Configuring Static Flows
This section explains how to configure static flows. It also provides sample configurations for your reference. You can configure static flows with or without NAT ALG. If you configure static flows with NAT ALG, you can choose NAPT or TFTP as the ALG type.
Basic Static Flow Configuration Overview
This section outlines the basic static flow configuration, without NAT ALG. You configure static flows by specifying ingress traffic criteria followed by egress re-sourcing criteria.
When configuring static flows, the following conventions are used:
- An address of 0.0.0.0 matches all addresses. This token is used as the wildcard for both IPv4 and IPv6 static flows.
- Enclose the address portion of an IPv6 address in brackets:
[7777::11]/64:5000
- Not specifying a port implies all ports.
- Not specifying a subnet mask implies a /32, matching all 32 bits of the IPv4 address, or a /128, matching all 128 bits of the IPv6 address.
Static Flow Configuration
This section describes how to configure the static-flow element using the ACLI.
The ingress IP address criteria are set first. These parameters apply to traffic entering the ingress side of the Oracle® Enterprise Session Border Controller.
- in-realm-id—The access realm, where endpoints are located.
- in-source—The source network in the access realm where the endpoints exist. This parameter is entered as an IP address and netmask in slash notation to indicate a range of possible IP addresses.
- in-destination—The IP address and port pair where the endpoints send their traffic. This is usually the IP address and port on an Oracle® Enterprise Session Border Controller interface that faces the access realm.
The egress IP address criteria are entered next. These parameters determine how traffic is re-sourced as it leaves the Oracle® Enterprise Session Border Controller and enters the backbone network.
- out-realm-id—The backbone realm, where servers are located.
- out-source—The IP address on the interface of the Oracle® Enterprise Session Border Controller where traffic exits the Oracle® Enterprise Session Border Controller into the backbone realm. Do not enter a port for this parameter.
- out-destination—The IP address and port pair destination of the traffic. This is usually a server in the backbone realm.
- protocol—The protocol associated with the static flow. The protocol you choose must match the protocol in the IPv4 header. Valid entries are TCP, UDP, ICMP, ALL.
The type of NAT ALG, if any, is set next.
- alg-type—The type of NAT ALG. Set this to NAPT, TFTP, or none.
The port range used to re-source traffic affected by the NAT ALG as it exits the egress side of the Oracle® Enterprise Session Border Controller is set next. (Not applicable if alg-type is set to none.)
- start-port—The starting port the NAT ALG uses as it re-sources traffic on the egress side of the Oracle® Enterprise Session Border Controller.
- end-port—The ending port the NAT ALG uses as it re-sources traffic on the egress side of the Oracle® Enterprise Session Border Controller.
The flow timers are set next. (Not applicable if alg-type is set to none.)
- flow-time-limit—Total session time limit in seconds. The default is 0; no limit.
Note:
The static flow-time-limit must have a value larger than initial-guard-timer and subsq-guard-timer for static flows.
- initial-guard-timer—Initial flow guard timer for an ALG dynamic flow in seconds. The default is 0; no limit.
- subsq-guard-timer—Subsequent flow guard timer for an ALG dynamic flow in seconds. The default is 0; no limit.
Finally, you can set the optional bandwidth policing parameter for static flows (with or without NAT ALG applied).
- average-rate-limit—Sustained rate limit in bytes per second for the static flow and any dynamic ALG flows. The default is 0; no limit.
To configure static flow:
Example Configuration: Bidirectional Static Flows
The configuration lines below present the configuration of two example static flows to be used for ICMP to a specific host through the Oracle® Enterprise Session Border Controller.
The following lines present the example configuration for the access to core side.
static-flow
in-realm-id access
description
in-source 0.0.0.0
in-destination 10.1.215.63
out-realm-id core
out-source 10.2.214.63
out-destination 10.2.214.51
protocol ICMP
alg-type none
start-port 0
end-port 0
flow-time-limit 0
initial-guard-timer 60
subsq-guard-timer 60
average-rate-limit 0
The following lines present the example configuration for the core to access side.
static-flow
in-realm-id core
description
in-source 10.2.214.51
in-destination 10.2.214.63
out-realm-id access
out-source 10.1.215.63
out-destination 0.0.0.0
protocol ICMP
alg-type none
start-port 0
end-port 0
flow-time-limit 0
initial-guard-timer 60
subsq-guard-timer 60
average-rate-limit 0
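The addressing conventions and parameter constraints described in this section can be checked mechanically before a static flow is committed. The following Python linter is an added example, not Oracle code: parse_addr, parse_flows and lint are hypothetical helpers, the sample flow is constructed, and treating a flow-time-limit of 0 (no limit) as exempt from the timer rule is an assumption.

```python
import ipaddress
import re

# address[/mask][:port]; IPv6 address portion in brackets, e.g. [7777::11]/64:5000
ADDR_RE = re.compile(r"^(?:\[([^\]]+)\]|([\d.]+))(?:/(\d+))?(?::(\d+))?$")

def parse_addr(text):
    """Return (network, port): network None = 0.0.0.0 wildcard, port None = all ports."""
    m = ADDR_RE.match(text)
    if not m:
        raise ValueError(f"bad address {text!r}")
    host, port = m[1] or m[2], int(m[4]) if m[4] else None
    if host == "0.0.0.0":
        return None, port
    mask = m[3] or ipaddress.ip_address(host).max_prefixlen  # default /32 or /128
    return ipaddress.ip_network(f"{host}/{mask}", strict=False), port

def parse_flows(text):
    """Split ACLI-style text into one dict per static-flow element."""
    flows = []
    for key, _, value in (ln.strip().partition(" ") for ln in text.splitlines()):
        if key == "static-flow":
            flows.append({})
        elif key and flows:
            flows[-1][key] = value.strip()
    return flows

def lint(flow):
    """Return findings for one flow, using only rules stated in the text above."""
    issues = []
    for key in ("in-source", "in-destination", "out-source", "out-destination"):
        try:
            if parse_addr(flow.get(key, ""))[1] is not None and key == "out-source":
                issues.append("out-source: must not include a port")
        except ValueError as exc:
            issues.append(f"{key}: {exc}")
    if flow.get("protocol", "").upper() not in {"TCP", "UDP", "ICMP", "ALL"}:
        issues.append("protocol: must be TCP, UDP, ICMP or ALL")
    if flow.get("alg-type", "none").lower() in ("napt", "tftp"):  # timers need an ALG
        limit, *guards = (int(flow.get(k, 0)) for k in
                          ("flow-time-limit", "initial-guard-timer", "subsq-guard-timer"))
        if limit and limit <= max(guards):  # assumption: 0 (no limit) is exempt
            issues.append("flow-time-limit: must exceed both guard timers")
    return issues

# Constructed sample (not from the page): port on out-source, limit below the timers.
SAMPLE = ("static-flow\n in-source 172.16.0.0/16\n in-destination 10.1.215.63:69\n"
          " out-source 10.2.214.63:69\n out-destination 10.2.214.51:69\n protocol UDP\n"
          " alg-type TFTP\n flow-time-limit 30\n initial-guard-timer 60\n subsq-guard-timer 60")
print(lint(parse_flows(SAMPLE)[0]))
```

Both example flows shown above pass this check with no findings; the constructed sample is reported for the port on out-source and for a flow-time-limit below the guard timers.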