APN Configuration Mode Commands
The Access Point Name (APN) Configuration Mode is used to create and configure APN
profiles within the current system context of a UMTS/LTE
service.
IMPORTANT:
The commands or keywords/variables
that are available are dependent on platform type, product version,
and installed license(s).
aaa
This command configures
Authentication, Authorization, and Accounting (AAA) functionality
at the Access Point Name (APN) level.
Privilege:
Security Administrator,
Administrator
Syntax
aaa { group aaa_group_name | secondary-group aaa_group_name }
default aaa { group | secondary-group aaa_group_name }
no aaa { group aaa_group_name | secondary-group }
no aaa
Disables the specified
AAA group for the specific APN.
no aaa { group | secondary-group }
- group: Uses the default AAA group.
- secondary-group: Removes the secondary AAA group from the APN’s configuration.
default aaa { group | secondary-group }
Configures the default
setting for the specified parameter.
- group: Uses the default AAA group—the one specified at the context level or in the APN template.
- secondary-group: Removes the secondary AAA group from the APN configuration.
aaa_group_name
Specifies the AAA server
group for the APN.
aaa_group_name must
be an alphanumeric string of 1 through 63 characters.
secondary-group aaa_group_name
Specifies the secondary
AAA server group for the APN.
aaa_group_name must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
configure AAA functionality at the APN level.
Instead of having a
single list of servers per context, this feature configures multiple
server groups within a context and applies individual server group
for APNs in that context. Each server group consists of a list of
AAA servers for each AAA function (accounting, authentication, charging,
etc.).
The AAA secondary server
group supports the RADIUS Fire-and-Forget feature in conjunction
with GGSN for secondary accounting (with different RADIUS accounting
group configuration) to the RADIUS servers without expecting acknowledgement
from the server, in addition to standard RADIUS accounting. This
secondary accounting will be an exact copy of all the standard RADIUS
accounting messages (RADIUS Start / Interim / Stop)
sent to the standard AAA RADIUS server.
If the same AAA group
is configured with both the aaa group aaa_group_name and
the aaa secondary-group aaa_group_name commands, then
this configuration will have no effect and secondary accounting
will not happen.
The AAA secondary server group configuration takes effect only when
used with APN accounting-mode set to radius-diameter or with mediation-acct
enabled. The RADIUS accounting triggers for both standard RADIUS
accounting and secondary accounting will be taken from the AAA group
configured with the aaa group aaa_group_name command.
Changing this configuration on the fly is not supported. Any change
to the configuration takes effect only for new calls.
Example:
The following command applies the AAA server group star1 to an APN within the specific context:
aaa group star1
access-link
Configures IP fragmentation
processing over the Access-link (PPP, GTP etc.).
Privilege:
Security Administrator,
Administrator
Syntax
access-link ip-fragmentation { normal | df-ignore | df-fragment-and-icmp-notify }
default access-link ip-fragmentation
normal
Default: Enabled
Drops the packet and
sends an ICMP unreachable message to the source of the packet. This
is the default behavior.
df-ignore
Default: Disabled
Ignores the DF (Don’t
Fragment) bit setting; fragments and forwards the packet over the access
link.
df-fragment-and-icmp-notify
Default: Disabled
Partially ignores the
DF bit; fragments and forwards the packet, but also returns an ICMP error
message to the source of the packet. The number of ICMP errors sent
like this is rate-limited to one ICMP error packet per second per
session.
Usage:
If the IP packet to
be forwarded is larger than the access-link MTU and if the DF (Don't Fragment)
bit is set for the packet, then the fragmentation behavior configured
by this command is applied. Use this command to fragment packets
even if they are larger than the access-link MTU.
Fragmentation may also
occur for other reasons, regardless of whether or not fragmentation
is performed because of one of the above reasons.
Payloads are encapsulated
within IP/UDP/GTP before being sent to the SGSN.
If that encapsulation causes the packet to exceed 1500 bytes, the
inner IP payload is fragmented (even if it's not considered too-large
by the above tests) into two payloads (if the DF bit is not set).
If the DF bit is set (and access-link ip-fragmentation normal is
configured), the system performs IP fragmentation of the entire
packet (i.e., IP fragmentation in the outer IP header) rather than fragmenting
the inner IP payload. Either way, the result is two packets, but
in one case the MS would have to perform IP reassembly while in
the other case the SGSN would have to perform reassembly.
Example:
Set fragmentation so that the DF bit is ignored and the packet is forwarded anyway by entering the following command:
access-link ip-fragmentation df-ignore
accounting-mode
Configures the protocol
to be used for PDP context accounting by this APN.
Privilege:
Security Administrator,
Administrator
Syntax
accounting-mode { gtpp | none | radius-diameter [ no-interims ] [ no-early-pdus ] }
default accounting-mode
default
Restores the command
to its default setting.
gtpp
Configures the APN to
use GPRS Tunneling Protocol Prime for accounting purposes. If used,
accounting will begin as soon as the PDP context is established.
This is the default setting. Default: Enabled
IMPORTANT:
The system’s
GTPP parameters must be configured prior to using this protocol
for accounting. Refer to the gtpp commands
in the Context Configuration Mode
Commands chapter.
none
Disables accounting
for PDP contexts using this APN.
When accounting mode
is set to none, it indicates to the GTP stack at session manager
to not generate the regular GTPP accounting triggers. Default: Disabled.
radius-diameter
Configures the APN to
use RADIUS/Diameter protocol for accounting purposes. Default: Disabled
IMPORTANT:
The system’s
RADIUS/Diameter accounting parameters must be configured
prior to using either of the protocols for accounting. Refer to
the radius/diameter commands
in the Context Configuration
Mode Commands and the AAA
Server Group Configuration Mode Commands chapters.
no-early-pdus
Configures the GGSN
to discard user traffic once the buffer is full until the RADIUS
server has returned a response to the GGSN's accounting START request
per 3GPP standards.
Configures
the GGSN to delay PDUs from/to MS until the RADIUS server
returns a response to the GGSN's accounting START request as per
3GPP standards. The GGSN buffers up to two PDUs per call. Additional
PDUs disable the queuing. On receiving the Accounting response message,
the GGSN forwards all the subsequent PDUs for that call.
IMPORTANT:
For StarOS 10.0 and
earlier releases, the system buffers up to four PDUs and queues
or discards the remaining PDUs.
IMPORTANT:
For StarOS 11.0 and
later releases, the system is configured so that none of the PDUs
are discarded.
no-interims
Disables the generation
of RADIUS interims per APN.
When configured, RADIUS
interim updates for this APN will not be sent, regardless of what is
configured in the context that is used for RADIUS accounting.
IMPORTANT:
Different CLI commands are used to disable RADIUS interims for RADIUS accounting and mediation accounting.
To disable RADIUS interims for RADIUS accounting, use the following command: accounting-mode radius-diameter no-interims.
To disable RADIUS interims for mediation accounting, use the following command: mediation-device context-name context_name no-interims.
Usage:
This command specifies
which protocol, if any, will be used to provide accounting for PDP
contexts accessing the APN profile.
When the GTPP protocol
is used, accounting messages are sent to the charging gateways (CGs)
over the Ga interface. The Ga interface and GTPP functionality are
typically configured within the system’s source context.
As specified by the standards, a CDR is not generated when a session
starts - CDRs are generated according to the interim triggers (configured
using the cc command
in the GGSN service configuration mode) and a CDR is generated when the
session ends. For interim accounting, STOP/START pairs
are sent based on configured triggers.
GTPP version 2 is always
used. However, if version 2 is not supported by the CGF, the system
reverts to using GTPP version 1. All subsequent CDRs are always
fully-qualified partial CDRs. All CDR fields are R4.
If the radius-diameter option
is used, either the RADIUS or the Diameter protocol is used as configured
in the Context Configuration mode or the AAA Server Group Configuration
mode.
If the RADIUS protocol
is used, accounting messages can be sent over a AAA interface or the
Gi to the RADIUS server. The AAA or Gi interface(s) and RADIUS functionality
are typically configured with the system’s destination
context along with the APN. RADIUS accounting begins immediately
after an IP address is allocated for the MS. Interim accounting can
be configured using the radius accounting interim interval command, which
sends INTERIM-UPDATE messages at specific intervals.
Keywords to this command
can be used in combination with each other, depending on configuration
requirements.
IMPORTANT:
If the accounting type
in the APN is set to ‘none’ then G-CDRs will not
be generated. If accounting type is left as default “GTPP” and “billing-records” are
configured in the ACS Rulebase Configuration Mode, then both G-CDRs
and eG-CDRs would be generated.
Example:
The following commands configure the APN to use the RADIUS/Diameter protocol for accounting:
accounting-mode radius-diameter
accounting-mode radius-diameter no-interims no-early-pdus
accounting-mode radius-diameter no-early-pdus no-interims
active-charging bandwidth-policy
Configures the bandwidth
policy to be used for subscribers who use this APN.
Privilege:
Security Administrator,
Administrator
Syntax
active-charging bandwidth-policy bandwidth_policy_name
{ default | no } active-charging bandwidth-policy
default
Configures the default
setting.
Default: The default
bandwidth policy configured in the rulebase is used for subscribers
who use this APN.
no
Disables bandwidth control
for the APN.
bandwidth-policy bandwidth_policy_name
Specifies the bandwidth
policy name. bandwidth_policy_name must
be an alphanumeric string from 1 through 63 characters.
Usage:
Use this command to
configure bandwidth policy to be used for subscribers who use this APN.
Example:
The following command configures a bandwidth policy named standard for the APN:
active-charging bandwidth-policy standard
active-charging link-monitor tcp
Enables the TCP link
monitoring feature on the Mobile Video Gateway. This command can
be configured in either APN Configuration Mode or Subscriber Configuration Mode.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] active-charging link-monitor tcp [ log [ rtt [ histogram | time-series ] [ bitrate [ histogram | time-series ] ] | bitrate [ histogram | time-series ] [ rtt [ histogram | time-series ] ] ] ] [ -noconfirm ]
default
Sets TCP link monitoring
to its default value, which is the same as no.
no
Deletes the TCP link
monitoring settings and disables TCP link monitoring if previously configured.
link-monitor tcp
Enables the TCP link
monitoring feature on the Mobile Video Gateway. Note that TCP link monitoring
is not enabled by default. Also note that when this command is configured
without the log option,
TCP link monitoring is enabled without logging, and the output from
TCP link monitoring is only used by the dynamic translating feature.
log [ rtt [ histogram | time-series ] [ bitrate [ histogram | time-series ] ] | bitrate [ histogram | time-series ] [ rtt [ histogram | time-series ] ] ]
This option enables
statistical logging for TCP link monitoring.
The rtt option
can be used to enable either histogram or time-series logging
for RTT.
Similarly, the bitrate option
can be used to enable either histogram or time-series logging
for bit rate.
When rtt and bitrate options
are used without additional options, histogram and time-series logging
are enabled for RTT and/or bit rate respectively.
-noconfirm
Specifies that the
command must execute without prompting for confirmation.
Usage:
Use this command to
enable TCP link monitoring on the Mobile Video Gateway.
Examples:
The following command enables TCP link monitoring with statistical logging, with histogram and time-series logging enabled for both RTT and bit rate:
active-charging link-monitor tcp log
The following command enables TCP link monitoring with statistical logging, with histogram and time-series logging enabled for RTT:
active-charging link-monitor tcp log rtt
The following command enables TCP link monitoring with statistical logging, with histogram logging enabled for RTT:
active-charging link-monitor tcp log rtt histogram
The following command enables TCP link monitoring with statistical logging, with histogram logging enabled for RTT and time-series logging enabled for bit rate:
active-charging link-monitor tcp log rtt histogram bitrate time-series
active-charging rulebase
Specifies the name of
the Active Charging Service (ACS) rulebase to be used for subscribers
who use this APN.
Privilege:
Security Administrator,
Administrator
Syntax
active-charging rulebase rulebase_name
no active-charging rulebase
no
Removes the rulebase
previously configured for this APN.
rulebase_name
Specifies the name of
the ACS rulebase as an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
specify the ACS rulebase to be used for subscribers who use the APN.
Example:
The following command specifies the ACS rulebase named rule1 for the APN:
active-charging rulebase rule1
apn-ambr
Configures
the Aggregated Maximum Bit Rate (AMBR) for all PDNs using this APN.
Syntax
apn-ambr rate-limit direction { downlink | uplink } [ burst-size { auto-readjust duration seconds | bytes } | violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit } ]
[ default | no ] apn-ambr rate-limit direction { downlink | uplink }
default
Returns the selected
command to its default setting of no APN-AMBR.
no
Disables the selected
command.
rate-limit direction { downlink | uplink }
Specifies that the
rate limit is to be applied to either the downlink (network to subscriber) traffic
or the uplink (subscriber to network) traffic.
downlink:
Applies the AMBR parameters to the downlink direction.
uplink:
Applies the AMBR parameters to the uplink direction.
burst-size { auto-readjust duration seconds | bytes }
This parameter is
used by policing and shaping algorithms to permit short bursts of
traffic in order to not exceed the allowed data rates. It is the
maximum size of the token bucket.
auto-readjust duration seconds:
The duration (in seconds) used in this burst size calculation:
burst size = peak data rate/8 * auto-readjust duration
seconds must be an integer value from 1 to 30. Default is 1 second.
bytes: Specifies the burst size in bytes allowed by this APN for the associated PDNs.
It must be an integer from 1 to 4294967295 (1 byte to 4 GB).
violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit }
The action that the
P-GW will take when the data rate of the bearer context exceeds
the AMBR.
drop: Drops
violating packets.
lower-ip-precedence:
Sets the DSCP value to zero (“best effort”) for
violating packets.
shape [ transmit-when-buffer-full ]:
Places all violating packets into a buffer and, optionally, transmits
the packets when the buffer is full.
IMPORTANT:
The shape keyword
and optional transmit-when-buffer-full are
only available in StarOS v12.0 and earlier releases. P-GW does not
currently support traffic shaping for APN-AMBR.
transmit:
Transmits violating packets. This is the default setting.
Usage:
Use this command to
enforce the AMBR for the APN on bearers that do not have a Guaranteed
Bit Rate (GBR).
Example:
The following command sets the downlink burst rate to use an auto-readjust duration of 2 seconds and lowers the IP precedence of violating packets:
apn-ambr rate-limit direction downlink burst-size auto-readjust duration 2 violate-action lower-ip-precedence
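The token bucket behind burst-size and violate-action can be modelled in a few lines. The following is an added example, not code from StarOS or from the original documentation: it computes the burst size with the formula above and applies the drop, lower-ip-precedence and transmit actions to constructed traffic. It assumes the peak data rate is given in bits per second and that violating packets do not consume tokens; the class and function names are hypothetical.

```python
from dataclasses import dataclass


def burst_size_bytes(peak_rate_bps, auto_readjust_seconds=1):
    """Page formula: burst size = peak data rate / 8 * auto-readjust duration."""
    if not 1 <= auto_readjust_seconds <= 30:
        raise ValueError("auto-readjust duration must be 1..30 seconds")
    return peak_rate_bps // 8 * auto_readjust_seconds


@dataclass
class Verdict:
    forwarded: bool   # False only when the packet is dropped
    dscp: int         # DSCP the packet leaves with
    conforming: bool  # True if the bucket held enough tokens


class AmbrPolicer:
    """Single-rate token bucket; the bucket depth is the burst size."""
    ACTIONS = ("drop", "lower-ip-precedence", "transmit")

    def __init__(self, rate_bps, burst_bytes, violate_action="transmit"):
        if violate_action not in self.ACTIONS:
            raise ValueError(f"unsupported violate-action: {violate_action}")
        if not 1 <= burst_bytes <= 4294967295:
            raise ValueError("burst size must be 1..4294967295 bytes")
        self.rate_bytes_per_s = rate_bps / 8
        self.burst = burst_bytes
        self.action = violate_action
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def offer(self, now, size, dscp):
        # Refill for the elapsed time, never beyond the bucket depth.
        refill = (now - self.last) * self.rate_bytes_per_s
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return Verdict(True, dscp, True)
        # Violating packet: tokens are left untouched (modelling assumption).
        if self.action == "drop":
            return Verdict(False, dscp, False)
        if self.action == "lower-ip-precedence":
            return Verdict(True, 0, False)   # DSCP zero, "best effort"
        return Verdict(True, dscp, False)    # transmit (the default)


# Constructed traffic: (arrival time in s, size in bytes, DSCP).
TRAFFIC = [(0.0, 1000, 46), (0.0, 1000, 46), (0.0, 1000, 46),
           (0.0, 1000, 46), (0.5, 1000, 46), (3.0, 1000, 46)]
RATE_BPS = 8000  # constructed AMBR of 8 kbit/s, i.e. 1000 bytes/s


def simulate(violate_action, auto_readjust_seconds):
    burst = burst_size_bytes(RATE_BPS, auto_readjust_seconds)
    policer = AmbrPolicer(RATE_BPS, burst, violate_action)
    return [policer.offer(t, size, dscp) for t, size, dscp in TRAFFIC]


if __name__ == "__main__":
    for action, secs in (("lower-ip-precedence", 2), ("drop", 1)):
        print(action, secs)
        for (t, size, _), v in zip(TRAFFIC, simulate(action, secs)):
            print(f"  t={t:>3}s {size}B conforming={v.conforming} "
                  f"forwarded={v.forwarded} dscp={v.dscp}")
```

With a 2-second auto-readjust duration the bucket absorbs two back-to-back packets before the violate-action applies; with the default of 1 second it absorbs one.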
associate accounting-policy
Associates the APN with
specific pre-configured policies configured in the same context.
Syntax
[ no ] associate accounting-policy name
no
Removes the selected
association from this APN.
name
Associates the P-GW
APN with an accounting policy configured in the same context. name must
be an existing accounting policy expressed as a string of 1 through
63 characters.
Accounting policies
are configured through the policy accounting command
in the Context Configuration mode.
Usage:
Use this command to
associate the P-GW APN with an accounting policy configured in this
context.
Example:
The following command associates this P-GW APN with an accounting policy called acct1:
associate accounting-policy acct1
authentication
Configures the APN’s
authentication parameters.
Privilege:
Security Administrator,
Administrator
Syntax
authentication [ [ msid-auth | imsi-auth [ password-use-pco | username-strip-apn | prefer-chap-pco ] | msisdn-auth [ password-use-pco | username-strip-apn | prefer-chap-pco ] | eap initial-access-request [ authenticate-authorize | authenticate-only ] | [ allow-noauth ] [ chap preference ] [ mschap preference ] [ pap preference ] ]
default authentication
default
Sets the default authentication
type for this APN. By default allow-noauth is
the type for authentication for an APN.
msid-auth
Obsolete. Use imsi-auth.
imsi-auth
Default: Disabled.
Configures the APN to
attempt to authenticate the subscriber based on their International Mobile
Subscriber Identification (IMSI) number.
msisdn-auth
Default: Disabled.
Configures the APN to
attempt to authenticate the subscriber based on their Mobile Station International
Integrated Services Digital Network (MSISDN) number as described
in the Usage section
of this command.
username-strip-apn
Default: Disabled.
If enabled with either msisdn-auth or imsi-auth, this keyword strips
the APN name from the user name msisdn@apn or imsi@apn received
from AAA, making the user name msisdn or imsi respectively.
password-use-pco
Default: Disabled.
This keyword, if enabled,
uses the password received through Protocol Configuration Options
(PCO) from AAA for authentication.
prefer-chap-pco
Default: Disabled.
If this keyword is enabled along
with msisdn-auth/imsi-auth, the GGSN performs Challenge Handshake
Authentication Protocol (CHAP) authentication if CHAP parameters
are received in Protocol Configuration Options (PCO). In that case the CHAP
username is constructed as msisdn@apn / imsi@apn, and the CHAP
challenge and CHAP response parameters are used as received in the
PCO IE. If CHAP parameters are not
received in the PCO IE of the CPC Request, the GGSN performs normal Password
Authentication Protocol (PAP) authentication with the PAP username msisdn@apn / imsi@apn (ignoring
any PAP username if received).
eap initial-access-request
Default: Enabled
Configures the type
of initial access request to be used in Diameter EAP (Extensible Authentication
Protocol) request. This feature is applicable to only Diameter-based
AAA interface and not applicable to RADIUS or any other type of
AAA interface.
authenticate-authorize
Default: Enabled
Configures the “authenticate
and authorize” type of initial access request to be used
in a Diameter EAP request.
authenticate-only
Default: Disabled
Configures the “authenticate
only” type of initial access request to be used in a Diameter EAP
request.
allow-noauth
Default: Enabled
Configures the APN to
not perform authentication for PDP contexts as described in the Usage section.
chap preference
Default: Disabled
Configures the APN to
attempt to use CHAP to authenticate the subscriber as described
in the Usage section
of this command.
A preference must
be specified in conjunction with this option. Priorities specify
which authentication protocol should be attempted first, second,
third and so on. It must be an integer from 1 through 1000. The
lower the integer, the higher the preference.
mschap preference
Default: Disabled
Configures the APN to
attempt to use the Microsoft Challenge Handshake Authentication Protocol
(MSCHAP) to authenticate the subscriber as described in the Usage section
of this command.
A preference can
be specified in conjunction with this option. Priorities specify
which authentication protocol should be attempted first, second,
third and so on. It must be an integer from 1 through 1000. The
lower the integer, the higher the preference.
pap preference
Default: Disabled
Configures the APN to
attempt to use PAP to authenticate the subscriber as described in
the Usage section
of this command.
A preference must
be specified in conjunction with this option. Priorities specify
which authentication protocol should be attempted first, second,
third and so on. It must be an integer from 1 through 1000. The
lower the integer, the higher the preference.
Usage:
Use this command to
specify how the APN profile should handle PDP context authentication
and what protocols to use (if any). The ability to configure this
option is provided to accommodate the fact that not every MS will
implement the same authentication protocols.
The authentication process
varies depending on whether the PDP context is of type IP or PPP.
The table in this section describes these differences.
For IP PDP contexts,
the authentication protocol and values will be passed from the SGSN as
Protocol Configuration Options (PCOs) within the create PDP context
PDU to the GGSN. The GGSN requires that the authentication protocol
is specified by this command (with no regard to priority) and will
use this information to authenticate the subscriber.
Table 1. Authentication Process Variances Between PDP Context Type
Authentication Mechanism | IP PDP Context Behavior | PPP PDP Context Behavior
allow-noauth | Allows the session even if the PCOs do not match any of the configured algorithms. If there was no match and the aaa constructed-nai authentication parameter is enabled in the authentication context, the system attempts to determine a subscriber profile (via PAP with no password) using the subscriber’s MSISDN as the username. | Allows the session with no authentication algorithm selected. If the aaa constructed-nai authentication parameter is enabled in the authentication context, the system attempts to determine a subscriber profile (via PAP with no password) using the subscriber’s MSISDN as the username.
chap | If also specified in the PCOs, this protocol will be used to authenticate the subscriber. | Attempts this protocol according to its configured priority. If accepted by the remote end of the PPP connection, this protocol will be used to provide authentication.
mschap | If also specified in the PCOs, this protocol will be used to authenticate the subscriber. | Attempts this protocol according to its configured priority. If accepted by the remote end of the PPP connection, this protocol will be used to provide authentication.
pap | If also specified in the PCOs, this protocol will be used to authenticate the subscriber. If this protocol is specified and the allow-noauth parameter is disabled, the system will attempt to use the APN’s default username/password specified by the outbound command for authentication via PAP. | Attempts this protocol according to its configured priority. If accepted by the remote end of the PPP connection, this protocol will be used to provide authentication.
msid-auth | Obsolete. Use imsi-auth. | Obsolete. Use imsi-auth.
imsi-auth | Values in the PCOs are ignored. The subscriber’s IMSI is used as the username for PAP authentication. No password is used. | The subscriber’s IMSI is used as the username for PAP authentication. No password is used.
msisdn-auth | Values in the PCOs are ignored. The subscriber’s MSISDN is used as the username for PAP authentication. No password is used. | Option not available.
Example:
The following command would configure the system to attempt subscriber authentication first
using MSCHAP, then CHAP, and finally PAP. Since the allow-noauth keyword
was also issued, if all attempts to authenticate the subscriber using
these protocols fail, then the subscriber would still be allowed
access.
authentication mschap 1 chap 2 pap 3 allow-noauth
To enable imsi-auth or msisdn-auth, the following command instances must be issued:
authentication imsi-auth
authentication msisdn-auth
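Several settings in the aaa, accounting-mode and authentication sections interact in ways that are easy to miss when reviewing a configuration. The following is an added example, not part of the original documentation or of StarOS: a small audit that flags those interactions in APN blocks. The sample configuration is constructed; the "apn <name>" ... "exit" layout, the treatment of a mediation-device line as mediation accounting being enabled, and the finding names are assumptions.

```python
import re

# Constructed sample configuration (not taken from a real system).
SAMPLE_CONFIG = """\
context destination
  apn internet.example
    accounting-mode radius-diameter
    aaa group star1
    aaa secondary-group star1
    authentication mschap 1 chap 2 pap 3 allow-noauth
  exit
  apn corp.example
    aaa group star1
    aaa secondary-group star2
    authentication chap 1 pap 2
  exit
  apn iot.example
    accounting-mode none
    authentication imsi-auth
  exit
  apn legacy.example
    accounting-mode gtpp
  exit
exit
"""


def parse_apns(text):
    """Return {apn_name: [command lines]} for every 'apn <name>' block."""
    apns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"apn\s+(\S+)", line)
        if match:
            current = apns.setdefault(match.group(1), [])
        elif line == "exit":
            current = None
        elif current is not None and line:
            current.append(line)
    return apns


def audit_apn(lines):
    """Return the sorted finding codes for one APN's command lines."""
    group = secondary = None
    acct = ["gtpp"]          # page: gtpp is the default accounting mode
    auth = ["allow-noauth"]  # page: allow-noauth is the default
    mediation = False
    for line in lines:
        tok = line.split()
        if tok[:2] == ["aaa", "group"] and len(tok) == 3:
            group = tok[2]
        elif tok[:2] == ["aaa", "secondary-group"] and len(tok) == 3:
            secondary = tok[2]
        elif tok[0] == "accounting-mode" and len(tok) > 1:
            acct = tok[1:]
        elif tok[0] == "authentication" and len(tok) > 1:
            auth = tok[1:]
        elif tok[0] == "mediation-device":
            mediation = True  # assumption: this line means mediation accounting
    findings = set()
    if secondary is not None:
        # Same group in both roles: secondary accounting will not happen.
        if secondary == group:
            findings.add("SECONDARY_SAME_AS_PRIMARY")
        # Secondary group only takes effect with radius-diameter or mediation.
        if acct[0] != "radius-diameter" and not mediation:
            findings.add("SECONDARY_INACTIVE")
    if acct[0] == "none":
        findings.add("ACCOUNTING_DISABLED")    # no G-CDRs are generated
    if "allow-noauth" in auth:
        findings.add("NOAUTH_ALLOWED")         # session allowed unauthenticated
    if {"imsi-auth", "msisdn-auth"} & set(auth) and "password-use-pco" not in auth:
        findings.add("PAP_WITHOUT_PASSWORD")   # identifier as username, no password
    return sorted(findings)


def audit_config(text):
    return {name: audit_apn(lines) for name, lines in parse_apns(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

An APN with no authentication line is reported as NOAUTH_ALLOWED because allow-noauth is the documented default.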
bearer-control-mode
Enables or disables
the bearer control mode for network controlled QoS (NCQoS) through
this APN. It also controls the sending of an IE in GTP messages.
Privilege:
Security Administrator,
Administrator
Syntax
bearer-control-mode [ mixed | ms-only | none [ prefer-local-value ] ]
default bearer-control-mode
default
Sets the bearer control
mode to default mode of “none”.
mixed
Default: Disabled.
This keyword indicates
that the bearer will be controlled by User Equipment (UE) and network
side (from GGSN) as well.
To enable network controlled
QoS this option must be enabled.
ms-only
Default: Disabled.
This keyword indicates
that the bearer will be controlled by the UE side.
none
Default: Enabled.
This keyword indicates
that the system will not send any BCM mode information, BCM IE and
BCM information in the protocol configuration option (PCO) IE within
GTPC messages sent by the GGSN. This option is useful in networks
where AGWs or firewalls do not support unknown optional IEs in GTP
messages.
prefer-local-value
Default: Disabled.
This keyword indicates
that the APN configured with “none” option for
bearer control mode will not be overridden by any other interface
(e.g. Gx interface towards PCRF). As a result it is ensured that
BCM IE is never sent in GTP message.
IMPORTANT:
When bearer control
mode is set to “none” with the keyword “prefer-local-value”,
even PCRF-provided values will not override the APN configuration, and therefore
sending of the BCM mode IE and BCM in the PCO IE in the CPC Response is suppressed.
Usage:
Use this command to
enable the QoS through bearer control. This can be done either through
the MS side or from both the GGSN and MS. To enable network requested
QoS, the user needs to enable “Mixed” mode for bearer
control.
With this keyword the
operator can control sending of BCM information in GTPC messages
from the GGSN.
With MS-Only or Mixed
options in this mode, the system sends the BCM information element
in every Create PDP Context Response and Unknown PDP Context Request
and Response message.
In some networks AGWs/Firewall
drop/reject GTPC messages if there is an Unknown optional
IE. To resolve this, the operator can use the “none” option
to control sending of BCM IE and BCM information in the PCO IE within
GTPC messages from the GGSN.
Example:
The following command
enables the bearer control from network and MS side for NCQoS.
bearer-control-mode mixed
cc-home
Configures the home
subscriber charging characteristics (CC) used by the GGSN when those
from the SGSN will not be accepted.
Privilege:
Security Administrator,
Administrator
Syntax
cc-home { behavior bits | profile index }
default cc-home
default
Restores the cc-home
parameter to its default setting of the following:
- behavior bits: 0x00
- profile index: 8
behavior bits
Specifies the behavior
bit for the home subscriber charging characteristic. bits can be
configured to any unique bit from 001H to FFFH (0001 to 1111 1111
1111 bin) where the least-significant bit corresponds to B1 and
the most-significant bit corresponds to B12.
profile index
Specifies the profile
index for the home subscriber charging characteristic. index can
be configured to any integer value between 0 and 15. Default: 8
IMPORTANT:
3GPP standards suggest
that profile index values of 1, 2, 4, and 8 be used for hot billing,
flat rate billing, prepaid billing and normal billing, respectively.
A single charging characteristics profile can contain multiple behavior
settings.
Usage:
When the GGSN is configured
to reject the charging characteristics sent by the SGSN for “home” subscribers,
it uses the profile index specified by this command to determine
the appropriate CCs to use.
Multiple behavior bits
can be configured for a single profile index by ORing the bit strings together
and converting the result to hexadecimal.
The properties of the
actual CC profile index are configured as part of the GGSN service using
the cc profile command.
Refer to the GGSN Service Configuration
Mode chapter of this reference for additional information on
this command.
Example:
The following command configures a behavior bit of 2 (0000 0000 0010) and a profile index of 10 for home subscriber charging characteristics:
cc-home behavior 2 profile 10
The following command configures the behavior bits 3 (0000 0000 0100) and 5 (0000 0001 0000 bin) and a profile index of 14 for home subscriber charging characteristics:
cc-home behavior 14 profile 14
cc-roaming
Configures the roaming
subscriber charging characteristics (CC) used by the GGSN when those
from the SGSN will not be accepted.
Privilege:
Security Administrator,
Administrator
Syntax
cc-roaming { behavior bits | profile index }
default cc-roaming
default
Restores the cc-roaming
parameter to its default setting of the following:
- behavior bits: 0x00
- profile index: 8
behavior bits
Specifies the behavior
bit for the roaming subscriber charging characteristic. bits can be
configured to any unique bit from 001H to FFFH (0001 to 1111 1111
1111 bin) where the least-significant bit corresponds to B1 and
the most-significant bit corresponds to B12.
profile index
Specifies the profile
index for the roaming subscriber charging characteristic. index can
be configured to any integer value between 0 and 15. Default: 8
IMPORTANT:
3GPP standards suggest
that profile index values of 1, 2, 4, and 8 be used for hot billing,
flat rate billing, prepaid billing and normal billing, respectively.
A single charging characteristics profile can contain multiple behavior
settings.
Usage:
When the GGSN is configured
to reject the charging characteristics sent by the SGSN for “roaming” subscribers,
it uses the profile index specified by this command to determine
the appropriate CCs to use.
Multiple behavior bits
can be configured for a single profile index by ORing the bit strings together
and converting the result to hexadecimal.
The properties of the
actual CC profile index are configured as part of the GGSN service using
the cc profile command. Refer to the GGSN Service Configuration
Mode chapter of this reference for additional information on this
command.
Example:
The following command configures a behavior bit 10 (0010 0000 0000) and a profile index of 10 for roaming subscriber charging characteristics:
cc-roaming behavior 200 profile 10
The following command configures the behavior bits 9 (0001 0000 0000) and 6 (0000 0010 0000) and a profile index of 14 for roaming subscriber charging characteristics:
cc-roaming behavior 120 profile 14
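The ORing step described for cc-home and cc-roaming is where transcription errors creep in, because the behavior value is entered in hexadecimal while the bits are numbered B1 through B12. The following is an added example, not part of the original documentation: a helper that builds the behavior value from bit numbers, decodes a value back into bit numbers for review, and renders the command line. The function names are hypothetical.

```python
def behavior_value(bit_numbers):
    """OR behavior bits B1..B12 together and return the hexadecimal value."""
    mask = 0
    for bit in bit_numbers:
        if not 1 <= bit <= 12:
            raise ValueError(f"behavior bit B{bit} is outside B1..B12")
        mask |= 1 << (bit - 1)   # B1 is the least-significant bit
    if mask == 0:
        raise ValueError("at least one behavior bit is required")
    return format(mask, "X")


def behavior_bits(hex_value):
    """Decode a configured behavior value back into its bit numbers."""
    mask = int(hex_value, 16)
    if not 0x001 <= mask <= 0xFFF:
        raise ValueError("behavior value must be 001H..FFFH")
    return [bit for bit in range(1, 13) if mask & (1 << (bit - 1))]


def cc_command(scope, bit_numbers, profile_index):
    """Render a cc-home / cc-roaming line in the form used by the examples."""
    if scope not in ("home", "roaming"):
        raise ValueError("scope must be 'home' or 'roaming'")
    if not 0 <= profile_index <= 15:
        raise ValueError("profile index must be 0..15")
    return (f"cc-{scope} behavior {behavior_value(bit_numbers)} "
            f"profile {profile_index}")


if __name__ == "__main__":
    # The four examples from the cc-home and cc-roaming sections.
    print(cc_command("home", [2], 10))
    print(cc_command("home", [3, 5], 14))
    print(cc_command("roaming", [10], 10))
    print(cc_command("roaming", [9, 6], 14))
    # Reviewing an existing line: which bits does "behavior 120" set?
    print(behavior_bits("120"))
```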
cc-sgsn
Specifies the GGSN’s
source for charging characteristics (CC) - those configured locally
or those received from the SGSN.
Privilege:
Security Administrator,
Administrator
Syntax
cc-sgsn { home-subscriber-use-GGSN | radius-returned | roaming-subscriber-use-GGSN | visiting-subscriber-use-GGSN } +
cc-sgsn { use-GGSN behavior bits profile index[ 0...15 ] [ radius-returned ] }
default cc-sgsn
no cc-sgsn { { radius-returned | home-subscriber-use-GGSN | roaming-subscriber-use-GGSN | visiting-subscriber-use-GGSN } + | [ use-GGSN ] [ radius-returned ] }
default cc-sgsn
Restores the cc-sgsn
parameter to its default setting of the following:
- home-subscriber-use-GGSN: Disabled
- roaming-subscriber-use-GGSN:
Disabled
- visiting-subscriber-use-GGSN: Disabled
no cc-sgsn
Causes the GGSN to accept
CCs from the SGSN(s) when the
no cc-sgsn command
is entered with all applicable keywords. Otherwise,
no cc-sgsn can
be used to turn off one or more of the GGSN sources of CC.
- roaming-subscriber-use-GGSN
- home-subscriber-use-GGSN
- roaming-subscriber-use-GGSN
- visiting-subscriber-use-GGSN
Before entering no cc-sgsn,
it is helpful to determine which CC sources have been configured.
This can be done with either show configuration or show apn name in
Exec Mode.
home-subscriber-use-GGSN
Configures the GGSN
to use the locally defined charging characteristics for home subscribers,
as configured with the APN Configuration Mode cc-home command.
radius-returned
Configures the GGSN
to accept charging characteristics returned from the RADIUS server for
all subscribers for the APN.
roaming-subscriber-use-GGSN
Configures the GGSN
to use the locally defined charging characteristics for roaming subscribers,
as configured with the APN Configuration Mode cc-roaming command.
visiting-subscriber-use-GGSN
Configures the GGSN
to use the locally defined charging characteristics for visiting subscribers,
as configured with the APN Configuration Mode cc-visiting command.
use-GGSN [ behavior bits ] profile index[ 0...15 ]
Configures the GGSN
to accept charging characteristics for all subscribers in the APN.
bits specifies
the behavior bit for the charging characteristic. This variable
can be configured to any unique bit from 001H to FFFH (0001 to 1111
1111 1111 bin) where the least-significant bit corresponds to B1
and the most-significant bit corresponds to B12.
index indicates
which profile defined with cc profile in
GGSN Service Configuration mode, the GGSN will use as a source for
CCs. The index can be configured to an integer from 0 to 15.
The use-GGSN keyword
can be entered alone or in conjunction with the radius-returned keyword.
When entered, this keyword overrides the previous configuration
using any of the home, roaming, and/or visiting keywords.
+
More than one of the
above keywords can be entered within a single command.
Usage:
This command specifies
whether or not CCs received from the SGSN will be accepted. If they
are not accepted, the GGSN will use those that have been configured
locally.
The GGSN’s
behavior can be configured for the following subscriber types:
- Home: Subscribers
belonging to the same Public Land Mobile Network (PLMN) as the one
on which the GGSN is located.
- Roaming: Subscribers
that are serviced by an SGSN belonging to a different PLMN than
the one on which the GGSN is located.
- Visiting: Subscribers
belonging to a different PLMN than the one on which the GGSN is
located.
- Any subscriber in the
APN.
Example:
The following command
instructs the GGSN to accept CCs for any subscriber in the APN based
on local profile configurations of CCs.
cc-sgsn use-GGSN profile x
Assuming the CC source
as defined with the previous command, the following command instructs
the GGSN to accept CCs supplied by the SGSN(s) and disables the
acceptance of CCs supplied by the GGSN for any subscriber within
the APN:
no cc-sgsn use-GGSN
The following command
instructs the GGSN to accept CCs for any subscriber in the APN based
on CC information returned from the RADIUS server. This command
can be issued after the previous command to expand the possible
sources.
cc-sgsn radius-returned
The following command
disables the acceptance of CCs supplied by the GGSN for visiting and
roaming subscribers:
no cc-sgsn roaming-subscriber-use-GGSN visiting-subscriber-use-GGSN
cc-visiting
Configures the visiting
subscriber charging characteristics (CC) used by the GGSN when those
from the SGSN will not be accepted.
Privilege:
Security Administrator,
Administrator
Syntax
cc-visiting behavior bits profile index
default cc-visiting
default
Restores the cc-visiting
parameter to its default setting of the following:
- behavior bits: 0x00
- profile index: 8
behavior bits
Specifies the behavior
bit for the visiting subscriber charging characteristic. bits can be
configured to any unique bit from 001H to FFFH (0001 to 1111 1111
1111 bin) where the least-significant bit corresponds to B1 and
the most-significant bit corresponds to B12.
profile index
Specifies the profile
index for the visiting subscriber charging characteristic. index can
be configured to any integer value between 0 and 15. Default: 8
IMPORTANT:
3GPP standards suggest
that profile index values of 1, 2, 4, and 8 be used for hot billing,
flat rate billing, prepaid billing and normal billing, respectively.
A single charging characteristics profile can contain multiple behavior
settings.
Usage:
When the GGSN is configured
to reject the charging characteristics sent by the SGSN for “visiting” subscribers,
it uses the profile index specified by this command to determine
the appropriate CCs to use.
Multiple behavior bits
can be configured for a single profile index by ORing the bit strings together
and converting the result to hexadecimal.
The properties of the
actual CC profile index are configured as part of the GGSN service using
the cc profile command. Refer to the GGSN Service Configuration
Mode chapter of this reference for additional information on this
command.
Example:
The following command
configures a behavior bit 7 (0000 0100 0000) and a profile index
of 10 for visiting subscriber charging characteristics:
cc-visiting behavior 40 profile 10
The following command
configures the behavior bits 1 (0000 0000 0001) and 12 (1000 0000 0000)
and a profile index of 14 for visiting subscriber charging characteristics:
cc-visiting behavior 801 profile 14
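The behavior value in cc-roaming and cc-visiting is hexadecimal, so a value such as 120 means bits B6 and B9, not decimal one hundred twenty. The following added example (not part of the original reference, not Cisco code) encodes and decodes the value and checks the lines shown in the examples above; the function names are hypothetical.

```python
import re

MAX_BIT = 12                 # behavior bits run from B1 (LSB) to B12 (MSB)
PROFILE_INDEXES = range(16)  # profile index is an integer from 0 to 15

# Only the two commands whose syntax appears in this section are accepted.
CC_LINE = re.compile(
    r"^(cc-roaming|cc-visiting)\s+behavior\s+([0-9A-Fa-f]{1,3})\s+profile\s+(\d+)$"
)


def encode_behavior(bits):
    """OR behavior bit numbers (1..12) together and return the hex string."""
    value = 0
    for bit in bits:
        if not 1 <= bit <= MAX_BIT:
            raise ValueError(f"behavior bit B{bit} is outside B1..B{MAX_BIT}")
        value |= 1 << (bit - 1)          # B1 is the least-significant bit
    return format(value, "X")


def decode_behavior(hex_text):
    """Return the sorted list of bit numbers set in a hex behavior value."""
    value = int(hex_text, 16)
    if not 0 <= value <= 0xFFF:
        raise ValueError(f"behavior value {hex_text!r} is outside 000H..FFFH")
    return [bit for bit in range(1, MAX_BIT + 1) if value & (1 << (bit - 1))]


def parse_cc_line(line):
    """Parse one cc-roaming / cc-visiting line and validate its ranges."""
    match = CC_LINE.match(line.strip())
    if match is None:
        raise ValueError(f"not a cc-roaming/cc-visiting line: {line!r}")
    command, hex_text, index_text = match.groups()
    index = int(index_text)
    if index not in PROFILE_INDEXES:
        raise ValueError(f"profile index {index} is outside 0..15")
    return {
        "command": command,
        "behavior": hex_text.upper(),
        "bits": decode_behavior(hex_text),
        "profile": index,
    }


def build_cc_line(command, bits, profile):
    """Build a command line from bit numbers, then re-parse it as a check."""
    line = f"{command} behavior {encode_behavior(bits)} profile {profile}"
    parse_cc_line(line)                  # raises on a bad command or index
    return line


if __name__ == "__main__":
    # The four example lines from this section of the reference.
    for example in (
        "cc-roaming behavior 200 profile 10",
        "cc-roaming behavior 120 profile 14",
        "cc-visiting behavior 40 profile 10",
        "cc-visiting behavior 801 profile 14",
    ):
        parsed = parse_cc_line(example)
        print(example, "-> bits", parsed["bits"], "profile", parsed["profile"])
```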
content-filtering category
Enables or disables
the specified pre-configured Category Policy Identifier for Category-based
Content Filtering support.
Privilege:
Security Administrator,
Administrator
Syntax
content-filtering category policy-id cf_policy_id
no content-filtering category policy-id
no
Disables the previously
configured category policy identifier for Content Filtering support
to the APN. This is the default setting.
policy-id cf_policy_id
Applies the specified
content filtering category policy ID, configured in the ACS Configuration
Mode, to this APN.
cf_policy_id must
be a category policy ID entered as an integer from 1 through 4294967295.
If the specified category
policy ID is not configured in the ACS Configuration Mode, all packets
will be passed regardless of the categories determined for such
packets.
IMPORTANT:
Category Policy ID configured
through this mode overrides the Category Policy ID configured through content-filtering category
policy-id command in the ACS Rulebase Configuration Mode.
Usage:
Use this command to
enter the Content Filtering Policy Configuration Mode and to enable or
disable the Content Filtering Category Policy ID for an APN.
IMPORTANT:
If Content Filtering
Category Policy ID is not specified here the similar command in
the ACS Rulebase Configuration Mode determines the policy.
Up to 64 different policy
IDs can be defined.
Example:
The following command
enters the Content Filtering Policy Configuration Mode and enables
the Category Policy ID
101 for
Content Filtering support:
content-filtering category policy-id 101
credit-control-group
Configures the credit
control group to be used for subscribers who use this APN.
Privilege:
Security Administrator,
Administrator
Syntax
credit-control-group cc_group_name
no credit-control-group
no
Removes the previously
configured credit control group from the APN configuration.
cc_group_name
Specifies name of the
credit control group as an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
configure the credit control group for this APN.
Creating different credit
control groups enables applying different credit control configurations
(DCCA dictionary, failure-handling, session-failover, Diameter endpoint selection,
etc.) to different subscribers on the same system.
Without credit control
groups, only one credit control configuration is possible on a system.
All the subscribers in the system will have to use the same configuration.
Example:
The following command
configures a credit control group named
testgroup12 for
the current APN:
credit-control-group testgroup12
data-tunnel mtu
Configures the Maximum
Transmission Unit (MTU) for data sent on the IPv6 tunnel between
the P-GW and the mobile node.
Syntax
data-tunnel mtu bytes
default data-tunnel mtu
default
Returns the command
to the default value of 1500.
bytes
Specifies the MTU for
the IPv6 tunnel between the P-GW and the mobile node. bytes must
be an integer between 1280 and 2000. Default: 1500
Usage:
Use this command to
set the MTU for data traffic on the IPv6 tunnel between the P-GW and
the mobile node.
Example:
The following command
sets the MTU for IPv6 data traffic to
1400 bytes:
data-tunnel mtu 1400
data-tunneling ignore df-bit
Controls the handling
of the DF (Don't Fragment) bit present in the user IPv4/IPv6
packet for tunneling used for the Mobile IP data path.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] data-tunneling ignore df-bit
default
Restores the data-tunneling
parameter to its default setting of disabled.
no
Disables this option.
The DF bit in the tunneled IP packet header is not ignored during tunneling.
This is the default setting.
ignore df-bit
Ignores the DF bit in
the tunneled IP packet header during tunneling. This is the default setting.
Usage:
Use this command to
configure a user so that during Mobile IP tunneling the DF bit is ignored
and packets are fragmented.
If this feature is enabled,
and fragmentation is required for the tunneled user IPv4/IPv6 packet,
then the DF bit is ignored and the packet is fragmented. Also the
DF bit is not copied to the outer header.
In the GGSN, this command
also affects the other L3 tunneling options, IP-in-IP and GRE, but
does not affect L2TP tunneling.
Example:
To enable fragmentation
of a subscriber's packets over a MIP tunnel even when the DF bit
is present, enter the following command:
data-tunneling ignore df-bit
dcca origin endpoint
This command is obsolete.
To configure the Diameter Credit Control Origin Endpoint, in the
Credit Control Configuration Mode, use the diameter origin endpoint command.
dcca peer-select
Specifies the Diameter
credit control primary and secondary host for credit control.
Privilege:
Security Administrator,
Administrator
Syntax
dcca peer-select peer host_name [ realm realm_name ] [ secondary-peer host_name ]
no dcca peer-select
no
Removes the previously
configured Diameter credit control peer selection.
host_name
Specifies a unique name
for the peer as an alphanumeric string of 1 through 63 characters that
allows punctuation marks.
realm realm_name
Specifies the realm as
an alphanumeric string of 1 through 127 characters that allows punctuation
marks. The realm may typically be a company or service name.
secondary-peer host_name
Specifies a back-up
host that is used for fail-over processing as an alphanumeric string
of 1 through 63 characters. When the route-table does not find
an AVAILABLE route, the secondary host performs fail-over processing.
Usage:
Use this command to
select a Diameter credit control peer and realm.
DANGER:
This configuration completely
overrides all instances of diameter peer-select that
have been configured within the Credit Control Configuration Mode
for an Active Charging Service.
Example:
The following command
selects a Diameter credit control peer named test and a realm of
companyx:
dcca peer-select peer test realm companyx
dhcp context-name
Configures the name
of the context on the system in which Dynamic Host Control Protocol
(DHCP) functionality is configured.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] dhcp context-name name
no
Removes a previously
configured context name.
name
Specifies the name of
a context configured on the system in which one or more DHCP services
are configured. name is
an alphanumeric string of 1 through 79 characters that is case sensitive.
Usage:
If the APN is to support
dynamic address assignment via DHCP (either the proxy or relay mode),
this parameter must be configured to point the APN to the name of
a pre-configured context on the chassis in which one or more DHCP
services are configured.
The command can be used to identify a single
DHCP service instance within the specified context to use to facilitate
the address assignment.
Example:
The following command
configures the APN to look for DHCP services in a context called
dhcp-ctx:
dhcp context-name dhcp-ctx
dhcp lease-expiration-policy
Configures the system’s
handling of PDP contexts whose DHCP assigned IP lease has expired.
Privilege:
Security Administrator,
Administrator
Syntax
dhcp lease-expiration-policy { auto-renew | disconnect }
default dhcp lease-expiration-policy
default
Restores the dhcp lease-expiration-policy
parameter to its default setting of auto-renew.
auto-renew
Configures the system
to automatically renew an IP address’ lease when it is
about to expire for PDP contexts facilitated by the APN. Default:
Enabled
disconnect
Configures the system
to automatically release the PDP context when the lease for the
IP address associated with that context expires. Default: Disabled
Usage:
Use this command to
specify the action the system is to take when leases for IP addresses for
PDP contexts that are currently facilitated by the current APN
are about to expire.
Example:
The following command
causes the system to release PDP contexts associated with the current
APN when the lease for their DHCP-assigned IP address expires:
dhcp lease-expiration-policy disconnect
dhcp service-name
Configures the name
of a specific DHCP service to use when dynamically assigning IP
addresses to PDP contexts using the Dynamic Host Control Protocol.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] dhcp service-name service_name
no
Removes a previously
configured DHCP service name.
service_name
Configures the name
of the DHCP service instance that is to be used by the current APN
for the dynamic assignment of IP addresses to PDP contexts. The
name can be an alphanumeric string of 1 through 63 characters that
is case sensitive.
Usage:
Use this command to
specify a pre-configured DHCP service instance that is to be used
by the APN for IP address assignment when the Dynamic Host Control
Protocol is used.
The name of the context
in which the desired DHCP service is configured must be specified
by the dhcp context-name command.
Example:
The following command
instructs the APN to use a DHCP service called
dhcp1:
dhcp service-name dhcp1
dns
Configures the Domain
Name Service (DNS) servers that will be used by the APN for PPP.
Privilege:
Security Administrator,
Administrator
Syntax
dns { primary | secondary } { address }
no dns { primary | secondary } [ dns_address ]
no
Deletes a previously
configured DNS server.
primary
Configures the primary
DNS server for the APN.
secondary
Configures the secondary
DNS server for the APN. Only one secondary DNS server can be configured.
address
Configures the IP address
of the DNS server expressed in IPv4 dotted-decimal notation.
Default: primary = 0.0.0.0,
secondary = 0.0.0.0
dns_address
Specifies the IP address
of the DNS server to remove, expressed in IPv4 dotted-decimal notation.
Usage:
DNS servers are configured
on a per-APN profile basis. This allows each APN profile to use
specific servers in processing PDP contexts.
The configured DNS IP
addresses are relayed to the subscriber within IPCP if the PDP type
is PPP, or as PCOs (Protocol Configuration Options) if the PDP type
is IP.
The DNS can be specified
at the APN level in APN configuration as well as at the Context level
in Context configuration mode with ip name-servers command,
or it can be received from AAA server.
When DNS is requested
in PCO configuration, the following preference will be followed for
DNS value:
1. DNS values received from LNS have the first preference.
2. DNS values received from RADIUS Server have the second preference.
3. DNS values locally configured with APN have the third preference.
4. DNS values configured at context level with ip name-servers command have the last preference.
IMPORTANT:
The same preference
would be applicable for the NBNS (NetBIOS Name Service) servers
to be negotiated via ICPC (Initial Connection Protocol Control)
with the LNS (L2TP Network Server).
Example:
The following commands
configure a primary DNS server address of
192.168.100.3 and
a secondary DNS server address of
192.168.100.4:
dns primary 192.168.100.3
dns secondary 192.168.100.4
ehrpd-access
Configures the P-GW
to exclude IPv6 traffic from being delivered to UEs, accessing PDNs
from the eHRPD network that do not have IPv6 capabilities.
Syntax
[ default | no ] ehrpd-access drop-ipv6-traffic
[ default | no ]
Resets this command
to its default setting of disabled.
drop-ipv6-traffic
Excludes IPv6 traffic
from being delivered to UEs, accessing PDNs from the eHRPD network
that do not have IPv6 capabilities.
Usage:
Use this command to
exclude IPv6 traffic from being delivered to UEs on the eHRPD network
that do not have IPv6 capabilities.
end
Exits the current
configuration mode and returns to the Exec mode.
Privilege:
Security Administrator,
Administrator
Usage:
Use this command to
return to the Exec mode.
exit
Exits the current
mode and returns to the parent configuration mode.
Privilege:
Security Administrator,
Administrator
Usage:
Use this command to
return to the parent configuration mode.
firewall policy
Enables or disables
Stateful Firewall support for the APN.
Privilege:
Security Administrator,
Administrator
Syntax
firewall policy firewall-required
{ default | no } firewall policy
no
Disables Stateful Firewall
support for this APN.
default
Configures the default
setting for Stateful Firewall support.
Default: Disabled
Usage:
Use this command to
enable or disable Stateful Firewall support for this APN.
IMPORTANT:
This command is only
available in StarOS 8.0. In StarOS 8.1 and later, this configuration
is available in the ACS Rulebase Configuration Mode.
IMPORTANT:
Unless Stateful Firewall
support for this APN is enabled using this command, firewall processing
for this APN is disabled.
IMPORTANT:
If firewall is enabled,
and the rulebase has no firewall configuration, Stateful Firewall
will cause all packets to be discarded.
Example:
The following command
enables Stateful Firewall support for an APN:
firewall policy firewall-required
The following command
disables Stateful Firewall support for an APN:
no firewall policy
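The content-filtering category and firewall policy sections describe two opposite failure modes: a category policy ID that is not defined in ACS passes all packets, while firewall-required with no firewall configuration in the rulebase discards all packets. The following added example (not part of the original reference, not Cisco code) checks one APN's lines for both; the APN lines are constructed samples, and the set of ACS policy IDs, the rulebase policy ID and the rulebase firewall flag are hypothetical inputs the caller collects from the ACS configuration.

```python
CF_ID_MIN, CF_ID_MAX = 1, 4294967295   # cf_policy_id range from the reference


def read_apn_settings(apn_lines):
    """Return (category policy ID or None, firewall_required) for one APN.

    Assumption: when a command is repeated, the last occurrence wins.
    """
    cf_policy = None
    fw_required = False                 # page default: firewall disabled
    for raw in apn_lines:
        words = raw.split()
        if not words:
            continue
        prefix = words[0] if words[0] in ("no", "default") else None
        if prefix:
            words = words[1:]
        if words[:3] == ["content-filtering", "category", "policy-id"]:
            if prefix == "no":
                cf_policy = None
            elif prefix is None and len(words) == 4 and words[3].isdigit():
                cf_policy = int(words[3])
        elif words[:2] == ["firewall", "policy"]:
            # "no firewall policy" and "default firewall policy" both disable.
            fw_required = prefix is None and words[2:] == ["firewall-required"]
    return cf_policy, fw_required


def audit_apn(apn_lines, acs_policy_ids, rulebase_policy_id, rulebase_has_firewall):
    """Return a list of (finding id, explanation) tuples for one APN."""
    cf_policy, fw_required = read_apn_settings(apn_lines)
    findings = []

    if cf_policy is None:
        if rulebase_policy_id is None:
            findings.append(("CF_UNSET",
                             "no category policy ID at APN or rulebase level"))
        else:
            findings.append(("CF_FROM_RULEBASE",
                             f"rulebase policy {rulebase_policy_id} decides"))
    elif not CF_ID_MIN <= cf_policy <= CF_ID_MAX:
        findings.append(("CF_BAD_ID", f"policy ID {cf_policy} is out of range"))
    elif cf_policy not in acs_policy_ids:
        # Fail-open case: every packet is passed regardless of category.
        findings.append(("CF_FAIL_OPEN",
                         f"policy {cf_policy} is not defined in ACS"))
    elif rulebase_policy_id not in (None, cf_policy):
        findings.append(("CF_OVERRIDES_RULEBASE",
                         f"APN policy {cf_policy} overrides rulebase policy "
                         f"{rulebase_policy_id}"))

    if not fw_required:
        findings.append(("FW_DISABLED",
                         "firewall processing is disabled for this APN"))
    elif not rulebase_has_firewall:
        # Fail-closed case: Stateful Firewall discards all packets.
        findings.append(("FW_DROPS_ALL",
                         "firewall-required but rulebase has no firewall config"))
    return findings


if __name__ == "__main__":
    # Constructed APN lines; 101 is deliberately missing from the ACS set.
    sample = ["content-filtering category policy-id 101",
              "firewall policy firewall-required"]
    for finding in audit_apn(sample, {7, 12}, 7, False):
        print(finding)
```

The firewall checks apply only where the APN-level firewall policy command exists (StarOS 8.0, per the note above).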
fw-and-nat policy
Specifies the Firewall-and-NAT
policy to be used for subscribers who use this APN.
Privilege:
Security Administrator,
Administrator
Syntax
fw-and-nat policy fw_nat_policy
{ default | no } fw-and-nat policy
default
Configures the default
setting.
Default: The default
Firewall-and-NAT policy configured in the rulebase is used for subscribers
who use this APN.
no
Disables Firewall and
NAT for the APN.
fw_nat_policy
Specifies the Firewall-and-NAT
policy for the APN as an alphanumeric string of 1 through 63 characters.
Note that this policy will override the default Firewall-and-NAT
policy configured in the ACS rulebase.
Usage:
Use this command to
configure the Firewall-and-NAT policy for the APN. Note that the policy
configured in the subscriber mode will override the default policy
configured in the ACS rulebase. If a policy is not configured in
the subscriber mode, the default policy configured in the ACS rulebase
will be used.
IMPORTANT:
This command is customer-specific
and is only available in StarOS 8.1.
IMPORTANT:
This customer-specific
command must be used to configure the Policy-based Firewall-and-NAT
feature.
Example:
The following command
configures a Firewall-and-NAT policy named
standard for
the APN:
fw-and-nat policy standard
gsm-qos negotiate
Enables negotiation
of the QoS Reliability Class attribute based on the configuration
provided for Service Data Unit (SDU) Error Ratio and Residual Bit
Error Ratio (BER) attributes in the APN.
Privilege:
Security Administrator,
Administrator
Syntax
gsm-qos negotiate sdu-error-ratio sdu-error-ratio-code [ residual-ber residual-ber-code ]
[ no ] gsm-qos negotiate sdu-error-ratio [ sdu-error-ratio-code [ residual-ber residual-ber-code ] ]
no
Disables negotiation
of the QoS Reliability Class attribute.
sdu-error-ratio sdu-error-ratio-code
Enables the negotiation
of the QoS Reliability Class attribute based on Service Data Unit (SDU)
Error Ratio attributes. sdu-error-ratio-code corresponds to
distinct SDU Error ratio values within an integer range of 1 to
7.
residual-ber residual-ber-code
Enables the optional
configuration of negotiation of the QoS Reliability Class attribute based
on Residual Bit Error Ratio (BER) attributes. residual-ber-code corresponds
to distinct Residual Bit Error Ratio values within an integer range of
1 to 9.
Usage:
This command configures
the QoS attribute Reliability Class to be negotiated based on the configuration
provided for SDU Error Ratio and Residual BER attributes. The derived Reliability
Class and the configured values for SDU Error Ratio and Residual
BER are sent back in CPC and UPC response.
The mapping for
sdu-error-ratio-code is
as follows:
Code | Value
1 | 10^-2
2 | 7*10^-3
3 | 10^-3
4 | 10^-4
5 | 10^-5
6 | 10^-6
7 | 10^-1
Residual BER needs to
be specified when SDU Error Ratio is set to codes 1, 2, 3 or 7 (or, SDU
Error Ratio is intended to be set to a value greater than 5*10^-4),
for determining the Reliability Class QoS attribute. Otherwise,
the Residual BER value received in the Create PDP context request
QoS (or UPC request) would be used. The mapping for
residual-ber-code is
as follows:
Code | Value
1 | 5*10^-2
2 | 10^-2
3 | 5*10^-3
4 | 4*10^-3
5 | 10^-3
6 | 10^-4
7 | 10^-5
8 | 10^-6
9 | 6*10^-8
Example:
The following command
configures the negotiation of QoS attribute Reliability Class based on
Service Data Unit (SDU) Error Ratio
3 attributes
in the APN:
gsm-qos negotiate sdu-error-ratio 3
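The rule that Residual BER must be given for SDU Error Ratio codes 1, 2, 3 and 7 follows from the two mapping tables and the 5*10^-4 threshold. The following added example (not part of the original reference, not Cisco code) derives that set from the tables and checks a gsm-qos negotiate line against it; the function names and result fields are hypothetical.

```python
# Code-to-value mappings copied from the two tables above.
SDU_ERROR_RATIO = {1: 1e-2, 2: 7e-3, 3: 1e-3, 4: 1e-4, 5: 1e-5, 6: 1e-6, 7: 1e-1}
RESIDUAL_BER = {1: 5e-2, 2: 1e-2, 3: 5e-3, 4: 4e-3, 5: 1e-3,
                6: 1e-4, 7: 1e-5, 8: 1e-6, 9: 6e-8}
RESIDUAL_BER_THRESHOLD = 5e-4   # SDU error ratios above this need residual-ber


def residual_ber_required(sdu_code):
    """True when the SDU Error Ratio value for this code exceeds 5*10^-4."""
    return SDU_ERROR_RATIO[sdu_code] > RESIDUAL_BER_THRESHOLD


def check_gsm_qos(line):
    """Validate one 'gsm-qos negotiate' line and report how Residual BER
    will be obtained: 'configured', or 'request' (taken from the Create PDP
    context request QoS or UPC request)."""
    words = line.split()
    if words[:3] != ["gsm-qos", "negotiate", "sdu-error-ratio"]:
        raise ValueError(f"not a gsm-qos negotiate line: {line!r}")
    if len(words) not in (4, 6) or (len(words) == 6 and words[4] != "residual-ber"):
        raise ValueError(f"unexpected keywords in: {line!r}")

    sdu_code = int(words[3])
    if sdu_code not in SDU_ERROR_RATIO:
        raise ValueError(f"sdu-error-ratio code {sdu_code} is outside 1..7")

    result = {
        "sdu_code": sdu_code,
        "sdu_error_ratio": SDU_ERROR_RATIO[sdu_code],
        "residual_ber": None,
        "residual_ber_source": "request",
        "problems": [],
    }
    if len(words) == 6:
        ber_code = int(words[5])
        if ber_code not in RESIDUAL_BER:
            raise ValueError(f"residual-ber code {ber_code} is outside 1..9")
        result["residual_ber"] = RESIDUAL_BER[ber_code]
        result["residual_ber_source"] = "configured"
    elif residual_ber_required(sdu_code):
        result["problems"].append(
            f"sdu-error-ratio code {sdu_code} needs residual-ber to be specified"
        )
    return result


if __name__ == "__main__":
    codes = sorted(c for c in SDU_ERROR_RATIO if residual_ber_required(c))
    print("codes that need residual-ber:", codes)
    # First line is the example from this section; the other two are constructed.
    for sample in ("gsm-qos negotiate sdu-error-ratio 3",
                   "gsm-qos negotiate sdu-error-ratio 3 residual-ber 5",
                   "gsm-qos negotiate sdu-error-ratio 5"):
        print(sample, "->", check_gsm_qos(sample))
```

The section's own example line uses code 3 without residual-ber, so the check reports it.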
gtpp group
Enables a configured
GTPP server group to an APN for CGF accounting functionality.
IMPORTANT:
In Releases prior to
11.0, only one GTPP group is allowed to be configured per APN. In
Releases 11.0 and later, this CLI can be used to configure up to
a maximum of 32 GTPP groups for each APN.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp group group_name [ accounting-context ac_context_name ]
default gtpp group
no gtpp group group_name
no
Removes all the configured
GTPP groups for the specific APN.
group_name
Specifies the name of
server group that is used for authentication/accounting
for specific APN. group_name must
be an alphanumeric string of 1 to 63 characters. It must be identical
to the one configured earlier within the same APN context.
IMPORTANT:
In Release 11.0 and
later, if you have mistakenly configured a GTPP group, you should remove
the initially configured group and configure the new desired group.
However, in Releases prior to 11.0, there is no need to remove the
incorrect configuration; instead you can directly reconfigure the desired
GTPP group.
IMPORTANT:
If a GTPP group entry
is invalid, this GTPP group will be ignored and the next valid GTPP group
in the APN will be used. If no valid GTPP group exists, then the
default GTPP group in the accounting context specified by the GGSN
service will be used.
accounting-context ac_context_name
Specifies the name of
an accounting context on the system that processes accounting for PDP
contexts handled by this GGSN service for accounting to specific
APN.
ac_context_name must
be an alphanumeric string of 1 through 79 characters that is case
sensitive.
Note that if an accounting
context is not specified here, the system uses the GGSN service context
or the context configured by the accounting context command
in the GGSN Service Configuration mode.
Usage:
This feature provides
the GTPP server configurables under a GTPP group node. Instead of having
a single list of servers per context, this feature configures multiple
server groups within a context and applies an individual GTPP server
group for subscribers in that context. Each server group consists
of a list of CGF (Charging Group Function) accounting servers.
In case no GTPP group
is applied for the said APN or default APN template, then the default
GTPP server group available at the context level is applicable for
accounting of a specific APN.
IMPORTANT:
When multiple GTPP groups
are applied to the same APN, the load will be shared across these
GTPP groups. Sessions for this APN will use all the configured GTPP
groups in a round robin fashion.
Once a GTPP group is
selected for a subscriber session, the GTPP group will never change under
any circumstances. A request is initially sent to primary CGF server
configured in that group. When the primary fails to respond, the
request is sent to secondary CGF server.
The process of failover
from primary to secondary is per the 3GPP standards. Multiple GTPP
groups configuration is actually supported only for load sharing
of sessions within an APN and not used for failover. When all CGFs
are down in a GTPP group, the requests are archived either in hard
disk or main memory depending on whether or not streaming is enabled.
Example:
The following command
applies a previously configured GTPP server group named
star1 to an
APN within the specific context:
gtpp group star1
The following command
disables the applied GTPP server group for the specific APN:
no gtpp group star1
gtpp secondary-group
Enables or associates
a preconfigured secondary GTPP server group to an APN for CGF (Charging
Group Function) accounting functionality. By default it is disabled.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp secondary-group group_name [ accounting-context actt_ctxt_name ]
[ default | no ] gtpp secondary-group group_name
default
Default: Enabled
Restores the default
mode for secondary GTPP group for APN template.
no
Disables the configured/associated
GTPP secondary group for specific APN.
group_name
Specifies the name of
secondary GTPP server group that is used as an alternate for the primary
GTPP group associated with a specific APN for storage of GTPP messages. group_name must
be an alphanumeric string of 1 through 63 characters. It must be
the same name as configured earlier within the same APN context.
accounting-context actt_ctxt_name
Specifies the name of
an accounting context on the system that processes accounting for PDP
contexts handled by this GGSN service for accounting to a specific
APN.
actt_ctxt_name specifies
the name of the context to be used for accounting as an alphanumeric
string of 1 through 79 characters that is case sensitive.
Note that if an accounting
context is not specified here, the system uses the GGSN service context
or the context configured by the accounting context command
in the GGSN Service Configuration mode.
Usage:
Use this feature to
provide the secondary GTPP server group support for an APN.
When the secondary GTPP
group is configured with this command, the GTPP messages will also
be mirrored to the secondary servers.
This secondary group
configuration is ignored, if the configured group_name is
the same as the primary group. It will also be ignored, if the configured
GTPP group_name and/or
accounting context ac_context_name is
invalid. In such cases, the call will be established successfully
(unlike the primary group configuration where the call drops).
In the absence of a configured ac_context_name context,
the GGSN service context is chosen by default.
The secondary group
messages are low priority and thus are purged when there is no room for
the new messages.
For more information
on GTPP group, refer to the description of the gtpp group command.
Example:
The following command
applies a previously configured GTPP server group named
star2 as a
secondary GTPP group to an APN within the specific context:
gtpp secondary-group star2
The following command
disables the applied secondary GTPP server group for the specific APN:
no gtpp secondary-group star2
idle-timeout-activity
Configures a session
idle-timeout to be reset with uplink packets only, or with both
uplink and downlink packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] idle-timeout-activity ignore-downlink
default idle-timeout-activity
default
Sets or restores the
command to the default setting.
ignore-downlink
Sets
the system to ignore the downlink traffic for consideration as activity
for idle-timeout.
Usage:
If idle-timeout-activity
ignore-downlink is configured, the downlink (network to
subscriber) traffic will not be used to reset the idle-timeout.
Only uplink (subscriber to network) packets will be able to reset
the idle-timeout.
By default, ignore-downlink is
negated by the no command
so downlink traffic is also used to reset the idle-timeout.
Example:
The following command
causes both uplink and downlink traffic to reset a session idle-timeout:
default idle-timeout-activity
The following command
causes the session idle-timeout to be reset with only uplink packets:
idle-timeout-activity ignore-downlink
ims-auth-service
Applies an IMS (IP Multimedia
Subsystem) authorization service to a subscriber through APN for
Gx interface support and functionality.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ims-auth-service auth_service_name
no
Disables the applied
IMS authorization service for a specific APN.
auth_service_name
Specifies the name of
the IMS authorization service name that is used for Gx interface authentication
for a specific APN. auth_service_name must
be an alphanumeric string of 1 through 63 characters preconfigured
within the same context as this APN.
Usage:
This feature provides
the IMS authorization service configuration for Gx interface in
IMS service node.
Example:
The following command
applies a previously configured IMS authorization service named
gx_interface1 to
an APN within the specific context:
ims-auth-service gx_interface1
The following command
disables the applied IMS authorization service
gx_interface1 for
the specific APN:
no ims-auth-service gx_interface1
ip access-group
Configures an IPv4/IPv6
access group for the current APN profile.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip access-group acl_group_name [ in | out ]
no
Removes a previously
configured IPv4/IPv6 access group association.
acl_group_name
Specifies the name of
the IPv4/IPv6 access group. acl_group_name is
a previously configured ACL group expressed as an alphanumeric string
of 1 to 79 characters.
in | out
Default: both (in and
out)
Specifies the access-group
as either inbound or outbound by the keywords in and out, respectively.
Usage:
Use this command to
apply a single IPv4/IPv6 access control list to multiple
subscribers via this APN for inbound or outbound IPv4/IPv6
traffic.
If no traffic direction
is specified, the selected access control list will be applied to
both directions.
Example:
The following command
associates the
sampleipv4Group access
group with the current APN profile for both inbound and outbound
access.
ip access-group sampleipv4Group
The following command
removes the outbound access group flag for
sampleipv4Group.
no ip access-group sampleipv4Group out
ip address alloc-method
Configures the method
by which this APN will obtain IP addresses for PDP contexts.
Privilege:
Security Administrator,
Administrator
Syntax
ip address alloc-method { dhcp-proxy [ allow-deferred ] [ prefer-dhcp-options ] | dhcp-relay | local [ allow-deferred ] | no-dynamic [ allow-deferred ] } [ allow-user-specified ]
default ip address alloc-method
default
Restores the APN ip
parameters to the following default settings.
dhcp-proxy
Default: Disabled
Configures the APN to
assign an IP address received from a DHCP server.
IMPORTANT:
If this option is used,
the system’s DHCP parameters must be configured.
dhcp-relay
Configures the APN to
forward DHCP packets received from the MS to a DHCP server. Default:
Disabled
IMPORTANT:
If this option is used,
the system’s DHCP parameters must be configured.
local
Configures the APN to
allocate IP addresses from a pool configured in the destination context
on the system. Default: Enabled
IMPORTANT:
If this option is used,
the name of the IP address pool from which to allocate addresses
must be configured using the ip address pool-name command.
If no pool name is specified, the system will attempt to allocate
an address from any public pool configured in the destination context.
no-dynamic
Disables the dynamic
assignment of IP addresses to PDP contexts using this APN. Default: Disabled
If a PDP context needing
an IP address is received by an APN with this option enabled, it will
be rejected with a cause code of 220 (Unknown PDP address or PDP
type).
prefer-dhcp-options
If this keyword is specified
with
dhcp-proxy for
IP address allocation configuration, the GGSN will prefer DHCP-supplied
parameters over values provided by AAA server or by local configuration.
This keyword controls the following parameters:
- primary and secondary
Domain Name Server (DNS) addresses
- primary and secondary
NetBIOS Name Server (NBNS) addresses
These values will be
sent out in the PCO IE of a GTP Create PDP Response Message whenever
the MS requests them in a Create PDP Request Message.
Default: Disabled
IMPORTANT:
This keyword is available
only with dhcp-proxy ip allocation method as this functionality
is implemented only for GGSN acting as DHCP proxy.
By default, this functionality
is disabled. Hence, DNS and NBNS values received from a DHCP server
will not be considered by the GGSN.
allow-deferred
Enables support for
P-GW deferred address allocation. Default: Disabled
allow-user-specified
Enables support for
PDP contexts requesting the use of specific (static) addresses.
Default: Enabled
IMPORTANT:
If this option is not
enabled, PDP contexts requesting the use of a static address will
be rejected with a cause code of 220 (Unknown PDP address or PDP
type).
Usage:
Use this command to
configure the method by which the APN profile will assign IP addresses
to PDP contexts.
When the PDP context
is being established and the APN name is determined, the system will
examine the APN’s configuration profile. Part of that procedure
is determining how to handle IP address allocation. The figure in
the Example section below displays the process used by the system
to determine how the address should be allocated.
Example:
The following command
configures the APN to dynamically assign an address from a DHCP
server and reject PDP sessions with static IP addresses:
ip address alloc-method dhcp-proxy
The following command
configures the APN to reject sessions requesting dynamically assigned
addresses and only allow those with static addresses:
ip address alloc-method no-dynamic allow-user-specified
The following figure
provides the IP address allocation process:
Figure 1. IP Address Allocation Process
ip address pool
Configures the name
of a private IP address pool configured on the system from which
to assign an address for a PDP context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip address pool name pool_name
no
Removes a previously
configured pool name.
pool_name
Specifies the name of
the private pool configured on the system from which an IP address will
be assigned. The name is expressed as an alphanumeric string of
1 through 31 characters that is case sensitive.
Usage:
If the ip address alloc-method command
is configured to allow the assignment of IP addresses from a local
pool configured on the system, this command instructs the system as to
which pool should be used.
The pool specified by
this command must be a private pool configured in the destination context
on the system. Please refer to the ip pool command
in the Context Configuration
Mode Commands chapter for information on configuring IP address
pools.
Multiple APNs can use
the same IP address pool if required. In addition, this command could
be issued multiple times to allow a single APN to use different
address pools.
Example:
The following command
configures the system to use a pool named
private_pool1 for
address allocation:
ip address pool name private_pool1
ip context-name
Configures the name
of the destination context to use for subscribers accessing this
APN.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip context-name ctxt_name
no
Removes a previously
configured context name.
ctxt_name
Specifies the name of
the context through which subscriber data traffic will be routed. ctxt_name must
be an alphanumeric string from 1 to 79 characters.
Usage:
Use this command to
specify the name of a destination context configured on the system through
which to route all subscriber data traffic. This context will be
used for subscribers accessing this APN. If no name is specified,
the system will use the context in which the APN is configured as
the destination context.
When the APN is used
to support Mobile IP functionality, this command is used to indicate
the context in which the FA (Foreign Agent) service is configured.
If no name is specified, the context of the GGSN service facilitating
the subscriber PDP context is used.
Example:
The following command
configures the system to route subscriber traffic for the APN through
a context called isp1:
ip context-name isp1
ip header-compression
Configures IP packet
header compression parameters for this APN.
Privilege:
Security Administrator,
Administrator
Syntax
ip header-compression vj
default ip header-compression
no ip header-compression
default
Disables Van-Jacobson
header compression.
no
Disables Van-Jacobson
header compression.
vj
Enables Van-Jacobson
header compression for IP packets. Default: Enabled
Usage:
IP header compression
reduces packet header overhead resulting in more efficient utilization
of available bandwidth.
Example:
The following command
disables packet header compression for the APN:
no ip header-compression
ip hide-service-address
Renders the IP address
of the GGSN unreachable from mobile stations (MSs) using this APN.
This command is configured on a per-APN basis.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] ip hide-service-address
default
Does not allow the mobile
station to reach the GGSN IP address using this APN.
no
Allows the mobile station
to reach the GGSN IP address using this APN.
Usage:
This hides the GGSN
IP address from the mobile station for security purposes.
Example:
The following command
allows the GGSN’s IP address to be viewed by the mobile
station:
no ip hide-service-address
ip local-address
Configures the local-side
IP address of the subscriber's point-to-point connection.
Privilege:
Security Administrator,
Administrator
Syntax
ip local-address ip_address
no ip local-address
no
Removes a previously
configured IP local-address.
ip_address
Specifies an IP address
configured in a destination context on the system through which
a packet data network can be accessed. ip_address must
be expressed in IPv4 dotted-decimal notation.
Usage:
This parameter specifies
the IP address on the system that the MS uses as the remote-end of
the PPP connection. If no local address is configured, the system
uses an unnumbered scheme for local-side addresses.
Example:
The following command
configures a local address of 192.168.1.23 for the MS:
ip local-address 192.168.1.23
ip multicast discard
Configures the IP multicast
discard packet behavior.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] ip multicast discard
default
Restores the APN IP
parameters to the default multicast settings, which is to discard PDUs.
no
Removes a previously
configured IP multicast discard.
Usage:
This command specifies
if IP multicast discard is enabled or disabled.
Example:
The following command
enables IP multicast discard for an APN:
ip multicast discard
ip qos-dscp
Configures the quality
of service (QoS) differentiated service code point (DSCP) used when
sending data packets of a particular 3GPP QoS class over the Gi interface.
Privilege:
Security Administrator,
Administrator
Syntax
ip qos-dscp { qci { 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 } { dscp } } +
default ip qos-dscp
no ip qos-dscp { qci { 1 | 2 | 3 | 4 | 5 { allocation-retention-priority { 1..3 } } | 6 { allocation-retention-priority { 1..3 } } | 7 { allocation-retention-priority { 1..3 } } | 8 { allocation-retention-priority { 1..3 } } | 9 } } } +
default
Restores the APN IP
parameters to the default setting conversational ef streaming
af11 interactive af21 background be.
no
Restores the QoS parameter
to its default setting.
allocation-retention-priority
Specifies the DSCP
for interactive class if the allocation priority is present in the
QoS profile.
allocation-retention-priority can
be the integers 1, 2, or 3.
DSCP values use the
following matrix to map based on traffic handling priority and Alloc/Retention
priority if the allocation priority is present in the QoS profile.
The following table shows
the DSCP value matrix for allocation-retention-priority.
Table 2. Default DSCP Value Matrix
Traffic Handling Priority | Allocation Priority 1 | Allocation Priority 2 | Allocation Priority 3
1 | ef | ef | ef
2 | ef | ef | ef
3 | af21 | af21 | af21
4 | af21 | af21 | af21
IMPORTANT:
If you only configure
DSCP marking for interactive traffic classes without specifying
ARP, it may not properly take effect. The CLI allows this scenario
for backward compatibility. However, it is recommended that you
configure all three values.
qci
Configures the QoS
Class Identifier (QCI) attribute of QoS. Here the qci_val is
the QCI for which the negotiate limit is being set; it ranges from
1 to 9.
dscp
Specifies the DSCP
for the specified traffic pattern.
dscp can
be configured to any one of the following:
- af11: Assured Forwarding 11 per-hop-behavior (PHB)
- af12: Assured Forwarding 12 PHB
- af13: Assured Forwarding 13 PHB
- af21: Assured Forwarding 21 PHB
- af22: Assured Forwarding 22 PHB
- af23: Assured Forwarding 23 PHB
- af31: Assured Forwarding 31 PHB
- af32: Assured Forwarding 32 PHB
- af33: Assured Forwarding 33 PHB
- af41: Assured Forwarding 41 PHB
- af42: Assured Forwarding 42 PHB
- af43: Assured Forwarding 43 PHB
- be: Best effort forwarding PHB
- ef: Expedited forwarding PHB
- pt: Pass through (ToS of user packet is not modified)
Default: QCI:
- 1: ef
- 2: ef
- 3: af11
- 4: af11
- 5: ef
- 6: ef
- 7: af21
- 8: af21
- 9: be
+
More than one of the
above keywords can be entered within a single command.
Usage:
DSCP levels can be
assigned to specific traffic patterns in order to ensure that data
packets are delivered according to the precedence with which they’re
tagged. The diffserv markings are applied to the IP header of every
subscriber data packet transmitted over the Gi interface(s).
The traffic patterns
are defined by QCI (1 to 9). Data packets falling under the category
of each of the traffic patterns are tagged with a DSCP that further
indicates their precedence, as shown in the following tables:
Table 3. Class structure for assured forwarding (af) levels
Drop Precedence | Class 1 | Class 2 | Class 3 | Class 4
Low | af11 | af21 | af31 | af41
Medium | af12 | af22 | af32 | af42
High | af13 | af23 | af33 | af43
Precedence (low to high) | DSCP
1 | Best Effort (be)
2 | Class 1
3 | Class 2
4 | Class 3
5 | Class 4
6 | Expedited Forwarding (ef)
The DSCP level can
be configured for multiple traffic patterns within a single instance
of this command.
IMPORTANT:
If a GGSN service
is associated with a P-GW service, then the GGSN service will use
the QCI-QoS mapping tables specified in the qci-qos-mapping command
and assigned to its associated P-GW service.
Example:
The following command
configures the DSCP level for QCI 1 to be Expedited Forwarding,
ef:
ip qos-dscp qci 1 ef
ip source-violation
Enables or disables
packet source validation for the current APN.
Privilege:
Security Administrator,
Administrator
Syntax
ip source-violation { ignore | check [ drop-limit limit ] } [ exclude-from-accounting ]
default ip source-violation
default
Restores the APN ip
parameters to the default settings check enabled, drop-limit 10.
ignore
Default: Disabled
Disables source address
checking for the APN.
check [ drop-limit limit ]
Default: Enabled, limit = 10
Enables the checking
of source addresses received from subscribers for violations.
A drop-limit can
be configured to set a limit on the number of invalid packets that
can be received from a subscriber prior to their session being deleted. limit can
be configured to any integer value between 0 and 1000000. A value
of 0 indicates that all invalid packets will be discarded but the
session will never be deleted by the system.
exclude-from-accounting
Default: Disabled
Excludes the packets
identified with IP source violation from the statistics generated
for accounting records.
Usage:
Source validation is
useful if packet spoofing is suspected or for verifying packet routing and
labeling within the network.
Source validation requires
the source address of received packets to match the IP address assigned
to the subscriber (either statically or dynamically) during the
session.
Example:
The following command
enables source address validation for the APN and configures a drop-limit
of 15:
ip source-violation check drop-limit 15
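The check, drop-limit and exclude-from-accounting behaviour described above can be modelled per session as follows. This is an added example, not vendor code: the class and function names are illustrative, the addresses are constructed, and it assumes the session is deleted when the count of invalid packets reaches drop-limit, which the page does not spell out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SourceViolationPolicy:
    mode: str = "check"                    # "check" or "ignore"
    drop_limit: int = 10                   # page default; 0 = drop but never delete
    exclude_from_accounting: bool = False  # page default: Disabled

    def __post_init__(self):
        if self.mode not in ("check", "ignore"):
            raise ValueError("mode must be 'check' or 'ignore'")
        if not 0 <= self.drop_limit <= 1_000_000:
            raise ValueError("drop-limit must be between 0 and 1000000")


@dataclass
class Session:
    assigned: frozenset          # addresses assigned to the subscriber (static or dynamic)
    violations: int = 0          # invalid-source packets seen so far
    accounted_packets: int = 0   # packets that would appear in accounting statistics
    deleted: bool = False


def new_session(*addresses):
    """Build a session; ip_address() normalises IPv4 and IPv6 spellings."""
    return Session(frozenset(ipaddress.ip_address(a) for a in addresses))


def handle_uplink(session, policy, src):
    """Return 'forward', 'drop', 'delete-session' or 'no-session' for one packet."""
    if session.deleted:
        return "no-session"
    if policy.mode == "ignore" or ipaddress.ip_address(src) in session.assigned:
        session.accounted_packets += 1
        return "forward"
    # Source address does not match the address assigned for this session.
    session.violations += 1
    if not policy.exclude_from_accounting:
        session.accounted_packets += 1
    # Assumption: reaching the limit deletes the session; a limit of 0 never does.
    if policy.drop_limit and session.violations >= policy.drop_limit:
        session.deleted = True
        return "delete-session"
    return "drop"


def replay(policy, assigned, sources):
    """Run a list of uplink source addresses through one fresh session."""
    session = new_session(*assigned)
    verdicts = [handle_uplink(session, policy, s) for s in sources]
    return verdicts, session


# Constructed traffic: 10.0.0.5 is the assigned address, 10.9.9.9 is not.
SAMPLE_SOURCES = ["10.0.0.5", "10.9.9.9", "10.0.0.5",
                  "10.9.9.9", "10.9.9.9", "10.0.0.5"]

if __name__ == "__main__":
    verdicts, session = replay(SourceViolationPolicy(drop_limit=3),
                               ["10.0.0.5"], SAMPLE_SOURCES)
    for src, verdict in zip(SAMPLE_SOURCES, verdicts):
        print(f"{src:10} {verdict}")
    print("violations:", session.violations, "deleted:", session.deleted)
```

Running the same traffic with drop_limit=0 shows the difference the page describes: every invalid packet is dropped, but the session stays up.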
ip user-datagram-tos copy
Controls the copying
of the IP ToS octet value from user IPv4/IPv6 datagrams into
the IP header of GTP tunnel encapsulations.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] ip user-datagram-tos copy
default
Sets the default behavior
of this command. By default this function is disabled.
no
Removes the preconfigured
parameter for this command.
Usage:
This command enables
or disables the copying of the ToS byte from the inner IP header
to the outer IP header for an RP connection.
When this function
is enabled, the SGSN can detect the special ToS marking in the outer IP
header of GTP tunnel packets and identify certain packets as control messages.
ipv6 access-group
Configures the IPv6
access group for the current APN profile which applies a single
Access Control List (ACL) to multiple subscribers via the APN for
IPv6 traffic.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ipv6 access-group group_name [ in | out ]
no
Removes a previously
configured IPv6 ACL applied to a particular APN for IPv6 traffic.
If neither of the two { in | out } options
is specified for the ACL that will be removed, the ACL will be
removed for both directions.
group_name
Specifies the name
of the IPv6 access group as an alphanumeric string of 1 through
79 characters.
[ in | out ]
Default: both (in and
out)
Specifies the access-group
as either inbound or outbound by the keywords in and out, respectively.
If no direction is
supplied in the base command, the specified IPv6 access control
list will be applied to both directions.
Usage:
Use this command to
apply a single IPv6 access control list to multiple subscribers
via an APN for inbound or outbound IPv6 traffic.
If no traffic direction
is specified, the selected access control list will be applied to
both traffic directions.
Example:
The following command
associates the
sampleipv6Group access
group with the current APN profile for both inbound and outbound
access:
ipv6 access-group sampleipv6Group
The following removes
the outbound access group flag for
sampleipv6Group:
no ipv6 access-group sampleipv6Group out
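A review aid for the access-group, hide-service-address and source-violation settings documented above, as an added example (not part of the original reference or any vendor tool). It assumes the input is the list of commands entered for one APN, applied in order; the severity labels and the sample command lists are constructed for illustration.

```python
DEFAULT_DROP_LIMIT = 10   # page: default is check enabled, drop-limit 10


def audit_apn(commands):
    """Return a list of (severity, command, reason) for one APN's commands."""
    sv_mode, sv_limit = "check", DEFAULT_DROP_LIMIT
    hide_service = True                  # page: the default form hides the GGSN address
    acl = {"in": set(), "out": set()}    # direction -> ACL groups currently applied

    for raw in commands:
        tokens = raw.split()
        prefix = None
        if tokens and tokens[0] in ("no", "default"):
            prefix, tokens = tokens[0], tokens[1:]

        if tokens[:2] == ["ip", "source-violation"]:
            if prefix == "default":
                sv_mode, sv_limit = "check", DEFAULT_DROP_LIMIT
            elif "ignore" in tokens:
                sv_mode = "ignore"
            elif "check" in tokens:
                sv_mode, sv_limit = "check", DEFAULT_DROP_LIMIT
                if "drop-limit" in tokens:
                    sv_limit = int(tokens[tokens.index("drop-limit") + 1])
        elif tokens[:2] == ["ip", "hide-service-address"]:
            hide_service = prefix != "no"
        elif (len(tokens) >= 3 and tokens[0] in ("ip", "ipv6")
              and tokens[1] == "access-group"):
            group = (tokens[0], tokens[2])
            # No direction keyword means both directions (page default).
            dirs = tokens[3:4] if tokens[3:4] in (["in"], ["out"]) else ["in", "out"]
            for d in dirs:
                if prefix == "no":
                    acl[d].discard(group)
                else:
                    acl[d].add(group)

    findings = []
    if sv_mode == "ignore":
        findings.append(("high", "ip source-violation",
                         "source address checking is disabled"))
    elif sv_limit == 0:
        findings.append(("info", "ip source-violation",
                         "invalid packets are discarded but the session is never deleted"))
    if not hide_service:
        findings.append(("medium", "ip hide-service-address",
                         "mobile stations can reach the GGSN IP address"))
    # Simplification: a direction counts as covered if either command applies a group.
    for d in ("in", "out"):
        if not acl[d]:
            findings.append(("low", "access-group",
                             f"no access group applied for direction '{d}'"))
    return findings


# Constructed command lists for one APN (group names taken from the page's examples).
WEAK_APN = [
    "ip source-violation ignore",
    "no ip hide-service-address",
    "ip access-group sampleipv4Group",
    "no ip access-group sampleipv4Group out",
]
HARDENED_APN = [
    "ip source-violation check drop-limit 15",
    "ip hide-service-address",
    "ip access-group sampleipv4Group",
    "ipv6 access-group sampleipv6Group",
]

if __name__ == "__main__":
    for label, apn in (("weak", WEAK_APN), ("hardened", HARDENED_APN)):
        print(label)
        for severity, command, reason in audit_apn(apn):
            print(f"  [{severity}] {command}: {reason}")
```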
ipv6 dns
Configures primary
and secondary IPv6 Domain Name Service (DNS) servers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ipv6 dns { primary | secondary } { ipv6_dns_address }
no
Deletes a previously
configured DNS server.
primary
Configures the IPv6
address of primary DNS server for the APN.
secondary
Configures IPv6 address
of the secondary DNS server for the APN. Only one secondary DNS
server can be configured.
ipv6_dns_address
The IP address of the
DNS server entered using IPv6 colon-separated-hexadecimal notation.
Usage:
DNS servers are configured
on a per-APN profile basis. This allows each APN profile to use
specific servers in processing PDP contexts.
The DNS can be specified
at the APN level in APN configuration as well as at the Context level
in Context configuration mode with ip name-servers command,
or it can be received from AAA server.
When DNS is requested
in PCO configuration, the following preference will be followed for
DNS value:
1. DNS values received from LNS have the first preference.
2. DNS values received from the RADIUS server have the second preference.
3. DNS values locally configured with the APN have the third preference.
4. DNS values configured at context level with the ip name-servers command have the last preference.
IMPORTANT:
The same preference
would be applicable for the NBNS (NetBIOS Name Service) servers
to be negotiated via ICPC (Initial Connection Protocol Control)
with the LNS (L2TP Network Server).
Example:
The following command
provides an example of setting the primary DNS server:
ipv6 dns primary fe80::c0a8:a04
ipv6 egress-address-filtering
Enables or disables
IPv6 egress address filtering. This function filters out packets not
meant for the mobile interface ID. The GGSN records the source interface
ID of all the packets received from the mobile node. When packets
sent to the mobile node are received, the destination interface
ID is compared against the list of recorded interface IDs and with
the local interface-ID assigned to the MS during IPv6CP. If no match
is found, the packet is dropped.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ipv6 egress-address-filtering
no
Disables IPv6 egress
address filtering.
Usage:
Used to filter packets
that arrive from the internet to a particular site.
Example:
The following command
provides an example of disabling egress address filtering:
no ipv6 egress-address-filtering
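The learn-then-match logic described for egress address filtering can be modelled as follows. This is an added example, not vendor code: it assumes the interface ID is the low 64 bits of the IPv6 address, and the class name, function names and addresses are constructed for illustration.

```python
import ipaddress

IID_MASK = (1 << 64) - 1


def interface_id(addr):
    """Interface ID of an IPv6 address (assumed here to be its low 64 bits)."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


class EgressAddressFilter:
    """Per-session state for the filter described above."""

    def __init__(self, local_iid, enabled=True):
        self.enabled = enabled
        self.local_iid = local_iid   # interface ID assigned to the MS during IPv6CP
        self.recorded = set()        # source interface IDs seen from the mobile node
        self.dropped = 0

    def uplink(self, src):
        # Record the source interface ID of every packet received from the mobile node.
        self.recorded.add(interface_id(src))
        return "forward"

    def downlink(self, dst):
        # Compare the destination interface ID with the recorded and assigned IDs.
        iid = interface_id(dst)
        if not self.enabled or iid == self.local_iid or iid in self.recorded:
            return "forward"
        self.dropped += 1
        return "drop"


def replay_events(filt, events):
    """events: list of ('up' | 'down', ipv6_address) tuples, in arrival order."""
    return [filt.uplink(addr) if direction == "up" else filt.downlink(addr)
            for direction, addr in events]


# Constructed traffic for a session whose IPv6CP-assigned interface ID is ::1.
SAMPLE_EVENTS = [
    ("down", "2001:db8:1:1::1"),                   # matches the assigned interface ID
    ("down", "2001:db8:1:1::abcd"),                # never used by the MS
    ("up",   "2001:db8:1:1:a1b2:c3d4:e5f6:789"),   # MS starts using a second interface ID
    ("down", "2001:db8:1:1:a1b2:c3d4:e5f6:789"),   # now on the recorded list
    ("down", "2001:db8:1:1::abcd"),                # still unknown
]

if __name__ == "__main__":
    filt = EgressAddressFilter(local_iid=0x1)
    for (direction, addr), verdict in zip(SAMPLE_EVENTS,
                                          replay_events(filt, SAMPLE_EVENTS)):
        print(f"{direction:4} {addr:34} {verdict}")
    print("dropped:", filt.dropped)
```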
ipv6 initial-router-advt
Creates an IPv6 initial
router advertisement interval for the current APN.
Privilege:
Security Administrator,
Administrator
Syntax
ipv6 initial-router-advt { interval int_value | num-advts num_value }
[ default ] ipv6 initial-router-advt { interval | num-advts }
default
Resets interval or
num-advts to their default setting.
interval int_value
Specifies the time
interval (in milliseconds) when the initial IPv6 router advertisement
is sent to the mobile node as an integer from 100 through 16000.
Default: 3000ms
num-advts value num_value
Specifies the number
of initial IPv6 router advertisements sent to the mobile node as
an integer from 1 through 16. Default: 3
Usage:
This command is used
to set the advertisement interval and the number of advertisements. Using
a smaller advertisement interval increases the likelihood of the router
being discovered more quickly when it first becomes available.
Example:
The following command
specifies the initial IPv6 router interval to be 2000ms:
ipv6 initial-router-advt interval 2000
l3-to-l2-tunnel address-policy
Configures the address
allocation/validation policy, when subscriber L3 (IPv4/IPv6)
sessions are tunneled using an L2 tunneling protocol, such as L2TP.
Privilege:
Security Administrator,
Administrator
Syntax
l3-to-l2-tunnel address-policy { alloc-only | alloc-validate | no-alloc-validate }
default l3-to-l2-tunnel address-policy
default
Restores the layer 3-to-layer
2 tunnel address policy parameter to the default setting of validation
with no allocation.
alloc-only
Specifies that the
system locally allocates and validates subscriber addresses. Default: Disabled
alloc-validate
Specifies that the
system allocates addresses when IP addresses are dynamically assigned. The
system does not validate the address specified by the subscriber.
Default: Disabled
no-alloc-validate
Specifies that the
system does not allocate or validate subscriber addresses locally
for such sessions; it passes the address between the remote tunnel terminator
and the mobile node. Default: Enabled
Usage:
This command can be
useful for MIP HA sessions tunneled from the system using L2TP tunnels,
or GGSN PDP contexts of type IP tunneled using L2TP to a remote LNS.
Example:
The following command
configures the system to locally allocate and validate subscriber addresses:
l3-to-l2-tunnel address-policy alloc-only
loadbalance-tunnel-peers
Configures how tunnel-peers
are selected for this APN.
Privilege:
Security Administrator,
Administrator
Syntax
loadbalance-tunnel-peers { balanced | prioritized | random }
default loadbalance-tunnel-peers
default
Restores the loadbalance-tunnel-peers
parameter to the default setting of random.
balanced
Tunnel-peer selection
is made without regard to prioritization, but in a sequential order
that balances the load across the total number of peer nodes available.
Default: Disabled
prioritized
Tunnel-peer selection
is made based on the priority configured for the peer. Default: Disabled
random
Tunnel-peer selection
is random in order. Default: Enabled
Usage:
Use this command to
configure the load-balancing algorithm that defines how the tunnel-peers
are selected by the APN when multiple peers are configured in the
APN.
Example:
The following command
sets the APN to connect to tunnel-peers in a sequential order:
loadbalance-tunnel-peers balanced
long-duration-action detection
Sets the detection
of a session that exceeds the long duration timer and sends notification.
Privilege:
Security Administrator,
Administrator
Syntax
long-duration-action detection
default long-duration-action
default
Restores the long-duration-action
parameter to its default setting of detection.
long-duration-action detection
Detects long duration
sessions and sends SNMP TRAP and CORBA notification. This is the default behavior.
Default: Enabled
Usage:
Use this command to
detect a session that exceeds the limit set by the long duration timer.
Refer to the timeout idle and timeout long-duration commands
for information on setting the long duration timer.
Example:
Use the following command
to enable detecting the session that exceeds the long duration timer:
long-duration-action detection
long-duration-action disconnection
Specifies what action
is taken when the long duration timer expires.
Privilege:
Security Administrator,
Administrator
Syntax
long-duration-action disconnection [ suppress-notification ] [ dormant-only ] +
long-duration-action disconnection
Detects a long duration
session and disconnects the session after sending SNMP TRAP and CORBA
notification. Default: Disabled
suppress-notification
Suppresses the SNMP TRAP and CORBA
notification after detecting and disconnecting a long duration session.
Default: Disabled
dormant-only
Disconnects the dormant
sessions after the long duration timer and the inactivity time with idle time-out
duration expire. It sends the SNMP TRAP and CORBA notification after
disconnecting a long duration session. Default: Disabled
Usage:
Use this command to
determine what action is taken when a session exceeds the limit
set by the long duration timer.
Refer to the timeout idle and timeout long-duration commands
for information on setting the long duration timer.
Example:
Use the following command
to enable disconnecting sessions that exceed the long duration timer:
long-duration-action disconnection
Use the following command
to disconnect sessions that exceed the long duration timer without
sending SNMP TRAP and CORBA notification:
long-duration-action disconnection suppress-notification
Use the following command
to disconnect sessions that exceed the long duration timer and
also the inactivity timer for idle time-out duration, and send
SNMP TRAP and CORBA notification:
long-duration-action disconnection dormant-only
Use the following command
to disconnect sessions that exceed the long duration timer and
also the inactivity timer for idle time-out duration without sending
any SNMP TRAP and CORBA
notification. If the session is idle and the session-idle-time >= inactivity
time, the session gets disconnected. If the session is idle when
the long-duration timer expires and session-idle time < inactivity
time, the timer value is reset to the idle-timeout time.
long-duration-action disconnection dormant-only suppress-notification
max-contexts
Configures the maximum
number of PDP contexts (primary and secondary) that can be facilitated
by the APN.
Privilege:
Security Administrator,
Administrator
Syntax
max-contexts [ per-subscriber secondary secondary_ctx ] [ primary number total total_number ]
default max-contexts
default
Restores the max-contexts
parameter to its default settings of:
- primary: 1000000
- total: 1000000
per-subscriber secondary secondary_ctx
This keyword specifies
the maximum number of secondary PDP contexts that can be facilitated
by the APN per primary context (per-subscriber). Subscribers can
have primary PDP and secondary PDP contexts; the secondary contexts
share the same IP address as the primary.
secondary_ctx is
an integer from 0 through 10. Default: 10
primary number
This keyword specifies
the maximum number of primary PDP contexts that can be facilitated
by the APN. Subscribers can have primary PDP and secondary PDP contexts;
the secondary contexts can be configured using the per-subscriber secondary keyword.
number is
an integer value from 1 to 4000000. Default: 4000000
total total_number
Specifies the maximum
total number of PDP contexts (primary and secondary) that can be facilitated
by the APN. total_number can
be configured to any integer value from 1 to 4000000. Default: 4000000
Usage:
This parameter can
be used to configure a “soft” limit on the number
of PDP contexts supported by a single APN.
Soft limits are based
on measurements gathered at regular short intervals (several times
per minute) as opposed to measurements taken in real-time. Therefore
the sampled measurement may not match the actual number of PDP contexts
currently being processed. Every PDP context request received is
compared against the result of the last sample. If the sample is
less than the soft limit configured, the request will be processed.
If it is more, the request will be rejected.
Example:
The following command
specifies that the maximum number of primary PDP contexts the APN
can facilitate is 500,000 while the maximum total number is 750,000:
max-contexts primary 500000 total 750000
mbms bmsc-profile
Applies a configured
Broadcast-Multicast Service Center (BM-SC) profile to subscribers
through APN for Multimedia Broadcast Multicast Service (MBMS) support
and functionality.
Privilege:
Security Administrator,
Administrator
Syntax
mbms bmsc-profile name bmsc_profile_name
[ default | no ] mbms bmsc-profile
default
Applies the default
BMSC profile to the subscribers through the APN.
no
Deletes a previously
associated BM-SC profile with this APN.
name bmsc_profile_name
Specifies a name for
the BM-SC profile already configured in BMSC configuration mode. bmsc_profile_name is
an alphanumeric string of 1 through 79 characters that may contain
dots (.) and/or dashes (-).
Usage:
Use this command to
associate a configured BM-SC profile to use for MBMS contexts with
this APN for MBMS feature support.
For more information
on BM-SC profile configuration, refer to the BMSC Profile Configuration
Mode Commands chapter.
This command also configures
the specific BM-SC profile to use for Internet Group Management
Protocol (IGMP) JOIN requests received from PDP contexts with this APN.
Example:
The following command applies
a previously configured BM-SC profile named
bm_sc_1 to
an APN within the specific context:
mbms bmsc-profile name bm_sc_1
mbms bearer timeout
Configures the session
timeout values for the Multimedia Broadcast Multicast Service (MBMS)
bearer contexts with this MBMS APN.
Privilege:
Security Administrator,
Administrator
Syntax
mbms bearer timeout { absolute | idle } time
[ default | no ] mbms bearer timeout { absolute | idle }
default
Sets the default value
for the option that follows for MBMS bearer context timeout.
no
Returns the timeout
parameter to its default setting. If neither the absolute nor the idle
keyword is used in conjunction with this keyword, both timeout
options will be returned to their default settings.
absolute
Configures the absolute
maximum time (in seconds) an MBMS bearer context may exist in any
state (active or idle). Default: Disabled
idle
Default: Disabled
Configures the maximum
amount of time (in seconds) an MBMS bearer context may be idle.
time
time can be
any integer value between 0 and 4294967295. A time of 0 disables
timeouts for this APN. Default: 0
Usage:
Use this command to
limit the amount of time that an MBMS bearer context session can remain
connected.
Example:
The following command
enables an absolute timeout of
60000 seconds
for MBMS bearer context:
mbms bearer timeout absolute 60000
mbms ue timeout
Configures the session
timeout values for the Multimedia Broadcast Multicast Service (MBMS)
user equipment (UE) contexts with this MBMS APN.
Privilege:
Security Administrator,
Administrator
Syntax
mbms ue timeout absolute time
[ default | no ] mbms ue timeout absolute
default
Sets the default value
for the option that follows for MBMS UE context timeout.
no
Returns the timeout
parameter to its default setting. If neither the absolute nor the idle
keyword is used in conjunction with this keyword, both timeout
options will be returned to their default settings.
absolute time
Configures the absolute
maximum time (in seconds) an MBMS UE context may exist in any state
(active or idle). time can
be any integer value between 0 and 4294967295. A time of 0 disables
timeouts for this APN. Default: 0
Usage:
Use this command to
limit the amount of time that an MBMS UE context session can remain
connected.
Example:
The following command
enables an absolute timeout of
60000 seconds
for MBMS UE context:
mbms ue timeout absolute 60000
mediation-device
Enables the use of
a mediation device and specifies the system context to use for communicating
with the device.
Privilege:
Security Administrator,
Administrator
Syntax
mediation-device [ context-name context_name ] [ delay-GTP-response ] [ no-early-PDUs ] [ no-interims ] +
[ default | no ] mediation-device
+
Indicates that more
than one of the options can be specified with a single execution
of the command.
default
Changes the mediation
device to no context-name configured and restores the mediation device’s
default properties.
no
Deletes the mediation-device
configuration.
context-name context_name
Configures the mediation
VPN context for this APN as an alphanumeric string of 1 through 79
characters that is case sensitive. If not specified, the mediation
context is the same as the destination context of the subscriber.
Default: The subscriber's destination context.
delay-GTP-response
When enabled, delays
the CPC response until an Accounting Start response is received
from the mediation device. Default: Disabled
no-early-pdus
Specifies that the
system delays PDUs from the MS until a response to the GGSN accounting
start request is received from the mediation device. The PDUs are
queued, not discarded. Default: Disabled
If “no-early-PDUs” is
enabled, the chassis does not send uplink/downlink data
from/to a MS until it receives the Acct-Rsp Start for the
same from the mediation device. On receiving the Acct-Rsp, pending
PDUs are forwarded. The chassis buffers up to two PDUs per call.
As soon as the third PDU comes, the buffering is disabled and all
the PDUs are forwarded for that call.
Configures the system
to queue up to two PDUs until the mediation device returns a response
to the system's accounting START request per 3GPP standards. On
receiving the Accounting response message, the system forwards the
subsequent PDUs without discarding any of the packets.
IMPORTANT:
For StarOS 10.0 and
earlier releases, the system buffers up to four PDUs and queues
or discards the remaining PDUs.
IMPORTANT:
For StarOS 11.0 and
later releases, the system is configured so that none of the PDUs
are discarded.
no-interims
Disables sending interims
to the mediation server. Default: Disabled
IMPORTANT:
Different commands are
used to disable RADIUS interims for RADIUS accounting and mediation
accounting. To disable RADIUS interims for mediation accounting,
use the following command: mediation-device context-name context_name no-interims. To
disable RADIUS interims for RADIUS accounting, use the following
command: accounting-mode
radius-diameter no-interims.
Usage:
This command enables
mediation device support for the APN. Mediation devices can be either
deep-packet inspection servers or transaction control servers.
Keywords to this command
can be used in combination with each other, depending on configuration
requirements.
Example:
The following command
enables mediation device support for the APN and uses the protocol
configuration located in a system context called
ggsn1:
mediation-device context-name ggsn1
mediation-device context-name ggsn1 no-interims no-early-pdus
mediation-device no-early-pdus no-interims
mediation-device no-interims no-early-pdus
The following command
enables mediation device support for the APN and uses the protocol
configuration located in the subscriber's destination context:
mediation-device
mobile-ip home-agent
Configures the IP address
of the home agent (HA) used by the current APN to facilitate subscriber
Mobile IP sessions.
Privilege:
Security Administrator,
Administrator
Syntax
mobile-ip home-agent ip_address [ alternate ]
no mobile-ip home-agent ip_address alternate
default mobile-ip home-agent
default
Restores the APN mobile-ip
parameters to the default setting, no HA address defined.
no
Removes a previously
configured HA address.
ip_address
Specifies the IP address
of the HA expressed in IPv4 dotted-decimal notation.
alternate
Designates this Mobile
IP HA as the alternate that will be used in the event of a fail-over.
Usage:
If the APN is configured
to support Mobile IP for all PDP contexts it is facilitating, this command
specifies the IP address of the HA that is to be used.
Example:
The following command
configures an HA IP address of 192.168.1.15:
mobile-ip home-agent 192.168.1.15
mobile-ip mn-aaa-removal-indication
Configures the system
to remove various information elements when relaying Registration
Request messages to the HA.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] mobile-ip mn-aaa-removal-indication
default
Sets the default setting
for mobile IP MN-AAA-Removal-Indication.
no
Disables this functionality.
This is the default setting.
Usage:
When this functionality
is enabled, the MN-FA challenge and MN-AAA authentication extensions
are removed when relaying a Registration Request (RRQ) to the HA.
mobile-ip mn-ha-hash-algorithm
Designates the encryption
algorithm to use for Hash-based Message Authentication Code (HMAC).
Privilege:
Security Administrator,
Administrator
Syntax
mobile-ip mn-ha-hash-algorithm { hmac-md5 | md5 | rfc2002-md5 }
default mobile-ip mn-ha-hash-algorithm
default
Designates the default
encryption algorithm to use.
hmac-md5 | md5 | rfc2002-md5
Default: hmac-md5
The encryption algorithms
that may be used.
Usage:
Provides security by
encrypting the data.
Example:
The following command
sets encryption for md5:
mobile-ip mn-ha-hash-algorithm md5
mobile-ip mn-ha-shared-key
Configures the subscriber
MobileNode-Home Agent (MN-HA) shared key.
Privilege:
Security Administrator,
Administrator
Syntax
mobile-ip mn-ha-shared-key key
no mobile-ip mn-ha-shared-key
no
Disables this functionality.
This is the default setting.
key
Specifies the subscriber
MN-HA shared key as either an alphanumeric string or a hexadecimal
number sequence beginning with “0x”. The string
or sequence consists of 16 to 127 characters.
Usage:
Configures a shared
key for the APN.
Example:
The following command
configures a shared key as the alphanumeric string
sfd23408imi9yn:
mobile-ip mn-ha-shared-key sfd23408imi9yn
mobile-ip mn-ha-spi
Configures the Mobile
IP Security Parameter Index (SPI).
Privilege:
Security Administrator,
Administrator
Syntax
mobile-ip mn-ha-spi spi_number
no mobile-ip mn-ha-spi
no
Disables this functionality.
This is the default setting.
spi_number
Specifies the SPI as
an integer from 256 through 4294967295.
Usage:
Configures an SPI for
the APN.
Example:
The following command
configures an SPI of
15111111111111111111111111111111:
mobile-ip mn-ha-spi 15111111111111111111111111111111
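The keyword set, key length and SPI range documented for the three MN-HA commands above can be checked mechanically before a configuration is loaded. The following is an added example, not part of the original reference or of StarOS; the function names and the sample configuration are constructed for illustration (its first three lines reuse the example values printed above, and hmac-sha256 is a deliberately undocumented keyword).

```python
import re

# Keywords and ranges as given in the three command descriptions above.
HASH_ALGORITHMS = {"hmac-md5", "md5", "rfc2002-md5"}
SPI_MIN, SPI_MAX = 256, 4294967295
KEY_MIN_LEN, KEY_MAX_LEN = 16, 127

# Only the value-carrying forms are matched; "no ..." and "default ..." carry no value.
COMMAND_RE = re.compile(
    r"^mobile-ip\s+(mn-ha-hash-algorithm|mn-ha-shared-key|mn-ha-spi)\s+(\S+)\s*$"
)


def check_value(command, value):
    """Return a list of problems for one MN-HA setting (empty list means valid)."""
    problems = []
    if command == "mn-ha-hash-algorithm":
        if value not in HASH_ALGORITHMS:
            problems.append(f"'{value}' is not one of {sorted(HASH_ALGORITHMS)}")
    elif command == "mn-ha-shared-key":
        # A 0x-prefixed hex sequence is itself alphanumeric, so one pattern covers both forms.
        if not re.fullmatch(r"[0-9A-Za-z]+", value):
            problems.append("key is not an alphanumeric string or 0x-prefixed hex sequence")
        if not KEY_MIN_LEN <= len(value) <= KEY_MAX_LEN:
            problems.append(
                f"key is {len(value)} characters; documented range is "
                f"{KEY_MIN_LEN} to {KEY_MAX_LEN}"
            )
    elif command == "mn-ha-spi":
        if not re.fullmatch(r"[0-9]+", value):
            problems.append("SPI is not an integer")
        elif not SPI_MIN <= int(value) <= SPI_MAX:
            problems.append(f"SPI {value} is outside {SPI_MIN} through {SPI_MAX}")
    return problems


def lint_apn_config(text):
    """Return (line_number, command, problem) for every MN-HA setting out of range."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        match = COMMAND_RE.match(raw.strip())
        if not match:
            continue
        command, value = match.groups()
        for problem in check_value(command, value):
            findings.append((number, command, problem))
    return findings


# Constructed sample configuration (not taken from a real system).
SAMPLE_CONFIG = """\
mobile-ip mn-ha-hash-algorithm md5
mobile-ip mn-ha-shared-key sfd23408imi9yn
mobile-ip mn-ha-spi 15111111111111111111111111111111
mobile-ip mn-ha-hash-algorithm hmac-sha256
mobile-ip mn-ha-shared-key 0x0123456789abcdef0123456789abcdef
mobile-ip mn-ha-spi 256
no mobile-ip mn-ha-spi
"""

if __name__ == "__main__":
    for number, command, problem in lint_apn_config(SAMPLE_CONFIG):
        print(f"line {number}: {command}: {problem}")
```

Run on the sample, the check reports the 14-character shared key, the SPI above 4294967295 and the unknown algorithm keyword, and accepts the remaining lines.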
mobile-ip required
Enables support for
Mobile IP functionality for all PDP contexts facilitated by the
current APN.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] mobile-ip required
default
Applies the default
setting for mobile-ip for the APN. Default is disabled.
no
Disables mobile-ip
for the APN.
Usage:
Mobile IP functionality
for IP PDP contexts is only supported at the APN-level. This command
enables or disables Mobile IP support for the APN.
When Mobile IP is performed,
the system authenticates the subscriber and the Mobile IP FA.
If this option is enabled,
the system deletes all PDP contexts attempting to access the APN for
which a Mobile IP session can not be established.
mobile-ip reverse-tunnel
Configures the system
to support reverse-tunneling for Mobile IP sessions facilitated
by the current APN.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] mobile-ip reverse-tunnel
default
Designates the default
reverse tunnel for the APN. The default is enabled.
no
Disables this functionality.
Usage:
Use this command to
enable support for Mobile IP reverse tunneling for the APN. Reverse tunneling
is enabled by default.
nai-construction
Configures the Network
Access Identifier (NAI) construction parameters on a per-APN basis
only, rather than by per-aaa-group when constructed NAI authentication
is enabled.
Privilege:
Security Administrator,
Administrator
Syntax
nai-construction { imsi | msisdn } [ override-null-username ] [ encrypted password encrypt_password | use-shared-secret-password | password password ]
no nai-construction
no
Disables the NAI construction
at the APN level.
imsi
Enables NAI construction
using IMSI for authentication for a user. GGSN constructs NAI using
IMSI when no user-name is received. This is the default setting.
Default: Enabled
msisdn
Enables NAI construction
using Mobile Station International ISDN Number (MSISDN) for authentication
for a user. GGSN constructs NAI using MSISDN when no user-name is received.
override-null-username
Enables NAI construction
using IMSI/MSISDN for authentication for a user or when
an empty user name is received.
encrypted password
Specifies that an encrypted
password is to be used for this NAI-constructed user. encrypt_password is an
alphanumeric string of 0 through 63 characters.
password
Configures the authentication
user-password for this NAI-constructed user. password is
an alphanumeric string of 0 through 63 characters.
use-shared-secret-password
Specifies use of the
RADIUS authentication shared secret password for this NAI-constructed
user.
Usage:
NAI-construction defines
the behavior for construction at the APN level. If defined for a particular
APN, this command works independently and overwrites the behavior
of aaa constructed-nai defined at the context level for calls involving
this APN.
Note that NAI construction
using IMSI or MSISDN, where either no user name is received or a
blank user name is received for authentication, is applicable only
when NAI constructed authentication is enabled using the aaa nai-construction authentication command
in Context Configuration Mode.
Example:
The following command
enables NAI-construction using IMSI as the authentication type with
an encrypted password:
nai-construction imsi encrypted password s1289sf980333jwwdo97342
nbns
Configures and enables
use of NetBios Name Service (NBNS) for the APN.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] nbns { primary | secondary } IP_address
no
Removes/disables
use of a previously configured NetBios Name Service.
primary
Designates primary
NBNS server. Must be followed with an IPv4 address in dotted-decimal notation.
secondary
Designates secondary/failover
NBNS server. Must be followed with an IPv4 address in dotted-decimal
notation.
IP_address
Specifies the IP address
in IPv4 dotted-decimal notation.
Usage:
This command specifies
NBNS parameters. The NBNS option is present for both pdp type IP
and pdp type PPP for GGSN.
The system can be configured
to use NetBios Name Service for the APN.
Example:
The following command
configures the APN’s NetBios Name Service to primary IP 192.168.1.15.
nbns primary 192.168.1.15
nexthop-forwarding-address
Configures the next
hop forwarding address for the APN.
Privilege:
Security Administrator,
Administrator
Syntax
nexthop-forwarding-address ip_address
no nexthop-forwarding-address
no
Disables this function.
This is the default setting.
ip_address
Specifies the IP address
of the nexthop forwarding address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation.
Usage:
Use this command to
configure the next hop forwarding address for the APN.
Example:
The following command
configures the next hop forwarding address to 10.1.1.1:
nexthop-forwarding-address 10.1.1.1
npu qos
Configures an NPU QoS
priority queue for packets facilitated by the APN.
Privilege:
Security Administrator,
Administrator
Syntax
npu qos traffic priority { best-effort | bronze | derive-from-packet-dscp | gold | silver }
default npu qos traffic priority
default
Configures the default
NPU QoS traffic priority.
traffic priority { best-effort | bronze | derive-from-packet-dscp | gold | silver }
best-effort:
Assigns the best-effort queue priority. This is the lowest priority.
bronze: Assigns
the bronze queue priority. This is the third-highest priority.
derive-from-packet-dscp:
Specifies that the priority is to be determined from the DSCP (Differentiated
Services Code Point) field in the packet's TOS octet. Default: Enabled
gold: Assigns
the gold queue priority. This is the highest priority.
silver: Assigns
the silver queue priority. This is the second-highest priority.
Usage:
This command is used
in conjunction with the Network Processing Unit (NPU) Quality of Service
(QoS) functionality.
The system can be configured
to determine the priority of a subscriber packet either based on
the configuration of the APN, or from the differentiated service
(DS) field in the packet's TOS octet (representing the differentiated
service code point (DSCP) value).
Refer to the GGSN Administration
Guide for additional information on NPU QoS functionality.
Example:
The following command
configures the APN’s priority queue to be
gold:
npu qos traffic priority gold
outbound
Configures the APN
host username and password.
Privilege:
Security Administrator,
Administrator
Syntax
outbound { [ encrypted ] password pwd | username name }
no outbound password | username
no
Removes previously
configured outbound information for the APN.
encrypted
The encrypted keyword
is intended only for use by the chassis while saving configuration
scripts. The system displays the encrypted keyword
in the configuration file as a flag that the variable following
the password keyword
is the encrypted version of the plain text password. Only the encrypted
password is saved as part of the configuration file.
password pwd
Specifies the password
to use for session authentication as an alphanumeric string of 1 through
132 characters that is case sensitive.
username name
Specifies the username
to use for session authentication as an alphanumeric string of 1
to 127 characters that is case sensitive.
Usage:
This command can be
used to provide a username and password for authentication when the
subscriber does not supply one in accordance with 3GPP standards.
In addition, it can be used to create a PPP session when using L2TP
to tunnel IP PDP contexts.
If only a username
is specified using this command, the password is determined based
on the setting of the aaa
constructed-nai command in the Context Configuration mode.
That command is also used to determine the password if an outbound
username and password are configured for the APN when the imsi-auth
keyword is specified for the authentication command
in this mode.
Example:
The following commands
configure an APN username of
isp1 and
a password of
secRet123.
outbound username isp1
outbound password secRet123
pdp-type
Configures the type
of PDP contexts that are supported by this APN.
Privilege:
Security Administrator,
Administrator
Syntax
pdp-type { ipv4 [ ipv6 ] | ipv6 [ ipv4 ] | ppp }
default pdp-type
default
Configures the default
PDP type, IPv4, for the APN.
ipv4 [ ipv6 ]
Enables support for
IPv4 PDP contexts. Also enables support for IPv6 if the optional ipv6 keyword
is entered in this command. Default: Enabled
IMPORTANT:
Entering both IPv4
and IPv6 in either order enables support for both.
ipv6 [ ipv4 ]
Enables support for
IPv6 PDP contexts. Also enables support for IPv4 if the optional ipv4 keyword
is entered in this command. Default: Disabled
IMPORTANT:
Entering both IPv4
and IPv6 in either order enables support for both.
ppp
Enables support for
PPP PDP contexts. Default: Disabled
Usage:
IP PDP context types
are those in which the MS is communicating with a PDN such as the Internet
or an intranet using IP. PPP PDP contexts are those in which PPP
or PPP Network Control Protocol (NCP) frames from the MS are either
terminated at, or forwarded by the GGSN.
If a session specifies
a PDP type that is not supported by the APN, the system rejects
the session with a cause code of 220 (DCH, Unknown PDP address or
PDP type).
CAUTION:
For the IPv6 calls
to work, the destination context must have at least one IPv6 interface configured.
Example:
The following command
configures the APN to support PPP context types:
pdp-type ppp
permission
Enables the ability
to use network mobility service (NEMO) functionality for the current
APN.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] permission nemo
default permission
no | default
Disables the ability
to use NEMO functionality.
nemo
Enables the ability
to use NEMO functionality.
Usage:
Use this command to
enable support for NEMO functionality on the APN. NEMO is disabled
by default.
Example:
The following command
enables NEMO functionality:
permission nemo
The following command
disables NEMO functionality:
no permission nemo
policy
Configures the Mobile
IPv6 policy to set the action to be taken when IPv4/IPv6 subscriber
packets need to be tunneled and the encapsulated packets exceed
the tunnel maximum transmission unit (MTU).
Privilege:
Security Administrator,
Administrator
Syntax
policy ipv6 tunnel mtu exceed { fragment [ inner ] | notify-sender }
[ default | no ] policy ipv6 tunnel mtu exceed
default
IPv6: System will
do a Path MTU (PMTU) discovery and send “ICMPv6 Packet Too
Big” to the original sender if the subscriber packet exceeds
MTU after encapsulation.
IPv4: System will
do an outer IPv6 fragmentation if the packet exceeds MTU after encapsulation.
no
Disables this functionality.
ipv6 tunnel mtu exceed { fragment [ inner ] | notify-sender }
fragment:
System will do an outer IPv6 fragmentation if the subscriber packet
exceeds MTU after encapsulation.
inner:
IPv6: System will
do a PMTU discovery and send “ICMPv6 Packet Too Big” to the
original sender if the subscriber packet exceeds MTU after encapsulation.
IPv4: If packet
will exceed tunnel MTU after encapsulation, based on DF bit and ignore-df
config, the original IPv4 packet will be fragmented and then encapsulated
so that it will not exceed MTU, or ICMP Error will be sent if IPv4
packet fragmentation is not allowed.
notify-sender:
IPv6: System will
do a PMTU discovery and send “ICMPv6 Packet Too Big” to the
original sender if subscriber packet exceeds MTU after encapsulation.
IPv4: System will
do an outer IPv6 fragmentation if packet exceeds MTU after encapsulation.
Usage:
This command sets the
Mobile IPv6 policy for the action to be taken when IPv4/IPv6 subscriber
packets need to be tunneled and the encapsulated packets exceed
tunnel MTU size.
Example:
The following command
causes the system to do outer IPv6 fragmentation if the subscriber packet
exceeds MTU after encapsulation:
policy ipv6 tunnel mtu exceed fragment
ppp
Configures the Point-to-Point
Protocol (PPP) options for the current APN.
Privilege:
Security Administrator,
Administrator
Syntax
ppp { data-compression { protocols protocols | mode modes } | keepalive seconds | min-compression-size min_octets | mtu max_octets }
default ppp { data-compression protocols | keepalive | min-compression-size | mtu }
no ppp { data-compression protocols | keepalive seconds | mtu }
default
Configures the default
PPP parameters for the specified APN.
no
Resets the option specified
to its default setting.
data-compression { mode modes | protocols protocols}
Configures the data
compression or the compression protocol to use for the APN. Default: all
protocols enabled
mode modes: Sets
the compression mode to one of the following:
- normal: Packets
are compressed using the packet history for automatic adjustment
and for best compression.
- stateless:
Each packet is compressed individually.
protocols protocols:
Sets the compression protocol to one of the following:
- deflate: DEFLATE
algorithm
- mppc: Microsoft
Point-to-Point Compression
- stac: STAC
LZS algorithm
keepalive seconds
Specifies the frequency
of sending the Link Control Protocol (LCP) keep alive messages. seconds must
be either 0 or an integer from 5 through 14400. The special value
0 disables the keep alive messages entirely. Default: 30
min-compression-size min_octets
Specifies the smallest
packet to which compression may be applied as an integer from 0 through
2000. Default: 128
mtu max_octets
Specifies the maximum
transmission unit (MTU) for packets accessing the APN as an integer
from 100 through 2000. Default: 1500
IMPORTANT:
The MTU refers to the
PPP payload which excludes the two PPP octets. Therefore, an MTU of
1500 corresponds to the 3GPP standard MTU of 1502 for GTP packets
with PPP payloads.
Usage:
Adjust packet sizes
and compression to improve bandwidth utilization. Each network may have
unique characteristics such that determining the best packet size
and compression options may require system monitoring over an extended
period of time.
Example:
The following command
configures the ppp data-compression mode for the APN to be
stateless:
ppp data-compression mode stateless
The following command
configures an MTU of
500 for
the APN:
ppp mtu 500
proxy-mip
Configures support
for Proxy Mobile IP functionality for the APN.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] proxy-mip { required | null-username static-homeaddr }
default
Configures the default
proxy MIP setting for the specified APN
no
Disables this functionality.
required
Default: Disabled.
Enables proxy-mip for
all subscribers using this APN.
null-username static-homeaddr
Configures handling
of RRQ to enable the acceptance without an NAI extension in this APN.
Default: Disabled
Usage:
This command requires
that Proxy Mobile IP functionality be performed for all PDP contexts
facilitated by the APN.
When Proxy Mobile IP
is performed, the system performs subscriber authentication but not
Mobile IP FA authentication. It can be configured to handle
RRQs without an NAI extension in an APN.
More information about
Proxy Mobile IP support for the GGSN can be found in the GGSN Administration Guide.
Example:
The following command
causes the system to support Proxy Mobile IP for all PDP contexts facilitated
by the APN:
proxy-mip required
The following command
enables the acceptance of RRQs without NAI extensions in this APN:
proxy-mip null-username static-homeaddr
qos negotiate-limit
Configures the QoS
profile to provide the peak and committed data rate limits that
the GGSN assigns to the APN. The GGSN sends the QoS profile to the
SGSNs in response to GTP Create/Update PDP Context requests
for traffic shaping and policing functionality.
Privilege:
Security Administrator,
Administrator
Syntax
qos negotiate-limit direction { downlink | uplink } [ qci qci_val ] [ peak-data-rate bps [ committed-data-rate bps ] | committed-data-rate bps [ peak-data-rate bps ] ]
no qos negotiate-limit direction { downlink | uplink } [ qci qci_val ]
no
Disables the QoS Profile
for the APN.
IMPORTANT:
When no QoS Profile
is configured, the system’s default behavior is to use
the information provided by the SGSN.
direction { downlink | uplink }
downlink:
Apply the specified limits and actions to the downlink (to-Gn direction).
uplink: Apply
the specified limits and actions to the uplink (to-Gi direction).
qci qci_val
qci_val is
the QoS Class Identifier (QCI) for which the negotiate limit is
being set. QCI ranges from 1 to 9. If no qci-val is configured,
it will be handled as an undefined-qci (same as undefined-qos class).
committed-data-rate bps
Default: See the Usage section for
this command
The committed data
rate (guaranteed-data-rate) in bps (bits per second).
bps must
be an integer from 1 through 16000000 for the downlink direction
or 1 through 8640000 for the uplink direction. The value must also
correspond to one of the permitted values identified in the tables
below. If a non-permitted value is entered for this parameter, the
system rounds the value to the nearest lower supported value, except
in the case where value is less than 1,000 bps. In this case, the
system rounds the value to 1,000 bps. In addition, if the configured
committed rate is lower than the value configured for the peak-data-rate,
the system uses the configured peak rate for this parameter.
IMPORTANT:
System measurements
for this value exclude the GTP and outer packet headers. In addition, some
traffic classes have both a committed rate and a peak rate, while
other traffic classes have just a peak rate. If a committed rate
is not applicable (such as, the traffic class is background or interactive), an
error occurs if this option is configured. If the committed-rate
is applicable (such as, the traffic class is conversational or streaming), the
values supplied by the SGSN are used if this option is not configured.
peak-data-rate bps
Default: See the Usage section for
this command
Specifies the peak
data-rate for the subscriber in bps (bits per second).
bps must
be an integer from 1 through 16000000 for the downlink direction
or 1 through 8640000 for the uplink direction. The value must also
correspond to one of the permitted values identified in the tables
below. If a non-permitted value is entered for this parameter, the
system rounds the value to the nearest lower supported value, except
in the case where value is less than 1,000 bps. In this case, the
system rounds the value to 1,000 bps.
Usage:
This command configures
the APN quality of service (QoS) profile. This feature enables configuring
and enforcing bandwidth limitations on individual PDP contexts of
a particular traffic class. Traffic classes are defined in 3GPP
TS 23.107 and are negotiated during PDP context activation. Bandwidth
enforcement is configured and enforced independently for the downlink
and the uplink directions.
The profile information
is sent to the SGSN(s) in response to GTP Create/Update
PDP Context Request messages. If the QoS profile requested by the
SGSN is lower than the configured QoS profile, the profile
requested by the SGSN is used. If the QoS profile requested by the
SGSN is higher, the configured rates are used.
Note that the values
for the uplink/downlink committed-data-rate and peak-data-rate parameters
are exchanged in the GTP messages between the GGSN and the SGSN.
Therefore, the values used may be lower than the configured values.
When negotiating the rate with the SGSN(s), the system converts this
to a value that is permitted by GTP as shown in the tables below.
Table 4. Permitted Values for Committed and Peak Data Rates in GTP Messages
Value (bps) | Increment Granularity (bps)
From 1,000 to 63,000 | 1,000 (e.g. 1000, 2000, 3000, ... 63000)
From 64,000 to 568,000 | 8,000 (e.g. 64000, 72000, 80000, ... 568000)
From 576,000 to 8,640,000 | 64,000 (e.g. 576000, 640000, 704000, ... 8640000)
From 8,700,000 to 16,000,000 | 100,000 (e.g. 8700000, 8800000, 8900000, ... 16000000)
The command can be
entered multiple times to specify different combinations of direction and
class. If this command is not configured at all, the GGSN does not
perform traffic policing or QoS negotiation with the SGSN (it
accepts all of the SGSN-provided values for the PDP context).
IMPORTANT:
This command should
be used in conjunction with the max-contexts command
to limit the maximum possible bandwidth consumption by the APN.
Additional information
on the QoS traffic shaping functionality is located in the System Administration
Guide.
Default Values:
Example:
The following command
sets an uplink peak data rate of 128000 bps for QoS negotiation limit:
qos negotiate-limit direction uplink peak-data-rate 128000
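The rounding and negotiation rules described for this command can be worked through in code. This is an added example, not StarOS code; the function names are assumptions, and the third band of Table 4 is read as 576,000 to 8,640,000 bps, consistent with the uplink maximum and the sample values in the table.

```python
# Bands from Table 4: (first permitted value, last permitted value, increment), in bps.
GTP_RATE_BANDS = [
    (1_000, 63_000, 1_000),
    (64_000, 568_000, 8_000),
    (576_000, 8_640_000, 64_000),
    (8_700_000, 16_000_000, 100_000),
]

# Upper bound of the bps argument for each direction, from the keyword descriptions.
DIRECTION_MAX = {"downlink": 16_000_000, "uplink": 8_640_000}


def round_to_permitted(bps, direction):
    """Map a configured rate to the value the system would use in GTP messages.

    Non-permitted values are rounded to the nearest lower permitted value,
    except that anything below 1,000 bps is rounded up to 1,000 bps.
    """
    limit = DIRECTION_MAX[direction]
    if not 1 <= bps <= limit:
        raise ValueError(f"{direction} rate must be 1 through {limit} bps")
    if bps < 1_000:
        return 1_000
    permitted = 1_000
    for low, high, step in GTP_RATE_BANDS:
        if bps < low:
            # The value falls in the gap below this band: keep the previous band's result.
            break
        capped = min(bps, high)
        permitted = low + (capped - low) // step * step
    return permitted


def negotiate(configured_bps, sgsn_requested_bps, direction):
    """Rate used for the PDP context: the lower of the SGSN request and the APN limit."""
    return min(round_to_permitted(configured_bps, direction), sgsn_requested_bps)


if __name__ == "__main__":
    # Constructed inputs covering each band and each gap between bands.
    for rate, direction in [
        (500, "uplink"),
        (63_500, "uplink"),
        (128_000, "uplink"),
        (570_000, "downlink"),
        (8_650_000, "downlink"),
        (12_345_678, "downlink"),
    ]:
        print(direction, rate, "->", round_to_permitted(rate, direction))
```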
qos rate-limit
Configures the action
on a subscriber traffic flow that violates or exceeds the peak/committed
data rate under traffic policing/shaping functionality.
Privilege:
Security Administrator,
Administrator
Syntax
qos rate-limit direction { downlink | uplink } [ qci qci_val ] [ burst-size { bytes | auto-readjust [ duration dur ] } ] [ exceed-action { drop | lower-ip-precedence | transmit } [ violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit } ] ] | [ violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit } [ exceed-action { drop | lower-ip-precedence | transmit } ] ] +
no qos rate-limit direction { downlink | uplink } [ qci qci_val ]
no
Disables the QoS data
rate limit configuration for the APN.
IMPORTANT:
When no QoS Profile
is configured, the system defaults to using the information provided
by the SGSN.
qos rate-limit direction { downlink | uplink }
downlink:
Apply the specified limits and actions to the downlink (the Gn direction).
uplink: Apply
the specified limits and actions to the uplink (the Gi direction).
qci qci_val
qci_val is
the QoS Class Identifier (QCI) for which the negotiate limit is
being set. QCI ranges from 1 to 9. If no qci-val is configured,
it will be handled as an undefined-qci (same as undefined-qos class).
burst-size { bytes | auto-readjust [ duration dur ] }
Default: See Usage
section for this command
The burst size allowed,
in bytes for peak data rate and committed data rate.
bytes must
be an integer from 1 through 6000000.
IMPORTANT:
It is recommended that
the minimum value of this parameter be configured to the greater
of the following two values: 1) three times greater than packet
MTU for the subscriber connection, OR 2) 3 seconds worth
of token accumulation within the “bucket” for
the configured peak-data-rate. In addition, if the committed-data-rate
parameter is specified, the burst-size is applied to both the committed
and peak rates.
auto-readjust [ duration dur ] keyword
provides the option to calculate the Burst size dynamically while
configuring the rate-limit. Whenever this keyword is enabled to
calculate burst size, the GGSN QoS negotiated rate is enforced for
this calculation.
Whenever there is a
change in the rates (due to a QoS update), the burst sizes will
be updated accordingly.
This keyword also provides
two different burst sizes. One burst size for peak rate and another
for committed rate.
By default this keyword
is disabled.
duration dur describes
the duration of burst in seconds. If duration is not specified this
keyword will use 1 second as default value. dur must
be an integer from 1 through 30.
exceed-action { drop | lower-ip-precedence | transmit }
Default: See the Usage section for
this command
The action to take
on the packets that exceed the committed-data-rate but do not violate
the peak-data-rate. The following actions are supported:
- drop: Drop
the packet
- lower-ip-precedence:
Transmit the packet after lowering the ip-precedence
- transmit:
Transmit the packet
violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit }
Default: See the Usage section for
this command
The action to take
on the packets that exceed both the committed-data-rate and the
peak-data-rate. The following actions are supported:
drop: Drop
the packet
lower-ip-precedence:
Transmit the packet after lowering the IP precedence
shape [ transmit-when-buffer-full ]:
Enables traffic shaping and provides the buffering of user packets
when subscriber traffic violates the allowed peak/committed
data rate. The transmit-when-buffer-full keyword
allows the packet to be transmitted when buffer memory is full.
transmit:
Transmit the packet
+
More than one of the
above keywords can be entered within a single command.
Usage:
This command configures
APN quality of service (QoS) data rate shaping through traffic policing/shaping.
This command enables the actions on subscriber flows exceeding or
violating the allowed peak/committed data rate. The shaping
function also provides an enhanced function that buffers the excessive
user packets and sends them to the subscriber when subscriber traffic goes
below the committed or peak data rate limit.
IMPORTANT:
The user packet buffer
function in traffic shaping is not applicable for real-time traffic.
IMPORTANT:
If the exceed/violate
action is set to “lower-ip-precedence”, this command
may override the configuration of the ip qos-dscp command
in the GGSN Service Configuration mode for packets from the GGSN
to the SGSN. In addition, the GGSN service ip qos-dscp command
configuration can override the APN setting for packets from the
GGSN to the Internet. Therefore, it is recommended that this command
not be used in conjunction with this action.
The command can be
entered multiple times to specify different combinations of direction and
class. If this command is not configured at all, the GGSN does not
perform traffic policing or QoS negotiation with the SGSN. (It accepts
all of the SGSN-provided values for the PDP context.)
IMPORTANT:
This command should
be used in conjunction with the max-contexts command
to limit the maximum possible bandwidth consumption by the APN.
To calculate the burst
size dynamically an optional keyword auto-readjust [ duration dur ] is
provided with the burst-size keyword.
By default the burst size is fixed if defined in bytes with this command.
Regardless of the rate being enforced, burst-size is fixed as set
by the burst-size bytes parameter.
The auto-readjust [ duration dur ] keyword
enables variable burst size depending on the rate being enforced.
The system calculates burst size using a per token bucket algorithm
calculation as T=B/R, where T is the time interval,
B is the burst size and R is the Rate being enforced. It also provides
different burst size for Peak and Committed data rate-limiting.
If the auto-readjust keyword
is not used, a fixed burst size must be defined which will be applicable
for peak data rate and committed data rate regardless of the rate
being enforced.
If the auto-readjust keyword
is provided without specifying the duration, a default duration
of 1 second will be used for burst size calculation.
Example:
The following command
lowers the IP precedence when the committed-data-rate and the peak-data-rate
are violated in uplink direction:
qos rate-limit direction uplink violate-action lower-ip-precedence
The following command
buffers the excess user packets when the subscriber traffic violates the
configured peak or committed data-rate bps in uplink direction.
Once the peak/committed data rate for that subscriber goes
below the configured limit, the system transmits the packets. It
also transmits them if buffer memory is full:
qos rate-limit direction uplink violate-action shape transmit-when-buffer-full
qos-renegotiate
This keyword is obsolete.
qos traffic-police
This command is obsolete.
This functionality is now supported through qos negotiate-limit and qos rate-limit commands.
radius
This command is obsolete.
radius group
This command is obsolete.
radius returned-framed-ip-address
Sets the policy whether
or not to reject a call when the RADIUS server supplies 255.255.255.255
as the framed IP address and the MS does not supply an address.
Privilege:
Security Administrator,
Administrator
Syntax
radius returned-framed-ip-address 255.255.255.255-policy { accept-call-when-ms-ip-not-supplied | reject-call-when-ms-ip-not-supplied }
default radius returned-framed-ip-address 255.255.255.255-policy
default
Set the policy to its
default of rejecting calls when the RADIUS server does not supply
a framed IP address and the MS does not supply an address.
{ accept-call-when-ms-ip-not-supplied | reject-call-when-ms-ip-not-supplied }
accept-call-when-ms-ip-not-supplied:
Accept calls when the RADIUS server does not supply a framed IP
address and the MS does not supply an address.
reject-call-when-ms-ip-not-supplied:
Reject calls when the RADIUS server does not supply a framed IP
address and the MS does not supply an address.
Usage:
Use this command to
set the behavior in the APN when the RADIUS server supplies 255.255.255.255
as the framed IP address and the MS does not supply an address.
Example:
Use the following command
to set the APN to reject calls when the RADIUS server does not supply
a framed IP address and the MS does not supply an address:
radius returned-framed-ip-address 255.255.255.255-policy reject-call-when-ms-ip-not-supplied
radius returned-username
Configures the
username that is returned in accounting messages. If the username is
not available in the Protocol Configuration Options (PCO), the RADIUS
returned username is preferred to the constructed username (imsi@apn,
msisdn@apn, or outbound username).
Privilege:
Security Administrator,
Administrator
Syntax
radius returned-username { override-constructed-username | prefer-constructed-username }
default radius returned-username
default
The default value for
the RADIUS returned-username is prefer-constructed-username. The constructed
username (imsi@apn, msisdn@apn) will be used.
IMPORTANT:
If the username is
available in the PCO, that username will be used regardless of the
setting for this command (radius returned-username).
override-constructed-username
If the RADIUS server
returns a username in the Access-Accept message and that username is
not available in the Protocol Configuration Options (PCO), the new
username from the RADIUS server will be used.
prefer-constructed-username
If the username is
not available in the PCO, a constructed username (imsi@apn, msisdn@apn)
will be used regardless of the username from the RADIUS server.
This is the default.
Usage:
Use this command to
configure the username that is returned in accounting messages.
Example:
The following command sets
the RADIUS returned-username to its default value, prefer-constructed-username [constructed
username (imsi@apn, msisdn@apn)]:
default radius returned-username
restriction-value
Configures the level
of restriction to ensure controlled co-existence of the Primary
PDP Contexts.
Privilege:
Security Administrator,
Administrator
Syntax
restriction-value value
[ default | no ] restriction-value
default | no
Default: no restriction-value
Entering either default or no restriction-value sets
the internal value to zero (0) so that connection to any APN is
allowed.
value
Specifies a unique
number that identifies the type of network supported for primary
PDP contexts facilitated by this APN. The following values are supported:
- 1: Value
used for Wireless Application Protocol (WAP) or Multimedia Messaging
Service (MMS) type of networks. This corresponds to APN type public-1.
- 2: Value
used for Internet or Packet-Switched Public Data Network (PSPDN)
type of networks. This corresponds to APN type public-2.
- 3: Value
used for corporate customers who use MMS. This corresponds to APN
type private-1.
- 4: Value
used for corporate customers who do not use MMS. This corresponds to APN type
private-2.
Usage:
Restricts the ability
to have connections to public access and certain private APNs as required
by the APN configuration. Also allows co-existence of the Primary
PDP Contexts in a controlled manner.
It does not restrict
the total number of Primary PDP Contexts for the user. It also configures
a method for preventing hackers in the public domain from using
the UE as a router.
Access is provided
based on the following rules:
- If value = 1,
then PDP contexts with restriction values of 0, 1, 2, and/or
3 are allowed
- If value = 2,
then PDP contexts with restriction values of 0, 1 and/or
2 are allowed
- If value = 3,
then PDP contexts with restriction values of 0 and/or 1
are allowed
- If value = 4,
then PDP contexts with no restriction values are allowed
- If default or no syntax
is entered, then no PDP contexts have a restriction
In the event that a
Maximum APN Restriction value is received from the SGSN as part
of a PDP Context Create (CPCR) or Update (UPCR) message, the GGSN
allows the request based on the following matrix:
- If maximum = 0,
then allow connection to any APN
- If maximum = 1,
then allow APN Restriction values of 0, 1, 2, and/or 3
- If maximum = 2,
then allow APN Restriction values of 0, 1 and/or 2
- If maximum = 3,
then allow APN Restriction values of 0 and/or 1
- If maximum = 4,
then always reject
- If maximum = anything
else, then allow all APN Restriction values (1, 2, 3, and/or 4)
Refer to 3GPP 23.060
version 6.9.0 for more information.
Example:
The following command
sets the restriction value of the APN to 2:
restriction-value 2
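The Maximum APN Restriction matrix above can be replayed against a sequence of Create PDP Context requests to see which combinations of APNs a single UE may hold at once. This is an added example, not the product's code; the APN names are constructed, and it assumes (per 3GPP TS 23.060, not spelled out on this page) that the SGSN sends the highest restriction value among the subscriber's active contexts as the maximum.

```python
"""Maximum APN Restriction check, following the matrix listed on this page."""

# restriction-value -> APN type, from the value list above (0 = no restriction-value)
APN_TYPE = {0: "unrestricted", 1: "public-1", 2: "public-2", 3: "private-1", 4: "private-2"}

# "If maximum = N, then allow APN Restriction values of ..." from the matrix above
ALLOWED_BY_MAXIMUM = {
    0: {0, 1, 2, 3, 4},   # allow connection to any APN
    1: {0, 1, 2, 3},
    2: {0, 1, 2},
    3: {0, 1},
    4: set(),             # always reject
}

# Constructed APN names with their configured restriction-value
APNS = {
    "wap.example": 1,
    "internet.example": 2,
    "corp-mms.example": 3,
    "corp.example": 4,
}


def ggsn_allows(maximum, apn_restriction):
    """Apply the matrix to one request for an APN with the given restriction value."""
    allowed = ALLOWED_BY_MAXIMUM.get(maximum)
    if allowed is None:
        # "If maximum = anything else, then allow all APN Restriction values"
        return True
    return apn_restriction in allowed


class Subscriber:
    """Tracks the primary PDP contexts one UE currently has active."""

    def __init__(self):
        self.active = []  # list of (apn_name, restriction_value)

    def maximum_apn_restriction(self):
        # Assumption: most restrictive (highest) value among active contexts,
        # 0 when the UE has no context yet.
        return max((value for _, value in self.active), default=0)

    def create_pdp_context(self, apn_name, apns=APNS):
        """Return True and record the context if the GGSN would accept it."""
        value = apns[apn_name]
        if not ggsn_allows(self.maximum_apn_restriction(), value):
            return False
        self.active.append((apn_name, value))
        return True


def replay(requests):
    """Run a list of APN names through one subscriber and return the decisions."""
    subscriber = Subscriber()
    return [subscriber.create_pdp_context(name) for name in requests]


if __name__ == "__main__":
    for sequence in (
        ["corp.example", "internet.example"],
        ["wap.example", "internet.example", "corp-mms.example", "corp.example"],
        ["corp-mms.example", "wap.example", "internet.example"],
    ):
        print(sequence, replay(sequence))
```

The first sequence is the case the Usage text describes: once a private-2 context is up, the request for the Internet APN is refused, so the UE cannot bridge the two networks.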
secondary ip pool
This command specifies
a secondary IP pool to be used as backup pool for Network Address
Translation (NAT).
IMPORTANT:
This command is license
dependent. For more information please contact your Cisco account
representative.
Privilege:
Security Administrator,
Administrator
Syntax
secondary ip pool pool_name
no secondary ip pool
no
Removes the previous
secondary IP pool configuration.
pool_name
Specifies the secondary
IP pool name.
pool_name must
be an alphanumeric string of 1 through 31 characters.
Usage:
Use this command to
configure a secondary IP pool for NAT subscribers, which is not overwritten
by the RADIUS supplied list. The secondary pool configured will
be appended to the RADIUS supplied IP pool list / APN provided
IP pool list whichever is applicable during call setup.
Example:
The following command
configures a secondary IP pool named test123:
secondary ip pool test123
selection-mode
Configures the level
of verification that will be used to ensure a mobile station’s subscription
to use this APN.
Privilege:
Security Administrator,
Administrator
Syntax
selection-mode { chosen-by-sgsn | sent-by-ms | subscribed } +
default selection-mode
default
Sets the default selection
mode as “subscribed”.
chosen-by-sgsn
Default: Disabled
The MS’s subscription
will not be verified and the APN will be provided by the SGSN.
sent-by-ms
Default: Disabled
The MS’s subscription
will not be verified and the APN will be provided by the MS.
subscribed
Default: Enabled
The MS’s subscription
will be verified by the SGSN.
+
More than one of the
above keywords can be entered within a single command.
Usage:
Use this command to
specify the level of verification that will be used to ensure a
MS’s subscription to use this APN. This setting must match
the corresponding setting on the SGSN. If the two settings are not
identical, the GGSN rejects the session with a cause code of 201
(D1H, User authentication failed).
Example:
The following command
specifies that the MS’s subscription will not be verified
and that the APN name will be supplied by the SGSN:
selection-mode chosen-by-sgsn
timeout
Configures the session
timeout values for this APN.
Privilege:
Security Administrator,
Administrator
Syntax
timeout { absolute | qos-renegotiate } time
[ default | no ] timeout [ absolute | qos-renegotiate ]
default
Sets the default value
for the option that follows.
no
Returns the timeout
parameter to its default setting. If neither the absolute nor idle
keyword is used in conjunction with this keyword, both timeout
options will be returned to their default settings.
absolute
Configures the absolute
maximum time a session may exist in any state (active or idle).
qos-renegotiate
This keyword is obsolete.
time
Default:
- absolute = 0
(Disabled)
- qos-renegotiation = 300
Measured in seconds,
the time can be configured to any integer value between 0 and 4294967295.
A time of 0 disables
timeouts for this APN.
Usage:
Use this command to
limit the amount of time that a subscriber session can remain connected
or as a QoS renegotiation dampening timer.
Example:
The following command
enables an absolute timeout of 60000 seconds:
timeout absolute 60000
timeout bearer-inactivity
This command configures
the bearer inactivity timer and the threshold value of the traffic
(uplink + downlink) through an APN.
Privilege:
Security Administrator,
Administrator
Syntax
timeout bearer-inactivity time volume-threshold total bytes
[ default | no ] timeout bearer-inactivity
default
Sets the bearer inactivity
timer to disabled mode.
no
Removes the configured
bearer inactivity timer values and traffic threshold limit.
time
Specifies the timeout
duration in seconds to check inactivity on the bearer.
time must
be an integer value from 3600 through 2592000.
qos-renegotiate
Configures the dampening
timeout value for the QoS renegotiation (in seconds).
In the event of a QoS
upgrade, the specified timeout duration will be ignored and renegotiation
will start immediately.
volume-threshold total bytes
The keyword sets the
volume threshold in bytes to check the low activity on the bearer.
This total volume is the sum of the traffic in uplink and downlink
directions.
bytes must
be an integer value from 1 through 4294967295.
Usage:
Use this command to
configure the bearer inactivity timer and the threshold value of
the traffic (uplink + downlink) through an APN.
Example:
The following command
enables the inactivity time on the bearer with a timeout duration
of 7200 seconds and the total traffic volume of 256000 bytes
in uplink and downlink directions as thresholds:
timeout bearer-inactivity 7200 volume-threshold total 25600
timeout idle
Configures the idle
timeout duration for the long duration timer associated with a subscriber
session.
Privilege:
Security Administrator,
Administrator
Syntax
timeout idle idle_dur
no timeout idle
no
Indicates the timeout
specified is to be returned to its default behavior. If no specific
timeout is specified then all are set to their default behavior.
idle_dur
Default: 0
Designates the maximum
duration of the session (in seconds). After expiry the system considers
the session as dormant or idle and invokes the long duration timer
action.
idle_dur must
be an integer value in the range from 0 through 4294967295.
The special value 0
disables the timeout specified.
Usage:
Use this command to
set the idle time duration for subscriber session to determine the dormant
session.
Refer to the long-duration-action
detection and long-duration-action
disconnection commands in this chapter for additional information.
Example:
The following command sets
the idle timeout duration to 450 seconds:
timeout idle 450
timeout long-duration
Configures the long
duration timeout and inactivity duration for subscriber sessions.
Privilege:
Security Administrator,
Administrator
Syntax
timeout long-duration ldt_timeout [ inactivity-time inact_timeout ]
no timeout long-duration
no
Indicates the timeout
specified is to be returned to its default behavior. If no specific
timeout is specified then all timeouts are set to their default
behavior.
ldt_timeout
Default: 0
Designates the maximum
duration of the session (in seconds) before the system automatically
reports/terminates the session.
Specifies the maximum
amount of time (in seconds) before the specified timeout action
is initiated.
ldt_timeout must
be an integer value in the range from 0 through 4294967295.
The special value 0
disables the timeout specified.
inactivity-time inact_timeout
Specifies the maximum
amount of time (in seconds) before the specified session is marked as
dormant.
inact_timeout must
be an integer value in the range from 0 through 4294967295.
The special value 0
disables the inactivity time specified.
Usage:
Use this command to
set the long duration timeout period and inactivity timer for subscriber
sessions. Reduce the idle timeout to free session resources faster
for use by new requests.
Refer to the long-duration-action
detection and long-duration-action
disconnection commands in this chapter for additional
information.
Example:
The following command
sets the long duration timeout duration to 300 seconds
and the inactivity timer for subscriber session to 45 seconds:
timeout long-duration 300 inactivity-time 45
tpo policy
Specifies the Traffic
Performance Optimization (TPO) policy for the APN.
Privilege:
Security Administrator,
Administrator
Syntax
tpo policy tpo_policy_name
{ default | no } tpo policy
default
Configures the default
setting.
Default: Use the default
TPO policy configured in the rulebase.
no
Removes the TPO policy
from the APN configuration.
tpo_policy_name
Specifies the TPO policy
for the APN as an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
specify the TPO policy for the APN.
Example:
The following command
specifies to use the TPO policy named tpo_policy_110:
tpo policy tpo_policy_110
tunnel address-policy
This command specifies
the address allocation/validation policy for all tunneled calls
(IP-IP, IP-GRE) except L2TP calls. This means that GGSN IP address
validation could be disabled for specified incoming calls.
Privilege:
Security Administrator,
Administrator
Syntax
tunnel address-policy { alloc-only | alloc-validate | no-alloc-validate }
default tunnel address-policy
default
Resets the tunnel address-policy
to alloc-validate.
alloc-only
IP addresses are allocated
locally and no validation is done.
alloc-validate
Default.
The VPN Manager allocates
and validates all incoming IP addresses from a static pool of IP addresses.
no-alloc-validate
No IP address assignment
or validation is done for calls arriving via L3 tunnels. Incoming static
IP addresses are passed. This allows for the greatest flexibility.
Usage:
This command supports
scalable solutions for Corporate APN deployment as many corporations
handle their own IP address assignments. In some cases this is done
to relieve the customer or the mobile operators from the necessity
of reconfiguring the range of IP addresses for the IP pools at the
GGSN.
For calls coming through
L2TP tunnels, the command l3-to-l2-tunnel address
policy as defined in the APN Configuration mode, will
be in effect.
Example:
Use the following command
to reset the IP address validation policy to validate against a static
pool of addresses:
default tunnel address-policy
Use the following command
to disable all IP address validation for calls coming through tunnels:
tunnel address-policy no-alloc-validate
tunnel gre
Configures Generic
Routing Encapsulation (GRE) tunnel parameters between the GGSN and
an external gateway for the APN.
Privilege:
Security Administrator,
Administrator
Syntax
tunnel gre peer-address peer_address local-address local_addr [ preference num ]
no tunnel gre peer-address peer_address
no
Disables GRE tunneling
for the APN.
peer-address peer_address
Specifies the IP address
of the external gateway terminating the GRE tunnel.
peer_address must
be expressed in dotted decimal notation.
local-address local_addr
Specifies the IP address
of the interface in the destination context of the GGSN originating the
GRE tunnel.
local_addr must
be expressed in IPv4 dotted-decimal notation.
preference num
Default: 1
This option can be
used to assign a preference to the tunnel.
preference can
be configured to any integer value from 1 to 128.
IMPORTANT:
Only one GRE tunnel
per APN is supported. Therefore, the preference should always be
set to “1”.
Usage:
Subscriber IP payloads
are encapsulated with IP/GRE headers and tunneled by the
GGSN to an external gateway.
Example:
The following command
configures the system to encapsulate subscriber traffic using GRE and
tunnel it from a local address of 192.168.1.100 to
a gateway with an IP address of 192.168.1.225:
tunnel gre peer-address 192.168.1.225 local-address 192.168.1.100 preference 1
tunnel ipip
Configures IP-in-IP
tunnelling parameters between the GGSN and an external gateway for
the APN.
Privilege:
Security Administrator,
Administrator
Syntax
tunnel ipip peer-address peer_address local-address local_addr [ preference num ]
no tunnel ipip
no
Disables IP-in-IP tunneling
for the APN.
peer-address peer_address
Specifies the IP address
of the external gateway terminating the IP-in-IP tunnel.
peer_address must
be expressed in IPv4 dotted-decimal notation.
local-address local_addr
Specifies the IP address
of the interface in the destination context of the GGSN originating the
IP-in-IP tunnel.
local_addr must
be expressed in IPv4 dotted-decimal notation.
preference num
Default: 1
If multiple tunnels
will be configured, this option can be used to assign a preference
to the tunnel.
preference can
be configured to any integer value from 1 to 128.
Usage:
Subscriber IP payloads
are encapsulated with IP-in-IP headers and tunneled by the GGSN to
an external gateway.
Example:
The following command
configures the system to encapsulate subscriber traffic using IP-in-IP
and tunnel it from a local address of 192.168.1.100 to
a gateway with an IP address of 192.168.1.225:
tunnel ipip peer-address 192.168.1.225 local-address 192.168.1.100 preference 1
tunnel ipsec
This command configures
sessions for the current APN to use an Internet Protocol Security
(IPSec) tunnel based on the IP pool corresponding to the subscriber's
assigned IP address.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tunnel ipsec use-policy-matching-ip-pool
no
Disables the use of
the IPSec policy that matches the IP pool that the assigned IP address relates
to.
Usage:
Use this command to
set the APN to use an IPSec policy that is assigned to the IP pool
that the subscriber's assigned IP address relates to.
Example:
The following command
enables the use of the policy that matches the IP pool address:
tunnel ipsec use-policy-matching-ip-pool
tunnel l2tp
Configures Layer 2
Tunnelling Protocol (L2TP) parameters between the GGSN and an external
gateway for the APN.
Privilege:
Security Administrator,
Administrator
Syntax
tunnel l2tp [ peer-address lns-address [ [ encrypted ] secret l2tp_secret ] [ preference num ] [ tunnel-context name ] [ local-address ip-address ] [ crypto-map map_name { [ encrypted ] isakmp-secret crypto_secret } ] [ local-hostname hostname ] ]
no tunnel l2tp [ peer-address lns-address ]
no
Disables L2TP, or secure
L2TP tunneling for the APN if a specific peer-address is not specified,
or, if a peer-address is specified, this keyword removes the peer-address
configuration from the APN.
peer-address lns-address
Specifies the IP address
of the LNS node that the LAC service connects to.
lns-address must be
expressed in IPv4 dotted-decimal notation.
IMPORTANT:
A maximum of four LNS
peers can be configured per APN.
encrypted
This keyword is intended
only for use by the system while saving configuration scripts. The system
displays the encrypted keyword in the configuration file as a flag
that the variable following the secret keyword is the encrypted
version of the plain text secret. Only the encrypted secret is saved
as part of the configuration file.
secret l2tp_secret
Specifies the shared
secret (password) between the L2TP Access Concentrator (LAC) service
(configured on the system) and the LNS node.
l2tp_secret must
be an alphanumeric string of 1 through 127 characters and is case
sensitive.
preference num
Default: 1
Specifies the preference
of the tunnel if the LAC service communicates with multiple LNS nodes.
preference can
be configured to any integer value from 1 to 128.
tunnel-context name
Specifies the name
of the destination context on the system in which the LAC service(s)
is configured.
name must
be an alphanumeric string of 1 through 79 characters and is case
sensitive.
IMPORTANT:
If this option is not
configured, the system will attempt to determine the name of the destination
context from the ip
context-name parameter configured for the APN.
local-address ip-address
Specifies the IP address
of an interface that is bound to a LAC service. This is a mechanism to
dictate which LAC service to use to facilitate the subscriber’s
L2TP session.
address is
the IP address of the interface in IPv4 dotted-decimal notation.
IMPORTANT:
If the address configured
does not exist or is not bound to a LAC service, the system will automatically
choose a LAC service to use.
local-hostname hostname
This keyword configures
LAC-Hostname to be used for the communication with the LNS peer
for this APN.
When Tunnel parameters
are not received from the RADIUS server, Tunnel parameters configured
in APN are considered for the LNS peer selection. When APN Configuration
is selected, local-hostname configured with the “tunnel
l2tp” command in the APN for the LNS peer will be used
as a LAC Hostname.
IMPORTANT:
For this configuration
to take effect, the allow
aaa-assigned-hostname command, which is used to configure
LAC-Hostname based on the “Tunnel-Client-Auth-ID” attribute
received from the RADIUS server, needs to be configured in the LAC
Service Configuration mode.
hostname is
the name of the local host for the LNS peer and must be an alphanumeric
string of 1 through 127 characters.
When Tunnel parameters
are not received from the RADIUS Server, Tunnel parameters configured
in APN will be considered for the LNS peer selection. When APN Configuration
is selected, the local hostname hostname configured
with this command in the APN for the LNS peer will be used as a
LAC Hostname.
crypto-map map_name { [ encrypted ] secret crypto_secret }
Configures the IPSec
crypto-map policy that is to be associated with this L2TP tunnel configuration
for secure L2TP.
map_name is
the name of a crypto-map policy configured on the system expressed
as an alphanumeric string of 1 through 127 characters and is case sensitive.
encrypted is
intended only for use by the system while saving configuration scripts.
The system displays the encrypted keyword in the configuration file as
a flag that the variable following the secret keyword is the encrypted
version of the plain text secret. Only the encrypted secret is saved
as part of the configuration file.
secret specifies
the secret associated with the crypto-map policy. crypto_secret can
be from 0 to 255 bytes.
Usage:
This command can be
used to configure the GGSN to tunnel subscriber traffic to one or more
peer LNSs using L2TP or L2TP with IPSec.
When using L2TP, the
system functions as an L2TP Access Concentrator (LAC) and tunnels traffic
to a peer L2TP Network Server (LNS). LAC functionality is supported
through the configuration of LAC Services defined in destination
contexts configured on the system.
When using crypto-map
policies, the system functions in the same fashion as with L2TP, with
the exception that the encapsulated L2TP traffic is further encrypted
using IPSec. IPSec functionality is supported through the definition
of crypto maps configured in the same destination context as the
LAC services.
A maximum of four LNS
peers can be configured per APN. If no peer is specified, the system
will use the LAC Service(s) configured in the same destination context
as the APN.
Example:
The following command
configures L2TP support for the APN. It configures the APN to tunnel
traffic to an LNS with an IP address of 192.168.1.50 through a LAC
service bound to an interface with an IP address 192.168.1.201 configured
in a destination context on the system called pdn1. The shared secret
between the system and the LNS is 5496secRet. This will be the only
LNS configured so the default preference of 1 will not be changed.
tunnel l2tp peer-address 192.168.1.50 secret 5496secRet tunnel-context pdn1 local-address 192.168.1.201
virtual-apn
Configures references
(or links) to alternative APNs to be used for PDP context processing
based on properties of the context. This command also configures
the APN properties against which the PDP contexts are compared.
It also supports roaming and visiting subscribers.
Privilege:
Security Administrator,
Administrator
Syntax
virtual-apn { gcdr apn-name-to-be-included { Gn | virtual } | preference priority apn apn_name [ access-gw-address { ip_address | ip_address/mask } | bearer-access-service service_name | cc-profile cc_profile_index [ rat-type { eutran | gan | geran | hspa | utran | wlan } ] | domain domain_name | mcc mcc_number mnc mnc_number [ cc-profile cc_profile_index ] | [ msin-range from msin_range_from to msin_range_to ] | [ rat-type { eutran | gan | geran | hspa | utran | wlan } ] | msisdn-range { from msisdn_start_range to msisdn_to_range | rat-type { eutran | gan | geran | hspa | utran | wlan } } | rat-type { eutran | gan | geran | hspa | utran | wlan } | roaming-mode { home | roaming | visiting } ] }
default virtual-apn gcdr apn-name-to-be-included
no virtual-apn preference priority
default
The virtual APN name
is sent in G-CDRs.
no
Removes a previously
configured “virtual” APN.
gcdr apn-name-to-be-included { gn | virtual }
If a virtual APN
is configured for use, the virtual APN name is sent in G-CDRs.
Provides an option to either send the virtual APN name or the Gn
APN name (that comes from the SGSN) in G-CDRs.
Gn: The APN
received in the Create PDP Context Request message from SGSN.
virtual:
The APN selected by the GGSN/P-GW. This is the default.
preference priority
Specifies the order
in which the referenced APNs are compared by the system.
priority specifies
the order and can be configured to any integer value from 1 (highest
priority) to 1000 (lowest priority).
apn apn_name
Specifies the name
of an alternative APN configured on the system that is to be used
for PDP contexts with matching properties.
apn_name is
the name of the alternative APN expressed as an alphanumeric string
of 1 through 62 alphanumeric characters and is case insensitive.
It may also contain dots ( . ) and/or dashes ( - ).
access-gw-address { ip_address |ip_address/mask }
Specifies the Access
Gateway (SGSN/SGW/Others) address for the virtual
APN.
ip_address must
be an IPv4 address in dotted-decimal or an IPv6 address in colon-separated-hexadecimal
notation.
ip_address/mask must
be an IPv4 address in dotted-decimal or an IPv6 address in colon-separated-hexadecimal
notation with network-host mask separation.
bearer-access-service service_name
IMPORTANT:
Specifies the Bearer
Access Service name for the virtual APN. This service name is unique across
the context.
service_name must
be an alphanumeric string of 1 through 63 characters.
cc-profile cc_profile_index
IMPORTANT:
Specifies the APN for
charging characteristics (CC)-profile index.
cc_profile_index must
be an integer from 1 to 15.
domain domain_name
IMPORTANT:
Specifies the subscriber’s
domain name (realm).
domain_name must
be an alphanumeric string of 1 through 79 characters, is case sensitive
and can contain all special characters.
mcc mcc_number
IMPORTANT:
Specifies the mobile
country code (MCC) portion of the PLMN’s identifier.
mcc_number is
the PLMN MCC identifier and can be configured to any 3-digit integer
value between 100 and 999.
mnc mnc_number
IMPORTANT:
Specifies the mobile
network code (MNC) portion of the PLMN’s identifier.
mnc_number is
the PLMN MNC identifier and can be configured to any 2- or 3-digit
integer value between 00 and 999.
msin-range { from msin_range_from to msin_range_to | rat-type { eutran | gan | geran | hspa | utran | wlan } }
IMPORTANT:
This option is supported
only for the GGSN.
Specifies the APN for
this IMSI MSIN range
or
the radio access technology (RAT) type.
msin_range_from is
the start prefix of the IMSI MSIN range and can be configured between
0 and 9999999999.
msin_range_to is
the end prefix of the IMSI MSIN range and can be configured as a
string of size 1 to 10 digits between 0 and 9999999999.
msin-range should
follow the following rules:
- Start prefix (such
as msin_range_from)
and end prefix (such as msin_range_to)
must be of the same length.
- Total length of mcc + mnc + msin-range
<= 15 digits.
- For a given combination
of mcc + mnc + msin-range (start-end prefix),
overlapping range is not allowed.
rat-type is
the type of the radio access technology based on which the APN would
be specified.
msisdn-range from msisdn_start_range to msisdn_to_range
IMPORTANT:
Specifies the MSISDN
range for this APN.
msisdn_start_range is
the starting MSISDN number, which is a string of size 2 to 15, and its
value ranges between 00 and 999999999999999.
msisdn_to_range is
the ending MSISDN number which is also a string of size 2 to 15
and its value ranges between 00 and 999999999999999.
rat-type { eutran | gan | geran | hspa | utran | wlan }
IMPORTANT:
The type of the Radio
Access Technology (RAT) based on which the APN would be specified.
The available options
include:
-
eutran
-
gan
-
geran
-
hspa
-
utran
-
wlan
roaming-mode { home | roaming | visiting }
IMPORTANT:
Supports separate PDP
context processing for roaming, visiting, and home subscribers.
It supports separate rule type along with domain, imsi, and sgsn-address
types.
Usage:
This command simplifies
the configuration process for mobile operators allowing them to provide
subscribers with access to a large number of packet data networks,
characterized by APN templates, while only having to configure a
small number of APNs on the HLR.
Each “virtual” APN
is a reference, or a link, to an alternate APN configured on the
system. Each reference is configured with a rule that subscriber
PDP contexts are compared against and a priority that dictates the
comparison order.
GGSN
The references work
as follows:
1. A Create PDP Context
Request message is received by the GGSN. The message specifies an
APN configured in the HLR.
2. The GGSN determines
whether its own matching APN configuration contains “virtual” APN
references.
3. The system determines
the priority of the references and compares the associated information
pertaining to the PDP context against the configured rules.
4. If the rule matches,
the parameters in the APN specified by the reference are applied
to the PDP context. If not, the rules in the reference with the
next highest priority are compared against the PDP context. This
occurs until a match is found. If none of the references match, then
the parameters within the current APN are applied to the PDP context.
The GGSN supports a
maximum of 1023 Virtual APN mapping configurations in a system.
A single Gn APN can be configured with up to 1000 mapping rules.
Multiple Gn APNs are supported - each requiring Virtual APN mapping
configurations. The limit imposed is that the total virtual APN
mappings across all Gn APNs should not exceed 1023.
For information on
how virtual APN configuration can be used in eWAG deployments, refer
to the Enhanced Wireless
Access Gateway Administration Guide.
P-GW
Virtual APNs allow differentiated
services within a single APN.
The Virtual APN feature
allows a carrier to use a single APN to configure differentiated services.
The APN that is supplied by the MME is evaluated by the P-GW in
conjunction with multiple configurable parameters. Then, the P-GW
selects an APN configuration based on the supplied APN and those
configurable parameters.
APN configuration dictates
all aspects of a session at the P-GW. Different policies imply different
APNs. After basic APN selection, however, internal re-selection
can occur based on the following parameters:
- Service name
- Subscriber type
- MCC-MNC of IMSI
- Domain name part of username
(user@domain)
- S-GW address
In StarOS v12.x and
earlier, the P-GW supports a maximum of 1024 Virtual APNs in a system.
The functionality provided
by this command can also be used to restrict access to particular
APNs. To restrict access based on a particular rule (either domain
name or mobile country code/mobile network code), the “virtual” APN
reference should refer to an APN that is not configured on the system
and contains the desired rule. All PDP contexts matching the configured
rule would then be denied with a reason code of 219 (DBH), Missing
or Unknown APN.
Example:
The following commands
configure two “virtual” APNs: priority 1 references
the bigco APN with a domain rule of bigco.com, and
priority 2 references the bigtown APN
with a mobile country code rule of 100 and a mobile
network code rule of 50.
virtual-apn preference 1 apn bigco domain bigco.com
virtual-apn preference 2 apn bigtown mcc 100 mnc 50 msin-range from 4000000000 to 4999999999
virtual-apn preference 3 apn bigco.com sgsn-address 192.168.62.2
virtual-apn preference 4 apn bigco.co.kr sgsn-address 192.168.60.2/24
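The selection steps in the Usage section, including the denial case where a reference points at an APN that is not configured, can be modelled as follows using the four example rules above. This is an added example, not the product's code; the Gn APN name, the preference 5 deny rule, the subscriber identities and the context field names (username, imsi, sgsn_address) are constructed for illustration.

```python
"""Virtual-APN reference selection, modelled on the four steps described above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CAUSE_MISSING_OR_UNKNOWN_APN = 219  # reason code quoted on this page (DBH)


@dataclass
class Rule:
    preference: int                  # 1 = highest priority, 1000 = lowest
    apn: str                         # referenced APN
    domain: Optional[str] = None
    mcc: Optional[str] = None
    mnc: Optional[str] = None
    msin_from: Optional[str] = None
    msin_to: Optional[str] = None
    gw: Optional[str] = None         # gateway address: single host or address/mask

    def matches(self, ctx):
        if self.domain is not None:
            _, sep, realm = ctx.get("username", "").rpartition("@")
            return bool(sep) and realm == self.domain   # domain is case sensitive
        if self.mcc is not None:
            plmn = self.mcc + self.mnc
            imsi = ctx.get("imsi", "")
            if not imsi.startswith(plmn):
                return False
            if self.msin_from is None:
                return True
            # Start and end prefixes have the same length, so equal-length
            # digit strings compare correctly as text.
            head = imsi[len(plmn):len(plmn) + len(self.msin_from)]
            return len(head) == len(self.msin_from) and self.msin_from <= head <= self.msin_to
        if self.gw is not None:
            addr = ctx.get("sgsn_address")
            if addr is None:
                return False
            # strict=False accepts a host address with a mask, e.g. 192.168.60.2/24
            return ipaddress.ip_address(addr) in ipaddress.ip_network(self.gw, strict=False)
        return False


def select_apn(gn_apn, rules, configured_apns, ctx):
    """Return (apn, None) when a context is accepted, or (None, cause) when denied."""
    configured = {name.lower() for name in configured_apns}  # APN names are case insensitive
    for rule in sorted(rules, key=lambda r: r.preference):
        if rule.matches(ctx):
            if rule.apn.lower() not in configured:
                return None, CAUSE_MISSING_OR_UNKNOWN_APN
            return rule.apn, None
    return gn_apn, None  # no reference matched: the current APN's parameters apply


GN_APN = "internet"  # constructed name for the APN that carries the references
CONFIGURED = {GN_APN, "bigco", "bigtown", "bigco.com", "bigco.co.kr"}
RULES = [
    Rule(1, "bigco", domain="bigco.com"),
    Rule(2, "bigtown", mcc="100", mnc="50", msin_from="4000000000", msin_to="4999999999"),
    Rule(3, "bigco.com", gw="192.168.62.2"),
    Rule(4, "bigco.co.kr", gw="192.168.60.2/24"),
    # Constructed deny rule: the referenced APN is deliberately not configured.
    Rule(5, "not-configured-apn", domain="blocked.example"),
]

if __name__ == "__main__":
    samples = [  # constructed subscriber contexts
        {"username": "alice@bigco.com", "imsi": "100504123456789", "sgsn_address": "192.168.62.2"},
        {"username": "bob@other.example", "imsi": "100504123456789", "sgsn_address": "10.0.0.1"},
        {"username": "carol", "imsi": "100505123456789", "sgsn_address": "192.168.60.77"},
        {"username": "eve@blocked.example", "imsi": "999990000000001", "sgsn_address": "10.0.0.1"},
        {"username": "dave", "imsi": "999990000000002", "sgsn_address": "10.0.0.1"},
    ]
    for ctx in samples:
        print(ctx["username"], "->", select_apn(GN_APN, RULES, CONFIGURED, ctx))
```

When auditing a rule set, check that every reference to an unconfigured APN is intentional, because a mistyped APN name produces the same 219 rejection as a deliberate deny rule.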