Subscriber Configuration Mode Commands

The Subscriber Configuration Mode is used to create local subscribers as well as to set default subscriber options for the current context.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

aaa

This command configures authentication, authorization and accounting (AAA) functionality at the subscriber level.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] aaa { accounting interim { interval-timeout interval_timeout | normal | suppress } | group aaa_group_name | secondary-group aaa_secondary_group_name }
default aaa { accounting interim [ interval-timeout ] | group | secondary-group }
no aaa { accounting interim [ interval-timeout ] | group [ aaa_group_name ] | secondary-group }

default

Configures the default setting for the specified parameter.

  • accounting: Enables AAA accounting for subscribers.
  • group: Uses the default AAA group—the one specified at the context level or in the default subscriber profile.
  • secondary-group: Removes the secondary AAA group from the subscriber configuration.

no
  • accounting: Disables AAA accounting for subscribers.
  • group: Uses the default AAA group—the one specified at the context level or in the default subscriber profile.
  • secondary-group: Removes the secondary AAA group from the subscriber configuration.

accounting interim { interval-timeout interval_timeout | normal | suppress }

Specifies when the system should send an interim accounting record to the server.

  • interval-timeout: Specifies the time interval (in seconds) at which to send an interim accounting record. interval_timeout must be an integer from 50 through 40000000.
  • normal: If RADIUS accounting is enabled, send this Acct-Status-Type message when normally required by operation.
  • suppress: If RADIUS accounting is enabled, suppress the sending of Acct-Status-Type message.

group aaa_group_name

Specifies the AAA server group for the subscriber for authentication and/or accounting.

aaa_group_name must be an alphanumeric string of 1 through 63 characters.

secondary-group aaa_secondary_group_name

Specifies the secondary AAA server group for the subscriber.

aaa_secondary_group_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to configure AAA functionality at the subscriber level.

Instead of having a single list of servers per context, this feature configures multiple server groups within a context and applies an individual server group to subscribers in that context. Each server group consists of a list of AAA servers for each AAA function (accounting, authentication, charging, etc.).

The AAA secondary server group supports the No-ACK RADIUS Targets feature in conjunction with PDSN/HA for secondary accounting (with different RADIUS accounting group configuration) to the RADIUS servers without expecting the acknowledgement from the server, in addition to standard RADIUS accounting. This secondary accounting will be an exact copy of all the standard RADIUS accounting messages (RADIUS Start/Interim/Stop) sent to the standard AAA RADIUS server.

If the same AAA group is configured with both the aaa group aaa_group_name and the aaa secondary-group aaa_group_name commands, then this configuration will have no effect and secondary accounting will not happen.

The AAA secondary server group configuration takes effect only when used with subscriber accounting-mode set to radius-diameter. The RADIUS accounting triggers for both standard RADIUS accounting and secondary accounting will be taken from the AAA group configured with the aaa group aaa_group_name command. On the fly change of this configuration is not supported. Any change to the configuration will have effect only for new calls.


Example:
The following command applies the AAA server group star1 to subscribers:
aaa group star1

access-link ip-fragmentation

Configures IP fragmentation processing over the Access-link.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
access-link ip-fragmentation { normal | df-ignore | df-fragment-and-icmp-notify }

df-ignore

Default: Enabled

Ignores the DF (Don’t Fragment) bit setting. Fragments and forwards the packet over the access link.

df-fragment-and-icmp-notify

Default: Disabled

Partially ignores the DF bit. Fragments and forwards the packet, but also returns an ICMP error message to the source of the packet. The number of ICMP errors sent like this is rate-limited to one ICMP error packet per second per session.

normal

Default: Disabled

Normal processing. Drops the packet and sends an ICMP unreachable message to the source of packet. This is the default behavior.


Usage:

If the IP packet to be forwarded is larger than the access-link MTU and if the DF (Don't Fragment) bit is set for the packet, then the fragmentation behavior configured by this command is applied. Use this command to fragment packets even if they are larger than the access-link MTU.


Example:

Set fragmentation so that the DF bit is ignored and the packet is forwarded anyway by entering the following command:

access-link ip-fragmentation df-ignore

accounting-mode

Sets the accounting mode for the current local subscriber configuration.

Platform:

ASR 5000

Product:

PDSN, HA, ASN-GW, S-GW


Privilege:

Administrator


Syntax
accounting-mode { flow-based | gtpp [ radius-diameter ] | none | radius-diameter [ gtpp ] | rf-style }
default accounting-mode

default

Sets the type of accounting to be performed for the current local subscriber to the default setting.

Default: radius-diameter

flow-based

Diameter flow-based accounting is enabled for the current local subscriber.

gtpp [ radius-diameter ]

GTPP CDR RADIUS accounting is enabled for the current local subscriber. The radius-diameter keyword is available if both GTPP RADIUS and RADIUS-Diameter accounting are to be used.

none

Accounting is disabled for the current local subscriber and no charging records will be generated.

radius-diameter [ gtpp ]

RADIUS-Diameter accounting is enabled for the current local subscriber. The gtpp keyword is available if both GTPP RADIUS and RADIUS-Diameter accounting are to be used.

rf-style

Diameter Rf interface accounting is enabled for the current local subscriber.


Usage:

This command specifies which protocol, if any, will be used to provide accounting for PDP contexts accessing the APN profile.

Use this command to enable or disable RADIUS/Diameter accounting for any subscribers that use the current local subscriber configuration.

If the gtpp option is used, then GTPP RADIUS is used as configured in the Context Configuration mode or the AAA Server Group Configuration mode and GTPP charging records will be enabled.

If the radius-diameter option is used, either the RADIUS or the Diameter protocol is used as configured in the Context Configuration mode or the AAA Server Group Configuration mode.

RADIUS accounting can also be enabled and disabled at the context level with the aaa accounting command in the Context Configuration Mode. If RADIUS accounting is enabled at the context level, the accounting-mode command can be used to disable RADIUS accounting for individual local subscriber configurations.

If the accounting mode is set to rf-style, then BM will generate accounting records corresponding to AIMS RF.


Example:
To disable accounting for the current subscriber, enter the following command:
accounting-mode none

active-charging bandwidth-policy

Configures the bandwidth policy to be used for the subscriber.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
active-charging bandwidth-policy bandwidth_policy_name
{ default | no } active-charging bandwidth-policy

default

Specifies that the default bandwidth policy configured in the rulebase be used for this subscriber.

no

Disables bandwidth control for this subscriber.

active-charging bandwidth-policy bandwidth_policy_name

Specifies the name of the bandwidth policy.

bandwidth_policy_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to configure bandwidth policy to be used for subscribers.


Example:
The following command configures a bandwidth policy named standard for the subscriber:
active-charging bandwidth-policy standard

active-charging link-monitor tcp

Enables the TCP link monitoring feature on the Mobile Video Gateway. This command can be configured in either APN Configuration Mode or Subscriber Configuration Mode.

Platform:

ASR 5000

Product:

MVG


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] active-charging link-monitor tcp [ log [ rtt [ histogram | time-series ] [ bitrate [ histogram | time-series ] ] | bitrate [ histogram | time-series ] [ rtt [ histogram | time-series ] ] ] ] [ -noconfirm ]

default

Sets TCP link monitoring to its default value, which is the same as [ no ].

no

Deletes the TCP link monitoring settings and disables TCP link monitoring if previously configured.

active-charging link-monitor tcp

Enables the TCP link monitoring feature on the Mobile Video Gateway. Note that TCP link monitoring is not enabled by default. Also note that when this command is configured without the log option, TCP link monitoring is enabled without logging, and the output from TCP link monitoring is only used by the dynamic translating feature.

log [ rtt [ histogram | time-series ] [ bitrate [ histogram | time-series ] ] | bitrate [ histogram | time-series ] [ rtt [ histogram | time-series ] ] ]

This option enables statistical logging for TCP link monitoring.

The rtt option can be used to enable either histogram or time-series logging for round-trip time (RTT).

Similarly, the bitrate option can be used to enable either histogram or time-series logging for bit rate.

When rtt and bitrate options are used without additional options, histogram and time-series logging are enabled for round-trip time (RTT) and/or bit rate respectively.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to enable TCP link monitoring on the Mobile Video Gateway.


Examples:
The following command enables TCP link monitoring with statistical logging, with histogram and time-series logging enabled for both RTT and bit rate:
active-charging link-monitor tcp log
The following command enables TCP link monitoring with statistical logging, with histogram and time-series logging enabled for RTT:
active-charging link-monitor tcp log rtt
The following command enables TCP link monitoring with statistical logging, with histogram logging enabled for RTT:
active-charging link-monitor tcp log rtt histogram
The following command enables TCP link monitoring with statistical logging, with histogram logging enabled for RTT and time-series logging enabled for bit rate:
active-charging link-monitor tcp log rtt histogram bitrate time-series

active-charging rulebase

Specifies the rulebase to be used for this subscriber.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
active-charging rulebase rulebase_name
no active-charging rulebase

no

Removes the previously configured rulebase for the subscriber.

active-charging rulebase rulebase_name

Specifies the name of the ACS rulebase.

rulebase_name must be the name of an ACS rulebase expressed as an alphanumeric string of 1 through 63 characters.


Usage:

This command specifies the name of the rulebase for specific subscriber (reals).

If the specified rulebase does not exist in the Active Charging service, the call will be rejected.


Example:
The following command configures the ACS rulebase named rule1 for the subscriber:
active-charging rulebase rule1

always-on

Once the idle timeout limit is reached, keeps the current subscriber session connected as long as the subscriber is reachable.

CAUTION:

When always-on is enabled, the subscriber must have an idle time-out period configured (default is 0, no time-out). Failure to configure an idle time-out results in a subscriber session that is indefinite.

Two timers and a counter are associated with this feature. Refer to the timeout command in this chapter and the ppp echo-retransmit-timeout msec and ppp echo-max-retransmissions num_retries commands.

Default: Disabled.

Platform:

ASR 5000

Product:

PDSN, ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
always-on
no always-on

always-on

Specifies that the user will remain connected after the idle time expires.

no

Disables always-on. The user is disconnected after the idle time expires.


Usage:

If this parameter is enabled for a subscriber, when the idle time-out limit is reached the subscriber's IP/PPP session remains connected as long as the subscriber is reachable. This is true even if the airlink between the mobile device and the RN (Radio Node) is moved from active to dormant (inactive) status. When the idle timeout limit is reached, the PDSN determines availability using link control protocol (LCP) keepalive messages. A response to these messages indicates that the “always-on” status should be maintained. Failure to respond to a predetermined number of LCP keepalive messages causes the PDSN to tear down (disconnect) the subscriber session.


Example:
Enable always on for the current subscriber by entering the following command:
always-on
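
A configuration check for the caveats documented above for aaa secondary-group, accounting-mode none and always-on, given as an added example (it is not Cisco's code). The "subscriber name … / exit" block layout and the "timeout idle <seconds>" argument form are assumptions, and inheritance from the default subscriber is not modelled.

```python
"""Audit subscriber blocks for the AAA / accounting caveats on this page."""

# Constructed sample input. The "subscriber name <x>" ... "exit" block layout
# and the "timeout idle <seconds>" argument form are assumptions; the other
# commands are the ones documented on this page.
SAMPLE_CONFIG = """\
subscriber default
  aaa group star1
  accounting-mode radius-diameter
exit
subscriber name mirror-ok
  aaa group star1
  aaa secondary-group star2
  accounting-mode radius-diameter
  timeout idle 3600
  always-on
exit
subscriber name mirror-same-group
  aaa group star1
  aaa secondary-group star1
exit
subscriber name mirror-wrong-mode
  aaa group star1
  aaa secondary-group star2
  accounting-mode gtpp
exit
subscriber name no-records
  accounting-mode none
  always-on
exit
subscriber name bad-interim
  aaa accounting interim interval-timeout 10
exit
"""

INTERIM_MIN, INTERIM_MAX = 50, 40000000  # documented interval-timeout range


def parse_subscribers(text):
    """Return {subscriber_name: [token lists]} for each subscriber block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "subscriber" and len(tokens) >= 2:
            named = tokens[1] == "name" and len(tokens) > 2
            current = blocks.setdefault(tokens[2] if named else tokens[1], [])
        elif tokens[0] == "exit":
            current = None
        elif current is not None:
            current.append(tokens)
    return blocks


def effective_settings(commands):
    """Apply commands in order (last one wins); 'no'/'default' reset a value."""
    s = {"group": None, "secondary": None, "mode": ["radius-diameter"],
         "always_on": False, "idle": 0, "interim": None}
    for t in commands:
        negated = t[0] in ("no", "default")
        body = t[1:] if negated else t
        head, args = body[:2], body[2:]
        if head == ["aaa", "group"]:
            s["group"] = args[0] if args and not negated else None
        elif head == ["aaa", "secondary-group"]:
            s["secondary"] = args[0] if args and not negated else None
        elif body[:1] == ["accounting-mode"]:
            # Documented default is radius-diameter.
            s["mode"] = body[1:] if len(body) > 1 and not negated else ["radius-diameter"]
        elif body == ["always-on"]:
            s["always_on"] = not negated
        elif head == ["timeout", "idle"]:
            ok = args and not negated and args[0].isdigit()
            s["idle"] = int(args[0]) if ok else 0  # 0 means no idle time-out
        elif body[:4] == ["aaa", "accounting", "interim", "interval-timeout"]:
            ok = len(body) > 4 and not negated and body[4].isdigit()
            s["interim"] = int(body[4]) if ok else None
    return s


def audit(text):
    """Return (subscriber, finding) pairs for the documented caveats."""
    findings = []
    for name, commands in parse_subscribers(text).items():
        s = effective_settings(commands)
        if s["secondary"]:
            # Same group for both commands: secondary accounting does not happen.
            if s["secondary"] == s["group"]:
                findings.append((name, "secondary-group-same-as-group"))
            # Assumption: "gtpp radius-diameter" also counts as radius-diameter.
            if "radius-diameter" not in s["mode"]:
                findings.append((name, "secondary-group-needs-radius-diameter"))
        if s["mode"] == ["none"]:
            findings.append((name, "accounting-disabled"))  # no charging records
        if s["always_on"] and s["idle"] == 0:
            findings.append((name, "always-on-without-idle-timeout"))
        if s["interim"] is not None and not INTERIM_MIN <= s["interim"] <= INTERIM_MAX:
            findings.append((name, "interim-interval-out-of-range"))
    return findings


if __name__ == "__main__":
    for subscriber, finding in audit(SAMPLE_CONFIG):
        print(f"{subscriber}: {finding}")
```
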
asn-header-compression-rohc

Negotiates Robust Header Compression (ROHC) support for subscriber calls with AAA and WiMAX. This configuration indicates the type of header compression supported and enabled on the ASN.

Platform:

ASR 5000

Product:

ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no | default ] asn-header-compression rohc

no

Removes or disables the configured identifiers for ROHC in ASN-GW service.

default

The default is disabled.


Usage:

Network Attached Storage (NAS) uses this configuration to indicate and pack ROHC support the subscriber TLV in the WiMAX-capability attribute in the Access Request. The ROHC header compression is applied only when the ROHC is supported on the ASNGW and ROHC support is indicated by the AAA.

asn nspid

Specifies the network service provider (NSP) associated with a WiMAX subscriber in an ASN-GW service. When configured, the NSP ID is sent in the Access-Request and Accounting messages.

Platform:

ASR 5000

Product:

ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] asn nspid nsp_id

no

Removes or disables the configured identifiers for this network service provider in ASN-GW service.

asn nspid nsp_id

Specifies the network service provider for this subscriber. This enables the MS to discover all accessible NSPs, and to indicate the NSP selection during connectivity to the ASN.


Usage:

Use this command to specify the NSP associated with a subscriber in an ASN-GW service.

nsp_id is three bytes in hexadecimal format. For example: FF-EE-01


Example:
The following command specifies the NSP for a subscriber in an ASN service:
asn nspid 0F-01-FE

asn-pdfid

Configures the identifiers for packet data flow, service data flow, and service profile in an ASN-GW service.

Platform:

ASR 5000

Product:

ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] asn-pdfid pdf_id asn-service-profile-id svc_profile_id asn-sdfid sdf_id

no

Removes/disables the configured identifiers for this subscriber in ASN-GW service.

asn-pdfid pdf_id

Specifies a unique ASN Packet Data Flow identifier for this subscriber.

pdf_id must be an integer from 1 through 65535.

asn-service-profile-id svc_profile_id

Specifies a unique ASN Service Profile Identifier for this subscriber.

svc_profile_id is a Service Profile Identifier configured in the Context Configuration Mode.

asn-sdfid sdf_id

Specifies a unique ASN Service Data Flow identifier for this subscriber.

sdf_id must be an integer from 1 through 65535.


Usage:

Use this command to configure subscriber profile for QoS parameters in an ASN-GW service.

A maximum of four QoS profiles can be configured for a subscriber.


Example:
The following command configures the QoS profile for a subscriber as PDF id 1, Service Profile id 3, and Service Data Flow id 2:
asn-pdfid 1 asn-service-profile-id 3 asn-sdfid 2

asn-policy

Configures the identifiers for packet data flow, service data flow, and service profile in an ASN-GW service.

Platform:

ASR 5000

Product:

ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
asn-policy [ classifiers downlink { strict | loose } | idle-mode { allow | disallow } | notification-idle-mode { allow | disallow } | notification-handoff { allow | disallow } | auth-only { allow | disallow } | ms-requested-classifiers { allow | disallow } ]
[ default ] asn-policy classifiers downlink idle-mode

no

Removes or disables the configured policy for this subscriber in ASN-GW service.

default

Sets the ASN policy to default for this subscriber.

For the downlink traffic classifier, the default policy is “loose”, and for the idle mode policy the default action is to allow idle mode operation in an ASN-GW service.

idle-mode

Sets the idle mode policy for this subscriber in an ASN-GW service. If enabled, Interim-Update is sent with the BSID and WiMAX-Idle_Mode Transition as Idle. If disabled, the Interim can be sent when the call is in the idle mode based on the interim timer. At this point, the last known BSID is reported to the RADIUS server.

notification-idle-mode

Default: allow

Enables or disables Idle-Mode-Notification capabilities. When this is enabled, an Accounting Interim is sent when the call moves from active to idle, or from idle to active.

notification-handoff

Default: allow

If enabled, the Interim-Update is sent with the BSID and SN-Handoff-Indicator as Active Handoff.

allow

Default: enabled

Enables the policy for this subscriber to allow idle mode operation in an ASN-GW service.

disallow

Default: disabled

Enables the policy for this subscriber to disallow idle mode operation in an ASN-GW service.

classifiers downlink

Sets the classifier policy for all service flows coming from HA to FA for this subscriber’s matching classifier.

strict

Default: disabled

This option discards all the service flows coming from HA to FA and any other packets not matching any of the classifiers set for this subscriber.

loose

Default: enabled

This option allows all the service flows coming from HA to FA, and any other packets not matching any of the classifiers set for this subscriber, to be sent to the BS/MS over the downlink flow.

auth-only

Specifies whether the call is Auth only or not.

allow

Enables the policy for this subscriber to allow auth-only in an ASN-GW service.

disallow

Default

Disables the policy for this subscriber to allow auth-only in an ASN-GW service.

Default: allow

By default ASNGW allows dynamic addition of classifiers by the MS during MS-initiated service flow creation or modification.


Usage:

Use this command to configure subscriber policy to allow/disallow the idle mode operation or the downlink traffic flow for a subscriber in an ASN-GW service.

For authentication configuration, the ASN-GW supports the Initial Network Entry (INE) for Ethernet CS calls. The base station supports Ethernet CS traffic to the network. The INE procedure includes the Authentication of the service flows and IP-Address allocation through DHCP. Authentication is based on the Extensible Authentication Protocol (EAP).

This command allows MS to transition to idle mode with an ASN-GW.


Example:
The following command configures the policy to allow the idle mode for an MS with an ASN-GW:
default asn-policy idle-mode

authorized-flow-profile-id

When a profile ID is requested by the Mobile Node (MN), this command sets the value that is authorized by the Access Gateway (AGW).

Platform:

ASR 5000

Product:

PDSN, ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
authorized-flow-profile-id profile_id direction { bidirectional | forward | reverse }
no authorized-flow-profile-id profile_id

no

Removes the existing profile ID setting specified by profile_id. profile_id must be an integer from 0 through 65535.

authorized-flow-profile-id profile_id

The profile ID number that is authorized for the current subscriber. profile_id must be an integer from 0 through 65535.

direction { bidirectional | forward | reverse }
This specifies in which data direction the profile ID should be applied.
  • bidirectional: This profile ID pertains to both the forward and reverse directions.
  • forward: This profile ID pertains to data going to the MN.
  • reverse: This profile ID pertains to data coming from the MN.

Usage:

Use this command to set the profile ID that the AGW will authorize for a subscriber.


Example:
Set the profile ID for both directions to 3 for the current subscriber by entering the following command:
authorized-flow-profile-id 3 direction bidirectional

content-filtering category

Enables or disables the specified preconfigured Category Policy Identifier for policy-based Content Filtering support to the subscriber.

Platform:

ASR 5000

Product:

CF


Privilege:

Security Administrator, Administrator


Syntax
content-filtering category policy-id cf_policy_id
no content-filtering category policy-id

no

Disables the configured category policy ID for content filtering support to the subscriber. This is the default setting.

content-filtering category policy-id cf_policy_id

Applies the content filtering category policy ID, configured in ACS Configuration Mode, to this subscriber.

cf_policy_id must be a category policy ID expressed as an integer from 1 through 4294967295.

If the specified category policy ID is not configured in the ACS Configuration Mode, all packets will be passed regardless of the categories determined for such packets.

IMPORTANT:

Category Policy ID configured through this mode overrides the Category Policy ID configured using the content-filtering category policy-id command in the ACS Rulebase Configuration Mode.


Usage:

Use this command to enter the Content Filtering Policy Configuration Mode and enable or disable the Content Filtering Category Policy ID for a subscriber.

IMPORTANT:

If Content Filtering Category Policy ID is not specified here, the similar command in the ACS Rulebase Configuration Mode determines the policy.

Up to 64 different policy identifiers can be defined in a Content Filtering support service.


Example:
The following command enters the Content filtering Policy Configuration Mode and enables the Category Policy ID 101 for Content Filtering support:
content-filtering category policy-id 101

credit-control-group

Configures the credit-control group for this subscriber.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
credit-control-group cc_group_name
no credit-control-group

no

Removes the credit-control group from the subscriber configuration, if configured.

credit-control-group cc_group_name

Specifies the name of the credit-control group.

cc_group_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to configure the credit-control group for the subscriber.


Example:
The following command configures the credit-control group named test12 for the subscriber:
credit-control-group test12

credit-control-service

Configures the credit-control service for this subscriber.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] credit-control-service cc_service_name

no

Disables the credit-control service, if configured.

credit-control-service cc_service_name

Specifies the name of the credit-control service.

cc_service_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to configure the credit-control service for subscribers.


Example:
The following command configures the credit-control service named test12 for the subscriber:
credit-control-service test12

cscf core-service

CSCF/A-BG core service that maps to the current domain.

Platform:

ASR 5000

Product:

SCM (CSCF, A-BG)


Privilege:

Security Administrator, Administrator


Syntax
cscf core-service name name
no cscf core-service

cscf core-service name name

Specifies the name of the CSCF/A-BG core service.

name must be an alphanumeric string of 1 through 63 characters.

no cscf core-service

Removes the CSCF/A-BG core service from the domain.


Usage:

Use this command to map a CSCF/A-BG core service to the current domain.


Example:
The following command creates a CSCF core service named cs1:
cscf core-service name cs1
The following command removes the CSCF core service from this domain:
no cscf core-service

cscf county-name

Assigns a Last Routing Option (LRO) profile county name to the subscriber for finding the correct Public Safety Answering Point (PSAP) during emergency calls.

Platform:

ASR 5000

Product:

SCM (S-CSCF)


Privilege:

Security Administrator, Administrator


Syntax
[ no ] cscf county-name name

cscf county-name name

Specifies the LRO profile county name of the subscriber.

name must be an existing LRO profile county name expressed as an alphanumeric string of 1 through 127 characters.

no

Removes the LRO profile county name from the subscriber.


Usage:

Use this command to assign an LRO profile county name to the subscriber.


Example:
The following command assigns county name norfolk to the subscriber:
cscf county-name norfolk
The following command removes county name norfolk from the subscriber:
no cscf county-name norfolk

cscf nat-applicable

Indicates if NAT (Network Address Translation) processing is required for this domain.

Platform:

ASR 5000

Product:

SCM (CSCF/A-SBC)


Privilege:

Security Administrator, Administrator


Syntax
[ no ] cscf nat-applicable

no

Disables NAT processing for this domain.

cscf nat-applicable

Enables NAT processing for this domain.


Usage:

Use this command to indicate whether NAT processing is required for this domain.


Example:
The following command indicates NAT processing is required for this domain:
cscf nat-applicable
The following command disables NAT processing for this domain:
no cscf nat-applicable

cscf private-user-id

Assigns a private user identity to the subscriber.

Platform:

ASR 5000

Product:

SCM (P-CSCF, S-CSCF, SIP Proxy)


Privilege:

Security Administrator, Administrator


Syntax
[ no ] cscf private-user-id user_id

no

Removes the private user identity of the subscriber.

cscf private-user-id user_id

Specifies the private user identity of the subscriber.

user_id must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to assign a private user identity to the subscriber.


Example:
The following command assigns a private user identity named user007 to the subscriber:
cscf private-user-id user007
The following command removes private user identity named user007 from the subscriber:
no cscf private-user-id user007

cscf session-template

Assigns a CSCF session template to the subscriber profile.

Platform:

ASR 5000

Product:

SCM (P-CSCF, S-CSCF, SIP Proxy)


Privilege:

Security Administrator, Administrator


Syntax
cscf session-template name name
no cscf session-template

cscf session-template name name

Specifies the name of the CSCF session template.

name must be an existing CSCF session template name expressed as an alphanumeric string of 1 through 79 characters.

no cscf session-template

Removes the assignment of a session template to the subscriber profile.


Usage:

Use this command to bind a CSCF session template to a subscriber profile.


Example:
The following command assigns a CSCF session template named template4 to the subscriber profile:
cscf session-template name template4
The following command removes the assignment of a session template to the subscriber profile:
no cscf session-template

data-tunneling ignore df-bit

Controls the handling of the DF (Don't Fragment) bit present in the user IPv4/IPv6 packet for GRE, IP-in-IP tunneling used for the MIP data path. If this feature is enabled, and fragmentation is required for the tunneled user IPv4/IPv6 packet, then the DF bit is ignored and the packet is fragmented. Also the DF bit is not copied to the outer header. Default is enabled.

Platform:

ASR 5000

Product:

PDSN, HA, FA, ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
data-tunneling ignore df-bit
no data-tunneling ignore df-bit

no

Disables this option. The DF bit in the tunneled IP packet header is not ignored during tunneling.

data-tunneling ignore df-bit

Ignores the DF bit in the tunneled IP packet header.


Usage:

Use this command to configure a user so that during Mobile IP tunneling the DF bit is not ignored and packets are not fragmented.


Example:
To disable fragmentation of a subscriber's packets over a MIP tunnel even when the DF bit is present, enter the following command:
no data-tunneling ignore df-bit

dcca origin host

This command is obsolete. Refer to the dcca origin endpoint command.

dcca origin endpoint

This command is obsolete. To configure the Diameter Credit Control Origin Endpoint, in the Credit Control Configuration Mode, use the diameter origin endpoint command.

dcca peer-select

Specifies the Diameter credit control primary and secondary peer for credit control.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
dcca peer-select peer host_name [ realm realm_name ] [ secondary-peer host_name [ realm realm_name ] ]
no dcca peer-select

no

Removes the previously configured Diameter credit control peer selection.

peer host_name

Specifies a unique name for the peer. host_name must be an alphanumeric string of 1 through 63 characters that allows punctuation marks.

secondary-peer host_name

Specifies a back-up host that is used for fail-over processing. When the route-table does not find an available route, the secondary host performs a fail-over processing. host_name must be an alphanumeric string of 1 through 63 characters that allows punctuation marks.

realm realm_name

The realm_name must be an alphanumeric string of 1 through 63 characters that allows punctuation marks. The realm may typically be a company or service name.


Usage:

Use this command to select a Diameter credit control peer and realm.

DANGER:

This configuration completely overrides all instances of diameter peer-select that have been configured within the Credit Control Configuration Mode for an Active Charging service.


Example:
The following command selects a Diameter credit control peer named test and a realm of companyx:
dcca peer-select peer test realm companyx

default

Restores the default value for the option specified for the current subscriber.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
default { access-link ip-fragmentation | accounting-mode | data-tunneling ignore df-bit | idle-timeout-activity dormant-downlink-data | inter-pdsn-handoff | ip { alloc-method | allowed-dscp | header-compression | hide-service-address | multicast discard | qos-dscp | source-validation } | loadbalance-tunnel-peers | long-duration-action | mobile-ip { home-agent | mn-aaa-removal-indication | mn-ha-hash-algorithm | reverse-tunnel | security-level | send { dns-address | terminal-verification } } | permission | ppp { always-on-vse-packet | data-compression { mode | protocols } | keepalive | min-compression-size | mtu } | radius accounting interim interval-timeout | timeout { absolute | idle } }

access-link ip-fragmentation

Sets the method for fragmenting packets over the MN access link to its default of normal. Drop the packet and send ICMP unreachable to the source of packet.

accounting-mode

Enables RADIUS accounting for the current local subscriber configuration.

data-tunneling ignore df-bit

Sets this option to the default behavior, which is to send an ICMP unreachable - need to frag message back to the sender and drop the packet, in the case that fragmentation is required but the DF bit is set.

idle-timeout-activity dormant-downlink-data

Sets this option to the default behavior. When downlink data packets are transmitted to the Mobile node and the session is in dormant mode the session idle timer is reset.

inter-pdsn-handoff

During a handoff from one PDSN to another, if the Mobile requests an IP address of 0.0.0.0 or a mismatched IP address the PDSN will not disconnect the session immediately. The PDSN tries to assign the proposed address of the session in the IPCP configuration NAK.

ip { | allowed-dscp | dhcp-relay | header-compression | hide-service-address | multicast discard | qos-dscp | source-validation | user-datagram-tos copy }

allowed-dscp: resets the allowed DSCP parameters to the system defaults: class none, max-class be.

hide-service-address: Specifies the default setting for hiding the IP address of the service from the subscriber. Default is Disabled.

dhcp-relay: Configured with the DHCP server address during MS authentication. The AAA server sends the address of the DHCP server in the Access-Accept message. The DHCP relay uses this address to relay the DHCP messages from the MS to the DHCP server.

multicast discard: Configures the default multicast setting, which is to discard PDUs.

qos-dscp: Sets the quality of service setting to the system default.

source-validation: Specifies the default IP source validation. Default is Enabled.

user-datagram-tos copy: Disables copying of the IP TOS octet value to all tunnel encapsulation IP headers.

loadbalance-tunnel-peers

Sets the tunnel load balancing algorithm to the system default.

long-duration-action

Sets the action that is taken when the long duration timer expires to the default: detection.

mobile-ip { home-agent | mn-aaa-removal-indication | mn-ha-hash-algorithm | reverse-tunnel | security-level | send { dns-address | terminal-verification } }

allow-aaa-address-assignment: Disables the FA from accepting a home address assigned by an AAA server.

home-agent: Sets home agent IP address to its default of 0.0.0.0.

match-aaa-assigned-address: Disables the FA validating the home address in the RRQ against the one assigned by AAA server.

mn-aaa-removal-indication: Sets this parameter to its default of disabled.

mn-ha-hash-algorithm: Sets the encryption algorithm to the default of hmac-md5.

reverse-tunnel: Sets this parameter to its default of enabled.

security-level: Sets this parameter to its default of none.

send dns-address: Disables the HA from sending the DNS address NVSE in the RRP.

send terminal-verification: Disables the FA from sending the terminal verification NVSE in the RRQ.

permission

Restores the subscriber’s service usage defaults.

ppp { always-on-vse-packet | data-compression { mode | protocols } | ip-header-compression negotiation | keepalive | min-compression-size | mtu }

Sets the point-to-point protocol option defaults.

always-on-vse-packet: Re-enables the PDSN to send special 3GPP2 VSE PPP packets to the Mobile Node with a max inactivity timer value for always-on sessions. This configuration is applicable only for PDSN sessions.

data-compression { mode | protocols }: restores the default value for either the data compression mode or compression protocols as follows:
  • mode stateless
  • all protocols enabled

ip-header-compression negotiation: Sets the IP header compressions negotiation to the system default: force.

keepalive: sets the subscriber’s PPP keep alive option to the system default: 30 seconds.

min-compression-size: Restores the PPP minimum packet size for compression: 128 octets.

mtu: Sets the maximum message transfer unit packet size to the system default: 1500 octets.

radius accounting interim interval-timeout

Disables the RADIUS accounting interim interval for the current subscriber.

timeout [ absolute | idle | long-duration ]

When a keyword is entered, this command resets the specified timeout to the system default: 0. When no keyword is specified, all timeouts are reset to the system defaults: 0.


Usage:

Use this keyword to reset subscriber data to the system defaults. This is useful for setting the subscriber back to the basic values to aid in troubleshooting or tuning a subscriber’s access and options.


Example:
default ip qos-dscp
default permission
default ppp data-compression mode

dhcp dhcpv6

Specifies the DHCPv6 service to be used for this subscriber.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
dhcp dhcpv6 service-name service_name
no dhcp dhcpv6 service-name

no

Removes the DHCPv6 service for the subscriber.

dhcpv6 service-name service_name

Specifies the name of an existing DHCPv6 service to be used for this subscriber.

service_name must be the name of a DHCPv6 service expressed as an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to apply or remove an existing DHCPv6 service to a subscriber template.


Example:
The following command applies a previously configured DHCPv6 service named dhcpv6_1 to a subscriber template:
dhcp dhcpv6 service-name dhcpv6_1

dhcp options

Specifies the DHCP options which can be sent from the DHCP server for this subscriber.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
dhcp options code 43 hex-values hex_values
no dhcp options

no

Removes the DHCP options for the subscriber.

options code 43 hex-values hex_values

Specifies hex values for DHCP option 43.

hex_values must be a dash-delimited list of hex data of size smaller than 506 datum.


Usage:

Use this command to specify the DHCP options which can be sent from the DHCP server for this subscriber.


Example:
The following command applies hex values ff-fe for DHCP option 43:
dhcp options code 43 hex-values ff-fe

dns

Configures the domain name servers for the current subscriber.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] dns { primary | secondary } ip_address

no

Indicates the IP address is to be removed as either a primary or secondary domain name server.

dns primary | secondary

dns primary: Updates the primary domain name server for the subscriber.

dns secondary: Updates the secondary domain name server for the subscriber.

ip_address

Specifies the IP address of the domain name server using IPv4 dotted-decimal notation.


Usage:

Set the subscriber DNS server lists as not all users will have the same set of servers.


Example:
dns primary 10.2.3.4
no dns primary 10.2.3.4
dns secondary 10.2.5.6
no dns secondary 10.2.5.6

eap

Specifies the lifetime for a master session key (MSK) for extensible authentication protocol (EAP) authentication.

Platform:

ASR 5000

Product:

ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default ] eap msk-lifetime dur

default

Sets the master session key lifetime to its default value of 3600 seconds.

msk-lifetime dur

Specifies the lifetime (in seconds) of the Master Session Key (MSK) for WiMAX subscriber EAP authentication.

dur is an integer from 60 through 65535.


Usage:

This command is used to set the lifetime of the MSK in EAP authentication for a WiMAX subscriber.


Example:
The following command sets the lifetime for MSK key to 4800 seconds for a WiMAX subscriber through EAP authentication:
eap msk-lifetime 4800

encrypted password

Designates use of password encryption.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
encrypted password password

encrypted password password

password is the encrypted password and must be an alphanumeric string of 1 through 132 characters.


Usage:

This command is normally used only inside configuration files.


Example:
The following command sets an encrypted password of qsdf12d4:
encrypted password qsdf12d4

end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

external-inline-server

This is a restricted command.

firewall policy

IMPORTANT:

This command is only available in StarOS 8.0. In StarOS 8.1 and later releases, this configuration is available in the ACS Rulebase Configuration Mode.

This command enables or disables Stateful Firewall support for the subscriber.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
firewall policy firewall-required
{ default | no } firewall policy

no

Disables Stateful Firewall support for this subscriber.

default

Configures the default setting for Stateful Firewall support.

Default: Disabled

firewall-required

Enables Stateful Firewall support for this subscriber.


Usage:

Use this command to enable or disable Stateful Firewall support for this subscriber.

IMPORTANT:

Unless Stateful Firewall support for this subscriber is enabled using this command, firewall processing for this subscriber is disabled.

IMPORTANT:

If firewall is enabled, and the rulebase has no firewall configuration, Stateful Firewall will cause all packets to be discarded.


Example:
The following command enables Stateful Firewall support for this subscriber:
firewall policy firewall-required
The following command disables Stateful Firewall support for this subscriber:
no firewall policy

fw-and-nat policy

IMPORTANT:

This command is only available in StarOS 8.1. This customer-specific command must be used to configure the Policy-based Firewall-and-NAT feature.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
fw-and-nat policy fw_nat_policy
{ default | no } fw-and-nat policy

default

Specifies that the default Firewall-and-NAT policy configured in the rulebase be used for the subscriber.

no

Disables Firewall and NAT processing for the subscriber.

fw_nat_policy

Specifies the Firewall-and-NAT policy for the subscriber.

fw_nat_policy must be an alphanumeric string of 1 through 63 characters. Note that this policy will override the default Firewall-and-NAT policy configured in the ACS rulebase.


Usage:

Use this command to configure the Firewall-and-NAT policy for subscribers. Note that the policy configured in the subscriber mode will override the default policy configured in the ACS rulebase. If a policy is not configured in the subscriber mode, the default policy configured in the ACS rulebase will be applied.


Example:
The following command configures a Firewall-and-NAT policy named standard for the subscriber:
fw-and-nat policy standard

idle-timeout-activity

Defines whether downlink (towards Mobile Node) data packets transmitted when the session is dormant are treated as activity for the idle-timer (inactivity timer).

By default, downlink data transmitted over a dormant session restarts the idle-timer for that session; it is treated as activity for the session.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] idle-timeout-activity dormant-downlink-data

no

Dormant mode downlink data is not treated as activity for the session idle-timer. The session idle timer is not reset.

idle-timeout-activity dormant-downlink-data

Treats dormant mode downlink data as activity for the session idle-timer. The session idle timer is reset.


Usage:

Use this command to disable or re-enable restarting the session idle timer when downlink data packets are transmitted to the Mobile Node when the session is in dormant mode.


Example:
Use the following command to disable restarting the session idle timer when downlink data packets are transmitted to the Mobile Node when the session is in dormant mode:
no idle-timeout-activity dormant-downlink-data
Use the following command to re-enable restarting the session idle timer when downlink data packets are transmitted to the Mobile Node when the session is in dormant mode:
idle-timeout-activity dormant-downlink-data

ims application-manager

Specifies the IP Multimedia Subsystem (IMS) application manager for the subscriber.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ims application-manager { domain-name domain-name | ipv4-address ipv4_address }

no

Disables the IMS application manager for this subscriber.

ims application-manager

Enables the IMS application manager for this subscriber.

domain-name domain-name

Specifies the domain name of the application manager.

domain-name must be an alphanumeric string of 1 through 63 characters.

ipv4-address ipv4_address

Specifies the IP address of the application manager using IPv4 dotted-decimal notation.


Usage:

The IMS application manager address is returned by HA to MN in DHCP Ack when it receives the DHCP inform from an AIMS subscriber.


Example:
ims application-manager domain-name domain23
ims application-manager ipv4-address 192.168.23.1

ims-auth-service

Enables IP Multimedia Subsystem (IMS) authorization support for the subscriber. The specified IMSA service will be used for performing IMS authorization and flow-based charging procedures.

Platform:

ASR 5000

Product:

PDSN, GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] ims-auth-service auth_svc_name

default

Configures default setting.

Default: Disabled or as specified at the context or network access service level or in subscriber template.

no

Removes the specified IMS authorization service from the subscriber configuration.

ims-auth-service auth_svc_name

Specifies name of the IMS authorization service.

auth_svc_name must be an alphanumeric string of 1 through 63 characters preconfigured within the same context of this subscriber.


Usage:

This feature provides the IMS authorization service configuration for Gx interface in IMS service node.


Example:
The following command applies a previously configured IMS authorization service named ims_interface1 to a subscriber within the specific context:
ims-auth-service ims_interface1

inter-pdsn-handoff

Configure the system to force the MN to use its assigned IP address during Internet Protocol Control Protocol (IPCP) negotiations resulting from inter-PDSN handoffs.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] inter-pdsn-handoff require ip-address

no

Disables the rejecting of sessions when the MN uses a non-allocated IP address during IPCP re-negotiations.

inter-pdsn-handoff require ip-address

Rejects sessions when the MN uses a non-allocated IP address during IPCP re-negotiations.


Usage:

This command is used to configure the system to reject sessions that are re-negotiating IPCP after an inter-PDSN handoff if the IP address they propose does not match the one initially provided by the PDSN. The session would be rejected even if the proposed address was 0.0.0.0.

If this parameter is disabled, the PDSN will attempt to re-assign the IP address initially provided.


Example:
To set the PDSN to not allow a mismatched IP address during a PDSN to PDSN handoff of a MIP call, use the following command:
inter-pdsn-handoff require ip-address
To set the PDSN so that it will not disconnect the session immediately if the Mobile requests an IP address of 0.0.0.0 or a mismatched IP address after an inter-PDSN handoff, use the following command:
no inter-pdsn-handoff require ip-address

ip access-group

Configures IP access group for the current subscriber.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip access-group group_name [ in | out ]

no

Indicates the access group specified is to be cleared from the subscriber's configuration.

ip access-group group_name

Specifies the name of the IPv4/IPv6 access group. group_name is a configured ACL group expressed as an alphanumeric string of 1 through 79 characters.

in | out

Default: both (in and out)

Specifies the access-group as either inbound or outbound by the keywords in and out, respectively. If neither of these keywords is specified, the command associates the group_name access group with the current subscriber for both inbound and outbound access.


Usage:

Set the subscriber access group to manage the access control for subscribers as a logical group.


Example:
The following command associates the sampleGroup access group with the current subscriber for both inbound and outbound access:
ip access-group sampleGroup
The following removes the outbound access group flag for sampleGroup:
no ip access-group sampleGroup out

ip address

Configures a static IPv4 address for use by the subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN, HA, ASN-GW, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip address ip_address netmask

no

Removes a previously configured IP address assignment.

ip address ip_address

Specifies the IP address assigned to the subscriber using IPv4 dotted-decimal notation.

netmask

The subnet mask that corresponds to the assigned IPv4 address.


Usage:

Use this command to assign a static IPv4 address to the subscriber. This address will be used each time the subscriber establishes data sessions.


Example:
The following command configures a static IP address of 192.168.1.15 with a subnet mask of 255.255.255.0 to the subscriber:
ip address 192.168.1.15 255.255.255.0

ip address pool

Configures IP address pool properties for the subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN, HA, ASN-GW, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip address pool name pool_name

no

Removes a previously configured static address.

ip address pool name pool_name

Specifies the IP address pool or IP address pool group from which the subscriber's IP address is assigned.

pool_name must be the name of an existing IP pool or IP pool group expressed as an alphanumeric string of 1 through 31 characters.


Usage:

Use this command to specify the name of an IP address pool configured on the system from which IP addresses are to be dynamically assigned to sessions from this subscriber.

This command can be issued multiple times to specify multiple address pools for the subscriber. If multiple pools are specified, addresses are assigned for subscriber sessions from the pools based on the order in which the pools were configured.

If an address cannot be provided from the first-specified pool for whatever reason, the system attempts to assign an address from the second-specified pool, and so on. This operation is independent of the priorities configured for the pools. For example, if pool1 was specified for the subscriber first, and pool2 second, the system always attempts to assign addresses from pool1. If an address cannot be assigned from pool1 (i.e. all addresses are in use), the system then attempts to assign an address from pool2.


Example:
The following command configures the subscriber to receive IP addresses from an IP address pool named public1:
ip address pool name public1

ip address secondary-pool

Configures secondary IP address pool properties for the subscriber to provide multiple IP host configuration behind one WiMAX Customer Premise Equipment (CPE).

Platform:

ASR 5000

Product:

ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip address secondary-pool name aux_pool_name

no

Removes a previously configured auxiliary pool named aux_pool_name for multiple host support in ASN-GW service.

ip address secondary-pool name aux_pool_name

Specifies the secondary/auxiliary IP address pool or IP address pool group from which the IP address is assigned to host behind a WiMAX CPE having primary IP address.

aux_pool_name must be the name of an existing IP pool or IP pool group expressed as an alphanumeric string of 1 through 31 characters.


Usage:

Use this command to specify the name of an IP address pool configured on the system from which IP addresses are to be dynamically assigned to host behind a WiMAX CPE for multiple host session support.

This command assigns IP addresses to secondary hosts from a locally configured secondary IP address pool. To enable multiple host support behind a WiMAX CPE and configure the maximum number of supported hosts, use the secondary-ip-host command in ASN Gateway Service Configuration mode.


Example:
The following command configures the subscriber to receive IP addresses from a secondary IP address pool named auxiliary1 for secondary hosts behind the WiMAX CPE:
ip address secondary-pool name auxiliary1

ip allowed-dscp

Sets the Quality of Service (QoS) Differentiated Services (DiffServ) marking that a subscriber session is allowed. The DSCP is disabled by default.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ip allowed-dscp class class max-class maxclass [ rt-marking marking ]
no ip allowed-dscp class

no

Resets the parameters to the defaults: class none, max-class be. This indicates that all packets are let through without any DSCP checking.

ip allowed-dscp class class

Specifies the Differentiated Services Codepoint (DSCP) class with which the subscriber session may mark its packets. If the subscriber session's packets request a code point class higher than the code point class specified, the PDSN service re-marks the packets with the QOS-DSCP value specified by the ip qos-dscp command.

Default: none

class must be one of the following:

a: allow packets with AF DSCPs

e: allow packets with EF DSCP

o: allow packets for experimental or local use

ae: allow packets with AF and EF DSCPs

ao: allow packets with AF DSCPs or packets for experimental or local use

eo: allow packets with EF DSCPs or packets for experimental or local use

aeo: allow packets with AF or EF DSCPs or packets for experimental or local use

none: allow only the be and sc1 through sc7 code points

max-class maxclass

This parameter specifies the maximum code point with which a subscriber session may mark its packets. The subscriber session's packets must be marked with a code point equal to or less than the code point specified. If the subscriber session's packets request a code point higher than the code point specified, the PDSN service re-marks the packets with the QOS-DSCP value specified by the lower of the max-class and the ip qos-dscp command.

The list below identifies the code points from lowest to highest precedence. For example, if the maxclass is set to af22, that becomes the maximum code point that the subscriber session may mark its packets with and only be, af13, af12, af11, af23, and af22 are allowed. If a subscriber session marks its packets with anything after af22 in this list, the PDSN service re-marks the packets with the QOS-DSCP value specified by the lower of the maxclass and the ip qos-dscp command.

If class is set to none, only the be and sc1 through sc7 codepoints are allowed. For example, if class is set to none and you set max-class to sc1, only the sc1 and be codepoints are allowed.

Default: be

maxclass must be one of the following:

be: best effort forwarding

af13: assured Forwarding 13

af12: assured Forwarding 12

af11: assured Forwarding 11

af23: assured Forwarding 23

af22: assured Forwarding 22

af21: assured Forwarding 21

af31: assured Forwarding 31

af32: assured Forwarding 32

af33: assured Forwarding 33

af41: assured Forwarding 41

af42: assured Forwarding 42

af43: assured Forwarding 43

ef: expedited forwarding

sc1: selector class 1

sc2: selector class 2

sc3: selector class 3

sc4: selector class 4

sc5: selector class 5

sc6: selector class 6

sc7: selector class 7

rt-marking marking

This parameter is used for Mobile IP (MIP) reverse tunnels. When MIP session packets do not have a DSCP marking, the Foreign Agent (FA) marks the packets with the value specified by rt-marking marking.

If MIP session packets have a DSCP marking, the marking is subjected to the conformance rules for the values of class and max-class; the final DSCP marking is then copied from the inner IP header to the outer IP header.

Default: be

marking must be one of the following:

be: best effort forwarding

af11: assured Forwarding 11

af12: assured Forwarding 12

af13: assured Forwarding 13

af21: assured Forwarding 21

af22: assured Forwarding 22

af23: assured Forwarding 23

af31: assured Forwarding 31

af32: assured Forwarding 32

af33: assured Forwarding 33

af41: assured Forwarding 41

af42: assured Forwarding 42

af43: assured Forwarding 43

ef: expedited forwarding

sc1: selector class 1

sc2: selector class 2

sc3: selector class 3

sc4: selector class 4

sc5: selector class 5

sc6: selector class 6

sc7: selector class 7


Usage:

Use this command to configure Quality of Service (QoS) for a subscriber session to allow a Differentiated Services (DiffServ) Code Point (DSCP) marker in the header of each IP packet that prompts network routers to apply differentiated grades of service to various packet streams.

This command combines the class and, for reverse tunnels, the rt-marking marker with max-class, the maximum code point with which a subscriber session may mark its packets.
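
The class and max-class conformance rules described above, modelled as an added example (not Cisco code and not part of the original reference). Assumptions: be and sc1 through sc7 pass under every class, the max-class check runs before the class check, qos_dscp stands for the value configured with ip qos-dscp, and experimental/local-use code points are not modelled because the page gives them no position in its ordered list.

```python
# Added example: a model of the ip allowed-dscp conformance rules on this page.
# ORDER is copied from the page's max-class list, lowest to highest precedence.
ORDER = ["be", "af13", "af12", "af11", "af23", "af22", "af21",
         "af31", "af32", "af33", "af41", "af42", "af43", "ef",
         "sc1", "sc2", "sc3", "sc4", "sc5", "sc6", "sc7"]
RANK = {name: i for i, name in enumerate(ORDER)}
CLASSES = {"a", "e", "o", "ae", "ao", "eo", "aeo", "none"}


def _require(name, table, what):
    """Reject names that are not in the page's lists."""
    if name not in table:
        raise ValueError(f"unknown {what}: {name!r}")


def _family(codepoint):
    """Class letter that gates a code point; None for be and sc1..sc7."""
    if codepoint.startswith("af"):
        return "a"
    if codepoint == "ef":
        return "e"
    return None


def class_permits(codepoint, cls):
    """True when the class setting lets this code point through.

    Assumption: be and sc1..sc7 are permitted under every class; the page
    states this explicitly only for class none.
    """
    fam = _family(codepoint)
    # Guard "none" explicitly: a plain substring test would match its letters.
    return fam is None or (cls != "none" and fam in cls)


def allowed_codepoints(cls, max_class):
    """Code points a session may use, in the page's precedence order."""
    _require(cls, CLASSES, "class")
    _require(max_class, RANK, "max-class")
    return [cp for cp in ORDER
            if RANK[cp] <= RANK[max_class] and class_permits(cp, cls)]


def conform(marking, cls="none", max_class="be", qos_dscp="be"):
    """Return (final_codepoint, reason) for one packet marking."""
    _require(marking, RANK, "marking")
    _require(cls, CLASSES, "class")
    _require(max_class, RANK, "max-class")
    _require(qos_dscp, RANK, "qos-dscp")
    # Defaults (class none, max-class be): packets pass without DSCP checking.
    if cls == "none" and max_class == "be":
        return marking, "no-check"
    # Above max-class: re-mark with the lower of max-class and qos-dscp.
    # Assumption: this check is applied before the class check.
    if RANK[marking] > RANK[max_class]:
        return min(max_class, qos_dscp, key=RANK.get), "above-max-class"
    # Class not allowed: re-mark with the qos-dscp value.
    if not class_permits(marking, cls):
        return qos_dscp, "class-not-allowed"
    return marking, "conforms"


if __name__ == "__main__":
    # Constructed sample: (marking, class, max-class, qos-dscp)
    samples = [
        ("af12", "ae", "af22", "be"),
        ("af21", "a", "af22", "af11"),
        ("ef", "a", "sc7", "af11"),
        ("af11", "none", "sc1", "be"),
        ("af41", "none", "be", "be"),
    ]
    for marking, cls, max_class, qos in samples:
        final, reason = conform(marking, cls, max_class, qos)
        print(f"{marking:>5} class={cls:<4} max-class={max_class:<4} "
              f"qos-dscp={qos:<4} -> {final:<5} ({reason})")
```

Running the model against a planned class and max-class pair before applying it shows which markings would be re-marked rather than forwarded unchanged.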


Example:
The following command allows class o (packets for experimental or local use) with a max-class of be (best effort forwarding):
ip allowed-dscp class o max-class be

ip context-name

Configures the context to which the subscriber is assigned upon authentication. The assigned context is considered the destination context that provides the configuration options for the services the subscriber is allowed to access.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip context-name name

no

Removes the current assigned context from the subscriber’s data.

ip context-name name

Specifies the name of the context to assign the subscriber to once authenticated. name must be an alphanumeric string of 1 through 79 characters.


Usage:

Set the subscriber IP context to a common context when all subscribers from one or more contexts will use the same egress context.


Example:
ip context-name sampleName
no ip context-name sampleName

ip header-compression

Configures the IP packet header compression options for the current subscriber. Although this command configures IP header compression algorithms, the Internet Protocol Control Protocol (IPCP) negotiations determine when the header compression algorithm is applied.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ip header-compression { rohc [ any [ mode { optimistic | reliable | unidirectional } ] | cid-mode { { large | small } [ marked-flows-only | max-cid | max-hdr value | mrru value ] } | marked-flows-only | max-hdr value | mrru value | downlink | uplink ] | vj } +
[ default | no ] ip header-compression

default

Restores this command’s default setting to the Van Jacobsen (VJ) header compression algorithm.

no

Disables all IP header compression.

ip header-compression { rohc [ any [ mode { optimistic | reliable | unidirectional } ] | cid-mode { { large | small } [ marked-flows-only | max-cid | max-hdr value | mrru value ] } | marked-flows-only | max-hdr value | mrru value | downlink | uplink ] | vj }

Specifies that the Robust Header Compression (ROHC) algorithm is used for data.

IMPORTANT:

ROHC is only supported for use with the PDSN.

any: Apply ROHC header compression in both the uplink and downlink directions.

mode { optimistic | reliable | unidirectional }:
  • optimistic: Sets the ROHC mode to Bidirectional Optimistic mode (O-mode). In this mode packets are sent in both directions. A feedback channel is used to send error recovery requests and (optionally) acknowledgments of significant context updates from decompressor to compressor. Periodic refreshes are not used in the Bidirectional Optimistic mode.
  • reliable: Sets the ROHC mode to Bidirectional Reliable mode (R-mode). This mode applies an intensive usage of a feedback channel and a strict logic at both the compressor and the decompressor that prevents loss of context synchronization between the compressor and the decompressor. Feedback is sent to acknowledge all context updates, including updates of the sequence number field.
  • unidirectional: Sets the ROHC mode to Unidirectional mode (U-mode). With this mode packets are sent in one direction only, from the compressor to the decompressor. This mode therefore makes ROHC usable over links where a return path from the decompressor to the compressor is unavailable or undesirable.
cid-mode { { large | small } [ marked-flows-only | dm | max-hdr value | mrru value ] }: Specifies the ROHC packet type to be used.
  • large | small [ marked-flows-only | max-cid | max-hdr value | mrru value ]: Defines the ROHC packet type as large or small and optionally sets the following parameters for the packet type selected:
  • marked-flows-only: Specifies that ROHC is to be applied only to marked flows.
  • max-cid integer: Default: 0. The highest context ID number to be used by the compressor. integer must be an integer from 0 through 15 when small packet size is selected and must be an integer from 0 through 31 when large packet size is selected.
  • max-hdr value: Specifies the maximum header size to use. Default: 168. value must be an Integer from 0 through 65535.
  • mrru value: Specifies the maximum reconstructed reception unit to use. Default: 65535. value must be an Integer from 0 through 65535.

marked-flows-only: Specifies that ROHC is to be applied only to marked flows.

max-hdr value: Specifies the maximum header size to use. Default: 168. value must be an Integer from 0 through 65535.

mrru value: Specifies the maximum reconstructed reception unit to use. Default: 65535. value must be an Integer from 0 through 65535.

downlink: Apply the ROHC algorithm only in the downlink direction.

uplink: Apply the ROHC algorithm only in the uplink direction.

IMPORTANT:

When ROHC is enabled for downlink or uplink only, the operational mode is Unidirectional.

vj

Specifies that the VJ algorithm is used for header compression.

+

Either one or both of the keywords may be entered in a single command.

If both vj and rohc are specified, vj must be specified first.

IMPORTANT:

If both VJ and ROHC header compression are specified, the optimum header compression algorithm for the type of data being transferred is used for data in the downlink direction.


Usage:

Header compression can be used to provide a higher level of security in IP traffic, enhance bandwidth usage, and lower bit errors.

By default the header compression algorithm is set to vj.


Example:
The following command disables all IP packet header compression:
no ip header-compression
The following command sets IP header compression to default vj algorithm:
default ip header-compression
The following command also sets the IP header compression to the vj algorithm:
ip header-compression vj
The following command enables the Internet Protocol Control Protocol (IPCP) to determine which protocol is the optimum algorithm for data in the downlink direction and use either VJ or ROHC as needed:
ip header-compression vj rohc
The following command enables ROHC for the downlink direction only:
ip header-compression rohc downlink
The following command enables ROHC in any direction using Bidirectional Optimistic mode:
ip header-compression rohc any mode optimistic

ip hide-service-address

Hide the IP address of the service from the subscriber.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip hide-service-address
no

Does not hide the IP address of the service from the subscriber. This is the default behavior.

ip hide-service-address

Hides the IP address of the service from the subscriber.


Usage:

Use this command to prevent subscribers from using traceroute to discover the network addresses that are in the public domain and configured on services. This prevents users from pinging such addresses.

ip local-address

Configures the local-side IP address of the subscriber's point-to-point connection.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ip local-address ip_address
no ip local-address
no

Removes a previously configured IP local-address.

ip_address ip_address

Specifies an IP address configured in a destination context on the system through which a packet data network can be accessed. ip_address is entered using IPv4 dotted-decimal notation.


Usage:

This parameter specifies the IPv4 address on the system that the MS uses as the remote-end of the PPP connection. If no local address is configured, the system uses an "unnumbered" scheme for local-side addresses.


Example:
The following command configures a local address of 192.168.1.23 for the MS:
ip local-address 192.168.1.23
ip multicast discard

Configures the IP multicast discard packet behavior.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip multicast discard
no

Does not discard IP multicast packets.

ip multicast discard

Discards IP multicast packets.


Usage:

This command specifies if IP multicast packets will be discarded.

ip qos-dscp

Configures quality of service (QoS) options for the current subscriber using the differentiated services code point (DSCP) method. This functionality is disabled by default.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ip qos-dscp option
no ip qos-dscp
no

Sets the quality of service option to its default value.

ip qos-dscp option

Default: be (Best Effort)

Specifies the subscriber’s per hop quality of service setting as one of:
  • af11: assured Forwarding 11
  • af12: assured Forwarding 12
  • af13: assured Forwarding 13
  • af21: assured Forwarding 21
  • af22: assured Forwarding 22
  • af23: assured Forwarding 23
  • af31: assured Forwarding 31
  • af32: assured Forwarding 32
  • af33: assured Forwarding 33
  • af41: assured Forwarding 41
  • af42: assured Forwarding 42
  • af43: assured Forwarding 43
  • be: best effort forwarding
  • ef: expedited forwarding

Usage:

Set the quality of service for a subscriber based upon the service level agreements.


Example:
ip qos-dscp ef
no ip qos-dscp
ip route

Configures the static route to use to reach the subscriber’s network.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip route ip_address ip_mask [ gateway_address ]
no

Removes the configured route information from the subscriber data.

ip route ip_address

Specifies the target IP address for which the route information applies using IPv4 dotted-decimal notation.

ip_mask

Specifies the networking mask for the route.

1 bits in the ip_mask indicate that bit position in the ip_address must also have a value of 1.

0 bits in the ip_mask indicate that bit position in the ip_address does not need to match; that is, the bit can be either a 0 or a 1.

For example, if the IP address and mask were specified as 172.168.10.0 and 255.255.255.224, respectively, the network mask will be 172.168.0.0 (obtained by logically ANDing the IP address with the IP mask).

gateway_address

Default: assigned remote IP address will be used as the gateway address.

Specifies the IP address of the next hop gateway for the route using IPv4 dotted-decimal notation.


Usage:

The static routes are also known as framed IP routes for subscribers. Static routes are typically applicable for subscribers connecting via other networks or when the mobile device acts as a gateway to a network on the far side of the device.

For example, if the mobile device is assigned IP address 10.2.3.4 and it acts as a gateway for the network 10.2.3.0 (with a network mask of 255.255.255.0) a static route would be configured with the ip_address being 10.2.3.0, ip_mask being 255.255.255.0, and gateway_address being 10.2.3.4.


Example:
no ip route 10.2.3.4 255.255.255.0
ip source-validation

Enables or disables packet source validation for the current subscriber. Source validation requires that the source address of the received packets match the IP address assigned to the subscriber (either statically or dynamically) during the session.

If an incorrect source address is received from the mobile node, the system attempts to renegotiate the PPP session. The parameters for IP source validation can be set by the ip source-violation command.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip source-validation
no

Disables source validation.

ip source-validation

Enables source validation.


Usage:

Source validation is useful if packet spoofing is suspected or for verifying packet routing and labeling within the network.


Example:
The following command enables IP source validation:
ip source-validation
The following command disables IP source validation:
no ip source-validation
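
Source validation is one of several subscriber-mode settings on this page with a direct security effect. The following Python script is an added example (not part of the original page and not vendor code): it resolves the effective value of four such commands from a list of subscriber-mode lines, applying the no/default prefixes and the defaults documented on this page, and reports deviations from a baseline. The baseline policy and the sample configuration are assumptions constructed for the example.

```python
# Commands audited -> (kind, default documented on this page).
# kind "flag": the bare command enables it, "no" disables it.
# kind "value": the token after the keyword is the setting.
# A default of None means the page states no default for that command.
SETTINGS = {
    "ip hide-service-address": ("flag", False),
    "ip source-validation": ("flag", None),
    "mobile-ip security-level": ("value", "none"),
    "mobile-ip mn-ha-hash-algorithm": ("value", "hmac-md5"),
}

# Constructed sample input: lines as they would be entered in subscriber mode.
SAMPLE_CONFIG = """
ip source-validation
ip hide-service-address
mobile-ip home-agent 10.2.3.4
mobile-ip mn-ha-hash-algorithm md5
mobile-ip security-level ipsec
no ip source-validation
"""


def effective_settings(config_text):
    """Return the final value of each audited command; later lines win."""
    state = {cmd: default for cmd, (_kind, default) in SETTINGS.items()}
    for raw in config_text.splitlines():
        words = raw.split()
        prefix = None
        if words and words[0] in ("no", "default"):
            prefix, words = words[0], words[1:]
        for cmd, (kind, default) in SETTINGS.items():
            keyword = cmd.split()
            if words[:len(keyword)] != keyword:
                continue
            if prefix == "default" or (prefix == "no" and kind == "value"):
                state[cmd] = default            # back to the documented default
            elif kind == "flag":
                state[cmd] = prefix is None     # bare command on, "no" off
            elif len(words) > len(keyword):
                state[cmd] = words[len(keyword)]
    return state


def audit(config_text):
    """List deviations from this example's baseline (an assumption, not vendor guidance)."""
    s = effective_settings(config_text)
    findings = []
    if s["ip source-validation"] is not True:
        findings.append("ip source-validation is not enabled: packet source "
                        "addresses are not checked against the assigned address")
    if s["ip hide-service-address"] is not True:
        findings.append("ip hide-service-address is not set: the service "
                        "address is visible to the subscriber")
    if s["mobile-ip security-level"] != "ipsec":
        findings.append("mobile-ip security-level is not ipsec: MIP control "
                        "and data traffic is not secured with IPSec")
    if s["mobile-ip mn-ha-hash-algorithm"] != "hmac-md5":
        findings.append("mobile-ip mn-ha-hash-algorithm is not the default "
                        "hmac-md5: " + str(s["mobile-ip mn-ha-hash-algorithm"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```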
ip user-datagram-tos copy

Controls copying of the IP TOS octet value from IPv4/IPv6 datagrams to the IP header in tunnel encapsulation. This is disabled by default.

Platform:

ASR 5000

Product:

PDSN, HA


Privilege:

Security Administrator, Administrator


Syntax
ip user-datagram-tos copy [ access-link-tunnel | both | data-tunnel ]
no ip user-datagram-tos copy
no

Disables copying of the IP TOS octet value to all tunnel encapsulation IP headers.

ip user-datagram-tos copy

Enables copying of the IP TOS octet value to all tunnel encapsulation IP headers.

access-link-tunnel

Copies the IP TOS octet value to the tunnel encapsulation IP header on the access side (RP) tunnel.

both

Uses both the access-link-tunnel and data-tunnel.

data-tunnel

Copies the IP TOS octet value to the tunnel encapsulation IP header on the MIP data tunnel or L3 tunnel (IP-in-IP, GRE).


Usage:

Use this command to enable the copying of the IP TOS octet value to the tunnel encapsulation IP header.

This functionality allows PCF to detect special TOS marking in the outer IP header of A11 packets and to identify certain packets as QChat control messages. The Base Station Controller/Packet Control Function (BSC/PCF) must give higher priority to QChat control messages.


Example:
The following command enables copying of the IP TOS octet value to the tunnel encapsulation IP header for the access side tunnel:
ip user-datagram-tos copy access-link-tunnel
The following command disables copying of the IP TOS octet value to all tunnel encapsulation IP headers:
no ip user-datagram-tos copy
ip vlan

Configures subscriber-to-Virtual LAN (VLAN) associations.

Platform:

ASR 5000

Product:

PDSN, HA


Privilege:

Security Administrator, Administrator


Syntax
ip vlan vlan-id
[ default | no ] ip vlan
default

Resets the VLAN ID to the default setting.

no

Disables the VLAN ID for the subscriber.

ip vlan vlan-id

Specifies the VLAN ID that is associated with the IP address for that session. vlan-id is an integer from 1 through 4094.


Usage:

This command configures the subscriber VLAN ID, which is used with the assigned address for the subscriber session to receive packets. If the IP pool from which the address is assigned is configured with a VLAN ID, this subscriber-configured VLAN ID overrides it.

Subscriber traffic can be routed to specific VLANs based on the configuration of their user profile. Using this functionality provides a mechanism for routing all traffic from a subscriber over the specified VLAN. All packets destined for the subscriber must also be sent using only IP addresses valid on the VLAN or they will be dropped.


Example:
Set the VLAN ID to the default setting by entering the following command:
default ip vlan
ipv6 access-group

Configures the IPv6 access group for a subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN, ASN-GW, P-GW


Privilege:

Security Administrator, Administrator


Syntax
ipv6 access-group name [ in | out ]
ipv6 access-group name

Defines the access group name. name is an alphanumeric string of 1 through 47 characters.

in

Defines the access group as inbound.

out

Defines the access group as outbound.


Usage:

Used to create an access group for a subscriber.


Example:
The following command provides an example of an IPv6 access group with the name list_1:
ipv6 access-group list_1
ipv6 address

Configures a static IP address for use by the subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN, ASN-GW, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipv6 address { prefix address | prefix-pool name }
no

Deletes a previously configured IPv6 address.

ipv6 address address

Specifies an IPv6 address. address is entered using IPv6 colon-separated-hexadecimal notation.

prefix

Specifies a static IPv6 address.

prefix-pool name

Specifies an IPv6 prefix pool name. name is an alphanumeric string of 1 through 31 characters.


Usage:

Use this command to assign a static IPv6 address to the subscriber. This address will be used each time the subscriber establishes data sessions.


Example:
The following command configures a static IP address of 2001:4A2B::1f3F with a mask length of 24 to the subscriber:
ipv6 address 2001:4A2B::1f3F/24
ipv6 dns

Configures the IPv6 Domain Name Service (DNS) servers.

Platform:

ASR 5000

Product:

PDSN, GGSN, ASN-GW, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipv6 dns { primary | secondary } { ipv6_dns_address }
no

Deletes a previously configured DNS server.

ipv6 dns ipv6_dns_address

Specifies an IP address for the DNS server. ipv6_dns_address is entered using IPv6 colon-separated-hexadecimal notation.

primary

Configures the primary DNS server for the subscriber.

secondary

Configures the secondary DNS server for the subscriber. Only one secondary DNS server can be configured.

ipv6_dns_address

Configures the IP address of the DNS server.


Usage:

DNS servers are configured on a per subscriber basis. This allows each subscriber to use specific servers.


Example:
The following command provides an example of setting the primary IPv6 DNS server:
ipv6 dns primary fe80::c0a8:a04
ipv6 dns-proxy

Configures the system to act as a domain name server proxy for the current subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN, ASN-GW, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] ipv6 dns-proxy
default

Disables IPv6 DNS proxy functionality for a subscriber.

no

Removes the pre-enabled functionality of IPv6 DNS proxy for a subscriber.

ipv6 dns-proxy

Enables IPv6 DNS proxy functionality for a subscriber. If enabled, the system will act as a proxy DNS server.

Default: disabled.


Usage:

Used to enable or disable IPv6 DNS proxy for the subscriber. When enabled, the PDSN acts as a proxy DNS server for DNS IPv6 queries coming from the mobile station to the PDSN’s local PPP link address.


Example:
The following command disables the IPv6 DNS proxy function for the subscriber:
no ipv6 dns-proxy
ipv6 egress-address-filtering

Configures the system to perform egress address filtering for the subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN, ASN-GW, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipv6 egress-address-filtering
no

Disables IPv6 egress address filtering.

ipv6 egress-address-filtering

Enables IPv6 egress address filtering.


Usage:

Used to enable the filtering of packets that arrive from the Internet to a particular site.


Example:
The following command disables egress address filtering:
no ipv6 egress-address-filtering
ipv6 initial-router-advt

Creates an IPv6 initial router advertisement interval for the subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN, ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
ipv6 initial-router-advt { interval value | num-advts value }
default ipv6 initial-router-advt { interval | num-advts }
default

Resets the command to its default settings.

no ipv6 initial-router-advt router-solicit-wait-timeout

Disables the timer that waits for a router solicitation and sends the initial router advertisement immediately once the session is up.

ipv6 initial-router-advt

Enables an initial router advertisement interval in milliseconds.

interval value

Default: 3000

The interval, in milliseconds, at which the initial IPv6 router advertisement is sent to the mobile node.

value is an integer between 100 and 16000 milliseconds.

num-advts value

Default: 3

The number of initial IPv6 router advertisements sent to the mobile node. value is an integer between 1 and 16.


Usage:

This command is used to set the advertisement interval and the number of advertisements. Using a smaller advertisement interval increases the likelihood of the router being discovered more quickly when it first becomes available.


Example:
The following command specifies the initial ipv6 router interval to be 2000ms:
ipv6 initial-router-advt interval 2000
ipv6 interface-id

Provides an IPv6 interface identifier for the subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN, ASN-GW, P-GW


Privilege:

Security Administrator, Administrator


Syntax
ipv6 interface-id ifid
[ default | no ] ipv6 interface-id
default

No interface ID set for IPv6CP negotiation to subscriber.

no

Deletes a previously configured IPv6 interface ID.

interface-id ifid

Specifies the interface ID assigned to the Mobile during IPv6 Control Protocol (IPv6CP) negotiation. ifid is a 64-bit unsigned integer.


Usage:

Used to provide an IPv6 ifid for the subscriber when using IPv6-to-IPv4 (6to4) routing.


Example:
The following command provides an example of assigning an IPv6 interface ID of 00-00-00-05-47-00-37-44 to the subscriber:
ipv6 interface-id 00-00-00-05-47-00-37-44
ipv6 minimum-link-mtu

Configures the IPv6 minimum link maximum transmission unit (MTU) value.

Platform:

ASR 5000

Product:

PDSN, GGSN, ASN-GW, P-GW


Privilege:

Security Administrator, Administrator


Syntax
ipv6 minimum-link-mtu value
default ipv6 minimum-link-mtu
default

Resets minimum link MTU to its default setting: 1280.

ipv6 minimum-link-mtu value

Specifies the MTU (in bytes) as a minimum link value. value is an integer between 100 and 2000.


Usage:

Used to override the IPv6 minimum link MTU values recommended by the standard.


Example:
The following command provides an example of assigning an IPv6 minimum link MTU of 1580 to the subscriber:
ipv6 minimum-link-mtu 1580
ipv6 secondary-address

Configures additional IPv6 4-bit prefixes to the subscriber session.

Platform:

ASR 5000

Product:

PDSN, GGSN, ASN-GW, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipv6 secondary-address { prefix ipv6_address_prefix | prefix-pool pool_name }
no

Deletes a previously configured ipv6 secondary address.

ipv6 secondary-address ipv6_address_pref

Specifies the secondary IPv6 address using IPv6 colon-separated-hexadecimal notation.

pool_name

Specifies the name given to the secondary address prefix pool as an alphanumeric string of 1 through 31 characters.


Usage:

An IPv6 prefix pool name may be configured for a dynamic prefix, while the prefix is static. This command may be executed multiple times to configure multiple prefixes.


Example:
The following command assigns an IPv6 secondary address prefix-pool name of eastcoast to the subscriber:
ipv6 secondary-address prefix-pool eastcoast
l2tp send accounting-correlation-info

Enables the sending of accounting correlation information (Correlation-Id, NAS-IP-Address and NAS-ID) by the L2TP Access Concentrator (LAC) in L2TP control messages (ICRQ) during session setup to an L2TP Network Server (LNS).

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
[ no | default ] l2tp send accounting-correlation-info
no

Disables the sending of accounting correlation information by the LAC.

default

Restores the default setting: disabled.

l2tp send accounting-correlation-info

Enables the sending of accounting correlation information by the LAC.


Usage:

Use this command to enable the LAC to send accounting correlation information (Correlation-Id, NAS-IP-Address and NAS-ID) in L2TP control message (ICRQ) during session setup to LNS for this subscriber. LNS can be configured to include this information in ACS billing records, so that billing servers can easily correlate accounting records from PDSN/LAC and LNS.

By default, this mode is disabled.


Example:
The following command disables the inclusion of accounting correlation information in control messages during session setup to an LNS for a subscriber:
default l2tp send accounting-correlation-info
l3-to-l2-tunnel address-policy

Configures the subscriber address allocation/validation policy when subscriber Layer 3 (IPv4) sessions are tunneled using Layer 2 tunneling protocol (L2TP).

Platform:

ASR 5000

Product:

HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
l3-to-l2-tunnel address-policy { alloc-only | alloc-validate | no-alloc-validate }
default l3-to-l2-tunnel address-policy
default

Restores the default value for Layer 3-to-Layer 2 tunnel addressing: no-alloc-validate.

l3-to-l2-tunnel address-policy

Sets the policy for Layer 3-to-Layer 2 sessions to one of the following options.

alloc-only

Only allocates an address in the case of dynamic address assignment. Does not validate static addresses.

alloc-validate

Locally allocates and validates the subscriber addresses.

no-alloc-validate

Does not allocate or validate subscriber addresses locally for the current subscriber's sessions. Passes the address between the remote tunnel terminator and the Mobile Node. This is the default behavior.


Usage:

Use this command to configure the L3 to L2 tunnel address policy for MIP HA sessions tunneled from the system using L2TP tunnels or for GGSN IP Context sessions tunneled using L2TP to a remote LNS. Also refer to the resource keyword of the Context Configuration mode ip pool command.


Example:
The following command sets the L3-to-L2 tunnel address policy so that the current subscriber must have IP addresses allocated and validated locally on the system:
l3-to-l2-tunnel address-policy alloc-validate
loadbalance-tunnel-peers

Configures the load balancing of traffic bound for L2TP tunnels configured on the system for the selected subscriber.

Platform:

ASR 5000

Product:

L2TP


Privilege:

Security Administrator, Administrator


Syntax
loadbalance-tunnel-peers { balanced | prioritized | random }
loadbalance-tunnel-peers

Enables load balancing of L2TP traffic using one of the methods described below.

balanced

Enables the equal use of all configured tunnel peers (LNSs) for the selected subscriber.

prioritized

Enables the use of all configured tunnel peers (LNSs) for the selected subscriber based on the preference number assigned to the peer address.

random

Default: Enabled

Enables the random use of all configured tunnel peers (LNSs) for the selected subscriber.


Usage:

Use to manage traffic loads on L2TP Access Concentrator (LAC) ports and their respective L2TP Network Servers (LNSs).


Example:
Use the following command to randomly use all configured tunnel peers (LNSs):
loadbalance-tunnel-peers random
long-duration-action

Specifies what action is taken when the long duration timer expires.

Platform:

ASR 5000

Product:

All


Privilege:

Administrator


Syntax
long-duration-action { detection | disconnection  [ dormant-only ] [ suppress-notification ] }
detection

Default: Enabled

Detects long duration sessions and sends SNMP TRAP and CORBA notification. This is the default behavior.

Use this command to detect a session exceeding the limit set by the long duration timer.

disconnection [ dormant-only ] [ suppress-notification ]

Default: Disabled

Detects a long duration session and disconnects the session after sending SNMP trap and CORBA notification.

suppress-notification: Suppresses the SNMP trap and CORBA notification after detecting and disconnecting a long duration session. Default: Disabled

dormant-only: Disconnects dormant sessions after the long duration timer and the inactivity time with idle time-out duration expire. If the long duration timeout fires and the call is not dormant, the call is disconnected when it later moves to dormancy.

IMPORTANT:

For HA calls, the inactivity-time is considered as gauge for dormancy.

It sends the SNMP trap and CORBA notification after disconnecting a long duration session. Default: Disabled


Usage:

Use this command to determine what action is taken when a session exceeds the limit set by the long duration timer.


Example:
Use the following command to enable disconnecting sessions that exceed the long duration timer:
long-duration-action disconnection
Use the following command to disconnect sessions that exceed the long duration timer without sending SNMP trap and CORBA notification:
long-duration-action disconnection suppress-notification
Use the following command to disconnect sessions that are dormant and exceed the long duration timer, and to send SNMP trap and CORBA notification:
long-duration-action disconnection dormant-only

Note that in case of HA calls, the inactivity-time is considered as gauge for dormancy.

mediation-device

Enables the use of a mediation device for subscribers, and specifies the system context to use for communicating with the device. A mediation device can be the initial point of contact for all IT systems that need to receive Charging Data Records (CDRs). Mediation devices can also be deep-packet inspection servers or transaction control servers.

Platform:

ASR 5000

Product:

GGSN, P-GW, PDG/TTG


Privilege:

Security Administrator, Administrator


Syntax
mediation-device context-name <context-name> [ no-interims ]
[ no | default ] mediation-device
no

Deletes the mediation-device configuration.

default

Changes the mediation device to no context-name configured and restores the mediation device’s default properties.

mediation-device context-name context-name

Default: The subscriber’s destination context.

Configures the mediation VPN context for the subscriber.

context-name must be an alphanumeric string of 1 through 79 characters that is case sensitive. If not specified, the mediation context is same as the destination context of the subscriber.

no-interims

Disables sending of Interim messages to the mediation device.

Default: Disabled


Usage:

This command is used to enable mediation device support for subscribers.

Keywords to this command can be used in combination with each other, depending on configuration requirements.


Example:
The following command enables mediation device support for the subscriber and uses the protocol configuration located in a system context called ggsn1:
mediation-device context-name ggsn1
mobile-ip

Enables or disables access to mobile IP services by the subscriber.

Platform:

ASR 5000

Product:

HA, FA


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mobile-ip { allow-aaa-address-assignment | dns-address source-priority { aaa | home-agent } | gratuitous-arp aggressive | home-agent ip_address [alternate] | match-aaa-assigned-address | mn-aaa-removal-indication | mn-ha-hash-algorithm { hmac-md5 | md5 | rfc2002-md5 } | mn-ha-shared-key key | mn-ha-spi spi_num | reverse-tunnel | security-level { ipsec | none } | send {access-technology | accounting-correlation-info bsid | dns-address | host-config | imsi | terminal-verification } }
no

Disables the mobile IP option specified.

allow-aaa-address-assignment

Default: Disabled.

Enables the FA to accept a home address assigned by an AAA server. This should only be configured on the FA side.

dns-address source-priority { aaa | home-agent }

Sets the priority behavior on the FA to use either the DNS IP address information from the HA or the AAA server to include in the RRP to the MN.

When the no keyword is used in conjunction with the dns-address keyword, information received from both the home-agent and the AAA server is sent if available.

DNS IP address information from the HA comes from the DNS Normal Vendor/Organization Specific Extension (NVSE) in the Registry Registrar Protocol (RRP).

DNS IP address information from the AAA server is in the access accept message.

home-agent: If the DNS address is received from the home-agent only that information is sent to the MN. Otherwise the DNS address received from the AAA server is sent.

aaa: If the DNS address is received from the AAA server only that information is sent to MN. Otherwise the DNS address received from the home-agent is sent.

gratuitous-arp aggressive

Default: Disabled.

When enabled, this mode will cause the HA to send out gratuitous ARP (Address Resolution Protocol) messages for all Mobile IP (MIP) registration renewals and handoffs.

To disable this mode, use the no form of this command.

IMPORTANT:

This mode will only work for IP addresses that have been assigned from a static IP address pool.

home-agent ip_address [alternate]

Specifies the IP address of the mobile IP user’s home agent. ip_address must be entered using IPv4 dotted-decimal or IPv6 colon-separated notation.

alternate - Specifies the secondary, or alternate, Home Agent to use when Proxy Mobile IP HA Failover is enabled.

match-aaa-assigned-address

Default: Disabled.

Enables the FA to validate the home address in the RRQ against the one assigned by AAA server. This should only be configured on the FA side.

mn-aaa-removal-indication

Default: Disabled.

When enabled, the MN-FA challenge and MN-AAA Authentication extensions are removed when relaying a Registration Request (RRQ) to the Home Agent (HA).

mn-ha-hash-algorithm { hmac-md5 | md5 | rfc2002-md5 }

Specifies the encryption algorithm to use.

Default: hmac-md5

hmac-md5: Uses HMAC-MD5 hash algorithm, as defined in RFC-2002bis. This is the default algorithm.

md5: Uses the MD-5 hash algorithm.

rfc2002-md5: Uses the MD-5 hash algorithm variant as defined in RFC-2002.

mn-ha-shared-key key

Verifies the MN-HA Authentication for a local subscriber in the current context. key is an alphanumeric string or a hexadecimal number beginning with "0x" up to 127 bytes.

mn-ha-spi spi_num

Specifies the Security Parameter Index (SPI) number. spi_num must be an integer from 256 through 4294967295.

reverse-tunnel

Default: enabled.

Allows the mobile IP user to use reverse IP tunnels. The no keyword disables this option.

security-level { ipsec | none }

Default: none

Configures the security level needed for the subscriber's traffic.

ipsec: secures both MIP control and data traffic with IPSec.

none: none of the traffic is secured.

IMPORTANT:

This keyword corresponds to the 3GPP2-Security-Level RADIUS attribute. This attribute indicates the type of security that the home network mandates on the visited network.

IMPORTANT:

For this attribute, the integer value “3” enables IPSec for tunnels and registration messages, and “4” disables IPSec.

send {access-technology | accounting-correlation-info bsid | dns-address | host-config | imsi | terminal-verification }

access-technology: Configures the FA to send the access-technology type extension in the RRQ. Default is disabled.

accounting-correlation-info: Configures whether the FA sends the correlation info to the NVSE in the RRQ. Default is disabled.

dns-address: Enables the HA to send the DNS address NVSE in the RRP. Default is disabled. This should only be enabled on the HA side.

host-config: Configures sending of the Host Config NVSE in the RRQ. By default it is disabled.

imsi: Configures sending the IMSI NVSE in the RRQ. Default is sending IMSI in custom-1 format.

terminal-verification: Enables the FA to send the terminal verification NVSE in the RRQ. Default is disabled. This should only be enabled on the FA side.

IMPORTANT:

send dns-address is a proprietary feature developed for a specific purpose and requires the MN to be able to renegotiate IPCP for DNS addresses and reregister MIP if necessary. Since this feature needs the MN to support certain PPP/MIP behavior, and not all MNs support that particular behavior, send dns-address should be enabled only after careful consideration.


Usage:

Use as subscriber service contracts change.


Example:
mobile-ip home-agent 10.2.3.4
no mobile-ip reverse-tunnel
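
The mn-ha-hash-algorithm, mn-ha-shared-key and mn-ha-spi keywords above together define the MN-HA security association. The following Python code is an added example (not part of the original page and not vendor code) showing how the authenticator in the MN-HA Authentication Extension of a Registration Request is computed and verified with HMAC-MD5 and with the RFC 2002 prefix+suffix keyed MD5. The addresses, key and identification value are constructed, the extension is assumed to be the last one in the message, and the md5 keyword is not modelled because the page does not define its construction.

```python
import hashlib
import hmac
import socket
import struct

MN_HA_AUTH_EXT = 32   # MN-HA Authentication Extension type (RFC 3344)
DIGEST_LEN = 16       # MD5 digest size in bytes
RRQ_FIXED_LEN = 24    # fixed part of a Registration Request
EXT_HDR_LEN = 6       # type (1) + length (1) + SPI (4)


def parse_key(text):
    """Convert an mn-ha-shared-key value to bytes: "0x..." is hex, otherwise ASCII."""
    if text.lower().startswith("0x"):
        key = bytes.fromhex(text[2:])
    else:
        key = text.encode("ascii")
    if not 1 <= len(key) <= 127:
        raise ValueError("shared key must be 1 to 127 bytes")
    return key


def build_rrq(home_addr, home_agent, care_of, lifetime, ident):
    """Fixed 24-byte part of a Mobile IP Registration Request (type 1)."""
    return struct.pack(
        "!BBH4s4s4s8s",
        1,                              # Type: Registration Request
        0,                              # flags: none set in this sample
        lifetime,
        socket.inet_aton(home_addr),
        socket.inet_aton(home_agent),
        socket.inet_aton(care_of),
        ident,                          # 8-byte Identification (replay protection)
    )


def authenticator(algorithm, key, protected):
    """Digest over the protected bytes under the configured hash algorithm."""
    if algorithm == "hmac-md5":         # default on this page
        return hmac.new(key, protected, hashlib.md5).digest()
    if algorithm == "rfc2002-md5":      # MD5(key || data || key)
        return hashlib.md5(key + protected + key).digest()
    raise ValueError("algorithm not modelled in this example: " + algorithm)


def sign(rrq, spi, key, algorithm):
    """Append the MN-HA Authentication Extension to a Registration Request."""
    if not 256 <= spi <= 4294967295:    # range documented for mn-ha-spi
        raise ValueError("SPI out of range")
    ext_hdr = struct.pack("!BBI", MN_HA_AUTH_EXT, 4 + DIGEST_LEN, spi)
    # Protected data: the request, then the extension's type, length and SPI.
    return rrq + ext_hdr + authenticator(algorithm, key, rrq + ext_hdr)


def verify(message, expected_spi, key, algorithm):
    """Check the trailing MN-HA extension the way a receiving HA would."""
    hdr_at = len(message) - DIGEST_LEN - EXT_HDR_LEN
    if hdr_at < RRQ_FIXED_LEN:
        return False
    ext_type, ext_len, spi = struct.unpack_from("!BBI", message, hdr_at)
    if (ext_type, ext_len, spi) != (MN_HA_AUTH_EXT, 4 + DIGEST_LEN, expected_spi):
        return False
    expected = authenticator(algorithm, key, message[:hdr_at + EXT_HDR_LEN])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, message[-DIGEST_LEN:])


# Constructed sample values (not from the page, except the home agent 10.2.3.4).
SAMPLE_KEY = parse_key("0x00112233445566778899aabbccddeeff")
SAMPLE_SPI = 256
SAMPLE_RRQ = build_rrq("10.2.3.50", "10.2.3.4", "192.0.2.10", 1800,
                       b"\x00\x00\x00\x01\x00\x00\x00\x01")

if __name__ == "__main__":
    msg = sign(SAMPLE_RRQ, SAMPLE_SPI, SAMPLE_KEY, "hmac-md5")
    print("valid:", verify(msg, SAMPLE_SPI, SAMPLE_KEY, "hmac-md5"))
    print("algorithm mismatch:", verify(msg, SAMPLE_SPI, SAMPLE_KEY, "rfc2002-md5"))
```

Both ends must be configured with the same key, SPI and hash algorithm; a mismatch in any of the three makes verification fail exactly as a tampered message does.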
mobile-ip ha

Accommodates two Mobile IP (MIP) Home Agent (HA) options in subscriber mode.

Platform:

ASR 5000

Product:

PDSN, HA, ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mobile-ip ha { assignment-table name | ignore-unknown-ha-addr-error }
no

Disables the mobile IP HA option specified.

assignment-table name

Specifies the name of an existing MIP HA Assignment table. name must be an alphanumeric string of 1 through 63 characters.

ignore-unknown-ha-addr-error

Default is disabled.

Enables or disables the HA to accept or reject the RRQ from a particular subscriber.


Usage:

Use this command to assign a MIP HA Assignment table to the current subscriber.

Use this command to disable or enable the HA to accept or reject the RRQ from a particular subscriber when the HA address in the incoming MIP RRQ is not the same as the HA service address. The feature is off by default which causes the RRQ to be rejected with the error code UNKNOWN_HOME_AGENT.


Example:
The following command assigns the MIP HA Assignment table named Atable1 to the current subscriber:
mobile-ip ha assignment-table Atable1
The following command sets ignore-unknown-ha-addr-error to its default disabled state:
no mobile-ip ha ignore-unknown-ha-addr-error
mobile-ip reg-lifetime-override

Overrides the Mobile IP (MIP) registration lifetime from the HA with the value configured for the subscriber.

Platform:

ASR 5000

Product:

PDSN, HA, ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
mobile-ip reg-lifetime-override [ dur | infinite ]
[ default | no ] mobile-ip reg-lifetime-override
mobile-ip reg-lifetime-override dur

Default: 100 seconds.

Overrides the MIP registration lifetime from HA for the specified period of time in seconds. dur must be an integer from 1 through 65534.

infinite

Sets the MIP registration lifetime override value to infinite for a particular subscriber.

default

Sets the value of mobile IP registration lifetime override option to 100 seconds.

no

Disables the MIP registration lifetime override option.


Usage:

Use this command to configure MIP registration-lifetime per realm/domain. This value overrides the default lifetime configured under HA service.


Example:
The following command overrides the MIP registration lifetime value from HA service and defaults the MIP registration lifetime to 100 seconds for the current subscriber:
default mobile-ip reg-lifetime-override
mobile-ip send accounting-correlation-info

Enables the sending of call correlation information Normal Vendor/Organization Specific Extensions (NVSEs) to the HA in the MIP Registry Registrar Protocol (RRP).

Platform:

ASR 5000

Product:

PDSN, HA


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] mobile-ip send accounting-correlation-info
default

Disables the support for sending call correlation information NVSEs to the HA in MIP RRQ.

This is the default mode.

no

Removes the configured support for sending call correlation information.


Usage:

Use this command to support PDSN-Correlation-ID VSE and send the call correlation information.


Example:
The following command enables sending call correlation information NVSEs to the HA in MIP RRQ:
mobile-ip send accounting-correlation-info
mobile-ipv6

Configures Mobile IPv6 related parameters for a subscriber.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] mobile-ipv6 { home-address ipv6_address | home-agent ipv6_address | home-link-prefix ipv6_address | tunnel mtu value }
default

Disables the support for sending call correlation information NVSEs to the HA in MIP RRQ.

This is the default mode.

no

Removes the configured support for sending call correlation information.

home-address ipv6_address

Specifies the home address for the subscriber. ipv6_address must be entered using IPv6 colon-separated-hexadecimal notation.

home-agent ipv6_address

Specifies the IPv6 address of the mobile IP user’s home agent. ipv6_address must be entered using IPv6 colon-separated-hexadecimal notation.

home-link-prefix ipv6_address

Specifies the IPv6 address of the mobile IP user’s home link. ipv6_address must be entered using IPv6 colon-separated-hexadecimal notation.

tunnel mtu value

Configures the tunnel MTU (in bytes) for the IPv6 tunnel between the HA and the mobile node. value must be an integer from 1024 through 2000. The default is 1500.


Usage:

This command sets the mobile-ipv6 parameters for a subscriber. Use this command to set the home-address, home-agent, and home-link prefix.


Example:
Use the following command to set the tunnel MTU value to 1800:
mobile-ipv6 tunnel mtu 1800
nai-construction-domain

After authentication, the domain name specified by this command replaces the Network Access Identifier (NAI) constructed for the subscriber.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
nai-construction-domain domain_name
no nai-construction-domain
nai-construction-domain domain_name

Defines the domain name to use to replace the NAI constructed domain name. domain_name must be an alphanumeric string of 1 through 79 characters.

no

Deletes the defined domain name.


Usage:

Define or delete a domain name to use to replace the NAI constructed domain name after authentication.


Example:
The following command sets the domain name to private1:
nai-construction-domain private1
To delete the previously configured domain name, use the following command:
no nai-construction-domain
nbns

Configures and enables use of NetBIOS Name Service for the subscriber.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
nbns { primary IPv4-address | secondary IPv4-address }
no nbns { primary [ IPv4-address ] | secondary [ IPv4-address ] }
nbns primary

Designates primary NBNS server. Must be followed with IPv4 address in dotted-decimal notation.

nbns secondary

Designates secondary/failover NBNS server. Must be followed with IPv4 address in dotted-decimal notation.

IPv4-address

Specifies the IP address used for this service using IPv4 dotted-decimal notation.

no

Removes/disables use of a previously configured NetBIOS Name Service.


Usage:

This command specifies NBNS parameters. The NBNS option is present for both PDP type IP and PDP type PPP for GGSN.

The system can be configured to use NetBIOS Name Service for the Access Point Name (APN).


Example:
The following command configures the subscriber’s NetBIOS Name Service to primary IP 192.168.1.15:
nbns primary 192.168.1.15
nexthop-forwarding-address

Configures the next hop forwarding address for the subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN, ASN-GW, P-GW


Privilege:

Security Administrator, Administrator


Syntax
nexthop-forwarding-address ip_address
no nexthop-forwarding-address
nexthop-forwarding-address ip_address

Configures the IP address of the nexthop forwarding address. ip_address must be entered using IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

no

Disables this function. This is the default setting.


Usage:

Use this command to configure the next hop forwarding address for the subscriber.


Example:
The following command configures the next hop forwarding address to 10.1.1.1 (IPv4):
nexthop-forwarding-address 10.1.1.1
npu qos

Configures a Network Processing Unit (NPU) QoS priority queue for packets from the subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN, ASN-GW, P-GW


Privilege:

Security Administrator, Administrator


Syntax
npu qos traffic priority { best-effort | bronze | derive-from-packet-dscp | gold | silver }
best-effort

Assigns the best-effort queue priority. This is the lowest priority.

bronze

Assigns the bronze queue priority. This is the third-highest priority.

derive-from-packet-dscp

Default: Enabled

Specifies that the priority is to be determined from the DS field in the packet's TOS octet.

gold

Assigns the gold queue priority. This is the highest priority.

silver

Assigns the silver queue priority. This is the second-highest priority.


Usage:

This command is used in conjunction with the Network Processing Unit (NPU) Quality of Service (QoS) functionality.

The system can be configured to determine the priority of a subscriber packet either based on the configuration of the subscriber, or from the differentiated service (DS) field in the packet's TOS octet (representing the differentiated service code point (DSCP) value).

Refer to the System Administration Guide for additional information on NPU QoS functionality.

IMPORTANT:

This functionality is not supported for use with the PDSN at this time.


Example:
The following command configures the subscriber’s priority queue to be gold:
npu qos traffic priority gold
nw-reachability-server

Binds the name of a configured network reachability server to the current subscriber and enables network reachability detection.

Platform:

ASR 5000

Product:

HA


Privilege:

Security Administrator, Administrator


Syntax
nw-reachability server server_name
no nw-reachability server
nw-reachability server server_name

Specifies the name of a network reachability server that has been defined in the current context. server_name is an alphanumeric string of 1 through 16 characters.

no nw-reachability server

Deletes the name of the network reachability server from the current subscriber's configuration and disables network reachability failure detection for the current subscriber.


Usage:

Use this command to define the network reachability server for the current subscriber and enable network reachability failure detection for the current subscriber. If a network reachability server is defined in an IP pool, that setting takes precedence over this command.

IMPORTANT:

Refer to the HA configuration mode command policy nw-reachability-fail to configure the action that should be taken when network reachability fails.

IMPORTANT:

Refer to the context configuration mode command nw-reachability server to configure network reachability servers.

IMPORTANT:

Refer to the nw-reachability server server_name keyword of the ip pool command in the Context Configuration Mode Commands chapter to bind the network reachability server to an IP pool.


Example:
To bind a network reachability server named InternetDevice to the current subscriber, enter the following command:
nw-reachability server InternetDevice
outbound

Configures the subscriber host password for use when authenticating PPP sessions.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
outbound [ encrypted ] password pwd
no outbound password
outbound [ encrypted ] password pwd

Specifies the password to use for point-to-point protocol session host authentication. The encrypted keyword indicates the password specified uses encryption.

The password specified as pwd must be an alphanumeric string of 1 through 63 characters without encryption, or 1 through 127 characters with encryption.

The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

no outbound password

Clears the outbound password configuration from the subscriber data.


Usage:

Sets the outbound (egress) password for increased security.


Example:
outbound password secretPwd
outbound encrypted password scrambledPwd
no outbound password
overload-disconnect

Sets the threshold parameter for overload disconnect.

Platform:

ASR 5000

Product:

ASN-GW, HA, PDIF, PDSN, PHS GW, PDG/TTG


Privilege:

Security Administrator, Administrator


Syntax
overload-disconnect [ threshold { inactivity-time inactivity_time_threshold | connect-time connect_time_threshold } ]
[ default | no ] overload-disconnect [ threshold { inactivity-time | threshold connect-time } ]
threshold inactivity-time inactivity_time_threshold

Sets the inactivity time threshold (in seconds) as an integer from 0 through 4294967295. The default value of zero disables this feature. If inactivity-time for the subscriber’s session is greater than inactivity_time_threshold, the session becomes a candidate for disconnection.

threshold connect-time connect_time_threshold

Sets the connection time threshold (in seconds) as an integer from 0 through 4294967295. A value of zero disables this feature. If connect-time for the subscriber’s session is greater than connect_time_threshold, the session becomes a candidate for disconnection.

default

Enables the default condition for this subscriber.

no

Disables the overload disconnect feature for this subscriber. This is the default condition for PDIF.


Usage:

Set a subscriber’s overload disconnect threshold in seconds, based on either inactivity or connection time. When this threshold is exceeded during a session, the subscriber’s session becomes a candidate for disconnection. To set overload-disconnect policies for the entire chassis, see congestion-control overload-disconnect in the Global Configuration Mode Commands chapter.


Example:
overload-disconnect threshold inactivity-time 120
default overload-disconnect threshold connect-time
no overload-disconnect threshold connect-time
no overload-disconnect
password

Configures the subscriber's password for the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ encrypted ] password pwd
no password
encrypted

Indicates the password provided is encrypted.

The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

pwd

Specifies the user’s password for authentication. pwd must be an alphanumeric string of 1 through 63 characters without encryption, or from 1 through 127 characters with encryption. A “null” password is allowed and is entered as consecutive double quotes (" "). See Example(s) for correct syntax.

IMPORTANT:

Subscribers configured with a null password will be authenticated using PAP and CHAP (MD5) only. Subscribers configured without a password (no password) will only be able to access services if the service is configured to allow no authentication.

no

Used to clear the subscriber password configuration from the subscriber data.

IMPORTANT:

Subscribers with no password will only be able to access services if the service is configured to grant access with no authentication.


Usage:

Password management is critical to system security and all precautions should be taken to ensure passwords are not shared or too easily deciphered.


Example:
password secretPwd
password ""
no password
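The following Python audit is an added example, not part of the original reference. It scans saved configuration text for the password states described for the password and outbound commands: no password, a null password, and a password line that lacks the encrypted keyword. The "subscriber name ... exit" block layout, the sample configuration and the finding codes are assumptions made for the example.

```python
"""Audit subscriber password statements in saved configuration text."""
import re
from dataclasses import dataclass

# Constructed sample. The "subscriber name <user> ... exit" layout and the
# encrypted strings are assumptions for this example, not taken from the page.
SAMPLE_CONFIG = """\
context ingress
  subscriber default
    no password
  exit
  subscriber name alice
    encrypted password 5c4a38dc2ff61f72
    outbound encrypted password 9be1c0aa41d7
  exit
  subscriber name bob
    password secretPwd
    outbound password secretPwd
  exit
  subscriber name carol
    password ""
  exit
  subscriber name dave
    ppp mtu 500
  exit
"""

SUB_START = re.compile(r"^subscriber\s+(?:default|name\s+(\S+))$")
PWD_SET = re.compile(r"^(outbound\s+)?(encrypted\s+)?password\s+(.+)$")
PWD_CLEAR = re.compile(r"^no\s+(outbound\s+)?password$")
NULL_PWD = re.compile(r'^"\s*"$')
MAX_LEN = {False: 63, True: 127}  # page limits: without / with encryption


@dataclass(frozen=True)
class Finding:
    subscriber: str
    line: int
    code: str
    detail: str


def audit(config_text):
    """Return a list of Finding objects in the order they are raised."""
    findings = []
    current, start, has_pwd = None, 0, False
    for num, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        begin = SUB_START.match(line)
        if begin:
            current, start, has_pwd = begin.group(1) or "default", num, False
            continue
        if current is None:
            continue                      # outside any subscriber block
        if line in ("exit", "#exit"):
            if not has_pwd:
                findings.append(Finding(current, start, "no-password",
                    "access only where the service allows no authentication"))
            current = None
            continue
        clear = PWD_CLEAR.match(line)
        if clear:
            if not clear.group(1):        # "no password", not "no outbound password"
                has_pwd = False
            continue
        stmt = PWD_SET.match(line)
        if not stmt:
            continue                      # some other subscriber command
        outbound, encrypted = bool(stmt.group(1)), bool(stmt.group(2))
        value = stmt.group(3)
        kind = "outbound" if outbound else "subscriber"
        if not outbound:
            has_pwd = True
        if not outbound and NULL_PWD.match(value):
            findings.append(Finding(current, num, "null-password",
                "null password: PAP and CHAP (MD5) authentication only"))
            continue
        if not encrypted:
            # The chassis saves only the encrypted form, so a plain-text value
            # in a file means the file was written or edited by hand.
            findings.append(Finding(current, num, "plaintext-in-file",
                f"{kind} password stored without the encrypted keyword"))
        if len(value) > MAX_LEN[encrypted]:
            findings.append(Finding(current, num, "too-long",
                f"{kind} password exceeds {MAX_LEN[encrypted]} characters"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line:>3}  {f.subscriber:<8} {f.code:<18} {f.detail}")
```

A subscriber block with no password statement at all is reported the same way as an explicit no password, since both leave the subscriber configured without a password.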
pdif mobile-ip

Configures PDIF subscriber call setup parameters.

Platform:

ASR 5000

Product:

PDIF


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] pdif mobile-ip { release-tia | required | simple-ip-fallback }
[ default | no ]

Disables the option specified.

release-tia

Specifies that after subscriber call setup is complete, the tunnel inner address (TIA) is released. If Simple IP is enabled, the TIA becomes the principal communications tunnel and the restriction that it is only to be used to set up a Mobile-IP call is lifted. This parameter is disabled by default.

required

Specifies that Mobile IP is required for this subscriber whenever a call is set up. This parameter is disabled by default.

simple-ip-fallback

Specifies that Simple IP should be used when Mobile IP could not be established. This parameter is disabled by default.


Usage:

Use this command to configure specific behavior for the PDIF subscriber during call setup.


Example:
The following command enables the system to fall back to Simple IP when Mobile IP fails for this subscriber during call setup:
pdif mobile-ip simple-ip-fallback
permission

Enables or disables the subscriber’s ability to access wireless data services.

Platform:

ASR 5000

Product:

PDSN, HA


Privilege:

Security Administrator, Administrator


Syntax
[ no ] permission { ha-mobile-ip | pdsn-mobile-ip | pdsn-simple-ip }
no

Disables the usage of the specified service.

ha-mobile-ip | pdsn-mobile-ip | pdsn-simple-ip

ha-mobile-ip: enables or disables the Home Agent (HA) support for Mobile IP (MIP) service.

pdsn-mobile-ip: enables or disables packet data and Foreign Agent (FA) support for MIP service.

pdsn-simple-ip: enables or disables packet data support for simple IP service.


Usage:

Grants the subscriber access to services in the current context.


Example:
permission pdsn-mobile-ip
no permission ha-mobile-ip
policy ipv6 tunnel

Sets maximum transmission unit (MTU) behavior for the IPv6 tunnel between the HA and Mobile Node.

Platform:

ASR 5000

Product:

PDSN, HA


Privilege:

Security Administrator, Administrator


Syntax
policy ipv6 tunnel mtu exceed { fragment | notify-sender }
mtu exceed { fragment | notify-sender }

fragment: Adjusts the tunnel MTU and fragments packets.

notify-sender: Sends an ICMPv6 Packet Too Big message to the original sender.


Usage:

Use this command to configure MTU behavior for an IPv6 tunnel between the HA and Mobile Node.


Example:
policy ipv6 tunnel mtu exceed fragment
policy-group

Assigns or removes a flow-based traffic policy group to a subscriber.

Platform:

ASR 5000

Product:

PDSN, HA, ASN-GW, HSGW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] policy-group policy_group_name direction { in | out }
no

Removes assigned policy group from a subscriber configuration.

policy-group policy_group_name

Specifies the traffic policy group name for a subscriber session flow pre-configured within a destination context. policy_group_name is an alphanumeric string of 1 through 15 characters that is case sensitive.

direction { in | out }
Specifies the direction of flow in which the traffic policies need to be applied.
  • in: specifies the incoming traffic
  • out: specifies the outgoing traffic

Usage:

Use this command to assign a traffic policy group to a subscriber for traffic policing.


Example:
policy-group traffic_policy_group1 direction in
ppp

Configures the point-to-point protocol (PPP) options for the current subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN


Privilege:

Security Administrator, Administrator


Syntax
ppp { accept-peer-ipv6-ifid | always-on-vse-packet | data-compression { mode { normal | stateless } | protocols { protocols [ protocols ] } | ip-header-compression negotiation { detect | force | vj compress-slot-id { both | none | receive | transmit } } | ipv4 { disable | enable | passive } | ipv6 { disable | enable | passive } | keepalive seconds | min-compression-size min_octets | mtu max_octets | remote-renegotiation disconnect { always | nai-prefix-msid-mismatch } }
default ppp { accept-peer-ipv6-ifid | always-on-vse-packet | data-compression { mode | protocols } | ip-header-compression negotiation [ vj compress-slot-id ] | ipv4 | ipv6 | keepalive | min-compression-size | mtu | remote-renegotiation disconnect }
no ppp { accept-peer-ipv6-ifid | always-on-vse-packet | data-compression protocols | ipv4 | ipv6 | keepalive | mtu | remote-renegotiation disconnect }
default

Restores the default value for the option specified.

no

Resets the option specified to its default.

always-on-vse-packet

Default: Enabled

If this feature is enabled, the PDSN sends special 3GPP2 VSE PPP packets to the Mobile Node with a maximum inactivity timer value. This configuration is applicable only for PDSN sessions.

accept-peer-ipv6-ifid

Default: None

Configures an IPv6-to-IPv4 (6to4) tunnel and controls the behavior of IPv6CP negotiation for the Interface ID. If enabled, PDSN will accept a valid interface-id proposed by the peer.

data-compression { mode { normal | stateless } | protocols { protocols [ protocols ] }

Default: all protocols enabled.

Specifies the subscriber’s mode of data compression or the compression protocol to use.

mode: sets the mode of compression where modes must be one of:
  • normal: Packets are compressed using the packet history for automatic adjustment for best compression.
  • stateless: Each packet is compressed individually.
protocols protocols: sets the compression protocol where protocols must be one of:
  • deflate: DEFLATE algorithm
  • mppc: Microsoft PPP algorithm
  • stac: STAC algorithm
ip-header-compression negotiation { detect | force | vj compress-slot-id { both | none | receive | transmit } }

Default: force

detect: The local side does not include the Van Jacobson (VJ) Compression option in its IPCP configuration request unless the peer sends an Internet Protocol Control Protocol (IPCP) NAK including a VJ compression option. If the peer requests the VJ compression option in its IPCP request the local side will ACK/NAK.

force: The IP header compression negotiation in IPCP happens normally. The local side requests the VJ compression option in its IPCP configure request. If the peer side requests VJ compression in its IPCP request, the local side will ACK/NAK the option.

vj compress-slot-id [ both | none | receive | transmit ]: Configures the direction in which VJ slotid compression should be negotiated.
  • both - If the client proposes VJ slotid compression, accept it and propose slotid compression for the downlink and uplink.
  • none - If the client proposes VJ slotid compression, NAK the offer, do not propose slotid compression for the downlink.
  • receive - (Default) If the client proposes VJ slotid compression in the uplink direction accept the configuration.
  • transmit - Propose VJ slotid compression for uplink.
ipv4 { disable | enable | passive }

Default: enable

Controls IPCP negotiation during PPP negotiation.

disable: The PDSN does not negotiate IPCP with the mobile.

enable: The PDSN negotiates IPCP with the mobile.

passive: The PDSN initiates IPCP only when the mobile sends an IPCP request.

ipv6 { disable | enable | passive }

Default: enable

Controls IPv6CP negotiation during PPP negotiation.

disable: The PDSN does not negotiate IPCP with the mobile.

enable: The PDSN negotiates IPCP with the mobile.

passive: The PDSN initiates IPCP only when the mobile sends an IPCP request.

keepalive seconds

Default: 30

Specifies the frequency of sending the Link Control Protocol keepalive messages. seconds must be either 0 or an integer from 5 through 14400. The special value 0 disables the keepalive messages entirely.

min-compression-size min_octets

Default: 128

Specifies the smallest packet (in octets) to which compression may be applied. min_octets must be an integer from 0 through 2000.

mtu max_octets

Default: 1500

Specifies the maximum transmission unit (MTU) [in octets] for packets. max_octets must be an integer from 100 through 2000.

remote-renegotiation disconnect { always | nai-prefix-msid-mismatch }

Default: Disabled

Terminates the already established PPP sessions if they are renegotiated by the remote side by sending LCP Conf-req/nak/ack. The following termination conditions are available:
  • always: Automatically disconnects the session.
  • nai-prefix-msid-mismatch: Disconnects the session only if the MSID of the session does not match NAI-Prefix (prefix before “@” for the NAI). The configuration of the renegotiated (new) NAI is used for the matching process.

Usage:

Adjust packet sizes and compression to improve bandwidth utilization. Each network may have unique characteristics such that determining the best packet size and compression options may require system monitoring over an extended period of time.


Example:
ppp data-compression mode stateless
ppp mtu 500
no ppp data-compression protocols
no ppp keepalive
prepaid 3gpp2

Enables 3GPP2 compliant prepaid billing support for a subscriber to be configured by 3GPP2 attributes sent from a RADIUS server. If not enabled, prepaid attributes received from the RADIUS server are ignored.

Platform:

ASR 5000

Product:

PDSN, HA


Privilege:

Security Administrator, Administrator


Syntax
prepaid 3gpp2 { accounting [ no-final-access-request ] | duration-quota final-duration-algorithm { current-time | last-airlink-activity-time | last-user-layer3-activity-time } | preference { duration | volume } }
default prepaid 3gpp2 { duration-quota final-duration-algorithm | preference }
no prepaid 3gpp2 accounting
default prepaid 3gpp2 { duration-quota final-duration-algorithm | preference }

Sets the 3GPP2 Pre-paid settings to the default values.

duration-quota final-duration-algorithm: Resets the end of billing duration quota algorithm to the default of current-time.

preference: Resets the preference to duration, if both duration and volume attributes are present.

no prepaid 3gpp2 accounting

Disables 3GPP2 prepaid accounting. All 3GPP2 Prepaid attributes received from a RADIUS server are ignored.

accounting [ no-final-access-request ]

Default: Disabled

Enables 3GPP2 prepaid accounting behavior.

Sets the low-watermark for remaining byte credits. percentage is a percentage of the subscriber session's total credits. When the low-watermark is reached, a new RADIUS access-request is sent to the RADIUS server to retrieve more credits. percentage must be an integer from 1 through 99.

no-final-access-request: Stops sending final online access-request on termination of 3GPP2 prepaid sessions. By default, this option is disabled.

duration-quota final-duration-algorithm { current-time | last-airlink-activity-time | last-user-layer3-activity-time }

Defines what behavior marks the end of the billing duration for duration-based quota usage accounting. The default behavior sets the duration quota algorithm to current-time.

Default: current-time

current-time: Selects the duration quota as the difference between the session termination timestamp and the session setup timestamp.

last-airlink-activity-time: Selects the duration quota as the difference between the last-user-activity timestamp (G17) and the session setup timestamp.

last-user-layer3-activity-time: Selects the duration quota as the difference between the timestamp of the last layer-3 packet sent to or received from the user and the session setup timestamp.

preference { duration | volume }

If both duration and volume RADIUS attributes are present this keyword specifies which attribute has precedence.

Default: duration

duration: The duration attribute takes precedence.

volume: The volume attribute takes precedence.


Usage:

Use this command to enable prepaid support for a default user or for the default user of a domain alias.


Example:
The following command enables 3GPP2 prepaid support for the default user:
prepaid 3gpp2 accounting
prepaid custom

Enables custom prepaid billing support for a subscriber to be configured by attributes sent from a RADIUS server. If not enabled, prepaid attributes received from the RADIUS server are ignored. The keywords set prepaid values that are used if the corresponding RADIUS attribute is not present. If the RADIUS attribute is present, it takes precedence over these values.

Platform:

ASR 5000

Product:

PDSN, HA


Privilege:

Security Administrator, Administrator


Syntax
prepaid custom { accounting | byte-count compressed | low-watermark percent percentage | renewal interval seconds } | preference { duration | volume }
default prepaid custom { byte-count | low-watermark }
no prepaid custom { accounting | byte-count compressed | low-watermark | renewal }
default prepaid custom { byte-count | low-watermark }

Resets custom prepaid settings to the default values.

byte-count: Resets to the default of basing the prepaid byte credits on the flow of uncompressed traffic.

low-watermark: Disables sending an access request to retrieve more credits when a low watermark is reached.

no prepaid custom { accounting | byte-count compressed | low-watermark | renewal}

byte-count compressed: The prepaid byte credits are based on the flow of uncompressed traffic. This is the default.

low-watermark: Disables the low watermark feature. An access-request is not sent to the RADIUS server until the credits granted for the subscriber session are depleted.

renewal: Disables time-based renewals for prepaid accounting.

accounting

Default: Disabled

Enables custom prepaid accounting behavior.

byte-count compressed

Default: uncompressed.

When compression is used, the prepaid byte credits are based on the flow of compressed traffic. The default is to base the prepaid byte credits on the flow of uncompressed traffic.

low-watermark percent percentage

Default: Disabled.

Sets the low-watermark for remaining byte credits. percentage is a percentage of the subscriber session's total credits. When the low-watermark is reached, a new RADIUS access-request is sent to the RADIUS server to retrieve more credits. percentage must be an integer from 1 through 99.

renewal interval seconds

Default:

The time in seconds to wait before sending a new RADIUS access-request to the RADIUS server to retrieve more credits. seconds must be an integer from 60 through 65535.

preference { duration | volume }

If both duration and volume RADIUS attributes are present this keyword specifies which attribute has precedence.

Default: duration

duration: The duration attribute takes precedence.

volume: The volume attribute takes precedence.


Usage:

Use this command to enable prepaid support for a default user or for the default user of a domain alias.


Example:
The following command enables custom prepaid support for the default user:
prepaid custom accounting
prepaid unclassify

This command provides customer specific functionality.

prepaid voice-push

This command provides customer specific functionality.

prepaid wimax

Enables WiMAX prepaid accounting for this subscriber. This feature is disabled by default.

Platform:

ASR 5000

Product:

ASN-GW


Privilege:

Administrator


Syntax
[ no ] prepaid wimax accounting
no

Disables WiMAX prepaid accounting for this subscriber.


Usage:

Use this command to enable WiMAX prepaid accounting for this subscriber.

proxy-dns intercept list-name

Identifies a proxy DNS intercept rules list for the selected subscriber.

Platform:

ASR 5000

Product:

HA


Privilege:

Security Administrator, Administrator


Syntax
[ no ] proxy-dns intercept list-name name
no

Removes the intercept list from the subscriber's profile.

proxy-dns intercept list-name name

Specifies a name of a proxy DNS intercept list used for the selected subscriber.

name is the name of the intercept list expressed as an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to identify a proxy DNS rules list for the selected subscriber. For a more detailed explanation of the HA Proxy DNS Intercept feature, see the proxy-dns intercept-list command in the Context Configuration Mode Commands chapter.

proxy-mip

Configures support for Proxy Mobile IP for the subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN, ASN-GW, PDIF


Privilege:

Security Administrator, Administrator


Syntax
[ no ] proxy-mip required
no

Disables support for Proxy Mobile IP.

required

Enables support for Proxy Mobile IP.


Usage:

When enabled through the session license and feature use key, the system supports Proxy Mobile IP to provide a mobility solution for subscribers with mobile nodes (MNs) capable of supporting only Simple IP.

For subscriber sessions using Proxy Mobile IP, R-P and PPP sessions are established as they would for a Simple IP session. However, the AGW/FA performs Mobile IP operations with an HA (identified by information stored in the subscriber’s profile) on behalf of the MN while the MN performs only Simple IP processes.


Example:
The following command enables proxy mobile IP for the current subscriber:
proxy-mip required
qos rate-limit

Configures the action on subscriber traffic flow that violates or exceeds the peak/committed data rate under traffic policing functionality. When configured, the PDG/TTG performs traffic policing for the subscriber session. If the GGSN changes the QoS via an Update PDP Context Request, the PDG/TTG uses the new QoS values for traffic policing.

Platform:

ASR 5000

Product:

PDG/TTG


Privilege:

Security Administrator, Administrator

Syntax

qos rate-limit { downlink | uplink } [ qci qci_val ] [ burst-size { bytes | auto-readjust [ duration dur ] } ] [ exceed-action { drop | lower-ip-precedence | transmit } [ violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit } ] ] | [ violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit } [ exceed-action { drop | lower-ip-precedence | transmit } ] ] +
no qos rate-limit direction { downlink | uplink } [ qci qci_val ]

no

Disables the QoS data rate limit configuration for the subscriber.

downlink

Applies the specified limits and actions to the downlink (to the data coming from the GGSN over the Gn’ interface).

uplink

Applies the specified limits and actions to the uplink (to the data coming from the UE over the IPSec tunnel).

IMPORTANT:

If this keyword is omitted, the same values are used for all classes.

qci qci_val

qci_val is the QoS Class Identifier (QCI) for which the negotiate limit is being set, expressed as an integer from 1 through 9. If no qci_val is configured, it is taken as undefined-qci (same as undefined-qos class).

burst-size { bytes | auto-readjust [ duration dur ] }

Default: See the Usage section for this command

The burst size allowed (in bytes) for peak data rate and committed data rate.

bytes must be an integer from 1 through 6000000.

IMPORTANT:

The minimum value of this parameter should be configured to the greater of the following two values: 1) three times greater than the packet MTU for the subscriber connection, OR 2) three seconds worth of token accumulation within the “bucket” for the configured peak-data-rate. If the committed-data-rate parameter is specified, the burst-size is applied to both the committed and peak rates.

auto-readjust [ duration dur ] provides the option to calculate the burst size dynamically while configuring rate-limit. When enabled, the system calculates the burst size using the GGSN QoS-negotiated rate that will be enforced.

Every time there is a change in the rates (due to an updated QoS), the burst sizes will be updated accordingly.

This keyword also provides two different burst sizes. One burst size for peak rate and another for committed rate.

By default this keyword is disabled.

duration dur specifies the duration of burst in seconds. If the duration is not specified, the default is 1 second. dur must be an integer from 1 through 30.

exceed-action { drop | lower-ip-precedence | transmit }

Default: See the Usage section for this command

Specifies the action to take on packets that exceed the committed-data-rate but do not violate the peak-data-rate. The following actions are supported:
  • drop: Drops the packets.
  • lower-ip-precedence: Transmits the packets after lowering the ip-precedence.
  • transmit: Transmits the packets.
violate-action { drop | lower-ip-precedence | transmit }

Default: See the Usage section for this command

Specifies the action to take on packets that exceed both the committed-data-rate and the peak-data-rate. The following actions are supported:
  • drop: Drops the packets.
  • lower-ip-precedence: Transmits the packets after lowering the IP precedence.
  • transmit: Transmits the packet after lowering the IP precedence.

shape [transmit-when-buffer-full]: Enables traffic shaping and buffers user packets when subscriber traffic violates the allowed peak/committed data rate. The [transmit-when-buffer-full] keyword allows the packets to be transmitted when buffer memory is full.

transmit: Transmits the packet

Usage

This command configures APN quality of service (QoS) data rate shaping through traffic policing. This command specifies the actions to take on subscriber flows exceeding or violating allowed peak or committed data rates. The shaping function also provides an enhanced function to buffer the excessive user packets and send them to the subscriber when subscriber traffic drops below the committed or peak data rate limit.

IMPORTANT:

The buffering of user packets in traffic shaping does not apply for real-time traffic.

IMPORTANT:

If the exceed/violate action is set to “lower-ip-precedence”, this command may override the configuration of the ip qos-dscp command in the GGSN service Configuration mode for packets from the GGSN to the PDG/TTG. In addition, the GGSN service ip qos-dscp command configuration can override the APN setting for packets from the GGSN to the Internet. Therefore, it is recommended that this command not be used in conjunction with this action.

The command can be entered multiple times to specify different combinations of direction and class. If this command is not configured at all, the GGSN does not perform traffic policing or QoS negotiation with the PDG/TTG; it accepts all of the PDG/TTG-provided values for the PDP context.

IMPORTANT:

This command should be used in conjunction with the max-contexts command to limit the maximum possible bandwidth consumption by the APN.

For additional information on QoS traffic shaping and policing, see the System Administration Guide.

Default Values

The following table displays the default values for each of the traffic classes:

Class | Direction | Traffic | Peak Data Rate (in bps) | Committed Data Rate (in bps) | Exceed Action | Violate Action
Conversational | Downlink | Disabled | 16000000 | 16000000 | lower-ip-precedence | drop
Conversational | Uplink | Disabled | 8640000 | 8640000 | lower-ip-precedence | drop
Streaming | Downlink | Disabled | 16000000 | 16000000 | lower-ip-precedence | drop
Streaming | Uplink | Disabled | 8640000 | 8640000 | lower-ip-precedence | drop
Interactive, Traffic Handling Priority: 1 | Downlink | Disabled | 16000000 | n/a | n/a | drop
Interactive, Traffic Handling Priority: 1 | Uplink | Disabled | 8640000 | n/a | n/a | drop
Interactive, Traffic Handling Priority: 2 | Downlink | Disabled | 16000000 | n/a | n/a | drop
Interactive, Traffic Handling Priority: 2 | Uplink | Disabled | 8640000 | n/a | n/a | drop
Interactive, Traffic Handling Priority: 3 | Downlink | Disabled | 16000000 | n/a | n/a | drop
Interactive, Traffic Handling Priority: 3 | Uplink | Disabled | 8640000 | n/a | n/a | drop
Background | Downlink | Disabled | 16000000 | n/a | n/a | drop
Background | Uplink | Disabled | 8640000 | n/a | n/a | drop



Usage

This command configures the APN quality of service (QoS) data rate shaping through traffic policing/shaping. This command specifies the actions to take on subscriber flows exceeding or violating allowed peak/committed data rates. The shaping function also provides an enhanced function to buffer the excessive user packets and send them to the subscriber when subscriber traffic drops below the committed or peak data rate limit.

IMPORTANT:

The buffering of user packets in traffic shaping does not apply for real-time traffic.

IMPORTANT:

If the exceed/violate action is set to “lower-ip-precedence”, this command may override the configuration of the ip qos-dscp command in the GGSN service configuration mode for packets from the GGSN to the SGSN. In addition, the GGSN service ip qos-dscp command configuration can override the APN setting for packets from the GGSN to the Internet. Therefore, it is recommended that this command not be used in conjunction with this action.

The command can be entered multiple times to specify different combinations of direction and class. If this command is not configured at all, the GGSN does not perform traffic policing or QoS negotiation with the SGSN (i.e. it accepts all of the SGSN-provided values for the PDP context).

IMPORTANT:

This command should be used in conjunction with the max-contexts command to limit the maximum possible bandwidth consumption by the APN.

Default Values:

To calculate the burst size dynamically, the optional keyword auto-readjust [ duration dur ] is provided with the burst-size keyword. By default, the burst size is fixed if defined in bytes with this command. In other words, irrespective of the rate being enforced, the burst size is fixed as given in the burst-size bytes parameter.

Where a variable burst size is needed depending on the rate being enforced, the auto-readjust [ duration dur ] keyword is provided. Use of this keyword enables the calculation of the burst size per the token bucket algorithm as T=B/R, where T is the time interval, B is the burst size, and R is the rate being enforced.

It also provides different burst sizes for peak and committed data rate-limiting.

If the auto-readjust keyword is not used, a fixed burst size must be defined, which applies to both the peak data rate and the committed data rate irrespective of the rate being enforced.

If the auto-readjust keyword is provided without specifying the duration, a default duration of 1 second is used for the burst size calculation.


Example:
The following command lowers the IP precedence when the committed-data-rate and the peak-data-rate are violated in uplink direction:
qos rate-limit direction uplink violate-action lower-ip-precedence
The following command buffers the excess user packets when the subscriber traffic violates the configured peak or committed data-rate bps in uplink direction. Once the peak/committed data rate for that subscriber goes below the configured limit, it transmits them. It also transmits them if buffer memory is full:
qos rate-limit direction uplink violate-action shape transmit-when-buffer-full

qos traffic-police

Enables and configures traffic policing through bandwidth limitations and action for the subscriber traffic if it exceeds or violates the peak or committed data rate. Uplink and downlink limits are configured separately.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN, ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
qos traffic-police direction { downlink | uplink } [ burst-size bytes ] [ committed-data-rate bps ] [ exceed-action { drop | lower-ip-precedence | transmit } ] [ peak-data-rate bps ] [ violate-action { drop | lower-ip-precedence | transmit } ]
no qos traffic-police direction { downlink | uplink }
downlink

Applies the specified limits and actions to the downlink (data to the subscriber).

uplink

Applies the specified limits and actions to the uplink (data from the subscriber).

burst-size bytes

Default: 3000

Specifies the allowed peak burst size in bytes.

bytes must be an integer from 0 through 4294967295.

IMPORTANT:

This parameter should be configured to at least the greater of the following two values: 1) three times greater than packet MTU for the subscriber connection, OR 2) three seconds worth of token accumulation within the “bucket” for the configured peak-data-rate.

committed-data-rate bps

Default: 144000

Specifies the committed data rate (guaranteed-data-rate) in bits per second (bps).

bps must be an integer from 0 through 4294967295.

exceed-action { drop | lower-ip-precedence | transmit }

Default: lower-ip-precedence

Specifies the action to take on packets that exceed the committed-data-rate but do not violate the peak-data-rate. The following actions are supported:

drop: Drops the packet

lower-ip-precedence: Transmits the packet after lowering the ip-precedence

transmit: Transmits the packet

peak-data-rate bps

Default: 256000

Specifies the peak data-rate for the subscriber in bits per second (bps).

bps must be an integer from 0 through 4294967295.

violate-action { drop | lower-ip-precedence | transmit }

Default: drop

Specifies the action to take on packets that exceed both the committed-data-rate and the peak-data-rate. The following actions are supported:

drop: Drops the packet

lower-ip-precedence: Transmits the packet after lowering the IP precedence

transmit: Transmits the packet

no

Disables traffic policing in the specified direction for the current subscriber.


Usage:

Use this command to limit the bandwidth a subscriber uses in the uplink and downlink directions.

IMPORTANT:

If the exceed/violate action is set to “lower-ip-precedence”, the TOS value for the outer packet becomes “best effort” for packets that exceed/violate the traffic limits regardless of what the ip user-datagram-tos copy command is configured to. In addition, the “lower-ip-precedence” option may also override the configuration of the ip qos-dscp command. Therefore, it is recommended that this command not be used when specifying this option.

Details on the QoS traffic policing can be found in the System Administration Guide.
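Added example, not part of the Cisco reference: a Python model of the burst-size guidance and of the exceed/violate classification described for this command. The bits-to-bytes conversion, the 1500-byte MTU, the reading of "three times greater than" as 3 x MTU, and the two-bucket logic (a generic two-rate token bucket, not the ASR 5000 implementation) are assumptions.

```python
from dataclasses import dataclass, field

BURST_MAX = 4294967295  # upper bound for "burst-size bytes" in qos traffic-police


def min_burst_size(peak_bps, mtu_bytes):
    """Recommended floor for burst-size: the greater of 3 x MTU and three
    seconds of token accumulation at peak-data-rate.
    Assumption: tokens are counted in bytes, so the bps rate is divided by 8."""
    return max(3 * mtu_bytes, 3 * peak_bps // 8)


def auto_readjust_burst(rate_bps, duration_s=1):
    """Burst size from T = B / R, i.e. B = R * T (qos rate-limit auto-readjust).
    duration must be 1..30 seconds; the division by 8 is an assumption."""
    if not 1 <= duration_s <= 30:
        raise ValueError("duration must be an integer from 1 through 30")
    return rate_bps * duration_s // 8


@dataclass
class TwoRatePolicer:
    """Generic two-rate token-bucket model (assumption, not vendor code).
    Field defaults are the qos traffic-police defaults listed on this page."""
    committed_bps: int = 144000
    peak_bps: int = 256000
    burst_bytes: int = 3000          # one burst size applied to both buckets
    exceed_action: str = "lower-ip-precedence"
    violate_action: str = "drop"
    _tc: float = field(init=False, default=0.0)   # committed-rate tokens
    _tp: float = field(init=False, default=0.0)   # peak-rate tokens
    _last: float = field(init=False, default=0.0)

    def __post_init__(self):
        if not 0 <= self.burst_bytes <= BURST_MAX:
            raise ValueError("burst-size out of range")
        self._tc = self._tp = float(self.burst_bytes)

    def offer(self, now, size):
        """Classify one packet of `size` bytes arriving at time `now` (seconds)."""
        elapsed = now - self._last
        self._last = now
        # Refill both buckets, capped at the configured burst size.
        self._tc = min(self.burst_bytes, self._tc + elapsed * self.committed_bps / 8)
        self._tp = min(self.burst_bytes, self._tp + elapsed * self.peak_bps / 8)
        if size > self._tp:
            return self.violate_action      # exceeds committed and peak
        self._tp -= size
        if size > self._tc:
            return self.exceed_action       # exceeds committed, within peak
        self._tc -= size
        return "transmit"                   # conforms to both rates


def police(policer, packets):
    """Run (time, size) pairs through the policer and return the decisions."""
    return [policer.offer(t, size) for t, size in packets]


def burst_is_undersized(policer, mtu_bytes):
    """True when the configured burst size is below the recommended floor."""
    return policer.burst_bytes < min_burst_size(policer.peak_bps, mtu_bytes)


# Constructed sample traffic: four back-to-back 1000-byte packets, then one
# more 1/32 s later (enough peak tokens, not enough committed tokens).
SAMPLE_PACKETS = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000), (0.03125, 1000)]

if __name__ == "__main__":
    default = TwoRatePolicer()
    print("recommended floor:", min_burst_size(default.peak_bps, 1500))
    print("default undersized:", burst_is_undersized(default, 1500))
    print("decisions:", police(default, SAMPLE_PACKETS))
```

With the default burst-size of 3000 and the default peak-data-rate of 256000, the model reports the burst size as below the recommended floor, and the fourth back-to-back packet is already handled by the violate action.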


Example:
The following command sets an uplink peak data rate of 128000 bps and lowers the IP precedence when the committed-data-rate and the peak-data-rate are exceeded:
qos traffic-police direction uplink peak-data-rate 128000 violate-action lower-ip-precedence
The following command sets a downlink peak data rate of 256000 bps and drops packets when the committed-data-rate and the peak-data-rate are exceeded:
qos traffic-police direction downlink peak-data-rate 256000 violate-action drop

qos traffic-shape

Enables and configures traffic shaping functionality when buffering the data packets during congestion or when the subscriber exceeds the configured peak or committed data rate limit. The system buffers the data packets during an instantaneous burst and delivers them to the subscriber when traffic flow drops below the peak or committed data rate. Uplink and downlink traffic shaping are configured separately.

IMPORTANT:

This feature is NOT supported for real-time traffic.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN, ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
qos traffic-shape direction { downlink | uplink } [ burst-size bytes ] [ committed-data-rate bps ] [ exceed-action { drop | lower-ip-precedence | transmit } ] [ peak-data-rate bps ] [ violate-action { drop | lower-ip-precedence | buffer [ transmit-when-buffer-full ] | transmit } ] +
no qos traffic-shape direction { downlink | uplink }
downlink

Applies the specified limits and actions to the downlink (data to the subscriber).

uplink

Applies the specified limits and actions to the uplink (data from the subscriber).

burst-size bytes

Default: 3000

Specifies the allowed peak burst size in bytes.

bytes must be an integer from 0 through 4294967295.

IMPORTANT:

It is recommended that this parameter be configured to at least the greater of the following two values: 1) three times greater than packet MTU for the subscriber connection, OR 2) three seconds worth of token accumulation within the “bucket” for the configured peak-data-rate.

committed-data-rate bps

Default: 144000

Specifies the committed data rate (guaranteed-data-rate) in bits per second (bps).

bps must be an integer from 0 through 4294967295.

exceed-action { drop | lower-ip-precedence | transmit }

Default: lower-ip-precedence

Specifies the action to take on packets that exceed the committed-data-rate but do not violate the peak-data-rate. The following actions are supported:

drop: Drops the packet

lower-ip-precedence: Transmits the packet after lowering the ip-precedence

transmit: Transmits the packet

peak-data-rate bps

Default: 256000

Specifies the peak data-rate for the subscriber in bits per second (bps).

bps must be an integer from 0 through 4294967295.

violate-action { drop | lower-ip-precedence | buffer [transmit-when-buffer-full] | transmit }

Default: See the Usage section for this command

The action to take on the packets that exceed both the committed-data-rate and the peak-data-rate. The following actions are supported:

drop: Drops the packet

lower-ip-precedence: Transmits the packet after lowering the IP precedence

buffer [transmit-when-buffer-full]: Enables traffic shaping and buffers user packets when subscriber traffic violates the allowed peak/committed data rate. The [transmit-when-buffer-full] keyword allows the packet to be transmitted when buffer memory is full.

transmit: Transmits the packet

+

More than one of the above keywords can be entered within a single command.

no

Disables traffic policing for the specified direction for the current subscriber.


Usage:

Use this command to provide the traffic shaping function to a subscriber in the uplink and downlink directions. This feature provides traffic flow control that differs from QoS traffic policing. When a subscriber violates or exceeds the peak data rate, instead of dropping the packets as in QoS traffic policing, this feature buffers subscriber data packets and sends the buffered data when the traffic flow is low or not in a congestion state.

IMPORTANT:

If the exceed or violate action is set to “lower-ip-precedence”, the TOS value for the outer packet becomes “best effort” for packets that exceed or violate the traffic limits regardless of how the ip user-datagram-tos copy command is configured. In addition, the “lower-ip-precedence” option may also override the configuration of the ip qos-dscp command. Therefore, this command should not be used when specifying this option.

Details on the QoS traffic policing functionality are located in the System Administration Guide.


Example:
The following command sets an uplink peak data rate of 128000 bps and lowers the IP precedence when the committed-data-rate and the peak-data-rate are exceeded:
qos traffic-shape direction uplink peak-data-rate 128000 violate-action lower-ip-precedence
The following command buffers the excess user packets when the subscriber traffic violates the configured peak-data-rate 256000 bps in downlink direction. Once the peak/committed data rate for that subscriber goes below the configured limit, it transmits them. It also transmits them if buffer memory is full:
qos traffic-shape direction downlink peak-data-rate 256000 violate-action buffer transmit-when-buffer-full

radius accounting

Sets the RADIUS accounting parameters for the subscriber or domain. This command takes precedence over the similar Context Configuration command and is disabled by default.

Platform:

ASR 5000

Product:

All


Privilege:

Administrator


Syntax
radius accounting { interim { interval-timeout timeout | normal | suppress } | ip remote-address list-id list_id | mode { session-based | access-flow-based { none | auxillary-flows | all-flows | main-a10-only } } | start { normal | suppress } | stop { normal | suppress } }
no radius accounting { ip remote-address list-id list_id | interim [ interval-timeout ] }
interim { interval-timeout timeout | normal | suppress }

interval-timeout timeout: Indicates the time (in seconds) between updates to session counters (log file on RADIUS or AAA event log) during the session. timeout must be an integer from 50 to 40000000.

CAUTION:

Interim interval settings received from the RADIUS server take precedence over this setting on the system. While the low limit of this setting on the system is a minimum of 50 seconds, the low limit setting on the RADIUS server can be as little as 1 second. To avoid increasing network traffic unnecessarily and potentially reducing network and system performance, do not set this parameter to a value less than 50 on the RADIUS server.

normal: If RADIUS accounting is enabled, sends this Acct-Status-Type message when required by normal operation.

suppress: If RADIUS accounting is enabled, suppresses the sending of this Acct-Status-Type message.

ip remote-address list-id list_id

Specifies the identification number of the IP address list to use for the subscriber for remote address-based accounting.

list_id: Specifies the RADIUS accounting remote IP address list identifier for remote-address accounting for the subscriber. list_id must be an integer from 1 through 65535.

This command is used as part of the Remote Address-based accounting feature and associates the subscriber with a list of remote addresses. Remote address accounting data is collected each time the subscriber communicates with any of the addresses specified in the list.

Remote address lists are configured using the list keyword in the radius accounting ip remote-address command in the Context Configuration mode.

mode { session-based | access-flow-based { none | auxillary-flows | all-flows | main-a10-only } }

Default: session-based

Specifies whether the RADIUS accounting mode is session-based or access-flow-based.

session-based: Configures session-based RADIUS accounting behavior for the subscriber, which means a single RADIUS accounting message is generated for the subscriber session rather than separate accounting messages for individual A10 connections or flows.

access-flow-based: Configures access-flow-based RADIUS accounting behavior for the subscriber. This offers flexibility by generating separate accounting messages for flows and A10 sessions.
  • all-flows: Generates separate RADIUS accounting messages per access flow. Separate accounting messages are not generated for data path connections. (For example, separate messages are not sent for the main A10 or auxiliary connections.)
  • auxillary-flows: Generates RADIUS accounting records for the main data path connection and for access-flows for all auxiliary data connections. (For example, separate RADIUS accounting messages are generated for the main A10 session and for access-flows within auxiliary A10 connections. The main A10 session accounting does not include octets or other accounting information from the auxiliary flows.)
  • main-a10-only: Configures access-flow-based accounting so that single accounting messages (for example, only a single start/interim/stop) are generated for the main A-10 flows only.
  • none: Generates separate RADIUS accounting messages for all data path connections (for example, PDSN main or auxiliary A10 connections) but not for individual access-flows. This is essentially A10 connection-based accounting.
start { normal | suppress }

normal: If RADIUS accounting is enabled, sends this Acct-Status-Type message when required by normal operation.

suppress: If RADIUS accounting is enabled, suppresses the sending of this Acct-Status-Type message.

stop { normal | suppress }

normal: If RADIUS accounting is enabled, sends this Acct-Status-Type message when required by normal operation.

suppress: If RADIUS accounting is enabled, suppresses the sending of this Acct-Status-Type message.

no

ip remote-address list-id list_id: Deletes the entry for the specified list_id.

interim [ interval-timeout ]: Disables the interim interval setting.


Usage:

Use this command to allow a per-domain setting for the RADIUS accounting.


Example:
Set the accounting interim interval to one minute (60 seconds) for all sessions that use the current subscriber configuration:
radius accounting interim interval-timeout 60
Do not send RADIUS interim accounting messages:
radius accounting interim suppress
Set the accounting message start normal for main A-10 flows only:
radius accounting mode main-a10-only start normal

radius group

Applies a RADIUS server group at the subscriber level for AAA functionality.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius group group_name
{ default | no } radius group
radius group_name

Specifies the name of the server group that is used for authentication and/or accounting for the specific subscriber. group_name must be an alphanumeric string of 1 through 63 characters. It must have been preconfigured within the same context as the subscriber.

default

Sets or restores the default RADIUS server group specified at the context level or in the default subscriber profile.

no

Disables the applied RADIUS group for the specific subscriber.


Usage:

This feature provides the RADIUS configurables under the radius group node. Instead of having a single list of servers per context, this feature configures multiple server groups within a context and applies an individual RADIUS server group to a subscriber in that context. Each server group consists of a list of AAA servers.

If no RADIUS group is applied for this subscriber or the default subscriber profile, the default server group available at context level is used for accounting and authentication of the subscriber.


Example:
The following command applies a previously configured RADIUS server group named star1 to a subscriber within the specific context:
radius group star1
The following command disables the applied RADIUS server group for the specific subscriber:
no radius group

radius returned-framed-ip-address

Sets the policy whether or not to reject a call when the RADIUS server supplies 255.255.255.255 as the framed IP address and the MS does not supply an address.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
radius returned-framed-ip-address 255.255.255.255-policy { accept-call-when-ms-ip-not-supplied | reject-call-when-ms-ip-not-supplied }
default radius returned-framed-ip-address 255.255.255.255-policy
accept-call-when-ms-ip-not-supplied

Accepts calls when the RADIUS server does not supply a framed IP address and the MS does not supply an address.

reject-call-when-ms-ip-not-supplied

Rejects calls when the RADIUS server does not supply a framed IP address and the MS does not supply an address.

default

Sets the policy to its default of rejecting calls when the RADIUS server does not supply a framed IP address and the MS does not supply an address.


Usage:

Use this command to set the behavior for the current subscriber when the RADIUS server supplies 255.255.255.255 as the framed IP address and the MS does not supply an address.


Example:
The following command sets the subscriber profile to reject calls when the RADIUS server does not supply a framed IP address and the MS does not supply an address:
radius returned-framed-ip-address 255.255.255.255-policy reject-call-when-ms-ip-not-supplied

rohc-profile-name

Identifies the robust header compression (RoHC) profile configuration that will be applied to bearer sessions belonging to this subscriber.

Platform:

ASR 5000

Product:

HSGW, PDSN


Privilege:

Administrator


Syntax
rohc-profile-name name
name

Specifies the name of the RoHC profile that the system will use to apply header compression and decompression parameters to bearer session data for this subscriber. name must be an existing RoHC profile expressed as an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify a RoHC configuration profile to be applied to bearer sessions belonging to this subscriber. RoHC profiles are configured through the Global Configuration Mode using the rohc-profile command.


Example:
The following command specifies that the RoHC profile named rohc-cfg1 is to be applied to all bearer sessions belonging to this subscriber:
rohc-profile-name rohc-cfg1

secondary ip pool

Specifies a secondary IP pool to be used as backup pool for Network Address Translation (NAT).

IMPORTANT:

This command requires the purchase and installation of a license. Please contact your Cisco sales representative for more information.

Platform:

ASR 5000

Product:

NAT


Privilege:

Security Administrator, Administrator


Syntax
secondary ip pool pool_name
no secondary ip pool
no

Removes the previous secondary IP pool configuration.

secondary ip pool pool_name

Specifies the secondary IP pool name.

pool_name must be an alphanumeric string of 1 through 31 characters.


Usage:

Use this command to configure a secondary IP pool for NAT subscribers, which is not overwritten by the RADIUS supplied list. The secondary pool will be appended to the RADIUS supplied IP pool list or subscriber template provided IP pool list, as applicable, during call setup.


Example:
The following command configures a secondary IP pool named test123:
secondary ip pool test123

simultaneous

Enables or disables the simultaneous use of both Mobile and Simple IP services.

Platform:

ASR 5000

Product:

PDSN, FA, HA, ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] simultaneous simple-and-mobile-ip
no

Disables the simultaneous use.


Usage:

Subscribers with mobile devices that concurrently support mobile and simple IP services require this option to be set.


Example:
no simultaneous simple-and-mobile-ip
simultaneous simple-and-mobile-ip

timeout

Configures the subscriber session timeouts.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
timeout { absolute | idle } seconds
no timeout [ absolute | idle ]
timeout absolute

Default: 0

Specifies the absolute maximum time a session may exist (in seconds) in any state (active or dormant).

timeout idle

Default: 0

Specifies the maximum duration of the session (in seconds) before the system automatically terminates the session due to inactivity.

seconds

Specifies the maximum amount of time (in seconds) before the specified timeout action is activated. seconds must be an integer from 0 through 4294967295. The special value 0 disables the timeout specified.

no

Indicates the timeout specified is to be returned to its default behavior. If a timeout value is not specified, all timeouts are set to their default values.


Usage:

Reduce the idle timeout to free session resources faster for use by new requests.


Example:
timeout absolute 18000
no timeout

timeout long-duration

Configures the long duration timeout and optionally the inactivity duration of HA subscriber session.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
timeout long-duration ldt_timeout [ inactivity-time inact_timeout ]
[ no | default ] timeout long-duration
no

Indicates the timeout specified is to be returned to its default behavior. If no specific timeout is specified then all are set to their default behavior.

long-duration ldt_timeout

Default: 0

Designates the maximum duration of the session (in seconds) before the system automatically reports/terminates the session.

ldt_timeout must be a value in the range from 0 through 4294967295. The special value 0 disables the timer.

inactivity-time inact_timeout

Specifies the maximum amount of time (in seconds) before the specified session is marked as dormant.

inact_timeout must be a value in the range from 0 through 4294967295. The special value 0 disables the inactivity time specified.


Usage:

Use this command to set the long duration timeout period and inactivity timer for subscriber sessions. Reduce the idle timeout to free session resources faster for use by new requests.

Refer to the long-duration-action detection and long-duration-action disconnection commands for more information.


Example:
The following command sets the long duration timeout duration to 300 seconds and inactivity timer for subscriber session to 45 seconds:
timeout long-duration 300 inactivity-time 45

tpo policy

Specifies the Traffic Performance Optimization (TPO) policy for subscribers.

Platform:

ASR 5000

Product:

TPO


Privilege:

Security Administrator, Administrator


Syntax
tpo policy tpo_policy_name
{ default | no } tpo policy
default

Configures the default setting.

Default: Use the default TPO policy configured in the rulebase.

no

Deletes TPO policy from the subscriber configuration.

tpo policy tpo_policy_name

Specifies the name of the TPO policy as an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify the TPO policy for the subscriber template.


Example:
The following command specifies to use the TPO policy named tpo_policy_110:
tpo policy tpo_policy_110

tunnel address-policy

Specifies the policy for address allocation and validation for all tunneled calls (IP-IP, IP-GRE) except L2TP calls. With this command enabled, GGSN IP address validation could be disabled for specified incoming calls.

For GGSN systems, this command can also be specified in the APN Configuration mode (tunnel address-policy) which would mean the system defers to the old l3-to-l2-tunnel address policy command for calls coming through L2TP tunnels.

Platform:

ASR 5000

Product:

PDSN, GGSN


Privilege:

Security Administrator, Administrator


Syntax
tunnel address-policy { alloc-only | alloc-validate | no-alloc-validate }
default tunnel address-policy
alloc-only

Allocates IP addresses locally without validation.

alloc-validate

Default.

The VPN Manager allocates and validates all incoming IP addresses from a static pool of IP addresses.

no-alloc-validate

No IP address assignment or validation is done for calls coming in via L3 tunnels. Incoming static IP addresses are passed. This option allows for the greatest flexibility.

default

Resets the tunnel address-policy to alloc-validate.


Usage:

This command supports scalable solutions for Corporate APN deployment as many corporations handle their own IP address assignments. In some cases this is done to relieve the customer or the mobile operators from the necessity of reconfiguring the range of IP addresses for the IP pools at the GGSN.


Example:
The following command resets the IP address validation policy to validate against a static pool of addresses:
default tunnel address-policy
The following command disables IP address validation for calls coming through tunnels:
tunnel address-policy no-alloc-validate

tunnel ipip

Configures IP-in-IP tunnelling parameters for the current subscriber.

Platform:

ASR 5000

Product:

PDSN, GGSN


Privilege:

Security Administrator, Administrator


Syntax
tunnel ipip peer-address peer_address local-address local_addr ]
no tunnel ipip
peer-address peer_address

Specifies the IP address of the external gateway terminating the IP-in-IP tunnel.

local-address local_addr

Specifies the IP address of the interface in the destination context originating the IP-in-IP tunnel.

no

Disables IP-in-IP tunneling for the current subscriber.


Usage:

Subscriber IP payloads are encapsulated with IP-in-IP headers and tunneled by the GGSN or PDSN to an external gateway.


Example:
The following command configures the system to encapsulate subscriber traffic using IP-in-IP and tunnel it from a local address of 192.168.1.100 to a gateway with an IP address of 192.168.1.225:
tunnel ipip peer-address 192.168.1.225 local-address 192.168.1.100 preference 1
tunnel ipsec

Configures sessions for the current subscriber to use an IPSec tunnel based on the IP pool corresponding to the subscriber’s assigned IP address.

Platform:

ASR 5000

Product:

PDSN, GGSN


Privilege:

Security Administrator, Administrator


Syntax
tunnel ipsec use-policy-matching-ip-pooler-address
no tunnel ipsec use-policy-matching-ip-pooler-address
no

Disables the use of the IPSec policy that matches the IP pool that the assigned IP address relates to.


Usage:

Use this command to set the current subscriber's sessions to use the IPSec policy that is assigned to the IP pool that the subscriber's assigned IP address relates to.


Example:
The following command enables the use of the policy that matches the IP pool address:
tunnel ipsec use-policy-matching-ip-pooler-address
tunnel l2tp

Configures L2TP tunnel parameters for the subscriber.

Platform:

ASR 5000

Product:

All products supporting L2TP


Privilege:

Security Administrator, Administrator


Syntax
tunnel l2tp [ peer-address ip_address [ [ encrypted ] [ secret secret ] ] [ preference number ] [ tunnel-context context ] [ local-address ip_address ] [ crypto-map map_name { [ encrypted ] isakmp-secret secret } ] ]
no tunnel l2tp [ peer-address ip_address ]
peer-address ip_address

A peer L2TP Network Server (LNS) associated with this LAC (L2TP Access Concentrator). ip_address must be an IP address entered using IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal format.

[ encrypted ] secret secret

Specifies the shared key (secret) between this LAC (L2TP Access Concentrator) and its associated L2TP Network Server (LNS). secret must be an alphanumeric string of 1 through 63 characters that is case sensitive.

encrypted: Specifies the encrypted shared key between this LAC (L2TP Access Concentrator) and its associated L2TP Network Server (LNS). secret must be an alphanumeric string of 1 through 128 characters that is case sensitive.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret. Only the encrypted secret is saved as part of the configuration file.

preference number

Default: 1

Specifies the order in which a group of tunnels configured for this subscriber will be tried. number must be an integer from 1 through 65535.

tunnel-context context

Specifies the name of the context containing ports through which this subscriber’s data traffic is to be communicated between this LAC and the LNS. context must be an alphanumeric string of 1 through 79 characters.

local-address ip_address

Specifies a LAC service bind address which is given as a hint that is used to select a particular LAC service. ip_address must be an IP address entered using IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

crypto-map map_name { [encrypted] isakmp-secret secret }

Specifies the name of a crypto map that has been configured in the current context. map_name must be an alphanumeric string of 1 through 127 characters.

isakmp-secret secret: Specifies the pre-shared key for the Internet Key Exchange (IKE). secret must be an alphanumeric string of 1 through 127 characters.

encrypted isakmp-secret secret: Specifies the pre-shared key for IKE. Encryption must be used when sending the key. secret must be an alphanumeric string of 1 through 127 characters.

no

Disables tunneling for the current subscriber. When peer-address is included, the tunneling for that specific L2TP Network Server (LNS) is disabled but tunneling to other configured LNSs is still enabled.


Usage:

Use this command to configure specific L2TP tunneling parameters for the current subscriber.


Example:
To specify L2TP tunneling to the LNS peer at the IP address 198.162.10.100 with a shared secret of bigco and preference of 1, enter the following command:
tunnel l2tp peer-address 198.162.10.100 secret bigco preference 1
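
The following audit script is an added example, not part of the original command reference or of the product. It scans saved subscriber configuration text for the two settings described above that a reviewer would want to see: a tunnel address-policy that skips validation (alloc-only, no-alloc-validate) and an L2TP secret or isakmp-secret that appears without the encrypted keyword. The sample configuration, the subscriber names and the encrypted value are constructed, and the "subscriber" lines are an assumed way of marking where each subscriber's settings begin.

```python
import re

# Constructed sample, not from a real system. The "subscriber name" lines are an
# assumed way of marking where each subscriber's settings begin.
SAMPLE_CONFIG = """\
subscriber name corp-apn-user
  tunnel address-policy no-alloc-validate
  tunnel l2tp peer-address 198.162.10.100 secret bigco preference 1
  tunnel l2tp peer-address 198.162.10.101 encrypted secret 5c4a38dc2ff61f72 preference 2
  tunnel l2tp peer-address 198.162.10.102 crypto-map lns-map isakmp-secret ikekey1
subscriber name retail-user
  tunnel address-policy alloc-validate
"""

# Address-policy options that this page describes as skipping validation.
UNVALIDATED = {
    "alloc-only": "addresses allocated locally without validation",
    "no-alloc-validate": "no allocation or validation; incoming static addresses passed",
}
# A secret keyword, optionally preceded by the "encrypted" flag.
SECRET_RE = re.compile(r"(?<![\w-])(?:(encrypted)\s+)?(isakmp-secret|secret)\s+\S+")


def audit(config_text):
    """Return (line_number, subscriber, issue) tuples; secret values are never echoed."""
    findings, subscriber = [], None
    for number, raw in enumerate(config_text.splitlines(), start=1):
        words = raw.split()
        if words[:1] == ["subscriber"]:
            subscriber = " ".join(words[1:])
        elif words[:2] == ["tunnel", "address-policy"] and len(words) > 2:
            if words[2] in UNVALIDATED:
                findings.append((number, subscriber, f"address-policy {words[2]}: {UNVALIDATED[words[2]]}"))
        elif words[:2] == ["tunnel", "l2tp"]:
            for match in SECRET_RE.finditer(raw):
                if match.group(1) is None:
                    findings.append((number, subscriber, f"{match.group(2)} stored without the encrypted flag"))
    return findings


if __name__ == "__main__":
    for number, subscriber, issue in audit(SAMPLE_CONFIG):
        print(f"line {number} [{subscriber}]: {issue}")
```

A finding for an unencrypted secret usually points to a hand-written configuration script, since the page states that only the encrypted secret is saved as part of the configuration file.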