Subscriber Configuration Mode Commands


The Subscriber Configuration Mode is used to create local subscribers as well as to set default subscriber options for the current context.
 
 
aaa group
Configures an AAA server group for AAA functionality at the subscriber level.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] aaa group group_name
default aaa group
group_name
The AAA group to configure for authentication and/or accounting for the specific subscriber.
group_name must be a string of 1 through 63 characters.
no
Disables the specified AAA group for the specific subscriber.
default
Sets/restores default AAA group specified at the context level or default subscriber profile.
Usage
Instead of having a single list of servers per context, this feature configures multiple server groups within a context and applies individual server group for subscribers in that context. Each server group consists of a list of AAA servers for each AAA function (accounting, authentication, charging, etc.).
Example
The following command applies the AAA server group star1 to a subscriber within the specific context:
aaa group star1
The following command disables the AAA group for the specific subscriber:
no aaa group star1
 
access-link ip-fragmentation
Configures IP fragmentation processing over the access link (for example, GTP).
Product
All
Privilege
Security Administrator, Administrator
Syntax
access-link ip-fragmentation { normal | df-ignore | df-fragment-and-icmp-notify }
df-ignore
Default: Disabled
Ignore the DF bit setting. Fragment and forward the packet over the access link.
df-fragment-and-icmp-notify
Default: Disabled
Partially ignore the DF bit. Fragment and forward the packet, but also return an ICMP error message to the source of the packet. The number of ICMP errors sent like this is rate-limited to 1 ICMP error packet per second per session.
normal
Default: Enabled
Normal processing. Drop the packet and send an ICMP unreachable message to the source of the packet. This is the default behavior.
Usage
If the IP packet to be forwarded is larger than the access-link MTU and if the DF (Don't Fragment) bit is set for the packet, then the fragmentation behavior configured by this command is applied. Use this command to fragment packets even if they are larger than the access-link MTU.
Example
Set fragmentation so that the DF bit is ignored and the packet is forwarded anyway by entering the following command:
access-link ip-fragmentation df-ignore
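The three policies above, as an added model that is not StarOS code: it shows what each policy does to a packet larger than the access-link MTU, including the one-ICMP-per-second-per-session limit of df-fragment-and-icmp-notify. Packet sizes, the MTU and the timestamps are constructed; the fragment layout follows ordinary IPv4 rules and is an assumption about how the gateway fragments, not something this page states.

```python
"""Model of the access-link ip-fragmentation policies (added example, not StarOS code)."""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import List, Tuple

IPV4_HEADER = 20          # bytes; IP options are ignored in this model

# Policy keywords exactly as the CLI spells them
NORMAL = "normal"
DF_IGNORE = "df-ignore"
DF_FRAGMENT_AND_NOTIFY = "df-fragment-and-icmp-notify"


@dataclass
class Packet:
    payload: bytes
    df: bool                          # Don't Fragment bit


@dataclass
class Session:
    policy: str
    mtu: int                          # access-link MTU in bytes
    last_icmp_at: float = -math.inf   # time of the last ICMP error sent on this session
    icmp_sent: int = 0
    icmp_suppressed: int = 0          # ICMP errors withheld by the per-session rate limit


def fragment(pkt: Packet, mtu: int) -> List[Tuple[int, bool, bytes]]:
    """IPv4-style fragmentation: (offset in 8-byte units, more-fragments flag, data).

    Every fragment except the last carries a multiple of 8 payload bytes so the
    receiver can reassemble using the fragment offset field (assumed layout).
    """
    max_data = (mtu - IPV4_HEADER) // 8 * 8
    if max_data <= 0:
        raise ValueError("access-link MTU too small to carry an IPv4 fragment")
    frags = []
    for start in range(0, len(pkt.payload), max_data):
        data = pkt.payload[start:start + max_data]
        more = start + len(data) < len(pkt.payload)
        frags.append((start // 8, more, data))
    return frags


def handle(sess: Session, pkt: Packet, now: float) -> dict:
    """Apply the session's policy to one packet heading for the access link.

    Returns {"action": "forward"|"fragment"|"drop", "fragments": n, "icmp": bool};
    "icmp" tells whether a fragmentation-needed error went back to the source.
    """
    if IPV4_HEADER + len(pkt.payload) <= sess.mtu:
        return {"action": "forward", "fragments": 1, "icmp": False}

    if not pkt.df:
        # DF clear: every policy fragments, nobody is notified
        return {"action": "fragment", "fragments": len(fragment(pkt, sess.mtu)), "icmp": False}

    if sess.policy == NORMAL:
        # honour DF: drop and tell the source the path MTU is too small
        return {"action": "drop", "fragments": 0, "icmp": True}

    if sess.policy == DF_IGNORE:
        return {"action": "fragment", "fragments": len(fragment(pkt, sess.mtu)), "icmp": False}

    if sess.policy == DF_FRAGMENT_AND_NOTIFY:
        # fragment anyway, but notify the source at most once per second per session
        notify = now - sess.last_icmp_at >= 1.0
        if notify:
            sess.last_icmp_at = now
            sess.icmp_sent += 1
        else:
            sess.icmp_suppressed += 1
        return {"action": "fragment", "fragments": len(fragment(pkt, sess.mtu)), "icmp": notify}

    raise ValueError(f"unknown ip-fragmentation policy: {sess.policy!r}")


if __name__ == "__main__":
    big = Packet(payload=bytes(2000), df=True)      # constructed 2020-byte IPv4 packet
    for policy in (NORMAL, DF_IGNORE, DF_FRAGMENT_AND_NOTIFY):
        print(policy, handle(Session(policy=policy, mtu=1500), big, now=0.0))
```

Note that only normal lets the source learn the path MTU without being fragmented behind its back; df-ignore silently defeats path MTU discovery for the subscriber, and df-fragment-and-icmp-notify caps the ICMP feedback so a flood of oversized DF packets cannot be turned into a flood of ICMP errors.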
 
accounting-mode
This command sets the accounting mode for the current local subscriber configuration.
Product
PDSN, HA, ASN GW, S-GW
Privilege
Administrator
Syntax
accounting-mode { flow-based | gtpp [ radius-diameter ] | none | radius-diameter [ gtpp ] | rf-style }
default accounting-mode
default
Sets the type of accounting to be performed for the current local subscriber to the default setting.
Default: radius-diameter
flow-based
Diameter flow-based accounting is enabled for the current local subscriber.
gtpp [ radius-diameter ]
GTPP CDR RADIUS accounting is enabled for the current local subscriber. The radius-diameter keyword is available if both GTPP RADIUS and RADIUS-Diameter accounting are to be used.
none
Accounting is disabled for the current local subscriber and no charging records will be generated.
radius-diameter [ gtpp ]
RADIUS-Diameter accounting is enabled for the current local subscriber. The gtpp keyword is available if both GTPP RADIUS and RADIUS-Diameter accounting are to be used.
rf-style
Diameter Rf interface accounting is enabled for the current local subscriber.
Usage
This command specifies which protocol, if any, is used to provide accounting for sessions that use this local subscriber configuration.
Use this command to enable or disable RADIUS/Diameter accounting for any subscribers that use the current local subscriber configuration.
If the gtpp option is used, then GTPP RADIUS is used as configured in the Context Configuration mode or the AAA Server Group Configuration mode and GTPP charging records will be enabled.
If the radius-diameter option is used, either the RADIUS or the Diameter protocol is used as configured in the Context Configuration mode or the AAA Server Group Configuration mode.
RADIUS accounting can also be enabled and disabled at the context level with the aaa accounting command in the Context Configuration Mode. If RADIUS accounting is enabled at the context level, the accounting-mode command can be used to disable RADIUS accounting for individual local subscriber configurations.
If the accounting mode is set to rf-style, then BM will generate accounting records corresponding to AIMS RF.
Example
To disable accounting for the current subscriber, enter the following command:
accounting-mode none
 
active-charging bandwidth-policy
This command configures the bandwidth policy to be used for the subscriber.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
active-charging bandwidth-policy bandwidth_policy
{ default | no } active-charging bandwidth-policy
default
Specifies that the default bandwidth policy configured in the rulebase be used for this subscriber.
no
Disables bandwidth control for this subscriber.
bandwidth_policy
Specifies the bandwidth policy name.
bandwidth_policy must be an alpha and/or numeric string from 1 through 63 characters in length.
Usage
Use this command to configure bandwidth policy to be used for subscribers.
Example
The following command configures a bandwidth policy named standard for the subscriber:
active-charging bandwidth-policy standard
 
active-charging rulebase
This command specifies the name of the rulebase to be used for this subscriber.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
active-charging rulebase rulebase_name
no active-charging rulebase
no
Removes the previously specified rulebase for the subscriber.
rulebase_name
Name of the specific active charging service rulebase.
rulebase_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Usage
This command specifies the Active Charging service rulebase for the specific subscriber.
If the specified rulebase does not exist in the Active Charging service, the call will be rejected.
Example
The following command specifies the active charging rulebase rule1 for the specified subscriber:
active-charging rulebase rule1
 
always-on
Once the idle timeout limit is reached, keep the current subscriber session connected as long as the subscriber is reachable.
Caution: When always-on is enabled, the subscriber must have an idle time-out period configured (default is 0, no time-out). Failure to configure an idle time-out results in a subscriber session that is indefinite in length.
 
Two timers and a counter are associated with this feature. Refer to the timeout command in this chapter and the ppp echo-retransmit-timeout msec and ppp echo-max-retransmissions num_retries commands.
Default: Disabled.
Product
PDSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
always-on
no always-on
no
Disables always-on. The user is disconnected after the idle time expires.
Usage
If this parameter is enabled for a subscriber, when the idle time-out limit is reached the subscriber's IP/PPP session remains connected as long as the subscriber is reachable. This is true even if the airlink between the mobile device and the RN (Radio Node) is moved from active to dormant (inactive) status. When the idle timeout limit is reached, the PDSN determines availability using LCP keepalive messages. A response to these messages indicates that the "always-on" status should be maintained. Failure to respond to a predetermined number of LCP keepalive messages causes the PDSN to tear down (disconnect) the subscriber session.
Example
Enable always on for the current subscriber by entering the following command:
always-on
 
asn-pdfid
This command configures the identifiers for packet data flow, service data flow, and service profile in an ASN-GW service.
Product
ASN-GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] asn-pdfid pdf_id asn-service-profile-id svc_profile_id asn-sdfid sdf_id
no
Removes/disables the configured identifiers for this subscriber in ASN-GW service.
asn-pdfid pdf_id
Specifies a unique ASN Packet Data Flow identifier for this subscriber.
pdf_id must be an integer from 1 through 65535.
asn-service-profile-id svc_profile_id
Specifies a unique ASN Service Profile Identifier for this subscriber.
svc_profile_id is a preconfigured Service Profile Identifier configured in the Context Configuration Mode.
asn-sdfid sdf_id
Specifies a unique ASN Service Data Flow identifier for this subscriber.
sdf_id must be an integer from 1 through 65535.
Usage
Use this command to configure subscriber profile for QoS parameters in an ASN-GW service.
A maximum of 4 QoS profiles can be configured for a subscriber.
Example
The following command configures the QoS profile for a subscriber as PDF id 1, Service Profile id 3, and Service Data Flow id 2:
asn-pdfid 1 asn-service-profile-id 3 asn-sdfid 2
 
asn-policy
This command configures the idle mode policy and the downlink classifier policy for this subscriber in an ASN GW service.
Product
ASN GW
Privilege
Security Administrator, Administrator
Syntax
asn-policy {classifiers downlink {strict | loose} | idle-mode {allow | disallow}}
[no | default] asn-policy idle-mode
[default] asn-policy classifiers downlink
no
Removes/disables the configured policy for this subscriber in ASN GW service.
default
Sets the ASN policy to default for this subscriber.
For the downlink traffic classifier the default policy is loose, and for the idle mode policy the default action is to allow idle mode operation in an ASN GW service.
idle-mode
Sets the idle mode policy for this subscriber in an ASN GW service.
allow
Default: enabled
Enables the policy for this subscriber to allow idle mode operation in an ASN GW service.
disallow
Default: disabled
Enable the policy for this subscriber to disallow idle mode operation in an ASN GW service.
classifiers downlink
Sets the classifier policy for service flows arriving from the HA at the FA for this subscriber.
strict
Default: disabled
Discards any downlink packet arriving from the HA at the FA that does not match one of the classifiers set for this subscriber.
loose
Default: enabled
Forwards downlink packets arriving from the HA at the FA to the BS/MS over the downlink flow even when they do not match any of the classifiers set for this subscriber.
Usage
Use this command to configure subscriber policy to allow/disallow the idle mode operation or the downlink traffic flow for a subscriber in an ASN GW service.
This command allows MS to transition to idle mode with an ASN GW.
Example
The following command configures the policy to allow the idle mode for an MS with an ASN GW:
default asn-policy idle-mode
 
authorized-flow-profile-id
When a profile ID is requested by the Mobile Node (MN), this command sets the value that is authorized by the AGW.
Product
PDSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
authorized-flow-profile-id profile_id direction { bidirectional | forward | reverse }
no authorized-flow-profile-id profile_id
no
Remove the existing profile ID setting specified by profile_id. profile_id must be an integer from 0 through 65535.
profile_id
The profile ID number that is authorized for the current subscriber. profile_id must be an integer from 0 through 65535.
direction { bidirectional | forward | reverse }
This specifies in which data direction the profile ID should be applied.
Usage
Use this command to set the profile ID that the AGW will authorize for a subscriber.
Example
Set the profile ID for both directions to 3 for the current subscriber by entering the following command
authorized-flow-profile-id 3 direction bidirectional
 
content-filtering category
This command enables/disables the specified preconfigured Category Policy Identifier for policy based Content Filtering support to the subscriber.
Product
All
Privilege
Security Administrator, Administrator
Syntax
content-filtering category policy-id cf_policy_id
no content-filtering category policy-id
no
Disables the configured category policy identifier for Content Filtering support to the subscriber. This is the default setting.
category policy-id cf_policy_id
This command applies the content filtering category policy ID, configured in Active Charging Configuration mode, to this subscriber.
cf_policy_id must be a preconfigured category policy id in Active Charging Configuration Mode.
In case category policy identifier cf_policy_id used here is not configured in Active Charging Configuration Mode, all packets will be passed regardless of the categories determined for such packets.
Important: Category Policy Id configured through this mode overrides the Category Policy id configured through content-filtering category policy-id command in Rulebase Configuration Mode of Active Charging Service Configuration mode.
Usage
Use this command to enter the Content Filtering Policy Configuration mode and to enable or disable the Content Filtering Category Policy ID for a Subscriber.
Important: If Content Filtering Category Policy ID is not specified here the similar command in Rulebase Configuration Mode of Active Charging Configuration Mode determines the policy.
Up to 64 different policy identifiers can be defined in a Content Filtering support service.
Example
The following command enters the Content Filtering Policy Configuration mode and enables the Category Policy ID 101 for Content Filtering support:
content-filtering category policy-id 101
 
cscf core-service
Maps a CSCF/A-BG core service to the current domain.
Product
SCM (CSCF, A-BG)
Privilege
Security Administrator, Administrator
Syntax
cscf core-service name name
no cscf core-service
cscf core-service name name
Specifies the name of the CSCF/A-BG core service.
name must be from 1 to 63 alpha and/or numeric characters.
no cscf core-service
Removes the CSCF/A-BG core service from the domain.
Usage
Use this command to map a CSCF/A-BG core service to the current domain.
Example
The following command maps the CSCF core service named cs1 to this domain:
cscf core-service name cs1
The following command removes the CSCF core service from this domain:
no cscf core-service
 
cscf county-name
Assigns a Last Routing Option (LRO) profile county name to the subscriber for finding the correct Public Safety Answering Point (PSAP) during emergency calls.
Product
SCM (S-CSCF)
Privilege
Security Administrator, Administrator
Syntax
[ no ] cscf county-name name
cscf county-name name
Specifies the LRO profile county name of the subscriber.
name must be an existing LRO profile county name and be from 1 to 127 alpha and/or numeric characters.
no
Removes the LRO profile county name from the subscriber.
Usage
Use this command to assign an LRO profile county name to the subscriber.
Example
The following command assigns county name norfolk to the subscriber:
cscf county-name norfolk
The following command removes county name norfolk from the subscriber:
no cscf county-name norfolk
 
cscf nat-applicable
Indicates if NAT (Network Address Translation) processing is required for this domain.
Product
SCM (CSCF/A-SBC)
Privilege
Security Administrator, Administrator
Syntax
[ no ] cscf nat-applicable
no
Disables NAT processing for this domain.
Usage
Use this command to indicate whether NAT processing is required for this domain.
Example
The following command indicates NAT processing is required for this domain:
cscf nat-applicable
The following command disables NAT processing for this domain:
no cscf nat-applicable
 
cscf private-user-id
Assigns a private user identity to the subscriber.
Product
SCM (P-CSCF, S-CSCF, SIP Proxy)
Privilege
Security Administrator, Administrator
Syntax
[ no ] cscf private-user-id user_id
no
Removes the private user identity of the subscriber.
cscf private-user-id user_id
Specifies the private user identity of the subscriber.
user_id must be from 1 to 127 alpha and/or numeric characters.
Usage
Use this command to assign a private user identity to the subscriber.
Example
The following command assigns a private user identity named user007 to the subscriber:
cscf private-user-id user007
The following command removes private user identity named user007 from the subscriber:
no cscf private-user-id user007
 
cscf session-template
Assigns a CSCF session template to the subscriber profile.
Product
SCM (P-CSCF, S-CSCF, SIP Proxy)
Privilege
Security Administrator, Administrator
Syntax
cscf session-template name name
no cscf session-template
cscf session-template name name
Specifies the name of the CSCF session template.
name must be an existing CSCF session template name and be from 1 to 79 alpha and/or numeric characters.
no cscf session-template
Removes the assignment of a session template to the subscriber profile.
Usage
Use this command to bind a CSCF session template to a subscriber profile.
Example
The following command assigns a CSCF session template named template4 to the subscriber profile:
cscf session-template name template4
The following command removes the assignment of a session template to the subscriber profile:
no cscf session-template
 
data-tunneling ignore df-bit
This command controls the handling of the DF (Don't Fragment) bit present in the user IPv4/IPv6 packet for GRE, IP-in-IP tunneling used for the MIP data path. If this feature is enabled, and fragmentation is required for the tunneled user IPv4/IPv6 packet, then the DF bit is ignored and the packet is fragmented. Also the DF bit is not copied to the outer header. Default is enabled.
Product
PDSN, HA, FA, ASN GW
Privilege
Security Administrator, Administrator
Syntax
data-tunneling ignore df-bit
no data-tunneling ignore df-bit
no
Disable this option. The DF bit in the tunneled IP packet header is not ignored during tunneling.
Usage
Use this command to control whether the DF bit is honored during Mobile IP tunneling. With the no form, the DF bit is not ignored and packets that would require fragmentation are not fragmented.
Example
To disable fragmentation of a subscribers packets over a MIP tunnel even when the DF bit is present, enter the following command:
no data-tunneling ignore df-bit
 
dcca origin host
 
Important: This command has been deprecated, and is replaced by the dcca origin endpoint command.
 
dcca origin endpoint
 
Important: This command is obsolete. To configure the Diameter Credit Control Origin Endpoint, in the Credit Control Configuration mode, use the diameter origin endpoint command.
 
dcca peer-select
Specifies the Diameter credit control primary and secondary peer for credit control.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
dcca peer-select peer host_name [ realm realm_name ] [ secondary-peer host_name [ realm realm_name ] ]
no dcca peer-select
no
Removes the previously configured Diameter credit control peer selection.
peer host_name
A unique name that you specify for the peer.
host_name must be an alpha and/or numeric string of 1 through 127 characters. host_name allows punctuation marks.
secondary-peer host_name
Specifies a backup host used for fail-over processing. When the route table has no available route to the primary peer, the secondary peer is used.
realm realm_name
The realm_name must be an alpha and/or numeric string of 1 through 127 characters in length. The realm may typically be a company or service name. realm_name allows punctuation characters.
Usage
Use this command to select a Diameter credit control peer and realm.
Warning: This configuration completely overrides all instances of diameter peer-select configured within the Credit Control Configuration Mode for an Active Charging service.
Example
The following command selects a Diameter credit control peer named test and a realm of companyx:
dcca peer-select peer test realm companyx
 
default
Restores the default value for the option specified for the current subscriber.
Product
All
Privilege
Security Administrator, Administrator
Syntax
default { access-link ip-fragmentation | accounting-mode | data-tunneling ignore df-bit | idle-timeout-activity dormant-downlink-data | inter-pdsn-handoff | ip { alloc-method | allowed-dscp | header-compression | hide-service-address | multicast discard | qos-dscp | source-validation | user-datagram-tos copy } | loadbalance-tunnel-peers | long-duration-action | mobile-ip { allow-aaa-address-assignment | home-agent | match-aaa-assigned-address | mn-aaa-removal-indication | mn-ha-hash-algorithm | reverse-tunnel | security-level | send { dns-address | terminal-verification } } | permission | ppp { always-on-vse-packet | data-compression { mode | protocols } | ip-header-compression negotiation | keepalive | min-compression-size | mtu } | radius accounting interim interval-timeout | timeout [ absolute | idle | long-duration ] }
access-link ip-fragmentation
Sets the method for fragmenting packets over the MN access link to its default of normal. Drop the packet and send ICMP unreachable to the source of packet.
accounting-mode
Restores the default accounting mode, radius-diameter, for the current local subscriber configuration.
data-tunneling ignore df-bit
Restores the default DF-bit handling for MIP data tunneling (enabled): if fragmentation is required, the DF bit is ignored, the packet is fragmented, and the DF bit is not copied to the outer header.
idle-timeout-activity dormant-downlink-data
Sets this option to the default behavior. When downlink data packets are transmitted to the Mobile node and the session is in dormant mode the session idle timer is reset.
inter-pdsn-handoff
During a handoff from one PDSN to another, if the Mobile requests an IP address of 0.0.0.0 or a mismatched IP address the PDSN will not disconnect the session immediately. The PDSN tries to assign the proposed address of the session in the IPCP configuration NAK.
ip { alloc-method | allowed-dscp | header-compression | hide-service-address | multicast discard | qos-dscp | source-validation | user-datagram-tos copy }
allowed-dscp: resets the allowed DSCP parameters to the system defaults: class none, max-class be.
hide-service-address: specifies the default setting for hide the ip-address of the service from the subscriber. Default is Disabled
multicast discard: configures the default multicast settings which is to discard PDUs
qos-dscp: sets the quality of service setting to the system default.
source-validation: Specifies the default IP source validation. Default is Enabled.
user-datagram-tos copy: Disable copying of the IP TOS octet value to all tunnel encapsulation IP headers.
loadbalance-tunnel-peers
Sets the tunnel load balancing algorithm to the system default.
long-duration-action
Sets the action that is taken when the long duration timer expires to the default: detection.
mobile-ip { allow-aaa-address-assignment | home-agent | match-aaa-assigned-address | mn-aaa-removal-indication | mn-ha-hash-algorithm | reverse-tunnel | security-level | send { dns-address | terminal-verification } }
allow-aaa-address-assignment: Disables the FA from accepting a home address assigned by an AAA server.
home-agent: Sets the home agent IP address to its default of 0.0.0.0.
match-aaa-assigned-address: Disables the FA validating the home address in the RRQ against the one assigned by the AAA server.
mn-aaa-removal-indication: Sets this parameter to its default of disabled.
mn-ha-hash-algorithm: Sets the MN-HA authentication hash algorithm to the default of hmac-md5.
reverse-tunnel: Sets this parameter to its default of enabled.
security-level: Sets this parameter to its default of none.
send dns-address: Disables the HA from sending the DNS address NVSE in the RRP.
send terminal-verification: Disables the FA from sending the terminal verification NVSE in the RRQ.
permission
Restores the subscriber’s service usage defaults.
ppp { always-on-vse-packet | data-compression { mode | protocols } | ip-header-compression negotiation | keepalive | min-compression-size | mtu }
Sets the point-to-point protocol option defaults.
always-on-vse-packet: Re-enables the PDSN to send special 3GPP2 VSE PPP packets to the Mobile Node with a max inactivity timer value for always-on sessions. This configuration is applicable only for PDSN sessions.
data-compression { mode | protocols }: restores the default value for either the data compression mode or the compression protocols.
ip-header-compression negotiation: sets the IP header compressions negotiation to the system default: force.
keepalive: sets the subscriber’s PPP keep alive option to the system default: 30 seconds.
min-compression-size: restores the PPP minimum packet size for compression: 128 octets.
mtu: sets the maximum message transfer unit packet size to the system default: 1500 octets.
radius accounting interim interval-timeout
Disables the RADIUS accounting interim interval for the current subscriber.
timeout [ absolute | idle | long-duration ]
When a keyword is entered, this command resets the specified timeout to the system default: 0. When no keyword is specified, all timeouts are reset to the system defaults: 0.
Usage
Reset subscriber data to the system defaults. This is useful in setting the subscriber back to the basic values to possibly aid in trouble shooting or tuning a subscriber’s access and options.
Example
default ip qos-dscp
default permission
default ppp data-compression mode
 
dns
Configures the domain name servers for the current subscriber.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] dns { primary | secondary } ip_address
no
Indicates the IP address is to be removed as either a primary or secondary domain name server.
primary | secondary
primary: Indicates the primary domain name server for the subscriber is to be updated.
secondary: Indicates the secondary domain name server for the subscriber is to be updated.
ip_address
Specifies the IP address of the domain name server.
Usage
Set the subscriber DNS server lists as not all users will have the same set of servers.
Example
dns primary 1.2.3.4
no dns primary 1.2.3.4
dns secondary 1.2.5.6
no dns secondary 1.2.5.6
 
eap
This command specifies the lifetime for a master session key (MSK) for extensible authentication protocol (EAP) authentication.
Product
ASN GW
Privilege
Security Administrator, Administrator
Syntax
[default] eap msk-lifetime dur
default
Sets the lifetime duration to default value of 3600 seconds for master session key.
msk-lifetime dur
Specifies the lifetime duration on Master session key (MSK) in seconds for a WiMAX subscriber EAP authentication.
dur is the lifetime value in seconds and must be an integer from 60 through 65535.
Usage
This command is used to set the lifetime for MSK in EAP authentication for WiMAX subscriber.
Example
The following command sets the lifetime for MSK key to 4800 seconds for a WiMAX subscriber through EAP authentication:
eap msk-lifetime 4800
 
encrypted password
Sets the subscriber's password in its encrypted (stored) form.
Product
All
Privilege
Security Administrator, Administrator
Syntax
encrypted password password
password
password is the encrypted password and must be an alpha and/or numeric string of from 1 to 63 characters.
Usage
This command is normally used only inside configuration files: the value is the encrypted string the system writes when a configuration is saved, not a clear-text password. Supply it verbatim when restoring a saved configuration.
Example
The following command sets an encrypted password of qsdf12d4:
encrypted password qsdf12d4
 
end
Exits the subscriber configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Change the mode back to the Exec mode.
 
exit
Exits the subscriber configuration mode and returns to the context configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Return to the context configuration mode.
 
external-inline-server
 
This is a restricted command.
 
firewall policy
Important: This command is only available in StarOS 8.0. In StarOS 8.1 and later, this configuration is available in the Rulebase Configuration Mode.
This command enables/disables Stateful Firewall support for the subscriber.
Product
All
Privilege
Security Administrator, Administrator
Syntax
firewall policy firewall-required
{ default | no } firewall policy
no
Disables Stateful Firewall support for this subscriber.
default
Configures the default setting for Stateful Firewall support.
Default: Disabled
firewall-required
Enables Stateful Firewall support for this subscriber.
Usage
Use this command to enable or disable Stateful Firewall support for this subscriber.
Important: Unless Stateful Firewall support for this subscriber is enabled using this command, firewall processing for this subscriber is disabled.
Important: If firewall is enabled, and the rulebase has no firewall configuration, Stateful Firewall will cause all packets to be discarded.
Example
The following command enables Stateful Firewall support for this subscriber:
firewall policy firewall-required
The following command disables Stateful Firewall support for this subscriber:
no firewall policy
 
fw-and-nat policy
Important: This command is customer-specific and is only available in StarOS 8.1. This command must be used to configure the Policy-based Firewall-and-NAT feature.
This command configures the Firewall-and-NAT policy for the subscriber.
Product
FW, NAT
Privilege
Security Administrator, Administrator
Syntax
fw-and-nat policy fw_nat_policy
{ default | no } fw-and-nat policy
default
Specifies that the default Firewall-and-NAT policy configured in the rulebase be used for the subscriber.
no
Disables Firewall and NAT processing for the subscriber.
fw_nat_policy
Specifies the Firewall-and-NAT policy for the subscriber.
fw_nat_policy must be an alpha and/or numeric string of 1 through 63 characters in length. Note that this policy will override the default Firewall-and-NAT policy configured in the ACS rulebase.
Usage
Use this command to configure the Firewall-and-NAT policy for subscribers. Note that the policy configured in the subscriber mode will override the default policy configured in the ACS rulebase. If a policy is not configured in the subscriber mode, the default policy configured in the ACS rulebase will be applied.
Example
The following command configures a Firewall-and-NAT policy named standard for the subscriber:
fw-and-nat policy standard
 
idle-timeout-activity
Defines whether downlink (towards the Mobile Node) data packets transmitted while the session is dormant are treated as activity for the idle-timer (inactivity timer).
By default, downlink data transmitted over a dormant session restarts the idle-timer for that session (it is treated as activity for the session).
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
[ no ] idle-timeout-activity dormant-downlink-data
no
Dormant mode downlink data is not treated as activity for the session idle-timer. The session idle timer is not reset.
Usage
Use this command to disable or re-enable restarting the session idle timer when downlink data packets are transmitted to the Mobile Node when the session is in dormant mode.
Example
Use the following command to disable restarting the session idle timer when downlink data packets are transmitted to the Mobile Node while the session is dormant:
no idle-timeout-activity dormant-downlink-data
Use the following command to re-enable restarting the session idle timer when downlink data packets are transmitted to the Mobile Node while the session is dormant:
idle-timeout-activity dormant-downlink-data
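The interaction between timeout idle, always-on (described under always-on above) and idle-timeout-activity dormant-downlink-data, as an added model that is not StarOS code. It computes when the PDSN would tear a session down for a constructed sequence of packets and includes the check behind the Caution under always-on. The Profile and Event classes, the audit function, and the assumption that one LCP echo is sent per ppp echo-retransmit-timeout interval (taken as seconds here) up to ppp echo-max-retransmissions are all assumptions of this example, not statements from the page.

```python
"""Model of idle timeout, always-on and dormant-downlink handling (added example, not StarOS code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Profile:
    idle_timeout: int = 0                      # timeout idle (seconds); 0 = no idle timeout
    always_on: bool = False                    # always-on
    dormant_downlink_is_activity: bool = True  # idle-timeout-activity dormant-downlink-data
    echo_retransmit_timeout: float = 3.0       # ppp echo-retransmit-timeout (assumed seconds)
    echo_max_retransmissions: int = 5          # ppp echo-max-retransmissions (assumed value)


@dataclass(frozen=True)
class Event:
    t: float
    direction: str    # "uplink" (from the MN) or "downlink" (towards the MN)
    dormant: bool     # airlink was dormant when the packet was handled


def last_activity(profile: Profile, events: Iterable[Event]) -> float:
    """Time of the last packet that counts as activity for the idle timer."""
    last = 0.0
    for ev in sorted(events, key=lambda e: e.t):
        if ev.direction == "uplink":
            last = ev.t
        elif ev.direction == "downlink" and (not ev.dormant or profile.dormant_downlink_is_activity):
            last = ev.t
        # downlink data over a dormant session is ignored when the no form is configured
    return last


def teardown_time(profile: Profile, events: Iterable[Event], mn_answers_lcp: bool) -> Optional[float]:
    """Time the PDSN tears the session down, or None if it stays up indefinitely.

    Only the idle-timer path is modelled; the absolute timeout is left out.
    """
    if profile.idle_timeout == 0:
        return None                                   # no idle timer at all
    idle_expiry = last_activity(profile, events) + profile.idle_timeout
    if not profile.always_on:
        return idle_expiry                            # plain idle disconnect
    if mn_answers_lcp:
        return None                                   # keepalives answered: session kept
    # Unanswered LCP echoes: one per retransmit interval, up to the configured maximum (assumption)
    return idle_expiry + profile.echo_max_retransmissions * profile.echo_retransmit_timeout


def audit(profile: Profile) -> List[str]:
    """Configuration checks a reviewer would run on a subscriber profile."""
    findings = []
    if profile.always_on and profile.idle_timeout == 0:
        findings.append("always-on with timeout idle 0: the keepalive phase is never reached "
                        "and the session is indefinite in length")
    elif profile.idle_timeout == 0:
        findings.append("timeout idle 0: idle sessions are never reclaimed")
    return findings


if __name__ == "__main__":
    # constructed traffic: one uplink packet, then downlink data while dormant
    events = [Event(0.0, "uplink", False), Event(100.0, "downlink", True)]
    print(teardown_time(Profile(idle_timeout=600), events, True))
    print(teardown_time(Profile(idle_timeout=600, always_on=True), events, False))
    print(audit(Profile(always_on=True)))
```

With the default dormant-downlink behaviour, unsolicited downlink traffic (which an attacker on the Internet can generate towards a known subscriber address) keeps pushing the idle expiry out; the no form limits the idle timer to traffic the subscriber itself sends or receives while active.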
 
ims application-manager
Specifies the application manager for the subscriber.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
[ no ] ims application-manager { domain-name domain-name | ipv4-address ipv4-address }
no
Disables the IMS application manager for this subscriber.
domain-name domain-name
Specifies the domain name of the application manager.
domain-name must be from 1 to 63 alpha and/or numeric characters.
ipv4-address ipv4-address
Specifies the IPv4 address of the application manager.
Usage
The ims application manager address is returned by HA to MN in DHCP Ack when it receives the DHCP inform from an AIMS subscriber.
Example
ims application-manager domain-name domain23
ims application-manager ipv4-address 192.168.23.1
 
ims-auth-service
Applies an IMS authorization service to a subscriber in a network access service (PDSN or GGSN service) for Gx/Ty interface support and functionality.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] ims-auth-service auth_svc_name
default
Restores the default state of the IMS authorization service: disabled, or as specified at the context or network access service level or in the subscriber template.
no
Disables the applied IMS authorization service for specific subscriber.
auth_svc_name
Specifies the name of the IMS authorization service used for Ty interface support for this subscriber.
auth_svc_name must be from 1 to 63 alpha and/or numeric characters preconfigured within the same context of this subscriber.
Usage
This feature provides the IMS authorization service configuration for Gx/Ty interface in IMS service node.
Example
The following command applies a previously configured IMS authorization service named ims_interface1 to a subscriber within the specific context:
ims-auth-service ims_interface1
 
inter-pdsn-handoff
Configure the system to enforce the MN’s use of its assigned IP address during IPCP negotiations resulting from inter-PDSN handoffs.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
[ no ] inter-pdsn-handoff require ip-address
no
Disables the rejecting of sessions when the MN uses a non-allocated IP address during IPCP re-negotiations.
Usage
This command is used to configure the system to reject sessions that are re-negotiating IPCP after an inter-PDSN handoff if the IP address they propose does not match the one initially provided by the PDSN. The session would be rejected even if the proposed address was 0.0.0.0.
If this parameter is disabled, the PDSN will attempt to re-assign the IP address initially provided.
Example
To set the PDSN to not allow a mismatched IP address during a PDSN to PDSN handoff of a MIP call, use the following command:
inter-pdsn-handoff require ip-address
To set the PDSN so that it will not disconnect the session immediately, if the Mobile requests an IP address of 0.0.0.0 or a mismatched IP address after inter-pdsn handoff, use the following command:
no inter-pdsn-handoff require ip-address
 
ip access-group
Configures IP access group for the current subscriber.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip access-group group_name [ in | out ]
no
Indicates that the specified access group is to be cleared from the subscriber's configuration.
group_name
Specifies the name of the IPv4/IPv6 access group. group_name must be a configured ACL group and an alpha and/or numeric string of 1 to 79 characters.
in | out
Default: both (in and out)
Specifies the access group as either inbound or outbound by the keywords in and out, respectively. If neither of these keywords is specified, the command associates the group_name access group with the current subscriber for both inbound and outbound access.
Usage
Set the subscriber access group to manage the access control for subscribers as a logical group.
Example
The following command associates the sampleGroup access group with the current subscriber for both inbound and outbound access:
ip access-group sampleGroup
The following removes the outbound access group flag for sampleGroup:
no ip access-group sampleGroup out
 
ip address
Configures a static IP address for use by the subscriber.
Product
PDSN, GGSN, HA, ASN GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip address ip_address netmask
no
Removes a previously configured IP address assignment.
ip_address
The IP address assigned to the subscriber.
netmask
The subnet mask that corresponds to the assigned IP address.
Usage
Use this command to assign a static IP address to the subscriber. This address will be used each time the subscriber establishes data sessions.
Example
The following command configures a static IP address of 192.168.1.15 with a subnet mask of 255.255.255.0 to the subscriber:
ip address 192.168.1.15 255.255.255.0
 
ip address pool
Configures IP address pool properties for the subscriber.
Product
PDSN, GGSN, HA, ASN GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip address pool name pool_name
no
Removes a previously configured IP address pool from the subscriber.
name pool_name
Specifies the IP address pool or IP address pool group from which the subscriber's IP address is assigned.
pool_name must be the name of an existing IP pool or IP pool group and from 1 to 31 alpha and/or numeric characters.
Usage
Use this command to specify the name of an IP address pool configured on the system from which IP addresses are to be dynamically assigned to sessions from this subscriber.
This command can be issued multiple times to specify multiple address pools for the subscriber. If multiple pools are specified, addresses are assigned for subscriber sessions from the pools based on the order in which the pools were configured.
If an address can not be provided from the first-specified pool for whatever reason, the system attempts to assign an address from the second-specified pool, and so on. This operation is independent of the priorities configured for the pools. For example, if pool1 was specified for the subscriber first, and pool2 second, the system always attempts to assign addresses from pool1. If an address can not be assigned from pool1 (i.e. all addresses are in use), the system then attempts to assign an address from pool2.
Example
The following command configures the subscriber to receive IP addresses from an IP address pool named public1:
ip address pool name public1
 
ip address secondary-pool
Configures secondary IP address pool properties for the subscriber to provide multiple IP host configuration behind one WiMAX CPE.
Product
ASN GW
Privilege
Security Administrator, Administrator
Syntax
ip address secondary-pool name aux_pool_name
no ip address secondary-pool name aux_pool_name
no
Removes a previously configured auxiliary pool named aux_pool_name for multiple host support in ASN GW service.
name aux_pool_name
Specifies the secondary/auxiliary IP address pool or IP address pool group from which an IP address is assigned to a host behind a WiMAX CPE that already holds a primary IP address.
aux_pool_name must be the name of an existing IP pool or IP pool group and from 1 to 31 alpha and/or numeric characters.
Usage
Use this command to specify the name of an IP address pool configured on the system from which IP addresses are dynamically assigned to hosts behind a WiMAX CPE for multiple host session support.
This command assigns IP addresses to secondary hosts from the locally configured secondary IP address pool. To enable multiple host support behind a WiMAX CPE and configure the maximum number of supported hosts, use the secondary-ip-host command in ASN Gateway Service Configuration mode.
Example
The following command configures the subscriber to receive IP addresses from a secondary IP address pool named auxiliary1 for secondary hosts behind the WiMAX CPE:
ip address secondary-pool name auxiliary1
 
ip allowed-dscp
This command sets the Quality of Service (QoS) Differentiated Services (DiffServ) marking that a subscriber session is allowed. This is disabled by default.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip allowed-dscp class class max-class maxclass [ rt-marking marking ]
no ip allowed-dscp class
no ip allowed-dscp class
Resets the parameters to the defaults: class none, max-class be. This indicates that all packets are let through without any DSCP checking.
class class
This parameter specifies the Differentiated Services Codepoint (DSCP) class that the subscriber session may mark its packets with. If the subscriber session's packets request a code point class higher than the code point class specified, the PDSN service re-marks the packets with the QOS-DSCP value specified by the ip qos-dscp command.
Default: none
class must be one of the following:
a: packets with AF DSCPs are allowed
e: packets with EF DSCP are allowed
o: packets for experimental or local use are allowed
ae: packets with AF and EF DSCPs are allowed
ao: packets with AF DSCPs or packets for experimental or local use are allowed
eo: packets with EF DSCPs or packets for experimental or local use are allowed
aeo: packets with AF or EF DSCPs or packets for experimental or local use are allowed
none: only the be and sc1 through sc7 code points are allowed
max-class maxclass
This parameter specifies the maximum code point that a subscriber session may mark its packets with. The subscriber sessions packets must be marked with a code point equal to or less than the code point specified. If the subscriber sessions packets request a code point higher than the code point specified, the PDSN service re-marks the packets with the QOS-DSCP value specified by the lower of the max-class and the ip qos-dscp command.
The list below shows the code points from lowest to highest precedence. For example, if maxclass is set to af22, that becomes the maximum code point that the subscriber session may mark its packets with, and only be, af13, af12, af11, af23, and af22 are allowed. If a subscriber session marks its packets with anything after af22 in this list, the PDSN service re-marks the packets with the QOS-DSCP value specified by the lower of the maxclass and the ip qos-dscp command.
If class is set to none, only the be and sc1 through sc7 code points are allowed. For example, if class is set to none and you set max-class to sc1, only the sc1 and be code points are allowed.
Default: be
maxclass must be one of the following:
be: best effort forwarding
af13: assured Forwarding 13
af12: assured Forwarding 12
af11: assured Forwarding 11
af23: assured Forwarding 23
af22: assured Forwarding 22
af21: assured Forwarding 21
af31: assured Forwarding 31
af32: assured Forwarding 32
af33: assured Forwarding 33
af41: assured Forwarding 41
af42: assured Forwarding 42
af43: assured Forwarding 43
ef: expedited forwarding
sc1: selector class 1
sc2: selector class 2
sc3: selector class 3
sc4: selector class 4
sc5: selector class 5
sc6: selector class 6
sc7: selector class 7
rt-marking marking
This parameter is used for Mobile IP (MIP) reverse tunnels. When a MIP session's packets do not have a DSCP marking, the Foreign Agent (FA) marks the packets with the value specified by rt-marking marking.
If the MIP session's packets have a DSCP marking, the marking is subjected to the conformance rules for the values of class and max-class, and the final DSCP marking is then copied from the inner IP header to the outer IP header.
Default: be
marking must be one of the following:
be: best effort forwarding
af11: assured Forwarding 11
af12: assured Forwarding 12
af13: assured Forwarding 13
af21: assured Forwarding 21
af22: assured Forwarding 22
af23: assured Forwarding 23
af31: assured Forwarding 31
af32: assured Forwarding 32
af33: assured Forwarding 33
af41: assured Forwarding 41
af42: assured Forwarding 42
af43: assured Forwarding 43
ef: expedited forwarding
sc1: selector class 1
sc2: selector class 2
sc3: selector class 3
sc4: selector class 4
sc5: selector class 5
sc6: selector class 6
sc7: selector class 7
Usage
Use this command to configure Quality of Service (QoS) for a subscriber session to allow a Differentiated Services (DiffServ) Code Point (DSCP) marker in the header of each IP packet that prompts network routers to apply differentiated grades of service to various packet streams.
This command uses class and type of marker (rt-marking for reverse tunnels) for configuration with max-class maximum code point that a subscriber session may mark its packets with.
Example
The following command allows packets for experimental or local use (class o) with a maximum code point of best effort forwarding (be):
ip allowed-dscp class o max-class be
 
ip context-name
Configures the context to assign the subscriber to upon authentication. The assigned context is considered the destination context, which provides the configuration options for the services the subscriber is allowed to access.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip context-name name
no
Removes the current assigned context from the subscriber’s data.
name
Specifies the name of the context to assign the subscriber to once authenticated. name must be from 1 to 79 alpha and/or numeric characters.
Usage
Set the subscriber IP context to a common context when all subscribers from one or more contexts will use the same egress context.
Example
ip context-name sampleName
no ip context-name sampleName
 
ip header-compression
Configures the IP packet header compression options for the current subscriber. Although this command configures IP header compression algorithms, the IPCP negotiations determine when the header compression algorithm is applied.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip header-compression { rohc [ any [ mode { optimistic | reliable | unidirectional } ] | cid-mode { { large | small } [ marked-flows-only | max-cid integer | max-hdr value | mrru value ] } | marked-flows-only | max-hdr value | mrru value | downlink | uplink ] | vj }+
[ default | no ] ip header-compression
default
Restores this command’s default setting to the Van Jacobsen (VJ) header compression algorithm.
no
Disables all IP header compression.
rohc [ any [ mode { optimistic | reliable | unidirectional } ] | cid-mode { { large | small } [ marked-flows-only | max-cid integer | max-hdr value | mrru value ] } | marked-flows-only | max-hdr value | mrru value | downlink | uplink ]
Specifies that the Robust Header Compression (ROHC) algorithm is used for data.
Important: ROHC is only supported for use with the PDSN.
any: Apply ROHC header compression in both the uplink and downlink directions.
mode { optimistic | reliable | unidirectional }:
optimistic: Sets the ROHC mode to Bidirectional Optimistic mode (O-mode). In this mode packets are sent in both directions. A feedback channel is used to send error recovery requests and (optionally) acknowledgments of significant context updates from decompressor to compressor. Periodic refreshes are not used in the Bidirectional Optimistic mode.
reliable: Sets the ROHC mode to Bidirectional Reliable mode (R-mode). This mode applies an intensive usage of a feedback channel and a strict logic at both the compressor and the decompressor that prevents loss of context synchronization between the compressor and the decompressor. Feedback is sent to acknowledge all context updates, including updates of the sequence number field.
unidirectional: Sets the ROHC mode to Unidirectional mode (U-mode). With this mode packets are sent in one direction only, from the compressor to the decompressor. This mode therefore makes ROHC usable over links where a return path from the decompressor to the compressor is unavailable or undesirable.
cid-mode { { large | small } [ marked-flows-only | max-cid integer | max-hdr value | mrru value ] }: Specifies the ROHC packet type to be used.
large | small [ marked-flows-only | max-cid integer | max-hdr value | mrru value ]: Defines the ROHC packet type as large or small and optionally sets the following parameters for the packet type selected:
marked-flows-only: Specifies that ROHC is to be applied only to marked flows.
max-cid integer: The highest context ID number to be used by the compressor. Default: 0. integer must be an integer from 0 through 15 when small packet size is selected and from 0 through 31 when large packet size is selected.
max-hdr value: Specifies the maximum header size to use. Default: 168. value must be an Integer from 0 through 65535.
mrru value: Specifies the maximum reconstructed reception unit to use. Default: 65535. value must be an Integer from 0 through 65535.
marked-flows-only: Specifies that ROHC is to be applied only to marked flows.
max-hdr value: Specifies the maximum header size to use. Default: 168. value must be an Integer from 0 through 65535.
mrru value: Specifies the maximum reconstructed reception unit to use. Default: 65535. value must be an Integer from 0 through 65535.
downlink: Apply the ROHC algorithm only in the downlink direction.
uplink: Apply the ROHC algorithm only in the uplink direction.
Important: When ROHC is enabled for downlink or uplink only the operational mode is Unidirectional.
vj
Specifies that the VJ algorithm is used for header compression.
+
Either one or both of the keywords may be entered in a single command.
If both vj and rohc are specified, vj must be specified first.
Important: If both VJ and ROHC header compression are specified, the optimum header compression algorithm for the type of data being transferred is used for data in the downlink direction.
Usage
Header compression can be used to provide a higher level of security in IP traffic, enhance bandwidth usage, and lower bit errors.
By default the header compression algorithm is set to vj.
Example
The following command disables all IP packet header compression:
no ip header-compression
The following command sets IP header compression to default vj algorithm:
default ip header-compression
The following command also sets the IP header compression to the vj algorithm:
ip header-compression vj
The following command enables the Internet Protocol Control Protocol (IPCP) to determine which protocol is the optimum algorithm for data in the downlink direction and use either VJ or ROHC as needed:
ip header-compression vj rohc
The following command enables ROHC for the downlink direction only:
ip header-compression rohc downlink
The following command enables ROHC in any direction using Bidirectional Optimistic mode:
ip header-compression rohc any mode optimistic
 
ip hide-service-address
Hide the IP address of the service from the subscriber.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip hide-service-address
no
Disables this command's function. This is the default behavior.
Usage
Use this command to prevent subscribers from using traceroute to discover the network addresses that are in the public domain and configured on services. This also prevents users from pinging such addresses.
Example
To prevent subscribers from discovering IP addresses, enter the following command:
ip hide-service-address
 
ip local-address
Configures the local-side IP address of the subscriber's point-to-point connection.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip local-address ip_address
no ip local-address
no
Removes a previously configured IP local-address.
ip_address
Specifies an IP address configured in a destination context on the system through which a packet data network can be accessed.
Usage
This parameter specifies the IP address on the system that the MS uses as the remote-end of the PPP connection. If no local address is configured, the system uses an "unnumbered" scheme for local-side addresses.
Example
The following command configures a local address of 192.168.1.23 for the MS:
ip local-address 192.168.1.23
 
ip multicast discard
Configures the IP multicast discard packet behavior.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip multicast discard
no
Removes a previously configured IP multicast discard.
Usage
This command specifies if IP multicast discard is enabled or disabled.
Example
The following command enables IP multicast discard for the subscriber:
ip multicast discard
 
ip qos-dscp
Configures quality of service options for the current subscriber using the differentiated services code point method. This is disabled by default.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip qos-dscp option
no ip qos-dscp
no
Sets the quality of service option to its default value.
option
Default: be
Specifies the subscriber’s per hop quality of service setting as one of:
Usage
Set the quality of service for a subscriber based upon the service level agreements.
Example
ip qos-dscp ef
no ip qos-dscp
 
ip route
Configures the static route to use to reach the subscriber’s network.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip route ip_address ip_mask [ gateway_address ]
no
Removes the configured route information from the subscriber data.
ip_address
Specifies the target IP address for which the route information applies.
ip_mask
Specifies the networking mask for the route.
1 bits in the ip_mask indicate that bit position in the ip_address must also have a value of 1.
0 bits in the ip_mask indicate that bit position in the ip_address does not need to match, i.e., the bit can be either a 0 or a 1.
For example, if the IP address and mask were specified as 172.168.10.0 and 255.255.255.224, respectively, the network mask will be 172.168.0.0 (obtained by logically ANDing the IP address with the IP mask).
gateway_address
Default: the assigned remote IP address is used as the gateway address.
Specifies the IP address of the next hop gateway for the route.
Usage
The static routes are also known as framed IP routes for subscribers. Static routes are typically applicable for subscribers connecting via other networks or when the mobile device acts as a gateway to a network on the far side of the device.
For example, if the mobile device is assigned IP address 1.2.3.4 and it acts as a gateway for the network 10.2.3.0 (with a network mask of 255.255.255.0) a static route would be configured with the ip_address being 10.2.3.0, ip_mask being 255.255.255.0, and gateway_address being 1.2.3.4.
Example
no ip route 1.2.3.4 1.2.0.0
no ip route 1.2.3.4 1.2.0.0 1.2.255.254
 
ip source-validation
Enables/disables packet source validation for the current subscriber. Source validation requires the source address of received packets to match the IP address assigned to the subscriber (either statically or dynamically) during the session.
If an incorrect source address is received from the mobile node, the system attempts to renegotiate the PPP session. The parameters for IP source validation can be set by the ip source-violation command.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip source-validation
no
Disables source validation.
Usage
Source validation is useful if packet spoofing is suspected or for verifying packet routing and labeling within the network.
Example
The following command enables IP source validation:
ip source-validation
The following command disables IP source validation:
no ip source-validation
 
ip user-datagram-tos copy
This CLI controls copying of IP TOS octet value from IPv4/IPv6 datagrams to the IP header in tunnel encapsulation. This is disabled by default.
Product
PDSN, HA
Privilege
Security Administrator, Administrator
Syntax
ip user-datagram-tos copy [access-link-tunnel | both | data-tunnel]
no ip user-datagram-tos copy
no
Disable copying of the IP TOS octet value to all tunnel encapsulation IP headers.
access-link-tunnel
Copy the IP TOS octet value to the tunnel encapsulation IP header on the access side (RP) tunnel.
both
Use both access-link-tunnel and data-tunnel.
data-tunnel
Copy the IP TOS octet value to the tunnel encapsulation IP header on the MIP data tunnel or L3 tunnel (IP-in-IP, GRE).
Usage
Use this command to enable the copying of the IP TOS octet value to the tunnel encapsulation IP header.
This functionality will enable PCF to detect special TOS marking in the outer IP header of A11 packets and to identify certain packets as QChat control messages. The BSC/PCF must give higher priority to QChat control messages.
Example
Enable copying of the IP TOS octet value to the tunnel encapsulation IP header for the access side tunnel by entering the following command:
ip user-datagram-tos copy access-link-tunnel
Disable copying of the IP TOS octet value to all tunnel encapsulation IP headers by entering the following command:
no ip user-datagram-tos copy
 
ip vlan
Configures subscriber-to-Virtual LAN (VLAN) associations.
Product
PDSN, HA
Privilege
Security Administrator, Administrator
Syntax
ip vlan vlan-id
[ default | no ] ip vlan
default
Resets the vlan ID to the default setting.
no
Disables the vlan ID for the subscriber.
vlan-id
The VLAN ID associated with the IP address for that session. vlan-id is an integer between 1 and 4094.
Usage
This command configures the subscriber vlan ID which is used with the assigned address for the subscriber session to receive packets. If the IP pool from which the address is assigned is configured with a vlan ID, then this subscriber configured vlan ID overrides it.
Subscriber traffic can be routed to specific VLANs based on the configuration of their user profile. Using this functionality provides a mechanism for routing all traffic from a subscriber over the specified VLAN. All packets destined for the subscriber must also be sent using only IP addresses valid on the VLAN or they will be dropped.
Example
Set the VLAN ID to the default setting by entering the following command:
default ip vlan
 
ipv6 access-group
Configures the IPv6 access group for a subscriber.
Product
PDSN, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
ipv6 access-group name [ in | out ]
in
Defines the access group as inbound.
out
Defines the access group as outbound.
Usage
Used to create an access group for a subscriber.
Example
The following command provides an example of an IPv6 access group with the name list_1:
ipv6 access-group list_1
 
ipv6 address
Configures a static IP address for use by the subscriber.
Product
PDSN, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] ipv6 address { prefix address | prefix-pool name }
no
Deletes a previously configured ipv6 address.
prefix
Specifies a static IPv6 address.
prefix-pool
Specifies an IPv6 prefix pool name.
Usage
Use this command to assign a static IPv6 address to the subscriber. This address will be used each time the subscriber establishes data sessions.
Example
The following command configures a static IPv6 address of 1:1:1:1:1:1:1:1 with a prefix length of 24 for the subscriber:
ipv6 address 1:1:1:1:1:1:1:1/24
 
ipv6 dns
Configures the IPv6 Domain Name Service (DNS) servers.
Product
PDSN, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] ipv6 dns { primary | secondary } { ipv6_dns_address }
no
Deletes a previously configured DNS server.
primary
Configures the primary DNS server for the subscriber.
secondary
Configures the secondary DNS server for the subscriber. Only one secondary DNS server can be configured.
ipv6_dns_address
Configures the IP address of the DNS server.
Usage
DNS servers are configured on a per subscriber basis. This allows each subscriber to use specific servers.
Example
The following command provides an example of setting the primary IPv6 DNS server:
ipv6 dns primary 1:1:1:1:1:1:1:1
 
ipv6 dns-proxy
Configures the domain name server proxy for the current subscriber.
Product
PDSN, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] ipv6 dns-proxy
default
Disables the IPv6 DNS proxy functionality for a subscriber.
no
Removes the pre-enabled functionality of IPv6 DNS proxy for subscriber.
dns-proxy
Enables IPv6 DNS proxy functionality for a subscriber. If the functionality is enabled, the PDSN acts as a proxy DNS server.
Default: disabled.
Usage
Used to enable/disable IPv6 DNS proxy for the subscriber. When enabled, the PDSN acts as a proxy DNS server for DNS IPv6 queries coming from the mobile station to the PDSN’s local PPP link address.
Example
The following command provides an example of disabling an IPv6 DNS proxy for the subscriber:
no ipv6 dns-proxy
 
ipv6 egress-address-filtering
Configures the egress address filtering for the subscriber.
Product
PDSN, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] ipv6 egress-address-filtering
no
Disables IPv6 egress address filtering.
ipv6 egress-address-filtering
Enables IPv6 egress address filtering.
Usage
Used to filter packets that arrive from the internet to a particular site.
Example
The following command provides an example disabling egress address filtering:
no ipv6 egress-address-filtering
 
ipv6 initial-router-advt
Creates an IPv6 initial router advertisement interval for the subscriber.
Product
PDSN, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
ipv6 initial-router-advt { interval value | num-advts value }
default ipv6 initial-router-advt { interval | num-advts }
default
Resets interval or num-advts to their default setting.
interval value
Default: 3000ms
The time interval the initial IPv6 router advertisement is sent to the mobile node in milliseconds.
value is an integer between 100 and 16000 milliseconds.
num-advts value
Default: 3
The number of initial IPv6 router advertisements sent to the mobile node.
value is an integer between 1 and 16.
Usage
This command is used to set the advertisement interval and the number of advertisements. Using a smaller advertisement interval increases the likelihood of the router being discovered more quickly when it first becomes available.
Example
The following command specifies the initial ipv6 router interval to be 2000ms:
ipv6 initial-router-advt interval 2000
 
ipv6 interface-id
Provides an IPv6 interface ID for the subscriber.
Product
PDSN, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
ipv6 interface-id ifid
[ default | no ] ipv6 interface-id
default
No interface id set for IPv6CP negotiation to subscriber.
no
Deletes a previously configured ipv6 interface id.
interface-id ifid
The interface ID assigned to the Mobile during IPv6CP negotiation.
ifid is a 64 bit unsigned integer.
Usage
Used to provide an IPv6 ifid for the subscriber when using 6to4 routing.
Example
The following command provides an example of assigning an IPv6 interface ID of 00-00-00-05-47-00-37-44 to the subscriber:
ipv6 interface-id 00-00-00-05-47-00-37-44
 
ipv6 minimum-link-mtu
Configures the IPv6 minimum-link-MTU value.
Product
PDSN, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
ipv6 minimum-link-mtu value
default ipv6 minimum-link-mtu
default
Resets the minimum link MTU to its default setting.
Default: 1280
value
Default: 1280
value is an integer between 100 and 2000 bytes.
Usage
Used to override the IPv6 minimum link MTU values recommended by the standard.
Example
The following command provides an example of assigning an IPv6 minimum link MTU to 1580 to the subscriber:
ipv6 minimum-link-mtu 1580
 
ipv6 secondary-address
Configures additional IPv6 4-bit prefixes to the subscriber session.
Product
PDSN, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] ipv6 secondary-address { prefix ipv6_address_prefix | prefix-pool pool_name }
no
Deletes a previously configured ipv6 secondary address.
ipv6_address_prefix
The IPv6 secondary address prefix, which must be specified using colon notation.
pool_name
The name given to the secondary address prefix pool (a string size from 1 to 31 characters).
Usage
Specify a prefix pool name for a dynamically assigned prefix, or a prefix for a static one. This command may be executed multiple times to configure multiple prefixes.
Example
The following command provides an example of assigning an IPv6 secondary address prefix-pool name of eastcoast to the subscriber:
ipv6 secondary-address prefix-pool eastcoast
 
l2tp send accounting-correlation-info
This command enables the L2TP LAC to send accounting correlation information (Correlation-Id, NAS-IP-Address and NAS-ID) in L2TP control message (ICRQ) during session setup to LNS.
Product
PDSN, LNS, LAC
Privilege
Security Administrator, Administrator
Syntax
[no | default] l2tp send accounting-correlation-info
no
Disables the command and sets the setting to default mode for this subscriber.
default
Sets the setting to the default mode of disabled.
Usage
Use this command to enable the L2TP LAC to send accounting correlation information (Correlation-Id, NAS-IP-Address and NAS-ID) in L2TP control message (ICRQ) during session setup to LNS for this subscriber. LNS can be configured to include this information in ECS billing records, so that billing servers can easily correlate accounting records from PDSN/LAC and LNS.
By default, this mode is disabled.
Example
The following command disables the inclusion of accounting correlation information in control messages during session setup to the LNS for a subscriber:
default l2tp send accounting-correlation-info
 
l3-to-l2-tunnel address-policy
Configures the subscriber address allocation/validation policy when subscriber L3 (IPv4) sessions are tunneled using an L2 tunneling protocol (for example, L2TP).
Product
HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
l3-to-l2-tunnel address-policy { alloc-only | alloc-validate | no-alloc-validate }
default l3-to-l2-tunnel address-policy
default
Restores the default value for l3-to-l2-tunnel address-policy.
alloc-only
Only allocate an address in the case of dynamic address assignment. Do not validate static addresses.
alloc-validate
Locally allocate and validate subscriber addresses.
no-alloc-validate
Do not allocate or validate subscriber addresses locally in the system for the current subscriber's sessions. Pass the address between the remote tunnel terminator and the Mobile Node. This is the default behavior.
Usage
Use this command to configure the L3 to L2 tunnel address policy for MIP HA sessions tunneled from the system using L2TP tunnels or for GGSN IP Context sessions tunneled using L2TP to a remote LNS. Also refer to the resource keyword of the context configuration mode ip pool command.
Example
To set the L3 to L2 tunnel address policy so that the current subscriber must have IP addresses allocated and validated locally on the system, enter the following command:
l3-to-l2-tunnel address-policy alloc-validate
 
loadbalance-tunnel-peers
Configures the load balancing of traffic bound for L2TP tunnels configured on the system for the selected subscriber.
Product
L2TP
Privilege
Security Administrator, Administrator
Syntax
loadbalance-tunnel-peers { balanced | prioritized | random }
balanced
Enables the equal use of all configured tunnel peers (LNSs) for the selected subscriber.
prioritized
Enables the use of all configured tunnel peers (LNSs) for the selected subscriber based on the preference number assigned to the peer address.
random
Default: Enabled
Enables the random use of all configured tunnel peers (LNSs) for the selected subscriber.
Usage
Use to manage traffic loads on LAC ports and their respective L2TP Network Servers.
Example
Use the following command to randomly use all configured tunnel peers (LNSs):
loadbalance-tunnel-peers random
 
long-duration-action
This command specifies what action is taken when the long duration timer expires.
Product
All
Privilege
Administrator
Syntax
long-duration-action { detection | disconnection [ dormant-only ] [ suppress-notification ] }
detection
Default: Enabled
Detects long duration sessions and sends SNMP TRAP and CORBA notification. This is the default behavior.
Use this command to detect a session exceeding the limit set by the long duration timer.
disconnection [ dormant-only ] [ suppress-notification ]
Default: Disabled
Detects a long duration session and disconnects the session after sending SNMP TRAP and CORBA notification.
suppress-notification: Suppresses the SNMP TRAP and CORBA notification after detecting and disconnecting a long duration session. Default: Disabled
dormant-only: Disconnects dormant sessions after the long duration timer and the inactivity time with idle time-out duration expire. If the long duration timeout fires and the call is not dormant, the call is disconnected when it later moves to dormancy.
Important: For HA calls, the inactivity-time is considered as gauge for dormancy.
It sends the SNMP TRAP and CORBA notification after disconnecting a long duration session. Default: Disabled
Usage
Use this command to determine what action is taken when a session exceeds the limit set by the long duration timer.
Example
Use the following command to enable disconnecting sessions that exceed the long duration timer:
long-duration-action disconnection
Use the following command to disconnect sessions that exceed the long duration timer without sending an SNMP TRAP and CORBA notification:
long-duration-action disconnection suppress-notification
Use the following command to disconnect sessions that are dormant and exceed the long duration timer, and send an SNMP TRAP and CORBA notification:
long-duration-action disconnection dormant-only
Note that for HA calls, the inactivity-time is considered as the gauge for dormancy.
 
mobile-ip
Enables/disables the subscriber for mobile IP services and access.
Product
HA, FA
Privilege
Security Administrator, Administrator
Syntax
[ no ] mobile-ip { allow-aaa-address-assignment | dns-address source-priority { aaa | home-agent } | gratuitous-arp aggressive | home-agent ip_address [ alternate ] | match-aaa-assigned-address | mn-aaa-removal-indication | mn-ha-hash-algorithm { hmac-md5 | md5 | rfc2002-md5 } | mn-ha-shared-key key | mn-ha-spi spi_num | reverse-tunnel | security-level { ipsec | none } | send { accounting-correlation-info | dns-address | imsi | terminal-verification } }
no
Disables the mobile IP option specified.
allow-aaa-address-assignment
Default: Disabled.
Enables the FA to accept a home address assigned by an AAA server. This should only be configured on the FA side.
dns-address source-priority { aaa | home-agent }
Sets the priority behavior on the FA to use either the DNS IP address information from the HA or from the AAA server to include in the RRP to the MN.
When the no keyword is used in conjunction with the dns-address keyword, information received from both the home-agent and the AAA server is sent if available.
DNS IP address information from the HA comes from the DNS NVSE in the RRP.
DNS IP address information from the AAA server is in the access accept message.
home-agent: If the DNS address is received from the home agent, only that information is sent to the MN. Otherwise the DNS address received from the AAA server is sent.
aaa: If the DNS address is received from the AAA server, only that information is sent to the MN. Otherwise the DNS address received from the home agent is sent.
gratuitous-arp aggressive
Default: Disabled.
When enabled, this mode will cause the HA to send out gratuitous ARP messages for all Mobile IP (MIP) registration renewals and handoffs.
To disable this mode, use the no form of this command.
Important: This mode will only work for IP addresses that have been assigned from a static IP address pool.
home-agent ip_address [alternate]
Specifies the IP address of the mobile IP user's home agent. ip_address must be an IPv4/IPv6 address.
alternate - Specifies the secondary, or alternate, Home Agent to use when Proxy Mobile IP HA Failover is enabled.
match-aaa-assigned-address
Default: Disabled.
Enables the FA to validate the home address in the RRQ against the one assigned by AAA server. This should only be configured on the FA side.
mn-aaa-removal-indication
Default: Disabled.
When enabled, the MN-FA challenge and MN-AAA Authentication extensions are removed when relaying a Registration Request (RRQ) to the Home Agent (HA)
mn-ha-hash-algorithm { hmac-md5 | md5 | rfc2002-md5 }
Specifies the hash algorithm to use.
Default: hmac-md5
hmac-md5: Use HMAC-MD5 hash algorithm, as defined in RFC-2002bis. This is the default algorithm.
md5: Use the MD-5 hash algorithm.
rfc2002-md5: Use the MD-5 hash algorithm variant as defined in RFC-2002.
mn-ha-shared-key key
This is the key used to verify the MN-HA Authentication for a local subscriber in the current context. key is a string, or a hexadecimal number beginning with "0x", of up to 127 bytes.
mn-ha-spi spi_num
Specifies the SPI number. spi_num must be an integer from 256 through 4294967295.
reverse-tunnel
Default: enabled.
Enables reverse IP tunnels for the mobile IP user. The no keyword is used to disable this option.
security-level { ipsec | none }
Default: none
The security-level option configures the security level needed for the subscriber's traffic.
ipsec: both MIP control and data traffic are secured with IPSEC
none: none of the traffic is secured
Important: This keyword corresponds to the 3GPP2-Security-Level RADIUS attribute. This attribute indicates the type of security that the home network mandates on the visited network.
Important: For this attribute, integer value 3 enables IPSec for tunnels and registration messages; integer value 4 disables IPSec.
send { accounting-correlation-info | dns-address | imsi | terminal-verification }
accounting-correlation-info: Configures whether the FA sends the correlation info to the NVSE in the RRQ. Default is disabled.
dns-address: Enables the HA to send the DNS address NVSE in the RRP. Default is disabled. This should only be enabled on the HA side.
imsi: Configures sending the IMSI NVSE in the RRQ. Default is sending IMSI in custom-1 format.
terminal-verification: Enables the FA to send the terminal verification NVSE in the RRQ. Default is disabled. This should only be enabled on the FA side.
Important: send dns-address is a proprietary feature developed for a specific purpose and requires the MN to be able to renegotiate IPCP for DNS addresses and reregister MIP if necessary. Since this feature needs the MN to support certain PPP/MIP behavior, and not all MNs may support that particular behavior, send dns-address should be enabled only after careful consideration.
Usage
Use as subscriber service contracts change.
Example
mobile-ip home-agent 1.2.3.4
no mobile-ip reverse-tunnel
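As an added example (not code from the page or from the StarOS product), the following shows how a home agent would verify the MN-HA Authentication Extension of an incoming RRQ using the per-subscriber mn-ha-spi, mn-ha-shared-key and mn-ha-hash-algorithm settings described above, and why a mismatch in the configured algorithm rejects an otherwise valid request. The RRQ bytes are constructed, the extension is assumed to follow the fixed RRQ header directly, and the plain md5 variant is left unimplemented because the page does not define its construction.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# RFC 3344 / RFC 2002 values: Registration Request type and the Mobile-Home
# Authentication Extension type; MD5-family authenticators are 16 octets.
RRQ_TYPE = 1
MN_HA_AUTH_EXT_TYPE = 32
AUTH_LEN = 16
RRQ_HEADER_LEN = 24  # type, flags, lifetime, home addr, HA, CoA, identification


def parse_shared_key(text: str) -> bytes:
    """Turn a 'mn-ha-shared-key' value into key bytes.

    The reference allows a plain string or a hexadecimal number beginning
    with "0x", up to 127 bytes either way.
    """
    if text.startswith("0x"):
        hex_part = text[2:]
        if len(hex_part) % 2:
            hex_part = "0" + hex_part
        key = bytes.fromhex(hex_part)
    else:
        key = text.encode("ascii")
    if not 1 <= len(key) <= 127:
        raise ValueError("mn-ha-shared-key must be 1..127 bytes")
    return key


def check_spi(spi: int) -> int:
    """'mn-ha-spi' must be 256..4294967295; 0..255 are reserved by the RFC."""
    if not 256 <= spi <= 4294967295:
        raise ValueError("mn-ha-spi out of range 256..4294967295")
    return spi


def authenticator(algorithm: str, key: bytes, protected: bytes) -> bytes:
    """Compute the 16-octet MN-HA authenticator for one 'mn-ha-hash-algorithm'.

    hmac-md5    : HMAC-MD5 (RFC 3344, the "RFC-2002bis" algorithm).
    rfc2002-md5 : keyed MD5 in prefix+suffix mode, MD5(key||data||key), the
                  original RFC 2002 default.
    The plain "md5" choice is not defined by the reference, so this example
    refuses it rather than guess at its construction.
    """
    if algorithm == "hmac-md5":
        return hmac.new(key, protected, hashlib.md5).digest()
    if algorithm == "rfc2002-md5":
        return hashlib.md5(key + protected + key).digest()
    raise ValueError("unsupported mn-ha-hash-algorithm: " + algorithm)


def build_rrq(home_addr: bytes, ha_addr: bytes, coa: bytes, lifetime: int,
              ident: int, spi: int, key: bytes, algorithm: str) -> bytes:
    """Construct a minimal RRQ (fixed header only) followed by the MN-HA
    Authentication Extension, as a mobile node would send it."""
    header = struct.pack("!BBH4s4s4sQ", RRQ_TYPE, 0x00, lifetime,
                         home_addr, ha_addr, coa, ident)
    # Extension Length is 4 (the SPI) plus the authenticator length. The
    # authenticator covers the payload so far plus this extension's Type,
    # Length and SPI fields (RFC 3344 section 3.5.1).
    ext_head = struct.pack("!BBI", MN_HA_AUTH_EXT_TYPE, 4 + AUTH_LEN, spi)
    return header + ext_head + authenticator(algorithm, key, header + ext_head)


def verify_rrq(rrq: bytes, subscriber: Dict[str, object]) -> Tuple[bool, str]:
    """Check an incoming RRQ the way an HA configured with mn-ha-spi,
    mn-ha-shared-key and mn-ha-hash-algorithm for this subscriber would.

    Assumption for this example: the authentication extension directly
    follows the fixed RRQ header (no other extensions in between).
    """
    off = RRQ_HEADER_LEN
    if len(rrq) < off + 6:
        return False, "truncated request"
    ext_type, ext_len, spi = struct.unpack("!BBI", rrq[off:off + 6])
    if ext_type != MN_HA_AUTH_EXT_TYPE:
        return False, "MN-HA authentication extension missing"
    if ext_len != 4 + AUTH_LEN or len(rrq) < off + 2 + ext_len:
        return False, "bad extension length"
    if spi != subscriber["spi"]:
        return False, "SPI does not match mn-ha-spi"
    protected = rrq[:off + 6]
    received = rrq[off + 6:off + 6 + AUTH_LEN]
    expected = authenticator(str(subscriber["algorithm"]),
                             bytes(subscriber["key"]), protected)
    if not hmac.compare_digest(received, expected):
        return False, "authenticator mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values, not from any real deployment.
    key = parse_shared_key("0x0123456789abcdef0123456789abcdef")
    spi = check_spi(1000)
    rrq = build_rrq(b"\x0a\x00\x00\x02", b"\x01\x02\x03\x04", b"\x0a\x00\x00\x01",
                    3600, 0x1122334455667788, spi, key, "hmac-md5")
    for algo in ("hmac-md5", "rfc2002-md5"):
        print(algo, verify_rrq(rrq, {"spi": spi, "key": key, "algorithm": algo}))
```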
 
mobile-ip ha
Accommodates two MIP HA options in subscriber mode.
Product
PDSN, HA, ASN GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] mobile-ip ha { assignment-table name | ignore-unknown-ha-addr-error }
no
Disables the mobile IP HA option specified.
assignment-table name
The name of an existing MIP HA Assignment table.
name must be a string of alphanumeric characters from 1 through 63 characters in length.
ignore-unknown-ha-addr-error
Default is disabled.
Enables or disables the HA to accept or reject the RRQ from a particular subscriber.
Usage
Use this command to assign a MIP HA Assignment table to the current subscriber.
Use this command to disable or enable the HA to accept or reject the RRQ from a particular subscriber when the HA address in the incoming MIP RRQ is not the same as the HA service address. The feature is off by default which causes the RRQ to be rejected with the error code UNKNOWN_HOME_AGENT.
Example
The following command assigns the MIP HA Assignment table named Atable1 to the current subscriber:
mobile-ip ha assignment-table Atable1
The following command sets ignore-unknown-ha-addr-error to its default disabled state:
no mobile-ip ha ignore-unknown-ha-addr-error
 
mobile-ip reg-lifetime-override
This command overrides the mobile IP registration lifetime from the HA with the value configured for the subscriber.
Product
PDSN, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
mobile-ip reg-lifetime-override [ dur | infinite ]
[ default | no ] mobile-ip reg-lifetime-override
dur
Default: 100 secs.
This is the configurable value in seconds.
dur must be an integer from 1 through 65534.
infinite
Sets the mobile IP registration lifetime override value to infinite for a particular subscriber.
default
Sets the value of mobile IP registration lifetime override option to 100 seconds.
no
Disables the mobile IP registration lifetime override option specified.
Usage
Use this command to configure MIP registration-lifetime per realm/domain. This value overrides the default lifetime configured under HA service.
Example
The following command overrides the mobile IP registration lifetime value from HA service and assigns the MIP registration lifetime to 100 seconds for the current subscriber:
default mobile-ip reg-lifetime-override
 
mobile-ip send accounting-correlation-info
Enables the sending of call correlation information NVSE's to the HA in the MIP RRQ.
Product
PDSN, HA, ECS
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] mobile-ip send accounting-correlation-info
default
Disables the support for sending call correlation information NVSE's to the HA in the MIP RRQ.
This is the default mode.
no
Removes the configured support for sending call correlation information.
Usage
Use this command to support PDSN-Correlation-ID VSE and send the call correlation information.
Example
The following command enables sending call correlation information NVSE's to the HA in the MIP RRQ:
mobile-ip send accounting-correlation-info
 
mobile-ipv6
Configures Mobile IPv6 related parameters for a subscriber.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] mobile-ipv6 { home-address ipv6_address | home-agent ipv6_address | home-link-prefix ipv6_address | tunnel mtu value }
default
Disables the support for sending call correlation information NVSE's to the HA in the MIP RRQ.
This is the default mode.
no
Removes the configured support for sending call correlation information.
home-address ipv6_address
Specifies the home address for the subscriber. ipv6_address must be an IPv6 address in colon notation.
home-agent ipv6_address
Specifies the IPv6 address of the mobile IP user's home agent. ipv6_address must be an IPv6 address in colon notation.
home-link-prefix ipv6_address
Specifies the IPv6 address of the mobile IP user's home link. ipv6_address must be an IPv6 address in colon notation.
tunnel mtu value
Configures the tunnel MTU for the IPv6 tunnel between the HA and the mobile node. value must be an integer between 1024 and 2000. The default is 1500.
Usage
This command sets the mobile-ipv6 parameters for a subscriber. Use this command to set the home-address, home-agent, and home-link prefix.
Example
Use the following command to set the tunnel value to 1800:
mobile-ipv6 tunnel mtu 1800
 
nai-construction-domain
After authentication, the domain name set by this command replaces the NAI constructed domain for subscriber.
Product
All
Privilege
Security Administrator, Administrator
Syntax
nai-construction-domain domain_name
no nai-construction-domain
domain_name
Defines the domain name to use to replace the NAI constructed domain name. This must be a string of 1 to 79 characters.
no
Deletes the defined domain name.
Usage
Define or delete a domain name to use to replace the NAI constructed domain name after authentication.
Example
To set the domain name to private1 use the following command:
nai-construction-domain private1
To delete the previously configured domain name, use the following command:
no nai-construction-domain
 
nbns
Configures and enables the use of NetBIOS Name Service for the subscriber.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
nbns { primary IPv4-address | secondary IPv4-address }
no nbns { primary [ IPv4-address ] | secondary [ IPv4-address ] }
primary
Designates the primary NBNS server. Must be followed by an IPv4 address in dotted-decimal notation.
secondary
Designates the secondary/failover NBNS server. Must be followed by an IPv4 address in dotted-decimal notation.
IPv4-address
Specifies the IPv4 address used for this service.
no
Removes/disables use of a previously configured NetBIOS Name Service.
Usage
This command specifies NBNS parameters. The NBNS option is present for both pdp type IP and pdp type PPP for GGSN.
The system can be configured to use NetBIOS Name Service for the APN.
Example
The following command configures the subscriber's NetBIOS Name Service to primary IP 192.168.1.15:
nbns primary 192.168.1.15
 
nexthop-forwarding-address
Configures the next hop forwarding address for the subscriber.
Product
PDSN, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
nexthop-forwarding-address ip_address
no nexthop-forwarding-address
ip_address
Configures the IP address of the nexthop forwarding address.
no
Disables this function. This is the default setting.
Usage
Use this command to configure the next hop forwarding address for the subscriber.
Example
The following command configures the next hop forwarding address to 1.1.1.1 using IPv4:
nexthop-forwarding-address 1.1.1.1
 
npu qos
Configures an NPU QoS priority queue for packets from the subscriber.
Product
PDSN, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
npu qos traffic priority { best-effort | bronze | derive-from-packet-dscp | gold | silver }
best-effort
Assigns the best-effort queue priority. This is the lowest priority.
bronze
Assigns the bronze queue priority. This is the third-highest priority.
derive-from-packet-dscp
Default: Enabled
Specifies that the priority is to be determined from the DS field in the packet's TOS octet.
gold
Assigns the gold queue priority. This is the highest priority.
silver
Assigns the silver queue priority. This is the second-highest priority.
Usage
This command is used in conjunction with the Network Processing Unit (NPU) Quality of Service (QoS) functionality.
The system can be configured to determine the priority of a subscriber packet either based on the configuration of the subscriber, or from the differentiated service (DS) field in the packet's TOS octet (representing the differentiated service code point (DSCP) value).
Refer to the System Administration and Configuration Guide for additional information on NPU QoS functionality.
Important: This functionality is not supported for use with the PDSN at this time.
Example
The following command configures the subscriber’s priority queue to be gold:
npu qos traffic priority gold
 
nw-reachability-server
Bind the name of a configured network reachability server to the current subscriber and enable network reachability detection.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
nw-reachability server server_name
no nw-reachability server
server_name
The name of a network reachability server that has been defined in the current context. This is a string of from 1 through 16 characters.
no nw-reachability server
Deletes the name of the network reachability server from the current subscriber's configuration and disables network reachability failure detection for the current subscriber.
Usage
Use this command to define the network reachability server for the current subscriber and enable network reachability failure detection for the current subscriber. If a network reachability server is defined in an IP pool, that setting takes precedence over this command.
Important: Refer to the HA configuration mode command policy nw-reachability-fail to configure the action that should be taken when network reachability fails.
Important: Refer to the context configuration mode command nw-reachability server to configure network reachability servers.
Important: Refer to the nw-reachability server server_name keyword of the ip pool command in the context configuration mode chapter to bind the network reachability server to an IP pool.
Example
To bind a network reachability server named InternetDevice to the current subscriber, enter the following command:
nw-reachability server InternetDevice
 
outbound
Configures the subscriber host password for use in authentication of PPP sessions.
Product
All
Privilege
Security Administrator, Administrator
Syntax
outbound [ encrypted ] password pwd
no outbound password
[ encrypted ] password pwd
Specifies the password to use for point-to-point protocol session host authentication. The encrypted keyword indicates the password specified uses encryption.
The password specified as pwd must be from 1 to 63 alpha and/or numeric characters without encryption and must be from 1 to 127 alpha and/or numeric characters when encryption has been indicated.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
no outbound password
Used to clear the outbound password configuration from the subscriber data.
Usage
Set the outbound (egress) password for increased security.
Example
outbound password secretPwd
outbound encrypted password scrambledPwd
no outbound password
 
overload-disconnect
Sets the threshold parameter for overload disconnect.
Product
ASN GW, HA, PDIF, PDSN, PHS GW, PDG/TTG
Privilege
Security Administrator, Administrator
Syntax
overload-disconnect [ threshold { inactivity-time inactivity_time_threshold | connect-time connect_time_threshold } ]
[ default | no ] overload-disconnect [ threshold { inactivity-time | connect-time } ]
threshold inactivity-time inactivity_time_threshold
Sets the inactivity time threshold in seconds. This value must be from 0 to 4294967295. The default value of zero disables this feature. If inactivity-time for the subscriber’s session is greater than inactivity_time_threshold, the session becomes a candidate for disconnection.
threshold connect-time connect_time_threshold
Sets the connection time threshold in seconds. This value must be from 0 to 4294967295. A value of zero disables this feature. If connect-time for the subscriber’s session is greater than connect_time_threshold, the session becomes a candidate for disconnection.
default
This command enables the default condition for this subscriber.
no
Disables the overload disconnect feature for this subscriber. This is the default condition for PDIF.
Usage
Set a subscriber’s overload disconnect threshold in seconds, based on either inactivity or connection time. When this threshold is exceeded during a session, the subscriber’s session becomes a candidate for disconnection. To set overload-disconnect policies for the entire chassis, see congestion-control overload-disconnect in Global Configuration Mode Commands.
Example
overload-disconnect threshold inactivity-time inactivity_time_threshold
default overload-disconnect threshold connect-time
no overload-disconnect threshold connect-time
no overload-disconnect
 
password
Configures the subscriber's password for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ encrypted ] password pwd
no password
encrypted
Indicates the password provided is encrypted.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
pwd
Specifies the user's password for authentication. pwd must be from 1 to 63 alpha and/or numeric characters, or from 1 to 127 characters if the encrypted keyword was specified. A "null" password is allowed and is entered as consecutive quotes (""). See Example(s) for correct syntax.
Important: Subscribers configured with a null password will be authenticated using PAP and CHAP (MD5) only. Subscribers configured without a password (no password) will only be able to access services if the service is configured to allow no authentication.
no
Used to clear the subscriber password configuration from the subscriber data.
Important: Subscribers with no password will only be able to access services if the service is configured to allow no authentication.
Usage
Password management is critical to system security and all precautions should be taken to ensure passwords are not shared or too easily deciphered.
Example
password secretPwd
password ""
no password
 
pdif mobile-ip
Configures PDIF subscriber call setup parameters.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] pdif mobile-ip { release-tia | required | simple-ip-fallback }
[ default | no ]
Disables the option specified.
release-tia
Specifies that after subscriber call setup is complete, the tunnel inner address (TIA) is released. If Simple IP is enabled, the TIA becomes the principal communications tunnel and the restriction that it is only to be used to set up a Mobile-IP call is lifted. This parameter is disabled by default.
required
Specifies that Mobile IP is required for this subscriber whenever a call is set up. This parameter is disabled by default.
simple-ip-fallback
Specifies that Simple IP should be used when Mobile IP could not be established. This parameter is disabled by default.
Usage
Use this command to configure specific behavior for the PDIF subscriber during call setup.
Example
The following command enables the system to fall back to Simple IP when Mobile IP fails for this subscriber during call setup:
pdif mobile-ip simple-ip-fallback
 
permission
Enables/disables the ability to access wireless data services for the current subscriber.
Product
PDSN, HA
Privilege
Security Administrator, Administrator
Syntax
[ no ] permission { ha-mobile-ip | pdsn-mobile-ip | pdsn-simple-ip }
no
Disables the usage of the specified service.
ha-mobile-ip | pdsn-mobile-ip | pdsn-simple-ip
ha-mobile-ip: enable/disable the home agent support for mobile IP service.
pdsn-mobile-ip: enable/disable the packet data and foreign agent support for mobile IP service.
pdsn-simple-ip: enable/disable the packet data support for simple IP service.
Usage
This is necessary per the services the subscriber is allowed to access in the current context.
Example
permission pdsn-mobile-ip
no permission ha-mobile-ip
 
policy ipv6 tunnel
Configures the tunnel MTU behavior for the IPv6 tunnel between the HA and the Mobile Node.
Product
PDSN, HA
Privilege
Security Administrator, Administrator
Syntax
policy ipv6 tunnel mtu exceed { fragment | notify-sender }
mtu exceed { fragment | notify-sender }
fragment: Adjust the tunnel MTU and fragment packets.
notify-sender: Send an ICMPv6 Packet Too Big message to the original sender.
Usage
Use this command to configure Tunnel MTU for IPv6 Tunnel between HA and Mobile Node.
Example
policy ipv6 tunnel mtu exceed fragment
 
policy-group
This command assigns/removes a flow-based traffic policy group to a subscriber.
Product
PDSN, HA, ASN GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] policy-group policy_group_name direction { in | out }
no
Removes assigned policy group from a subscriber configuration.
policy_group_name
Specifies the traffic policy group name for a subscriber session flow pre-configured within a destination context.
policy_group_name consists of from 1 to 15 alpha and/or numeric characters in length and is case sensitive.
direction { in | out }
Specifies the direction of flow in which the traffic policies need to be applied.
in: specifies the incoming traffic
out: specifies the outgoing traffic
Usage
Use this command to assign traffic policy group to a subscriber for traffic policing.
Example
policy-group traffic_policy_group1 direction in
 
ppp
Configures the point-to-point protocol options for the current subscriber.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
ppp { accept-peer-ipv6-ifid | always-on-vse-packet | data-compression { mode { normal | stateless } | protocols { protocols [ protocols ] } } | ip-header-compression negotiation { detect | force | vj compress-slot-id { both | none | receive | transmit } } | ipv4 { disable | enable | passive } | ipv6 { disable | enable | passive } | keepalive seconds | min-compression-size min_octets | mtu max_octets | remote-renegotiation disconnect { always | nai-prefix-msid-mismatch } }
default ppp { accept-peer-ipv6-ifid | always-on-vse-packet | data-compression { mode | protocols } | ip-header-compression negotiation [ vj compress-slot-id ] | ipv4 | ipv6 | keepalive | min-compression-size | mtu | remote-renegotiation disconnect }
no ppp { accept-peer-ipv6-ifid | always-on-vse-packet | data-compression protocols | ipv4 | ipv6 | keepalive | mtu | remote-renegotiation disconnect }
default
Restores the default value for the option specified.
no
Resets the option specified to its default.
always-on-vse-packet
Default: Enabled
If the always-on feature is enabled for a session, this keyword enables the PDSN to send special 3GPP2 VSE PPP packets to the Mobile Node with a max inactivity timer value. This configuration is applicable only for PDSN sessions.
accept-peer-ipv6-ifid
Default: None
This is used to configure a 6to4 tunnel. It controls the behavior of IPv6CP negotiation for Interface ID.
If enabled, PDSN will accept a valid interface-id proposed by the peer.
data-compression { mode { normal | stateless } | protocols { protocols [ protocols ] }
Default: all protocols enabled.
Specifies the subscribers mode of data compression or the compression protocol to use.
mode: sets the mode of compression where modes must be one of:
protocols protocols: sets the compression protocol where protocols must be one of:
ip-header-compression negotiation { detect | force | vj compress-slot-id { both | none | receive | transmit } }
Default: force
PPP IP compression Van Jacobson (VJ) negotiation scheme. This command is applicable only if IP header compression is enabled for the subscriber.
detect: The local side does not include the VJ Compression option in its IPCP configuration request unless the peer sends an IPCP NAK including a VJ compression option. If the peer requests the VJ compression option in its IPCP request the local side will ACK/NAK.
force: The IP header compression negotiation in IPCP happens normally. The local side requests the VJ compression option in its IPCP configure request. If the peer side requests VJ compression in its IPCP request, the local side will ACK/NAK the option.
vj compress-slot-id [ both | none | receive | transmit ]: This keyword configures the direction in which VJ slotid compression should be negotiated.
both - If the client proposes VJ slotid compression, accept it and propose slotid compression for downlink and uplink.
none - If the client proposes VJ slotid compression, NAK the offer; do not propose slotid compression for downlink.
receive - (Default) If the client proposes VJ slotid compression in the uplink direction accept the configuration.
transmit - Propose VJ slotid compression for uplink.
ipv4 { disable | enable | passive }
Default: enable
Controls IPCP negotiation during PPP negotiation.
disable: The PDSN does not negotiate IPCP with the mobile.
enable: The PDSN negotiates IPCP with the mobile.
passive: The PDSN initiates IPCP only when the mobile sends an IPCP request.
ipv6 { disable | enable | passive }
Default: enable
Controls IPv6CP negotiation during PPP negotiation.
disable: The PDSN does not negotiate IPCP with the mobile.
enable: The PDSN negotiates IPCP with the mobile.
passive: The PDSN initiates IPCP only when the mobile sends an IPCP request.
keepalive seconds
Default: 30
Specifies the frequency of sending the Link Control Protocol keep alive messages. seconds must be either 0 or in the range from 5 to 14400.
The special value 0 disables the keep alive messages entirely.
min-compression-size min_octets
Default: 128
Specifies the smallest packet to which compression may be applied. min_octets must be a value in the range from 0 to 2000.
mtu max_octets
Default: 1500
Specifies the maximum size in octets the message transfer unit packets can reach. max_octets must be a value in the range from 100 to 2000.
remote-renegotiation disconnect { always | nai-prefix-msid-mismatch }
Default: Disabled
Terminates the already established PPP sessions if they are renegotiated by the remote side by sending LCP Conf-req/nak/ack. The following termination conditions are available:
always: The session is automatically disconnected.
nai-prefix-msid-mismatch: The session is disconnected only if the MSID of the session does not match NAI-Prefix (prefix before “@” for the NAI). The configuration of the renegotiated (new) NAI is used for the matching process.
Usage
Adjust packet sizes and compression to improve bandwidth utilization. Each network may have unique characteristics such that determining the best packet size and compression options may require system monitoring over an extended period of time.
Example
ppp data-compression protocols mode stateless
ppp mtu 500
no ppp data-compression protocols
no ppp keepalive
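As an added example (not code from the page or the StarOS product), this script audits a saved subscriber configuration against limits this reference states for the password, outbound, mobile-ip, mobile-ipv6, ipv6 minimum-link-mtu, overload-disconnect and ppp commands, and flags the settings a reviewer would want to see: plain-text passwords in a script (the chassis only ever saves the encrypted form), null or absent passwords, and security-level none. The command set covered, the severity labels and the sample configuration are all constructed for this example.

```python
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, severity, message)

# Numeric limits as stated in this reference: (min, max, literals also accepted).
RANGE_RULES = {
    "mobile-ip mn-ha-spi": (256, 4294967295, ()),
    "mobile-ip reg-lifetime-override": (1, 65534, ("infinite",)),
    "ppp keepalive": (5, 14400, ("0",)),  # 0 disables LCP keepalives
    "ppp mtu": (100, 2000, ()),
    "ppp min-compression-size": (0, 2000, ()),
    "ipv6 minimum-link-mtu": (100, 2000, ()),
    "mobile-ipv6 tunnel mtu": (1024, 2000, ()),
    "overload-disconnect threshold inactivity-time": (0, 4294967295, ()),
    "overload-disconnect threshold connect-time": (0, 4294967295, ()),
}

# 'password pwd', 'encrypted password pwd', and the 'outbound' forms of both.
PASSWORD_RE = re.compile(
    r'^(?P<outbound>outbound )?(?P<enc>encrypted )?password (?P<pwd>""|\S+)$')


def check_range(lineno, cmd, arg, rule) -> List[Finding]:
    lo, hi, literals = rule
    if arg in literals:
        return []
    if not arg.isdigit() or not lo <= int(arg) <= hi:
        return [(lineno, "error", f"{cmd}: '{arg}' is not in {lo}..{hi}")]
    return []


def check_password(lineno, match) -> List[Finding]:
    out: List[Finding] = []
    pwd, encrypted = match.group("pwd"), bool(match.group("enc"))
    where = "outbound password" if match.group("outbound") else "password"
    limit = 127 if encrypted else 63  # 1..63 plain text, 1..127 encrypted
    if pwd == '""':
        if where == "outbound password":
            out.append((lineno, "error", "outbound password must be 1..63 characters"))
        else:
            out.append((lineno, "info",
                        "null password: subscriber authenticates with PAP and CHAP (MD5) only"))
    elif len(pwd) > limit:
        out.append((lineno, "error", f"{where}: longer than {limit} characters"))
    if not encrypted:
        out.append((lineno, "warning",
                    f"{where} given in plain text; the chassis itself saves only the encrypted form"))
    return out


def audit(config_text: str) -> List[Finding]:
    """Walk subscriber-mode command lines and collect findings."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PASSWORD_RE.match(line)
        if match:
            findings.extend(check_password(lineno, match))
            continue
        if line == "no password":
            findings.append((lineno, "info",
                             "no password: service usable only where no authentication is allowed"))
        elif line == "mobile-ip security-level none":
            findings.append((lineno, "info",
                             "security-level none: MIP control and data traffic are not secured with IPsec"))
        elif line.startswith("mobile-ip mn-ha-shared-key "):
            key = line.split(" ", 2)[2]
            # "0x..." hex is counted in bytes; anything else is a plain string.
            nbytes = (len(key) - 1) // 2 if key.startswith("0x") else len(key)
            if not 1 <= nbytes <= 127:
                findings.append((lineno, "error", "mn-ha-shared-key: must be 1..127 bytes"))
        else:
            for cmd, rule in RANGE_RULES.items():
                if line.startswith(cmd + " "):
                    findings.extend(check_range(lineno, cmd, line[len(cmd) + 1:].strip(), rule))
                    break
    return findings


# Constructed sample subscriber configuration, not taken from any chassis.
SAMPLE = """\
# constructed sample
password secretPwd
password ""
outbound encrypted password 0a1b2c3d4e5f
mobile-ip mn-ha-spi 255
mobile-ip mn-ha-shared-key 0x0123456789abcdef
mobile-ip security-level none
mobile-ip reg-lifetime-override infinite
ppp keepalive 3
ppp mtu 1500
ipv6 minimum-link-mtu 1280
overload-disconnect threshold inactivity-time 600
mobile-ipv6 tunnel mtu 2001
"""

if __name__ == "__main__":
    for lineno, severity, message in audit(SAMPLE):
        print(f"line {lineno}: {severity}: {message}")
```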
 
prepaid 3gpp2
Enables 3GPP2 compliant prepaid billing support for a subscriber to be configured by 3GPP2 attributes sent from a RADIUS server. If not enabled, prepaid attributes received from the RADIUS server are ignored.
Product
HA, PDSN
Privilege
Security Administrator, Administrator
Syntax
prepaid 3gpp2 { accounting [ no-final-access-request ] | duration-quota final-duration-algorithm { current-time | last-airlink-activity-time | last-user-layer3-activity-time } | preference { duration | volume } }
default prepaid 3gpp2 { duration-quota final-duration-algorithm | preference }
no prepaid 3gpp2 accounting
default prepaid 3gpp2 { duration-quota final-duration-algorithm | preference }
Sets the 3GPP2 Pre-paid settings to the default values.
duration-quota final-duration-algorithm: Reset the end of billing duration quota algorithm to the default of current-time.
preference: Reset the preference to duration, which applies when both duration and volume attributes are present.
no prepaid 3gpp2 accounting
Disables 3GPP2 prepaid accounting. All 3GPP2 Prepaid attributes received from a RADIUS server are ignored.
accounting [ no-final-access-request ]
Default: Disabled
Enables 3GPP2 prepaid accounting behavior.
no-final-access-request: Stops sending the final online access-request on termination of 3GPP2 prepaid sessions. By default, this option is disabled.
duration-quota final-duration-algorithm { current-time | last-airlink-activity-time | last-user-layer3-activity-time }
Defines the event that marks the end of the billing duration for duration-based quota accounting.
Default: current-time
current-time: Selects the duration quota as the difference between the session termination timestamp and the session setup timestamp.
last-airlink-activity-time: Selects the duration quota as the difference between the last-user-activity timestamp (G17) and the session setup timestamp.
last-user-layer3-activity-time: Selects the duration quota as the difference between the timestamp of the last layer-3 packet sent to or received from the user and the session setup timestamp.
preference { duration | volume }
If both duration and volume RADIUS attributes are present this keyword specifies which attribute has precedence.
Default: duration
duration: The duration attribute takes precedence.
volume: The volume attribute takes precedence.
Usage
Use this command to enable prepaid support for a default user or for the default user of a domain alias.
Example
The following command enables 3GPP2 prepaid support for the default user:
prepaid 3gpp2 accounting
 
prepaid custom
Enables custom prepaid billing support for a subscriber to be configured by attributes sent from a RADIUS server. If not enabled, prepaid attributes received from the RADIUS server are ignored. The keywords are to set prepaid values that are used if the corresponding RADIUS attribute is not present. If the RADIUS attribute is present it takes precedence over these values.
Product
HA, PDSN
Privilege
Security Administrator, Administrator
Syntax
prepaid custom { accounting | byte-count compressed | low-watermark percent percentage | preference { duration | volume } | renewal interval seconds }
default prepaid custom { byte-count | low-watermark }
no prepaid custom { accounting | byte-count compressed | low-watermark | renewal }
default prepaid custom { byte-count | low-watermark }
Resets custom prepaid settings to the default values.
byte-count: Reset to the default of basing the prepaid byte credits on the flow of uncompressed traffic.
low-watermark: Disable sending an access request to retrieve more credits when a low watermark is reached.
no prepaid custom { accounting | byte-count compressed | low-watermark | renewal }
byte-count compressed: The prepaid byte credits are based on the flow of uncompressed traffic. This is the default.
low-watermark: Disables the low watermark feature. An access-request isn’t sent to the RADIUS server until the credits granted for the subscriber session are depleted.
renewal: Disables time-based renewals for prepaid accounting.
accounting
Default: Disabled
Enables custom prepaid accounting behavior.
byte-count compressed
Default: uncompressed.
When compression is used, the prepaid byte credits are based on the flow of compressed traffic. The default is to base the prepaid byte credits on the flow of uncompressed traffic.
low-watermark percent percentage
Default: Disabled.
Sets the low-watermark for remaining byte credits. percentage is a percentage of the subscriber sessions total credits. When the low-watermark is reached a new RADIUS access-request is sent to the RADIUS server to retrieve more credits. percentage must be an integer from 1 to 99.
renewal interval seconds
Default:
The time in seconds to wait before sending a new RADIUS access-request to the RADIUS server to retrieve more credits. seconds must be an integer from 60 through 65535.
preference { duration | volume }
If both duration and volume RADIUS attributes are present this keyword specifies which attribute has precedence.
Default: duration
duration: The duration attribute takes precedence.
volume: The volume attribute takes precedence.
Usage
Use this command to enable prepaid support for a default user or for the default user of a domain alias.
Example
The following command enables custom prepaid support for the default user:
prepaid custom accounting
 
prepaid unclassify
This command provides customer specific functionality.
 
prepaid voice-push
This command provides customer specific functionality.
 
prepaid wimax
Enables WiMAX prepaid accounting for this subscriber. This feature is disabled by default.
Product
ASN GW
Privilege
Administrator
Syntax
[ no ] prepaid wimax accounting
no
Disables WiMAX prepaid accounting for this subscriber.
Usage
Use this command to enable WiMAX prepaid accounting for this subscriber.
 
proxy-dns intercept list-name
Identifies a proxy DNS intercept rules list for the selected subscriber.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
[ no ] proxy-dns intercept list-name name
no
Remove the intercept list from the subscribers profile.
proxy-dns intercept list-name name
Specifies a name of a proxy DNS intercept list used for the selected subscriber.
name is the name of the intercept list and must be a string from 1 to 63 characters in length.
Usage
Use this command to identify a proxy DNS rules list for the selected subscriber. For a more detailed explanation of the HA Proxy DNS Intercept feature, see the proxy-dns intercept-list command in the Context Configuration Mode Commands chapter.
 
proxy-mip
Configures support for Proxy Mobile IP for the subscriber.
Product
PDSN, GGSN, ASN GW, PDIF
Privilege
Security Administrator, Administrator
Syntax
[ no ] proxy-mip required
no
Disables support for Proxy Mobile IP.
required
Enables support for Proxy Mobile IP.
Usage
When enabled through the session license and feature use key, the system supports Proxy Mobile IP to provide a mobility solution for subscribers with mobile nodes (MNs) capable of supporting only Simple IP.
For subscriber sessions using Proxy Mobile IP, R-P and PPP sessions get established as they would for a Simple IP session. However, the AGW/FA performs Mobile IP operations with an HA (identified by information stored in the subscriber’s profile) on behalf of the MN while the MN performs only Simple IP processes.
Example
The following command enables proxy mobile IP for the current subscriber:
proxy-mip required
 
qos rate-limit
Configure the action on subscriber traffic flow that violates or exceeds the peak/committed data rate under traffic policing functionality. When configured, the PDG/TTG performs traffic policing for the subscriber session. If the GGSN changes the QoS via an Update PDP Context Request, the PDG/TTG uses the new QoS values for traffic policing.
Product
PDG/TTG
Privilege
Security Administrator, Administrator
Syntax
qos rate-limit direction { downlink | uplink } [ class { background | conversational | interactive traffic_priority | streaming } ] [ exceed-action { drop | lower-ip-precedence | transmit } ] [ violate-action { drop | lower-ip-precedence | transmit } ]
no qos rate-limit direction { downlink | uplink } [ class { background | conversational | interactive traffic_priority | streaming } ]
no
Disables the QoS data rate limit configuration for the specified direction (and traffic class, if given).
downlink
Apply the specified limits and actions to the downlink (to the data coming from the GGSN over the Gn’ interface).
uplink
Apply the specified limits and actions to the uplink (to the data coming from the UE over the IPSec tunnel).
class { background | conversational | interactive traffic_priority | streaming }
Apply the specified limits and actions to the PDP contexts of the specified UMTS traffic class. The following classes are supported:
background: Specifies the QoS for traffic patterns in which the data transfer is not time-critical (for example, e-mail exchanges). This traffic pattern should be the lowest QoS.
conversational: Specifies the QoS for traffic patterns in which there is a constant flow of packets in each direction, upstream and downstream. This traffic pattern should be the highest QoS.
interactive traffic_priority: Specifies the QoS for traffic patterns in which there is an intermittent flow of packets in each direction, upstream and downstream. This traffic pattern should be a higher QoS than the background pattern, but not as high as that for the streaming pattern. traffic_priority is the 3GPP traffic handling priority and can be the integer 1, 2, or 3.
streaming: Specifies the QoS for traffic patterns in which there is a constant flow of data in one direction, either upstream or downstream. This traffic pattern should be a higher QoS than the interactive pattern, but not as high as that for the conversational pattern.
Important: If this keyword is omitted, the same values are used for all classes.
exceed-action { drop | lower-ip-precedence | transmit }
Default: See Usage section for this command
The action to take on the packets that exceed the committed-data-rate but do not violate the peak-data-rate. The following actions are supported:
drop: Drop the packet.
lower-ip-precedence: Transmit the packet after lowering the ip-precedence.
transmit: Transmit the packet.
violate-action { drop | lower-ip-precedence | transmit }
Default: See Usage section for this command
The action to take on the packets that exceed both the committed-data-rate and the peak-data-rate. The following actions are supported:
drop: Drop the packet.
lower-ip-precedence: Transmit the packet after lowering the IP precedence.
transmit: Transmit the packet.
Usage
This command configures quality of service (QoS) data rate shaping through traffic policing: it sets the actions taken on a subscriber flow that exceeds or violates the allowed committed or peak data rate. The shaping function can also buffer the excess user packets in memory and send them to the subscriber once subscriber traffic drops below the committed or peak data rate limit.
Important: The user packet buffer function in traffic shaping is not applicable to real-time traffic.
Important: If the exceed/violate action is set to “lower-ip-precedence”, this command may override the configuration of the ip qos-dscp command in the GGSN service configuration mode for packets from the GGSN to the PDG/TTG. In addition, the GGSN service ip qos-dscp command configuration can override the APN setting for packets from the GGSN to the Internet. Therefore, it is recommended that the ip qos-dscp command not be used in conjunction with this action.
The command can be entered multiple times to specify different combinations of direction and class. If this command is not configured at all, the GGSN does not perform traffic policing or QoS negotiation with the PDG/TTG (that is, it accepts all of the PDG/TTG-provided values for the PDP context).
Important: This command should be used in conjunction with the max-contexts command to limit the maximum possible bandwidth consumption by the APN.
Additional information on the QoS traffic shaping and policing functionality is located in the System Enhanced Feature Configuration Guide.
Default values:
The following table displays the default values for each of the traffic classes:
Example
The following command lowers the IP precedence when the committed-data-rate and the peak-data-rate are violated in uplink direction:
qos rate-limit direction uplink violate-action lower-ip-precedence
 
qos traffic-police
Enables and configures traffic policing: the bandwidth limits for subscriber traffic and the action taken when traffic exceeds the committed data rate or violates the peak data rate. Uplink and downlink limits are configured separately.
Product
PDSN, HA, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
qos traffic-police direction { downlink | uplink } [ burst-size bytes ] [ committed-data-rate bps ] [ exceed-action { drop | lower-ip-precedence | transmit } ] [ peak-data-rate bps ] [ violate-action { drop | lower-ip-precedence | transmit } ]
no qos traffic-police direction { downlink | uplink }
downlink
Apply the specified limits and actions to the downlink (data to the subscriber).
uplink
Apply the specified limits and actions to the uplink (data from the subscriber).
burst-size bytes
Default: 3000
The peak burst size allowed, in bytes.
bytes must be an integer from 0 through 4294967295.
Important: It is recommended that this parameter be set to at least the greater of: 1) three times the packet MTU of the subscriber connection, or 2) three seconds’ worth of token accumulation in the “bucket” at the configured peak-data-rate.
committed-data-rate bps
Default: 144000
The committed data rate (guaranteed-data-rate) in bps (bits per second).
bps must be an integer from 0 through 4294967295.
exceed-action { drop | lower-ip-precedence | transmit }
Default: lower-ip-precedence
The action to take on the packets that exceed the committed-data-rate but do not violate the peak-data-rate. The following actions are supported:
drop: Drop the packet
lower-ip-precedence: Transmit the packet after lowering the ip-precedence
transmit: Transmit the packet
peak-data-rate bps
Default: 256000
Specifies the peak data-rate for the subscriber, in bps (bits per second).
bps must be an integer from 0 through 4294967295.
violate-action { drop | lower-ip-precedence | transmit }
Default: drop
The action to take on the packets that exceed both the committed-data-rate and the peak-data-rate. The following actions are supported:
drop: Drop the packet
lower-ip-precedence: Transmit the packet after lowering the IP precedence
transmit: Transmit the packet
no
Disable traffic policing for the specified direction for the current subscriber.
Usage
Use this command to limit the bandwidth a subscriber uses in the uplink and downlink directions.
Important: If the exceed/violate action is set to “lower-ip-precedence”, the TOS value for the outer packet becomes “best effort” for packets that exceed/violate the traffic limits regardless of what the ip user-datagram-tos copy command is configured to. In addition, the “lower-ip-precedence” option may also override the configuration of the ip qos-dscp command. Therefore, it is recommended that the ip qos-dscp command not be used when specifying this option.
Details on the QoS traffic policing functionality are located in the System Enhanced Feature Configuration Guide.
Example
The following command sets an uplink peak data rate of 128000 bps and lowers the IP precedence when the committed-data-rate and the peak-data-rate are exceeded:
qos traffic-police direction uplink peak-data-rate 128000 violate-action lower-ip-precedence
The following command sets a downlink peak data rate of 256000 bps and drops packets when the committed-data-rate and the peak-data-rate are exceeded:
qos traffic-police direction downlink peak-data-rate 256000 violate-action drop
 
qos traffic-shape
Enables and configures traffic shaping, which buffers data packets during congestion or when the subscriber exceeds the configured peak or committed data rate, instead of discarding the instantaneous burst, and delivers them to the subscriber once the traffic flow drops below the peak or committed data rate. Uplink and downlink traffic shaping are configured separately.
 
Important: This feature is NOT supported for real-time traffic.
Product
PDSN, HA, GGSN, ASN GW
Privilege
Security Administrator, Administrator
Syntax
qos traffic-shape direction { downlink | uplink } [ burst-size bytes ] [ committed-data-rate bps ] [ exceed-action { drop | lower-ip-precedence | transmit } ] [ peak-data-rate bps ] [ violate-action { drop | lower-ip-precedence | buffer [transmit-when-buffer-full] | transmit } ] +
no qos traffic-shape direction { downlink | uplink }
downlink
Apply the specified limits and actions to the downlink (data to the subscriber).
uplink
Apply the specified limits and actions to the uplink (data from the subscriber).
burst-size bytes
Default: 3000
The peak burst size allowed, in bytes.
bytes must be an integer from 0 through 4294967295.
Important: It is recommended that this parameter be set to at least the greater of: 1) three times the packet MTU of the subscriber connection, or 2) three seconds’ worth of token accumulation in the “bucket” at the configured peak-data-rate.
committed-data-rate bps
Default: 144000
The committed data rate (guaranteed-data-rate) in bps (bits per second).
bps must be an integer from 0 through 4294967295.
exceed-action { drop | lower-ip-precedence | transmit }
Default: lower-ip-precedence
The action to take on the packets that exceed the committed-data-rate but do not violate the peak-data-rate. The following actions are supported:
drop: Drop the packet
lower-ip-precedence: Transmit the packet after lowering the ip-precedence
transmit: Transmit the packet
peak-data-rate bps
Default: 256000
Specifies the peak data-rate for the subscriber, in bps (bits per second).
bps must be an integer from 0 through 4294967295.
violate-action { drop | lower-ip-precedence | buffer [transmit-when-buffer-full] | transmit }
Default: See Usage section for this command
The action to take on the packets that exceed both the committed-data-rate and the peak-data-rate. The following actions are supported:
drop: Drop the packet
lower-ip-precedence: Transmit the packet after lowering the IP precedence
buffer [transmit-when-buffer-full]: Enables traffic shaping and buffers user packets when subscriber traffic violates the allowed peak/committed data rate. The transmit-when-buffer-full keyword allows the packet to be transmitted when buffer memory is full.
transmit: Transmit the packet
+
More than one of the above keywords can be entered within a single command.
no
Disable traffic shaping for the specified direction for the current subscriber.
Usage
Use this command to apply traffic shaping to a subscriber in the uplink and downlink directions. Traffic shaping controls flow differently from QoS traffic policing: when a subscriber exceeds or violates the peak data rate, instead of dropping the packets as policing does, it buffers the subscriber’s data packets and sends them when the traffic flow is low or no longer congested.
Important: If the exceed/violate action is set to “lower-ip-precedence”, the TOS value for the outer packet becomes “best effort” for packets that exceed/violate the traffic limits regardless of what the ip user-datagram-tos copy command is configured to. In addition, the “lower-ip-precedence” option may also override the configuration of the ip qos-dscp command. Therefore, it is recommended that the ip qos-dscp command not be used when specifying this option.
Details on the QoS traffic shaping functionality are located in the System Enhanced Feature Configuration Guide.
Example
The following command sets an uplink peak data rate of 128000 bps and lowers the IP precedence when the committed-data-rate and the peak-data-rate are exceeded:
qos traffic-shape direction uplink peak-data-rate 128000 violate-action lower-ip-precedence
The following command buffers the excess user packets when the subscriber traffic violates the configured peak data rate of 256000 bps in the downlink direction. Once the subscriber’s traffic drops below the configured peak/committed data rate, the buffered packets are transmitted. They are also transmitted if buffer memory is full:
qos traffic-shape direction downlink peak-data-rate 256000 violate-action buffer transmit-when-buffer-full
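The qos traffic-police and qos traffic-shape keywords above share one classification step: each packet either conforms to the committed-data-rate, exceeds it while staying within the peak-data-rate, or violates the peak-data-rate, and the exceed-action or violate-action is applied accordingly. The model below is an added example, not StarOS code, and its internals are assumptions the page does not state: two token buckets (one per rate) that both use burst-size as their depth, refilled in integer milliseconds, with the RFC 2698 two-rate three-colour decision order. The buffer action of qos traffic-shape is not modelled; it starts from the same verdicts. Policer, TokenBucket, simulate and recommended_burst_size are this example's own names; the default values are the ones the page lists.

```python
"""Two-rate token-bucket policer modelled on qos traffic-police / traffic-shape.

Added example, not StarOS code. Assumptions not stated on the page: the
committed and peak rates are enforced by two token buckets that both use
burst-size as their depth; a packet that fits the committed bucket conforms,
one that fits only the peak bucket "exceeds", one that fits neither
"violates" (RFC 2698 order). Time is integer milliseconds so the maths is exact.
"""


class TokenBucket:
    """Bucket refilled at rate_bps, capped at depth_bytes (the burst-size)."""

    def __init__(self, rate_bps, depth_bytes):
        self.rate_bps = rate_bps
        self.depth = depth_bytes
        self.tokens = depth_bytes        # bucket starts full
        self.last_ms = 0

    def refill(self, now_ms):
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        # bits per second -> bytes per millisecond, integer arithmetic only
        self.tokens = min(self.depth, self.tokens + elapsed * self.rate_bps // 8000)

    def has(self, size_bytes):
        return self.tokens >= size_bytes

    def take(self, size_bytes):
        self.tokens -= size_bytes


class Policer:
    """One direction of qos traffic-police, defaults taken from the page."""

    def __init__(self, committed_data_rate=144000, peak_data_rate=256000,
                 burst_size=3000, exceed_action="lower-ip-precedence",
                 violate_action="drop"):
        self.cir = TokenBucket(committed_data_rate, burst_size)
        self.pir = TokenBucket(peak_data_rate, burst_size)
        self.exceed_action = exceed_action
        self.violate_action = violate_action

    def classify(self, size_bytes, now_ms):
        """Return "conform", "exceed" or "violate" and debit the buckets."""
        self.cir.refill(now_ms)
        self.pir.refill(now_ms)
        if not self.pir.has(size_bytes):
            return "violate"               # over peak-data-rate: nothing consumed
        if self.cir.has(size_bytes):
            self.cir.take(size_bytes)
            self.pir.take(size_bytes)
            return "conform"
        self.pir.take(size_bytes)          # within peak but over committed
        return "exceed"

    def police(self, size_bytes, now_ms):
        """Return (verdict, action) for one packet."""
        verdict = self.classify(size_bytes, now_ms)
        action = {"conform": "transmit",
                  "exceed": self.exceed_action,
                  "violate": self.violate_action}[verdict]
        return verdict, action


def recommended_burst_size(mtu_bytes, peak_data_rate):
    """The page's guidance: at least max(3 x MTU, 3 s of tokens at peak-data-rate)."""
    return max(3 * mtu_bytes, 3 * peak_data_rate // 8)


def simulate(policer, packet_bytes, interval_ms, count):
    """Offer `count` equal-sized packets at a fixed interval and count verdicts."""
    verdicts = {"conform": 0, "exceed": 0, "violate": 0}
    for n in range(count):
        verdict, _ = policer.police(packet_bytes, n * interval_ms)
        verdicts[verdict] += 1
    return verdicts


if __name__ == "__main__":
    # 1500-byte packets every 50 ms = 240 kbit/s: above committed, below peak
    print(simulate(Policer(), 1500, 50, 20))
    # burst-size below the MTU: a full-size packet never fits either bucket
    print(simulate(Policer(burst_size=1000), 1500, 50, 20))
    print(recommended_burst_size(1500, 256000))
```

With the page's defaults and a 240 kbit/s offered load, the model marks 13 of 20 packets as conforming and 7 as exceeding, so the exceed-action (lower-ip-precedence by default) is what decides their fate. The second run is the check worth making before deploying a burst-size: under this bucket model a burst-size smaller than the link MTU means a full-size packet can never be admitted and every one takes the violate-action, which with the default of drop blackholes the subscriber; recommended_burst_size() applies the page's two-part rule, which for the default peak-data-rate of 256000 bps yields 96000 bytes, far above the default burst-size of 3000.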
 
radius accounting
Sets the RADIUS accounting parameters for the subscriber or domain. This command takes precedence over the similar context configuration command. This command is disabled by default.
Product
All
Privilege
Administrator
Syntax
radius accounting { interim { interval-timeout timeout | normal | suppress } | ip remote-address list-id list_id | mode { session-based | access-flow-based { none | auxillary-flows | all-flows | main-a10-only } } | start { normal | suppress } | stop { normal | suppress } }
no radius accounting { ip remote-address list-id list_id | interim [ interval-timeout ] }
interim { interval-timeout timeout | normal | suppress }
interval-timeout timeout: Indicates the time (in seconds) between updates to session counters (log file on RADIUS or AAA event log) during the session. timeout must be an integer from 50 to 40000000.
Caution: Interim interval settings received from the RADIUS server take precedence over this setting on the system. While the low limit of this setting on the system is a minimum of 50 seconds, the low limit setting on the RADIUS server can be as little as 1 second. To avoid increasing network traffic unnecessarily and potentially reducing network and system performance, do not set this parameter to a value less than 50 on the RADIUS server.
normal: If RADIUS accounting is enabled, send this Acct-Status-Type message when required by normal operation
suppress: If RADIUS accounting is enabled, suppress the sending of this Acct-Status-Type message.
ip remote-address list-id list_id
Specifies the identification number of the IP address list to use for the subscriber for remote address-based accounting.
list_id: Specifies the RADIUS accounting remote IP address list identifier for remote-address accounting for the subscriber. list_id must be an integer from 1 through 65535.
This command is used as part of the Remote Address-based accounting feature and associates the subscriber with a list of remote addresses. Remote address accounting data is collected each time the subscriber communicates with any of the addresses specified in the list.
Remote address lists are configured using the list keyword in the radius accounting ip remote-address command in the Context Configuration mode.
mode { session-based | access-flow-based { none | auxillary-flows | all-flows | main-a10-only } }
Default: session-based
Specifies if the radius accounting mode is either session-based or access-flow-based.
session-based: Configures session-based RADIUS accounting for the subscriber, that is, a single RADIUS accounting message is generated for the subscriber session rather than separate accounting messages for individual A10 connections or flows.
access-flow-based: Configures access-flow-based RADIUS accounting for the subscriber. This offers flexibility by generating separate accounting messages for flows and A10 sessions.
all-flows: Generates separate RADIUS accounting messages per access flow. Separate accounting messages are not generated for data path connections (for example, separate messages are not sent for the main A10 or auxiliary connections).
auxillary-flows: Generates RADIUS accounting records for the main data path connection and for access flows on all auxiliary data connections (for example, separate RADIUS accounting messages are generated for the main A10 session and for access flows within auxiliary A10 connections; the main A10 session accounting does not include octets or other accounting information from the auxiliary flows).
none: Separate RADIUS accounting messages are generated for all data path connections (for example, PDSN main or auxiliary A10 connections) but not for individual access flows. This is essentially A10 connection-based accounting.
start { normal | suppress }
normal: If RADIUS accounting is enabled, send this Acct-Status-Type message when required by normal operation
suppress: If RADIUS accounting is enabled, suppress the sending of this Acct-Status-Type message.
stop { normal | suppress }
normal: If RADIUS accounting is enabled, send this Acct-Status-Type message when required by normal operation
suppress: If RADIUS accounting is enabled, suppress the sending of this Acct-Status-Type message.
no
ip remote-address list-id list_id: Deletes the entry for the specified list_id.
interim [ interval-timeout ]: Disables the interim interval setting.
Usage
Use this command to allow a per-domain setting for the RADIUS accounting.
Example
Set the accounting interim interval to one minute (60 seconds) for all sessions that use the current subscriber configuration:
radius accounting interim interval-timeout 60
Do not send RADIUS interim accounting messages:
radius accounting interim suppress
Use access-flow-based accounting for the main A10 connection only:
radius accounting mode access-flow-based main-a10-only
 
radius group
Applies a RADIUS server group at the subscriber level for AAA functionality.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius group group_name
[ default| no ] radius group
group_name
Specifies the name of the server group that is used for authentication and/or accounting for the specific subscriber.
group_name must be a string of 1 to 63 characters. It must match a RADIUS server group already configured within the same context as the subscriber.
default
Sets / Restores default RADIUS server group specified at the context level or default subscriber profile.
no
Disables the applied RADIUS group for specific subscriber.
Usage
This feature provides the RADIUS configurables under the radius group node. Instead of a single list of servers per context, it configures multiple server groups within a context and applies an individual RADIUS server group to a subscriber in that context. Each server group consists of a list of AAA servers.
If no RADIUS group is applied for the subscriber or the default subscriber profile, the default server group available at the context level is used for accounting and authentication of that subscriber.
Example
The following command applies a previously configured RADIUS server group named star1 to a subscriber within the specific context:
radius group star1
The following command disables the applied RADIUS server group for the specific subscriber:
no radius group
 
radius returned-framed-ip-address
Sets the policy whether or not to reject a call when the RADIUS server supplies 255.255.255.255 as the framed IP address and the MS does not supply an address.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
radius returned-framed-ip-address 255.255.255.255-policy { accept-call-when-ms-ip-not-supplied | reject-call-when-ms-ip-not-supplied }
default radius returned-framed-ip-address 255.255.255.255-policy
accept-call-when-ms-ip-not-supplied
Accepts the call when the RADIUS server supplies 255.255.255.255 as the framed IP address and the MS does not supply an address.
reject-call-when-ms-ip-not-supplied
Rejects the call when the RADIUS server supplies 255.255.255.255 as the framed IP address and the MS does not supply an address.
default
Sets the policy to its default of rejecting the call when the RADIUS server supplies 255.255.255.255 as the framed IP address and the MS does not supply an address.
Usage
Use this command to set the behavior for the current subscriber when the RADIUS server supplies 255.255.255.255 as the framed IP address and the MS does not supply an address. In RFC 2865, a Framed-IP-Address of 255.255.255.255 tells the NAS to let the user select an address; when the MS supplies none there is no address to use, and the default policy rejects the call.
Example
Use the following command to set the subscriber profile to reject calls when the RADIUS server supplies 255.255.255.255 as the framed IP address and the MS does not supply an address:
radius returned-framed-ip-address 255.255.255.255-policy reject-call-when-ms-ip-not-supplied
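The decision this command controls can be traced from the bytes of the Access-Accept. The following is an added example, not StarOS code: it parses a constructed RADIUS attribute block (RFC 2865 type/length/value layout), extracts Framed-IP-Address (attribute type 8) and applies the 255.255.255.255-policy. The meaning of 255.255.255.255 (user selects) and 255.255.255.254 (NAS selects) is RFC 2865 section 5.8. What address the gateway assigns when it accepts a call with no address from either side is not covered on the page, so the example returns None for that case. call_decision(), parse_attributes(), attribute() and the REPLY_* samples are this example's own names and constructed data, not captured traffic.

```python
"""Apply the 255.255.255.255-policy to the Framed-IP-Address of a RADIUS reply.

Added example, not StarOS code. The attribute layout and the special values
are RFC 2865; the gateway behaviour for cases the page does not describe
(no Framed-IP-Address, or 255.255.255.254) is an assumption, marked below.
"""
import ipaddress

FRAMED_IP_ADDRESS = 8              # RFC 2865 attribute type
FRAMED_MTU = 12                    # used only as a second attribute in the sample
USER_SELECTS = ipaddress.IPv4Address("255.255.255.255")
NAS_SELECTS = ipaddress.IPv4Address("255.255.255.254")
REJECT = "reject-call-when-ms-ip-not-supplied"
ACCEPT = "accept-call-when-ms-ip-not-supplied"


def parse_attributes(blob):
    """Split a RADIUS attribute block into (type, value) pairs.

    Each length octet is checked against the buffer before it is used, so a
    reply whose length overruns the packet is rejected instead of over-read.
    """
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("attribute length %d out of range" % alen)
        attrs.append((atype, bytes(blob[i + 2:i + alen])))
        i += alen
    return attrs


def framed_ip_address(blob):
    """Return the Framed-IP-Address from the reply, or None if absent."""
    for atype, value in parse_attributes(blob):
        if atype == FRAMED_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("Framed-IP-Address must be 4 octets")
            return ipaddress.IPv4Address(value)
    return None


def call_decision(blob, ms_address, policy=REJECT):
    """Return ("accept", address-or-None) or ("reject", reason)."""
    if policy not in (REJECT, ACCEPT):
        raise ValueError("unknown 255.255.255.255-policy: %r" % policy)
    server = framed_ip_address(blob)
    if server is not None and server not in (USER_SELECTS, NAS_SELECTS):
        return ("accept", str(server))       # server assigned a concrete address
    if server == USER_SELECTS and ms_address:
        return ("accept", str(ipaddress.IPv4Address(ms_address)))
    if server == USER_SELECTS and policy == REJECT:
        return ("reject", "Framed-IP-Address 255.255.255.255 and MS supplied no address")
    # Accept policy, no Framed-IP-Address, or 255.255.255.254: the gateway
    # chooses the address; the page does not say how (assumption).
    return ("accept", None)


def attribute(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, 2 + len(value)]) + value


# Constructed Access-Accept attribute blocks (not captured traffic).
REPLY_USER_SELECTS = (attribute(FRAMED_IP_ADDRESS, USER_SELECTS.packed)
                      + attribute(FRAMED_MTU, (1500).to_bytes(4, "big")))
REPLY_FIXED = attribute(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("203.0.113.7").packed)

if __name__ == "__main__":
    print(call_decision(REPLY_USER_SELECTS, None))            # rejected by default
    print(call_decision(REPLY_USER_SELECTS, None, ACCEPT))    # accepted, address open
    print(call_decision(REPLY_USER_SELECTS, "10.1.2.3"))      # MS-chosen address
    print(call_decision(REPLY_FIXED, "10.1.2.3"))             # server address wins
```

The length check in parse_attributes() is the part to keep when adapting this: a RADIUS reply is attacker-influenced input if the server or the path to it is not trusted, and an unchecked length octet is the classic way an attribute parser over-reads.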
 
rohc-profile-name
Identifies the RoHC profile configuration to be applied to bearer sessions belonging to this subscriber.
Product
HSGW,PDSN
Privilege
Administrator
Syntax
rohc-profile-name name
name
Specifies the name of the RoHC profile this subscriber will use to apply header compression and decompression parameters to bearer session data. name must be an existing RoHC profile and be from 1 to 63 alpha and/or numeric characters.
Usage
Use this command to specify a RoHC configuration profile to be applied to bearer sessions belonging to this subscriber. RoHC profiles are configured through the Global Configuration Mode using the rohc-profile command.
Example
The following command specifies that the RoHC profile named rohc-cfg1 is to be applied to all bearer sessions belonging to this subscriber:
rohc-profile-name rohc-cfg1
 
secondary ip pool
This command specifies a secondary IP pool to be used as backup pool for NAT.
Important: This command is license dependent, requiring the 600-00-7871 NAT Bypass license. Please contact your local sales representative for more information.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
secondary ip pool pool_name
no secondary ip pool
no
Removes the previous secondary IP pool configuration.
pool_name
Specifies the secondary IP pool name.
pool_name must be an alpha and/or numeric string of 1 through 31 characters in length.
Usage
Use this command to configure a secondary IP pool for NAT subscribers, which is not overwritten by the RADIUS supplied list. The secondary pool configured will be appended to the RADIUS supplied IP pool list / subscriber template provided IP pool list whichever is applicable during call setup.
Example
The following command configures a secondary IP pool named test123:
secondary ip pool test123
 
simultaneous
Enables/disables the simultaneous use of both Mobile and Simple IP services.
Product
PDSN, FA, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] simultaneous simple-and-mobile-ip
no
Disables the simultaneous use.
Usage
Subscribers with mobile devices supporting mobile and simple IP services concurrently require this option to be set.
Example
no simultaneous simple-and-mobile-ip
simultaneous simple-and-mobile-ip
 
timeout
Configures the subscriber session timeouts.
Product
All
Privilege
Security Administrator, Administrator
Syntax
timeout { absolute | idle } seconds
no timeout [ absolute | idle ]
absolute
Default: 0
The absolute maximum time a session may exist in any state (active or dormant).
idle
Default: 0
The maximum period of inactivity, in seconds, after which the system automatically terminates the session.
seconds
Specifies the maximum amount of time, in seconds, before the specified timeout action is activated. seconds must be a value in the range from 0 through 4294967295.
The special value 0 disables the timeout specified.
no
Indicates the timeout specified is to be returned to its default behavior. If no specific timeout is specified then all are set to their default behavior.
Usage
Reduce the idle timeout to free session resources faster for use by new requests.
Example
timeout absolute 1800
no timeout
 
timeout idle-time
Configures the idle timeout timer for the subscriber session.
Product
All
Privilege
Security Administrator, Administrator
Syntax
timeout idle-time idle_timeout
no timeout idle-time
idle_timeout
Default: 0
Designates the maximum idle duration of the session, in seconds, after which the system disconnects the subscriber.
idle_timeout must be a value in the range from 0 through 4294967295.
The special value 0 disables the timeout specified.
no
Indicates the timeout specified is to be returned to its default behavior. If no specific timeout is specified then all are set to their default behavior.
Usage
Use this command to set the idle time after which the call has to be disconnected.
Example
The following command sets the idle timeout duration to 450 seconds:
timeout idle-time 450
 
timeout long-duration
Configures the long duration timeout and optionally the inactivity duration of HA subscriber session.
Product
All
Privilege
Security Administrator, Administrator
Syntax
timeout long-duration ldt_timeout [ inactivity-time inact_timeout ]
[ no | default ] timeout long-duration
no
Indicates the timeout specified is to be returned to its default behavior. If no specific timeout is specified then all are set to their default behavior.
long-duration ldt_timeout
Default: 0
Designates the maximum duration of the session, in seconds, before the system automatically reports/terminates the session.
ldt_timeout must be a value in the range from 0 through 4294967295.
The special value 0 disables the timer.
inactivity-time inact_timeout
Specifies the maximum amount of time, in seconds, before the specified session is marked as dormant.
inact_timeout must be a value in the range from 0 through 4294967295.
The special value 0 disables the inactivity time specified.
Usage
Use this command to set the long duration timeout period and inactivity timer for subscriber sessions. Reduce the idle timeout to free session resources faster for use by new requests.
Refer to the long-duration-action detection and long-duration-action disconnection section for more information.
Example
The following command sets the long duration timeout to 300 seconds and the inactivity timer for the subscriber session to 45 seconds:
timeout long-duration 300 inactivity-time 45
 
tunnel address-policy
This command specifies the policy for address allocation and validation for all tunneled calls (IP-IP, IP-GRE) except L2TP calls. This means that GGSN IP address validation could be disabled for specified incoming calls.
For GGSN systems, this command can also be specified in the APN Configuration mode (tunnel address-policy) which would mean the system defers to the old l3-to-l2-tunnel address policy command for calls coming through L2TP tunnels.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
tunnel address-policy { alloc-only | alloc-validate | no-alloc-validate }
default tunnel address-policy
alloc-only
IP addresses are allocated locally and no validation is done.
alloc-validate
Default.
The VPN Manager allocates and validates all incoming IP addresses from a static pool of IP addresses.
no-alloc-validate
No IP address assignment or validation is done for calls coming in via L3 tunnels. Incoming static IP addresses are passed. This allows for the greatest flexibility.
default
Resets the tunnel address-policy to alloc-validate.
Usage
This command supports scalable solutions for Corporate APN deployment as many corporations handle their own IP address assignment. In some cases this is done to relieve the customer or the mobile operators from the necessity of reconfiguring the range of IP addresses for the IP pools at the GGSN.
Example
Use the following command to reset the IP address validation policy to validate against a static pool of addresses:
default tunnel address-policy
Use the following command to disable all IP address validation for calls coming through tunnels:
tunnel address-policy no-alloc-validate
 
tunnel gre
Configures Generic Routing Encapsulation (GRE) tunnel parameters for the current subscriber.
Product
PDSN, GGSN, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
tunnel gre peer-address peer_address local-address local_addr
no tunnel gre peer-address peer_address
peer-address peer_address
Specifies the IP address of the external gateway terminating the GRE tunnel.
local-address local_addr
Specifies the IP address of the interface in the destination context originating the GRE tunnel.
no
Disables GRE tunneling for the current subscriber.
Usage
Subscriber IP payloads are encapsulated with IP/GRE headers and tunneled by the AGW to an external gateway.
Example
The following command configures the system to encapsulate subscriber traffic using GRE and tunnel it from a local address of 192.168.1.100 to a gateway with an IP address of 192.168.1.225:
tunnel gre peer-address 192.168.1.225 local-address 192.168.1.100
 
tunnel ipip
Configures IP-in-IP tunnelling parameters for the current subscriber.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
tunnel ipip peer-address peer_address local-address local_addr
no tunnel ipip
peer-address peer_address
Specifies the IP address of the external gateway terminating the IP-in-IP tunnel.
local-address local_addr
Specifies the IP address of the interface in the destination context originating the IP-in-IP tunnel.
no
Disables IP-in-IP tunneling for the current subscriber.
Usage
Subscriber IP payloads are encapsulated with IP-in-IP headers and tunneled by the GGSN or PDSN to an external gateway.
Example
The following command configures the system to encapsulate subscriber traffic using IP-in-IP and tunnel it from a local address of 192.168.1.100 to a gateway with an IP address of 192.168.1.225:
tunnel ipip peer-address 192.168.1.225 local-address 192.168.1.100
 
tunnel ipsec
Configures sessions for the current subscriber to use an IPSec tunnel based on the IP pool corresponding to the subscriber's assigned IP address.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
tunnel ipsec use-policy-matching-ip-pooler-address
no tunnel ipsec [ use-policy-matching-ip-pooler-address ]
no
Disables the use of the IPSec policy that matches the IP pool to which the assigned IP address belongs.
Usage
Use this command to set the current subscriber's sessions to use the IPSec policy assigned to the IP pool to which the subscriber's assigned IP address belongs.
Example
The following command enables the use of the policy that matches the IP pool address:
tunnel ipsec use-policy-matching-ip-pooler-address
 
tunnel l2tp
Configures the L2TP tunnel for the subscriber.
Product
L2TP
Privilege
Security Administrator, Administrator
Syntax
tunnel l2tp [ peer-address ip_address [ [ encrypted ] secret secret ] [ preference number ] [ tunnel-context context ] [ local-address ip_address ] [ crypto-map map_name { [ encrypted ] isakmp-secret secret } ] ]
no tunnel l2tp [ peer-address ip_address ]
peer-address ip_address
A peer L2TP Network Server (LNS) associated with this LAC (L2TP Access Concentrator). ip_address must be an IP address in IPv4/IPv6 format.
[ encrypted ] secret secret
The shared key (secret) between this LAC (L2TP Access Concentrator) and the L2TP Network Server (LNS). secret must be between 1 and 63 alpha and/or numeric characters and is case sensitive.
encrypted: The encrypted form of the shared key between this LAC and the LNS. secret must be between 1 and 128 alpha and/or numeric characters and is case sensitive.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret. Only the encrypted secret is saved as part of the configuration file.
preference number
Default: 1
The order in which a group of tunnels configured for this subscriber will be tried. number must be an integer between 1 and 65535.
tunnel-context context
The name of the context containing ports through which this subscriber’s data traffic is to be communicated between this LAC and the LNS. context must be between 1 and 79 alpha and/or numeric characters.
local-address ip_address
A LAC service bind address which is given as a hint used to select a particular LAC service. ip_address must be an IP address in IPv4/IPv6 format.
crypto-map map_name { [encrypted] isakmp-secret secret }
map_name is the name of a crypto map that has been configured in the current context. map_name must be a string from 1 to 127 alphanumeric characters.
isakmp-secret secret: The pre-shared key for IKE. secret must be a string from 1 to 127 alphanumeric characters.
encrypted isakmp-secret secret: The pre-shared key for IKE. Encryption must be used when sending the key. secret must be a string from 1 to 127 alphanumeric characters.
no
Disables tunneling for the current subscriber. When peer-address is included, the tunneling for that specific L2TP Network Server (LNS) is disabled but tunneling to other configured LNSs is still enabled.
Usage
Use this command to configure specific L2TP tunneling parameters for the current subscriber.
Example
To specify L2TP tunneling to the LNS peer at IP address 198.162.10.100 with a shared secret of bigco and a preference of 1, enter the following command:
tunnel l2tp peer-address 198.162.10.100 secret bigco preference 1
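The following Python audit is an added example, not part of the Cisco reference, that reviews a subscriber profile script for two conditions described in the timeout and tunnel l2tp sections above: an L2TP secret or isakmp-secret that is not preceded by the encrypted flag (a plain-text key kept in an operator-maintained script), and a timeout timer left at the special value 0 (timer disabled, so idle or long-lived sessions are never reaped). The profile text, peer addresses and key values are constructed for the example; the line-parsing rules follow the syntax blocks above.

```python
from typing import List, Tuple

# Constructed sample of a StarOS-style subscriber profile script (hypothetical
# peers and keys, not an export from a real device). It mixes good and bad lines.
SAMPLE_CONFIG = """\
subscriber name corp-user
  tunnel l2tp peer-address 198.162.10.100 secret bigco preference 1
  tunnel l2tp peer-address 198.162.10.101 encrypted secret 0a1b2c3d preference 2 tunnel-context egress
  tunnel l2tp peer-address 198.162.10.102 preference 3 crypto-map corp-map isakmp-secret hunter2
  tunnel l2tp peer-address 198.162.10.103 preference 4 crypto-map corp-map encrypted isakmp-secret 9f8e7d6c
  timeout idle 0
  timeout absolute 1800
  timeout long-duration 0 inactivity-time 45
"""

SECRET_KEYWORDS = {"secret", "isakmp-secret"}
# Timers whose value 0 means "disabled" according to the timeout command reference.
TIMER_KEYWORDS = {"absolute", "idle", "idle-time", "long-duration", "inactivity-time"}


def audit_subscriber_config(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for a subscriber profile script."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["tunnel", "l2tp"]:
            peer = "?"
            if "peer-address" in tokens:
                idx = tokens.index("peer-address")
                if idx + 1 < len(tokens):
                    peer = tokens[idx + 1]
            for i, tok in enumerate(tokens):
                # The 'encrypted' flag, when present, sits immediately before the keyword.
                if tok in SECRET_KEYWORDS and (i == 0 or tokens[i - 1] != "encrypted"):
                    findings.append((lineno, f"plaintext {tok} for LNS peer {peer}"))
        elif tokens[0] == "timeout":
            # Walk keyword/value pairs: timeout <timer> <seconds> [inactivity-time <seconds>]
            for i, tok in enumerate(tokens[1:-1], start=1):
                if tok in TIMER_KEYWORDS and tokens[i + 1] == "0":
                    findings.append((lineno, f"timeout {tok} is 0 (timer disabled)"))
        elif tokens[:2] == ["no", "timeout"]:
            # 'no timeout' restores the default, which is 0 for every timer listed above.
            findings.append((lineno, "no timeout restores default 0 (timers disabled)"))
    return findings


if __name__ == "__main__":
    for line, finding in audit_subscriber_config(SAMPLE_CONFIG):
        print(f"line {line}: {finding}")
```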
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883