Oracle SBC Security Guide
Per-endpoint Call Admission Control
The SBC can demote endpoints from the trusted queue to the untrusted queue, or from the untrusted queue to the denied queue, when CAC failures exceed a configured threshold. The SBC maintains CAC failures per endpoint. The CAC failure counter is incremented upon certain admission control failures only if either cac-failure-threshold or untrust-cac-fail-threshold is set to a non-zero integer.
The cac-failure-threshold parameter is configurable in the access control and realm configuration elements. Exceeding the threshold integer defined in this parameter demotes an endpoint from the trusted queue to the untrusted queue. Additionally, the untrust-cac-fail-threshold parameter is configurable in the access control and realm configuration elements. Exceeding the threshold integer defined in this parameter demotes an endpoint from the untrusted queue to the denied queue. If both cac-failure-threshold and untrust-cac-fail-threshold are configured to 0, admission control failures are instead counted as invalid signaling messages when determining whether the invalid-signal-threshold parameter value has been exceeded.
CAC failures used for Endpoint Demotion
The SBC determines CAC failures only by considering the number of signaling messages sent FROM an endpoint TO the realm its signaling messages traverse.
When the CAC failure thresholds are enabled, the SBC demotes an endpoint that exceeds any of the following CAC limits:
• sip-interface user CAC sessions (realm-config > user-cac-sessions)
• sip-interface user CAC bandwidth (realm-config > user-cac-bandwidth)
• An external policy server rejects a session
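The demotion logic described above, as an added model written for this guide and not Oracle's code: a per-endpoint CAC failure counter, the trusted-to-untrusted and untrusted-to-denied steps gated by the two thresholds, and the fall-through to invalid-signal counting when both thresholds are 0. Threshold value 0 meaning "step disabled" and resetting the counter on demotion are assumptions of the model; the sample threshold values are constructed.

```python
from dataclasses import dataclass

TRUSTED, UNTRUSTED, DENIED = "trusted", "untrusted", "denied"


@dataclass
class CacThresholds:
    """Realm/ACL settings named after the guide's parameters (0 = disabled; assumption)."""
    cac_failure_threshold: int = 0        # trusted  -> untrusted
    untrust_cac_fail_threshold: int = 0   # untrusted -> denied
    invalid_signal_threshold: int = 0     # consulted only when both CAC thresholds are 0


@dataclass
class Endpoint:
    queue: str = TRUSTED
    cac_failures: int = 0      # per-endpoint CAC failure counter
    invalid_signals: int = 0   # per-endpoint invalid signaling message counter


def record_cac_failure(ep: Endpoint, th: CacThresholds) -> str:
    """Apply one CAC failure (user-cac-sessions, user-cac-bandwidth or a policy-server
    reject) to the endpoint and return the queue it is in afterwards."""
    if th.cac_failure_threshold == 0 and th.untrust_cac_fail_threshold == 0:
        # Both CAC thresholds are 0: the failure counts as an invalid signaling
        # message towards invalid-signal-threshold, not towards the CAC counter.
        ep.invalid_signals += 1
        return ep.queue
    ep.cac_failures += 1
    if ep.queue == TRUSTED and 0 < th.cac_failure_threshold < ep.cac_failures:
        ep.queue, ep.cac_failures = UNTRUSTED, 0   # counter reset on demotion (assumption)
    elif ep.queue == UNTRUSTED and 0 < th.untrust_cac_fail_threshold < ep.cac_failures:
        ep.queue, ep.cac_failures = DENIED, 0
    return ep.queue


def invalid_signal_exceeded(ep: Endpoint, th: CacThresholds) -> bool:
    """True once the endpoint's invalid signaling count exceeds invalid-signal-threshold."""
    return th.invalid_signal_threshold > 0 and ep.invalid_signals > th.invalid_signal_threshold


def simulate(failures: int, th: CacThresholds) -> list[str]:
    """Feed consecutive CAC failures from one endpoint; return its queue after each."""
    ep = Endpoint()
    return [record_cac_failure(ep, th) for _ in range(failures)]


if __name__ == "__main__":
    th = CacThresholds(cac_failure_threshold=3, untrust_cac_fail_threshold=2)
    for i, queue in enumerate(simulate(7, th), 1):
        print(f"CAC failure {i}: endpoint in {queue} queue")
```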
Thresholds and Trending Analysis
Thresholds and trending analysis are important concepts that must be well understood and implemented during initial installation of the SBC. Thresholds should be monitored and settings periodically adjusted as network usage or capacity requirements change. To be supported by Oracle TAC, SBC deployments require a minimum set of standard configurations outlined in the DDoS BCPs [10, 11]. These settings are considered the minimum configuration required to protect the SD. Upon deployment of a DDoS-provisioned SBC, it is recommended that customers continuously monitor the common traffic load and patterns of services traversing their SBC, and understand any alarms received.
Regardless of the monitoring method used (e.g. SNMP, CDR, HDR, syslog), during the initial period after implementation it is crucial to understand:
• The number of active SIP sessions seen during normal and peak periods
• Average call hold times
• Average number of signaling messages per call (usually best collected via Wireshark or another network capture tool)
• The stable, "common" values of the following counters:
o Trusted to Untrusted Demotions
o Untrusted to Deny Demotions
o Demotions
o Promotions
• Ongoing demotions/promotions on ACLs, and which SIP UAs they refer to
• Why any deny entries exist, and which SIP UAs they refer to
• Whether the configured deny period is helping or causing more issues