access-control

The access-control configuration element is used to manually create ACLs for the host path in the Oracle Communications Session Border Controller.

Note:

This configuration element is not RTC supported.

Parameters

realm-id
Enter the ingress realm of the host-bound traffic to which this ACL applies.
description
Provide a brief description of the access-control configuration element
destination-address
Enter the destination address, net mask, port number, and port mask to specify traffic matching for this ACL. Not specifying a port mask implies an exact source port. Not specifying an address mask implies an exact IP address. This parameter is entered in the following format: <ip-address>[/<num-bits>] [:<port>][/<port-bits>]
  • Default: 0.0.0.0
An IPv6 address is valid for this parameter.
source-address
Enter the source address, net mask, port number, and port mask to specify traffic matching for this ACL. Not specifying a port mask implies an exact source port. Not specifying an address mask implies an exact IP address. This parameter is entered in the following format: <ip-address>[/<num-bits>] [:<port>][/<port-bits>]
  • Default: 0.0.0.0
An IPv6 address is valid for this parameter.
application-protocol
Select the application-layer protocol configured for this ACL entry
  • Values: SIP | H323 | MGCP | DIAMETER | NONE

    Note:

    If application-protocol is set to none, the destination-address and port will be used. Ensure that your destination-address is set to a value other than the default (0.0.0.0).
transport-protocol
Select the transport-layer protocol configured for this ACL entry
  • Default: ALL
  • Values: ALL | TCP | UDP
access
Select the access control type for this entry
  • Default: permit
  • Values:
    • permit—Puts the entry in trusted or untrusted list depending on the trust-level parameter. This gets promoted and demoted according to the trust level configured for the host.
    • deny—Puts this entry in the deny list.
average-rate-limit
Enter the allowed sustained rate in bytes per second for host path traffic from a trusted source within the realm. A value of 0 disables the policing.
  • Default: 0
  • Values: Min: 0 / Max: 999999999
trust-level
Select the trust level for the host
  • Default: None
  • Values:
    • none—Hosts always remain untrusted. They are never promoted to the trusted list and never demoted to the deny list.
    • low—Hosts can be promoted to trusted-list or can get demoted to deny-list
    • medium—Hosts can get promoted to trusted, but can only get demoted to untrusted. Hosts will never be put in deny-list.
    • high—Hosts always remain trusted
minimum-reserved-bandwidth
Enter the minimum reserved bandwidth in bytes per second that you want for the session agent, which will trigger the creation of a separate pipe for it. This parameter is only valid when the trust-level parameter is set to high. Only a non-zero value will allow the feature to work properly.
  • Default: 0
  • Values: Min: 0 / Max: 4294967295
invalid-signal-threshold
Enter the rate of signaling messages per second to be exceeded within the tolerance-window that causes a demotion event. This parameter is only valid when trust-level is configured as low or medium. A value of 0 means no threshold.
  • Default: 0
  • Values: Min: 0 / Max: 999999999
maximum-signal-threshold
Enter the maximum number of signaling messages per second that one host can send within the tolerance-window. The host will be demoted if the Oracle Communications Session Border Controller receives more messages than the configured number. This parameter is only valid when trust-level is configured as low or medium. A value of 0 means no threshold.
  • Default: 0
  • Values: Min: 0 / Max: 999999999
untrusted-signal-threshold
Enter the maximum number of signaling messages from untrusted sources allowed within the tolerance window.
  • Default: 0
  • Values: Min: 0 / Max: 999999999
deny-period
Enter the time period in seconds a deny-listed or deny entry is blocked by this ACL. The host is taken out of deny-list after this time period elapses.
  • Default: 30
  • Values: Min: 0 / Max: 999999999

nat-trust-threshold
Enter the maximum number of denied endpoints that causes the NAT device they are behind to be set to denied. A value of 0 means dynamic demotion of NAT devices is disabled.
  • Default: 0
  • Values: Min: 0 / Max: 65535
max-endpoints-per-nat
Maximum number of endpoints that can exist behind a NAT before demoting the NAT device.
  • Default: 0 (disabled)
  • Values: Min: 0 / Max: 65535
cac-failure-threshold
Enter the number of CAC failures for any single endpoint that will demote it from the trusted queue to the untrusted queue.
  • Default: 0
  • Values: Min: 0 / Max: 4294967295
untrust-cac-failure-threshold
Enter the number of CAC failures for any single endpoint that will demote it from the untrusted queue to the denied queue.
  • Default: 0
  • Values: Min: 0 / Max: 4294967295
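
One way to check an entry against the ranges and cross-parameter constraints stated in the parameter list above before applying it. This is an added example, not Oracle's code: entries are assumed to be plain Python dicts keyed by parameter name, and lint_acl is a hypothetical helper.

```python
# Added example; the dict-per-entry representation is an assumption.
DEFAULT_ADDR = "0.0.0.0"
RANGES = {  # inclusive Min/Max values from the parameter list
    "average-rate-limit": (0, 999999999),
    "minimum-reserved-bandwidth": (0, 4294967295),
    "invalid-signal-threshold": (0, 999999999),
    "maximum-signal-threshold": (0, 999999999),
    "untrusted-signal-threshold": (0, 999999999),
    "deny-period": (0, 999999999),
    "nat-trust-threshold": (0, 65535),
    "max-endpoints-per-nat": (0, 65535),
    "cac-failure-threshold": (0, 4294967295),
    "untrust-cac-failure-threshold": (0, 4294967295),
}
TRUST_LEVELS = ("none", "low", "medium", "high")

def lint_acl(entry):
    """Return a list of findings for one access-control entry."""
    findings = []
    trust = str(entry.get("trust-level", "none")).lower()
    if trust not in TRUST_LEVELS:
        findings.append(f"trust-level: unknown value {trust!r}")
    for name, (lo, hi) in RANGES.items():
        value = entry.get(name, 0)
        if not isinstance(value, int) or not lo <= value <= hi:
            findings.append(f"{name}: {value!r} outside {lo}..{hi}")
    # NONE matches on destination-address/port; the default must be replaced.
    proto = str(entry.get("application-protocol", "")).upper()
    dest = entry.get("destination-address", DEFAULT_ADDR)
    if proto == "NONE" and dest == DEFAULT_ADDR:
        findings.append("destination-address: still default with protocol NONE")
    # minimum-reserved-bandwidth is only valid with trust-level high.
    if entry.get("minimum-reserved-bandwidth", 0) and trust != "high":
        findings.append("minimum-reserved-bandwidth: needs trust-level high")
    # These two thresholds are only valid with trust-level low or medium.
    for name in ("invalid-signal-threshold", "maximum-signal-threshold"):
        if entry.get(name, 0) and trust not in ("low", "medium"):
            findings.append(f"{name}: needs trust-level low or medium")
    return findings

# Constructed sample entries (not taken from a real device).
GOOD = {"realm-id": "access", "source-address": "192.0.2.0/24",
        "application-protocol": "SIP", "trust-level": "low",
        "invalid-signal-threshold": 5, "maximum-signal-threshold": 200}
BAD = {"realm-id": "access", "application-protocol": "NONE",
       "trust-level": "none", "maximum-signal-threshold": 100,
       "minimum-reserved-bandwidth": 8000}
if __name__ == "__main__":
    print(lint_acl(GOOD) or "ok", lint_acl(BAD), sep="\n")
```

An empty list means the entry is consistent with the constraints documented here; it says nothing about whether the ACL matches the intended traffic.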

Path

access-control is an element of the session-router path. The full path from the topmost ACLI prompt is: configure terminal, and then session-router, and then access-control.

Note:

This is a multiple instance configuration element.