If access-flow traffic-validation is enabled for both the service and the subscriber, the flows are checked against the filter rules. If packets do not match the filter rules and N violations occur within K seconds, the R-P connection is downgraded to a best-effort flow, if it is not already one.
threshold { [violations limit] [interval seconds]}
violations limit: Sets the maximum number of traffic access violations allowed within the configured interval. limit must be an integer from 1 through 100000.
interval seconds: Sets the time interval, in seconds, over which violations are counted. seconds must be an integer from 1 through 100000.
Configures the realm for the access-network. realm_name must be a string from 1 to 128 characters in length.
The following command creates an access-network realm named realm2.
The poorly-formed-request option is used by default to deny a request.
These are optional keywords used with the deny sub-command to deny A11 RRQ messages that have either an unsupported vendor ID or a bad/poorly formed request.
unsupported-vendor-id denies the request on the basis of the vendor ID.
poorly-formed-request denies the A11 request on the basis of the request formation or structure. It is the default deny code for the deny sub-command.
A chap_priority must be specified in conjunction with this option. Priorities specify which authentication protocol should be attempted first, second, third and so on.
chap_priority must be an integer from 1 through 1000. The lower the integer, the higher the preference. CHAP is enabled by default as the highest preference.
A mschap_priority must be specified in conjunction with this option. Priorities specify which authentication protocol should be attempted first, second, third and so on.
mschap_priority must be an integer from 1 through 1000. The lower the integer, the higher the preference.
A pap_priority must be specified in conjunction with this option. Priorities specify which authentication protocol should be attempted first, second, third and so on.
pap_priority must be an integer from 1 through 1000. The lower the integer, the higher the preference. PAP is enabled by default as the second highest preference.
Important: At least one of the keywords must be used to complete the command.
count can be configured to any integer value between 0 and 500,000.
Important: The maximum number of subscribers supported is dependent on the license key and the number of active PACs/PSCs installed in the system. A fully loaded system with 13 active PACs/PSCs can support 500,000 total subscribers. Refer to the license key command for additional information.
When configuring the max-subscribers option, be sure to consider the following:
The following command binds the logical IP interface with the address 192.168.3.1 to the PDSN service and specifies that a maximum of 600 simultaneous subscriber sessions can be facilitated by the interface/service at any given time.
bcmcs [ custom | flow-id value { header-compression rohc { rohc-profile name name } }| grpusrname group_name | [ encrypted ] grppasswd group_passwd | ptt {destination-context disconnect-dscp-label rohc-profile-name}]
ptt {destination-context dest_name | disconnect-dscp-label dscp-label_value| mtu | rohc-profile-name profile_name }
destination-context: Specifies the intended destination context name. This value must be a string of 1 to 79 characters in length.
mtu: Configures the maximum transmission unit. This value must be in the range 100 to 2000. Default is 1500.
rohc-profile-name: Profile name of the ROHC compressor and decompressor. This value must be a string of 1 to 63 characters.
Important: This is a customer-specific command.
checksum: Disables the introduction of the checksum field in outgoing GRE packets.
checksum-verify: Disables verification of the GRE checksum (if present) in incoming GRE packets.
protocol-type: Restores the GRE protocol type to the default, protocol-type any.
sequence-numbers: Restores the GRE sequence number parameters to the default, sequence-numbers enabled.
• drop-limit: Sets the number of source violations within a detection period before forcing a call disconnect to the default: 10.
• period: Sets the length of time, in seconds, for a source violation detection period to last to the default: 120 seconds.
• reneg-limit: Sets the number of source violations within a detection period before forcing a PPP renegotiation to the default: 5.
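The following Python is an added example, not code from this reference or from StarOS. It models two of the counters described on this page: the access-flow traffic-validation threshold (N violations within K seconds downgrades the R-P flow to best effort) and the source-violation reneg-limit/drop-limit/period counters with the defaults given above. It assumes a detection period that starts at the first violation and lasts `period` seconds; the class and method names are illustrative.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ViolationWindow:
    """Counts violations inside one detection period.

    Assumption: a period starts at the first violation seen and lasts
    `period` seconds; once it has expired the next violation starts a
    fresh period with the count reset.
    """
    period: float                        # interval / period in seconds
    started_at: Optional[float] = None   # time of the first violation in the period
    count: int = 0

    def record(self, now: float) -> int:
        """Record a violation at time `now`; return the count in the current period."""
        if self.started_at is None or now - self.started_at >= self.period:
            self.started_at = now
            self.count = 0
        self.count += 1
        return self.count


@dataclass
class TrafficValidation:
    """access-flow traffic-validation: threshold violations <limit> interval <seconds>."""
    limit: int
    interval: float
    best_effort: bool = False
    window: ViolationWindow = field(init=False)

    def __post_init__(self) -> None:
        if not (1 <= self.limit <= 100000 and 1 <= self.interval <= 100000):
            raise ValueError("limit and interval must be 1 through 100000")
        self.window = ViolationWindow(self.interval)

    def packet(self, now: float, matches_filter: bool) -> str:
        """Classify one packet of the R-P flow against the filter rules."""
        if matches_filter:
            return "forward"
        if self.best_effort:           # already downgraded: nothing more to do
            return "best-effort"
        if self.window.record(now) >= self.limit:
            self.best_effort = True    # N violations in K seconds: downgrade the flow
            return "downgrade-to-best-effort"
        return "violation"


@dataclass
class SourceViolationDetector:
    """Source-violation counters with the defaults stated on the page:
    reneg-limit 5, drop-limit 10, period 120 seconds."""
    reneg_limit: int = 5
    drop_limit: int = 10
    period: float = 120.0
    window: ViolationWindow = field(init=False)

    def __post_init__(self) -> None:
        self.window = ViolationWindow(self.period)

    def violation(self, now: float) -> str:
        """Return the action the PDSN takes after this source violation."""
        n = self.window.record(now)
        if n >= self.drop_limit:
            return "disconnect"         # drop-limit reached: force a call disconnect
        if n == self.reneg_limit:
            return "ppp-renegotiate"    # reneg-limit reached: force PPP renegotiation
        return "count"
```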
max-deny-reply-limit: Resets the maximum number of retries of an erroneous registration request message from the PCF for a session, before the PDSN terminates the session, to the default of 3.
new-call connection-setup-record-absent: Configures the PDSN not to reject calls that do not have the airlink connection setup record in the RRQ.
new-call reverse-tunnel-unavailable: Configures the PDSN not to reject calls if the GRE key for a user collides with that of another user.
session-already-active: disables the PDSN from denying RP renew and dereg requests for active R-P sessions.
session-already-closed: disables the PDSN from denying RP renew and dereg requests for absent R-P sessions.
session-already-dormant: disables the PDSN from denying RP renew and dereg requests for dormant R-P sessions.
terminate-session-on-error: Disables the PDSN from terminating a session if an erroneous registration request message is received for the session.
use-zero-gre-key: Configures the PDSN not to set the GRE key to zero (0) when denying a new R-P session.
bad-extension: Sets the PDSN so that it does not immediately discard registration requests that have multiple vendor information elements of the same type.
gre-key-change: Sets the PDSN so that it does not discard Registration Requests that have a GRE key that is different from the one for the existing IMSI session.
handoff connection-setup-record-absent: Sets the PDSN so that it does not discard A11 Handoff requests that do not contain the Airlink Setup record.
Specifies the name of the configured subscriber profile. profile_name can be between 1 and 63 alphanumeric characters and is case sensitive.
Use the no default subscriber profile_name command to delete the configured default subscriber.
To configure the PDSN service to apply the rules configured for a subscriber named user1 to every other subscriber session it processes, enter the following command:
Disabling fragmentation may cause the sessmgr to perform outer IP fragmentation of the outgoing packet, if the resulting packet exceeds the MED MTU.
gre { checksum | checksum-verify | flow control | ip-header-dscp value { all-control-packets | setup-packets-only } | flow-control-timeout { seconds | msec milliseconds } action { resume-session | disconnect-session } | protocol-type { any | byte-stream | ppp } | reorder-timeout milliseconds | sequence-mode { none | reorder } | segmentation | sequence-numbers | threegppp2-ext-header qos-marking }
ip-header-dscp value { all-control-packets | setup-packets-only }
• value: Represents the DSCP setting. It represents the first six most-significant bits of the ToS field. It can be configured to any hex value from 0x0 through 0x3F.
• all-control-packets: Dictates that the DSCP marking is to be provided in all GRE control packets.
• setup-packets-only: Dictates that the DSCP marking is to be provided only in GRE setup packets.
action { disconnect-session | resume-session }:
• resume-session: Switches flow control to XON and resumes delivery of packets to the RAN.
timeout { seconds | msec milliseconds }
seconds: Specifies the amount of time in seconds before the timeout is reached.
seconds must be an integer from 1 through 1000.
msec milliseconds: Specifies the amount of time in milliseconds before the timeout is reached.
milliseconds must be an integer from 1 through 1000000.
any: Specifies that the PDSN service will accept GRE packets encapsulated using any protocol.
byte-stream: Specifies that the PDSN service will accept GRE packets only encapsulated using byte stream. Using byte stream encapsulation, PPP packets are framed at different intervals and sent.
ppp: Specifies that the PDSN service will accept GRE packets only encapsulated using the Point-to-Point Protocol (PPP). Using PPP encapsulation, PPP packets are framed at regular intervals and sent.
none: Specifies that sequence numbers in packets are ignored and all arriving packets are processed in the order they arrive.
reorder: Specifies that out of sequence packets are stored in a sequencing queue until one of the conditions is met:
The no keyword enables QoS marking in the GRE header based on the ToS value in the header.
The gre protocol-type command can be used to prevent the PDSN service from servicing PCFs that use a specific form of encapsulation.
Use the no gre sequence-numbers command to disable the inclusion of GRE sequence numbers in the A10 data path.
number can be any integer value between 1 and 65535.
Important: The UDP port setting on the PCF must match the local-port setting for the PDSN service on the system in order for the two devices to communicate.
Use the following command to specify a UDP port of 3950 for the PDSN service to use to communicate with the PCF on the R-P interface:
num can be any integer value from 1 to 1000000.
secs can be any integer value from 1 to 1000000.
num can be any integer value from 1 to 1000000.
The following command sets the drop limit to 15 and leaves the other values at their defaults:
time is measured in seconds and can be configured to any integer value between 1 and 65534.
Use the no lifetime command to delete a previously configured lifetime setting. If after deleting the lifetime setting you desire to return the lifetime parameter to its default setting, use the default lifetime command.
The following command specifies a time of 3600 seconds (1 hour) for subscriber sessions on this PDSN service:
count can be configured to any integer value between 1 and 1,000,000.
Use the no mobile-ip foreign-agent context command to delete a previously configured destination context.
min_length is any integer value from 10 to 15, but must be less than the max_length specified with max.
max_length is any integer value from 10 to 15, but must be more than the min_length specified with min.
Use the no nai-constructed domain command to delete a configured alias.
Important: This command should only be used if the PDSN service is configured to allow no authentication using the authentication allow-noauth command.
Additionally, the aaa constructed-nai command in the Context Configuration mode can be used to configure a password for constructed NAIs.
If the configuration is no new-call conflict terminate-session-old-pcf, the system will not send a registration update to the old PCF on receiving a new call (A11-RRQ (Type 1)) request for an existing active/dormant session. The default behavior is to send registration updates.
seconds must be an integer in the range from 60 through 3600.
seconds must be an integer from 1 through 3600.
num must be an integer in the range from 0 through 100.
seconds must be in the range from 1 through 10.
peer-pcf ip_address bcmcs_framing { hdlc-like | segment-based }
ip_address must be specified using the standard IPv4 dotted decimal notation or colon notation for IPv6.
policy overload { redirect address [ weight weight_num ] [ address2 [ weight weight_num ] ... address16 [ weight weight_num ] ] } | { reject [ use-reject-code { admin-prohibited | insufficient-resources } ] }
policy msid-match msid_with_wildcards { redirect address [ weight weight_num ] [ address2 [ weight weight_num ] ... address16 [ weight weight_num ] ] }
policy pcf-zone-match zone_number { redirect address [ weight weight_num ] [ address2 [ weight weight_num ] ... address16 [ weight weight_num ] ] }
no policy { msid-match msid_with_wildcards | overload [ redirect address ] | pcf-zone-match zone_number | rrq mei-from-current-pcf {suppress-ppp-restart} | service-option | unknown-cvse enforce }
no policy { overload [ redirect address [ address2...address16 ] ] | rrq mei-from-current-pcf {suppress-ppp-restart} | service-option | unknown-cvse enforce }
overload: This keyword without any options deletes the complete overload policy from the PDSN service.
overload redirect address [ address2 ... address16 ]: Deletes up to 16 IP addresses from the overload redirect policy. The IP addresses must be expressed in IPv4 dotted decimal notation.
rrq mei-from-current-pcf suppress-ppp-restart: Suppresses the PPP restart when an RRQ containing an MEI arrives from the current PCF. This is disabled by default.
service-option: Resets the PDSN service to accept calls that do not contain the service option(s) configured using the service option command.
unknown-cvse enforce: When unknown-cvse policy is enforced, PDSN will deny RRQs with unknown CVSEs (unknown vendor id, unknown app type or unknown app subtype) with an error code.
policy overload { redirect address [ weight weight_num ] [ address2 [ weight weight_num ] ... address16 [ weight weight_num ] ] } | { reject [ use-reject-code { admin-prohibited | insufficient-resources } ] }
redirect: This option enables a redirect policy for overloading conditions. When a redirect policy is invoked, the PDSN service rejects new sessions with an A11 Registration Reply Code of 88H (unknown PDSN address) and provides the IP address of an alternate PDSN. This command can be issued multiple times.
weight weight_num: When multiple addresses are specified, they are selected in a weighted round-robin scheme. Entries with higher weights are more likely to be chosen. If a weight is not specified the entry is automatically assigned a weight of 1.
weight_num must be an integer from 1 through 10.
reject: This option will cause any overload traffic to be rejected. The PDSN will send an A11 Registration Reply Code of 82H (insufficient resources).
use-reject-code admin-prohibited: When this keyword is specified and traffic is rejected, the error code admin prohibited is returned instead of the error code insufficient resources. This is the default behavior.
use-reject-code insufficient-resources: When this keyword is specified and traffic is rejected, the error code insufficient resources is returned instead of the error code admin prohibited.
policy msid-match msid_with_wildcards { redirect address [ weight weight_num ] [ address2 [ weight weight_num ] ... address16 [ weight weight_num ] ] }
msid_with_wildcards: An MSID in which up to 16 digits have been replaced with the wildcard ‘$’. This defines the list of possible matches for incoming calls.
redirect: This option enables a redirect policy for overloading conditions. When a redirect policy is invoked, the PDSN service rejects new sessions with an A11 Registration Reply Code of 88H (unknown PDSN address) and provides the IP address of an alternate PDSN. This command can be issued multiple times.
address: The IP address of an alternate PDSN expressed in IPv4 dotted decimal notation. Up to 16 IP addresses can be specified either in one command or by issuing the redirect command multiple times. If you try to add more than 16 IP addresses to the redirect policy the CLI issues an error message. If you specify an IP address and weight that already exists in the redirect policy the new values override the existing values.
weight weight_num: When multiple addresses are specified, they are selected in a weighted round-robin scheme. Entries with higher weights are more likely to be chosen. If a weight is not specified the entry is automatically assigned a weight of 1.
weight_num must be an integer from 1 through 10.
policy pcf-zone-match zone_number { redirect address [ weight weight_num ] [ address2 [ weight weight_num ] ... address16 [ weight weight_num ] ] }
zone_number: An integer between 1 and 32 that defines the zone incoming calls must match for redirection.
redirect: This option enables a redirect policy for overloading conditions. When a redirect policy is invoked, the PDSN service rejects new sessions with an A11 Registration Reply Code of 88H (unknown PDSN address) and provides the IP address of an alternate PDSN. This command can be issued multiple times.
address: The IP address of an alternate PDSN expressed in IPv4 dotted decimal notation. Up to 16 IP addresses can be specified either in one command or by issuing the redirect command multiple times. If you try to add more than 16 IP addresses to the redirect policy the CLI issues an error message. If you specify an IP address and weight that already exists in the redirect policy the new values override the existing values.
weight weight_num: When multiple addresses are specified, they are selected in a weighted round-robin scheme. Entries with higher weights are more likely to be chosen. If a weight is not specified the entry is automatically assigned a weight of 1.
weight_num must be an integer from 1 through 10.
Use the no policy { overload | service-option } command to delete a previously configured policy. If, after deleting the policy setting, you want to return the policy parameter to its default setting, use the default policy command.
Caution: Incorrect configuration of the policy msid-match and policy pcf-zone-match keywords could result in sessions failing to be established. For example, if PDSN1 is configured to redirect sessions to PDSN2 while PDSN2 is configured to redirect sessions to PDSN1, a loop is created in which all sessions would fail to be connected. In addition, sessions will not be established if the PDSN to which the sessions are being redirected is unavailable.
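As an added example (not code from this reference or from StarOS), the following Python models the redirect address list shared by the policy overload, msid-match and pcf-zone-match commands (up to 16 addresses, weights 1 through 10, re-adding an address overrides its weight, weighted round-robin selection) together with a check for the redirect loop the caution describes. The smooth weighted round-robin variant, the 10.0.0.x addresses and the `policies` map of PDSN address to redirect targets are assumptions; the page only says "weighted round-robin".

```python
from typing import Dict, List, Optional


class OverloadRedirectPolicy:
    """policy ... redirect <address> [weight <n>] ... up to 16 addresses."""
    MAX_ADDRESSES = 16

    def __init__(self) -> None:
        self.weights: Dict[str, int] = {}    # address -> weight, in configuration order
        self._credit: Dict[str, int] = {}    # running balance used by the scheduler

    def redirect(self, address: str, weight: int = 1) -> None:
        """Add an alternate PDSN; re-adding an address overrides its weight."""
        if not 1 <= weight <= 10:
            raise ValueError("weight must be 1 through 10")
        if address not in self.weights and len(self.weights) >= self.MAX_ADDRESSES:
            raise ValueError("redirect policy already holds 16 addresses")
        self.weights[address] = weight
        self._credit.setdefault(address, 0)

    def no_redirect(self, address: str) -> None:
        """no policy overload redirect <address>."""
        self.weights.pop(address, None)
        self._credit.pop(address, None)

    def next_alternate(self) -> Optional[str]:
        """Pick the alternate PDSN address to return in the 88H reply.

        Assumption: smooth weighted round-robin, which hands out each
        address exactly `weight` times per `sum(weights)` picks.
        """
        if not self.weights:
            return None
        total = sum(self.weights.values())
        for addr, w in self.weights.items():
            self._credit[addr] += w
        chosen = max(self.weights, key=lambda a: self._credit[a])
        self._credit[chosen] -= total
        return chosen


def find_redirect_loop(policies: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return a redirect cycle (PDSN1 -> PDSN2 -> ... -> PDSN1) if one exists.

    `policies` maps each PDSN address to the addresses its redirect policy
    points at. Every PDSN on a cycle keeps bouncing new sessions onward and
    none of them ever accepts the call, which is the failure the caution
    describes.
    """
    state: Dict[str, int] = {}   # 1 = on the current path, 2 = fully explored
    path: List[str] = []

    def visit(node: str) -> Optional[List[str]]:
        state[node] = 1
        path.append(node)
        for nxt in policies.get(node, []):
            if state.get(nxt) == 1:              # back edge: closes a cycle
                return path[path.index(nxt):] + [nxt]
            if nxt not in state:
                cycle = visit(nxt)
                if cycle:
                    return cycle
        path.pop()
        state[node] = 2
        return None

    for start in list(policies):
        if start not in state:
            cycle = visit(start)
            if cycle:
                return cycle
    return None
```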
l2tp: Force all subscriber sessions in this PDSN service to use L2TP tunneling.
l2tp-secure: Force all subscriber sessions in this PDSN service to use L2TP tunneling and use IPSEC to ensure a secure connection.
none: Do not force L2TP tunneling. This is the default.
Important: If the context specified by the ppp tunnel-context context_name command does not have a LAC service configured and tunnel-type is set to l2tp or l2tp-secure, the call is rejected.
Important: If the PPP tunnel context has not been set or has been cleared with the no ppp tunnel-context command and tunnel-type is set to l2tp or l2tp-secure, the context where the current PDSN service resides is used. If that context does not have a LAC service configured the call is rejected.
To set the tunnel context to the context named context1 and enable forced L2TP tunneling, use the following commands:
qos-profile-id-mapping profile-id id_num { description desc | downlink-bw dl_bw | drop-rate drop_percentage | latency latency_duration | qos-class { class-A | class-B | class-C | class-D | class-E | class-F } | uplink-bw ul_bw }+
id_num must be an integer between 0 and 65535.
desc must be an alpha and/or numeric string between 1 and 32 characters.
dl_bw must be an integer value between 0 and 100000.
drop-rate drop_percentage
drop_percentage must be an integer value between 0 and 100.
latency_duration must be an integer value between 0 and 1000.
ul_bw must be an integer value between 0 and 100000.
The following command sets the downlink bandwidth to 32 kbps, latency duration to 1000 ms, uplink bandwidth to 32 kbps, and QoS class to Class-C for the QoS profile ID 11 in a PDSN service:
Sets the wait time for A11 RRQ for QoS changes. seconds must be an integer from 1 through 1000.
action: Configures the action taken when the wait timeout expires.
• disconnect-session: Drops the call if the A11 RRQ has not been received for the QoS update. This includes all of the IP flows for the session.
• downgrade-to-best-effort: Drops packets if the A11 RRQ has not been received for the QoS update, and sends the forward traffic over best effort (flow FF or FE if available).
• drop-packets: Drops packets if the A11 RRQ has not been received for the QoS update.
The following command sets wait-timeout to 60 seconds and invokes downgrade-to-best-effort if the A11 RRQ has not been received for the QoS update:
connection-setup-record-absent [ use-deny-code { poorly-formed-request | reason-unspecified } ]: When enabled, the PDSN denies or discards handoff R-P sessions that do not have an Airlink Connection Setup record in the A11 Registration Request. Default is disabled; the default PDSN behavior is to accept such requests.
use-deny-code { poorly-formed-request | reason-unspecified }: Sets the specified Registration Deny Code when denying a handoff because of a missing connection setup record.
connection-setup-record-absent: Configures the PDSN to reject calls that do not have the airlink connection setup record in the RRQ.
use-deny-code { poorly-formed-request | reason-unspecified }: When rejecting calls that do not have the airlink setup record, use the specified deny code.
reverse-tunnel-unavailable: Configures the PDSN to reject calls if the GRE key for a user collides with that of another user.
If this option is used with the pdsn-code-nvse keyword, then pdsn-code-nvse configuration is disabled.
If this option is used with the wait-timeout keyword, a separate A11 timer is not used. The PDSN waits for the ppp retransmit-timeout and then sends the A11 Update. If a value is provided, then the "ppp retransmit-timeout" is ignored and a separate A11 timeout is started immediately upon sending the LCP Term-Ack. The A11 Update is then sent when the timer expires.
The number of seconds to wait. secs must be an integer in the range from 0 through 16.
The wait-timeout keyword configures the PDSN to wait the specified amount of time before sending out a Registration-Update to clear the session from the PCF.
Use the retransmission-timeout command in conjunction with the max-retransmissions command to configure the PDSN service's behavior when it does not receive a response from a particular PCF.
Use the no retransmission-timeout command to delete a previously configured timeout value. If, after deleting the timeout setting, you want to return the parameter to its default setting, use the default retransmission-timeout command.
server-address ipaddress/mask
ipaddress is the IP address expressed in dotted decimal notation.
mask is the number of mask bits.
packet-length-range min min_range max max_range
min min_range configures the minimum packet length as an integer value between 1 and 65535.
max max_range configures the maximum packet length as an integer value between 1 and 65535.
Important: This command is for use with a customer-specific implementation and requires a valid Short Data Burst feature-use license to be installed.
Important: Option 67 is used for auxiliary connections for Rev-A calls. PPP encapsulation of data packets does not flow over this service option connection. ROHC can be performed without PPP for this service option.
Use the no service-option number command to delete a previously configured service option. If after deleting the service option setting you desire to return the service option parameter to its default setting, use the default service-option command.
spi remote-address { pcf_ip_address | ip_addr_mask_combo } spi-number number { encrypted secret enc_secret | secret secret } [ description string ] [ hash-algorithm { md5 | rfc2002-md5 } ] [ replay-protection { nonce | timestamp } ] [ timestamp-tolerance tolerance ] [ zone zone_id ]
remote-address { pcf_ip_address | ip_addr_mask_combo }
pcf_ip_address: Specifies the IP address of the PCF. pcf_ip_address is an IP address expressed in IP v4 dotted decimal notation.
ip_addr_mask_combo: Specifies the IP address of the PCF and specifies the IP address network mask bits.
ip_addr_mask_combo must be specified using the form ‘IP Address/Mask Bits’ where the IP address must either be an IPv4 address expressed in dotted decimal notation or an IPv6 address expressed in colon notation and the mask bits are a numeric value which is the number of bits in the subnet mask.
encrypted secret enc_secret | secret secret
encrypted secret enc_secret: Specifies the encrypted shared key (enc_secret) between the PCF and the PDSN service. enc_secret must be between 1 and 254 alpha and/or numeric characters and is case sensitive.
secret secret: Specifies the shared key (secret) between the PCF and the PDSN services. secret must be between 1 and 127 alpha and/or numeric characters and is case sensitive.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret key. Only the encrypted secret key is saved as part of the configuration file.
This is a description for the SPI. string must be an alphanumeric string from 1 through 31 characters.
md5: Configures the hash-algorithm to implement MD5 per RFC 1321.
rfc2002-md5: Configures the hash-algorithm to implement keyed-MD5 per RFC 2002.
nonce: Configures replay protection to be implemented using NONCE per RFC 2002.
timestamp: Configures replay protection to be implemented using timestamps per RFC 2002.
Important: The SPI configuration on the PCF must match the SPI configuration for the PDSN service on the system in order for the two devices to communicate properly.
Use the no version of this command to delete a previously configured SPI.
When this command is used with zone zone_id, all calls from that PCF zone are redirected to the specific PDSN according to the parameters configured with the policy pcf-zone-match command.
The following command deletes the configured SPI of 400 for a PCF with an IP address of 172.100.3.200:
The following command creates the configured SPI of 400 for a PCF with an IP address of 172.100.3.200 and a zone ID of 11:
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of A11 Registration Response failures > High Threshold
• Clear condition: Actual number of A11 Registration Response failures ≤ Low Threshold
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of Discarded A11 Registration Requests > High Threshold
• Clear condition: Actual number of Discarded A11 Registration Requests ≤ Low Threshold
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of Discarded A11 Registration Acknowledgements > High Threshold
• Clear condition: Actual number of Discarded A11 Registration Acknowledgements ≤ Low Threshold
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
The following command configures a number of calls setup per second threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
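The following Python is an added example, not code from this reference or from StarOS, replaying polled counter values against the enter/clear conditions described for the threshold commands above (enter when the value exceeds the high threshold, clear when it falls to or below the low threshold, low defaulting to high when not configured, low ignored for the Alert model). The sample values and the assumption that the Alert model raises an alert in every polling interval where the value exceeds the high threshold are mine.

```python
from typing import List, Optional, Tuple


def evaluate_threshold(samples: List[int], high: int, low: Optional[int] = None,
                       model: str = "alarm") -> List[Tuple[int, str]]:
    """Replay polled counter values against a threshold and return the events.

    Alarm model: 'enter' when the value exceeds the high threshold, 'clear'
    once it drops to or below the low threshold; nothing happens in between,
    so a value hovering around the high threshold does not flap. If no low
    threshold is configured it is taken to equal the high threshold.
    Alert model: the low threshold is ignored; the assumption made here is
    that an 'alert' is raised for every polling interval in which the value
    exceeds the high threshold.
    """
    if model not in ("alarm", "alert"):
        raise ValueError("model must be 'alarm' or 'alert'")
    if low is None:
        low = high
    if low > high:
        raise ValueError("low threshold must not exceed the high threshold")

    events: List[Tuple[int, str]] = []
    active = False                      # is the alarm currently raised?
    for poll, value in enumerate(samples):
        if model == "alert":
            if value > high:
                events.append((poll, "alert"))
        elif not active and value > high:
            active = True
            events.append((poll, "enter"))
        elif active and value <= low:
            active = False
            events.append((poll, "clear"))
    return events


# Constructed sample: calls set up per second, one value per polling interval.
CALL_SETUP_RATE = [800, 1200, 900, 600, 500, 1100]
```

With the high threshold of 1000 and low threshold of 500 from the command above, the Alarm model raises at the second poll and does not clear until the rate has fallen to 500, while the Alert model fires at every poll above 1000.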