteria that describe how traffic should be translated on the egress side of the Oracle® Enterprise Session Border Controller. First set the egress realm where you want to send the traffic to be routed by this static flow. Second, set the traffic’s source IP address, source subnet, and source port or port range criteria. This is usually an external address on the Oracle® Enterprise Session Border Controller. Third, set the traffic’s destination IP address, destination subnet, and destination port criteria.
  3. Set the protocol this static flow entry acts upon. This type of packet, as the payload of the IP packet, remains untouched as traffic leaves the Oracle® Enterprise Session Border Controller. Specifying a Layer 4 protocol here adds another criterion to filter against for this static flow.

    The combination of entries in the ingress realm, ingress source address, ingress destination address, and protocol fields must be unique. For bidirectional traffic, you need to define a separate static flow in the opposite direction.
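The address conventions listed above can be checked mechanically before a flow is committed. The following Python sketch is an added example, not Oracle code: the function names are hypothetical, and the `address/mask:port` layout for IPv4 is assumed by analogy with the bracketed IPv6 form shown above.

```python
import ipaddress
import re

# <ipv4> or [<ipv6>], then optional /mask, then optional :port
TOKEN = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3}))"
    r"(?:/(?P<mask>\d{1,3}))?(?::(?P<port>\d{1,5}))?$"
)

def parse_flow_address(token):
    """Expand a static-flow address token into network, wildcard flag and port."""
    m = TOKEN.match(token.strip())
    if not m:
        raise ValueError(f"not a static-flow address: {token!r}")
    addr = m["v6"] or m["v4"]
    ip = ipaddress.ip_address(addr)            # rejects malformed addresses
    # No mask implies /32 (IPv4) or /128 (IPv6).
    mask = int(m["mask"]) if m["mask"] else ip.max_prefixlen
    network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    port = int(m["port"]) if m["port"] else 0
    if port > 65535:
        raise ValueError(f"port out of range: {token!r}")
    return {
        "network": network,
        "any_address": addr == "0.0.0.0",      # wildcard for IPv4 and IPv6
        "port": port or None,                  # None: no port or port 0, all ports
    }

def matches(token, ip, port):
    """True if a packet address and port fall inside the criteria in token."""
    spec = parse_flow_address(token)
    addr_ok = spec["any_address"] or ipaddress.ip_address(ip) in spec["network"]
    port_ok = spec["port"] is None or spec["port"] == port
    return addr_ok and port_ok
```

Running candidate in-source values through `matches` shows how wide a criterion really is; a bare 0.0.0.0 accepts every source address and port in both address families.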

Static Flow Configuration

This section describes how to configure the static-flow element using the ACLI.

The ingress IP address criteria are set first. These parameters are applicable to traffic entering the ingress side of the Oracle® Enterprise Session Border Controller.

  • in-realm-id—The access realm, where endpoints are located.
  • in-source—The source network in the access realm where the endpoints exist. This parameter is entered as an IP address and netmask in slash notation to indicate a range of possible IP addresses.
  • in-destination—The IP address and port pair where the endpoints send their traffic. This is usually the IP address and port on an Oracle® Enterprise Session Border Controller interface that faces the access realm.

The egress IP address criteria are entered next. These parameters determine how traffic is re-sourced as it leaves the Oracle® Enterprise Session Border Controller and enters the backbone network.

  • out-realm-id—The backbone realm, where servers are located.
  • out-source—The IP address on the interface of the Oracle® Enterprise Session Border Controller where traffic exits the Oracle® Enterprise Session Border Controller into the backbone realm. Do not enter a port for this parameter.
  • out-destination—The IP address and port pair destination of the traffic. This is usually a server in the backbone realm.
  • protocol—The protocol associated with the static flow. The protocol you choose must match the protocol in the IPv4 header. Valid entries are TCP, UDP, ICMP, ALL.

The type of NAT ALG, if any.

  • alg-type—The type of NAT ALG. Set this to NAPT, TFTP, or none.

The port range is set next. The NAT ALG uses this range to re-source ports as the traffic it affects exits the egress side of the Oracle® Enterprise Session Border Controller. (Not applicable if alg-type is set to none.)

  • start-port—The starting port the NAT ALG uses as it re-sources traffic on the egress side of the Oracle® Enterprise Session Border Controller.
  • end-port—The ending port the NAT ALG uses as it re-sources traffic on the egress side of the Oracle® Enterprise Session Border Controller.

The flow timers are set next. (Not applicable if alg-type is set to none.)

  • flow-time-limit—Total session time limit in seconds. The default is 0; no limit.

    Note: The static flow-time-limit must have a value larger than initial-guard-timer and subsq-guard-timer for static flows.
  • initial-guard-timer—Initial flow guard timer for an ALG dynamic flow in seconds. The default is 0; no limit.
  • subsq-guard-timer—Subsequent flow guard timer for an ALG dynamic flow in seconds. The default is 0; no limit.

Finally, you can set the optional bandwidth policing parameter for static flows (with or without NAT ALG applied).

  • average-rate-limit—Sustained rate limit in bytes per second for the static flow and any dynamic ALG flows. The default is 0; no limit.

    To configure a static flow:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type media-manager and press Enter to access the media-manager path.
    ORACLE(configure)# media-manager
  3. Type static-flow and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
    ORACLE(media-manager)# static-flow

    From this point, you can configure media policing parameters.

  4. in-realm-id—Enter the ingress realm or interface source of packets to match for static flow translation. This in-realm-id field value must correspond to a valid identifier field entry in a realm-config. This is a required field. Entries in this field must follow the Name Format.
  5. in-source—Enter the incoming source IP address and port of packets to match for static flow translation. IP address of 0.0.0.0 matches any source address. Port 0 matches packets received on any port. The port value has no impact on system operation if either ICMP or ALL is the selected protocol. This parameter takes the format:

    in-source <ip-address>[:<port>]

    The default value is 0.0.0.0. The valid port range is:

    • Minimum—0

    • Maximum—65535

  6. in-destination—Enter the incoming destination IP address and port of packets to match for static-flow translation. An IP address of 0.0.0.0 matches any source address. Port 0 matches packets received on any port. The port value has no impact on system operation if either ICMP or ALL is the selected protocol. This parameter takes the format:

    in-destination <ip-address>[:<port>]

    The default value is 0.0.0.0. The valid port range is:

    • Minimum—0

    • Maximum—65535

  7. out-realm-id—Enter the defined realm where traffic leaving this NAT ALG exits the Oracle® Enterprise Session Border Controller.
  8. out-source—Enter the egress IPv4 address. This is the IPv4 address of the network interface where traffic subject to the NAT ALG you are defining leaves the Oracle® Enterprise Session Border Controller. Do not enter a port number for this parameter. The default value is 0.0.0.0.
  9. out-destination—Enter the IPv4 address and port number of the server or other destination to which traffic is directed. The default value is 0.0.0.0. The valid port range is:
    • Minimum—0

    • Maximum—65535

  10. protocol—Enter the protocol this NAPT ALG acts upon. The default value is UDP. The valid values are:
    • TCP | UDP | ICMP | ALL

  11. alg-type—Enter the type of NAT ALG to use. The default value is none. The valid values are:
    • none—No dynamic ALG functionality

    • NAPT—Configure as NAPT ALG

    • TFTP—Configure as TFTP ALG

  12. start-port—Enter the beginning port number of the port range that the Oracle® Enterprise Session Border Controller allocates on the egress side for flows that this NAPT ALG redirects. The default value is 0. The valid range is:
    • Minimum—0, 1025

    • Maximum—65535

  13. end-port—Enter the ending port number of the port range that the Oracle® Enterprise Session Border Controller allocates on the egress side for flows that this NAPT ALG redirects. The default value is 0. The valid range is:
    • Minimum—0, 1025

    • Maximum—65535

  14. flow-time-limit—Enter the total time limit for a flow in seconds. A value of 0 means there is no limit. The valid range is:
    • Minimum—0

    • Maximum—999999999

  15. initial-guard-timer—Enter the initial guard timer value in seconds. A value of 0 means there is no limit. The valid range is:
    • Minimum—0

    • Maximum—999999999

  16. subsq-guard-timer—Enter the subsequent guard timer value in seconds. A value of 0 means there is no limit. The valid range is:
    • Minimum—0

    • Maximum—999999999

  17. average-rate-limit—Enter a maximum sustained rate limit in bytes per second. The default value is 0; no limit. The valid range is:
    • Minimum—0

    • Maximum—125000000

      The following example shows a static-flow configuration element configured for a NAPT ALG.

              in-realm-id                    access
              in-source                      172.16.0.0/16
              in-destination                 172.16.1.16:23
              out-realm-id                   backbone
              out-source                     192.168.24.16
              out-destination                192.168.24.95:23
              protocol                       TCP
              alg-type                       NAPT
              start-port                     11000
              end-port                       11999
              flow-time-limit                0
              initial-guard-timer            60
              subsq-guard-timer              60
              average-rate-limit             0

Example Configuration: Bidirectional Static Flows

The configuration lines below present the configuration of two example static flows to be used for ICMP to a specific host through the Oracle® Enterprise Session Border Controller.

The following lines present the example configuration for the access to core side.

static-flow
in-realm-id access
description
in-source 0.0.0.0
in-destination 10.1.215.63
out-realm-id core
out-source 10.2.214.63
out-destination 10.2.214.51
protocol ICMP
alg-type none
start-port 0
end-port 0
flow-time-limit 0
initial-guard-timer 60
subsq-guard-timer 60
average-rate-limit 0

The following lines present the example configuration for the core to access side.

static-flow
in-realm-id core
description
in-source 10.2.214.51
in-destination 10.2.214.63
out-realm-id access
out-source 10.1.215.63
out-destination 0.0.0.0
protocol ICMP
alg-type none
start-port 0
end-port 0
flow-time-limit 0
initial-guard-timer 60
subsq-guard-timer 60
average-rate-limit 0
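
Several rules stated in the sections above lend themselves to an automated review of exported static-flow elements: the uniqueness of the ingress match criteria, the absence of a port on out-source, the flow-time-limit note, and the need for a second flow in the opposite direction. The Python sketch below is an added example, not Oracle code. Its function names are hypothetical, it assumes a flow-time-limit of 0 (no limit) is exempt from the timer rule, and it compares the opposite-direction fields as exact strings, which holds for port-less flows such as the ICMP pair above.

```python
def parse_static_flows(text):
    """Split text in the layout of the examples above into one dict per static-flow."""
    flows = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0] == "static-flow":
            flows.append({})
        elif parts and flows:
            flows[-1][parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return flows

def lint(flows):
    """Return (flow number, finding) pairs for the rules stated on this page."""
    findings, seen = [], {}
    for n, f in enumerate(flows, 1):
        key = tuple(f.get(k) for k in
                    ("in-realm-id", "in-source", "in-destination", "protocol"))
        if key in seen:
            findings.append((n, f"match criteria duplicate flow {seen[key]}"))
        seen.setdefault(key, n)
        # A port follows the last ':' outside the brackets of an IPv6 address.
        if ":" in f.get("out-source", "").rsplit("]", 1)[-1]:
            findings.append((n, "out-source carries a port"))
        if f.get("alg-type", "none").lower() != "none":
            limit = int(f.get("flow-time-limit", 0))
            guard = max(int(f.get(k, 0))
                        for k in ("initial-guard-timer", "subsq-guard-timer"))
            if limit and limit <= guard:  # assumption: 0 (no limit) is exempt
                findings.append((n, "flow-time-limit not larger than guard timers"))
        else:
            mirror = {"in-realm-id": f.get("out-realm-id"), "in-source": f.get("out-destination"),
                      "in-destination": f.get("out-source"), "out-realm-id": f.get("in-realm-id"),
                      "protocol": f.get("protocol")}
            if not any(all(g.get(k) == v for k, v in mirror.items()) for g in flows):
                findings.append((n, "no static flow in the opposite direction"))
    return findings

# Constructed sample: the page's two ICMP flows, then a deliberately broken NAPT
# flow and a one-way ICMP flow whose match criteria repeat flow 1.
SAMPLE = (
    "static-flow;in-realm-id access;in-source 0.0.0.0;in-destination 10.1.215.63;"
    "out-realm-id core;out-source 10.2.214.63;out-destination 10.2.214.51;protocol ICMP;alg-type none;"
    "static-flow;in-realm-id core;in-source 10.2.214.51;in-destination 10.2.214.63;"
    "out-realm-id access;out-source 10.1.215.63;out-destination 0.0.0.0;protocol ICMP;alg-type none;"
    "static-flow;in-realm-id access;in-source 172.16.0.0/16;in-destination 172.16.1.16:23;"
    "out-realm-id backbone;out-source 192.168.24.16:23;out-destination 192.168.24.95:23;protocol TCP;"
    "alg-type NAPT;flow-time-limit 30;initial-guard-timer 60;subsq-guard-timer 60;"
    "static-flow;in-realm-id access;in-source 0.0.0.0;in-destination 10.1.215.63;"
    "out-realm-id core;out-source 10.2.214.63;out-destination 10.2.214.99;protocol ICMP;alg-type none;"
).replace(";", "\n")
```

Calling `lint(parse_static_flows(SAMPLE))` reports nothing for the page's bidirectional ICMP pair and flags only the two constructed flows.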