administrator: Enables/disables AAA accounting for context-level administrative users.
subscriber: Enables/disables AAA accounting for subscribers.
Important: The accounting parameters in the APN Configuration Mode take precedence over this command for subscriber sessions. Therefore, if accounting is disabled using this command but enabled within the APN configuration, accounting is performed for subscriber sessions.
administrator: Configures default administrator authentication (local+RADIUS).
subscriber: Configures AAA authentication for subscriber(s). This sets the default value, which is RADIUS.
local: Disables local authentication for current context.
radius-diameter: Disables RADIUS or Diameter-based authentication.
administrator: Enables/disables authentication for administrative users.
subscriber: Enables/disables authentication for subscribers.
local: Enables local authentication for current context.
none: Disables authentication for current context.
radius-diameter: Enables RADIUS or Diameter-based authentication.
encrypted: Specifies that the specified password is an encrypted password.
password user_password: Configures an authentication user-password for the NAI-constructed user.
user_password must be an alpha and/or numeric string of 0 through 63 characters in length.
For simple IP sessions facilitated by PDSN services in which the authentication allow-noauth and aaa constructed-nai commands are configured, this command provides a password used for the duration of the session.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
Important: The domain alias can be set with the nai-construction domain command in the PDSN Service Configuration mode, or the aaa default-domain subscriber command in the Global Configuration mode for other core network services.
• If the domain alias is set by nai-construction domain, that value is always used and the aaa default-domain subscriber value is disregarded, if set. The NAI is of the form <msid><symbol><nai-construction domain>.
• If the domain alias is not set by nai-construction domain, and the domain alias is set by aaa default-domain subscriber, the aaa default-domain subscriber value is used. The NAI is of the form <msid><symbol><aaa default-domain subscriber>.
• If the domain alias is not set by nai-construction domain or aaa default-domain subscriber, the domain name alias is the name of the source context for the PDSN service. The NAI is of the form <msid><symbol><source context of PDSN Service>.
Default: Disabled; same as no aaa filter-id rulebase mapping
group_name must be a string of 1 through 63 characters in length.
The following command creates a AAA group named test321, and enters the AAA Group Configuration Mode:
deny-all: Specifies all packets will be dropped.
permit-all: Specifies all packets will be forwarded.
administrator user_name [ encrypted ] password password | [ ecs ] [ expiry-date date_time ] [ ftp ] [ li-administration ] [ nocli ] [ noecs ] [ timeout-absolute timeout_absolute ] [ timeout-min-absolute timeout_min_absolute ] [ timeout-idle timeout_idle ] [ timeout-min-idle timeout_min_idle ]
Specifies the password for the user name. Optionally, the encrypted keyword can be used to specify that the password is encrypted.
Without encryption, password must be an alpha and/or numeric string of 1 through 63 characters in length. With encryption, password can be an alpha and/or numeric string of 1 through 127 characters in length.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
Important: Users who have Lawful Intercept privileges are only given those privileges when connected to the system through a Secure Shell (SSH). If this user connects through a Telnet session or through the console port, Lawful Intercept privileges are not enabled.
timeout-absolute timeout_absolute
timeout-min-absolute timeout_min_absolute
timeout-idle timeout_idle
timeout-min-idle timeout_min_idle
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
apn_name can be from 1 to 62 alpha and/or numeric characters and is not case sensitive. It may also contain dots (.) and/or dashes (-).
Warning: If this keyword option is used with the no apn apn_name command, the APN named apn_name will be deleted with all active/inactive subscribers without prompting any warning or confirmation.
asn-qos-descriptor id qos_table_id [ default ] dscp [ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef ] [ -noconfirm ]
no asn-qos-descriptor id qos_table_id [ default ] dscp [ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef ] [ -noconfirm ]
qos_table_id must be an integer from 1 through 65535.
Warning: If this keyword option is used with the no asn-qos-descriptor id qos_table_id command, the ASN QoS descriptor table with identifier qos_table_id will be deleted with all active/inactive configurations without prompting any warning or confirmation.
qos_table_id must be an integer from 1 through 65535.
bi-directional: This keyword enables this service profile in both the uplink and downlink directions.
downlink: This keyword enables this service profile in the downlink direction, towards the subscriber.
uplink: This keyword enables this service profile in the uplink direction, towards the system.
Warning: If this keyword option is used with the no asn-service-profile id asn_profile_id command, the ASN service profile with identifier asn_profile_id will be deleted with all active/inactive configurations without prompting any warning or confirmation.
asngw_name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
Warning: If this keyword option is used with the no asn-service asngw_name command, the ASN-GW service named asngw_name will be deleted with all active/inactive subscribers without prompting any warning or confirmation.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
asn_pc_svc_name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
Warning: If this keyword option is used with the no asnpc-service asn_pc_svc_name command, the ASN Paging Controller service named asn_pc_svc_name will be deleted and disabled with all active/inactive paging groups and paging agents configured in a context for ASN paging controller service without prompting any warning or confirmation.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
bmsc_profile_name can be from 1 to 62 alpha and/or numeric characters and is not case sensitive. It may also contain dots (.) and/or dashes (-).
Warning: If this keyword option is used with the no bmsc-profile name bmsc_profile_name command, the BM-SC profile named bmsc_profile_name will be deleted with all active/inactive subscribers without prompting any warning or confirmation.
address-range start_address end_address
Busyout all addresses from start_address through end_address.
start_address: The beginning IP address of the range of addresses to busyout. This IP address must exist in the pool specified and must be entered in IPv4 dotted decimal notation.
end_address: The ending IP address of the range of addresses to busyout. This IP address must exist in the pool specified and must be entered in IPv4 dotted decimal notation.
Important: In this mode, classification rules are added sequentially with the match command to form a Class-Map. To change, delete, or re-add a particular rule, the entire Class-Map must be deleted.
Important: Users who have Lawful Intercept privileges are only given those privileges when connected to the system through a Secure Shell (SSH). If this user connects through a Telnet session or through the console port, Lawful Intercept privileges are not enabled.
timeout-idle idle_seconds
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
cf_server_group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
service_name must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command creates a credit-control service named test159, and enters the Credit control Service Configuration mode:
Important: A maximum of 32 crypto groups per context can be configured.
crypto ipsec transform-set transform_name [ ah { hmac { md5-96 | none | sha1-96 } { esp { hmac { { md5-96 | sha1-96 } { cipher { des-cbc | 3des-cbc | aes-cbc } } | none } } } } ]
• md5-96: Message Digest 5 truncated to 96 bits
• none: Disables the use of the AH protocol for the transform set.
• sha1-96: Secure Hash Algorithm-1 truncated to 96 bits
• md5-96: Message Digest 5 truncated to 96 bits
• none: Disables the use of the AH protocol for the transform set.
• sha1-96: Secure Hash Algorithm-1 truncated to 96 bits
• 3des-cbc: Triple Data Encryption Standard (3DES) in cipher block chaining (CBC) mode
• aes-cbc: Advanced Encryption Standard (AES) in CBC mode
Important: The ah and subsequent keywords are required when the transform set is initially configured.
crypto map name [ ikev2-ipv6 | ipsec-dynamic | ipsec-ikev1 | ipsec-manual ]
no crypto map name
The name by which the crypto map will be recognized by the system. name must be a string of 1 through 127 alpha and/or numeric characters and is case sensitive.
• Manual crypto maps: These are static tunnels that use pre-configured information (including security keys) for establishment. Because they rely on statically configured information, once created, the tunnels never expire; they exist until their configuration is deleted.
Important: Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only be configured and used for testing purposes.
• IKEv1 crypto maps: These tunnels are similar to manual crypto maps in that they require some statically configured information such as the IP address of a peer security gateway and that they are applied to specific system interfaces. However, IKEv1 crypto maps offer greater security because they rely on dynamically generated security associations through the use of the Internet Key Exchange (IKE) protocol.
• Dynamic crypto maps: These tunnels are used for protecting L2TP-encapsulated data between the system and an LNS/security gateway or Mobile IP data between an FA service configured on one system and an HA service configured on another.
Important: The crypto map type (dynamic, IKEv1, IKEv2-IPv6, or manual) is specified when the map is first created using this command.
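As an added example (not part of the original reference and not vendor code), the following Python script audits a saved configuration for the points made above: manual crypto maps, which the text recommends only for testing, and transform sets that use md5-96, des-cbc or 3des-cbc or that disable both AH and ESP. The sample configuration lines are constructed from the syntax shown on this page; the issue labels and the choice of which algorithms count as weak are assumptions of the example.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line: int   # 1-based line number in the configuration text
    name: str   # crypto map or transform-set name
    issue: str  # label chosen for this example (hypothetical, not a vendor code)


# Assumption of this example: MD5-based HMAC, single DES and 3DES count as weak.
WEAK_HMAC = {"md5-96"}
WEAK_CIPHER = {"des-cbc", "3des-cbc"}

# Matches map creation only; "no crypto map name" (removal) does not match.
MAP_RE = re.compile(
    r"^\s*crypto\s+map\s+(\S+)\s+"
    r"(ikev2-ipv6|ipsec-dynamic|ipsec-ikev1|ipsec-manual)\s*$"
)
TSET_RE = re.compile(r"^\s*crypto\s+ipsec\s+transform-set\s+(\S+)\s*(.*)$")


def _value_after(tokens, keyword):
    """Return the token following keyword, or None if absent."""
    if keyword in tokens:
        i = tokens.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def parse_transform_set(tail):
    """Split 'ah hmac X esp hmac Y [cipher Z]' into its three settings."""
    tokens = tail.split()
    esp_at = tokens.index("esp") if "esp" in tokens else len(tokens)
    ah_at = tokens.index("ah") if "ah" in tokens else esp_at
    ah_part, esp_part = tokens[ah_at:esp_at], tokens[esp_at:]
    return {
        "ah_hmac": _value_after(ah_part, "hmac"),
        "esp_hmac": _value_after(esp_part, "hmac"),
        "cipher": _value_after(esp_part, "cipher"),
    }


def audit(config_text):
    """Return a list of Finding tuples for the crypto lines in config_text."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = MAP_RE.match(line)
        if m:
            if m.group(2) == "ipsec-manual":
                # Static keys, tunnel never expires: testing only per the text.
                findings.append(Finding(lineno, m.group(1), "manual-crypto-map"))
            continue
        m = TSET_RE.match(line)
        if not m or not m.group(2).strip():
            # Not a transform set, or a re-entry of an existing set without
            # the ah/esp keywords (they are only required at creation).
            continue
        name, ts = m.group(1), parse_transform_set(m.group(2))
        for field in ("ah_hmac", "esp_hmac"):
            if ts[field] in WEAK_HMAC:
                label = field.replace("_", "-")
                findings.append(Finding(lineno, name, f"weak-{label}:{ts[field]}"))
        if ts["cipher"] in WEAK_CIPHER:
            findings.append(Finding(lineno, name, f"weak-cipher:{ts['cipher']}"))
        if ts["ah_hmac"] in (None, "none") and ts["esp_hmac"] in (None, "none"):
            # Both AH and ESP disabled: the set protects nothing.
            findings.append(Finding(lineno, name, "no-protection"))
    return findings


# Constructed sample configuration (not taken from a real system).
SAMPLE_CONFIG = """\
context example-ctx
  crypto ipsec transform-set tset-legacy ah hmac md5-96 esp hmac md5-96 cipher des-cbc
  crypto ipsec transform-set tset-ok ah hmac none esp hmac sha1-96 cipher aes-cbc
  crypto ipsec transform-set tset-open ah hmac none esp hmac none
  crypto ipsec transform-set tset-ok
  crypto map lab-tunnel ipsec-manual
  crypto map peer-gw ipsec-ikev1
  no crypto map old-tunnel
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line}: {f.name}: {f.issue}")
```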
Assigns a previously configured crypto map policy to this crypto node. name must be a string of 1 through 127 alpha and/or numeric characters and is case sensitive.
name { ikev2-pdif | ipsec-3gpp-cscf }
Specifies the name of a new or existing crypto template. name must be from 1 to 127 alpha and/or numeric characters.
ikev2-pdif: Configure the Crypto Template to be used for configuring PDIF functionality.
Important: This keyword cannot be used with IPSec for the SCM.
ipsec-3gpp-cscf: Configure the Crypto Template to be used for configuring P-CSCF IPSec functionality.
Important: This keyword can only be used with IPSec for the SCM.
Important: The CSCF crypto template should be configured in the same context in which the P-CSCF is configured.
[context_name]hostname(cfg-crypto-tmpl-ikev2-tunnel)#
[context_name]hostname(cfg-crypto-tmpl-ims-cscf-tunnel)#
Crypto Template Configuration Mode commands are defined in the Crypto Template Configuration Mode Commands and CSCF Crypto Template Configuration Mode Commands chapters.
The following command configures a P-CSCF crypto template called crypto2 and enters the CSCF Crypto Template Configuration Mode:
profile_name must be from 1 to 79 alpha and/or numeric characters.
[context_name]hostname(config-cscf-access-profile)#
The following command creates a CSCF Access Profile named profile2 and enters the Access Profile Configuration Mode:
list_name must be from 1 to 47 alpha and/or numeric characters in length.
[context_name]hostname(config-cscf-acl)#
cscf ifc-filter-criteria name fc_name priority pri profile-part-indicator { registered | unregistered } app-server uri scheme { sip | sips } as as-default-handling { session-continue | session-terminate } [ -noconfirm ] | [ service-info info ][ trigger-point tp_name ] [ -noconfirm ] | [ trigger-point tp_name ] [ -noconfirm ]
fc_name must be from 1 to 39 alpha and/or numeric characters in length.
pri must be an integer from 0 through 1024.
Indicates whether the iFC is a part of the registered (registered) or unregistered (unregistered) user profile.
as must be from 1 to 127 alpha and/or numeric characters in length.
Determines whether the dialog should be released (session-terminate) or not (session-continue) if the application server could not be reached or on application server error return.
info must be from 1 to 63 alpha and/or numeric characters in length.
tp_name must be from 1 to 39 alpha and/or numeric characters in length.
Important: Filter criteria is associated with an ISC template in the ISC Template Configuration Mode.
Important: Filter criteria can be assigned to more than one ISC template.
The following command creates an iFC filter criteria named ifcfc1, which has a priority of 2 and is part of the registered user profile. ifcfc1 is assigned to a sip application server named appserver. The dialog will not be released if the application server cannot be reached. ifcfc1 is also assigned a trigger point named tp2:
cscf ifc-filter-criteria name ifcfc1 priority 2 profile-part-indicator registered app-server uri scheme sip appserver as-default-handling session-continue trigger-point tp2
cscf ifc-spt-condition name cond_name { request-uri content uri_content | session-case { originating-registered | originating-unregistered | terminating-registered | terminating-unregistered } | session-description sdp [ content sdp_data ] | sip-header hdr [ content hdr_data ] | sip-method method } [ -noconfirm ] [ condition-negated ]
cond_name must be from 1 to 39 alpha and/or numeric characters in length.
uri_content must be from 1 to 127 alpha and/or numeric characters in length.
Important: Wildcard Extended Regular Expressions (ERE) are supported for this value. For example, "sip.user[0-9]@192\\.168\\.176\\.150"
session-description sdp [ content sdp_data ]
sdp must be from 1 to 15 alpha and/or numeric characters in length.
content specifies content on the SDP line.
sdp_data must be from 1 to 127 alpha and/or numeric characters in length.
sip-header hdr [ content hdr_data ]
hdr must be from 1 to 127 alpha and/or numeric characters in length.
content specifies content on the header.
hdr_data must be from 1 to 127 alpha and/or numeric characters in length.
method must be from 1 to 127 alpha and/or numeric characters in length.
Important: An iFC SPT group may be associated with multiple SPT conditions.
cscf ifc-spt-group name group_name [ [-noconfirm] | reg-type { de-registration | initial-registration | re-registration } [-noconfirm] ]
group_name must be from 1 to 39 alpha and/or numeric characters in length.
Important: An iFC SPT group may be associated with multiple SPT conditions.
[context_name]hostname(config-cscf-ifc-spt-group)#
tp_name must be from 1 to 39 alpha and/or numeric characters in length.
cnf: conjunctive normal form
dnf: disjunctive normal form
Important: An iFC SPT group can be assigned to more than one iFC trigger point.
[context_name]hostname(config-cscf-ifc-trigger-point)#
template_name must be from 1 to 39 alpha and/or numeric characters in length.
[context_name]hostname(config-cscf-isc-tmpl)#
The following command creates an ISC template named template1 and enters the ISC Template Configuration Mode:
profile_name must be from 1 to 79 alpha and/or numeric characters in length.
county-name: Profile specific to the county-name criteria.
[context_name]hostname(config-county-name-lro-profile)#
round-robin: Profile specific to the round-robin criteria.
[context_name]hostname(config-round-robin-lro-profile)#
Important: Last route profiles are associated with peer servers in the CSCF Peer Server Monitoring Configuration Mode.
The following command creates a last route profile named lro1 and enters the CSCF Last Route Profile Criteria Configuration Mode to specify county name criteria:
The following command creates a last route profile named lro2 and enters the CSCF Last Route Profile Criteria Configuration Mode to specify round robin criteria:
cscf peer-servers server_name type { bgcf | ibcf | icscf | mgcf | mrfc | pcscf | scscf | sip-as } [ -noconfirm ]
server_name must be from 1 to 79 alpha and/or numeric characters in length.
• ibcf: Interconnect Border Control Function
[context_name]hostname(config-cscf-peer-servers)#
[context_name]hostname(config-aor-policy)#
policy_name must be from 1 to 79 alpha and/or numeric characters in length.
[context_name]hostname(config-cscf-policy)#
The following command creates a policy group named group2 and enters the CSCF Policy Configuration Mode:
route_name must be from 1 to 79 alpha and/or numeric characters in length.
[context_name]hostname(config-cscf-route)#
The following command creates a route group named route_group5 and enters the Route Group Configuration Mode:
Specifies the name of the CSCF service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]hostname(config-cscf-service)#
template_name must be from 1 to 79 alpha and/or numeric characters in length.
[context_name]hostname(config-cscf-session-template)#
list_name must be from 1 to 79 alpha and/or numeric characters in length.
[context_name]hostname(config-cscf-translation)#
list_name must be from 1 to 79 alpha and/or numeric characters.
[context_name]hostname(config-cscf-service-urn)#
administrator: Restores the system default setting for RADIUS accounting for administrative user sessions.
subscriber: Restores the system default setting for RADIUS accounting for subscriber sessions.
subscriber: Restores the system default setting for RADIUS authentication for subscribers.
administrator: Restores the system default setting for RADIUS authentication for administrative users.
receive: Set the ACFC receive setting to the default, allow. The local PPP side indicates that it can process ACFC compressed PPP packets and compressed packets are allowed.
transmit: Set the ACFC transmit setting to the default, ignore. If the peer requests ACFC, the request is accepted, but ACFC is not applied for transmitted PPP packets.
Important: This option is not supported in conjunction with the GGSN product.
receive: Sets the Protocol Field Compression (PFC) receive setting to the default, allow. The peer is allowed to request PFC during LCP negotiation.
transmit: Sets the PFC transmit setting to the default, ignore. If the peer requests PFC, it is accepted but PFC is not applied for transmitted packets.
algorithm: restores the accounting server selection algorithm to the system default.
apn-to-be-included: configures the APN name to be included for radius accounting.
archive: enables archiving of RADIUS accounting messages.
deadtime: restores the default number of seconds before attempting to communicate with an accounting server marked as unreachable.
detect-dead-server consecutive-failures: restores the default value for the number of consecutive failed attempts to reach an accounting server before it is marked as unreachable.
radius accounting ha policy: resets the HA accounting policy to the system default: session-start-stop. Send Accounting Start when the Session is connected, Send Accounting Stop when the session is disconnected.
keepalive: restores the default keepalive accounting related parameters values.
max-outstanding: restores the system default for the maximum number of outstanding messages to queue for a given accounting server.
max-pdu-size: restores the maximum size a packet data unit can be.
max-retries: restores the maximum number of times a packet will be retransmitted to the system default.
max-transmissions: disables the maximum transmissions limit.
rp trigger-policy: restores the RADIUS accounting R-P policy to the default of Airlink Usage.
timeout: restores the number of seconds to wait before retransmitting a PDU to the system default.
nas-identifier: restores the network access server Id to the system default.
keepalive [ calling-station-id id | consecutive-response number | encrypted | interval seconds | password | retries number | timeout seconds | username name | valid-response access-accept [ access-reject ] ]
calling-station-id id: restores the default calling-station-id to be used for the keepalive authentication.
consecutive-response number: restores the default number of consecutive authentication responses after which the server is marked as reachable.
interval seconds: restores the default time interval between the keepalive access requests.
password: restores the default password to be used for the authentication.
retries number: restores the default number of times the keepalive access request is sent before marking the server as unreachable.
timeout seconds: restores the default time interval between each keepalive access request retries.
username name: restores the default username to be used for the authentication.
valid-response access-accept [ access-reject ]: restores the default valid response for the authentication request.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
endpoint: Removes the currently configured accounting endpoint. The default accounting server configured in the default AAA group will be used.
hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies records to the local HDD and periodically retries the Diameter server.
hd-storage-policy: Disables use of the specified HD storage policy.
max-retries: Disables the retry attempts for Diameter accounting in this AAA group.
max-transmissions: Disables the maximum number of transmission attempts for Diameter accounting in this AAA group.
server host_name: Removes the Diameter host host_name from this AAA server group for Diameter accounting.
dictionary: Sets the context’s dictionary as the system default.
hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies records to the local HDD and periodically retries the Diameter server.
max-retries: Sets the retry attempts for Diameter accounting in this AAA group to default 0 (disable).
max-transmissions: Sets the maximum transmission attempts for Diameter accounting in this AAA group to default 0 (disable).
request-timeout: Sets the timeout duration, in seconds, for Diameter accounting requests in this AAA group to default (20).
aaa-custom1 ... aaa-custom10: The custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.
nasreq: nasreq dictionary—the dictionary defined by RFC 4005.
rf-plus: RF Plus dictionary.
endpoint_name must be a string of 1 through 63 characters in length.
hd_policy must be the name of a configured HD Storage policy, and must be a string of 1 through 63 alpha and/or numeric characters in length.
This and the hd-mode command are used to enable the storage of Rf Diameter Messages to HDD in case all Diameter Servers are down or unreachable.
tries specifies the maximum number of retry attempts. The value must be an integer from 1 through 1000.
transmissions specifies the maximum number of transmission attempts for a Diameter request. The value must be an integer from 1 through 1000.
duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request. The value must be an integer from 1 to 3600.
server host_name priority priority
host_name specifies the Diameter host name, and must be a string of 1 through 63 characters in length.
priority specifies the relative priority of this Diameter host. The priority is used in server selection. The priority must be an integer from 1 through 1000.
endpoint: Removes the authentication endpoint. The default server configured in default AAA group will be used.
max-retries: Disables the retry attempts for Diameter authentication in this AAA group.
max-transmissions: Disables the maximum transmission attempts for Diameter authentication in this AAA group.
server host_name: Removes the Diameter host host_name from this AAA server group for Diameter authentication.
dictionary: Sets the context’s dictionary as the system default.
max-retries: Sets the retry attempts for Diameter authentication requests in this AAA group to default 0 (disable).
max-transmissions: Sets the configured maximum transmission attempts for Diameter authentication in this AAA group to default 0 (disable).
redirect-host-avp: Sets the redirect choice to default (just-primary).
request-timeout: Sets the timeout duration, in seconds, for Diameter authentication requests in this AAA group to default (20).
aaa-custom1 ... aaa-custom20: The custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.
Important: aaa-custom11 dictionary is only available in Release 8.1 and later. aaa-custom12 to aaa-custom20 dictionaries are only available in Release 9.0 and later releases.
nasreq: nasreq dictionary—the dictionary defined by RFC 4005.
endpoint_name must be a string of 1 through 63 characters in length.
tries specifies the maximum number of retry attempts, and must be an integer from 1 through 1000.
transmissions specifies the maximum number of transmission attempts, and must be an integer from 1 through 1000.
just-primary: Redirect only to primary host.
primary-then-secondary: Redirect to the primary host; if that fails, redirect to the secondary host.
duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request, and must be an integer from 1 through 3600.
server host_name priority priority
host_name specifies the Diameter host name, and must be a string of 1 through 63 characters in length.
priority specifies the relative priority of this Diameter host, and must be an integer from 1 through 1000. The priority is used in server selection.
result-code result_code { [ to result_code ] action { continue | retry-and-terminate | terminate } }
result_code: Specifies the result code number, must be an integer from 1 through 65535.
to result_code: Specifies the upper limit of a range of result codes. to result_code must be greater than result_code.
This command is deprecated and is replaced by the diameter accounting dictionary and diameter authentication dictionary commands. See diameter accounting and diameter authentication commands respectively.
endpoint_name must be an alpha and/or numeric string of 1 through 63 characters in length.
heartbeat-interval: Sets the heartbeat interval to the default value.
path max-retransmissions: Sets the SCTP path maximum retransmissions to the default value.
interval must be an integer from 1 through 255.
retransmissions must be an integer from 1 through 10.
Specifies a name for the DNS client. name must be from 1 to 63 alpha and/or numeric characters in length.
[context_name]hostname(config-dns-client)#
domain [ * ] domain_name [ default subscriber subs_temp_name ]
domain_name specifies the domain alias to create/remove from the current context. If the domain portion of a subscriber's user name matches this value, the current context is used for that subscriber.
domain_name must be an alpha and/or numeric string of 1 through 79 characters in length. The domain name can contain all special characters, however note that the character * (wildcard character) is only allowed at the beginning of the domain name.
Important: The domain alias specified must not conflict with the name of any existing context or domain names.
Specifies the name of the subscriber template to apply to subscribers using this domain alias. subs_temp_name must be an alpha and/or numeric string of 1 through 127 characters in length. If this keyword is not specified the default subscriber configuration in the current context is used.
Specifies the name of a new or existing EAP profile. name must be from 1 to 256 alpha and/or numeric characters.
[context_name]hostname(config-ctx-eap-profile)#
Specifies the name of the eGTP service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]hostname(config-egtp-service)#
Specifies the name of the FA service to configure. If name does not refer to an existing service, the new service is created if resources allow.
name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
The following command will remove sampleService as being a defined FA service.
name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Important: For details about the commands and parameters for this mode, check the GPRS Service Configuration Mode chapter.
[context_name]hostname(config-gprs-service)#
Important: For details about the commands and parameters for this mode, refer to the Gs Service Configuration Mode chapter.
Specifies that the AGW must send accounting data to n (more than one) CGFs based on their priority. Response from any one of the n CGFs would suffice to proceed with the call. The full set of accounting data is sent to each of the n CGFs.
n is the number of CGFs to which accounting data will be sent, and must be an integer from 2 through 65535.
• 36 - if the SGSN sends us "delete PDP context request".
• 38 - if the GGSN sends "delete PDP context request" due to GTP-C/GTP-U echo timeout with SGSN.
• 40 - if the GGSN sends "delete PDP context request" due to receiving a RADIUS Disconnect-Request message.
• 26 - if the GGSN sends "delete PDP context request" for any other reason (e.g., the operator types "clear subscribers" on the GGSN).
string: This is the configured Node-ID-Suffix having any string between 1 to 16 characters.
Important: The NodeID field is a printable string of the ndddstring format:
n: The first digit is the SessMgr restart counter having a value between 0 and 7.
ddd: The number of SessMgr instances. Uses the specified NodeID-suffix in all CDRs. The “Node-ID” field consists of SessMgr Recovery counter (1 digit) n + AAA Manager identifier (3 digits) ddd + the configured Node-Id-suffix (1 to 16 characters) string.
Important: If the centralized LRSN feature is enabled, the “Node-ID” field consists of only the specified NodeID-suffix. Otherwise GTPP group name is used. For default GTPP groups, GTPP context-name (truncated to 16 characters) is used.
Important: The SessMgr recovery counter is updated when session recovery is not enabled. If session recovery is enabled, the counter never updates. The node-id is displayed in the G-CDR irrespective of the gtpp dictionary. The G-CDR is not decoded in monitor protocol for custom1 / custom3 dictionaries.
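Splitting the Node-ID back into its parts is useful when correlating CDRs during an investigation. The following Python sketch is an added example, not product code: it parses the ndddstring layout described above, handles the centralized LRSN case where only the suffix is present, and reports restart-counter changes per AAA Manager identifier. The function names, the sample Node-ID values and the reading of "printable" as ASCII 0x20 to 0x7E are assumptions.

```python
import re
from collections import namedtuple

NodeId = namedtuple("NodeId", "restart_counter aaamgr_id suffix")

# Assumption: "printable string" means ASCII 0x20-0x7E.
# n (one digit, 0-7) + ddd (three digits) + suffix (1 to 16 characters)
NODE_ID_RE = re.compile(r"([0-7])(\d{3})([\x20-\x7e]{1,16})")
SUFFIX_RE = re.compile(r"[\x20-\x7e]{1,16}")


def parse_node_id(value, centralized_lrsn=False):
    """Split a Node-ID into (restart counter, AAA Manager id, suffix).

    With centralized LRSN the field carries only the suffix, so the two
    numeric parts are returned as None instead of being guessed from digits
    that may simply be part of the suffix.
    """
    if centralized_lrsn:
        if SUFFIX_RE.fullmatch(value) is None:
            raise ValueError("suffix must be 1 to 16 printable characters: %r" % value)
        return NodeId(None, None, value)
    match = NODE_ID_RE.fullmatch(value)
    if match is None:
        raise ValueError("not in ndddstring format: %r" % value)
    return NodeId(int(match.group(1)), int(match.group(2)), match.group(3))


def restart_counter_changes(node_ids):
    """Walk Node-IDs in CDR order and report restart-counter changes.

    Returns (changes, rejected): changes holds
    (index, aaamgr_id, old_counter, new_counter); rejected holds
    (index, raw_value) for fields that do not fit the format.
    """
    last_seen = {}
    changes, rejected = [], []
    for index, raw in enumerate(node_ids):
        try:
            node = parse_node_id(raw)
        except ValueError:
            rejected.append((index, raw))
            continue
        key = (node.aaamgr_id, node.suffix)
        previous = last_seen.get(key)
        if previous is not None and previous != node.restart_counter:
            changes.append((index, node.aaamgr_id, previous, node.restart_counter))
        last_seen[key] = node.restart_counter
    return changes, rejected


# Constructed sample values, in the order the CDRs were written.
SAMPLE_NODE_IDS = [
    "0012ggsn1",   # counter 0, AAA Manager 012
    "0013ggsn1",   # counter 0, AAA Manager 013
    "1012ggsn1",   # counter moved 0 -> 1 for AAA Manager 012
    "0013ggsn1",   # unchanged
    "8012ggsn1",   # rejected: first digit must be 0-7
    "0012",        # rejected: suffix missing
]

if __name__ == "__main__":
    found, bad = restart_counter_changes(SAMPLE_NODE_IDS)
    for index, mgr, old, new in found:
        print("record %d: AAA Manager %03d counter %d -> %d" % (index, mgr, old, new))
    for index, raw in bad:
        print("record %d: malformed Node-ID %r" % (index, raw))
```
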
Important: For the GGSN it provides radio access identifier as the SGSN PLMN Id and for SGSN it includes the PLMN-id of RNC.
unknown-use uncode_value encodes the specified value for "SGSN PLMN Identifier" in the CDR if SGSN PLMN-ID information is unavailable.
Must be followed by the uncode_value value to be encoded.
uncode_value must be a hexadecimal value between 0x0 and 0xFFFFFF.
Important: This command can be repeated multiple times with different keywords to configure multiple GTPP attributes.
ip_address must be configured using dotted decimal notation.
If port is not defined, the default port number 49999 is used.
port is a port number. Must be followed by an integer, ranging from 1 to 65535.
Important: Configuring gtpp charging-agent on port 3386 may interfere with ggsn-service configured with the same ip address.
Important: This command is customer specific. For more information please contact your local service representative.
time is measured in seconds and can be configured to any integer value from 1 to 65535.
Refer to the gtpp detect-dead-server and gtpp max-retries commands for additional information on the process the system uses to mark a CGF as down.
max_number could be configured to any integer value from 0 to 1000.
This command works in conjunction with the gtpp max-retries parameter to set a limit to the number of communication failures that can occur with a configured CGF.
Refer to the gtpp max-retries command for additional information.
gtpp duplicate-hold-time minutes
minutes must be an integer from 1 to 10080.
time is measured in seconds and can be configured to any integer value from 60 to 2147483647.
• same-in-all-partials - Specifies that the same closing cause is to be included for multiple final eG-CDRs
• unique - Specifies that the closing cause for final eG-CDRs is to be unique.
• all - Specifies that all content-ids be included in the final eG-CDR.
• only-with-traffic - Specifies that only content-ids with traffic be included in the final eG-CDRs.
service-data-flow threshold [ interval seconds | volume { downlink | total | uplink } bytes ]
seconds can be configured to any integer value from 10 to 86,400.
group_name must be a string of 1 to 63 characters.
The following command configures a GTPP server group named star1 for charging gateway function accounting. This server group is available to all subscribers within that context.
number_cdrs: any integer value from 1 to 255.
time: any integer from 1 to 300.
Important: If the wait-time expires, the packet is sent, as this keyword overrides number_cdrs.
pdu_size is measured in octets and can be configured to any integer value from 1024 to 65400.
Important: The maximum size of an IPv4 PDU (including the IPv4 and subsequent headers) is 65,535. However, a slightly smaller limit is imposed by this command because the system’s max-pdu-size doesn't include the IPv4 and UDP headers, and because the system may need to encapsulate GTPP packets in a different/larger IP packet (for sending to a backup device).
max_attempts can be configured to any integer value from 1 to 15.
This command works in conjunction with the gtpp detect-dead-server and gtpp timeout parameters to set a limit to the number of communication failures that can occur with a configured CGF.
Refer to the gtpp detect-dead-server and gtpp timeout commands for additional information.
node_id must be a string of 1 through 16 characters in length.
gtpp server ip_address [ max msgs ] [ priority priority ] [ udp-port port ] [ node-alive { enable | disable } ] [ -noconfirm ]
msgs can be configured to any integer value from 1 to 256.
priority can be configured to any integer value from 1 to 1000. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
Important: The configuration of multiple CGFs with the same IP address but different port numbers is not supported.
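The constraints above can be checked before a configuration is loaded. The following Python sketch is an added example, not vendor code: it parses constructed gtpp server lines in the syntax shown above and flags out-of-range values, priorities shared by several CGFs (which -noconfirm accepts without a prompt), and one IP address configured with different ports (unsupported). The function names and sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ranges taken from the parameter descriptions on this page.
RANGES = {"max": (1, 256), "priority": (1, 1000)}
NUMERIC_KEYWORDS = {"max", "priority", "udp-port"}


def parse_gtpp_server(line):
    """Parse one 'gtpp server' line; return None for any other command."""
    tokens = line.split()
    if tokens[:2] != ["gtpp", "server"] or len(tokens) < 3:
        return None
    entry = {"ip": tokens[2], "max": None, "priority": None, "udp-port": None,
             "node-alive": None, "noconfirm": False, "errors": []}
    try:
        ipaddress.ip_address(entry["ip"])
    except ValueError:
        entry["errors"].append("invalid IP address %r" % entry["ip"])
    i = 3
    while i < len(tokens):
        tok = tokens[i]
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-noconfirm":
            entry["noconfirm"] = True
            i += 1
        elif tok in NUMERIC_KEYWORDS and value is not None:
            if value.isdigit():
                entry[tok] = int(value)
            else:
                entry["errors"].append("%s expects an integer, got %r" % (tok, value))
            i += 2
        elif tok == "node-alive" and value in ("enable", "disable"):
            entry[tok] = value
            i += 2
        else:
            entry["errors"].append("unexpected or incomplete token %r" % tok)
            i += 1
    return entry


def audit_gtpp_servers(config_text):
    """Return a list of (line_number, kind, message) findings."""
    findings, servers = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        entry = parse_gtpp_server(raw.strip())
        if entry is None:
            continue
        entry["line"] = lineno
        servers.append(entry)
        for err in entry["errors"]:
            findings.append((lineno, "syntax", err))
        for key, (low, high) in RANGES.items():
            value = entry[key]
            if value is not None and not low <= value <= high:
                findings.append((lineno, "range",
                                 "%s %d outside %d-%d" % (key, value, low, high)))

    by_priority = defaultdict(list)
    by_ip = defaultdict(dict)          # ip -> {port: line where first seen}
    for server in servers:
        if server["priority"] is not None:
            by_priority[server["priority"]].append(server)
        by_ip[server["ip"]].setdefault(server["udp-port"], server["line"])

    # Same priority on several CGFs: allowed, but silent when -noconfirm is used.
    for priority, group in sorted(by_priority.items()):
        if len(group) > 1:
            findings.append((group[-1]["line"], "duplicate-priority",
                             "priority %d shared by %s"
                             % (priority, ", ".join(s["ip"] for s in group))))
    # Same IP address with different ports: not supported.
    for ip, ports in sorted(by_ip.items()):
        if len(ports) > 1:
            listed = ", ".join("default" if p is None else str(p) for p in ports)
            findings.append((max(ports.values()), "same-ip-multi-port",
                             "%s configured with ports %s" % (ip, listed)))
    return findings


# Constructed sample configuration (documentation-range addresses).
SAMPLE_CONFIG = """\
gtpp server 192.0.2.10 max 100 priority 1 udp-port 3386
gtpp server 192.0.2.11 priority 1 -noconfirm
gtpp server 192.0.2.12 max 300 priority 2
gtpp server 192.0.2.10 priority 3 udp-port 3387
gtpp max-retries 4
"""

if __name__ == "__main__":
    for lineno, kind, message in audit_gtpp_servers(SAMPLE_CONFIG):
        print("line %d [%s] %s" % (lineno, kind, message))
```
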
Important: This command only takes effect if gtpp single-source in the Global Configuration Mode is also configured. Additionally, this command is customer specific. Please contact your local sales representative for additional information.
gzip — Enables Gzip file compression.
none — Disables Gzip file compression. This is the default value.
custom1 — File format custom1 - this is the default value.
custom2 — File format custom2.
custom3 — File format custom3.
custom4 — File format custom4.
custom5 — File format custom5.
custom6 — File format custom6 with a block size of 8K for CDR files.
prefix — Enter a string of 1 to 64 alphanumeric characters.
Important: This option is available only when GTPP server storage mode is configured for local storage of CDRs with the gtpp storage-server mode local command.
The optional keyword purge-interval purge_dur lets the user control the purge interval duration, in minutes, by setting purge_dur.
purge_dur must be an integer from 1 through 259200. The default value is 60 minutes.
rotation { cdr-count count | time-interval time | volume mb size }
cdr-count count — Configure the CDR count for the file rotation. Enter a value from 1000 to 65000. Default value 10000.
time-interval time — Configure the time interval for file rotation. Enter a value in seconds ranging from 30 to 86400. Default value is 3600 seconds (1 hour).
volume mb size — Configure the file volume, in MB, for file rotation. Enter a value ranging from 2 to 40. This trigger can not be disabled. Default value is 10MB.
max_attempts can be configured to any integer value from 1 to 15.
This command works in conjunction with the gtpp storage-server timeout parameters to set a limit to the number of communication failures that can occur with a configured GTPP back-up storage server.
duration is measured in seconds and can be configured to any integer value from 30 to 120.
This command works in conjunction with the gtpp storage-server max-retries command to establish a limit on the number of times that communication with a GTPP back-up storage server is attempted before a failure is logged.
time is measured in seconds and can be configured to any integer value from 1 to 60.
This command works in conjunction with the gtpp max-retries command to establish a limit on the number of times that communication with a CGF is attempted before a failure is logged.
Specifies the name of the GTP-U service. If service_name does not refer to an existing service, a new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]hostname(config-gtpu-service)#
Specifies the name of the HA service to configure. If name does not refer to an existing service, the new service is created if resources allow.
name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
The following command will remove sampleService as being a defined HA service.
Specifies the name of the HNB-GW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]hostname(config-hnbgw-service)#
The commands configured in this mode are defined in the HNB-GW Service Configuration Mode Commands chapter of Command Line Interface Reference.
Caution: This is a critical configuration. The HNB-GW service can not be configured without this configuration. Any change to this configuration would lead to restarting the HNB-GW service and removing or disabling this configuration will stop the HNB-GW service.
Specifies the name of the HSGW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]hostname(config-hsgw-service)#
interval is measured in seconds and can be configured to any integer value between 10 and 3600.
time is measured in seconds and can be configured to any integer value between 10 and 3600.
retries can be configured to any integer value between 1 and 100.
Important: The peer security gateway must support RFC 3706 for this functionality to work properly.
Important: If DPD is enabled while IPSec tunnels are up, it will not take effect until all of the tunnels are cleared.
[context_name]hostname(cfg-ctx-ikev2ikesa-tran-set)#
auth_svc_name must be a unique string of 1 through 63 characters in length.
Name of the IMS-Sh-service to be configured. name must be from 1 to 63 alpha and/or numeric characters.
[context_name]hostname(config-ims-sh-service)#
ecs - Permits the specific user to access ACS-specific configuration commands.
noecs - Prevents the specific user from accessing ACS-specific configuration commands.
Important: Users who have Lawful Intercept privileges are only given those privileges when connected to the system through a Secure Shell (SSH). If this user connects through a Telnet session or through the console port, Lawful Intercept privileges are not enabled.
timeout-idle idle_seconds
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
interface name [ broadcast | loopback | point-to-point | tunnel ]
Specifies the name of the interface to configure. If name does not refer to an existing interface, the new interface is created if resources allow.
name must be from 1 to 79 alpha and/or numeric characters.
Important: Refer to the Ethernet interface Configuration Mode Command chapter for more information.
Important: Refer to the Loopback Interface Configuration Mode Command chapter for more information.
Important: Refer to the PVC interface Configuration Mode Command chapter for more information.
Important: Refer to the Tunnel Interface Configuration Mode Command chapter for more information.
Important: If no keyword is specified, broadcast is assumed and the interface is Ethernet by default.
The following command removes sampleService as being a defined interface.
In Release 8.1 and later, name must be an alpha and/or numeric string of 1 through 47 characters in length.
In Release 8.0, name must be an alpha and/or numeric string of 1 through 79 characters in length.
Important: Up to 8 ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 256 rule limit for the context.
The in and out keywords are deprecated and are only present for backward compatibility. Context-level ACLs are applied only to outgoing packets.
Specifies the priority of the access group. 0 is the highest priority. If priority_value is not specified, the priority is set to 0.
priority_value must be an integer from 0 through 4294967295.
Use this command to add IP access lists (refer to the ip access-list command) configured within the same context to an ACL group.
The following commands add sampleGroup to the context-level ACL with a priority of 0.
In Release 8.0, name must be an alpha and/or numeric string of 1 through 79 characters in length.
In Release 8.1 and later, name must be an alpha and/or numeric string of 1 through 47 characters in length.
Important: A maximum of 64 rules can be configured per ACL. The maximum number of ACLs that can be configured per context is limited by the amount of available memory in the VPN Manager software task; it is typically less than 200.
The following command creates an access list named sampleList, and enters the Access List configuration mode:
ip arp ip_address mac_address [ vrf vrf_name ]
Specifies the IP address to configure the ARP options where ip_address must be specified using the standard IPv4 dotted decimal notation.
Specifies the media-specific access control layer address for the IP address. mac_address must be specified as a 6-byte hexadecimal number with each byte separated by a colon, e.g., ‘AA:12:bb:34:f5:0E’.
vrf_name is the name of a preconfigured virtual routing and forwarding (VRF) context configured in Context configuration mode through the ip vrf command.
ip arp 1.2.3.4 F1:E2:D4:C5:B6:A7
ip arp 1.2.3.4 F1:E2:D4:C5:B6:A7 vrf GRE_vrf1
To add new rules to an existing list, enter the list name. list_name must be a string of 1 through 79 alphanumeric characters.
deny: Deny access to AS paths that match the regular expression.
permit: Allow access to AS paths that match the regular expression.
A regular expression to define the AS paths to match. reg_expr must be a string containing 1 through 254 alpha and/or numeric characters.
Important: The ? (question mark) character is not supported in regular expressions for this command.
Important: This command must be entered in the destination context for the subscriber. If there are multiple destination contexts for different subscribers, the command must be entered in each context.
Specifies an interface in this context used for redirected DNS packets. ip_address must be specified using the standard IPv4 dotted decimal notation.
Specifies the logical domain name to use for domain name server address resolution. name must be from 1 to 1023 alpha and/or numeric characters formatted to be a valid IP domain name.
size can be configured to any integer value from 0 to 2000.
Specifies the logical host name for the local machine the current context resides on. name must be from 1 to 1023 alpha and/or numeric characters formatted to be a valid IP host name.
Specifies the IP address for the static mapping. ip_address must be specified using the standard IPv4 dotted decimal notation.
Specifies the IP address of a domain name server. ip_address must be specified using the standard IPv4 dotted decimal notation.
Specifies the IP address of a secondary domain name server. secondary_ip_address must be specified using the standard IPv4 dotted decimal notation.
3. DNS values locally configured with APN with dns and ipv6 dns commands have the third preference.
Important: The same preference would be applicable for the NBNS servers to be negotiated via IPCP with the LNS.
ip pool pool_name { ip_address subnet_mask | ip_address_mask_combo | range start_ip_address end_ip_address } [ address-hold-timer address_hold_timer ] [ advertise-if-used ] [ alert-threshold [ group-available | pool-free | pool-hold | pool-release | pool-used ] low_thresh [ clear high_thresh ] ] [ explicit-route-advertise ] [ group-name group_name ] [ include-nw-bcast ] [ napt-users-per-ip-address users_per_ip [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ max-chunks-per-user max_chunks_per_user [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ port-chunk-size port_chunk_size ] [ port-chunk-threshold port_chunk_threshold ] [ send-nat-binding-update ] + ] [ nat priority ] [ nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ send-nat-binding-update ] + ] [ nat-realm users-per-nat-ip-address users [ on-demand [ address-hold-timer address_hold_timer ] ] ] [ nexthop-forwarding-address ip_address [ overlap vlanid vlan_id ] [ respond-icmp-echo ip_address ] ] [ nw-reachability server server_name ] [ policy allow-static-allocation ] [ private priority ] [ public priority ] [ resource priority ] [ send-icmp-dest-unreachable ] [ srp-activate ] [ static ] [ suppress-switchover-arps ] [ tag { none | pdif-setup-addr } ] [ unicast-gratuitous-arp-address ip_address ] [ vrf vrf_name { [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] } ] +
no ip pool pool_name [ address-hold-timer ] [ advertise-if-used ] [ alert-threshold [ [ group-available ] [ pool-free ] [ pool-hold ] [ pool-release ] [ pool-used ] + ] [ explicit-route-advertise ] [ group-name ] [ include-nw-bcast ] [ nexthop-forwarding-address [ respond-icmp-echo ] ] [ nw-reachability server ] [ policy allow-static-allocation ] [ send-icmp-dest-unreachable ] [ srp-activate ] [ suppress-switchover-arps ] [ tag { none | pdif-setup-addr } ] [ unicast-gratuitous-arp-address ] + [ send-nat-binding-update ]
Specifies the logical name of the IP address pool. name must be an alpha and/or numeric string of 1 through 31 characters in length.
Important: An error message displays if the ip pool name and the group name in the configuration are the same. An error message displays if the ip pool name or group name are already used in the context.
Specifies the beginning IP address of the IP address pool. ip_address can either be an IPv4 address expressed in dotted decimal notation, or an IPv6 address expressed in colon notation.
1 bits in the ip_mask indicate that bit position in the ip_address must also have a value of 1.
0 bits in the ip_mask indicate that bit position in the ip_address does not need to match, i.e., the bit can be either a 0 or a 1.
Specifies a combined IP address subnet mask bits to indicate what IP addresses the route applies to. ip_address_mask_combo must be specified using the form ‘IP Address/Mask Bits’ where the IP address is specified using the standard IPv4 dotted decimal notation and the mask bits are a numeric value which is the number of bits in the subnet mask.
range start_ip_address end_ip_address
seconds is the time in seconds and must be an integer from 0 through 31556926.
group-available: Set an alert based on the available percentage of IP addresses for the entire IP pool group.
pool-free: Set an alert based on the percentage of IP addresses that are unassigned in this IP pool.
pool-hold: Set an alert based on the percentage of IP addresses from this IP pool that are on hold.
pool-release: Set an alert based on the percentage of IP addresses from this IP pool that are in the release state.
pool-used: This command sets an alert based on the percentage of IP addresses that have been assigned from this IP pool.
Important: Refer to the threshold available-ip-pool-group and threshold monitoring commands in this chapter for additional information on IP pool utilization thresholding.
low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured to any integer value between 0 and 100.
clear high_thresh : The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. It may be configured to any integer value between 0 and 100.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
Assigns one or more preconfigured IP pools to the IP pool group group_name.
group_name is case sensitive and must be a string of 1 to 31 characters. One or more IP pool groups are assigned to a context, and one IP pool group consists of one or more IP pools.
napt-users-per-ip-address users_per_ip [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ max-chunks-per-user max_chunks_per_user [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ port-chunk-size port_chunk_size ] [ port-chunk-threshold port_chunk_threshold ] [ send-nat-binding-update ] +
Important: In UMTS deployments this keyword is available in Release 9.0 and later releases. In CDMA deployments this keyword is available in Release 8.3 and later releases.
Important: In UMTS deployments, on upgrading from Release 8.1 to Release 9.0, and in CDMA deployments, on upgrading from Release 8.1 to 8.3, all NAT realms configured in Release 8.1 using the nat-realm keyword must be reconfigured using either the nat-one-to-one (for one-to-one NAT realms) or the napt-users-per-ip-address (for many-to-one NAT realms) keywords.
• users_per_ip: Specifies how many users can share a single NAT IP address. users_per_ip must be an integer from 2 through 2016.
Important: Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in that context, and override the threshold configurations set within individual pools.
• pool-free: Percentage free alert threshold for this pool
• pool-hold: Percentage hold alert threshold for this pool
• pool-release: Percentage released alert threshold for this pool
• pool-used: Percentage used alert threshold for this pool
• low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. low_thresh must be an integer from 0 through 100.
• clear high_thresh : The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. high_thresh must be an integer from 0 through 100.
Important: The high_thresh value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
• max-chunks-per-user max_chunks_per_user: Specifies the maximum number of port chunks to be allocated per subscriber in the many-to-one NAT pool. max_chunks_per_user must be an integer from 1 through 2016. Default: 1
• nat-binding-timer binding_timer: Specifies the NAT binding timer for the NAT pool. binding_timer must be an integer from 0 through 31556926. If set to 0, it is disabled. Default: 0
• nexthop-forwarding-address address: Specifies the nexthop forwarding address for this pool. address must be a standard IPv4 or IPv6 address. If configured for a NAT pool, packets that are NATed using that NAT pool will be routed based on the configured nexthop address.
Important: The nexthop-forwarding-address support for NAT IP pools is functional only in later releases of Release 9.0 and in Release 10.0 and later releases.
• on-demand: Specifies allocating IP when matching data traffic begins.
• port-chunk-size size: Specifies NAT port chunk size (number of NAT ports per chunk) for many-to-one NAT pool. size must be an integer from 32 through 32256.
Important: The port-chunk-size configuration is only available for many-to-one NAT pools.
• port-chunk-threshold chunk_threshold: Specifies NAT port chunk threshold in percentage of number of chunks for many-to-one NAT pool. chunk_threshold must be an integer from 1 through 100. Default: 100%
Important: The port-chunk-threshold configuration is only available for many-to-one NAT pools.
Important: send-nat-binding-update is not supported for many-to-one realms.
• group-name group_name: This keyword is available for NAT pool configuration only in Release 10.0 and later releases.
group_name must be an alpha and/or numeric string of 1 through 31 characters in length, and is case sensitive.
priority specifies the priority of the NAT pool. 0 is the highest priority. If priority is not specified, the priority is set to 0.
Important: This functionality is currently supported for use with systems configured as an A-BG or P-CSCF.
nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ send-nat-binding-update ] +
Important: In UMTS deployments this keyword is available in Release 9.0 and later releases. In CDMA deployments this keyword is available in Release 8.3 and later releases.
Important: In UMTS deployments, on upgrading from Release 8.1 to Release 9.0, and in CDMA deployments, on upgrading from Release 8.1 to Release 8.3, all NAT realms configured in Release 8.1 using the nat-realm keyword must be reconfigured using either the nat-one-to-one (for one-to-one NAT realms) or the napt-users-per-ip-address (for many-to-one NAT realms) keywords.
Important: Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool * commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
• pool-free: Percentage free alert threshold for this pool
• pool-hold: Percentage hold alert threshold for this pool
• pool-release: Percentage released alert threshold for this pool
• pool-used: Percentage used alert threshold for this pool
• low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. low_thresh must be an integer from 0 through 100.
• clear high_thresh : The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. high_thresh must be an integer from 0 through 100.
Important: The high_thresh value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
• nat-binding-timer nat_binding_timer: Specifies the NAT binding timer for the NAT pool. nat_binding_timer must be an integer from 0 through 31556926. If set to 0, it is disabled.
Important: For many-to-one NAT pools, the default NAT binding timer value is 60 seconds. For one-to-one NAT pools, it is 0. I.e., by default, the feature is disabled—the IP addresses/ port-chunks once allocated will never be freed.
• nexthop-forwarding-address ip_address: Specifies the nexthop forwarding address for this pool. ip_address must be a standard IPv4 or IPv6 address. If configured for a NAT pool, packets that are NATed using that NAT pool will be routed based on the configured nexthop address.
Important: The nexthop-forwarding-address support for NAT IP pools is functional only in later releases of Release 9.0 and in Release 10.0 and later releases.
• on-demand: Specifies allocating IP address when matching data traffic begins.
Important: send-nat-binding-update is not supported for many-to-one realms.
• group-name group_name: This keyword is available for NAT pool configuration only in Release 10.0 and later releases.
group_name must be an alpha and/or numeric string of 1 through 31 characters in length, and is case sensitive.
nat-realm users-per-nat-ip-address users [ on-demand [ address-hold-timer address_hold_timer ] ]
Important: The nat-realm keyword is only available in Release 8.1.
Important: In Release 8.1, the NAT On-demand feature is not supported.
Important: This functionality is currently supported for use with systems configured as an A-BG or P-CSCF.
users-per-nat-ip-address users: Specifies the number of users sharing a single NAT IP address.
users must be an integer from 1 through 5000.
on-demand: Specifies to allocate IP when matching data traffic begins.
address-hold-timer address_hold_timer: Specifies the address hold timer for this pool, in seconds.
address_hold_timer must be an integer from 0 through 31556926. If set to 0, the address hold timer is disabled.
vlan_id is the identification number of a VLAN assigned to a physical port and can be configured to any integer value from 1 to 4095.
Important: This functionality is currently supported for use with systems configured as an HA, or as a PDSN for Simple IP, or as a GGSN. This keyword can only be issued for pools of type private or static and must be associated with a different nexthop forwarding address and VLAN. A maximum of 256 over-lapping pools can be configured per context and a maximum of 256 over-lapping pools can be configured per HA or simple IP PDSN. For GGSNs, the total number of pools is limited by the number of VLANs defined but the maximum number per context is 256. Additional network considerations and configuration outside of the system may be required.
server_name: Specifies the name of a network reachable server that has been defined in the current context, and must be a string of 1 through 16 characters in length.
Important: Also see the following commands for more information: Refer to the policy nw-reachability-fail command in the HA Configuration Mode to configure the action that should be taken when network reachability fails. Refer to the nw-reachability server command in this chapter to configure network reachability servers. Refer to the nw-reachability-server command in the Subscriber Configuration Mode to bind a network reachability server to a specific subscriber.
Important: In order for this functionality to work, all of the pools should contain an initial IP address that can be pinged.
vrf vrf_name { [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] }
Important: This command must be used with next-hop parameters.
vrf_name is the name of a preconfigured virtual routing and forwarding (VRF) context configured in Context configuration mode through the ip vrf command.
• in_label_value is the MPLS label that identifies the inbound traffic destined for this pool.
• The out_label_value1 and out_label_value2 identify the MPLS labels to be added to the outgoing packets sent for the subscriber from this pool, where out_label_value1 is the inner output label and out_label_value2 is the outer output label.
Important: You cannot have overlapping pool addresses using the same VRF. Also, you cannot have two pools using different VRFs but the same in-label, irrespective of whether the pools are overlapping or not. The pool must be a private or static pool in order to be associated with a certain VRF. If a VRF with such a name is not configured, the pool configuration returns an error prompting you to add the VRF before configuring a pool.
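The VRF restrictions in the note above can be checked offline against a planned set of pools before the configuration is applied. The following is an added example, not code from the product or its documentation; the Pool record, the audit_vrf_pools function and the sample pools are hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Pool:
    """Hypothetical record for one planned 'ip pool ... vrf ...' definition."""
    name: str
    network: str                    # pool range in CIDR form, e.g. "10.10.0.0/24"
    pool_type: str                  # "private", "public", "static", ...
    vrf: Optional[str] = None       # None: pool is not bound to a VRF
    in_label: Optional[int] = None  # MPLS label for inbound traffic, if any


def audit_vrf_pools(pools: Iterable[Pool], configured_vrfs: Set[str]) -> List[str]:
    """Return one finding per violated rule from the note above."""
    findings = []
    bound = [p for p in pools if p.vrf is not None]

    # Per-pool rules: the VRF must already exist, and only private or
    # static pools may be associated with a VRF.
    for p in bound:
        if p.vrf not in configured_vrfs:
            findings.append(f"vrf-missing: {p.name} references unconfigured VRF {p.vrf}")
        if p.pool_type not in ("private", "static"):
            findings.append(f"bad-type: {p.name} is {p.pool_type}, must be private or static")

    # Pairwise rules: no overlapping addresses inside one VRF, and no
    # in-label shared by pools in different VRFs (overlapping or not).
    for a, b in combinations(bound, 2):
        net_a = ipaddress.ip_network(a.network)
        net_b = ipaddress.ip_network(b.network)
        if a.vrf == b.vrf and net_a.overlaps(net_b):
            findings.append(f"overlap: {a.name} and {b.name} overlap inside VRF {a.vrf}")
        if a.vrf != b.vrf and a.in_label is not None and a.in_label == b.in_label:
            findings.append(f"label-reuse: {a.name} and {b.name} share in-label {a.in_label}")
    return findings


# Constructed sample plan. corpA and corpB overlap, but in different VRFs
# with different in-labels, which the note permits.
CONFIGURED_VRFS = {"vrf_a", "vrf_b"}
SAMPLE_POOLS = [
    Pool("corpA", "10.10.0.0/24", "private", "vrf_a", 100),
    Pool("corpB", "10.10.0.0/24", "private", "vrf_b", 200),
    Pool("corpA2", "10.10.0.128/25", "static", "vrf_a", 101),  # overlaps corpA
    Pool("corpC", "172.16.0.0/24", "private", "vrf_c", 100),   # unknown VRF, label reuse
    Pool("pub", "192.0.2.0/24", "public", "vrf_b", 300),       # wrong pool type
]

if __name__ == "__main__":
    for finding in audit_vrf_pools(SAMPLE_POOLS, CONFIGURED_VRFS):
        print(finding)
```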
Important: In the static allocation scenario, the pool group name is returned by AAA in the attribute SN1-IP-Pool-Name, and the IP address to use will be returned in the Framed-IP-Address attribute.
Important: If an IP address pool is matched to an ISAKMP crypto map and is resized, removed, or added, the corresponding security association must be cleared in order for the change to take effect. Refer to the clear crypto command in the Exec mode for information on clearing security associations.
Over-lapping IP Pools - The system supports the configuration of over-lapping IP address pools within a particular context. Over-lapping pools are configured using either the resource or overlap keywords.
The resource keyword allows over-lapping addresses tunneled to different VPN end points.
The overlap keyword allows over-lapping addresses each associated with a specific virtual LAN (VLAN) configured for an egress port. It uses the VLAN ID and the nexthop address to determine how to forward subscriber traffic with addresses from the pool thus resolving any conflicts with overlapping addresses.
Note that if an overlapping IP Pool is bound to an IPSec Tunnel (refer to the match ip pool command in the Crypto Group Configuration Mode chapter), that tunnel carries the traffic ignoring the nexthop configuration. Therefore, the IPSec Tunnel takes precedence over the nexthop configuration. (Thus, one can configure the overlapping IP Pool with a fake VLAN ID and nexthop and still be able to bind it to an IPSec Tunnel for successful operation.)
The overlap keyword, which allows over-lapping addresses each associated with a specific VLAN, can only be issued for pools of type private or static and must be associated with a different nexthop forwarding address and VLAN. A maximum of 128 over-lapping pools can be configured per context and a maximum of 256 over-lapping pools can be configured per system.
Important: Overlapping IP address functionality is currently supported for use with systems configured as an HA for Mobile IP, or as a PDSN for Simple IP, or as a GGSN. For deployments in which subscriber traffic is tunneled from the FA to the HA using IP-in-IP, a separate HA service must be configured for each over-lapping pool.
IP Pool Address Assignment Method - IP addresses can be dynamically assigned from a single pool or from a group of pools. The addresses are placed into a queue in each pool. An address is assigned from the head of the queue and, when released, returned to the end. This method is known as least recently used (LRU).
Important: Note that setting different priorities on each individual pool in a group can cause addresses in some pools to be used more frequently.
ip prefix-list name list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
no ip prefix-list list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
Specifies a name for the prefix list. list_name must be a string of 1 through 79 characters in length.
network_address/net_mask [ ge ge_value ] [ le le_value ]
network_address/net_mask: The IP address and the length, in bits, of the network mask that defines the prefix. This must be an IP address entered in dotted decimal notation and a mask (192.168.0/24). When neither ge nor le is specified, an exact match is assumed.
ge ge_value: The minimum prefix length to match. This must be an integer from 0 through 32. If only the ge value is specified, the range is from the ge value to 32. The ge value must be greater than net_mask and less than the le value.
le le_value: The maximum prefix length to match. This must be an integer from 0 through 32. If only the le value is specified, the range is from the net_mask to the le value. The le value must be less than or equal to 32.
net_mask < ge_value < le_value <= 32
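The ge/le rules above decide which route lengths a prefix-list entry accepts, which is what determines whether a filter lets through more-specific routes than intended. The following added example (not the product's code) models them; the PrefixEntry class, the sample list, first-match evaluation by sequence number and the implicit deny for unmatched routes are assumptions that this page does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    """Hypothetical model of one prefix-list line."""
    seq: int
    action: str                 # "permit" or "deny"
    network: Optional[str]      # "10.0.0.0/8"; None stands for the keyword "any"
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self) -> Tuple[int, int]:
        """Inclusive (min, max) prefix length matched, validated per the text."""
        if self.network is None:
            return 0, 32
        mask = ipaddress.ip_network(self.network).prefixlen
        if self.ge is not None and not mask < self.ge <= 32:
            raise ValueError(f"seq {self.seq}: ge must be greater than net_mask")
        if self.le is not None and not mask <= self.le <= 32:
            # le below net_mask would give an empty range (added sanity check)
            raise ValueError(f"seq {self.seq}: le must be from net_mask through 32")
        if self.ge is not None and self.le is not None and not self.ge < self.le:
            raise ValueError(f"seq {self.seq}: ge must be less than le")
        if self.ge is None and self.le is None:
            return mask, mask                      # exact match
        low = self.ge if self.ge is not None else mask   # only le: net_mask..le
        high = self.le if self.le is not None else 32    # only ge: ge..32
        return low, high

    def matches(self, route: str) -> bool:
        low, high = self.length_range()
        if self.network is None:
            return True
        candidate = ipaddress.ip_network(route)
        covered = candidate.subnet_of(ipaddress.ip_network(self.network))
        return covered and low <= candidate.prefixlen <= high


def evaluate(entries: Iterable[PrefixEntry], route: str, default: str = "deny") -> str:
    """First matching entry in sequence order wins (assumption); else default."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action
    return default


# Constructed sample list: reject anything longer than /24 inside 10.0.0.0/8,
# accept /8 through /24 there, and accept exactly 192.168.0.0/24.
SAMPLE_LIST = [
    PrefixEntry(5, "deny", "10.0.0.0/8", ge=25),
    PrefixEntry(10, "permit", "10.0.0.0/8", le=24),
    PrefixEntry(15, "permit", "192.168.0.0/24"),
]

if __name__ == "__main__":
    for r in ("10.1.2.0/24", "10.1.2.128/25", "192.168.0.0/24", "192.168.0.0/25"):
        print(r, evaluate(SAMPLE_LIST, r))
```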
[ no ] ip route { ip_address/ip_mask | ip_address ip_mask } { gateway_ip_address | next-hop next_hop_ip_address | point-to-point | tunnel } egress_intrfc_name [ cost cost ] [ precedence precedence ] [ vrf vrf_name ] +
ip_address/ip_mask | ip_address ip_mask
ip_address/ip_mask: Specifies a combined IP address and subnet mask bits to indicate the IP addresses to which the route applies.
ip_address/ip_mask must be specified using the form ‘IP Address/Mask Bits’ where the IP address is specified using the standard IPv4 dotted decimal notation and the mask bits are a numeric value which is the number of bits in the subnet mask.
ip_address ip_mask: Specifies an IP address and the networking (subnet) mask pair which is used to identify the set of IP addresses to which the route applies.
ip_address must be specified using the standard IPv4 dotted decimal notation.
ip_mask must be specified using the standard IPv4 dotted decimal notation as network mask for subnets.
The mask as specified by ip_mask or resulting from ip_address/ip_mask is used to determine the network for packet routing.
gateway_ip_address | next-hop next_hop_ip_address | point-to-point | tunnel
gateway_ip_address: Specifies the IP address of the network gateway to which to forward packets. The address must be entered in IPv4 dotted decimal notation (###.###.###.###).
next-hop next_hop_ip_address: The next-hop IP address to which to forward packets. The address must be entered in IPv4 dotted decimal notation (###.###.###.###).
point-to-point: Specifies that the egress port is an ATM point-to-point interface.
tunnel: Sets the static route for this egress interface as tunnel type, i.e., IPv6-over-IPv4 or GRE.
Specifies the relative cost of the route. cost must be a value in the range 0 through 255 where 255 is the most expensive.
Specifies the selection order precedence for this routing information. precedence must be a value in the range from 1 through 254 where 1 is the highest precedence.
vrf_name is the name of a preconfigured virtual routing and forwarding (VRF) context configured in Context configuration mode through the ip vrf command.
Important: A maximum of 1200 static routes may be configured per context.
ip route 1.2.3.0/32 192.168.1.2 egressSample1 precedence 160
ip route 1.2.3.4 255.224.0.0 10.1.2.3 egressSample2 cost 43
no ip route 1.2.3.0/32 192.168.1.2 egressSample1 precedence 160
no ip route 1.2.3.4 255.224.0.0 10.1.2.3 egressSample2 cost 43
ip route 1.2.3.0/32 tunnel egressSample1 precedence 160 vrf GRE_vrf1
vrf_name must be an alpha and/or numeric string of 1 to 79 characters.
This command switches the command mode to IP VRF Context Configuration Mode and the prompt changes to the following:
[context_name]
host_name(config-context-vrf)#
Refer to the IP VRF Context Configuration Mode Commands chapter for parameter configurations.
Important: The IPMS is a license-enabled external application. Refer to the IPMS Installation and Administration Guide for more information on this product.
Warning: If this keyword option is used with the no ipms command, the IPMS client service is deleted along with all active/inactive IPMS sessions, without any warning or confirmation prompt.
Specifies the name of a new or existing transform set. name must be from 1 to 127 alpha and/or numeric characters.
[context_name]
hostname(cfg-ctx-ipsec-tran-set)#
The following command configures an IPSec transform set called ipsec12 and enters the IPSec Transform Set Configuration Mode:
ipsg-service name [ mode { radius-server | radius-snoop } ] [ -noconfirm ]
Specifies the name of the IPSG service to be configured. If name does not refer to an existing service, the new service is created if resources allow.
name must be an alpha and/or numeric string of 1 through 63 characters in length.
radius-server: Creates an IP Services Gateway RADIUS Server service in the context and enters the IPSG RADIUS Server Configuration Mode.
radius-snoop: Creates an IP Services Gateway RADIUS Snoop service in the context and enters the IPSG RADIUS Snoop Configuration Mode.
[context_name-service_name]
hostname(config-radius-server)#
Caution: A large number of services greatly increases the complexity of system management and may impact overall system performance (i.e., resulting from system handoffs). Do not configure a large number of services unless your application requires it. Contact your local service representative for more information.
Important: IP Services Gateway functionality is a license-controlled feature. A valid feature license must be installed prior to configuring an IPSG service. If you have not previously purchased this feature, contact your sales representative for more information.
Specifies the priority of the access group. 0 is the highest priority. If priority_value is not specified the priority is set to 0.
priority_value must be a value from 0 to 4294967295.
ipv6 neighbor ipv6_address hardware_address
ipv6_address is the IP address of node to be added to the table.
hardware_address is the associated 48-bit MAC address.
Add the IPv6 address fe80::210:83ff:fef7:7a9d::/24 and associated 48-bit MAC address 0:10:83:f7:7a:9d to the table.
ipv6 pool name { 6to4 local-endpoint ipv4_address [ default-relay-router router_address ] | alert threshold | group-name name | policy { allow-static-allocation | dup-addr-detection } | prefix ip_address/len [ 6to4-tunnel local-endpoint ip_address | default-relay-router router_address ] | range start_address end_address | suppress-switchover-arps } [ private priority ] [ public priority ] [ shared priority ] [ static priority ] [ group-name name ]
Specifies the logical name of the IP address pool. name must be from 1 to 31 alpha and/or numeric characters.
alert threshold { 6to4 local-endpoint ipv4_address | alert threshold | group-available | group-name name | policy { allow-static-allocation | dup-addr-detection} | pool-free | pool-used | prefix | range start_address end_address }
• 6to4 - Sets an alert based on the IPv6 Pool for 6to4 compatible address type.
• alert-threshold - Sets an alert based on the percentage free alert threshold for this group.
• group-available - Sets an alert based on the percentage free alert threshold for this group.
• group-name - Sets an alert based on the IPv6 Pool Group.
• pool-free - Sets an alert based on the percentage free alert threshold for this pool.
• pool-used - Sets an alert based on the percentage used alert threshold for this pool.
• prefix - Sets an alert based on the IPv6 Pool address prefix.
• range - Sets an alert based on the IPv6 address pool range of addresses.
• suppress-switchover-arps - Sets an alert based on the Suppress Gratuitous ARPS when performing a line card switchover.
Specifies the beginning IPv4 address of the IPv4 address pool. ipv4_address must be specified using the standard IPv4 dotted decimal notation.
This command is valid for IPv6 shared pools only (Sample syntax: ipv6 pool name prefix ip_address/len shared policy dup-addr-detection). When this policy is enabled, the IPv6 shared pool allows a prefix to be shared in different call sessions with different interface IDs for an IPv6 address. This allows the tracking of interface IDs per prefix and the detection of duplicated IDs.
range start_address end_address
start_address specifies the beginning of the range of addresses for the IPv6 pool.
end_address specifies the end of the range of addresses for the IPv6 pool.
private priority | public priority | shared priority | static priority
private priority: address pool may only be used by mobile stations which have requested an IP address from a specified pool. When private pools are part of an IP pool group, they are used in a priority order according to the precedence setting.
priority must be a value in the range from 0 through 10 with 0 being the highest. The default is 0.
public priority: address pool is used in priority order for assigning IP addresses to mobile stations which have not requested a specific address pool.
priority must be a value in the range from 0 through 10 with 0 being the highest and with a default of 0.
shared priority: address pool that may be used by more than one session at any time.
priority must be a value in the range from 0 through 10 with 0 being the highest and with a default of 0.
static priority: address pool is used for statically assigned mobile stations. Statically assigned mobile stations are those with a fixed IP address at all times.
priority must be a value in the range from 0 through 10 with 0 being the highest and with a default of 0.
name is the name of the group by which the IPv6 pool is to be configured and must be a string having 1 to 79 alpha and/or numeric characters.
[ no ] ipv6 route ipv6_address/prefix_length { interface name | next-hop ipv6_address interface name } [ cost cost ] [ precedence precedence ]
ipv6_address/prefix_length
ipv6_address/prefix_length must be specified in IPv6 colon separated notation.
Specifies the name of the interface on this system associated with the specified route or next-hop address. name must be an existing interface name on the system and be from 1 to 79 alpha and/or numeric characters.
The IPv6 address of the directly connected next hop device. ipv6_address must be specified in IPv6 colon separated notation.
Use the following example to configure a static route with IPv6 prefix/length 2001:0db8:3c4d:0015:0000:0000:abcd:ef12/24 to the next hop interface egress1:
ipv6 route 2001:0db8:3c4d:0015:0000:0000:abcd:ef12/24 interface egress1
This command is deprecated. Use the ikev1 disable-phase1-rekey command to configure the parameters for Phase1 SA rekeying when the ISAKMP lifetime expires for the IKE v1 protocol.
This command is deprecated. Use the ikev1 keepalive dpd command to configure ISAKMP IPSec Dead Peer Detection (DPD) message parameters for the IKE v1 protocol.
This command is deprecated. Use the ikev1 policy command to create/configure an ISAKMP policy with the specified priority for the IKE v1 protocol.
Important: For details about the commands and parameters for this mode, check the IuPS Service Configuration Mode chapter.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Specifies the name of the LMA service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-lma-service)#
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
lawful-intercept { acked-udp [ num-retry number ] [ timeout time ] | event-attributes bsid | hand-off-policy send-start-intercept-with-pdp-active-iri | interception-point-policy { { sms-mo | sms-mt } { message-delivered | request-received } } | reprovision-target-policy resend-pdp-context-active-iri | src-ip-addr ip_address | sms-content-policy { exclude-content | include-content } | tcp tcp_option | unack-format use-service-address }
num-retry number: Enter an integer between 1 and 100 to define the maximum number of retries for sending an unacknowledged message. Default is 20.
timeout time: Enter an integer between 1 and 100 to define the maximum number of seconds that the system waits before retransmitting an unacknowledged message. Default is 3.
• sms-mo: point of interception for a mobile-originated SMS
• message-delivered: intercept when the SGSN receives notification from the SMSC/MS. This is the default for either SMS-MO or SMS-MT.
• include-content: Sets the policy to send SMS header and content both in IRI.
ip_address: This is known as the source-address. It is an IPv4 address that identifies the system’s interface, in the current context, from which the intercepted messages are forwarded to the DF according to the event delivery or content delivery provisioning done in the Exec configuration mode.
• application-heartbeat-messages timout minute dur - In a firewall-enabled scenario, TCP connections get dropped because the connections are idle most of the time. This keyword enables the SGSN to send application-level heartbeat messages to the mediation server to keep the connection live. This keyword is used to enable/disable sending of heartbeat messages. By default this mode is disabled.
timout minute dur sets the timeout duration for the heartbeat timer. By default the heartbeat timer value is 5 minutes.
• connection-retry-timer time - configures the maximum time to wait before retrying to connect, in seconds. Default is 2 seconds. time: enter any integer from 1 to 65535.
• content-delivery dest-addr ip_address - configures the destination IP address of the DF3 to send the intercepted content (i.e., data/CC). ip_address: enter an address in standard IPv4/IPv6 format. Must be followed by:
• dest-port port_num - configures the destination port where the intercepted information is to be forwarded. port_num: enter any integer from 1 to 65535.
• event-delivery dest-addr ip_address - configures the destination address of the DF2 to send the intercepted events information (i.e., IRI). ip_address: enter an address in standard IPv4/IPv6 format. Must be followed by:
• dest-port port_num - configures the destination port where the intercepted information is to be forwarded. port_num: enter any integer from 1 to 65535.
Important: This function requires that the Lawful Intercept provisioning (done in the Exec configuration mode) include the udp-unack-format-1 for the content delivery keyword. Changing the configuration and the provisioning to enable/disable this feature can be done on the fly.
Important: When monitoring for calls that are not yet active, the source-address information does not need to be configured immediately. However, it must be configured as soon as the call becomes active in order for Lawful Interception to function properly.
Specifies the customer-specific dictionary, custom1 through custom10, to be used for provisioning/interception for the configured LI context.
Specifies the name of the MAG service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-mag-service)#
Important: For details about the commands and parameters, check the MAP Service Configuration Mode chapter.
Specifies the name of the MME HSS service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-mme-hss-service)#
The following command will remove mme-hss-service1 from the system:
Specifies the name of the MME service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-mme-service)#
Caution: This is a critical configuration. The MME service can not be configured without this configuration. Any change to this configuration would lead to restarting the MME service and removing or disabling this configuration will stop the MME service.
multiple-dynamic-reg-per-nai: Disables all FA services in the current context from simultaneously setting up multiple dynamic home address registrations that have the same NAI.
newcall duplicate-home-address: Reset this option to its default of reject.
accept: The new call is accepted and the existing call is dropped.
reject: The new call is rejected with an Admin Prohibited code.
Important: A maximum of 8 MIP HA assignment tables can be configured per context with a maximum of 8 MIP HA assignment tables across all contexts.
Important: A maximum of 256 non-overlapping hoa-ranges can be configured per MIP HA Assignment table with a maximum of 256 non-overlapping hoa-ranges across all MIP HA Assignment tables.
duplicate-home-address: Reset the option to its default of reject.
duplicate-imsi-session: Reset the option to its default of allow.
accept: The new call is accepted and the existing call is dropped.
reject: The new call is rejected with an Admin Prohibited code.
allow: Allows multiple sessions for the same IMSI.
disallow: If a Mobile node already has an active session and a new session is requested using the same IMSI, the currently active session is dropped and the new session is accepted.
global-disallow: Enables HA services in this context to accept a new session and disconnect any other session(s) having the same IMSI being processed in this context. In addition, a request is sent to all other contexts containing HA services to do the same.
Important: In order to ensure a single session per IMSI across all contexts containing HA services, the global-disallow option must be configured in every context.
Caution: This command should be enabled ONLY when all the BGP peerings where VPNv4 routes are exchanged are one hop away.
nw-reachability server server_name [ interval seconds ] [ local-addr ip_addr ] [ num-retry num ] [ remote-addr ip_addr ] [ timeout seconds ]
Important: Refer to the HA configuration mode command policy nw-reachability-fail to configure the action that should be taken when network reachability fails.
Important: Refer to the subscriber config mode command nw-reachability-server to bind the network reachability to a specific subscriber.
Important: Refer to the nw-reachability server server_name keyword of the ip pool command in this chapter to bind the network reachability server to an IP pool.
ip_address must be expressed in dotted decimal notation.
context_name must be from 1 to 79 alpha and/or numeric characters and is case sensitive.
imsi must be from 1 to 15 numeric characters.
apn_name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
ip_address must be an IPv4 address entered using dotted decimal notation or an IPv6 address entered using colon (:) separated notation.
time is measured in seconds and can be configured to any integer value from 0 to 86400.
operator user_name [ encrypted ] password pwd [ ecs ] [ expiry-date date_time ] [ li-administration ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle idle_seconds ] [ timeout-min-idle idle_minutes ]
Specifies a name for the account. user_name must be from 1 to 32 alpha and/or numeric characters.
The password specified as pwd must be from 1 to 63 alpha and/or numeric characters without encryption and must be from 1 to 127 alpha and/or numeric characters when encryption has been indicated.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
Important: Users who have Lawful Intercept privileges are only given those privileges when connected to the system through a Secure Shell (SSH). If this user connects through a Telnet session or through the console port, Lawful Intercept privileges are not enabled.
timeout-idle idle_seconds
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
name must be from 1 to 63 alpha and/or numeric characters and must be unique across all FNG services within the same context and across all contexts.
The following command configures a PDG service named pdg_service_1 and enters the PDG Service Configuration Mode:
Specifies the name of a new or existing PDIF service. name must be from 1 to 63 alpha and/or numeric characters.
[context_name]
hostname(config-pdif-service)#
The following command configures a PDIF service called pdif2 and enters the PDIF Service Configuration Mode:
Specifies the name of the PDSN service to configure. If name does not refer to an existing service, the new service is created if resources allow.
name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
The following command will remove sampleService as being a defined PDSN service.
Specifies the name of the P-GW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-pgw-service)#
[context_name]
hostname(config-accounting-policy)#
ppp { acfc { receive { allow | deny } | transmit { apply | ignore | reject } } | auth-retry suppress-aaa-auth | chap fixed-challenge-length length | dormant send-lcp-terminate | echo-max-retransmissions num_retries | echo-retransmit-timeout msec | first-lcp-retransmit-timeout milliseconds | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay delay | lcp-terminate connect-state | lcp-terminate mip-lifetime-expiry | lcp-terminate mip-revocation | max-authentication-attempts num | max-configuration-nak num | max-retransmissions number | max-terminate number | mru packet_size | negotiate default-value-options | peer-authentication user_name [ [ encrypted ] password password ] | pfc { receive { allow | deny } | transmit { apply | ignore | reject } } | reject-peer-authentication | renegotiation retain-ip-address | retransmit-timeout milliseconds }
no ppp { auth-retry suppress-aaa-auth | chap fixed-challenge-length | dormant send-lcp-terminate | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay | lcp-terminate connect-state | lcp-terminate mip-lifetime-expiry | lcp-terminate mip-revocation | negotiate default-value-options | reject-peer-authentication | renegotiation retain-ip-address }
In case of no ppp renegotiation retain-ip-address, the initially allocated IP address will be released and a new IP address will be allocated during PPP renegotiation.
transmit { apply | ignore | reject }
Default: no auth-retry suppress-aaa-auth
Important: This option is not supported in conjunction with the GGSN product.
length must be an integer from 4 through 32.
Important: This option is not supported in conjunction with the GGSN product.
milliseconds must be a value in the range 100 through 5000.
num_discard must be an integer from 0 through 5. Recommended value is 2.
Important: This option is not supported in conjunction with the GGSN product.
num must be an integer in the range from 1 through 10.
num must be an integer in the range from 1 through 20.
Important: This option is not supported in conjunction with the GGSN product.
peer-authenticate user_name [ [ encrypted ] password password ]
Specifies the user name and an optional password required for point-to-point protocol peer connection authentications. user_name must be from 1 to 63 alpha and/or numeric characters. The keyword
password is optional and if specified
password must be from 1 to 63 alpha and/or numeric characters. The password specified must be in an encrypted format if the optional keyword
encrypted was specified.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the
encrypted keyword in the configuration file as a flag that the variable following the
password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
transmit { apply | ignore | reject }
ppp peer-authenticate user1 password secretPwd
ppp peer-authenticate user1
ppp retransmit-timeout 1000
Caution: Use caution when using this command. This command alters the way that some PPP statistics are calculated. Please consult your designated service representative before using this command.
Important: HA Proxy DNS Intercept is a license-enabled feature.
name must be a string from 1 to 63 characters in length.
The following command creates a proxy DNS rules list named list1 and places the CLI in the HA Proxy DNS Configuration Mode:
radius accounting { archive [ stop-only ] | deadtime dead_minutes | detect-dead-server { consecutive-failures count | keepalive | response-timeout seconds } | interim interval seconds | max-outstanding msgs | max-pdu-size octets | max-retries tries | max-transmissions trans | timeout idle_seconds | unestablished-sessions }
stop-only specifies archiving of STOP accounting messages only.
detect-dead-server { consecutive-failures count | keepalive | response-timeout seconds }
consecutive-failures count: Default: 4. Specifies the number of consecutive failures, for each AAA manager, before a server is marked as unreachable.
count must be an integer from 0 through 1000.
keepalive: Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers. Default is disabled.
response-timeout seconds: Specifies the number of seconds for each AAA manager to wait for a response to any message before a server is detected as failed, or in a down state.
seconds must be an integer from 1 through 65535.
Important: If both consecutive-failures and response-timeout are configured, then both parameters have to be met before a server is considered unreachable, or dead.
seconds must be an integer from 50 through 40000000.
Important: If RADIUS is used as the accounting protocol for the GGSN product, other commands are used to trigger periodic accounting updates. However, these commands would cause RADIUS STOP/START packets to be sent as opposed to INTERIM-UPDATE packets. Also note that accounting interim interval settings received from a RADIUS server take precedence over those configured on the system.
msgs must be an integer from 1 through 4000.
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. The full set of accounting data is sent to each of the n AAA servers. Response from any one of the servers would suffice to proceed with the call. On receiving an ACK from any one of the servers, all retries are stopped.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128.
Important: This is a customer-specific keyword and requires a customer-specific license to use this feature. For more information on GGSN preservation mode, refer to the GGSN Service Mode Commands chapter.
downlink bytes uplink bytes
bytes must be an integer from 100000 through 4000000000.
bytes must be an integer from 100000 through 4000000000.
uplink bytes downlink bytes
bytes must be an integer from 100000 through 4000000000.
list_id must be an integer from 1 through 65535.
Individual subscribers can be associated with remote IP address lists through the configuration/specification of an attribute in their local or RADIUS profile. (Refer to the radius accounting command in the Subscriber Configuration mode.) When configured/specified, accounting data is collected pertaining to the subscriber's communication with any of the remote addresses specified in the list.
id must be an alpha and/or numeric string of 1 through 15 characters in length.
number must be an integer from 1 through 5.
ip_address must be specified using the standard IPv4 dotted decimal notation.
number must be an integer from 3 through 10.
seconds must be an integer from 1 through 30.
name must be an alpha and/or numeric string of 1 through 127 characters in length.
Default: wait-active-stop
• immediate: Indicates that accounting STOP should be generated immediately on handoff, that is, without waiting for the active-stop from the old PCF.
• wait-active-stop: Indicates that accounting STOP is generated only when the active-stop is received from the old PCF when handoff occurs.
minute must be an integer from 0 through 59.
hour must be an integer from 0 through 23.
Default: active-handoff: Disabled
• active-handoff: Disables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF Handoff occurs. Instead, two R-P events occur (one for the Connection Setup, and the second for the Active-Start).
• active-start-param-change: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
• active-stop: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
Important: This keyword has been obsoleted by the trigger-policy keyword. Note that if this command is used, the radius accounting rp configuration is represented in terms of the trigger-policy when the context configuration is displayed.
Default: airlink-usage: Disabled
• airlink-usage [ counter-rollover ]: Designates the use of Airlink-Usage RADIUS accounting policy for R-P, which generates a start on Active-Starts, and a stop on Active-Stops.
If the counter-rollover option is enabled, the system generates a STOP/START pair before input/output data octet counts (or input/output data packet counts) become larger than (2^32 - 1) in value. This setting is used to guarantee that a 32-bit octet count in any STOP message has not wrapped to larger than 2^32, thus ensuring the accuracy of the count. The system may, at its discretion, send the STOP/START pair at any time, so long as it does so before the 32-bit counter has wrapped. Note that a STOP/START pair is never generated unless the subscriber RP session is in the Active state, since octet/packet counts are not accumulated when in the Dormant state.
• custom: Specifies the use of custom RADIUS accounting policy for R-P. The custom policy can consist of the following:
• active-handoff: Enables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF Handoff occurs. Normally two R-P events will occur (one for the Connection Setup, and the second for the Active-Start).
• active-start-param-change: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
Important: Note that a custom trigger policy with only active-start-param-change enabled is identical to the standard trigger-policy.
• active-stop: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
Important: If the radius accounting rp trigger-policy custom command is executed without any of the optional keywords, all custom options are disabled.
• standard: Specifies the use of Standard RADIUS accounting policy for R-P in accordance with IS-835B.
radius [ mediation-device ] accounting server ip_address [ encrypted ] key value [ acct-on { enable | disable } ] [ acct-off { enable | disable } ] [ max msgs ] [ oldports ] [ port port_number ] [ priority priority ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
Important: If this option is not used, the system, by default, enables standard AAA transactions.
Specifies the IP address of the accounting server. ip_address must be specified in dotted decimal notation for IPv4 or colon notation for IPv6. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be a string of 1 to 15 alpha and/or numeric characters or a string of 1 to 30 alpha and/or numeric characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
Specifies the port number to use for communications. port_number must be an integer from 0 through 65535.
Specifies the relative priority of this accounting server. The priority is used in server selection for determining which server to send accounting data to. priority must be an integer from 1 through 1000, where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
mediation-device: Obsolete keyword.
standard: Use standard AAA transactions.
first-server: Authentication data is sent to the first available server based upon the relative priority of each configured server.
round-robin: Authentication data is sent in a circular queue fashion on a per Session Manager task basis where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.
primary_address : The IP address of the primary interface to use in the current context. This must be specified in dotted decimal notation for IPv4 or colon notation for IPv6.
mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]
• in_label_value is the MPLS label that identifies inbound traffic destined for the configured NAS IP address.
• out_label_value1 & out_label_value2 identify the MPLS labels to be added to the packets sent from the specified NAS IP address.
nexthop_address must be an IPv4 address or an IPv6 address in standard format.
vlan_id must be an integer from 1 through 4094.
[ no ] radius change-authorize-nas-ip ip_address [ encrypted ] key value [ port port ] [ event-timestamp-window window ] [ no-nas-identification-check ] [ no-reverse-path-forward-check ] [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] ]
ip_address can either be an IPv4 address expressed in dotted decimal notation, or an IPv6 address expressed in colon notation.
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be a string of 1 to 15 alpha and/or numeric characters or a string of 1 to 30 alpha and/or numeric characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
window must be an integer from 0 through 4294967295.
If window is specified as 0 (zero), this feature is disabled; the event-time-stamp attribute in COA or DM messages is ignored and the event-time-stamp attribute is not included in NAK or ACK messages.
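The effect of event-timestamp-window on a received CoA or DM request can be seen in the following added example, which is not code from this guide or from the product. It checks the RFC 5176 Request Authenticator and then the Event-Timestamp attribute (type 55) against the window; the function names, the shared secret and the sample packet are constructed, and refusing a request that lacks the attribute when the window is non-zero is an assumption of this example.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43         # RFC 5176 CoA-Request
DISCONNECT_REQUEST = 40  # RFC 5176 Disconnect-Request
EVENT_TIMESTAMP = 55     # Event-Timestamp attribute, 4-octet seconds since epoch


def request_authenticator(header, attrs, secret):
    # RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_request(code, identifier, attributes, secret):
    """Construct a signed request; used here only to make sample input."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute")
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + attr_len]))
        i += attr_len
    return out


def validate_request(packet, secret, now, window):
    """Return (accepted, reason) for a received CoA or DM request.

    window mirrors event-timestamp-window: 0 disables the timestamp check.
    """
    if len(packet) < 20:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False, "unexpected code"
    if length < 20 or length > len(packet):
        return False, "bad length"
    packet = packet[:length]  # ignore padding past the declared length
    expected = request_authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad authenticator"
    try:
        attrs = parse_attributes(packet[20:])
    except ValueError as exc:
        return False, str(exc)
    if window == 0:
        return True, "accepted, timestamp ignored"
    stamps = [v for t, v in attrs if t == EVENT_TIMESTAMP]
    # Assumption of this example: with a non-zero window, a request that
    # carries no well-formed Event-Timestamp is refused.
    if not stamps or len(stamps[0]) != 4:
        return False, "missing event-timestamp"
    sent = struct.unpack("!I", stamps[0])[0]
    if abs(now - sent) > window:
        return False, "stale event-timestamp"
    return True, "accepted"


def demo():
    secret = b"constructedKey1"      # constructed shared secret (15 characters)
    sent_at = 1700000000             # constructed send time, seconds since epoch
    attrs = [(1, b"user1"), (EVENT_TIMESTAMP, struct.pack("!I", sent_at))]
    dm = build_request(DISCONNECT_REQUEST, 7, attrs, secret)
    forged = dm[:-1] + bytes([dm[-1] ^ 1])   # one bit changed in transit
    return {
        "fresh": validate_request(dm, secret, sent_at + 5, 300),
        "replayed": validate_request(dm, secret, sent_at + 3600, 300),
        "replayed_window_0": validate_request(dm, secret, sent_at + 3600, 0),
        "tampered": validate_request(forged, secret, sent_at + 5, 300),
        "wrong_secret": validate_request(dm, b"otherKey", sent_at + 5, 300),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With a window of 0 the hour-old copy of the same request is accepted, because the authenticator alone does not bind the message to a point in time.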
mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]
• in_label_value is the MPLS label that identifies inbound COA traffic.
• out_label_value1 & out_label_value2 identify the MPLS labels to be added to COA response.
• 3GPP-IMSI: The IMSI of the subscriber. It may include the 3GPP-NSAPI attribute to delete a single PDP context rather than all of the PDP contexts of the subscriber when used with the GGSN product.
Important: For the GGSN product, the value for Acct-Session-Id that is mandated by 3GPP is used instead of the special value for Acct-Session-Id that we use in the RADIUS messages we exchange with a RADIUS accounting server.
Important: When this command is used in conjunction with the GGSN, CoA functionality is not supported.
Specify the IP address 192.168.100.10 as the NAS IP address, a key value of 123456 and use the default port of 3799, by entering the following command:
[ no | default ] radius charging { deadtime dead_minutes | detect-dead-server { consecutive-failures count | response-timeout seconds } | max-outstanding msgs | max-retries tries | max-transmissions transmissions | timeout idle_seconds }
consecutive-failures count: Default: 4. Specifies the number of consecutive failures, for each AAA manager, before a server is marked as unreachable.
count must be an integer from 0 through 1000.
response-timeout seconds: Specifies the number of seconds for each AAA manager to wait for a response to any message before a server is detected as failed, or in a down state.
msgs must be an integer from 1 through 4000.
transmissions must be an integer from 1 through 65535.
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. Response from any one of the n AAA servers would suffice to proceed with the call. The full set of accounting data is sent to each of the n AAA servers.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128.
radius charging accounting server ip_address [ encrypted ] key value [ max msgs ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
Specifies IP address of the accounting server. ip_address must be specified using the standard IPv4 dotted decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be a string of 1 to 15 alpha and/or numeric characters, or when encrypted a string of 1 to 30 alpha and/or numeric characters.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
msgs must be an integer from 0 through 4000.
max_rate must be an integer from 1 through 1000.
Specifies the port number to use for communications. port_number must be an integer from 0 through 65535.
radius charging server ip_address [ encrypted ] key value [ max msgs ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
Specifies the IP address of the server. ip_address must be specified using the standard IPv4 dotted decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be a string of 1 to 15 alpha and/or numeric characters, or when encrypted a string of 1 to 30 alpha and/or numeric characters.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
msgs must be an integer from 0 through 4000.
max_rate must be an integer from 1 through 1000.
Specifies the port number to use for communications. port_number must be an integer from 0 through 65535.
XX is the integer value of the custom dictionary.
Important: RADIUS dictionary custom23 should be used in conjunction with Active Charging Service (ACS). Refer to the Enhanced Charging Service Configuration and Reference Guide for more information.
The following command sets custom23 as dictionary for prepaid charging:
vrf_name is the name of a pre-configured virtual routing and forwarding (VRF) context configured in Context configuration mode through the ip vrf command.
Configures the Calling-Station-Id to be used for the keepalive authentication. id must be an alpha and/or numeric string of 1 through 15 characters in length.
Designates use of encryption for the password. password must be an alpha and/or numeric string of 1 through 64 characters in length.
Configures the password to be used for the authentication. password must be an alpha and/or numeric string of 1 through 64 characters in length.
Configures the username to be used for the authentication. name must be an alpha and/or numeric string of 1 through 127 characters in length.
If access-reject is configured, then both access-accept and access-reject are considered as success for the keepalive authentication request.
If access-reject is not configured, then only access-accept is considered as success for the keepalive access request.
Default: keepalive valid-response access-accept
See the radius accounting server command.
retries must be an integer from 1 through 65535.
idle_seconds must be an integer from 1 through 65535.
radius server ip_address [ encrypted ] key value [ max msgs ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ probe | no-probe ] [ probe-username user_name ] [ probe-password [ encrypted ] password password ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
Specifies the IP address of the server. ip_address must be specified in dotted decimal notation for IPv4 or colon notation for IPv6. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be a string of 1 to 15 alpha and/or numeric characters or a string of 1 to 30 alpha and/or numeric characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
msgs must be an integer from 0 through 4000.
max_rate must be an integer from 1 through 1000.
port_number must be an integer from 1 through 65535.
Specifies the relative priority of this accounting server. The priority is used in server selection for determining which server to send accounting data to. priority must be a value in the range 1 through 1000 where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
The user name sent to the RADIUS server to authenticate probe messages. user_name must be an alpha and/or numeric string of 1 through 127 characters in length.
encrypted: This keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
password password: Specifies the probe-user password for authentication.
password must be an alpha and/or numeric string of 1 through 63 characters in length.
mediation-device: Specifies mediation-device specific AAA transactions. This device is available if you purchased a transaction control services license. Contact your local sales representative for licensing information.
standard: Specifies standard AAA transactions. (Default)
radius server 1.2.5.6 encrypted key scrambledKey oldports priority 10
identifier must be an integer from 100 through 999.
ip_address wildcard_mask: A network address and wildcard mask expressed in IPv4 dotted decimal notation. (192.168.100.0 0.0.0.255)
any : Match any network address.
host network_address : Match the specified network address exactly.
network_address must be an IPv4 address specified in dotted decimal notation.
mask_address wildcard_mask: A mask address and wildcard mask expressed in IPv4 dotted decimal notation. (255.255.255.0 0.0.0.255)
any : Match any network mask.
host mask_address : Match the specified mask address exactly.
mask_address must be an IPv4 address specified in dotted decimal notation.
A name that identifies the route access list. list_name must be a string of 1 through 79 alphanumeric characters in length.
The IP address and subnet mask to match for routes. Both ip_address and wildcard_mask must be entered in IPv4 dotted decimal notation. (192.168.100.0 255.255.255.0)
route-map map_name { deny | permit } seq_number
Important: BGP routing is supported only for use with the HA.
Important: You must obtain and install a valid OSPF or BGP-4 feature use license key to use OSPF and BGP routing features. Refer to the System Administration and Configuration Guide for details on obtaining and installing feature use license keys.
Important: The FTPD server can only be configured in the local context.
Important: The SSH server allows only three unsuccessful login attempts before closing a login session attempt.
Important: The TELNET server allows only three unsuccessful login attempts before closing a login session attempt.
Important: The TFTPD server can only be configured in the local context.
This option only works with the ftpd, sshd, telnetd, and tftpd commands.
Specifies the name of the S-GW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]hostname(config-sgw-service)#
Important: For details about the commands and parameters, check the SGSN Service Configuration Mode chapter.
The following command removes the sgsn service named sgtp1 from the configuration for the current context:
This command sets the public/private key pair to be used by the system where data is the encrypted key and length is the length of the encrypted key in octets.
data must be an alpha and/or numeric string of 1 to 1023 characters and octets must be a value in the range of 0 through 65535.
v1-rsa: SSH v1 RSA host key only
v2-rsa: SSH v2 DSA host key only
v2-dsa: SSH v2 RSA host key only
Important: For maximum security, it is recommended that only SSH v2 be used. v2-rsa is the recommended key type.
ssh key g6j93fw59cx length 128
default: enters the subscriber configuration mode for the context’s default subscriber settings.
name user_name: specifies the user which is to be allowed to use the services of the current context. user_name must be from 1 to 127 alpha and/or numeric characters.
Important: A maximum of 128 subscribers and/or administrative users may be locally configured per context.
low_thresh can be configured to any integer value between 0 and 100.
high_thresh can be configured to any integer value between 0 and 100. The default is 10.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
• Enter condition: Actual IP address utilization percentage per pool group ≤ Low Threshold
• Clear condition: Actual IP address utilization percentage per pool group > High Threshold
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
• Enter condition: Actual percentage of IP addresses free per pool ≤ Low Threshold
• Clear condition: Actual percentage of IP addresses free per pool > High Threshold
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual percentage of IP addresses on hold per pool > High Threshold
• Clear condition: Actual percentage of IP addresses on hold per pool ≤ Low Threshold
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
• Enter condition: Actual percentage of IP addresses in the release state per pool > High Threshold
• Clear condition: Actual percentage of IP addresses in the release state per pool ≤ Low Threshold
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
• Enter condition: Actual percentage of IP addresses used per pool > High Threshold
• Clear condition: Actual percentage of IP addresses used per pool ≤ Low Threshold
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.
Refer to the threshold available-ip-pool-group command, the threshold ip-pool-x commands and the alert-threshold keyword of the ip pool command for additional information on these values.
• SNMP traps: SNMP traps have been created that indicate the condition (high threshold crossing and/or clear) of each of the monitored values. Complete descriptions and other information pertaining to these traps is located in the starentMIB(8164).starentTraps(2) section of the SNMP MIB Reference.
• Logs: The system provides a facility called threshold for which active and event logs can be generated. As with other system facilities, logs are generated. Log messages pertaining to the condition of a monitored value are generated with a severity level of WARNING.
• Alarm System: High threshold alarms generated within the specified polling interval are considered "outstanding" until the condition no longer exists and/or a condition clear alarm is generated.
Refer to the threshold poll command in Global Configuration Mode Commands for information on configuring the polling interval over which IP address pool utilization is monitored.
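The enter and clear conditions listed for the IP pool thresholds form a hysteresis band in the Alarm model. The following added example (not taken from this guide or the product) replays constructed per-poll percentages through those conditions for a rising threshold (used) and a falling one (free), including the case where the clear threshold is left unconfigured; the function name and all sample values are assumptions of this example.

```python
def alarm_events(samples, enter, clear=None, rising=True):
    """Replay per-poll percentage samples through the Alarm-model conditions.

    rising=True  : enter when value > enter,  clear when value <= clear
                   (the used, hold and release thresholds)
    rising=False : enter when value <= enter, clear when value > clear
                   (the free / available thresholds)
    clear=None models an unconfigured clear threshold, which is then
    treated as identical to the enter threshold.
    Returns a list of (poll_index, event, value) tuples.
    """
    if clear is None:
        clear = enter
    for name, threshold in (("enter", enter), ("clear", clear)):
        if not 0 <= threshold <= 100:
            raise ValueError(f"{name} threshold must be 0 through 100")

    events = []
    outstanding = False  # True while an alarm has been raised and not cleared
    for poll, value in enumerate(samples):
        if not outstanding:
            crossed = value > enter if rising else value <= enter
            if crossed:
                outstanding = True
                events.append((poll, "alarm", value))
        else:
            recovered = value <= clear if rising else value > clear
            if recovered:
                outstanding = False
                events.append((poll, "clear", value))
    return events


# Constructed samples: one percentage per polling interval.
USED_PER_POLL = [70, 86, 84, 86, 83, 60, 50]
FREE_PER_POLL = [30, 14, 16, 14, 17, 40]


def demo():
    return {
        # Used: high threshold 85, low threshold 65.
        "used_with_low": alarm_events(USED_PER_POLL, enter=85, clear=65),
        # Used: low threshold not configured, so it equals the high threshold.
        "used_no_low": alarm_events(USED_PER_POLL, enter=85),
        # Free: low threshold 15 raises the alarm, high threshold 35 clears it.
        "free": alarm_events(FREE_PER_POLL, enter=15, clear=35, rising=False),
    }


if __name__ == "__main__":
    for name, events in demo().items():
        print(name, events)
```

Without a separate clear threshold the same samples raise and clear the alarm twice, so a value hovering near the threshold produces repeated trap and log pairs.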
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.