APN Configuration Mode Commands

The Access Point Name (APN) Configuration Mode is used to create and configure APN profiles within the current system context of a UMTS/LTE service.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

aaa

This command configures Authentication, Authorization, and Accounting (AAA) functionality at the Access Point Name (APN) level.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
aaa { group aaa_group_name | secondary-group aaa_group_name }
default aaa { group | secondary-group aaa_group_name }
no aaa { group aaa_group_name  | secondary-group }
no aaa

Disables the specified AAA group for the specific APN.

no aaa { group | secondary-group }
  • group: Uses the default AAA group.
  • secondary-group: Removes the secondary AAA group from the APN’s configuration.
default aaa { group | secondary-group }

Configures the default setting for the specified parameter.

  • group: Uses the default AAA group—the one specified at the context level or in the APN template.
  • secondary-group: Removes the secondary AAA group from the APN configuration.
aaa_group_name

Specifies the AAA server group for the APN.

aaa_group_name must be an alphanumeric string of 1 through 63 characters.

secondary-group aaa_group_name

Specifies the secondary AAA server group for the APN.

aaa_group_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to configure AAA functionality at the APN level.

Instead of having a single list of servers per context, this feature configures multiple server groups within a context and applies individual server groups to APNs in that context. Each server group consists of a list of AAA servers for each AAA function (accounting, authentication, charging, etc.).

The AAA secondary server group supports the RADIUS Fire-and-Forget feature in conjunction with GGSN for secondary accounting (with different RADIUS accounting group configuration) to the RADIUS servers without expecting acknowledgement from the server, in addition to standard RADIUS accounting. This secondary accounting will be an exact copy of all the standard RADIUS accounting messages (RADIUS Start / Interim / Stop) sent to the standard AAA RADIUS server.

If the same AAA group is configured with both the aaa group aaa_group_name and the aaa secondary-group aaa_group_name commands, then this configuration will have no effect and secondary accounting will not happen.

The AAA secondary server group configuration takes effect only when used with APN accounting-mode set to radius-diameter (or) with mediation-acct enabled. The RADIUS accounting triggers for both standard RADIUS accounting and secondary accounting will be taken from the AAA group configured with the aaa group aaa_group_name command. Changing this configuration on the fly is not supported. Any change to the configuration takes effect only for new calls.


Example:
The following command applies the AAA server group star1 to an APN within the specific context:
aaa group star1

access-link

Configures IP fragmentation processing over the Access-link (PPP, GTP etc.).

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
access-link ip-fragmentation { normal | df-ignore | df-fragment-and-icmp-notify }
default access-link ip-fragmentation
normal

Default: Enabled

Drops the packet and sends an ICMP unreachable message to the source of packet. This is the default behavior.

df-ignore

Default: Disabled

Ignores the DF (Don’t Fragment) bit setting; fragments and forwards the packet over the access link.

df-fragment-and-icmp-notify

Default: Disabled

Partially ignores the DF bit; fragments and forwards the packet, but also returns an ICMP error message to the source of the packet. The number of ICMP errors sent like this is rate-limited to one ICMP error packet per second per session.


Usage:

If the IP packet to be forwarded is larger than the access-link MTU and if the DF (Don't Fragment) bit is set for the packet, then the fragmentation behavior configured by this command is applied. Use this command to fragment packets even if they are larger than the access-link MTU.

Fragmentation may also occur for other reasons, regardless of whether or not fragmentation is performed because of one of the above reasons.

Payloads are encapsulated within IP/UDP/GTP before being sent to the SGSN. If that encapsulation causes the packet to exceed 1500 bytes, the inner IP payload is fragmented (even if it's not considered too-large by the above tests) into two payloads (if the DF bit is not set). If the DF bit is set (and access-link ip-fragmentation normal is configured), the system performs IP fragmentation of the entire packet (i.e., IP fragmentation in the outer IP header) rather than fragmenting the inner IP payload. Either way, the result is two packets, but in one case the MS would have to perform IP reassembly while in the other case the SGSN would have to perform reassembly.


Example:
Set fragmentation so that the DF bit is ignored and the packet is forwarded anyway by entering the following command:
access-link ip-fragmentation df-ignore

accounting-mode

Configures the protocol to be used for PDP context accounting by this APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
accounting-mode { gtpp | none | radius-diameter [ no-interims ] [ no-early-pdus ] }
default accounting-mode
default

Restores the command to its default setting.

gtpp

Configures the APN to use GPRS Tunneling Protocol Prime for accounting purposes. If used, accounting will begin as soon as the PDP context is established. This is the default setting. Default: Enabled

IMPORTANT:

The system’s GTPP parameters must be configured prior to using this protocol for accounting. Refer to the gtpp commands in the Context Configuration Mode Commands chapter.

none

Disables accounting for PDP contexts using this APN.

When accounting mode is set to none, it indicates to the GTP stack at session manager to not generate the regular GTPP accounting triggers. Default: Disabled.

radius-diameter

Configures the APN to use RADIUS/Diameter protocol for accounting purposes. Default: Disabled

IMPORTANT:

The system’s RADIUS/Diameter accounting parameters must be configured prior to using either of the protocols for accounting. Refer to the radius/diameter commands in the Context Configuration Mode Commands and the AAA Server Group Configuration Mode Commands chapters.

no-early-pdus

Configures the GGSN to discard user traffic once the buffer is full until the RADIUS server has returned a response to the GGSN's accounting START request per 3GPP standards.

Configures the GGSN to delay PDUs from/to MS until the RADIUS server returns a response to the GGSN's accounting START request as per 3GPP standards. The GGSN buffers up to two PDUs per call. Additional PDUs disable the queuing. On receiving the Accounting response message, the GGSN forwards all the subsequent PDUs for that call.

IMPORTANT:

For StarOS 10.0 and earlier releases, the system buffers up to four PDUs and queues or discards the remaining PDUs.

IMPORTANT:

For StarOS 11.0 and later releases, the system is configured so that none of the PDUs are discarded.

no-interims

Disables the generation of RADIUS interims per APN.

When configured, RADIUS interim updates for this APN will not be sent, regardless of what is configured in the context that is used for RADIUS accounting.

IMPORTANT:

Different CLI commands are used to disable RADIUS interims for RADIUS accounting and mediation accounting. To disable RADIUS interims for RADIUS accounting, use the following command: accounting-mode radius-diameter no-interims. To disable RADIUS interims for mediation accounting, use the following command: mediation-device context-name context_name no-interims.


Usage:

This command specifies which protocol, if any, will be used to provide accounting for PDP contexts accessing the APN profile.

When the GTPP protocol is used, accounting messages are sent to the charging gateways (CGs) over the Ga interface. The Ga interface and GTPP functionality are typically configured within the system’s source context. As specified by the standards, a CDR is not generated when a session starts - CDRs are generated according to the interim triggers (configured using the cc command in the GGSN service configuration mode) and a CDR is generated when the session ends. For interim accounting, STOP/START pairs are sent based on configured triggers.

GTPP version 2 is always used. However, if version 2 is not supported by the CGF, the system reverts to using GTPP version 1. All subsequent CDRs are always fully-qualified partial CDRs. All CDR fields are R4.

If the radius-diameter option is used, either the RADIUS or the Diameter protocol is used as configured in the Context Configuration mode or the AAA Server Group Configuration mode.

If the RADIUS protocol is used, accounting messages can be sent over a AAA interface or the Gi to the RADIUS server. The AAA or Gi interface(s) and RADIUS functionality are typically configured with the system’s destination context along with the APN. RADIUS accounting begins immediately after an IP address is allocated for the MS. Interim accounting can be configured using the radius accounting interim interval. The radius accounting interim interval command sends INTERIM-UPDATE messages at specific intervals.

Keywords to this command can be used in combination with each other, depending on configuration requirements.

IMPORTANT:

If the accounting type in the APN is set to ‘none’ then G-CDRs will not be generated. If accounting type is left as default “GTPP” and “billing-records” are configured in the ACS Rulebase Configuration Mode, then both G-CDRs and eG-CDRs would be generated.


Example:
The following command configures the APN to use the RADIUS/Diameter protocol for accounting:
accounting-mode radius-diameter
accounting-mode radius-diameter no-interims no-early-pdus
accounting-mode radius-diameter no-early-pdus no-interims

active-charging bandwidth-policy

Configures the bandwidth policy to be used for subscribers who use this APN.

Platform:

ASR 5000

Product:

ACS, GGSN


Privilege:

Security Administrator, Administrator


Syntax
active-charging bandwidth-policy bandwidth_policy_name
{ default | no } active-charging bandwidth-policy
default

Configures the default setting.

Default: The default bandwidth policy configured in the rulebase is used for subscribers who use this APN.

no

Disables bandwidth control for the APN.

bandwidth-policy bandwidth_policy_name

Specifies the bandwidth policy name. bandwidth_policy_name must be an alphanumeric string from 1 through 63 characters.


Usage:

Use this command to configure bandwidth policy to be used for subscribers who use this APN.


Example:
The following command configures a bandwidth policy named standard for the APN:
active-charging bandwidth-policy standard

active-charging link-monitor tcp

Enables the TCP link monitoring feature on the Mobile Video Gateway. This command can be configured in either APN Configuration Mode or Subscriber Configuration Mode.

Platform:

ASR 5000

Product:

MVG


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] active-charging link-monitor tcp [ log [ rtt [ histogram | time-series ] [ bitrate [ histogram | time-series ] ] | bitrate [ histogram | time-series ] [ rtt [ histogram | time-series ] ] ] ] [ -noconfirm ]
default

Sets TCP link monitoring to its default value, which is the same as no.

no

Deletes the TCP link monitoring settings and disables TCP link monitoring if previously configured.

link-monitor tcp

Enables the TCP link monitoring feature on the Mobile Video Gateway. Note that TCP link monitoring is not enabled by default. Also note that when this command is configured without the log option, TCP link monitoring is enabled without logging, and the output from TCP link monitoring is only used by the dynamic translating feature.

log [ rtt [ histogram | time-series ] [ bitrate [ histogram | time-series ] ] | bitrate [ histogram | time-series ] [ rtt [ histogram | time-series ] ] ]

This option enables statistical logging for TCP link monitoring.

The rtt option can be used to enable either histogram or time-series logging for RTT.

Similarly, the bitrate option can be used to enable either histogram or time-series logging for bit rate.

When rtt and bitrate options are used without additional options, histogram and time-series logging are enabled for RTT and/or bit rate respectively.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to enable TCP link monitoring on the Mobile Video Gateway.


Examples:
The following command enables TCP link monitoring with statistical logging, with histogram and time-series logging enabled for both RTT and bit rate:
active-charging link-monitor tcp log
The following command enables TCP link monitoring with statistical logging, with histogram and time-series logging enabled for RTT:
active-charging link-monitor tcp log rtt
The following command enables TCP link monitoring with statistical logging, with histogram logging enabled for RTT:
active-charging link-monitor tcp log rtt histogram
The following command enables TCP link monitoring with statistical logging, with histogram logging enabled for RTT and time-series logging enabled for bit rate:
active-charging link-monitor tcp log rtt histogram bitrate time-series

active-charging rulebase

Specifies the name of the Active Charging Service (ACS) rulebase to be used for subscribers who use this APN.

Platform:

ASR 5000

Product:

ACS, GGSN, MVG, P-GW


Privilege:

Security Administrator, Administrator


Syntax
active-charging rulebase rulebase_name
no active-charging rulebase
no

Removes the rulebase previously configured for this APN.

rulebase_name

Specifies the name of the ACS rulebase as an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify the ACS rulebase to be used for subscribers who use the APN.


Example:
The following command specifies the ACS rulebase named rule1 for the APN:
active-charging rulebase rule1

apn-ambr

Configures the Aggregated Maximum Bit Rate (AMBR) for all PDNs using this APN.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Administrator


Syntax
apn-ambr rate-limit direction { downlink | uplink } [ burst-size { auto-readjust duration seconds | bytes } | violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit } ]
[ default | no ] apn-ambr rate-limit direction { downlink | uplink }
default

Returns the selected command to its default setting of no APN-AMBR.

no

Disables the selected command.

rate-limit direction { downlink | uplink }

Specifies that the rate limit is to be applied to either the downlink (network to subscriber) traffic or the uplink (subscriber to network) traffic.

downlink: Applies the AMBR parameters to the downlink direction.

uplink: Applies the AMBR parameters to the uplink direction.

burst-size { auto-readjust duration seconds | bytes}

This parameter is used by policing and shaping algorithms to permit short bursts of traffic in order to not exceed the allowed data rates. It is the maximum size of the token bucket.

auto-readjust duration seconds: The duration (in seconds) used in this burst size calculation: burst size = peak data rate/8 * auto-readjust duration

seconds must be an integer value from 1 to 30. Default is 1 second.

bytes: Specifies the burst size in bytes allowed by this APN for the associated PDNs. It must be an integer from 1 to 4294967295 (1 byte to 4 GB).

violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit }

The action that the P-GW will take when the data rate of the bearer context exceeds the AMBR.

drop: Drops violating packets.

lower-ip-precedence: Sets the DSCP value to zero (“best effort”) for violating packets.

shape [ transmit-when-buffer-full ]: Places all violating packets into a buffer and, optionally, transmits the packets when the buffer is full.

IMPORTANT:

The shape keyword and optional transmit-when-buffer-full are only available in StarOS v12.0 and earlier releases. P-GW does not currently support traffic shaping for APN-AMBR.

transmit: Transmits violating packets. This is the default setting.


Usage:

Use this command to enforce the AMBR for the APN on bearers that do not have a Guaranteed Bit Rate (GBR).


Example:
The following command sets the downlink burst rate to use an auto-readjust duration of 2 seconds and lowers the IP precedence of violating packets:
apn-ambr rate-limit direction downlink burst-size auto-readjust duration 2 violate-action lower-ip-precedence

associate accounting-policy

Associates the APN with specific pre-configured policies configured in the same context.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Administrator


Syntax
[ no ] associate accounting-policy name
no

Removes the selected association from this APN.

name

Associates the P-GW APN with an accounting policy configured in the same context. name must be an existing accounting policy expressed as a string of 1 through 63 characters.

Accounting policies are configured through the policy accounting command in the Context Configuration mode.


Usage:

Use this command to associate the P-GW APN with an accounting policy configured in this context.


Example:
The following command associates this P-GW APN with an accounting policy called acct1:
associate accounting-policy acct1

authentication

Configures the APN’s authentication parameters.

Platform:

ASR 5000

Product:

GGSN, P-GW, PDG


Privilege:

Security Administrator, Administrator


Syntax
authentication [ [ msid-auth | imsi-auth [ password-use-pco | username-strip-apn | prefer-chap-pco ] | msisdn-auth [ password-use-pco | username-strip-apn | prefer-chap-pco ] | eap initial-access-request [ authenticate-authorize | authenticate-only ] | [ allow-noauth ] [ chap preference ] [ mschap preference ] [ pap preference ] ]
default authentication
default

Sets the default authentication type for this APN. By default allow-noauth is the type for authentication for an APN.

msid-auth

Obsolete. Use imsi-auth.

imsi-auth

Default: Disabled.

Configures the APN to attempt to authenticate the subscriber based on their International Mobile Subscriber Identification (IMSI) number.

msisdn-auth

Default: Disabled.

Configures the APN to attempt to authenticate the subscriber based on their Mobile Station International Integrated Services Digital Network (MSISDN) number as described in the Usage section of this command.

username-strip-apn

Default: Disabled.

This keyword, if enabled with either msisdn-auth or imsi-auth, strips the APN name from the user name msisdn@apn or imsi@apn received from AAA, so that the user name becomes msisdn or imsi respectively.

password-use-pco

Default: Disabled.

This keyword, if enabled, uses the password received through Protocol Configuration Options (PCO) from AAA for authentication.

prefer-chap-pco

Default: Disabled.

If this keyword is enabled along with msisdn-auth/imsi-auth, the GGSN performs Challenge Handshake Authentication Protocol (CHAP) authentication if CHAP parameters are received in Protocol Configuration Options (PCO). However, the CHAP username is constructed as msisdn@apn / imsi@apn, and the CHAP challenge and CHAP response parameters are used as received in the PCO IE. If CHAP parameters are not received in the PCO IE of the CPC Request, the GGSN performs normal Password Authentication Protocol (PAP) authentication with the PAP username msisdn@apn / imsi@apn (ignoring any PAP username received).

eap initial-access-request

Default: Enabled

Configures the type of initial access request to be used in Diameter EAP (Extensible Authentication Protocol) request. This feature is applicable to only Diameter-based AAA interface and not applicable to RADIUS or any other type of AAA interface.

authenticate-authorize

Default: Enabled

Configures the “authenticate and authorize” type of initial access request to be used in a Diameter EAP request.

authenticate-only

Default: Disabled

Configures the “authenticate only” type of initial access request to be used in a Diameter EAP request.

allow-noauth

Default: Enabled

Configures the APN to not perform authentication for PDP contexts as described in the Usage section.

chap preference

Default: Disabled

Configures the APN to attempt to use CHAP to authenticate the subscriber as described in the Usage section of this command.

A preference must be specified in conjunction with this option. Priorities specify which authentication protocol should be attempted first, second, third and so on. It must be an integer from 1 through 1000. The lower the integer, the higher the preference.

mschap preference

Default: Disabled

Configures the APN to attempt to use the Microsoft Challenge Handshake Authentication Protocol (MSCHAP) to authenticate the subscriber as described in the Usage section of this command.

A preference can be specified in conjunction with this option. Priorities specify which authentication protocol should be attempted first, second, third and so on. It must be an integer from 1 through 1000. The lower the integer, the higher the preference.

pap preference

Default: Disabled

Configures the APN to attempt to use PAP to authenticate the subscriber as described in the Usage section of this command.

A preference must be specified in conjunction with this option. Priorities specify which authentication protocol should be attempted first, second, third and so on. It must be an integer from 1 through 1000. The lower the integer, the higher the preference.


Usage:

Use this command to specify how the APN profile should handle PDP context authentication and what protocols to use (if any). The ability to configure this option is provided to accommodate the fact that not every MS will implement the same authentication protocols.

The authentication process varies depending on whether the PDP context is of type IP or PPP. The table in this section describes these differences.

For IP PDP contexts, the authentication protocol and values will be passed from the SGSN as Protocol Configuration Options (PCOs) within the create PDP context PDU to the GGSN. The GGSN requires that the authentication protocol is specified by this command (with no regard to priority) and will use this information to authenticate the subscriber.


Table 1. Authentication Process Variances Between PDP Context Type

Each authentication mechanism is listed with its IP PDP context behavior and its PPP PDP context behavior.

allow-noauth
  • IP PDP context: Allows the session even if the PCOs do not match any of the configured algorithms. If there was no match and the aaa constructed-nai authentication parameter is enabled in the authentication context, the system attempts to determine a subscriber profile (via PAP with no password) using the subscriber’s MSISDN as the username.
  • PPP PDP context: Allows the session with no authentication algorithm selected. If the aaa constructed-nai authentication parameter is enabled in the authentication context, the system attempts to determine a subscriber profile (via PAP with no password) using the subscriber’s MSISDN as the username.

chap
  • IP PDP context: If also specified in the PCOs, this protocol will be used to authenticate the subscriber.
  • PPP PDP context: Attempts this protocol according to its configured priority. If accepted by the remote end of the PPP connection, this protocol will be used to provide authentication.

mschap
  • IP PDP context: If also specified in the PCOs, this protocol will be used to authenticate the subscriber.
  • PPP PDP context: Attempts this protocol according to its configured priority. If accepted by the remote end of the PPP connection, this protocol will be used to provide authentication.

pap
  • IP PDP context: If also specified in the PCOs, this protocol will be used to authenticate the subscriber. If this protocol is specified and the allow-noauth parameter is disabled, the system will attempt to use the APN’s default username/password specified by the outbound command for authentication via PAP.
  • PPP PDP context: Attempts this protocol according to its configured priority. If accepted by the remote end of the PPP connection, this protocol will be used to provide authentication.

msid-auth
  • IP PDP context: Obsolete. Use imsi-auth.
  • PPP PDP context: Obsolete. Use imsi-auth.

imsi-auth
  • IP PDP context: Values in the PCOs are ignored. The subscriber’s IMSI is used as the username for PAP authentication. No password is used.
  • PPP PDP context: The subscriber’s IMSI is used as the username for PAP authentication. No password is used.

msisdn-auth
  • IP PDP context: Values in the PCOs are ignored. The subscriber’s MSISDN is used as the username for PAP authentication. No password is used.
  • PPP PDP context: Option not available.




Example:
The following command would configure the system to attempt subscriber authentication first using MSCHAP, then CHAP, and finally PAP. Since the allow-noauth command was also issued, if all attempts to authenticate the subscriber using these protocols fail, then the subscriber would still be allowed access.
authentication mschap 1 chap 2 pap 3 allow-noauth
To enable imsi-auth or msisdn-auth, the following command instances must be issued:
authentication imsi-auth
authentication msisdn-auth
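
The aaa, accounting-mode and authentication rules above can be checked mechanically against a saved configuration. The following Python audit is an added example, not code from this reference or from the vendor. The `apn <name> ... exit` stanza layout, the finding codes, the reading of an explicit authentication command without allow-noauth as disabling it, and the treatment of any mediation-device line as mediation accounting being enabled are assumptions.

```python
"""Audit APN stanzas against the aaa, accounting-mode and authentication rules above."""

# Constructed sample. The "apn <name> ... exit" stanza layout is an assumption.
SAMPLE_CONFIG = """\
context dest1
  apn open.example
    aaa group star1
  exit
  apn imsi.example
    aaa group star1
    aaa secondary-group star1
    accounting-mode radius-diameter no-interims
    authentication imsi-auth
  exit
  apn corp.example
    aaa group star1
    aaa secondary-group star2
    accounting-mode none
    authentication chap 1 pap 2
  exit
exit
"""

# Finding codes are hypothetical labels; the explanations restate this page.
FINDINGS = {
    "AUTH_DEFAULT_NOAUTH": "no authentication command: allow-noauth is the default",
    "AUTH_ALLOW_NOAUTH": "allow-noauth set: access is allowed even if all protocols fail",
    "AUTH_NO_PASSWORD": "imsi-auth/msisdn-auth: identity is the PAP username, no password",
    "AAA_SECONDARY_SAME_AS_PRIMARY": "same group in both commands: no secondary accounting",
    "AAA_SECONDARY_INACTIVE": "secondary-group needs radius-diameter or mediation accounting",
    "ACCT_DISABLED": "accounting-mode none: no accounting, no G-CDRs",
}


def parse_apns(text):
    """Return {apn_name: [command lines]} for every 'apn <name>' stanza."""
    apns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("apn "):
            current = apns.setdefault(line.split(None, 1)[1], [])
        elif line == "exit":
            current = None          # leaves the APN (or the enclosing context)
        elif current is not None:
            current.append(line)
    return apns


def audit_apn(commands):
    """Return the list of finding codes for one APN's command lines."""
    auth_tokens, explicit_auth = set(), False
    group = secondary = None
    acct_mode = "gtpp"              # page: gtpp is the default accounting mode
    mediation = False
    for cmd in commands:
        words = cmd.split()
        if not words:
            continue
        if words[0] == "authentication":
            explicit_auth = True    # several authentication lines are merged
            auth_tokens.update(words[1:])
        elif words[:2] == ["default", "authentication"]:
            explicit_auth, auth_tokens = False, set()
        elif words[:2] == ["aaa", "group"] and len(words) == 3:
            group = words[2]
        elif words[:2] == ["aaa", "secondary-group"] and len(words) == 3:
            secondary = words[2]
        elif words[0] == "accounting-mode" and len(words) > 1:
            acct_mode = words[1]
        elif words[0] == "mediation-device":
            mediation = True        # assumption: line present = mediation accounting on

    findings = []
    if not explicit_auth:
        findings.append("AUTH_DEFAULT_NOAUTH")
    elif "allow-noauth" in auth_tokens:
        findings.append("AUTH_ALLOW_NOAUTH")
    if auth_tokens & {"imsi-auth", "msisdn-auth"} and "password-use-pco" not in auth_tokens:
        findings.append("AUTH_NO_PASSWORD")
    if secondary is not None:
        if secondary == group:
            findings.append("AAA_SECONDARY_SAME_AS_PRIMARY")
        elif acct_mode != "radius-diameter" and not mediation:
            findings.append("AAA_SECONDARY_INACTIVE")
    if acct_mode == "none":
        findings.append("ACCT_DISABLED")
    return findings


def audit_config(text):
    """Audit every APN stanza found in a configuration text."""
    return {name: audit_apn(cmds) for name, cmds in parse_apns(text).items()}


if __name__ == "__main__":
    for apn, codes in audit_config(SAMPLE_CONFIG).items():
        for code in codes:
            print(f"{apn}: {code}: {FINDINGS[code]}")
```
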
bearer-control-mode

Enables or disables the bearer control mode for network controlled QoS (NCQoS) through this APN. It also controls the sending of an IE in GTP messages.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
bearer-control-mode [ mixed | ms-only | none [ prefer-local-value ] ]
default bearer-control-mode
default

Sets the bearer control mode to default mode of “none”.

mixed

Default: Disabled.

This keyword indicates that the bearer will be controlled by User Equipment (UE) and network side (from GGSN) as well.

To enable network controlled QoS this option must be enabled.

ms-only

Default: Disabled.

This keyword indicates that the bearer will be controlled by the UE side.

none

Default: Enabled.

This keyword indicates that the system will not send any BCM mode information, BCM IE and BCM information in the protocol configuration option (PCO) IE within GTPC messages sent by the GGSN. This option is useful in networks where AGWs or firewalls do not support unknown optional IEs in GTP messages.

prefer-local-value

Default: Disabled.

This keyword indicates that the APN configured with “none” option for bearer control mode will not be overridden by any other interface (e.g. Gx interface towards PCRF). As a result it is ensured that BCM IE is never sent in GTP message.

IMPORTANT:

When bearer control mode is set to “none” with the keyword “prefer-local-value”, even PCRF-provided values will not override the APN configuration, and therefore sending of the BCM mode IE and BCM in the PCO IE in the CPC Response is suppressed.


Usage:

Use this command to enable QoS through bearer control. This can be done either from the MS side or from both the GGSN and MS. To enable network-requested QoS, the user needs to enable “Mixed” mode for bearer control.

With this keyword the operator can control sending of BCM information in GTPC messages from the GGSN.

With MS-Only or Mixed options in this mode, the system sends the BCM information element in every Create PDP Context Response and Unknown PDP Context Request and Response message.

In some networks, AGWs or firewalls drop or reject GTPC messages that contain an unknown optional IE. To resolve this, the operator can use the “none” option to control sending of the BCM IE and BCM information in the PCO IE within GTPC messages from the GGSN.


Example:
The following command enables the bearer control from network and MS side for NCQoS.
bearer-control-mode mixed

cc-home

Configures the home subscriber charging characteristics (CC) used by the GGSN when those from the SGSN will not be accepted.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
cc-home { behavior bits | profile index }
default cc-home
default
Restores the cc-home parameter to its default setting of the following:
  • behavior bits: 0x00
  • profile index: 8
behavior bits

Specifies the behavior bit for the home subscriber charging characteristic. bits can be configured to any unique bit from 001H to FFFH (0001 to 1111 1111 1111 bin) where the least-significant bit corresponds to B1 and the most-significant bit corresponds to B12.

profile index

Specifies the profile index for the home subscriber charging characteristic. index can be configured to any integer value between 0 and 15. Default: 8

IMPORTANT:

3GPP standards suggest that profile index values of 1, 2, 4, and 8 be used for hot billing, flat rate billing, prepaid billing and normal billing, respectively. A single charging characteristics profile can contain multiple behavior settings.


Usage:

When the GGSN is configured to reject the charging characteristics sent by the SGSN for “home” subscribers, it uses the profile index specified by this command to determine the appropriate CCs to use.

Multiple behavior bits can be configured for a single profile index by ORing the bit strings together and converting the result to hexadecimal.

The properties of the actual CC profile index are configured as part of the GGSN service using the cc profile command. Refer to the GGSN Service Configuration Mode chapter of this reference for additional information on this command.


Example:
The following command configures a behavior bit of 2 (0000 0000 0010) and a profile index of 10 for home subscribers charging characteristics:
cc-home behavior 2 profile 10
The following command configures the behavior bits 3 (0000 0000 0100) and 5 (0000 0001 0000 bin) and a profile index of 14 for home subscriber charging characteristics:
cc-home behavior 14 profile 14

cc-roaming

Configures the roaming subscriber charging characteristics (CC) used by the GGSN when those from the SGSN will not be accepted.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
cc-roaming { behavior bits | profile index }
default cc-roaming
default
Restores the cc-roaming parameter to its default setting of the following:
  • behavior bits: 0x00
  • profile index: 8
behavior bits

Specifies the behavior bit for the roaming subscriber charging characteristic. bits can be configured to any unique bit from 001H to FFFH (0001 to 1111 1111 1111 bin) where the least-significant bit corresponds to B1 and the most-significant bit corresponds to B12.

profile index

Specifies the profile index for the roaming subscriber charging characteristic. index can be configured to any integer value between 0 and 15. Default: 8

IMPORTANT:

3GPP standards suggest that profile index values of 1, 2, 4, and 8 be used for hot billing, flat rate billing, prepaid billing and normal billing, respectively. A single charging characteristics profile can contain multiple behavior settings.


Usage:

When the GGSN is configured to reject the charging characteristics sent by the SGSN for “roaming” subscribers, it uses the profile index specified by this command to determine the appropriate CCs to use.

Multiple behavior bits can be configured for a single profile index by ORing the bit strings together and converting the result to hexadecimal.

The properties of the actual CC profile index are configured as part of the GGSN service using the cc profile command. Refer to the GGSN Service Configuration Mode chapter of this reference for additional information on this command.


Example:
The following command configures a behavior bit 10 (0010 0000 0000) and a profile index of 10 for roaming subscriber charging characteristics:
cc-roaming behavior 200 profile 10
The following command configures the behavior bits 9 (0001 0000 0000) and 6 (0000 0010 0000) and a profile index of 14 for roaming subscriber charging characteristics:
cc-roaming behavior 120 profile 14
cc-sgsn

Specifies the GGSN’s source for charging characteristics (CC) - those configured locally or those received from the SGSN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
cc-sgsn { home-subscriber-use-GGSN | radius-returned | roaming-subscriber-use-GGSN | visiting-subscriber-use-GGSN } +
cc-sgsn { use-GGSN behavior bits profile index [ 0...15 ] [ radius-returned ] }
default cc-sgsn
no cc-sgsn { { radius-returned | home-subscriber-use-GGSN | roaming-subscriber-use-GGSN | visiting-subscriber-use-GGSN } + | [ use-GGSN ] [ radius-returned ] }
default cc-sgsn
Restores the cc-sgsn parameter to its default setting of the following:
  • home-subscriber-use-GGSN: Disabled
  • roaming-subscriber-use-GGSN: Disabled
  • visiting-subscriber-use-GGSN: Disabled
no cc-sgsn
Causes the GGSN to accept CCs from the SGSN(s) when the no cc-sgsn command is entered with all applicable keywords. Otherwise, no cc-sgsn can be used to turn off one or more of the GGSN sources of CC:
  • home-subscriber-use-GGSN
  • roaming-subscriber-use-GGSN
  • visiting-subscriber-use-GGSN

Before entering no cc-sgsn, it is helpful to determine which CC sources have been configured. This can be done with either show configuration or show apn name in Exec Mode.

home-subscriber-use-GGSN

Configures the GGSN to use the locally defined charging characteristics for home subscribers, as configured with the APN Configuration Mode cc-home command.

radius-returned

Configures the GGSN to accept charging characteristics returned from the RADIUS server for all subscribers for the APN.

roaming-subscriber-use-GGSN

Configures the GGSN to use the locally defined charging characteristics for roaming subscribers, as configured with the APN Configuration Mode cc-roaming command.

visiting-subscriber-use-GGSN

Configures the GGSN to use the locally defined charging characteristics for visiting subscribers, as configured with the APN Configuration Mode cc-visiting command.

use-GGSN [ behavior bits ] profile index [ 0...15 ]

Configures the GGSN to accept charging characteristics for all subscribers in the APN.

bits specifies the behavior bit for the charging characteristic. This variable can be configured to any unique bit from 001H to FFFH (0001 to 1111 1111 1111 bin) where the least-significant bit corresponds to B1 and the most-significant bit corresponds to B12.

index indicates which profile, defined with cc profile in GGSN Service Configuration mode, the GGSN will use as a source for CCs. The index can be configured to an integer from 0 to 15.

The use-GGSN keyword can be entered alone or in conjunction with the radius-returned keyword. When entered, this keyword overrides the previous configuration using any of the home, roaming, and/or visiting keywords.

+

More than one of the above keywords can be entered within a single command.


Usage:

This command specifies whether or not CCs received from the SGSN will be accepted. If they are not accepted, the GGSN will use those that have been configured locally.

The GGSN’s behavior can be configured for the following subscriber types:
  • Home: Subscribers belonging to the same Public Land Mobile Network (PLMN) as the one on which the GGSN is located.
  • Roaming: Subscribers that are serviced by an SGSN belonging to a different PLMN than the one on which the GGSN is located.
  • Visiting: Subscribers belonging to a different PLMN than the one on which the GGSN is located.
  • Any subscriber in the APN.

Example:
The following command instructs the GGSN to accept CCs for any subscriber in the APN based on local profile configurations of CCs.
cc-sgsn use-GGSN profile x
Assuming the CC source as defined with the previous command, the following command instructs the GGSN to accept CCs supplied by the SGSN(s) and disables the acceptance of CCs supplied by the GGSN for any subscriber within the APN:
no cc-sgsn use-GGSN
The following command instructs the GGSN to accept CCs for any subscriber in the APN based on CC information returned from the RADIUS server. This command can be issued after the previous command to expand the possible sources.
cc-sgsn radius-returned
The following command disables the acceptance of CCs supplied by the GGSN for visiting and roaming subscribers:
no cc-sgsn roaming-subscriber-use-GGSN visiting-subscriber-use-GGSN
cc-visiting

Configures the visiting subscriber charging characteristics (CC) used by the GGSN when those from the SGSN will not be accepted.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
cc-visiting behavior bits profile index
default cc-visiting
default
Restores the cc-visiting parameter to its default setting of the following:
  • behavior bits: 0x00
  • profile index: 8
behavior bits

Specifies the behavior bit for the visiting subscriber charging characteristic. bits can be configured to any unique bit from 001H to FFFH (0001 to 1111 1111 1111 bin) where the least-significant bit corresponds to B1 and the most-significant bit corresponds to B12.

profile index

Specifies the profile index for the visiting subscriber charging characteristic. index can be configured to any integer value between 0 and 15. Default: 8

IMPORTANT:

3GPP standards suggest that profile index values of 1, 2, 4, and 8 be used for hot billing, flat rate billing, prepaid billing and normal billing, respectively. A single charging characteristics profile can contain multiple behavior settings.


Usage:

When the GGSN is configured to reject the charging characteristics sent by the SGSN for “visiting” subscribers, it uses the profile index specified by this command to determine the appropriate CCs to use.

Multiple behavior bits can be configured for a single profile index by ORing the bit strings together and converting the result to hexadecimal.

The properties of the actual CC profile index are configured as part of the GGSN service using the cc profile command. Refer to the GGSN Service Configuration Mode chapter of this reference for additional information on this command.


Example:
The following command configures a behavior bit 7 (0000 0100 0000) and a profile index of 10 for visiting subscriber charging characteristics:
cc-visiting behavior 40 profile 10
The following command configures the behavior bits 1 (0000 0000 0001) and 12 (1000 0000 0000) and a profile index of 14 for visiting subscriber charging characteristics:
cc-visiting behavior 801 profile 14
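
The bit arithmetic behind the cc-roaming and cc-visiting examples above, as an added Python example (not part of the original reference or of StarOS): it ORs behavior bits B1 through B12 into the hexadecimal value the CLI takes, decodes a value back into bit numbers, and checks a command line against the documented ranges. The function names are hypothetical; cc-home is accepted on the strength of its example line only, and defaults are modelled only for the two commands whose defaults this section documents.

```python
import re

# Billing types the page says 3GPP suggests for these profile index values.
SUGGESTED_PROFILES = {1: "hot billing", 2: "flat rate billing",
                      4: "prepaid billing", 8: "normal billing"}
CC_COMMANDS = ("cc-home", "cc-roaming", "cc-visiting")
# Default profile index; this section documents it for these two commands only.
DEFAULT_INDEX = {"cc-roaming": 8, "cc-visiting": 8}


def bits_to_hex(bit_numbers):
    """OR behavior bits B1..B12 together and return the hex string for the CLI."""
    mask = 0
    for bit in bit_numbers:
        if not 1 <= bit <= 12:
            raise ValueError(f"behavior bit B{bit} is outside B1..B12")
        mask |= 1 << (bit - 1)  # B1 is the least-significant bit
    if mask == 0:
        raise ValueError("at least one behavior bit is required")
    return format(mask, "X")


def hex_to_bits(value):
    """Decode a behavior value (001H..FFFH) into the list of bits it sets."""
    if not re.fullmatch(r"[0-9A-Fa-f]{1,3}", value):
        raise ValueError(f"behavior value {value!r} is not 1 to 3 hex digits")
    mask = int(value, 16)
    if mask == 0:
        raise ValueError("behavior value must be in 001H..FFFH")
    return [bit for bit in range(1, 13) if mask & (1 << (bit - 1))]


def parse_cc_command(line):
    """Validate one cc-home / cc-roaming / cc-visiting line and decode it."""
    tokens = line.split()
    if len(tokens) == 2 and tokens[0] == "default":
        if tokens[1] not in DEFAULT_INDEX:
            raise ValueError(f"no documented default for {tokens[1]!r}")
        index = DEFAULT_INDEX[tokens[1]]
        # Documented default: behavior bits 0x00 (none set), profile index 8.
        return {"command": tokens[1], "bits": [], "index": index,
                "billing": SUGGESTED_PROFILES.get(index)}
    if not tokens or tokens[0] not in CC_COMMANDS:
        raise ValueError(f"not a charging characteristics command: {line!r}")
    args = tokens[1:]
    if not args or len(args) % 2:
        raise ValueError(f"expected 'behavior bits' and/or 'profile index': {line!r}")
    # None means the line did not set that field.
    result = {"command": tokens[0], "bits": None, "index": None, "billing": None}
    for keyword, value in zip(args[0::2], args[1::2]):
        if keyword == "behavior":
            result["bits"] = hex_to_bits(value)
        elif keyword == "profile":
            if not re.fullmatch(r"[0-9]{1,2}", value) or int(value) > 15:
                raise ValueError(f"profile index {value!r} is outside 0..15")
            result["index"] = int(value)
            result["billing"] = SUGGESTED_PROFILES.get(int(value))
        else:
            raise ValueError(f"unknown keyword {keyword!r}")
    return result


if __name__ == "__main__":
    # Example lines taken from this section. "behavior 14" is hexadecimal 14H
    # (B3 and B5), not decimal 14, which would be EH (B2, B3 and B4).
    for sample in ("cc-home behavior 14 profile 14",
                   "cc-roaming behavior 120 profile 14",
                   "cc-visiting behavior 801 profile 14",
                   "default cc-roaming"):
        print(sample, "->", parse_cc_command(sample))
```
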
content-filtering category

Enables or disables the specified pre-configured Category Policy Identifier for Category-based Content Filtering support.

Platform:

ASR 5000

Product:

CF


Privilege:

Security Administrator, Administrator


Syntax
content-filtering category policy-id cf_policy_id
no content-filtering category policy-id
no

Disables the previously configured category policy identifier for Content Filtering support to the APN. This is the default setting.

policy-id cf_policy_id

Applies the specified content filtering category policy ID, configured in the ACS Configuration Mode, to this APN.

cf_policy_id must be a category policy ID entered as an integer from 1 through 4294967295.

If the specified category policy ID is not configured in the ACS Configuration Mode, all packets will be passed regardless of the categories determined for such packets.

IMPORTANT:

The Category Policy ID configured through this mode overrides the Category Policy ID configured through the content-filtering category policy-id command in the ACS Rulebase Configuration Mode.


Usage:

Use this command to enter the Content Filtering Policy Configuration Mode and to enable or disable the Content Filtering Category Policy ID for an APN.

IMPORTANT:

If the Content Filtering Category Policy ID is not specified here, the similar command in the ACS Rulebase Configuration Mode determines the policy.

Up to 64 different policy IDs can be defined.


Example:
The following command enters the Content Filtering Policy Configuration Mode and enables the Category Policy ID 101 for Content Filtering support:
content-filtering category policy-id 101
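
Because a policy ID that is not configured in the ACS Configuration Mode lets all packets pass, a dangling reference is worth catching before deployment. The following is an added Python example, not part of the original reference or of StarOS: it scans the lines of one APN block for the command documented above and compares the result with an inventory of configured policy IDs. The function name, the caller-supplied inventory, and the rule that the last matching line wins are assumptions; the sample lines are constructed.

```python
import re

POLICY_RE = re.compile(r"^content-filtering\s+category\s+policy-id\s+(\S+)$")
NO_POLICY_RE = re.compile(r"^no\s+content-filtering\s+category\s+policy-id$")
MAX_POLICY_ID = 4294967295  # documented range is 1 through 4294967295


def audit_content_filtering(apn_lines, defined_policy_ids):
    """Report which content filtering policy an APN block ends up with.

    apn_lines: configuration lines of a single APN (other commands are skipped).
    defined_policy_ids: IDs known to be configured in the ACS Configuration
    Mode; collecting that inventory is outside this example (assumption).
    """
    policy_id = None
    for raw in apn_lines:
        line = raw.strip()
        if NO_POLICY_RE.match(line):
            policy_id = None  # the no form removes the APN-level policy
            continue
        match = POLICY_RE.match(line)
        if not match:
            continue
        value = match.group(1)
        if not re.fullmatch(r"[0-9]+", value) or not 1 <= int(value) <= MAX_POLICY_ID:
            raise ValueError(f"policy-id {value!r} is outside 1..{MAX_POLICY_ID}")
        policy_id = int(value)  # assumed: a later line replaces an earlier one

    findings = []
    if policy_id is None:
        # Per the page, the ACS Rulebase Configuration Mode command decides.
        source = "rulebase"
        findings.append("info: no APN-level policy; the rulebase setting applies")
    else:
        # Per the page, the APN-level ID overrides the rulebase ID.
        source = "apn"
        if policy_id not in defined_policy_ids:
            findings.append(
                f"fail-open: policy-id {policy_id} is not configured in the "
                "ACS Configuration Mode, so all packets will be passed")
    return {"policy_id": policy_id, "source": source, "findings": findings}


if __name__ == "__main__":
    # Constructed APN block using commands from this reference.
    sample = ["credit-control-group testgroup12",
              "content-filtering category policy-id 101",
              "dns primary 192.168.100.3"]
    print(audit_content_filtering(sample, defined_policy_ids={7, 42}))
```
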
credit-control-group

Configures the credit control group to be used for subscribers who use this APN.

Platform:

ASR 5000

Product:

GGSN, ACS, P-GW


Privilege:

Security Administrator, Administrator


Syntax
credit-control-group cc_group_name
no credit-control-group
no

Removes the previously configured credit control group from the APN configuration.

cc_group_name

Specifies the name of the credit control group as an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to configure the credit control group for this APN.

Creating different credit control groups enables applying different credit control configurations (DCCA dictionary, failure-handling, session-failover, Diameter endpoint selection, etc.) to different subscribers on the same system.

Without credit control groups, only one credit control configuration is possible on a system. All the subscribers in the system will have to use the same configuration.


Example:
The following command configures a credit control group named testgroup12 for the current APN:
credit-control-group testgroup12
data-tunnel mtu

Configures the Maximum Transmission Unit (MTU) for data sent on the IPv6 tunnel between the P-GW and the mobile node.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Administrator


Syntax
data-tunnel mtu bytes
default data-tunnel mtu
default

Returns the command to the default value of 1500.

bytes

Specifies the MTU for the IPv6 tunnel between the P-GW and the mobile node. bytes must be an integer between 1280 and 2000. Default: 1500


Usage:

Use this command to set the MTU for data traffic on the IPv6 tunnel between the P-GW and the mobile node.


Example:
The following command sets the MTU for IPv6 data traffic to 1400 bytes:
data-tunnel mtu 1400
data-tunneling ignore df-bit

Controls the handling of the DF (Don't Fragment) bit present in the user IPv4/IPv6 packet for tunneling used for the Mobile IP data path.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] data-tunneling ignore df-bit
default

Restores the data-tunneling parameter to its default setting of disabled.

no

Disables this option. The DF bit in the tunneled IP packet header is not ignored during tunneling. This is the default setting.

ignore df-bit

Ignores the DF bit in the tunneled IP packet header during tunneling. This is the default setting.


Usage:

Use this command to configure a user so that during Mobile IP tunneling the DF bit is ignored and packets are fragmented.

If this feature is enabled, and fragmentation is required for the tunneled user IPv4/IPv6 packet, then the DF bit is ignored and the packet is fragmented. Also the DF bit is not copied to the outer header.

In the GGSN, this command also affects the other L3 tunneling options, IP-in-IP and GRE, but does not affect L2TP tunneling.


Example:
To enable fragmentation of a subscriber's packets over a MIP tunnel even when the DF bit is present, enter the following command:
data-tunneling ignore df-bit
dcca origin endpoint

This command is obsolete. To configure the Diameter Credit Control Origin Endpoint, in the Credit Control Configuration Mode, use the diameter origin endpoint command.

dcca peer-select

Specifies the Diameter credit control primary and secondary host for credit control.

Platform:

ASR 5000

Product:

GGSN, ACS, P-GW


Privilege:

Security Administrator, Administrator


Syntax
dcca peer-select peer host_name [ realm realm_name ] [ secondary-peer host_name ]
no dcca peer-select
no

Removes the previously configured Diameter credit control peer selection.

host_name

Specifies a unique name for the peer as an alphanumeric string of 1 through 63 characters that allows punctuation marks.

realm realm_name

Specifies the realm as an alphanumeric string of 1 through 127 characters that allows punctuation marks. The realm may typically be a company or service name.

secondary-peer host_name

Specifies a back-up host that is used for fail-over processing as an alphanumeric string of 1 through 63 characters. When the route-table does not find an AVAILABLE route, the secondary host performs fail-over processing.


Usage:

Use this command to select a Diameter credit control peer and realm.

DANGER:

This configuration completely overrides all instances of diameter peer-select that have been configured within the Credit Control Configuration Mode for an Active Charging Service.


Example:
The following command selects a Diameter credit control peer named test and a realm of companyx:
dcca peer-select peer test realm companyx
dhcp context-name

Configures the name of the context on the system in which Dynamic Host Control Protocol (DHCP) functionality is configured.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] dhcp context-name name
no

Removes a previously configured context name.

name

Specifies the name of a context configured on the system in which one or more DHCP services are configured. name is an alphanumeric string of 1 through 79 characters that is case sensitive.


Usage:

If the APN is to support dynamic address assignment via DHCP (either the proxy or relay mode), this parameter must be configured to point the APN to the name of a pre-configured context on the chassis in which one or more DHCP services are configured.

The command can be used to identify a single DHCP service instance within the specified context to use to facilitate the address assignment.


Example:
The following command configures the APN to look for DHCP services in a context called dhcp-ctx:
dhcp context-name dhcp-ctx
dhcp lease-expiration-policy

Configures the system’s handling of PDP contexts whose DHCP assigned IP lease has expired.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
dhcp lease-expiration-policy { auto-renew | disconnect }
default dhcp lease-expiration-policy
default

Restores the dhcp lease-expiration-policy parameter to its default setting of auto-renew.

auto-renew

Configures the system to automatically renew an IP address’ lease when it is about to expire for PDP contexts facilitated by the APN. Default: Enabled

disconnect

Configures the system to automatically release the PDP context when the lease for the IP address associated with that context expires. Default: Disabled


Usage:

Use this command to specify the action the system is to take when leases for IP addresses for PDP contexts that are currently facilitated by the current APN are about to expire.


Example:
The following command causes the system to release PDP contexts associated with the current APN when the lease for their DHCP-assigned IP address expires:
dhcp lease-expiration-policy disconnect
dhcp service-name

Configures the name of a specific DHCP service to use when dynamically assigning IP addresses to PDP contexts using the Dynamic Host Control Protocol.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] dhcp service-name service_name
no

Removes a previously configured DHCP service name.

service_name

Configures the name of the DHCP service instance that is to be used by the current APN for the dynamic assignment of IP addresses to PDP contexts. The name can be an alphanumeric string of 1 through 63 characters that is case sensitive.


Usage:

Use this command to specify a pre-configured DHCP service instance that is to be used by the APN for IP address assignment when the Dynamic Host Control Protocol is used.

The name of the context in which the desired DHCP service is configured must be specified by the dhcp context-name command.


Example:
The following command instructs the APN to use a DHCP service called dhcp1:
dhcp service-name dhcp1
dns

Configures the Domain Name Service (DNS) servers that will be used by the APN for PPP.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
dns { primary | secondary } { address }
no dns { primary | secondary } [ dns_address ]
no

Deletes a previously configured DNS server.

primary

Configures the primary DNS server for the APN.

secondary

Configures the secondary DNS server for the APN. Only one secondary DNS server can be configured.

address

Configures the IP address of the DNS server expressed in IPv4 dotted-decimal notation.

Default: primary = 0.0.0.0, secondary = 0.0.0.0

dns_address

Specifies the IP address of the DNS server to remove, expressed in IPv4 dotted-decimal notation.


Usage:

DNS servers are configured on a per-APN profile basis. This allows each APN profile to use specific servers in processing PDP contexts.

The configured DNS IP addresses are relayed to the subscriber within IPCP if the PDP type is PPP, or as PCOs (Protocol Configuration Options) if the PDP type is IP.

DNS can be specified at the APN level in APN configuration as well as at the context level in Context Configuration mode with the ip name-servers command, or it can be received from the AAA server.

When DNS is requested in PCO configuration, the following preference will be followed for DNS value:

1. DNS values received from LNS have the first preference.

2. DNS values received from the RADIUS server have the second preference.

3. DNS values locally configured with the APN have the third preference.

4. DNS values configured at context level with the ip name-servers command have the last preference.

IMPORTANT:

The same preference would be applicable for the NBNS (NetBIOS Name Service) servers to be negotiated via ICPC (Initial Connection Protocol Control) with the LNS (L2TP Network Server).


Example:
The following commands configure a primary DNS server address of 192.168.100.3 and a secondary DNS server address of 192.168.100.4:
dns primary 192.168.100.3
dns secondary 192.168.100.4
ehrpd-access

Configures the P-GW to exclude IPv6 traffic from being delivered to UEs that access PDNs from the eHRPD network and do not have IPv6 capabilities.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Administrator


Syntax
[ default | no ] ehrpd-access drop-ipv6-traffic
[ default | no ]

Resets this command to its default setting of disabled.

drop-ipv6-traffic

Excludes IPv6 traffic from being delivered to UEs that access PDNs from the eHRPD network and do not have IPv6 capabilities.


Usage:

Use this command to exclude IPv6 traffic from being delivered to UEs on the eHRPD network that do not have IPv6 capabilities.

end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

firewall policy

Enables or disables Stateful Firewall support for the APN.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
firewall policy firewall-required
{ default | no } firewall policy
no

Disables Stateful Firewall support for this APN.

default

Configures the default setting for Stateful Firewall support.

Default: Disabled


Usage:

Use this command to enable or disable Stateful Firewall support for this APN.

IMPORTANT:

This command is only available in StarOS 8.0. In StarOS 8.1 and later, this configuration is available in the ACS Rulebase Configuration Mode.

IMPORTANT:

Unless Stateful Firewall support for this APN is enabled using this command, firewall processing for this APN is disabled.

IMPORTANT:

If firewall is enabled, and the rulebase has no firewall configuration, Stateful Firewall will cause all packets to be discarded.


Example:
The following command enables Stateful Firewall support for an APN:
firewall policy firewall-required
The following command disables Stateful Firewall support for an APN:
no firewall policy
fw-and-nat policy

Specifies the Firewall-and-NAT policy to be used for subscribers who use this APN.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
fw-and-nat policy fw_nat_policy
{ default | no } fw-and-nat policy
default

Configures the default setting.

Default: The default Firewall-and-NAT policy configured in the rulebase is used for subscribers who use this APN.

no

Disables Firewall and NAT for the APN.

fw_nat_policy

Specifies the Firewall-and-NAT policy for the APN as an alphanumeric string of 1 through 63 characters. Note that this policy will override the default Firewall-and-NAT policy configured in the ACS rulebase.


Usage:

Use this command to configure the Firewall-and-NAT policy for the APN. Note that the policy configured in the subscriber mode will override the default policy configured in the ACS rulebase. If a policy is not configured in the subscriber mode, the default policy configured in the ACS rulebase will be used.

IMPORTANT:

This command is customer-specific and is only available in StarOS 8.1.

IMPORTANT:

This customer-specific command must be used to configure the Policy-based Firewall-and-NAT feature.


Example:
The following command configures a Firewall-and-NAT policy named standard for the APN:
fw-and-nat policy standard
gsm-qos negotiate

Enables negotiation of the QoS Reliability Class attribute based on the configuration provided for Service Data Unit (SDU) Error Ratio and Residual Bit Error Ratio (BER) attributes in the APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gsm-qos negotiate sdu-error-ratio sdu-error-ratio-code [ residual-ber residual-ber-code ]
[ no ] gsm-qos negotiate sdu-error-ratio [ sdu-error-ratio-code [ residual-ber residual-ber-code ] ]
no

Disables negotiation of the QoS Reliability Class attribute.

sdu-error-ratio sdu-error-ratio-code

Enables the negotiation of the QoS Reliability Class attribute based on Service Data Unit (SDU) Error Ratio attributes. sdu-error-ratio-code corresponds to distinct SDU Error ratio values within an integer range of 1 to 7.

residual-ber residual-ber-code

Enables the optional configuration of negotiation of the QoS Reliability Class attribute based on Residual Bit Error Ratio (BER) attributes. residual-ber-code corresponds to distinct Residual Bit Error Ratio values within an integer range of 1 to 9.


Usage:

This command configures the QoS attribute Reliability Class to be negotiated based on the configuration provided for SDU Error Ratio and Residual BER attributes. The derived Reliability Class and the configured values for SDU Error Ratio and Residual BER are sent back in CPC and UPC response.

The mapping for sdu-error-ratio-code is as follows:
Code    Value
1       10^-2
2       7*10^-3
3       10^-3
4       10^-4
5       10^-5
6       10^-6
7       10^-1



Residual BER needs to be specified when SDU Error Ratio is set to codes 1, 2, 3 or 7 (or when SDU Error Ratio is intended to be set to a value greater than 5*10^-4) for determining the Reliability Class QoS attribute. Otherwise, the Residual BER value received in the Create PDP context request QoS (or UPC request) would be used. The mapping for residual-ber-code is as follows:
Code    Value
1       5*10^-2
2       10^-2
3       5*10^-3
4       4*10^-3
5       10^-3
6       10^-4
7       10^-5
8       10^-6
9       6*10^-8




Example:
The following command configures the negotiation of QoS attribute Reliability Class based on Service Data Unit (SDU) Error Ratio 3 attributes in the APN:
gsm-qos negotiate sdu-error-ratio 3
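
The two code tables and the Residual BER rule above can be checked mechanically. The following is an added Python example, not part of the original reference or of StarOS: it validates the enabling form of the command, resolves both codes to their ratios, and derives the SDU codes that need a Residual BER from the 5*10^-4 threshold rather than hard-coding them. The function names and finding text are hypothetical, and the no form is not handled.

```python
from fractions import Fraction

# Code tables as given in this section (exact values, no float rounding).
SDU_ERROR_RATIO = {
    1: Fraction(1, 10**2), 2: Fraction(7, 10**3), 3: Fraction(1, 10**3),
    4: Fraction(1, 10**4), 5: Fraction(1, 10**5), 6: Fraction(1, 10**6),
    7: Fraction(1, 10**1),
}
RESIDUAL_BER = {
    1: Fraction(5, 10**2), 2: Fraction(1, 10**2), 3: Fraction(5, 10**3),
    4: Fraction(4, 10**3), 5: Fraction(1, 10**3), 6: Fraction(1, 10**4),
    7: Fraction(1, 10**5), 8: Fraction(1, 10**6), 9: Fraction(6, 10**8),
}
# Residual BER must be specified when the SDU Error Ratio exceeds this value.
RESIDUAL_BER_THRESHOLD = Fraction(5, 10**4)


def codes_needing_residual_ber():
    """SDU error ratio codes whose value is greater than 5*10^-4."""
    return sorted(code for code, ratio in SDU_ERROR_RATIO.items()
                  if ratio > RESIDUAL_BER_THRESHOLD)


def _code(token, table, name):
    """Convert a CLI token to a code that exists in the given table."""
    if not (token.isascii() and token.isdigit()) or int(token) not in table:
        raise ValueError(f"{name} {token!r} is outside {min(table)}..{max(table)}")
    return int(token)


def check_gsm_qos(line):
    """Validate 'gsm-qos negotiate sdu-error-ratio N [ residual-ber M ]'."""
    tokens = line.split()
    if tokens[:3] != ["gsm-qos", "negotiate", "sdu-error-ratio"] or len(tokens) not in (4, 6):
        raise ValueError(f"unsupported form: {line!r}")
    sdu_code = _code(tokens[3], SDU_ERROR_RATIO, "sdu-error-ratio-code")
    ber_code = None
    if len(tokens) == 6:
        if tokens[4] != "residual-ber":
            raise ValueError(f"expected residual-ber, got {tokens[4]!r}")
        ber_code = _code(tokens[5], RESIDUAL_BER, "residual-ber-code")

    findings = []
    if ber_code is None and sdu_code in codes_needing_residual_ber():
        findings.append(
            f"review: sdu-error-ratio code {sdu_code} is above 5*10^-4 but no "
            "residual-ber is configured; the value from the request is used")
    return {
        "sdu_error_ratio": SDU_ERROR_RATIO[sdu_code],
        "residual_ber": RESIDUAL_BER.get(ber_code),  # None when not configured
        # "request": taken from the Create PDP context (or UPC) request QoS.
        "residual_ber_source": "apn" if ber_code else "request",
        "findings": findings,
    }


if __name__ == "__main__":
    print(codes_needing_residual_ber())
    # First line is the example from this section; the second is constructed.
    for sample in ("gsm-qos negotiate sdu-error-ratio 3",
                   "gsm-qos negotiate sdu-error-ratio 3 residual-ber 5"):
        print(sample, "->", check_gsm_qos(sample))
```
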
gtpp group

Enables a configured GTPP server group to an APN for CGF accounting functionality.

IMPORTANT:

In Releases prior to 11.0, only one GTPP group is allowed to be configured per APN. In Releases 11.0 and later, this CLI can be used to configure up to a maximum of 32 GTPP groups for each APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp group group_name [ accounting-context ac_context_name ]
default gtpp group
no gtpp group group_name
no

Removes all the configured GTPP groups for the specific APN.

group_name

Specifies the name of the server group that is used for authentication/accounting for a specific APN. group_name must be an alphanumeric string of 1 to 63 characters. It must be identical to the one configured earlier within the same APN context.

IMPORTANT:

In Release 11.0 and later, if you have mistakenly configured a GTPP group, you should remove the initially configured group and configure the new desired group. However, in Releases prior to 11.0, there is no need to remove the incorrect configuration; instead you can directly reconfigure the desired GTPP group.

IMPORTANT:

If a GTPP group entry is invalid, this GTPP group will be ignored and the next valid GTPP group in the APN will be used. If no valid GTPP group exists, then the default GTPP group in the accounting context specified by the GGSN service will be used.

accounting-context ac_context_name

Specifies the name of an accounting context on the system that processes accounting for PDP contexts handled by this GGSN service for accounting to a specific APN.

ac_context_name must be an alphanumeric string of 1 through 79 characters that is case sensitive.

Note that if an accounting context is not specified here, the system uses the GGSN service context or the context configured by the accounting context command in the GGSN Service Configuration mode.


Usage:

This feature provides the GTPP server configurables under a GTPP group node. Instead of having a single list of servers per context, this feature configures multiple server groups within a context and applies an individual GTPP server group for subscribers in that context. Each server group consists of a list of CGF (Charging Group Function) accounting servers.

In case no GTPP group is applied for the said APN or default APN template, then the default GTPP server group available at the context level is applicable for accounting of a specific APN.

IMPORTANT:

When multiple GTPP groups are applied to the same APN, the load will be shared across these GTPP groups. Sessions for this APN will use all the configured GTPP groups in a round robin fashion.

Once a GTPP group is selected for a subscriber session, the GTPP group will never change under any circumstances. A request is initially sent to primary CGF server configured in that group. When the primary fails to respond, the request is sent to secondary CGF server.

The process of failover from primary to secondary is per the 3GPP standards. Multiple GTPP groups configuration is actually supported only for load sharing of sessions within an APN and not used for failover. When all CGFs are down in a GTPP group, the requests are archived either in hard disk or main memory depending on whether or not streaming is enabled.


Example:
The following command applies a previously configured GTPP server group named star1 to an APN within the specific context:
gtpp group star1
The following command disables the applied GTPP server group for the specific APN:
no gtpp group star1
gtpp secondary-group

Enables or associates a preconfigured secondary GTPP server group to an APN for CGF (Charging Group Function) accounting functionality. By default it is disabled.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp secondary-group group_name [ accounting-context actt_ctxt_name ]
[ default | no ] gtpp secondary-group group_name
default

Default: Enabled

Restores the default mode for secondary GTPP group for APN template.

no

Disables the configured/associated GTPP secondary group for specific APN.

group_name

Specifies the name of secondary GTPP server group that is used as an alternate for the primary GTPP group associated with a specific APN for storage of GTPP messages. group_name must be an alphanumeric string of 1 through 63 characters. It must be the same name as configured earlier within the same APN context.

accounting-context actt_ctxt_name

Specifies the name of an accounting context on the system that processes accounting for PDP contexts handled by this GGSN service for accounting to a specific APN.

actt_ctxt_name specifies the name of the context to be used for accounting as an alphanumeric string of 1 through 79 characters that is case sensitive.

Note that if an accounting context is not specified here, the system uses the GGSN service context or the context configured by the accounting context command in the GGSN Service Configuration mode.


Usage:

Use this feature to provide the secondary GTPP server group support for an APN.

When the secondary GTPP group is configured with this command, the GTPP messages will also be mirrored to the secondary servers.

This secondary group configuration is ignored if the configured group_name is the same as the primary group. It is also ignored if the configured GTPP group_name and/or accounting context ac_context_name is invalid. In such cases, the call will be established successfully (unlike the primary group configuration where the call drops).

In the absence of a configured ac_context_name context, the GGSN service context is chosen by default.

The secondary group messages are low priority and thus are purged when there is no room for the new messages.

For more information on GTPP groups, refer to the description of the gtpp group command.


Example:
The following command applies a previously configured GTPP server group named star2 as the secondary GTPP group to an APN within the specific context:
gtpp secondary-group star2
The following command disables the applied secondary GTPP server group for the specific APN:
no gtpp secondary-group star2
idle-timeout-activity

Configures a session idle-timeout to be reset with uplink packets only, or with both uplink and downlink packets.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] idle-timeout-activity ignore-downlink
default idle-timeout-activity
default

Sets or restores the command to the default setting.

ignore-downlink

Sets the system to ignore the downlink traffic for consideration as activity for idle-timeout.


Usage:

If idle-timeout-activity ignore-downlink is configured, the downlink (network to subscriber) traffic will not be used to reset the idle-timeout. Only uplink (subscriber to network) packets will be able to reset the idle-timeout.

By default, ignore-downlink is negated by the no command so downlink traffic is also used to reset the idle-timeout.


Example:
The following command causes both uplink and downlink traffic to reset a session idle-timeout:
default idle-timeout-activity
The following command causes the session idle-timeout to be reset with only uplink packets:
idle-timeout-activity ignore-downlink
ims-auth-service

Applies an IMS (IP Multimedia Subsystem) authorization service to a subscriber through APN for Gx interface support and functionality.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ims-auth-service auth_service_name
no

Disables the applied IMS authorization service for a specific APN.

auth_service_name

Specifies the name of the IMS authorization service that is used for Gx interface authentication for a specific APN. auth_service_name must be an alphanumeric string of 1 through 63 characters preconfigured within the same context as this APN.


Usage:

This feature provides the IMS authorization service configuration for Gx interface in IMS service node.


Example:
The following command applies a previously configured IMS authorization service named gx_interface1 to an APN within the specific context:
ims-auth-service gx_interface1
The following command disables the applied IMS authorization service gx_interface1 for the specific APN:
no ims-auth-service gx_interface1
ip access-group

Configures an IPv4/IPv6 access group for the current APN profile.

Platform:

ASR 5000

Product:

ACS, GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip access-group acl_group_name [ in | out ]
no

Removes a previously configured IPv4/IPv6 access group association.

acl_group_name

Specifies the name of the IPv4/IPv6 access group. acl_group_name is a previously configured ACL group expressed as an alphanumeric string of 1 to 79 characters.

in | out

Default: both (in and out)

Specifies the access-group as either inbound or outbound by the keywords in and out, respectively.


Usage:

Use this command to apply a single IPv4/IPv6 access control list to multiple subscribers via this APN for inbound or outbound IPv4/IPv6 traffic.

If no traffic direction is specified, the selected access control list will be applied to both directions.


Example:
The following command associates the sampleipv4Group access group with the current APN profile for both inbound and outbound access.
ip access-group sampleipv4Group
The following command removes the outbound access group flag for sampleipv4Group.
no ip access-group sampleipv4Group out
ip address alloc-method

Configures the method by which this APN will obtain IP addresses for PDP contexts.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
ip address alloc-method { dhcp-proxy [ allow-deferred ] [ prefer-dhcp-options ] | dhcp-relay | local [ allow-deferred ] | no-dynamic [ allow-deferred ] } [ allow-user-specified ]
default ip address allocation-method
default

Restores the APN ip parameters to the following default settings.

dhcp-proxy

Default: Disabled

Configures the APN to assign an IP address received from a DHCP server.

IMPORTANT:

If this option is used, the system’s DHCP parameters must be configured.

dhcp-relay

Configures the APN to forward DHCP packets received from the MS to a DHCP server. Default: Disabled

IMPORTANT:

If this option is used, the system’s DHCP parameters must be configured.

local

Configures the APN to allocate IP addresses from a pool configured in the destination context on the system. Default: Enabled

IMPORTANT:

If this option is used, the name of the IP address pool from which to allocate addresses must be configured using the ip address pool-name command. If no pool name is specified, the system will attempt to allocate an address from any public pool configured in the destination context.

no-dynamic

Disables the dynamic assignment of IP addresses to PDP contexts using this APN. Default: Disabled

If a PDP context needing an IP address is received by an APN with this option enabled, it will be rejected with a cause code of 220 (Unknown PDP address or PDP type).

prefer-dhcp-options
If this keyword is specified with dhcp-proxy for IP address allocation configuration, the GGSN will prefer DHCP-supplied parameters over values provided by AAA server or by local configuration. This keyword controls the following parameters:
  • primary and secondary Domain Name Server (DNS) addresses
  • primary and secondary NetBIOS Name Server (NBNS) addresses

These values will be sent out in the PCO IE of a GTP Create PDP Response message whenever the MS requests them in a Create PDP Request message.

Default: Disabled

IMPORTANT:

This keyword is available only with dhcp-proxy ip allocation method as this functionality is implemented only for GGSN acting as DHCP proxy.

By default, this functionality is disabled. Hence, DNS and NBNS values received from a DHCP server will not be considered by the GGSN.

allow-deferred

Enables support for P-GW deferred address allocation. Default: Disabled

allow-user-specified

Enables support for PDP contexts requesting the use of specific (static) addresses. Default: Enabled

IMPORTANT:

If this option is not enabled, PDP contexts requesting the use of a static address will be rejected with a cause code of 220 (Unknown PDP address or PDP type).


Usage:

Use this command to configure the method by which the APN profile will assign IP addresses to PDP contexts.

When the PDP context is being established and the APN name is determined, the system will examine the APN’s configuration profile. Part of that procedure is determining how to handle IP address allocation. The figure in the Example section below displays the process used by the system to determine how the address should be allocated.


Example:
The following command configures the APN to dynamically assign an address from a DHCP server and reject PDP sessions with static IP addresses:
ip address alloc-method dhcp-proxy
The following command configures the APN to reject sessions requesting dynamically assigned addresses and only allow those with static addresses:
ip address alloc-method no-dynamic allow-user-specified
The following figure provides the IP address allocation process:
Figure 1. IP Address Allocation Process
ip address pool

Configures the name of a private IP address pool configured on the system from which to assign an address for a PDP context.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip address pool name pool_name
no

Removes a previously configured pool name.

pool_name

Specifies the name of the private pool configured on the system from which an IP address will be assigned. The name is expressed as an alphanumeric string of 1 through 31 characters that is case sensitive.


Usage:

If the ip address alloc-method command is configured to allow the assignment of IP addresses from a local pool configured on the system, this command instructs the system as to which pool should be used.

The pool specified by this command must be a private pool configured in the destination context on the system. Please refer to the ip pool command in the Context Configuration Mode Commands chapter for information on configuring IP address pools.

Multiple APNs can use the same IP address pool if required. In addition, this command could be issued multiple times to allow a single APN to use different address pools.


Example:
The following command configures the system to use a pool named private_pool1 for address allocation:
ip address pool name private_pool1
ip context-name

Configures the name of the destination context to use for subscribers accessing this APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip context-name ctxt_name
no

Removes a previously configured context name.

ctxt_name

Specifies the name of the context through which subscriber data traffic will be routed. ctxt_name must be an alphanumeric string from 1 to 79 characters.


Usage:

Use this command to specify the name of a destination context configured on the system through which to route all subscriber data traffic. This context will be used for subscribers accessing this APN. If no name is specified, the system will use the context in which the APN is configured as the destination context.

When the APN is used to support Mobile IP functionality, this command is used to indicate the context in which the FA (Foreign Agent) service is configured. If no name is specified, the system uses the context of the GGSN service facilitating the subscriber PDP context.


Example:
The following command configures the system to route subscriber traffic for the APN through a context called isp1:
ip context-name isp1
ip header-compression

Configures IP packet header compression parameters for this APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
ip header-compression vj
default ip header-compression
no ip header-compression
default

Disables Van-Jacobson header compression.

no

Disables Van-Jacobson header compression.

vj

Enables Van-Jacobson header compression for IP packets. Default: Enabled


Usage:

IP header compression reduces packet header overhead resulting in more efficient utilization of available bandwidth.


Example:
The following command disables packet header compression for the APN:
no ip header-compression
ip hide-service-address

Renders the IP address of the GGSN unreachable from mobile stations (MSs) using this APN. This command is configured on a per-APN basis.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] ip hide-service-address
default

Does not allow the mobile station to reach the GGSN IP address using this APN.

no

Allows the mobile station to reach the GGSN IP address using this APN.


Usage:

This hides the GGSN IP address from the mobile station for security purposes.


Example:
The following command allows the GGSN’s IP address to be viewed by the mobile station:
no ip hide-service-address
ip local-address

Configures the local-side IP address of the subscriber's point-to-point connection.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
ip local-address ip_address
no ip local-address
no

Removes a previously configured IP local-address.

ip_address

Specifies an IP address configured in a destination context on the system through which a packet data network can be accessed. ip_address must be expressed in IPv4 dotted-decimal notation.


Usage:

This parameter specifies the IP address on the system that the MS uses as the remote-end of the PPP connection. If no local address is configured, the system uses an unnumbered scheme for local-side addresses.


Example:
The following command configures a local address of 192.168.1.23 for the MS:
ip local-address 192.168.1.23
ip multicast discard

Configures the IP multicast discard packet behavior.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] ip multicast discard
default

Restores the APN IP parameters to the default multicast settings, which is to discard PDUs.

no

Removes a previously configured IP multicast discard.


Usage:

This command specifies if IP multicast discard is enabled or disabled.


Example:
The following command enables IP multicast discard for an APN:
ip multicast discard
ip qos-dscp

Configures the quality of service (QoS) differentiated service code point (DSCP) used when sending data packets of a particular 3GPP QoS class over the Gi interface.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
ip qos-dscp { qci { 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 } { dscp } } +
default ip qos-dscp
no ip qos-dscp { qci { 1 | 2 | 3 | 4 | 5 { allocation-retention-priority { 1..3 } } | 6 { allocation-retention-priority { 1..3 } } | 7 { allocation-retention-priority { 1..3 } } | 8 { allocation-retention-priority { 1..3 } } | 9 } } } +
default

Restores the APN IP parameters to the default settings: conversational ef, streaming af11, interactive af21, background be.

no

Restores the QoS parameter to its default setting.

allocation-retention-priority

Specifies the DSCP for interactive class if the allocation priority is present in the QoS profile.

allocation-retention-priority can be the integers 1, 2, or 3.

DSCP values use the following matrix to map based on traffic handling priority and Alloc/Retention priority if the allocation priority is present in the QoS profile.

The following table shows the DSCP value matrix for allocation-retention-priority.


Table 2. Default DSCP Value Matrix

Traffic Handling Priority    Allocation Priority 1    Allocation Priority 2    Allocation Priority 3
1                            ef                       ef                       ef
2                            ef                       ef                       ef
3                            af21                     af21                     af21
4                            af21                     af21                     af21



IMPORTANT:

If you only configure DSCP marking for interactive traffic classes without specifying ARP, it may not properly take effect. The CLI allows this scenario for backward compatibility. However, it is recommended that you configure all three values.

qci

Configures the QoS Class Identifier (QCI) attribute of QoS. Here the qci_val is the QCI for which the negotiate limit is being set; it ranges from 1 to 9.

dscp
Specifies the DSCP for the specified traffic pattern. dscp can be configured to any one of the following:
  • af11: Assured Forwarding 11 per-hop-behavior (PHB)
  • af12: Assured Forwarding 12 PHB
  • af13: Assured Forwarding 13 PHB
  • af21: Assured Forwarding 21 PHB
  • af22: Assured Forwarding 22 PHB
  • af23: Assured Forwarding 23 PHB
  • af31: Assured Forwarding 31 PHB
  • af32: Assured Forwarding 32 PHB
  • af33: Assured Forwarding 33 PHB
  • af41: Assured Forwarding 41 PHB
  • af42: Assured Forwarding 42 PHB
  • af43: Assured Forwarding 43 PHB
  • be: Best effort forwarding PHB
  • ef: Expedited forwarding PHB
  • pt: Pass through (ToS of user packet is not modified)




Default: QCI:
  • 1: ef
  • 2: ef
  • 3: af11
  • 4: af11
  • 5: ef
  • 6: ef
  • 7: af21
  • 8: af21
  • 9: be
+

More than one of the above keywords can be entered within a single command.


Usage:

DSCP levels can be assigned to specific traffic patterns in order to ensure that data packets are delivered according to the precedence with which they’re tagged. The diffserv markings are applied to the IP header of every subscriber data packet transmitted over the Gi interface(s).

The traffic patterns are defined by QCI (1 to 9). Data packets falling under the category of each of the traffic patterns are tagged with a DSCP that further indicates their precedence, as shown in the following tables:


Table 3. Class structure for assured forwarding (af) levels

Drop Precedence    Class 1    Class 2    Class 3    Class 4
Low                af11       af21       af31       af41
Medium             af12       af22       af32       af42
High               af13       af23       af33       af43





Precedence (low to high)    DSCP
1                           Best Effort (be)
2                           Class 1
3                           Class 2
4                           Class 3
5                           Class 4
6                           Express Forwarding (ef)




The DSCP level can be configured for multiple traffic patterns within a single instance of this command.

IMPORTANT:

If a GGSN service is associated with a P-GW service, then the GGSN service will use the QCI-QoS mapping tables specified in the qci-qos-mapping command and assigned to its associated P-GW service.


Example:
The following command configures the DSCP level for QCI 1 to be Expedited Forwarding, ef:
ip qos-dscp qci 1 ef
ip source-violation

Enables or disables packet source validation for the current APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
ip source-violation { ignore | check [ drop-limit limit ] } [ exclude-from-accounting ]
default ip source-violation
default

Restores the APN IP parameters to the default settings: check enabled, drop-limit 10.

ignore

Default: Disabled

Disables source address checking for the APN.

check [ drop-limit limit ]

Default: Enabled, limit = 10

Enables the checking of source addresses received from subscribers for violations.

A drop-limit can be configured to set a limit on the number of invalid packets that can be received from a subscriber prior to their session being deleted. limit can be configured to any integer value between 0 and 1000000. A value of 0 indicates that all invalid packets will be discarded but the session will never be deleted by the system.

exclude-from-accounting

Default: Disabled

Excludes the packets identified with IP source violation from the statistics generated for accounting records.


Usage:

Source validation is useful if packet spoofing is suspected or for verifying packet routing and labeling within the network.

Source validation requires the source address of received packets to match the IP address assigned to the subscriber (either statically or dynamically) during the session.


Example:
The following command enables source address validation for the APN and configures a drop-limit of 15:
ip source-violation check drop-limit 15
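The check and drop-limit behaviour described above can be modelled per session as follows. This is an added example, not vendor code; it assumes the session is deleted once the number of invalid packets exceeds the drop-limit, and the addresses are constructed sample values.

```python
# Added illustration (not vendor code): a model of the per-session check that
# `ip source-violation check [ drop-limit limit ]` describes.
# Assumption: the session is deleted when the invalid-packet count exceeds limit.
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Session:
    assigned: str                          # address assigned to the subscriber
    mode: str = "check"                    # "check" or "ignore"
    drop_limit: int = 10                   # documented default
    exclude_from_accounting: bool = False  # documented default: Disabled
    invalid: int = 0                       # source violations seen so far
    accounted: int = 0                     # packets counted for accounting
    deleted: bool = False

    def __post_init__(self):
        if self.mode not in ("check", "ignore"):
            raise ValueError("mode must be 'check' or 'ignore'")
        if not 0 <= self.drop_limit <= 1000000:
            raise ValueError("drop-limit must be between 0 and 1000000")

    def uplink(self, src: str) -> str:
        """Process one packet from the subscriber and return the verdict."""
        if self.deleted:
            return "session-deleted"
        if self.mode == "ignore" or ip_address(src) == ip_address(self.assigned):
            self.accounted += 1
            return "forward"
        # Source violation: the packet is never forwarded.
        self.invalid += 1
        if not self.exclude_from_accounting:
            self.accounted += 1
        # drop-limit 0: discard every invalid packet, never delete the session.
        if self.drop_limit and self.invalid > self.drop_limit:
            self.deleted = True
            return "session-deleted"
        return "drop"


def replay(session, sources):
    """Feed a sequence of source addresses to the session; return the verdicts."""
    return [session.uplink(src) for src in sources]


# Constructed traffic: 10.0.0.5 is the assigned address, 203.0.113.7 is not.
GOOD, BAD = "10.0.0.5", "203.0.113.7"

if __name__ == "__main__":
    s = Session(assigned=GOOD, drop_limit=2)
    print(replay(s, [GOOD, BAD, BAD, GOOD, BAD, GOOD]))
    print("invalid:", s.invalid, "deleted:", s.deleted)
```

With drop-limit 0 the same replay returns only forward and drop verdicts, so a misbehaving subscriber stays attached indefinitely and must be caught by other monitoring.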
ip user-datagram-tos copy

Controls the copying of the IP ToS octet value from user IPv4/IPv6 datagrams into the IP header of GTP tunnel encapsulations.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] ip user-datagram-tos copy
default

Sets the default behavior of this command. By default this function is disabled.

no

Removes the preconfigured parameter for this command.


Usage:

This command enables or disables the copying of the ToS byte from the inner IP header to the outer IP header for an RP connection.

When this function is enabled, the SGSN can detect the special ToS marking in the outer IP header of GTP tunnel packets and identify certain packets as control messages.

ipv6 access-group

Configures the IPv6 access group for the current APN profile which applies a single Access Control List (ACL) to multiple subscribers via the APN for IPv6 traffic.

Platform:

ASR 5000

Product:

GGSN, ACS, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipv6 access-group group_name [ in | out ]
no

Removes a previously configured IPv6 ACL applied to a particular APN for IPv6 traffic. If neither of the two { in | out } options is selected for the ACL being removed, the ACL is removed for both directions.

group_name

Specifies the name of the IPv6 access group as an alphanumeric string of 1 through 79 characters.

[ in | out ]

Default: both (in and out)

Specifies the access-group as either inbound or outbound by the keywords in and out, respectively.

If no direction is supplied in the base command, the specified IPv6 access control list will be applied to both directions.


Usage:

Use this command to apply a single IPv6 access control list to multiple subscribers via an APN for inbound or outbound IPv6 traffic.

If no traffic direction is specified, the selected access control list will be applied to both traffic directions.


Example:
The following command associates the sampleipv6Group access group with the current APN profile for both inbound and outbound access:
ipv6 access-group sampleipv6Group
The following removes the outbound access group flag for sampleipv6Group:
no ipv6 access-group sampleipv6Group out
ipv6 dns

Configures primary and secondary IPv6 Domain Name Service (DNS) servers.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipv6 dns { primary | secondary } { ipv6_dns_address }
no

Deletes a previously configured DNS server.

primary

Configures the IPv6 address of primary DNS server for the APN.

secondary

Configures IPv6 address of the secondary DNS server for the APN. Only one secondary DNS server can be configured.

ipv6_dns_address

The IP address of the DNS server entered using IPv6 colon-separated-hexadecimal notation.


Usage:

DNS servers are configured on a per-APN profile basis. This allows each APN profile to use specific servers in processing PDP contexts.

The DNS can be specified at the APN level in APN configuration as well as at the Context level in Context configuration mode with ip name-servers command, or it can be received from AAA server.

When DNS is requested in PCO configuration, the following preference will be followed for DNS value:

1. DNS values received from the LNS have the first preference.

2. DNS values received from the RADIUS server have the second preference.

3. DNS values locally configured with the APN have the third preference.

4. DNS values configured at the context level with the ip name-servers command have the last preference.

IMPORTANT:

The same preference would be applicable for the NBNS (NetBIOS Name Service) servers to be negotiated via ICPC (Initial Connection Protocol Control) with the LNS (L2TP Network Server).


Example:
The following command provides an example of setting the primary DNS server:
ipv6 dns primary fe80::c0a8:a04
ipv6 egress-address-filtering

Enables or disables IPv6 egress address filtering. This function filters out packets not meant for the mobile interface ID. The GGSN records the source interface ID of all the packets received from the mobile node. When packets sent to the mobile node are received, the destination interface ID is compared against the list of recorded interface IDs and with the local interface-ID assigned to the MS during IPv6CP. If no match is found, the packet is dropped.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipv6 egress-address-filtering
no

Disables IPv6 egress address filtering.


Usage:

Used to filter packets that arrive from the internet to a particular site.


Example:
The following command provides an example of disabling egress address filtering:
no ipv6 egress-address-filtering
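When reviewing an APN profile, the filtering commands described above (ip hide-service-address, ip multicast discard, ip source-violation and ipv6 egress-address-filtering) can be checked together. The following is an added example, not vendor tooling: it computes the effective state of those four settings from one APN's configuration lines, assuming a later line overrides an earlier one and that check without drop-limit uses the default of 10. Both sample configurations are constructed.

```python
# Added illustration (not vendor tooling): report the effective state of four
# APN-mode settings from this reference. Input is the text of one APN's
# configuration commands, one per line; a later line overrides an earlier one.
import re

DEFAULTS = {
    "source_violation": ("check", 10),   # documented default
    "hide_service_address": True,        # documented default: address hidden
    "multicast_discard": True,           # documented default: discard PDUs
    "egress_filtering": None,            # default not stated here: unknown
}

# Commands that take no arguments, mapped to (setting, value).
EXACT = {
    "default ip source-violation": ("source_violation", ("check", 10)),
    "ip hide-service-address": ("hide_service_address", True),
    "default ip hide-service-address": ("hide_service_address", True),
    "no ip hide-service-address": ("hide_service_address", False),
    "ip multicast discard": ("multicast_discard", True),
    "default ip multicast discard": ("multicast_discard", True),
    "no ip multicast discard": ("multicast_discard", False),
    "ipv6 egress-address-filtering": ("egress_filtering", True),
    "no ipv6 egress-address-filtering": ("egress_filtering", False),
}

SOURCE_VIOLATION = re.compile(
    r"^ip source-violation (?:(ignore)|check(?: drop-limit (\d+))?)"
    r"(?: exclude-from-accounting)?$"
)


def effective_settings(config_text):
    """Return (state, origin): final value per setting and the line that set it."""
    state, origin = dict(DEFAULTS), {}
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())          # normalise whitespace
        match = SOURCE_VIOLATION.match(line)
        if match:
            key = "source_violation"
            if match.group(1):
                value = ("ignore", None)
            else:
                # Assumption: `check` without drop-limit uses the default of 10.
                value = ("check", int(match.group(2) or 10))
        elif line in EXACT:
            key, value = EXACT[line]
        else:
            continue                          # not one of the audited commands
        state[key], origin[key] = value, number
    return state, origin


def audit(config_text):
    """Return a list of (setting, line_number_or_None, message) findings."""
    state, origin = effective_settings(config_text)
    findings = []

    def report(key, message):
        findings.append((key, origin.get(key), message))

    mode, limit = state["source_violation"]
    if mode == "ignore":
        report("source_violation", "source address checking is disabled")
    elif limit == 0:
        report("source_violation",
               "invalid packets are discarded but the session is never deleted")
    if state["hide_service_address"] is False:
        report("hide_service_address", "mobile stations can reach the GGSN IP address")
    if state["multicast_discard"] is False:
        report("multicast_discard", "IP multicast discard has been removed")
    if state["egress_filtering"] is False:
        report("egress_filtering", "IPv6 egress address filtering is disabled")
    elif state["egress_filtering"] is None:
        report("egress_filtering", "not set explicitly; confirm the platform default")
    return findings


# Constructed sample configurations.
WEAK = """\
ip source-violation ignore
no ip hide-service-address
no ipv6 egress-address-filtering
ip access-group sampleipv4Group
"""
HARDENED = """\
ip source-violation ignore
ip source-violation check drop-limit 15
ip hide-service-address
ipv6 egress-address-filtering
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text))
```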
ipv6 initial-router-advt

Creates an IPv6 initial router advertisement interval for the current APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
ipv6 initial-router-advt { interval int_value | num-advts num_value }
[ default ] ipv6 initial-router-advt { interval | num-advts } 
default

Resets interval or num-advts to their default setting.

interval int_value

Specifies the time interval (in milliseconds) when the initial IPv6 router advertisement is sent to the mobile node as an integer from 100 through 16000. Default: 3000ms

num-advts num_value

Specifies the number of initial IPv6 router advertisements sent to the mobile node as an integer from 1 through 16. Default: 3


Usage:

This command is used to set the advertisement interval and the number of advertisements. Using a smaller advertisement interval increases the likelihood of the router being discovered more quickly when it first becomes available.


Example:
The following command specifies the initial IPv6 router advertisement interval to be 2000ms:
ipv6 initial-router-advt interval 2000
l3-to-l2-tunnel address-policy

Configures the address allocation/validation policy, when subscriber L3 (IPv4/IPv6) sessions are tunneled using an L2 tunneling protocol, such as L2TP.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
l3-to-l2-tunnel address-policy { alloc-only | alloc-validate | no-alloc-validate }
default l3-to-l2-tunnel address-policy
default

Restores the layer 3-to-layer 2 tunnel address policy parameter to the default setting of validation with no allocation.

alloc-only

Specifies that the system locally allocates and validates subscriber addresses. Default: Disabled

alloc-validate

Specifies that the system allocates addresses when IP addresses are dynamically assigned. The system does not validate the address specified by the subscriber. Default: Disabled

no-alloc-validate

Specifies that the system does not allocate or validate subscriber addresses locally for such sessions; it passes the address between remote tunnel terminator to the mobile node. Default: Enabled


Usage:

This command can be useful for MIP HA sessions tunneled from the system using L2TP tunnels, or GGSN PDP contexts of type IP tunneled using L2TP to a remote LNS.


Example:
The following command configures the system to locally allocate and validate subscriber addresses:
l3-to-l2-tunnel address-policy alloc-only
loadbalance-tunnel-peers

Configures how tunnel-peers are selected for this APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
loadbalance-tunnel-peers { balanced | prioritized | random }
default loadbalance-tunnel-peers
default

Restores the loadbalance-tunnel-peers parameter to the default setting of random.

balanced

Tunnel-peer selection is made without regard to prioritization, but in a sequential order that balances the load across the total number of peer nodes available. Default: Disabled

prioritized

Tunnel-peer selection is made based on the priority configured for the peer. Default: Disabled

random

Tunnel-peer selection is random in order. Default: Enabled


Usage:

Use this command to configure the load-balancing algorithm that defines how the tunnel-peers are selected by the APN when multiple peers are configured in the APN.


Example:
The following command sets the APN to connect to tunnel-peers in a sequential order:
loadbalance-tunnel-peers balanced
long-duration-action detection

Sets the detection of a session that exceeds the long duration timer and sends notification.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
long-duration-action detection
default long-duration-action
default

Restores the long-duration-action parameter to its default setting of detection.

long-duration-action detection

Detects long duration sessions and sends SNMP TRAP and CORBA notification. This is the default behavior. Default: Enabled


Usage:

Use this command to detect a session that exceeds the limit set by the long duration timer.

Refer to the timeout idle and timeout long-duration commands for information on setting the long duration timer.


Example:
Use the following command to enable detecting the session that exceeds the long duration timer:
long-duration-action detection
long-duration-action disconnection

Specifies what action is taken when the long duration timer expires.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
long-duration-action disconnection [ suppress-notification ] [ dormant-only ] +
long-duration-action disconnection

Detects a long duration session and disconnects the session after sending SNMP TRAP and CORBA notification. Default: Disabled

suppress-notification

Suppresses the SNMP TRAP and CORBA notification after detecting and disconnecting a long duration session. Default: Disabled

dormant-only

Disconnects dormant sessions after the long duration timer and the inactivity time with idle time-out duration expire. It sends the SNMP TRAP and CORBA notification after disconnecting a long duration session. Default: Disabled


Usage:

Use this command to determine what action is taken when a session exceeds the limit set by the long duration timer.

Refer to the timeout idle and timeout long-duration commands for information on setting the long duration timer.


Example:
Use the following command to enable disconnecting sessions that exceed the long duration timer:
long-duration-action disconnection
Use the following command to disconnect sessions that exceed the long duration timer without sending SNMP TRAP and CORBA notification:
long-duration-action disconnection suppress-notification
Use the following command to disconnect sessions that exceed the long duration timer and also the inactivity timer for the idle time-out duration, and send SNMP TRAP and CORBA notification:
long-duration-action disconnection dormant-only
Use the following command to disconnect sessions that exceed the long duration timer and also the inactivity timer for the idle time-out duration without sending any SNMP TRAP and CORBA notification. If the session is idle and the session-idle-time >= inactivity time, the session is disconnected. Even if the session is idle when the long-duration timer expires, if the session-idle time < inactivity time the timer value is reset to the idle-timeout time.
long-duration-action disconnection dormant-only suppress-notification
max-contexts

Configures the maximum number of PDP contexts (primary and secondary) that can be facilitated by the APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
max-contexts [ per-subscriber secondary secondary_ctx ] [ primary number total total_number ]
default max-contexts
default
Restores the max-contexts parameter to its default settings of:
  • primary: 1000000
  • total: 1000000
per-subscriber secondary secondary_ctx

This keyword specifies the maximum number of secondary PDP contexts that can be facilitated by the APN per primary context (per-subscriber). Subscribers can have primary PDP and secondary PDP contexts; the secondary contexts share the same IP address as the primary.

secondary_ctx is an integer from 0 through 10. Default: 10

primary number

This keyword specifies the maximum number of primary PDP contexts that can be facilitated by the APN. Subscribers can have primary PDP and secondary PDP contexts; the secondary contexts can be configured using the per-subscriber secondary keyword.

number is an integer value from 1 to 4000000. Default: 4000000

total total_number

Specifies the maximum total number of PDP contexts (primary and secondary) that can be facilitated by the APN. total_number can be configured to any integer value from 1 to 4000000. Default: 4000000


Usage:

This parameter can be used to configure a “soft” limit on the number of PDP contexts supported by a single APN.

Soft limits are based on measurements gathered at regular short intervals (several times per minute) as opposed to measurements taken in real-time. Therefore the sampled measurement may not match the actual number of PDP contexts currently being processed. Every PDP context request received is compared against the result of the last sample. If the sample is less than the soft limit configured, the request will be processed. If it is more, the request will be rejected.


Example:
The following command specifies that the maximum number of primary PDP contexts the APN can facilitate is 500,000 while the maximum total number is 750,000:
max-contexts primary 500000 total 750000
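The soft-limit behaviour described under Usage matters when sizing headroom above max-contexts, because requests are compared against the last sample rather than the live count. The following added example, not vendor code, replays constructed request timestamps against a sampled limit; it assumes requests are admitted while the last sample is below the limit and that no context is released during the run.

```python
# Added illustration (not vendor code): why a sampled ("soft") max-contexts
# limit can be overshot. Assumptions: requests are admitted while the last
# sample is below the limit, and no context is released during the run.

def simulate(limit, sample_period, arrivals, active=0):
    """Replay request timestamps (seconds, ascending) against a sampled limit.

    Returns a dict with the accepted and rejected request counts, the peak
    number of active contexts, and how far that peak exceeds the limit.
    """
    sample = active                 # result of the last measurement
    next_sample = sample_period     # time of the next measurement
    accepted = rejected = 0
    peak = active
    for t in arrivals:
        while t >= next_sample:     # take every measurement due by time t
            sample = active
            next_sample += sample_period
        if sample < limit:          # compared against the sample, not `active`
            active += 1
            accepted += 1
            peak = max(peak, active)
        else:
            rejected += 1
    return {"accepted": accepted, "rejected": rejected, "peak": peak,
            "overshoot": max(0, peak - limit)}


# Constructed workloads for a limit of 100 sampled every 15 seconds.
STEADY = list(range(300))                    # one request per second
BURST = [i * 0.002 for i in range(500)]      # 500 requests inside one second

if __name__ == "__main__":
    print("steady:", simulate(100, 15, STEADY))
    print("burst: ", simulate(100, 15, BURST))
```

The overshoot is bounded by the number of requests that can arrive within one sampling interval, so capacity planning for the destination context and its address pools should allow for that margin.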
mbms bmsc-profile

Applies a configured Broadcast-Multicast Service Center (BM-SC) profile to subscribers through APN for Multimedia Broadcast Multicast Service (MBMS) support and functionality.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
mbms bmsc-profile name bmsc_profile_name
[ default | no ] mbms bmsc-profile
default

Applies the default BMSC profile to the subscribers through the APN.

no

Deletes a previously associated BM-SC profile with this APN.

name bmsc_profile_name

Specifies a name for the BM-SC profile already configured in BMSC configuration mode. bmsc_profile_name is an alphanumeric string of 1 through 79 characters that may contain dots (.) and/or dashes (-).


Usage:

Use this command to associate a configured BM-SC profile to use for MBMS contexts with this APN for MBMS feature support.

For more information on BM-SC profile configuration, refer to the BMSC Profile Configuration Mode Commands chapter.

This command also configures the specific BM-SC profile to use for Internet Group Management Protocol (IGMP) JOIN requests received from PDP contexts with this APN.


Example:
The following command applies a previously configured BM-SC profile named bm_sc_1 to an APN within the specific context:
mbms bmsc-profile name bm_sc_1
mbms bearer timeout

Configures the session timeout values for the Multimedia Broadcast Multicast Service (MBMS) bearer contexts with this MBMS APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
mbms bearer timeout { absolute | idle } time
[ default | no ] mbms bearer timeout { absolute | idle }
default

Sets the default value for the option that follows for MBMS bearer context timeout.

no

Returns the timeout parameter to its default setting. If neither the absolute nor the idle keyword is used in conjunction with this keyword, both timeout options will be returned to their default settings.

absolute

Configures the absolute maximum time (in seconds) an MBMS bearer context may exist in any state (active or idle). Default: Disabled

idle

Default: Disabled

Configures the maximum amount of time (in seconds) an MBMS bearer context may be idle.

time

time can be any integer value between 0 and 4294967295. A time of 0 disables timeouts for this APN. Default: 0


Usage:

Use this command to limit the amount of time that an MBMS bearer context session can remain connected.


Example:
The following command enables an absolute timeout of 60000 seconds for the MBMS bearer context:
mbms bearer timeout absolute 60000

mbms ue timeout

Configures the session timeout values for the Multimedia Broadcast Multicast Service (MBMS) user equipment (UE) contexts with this MBMS APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
mbms ue timeout absolute time
[ default | no ] mbms ue timeout absolute
default

Sets the default value for the option that follows for the MBMS UE context timeout.

no

Returns the timeout parameter to its default setting. If neither the absolute nor the idle keyword is used in conjunction with this keyword, both timeout options are returned to their default settings.

absolute time

Configures the absolute maximum time (in seconds) an MBMS UE context may exist in any state (active or idle). time can be any integer value between 0 and 4294967295. A time of 0 disables timeouts for this APN. Default: 0


Usage:

Use this command to limit the amount of time that an MBMS UE context session can remain connected.


Example:
The following command enables an absolute timeout of 60000 seconds for the MBMS UE context:
mbms ue timeout absolute 60000

mediation-device

Enables the use of a mediation device and specifies the system context to use for communicating with the device.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
mediation-device [ context-name context_name ] [ delay-GTP-response ] [ no-early-PDUs ] [ no-interims ] +
[ default | no ] mediation-device
+

Indicates that more than one of the options can be specified with a single execution of the command.

default

Changes the mediation device to no context-name configured and restores the mediation device’s default properties.

no

Deletes the mediation-device configuration.

context-name context_name

Configures the mediation VPN context for this APN as an alphanumeric string of 1 through 79 characters that is case sensitive. If not specified, the mediation context is the same as the destination context of the subscriber. Default: The subscriber's destination context.

delay-GTP-response

When enabled, delays the CPC response until an Accounting Start response is received from the mediation device. Default: Disabled

no-early-pdus

Specifies that the system delays PDUs from the MS until a response to the GGSN accounting start request is received from the mediation device. The PDUs are queued, not discarded. Default: Disabled

If “no-early-PDUs” is enabled, the chassis does not send uplink/downlink data from/to a MS until it receives the Acct-Rsp Start for the same from the mediation device. On receiving the Acct-Rsp, pending PDUs are forwarded. The chassis buffers up to two PDUs per call. As soon as the third PDU comes, the buffering is disabled and all the PDUs are forwarded for that call.

Configures the system to queue up to two PDUs until the mediation device returns a response to the system's accounting START request per 3GPP standards. On receiving the Accounting response message, the system forwards the subsequent PDUs without discarding any of the packets.

IMPORTANT:

For StarOS 10.0 and earlier releases, the system buffers up to four PDUs and queues or discards the remaining PDUs.

IMPORTANT:

For StarOS 11.0 and later releases, the system is configured so that none of the PDUs are discarded.

no-interims

Disables sending interims to the mediation server. Default: Disabled

IMPORTANT:

Different commands are used to disable RADIUS interims for RADIUS accounting and mediation accounting. To disable RADIUS interims for mediation accounting, use the following command: mediation-device context-name context_name no-interims. To disable RADIUS interims for RADIUS accounting, use the following command: accounting-mode radius-diameter no-interims.


Usage:

This command enables mediation device support for the APN. Mediation devices can be either deep-packet inspection servers or transaction control servers.

The keywords of this command can be used in combination with each other, depending on configuration requirements.


Example:
The following command enables mediation device support for the APN and uses the protocol configuration located in a system context called ggsn1:
mediation-device context-name ggsn1
mediation-device context-name ggsn1 no-interims no-early-pdus
mediation-device no-early-pdus no-interims
mediation-device no-interims no-early-pdus
The following command enables mediation device support for the APN and uses the protocol configuration located in the subscriber's destination context:
mediation-device

mobile-ip home-agent

Configures the IP address of the home agent (HA) used by the current APN to facilitate subscriber Mobile IP sessions.

Platform:

ASR 5000

Product:

GGSN, FA, P-GW


Privilege:

Security Administrator, Administrator


Syntax
mobile-ip home-agent ip_address [ alternate ]
no mobile-ip home-agent ip_address alternate
default mobile-ip home-agent
default

Restores the APN mobile-ip parameters to the default setting, no HA address defined.

no

Removes a previously configured HA address.

ip_address

Specifies the IP address of the HA expressed in IPv4 dotted-decimal notation.

alternate

Designates this Mobile IP HA as the alternate that will be used in the event of a fail-over.


Usage:

If the APN is configured to support Mobile IP for all PDP contexts it is facilitating, this command specifies the IP address of the HA that is to be used.


Example:
The following command configures an HA IP address of 192.168.1.15:
mobile-ip home-agent 192.168.1.15

mobile-ip mn-aaa-removal-indication

Configures the system to remove various information elements when relaying Registration Request messages to the HA.

Platform:

ASR 5000

Product:

GGSN, FA, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] mobile-ip mn-aaa-removal-indication
default

Sets the default setting for mobile IP MN-AAA-Removal-Indication.

no

Disables this functionality. This is the default setting.


Usage:

When this functionality is enabled, the MN-FA challenge and MN-AAA authentication extensions are removed when relaying a Registration Request (RRQ) to the HA.

mobile-ip mn-ha-hash-algorithm

Designates the encryption algorithm to use for Hash-based Message Authentication Code (HMAC).

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
mobile-ip mn-ha-hash-algorithm { hmac-md5 | md5 | rfc2002-md5 }
default mobile-ip mn-ha-hash-algorithm
default

Designates the default encryption algorithm to use.

hmac-md5 | md5 | rfc2002-md5

Default: hmac-md5

The encryption algorithms that may be used.


Usage:

Provides security by encrypting the data.


Example:
The following command sets encryption for md5:
mobile-ip mn-ha-hash-algorithm md5

mobile-ip mn-ha-shared-key

Configures the subscriber MobileNode-Home Agent (MN-HA) shared key.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
mobile-ip mn-ha-shared-key key
no mobile-ip mn-ha-shared-key
no

Disables this functionality. This is the default setting.

key

Specifies the subscriber MN-HA shared key as either an alphanumeric string or a hexadecimal number sequence beginning with “0x”. The string or sequence consists of 16 to 127 characters.


Usage:

Configures a shared key for the APN.


Example:
The following command configures a shared key as the alphanumeric string sfd23408imi9yn:
mobile-ip mn-ha-shared-key sfd23408imi9yn

mobile-ip mn-ha-spi

Configures the Mobile IP Security Parameter Index (SPI).

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
mobile-ip mn-ha-spi spi_number
no mobile-ip mn-ha-spi
no

Disables this functionality. This is the default setting.

spi_number

Specifies the SPI as an integer from 256 through 4294967295.


Usage:

Configures an SPI for the APN.


Example:
The following command configures an SPI of 15111111111111111111111111111111:
mobile-ip mn-ha-spi 15111111111111111111111111111111
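
The mn-ha-hash-algorithm, mn-ha-shared-key and mn-ha-spi commands above together define the MN-HA security association. The following sketch is an added example, not Cisco code: it computes and verifies the Mobile-Home Authentication Extension as RFC 3344 describes it, assuming that hmac-md5 selects HMAC-MD5 and rfc2002-md5 selects the RFC 2002 prefix+suffix keyed MD5. The key, the SPI and every address except 192.168.1.15 are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

MN_HA_AUTH_EXT = 32   # Mobile-Home Authentication Extension type (RFC 3344)
MD5_LEN = 16          # authenticator length in bytes
EXT_LEN = 2 + 4 + MD5_LEN


def protected_fields(rrq: bytes, spi: int) -> bytes:
    """Bytes covered by the authenticator: the Registration Request
    followed by the extension's own Type, Length and SPI."""
    if not 256 <= spi <= 0xFFFFFFFF:   # range documented for mn-ha-spi
        raise ValueError("SPI must be 256 through 4294967295")
    return rrq + struct.pack("!BBI", MN_HA_AUTH_EXT, 4 + MD5_LEN, spi)


def authenticator(algorithm: str, key: bytes, rrq: bytes, spi: int) -> bytes:
    """Keyed digest over the protected fields for the chosen algorithm."""
    data = protected_fields(rrq, spi)
    if algorithm == "hmac-md5":
        return hmac.new(key, data, hashlib.md5).digest()
    if algorithm == "rfc2002-md5":
        # Assumption: this keyword means RFC 2002 "prefix+suffix" keyed MD5.
        return hashlib.md5(key + data + key).digest()
    # The page does not define the plain "md5" keyword, so it is not modelled.
    raise ValueError("algorithm not modelled: " + algorithm)


def sign(algorithm: str, key: bytes, rrq: bytes, spi: int) -> bytes:
    """Return the Registration Request with the extension appended."""
    return protected_fields(rrq, spi) + authenticator(algorithm, key, rrq, spi)


def verify(algorithm: str, key: bytes, message: bytes, spi: int) -> bool:
    """Check the trailing extension against the locally configured
    algorithm, shared key and SPI, as the receiving side would."""
    if len(message) <= EXT_LEN:
        return False
    rrq, ext = message[:-EXT_LEN], message[-EXT_LEN:]
    if ext[:6] != struct.pack("!BBI", MN_HA_AUTH_EXT, 4 + MD5_LEN, spi):
        return False
    expected = authenticator(algorithm, key, rrq, spi)
    return hmac.compare_digest(ext[6:], expected)   # constant-time compare


def sample_rrq(lifetime: int = 1800) -> bytes:
    """Constructed fixed-length Registration Request (24 bytes)."""
    return struct.pack(
        "!BBH4s4s4sQ",
        1, 0, lifetime,                       # type, flags, lifetime
        socket.inet_aton("192.0.2.10"),       # home address (constructed)
        socket.inet_aton("192.168.1.15"),     # HA address from the page example
        socket.inet_aton("192.0.2.20"),       # care-of address (constructed)
        0x0123456789ABCDEF,                   # identification (constructed)
    )


SAMPLE_KEY = b"ConstructedKey0001"   # constructed, 18 characters
SAMPLE_SPI = 4096                    # constructed, inside 256..4294967295

if __name__ == "__main__":
    msg = sign("hmac-md5", SAMPLE_KEY, sample_rrq(), SAMPLE_SPI)
    print("valid message accepted:", verify("hmac-md5", SAMPLE_KEY, msg, SAMPLE_SPI))
    forged = sample_rrq(lifetime=65535) + msg[24:]
    print("altered lifetime accepted:", verify("hmac-md5", SAMPLE_KEY, forged, SAMPLE_SPI))
    print("algorithm mismatch accepted:", verify("rfc2002-md5", SAMPLE_KEY, msg, SAMPLE_SPI))
```

Both ends must agree on all three values: a mismatch in algorithm, key or SPI fails verification in the same way as a modified message.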

mobile-ip required

Enables support for Mobile IP functionality for all PDP contexts facilitated by the current APN.

Platform:

ASR 5000

Product:

GGSN, FA, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] mobile-ip required
default

Applies the default setting for mobile-ip for the APN. Default is disabled.

no

Disables mobile-ip for the APN.


Usage:

Mobile IP functionality for IP PDP contexts is only supported at the APN-level. This command enables or disables Mobile IP support for the APN.

When Mobile IP is performed, the system authenticates the subscriber and the Mobile IP FA.

If this option is enabled, the system deletes all PDP contexts attempting to access the APN for which a Mobile IP session cannot be established.

mobile-ip reverse-tunnel

Configures the system to support reverse-tunneling for Mobile IP sessions facilitated by the current APN.

Platform:

ASR 5000

Product:

GGSN, FA, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] mobile-ip reverse-tunnel
default

Designates the default reverse tunnel for the APN. The default is enabled.

no

Disables this functionality.


Usage:

Use this command to enable support for Mobile IP reverse tunneling for the APN. Reverse tunneling is enabled by default.

nai-construction

Configures the Network Access Identifier (NAI) construction parameters on a per-APN basis only, rather than per AAA group, when constructed NAI authentication is enabled.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
nai-construction { imsi | msisdn } [ override-null-username ] [ encrypted password encrypt_password | use-shared-secret-password | password password ]
no nai-construction
no

Disables the NAI construction at the APN level.

imsi

Enables NAI construction using IMSI for authentication for a user. GGSN constructs NAI using IMSI when no user-name is received. This is the default setting. Default: Enabled

msisdn

Enables NAI construction using Mobile Station International ISDN Number (MSISDN) for authentication for a user. GGSN constructs NAI using MSISDN when no user-name is received.

override-null-username

Enables NAI construction using IMSI/MSISDN for authentication for a user or when empty user name is received.

encrypted password

Specifies that an encrypted password is to be used for this NAI-constructed user. encrypt_password is an alphanumeric string of 0 through 63 characters.

password

Configures the authentication user-password for this NAI-constructed user. password is an alphanumeric string of 0 through 63 characters.

use-shared-secret-password

Specifies use of the RADIUS authentication shared secret password for this NAI-constructed user.


Usage:

NAI-construction defines the behavior for construction at the APN level. If defined for a particular APN, this command works independently and overwrites the behavior of aaa constructed-nai defined at the context level for calls involving this APN.

Note that NAI construction using IMSI or MSISDN, where either no user name is received or a blank user name is received for authentication, is applicable only when NAI constructed authentication is enabled using the aaa nai-construction authentication command in Context Configuration Mode.


Example:
The following command enables NAI-construction using IMSI as the authentication type with an encrypted password:
nai-construction imsi encrypted password s1289sf980333jwwdo97342

nbns

Configures and enables use of NetBios Name Service (NBNS) for the APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] nbns { primary | secondary } IP_address
no

Removes/disables use of a previously configured NetBios Name Service.

primary

Designates primary NBNS server. Must be followed with an IPv4 address in dotted-decimal notation.

secondary

Designates secondary/failover NBNS server. Must be followed with an IPv4 address in dotted-decimal notation.

IP_address

Specifies the IP address in IPv4 dotted-decimal notation.


Usage:

This command specifies NBNS parameters. The NBNS option is present for both pdp type IP and pdp type PPP for GGSN.

The system can be configured to use NetBios Name Service for the APN.


Example:
The following command configures the APN’s NetBios Name Service to primary IP 192.168.1.15.
nbns primary 192.168.1.15

nexthop-forwarding-address

Configures the next hop forwarding address for the APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
nexthop-forwarding-address ip_address
no nexthop-forwarding-address
no

Disables this function. This is the default setting.

ip_address

Specifies the IP address of the nexthop forwarding address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.


Usage:

Use this command to configure the next hop forwarding address for the APN.


Example:
The following command configures the next hop forwarding address to 10.1.1.1:
nexthop-forwarding-address 10.1.1.1

npu qos

Configures an NPU QoS priority queue for packets facilitated by the APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
npu qos traffic priority { best-effort | bronze | derive-from-packet-dscp | gold | silver }
default npu qos traffic priority
default

Configures the default NPU QoS traffic priority.

traffic priority { best-effort | bronze | derive-from-packet-dscp | gold | silver }

best-effort: Assigns the best-effort queue priority. This is the lowest priority.

bronze: Assigns the bronze queue priority. This is the third-highest priority.

derive-from-packet-dscp: Specifies that the priority is to be determined from the DSCP (Differentiated Services Code Point) field in the packet's TOS octet. Default: Enabled

gold: Assigns the gold queue priority. This is the highest priority.

silver: Assigns the silver queue priority. This is the second-highest priority.


Usage:

This command is used in conjunction with the Network Processing Unit (NPU) Quality of Service (QoS) functionality.

The system can be configured to determine the priority of a subscriber packet either based on the configuration of the APN, or from the differentiated service (DS) field in the packet's TOS octet (representing the differentiated service code point (DSCP) value).

Refer to the GGSN Administration Guide for additional information on NPU QoS functionality.


Example:
The following command configures the APN’s priority queue to be gold:
npu qos traffic priority gold

outbound

Configures the APN host username and password.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
outbound { [ encrypted ] password pwd | username name }
no outbound password | username
no

Removes previously configured outbound information for the APN.

encrypted

The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

password pwd

Specifies the password to use for session authentication as an alphanumeric string of 1 through 132 characters that is case sensitive.

username name

Specifies the username to use for session authentication as an alphanumeric string of 1 to 127 characters that is case sensitive.


Usage:

This command can be used to provide a username and password for authentication when the subscriber does not supply one in accordance with 3GPP standards. In addition, it can be used to create a PPP session when using L2TP to tunnel IP PDP contexts.

If only a username is specified using this command, the password is determined based on the setting of the aaa constructed-nai command in the Context Configuration mode. That command is also used to determine the password if an outbound username and password are configured for the APN when the imsi-auth keyword is specified for the authentication command in this mode.


Example:
The following commands configure an APN username of isp1 and a password of secRet123:
outbound username isp1
outbound password secRet123
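
The value limits documented for mobile-ip mn-ha-shared-key, mobile-ip mn-ha-spi and mobile-ip mn-ha-hash-algorithm, and the encrypted keyword of the outbound and nai-construction commands, can be checked offline before a configuration script is loaded. The following audit is an added example, not a Cisco tool; the rule names are hypothetical. Run over this page's own example commands, it reports that the sample shared key and SPI fall outside the documented ranges and that the outbound password is stored in clear text.

```python
import re

HASH_ALGORITHMS = ("hmac-md5", "md5", "rfc2002-md5")   # keywords from the syntax line
U32_MAX = 4294967295


def audit_apn_config(text):
    """Return (line_number, rule, message) findings for APN-mode commands.
    Secret values are never echoed into the findings."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if len(tok) < 2 or tok[0] in ("no", "default"):
            continue
        arg = tok[2] if len(tok) > 2 else ""
        if tok[:2] == ["mobile-ip", "mn-ha-shared-key"]:
            if not 16 <= len(arg) <= 127:
                findings.append((n, "KEY-LEN",
                                 f"key has {len(arg)} characters, documented range is 16-127"))
            elif arg.startswith("0x"):
                if not re.fullmatch(r"[0-9A-Fa-f]+", arg[2:]):
                    findings.append((n, "KEY-HEX", "0x key contains non-hex characters"))
            elif not re.fullmatch(r"[A-Za-z0-9]+", arg):
                findings.append((n, "KEY-CHARSET", "key is not alphanumeric"))
        elif tok[:2] == ["mobile-ip", "mn-ha-spi"]:
            if not (arg.isdigit() and 256 <= int(arg) <= U32_MAX):
                findings.append((n, "SPI-RANGE",
                                 "SPI is outside the documented range 256-4294967295"))
        elif tok[:2] == ["mobile-ip", "mn-ha-hash-algorithm"]:
            if arg not in HASH_ALGORITHMS:
                findings.append((n, "HASH-UNKNOWN", "algorithm keyword not in syntax"))
            elif arg != "hmac-md5":
                findings.append((n, "HASH-NONDEFAULT",
                                 f"{arg} selected instead of the default hmac-md5"))
        elif tok[:2] == ["outbound", "password"]:
            # Without the encrypted keyword the value is the plain-text password.
            findings.append((n, "CLEARTEXT-PASSWORD",
                             "outbound password present without the encrypted keyword"))
        elif tok[0] == "nai-construction" and "password" in tok and "encrypted" not in tok:
            findings.append((n, "CLEARTEXT-PASSWORD",
                             "nai-construction password present without the encrypted keyword"))
    return findings


# Example commands copied from this page.
PAGE_EXAMPLES = "\n".join([
    "mobile-ip mn-ha-hash-algorithm md5",
    "mobile-ip mn-ha-shared-key sfd23408imi9yn",
    "mobile-ip mn-ha-spi 15111111111111111111111111111111",
    "outbound username isp1",
    "outbound password secRet123",
])

# Constructed configuration that satisfies every documented limit.
CLEAN_EXAMPLE = "\n".join([
    "mobile-ip mn-ha-hash-algorithm hmac-md5",
    "mobile-ip mn-ha-shared-key 0x00112233445566778899aabbccddeeff",
    "mobile-ip mn-ha-spi 256",
    "outbound username isp1",
    "outbound encrypted password PLACEHOLDERCIPHERTEXT",
    "nai-construction imsi encrypted password PLACEHOLDERCIPHERTEXT",
])

if __name__ == "__main__":
    for line_no, rule, message in audit_apn_config(PAGE_EXAMPLES):
        print(f"line {line_no}: {rule}: {message}")
```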

pdp-type

Configures the type of PDP contexts that are supported by this APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
pdp-type { ipv4 [ ipv6 ] | ipv6 [ ipv4 ] | ppp }
default pdp-type
default

Configures the default PDP type, IPv4, for the APN.

ipv4 [ ipv6 ]

Enables support for IPv4 PDP contexts. Also enables support for IPv6 if the IPv6 optional keyword is entered in this command. Default: Enabled

IMPORTANT:

Entering both IPv4 and IPv6 in either order enables support for both.

ipv6 [ ipv4 ]

Enables support for IPv6 PDP contexts. Also enables support for IPv4 if the optional ipv4 keyword is entered in this command. Default: Disabled

IMPORTANT:

Entering both IPv4 and IPv6 in either order enables support for both.

ppp

Enables support for PPP PDP contexts. Default: Disabled


Usage:

IP PDP context types are those in which the MS is communicating with a PDN such as the Internet or an intranet using IP. PPP PDP contexts are those in which PPP or PPP Network Control Protocol (NCP) frames from the MS are either terminated at, or forwarded by the GGSN.

If a session specifies a PDP type that is not supported by the APN, the system rejects the session with a cause code of 220 (DCH, Unknown PDP address or PDP type).

CAUTION:

For the IPv6 calls to work, the destination context must have at least one IPv6 interface configured.


Example:
The following command configures the APN to support PPP context types:
pdp-type ppp

permission

Enables the ability to use network mobility service (NEMO) functionality for the current APN.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] permission nemo
default permission
no | default

Disables the ability to use NEMO functionality.

nemo

Enables the ability to use NEMO functionality.


Usage:

Use this command to enable support for NEMO functionality on the APN. NEMO is disabled by default.


Example:
The following command enables NEMO functionality:
permission nemo
The following command disables NEMO functionality:
no permission nemo

policy

Configures the Mobile IPv6 policy to set the action to be taken when IPv4/IPv6 subscriber packets need to be tunneled and the encapsulated packets exceed the tunnel maximum transmission unit (MTU).

Platform:

ASR 5000

Product:

P-GW


Privilege:

Security Administrator, Administrator


Syntax
policy ipv6 tunnel mtu exceed { fragment [ inner ] | notify-sender }
[ default | no ] policy ipv6 tunnel mtu exceed
default

IPv6: System will do a Path MTU (PMTU) discovery and send “ICMPv6 Packet Too Big” to the original sender if the subscriber packet exceeds MTU after encapsulation.

IPv4: System will do an outer IPv6 fragmentation if the packet exceeds MTU after encapsulation.

no

Disables this functionality.

ipv6 tunnel mtu exceed { fragment [ inner ] | notify-sender }

fragment: System will do an outer IPv6 fragmentation if the subscriber packet exceeds MTU after encapsulation.

inner:

IPv6: System will do a PMTU discovery and send “ICMPv6 Packet Too Big” to the original sender if the subscriber packet exceeds MTU after encapsulation.

IPv4: If packet will exceed tunnel MTU after encapsulation, based on DF bit and ignore-df config, the original IPv4 packet will be fragmented and then encapsulated so that it will not exceed MTU, or ICMP Error will be sent if IPv4 packet fragmentation is not allowed.

notify-sender:

IPv6: System will do a PMTU discovery and send “ICMPv6 Packet Too Big” to the original sender if subscriber packet exceeds MTU after encapsulation.

IPv4: System will do an outer IPv6 fragmentation if packet exceeds MTU after encapsulation.


Usage:

This command sets the Mobile IPv6 policy for the action to be taken when IPv4/IPv6 subscriber packets need to be tunneled and the encapsulated packets exceed tunnel MTU size.


Example:
The following command causes the system to do outer IPv6 fragmentation if the subscriber packet exceeds MTU after encapsulation:
policy ipv6 tunnel mtu exceed fragment

ppp

Configures the Point-to-Point Protocol (PPP) options for the current APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
ppp { data-compression { protocols protocols | mode modes } | keepalive seconds | min-compression-size min_octets | mtu max_octets }
default ppp { data-compression protocols | keepalive | min-compression-size | mtu }
no ppp { data-compression protocols | keepalive seconds | mtu }
default

Configures the default PPP parameters for the specified APN.

no

Resets the option specified to its default setting.

data-compression { mode modes | protocols protocols }

Configures the data compression or the compression protocol to use for the APN. Default: all protocols enabled

mode modes: Sets the compression mode to one of the following:
  • normal: Packets are compressed using the packet history for automatic adjustment and for best compression.
  • stateless: Each packet is compressed individually.
protocols protocols: Sets the compression protocol to one of the following:
  • deflate: DEFLATE algorithm
  • mppc: Microsoft Point-to-Point Compression
  • stac: STAC LZS algorithm
keepalive seconds

Specifies the frequency of sending the Link Control Protocol (LCP) keepalive messages. seconds must be either 0 or an integer from 5 through 14400. The special value 0 disables the keepalive messages entirely. Default: 30

min-compression-size min_octets

Specifies the smallest packet to which compression may be applied as an integer from 0 through 2000. Default: 128

mtu max_octets

Specifies the maximum transmission unit (MTU) for packets accessing the APN as an integer from 100 through 2000. Default: 1500

IMPORTANT:

The MTU refers to the PPP payload which excludes the two PPP octets. Therefore, an MTU of 1500 corresponds to the 3GPP standard MTU of 1502 for GTP packets with PPP payloads.


Usage:

Adjust packet sizes and compression to improve bandwidth utilization. Each network may have unique characteristics such that determining the best packet size and compression options may require system monitoring over an extended period of time.


Example:
The following command configures the ppp data-compression mode for the APN to be stateless:
ppp data-compression mode stateless
The following command configures an MTU of 500 for the APN:
ppp mtu 500

proxy-mip

Configures support for Proxy Mobile IP functionality for the APN.

Platform:

ASR 5000

Product:

GGSN, FA, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] proxy-mip { required | null-username static-homeaddr }
default

Configures the default proxy MIP setting for the specified APN.

no

Disables this functionality.

required

Default: Disabled.

Enables proxy-mip for all subscribers using this APN.

null-username static-homeaddr

Configures handling of RRQ to enable the acceptance without an NAI extension in this APN. Default: Disabled


Usage:

This command requires that Proxy Mobile IP functionality be performed for all PDP contexts facilitated by the APN.

When Proxy Mobile IP is performed, the system performs subscriber authentication but not Mobile IP FA authentication. It can also be configured to handle RRQs without an NAI extension in an APN.

More information about Proxy Mobile IP support for the GGSN can be found in the GGSN Administration Guide.


Example:
The following command causes the system to support Proxy Mobile IP for all PDP contexts facilitated by the APN:
proxy-mip required
The following command enables acceptance of RRQs without NAI extensions in this APN:
proxy-mip null-username static-homeaddr

qos negotiate-limit

Configures the QoS profile to provide the peak and committed data rate limits that the GGSN assigns to the APN. The GGSN sends the QoS profile to the SGSNs in response to GTP Create/Update PDP Context requests for traffic shaping and policing functionality.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
qos negotiate-limit direction { downlink | uplink } [ qci qci_val ] [ peak-data-rate bps [ committed-data-rate bps ] | committed-data-rate bps [ peak-data-rate bps ] ]
no qos negotiate-limit direction { downlink | uplink } [ qci qci_val ]
no

Disables the QoS Profile for the APN.

IMPORTANT:

When no QoS Profile is configured, the system’s default behavior is to use the information provided by the SGSN.

direction { downlink | uplink }

downlink: Apply the specified limits and actions to the downlink (to-Gn direction).

uplink: Apply the specified limits and actions to the uplink (to-Gi direction).

qci qci_val

qci_val is the QoS Class Identifier (QCI) for which the negotiate limit is being set. QCI ranges from 1 to 9. If no qci-val is configured, it will be handled as an undefined-qci (same as undefined-qos class).

committed-data-rate bps

Default: See the Usage section for this command

The committed data rate (guaranteed-data-rate) in bps (bits per second).

bps must be an integer from 1 through 16000000 for the downlink direction or 1 through 8640000 for the uplink direction. The value must also correspond to one of the permitted values identified in the tables below. If a non-permitted value is entered for this parameter, the system rounds the value to the nearest lower supported value, except in the case where the value is less than 1,000 bps. In this case, the system rounds the value to 1,000 bps. In addition, if the configured committed rate is lower than the value configured for the peak-data-rate, the system uses the configured peak rate for this parameter.

IMPORTANT:

System measurements for this value exclude the GTP and outer packet headers. In addition, some traffic classes have both a committed rate and a peak rate, while other traffic classes have just a peak rate. If a committed rate is not applicable (such as, the traffic class is background or interactive), an error occurs if this option is configured. If the committed-rate is applicable (such as, the traffic class is conversational or streaming), the values supplied by the SGSN are used if this option is not configured.

peak-data-rate bps

Default: See the Usage section for this command

Specifies the peak data-rate for the subscriber in bps (bits per second).

bps must be an integer from 1 through 16000000 for the downlink direction or 1 through 8640000 for the uplink direction. The value must also correspond to one of the permitted values identified in the tables below. If a non-permitted value is entered for this parameter, the system rounds the value to the nearest lower supported value, except in the case where value is less than 1,000 bps. In this case, the system rounds the value to 1,000 bps.


Usage:

This command configures the APN quality of service (QoS) profile. This feature enables configuring and enforcing bandwidth limitations on individual PDP contexts of a particular traffic class. Traffic classes are defined in 3GPP TS 23.107 and are negotiated during PDP context activation. Bandwidth enforcement is configured and enforced independently for the downlink and the uplink directions.

The profile information is sent to the SGSN(s) in response to GTP Create/Update PDP Context Request messages. If the QoS profile requested by the SGSN is lower than the configured QoS profile, the profile requested by the SGSN is used. If the QoS profile requested by the SGSN is higher, the configured rates are used.

Note that the values for the uplink/downlink committed-data-rate and peak-data-rate parameters are exchanged in the GTP messages between the GGSN and the SGSN. Therefore, the values used may be lower than the configured values. When negotiating the rate with the SGSN(s), the system converts the configured rate to a value that is permitted by GTP, as shown in the tables below.


Table 4. Permitted Values for Committed and Peak Data Rates in GTP Messages
Value (bps) | Increment Granularity (bps)
From 1,000 to 63,000 | 1,000 (e.g. 1000, 2000, 3000, ... 63000)
From 64,000 to 568,000 | 8,000 (e.g. 64000, 72000, 80000, ... 568000)
From 576,000 to 8,640,000 | 64,000 (e.g. 576000, 640000, 704000, ... 8640000)
From 8,700,000 to 16,000,000 | 100,000 (e.g. 8700000, 8800000, 8900000, ... 16000000)



The command can be entered multiple times to specify different combinations of direction and class. If this command is not configured at all, the GGSN does not perform traffic policing or QoS negotiation with the SGSN (that is, it accepts all of the SGSN-provided values for the PDP context).

IMPORTANT:

This command should be used in conjunction with the max-contexts command to limit the maximum possible bandwidth consumption by the APN.

Additional information on the QoS traffic shaping functionality is located in the System Administration Guide.
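
The rounding rule for peak-data-rate and committed-data-rate, the Table 4 increments and the negotiation rule from the Usage text can be worked through as follows. This is an added example, not system code: the function names are hypothetical, and the bandwidth ceiling assumes that every context counted by max-contexts runs at the negotiated peak rate.

```python
# (first value, last value, increment) for each row of Table 4, in bps
GTP_RATE_STEPS = [
    (1_000, 63_000, 1_000),
    (64_000, 568_000, 8_000),
    (576_000, 8_640_000, 64_000),
    (8_700_000, 16_000_000, 100_000),
]

# Upper bound of the bps argument per direction, from the keyword description
MAX_RATE = {"downlink": 16_000_000, "uplink": 8_640_000}


def permitted_rate(bps: int, direction: str) -> int:
    """Round a configured rate to the nearest lower value that GTP can
    carry; anything under 1,000 bps is raised to 1,000 bps."""
    if direction not in MAX_RATE:
        raise ValueError("direction must be downlink or uplink")
    if not 1 <= bps <= MAX_RATE[direction]:
        raise ValueError(f"{direction} rate must be 1 through {MAX_RATE[direction]}")
    if bps < 1_000:
        return 1_000
    chosen = 1_000
    for first, last, step in GTP_RATE_STEPS:
        if bps < first:
            break   # value lies in the gap below this row: keep the previous row's top
        chosen = min(first + (bps - first) // step * step, last)
    return chosen


def negotiated_rate(configured_bps: int, sgsn_requested_bps: int, direction: str) -> int:
    """Rate returned to the SGSN: its own request when that is lower than
    the configured limit, otherwise the (rounded) configured limit."""
    return min(permitted_rate(configured_bps, direction), sgsn_requested_bps)


def apn_peak_ceiling(contexts: int, peak_bps: int, direction: str) -> int:
    """Worst-case aggregate rate for the APN in one direction when the
    number of contexts is capped (assumption: all contexts at peak)."""
    return contexts * permitted_rate(peak_bps, direction)


if __name__ == "__main__":
    # 128000 is the uplink peak rate used in this command's example.
    for value in (500, 63_500, 128_000, 130_000, 570_000):
        print(value, "->", permitted_rate(value, "uplink"))
    print("SGSN asks 256000, limit 130000 ->", negotiated_rate(130_000, 256_000, "uplink"))
    print("SGSN asks 64000, limit 130000 ->", negotiated_rate(130_000, 64_000, "uplink"))
    print("ceiling for 1000 contexts:", apn_peak_ceiling(1000, 128_000, "uplink"), "bps")
```

A configured value that falls between two rows of the table, such as 570000, is enforced as the top of the lower row (568000), so the effective limit can be lower than the number entered.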

Default Values:


Example:
The following command sets an uplink peak data rate of 128000 bps for QoS negotiation limit:
qos negotiate-limit direction uplink peak-data-rate 128000

qos rate-limit

Configures the action on a subscriber traffic flow that violates or exceeds the peak/committed data rate under traffic policing/shaping functionality.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
qos rate-limit direction { downlink | uplink } [ qci qci_val ] [ burst-size { bytes | auto-readjust [ duration dur ] } ] [ exceed-action { drop | lower-ip-precedence | transmit } [ violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit } ] ] | [ violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit } [ exceed-action { drop | lower-ip-precedence | transmit } ] ] +
no qos rate-limit direction { downlink | uplink } [ qci qci_val ]
no

Disables the QoS data rate limit configuration for the APN.

IMPORTANT:

When no QoS Profile is configured, the system defaults to using the information provided by the SGSN.

qos rate-limit direction { downlink | uplink }

downlink: Apply the specified limits and actions to the downlink (the Gn direction).

uplink: Apply the specified limits and actions to the uplink (the Gi direction).

qci qci_val

qci_val is the QoS Class Identifier (QCI) for which the negotiate limit is being set. QCI ranges from 1 to 9. If no qci-val is configured, it will be handled as an undefined-qci (same as undefined-qos class).

burst-size { bytes | auto-readjust [ duration dur ] }

Default: See Usage section for this command

The burst size allowed, in bytes for peak data rate and committed data rate.

bytes must be an integer from 1 through 6000000.

IMPORTANT:

It is recommended that the minimum value of this parameter be configured to the greater of the following two values: 1) three times greater than packet MTU for the subscriber connection, OR 2) 3 seconds worth of token accumulation within the “bucket” for the configured peak-data-rate. In addition, if the committed-data-rate parameter is specified, the burst-size is applied to both the committed and peak rates.

The auto-readjust [ duration dur ] keyword provides the option to calculate the burst size dynamically while configuring the rate-limit. Whenever this keyword is enabled to calculate burst size, the GGSN QoS negotiated rate is enforced for this calculation.

Whenever there is a change in the rates (due to a QoS update), the burst sizes will be updated accordingly.

This keyword also provides two different burst sizes. One burst size for peak rate and another for committed rate.

By default this keyword is disabled.

duration dur describes the duration of the burst in seconds. If the duration is not specified, this keyword uses 1 second as the default value. dur must be an integer from 1 through 30.

exceed-action { drop | lower-ip-precedence | transmit }

Default: See the Usage section for this command

The action to take on the packets that exceed the committed-data-rate but do not violate the peak-data-rate. The following actions are supported:
  • drop: Drop the packet
  • lower-ip-precedence: Transmit the packet after lowering the ip-precedence
  • transmit: Transmit the packet

violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit }

Default: See the Usage section for this command

The action to take on the packets that exceed both the committed-data-rate and the peak-data-rate. The following actions are supported:

drop: Drop the packet

lower-ip-precedence: Transmit the packet after lowering the IP precedence

shape [ transmit-when-buffer-full ]: Enables traffic shaping and provides the buffering of user packets when subscriber traffic violates the allowed peak/committed data rate. The transmit-when-buffer-full keyword allows the packet to be transmitted when buffer memory is full.

transmit: Transmit the packet

+

More than one of the above keywords can be entered within a single command.


Usage:

This command configures APN quality of service (QoS) data rate shaping through traffic policing/shaping. This command enables the actions on subscriber flows exceeding or violating the allowed peak/committed data rate. The shaping function also provides an enhanced function that buffers the excessive user packets and sends them to the subscriber when subscriber traffic goes below the committed or peak data rate limit.

IMPORTANT:

The user packet buffer function in traffic shaping is not applicable for real-time traffic.

IMPORTANT:

If the exceed/violate action is set to “lower-ip-precedence”, this command may override the configuration of the ip qos-dscp command in the GGSN Service Configuration mode for packets from the GGSN to the SGSN. In addition, the GGSN service ip qos-dscp command configuration can override the APN setting for packets from the GGSN to the Internet. Therefore, it is recommended that this command not be used in conjunction with this action.

The command can be entered multiple times to specify different combinations of direction and class. If this command is not configured at all, the GGSN does not perform traffic policing or QoS negotiation with the SGSN. (It accepts all of the SGSN-provided values for the PDP context.)

IMPORTANT:

This command should be used in conjunction with the max-contexts command to limit the maximum possible bandwidth consumption by the APN.

To calculate the burst size dynamically an optional keyword auto-readjust [ duration dur ] is provided with the burst-size keyword. By default the burst size is fixed if defined in bytes with this command. Regardless of the rate being enforced, burst-size is fixed as set by the burst-size bytes parameter.

The auto-readjust [ duration dur ] keyword enables variable burst size depending on the rate being enforced. The system calculates burst size using a per token bucket algorithm calculation as T=B/R, where T is the time interval, B is the burst size and R is the rate being enforced. It also provides different burst sizes for peak and committed data rate-limiting.

If the auto-readjust keyword is not used, a fixed burst size must be defined which will be applicable for peak data rate and committed data rate regardless of the rate being enforced.

If the auto-readjust keyword is provided without specifying the duration, a default duration of 1 second will be used for burst size calculation.


Example:
The following command lowers the IP precedence when the committed-data-rate and the peak-data-rate are violated in uplink direction:
qos rate-limit direction uplink violate-action lower-ip-precedence
The following command buffers the excess user packets when the subscriber traffic violates the configured peak or committed data-rate bps in uplink direction. Once the peak/committed data rate for that subscriber goes below the configured limit, the system transmits the packets. It also transmits them if buffer memory is full:
qos rate-limit direction uplink violate-action shape transmit-when-buffer-full
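The following Python model is an added example, not code from the product or its documentation. It shows how a packet comes to be classed as exceeding (over the committed rate, within the peak rate) or violating (over both), and how the burst-size guidance above works out in bytes. It assumes rates in bits per second and an RFC 2698 style two-bucket policer, which this page does not confirm; the shape action is not modelled, and all function and class names are hypothetical.

```python
"""Two-rate policer sketch for the exceed/violate behaviour of qos rate-limit (constructed example)."""

ACTIONS = {"drop", "lower-ip-precedence", "transmit"}  # "shape" (buffering) is not modelled


def auto_readjust_burst(rate_bps, duration_s=1):
    """Burst size in bytes from T = B/R, i.e. B = R * T (auto-readjust, default duration 1 s).

    Assumption: the enforced rate is in bits per second, hence the division by 8.
    """
    if not 1 <= duration_s <= 30:
        raise ValueError("duration must be an integer from 1 through 30")
    return rate_bps * duration_s // 8


def recommended_min_burst(mtu_bytes, peak_rate_bps):
    """Greater of 3 x packet MTU and 3 seconds of token accumulation at the peak rate."""
    return max(3 * mtu_bytes, auto_readjust_burst(peak_rate_bps, 3))


class TwoRatePolicer:
    """Committed and peak token buckets, both starting full (assumed RFC 2698 style)."""

    def __init__(self, committed_bps, peak_bps, committed_burst, peak_burst,
                 exceed_action, violate_action):
        if exceed_action not in ACTIONS or violate_action not in ACTIONS:
            raise ValueError("unsupported action")
        self.cir, self.pir = committed_bps / 8, peak_bps / 8    # bytes per second
        self.cbs, self.pbs = committed_burst, peak_burst        # bucket depths in bytes
        self.tc, self.tp = float(committed_burst), float(peak_burst)
        self.last = 0.0
        self.exceed_action, self.violate_action = exceed_action, violate_action

    def police(self, now, size):
        """Return (verdict, action) for a packet of `size` bytes arriving at `now` seconds."""
        elapsed, self.last = now - self.last, now
        # Refill both buckets for the elapsed time, capped at the configured burst size.
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if size > self.tp:                  # over the peak rate as well: violate
            return "violate", self.violate_action
        self.tp -= size
        if size > self.tc:                  # over committed, still within peak: exceed
            return "exceed", self.exceed_action
        self.tc -= size
        return "conform", "transmit"


def run_demo():
    committed, peak = 8000, 16000           # constructed rates in bps
    policer = TwoRatePolicer(committed, peak,
                             auto_readjust_burst(committed), auto_readjust_burst(peak),
                             exceed_action="transmit", violate_action="drop")
    # Constructed traffic: five back-to-back 500-byte packets, then one after 0.5 s.
    arrivals = [(0.0, 500)] * 5 + [(0.5, 500)]
    return [policer.police(t, size) for t, size in arrivals]


if __name__ == "__main__":
    for verdict, action in run_demo():
        print(f"{verdict:8} -> {action}")
    print("recommended minimum burst:", recommended_min_burst(1500, 16000), "bytes")
```

With a 1-second auto-readjust duration the committed bucket empties after two packets and the peak bucket after four, so the fifth packet is the first to hit the violate action.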
qos-renegotiate

This keyword is obsolete.

Platform:

ASR 5000

qos traffic-police

This command is obsolete. This functionality is now supported through qos negotiate-limit and qos rate-limit commands.

radius

This command is obsolete.

radius group

This command is obsolete.

radius returned-framed-ip-address

Sets the policy on whether to reject a call when the RADIUS server supplies 255.255.255.255 as the framed IP address and the MS does not supply an address.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
radius returned-framed-ip-address 255.255.255.255-policy { accept-call-when-ms-ip-not-supplied | reject-call-when-ms-ip-not-supplied }
default radius returned-framed-ip-address 255.255.255.255-policy
default

Sets the policy to its default of rejecting calls when the RADIUS server does not supply a framed IP address and the MS does not supply an address.

{ accept-call-when-ms-ip-not-supplied | reject-call-when-ms-ip-not-supplied }

accept-call-when-ms-ip-not-supplied: Accept calls when the RADIUS server does not supply a framed IP address and the MS does not supply an address.

reject-call-when-ms-ip-not-supplied: Reject calls when the RADIUS server does not supply a framed IP address and the MS does not supply an address.


Usage:

Use this command to set the behavior in the APN when the RADIUS server supplies 255.255.255.255 as the framed IP address and the MS does not supply an address.


Example:
Use the following command to set the APN to reject calls when the RADIUS server does not supply a framed IP address and the MS does not supply an address:
radius returned-framed-ip-address 255.255.255.255-policy reject-call-when-ms-ip-not-supplied

radius returned-username

Configures the username that is returned in accounting messages. If the username is not available in the Protocol Configuration Options (PCO), the RADIUS returned username is preferred to the constructed username (imsi@apn, msisdn@apn, or outbound username).

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
radius returned-username { override-constructed-username | prefer-constructed-username }
default radius returned-username
default

The default value for the RADIUS returned-username is prefer-constructed-username. The constructed username (imsi@apn, msisdn@apn) will be used.

IMPORTANT:

If the username is available in the PCO, that username will be used regardless of the setting for this command (radius returned-username).

override-constructed-username

If the RADIUS server returns a username in the Access-Accept message and that username is not available in the Protocol Configuration Options (PCO), the new username from the RADIUS server will be used.

prefer-constructed-username

If the username is not available in the PCO, a constructed username (imsi@apn, msisdn@apn) will be used regardless of the username from the RADIUS server. This is the default.


Usage:

Use this command to configure the username that is returned in accounting messages.


Example:
The following command sets the RADIUS returned-username to its default value, prefer-constructed-username (the constructed username imsi@apn, msisdn@apn is used):
default radius returned-username

restriction-value

Configures the level of restriction to ensure controlled co-existence of the Primary PDP Contexts.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
restriction-value value
[ default | no ] restriction-value
default | no

Default: no restriction-value

Entering either default or no restriction-value sets the internal value to zero (0) so that connection to any APN is allowed.

value
Specifies a unique number that identifies the type of network supported for primary PDP contexts facilitated by this APN. The following values are supported:
  • 1: Value used for Wireless Application Protocol (WAP) or Multimedia Messaging Service (MMS) type of networks. This corresponds to APN type public-1.
  • 2: Value used for Internet or Packet-Switched Public Data Network (PSPDN) type of networks. This corresponds to APN type public-2.
  • 3: Value used for corporate customers who use MMS. This corresponds to APN type private-1.
  • 4: Value used for corporate customers who do not use MMS. This corresponds to APN type private-2.

Usage:

Restricts the ability to have connections to public access and certain private APNs as required by the APN configuration. Also allows co-existence of the Primary PDP Contexts in a controlled manner.

It does not restrict the total number of Primary PDP Contexts for the user. It also configures a method for preventing hackers in the public domain from using the UE as a router.

Access is provided based on the following rules:
  • If value = 1, then PDP contexts with restriction values of 0, 1, 2, and/or 3 are allowed
  • If value = 2, then PDP contexts with restriction values of 0, 1 and/or 2 are allowed
  • If value = 3, then PDP contexts with restriction values of 0 and/or 1 are allowed
  • If value = 4, then PDP contexts with no restriction values are allowed
  • If default or no syntax is entered, then no PDP contexts have restriction

In the event that a Maximum APN Restriction value is received from the SGSN as part of a PDP Context Create (CPCR) or Update (UPCR) message, the GGSN allows the request based on the following matrix:
  • If maximum = 0, then allow connection to any APN
  • If maximum = 1, then allow APN Restriction values of 0, 1, 2, and/or 3
  • If maximum = 2, then allow APN Restriction values of 0, 1 and/or 2
  • If maximum = 3, then allow APN Restriction values of 0 and/or 1
  • If maximum = 4, then always reject
  • If maximum = anything else, then allow all APN Restriction values (1, 2, 3, and/or 4)

Refer to 3GPP 23.060 version 6.9.0 for more information.


Example:
The following command sets the restriction value of the APN to 2:
restriction-value 2
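The Maximum APN Restriction matrix above can be checked with a small model. This is an added example, not product code: the APN names and function names are hypothetical, and the rule that the SGSN reports the highest (most restrictive) value among the UE's active contexts is an assumption taken from 3GPP TS 23.060, which this page references but does not quote.

```python
"""Model of the Maximum APN Restriction matrix on this page (constructed example)."""

ALL_VALUES = {0, 1, 2, 3, 4}

# Allowed APN Restriction values per Maximum APN Restriction received from the SGSN,
# transcribed from the matrix above. Any other maximum allows all values.
ALLOWED_BY_MAXIMUM = {
    0: set(ALL_VALUES),   # allow connection to any APN
    1: {0, 1, 2, 3},
    2: {0, 1, 2},
    3: {0, 1},
    4: set(),             # always reject
}


def maximum_apn_restriction(active_values):
    """Assumption (3GPP TS 23.060): the most restrictive, i.e. highest, value among
    the UE's already active PDP contexts; 0 when there are none."""
    return max(active_values, default=0)


def ggsn_allows(maximum, apn_restriction_value):
    """True if a request carrying `maximum` may be accepted on an APN whose configured
    restriction-value is `apn_restriction_value` (0 = default / no restriction-value)."""
    if apn_restriction_value not in ALL_VALUES:
        raise ValueError("restriction-value must be 1 through 4, or 0 when unset")
    return apn_restriction_value in ALLOWED_BY_MAXIMUM.get(maximum, ALL_VALUES)


def simulate(requests):
    """Replay (apn_name, restriction_value) activation requests for one UE.

    Returns a list of (apn_name, maximum_seen, decision) tuples.
    """
    active, log = [], []
    for name, value in requests:
        maximum = maximum_apn_restriction(active)
        accepted = ggsn_allows(maximum, value)
        if accepted:
            active.append(value)
        log.append((name, maximum, "accept" if accepted else "reject"))
    return log


# Constructed scenario: a UE with a WAP context opens a corporate context and then
# tries to add an Internet context, which would let it bridge the two networks.
SCENARIO = [
    ("wap.example", 1),        # public-1
    ("corp.example", 3),       # private-1
    ("internet.example", 2),   # public-2
    ("mms.example", 1),        # public-1
]

if __name__ == "__main__":
    for name, maximum, decision in simulate(SCENARIO):
        print(f"{name:18} maximum={maximum} -> {decision}")
```

The Internet request is rejected because the active corporate context raises the maximum to 3, which admits only values 0 and 1; this is the control that keeps a UE from holding a corporate and a public Internet context at the same time.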
secondary ip pool

This command specifies a secondary IP pool to be used as backup pool for Network Address Translation (NAT).

IMPORTANT:

This command is license dependent. For more information please contact your Cisco account representative.

Platform:

ASR 5000

Product:

NAT


Privilege:

Security Administrator, Administrator


Syntax
secondary ip pool pool_name
no secondary ip pool
no

Removes the previous secondary IP pool configuration.

pool_name

Specifies the secondary IP pool name.

pool_name must be an alphanumeric string of 1 through 31 characters.


Usage:

Use this command to configure a secondary IP pool for NAT subscribers, which is not overwritten by the RADIUS supplied list. The secondary pool configured will be appended to the RADIUS supplied IP pool list / APN provided IP pool list whichever is applicable during call setup.


Example:
The following command configures a secondary IP pool named test123:
secondary ip pool test123

selection-mode

Configures the level of verification that will be used to ensure a mobile station’s subscription to use this APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
selection-mode { chosen-by-sgsn | sent-by-ms | subscribed } +
default selection-mode
default

Sets the default selection mode as “subscribed”.

chosen-by-sgsn

Default: Disabled

The MS’s subscription will not be verified and the APN will be provided by the SGSN.

sent-by-ms

Default: Disabled

The MS’s subscription will not be verified and the APN will be provided by the MS.

subscribed

Default: Enabled

The MS’s subscription will be verified by the SGSN.

+

More than one of the above keywords can be entered within a single command.


Usage:

Use this command to specify the level of verification that will be used to ensure an MS’s subscription to use this APN. This setting must match the corresponding setting on the SGSN. If the two settings are not identical, the GGSN rejects the session with a cause code of 201 (D1H, User authentication failed).


Example:
The following command specifies that the MS’s subscription will not be verified and that the APN name will be supplied by the SGSN:
selection-mode chosen-by-sgsn

timeout

Configures the session timeout values for this APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
timeout { absolute | qos-renegotiate } time
[ default | no ] timeout [ absolute | qos-renegotiate ]
default

Sets the default value for the option that follows.

no

Returns the timeout parameter to its default setting. If neither the absolute nor the idle keyword is used in conjunction with this keyword, both timeout options will be returned to their default settings.

absolute

Configures the absolute maximum time a session may exist in any state (active or idle).

qos-renegotiate

This keyword is obsolete.

time
Default:
  • absolute = 0 (Disabled)
  • qos-renegotiation = 300

Measured in seconds, the time can be configured to any integer value between 0 and 4294967295.

A time of 0 disables timeouts for this APN.


Usage:

Use this command to limit the amount of time that a subscriber session can remain connected or as a QoS renegotiation dampening timer.


Example:
The following command enables an absolute time timeout of 60000 seconds:
timeout absolute 60000

timeout bearer-inactivity

This command configures the bearer inactivity timer and the threshold value of the traffic (uplink + downlink) through an APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
timeout bearer-inactivity time volume-threshold total bytes
[ default | no ] timeout bearer-inactivity
default

Sets the bearer inactivity timer to disabled mode.

no

Removes the configured bearer inactivity timer values and traffic threshold limit.

time

Specifies the timeout duration in seconds to check inactivity on the bearer.

time must be an integer value from 3600 through 2592000.

qos-renegotiate

Configures the dampening timeout value for the QoS renegotiation (in seconds).

In the event of a QoS upgrade, the specified timeout duration will be ignored and renegotiation will start immediately.

volume-threshold total bytes

The keyword sets the volume threshold in bytes to check the low activity on the bearer. This total volume is the sum of the traffic in uplink and downlink directions.

bytes must be an integer value from 1 through 4294967295.


Usage:

Use this command to configure the bearer inactivity timer and the threshold value of the traffic (uplink + downlink) through an APN.


Example:
The following command enables the inactivity time on the bearer with a timeout duration of 7200 seconds and the total traffic volume of 256000 bytes in uplink and downlink directions as thresholds:
timeout bearer-inactivity 7200 volume-threshold total 25600

timeout idle

Configures the idle timeout duration for the long duration timer associated with a subscriber session.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
timeout idle idle_dur
no timeout idle
no

Indicates the timeout specified is to be returned to its default behavior. If no specific timeout is specified then all are set to their default behavior.

idle_dur

Default: 0

Designates the maximum duration of the session (in seconds). After expiry the system considers the session as dormant or idle and invokes the long duration timer action.

idle_dur must be an integer value in the range from 0 through 4294967295.

The special value 0 disables the timeout specified.


Usage:

Use this command to set the idle time duration after which a subscriber session is considered dormant.

Refer to the long-duration-action detection and long-duration-action disconnection commands in this chapter for additional information.


Example:
The following command sets the idle timeout duration to 450 seconds:
timeout idle 450

timeout long-duration

Configures the long duration timeout and inactivity duration for subscriber sessions.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
timeout long-duration ldt_timeout [ inactivity-time inact_timeout ]
no timeout long-duration
no

Indicates the timeout specified is to be returned to its default behavior. If no specific timeout is specified then all timeouts are set to their default behavior.

ldt_timeout

Default: 0

Designates the maximum duration of the session (in seconds) before the system automatically reports/terminates the session.

Specifies the maximum amount of time (in seconds) before the specified timeout action is initiated.

ldt_timeout must be an integer value in the range from 0 through 4294967295.

The special value 0 disables the timeout specified.

inactivity-time inact_timeout

Specifies the maximum amount of time (in seconds) before the specified session is marked as dormant.

inact_timeout must be an integer value in the range from 0 through 4294967295.

The special value 0 disables the inactivity time specified.


Usage:

Use this command to set the long duration timeout period and inactivity timer for subscriber sessions. Reduce the idle timeout to free session resources faster for use by new requests.

Refer to the long-duration-action detection and long-duration-action disconnection commands in this chapter for additional information.


Example:
The following command sets the long duration timeout duration to 300 seconds and the inactivity timer for subscriber session to 45 seconds.
timeout long-duration 300 inactivity-time 45

tpo policy

Specifies the Traffic Performance Optimization (TPO) policy for the APN.

Platform:

ASR 5000

Product:

TPO


Privilege:

Security Administrator, Administrator


Syntax
tpo policy tpo_policy_name
{ default | no } tpo policy
default

Configures the default setting.

Default: Use the default TPO policy configured in the rulebase.

no

Removes the TPO policy from the APN configuration.

tpo_policy_name

Specifies the TPO policy for the APN as an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify the TPO policy for the APN.


Example:
The following command specifies to use the TPO policy named tpo_policy_110:
tpo policy tpo_policy_110

tunnel address-policy

This command specifies the address allocation/validation policy for all tunneled calls (IP-IP, IP-GRE) except L2TP calls. This means that GGSN IP address validation could be disabled for specified incoming calls.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
tunnel address-policy { alloc-only | alloc-validate | no-alloc-validate }
default tunnel address-policy
default

Resets the tunnel address-policy to alloc-validate.

alloc-only

IP addresses are allocated locally and no validation is done.

alloc-validate

Default.

The VPN Manager allocates and validates all incoming IP addresses from a static pool of IP addresses.

no-alloc-validate

No IP address assignment or validation is done for calls arriving via L3 tunnels. Incoming static IP addresses are passed. This allows for the greatest flexibility.


Usage:

This command supports scalable solutions for Corporate APN deployment as many corporations handle their own IP address assignments. In some cases this is done to relieve the customer or the mobile operators from the necessity of reconfiguring the range of IP addresses for the IP pools at the GGSN.

For calls coming through L2TP tunnels, the command l3-to-l2-tunnel address policy as defined in the APN Configuration mode, will be in effect.


Example:
Use the following command to reset the IP address validation policy to validate against a static pool of addresses:
default tunnel address-policy
Use the following command to disable all IP address validation for calls coming through tunnels:
tunnel address-policy no-alloc-validate

tunnel gre

Configures Generic Routing Encapsulation (GRE) tunnel parameters between the GGSN and an external gateway for the APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
tunnel gre peer-address peer_address local-address local_addr [ preference num ]
no tunnel gre peer-address peer_address
no

Disables GRE tunneling for the APN.

peer-address peer_address

Specifies the IP address of the external gateway terminating the GRE tunnel.

peer_address must be expressed in dotted decimal notation.

local-address local_addr

Specifies the IP address of the interface in the destination context of the GGSN originating the GRE tunnel.

local_addr must be expressed in IPv4 dotted-decimal notation.

preference num

Default: 1

This option can be used to assign a preference to the tunnel.

preference can be configured to any integer value from 1 to 128.

IMPORTANT:

Only one GRE tunnel per APN is supported. Therefore, the preference should always be set to “1”.


Usage:

Subscriber IP payloads are encapsulated with IP/GRE headers and tunneled by the GGSN to an external gateway.


Example:
The following command configures the system to encapsulate subscriber traffic using GRE and tunnel it from a local address of 192.168.1.100 to a gateway with an IP address of 192.168.1.225:
tunnel gre peer-address 192.168.1.225 local-address 192.168.1.100 preference 1

tunnel ipip

Configures IP-in-IP tunnelling parameters between the GGSN and an external gateway for the APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
tunnel ipip peer-address peer_address local-address local_addr [ preference num ]
no tunnel ipip
no

Disables IP-in-IP tunneling for the APN.

peer-address peer_address

Specifies the IP address of the external gateway terminating the IP-in-IP tunnel.

peer_address must be expressed in IPv4 dotted-decimal notation.

local-address local_addr

Specifies the IP address of the interface in the destination context of the GGSN originating the IP-in-IP tunnel.

local_addr must be expressed in IPv4 dotted-decimal notation.

preference num

Default: 1

If multiple tunnels will be configured, this option can be used to assign a preference to the tunnel.

preference can be configured to any integer value from 1 to 128.


Usage:

Subscriber IP payloads are encapsulated with IP-in-IP headers and tunneled by the GGSN to an external gateway.


Example:
The following command configures the system to encapsulate subscriber traffic using IP-in-IP and tunnel it from a local address of 192.168.1.100 to a gateway with an IP address of 192.168.1.225:
tunnel ipip peer-address 192.168.1.225 local-address 192.168.1.100 preference 1

tunnel ipsec

This command configures sessions for the current APN to use an Internet Protocol Security (IPSec) tunnel based on the IP pool corresponding to the subscriber’s assigned IP address.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tunnel ipsec use-policy-matching-ip-pool
no

Disables the use of the IPSec policy that matches the IP pool that the assigned IP address relates to.


Usage:

Use this command to set the APN to use an IPSec policy that is assigned to the IP pool that the subscriber’s assigned IP address relates to.


Example:
The following command enables the use of the policy that matches the IP pool address:
tunnel ipsec use-policy-matching-ip-pool

tunnel l2tp

Configures Layer 2 Tunnelling Protocol (L2TP) parameters between the GGSN and an external gateway for the APN.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
tunnel l2tp [ peer-address lns-address [ [ encrypted ] secret l2tp_secret ] [ preference num ] [ tunnel-context name ] [ local-address ip-address ] [ crypto-map map_name { [ encrypted ] isakmp-secret crypto_secret } ] [ local-hostname hostname ] ]
no tunnel [ peer-address lns-address ]
no

Disables L2TP, or secure L2TP tunneling for the APN if a specific peer-address is not specified, or, if a peer-address is specified, this keyword removes the peer-address configuration from the APN.

peer-address lns-address

Specifies the IP address of the LNS node that the LAC service connects to.

lns-address must be expressed in IPv4 dotted-decimal notation.

IMPORTANT:

A maximum of four LNS peers can be configured per APN.

encrypted

This keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret. Only the encrypted secret is saved as part of the configuration file.

secret l2tp_secret

Specifies the shared secret (password) between the L2TP Access Concentrator (LAC) service (configured on the system) and the LNS node.

l2tp_secret must be an alphanumeric string of 1 through 127 characters and is case sensitive.

preference num

Default: 1

Specifies the preference of the tunnel if the LAC service communicates with multiple LNS nodes.

preference can be configured to any integer value from 1 to 128.

tunnel-context name

Specifies the name of the destination context on the system in which the LAC service(s) is configured.

name must be an alphanumeric string of 1 through 79 characters and is case sensitive.

IMPORTANT:

If this option is not configured, the system will attempt to determine the name of the destination context from the ip context-name parameter configured for the APN.

local-address ip-address

Specifies the IP address of an interface that is bound to a LAC service. This is a mechanism to dictate which LAC service to use to facilitate the subscriber’s L2TP session.

ip-address is the IP address of the interface in IPv4 dotted-decimal notation.

IMPORTANT:

If the address configured does not exist or is not bound to a LAC service, the system will automatically choose a LAC service to use.

local-hostname hostname

This keyword configures LAC-Hostname to be used for the communication with the LNS peer for this APN.

When Tunnel parameters are not received from the RADIUS server, Tunnel parameters configured in APN are considered for the LNS peer selection. When APN Configuration is selected, local-hostname configured with the “tunnel l2tp” command in the APN for the LNS peer will be used as a LAC Hostname.

IMPORTANT:

For this configuration to take effect, the allow aaa-assigned-hostname command, which is used to configure the LAC-Hostname based on the “Tunnel-Client-Auth-ID” attribute received from the RADIUS server, needs to be configured in the LAC Service Configuration mode.

hostname is the name of the local host for the LNS peer and must be an alphanumeric string of 1 through 127 characters.

When Tunnel parameters are not received from the RADIUS Server, Tunnel parameters configured in APN will be considered for the LNS peer selection. When APN Configuration is selected, the local hostname hostname configured with this command in the APN for the LNS peer will be used as a LAC Hostname.

crypto-map map_name { [ encrypted ] secret crypto_secret }

Configures the IPSec crypto-map policy that is to be associated with this L2TP tunnel configuration for secure L2TP.

map_name is the name of a crypto-map policy configured on the system expressed as an alphanumeric string of 1 through 127 characters and is case sensitive.

encrypted is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret. Only the encrypted secret is saved as part of the configuration file.

secret specifies the secret associated with the crypto-map policy. crypto_secret can be from 0 to 255 bytes.


Usage:

This command can be used to configure the GGSN to tunnel subscriber traffic to one or more peer LNSs using L2TP or L2TP with IPSec.

When using L2TP, the system functions as an L2TP Access Concentrator (LAC) and tunnels traffic to a peer L2TP Network Server (LNS). LAC functionality is supported through the configuration of LAC Services defined in destination contexts configured on the system.

When using crypto-map policies, the system functions in the same fashion as with L2TP, with the exception that the encapsulated L2TP traffic is further encrypted using IPSec. IPSec functionality is supported through the definition of crypto maps configured in the same destination context as the LAC services.

A maximum of four LNS peers can be configured per APN. If no peer is specified, the system will use the LAC Service(s) configured in the same destination context as the APN.


Example:
The following command configures L2TP support for the APN. It configures the APN to tunnel traffic to an LNS with an IP address of 192.168.1.50 through a LAC service bound to an interface with an IP address 192.168.1.201 configured in a destination context on the system called pdn1. The shared secret between the system and the LNS is 5496secRet. This will be the only LNS configured so the default preference of 1 will not be changed.
tunnel l2tp peer-address 192.168.1.50 secret 5496secRet tunnel-context pdn1 local-address 192.168.1.201
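Several commands in this chapter have settings that are described as skipping a check: selection-mode modes that do not verify the MS’s subscription, tunnel address-policy values that do no address validation, an unset restriction-value, and a tunnel l2tp secret entered without the encrypted keyword. The following added example (not product code) audits a configuration script for those settings. The script text is constructed, the "apn name ... exit" block layout is an assumption, and all function names are hypothetical.

```python
"""Audit of APN settings this chapter describes as skipping verification (constructed example)."""
import re

# Constructed configuration script, not taken from a real system. The "apn <name> ... exit"
# block layout is an assumption about how these commands appear in a script.
SAMPLE_CONFIG = """\
context pdn1
  apn corp.example
    selection-mode sent-by-ms chosen-by-sgsn
    tunnel address-policy no-alloc-validate
    tunnel l2tp peer-address 192.168.1.50 secret 5496secRet tunnel-context pdn1
    restriction-value 3
  exit
  apn internet.example
    selection-mode subscribed
    tunnel address-policy alloc-validate
    tunnel l2tp peer-address 192.168.1.50 encrypted secret PLACEHOLDER tunnel-context pdn1
  exit
exit
"""

UNVERIFIED_MODES = ("chosen-by-sgsn", "sent-by-ms")        # subscription not verified
UNVALIDATED_POLICIES = ("alloc-only", "no-alloc-validate")  # no address validation


def split_apn_blocks(text):
    """Return {apn_name: [tokenised command, ...]} for every apn block in the script."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current is None:
            match = re.fullmatch(r"apn\s+(\S+)", line)
            if match:
                current = match.group(1)
                blocks[current] = []
        elif line == "exit":
            current = None
        else:
            blocks[current].append(line.split())
    return blocks


def audit_apn(commands):
    """Return a list of (command, message) findings for one APN's commands."""
    findings, restricted = [], False
    for tokens in commands:
        if tokens[0] == "selection-mode":
            modes = [t for t in tokens[1:] if t in UNVERIFIED_MODES]
            if modes:
                findings.append(("selection-mode",
                                 "MS subscription not verified: " + ", ".join(modes)))
        elif tokens[:2] == ["tunnel", "address-policy"] and len(tokens) > 2:
            if tokens[2] in UNVALIDATED_POLICIES:
                findings.append(("tunnel address-policy",
                                 tokens[2] + ": no IP address validation is done"))
        elif tokens[:2] == ["tunnel", "l2tp"]:
            i = 2
            while i < len(tokens):
                if tokens[i] in ("secret", "isakmp-secret"):
                    if tokens[i - 1] != "encrypted":
                        # Report the keyword only, never the secret value.
                        findings.append(("tunnel l2tp",
                                         "plain-text " + tokens[i] + " present in the script"))
                    i += 2      # skip the secret value itself
                else:
                    i += 1
        elif tokens[0] == "restriction-value" and len(tokens) > 1:
            restricted = True
    if not restricted:
        findings.append(("restriction-value",
                         "not set: value 0 allows connection to any APN"))
    return findings


def audit(text):
    return {name: audit_apn(cmds) for name, cmds in split_apn_blocks(text).items()}


if __name__ == "__main__":
    for apn, findings in audit(SAMPLE_CONFIG).items():
        for command, message in findings:
            print(f"{apn}: {command}: {message}")
```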
virtual-apn

Configures references (or links) to alternative APNs to be used for PDP context processing based on properties of the context. This command also configures the APN properties against which the PDP contexts are compared. It also supports roaming and visiting subscribers.

Platform:

ASR 5000

Product:

GGSN, IPSG, P-GW


Privilege:

Security Administrator, Administrator


Syntax
virtual-apn { gcdr apn-name-to-be-included { Gn | virtual } | preference priority apn apn_name [ access-gw-address { ip_address | ip_address/mask } | bearer-access-service service_name | cc-profile cc_profile_index [ rat-type { eutran | gan | geran | hspa | utran | wlan } ] | domain domain_name | mcc mcc_number mnc mnc_number [ cc-profile cc_profile_index ] | [ msin-range from msin_range_from to msin_range_to ] | [ rat-type { eutran | gan | geran | hspa | utran | wlan } ] | msisdn-range { from msisdn_start_range to msisdn_to_range | rat-type { eutran | gan | geran | hspa | utran | wlan } } | rat-type { eutran | gan | geran | hspa | utran | wlan } | roaming-mode { home | roaming | visiting } ] }
default virtual-apn gcdr apn-name-to-be-included
no virtual-apn preference priority
default

The virtual APN name is sent in G-CDRs.

no

Removes a previously configured “virtual” APN.

gcdr apn-name-to-be-included { gn | virtual }

If virtual APN to be used is configured, the virtual APN name is sent in G-CDRs. Provides an option to either send the virtual APN name or the Gn APN name (that comes from the SGSN) in G-CDRs.

Gn: The APN received in the Create PDP Context Request message from SGSN.

virtual: The APN selected by the GGSN/P-GW. This is the default.

preference priority

Specifies the order in which the referenced APNs are compared by the system.

priority specifies the order and can be configured to any integer value from 1 (highest priority) to 1000 (lowest priority).

apn apn_name

Specifies the name of an alternative APN configured on the system that is to be used for PDP contexts with matching properties.

apn_name is the name of the alternative APN, expressed as a string of 1 through 62 alphanumeric characters, and is case insensitive. It may also contain dots ( . ) and/or dashes ( - ).

access-gw-address { ip_address | ip_address/mask }

Specifies the Access Gateway (SGSN/SGW/Others) address for the virtual APN.

ip_address must be an IPv4 address in dotted-decimal or an IPv6 address in colon-separated-hexadecimal notation.

ip_address/mask must be an IPv4 address in dotted-decimal or an IPv6 address in colon-separated-hexadecimal notation with network-host mask separation.

bearer-access-service service_name

IMPORTANT:

Specifies the Bearer Access Service name for the virtual APN. This service name is unique across the context.

service_name must be an alphanumeric string of 1 through 63 characters.

cc-profile cc_profile_index

IMPORTANT:

Specifies the APN for charging characteristics (CC)-profile index.

cc_profile_index must be an integer from 1 to 15.

domain domain_name

IMPORTANT:

Specifies the subscriber’s domain name (realm).

domain_name must be an alphanumeric string of 1 through 79 characters, is case sensitive and can contain all special characters.

mcc mcc_number

IMPORTANT:

Specifies the mobile country code (MCC) portion of the PLMN’s identifier.

mcc_number is the PLMN MCC identifier and can be configured to any 3-digit integer value between 100 and 999.

mnc mnc_number

IMPORTANT:

Specifies the mobile network code (MNC) portion of the PLMN’s identifier.

mnc_number is the PLMN MNC identifier and can be configured to any 2- or 3-digit integer value between 00 and 999.

msin-range { from msin_range_from to msin_range_to | rat-type { eutran | gan | geran | hspa | utran | wlan } }

IMPORTANT:

This option is supported only for the GGSN.

Specifies the APN for this IMSI MSIN range or the radio access technology (RAT) type.

msin_range_from is the start prefix of the IMSI MSIN range and can be configured between 0 and 9999999999.

msin_range_to is the end prefix of the IMSI MSIN range and can be configured as a string of size 1 to 10 digits between 0 and 9999999999.

msin-range should follow the following rules:

  • Start prefix (such as msin_range_from) and end prefix (such as msin_range_to) must be of the same length.
  • Total length of mcc + mnc + msin-range <= 15 digits.
  • For a given combination of mcc + mnc + msin-range (start-end prefix), overlapping range is not allowed.
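
The three msin-range rules above can be checked offline before a rule set is applied. The following is an added example, not part of the original command reference: check_msin_ranges, its tuple layout and the sample rules are hypothetical, and it assumes a prefix range covers every MSIN that starts with a prefix inside it.

```python
from collections import defaultdict

MSIN_DIGITS = 10   # longest MSIN value the page allows (9999999999)

def check_msin_ranges(rules):
    """rules: (priority, mcc, mnc, msin_from, msin_to) tuples of digit strings.
    Returns (priority, problem) findings; an empty list means the rules hold."""
    findings = []
    by_plmn = defaultdict(list)
    for prio, mcc, mnc, lo, hi in rules:
        if len(lo) != len(hi):
            findings.append((prio, "start and end prefix differ in length"))
        elif len(mcc) + len(mnc) + len(lo) > 15:
            findings.append((prio, "mcc + mnc + msin-range exceeds 15 digits"))
        else:
            # Assumption: a prefix range covers every MSIN that starts with it.
            span = (int(lo.ljust(MSIN_DIGITS, "0")), int(hi.ljust(MSIN_DIGITS, "9")))
            by_plmn[(mcc, mnc)].append((span, prio))
    for ranges in by_plmn.values():
        ranges.sort()                      # order by expanded start value
        (_, top), top_prio = ranges[0]     # highest end value seen so far
        for (lo, hi), prio in ranges[1:]:
            if lo <= top:
                findings.append((prio, f"overlaps priority {top_prio}"))
            if hi > top:
                top, top_prio = hi, prio
    return findings

# Constructed input: the first entry is the page's example rule, the rest are made up.
SAMPLE = [
    (2, "100", "50", "4000000000", "4999999999"),   # valid: 3 + 2 + 10 = 15 digits
    (6, "100", "50", "45", "46"),                   # falls inside priority 2's range
    (7, "100", "50", "500", "5999"),                # prefixes of different length
    (8, "100", "050", "6000000000", "6999999999"),  # 3 + 3 + 10 = 16 digits
    (9, "200", "50", "45", "46"),                   # other PLMN, so no overlap
]
```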

rat-type is the type of the radio access technology based on which the APN would be specified.

msisdn-range from msisdn_start_range to msisdn_to_range

IMPORTANT:

Specifies the MSISDN range for this APN.

msisdn_start_range is the starting MSISDN number, which is a string of size 2 to 15 whose value ranges between 00 and 999999999999999.

msisdn_to_range is the ending MSISDN number, which is also a string of size 2 to 15 whose value ranges between 00 and 999999999999999.

rat-type { eutran | gan | geran | hspa | utran | wlan }

IMPORTANT:

The type of the Radio Access Technology (RAT) based on which the APN would be specified.

The available options include:

  • eutran
  • gan
  • geran
  • hspa
  • utran
  • wlan

roaming-mode { home | roaming | visiting }

IMPORTANT:

Supports separate PDP context processing for roaming, visiting, and home subscribers. It supports separate rule type along with domain, imsi, and sgsn-address types.


Usage:

This command simplifies the configuration process for mobile operators allowing them to provide subscribers with access to a large number of packet data networks, characterized by APN templates, while only having to configure a small number of APNs on the HLR.

Each “virtual” APN is a reference, or a link, to an alternate APN configured on the system. Each reference is configured with a rule that subscriber PDP contexts are compared against and a priority that dictates the comparison order.

GGSN

The references work as follows:

1. A Create PDP Context Request message is received by the GGSN. The message specifies an APN configured in the HLR.

2. The GGSN determines whether its own matching APN configuration contains “virtual” APN references.

3. The system determines the priority of the references and compares the associated information pertaining to the PDP context against the configured rules.

4. If the rule matches, the parameters in the APN specified by the reference are applied to the PDP context. If not, the rules in the reference with the next highest priority are compared against the PDP context. This occurs until a match is found. If none of the references match, then the parameters within the current APN are applied to the PDP context.

The GGSN supports a maximum of 1023 Virtual APN mapping configurations in a system. A single Gn APN can be configured with up to 1000 mapping rules. Multiple Gn APNs are supported - each requiring Virtual APN mapping configurations. The limit imposed is that the total virtual APN mappings across all Gn APNs should not exceed 1023.

For information on how virtual APN configuration can be used in eWAG deployments, refer to the Enhanced Wireless Access Gateway Administration Guide.

P-GW

Virtual APNs allow differentiated services within a single APN.

The Virtual APN feature allows a carrier to use a single APN to configure differentiated services. The APN that is supplied by the MME is evaluated by the P-GW in conjunction with multiple configurable parameters. Then, the P-GW selects an APN configuration based on the supplied APN and those configurable parameters.

APN configuration dictates all aspects of a session at the P-GW. Different policies imply different APNs. After basic APN selection, however, internal re-selection can occur based on the following parameters:
  • Service name
  • Subscriber type
  • MCC-MNC of IMSI
  • Domain name part of username (user@domain)
  • S-GW address

In StarOS v12.x and earlier, the P-GW supports a maximum of 1024 Virtual APNs in a system.

The functionality provided by this command can also be used to restrict access to particular APNs. To restrict access based on a particular rule (either domain name or mobile country code/mobile network code), the “virtual” APN reference should refer to an APN that is not configured on the system and contains the desired rule. All PDP contexts matching the configured rule would then be denied with a reason code of 219 (DBH), Missing or Unknown APN.
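
The reference-matching steps described for the GGSN and the access-restriction behaviour above can be traced with a small model, which helps when auditing which contexts a rule set will deny. This is an added example, not vendor code: Ref, rule_matches, select_apn and the blocked.example deny rule are hypothetical. Only domain, mcc/mnc, msin-range and access gateway address rules are modelled, and the MSIN is assumed to be compared by prefix.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ref:                                # one "virtual-apn preference" line (hypothetical model)
    priority: int                         # 1 (highest) .. 1000 (lowest)
    apn: str                              # referenced APN name, case insensitive
    domain: Optional[str] = None          # case sensitive per the page
    plmn: Optional[tuple] = None          # (mcc, mnc) digit strings
    msin_range: Optional[tuple] = None    # (from, to) prefixes of equal length
    access_gw: Optional[str] = None       # ip_address or ip_address/mask

def rule_matches(ref, ctx):
    """True when every property configured on the reference matches the context."""
    if ref.domain is not None and ctx.get("domain") != ref.domain:
        return False
    if ref.plmn is not None and (ctx.get("mcc"), ctx.get("mnc")) != ref.plmn:
        return False
    if ref.msin_range is not None:
        lo, hi = ref.msin_range
        prefix = ctx.get("msin", "")[:len(lo)]
        if len(prefix) < len(lo) or not lo <= prefix <= hi:
            return False
    if ref.access_gw is not None:
        net = ipaddress.ip_network(ref.access_gw, strict=False)
        gw = ctx.get("access_gw")
        if gw is None or ipaddress.ip_address(gw) not in net:
            return False
    return True

def select_apn(current_apn, refs, configured, ctx):
    """Return (apn, cause): the APN whose parameters apply, or (None, 219) on denial."""
    for ref in sorted(refs, key=lambda r: r.priority):
        if rule_matches(ref, ctx):
            if ref.apn.lower() not in configured:
                return None, 219          # Missing or Unknown APN (DBH)
            return ref.apn, None
    return current_apn, None              # no reference matched

# Constructed sample: the page's example references plus one deny rule.
REFS = [
    Ref(3, "bigco.com", access_gw="192.168.62.2"),
    Ref(1, "bigco", domain="bigco.com"),
    Ref(2, "bigtown", plmn=("100", "50"), msin_range=("4000000000", "4999999999")),
    Ref(4, "bigco.co.kr", access_gw="192.168.60.2/24"),
    Ref(5, "unconfigured-apn", domain="blocked.example"),
]
CONFIGURED = {"bigco", "bigtown", "bigco.com", "bigco.co.kr"}
```

Because the first matching reference wins, a deny reference only takes effect for contexts that no higher-priority reference has already matched.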


Example:
The following commands configure two “virtual” APNs: priority 1 references the bigco APN with a domain rule of bigco.com, and priority 2 references the bigtown APN with a mobile country code rule of 100 and a mobile network code rule of 50.
virtual-apn preference 1 apn bigco domain bigco.com
virtual-apn preference 2 apn bigtown mcc 100 mnc 50 msin-range from 4000000000 to 4999999999
virtual-apn preference 3 apn bigco.com sgsn-address 192.168.62.2
virtual-apn preference 4 apn bigco.co.kr sgsn-address 192.168.60.2/24