group_name must be a string from 1 through 63 characters in length.
The following command applies the AAA server group star1 to a subscriber within the specific context:
access-link ip-fragmentation { normal | df-ignore | df-fragment-and-icmp-notify }
GTPP CDR RADIUS accounting is enabled for the current local subscriber. The radius-diameter keyword is available if both GTPP RADIUS and RADIUS-Diameter accounting are to be used.
RADIUS-Diameter accounting is enabled for the current local subscriber. The gtpp keyword is available if both GTPP RADIUS and RADIUS-Diameter accounting are to be used.
If the gtpp option is used, then GTPP RADIUS is used as configured in the Context Configuration mode or the AAA Server Group Configuration mode and GTPP charging records will be enabled.
If the radius-diameter option is used, either the RADIUS or the Diameter protocol is used as configured in the Context Configuration mode or the AAA Server Group Configuration mode.
RADIUS accounting can also be enabled and disabled at the context level with the aaa accounting command in the Context Configuration Mode. If RADIUS accounting is enabled at the context level, the accounting-mode command can be used to disable RADIUS accounting for individual local subscriber configurations.
If the accounting mode is set to rf-style, then BM will generate accounting records corresponding to AIMS RF.
bandwidth_policy must be an alpha and/or numeric string from 1 through 63 characters in length.
rulebase_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Caution: When always-on is enabled, the subscriber must have an idle time-out period configured (default is 0, no time-out). Failure to configure an idle time-out results in a subscriber session that is indefinite in length.
Two timers and a counter are associated with this feature. Refer to the timeout command in this chapter and the ppp echo-retransmit-timeout msec and ppp echo-max-retransmissions num_retries commands.
Disables always-on. The user is disconnected after the idle time expires.
pdf_id must be an integer between 1 and 65535.
svc_profile_id is a preconfigured Service Profile Identifier configured in the Context Configuration Mode.
sdf_id must be an integer between 1 and 65535.
asn-pdfid 1 asn-service-profile-id 3 asn-sdfid 2
Remove the existing profile ID setting specified by profile_id.
profile_id must be an integer from 0 through 65535.
cf_policy_id must be a preconfigured category policy id in Active Charging Configuration Mode.
In case category policy identifier cf_policy_id used here is not configured in Active Charging Configuration Mode, all packets will be passed regardless of the categories determined for such packets.
Important: Category Policy Id configured through this mode overrides the Category Policy Id configured through the content-filtering category policy-id command in Rulebase Configuration Mode of Active Charging Service Configuration mode.
Important: If Content Filtering Category Policy ID is not specified here the similar command in Rulebase Configuration Mode of Active Charging Configuration Mode determines the policy.
name must be from 1 to 63 alpha and/or numeric characters.
name must be an existing LRO profile county name and be from 1 to 127 alpha and/or numeric characters.
user_id must be from 1 to 127 alpha and/or numeric characters.
name must be an existing CSCF session template name and be from 1 to 79 alpha and/or numeric characters.
Important: This command is obsolete. To configure the Diameter Credit Control Origin Endpoint, in the Credit Control Configuration mode, use the diameter origin endpoint command.
dcca peer-select peer host_name [ realm realm_name ] [ secondary-peer host_name [ realm realm_name ] ]
peer_name must be an alpha and/or numeric string from 1 through 127 characters.
peer_name allows punctuation marks.
The realm_name must be an alpha and/or numeric string of 1 through 127 characters in length. The realm may typically be a company or service name.
realm_name allows punctuation characters.
Warning: This configuration completely overrides all instances of diameter peer-select that have been configured within the Credit Control Configuration Mode for an Active Charging service.
default { access-link ip-fragmentation | accounting-mode | data-tunneling ignore df-bit | idle-timeout-activity dormant-downlink-data | inter-pdsn-handoff | ip { alloc-method | allowed-dscp | header-compression | hide-service-address | multicast discard | qos-dscp | source-validation } | loadbalance-tunnel-peers | long-duration-action | mobile-ip { home-agent | mn-aaa-removal-indication | mn-ha-hash-algorithm | reverse-tunnel | security-level | send { dns-address | terminal-verification } } | permission | ppp { always-on-vse-packet | data-compression { mode | protocols } | keepalive | min-compression-size | mtu } | radius accounting interim interval-timeout | timeout { absolute | idle } }
Sets this option to the default behavior, which is to send an ICMP unreachable - need to frag message back to the sender and drop the packet, in the case that fragmentation is required but the DF bit is set.
allowed-dscp: resets the allowed DSCP parameters to the system defaults: class none, max-class be.
hide-service-address: specifies the default setting for hiding the IP address of the service from the subscriber. Default is Disabled.
multicast discard: configures the default multicast settings, which is to discard PDUs.
qos-dscp: sets the quality of service setting to the system default.
source-validation: Specifies the default IP source validation. Default is Enabled.
user-datagram-tos copy: Disable copying of the IP TOS octet value to all tunnel encapsulation IP headers.
allow-aaa-address-assignment: Disables the FA from accepting a home address assigned by an AAA server.
home-agent: Sets home agent IP address to its default of 0.0.0.0.
match-aaa-assigned-address: Disables the FA validating the home address in the RRQ against the one assigned by AAA server.
mn-aaa-removal-indication: Sets this parameter to its default of disabled.
mn-ha-hash-algorithm: Sets the encryption algorithm to the default of hmac-md5.
reverse-tunnel: Sets this parameter to its default of enabled.
security-level: Sets this parameter to its default of none.
send dns-address: Disables the HA from sending the DNS address NVSE in the RRP.
send terminal-verification: Disables the FA from sending the terminal verification NVSE in the RRQ.
always-on-vse-packet: Re-enables the PDSN to send special 3GPP2 VSE PPP packets to the Mobile Node with a max inactivity timer value for always on sessions. This configuration is applicable only for PDSN sessions.
data-compression { mode | protocols }: restores the default value for either the data compression mode or compression protocols as follows:
ip-header-compression negotiation: sets the IP header compressions negotiation to the system default: force.
keepalive: sets the subscriber’s PPP keep alive option to the system default: 30 seconds.
min-compression-size: restores the PPP minimum packet size for compression: 128 octets.
mtu: sets the maximum message transfer unit packet size to the system default: 1500 octets.
[ no ] dns { primary | secondary } ip_address
primary: Indicates the primary domain name server for the subscriber is to be updated.
secondary: Indicates the secondary domain name server for the subscriber is to be updated.
dur is the lifetime value in seconds and must be an integer from 60 through 65535.
The following command sets the lifetime for MSK key to 4800 seconds for a WiMAX subscriber through EAP authentication:
password is the encrypted password and must be an alpha and/or numeric string from 1 to 63 characters.
Important: This command is only available in StarOS 8.0. In StarOS 8.1 and later, this configuration is available in the Rulebase Configuration Mode.
Important: Unless Stateful Firewall support for this subscriber is enabled using this command, firewall processing for this subscriber is disabled.
Important: If firewall is enabled, and the rulebase has no firewall configuration, Stateful Firewall will cause all packets to be discarded.
Important: This command is customer-specific and is only available in StarOS 8.1. This command must be used to configure the Policy-based Firewall-and-NAT feature.
fw_nat_policy must be an alpha and/or numeric string of 1 through 63 characters in length. Note that this policy will override the default Firewall-and-NAT policy configured in the ACS rulebase.
domain-name must be from 1 to 63 alpha and/or numeric characters.
ipv4-address ipv4-address
[ default | no ] ims-auth-service auth_svc_name
auth_svc_name must be from 1 to 63 alpha and/or numeric characters preconfigured within the same context of this subscriber.
[ no ] ip access-group group_name [ in | out ]
Specifies the name of the IPv4/IPv6 access group. acl_group_name is a configured ACL group and must be an alpha and/or numeric string of 1 to 79 characters.
Specifies the access-group as either inbound or outbound by the keywords in and out, respectively. If neither of these keywords is specified, the command associates the group_name access group with the current subscriber for both inbound and outbound access.
The following command associates the sampleGroup access group with the current subscriber for both inbound and outbound access:
[ no ] ip address ip_address netmask
The following command configures a static IP address of 192.168.1.15 with a subnet mask of 255.255.255.0 to the subscriber:
ip address 192.168.1.15 255.255.255.0
[ no ] ip address pool name pool_name
pool_name must be the name of an existing IP pool or IP pool group and from 1 to 31 alpha and/or numeric characters.
ip address pool name public1
Removes a previously configured auxiliary pool named aux_pool_name for multiple host support in ASN GW service.
pool_name must be the name of an existing IP pool or IP pool group and from 1 to 31 alpha and/or numeric characters.
ip allowed-dscp class class max-class maxclass [ rt-marking marking ]
Resets the parameters to the defaults: class none, max-class be. This indicates that all packets are let through without any DSCP checking.
class must be one of the following:
a: packets with AF DSCPs are allowed
e: packets with EF DSCP are allowed
o: packets for experimental or local use are allowed
ae: packets with AF and EF DSCPs are allowed
ao: packets with AF DSCPs or packets for experimental or local use are allowed
eo: packets with EF DSCPs or packets for experimental or local use are allowed
aeo: packets with AF or EF DSCPs or packets for experimental or local use are allowed
none: only the be and sc1 through sc7 code points are allowed
The list below gives the code points from lowest to highest precedence. For example, if the maxclass is set to af22, that becomes the maximum code point that the subscriber session may mark its packets with, and only be, af13, af12, af11, af23, and af22 are allowed. If a subscriber session marks its packets with anything after af22 in this list, the PDSN service re-marks the packets with the QOS-DSCP value specified by the lower of the maxclass and the ip qos-dscp command.
If class is set to none, only the be and sc1 through sc7 code points are allowed. For example, if class is set to none and you set max-class to sc1, only the sc1 and be code points are allowed.
maxclass must be one of the following:
be: best effort forwarding
af13: assured Forwarding 13
af12: assured Forwarding 12
af11: assured Forwarding 11
af23: assured Forwarding 23
af22: assured Forwarding 22
af21: assured Forwarding 21
af31: assured Forwarding 31
af32: assured Forwarding 32
af33: assured Forwarding 33
af41: assured Forwarding 41
af42: assured Forwarding 42
af43: assured Forwarding 43
marking must be one of the following:
be: best effort forwarding
af11: assured Forwarding 11
af12: assured Forwarding 12
af13: assured Forwarding 13
af21: assured Forwarding 21
af22: assured Forwarding 22
af23: assured Forwarding 23
af31: assured Forwarding 31
af32: assured Forwarding 32
af33: assured Forwarding 33
af41: assured Forwarding 41
af42: assured Forwarding 42
af43: assured Forwarding 43
This command uses the class and the type of marker (rt-marking for reverse tunnels), together with max-class, the maximum code point that a subscriber session may mark its packets with.
The following command allows class o packets (for experimental or local use) with a max-class of best effort forwarding (be):
ip allowed-dscp class o max-class be
[ no ] ip context-name name
ip context-name sampleName
no ip context-name sampleName
Important: ROHC is only supported for use with the PDSN.
any: Apply ROHC header compression in both the uplink and downlink directions.
mode { optimistic | reliable | unidirectional }:
• optimistic: Sets the ROHC mode to Bidirectional Optimistic mode (O-mode). In this mode packets are sent in both directions. A feedback channel is used to send error recovery requests and (optionally) acknowledgments of significant context updates from decompressor to compressor. Periodic refreshes are not used in the Bidirectional Optimistic mode.
• reliable: Sets the ROHC mode to Bidirectional Reliable mode (R-mode). This mode applies an intensive usage of a feedback channel and a strict logic at both the compressor and the decompressor that prevents loss of context synchronization between the compressor and the decompressor. Feedback is sent to acknowledge all context updates, including updates of the sequence number field.
• unidirectional: Sets the ROHC mode to Unidirectional mode (U-mode). With this mode packets are sent in one direction only, from the compressor to the decompressor. This mode therefore makes ROHC usable over links where a return path from the decompressor to the compressor is unavailable or undesirable.
cid-mode { { large | small } [ marked-flows-only | dm | max-hdr value | mrru value ] }: Specifies the ROHC packet type to be used.
• max-cid integer: Default: 0. The highest context ID number to be used by the compressor. integer must be an integer from 0 through 15 when small packet size is selected and must be an integer from 0 through 31 when large packet size is selected.
• max-hdr value: Specifies the maximum header size to use. Default: 168. value must be an integer from 0 through 65535.
• mrru value: Specifies the maximum reconstructed reception unit to use. Default: 65535. value must be an integer from 0 through 65535.
marked-flows-only: Specifies that ROHC is to be applied only to marked flows.
max-hdr value: Specifies the maximum header size to use. Default: 168. value must be an integer from 0 through 65535.
mrru value: Specifies the maximum reconstructed reception unit to use. Default: 65535. value must be an integer from 0 through 65535.
downlink: Apply the ROHC algorithm only in the downlink direction.
uplink: Apply the ROHC algorithm only in the uplink direction.
Important: When ROHC is enabled for downlink or uplink only, the operational mode is Unidirectional.
If both vj and rohc are specified, vj must be specified first.
Important: If both VJ and ROHC header compression are specified, the optimum header compression algorithm for the type of data being transferred is used for data in the downlink direction.
local-address 192.168.1.23
[ no ] ip route ip_address ip_mask [ gateway_address ]
1 bits in the ip_mask indicate that bit position in the ip_address must also have a value of 1.
0 bits in the ip_mask indicate that bit position in the ip_address does not need to match, i.e., the bit can be either a 0 or a 1.
no ip route 1.2.3.4 1.2.0.0
no ip route 1.2.3.4 1.2.0.0 1.2.255.254
ipv6 access-group name [ in | out ]
[ no ] ipv6 address { prefix address | prefix-pool name }
ipv6 address 1:1:1:1:1:1:1:1/24
ipv6 dns primary 1:1:1:1:1:1:1:1
ifid is a 64-bit unsigned integer.
ipv6 interface-id 00-00-00-05-47-00-37-44
[ no ] ipv6 secondary-address { prefix ipv6_address_prefix | prefix-pool pool_name }
loadbalance-tunnel-peers { balanced | prioritized | random }
suppress-notification: Suppress the SNMP TRAP and CORBA notification after detecting and disconnecting a long duration session. Default: Disabled.
dormant only: Disconnects the dormant sessions after the long duration timer and the inactivity time with idle time-out duration expire. If the long duration timeout is fired and the call is not dormant, the call is disconnected when the call later moves to dormancy.
Important: For HA calls, the inactivity-time is considered as the gauge for dormancy.
When the no keyword is used in conjunction with the dns-address keyword, information received from both the home-agent and the AAA server is sent if available.
home-agent: If the DNS address is received from the home-agent only that information is sent to the MN. Otherwise the DNS address received from the AAA server is sent.
aaa: If the DNS address is received from the AAA server only that information is sent to the MN. Otherwise the DNS address received from the home-agent is sent.
Important: This mode will only work for IP addresses that have been assigned from a static IP address pool.
home-agent ip_address [alternate]
alternate - Specifies the secondary, or alternate, Home Agent to use when Proxy Mobile IP HA Failover is enabled.
hmac-md5: Use HMAC-MD5 hash algorithm, as defined in RFC-2002bis. This is the default algorithm.
md5: Use the MD-5 hash algorithm.
rfc2002-md5: Use the MD-5 hash algorithm variant as defined in RFC-2002.
Specifies the SPI number. spi_num must be an integer from 256 through 4294967295.
ipsec: both MIP control and data traffic are secured with IPSec
none: none of the traffic is secured
Important: This keyword corresponds to the 3GPP2-Security-Level RADIUS attribute. This attribute indicates the type of security that the home network mandates on the visited network.
Important: For this attribute, the integer values are: 3: Enables IPSec for tunnels and registration messages; 4: Disables IPSec.
accounting-correlation-info: Configures whether the FA sends the correlation info to the NVSE in the RRQ. Default is disabled.
dns-address: Enables the HA to send the DNS address NVSE in the RRP. Default is disabled. This should only be enabled on the HA side.
imsi: Configures sending the IMSI NVSE in the RRQ. Default is sending IMSI in custom-1 format.
terminal-verification: Enables the FA to send the terminal verification NVSE in the RRQ. Default is disabled. This should only be enabled on the FA side.
Important: send dns-address is a proprietary feature developed for a specific purpose and requires the MN to be able to renegotiate IPCP for DNS addresses and reregister MIP if necessary. Since this feature needs the MN to support certain PPP/MIP behavior, and not all MNs may support that particular behavior, send dns-address should be enabled only after careful consideration.
name must be a string of alphanumeric characters from 1 through 63 characters in length.
dur must be an integer from 1 through 65534.
home-address ipv6_address
Specifies the home address for the subscriber. ipv6_address must be an IPv6 address in colon notation.
To set the domain name to private1 use the following command:
nbns { primary IPv4-address | secondary IPv4-address }
no nbns { primary [ IPv4-address ] | secondary [ IPv4-address ] }
nbns primary 192.168.1.15
Important: This functionality is not supported for use with the PDSN at this time.
nw-reachability server server_name
Important: Refer to the HA configuration mode command policy nw-reachability-fail to configure the action that should be taken when network reachability fails.
Important: Refer to the context configuration mode command nw-reachability server to configure network reachability servers.
Important: Refer to the nw-reachability server server_name keyword of the ip pool command in the context configuration mode chapter to bind the network reachability server to an IP pool.
To bind a network reachability server named InternetDevice to the current subscriber, enter the following command:
outbound [ encrypted ] password pwd
The password specified as pwd must be from 1 to 63 alpha and/or numeric characters without encryption and must be from 1 to 127 alpha and/or numeric characters when encryption has been indicated.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
outbound password secretPwd
outbound encrypted password scrambledPwd
no outbound password
threshold inactivity-time inactivity_time_threshold
Sets the inactivity time threshold in seconds. This value must be from 0 to 4294967295. The default value of zero disables this feature. If inactivity-time for the subscriber’s session is greater than inactivity_time_threshold, the session becomes a candidate for disconnection.
threshold connect-time connect_time_threshold
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
Specifies the user's password for authentication. pwd must be from 1 to 63 alpha and/or numeric characters or from 1 to 127 characters if the encrypted keyword was specified. A “null” password is allowed and is entered as consecutive quotes (""). See Example(s) for correct syntax.
Important: Subscribers configured with a null password will be authenticated using PAP and CHAP (MD5) only. Subscribers configured without a password (no password) will only be able to access services if the service is configured to allow no authentication.
Important: Subscribers with no password will only be able to access services if the service is configured to allow no authentication.
password secretPwd
password ""
no password
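The subscriber-level cautions in this chapter (always-on without an idle time-out, null or absent passwords, mobile-ip security-level none, a non-default mn-ha-hash-algorithm, disabled IP source validation) can be checked mechanically against a saved configuration. The Python check below is an added example, not code from this guide or from the vendor. The configuration text is constructed, and the "subscriber name", "timeout idle <seconds>", "no always-on" and "no ip source-validation" line forms are assumptions about how these commands appear in a configuration file.

```python
import re

# Constructed sample configuration (not from this guide). The block layout
# and the exact line forms are assumptions; adjust them to the real export.
SAMPLE_CONFIG = '''\
context ispA
  subscriber name alice
    always-on
    password ""
    mobile-ip security-level none
    mobile-ip mn-ha-hash-algorithm md5
    no ip source-validation
  exit
  subscriber name bob
    always-on
    timeout idle 3600
    password secretPwd
    mobile-ip security-level ipsec
    mobile-ip mn-ha-hash-algorithm hmac-md5
  exit
  subscriber name carol
    always-on
    timeout idle 0
    no password
  exit
exit
'''

# Single-line rules: (pattern, finding code). Each one mirrors a statement
# made in this chapter about the corresponding keyword.
LINE_RULES = [
    (re.compile(r'password ""'), "NULL_PASSWORD"),
    (re.compile(r"no password"), "NO_PASSWORD"),
    (re.compile(r"mobile-ip security-level none"), "MIP_SECURITY_LEVEL_NONE"),
    (re.compile(r"mobile-ip mn-ha-hash-algorithm (md5|rfc2002-md5)"),
     "MIP_HASH_NOT_DEFAULT"),
    (re.compile(r"no ip source-validation"), "SOURCE_VALIDATION_DISABLED"),
]

MESSAGES = {
    "NULL_PASSWORD": "null password: authenticated using PAP and CHAP (MD5) only",
    "NO_PASSWORD": "no password: usable only if the service allows no authentication",
    "MIP_SECURITY_LEVEL_NONE": "security-level none: none of the traffic is secured",
    "MIP_HASH_NOT_DEFAULT": "MN-HA hash algorithm is not the default hmac-md5",
    "SOURCE_VALIDATION_DISABLED": "IP source validation disabled (default is enabled)",
    "ALWAYS_ON_WITHOUT_IDLE_TIMEOUT":
        "always-on with idle time-out 0: session is indefinite in length",
}


def parse_subscribers(text):
    """Split a configuration into {subscriber name: [normalised lines]}."""
    subscribers, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # collapse indentation/spacing
        if not line:
            continue
        start = re.fullmatch(r"subscriber name (\S+)", line)
        if start:
            current = subscribers.setdefault(start.group(1), [])
        elif line in ("exit", "end"):
            current = None                    # leaves the subscriber block
        elif current is not None:
            current.append(line)
    return subscribers


def audit_subscriber(lines):
    """Return the finding codes for one subscriber's configuration lines."""
    findings = []
    always_on = False
    idle_timeout = 0                          # chapter default: 0, no time-out
    for line in lines:
        if line == "always-on":
            always_on = True
        elif line == "no always-on":
            always_on = False
        idle = re.fullmatch(r"timeout idle (\d+)", line)
        if idle:
            idle_timeout = int(idle.group(1))
        for pattern, code in LINE_RULES:
            if pattern.fullmatch(line):
                findings.append(code)
    # Cross-line rule: always-on needs a non-zero idle time-out.
    if always_on and idle_timeout == 0:
        findings.append("ALWAYS_ON_WITHOUT_IDLE_TIMEOUT")
    return findings


def audit_config(text):
    """Audit every subscriber block; returns {name: [finding codes]}."""
    return {name: audit_subscriber(lines)
            for name, lines in parse_subscribers(text).items()}


if __name__ == "__main__":
    for name, codes in audit_config(SAMPLE_CONFIG).items():
        for code in codes:
            print(f"{name}: {code}: {MESSAGES[code]}")
```
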
ha-mobile-ip: enable/disable the home agent support for mobile IP service.
pdsn-mobile-ip: enable/disable the packet data and foreign agent support for mobile IP service.
pdsn-simple-ip: enable/disable the packet data support for simple IP service.
fragment: Adjust Tunnel MTU and Fragment Packets
notify-sender: Send an ICMPv6 Packet Too Big message to the original sender
policy_group_name must consist of 1 to 15 alpha and/or numeric characters and is case sensitive.
• in: specifies the incoming traffic
• out: specifies the outgoing traffic
mode: sets the mode of compression where modes must be one of:
protocols protocols: sets the compression protocol where protocols must be one of:
detect: The local side does not include the VJ Compression option in its IPCP configuration request unless the peer sends an IPCP NAK including a VJ compression option. If the peer requests the VJ compression option in its IPCP request the local side will ACK/NAK.
force: The IP header compression negotiation in IPCP happens normally. The local side requests the VJ compression option in its IPCP configure request. If the peer side requests VJ compression in its IPCP request, the local side will ACK/NAK the option.
vj compress-slot-id [ both | none | receive | transmit ]: This keyword configures the direction in which VJ slotid compression should be negotiated.
• both - If the client proposes VJ slotid compression, accept it and propose slotid compression for downlink and uplink.
• none - If the client proposes VJ slotid compression, NAK the offer, do not propose slotid compression for downlink.
• receive - (Default) If the client proposes VJ slotid compression in the uplink direction accept the configuration.
• transmit - Propose VJ slotid compression for uplink.
disable: The PDSN does not negotiate IPCP with the mobile.
enable: The PDSN negotiates IPCP with the mobile.
passive: The PDSN initiates IPCP only when the mobile sends an IPCP request.
• always: The session is automatically disconnected.
• nai-prefix-msid-mismatch: The session is disconnected only if the MSID of the session does not match NAI-Prefix (prefix before “@” for the NAI). The configuration of the renegotiated (new) NAI is used for the matching process.
duration-quota final-duration-algorithm: Reset the end of billing duration quota algorithm to the default of current-time.
preference: Reset the preference to duration, if both duration and volume attributes are present.
Sets the low-watermark for remaining byte credits. percentage is a percentage of the subscriber session's total credits. When the low-watermark is reached, a new RADIUS access-request is sent to the RADIUS server to retrieve more credits.
percentage must be an integer from 1 to 99.
no-final-access-request: Stops sending final online access-request on termination of 3GPP2 prepaid sessions. By default, this option is disabled.
current-time: Selects the duration quota as the difference between the session termination timestamp and the session setup timestamp.
last-airlink-activity-time: Selects the duration quota as the difference between the last-user-activity timestamp (G17) and the session setup timestamp.
last-user-layer3-activity-time: Selects the duration quota as the difference between the timestamp of the last layer-3 packet sent to or received from the user and the session setup timestamp.
duration: The duration attribute takes precedence.
volume: The volume attribute takes precedence.
byte-count: Reset to the default of basing the prepaid byte credits on the flow of uncompressed traffic.
low-watermark: Disable sending an access request to retrieve more credits when a low watermark is reached.
byte-count compressed: The prepaid byte credits are based on the flow of uncompressed traffic. This is the default.
low-watermark: Disables the low watermark feature. An access-request isn’t sent to the RADIUS server until the credits granted for the subscriber session are depleted.
renewal: Disables time-based renewals for prepaid accounting.
Sets the low-watermark for remaining byte credits. percentage is a percentage of the subscriber session's total credits. When the low-watermark is reached, a new RADIUS access-request is sent to the RADIUS server to retrieve more credits.
percentage must be an integer from 1 to 99.
duration: The duration attribute takes precedence.
volume: The volume attribute takes precedence.
name is the name of the intercept list and must be a string from 1 to 63 characters in length.
no qos rate-limit direction { downlink | uplink } [ class { background | conversational | interactive traffic_priority | streaming } ]
• background: Specifies the QoS for traffic patterns in which the data transfer is not time-critical (for example, e-mail exchanges). This traffic pattern should be the lowest QoS.
• conversational: Specifies the QoS for traffic patterns in which there is a constant flow of packets in each direction, upstream and downstream. This traffic pattern should be the highest QoS.
• interactive traffic_priority: Specifies the QoS for traffic patterns in which there is an intermittent flow of packets in each direction, upstream and downstream. This traffic pattern should be a higher QoS than the background pattern, but not as high as that for the streaming pattern. traffic_priority is the 3GPP traffic handling priority and can be the integers 1, 2, or 3.
• streaming: Specifies the QoS for traffic patterns in which there is a constant flow of data in one direction, either upstream or downstream. This traffic pattern should be a higher QoS than the interactive pattern, but not as high as that for the conversational pattern.
Important: If this keyword is omitted, the same values are used for all classes.
Important: The user packet buffer function in traffic shaping is not applicable for real-time traffic.
Important: If the exceed/violate action is set to “lower-ip-precedence”, this command may override the configuration of the ip qos-dscp command in the GGSN service configuration mode for packets from the GGSN to the PDG/TTG. In addition, the GGSN service ip qos-dscp command configuration can override the APN setting for packets from the GGSN to the Internet. Therefore, it is recommended that command not be used in conjunction with this action.
Important: This command should be used in conjunction with the max-contexts command to limit the maximum possible bandwidth consumption by the APN.
qos traffic-police direction { downlink | uplink } [ burst-size bytes ] [ committed-data-rate bps ] [ exceed-action { drop | lower-ip-precedence | transmit } ] [ peak-data-rate bps ] [ violate-action { drop | lower-ip-precedence | transmit } ]
no qos traffic-police direction { downlink | uplink }
bytes must be an integer from 0 through 4294967295.
Important: It is recommended that this parameter be configured to at least the greater of the following two values: 1) 3 times greater than packet MTU for the subscriber connection, OR 2) 3 seconds worth of token accumulation within the “bucket” for the configured peak-data-rate.
bps must be an integer from 0 through 4294967295.
lower-ip-precedence: Transmit the packet after lowering the IP precedence.
transmit: Transmit the packet.
bps must be an integer from 0 through 4294967295.
lower-ip-precedence: Transmit the packet after lowering the IP precedence.
transmit: Transmit the packet.
Important: If the exceed/violate action is set to “lower-ip-precedence”, the TOS value for the outer packet becomes “best effort” for packets that exceed/violate the traffic limits regardless of what the ip user-datagram-tos copy command is configured to. In addition, the “lower-ip-precedence” option may also override the configuration of the ip qos-dscp command. Therefore, it is recommended that command not be used when specifying this option.
The following command sets an uplink peak data rate of 128000 bps and lowers the IP precedence when the committed-data-rate and the peak-data-rate are exceeded:
The following command sets a downlink peak data rate of 256000 bps and drops packets when the committed-data-rate and the peak-data-rate are exceeded:
Important: This feature is NOT supported for real-time traffic.
qos traffic-shape direction { downlink | uplink } [ burst-size bytes ] [ committed-data-rate bps ] [ exceed-action { drop | lower-ip-precedence | transmit } ] [ peak-data-rate bps ] [ violate-action { drop | lower-ip-precedence | buffer [transmit-when-buffer-full] | transmit } ] +
bytes must be an integer from 0 through 4294967295.
Important: It is recommended that this parameter be configured to at least the greater of the following two values: 1) 3 times greater than packet MTU for the subscriber connection, OR 2) 3 seconds worth of token accumulation within the “bucket” for the configured peak-data-rate.
bps must be an integer from 0 through 4294967295).
lower-ip-precedence: Transmit the packet after lowering the ip-precedence
transmit: Transmit the packet
bps must be an integer from 0 through 4294967295).
lower-ip-precedence: Transmit the packet after lowering the IP precedence
buffer [transmit-when-buffer-full]: Enables the traffic shaping and provides the buffering of user packets when subscriber traffic violates the allowed peak/committed data rate. The
[transmit-when-buffer-full] keyword allows the packet to be transimitted when buffer memory is full.
transmit: Transmit the packet
Important: If the exceed/violate action is set to “lower-ip-precedence”, the TOS value for the outer packet becomes “best effort” for packets that exceed/violate the traffic limits regardless of what the ip user-datagram-tos copy command is configured to. In addition, the “lower-ip-precedence” option may also override the configuration of the ip qos-dscp command. Therefore, it is recommended that command not be used when specifying this option.
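The burst-size recommendation and the violate actions described above can be explored with a small model. The following Python sketch is an added example, not code from the product: it assumes a single token bucket that starts full and refills at the peak data rate, and its function names and sample traffic are constructed for illustration.

```python
"""Single-rate token bucket sized per the burst-size guidance (illustrative model)."""


def recommended_burst_size(peak_bps, mtu_bytes):
    # Greater of: 3 x packet MTU, or 3 seconds of token accumulation at the
    # peak data rate (bits per second converted to bytes).
    return max(3 * mtu_bytes, 3 * peak_bps // 8)


def police(packets, peak_bps, burst_bytes, violate_action="drop"):
    """Classify (arrival_seconds, size_bytes) packets against one bucket.

    Assumption: the bucket starts full, refills at peak_bps / 8 bytes per
    second and never holds more than burst_bytes. Returns one verdict per packet.
    """
    verdict_for_violation = {
        "drop": "dropped",
        "transmit": "transmitted",
        "lower-ip-precedence": "transmitted-best-effort",
    }[violate_action]
    tokens = float(burst_bytes)
    last_arrival = 0.0
    verdicts = []
    for arrival, size in packets:
        refill = (arrival - last_arrival) * peak_bps / 8
        tokens = min(burst_bytes, tokens + refill)
        last_arrival = arrival
        if size <= tokens:
            tokens -= size
            verdicts.append("transmitted")
        else:
            verdicts.append(verdict_for_violation)
    return verdicts


# Constructed traffic: four back-to-back 1500-byte packets, then one a second later.
SAMPLE = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (0.0, 1500), (1.0, 1500)]

if __name__ == "__main__":
    print(police(SAMPLE, peak_bps=256000, burst_bytes=1500))
    print(police(SAMPLE, 256000, recommended_burst_size(256000, 1500)))
```

With a burst size of one MTU, three of the four back-to-back packets violate the limit; with the recommended size the same burst passes untouched.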
The following command sets an uplink peak data rate of 128000 bps and lowers the IP precedence when the committed-data-rate and the peak-data-rate are exceeded:
The following command buffers the excess user packets when the subscriber traffic violates the configured peak-data-rate of 256000 bps in the downlink direction. Once the peak/committed data rate for that subscriber goes below the configured limit, it transmits them. It also transmits them if buffer memory is full:
radius accounting { interim { interval-timeout timeout | normal | suppress } | ip remote-address list-id list_id | mode { session-based | access-flow-based { none | auxillary-flows | all-flows | main-a10-only } } | start { normal | suppress } | stop { normal | suppress } }
interim { interval-timeout timeout | normal | suppress }
interval-timeout timeout: Indicates the time (in seconds) between updates to session counters (log file on RADIUS or AAA event log) during the session.
timeout must be an integer from 50 to 40000000.
Caution: Interim interval settings received from the RADIUS server take precedence over this setting on the system. While the low limit of this setting on the system is a minimum of 50 seconds, the low limit setting on the RADIUS server can be as little as 1 second. To avoid increasing network traffic unnecessarily and potentially reducing network and system performance, do not set this parameter to a value less than 50 on the RADIUS server.
normal: If RADIUS accounting is enabled, send this Acct-Status-Type message when required by normal operation.
suppress: If RADIUS accounting is enabled, suppress the sending of this Acct-Status-Type message.
list_id: Specifies the RADIUS accounting remote IP address list identifier for remote-address accounting for the subscriber.
list_id must be an integer from 1 through 65535.
Remote address lists are configured using the list keyword in the radius accounting ip remote-address command in the Context Configuration mode.
mode { session-based | access-flow-based { none | auxillary-flows | all-flows | main-a10-only } }
session-based: Configures session-based RADIUS accounting behavior for the subscriber. A single RADIUS accounting message is generated for the subscriber session, rather than separate accounting messages for individual A10 connections or flows.
access-flow-based: Configures access-flow-based RADIUS accounting behavior for the subscriber. This offers flexibility by generating separate accounting messages for flows and A10 sessions.
• all-flows: Generates separate RADIUS accounting messages per access flow. Separate accounting messages are not generated for data path connections. (For example, separate messages are not sent for the main A10 or auxiliary connections.)
• auxillary-flows: Generates RADIUS accounting records for the main data path connection and for access-flows for all auxiliary data connections. (For example, separate RADIUS accounting messages are generated for the main A10 session and for access-flows within auxiliary A10 connections. The main A10 session accounting does not include octets or other accounting information from the auxiliary flows.)
• none: Separate RADIUS accounting messages are generated for all data path connections (for example, PDSN main or auxiliary A10 connections) but not for individual access-flows. This is essentially A10 connection-based accounting.
normal: If RADIUS accounting is enabled, send this Acct-Status-Type message when required by normal operation.
suppress: If RADIUS accounting is enabled, suppress the sending of this Acct-Status-Type message.
normal: If RADIUS accounting is enabled, send this Acct-Status-Type message when required by normal operation.
suppress: If RADIUS accounting is enabled, suppress the sending of this Acct-Status-Type message.
ip remote-address list-id list_id: Deletes the entry for the specified list_id.
interim [ interval-timeout ]: Disables the interim interval setting.
Set the accounting interim interval to one minute (60 seconds) for all sessions that use the current subscriber configuration:
group_name must be a string of 1 to 63 characters. It must be the same as configured earlier within the same context of the subscriber.
The following command specifies that the RoHC profile named rohc-cfg1 is to be applied to all bearer sessions belonging to this subscriber:
Important: This command is license dependent, requiring the 600-00-7871 NAT Bypass license. Please contact your local sales representative for more information.
pool_name must be an alpha and/or numeric string of 1 through 31 characters in length.
idle_timeout must be a value in the range from 0 through 4294967295.
ldt_timeout must be a value in the range from 0 through 4294967295.
inact_timeout must be a value in the range from 0 through 4294967295.
Refer to the long-duration-action detection and long-duration-action disconnection section for more information.
timeout long-duration 300 inactivity-time 45
For GGSN systems, this command can also be specified in the APN Configuration mode (tunnel address-policy), which would mean the system defers to the old l3-to-l2-tunnel address policy command for calls coming through L2TP tunnels.
peer-address peer_address
peer-address peer_address
local-address 192.168.1.100
tunnel l2tp [ peer-address ip_address [ [ encrypted ] [ secret secret ] ] [ preference number ] [ tunnel-context context ] [ local-address ip_address ] [ crypto-map map_name { [ encrypted ] isakmp-secret secret } ] ]
encrypted: The encrypted shared key between the L2TP Network Server (LNS) associated with this LAC (L2TP Access Concentrator).
secret must be between 1 and 128 alpha and/or numeric characters and is case sensitive.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret. Only the encrypted secret is saved as part of the configuration file.
crypto-map map_name { [encrypted] isakmp-secret secret }
map_name is the name of a crypto map that has been configured in the current context.
map_name must be a string from 1 to 127 alphanumeric characters.
isakmp-secret secret: The pre-shared key for IKE.
secret must be a string from 1 to 127 alphanumeric characters.
encrypted isakmp-secret secret: The pre-shared key for IKE. Encryption must be used when sending the key.
secret must be a string from 1 to 127 alphanumeric characters.
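Because only the encrypted form of a secret is saved by the system, a plain-text secret or isakmp-secret in a configuration script marks a hand-written file that holds the shared key in the clear. The following Python check is an added example, not a vendor tool: it audits tunnel l2tp and radius accounting interim lines against the limits documented above, using constructed sample lines and hypothetical function names.

```python
import ipaddress

# Documented maximum lengths for the plain-text form of each key.
MAX_SECRET_LEN = {"secret": 128, "isakmp-secret": 127}

# Constructed sample lines for illustration; not taken from a real system.
SAMPLE_CONFIG = """\
tunnel l2tp peer-address 198.162.10.100 secret bigco preference 1
tunnel l2tp peer-address 192.168.1.77 encrypted secret 0a1b2c3d preference 2
tunnel l2tp peer-address 192.168.1.300 secret big-co!
radius accounting interim interval-timeout 10
radius accounting interim interval-timeout 60
"""


def audit_line(line):
    """Return the findings for one configuration line (empty list if clean)."""
    findings, words = [], line.split()
    if words[:2] == ["tunnel", "l2tp"]:
        i = 2
        while i < len(words) - 1:
            keyword, value = words[i], words[i + 1]
            if keyword == "encrypted":  # flag only; the key name follows it
                i += 1
                continue
            if keyword in ("peer-address", "local-address"):
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    findings.append(f"{keyword}: not a valid IP address")
            elif keyword in MAX_SECRET_LEN and words[i - 1] != "encrypted":
                findings.append(f"{keyword}: stored in plain text")
                if not (value.isascii() and value.isalnum()
                        and len(value) <= MAX_SECRET_LEN[keyword]):
                    findings.append(f"{keyword}: outside the documented format")
            i += 2  # every other keyword takes exactly one value
    elif words[:4] == ["radius", "accounting", "interim", "interval-timeout"]:
        value = words[4] if len(words) > 4 else ""
        if not (value.isascii() and value.isdigit() and 50 <= int(value) <= 40000000):
            findings.append("interval-timeout: must be an integer from 50 to 40000000")
    return findings


def audit(config_text):
    """Map 1-based line numbers to findings, skipping clean lines."""
    lines = enumerate(config_text.splitlines(), start=1)
    return {n: f for n, f in ((n, audit_line(l)) for n, l in lines) if f}


if __name__ == "__main__":
    for number, findings in audit(SAMPLE_CONFIG).items():
        print(number, findings)
```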
To specify L2TP tunneling to the LNS peer at the IP address 198.162.10.100 with a shared secret of bigco and preference of 1, enter the following command: