access-control
The access-control configuration element
is used to manually create ACLs for the host path in the Oracle Communications Session Border Controller.
Note:
This configuration element is not RTC supported.
Parameters
- realm-id
- Enter the ingress realm of traffic destined to host to apply this ACL
- description
- Provide a brief description of the access-control configuration element
- destination-address
- Enter the destination address, net mask, port number, and port
mask to specify traffic matching for this ACL. Not specifying a port mask
implies an exact destination port. Not specifying an address mask implies an
exact IP address. This parameter is entered in the following format:
<ip-address>[/<num-bits>] [:<port>][/<port-bits>]
- Default: 0.0.0.0
- source-address
- Enter the source address, net mask, port number, and port mask
to specify traffic matching for this ACL. Not specifying a port mask implies
an exact source port. Not specifying an address mask implies an exact IP
address. This parameter is entered in the following format:
<ip-address>[/<num-bits>] [:<port>][/<port-bits>]
- Default: 0.0.0.0
- application-protocol
- Select the application-layer protocol configured for this ACL
entry
- Values: SIP | H323 | MGCP | DIAMETER | NONE
Note:
If application-protocol is set to NONE, the entry is matched on the destination-address and port instead. Ensure that destination-address is set to a non-default value (that is, not 0.0.0.0).
- transport-protocol
- Select the transport-layer protocol configured for this ACL
entry
- Default: ALL
- Values: UDP | TCP | SCTP | ALL
- access
- Select the access control type for this entry
- Default: permit
- Values:
- permit—Puts the entry in the trusted or untrusted list depending on the trust-level parameter. The host is then promoted and demoted according to the trust level configured for it.
- deny—Puts this entry in the deny list.
- average-rate-limit
- On hardware platforms other than the Acme Packet 1100 and the Acme Packet 3900, enter the allowed sustained rate in bytes per second for host path traffic from a trusted source within the realm. A value of 0 disables the policing.
- Default: 0
- Values: Min: 0 / Max: 4294967295
- On virtual platforms, enter the allowed sustained rate as a percentage of the maximum signaling rate for host path traffic from a trusted source within the realm. A value of 0 disables the policing.
- Default: 0
- Values: Min: 0 / Max: 100
- trust-level
- Select the trust level for the host
- Default: none
- Values:
- none—Hosts always remain untrusted; they are never promoted to the trusted list and never demoted to the deny list.
- low—Hosts can be promoted to the trusted list or demoted to the deny list.
- medium—Hosts can be promoted to the trusted list, but can only be demoted to untrusted. Hosts are never put in the deny list.
- high—Hosts always remain trusted.
- minimum-reserved-bandwidth
- Enter the minimum reserved bandwidth in bytes per second that
you want for the session agent, which will trigger the creation of a
separate pipe for it. This parameter is only valid when the trust-level
parameter is set to high. Only a non-zero value will allow the feature to
work properly.
- Default: 0
- Values: Min: 0 / Max: 4294967295
- invalid-signal-threshold
- Enter the rate of signaling messages per second that, when exceeded
within the tolerance-window, causes a demotion event. This parameter is
only valid when trust-level is configured as low or medium. A value of 0
means no threshold.
- Default: 0
- Values: Min: 0 / Max: 4294967295
- maximum-signal-threshold
- Enter the maximum number of signaling messages per second that
one host can send within the tolerance-window. The host is demoted if
the Oracle Communications Session Border Controller receives more messages
than the configured number. This parameter is only valid when
trust-level is configured as low or medium. A value of 0 means no threshold.
- Default: 0
- Values: Min: 0 / Max: 4294967295
- untrusted-signal-threshold
- Enter the maximum number of signaling messages from untrusted
sources allowed within the tolerance window.
- Default: 0
- Values: Min: 0 / Max: 4294967295
- deny-period
- Enter the time period in seconds for which a deny-listed host or deny
entry is blocked by this ACL. The host is taken out of the deny list after
this period elapses.
- Default: 30
- Values: Min: 0 / Max: 4294967295
- nat-trust-threshold
- Enter the maximum number of denied endpoints behind a NAT device
before the NAT device itself is set to denied. 0 means dynamic demotion of
NAT devices is disabled.
- Default: 0
- Values: Min: 0 / Max: 65535
- max-endpoints-per-nat
- Enter the maximum number of endpoints that can exist behind a NAT
before the NAT device is demoted.
- Default: 0 (disabled)
- Values: Min: 0 / Max: 65535
- nat-invalid-message-threshold
- Enter the acceptable number of invalid messages from behind a
NAT.
- Default: 0
- Values: Min: 0 / Max: 65535
- cac-failure-threshold
- Enter the number of CAC failures for any single endpoint that
will demote it from the trusted queue to the untrusted queue.
- Default: 0
- Values: Min: 0 / Max: 4294967295
- untrust-cac-failure-threshold
- Enter the number of CAC failures for any single endpoint that
will demote it from the untrusted queue to the denied queue.
- Default: 0
- Values: Min: 0 / Max: 4294967295
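As an added example, not code from the Oracle documentation or from the Oracle Communications Session Border Controller itself, the following Python models the matching rules behind the source-address and destination-address format (`<ip-address>[/<num-bits>] [:<port>][/<port-bits>]`) and the application-protocol note about NONE with the default destination. Assumptions not stated on the page: the default 0.0.0.0 with no mask is a wildcard, the port mask is a count of leading bits of the 16-bit port, entries are evaluated in configured order with the first match winning, and a packet's application protocol is whatever the SBC classified it as. The class, function and packet field names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AddrSpec:
    """Parsed '<ip-address>[/<num-bits>] [:<port>][/<port-bits>]'."""
    network: ipaddress.IPv4Network
    port: Optional[int]   # None: no port given, any port matches
    port_bits: int        # leading bits of the 16-bit port that must match


def parse_addr_spec(text: str) -> AddrSpec:
    addr_part, _, port_part = text.strip().partition(":")
    addr_part = addr_part.strip()
    if "/" in addr_part:
        ip, bits = addr_part.split("/", 1)
        network = ipaddress.IPv4Network((ip.strip(), int(bits)), strict=False)
    elif addr_part == "0.0.0.0":
        # assumption: the documented default 0.0.0.0 without a mask is a wildcard
        network = ipaddress.IPv4Network("0.0.0.0/0")
    else:
        network = ipaddress.IPv4Network((addr_part, 32))   # no mask: exact address
    port_part = port_part.strip()
    if not port_part:
        return AddrSpec(network, None, 16)
    if "/" in port_part:
        p, pb = port_part.split("/", 1)
        port, port_bits = int(p), int(pb)
    else:
        port, port_bits = int(port_part), 16                # no port mask: exact port
    if not (0 <= port <= 65535 and 0 <= port_bits <= 16):
        raise ValueError(f"bad port specification: {port_part!r}")
    return AddrSpec(network, port, port_bits)


def spec_matches(spec: AddrSpec, ip: str, port: int) -> bool:
    if ipaddress.IPv4Address(ip) not in spec.network:
        return False
    if spec.port is None:
        return True
    mask = (0xFFFF << (16 - spec.port_bits)) & 0xFFFF
    return (port & mask) == (spec.port & mask)


@dataclass(frozen=True)
class AclEntry:
    realm_id: str
    source: AddrSpec
    destination: AddrSpec
    application_protocol: str = "NONE"   # SIP | H323 | MGCP | DIAMETER | NONE
    transport_protocol: str = "ALL"      # UDP | TCP | SCTP | ALL
    access: str = "permit"               # permit | deny


@dataclass(frozen=True)
class Packet:
    realm_id: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    transport: str
    application: str   # protocol the SBC classified the payload as (hypothetical field)


def entry_matches(e: AclEntry, p: Packet) -> bool:
    if e.realm_id != p.realm_id:
        return False
    if e.transport_protocol != "ALL" and e.transport_protocol != p.transport:
        return False
    if not spec_matches(e.source, p.src_ip, p.src_port):
        return False
    if e.application_protocol == "NONE":
        # NONE: the entry is defined only by destination address and port
        return spec_matches(e.destination, p.dst_ip, p.dst_port)
    return (e.application_protocol == p.application
            and spec_matches(e.destination, p.dst_ip, p.dst_port))


def lookup(acl: List[AclEntry], p: Packet) -> Optional[str]:
    """First matching entry decides (assumed order); None if nothing matches."""
    for e in acl:
        if entry_matches(e, p):
            return e.access
    return None


def demo_misconfiguration():
    """Constructed packets: a deny entry with application-protocol NONE and the
    default 0.0.0.0 destination blocks everything from the source, not just SIP."""
    sip = Packet("access", "192.0.2.10", 5060, "10.0.0.5", 5060, "UDP", "SIP")
    diameter = Packet("access", "192.0.2.10", 40000, "10.0.0.5", 3868, "TCP", "DIAMETER")
    src = parse_addr_spec("192.0.2.0/24")
    intended = [AclEntry("access", src, parse_addr_spec("10.0.0.5:5060"), "NONE", "ALL", "deny")]
    sloppy = [AclEntry("access", src, parse_addr_spec("0.0.0.0"), "NONE", "ALL", "deny")]
    return (lookup(intended, sip), lookup(intended, diameter),
            lookup(sloppy, sip), lookup(sloppy, diameter))
```

`demo_misconfiguration()` returns `("deny", None, "deny", "deny")`: the entry with a real destination denies only the SIP traffic it was written for, while the one left at the default destination denies the Diameter traffic as well.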
Path
access-control is an element of the session-router path. The full path from the topmost ACLI prompt is: .
Note:
This is a multiple instance configuration element.
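As an added example that is not Oracle's code, the following Python simulates the trust-level promotion and demotion rules, the invalid-signal, maximum-signal and CAC failure thresholds, and deny-period expiry for one host. Assumptions not stated on the page: the tolerance-window (a realm-level setting) is passed in as a parameter; a per-second threshold is compared against the message count over the window divided by the window length; a low or medium host starts untrusted and is promoted by an external event modeled as `promote()`; demotion moves one queue at a time (trusted to untrusted, untrusted to denied); a denied host returns to untrusted when deny-period elapses. Class and function names are hypothetical.

```python
from collections import deque
from dataclasses import dataclass, field

TRUSTED, UNTRUSTED, DENIED = "trusted", "untrusted", "denied"


@dataclass
class TrustPolicy:
    """The access-control parameters that drive promotion and demotion."""
    trust_level: str                        # none | low | medium | high
    invalid_signal_threshold: int = 0       # messages/s; 0 = no threshold
    maximum_signal_threshold: int = 0       # messages/s; 0 = no threshold
    cac_failure_threshold: int = 0          # trusted -> untrusted; 0 = no threshold
    untrust_cac_failure_threshold: int = 0  # untrusted -> denied; 0 = no threshold
    deny_period: int = 30                   # seconds in the deny list
    tolerance_window: int = 30              # seconds (realm-level setting, assumed)


@dataclass
class HostState:
    queue: str
    deny_until: float = 0.0
    signal_times: deque = field(default_factory=deque)
    invalid_times: deque = field(default_factory=deque)
    cac_failures: int = 0


def new_host(policy: TrustPolicy) -> HostState:
    # high is always trusted; none/low/medium start untrusted (assumption)
    return HostState(TRUSTED if policy.trust_level == "high" else UNTRUSTED)


def promote(policy: TrustPolicy, host: HostState) -> str:
    # only low and medium can be promoted; none never is, high already is
    if policy.trust_level in ("low", "medium") and host.queue == UNTRUSTED:
        host.queue = TRUSTED
        host.cac_failures = 0
    return host.queue


def demote(policy: TrustPolicy, host: HostState, now: float) -> str:
    """One demotion event, one queue at a time, under the trust-level rules."""
    host.cac_failures = 0
    level = policy.trust_level
    if level in ("none", "high"):       # none: never denied; high: always trusted
        return host.queue
    if host.queue == TRUSTED:
        host.queue = UNTRUSTED
    elif host.queue == UNTRUSTED and level == "low":
        host.queue = DENIED             # medium hosts are never put in the deny list
        host.deny_until = now + policy.deny_period
    return host.queue


def expire_deny(host: HostState, now: float) -> None:
    if host.queue == DENIED and now >= host.deny_until:
        host.queue = UNTRUSTED
        host.cac_failures = 0
        host.signal_times.clear()
        host.invalid_times.clear()


def _rate(times: deque, now: float, window: int) -> float:
    while times and times[0] <= now - window:   # drop events outside the window
        times.popleft()
    return len(times) / window


def on_signal(policy: TrustPolicy, host: HostState, now: float, valid: bool = True) -> str:
    """Account one signaling message; demote if a rate threshold is exceeded."""
    expire_deny(host, now)
    if host.queue == DENIED:
        return DENIED
    host.signal_times.append(now)
    if not valid:
        host.invalid_times.append(now)
    w = policy.tolerance_window
    if policy.maximum_signal_threshold and _rate(host.signal_times, now, w) > policy.maximum_signal_threshold:
        return demote(policy, host, now)
    if policy.invalid_signal_threshold and _rate(host.invalid_times, now, w) > policy.invalid_signal_threshold:
        return demote(policy, host, now)
    return host.queue


def on_cac_failure(policy: TrustPolicy, host: HostState, now: float) -> str:
    expire_deny(host, now)
    if host.queue == DENIED:
        return DENIED
    host.cac_failures += 1
    limit = policy.cac_failure_threshold if host.queue == TRUSTED else policy.untrust_cac_failure_threshold
    if limit and host.cac_failures >= limit:
        return demote(policy, host, now)
    return host.queue


def simulate(level: str) -> list:
    """Queue trace for one host: start, promotion, two CAC failures,
    six invalid messages in half a second, then a message after deny-period."""
    policy = TrustPolicy(level, invalid_signal_threshold=1, cac_failure_threshold=2,
                         untrust_cac_failure_threshold=2, deny_period=30, tolerance_window=5)
    host = new_host(policy)
    trace = [host.queue, promote(policy, host)]
    on_cac_failure(policy, host, 1.0)
    trace.append(on_cac_failure(policy, host, 2.0))
    for i in range(6):
        queue = on_signal(policy, host, 3.0 + i * 0.1, valid=False)
    trace.append(queue)
    trace.append(on_signal(policy, host, 60.0))
    return trace
```

Running `simulate("low")` yields untrusted, trusted, untrusted, denied, untrusted: the CAC failures demote the host out of the trusted queue, the burst of invalid messages denies it, and it is released after deny-period. Under medium the same burst leaves the host untrusted rather than denied; under none and high the host never leaves its starting queue.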