HSGW Service Configuration Mode Commands


The HSGW Service Configuration Mode is used to create and manage a configuration allowing the HSGW to communicate, send and receive call data, and session flows to/from an eAN/PCF in an eHRPD network.
 
Important: This appendix will be added to the CLI Reference when the product releases. Use this appendix in conjunction with the latest release of the Command Line Interface Reference.
 
associate
Associates accounting policies and QCI-QoS mapping parameters with this HSGW service.
Product
HSGW
Privilege
Administrator
Syntax
associate { accounting-policy name | qci-qos-mapping name }
no associate { accounting-policy [ name ] | qci-qos-mapping }
no
Removes the specified associated policy or mapping from the service.
accounting-policy name
Specifies the accounting policy to associate with the HSGW service. name must be an existing accounting policy and be from 1 to 63 alpha and/or numeric characters.
qci-qos-mapping name
Associates the HSGW service with QCI to QoS mapping parameters. name must be an existing QCI-QoS mapping configuration and be from 1 to 63 alpha and/or numeric characters.
QCI-QoS mapping is configured through the qci-qos-mapping command in the Global Configuration Mode.
Usage
Use this command to associate an accounting policy with the HSGW service.
Example
The following command associates an accounting policy named acct2 with the HSGW service:
associate accounting-policy acct2
 
bind address
Binds the service to a logical IP interface serving as the A10 interface and specifies the maximum number of subscribers that can access this service over the configured interface.
Product
HSGW
Privilege
Administrator
Syntax
bind address ip_address [ max-subscribers num ]
no bind address
no
Removes the interface binding from this service.
ip_address
Specifies the IPv4 address of the interface configured as the A10/A11 interface. ip_address is specified in dotted decimal notation.
max-subscribers num
Default: 2500000
Specifies the maximum number of subscribers that can access this service on this interface. num must be configured to an integer between 0 and 2,500,000.
Important: The maximum number of subscribers supported is dependent on the license key installed and the number of active PSCs in the system. A fully loaded system with 13 active PSCs can support 3,000,000 total subscribers. Refer to the license key command and the Usage section (below) for additional information.
Usage
Associate the HSGW service to a specific logical IP address. The logical IP address or interface takes on the characteristics of an A10/A11 interface that provides the session connectivity to/from an eAN/PCF. Only one interface can be bound to a service. The interface should be configured prior to issuing this command.
This command also sets a limit on the number of simultaneous subscriber sessions that can be facilitated by the service/interface at any given time.
When configuring the max-subscribers option, be sure to consider the following:
Taking these factors into account and distributing your subscriber session across all available interfaces will allow you to configure your interfaces to optimally handle sessions without degraded performance.
Example
The following command binds the logical IP interface with the address of 112.334.556.778 to the HSGW service and specifies that a maximum of 200,000 simultaneous subscriber sessions can be facilitated by the interface/service at any given time:
bind address 112.334.556.778 max-subscribers 200000
 
context-retention-timer
Configures the maximum number of consecutive seconds that a UE session context (which includes the LCP, authentication and A10 session context for a given UE) is maintained by the HSGW before it is torn down.
Product
HSGW
Privilege
Administrator
Syntax
context-retention-timer timeout [ sec ]
[ default | no ] context-retention-timer timeout
default
Disables the timer.
no
Disables the timer.
timeout [ sec ]
Default: 60
Specifies the amount of time, in seconds, that the session context is maintained before it is disassembled. sec must be an integer value from 1 to 3600.
Usage
Use this command to configure a timer to retain session contexts for a specified amount of time before disassembling them.
Example
The following command allows the HSGW to maintain session contexts for 120 seconds before tearing them down:
context-retention-timer timeout 120
 
data-available-indicator
Enables sending the Data Available Indicator extension in A10/A11 Registration Reply messages.
Product
HSGW
Privilege
Administrator
Syntax
data-available-indicator
Usage
Use this command to enable the sending of the Data Available Indicator extension in A10/A11 Registration Reply messages.
 
data-over-signaling
Enables the data-over-signaling marking feature for A10 packets.
Product
HSGW
Privilege
Administrator
Syntax
[ default | no ] data-over-signaling
default
Enables the data-over-signaling feature for A10 packets.
no
Disables the data-over-signaling feature for A10 packets.
Usage
Use this command to enable or disable the data-over-signaling feature for A10 packets.
 
dns-pgw
Identifies to the HSGW service the location of the DNS client. The DNS client is used to identify an FQDN for the peer P-GW. This command defaults to the same context as the HSGW service.
Product
HSGW
Privilege
Administrator
Syntax
dns-pgw context name
[ default | no ] dns-pgw context
default
Returns the command to its default setting of the current context.
no
Removes the configured DNS client context name from this service.
context name
Specifies the context in which the DNS client is configured. name must be an existing context and be from 1 to 63 alpha and/or numeric characters.
Usage
Use this command to identify to the HSGW service the context where the DNS client is configured.
Example
The following command identifies the context where the DNS client is configured as isp3:
dns-pgw context isp3
 
end
Exits the current mode and returns to the Exec Mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Change the mode back to the Exec mode.
 
exit
Exits the current mode and returns to the previous mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Return to the previous mode.
 
fqdn
Configures the Fully Qualified Domain Name (FQDN) for this HSGW.
Product
HSGW
Privilege
Administrator
Syntax
fqdn domain_name
[ default | no ] fqdn
default
Returns the command to the default setting of “null”.
no
domain_name
Specifies an FQDN for the HSGW. domain_name must be from 1 to 256 alpha and/or numeric characters.
Usage
Use this command to configure an FQDN for this HSGW. The FQDN is used by a P-GW (APN FQDN) when selecting an HSGW.
Example
The following command configures this HSGW with an FQDN of abc123.com:
fqdn abc123.com
 
fragment
Enables/Disables PPP payload fragmentation.
Product
HSGW
Privilege
Administrator
Syntax
[ default | no ] fragment ppp-data
default
Returns the command to its default setting of enabled.
no
Disables PPP payload fragmentation.
Usage
Use this command to enable or disable PPP payload fragmentation.
 
gre
Configures Generic Routing Encapsulation (GRE) parameters for the A10 protocol within the HSGW service.
Product
HSGW
Privilege
Administrator
Syntax
gre { checksum | checksum-verify | flow-control [ action { disconnect-session | resume-session } ] [ timeout msecs ] + | ip-header-dscp value { all-control-packets | setup-packets-only } | reorder-timeout msecs | segmentation | sequence-mode { none | reorder } | sequence-numbers | threegppp2-ext-headers qos-marking }
default gre { checksum | checksum-verify | flow-control | ip-header-dscp | reorder-timeout | sequence-mode | sequence-numbers | threegppp2-ext-headers qos-marking }
no gre { checksum | checksum-verify | flow-control | ip-header-dscp | segmentation | sequence-numbers | threegppp2-ext-headers qos-marking }
default
Restores the specified parameter to its default setting.
no
Disables the specified functionality.
checksum
Default: disabled
Enables the introduction of the checksum field in outgoing GRE packets.
checksum-verify
Default: disabled
Enables verification of the GRE checksum (if present) in incoming GRE packets.
flow-control [ action { disconnect-session | resume-session } ] [ timeout msecs ] +
Default: no GRE flow-control
Enables 3GPP2 GRE flow control which causes the HSGW to send flow control enabled Normal Vendor Specific Extensions (NVSE) in A11 RRPs.
action { disconnect-session | resume-session }:
Default: disconnect-session
Specifies the action to be taken when timeout is reached:
disconnect-session: Ends the session and releases the call.
resume-session: Switches flow control to XON and resumes delivery of packets to the RAN.
timeout msecs
Default: 1000 milliseconds (10 seconds)
Sets the amount of time to wait for an XON indicator from the RAN (after receiving an XOFF). Also sets the action to be taken if the timeout limit is reached.
msecs: Specifies the amount of time in milliseconds before the timeout is reached. msecs must be an integer from 1 through 1000000.
ip-header-dscp value { all-control-packets | setup-packets-only }
Default: Disabled
Used to configure the QoS Differentiated Services Code Point (DSCP) marking for GRE packets.
value: Represents the DSCP setting. It represents the first six most-significant bits of the ToS field. It can be configured to any hex value from 0x0 through 0x3F.
all-control-packets: Dictates that the DSCP marking is to be provided in all GRE control packets.
setup-packets-only: Dictates that the DSCP marking is to be provided only in GRE setup packets.
reorder-timeout msecs
Default: 100
Configures the maximum number of milliseconds to wait before processing reordered out-of-sequence GRE packets. msecs must be an integer from 0 through 5000.
segmentation
Default: disabled
Enables GRE Segmentation for the HSGW service.
sequence-mode { none | reorder }
Default: none
Configures handling of incoming out-of-sequence GRE packets.
none: Specifies that sequence numbers in packets are ignored and all arriving packets are processed in the order they arrive.
reorder: Specifies that out of sequence packets are stored in a sequencing queue until one of the conditions is met:
sequence-numbers
Enables insertion of GRE sequence numbers in data that is about to be transmitted over the A10 interface. Data coming into the system containing sequence numbers but that is out of sequence is not re-sequenced.
threegppp2-ext-headers qos-marking
When threegppp2-ext-headers qos-marking is enabled and the PCF negotiates capability in the A11 RRQ, the HSGW will include the QoS optional data attribute in the GRE 3GPP2 extension header.
The no keyword enables QoS marking in the GRE header based on the ToS value in the header.
Usage
Use the no gre sequence-numbers command to disable the inclusion of GRE sequence numbers in the A10 data path.
Example
The following command configures the HSGW service to support the inclusion of GRE sequence numbers in outgoing traffic:
gre sequence-numbers
 
ip
Sets the use of Robust Header Compression (RoHC) and enters the HSGW Service ROHC Configuration Mode where RoHC parameters are configured for the service.
Configures the local User Datagram Protocol (UDP) port for the A10/A11 interface IP socket.
Sets the parameters for IP source validation. Source validation is useful if packet spoofing is suspected or for verifying packet routing and labeling within the network.
Source validation requires the source address of received packets to match the IP address assigned to the subscriber (either statically or dynamically) during the session.
Product
HSGW
Privilege
Administrator
Syntax
ip { header-compression rohc | local-port number | source-violation { clear-on-valid-packet | drop-limit num | period secs | reneg-limit num } }
default ip { local-port | source-violation drop-limit | period | reneg-limit }
no { header-compression rohc | ip source-violation clear-on-valid-packet }
default
Resets the keyword to its default value.
no
header-compression rohc: Removes the RoHC configuration from this service.
ip source-violation clear-on-valid-packet: Disables the ability of the service to reset the reneg-limit and drop-limit counters after receipt of a properly addressed packet.
header-compression rohc
Specifies that Robust Header Compression will be applied to sessions using this service and enters the HSGW Service RoHC Configuration Mode where RoHC parameters are configured.
local-port number
Default: 699
Specifies the UDP port number.
number can be any integer value between 1 and 65535.
source-violation { clear-on-valid-packet | drop-limit num | period secs | reneg-limit num }
clear-on-valid-packet
Default: disabled
Configures the service to reset the reneg-limit and drop-limit counters after receipt of a properly addressed packet.
drop-limit num
Default: 10
Sets the number of allowed source violations within a detection period before forcing a call disconnect. If num is not specified, the value is set to the default.
num can be any integer value from 1 to 1000000.
period secs
Default: 120
The length of time, in seconds, for a source violation detection period to last. drop-limit and reneg-limit counters are decremented each time this value is reached.
The counters are decremented in this manner: reneg-limit counter is reduced by one (1) each time the period value is reached until the counter is zero (0); drop-limit counter is halved each time the period value is reached until the counter is zero (0). If secs is not specified, the value is set to the default.
secs must be an integer value from 1 to 1000000.
reneg-limit num
Default: 5
Sets the number of allowed source violations within a detection period before forcing a PPP renegotiation. If num is not specified, the value is set to the default.
num can be any integer value from 1 to 1000000.
Usage
Header Compression RoHC: Use this command to specify that sessions using this service will have Robust Header Compression applied and configure parameters supporting RoHC.
Entering this command results in the following prompt:
[context_name]hostname(config-ip-header-compression-rohc)#
HSGW Service RoHC Configuration Mode commands are defined in the HSGW Service RoHC Configuration Mode Commands chapter.
Local Port: Specify the UDP port that should be used for communications between the Packet Control Function (PCF) and the HSGW.
Important: The UDP port setting on the PCF must match the local-port setting for the HSGW service on the system in order for the two devices to communicate.
Source Violation: This function is intended to allow the operator to configure a network to prevent problems such as when a user gets handed back and forth between two HSGWs a number of times during a handoff scenario.
This function operates in the following manner:
When a subscriber packet is received with a source address violation, the system increments both the IP source-violation reneg-limit and drop-limit counters and starts the timer for the IP-source violation period. Every subsequent packet received with a bad source address during the IP-source violation period causes the reneg-limit and drop-limit counters to increment.
For example, if reneg-limit is set to 5, then the system allows 5 packets with a bad source address (source violations), but on the 5th packet, it re-negotiates PPP.
If the drop-limit is set to 10, the above process of receiving 5 source violations and renegotiating PPP occurs only once. After the second 5 source violations, the call is dropped. The period timer continues to count throughout this process.
If the configured source-violation period is exceeded at any time before the call is dropped, the reneg-limit counter is checked. If the reneg-limit counter is greater than zero (0), the reneg-limit is decremented by 1. If the reneg-limit counter equals zero, the drop-limit is decremented by half.
Example
The following command specifies a UDP port of 3950 for the HSGW service to use to communicate with the PCF on the A10/A11 interface:
ip local-port 3950
The following command sets the drop limit to 15 and leaves the other values at their defaults:
ip source-violation drop-limit 15
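The counter behavior described in the Usage text above can be modeled in a few lines. The following Python sketch is an added example, not Cisco code; it shows how the reneg-limit, drop-limit, period and clear-on-valid-packet settings interact for a burst, a slow trickle, and violations interleaved with valid packets. Assumptions: the class and function names are hypothetical, the addresses are constructed, period expiry follows the Usage description (decrement the reneg-limit counter first, halve the drop-limit counter once it is zero), renegotiation fires when the counter reaches reneg-limit, and the timer idles when both counters are zero.

```python
from dataclasses import dataclass
from typing import Optional

ASSIGNED = "10.0.0.5"   # constructed: address assigned to the subscriber
SPOOFED = "10.9.9.9"    # constructed: any other source address


@dataclass
class SourceViolationTracker:
    """Model of one session's ip source-violation counters (not vendor code)."""
    reneg_limit: int = 5                  # page default
    drop_limit: int = 10                  # page default
    period: int = 120                     # seconds, page default
    clear_on_valid_packet: bool = False   # page default: disabled
    reneg_count: int = 0
    drop_count: int = 0
    period_start: Optional[float] = None  # None: detection timer not running

    def _expire_periods(self, now: float) -> None:
        # Apply one decay step for every full detection period that has elapsed.
        while self.period_start is not None and now - self.period_start >= self.period:
            self.period_start += self.period
            if self.reneg_count > 0:
                self.reneg_count -= 1
            else:
                self.drop_count //= 2
            if self.reneg_count == 0 and self.drop_count == 0:
                self.period_start = None  # assumption: timer idles when clean

    def packet(self, now: float, src_ip: str, assigned_ip: str = ASSIGNED) -> str:
        self._expire_periods(now)
        if src_ip == assigned_ip:
            if self.clear_on_valid_packet:
                self.reneg_count = self.drop_count = 0
                self.period_start = None
            return "forward"
        if self.period_start is None:
            self.period_start = now       # first violation starts the period timer
        self.reneg_count += 1
        self.drop_count += 1
        if self.drop_count >= self.drop_limit:
            return "disconnect"
        if self.reneg_count == self.reneg_limit:
            return "renegotiate-ppp"
        return "violation"


def run(tracker, events):
    """Feed (time, source_ip) events to a tracker until the call is dropped."""
    actions = []
    for t, src in events:
        actions.append(tracker.packet(t, src))
        if actions[-1] == "disconnect":
            break
    return actions


def burst():
    # Ten violations one second apart, all inside a single detection period.
    return run(SourceViolationTracker(), [(t, SPOOFED) for t in range(10)])


def trickle(interval, count):
    # One violation every `interval` seconds.
    return run(SourceViolationTracker(), [(i * interval, SPOOFED) for i in range(count)])


def interleaved(clear):
    # Four violations followed by one valid packet, repeated three times.
    events = []
    for i in range(15):
        events.append((i, ASSIGNED if i % 5 == 4 else SPOOFED))
    return run(SourceViolationTracker(clear_on_valid_packet=clear), events)


if __name__ == "__main__":
    print("burst            ", burst())
    print("trickle 130 s    ", trickle(130, 10))
    print("trickle 250 s    ", trickle(250, 20))
    print("interleaved      ", interleaved(False))
    print("interleaved+clear", interleaved(True))
```

With the default period of 120 seconds, a violation every 130 seconds never triggers PPP renegotiation in this model but still reaches drop-limit, because the drop-limit counter is only halved once the reneg-limit counter is already zero. With clear-on-valid-packet enabled, a session that mixes valid and invalid packets never reaches either limit.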
 
lifetime
Specifies the time that an A10 connection can exist before its registration is considered expired.
Product
HSGW
Privilege
Administrator
Syntax
lifetime time
[ default | no ] lifetime
default
Resets the lifetime value to the default setting of 1800 seconds.
no
Specifies that an A10 connection can exist for an infinite amount of time.
time
Default: 1800
Specifies the time that an A10 connection can exist before its registration is considered expired.
time is measured in seconds and can be configured to any integer value between 1 and 65534.
Usage
Use this command to set a limit to the amount of time that a subscriber session can remain up whether or not the session is active or dormant. If the lifetime timer expires before the subscriber terminates the session, the connection is terminated automatically.
Example
The following command specifies a time of 3600 seconds (1 hour) for subscriber sessions on this HSGW service:
lifetime 3600
 
max-retransmissions
Configures the maximum number of times the HSGW service will attempt to communicate with an eAN/PCF before it marks it as unreachable.
Product
HSGW
Privilege
Administrator
Syntax
max-retransmissions count
default max-retransmissions
default
Resets the maximum number of allowed retransmissions to the default value of 5.
count
Default: 5
Specifies the maximum number of times the HSGW service will attempt to communicate with an eAN/PCF before it marks it as unreachable.
count can be configured to any integer value between 1 and 1000000.
Usage
Use this command to limit the number of retransmissions to an eAN/PCF before marking it as unreachable. If the value configured is reached, the call is dropped.
Example
The following command configures the maximum number of retransmissions for the HSGW service to 3:
max-retransmissions 3
 
mobile-access-gateway
Identifies the mobile access gateway (MAG) context through which MIPv6 calls are to be routed.
Product
HSGW
Privilege
Administrator
Syntax
mobile-access-gateway context context_name [ mag-service service_name ]
no mobile-access-gateway context
no
Removes the configured MAG context route from this service.
context context_name [ mag-service service_name ]
Specifies the name of the context and, optionally, the service through which MIPv6 sessions are to be routed.
context_name must be an existing context and be from 1 to 79 alpha and/or numeric characters.
service_name must be an existing MAG service and be from 1 to 63 alpha and/or numeric characters.
Usage
Use this command to specify where MIPv6 sessions are routed through this service.
Example
The following command identifies the MAG context MAG1 as the context through which MIPv6 sessions are to be routed and further narrows the route by specifying the service name (mag_serv3):
mobile-access-gateway context MAG1 mag-service mag_serv3
 
plmn id
Configures Public Land Mobile Network identifiers used to determine if a mobile station is visiting, roaming, or belongs to this network.
Product
HSGW
Privilege
Administrator
Syntax
plmn id mcc number mnc number
mcc number mnc number
mcc number: Specifies the mobile country code (MCC) portion of the PLMN’s identifier. number is the PLMN MCC identifier and must be an integer value between 100 and 999.
mnc number: Specifies the mobile network code (MNC) portion of the PLMN’s identifier. number is the PLMN MNC identifier and can be configured to any 2 or 3 digit integer value between 00 and 999.
Usage
The PLMN identifier is used to aid the HSGW service in the determination of whether or not a mobile station is visiting, roaming, or home. Multiple P-GW services can be configured with the same PLMN identifier. Up to five PLMN IDs can be configured for each P-GW Service. The configured IDs are used in Diameter-EAP-Request messages (as a Visited-Network-Identifier AVP).
Example
The following command configures the PLMN identifier with an MCC of 462 and MNC of 2:
plmn id mcc 462 mnc 02
 
policy overload
Specifies how an HSGW service should handle overload conditions.
Product
HSGW
Privilege
Administrator
Syntax
policy overload { redirect address [ weight weight_num ] [ address2 [ weight weight_num ] ... address16 [ weight weight_num ] ] | reject [ use-reject-code { admin-prohibited | insufficient-resources } ] }
default policy overload
no policy overload [ redirect address [ address2 ] ... [ address16 ] ]
default
Returns the command to its default setting of “reject” with the “admin-prohibited” code.
no
Removes a specified “redirect address” from this service.
redirect address [ weight weight_num ] [ address2 [ weight weight_num ] ... address16 [ weight weight_num ] ]
This option enables a redirect policy for overloading conditions. When a redirect policy is invoked, the HSGW service rejects new sessions with an A11 Registration Reply Code of 88H (unknown HSGW address) and provides the IP address of an alternate HSGW. This command can be issued multiple times.
address: The IP address of an alternate HSGW expressed in IPv4 dotted decimal notation. Up to 16 IP addresses can be specified either in one command or by issuing the redirect command multiple times. If you try to add more than 16 IP addresses to the redirect policy the CLI issues an error message. If you specify an IP address and weight that already exists in the redirect policy the new values override the existing values.
weight weight_num: When multiple addresses are specified, they are selected in a weighted round-robin scheme. Entries with higher weights are more likely to be chosen. If a weight is not specified, the entry is automatically assigned a weight of 1 (default). weight_num must be an integer value from 1 through 10.
reject [ use-reject-code { admin-prohibited | insufficient-resources } ]
This option will cause any overload traffic to be rejected. The HSGW sends an A11 Registration Reply Code of 82H (insufficient resources).
use-reject-code admin-prohibited: When this keyword is specified and traffic is rejected, the error code admin prohibited is returned instead of the error code “insufficient resources”. This is the default behavior.
use-reject-code insufficient-resources: When this keyword is specified and traffic is rejected, the error code “insufficient resources” is returned instead of the error code admin prohibited.
Usage
Policies can be implemented to dictate HSGW service behavior for overload conditions.
The system invokes the overload policy if the number of calls currently being processed exceeds the licensed limit for the maximum number of sessions supported by the system.
The system automatically invokes the overload policy when an on-line software upgrade is started.
Use the no policy overload command to delete a previously configured policy. If after deleting the policy setting you desire to return the policy parameter to its default setting, use the default policy command.
The chassis is shipped from the factory with the policy overload option disabled.
Example
The following command configures the HSGW service to redirect overload traffic to two IPv4 addresses, one priority weighted 1 and the other priority weighted 5:
policy overload redirect 1.2.3.4 weight 1 1.2.3.5 weight 5
 
profile-id-qci-mapping
Associates a configured mapping table for RP QoS Profile ID to LTE QoS Class Index (QCI) mapping with this service.
Product
HSGW
Privilege
Administrator
Syntax
profile-id-qci-mapping name
no profile-id-qci-mapping [ name ]
no
Removes all profile maps or a specific profile map from this service.
name
Specifies the name of the table to be associated with this service. name must be an existing Profile ID - QCI Mapping table and be from 1 to 63 alpha and/or numeric characters in length.
Usage
Use this command to associate the HSGW service with a configured Profile ID - QCI Mapping table. The table is configured in the Global Configuration Mode using the profile-id-qci-mapping-table command.
Example
The following command associates a Profile ID - QCI Mapping table named table3 with this service:
profile-id-qci-mapping table3
 
registration-deny
Configures parameters related to registration rejection.
Product
HSGW
Privilege
Administrator
Syntax
registration-deny { handoff connection-setup-record-absent | newcall connection-setup-record-absent } [ use-deny-code { poorly-formed-request | reason-unspecified } ]
handoff connection-setup-record-absent
When enabled, the HSGW denies or discards handoff sessions that do not have an Airlink Connection Setup record in the A11 Registration Request. Default is disabled. Default HSGW behavior is to accept such requests.
newcall connection-setup-record-absent
When enabled, the HSGW denies or discards new sessions that do not have the airlink connection setup record in the RRQ.
[ use-deny-code { poorly-formed-request | reason-unspecified } ]
Sets the specified Registration Deny Code when denying a new call or handoff because of a missing connection setup record.
Usage
Use this command to configure parameters relating to the rejection of registration requests.
Example
The following command denies registration for registration requests missing the connection setup record and replies with a use deny code of “poorly formed request”:
registration-deny handoff connection-setup-record-absent use-deny-code poorly-formed-request
 
retransmission-timeout
Configures the maximum allowable time for the HSGW service to wait for a response from the eAN/PCF before it attempts to communicate with the eAN/PCF again (if the system is configured to retry the PCF) or marks the eAN/PCF as unreachable.
Product
HSGW
Privilege
Administrator
Syntax
retransmission-timeout time
{ default | no } retransmission-timeout
default
Resets the timeout setting to the default value of 3.
no
Deletes a previously configured timeout value.
time
Default: 3
Specifies the maximum allowable time, in seconds, for the HSGW service to wait for a response from the eAN/PCF before it: a) attempts to communicate with the eAN/PCF again (if the system is configured to retry the PCF) or b) marks the eAN/PCF as unreachable.
time must be an integer value between 1 and 1000000.
Usage
Use the retransmission-timeout command in conjunction with the max-retransmissions command in order to configure the HSGW service's behavior when it does not receive a response from a particular PCF.
Example
The following command configures a retransmission timeout value of 5 seconds:
retransmission-timeout 5
 
setup-timeout
The maximum amount of time allowed for session setup.
Product
HSGW
Privilege
Administrator
Syntax
setup-timeout seconds
[ default | no ] setup-timeout
default
Resets the command to the default value of enabled with a timeout of 60 seconds.
no
Disables the feature.
seconds
Default: 60
The maximum amount of time, in seconds, to allow for setup of a session in this service. seconds must be an integer value from 1 through 1000000.
Usage
Use this command to set the maximum amount of time allowed for setting up a session.
Example
The following command sets the maximum time allowed for setting up a session to 5 minutes (300 seconds):
setup-timeout 300
 
spi remote-address
Configures the security parameter index (SPI) between the HSGW service and the eAN/ePCF. This command also configures the redirection of calls based on the PCF zone.
Product
HSGW
Privilege
Administrator
Syntax
spi remote-address { pcf_ip_address | ip_addr_mask_combo } spi-number number { encrypted secret enc_secret | secret secret } [ description string ] [ hash-algorithm { md5 | rfc2002-md5 } ] [ replay-protection { nonce | timestamp } ] [ timestamp-tolerance tolerance ] [ zone zone_id ]
no spi remote-address pcf_ip_address spi-number number
{ pcf_ip_address | ip_addr_mask_combo }
pcf_ip_address: Specifies the IP address of the ePCF. pcf_ip_address is an IP address expressed in IPv4 dotted decimal notation or IPv6 colon separated notation.
ip_addr_mask_combo: Specifies the IP address of the PCF and specifies the IP address network mask bits. ip_addr_mask_combo must be specified using the form ‘IP Address/Mask Bits’ where the IP address must either be an IPv4 address expressed in dotted decimal notation or an IPv6 address expressed in colon separated notation and the mask bits are a numeric value which is the number of bits in the subnet mask.
spi-number number
Specifies the SPI (number) which indicates a security context between the PCF and the HSGW.
number can be configured to any integer value between 256 and 4294967295.
encrypted secret enc_secret | secret secret
Configures the shared-secret between the HSGW service and the PCF. The secret can be either encrypted or non-encrypted.
encrypted secret enc_secret: Specifies the encrypted shared key (enc_secret) between the PCF and the HSGW service. enc_secret must be between 1 and 254 alpha and/or numeric characters and is case sensitive.
secret secret: Specifies the shared key (secret) between the PCF and the HSGW services. secret must be between 1 and 127 alpha and/or numeric characters and is case sensitive.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret key. Only the encrypted secret key is saved as part of the configuration file.
description string
This is a description for the SPI. string must be an alpha and/or numeric string from 1 through 31 characters.
hash-algorithm { md5 | rfc2002-md5 }
Default: md5
Specifies the hash-algorithm used between the HSGW service and the PCF.
md5: Configures the hash-algorithm to implement MD5.
rfc2002-md5: Configures the hash-algorithm to implement keyed-MD5.
replay-protection { nonce | timestamp }
Default: timestamp
Specifies the replay-protection scheme that should be implemented by the HSGW service.
nonce: Configures replay protection to be implemented using NONCE.
timestamp: Configures replay protection to be implemented using timestamps.
timestamp-tolerance tolerance
Default: 60
Specifies the allowable difference (tolerance) in timestamps that is acceptable. If the difference is exceeded, then the session will be rejected. If this is set to 0, then time stamp tolerance checking is disabled at the receiving end.
tolerance is measured in seconds and can be configured to any integer value between 0 and 65535.
zone zone_id
Specifies the different PCF zones to configure in the HSGW service. Mapping of a zone number to a set of HSGWs can be done on a per-HSGW-service basis.
zone_id must be an integer value between 1 and 32. A maximum of 32 PCF zones can be configured for an HSGW service.
Usage
An SPI is a security mechanism configured and shared by the PCF and the HSGW service. Please refer to IOS 4.1 and RFC 2002 for additional information.
Multiple SPIs can be configured if the HSGW service is communicating with multiple eAN/PCFs.
Important: The SPI configuration on the PCF must match the SPI configuration for the HSGW service on the system in order for the two devices to communicate properly.
This command used with the zone keyword redirects all calls on the basis of PCF zone to the specific HSGW on the basis of parameters configured using the policy pcf-zone-match command.
Example
The following command configures the HSGW service to use an SPI of 256 when communicating with a PCF with the IP address 192.168.0.2. The key that would be shared between the PCF and the HSGW service is q397F65.
spi remote-address 192.168.0.2 spi-number 256 secret q397F65
The following command creates the configured SPI of 400 for a PCF with an IP address of 172.100.3.200 and zone id as 11:
spi remote-address 172.100.3.200 spi-number 400 zone 11
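What the receiving side does with an SPI entry can be shown in a short Python sketch, added here as an illustration and not taken from Cisco code. It covers only the rfc2002-md5 option (RFC 2002 keyed-MD5 in prefix+suffix mode) with timestamp replay protection; the message layout (an 8-byte timestamp in seconds followed by an opaque body), the function names, the clock value and the second table entry are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class SpiEntry:
    """One 'spi remote-address' line, reduced to the fields used here."""
    remote: str                    # pcf_ip_address or ip_addr_mask_combo
    spi: int                       # spi-number
    secret: bytes
    timestamp_tolerance: int = 60  # seconds (page default); 0 disables the check


# First entry uses the values from the page's example; the second is constructed.
SPI_TABLE = [
    SpiEntry("192.168.0.2", 256, b"q397F65"),
    SpiEntry("10.20.0.0/24", 300, b"constructed-secret", timestamp_tolerance=0),
]


def keyed_md5(secret: bytes, protected: bytes) -> bytes:
    # RFC 2002 keyed-MD5, prefix+suffix mode: MD5(secret || protected || secret)
    return hashlib.md5(secret + protected + secret).digest()


def build_request(secret: bytes, sent_at: int, body: bytes):
    """Sender side. Constructed layout: 8-byte timestamp, then the body."""
    protected = struct.pack("!Q", sent_at) + body
    return protected, keyed_md5(secret, protected)


def verify_request(src_ip, spi, protected, authenticator, now, table=SPI_TABLE):
    """Receiver side: find the security context, check the MAC, then the timestamp."""
    src = ipaddress.ip_address(src_ip)
    entry = next((e for e in table
                  if e.spi == spi and src in ipaddress.ip_network(e.remote)), None)
    if entry is None:
        return "reject: no security context"
    if len(protected) < 8:
        return "reject: malformed"
    expected = keyed_md5(entry.secret, protected)
    if not hmac.compare_digest(expected, authenticator):  # constant-time compare
        return "reject: bad authenticator"
    (sent_at,) = struct.unpack("!Q", protected[:8])
    if entry.timestamp_tolerance and abs(now - sent_at) > entry.timestamp_tolerance:
        return "reject: timestamp outside tolerance"
    return "accept"


def demo():
    now = 1_700_000_000  # constructed clock value, seconds
    body = b"constructed registration fields"
    msg, auth = build_request(b"q397F65", now - 5, body)
    bad_msg, bad_auth = build_request(b"wrong-secret", now - 5, body)
    # Same body with the timestamp rewritten but the old authenticator kept.
    retimed = struct.pack("!Q", now + 300) + msg[8:]
    old_msg, old_auth = build_request(b"constructed-secret", now - 86400, body)
    return {
        "fresh": verify_request("192.168.0.2", 256, msg, auth, now),
        "replayed": verify_request("192.168.0.2", 256, msg, auth, now + 300),
        "retimed": verify_request("192.168.0.2", 256, retimed, auth, now + 300),
        "wrong_secret": verify_request("192.168.0.2", 256, bad_msg, bad_auth, now),
        "other_source": verify_request("192.168.0.3", 256, msg, auth, now),
        "tolerance_zero": verify_request("10.20.0.7", 300, old_msg, old_auth, now),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The last case shows the effect of timestamp-tolerance 0: a correctly authenticated message that is a day old is accepted, because the receiving end no longer checks the timestamp.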
 
unauthorized-flows
Configures the service to wait a specified number of seconds before triggering a QoS update to downgrade an unauthorized flow.
Product
HSGW
Privilege
Administrator
Syntax
unauthorized-flows qos-update wait-timeout seconds
[ default | no ] unauthorized-flows qos-update wait-timeout
default
Returns the command to its default setting of
no
Removes the configured wait-timeout setting for this service.
qos-update wait-timeout seconds
Specifies the number of seconds to wait before triggering the QoS update to downgrade the unauthorized flow. seconds must be an integer value from 1 to 65534.
Usage
Use this command to specify a wait timeout trigger for flows that are unauthorized by policy rules received via the Gxa interface from the PCRF. When the wait timer expires, the HSGW triggers a QoS update to downgrade the unauthorized flow.
Example
The following command configures the HSGW service to apply the wait time of 30 seconds after receiving a flow unauthorized by the PCRF:
unauthorized-flows qos-update wait-timeout 30
 
 

Cisco Systems Inc.