Context Configuration Mode Commands


The Context Configuration Mode is used to create and manage the contexts within the system. Contexts facilitate management of subscribers and services within a system.
 
 
aaa accounting
This command enables/disables accounting for subscribers and context-level administrative users for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
aaa accounting { administrator radius-diameter | subscriber [ radius-diameter ] }
default aaa accounting { administrator | subscriber }
no aaa accounting { administrator | subscriber } [ radius-diameter ]
default
Configures the default setting.
Default: RADIUS
no
Disables AAA accounting per the options specified.
administrator | subscriber
administrator: Enables/disables AAA accounting for context-level administrative users.
subscriber: Enables/disables AAA accounting for subscribers.
radius-diameter
Enables/disables RADIUS or Diameter accounting for administrator(s)/subscribers as specified.
Usage
Use this command to enable/disable accounting for subscribers and context-level administrative users for the current context.
To enable or disable accounting for individual local subscriber configurations refer to the accounting-mode command in the Subscriber Configuration Mode Commands chapter.
Important: The accounting parameters in the APN Configuration Mode take precedence over this command for subscriber sessions. Therefore, if accounting is disabled using this command but enabled within the APN configuration, accounting is performed for subscriber sessions.
Example
The following command disables AAA accounting for context-level administrative users:
no aaa accounting administrator
The following command enables AAA accounting for context-level administrative users:
aaa accounting administrator radius-diameter
 
aaa authentication
This command enables/disables authentication for subscribers and context-level administrative users for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] aaa authentication { administrator | subscriber } { local | none | radius-diameter }
default aaa authentication { administrator | subscriber }
default
Configures the default setting.
administrator: Configures default administrator authentication (local+RADIUS).
subscriber: Configures AAA authentication for subscriber(s). This sets the default value, which is RADIUS.
no
Disables AAA authentication for administrator(s)/subscribers as specified.
local: Disables local authentication for current context.
radius-diameter: Disables RADIUS or Diameter-based authentication.
administrator | subscriber
administrator: Enables/disables authentication for administrative users.
subscriber: Enables/disables authentication for subscribers.
local | none | radius-diameter
Enables AAA authentication for administrator(s)/subscribers as specified.
local: Enables local authentication for current context.
none: Disables authentication for current context.
radius-diameter: Enables RADIUS or Diameter-based authentication.
Usage
Use this command to enable/disable AAA authentication during specific maintenance activities or during test periods. The authentication can then be enabled again for the entire context as needed.
Example
The following command disables RADIUS or Diameter-based authentication for subscribers for the current context:
no aaa authentication subscriber radius-diameter
The following command enables RADIUS or Diameter-based authentication for subscribers for the current context:
aaa authentication subscriber radius-diameter
 
aaa constructed-nai
Configures the password used during authentication for sessions using a constructed network access identifier (NAI) or an APN-specified user name.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
aaa constructed-nai authentication [ [ encrypted ] password user_password | use-shared-secret-password ]
no aaa constructed-nai authentication
no
Disables authentication based upon the constructed network access identifier.
[ [ encrypted ] password user_password ]
encrypted: Specifies that the specified password is an encrypted password.
password user_password: Configures an authentication user-password for the NAI-constructed user. user_password must be an alpha and/or numeric string of 0 through 63 characters in length.
use-shared-secret-password
Specifies using RADIUS shared secret as the password.
Default: No Password
Usage
This command is used to configure passwords for user sessions that utilize a constructed NAI assigned via a PDSN service or a user name assigned via the APN configuration.
For simple IP sessions facilitated by PDSN services in which the authentication allow-noauth and aaa constructed-nai commands are configured, this command provides a password used for the duration of the session.
For PDP contexts using an APN in which the outbound user name is configured with no password, this command is used to provide the password. Additionally, this command is also used to provide a password for situations in which an outbound username and password are configured and the authentication imsi-auth command has been specified.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
If a password is configured with this keyword, then the specified password is used. Otherwise, an empty user-password attribute is sent.
Note that this configuration works in a different way for GGSN services. If a password is configured with this keyword for GGSN service, the specified password is used. Otherwise, if an outbound password is configured, that password is used. If no outbound password is configured, the RADIUS server secret is used as the user-password string to compute the user-password RADIUS attribute.
The NAI-construction consists of the subscriber’s MSID, a separator character, and a domain. The domain that is used is either the domain name supplied as part of the subscriber’s user name or a domain alias.
Important: The domain alias can be set with the nai-construction domain command in the PDSN Service Configuration mode, or the aaa default-domain subscriber command in the Global Configuration mode for other core network services.
The domain alias is determined according to the following rules:
If the domain alias is set by nai-construction domain, that value is always used and the aaa default-domain subscriber value is disregarded, if set. The NAI is of the form <msid><symbol><nai-construction domain>.
If the domain alias is not set by nai-construction domain, and the domain alias is set by aaa default-domain subscriber, the aaa default-domain subscriber value is used. The NAI is of the form <msid><symbol><aaa default-domain subscriber>.
If the domain alias is not set by nai-construction domain or aaa default-domain subscriber, the domain name alias is the name of the source context for the PDSN service. The NAI is of the form <msid><symbol><source context of PDSN Service>.
The special separator character can be one of the following six: @, -, %, \, -, /
The subscriber’s MSID is constructed in one of the formats displayed in the following figure.
 
Example
aaa constructed-nai authentication
aaa constructed-nai authentication use-shared-secret-password
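The domain alias precedence and the password selection described in the Usage text above can be checked with a small model. This is an added example, not code from the original page or from the product; the function names, the sample MSID and the sample domains are assumptions made for illustration.

```python
"""Model of the constructed-NAI rules described above (illustrative only)."""

# Separator characters listed in the text above.
SEPARATORS = ("@", "-", "%", "\\", "/")


def domain_alias(nai_construction_domain=None, aaa_default_domain=None,
                 source_context=None):
    """Apply the three precedence rules for the domain alias."""
    if nai_construction_domain:      # rule 1: always used when set
        return nai_construction_domain
    if aaa_default_domain:           # rule 2: used only when rule 1 does not apply
        return aaa_default_domain
    if source_context:               # rule 3: source context of the PDSN service
        return source_context
    raise ValueError("no domain alias and no source context supplied")


def construct_nai(msid, separator, **alias_settings):
    """Build <msid><symbol><domain alias>; the MSID is taken as already formatted."""
    if separator not in SEPARATORS:
        raise ValueError(f"unsupported separator: {separator!r}")
    return f"{msid}{separator}{domain_alias(**alias_settings)}"


def user_password(service, constructed_nai_password=None,
                  outbound_password=None, radius_secret=None):
    """Return the string the text says is used for the user-password attribute.

    service is "pdsn" or "ggsn" (labels chosen for this example).
    """
    if constructed_nai_password is not None:
        return constructed_nai_password   # configured with this command
    if service == "ggsn":
        if outbound_password is not None:
            return outbound_password      # APN outbound password
        return radius_secret              # falls back to the RADIUS server secret
    return ""                             # PDSN: empty user-password attribute


if __name__ == "__main__":
    msid = "0000012345"                   # constructed sample MSID
    print(construct_nai(msid, "@", nai_construction_domain="a.example",
                        aaa_default_domain="b.example", source_context="ingress"))
    print(construct_nai(msid, "%", source_context="ingress"))
    print(repr(user_password("pdsn")))
    print(user_password("ggsn", radius_secret="constructed-secret"))
```

On a GGSN with neither password configured, the model returns the RADIUS server secret, which is the case to look for when reviewing what the gateway sends as user credentials.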
 
aaa filter-id rulebase mapping
This command configures the system to use the value of the Filter-Id AVP as the ACS rulebase name.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
[ no | default ] aaa filter-id rulebase mapping
no
Disables the mapping of Filter-Id AVP and ACS rulebase name.
default
Configures the default setting.
Default: Disabled; same as no aaa filter-id rulebase mapping
Usage
Use this command to enable mapping of the Filter-Id attribute value returned during RADIUS authentication to the ACS rulebase name.
This feature gives the operator the flexibility to transition from multi-charging-service support for postpaid and prepaid subscribers, implemented through Access Control Lists (ACLs) entered in AAA profiles on the RADIUS server, to a single-charging-service system based on rulebase configuration for postpaid and prepaid subscribers.
This feature internally maps the received ACL to a rulebase name and configures the subscriber for postpaid or prepaid services accordingly.
When this feature is enabled and the ACS rulebase attribute is not received from RADIUS or not configured in the local default subscriber template, the system copies the filter-id attribute value to the ACS rulebase attribute.
This copying happens only if the filter-id is configured and received from the RADIUS server and the ACS rulebase is not configured in ACS or not received from RADIUS.
Example
The following command enables mapping of the Filter-Id attribute value to the ACS rulebase name:
aaa filter-id rulebase mapping
 
aaa group
This command enables creating/configuring/deleting AAA server groups in the context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
aaa group group_name [ -noconfirm ]
no aaa group group_name
no
Deletes the specified AAA group.
group_name
Specifies the AAA group’s name.
If the specified AAA group does not exist, it is created, and the prompt changes to the AAA Server Group Configuration Mode, wherein the AAA group can be configured.
If the specified AAA group already exists, the prompt changes to the AAA Server Group Configuration Mode, wherein the AAA group can be configured.
group_name must be a string of 1 through 63 characters in length.
-noconfirm
Specifies that the command must execute without any prompt and confirmation from the user.
Usage
Use this command to create/configure/delete AAA server groups within the context. Also, refer to the AAA Server Group Configuration Mode chapter.
Example
The following command creates a AAA group named test321, and enters the AAA Group Configuration Mode:
aaa group test321
 
aaa nai-policy
This command sets policies on how NAIs (Network Access Identifiers) are handled during the authentication process.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] aaa nai-policy reformat-alg-hex-0-9
default
Sets the NAI policy back to its default setting which is to remap hexadecimal digits in NAIs and accept calls with embedded 0x00 hexadecimal digits.
no
Disables remapping of hexadecimal digits in the NAI and rejects calls that have a 0x00 hexadecimal digit embedded in the NAI.
reformat-alg-hex-0-9
Default: Enabled
This keyword controls remapping of NAIs that consist only of hex digits 0x00 through 0x09 or if a 0x00 hexadecimal digit is embedded in the NAI.
By default, the system remaps NAIs that consist solely of characters 0x00 through 0x09 to their ASCII equivalent. For example, 0x00 0x01 0x2 0x03 will get remapped to 123.
Also by default, the system accepts an NAI containing one or more 0x00 characters within the NAI, ignoring all characters after the first 0x00.
When this keyword is disabled NAIs are processed as follows:
Usage
Use this command to disable or re-enable remapping of hexadecimal digits in the NAI.
Example
The following command disables the remapping of hexadecimal digits in the NAI:
no aaa nai-policy reformat-alg-hex-0-9
 
access-list undefined
Configures the behavior of access control for the current context when an undefined access control list is specified.
Product
All
Privilege
Security Administrator, Administrator
Syntax
access-list undefined { deny-all | permit-all }
no access-list undefined
no
Disables handling undefined access lists.
deny-all | permit-all
Specifies the handling of packets when an undefined access control list is specified.
deny-all: Specifies all packets will be dropped.
permit-all: Specifies all packets will be forwarded.
Usage
Use this command to specify the default behavior when an access control list specified does not exist.
When the security policies require strict access control the deny-all handling should be configured.
Example
The following command sets the packet handling to ignore (drop) all packets when an undefined ACL is specified.
access-list undefined deny-all
 
administrator
This command configures a user with security administrator privileges in the current context.
Product
All
Privilege
Security Administrator
Syntax
administrator user_name [ encrypted ] password password | [ ecs ] [ expiry-date date_time ] [ ftp ] [ li-administration ] [ nocli ] [ noecs ] [ timeout-absolute timeout_absolute ] [ timeout-min-absolute timeout_min_absolute ] [ timeout-idle timeout_idle ] [ timeout-min-idle timeout_min_idle ]
no administrator user_name
no
Removes security administrator privileges for the specified user name.
user_name
Specifies the user name for which security administrator privileges must be enabled in the current context. user_name must be an alpha and/or numeric string of 1 through 32 characters in length.
[ encrypted ] password password
Specifies the password for the user name. The optional encrypted keyword indicates that the password is given in its encrypted form.
Without encryption, password must be an alpha and/or numeric string of 1 through 63 characters in length. With encryption, password can be an alpha and/or numeric string of 1 through 127 characters in length.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
ecs
Permits the user to use ACS-specific configuration commands.
Default: Permitted.
expiry-date date_time
Specifies the date and time that this login account expires.
Enter the date and time in the YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss format, where YYYY is the year, MM is the month, DD is the day of the month, HH is the hour, mm is minutes, and ss is seconds.
ftp
Permits the user to use FTP and SFTP.
Default: Not permitted.
li-administration
Permits the user to execute Lawful Intercept commands.
Important: Users who have Lawful Intercept privileges are only given those privileges when connected to the system through a Secure Shell (SSH). If this user connects through a Telnet session or through the console port, Lawful Intercept privileges are not enabled.
nocli
Default: Permitted.
Prevents the user from using the command line interface.
noecs
Prevents the user from accessing ACS-specific commands.
timeout-absolute timeout_absolute
Specifies the maximum time, in seconds, the security administrator may have a session active before the session is forcibly terminated. timeout_absolute must be an integer from 0 through 300000000.
The value 0 disables this timeout configuration.
Default: 0
timeout-min-absolute timeout_min_absolute
Specifies the maximum time, in minutes, the security administrator may have a session active before the session is forcibly terminated. timeout_min_absolute must be an integer from 0 through 525600 (365 days).
The value 0 disables this timeout configuration.
Default: 0
timeout-idle timeout_idle
Specifies the maximum time, in seconds, the security administrator's session may remain idle before the session is terminated. timeout_idle must be an integer from 0 through 300000000.
The value 0 disables the idle timeout configuration.
Default: 0
timeout-min-idle timeout_min_idle
Specifies the maximum time, in minutes, the security administrator's session may remain idle before the session is terminated. timeout_min_idle must be an integer from 0 through 525600 (365 days).
The value 0 disables the idle timeout configuration.
Default: 0
Usage
Use this command to create new security administrators or modify an existing user’s settings.
Security Administrator users have read-write privileges and full access to all contexts and command modes. Refer to the Command Line Interface Overview chapter for more information.
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
Example
The following command creates a security administrator named user1 with access to ACS configuration commands:
administrator user1 password secretPassword
The following removes the security administrator account named user1:
no administrator user1
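The settings described in the aaa accounting, aaa authentication, access-list undefined and administrator sections above can be reviewed mechanically in a saved context configuration. The following audit script is an added example, not part of the original page or of the product; the rule labels and sample lines are constructed, the encrypted password values are placeholders, and config-administrator (documented later on this page) is treated as taking the same options.

```python
"""Audit Context Configuration Mode lines for weak settings named on this page."""

ACCOUNT_CMDS = ("administrator", "config-administrator")
IDLE_KEYS = ("timeout-idle", "timeout-min-idle")
ABS_KEYS = ("timeout-absolute", "timeout-min-absolute")

# Constructed sample input; the encrypted password values are placeholders.
SAMPLE_CONTEXT = """\
aaa authentication subscriber none
no aaa accounting administrator
aaa accounting subscriber radius-diameter
access-list undefined permit-all
administrator user1 password secretPassword ftp timeout-idle 0
administrator user2 encrypted password PLACEHOLDER1 timeout-min-idle 15 timeout-min-absolute 480
config-administrator ops1 encrypted password PLACEHOLDER2 li-administration
no apn isp1 -noconfirm
"""


def audit_account(tokens):
    """Return rule labels (names chosen for this example) for one account line."""
    if "password" not in tokens:
        return []
    hits = []
    pw = tokens.index("password")
    if tokens[pw - 1] != "encrypted":
        hits.append("PLAINTEXT_PASSWORD")   # cleartext secret stored in a script
    opts = tokens[pw + 2:]                   # options after the password value
    timeouts = {}
    for i, opt in enumerate(opts[:-1]):
        if opt in IDLE_KEYS + ABS_KEYS and opts[i + 1].isdigit():
            timeouts[opt] = int(opts[i + 1])
    if "ftp" in opts:
        hits.append("FTP_ENABLED")           # default is not permitted
    if "li-administration" in opts:
        hits.append("LI_PRIVILEGE")          # review who holds this privilege
    # Both timeout families default to 0, which disables them.
    if not any(timeouts.get(k, 0) > 0 for k in IDLE_KEYS):
        hits.append("NO_IDLE_TIMEOUT")
    if not any(timeouts.get(k, 0) > 0 for k in ABS_KEYS):
        hits.append("NO_ABSOLUTE_TIMEOUT")
    return hits


def audit_context(text):
    """Return a list of (line_number, rule_label) findings for the given lines."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        negated = tokens[0] == "no"
        cmd = tokens[1:] if negated else tokens
        rules = []
        if cmd[:2] == ["aaa", "authentication"]:
            if negated:
                rules.append("AUTH_METHOD_DISABLED")
            elif cmd[-1] == "none":
                rules.append("AUTH_NONE")
        elif cmd[:2] == ["aaa", "accounting"] and negated:
            rules.append("ACCOUNTING_DISABLED")
        elif cmd[:3] == ["access-list", "undefined", "permit-all"] and not negated:
            rules.append("UNDEFINED_ACL_PERMITS_ALL")
        elif cmd and cmd[0] in ACCOUNT_CMDS and not negated:
            rules.extend(audit_account(cmd))
        if negated and "-noconfirm" in cmd:
            rules.append("DELETE_WITHOUT_CONFIRM")   # destructive, no prompt
        findings.extend((lineno, rule) for rule in rules)
    return findings


if __name__ == "__main__":
    for lineno, rule in audit_context(SAMPLE_CONTEXT):
        print(f"line {lineno}: {rule}")
```

An ACCOUNTING_DISABLED finding for subscribers still needs a look at the APN configuration, since the accounting parameters there take precedence for subscriber sessions.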
 
apn
Creates/deletes Access Point Name (APN) templates and enters the APN configuration mode within the current context.
Product
GGSN, P-GW
Privilege
Security Administrator, Administrator
Syntax
apn apn_name [ -noconfirm ]
no apn apn_name [ -noconfirm ]
no
Deletes a previously configured APN template.
apn_name
Specifies a name for the APN template.
apn_name can be from 1 to 62 alpha and/or numeric characters and is not case sensitive. It may also contain dots (.) and/or dashes (-).
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Warning: If this keyword option is used with the no apn apn_name command, the APN named apn_name is deleted along with all active/inactive subscribers, without any warning or confirmation prompt.
Usage
This command creates an APN within the system and causes the CLI to enter the APN configuration mode.
The APN is a logical name for a packet data network and/or a service to which the system supports access. When a create PDP context request is received by the system, it examines the APN information element within the packet. The system determines if an APN with the identical name is configured. If so, the system uses the configuration parameters associated with that APN as a template for processing the request. If the names do not match, the request is rejected with a cause code of 219 (DBH, Missing or unknown APN).
APN templates should be created/configured within destination contexts on the system. Up to 1000 APNs can be configured.
Example
The following command creates an APN template called isp1:
apn isp1
 
asn-qos-descriptor
Creates/deletes/manages the Quality of Service (QoS) descriptor table identifier for Access Service Node Gateway (ASN-GW) service and enters the ASN QoS Descriptor Table Identifier Configuration mode within the source context.
Product
ASN-GW
Privilege
Security Administrator, Administrator
Syntax
asn-qos-descriptor id qos_table_id [ default ] dscp [ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef ] [ -noconfirm ]
no asn-qos-descriptor id qos_table_id [ default ] dscp [ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef ] [ -noconfirm ]
no
Deletes a previously configured ASN QoS descriptor table identifier.
qos_table_id
Specifies a unique identifier for the ASN QoS descriptor table to create/configure.
qos_table_id must be an integer between 1 and 65535.
[ default ] dscp
Specifies DSCP marking for this QoS descriptor.
[ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef ]
The DSCP marking for this QoS descriptor. Default value is be (best effort).
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Warning: If this keyword option is used with the no asn-qos-descriptor id qos_table_id command, the ASN QoS descriptor table with identifier qos_table_id is deleted along with all active/inactive configurations, without any warning or confirmation prompt.
Usage
Use this command to configure a QoS description table to manage QoS functionality for an ASN-GW service subscriber. This command creates and allows the configuration of QoS tables within a context. This command is also used to remove a previously configured ASN-GW service QoS descriptor table.
A maximum of 16 QoS Descriptor Tables can be configured per system.
Refer to the ASN QoS Descriptor Configuration Mode chapter of this reference for additional information.
Example
The following command creates a QoS descriptor table with identifier 1234 for the ASN-GW service subscribers:
asn-qos-descriptor id 1234
 
asn-service-profile
Creates/deletes/manages the Service Profiles Identifier for Access Service Node Gateway (ASN-GW) service subscribers and enters the ASN Service Profile Configuration mode within the current context.
Product
ASN-GW
Privilege
Administrator
Syntax
asn-service-profile id asn_profile_id direction { bi-directional | downlink | uplink } [ -noconfirm ]
no asn-service-profile id asn_profile_id [ -noconfirm ]
no
Deletes a previously configured ASN service profile identifier.
qos_table_id
Specifies a unique identifier for the ASN QoS descriptor table to create/configure.
qos_table_id must be an integer between 1 and 65535.
direction { bi-directional | downlink | uplink }
Specifies the direction of data traffic to apply this service profile.
bi-directional: This keyword enables this service profile in both the uplink and downlink directions.
downlink: This keyword enables this service profile in the downlink direction, towards the subscriber.
uplink: This keyword enables this service profile in the uplink direction, towards the system.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Warning: If this keyword option is used with the no asn-service-profile id asn_profile_id command, the ASN service profile with identifier asn_profile_id is deleted along with all active/inactive configurations, without any warning or confirmation prompt.
Usage
Use this command to configure a service profile to apply to ASN-GW service subscribers. This command creates and allows the configuration of service profiles within a context. This command is also used to remove previously configured ASN-GW service profiles.
A maximum of 32 ASN Service Profiles can be configured per context.
Refer to the ASN Service Profile Configuration Mode chapter of this reference for additional information.
Example
The following command creates an ASN Service Profile with identifier 1234 for the ASN-GW service subscribers:
asn-service-profile id 1234 direction uplink
 
asngw-service
Creates/deletes/manages an Access Service Node Gateway (ASN-GW) service and enters the ASN Gateway service configuration mode within the current context.
Product
ASN-GW
Privilege
Security Administrator, Administrator
Syntax
asngw-service asngw_name [ -noconfirm ]
no asn-service asngw_name [ -noconfirm ]
no
Deletes a previously configured ASN-GW service.
asngw_name
Specifies the name of the ASN-GW service to create/configure.
asngw_name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Warning: If this keyword option is used with the no asn-service asngw_name command, the ASN-GW service named asngw_name is deleted along with all active/inactive subscribers, without any warning or confirmation prompt.
Usage
Services are configured within a context and enable certain functionality. This command creates and allows the configuration of services enabling the system to function as an ASN Gateway in a WiMAX network. This command is also used to remove previously configured ASN-GW services.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Refer to the ASN Gateway Service Configuration Mode chapter of this reference for additional information.
Example
The following command creates an ASN-GW service named asn-gw1:
asngw-service asn-gw1
 
asnpc-service
This command creates/deletes/manages an ASN Paging Controller service and enters the ASN Paging Controller Configuration mode within the current context.
Product
ASN-GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] asnpc-service asn_pc_svc_name [ -noconfirm ]
no
Deletes a previously configured ASN paging controller service.
asn_pc_svc_name
Specifies the name of the ASN Paging Controller Service to create and enable.
asn_pc_svc_name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Warning: If this keyword option is used with the no asnpc-service asn_pc_svc_name command, the ASN Paging Controller service named asn_pc_svc_name is deleted and disabled, along with all active/inactive paging groups and paging agents configured in the context for the ASN paging controller service, without any warning or confirmation prompt.
Usage
Use this command to create and enable ASN paging controller services in the system, providing the functionality of an ASN Paging Controller service within a context. This command also provides access to the ASN Paging Controller Service Configuration mode and is used to remove previously configured ASN Paging Controller services.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Refer to the ASN Paging Controller Service Configuration Mode chapter of this reference for additional information.
Example
The following command creates an ASN paging controller service named asnpc_1:
asnpc-service asnpc_1
 
bmsc-profile
Creates/deletes Broadcast Multicast Service Center (BM-SC) profiles and enters the BMSC Profile configuration mode within the current context.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
bmsc-profile name bmsc_profile_name [ -noconfirm ]
no bmsc-profile name bmsc_profile_name [ -noconfirm ]
no
Deletes a previously configured BM-SC profile.
bmsc_profile_name
Specifies a name for the BM-SC profile.
bmsc_profile_name can be from 1 to 62 alpha and/or numeric characters and is not case sensitive. It may also contain dots (.) and/or dashes (-).
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Warning: If this keyword option is used with the no bmsc-profile name bmsc_profile_name command, the BM-SC profile named bmsc_profile_name is deleted along with all active/inactive subscribers, without any warning or confirmation prompt.
Usage
This command creates a BM-SC profile within the context and places the user in the BMSC profile configuration mode.
The BM-SC profile is a logical name for a Broadcast Multicast Service Center in the Multimedia Broadcast and Multicast service.
BM-SC profiles should be created/configured within contexts on the system. Up to 4 BM-SC profiles can be configured.
Example
The following command creates a BM-SC Profile called mbms_sc_1:
bmsc-profile name mbms_sc_1
 
busyout ip pool
This command makes addresses from an IP pool in the current context unavailable once they are free.
Product
PDSN, HA, GGSN, NAT
Privilege
Security Administrator, Administrator
Syntax
busyout ip pool { all | all-dynamic | all-static | name pool_name } [ address-range start_address end_address | lower-percentage percent | upper-percentage percent ]
no busyout ip pool { all | all-dynamic | all-static | name pool_name } [ address-range start_address end_address | lower-percentage percent | upper-percentage percent ]
no
Disable the busyout command specified.
all
This command applies to all IP pools in the current context.
all-dynamic
This command applies to all dynamic IP-pools in the current context.
all-static
This command applies to all static IP pools in the current context.
name pool_name
This is the name of an IP pool or IP pool group in the current context to which this command is applied. pool_name must be the name of an existing IP pool or IP pool group in the current context.
address-range start_address end_address
Busyout all addresses from start_address through end_address.
start_address: The beginning IP address of the range of addresses to busyout. This IP address must exist in the pool specified and must be entered in IPv4 dotted decimal notation.
end_address: The ending IP address of the range of addresses to busyout. This IP address must exist in the pool specified and must be entered in IPv4 dotted decimal notation.
lower-percentage percent
Busyout the percentage of IP addresses specified, beginning at the lowest numbered IP address. This is a percentage of all of the IP addresses in the specified IP pool. percent must be an integer from 0 through 100.
upper-percentage percent
Busyout the percentage of IP addresses specified, beginning at the highest numbered IP address. This is a percentage of all of the IP addresses in the specified IP pool. percent must be an integer from 0 through 100.
Usage
Use this command to busyout IP addresses when resizing an IP pool.
Up to 32 instances of this command can be executed per context.
A single instance of this command can busy-out multiple IP address pools in the context through the use of the all, all-static, or all-dynamic keywords.
Example
Assume an IP pool named Pool10 with addresses from 192.168.100.1 through 192.168.100.254. To busy out the addresses from 192.168.100.50 through 192.168.100.100, enter the following command:
busyout ip pool name Pool10 address-range 192.168.100.50 192.168.100.100
To restore the IP addresses from the previous example and make them accessible again, enter the following command:
no busyout ip pool name Pool10 address-range 192.168.100.50 192.168.100.100
 
class-map
This command creates or deletes a Class-Map and enters the Class-Map configuration mode within the current destination context, where the match rules are configured for packet classification in flow-based traffic policing of a subscriber session flow.
Product
PDSN, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] class-map name class_name [ match-all | match-any ]
no
Deletes configured Class-Map within the context.
class_name
Specifies the name of the Class-Map rule. class_name must be from 1 to 15 alpha and/or numeric characters in length and is case sensitive.
match-all
Default: Enabled.
Enables AND logic for all matching parameters configured in the specific Class-Map to classify traffic flows/packets. All classification rules in the Class-Map must match for the Class-Map to be considered a match.
match-any
Default: Disabled.
Enables OR logic for the matching parameters configured in the specific Class-Map to classify traffic flows/packets. A match on any one of the classification rules in the Class-Map is enough for the Class-Map to be considered a match.
Usage
Use this command to enter the Class-Map configuration mode to set classification parameters or filters in a traffic policy for a subscriber session flow.
Important: In this mode, classification rules are added sequentially with the match command to form a Class-Map. To change, delete, or re-add a particular rule, the entire Class-Map must be deleted.
Example
The following command configures the classification map class_map1 with the option to match any condition in the match rules:
class-map name class_map1 match-any
 
closedrp-rp handoff
This command enables session handoff between Closed-RP and RP connections. Default: Disabled
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
closedrp-rp handoff
[ default | no ] closedrp-rp handoff
default
Resets the command to its default setting of disabled.
no
Disables Closed-RP to RP session handoff.
Usage
Use this command to enable a PDSN service to handoff sessions between Closed-RP and RP connections.
Example
To enable Closed-RP to RP handoffs, use the following command:
closedrp-rp handoff
To disable Closed-RP to RP handoffs, use the following command:
no closedrp-rp handoff
 
config-administrator
Configures a context-level administrator account within the current context.
Product
All
Privilege
Security Administrator
Syntax
config-administrator user_name [ encrypted ] password pwd [ ecs ] [ expiry-date date_time ] [ ftp ] [ li-administration ] [ nocli ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle idle_seconds ] [ timeout-min-idle idle_minutes ]
no config-administrator user_name
no
Removes a previously configured context-level administrator account.
user_name
Specifies the name for the account. user_name must be from 1 to 32 alpha and/or numeric characters.
[ encrypted ] password pwd
Specifies the password to use for the user which is being given context-level administrator privileges within the current context. The encrypted keyword indicates the password specified uses encryption.
The password specified as pwd must be from 1 to 63 alpha and/or numeric characters without encryption and must be from 1 to 127 alpha and/or numeric characters when encryption has been indicated.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
ecs
Default: ACS-specific configuration commands allowed.
Permits the specific user to access ACS-specific configuration commands.
expiry-date date_time
The date and time that this account expires. Enter the date and time in the format YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss.
Where YYYY is the year, MM is the month, DD is the day of the month, HH is the hour, mm is minutes, and ss is seconds.
ftp
Default: FTP and SFTP are not allowed.
Indicates the user gains FTP and SFTP access with the administrator privileges.
li-administration
Permits this user to execute Lawful Intercept commands.
Important: Users who have Lawful Intercept privileges are only given those privileges when connected to the system through a Secure Shell (SSH). If this user connects through a Telnet session or through the console port, Lawful Intercept privileges are not enabled.
nocli
Default: CLI access allowed.
Indicates the user is not allowed to access the command line interface.
noecs
Prevents the specific user from accessing ACS-specific configuration commands.
timeout-absolute abs_seconds
Default: 0
This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.
Specifies the maximum amount of time, in seconds, the administrator may have a session active before the session is forcibly terminated. abs_seconds must be a value in the range from 0 through 300000000.
The special value 0 disables the absolute timeout.
timeout-min-absolute abs_minutes
Default: 0
Specifies the maximum amount of time, in minutes, the context-level administrator may have a session active before the session is forcibly terminated. abs_minutes must be a value in the range from 0 through 525600 (365 days).
The special value 0 disables the absolute timeout.
timeout-idle idle_seconds
Default: 0
This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.
Specifies the maximum amount of idle time, in seconds, the context-level administrator may have a session active before the session is terminated. idle_seconds must be a value in the range from 0 through 300000000.
The special value 0 disables the idle timeout.
timeout-min-idle idle_minutes
Default: 0
Specifies the maximum amount of idle time, in minutes, the context-level administrator may have a session active before the session is terminated. idle_minutes must be a value in the range from 0 through 525600 (365 days).
The special value 0 disables the idle timeout.
Usage
Create new context-level administrators or modify existing administrators' options, in particular the timeout values.
Administrator users have read-write privileges and full access to all contexts and command modes (except for a few security functions). Refer to the Command Line Interface Overview chapter of this guide for more information.
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
Example
The following command configures a context-level administrator named user1 with ACS parameter control:
config-administrator user1 password secretPassword ecs
The following command removes a context-level administrator named user1:
no config-administrator user1
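The options above decide how long an administrator session can live, whether the account reaches FTP/SFTP, and whether the password appears in clear text on the command line. The following Python sketch is an added example, not part of the original reference or of the system's software: it parses config-administrator lines using only the keywords from the Syntax line and reports the risky combinations. The finding codes, function names and all sample lines except the first are constructed for illustration.

```python
"""Added example: audit config-administrator lines for risky account options."""

# Keywords taken from the Syntax line of the config-administrator command.
VALUE_KEYWORDS = {"password", "expiry-date", "timeout-absolute",
                  "timeout-min-absolute", "timeout-idle", "timeout-min-idle"}
FLAG_KEYWORDS = {"encrypted", "ecs", "ftp", "li-administration", "nocli", "noecs"}
OBSOLETE = {"timeout-absolute", "timeout-idle"}

# Finding codes and wording are this example's own (hypothetical), not system output.
DESCRIPTIONS = {
    "NO_IDLE_TIMEOUT": "idle timeout is 0 or unset, so the idle timeout is disabled",
    "NO_ABSOLUTE_TIMEOUT": "absolute timeout is 0 or unset, so it is disabled",
    "OBSOLETE_TIMEOUT_KEYWORD": "uses an obsolete seconds-based timeout keyword",
    "FTP_ENABLED": "FTP and SFTP access with administrator privileges",
    "NO_EXPIRY_DATE": "no expiry-date is set on the account",
    "PLAINTEXT_PASSWORD": "password appears without the encrypted keyword",
    "LI_PRIVILEGE": "may execute Lawful Intercept commands (SSH sessions only)",
}

# Constructed sample; only the first line is the example shown in this chapter.
SAMPLE_CONFIG = """\
config-administrator user1 password secretPassword ecs
config-administrator ops2 encrypted password constructedCipherText1 ftp timeout-idle 900
config-administrator audit3 encrypted password constructedCipherText2 expiry-date 2030:01:01:00:00 timeout-min-absolute 480 timeout-min-idle 15 noecs
config-administrator temp4 password changeMe li-administration
no config-administrator temp4
"""


def parse_admin(line):
    """Return (user_name, options) for a config-administrator line, else None."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "config-administrator":
        return None
    user, opts, i = tokens[1], {}, 2
    while i < len(tokens):
        keyword = tokens[i]
        if keyword in VALUE_KEYWORDS:
            if i + 1 >= len(tokens):
                raise ValueError(f"{keyword} is missing its value: {line!r}")
            opts[keyword] = tokens[i + 1]
            i += 2
        elif keyword in FLAG_KEYWORDS:
            opts[keyword] = True
            i += 1
        else:
            raise ValueError(f"unknown keyword {keyword!r} in {line!r}")
    return user, opts


def audit_admin(opts):
    """Return the list of finding codes for one account's options."""
    findings = []
    # Both timeouts default to 0, and 0 disables the timeout.
    for code, minutes_kw, seconds_kw in (
            ("NO_IDLE_TIMEOUT", "timeout-min-idle", "timeout-idle"),
            ("NO_ABSOLUTE_TIMEOUT", "timeout-min-absolute", "timeout-absolute")):
        if int(opts.get(minutes_kw, opts.get(seconds_kw, "0"))) == 0:
            findings.append(code)
    if OBSOLETE & opts.keys():
        findings.append("OBSOLETE_TIMEOUT_KEYWORD")
    if "ftp" in opts:
        findings.append("FTP_ENABLED")
    if "expiry-date" not in opts:
        findings.append("NO_EXPIRY_DATE")
    if "encrypted" not in opts:
        findings.append("PLAINTEXT_PASSWORD")
    if "li-administration" in opts:
        findings.append("LI_PRIVILEGE")
    return findings


def audit_config(text):
    """Map each remaining administrator account to its finding codes."""
    accounts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("no config-administrator "):
            accounts.pop(line.split()[2], None)  # account removed later in the file
            continue
        parsed = parse_admin(line)
        if parsed:
            user, opts = parsed
            accounts[user] = audit_admin(opts)
    return accounts


if __name__ == "__main__":
    for user, codes in audit_config(SAMPLE_CONFIG).items():
        print(user, "OK" if not codes else "")
        for code in codes:
            print(f"  {code}: {DESCRIPTIONS[code]}")
```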
 
content-filtering
This command enables creating/configuring/deleting Content Filtering Server Groups (CFSG).
Product
CF
Privilege
Security Administrator, Administrator
Syntax
content-filtering server-group cf_server_group_name [ -noconfirm ]
no content-filtering server-group cf_server_group_name
no
Removes the specified CFSG previously configured in this context.
cf_server_group_name
Specifies the CFSG name.
cf_server_group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
-noconfirm
Creates the specified CFSG without prompting for confirmation.
Usage
Use this command to create/configure/delete a CFSG.
Example
The following command creates a CFSG named CF_Server1:
content-filtering server-group CF_Server1
 
credit-control-service
This command enables creating/configuring/deleting credit-control services.
Product
All
Privilege
Security Administrator, Administrator
Syntax
credit-control-service service_name [ -noconfirm ]
no credit-control-service service_name
no
Deletes the specified credit-control service.
service_name
Specifies the credit-control service’s name.
service_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named credit-control service does not exist, it is created, and the CLI mode changes to the Credit Control Service Configuration mode wherein the service can be configured.
If the named credit-control service already exists, the CLI mode changes to the Credit Control Service Configuration mode wherein the service can be configured.
-noconfirm
Specifies that the command must execute without any additional prompt and confirmation from the user.
Usage
Use this command to create/configure/delete credit-control services.
Example
The following command creates a credit-control service named test159, and enters the Credit Control Service Configuration mode:
credit-control-service test159
 
crypto group
Creates a crypto group and enters the crypto configuration mode allowing the configuration of crypto group parameters.
Product
PDSN, PDIF, HA, GGSN, SCM
Privilege
Administrator, Config-Administrator
Syntax
crypto group group_name
no crypto group group_name
no
Deletes a previously configured crypto group.
group_name
The name of the crypto group. group_name must be from 1 to 127 alpha and/or numeric characters and is case sensitive.
Important: A maximum of 32 crypto groups per context can be configured.
Usage
Use this command to enter the configuration mode allowing the configuration of crypto group parameters.
Crypto (tunnel) groups are used to support the Redundant IPSec Tunnel Fail-over feature and consist of two configured ISAKMP crypto maps. Each crypto map defines the IPSec policy for a tunnel. In the crypto group, one tunnel serves as the primary, the other as the secondary (redundant).
Example
The following command configures a crypto group called group1:
crypto group group1
 
crypto ipsec transform-set
Configures transform-sets on the system and enters the Crypto Trans Configuration Mode.
Product
PDSN, PDIF, HA, GGSN, SCM
Privilege
Security Administrator, Administrator
Syntax
crypto ipsec transform-set transform_name [ ah { hmac { md5-96 | none | sha1-96 } { esp { hmac { { md5-96 | sha1-96 } { cipher { des-cbc | 3des-cbc | aes-cbc } } | none } } } } ]
no crypto ipsec transform-set transform_name
no
Removes a previously configured transform set.
transform_name
Configures the name by which the transform set will be recognized by the system.
transform_name must be from 1 to 127 alpha and/or numeric characters and is case sensitive.
ah hmac
Configures the Authentication Header (AH) hash message authentication codes (HMAC) parameter for the transform set to one of the following:
md5-96: Message Digest 5 truncated to 96 bits
none: Disables the use of the AH protocol for the transform set.
sha1-96: Secure Hash Algorithm-1 truncated to 96 bits
esp hmac
Configures the Encapsulating Security Payload (ESP) hash message authentication codes (HMAC) parameter for the transform set to one of the following:
md5-96: Message Digest 5 truncated to 96 bits
none: Disables the use of the AH protocol for the transform set.
sha1-96: Secure Hash Algorithm-1 truncated to 96 bits
cipher
If ESP is enabled, this option must be used to set the encapsulation cipher protocol to one of the following:
3des-cbc: Triple Data Encryption Standard (3DES) in cipher block chaining (CBC) mode
aes-cbc: Advanced Encryption Standard (AES) in CBC mode
des-cbc: DES in CBC mode
Usage
Use this command to create a transform set on the system.
Transform Sets are used to define IPSec security associations (SAs). IPSec SAs specify the IPSec protocols to use to protect packets.
Transform sets are used during Phase 2 of IPSec establishment. In this phase, the system and a peer security gateway negotiate one or more transform sets (IPSec SAs) containing the rules for protecting packets. This negotiation ensures that both peers can properly protect and process the packets.
Important: The ah and subsequent keywords are required when the transform set is initially configured.
Example
Create a transform set that has the name tset1, no authentication header, an encapsulating security protocol header hash message authentication code of md5, and a bulk payload encryption algorithm of des-cbc with the following command:
crypto ipsec transform-set tset1 ah hmac none esp hmac md5 cipher des-cbc
 
crypto map
Configures the name of the policy and enters the specified Crypto Map Configuration Mode.
Product
PDSN, HA, GGSN, SCM, P-GW, PDIF
Privilege
Security Administrator, Administrator
Syntax
crypto map name [ ikev2-ipv6 | ipsec-dynamic | ipsec-ikev1 | ipsec-manual ]
no crypto map name
no
Removes a previously configured crypto map.
name
The name by which the crypto map will be recognized by the system. name must be a string of from 1 through 127 alpha and/or numeric characters and is case sensitive.
ikev2-ipv6
Creates an IKEv2-IPv6 crypto map and enters the Crypto Map IKEv2-IPv6 Configuration Mode.
ipsec-dynamic
Creates a dynamic crypto map and/or enters the Crypto Map Dynamic Configuration Mode.
ipsec-ikev1
Creates an IKEv1 crypto map and/or enters the Crypto Map IKEv1 Configuration Mode.
ipsec-manual
Creates a manual crypto map and/or enters the Crypto Map Manual Configuration Mode.
Usage
Crypto Maps define the policies that determine how IPSec is implemented for subscriber data packets. There are several types of crypto maps supported by the system. They are:
Manual crypto maps: These are static tunnels that use pre-configured information (including security keys) for establishment. Because they rely on statically configured information, once created, the tunnels never expire; they exist until their configuration is deleted.
Important: Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only be configured and used for testing purposes.
IKEv1 crypto maps: These tunnels are similar to manual crypto maps in that they require some statically configured information such as the IP address of a peer security gateway and that they are applied to specific system interfaces. However, IKEv1 crypto maps offer greater security because they rely on dynamically generated security associations through the use of the Internet Key Exchange (IKE) protocol.
IKEv2-IPv6 crypto maps: Used to protect X3 data between a P-GW and a Lawful Intercept server.
Dynamic crypto maps: These tunnels are used for protecting L2TP-encapsulated data between the system and an LNS/security gateway or Mobile IP data between an FA service configured on one system and an HA service configured on another.
Important: The crypto map type (dynamic, IKEv1, IKEv2-IPv6, or manual) is specified when the map is first created using this command.
Example
Create a dynamic crypto map named map1 and enter the Crypto Map Dynamic configuration mode by entering the following command:
crypto map map1 ipsec-dynamic
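The transform-set and crypto map commands above allow choices that weaken a tunnel: DES, which has a 56-bit key, MD5-based HMACs, and manual crypto maps, which this chapter recommends for testing only. The following Python sketch is an added example, not part of the original reference or of the system's software, that reads such lines and reports those choices. It assumes that the `md5` spelling in the chapter's own example means md5-96 and that `esp hmac none` leaves the transform set without ESP; the finding codes and all sample lines other than tset1 and map1 are constructed.

```python
"""Added example: flag weak IPSec choices in transform-set and crypto map lines."""

# Assumption: the chapter's example writes "md5"; treat it as md5-96.
MD5_NAMES = {"md5", "md5-96"}

# Finding codes and wording are this example's own (hypothetical), not system output.
DESCRIPTIONS = {
    "MD5_HMAC": "MD5-based HMAC selected; sha1-96 is the stronger option listed",
    "DES_CIPHER": "des-cbc uses a 56-bit key; aes-cbc is the stronger option listed",
    "3DES_CIPHER": "3des-cbc is a legacy 64-bit block cipher; prefer aes-cbc",
    "NO_ESP": "no ESP configured, so packets are not encrypted",
    "MANUAL_KEYS": "manual crypto map with static keys; recommended for testing only",
}

# Constructed sample; tset1 and map1 are the examples shown in this chapter.
SAMPLE_CONFIG = """\
crypto ipsec transform-set tset1 ah hmac none esp hmac md5 cipher des-cbc
crypto ipsec transform-set tset2 ah hmac none esp hmac sha1-96 cipher aes-cbc
crypto ipsec transform-set tset3 ah hmac sha1-96 esp hmac none
crypto map map1 ipsec-dynamic
crypto map labmap ipsec-manual
"""


def parse_transform_set(line):
    """Return {'name', 'ah', 'esp', 'cipher'} for a transform-set line, else None."""
    tokens = line.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"] or len(tokens) < 4:
        return None
    ts = {"name": tokens[3], "ah": None, "esp": None, "cipher": None}
    rest, i = tokens[4:], 0
    while i < len(rest):
        if rest[i] in ("ah", "esp") and rest[i + 1:i + 2] == ["hmac"] and i + 2 < len(rest):
            ts[rest[i]] = rest[i + 2]      # value after "ah hmac" or "esp hmac"
            i += 3
        elif rest[i] == "cipher" and i + 1 < len(rest):
            ts["cipher"] = rest[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {rest[i]!r} in {line!r}")
    return ts


def audit_transform_set(ts):
    """Return finding codes for one parsed transform set."""
    findings = []
    if ts["ah"] in MD5_NAMES or ts["esp"] in MD5_NAMES:
        findings.append("MD5_HMAC")
    if ts["cipher"] == "des-cbc":
        findings.append("DES_CIPHER")
    elif ts["cipher"] == "3des-cbc":
        findings.append("3DES_CIPHER")
    if ts["esp"] in (None, "none"):
        findings.append("NO_ESP")
    return findings


def audit_crypto_map(line):
    """Return (map_name, findings) for a crypto map line, else None."""
    tokens = line.split()
    if tokens[:2] != ["crypto", "map"] or len(tokens) < 3:
        return None
    map_type = tokens[3] if len(tokens) > 3 else None
    return tokens[2], (["MANUAL_KEYS"] if map_type == "ipsec-manual" else [])


def audit_ipsec_config(text):
    """Map 'transform-set NAME' and 'crypto map NAME' to their finding codes."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        ts = parse_transform_set(line)
        if ts:
            report["transform-set " + ts["name"]] = audit_transform_set(ts)
            continue
        crypto_map = audit_crypto_map(line)
        if crypto_map:
            report["crypto map " + crypto_map[0]] = crypto_map[1]
    return report


if __name__ == "__main__":
    for item, codes in audit_ipsec_config(SAMPLE_CONFIG).items():
        print(item, "OK" if not codes else "")
        for code in codes:
            print(f"  {code}: {DESCRIPTIONS[code]}")
```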
 
crypto node
Creates a crypto node.
Product
SCM
Privilege
Administrator, Config-Administrator
Syntax
crypto node node_name map name
no crypto node node_name
node_name
The name of the crypto node. node_name must be from 1 to 127 alpha and/or numeric characters and is case sensitive.
map name
Assigns a previously configured crypto map policy to this crypto node. name must be a string of from 1 through 127 alpha and/or numeric characters and is case sensitive.
no
Deletes a previously configured crypto node.
Usage
Use this command to configure a crypto node and assign policies (crypto maps) to the node.
Example
The following command configures a crypto node called node1 and assigns a policy named map1 to it:
crypto node node1 map map1
 
crypto template
Creates a new, or specifies an existing, crypto template and enters the Crypto Template Configuration Mode.
Product
PDIF, SCM
Privilege
Security Administrator, Administrator
Syntax
crypto template name { ikev2-pdif | ipsec-3gpp-cscf }
no crypto template name
name { ikev2-pdif | ipsec-3gpp-cscf }
Specifies the name of a new or existing crypto template. name must be from 1 to 127 alpha and/or numeric characters.
ikev2-pdif: Configure the Crypto Template to be used for configuring PDIF functionality.
Important: This keyword cannot be used with IPSec for the SCM.
ipsec-3gpp-cscf: Configure the Crypto Template to be used for configuring P-CSCF IPSec functionality.
Important: This keyword can only be used with IPSec for the SCM.
Usage
Use this command to create a new or enter an existing PDIF or P-CSCF crypto template.
Important: The CSCF crypto template should be configured in the same context in which the P-CSCF is configured.
Entering this command results in one of the following prompts:
[context_name]hostname(cfg-crypto-tmpl-ikev2-tunnel)#
[context_name]hostname(cfg-crypto-tmpl-ims-cscf-tunnel)#
Crypto Template Configuration Mode commands are defined in the Crypto Template Configuration Mode Commands and CSCF Crypto Template Configuration Mode Commands chapters.
Example
The following command configures a PDIF crypto template called crypto1 and enters the Crypto Template Configuration Mode:
crypto template crypto1 ikev2-pdif
The following command configures a P-CSCF crypto template called crypto2 and enters the CSCF Crypto Template Configuration Mode:
crypto template crypto2 ipsec-3gpp-cscf
 
cscf
The commands in this section are used for configuring parameters associated with the CSCF service.
 
cscf access-profile
Creates a new or enters an existing access profile used to set signaling compression for various network access types.
Product
SCM
Privilege
Administrator
Syntax
cscf access-profile { default | name profile_name [ -noconfirm ] }
no cscf access-profile name profile_name
default
Specifies that the system is to enter the Access Profile Configuration Mode for the default access profile.
name profile_name
Specifies a name for the access profile.
profile_name must be from 1 to 79 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no cscf access-profile name profile_name
Removes the CSCF access profile from the context.
Usage
Use this command to create an access profile for the CSCF service and cause the system to enter the Access Profile Configuration Mode where parameters are configured for the profile.
Entering this command results in the following prompt:
[context_name]hostname(config-cscf-access-profile)#
Access Profile Configuration Mode commands are defined in the CSCF Access Profile Configuration Mode Commands chapter.
Example
The following command creates a CSCF Access Profile named profile2 and enters the Access Profile Configuration Mode:
cscf access-profile name profile2
 
cscf acl
Creates an access control list (ACL) and enters the ACL Configuration Mode.
Product
SCM
Privilege
Administrator
Syntax
cscf acl { default | name list_name [ -noconfirm ] }
no cscf acl name list_name
default
Specifies that the system is to enter the ACL Configuration Mode for the default ACL.
name list_name
Specifies a name for the ACL.
list_name must be from 1 to 47 alpha and/or numeric characters in length.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no cscf acl name list_name
Removes the CSCF ACL from the context.
Usage
Use this command to create an access control list for the CSCF service and cause the system to enter the ACL Configuration Mode where parameters are configured for the new list.
Entering this command results in the following prompt:
[context_name]hostname(config-cscf-acl)#
ACL Configuration Mode commands are defined in the CSCF ACL Configuration Mode Commands chapter.
Use this command when configuring the following SCM components: P-CSCF, S-CSCF, and SIP Proxy.
Example
The following command creates a CSCF access control list named acl1 and enters the ACL Configuration Mode:
cscf acl name acl1
 
cscf ifc-filter-criteria
Creates Initial Filter Criteria (iFC) filter criteria for shared iFC functionality.
Product
SCM (S-CSCF, SIP Proxy)
Privilege
Administrator
Syntax
cscf ifc-filter-criteria name fc_name priority pri profile-part-indicator { registered | unregistered } app-server uri scheme { sip | sips } as as-default-handling { session-continue | session-terminate } [ -noconfirm ] | [ service-info info ][ trigger-point tp_name ] [ -noconfirm ] | [ trigger-point tp_name ] [ -noconfirm ]
no cscf ifc-filter-criteria name fc_name
name fc_name
Specifies a name for the iFC filter criteria.
fc_name must be from 1 to 39 alpha and/or numeric characters in length.
priority pri
Specifies the priority of the filter criteria, which is used to select a particular filter criteria from multiple ones present under an ISC template.
pri must be an integer from 0 through 1024.
profile-part-indicator { registered | unregistered }
Indicates whether the iFC is a part of the registered (registered) or unregistered (unregistered) user profile.
app-server uri scheme { sip | sips }
Determines the associated application server’s uri scheme.
sip: sip uri
sips: sips uri
as
Specifies an address for the associated application server.
as must be from 1 to 127 alpha and/or numeric characters in length.
as-default-handling { session-continue | session-terminate }
Determines whether the dialog should be released (session-terminate) or not (session-continue) if the application server could not be reached or on application server error return.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
service-info info
Specifies optional service information to be sent to the application server.
info must be from 1 to 63 alpha and/or numeric characters in length.
trigger-point tp_name
Assigns an iFC trigger point to the filter criteria.
tp_name must be from 1 to 39 alpha and/or numeric characters in length.
no cscf ifc-filter-criteria name fc_name
Removes the specified CSCF iFC filter criteria from the context.
Usage
Use this command to create a filter criteria name and associate an application server address to it. You may also define a trigger point name to be executed in order to select the application server. If no trigger point is specified, then the application server is selected unconditionally.
Important: Filter criteria is associated with an ISC template in the ISC Template Configuration Mode.
Important: Filter criteria can be assigned to more than one ISC template.
Example
The following command creates an iFC filter criteria named ifcfc1, which has a priority of 2 and is part of the registered user profile. ifcfc1 is assigned to a sip application server named appserver. The dialog will not be released if the application server cannot be reached. ifcfc1 is also assigned a trigger point named tp2:
cscf ifc-filter-criteria name ifcfc1 priority 2 profile-part-indicator registered app-server uri scheme sip appserver as-default-handling session-continue trigger-point tp2
 
cscf ifc-spt-condition
Creates an Initial Filter Criteria (iFC) Service Point Trigger (SPT) condition for shared iFC functionality.
Product
SCM (S-CSCF, SIP Proxy)
Privilege
Administrator
Syntax
cscf ifc-spt-condition name cond_name { request-uri content uri_content | session-case { originating-registered | originating-unregistered | terminating-registered | terminating-unregistered } | session-description sdp [ content sdp_data ] | sip-header hdr [ content hdr_data ] | sip-method method } [ -noconfirm ] [ condition-negated ]
no cscf ifc-spt-condition name cond_name
name cond_name
Specifies a name for the iFC SPT condition.
cond_name must be from 1 to 39 alpha and/or numeric characters in length.
request-uri content uri_content
Specifies request uri content.
uri_content must be from 1 to 127 alpha and/or numeric characters in length.
Important: Wildcard Extended Regular Expressions (ERE) are supported for this value. For example, "sip.user[0-9]@192\\.168\\.176\\.150"
session-case {originating-registered | originating-unregistered | terminating-registered | terminating-unregistered}
Determines the type of session:
originating-registered: Session handling an originating end user.
originating-unregistered: Session handling an unregistered originating end user.
terminating-registered: Session handling a terminating registered end user.
terminating-unregistered: Session handling a terminating unregistered end user.
session-description sdp [ content sdp_data ]
Specifies an SDP line type.
sdp must be from 1 to 15 alpha and/or numeric characters in length.
content specifies content on the SDP line.
sdp_data must be from 1 to 127 alpha and/or numeric characters in length.
sip-header hdr [ content hdr_data ]
Specifies a header type.
hdr must be from 1 to 127 alpha and/or numeric characters in length.
content specifies content on the header.
hdr_data must be from 1 to 127 alpha and/or numeric characters in length.
sip-method method
Specifies a sip method.
method must be from 1 to 127 alpha and/or numeric characters in length.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
condition-negated
Negates the specified condition.
no cscf ifc-spt-condition name cond_name
Removes the specified CSCF iFC SPT condition from the context.
Usage
Use this command to create individual SPT conditions that are later associated with an SPT group in the iFC SPT Group Configuration Mode.
Important: An iFC SPT group may be associated with multiple SPT conditions.
Example
The following command creates an iFC SPT condition named cond2 which handles an originating end user:
cscf ifc-spt-condition name cond2 session-case originating-registered
The following command negates the condition created above:
cscf ifc-spt-condition name cond2 session-case originating-registered condition-negated
 
cscf ifc-spt-group
Creates an Initial Filter Criteria (iFC) Service Point Trigger (SPT) group for shared iFC functionality.
Product
SCM (S-CSCF, SIP Proxy)
Privilege
Administrator
Syntax
cscf ifc-spt-group name group_name [ [-noconfirm] | reg-type { de-registration | initial-registration | re-registration } [-noconfirm] ]
no cscf ifc-spt-group name group_name
name group_name
Specifies a name for the iFC SPT group.
group_name must be from 1 to 39 alpha and/or numeric characters in length.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
reg-type { de-registration| initial-registration | re-registration }
Defines whether the SPT condition matches to REGISTER messages that are related to:
no cscf ifc-spt-group name group_name
Removes the specified CSCF iFC SPT group from the context.
Usage
Use this command to create an iFC SPT group name and bind different SPT conditions under it.
Important: An iFC SPT group may be associated with multiple SPT conditions.
The SPT group can also specify the registration type that defines whether the SPT condition matches to REGISTER messages that are related to initial registrations, re-registrations, or de-registrations.
Entering this command results in the following prompt:
[context_name]hostname(config-cscf-ifc-spt-group)#
iFC SPT Group Configuration Mode commands are defined in the CSCF IFC SPT Group Configuration Mode Commands chapter.
Example
The following command creates an iFC SPT group named group2:
cscf ifc-spt-group name group2
 
cscf ifc-trigger-point
Creates an Initial Filter Criteria (iFC) trigger point for shared iFC functionality.
Product
SCM (S-CSCF, SIP Proxy)
Privilege
Administrator
Syntax
cscf ifc-trigger-point name tp_name condition-type { cnf | dnf } [ -noconfirm ]
no cscf ifc-trigger-point name tp_name
name tp_name
Specifies a name for the iFC trigger point.
tp_name must be from 1 to 39 alpha and/or numeric characters in length.
condition-type { cnf | dnf }
Defines the condition type of the iFC trigger point:
cnf: conjunctive normal form
dnf: disjunctive normal form
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no cscf ifc-trigger-point name tp_name
Removes the specified CSCF iFC trigger point from the context.
Usage
Use this command to create a trigger point name and bind different SPT groups under it.
Important: An iFC SPT group can be assigned to more than one iFC trigger point.
Entering this command results in the following prompt:
[context_name]hostname(config-cscf-ifc-trigger-point)#
IFC Trigger Point Configuration Mode commands are defined in the CSCF IFC Trigger Point Configuration Mode Commands chapter.
Example
The following command creates an iFC trigger point named tp_2 with a cnf condition type:
cscf ifc-trigger-point name tp_2 condition-type cnf
 
cscf isc-template
Creates an IMS Service Control (ISC) template and enters the ISC Template Configuration Mode.
Product
SCM (S-CSCF)
Privilege
Administrator
Syntax
[ no ] cscf isc-template name template_name
no
Removes the CSCF ISC template from the context.
name template_name
Specifies a name for the ISC template.
template_name must be from 1 to 39 alpha and/or numeric characters in length.
Usage
Use this command to create an ISC template for the CSCF service and cause the system to enter the ISC Template Configuration Mode where parameters are configured for the new template.
Entering this command results in the following prompt:
[context_name]hostname(config-cscf-isc-tmpl)#
ISC Template Configuration Mode commands are defined in the CSCF ISC Template Configuration Mode Commands chapter.
Use this command when configuring the following SCM component: S-CSCF.
Example
The following command creates an ISC template named template1 and enters the ISC Template Configuration Mode:
cscf isc-template name template1
 
cscf last-route-profile
Creates a last route profile, which will be specified on peer server configuration to select the Last Routing Option (LRO) number while forwarding an emergency call packet to a particular peering server, and enters the Last Route Profile Criteria Configuration Mode.
Product
SCM
Privilege
Administrator
Syntax
cscf last-route-profile name profile_name criteria { county-name | round-robin } [ -noconfirm ]
no cscf last-route-profile name profile_name
name profile_name
Specifies the name of the last route profile.
profile_name must be from 1 to 79 alpha and/or numeric characters in length.
criteria { county-name | round-robin }
county-name: Profile specific to the county-name criteria.
Entering this command results in the following prompt:
[context_name]hostname(config-county-name-lro-profile)#
Last Route Profile Criteria Configuration Mode commands are defined in the CSCF Last Route Profile Criteria Configuration Mode Commands chapter.
round-robin: Profile specific to the round-robin criteria.
Entering this command results in the following prompt:
[context_name]hostname(config-round-robin-lro-profile)#
Last Route Profile Criteria Configuration Mode commands are defined in the CSCF Last Route Profile Criteria Configuration Mode Commands chapter.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no cscf last-route-profile name profile_name
Removes the specified CSCF last route profile from the context.
Usage
Use this command to create a last route profile and enter the Last Route Profile Criteria Configuration Mode.
Important: Last route profiles are associated with peer servers in the CSCF Peer Server Monitoring Configuration Mode.
Use this command when configuring the following SCM components: S-CSCF and SIP Proxy.
Example
The following command creates a last route profile named lro1 and enters the CSCF Last Route Profile Criteria Configuration Mode to specify county name criteria:
cscf last-route-profile name lro1 criteria county-name
The following command creates a last route profile named lro2 and enters the CSCF Last Route Profile Criteria Configuration Mode to specify round robin criteria:
cscf last-route-profile name lro2 criteria round-robin
 
cscf peer-servers
Creates a peer server group type for next-hop session routing and enters the Peer Server Configuration Mode.
Product
SCM
Privilege
Administrator
Syntax
cscf peer-servers server_name type { bgcf | ibcf | icscf | mgcf | mrfc | pcscf | scscf | sip-as } [ -noconfirm ]
no cscf peer-servers server_name
server_name
Specifies the name of the peer server group.
server_name must be from 1 to 79 alpha and/or numeric characters in length.
type { bgcf | ibcf | icscf | mgcf | mrfc | pcscf | scscf | sip-as }
Specifies the type of peer server group to configure:
ibcf: Interconnect Border Control Function
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no cscf peer-servers server_name
Removes the specified CSCF peer server group from the context.
Usage
Use this command to create a specific peer server group and enter the Peer Server Configuration Mode where connectivity parameters can be entered.
Entering this command results in the following prompt:
[context_name]hostname(config-cscf-peer-servers)#
Peer Servers Configuration Mode commands are defined in the CSCF Peer Servers Configuration Mode Commands chapter.
Use this command when configuring the following SCM components: P-CSCF, S-CSCF, and SIP Proxy.
Example
The following command creates an I-CSCF server group type called icscf_group1 and enters the Peer Server Configuration Mode:
cscf peer-servers icscf_group1 type icscf
 
cscf policy
Creates a policy group for specific AoR profiles and enters the Policy Configuration Mode.
Product
SCM
Privilege
Administrator
Syntax
cscf policy { default | name policy_name [ -noconfirm ] }
no cscf policy name policy_name
default
Specifies that the system is to enter the AoR Policy Rules Configuration Mode for the default policy. The default policy uses AoR policy rules.
Entering this command results in the following prompt:
[context_name]hostname(config-aor-policy)#
Default (AoR) Policy Configuration Mode commands are defined in the CSCF AoR Policy Rules Configuration Mode Commands chapter.
name policy_name
Specifies the name of the policy group.
policy_name must be from 1 to 79 alpha and/or numeric characters in length.
Entering this command results in the following prompt:
[context_name]hostname(config-cscf-policy)#
Policy Configuration Mode commands are defined in the CSCF Policy Configuration Mode Commands chapter.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no cscf policy name policy_name
Removes the specified CSCF policy group from the context.
Usage
Use this command to create a policy group and enter either the AoR Policy Rules Configuration Mode (default) or Policy Configuration Mode (name policy_name).
Use this command when configuring the following SCM components: P-CSCF, S-CSCF, and SIP Proxy.
Example
The following command creates a policy group named group2 and enters the CSCF Policy Configuration Mode:
cscf policy name group2
 
cscf routes
Creates a route group for specifying routing information and enters the Routes Configuration Mode.
Product
SCM
Privilege
Administrator
Syntax
cscf routes { default | name route_name [ -noconfirm ] }
no cscf routes name route_name
default
Specifies that the system is to enter the Routes Configuration Mode for the default route group.
name route_name
Specifies the name of the route group.
route_name must be from 1 to 79 alpha and/or numeric characters in length.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no cscf routes name route_name
Removes the specified CSCF route group from the context.
Usage
Use this command to create a route group and enter the Routes Configuration Mode.
Entering this command results in the following prompt:
[context_name]hostname(config-cscf-route)#
Routes Configuration Mode commands are defined in the CSCF Routes Configuration Mode Commands chapter.
Use this command when configuring the following SCM components: P-CSCF, S-CSCF, SIP Proxy.
Example
The following command creates a route group named route_group5 and enters the Route Group Configuration Mode:
cscf routes name route_group5
 
cscf service
Creates a CSCF service or specifies an existing CSCF service and enters the CSCF service configuration mode for the current context.
Product
SCM
Privilege
Administrator
Syntax
cscf service service_name [ -noconfirm ]
no cscf service service_name
service_name
Specifies the name of the CSCF service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no cscf service service_name
Removes the specified CSCF service from the context.
Usage
Enter the CSCF service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Entering this command results in the following prompt:
[context_name]hostname(config-cscf-service)#
CSCF Service Configuration Mode commands are defined in the CSCF Service Configuration Mode Commands chapter.
Use this command when configuring the following SCM components: P-CSCF, S-CSCF, SIP Proxy.
Example
The following command enters the existing CSCF service configuration mode (or creates it if it doesn’t already exist) for the service named cscf-service1:
cscf service cscf-service1
The following command will remove cscf-service1 from the system:
no cscf service cscf-service1
 
cscf session-template
Creates a session template and/or enters the Session Template Configuration Mode.
Product
SCM
Privilege
Administrator
Syntax
cscf session-template { default | name template_name [ -noconfirm ] }
no cscf session-template name template_name
default
Specifies that the system is to enter the Session Template Configuration Mode for the default session template.
name template_name
Specifies a name for the template.
template_name must be from 1 to 79 alpha and/or numeric characters in length.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no cscf session-template name template_name
Removes the specified CSCF session template from the context.
Usage
Use this command to create a new session template and enter the Session Template Configuration Mode or enter the mode for an existing template.
Entering this command results in the following prompt:
[context_name]hostname(config-cscf-session-template)#
Session Template Configuration Mode commands are defined in the CSCF Session Template Configuration Mode Commands chapter.
Use this command when configuring the following SCM components: P-CSCF, S-CSCF, SIP Proxy.
Example
The following command enters the Session Template Configuration Mode for a template named sess_temp4:
cscf session-template name sess_temp4
 
cscf translation
Creates/removes a translation list and/or enters the Translation Configuration Mode.
Product
SCM
Privilege
Administrator
Syntax
cscf translation { default | name list_name [ -noconfirm ] }
no cscf translation name list_name
default
Specifies that the system is to enter the Translation Configuration Mode for the default translation list.
name list_name
Specifies a name for the translation list.
list_name must be from 1 to 79 alpha and/or numeric characters in length.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no cscf translation name list_name
Removes the specified CSCF translation list from the context.
Usage
Use this command to create a new translation list and enter the Translation Configuration Mode or enter the mode for an existing list.
Translation lists are used to modify or replace a request-URI such as an E.164 number. For example, a translation list can be configured to append digits to the end of a number or replace a domain name with another.
Entering this command results in the following prompt:
[context_name]hostname(config-cscf-translation)#
Translation Configuration Mode commands are defined in the CSCF Translation Configuration Mode Commands chapter.
Use this command when configuring the following SCM components: P-CSCF, S-CSCF, SIP Proxy.
Example
The following command enters the Translation Configuration Mode for a translation list named trans_list3:
cscf translation name trans_list3
 
cscf urn-service-list
Creates/removes a URN service list and/or enters the URN List Configuration Mode.
Product
SCM
Privilege
Administrator
Syntax
cscf urn-service-list { default | name list_name [ -noconfirm ] }
no cscf urn-service-list name list_name
default
Specifies that the system is to enter the URN List Configuration Mode for the default URN service list.
name list_name
Specifies a name for the URN service list.
list_name must be from 1 to 79 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no cscf urn-service-list name list_name
Removes the specified CSCF URN service list from the context.
Usage
Use this command to create a URN service list name and enter the URN List Configuration Mode. URN lists contain URN to URI mappings used for emergency and location-based services. A URN service list is selected by a CSCF session template.
Entering this command results in the following prompt:
[context_name]hostname(config-cscf-service-urn)#
URN List Configuration Mode commands are defined in the CSCF URN List Configuration Mode Commands chapter.
Use this command when configuring the following SCM components: P-CSCF.
Example
The following command enters the URN List Configuration Mode for a URN list named urn_list1:
cscf urn-service-list name urn_list1
 
css server
 
This is a restricted command. In Release 9.0 and later, this command is obsoleted.
 
default aaa
Restores the system’s accounting and authentication parameters to default settings for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
default aaa { accounting { administrator | subscriber } | authentication { administrator | subscriber } }
accounting { administrator | subscriber }
administrator: Restores the system default setting for RADIUS accounting for administrative user sessions.
subscriber: Restores the system default setting for RADIUS accounting for subscriber sessions.
authentication { administrator | subscriber }
subscriber: Restores the system default setting for RADIUS authentication for subscribers.
administrator: Restores the system default setting for RADIUS authentication for administrative users.
Usage
Use this command to restore the system’s accounting and authentication options to the default settings for the current context.
The system is shipped from the factory with the administrative user and subscriber RADIUS accounting enabled.
Example
default aaa accounting subscriber
default aaa authentication default
 
default access-list
Restores the system default for packet handling when an undefined ACL is specified.
Product
PDSN, FA, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
default access-list undefined
undefined
Restores the system default for handling of packets when an undefined ACL is specified.
Usage
Restore the chassis to the system defaults.
Example
default access-list undefined
 
default gtpp
Restores gtpp parameter settings to their default values.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
default gtpp { attribute { diagnostics | duration-ms | local-record-sequence-number | plmn-id } | algorithm | deadtime | detect-dead-server { consecutive-failures } | duplicate-hold-time | echo-interval | egcdr final-record { include-content-ids only-with-traffic closing-cause same-in-all-partials } | egcdr losdv-max-containers | egcdr lotdv-max-containers | egcdr service-idle-timeout | max-cdrs | max-pdu-size | max-retries | redirection-allowed | timeout | trigger}
attribute { diagnostics | duration-ms | local-record-sequence-number | plmn-id }
Restores the gtpp attribute parameter to the following default settings:
diagnostics: Disabled
duration-ms: Disabled
plmn-id: Enabled
algorithm
Restores the gtpp algorithm parameter to its default setting of first-server.
deadtime
Restores the gtpp deadtime parameter to its default setting of 120 seconds.
detect-dead-server { consecutive-failures }
Restores the gtpp detect-dead-server consecutive-failure parameter to its default setting of 5.
duplicate-hold-time
Restores the gtpp duplicate-hold-time parameter to its default setting of 60 minutes.
echo-interval
Restores the gtpp echo-interval parameter to its default setting of 60 seconds.
egcdr final-record { include-content-ids only-with-traffic closing-cause same-in-all-partials }
Restores the gtpp egcdr final record to the default settings, in which only content-ids with some data to report are included. Also sets the closing cause to the default of using the same closing cause for multiple final eGCDRs.
egcdr losdv-max-containers
Restores the gtpp egcdr maximum number of List of Service Data Volume (LoSDV) containers in one EGCDR to the default of 10.
egcdr lotdv-max-containers
Restores the gtpp egcdr maximum number of List of Traffic Data Volume (LoTDV) containers in one EGCDR to the default of 8.
egcdr service-idle-timeout
Restores the gtpp egcdr service-idle-timeout parameter to its default setting of 0.
max-cdrs
Restores the gtpp max-cdrs parameter to its default setting of 1 CDR per packet.
max-pdu-size
Restores the gtpp max-pdu-size parameter to its default setting of 4096 octets.
max-retries
Restores the gtpp max-retries parameter to its default setting of 4.
redirection-allowed
Restores the gtpp redirection-allowed parameter to its default setting of enabled.
timeout
Restores the gtpp timeout parameter to its default setting of 5.
trigger
Restores the gtpp triggers to their default settings.
Usage
After system parameters have been modified, this command is used to set/restore specific parameters to their default values.
Example
The following command restores the gtpp max-pdu-size to its default setting of 4096 octets:
default gtpp max-pdu-size
 
default mobile-ip
Sets the behavior of all HA services when a new call has a duplicate home address or IMSI.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
default mobile-ip { ha newcall { duplicate-home-address | duplicate-imsi-session } | fa { multiple-dynamic-reg-per-nai | newcall duplicate-home-address } }
duplicate-home-address
Set HA or FA services to reject a new call that requests an IP address that is already assigned.
duplicate-imsi-session
Set HA services to accept new calls that have the same IMSI as a call that is already active.
multiple-dynamic-reg-per-nai
All FA services in the current context cannot simultaneously set up multiple dynamic home address registrations that have the same NAI.
Usage
Use this command to reset the HA behavior for new calls.
Example
The following commands reset the HA and the FA to reject new calls that request a static IP address that is already in use from an IP pool in the same destination context:
default mobile-ip ha newcall duplicate-home-address
default mobile-ip fa newcall duplicate-home-address
 
default network-requested-pdp-context
Restores network-requested-pdp-context parameters to their default settings.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
default network-requested-pdp-context { hold-down-time | sgsn-cache-time }
hold-down-time
Restores the hold-down-time parameter to its default setting of 60 seconds.
sgsn-cache-time
Restores the sgsn-cache-time parameter to its default setting of 300 seconds.
Usage
After system parameters have been modified, this command is used to set/restore specific parameters to their default values.
Example
The following command restores the network-requested-pdp-context hold-down-time parameter to its default setting:
default network-requested-pdp-context hold-down-time
 
default ppp
Restores the point-to-point protocol option defaults.
Product
All
Privilege
Security Administrator, Administrator
Syntax
default ppp { acfc { receive | transmit } | auth-retry suppress-aaa-auth | echo-max-retransmissions | echo-retransmit-timeout | first-lcp-retransmit-timeout | lcp-authentication-reject retry-alternate | lcp start-delay | lcp-terminate connect-state | lcp-terminate mip-lifetime-expiry | lcp-terminate mip-revocation | max-authentication-attempts | max-configuration-nak | max-retransmissions | max-terminate | mru | negotiate default-value-options | peer-authentication | pfc { receive | transmit } | reject-peer-authentication | retransmit-timeout | renegotiation retain-ip-address }
acfc { receive | transmit }
receive: Set the ACFC receive setting to the default, allow. The local PPP side indicates that it can process ACFC compressed PPP packets and compressed packets are allowed.
transmit: Set the ACFC transmit setting to the default, ignore. If the peer requests ACFC, the request is accepted, but ACFC is not applied for transmitted PPP packets.
auth-retry suppress-aaa-auth
Restores the system default and allows authentication retries to the AAA server after authorization has already been performed.
chap fixed-challenge-length
Disables a specified fixed PPP CHAP challenge length and sets the system back to the default of a random PPP CHAP challenge length from 17 to 32 bytes.
echo-max-retransmissions
Restores the system default for the maximum number of retransmissions of LCP ECHO_REQ before a session is terminated in an always-on session.
echo-retransmit-timeout
Restores the system default for the timeout before trying LCP ECHO_REQ for an always-on session.
first-lcp-retransmit-timeout
Sets the number of milliseconds to wait before the first retransmit of a control packet to the system default.
lcp-authentication-reject retry-alternate
Default: Disabled. No alternate authentication option will be retried.
This option controls the action taken if the authentication option is rejected during LCP negotiation, namely whether the allowed alternate authentication option is retried.
lcp start-delay
Sets the delay before Line Control Protocol (LCP) starts to its default of 0 (zero) milliseconds.
lcp-terminate connect-state
This option enables sending an LCP terminate message to the Mobile Node when a PPP session is disconnected if the PPP session was already in a connected state.
Note that if the no keyword is used with this option, the PDSN must still send LCP Terminate in the event of an LCP/PCP negotiation failure or PPP authentication failure, which happens during connecting state.
Important: This option is not supported in conjunction with the GGSN product.
lcp-terminate mip-lifetime-expiry
This option configures the PDSN to send a LCP Terminate Request when a MIP Session is terminated due to MIP Lifetime expiry (default).
Note that if the no keyword is used with this option, the PDSN does not send a LCP Terminate Request when a MIP session is terminated due to MIP Lifetime expiry.
lcp-terminate mip-revocation
This option configures the PDSN to send a LCP Terminate Request when a MIP Session is terminated due to a Revocation being received from the HA (default).
Note that if the no keyword is used with this option, the PDSN does not send a LCP Terminate Request when a MIP session is terminated due to a Revocation being received from the HA.
max-authentication-attempts
Restores the maximum number of PPP authentication retry attempts allowed from the peer when authentication attempts fail to the default of 1.
max-configuration-nak
Restores the maximum number of consecutive configuration NAKs to be sent to the peer before disconnecting the PPP session to the default of 10.
max-retransmissions
Restores the system default for the maximum number of times to retransmit control packets.
max-terminate
Restores the maximum number of PPP LCP Terminate Requests transmitted to the Mobile Node to the system default of 2.
mru
Resets the maximum packet size that can be received to the default of 1500.
negotiate default-value-options
Disables the inclusion of configuration options with default values in PPP configuration requests.
peer-authentication
Sets the peer authentication user name and password to its system default.
pfc { receive | transmit }
receive: Sets the Protocol Field Compression (PFC) receive setting to the default, allow. The peer is allowed to request PFC during LCP negotiation.
transmit: Sets the PFC transmit setting to the default, ignore. If the peer requests PFC, it is accepted but PFC is not applied for transmitted packets.
reject-peer-authentication
Rejection of peer requests for authentication is enabled.
renegotiation retain-ip-address
Retain the currently allocated IP address for the session during PPP renegotiation (Simple IP) between FA and Mobile node.
retransmit-timeout
Restores the number of milliseconds to wait before retransmitting packets.
Usage
Restore the PPP settings for the current context to the system defaults.
Example
default ppp echo-max-retransmissions
default ppp echo-retransmit-timeout
default ppp max-retransmissions
default ppp peer-authentication
default ppp retransmit-timeout
 
default radius
This command restores the context’s RADIUS parameters to the system default settings.
Product
All
Privilege
Security Administrator, Administrator
Syntax
default radius { accounting { algorithm | deadtime | detect-dead-server consecutive-failures | max-outstanding | max-pdu-size | max-retries | timeout } | algorithm | attribute { nas-identifier } | deadtime | detect-dead-server consecutive-failures | dictionary | keepalive | max-outstanding | max-retries | max-transmissions | probe-interval | timeout }
accounting { algorithm | apn-to-be-included | archive | deadtime | detect-dead-server consecutive-failures | keepalive | max-outstanding | max-pdu-size | max-retries | max-transmissions | rp trigger-policy | timeout }
Restores the system default value for the RADIUS accounting option specified.
algorithm: restores the accounting server selection algorithm to the system default.
apn-to-be-included: configures the APN name to be included for radius accounting.
archive: enables archiving of RADIUS accounting messages.
deadtime: restores the default number of seconds before attempting to communicate with an accounting server marked as unreachable.
detect-dead-server consecutive-failures: restores the default value for the number of consecutive failed attempts to reach an accounting server before it is marked as unreachable.
radius accounting ha policy: resets the HA accounting policy to the system default: session-start-stop. Send Accounting Start when the Session is connected, Send Accounting Stop when the session is disconnected.
keepalive: restores the default keepalive accounting related parameters values.
max-outstanding: restores the system default for the maximum number of outstanding messages to queue for a given accounting server.
max-pdu-size: restores the maximum size a packet data unit can be.
max-retries: restores the maximum number of times a packet will be retransmitted to the system default.
max-transmissions: disables the maximum transmissions limit.
rp trigger-policy: restores the RADIUS accounting R-P policy to the default of Airlink Usage.
timeout: restores the number of seconds to wait before retransmitting a PDU to the system default.
algorithm
Restores the RADIUS server selection algorithm to the system default.
attribute { nas-identifier }
nas-identifier: restores the network access server Id to the system default.
deadtime
Restores the default number of seconds before attempting to communicate with a RADIUS server marked as unreachable.
detect-dead-server
Restores consecutive failures to the default of 4 and disables response-timeout.
dictionary
Restores the context’s dictionary to the system default.
keepalive [ calling-station-id id | consecutive-response number | encrypted | interval seconds | password | retries number | timeout seconds | username name | valid-response access-accept [ access-reject ] ]
calling-station-id id: restores the default calling-station-id to be used for the keepalive authentication.
consecutive-response number: restores the default number of consecutive authentication responses after which the server is marked as reachable.
interval seconds: restores the default time interval between the keepalive access requests.
password: restores the default password to be used for the authentication.
retries number: restores the default number of times the keepalive access request is to be sent before marking the server as unreachable.
timeout seconds: restores the default time interval between each keepalive access request retries.
username name: restores the default username to be used for the authentication.
valid-response access-accept [ access-reject ]: restores the default valid response for the authentication request.
max-outstanding
Restores the system default for the maximum number of outstanding messages to queue for a given RADIUS server.
max-retries
Restores the maximum number of times a packet will be retransmitted to the system default.
probe-interval
Sets the amount of time to wait before sending another probe authentication request to a RADIUS server to the default setting of 60 seconds.
timeout
Restores the number of seconds to wait before retransmitting a message to the system default.
Usage
Restores RADIUS parameters to the system default settings.
Example
default radius accounting deadtime
default radius accounting max-outstanding
default radius algorithm
default radius attribute nas-identifier
 
default radius authenticate null-username
Restores the system default for authenticating null, or blank, user names. The default behavior is to authenticate all user names, including null user names, by sending Access-Request messages to the AAA server.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
default radius authenticate null-username
Usage
Use this command to return to the default behavior of authenticating all user names, including NULL user names, by sending Access-Request messages to the AAA server.
Example
Enter the following command to return username authentication to the default behavior:
default radius authenticate null-username
 
default threshold
Restores context-level thresholds to their default settings.
Product
All
Privilege
Security Administrator, Administrator
Syntax
default threshold { available-ip-pool-group | ip-pool-free | ip-pool-hold | ip-pool-release | ip-pool-used | monitoring available-ip-pool-group }
available-ip-pool-group
Restores the context-level IP address pool group utilization thresholds to their default values.
ip-pool-free
Default: 0
Restores to its default the thresholds for the percentage of the IP pool addresses that are in the free state.
ip-pool-hold
Default: 0
Restores to its default the thresholds for the percentage of the IP pool addresses that are in the hold state.
ip-pool-release
Default: 0
Restores to its default the thresholds for the percentage of the IP pool addresses that are in the release state.
ip-pool-used
Default: 0
Restores to its default the thresholds for the percentage of the IP pool addresses that are used.
monitoring available-ip-pool-group
Restores the IP address pool threshold monitoring parameter to its default setting.
Usage
Use this command to restore IP address pool-related threshold parameters to their default settings.
Example
default threshold available-ip-pool-group
 
dhcp-service
Adds a Dynamic Host Configuration Protocol (DHCP) service instance to the current context and enters the configuration mode for that service.
Product
GGSN, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
dhcp-service service_name
no dhcp-service service_name
no
Removes a previously configured DHCP service from the current context.
service_name
The name by which the DHCP service is to be recognized by the system. The name can be from 1 to 63 alpha and/or numeric characters in length and is case sensitive.
Usage
Use this command to add a DHCP service to a context configured on the system and enter the DHCP service configuration mode. A DHCP service is a logical grouping of external DHCP servers.
The DHCP configuration mode provides parameters that dictate the system’s communication with one or more of these DHCP servers.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Refer to the DHCP Service Configuration Mode chapter of this reference for additional information.
Example
The following command creates a DHCP service called dhcp1 and enters the DHCP service configuration mode:
dhcp-service dhcp1
 
diameter accounting
This command configures Diameter accounting related settings.
Product
All
Privilege
Security Administrator, Administrator
Syntax
diameter accounting { dictionary { aaa-custom1 | aaa-custom10 | aaa-custom2 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq | rf-plus } | endpoint endpoint_name | hd-mode fall-back-to-local | hd-storage-policy hd_policy | max-retries tries | max-transmissions transmissions | request-timeout duration | server host_name priority priority }
default diameter accounting { dictionary | hd-mode | max-retries | max-transmissions | request-timeout }
no diameter accounting { endpoint | hd-mode | hd-storage-policy | max-retries | max-transmissions | server host_name }
no diameter accounting { endpoint | hd-mode | hd-storage-policy | max-retries | max-transmissions | server host_name }
endpoint: Removes the currently configured accounting endpoint. The default accounting server configured in the default AAA group will be used.
hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies records to the local HDD and periodically retries the Diameter server.
hd-storage-policy: Disables use of the specified HD storage policy.
max-retries: Disables the retry attempts for Diameter accounting in this AAA group.
max-transmissions: Disables the maximum number of transmission attempts for Diameter accounting in this AAA group.
server host_name: Removes the Diameter host host_name from this AAA server group for Diameter accounting.
default diameter accounting { dictionary | hd-mode | max-retries | max-transmissions | request-timeout }
dictionary: Sets the context’s dictionary as the system default.
hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies records to the local HDD and periodically retries the Diameter server.
max-retries: Sets the retry attempts for Diameter accounting in this AAA group to default 0 (disable).
max-transmissions: Sets the maximum transmission attempts for Diameter accounting in this AAA group to default 0 (disable).
request-timeout: Sets the timeout duration, in seconds, for Diameter accounting requests in this AAA group to default (20).
dictionary { aaa-custom1 | aaa-custom10 | aaa-custom2 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq | rf-plus }
Specifies the Diameter accounting dictionary.
aaa-custom1 ... aaa-custom10: The custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.
nasreq: nasreq dictionary—the dictionary defined by RFC 4005.
rf-plus: RF Plus dictionary.
endpoint endpoint_name
Enables Diameter to be used for accounting, and specifies which Diameter endpoint to use.
endpoint_name must be a string of 1 through 63 characters in length.
hd-mode fall-back-to-local
Specifies that records be copied to the local HDD if the Diameter server is down or unreachable. CDF/CGF will pull the records through SFTP.
hd-storage-policy hd_policy
Specifies the HD Storage policy name.
hd_policy must be the name of a configured HD Storage policy, and must be a string of 1 through 63 alpha and/or numeric characters in length.
HD storage policies are configured through the Global Configuration Mode.
This and the hd-mode command are used to enable the storage of Rf Diameter Messages to HDD in case all Diameter Servers are down or unreachable.
max-retries tries
Specifies how many times a Diameter request should be retried with the same server, if the server fails to respond to a request.
tries specifies the maximum number of retry attempts. The value must be an integer from 1 through 1000.
Default: 0
max-transmissions transmissions
Specifies the maximum number of transmission attempts for a Diameter request. Use this in conjunction with the "max-retries tries" option to control how many servers the system attempts to communicate with.
transmissions specifies the maximum number of transmission attempts for a Diameter request. The value must be an integer from 1 through 1000.
Default: 0
request-timeout duration
Specifies how long the system will wait for a response from a Diameter server before re-transmitting the request.
duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request. The value must be an integer from 1 to 3600.
Default: 20
server host_name priority priority
Specifies the current context Diameter accounting server’s host name and priority.
host_name specifies the Diameter host name, and must be a string of 1 through 63 characters in length.
priority specifies the relative priority of this Diameter host. The priority is used in server selection. The priority must be an integer from 1 through 1000.
Usage
Use this command to manage the Diameter accounting options according to the Diameter server used for the context.
Example
The following command specifies the Diameter accounting dictionary:
diameter accounting dictionary <dictionary>
The following command specifies the Diameter endpoint:
diameter accounting endpoint <endpoint_name>
The following commands specify the Diameter accounting options:
diameter accounting max-retries <tries>
diameter accounting max-transmissions <transmissions>
diameter accounting request-timeout <duration>
diameter accounting server <host_name> priority <priority>
The following commands disable/clear the options:
no diameter accounting endpoint
no diameter accounting server <host_name>
 
diameter authentication
Use this command to configure Diameter authentication related settings.
Product
All
Privilege
Security Administrator, Administrator
Syntax
diameter authentication { dictionary { aaa-custom1 | aaa-custom10 | aaa-custom11 | aaa-custom12 | aaa-custom13 | aaa-custom14 | aaa-custom15 | aaa-custom16 | aaa-custom17 | aaa-custom18 | aaa-custom19 | aaa-custom2 | aaa-custom20 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq } | endpoint endpoint_name | max-retries tries | max-transmissions transmissions | redirect-host-avp { just-primary | primary-then-secondary } | request-timeout duration | server host_name priority priority }
default diameter authentication { dictionary | max-retries | max-transmissions | redirect-host-avp | request-timeout }
no diameter authentication { endpoint | max-retries | max-transmissions | server host_name }
no diameter authentication { endpoint | max-retries | max-transmissions | server host_name }
endpoint: Removes the authentication endpoint. The default server configured in default AAA group will be used.
max-retries: Disables the retry attempts for Diameter authentication in this AAA group.
max-transmissions: Disables the maximum transmission attempts for Diameter authentication in this AAA group.
server host_name: Removes the Diameter host host_name from this AAA server group for Diameter authentication.
default diameter authentication { dictionary | max-retries | max-transmissions | redirect-host-avp | request-timeout }
dictionary: Sets the context’s dictionary as the system default.
max-retries: Sets the retry attempts for Diameter authentication requests in this AAA group to default 0 (disable).
max-transmissions: Sets the configured maximum transmission attempts for Diameter authentication in this AAA group to default 0 (disable).
redirect-host-avp: Sets the redirect choice to default (just-primary).
request-timeout: Sets the timeout duration, in seconds, for Diameter authentication requests in this AAA group to default (20).
dictionary { aaa-custom1 | aaa-custom10 | aaa-custom11 | aaa-custom12 | aaa-custom13 | aaa-custom14 | aaa-custom15 | aaa-custom16 | aaa-custom17 | aaa-custom18 | aaa-custom19 | aaa-custom2 | aaa-custom20 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq }
Specifies the Diameter authentication dictionary.
aaa-custom1 ... aaa-custom20: The custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.
Important: aaa-custom11 dictionary is only available in Release 8.1 and later. aaa-custom12 to aaa-custom20 dictionaries are only available in Release 9.0 and later releases.
nasreq: nasreq dictionary—the dictionary defined by RFC 4005.
endpoint endpoint_name
Enables Diameter to be used for authentication, and specifies which Diameter endpoint to use.
endpoint_name must be a string of 1 through 63 characters in length.
max-retries tries
Specifies how many times a Diameter authentication request should be retried with the same server, if the server fails to respond to a request.
tries specifies the maximum number of retry attempts, and must be an integer from 1 through 1000.
Default: 0
max-transmissions transmissions
Specifies the maximum number of transmission attempts for a Diameter authentication request. Use this in conjunction with the "max-retries tries" option to control how many servers the system attempts to communicate with.
transmissions specifies the maximum number of transmission attempts, and must be an integer from 1 through 1000.
Default: 0
redirect-host-avp { just-primary | primary-then-secondary }
Specifies whether to use only one returned AVP, or to use the first returned AVP to select the primary host and the second returned AVP to select the secondary host.
just-primary: Redirect only to the primary host.
primary-then-secondary: Redirect to the primary host; if that fails, redirect to the secondary host.
Default: just-primary
request-timeout duration
Specifies how long the system will wait for a response from a Diameter server before re-transmitting the request.
duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request, and must be an integer from 1 through 3600.
Default: 20 seconds
server host_name priority priority
Specifies the current context Diameter authentication server’s host name and priority.
host_name specifies the Diameter host name, and must be a string of 1 through 63 characters in length.
priority specifies the relative priority of this Diameter host, and must be an integer from 1 through 1000. The priority is used in server selection.
Usage
Use this command to manage the Diameter authentication options according to the Diameter server used for the context.
Example
The following command specifies the Diameter authentication dictionary:
diameter authentication dictionary <dictionary>
The following command specifies the Diameter endpoint:
diameter authentication endpoint <endpoint_name>
The following commands specify Diameter authentication options:
diameter authentication max-retries <tries>
diameter authentication max-transmissions <transmissions>
diameter authentication redirect-host-avp primary-then-secondary
diameter authentication server <host_name> priority <priority>
diameter authentication request-timeout <duration>
The following commands disable/clear the options:
no diameter authentication endpoint
no diameter authentication server <host_name>
 
diameter authentication failure-handling
This command configures error handling for Diameter EAP requests.
Product
All
Privilege
Security Administrator, Administrator
Syntax
diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } { request-timeout action { continue | retry-and-terminate | terminate } | result-code result_code { [ to result_code ] action { continue | retry-and-terminate | terminate } } }
no diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } result-code result_code [ to result_code ]
default diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } request-timeout action
no
Disables Diameter authentication failure handling.
default
Configures the default Diameter authentication failure handling setting.
authorization-request
Specifies that failure handling is to be performed on Diameter authorization request messages (AAR/AAA).
eap-request
Specifies configuring failure handling for EAP requests.
eap-termination-request
Specifies configuring failure handling for EAP termination requests.
request-timeout action { continue | retry-and-terminate | terminate }
Specifies the action to be taken for failures:
continue: Continues the session
retry-and-terminate: First retries; if the retry fails, terminates the session
terminate: Terminates the session
result-code result_code { [ to result_code ] action { continue | retry-and-terminate | terminate } }
result_code: Specifies the result code number, must be an integer from 1 through 65535.
to result_code: Specifies the upper limit of a range of result codes. to result_code must be greater than result_code.
action { continue | retry-and-terminate | terminate }: Specifies action to be taken for failures:
continue: Continues the session
retry-and-terminate: First retries; if the retry fails, terminates the session
terminate: Terminates the session
Usage
Use this command to configure error handling for Diameter EAP, EAP-termination, and authorization requests. Specific actions (continue, retry-and-terminate, or terminate) can be associated with each possible result-code. Ranges of result codes can be defined with the same action, or actions can be specific on a per-result code basis.
Example
The following commands configure result codes 5001, 5002, 5004, and 5005 to use "action continue" and result code 5003 to use "action terminate":
diameter authentication failure-handling eap-request result-code 5001 to 5005 action continue
diameter authentication failure-handling eap-request result-code 5003 action terminate
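The following Python sketch is an added example, not vendor code: it parses result-code failure-handling commands, enforces the documented limits (codes 1 through 65535, "to" value greater than the first code), and resolves the effective action per result code so that failure codes left on "continue" can be reviewed. It assumes a later command overrides an earlier one for the codes it covers, which reproduces the outcome described in the example above; the 3xxx-5xxx failure classes come from RFC 6733.

```python
import re
from dataclasses import dataclass

ACTIONS = {"continue", "retry-and-terminate", "terminate"}
REQUEST_TYPES = {"authorization-request", "eap-request", "eap-termination-request"}

RULE_RE = re.compile(
    r"^diameter authentication failure-handling (?P<req>\S+) "
    r"result-code (?P<lo>\d+)(?: to (?P<hi>\d+))? action (?P<action>\S+)$"
)

# The two commands from the example on this page.
SAMPLE_CONFIG = """\
diameter authentication failure-handling eap-request result-code 5001 to 5005 action continue
diameter authentication failure-handling eap-request result-code 5003 action terminate
"""


@dataclass(frozen=True)
class Rule:
    request_type: str
    low: int
    high: int
    action: str


def parse_rules(config_text):
    """Parse result-code rules, enforcing the limits documented above."""
    rules = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        m = RULE_RE.match(line)
        if m is None:
            continue  # other commands, including "request-timeout action ..."
        low = int(m["lo"])
        high = int(m["hi"]) if m["hi"] else low
        if m["req"] not in REQUEST_TYPES or m["action"] not in ACTIONS:
            raise ValueError(f"unknown keyword: {line}")
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError(f"result code outside 1-65535: {line}")
        if m["hi"] and high <= low:
            raise ValueError(f"'to' value must exceed the first code: {line}")
        rules.append(Rule(m["req"], low, high, m["action"]))
    return rules


def resolve(rules, request_type, result_code):
    """Action for one result code, or None when no rule covers it.

    Assumption (not stated on the page): a later command overrides an
    earlier one for the codes it covers.
    """
    action = None
    for rule in rules:
        if rule.request_type == request_type and rule.low <= result_code <= rule.high:
            action = rule.action
    return action


def continue_on_failure(rules, request_type):
    """Failure-class codes (3xxx-5xxx, RFC 6733) whose effective action is continue."""
    covered = set()
    for rule in rules:
        if rule.request_type == request_type:
            covered.update(range(max(rule.low, 3000), min(rule.high, 5999) + 1))
    return [c for c in sorted(covered) if resolve(rules, request_type, c) == "continue"]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_CONFIG)
    for code in range(5001, 5006):
        print(code, resolve(parsed, "eap-request", code))
    print("codes to review:", continue_on_failure(parsed, "eap-request"))
```

Codes returned by continue_on_failure are those for which the session proceeds even though the Diameter server reported a failure, so each one should be a deliberate choice.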
 
diameter dictionary
This command is deprecated and is replaced by the diameter accounting dictionary and diameter authentication dictionary commands. See diameter accounting and diameter authentication commands respectively.
 
diameter endpoint
This command enables creating/configuring/deleting a Diameter endpoint.
Product
All
Privilege
Security Administrator, Administrator
Syntax
diameter endpoint endpoint_name [ -noconfirm ]
no diameter endpoint endpoint_name
no
Removes the specified Diameter endpoint.
endpoint_name
Specifies the Diameter endpoint name.
endpoint_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named endpoint does not exist, it is created, and the CLI mode changes to the Diameter Endpoint Configuration mode wherein the endpoint can be configured.
If the named endpoint already exists, the CLI mode changes to the Diameter Endpoint Configuration mode wherein the endpoint can be reconfigured.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Usage
Use this command to create/configure/delete a Diameter origin endpoint.
Example
The following command creates a Diameter origin endpoint named test13:
diameter endpoint test13
 
diameter sctp
Configures Diameter SCTP parameters for all diameter endpoints within the context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
diameter sctp { hearbeat-interval interval | path max-retransmissions retransmissions }
default diameter sctp { heartbeat-interval | path max-retransmissions }
default
Configures this command with the default settings.
heartbeat-interval: Sets the heartbeat interval to the default value.
path max-retransmissions: Sets the SCTP path maximum retransmissions to the default value.
hearbeat-interval interval
Specifies the time interval between heartbeat chunks sent to a destination transport address in seconds.
interval must be an integer from 1 through 255.
Default: 30 seconds
path max-retransmissions retransmissions
Specifies the maximum number of consecutive retransmissions over a destination transport address of a peer endpoint before it is marked as inactive.
retransmissions must be an integer from 1 through 10.
Default: 10
Usage
Use this command to configure Diameter SCTP parameters for all diameter endpoints within the context.
Example
The following command configures the heartbeat interval to 60 seconds:
diameter sctp hearbeat-interval 60
The following command configures the maximum number of consecutive retransmissions to 6, after which the endpoint is marked as inactive:
diameter sctp path max-retransmissions 6
 
diameter origin
 
This command is deprecated and is replaced by the diameter endpoint command.
 
dns-client
Creates a DNS client and/or enters the DNS Client Configuration Mode.
Product
SCM, SGSN
Privilege
Security Administrator, Administrator
Syntax
[ no ] dns-client name [ -noconfirm ]
no
Removes the specified DNS client from the context.
name
Specifies a name for the DNS client. name must be from 1 to 63 alpha and/or numeric characters in length.
Usage
Use this command to create a new DNS client and enter the DNS Client Configuration Mode or enter the mode for an existing client.
Entering this command results in the following prompt:
[context_name]hostname(config-dns-client)#
DNS Client Configuration Mode commands are defined in the DNS Client Configuration Mode Commands chapter.
Example
The following command enters the DNS Client Configuration Mode for a DNS client named dns1:
dns-client dns1
 
domain
Configures a domain alias for the current context.
Product
PDSN, HA
Privilege
Security Administrator, Administrator
Syntax
domain [ * ] domain_name [ default subscriber subs_temp_name ]
no domain [ * ] domain_name
no domain [ * ] domain_name
Indicates the domain specified is to be removed as an alias to the current context.
[ * ] domain_name
domain_name specifies the domain alias to create/remove from the current context. If the domain portion of a subscriber’s user name matches this value, the current context is used for that subscriber.
domain_name must be an alpha and/or numeric string of 1 through 79 characters in length. The domain name can contain all special characters, however note that the character * (wildcard character) is only allowed at the beginning of the domain name.
If the domain name is prefixed with * (wildcard character), and an exact match is not found for the domain portion of a subscriber’s user name, subdomains of the domain name are matched. For example, if the domain portion of a subscriber’s user name is abc.xyz.com and you use the domain command domain *xyz.com it matches. But if you do not use the wildcard (domain xyz.com) it does not match.
Important: The domain alias specified must not conflict with the name of any existing context or domain names.
default subscriber subs_temp_name
Specifies the name of the subscriber template to apply to subscribers using this domain alias. subs_temp_name must be an alpha and/or numeric string of 1 through 127 characters in length. If this keyword is not specified the default subscriber configuration in the current context is used.
Usage
Set a domain alias when a single context may be used to support multiple domains via aliasing.
Example
domain sampleDomain.net
no domain sampleDomain.net
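The following Python sketch is an added example, not vendor code, of the alias matching rules described above: an exact alias wins, a "*" alias then matches subdomains only, and an alias may not duplicate a context name or another alias. The context names, the user@domain user name format, case-insensitive comparison, and preferring the longest wildcard when several match are assumptions made for the illustration.

```python
# Constructed sample: context name -> domain aliases configured in that context.
CONTEXTS = {
    "ispA": ["*xyz.com"],
    "ispB": ["corp.xyz.com"],
    "ispC": ["sampleDomain.net"],
}


def validate_alias(alias):
    """Apply the documented limits: 1-79 characters, '*' only as the first character."""
    if not 1 <= len(alias) <= 79:
        raise ValueError(f"alias must be 1 through 79 characters: {alias!r}")
    if "*" in alias[1:]:
        raise ValueError(f"'*' is only allowed at the beginning: {alias!r}")
    return alias


def build_alias_table(contexts):
    """Return {alias: context}, rejecting aliases that conflict with a
    context name or with an alias that is already defined."""
    names = {name.lower() for name in contexts}
    table = {}
    for context, aliases in contexts.items():
        for alias in aliases:
            key = validate_alias(alias).lower()  # assumption: case-insensitive
            if key in names:
                raise ValueError(f"alias {alias!r} conflicts with a context name")
            if key in table:
                raise ValueError(f"alias {alias!r} is already defined")
            table[key] = context
    return table


def select_context(username, table):
    """Return the context selected by the domain portion of username, or None."""
    _, sep, domain = username.rpartition("@")  # assumption: user@domain format
    if not sep or not domain:
        return None
    domain = domain.lower()
    if domain in table:  # an exact match is tried first
        return table[domain]
    best = None
    for alias, context in table.items():
        if not alias.startswith("*"):
            continue
        base = alias[1:].lstrip(".")
        # Wildcard aliases match subdomains of the base domain only.
        if base and domain.endswith("." + base):
            if best is None or len(base) > len(best[0]):
                best = (base, context)  # assumption: longest wildcard wins
    return best[1] if best else None


if __name__ == "__main__":
    aliases = build_alias_table(CONTEXTS)
    for user in ("alice@abc.xyz.com", "bob@corp.xyz.com", "carol@xyz.com"):
        print(user, "->", select_context(user, aliases))
```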
 
eap-profile
Creates a new, or specifies an existing, Extensible Authentication Protocol (EAP) profile and enters the EAP Configuration Mode.
Product
ASN GW, PDIF
Privilege
Security Administrator, Administrator
Syntax
[ no ] eap-profile name
name
Specifies the name of a new or existing EAP profile. name must be from 1 to 256 alpha and/or numeric characters.
Usage
Use this command to create a new or enter an existing EAP profile.
Entering this command results in the following prompt:
[context_name]hostname(config-ctx-eap-profile)#
EAP Configuration Mode commands are defined in the EAP Configuration Mode Commands chapter.
Example
The following command configures an EAP profile called eap1 and enters the EAP Configuration Mode:
eap-profile eap1
 
edr-module active-charging-service
This command creates the Event Data Record (EDR) module and enters the EDR Module Active Charging Service Configuration Mode.
Product
ACS, GGSN, HA, LNS, PDSN
Privilege
Security Administrator, Administrator
Syntax
edr-module active-charging-service
Usage
Use this command to create the EDR module for the context and configure the EDR module for active charging service records. You must be in a non-local context when specifying this command, and you must use the same context when specifying the UDR module command.
Example
edr-module active-charging-service
 
egtp-service
Creates an eGTP service or specifies an existing eGTP service and enters the eGTP service configuration mode for the current context.
Product
MME, P-GW, S-GW
Privilege
Administrator
Syntax
egtp-service service_name [ -noconfirm ]
no egtp-service service_name
service_name
Specifies the name of the eGTP service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no egtp-service service_name
Removes the specified eGTP service from the context.
Usage
Enter the eGTP service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Entering this command results in the following prompt:
[context_name]hostname(config-egtp-service)#
eGTP Service Configuration Mode commands are defined in the eGTP Service Configuration Mode Commands chapter.
Use this command when configuring the following GTP SAE components: MME, P-GW, and S-GW.
Example
The following command enters the existing eGTP service configuration mode (or creates it if it doesn’t already exist) for the service named egtp-service1:
egtp-service egtp-service1
The following command will remove egtp-service1 from the system:
no egtp-service egtp-service1
 
end
Exits the context configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to change to the Exec mode.
 
exit
Exits the context configuration mode and returns to the global configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the Global Configuration mode.
 
external-inline-server
 
This is a restricted command.
 
fa-service
Creates/deletes a foreign agent service or specifies an existing FA service for which to enter the foreign agent service configuration mode for the current context.
Product
PDSN, ASN-GW, FA
Privilege
Security Administrator, Administrator
Syntax
[ no ] fa-service name
no
Indicates the foreign agent service specified is to be removed.
name
Specifies the name of the FA service to configure. If name does not refer to an existing service, the new service is created if resources allow. name must be from 1 to 63 alpha and/or numeric characters.
Usage
Enter the FA service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Example
The following command will enter the FA service configuration mode creating the service sampleService, if necessary.
fa-service sampleService
The following command will remove sampleService as being a defined FA service.
no fa-service sampleService
 
firewall max-associations
 
This command is obsolete.
 
ggsn-service
Creates/deletes a Gateway GPRS Support Node (GGSN) service and enters the GGSN service configuration mode within the current context.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
ggsn-service name [ -noconfirm ]
no ggsn-service name
no
Deletes a previously configured GGSN service.
name
Specifies the name of the GGSN service to create/configure.
name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Usage
Services are configured within a context and enable certain functionality. This command creates and allows the configuration of services enabling the system to function as a GGSN in a GPRS or UMTS network. This command is also used to remove previously configured GGSN services.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Example
The following command creates a GGSN service named ggsn1:
ggsn-service ggsn1
 
gprs-service
This command creates a GPRS service instance and enters the GPRS Service configuration mode. This mode configures all of the parameters specific to the operation of an SGSN in a GPRS network.
 
Important: For details about the commands and parameters for this mode, check the GPRS Service Configuration Mode chapter.
Product
SGSN
Privilege
Security Administrator, Administrator
Syntax
gprs-service srvc_name
no gprs-service srvc_name
no
Removes the configuration for the specified GPRS service from the configuration for the current context.
srvc_name
A unique string of 1 to 63 alphanumeric characters that identifies the specific GPRS service.
Usage
Use this command to create or remove a GPRS service. Entering this command will move the system to the GPRS Service configuration mode and change the prompt to:
[context_name]hostname(config-gprs-service)#
Example
The following command creates a GPRS service named gprs1:
gprs-service gprs1
The following command removes the GPRS service named gprs1:
no gprs-service gprs1
 
gs-service
This command creates a Gs service instance and enters the Gs Service configuration mode. This mode configures the parameters specific to the Gs interface between the SGSN and the MSC/VLR.
Product
SGSN
Privilege
Security Administrator, Administrator
Syntax
gs-service svc_name [-noconfirm ]
no gs-service svc_name
no
Remove the configured Gs service from the current context.
svc_name
A unique string of 1 to 63 alphanumeric characters that identifies the specific Gs service.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Usage
Use this command to create, edit, or remove a Gs service.
A maximum of 32 Gs services can be configured in one context/system. This limit is subject to the maximum of 256 services (regardless of type) that can be configured per system.
Important: For details about the commands and parameters for this mode, refer to the Gs Service Configuration Mode chapter.
Example
The following command creates a Gs service named ‘gs1’:
gs-service gs1
The following command removes the Gs service named ‘gs1’:
no gs-service gs1
 
gtpp
The commands in this section change gtpp related parameters.
 
gtpp algorithm
Configures GTPP routing algorithms for the current context.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp algorithm { first-server | round-robin | first-n n }
first-server
Default: Enabled
Specifies that accounting data is sent to the first available charging gateway function (CGF) based upon the relative priority of each configured CGF.
round-robin
Default: Disabled
Specifies that accounting data is transmitted in a circular queue fashion such that data is sent to the highest priority CGF first, then to the next available CGF of the highest priority, and so on. Ultimately, the queue returns to the CGF with the highest configured priority.
first-n n
Default: 1 (Disabled)
Specifies that the AGW must send accounting data to n (more than one) CGFs based on their priority. Response from any one of the n CGFs would suffice to proceed with the call. The full set of accounting data is sent to each of the n CGFs.
n is the number of CGFs to which accounting data will be sent, and must be an integer from 2 through 65535.
Usage
Use this command to control how G-CDR accounting data is routed among the configured CGFs.
Example
The following command configures the system to use the round-robin algorithm when transmitting G-CDR accounting data:
gtpp algorithm round-robin
 
gtpp attribute
This command specifies the optional attributes to be present in the call detail records (CDRs) that the GPRS/UMTS access gateway generates. It also defines how the information is presented in CDRs by encoding the attribute field values.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp attribute { cell-plmn-id | diagnostics | duration-ms | imei | local-record-sequence-number | msisdn | node-id-suffix suffix | plmn-id [ unknown-use uncode_value ] | rat | record-extensions rat | sms { destination-number | recording-entity | service-centre } }
[ default ] gtpp attribute { cell-plmn-id | diagnostics | duration-ms | imei | local-record-sequence-number | msisdn | plmn-id | rat | record-extensions | sms { destination-number | recording-entity | service-centre } }
[ no ] gtpp attribute { cell-plmn-id | diagnostics | duration-ms | imei | local-record-sequence-number | msisdn | node-id-suffix | plmn-id | rat | record-extensions rat | sms { destination-number | recording-entity | service-centre } }
no
Removes the configured GTPP attributes from the CDRs.
default
Sets the default GTPP attributes in the generated CDRs. It also sets the default presentation of attribute values in generated CDRs.
cell-plmn-id
Default: Disabled
This keyword configures the SGSN to include the cell’s PLMN identifier (MCC and MNC) in generated CDRs (M-CDRs and/or the S-CDRs).
This keyword is applicable for SGSN only.
diagnostics
Default: Disabled
Includes the Diagnostic field in the CDR that is created when PDP contexts are released. The field will contain one of the following values:
36 - if the SGSN sends us "delete PDP context request".
38 - if the GGSN sends "delete PDP context request" due to GTP-C/GTP-U echo timeout with SGSN.
40 - if the GGSN sends "delete PDP context request" due to receiving a RADIUS Disconnect-Request message.
26 - if the GGSN sends "delete PDP context request" for any other reason (e.g., the operator types "clear subscribers" on the GGSN).
duration-ms
Default: Disabled
Specifies that the information contained in the mandatory Duration field be reported in milliseconds instead of seconds (as the standards require).
imei
Default: Disabled
This keyword configures the SGSN to include the International Mobile Equipment Id in generated CDRs (M-CDRs and/or the S-CDRs).
This keyword is applicable for SGSN only.
local-record-sequence-number
Default: Disabled
Includes the Node ID field in the CDR that is created when PDP contexts are released. The field consists of an AAA Manager identifier automatically appended to the name of the GGSN or SGSN service.
The name of the GGSN/SGSN service may be truncated, because the maximum length of the Node ID field is 20 bytes. Since each AAA Manager generates CDRs independently, this allows the Local Record Sequence Number and Node ID fields to uniquely identify a CDR.
msisdn
Default: Disabled
This keyword configures the SGSN to include the Mobile Subscribers Integrated Services Digital Network identifier in generated CDRs (M-CDRs and/or the S-CDRs).
This keyword is applicable for SGSN only.
node-id-suffix string
Default: Disabled
Specifies the string suffix to use in the NodeID field of GTPP CDRs. Each Session Manager task generates a unique NodeID string per GTPP context.
string: The configured Node-ID-Suffix, a string of 1 to 16 characters.
Important: The NodeID field is a printable string in the format ndddstring. n: The first digit is the SessMgr restart counter, with a value between 0 and 7. ddd: The number of SessMgr instances. Uses the specified NodeID-suffix in all CDRs. The “Node-ID” field consists of the SessMgr Recovery counter (1 digit) n + the AAA Manager identifier (3 digits) ddd + the configured Node-Id-suffix (1 to 16 characters) string.
Important: If the centralized LRSN feature is enabled, the “Node-ID” field consists of only the specified NodeID-suffix. Otherwise GTPP group name is used. For default GTPP groups, GTPP context-name (truncated to 16 characters) is used.
Important: The SessMgr recovery counter is updated only when session recovery is not enabled. If session recovery is enabled, the counter never updates. The node-id is displayed in the G-CDR irrespective of the gtpp dictionary. The G-CDR is not decoded in monitor protocol for custom1 / custom3 dictionaries.
plmn-id [ unknown-use uncode_value ]
Default: Enabled
Includes the SGSN PLMN Identifier value (the RAI) in generated CDR (M-CDRs and/or the S-CDRs), if it is provided by the SGSN in the GTP create PDP context request. It is omitted if the SGSN does not supply one.
Important: For the GGSN it provides radio access identifier as the SGSN PLMN Id and for SGSN it includes the PLMN-id of RNC.
unknown-use uncode_value encodes the specified value for "SGSN PLMN Identifier" in the CDR if SGSN PLMN-ID information is unavailable.
Must be followed by the uncode_value value to be encoded.
uncode_value must be a hexadecimal value between 0x0 and 0xFFFFFF.
This keyword is applicable for SGSN only.
rat
Default: Disabled
This keyword configures the SGSN to include the radio access technology attribute in generated CDRs (M-CDRs and/or the S-CDRs).
This keyword is applicable for SGSN only.
record-extensions rat
Default: Disabled
This keyword configures the SGSN to include the radio access technology attribute in record extension field of generated CDRs (M-CDRs and/or the S-CDRs).
This keyword is applicable for SGSN only.
sms { destination-number | recording-entity | service-centre }
Default: Disabled
This keyword configures the SGSN to include the SMS related attributes in generated S-SMO-CDRs or S-SMT-CDRs.
destination-number: This keyword includes the destination-number information of SMS in generated S-SMO-CDRs or S-SMT-CDRs.
Note: This is the destination number of the short message subscriber.
recording-entity: This keyword includes the recording entity information of SMS in generated S-SMO-CDRs or S-SMT-CDRs.
Note: The recording entity is the E.164 number of the SGSN.
service-centre: This keyword includes the service-centre information of SMS in generated S-SMO-CDRs or S-SMT-CDRs.
Note: This is the E.164 address of the SMS-service centre.
This keyword is applicable for SGSN only.
Usage
Use this command to configure the type of optional information fields to include in generated CDRs (M-CDRs, S-CDRs, S-SMO-CDR, S-SMT-CDR from SGSN and G-CDRs, eG-CDRs from GGSN) by the AGW (SGSN and/or GGSN). In addition, it controls how the information for some of the mandatory fields are reported.
Fields described as optional by the standards but not listed above will always be present in the CDRs, except for Record Extensions (which will never be present).
Important: This command can be repeated multiple times with different keywords to configure multiple GTPP attributes.
Example
The following command configures the system to report the time provided in the Duration field of the CDR in milliseconds:
gtpp attribute duration-ms
 
gtpp charging-agent
Configures the IP address and port of the system interface within the current context used to communicate with the CGF.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp charging-agent address ip_address [ port port ]
no gtpp charging-agent
no
Removes a previously configured charging agent address.
address ip_address
Specifies the IP address of the interface configured within the current context that is used to transmit CDR records (G-CDR/eG-CDR/M-CDR/S-CDR) to the CGF.
ip_address must be configured using dotted decimal notation.
port port
Optional. Specifies the Charging Agent UDP port.
If port is not defined, the default port number 49999 is used.
port must be an integer from 1 to 65535.
Important: Configuring gtpp charging-agent on port 3386 may interfere with a ggsn-service configured with the same IP address.
Default: 49999
Usage
This command establishes a Ga interface for the system. For GTPP accounting, one or more Ga interfaces must be specified for communication with the CGF. These interfaces must exist in the same context in which GTPP functionality is configured (refer to the gtpp commands in this chapter).
This command instructs the system as to what interface to use. The IP address supplied is also the address by which the GSN is known to the CGF. Therefore, the IP address used for the Ga interface could be identical to one bound to a GSN service (a Gn interface).
If no GSN service is configured in the same context as the Ga interface, the address configured by this command is used to receive unsolicited GTPP packets.
Example
The following command configures the system to use the interface with an IP address of 192.168.13.10 as the accounting interface with port 20000 to the CGF:
gtpp charging-agent address 192.168.13.10
gtpp charging-agent address 192.168.13.10 port 20000
 
gtpp data-request sequence-numbers
Configures the range of sequence numbers to be used in the GTPP data record transfer record (DRT). Use this command to set the start value for the sequence number.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp data-request sequence-numbers start { 0 | 1 }
default gtpp data-request sequence-numbers start
default
Default is 0 (zero).
start { 0 | 1 }
Specifies the value of the start sequence number for the GTPP Data Record Transfer Request. Default: 0
Usage
When the GGSN/SGSN is configured to send GTPP echo request packets, the SGSN always uses 0 as the sequence number in those packets. Re-using 0 as a sequence number in the DRT packets is allowed by the 3GPP standards; however, this CLI command makes it possible to inter-operate with CGFs that cannot properly handle the re-use of sequence number 0 in the echo request packets.
Example
The following command sets the sequence to start at 1.
gtpp data-request sequence-numbers start 1
 
gtpp dead-server suppress-cdrs
This command enables/disables CDR archival when a dead server is detected.
Important: This command is customer specific. For more information please contact your local service representative.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] gtpp dead-server suppress-cdrs
default
Configures the default setting.
Default: Disabled
no
Disables CDR archival.
Usage
Use this command to enable/disable CDR archival when a dead server is detected. With this CLI, once a server is detected as down, requests are purged. Also the requests generated for the period when the server is down are purged.
 
gtpp deadtime
Configures the amount of time to wait before attempting to communicate with a CGF that was previously marked as unreachable.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp deadtime time
time
Default: 120
Specifies the amount of time that must elapse before the system attempts to communicate with a CGF that was previously unreachable.
time is measured in seconds and can be configured to any integer value from 1 to 65535.
Usage
If the system is unable to communicate with a configured CGF, after a pre-configured number of failures the system marks the CGF as being down.
This command specifies the amount of time that the system waits prior to attempting to communicate with the downed CGF.
Refer to the gtpp detect-dead-server and gtpp max-retries commands for additional information on the process the system uses to mark a CGF as down.
Example
The following command configures the system to wait 60 seconds before attempting to re-communicate with a CGF that was marked as down:
gtpp deadtime 60
 
gtpp detect-dead-server
Configures the number of consecutive communication failures that could occur before the system marks a CGF as down.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp detect-dead-server consecutive-failures max_number
consecutive-failures max_number
Default: 0
Specifies the number of failures that could occur before marking a CGF as down.
max_number could be configured to any integer value from 0 to 1000.
Usage
This command works in conjunction with the gtpp max-retries parameter to set a limit to the number of communication failures that can occur with a configured CGF.
The gtpp max-retries parameter limits the number of attempts to communicate with a CGF. Once that limit is reached, the system treats it as a single failure. The gtpp detect-dead-server parameter limits the number of consecutive failures that can occur before the system marks the CGF as down and communicates with the CGF of next highest priority.
If all of the configured CGFs are down, the system ignores the detect-dead-server configuration and attempts to communicate with the highest priority CGF again.
If the system receives a GTPP Node Alive Request, Echo Request, or Echo Response message from a CGF that was previously marked as down, the system immediately treats it as being active.
Refer to the gtpp max-retries command for additional information.
Example
The following command configures the system to allow 8 consecutive communication failures with a CGF before it marks it as down:
gtpp detect-dead-server consecutive-failures 8
 
gtpp dictionary
This command designates the specific dictionary used by GTPP for a specific context.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp dictionary { custom1 | custom10 | custom11 | custom12 | custom13 | custom14 | custom15 | custom16 | custom17 | custom18 | custom19 | custom2 | custom20 | custom21 | custom22 | custom23 | custom24 | custom25 | custom26 | custom27 | custom28 | custom29 | custom3 | custom30 | custom4 | custom5 | custom6 | custom7 | custom8 | custom9 | standard }
default gtpp dictionary
default
Configures the default dictionary.
custom1
Custom-defined dictionary. It conforms to TS 32.015 v 3.6.0 for R99. It supports the encoding of IP addresses in text format for G-CDRs.
custom2
Custom-defined dictionary.
custom3
Custom-defined dictionary. It conforms to TS 32.015 v 3.6.0 for R99 except that it supports the encoding of IP addresses in Binary format for G-CDRs.
custom4
Custom-defined dictionary. It conforms to TS 32.015 v 3.6.0 for R99 except that:
custom5
Custom-defined dictionary.
custom6
Custom-defined dictionary for eG-CDR encoding.
custom7 ... custom30
Custom-defined dictionaries. These dictionaries have the default behavior of the “standard” dictionary.
standard
Default: Enabled
A dictionary conforming to TS 32.215 v 4.6.0 for R4 (and also R5 - extended QoS format).
Usage
Use this command to designate the specific dictionary used by GTPP for a specific context.
Example
The following command configures the system to use custom3 dictionary to encode IP address in Binary format in G-CDRs:
gtpp dictionary custom3
 
gtpp duplicate-hold-time
This command configures the number of minutes to hold onto CDRs that are possibly duplicates while waiting for the primary CGF to come back up.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp duplicate-hold-time minutes
minutes
Default: 60
When the primary CGF is down, the number of minutes to hold onto CDRs that may be duplicates.
minutes must be an integer from 1 to 10080.
Usage
Use this command to configure how long to hold onto CDRs that are possibly duplicates while waiting for the primary CGF to come back up. If the GGSN determines that the primary CGF is down, CDRs that were sent to the primary CGF but not acknowledged are sent by the GSN to the secondary CGF as “possibly duplicates”. When the primary CGF comes back up, the GSN uses GTPP to determine whether the possibly duplicate CDRs were received by the primary CGF. Then the secondary CGF is told whether to release or cancel those CDRs. This command configures how long the system should wait for the primary CGF to come back up. As soon as the configured time expires, the secondary CGF is told to release all of the possibly duplicate CDRs.
Example
Use the following command to set the amount of time to hold onto CDRs to 2 hours (120 minutes):
gtpp duplicate-hold-time 120
 
gtpp echo-interval
Configures the frequency at which the system sends GTPP echo packets to configured CGFs.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp echo-interval time
no gtpp echo-interval
no
Disables the use of the echo protocol except for the scenarios described in the Usage section for this command.
time
Default: 60
Specifies the time interval for sending GTPP echo packets.
time is measured in seconds and can be configured to any integer value from 60 to 2147483647.
Usage
The GTPP echo protocol is used by the system to ensure that it can communicate with configured CGFs. The system initiates this protocol for each of the following scenarios:
Upon the configuration of a new CGF server on the system using the gtpp server command as described in this chapter
Upon the execution of the gtpp test accounting command as described in the Exec Mode Commands chapter of this reference
Upon the execution of the gtpp sequence-numbers private-extensions command as described in this chapter
The echo-interval command is used in conjunction with the gtpp max-retries and gtpp timeout commands as described in this chapter.
In addition to receiving an echo response for this echo protocol, if we receive a GTPP Node Alive Request message or a GTPP Echo Request message from a presumed dead CGF server, we will immediately assume the server is active again.
The alive/dead status of the CGFs is used by the AAA Managers to affect the sending of CDRs to the CGFs. If all CGFs are dead, the AAA Managers will still send CDRs, (refer to the gtpp deadtime command), albeit at a slower rate than if a CGF were alive. Also, AAA Managers independently determine if CGFs are alive/dead.
Example
The following command configures an echo interval of 120 seconds:
gtpp echo-interval 120
 
gtpp egcdr
Configures the eG-CDR parameters and triggers.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp egcdr { final-record [ closing-cause [ same-in-all-partials | unique ] | include-content-ids { all | only-with-traffic } [ closing-cause { same-in-all-partials | unique } ] | losdv-max-containers number | lotdv-max-containers number | service-data-flow threshold [ interval seconds | volume { downlink | total | uplink } bytes ] | service-idle-timeout seconds }
default gtpp egcdr { final-record include-content-ids only-with-traffic closing-cause same-in-all-partials | losdv-max-containers | lotdv-max-containers | service-idle-timeout 0 }
no gtpp egcdr service-data-flow threshold { interval | volume { downlink [ uplink ] | total | uplink [ downlink ] } }
final-record [ closing-cause [ same-in-all-partials | unique ] | include-content-ids [ all | only-with-traffic ] ]
Enables configuration of the final eG-CDR.
closing-cause - Configures closing cause for the final eG-CDR.
same-in-all-partials - Specifies that the same closing cause is to be included for multiple final eG-CDRs.
unique - Specifies that the closing cause for final eG-CDRs is to be unique.
include-content-ids - Controls which content-ids are being included in the final eG-CDR.
all - Specifies that all content-ids be included in the final eG-CDR.
only-with-traffic - Specifies that only content-ids with traffic be included in the final eG-CDRs.
losdv-max-containers number
The maximum number of List of Service Data Volume (LoSDV) containers in one eG-CDR. number can be configured to any integer value from 1 to 255.
Default: 10
lotdv-max-containers number
The maximum number of List of Traffic Data Volume (LoTDV) containers in one eG-CDR. number can be configured to any integer value from 1 to 8.
Default: 8
service-data-flow threshold [ interval seconds | volume { downlink | total | uplink } bytes ]
Configures the thresholds for closing a service data flow container within an eG-CDR.
A service data flow container has statistics for an individual content-id. When the threshold is reached, the service data flow container is closed.
Default: disabled
service-idle-timeout seconds
Specifies a time period where if no data is reported for a service flow, then the service container is closed and added to eG-CDR (as part of LOSDV container list) with service condition change as ServiceIdleOut.
seconds can be configured to any integer value from 10 to 86,400.
Default: 0. This means there is no service-idle-timeout trigger.
Usage
Use this command to configure individual triggers for eG-CDR generation.
Example
Use the following command to set the maximum number of LoSDV containers to 7.
gtpp egcdr losdv-max-containers 7
 
gtpp error-response
This command configures the response when the system receives an error response after transmitting a DRT (data record transfer) request.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp error-response { discard-cdr | retry-request }
default gtpp error-response
default
Resets the system’s configuration to the default value for error-response. Default is retry-request.
discard-cdr
Instructs the system to purge the request upon receipt of an error response and not to retry.
retry-request
Instructs the system to retry sending a DRT after receiving an error response. This is the default behavior.
Usage
This command configures the system’s response to receiving an error message after sending a DRT request.
Example
gtpp error-response discard-cdr
 
gtpp group
Configures a GTPP server group in a context for the charging gateway function (CGF) accounting server(s) that the system is to communicate with.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp group group_name [ -noconfirm ]
group_name
Specifies the name of GTPP server group that is used for charging and/or accounting in a specific context.
group_name must be a string of 1 to 63 characters.
A maximum of 8 GTPP server groups (excluding system created default GTPP server group “default”) can be configured with this command in a context.
no
Removes the previously configured GTPP group within a context.
When a GTPP group is removed accounting information is not generated for all calls using that group and all calls associated with that group are dropped. A warning message displays indicating the number of calls that will be dropped.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Usage
This feature provides the charging gateway function (CGF) accounting server configurables for a group of servers. Instead of having a single list of CGF accounting servers per context, this feature configures multiple GTPP accounting server groups in a context, and each server group consists of a list of CGF accounting servers.
In case no GTPP server group is configured in a context, a server group named “default” is available and all the CGF servers configured in a specific context for CGF accounting functionality will be part of this “default” server group.
Example
The following command configures a GTPP server group named star1 for charging gateway function accounting functionality. This server group is available for all subscribers within that context.
gtpp group star1
 
gtpp max-cdrs
Configures the maximum number of charging data records (CDRs) included per packet.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp max-cdrs number_cdrs [ wait-time time ]
number_cdrs
Default: 1
Specifies the maximum number of CDRs to be inserted in a single packet.
number_cdrs: any integer value from 1 to 255.
wait-time time
Default: disabled
Specifies the number of seconds the system waits for CDRs to be inserted into the packet before sending it.
time: any integer from 1 to 300.
Important: If the wait-time expires, the packet is sent as this keyword over-rides number_cdrs.
Usage
CDRs are placed into a GTPP packet as the CDRs close. The system stops placing CDRs into a packet when either the maximum number_cdrs is met, or the wait-time expires, or the value for the gtpp max-pdu-size command is met.
Example
The following command configures the system to place a maximum of 10 CDRs in a single GTPP packet before transmitting the packet.
gtpp max-cdrs 10
 
gtpp max-pdu-size
Configures the maximum payload size of a single GTPP packet that could be sent by the system.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp max-pdu-size pdu_size
pdu_size
Default: 4096
Specifies the maximum payload size of the GTPP packet. The payload includes the CDR and the GTPP header.
pdu_size is measured in octets and can be configured to any integer value from 1024 to 65400.
Usage
The GTPP packet contains headers (layer 2, IP, UDP, and GTPP) followed by the CDR. Each CDR contains one or more volume containers. If a packet containing one CDR exceeds the configured maximum payload size, the system creates and sends the packet containing the one CDR regardless.
The larger the packet data unit (PDU) size allowed, the more volume containers that can be fit into the CDR.
The system performs standard IP fragmentation for packets that exceed the system’s maximum transmission unit (MTU).
Important: The maximum size of an IPv4 PDU (including the IPv4 and subsequent headers) is 65,535. However, a slightly smaller limit is imposed by this command because the system’s max-pdu-size doesn't include the IPv4 and UDP headers, and because the system may need to encapsulate GTPP packets in a different/larger IP packet (for sending to a backup device).
Example
The following command configures a maximum PDU size of 2048 octets:
gtpp max-pdu-size 2048
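The stop conditions described for gtpp max-cdrs and gtpp max-pdu-size can be modelled as follows. This is an added example, not vendor code: the function name, the 6-octet overhead value, the reason labels and the sample CDR sizes are assumptions made for illustration.

```python
def batch_cdrs(cdrs, max_cdrs=1, wait_time=None, max_pdu_size=4096, overhead=6):
    """Group closed CDRs into GTPP packets.

    cdrs: list of (close_time_seconds, size_octets), ordered by close time.
    overhead: octets counted for the GTPP header (assumed value).
    Returns (packets, pending): packets is a list of (cdr_sizes, reason);
    pending holds CDRs still waiting because no stop condition was met.
    """
    packets = []
    current, size, opened = [], overhead, None

    def flush(reason):
        nonlocal current, size, opened
        packets.append((current, reason))
        current, size, opened = [], overhead, None

    for close_time, cdr_size in cdrs:
        # Stop condition: wait-time expired since the first CDR was placed.
        if current and wait_time is not None and close_time - opened >= wait_time:
            flush("wait-time")
        # Stop condition: adding this CDR would exceed max-pdu-size.
        if current and size + cdr_size > max_pdu_size:
            flush("max-pdu-size")
        if not current:
            opened = close_time
        current.append(cdr_size)
        size += cdr_size
        if len(current) == 1 and size > max_pdu_size:
            # A single CDR larger than the limit is sent regardless.
            flush("oversize-single-cdr")
        elif len(current) >= max_cdrs:
            # Stop condition: number_cdrs reached.
            flush("max-cdrs")
    # With a wait-time configured, the last partial packet goes out on expiry.
    if current and wait_time is not None:
        flush("wait-time")
    return packets, current


# Constructed sample: (close time in seconds, CDR size in octets).
SAMPLE_CDRS = [(0, 400), (1, 400), (2, 400), (3, 2000),
               (20, 100), (21, 100), (40, 100)]

if __name__ == "__main__":
    sent, waiting = batch_cdrs(SAMPLE_CDRS, max_cdrs=3, wait_time=10,
                               max_pdu_size=1024)
    for sizes, reason in sent:
        print(f"{len(sizes)} CDR(s), {sum(sizes)} octets of CDR data: {reason}")
    print("still waiting:", waiting)
```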
 
gtpp max-retries
Configures the maximum number of times the system attempts to communicate with an unresponsive CGF.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp max-retries max_attempts
max_attempts
Default: 4
Specifies the number of times the system attempts to communicate with a CGF that is not responding.
max_attempts can be configured to any integer value from 1 to 15.
Usage
This command works in conjunction with the gtpp detect-dead-server and gtpp timeout parameters to set a limit to the number of communication failures that can occur with a configured CGF.
When the value specified by this parameter is met, a failure is logged. The gtpp detect-dead-server parameter specifies the number of consecutive failures that could occur before the server is marked as down.
In addition, the gtpp timeout command controls the amount of time between re-tries.
If the value for the max-retries is met, the system begins storing CDRs in Random Access Memory (RAM). The system allocates memory as a buffer, enough to store one million CDRs for a fully loaded chassis (a maximum of one outstanding CDR per PDP context). Archived CDRs are re-transmitted to the CGF until they are acknowledged or the system’s memory buffer is exceeded.
Refer to the gtpp detect-dead-server and gtpp timeout commands for additional information.
Example
The following command configures the maximum number of re-tries to be 8.
gtpp max-retries 8
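The interaction of gtpp max-retries, gtpp detect-dead-server and gtpp deadtime described in this chapter can be modelled as a small state machine. This is an added example, not vendor code: the class and method names and the 192.0.2.x addresses are constructed, and the model assumes a detect-dead-server threshold of at least 1.

```python
from dataclasses import dataclass
from typing import Optional

# Messages that, per this chapter, make a CGF marked as down active again.
ALIVE_MESSAGES = {"node-alive-request", "echo-request", "echo-response"}


@dataclass
class Cgf:
    ip: str
    priority: int                       # 1 is the highest priority
    failures: int = 0                   # consecutive failures counted so far
    down_since: Optional[float] = None  # None: the CGF is considered alive


class CgfSelector:
    def __init__(self, servers, max_retries=4, dead_after=8, deadtime=120):
        if dead_after < 1 or max_retries < 1:
            raise ValueError("this model needs thresholds of at least 1")
        self.servers = sorted(servers, key=lambda s: s.priority)
        self.max_retries = max_retries  # gtpp max-retries
        self.dead_after = dead_after    # gtpp detect-dead-server consecutive-failures
        self.deadtime = deadtime        # gtpp deadtime, in seconds

    def pick(self, now):
        """Highest-priority CGF that is alive or whose deadtime has elapsed."""
        for cgf in self.servers:
            if cgf.down_since is None or now - cgf.down_since >= self.deadtime:
                return cgf
        # All CGFs are down: try the highest-priority one again.
        return self.servers[0]

    def deliver(self, now, reachable):
        """Send one request. Returns (cgf_ip, acknowledged, attempts_used)."""
        cgf = self.pick(now)
        if cgf.ip in reachable:
            cgf.failures, cgf.down_since = 0, None
            return cgf.ip, True, 1
        # All max_retries attempts went unanswered: counted as ONE failure.
        cgf.failures += 1
        if cgf.failures >= self.dead_after:
            cgf.down_since = now
        return cgf.ip, False, self.max_retries

    def on_cgf_message(self, ip, kind):
        """A Node Alive/Echo message from a down CGF revives it immediately."""
        if kind not in ALIVE_MESSAGES:
            return False
        for cgf in self.servers:
            if cgf.ip == ip:
                cgf.failures, cgf.down_since = 0, None
                return True
        return False


def demo():
    a, b = "192.0.2.1", "192.0.2.2"   # constructed addresses
    sel = CgfSelector([Cgf(b, 5), Cgf(a, 1)],
                      max_retries=4, dead_after=2, deadtime=60)
    log = [sel.deliver(0, {b}),       # primary silent: failure 1 of 2
           sel.deliver(1, {b}),       # failure 2 of 2: primary marked down
           sel.deliver(2, {b})]       # next highest priority CGF is used
    sel.on_cgf_message(a, "echo-request")
    log.append(sel.deliver(3, {a, b}))  # primary is active again
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The model accepts a reviving message on the CGF address alone; whether the source port is also checked is governed by gtpp source-port-validation.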
 
gtpp node-id
This command configures the GTPP Node ID for all CDRs.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp node-id node_id
no gtpp node-id
no
Removes the previous gtpp node ID configuration.
node_id
Specifies the node ID for all CDRs.
node_id must be a string of 1 through 16 characters in length.
Usage
Use this command to configure the GTPP Node ID for all CDRs.
Example
The following command configures the GTPP Node ID as test123:
gtpp node-id test123
 
gtpp redirection-allowed
Configures the system to allow/disallow the redirection of CDRs when the primary CGF is unavailable.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp redirection-allowed
no gtpp redirection-allowed
Usage
This command allows operators to better handle erratic network links, without having to remove the configuration of the backup server(s) via the no gtpp server command.
This functionality is enabled by default.
If the no gtpp redirection-allowed command is executed, the system only sends CDRs to the primary CGF. If that CGF goes down, we will buffer the CDRs in memory until the CGF comes back or until the system runs out of buffer memory. In addition, if the primary CGF announces its intent to go down (with a GTPP Redirection Request message), the system responds to that request with an error response.
 
gtpp redirection-disallowed
 
This command has been obsoleted and replaced with the gtpp redirection-allowed command.
 
gtpp server
Configures the charging gateway function (CGF) accounting server(s) that the system is to communicate with.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp server ip_address [ max msgs ] [ priority priority ] [ udp-port port ] [ node-alive { enable | disable } ] [ -noconfirm ]
no gtpp server ip_address
no
Deletes a previously configured CGF.
ip_address
Specifies the IP address of the CGF in dotted decimal notation for IPv4 or colon notation for IPv6.
max msgs
Default: 256
Specifies the maximum number of outstanding or unacknowledged GTPP packets (from any one AAA Manager task) allowed for this CGF before the system begins buffering the packets.
msgs can be configured to any integer value from 1 to 256.
priority priority
Default: 1000
Specifies the relative priority of this CGF. When multiple CGFs are configured, the priority is used to determine which CGF server to send accounting data to.
priority can be configured to any integer value from 1 to 1000. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
udp-port port
Default: 3386
Specifies the UDP port over which the GSN communicates with the CGF. port can be configured to any integer value between 1 and 65535.
node-alive { enable | disable }
Default: Disable.
This optional keyword allows the operator to enable/disable the sending of Node Alive Requests from the GSN to the GTPP server (i.e. CGF). This can be configured on a per GTPP server basis.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Usage
Use this command to configure the CGF(s) that the system sends CDR accounting data to.
Multiple CGFs can be configured using multiple instances of this command. Up to 12 CGFs can be configured per system context. Each configured CGF can be assigned a priority. The priority is used to determine which server to use for any given subscriber based on the routing algorithm that has been implemented. A CGF with a priority of “1” has the highest priority.
Important: The configuration of multiple CGFs with the same IP address but different port numbers is not supported.
Each CGF can also be configured with the maximum allowable number of unacknowledged GTPP packets. Since multiple AAA Manager tasks could be communicating with the same CGF, the maximum is based on any one AAA Manager instance. If the maximum is reached, the system buffers the packets in Random Access Memory (RAM). The system allocates memory as a buffer, enough to store one million CDRs for a fully loaded chassis (a maximum of one outstanding CDR per PDP context).
Example
The following command configures a CGF with an IP address of 192.168.2.2 and a priority of 5.
gtpp server 192.168.2.2 priority 5
The following command deletes a previously configured CGF with an IP address of 100.10.35.7:
no gtpp server 100.10.35.7
 
gtpp source-port-validation
Toggles port checking for node alive/echo/redirection requests from the CGF.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp source-port-validation
[no | default] gtpp source-port-validation
no
Disables CGF port checking. Only the IP address will be used to verify CGF requests.
default
Restores this parameter to its default setting of enabled.
Usage
This command is for enabling or disabling port checking on node alive/echo/redirection requests from the CGF. If the CGF sends messages on a non-standard port, it may be necessary to disable port checking in order to receive CGF requests. On the default setting, both IP and port are checked.
Example
The following command disables port checking for CGF requests:
no gtpp source-port-validation
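A configuration review can check a context's gtpp lines against the constraints and side effects stated in this chapter. The following is an added example, not vendor tooling: the function names, finding codes and the sample configuration are constructed (the address 192.168.2.3 does not appear in this reference).

```python
import re

# Numeric ranges stated in this chapter.
RANGES = {
    "gtpp deadtime": (1, 65535),
    "gtpp max-retries": (1, 15),
    "gtpp max-pdu-size": (1024, 65400),
    "gtpp echo-interval": (60, 2147483647),
    "gtpp duplicate-hold-time": (1, 10080),
}

# Exact lines whose documented effect is purged CDRs or weaker CGF checks.
FLAGGED = {
    "no gtpp source-port-validation":
        ("source-port-validation-off",
         "CGF requests are verified by IP address only"),
    "gtpp error-response discard-cdr":
        ("discard-cdr", "a request is purged on an error response, no retry"),
    "gtpp dead-server suppress-cdrs":
        ("suppress-cdrs", "requests are purged while a server is down"),
    "no gtpp redirection-allowed":
        ("redirection-off",
         "CDRs go to the primary CGF only and are buffered in memory"),
}

AGENT_RE = re.compile(r"^gtpp charging-agent address \S+ port (\d+)$")
SERVER_RE = re.compile(r"^gtpp server (\S+)(.*)$")


def parse_server_options(rest):
    """Read priority and udp-port from a gtpp server line (documented defaults)."""
    opts = {"priority": 1000, "udp-port": 3386}
    tokens = rest.split()
    for key, value in zip(tokens, tokens[1:]):
        if key in opts and value.isdigit():
            opts[key] = int(value)
    return opts


def audit(config_text):
    """Return a sorted list of (line_number, code, explanation) findings."""
    findings, servers = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())
        if line in FLAGGED:
            findings.append((lineno,) + FLAGGED[line])
        for prefix, (low, high) in RANGES.items():
            if line.startswith(prefix + " "):
                value = line[len(prefix) + 1:].split()[0]
                if not (value.isdigit() and low <= int(value) <= high):
                    findings.append((lineno, "out-of-range",
                                     f"{prefix} accepts {low} to {high}, got {value}"))
        agent = AGENT_RE.match(line)
        if agent and agent.group(1) == "3386":
            findings.append((lineno, "charging-agent-port-3386",
                             "may interfere with a ggsn-service on the same IP address"))
        server = SERVER_RE.match(line)
        if server:
            opts = parse_server_options(server.group(2))
            servers.append((lineno, server.group(1),
                            opts["udp-port"], opts["priority"]))
    # Cross-line checks on the configured CGFs.
    ports, priorities = {}, {}
    for lineno, ip, port, priority in servers:
        if ports.setdefault(ip, port) != port:
            findings.append((lineno, "server-ip-reused",
                             f"{ip} with a different port is not supported"))
        if priorities.setdefault(priority, lineno) != lineno:
            findings.append((lineno, "server-priority-shared",
                             f"priority {priority} is already used by another CGF"))
    if len(servers) > 12:
        findings.append((servers[12][0], "too-many-servers",
                         "up to 12 CGFs can be configured per context"))
    return sorted(findings)


# Constructed sample configuration, one command per line.
SAMPLE_CONFIG = "\n".join([
    "gtpp charging-agent address 192.168.13.10 port 3386",
    "gtpp server 192.168.2.2 priority 5",
    "gtpp server 192.168.2.2 priority 6 udp-port 4000",
    "gtpp server 192.168.2.3 priority 5",
    "gtpp max-retries 20",
    "gtpp deadtime 60",
    "no gtpp source-port-validation",
    "gtpp error-response discard-cdr",
])

if __name__ == "__main__":
    for lineno, code, why in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {code}: {why}")
```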
 
gtpp storage-server
Configures information for the GTPP back-up storage server.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp storage-server ip-address port port-num
no gtpp storage-server ip-address port port-num
no
Removes a previously configured back-up storage server.
ip-address
The IP address of the back-up storage server expressed in dotted decimal notation.
port port-num
Default: 3386
Specifies the UDP port number over which the GSN communicates with the back-up storage server.
Usage
This command configures the information for the server to which GTPP packets are to be backed-up to in the event that all CGFs are unreachable.
One backup storage server can be configured per system context.
Important: This command only takes effect if gtpp single-source in the Global Configuration Mode is also configured. Additionally, this command is customer specific. Please contact your local sales representative for additional information.
Example
The following command configures a back-up server with an IP address of 192.168.1.2:
gtpp storage-server 192.168.1.2
 
gtpp storage-server local file
Configures the parameters for GTPP files stored locally on the GTPP storage server. This command is available for ASR 5000 platform only.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp storage-server local file { compression { gzip | none } | format { custom1 | custom2 | custom3 | custom4 | custom5 | custom6 } | name prefix prefix | purge-processed-files [ purge-interval purge_dur ] | rotation { cdr-count count | time-interval time | volume mb size } }
default gtpp storage-server local file { compression | format | name prefix | purge-processed-files | rotation { cdr-count | time-interval | volume } }
no gtpp storage-server local file rotation { purge-processed-files | rotation { cdr-count | time-interval } }
no
Removes previously configured parameters for local storage of CDR files on the HDD on the SMC card.
compression { gzip | none }
Configures the type of compression to be used on the files stored locally.
gzip — Enables Gzip file compression.
none — Disables Gzip file compression - this is the default value.
format (custom-n)
Configures the file format to be used to format files to be stored locally.
custom1 — File format custom1 - this is the default value.
custom2 — File format custom2.
custom3 — File format custom3.
custom4 — File format custom4.
custom5 — File format custom5.
custom6 — File format custom6 with a block size of 8K for CDR files.
name prefix prefix
Defines the prefix to be used for the file name. By default the file name prefix would be ‘GTPP-group-name + VPN-ID’.
prefix: Enter a string of 1 to 64 alphanumeric characters.
purge-processed-files [ purge-interval purge_dur ]
Default: Disabled.
Enables the GSN to periodically (every 4 minutes) delete locally processed (*.p) CDR files from the HDD on the SMC card.
Important: This option is available only when GTPP server storage mode is configured for local storage of CDRs with the gtpp storage-server mode local command.
Optional keyword purge-interval purge_dur provides an option for user to control the purge interval duration in minutes by setting purge_dur.
purge_dur must be an integer from 1 through 259200. The default value is 60 minutes.
rotation { cdr-count count | time-interval time | volume mb size }
Specifies rotation related configuration for GTPP files stored locally.
cdr-count count: Configures the CDR count for file rotation. Enter a value from 1000 to 65000. Default value is 10000.
time-interval time: Configures the time interval for file rotation. Enter a value in seconds ranging from 30 to 86400. Default value is 3600 seconds (1 hour).
volume mb size: Configures the file volume, in MB, for file rotation. Enter a value ranging from 2 to 40. This trigger cannot be disabled. Default value is 10MB.
Usage
This command configures the parameters for storage of GTPP packets as files on the local server - meaning the hard disk.
Example
The following command configures rotation for every 1.5 hours for locally stored files.
gtpp storage-server local file rotation time-interval 5400
 
gtpp storage-server max-retries
Configures the maximum number of times the system attempts to communicate with an unresponsive GTPP back-up storage server.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp storage-server max-retries max_attempts
max_attempts
Default: 2
Specifies the number of times the system attempts to communicate with a GTPP back-up storage server that is not responding.
max_attempts can be configured to any integer value from 1 to 15.
Usage
This command works in conjunction with the gtpp storage-server timeout parameters to set a limit to the number of communication failures that can occur with a configured GTPP back-up storage server.
The gtpp storage-server timeout command controls the amount of time between re-tries.
Refer to the gtpp storage-server timeout command for additional information.
Example
The following command configures the maximum number of re-tries to be 8.
gtpp storage-server max-retries 8
 
gtpp storage-server mode
This command configures storage mode, local or remote, for CDRs. Local storage mode is available with ASR 5000 platforms only.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp storage-server mode { local | remote | streaming }
default gtpp storage-server mode
default
Returns the GTPP group configuration to the default ‘remote’ value for the GTPP storage server mode.
local
Default: Disabled
Specifies the use of the hard disk on the SMC for storing CDRs
remote
Specifies the use of an external server for storing CDRs. This is the default value.
streaming
Default: Disabled
This keyword allows the operator to configure “streaming” mode of operation for GTPP group. When this keyword is supplied the CDRs will be stored in following fashion:
Usage
This command configures whether the CDRs should be stored on the hard disk of the SMC or remotely, on an external server.
Example
The following command configures use of a hard disk for storing CDRs.
gtpp storage-server mode local
 
gtpp storage-server timeout
Configures the amount of time that must pass with no response before the system re-attempts to communicate with the GTPP back-up storage server.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp storage-server timeout duration
duration
Default: 30
Specifies the maximum amount of time the system waits for a response from the GTPP back-up storage server before assuming the packet is lost.
duration is measured in seconds and can be configured to any integer value from 30 to 120.
Usage
This command works in conjunction with the gtpp storage-server max-retries command to establish a limit on the number of times that communication with a GTPP back-up storage server is attempted before a failure is logged.
This parameter specifies the time between retries.
Example
The following command configures a retry timeout of 60 seconds:
gtpp storage-server timeout 60
 
gtpp suppress-cdrs zero-volume-and-duration
This command suppresses the CDRs created by sessions having zero duration and/or zero volume. By default this mode is ‘disabled’.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp suppress-cdrs zero-volume-and-duration { gcdrs [egcdrs] | egcdrs [gcdrs] }
default gtpp suppress-cdrs zero-volume-and-duration
default
Disables the CDR suppression mode.
gcdrs [egcdrs]
Specifies that this command will handle G-CDRs before eG-CDRs.
egcdrs [gcdrs]
Specifies that this command will handle eG-CDRs before G-CDRs.
Usage
Use this command to suppress the CDRs (G-CDRs and eG-CDRs) that were created for zero-duration and zero-volume sessions for any reason. By default this command is disabled and the system does not suppress any CDR.
Example
The following command configures the system to suppress the eG-CDRs created for a zero duration session or zero volume session:
gtpp suppress-cdrs zero-volume-and-duration egcdrs gcdrs
 
gtpp timeout
Configures the amount of time that must pass with no response before the system re-attempts to communicate with the CGF.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp timeout time
time
Default: 20
Specifies the maximum amount of time the system waits for a response from the CGF before assuming the packet is lost.
time is measured in seconds and can be configured to any integer value from 1 to 60.
Usage
This command works in conjunction with the gtpp max-retries command to establish a limit on the number of times that communication with a CGF is attempted before a failure is logged.
This parameter specifies the time between retries.
Example
The following command configures a retry timeout of 30 seconds:
gtpp timeout 30
 
gtpp trigger
 
This command is left in place for backward compatibility. To disable and enable GTPP triggers you should use the gtpp trigger command in GTPP Server Group Configuration mode.
 
gtpp transport-layer
This command selects the transport layer protocol for the Ga interface for communication between AGWs (GSNs) and GTPP servers.
Product
GGSN, SGSN
Privilege
Security Administrator, Administrator
Syntax
gtpp transport-layer { tcp | udp }
default gtpp transport-layer
default
Resets the transport layer protocol to GTPP servers to the default UDP.
tcp
Default: Disabled
Enables the system to implement TCP as the transport layer protocol for communication with the GTPP server.
udp
Default: Enabled
Enables the system to implement UDP as the transport layer protocol for communication with the GTPP server.
Usage
Use this command to select TCP or UDP as the transport layer protocol for Ga interface communication between GTPP servers and AGWs (GSNs).
Example
The following command enables TCP as the transport layer protocol for the GSN’s Ga interface.
gtpp transport-layer tcp
 
gtpu-service
Creates a GTP-U service or specifies an existing GTP-U service and enters the GTP-U service configuration mode for the current context.
Product
GGSN, P-GW, S-GW
Privilege
Administrator
Syntax
gtpu-service service_name [ -noconfirm ]
no gtpu-service service_name
service_name
Specifies the name of the GTP-U service. If service_name does not refer to an existing service, a new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no gtpu-service service_name
Removes the specified GTP-U service from the context.
Usage
Enter the GTP-U service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Entering this command results in the following prompt:
[context_name]hostname(config-gtpu-service)#
GTP-U Service Configuration Mode commands are defined in the GTP-U Service Configuration Mode Commands chapter.
Example
The following command enters the existing GTP-U service configuration mode (or creates it if it doesn’t already exist) for the service named gtpu-service1:
gtpu-service gtpu-service1
The following command will remove gtpu-service1 from the system:
no gtpu-service gtpu-service1
 
ha-service
Creates/deletes a home agent service or specifies an existing HA service for which to enter the home agent service configuration mode for the current context.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
ha-service name
no ha-service name
no
Indicates the home agent service specified is to be removed.
name
Specifies the name of the HA service to configure. If name does not refer to an existing service, the new service is created if resources allow. name must be from 1 to 63 alpha and/or numeric characters.
Usage
Enter the HA service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Example
The following command will enter the HA service configuration mode creating the service sampleService, if necessary.
ha-service sampleService
The following command will remove sampleService as being a defined HA service.
no ha-service sampleService
 
hnbgw-service
This command creates/removes a Home NodeB Gateway (HNB-GW) service or configures an existing HNB-GW service and enters the HNB-GW service configuration mode for Femto UMTS access networks in the current context.
Product
HNB-GW
Privilege
Administrator
Syntax
hnbgw-service service_name [-noconfirm]
no hnbgw-service service_name
no
Removes the specified HNB-GW service from the context.
service_name
Specifies the name of the HNB-GW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Usage
Use this command to enter the HNB-GW service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 8 HNB-GW services can be configured on a system, which is further limited to a maximum of 256 services (regardless of type) per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Entering this command results in the following prompt:
[context_name]hostname(config-hnbgw-service)#
The commands configured in this mode are defined in the HNB-GW Service Configuration Mode Commands chapter of Command Line Interface Reference.
Caution: This is a critical configuration. The HNB-GW service cannot be configured without this configuration. Any change to this configuration leads to a restart of the HNB-GW service, and removing or disabling this configuration stops the HNB-GW service.
Example
The following command enters the existing HNB-GW service configuration mode (or creates it if it doesn’t already exist) for the service named hnb-service1:
hnbgw-service hnb-service1
The following command will remove hnb-service1 from the system:
no hnbgw-service hnb-service1
 
hsgw-service
Creates an HSGW service or specifies an existing HSGW service and enters the HSGW service configuration mode for the current context.
Product
HSGW
Privilege
Administrator
Syntax
hsgw-service service_name [ -noconfirm ]
no hsgw-service service_name
service_name
Specifies the name of the HSGW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no hsgw-service service_name
Removes the specified HSGW service from the context.
Usage
Enter the HSGW service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Entering this command results in the following prompt:
[context_name]hostname(config-hsgw-service)#
HSGW Service Configuration Mode commands are defined in the HSGW Service Configuration Mode Commands chapter.
Use this command when configuring the following eHRPD components: HSGW.
Example
The following command enters the existing HSGW service configuration mode (or creates it if it doesn’t already exist) for the service named hsgw-service1:
hsgw-service hsgw-service1
The following command will remove hsgw-service1 from the system:
no hsgw-service hsgw-service1
 
ikev1 disable-phase1-rekey
This command configures the rekeying of Phase1 SA when the Internet Security Association and Key Management Protocol (ISAKMP) lifetime expires in Internet Key Exchange (IKE) v1 protocol.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
[ no ] ikev1 disable-phase1-rekey
no
Disables this command, which re-enables rekeying of Phase 1 SAs when the ISAKMP lifetime expires.
Usage
Use this command to disable the rekeying of Phase 1 SAs when the ISAKMP lifetime expires in IKE v1 protocol.
Example
The following command disables rekeying of Phase1 SAs when the lifetime expires:
ikev1 disable-phase1-rekey
 
ikev1 keepalive dpd
This command configures the ISAKMP IPSec Dead Peer Detection (DPD) message parameters for IKE v1 protocol.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
[ no ] ikev1 keepalive dpd interval interval timeout time num-retry retries
no
Deletes previously configured IPSec DPD Protocol settings.
interval interval
The time interval at which IPSec DPD Protocol messages are sent.
interval is measured in seconds and can be configured to any integer value between 10 and 3600.
timeout time
The amount of time allowed for receiving a response from the peer security gateway prior to re-sending the message.
time is measured in seconds and can be configured to any integer value between 10 and 3600.
num-retry retries
The maximum number of times that the system should attempt to reach the peer security gateway prior to considering it unreachable.
retries can be configured to any integer value between 1 and 100.
Usage
Use this command to configure the ISAKMP dead peer detection parameters in IKE v1 protocol.
Tunnels belonging to crypto groups are perpetually kept “up” through the use of the IPSec Dead Peer Detection (DPD) packets exchanged with the peer security gateway.
Important: The peer security gateway must support RFC 3706 for this functionality to work properly.
This functionality is for use with the Redundant IPSec Tunnel Fail-over feature and to prevent IPSec tunnel state mismatches between the FA and HA when used in conjunction with Mobile IP applications.
Regardless of the application, DPD must be supported/configured on both security peers. If the system is configured with DPD but it is communicating with a peer that does not have DPD configured, IPSec tunnels still come up. However, the only indication that the remote peer does not support DPD exists in the output of the show crypto isakmp security associations summary dpd command.
Important: If DPD is enabled while IPSec tunnels are up, it will not take effect until all of the tunnels are cleared.
Example
The following command configures IPSec DPD Protocol parameters to have an interval of 15, a timeout of 10, and to retry each attempt 5 times:
ikev1 keepalive dpd interval 15 timeout 10 num-retry 5
 
ikev1 policy
This command configures/creates an ISAKMP policy with the specified priority and enters ISAKMP Configuration Mode for IKE v1 protocol.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
[ no ] ikev1 policy priority
no
Removes a previously configured ISAKMP policy for IKE v1 protocol.
priority
Default: 0
This must be an integer from 0 through 100. ISAKMP policies for IKE v1 protocol with lower priority numbers take precedence over policies with higher priorities. “0” is the highest priority.
Usage
Use this command to create ISAKMP policies to regulate how IPSec key negotiation is performed for IKE v1 protocol.
Internet Security Association Key Management Protocol (ISAKMP) policies are used to define Internet Key Exchange (IKE) SAs. The IKE SAs dictate the shared security parameters (i.e. which encryption parameters to use, how to authenticate the remote peer, etc.) between the system and a peer security gateway.
During Phase 1 of IPSec establishment, the system and a peer security gateway negotiate IKE SAs. These SAs are used to protect subsequent communications between the peers including the IPSec SA negotiation process.
Multiple ISAKMP policies can be configured in the same context and are used in an order determined by their priority number.
Example
Use the following command to create an ISAKMP policy with the priority 1 and enter the ISAKMP Configuration Mode:
ikev1 policy 1
 
ikev2-ikesa
Creates a new, or specifies an existing, IKEv2 security association transform set and enters the IKEv2 Security Association Configuration Mode.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
[ no ] ikev2-ikesa transform-set name
name
Specifies the name of a new or existing security association transform set. name must be from 1 to 127 alpha and/or numeric characters.
Usage
Use this command to create a new or enter an existing IKEv2 security association transform-set. A list of up to four separate transform-sets can be created.
Entering this command results in the following prompt:
[context_name]hostname(cfg-ctx-ikev2ikesa-tran-set)#
IKEv2 Security Association Configuration Mode commands are defined in the IKEv2 Security Association Configuration Mode Commands chapter.
Example
The following command configures an IKEv2 security association transform set called ikesa3 and enters the IKEv2 Security Association Configuration Mode:
ikev2-ikesa transform-set ikesa3
 
ims-auth-service
This command creates the specified IMS authorization service, and enters the IMS Authorization Service Configuration Mode within the current context for Gx/Ty interface support to a subscriber session for IMS authorization and flow-based charging procedures.
Product
PDSN, GGSN, HA
Privilege
Security Administrator, Administrator
Syntax
ims-auth-service auth_svc_name [ -noconfirm ]
[ no | default ] ims-auth-service auth_svc_name
no
Deletes the specified IMS authorization service within the specific context.
default
Restores default state of IMS authorization service, disabled for specific context.
auth_svc_name
Specifies the unique name of IMS authorization service across the system to be configured for Gx/Ty interface authentication within specific context.
auth_svc_name must be a unique string of 1 through 63 characters in length.
A maximum of 16 authorization services can be configured globally in the system. There is also a system limit for the maximum number of total configured services.
-noconfirm
Specifies that the command is to execute without any additional prompt and confirmation from the user.
Usage
Use this command to create/delete an IMS authorization service for Gx/Ty interface for a subscriber.
Example
The following command configures an IMS authorization service ims_interface1 within this context:
ims-auth-service ims_interface1
 
ims-sh-service
This command creates the specified IMS Sh service name to allow configuration of Sh service.
Product
PDIF, SCM
Privilege
Administrator
Syntax
ims-sh-service name
no ims-sh-service name
no
Removes a previously configured IMS-Sh-service.
name
Name of the IMS-Sh-service to be configured. name must be from 1 to 63 alpha and/or numeric characters.
Usage
The IMS-Sh-service is named in the pdif-service and/or cscf-service. Use this command to enter the IMS Sh Service Configuration Mode.
Entering this command results in the following prompt:
[context_name]hostname(config-ims-sh-service)#
IMS Sh Service Configuration Mode commands are defined in the IMS Sh Service Configuration Mode Commands chapter in this guide.
Example
The following example names a service to be configured:
ims-sh-service ims-1
 
inspector
Configures a context-level inspector account within the current context.
Product
All
Privilege
Security Administrator
Syntax
inspector user_name [ encrypted ] password pwd [ ecs | noecs ] [ expiry-date date_time ] [ li-administration ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle idle_seconds ] [ timeout-min-idle idle_minutes ]
no inspector user_name
no
Removes a previously configured inspector account.
user_name
Specifies a name for the context-level inspector account. user_name must be from 1 to 32 alpha and/or numeric characters.
[ encrypted ] password pwd
Specifies the password to use for the user which is being given context-level inspector privileges within the current context. The encrypted keyword indicates the password specified uses encryption.
The password specified as pwd must be from 1 to 63 alpha and/or numeric characters without encryption and must be from 1 to 127 alpha and/or numeric characters when encryption has been indicated.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
[ ecs | noecs ]
Default: noecs
ecs - Permits the specific user to access ACS-specific configuration commands.
noecs - Prevents the specific user from accessing ACS-specific configuration commands.
expiry-date date_time
The date and time that this account expires. Enter the date and time in the format YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss.
Where YYYY is the year, MM is the month, DD is the day of the month, HH is the hour, mm is minutes, and ss is seconds.
li-administration
Permits this user to execute Lawful Intercept commands.
Important: Users who have Lawful Intercept privileges are only given those privileges when connected to the system through a Secure Shell (SSH). If this user connects through a Telnet session or through the console port, Lawful Intercept privileges are not enabled.
timeout-absolute abs_seconds
Default: 0
This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.
Specifies the maximum amount of time, in seconds, the context-level inspector may have a session active before the session is forcibly terminated. abs_seconds must be a value in the range from 0 through 300000000.
The special value 0 disables the absolute timeout.
timeout-min-absolute abs_minutes
Default: 0
Specifies the maximum amount of time, in minutes, the context-level inspector may have a session active before the session is forcibly terminated. abs_minutes must be a value in the range from 0 through 525600 (365 days).
The special value 0 disables the absolute timeout.
timeout-idle idle_seconds
Default: 0
This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.
Specifies the maximum amount of idle time, in seconds, the context-level inspector may have a session active before the session is terminated. idle_seconds must be a value in the range from 0 through 300000000.
The special value 0 disables the idle timeout.
timeout-min-idle idle_minutes
Default: 0
Specifies the maximum amount of idle time, in minutes, the context-level inspector may have a session active before the session is terminated. idle_minutes must be a value in the range from 0 through 525600 (365 days).
The special value 0 disables the idle timeout.
Usage
Create a new context-level inspector or modify an existing inspector’s options, in particular, the timeout values.
Inspector users have minimal read-only privileges. Refer to the Command Line Interface Overview chapter of Cisco ASR 5000 Series Command Line Interface Reference for more information.
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
Example
The following command creates a context-level inspector account named user1:
inspector user1 password secretPassword
The following command removes a context-level inspector account named user1:
no inspector user1
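The inspector options above default to no session timeouts (0 disables them), and an account has no expiry unless expiry-date is set. The following audit script is an added example, not part of the vendor documentation: it parses inspector lines using only the syntax documented in this section and reports accounts that rely on those defaults. The sample configuration, the finding labels, and the choice to let the minute keyword win when both timeout forms are present are assumptions of this example.

```python
from datetime import datetime

# Option keywords from the inspector syntax above; True means a value follows.
OPTIONS = {
    "ecs": False, "noecs": False, "li-administration": False,
    "expiry-date": True, "timeout-absolute": True, "timeout-min-absolute": True,
    "timeout-idle": True, "timeout-min-idle": True,
}
MAX_SECONDS, MAX_MINUTES = 300000000, 525600  # documented upper bounds

# Constructed sample configuration and audit time (not from a real system).
SAMPLE_CONFIG = """\
inspector user1 password secretPassword
inspector audit2 encrypted password 0a1b2c3d expiry-date 2031:01:15:08:00 timeout-min-absolute 480 timeout-min-idle 15
inspector legacy3 encrypted password 4e5f6a7b li-administration expiry-date 2020:06:30:23:59:59 timeout-idle 100
no inspector olduser
"""
SAMPLE_NOW = datetime(2025, 1, 1)


def parse_inspector(line):
    """Return {'user', 'encrypted', 'opts'} for an 'inspector' line, else None."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "inspector":
        return None
    acct = {"user": tok[1], "encrypted": False, "opts": {}}
    i = 2
    if i < len(tok) and tok[i] == "encrypted":
        acct["encrypted"] = True
        i += 1
    if i + 1 >= len(tok) or tok[i] != "password":
        raise ValueError(f"{tok[1]}: expected 'password <pwd>'")
    i += 2  # skip the password value; the auditor never stores it
    while i < len(tok):
        kw = tok[i]
        if kw not in OPTIONS:
            raise ValueError(f"{tok[1]}: unknown keyword {kw!r}")
        if OPTIONS[kw]:
            if i + 1 >= len(tok):
                raise ValueError(f"{tok[1]}: {kw} needs a value")
            acct["opts"][kw] = tok[i + 1]
            i += 2
        else:
            acct["opts"][kw] = True
            i += 1
    return acct


def parse_expiry(text):
    """Parse YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss."""
    for fmt in ("%Y:%m:%d:%H:%M:%S", "%Y:%m:%d:%H:%M"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"bad expiry-date {text!r}")


def effective_minutes(opts, min_kw, sec_kw):
    """Timeout in whole minutes; 0 means disabled (the documented default)."""
    if min_kw in opts:  # assumption: the minute keyword wins if both are given
        value = int(opts[min_kw])
        if not 0 <= value <= MAX_MINUTES:
            raise ValueError(f"{min_kw} out of range: {value}")
        return value
    if sec_kw in opts:
        value = int(opts[sec_kw])
        if not 0 <= value <= MAX_SECONDS:
            raise ValueError(f"{sec_kw} out of range: {value}")
        # Obsolete keyword: rounded to the nearest minute, so a value under
        # 30 seconds becomes 0 and is reported here as a disabled timeout.
        return (value + 30) // 60
    return 0


def audit(config_text, now):
    """Map each inspector user to a sorted list of findings."""
    report = {}
    for line in config_text.splitlines():
        acct = parse_inspector(line.strip())
        if acct is None:
            continue  # other commands, including 'no inspector ...'
        opts, found = acct["opts"], []
        if not acct["encrypted"]:
            found.append("plaintext-password")
        if "expiry-date" not in opts:
            found.append("no-expiry-date")
        elif parse_expiry(opts["expiry-date"]) <= now:
            found.append("expired")
        if "li-administration" in opts:
            found.append("li-administration")
        for kw in ("timeout-absolute", "timeout-idle"):
            if kw in opts:
                found.append("obsolete-keyword:" + kw)
        if effective_minutes(opts, "timeout-min-absolute", "timeout-absolute") == 0:
            found.append("absolute-timeout-disabled")
        if effective_minutes(opts, "timeout-min-idle", "timeout-idle") == 0:
            found.append("idle-timeout-disabled")
        report[acct["user"]] = sorted(found)
    return report


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_CONFIG, SAMPLE_NOW).items():
        print(user, findings or "ok")
```

A line without the encrypted keyword is reported because, as described above, a saved configuration carries only the encrypted form, so a plain-text password usually means the line came from a hand-written script.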
 
interface
Creates/deletes an interface or specifies an existing interface. By identifying an interface, the mode changes to configure this interface in the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
interface name [ broadcast | loopback | point-to-point | tunnel ]
no interface name
no
Indicates the interface specified is to be removed.
name
Specifies the name of the interface to configure. If name does not refer to an existing interface, the new interface is created if resources allow. name must be from 1 to 79 alpha and/or numeric characters.
broadcast
Default: Enabled
Creates an Ethernet broadcast (IP) interface and enters the Ethernet configuration mode.
Important: Refer to the Ethernet interface Configuration Mode Command chapter for more information.
loopback
Default: Disabled
Creates an internal IP address that can be reached by any interface configured in the current context. The interface must be configured for loopback when configuring Interchassis Session Recovery. A total of 256 loopback interfaces can be configured.
Important: Refer to the Loopback Interface Configuration Mode Command chapter for more information.
point-to-point
Creates a permanent virtual connection (PVC) in the current context and enters the PVC configuration mode. Currently, this type of interface is only used with an optical (ATM) line card.
Important: Refer to the PVC interface Configuration Mode Command chapter for more information.
tunnel
Creates a tunnel interface to support the various tunnel interfaces. Currently only IPv6-over-IPv4 and GRE tunnel interfaces are supported.
Important: Refer to the Tunnel Interface Configuration Mode Command chapter for more information.
Usage
Use this command to enter/create the interface configuration mode for an existing interface or for a newly defined interface. This command is also used to remove an existing interface when it is no longer needed.
Important: If no keyword is specified, broadcast is assumed and the interface is Ethernet by default.
For IPv6-over-IPv4 or GRE tunneling, the user needs to specify the interface type as tunnel.
Example
The following command enters the Ethernet Interface Configuration mode creating the interface sampleService, if necessary.
interface sampleInterface
The following command removes sampleService as being a defined interface.
no interface sampleInterface
The following command enters the Tunnel Interface Configuration mode creating the interface GRE_tunnel1, if necessary.
interface GRE_tunnel1 tunnel
 
ip
The commands in this section set context level IP parameters.
 
ip access-group
Configures access group with access control list (ACL) for IP traffic for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip access-group name [ in | out ] [ priority_value ]
no ip access-group name [ in | out ]
no
Indicates the specified ACL rule is to be removed from the group.
name
Specifies the ACL rule to be added/removed from the group.
In Release 8.1 and later, name must be an alpha and/or numeric string of 1 through 47 characters in length.
In Release 8.0, name must be an alpha and/or numeric string of 1 through 79 characters in length.
Important: Up to 8 ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 256 rule limit for the context.
in | out
The in and out keywords are deprecated and are only present for backward compatibility. The Context-level ACL are applied only to outgoing packets.
priority_value
Default: 0
Specifies the priority of the access group. 0 is the highest priority. If priority_value is not specified, the priority is set to 0. priority_value must be an integer from 0 through 4294967295.
If access groups in the list have the same priority, the last one entered is used first.
Usage
Use this command to add IP access lists (refer to the ip access-list command) configured within the same context to an ACL group.
Refer to the Access Control Lists chapter of the System Enhanced Feature Configuration Guide for more information on ACLs and ACL rules.
Example
The following command adds sampleGroup to the context-level ACL with a priority of 0.
ip access-group sampleGroup 0
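The ordering rules above (0 is the highest priority, and among equal priorities the last group entered is used first) are easy to misread when reviewing a long configuration. The following script is an added example, not part of the vendor documentation: it replays a sequence of ip access-group commands and returns the order in which the ACLs are consulted. The ACL names and rule counts are constructed, and treating a command that would exceed the 8-ACL or 256-rule limit as rejected, and a re-entered name as replacing its earlier entry, are assumptions of this example.

```python
MAX_ACLS_PER_GROUP = 8          # "Up to 8 ACLs can be applied to a group"
MAX_RULES_PER_CONTEXT = 256     # rule limit for the context
MAX_PRIORITY = 4294967295
MAX_NAME_LEN = 47               # Release 8.1 and later

# Constructed sample input: command history and rules per ACL.
SAMPLE_COMMANDS = [
    "ip access-group mgmtAcl 10",
    "ip access-group subscriberAcl",
    "ip access-group legacyAcl out 10",
    "ip access-group peeringAcl 0",
    "ip access-group bulkAcl 5",
    "no ip access-group mgmtAcl",
]
SAMPLE_RULE_COUNTS = {"mgmtAcl": 40, "subscriberAcl": 64, "legacyAcl": 64,
                      "peeringAcl": 30, "bulkAcl": 64}


def apply_commands(commands, rule_counts):
    """Replay access-group commands; return (evaluation order, warnings)."""
    entries = {}    # ACL name -> (priority, position of the command)
    warnings = []
    for seq, line in enumerate(commands):
        tok = line.split()
        negate = bool(tok) and tok[0] == "no"
        if negate:
            tok = tok[1:]
        if tok[:2] != ["ip", "access-group"] or len(tok) < 3:
            raise ValueError(f"not an access-group command: {line!r}")
        name, rest = tok[2], tok[3:]
        if not 1 <= len(name) <= MAX_NAME_LEN:
            raise ValueError(f"name length out of range: {name!r}")
        if rest and rest[0] in ("in", "out"):
            # Deprecated keywords: context-level ACLs apply to outgoing packets only.
            warnings.append(f"{name}: '{rest[0]}' is deprecated and has no effect")
            rest = rest[1:]
        if negate:
            if rest:
                raise ValueError(f"'no' form takes no priority: {line!r}")
            entries.pop(name, None)
            continue
        priority = 0                      # default when priority_value is omitted
        if rest:
            if len(rest) > 1 or not rest[0].isdigit():
                raise ValueError(f"bad priority in {line!r}")
            priority = int(rest[0])
            if priority > MAX_PRIORITY:
                raise ValueError(f"priority out of range in {line!r}")
        if name not in rule_counts:
            raise ValueError(f"ACL {name!r} is not defined in this context")
        candidate = dict(entries)
        candidate[name] = (priority, seq)   # assumption: re-entry replaces
        if len(candidate) > MAX_ACLS_PER_GROUP:
            warnings.append(f"{name}: rejected, more than {MAX_ACLS_PER_GROUP} ACLs")
            continue
        total = sum(rule_counts[n] for n in candidate)
        if total > MAX_RULES_PER_CONTEXT:
            warnings.append(f"{name}: rejected, {total} rules exceed "
                            f"{MAX_RULES_PER_CONTEXT}")
            continue
        entries = candidate
    # Lowest priority number first; ties go to the most recently entered.
    order = sorted(entries, key=lambda n: (entries[n][0], -entries[n][1]))
    return order, warnings


if __name__ == "__main__":
    order, warnings = apply_commands(SAMPLE_COMMANDS, SAMPLE_RULE_COUNTS)
    print("evaluation order:", order)
    for w in warnings:
        print("warning:", w)
```

In the sample, peeringAcl is consulted before subscriberAcl even though both have priority 0, because it was entered later.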
 
ip access-list
This command enables creating/configuring/deleting an IP Access List in the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip access-list name
[ default | no ] ip access-list name
default
Sets the context’s default access control list to that specified by name.
no
Removes the specified access list.
name
Specifies the access list name.
In Release 8.0, name must be an alpha and/or numeric string of 1 through 79 characters in length.
In Release 8.1 and later, name must be an alpha and/or numeric string of 1 through 47 characters in length.
If the named access list does not exist, it is created, and the CLI mode changes to the Access Control List Configuration Mode, wherein the access list can be configured.
If the named access list already exists, the CLI mode changes to the Access Control List Configuration mode, wherein the access list can be reconfigured.
Usage
Executing this command enters the Access Control List Configuration Mode in which rules and criteria are defined for the ACL.
Important: A maximum of 64 rules can be configured per ACL. The maximum number of ACLs that can be configured per context is limited by the amount of available memory in the VPN Manager software task; it is typically less than 200.
The no version of this command deletes the ACL.
Refer to the Configuring and Applying Access Control Lists chapter of the System Administration Guide for more information on ACLs and ACL rules.
Example
The following command creates an access list named sampleList, and enters the Access List configuration mode:
ip access-list sampleList
 
ip arp
Configures the address resolution protocol options for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip arp ip_address mac_address [ vrf vrf_name ]
no ip arp ip_address
no
Indicates the ARP configuration data for the IP address specified is to be removed from the configuration.
ip_address
Specifies the IP address to configure the ARP options where ip_address must be specified using the standard IPv4 dotted decimal notation.
mac_address
Specifies the media-specific access control layer address for the IP address. mac_address must be specified as a 6-byte hexadecimal number with each byte separated by a colon, e.g., ‘AA:12:bb:34:f5:0E’.
vrf vrf_name
This keyword associates a Virtual Routing and Forwarding (VRF) context with this static ARP entry.
vrf_name is the name of a preconfigured virtual routing and forwarding (VRF) context configured in Context configuration mode through the ip vrf command.
Usage
Manages the mapping of an IP address, which is a logical/virtual identifier, to the lower-layer addressing used for address resolution in ICMP messages.
For tunnel-based interfaces, a network IP pool can have overlapping IP addresses across VRFs. To manage this, a preconfigured VRF context must be associated with the static ARP entry. By default, the ARP entry is added in the given context. If the VRF name is specified, the ARP entry is added to the VRF ARP table.
Example
The following commands set the IP and MAC address for the current context then remove it from the configuration.
ip arp 1.2.3.4 F1:E2:D4:C5:B6:A7
no ip arp 1.2.3.4
The following commands set the IP and MAC address for a VRF context GRE_vrf1 in the configuration.
ip arp 1.2.3.4 F1:E2:D4:C5:B6:A7 vrf GRE_vrf1
 
ip as-path access-list
Defines BGP AS Path access lists.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
ip as-path access-list list_name [ { deny | permit } reg_expr ]
no ip as-path access-list list_name [ { deny | permit } reg_expr ]
no
Removes the specified regular expression from the AS path access list.
list_name
To add new rules to an existing list, enter the list name. list_name must be a string of alpha numerical characters from 1 through 79 characters.
{deny | permit}
deny: Deny access to AS paths that match the regular expression.
permit: Allow access to AS paths that match the regular expression.
reg_expr
A regular expression to define the AS paths to match. reg_expr must be a string containing 1 through 254 alpha and/or numeric characters.
Important: The ? (question mark) character is not supported in regular expressions for this command.
Usage
Use this command to define AS path access lists for the BGP router in the current context. The chassis supports a maximum of 64 access lists per context.
Example
The following command creates an AS access list named ASlist1 and permits access to AS paths.
ip as-path access-list ASlist1 permit
 
ip dns-proxy source-address
Enables the proxy DNS functionality and identifies this context as the destination context for all redirected DNS requests.
 
Important: This command must be entered in the destination context for the subscriber. If there are multiple destination contexts for different subscribers, the command must be entered in each context.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip dns-proxy source-address ip_address
no
Removes the address in this context as a destination for redirected DNS packets.
ip dns-proxy source-address ip_address
Specifies an interface in this context used for redirected DNS packets. ip_address must be specified using the standard IPv4 dotted decimal notation.
Usage
Use this command to identify the interface in this context where redirected DNS packets are sent to the home DNS. The system uses this address as the source address of the DNS packets when forwarding the intercepted DNS request to the home DNS server. For a more detailed explanation of the proxy DNS intercept feature, see the proxy-dns intercept-list command.
Example
The following command identifies an interface with an address of 1.23.456.456 in a destination context where the system forwards all intercepted DNS requests:
ip dns-proxy source-address 1.23.456.456
 
ip domain-lookup
Enables/disables domain name lookup via domain name servers for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip domain-lookup
no ip domain-lookup
no
Disables domain name lookup.
Usage
Domain name lookup is necessary if the subscribers configured for the context are to be allowed to use logical host names for services that require host name resolution via DNS.
Example
ip domain-lookup
no ip domain-lookup
 
ip domain-name
Configures/removes the logical domain name for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip domain-name name
no ip domain-name name
no
Indicates the logical domain name for the current context is to be removed.
name
Specifies the logical domain name to use for domain name server address resolution. name must be from 1 to 1023 alpha and/or numeric characters formatted to be a valid IP domain name.
Usage
Set a logical domain name if the context is to be accessed by logical domain name in addition to direct IP address.
Example
ip domain-name sampleName.org
 
ip forward
This command configures an IP forwarding policy to forward outgoing pool packets whose flow lookup fails to the default-gateway.
By default the behavior is to either send an ICMP Unreachable message or to discard the packet depending on the configuration of the IP pool.
Pool packets coming from the linecard whose flow lookup fails are discarded or ICMP unreachable is sent irrespective of whether the above command is configured or not.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[no] ip forward outbound unused-pool-dest-address default-gateway
no
Disable forwarding to the default gateway.
Usage
Use this command to set an IP forwarding policy that forwards outgoing pool packets whose flow lookup fails to the default-gateway.
Example
To enable this functionality, enter the following command:
ip forward outbound unused-pool-dest-address default-gateway
To disable this functionality, enter the following command:
no ip forward outbound unused-pool-dest-address default-gateway
 
ip identification packet-size-threshold
Configures the packet size above which the system assigns a unique IP header identification.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
ip identification packet-size-threshold size
default ip identification packet-size-threshold
default
Restores default value of 576 bytes to IP packet size for fragmentation threshold.
size
Default: 576 bytes.
Specifies the IP packet size, in bytes, above which the system assigns a unique IP header identification for system-generated IP encapsulation headers (such as a MIP data tunnel).
size can be configured to any integer value from 0 to 2000.
Usage
This configuration is used to set the upper limit of the IP packet size. All packets above that size limit will be considered ‘fragmentable’, and a unique non-zero identifier will be assigned.
Example
The following command sets the IP packet size threshold to 1024 bytes. Above this limit, the system assigns a unique IP header identification for system-generated IP encapsulation headers:
ip identification packet-size-threshold 1024
 
ip localhost
Configures or removes the static local host logical name to IP address mapping for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip localhost name ip_address
no ip localhost name ip_address
no
Indicates the static mapping is to be removed.
name
Specifies the logical host name for the local machine the current context resides on. name must be from 1 to 1023 alpha and/or numeric characters formatted to be a valid IP host name.
ip_address
Specifies the IP address for the static mapping. ip_address must be specified using the standard IPv4 dotted decimal notation.
Usage
Avoid excessive DNS lookups across the network by statically mapping the logical host name to the local host’s context.
Example
ip localhost localHostName 1.2.3.4
no ip localhost localHostName 1.2.3.4
 
ip name-servers
Modifies the list of domain name servers the current context may use for logical host name resolution.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip name-servers ip_address secondary_ip_address
no ip name-servers ip_address
no
Indicates the name server specified is to be removed from the list of name servers for the current context.
ip_address
Specifies the IP address of a domain name server. ip_address must be specified using the standard IPv4 dotted decimal notation.
secondary_ip_address
Specifies the IP address of a secondary domain name server. secondary_ip_address must be specified using the standard IPv4 dotted decimal notation.
Usage
Manage the list of name servers the current context may use in resolving logical host names.
DNS servers can be specified at the context level in Context configuration mode, at the APN level in APN configuration mode with the dns and ipv6 dns commands, or received from the AAA server.
When DNS is requested in PCO configuration, the following order of preference is used for the DNS values:
1. DNS values received from the LNS have the first preference.
2. DNS values received from the RADIUS server have the second preference.
3. DNS values locally configured for the APN with the dns and ipv6 dns commands have the third preference.
4. DNS values configured at the context level have the last preference.
Important: The same preference would be applicable for the NBNS servers to be negotiated via ICPC with the LNS.
Example
ip name-servers 1.2.3.4
 
ip pool
This command adds, configures, or deletes IP address pools in the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip pool pool_name { ip_address subnet_mask | ip_address_mask_combo | range start_ip_address end_ip_address } [ address-hold-timer address_hold_timer ] [ advertise-if-used ] [ alert-threshold [ group-available | pool-free | pool-hold | pool-release | pool-used ] low_thresh [ clear high_thresh ] ] [ explicit-route-advertise ] [ group-name group_name ] [ include-nw-bcast ] [ napt-users-per-ip-address users_per_ip [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ max-chunks-per-user max_chunks_per_user [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ port-chunk-size port_chunk_size ] [ port-chunk-threshold port_chunk_threshold ] [ send-nat-binding-update ] + ] [ nat priority ] [ nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ send-nat-binding-update ] + ] [ nat-realm users-per-nat-ip-address users [ on-demand [ address-hold-timer address_hold_timer ] ] ] [ nexthop-forwarding-address ip_address [ overlap vlanid vlan_id ] [ respond-icmp-echo ip_address ] ] [ nw-reachability server server_name ] [ policy allow-static-allocation ] [ private priority ] [ public priority ] [ resource priority ] [ send-icmp-dest-unreachable ] [ srp-activate ] [ static ] [ suppress-switchover-arps ] [ tag { none | pdif-setup-addr } ] [ unicast-gratuitous-arp-address ip_address ] [ vrf vrf_name { [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] } ] +
no ip pool pool_name [ address-hold-timer ] [ advertise-if-used ] [ alert-threshold [ [ group-available ] [ pool-free ] [ pool-hold ] [ pool-release ] [ pool-used ] + ] [ explicit-route-advertise ] [ group-name ] [ include-nw-bcast ] [ nexthop-forwarding-address [ respond-icmp-echo ] ] [ nw-reachability server ] [ policy allow-static-allocation ] [ send-icmp-dest-unreachable ] [ srp-activate ] [ suppress-switchover-arps ] [ tag { none | pdif-setup-addr } ] [ unicast-gratuitous-arp-address ] + [ send-nat-binding-update ]
no
Removes the specified IP address pool from the current context’s configuration, or disables the specified option(s) for the specified IP pool.
no alert-threshold
This command without any optional keywords disables all alert thresholds.
name
Specifies the logical name of the IP address pool. name must be an alpha and/or numeric string of 1 through 31 characters in length.
Important: An error message displays if the ip pool name and the group name in the configuration are the same. An error message displays if the ip pool name or group name are already used in the context.
ip_address
Specifies the beginning IP address of the IP address pool. ip_address can either be an IPv4 address expressed in dotted decimal notation, or an IPv6 address expressed in colon notation.
subnet_mask
Specifies the IP address mask bits to determine the number of IP addresses in the pool. ip_mask must be specified using the standard IPv4 dotted decimal notation.
1 bits in the ip_mask indicate that bit position in the ip_address must also have a value of 1.
0 bits in the ip_mask indicate that bit position in the ip_address does not need to match, i.e., the bit can be either a 0 or a 1.
For example, if the IP address and mask are specified as 172.168.10.0 and 255.255.255.224, respectively, the pool will contain IP addresses in the range 172.168.10.0 through 172.168.10.31 for a total of 32 addresses.
ip_address_mask_combo
Specifies a combined IP address subnet mask bits to indicate what IP addresses the route applies to. ip_address_mask_combo must be specified using the form ‘IP Address/Mask Bits’ where the IP address is specified using the standard IPv4 dotted decimal notation and the mask bits are a numeric value which is the number of bits in the subnet mask.
range start_ip_address end_ip_address
Specifies the IP addresses for the IP pool as a range of addresses.
start_ip_address specifies the beginning of the range of addresses for the IP pool.
end_ip_address specifies the end of the range of addresses for the IP pool.
The IP address range must be specified using the standard IPv4 dotted decimal notation.
For example, if start_ip_address is specified as 172.168.10.0 and end_ip_address is specified as 172.168.10.31 the IP pool will contain addresses in the range 172.168.10.0 through 172.168.10.31 for a total of 32 addresses.
private [ priority ]
Address pool may only be used by mobile stations which have requested an IP address from a specified pool. When private pools are part of an IP pool group, they are used in a priority order according to the precedence setting. priority must be a value in the range from 0 through 10 with 0 being the highest priority. The default value is 0.
public [ priority ]
Address pool is used in priority order for assigning IP addresses to mobile stations which have not requested a specific address pool. priority must be a value in the range from 0 through 10 with 0 being the highest priority. The default value is 0.
static
Address pool is used for statically assigned mobile stations. Statically assigned mobile stations are those with a fixed IP address at all times.
tag { none | pdif-setup-addr }
Default: none
none: default tag for all IP address pools
pdif-setup-addr: pool with this tag should only be used for PDIF calls.
address-hold-timer seconds
When this is enabled and an active subscriber is disconnected, the IP address is held, or considered still in use, and is not returned to the free state until the address-hold-timer expires. This enables subscribers who reconnect within the length of time specified (in seconds) to obtain the same IP address from the IP pool.
seconds is the time in seconds and must be an integer from 0 through 31556926.
alert-threshold { group-available | pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ]
Default: All thresholds are disabled.
Configures IP address pool-level utilization thresholds. These thresholds take precedence over context-level IP pool thresholds.
group-available: Set an alert based on the available percentage of IP addresses for the entire IP pool group.
pool-free: Set an alert based on the percentage of IP addresses that are unassigned in this IP pool.
pool-hold: Set an alert based on the percentage of IP addresses from this IP pool that are on hold.
pool-release: Set an alert based on the percentage of IP addresses from this IP pool that are in the release state.
pool-used: This command sets an alert based on the percentage of IP addresses that have been assigned from this IP pool.
Important: Refer to the threshold available-ip-pool-group and threshold monitoring commands in this chapter for additional information on IP pool utilization thresholding.
low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured to any integer value between 0 and 100.
clear high_thresh: The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. It may be configured to any integer value between 0 and 100.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
group-name group_name
Assigns one or more preconfigured IP pools to the IP pool group group_name. group_name is case sensitive and must be a string of 1 to 31 characters. One or more IP pool groups are assigned to a context, and one IP pool group consists of one or more IP pools.
IP pool group name is used in place of an IP pool name. When specifying a desired pool group in a configuration the IP pool with the highest precedence is used first. When that IP pool’s addresses are exhausted the pool with the next highest precedence is used.
include-nw-bcast
Includes the network and broadcast addresses as part of the pool.
To remove the include-nw-bcast option from the ip pool, use the no ip pool test include-nw-bcast command.
napt-users-per-ip-address users_per_ip [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ max-chunks-per-user max_chunks_per_user [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ port-chunk-size port_chunk_size ] [ port-chunk-threshold port_chunk_threshold ] [ send-nat-binding-update ] +
Important: In UMTS deployments this keyword is available in Release 9.0 and later releases. In CDMA deployments this keyword is available in Release 8.3 and later releases.
Important: In UMTS deployments, on upgrading from Release 8.1 to Release 9.0, and in CDMA deployments, on upgrading from Release 8.1 to 8.3, all NAT realms configured in Release 8.1 using the nat-realm keyword must be reconfigured using either the nat-one-to-one (for one-to-one NAT realms) or the napt-users-per-ip-address (for many-to-one NAT realms) keywords.
Configures many-to-one NAT realms.
users_per_ip: Specifies how many users can share a single NAT IP address. users_per_ip must be an integer from 2 through 2016.
alert-threshold: Specifies alert threshold for the pool:
Important: Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in that context, and override the threshold configurations set within individual pools.
pool-free: Percentage free alert threshold for this pool
pool-hold: Percentage hold alert threshold for this pool
pool-release: Percentage released alert threshold for this pool
pool-used: Percentage used alert threshold for this pool
low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. low_thresh must be an integer from 0 through 100.
clear high_thresh: The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. high_thresh must be an integer from 0 through 100.
Important: The high_thresh value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
max-chunks-per-user max_chunks_per_user: Specifies the maximum number of port chunks to be allocated per subscriber in the many-to-one NAT pool. max_chunks_per_user must be an integer from 1 through 2016. Default: 1
nat-binding-timer nat_binding_timer: Specifies the NAT binding timer for the NAT pool. nat_binding_timer must be an integer from 0 through 31556926. If set to 0, the timer is disabled. Default: 0
nexthop-forwarding-address address: Specifies the nexthop forwarding address for this pool. address must be a standard IPv4 or IPv6 address. If configured for a NAT pool, packets that are NATed using that NAT pool will be routed based on the configured nexthop address.
Important: The nexthop-forwarding-address support for NAT IP pools is functional only in later releases of Release 9.0 and in Release 10.0 and later releases.
on-demand: Specifies allocating IP when matching data traffic begins.
port-chunk-size size: Specifies NAT port chunk size (number of NAT ports per chunk) for many-to-one NAT pool. size must be an integer from 32 through 32256.
Important: The port-chunk-size configuration is only available for many-to-one NAT pools.
port-chunk-threshold chunk_threshold: Specifies NAT port chunk threshold in percentage of number of chunks for many-to-one NAT pool. chunk_threshold must be an integer from 1 through 100. Default: 100%
Important: The port-chunk-threshold configuration is only available for many-to-one NAT pools.
send-nat-binding-update: Specifies sending NAT binding updates to AAA for this realm. Default: Disabled
Important: send-nat-binding-update is not supported for many-to-one realms.
The following IP pool configuration keywords can also be used in the many-to-one NAT pool configuration:
group-name group_name: This keyword is available for NAT pool configuration only in Release 10.0 and later releases.
Specifies the pool group name. Grouping makes it possible to bind discontiguous IP address blocks in individual NAT IP pools to a single pool group.
NAT pool and NAT pool group names must be unique.
group_name must be an alpha and/or numeric string of 1 through 31 characters in length, and is case sensitive.
nat priority
Designates the IP address pool as a Network Address Translation (NAT) address pool.
priority specifies the priority of the NAT pool. 0 is the highest priority. If priority is not specified, the priority is set to 0.
Must be a value from 0 (default) to 10.
Important: This functionality is currently supported for use with systems configured as an A-BG or P-CSCF.
nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ send-nat-binding-update ] +
Important: In UMTS deployments this keyword is available in Release 9.0 and later releases. In CDMA deployments this keyword is available in Release 8.3 and later releases.
Important: In UMTS deployments, on upgrading from Release 8.1 to Release 9.0, and in CDMA deployments, on upgrading from Release 8.1 to Release 8.3, all NAT realms configured in Release 8.1 using the nat-realm keyword must be reconfigured using either the nat-one-to-one (for one-to-one NAT realms) or the napt-users-per-ip-address (for many-to-one NAT realms) keywords.
Configures one-to-one NAT realm.
alert-threshold: Specifies alert threshold for this pool:
Important: Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool * commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
pool-free: Percentage free alert threshold for this pool
pool-hold: Percentage hold alert threshold for this pool
pool-release: Percentage released alert threshold for this pool
pool-used: Percentage used alert threshold for this pool
low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. low_thresh must be an integer from 0 through 100.
clear high_thresh: The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. high_thresh must be an integer from 0 through 100.
Important: The high_thresh value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
nat-binding-timer nat_binding_timer: Specifies the NAT binding timer for the NAT pool. nat_binding_timer must be an integer from 0 through 31556926. If set to 0, the timer is disabled.
Important: For many-to-one NAT pools, the default NAT binding timer value is 60 seconds. For one-to-one NAT pools, it is 0. That is, by default the feature is disabled: the IP addresses/port-chunks, once allocated, will never be freed.
nexthop-forwarding-address ip_address: Specifies the nexthop forwarding address for this pool. address must be a standard IPv4 or IPv6 address. If configured for a NAT pool, packets that are NATed using that NAT pool will be routed based on the configured nexthop address.
Important: The nexthop-forwarding-address support for NAT IP pools is functional only in later releases of Release 9.0 and in Release 10.0 and later releases.
on-demand: Specifies allocating IP address when matching data traffic begins.
send-nat-binding-update: Specifies sending NAT binding updates to AAA for this realm. Default: Disabled
Important: send-nat-binding-update is not supported for many-to-one realms.
The following IP pool configuration keywords can also be used in the one-to-one NAT pool configurations:
address-hold-timer address_hold_timer
group-name group_name: This keyword is available for NAT pool configuration only in Release 10.0 and later releases.
Specifies the pool group name. Grouping makes it possible to bind discontiguous IP address blocks in individual NAT IP pools to a single pool group.
NAT pool and NAT pool group names must be unique.
group_name must be an alpha and/or numeric string of 1 through 31 characters in length, and is case sensitive.
nat-realm users-per-nat-ip-address users [ on-demand [ address-hold-timer address_hold_timer ] ]
Important: The nat-realm keyword is only available in Release 8.1.
Important: In Release 8.1, the NAT On-demand feature is not supported.
Important: This functionality is currently supported for use with systems configured as an A-BG or P-CSCF.
Designates the IP address pool as a Network Address Translation (NAT) realm pool.
users-per-nat-ip-address users: Specifies the number of users sharing a single NAT IP address. users must be an integer from 1 through 5000.
on-demand: Specifies to allocate IP when matching data traffic begins.
address-hold-timer address_hold_timer: Specifies the address hold timer for this pool, in seconds. address_hold_timer must be an integer from 0 through 31556926. If set to 0, the address hold timer is disabled.
nexthop-forwarding-address ip_address
A subscriber that is assigned an IP address from this pool is forwarded to the next hop gateway with the specified IP address.
overlap vlanid vlan_id
When a nexthop forwarding address is configured, this keyword can be configured to enable over-lapping IP address pool support and associates the pool with the specified virtual LAN (VLAN).
For more information on configuring VLANs, refer to the System Enhanced Features Guide.
vlan_id is the identification number of a VLAN assigned to a physical port and can be configured to any integer value from 1 to 4095.
Important: This functionality is currently supported for use with systems configured as an HA, or as a PDSN for Simple IP, or as a GGSN. This keyword can only be issued for pools of type private or static and must be associated with a different nexthop forwarding address and VLAN. A maximum of 256 over-lapping pools can be configured per context and a maximum of 256 over-lapping pools can be configured per HA or simple IP PDSN. For GGSNs, the total number of pools is limited by the number of VLANs defined but the maximum number per context is 256. Additional network considerations and configuration outside of the system may be required.
nw-reachability server server_name
Bind the name of a configured network reachability server to the IP pool and enable network reachability detection for the IP pool. This takes precedence over any network reachability server settings in a subscriber configuration.
server_name: Specifies the name of a network reachability server that has been defined in the current context, and must be a string of 1 through 16 characters in length.
Important: Also see the following commands for more information: Refer to the policy nw-reachability-fail command in the HA Configuration Mode to configure the action that should be taken when network reachability fails. Refer to the nw-reachability server command in this chapter to configure network reachability servers. Refer to the nw-reachability-server command in the Subscriber Configuration Mode to bind a network reachability server to a specific subscriber.
respond-icmp-echo ip_address
Pings the first IP address from overlapping IP address pools.
Important: In order for this functionality to work, all of the pools should contain an initial IP address that can be pinged.
resource
Default: Disabled
Specifies this IP pool as a resource pool. The IP addresses in resource pools may have IP addresses that exist in other resource pools. IP addresses from a resource pool should not be used for IP connectivity within the system where the pool is defined. These IP addresses should be allocated for sessions which are L3 tunneled through the system (IP-in-IP or GRE). It is possible for resource pools in the same context to have overlapping addresses when the terminating network elements for the L3 tunnels are in different VPNs.
Also refer to the subscriber configuration mode l3-to-l2-tunnel address-policy command.
send-icmp-dest-unreachable
Default: Disabled
When enabled, this generates an ICMP destination unreachable PDU when the system receives a PDU destined for an unused address within the pool.
explicit-route-advertise
Default: Enabled
When enabled, the show ip pool verbose output includes the total number of explicit host routes.
srp-activate
Activates the IP pool for Interchassis Session Redundancy.
suppress-switchover-arps
Default: Disabled
Suppress corresponding gratuitous ARP generation when a line card switchover occurs.
unicast-gratuitous-arp-address ip_address
Default: Perform broadcast gratuitous ARP.
Perform a unicast gratuitous ARP to the specified IP address rather than broadcast gratuitous ARP when gratuitous ARP generation is required.
vrf vrf_name { [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] }
This keyword associates a preconfigured Virtual Routing and Forwarding (VRF) context instance with this IP pool and configures the other MPLS label parameters like values of In and Out labels.
Important: This command must be used with next-hop parameters.
vrf_name is name of a preconfigured virtual routing and forwarding (VRF) context configured in Context configuration mode through ip vrf command.
in_label_value is the MPLS label that identifies the inbound traffic destined for this pool.
out_label_value1 and out_label_value2 identify the MPLS labels to be added to the outgoing packets sent for a subscriber from this pool, where out_label_value1 is the inner output label and out_label_value2 is the outer output label.
MPLS label values must be an integer from 16 to 1048575.
By default, the pools configured are bound to the default VRF unless specified with a VRF name.
Important: You cannot have overlapping pool addresses using the same VRF. Also, you cannot have two pools using different VRFs but the same in-label, irrespective of whether the pools are overlapping or not. The pool must be a private or static pool in order to be associated with a certain VRF. If a VRF with the given name is not configured, the pool configuration returns an error prompting you to add the VRF before configuring a pool.
policy allow-static-allocation
Configures static address allocation policy for dynamic IP pool. This keyword enables a dynamic IP pool to accept a static address for allocation.
Important: In static allocation scenario, the pool group name is returned by AAA in the attribute SN1-IP-Pool-Name, and the IP address to use will be returned in the Framed-IP-Address attribute.
+
Indicates that more than one of the previous keywords can be entered within a single command.
Usage
Define one or more pools of IP addresses for the context to use in assigning IPs to mobile stations. This command is also useful in resizing existing IP pools to expand or contract the number of addresses allocated. If you resize an IP pool, the change is effective immediately.
When using the ip pool command to resize an IP pool, the type must be specified, since by default the command assumes the type is public. In other words, the CLI syntax to resize an IP pool is the same syntax used to create the pool. For example, if the pool was created with:
ip pool pool1 100.1.1.0/24 static
Then the syntax to resize that pool would be:
ip pool pool1 100.1.1.0/25 static
A pool which is deleted will be marked as such. No new IP addresses will be assigned from a deleted pool. Once all assigned IP addresses from a deleted pool have been released, the pool, and all associated resources, are freed.
Important: If an IP address pool is matched to an ISAKMP crypto map and is resized, removed, or added, the corresponding security association must be cleared in order for the change to take effect. Refer to the clear crypto command in the Exec mode for information on clearing security associations.
Over-lapping IP Pools - The system supports the configuration of over-lapping IP address pools within a particular context. Over-lapping pools are configured using either the resource or overlap keywords.
The resource keyword allows over-lapping addresses tunneled to different VPN end points.
The overlap keyword allows over-lapping addresses each associated with a specific virtual LAN (VLAN) configured for an egress port. It uses the VLAN ID and the nexthop address to determine how to forward subscriber traffic with addresses from the pool thus resolving any conflicts with overlapping addresses.
Note that if an overlapping IP pool is bound to an IPSec tunnel (refer to the match ip pool command in the Crypto Group Configuration Mode chapter), that tunnel carries the traffic, ignoring the nexthop configuration. Therefore, the IPSec tunnel takes precedence over the nexthop configuration. (Thus, one can configure the overlapping IP pool with a fake VLAN ID and nexthop and still be able to bind it to an IPSec tunnel for successful operation.)
The overlap keyword, which allows over-lapping addresses each associated with a specific VLAN, can only be issued for pools of type private or static, and each such pool must be associated with a different nexthop forwarding address and VLAN. A maximum of 128 over-lapping pools can be configured per context and a maximum of 256 over-lapping pools can be configured per system.
Important: Overlapping IP address functionality is currently supported for use with systems configured as an HA for Mobile IP, or as a PDSN for Simple IP, or as a GGSN. For deployments in which subscriber traffic is tunneled from the FA to the HA using IP-in-IP, a separate HA service must be configured for each over-lapping pool.
IP Pool Address Assignment Method - IP addresses can be dynamically assigned from a single pool or from a group of pools. The addresses are placed into a queue in each pool. An address is assigned from the head of the queue and, when released, returned to the end. This method is known as least recently used (LRU).
When a group of pools have the same priority, an algorithm is used to determine a probability for each pool based on the number of available addresses, then a pool is chosen based on the probability. This method, over time, allocates addresses evenly from the group of pools.
Important: Note that setting different priorities on each individual pool in a group can cause addresses in some pools to be used more frequently.
Example
The following commands define a private IP address pool, a public IP address pool and a static address pool, respectively.
ip pool samplePool1 1.2.3.0 255.255.255.0 private
ip pool samplePool2 1.3.0.0 255.255.0.0 public 1
ip pool samplePool3 1.4.5.0 255.255.255.0 static
 
The following command defines a private IP pool specified with a range of IP addresses. The pool has 101 addresses.
ip pool samplePool4 range 1.5.5.0 1.5.5.100 private
The following command sets the address hold timer on the pool to 60 minutes (3600 seconds):
ip pool samplePool4 address-hold-timer 3600
The following command removes the IP address pool from the configuration:
no ip pool samplePool1
The following command creates a static IP pool:
ip pool pool1 100.1.1.0/24 static
The following command resizes the static IP pool created in the previous example:
ip pool pool1 100.1.1.0/25 static
 
ip prefix-list
Creates an IP prefix list for filtering routes.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
ip prefix-list name list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
no ip prefix-list list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
no
Delete the specified prefix-list entry.
name list_name
Specifies a name for the prefix list. list_name must be a string of 1 through 79 characters in length.
seq seq_number
Assign the specified sequence number to the prefix list entry. seq_number must be an integer from 1 through 4294967295.
deny
Specify prefixes to deny.
permit
Specify prefixes to permit.
any
Match any prefix.
network_address/net_mask [ ge ge_value ] [ le le_value ]
The prefix to match.
network_address/net_mask: the IP address and the length, in bits, of the network mask that defines the prefix. This must be an IP address entered in dotted decimal notation and a mask (192.168.0/24). When neither ge nor le is specified, an exact match is assumed.
ge ge_value: The minimum prefix length to match. This must be an integer from 0 through 32. If only the ge value is specified, the range is from the ge value to 32. The ge value must be greater than net_mask and less than the le value.
le le_value: The maximum prefix length to match. This must be an integer from 0 through 32. If only the le value is specified, the range is from the net_mask to the le value. The le value must be less than or equal to 32.
The following equation describes the conditions that ge and le values must satisfy:
net_mask < ge_value < le_value <= 32
Usage
Use this command to filter routes by their IP prefix.
Example
ip prefix-list name prelist10 seq 5 permit 192.168.100.0/8 ge 12 le 24
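The ge/le rules above, applied to the example command, as an added Python example (not code from this reference or from the product). The names `parse_entry`, `evaluate` and `is_valid` are hypothetical. It assumes conventional prefix-list behaviour that this page does not state: address bits beyond net_mask are ignored, entries are tested in the order passed, the first match wins, and an unmatched route is denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The example command from this page; its address has bits set beyond the /8 mask.
PAGE_EXAMPLE = "ip prefix-list name prelist10 seq 5 permit 192.168.100.0/8 ge 12 le 24"


@dataclass(frozen=True)
class Entry:
    seq: Optional[int]
    action: str                                # "permit" or "deny"
    network: Optional[ipaddress.IPv4Network]   # None represents the keyword "any"
    min_len: int                               # shortest route prefix length matched
    max_len: int                               # longest route prefix length matched
    host_bits_set: bool                        # typed address had bits outside net_mask


def parse_entry(line: str) -> Entry:
    """Parse one 'ip prefix-list name ...' line, enforcing the documented ranges."""
    tok = line.split()
    if tok[:3] != ["ip", "prefix-list", "name"] or len(tok) < 6:
        raise ValueError("expected: ip prefix-list name <list> [seq <n>] {deny|permit} <prefix>")
    if not 1 <= len(tok[3]) <= 79:
        raise ValueError("list_name must be 1 through 79 characters")
    i, seq = 4, None
    if tok[4] == "seq":
        if len(tok) < 8:
            raise ValueError("truncated command")
        seq, i = int(tok[5]), 6
        if not 1 <= seq <= 4294967295:
            raise ValueError("seq_number must be 1 through 4294967295")
    action, target, opts = tok[i], tok[i + 1], tok[i + 2:]
    if action not in ("deny", "permit"):
        raise ValueError("action must be deny or permit")
    if target == "any":
        if opts:
            raise ValueError("ge/le do not apply to 'any'")
        return Entry(seq, action, None, 0, 32, False)

    net = ipaddress.IPv4Network(target, strict=False)   # masks off stray host bits
    typed = ipaddress.IPv4Address(target.split("/")[0])
    if len(opts) % 2 or set(opts[0::2]) - {"ge", "le"}:
        raise ValueError("only 'ge <n>' and 'le <n>' may follow the prefix")
    given = {k: int(v) for k, v in zip(opts[0::2], opts[1::2])}
    ge, le, mask = given.get("ge"), given.get("le"), net.prefixlen
    # Documented constraint: net_mask < ge_value < le_value <= 32
    if ge is not None and not mask < ge <= 32:
        raise ValueError("ge must be greater than net_mask and at most 32")
    if le is not None and not mask <= le <= 32:
        raise ValueError("le must be at least net_mask and at most 32")
    if ge is not None and le is not None and not ge < le:
        raise ValueError("ge must be less than le")
    lo = ge if ge is not None else mask                       # le only: net_mask..le
    hi = le if le is not None else (32 if ge is not None else mask)  # ge only: ge..32
    return Entry(seq, action, net, lo, hi, typed != net.network_address)


def evaluate(entries: List[Entry], route: str) -> str:
    """Return 'permit' or 'deny' for a route such as '192.168.100.0/24'."""
    r = ipaddress.IPv4Network(route)           # strict: a route is a real network
    for e in entries:                          # assumption: caller keeps seq order
        if not e.min_len <= r.prefixlen <= e.max_len:
            continue
        if e.network is None or r.subnet_of(e.network):
            return e.action                    # assumption: first match wins
    return "deny"                              # assumption: implicit deny at the end


def is_valid(line: str) -> bool:
    """True if the line passes the syntax and range checks above."""
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    entry = parse_entry(PAGE_EXAMPLE)
    print("effective prefix:", entry.network, "lengths", entry.min_len, "to", entry.max_len)
    for candidate in ("192.168.100.0/24", "192.10.0.0/16", "192.168.100.128/25", "10.1.0.0/16"):
        print(candidate, "->", evaluate([entry], candidate))
```

Under these assumptions the page's example covers all of 192.0.0.0/8 rather than only 192.168.100.0, which is worth checking when a prefix list is meant to constrain which routes are accepted.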
 
ip prefix-list sequence-number
This enables and disables the inclusion of IP prefix list sequence numbers in the configuration file. This is enabled by default.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
ip prefix-list sequence-number
no ip prefix-list sequence-number
no
Disable listing IP prefix list sequence numbers in the configuration file.
Usage
Use this command to enable and disable the inclusion of IP prefix list sequence numbers in the configuration file.
Example
To disable the inclusion of IP prefix list sequence numbers in the configuration file, enter the following command:
no ip prefix-list sequence-number
 
ip route
Adds/removes routing information from the current context’s configuration.
Product
All
Privilege
Administrator
Syntax
[ no ] ip route { ip_address/ip_mask | ip_address ip_mask } { gateway_ip_address | next-hop next_hop_ip_address | point-to-point | tunnel } egress_intrfc_name [ cost cost ] [ precedence precedence ] [ vrf vrf_name ] +
no
Indicates the route specified by these options is to be removed from the configuration.
ip_address/ip_mask | ip_address ip_mask
Specifies a destination IP address or group of addresses that will use this route.
ip_address/ip_mask: Specifies a combined IP address and subnet mask bits to indicate the IP addresses to which the route applies. ip_address/ip_mask must be specified using the form ‘IP Address/Mask Bits’ where the IP address is specified using the standard IPv4 dotted decimal notation and the mask bits are a numeric value which is the number of bits in the subnet mask.
ip_address ip_mask: Specifies an IP address and the networking (subnet) mask pair which is used to identify the set of IP addresses to which the route applies. ip_address must be specified using the standard IPv4 dotted decimal notation. ip_mask must be specified using the standard IPv4 dotted decimal notation as network mask for subnets.
The mask as specified by ip_mask or resulting from ip_address/ip_mask is used to determine the network for packet routing.
0’s in the resulting mask indicate the corresponding bit in the IP address is not significant in determining the network for packet routing.
1’s in the resulting mask indicate the corresponding bit in the IP address is significant in determining the network.
gateway_ip_address | next-hop next_hop_ip_address | point-to-point | tunnel
Specifies which device or network to use when forwarding packets.
gateway_ip_address: Specifies the IP address of the network gateway to which to forward packets. The address must be entered in IPv4 dotted decimal notation (###.###.###.###).
next-hop next_hop_ip_address: The next-hop IP address to which to forward packets. The address must be entered in IPv4 dotted decimal notation (###.###.###.###).
point-to-point: Specifies that the egress port is an ATM point-to-point interface.
tunnel: This keyword sets the static route for this egress interface as tunnel type, i.e. IPv6-over-IPv4 or GRE.
egress_intrfc_name
Specifies the name of the egress (out-bound) interface in the current context. egress_intrfc_name must be from 1 to 79 alpha and/or numeric characters.
cost cost
Default: 0
Specifies the relative cost of the route. cost must be a value in the range 0 through 255 where 255 is the most expensive.
precedence precedence
Default: 1
Specifies the selection order precedence for this routing information. precedence must be a value in the range from 1 through 254 where 1 is the highest precedence.
vrf vrf_name
This keyword associates a Virtual Routing and Forwarding (VRF) context with this static route configuration.
vrf_name is the name of a preconfigured virtual routing and forwarding (VRF) context configured in Context configuration mode through the ip vrf command.
Usage
Use this command to configure the IP route parameters. The precedence and cost options tailor route selection: routes of the same precedence are grouped together, and within a group the lowest cost is selected first. Routes are therefore selected first by lower precedence, and cost is then used if multiple routes are defined with the same precedence.
Important: A maximum of 1200 static routes may be configured per context.
A Virtual Routing and Forwarding (VRF) context can be associated with a static IP route for GRE tunneling support.
Example
The following command adds a route using the combined IP address and subnet mask form:
ip route 1.2.3.0/32 192.168.1.2 egressSample1 precedence 160
The following configures route options for a route specified using the distinct IP address and subnet mask form:
ip route 1.2.3.4 255.224.0.0 10.1.2.3 egressSample2 cost 43
The following deletes the two routes configured above:
no ip route 1.2.3.0/32 192.168.1.2 egressSample1 precedence 160
no ip route 1.2.3.4 255.224.0.0 10.1.2.3 egressSample2 cost 43
The following command adds a route using the combined IP address and subnet mask form and specifies the egress interface as tunnel type:
ip route 1.2.3.0/32 tunnel egressSample1 precedence 160 vrf GRE_vrf1
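An added Python example (not part of this reference or of the product) that audits a list of `ip route` lines: it applies the mask to both destination forms, enforces the documented cost, precedence and 1200-route limits, and picks the preferred route per destination by lower precedence, then lower cost. The function names are hypothetical, and the sample config mixes this page's example commands with constructed lines marked as such.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# First, second and fifth lines are this page's examples; the others are constructed.
SAMPLE = """\
ip route 1.2.3.0/32 192.168.1.2 egressSample1 precedence 160
ip route 1.2.3.4 255.224.0.0 10.1.2.3 egressSample2 cost 43
ip route 1.0.0.0/11 10.9.9.9 egressSample3 cost 5 precedence 20
ip route 1.0.0.0/11 next-hop 10.8.8.8 egressSample4 cost 200
ip route 1.2.3.0/32 tunnel egressSample1 precedence 160 vrf GRE_vrf1
ip route 10.0.0.0/8 10.1.1.1 egressSample5 cost 300
"""


@dataclass(frozen=True)
class StaticRoute:
    network: ipaddress.IPv4Network   # destination after the mask is applied
    host_bits_set: bool              # typed address had bits outside the mask
    via: str                         # gateway/next-hop address, "point-to-point" or "tunnel"
    egress: str
    cost: int
    precedence: int
    vrf: Optional[str]


def parse_route(line: str) -> StaticRoute:
    """Parse one 'ip route ...' line in either destination form; ValueError if invalid."""
    tok = line.split()
    if tok[:2] != ["ip", "route"] or len(tok) < 5:
        raise ValueError("expected: ip route <destination> <target> <egress> [options]")
    rest = tok[2:]
    if "/" in rest[0]:                               # ip_address/ip_mask
        dest, rest = rest[0], rest[1:]
    else:                                            # ip_address ip_mask
        dest, rest = rest[0] + "/" + rest[1], rest[2:]
    net = ipaddress.IPv4Network(dest, strict=False)  # accepts mask bits or dotted mask
    typed = ipaddress.IPv4Address(dest.split("/")[0])
    explicit_next_hop = rest[:1] == ["next-hop"]
    if explicit_next_hop:
        rest = rest[1:]
    if len(rest) < 2:
        raise ValueError("missing forwarding target or egress interface")
    if rest[0] in ("point-to-point", "tunnel") and not explicit_next_hop:
        via = rest[0]
    else:
        via = str(ipaddress.IPv4Address(rest[0]))
    egress, opts = rest[1], rest[2:]
    if not 1 <= len(egress) <= 79:
        raise ValueError("egress_intrfc_name must be 1 to 79 characters")
    if len(opts) % 2 or set(opts[0::2]) - {"cost", "precedence", "vrf"}:
        raise ValueError("options are: cost <n>, precedence <n>, vrf <name>")
    given = dict(zip(opts[0::2], opts[1::2]))
    cost = int(given.get("cost", 0))                 # documented default: 0
    precedence = int(given.get("precedence", 1))     # documented default: 1
    if not 0 <= cost <= 255:
        raise ValueError("cost must be 0 through 255")
    if not 1 <= precedence <= 254:
        raise ValueError("precedence must be 1 through 254")
    return StaticRoute(net, typed != net.network_address, via, egress,
                       cost, precedence, given.get("vrf"))


def audit(config: str) -> Tuple[List[StaticRoute], List[str]]:
    """Return the routes that parse plus findings for lines that need review."""
    routes: List[StaticRoute] = []
    findings: List[str] = []
    for n, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        if not line.startswith("ip route "):
            continue
        try:
            route = parse_route(line)
        except ValueError as exc:
            findings.append(f"line {n}: rejected: {exc}")
            continue
        if route.host_bits_set:
            findings.append(f"line {n}: destination is really {route.network}")
        routes.append(route)
    if len(routes) > 1200:
        findings.append("more than 1200 static routes for one context")
    return routes, findings


def preferred(routes: List[StaticRoute]) -> Dict[Tuple[str, Optional[str]], StaticRoute]:
    """Per (destination, vrf): lowest precedence wins, ties broken by lowest cost."""
    best: Dict[Tuple[str, Optional[str]], StaticRoute] = {}
    for r in routes:
        key = (str(r.network), r.vrf)
        cur = best.get(key)
        if cur is None or (r.precedence, r.cost) < (cur.precedence, cur.cost):
            best[key] = r
    return best


if __name__ == "__main__":
    parsed, notes = audit(SAMPLE)
    for note in notes:
        print(note)
    for (dest, vrf), r in preferred(parsed).items():
        print(dest, vrf, "->", r.via, r.egress, r.precedence, r.cost)
```

The second sample line shows why the mask matters in review: typed as 1.2.3.4 with mask 255.224.0.0, it is a route for 1.0.0.0/11 and competes with the two constructed /11 routes, winning on precedence 1 and cost 43.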
 
ip routing maximum-paths
This command enables Equal Cost Multiple Path (ECMP) routing support and specifies the maximum number of ECMP paths that can be submitted by a routing protocol in the current context.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
ip routing maximum-paths [ max_no ]
[ default | no ] ip routing maximum-paths
default
Resets the command to its default setting of 4.
no
Disables ECMP for the current context.
max_no
Default: 4
The maximum number of ECMP paths that can be submitted by a routing protocol. max_no must be an integer from 1 through 10.
Usage
Use this command to enable ECMP for routing and set the maximum number of ECMP paths that can be submitted by a routing protocol.
Example
To enable ECMP and set the maximum number of paths that may be submitted by a routing protocol in the current context to 10, enter the following command:
ip routing maximum-paths 10
To disable ECMP in the current context, enter the following command:
no ip routing maximum-paths
 
ip routing overlap-pool
Configures the routing behavior for overlap-pool addresses.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
[ no | default ] ip routing overlap-pool
default
Resets the command to its default setting of disabled.
no
Disables the routing behavior for overlap-pool addresses for the current context.
Usage
Default: disabled
Use this command to advertise overlap-pool addresses in dynamic routing protocols when overlap pools are configured using VLAN IDs. If ip routing overlap-pool is configured, the overlap addresses are added as interface addresses and advertised.
 
ip vrf
This command creates a Virtual Routing and Forwarding (VRF) context instance, assigns a VRF id, and configures the VRF parameters for BGP MPLS VPN and GRE tunnel interface configuration.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip vrf vrf_name
no ip vrf
no
Disables IP Virtual Routing and Forwarding (VRF) parameters.
vrf_name
Specifies the name of the virtual routing and forwarding interface.
vrf_name must be an alpha and/or numeric string of 1 to 79 characters.
Usage
Use this command to create a VRF context and assign a VRF id to this instance. This command is used when the system works as a BGP router with MPLS VPN and binds an MPLS VPN to the system, or to facilitate GRE tunnelling. The addresses that are assigned to this interface are visible in the VRF routing table.
This command switches the command mode to IP VRF Context Configuration Mode and the prompt changes to the following:
[context_name>]host_name(config-context-vrf)#
If required, this command creates IP Virtual Routing and Forwarding context configuration mode instance.
While using this command user must take note of the following:
Refer to the IP VRF Context Configuration Mode Commands chapter for parameter configurations.
Example
The following command configures the virtual routing and forwarding context instance GRE_vrf1 in a context:
ip vrf GRE_vrf1
 
ipms
Enables/disables/manages an intelligent packet monitoring system (IPMS) client service and enters the IPMS client configuration mode within the current context.
Important: The IPMS is a license enabled external application support. Refer to the IPMS Installation and Administration Guide for more information on this product.
Product
IPMS
Privilege
Security Administrator, Administrator
Syntax
[ no ] ipms [ -noconfirm ]
no
Deletes a previously configured IPMS client service.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Warning: If this keyword option is used with the no ipms command, the IPMS client service is deleted along with all active/inactive IPMS sessions, without any warning or confirmation prompt.
Usage
Use this command to enable/disable/manage the IPMS client service within a context and configure certain functionality. This command enables and allows the configuration of service enabling the system to function as an IPMS-enabled Access Gateway in a network. This command is also used to remove previously configured IPMS client service.
A maximum of 1 IPMS client can be configured per system.
Refer to the IPMS Installation and Administration Guide and IPMS Configuration Mode chapter of this reference for additional information.
Example
The following command creates an IPMS client service within the context:
ipms
 
ipsec
Creates a new, or specifies an existing, IPSec transform set and enters the IPSec Transform Set Configuration Mode for the current context.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
[ no ] ipsec transform-set name
name
Specifies the name of a new or existing transform set. name must be from 1 to 127 alpha and/or numeric characters.
Usage
Use this command to create a new or enter an existing IPSec transform-set. Up to four transform-sets can be created.
Entering this command results in the following prompt:
[context_name]hostname(cfg-ctx-ipsec-tran-set)#
IPSec Transform Set Configuration Mode commands are defined in the IPSec Transform Set Configuration Mode Commands chapter.
Example
The following command configures an IPSec transform set called ipsec12 and enters the IPSec Transform Set Configuration Mode:
ipsec transform-set ipsec12
 
ipsg-service
Creates an IP Services Gateway service, or specifies an existing IPSG service, in the current context and enters the IPSG RADIUS Snoop or IPSG RADIUS Server Configuration Mode.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
ipsg-service name [ mode { radius-server | radius-snoop } ] [ -noconfirm ]
no ipsg-service name [ mode { radius-server | radius-snoop } ]
no
Removes the IPSG service from the system.
name
Specifies the name of the IPSG service to be configured. If name does not refer to an existing service, the new service is created if resources allow. name must be an alpha and/or numeric string of 1 through 63 characters in length.
mode { radius-server | radius-snoop }
Configures the IPSG to perform as either a RADIUS server or as a device to extract user information from RADIUS accounting request messages (snoop). If the mode optional keyword is not entered, the system defaults to radius-server.
radius-server: Creates an IP Services Gateway RADIUS Server service in the context and enters the IPSG RADIUS Server Configuration Mode.
radius-snoop: Creates an IP Services Gateway RADIUS Snoop service in the context and enters the IPSG RADIUS Snoop Configuration Mode.
-noconfirm
Indicates that the command is to execute without an additional prompt and confirmation from the user.
Usage
Enter the IPSG RADIUS Snoop or IPSG RADIUS Server Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of one IPSG service can be configured per context.
Entering this command results in the following prompt (RADIUS Server shown):
[context_name-service_name]hostname(config-radius-server)#
IPSG service commands are defined in the IPSG RADIUS Snoop Configuration Mode Commands chapter or the IPSG RADIUS Server Configuration Mode Commands chapter of the Cisco ASR 5000 Series Command Line Interface Reference.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: A large number of services greatly increases the complexity of system management and may impact overall system performance (i.e., resulting from system handoffs). Do not configure a large number of services unless your application requires it. Contact your local service representative for more information.
Important: IP Services Gateway functionality is a license-controlled feature. A valid feature license must be installed prior to configuring an IPSG service. If you have not previously purchased this feature, contact your sales representative for more information.
For more information about the IP Services Gateway, refer to the IP Services Gateway Configuration Guide.
Example
The following command configures an IPSG RADIUS Snoop service named ipsg1 and enters the IPSG RADIUS Snoop Configuration Mode:
ipsg-service ipsg1 mode radius-snoop
 
ipv6 access-group
Configures the IPv6 Access group.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
ipv6 access-group group_name { priority_value }
group_name
Specifies the name of the access group. group_name must be an alpha and/or numeric string of 1 to 79 characters.
priority_value
Default: 0
Specifies the priority of the access group. 0 is the highest priority. If priority_value is not specified the priority is set to 0. priority_value must be a value from 0 to 4294967295.
If access groups in the list have the same priority, the last one entered is used first.
Usage
Use this command to specify the IPv6 access group name and priority. Use a lower value to indicate a higher priority for the group.
Example
ipv6 access-group group_1
 
ipv6 access-list
Configures access list (or packet filter) name and enters the IPv6 access list configuration mode.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
[ no ] ipv6 access-list name
no
Indicates the access list specified is to be removed from the configuration.
name
Specifies the access list for which to enter the access list configuration mode or the list to remove. name must be from 1 to 79 alpha and/or numeric characters.
Usage
Executing this command enters the Access Control List Configuration Mode in which rules and criteria are defined for the ACL.
Example
ipv6 access-list samplelist
no ipv6 access-list samplelist
 
ipv6 dns-proxy
Configures the domain name server proxy for the context.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
ipv6 dns-proxy source-ipv4-address ip_address
no ipv6 dns-proxy source-ipv4-address ip_address
no
Removes the predefined IP address for local interface in the destination context.
source-ipv4-address
Enables the IPv6 DNS proxy functionality for a context. The PDSN uses this address as the source address of the IPv4 packets.
Default: no address is configured.
ip_address
Specifies the IPv4 address of one of the local interfaces in the destination context to configure the IPv6 DNS proxy. ip_address must be specified using the standard IPv4 dotted decimal notation.
Usage
The IPv6 DNS proxy source IPv4 address is used as the source IP address for the DNS proxy transaction.
Example
The following command provides an example of configuring an IPv6 DNS proxy of 192.168.23.1:
ipv6 dns-proxy source-ipv4-address 192.168.23.1
 
ipv6 neighbor
Add a static IPv6 neighbor entry into the neighbor discovery table.
Product
PDIF
Privilege
Administrator, Security Administrator
Syntax
[ no ] ipv6 neighbor ipv6_address hardware_address
no
Removes the specified address.
ipv6 neighbor ipv6_address hardware_address
ipv6_address is the IPv6 address of the node to be added to the table.
hardware_address is the associated 48-bit MAC address.
Usage
Add a static IPv6 neighbor entry into the neighbor discovery table.
Example
Add the IPv6 address fe80::210:83ff:fef7:7a9d and the associated 48-bit MAC address 0:10:83:f7:7a:9d to the table.
ipv6 neighbor fe80::210:83ff:fef7:7a9d 0:10:83:f7:7a:9d
 
ipv6 pool
Modifies the current context’s IP address pools by adding, updating, or deleting a pool. Also use this command to resize an existing IP pool.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ipv6 pool name { 6to4 local-endpoint ipv4_address [ default-relay-router router_address ] | alert threshold | group-name name | policy { allow-static-allocation | dup-addr-detection } | prefix ip_address/len [ 6to4-tunnel local-endpoint ip_address | default-relay-router router_address ] | range start_address end_address | suppress-switchover-arps } [ private priority ] [ public priority ] [ shared priority ] [ static priority ] [ group-name name ]
no ipv6 pool name
no
Deletes the previously configured ipv6 pool.
name
Specifies the logical name of the IP address pool. name must be from 1 to 31 alpha and/or numeric characters.
6to4-tunnel local-endpoint ip_address
Specifies the IPv4 Address of the local interface to be used for 6to4 compatible pool address construction.
alert threshold { 6to4 local-endpoint ipv4_address | alert threshold | group-available | group-name name | policy { allow-static-allocation | dup-addr-detection} | pool-free | pool-used | prefix | range start_address end_address }
Default: All thresholds are disabled.
Configures IP address pool-level utilization thresholds. These thresholds take precedence over context-level IPv6 pool thresholds.
6to4 - Sets an alert based on the IPv6 Pool for 6to4 compatible address type.
alert-threshold - Sets an alert based on the percentage free alert threshold for this group.
group-available - Sets an alert based on the percentage free alert threshold for this group.
group-name - Sets an alert based on the IPv6 Pool Group.
policy allow-static-allocation - Sets an alert based on the address allocation policy.
pool-free - Sets an alert based on the percentage free alert threshold for this pool.
pool-used - Sets an alert based on the percentage used alert threshold for this pool.
prefix - Sets an alert based on the IPv6 Pool address prefix.
range - Sets an alert based on the IPv6 address pool range of addresses.
suppress-switchover-arps - Sets an alert based on the Suppress Gratuitous ARPS when performing a line card switchover.
group name name
IPv6 Pool Group.
The following options are available:
ipv4_address
Specifies the beginning IPv4 address of the IPv4 address pool. ipv4_address must be specified using the standard IPv4 dotted decimal notation.
default-relay-router router_address
Specifies the default relay router for the tunnel.
policy allow-static-allocation
Allows a dynamic pool to accept a static address allocation.
The following options are available:
policy dup-addr-detection
Default: Disabled.
This command is valid for IPv6 shared pools only (Sample syntax: ipv6 pool name prefix ip_address/len shared policy dup-addr-detection). When this policy is enabled, the IPv6 shared pool allows a prefix to be shared in different call sessions with different interface IDs for an IPv6 address. This allows the tracking of interface IDs per prefix and the detection of duplicated IDs.
With this policy disabled, the IPv6 shared pool will allow a prefix to be shared across different call sessions. The interface ID is not considered for any duplicate address detection.
The following options are available:
prefix ip_address/len
Specifies the beginning IPv6 address of the IPv6 address pool. ip_address/len must be specified using colon notation.
range start_address end_address
Configures IPv6 address pool to use a range of addresses.
start_address specifies the beginning of the range of addresses for the IPv6 pool.
end_address specifies the end of the range of addresses for the IPv6 pool.
suppress-switchover-arps
Suppresses Gratuitous ARPS when performing a line card switchover.
The following options are available:
private priority | public priority | shared priority | static priority
Default: public
private priority: address pool may only be used by mobile stations which have requested an IP address from a specified pool. When private pools are part of an IP pool group, they are used in a priority order according to the precedence setting. priority must be a value in the range from 0 through 10 with 0 being the highest. The default is 0.
public priority: address pool is used in priority order for assigning IP addresses to mobile stations which have not requested a specific address pool. priority must be a value in the range from 0 through 10 with 0 being the highest and with a default of 0.
shared priority: address pool that may be used by more than one session at any time. priority must be a value in the range from 0 through 10 with 0 being the highest and with a default of 0.
static priority: address pool is used for statically assigned mobile stations. Statically assigned mobile stations are those with a fixed IP address at all times. priority must be a value in the range from 0 through 10 with 0 being the highest and with a default of 0.
group-name name
This keyword is used to group the IPv6 pools into different groups. The subscribers/domain can be configured with the group-name instead of the prefix-pool names.
name is the name of the group by which the IPv6 pool is to be configured and must be a string having 1 to 79 alpha and/or numeric characters.
Usage
Use this command to modify the current context’s IP address pools by adding, updating, or deleting a pool. Also use this command to resize an existing IP pool.
Example
The following command provides an example of adding an IPv6 pool named ip6Star.
ipv6 pool ip6Star
 
ipv6 route
Configures a static IPv6 route to the next-hop router.
Product
All
Privilege
Administrator
Syntax
[ no ] ipv6 route ipv6_address/prefix_length { interface name | next-hop ipv6_address interface name } [ cost cost ] [ precedence precedence ]
no
Removes the specified static route.
ipv6_address/prefix_length
Specifies a destination IPv6 address or group of addresses that will use this route.
ipv6_address/prefix_length must be specified in IPv6 colon separated notation.
interface name
Specifies the name of the interface on this system associated with the specified route or next-hop address. name must be an existing interface name on the system and be from 1 to 79 alpha and/or numeric characters.
next-hop ipv6_address
The IPv6 address of the directly connected next hop device. ipv6_address must be specified in IPv6 colon separated notation.
cost cost
Default: 0
Defines the number of hops to the next gateway. cost must be an integer value from 0 to 255.
precedence precedence
Default: 1
Indicates the administrative preference of the route. A low precedence specifies that this route takes preference over the route with a higher precedence. precedence must be an integer value from 1 to 254.
Usage
Use this command to create a static route and send data traffic to a next-hop device.
Example
Use the following example to configure a static route with ipv6 prefix/length 2001:0db8:3c4d:0015:0000:0000:abcd:ef12/24 to the next hop interface egress1:
ipv6 route 2001:0db8:3c4d:0015:0000:0000:abcd:ef12/24 interface egress1
 
isakmp disable-phase1-rekey
This command is deprecated. Use ikev1 disable-phase1-rekey command to configure the parameters for Phase1 SA rekeying when ISAKMP lifetime expires for IKE v1 protocol.
 
isakmp keepalive
 
This command is deprecated. Use ikev1 keepalive dpd command to configure ISAKMP IPSec Dead Peer Detection (DPD) message parameters for IKE v1 protocol.
 
isakmp policy
 
This command is deprecated. Use ikev1 policy command to create/configure an ISAKMP policy with the specified priority for IKE v1 protocol.
 
iups-service
This command creates an Iu-PS service instance and enters the Iu-PS Service configuration mode. This mode defines the configuration and usage of Iu-PS interfaces between the SGSN and the RNCs in the UMTS radio access network (UTRAN) and defines both the control plane (GTP-C) and the data plane (GTP-U) between these nodes.
 
Important: For details about the commands and parameters for this mode, check the IuPS Service Configuration Mode chapter.
Product
SGSN
Privilege
Security Administrator, Administrator
Syntax
iups-service srvc_name
no iups-service srvc_name
no
Remove the configuration for the specified Iu-PS service from the configuration for the current context.
srvc_name
A unique string of 1 to 63 alphanumeric characters that identifies the specific IuPS service.
Usage
Use this command to create, edit, or remove an Iu-PS service. Add up to 8 definitions to be used with a single SGSN service so the SGSN can support multiple PLMNs.
Example
The following command creates an Iu-PS service named iu-ps1:
iups-service iu-ps1
The following command removes the Iu-PS service named iu-ps1:
no iups-service iu-ps1
 
l2tp peer-dead-time
Configures a delay for attempting to tunnel to a specific peer which is initially unreachable due to reasons such as a network issue or temporarily having reached its capacity.
Product
All
Privilege
Security Administrator, Administrator
Syntax
l2tp peer-dead-time seconds
default l2tp peer-dead-time
default
Resets the command to its default setting of 60.
peer-dead-time
seconds: Must be an integer value from 5 to 64,000.
Default: 60
Usage
The time to wait before trying to establish a tunnel to a known peer after the initial attempt was unsuccessful.
Example
The following example configures the delay in attempting to tunnel to a temporarily unreachable peer. The delay is set to 120 seconds in this example.
l2tp peer-dead-time 120
 
lac-service
Enters the lac-service configuration mode, or is used to add or remove a specified LAC service.
Product
All
Privilege
Security Administrator, Administrator
Syntax
lac-service name
no lac-service name
no
Removes the specified lac-service from the current context.
name
Specifies the name of a LAC service to configure, add, or remove. It can be from 1 to 63 alpha and/or numeric characters in length and is case-sensitive.
Usage
Enter the LAC service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Example
To add a new LAC service named LAC1 and enter the lac-service configuration mode, enter the following commands:
lac-service LAC1
Are you sure? [Yes|No]: Yes
To configure an existing LAC service named LAC2, enter the following command:
lac-service LAC2
To delete an existing LAC service named LAC3, enter the following command:
no lac-service LAC3
 
lma-service
Creates a Local Mobility Anchor (LMA) service or specifies an existing LMA service and enters the LMA service configuration mode for the current context.
Product
P-GW
Privilege
Administrator
Syntax
lma-service service_name [ -noconfirm ]
no lma-service service_name
service_name
Specifies the name of the LMA service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no lma-service service_name
Removes the specified LMA service from the context.
Usage
Enter the LMA service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Entering this command results in the following prompt:
[context_name]hostname(config-lma-service)#
LMA Service Configuration Mode commands are defined in the LMA Service Configuration Mode Commands chapter.
Use this command when configuring the following eHRPD and PMIP SAE components: P-GW.
Example
The following command enters the existing LMA service configuration mode (or creates it if it doesn’t already exist) for the service named lma-service1:
lma-service lma-service1
The following command will remove lma-service1 from the system:
no lma-service lma-service1
 
lns-service
Enters the lns-service configuration mode, or is used to add or remove a specified LNS service.
Product
All
Privilege
Security Administrator, Administrator
Syntax
lns-service name
no lns-service name
no
Removes the specified lns-service from the current context.
name
Specifies the name of an LNS service to configure, add, or remove. It can be from 1 to 63 alpha and/or numeric characters in length and is case-sensitive.
Usage
Enter the LNS service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Example
To add a new LNS service named LNS1 and enter the lns-service configuration mode, enter the following commands:
lns-service LNS1
Are you sure? [Yes|No]: Yes
To configure an existing LNS service named LNS2, enter the following command:
lns-service LNS2
To delete an existing LNS service named LNS3, enter the following command:
no lns-service LNS3
 
lawful-intercept
This command defines the acknowledgement parameters for the UDP event delivery interface. It also specifies the interface IP address(es) that go into the headers of the content and event delivery messages going to the DF.
Product
PDSN, HA, GGSN, PDIF, SGSN, ASN-GW, SCM
Privilege
Security Administrator, Administrator with LI-Administrator privileges
Syntax
lawful-intercept { acked-udp [ num-retry number ] [ timeout time ] | event-attributes bsid | hand-off-policy send-start-intercept-with-pdp-active-iri | interception-point-policy { { sms-mo | sms-mt } { message-delivered | request-received } } | reprovision-target-policy resend-pdp-context-active-iri | src-ip-addr ip_address | sms-content-policy { exclude-content | include-content } | tcp tcp_option | unack-format use-service-address }
default lawful-intercept { acked-udp { num-retry | timeout } | event-attributes bsid | hand-off-policy send-start-intercept-with-pdp-active-iri | interception-point-policy { sms-mo | sms-mt } | reprovision-target-policy resend-pdp-context-active-iri | sms-content-policy | tcp tcp_option | unack-format use-service-address }
no lawful-intercept { event-attributes bsid | hand-off-policy send-start-intercept-with-pdp-active-iri | reprovision-target-policy resend-pdp-context-active-iri | src-ip-addr ip_address | tcp tcp_option | unack-format use-service-address }
no
Disables the configuration parameters for selected keyword(s) for the Lawful Intercept configuration.
default
Sets the behavior of command/keyword to its default setting.
acked-udp
Entering this keyword enables the acknowledged-UDP interface. After entering acked-udp, one or both of the following options can be entered:
num-retry number: Enter an integer between 1 and 100 to define the maximum number of retries for sending an unacknowledged message. Default is 20.
timeout time: Enter an integer between 1 and 100 to define the maximum number of seconds that the system waits before retransmitting an unacknowledged message. Default is 3.
event-attributes bsid
This keyword enables the transmission of base-station id in event attributes for intercepted PDSN.
By default this keyword is disabled.
hand-off-policy send-start-intercept-with-pdp-active-iri
This optional keyword enables a policy for hand-off in the case of ISRAU (inter-SGSN routing area update) and sends a ‘start intercept’ message with the PDP context LI event to the mediation server.
Default: Disabled.
This keyword is only applicable to the SGSN.
interception-point-policy
Configures the point of interception and the time of interception for an SMS. One of the following options must be selected to specify the point of interception:
sms-mo: point of interception for a mobile-originated SMS
After configuring the point of interception, one of the following options must be selected to configure the point in time for the interception:
message-delivered: intercept when the SGSN receives notification from the SMSC/MS. This is the default for either SMS-MO or SMS-MT.
request-received: intercept when the SGSN receives the request.
This keyword is only applicable to the SGSN.
reprovision-target-policy resend-pdp-context-active-iri
Reprovisions the target identity in case of duplicates and sends a PDP context active LI IRI event to the mediation server.
This keyword is only applicable to the SGSN.
sms-content-policy { exclude-content | include-content }
This optional keyword defines the SMS content policy: whether the SMS IRI event carries only the SMS header or both the SMS header and content. When an SMS is delivered from or to the mobile subscriber, an SMS event containing the header and content of the SMS is generated and sent via Delivery Function 2 to the LEA in the same way as the IRI. The LEA can configure the SMS policy so that an SMS event contains only the SMS header, or the SMS header and SMS content.
Default behaviour is to send SMS header and Content in SMS IRI.
Following options can be configured:
exclude-content: Sets the policy to send only SMS header in IRI.
include-content: Sets the policy to send SMS header and content both in IRI.
By default it is enabled.
src-ip-addr
ip_address: This is known as the source-address. It is an IPv4 address that identifies the system’s interface, in the current context, from which the intercepted messages are forwarded to the DF according to the event delivery or content delivery provisioning done in the Exec configuration mode.
tcp tcp_option
Enables the use of TCP (in place of UDP) as the transport for sending the intercepted information to the DF. One of the following options must be configured:
application-heartbeat-messages timout minute dur - In firewall-enabled scenarios, TCP connections get dropped because the connections are idle most of the time. This keyword enables the SGSN to send application-level heartbeat messages to the mediation server to keep the connection alive. This keyword is used to enable/disable sending of heartbeat messages. By default this mode is disabled.
timout minute dur sets the timeout duration for the heartbeat timer. By default the heartbeat timer value is 5 minutes.
connection-retry-timer time - configures the maximum time to wait before retrying to connect, in seconds. Default is 2 seconds. time: enter any integer from 1 to 65535.
content-delivery dest-addr ip_address - configures the destination IP address of the DF3 to send the intercepted content (i.e., data/CC). ip_address: enter an address in standard IPv4/IPv6 format. Must be followed by:
dest-port port_num - configures the destination port where the intercepted information is to be forwarded. port_num: enter any integer from 1 to 65535.
event-delivery dest-addr ip_address - configures the destination address of the DF2 to send the intercepted events information (i.e., IRI). ip_address: enter an address in standard IPv4/IPv6 format. Must be followed by:
dest-port port_num - configures the destination port where the intercepted information is to be forwarded. port_num: enter any integer from 1 to 65535.
unack-format use-service-address
This set of keywords instructs the system to use the service-address, in place of the source-address in the ip-headers of the intercepted messages that are forwarded to the DF according to the content delivery provisioning done in the Exec configuration mode. The service-address is an IPv4 address that identifies on which of the system’s interfaces the intercept was received.
Important: This function requires that the Lawful Intercept provisioning (done in the Exec configuration mode) include the udp-unack-format-1 for the content delivery keyword. Changing the configuration and the provisioning to enable/disable this feature can be done on the fly.
Usage
Use this command to configure the parameters controlling the forwarding of the intercepted messages to the DF.
For details on provisioning the Lawful Intercepts, refer to the Exec configuration mode.
For details on using the Lawful Intercept capability of the system, refer to System Administration and Configuration Guide.
Important: When monitoring for calls that are not yet active, the source-address information does not need to be configured immediately. However, it must be configured as soon as the call becomes active in order for Lawful Interception to function properly.
Example
To set the source-address in the current context to 198.162.100.10, use the following command:
lawful-intercept src-ip-addr 198.162.100.10
 
lawful-intercept dictionary
This command configures LI dictionary to support customer specific LI requirements.
Product
All
Privilege
Security Administrator, Administrator
Syntax
lawful-intercept dictionary { standard | cust_dict }
[default] lawful-intercept dictionary
default
Sets the LI dictionary to default; i.e. standard.
standard
Specifies the standard dictionary to be used for LI session.
cust_dict
Specifies the customer-specific dictionary, custom1 through custom10, to be used for provisioning/interception in the configured LI context.
Usage
Use this command to configure the LI dictionary to be used for LI requirements. LI dictionaries are context specific and will be applicable to provisions / interceptions for configured LI context.
Example
The following command specifies the standard LI dictionary to be used for LI requirements:
default lawful-intercept dictionary
 
mag-service
Creates a Mobile Access Gateway (MAG) service or specifies an existing MAG service and enters the MAG service configuration mode for the current context.
Product
HSGW, S-GW
Privilege
Administrator
Syntax
mag-service service_name [ -noconfirm ]
no mag-service service_name
service_name
Specifies the name of the MAG service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no mag-service service_name
Removes the specified MAG service from the context.
Usage
Enter the MAG service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Entering this command results in the following prompt:
[context_name]hostname(config-mag-service)#
MAG Service Configuration Mode commands are defined in the MAG Service Configuration Mode Commands chapter.
Use this command when configuring the following eHRPD and PMIP SAE components: HSGW and S-GW.
Example
The following command enters the existing MAG service configuration mode (or creates it if it doesn’t already exist) for the service named mag-service1:
mag-service mag-service1
The following command will remove mag-service1 from the system:
no mag-service mag-service1
 
map-service
This command creates a Mobile Application Part (MAP) Service instance and enters the MAP Service configuration mode to define or edit the MAP service parameters.
MAP is the SS7 protocol that provides the application layer required by some of the nodes in GPRS/UMTS networks to communicate with each other in order to provide services to mobile phone users. MAP is used by the serving GPRS support node (SGSN) to access SS7 network nodes such as a home location register (HLR) or a radio access network (RAN).
Product
SGSN
Privilege
Security Administrator, Administrator
Syntax
map-service srvc_name
no map-service srvc_name
no
Remove the specified MAP service from the configuration for the current context.
srvc_name
A unique string of 1 to 63 alphanumeric characters that identify the specific MAP service.
Usage
Use this command to create, edit, or remove a MAP service configuration.
Important: For details about the commands and parameters, check the MAP Service Configuration Mode chapter.
Example
The following command creates a MAP service named map-1:
map-service map-1
The following command removes the configuration for a MAP service named map-1 from the configuration for the current context:
no map-service map-1
 
mme-hss-service
Creates a Mobility Management Entity (MME)-HSS service or configures an existing MME HSS service and enters the MME-HSS service configuration mode for EPC network in the current context.
Product
MME
Privilege
Administrator
Syntax
mme-hss-service service_name [ -noconfirm ]
no mme-hss-service service_name
service_name
Specifies the name of the MME HSS service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no mme-hss-service service_name
Removes the specified MME HSS service from the context.
Usage
Enter the MME HSS service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Entering this command results in the following prompt:
[context_name]hostname(config-mme-hss-service)#
MME HSS Service Configuration Mode commands are defined in the MME HSS Service Configuration Mode Commands chapter.
Use this command when configuring the eGTP SAE component(s); i.e. MME.
Example
The following command enters the existing MME HSS service configuration mode (or creates it if it doesn’t already exist) for the service named mme-hss-service1:
mme-hss-service mme-hss-service1
The following command will remove mme-hss-service1 from the system:
no mme-hss-service mme-hss-service1
 
mme-service
Creates a Mobility Management Entity (MME) service or configures an existing MME service and enters the MME service configuration mode for EPC networks in the current context.
Product
MME
Privilege
Administrator
Syntax
mme-service service_name [ -noconfirm ]
no mme-service service_name
no
Removes the specified MME service from the context.
service_name
Specifies the name of the MME service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Usage
Enter the MME service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 8 MME services can be configured on a system, which is further limited to a maximum of 256 services (regardless of type) per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Entering this command results in the following prompt:
[context_name]hostname(config-mme-service)#
MME Service Configuration Mode commands are defined in the MME Service Configuration Mode Commands chapter.
Caution: This is a critical configuration. The MME service cannot be configured without this configuration. Any change to this configuration leads to a restart of the MME service, and removing or disabling this configuration stops the MME service.
Example
The following command enters the existing MME service configuration mode (or creates it if it doesn’t already exist) for the service named mme-service1:
mme-service mme-service1
The following command will remove mme-service1 from the system:
no mme-service mme-service1
 
mobile-ip
The commands in this section are used for configuring mobile IP parameters.
 
mobile-ip fa newcall
Configures settings that affect all FA services in the current context.
Product
FA
Privilege
Security Administrator, Administrator
Syntax
mobile-ip fa { multiple-dynamic-reg-per-nai | newcall duplicate-home-address { accept | reject } }
no mobile-ip fa { multiple-dynamic-reg-per-nai | newcall duplicate-home-address }
no mobile-ip fa { multiple-dynamic-reg-per-nai | newcall duplicate-home-address }
multiple-dynamic-reg-per-nai: Disables all FA services in the current context from simultaneously setting up multiple dynamic home address registrations that have the same NAI.
newcall duplicate-home-address: Resets this option to its default of reject.
multiple-dynamic-reg-per-nai
This keyword allows all FA services in the current context to simultaneously set up multiple dynamic home address registrations that have the same NAI.
duplicate-home-address { accept | reject }
Default: reject
accept: The new call is accepted and the existing call is dropped.
reject: The new call is rejected with an Admin Prohibited code.
Usage
Use this command to set the behavior of all FA services in the current context.
Example
To configure all FA services to accept new calls and drop the existing call when the new call requests an IP address that is already in use by an existing call, enter the following command:
mobile-ip fa newcall duplicate-home-address accept
To allow all FA services in the current context to simultaneously set up multiple dynamic home address registrations that have the same NAI, enter the following command:
mobile-ip fa multiple-dynamic-reg-per-nai
 
mobile-ip ha assignment-table
This command creates a Mobile IP HA assignment table and enters Mobile IP HA Assignment Table Configuration Mode.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
mobile-ip ha assignment-table atable_name [ -noconfirm ]
no mobile-ip ha assignment-table atable_name
no
This keyword deletes the specified assignment table.
atable_name
The name of the MIP HA assignment table to create or edit.
-noconfirm
This keyword specifies that the assignment table should be created with no further confirmation by the user.
Usage
Use this command to create a new MIP HA assignment table or edit an existing MIP HA assignment table.
Important: A maximum of 8 MIP HA assignment tables can be configured per context with a maximum of 8 MIP HA assignment tables across all contexts.
Important: A maximum of 256 non-overlapping hoa-ranges can be configured per MIP HA Assignment table with a maximum of 256 non-overlapping hoa-ranges across all MIP HA Assignment tables.
Example
The following command creates a new MIP HA assignment table named MIPHAtable1 and enters MIP HA Assignment Table configuration mode without asking for confirmation from the user:
mobile-ip ha assignment-table MIPHAtable1 -noconfirm
 
mobile-ip ha newcall
Configures the behavior of all HA services when duplicate home addresses and duplicate IMSI sessions occur for new calls.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
mobile-ip ha newcall { duplicate-home-address { accept | reject } | duplicate-imsi-session { allow | disallow | global-disallow } }
no mobile-ip ha newcall { duplicate-home-address | duplicate-imsi-session }
no mobile-ip ha newcall { duplicate-home-address | duplicate-imsi-session }
duplicate-home-address: Resets the option to its default of reject.
duplicate-imsi-session: Reset the option to its default of allow.
duplicate-home-address { accept | reject }
Default: reject
Configures the HA to either accept or reject new calls if the new call requests a static IP home address that is already assigned to an existing call from an IP address pool in the same destination context.
accept: The new call is accepted and the existing call is dropped.
reject: The new call is rejected with an Admin Prohibited code.
duplicate-imsi-session { allow | disallow | global-disallow }
Default: allow
Configures the HA to either permit or not permit multiple sessions for the same IMSI.
allow: Allows multiple sessions for the same IMSI.
disallow: If a mobile node already has an active session and a new session is requested using the same IMSI, the currently active session is dropped and the new session is accepted.
global-disallow: Enables HA services in this context to accept a new session and disconnect any other session(s) having the same IMSI being processed in this context. In addition, a request is sent to all other contexts containing HA services to do the same.
Important: In order to ensure a single session per IMSI across all contexts containing HA services, the global-disallow option must be configured in every context.
Usage
Use this command to set the behavior of all HA services for new calls.
Example
To configure all HA services to accept new calls when the new call requests a static IP that is already assigned from an IP pool in the same destination context, enter the following command:
mobile-ip ha newcall duplicate-home-address accept
To configure all HA services to drop an active call and accept a new one that uses the same IMSI, enter the following command:
mobile-ip ha newcall duplicate-imsi-session disallow
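The requirement that global-disallow be configured in every context containing HA services can be checked offline against a saved configuration. The following Python check is an added example, not vendor code; the "context" / "ha-service" block layout and the sample configuration are constructed assumptions, while the option names and defaults are the ones documented above.

```python
import re

# Defaults as documented for "mobile-ip ha newcall".
DEFAULTS = {"duplicate-home-address": "reject", "duplicate-imsi-session": "allow"}

# Constructed sample. The layout (a "context <name>" line followed by that
# context's commands, "ha-service <name>" marking an HA service) is an assumption.
SAMPLE_CONFIG = """\
config
  context ha-ctx1
    ha-service ha1
    exit
    mobile-ip ha newcall duplicate-imsi-session global-disallow
  exit
  context ha-ctx2
    ha-service ha2
    exit
    mobile-ip ha newcall duplicate-home-address accept
  exit
  context isp1
    mpls bgp forwarding
  exit
end
"""

NEWCALL = re.compile(
    r"^(no\s+)?mobile-ip\s+ha\s+newcall\s+"
    r"(duplicate-home-address|duplicate-imsi-session)(?:\s+(\S+))?$"
)


def effective_policies(config_text):
    """Return {context: {option: value}} for contexts that hold an HA service."""
    policies, has_ha, current = {}, set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^context\s+(\S+)$", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, dict(DEFAULTS))
            continue
        if current is None:
            continue
        if re.match(r"^ha-service\s+\S+", line):
            has_ha.add(current)
            continue
        m = NEWCALL.match(line)
        if m:
            negated, option, value = m.groups()
            if negated:
                # The "no" form resets the option to its documented default.
                policies[current][option] = DEFAULTS[option]
            elif value:
                policies[current][option] = value
    return {ctx: pol for ctx, pol in policies.items() if ctx in has_ha}


def audit(config_text):
    """Return a list of (context, option, value, reason) findings."""
    policies = effective_policies(config_text)
    uses_global = any(
        p["duplicate-imsi-session"] == "global-disallow" for p in policies.values()
    )
    findings = []
    for ctx, pol in sorted(policies.items()):
        imsi = pol["duplicate-imsi-session"]
        if uses_global and imsi != "global-disallow":
            findings.append((ctx, "duplicate-imsi-session", imsi,
                             "global-disallow is not set in every HA context, so a "
                             "single session per IMSI is not ensured across contexts"))
        if pol["duplicate-home-address"] == "accept":
            findings.append((ctx, "duplicate-home-address", "accept",
                             "a new call requesting an in-use static home address "
                             "causes the existing call to be dropped"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("%s: %s=%s (%s)" % finding)
```
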
 
mobile-ip ha reconnect
Sets the behavior of all HA services to reconnect dropped calls.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
mobile-ip { ha reconnect [ static-homeaddr [ dynamic-pool-allocation ] ] }
no mobile-ip { ha reconnect [ static-homeaddr [ dynamic-pool-allocation ] ] }
static-homeaddr
The home address is a static IP address.
dynamic-pool-allocation
Allows a dynamic pool to accept a static address allocation.
Usage
Use this command to reset the HA behavior for new calls.
Example
mobile-ip ha reconnect
mobile-ip ha reconnect static-homeaddr
mobile-ip ha reconnect static-homeaddr dynamic-pool-allocation
no mobile-ip ha reconnect
no mobile-ip ha reconnect static-homeaddr
 
mpls bgp forwarding
This command globally enables the MPLS BGP forwarding.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[no] mpls bgp forwarding
no
Disables MPLS BGP forwarding configured on the system.
Usage
Use this command to globally enable the MPLS BGP forwarding. By enabling this command, the BGP VPNv4 routes need not have an underlying LSP to forward the IP packets. If this command is not enabled, then the nexthop for the BGP routes must be reachable via LDP.
Caution: This command should be enabled ONLY when all the BGP peers with which VPNv4 routes are exchanged are one hop away.
Example
The following command enables MPLS BGP forwarding on the system:
mpls bgp forwarding
 
nw-reachability server
This command adds/deletes a reachability-detect server and configures parameters for retrying the failure-detection process. When network reachability is enabled, a ping request is sent to this device. If there is no response after a specified number of retries, the network is deemed failed. Execute this command multiple times to configure multiple network reachability servers.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
nw-reachability server server_name [ interval seconds ] [ local-addr ip_addr ] [ num-retry num ] [ remote-addr ip_addr ] [ timeout seconds ]
no nw-reachability server server_name
no
Delete the reference to the specified network reachability server.
server_name
A name for the network device that is sent ping packets to test for network reachability.
interval seconds
Default: 60 seconds
Specifies the frequency in seconds for sending ping requests. seconds must be an integer from 1 through 3600.
local-addr ip_addr
Specifies the IP address to be used as the source address of the ping packets. If this is unspecified, an arbitrary IP address that is configured in the context is used. ip_addr must be an IPv4 address in dotted decimal notation.
num-retry num
Default: 5
Specifies the number of retries before deciding that there is a network-failure. num must be an integer from 0 through 100.
remote-addr ip_addr
Specifies the IP address of a network element to use as the destination to send the ping packets for detecting network failure or reachability. ip_addr must be an IPv4 address in dotted decimal notation.
timeout seconds
Default: 3 seconds
Specifies how long to wait, in seconds, before retransmitting a ping request to the remote address. seconds must be an integer from 1 through 10.
Usage
Use this command to set up a network device on a destination network that is used to ensure that Mobile IP sessions can reach the required network from the HA.
Important: Refer to the HA configuration mode command policy nw-reachability-fail to configure the action that should be taken when network reachability fails.
Important: Refer to the subscriber config mode command nw-reachability-server to bind the network reachability to a specific subscriber.
Important: Refer to the nw-reachability server server_name keyword of the ip pool command in this chapter to bind the network reachability server to an IP pool.
Example
To set a network device called InternetDevice with the IP address of 192.168.100.10 as the remote address that is pinged to determine network reachability and use the address 192.168.200.10 as the origination address of the ping packets sent, enter the following command:
nw-reachability server InternetDevice local-addr 192.168.200.10 remote-addr 192.168.100.10
 
network-requested-pdp-context
The commands in this section are used for configuring Network Requested PDP Context functionality.
 
network-requested-pdp-context activate
Configures the mobile station(s) (MSs) for which network initiated PDP contexts are supported.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
network-requested-pdp-context activate address ip_address dst-context context_name imsi imsi apn apn_name
no network-requested-pdp-context activate { address ip_address dst-context context_name }
no
Disables the system’s ability to accept network-requested PDP contexts on the specified interface.
address ip_address
Specifies the static IP address of the MS.
ip_address must be expressed in dotted decimal notation.
dst-context context_name
Specifies the name of the destination context configured on the system containing the static IP address pool in which the MS’s IP address is configured.
context_name must be from 1 to 79 alpha and/or numeric characters and is case sensitive.
imsi imsi
Specifies the International Mobile Subscriber Identity (IMSI) of the MS.
imsi must be from 1 to 15 numeric characters.
apn apn_name
Specifies the Access Point Name (APN) that is passed to the SGSN by the system.
apn_name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
Usage
Use this command to specify the MS(s) for which network initiated PDP contexts are supported.
When a packet is received for an MS that does not currently have a PDP context established, the system checks the configuration of this parameter to determine if the destination IP address specified in the packet is specified by this parameter. If the address is not specified, then the system discards the packet. If the address is specified, the system uses the configured IMSI and APN to determine the appropriate SGSN from the Home Location Register (HLR). The system communicates with the HLR through the interworking node configured using the network-requested-pdp-context gsn-map command.
Once the session is established, the destination context specified by this command is used in place of the one either configured within the specified APN template or returned by a RADIUS server during authentication.
This command can be issued multiple times supporting network initiated PDP contexts for up to 1000 configured addresses per system context.
Example
The following command enables support for network initiated PDP contexts for an MS with a static IP address of 20.13.5.40 from a pool configured in the destination context pdn1 with an IMSI of 3319784450 that uses an APN template called isp1:
network-requested-pdp-context activate address 20.13.5.40 dst-context pdn1 imsi 3319784450 apn isp1
 
network-requested-pdp-context gsn-map
Configures the IP address of the interworking node that is used by the system to communicate with the HLR and optionally sets the GTP version to use.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
network-requested-pdp-context gsn-map ip_address [ gtp-version { 0 | 1 } ]
no network-requested-pdp-context gsn-map
no
Deletes a previously configured gsn-map node.
ip_address
Specifies the IP address of the gsn-map node.
ip_address must be an IPv4 address entered using dotted decimal notation or an IPv6 address using colon (:) separated notation.
[ gtp-version { 0 | 1 } ]
Default: 1
Specifies the GTP version used.
Usage
Communications from the system to the HLR must go through a GSN-map interworking node that performs the protocol conversion from GTPC to SS7.
The UDP port for this communication is 2123.
Support for network requested PDP contexts must be configured within source contexts on the system. Only one gsn-map node can be configured per source context.
The source context also contains the GGSN service configuration that specifies the IP address of the Gn interface. If multiple GGSN services are configured in the source context, one is selected at random for initiating the Network Requested PDP Context Activation procedure.
Communication with the gsn-map node is done over the Gn interface configured for the GGSN service. The IP address of that interface is used as the system’s source address.
Example
The following command configures the system to communicate with a gsn-map node having an IP address of 192.168.2.5:
network-requested-pdp-context gsn-map 192.168.2.5
 
network-requested-pdp-context hold-down-time
Configures the time duration that the system waits after the SGSN rejects an attempt to create a network-requested PDP context for the subscriber.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
network-requested-pdp-context hold-down-time time
time
Default: 60
The time interval is measured in seconds and can be configured to any integer value between 0 and 86400.
Usage
Packets received during this time period are discarded rather than being used to trigger another network-requested PDP context creation attempt for the same subscriber. After the time period has expired, any subsequent packet received causes another network-requested PDP context creation procedure to begin.
Example
The following command configures a hold-down-time of 120 seconds:
network-requested-pdp-context hold-down-time 120
 
network-requested-pdp-context interval
Configures the minimum amount of time that must elapse between the deletion of a network initiated PDP context and the creation of a new one for the same MS.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
network-requested-pdp-context interval time
time
Default: 60
Specifies the minimum amount of time that must pass before the system allows another network-requested PDP context for a specific MS after the previous context was deleted.
time is measured in seconds and can be configured to any integer value from 0 to 86400.
Usage
Once an MS deletes a PDP context that was initiated from the network, the system automatically waits the amount of time configured by this parameter before allowing another network initiated PDP context for the same MS.
Example
The following command specifies that the system waits 120 seconds before allowing another network requested PDP context for an MS:
network-requested-pdp-context interval 120
 
network-requested-pdp-context sgsn-cache-time
Configures the time duration that the GGSN keeps the SGSN/subscriber pair cached in its local memory.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
network-requested-pdp-context sgsn-cache-time time
time
Default: 300
The time interval is measured in seconds and can be configured to any integer value between 0 and 86400.
Usage
For an initial network-requested PDP context creation, the system contacts the HLR (via the GSN-MAP interworking node) to learn which SGSN is currently servicing the subscriber. The system keeps that information in cache memory for the configured time, so that future network-requested PDP context creations for that subscriber can be initiated without having to contact the HLR again.
Example
The following command configures an sgsn-cache-time of 500 seconds:
network-requested-pdp-context sgsn-cache-time 500
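How the activate address list interacts with hold-down-time, interval and sgsn-cache-time, as an added Python model (not vendor code). The class, method names and outcome strings are hypothetical; discarding packets during the interval and keeping the cached SGSN after a rejection are assumptions the text does not state.

```python
class NrpcaModel:
    """Toy model of the network-requested PDP context timers described above."""

    def __init__(self, hold_down_time=60, interval=60, sgsn_cache_time=300):
        # Defaults are the documented defaults, in seconds.
        self.hold_down_time = hold_down_time
        self.interval = interval
        self.sgsn_cache_time = sgsn_cache_time
        self.activations = {}  # static address -> (imsi, apn), one per "activate" command
        self.hlr = {}          # imsi -> serving SGSN; stand-in for the HLR behind the gsn-map node
        self.hlr_queries = 0   # number of lookups that had to go to the HLR
        self.sgsn_cache = {}   # imsi -> (sgsn, time learned)
        self.hold_until = {}   # imsi -> time the hold-down ends
        self.deleted_at = {}   # imsi -> time the last network-initiated context was deleted

    def context_deleted(self, imsi, now):
        """Record that the MS deleted its network-initiated PDP context."""
        self.deleted_at[imsi] = now

    def downlink_packet(self, dst, now, sgsn_accepts=True):
        """Decide what happens to a packet for an MS with no PDP context."""
        entry = self.activations.get(dst)
        if entry is None:
            return "discard:unconfigured"      # address not listed by "activate"
        imsi, _apn = entry
        if now < self.hold_until.get(imsi, 0):
            return "discard:hold-down"         # SGSN rejected recently
        if imsi in self.deleted_at and now - self.deleted_at[imsi] < self.interval:
            return "discard:interval"          # assumption: packet dropped while waiting
        cached = self.sgsn_cache.get(imsi)
        if cached is not None and now - cached[1] < self.sgsn_cache_time:
            source = "cache"
        else:
            self.hlr_queries += 1              # lookup through the gsn-map node
            self.sgsn_cache[imsi] = (self.hlr[imsi], now)
            source = "hlr"
        if not sgsn_accepts:
            self.hold_until[imsi] = now + self.hold_down_time
            return "rejected:" + source
        return "requested:" + source


def demo():
    """Replay a constructed packet timeline using the values from the activate example."""
    m = NrpcaModel()
    m.activations["20.13.5.40"] = ("3319784450", "isp1")
    m.hlr["3319784450"] = "sgsn-a"             # constructed SGSN name
    out = [
        m.downlink_packet("10.0.0.1", 0),                          # not configured
        m.downlink_packet("20.13.5.40", 0, sgsn_accepts=False),    # SGSN rejects
        m.downlink_packet("20.13.5.40", 30),                       # inside hold-down
        m.downlink_packet("20.13.5.40", 60),                       # hold-down over
    ]
    m.context_deleted("3319784450", 100)
    out.append(m.downlink_packet("20.13.5.40", 120))               # inside interval
    out.append(m.downlink_packet("20.13.5.40", 400))               # cache entry expired
    return out, m.hlr_queries


if __name__ == "__main__":
    outcomes, queries = demo()
    for outcome in outcomes:
        print(outcome)
    print("HLR queries:", queries)
```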
 
operator
Configures a context-level operator account within the current context.
Product
All
Privilege
Security Administrator
Syntax
operator user_name [ encrypted ] password pwd [ ecs ] [ expiry-date date_time ] [ li-administration ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle idle_seconds ] [ timeout-min-idle idle_minutes ]
no operator user_name
no
Removes a previously configured context-level operator account.
user_name
Specifies a name for the account. user_name must be from 1 to 32 alpha and/or numeric characters.
[ encrypted ] password pwd
Specifies the password to use for the user which is being given context-level operator privileges within the current context. The encrypted keyword indicates the password specified uses encryption.
The password specified as pwd must be from 1 to 63 alpha and/or numeric characters without encryption and must be from 1 to 127 alpha and/or numeric characters when encryption has been indicated.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
ecs
Default: ACS-specific configuration commands not allowed.
Permits the specific user to access ACS-specific configuration commands from Executive mode only.
expiry-date date_time
The date and time that this account expires. Enter the date and time in the format YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss.
Where YYYY is the year, MM is the month, DD is the day of the month, HH is the hour, mm is minutes, and ss is seconds.
li-administration
Permits this user to execute Lawful Intercept commands.
Important: Users who have Lawful Intercept privileges are only given those privileges when connected to the system through a Secure Shell (SSH). If this user connects through a Telnet session or through the console port, Lawful Intercept privileges are not enabled.
noecs
Default: Enabled.
Prevents the specific user from accessing ACS-specific configuration commands.
timeout-absolute abs_seconds
Default: 0
This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.
Specifies the maximum amount of time, in seconds, the context-level operator may have a session active before the session is forcibly terminated. abs_seconds must be a value in the range from 0 through 300000000.
The special value 0 disables the absolute timeout.
timeout-min-absolute abs_minutes
Default: 0
Specifies the maximum amount of time, in minutes, the context-level operator may have a session active before the session is forcibly terminated. abs_minutes must be a value in the range from 0 through 300000000.
The special value 0 disables the absolute timeout.
timeout-idle idle_seconds
Default: 0
This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.
Specifies the maximum amount of idle time, in seconds, the context-level operator may have a session active before the session is terminated. idle_seconds must be an integer from 0 through 300000000.
The special value 0 disables the idle timeout.
timeout-min-idle idle_minutes
Default: 0
Specifies the maximum amount of idle time, in minutes, the context-level operator may have a session active before the session is terminated. idle_minutes must be a value in the range from 0 through 300000000.
The special value 0 disables the idle timeout.
Usage
Create a new context-level operator or modify an existing operator’s options, in particular the timeout values.
Operator users have read-only privileges. They can maneuver across multiple contexts, but cannot perform configuration operations. Refer to the Command Line Interface Overview chapter of this guide for more information.
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
Example
The following command creates a context-level operator account called user1 with ACS parameter control:
operator user1 password secretPassword ecs
The following command removes a previously configured context-level operator account called user1:
no operator user1
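A review of operator lines in a configuration script against the options documented above, as an added Python example (not vendor code). The function names, finding labels and sample lines are hypothetical, and treating a missing timeout, a missing expiry-date or a plain-text password as a finding is a local policy assumption.

```python
from datetime import datetime

# Keywords taken from the operator syntax in this section.
FLAG_KEYWORDS = {"encrypted", "ecs", "noecs", "li-administration"}
VALUE_KEYWORDS = {"password", "expiry-date", "timeout-absolute",
                  "timeout-min-absolute", "timeout-idle", "timeout-min-idle"}

# Constructed sample lines (not from a real system); the encrypted strings are made up.
SAMPLE_CONFIG = """\
operator user1 password secretPassword ecs
operator noc2 encrypted password 5c4a38dc2ff61f72 timeout-min-idle 15 timeout-min-absolute 480 expiry-date 2031:01:01:00:00
operator li3 encrypted password 1f0a9e77ab34cd10 li-administration timeout-idle 600 expiry-date 2020:06:30:23:59:59
no operator olduser
"""


def parse_operator(line):
    """Parse one 'operator ...' line; return None for any other line."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "operator":
        return None
    acct = {"user": tokens[1], "flags": set(), "values": {}}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAG_KEYWORDS:
            acct["flags"].add(tok)
            i += 1
        elif tok in VALUE_KEYWORDS:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} is missing its value: {line!r}")
            acct["values"][tok] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unknown keyword {tok!r} in {line!r}")
    return acct


def parse_expiry(text):
    """Accept YYYY:MM:DD:HH:mm:ss or YYYY:MM:DD:HH:mm, as documented."""
    for fmt in ("%Y:%m:%d:%H:%M:%S", "%Y:%m:%d:%H:%M"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"bad expiry-date {text!r}")


def audit_account(acct, now):
    """Return a list of finding labels for one parsed operator account."""
    findings = []
    vals, flags = acct["values"], acct["flags"]
    if "password" in vals and "encrypted" not in flags:
        findings.append("plaintext-password")        # readable secret in the script
    for kind in ("idle", "absolute"):
        if f"timeout-{kind}" in vals:
            findings.append(f"obsolete-timeout-{kind}")  # seconds keyword is obsolete
        minutes = int(vals.get(f"timeout-min-{kind}", 0))
        seconds = int(vals.get(f"timeout-{kind}", 0))
        if minutes == 0 and seconds == 0:             # 0 (the default) disables the timeout
            findings.append(f"no-{kind}-timeout")
    if "li-administration" in flags:
        findings.append("li-privilege")               # Lawful Intercept access: review owner
    expiry = vals.get("expiry-date")
    if expiry is None:
        findings.append("no-expiry-date")
    elif parse_expiry(expiry) <= now:
        findings.append("expired")
    return findings


def audit_config(text, now):
    """Audit every operator line in a configuration script."""
    report = {}
    for line in text.splitlines():
        acct = parse_operator(line.strip())
        if acct is not None:
            report[acct["user"]] = audit_account(acct, now)
    return report


if __name__ == "__main__":
    for user, findings in audit_config(SAMPLE_CONFIG, datetime.now()).items():
        print(user, findings or "ok")
```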
 
optimize pdsn inter-service-handoff
Controls the optimization of the system’s handling of inter-PDSN handoffs.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
optimize pdsn inter-service-handoff
[ default | no ] optimize pdsn inter-service-handoff
default
Resets the command to its default setting of enabled.
no
Disables the feature.
Usage
When more than one PDSN service is defined in a context, each PDSN-Service acts as an independent PDSN. When a Mobile Node (MN) moves from one PDSN service to another PDSN service, by rule, it is an inter-PDSN handoff. This command optimizes PDSN handoffs between PDSN Services that are defined in the same context in the system.
The default for this parameter is enabled. The no keyword disables this functionality.
When enabled, the system treats handoffs happening between two PDSN services in the same context as an inter-PDSN handoff. Existing PPP session states and connection information are reused. If the inter-PDSN handoff requires a PPP restart, then PPP is restarted. The optimized inter-service-handoff may not restart the PPP during handoffs, allowing the MN to keep the same IP address for the Simple IP session.
Example
optimize pdsn inter-service-handoff
 
pdg-service
Creates a new PDG service or specifies an existing PDG service and enters the PDG Service Configuration Mode. A maximum of 16 PDG services can be created. This limit applies per ASR 5000 chassis and per context.
Product
PDG/TTG
Privilege
Security Administrator, Administrator
Syntax
pdg-service name
no pdg-service name
pdg-service name
Specifies the name of a new or existing PDG service.
name must be from 1 to 63 alpha and/or numeric characters and must be unique across all FNG services within the same context and across all contexts.
no pdg-service name
Deletes the specified PDG service.
Usage
Use this command in Context Configuration Mode to create a new PDG service or modify an existing one. Executing this command enters the PDG Service Configuration Mode.
Example
The following command configures a PDG service named pdg_service_1 and enters the PDG Service Configuration Mode:
pdg-service pdg_service_1
 
pdif-service
Creates a new, or specifies an existing, PDIF service and enters the PDIF Service Configuration Mode.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
[ no ] pdif-service name [ -noconfirm ]
name
Specifies the name of a new or existing PDIF service. name must be from 1 to 63 alpha and/or numeric characters.
Usage
Use this command to create a new or enter an existing PDIF service.
Entering this command results in the following prompt:
[context_name]hostname(config-pdif-service)#
PDIF Service Configuration Mode commands are defined in the PDIF Service Configuration Mode Commands chapter.
Example
The following command configures a PDIF service called pdif2 and enters the PDIF Service Configuration Mode:
pdif-service pdif2
 
pdsn-service
Creates/deletes a packet data service or specifies an existing PDSN service for which to enter the packet data service configuration mode for the current context.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
pdsn-service name
no pdsn-service name
no
Indicates the packet data service specified is to be removed.
name
Specifies the name of the PDSN service to configure. If name does not refer to an existing service, the new service is created if resources allow. name must be from 1 to 63 alpha and/or numeric characters.
Usage
Enter the PDSN service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Example
The following command will enter the PDSN service configuration mode creating the service sampleService, if necessary.
pdsn-service sampleService
The following command will remove sampleService as being a defined PDSN service.
no pdsn-service sampleService
 
pgw-service
Creates a P-GW service or specifies an existing P-GW service and enters the P-GW service configuration mode for the current context.
Product
P-GW
Privilege
Administrator
Syntax
pgw-service service_name [ -noconfirm ]
no pgw-service service_name
service_name
Specifies the name of the P-GW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no pgw-service service_name
Removes the specified P-GW service from the context.
Usage
Enter the P-GW service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Entering this command results in the following prompt:
[context_name]hostname(config-pgw-service)#
P-GW Service Configuration Mode commands are defined in the P-GW Service Configuration Mode Commands chapter.
Use this command when configuring the following eHRPD and SAE components: P-GW.
Example
The following command enters the existing P-GW service configuration mode (or creates it if it doesn’t already exist) for the service named pgw-service1:
pgw-service pgw-service1
The following command will remove pgw-service1 from the system:
no pgw-service pgw-service1
 
policy
Enters an existing accounting policy or creates a new one where accounting parameters are configured.
Product
HSGW, P-GW, S-GW
Privilege
Administrator
Syntax
[ no ] policy accounting name
no
Removes the specified accounting policy from the context.
name
Specifies the name of the existing or new accounting policy. name must be from 1 to 63 alpha and/or numeric characters.
Usage
Use this command to enter the Accounting Policy Configuration mode to edit an existing accounting policy or configure a new policy.
Entering this command results in the following prompt:
[context_name]hostname(config-accounting-policy)#
Accounting Policy Configuration Mode commands are defined in the Accounting Policy Configuration Mode Commands chapter.
Example
The following command enters the Accounting Policy Configuration Mode for a policy named acct5:
policy accounting acct5
 
policy-group
This command creates or deletes a policy group and enters the Policy-Group configuration mode within the current destination context to apply flow-based traffic policing to a subscriber session flow.
Product
PDSN, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] policy-group name policy_group
no
Deletes the configured policy group within the context.
policy_group
Specifies the name of the Policy-Group. The name must be from 1 to 15 alpha and/or numeric characters in length and is case sensitive.
Usage
Use this command to form a policy group from a set of configured Policy-Maps. A policy group supports up to 16 policies for a subscriber session flow.
Example
The following command configures a policy group policy_group1 for a subscriber session flow:
policy-group name policy_group1
 
policy-map
This command creates or deletes a Policy-Map and enters the Traffic Policy-Map configuration mode within the current destination context to configure flow-based traffic policing for a subscriber session flow.
Product
PDSN, HA, ASN-GW
Privilege
Security Administrator, Administrator
Syntax
[ no ] policy-map name policy_name
no
Deletes the configured Policy-Map within the context.
policy_name
Specifies the name of the Policy-Map. The name must be from 1 to 15 alpha and/or numeric characters in length and is case sensitive.
Usage
Use this command to enter the Traffic Policy-Map configuration mode and to set the Class-Map and the corresponding traffic flow treatment for the traffic policy applied to a subscriber session flow.
Example
The following command configures a policy map policy1 where other flow treatments are configured:
policy-map name policy1
 
ppp
Configures point-to-point protocol parameters for the current context.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
ppp { acfc { receive { allow | deny } | transmit { apply | ignore | reject } } | auth-retry suppress-aaa-auth | chap fixed-challenge-length length | dormant send-lcp-terminate | echo-max-retransmissions num_retries | echo-retransmit-timeout msec | first-lcp-retransmit-timeout milliseconds | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay delay | lcp-terminate connect-state | lcp-terminate mip-lifetime-expiry | lcp-terminate mip-revocation | max-authentication-attempts num | max-configuration-nak num | max-retransmissions number | max-terminate number | mru packet_size | negotiate default-value-options | peer-authentication user_name [ [ encrypted ] password password ] | pfc { receive { allow | deny } | transmit { apply | ignore | reject } } | reject-peer-authentication | renegotiation retain-ip-address | retransmit-timeout milliseconds }
no ppp { auth-retry suppress-aaa-auth | chap fixed-challenge-length | dormant send-lcp-terminate | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay | lcp-terminate connect-state | reject-peer-authentication | renegotiation retain-ip-address }
default lcp-authentication-discard retry-alternate num_discard
default
Restores the system defaults for the specific command/keyword.
no ppp { auth-retry suppress-aaa-auth | chap fixed-challenge-length | dormant send-lcp-terminate | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay | lcp-terminate connect-state | lcp-terminate mip-lifetime-expiry | lcp-terminate mip-revocation | negotiate default-value-options | reject-peer-authentication | renegotiation retain-ip-address }
Disables, deletes, or resets the specified option.
In case of no ppp renegotiation retain-ip-address, the initially allocated IP address will be released and a new IP address will be allocated during PPP renegotiation.
acfc { receive { allow | deny } | transmit { apply | ignore | reject} }
Configures PPP Address and Control Field Compression (ACFC) parameters.
receive { allow | deny }
Default: allow
This keyword specifies whether to allow Address and Control Field Compressed PPP packets received from the Peer. During LCP negotiation, the local PPP side indicates whether it can handle ACFC compressed PPP packets.
When allow is specified, the local PPP side indicates that it can process ACFC compressed PPP packets and compressed packets are allowed. When deny is specified, the local PPP side indicates that it cannot handle ACFC compressed packets and compressed packets are not allowed.
transmit { apply | ignore | reject}
Default: ignore
Specifies how Address and Control Field Compression should be applied for PPP packets transmitted to the Peer. During LCP negotiation, the Peer indicates whether it can handle ACFC compressed PPP packets.
When apply is specified, if the peer requests ACFC, the request is accepted and ACFC is applied for transmitted PPP packets. When ignore is specified, if the peer requests ACFC, the request is accepted, but ACFC is not applied for transmitted PPP packets. When reject is specified, if the peer requests ACFC, the request is rejected and ACFC is not applied to transmitted packets.
auth-retry suppress-aaa-auth
Default: no auth-retry suppress-aaa-auth
This option does not allow PPP authentication retries to the AAA server after the AAA server has already authenticated a session. PPP locally stores the username and password, or challenge response, after a successful PPP authentication. If the Mobile Node retries the PAP request or CHAP-Response packet to the PDSN, PPP locally compares the incoming username, password or Challenge Response with the information stored from the previous successful authentication. If it matches, PAP ACK or CHAP Success is sent back to the Mobile Node, without performing AAA authentication. If the incoming information does not match with what is stored locally, then AAA authentication is attempted. The locally stored PPP authentication information is cleared once the session reaches a connected state.
Important: This option is not supported in conjunction with the GGSN product.
chap fixed-challenge-length length
Default: Disabled. PPP CHAP uses a random challenge length.
Normally PPP CHAP uses a random challenge length from 17 to 32 bytes. This command allows you to configure a specific fixed challenge length from 4 through 32 bytes.
length must be an integer from 4 through 32.
dormant send-lcp-terminate
Indicates a link control protocol (LCP) terminate message is enabled for dormant sessions.
Important: This option is not supported in conjunction with the GGSN product.
echo-max-retransmissions num_retries
Default: 3
Configures the maximum number of retransmissions of LCP ECHO_REQ before a session is terminated in an always-on session.
num_retries must be a value in the range of 1 to 16.
echo-retransmit-timeout msec
Default: 3000
Configures the timeout, in milliseconds, before trying LCP ECHO_REQ for an always-on session.
msec must be a value in the range of 100 to 5000.
first-lcp-retransmit-timeout milliseconds
Default: 3000
Specifies the number of milliseconds to wait before attempting to retransmit control packets. This value configures the first retry. All subsequent retries are controlled by the value configured for the ppp retransmit-timeout keyword.
milliseconds must be a value in the range 100 through 5000.
lcp-authentication-discard retry-alternate num_discard
Default: Disabled.
This keyword sets the number of discards of the authentication option during LCP negotiation after which retries start to allow the alternate authentication option.
num_discard must be an integer from 0 through 5. Recommended value is 2.
lcp-authentication-reject retry-alternate
Default: Disabled. No alternate authentication option will be retried.
Specifies the action taken if the authentication option is rejected during LCP negotiation: the system retries with the allowed alternate authentication option.
lcp-start-delay delay
Default: 0
The delay in milliseconds before link control protocol (LCP) is started. delay must be an integer from 0 through 5000.
lcp-terminate connect-state
This option enables sending an LCP terminate message to the Mobile Node when a PPP session is disconnected if the PPP session was already in a connected state.
Note that if the no keyword is used with this option, the PDSN must still send LCP Terminate in the event of an LCP/PCP negotiation failure or PPP authentication failure, which happens during connecting state.
Important: This option is not supported in conjunction with the GGSN product.
lcp-terminate mip-lifetime-expiry
This option configures the PDSN to send an LCP Terminate Request when a MIP Session is terminated due to MIP Lifetime expiry (default).
Note that if the no keyword is used with this option, the PDSN does not send an LCP Terminate Request when a MIP session is terminated due to MIP Lifetime expiry.
lcp-terminate mip-revocation
This option configures the PDSN to send an LCP Terminate Request when a MIP Session is terminated due to a Revocation being received from the HA (default).
Note that if the no keyword is used with this option, the PDSN does not send an LCP Terminate Request when a MIP session is terminated due to a Revocation being received from the HA.
max-authentication-attempts num
Default: 1
Configures the maximum number of PPP authentication attempts allowed.
num must be an integer in the range from 1 through 10.
max-configuration-nak num
Default: 10
This command configures the maximum number of consecutive configuration REJ/NAKs that can be sent during CP negotiations, before the CP is terminated.
num must be an integer in the range from 1 through 20.
max-retransmission number
Default: 5
Specifies the maximum number of times control packets will be retransmitted. number must be a value from 1 to 16.
max-terminate number
Default: 2
Sets the maximum number of PPP LCP Terminate Requests transmitted to the Mobile Node. number must be an integer from 0 through 16.
Important: This option is not supported in conjunction with the GGSN product.
mru packet_size
Default: 1500
Specifies the maximum packet size that can be received in bytes. packet_size must be an integer from 128 to 1500.
negotiate default-value-options
Default: Disabled
Enables the inclusion of configuration options with default values in PPP configuration requests.
The PPP standard states that configuration options with default values should not be included in Configuration Request (LCP, IPCP etc) packets. If the option is missing in the Configuration Request, the peer PPP assumes the default value for that configuration option.
When negotiate default-value-options is enabled, configuration options with default values are included in the PPP configuration Requests.
peer-authenticate user_name [ [ encrypted ] password password ]
Specifies the user name and an optional password required for point-to-point protocol peer connection authentications. user_name must be from 1 to 63 alpha and/or numeric characters. The keyword password is optional and if specified password must be from 1 to 63 alpha and/or numeric characters. The password specified must be in an encrypted format if the optional keyword encrypted was specified.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
pfc { receive { allow | deny } | transmit { apply | ignore | reject} }
Configures Protocol Field Compression (PFC) parameters.
receive { allow | deny }
Default: allow
This keyword specifies whether to allow Protocol Field Compression (PFC) for PPP packets received from the Peer. During LCP negotiation, the local PPP side indicates whether it can handle Protocol Field Compressed PPP packets.
When allow is specified, the peer is allowed to request PFC during LCP negotiation. When deny is specified, the Peer is not allowed to request PFC during LCP negotiation.
transmit { apply | ignore | reject}
Default: ignore
This keyword specifies how Protocol field Compression should be applied for PPP packets transmitted to the Peer. During LCP negotiation, the Peer indicates whether it can handle PFC compressed PPP packets.
When apply is specified, if the peer requests PFC, it is accepted and PFC is applied for transmitted PPP packets. When ignore is specified, if the peer requests PFC, it is accepted but PFC is not applied for transmitted packets. When reject is specified, all requests for PFC from the peer are rejected.
reject-peer-authentication
Default: Enabled
If disabled, re-enables the system to reject peer requests for authentication.
renegotiation retain-ip-address
Default: Enabled
If enabled, retains the currently allocated IP address for the session during PPP renegotiation (Simple IP) between the FA and the Mobile Node.
If disabled, the initially allocated IP address will be released and a new IP address will be allocated during PPP renegotiation.
retransmit-timeout milliseconds
Default: 3000
Specifies the number of milliseconds to wait before attempting to retransmit control packets. milliseconds must be a value in the range 100 through 5000.
Usage
Modify the context PPP options to ensure authentication and communication for PPP sessions have fewer dropped sessions.
Example
The following commands set various PPP options.
ppp dormant send-lcp-terminate
ppp max-retransmission 3
ppp peer-authenticate user1 password secretPwd
ppp peer-authenticate user1
ppp retransmit-timeout 1000
The following command disables the sending of LCP terminate messages for dormant sessions.
no ppp dormant send-lcp-terminate
 
ppp magic-number
This command manages magic number checking during LCP Echo message handling.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
ppp magic-number receive ignore
[ no | default ] ppp magic-number receive ignore
no
Disable the specified behavior.
default
Restores the system defaults for the specific command/keyword.
receive ignore
Default: Disabled.
Ignores the checking of magic number at PDSN during LCP Echo message handling.
If valid magic numbers were negotiated for the PPP endpoints during LCP negotiation and LCP Echo Request/Response messages have invalid magic numbers, enabling this command causes the system to skip magic number checking during LCP Echo message handling.
Usage
Use this command to allow the system to ignore an invalid magic number during LCP Echo Request/Response handling.
Example
The following command allows the invalid magic number during LCP Echo Request/Response negotiation:
ppp magic-number receive ignore
 
ppp statistics
This command changes the manner in which some PPP statistics are calculated.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
ppp statistics success-sessions { lcp-max-retry | misc-reasons | remote-terminated}
no ppp statistics success-sessions { lcp-max-retry | misc-reasons | remote-terminated}
no
Disable the specified behavior.
lcp-max-retry
Alters statistics calculations so that statistic ppp successful session is the sum of successful sessions and lcp-max-retry.
misc-reasons
Alters statistics calculations so that statistic ppp successful session is the sum of successful sessions and misc-reasons.
remote-terminated
Alters statistics calculations so that statistic ppp successful session is the sum of successful sessions and remote-terminated.
Usage
Use this command to alter how certain PPP statistics are calculated.
Caution: Use caution when using this command. This command alters the way that some PPP statistics are calculated. Please consult your designated service representative before using this command.
Example
The following command alters the statistic ppp successful session so that it displays the sum of successful sessions and lcp-max-retry:
ppp statistics success-sessions lcp-max-retry
The following command disables the alteration of the statistic ppp successful session:
no ppp statistics success-sessions lcp-max-retry
 
proxy-dns intercept-list
Enters the HA Proxy DNS Configuration Mode and defines a name of a redirect rules list for the domain name servers associated with a particular FA or group of FAs.
 
Important: HA Proxy DNS Intercept is a license-enabled feature.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
[ no ] proxy-dns intercept-list name
no
Removes the intercept list from the system.
proxy-dns intercept-list name
Defines the rules list and enters the Proxy DNS Configuration Mode.
name must be a string from 1 to 63 characters in length.
Usage
Use this command to define a name for a list of rules pertaining to the IP addresses associated with the foreign network’s DNS. Up to 128 rules of any type can be configured per rules list.
Upon entering the command, the system switches to the HA Proxy DNS Configuration Mode where the lists can be defined. Up to 64 separate rules lists can be configured in a single AAA context.
This command and the commands in the HA Proxy DNS Configuration Mode provide a solution to the Mobile IP problem that occurs when a MIP subscriber, with a legacy MN or MN that does not support IS-835D, receives a DNS server address from a foreign network that is unreachable from the home network. The following flow shows the steps that occur when this feature is enabled:
By configuring the Proxy DNS feature on the Home Agent, the foreign DNS address is intercepted and replaced with a home DNS address while the call is being handled by the home network.
Example
The following command creates a proxy DNS rules list named list1 and places the CLI in the HA Proxy DNS Configuration Mode:
proxy-dns intercept-list list1
 
radius accounting
Configures the current context’s RADIUS accounting function options.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius accounting { archive [ stop-only ] | deadtime dead_minutes | detect-dead-server { consecutive-failures count | keepalive | response-timeout seconds } | interim interval seconds | max-outstanding msgs | max-pdu-size octets | max-retries tries | max-transmissions trans | timeout idle_seconds | unestablished-sessions }
no radius accounting { archive | detect-dead-server | interim interval | max-transmissions | unestablished-sessions }
default radius accounting { deadtime | detect-dead-server | interim interval seconds | max-outstanding | max-pdu-size | max-retries | max-transmissions | timeout }
no
Removes earlier configuration for the specified keyword.
default
Configures this command with the default settings.
archive [ stop-only ]
Default: enabled
Enables archiving of RADIUS Accounting messages in the system after the accounting message has exhausted retries to all available RADIUS Accounting servers. All RADIUS Accounting messages generated by a session are delivered to the RADIUS Accounting server in serial. That is, previous RADIUS Accounting messages from the same call must be delivered and acknowledged by the RADIUS Accounting server before the next RADIUS Accounting message is sent to the RADIUS Accounting server.
stop-only specifies archiving of STOP accounting messages only.
deadtime dead_minutes
Default: 10
Specifies the number of minutes to wait before attempting to communicate with a server which has been marked as unreachable. dead_minutes must be an integer from 0 through 65535.
detect-dead-server { consecutive-failures count | keepalive | response-timeout seconds }
consecutive-failures count: Default: 4. Specifies the number of consecutive failures, for each AAA manager, before a server is marked as unreachable. count must be an integer from 0 through 1000.
keepalive: Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers. Default is disabled.
response-timeout seconds: Specifies the number of seconds for each AAA manager to wait for a response to any message before a server is detected as failed, or in a down state. seconds must be an integer from 1 through 65535.
Important: If both consecutive-failures and response-timeout are configured, then both parameters have to be met before a server is considered unreachable, or dead.
interim interval seconds
Default: Disabled
Specifies the time interval (in seconds) for sending accounting INTERIM-UPDATE records.
seconds must be an integer from 50 through 40000000.
Important: If RADIUS is used as the accounting protocol for the GGSN product, other commands are used to trigger periodic accounting updates. However, these commands would cause RADIUS STOP/START packets to be sent as opposed to INTERIM-UPDATE packets. Also note that accounting interim interval settings received from a RADIUS server take precedence over those configured on the system.
max-outstanding msgs
Default: 256
Specifies the maximum number of outstanding messages a single AAA manager instance will queue.
msgs must be an integer from 1 through 4000.
max-pdu-size octets
Default: 4096
Specifies the maximum sized packet data unit which can be accepted/generated in bytes (octets). octets must be an integer from 512 through 4096.
max-retries tries
Default: 5
Specifies the maximum number of times communication with a AAA server will be attempted before it is marked as unreachable and the detect dead servers consecutive failures count is incremented. tries must be an integer from 0 through 65535.
Once the maximum number of retries is reached this is considered a single failure for the consecutive failures count for detecting dead servers.
max-transmissions trans
Default: Disabled
Sets the maximum number of transmissions for a RADIUS Accounting message before the message is declared as failed. trans must be an integer from 1 through 65535.
timeout seconds
Default: 3
Specifies the amount of time to wait for a response from a RADIUS server before retransmitting a request. seconds must be an integer from 1 through 65535.
unestablished-sessions
Indicates RADIUS STOP events are to be generated for sessions which were initiated but never fully established.
Usage
Manage the RADIUS accounting options according to the RADIUS server used for the context.
Example
The following commands specify accounting options.
radius accounting detect-dead-server consecutive-failures 5
radius accounting max-pdu-size 1024
radius accounting timeout 16
The following commands disable/clear the options.
no radius accounting interim interval 10
no radius accounting unestablished-sessions
 
radius accounting algorithm
This command specifies the fail-over/load-balancing algorithm to select the RADIUS accounting server(s) to which accounting data must be sent.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius accounting algorithm { first-n n | first-server | round-robin }
default radius accounting algorithm
default
Configures this command with the default settings.
Default: first-server
first-n n
Default: 1 (Disabled)
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. The full set of accounting data is sent to each of the n AAA servers. Response from any one of the servers would suffice to proceed with the call. On receiving an ACK from any one of the servers, all retries are stopped.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128.
first-server
Specifies that the context must send accounting data to the RADIUS server with the highest configured priority. In the event that this server becomes unreachable, accounting data is sent to the server with the next-highest configured priority. This is the default algorithm.
round-robin
Specifies that the context must load balance sending accounting data among all of the defined RADIUS servers. Accounting data is sent in a circular queue fashion on a per Session Manager task basis, where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.
Usage
Use this command to specify the algorithm to select the RADIUS accounting server(s) to which accounting data must be sent.
Example
The following command specifies to use the round-robin algorithm to select the RADIUS server:
radius accounting algorithm round-robin
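The following Python model is an added illustration, not vendor code. It combines the failure counting described under radius accounting (a message that exhausts max-retries counts as one failure, consecutive-failures failures mark the server unreachable for deadtime minutes) with the first-server, round-robin and first-n selection described here. All class and function names are hypothetical, and it assumes a single AAA manager, serial delivery, and that an acknowledged message resets the failure count.

```python
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    priority: int                   # 1 is the highest priority
    consecutive_failures: int = 0
    dead_until: float = 0.0         # seconds; the server is skipped before this time


class AccountingSelector:
    """Hypothetical model of one context's accounting server selection."""

    def __init__(self, servers, algorithm="first-server", first_n=2,
                 consecutive_failures=4, deadtime_minutes=10):
        # The list order follows the configured relative priority.
        self.servers = sorted(servers, key=lambda s: s.priority)
        self.algorithm = algorithm
        self.first_n = first_n
        self.limit = consecutive_failures       # detect-dead-server consecutive-failures
        self.deadtime = deadtime_minutes * 60   # radius accounting deadtime
        self.rr_index = 0

    def reachable(self, now):
        return [s for s in self.servers if now >= s.dead_until]

    def select(self, now):
        """Return the server(s) that receive the next accounting message."""
        alive = self.reachable(now)
        if not alive:
            return []
        if self.algorithm == "first-server":
            return alive[:1]                    # fail over by priority
        if self.algorithm == "first-n":
            return alive[:self.first_n]         # full data to each; any ACK suffices
        if self.algorithm == "round-robin":
            total = len(self.servers)
            for step in range(total):
                idx = (self.rr_index + step) % total
                if now >= self.servers[idx].dead_until:
                    self.rr_index = (idx + 1) % total
                    return [self.servers[idx]]
        raise ValueError("unknown algorithm: " + self.algorithm)

    def record_result(self, server, acked, now):
        """Record one message outcome after all max-retries attempts were made."""
        if acked:
            server.consecutive_failures = 0     # assumption: success resets the count
            return
        server.consecutive_failures += 1
        if server.consecutive_failures >= self.limit:
            server.dead_until = now + self.deadtime
            server.consecutive_failures = 0


def worst_case_detection_seconds(timeout=3, max_retries=5, consecutive_failures=4):
    """Seconds before a silent server is marked unreachable, under the assumptions above."""
    return timeout * max_retries * consecutive_failures


if __name__ == "__main__":
    sel = AccountingSelector([Server("A", 1), Server("B", 2), Server("C", 3)])
    for _ in range(4):
        sel.record_result(sel.servers[0], acked=False, now=0)
    print([s.name for s in sel.select(now=1)])      # failover while A is dead
    print(worst_case_detection_seconds())
```

With the documented defaults the model takes a full minute of silence before it fails over, which is the window in which accounting records depend on the archive setting.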
 
radius accounting apn-to-be-included
Configures the APN name to be included for RADIUS accounting.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
radius accounting apn-to-be-included { gi | gn }
default radius accounting apn-to-be-included
default
Configures this command with the default settings.
gi
Specifies the usage of Gi APN name in the RADIUS accounting request. Gi APN represents the APN received in the Create PDP context request message from the SGSN.
gn
Specifies the usage of Gn APN name in the RADIUS accounting request. Gn APN represents the APN selected by the GGSN.
Usage
Use this command to configure the APN name for RADIUS Accounting. This can be set to either gi or gn.
Example
The following command specifies the usage of Gn APN name in the RADIUS accounting request:
radius accounting apn-to-be-included gn
 
radius accounting billing-version
This command configures billing-system version of RADIUS accounting servers.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius accounting billing-version version
default radius accounting billing-version
default
Configures this command with the default setting.
Default: 0
version
Specifies the billing-system version, and must be an integer from 0 through 4294967295.
Usage
Use this command to configure the billing-system version of RADIUS accounting servers.
Example
The following command configures the billing-system version of RADIUS accounting servers as 10:
radius accounting billing-version 10
 
radius accounting gtp trigger-policy
This command configures the RADIUS accounting trigger policy for GTP messages.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
radius accounting gtp trigger-policy [ standard | ggsn-preservation-mode ]
default radius accounting gtp trigger-policy
default
Resets the RADIUS accounting trigger policy to standard behavior for GTP session.
standard
This keyword sets the RADIUS accounting trigger policy to standard behavior which is configured for GTP session for GGSN service.
ggsn-preservation-mode
This keyword sends RADIUS Accounting Start when the GTP message with private extension of preservation mode is received from SGSN.
Important: This is a customer-specific keyword and needs a customer-specific license to use this feature. For more information on GGSN preservation mode, refer to the GGSN Service Mode Commands chapter.
Usage
Use this command to set the trigger policy for the AAA accounting for a GTP session.
Example
The following command sets the RADIUS accounting trigger policy for GTP session to standard:
default radius accounting gtp trigger-policy
 
radius accounting ha policy
Configures the RADIUS accounting policy for HA sessions.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
radius accounting ha policy { session-start-stop | custom1-aaa-res-mgmt }
session-start-stop
Specifies to send Accounting Start when the session is connected, and send Accounting Stop when the session is disconnected. This is the default behavior.
custom1-aaa-res-mgmt
Accounting Start/Stop messages are generated to assist special resource management done by AAA servers. It is similar to the session-start-stop accounting policy, except for the following differences:
Usage
Use this command to set the behavior of the AAA accounting for an HA session.
Example
Use the following command to set the HA accounting policy to custom1-aaa-res-mgmt:
radius accounting ha policy custom1-aaa-res-mgmt
 
radius accounting interim volume
This command configures the uplink and downlink volume octet counts that trigger RADIUS interim accounting.
Product
GGSN, PDSN, HA
Privilege
Security Administrator, Administrator
Syntax
radius accounting interim volume { downlink bytes uplink bytes | total bytes | uplink bytes downlink bytes }
no radius accounting interim volume
no
Disables volume based RADIUS accounting.
downlink bytes uplink bytes
Specifies the downlink to uplink volume limit for RADIUS Interim accounting, in bytes.
bytes must be an integer from 100000 through 4000000000.
total bytes
Specifies the total volume limit for RADIUS interim accounting in bytes.
bytes must be an integer from 100000 through 4000000000.
uplink bytes downlink bytes
Specifies the uplink to downlink volume limit for RADIUS interim accounting in bytes.
bytes must be an integer from 100000 through 4000000000.
Usage
Use this command to trigger RADIUS interim accounting based on the volume of uplink and downlink bytes.
Example
The following command triggers RADIUS interim accounting when the total volume of uplink and downlink bytes reaches 110000:
radius accounting interim volume total 110000
 
radius accounting ip remote-address
This command configures IP remote address-based RADIUS accounting parameters.
Product
PDSN, HA
Privilege
Security Administrator, Administrator
Syntax
[ no ] radius accounting ip remote-address { collection | list list_id }
no
Removes earlier configuration for the specified keyword.
collection
Enables collecting and reporting Remote-Address-Based accounting in RADIUS Accounting. This should be enabled in the AAA Context. It is disabled by default.
list list_id
Enters the Remote Address List configuration mode. This mode configures a list of remote addresses that can be referenced by the subscriber's profile.
list_id must be an integer from 1 through 65535.
Usage
This command is used as part of the Remote Address-based Accounting feature to both configure remote IP address lists and enable the collection of accounting data for the addresses in those lists on a per-subscriber basis.
Individual subscribers can be associated with remote IP address lists through the configuration/specification of an attribute in their local or RADIUS profile. (Refer to the radius accounting command in the Subscriber Configuration mode.) When configured/specified, accounting data is collected pertaining to the subscriber’s communication with any of the remote addresses specified in the list.
Once this functionality is configured on the system and in the subscriber profiles, it must be enabled by executing this command with the collection keyword.
Example
radius accounting ip remote-address collection
 
radius accounting keepalive
Configures the keepalive authentication parameters for the RADIUS accounting server.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius accounting keepalive { calling-station-id id | consecutive-response number | framed-ip-address ip_address | interval seconds | retries number | timeout seconds | username name }
no radius accounting keepalive framed-ip-address
default radius accounting keepalive { calling-station-id | consecutive-response | interval | retries | timeout | username }
no
Removes configuration for the specified keyword.
default
Configures this command with the default settings.
calling-station-id id
Configures the Calling-Station-Id to be used for the keepalive authentication.
id must be an alpha and/or numeric string of 1 through 15 characters in length.
Default: 000000000000000
consecutive-response number
Configures the number of consecutive authentication responses after which the server is marked as reachable.
number must be an integer from 1 through 5.
Default: 1
framed-ip-address ip_address
Configures the framed-ip-address to be used for the keepalive accounting.
ip_address must be specified using the standard IPv4 dotted decimal notation.
interval seconds
Configures the time interval between the two keepalive access requests.
Default: 30 seconds
retries number
Configures the number of times the keepalive access request is sent before the server is marked as unreachable.
number must be an integer from 3 through 10.
Default: 3
timeout seconds
Configures the time interval between keepalive access request retries.
seconds must be an integer from 1 through 30.
Default: 3
username name
Configures the username to be used for the authentication.
name must be an alpha and/or numeric string of 1 through 127 characters in length.
Default: Test-Username
Usage
Configures the keepalive authentication parameters for the RADIUS accounting server.
Example
The following command sets the username for the radius keepalive access requests:
radius accounting keepalive username Test-Username2
The following command sets the number of retries to 4.
radius accounting keepalive retries 4
 
radius accounting rp
Configures the current context’s RADIUS accounting R-P originated call options.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
radius accounting rp { handoff-stop { immediate | wait-active-stop } | tod minute hour | trigger-event { active-handoff | active-start-param-change | active-stop } | trigger-policy { airlink-usage [ counter-rollover ] | custom [ active-handoff | active-start-param-change | active-stop ] | standard } | trigger-stop-start }
no radius accounting rp { tod minute hour | trigger-event { active-handoff | active-start-param-change | active-stop } | trigger-stop-start }
default radius accounting rp { handoff-stop | trigger-policy }
no
Removes earlier configuration for the specified keyword.
default
Configures this command with the default settings.
handoff-stop { immediate | wait-active-stop }
Default: wait-active-stop
Specifies the behavior of generating accounting STOP when handoff occurs.
immediate: Indicates that accounting STOP should be generated immediately on handoff, that is, without waiting for active-stop from the old PCF.
wait-active-stop: Indicates that accounting STOP is generated only when active-stop is received from the old PCF when handoff occurs.
tod minute hour
Specifies the time of day a RADIUS event is to be generated for accounting. Up to four different times of the day may be specified through separate commands.
minute must be an integer from 0 through 59.
hour must be an integer from 0 through 23.
trigger-event { active-handoff | active-start-param-change | active-stop }
Default: active-handoff: Disabled
active-start-param-change: Enabled
active-stop: Disabled
Configures the events for which a RADIUS event is generated for accounting as one of the following:
active-handoff: Disables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF Handoff occurs. Instead, two R-P events occur (one for the Connection Setup, and the second for the Active-Start).
active-start-param-change: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
active-stop: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
Important: This keyword has been obsoleted by the trigger-policy keyword. Note that if this command is used, the radius accounting rp configuration is represented in terms of the trigger-policy when the context configuration is displayed.
trigger-policy { airlink-usage [ counter-rollover ] | custom [ active-handoff | active-start-param-change | active-stop ] | standard }
Default: airlink-usage: Disabled
custom:
active-handoff = Disabled
active-start-param-change = Disabled
active-stop = Disabled
standard: Enabled
Configures the overall accounting policy for R-P sessions as one of the following:
airlink-usage [ counter-rollover ]: Designates the use of Airlink-Usage RADIUS accounting policy for R-P, which generates a start on Active-Starts, and a stop on Active-Stops.
If the counter-rollover option is enabled, the system generates a STOP/START pair before input/output data octet counts (or input/output data packet counts) become larger than (2^32 - 1) in value. This setting is used to guarantee that a 32-bit octet count in any STOP message has not wrapped to larger than 2^32, thus ensuring the accuracy of the count. The system may, at its discretion, send the STOP/START pair at any time, so long as it does so before the 32-bit counter has wrapped. Note that a STOP/START pair is never generated unless the subscriber RP session is in the Active state, since octet/packet counts are not accumulated when in the Dormant state.
custom: Specifies the use of custom RADIUS accounting policy for R-P. The custom policy can consist of the following:
active-handoff: Enables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF Handoff occurs. Normally two R-P events will occur (one for the Connection Setup, and the second for the Active-Start).
active-start-param-change: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
Important: Note that a custom trigger policy with only active-start-param-change enabled is identical to the standard trigger-policy.
active-stop: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
Important: If the radius accounting rp trigger-policy custom command is executed without any of the optional keywords, all custom options are disabled.
standard: Specifies the use of Standard RADIUS accounting policy for R-P in accordance with IS-835B.
trigger-stop-start
Specifies that a stop/start RADIUS accounting pair should be sent to the RADIUS server when an applicable R-P event occurs.
Usage
Use this command to configure the events for which a RADIUS event is sent to the server when the accounting procedures vary between servers.
Example
The following command enables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF:
radius accounting rp trigger-event active-stop
The following command generates the STOP only when active-stop is received from the old PCF when handoff occurs:
default radius accounting rp handoff-stop
 
radius accounting server
Configures RADIUS accounting server(s) in the current context for accounting.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius [ mediation-device ] accounting server ip_address [ encrypted ] key value [ acct-on { enable | disable } ] [ acct-off { enable | disable } ] [ max msgs ] [ oldports ] [ port port_number ] [ priority priority ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius [ mediation-device ] accounting server ip_address [ oldports | port port_number ]
no
Removes the server or server port(s) specified from the list of configured servers.
mediation-device
Enables mediation-device specific AAA transactions used to communicate with this RADIUS server.
Important: If this option is not used, the system, by default, enables standard AAA transactions.
ip_address
Specifies the IP address of the accounting server. ip_address must be specified in dotted decimal notation for IPv4 or colon notation for IPv6. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be a string of 1 to 15 alpha and/or numeric characters or a string of 1 to 30 alpha and/or numeric characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
acct-on { enable | disable }
Default: disable
Enables and disables sending of the Accounting-On message when a new RADIUS server is added to the configuration.
When enabled, the Accounting-On message is sent when a new RADIUS server is added in the configuration. However, if for some reason the Accounting-On message cannot be sent at the time of server configuration (for example, if the interface is down), then the message is sent as soon as possible. Once the Accounting-On message is sent, if it is not responded to after the configured RADIUS accounting timeout, the message is retried the configured number of RADIUS accounting retries. Once all retries have been exhausted, the system no longer attempts to send the Accounting-On message for this server.
acct-off { enable | disable }
Default: enable
Disables and enables the sending of the Accounting-Off message when a RADIUS server is removed from the configuration.
The Accounting-Off message is sent when a RADIUS server is removed from the configuration, or when there is an orderly shutdown. However, if for some reason the Accounting-On message cannot be sent at this time, it is never sent. The Accounting-Off message is sent only once, regardless of how many accounting retries are enabled.
max msgs
Default: 0
Specifies the maximum number of outstanding messages that may be allowed to the server. msgs must be an integer from 1 through 256.
oldports
Sets the UDP communication port to 1646, the out-of-date standardized default for RADIUS communications.
port port_number
Default: 1813
Specifies the port number to use for communications. port_number must be an integer from 0 through 65535.
priority priority
Default: 1000
Specifies the relative priority of this accounting server. The priority is used in server selection for determining which server to send accounting data to. priority must be an integer from 1 through 1000, where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
type { mediation-device | standard }
Default: standard
mediation-device: Obsolete keyword.
Specifies the type of AAA transactions to use to communicate with this RADIUS server.
standard: Use standard AAA transactions.
admin-status { enable | disable }
Enables or disables the RADIUS { authentication | accounting | charging } server functionality and saves the status setting in the configuration file to re-establish the set status at reboot.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Usage
This command is used to configure the RADIUS accounting servers with which the system is to communicate for accounting.
Up to 128 RADIUS servers can be configured per context. The servers can be configured as Accounting, Authentication, charging servers, or any combination thereof.
Example
radius accounting server 1.2.3.4 key sharedKey port 1024 max 127
radius accounting server 1.2.5.6 encrypted key scrambledKey oldports priority 10
no radius accounting server 1.2.5.6
The following command sets the accounting server with mediation device transaction for AAA server 1.2.4.6:
radius mediation-device accounting server 1.2.3.4 key sharedKey port 1024 max 127
 
radius algorithm
Configures the RADIUS authentication server selection algorithm for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius algorithm { first-server | round-robin }
default radius algorithm
default
Configures this command with the default settings.
first-server | round-robin
Default: first-server
first-server: Authentication data is sent to the first available server based upon the relative priority of each configured server.
round-robin: Authentication data is sent in a circular queue fashion on a per Session Manager task basis where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.
Usage
Set the context’s RADIUS server selection algorithm to ensure proper load distribution through the servers available.
Example
radius algorithm first-server
radius algorithm round-robin
 
radius allow
Sets the system behavior for allowing subscriber sessions when RADIUS accounting and/or authentication is unavailable.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] radius allow { accounting-down | authentication-down }
no
Removes earlier configuration for the specified keyword.
authentication-down
Default: Disabled
Allows sessions while authentication is not available (down).
accounting-down
Default: Enabled
Allows sessions while accounting is unavailable (down).
Usage
Allow sessions during system troubles when the risk of IP address and/or subscriber spoofing is minimal. Denying sessions may cause dissatisfaction among subscribers, while allowing them comes at the expense of verification and/or accounting data.
Example
radius allow authentication-down
no radius allow authentication-down
radius allow accounting-down
no radius allow accounting-down
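The following Python sketch is an added example, not vendor tooling. It audits one context's configuration lines for settings from this chapter that weaken AAA assurance: fail-open authentication, disabled authenticator validation, disabled archiving, a shared secret saved without the encrypted flag, and the legacy port. The sample configuration is constructed from the examples in this chapter, and the function names and finding codes are hypothetical.

```python
# Constructed sample of Context Configuration Mode lines (syntax from this chapter).
SAMPLE_CONFIG = """\
radius accounting server 1.2.3.4 key sharedKey port 1024 max 127
radius accounting server 1.2.5.6 encrypted key scrambledKey oldports priority 10
radius allow authentication-down
radius accounting timeout 16
no radius authenticator-validation
radius allow accounting-down
"""

# Defaults as documented in this chapter.
DEFAULTS = {"auth_down": False, "validation": True, "archive": True}


def parse_server(tokens):
    """Parse the arguments that follow 'accounting server'."""
    ip, rest = tokens[0], tokens[1:]
    encrypted = bool(rest) and rest[0] == "encrypted"
    if encrypted:
        rest = rest[1:]
    # rest is now: key <value> [options...]; the key value is never stored.
    options = rest[2:] if rest[:1] == ["key"] else rest
    return ip, {"encrypted": encrypted, "oldports": "oldports" in options}


def audit(config_text):
    """Return (code, detail) findings for the effective state of the context."""
    state = dict(DEFAULTS)
    servers = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        prefix = tokens[0] if tokens[0] in ("no", "default") else ""
        if prefix:
            tokens = tokens[1:]
        if tokens[:1] != ["radius"]:
            continue
        args = tokens[1:]
        if args[:1] == ["mediation-device"]:
            args = args[1:]

        def toggle(key):
            # Later lines override earlier ones; 'default' restores the default.
            state[key] = DEFAULTS[key] if prefix == "default" else prefix != "no"

        if args[:2] == ["allow", "authentication-down"]:
            toggle("auth_down")
        elif args[:1] == ["authenticator-validation"]:
            toggle("validation")
        elif args[:2] == ["accounting", "archive"]:
            toggle("archive")
        elif args[:2] == ["accounting", "server"] and len(args) > 2:
            if prefix == "no":
                servers.pop(args[2], None)   # simplification: drop the whole server
            else:
                ip, info = parse_server(args[2:])
                servers[ip] = info

    findings = []
    if state["auth_down"]:
        findings.append(("AUTH_FAIL_OPEN",
                         "sessions are allowed while RADIUS authentication is down"))
    if not state["validation"]:
        findings.append(("VALIDATION_OFF", "MD5 authenticator validation is disabled"))
    if not state["archive"]:
        findings.append(("ARCHIVE_OFF",
                         "accounting messages are not archived after retries are exhausted"))
    for ip, info in sorted(servers.items()):
        if not info["encrypted"]:
            findings.append(("PLAINTEXT_KEY", f"shared secret for {ip} is not flagged encrypted"))
        if info["oldports"]:
            findings.append(("LEGACY_PORT", f"{ip} uses the out-of-date port 1646"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```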
 
radius attribute
Configures the system’s RADIUS identification parameters.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius attribute { nas-identifier id | nas-ip-address address primary_address [ backup second_address ] [ nexthop-forwarding-address nexthop_address ] [ vlan vlan_id ] [ mpls-label input in_label_value output out_label_value1 [ out_label_value2 ] ] }
no radius attribute { nas-identifier | nas-ip-address }
default radius attribute nas-identifier
no
Removes earlier configuration for the specified keyword.
default
Configures this command with the default settings.
nas-identifier id
Specifies the attribute name by which the system will be identified in Access-Request messages. id must be a case-sensitive alpha and/or numeric string of 1 through 32 characters in length.
nas-ip-address address primary_address
Specifies the AAA interface IP address(es) to be used to identify the system. Up to two addresses can be configured.
primary_address : The IP address of the primary interface to use in the current context. This must be specified in dotted decimal notation for IPv4 or colon notation for IPv6.
backup second_address
Specifies the IP address of the secondary interface to use in the current context. This must be in dotted decimal notation for IPv4 or colon notation for IPv6.
mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]
This command configures the traffic from the specified AAA client NAS IP address to use the specified MPLS labels.
in_label_value is the MPLS label that identifies inbound traffic destined for the configured NAS IP address.
out_label_value1 & out_label_value2 identify the MPLS labels to be added to the packets sent from the specified NAS IP address.
out_label_value1 is the inner output label.
out_label_value2 is the outer output label.
MPLS label values must be an integer from 16 to 1048575.
nexthop-forwarding-address nexthop_address
Configures the next hop IP address for this NAS IP address.
nexthop_address must be an IPv4 address or an IPv6 address in standard format.
vlan vlan_id
Configures VLAN ID to be associated with the next-hop IP address.
vlan_id must be an integer from 1 through 4094.
Usage
This is necessary for NetWare Access Server usage, as the system must be identified to the NAS.
The system supports the concept of the active nas-ip-address. The active nas-ip-address is defined as the current source ip address for RADIUS messages being used by the system. This is the content of the nas-ip-address attribute in each RADIUS message.
The system will always have exactly one active nas-ip-address. The active nas-ip-address will start as the primary nas-ip-address. However, the active nas-ip-address may switch from the primary to the backup, or the backup to the primary. The following events will occur when the active nas-ip-address is switched:
The system uses a revertive algorithm when transitioning active NAS IP addresses as described below:
Example
radius attribute nas-ip-address 1.2.3.4
no radius attribute nas-identifier sampleID
 
radius authenticate
Enables (allows) and disables (prevents) the authentication of user names that are blank or empty. This is enabled by default.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
[ no | default ] radius authenticate null-username
default
Configures this command with the default setting, which is to authenticate all user names, including NULL user names, by sending Access-Request messages to the AAA server.
no
Disables sending an Access-Request message to the AAA server for user names (NAI) that are blank.
Usage
Use this command to disable, or re-enable, sending Access-Request messages to the AAA server for user names (NAI) that are blank (NULL).
Example
To disable sending Access-Request messages for user names (NAI) that are blank, enter the following command:
no radius authenticate null-username
To re-enable sending Access-Request messages for user names (NAI) that are blank, enter the following command:
radius authenticate null-username
 
radius authenticate apn-to-be-included
Configures the APN name to be included for RADIUS authentication.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
[ default ] radius authenticate apn-to-be-included { gi | gn }
default
Configures this command with the default settings.
gi
Specifies the usage of Gi APN name in the RADIUS authentication request. Gi APN represents the APN received in the Create PDP context request message from the SGSN.
gn
Specifies the usage of Gn APN name in the RADIUS authentication request. Gn APN represents the APN selected by the GGSN.
Usage
Use this command to configure the APN name for RADIUS authentication. This can be set to either gi or gn.
Example
The following command specifies the usage of Gn APN name in the RADIUS authentication request.
radius authenticate apn-to-be-included gn
 
radius authenticator-validation
Enables (allows) and disables (prevents) the MD5 authentication of RADIUS users. This is enabled by default.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
[ no | default ] radius authenticator-validation
no
Disables MD5 authentication validation for an Access-Request message to the AAA server.
default
Enables MD5 authentication validation for an Access-Request message to the AAA server.
no
Disable sending an Access-Request message to the AAA server for usernames (NAI) that are blank.
Usage
Use this command to disable, or re-enable, sending Access-Request messages to the AAA server for MD5 validation.
Example
To disable MD5 authentication validation for Access-Request messages for usernames (NAI), enter the following command:
no radius authenticator-validation
To enable MD5 authentication validation for Access-Request messages for usernames (NAI), enter the following command:
radius authenticator-validation
 
radius change-authorize-nas-ip
Defines the NAS IP address and UDP port on which the current context will listen for Change of Authorization (COA) messages and Disconnect Messages (DM). If the NAS IP address is not defined with this command, any COA or DM messages from the RADIUS server are returned with a Destination Unreachable error.
Product
PDSN, FA, HA, GGSN, LNS
Privilege
Security Administrator, Administrator
Syntax
[ no ] radius change-authorize-nas-ip ip_address [ encrypted ] key value [ port port ] [ event-timestamp-window window ] [ no-nas-identification-check ] [ no-reverse-path-forward-check ] [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] ]
no
Deletes the NAS IP address information which disables the system from receiving and responding to COA and DM messages from the RADIUS server.
ip_address
Specifies the NAS IP address of the current context’s AAA interface that was defined with the radius attribute command.
ip_address can either be an IPv4 address expressed in dotted decimal notation, or an IPv6 address expressed in colon notation.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be a string of 1 to 15 alpha and/or numeric characters or a string of 1 to 30 alpha and/or numeric characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
port port
Default: 3799
The UDP port on which to listen for COA and DM messages.
event-timestamp-window window
Default: 300 seconds
window must be an integer from 0 through 4294967295.
When a COA or DM request is received with an event-time-stamp, if the current-time is greater than received-pkt-event-time-stamp plus event-time-stamp-window, the packet is silently discarded.
When a COA or DM request is received without the event-timestamp attribute, the packet is silently discarded.
If window is specified as 0 (zero), this feature is disabled; the event-time-stamp attribute in COA or DM messages is ignored and the event-time-stamp attribute is not included in NAK or ACK messages.
no-nas-identification-check
Disables the context from checking the NAS Identifier/NAS IP Address while receiving the CoA/DM requests.
By default this check is enabled.
no-reverse-path-forward-check
Disables the context from checking whether received COA or DM packets are from one of the AAA servers configured in the current context. Only the src-ip address in the received COA or DM request is validated and the port and key are ignored.
reverse-path-forward-check is enabled by default.
When reverse-path-forward-check is disabled, CoA and DM messages are accepted from any AAA server.
mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]
This command configures COA traffic to use the specified MPLS labels.
in_label_value is the MPLS label that identifies inbound COA traffic.
out_label_value1 and out_label_value2 identify the MPLS labels to be added to the COA response.
out_label_value1 is the inner output label.
out_label_value2 is the outer output label.
Each MPLS label value must be an integer from 16 to 1048575.
Usage
Use this command to enable the current context to listen for COA and DM messages.
Any one of the following RADIUS attributes may be used to identify the subscriber:
3GPP-IMSI: The IMSI of the subscriber. It may include the 3GPP-NSAPI attribute to delete a single PDP context rather than all of the PDP contexts of the subscriber when used with the GGSN product.
Framed-IP-address: The IP address of the subscriber.
Acct-Session-Id: Identifies a subscriber session or PDP context.
Important: For the GGSN product, the value for Acct-Session-Id that is mandated by 3GPP is used instead of the special value for Acct-Session-Id that we use in the RADIUS messages we exchange with a RADIUS accounting server.
Important: When this command is used in conjunction with the GGSN, CoA functionality is not supported.
Example
Specify the IP address 192.168.100.10 as the NAS IP address, a key value of 123456 and use the default port of 3799, by entering the following command:
radius change-authorize-nas-ip 192.168.100.10 key 123456
The following command disables the nas-identification-check for the above parameters:
radius change-authorize-nas-ip 192.168.100.10 key 123456 no-nas-identification-check
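The checks described for this command can be illustrated offline. The following Python sketch is an added example, not code from the system or its vendor. It applies the event-timestamp-window rules stated above to a constructed Disconnect-Request and, as assumptions taken from RFC 5176 rather than from this page, verifies the MD5 Request Authenticator with the shared key and treats a missing or different NAS-IP-Address as a failed NAS identification check. All function names and sample values are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import struct

DISCONNECT_REQUEST = 40      # RFC 5176 packet codes
COA_REQUEST = 43
ATTR_NAS_IP_ADDRESS = 4      # RADIUS attribute types
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_EVENT_TIMESTAMP = 55


def build_request(code, identifier, attrs, secret):
    """Build a CoA/DM request; used here only to construct sample input."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    # RFC 5176: MD5(Code + Id + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_attributes(body):
    """Return {type: value} (first occurrence); raise ValueError on bad TLVs."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[i], body[i + 1]
        if attr_len < 2 or i + attr_len > len(body):
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, body[i + 2:i + attr_len])
        i += attr_len
    return attrs


def validate_coa_dm(packet, secret, now, window=300, nas_ip=None):
    """Return (accepted, reason) for a received CoA or DM request.

    window mirrors event-timestamp-window (0 disables the check);
    nas_ip=None mirrors no-nas-identification-check.
    """
    if len(packet) < 20:
        return False, "short packet"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, "not a CoA/DM request"
    if length < 20 or length > len(packet):
        return False, "bad length"
    packet = packet[:length]
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad authenticator"
    try:
        attrs = parse_attributes(body)
    except ValueError as exc:
        return False, str(exc)
    if window != 0:
        raw_ts = attrs.get(ATTR_EVENT_TIMESTAMP)
        if raw_ts is None or len(raw_ts) != 4:
            return False, "missing event-timestamp"   # silently discarded
        sent = struct.unpack("!I", raw_ts)[0]
        if now > sent + window:                        # rule as stated above
            return False, "stale event-timestamp"      # silently discarded
    if nas_ip is not None:
        raw_ip = attrs.get(ATTR_NAS_IP_ADDRESS)
        # Assumption: an absent NAS-IP-Address also fails the check.
        if raw_ip is None or len(raw_ip) != 4 or \
                ipaddress.IPv4Address(raw_ip) != ipaddress.IPv4Address(nas_ip):
            return False, "NAS-IP-Address mismatch"
    return True, "ok"


# Constructed sample values; key and NAS IP are taken from the example above.
SECRET = b"123456"
NAS_IP = "192.168.100.10"
SAMPLE_TS = 1_700_000_000
SAMPLE_ATTRS = [
    (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(NAS_IP).packed),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.5").packed),
    (ATTR_EVENT_TIMESTAMP, struct.pack("!I", SAMPLE_TS)),
]

if __name__ == "__main__":
    pkt = build_request(DISCONNECT_REQUEST, 7, SAMPLE_ATTRS, SECRET)
    for delay in (10, 300, 301):
        print(delay, validate_coa_dm(pkt, SECRET, SAMPLE_TS + delay, nas_ip=NAS_IP))
    print("window 0:", validate_coa_dm(pkt, SECRET, SAMPLE_TS + 301, window=0))
```

With the default window of 300 seconds, a captured request replayed 301 seconds after its Event-Timestamp is dropped, while the same replay is accepted when the window is set to 0.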
 
radius charging
Configures basic RADIUS options for Active Charging Services.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no | default ] radius charging { deadtime dead_minutes | detect-dead-server { consecutive-failures count | response-timeout seconds } | max-outstanding msgs | max-retries tries | max-transmissions transmissions | timeout idle_seconds }
no
Removes configuration for the specified keyword.
default
Configures this command with the default settings.
deadtime dead_minutes
Default: 10
Specifies the number of minutes to wait before attempting to communicate with a server which has been marked as unreachable. dead_minutes must be an integer from 0 through 65535.
detect-dead-server { consecutive-failures count | response-timeout seconds }
consecutive-failures count: Default: 4. Specifies the number of consecutive failures, for each AAA manager, before a server is marked as unreachable. count must be an integer from 0 through 1000.
response-timeout seconds: Specifies the number of seconds for each AAA manager to wait for a response to any message before a server is detected as failed, or in a down state.
max-outstanding msgs
Default: 256
Specifies the maximum number of outstanding messages a single AAA manager instance will queue.
msgs must be an integer from 1 through 4000.
max-retries tries
Default: 5
Specifies the maximum number of times communication with a AAA server will be attempted before it is marked as unreachable and the detect dead servers consecutive failures count is incremented. tries must be an integer from 0 through 65535.
max-transmissions transmissions
Default: Disabled
Sets the maximum number of re-transmissions for RADIUS authentication requests. This limit is used in conjunction with the max-retries for each server.
When failing to communicate with a RADIUS server, the subscriber is failed once all of the configured RADIUS servers have been exhausted or once the configured number of maximum transmissions is reached.
For example, if 3 servers are configured and if the configured max-retries is 3 and max-transmissions is 12, then the primary server is tried 4 times (once plus 3 retries), the secondary server is tried 4 times, and then a third server is tried 4 times. If there is a fourth server, it is not tried because the maximum number of transmissions (12) has been reached.
transmissions must be an integer from 1 through 65535.
timeout idle_seconds
Default: 3
Specifies the number of seconds to wait for a response from the RADIUS server before re-sending the messages. idle_seconds must be an integer from 1 through 65535.
Usage
Manage the basic Charging Service RADIUS options according to the RADIUS server used for the context.
Example
radius charging detect-dead-server consecutive-failures 6
radius charging timeout 300
 
radius charging accounting algorithm
This command specifies the fail-over/load-balancing algorithm to be used for selecting RADIUS servers for charging services.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
radius charging accounting algorithm { first-n n | first-server | round-robin }
first-n n
Default: 1 (Disabled)
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. Response from any one of the n AAA servers would suffice to proceed with the call. The full set of accounting data is sent to each of the n AAA servers.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128.
first-server
Specifies that the context must send accounting data to the RADIUS server with the highest configured priority. In the event that this server becomes unreachable, accounting data is sent to the server with the next-highest configured priority. This is the default algorithm.
round-robin
Specifies that the context must load balance sending accounting data among all of the defined RADIUS servers. Accounting data is sent in a circular queue fashion on a per Session Manager task basis, where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.
Usage
Use this command to specify the accounting algorithm to use to select RADIUS servers for charging services configured in the current context.
Example
The following command specifies to use the round-robin algorithm to select the RADIUS server:
radius charging accounting algorithm round-robin
 
radius charging accounting server
Configures RADIUS charging accounting servers in the current context for Active Charging Services prepaid accounting.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius charging accounting server ip_address [ encrypted ] key value [ max msgs ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius charging accounting server ip_address [ oldports | port port_number ]
no
Removes the server or server port(s) specified from the list of configured servers.
ip_address
Specifies IP address of the accounting server. ip_address must be specified using the standard IPv4 dotted decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be a string of 1 to 15 alpha and/or numeric characters, or when encrypted a string of 1 to 30 alpha and/or numeric characters.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
max msgs
Default: 0
Specifies the maximum number of outstanding messages that may be allowed to the server.
msgs must be an integer from 0 through 4000.
max-rate max_rate
Default: Disabled
Specifies the rate (number of messages per second), at which the authentication messages should be sent to the RADIUS server.
max_rate must be an integer from 1 through 1000.
oldports
Sets the UDP communication port to the out-of-date standardized default for RADIUS communications, 1646.
port port_number
Default: 1813
Specifies the port number to use for communications. port_number must be an integer from 0 through 65535.
priority priority
Default: 1000
Specifies the relative priority of this accounting server. The priority is used in server selection for determining which server to send accounting data to. priority must be a value in the range 1 through 1000 where 1 is the highest priority.
admin-status { enable | disable }
Enables or disables the RADIUS { authentication | accounting | charging } server functionality and saves the status setting in the configuration file to re-establish the set status at reboot.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Usage
This command is used to configure the RADIUS charging accounting server(s) with which the system is to communicate for Active Charging Services prepaid accounting requests.
Example
Up to 128 AAA servers can be configured per context when the system is functioning as a PDSN and/or HA. Up to 16 servers are supported per context when the system is functioning as a GGSN.
radius charging accounting server 1.2.3.4 key sharedKey port 1024 max 127
radius charging accounting server 1.2.5.6 encrypted key scrambledKey oldports priority 10
no radius charging accounting server 1.2.5.6
 
radius charging algorithm
Configures the RADIUS authentication server selection algorithm for Active Charging Services for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius charging algorithm { first-server | round-robin }
default radius charging algorithm
default
Configures this command with the default settings.
Default: first-server
first-server
Accounting data is sent to the first available server based upon the relative priority of each configured server.
round-robin
Accounting data is sent in a circular queue fashion on a per Session Manager task basis where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.
Usage
Set the context’s RADIUS server selection algorithm for Active Charging Services to ensure proper load distribution through the servers available.
Example
radius charging algorithm first-server
radius charging algorithm round-robin
 
radius charging server
Configures the RADIUS charging server(s) in the current context for Active Charging Services prepaid authentication.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius charging server ip_address [ encrypted ] key value [ max msgs ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius charging server ip_address [ oldports | port port_number ]
no
Removes the server or server port(s) specified from the list of configured servers.
ip_address
Specifies the IP address of the server. ip_address must be specified using the standard IPv4 dotted decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be a string of 1 to 15 alpha and/or numeric characters, or when encrypted a string of 1 to 30 alpha and/or numeric characters.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
max msgs
Default: 256
Specifies the maximum number of outstanding messages that may be allowed to the server.
msgs must be an integer from 0 through 4000.
max-rate max_rate
Default: Disabled
Specifies the rate (number of messages per second), at which the authentication messages should be sent to the RADIUS server.
max_rate must be an integer from 1 through 1000.
oldports
Sets the UDP communication port to the old default for RADIUS communications, 1645.
port port_number
Default: 1812
Specifies the port number to use for communications. port_number must be an integer from 0 through 65535.
priority priority
Default: 1000
Specifies the relative priority of this accounting server. The priority is used in server selection for determining which server to send accounting data to. priority must be a value in the range 1 through 1000 where 1 is the highest priority.
admin-status { enable | disable }
Enables or disables the RADIUS { authentication | accounting | charging } server functionality and saves the status setting in the configuration file to re-establish the set status at reboot.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Usage
This command is used to configure the RADIUS charging server(s) with which the system is to communicate for Active Charging Services prepaid authentication requests.
Example
Up to 128 AAA servers can be configured per context when the system is functioning as a PDSN and/or HA. Up to 16 servers are supported per context when the system is functioning as a GGSN.
radius charging server 1.2.3.4 key sharedKey port 1024 max 127
radius charging server 1.2.5.6 encrypted key scrambledKey oldports priority 10
no radius charging server 1.2.5.6
 
radius dictionary
This command configures the RADIUS dictionary for RADIUS prepaid charging.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius dictionary dictionary
default radius dictionary
default
Configures this command with the default setting.
dictionary dictionary
Specifies the dictionary to use.
The possible values are described in the following table.
 
XX is the integer value of the custom dictionary.
Important: RADIUS dictionary custom23 should be used in conjunction with Active Charging Service (ACS). Refer to the Enhanced Charging Service Configuration and Reference Guide for more information.
Usage
Use this command to assign the RADIUS dictionary according to the RADIUS server used for the context.
Example
The following command sets custom23 as dictionary for prepaid charging:
radius dictionary custom23
 
radius group
 
This command has been deprecated and is replaced by AAA Server Group configurations. See the AAA Server Group Configuration Mode Commands chapter.
 
radius ip vrf
This command associates the default AAA group with a Virtual Routing and Forwarding (VRF) Context instance for GRE tunnel interface configuration. By default the VRF is NULL, which means that default AAA group is associated with global routing table.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius ip vrf vrf_name
no radius ip vrf
no
Removes/disassociates configured IP Virtual Routing and Forwarding (VRF) context instance.
vrf_name
Specifies the name of a pre-configured VRF context instance.
vrf_name is the name of a pre-configured virtual routing and forwarding (VRF) context configured in Context Configuration Mode through the ip vrf command.
Usage
Use this command to associate/disassociate a pre-configured VRF context for a GRE tunnel interface.
By default the VRF is NULL, which means that default AAA group is associated with global routing table.
Example
The following command associates VRF context instance GRE_vrf1 with this AAA group:
radius ip vrf GRE_vrf1
 
radius keepalive
Configures the keepalive authentication parameters for the RADIUS server.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ default ] radius keepalive [ calling-station-id id | consecutive-response number | encrypted | interval seconds | password | retries number | timeout seconds | username name | valid-response access-accept [ access-reject ] ]
default
Configures this command with the default settings.
calling-station-id id
Configures the Calling-Station-Id to be used for the keepalive authentication. id must be an alpha and/or numeric string of 1 through 15 characters in length.
Default: 000000000000000
consecutive-response number
Configures the number of consecutive authentication responses after which the server is marked as reachable. number must be an integer from 1 through 5.
Default: 1
encrypted password
Designates use of encryption for the password. password must be an alpha and/or numeric string of 1 through 64 characters in length.
Default: Test-Password
interval seconds
Configures the time interval between the two keepalive access requests.
Default: 30 seconds
password
Configures the password to be used for the authentication. password must be an alpha and/or numeric string of 1 through 64 characters in length.
Default: Test-Password
retries number
Configures the number of times the keepalive access request is sent before marking the server as unreachable. number must be an integer from 3 through 10.
Default: 3
timeout seconds
Configures the time interval between keepalive access request retries. seconds must be an integer from 1 through 30.
Default: 3 seconds
username name
Configures the username to be used for the authentication. name must be an alpha and/or numeric string of 1 through 127 characters in length.
Default: Test-Username
valid-response access-accept [ access-reject ]
Configures the valid response for the authentication request.
If access-reject is configured, then both access-accept and access-reject are considered as success for the keepalive authentication request.
If access-reject is not configured, then only access-accept is considered as success for the keepalive access request.
Default: keepalive valid-response access-accept
Usage
Configures the keepalive authentication parameters for the RADIUS server.
Example
The following command sets the user name for the RADIUS keepalive access requests:
radius keepalive username Test-Username2
The following command sets the number of retries to 4.
radius keepalive retries 4
 
radius mediation-device
See the radius accounting server command.
 
radius probe-interval
Configures the interval duration between two RADIUS authentication probes.
Product
GGSN, HA
Privilege
Security Administrator, Administrator
Syntax
radius probe-interval seconds
default radius probe-interval
default
Configures this command with the default settings.
seconds
Default: 3
Specifies the amount of time in seconds to wait before sending another probe authentication request to a RADIUS server. seconds must be an integer from 1 through 65535.
Usage
Use this command for Home Agent Geographical Redundancy (HAGR) support to set the duration between two authentication probes to the RADIUS server.
Example
The following command sets the authentication probe interval to 30 seconds:
radius probe-interval 30
 
radius probe-max-retries
Configures the number of retries for RADIUS authentication probe response.
Product
GGSN, HA
Privilege
Security Administrator, Administrator
Syntax
radius probe-max-retries retries
default radius probe-max-retries
default
Configures this command with the default settings.
retries
Default: 5
Specifies the number of retries for RADIUS authentication probe response before the authentication is declared as failed.
retries must be an integer from 1 through 65535.
Usage
Use this command for Interchassis Session Recovery (ICSR) support to set the number of attempts to send RADIUS authentication probe without a response before the authentication is declared as failed.
Example
The following command sets the maximum number of retries to 6:
radius probe-max-retries 6
 
radius probe-timeout
Configures the timeout duration to wait for a response for RADIUS authentication probes.
Product
GGSN, HA
Privilege
Security Administrator, Administrator
Syntax
radius probe-timeout idle_seconds
default radius probe-timeout
default
Configures this command with the default settings.
idle_seconds
Default: 3
Specifies the number of seconds to wait for response from the RADIUS server before resending the authentication probe.
idle_seconds must be an integer from 1 through 65535.
Usage
Use this command for Interchassis Session Recovery (ICSR) support to set the duration to wait for response before re-sending the RADIUS authentication probe to the RADIUS server.
Example
The following command sets the authentication probe timeout to 120 seconds:
radius probe-timeout 120
 
radius server
Configures RADIUS authentication server(s) in the current context for authentication.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius server ip_address [ encrypted ] key value [ max msgs ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ probe | no-probe ] [ probe-username user_name ] [ probe-password [ encrypted ] password password ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius server ip_address [ oldports | port port_number ]
no
Removes the server or server port(s) specified from the list of configured servers.
ip_address
Specifies the IP address of the server. ip_address must be specified in dotted decimal notation for IPv4 or colon notation for IPv6. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be a string of 1 to 15 alpha and/or numeric characters or a string of 1 to 30 alpha and/or numeric characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
max msgs
Default: 256
Specifies the maximum number of outstanding messages that may be allowed to the server.
msgs must be an integer from 0 through 4000.
max-rate max_rate
Specifies the rate (number of messages per second), at which the authentication messages should be sent to the RADIUS server.
max_rate must be an integer from 1 through 1000.
Default: disabled
oldports
Sets the UDP communication port to the old default for RADIUS communications to 1645.
port port_number
Default: 1812
Specifies the port number to use for communications.
port_number must be an integer from 1 through 65535.
priority priority
Default: 1000
Specifies the relative priority of this accounting server. The priority is used in server selection for determining which server to send accounting data to. priority must be a value in the range 1 through 1000 where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
probe
Enable probe messages to be sent to the specified RADIUS server.
no-probe
Disable probe messages from being sent to the specified RADIUS server. This is the default behavior.
probe-username user_name
The user name sent to the RADIUS server to authenticate probe messages. user_name must be an alpha and/or numeric string of 1 through 127 characters in length.
probe-password [ encrypted ] password password
The password sent to the RADIUS server to authenticate probe messages.
encrypted: This keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
password password: Specifies the probe-user password for authentication. password must be an alpha and/or numeric string of 1 through 63 characters in length.
type { mediation-device | standard }
Specifies the type of transactions the RADIUS server accepts.
mediation-device: Specifies mediation-device specific AAA transactions. This device is available if you purchased a transaction control services license. Contact your local sales representative for licensing information.
standard: Specifies standard AAA transactions. (Default)
admin-status { enable | disable }
Enables or disables the RADIUS { authentication | accounting | charging } server functionality and saves the status setting in the configuration file to re-establish the set status at reboot.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
Usage
This command is used to configure the RADIUS authentication server(s) with which the system is to communicate for authentication.
Up to 128 RADIUS servers can be configured per context. The servers can be configured as Accounting, Authentication, charging servers, or any combination thereof.
Example
radius server 1.2.3.4 key sharedKey port 1024 max 127
radius server 1.2.5.6 encrypted key scrambledKey oldports priority 10
no radius server 1.2.5.6
 
route-access-list extended
This command configures an access list for filtering routes based on a specified range of IP addresses.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
route-access-list extended identifier { deny | permit } ip { network_parameter } { mask_parameter }
no route-access-list extended identifier { deny | permit } ip { network_parameter } { mask_parameter }
no
Deletes the specified route access list.
identifier
A value to identify the route access list.
identifier must be an integer from 100 through 999.
deny
Deny routes that match the specified criteria.
permit
Permit routes that match the specified criteria.
network_parameter
This specifies the network portion of the route to match. The network portion of the route is mandatory and must be expressed in one of the following ways:
ip_address wildcard_mask: A network address and wildcard mask expressed in IPv4 dotted decimal notation. (192.168.100.0   0.0.0.255)
any : Match any network address.
host network_address : Match the specified network address exactly. network_address must be an IPv4 address specified in dotted decimal notation.
mask_parameter
This specifies the mask portion of the route to match. The mask portion of the route is mandatory and must be expressed in one of the following ways:
mask_address wildcard_mask: A mask address and wildcard mask expressed in IPv4 dotted decimal notation. (255.255.255.0   0.0.0.255)
any : Match any network mask.
host mask_address : Match the specified mask address exactly. mask_address must be an IPv4 address specified in dotted decimal notation.
Usage
Use this command to create an extended route-access-list that matches routes based on network addresses and masks.
Example
Use the following command to create an extended route-access-list:
route-access-list extended 100 permit ip 192.168.100.0 0.0.0.255 255.255.255.0 0.0.0.255
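How the network and mask parameters combine to select routes, as an added Python example that is not part of the vendor documentation. It assumes the conventional wildcard-mask reading (a 1 bit in the wildcard means "ignore this bit"), first-match evaluation across entries, and a None result when nothing matches; none of these are stated on this page, and all function names are hypothetical.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # "any": every bit is ignored


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))  # raises ValueError on bad input


def take_parameter(tokens):
    """Pop one network_parameter or mask_parameter; return (value, wildcard)."""
    try:
        head = tokens.pop(0)
        if head == "any":
            return ANY
        if head == "host":  # exact match: no bit is ignored
            return (ip_to_int(tokens.pop(0)), 0)
        return (ip_to_int(head), ip_to_int(tokens.pop(0)))
    except IndexError:
        raise ValueError("truncated network or mask parameter") from None


def parse_extended(line):
    """Parse one 'route-access-list extended' command into a dict."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[:2] != ["route-access-list", "extended"]:
        raise ValueError("not a route-access-list extended command")
    ident = int(tokens[2])
    if not 100 <= ident <= 999:
        raise ValueError("identifier must be an integer from 100 through 999")
    if tokens[3] not in ("deny", "permit") or tokens[4] != "ip":
        raise ValueError("expected { deny | permit } ip")
    rest = tokens[5:]
    network = take_parameter(rest)
    mask = take_parameter(rest)
    if rest:
        raise ValueError("unexpected trailing tokens: " + " ".join(rest))
    return {"id": ident, "action": tokens[3], "network": network, "mask": mask}


def field_matches(value, pattern_and_wildcard):
    """Assumed convention: bits set in the wildcard are not compared."""
    pattern, wildcard = pattern_and_wildcard
    return ((value ^ pattern) & ~wildcard & 0xFFFFFFFF) == 0


def entry_matches(entry, route):
    """route is 'a.b.c.d/len'; both the network and the mask must match."""
    net = ipaddress.IPv4Network(route)  # strict: host bits must be zero
    return (field_matches(int(net.network_address), entry["network"])
            and field_matches(int(net.netmask), entry["mask"]))


def evaluate(entries, route):
    """Action of the first matching entry (assumed ordering), else None."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry["action"]
    return None


if __name__ == "__main__":
    acl = [parse_extended("route-access-list extended 100 permit ip "
                          "192.168.100.0 0.0.0.255 255.255.255.0 0.0.0.255")]
    # Constructed sample routes: /24 and /25 inside the range, a /23 and a /16 outside it.
    for route in ("192.168.100.0/24", "192.168.100.128/25",
                  "192.168.100.0/23", "192.168.0.0/16"):
        print(route, evaluate(acl, route))
```

The page's example entry therefore accepts 192.168.100.x routes with masks of 255.255.255.0 or longer, and the mask parameter is what excludes a shorter /23 covering the same addresses.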
 
route-access-list named
This command configures an access list for filtering routes based on a network address and net mask.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
route-access-list named list_name { deny | permit } { ip_address/mask | any } [ exact-match ]
no route-access-list named list_name { deny | permit } { ip_address/mask | any } [ exact-match ]
no
Deletes the specified route access list.
list_name
A name that identifies the route access list. list_name must be a string of 1 through 79 alphanumeric characters in length.
deny
Deny routes that match the specified criteria.
permit
Permit routes that match the specified criteria.
ip_address/mask
The IP address (in dotted-decimal notation) and the number of subnet bits, representing the subnet mask in shorthand. This variable must be entered in the dotted-decimal notation/subnet bits format (1.1.1.1/24).
any
Match any route.
exact-match
Match the IP address prefix exactly.
Usage
Use this command to create route-access lists that specify routes that are accepted.
Example
Use the following command to create a route access list named list27 that permits routes that match 192.168.1.0/24 exactly:
route-access-list named list27 permit 192.168.1.0/24 exact-match
To delete the list, use the following command:
no route-access-list named list27 permit 192.168.1.0/24 exact-match
 
route-access-list standard
This command configures an access-list for filtering routes based on network addresses.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
route-access-list standard identifier { permit | deny } { ip_address wildcard_mask | any | host network_address }
no route-access-list standard identifier { permit | deny } { ip_address wildcard_mask | any | host network_address }
no
Deletes the specified route access list.
identifier
This is a value that identifies the route-access-list. This must be an integer from 1 through 99.
deny
Deny routes that match the specified criteria.
permit
Permit routes that match the specified criteria.
ip_address wildcard_mask
The IP address and subnet mask to match for routes. Both ip_address and wildcard_mask must be entered in IPv4 dotted decimal notation. (192.168.100.0 255.255.255.0)
any
Match any route.
host network_address
Routes must match the specified network address as if it had a 32-bit network mask. network_address must be an IPv4 address specified in dotted decimal notation.
Usage
Use this command to create route-access-lists that specify routes that are accepted.
Example
Use the following command to create a route access list with an identifier of 10 that permits routes:
route-access-list standard 10 permit 192.168.1.0 255.255.255.0
To delete the list, use the following command:
no route-access-list standard 10 permit 192.168.1.0 255.255.255.0
 
route-map
This command creates a route-map that is used by the routing features and enters Route-map Configuration mode. A route-map allows redistribution of routes. A route-map has a list of match and set commands associated with it. The match commands specify the conditions under which redistribution is allowed, and the set commands specify the particular redistribution actions to be performed if the criteria specified by the match commands are met. Route-maps are used for detailed control over route distribution between routing processes. Up to eight route-maps can be created in each context. Refer to the Route-map Configuration mode commands for more information.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
route-map map_name { deny | permit } seq_number
no route-map map_name
no
Deletes the specified route-map.
map_name
The name of the route-map to create or edit. This is a string of characters from 1 through 69 characters long.
deny
If the deny parameter is specified and the match command criteria are met, the route is not redistributed and any other route maps with the same map name are not examined. Set commands have no effect on deny route-maps.
permit
If the permit parameter is specified, and the match criteria are met, the route is redistributed as specified by set actions. If the match criteria are not met, the next route map with the same name is tested.
seq_number
The sequence number that indicates the position a new route map is to have in the list of route maps already configured with the same name. Route maps with the same name are tested in ascending order of their sequence numbers. This must be an integer from 1 through 65535.
Usage
Use this command to create route maps that allow redistribution of routes based on specified criteria and set parameters for the routes that get redistributed. The chassis supports a maximum of 64 route maps per context.
Example
To create a route map named map1 that permits routes that match the specified criteria, use the following command:
route-map map1 permit 10
To delete the route-map, enter the following command:
no route-map map1 permit 10
 
router
This command enables the OSPF routing functionality and enters the OSPF Configuration mode. Refer to the OSPF Configuration Mode Commands chapter for details on OSPF Configuration mode commands.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
router { ospf | bgp as_number }
no router { ospf | bgp as_number }
no
Disables the specified routing support in the current context.
ospf
Enable OSPF routing in this context and enter OSPF Configuration mode.
bgp as_number
Enable a BGP routing service for this context and assign it the specified AS number. as_number must be an integer from 1 through 65535.
Important: BGP routing is supported only for use with the HA.
Usage
Use this command to enable and configure OSPF and BGP routing in the current context.
Important: You must obtain and install a valid OSPF or BGP-4 feature use license key to use OSPF and BGP routing features. Refer to the System Administration and Configuration Guide for details on obtaining and installing feature use license keys.
Example
The following command enables the OSPF routing functionality and enters the OSPF Configuration mode:
router ospf
The following command enables a BGP routing service with an AS number of 100, and enters the BGP configuration mode:
router bgp 100
 
server
Configures remote server access protocols for the current context. This command is used to enter the specified protocol's configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
server { ftpd | named | sshd | telnetd | tftpd }
no server { ftpd | named | sshd | telnetd | tftpd } [ kill ]
no
Disables the specified service.
ftpd
Enters the ftpd server configuration mode.
Important: The FTPD server can only be configured in the local context.
named
Starts the named server.
sshd
Enters the sshd server configuration mode.
Important: The SSH server allows only three unsuccessful login attempts before closing a login session attempt.
telnetd
Enters the telnetd server configuration mode.
Important: The TELNET server allows only three unsuccessful login attempts before closing a login session attempt.
tftpd
Enters the tftpd server configuration mode.
Important: The TFTPD server can only be configured in the local context.
kill
Indicates all instances of the server are to be stopped.
This option only works with the ftpd, sshd, telnetd, and tftpd commands.
Usage
Enter the context configuration mode for the appropriate, previously defined context, to set the server option(s). Repeat the command as needed to enable/disable more than one server daemon.
Example
server ftpd
server named
no server tftpd
server sshd
server telnetd
no server telnetd kill
 
service-redundancy-protocol
Configures Interchassis Session Redundancy services for the current context. This command is used to enter the service redundancy protocol configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
service-redundancy-protocol
Usage
Enter the configuration mode to set the service redundancy protocol options.
Example
The following command enters service redundancy protocol mode.
service-redundancy-protocol
 
sgw-service
Creates an S-GW service or specifies an existing S-GW service and enters the S-GW service configuration mode for the current context.
Product
S-GW
Privilege
Administrator
Syntax
sgw-service service_name [ -noconfirm ]
no sgw-service service_name
service_name
Specifies the name of the S-GW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
-noconfirm
Indicates that the command is to execute without any additional prompt and confirmation from the user.
no sgw-service service_name
Removes the specified S-GW service from the context.
Usage
Enter the S-GW service configuration mode for an existing service or for a newly defined service. This command is also used to remove an existing service.
A maximum of 256 services (regardless of type) can be configured per system.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Entering this command results in the following prompt:
[context_name]hostname(config-sgw-service)#
S-GW Service Configuration Mode commands are defined in the S-GW Service Configuration Mode Commands chapter.
Use this command when configuring the following SAE components: S-GW.
Example
The following command enters the existing S-GW service configuration mode (or creates it if it doesn’t already exist) for the service named sgw-service1:
sgw-service sgw-service1
The following command will remove sgw-service1 from the system:
no sgw-service sgw-service1
 
sgsn-service
This command creates an SGSN service instance and enters the SGSN Service Configuration Mode. This mode configures or edits the configuration for an SGSN service which controls the SGSN functionality.
An SGSN mediates access to GPRS/UMTS network resources on behalf of user equipment (UE) and implements the packet scheduling policy between different QoS classes. It is responsible for establishing the packet data protocol (PDP) context with the GGSN.
Important: For details about the commands and parameters, check the SGSN Service Configuration Mode chapter.
Product
SGSN
Privilege
Security Administrator, Administrator
Syntax
sgsn-service srvc_name
no sgsn-service srvc_name
no
Remove the configuration for the specified SGSN service from the configuration of the current context.
srvc_name
A unique string of 1 to 63 alphanumeric characters that identify the specific SGSN service.
Usage
Use this command to create, edit, or remove an SGSN service.
Example
The following command creates an SGSN service named sgsn1 in the current context:
sgsn-service sgsn1
The following command removes the sgsn service named sgsn1 from the configuration for the current context:
no sgsn-service sgsn1
 
sgtp-service
This command creates an SGTP service instance and enters the SGTP Service Configuration Mode. This mode configures the GPRS Tunneling Protocol (GTP) related settings required by the SGSN to support GTP-C (control plane) messaging and GTP-U (user data plane) messaging.
Product
SGSN
Privilege
Security Administrator, Administrator
Syntax
sgtp-service svc_name
no sgtp-service svc_name
no
Remove the configuration for the specified SGTP service from the configuration of the current context.
svc_name
A unique string of 1 to 63 alphanumeric characters that identify the specific SGTP service.
Usage
Use this command to create, edit, or remove an SGTP service.
Example
The following command creates an SGTP service named sgtp1 in the current context:
sgtp-service sgtp1
The following command removes the SGTP service named sgtp1 from the configuration for the current context:
no sgtp-service sgtp1
 
ssh
Generates public and private keys for use with the configured SSH server for the current context and sets the public/private key pair to specified values.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ssh { generate key | key data length octets } [ type { v1-rsa | v2-rsa | v2-dsa } ]
no ssh key [ type { v1-rsa | v2-rsa | v2-dsa } ]
no ssh key [ type { v1-rsa | v2-rsa | v2-dsa } ]
This command clears configured SSH keys. If type is not specified, all SSH keys are cleared.
generate key
This command generates a public/private key pair which is to be used by the SSH server. The generated key pair is in use until the command is issued again.
key data length octets
This command sets the public/private key pair to be used by the system where data is the encrypted key and length is the length of the encrypted key in octets. data must be an alpha and/or numeric string of 1 to 1023 characters and octets must be a value in the range of 0 through 65535.
[ type { v1-rsa | v2-rsa | v2-dsa } ]
Specifies the type of SSH key to generate. If type is not specified, all three key types are generated.
v1-rsa: SSH v1 RSA host key only
v2-rsa: SSH v2 RSA host key only
v2-dsa: SSH v2 DSA host key only
Important: For maximum security, it is recommended that only SSH v2 be used. v2-rsa is the recommended key type.
Usage
Generate secure shell keys for use in public key authentication.
Example
ssh generate key
ssh key g6j93fw59cx length 128
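A configuration check built on the server and ssh commands described above, as an added Python example that is not part of the vendor documentation. It assumes the input is the list of commands entered for a single context; the sample configuration is constructed, the function names are hypothetical, and the remarks about Telnet, FTP and TFTP being unencrypted are general protocol facts rather than statements from this page.

```python
SSH_KEY_TYPES = ("v1-rsa", "v2-rsa", "v2-dsa")

# General protocol properties (not taken from this page).
CLEARTEXT_SERVERS = {
    "telnetd": "Telnet carries logins and session data unencrypted",
    "ftpd": "FTP carries credentials and file contents unencrypted",
    "tftpd": "TFTP has no authentication or encryption",
}

# Constructed sample: commands as they might be entered in one context.
SAMPLE_CONFIG = """\
server ftpd
server telnetd
server sshd
ssh generate key
no server telnetd kill
no ssh key type v1-rsa
server tftpd
"""


def key_types(tokens):
    """Key types a command touches: the named one, or all three if 'type' is omitted."""
    if "type" in tokens:
        idx = tokens.index("type")
        if idx + 1 >= len(tokens) or tokens[idx + 1] not in SSH_KEY_TYPES:
            raise ValueError("unknown SSH key type in: " + " ".join(tokens))
        return [tokens[idx + 1]]
    return list(SSH_KEY_TYPES)


def audit_context(config_text):
    """Replay the commands in order and report what is left enabled.

    Returns a sorted list of (line_number, item, reason) tuples.
    'ssh key <data> length <octets>' lines are ignored by this example.
    """
    servers = {}   # daemon -> line where it was last enabled
    ssh_keys = {}  # key type -> line where it was last generated
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        negate = bool(tokens) and tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if len(tokens) >= 2 and tokens[0] == "server":
            if negate:  # 'no server X [ kill ]' disables the daemon
                servers.pop(tokens[1], None)
            else:
                servers[tokens[1]] = lineno
        elif not negate and tokens[:3] == ["ssh", "generate", "key"]:
            for ktype in key_types(tokens):
                ssh_keys[ktype] = lineno
        elif negate and tokens[:2] == ["ssh", "key"]:
            for ktype in key_types(tokens):
                ssh_keys.pop(ktype, None)

    findings = []
    for name, lineno in servers.items():
        if name in CLEARTEXT_SERVERS:
            findings.append((lineno, "server " + name, CLEARTEXT_SERVERS[name]))
    if "v1-rsa" in ssh_keys:
        findings.append((ssh_keys["v1-rsa"], "ssh key type v1-rsa",
                         "SSH v1 host key present; only SSH v2 is recommended"))
    if "v2-dsa" in ssh_keys:
        findings.append((ssh_keys["v2-dsa"], "ssh key type v2-dsa",
                         "v2-rsa is the recommended key type"))
    if "sshd" in servers and "v2-rsa" not in ssh_keys:
        findings.append((servers["sshd"], "server sshd",
                         "sshd enabled without a v2-rsa host key"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, item, reason in audit_context(SAMPLE_CONFIG):
        print("line %d: %s: %s" % (lineno, item, reason))
```

In the sample, telnetd and the v1-rsa key are not reported because later no commands remove them, while the v2-dsa key created by the untyped ssh generate key remains.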
 
subscriber
Configures the specified subscriber for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
subscriber { default | name user_name }
no subscriber { default | name user_name }
no
Indicates the subscriber specified is to be removed from the list of allowed users for the current context.
default | name user_name
default: enters the subscriber configuration mode for the context’s default subscriber settings.
name user_name: specifies the user which is to be allowed to use the services of the current context. user_name must be from 1 to 127 alpha and/or numeric characters.
Usage
Enter the subscriber configuration mode for actual users as well as for a default subscriber for the current context.
Important: A maximum of 128 subscribers and/or administrative users may be locally configured per context.
Example
subscriber default
no subscriber default
subscriber name user1
no subscriber name user1
 
threshold
The commands in this section set context level threshold parameters.
 
threshold available-ip-pool-group
Configures context-level thresholds for IP pool utilization for the system.
Product
All
Privilege
Security Administrator, Administrator
Syntax
threshold available-ip-pool-group low_thresh [ clear high_thresh ]
low_thresh
Default: 10
The low threshold IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm.
low_thresh can be configured to any integer value between 0 and 100.
clear high_thresh
Default: 10
The high threshold IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm will be generated.
high_thresh can be configured to any integer value between 0 and 100. The default is 10.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
Usage
When IP address pools are configured on the system, they can be assigned to a group. IP address pool utilization thresholds generate alerts or alarms based on the utilization percentage of all IP address contained in the pool group during the specified polling interval.
All configured public IP address pools that were not assigned to a group are treated as belonging to the same group. Individual configured static or private pools are each treated as their own group.
Alerts or alarms are triggered for IP address pool utilization based on the following rules:
Enter condition: Actual IP address utilization percentage per pool group ≤ Low Threshold
Clear condition: Actual IP address utilization percentage per pool group > High Threshold
If a trigger condition occurs within the polling interval, the alert or alarm will not be generated until the end of the polling interval.
The following table describes the possible methods for configuring IP pool utilization thresholds:
 
Example
The following command configures a context-level IP pool utilization low threshold percentage of 10 and a high threshold of 35 for a system using the Alarm thresholding model:
threshold available-ip-pool-group 10 clear 35
 
threshold ha-service init-rrq-rcvd-rate
Set an alarm or alert based on the average number of calls setup per second for an HA service.
Product
All
Privilege
Security Administrator, Administrator
Syntax
threshold ha-service init-rrq-rcvd-rate high_thresh [ clear low_thresh ]
no threshold ha-service init-rrq-rcvd-rate
no
Deletes the alert or alarm.
high_thresh
Default: 0
The high threshold average number of calls setup per second must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured to any integer value between 0 and 1000000.
clear low_thresh
Default: 0
The low threshold average number of calls setup per second that must be met or exceeded within the polling interval to clear an alert or alarm. It can be configured to any integer value between 0 and 1000000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
Usage
Use this command to set an alert or an alarm when the average number of calls setup per second is equal to or less than a specified number of calls per second.
Alerts or alarms are triggered for the number of calls setup per second based on the following rules:
Enter condition: Actual number of calls setup per second > High Threshold
Clear condition: Actual number of calls setup per second ≤ Low Threshold
Example
The following command configures a number of calls setup per second threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
threshold ha-service init-rrq-rcvd-rate 1000 clear 500
 
threshold ip-pool-free
Set an alarm or alert based on the percentage of IP addresses that are unassigned in an IP pool. This command affects all IP pools in the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
threshold ip-pool-free low_thresh [ clear high_thresh ]
low_thresh
Default: 0
The low threshold percentage of addresses available in an IP pool that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured to any integer value between 0 and 100.
clear high_thresh
Default: 0
The high threshold percentage of addresses available in an IP pool that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm will be generated. It may be configured to any integer value between 0 and 100.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
Usage
Use this command to set an alert or an alarm when the number of unassigned IP addresses in any pool is equal to or less than a specified percentage of the total number of addresses in the pool.
Alerts or alarms are triggered for percentage of IP address pool free based on the following rules:
Enter condition: Actual percentage of IP addresses free per pool ≤ Low Threshold
Clear condition: Actual percentage of IP addresses free per pool > High Threshold
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.
Example
The following command configures a context-level IP pool percentage of IP addresses that are unused low threshold percentage of 10 and a high threshold of 35 for a system using the Alarm thresholding model:
threshold ip-pool-free 10 clear 35
 
threshold ip-pool-hold
Set an alert based on the percentage of IP addresses from an IP pool that are on hold. This command affects all IP pools in the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
threshold ip-pool-hold high_thresh [ clear low_thresh ]
high_thresh
Default: 0
The high threshold percentage of addresses on hold in an IP pool that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured to any integer value between 0 and 100.
clear low_thresh
Default: 0
The low threshold percentage of addresses on hold in an IP pool that maintains a previously generated alarm condition. If the utilization percentage falls below the low threshold within the polling interval, a clear alarm will be generated. It may be configured to any integer value between 0 and 100.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
Usage
Use this command to set an alert or an alarm when the percentage of IP addresses on hold in any pool is equal to or greater than a specified percentage of the total number of addresses in the pool.
Alerts or alarms are triggered for percentage of IP address pool addresses on hold based on the following rules:
Enter condition: Actual percentage of IP addresses on hold per pool > High Threshold
Clear condition: Actual percentage of IP addresses on hold per pool ≤ Low Threshold
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.
Example
The following command configures a context-level IP pool percentage of IP addresses that are on hold high threshold percentage of 10 and a low threshold of 35 for a system using the Alarm thresholding model:
threshold ip-pool-hold 35 clear 10
 
threshold ip-pool-release
Set an alert based on the percentage of IP addresses from an IP pool that are in the release state. This command affects all IP pools in the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
threshold ip-pool-release high_thresh [ clear low_thresh ]
high_thresh
Default: 0
The high threshold percentage of addresses in the release state in an IP pool that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured to any integer value between 0 and 100.
clear low_thresh
Default: 0
The low threshold percentage of addresses in the release state in an IP pool that maintains a previously generated alarm condition. If the utilization percentage falls below the low threshold within the polling interval, a clear alarm will be generated. It may be configured to any integer value between 0 and 100.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
Usage
Use this command to set an alert or an alarm when the number of IP addresses in the release state in any pool is equal to or greater than a specified percentage of the total number of addresses in the pool.
Alerts or alarms are triggered for percentage of IP address pool addresses in the release state based on the following rules:
Enter condition: Actual percentage of IP addresses in the release state per pool > High Threshold
Clear condition: Actual percentage of IP addresses in the release state per pool ≤ Low Threshold
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.
Example
The following command configures a context-level IP pool percentage of IP addresses that are in the release state high threshold percentage of 35 and a low threshold of 10 for a system using the Alarm thresholding model:
threshold ip-pool-release 35 clear 10
 
threshold ip-pool-used
This command sets an alert based on the percentage of IP addresses that have been assigned from an IP pool. This command affects all IP pools in the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
threshold ip-pool-used high_thresh [ clear low_thresh ]
high_thresh
Default: 0
The high threshold percentage of addresses assigned from an IP pool that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured to any integer value between 0 and 100.
clear low_thresh
Default: 0
The low threshold percentage of addresses assigned from an IP pool that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm will be generated. It may be configured to any integer value between 0 and 100.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
Usage
Use this command to set an alert or an alarm when the number of IP addresses assigned from any pool is equal to or greater than a specified percentage of the total number of addresses in the pool.
Alerts or alarms are triggered for percentage of IP address pool addresses used based on the following rules:
Enter condition: Actual percentage of IP addresses used per pool > High Threshold
Clear condition: Actual percentage of IP addresses used per pool ≤ Low Threshold
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.
Example
The following command configures a context-level IP pool percentage of IP addresses that are used high threshold percentage of 35 and a low threshold of 10 for a system using the Alarm thresholding model:
threshold ip-pool-used 35 clear 10
 
threshold monitoring
Enables thresholding.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[no] threshold monitoring available-ip-pool-group
no
Disables threshold monitoring for the specified value.
available-ip-pool-group
Enables threshold monitoring for IP pool thresholds at the context level and the IP address pool-level.
Refer to the threshold available-ip-pool-group command, the threshold ip-pool-x commands and the alert-threshold keyword of the ip pool command for additional information on these values.
Usage
Thresholding on the system is used to monitor the system for conditions that could potentially cause errors or outage. Typically, these conditions are temporary (i.e., high CPU utilization, or packet collisions on a network) and are quickly resolved. However, continuous or large numbers of these error conditions within a specific time interval may be indicative of larger, more severe issues. The purpose of thresholding is to help identify potentially severe conditions so that immediate action can be taken to minimize and/or avoid system downtime.
Thresholding reports conditions using one of the following mechanisms:
SNMP traps: SNMP traps have been created that indicate the condition (high threshold crossing and/or clear) of each of the monitored values. Complete descriptions and other information pertaining to these traps is located in the starentMIB(8164).starentTraps(2) section of the SNMP MIB Reference.
The generation of specific traps can be enabled or disabled on the system allowing you to view only those traps that are most important to you.
Logs: The system provides a facility called threshold for which active and event logs can be generated. As with other system facilities, logs are generated. Log messages pertaining to the condition of a monitored value are generated with a severity level of WARNING.
Alarm System: High threshold alarms generated within the specified polling interval are considered “outstanding” until the condition no longer exists and/or a condition clear alarm is generated.
“Outstanding” alarms are reported through the system’s alarm subsystem and are viewable through the system’s CLI.
The following table indicates the reporting mechanisms supported by each of the above models.
Thresholding Reporting Mechanisms by Model
Refer to the threshold poll command in Global Configuration Mode Commands for information on configuring the polling interval over which IP address pool utilization is monitored.
Example
The following command enables threshold monitoring for IP pool thresholds at the context level and the IP address pool-level:
threshold monitoring available-ip-pool-group
 
threshold pdsn-service init-rrq-rcvd-rate
Set an alarm or alert based on the average number of calls setup per second for a PDSN service.
Product
All
Privilege
Security Administrator, Administrator
Syntax
threshold pdsn-service init-rrq-rcvd-rate high_thresh [ clear low_thresh ]
no threshold pdsn-service init-rrq-rcvd-rate
no
Deletes the alert or alarm.
high_thresh
Default: 0
The high threshold average number of calls setup per second must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured to any integer value between 0 and 1000000.
clear low_thresh
Default: 0
The low threshold average number of calls setup per second that must be met or exceeded within the polling interval to clear an alert or alarm. It can be configured to any integer value between 0 and 1000000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
Usage
Use this command to set an alert or an alarm when the average number of calls setup per second is equal to or less than a specified number of calls per second.
Alerts or alarms are triggered for the number of calls setup per second based on the following rules:
Enter condition: Actual number of calls setup per second > High Threshold
Clear condition: Actual number of calls setup per second ≤ Low Threshold
Example
The following command configures a number of calls setup per second threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
threshold pdsn-service init-rrq-rcvd-rate 1000 clear 500
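The Alarm-model behaviour of the context-level threshold commands above, as an added Python example that is not part of the vendor documentation. It follows the Enter and Clear condition rules as printed for each command, and assumes one measured value per polling interval; the function names, the rejection of an inverted threshold/clear pair, and the sample values in the demonstration are this example's own.

```python
# command -> (True if the alarm is entered at or below the threshold, maximum value)
COMMANDS = {
    "available-ip-pool-group": (True, 100),
    "ip-pool-free": (True, 100),
    "ip-pool-hold": (False, 100),
    "ip-pool-release": (False, 100),
    "ip-pool-used": (False, 100),
    "ha-service init-rrq-rcvd-rate": (False, 1000000),
    "pdsn-service init-rrq-rcvd-rate": (False, 1000000),
}


def parse_threshold(line):
    """Parse 'threshold <command> <thresh> [ clear <thresh> ]' into a dict."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "threshold":
        raise ValueError("not a threshold command")
    body, clear = tokens[1:], None
    if "clear" in body:
        idx = body.index("clear")
        if idx + 2 != len(body):
            raise ValueError("clear takes exactly one value")
        clear = int(body[idx + 1])
        body = body[:idx]
    name, enter = " ".join(body[:-1]), int(body[-1])
    if name not in COMMANDS:
        raise ValueError("unsupported threshold command: " + name)
    enter_low, maximum = COMMANDS[name]
    if clear is None:
        clear = enter  # Alarm model: an unset clear value equals the threshold
    for value in (enter, clear):
        if not 0 <= value <= maximum:
            raise ValueError("value out of range 0..%d" % maximum)
    # Sanity check added by this example: the clear value must lie on the
    # far side of the threshold, otherwise both conditions can hold at once.
    if (enter_low and clear < enter) or (not enter_low and clear > enter):
        raise ValueError("clear value is on the wrong side of the threshold")
    return {"name": name, "enter_low": enter_low, "enter": enter, "clear": clear}


def simulate_alarm_model(line, samples):
    """Return (interval, event, value) tuples; samples holds one value per polling interval."""
    cfg = parse_threshold(line)
    outstanding, events = False, []
    for interval, value in enumerate(samples, 1):
        if cfg["enter_low"]:
            entered, cleared = value <= cfg["enter"], value > cfg["clear"]
        else:
            entered, cleared = value > cfg["enter"], value <= cfg["clear"]
        if not outstanding and entered:
            outstanding = True
            events.append((interval, "alarm", value))
        elif outstanding and cleared:
            outstanding = False
            events.append((interval, "clear", value))
    return events


if __name__ == "__main__":
    # Constructed per-interval percentages of addresses in use.
    print(simulate_alarm_model("threshold ip-pool-used 35 clear 10",
                               [20, 36, 30, 12, 10, 40]))
```

With 35 clear 10, the alarm raised at 36 stays outstanding through 30 and 12 and clears only at 10, which is the gap between the two values doing its job of suppressing flapping.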
 
udr-module active-charging-service
This command creates the User Data Record (UDR) module and enters the UDR Module Active Charging Service Configuration Mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
udr-module active-charging-service
Usage
Use this command to create the UDR module for the context, and configure the UDR module for active charging service records. You must be in a non-local context when specifying this command, and you must use the same context when specifying the EDR module command.
Example
udr-module active-charging-service
 

Cisco Systems Inc.