APN Configuration Mode Commands


 
The Access Point Name (APN) Configuration Mode is used to create and configure APN profiles within the current system context of a UMTS/LTE service.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
aaa group
This command configures a AAA server group for the APN for AAA functionality.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] aaa group group_name
default aaa group
no
Disables the specified AAA group for the specific APN.
default
Sets / restores default AAA group specified at the context level or in APN template.
group_name
The AAA group to configure for the APN.
group_name must be a string of 1 through 63 characters in length.
Usage
Instead of having a single list of servers per context, this feature configures multiple server groups within a context and applies an individual server group to each APN in that context. Each server group consists of a list of AAA servers for each AAA function (accounting, authentication, charging, etc.).
Example
The following command applies the AAA server group star1 to an APN within the specific context:
aaa group star1
The following command disables the AAA group for the specific APN:
no aaa group group_name
 
access-link
Configures IP fragmentation processing over the access link (PPP, GTP, etc.).
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
access-link ip-fragmentation { normal | df-ignore | df-fragment-and-icmp-notify }
df-ignore
Default: Disabled
Ignore the DF bit setting. Fragment and forward the packet over the access link.
df-fragment-and-icmp-notify
Default: Disabled
Partially ignore the DF bit. Fragment and forward the packet, but also return an ICMP error message to the source of the packet. The number of ICMP errors sent like this is rate-limited to 1 ICMP error packet per second per session.
normal
Default: Enabled
Normal processing. Drop the packet and send an ICMP unreachable message to the source of packet. This is the default behavior.
Usage
If the IP packet to be forwarded is larger than the access-link MTU and if the DF (Don't Fragment) bit is set for the packet, then the fragmentation behavior configured by this command is applied. Use this command to fragment packets even if they are larger than the access-link MTU.
Note that regardless of whether or not fragmentation is performed because of one of the above reasons, fragmentation may also occur for other reasons.
Payloads are encapsulated within IP/UDP/GTP before being sent to the SGSN. If that encapsulation causes the packet to exceed 1500 bytes, the inner IP payload is fragmented (even if it's not considered too-large by the above tests) into two payloads (if the DF bit is not set). If the DF bit is set (and access-link ip-fragmentation normal is configured), the system performs IP fragmentation of the entire packet (i.e., IP fragmentation in the outer IP header) rather than fragmenting the inner IP payload. Either way, the result is two packets, but in one case the MS would have to perform IP reassembly while in the other case the SGSN would have to perform reassembly.
Example
Set fragmentation so that the DF bit is ignored and the packet is forwarded anyway by entering the following command:
access-link ip-fragmentation df-ignore
 
accounting-mode
This command configures the protocol to be used for PDP context accounting by this APN.
Product
GGSN, ECS, P-GW
Privilege
Security Administrator, Administrator
Syntax
accounting-mode { gtpp | none | radius-diameter [ no-interims ] [ no-early-pdus ] }
default accounting-mode
default
Restores the command to its default setting.
gtpp
Configures the APN to use GPRS Tunneling Protocol Prime for accounting purposes. If used, accounting will begin as soon as the PDP context is established. This is the default setting.
Default: Enabled
Important: The system’s GTPP parameters must be configured prior to using this protocol for accounting. Refer to the gtpp commands in the Context Configuration Mode Commands chapter of this reference.
none
Disables accounting for PDP contexts using this APN.
When accounting mode is set to none, it indicates to the GTP stack at session manager to not generate the regular GTPP accounting triggers.
Default: Disabled.
radius-diameter
Configures the APN to use RADIUS/Diameter protocol for accounting purposes.
Default: Disabled
Important: The system’s RADIUS/Diameter accounting parameters must be configured prior to using either of the protocols for accounting. Refer to the radius/diameter commands in the Context Configuration Mode Commands and the AAA Server Group Configuration Mode Commands chapters of this reference.
no-early-pdus
Configures the GGSN to discard user traffic once the buffer is full until the RADIUS server has returned a response to the GGSN's accounting START request per 3GPP standards.
no-interims
Disables the generation of RADIUS interims per APN. If no-interims is specified, then it won't send any RADIUS INTERIM-UPDATEs for this APN, regardless of what is configured in the context that is used for RADIUS accounting.
Usage
This command specifies which protocol, if any, will be used to provide accounting for PDP contexts accessing the APN profile.
When the GTPP protocol is used, accounting messages are sent to the charging gateways (CGs) over the Ga interface. The Ga interface and GTPP functionality are typically configured within the system’s source context. As specified by the standards, a CDR is not generated when a session starts - CDRs are generated according to the interim triggers (configured using the cc command in the GGSN service configuration mode) and a CDR is generated when the session ends. For interim accounting, STOP/START pairs are sent based on configured triggers.
GTPP version 2 is always used. However, if version 2 is not supported by the CGF, the system reverts to using GTPP version 1. All subsequent CDRs are always fully-qualified partial CDRs. All CDR fields are R4.
If the radius-diameter option is used, either the RADIUS or the Diameter protocol is used as configured in the Context Configuration mode or the AAA Server Group Configuration mode.
If the RADIUS protocol is used, accounting messages can be sent over a AAA interface or the Gi to the RADIUS server. The AAA or Gi interface(s) and RADIUS functionality are typically configured with the system’s destination context along with the APN. RADIUS accounting begins immediately after an IP address is allocated for the MS. Interim accounting can be configured using the radius accounting interim interval. The radius accounting interim interval command sends INTERIM-UPDATE messages at specific intervals.
Keywords to this command can be used in combination with each other, depending on configuration requirements.
Important: If the accounting type in the APN is set to ‘none’ then G-CDRs will not be generated. If accounting type is left as the default ‘GTPP’ and ‘billing-records’ are configured in Rulebase configuration mode in ECS, then both G-CDRs and eG-CDRs would be generated.
Example
The following command configures the APN to use the RADIUS/Diameter protocol for accounting:
accounting-mode radius-diameter
accounting-mode radius-diameter no-interims no-early-pdus
accounting-mode radius-diameter no-early-pdus no-interims
 
active-charging bandwidth-policy
This command configures the bandwidth policy to be used for subscribers who use this APN.
Product
GGSN, ECS
Privilege
Security Administrator, Administrator
Syntax
active-charging bandwidth-policy bandwidth_policy
{ default | no } active-charging bandwidth-policy
default
Specifies that the default bandwidth policy configured in the rulebase be used for subscribers who use this APN.
no
Disables bandwidth control for the APN.
bandwidth_policy
Specifies the bandwidth policy name.
bandwidth_policy must be an alpha and/or numeric string from 1 through 63 characters in length.
Usage
Use this command to configure bandwidth policy to be used for subscribers who use this APN.
Example
The following command configures a bandwidth policy named standard for the APN:
active-charging bandwidth-policy standard
 
active-charging rulebase
This command specifies the name of the ACS rulebase to be used for subscribers who use this APN.
Product
GGSN, ECS, P-GW
Privilege
Security Administrator, Administrator
Syntax
active-charging rulebase rulebase_name
no active-charging rulebase
no
Removes the rulebase previously specified for this APN.
rulebase_name
Specifies the ACS rulebase name.
rulebase_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Usage
Use this command to specify the name of the ACS rulebase to be used for subscribers who use the APN.
Example
The following command specifies the ACS rulebase rule1 for the APN:
active-charging rulebase rule1
 
apn-ambr
Configures the Aggregated Maximum Bit Rate (AMBR) for all PDNs using this APN.
Product
P-GW
Privilege
Administrator
Syntax
apn-ambr rate-limit direction { downlink | uplink } [ burst-size { auto-readjust duration seconds | bytes } | violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit } ]
[ default | no ] apn-ambr rate-limit direction { downlink | uplink }
default
Returns the selected command to its default setting of no APN-AMBR.
no
Disables the selected command.
rate-limit direction { downlink | uplink }
Specifies that the rate limit is to be applied to either the downlink traffic or the uplink traffic.
downlink: Applies the AMBR parameters to the downlink direction.
uplink: Applies the AMBR parameters to the uplink direction.
burst-size { auto-readjust duration seconds | bytes}
This parameter is used by policing and shaping algorithms to permit short bursts of traffic in order to not exceed the allowed data rates. It is the maximum size of the token bucket.
auto-readjust duration seconds: A duration, in seconds, used in this burst size calculation:
burst size = peak data rate/8 * auto-readjust duration
seconds must be an integer value from 1 to 30. Default is 1 second.
bytes: Specifies the burst size in bytes allowed by this APN for the associated PDNs. bytes must be an integer value from 1 to 4294967295 (1 byte to 4 GB).
violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit }
The action that the P-GW will take when the data rate of the bearer context exceeds the AMBR.
drop: Violating packets are dropped.
lower-ip-precedence: The DSCP value is set to zero (“best effort”) for the violating packets.
shape [ transmit-when-buffer-full ]: Place all violating packets into a buffer and, optionally, packets are transmitted when the buffer is full.
transmit: Violating packets are transmitted. This is the default setting.
Usage
Use this command to enforce the AMBR for the APN on bearers that do not have a Guaranteed Bit Rate (GBR).
Example
The following command sets the downlink burst rate to use an auto-readjust duration of 2 seconds and lowers the IP precedence of violating packets:
apn-ambr rate-limit direction downlink burst-size auto-readjust duration 2 violate-action lower-ip-precedence
 
associate accounting-policy
Associates the APN with specific pre-configured policies configured in the same context.
Product
P-GW
Privilege
Administrator
Syntax
[ no ] associate accounting-policy name
no
Removes the selected association from this APN.
accounting-policy name
Associates the P-GW APN with an accounting policy configured in the same context. name must be an existing accounting policy and be from 1 to 63 alpha and/or numeric characters.
Accounting policies are configured through the policy accounting command in the Context Configuration Mode.
Usage
Use this command to associate the P-GW APN with an accounting policy configured in this context.
Example
The following command associates this P-GW APN with an accounting policy called acct1:
associate accounting-policy acct1
 
authentication
Configures the APN’s authentication parameters.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
authentication {[ msid-auth | imsi-auth [username-strip-apn] [password-use-pco] | msisdn-auth [username-strip-apn] [password-use-pco]]| [ allow-noauth ][ chap preference ][ mschap preference ] [ pap preference ]}
default authentication
default
Sets the default authentication type for this APN. By default allow-noauth is the type for authentication for an APN.
msid-auth
Obsolete. Use imsi-auth.
imsi-auth
Default: Disabled.
Configures the APN to attempt to authenticate the subscriber based on their International Mobile Subscriber Identification (IMSI) number.
msisdn-auth
Default: Disabled.
Configures the APN to attempt to authenticate the subscriber based on their Mobile Station International Integrated Services Digital Network (MSISDN) number as described in table in Usage section of this command.
username-strip-apn
Default: Disabled.
If enabled with either msisdn-auth or imsi-auth, this keyword strips the APN name from the user name msisdn@apn or imsi@apn received from AAA, making the user name msisdn or imsi respectively.
password-use-pco
Default: Disabled.
This keyword, if enabled, uses the password received through Protocol Configuration Options (PCO) from AAA for authentication.
allow-noauth
Default: Enabled
Configures the APN to not perform authentication for PDP contexts as described in table in Usage section.
chap preference
Default: Disabled
Configures the APN to attempt to use the Challenge Handshake Authentication Protocol (CHAP) to authenticate the subscriber as described in table in Usage section of this command.
A preference must be specified in conjunction with this option. Priorities specify which authentication protocol should be attempted first, second, third and so on. preference must be an integer from 1 through 1000. The lower the integer, the higher the preference.
mschap preference
Default: Disabled
Configures the APN to attempt to use the Microsoft Challenge Handshake Authentication Protocol (MSCHAP) to authenticate the subscriber as described in table in Usage section of this command.
A preference can be specified in conjunction with this option. Priorities specify which authentication protocol should be attempted first, second, third and so on. preference must be an integer from 1 through 1000. The lower the integer, the higher the preference.
pap preference
Default: Disabled
Configures the APN to attempt to use the Password Authentication Protocol (PAP) to authenticate the subscriber as described in table in Usage section of this command.
A preference must be specified in conjunction with this option. Priorities specify which authentication protocol should be attempted first, second, third and so on. preference must be an integer from 1 through 1000. The lower the integer, the higher the preference.
Usage
Use this command to specify how the APN profile should handle PDP context authentication and what protocols to use (if any). The ability to configure this option is provided to accommodate the fact that not every MS will implement the same authentication protocols.
The authentication process varies depending on whether the PDP context is of type IP or PPP. Table given in this section describes these differences.
For IP PDP contexts, the authentication protocol and values will be passed from the SGSN as Protocol Configuration Options (PCOs) within the create PDP context PDU to the GGSN. The GGSN requires that the authentication protocol is specified by this command (with no regard to priority) and will use this information to authenticate the subscriber.
Authentication Process Variances Between PDP Context Type
If there was no match and the aaa constructed-nai authentication parameter is enabled in the authentication context, the system attempts to determine a subscriber profile (via PAP with no password) using the subscriber’s MSISDN as the username.
If the aaa constructed-nai authentication parameter is enabled in the authentication context, the system attempts to determine a subscriber profile (via PAP with no password) using the subscriber’s MSISDN as the username.
If this protocol is used is specified and the allow-noauth parameter is disabled, the system will attempt to use the APN’s default username/password specified by the outbound command for authentication via PAP.
Obsolete. Use imsi-auth.
Obsolete. Use imsi-auth.
Example
The following command would configure the system to attempt subscriber authentication first using MSCHAP, then CHAP, and finally PAP. Since the allow-noauth keyword was also issued, if all attempts to authenticate the subscriber using these protocols fail, then the subscriber would still be allowed access.
authentication mschap 1 chap 2 pap 3 allow-noauth
To enable imsi-auth or msisdn-auth, the following command instances must be issued:
authentication imsi-auth
authentication msisdn-auth
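One way to audit saved APN configuration against the authentication rules above, as an added example that is not Cisco's code: it orders chap/mschap/pap by preference and flags allow-noauth, the allow-noauth default, the obsolete msid-auth keyword and preferences outside 1 through 1000. The sample configuration, its APN names and the `apn <name>` ... `exit` block framing are constructed assumptions, and the sketch requires a preference after each protocol keyword, as the Syntax line shows.

```python
import re

# Constructed sample configuration (not taken from a real system).
# Assumption: each APN is an "apn <name>" block closed by "exit".
SAMPLE_CONFIG = """\
apn corp.example
  authentication mschap 1 chap 2 pap 3 allow-noauth
  accounting-mode radius-diameter
exit
apn iot.example
  accounting-mode none
exit
apn secure.example
  authentication chap 1 pap 2
exit
apn legacy.example
  authentication msid-auth
exit
apn broken.example
  authentication pap 2000
exit
"""

PREF_PROTOCOLS = ("chap", "mschap", "pap")
ID_AUTH = ("imsi-auth", "msisdn-auth", "msid-auth")
ID_MODIFIERS = ("username-strip-apn", "password-use-pco")


def parse_authentication(args):
    """Turn the keywords that follow 'authentication' into a policy dict."""
    policy = {"order": [], "allow_noauth": False, "id_auth": None, "errors": []}
    prefs = []
    tokens = args.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in PREF_PROTOCOLS:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if not nxt.isdigit():
                policy["errors"].append(f"{tok}: preference missing")
            else:
                if 1 <= int(nxt) <= 1000:
                    prefs.append((int(nxt), tok))
                else:
                    policy["errors"].append(f"{tok}: preference {nxt} outside 1-1000")
                i += 1  # consume the preference value
        elif tok == "allow-noauth":
            policy["allow_noauth"] = True
        elif tok in ID_AUTH:
            policy["id_auth"] = tok
        elif tok not in ID_MODIFIERS:
            policy["errors"].append(f"unknown keyword {tok}")
        i += 1
    # The lower the integer, the higher the preference.
    policy["order"] = [name for _, name in sorted(prefs)]
    return policy


def split_apns(config_text):
    """Return {apn_name: [command lines]} for every 'apn <name>' block."""
    apns, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"apn\s+(\S+)", line)
        if match:
            current = apns.setdefault(match.group(1), [])
        elif line == "exit":
            current = None
        elif line and current is not None:
            current.append(line)
    return apns


def audit_apn(lines):
    """Return the findings for one APN's command lines."""
    auth_args = None
    for line in lines:  # assumption: the last authentication line wins
        if line == "default authentication":
            auth_args = None
        elif line.startswith("authentication "):
            auth_args = line[len("authentication "):]
    if auth_args is None:
        return ["no authentication line: the default allow-noauth applies"]
    policy = parse_authentication(auth_args)
    findings = list(policy["errors"])
    if policy["id_auth"] == "msid-auth":
        findings.append("msid-auth is obsolete: use imsi-auth")
    if policy["allow_noauth"] and policy["order"]:
        tried = ", ".join(policy["order"])
        findings.append(f"allow-noauth: access is still allowed if {tried} all fail")
    elif policy["allow_noauth"]:
        findings.append("allow-noauth only: no authentication is performed")
    return findings


def audit(config_text):
    return {name: audit_apn(lines) for name, lines in split_apns(config_text).items()}


if __name__ == "__main__":
    for apn, findings in audit(SAMPLE_CONFIG).items():
        print(apn, findings or ["ok"])
```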
 
bearer-control-mode
This command enables/disables the bearer control mode for network controlled QoS (NCQoS) through this APN. It also controls the sending of IE in GTP messages.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
bearer-control-mode [ ms-only | mixed | none ]
default bearer-control-mode
default
Sets the bearer control mode to default mode of “none”.
ms-only
Default: Disabled.
This keyword sets the bearer control mode to “MS-only” mode. In this mode bearer will be controlled by User Equipment (UE) side.
mixed
Default: Disabled.
This keyword sets the bearer control mode to “Mixed” mode. In this mode bearer will be controlled by User Equipment (UE) and network side (from GGSN) as well.
To enable network controlled QoS this option must be enabled.
none
Default: Enabled.
This keyword sets the bearer control mode to “none” mode.
With BCM mode as none, system will not send any BCM mode information, BCM IE and BCM information in protocol configuration option (PCO) IE, in GTPC messages sent by GGSN.
This command is useful in networks where AGWs/firewalls do not support unknown optional IEs in GTP message.
Usage
Use this command to enable QoS through bearer control. This can be done either from the MS side alone or from both the GGSN and the MS. To enable network-requested QoS, the user needs to enable “Mixed” mode for bearer control.
With this keyword operator can control sending of BCM information in GTPC messages from GGSN.
With MS-Only or Mixed options in this mode system sends BCM information element in every Create PDP Context Response & Unknown PDP Context Request and Response message.
It is possible in some networks that AGWs/Firewall drops/rejects GTPC message if there is an Unknown optional IE. To resolve this none option is used so operator can control sending of BCM IE and BCM information in PCO IE in GTPC messages from GGSN.
Example
The following command enables the bearer control from network and MS side for NCQoS.
bearer-control-mode mixed
 
cc-home
Configures the home subscriber charging characteristics (CC) used by the GGSN when those from the SGSN will not be accepted.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
cc-home behavior bits profile index
behavior bits
Specifies the behavior bit for the home subscriber charging characteristic.
bits can be configured to any unique bit from 001H to FFFH (0001 to 1111 1111 1111 bin) where the least-significant bit corresponds to B1 and the most-significant bit corresponds to B12.
profile index
Default: 8
Specifies the profile index for the home subscriber charging characteristic.
index can be configured to any integer value between 0 and 15.
Important: 3GPP standards suggest that profile index values of 1, 2, 4, and 8 be used for hot billing, flat rate billing, prepaid billing and normal billing, respectively. A single charging characteristics profile can contain multiple behavior settings.
Usage
When the GGSN is configured to reject the charging characteristics sent by the SGSN for “home” subscribers, it uses the profile index specified by this command to determine the appropriate CCs to use.
Multiple behavior bits can be configured for a single profile index by “Or”ing the bit strings together and converting the result to hexadecimal.
The properties of the actual CC profile index are configured as part of the GGSN service using the cc profile command. Refer to the GGSN Service Configuration Mode chapter of this reference for additional information on this command.
Example
The following command configures a behavior bit of 2 (0000 0000 0010) and a profile index of 10 for home subscribers charging characteristics:
cc-home behavior 2 profile 10
The following command configures the behavior bits 3 (0000 0000 0100) and 5 (0000 0001 0000 bin) and a profile index of 14 for home subscriber charging characteristics:
cc-home behavior 14 profile 14
 
cc-roaming
Configures the roaming subscriber charging characteristics (CC) used by the GGSN when those from the SGSN will not be accepted.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
cc-roaming behavior bits profile index
behavior bits
Specifies the behavior bit for the roaming subscriber charging characteristic.
bits can be configured to any unique bit from 001H to FFFH (0001 to 1111 1111 1111 bin) where the least-significant bit corresponds to B1 and the most-significant bit corresponds to B12.
profile index
Default: 8
Specifies the profile index for the roaming subscriber charging characteristic.
index can be configured to any integer value between 0 and 15.
Important: 3GPP standards suggest that profile index values of 1, 2, 4, and 8 be used for hot billing, flat rate billing, prepaid billing and normal billing, respectively. A single charging characteristics profile can contain multiple behavior settings.
Usage
When the GGSN is configured to reject the charging characteristics sent by the SGSN for “roaming” subscribers, it uses the profile index specified by this command to determine the appropriate CCs to use.
Multiple behavior bits can be configured for a single profile index by “Or”ing the bit strings together and converting the result to hexadecimal.
The properties of the actual CC profile index are configured as part of the GGSN service using the cc profile command. Refer to the GGSN Service Configuration Mode chapter of this reference for additional information on this command.
Example
The following command configures a behavior bit 10 (0010 0000 0000) and a profile index of 10 for roaming subscriber charging characteristics:
cc-roaming behavior 200 profile 10
The following command configures the behavior bits 9 (0001 0000 0000) and 6 (0000 0010 0000) and a profile index of 14 for roaming subscriber charging characteristics:
cc-roaming behavior 120 profile 14
 
cc-sgsn
Specifies the GGSN’s source for charging characteristics (CC) - those configured locally or those received from the SGSN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
cc-sgsn { radius-returned | home-subscriber-use-GGSN | roaming-subscriber-use-GGSN | visiting-subscriber-use-GGSN } +
cc-sgsn { use-GGSN behavior bits profile index[ 0...15 ] [ radius-returned ] }
no cc-sgsn { { radius-returned | home-subscriber-use-GGSN | roaming-subscriber-use-GGSN | visiting-subscriber-use-GGSN } + | [ use-GGSN ] [ radius-returned ] }
no
Causes the GGSN to accept CCs from the SGSN(s) when the no cc-sgsn command is entered with all applicable keywords. Otherwise, no cc-sgsn can be used to turn off one or more of the GGSN sources of CC.
Before entering no cc-sgsn, it is helpful to determine which CC sources have been configured. This can be done with either show configuration or show apn name in Exec Command Mode.
home-subscriber-use-GGSN
Configures the GGSN to use the locally defined charging characteristics for home subscribers, as configured with the APN Configuration Mode cc-home command.
roaming-subscriber-use-GGSN
Configures the GGSN to use the locally defined charging characteristics for roaming subscribers, as configured with the APN Configuration Mode cc-roaming command.
visiting-subscriber-use-GGSN
Configures the GGSN to use the locally defined charging characteristics for visiting subscribers, as configured with the APN Configuration Mode cc-visiting command.
radius-returned
Configures the GGSN to accept charging characteristics returned from the RADIUS server for all subscribers for the APN.
use-GGSN [ behavior bits ] profile index[ 0...15 ]
Configures the GGSN to accept charging characteristics for all subscribers in the APN.
bits specifies the behavior bit for the charging characteristic. This variable can be configured to any unique bit from 001H to FFFH (0001 to 1111 1111 1111 bin) where the least-significant bit corresponds to B1 and the most-significant bit corresponds to B12.
index indicates which profile defined with cc profile, in GGSN Service Configuration mode, GGSN uses as a source for CCs. The index can be configured to any integer value from 0 to 15.
The use-GGSN keyword can be entered alone or in conjunction with the radius-returned keyword. When entered, this keyword overrides previous configuration using any of the home, roaming, and/or visiting keywords.
+
More than one of the above keywords can be entered within a single command.
Usage
This command specifies whether or not CCs received from the SGSN will be accepted. If they are not accepted, the GGSN will use those that have been configured locally.
The GGSN’s behavior can be configured for the following subscriber types:
Home: Subscribers belonging to the same Public Land Mobile Network (PLMN) as the one on which the GGSN is located.
Roaming: Subscribers that are serviced by an SGSN belonging to a different PLMN than the one on which the GGSN is located.
Visiting: Subscribers belonging to a different PLMN than the one on which the GGSN is located.
Example
The following command instructs the GGSN to accept CCs for any subscriber in the APN based on local profile configurations of CCs.
cc-sgsn use-GGSN profile x
Assuming the CC source as defined with the previous command, the following command instructs the GGSN to accept CCs supplied by the SGSN(s) and disables the acceptance of CCs supplied by the GGSN for any subscriber within the APN:
no cc-sgsn use-GGSN
The following command instructs the GGSN to accept CCs for any subscriber in the APN based on CC information returned from the RADIUS server. This command can be issued after the previous command to expand the possible sources.
cc-sgsn radius-returned
The following command disables the acceptance of CCs supplied by the GGSN for visiting and roaming subscribers:
no cc-sgsn roaming-subscriber-use-GGSN visiting-subscriber-use-GGSN
 
cc-visiting
Configures the visiting subscriber charging characteristics (CC) used by the GGSN when those from the SGSN will not be accepted.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
cc-visiting behavior bits profile index
behavior bits
Specifies the behavior bit for the visiting subscriber charging characteristic.
bits can be configured to any unique bit from 001H to FFFH (0001 to 1111 1111 1111 bin) where the least-significant bit corresponds to B1 and the most-significant bit corresponds to B12.
profile index
Default: 8
Specifies the profile index for the visiting subscriber charging characteristic.
index can be configured to any integer value between 0 and 15.
Important: 3GPP standards suggest that profile index values of 1, 2, 4, and 8 be used for hot billing, flat rate billing, prepaid billing and normal billing, respectively. A single charging characteristics profile can contain multiple behavior settings.
Usage
When the GGSN is configured to reject the charging characteristics sent by the SGSN for “visiting” subscribers, it uses the profile index specified by this command to determine the appropriate CCs to use.
Multiple behavior bits can be configured for a single profile index by “Or”ing the bit strings together and converting the result to hexadecimal.
The properties of the actual CC profile index are configured as part of the GGSN service using the cc profile command. Refer to the GGSN Service Configuration Mode chapter of this reference for additional information on this command.
Example
The following command configures a behavior bit 7 (0000 0100 0000) and a profile index of 10 for visiting subscriber charging characteristics:
cc-visiting behavior 40 profile 10
The following command configures the behavior bits 1 (0000 0000 0001) and 12 (1000 0000 0000) and a profile index of 14 for visiting subscriber charging characteristics:
cc-visiting behavior 801 profile 14
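The behavior-bit arithmetic used by cc-home, cc-roaming and cc-visiting, as an added example that is not part of the original reference: it ORs bits B1 through B12 into the hexadecimal value the commands take, decodes a value back into bit numbers, and checks a command line against the documented ranges. Reading the behavior argument as hexadecimal without an H suffix is an assumption drawn from the examples on this page; the function names are hypothetical.

```python
import re

# Profile index uses that the page attributes to 3GPP suggestions.
SUGGESTED_PROFILES = {1: "hot billing", 2: "flat rate billing",
                      4: "prepaid billing", 8: "normal billing"}

# Assumption: the behavior argument is 1-3 hex digits, as in the page's examples.
CC_COMMAND = re.compile(
    r"(cc-home|cc-roaming|cc-visiting)\s+behavior\s+([0-9A-Fa-f]{1,3})"
    r"\s+profile\s+(\d+)")


def encode_behavior(bit_numbers):
    """OR behavior bits (1 = B1 ... 12 = B12) and return the hex string."""
    value = 0
    for bit in bit_numbers:
        if not 1 <= bit <= 12:
            raise ValueError(f"behavior bit B{bit} is outside B1-B12")
        value |= 1 << (bit - 1)  # B1 is the least-significant bit
    if value == 0:
        raise ValueError("at least one behavior bit is required")
    return format(value, "X")


def decode_behavior(hex_value):
    """Return the sorted list of bit numbers set in a behavior value."""
    value = int(hex_value, 16)
    if not 0x001 <= value <= 0xFFF:
        raise ValueError(f"behavior {hex_value} is outside 001H-FFFH")
    return [bit for bit in range(1, 13) if value & (1 << (bit - 1))]


def parse_cc_command(line):
    """Validate one cc-home / cc-roaming / cc-visiting line and explain it."""
    match = CC_COMMAND.fullmatch(line.strip())
    if not match:
        raise ValueError(f"not a charging characteristics command: {line!r}")
    command, behavior, profile = match.group(1), match.group(2), int(match.group(3))
    if not 0 <= profile <= 15:
        raise ValueError(f"profile index {profile} is outside 0-15")
    return {
        "command": command,
        "bits": decode_behavior(behavior),
        "profile": profile,
        "suggested_use": SUGGESTED_PROFILES.get(profile),  # None if unlisted
    }


if __name__ == "__main__":
    # The example commands from the three sections above.
    for cmd in ("cc-home behavior 14 profile 14",
                "cc-roaming behavior 120 profile 14",
                "cc-visiting behavior 801 profile 14"):
        print(cmd, "->", parse_cc_command(cmd))
```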
 
content-filtering category
This command enables/disables the specified pre-configured Category Policy Identifier for Category-based Content Filtering support.
Product
All
Privilege
Security Administrator, Administrator
Syntax
content-filtering category policy-id cf_policy_id
no content-filtering category policy-id
no
Disables the previously configured category policy identifier for Content Filtering support to the APN. This is the default setting.
category policy-id cf_policy_id
This command applies the specified content filtering category policy ID, configured in Active Charging Configuration mode, to this APN.
cf_policy_id must be a preconfigured category policy ID in Active Charging Configuration Mode.
In case category policy identifier cf_policy_id used here is not configured in Active Charging Configuration Mode, all packets will be passed regardless of the categories determined for such packets.
Important: Category Policy Id configured through this mode overrides the Category Policy id configured through content-filtering category policy-id command in Rulebase Configuration Mode of Active Charging Service Configuration mode.
Usage
Use this command to enter the Content Filtering Policy Configuration mode and to enable or disable the Content Filtering Category Policy ID for an APN.
Important: If Content Filtering Category Policy ID is not specified here the similar command in ACS Rulebase Configuration Mode determines the policy.
Up to 64 different policy identifiers can be defined in a Content Filtering support service.
Example
The following command enters the Content Filtering Policy Configuration mode and enables the Category Policy ID 101 for Content Filtering support:
content-filtering category policy-id 101
 
credit-control-group
This command configures the Credit Control Group to be used for subscribers who use this APN.
Product
GGSN, ECS, P-GW
Privilege
Security Administrator, Administrator
Syntax
credit-control-group cc_group_name
no credit-control-group
no
Removes the previously configured Credit Control Group from the APN configuration.
cc_group_name
Specifies the Credit Control Group name.
cc_group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Usage
Use this command to configure the Credit Control Group for this APN.
Creating different credit control groups enables applying different credit control configurations (DCCA dictionary, failure-handling, session-failover, Diameter endpoint selection, etc.) to different subscribers on the same system.
Without credit control groups, only one credit control configuration is possible on a system. All the subscribers in the system will have to use the same configuration.
Example
The following command configures a Credit Control Group named testgroup12 to the current APN:
credit-control-group testgroup12
 
data-tunneling ignore df-bit
Controls the handling of the DF (Don't Fragment) bit present in the user IPv4/IPv6 packet for tunneling used for the Mobile IP data path.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
data-tunneling ignore df-bit
no data-tunneling ignore df-bit
no
Disables this option. The DF bit in the tunneled IP packet header is not ignored during tunneling. This is the default setting.
Usage
Use this command to configure a user so that during Mobile IP tunneling the DF bit is ignored and packets are fragmented.
If this feature is enabled, and fragmentation is required for the tunneled user IPv4/IPv6 packet, then the DF bit is ignored and the packet is fragmented. Also the DF bit is not copied to the outer header.
In the GGSN, this command also affects the other L3 tunneling options, IP-in-IP and GRE, but does not affect L2TP tunneling.
Example
To enable fragmentation of a subscriber's packets over a MIP tunnel even when the DF bit is present, enter the following command:
data-tunneling ignore df-bit
 
data-tunnel mtu
Configures the Maximum Transmission Unit (MTU) for data sent on the IPv6 tunnel between the P-GW and the mobile node.
Product
P-GW
Privilege
Administrator
Syntax
data-tunnel mtu bytes
default data-tunnel mtu
default
Returns the command to the default value of 1500.
mtu bytes
Default: 1500
Specifies the MTU for the IPv6 tunnel between the P-GW and the mobile node. bytes must be an integer between 1280 and 2000.
Usage
Use this command to set the MTU for data traffic on the IPv6 tunnel between the P-GW and the mobile node.
Example
The following command sets the MTU for IPv6 data traffic to 1400 bytes:
data-tunnel mtu 1400
 
dcca origin endpoint
 
This command is obsolete. To configure the Diameter Credit Control Origin Endpoint, use the diameter origin endpoint command in the Credit Control Configuration mode.
 
dcca peer-select
Specifies the Diameter credit control primary and secondary host for credit control.
Product
GGSN, ECS, P-GW
Privilege
Security Administrator, Administrator
Syntax
dcca peer-select peer host_name [ realm realm_name ] [ secondary-peer host_name [ realm realm_name ] ]
no dcca peer-select
no
Removes the previously configured Diameter credit control peer selection.
peer host_name
A unique name that you specify for the peer.
peer_name must be an alpha and/or numeric string of 1 through 127 characters. peer_name allows punctuation marks.
secondary-peer host_name
Specifies a back-up host that is used for fail-over processing. When the route-table does not find an AVAILABLE route, the secondary host performs fail-over processing.
realm realm_name
The realm_name must be an alpha and/or numeric string of 1 to 127 characters. The realm may typically be a company or service name. realm_name allows punctuation marks.
Usage
Use this command to select a Diameter credit control peer and realm.
Warning: This configuration completely overrides all instances of diameter peer-select that have been configured within the Credit Control Configuration Mode for an Active Charging service.
Example
The following command selects a Diameter credit control peer named test and a realm of companyx:
dcca peer-select test realm companyx
 
default
Sets/restores the default value assigned for the specified parameter.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
default { access-link ip-fragmentation | accounting-mode | authentication | cc-home | cc-roaming | cc-sgsn | cc-visiting | data-tunneling ignore df-bit | dhcp lease-expiration-policy | idle-timeout-activity | ip { address { allocation-method } | header-compression | multicast discard | qos-dscp | source-violation } | l3-to-l2-tunnel | loadbalance-tunnel-peers | long-duration-action | max-contexts | mobile ip { home-agent | mn-aaa-removal-indication | required | reverse-tunnel } | pdp-type | ppp { data-compression { mode | protocols } | keepalive | min-compression-size | mtu } | proxy-mip { required | null-username static-homeaddr } | selection-mode | sgsn payload-compression | timeout [ absolute | idle | long-duration | qos-renegotiate ] | tunnel load-balance }
access-link ip-fragmentation
Restores the APN access-link parameter to its default setting of normal.
accounting-mode
Restores the APN accounting-mode parameter to its default setting of gtpp.
authentication
Restores the APN authentication parameter to its default setting of allow-noauth.
cc-home
Restores the cc-home parameter to its default setting of the following:
cc-roaming
Restores the cc-roaming parameter to its default setting of the following:
cc-sgsn
Restores the cc-sgsn parameter to its default setting of the following:
cc-visiting
Restores the cc-visiting parameter to its default setting of the following:
data-tunneling ignore df-bit
Restores the data-tunneling parameter to its default setting of disabled.
dhcp lease-expiration-policy
Restores the dhcp lease-expiration-policy parameter to its default setting of auto-renew.
idle-timeout-activity
Sets or restores the session idle-timeout default so it is reset with both uplink and downlink packets.
ip { address { allocation-method } | header-compression | multicast discard | qos-dscp | source-violation }
Restores the APN ip parameters to the following default settings:
address allocation-method: local and allow-user-specified enabled
multicast discard: configures the default multicast settings which is to discard PDUs
qos-dscp: conversational ef streaming af11 interactive af21 background be
source-violation: check enabled, drop-limit 10
l3-to-l2-tunnel
Restores the layer 3-to-layer 2 tunnel address policy parameter to its default setting of validation with no allocation.
loadbalance-tunnel-peers
Restores the loadbalance-tunnel-peers parameter to its default setting of random.
long-duration-action
Restores the long-duration-action parameter to its default setting of detection.
max-contexts
Restores the max-contexts parameter to its default settings of:
primary: 1000000
total: 1000000
mobile ip { home-agent | mn-aaa-removal-indication | required | reverse-tunnel }
Restores the APN mobile-ip parameters to the following default settings:
home-agent : No HA address defined
required : Disabled
npu qos traffic priority
Restores the APN NPU QoS parameter to its default setting of Derive from packet DSCP.
pdp-type
Restores the APN pdp-type parameter to its default setting of ipv4.
ppp { data-compression { mode | protocols } | keepalive | min-compression-size | mtu }
Restores the APN ppp parameters to the following default settings:
data-compression protocols: stac, mppc, deflate
mtu: 1500
proxy-mip {required | null-username static-homeaddr}
Restores the APN proxy-mip required parameter to its default setting of Disabled.
required: Configures handling of RRQ to enable the acceptance without NAI extension in this APN. Default: Disabled.
null-username static-homeaddr: Configures handling of RRQ to enable the acceptance without NAI extension in this APN. Default: Disabled.
qos-renegotiate
This keyword is obsolete.
selection-mode
Restores the APN selection-mode parameter to its default setting of subscribed.
sgsn payload-compression
Configures payload compression by SGSN for this APN.
timeout [ absolute | idle | long-duration | qos-renegotiate]
Restores the APN timeout parameters to the following default settings:
qos-renegotiate : 180 - This keyword is obsolete.
This is the timeout value for the dampening timer during the dynamic QoS renegotiation.
Usage
After system parameters have been modified, this command is used to set/restore specific parameters to their default values.
Example
The following command restores the ppp min-compression-size parameter to its default setting of 128:
default ppp min-compression-size
 
dhcp context-name
Configures the name of the context on the system in which Dynamic Host Configuration Protocol (DHCP) functionality is configured.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
dhcp context-name name
no dhcp context-name name
no
Removes a previously configured context name.
name
The name of a context configured on the system in which one or more DHCP services are configured. It can be from 1 to 79 alpha and/or numeric characters in length and is case sensitive.
Usage
If the APN is to support dynamic address assignment via DHCP (either the proxy or relay mode), this parameter must be configured to point the APN to the name of a pre-configured context on the chassis in which one or more DHCP services are configured.
The command can be used to identify a single DHCP service instance within the specified context to use to facilitate the address assignment.
Example
The following command configures the APN to look for DHCP services in a context called dhcp-ctx:
dhcp context-name dhcp-ctx
 
dhcp lease-expiration-policy
Configures the system’s handling of PDP contexts whose DHCP assigned IP lease has expired.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
dhcp lease-expiration-policy { auto-renew | disconnect }
auto-renew
Default: Enabled
Configures the system to automatically renew an IP address’ lease when it is about to expire for PDP contexts facilitated by the APN.
disconnect
Default: Disabled
Configures the system to automatically release the PDP context when the lease for the IP address associated with that context expires.
Usage
Use this command to specify the action the system is to take when leases for IP addresses for PDP contexts that are currently facilitated by the current APN are about to expire.
Example
The following command causes the system to release PDP contexts associated with the current APN when the lease for their DHCP-assigned IP address expires:
dhcp lease-expiration-policy disconnect
 
dhcp service-name
Configures the name of a specific DHCP service to use when dynamically assigning IP addresses to PDP contexts using the Dynamic Host Configuration Protocol.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
dhcp service-name svc_name
no dhcp service-name svc_name
no
Removes a previously configured DHCP service name.
svc_name
Configures the name of the DHCP service instance that is to be used by the current APN for the dynamic assignment of IP addresses to PDP contexts.
The name can be from 1 to 63 alpha and/or numeric characters in length and is case sensitive.
Usage
Use this command to specify a pre-configured DHCP service instance that is to be used by the APN for IP address assignment when the Dynamic Host Configuration Protocol is used.
The name of the context in which the desired DHCP service is configured must be specified by the parameter.
Example
The following command instructs the APN to use a DHCP service called dhcp1:
dhcp service-name dhcp1
 
dns
Configures the Domain Name Service (DNS) servers that will be used by the APN for PPP.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
dns { primary | secondary } { address }
no dns { primary | secondary } [ dns_address ]
no
Deletes a previously configured DNS server.
primary
Configures the primary DNS server for the APN.
secondary
Configures the secondary DNS server for the APN. Only one secondary DNS server can be configured.
address
Default: primary = 0.0.0.0, secondary = 0.0.0.0
Configures the IP address of the DNS server. address must be expressed in dotted decimal notation.
dns_address
Specifies the IP address of the DNS server to remove. dns_address must be expressed in dotted decimal notation.
Usage
DNS servers are configured on a per-APN profile basis. This allows each APN profile to use specific servers in processing PDP contexts.
The configured DNS IP addresses are relayed to the subscriber within IPCP if the PDP type is PPP, or as PCOs (Protocol Configuration Options) if the PDP type is IP.
DNS servers can be specified at the APN level in the APN configuration, at the context level in Context Configuration Mode with the ip name-servers command, or received from the AAA server.
When DNS is requested in PCO configuration, the following order of preference is applied to the DNS values:
1. DNS values received from the LNS have the first preference.
2. DNS values received from the RADIUS server have the second preference.
3. DNS values locally configured with the APN have the third preference.
4. DNS values configured at the context level with the ip name-servers command have the last preference.
Important: The same preference applies to the NBNS servers to be negotiated via IPCP with the LNS.
Example
The following commands configure a primary DNS server address of 192.168.100.3 and a secondary DNS server address of 192.168.100.4:
dns primary 192.168.100.3
dns secondary 192.168.100.4
 
ehrpd-access
Configures the P-GW to exclude IPv6 traffic from being delivered to UEs, accessing PDNs from the eHRPD network, that do not have IPv6 capabilities.
Product
P-GW
Privilege
Administrator
Syntax
[ default | no ] ehrpd-access drop-ipv6-traffic
[ default | no ]
Resets this command to its default setting of disabled.
Usage
Use this command to exclude IPv6 traffic from being delivered to UEs on the eHRPD network that do not have IPv6 capabilities.
 
end
Exits the APN configuration mode and returns to the Administrator-Exec mode prompt.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Change the mode back to the Administrator-Exec mode.
 
exit
Exits the APN configuration mode and returns to the context configuration mode.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Returns to the context configuration mode.
 
firewall policy
This command enables/disables Stateful Firewall support for the APN.
Product
All
Privilege
Security Administrator, Administrator
Syntax
firewall policy firewall-required
{ default | no } firewall policy
no
Disables Stateful Firewall support for this APN.
default
Configures the default setting for Stateful Firewall support.
Default: Disabled
firewall-required
Enables Stateful Firewall support for this APN.
Usage
Use this command to enable or disable Stateful Firewall support for this APN.
Important: This command is only available in StarOS 8.0. In StarOS 8.1 and later, this configuration is available in the Rulebase Configuration Mode.
Important: Unless Stateful Firewall support for this APN is enabled using this command, firewall processing for this APN is disabled.
Important: If firewall is enabled, and the rulebase has no firewall configuration, Stateful Firewall will cause all packets to be discarded.
Example
The following command enables Stateful Firewall support for this APN:
firewall policy firewall-required
The following command disables Stateful Firewall support for this APN:
no firewall policy
 
fw-and-nat policy
This command configures the Firewall-and-NAT policy to be used for subscribers who use this APN.
Product
FW, NAT
Privilege
Security Administrator, Administrator
Syntax
fw-and-nat policy fw_nat_policy
{ default | no } fw-and-nat policy
default
Specifies that the default Firewall-and-NAT policy configured in the rulebase be used for subscribers who use this APN.
no
Disables Firewall and NAT for the APN.
fw_nat_policy
Specifies the Firewall-and-NAT policy for the APN.
fw_nat_policy must be an alpha and/or numeric string of 1 through 63 characters in length. Note that this policy will override the default Firewall-and-NAT policy configured in the ACS rulebase.
Usage
Use this command to configure the Firewall-and-NAT policy for the APN. Note that the policy configured in the subscriber mode will override the default policy configured in the ACS rulebase. If a policy is not configured in the subscriber mode, the default policy configured in the ACS rulebase will be used.
Important: This command is customer-specific and is only available in StarOS 8.1.
Important: This command must be used to configure the Policy-based Firewall-and-NAT feature.
Example
The following command configures a Firewall-and-NAT policy named standard for the APN:
fw-and-nat policy standard
 
gsm-qos negotiate
Enables negotiation of QoS attribute Reliability Class based on the configuration provided for Service Data Unit (SDU) Error Ratio and Residual Bit Error Ratio (BER) attributes in the APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
gsm-qos negotiate sdu-error-ratio sdu-error-ratio-code [residual-ber residual-ber-code]
[no] gsm-qos negotiate sdu-error-ratio [sdu-error-ratio-code [residual-ber residual-ber-code]]
no
Disables the configuration for negotiation of QoS attribute reliability class.
sdu-error-ratio sdu-error-ratio-code
Enables the negotiation of QoS attribute reliability class based on Service Data Unit (SDU) Error Ratio attributes.
sdu-error-ratio-code corresponds to distinct SDU Error Ratio values and must be an integer from 1 through 7.
residual-ber residual-ber-code
Enables the optional configuration of negotiation of QoS attribute reliability class based on Residual Bit Error Ratio (BER) attributes.
residual-ber-code corresponds to distinct Residual Bit Error Ratio values and must be an integer from 1 through 9.
Usage
This command configures the QoS attribute Reliability Class to be negotiated based on the configuration provided for SDU Error Ratio and Residual BER attributes. The derived Reliability Class and the configured values for SDU Error Ratio and Residual BER are sent back in CPC and UPC response.
The mapping for sdu-error-ratio-code is as follows:
Residual BER needs to be specified when SDU Error Ratio is set to codes 1, 2, 3 or 7 (or when SDU Error Ratio is intended to be set to a value greater than 5*10^-4), for determining the Reliability Class QoS attribute. Otherwise, the Residual BER value received in the Create PDP context request QoS (or UPC request) is used. The mapping for residual-ber-code is as follows:
Example
The following command configures the negotiation of QoS attribute Reliability Class based on Service Data Unit (SDU) Error Ratio 3 attributes in the APN:
gsm-qos negotiate sdu-error-ratio 3
 
gtpp group
This command applies a configured GTPP server group to an APN for CGF accounting functionality.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
gtpp group group_name [ accounting-context ac_context_name ]
[ no | default ] gtpp group group_name
no
Disables the applied GTPP group for specific APN.
default
Sets / Restores default GTPP server group specified at the context level or in APN template.
group_name
Specifies the name of server group that is used for authentication/accounting for specific APN.
group_name must be a string of 1 to 63 characters. It must be the same as configured earlier within the same context of APN.
accounting-context ac_context_name
Specifies the name of an accounting context on the system that processes accounting for PDP contexts handled by this GGSN service for accounting to specific APN.
ac_context_name specifies the name of the context to be used for accounting. The name must be between 1 and 79 alpha and/or numeric characters and is case sensitive.
Note that if accounting context is not specified here, it uses the GGSN service context or the context configured by the accounting context CLI command in GGSN Service Configuration Mode.
Usage
This feature provides the GTPP server configurables under GTPP group node. Instead of having a single list of servers per context, this feature configures multiple server groups within a context and applies individual GTPP server group for subscriber in that context. Each server group consists of a list of CGF accounting servers.
In case no GTPP group is applied for the said APN or default APN template, then the default GTPP server group available at context level is applicable for accounting of specific APN.
Example
The following command applies a previously configured GTPP server group named star1 to an APN within the specific context:
gtpp group star1
The following command disables the applied GTPP server group for the specific APN:
no gtpp group star1
 
gtpp secondary-group
This command enables/associates a preconfigured secondary GTPP server group to an APN for CGF accounting functionality. By default it is disabled.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
gtpp secondary-group group_name [accounting-context actt_ctxt_name]
[no | default] gtpp secondary-group group_name
no
Disables the configured/associated GTPP secondary group for specific APN.
default
Default: Enabled
Restores the default mode for secondary GTPP group for APN template.
group_name
Specifies the name of secondary GTPP server group that is used as an alternate for primary GTPP group associated with specific APN for storage of GTPP messages.
group_name must be a string of 1 to 63 characters. It must be the same as configured earlier within the same context of APN.
accounting-context actt_ctxt_name
Specifies the name of an accounting context on the system that processes accounting for PDP contexts handled by this GGSN service for accounting to specific APN.
ac_context_name specifies the name of the context to be used for accounting. The name must be between 1 and 79 alpha and/or numeric characters and is case sensitive.
Note that if accounting context is not specified here, it uses the GGSN service context or the context configured by the accounting context CLI command in GGSN Service Configuration Mode.
Usage
Use this feature to provide the secondary GTPP server group support for an APN.
When the secondary GTPP group is configured with this command, the GTPP messages will be duplicated to the secondary servers also.
This secondary group configuration is ignored if the configured group_name is the same as the primary group.
It is also ignored if the configured GTPP group group_name and/or accounting context ac_context_name is invalid. In such a case, the call is established successfully, unlike the primary group configuration where the call drops.
If the configured ac_context_name context is absent, the GGSN service context is chosen by default.
The secondary group messages are low priority, and thus they are preferred for purging when there is no room for new messages.
For more information on GTPP groups, refer to the gtpp group command in this guide.
Example
The following command applies a previously configured GTPP server group named star2 as the secondary GTPP group to an APN within the specific context:
gtpp secondary-group star2
The following command disables the applied secondary GTPP server group for the specific APN:
no gtpp secondary-group star2
 
idle-timeout-activity ignore-downlink
Configures a session idle-timeout to be reset with uplink packets only, or with both uplink and downlink packets.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] idle-timeout-activity ignore-downlink
default idle-timeout-activity
no
This is the default setting. When set, the downlink traffic is also considered to be an idle timeout activity.
default
Sets or restores the command to the default setting.
Usage
If idle-timeout-activity ignore-downlink is configured, the downlink traffic will not be used to reset the idle-timeout. Only uplink packets will be able to reset the idle-timeout.
By default, ignore-downlink is negated by the no command so downlink traffic is also used to reset the idle-timeout.
Example
The following command causes both uplink and downlink traffic to reset a session idle-timeout:
default idle-timeout-activity
The following command causes the session idle-timeout to be reset with only uplink packets:
idle-timeout-activity ignore-downlink
 
ims-auth-service
Applies an IMS authorization service to a subscriber through the APN for Gx interface support and functionality.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
ims-auth-service auth_svc_name
[ no | default ] ims-auth-service auth_svc_name
no
Disables the applied IMS authorization service for specific APN.
default
Sets / Restores default state of IMS authorization service, disabled or as specified at the context level or in APN template.
auth_svc_name
Specifies the name of IMS authorization service name that is used for Gx interface authentication for specific APN.
auth_svc_name must be a string of 1 to 63 characters, preconfigured within the same context of this APN.
Usage
This feature provides the IMS authorization service configuration for Gx interface in IMS service node.
Example
The following command applies a previously configured IMS authorization service named gx_interface1 to an APN within the specific context:
ims-auth-service gx_interface1
The following command disables the applied IMS authorization service gx_interface1 for the specific APN:
no ims-auth-service gx_interface1
 
ip access-group
Configures IPv4/IPv6 access group for the current APN profile.
Product
GGSN, ECS, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] ip access-group acl_group_name [in | out]
no
Removes a previously configured IPv4/IPv6 access group association.
acl_group_name
Specifies the name of the IPv4/IPv6 access group. acl_group_name is a configured ACL group and must be an alpha and/or numeric string of 1 to 79 characters.
in | out
Default: both (in and out)
Specifies the access-group as either inbound or outbound by the keywords in and out, respectively.
Usage
Use this command to apply a single IPv4/IPv6 access control list to multiple subscribers via this APN for inbound or outbound IPv4/IPv6 traffic.
If no traffic direction is specified, the selected access control list is applied to both directions of traffic.
Example
The following command associates the sampleipv4Group access group with the current APN profile for both inbound and outbound access:
ip access-group sampleipv4Group
The following command removes the outbound access group flag for sampleipv4Group:
no ip access-group sampleipv4Group out
 
ip address alloc-method
Configures the method by which this APN will obtain IP addresses for PDP contexts.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
ip address alloc-method { dhcp-proxy [ prefer-dhcp-options ] | dhcp-relay | local | no-dynamic } [ allow-user-specified ]
dhcp-proxy
Default: Disabled
Configures the APN to assign an IP address received from a DHCP server.
Important: If this option is used, the system’s DHCP parameters must be configured.
dhcp-relay
Default: Disabled
Configures the APN to forward DHCP packets received from the MS to a DHCP server.
Important: If this option is used, the system’s DHCP parameters must be configured.
local
Default: Enabled
Configures the APN to allocate IP addresses from a pool configured in the destination context on the system.
Important: If this option is used, the name of the IP address pool from which to allocate addresses must be configured using the ip address pool-name command. If no pool name is specified, the system will attempt to allocate an address from any public pool configured in the destination context.
no-dynamic
Default: Disabled
Disables the dynamic assignment of IP addresses to PDP contexts using this APN.
If a PDP context needing an IP address is received by an APN with this option enabled, it will be rejected with a cause code of 220 (Unknown PDP address or PDP type).
prefer-dhcp-options
Default: Disabled
When this keyword is specified with dhcp-proxy for IP address allocation configuration, the GGSN prefers DHCP-supplied parameters over values provided by the AAA server or by local configuration. This keyword controls the following parameters:
These values are sent in the PCO IE of the GTP Create PDP Response Message whenever the MS requests them in the Create PDP Request Message.
Important: This keyword is available only with dhcp-proxy ip allocation method as this functionality is implemented only for GGSN acting as DHCP proxy.
By default, this functionality is disabled. Hence, DNS and NBNS values, if received from DHCP server will not be considered by the GGSN.
allow-user-specified
Default: Enabled
Enables support for PDP contexts requesting the use of specific (static) addresses.
Important: If this option is not enabled, PDP contexts requesting the use of a static address will be rejected with a cause code of 220 (Unknown PDP address or PDP type).
Usage
Use this command to configure the method by which the APN profile will assign IP addresses to PDP contexts.
When the PDP context is being established and the APN name is determined, the system examines the APN's configuration profile. Part of that procedure is determining how to handle IP address allocation. The figure in the Example section shows the process used by the system to determine how the address should be allocated.
Example
The following command configures the APN to dynamically assign an address from a DHCP server and reject PDP sessions with static IP addresses:
ip address alloc-method dhcp-proxy
The following command configures the APN to reject sessions requesting dynamically assigned addresses and only allow those with static addresses:
ip address alloc-method no-dynamic allow-user-specified
The following figure provides the IP address allocation process:
IP Address Allocation Process
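The accept/reject behaviour that the alloc-method keywords describe above can be modelled as follows. This is an added example, not code from the product: the class and function names and the address_source labels are assumptions, and it covers only the outcomes stated on this page (including cause code 220).

```python
from dataclasses import dataclass
from typing import Optional

# Cause code quoted on this page: "Unknown PDP address or PDP type".
CAUSE_UNKNOWN_PDP_ADDRESS = 220
METHODS = {"dhcp-proxy", "dhcp-relay", "local", "no-dynamic"}
OPTIONS = {"prefer-dhcp-options", "allow-user-specified"}


@dataclass(frozen=True)
class AllocConfig:
    method: str
    prefer_dhcp_options: bool
    allow_user_specified: bool


@dataclass(frozen=True)
class Decision:
    accepted: bool
    address_source: Optional[str]  # label chosen for this example
    cause: Optional[int]           # cause code when the request is rejected


def parse_alloc_method(line: str) -> AllocConfig:
    """Parse one 'ip address alloc-method ...' line as it is typed."""
    tokens = line.split()
    # The page spells the keyword both alloc-method and allocation-method.
    if (len(tokens) < 4 or tokens[:2] != ["ip", "address"]
            or tokens[2] not in ("alloc-method", "allocation-method")):
        raise ValueError("not an alloc-method command: %r" % line)
    method, rest = tokens[3], tokens[4:]
    if method not in METHODS:
        raise ValueError("unknown allocation method: %r" % method)
    unknown = set(rest) - OPTIONS
    if unknown:
        raise ValueError("unknown keyword(s): %s" % ", ".join(sorted(unknown)))
    prefer = "prefer-dhcp-options" in rest
    if prefer and method != "dhcp-proxy":
        # The page limits prefer-dhcp-options to the dhcp-proxy method.
        raise ValueError("prefer-dhcp-options requires dhcp-proxy")
    return AllocConfig(method, prefer, "allow-user-specified" in rest)


def decide(cfg: AllocConfig, requested_static: Optional[str]) -> Decision:
    """Return the outcome for a PDP context; requested_static is None for dynamic."""
    if requested_static is not None:
        if cfg.allow_user_specified:
            return Decision(True, "user-specified", None)
        return Decision(False, None, CAUSE_UNKNOWN_PDP_ADDRESS)
    if cfg.method == "no-dynamic":
        return Decision(False, None, CAUSE_UNKNOWN_PDP_ADDRESS)
    return Decision(True, cfg.method, None)


if __name__ == "__main__":
    # The two example commands from this section; 10.0.0.5 is a constructed address.
    for cmd in ("ip address alloc-method dhcp-proxy",
                "ip address alloc-method no-dynamic allow-user-specified"):
        cfg = parse_alloc_method(cmd)
        print(cmd)
        print("  dynamic request:", decide(cfg, None))
        print("  static request: ", decide(cfg, "10.0.0.5"))
```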
 
ip address pool
Configures the name of a private IP address pool configured on the system from which to assign an address for a PDP context.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
ip address pool name pool_name
no ip address pool name pool_name
no
Removes a previously configured pool name.
name pool_name
Specifies the name of the private pool configured on the system from which an IP address will be assigned.
The name can be from 1 to 31 alpha and/or numeric characters and is case sensitive.
Usage
If the ip address alloc-method command is configured to allow the assignment of IP addresses from a local pool configured on the system, this command instructs the system as to which pool should be used.
The pool specified by this command must be a private pool configured in the destination context on the system. Please refer to the ip pool command in the context configuration mode for information on configuring IP address pools.
Multiple APNs can use the same IP address pool if required. In addition, this command could be issued multiple times to allow a single APN to use different address pools.
Example
The following command configures the system to use a pool named private_pool1 for address allocation:
ip address pool name private_pool1
 
ip context-name
Configures the name of the destination context to use for subscribers accessing this APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
ip context-name name
no ip context-name name
no
Removes a previously configured context name.
name
Specifies the name of the context through which subscriber data traffic will be routed. name must be from 1 to 79 alpha and/or numeric characters.
Usage
Use this command to specify the name of a destination context configured on the system through which to route all subscriber data traffic. This context will be used for subscribers accessing this APN. If no name is specified, the system will use the context in which the APN is configured as the destination context.
When the APN is used to support Mobile IP functionality, this command is used to indicate the context in which the FA service is configured. If no name is specified, the context of the GGSN service facilitating the subscriber PDP context is used.
Example
The following command configures the system to route subscriber traffic for the APN through a context called isp1:
ip context-name isp1
 
ip header-compression
Configures IP packet header compression parameters for this APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
ip header-compression vj
no ip header-compression
no
Disables Van-Jacobson header compression.
vj
Default: Enabled
Enables Van-Jacobson header compression for IP packets.
Usage
IP header compression reduces packet header overhead resulting in more efficient utilization of available bandwidth.
Example
The following command disables packet header compression for the APN:
no ip header-compression
 
ip hide-service-address
This command is configured on a per-APN basis. It renders the IP address of the GGSN unreachable from MS's using this APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
[ no | default ] ip hide-service-address
no
Allows the mobile station to reach the GGSN’s IP address using this APN.
default
Does not allow the mobile station to reach the GGSN’s IP address using this APN.
Usage
This hides the GGSN’s IP address from the mobile station for security purposes.
Example
The following command allows the GGSN’s IP address to be viewed by the mobile station:
no ip hide-service-address
 
ip local-address
Configures the local-side IP address of the subscriber's point-to-point connection.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
ip local-address ip_address
no ip local-address
no
Removes a previously configured IP local-address.
ip_address
Specifies an IP address configured in a destination context on the system through which a packet data network can be accessed.
ip_address must be expressed in dotted-decimal notation.
Usage
This parameter specifies the IP address on the system that the MS uses as the remote-end of the PPP connection. If no local address is configured, the system uses an unnumbered scheme for local-side addresses.
Example
The following command configures a local address of 192.168.1.23 for the MS:
ip local-address 192.168.1.23
 
ip multicast discard
Configures the IP multicast discard packet behavior.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] ip multicast discard
no
Removes a previously configured IP multicast discard.
Usage
This command specifies if IP multicast discard is enabled or disabled.
Example
The following command enables IP multicast discard for an APN:
ip multicast discard
 
ip qos-dscp
Configures the quality of service (QOS) differentiated service code point (DSCP) used when sending data packets over the Gi interface.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
ip qos-dscp { { allocation-retention-priority | background | conversational | interactive traffic_priority | streaming } { dscp}} +
no ip qos-dscp { allocation-retention-priority | background | conversational | interactive | streaming } +
no
Restores the QoS parameter to its default setting.
allocation-retention-priority
Specifies the DSCP for interactive class if the allocation priority is present in the QOS profile.
allocation-retention-priority can be the integers 1, 2, or 3.
DSCP values use the following matrix to map based on traffic handling priority and Alloc/Retention priority if the allocation priority is present in the QOS profile.
Following table shows the DSCP value matrix for allocation-retention-priority.
Default DSCP Value Matrix
Important: If you only configure DSCP marking for interactive traffic classes without specifying ARP, it may not properly take effect. The CLI allows this scenario for backward compatibility; however, it is recommended that you configure all three values.
background
Specifies the QOS for traffic patterns in which the data transfer is not time-critical (for example email exchange). This traffic pattern should be the lowest QOS.
conversational
Specifies the QOS for traffic patterns in which there is a constant flow of packets in each direction, upstream and downstream. This traffic pattern should be the highest QOS.
interactive traffic_priority
Specifies the QOS for traffic patterns in which there is an intermittent flow of packets in each direction, upstream and downstream. This traffic pattern should be a higher QOS than the background pattern, but not as high as that for the streaming pattern.
traffic_priority is the 3GPP traffic handling priority and can be the integers 1, 2, or 3.
streaming
Specifies the QOS for traffic patterns in which there is a constant flow of data in one direction, either upstream or downstream. This traffic pattern should be a higher QOS than the interactive pattern, but not as high as that for the conversational pattern.
dscp
Specifies the DSCP for the specified traffic pattern. dscp can be configured to any one of the following:
af11: Assured Forwarding 11 per-hop-behavior (PHB)
af12: Assured Forwarding 12 PHB
af13: Assured Forwarding 13 PHB
af21: Assured Forwarding 21 PHB
af22: Assured Forwarding 22 PHB
af23: Assured Forwarding 23 PHB
af31: Assured Forwarding 31 PHB
af32: Assured Forwarding 32 PHB
af33: Assured Forwarding 33 PHB
af41: Assured Forwarding 41 PHB
af42: Assured Forwarding 42 PHB
af43: Assured Forwarding 43 PHB
be: Best effort forwarding PHB
ef: Expedited forwarding PHB
pt: Pass through (ToS of user packet is not modified)
Default:
+
More than one of the above keywords can be entered within a single command.
Usage
DSCP levels can be assigned to specific traffic patterns in order to ensure that data packets are delivered according to the precedence with which they’re tagged. The diffserv markings are applied to the IP header of every subscriber data packet transmitted over the Gi interface(s).
The four traffic patterns have the following order of precedence: background (lowest), interactive, streaming, and conversational (highest). Data packets falling under the category of each of the traffic patterns are tagged with a DSCP that further indicates their precedence, as shown in the following tables respectively:
Class structure for assured forwarding (af) levels
The DSCP level can be configured for multiple traffic patterns within a single instance of this command.
Example
The following command configures the DSCP level for the streaming traffic pattern to be ef:
ip qos-dscp streaming ef
The following command configures the DSCP levels for the conversational, streaming, interactive and background traffic patterns to be ef, ef, af22, and af41, respectively:
ip qos-dscp conversational ef streaming ef interactive af22 background af41
 
ip source-violation
Enables/disables packet source validation for the current APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
ip source-violation { ignore | check [ drop-limit limit ] } [ exclude-from-accounting ]
ignore
Default: Disabled
Disables source address checking for the APN.
check [ drop-limit limit ]
Default: Enabled, limit = 10
Enables the checking of source addresses received from subscribers for violations.
A drop-limit can be configured to set a limit on the number of invalid packets that can be received from a subscriber prior to their session being deleted. limit can be configured to any integer value between 0 and 1000000. A value of 0 indicates that all invalid packets will be discarded but the session will never be deleted by the system.
exclude-from-accounting
Default: Disabled
Excludes the packets identified with IP source violation from the stats generated for accounting records on a basis of configurables.
Usage
Source validation is useful if packet spoofing is suspected or for verifying packet routing and labeling within the network.
Source validation requires the source address of received packets to match the IP address assigned to the subscriber (either statically or dynamically) during the session.
Example
The following command enables source address validation for the APN and configures a drop-limit of 15:
ip source-violation check drop-limit 15
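The check, drop-limit and exclude-from-accounting behavior described above can be modeled per session as follows. This is an added illustration, not vendor code: the class and function names and the sample addresses are constructed, and deleting the session when the violation count reaches the limit is an assumption about the exact boundary.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class SourceViolationPolicy:
    """Settings of `ip source-violation` with the defaults documented above."""
    mode: str = "check"                    # "check" or "ignore"
    drop_limit: int = 10                   # 0 = drop invalid packets, never delete
    exclude_from_accounting: bool = False

    def __post_init__(self):
        if self.mode not in ("check", "ignore"):
            raise ValueError("mode must be 'check' or 'ignore'")
        if not 0 <= self.drop_limit <= 1_000_000:
            raise ValueError("drop-limit must be between 0 and 1000000")


@dataclass
class Session:
    assigned_ip: str                       # address assigned statically or dynamically
    policy: SourceViolationPolicy
    violations: int = 0
    accounted: int = 0                     # packets counted toward accounting stats
    deleted: bool = False

    def uplink(self, src_ip: str) -> str:
        """Return 'forward', 'drop' or 'session-deleted' for one subscriber packet."""
        if self.deleted:
            return "session-deleted"
        spoofed = ip_address(src_ip) != ip_address(self.assigned_ip)
        if self.policy.mode == "ignore" or not spoofed:
            self.accounted += 1
            return "forward"
        # Source address does not match the address assigned to the subscriber.
        self.violations += 1
        if not self.policy.exclude_from_accounting:
            self.accounted += 1
        # Assumption: the session is deleted when the count reaches the limit.
        if self.policy.drop_limit and self.violations >= self.policy.drop_limit:
            self.deleted = True
            return "session-deleted"
        return "drop"


def replay(policy, assigned_ip, sources):
    """Run a list of packet source addresses through one session."""
    session = Session(assigned_ip, policy)
    verdicts = [session.uplink(src) for src in sources]
    return verdicts, session


# Constructed traffic: 10.0.0.5 is the assigned address, 10.9.9.9 is spoofed.
SAMPLE = ["10.0.0.5", "10.9.9.9", "10.9.9.9", "10.0.0.5", "10.9.9.9", "10.0.0.5"]

if __name__ == "__main__":
    cases = {
        "check drop-limit 3": SourceViolationPolicy(drop_limit=3),
        "check drop-limit 0": SourceViolationPolicy(drop_limit=0),
        "check drop-limit 3 exclude-from-accounting":
            SourceViolationPolicy(drop_limit=3, exclude_from_accounting=True),
        "ignore": SourceViolationPolicy(mode="ignore"),
    }
    for name, policy in cases.items():
        verdicts, session = replay(policy, "10.0.0.5", SAMPLE)
        print(f"{name}: {verdicts} accounted={session.accounted}")
```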
 
ip user-datagram-tos copy data-tunnel
This command controls copying of IP TOS octet value from user IPv4/IPv6 datagrams to IP header of GTP data tunnel header.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no | default] ip user-datagram-tos copy data-tunnel
no
Removes the preconfigured parameter for this command.
default
Sets the default behavior of this command. By default this function is disabled.
Usage
This command is needed to copy the TOS byte from the inner IP header to the outer IP header for RP connection.
This functionality enables the SGSN to detect special TOS marking in the outer IP header of GTP tunnel packets and to identify certain packets as control messages.
Example
The following command copies the TOS octet in the IP header of the datagram to the IP header of the GTP tunnel encapsulation:
ip user-datagram-tos copy data-tunnel
 
ipv6 access-group
This command configures an IPv6 access group for the current APN profile, which applies a single ACL to multiple subscribers via the APN for IPv6 traffic.
Product
GGSN, ECS, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] ipv6 access-group group_name [in | out]
no
Removes a previously configured IPv6 ACL applied to a particular APN for IPv6 traffic. At least one of the two keywords {in | out} must be selected to indicate the direction for which the ACL will be removed.
group_name
Specifies the name of the IPv6 access group. group_name must be an alpha and/or numeric string of 1 to 79 characters.
[in | out]
Default: both (in and out)
Specifies the access-group as either inbound or outbound by the keywords in and out, respectively.
If neither keyword is specified with the base command, the specified IPv6 access control list is applied to traffic in both directions (downlink and uplink).
Usage
Use this command to apply a single IPv6 access control list to multiple subscribers via an APN for inbound or outbound IPv6 traffic.
If no traffic direction is specified, the selected access control list is applied to both directions of traffic.
Example
The following command associates the sampleipv6Group access group with the current APN profile for both inbound and outbound access:
ipv6 access-group sampleipv6Group
The following command removes the outbound access group flag for sampleipv6Group:
no ipv6 access-group sampleipv6Group out
 
ipv6 address prefix-pool
Configures the IPv6 address prefix pool name for the subscriber session. Users can configure up to a maximum of 4 pools per subscriber.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
ipv6 address prefix-pool value
value
Default: None
The value may be a string of 1 to 31 characters.
Usage
Names the IPv6 address prefix pool.
Example
The following command configures the IPv6 address prefix pool name ap1_ipv6 for the subscriber session:
ipv6 address prefix-pool ap1_ipv6
 
ipv6 dns
Configures the IPv6 Domain Name Service (DNS) servers.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] ipv6 dns { primary | secondary } { ipv6_dns_address }
no
Deletes a previously configured DNS server.
primary
Configures the primary DNS server for the APN.
secondary
Configures the secondary DNS server for the APN. Only one secondary DNS server can be configured.
ipv6_dns_address
Configures the IP address of the DNS server.
Usage
DNS servers are configured on a per-APN profile basis. This allows each APN profile to use specific servers in processing PDP contexts.
The DNS can be specified at the APN level in APN configuration as well as at the Context level in Context configuration mode with the ip name-servers command, or it can be received from the AAA server.
When DNS is requested in PCO configuration, the following preference will be followed for DNS value:
1. DNS values received from LNS have the first preference.
2. DNS values received from RADIUS Server have the second preference.
3. DNS values locally configured with APN have the third preference.
4. DNS values configured at context level with the ip name-servers command have the last preference.
Important: The same preference would be applicable for the NBNS servers to be negotiated via IPCP with the LNS.
Example
The following command provides an example of setting the primary DNS server:
ipv6 dns primary 1:1:1:1:1:1:1:1
 
ipv6 egress-address-filtering
Egress address filtering filters out packets not meant for the mobile interface ID. The GGSN records the source interface ID of all the packets received from the Mobile. When packets sent to the Mobile are received, the destination interface ID is compared against the list of recorded interface IDs and with the local interface-ID assigned to the Mobile during IPv6CP. If no match is found, the packet is dropped.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] ipv6 egress-address-filtering
no
Disables IPv6 egress address filtering.
ipv6 egress-address-filtering
Enables IPv6 egress address filtering.
Usage
Used to filter packets that arrive from the internet to a particular site.
Example
The following command provides an example of disabling egress address filtering:
no ipv6 egress-address-filtering
 
ipv6 initial-router-advt
Creates an IPv6 initial router advertisement interval for the current APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
ipv6 initial-router-advt { interval | num-advts } { value }
default ipv6 initial-router-advt { interval | num-advts }
default
Resets interval or num-advts to their default setting.
interval value
Default: 3000ms
The time interval, in milliseconds, at which the initial IPv6 router advertisement is sent to the mobile node.
value is an integer between 100 and 16000 milliseconds.
num-advts value
Default: 3
The number of initial IPv6 router advertisements sent to the mobile node.
value is an integer from 1 to 16.
Usage
This command is used to set the advertisement interval and the number of advertisements. Using a smaller advertisement interval increases the likelihood of the router being discovered more quickly when it first becomes available.
Example
The following command specifies the initial IPv6 router interval to be 2000ms:
ipv6 initial-router-advt interval 2000
 
l3-to-l2-tunnel address-policy
Configures the address allocation/validation policy, when subscriber L3 (IPv4/IPv6) sessions are tunneled using a L2 tunneling protocol, such as L2TP.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
l3-to-l2-tunnel address-policy { alloc-only | alloc-validate | no-alloc-validate }
alloc-only
Default: Disabled
Specifies that the system locally allocates and validates subscriber addresses.
alloc-validate
Default: Disabled
Specifies that the system allocates addresses for cases in which IP addresses are dynamically assigned. The system does not validate the address specified by the subscriber.
no-alloc-validate
Default: Enabled
Specifies that the system does not allocate or validate subscriber addresses locally for such sessions; it passes the address between the remote tunnel terminator and the Mobile Node.
Usage
This command can be useful for tunnels such as MIP HA sessions tunneled from the system using L2TP tunnels, or GGSN PDP contexts of type IP tunneled using L2TP to a remote LNS.
Example
The following command configures the system to locally allocate and validate subscriber addresses:
l3-to-l2-tunnel address-policy alloc-only
 
loadbalance-tunnel-peers
Configures how tunnel-peers are selected for this APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
load-balancing { balanced | prioritized | random }
balanced
Default: Disabled
Tunnel-peer selection is made without regard to prioritization, but in a sequential order that balances the load across the total number of peer nodes available.
prioritized
Default: Disabled
Tunnel-peer selection is made based on the priority configured for the peer.
random
Default: Enabled
Tunnel-peer selection is random in order.
Usage
Use this command to configure the load-balancing algorithm that defines how the tunnel-peers are selected by the APN when multiple peers are configured in the APN.
Example
The following command sets the APN to connect to tunnel-peers in a sequential order:
load-balancing balanced
 
long-duration-action detection
This command sets the detection of a session that exceeds the long duration timer and sends notification.
Product
All
Privilege
Security Administrator, Administrator
Syntax
long-duration-action detection
detection
Default: Enabled
Detects long duration sessions and sends SNMP TRAP and CORBA notification. This is the default behavior.
Usage
Use this command to detect a session that exceeds the limit set by the long duration timer.
Refer to the timeout idle and timeout long-duration commands for information on setting the long duration timer.
Example
Use the following command to enable detecting the session that exceeds the long duration timer:
long-duration-action detection
 
long-duration-action disconnection
This command specifies what action is taken when the long duration timer expires.
Product
All
Privilege
Security Administrator, Administrator
Syntax
long-duration-action disconnection [ suppress-notification ] [ dormant-only ] +
disconnection
Default: Disabled
Detects a long duration session and disconnects the session after sending SNMP TRAP and CORBA notification.
suppress-notification
Default: Disabled
Suppress the SNMP TRAP and CORBA notification after detecting and disconnecting a long duration session.
dormant-only
Default: Disabled
Disconnects dormant sessions after the long duration timer and the inactivity time with idle time-out duration expire. It sends the SNMP TRAP and CORBA notification after disconnecting a long duration session.
Usage
Use this command to determine what action is taken when a session exceeds the limit set by the long duration timer.
Refer to the timeout idle and timeout long-duration commands for information on setting the long duration timer.
Example
Use the following command to enable disconnecting sessions that exceed the long duration timer:
long-duration-action disconnection
Use the following command to disconnect sessions that exceed the long duration timer without sending SNMP TRAP and CORBA notification:
long-duration-action disconnection suppress-notification
Use the following command to disconnect sessions that exceed the long duration timer and also the inactivity timer for the idle time-out duration, and send SNMP TRAP and CORBA notification:
long-duration-action disconnection dormant-only
Use the following command to disconnect sessions that exceed the long duration timer and also the inactivity timer for the idle time-out duration, without sending any SNMP TRAP and CORBA notification. If the session is idle and the session-idle-time >= inactivity time, the session gets disconnected. Even if the session is idle when the long-duration timer expires, if the session-idle-time < inactivity time, the timer value is reset to the idle-timeout time.
long-duration-action disconnection dormant-only suppress-notification
 
max-contexts
Configures the maximum number of PDP contexts (primary and secondary) that can be facilitated by the APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
max-contexts { [ per-subscriber secondary secondary_ctx ] [ primary number total total_number ] }
[ default ] max-contexts
per-subscriber secondary secondary_ctx
This keyword specifies the maximum number of secondary PDP contexts that can be facilitated by the APN per primary context (per-subscriber). Subscribers can have primary PDP and secondary PDP contexts; the secondary contexts share the same IP address as the primary.
secondary_ctx can be configured to any integer value from 0 to 10.
Default: 10
primary number
This keyword specifies the maximum number of primary PDP contexts that can be facilitated by the APN. Subscribers can have primary PDP and secondary PDP contexts; the secondary contexts can be configured using the per-subscriber secondary keyword.
number can be configured to any integer value from 1 to 4000000.
Default: 4000000
total total_number
Specifies the maximum total number of PDP contexts (primary and secondary) that can be facilitated by the APN.
total_number can be configured to any integer value from 1 to 4000000.
Default: 4000000
Usage
This parameter can be used to configure a “soft” limit on the number of PDP contexts supported by a single APN.
Soft limits are based on measurements gathered at regular short intervals (several times per minute) as opposed to measurements taken in real-time. Therefore the sampled measurement may not match the actual number of PDP contexts currently being processed. Every PDP context request received is compared against the result of the last sample. If the sample is less than the soft limit configured, the request will be processed. If it is more, the request will be rejected.
Example
The following command specifies that the maximum number of primary PDP contexts the APN can facilitate is 500,000 while the maximum total number is 750,000:
max-contexts primary 500000 total 750000
 
mbms bmsc-profile
Applies a configured Broadcast-Multicast Service Center (BM-SC) profile to subscribers through the APN for Multimedia Broadcast Multicast Service (MBMS) support and functionality.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
mbms bmsc-profile name bmsc_profile_name
no mbms bmsc-profile
no
Deletes a previously associated BM-SC profile with this APN.
bmsc_profile_name
Specifies a name for the BM-SC profile already configured in BMSC configuration mode.
bmsc_profile_name can be from 1 to 62 alpha and/or numeric characters and is not case sensitive. It may also contain dots (.) and/or dashes (-).
Usage
Use this command to associate a configured BM-SC profile to use for MBMS contexts with this APN for MBMS feature support.
For more information on BM-SC profile configuration, refer to BMSC Profile Configuration Mode.
This command also configures the specific BM-SC profile to use for Internet Group Management Protocol (IGMP) JOIN requests received from PDP contexts with this APN.
Example
The following command applies a previously configured BM-SC profile named bm_sc_1 to an APN within the specific context:
mbms bmsc-profile name bm_sc_1
 
mbms bearer timeout
Configures the session timeout values for the MBMS bearer contexts with this MBMS APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
mbms bearer timeout { absolute | idle } time
[ no | default ] mbms bearer timeout { absolute | idle }
no
Returns the timeout parameter to its default setting. If neither the absolute nor the idle keyword is used in conjunction with this keyword, both timeout options will be returned to their default settings.
default
Sets the default value for the option that follows for MBMS bearer context timeout.
absolute
Default: Disabled
Configures the absolute maximum time an MBMS bearer context may exist in any state (active or idle).
idle
Default: Disabled
Configures the maximum amount of time an MBMS bearer context may be idle.
time
Default: 0
Measured in seconds, the time can be configured to any integer value between 0 and 4294967295.
A time of 0 disables timeouts for this APN.
Usage
Use this command to limit the amount of time that an MBMS bearer context session can remain connected.
Example
The following command enables an absolute timeout of 60000 seconds for MBMS bearer context:
mbms bearer timeout absolute 60000
 
mbms ue timeout
Configures the session timeout values for the MBMS user equipment (UE) contexts with this MBMS APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
mbms ue timeout { absolute | idle } time
[ no | default ] mbms ue timeout { absolute | idle }
no
Returns the timeout parameter to its default setting. If neither the absolute nor the idle keyword is used in conjunction with this keyword, both timeout options will be returned to their default settings.
default
Sets the default value for the option that follows for MBMS UE context timeout.
absolute
Default: Disabled
Configures the absolute maximum time an MBMS UE context may exist in any state (active or idle).
idle
Default: Disabled
Configures the maximum amount of time an MBMS UE context may be idle.
time
Default: 0
Measured in seconds, the time can be configured to any integer value between 0 and 4294967295.
A time of 0 disables timeouts for this APN.
Usage
Use this command to limit the amount of time that an MBMS UE context session can remain connected.
Example
The following command enables an absolute timeout of 60000 seconds for MBMS UE context:
mbms ue timeout absolute 60000
 
mediation-device
Enables the use of a mediation device and specifies the system context to use for communicating with the device.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
mediation-device [context-name context-name] [delay-GTP-response] [no-early-pdus] [no-interims] +
[ no | default ] mediation-device
+
Indicates that more than one of the options can be specified with a single execution of the command.
no
Deletes the mediation-device configuration.
default
Changes the mediation device to no context-name configured and restores the mediation device’s default properties.
context-name context-name
Default: The subscriber's destination context.
Configures the mediation VPN context for this APN.
context-name can be from 1 to 79 alpha and/or numeric characters and is case sensitive.
If not specified, the mediation context is same as the destination context of the subscriber.
delay-GTP-response
Default: Disabled
When enabled, delays the CPC response until an Accounting Start response is received from the mediation device.
no-early-pdus
Default: Disabled
Specifies that the system delays PDUs from the MS until a response to the GGSN’s accounting start request is received from the mediation device. The PDUs are queued if possible, or discarded.
If no-early-pdus is enabled, the chassis shall not send uplink/downlink data from/to an MS until it receives the Acct-Rsp Start for the same from the mediation device. On receiving the Acct-Rsp, pending PDUs are sent out. The chassis shall buffer up to 4 PDUs per call before it flushes all the PDUs for that call. It is disabled by default.
no-interims
Default: Disabled
Disables sending of interims to the mediation device.
Usage
This command is used to enable mediation device support for the APN. Mediation devices can be either deep-packet inspection servers or transaction control servers.
Keywords to this command can be used in combination with each other, depending on configuration requirements.
Example
The following command enables mediation device support for the APN and uses the protocol configuration located in a system context called ggsn1:
mediation-device context-name ggsn1
mediation-device context-name ggsn1 no-interims no-early-pdus
mediation-device no-early-pdus no-interims
mediation-device no-interims no-early-pdus
The following command enables mediation device support for the APN and uses the protocol configuration located in the subscriber's destination context:
mediation-device
 
mobile-ip home-agent
Configures the IP address of the home agent (HA) used by the current APN to facilitate subscriber Mobile IP sessions.
Product
GGSN, FA, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] mobile-ip home-agent ip_address
no
Removes a previously configured HA address.
ip_address
The IP address of the HA expressed in dotted-decimal notation.
Usage
If the APN is configured to support Mobile IP for all PDP contexts it is facilitating, this command specifies the IP address of the HA that is to be used.
Example
The following command configures an HA IP address of 192.168.1.15:
mobile-ip home-agent 192.168.1.15
 
mobile-ip mn-aaa-removal-indication
Configures the system to remove various information elements when relaying Registration Request messages to the HA.
Product
GGSN, FA, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] mobile-ip mn-aaa-removal-indication
no
Disables this functionality. This is the default setting.
Usage
When this functionality is enabled, the MN-FA challenge and MN-AAA authentication extensions are removed when relaying a Registration Request (RRQ) to the HA.
Example
The following command enables the system to remove information elements from RRQs relayed to the HA:
mobile-ip mn-aaa-removal-indication
 
mobile-ip mn-ha-hash-algorithm
Designates the encryption algorithm to use.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
mobile-ip mn-ha-hash-algorithm { hmac-md5 | md5 | rfc2002-md5 }
hmac-md5 | md5 | rfc2002-md5
Default: hmac-md5
The encryption algorithms that may be used.
Usage
Provides security by encrypting the data.
Example
The following command sets encryption for md5:
mobile-ip mn-ha-hash-algorithm md5
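Several APN settings documented on this page change spoofing checks, service-address hiding, disconnect notification and the MN-HA hash algorithm. The following added example (not vendor code) reviews a saved configuration offline and reports the effective settings of that kind per APN. The sample configuration, its context/apn/exit layout, the APN names and the rule that the last occurrence of a command wins are assumptions made for the illustration.

```python
import re

# (family, reported, finding): `family` matches every form of a command,
# `reported` matches the forms to report. Findings restate this page's text.
RULES = [
    (r"^ip source-violation\b", r"^ip source-violation ignore\b",
     "source address checking is disabled"),
    (r"^ip source-violation\b", r"^ip source-violation check drop-limit 0\b",
     "invalid packets are dropped but the session is never deleted"),
    (r"^(no |default )?ip hide-service-address$", r"^no ",
     "GGSN IP address is reachable from mobile stations using this APN"),
    (r"^(no )?ipv6 egress-address-filtering$", r"^no ",
     "IPv6 egress address filtering is disabled"),
    (r"^mobile-ip mn-ha-hash-algorithm\b",
     r"^mobile-ip mn-ha-hash-algorithm (?!hmac-md5$)\S+",
     "MN-HA hash algorithm is not the documented default hmac-md5"),
    (r"^long-duration-action\b",
     r"^long-duration-action disconnection\b.*\bsuppress-notification\b",
     "long-duration disconnect sends no SNMP TRAP or CORBA notification"),
]


def audit(config_text):
    """Return {apn_name: [(line_no, command, finding), ...]}.

    Assumption: within an APN block the last occurrence of a command is the
    effective one, so only that line is evaluated against each rule.
    """
    report, apn, last = {}, None, {}

    def close_block():
        for idx in sorted(last):
            line_no, cmd = last[idx]
            if re.search(RULES[idx][1], cmd):
                report[apn].append((line_no, cmd, RULES[idx][2]))

    for line_no, raw in enumerate(config_text.splitlines(), 1):
        cmd = " ".join(raw.split())          # collapse indentation and spacing
        entered = re.match(r"^apn (\S+)$", cmd)
        if entered:
            if apn is not None:
                close_block()
            apn, last = entered.group(1), {}
            report.setdefault(apn, [])
            continue
        if apn is None:
            continue                         # line is outside any APN block
        if cmd == "exit":
            close_block()
            apn = None
            continue
        for idx, (family, _, _) in enumerate(RULES):
            if re.match(family, cmd):
                last[idx] = (line_no, cmd)
    if apn is not None:                      # file ended inside an APN block
        close_block()
    return report


# Constructed sample configuration (layout and names are assumptions).
SAMPLE = """\
context ggsn1
  apn internet.example
    ip source-violation ignore
    ip source-violation check drop-limit 15
    no ip hide-service-address
    mobile-ip mn-ha-hash-algorithm md5
    long-duration-action disconnection dormant-only suppress-notification
  exit
  apn iot.example
    ip source-violation check drop-limit 0 exclude-from-accounting
    mobile-ip mn-ha-hash-algorithm hmac-md5
    no ipv6 egress-address-filtering
  exit
exit
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for line_no, cmd, finding in findings:
            print(f"{name}:{line_no}: {cmd} -> {finding}")
```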
 
mobile-ip mn-ha-shared-key
Configures the subscriber MN-HA shared key.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
mobile-ip mn-ha-shared-key key
no mobile-ip mn-ha-shared-key
no
Disables this functionality. This is the default setting.
key
The key must be entered as either a string or a hexadecimal number beginning with “0x”.
Usage
Configures a shared key for the APN.
Example
The following command configures a shared key of sfd23408imi9yn:
mobile-ip mn-ha-shared-key sfd23408imi9yn
 
mobile-ip mn-ha-spi
Configures the SPI number.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
mobile-ip mn-ha-spi spi_number
[no] mobile-ip mn-ha-spi
no
Disables this functionality. This is the default setting.
spi_number
The number must be an integer between 256 and 4294967295.
Usage
Configures an SPI number for the APN.
Example
The following command configures an SPI number of 428856:
mobile-ip mn-ha-spi 428856
 
mobile-ip required
Enables support for Mobile IP functionality for all PDP contexts facilitated by the current APN.
Product
GGSN, FA, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] mobile-ip required
no
Disables this functionality. This is the default setting.
Usage
Mobile IP functionality for IP PDP contexts is only supported at the APN-level. This command enables/disables Mobile IP support for the APN.
When Mobile IP is performed, the system authenticates the subscriber and the Mobile IP FA.
If this option is enabled, the system deletes all PDP contexts attempting to access the APN for which a Mobile IP session cannot be established.
Example
The following command enables Mobile IP support for the current APN:
mobile-ip required
 
mobile-ip reverse-tunnel
Configures the system to support reverse-tunneling for Mobile IP sessions facilitated by the current APN.
Product
GGSN, FA, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] mobile-ip reverse-tunnel
no
Disables this functionality. The default is enabled.
Usage
Use this command to enable support for Mobile IP reverse tunneling for the APN. Reverse tunneling is enabled by default.
Example
The following command enables reverse-tunneling for the APN:
mobile-ip reverse-tunnel
 
nai-construction
Configures the NAI construction parameters on a per-APN basis only, rather than per AAA group, when constructed NAI authentication is enabled.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
nai-construction {imsi | msisdn} [override-null-username] [ encrypted password string | use-shared-secret-password | password string ]
[default | no] nai-construction
default
Enables default method for NAI construction using International Mobile Subscriber Identity (IMSI) for authentication for a user. GGSN constructs NAI using IMSI when no user-name is received.
no
Disables the NAI construction at the APN level.
imsi
Default: Enabled.
Enables NAI construction using IMSI for authentication for a user. GGSN constructs NAI using IMSI when no user-name is received. This is the default setting.
msisdn
Enables NAI construction using Mobile Station International ISDN Number (MSISDN) for authentication for a user. GGSN constructs NAI using MSISDN when no user-name is received.
override-null-username
Enables NAI construction using IMSI/MSISDN for authentication for a user or when empty user name is received.
encrypted password
Specifies that an encrypted password is to be used for this NAI-constructed user. string is a string from 0 - 63 characters.
password
Configures the authentication user-password for this NAI-constructed user. password is a string from 0 - 63 characters.
use-shared-secret-password
Specifies use of the RADIUS authentication shared secret password for this NAI-constructed user.
Usage
NAI-construction defines the behavior for construction at the APN level. If defined for a particular APN, this CLI both works independently and overwrites the behavior of aaa constructed-nai defined at the context level for calls involving this APN.
Note that NAI construction using IMSI or MSISDN, where either no user name or a blank user name is received for authentication, is applicable only when NAI constructed authentication is enabled using the aaa nai-construction authentication command in context configuration mode.
Example
The following command enables NAI-construction using IMSI as the authentication type with an encrypted password:
nai-construction imsi encrypted password string
 
nexthop-forwarding-address
Configures the next hop forwarding address for the APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
nexthop-forwarding-address ip_address
no nexthop-forwarding-address
no
Disables this function. This is the default setting.
ip_address
Configures the IP address of the nexthop forwarding address.
Usage
Use this command to configure the next hop forwarding address for the APN.
Example
The following command configures the next hop forwarding address to 1.1.1.1 using IPv4:
nexthop-forwarding-address 1.1.1.1
 
no
Enables/disables the option that follows.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
no { data-tunneling ignore | dhcp [ context-name | service-name ] | dns [ primary ip_address | secondary ip_address ] |
ip [ access-group access_group_name | address pool name pool_name | context-name | header-compression | hide-service-address | local-address | qos-dscp [ background | conversational | interactive interaction level | streaming ] | user-datagram-tos copy data-tunnel ] |
ipv6 [ address prefix pool | dns [ primary | secondary ] | egress-address-filtering ] | mediation-device |
mobile-ip [ home-agent | mn-aaa-removal-indication | mn-ha-shared-key | mn-ha-spi | required | reverse-tunnel ] |
nbns [ primary | secondary ] IPv4_address |
nexthop-forwarding-address | outbound [ password | username ]| ppp [ data-compression protocols | keepalive | mtu ] | proxy-mip required | qos-renegotiate | qos traffic-police direction [ downlink class | uplink class ] | timeout [ absolute | idle | long-duration ] | tunnel [ gre | ipip | l2tp [ peer-address <ipv4_address> | <cr> ]] | virtual-apn preference <value>}
data-tunneling
Configures parameters related to subscriber data tunneling.
dhcp
Configures the DHCP related parameters for the APN.
dns
Disables use of Domain Name Service.
ip
Configures Internet Protocol (IP) parameters.
ipv6
Configures ipv6 related parameters
mediation-device
Configures Mediation Device Parameters.
mobile-ip
Configures mobile-ip for the APN.
nexthop-forwarding-address
Configure the nexthop forwarding address for this APN.
nbns
Disables use of NetBios Name Service
outbound
Configures designated apn host password for PDP Type PPP session authentication.
ppp
Disables PPP-related parameters.
proxy-mip
Enables APN's Proxy MIP setting
qos-renegotiate
This keyword is obsolete.
Disables the enabled dynamic QoS renegotiation for the APN.
qos
Configures QoS attributes related to all the PDP context for the APN.
timeout
Configures session timeout values for this APN.
tunnel
Configures layer 2 or layer 3 tunneling for the APN
virtual-apn
Configures virtual APN.
Usage
This keyword is used to disable or deactivate configured commands.
Example
The following command disables the mobile IP support for specific APN:
no mobile-ip
 
nbns
Configures and Enables use of NetBios Name Service for the APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] nbns { primary | secondary } IP_address
no
Removes/disables use of a previously configured NetBios Name Service.
primary
Designates primary NBNS server. Must be followed with IPv4 address in dotted-decimal notation.
secondary
Designates secondary/failover NBNS server. Must be followed with IPv4 address in dotted-decimal notation.
IP_address
Specifies the IPv4/IPv6 address expressed in standard notation.
Usage
This command specifies NBNS parameters. The NBNS option is present for both pdp type IP and pdp type PPP for GGSN.
The system can be configured to use NetBios Name Service for the APN.
Example
The following command configures the APN’s NetBios Name Service to primary IP 192.168.1.15.
nbns primary 192.168.1.15
 
npu qos
Configures an NPU QoS priority queue for packets facilitated by the APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] npu qos traffic priority { best-effort | bronze | derive-from-packet-dscp | gold | silver }
no
Removes a previously configured priority queue.
best-effort
Assigns the best-effort queue priority. This is the lowest priority.
bronze
Assigns the bronze queue priority. This is the third-highest priority.
derive-from-packet-dscp
Default: Enabled
Specifies that the priority is to be determined from the DSCP field in the packet's TOS octet.
gold
Assigns the gold queue priority. This is the highest priority.
silver
Assigns the silver queue priority. This is the second-highest priority.
Usage
This command is used in conjunction with the Network Processing Unit (NPU) Quality of Service (QoS) functionality.
The system can be configured to determine the priority of a subscriber packet either based on the configuration of the APN, or from the differentiated service (DS) field in the packet's TOS octet (representing the differentiated service code point (DSCP) value).
Refer to the GGSN System Administration and Configuration Guide for additional information on NPU QoS functionality.
Example
The following command configures the APN’s priority queue to be gold:
npu qos traffic priority gold
 
outbound
Configures the APN host username and password.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
outbound { [ encrypted ] password pwd | username name}
no outbound password
no
Removes previously configured outbound information for the APN.
encrypted
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
password pwd
Specifies the password to use for session authentication.
pwd must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
username name
Specifies the username to use for session authentication.
name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
Usage
This command can be used to provide a username and password for authentication when the subscriber doesn’t supply one in accordance with 3GPP standards. In addition, it can be used to create a PPP session when using L2TP to tunnel IP PDP contexts.
If only a username is specified using this command, the password is determined based on the setting of the aaa constructed-nai command in the Context Configuration mode. That command is also used to determine the password if an outbound username and password are configured for the APN when the imsi-auth keyword is specified for the authentication command in this mode.
Example
The following commands configure an APN username of isp1 and a password of secRet123.4.
outbound username isp1
outbound password secRet123.4
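Because the chassis stores only the encrypted form, a cleartext password keyword in a provisioning script or template kept off the chassis is worth flagging. The following check is an added example, not code from this guide or the platform; it assumes one command per line, covers the outbound and nai-construction syntaxes documented above, and uses a constructed sample with made-up encrypted strings.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    command: str
    issue: str
    redacted: str  # the offending line with the secret removed, safe to log


MAX_LEN = 63  # upper bound documented for both commands

# (command, documented minimum length, pattern built from the syntax on this page)
_RULES = (
    ("outbound", 1, re.compile(
        r"^outbound\s+(?P<enc>encrypted\s+)?password\s+(?P<pwd>\S+)$")),
    ("nai-construction", 0, re.compile(
        r"^nai-construction\s+(?:imsi|msisdn)(?:\s+override-null-username)?"
        r"\s+(?P<enc>encrypted\s+)?password(?:\s+(?P<pwd>\S+))?$")),
)


def audit_apn_credentials(config_text: str) -> List[Finding]:
    """Flag APN credential commands that carry a cleartext password."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for command, min_len, rule in _RULES:
            m = rule.match(line)
            if m is None or m.group("enc"):
                continue  # not a password command, or already the encrypted form
            pwd = m.group("pwd") or ""
            redacted = (line[: m.start("pwd")] + "<redacted>") if pwd else line
            findings.append(
                Finding(line_no, command, "cleartext password", redacted))
            if not min_len <= len(pwd) <= MAX_LEN:
                findings.append(Finding(
                    line_no, command,
                    "password length outside documented range", redacted))
    return findings


# Constructed sample: the encrypted strings are placeholders, not real output.
SAMPLE = """\
outbound username isp1
outbound password secRet123.4
nai-construction imsi encrypted password 5c4a38dc2ff61f72
nai-construction msisdn override-null-username password pw1
nai-construction imsi use-shared-secret-password
outbound encrypted password a1b2c3d4
no outbound password
"""

if __name__ == "__main__":
    for f in audit_apn_credentials(SAMPLE):
        print(f"line {f.line_no}: {f.command}: {f.issue}: {f.redacted}")
```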
 
pdp-type
Configures the type of PDP contexts that are supported by this APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
pdp-type { ipv4 [ ipv6 ] | ipv6 [ ipv4 ] | ppp }
ipv4 [ ipv6 ]
Default: Enabled
Enables support for IPv4 PDP contexts. Also enables support for IPv6 if the IPv6 optional keyword is entered in this command.
Important: Entering both IPv4 and IPv6 in either order enables support for both.
ipv6 [ ipv4 ]
Default: Disabled
Enables support for IPv6 PDP contexts. Also enables support for IPv4 if the optional ipv4 keyword is entered in this command.
Important: Entering both IPv4 and IPv6 in either order enables support for both.
ppp
Default: Disabled
Enables support for PPP PDP contexts.
Usage
IP PDP context types are those in which the MS is communicating with a PDN such as the Internet or an intranet using IP. PPP PDP contexts are those in which PPP or PPP Network Control Protocol (NCP) frames from the MS are either terminated at, or forwarded by the GGSN.
If a session specifies a PDP type that is not supported by the APN, the system rejects the session with a cause code of 220 (DCH, Unknown PDP address or PDP type).
Example
The following command configures the APN to support PPP context types:
pdp-type ppp
 
ppp
Configures the Point-to-Point Protocol (PPP) options for the current APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
ppp { data-compression { protocols protocols | mode modes } | keepalive seconds | min-compression-size min_octets | mtu max_octets }
no ppp { data-compression protocols | keepalive seconds | mtu }
no
Resets the option specified to its default setting.
data-compression { mode modes | protocols protocols}
Default: all protocols enabled
Configures the data compression or the compression protocol to use for the APN.
mode modes: Sets the compression mode to one of the following:
normal: Packets are compressed using the packet history for automatic adjustment and for best compression.
stateless: Each packet is compressed individually.
protocols protocols: Sets the compression protocol to one of the following:
deflate: DEFLATE algorithm
mppc: Microsoft Point-to-Point Compression
stac: STAC LZS algorithm
keepalive seconds
Default: 30
Specifies the frequency of sending the Link Control Protocol (LCP) keep alive messages. seconds must be either 0 or in the range from 5 to 14400.
The special value 0 disables the keep alive messages entirely.
min-compression-size min_octets
Default: 128
Specifies the smallest packet to which compression may be applied. min_octets must be a value in the range from 0 to 2000.
mtu max_octets
Default: 1500
Specifies the maximum transmission unit (MTU) for packets accessing the APN. max_octets must be a value in the range from 100 to 2000.
Important: The MTU refers to the PPP payload which excludes the 2 PPP octets. Therefore, an MTU of 1500 corresponds to the 3GPP standard MTU of 1502 for GTP packets with PPP payloads.
Usage
Adjust packet sizes and compression to improve bandwidth utilization. Each network may have unique characteristics such that determining the best packet size and compression options may require system monitoring over an extended period of time.
Example
The following command configures the ppp data-compression mode for the APN to be stateless:
ppp data-compression mode stateless
The following command configures an MTU of 500 for the APN:
ppp mtu 500
 
proxy-mip
Configures support for Proxy Mobile IP functionality for the APN.
Product
GGSN, FA, P-GW
Privilege
Security Administrator, Administrator
Syntax
[no] proxy-mip { required | null-username static-homeaddr }
no
Disables this functionality. This is the default setting.
required
Default: Disabled.
Enables proxy-mip for all subscribers using this APN.
null-username
Default: Disabled.
Configures handling of RRQ to enable the acceptance without NAI extension in this APN.
Usage
This command requires that Proxy Mobile IP functionality be performed for all PDP contexts facilitated by the APN.
When Proxy Mobile IP is performed, the system performs subscriber authentication but not Mobile IP FA authentication. It can also be configured to handle RRQs without the NAI extension in an APN.
More information about Proxy Mobile IP support for the GGSN can be found in the System Overview Guide.
Example
The following command causes the system to support Proxy Mobile IP for all PDP contexts facilitated by the APN:
proxy-mip required
The following command enables the acceptance of RRQs without NAI extensions in this APN:
proxy-mip null-username static-homeaddr
 
qos negotiate-limit
This command configures the QoS profile to provide the peak and committed data rate limits that the GGSN assigns to the APN, and sends to the SGSNs in response to GTP create/update PDP context requests for traffic shaping and policing functionality.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
qos negotiate-limit direction { downlink | uplink } [ class { background | conversational | interactive traffic_priority | streaming } ] [ peak-data-rate bps [ committed-data-rate bps ] | committed-data-rate [ peak-data-rate bps ]]
no negotiate-limit direction { downlink | uplink } [ class { background | conversational | interactive traffic_priority | streaming }]
no
Disables the QoS Profile for the APN.
Important: When no QoS Profile is configured, the system’s default behavior is to use the information provided by the SGSN.
downlink
Apply the specified limits and actions to the downlink (to-Gn direction).
uplink
Apply the specified limits and actions to the uplink (to-Gi direction).
class { background | conversational | interactive traffic_priority | streaming }
Apply the specified limits and actions to PDP contexts of the specified UMTS traffic class. The following classes are supported:
background : Specifies the QOS for traffic patterns in which the data transfer is not time-critical (for example email exchange). This traffic pattern should be the lowest QOS.
conversational : Specifies the QOS for traffic patterns in which there is a constant flow of packets in each direction, upstream and downstream. This traffic pattern should be the highest QOS.
interactive traffic_priority : Specifies the QOS for traffic patterns in which there is an intermittent flow of packets in each direction, upstream and downstream. This traffic pattern should be a higher QOS than the background pattern, but not as high as that for the streaming pattern. traffic_priority is the 3GPP traffic handling priority and can be the integer 1, 2, or 3.
streaming : Specifies the QOS for traffic patterns in which there is a constant flow of data in one direction, either upstream or downstream. This traffic pattern should be a higher QOS than the interactive pattern, but not as high as that for the conversational pattern.
Important: If this keyword is omitted, the same values are used for all classes.
committed-data-rate bps
Default: See Usage section for this command
The committed data rate (guaranteed-data-rate) in bps (bits per second).
bps must be an integer from 1 through 16000000 for the downlink direction or 1 through 8640000 for the uplink direction. The value must also correspond to one of the permitted values identified in the table given in this chapter. Note that if a non-permitted value is entered for this parameter, then the system rounds the value to the nearest lower supported value, except in the case where the value is less than 1,000 bps. In this case, the system rounds the value to 1,000 bps. In addition, if the configured committed rate is lower than the value configured for the peak-data-rate, then the system uses the configured peak rate for this parameter.
Important: System measurements for this value exclude the GTP and outer packet headers. In addition, some traffic classes have both a committed rate and a peak rate, while other traffic classes have just a peak rate. If a committed rate is not applicable (i.e., the traffic class is background or interactive), then an error occurs if this option is configured. If the committed-rate is applicable (i.e., the traffic class is conversational or streaming), the values supplied by the SGSN are used if this option is not configured.
peak-data-rate bps
Default: See Usage section for this command
Specifies the peak data-rate for the subscriber, in bps (bits per second).
bps must be an integer from 1 through 16000000 for the downlink direction or 1 through 8640000 for the uplink direction. The value must also correspond to one of the permitted values identified in the table given in this chapter. Note that if a non-permitted value is entered for this parameter, then the system rounds the value to the nearest lower supported value, except in the case where the value is less than 1,000 bps. In this case, the system rounds the value to 1,000 bps.
Usage
This command configures the APN’s quality of service (QoS) profile. This feature enables configuring and enforcing bandwidth limitations on individual PDP contexts of a particular traffic class. Traffic classes are defined in 3GPP TS 23.107 and are negotiated during PDP context activation. Bandwidth enforcement is configured and enforced independently on the downlink and the uplink directions.
The profile information is sent to the SGSN(s) in response to GTP Create/Update PDP Context Request messages. If the QoS profile requested by the SGSN is lower than the configured QoS profile, the profile requested by the SGSN is used. If the QoS profile requested by the SGSN is higher, the configured rates are used.
Note that the values for the uplink/downlink committed-data-rate and peak-data-rate parameters are exchanged in the GTP messages between the GGSN and the SGSN. Therefore, the values used may be lower than the configured values. When negotiating the rate with the SGSN(s), the system converts this to a value that is permitted by GTP as shown in the table given in this chapter.
Permitted Values for Committed and Peak Data Rates in GTP Messages
The command can be entered multiple times to specify different combinations of direction and class. If this command is not configured at all, the GGSN does not perform traffic policing or QoS negotiation with the SGSN (i.e. it accepts all of the SGSN-provided values for the PDP context).
Important: This command should be used in conjunction with the max-contexts command to limit the maximum possible bandwidth consumption by the APN.
Additional information on the QoS traffic shaping functionality is located in the System Enhanced Feature Configuration Guide.
Default Values:
The following table displays the default values for each of the traffic classes:
 
Important: If a “Subscribed” traffic class is received, the system changes the class to “Background” and sets the following parameters: The uplink and downlink guaranteed data rates are set to 0. If the received uplink or downlink data rates are 0 and traffic policing is disabled, the default of 64 kbps is used. When enabled, the APN configured values are used. If the configured value for downlink max data rate is larger than can fit in an R4 QoS profile, the default of 64 kbps is used. If either the received uplink or downlink max data rates is non-zero, traffic policing is employed if enabled for the “Background” class. The received values are used for responses when traffic policing is disabled.
Example
The following command sets an uplink peak data rate of 128000 bps for QoS negotiation limit:
qos negotiate-limit direction uplink peak-data-rate 128000
 
qos rate-limit
Configures the action to take on subscriber traffic flow that violates or exceeds the peak/committed data rate under traffic policing/shaping functionality.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
qos rate-limit { downlink | uplink } [ class { background | conversational | interactive traffic_priority | streaming } ] [ burst-size { bytes | auto-readjust [ duration dur ] } ] [ exceed-action { drop | lower-ip-precedence | transmit } [ violate-action { drop | lower-ip-precedence | shape [transmit-when-buffer-full] | transmit }]] | [ violate-action { drop | lower-ip-precedence | shape [transmit-when-buffer-full] | transmit } [ exceed-action { drop | lower-ip-precedence | transmit }]] +
no qos rate-limit direction { downlink | uplink } [ class { background | conversational | interactive traffic_priority | streaming } ]
no
Disables the QoS data rate limit configuration for the APN.
Important: When no QoS Profile is configured, the system’s default behavior is to use the information provided by the SGSN.
downlink
Apply the specified limits and actions to the downlink (the Gn direction).
uplink
Apply the specified limits and actions to the uplink (the Gi direction).
class { background | conversational | interactive traffic_priority | streaming }
Apply the specified limits and actions to PDP contexts of the specified UMTS traffic class. The following classes are supported:
background : Specifies the QOS for traffic patterns in which the data transfer is not time-critical (for example email exchange). This traffic pattern should be the lowest QOS.
conversational : Specifies the QOS for traffic patterns in which there is a constant flow of packets in each direction, upstream and downstream. This traffic pattern should be the highest QOS.
interactive traffic_priority : Specifies the QOS for traffic patterns in which there is an intermittent flow of packets in each direction, upstream and downstream. This traffic pattern should be a higher QOS than the background pattern, but not as high as that for the streaming pattern. traffic_priority is the 3GPP traffic handling priority and can be the integer 1, 2, or 3.
streaming : Specifies the QOS for traffic patterns in which there is a constant flow of data in one direction, either upstream or downstream. This traffic pattern should be a higher QOS than the interactive pattern, but not as high as that for the conversational pattern.
Important: If this keyword is omitted, the same values are used for all classes.
burst-size { bytes | auto-readjust [ duration dur ] }
Default: See Usage section for this command
The burst size allowed, in bytes for peak data rate and committed data rate.
bytes must be an integer from 1 through 6000000.
Important: It is recommended that the minimum value of this parameter be configured to the greater of the following two values: 1) 3 times greater than packet MTU for the subscriber connection, OR 2) 3 seconds worth of token accumulation within the “bucket” for the configured peak-data-rate. In addition, if the committed-data-rate parameter is specified, the burst-size is applied to both the committed and peak rates.
The auto-readjust [ duration dur ] keyword provides the option to calculate the burst size dynamically while configuring rate-limit. Whenever this keyword is enabled to calculate the burst size, the GGSN QoS negotiated rate to be enforced is used for this calculation.
Every time there is a change in the rates (due to update QoS), the burst sizes will be updated accordingly.
This keyword also provides two different burst sizes. One burst size for peak rate and another for committed rate.
By default this keyword is disabled.
duration dur describes the duration of the burst in seconds. If duration is not specified, this keyword uses 1 second as the default value. dur must be an integer from 1 through 30.
exceed-action { drop | lower-ip-precedence | transmit }
Default: See Usage section for this command
The action to take on the packets that exceed the committed-data-rate but do not violate the peak-data-rate. The following actions are supported:
drop: Drop the packet
lower-ip-precedence: Transmit the packet after lowering the ip-precedence
transmit: Transmit the packet
violate-action { drop | lower-ip-precedence | shape [transmit-when-buffer-full] | transmit }
Default: See Usage section for this command
The action to take on the packets that exceed both the committed-data-rate and the peak-data-rate. The following actions are supported:
drop: Drop the packet
lower-ip-precedence: Transmit the packet after lowering the IP precedence
shape [transmit-when-buffer-full]: Enables traffic shaping and provides buffering of user packets when subscriber traffic violates the allowed peak/committed data rate. The [transmit-when-buffer-full] keyword allows the packet to be transmitted when buffer memory is full.
transmit: Transmit the packet
+
More than one of the above keywords can be entered within a single command.
Usage
This command configures the APN’s quality of service (QoS) data rate shaping through traffic policing/shaping. This command enables the actions on subscriber flow exceeding or violating peak/committed data rate allowed. The shaping function also provides an enhanced function to buffer the exceeded user packets in a buffer memory and sends them to the subscriber when subscriber traffic goes below the committed or peak data rate limit.
Important: The user packet buffer function in traffic shaping is not applicable for real-time traffic.
Important: If the exceed/violate action is set to “lower-ip-precedence”, this command may override the configuration of the ip qos-dscp command in the GGSN service configuration mode for packets from the GGSN to the SGSN. In addition, the GGSN service ip qos-dscp command configuration can override the APN setting for packets from the GGSN to the Internet. Therefore, it is recommended that command not be used in conjunction with this action.
The command can be entered multiple times to specify different combinations of direction and class. If this command is not configured at all, the GGSN does not perform traffic policing or QoS negotiation with the SGSN (i.e. it accepts all of the SGSN-provided values for the PDP context).
Important: This command should be used in conjunction with the max-contexts command to limit the maximum possible bandwidth consumption by the APN.
Additional information on the QoS traffic shaping and policing functionality is located in the System Enhanced Feature Configuration Guide.
Default Values:
The following table displays the default values for each of the traffic classes:
 
Important: If a “Subscribed” traffic class is received, the system changes the class to “Background” and sets the following parameters: The uplink and downlink guaranteed data rates are set to 0. If the received uplink or downlink data rates are 0 and traffic policing is disabled, the default of 64 kbps is used. When enabled, the APN configured values are used. If the configured value for downlink max data rate is larger than can fit in an R4 QoS profile, the default of 64 kbps is used. If either the received uplink or downlink max data rates is non-zero, traffic policing is employed if enabled for the “Background” class. The received values are used for responses when traffic policing is disabled.
To calculate the burst size dynamically, a new optional keyword auto-readjust [ duration dur ] is provided with the burst-size keyword. By default the burst size is fixed if defined in bytes with this command. In other words, irrespective of the rate being enforced, the burst size is fixed as given in the burst-size bytes parameter.
Where a variable burst size is needed depending on the rate being enforced, the auto-readjust [ duration dur ] keyword is provided. Use of this keyword enables the calculation of burst size as per the token bucket algorithm calculation T=B/R, where T is the time interval, B is the burst size and R is the rate being enforced.
It also provides different burst sizes for peak and committed data rate-limiting.
If the auto-readjust keyword is not used, a fixed burst size must be defined, which will be applicable for the peak data rate and the committed data rate irrespective of the rate being enforced.
If the auto-readjust keyword is provided without specifying the duration, a default duration of 1 second will be taken for the burst size calculation.
Example
The following command lowers the IP precedence when the committed-data-rate and the peak-data-rate are violated in uplink direction:
qos rate-limit direction uplink violate-action lower-ip-precedence
The following command buffers the excess user packets when the subscriber traffic violates the configured peak or committed data-rate bps in uplink direction. Once the peak/committed data rate for that subscriber goes below the configured limit, it transmits them. It also transmits them if buffer memory is full:
qos rate-limit direction uplink violate-action shape transmit-when-buffer-full
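The relationship between burst-size, exceed-action and violate-action can be seen in a small two-rate token-bucket policer. This is an added example, not the platform's implementation: the two-bucket scheme follows RFC 2698 as an assumption, rates are taken as bits per second and bursts as bytes (hence the division by 8), and the shape action is not modelled.

```python
from collections import Counter
from dataclasses import dataclass


def auto_burst_bytes(rate_bps: int, duration_s: int = 1) -> int:
    """Burst size for auto-readjust: B = R * T, from T = B / R.

    Assumption: R is in bits per second and B in bytes, so divide by 8.
    """
    if not 1 <= duration_s <= 30:
        raise ValueError("duration must be an integer from 1 through 30")
    return rate_bps * duration_s // 8


def recommended_min_burst(peak_bps: int, mtu_bytes: int) -> int:
    """Greater of 3 x MTU and 3 seconds of tokens at the peak rate."""
    return max(3 * mtu_bytes, 3 * peak_bps // 8)


@dataclass
class TwoRatePolicer:
    committed_bps: int
    peak_bps: int
    committed_burst: int          # bytes
    peak_burst: int               # bytes
    exceed_action: str = "lower-ip-precedence"
    violate_action: str = "drop"

    def __post_init__(self) -> None:
        # Both buckets start full; tokens are counted in bytes.
        self.tc = float(self.committed_burst)
        self.tp = float(self.peak_burst)
        self.last = 0.0

    def police(self, now: float, size: int) -> str:
        """Return the action applied to a packet of `size` bytes at time `now`."""
        elapsed = now - self.last
        self.last = now
        # Refill each bucket at its own rate, capped at its burst size.
        self.tc = min(self.committed_burst, self.tc + elapsed * self.committed_bps / 8)
        self.tp = min(self.peak_burst, self.tp + elapsed * self.peak_bps / 8)
        if size > self.tp:            # above peak: violates both rates
            return self.violate_action
        self.tp -= size
        if size > self.tc:            # above committed, within peak
            return self.exceed_action
        self.tc -= size
        return "transmit"


def run(policer: TwoRatePolicer, arrivals) -> Counter:
    """Feed (time, size) pairs through the policer and count the verdicts."""
    return Counter(policer.police(t, size) for t, size in arrivals)


# Constructed traffic: twenty 1000-byte packets arriving back to back at t = 0.
BURST = [(0.0, 1000)] * 20


def auto_readjust_case() -> Counter:
    # Separate burst sizes per rate, as auto-readjust with the default 1 s gives.
    p = TwoRatePolicer(64000, 128000,
                       auto_burst_bytes(64000), auto_burst_bytes(128000))
    return run(p, BURST)


def fixed_burst_case() -> Counter:
    # One fixed burst-size applied to both the committed and peak rates.
    p = TwoRatePolicer(64000, 128000, 3000, 3000)
    return run(p, BURST)


if __name__ == "__main__":
    print("auto-readjust:", dict(auto_readjust_case()))
    print("fixed 3000 B :", dict(fixed_burst_case()))
    print("recommended minimum:", recommended_min_burst(128000, 1500))
```

With one fixed burst size shared by both rates, a back-to-back burst empties both buckets together, so packets go straight from transmit to the violate action and the exceed action is never reached.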
 
qos-renegotiate
This keyword is obsolete.
 
 
qos traffic-police
Configure the maximum rates for PDP context negotiation and for Traffic Policing functionality.
This command is obsolete. This functionality is now supported through qos negotiate-limit and qos rate-limit commands.
 
radius
 
This command is obsoleted.
 
radius group
 
This command is obsoleted.
 
radius returned-framed-ip-address
This command sets the policy whether or not to reject a call when the RADIUS server supplies 255.255.255.255 as the framed IP address and the MS does not supply an address.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
radius returned-framed-ip-address 255.255.255.255-policy {accept-call-when-ms-ip-not-supplied | reject-call-when-ms-ip-not-supplied}
default radius returned-framed-ip-address 255.255.255.255-policy
default
Sets the policy to its default of rejecting calls when the RADIUS server does not supply a framed IP address and the MS does not supply an address.
accept-call-when-ms-ip-not-supplied
Accept calls when the RADIUS server does not supply a framed IP address and the MS does not supply an address.
reject-call-when-ms-ip-not-supplied
Reject calls when the RADIUS server does not supply a framed IP address and the MS does not supply an address.
Usage
Use this command to set the behavior in the APN when the RADIUS server supplies 255.255.255.255 as the framed IP address and the MS does not supply an address.
Example
Use the following command to set the APN to reject calls when the RADIUS server does not supply a framed IP address and the MS does not supply an address:
radius returned-framed-ip-address 255.255.255.255-policy reject-call-when-ms-ip-not-supplied
 
radius returned-username
This command configures the username that is returned in accounting messages. If the username is not available in the Protocol Configuration Options (PCO), then the radius returned username is preferred to the constructed username (imsi@apn, msisdn@apn, or outbound username).
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
radius returned-username { override-constructed-username | prefer-constructed-username }
default radius returned-username
override-constructed-username
If the RADIUS server returns a username in the Access-Accept message and the username is not available in the Protocol Configuration Options (PCO), then the new username from the RADIUS server will be used.
prefer-constructed-username
If the username is not available in the PCO, the constructed username (imsi@apn, msisdn@apn) will be used irrespective of the username from the RADIUS server. This is the default.
default radius returned-username
The default value for the radius returned-username is prefer-constructed-username i.e. constructed username (imsi@apn, msisdn@apn) will be used.
Important: If the username is available in the PCO, then that username will be used irrespective of this CLI (radius returned-username).
Usage
Use this command to configure the username that is returned in accounting messages.
Example
The following command sets the radius returned-username to its default value of prefer-constructed-username; i.e. the constructed username (imsi@apn, msisdn@apn) is used:
default radius returned-username
 
restriction-value
Configures the level of restriction to ensure controlled co-existence of the Primary PDP Contexts.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
restriction-value value
[ default | no ] restriction-value
value
A unique number identifying the type of network supported for primary PDP contexts facilitated by this APN. The following values are supported:
1: Value used for WAP or MMS type of networks. This corresponds to APN type public-1.
2: Value used for Internet or PSPDN type of networks. This corresponds to APN type public-2.
3: Value used for corporate customers who use MMS. This corresponds to APN type private-1.
4: Value used for corporate customers who do not use MMS. This corresponds to APN type private-2.
default | no
Default: no restriction-value
Entering either default or no restriction-value sets the internal value to zero (0) so that connection to any APN is allowed.
Usage
Restricts the ability to have connections to public access and certain private APNs as required by the APN configuration. Also allows co-existence of the Primary PDP Contexts in a controlled manner.
It does not restrict total number of Primary PDP Context for the user. It also configures a method for preventing hackers in the public domain from using the UE as a router.
Access is provided based on the following rules:
If value = 1, then PDP contexts with restriction values of 0, 1, 2, and/or 3 are allowed
If value = 2, then PDP contexts with restriction values of 0, 1 and/or 2 are allowed
If value = 3, then PDP contexts with restriction values of 0 and/or 1 are allowed
If value = 4, then PDP contexts with no restriction values are allowed
If default or no syntax is entered, then no PDP contexts have restriction
In the event that a Maximum APN Restriction value is received from the SGSN as part of a PDP context Create (CPCR) or Update (UPCR) message, the GGSN allows the request based on the following matrix:
Refer to 3GPP 23.060 version 6.9.0 for more information.
Example
The following command sets the restriction value of the APN to 2:
restriction-value 2
 
secondary ip pool
This command specifies a secondary IP pool to be used as backup pool for NAT.
 
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
secondary ip pool pool_name
no secondary ip pool
no
Removes the previous secondary IP pool configuration.
pool_name
Specifies the secondary IP pool name.
pool_name must be an alpha and/or numeric string of 1 through 31 characters in length.
Usage
Use this command to configure a secondary IP pool for NAT subscribers, which is not overwritten by the RADIUS supplied list. The secondary pool configured will be appended to the RADIUS supplied IP pool list / APN provided IP pool list whichever is applicable during call setup.
Important: This command is license dependent, requiring the 600-00-7871 NAT Bypass license. Please contact your local sales representative for more information.
Example
The following command configures a secondary IP pool named test123:
secondary ip pool test123
 
selection-mode
Configures the level of verification that will be used to ensure a MS’s subscription to use this APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
selection-mode { chosen-by-sgsn | sent-by-ms | subscribed } +
chosen-by-sgsn
Default: Disabled
The MS’s subscription will not be verified and the APN will be provided by the SGSN.
sent-by-ms
Default: Disabled
The MS’s subscription will not be verified and the APN will be provided by the MS.
subscribed
Default: Enabled
The MS’s subscription will be verified by the SGSN.
+
More than one of the above keywords can be entered within a single command.
Usage
Use this command to specify the level of verification that will be used to ensure a MS’s subscription to use this APN. This setting must match the corresponding setting on the SGSN. If the two settings are not identical, the GGSN rejects the session with a cause code of 201 (D1H, User authentication failed).
Example
The following command specifies that the MS’s subscription will not be verified and that the APN name will be supplied by the SGSN:
selection-mode chosen-by-sgsn
 
timeout
Configures the session timeout values for this APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
timeout { absolute | qos-renegotiate } time
[ no | default ] timeout [ absolute | qos-renegotiate ]
no
Returns the timeout parameter to its default setting. If neither the absolute nor the idle keyword is used in conjunction with this keyword, both timeout options are returned to their default settings.
default
Sets the default value for the option that follows.
absolute
Configures the absolute maximum time a session may exist in any state (active or idle).
qos-renegotiate
This keyword is obsolete.
time
Default:
Measured in seconds, the time can be configured to any integer value between 0 and 4294967295.
A time of 0 disables timeouts for this APN.
Usage
Use this command to limit the amount of time that a subscriber session can remain connected, or to set the QoS renegotiation dampening timer.
Example
The following command enables an absolute timeout of 60000 seconds:
timeout absolute 60000
 
timeout bearer-inactivity
This command configures the bearer inactivity timer and the threshold value of the traffic (uplink + downlink) through an APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
timeout bearer-inactivity time volume-threshold total bytes
[ no | default ] timeout bearer-inactivity
no
Removes the configured bearer inactivity timer values and traffic threshold limit.
default
Sets the bearer inactivity timer to disabled mode.
time
Specifies the timeout duration, in seconds, used to check inactivity on the bearer.
time must be an integer value from 3600 through 2592000.
qos-renegotiate
Configures the dampening timeout value for the QoS renegotiation (in seconds).
In event of QoS upgrade specified timeout duration will be ignored and renegotiation will start immediately.
volume-threshold total bytes
This keyword sets the volume threshold, in bytes, used to check for low activity on the bearer. The total volume is the sum of the traffic in the uplink and downlink directions.
bytes must be an integer value from 1 through 4294967295.
Usage
Use this command to configure the bearer inactivity timer and the threshold value of the traffic (uplink + downlink) through an APN.
Example
The following command enables the inactivity timer on the bearer with a timeout duration of 7200 seconds and a total traffic volume of 256000 bytes in the uplink and downlink directions as the threshold:
timeout bearer-inactivity 7200 volume-threshold total 256000
 
timeout idle
Configures the idle timeout duration for long duration timer for subscriber session.
Product
All
Privilege
Security Administrator, Administrator
Syntax
timeout idle idle_dur
no timeout idle
no
Indicates the timeout specified is to be returned to its default behavior. If no specific timeout is specified then all are set to their default behavior.
idle_dur
Default: 0
Designates the maximum duration of the session, in seconds, after the expiry of which the system considers the session as dormant or idle and invokes the long duration timer action.
idle_dur must be a value in the range from 0 through 4294967295.
The special value 0 disables the timeout specified.
Usage
Use this command to set the idle time duration for subscriber session to determine the dormant session.
Refer to the long-duration-action detection and long-duration-action disconnection command in this chapter for additional information.
Example
The following command sets the idle timeout duration to 450 seconds:
timeout idle 450
 
timeout long-duration
Configures the long duration timeout and inactivity duration for subscriber session.
Product
All
Privilege
Security Administrator, Administrator
Syntax
timeout long-duration ldt_timeout [ inactivity-time inact_timeout ]
no timeout long-duration
no
Indicates the timeout specified is to be returned to its default behavior. If no specific timeout is specified then all are set to their default behavior.
long-duration ldt_timeout
Default: 0
Designates the maximum duration of the session, in seconds, before the system automatically reports/terminates the session.
Specifies the maximum amount of time, in seconds, before the specified timeout action is activated.
ldt_timeout must be a value in the range from 0 through 4294967295.
The special value 0 disables the timeout specified.
inactivity-time inact_timeout
Specifies the maximum amount of time, in seconds, before the specified session is marked as dormant.
inact_timeout must be a value in the range from 0 through 4294967295.
The special value 0 disables the inactivity time specified.
Usage
Use this command to set the long duration timeout period and inactivity timer for subscriber session. Reduce the idle timeout to free session resources faster for use by new requests.
Refer to the long-duration-action detection and long-duration-action disconnection command in this chapter for additional information.
Example
The following command sets the long duration timeout to 300 seconds and the inactivity timer for the subscriber session to 45 seconds:
timeout long-duration 300 inactivity-time 45
 
tunnel address-policy
This command specifies the address allocation / validation policy for all tunneled calls (IP-IP, IP-GRE) except L2TP calls. This means that GGSN IP address validation could be disabled for specified incoming calls.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
tunnel address-policy { alloc-only | alloc-validate | no-alloc-validate }
default tunnel address-policy
alloc-only
IP addresses are allocated locally and no validation is done.
alloc-validate
Default.
The VPN Manager allocates and validates all incoming IP addresses from a static pool of IP addresses.
no-alloc-validate
No IP address assignment or validation is done for calls coming in via L3 tunnels. Incoming static IP addresses are passed. This allows for the greatest flexibility.
default
Resets the tunnel address-policy to alloc-validate.
Usage
This command supports scalable solutions for Corporate APN deployment as many corporations handle their own IP address assignment. In some cases this is done to relieve the customer or the mobile operators from the necessity of reconfiguring the range of IP addresses for the IP pools at the GGSN.
For calls coming through L2TP tunnels, the command l3-to-l2-tunnel address policy as defined in the APN Configuration mode, will continue to be in effect.
Example
Use the following command to reset the IP address validation policy to validate against a static pool of addresses:
default tunnel address-policy
Use the following command to disable all IP address validation for calls coming through tunnels:
tunnel address-policy no-alloc-validate
 
tunnel gre
Configures Generic Routing Encapsulation (GRE) tunnel parameters between the GGSN and an external gateway for the APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
tunnel gre peer-address peer_address local-address local_addr [ preference num ]
no tunnel gre peer-address peer_address
no
Disables GRE tunneling for the APN.
peer-address peer_address
Specifies the IP address of the external gateway terminating the GRE tunnel.
peer_address must be expressed in dotted decimal notation.
local-address local_addr
Specifies the IP address of the interface in the destination context of the GGSN originating the GRE tunnel.
local_addr must be expressed in dotted decimal notation.
preference num
Default: 1
This option can be used to assign a preference to the tunnel.
preference can be configured to any integer value from 1 to 128.
Important: Only one GRE tunnel per APN is supported. Therefore, the preference should always be set to “1”.
Usage
Subscriber IP payloads are encapsulated with IP/GRE headers and tunneled by the GGSN to an external gateway.
Example
The following command configures the system to encapsulate subscriber traffic using GRE and tunnel it from a local address of 192.168.1.100 to a gateway with an IP address of 192.168.1.225:
tunnel gre peer-address 192.168.1.225 local-address 192.168.1.100 preference 1
 
tunnel ipip
Configures IP-in-IP tunnelling parameters between the GGSN and an external gateway for the APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
tunnel ipip peer-address peer_address local-address local_addr [ preference num ]
no tunnel ipip
no
Disables IP-in-IP tunneling for the APN.
peer-address peer_address
Specifies the IP address of the external gateway terminating the IP-in-IP tunnel.
peer_address must be expressed in dotted decimal notation.
local-address local_addr
Specifies the IP address of the interface in the destination context of the GGSN originating the IP-in-IP tunnel.
local_addr must be expressed in dotted decimal notation.
preference num
Default: 1
If multiple tunnels will be configured, this option can be used to assign a preference to the tunnel.
preference can be configured to any integer value from 1 to 128.
Usage
Subscriber IP payloads are encapsulated with IP-in-IP headers and tunneled by the GGSN to an external gateway.
Example
The following command configures the system to encapsulate subscriber traffic using IP-in-IP and tunnel it from a local address of 192.168.1.100 to a gateway with an IP address of 192.168.1.225:
tunnel ipip peer-address 192.168.1.225 local-address 192.168.1.100 preference 1
 
tunnel ipsec
This command configures sessions for the current APN to use an IPSEC tunnel based on the IP pool corresponding to the subscriber's assigned IP address.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
[no] tunnel ipsec use-policy-matching-ip-pool
no
Disables the use of the IPSEC policy that matches the IP pool that the assigned IP address relates to.
Usage
Use this command to set the APN to use an IPSEC policy that is assigned to the IP pool that the subscriber's assigned IP address relates to.
Example
The following command enables the use of the policy that matches the IP pool address:
tunnel ipsec use-policy-matching-ip-pool
 
tunnel l2tp
Configures Layer 2 Tunnelling Protocol (L2TP) parameters between the GGSN and an external gateway for the APN.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
tunnel l2tp [ peer-address lns-address [ [ encrypted ] secret l2tp_secret ] [ preference num ] [ tunnel-context name ] [ local-address ip-address ] [ crypto-map map_name { [ encrypted ] isakmp-secret crypto_secret } ] [ local-hostname hostname ] ]
no tunnel [peer-address lns-address]
no
Disables L2TP, or secure L2TP tunneling for the APN if a specific peer-address is not specified, or, if a peer-address is specified, this keyword removes the peer-address configuration from the APN.
l2tp
Configures the APN to support L2TP tunnels to a peer LNS.
peer-address lns-address
Specifies the IP address of the LNS node that the LAC service connects to.
lns-address must be expressed in dotted decimal notation.
Important: A maximum of four LNS peers can be configured per APN.
encrypted
This keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret. Only the encrypted secret is saved as part of the configuration file.
secret l2tp_secret
Specifies the shared secret (password) between the LAC service (configured on the system) and the LNS node.
l2tp_secret must be from 1 to 127 alpha and/or numeric characters and is case sensitive.
preference num
Default: 1
Specifies the preference of the tunnel if the LAC service communicates with multiple LNS nodes.
preference can be configured to any integer value from 1 to 128.
tunnel-context name
Specifies the name of the destination context on the system in which the LAC service(s) is configured.
name must be from 1 to 79 alpha and/or numeric characters and is case sensitive.
Important: If this option is not configured, the system will attempt to determine the name of the destination context from the ip context-name parameter configured for the APN.
local-address ip-address
Specifies the IP address of an interface that is bound to a LAC service. This is a mechanism to dictate which LAC service to use to facilitate the subscriber’s L2TP session.
ip-address is the IP address of the interface in dotted decimal notation.
Important: If the address configured does not exist or is not bound to a LAC service, the system will automatically choose a LAC service to use.
local-hostname hostname
This keyword configures LAC-Hostname to be used for the communication with the LNS peer for this APN.
When Tunnel parameters are not received from the RADIUS Server, Tunnel parameters configured in APN are considered for the LNS peer selection. When APN Configuration is selected, local-hostname configured with “tunnel l2tp” command in the APN for the LNS peer will be used as a LAC Hostname.
Important: For this configuration to take effect, the allow aaa-assigned-hostname command, which is used to configure the LAC-Hostname based on the “Tunnel-Client-Auth-ID” attribute received from the RADIUS Server, needs to be configured in the LAC Service Configuration mode.
hostname is the name of the local host for the LNS peer and must be an alpha and/or numeric string of 1 through 127 characters.
When Tunnel parameters are not received from the RADIUS Server, Tunnel parameters configured in APN will be considered for the LNS peer selection. When APN Configuration is selected, local hostname hostname configured with this command in the APN for the LNS peer will be used as a LAC Hostname.
crypto-map map_name { [ encrypted ] secret crypto_secret }
Configures the IPSec crypto-map policy that is to be associated with this L2TP tunnel configuration for secure L2TP.
map_name is the name of a crypto-map policy configured on the system and must be from 1 to 127 alpha and/or numeric characters and is case sensitive.
encrypted is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret. Only the encrypted secret is saved as part of the configuration file.
secret specifies the secret associated with the crypto-map policy. crypto_secret can be from 0x to 255 bytes.
Usage
This command can be used to configure the GGSN to tunnel subscriber traffic to one or more peer LNSs using L2TP or L2TP with IPSec.
When using L2TP, the system functions as an L2TP Access Concentrator (LAC) and tunnels traffic to a peer L2TP Network Server (LNS). LAC functionality is supported through the configuration of LAC Services defined in destination contexts configured on the system.
When using crypto-map policies, the system functions in the same fashion as with L2TP, with the exception that the encapsulated L2TP traffic is further encrypted using IPSec. IPSec functionality is supported through the definition of crypto maps configured in the same destination context as the LAC services.
A maximum of four LNS peers can be configured per APN. If no peer is specified, the system will use the LAC Service(s) configured in the same destination context as the APN.
Example
The following command configures L2TP support for the APN. It configures the APN to tunnel traffic to an LNS with an IP address of 192.168.1.50 through a LAC service bound to an interface with an IP address 192.168.1.201 configured in a destination context on the system called pdn1. The shared secret between the system and the LNS is 5496secRet. This will be the only LNS configured so the default preference of 1 will not be changed.
tunnel l2tp peer-address 192.168.1.50 secret 5496secRet tunnel-context pdn1 local-address 192.168.1.201
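The selection-mode, timeout, tunnel address-policy and tunnel l2tp sections above each describe a setting that skips a check or leaves a plaintext value in a script. The following Python audit is an added example, not part of the Cisco documentation; it assumes each APN block opens with `apn NAME` and closes with `exit`, and the sample configuration and the APN names in it are constructed.

```python
SELECTION_UNVERIFIED = {"sent-by-ms", "chosen-by-sgsn"}   # "subscription will not be verified"
UNVALIDATED_POLICY = {"alloc-only", "no-alloc-validate"}  # no address validation
SECRET_KEYWORDS = {"secret", "isakmp-secret"}
TIMERS = {"absolute", "idle", "long-duration"}            # a value of 0 disables the timer

# Constructed sample, not taken from a real system.
SAMPLE_CONFIG = """\
apn corp.example
  selection-mode subscribed
  restriction-value 4
  tunnel address-policy alloc-validate
  timeout absolute 60000
  tunnel l2tp peer-address 192.168.1.50 encrypted secret 0123abcd tunnel-context pdn1
exit
apn open.example
  selection-mode sent-by-ms chosen-by-sgsn
  tunnel address-policy no-alloc-validate
  timeout absolute 0
  tunnel l2tp peer-address 192.168.1.50 secret 5496secRet tunnel-context pdn1
exit
"""


def split_apn_blocks(text):
    """Group command lines by APN; 'apn NAME' opens a block, 'exit' closes it (assumed)."""
    blocks, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("apn ") and len(s.split()) >= 2:
            current = s.split()[1]
            blocks[current] = []
        elif s == "exit":
            current = None
        elif current is not None and s:
            blocks[current].append(s)
    return blocks


def redact_plain_secrets(tokens):
    """Mask secret values not preceded by 'encrypted'; return (tokens, count masked)."""
    out, masked, i = [], 0, 0
    while i < len(tokens):
        out.append(tokens[i])
        if tokens[i] in SECRET_KEYWORDS and i + 1 < len(tokens):
            plain = i == 0 or tokens[i - 1] != "encrypted"
            out.append("<redacted>" if plain else tokens[i + 1])
            masked += plain
            i += 1  # step over the secret value itself
        i += 1
    return out, masked


def audit_apn(name, lines):
    """Return (apn, check, detail) findings for one APN block."""
    findings, restricted = [], False
    for line in lines:
        tok = line.split()
        if tok[0] == "selection-mode":
            weak = sorted(SELECTION_UNVERIFIED.intersection(tok[1:]))
            if weak:
                detail = "subscription not verified: " + ", ".join(weak)
                findings.append((name, "selection-mode", detail))
        elif tok[:2] == ["tunnel", "address-policy"] and tok[-1] in UNVALIDATED_POLICY:
            findings.append((name, "tunnel address-policy", tok[-1] + ": addresses not validated"))
        elif tok[:2] == ["tunnel", "l2tp"]:
            redacted, masked = redact_plain_secrets(tok)
            if masked:
                findings.append((name, "l2tp-secret", "plaintext secret: " + " ".join(redacted)))
        elif tok[0] == "timeout" and len(tok) >= 3 and tok[1] in TIMERS and tok[2] == "0":
            findings.append((name, "timeout", f"{tok[1]} timer disabled (0)"))
        elif tok[0] == "restriction-value" and tok[1:2] and tok[1] in {"1", "2", "3", "4"}:
            restricted = True
    if not restricted:
        findings.append((name, "restriction-value", "unset: connection to any APN is allowed"))
    return findings


def audit_config(text):
    """Audit every APN block in a configuration text."""
    return [f for name, lines in split_apn_blocks(text).items() for f in audit_apn(name, lines)]
```

Findings carry the offending command with the secret masked, so the report itself can be shared without leaking the L2TP shared secret.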
 
virtual-apn
Configures references (or links) to alternative APNs to be used for PDP context processing based on properties of the context. This command also configures the APN properties against which the PDP contexts are compared. This command also supports roaming and visiting subscribers.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
virtual-apn {gcdr apn-name-to-be-included {gn | virtual} | preference priority apn apn_name { domain domain_name | mcc mcc_number mnc mnc_number | ggsn-service svc-name | sgsn-address {ip_address |ip_address/mask } | roaming-mode { home | visiting | roaming } } }
no virtual-apn preference priority
no
Removes a previously configured “virtual” APN.
gcdr apn-name-to-be-included { gn | virtual }
If virtual APN to be used is configured, the virtual APN name is sent in G-CDRs. Provides an option to either send the virtual APN name or the Gn APN name (that comes from the SGSN) in G-CDRs.
gn: the APN received in the Create PDP Context Request message from SGSN
virtual: the APN selected by the GGSN. This is the default.
preference priority
Specifies the order in which the referenced APNs are compared by the system.
priority specifies the order and can be configured to any integer value from 1 (highest priority) to 1000 (lowest priority).
apn apn_name
Specifies the name of an alternative APN configured on the system that is to be used for PDP contexts with matching properties.
apn_name is the name of the alternative APN and can be from 1 to 62 alpha and/or numeric characters and is not case sensitive. It may also contain dots ( . ) and/or dashes ( - ).
domain domain_name
Specifies the subscriber’s domain name (realm).
domain_name must be a string of 1 through 79 characters in length, is case sensitive and can contain all special characters.
ggsn-service svc-name
Specifies the name of the GGSN service.
svc-name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
mcc mcc_number
Specifies the mobile country code (MCC) portion of the PLMN’s identifier.
mcc_number is the PLMN MCC identifier and can be configured to any integer value between 100 and 999.
mnc mnc_number
Specifies the mobile network code (MNC) portion of the PLMN’s identifier.
mnc_number is the PLMN MNC identifier and can be configured to any 2 or 3 digit integer value between 00 and 999.
sgsn-address {ip_address | ip_address/mask}
Specifies SGSN address (or network) for this virtual APN.
ip_address is the IP address of the SGSN in dotted decimal notation.
ip_address/mask is the IP address of the SGSN in dotted decimal notation with network-host mask separation.
roaming-mode { home | visiting | roaming }
Supports separate PDP context processing for roaming, visiting, and home subscribers. It supports separate rule type along with domain, imsi, and sgsn-address types.
Usage
This command simplifies the configuration process for mobile operators allowing them to provide subscribers with access to a large number of packet data networks, characterized by APN templates, while only having to configure a small number of APNs on the HLR.
Each “virtual” APN is a reference, or a link, to an alternate APN configured on the system. Each reference is configured with a rule that subscriber PDP contexts are compared against and a priority that dictates the comparison order. The references work as follows:
1. A Create PDP Context Request message is received by the GGSN. The message specifies an APN configured in the HLR.
2. The GGSN determines whether its own matching APN configuration contains “virtual” APN references.
3. The system determines the priority of the references and compares the associated information pertaining to the PDP context against the configured rules.
4. If the rule matches, the parameters in the APN specified by the reference are applied to the PDP context. If not, the rules in the reference with the next highest priority are compared against the PDP context. This occurs until a match is found. If none of the references match, then the parameters within the current APN are applied to the PDP context.
The GGSN supports a maximum of 1023 Virtual APN mapping configurations in a system. A single Gn APN can be configured with up to 1000 mapping rules. Multiple Gn APNs are supported - each requiring Virtual APN mapping configurations. The limit imposed is that the total virtual apn mappings across all Gn APNs should not exceed 1023.
The functionality provided by this command can also be used to restrict access to particular APNs. To restrict access based on a particular rule (either domain name or mobile country code/mobile network code), the “virtual” APN reference should refer to an APN that is not configured on the system and contain the desired rule. All PDP contexts matching the configured rule would then be denied with a reason code of 219 (DBH), Missing or Unknown APN.
Example
The following commands configure two “virtual” APNs, priority 1 references the bigco APN with a domain rule of bigco.com, priority 2 references the bigtown APN with a mobile country code rule of 100 and a mobile network code rule of 50.
virtual-apn preference 1 apn bigco domain bigco.com
virtual-apn preference 2 apn bigtown mcc 100 mnc 50
virtual-apn preference 3 apn bigco.com sgsn-address 192.168.62.2
virtual-apn preference 4 apn bigco.co.kr sgsn-address 192.168.60.2/24
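The selection steps 1 through 4 and the deny-by-unconfigured-APN behaviour from the Usage text can be modelled as follows. This Python sketch is an added example, not the GGSN's own logic; the rule lines are the four from the example above, while the Gn APN name `internet`, the set of configured APNs and the PDP context fields are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

CAUSE_UNKNOWN_APN = 219  # "Missing or Unknown APN", per the Usage text


@dataclass(frozen=True)
class Rule:
    preference: int  # 1 (highest priority) through 1000 (lowest)
    apn: str         # referenced APN, stored lower-case (names are not case sensitive)
    kind: str        # domain | plmn | sgsn-address | ggsn-service | roaming-mode
    value: object


def parse_rule(line):
    """Parse one 'virtual-apn preference N apn NAME <rule>' line."""
    tok = line.split()
    if len(tok) < 7 or tok[:2] != ["virtual-apn", "preference"] or tok[3] != "apn":
        raise ValueError(f"not a virtual-apn reference: {line!r}")
    pref = int(tok[2])
    if not 1 <= pref <= 1000:
        raise ValueError(f"preference out of range: {pref}")
    apn, key, arg = tok[4].lower(), tok[5], tok[6]
    if key == "mcc":
        if len(tok) != 9 or tok[7] != "mnc":
            raise ValueError(f"mcc must be followed by mnc: {line!r}")
        return Rule(pref, apn, "plmn", (arg, tok[8]))
    if key == "sgsn-address":
        # A bare address becomes a /32; address/mask becomes the enclosing network.
        return Rule(pref, apn, key, ipaddress.ip_network(arg, strict=False))
    if key in ("domain", "ggsn-service", "roaming-mode"):
        return Rule(pref, apn, key, arg)
    raise ValueError(f"unknown rule type {key!r}")


def matches(rule, ctx):
    """Compare one rule against the properties of a PDP context (a dict)."""
    if rule.kind == "plmn":
        return (ctx.get("mcc"), ctx.get("mnc")) == rule.value
    if rule.kind == "sgsn-address":
        addr = ctx.get("sgsn-address")
        return addr is not None and ipaddress.ip_address(addr) in rule.value
    return ctx.get(rule.kind) == rule.value  # domain names are case sensitive


def select_apn(gn_apn, rules, ctx, configured_apns):
    """Return (apn, cause): first matching reference wins, else the Gn APN applies."""
    known = {a.lower() for a in configured_apns}
    for rule in sorted(rules, key=lambda r: r.preference):
        if matches(rule, ctx):
            if rule.apn not in known:
                return None, CAUSE_UNKNOWN_APN  # reference to an unconfigured APN denies
            return rule.apn, None
    return gn_apn, None


PAGE_RULES = [parse_rule(line) for line in (
    "virtual-apn preference 1 apn bigco domain bigco.com",
    "virtual-apn preference 2 apn bigtown mcc 100 mnc 50",
    "virtual-apn preference 3 apn bigco.com sgsn-address 192.168.62.2",
    "virtual-apn preference 4 apn bigco.co.kr sgsn-address 192.168.60.2/24",
)]
# Constructed: bigco.co.kr is deliberately left unconfigured to show the deny case.
CONFIGURED = {"internet", "bigco", "bigtown", "bigco.com"}
```

When reviewing a rule set, note that a context matching an earlier preference never reaches a later deny rule, so restrictive references need the lower preference numbers.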
 
 

Cisco Systems Inc.