Cisco IOS Mobile Wireless Command Reference, Release 12.3 T
Mobile Wireless Commands: aaa accounting -- gprs canonical-qos

Table Of Contents

Cisco IOS Mobile Wireless Commands

aaa-accounting

aaa-group

access-mode

access-point

access-point-name

access-type

access-violation deactivate-pdp-context

aggregate

anonymous user

block count

block-foreign-ms

cdma pdsn a10 ahdlc engine

cdma pdsn a10 gre sequencing

cdma pdsn a10 init-ppp-after-airlink-start airlink-start-timeout

cdma pdsn a10 max-lifetime

cdma pdsn a11 dormant ppp-idle-timeout send-termreq

cdma pdsn a11 mandate presence airlink-setup

cdma pdsn accounting local-timezone

cdma pdsn accounting send

cdma pdsn accounting send cdma-ip-tech

cdma pdsn accounting time-of-day

cdma pdsn age-idle-users

cdma pdsn cluster controller

cdma pdsn cluster controller session-high

cdma pdsn cluster controller session-low

cdma pdsn cluster member

cdma pdsn compliance iosv4.1 session-reference

cdma pdsn compliance is835a esn-optional

cdma pdsn failure-history

cdma pdsn ingress-address-filtering

cdma pdsn maximum pcf

cdma pdsn maximum sessions

cdma pdsn mobile-advertisement-burst

cdma pdsn msid-authentication

cdma pdsn retransmit a11-update

cdma pdsn secure cluster

cdma pdsn secure pcf

cdma pdsn selection interface

cdma pdsn selection keepalive

cdma pdsn selection load-balancing

cdma pdsn selection session-table-size

cdma pdsn send-agent-adv

cdma pdsn timeout a11-update

cdma pdsn timeout mobile-ip-registration

cdma pdsn virtual-template

clear cdma pdsn cluster controller session records age

clear cdma pdsn selection

clear cdma pdsn session

clear cdma pdsn statistics

clear gprs access-point statistics

clear gprs charging cdr

clear gprs gtp pdp-context

clear gprs gtp statistics

clear gprs gtp-director statistics

clear ip mobile host-counters

clear ip mobile secure

clear ip mobile visitor

clear ip rtp header-compression

clear ppp mux

clear radius local-server

crypto map (global IPSec)

dhcp-gateway-address

dhcp-server

dns primary

encapsulation gtp

gprs access-point-list

gprs canonical-qos best-effort bandwidth-factor

gprs canonical-qos gsn-resource-factor

gprs canonical-qos map tos

gprs canonical-qos premium mean-throughput-deviation


Cisco IOS Mobile Wireless Commands


This book documents all of the Cisco IOS software commands in Cisco IOS Release 12.3(11)T for the Gateway GPRS Support Node (GGSN), GTP Director Module (GDM), and Packet Data Serving Node (PDSN), in alphabetical order.

aaa-accounting

To enable or disable accounting for a particular access point on the GGSN, use the aaa-accounting access-point configuration command.

aaa-accounting [enable | disable | interim update]

Syntax Description

enable

(Optional) Enables accounting on the APN. When you configure an APN for non-transparent access, this is the default value.

disable

(Optional) Disables accounting on the APN. When you configure an APN for transparent access, this is the default value.

interim update

(Optional) Enables interim accounting records to be sent to an accounting server when a routing area update (resulting in an SGSN change) or QoS change has occurred.


Defaults

enable—For non-transparent APNs

disable—For transparent APNs

Interim accounting is disabled.

Command Modes

Access-point configuration

Command History

Release
Modification

12.2(4)MX

This command was introduced.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.2(8)YY

This command was incorporated in GGSN 3.1 and the ability to enable interim accounting records was added.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

You can configure AAA accounting services at an access point. However, for accounting to occur, you also must complete the configuration by specifying the following other configuration elements on the GGSN:

Enable AAA services using the aaa new-model global configuration command.

Define a server group with the IP addresses of the RADIUS servers in that group using the aaa group server global configuration command.

Configure the following AAA services:

AAA authentication using the aaa authentication global configuration command

AAA authorization using the aaa authorization global configuration command

AAA accounting using the aaa accounting global configuration command

Assign the type of services that the AAA server group should provide. If you only want the server group to support accounting services, then you need to configure the server for accounting only. You can assign the AAA services to the AAA server groups either at the GPRS global configuration level using the gprs default aaa-group command, or at the APN using the aaa-group command.

Configure the RADIUS servers using the radius-server host command.


Note: For more information about AAA and RADIUS global configuration commands, see the Cisco IOS Security Command Reference.


You can verify whether AAA accounting services are configured at an APN using the show gprs access-point command.

This command does not have a no form.

Enabling and Disabling Accounting Services for an Access Point

The Cisco Systems GGSN has different defaults for enabling and disabling accounting services for transparent and non-transparent access points:

If you configure an APN for non-transparent access using the access-mode command, the GGSN automatically enables accounting with authentication at the APN.

If you configure an APN for transparent access, which is the default access mode, the GGSN automatically disables accounting at the APN.

To selectively disable accounting at specific APNs where you do not want that service, use the aaa-accounting disable access-point configuration command.

Configuring Interim Accounting for an Access Point

Using the aaa-accounting interim update access-point configuration command, you can configure the GGSN to send Interim-Update Accounting requests to the AAA server when a routing area update (resulting in an SGSN change) or QoS change has occurred for a PDP context. These changes are conveyed to the GGSN by an Update PDP Context request.


Note: Interim accounting support requires that accounting services be enabled for the APN and that the aaa accounting update newinfo global configuration command be configured.


This command does not have a no form.

Examples

Example 1

The following configuration example disables accounting at access-point 1:

interface virtual-template 1
 gprs access-point-list abc
!
gprs access-point-list abc
 access-point 1
  access-point-name gprs.pdn.com 
  access-mode non-transparent
  aaa-accounting disable

Example 2

The following configuration example enables accounting on transparent access-point 4. Accounting is disabled on access-point 5 because it is configured for transparent mode and the aaa-accounting enable command is not explicitly configured.

Accounting is automatically enabled on access-point 1 because it has been configured for non-transparent access mode. Accounting is explicitly disabled at access-point 3, because accounting is automatically enabled for non-transparent access mode.

Examples of some of the AAA and RADIUS global configuration commands are also shown:

aaa new-model
!
aaa group server radius foo
 server 10.2.3.4
 server 10.6.7.8
aaa group server radius foo1
 server 10.10.0.1
aaa group server radius foo2
 server 10.2.3.4
 server 10.10.0.1
aaa group server radius foo3
 server 10.6.7.8
 server 10.10.0.1
!
aaa authentication ppp foo group foo
aaa authentication ppp foo2 group foo2
aaa authorization network default group radius 
aaa accounting exec default start-stop group foo
aaa accounting network foo1 start-stop group foo1
aaa accounting network foo2 start-stop group foo2
!
gprs access-point-list gprs
 access-point 1
  access-mode non-transparent
  access-point-name www.pdn1.com
  aaa-group authentication foo
!
 access-point 3
  access-point-name www.pdn2.com
  access-mode non-transparent
  aaa-accounting disable
  aaa-group authentication foo
!
 access-point 4
  access-point-name www.pdn3.com
  aaa-accounting enable
  aaa-group accounting foo1
!
 access-point 5
  access-point-name www.pdn4.com
!
gprs default aaa-group authentication foo2
gprs default aaa-group accounting foo3
!
radius-server host 10.2.3.4 auth-port 1645 acct-port 1646 non-standard
radius-server host 10.6.7.8 auth-port 1645 acct-port 1646 non-standard
radius-server host 10.10.0.1 auth-port 1645 acct-port 1646 non-standard
radius-server key ggsntel

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa authorization

Sets parameters that restrict user access to a network.

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa-group

Specifies a RADIUS server group and assigns the type of AAA services to be supported by the server group for a particular access point on the GGSN.

gprs default aaa-group

Specifies a default RADIUS server group and assigns the type of AAA services to be supported by the server group for all access points on the GGSN.

radius-server host

Specifies a RADIUS server host.

show gprs access-point

Displays information about access points on the GGSN.


aaa-group

To specify a AAA server group and assign the type of AAA services to be supported by the server group for a particular access point on the GGSN, use the aaa-group access-point configuration command. To remove a AAA server group, use the no form of this command.

aaa-group {authentication | accounting} server-group

no aaa-group {authentication | accounting} server-group

Syntax Description

authentication

Assigns the selected server group for authentication services on the APN.

accounting

Assigns the selected server group for accounting services only on the APN.

server-group

Specifies the name of a AAA server group to be used for AAA services on the APN.

Note: The name of the AAA server group that you specify must correspond to a server group that you configure using the aaa group server command.


Defaults

No default behavior or values.

Command Modes

Access-point configuration

Command History

Release
Modification

12.2(4)MX

This command was introduced.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

The Cisco Systems GGSN supports authentication and accounting at APNs using AAA server groups. By using AAA server groups, you gain the following benefits:

You can selectively implement groups of servers for authentication and accounting at different APNs.

You can configure different server groups for authentication services and accounting services in the same APN.

You can control which RADIUS services you want to enable at a particular APN, such as AAA accounting.

The GGSN supports the implementation of AAA server groups at both the global and access-point configuration levels. You can minimize your configuration by specifying the configuration that you want to support across most APNs, at the global configuration level. Then, at the access-point configuration level, you can selectively modify the services and server groups that you want to support at a particular APN. Therefore, you can override the AAA server global configuration at the APN configuration level.

To configure a default AAA server group to be used for all APNs on the GGSN, use the gprs default aaa-group global configuration command. To specify a different AAA server group to be used at a particular APN for authentication or accounting, use the aaa-group access-point configuration command.

If accounting is enabled on the APN, then the GGSN looks for an accounting server group to be used for the APN in the following order:

First, at the APN for an accounting server group—configured in the aaa-group accounting command.

Second, for a global GPRS default accounting server group—configured in the gprs default aaa-group accounting command.

Third, at the APN for an authentication server group—configured in the aaa-group authentication command.

Last, for a global GPRS default authentication server group—configured in the gprs default aaa-group authentication command.

If none of the above commands are configured on the GGSN, then AAA accounting is not performed.

If authentication is enabled on the APN, then the GGSN first looks for an authentication server group at the APN, configured in the aaa-group authentication command. If an authentication server group is not found at the APN, then the GGSN looks for a globally configured, GPRS default authentication server group, configured in the gprs default aaa-group authentication command.

To complete the configuration, you also must specify the following configuration elements on the GGSN:

Enable AAA services using the aaa new-model global configuration command.

Configure the RADIUS servers using the radius-server host command.

Define a server group with the IP addresses of the RADIUS servers in that group using the aaa group server global configuration command.

Configure the following AAA services:

AAA authentication using the aaa authentication global configuration command

AAA authorization using the aaa authorization global configuration command

AAA accounting using the aaa accounting global configuration command

Enable the type of AAA services (accounting and authentication) to be supported on the APN.

The GGSN enables accounting by default for non-transparent APNs.

You can enable or disable accounting services at the APN using the aaa-accounting command.

Authentication is enabled by default for non-transparent APNs. There is not any specific command to enable or disable authentication. Authentication cannot be enabled for transparent APNs.

You can verify the AAA server groups that are configured for an APN using the show gprs access-point command.


Note: For more information about AAA and RADIUS global configuration commands, see the Cisco IOS Security Command Reference.


Examples

The following configuration example defines four AAA server groups on the GGSN: foo, foo1, foo2, and foo3, shown by the aaa group server commands.

Using the gprs default aaa-group command, two of these server groups are globally defined as default server groups: foo2 for authentication, and foo3 for accounting.

At access-point 1, which is enabled for authentication, the default global authentication server group of foo2 is overridden and the server group named foo is designated to provide authentication services on the APN. Notice that accounting services are not explicitly configured at that access point, but are automatically enabled because authentication is enabled. Because an accounting server group is defined globally, the server group named foo3 is used for accounting services.

At access-point 2, which is enabled for authentication, the default global authentication server group of foo2 is used. Because an accounting server group is defined globally, the server group named foo3 is used for accounting services.

At access-point 4, which is enabled for accounting using the aaa-accounting enable command, the default accounting server group of foo3 is overridden and the server group named foo1 is designated to provide accounting services on the APN.

Access-point 5 does not support any AAA services because it is configured for transparent access mode, and accounting is not enabled.

aaa new-model
!
aaa group server radius foo
 server 10.2.3.4
 server 10.6.7.8
aaa group server radius foo1
 server 10.10.0.1
aaa group server radius foo2
 server 10.2.3.4
 server 10.10.0.1
aaa group server radius foo3
 server 10.6.7.8
 server 10.10.0.1
!
aaa authentication ppp foo group foo
aaa authentication ppp foo2 group foo2
aaa authorization network default group radius 
aaa accounting exec default start-stop group foo
aaa accounting network foo1 start-stop group foo1
aaa accounting network foo2 start-stop group foo2
aaa accounting network foo3 start-stop group foo3
!
gprs access-point-list gprs
 access-point 1
  access-mode non-transparent
  access-point-name www.pdn1.com
  aaa-group authentication foo
!
 access-point 2
  access-mode non-transparent
  access-point-name www.pdn2.com
!
 access-point 4
  access-point-name www.pdn4.com
  aaa-accounting enable
  aaa-group accounting foo1
!
 access-point 5
  access-point-name www.pdn5.com
!
gprs default aaa-group authentication foo2
gprs default aaa-group accounting foo3
!
radius-server host 10.2.3.4 auth-port 1645 acct-port 1646 non-standard
radius-server host 10.6.7.8 auth-port 1645 acct-port 1646 non-standard
radius-server host 10.10.0.1 auth-port 1645 acct-port 1646 non-standard
radius-server key ggsntel
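
The defaults and server-group lookup order described in the Usage Guidelines above, as an added audit sketch in Python (not Cisco code): it parses a configuration excerpt and reports, for each APN, whether authentication and accounting are in effect and which server group each resolves to. The sample configuration is constructed from the example above with access-point 3 added, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the example above (access-point 3 is added).
SAMPLE_CONFIG = """\
gprs access-point-list gprs
 access-point 1
  access-mode non-transparent
  aaa-group authentication foo
 access-point 2
  access-mode non-transparent
 access-point 3
  access-mode non-transparent
  aaa-accounting disable
 access-point 4
  aaa-accounting enable
  aaa-group accounting foo1
 access-point 5
  access-point-name www.pdn5.com
!
gprs default aaa-group authentication foo2
gprs default aaa-group accounting foo3
"""

DEFAULT_RE = re.compile(r"gprs default aaa-group (authentication|accounting) (\S+)$")
AP_RE = re.compile(r"access-point (\d+)$")
GROUP_RE = re.compile(r"aaa-group (authentication|accounting) (\S+)$")

def parse(config):
    """Return (access_points, defaults) parsed from GGSN configuration text."""
    aps, defaults, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            current = None                  # a top-level command leaves APN context
        if m := DEFAULT_RE.match(line):
            defaults[m.group(1)] = m.group(2)
        elif m := AP_RE.match(line):
            current = aps.setdefault(int(m.group(1)), {"groups": {}})
        elif current is None:
            continue
        elif m := GROUP_RE.match(line):
            current["groups"][m.group(1)] = m.group(2)
        elif line.startswith("access-mode "):
            current["mode"] = line.split()[1]
        elif line in ("aaa-accounting enable", "aaa-accounting disable"):
            current["accounting"] = line.split()[1]
        elif line == "aaa-accounting interim update":
            current["interim"] = True
    return aps, defaults

def resolve(ap, defaults):
    """Apply the documented defaults and lookup order to one access point."""
    authenticated = ap.get("mode", "transparent") == "non-transparent"
    explicit = ap.get("accounting")
    # Default: accounting on for non-transparent APNs, off for transparent ones.
    accounting = (explicit == "enable") if explicit else authenticated
    groups = ap["groups"]
    auth_group = None
    if authenticated:
        auth_group = groups.get("authentication") or defaults.get("authentication")
    acct_group = acct_source = None
    if accounting:
        # Documented order: APN accounting, default accounting,
        # APN authentication, default authentication.
        for source, name in (
            ("apn accounting", groups.get("accounting")),
            ("default accounting", defaults.get("accounting")),
            ("apn authentication", groups.get("authentication")),
            ("default authentication", defaults.get("authentication")),
        ):
            if name:
                acct_group, acct_source = name, source
                break
    findings = []
    if not authenticated:
        findings.append("transparent access: no user authentication")
    elif auth_group is None:
        findings.append("no authentication server group resolves")
    if not accounting:
        findings.append("accounting disabled")
    elif acct_group is None:
        findings.append("accounting enabled but no server group: not performed")
    if ap.get("interim") and not accounting:
        findings.append("interim update configured while accounting is off")
    return {"authenticated": authenticated, "auth_group": auth_group,
            "accounting": accounting, "acct_group": acct_group,
            "acct_source": acct_source, "findings": findings}

def audit(config):
    """Map access-point index to its resolved AAA state."""
    aps, defaults = parse(config)
    return {index: resolve(ap, defaults) for index, ap in sorted(aps.items())}

if __name__ == "__main__":
    for index, state in audit(SAMPLE_CONFIG).items():
        print(index, state)
```

An APN whose findings list is non-empty either admits users without authentication or produces no RADIUS accounting records, which is worth confirming against the intended policy for that PDN.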

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa authorization

Sets parameters that restrict user access to a network.

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa-accounting

Enables or disables accounting for a particular access point on the GGSN.

gprs default aaa-group

Specifies a default RADIUS server group and assigns the type of AAA services to be supported by the server group for all access points on the GGSN.

radius-server host

Specifies a RADIUS server host.

show gprs access-point

Displays information about access points on the GGSN.


access-mode

To specify whether the GGSN requests user authentication at the access point to a PDN, use the access-mode access-point configuration command. To remove an access mode and return to the default value, use the no form of this command.

access-mode {transparent | non-transparent}

no access-mode {transparent | non-transparent}

Syntax Description

transparent

Specifies that the users who access the PDN through the access point associated with the current virtual template are allowed access without authorization or authentication.

non-transparent

Specifies that the users who access the PDN through the current virtual template must be authenticated by the GGSN acting as a proxy for the authentication.


Defaults

transparent

Command Modes

Access-point configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the access-mode command to specify whether users accessing a PDN through a particular access point associated with the virtual template interface have transparent or non-transparent access to the network.

Transparent access means that users who access the PDN through the current virtual template are granted access without further authentication.

Non-transparent access means that users who access the PDN through the current virtual template must be authenticated by the GGSN. You must configure non-transparent access to support RADIUS services at an access point. Authentication is performed by the GGSN while establishing the PDP context.

Examples

Example 1

The following example specifies non-transparent access to the PDN, gprs.pdn.com, through access-point 1:

interface virtual-template 1
 gprs access-point-list abc
!
gprs access-point-list abc
 access-point 1
  access-point-name gprs.pdn.com 
  access-mode non-transparent

Example 2

The following example specifies transparent access to the PDN, gprs.pdn2.com, through access-point 2:

interface virtual-template 1
 gprs access-point-list abc
!
gprs access-point-list abc
 access-point 2
  access-point-name gprs.pdn2.com


Note: Because transparent is the default access mode, it does not appear in the output of the show running-configuration command for the access point.


Related Commands

Command
Description

aaa-group

Specifies a AAA server group and assigns the type of AAA services to be supported by the server group for a particular access point on the GGSN.

access-point

Specifies an access-point number and enters access-point configuration mode.

gprs default aaa-group

Specifies a default AAA server group and assigns the type of AAA services to be supported by the server group for all access points on the GGSN.


access-point

To specify an access point number and enter access-point configuration mode, use the access-point access-point list configuration command. To remove an access point number, use the no form of this command.

access-point access-point-index

no access-point access-point-index

Syntax Description

access-point-index

Integer from 1 to 65535 that identifies a GPRS access point.


Defaults

No default behavior or values.

Command Modes

Access-point list configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.


12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the access-point command to create an access point to a PDN.

To configure an access point, first set up an access-point list using the gprs access-point-list command and then add the access point to the access-point list.

You can specify access point numbers in any sequence.


Note: Memory constraints might occur if you define a large number of access points to support VPN Routing and Forwarding (VRF).


Examples

The following example configures an access point with an index number of 7 in an access-point-list named "abc" on the GGSN:

gprs access-point-list abc
 access-point 7

Related Commands

Command
Description

access-point-name

Specifies the network (or domain) name for a PDN that users can access from the GGSN at a defined access point.

gprs access-point-list

Configures an access point list that you use to define PDN access points on the GGSN.


access-point-name

To specify the network (or domain) name for a PDN that users can access from the GGSN at a defined access point, use the access-point-name access-point configuration command. To remove an access point name, use the no form of this command.

access-point-name apn-name

no access-point-name apn-name

Syntax Description

apn-name

Specifies the network or domain name of the private data network that can be accessed through the current access point.


Defaults

There is no default value for this command.

Command Modes

Access-point configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the access-point-name command to specify the PDN name of a network that can be accessed through a particular access point. An access-point name is mandatory for each access point.

To configure an access point, first set up an access-point list using the gprs access-point-list command and then add the access point to the access-point list.

The access-point name typically is the domain name of the service provider that users access, for example, www.isp.com.

Examples

The following example specifies the access-point name for a network:

 access-point 1
  access-point-name www.isp.com
  exit

Related Commands

Command
Description

access-point

Specifies an access point number and enters access-point configuration mode.


access-type

To specify whether an access point is real or virtual on the GGSN, use the access-type access-point configuration command. To return to the default value, use the no form of this command.

access-type {virtual | real}

no access-type {virtual | real}

Syntax Description

virtual

Specifies an APN type that is not associated with any specific physical target network on the GGSN.

real

Specifies an APN type that corresponds to an external physical network to a PDN on the GGSN. This is the default value.


Defaults

real

Command Modes

Access-point configuration

Command History

Release
Modification

12.2(4)MX

This command was introduced.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the access-type command to specify whether an access point is real or virtual on the GGSN. You only need to configure this command for virtual access types.

Virtual access types are used to configure virtual APN support on the Cisco Systems GGSN to minimize provisioning issues in other GPRS network entities that require configuration of APN information. Using the virtual APN feature on the Cisco Systems GGSN, HLR subscription data can simply provide the name of the virtual APN. Users can still request access to specific target networks that are accessible by the GGSN without requiring each of those destination APNs to be provisioned at the HLR.

The default keyword, real, identifies a physical target network that the GGSN can reach. Real APNs must always be configured on the GGSN to reach external networks. Virtual APNs can be configured in addition to real access points to ease provisioning in the GPRS PLMN.

No other access-point configuration commands are applicable if the access type is virtual.

Examples

The following example shows configuration of a virtual access point type and a real access point type:

 access-point 1
  access-point-name corporate
  access-type virtual
  exit
 access-point 2
  access-point-name corporatea.com
  ip-address-pool dhcp-client
  dhcp-server 10.21.21.1

Related Commands

Command
Description

access-point

Specifies an access point number and enters access-point configuration mode.

access-point-name

Specifies the network (or domain) name for a PDN that users can access from the GGSN at a defined access point.


access-violation deactivate-pdp-context

To specify that a user's session be ended and the user packets discarded when a user attempts unauthorized access to a PDN through an access point, use the access-violation deactivate-pdp-context command. To return to the default value, use the no form of this command.

access-violation deactivate-pdp-context

no access-violation deactivate-pdp-context

Syntax Description

This command has no arguments or keywords.

Defaults

The user's session remains active and the user packets are discarded.

Command Modes

Access-point configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)YW

This command was incorporated in Cisco IOS Release 12.2(8)YW and the discard-packets option was removed.

12.2(8)YY

This command was incorporated in Cisco IOS Release 12.2(8)YY.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the access-violation deactivate-pdp-context command to specify the action that is taken if a user attempts unauthorized access through the specified access point.

The default is that the GGSN simply drops user packets when an unauthorized access is attempted. However, if you specify access-violation deactivate-pdp-context, the GGSN terminates the user's session in addition to discarding the packets.

Examples

The following example shows deactivation of a user's access in addition to discarding the user packets:

 access-point 1
  access-point-name pdn.aaaa.com
  ip-access-group 101 in
  access-violation deactivate-pdp-context
  exit

Related Commands

Command
Description

access-point-name

Specifies the network (or domain) name for a PDN that users can access from the GGSN at a defined access point.


aggregate

To configure the GGSN to create an aggregate route in its IP routing table, when receiving PDP requests from MSs on the specified network, for a particular access point on the GGSN, use the aggregate access-point configuration command. To remove an aggregate route, use the no form of this command.

aggregate {auto | ip-network-prefix{/mask-bit-length | ip-mask}}

no aggregate {auto | ip-network-prefix{/mask-bit-length | ip-mask}}

Syntax Description

auto

IP address mask sent by the DHCP or RADIUS server is used by the access point for route aggregation.

ip-network-prefix

Dotted decimal notation of the IP network address to be used by the GGSN for route aggregation, in the format a.b.c.d.

/mask-bit-length

Number of bits (as an integer) that represent the network portion of the specified IP network address. A forward slash is required before the integer.

Note: There is no space between the ip-network-prefix and the slash (/).

ip-mask

Dotted decimal notation of the IP network mask (in the format e.f.g.h.), which represents the network and host portion of the specified IP network address.


Defaults

No default behavior or values.

Command Modes

Access-point configuration

Command History

Release
Modification

12.2(4)MX

This command was introduced.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

The GGSN uses a static host route to forward user data packets received from the Gi interface to the Gn interface using the virtual template interface of the GTP tunnel.

Without the aggregate command or gprs default aggregate command, the GGSN creates a static host route for each PDP context. For example, for 45,000 PDP contexts supported, the GGSN creates 45,000 static host routes in its IP routing table.

You can use the aggregate command to reduce the number of static routes implemented by the GGSN for PDP contexts at a particular access point. The aggregate command allows you to specify an IP network prefix to combine the routes of PDP contexts from the same network as a single route on the GGSN.

To configure the GGSN to automatically aggregate routes that are returned by a DHCP or RADIUS server, use the aggregate auto command at the APN. Automatic route aggregation can be configured at the access-point configuration level only on the GGSN. The gprs default aggregate global configuration command does not support the auto option; therefore, you cannot configure automatic route aggregation globally on the GGSN.

You can specify multiple aggregate commands at each access point to support multiple network aggregates. However, if you use the aggregate auto command at the APN, you cannot specify any other aggregate route ranges at the APN. If you need to handle other static route cases at the APN, then you will have to use the gprs default aggregate global configuration command.

To globally define an aggregate IP network address range for all access points on the GGSN for statically derived addresses, you can use the gprs default aggregate command. Then, you can use the aggregate command to override this default address range at a particular access point.

The GGSN manages routes for MSs through an access point as follows, depending on how route aggregation is configured:

- No aggregation is configured on the GGSN, at the APN or globally: The GGSN inserts the 32-bit host route of the MS into its routing table as a static route.

- A default aggregate route is configured globally, but no aggregation is configured at the APN:

    - If a statically or dynamically derived address for an MS matches the default aggregate route range, the GGSN inserts an aggregate route into its routing table.

    - If the MS address does not match the default aggregate route, the GGSN inserts the 32-bit host route as a static route into the routing table.

- A default aggregate route is configured globally, and automatic route aggregation is configured at the APN:

    - If a statically derived address for an MS matches the default aggregate route range, the GGSN inserts an aggregate route into its routing table.

    - If a statically derived address for an MS does not match the default aggregate route, the GGSN inserts the 32-bit host route as a static route into its routing table.

    - If a dynamically derived address for an MS is received, the GGSN aggregates the route based on the address and mask returned by the DHCP or RADIUS server.

- A default aggregate route is configured globally, and an aggregate route is also configured at the APN:

    - If a statically or dynamically derived address for an MS matches the aggregate range at the APN through which it was processed, or otherwise matches the default aggregate range, the GGSN inserts an aggregate route into its routing table.

    - If a statically or dynamically derived address for an MS does not match either the aggregate range at the APN, or the global default aggregate range, the GGSN inserts the 32-bit host route as a static route into its routing table.

Use care when assigning IP addresses to an MS before you configure the aggregation ranges on the GGSN. A basic guideline is to aggregate as many addresses as possible, but to minimize your use of aggregation with respect to the total amount of IP address space being used by the access point.


Note: The aggregate and gprs default aggregate commands affect routing on the GGSN. Use care when planning and configuring IP address aggregation.


Use the show gprs access-point command to display information about the aggregate routes that are configured on the GGSN. The aggregate output field appears only when aggregate routes have been configured on the GGSN, or the auto option is configured.

Use the show ip route command to verify whether the static route is in the current IP routing table on the GGSN. The static route created for any PDP requests (aggregated or non-aggregated) appears with the code "U" in the routing table indicating a per-user static route.


Note: The show ip route command only displays a static route for aggregated PDP contexts if PDP contexts on that network have been created on the GGSN. If you configure route aggregation on the GGSN, but no PDP requests have been received for that network, the static route does not appear.


Examples

Example 1

The following example specifies two aggregate network address ranges for access point 8. The GGSN will create aggregate routes for PDP context requests received from MSs with IP addresses on the networks 172.16.0.0 and 10.0.0.0:

gprs access-point-list gprs
 access-point 8
   access-point-name pdn.aaaa.com
   aggregate 172.16.0.0/16
   aggregate 10.0.0.0/8


Note: Regardless of the format in which you configure the aggregate command, the output from the show running-configuration command always displays the network in the dotted decimal/integer notation.


Example 2

The following example shows a route aggregation configuration for access point 8 using DHCP on the GGSN, along with the associated output from the show gprs gtp pdp-context all command and the show ip route commands.

Notice that the aggregate auto command is configured at the access point where DHCP is being used. The dhcp-gateway-address command specifies the subnet addresses to be returned by the DHCP server. This address should match the IP address of a loopback interface on the GGSN. In addition, to accommodate route aggregation for another subnet 10.80.0.0, the gprs default aggregate global configuration command is used.

In this example, the GGSN aggregates routes for dynamically derived addresses for MSs through access point 8 based upon the address and mask returned by the DHCP server. For PDP context requests received for statically derived addresses on the 10.80.0.0 network, the GGSN also implements an aggregate route into its routing table, as configured by the gprs default aggregate command.

interface Loopback0
 ip address 10.80.0.1 255.255.255.255
!
interface Loopback2
 ip address 10.88.0.1 255.255.255.255
!
gprs access-point-list gprs
 access-point 8
   access-point-name pdn.aaaa.com
   ip-address-pool dhcp-proxy-client
   aggregate auto
   dhcp-server 172.16.43.35
   dhcp-gateway-address 10.88.0.1
   exit
!
gprs default aggregate 10.80.0.0 255.255.255.0

In the following output for the show gprs gtp pdp-context all command, 5 PDP context requests are active on the GGSN for pdn.aaaa.com from the 10.88.0.0/24 network:

router# show gprs gtp pdp-context all
TID              MS Addr         Source  SGSN Addr       APN
6161616161610001 10.88.0.1       DHCP    172.16.123.1    pdn.aaaa.com
6161616161610002 10.88.0.2       DHCP    172.16.123.1    pdn.aaaa.com
6161616161610003 10.88.0.3       DHCP    172.16.123.1    pdn.aaaa.com
6161616161610004 10.88.0.4       DHCP    172.16.123.1    pdn.aaaa.com
6161616161610005 10.88.0.5       DHCP    172.16.123.1    pdn.aaaa.com

The following output for the show ip route command shows a single static route in the IP routing table for the GGSN, which routes the traffic for the 10.88.0.0/24 subnet through the virtual template (or Virtual-Access1) interface:

Router# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.80.0.0/16 is subnetted, 1 subnets
C       10.80.0.0 is directly connected, Loopback0
     10.113.0.0/16 is subnetted, 1 subnets
C       10.113.0.0 is directly connected, Virtual-Access1
     172.16.0.0/16 is variably subnetted, 3 subnets, 3 masks
C       172.16.43.192/28 is directly connected, FastEthernet0/0
S       172.16.43.0/24 is directly connected, FastEthernet0/0
S       172.16.43.35/32 is directly connected, Ethernet2/3
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
U       10.88.0.0/24 [1/0] via 0.0.0.0, Virtual-Access1
C       10.88.0.0/16 is directly connected, Loopback2
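
The route-selection rules from the Usage Guidelines can be modeled in a few lines and run against the addresses of Example 2. This is an added illustration, not Cisco code; the function names, the tuple layout and the two static addresses are assumptions made for the example, as is falling back to the configured ranges when no mask is returned with a dynamic address.

```python
import ipaddress

def installed_route(ms_addr, source, server_mask=None, apn_aggregates=(),
                    apn_auto=False, default_aggregates=()):
    """Model of the route installed for one PDP context, as a string.

    source: "static" or "dynamic" (address from DHCP or RADIUS).
    server_mask: mask returned with a dynamic address, if any.
    """
    if apn_auto and apn_aggregates:
        # Per the page, aggregate auto excludes other aggregate ranges at the APN.
        raise ValueError("aggregate auto cannot be combined with APN ranges")
    addr = ipaddress.ip_address(ms_addr)
    if apn_auto and source == "dynamic" and server_mask:
        # Auto: aggregate on the address and mask the server returned.
        return str(ipaddress.ip_network(f"{ms_addr}/{server_mask}", strict=False))
    # APN ranges are tried first, then the global default ranges.
    for prefix in (*apn_aggregates, *default_aggregates):
        net = ipaddress.ip_network(prefix)
        if addr in net:
            return str(net)
    return f"{addr}/32"  # no match: 32-bit host route

def routing_table(contexts, **config):
    """Distinct routes for (address, source, server_mask) tuples, sorted."""
    return sorted({installed_route(a, s, m, **config) for a, s, m in contexts})

# Constructed input: the five DHCP contexts of Example 2, plus two static ones.
EXAMPLE2 = [(f"10.88.0.{i}", "dynamic", "255.255.255.0") for i in range(1, 6)]
STATIC = [("10.80.0.9", "static", None), ("192.0.2.7", "static", None)]

if __name__ == "__main__":
    cfg = dict(apn_auto=True, default_aggregates=["10.80.0.0/24"])
    print(routing_table(EXAMPLE2 + STATIC, **cfg))
    print(len(routing_table(EXAMPLE2)), "host routes without aggregation")
```

With the Example 2 configuration the five DHCP contexts collapse into one route, while the static address outside every range still gets its own host route.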

Related Commands

Command                   Description
gprs default aggregate    Configures the GGSN to create an aggregate route in its IP routing table when receiving PDP requests from MSs on the specified network for any access point on the GGSN.
show gprs access-point    Displays information about access points on the GGSN.
show ip route             Displays all static IP routes, or those installed using the AAA route download function.


anonymous user

To configure anonymous user access at an access point, use the anonymous user access-point configuration command. To remove the username configuration, use the no form of this command.

anonymous user username [password]

no anonymous user username [password]

Syntax Description

username

Alphanumeric string identifying user. The username argument can be only one word. It can contain any combination of numbers and characters.

password

Alphanumeric string. The password argument can be only one word. It can contain any combination of numbers and characters.


Defaults

No default behavior or values.

Command Modes

Access-point configuration

Command History

Release      Modification
12.2(4)MX    This command was introduced.
12.2(8)YD    This command was incorporated in Cisco IOS Release 12.2(8)YD.
12.2(8)B     This command was incorporated in Cisco IOS Release 12.2(8)B.
12.3(4)T     This command was incorporated in Cisco IOS Release 12.3(4)T.
12.3(8)T     This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use this command to allow a mobile station (MS) to access a non-transparent mode APN without supplying the username and password in the GTP protocol configuration option (PCO) information element (IE) of the create PDP context request message. The GGSN will use the username and password configured on the APN for the user session.

This command enables anonymous access, which means that a PDP context can be created by an MS to a specific host without specifying a username and password.

Examples

The following example specifies the username george and the password abcd123 for anonymous access at access point 49:

gprs access-point-list abc
 access-point 49
   access-point-name www.pdn.com
   anonymous user george abcd123
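
Because the command takes the username and password as plain words on the configuration line, a configuration review should list every access point that permits anonymous access and mask the password before the text is shared. The following is an added audit sketch, not Cisco tooling; the function names and the second access point in the sample are constructed for illustration.

```python
import re

# Matches "anonymous user <username> [password]" but not the "no" form.
ANON = re.compile(r"^(\s*anonymous user\s+)(\S+)(?:\s+(\S+))?\s*$")

def audit_anonymous(config_text):
    """Return one finding per access point that has anonymous user set."""
    findings, ap_list, ap = [], None, None
    for line in config_text.splitlines():
        word = line.strip()
        if word.startswith("gprs access-point-list "):
            ap_list, ap = word.split()[-1], None
        elif re.fullmatch(r"access-point \d+", word):
            ap = {"list": ap_list, "index": int(word.split()[1]), "apn": None}
        elif ap is not None and word.startswith("access-point-name "):
            ap["apn"] = word.split()[-1]
        elif ap is not None and (m := ANON.match(line)):
            ap.update(username=m.group(2), password_set=m.group(3) is not None)
            findings.append(ap)
        elif line and not line[0].isspace():
            ap = None  # an unindented line ends the access-point list
    return findings

def redact(config_text):
    """Copy of the configuration with anonymous-user passwords masked."""
    out = []
    for line in config_text.splitlines():
        m = ANON.match(line)
        masked = m is not None and m.group(3) is not None
        out.append(f"{m.group(1)}{m.group(2)} <redacted>" if masked else line)
    return "\n".join(out)

# Constructed sample: the page's access point 49 plus one without anonymous user.
SAMPLE = """\
gprs access-point-list abc
 access-point 49
   access-point-name www.pdn.com
   anonymous user george abcd123
 access-point 50
   access-point-name corp.example
"""

if __name__ == "__main__":
    for finding in audit_anonymous(SAMPLE):
        print(finding)
    print(redact(SAMPLE))
```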

block count

To lock out group members for a length of time after a set number of incorrect passwords, use the block count command in local RADIUS server group configuration mode. To remove the user block after invalid login attempts, use the no form of this command.

block count count time {seconds | infinite}

no block count count time {seconds | infinite}

Syntax Description

count

Number of failed passwords that triggers a lockout.

time

Time that the lockout should last.

seconds

Number of seconds that the lockout should last.

infinite

Length of time for the lockout is indefinite until an administrator manually unblocks the locked username.


Defaults

No default behavior or values.

Command Modes

Local RADIUS server group configuration

Command History

Release       Modification
12.2(11)JA    This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.
12.3(11)T     This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.


Usage Guidelines

If a setting of infinite is entered, an administrator must manually unblock the locked username.

Examples

The following command locks out group members for 120 seconds after 3 incorrect passwords are entered:

block count 3 time 120

Related Commands

Command                      Description
clear radius local-server    Clears the statistics display or unblocks a user.
debug radius local-server    Displays the debug information for the local server.
group                        Enters user group configuration mode and configures shared settings for a user group.
nas                          Adds an access point or router to the list of devices that use the local authentication server.
radius-server host           Specifies the remote RADIUS server host.