ACS Configuration Mode Commands

The ACS Configuration Mode is used to manage active charging service (ACS)/enhanced charging service (ECS) configurations. ACS provides flexible, differentiated, and detailed billing to subscribers through Layer 3 through Layer 7 packet inspection and the ability to integrate with back-end billing mediation systems.

IMPORTANT:

In this release only one active charging service can be configured in a system.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed (s).

access-ruledef

This command allows you to create/configure/delete access rule definitions (ruledefs).

IMPORTANT:

This command is available only in StarOS 8.1 and in StarOS 9.0 and later releases, and must be used to configure the Policy-based Stateful Firewall and NAT features.

Platform:

ASR 5000

Product:

NAT, FW


Privilege:

Security Administrator, Administrator


Syntax
access-ruledef access_ruledef_name [ -noconfirm ]
no access-ruledef access_ruledef_name

no

If previously configured, deletes the specified access ruledef.

access_ruledef_name

Specifies the access ruledef to add/configure/delete.

access_ruledef_name must be the name of an access ruledef, and must be an alphanumeric string of 1 through 63 characters, and can contain punctuation characters. Each access ruledef must have a unique name.

If the named access ruledef does not exist, it is created, and the CLI mode changes to the Firewall-and-NAT Access Ruledef Configuration Mode wherein the ruledef can be configured.

If the named access ruledef already exists, the CLI mode changes to the Firewall-and-NAT Access Ruledef Configuration Mode for that access ruledef.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete an access ruledef. A ruledef contains different conditions/criteria to permit, drop, or reject a packet/connection/traffic based on one or more parameters. The ruledef name must be unique within the service. Host pool, port map, IMSI pool, and access/firewall, routing, and charging ruledefs configured in the active charging service must all have unique names.

IMPORTANT:

An access ruledef can be referenced by multiple Stateful Firewall rulebases.

IMPORTANT:

Access ruledefs are different from ACS ruledefs.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-acs-fw-ruledef)#

Also see the Firewall-and-NAT Access Ruledef Configuration Mode Commands chapter.


Example:
The following command creates an access ruledef named ruledef1, and enters the Firewall-and-NAT Access Ruledef Configuration Mode:
access-ruledef ruledef1

bandwidth-policy

This command allows you to create/configure/delete bandwidth policies.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
bandwidth-policy bandwidth_policy_name [ -noconfirm ]
no bandwidth-policy bandwidth_policy_name

no

If previously configured, deletes the specified bandwidth policy from the active charging service.

bandwidth_policy_name

Specifies the bandwidth policy to add/configure/delete.

bandwidth_policy_name must be the name of a bandwidth policy, and must be an alphanumeric string of 1 through 63 characters. Each bandwidth policy must have a unique name.

If the named bandwidth policy does not exist, it is created, and the CLI mode changes to the ACS Bandwidth Policy Configuration Mode wherein the bandwidth policy can be configured.

If the named bandwidth policy already exists, the CLI mode changes to the ACS Bandwidth Policy Configuration Mode for that bandwidth policy.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete a bandwidth policy.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-bandwidth-policy)#

Also see the ACS Bandwidth Policy Configuration Mode Commands chapter.


Example:
The following command creates a bandwidth policy named test73, and enters the ACS Bandwidth Policy Configuration Mode:
bandwidth-policy test73

buffering-limit

This command allows you to configure packet buffering limits.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
buffering-limit { flow-max-packets flow_max_packets | subscriber-max-packets subscriber_max_packets }
{ default | no } buffering-limit { flow-max-packets | subscriber-max-packets }

default

Configures this command with its default setting.

Default: No limit, other than the maximum amount of available memory.

no

Disables the buffering limit configuration.

flow-max-packets flow_max_packets

Specifies the maximum number of packets that can be buffered per flow.

flow_max_packets must be an integer from 1 through 255.

subscriber-max-packets subscriber_max_packets

Specifies the maximum number of packets that can be buffered per subscriber.

subscriber_max_packets must be an integer from 1 through 255.


Usage:

Use this command to configure the limits for buffering packets sent by a subscriber while waiting for a response from the Diameter server. Packets need to be buffered for various reasons, such as waiting for Credit Control Authorization or waiting for the result of a content filtering rating request.


Example:
The following command sets the buffering limit per flow to 55:
buffering-limit flow-max-packets 55

charging-action

This command allows you to create/configure/delete ACS charging actions.

IMPORTANT:

A maximum of 2048 charging actions can be configured in the active charging service.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] charging-action charging_action_name [ -noconfirm ]

no

If previously configured, deletes the specified charging action from the active charging service.

charging_action_name

Specifies the charging action to add/configure/delete.

charging_action_name must be the name of a charging action, and must be an alphanumeric string of 1 through 63 characters and can contain punctuation characters. Each charging action must have a unique name.

If the named charging action does not exist, it is created, and the CLI mode changes to the ACS Charging Action Configuration Mode wherein the charging action can be configured.

If the named charging action already exists, the CLI mode changes to the ACS Charging Action Configuration Mode for that charging action.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete an ACS charging action.

A charging action represents actions to be taken when a configured rule is matched. Actions could range from generating an accounting record (for example, an EDR) to dropping the IP packet, etc. The charging action will also determine the metering principle—whether to count retransmitted packets and which protocol field to use for billing (L3/L4/L7 etc).

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-charging-action)#

Also see the ACS Charging Action Configuration Mode Commands chapter.


Example:
The following command creates a charging action named action123 and changes to the ACS Charging Action Configuration Mode:
charging-action action123

content-filtering category match-method

This command allows you to specify the match method to look up URLs in the Category-based Content Filtering database.

Platform:

ASR 5000

Product:

CF


Privilege:

Security Administrator, Administrator


Syntax
content-filtering category match-method { exact | generic }
default content-filtering category match-method

default

Configures this command with its default setting.

Default: generic

exact

Specifies the exact-match method, wherein URLs are rated only on exact match with URLs present in the Category-based Content Filtering database.

generic

Specifies the generic match method, wherein normalization, multi-lookups, and rollback algorithms are applied to URLs during look up. URLs are rated on generic match with URLs present in the Category-based Content Filtering database.


Usage:

Use this command to set the match method to look up URLs in the Category-based Content Filtering database.


Example:
The following command sets the exact-match method to look up URLs in the Category-based Content Filtering database:
content-filtering category match-method exact

content-filtering category policy-id

This command allows you to create/configure/delete Content Filtering Category Policies for Category-based Content Filtering support.

IMPORTANT:

A maximum of 64 Content Filtering Category Policies can be configured in the active charging service.

Platform:

ASR 5000

Product:

CF


Privilege:

Security Administrator, Administrator


Syntax
content-filtering category policy-id cf_policy_id [ description [ description_string ] ] [ -noconfirm ]
no content-filtering category policy-id cf_policy_id

no

If previously configured, deletes the specified Content Filtering Category Policy from the active charging service.

cf_policy_id

Specifies the Content Filtering Category Policy ID to add/configure/delete.

cf_policy_id must be an integer from 1 through 4294967295.

If the specified policy ID does not exist, it is created and the CLI mode changes to the Content Filtering Policy Configuration Mode, wherein the policy can be configured.

If the specified policy ID already exists, the CLI mode changes to the Content Filtering Policy Configuration Mode for that policy.

description [ description_string ]

Specifies a description for the Content Filtering Category Policy.

description_string must be an alphanumeric string of 1 through 31 characters.

Note that both description and description_string are optional.

“description description_string” saves description_string as the new description.

“description” removes the previously specified description.

This description is displayed in the output of the “show content-filtering category policy-id id id” and “show active-charging service name service_name” commands.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete a Content Filtering Category Policy.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-acs-content-filtering-policy)#

Also see the Content Filtering Policy Configuration Mode Commands chapter.


Example:
The following command creates a Content Filtering Policy with the ID 101, and enters the Content Filtering Policy Configuration Mode:
content-filtering category policy-id 101

credit-control

This command allows you to enable/disable Prepaid Credit Control Configuration Mode.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] credit-control [ group cc_group_name ]

no

Disables the specified Prepaid Credit Control Application configuration.

group cc_group_name

IMPORTANT:

This option is only available in StarOS 8.1 and later releases.

Specifies the credit control group to add/configure/delete.

cc_group_name must be the name of a credit control group, and must be an alphanumeric string of 1 through 63 characters. Each credit control group must have a unique name.

If the named credit control group does not exist, it is created, and the CLI mode changes to the Credit Control Configuration Mode, wherein the credit control group can be configured.

If the named credit control group already exists, the CLI mode changes to the Credit Control Configuration Mode for that credit control group.

Creating different credit control groups enables applying different credit control configurations (DCCA dictionary, failure-handling, session-failover, Diameter endpoint selection, etc.) to different subscribers on the same system.

Without credit control groups, only one credit control configuration is possible on a system. All the subscribers in the system will have to use the same configuration.


Usage:

Use this command to enable/disable Prepaid Credit Control Configuration for RADIUS/Diameter charging mode.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-dcca)#

Also see the Credit Control Configuration Mode Commands chapter.


Example:
The following command enables prepaid credit control accounting to use RADIUS and/or Diameter interface mode.
credit-control

diameter credit-control

This command has been deprecated, and is replaced by the credit-control command.

edr-format

This command allows you to create/configure/delete ACS Event Data Record (EDR) formats.

IMPORTANT:

A maximum of 256 EDR plus UDR formats can be configured in the active charging service.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
edr-format edr_format_name [ -noconfirm ]
no edr-format edr_format_name

no

If previously configured, deletes the specified EDR format from the active charging service.

edr_format_name

Specifies the EDR format to add/configure/delete.

edr_format_name must be an alphanumeric string of 1 through 63 characters. Each EDR format must have a unique name.

If the named EDR format does not exist, it is created, and the CLI mode changes to the EDR Format Configuration Mode wherein the EDR format can be configured.

If the named EDR format already exists, the CLI mode changes to the EDR Format Configuration Mode for that EDR format.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete an EDR format.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-acs-edr)#

Also see the EDR Format Configuration Mode Commands chapter.


Example:
The following command creates an EDR format named edr_format1, and enters the EDR Format Configuration Mode:
edr-format edr_format1

edr-udr-flow-control

This command allows you to enable/disable flow control between Session Managers (SessMgrs) and the CDRMOD process.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
edr-udr-flow-control [ unsent-queue-size unsent_queue_size ]
{ default | no } edr-udr-flow-control

no

If previously enabled, disables the flow control configuration.

default

Configures this command with its default setting.

Default: Flow control is enabled; unsent-queue-size: 375

unsent-queue-size unsent_queue_size

Specifies the flow control unsent queue size at Session Manager (SessMgr) level.

unsent_queue_size must be an integer from 1 through 2500.


Usage:

Use this command to enable Flow Control between SessMgr and the CDRMOD process, and configure the unsent queue size.


Example:
The following command enables Flow Control between SessMgrs and the CDRMOD process, and configures the unsent queue size to 1000:
edr-udr-flow-control unsent-queue-size 1000

end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

fair-usage deact-margin

This command allows you to configure the deactivate margin for the Fair Usage feature.

Platform:

ASR 5000

Product:

ACS, ADC, CF, FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
fair-usage deact-margin deactivate_margin
default fair-usage deact-margin

default

Configures this command with its default setting.

Default: 5 percent

deactivate_margin

Specifies that Fair Usage monitoring must be disabled when the instance-level credit usage goes deactivate_margin percentage below usage_threshold.

deactivate_margin is a percentage value, and must be an integer from 1 through 100.


Usage:

Use this command to configure when to disable the Fair Usage feature, which enables SessMgr instance-level load balancing for in-line service features, and resource usage control for subscribers. For additional information, refer to the feature description in the Enhanced Charging Service Administration Guide.


Example:
The following command configures the deactivate margin to disable Fair Usage monitoring to 10% below the session resource usage threshold (65%):
fair-usage deact-margin 10

fair-usage threshold-percent

This command allows you to configure the usage threshold to start Fair Usage monitoring.

Platform:

ASR 5000

Product:

ACS, ADC, CF, FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
fair-usage threshold-percent usage_threshold
default fair-usage threshold-percent

default

Configures this command with its default setting.

Default: 50 percent

usage_threshold

Specifies the threshold to start Fair Usage monitoring. Until the credit usage hits this threshold, all session resource allocation is allowed. On crossing this threshold, any new resource allocation request is evaluated before being allowed or denied.

usage_threshold is a percentage value, and must be an integer from 1 through 100.


Usage:

Use this command to configure the threshold to enable the Fair Usage feature, which enables SessMgr instance-level load balancing for in-line service features, and resource usage control for subscribers. For additional information, refer to the feature description in the Enhanced Charging Service Administration Guide.


Example:
The following command enables the Fair Usage feature, and configures the session resource usage threshold to start Fair Usage monitoring to 75%:
fair-usage threshold-percent 75

firewall flow-recovery

This command allows you to configure the Stateful Firewall’s Flow Recovery feature.

Platform:

ASR 5000

Product:

FW


Privilege:

Security Administrator, Administrator


Syntax
firewall flow-recovery { { downlink [ [ timeout timeout ] [ no-flow-creation ] + ] } | { uplink [ timeout timeout ] } }
{ default | no } firewall flow-recovery { downlink | uplink }

default

Configures this command with its default setting.

Default: Downlink and uplink flow recovery enabled, 300 seconds

no

Disables the flow recovery configuration.

downlink | uplink

Specifies the direction of the packets for which flow recovery is enabled:

  • downlink: Enables flow recovery for packets from the downlink direction.
  • uplink: Enables flow recovery for packets from the uplink direction.

timeout timeout

Specifies the Stateful Firewall Flow Recovery Timeout setting, in seconds.

timeout must be an integer from 1 through 86400.

Default: 300 seconds

no-flow-creation

Specifies that data session/flow-related information must not be created for downlink-initiated packets (from the Internet to the subscriber) while the firewall downlink flow-recovery timer is running; the packets are still sent to the subscriber.


Usage:

Use this command to configure the Stateful Firewall Flow Recovery feature.

IMPORTANT:

NAT flows will not be recovered.


Example:
The following command configures Stateful Firewall Flow Recovery for packets in downlink direction with a timeout setting of 600 seconds:
firewall flow-recovery downlink timeout 600

firewall max-ip-packet-size

In StarOS 8.1 and later releases, for Rulebase-based Stateful Firewall this command is available in the ACS Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the ACS Rulebase Configuration Mode.

firewall mime-flood

In StarOS 8.1 and later releases, for Rulebase-based Stateful Firewall this command is available in the ACS Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the ACS Rulebase Configuration Mode.

firewall nat-alg

This command enables/disables Network Address Translation (NAT) Application Level Gateways (ALGs).

Platform:

ASR 5000

Product:

NAT


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] firewall nat-alg { all | ftp | h323 | pptp | rtsp | sip }

default

Configures this command with the default setting for the specified parameter.

Default:

  • ftp: Enabled
  • h323: Enabled
  • pptp: Disabled
  • rtsp: Disabled
  • sip: Disabled

no

Disables all NAT ALGs or the specified NAT ALG configuration. When disabled, the ALG(s) will not do any payload translation for NATed calls.

all | ftp | h323 | pptp | rtsp | sip

Specifies the NAT ALG to enable/disable.

  • all: Enables/disables all of the following NAT ALGs.
  • ftp: Enables/disables File Transfer Protocol (FTP) NAT ALG.
  • h323: Enables/disables H323 NAT ALG.
  • pptp: Enables/disables Point-to-Point Tunneling Protocol (PPTP) NAT ALG.
  • rtsp: Enables/disables Real Time Streaming Protocol (RTSP) ALG.
  • sip: Enables/disables Session Initiation Protocol (SIP) NAT ALG.

Usage:

Use this command to enable/disable NAT ALGs.

To enable NAT ALG processing, in addition to this configuration, ensure that the routing rule for that particular protocol is added in the rulebase.


Example:
The following command enables FTP NAT ALG:
firewall nat-alg ftp
The following command disables FTP NAT ALG:
no firewall nat-alg ftp
The following command enables FTP NAT ALG, and disables H.323, PPTP, RTSP, and SIP NAT ALGs:
default firewall nat-alg all

firewall no-ruledef-matches

In StarOS 8.1 and later releases, this command is available in the ACS Rulebase Configuration Mode.

firewall port-scan

This command allows you to configure Stateful Firewall’s Port Scan Detection algorithm.

Platform:

ASR 5000

Product:

FW


Privilege:

Security Administrator, Administrator


Syntax
firewall port-scan { connection-attempt-success-percentage { non-scanner | scanner } percentage | inactivity-timeout inactivity_timeout | protocol { tcp | udp } response-timeout response_timeout | scanner-policy { block inactivity-timeout inactivity_timeout | log-only } }
default firewall port-scan { connection-attempt-success-percentage { non-scanner | scanner } | inactivity-timeout | protocol { tcp | udp } response-timeout | scanner-policy }

default

Configures this command with its default setting.

connection-attempt-success-percentage { non-scanner | scanner } percentage

Specifies the connection attempt success percentage:

  • non-scanner: Specifies the connection attempt success percentage for a non-scanner. percentage must be an integer from 60 through 99. Default: 70%
  • scanner: Specifies the connection attempt success percentage for a scanner. percentage must be an integer from 1 through 40. Default: 30%

inactivity-timeout inactivity_timeout

Specifies the port scan inactivity timeout period, in seconds.

inactivity_timeout must be an integer from 60 through 1800.

Default: 300 seconds

protocol { tcp | udp } response-timeout response_timeout

Specifies transport protocol and response-timeout period:

  • tcp: Specifies response timeout for TCP. response_timeout must be an integer from 3 through 30.
  • udp: Specifies response timeout for UDP. response_timeout must be an integer from 3 through 60.

Default: 3 seconds

scanner-policy { block inactivity-timeout inactivity_timeout | log-only }

Specifies how to treat packets from a source address that has been detected as a scanner:

  • block inactivity-timeout inactivity_timeout: Specifies blocking any subsequent traffic from the scanner. If the scanner is found to be inactive for the inactivity-timeout period, then the scanner is no longer blocked, and traffic is allowed. inactivity_timeout specifies the scanner inactivity timeout period, in seconds, and must be an integer from 1 through 4294967295.
  • log-only: Specifies logging scanner information without blocking scanner traffic.

Default: log-only


Usage:

Use this command to configure the Stateful Firewall Port Scan Detection algorithm enabled by the firewall dos-protection port-scan CLI command.

This protection tracks all uplink source addresses, and the packets they initiate towards all subscribers that have this protection enabled.
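As an added example (not part of the original command reference), the following Python audit reads the firewall port-scan lines of a saved configuration, checks each value against the ranges documented above, and reports the effective settings. The sample configuration is constructed, and the function and variable names are illustrative.

```python
"""Audit 'firewall port-scan' lines of a StarOS configuration (added example)."""

# Value ranges and defaults as documented in the parameter descriptions above.
# Each key is the tuple of keywords that precedes the value on the command line.
POLICY = ("scanner-policy",)
BLOCK = ("scanner-policy", "block", "inactivity-timeout")
RANGES = {
    ("connection-attempt-success-percentage", "non-scanner"): (60, 99),
    ("connection-attempt-success-percentage", "scanner"): (1, 40),
    ("inactivity-timeout",): (60, 1800),
    ("protocol", "tcp", "response-timeout"): (3, 30),
    ("protocol", "udp", "response-timeout"): (3, 60),
    BLOCK: (1, 4294967295),
}
DEFAULTS = {
    ("connection-attempt-success-percentage", "non-scanner"): 70,
    ("connection-attempt-success-percentage", "scanner"): 30,
    ("inactivity-timeout",): 300,
    ("protocol", "tcp", "response-timeout"): 3,
    ("protocol", "udp", "response-timeout"): 3,
    POLICY: "log-only",
}


def audit_port_scan(config_text):
    """Return (effective_settings, findings) for the port-scan configuration."""
    effective = dict(DEFAULTS)
    findings = []
    detection_enabled = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        # The algorithm only runs when this separate command is configured.
        if tokens[:3] == ["firewall", "dos-protection", "port-scan"]:
            detection_enabled = True
            continue
        is_default = tokens[:1] == ["default"]
        if is_default:
            tokens = tokens[1:]
        if tokens[:2] != ["firewall", "port-scan"]:
            continue  # not a port-scan line
        args = tuple(tokens[2:])
        if is_default:
            if args in DEFAULTS:
                effective[args] = DEFAULTS[args]
                if args == POLICY:
                    effective.pop(BLOCK, None)
            else:
                findings.append(f"line {lineno}: unrecognised default form: {raw.strip()}")
        elif args == POLICY + ("log-only",):
            effective[POLICY] = "log-only"
            effective.pop(BLOCK, None)
        elif args[:-1] in RANGES:
            low, high = RANGES[args[:-1]]
            value = args[-1]
            if not value.isdigit() or not low <= int(value) <= high:
                findings.append(
                    f"line {lineno}: {' '.join(args[:-1])} value {value!r} "
                    f"is outside the documented range {low}-{high}"
                )
                continue  # an invalid value leaves the previous setting in place
            effective[args[:-1]] = int(value)
            if args[:-1] == BLOCK:
                effective[POLICY] = "block"
        else:
            findings.append(f"line {lineno}: unrecognised port-scan form: {raw.strip()}")
    if effective[POLICY] == "log-only":
        findings.append("scanner-policy is log-only: detected scanners are logged, not blocked")
    if not detection_enabled:
        findings.append("'firewall dos-protection port-scan' not found: "
                        "port-scan settings have no effect until detection is enabled")
    return effective, findings


# Constructed sample input, not taken from a real system.
SAMPLE_CONFIG = """\
firewall port-scan inactivity-timeout 900
firewall port-scan protocol tcp response-timeout 45
firewall port-scan connection-attempt-success-percentage scanner 25
default firewall port-scan scanner-policy
"""

if __name__ == "__main__":
    settings, problems = audit_port_scan(SAMPLE_CONFIG)
    for key, value in settings.items():
        print(" ".join(key), "=", value)
    for problem in problems:
        print("FINDING:", problem)
```
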


Example:
The following command configures the Stateful Firewall Port Scan inactivity timeout setting to 900 seconds:
firewall port-scan inactivity-timeout 900

firewall ruledef

This command allows you to create/configure/delete Stateful Firewall ruledefs.

IMPORTANT:

This command is available only in StarOS 8.1. This command must be used to configure the Rulebase-based Stateful Firewall and NAT features.

Platform:

ASR 5000

Product:

FW


Privilege:

Security Administrator, Administrator


Syntax
firewall ruledef firewall_ruledef_name [ -noconfirm ]
no firewall ruledef firewall_ruledef_name

no

If previously configured, deletes the specified Stateful Firewall ruledef from the active charging service.

firewall_ruledef_name

Specifies the Stateful Firewall ruledef to add/configure/delete.

firewall_ruledef_name must be the name of a Stateful Firewall ruledef, and must be an alphanumeric string of 1 through 63 characters and can contain punctuation characters. Each ruledef must have a unique name.

If the named ruledef does not exist, it is created, and the CLI mode changes to the Firewall Ruledef Configuration Mode wherein the ruledef can be configured.

If the named Stateful Firewall ruledef already exists, the CLI mode changes to the Firewall Ruledef Configuration Mode for that ruledef.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete a Stateful Firewall ruledef. A Stateful Firewall ruledef contains different conditions to permit, drop, or reject a packet/connection/traffic based on one or more parameters. The ruledef name must be unique within the active charging service. Host pool, port map, IMSI pool, and Stateful Firewall, routing, and charging ruledefs must have unique names.

A Stateful Firewall ruledef can be referenced by multiple Stateful Firewall rulebases.

IMPORTANT:

The Stateful Firewall ruledefs are different from the ACS ruledefs.

Also see the Firewall-and-NAT Access Ruledef Configuration Mode Commands chapter.


Example:
The following command creates a Stateful Firewall ruledef named fw_ruledef1, and enters the Firewall Ruledef Configuration Mode:
firewall ruledef fw_ruledef1

firewall tcp-syn-flood-intercept

In StarOS 8.1 and later releases, for Rulebase-based Stateful Firewall this command is available in the ACS Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the ACS Rulebase Configuration Mode.

firewall track-list

This command allows you to configure the maximum number of server IP addresses to be tracked that are involved in any kind of denial-of-service (DoS) attacks.

Platform:

ASR 5000

Product:

FW


Privilege:

Security Administrator, Administrator


Syntax
firewall track-list attacking-servers no_of_servers
{ default | no } firewall track-list attacking-servers

default

Configures this command with its default setting.

Default: 10 servers

no

IMPORTANT:

This command variant is available only in StarOS 8.3 and later releases.

If previously configured, deletes the configuration from the active charging service.

attacking-servers no_of_servers

Specifies the maximum number of servers to track.

no_of_servers must be an integer from 1 through 100.


Usage:

Use this command to configure the maximum number of server IP addresses to be tracked that are involved in any kind of DoS attacks.


Example:
The following command configures the maximum number of server IP addresses to be tracked that are involved in any kind of DoS attacks to 20:
firewall track-list attacking-servers 20

fw-and-nat action

This command allows you to create/configure/delete Firewall-and-NAT actions.

IMPORTANT:

This command is available only in 11.0 and later releases. This command must be used to configure the Stateful Firewall and NAT Action.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
fw-and-nat action action_name [ -noconfirm ]
no fw-and-nat action action_name

no

If previously configured, deletes the specified Firewall-and-NAT action from the active charging service.

action_name

Specifies the Firewall-and-NAT action to add/configure/delete.

action_name must be the name of a Firewall-and-NAT action, and must be an alphanumeric string of 1 through 63 characters. Each Firewall-and-NAT action must have a unique name.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete a Firewall-and-NAT action.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-fw-and-nat-action)#

Also see the Firewall-and-NAT Action Configuration Mode Commands chapter.


Example:
The following command creates a Firewall-and-NAT action named test1, and changes to the Firewall-and-NAT Action Configuration Mode:
fw-and-nat action test1

fw-and-nat policy

This command allows you to create/configure/delete Firewall-and-NAT policies.

IMPORTANT:

This command is available only in StarOS 8.1 and in StarOS 9.0 and later releases. This command must be used to configure the Policy-based Stateful Firewall and NAT features.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
fw-and-nat policy fw_nat_policy_name [ -noconfirm ]
no fw-and-nat policy fw_nat_policy_name

no

If previously configured, deletes the specified Firewall-and-NAT policy from the active charging service.

IMPORTANT:

When a Firewall-and-NAT policy is deleted, Stateful Firewall and NAT processing is disabled for all subscribers using the policy, and ACS sessions for those subscribers are dropped. In case of session recovery, the calls are recovered but with Stateful Firewall and NAT disabled.

fw_nat_policy_name

Specifies the Firewall-and-NAT policy to add/configure/delete.

fw_nat_policy_name must be the name of a Firewall-and-NAT policy, and must be an alphanumeric string of 1 through 63 characters. Each Firewall-and-NAT policy must have a unique name.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete a Firewall-and-NAT policy.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-fw-and-nat-policy)#

Also see the Firewall-and-NAT Policy Configuration Mode Commands chapter.


Example:
The following command creates a Firewall-and-NAT policy named test321, and changes to the Firewall-and-NAT Policy Configuration Mode:
fw-and-nat policy test321

group-of-objects

This command allows you to create/configure/delete an ACS group-of-objects.

IMPORTANT:

This command is available only in StarOS 10.2 and later releases.

IMPORTANT:

A maximum of 16 object groups can be configured in the active charging service. And a maximum of 128 objects can be configured within each object group.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
group-of-objects objects_group_name [ type string [ -noconfirm ] ]
no group-of-objects objects_group_name

no

If previously configured, deletes the specified group-of-objects from the active charging service.

objects_group_name

Specifies the group-of-objects to add/configure/delete.

objects_group_name must be the name of a group-of-objects, and must be an alphanumeric string of 1 through 63 characters. Each group-of-objects must have a unique name.

If the named group-of-objects does not exist, it is created, and the CLI mode changes to the ACS Group-of-Objects Configuration Mode wherein the group can be configured.

If the named group-of-objects already exists, the CLI mode changes to the ACS Group-of-Objects Configuration Mode for that group.

type

Specifies the data type for the group-of-objects.

IMPORTANT:

“string” is the only data type supported in this release.

string

Specifies the data type as string.

When creating a group, specifying the data type is mandatory.

When modifying an existing group, specifying the data type is optional.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete a group-of-objects.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-acs-group-of-objects)#

Also see the ACS Group-of-Objects Configuration Mode Commands chapter.


Example:
The following command creates a group-of-objects named test4 with the data type string, and enters the ACS Group-of-Objects Configuration Mode:
group-of-objects test4 type string

group-of-prefixed-urls

This command allows you to create/configure/delete an ACS group-of-prefixed-URLs.

IMPORTANT:

This command is customer specific. For more information contact your Cisco account representative.

IMPORTANT:

A maximum of 64 group-of-prefixed-URL groups can be configured in the active charging service.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
group-of-prefixed-urls prefixed_urls_group_name [ -noconfirm ]
no group-of-prefixed-urls prefixed_urls_group_name

no

If previously configured, deletes the specified group-of-prefixed-urls from the active charging service.

prefixed_urls_group_name

Specifies the group-of-prefixed-urls to add/configure/delete.

prefixed_urls_group_name must be the name of a group-of-prefixed-urls, and must be an alphanumeric string of 1 through 63 characters. Each group-of-prefixed-urls must have a unique name.

If the named group-of-prefixed-urls does not exist, it is created, and the CLI mode changes to the ACS Group-of-Prefixed-URLs Configuration Mode wherein the group can be configured.

If the named group-of-prefixed-urls already exists, the CLI mode changes to the ACS Group-of-Prefixed-URLs Configuration Mode for that group.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete a group-of-prefixed-URLs.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-acs-grp-of-prefixed-urls)#

Also see the ACS Group-of-Prefixed-URLs Configuration Mode Commands chapter.


Example:
The following command creates group-of-prefixed-urls named test5, and enters the ACS Group-of-Prefixed-URLs Configuration Mode:
group-of-prefixed-urls test5

group-of-ruledefs

This command allows you to create/configure/delete an ACS group-of-ruledefs.

IMPORTANT:

A maximum of 64 groups-of-ruledefs can be configured in the active charging service.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
group-of-ruledefs ruledefs_group_name [ -noconfirm ]
no group-of-ruledefs ruledefs_group_name

no

If previously configured, deletes the specified group-of-ruledefs from the active charging service.

ruledefs_group_name

Specifies the group-of-ruledefs to add/configure/delete.

ruledefs_group_name must be unique within the active charging service, and must be an alphanumeric string of 1 through 63 characters. Each group-of-ruledefs must have a unique name.

If the named group-of-ruledefs does not exist, it is created, and the CLI mode changes to the ACS Group-of-Ruledefs Configuration Mode wherein the group can be configured.

If the named group-of-ruledefs already exists, the CLI mode changes to the ACS Group-of-Ruledefs Configuration Mode for that group.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete a group-of-ruledefs.

A group-of-ruledefs is a collection of rule definitions to use in access policy creation.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-group-of-ruledefs)#

Also see the ACS Group-of-Ruledefs Configuration Mode Commands chapter.


Example:
The following command creates a group-of-ruledefs named group1, and enters the ACS Group-of-Ruledefs Configuration Mode:
group-of-ruledefs group1

h323 time-to-live

This command allows you to configure the time period for which an endpoint’s registration to an H.323 gatekeeper is valid.

Platform:

ASR 5000

Product:

NAT


Privilege:

Security Administrator, Administrator


Syntax
h323 time-to-live timeout
default h323 time-to-live

default

Configures this command with its default setting.

Default: 3600 seconds

timeout

Specifies the timeout setting, in seconds.

timeout must be an integer from 1 through 2147483647.


Usage:

Use this command to configure the time period for which an endpoint’s registration to a gatekeeper is valid.


Example:
The following command configures the time for an endpoint registration with a timeout setting of 5 seconds:
h323 time-to-live 5

h323 timeout

This command allows you to configure the timeout intervals for various H.323 requests.

Platform:

ASR 5000

Product:

NAT


Privilege:

Security Administrator, Administrator


Syntax
h323 timeout { admission admission_timeout | discovery discovery_timeout | location location_timeout | registration registration_timeout | unregistration unregistration_timeout }
default h323 timeout { admission | discovery | location | registration | unregistration }

default

Configures this command with the default setting for the specified parameters.

admission admission_timeout

Configures the timeout value for the admission request sent to the gatekeeper.

admission_timeout must be an integer from 1 through 20.

Default: 10 seconds

discovery discovery_timeout

Configures the timeout value for the gatekeeper request message sent to the Gatekeeper.

discovery_timeout must be an integer from 1 through 20.

Default: 10 seconds

location location_timeout

Configures the timeout value for the location request message sent to the Gatekeeper.

location_timeout must be an integer from 1 through 20.

Default: 10 seconds

registration registration_timeout

Configures the timeout value for the registration request message sent to the Gatekeeper.

registration_timeout must be an integer from 1 through 20.

Default: 6 seconds

unregistration unregistration_timeout

Configures the timeout value for the unregistration request message sent to the Gatekeeper.

unregistration_timeout must be an integer from 1 through 20.

Default: 3 seconds


Usage:

Use this command to configure the timeout interval for the various H.323 requests.


Example:
The following command configures the admission request message with a timeout value of 15 seconds:
h323 timeout admission 15

h323 tpkt

This command allows you to configure the maximum size of Transport Protocol Data Unit Packets (TPKT) that the H.323 Application Layer Gateway (ALG) can handle.

Platform:

ASR 5000

Product:

NAT


Privilege:

Security Administrator, Administrator


Syntax
h323 tpkt max_tpkt_size
default h323 tpkt

default

Configures this command with its default setting.

Default: 2048 bytes

max_tpkt_size

Specifies the maximum TPKT size, in bytes.

max_tpkt_size must be an integer from 4 through 4096.


Usage:

Use this command to configure the maximum packet size for the H.323 ALG.


Example:
The following command configures a maximum TPKT packet size of 100 bytes:
h323 tpkt 100

h323 version

This command allows you to configure the H.323 version number supported by an H.323 Application Layer Gateway (ALG).

Platform:

ASR 5000

Product:

NAT


Privilege:

Security Administrator, Administrator


Syntax
h323 version h323_version_number
default h323 version

default

Configures this command with its default setting.

Default: 5

h323_version_number

Specifies the H.323 version number.

h323_version_number must be an integer from 1 through 7.


Usage:

Use this command to configure the H.323 version number supported by the H.323 ALG.


Example:
The following command configures the H.323 version as 1:
h323 version 1

host-pool

This command allows you to create/configure/delete host pools.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
host-pool host_pool_name [ -noconfirm ]
no host-pool host_pool_name

no

If previously configured, deletes the specified host pool from the active charging service.

host_pool_name

Specifies the host pool to add/configure/delete.

host_pool_name must be the name of a host pool, and must be an alphanumeric string of 1 through 63 characters and can contain punctuation characters. Each host pool must have a unique name.

If the named host pool does not exist, it is created, and the CLI mode changes to the ACS Host Pool Configuration Mode wherein the host pool can be configured.

If the named host pool already exists, the CLI mode changes to the ACS Host Pool Configuration Mode for that host pool.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete ACS host pools.

A host pool is a collection of hosts and IP addresses to use in access policy creation. The host pool name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names. A maximum of 256 host pools can be created.

IMPORTANT:

Host pools configured in other ruledefs cannot be deleted.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-acs-host-pool)#

Also see the ACS Host Pool Configuration Mode Commands chapter.


Example:
The following command creates a host pool named hostpool1, and enters the ACS Host Pool Configuration Mode:
host-pool hostpool1

idle-timeout

This command allows you to configure the maximum duration a flow can remain idle, after which the system automatically terminates the flow.

Platform:

ASR 5000

Product:

ACS, NAT, FW


Privilege:

Security Administrator, Administrator


Syntax
idle-timeout { alg-media | flow-mapping { tcp | udp } | icmp | tcp | udp } idle_timeout
{ default | no } idle-timeout { alg-media | flow-mapping { tcp | udp } | icmp | tcp | udp }

default

Configures this command with the default setting for the specified parameter.

Default:

  • alg-media: 120 seconds
  • flow-mapping { tcp | udp }: 300 seconds for TCP and 0 seconds for UDP
  • icmp, tcp, udp: 300 seconds

no

Disables the idle-timeout configuration for the specified flow.

alg-media

Configures the ALG media for the specified flow.

flow-mapping { tcp | udp }

The Flow Mapping timer is an extension to the existing flow idle-timeout in ACS. This flow mapping timeout applies only for NAT enabled calls and is supported only for TCP and UDP flows. The purpose of this timer is to hold the resources (NAT IP, NAT port, Private IP NPU flow) associated with a 5-tuple flow until Mapping timeout expiry.

If the Flow Mapping timer is disabled, then the Mapping timeout will not get triggered for UDP/TCP idle timed out flows. The resources such as NAT mapping will be released along with the 5-tuple flow.

icmp

Configures the ICMP protocol for the specified flow.

tcp

Configures the TCP protocol for the specified flow.

udp

Configures the UDP protocol for the specified flow.

idle_timeout

Specifies the timeout duration, in seconds, and must be an integer from 0 through 86400.

For alg-media, specifies the media inactivity timeout. The idle_timeout value is applied to RTP and RTCP media flows that are created for SIP/H.323 calls. The timeout is applied only to those flows that actually match the RTP and RTCP media pinholes created by the SIP/H.323 ALG.

A value of 0 disables the idle-timeout setting.


Usage:

Use this command to configure the maximum duration a flow can remain idle, in seconds, after which the system automatically terminates the flow.

Setting the value to 0 will cause the idle-timeout setting to be disabled.

For flows other than TCP, UDP, and ICMP, the timeout value is always 300 seconds (unless configured in the charging-action). The charging action’s flow idle-timeout takes precedence over the ACS idle-timeout. If the charging action’s flow idle-timeout is set to default, flows use the value configured in the active charging service.


Example:
The following command configures the maximum duration a TCP flow can remain idle to 3000 seconds, after which the system automatically terminates the flow:
idle-timeout tcp 3000

imsi-pool

This command allows you to create/configure/delete International Mobile Subscriber Identity (IMSI) pools.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
imsi-pool imsi_pool_name [ -noconfirm ]
no imsi-pool imsi_pool_name

no

If previously configured, deletes the specified IMSI pool from the active charging service.

imsi_pool_name

Specifies the IMSI pool to add/configure/delete.

imsi_pool_name must be the name of an IMSI pool, and must be an alphanumeric string of 1 through 63 characters, and can contain punctuation characters. Each IMSI pool must have a unique name.

If the named IMSI pool does not exist, it is created, and the CLI mode changes to the ACS IMSI Pool Configuration Mode wherein the IMSI pool can be configured.

If the named IMSI pool already exists, the CLI mode changes to the ACS IMSI Pool Configuration Mode for that IMSI pool.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete pools of International Mobile Subscriber Identity (IMSI) numbers, each containing individual IMSI numbers or ranges of IMSI numbers, to use in access policy creation. The IMSI pool name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names. A maximum of 256 IMSI pools can be created.

IMPORTANT:

IMSI pools configured in other ruledefs cannot be deleted.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-acs-imsi-pool)#

Also see the ACS IMSI Pool Configuration Mode Commands chapter.


Example:
The following command creates an IMSI pool named imsipool1, and enters the ACS IMSI Pool Configuration Mode:
imsi-pool imsipool1
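
The shared-name rule and the 256-pool maximums described for host pools and IMSI pools can be checked offline before a configuration is applied. The following Python script is an added example, not part of the StarOS documentation; it covers only the access-ruledef, host-pool, and imsi-pool commands shown in this chapter, assumes one command per line as typed in ACS Configuration Mode, and uses a constructed sample.

```python
# Added example: offline check of the naming rules documented in this chapter.
# Assumption: input is one command per line, as typed in ACS Configuration Mode.

# Object types that share one name space; only commands shown in this chapter are covered.
SHARED_NAMESPACE = ("access-ruledef", "host-pool", "imsi-pool")
MAX_PER_KIND = {"host-pool": 256, "imsi-pool": 256}  # documented maximums
MAX_NAME_LEN = 63                                     # names are 1 through 63 characters


def check_names(config_text):
    """Return a list of problem strings for the object definitions in config_text."""
    problems = []
    owner = {}  # object name -> command that created it
    count = {}  # command -> number of objects currently defined
    for lineno, line in enumerate(config_text.splitlines(), 1):
        tok = line.split()
        deleting = tok[:1] == ["no"]
        if deleting:
            tok = tok[1:]
        if len(tok) < 2 or tok[0] not in SHARED_NAMESPACE:
            continue
        kind, name = tok[0], tok[1]
        if deleting:
            # "no <command> <name>" frees the name for reuse.
            if owner.get(name) == kind:
                del owner[name]
                count[kind] -= 1
            continue
        if len(name) > MAX_NAME_LEN:
            problems.append(
                f"line {lineno}: {kind} name is {len(name)} characters, "
                f"maximum is {MAX_NAME_LEN}")
            continue
        if name in owner:
            # Same command and name only re-enters the existing object's mode.
            if owner[name] != kind:
                problems.append(
                    f"line {lineno}: {kind} {name!r} reuses the name of an "
                    f"existing {owner[name]}")
            continue
        owner[name] = kind
        count[kind] = count.get(kind, 0) + 1
        limit = MAX_PER_KIND.get(kind)
        if limit is not None and count[kind] > limit:
            problems.append(
                f"line {lineno}: {kind} {name!r} exceeds the maximum of {limit}")
    return problems


# Constructed sample configuration (not taken from a real system).
SAMPLE_CONFIG = "\n".join([
    "host-pool hostpool1",
    "imsi-pool imsipool1",
    "access-ruledef hostpool1",   # collides with the host pool
    "host-pool hostpool1",        # re-enters the existing host pool: allowed
    "no imsi-pool imsipool1",
    "access-ruledef imsipool1",   # allowed: the IMSI pool was deleted first
    "host-pool " + "x" * 64,      # name is too long
])

if __name__ == "__main__":
    for problem in check_names(SAMPLE_CONFIG):
        print(problem)
```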

ip max-fragments

This command allows you to limit the maximum number of IPv4/IPv6 fragments per fragment chain.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ip max-fragments max_fragments
default ip max-fragments

default

Configures this command with its default setting.

Default: 45

max_fragments

Specifies the maximum number of IPv4/IPv6 fragments per fragment chain.

max_fragments must be an integer from 1 through 300.


Usage:

Use this command to limit the maximum number of IPv4/IPv6 fragments.


Example:
The following command limits the maximum number of IPv4/IPv6 fragments to 100:
ip max-fragments 100

label content-id

This command allows you to specify a label (text string) to associate with a content ID for UDRs/EDRs/eG-CDRs.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
label content-id content_id text label_text
no label content-id content_id

no

If previously configured, deletes the specified label.

content-id content_id

Specifies the content ID to associate with the label.

content_id must be an integer from 1 through 65535.

text label_text

Specifies the label to associate with the specified content ID.

label_text must be an alphanumeric string of 1 through 64 characters.


Usage:

Use this command to create a text label to associate with a content ID.

A maximum of 2048 labels can be configured in the active charging service.


Example:
The following command creates the label test_charge1 to be associated with the content ID 1378:
label content-id 1378 text test_charge1

nat allocation-failure

This command allows you to configure the action to take when NAT IP/Port allocation fails.

IMPORTANT:

This command is available only in StarOS 8.3 and later releases.

Platform:

ASR 5000

Product:

NAT


Privilege:

Security Administrator, Administrator


Syntax
nat allocation-failure send-icmp-dest-unreachable
{ default | no } nat allocation-failure

default

Configures this command with its default setting.

Default: Packets are dropped silently

no

If previously enabled, disables the NAT Allocation Failure configuration. Packets are dropped silently.

nat allocation-failure send-icmp-dest-unreachable

Specifies to send ICMP Destination Unreachable message when NAT IP/Port allocation fails.


Usage:

Use this command to configure the action to take when NAT IP/port allocation fails—to send or not to send an “ICMP destination unreachable message” when a NAT IP/port cannot be assigned to a flow in data path.


Example:
The following command configures sending ICMP Destination Unreachable message when NAT IP/Port allocation fails:
nat allocation-failure send-icmp-dest-unreachable

nat allocation-in-progress

This command allows you to configure the action to take on packets when NAT IP/NPU allocation is in progress.

IMPORTANT:

This command is available only in StarOS 8.3 and later releases.

Platform:

ASR 5000

Product:

NAT


Privilege:

Security Administrator, Administrator


Syntax
nat allocation-in-progress { buffer | drop }
default nat allocation-in-progress

default

Configures this command with its default setting.

Default: buffer

buffer | drop

Specifies the action to take on packets when NAT IP/NPU allocation is in progress:

  • buffer: Buffers the packets.
  • drop: Drops the packets.

Usage:

In On-demand NAT IP allocation (wherein NAT IP address is allocated to the subscriber when a packet is being sent), if no free NAT IP address is available, a NAT-IP Alloc Request is sent to the VPNMgr to get NAT-IP. During that time packets are dropped. This command enables buffering the packets received when IP Alloc Request is sent to VPNMgr.


Example:
The following command specifies to buffer packets when NAT IP/NPU allocation is in progress:
nat allocation-in-progress buffer

nat tcp-2msl-timeout

This command allows you to configure the TCP 2MSL (Maximum Segment Lifetime) timeout value for NAT.

IMPORTANT:

This command is available only in StarOS 8.3 and later releases.

Platform:

ASR 5000

Product:

NAT


Privilege:

Security Administrator, Administrator


Syntax
nat tcp-2msl-timeout timeout
default nat tcp-2msl-timeout

default

Configures this command with its default setting.

Default: 60 seconds

timeout

Specifies the TCP 2MSL timeout period, in seconds.

timeout must be an integer from 30 through 240.


Usage:

Use this command to configure the TCP 2MSL timeout value for NAT.


Example:
The following command configures the TCP 2MSL timeout for NAT to 120 seconds:
nat tcp-2msl-timeout 120
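
The numeric ranges documented above for the h323, idle-timeout, ip max-fragments, and nat tcp-2msl-timeout commands can be checked before a configuration is applied, along with settings that disable a flow idle timer. The following Python script is an added example, not part of the StarOS documentation; it assumes one command per line as typed in ACS Configuration Mode, and the sample configuration is constructed.

```python
# Added example: audit ACS Configuration Mode lines against the ranges on this page.
# Assumption: input is one command per line, as typed in ACS Configuration Mode.

# Two-word commands that take a single integer: (minimum, maximum), inclusive.
RANGES = {
    ("h323", "time-to-live"): (1, 2147483647),
    ("h323", "tpkt"): (4, 4096),
    ("h323", "version"): (1, 7),
    ("ip", "max-fragments"): (1, 300),
    ("nat", "tcp-2msl-timeout"): (30, 240),
}
H323_TIMEOUT_KINDS = {"admission", "discovery", "location",
                      "registration", "unregistration"}
IDLE_FLOWS = {"alg-media", "icmp", "tcp", "udp"}
DISABLED = "idle flows of this type are no longer terminated by this timer"


def _check(name, text, low, high):
    """Return an error finding unless text is an integer from low through high."""
    if text.isascii() and text.isdigit() and low <= int(text) <= high:
        return []
    return [("error", f"{name}: {text!r} is not an integer from {low} through {high}")]


def audit_line(line):
    """Return (severity, message) findings for one configuration line."""
    tok = line.split()
    if not tok or tok[0] == "default":
        return []  # blank line, or a reset to the documented default
    if tok[0] == "no":
        if len(tok) == 3 and tok[1] == "idle-timeout" and tok[2] in IDLE_FLOWS:
            return [("warn", f"no idle-timeout {tok[2]}: {DISABLED}")]
        return []
    if tok[:2] == ["h323", "timeout"]:
        if len(tok) != 4 or tok[2] not in H323_TIMEOUT_KINDS:
            return [("error", f"h323 timeout: unrecognised form {' '.join(tok)!r}")]
        return _check(f"h323 timeout {tok[2]}", tok[3], 1, 20)
    if tok[0] == "idle-timeout":
        flow, value = tok[1:-1], tok[-1]
        simple = len(flow) == 1 and flow[0] in IDLE_FLOWS
        mapping = (len(flow) == 2 and flow[0] == "flow-mapping"
                   and flow[1] in ("tcp", "udp"))
        if not (simple or mapping):
            return [("error", f"idle-timeout: unrecognised form {' '.join(tok)!r}")]
        name = "idle-timeout " + " ".join(flow)
        findings = _check(name, value, 0, 86400)
        # 0 is the documented default for flow-mapping udp, so only flag flow timers.
        if simple and not findings and int(value) == 0:
            findings.append(("warn", f"{name} 0: {DISABLED}"))
        return findings
    key = tuple(tok[:2])
    if key in RANGES:
        if len(tok) != 3:
            return [("error", f"{' '.join(key)}: expected exactly one value")]
        return _check(" ".join(key), tok[2], *RANGES[key])
    return []  # command not covered by this audit


def audit_config(text):
    """Return (line_number, severity, message) for every finding in text."""
    return [(number, severity, message)
            for number, line in enumerate(text.splitlines(), 1)
            for severity, message in audit_line(line)]


# Constructed sample configuration (not taken from a real system).
SAMPLE_CONFIG = """\
h323 time-to-live 3600
h323 timeout admission 15
h323 timeout registration 25
h323 tpkt 2
h323 version 5
idle-timeout tcp 3000
idle-timeout udp 0
idle-timeout flow-mapping udp 0
no idle-timeout icmp
ip max-fragments 100
nat tcp-2msl-timeout 20
default h323 tpkt
"""

if __name__ == "__main__":
    for number, severity, message in audit_config(SAMPLE_CONFIG):
        print(f"line {number}: {severity}: {message}")
```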

p2p-detection protocol

This command enables/disables the detection of all or specified peer-to-peer (P2P) protocols.

Platform:

ASR 5000

Product:

ADC


Privilege:

Security Administrator, Administrator


Syntax
[ no ] p2p-detection protocol [ actsync | aimini | all | applejuice | ares | armagettron | battlefld | bittorrent | blackberry | citrix | clubpenguin | crossfire | ddlink | directconnect | dofus | edonkey | facebook | facetime | fasttrack | feidian | fiesta | filetopia | florensia | freenet | fring | funshion | gadugadu | gamekit | gmail | gnutella | gtalk | guildwars | halflife2 | hamachivpn | iax | icecast | imesh | iptv | irc | isakmp | iskoot | itunes | jabber | kontiki | manolito | maplestory | meebo | mgcp | msn | mute | myspace | nimbuzz | octoshape | off | oovoo | openft | orb | oscar | paltalk | pando | pandora | popo | pplive | ppstream | ps3 | qq | qqgame | qqlive | quake | rdp | rfactor | rmstream | scydo | secondlife | shoutcast | skinny | skype | slingbox | sopcast | soulseek | splashfighter | ssdp | stealthnet | steam | stun | teamspeak | teamviewer | thunder | tor | truphone | tvants | tvuplayer | twitter | uusee | veohtv | viber | vpnx | vtun | warcft3 | whatsapp | wii | winmx | winny | wmstream | wofkungfu | wofwarcraft | xbox | xdcc | yahoo | yourfreetunnel | zattoo + ]

all

Specifies to detect all supported P2P protocols.

In 12.2 and earlier releases: Specifying all is the same as configuring each of the following protocols individually.

actsync

Specifies to detect ActiveSync protocol.

aimini

Specifies to detect Aimini protocol.

applejuice

Specifies to detect Applejuice protocol.

ares

Specifies to detect Ares Galaxy protocol.

armagettron

Specifies to detect Armagetron protocol.

battlefld

Specifies to detect Battlefield protocol.

bittorrent

Specifies to detect BitTorrent protocol.

blackberry

Specifies to detect BlackBerry protocol.

citrix

Specifies to detect Citrix Independent Computing Architecture (ICA) protocol.

clubpenguin

Specifies to detect Club Penguin protocol.

crossfire

Specifies to detect Crossfire protocol.

ddlink

Specifies to detect DDLink protocol.

directconnect

Specifies to detect Direct Connect protocol.

dofus

Specifies to detect DOFUS protocol.

edonkey

Specifies to detect eDonkey protocol.

facebook

Specifies to detect Facebook protocol.

facetime

Specifies to detect FaceTime protocol.

IMPORTANT:

The facetime protocol option is available only in 9.0 and in 11.0 and later releases.

fasttrack

Specifies to detect FastTrack protocol.

feidian

Specifies to detect Feidian protocol.

fiesta

Specifies to detect FIESTA protocol.

filetopia

Specifies to detect Filetopia protocol.

florensia

Specifies to detect Florensia protocol.

freenet

Specifies to detect Freenet protocol.

fring

Specifies to detect Fring SIP protocol.

funshion

Specifies to detect Funshion protocol.

gadugadu

Specifies to detect Gadu-Gadu protocol.

gamekit

Specifies to detect GameKit protocol.

IMPORTANT:

The gamekit protocol option is available only in 9.0 and in 11.0 and later releases.

gmail

Specifies to detect Gmail protocol.

gnutella

Specifies to detect Gnutella protocol.

gtalk

Specifies to detect Google Talk protocol.

guildwars

Specifies to detect GuildWars protocol.

halflife2

Specifies to detect Half-Life 2 protocol.

hamachivpn

Specifies to detect Hamachi VPN protocol.

iax

Specifies to detect Inter-Asterisk eXchange protocol.

icecast

Specifies to detect Icecast protocol.

imesh

Specifies to detect iMesh protocol.

iptv

Specifies to detect IPTV protocol.

irc

Specifies to detect Internet Relay Chat protocol.

isakmp

Specifies to detect Internet Security Association and Key Management Protocol.

iskoot

Specifies to detect iSkoot VoIP protocol.

itunes

Specifies to detect iTunes protocol.

jabber

Specifies to detect Jabber XMPP protocol.

kontiki

Specifies to detect Kontiki delivery protocol.

manolito

Specifies to detect MANOLITO protocol.

maplestory

Specifies to detect MapleStory protocol.

meebo

Specifies to detect Meebo protocol.

mgcp

Specifies to detect Media Gateway Control Protocol.

msn

Specifies to detect MSN Messenger protocol.

mute

Specifies to detect MUTE protocol.

myspace

Specifies to detect MySpace protocol.

nimbuzz

Specifies to detect Nimbuzz protocol.

octoshape

Specifies to detect Octoshape protocol.

off

Specifies to detect Off-The-Record protocol.

oovoo

Specifies to detect ooVoo protocol.

openft

Specifies to detect OpenFT protocol.

orb

Specifies to detect Internet Inter-ORB Protocol.

oscar

Specifies to detect Open System for CommunicAtion in Realtime protocol.

paltalk

Specifies to detect Paltalk protocol.

pando

Specifies to detect Pando protocol.

pandora

Specifies to detect Pandora protocol.

popo

Specifies to detect Popo protocol.

pplive

Specifies to detect PPlive protocol.

ppstream

Specifies to detect PPstream protocol.

ps3

Specifies to detect PS3 protocol.

qq

Specifies to detect Tencent QQ instant messaging protocol.

qqgame

Specifies to detect QQgame protocol.

qqlive

Specifies to detect QQlive protocol.

quake

Specifies to detect Quake network protocol.

rdp

Specifies to detect Remote Desktop protocol.

rfactor

Specifies to detect rFactor protocol.

rmstream

Specifies to detect RealMedia streaming protocol.

scydo

Specifies to detect Scydo VoIP protocol.

secondlife

Specifies to detect Second Life protocol.

shoutcast

Specifies to detect SHOUTcast protocol.

skinny

Specifies to detect Skinny Call Control Protocol (SCCP).

skype

Specifies to detect Skype protocol.

slingbox

Specifies to detect Slingbox protocol.

sopcast

Specifies to detect Sopcast streaming protocol.

soulseek

Specifies to detect Soulseek chat and file transfer protocol.

splashfighter

Specifies to detect SplashFighter protocol.

ssdp

Specifies to detect Simple Service Discovery Protocol.

stealthnet

Specifies to detect StealthNet RShare network protocol.

steam

Specifies to detect Steam file transfer protocol.

stun

Specifies to detect Session Traversal Utilities for NAT protocol.

teamspeak

Specifies to detect TeamSpeak VoIP gaming client protocol.

teamviewer

Specifies to detect TeamViewer remote control protocol.

thunder

Specifies to detect Thunder (Xunlei) download manager protocol.

tor

Specifies to detect Tor hidden service (anonymizer) protocol.

truphone

Specifies to detect Truphone WiFi VoIP protocol.

tvants

Specifies to detect TVAnts protocol.

tvuplayer

Specifies to detect TVUPlayer protocol.

twitter

Specifies to detect Twitter protocol.

uusee

Specifies to detect UUSee on-demand streaming protocol.

veohtv

Specifies to detect VeohTV television via Internet protocol.

viber

Specifies to detect Viber VoIP protocol.

vpnx

Specifies to detect VPN-X cross-platform protocol.

vtun

Specifies to detect VTun (Virtual Tunnel) protocol.

warcft3

Specifies to detect Warcraft 3 game protocol.

whatsapp

Specifies to detect WhatsApp messaging protocol.

wii

Specifies to detect Wii Remote Bluetooth protocol.

winmx

Specifies to detect WinMX Peer Network Protocol (WPNP).

winny

Specifies to detect Winny anonymizing protocol.

wmstream

Specifies to detect Windows Media HTTP Streaming Protocol.

wofkungfu

Specifies to detect wofkungfu protocol.

wofwarcraft

Specifies to detect World of Warcraft gaming protocol.

xbox

Specifies to detect Xbox protocol.

xdcc

Specifies to detect eXtended Direct Client-to-Client protocol.

yahoo

Specifies to detect Yahoo! Messenger protocol.

yourfreetunnel

Specifies to detect your free Tunnel chat protocol.

zattoo

Specifies to detect Zattoo IPTV protocol.

+

More than one of the above keywords can be entered within a single command.


Usage:

Use this command to configure the detection of all or specific P2P protocol(s). Multiple keywords can be specified in a single command.


Example:
The following command enables detection of all P2P protocols:
p2p-detection protocol all

packet-filter

This command allows you to create/configure/delete ACS packet filters.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
packet-filter packet_filter_name [ -noconfirm ]
no packet-filter packet_filter_name

no

If previously configured, deletes the specified packet filter from the active charging service.

packet_filter_name

Specifies the packet filter to add/configure/delete.

packet_filter_name must be the name of a packet filter, and must be an alphanumeric string of 1 through 63 characters. Each packet filter must have a unique name.

If the named packet filter does not exist, it is created, and the CLI mode changes to the ACS Packet Filter Configuration Mode wherein the packet filter can be configured.

If the named packet filter already exists, the CLI mode changes to the ACS Packet Filter Configuration Mode for that packet filter.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete an ACS packet filter.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-packet-filter)#

Also see the ACS Packet Filter Configuration Mode Commands chapter.


Example:
The following command creates a packet filter named filter3, and enters the ACS Packet Filter Configuration Mode:
packet-filter filter3

passive-mode

This command allows you to configure the Active Charging Service to operate in passive mode, wherein ACS passively monitors copies of packets.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] passive-mode

no

If previously enabled, disables the passive mode configuration.

default

Configures this command with its default setting.

Default: Disabled


Usage:

Use this command to put the active charging service in/out of passive mode operation, wherein ACS passively monitors copies of packets.


Example:
The following command puts the active charging service into passive mode operation:
passive-mode

policy-control bind-default-bearer

For PCEF Bearer Binding in 3G and when BCM mode is UE only, this command allows you to enable/disable binding rules having QCI of default bearer to the default bearer and to not ignore/ignore other rules.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] policy-control bind-default-bearer

default

Configures this command with its default setting.

Default: Disables binding rules having QCI of default bearer to the default bearer and specifies to not ignore other rules.

no

Enables binding rules having QCI of default bearer to the default bearer and specifies to ignore other rules.


Usage:

For PCEF Bearer Binding in 3G and when BCM mode is UE only, use this command to enable/disable binding rules having QCI of default bearer to the default bearer and to not ignore/ignore other rules respectively.

policy-control burst-size

This command allows you to configure the burst size for bandwidth limiting per dynamic-rule or per bearer.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
policy-control burst-size { auto-readjust [ duration duration ] | bytes bytes }
{ default | no } policy-control burst-size

default | no

Configures this command with its default setting.

Default: 65535 bytes

duration duration

Configures the burst size to equal duration seconds of traffic.

duration must be an integer from 1 through 20.

Default: In 12.1 and earlier releases, 10 seconds.

bytes bytes

Specifies the burst size, in bytes.

bytes must be an integer from 1 through 4000000000.


Usage:

Use this command to configure the burst size for bandwidth limiting per dynamic-rule or per bearer.


Example:
The following command configures the burst size for bandwidth limiting per dynamic-rule or per bearer equal to 10 seconds of traffic:
policy-control burst-size auto-readjust

policy-control charging-rule-base-name

This command allows you to configure how the Charging-Rule-Base-Name AVP from PCRF is interpreted, either as ACS rulebase or ACS group-of-ruledefs.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
policy-control charging-rule-base-name { active-charging-group-of-ruledefs | active-charging-rulebase [ ignore-when-removed ] }
default policy-control charging-rule-base-name

default

Configures this command with its default setting(s).

Default:

  • charging-rule-base-name: active-charging-group-of-ruledefs

active-charging-group-of-ruledefs

Specifies interpreting Charging-Rule-Base-Name as ACS group-of-ruledefs.

active-charging-rulebase [ ignore-when-removed ]

Specifies interpreting Charging-Rule-Base-Name as ACS rulebase.

When Charging-Rule-Base-Name AVP is interpreted as ACS rulebase, if PCRF requests the removal of a Charging-Rule-Base-Name, which is the same as the rulebase used for that PDP context, the PDP context is terminated. This is because after removal of the rulebase, the PDP context will have no rulebase. This is the default behavior.

ignore-when-removed: Specifies that a PCRF request for removal of Charging-Rule-Base-Name is ignored and no action is taken. If this keyword is not configured, the PDP context from which the rulebase is removed gets terminated.

For each call, this interpretation is decided at call setup and does not change during the life of that call. A change applies only to new calls that come up after the change.


Usage:

Use this command to configure interpretation of Charging-Rule-Base-Name AVP from PCRF either as ACS group-of-ruledefs or as ACS rulebase.


Example:
The following command configures interpreting of Charging-Rule-Base-Name AVP as ACS rulebase:
policy-control charging-rule-base-name active-charging-rulebase

policy-control retransmissions-counted

This command allows you to enable/disable charging of retransmitted packets when they hit a dynamic rule.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] policy-control retransmissions-counted
default | no

Disables charging of retransmitted packets when they hit a dynamic rule.

Default: Disabled; no retransmissions counted.


Usage:

Use this command to enable/disable charging of retransmitted packets when they hit a dynamic rule.


Example:
The following command enables retransmissions to be charged when they hit a dynamic rule:
policy-control retransmissions-counted

policy-control update-default-bearer

For PCEF Bearer Binding in LTE, this command allows you to enable/disable sending updates that control the default bearer to the subscriber.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] policy-control update-default-bearer
default

Configures this command with its default setting.

Default: Enables sending updates towards subscriber on default bearer.

no

Disables sending updates towards subscriber on default bearer.


Usage:

For PCEF Bearer Binding in LTE, use this command to enable/disable sending updates like change in TFT, change in bit-rates, and so on towards the subscriber, in downlink direction, on default bearer.

port-map

This command allows you to create/configure/delete port maps.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
port-map port_map_name [ -noconfirm ]
no port-map port_map_name
no

If previously configured, deletes the specified port map from the active charging service.

port_map_name

Specifies the port map to add/configure/delete.

port_map_name must be the name of a port map, and must be an alphanumeric string of 1 through 63 characters, and can contain punctuation characters. Each port map must have a unique name.

If the named port map does not exist, it is created, and the CLI mode changes to the ACS Port Map Configuration Mode wherein the port map can be configured.

If the named port map already exists, the CLI mode changes to the ACS Port Map Configuration Mode for that port map.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete an ACS port map.

The port map name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names. A maximum of 256 port maps can be created.

IMPORTANT:

Port maps in use in other ruledefs cannot be deleted.

Also see the ACS Port Map Configuration Mode Commands chapter.


Example:
The following command creates a port map named portmap1, and enters the ACS Port Map Configuration Mode:
port-map portmap1

redirect user-agent

This command allows you to specify the user agent for conditional redirection of traffic flows.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] redirect user-agent user_agent_name
no

If previously configured, deletes the specified user agent from the active charging service.

user_agent_name

Specifies the user agent to be used for redirecting traffic flow.

user_agent_name must be the name of a user agent, and must be an alphanumeric string of 1 through 32 characters.

A maximum of 16 user-agents can be configured in the active charging service.


Usage:

Use this command to redirect traffic flows conditionally, based on the configured user-agent name. This user agent is used with the flow action command in the ACS Charging Action Configuration Mode.


Example:
The following command specifies the redirect user agent user_rule1 for conditional redirection of traffic flow:
redirect user-agent user_rule1

rulebase

This command allows you to create/configure/delete ACS rulebases.

IMPORTANT:

A maximum of 512 rulebases can be configured in the active charging service.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
rulebase rulebase_name [ -noconfirm ]
no rulebase rulebase_name
no

If previously configured, deletes the specified rulebase from the active charging service.

rulebase_name

Specifies the rulebase to add/configure/delete.

rulebase_name must be the name of an ACS rulebase, and must be an alphanumeric string of 1 through 63 characters, and can contain punctuation characters. Each rulebase must have a unique name.

If the named rulebase does not exist, it is created, and the CLI mode changes to the ACS Rulebase Configuration Mode wherein the rulebase can be configured.

If the named rulebase already exists, the CLI mode changes to the ACS Rulebase Configuration Mode for that rulebase.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete an ACS rulebase. A rulebase is a collection of protocol rules to match a flow, together with the associated actions to be taken for a matching flow.

The default rulebase is used when a subscriber/APN is not configured with a specific rulebase to use.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-rule-base)#

Also see the ACS Rulebase Configuration Mode Commands chapter.


Example:
The following command creates a rulebase named test1, and enters the ACS Rulebase Configuration Mode:
rulebase test1

ruledef

This command allows you to create/configure/delete ACS rule definitions.

IMPORTANT:

A maximum of 2048 ruledefs can be configured in the active charging service.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
ruledef ruledef_name [ -noconfirm ]
no ruledef ruledef_name
no

If previously configured, deletes the specified ruledef from the active charging service.

ruledef_name

Specifies the ruledef to add/configure/delete.

ruledef_name must be the name of an ACS ruledef, and must be an alphanumeric string of 1 through 63 characters, and can contain punctuation characters. Each ruledef must have a unique name. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names.

If the named ruledef does not exist, it is created, and the CLI mode changes to the ACS Ruledef Configuration Mode wherein the ruledef can be configured.

If the named ruledef already exists, the CLI mode changes to the ACS Ruledef Configuration Mode for that ruledef.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete an ACS ruledef.

A ruledef represents a set of matching conditions across multiple L3 – L7 protocols, based on protocol fields and state information. Each ruledef can be used across multiple rulebases within the active charging service.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-acs-ruledef)#

Also see the ACS Ruledef Configuration Mode Commands chapter.


Example:
The following command creates an ACS ruledef named test1, and enters the ACS Ruledef Configuration Mode:
ruledef test1

system-limit l4-flows

This command allows you to configure the system-wide Layer 4 flow limit.

IMPORTANT:

This command is customer specific. For more information contact your Cisco account representative.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
system-limit l4-flows limit
{ default | no } system-limit l4-flows
default

Configures this command with its default setting.

Default: Disabled; same as no system-limit l4-flows

no

Disables the limit checking configuration.

limit

Specifies the Layer 4 flows limit.

limit must be an integer from 1 through 2147483647.


Usage:

Use this command to configure the system-wide limit for Layer 4 flows.

The System-wide L4 Flow Limiting feature provides the capability to limit the number of TCP and UDP flows over the system. This limiting can be applied to all subscribers attaching to the system and to all APNs. This feature is compatible with the existing per-subscriber limiting (configured using the flow limit-for-flow-type charging action). Both kinds of limiting can be active at the same time.

System-wide flow limiting is implemented by periodically (~ every 10 seconds) comparing the “Effective Flows” against the configurable “System-wide Flow Limit”, where “Effective Flows” is the number of active data sessions, each identified by its 5-tuple key. If the “Effective Flows” exceeds the “System-wide Flow Limit”, the Resource Manager indicates this to the active charging service. Once ACS is aware that the “System-wide Flow Limit” has been reached, no more data sessions are set up, and the packets are discarded. While a subsequent flow-usage update from the active charging service is being processed, a change in behavior is indicated to the active charging service so that it starts accepting data sessions again. Because this relies on periodic reporting, there is an inherent delay in detecting both that the flow limit has been exceeded and that usage has returned below it.
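
The following model of the periodic check shows how far the active flow count can overshoot the configured limit between two checks, and that setups keep being discarded until the next check even after the count has dropped back under the limit. It is an added illustration, not StarOS code: the one-second time step, arrival rate and flow lifetime are constructed assumptions, and only the roughly 10-second check interval and the accept/discard behavior come from the text above.

```python
from collections import deque

CHECK_PERIOD_S = 10  # the text above gives roughly every 10 seconds


def simulate(limit, arrivals_per_s, flow_lifetime_s, duration_s,
             check_period_s=CHECK_PERIOD_S):
    """Model the periodic system-wide L4 flow check (a sketch, not StarOS code).

    Returns (peak_effective_flows, dropped_setups, timeline), where timeline
    holds one (second, effective_flows, accepting) tuple per periodic check.
    """
    expiries = deque()   # expiry time of each active flow, in arrival order
    accepting = True     # new data sessions are admitted until told otherwise
    peak = 0
    dropped = 0
    timeline = []
    for now in range(duration_s):
        # Retire flows whose (assumed, fixed) lifetime has elapsed.
        while expiries and expiries[0] <= now:
            expiries.popleft()
        # Periodic report: the admit/deny state can only change here.
        if now % check_period_s == 0:
            accepting = len(expiries) <= limit
            timeline.append((now, len(expiries), accepting))
        # Flow setups arriving during this second.
        for _ in range(arrivals_per_s):
            if accepting:
                expiries.append(now + flow_lifetime_s)
            else:
                dropped += 1  # no session is set up; the packets are discarded
        peak = max(peak, len(expiries))
    return peak, dropped, timeline


if __name__ == "__main__":
    # Constructed scenario: limit 100, 20 setups/s, 30 s flows, 60 s run.
    peak, dropped, timeline = simulate(limit=100, arrivals_per_s=20,
                                       flow_lifetime_s=30, duration_s=60)
    print(f"configured limit=100 peak={peak} dropped={dropped}")
    for second, flows, accepting in timeline:
        state = "accepting" if accepting else "discarding"
        print(f"t={second:>2}s effective_flows={flows:>3} {state}")
```

In this constructed scenario the count reaches twice the configured limit before the first check fires, so a limit chosen as a hard ceiling needs headroom for one check interval of arrivals.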


Example:
The following command sets the system limit for L4 flows to 100:
system-limit l4-flows 100

timedef

This command allows you to create/configure/delete ACS Time Definitions (timedefs).

IMPORTANT:

This command is available only in StarOS 8.1 and in StarOS 9.0 and later releases.

IMPORTANT:

A maximum of 10 timedefs can be configured in the active charging service.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
timedef timedef_name [ -noconfirm ]
no timedef timedef_name
no

If previously configured, deletes the specified timedef from the active charging service.

timedef_name

Specifies the timedef to add/configure/delete.

timedef_name must be the name of a timedef, and must be an alphanumeric string of 1 through 63 characters. Each timedef must have a unique name.

If the named timedef does not exist, it is created, and the CLI mode changes to the ACS Timedef Configuration Mode wherein timeslots for the timedef can be configured.

If the named timedef already exists, the CLI mode changes to the ACS Timedef Configuration Mode for that timedef.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete ACS timedefs for the Time-of-Day Activation/Deactivation of Rules feature. Timedefs enable activation/deactivation of ruledefs/groups-of-ruledefs such that they are available for rule matching only when they are active.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-acs-timedef)#

Also see the ACS Timedef Configuration Mode Commands chapter.


Example:
The following command creates a timedef named test1, and enters the ACS Timedef Configuration Mode:
timedef test1

tpo policy

This command allows you to create/configure/delete Traffic Performance Optimization (TPO) policies.

Platform:

ASR 5000

Product:

TPO


Privilege:

Security Administrator, Administrator


Syntax
tpo policy tpo_policy_name [ -noconfirm ]
no tpo policy tpo_policy_name
no

If previously configured, deletes the specified TPO policy from the active charging service.

tpo_policy_name

Specifies the TPO policy to add/configure/delete.

tpo_policy_name must be the name of a TPO policy, and must be an alphanumeric string of 1 through 63 characters. Each TPO policy must have a unique name.

If the named TPO policy does not exist, it is created, and the CLI mode changes to the ACS TPO Policy Configuration Mode wherein the TPO policy can be configured.

If the named TPO policy already exists, the CLI mode changes to the ACS TPO Policy Configuration Mode for that TPO policy.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

IMPORTANT:

A maximum of 2048 TPO policies can be created in the active charging service.

Use this command to create/configure/delete TPO policies.

A TPO Policy contains the rules that determine which TPO profile is to be used.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-tpo-policy)#

Also see the ACS TPO Policy Configuration Mode Commands chapter.


Example:
The following command creates a TPO policy named tpo_policy_1, and enters the ACS TPO Policy Configuration Mode:
tpo policy tpo_policy_1

tpo profile

This command allows you to create/configure/delete Traffic Performance Optimization (TPO) profiles.

Platform:

ASR 5000

Product:

TPO


Privilege:

Security Administrator, Administrator


Syntax
tpo profile tpo_profile_name [ -noconfirm ]
no tpo profile tpo_profile_name
no

If previously configured, deletes the specified TPO profile from the active charging service.

tpo_profile_name

Specifies the TPO profile to add/configure/delete.

tpo_profile_name must be the name of a TPO profile, and must be an alphanumeric string of 1 through 63 characters. Each TPO profile must have a unique name.

If the named TPO profile does not exist, it is created, and the CLI mode changes to the ACS TPO Profile Configuration Mode wherein the TPO profile can be configured.

If the named TPO profile already exists, the CLI mode changes to the ACS TPO Profile Configuration Mode for that TPO profile.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

IMPORTANT:

A maximum of 2048 TPO profiles can be created in the active charging service.

Use this command to create/configure/delete TPO profiles.

A TPO profile contains the optimization configuration to be used.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-tpo-profile)#

Also see the ACS TPO Profile Configuration Mode Commands chapter.


Example:
The following command creates a TPO profile named tpo_profile_1, and enters the ACS TPO Profile Configuration Mode:
tpo profile tpo_profile_1

udr-format

This command allows you to create/configure/delete a User Data Record (UDR) format.

IMPORTANT:

A maximum of 256 UDR plus EDR formats can be configured in the active charging service.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
udr-format udr_format_name [ -noconfirm ]
no udr-format udr_format_name
no

If previously configured, deletes the specified UDR format from the active charging service.

udr_format_name

Specifies the UDR format to add/configure/delete.

udr_format_name must be the name of a UDR format, and must be an alphanumeric string of 1 through 63 characters. Each UDR format must have a unique name.

If the named UDR format does not exist, it is created, and the CLI mode changes to the UDR Format Configuration Mode wherein the UDR format can be configured.

If the named UDR format already exists, the CLI mode changes to the UDR Format Configuration Mode for that UDR format.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete a UDR format in the active charging service.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-acs-udr)#

Also see the UDR Format Configuration Mode Commands chapter.


Example:
The following command creates a UDR format named udr_format1, and enters the UDR Format Configuration Mode:
udr-format udr_format1

url-blacklisting match-method

This command allows you to specify the match method to look up URLs in the URL Blacklisting database.

Platform:

ASR 5000

Product:

CF


Privilege:

Security Administrator, Administrator


Syntax
url-blacklisting match-method { exact | generic }
default url-blacklisting match-method
default

Configures this command with its default setting.

Default: exact

exact

Specifies the exact-match method, wherein URL Blacklisting is performed only on exact match with a URL present in the URL Blacklisting database.

generic

Specifies the generic-match method, wherein URL Blacklisting is performed on a generic match with URLs present in the URL Blacklisting database.


Usage:

Use this command to set the match method to look up URLs in the URL Blacklisting database.


Example:
The following command sets the exact-match method to look up URLs in the URL Blacklisting database:
url-blacklisting match-method exact

xheader-format

This command allows you to create/configure/delete ACS extension-header (x-header) format specifications.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
xheader-format xheader_format_name [ -noconfirm ]
no xheader-format xheader_format_name
no

If previously configured, deletes the specified x-header format from the active charging service.

xheader_format_name

Specifies the x-header format to add/configure/delete.

xheader_format_name must be the name of an xheader format, and must be an alphanumeric string of 1 through 63 characters. Each x-header format must have a unique name.

If the named x-header format does not exist, it is created, and the CLI mode changes to the ACS X-header Format Configuration Mode wherein the x-header format can be configured.

If the named x-header format already exists, the CLI mode changes to the ACS X-header Format Configuration Mode for that x-header format.

-noconfirm

Specifies that the command must execute without prompting for confirmation.


Usage:

Use this command to create/configure/delete an x-header format specification in the active charging service.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-acs-xheader)#

An x-header may be specified in a charging action to be inserted into HTTP GET and POST request packets. See the xheader-insert CLI command in the ACS Charging Action Configuration Mode Commands chapter. Also see the ACS X-header Format Configuration Mode Commands chapter.


Example:
The following command creates an x-header format named test, and enters the ACS X-header Format Configuration Mode:
xheader-format test