Context Configuration Mode Commands

The Context Configuration Mode is used to create and manage contexts in the system. Contexts facilitate management of subscribers and services in the system.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

aaa accounting

This command enables/disables accounting for subscribers and context-level administrative users for the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
aaa accounting { administrator radius-diameter | subscriber [ radius-diameter ] }
default aaa accounting { administrator | subscriber }
no aaa accounting { administrator | subscriber } [ radius-diameter ]

default

Configures the default setting.

Default: RADIUS

no

Disables AAA accounting per the options specified.

radius-diameter

Enables AAA accounting for context-level administrative users.

subscriber

Enables AAA accounting for subscribers.

radius-diameter

Enables RADIUS or Diameter accounting for subscribers.


Usage:

Use this command to enable/disable accounting for subscribers and context-level administrative users for the current context.

To enable or disable accounting for individual local subscriber configurations refer to the accounting-mode command in the Subscriber Configuration Mode Commands chapter.

IMPORTANT:

The accounting parameters in the APN Configuration Mode take precedence over this command for subscriber sessions. Therefore, if accounting is disabled using this command but enabled within the APN configuration, accounting is performed for subscriber sessions.


Example:

The following command disables AAA accounting for context-level administrative users:

no aaa accounting administrator

The following command enables AAA accounting for context-level administrative users:

aaa accounting administrator radius-diameter

aaa authentication

This command enables/disables authentication for subscribers and context-level administrative users for the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] aaa authentication { administrator | subscriber } { local | none | radius-diameter }
default aaa authentication { administrator | subscriber }

default

Configures the default setting for the specified parameter.

  • administrator: local+RADIUS
  • subscriber: RADIUS
no

Disables AAA authentication for administrator(s)/subscribers as specified.

  • local: Disables local authentication for current context.
  • none: Disables NULL authentication for current context, which enables both local and RADIUS-based authentication.
  • radius-diameter: Disables RADIUS or Diameter-based authentication.
administrator | subscriber
  • administrator: Enables authentication for administrative users.
  • subscriber: Enables authentication for subscribers.
local | none | radius-diameter

Enables AAA authentication for administrator(s)/subscribers as specified.

  • local: Enables local authentication for the current context.
  • none: Disables authentication for the current context.
  • radius-diameter: Enables RADIUS or Diameter-based authentication.

Usage:

Use this command to enable/disable AAA authentication during specific maintenance activities or during test periods. The authentication can then be enabled again for the entire context as needed.


Example:
The following command disables RADIUS or Diameter-based authentication for subscribers for the current context:

no aaa authentication subscriber radius-diameter

The following command enables RADIUS or Diameter-based authentication for subscribers for the current context:

aaa authentication subscriber radius-diameter

aaa constructed-nai

This command configures the password used during authentication for sessions using a Constructed Network Access Identifier (NAI) or an APN-specified user name.

Platform:

ASR 5000

Product:

PDSN, GGSN


Privilege:

Security Administrator, Administrator


Syntax
aaa constructed-nai authentication [ [ encrypted ] password user_password | use-shared-secret-password ]
no aaa constructed-nai authentication

no

Disables authentication based upon the constructed NAI.

[ encrypted ] password user_password

encrypted: Specifies that the user password should be encrypted.

password user_password: Specifies an authentication password for the NAI-constructed user.

In 12.1 and earlier releases, the user_password must be an alphanumeric string of 0 through 63 characters with or without encryption.

use-shared-secret-password

Specifies using RADIUS shared secret as the password. Default: No password


Usage:

This command configures passwords for user sessions that utilize a constructed NAI assigned via a PDSN service or a user name assigned via the APN configuration.

For simple IP sessions facilitated by PDSN services in which the authentication allow-noauth and aaa constructed-nai commands are configured, this command provides a password used for the duration of the session.

For PDP contexts using an APN in which the outbound user name is configured with no password, this command is used to provide the password. Additionally, this command is also used to provide a password for situations in which an outbound username and password are configured and the authentication imsi-auth command has been specified.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

If a password is configured with this keyword, then the specified password is used. Otherwise, an empty user-password attribute is sent.

Note that this configuration works in a different way for GGSN services. If a password is configured with this keyword for GGSN service, the specified password is used. Otherwise, if an outbound password is configured, that password is used. If no outbound password is configured, the RADIUS server secret is used as the user-password string to compute the user-password RADIUS attribute.

The NAI-construction consists of the subscriber’s MSID, a separator character, and a domain. The domain that is used is either the domain name supplied as part of the subscriber’s user name or a domain alias.

IMPORTANT:

The domain alias can be set with the nai-construction domain command in the PDSN Service Configuration mode, or the aaa default-domain subscriber command in the Global Configuration mode for other core network services.

The domain alias is determined according to the following rules:

  • If the domain alias is set by nai-construction domain, that value is always used and the aaa default-domain subscriber value is disregarded, if set. The NAI is of the form <msid><symbol><nai-construction domain>.
  • If the domain alias is not set by nai-construction domain, and the domain alias is set by aaa default-domain subscriber, the aaa default-domain subscriber value is used. The NAI is of the form <msid><symbol><aaa default-domain subscriber>.
  • If the domain alias is not set by nai-construction domain or aaa default-domain subscriber, the domain name alias is the name of the source context for the PDSN service. The NAI is of the form <msid><symbol><source context of PDSN Service>.

The special separator character can be one of the following six: @, -, %, \, -, /

The subscriber’s MSID is constructed in one of the formats displayed in the following figure.


Example:
The following command configures the authentication password for the NAI-constructed user.
aaa constructed-nai authentication
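
The domain alias rules and the password selection described in the Usage text above, modelled as an added example (not code from the original page or from the vendor). The MSID, domain names and context name are constructed sample values, and the function and parameter names are hypothetical.

```python
# Separators listed in the Usage text ("-" appears twice in that list).
SEPARATORS = {"@", "-", "%", "\\", "/"}


def domain_alias(nai_construction_domain, aaa_default_domain, source_context):
    """Return (alias, origin) following the three precedence rules."""
    if nai_construction_domain:
        # Rule 1: always wins; aaa default-domain subscriber is disregarded.
        return nai_construction_domain, "nai-construction domain"
    if aaa_default_domain:
        # Rule 2: used only when nai-construction domain is not set.
        return aaa_default_domain, "aaa default-domain subscriber"
    # Rule 3: fall back to the name of the PDSN service's source context.
    return source_context, "source context of PDSN service"


def constructed_nai(msid, symbol, source_context,
                    nai_construction_domain=None, aaa_default_domain=None):
    """Build <msid><symbol><domain alias>."""
    if symbol not in SEPARATORS:
        raise ValueError(f"unsupported separator: {symbol!r}")
    alias, _ = domain_alias(nai_construction_domain, aaa_default_domain,
                            source_context)
    return f"{msid}{symbol}{alias}"


def password_source(service, constructed_nai_password=None,
                    use_shared_secret=False, outbound_password=None):
    """Name the value that ends up in the User-Password attribute.

    service is "pdsn" or "ggsn"; only the origin is returned so that no
    secret is handled by this helper.
    """
    if constructed_nai_password is not None:
        return "constructed-nai password"
    if use_shared_secret:
        return "radius shared secret"
    if service == "ggsn":
        # GGSN fallback chain: outbound password, then RADIUS server secret.
        if outbound_password is not None:
            return "outbound password"
        return "radius server secret"
    # Other services: an empty user-password attribute is sent.
    return "empty"


if __name__ == "__main__":
    # Constructed sample values.
    print(constructed_nai("0000012345", "@", "pdsn-src",
                          aaa_default_domain="default.example"))
    for svc in ("pdsn", "ggsn"):
        print(svc, "->", password_source(svc))
```

For a GGSN service with neither a constructed-NAI password nor an outbound password, the model returns the RADIUS server secret as the source, which is the case to look for when reviewing which sessions authenticate with a shared value.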
aaa filter-id rulebase mapping

This command configures the system to use the value of the Filter-Id AVP as the ACS rulebase name.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no | default ] aaa filter-id rulebase mapping

no

Disables the mapping of Filter-Id AVP and ACS rulebase name.

default

Configures the default setting. Default: Disabled


Usage:

Use this command to enable the mapping of Filter-Id attribute’s value returned during RADIUS authentication as the ACS rulebase name.

This feature gives the operator the flexibility to transition from multi-charging-service support for postpaid and prepaid subscribers through Access Control Lists (ACLs) entered in AAA profiles on the RADIUS server to a single-charging-service system based on rulebase configuration for postpaid and prepaid subscribers.

This feature internally maps the received ACL into a rulebase name and configures the subscriber for postpaid or prepaid services accordingly.

When this feature is enabled and the ACS rulebase attribute is not received from RADIUS or not configured in the local default subscriber template, the system copies the filter-id attribute value to the ACS rulebase attribute.

This copying happens only if the filter-id is configured and received from the RADIUS server and the ACS rulebase is not configured in ACS or not received from RADIUS.


Example:
The following command enables the mapping value of the Filter-Id attribute to ACS rulebase name:
aaa filter-id rulebase mapping
aaa group

This command enables/disables the creation, configuration or deletion of AAA server groups in the context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
aaa group group_name [ -noconfirm ]
no aaa group group_name

no

Deletes the specified AAA group.

group_name

Specifies name of the AAA group.

If the specified AAA group does not exist, it is created, and the prompt changes to the AAA Server Group Configuration Mode, wherein the AAA group can be configured.

If the specified AAA group already exists, the prompt changes to the AAA Server Group Configuration Mode, wherein the AAA group can be configured.

group_name must be an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any prompt and confirmation from the user.


Usage:

Use this command to create/configure/delete AAA server groups within the context. Also, refer to the AAA Server Group Configuration Mode Commands chapter.


Example:
The following command enters the AAA Server Group Configuration Mode for a AAA group named test321:
aaa group test321 
aaa nai-policy

This command sets policies on how Network Access Identifiers (NAIs) are handled during the authentication process.

Platform:

ASR 5000

Product:

PDSN, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] aaa nai-policy reformat-alg-hex-0-9

default

Sets the NAI policy back to its default setting which is to remap hexadecimal digits in NAIs and accept calls with embedded 0x00 hexadecimal digits.

no

Disable remapping of hexadecimal digits in the NAI and reject calls that have a 0x00 hexadecimal digit embedded in the NAI.

reformat-alg-hex-0-9

Default: Enabled

Controls remapping of NAIs that consist only of hex digits 0x00 through 0x09 or if a 0x00 hexadecimal digit is embedded in the NAI.

By default, the system remaps NAIs that consist solely of characters 0x00 through 0x09 to their ASCII equivalent. For example, 0x00 0x01 0x02 0x03 is remapped to 123.

Also by default the system accepts an NAI containing one or more 0x00 characters within the NAI ignoring all characters after the first 0x00.

When this keyword is disabled NAIs are processed as follows:

  • Remapping of hexadecimal digits 0x00 through 0x09 within the user-provided NAI is disabled.
  • When the NAI has an embedded 0x00 character anywhere within it (including if there is an extra 0x00 character at the end) the call is rejected.

Usage:

Use this command to disable or re-enable remapping of hexadecimal digits in the NAI.


Example:
The following command disables the remapping of hexadecimal digits in the NAI:
no aaa nai-policy reformat-alg-hex-0-9

access-list undefined

Configures the behavior of access control for the current context when an undefined access control list is specified.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
access-list undefined { deny-all | permit-all }
{ default | no } access-list undefined

default

Configures the default setting.

no

Disables handling undefined access lists.

deny-all

Specifies to drop all packets when an undefined ACL is specified.

permit-all

Specifies to forward all packets when an undefined ACL is specified.


Usage:

Use this command to specify the default behavior when an ACL specified does not exist.

When the security policies require strict access control the deny-all handling should be configured.


Example:
The following command sets the packet handling to ignore (drop) all packets when an undefined ACL is specified:
access-list undefined deny-all

administrator

Configures a user with Security Administrator privileges in the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator


Syntax
administrator user_name [ encrypted ] password password | [ ecs ] [ expiry-date date_time ] [ ftp ] [ li-administration ] [ nocli ] [ noecs ] [ timeout-absolute timeout_absolute ] [ timeout-min-absolute timeout_min_absolute ] [ timeout-idle timeout_idle ] [ timeout-min-idle timeout_min_idle ]
no administrator user_name

no

Removes Security Administrator privileges for the specified user name.

user_name

Specifies the user name for which Security Administrator privileges must be enabled in the current context. user_name must be an alphanumeric string of 1 through 32 characters.

[ encrypted ] password password

Specifies the password for the user name. Optionally, the encrypted keyword can be used to specify that the password uses encryption.

password must be an alphanumeric string of 1 through 63 characters without encryption, and 1 through 132 characters with encryption.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

ecs

Permits the user to use ACS-specific configuration commands. Default: Permitted

expiry-date date_time

Specifies the date and time that this login account expires.

Enter the date and time in the YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss format. Where YYYY is the year, MM is the month, DD is the day of the month, HH is the hour, mm is minutes, and ss is seconds.

ftp

Permits the user to use FTP and SFTP. Default: Not permitted

li-administration

Refer to the Lawful Intercept Configuration Guide for a description of this parameter.

nocli

Prevents the user from using the command line interface. Default: Permitted

noecs

Prevents the user from accessing ACS-specific commands.

timeout-absolute timeout_absolute

IMPORTANT:

This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum time, in seconds, the Security Administrator may have a session active before the session is forcibly terminated. timeout_absolute must be an integer from 0 through 300000000.

The value 0 disables this timeout configuration.

Default: 0

timeout-min-absolute timeout_min_absolute

Specifies the maximum time (in minutes) the Security Administrator may have a session active before the session is forcibly terminated. timeout_min_absolute must be an integer from 0 through 525600. The value 0 disables this timeout configuration. Default: 0

timeout-idle timeout_idle

IMPORTANT:

This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum time, in seconds, the Security Administrator may have a session active before the session is terminated. timeout_idle must be an integer from 0 through 300000000.

The value 0 disables the idle timeout configuration.

Default: 0

timeout-min-idle timeout_min_idle

Specifies the maximum time, in minutes, the Security Administrator may have a session active before the session is terminated. timeout_min_idle must be an integer from 0 through 525600. The value 0 disables the idle timeout configuration. Default: 0


Usage:

Use this command to create new Security Administrators or modify existing user’s settings.

Security Administrator users have read-write privileges and full access to all contexts and command modes. Refer to the Command Line Interface Overview chapter for more information.

IMPORTANT:

A maximum of 128 administrative users and/or subscribers may be locally configured per context.


Example:
The following command creates a Security Administrator account named user1 with access to ACS configuration commands:
administrator user1 password secretPassword
The following command removes the Security Administrator account named user1:
no administrator user1
apn

Creates or deletes Access Point Name (APN) templates and enters the APN Configuration Mode within the current context.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] apn apn_name [ -noconfirm ]
no

Deletes a previously configured APN template.

apn_name

Specifies a name for the APN template as an alphanumeric string of 1 through 62 characters that is case insensitive. It may also contain dots (.) and/or dashes (-).

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

DANGER:

If this keyword option is used with the no apn apn_name command, the APN named apn_name will be deleted with all active/inactive subscribers without prompting any warning or confirmation.


Usage:

This command creates an APN within the system and causes the CLI to enter the APN Configuration Mode.

The APN is a logical name for a packet data network and/or a service to which the system supports access. When a create PDP context request is received by the system, it examines the APN information element within the packet. The system determines if an APN with the identical name is configured. If so, the system uses the configuration parameters associated with that APN as a template for processing the request. If the names do not match, the request is rejected with a cause code of 219 (DBH, Missing or unknown APN).

APN templates should be created/configured within destination contexts on the system.
  • Up to 1000 APNs can be configured in the GGSN.
  • In StarOS v12.x and earlier, up to 1024 APNs can be configured in the P-GW.

Example:
The following command creates an APN template called isp1:
apn isp1 
asn-qos-descriptor

Creates, deletes or manages the Quality of Service (QoS) descriptor table identifier for Access Service Node Gateway (ASN-GW) service and enters the ASN QoS Descriptor Table Identifier Configuration mode within the source context.

Platform:

ASR 5000

Product:

ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
asn-qos-descriptor id qos_table_id [ default ] dscp [ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef ] [ -noconfirm ]
no asn-qos-descriptor qos_table_id [ default ] dscp [ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef ] [ -noconfirm ]

no

Deletes a previously configured ASN QoS descriptor table identifier.

id qos_table_id

Specifies a unique identifier for ASN QoS descriptor table to create/configure. qos_table_id must be an integer from 1 through 65535.

[ default ] dscp

Specifies DSCP marking for this QoS descriptor.

[ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef ]

The DSCP marking for this QoS descriptor. Default value is be (best effort).

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

DANGER:

If this keyword option is used with the no asn-qos-descriptor id qos_table_id command, the ASN QoS descriptor table with identifier qos_table_id will be deleted with all active/inactive configurations without prompting any warning or confirmation.


Usage:

Use this command to configure a QoS description table to manage QoS functionality for an ASN-GW service subscriber. This command creates and allows the configuration of QoS tables within a context. This command is also used to remove a previously configured ASN-GW service QoS descriptor table.

A maximum of 16 QoS Descriptor Tables can be configured per system.

Refer to the ASN QoS Descriptor Configuration Mode Commands chapter of this reference for additional information.


Example:
The following command creates a QoS descriptor table with identifier 1234 for the ASN-GW service subscribers:
asn-qos-descriptor id 1234

asn-service-profile

Creates, deletes or manages the Service Profiles Identifier for Access Service Node Gateway (ASN-GW) service subscribers and enters the ASN Service Profile Configuration mode within the current context.

Platform:

ASR 5000

Product:

ASN-GW


Privilege:

Administrator


Syntax
asn-service-profile id asn_profile_id direction { bi-directional | downlink | uplink } [ activation-trigger { activate | admit | dynamic-reservation | provisioned } ] [ -noconfirm ]
no asn-service-profile id asn_profile_id [ -noconfirm ]

no

Deletes a previously configured ASN service profile identifier.

id asn_profile_id

Specifies a unique identifier for ASN profile to create/configure.

direction { bi-directional | downlink | uplink }

Specifies the direction of data traffic to apply this service profile.

bi-directional: Enables this service profile in both the uplink and downlink directions.

downlink: Enables this service profile in downlink direction, towards the subscriber.

uplink: Enables this service profile in uplink direction, towards the system.

activation-trigger { activate | admit | dynamic-reservation | provisioned }

Use this option to configure the activation-trigger for the asn-service-profile. Default: provisioned | admit | activate

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

DANGER:

If this keyword option is used with the no asn-service-profile id asn_profile_id command, the ASN service profile with identifier asn_profile_id will be deleted with all active/inactive configurations without prompting any warning or confirmation.


Usage:

Use this command to configure a service profile to apply to ASN-GW service subscribers. This command creates and allows the configuration of service profiles within a context. This command is also used to remove previously configured ASN-GW service profiles.

A maximum of 32 ASN Service Profiles can be configured per context.

Refer to the ASN Service Profile Configuration Mode Commands chapter of this reference for additional information.


Example:
The following command creates an ASN Service Profile with identifier 1234 for the ASN-GW service subscribers:
asn-service-profile id 1234 direction uplink

asngw-service

Creates, deletes or manages an Access Service Node Gateway (ASN-GW) service and enters the ASN Gateway Service Configuration Mode within the current context.

Platform:

ASR 5000

Product:

ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
asngw-service asngw_name [ -noconfirm ]
no asn-service asngw_name

no

Deletes a previously configured ASN-GW service.

asngw_name

Specifies the name of the ASN-GW service to create/configure as an alphanumeric string of 1 through 63 characters that is case sensitive.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

DANGER:

If this keyword option is used with the no asn-service asngw_name command, the ASN-GW service named asngw_name will be deleted with all active/inactive subscribers without prompting any warning or confirmation.


Usage:

Services are configured within a context and enable certain functionality. This command creates and allows the configuration of services enabling the system to function as an ASN Gateway in a WiMAX network. This command is also used to remove previously configured ASN-GW services.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Refer to the ASN Gateway Service Configuration Mode Commands chapter of this reference for additional information.


Example:
The following command creates an ASN-GW service named asn-gw1:
asngw-service asn-gw1
asnpc-service

Creates, deletes or manages an ASN Paging Controller service and enters the ASN Paging Controller Configuration mode within the current context.

Platform:

ASR 5000

Product:

ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] asnpc-service asn_pc_svc_name [ -noconfirm ]
no

Deletes a previously configured ASN paging controller service.

asnpc-service asn_pc_svc_name

Specifies the name of the ASN Paging Controller Service to create and enable as an alphanumeric string of 1 through 63 characters that is case sensitive.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

DANGER:

If this keyword option is used with the no asnpc-service asn_pc_svc_name command, the ASN Paging Controller service named asn_pc_svc_name will be deleted and disabled with all active/inactive paging groups and paging agents configured in a context for ASN paging controller service without prompting any warning or confirmation.


Usage:

Use this command to create and enable ASN Paging Controller services in the system, providing the functionality of an ASN Paging Controller service within a context. This command also provides access to the ASN Paging Controller Service Configuration mode and is used to remove previously configured ASN Paging Controller services.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Refer to the ASN Paging Controller Service Configuration Mode Commands chapter of this reference for additional information.


Example:
The following command creates an ASN paging controller service named asnpc_1:
asnpc-service asnpc_1 
bfd-protocol

Enables or disables Bidirectional Forwarding Detection (BFD) protocol and enters the BFD Configuration mode.

Platform:

ASR 5000

Product

All

Privilege

Security Administrator, Administrator

Syntax

[ no ] bfd-protocol

Usage:

Use this command to set configuration parameters for detecting faults in paths established with BFD-enabled routers.

Refer to the BFD Configuration Mode Commands chapter for additional information.

Example:
The following command enables BFD Configuration mode:
bfd-protocol

bgp extended-asn-cap

Enables or disables the router to send 4-octet ASN capabilities.

Platform:

ASR 5000

Product

All

Privilege

Security Administrator, Administrator

Syntax

[ no ] bgp extended-asn-cap

no

Disables the ability of the router to send 4-octet ASN capabilities.

Example:
The following command enables the router to send 4-octet ASN Capabilities:
bgp extended-asn-cap

bmsc-profile

Creates or deletes Broadcast Multicast Service Center (BM-SC) profiles and enters the BMSC Profile Configuration Mode within the current context.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bmsc-profile name bmsc_profile_name [ -noconfirm ]

no

Deletes a previously configured BM-SC profile.

name bmsc_profile_name

Specifies a name for the BM-SC profile as an alphanumeric string of 1 through 62 characters that is case insensitive. It may also contain dots (.) and/or dashes (-).

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

DANGER:

If this keyword option is used with the no bmsc-profile name bmsc_profile_name command, the BM-SC profile named bmsc_profile_name is deleted with all active/inactive subscribers without prompting any warning or confirmation.


Usage:

Use this command to create a BM-SC profile within the context and enter the BMSC Profile Configuration Mode.

The BM-SC profile is a logical name for a Broadcast Multicast Service Center in Multimedia Broadcast and Multicast service.

BM-SC profiles should be created/configured within contexts on the system. Up to four BM-SC profiles can be configured.


Example:
The following command creates a BM-SC Profile called mbms_sc_1:
bmsc-profile name mbms_sc_1

busyout ip pool

Makes addresses from an IP pool in the current context unavailable once they are free.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN, NAT


Privilege:

Security Administrator, Administrator


Syntax
busyout ip pool { all | all-dynamic | all-static | name pool_name } [ address-range start_address end_address | lower-percentage percent | upper-percentage percent ]
no busyout ip pool { all | all-dynamic | all-static | name pool_name } [ address-range start_address end_address | lower-percentage percent | upper-percentage percent ]

no

Disables the busyout command specified.

all

Applies to all IP pools in the current context.

all-dynamic

Applies to all dynamic IP-pools in the current context.

all-static

Applies to all static IP pools in the current context.

name pool_name

Applies the named IP pool or IP pool group in the current context. pool_name must be the name of an existing IP pool or IP pool group in the current context.

address-range start_address end_address

Busyout all addresses from start_address through end_address.

start_address: The beginning IP address of the range of addresses to busyout. This IP address must exist in the pool specified and entered in IPv4 dotted-decimal notation.

end_address: The ending IP address of the range of addresses to busyout. This IP address must exist in the pool specified and entered in IPv4 dotted-decimal notation.

lower-percentage percent

Busyout the percentage of IP addresses specified, beginning at the lowest numbered IP address. This is a percentage of all of the IP addresses in the specified IP pool. percent must be an integer from 0 through 100.

upper-percentage percent

Busyout the percentage of IP addresses specified, beginning at the highest numbered IP address. This is a percentage of all of the IP addresses in the specified IP pool. percent must be an integer from 0 through 100.


Usage:

Use this command to busyout IP addresses when resizing an IP pool.

Up to 32 instances of this command can be executed per context.

A single instance of this command can busy-out multiple IP address pools in the context through the use of the all, all-static, or all-dynamic keywords.


Example:
Assume an IP pool named Pool10 with addresses from 192.168.100.1 through 192.168.100.254. To busy out the addresses from 192.168.100.50 through 192.168.100.100, enter the following command:
busyout ip pool name Pool10 address-range 192.168.100.50 192.168.100.100
To restore the IP addresses from the previous example and make them accessible again, enter the following command:
no busyout ip pool name Pool10 address-range 192.168.100.50 192.168.100.100

cae-group

Creates a CAE group, which is a CAE server cluster that services TCP video requests from the Mobile Video Gateway. The Mobile Video Gateway uses the configured CAE group for CAE load balancing. The CAE (Content Adaptation Engine) is an optional component of the Mobile Videoscape.

Platform:

ASR 5000

Product:

MVG


Privilege:

Security Administrator, Administrator


Syntax
[ no ] cae-group cae_group_name [ -noconfirm ]
no

Deletes the CAE group if previously configured.

cae_group_name

Creates the specified CAE group and enters the Video Group Configuration Mode. cae_group_name is an alphanumeric string of 1 through 79 characters.

-noconfirm

Executes the command without any prompt and confirmation from the user.


Usage:

Use this command to create a CAE group and enter the Video Group Configuration Mode. This command gets issued from the Context Configuration Mode.


Example:
The following command creates a CAE group named group_1 and enters the Video Group Configuration Mode:
cae-group group_1
camel-service

Creates an instance of the Customized Applications for Mobile Enhanced Logic (CAMEL) service and enters the CAMEL service configuration mode. This mode configures or edits the configuration for the parameters which control the CAMEL functionality on the SGSN.

IMPORTANT:

For details about the commands and parameters, check the CAMEL Service Configuration Mode chapter.

Platform:

ASR 5000

Product:

SGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] camel-service srvc_name
no

Remove the configuration for the specified SGSN service from the configuration of the current context.

srvc_name

Creates a CAMEL service instance having a unique name expressed as an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to create, edit, or remove a CAMEL service.


Example:
The following command creates a CAMEL service named camel1 in the current context:
camel-service camel1
The following command removes the CAMEL service named camel2 from the configuration for the current context:
no camel-service camel2
cipher-suite

Creates a new SSL cipher suite or specifies an existing cipher suite and enters the Cipher Suite Configuration Mode.

Platform:

ASR 5000

Product:

SCM


Privilege:

Administrator


Syntax
[ no ] cipher-suite name
no

Removes the specified SSL cipher suite from the context.

name

Specifies the name of a new or existing SSL cipher suite as an alphanumeric string of 1 through 127 characters that must be unique across all CSCF services within the same context and across all contexts.


Usage:

Use this command to create a new SSL cipher suite or modify an existing one.

IMPORTANT:

One SSL cipher suite can be created per SSL template.

A cipher suite contains the cryptographic algorithms supported by the client, and defines a key exchange and a cipher spec, which specifies the encryption and hash algorithms used during authentication. SSL cipher suites allow operators to select levels of security and to enable communication between devices with different security requirements.

Entering this command results in the following prompt:

[context_name]hostname(cfg-ctx-cipher-suite)#

Cipher Suite Configuration Mode commands are defined in the Cipher Suite Configuration Mode Commands chapter.


Example:
The following command specifies the SSL cipher suite cipher_suite_1 and enters the Cipher Suite Configuration Mode:
cipher-suite cipher_suite_1 
class-map

Creates or deletes a class map. If the class map is newly created, the system enters the Class-Map Configuration Mode within the current destination context to configure the match rules that classify packets for flow-based traffic policing of a subscriber session flow.

Platform:

ASR 5000

Product:

PDSN, HA, ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] class-map name class_name [ match-all | match-any ]
no

Deletes the configured Class-Map within the context.

class_name

Specifies the name of the Class-Map rule as a case-sensitive alphanumeric string of 1 through 15 characters.

match-all

Default: Enabled.

Enables AND logic across the match parameters configured in the Class-Map when classifying traffic flows/packets: every classification rule in the Class-Map must match for the Class-Map to be considered a match.

match-any

Default: Disabled.

Enables OR logic across the match parameters configured in the Class-Map when classifying traffic flows/packets: a match on any one classification rule in the Class-Map is enough for the Class-Map to be considered a match.


Usage:

Use this command to enter the Class-Map Configuration Mode to set classification parameters or filters in the traffic policy for a subscriber session flow.

IMPORTANT:

In this mode, classification rules are added sequentially with the match command to form a Class-Map. To change, delete, or re-add a particular rule, the entire Class-Map must be deleted.


Example:
The following command configures the classification map class_map1 with the option to match any condition in the match rules:
class-map name class_map1 match-any
closedrp-rp handoff

Enables or disables session handoff between Closed-RP and RP connections. Default: Disabled

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
closedrp-rp handoff
[ default | no ] closedrp-rp handoff
default

Resets the command to its default setting of disabled.

no

Disables Closed-RP to RP session handoff.


Usage:

Use this command to enable a PDSN service to handoff sessions between Closed-RP and RP connections.


Example:
To enable Closed-RP to RP handoffs, use the following command:
closedrp-rp handoff
To disable Closed-RP to RP handoffs, use the following command:
no closedrp-rp handoff
config-administrator

Configures a context-level administrator account within the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator


Syntax
config-administrator user_name [ encrypted ] password password [ ecs ] [ expiry-date date_time ] [ ftp ] [ li-administration ] [ nocli ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle timeout_duration ] [ timeout-min-idle idle_minutes ]
no config-administrator user_name
no

Removes a previously configured context-level administrator account.

user_name

Specifies the name for the account as an alphanumeric string of 1 through 32 characters.

[ encrypted ] password password

Specifies the password to use for the user which is being given context-level administrator privileges within the current context. The encrypted keyword indicates the password specified uses encryption.

password is an alphanumeric string of 1 through 63 characters without encryption, or 1 through 127 characters with encryption.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

ecs

Permits the user access to ACS-specific configuration commands. Default: Enhanced Charging Service (ECS / ACS) specific configuration commands allowed.

expiry-date date_time

Specifies the date and time that this account expires in the format YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss.

Where YYYY is the year, MM is the month, DD is the day of the month, HH is the hour, mm is minutes, and ss is seconds.

ftp

Indicates the user gains FTP and SFTP access with the administrator privileges. Default: FTP and SFTP are not allowed.

li-administration

Refer to the Lawful Intercept Configuration Guide for a description of this parameter.

nocli

Indicates the user is not allowed to access the command line interface. Default: CLI access allowed.

noecs

Prevents the specific user from accessing ACS-specific configuration commands.

timeout-absolute abs_seconds

IMPORTANT:

This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum amount of time (in seconds) that the administrator may have a session active before the session is forcibly terminated. abs_seconds must be an integer from 0 through 300000000. The value 0 disables the absolute timeout. Default: 0

timeout-min-absolute abs_minutes

Specifies the maximum amount of time (in minutes) the context-level administrator may have a session active before the session is forcibly terminated. abs_minutes must be an integer from 0 through 525600 (365 days). The value 0 disables the absolute timeout. Default: 0

timeout-idle timeout_duration

IMPORTANT:

This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum amount of idle time, in seconds, the context-level administrator may have a session active before the session is terminated. timeout_duration must be a value in the range from 0 through 300000000. The value 0 disables the idle timeout. Default: 0

timeout-min-idle idle_minutes

Specifies the maximum amount of idle time, in minutes, the context-level administrator may have a session active before the session is terminated. idle_minutes must be a value in the range from 0 through 525600 (365 days). The value 0 disables the idle timeout. Default: 0


Usage:

Use this command to create new context-level administrators or to modify an existing administrator's options, in particular the timeout values.

Administrator users have read-write privileges and full access to all contexts and command modes (except for a few security functions). Refer to the Command Line Interface Overview chapter of this guide for more information.

IMPORTANT:

A maximum of 128 administrative users and/or subscribers may be locally configured per context.


Example:
The following command configures a context-level administrator named user1 with ACS parameter control:
config-administrator user1 password secretPassword ecs
The following command removes a context-level administrator named user1:
no config-administrator user1
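The following is an added example, not part of the original guide: a Python auditor that parses config-administrator lines with the keywords documented above and reports accounts whose idle or absolute timeout is disabled (absent or 0), that have FTP/SFTP access, that have no expiry date or are past it, or whose password is given without the encrypted keyword. The account names ops2 and old3, the encrypted-password placeholders, the finding labels and the reference date are constructed.

```python
from datetime import datetime

# Keywords taken from the config-administrator syntax above.
FLAGS = {"ecs", "ftp", "li-administration", "nocli", "noecs"}
VALUED = {"expiry-date", "timeout-absolute", "timeout-min-absolute",
          "timeout-idle", "timeout-min-idle"}


def parse_expiry(text):
    """Parse the documented YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss format."""
    for fmt in ("%Y:%m:%d:%H:%M:%S", "%Y:%m:%d:%H:%M"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"bad expiry-date {text!r}")


def parse_admin(line):
    """Split one config-administrator line into user, flags and valued options."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "config-administrator":
        raise ValueError("not a config-administrator line")
    acct = {"user": tok[1], "encrypted": False, "flags": set(), "values": {}}
    i = 2
    while i < len(tok):
        word = tok[i]
        if word == "encrypted":
            acct["encrypted"] = True
        elif word in FLAGS:
            acct["flags"].add(word)
        elif word == "password" or word in VALUED:
            if i + 1 >= len(tok):
                raise ValueError(f"{word} needs a value")
            acct["values"][word] = tok[i + 1]
            i += 1  # skip the value so it is never read as a keyword
        else:
            raise ValueError(f"unknown keyword {word!r}")
        i += 1
    return acct


def timeout_minutes(values, minute_key, second_key):
    """Effective timeout in minutes; 0 (the default) means it is disabled."""
    if minute_key in values:
        return int(values[minute_key])
    if second_key in values:
        # Obsolete seconds keyword: rounded to the nearest whole minute
        # (assumption: halves round up).
        return (int(values[second_key]) + 30) // 60
    return 0


def audit_admin(line, now):
    """Return (user, findings) for one account line."""
    acct = parse_admin(line)
    values, findings = acct["values"], []
    if not acct["encrypted"]:
        findings.append("plaintext-password")
    if timeout_minutes(values, "timeout-min-idle", "timeout-idle") == 0:
        findings.append("no-idle-timeout")
    if timeout_minutes(values, "timeout-min-absolute", "timeout-absolute") == 0:
        findings.append("no-absolute-timeout")
    if "ftp" in acct["flags"]:
        findings.append("ftp-sftp-access")
    if "expiry-date" not in values:
        findings.append("no-expiry-date")
    elif parse_expiry(values["expiry-date"]) <= now:
        findings.append("account-expired")
    return acct["user"], findings


# Constructed sample lines; the first is the example command from this section.
SAMPLE = [
    "config-administrator user1 password secretPassword ecs",
    "config-administrator ops2 encrypted password 3f9a0c17 ftp "
    "timeout-min-idle 15 timeout-min-absolute 480 expiry-date 2030:01:31:23:59",
    "config-administrator old3 encrypted password a1b2c3d4 nocli "
    "timeout-idle 900 expiry-date 2020:06:30:00:00:00",
]
NOW = datetime(2025, 1, 1)  # constructed reference date


def audit_all(lines=SAMPLE, now=NOW):
    """Audit every line and return {user: [findings]}."""
    return dict(audit_admin(line, now) for line in lines)


if __name__ == "__main__":
    for user, findings in audit_all().items():
        print(user, findings or "ok")
```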
content-filtering

Enables or disables the creation, configuration or deletion of Content Filtering Server Groups (CFSG).

Platform:

ASR 5000

Product:

CF


Privilege:

Security Administrator, Administrator


Syntax
content-filtering server-group cf_server_group_name [ -noconfirm ]
no content-filtering server-group cf_server_group_name
no

Removes the specified CFSG previously configured in this context.

server-group cf_server_group_name

Specifies the name of the CFSG as an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any prompt and confirmation from the user.


Usage:

Use this command to create/configure/delete a CFSG.


Example:
The following command creates a CFSG named CF_Server1:
content-filtering server-group CF_Server1
credit-control-service

Enables or disables the creation, configuration or deletion of credit-control services.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
credit-control-service service_name [ -noconfirm ]
no credit-control-service service_name
no

Deletes the specified credit-control service.

service_name

Specifies the name of the credit-control service as an alphanumeric string of 1 through 63 characters.

If the named credit-control service does not exist, it is created, and the CLI mode changes to the Credit Control Service Configuration Mode wherein the service can be configured.

If the named credit-control service already exists, the CLI mode changes to the Credit Control Service Configuration Mode wherein the service can be configured.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create, configure or delete credit-control services.

Entering this command results in the following prompt:

[context_name]hostname(config-credit-control-service)

Credit control service configuration commands are described in the Credit Control Service Configuration Mode Commands chapter.


Example:
The following command enters the Credit Control Service Configuration Mode for a credit-control service named test159:
credit-control-service test159
crypto group

Creates or deletes a crypto group and enters the Crypto Configuration Mode allowing the configuration of crypto group parameters.

Platform:

ASR 5000

Product:

PDSN, PDIF, HA, GGSN


Privilege:

Administrator, Config-Administrator


Syntax
[ no ] crypto group group_name
no

Deletes a previously configured crypto group.

group_name

Specifies the name of the crypto group as an alphanumeric string of 1 through 127 characters that is case sensitive.

IMPORTANT:

A maximum of 32 crypto groups per context can be configured.


Usage:

Use this command to enter the configuration mode allowing the configuration of crypto group parameters.

Crypto (tunnel) groups are used to support the Redundant IPSec Tunnel Fail-over feature and consist of two configured ISAKMP crypto maps. Each crypto map defines the IPSec policy for a tunnel. In the crypto group, one tunnel serves as the primary, the other as the secondary (redundant).


Example:
The following command configures a crypto group called group1:
crypto group group1
crypto ipsec transform-set

Configures transform-sets on the system and enters the Crypto Trans Configuration Mode.

Platform:

ASR 5000

Product:

PDSN, PDIF, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
crypto ipsec transform-set transform_name [ ah { hmac { md5-96 | none | sha1-96 } { esp { hmac { { md5-96 | sha1-96 } { cipher { 3des-cbc | aes-cbc-128 | aes-cbc-256 | des-cbc } } | none } } } } ]
no crypto ipsec transform-set transform_name
no

Removes a previously configured transform set.

transform_name

Specifies the name of the transform set as an alphanumeric string of 1 through 127 characters that is case sensitive.

ah hmac

Configures the Authentication Header (AH) hash message authentication codes (HMAC) parameter for the transform set to one of the following:

  • md5-96: Message Digest 5 truncated to 96 bits
  • none: Disables the use of the AH protocol for the transform set.
  • sha1-96: Secure Hash Algorithm-1 truncated to 96 bits
esp hmac

Configures the Encapsulating Security Payload (ESP) hash message authentication codes (HMAC) parameter for the transform set to one of the following:

  • md5-96: Message Digest 5 truncated to 96 bits
  • none: Disables the use of the AH protocol for the transform set.
  • sha1-96: Secure Hash Algorithm-1 truncated to 96 bits
cipher

If ESP is enabled, this option must be used to set the encapsulation cipher protocol to one of the following:

  • 3des-cbc: Triple Data Encryption Standard (3DES) in cipher block chaining (CBC) mode.
  • aes-cbc-128: Advanced Encryption Standard (AES) in CBC mode with a 128-bit key.
  • aes-cbc-256: Advanced Encryption Standard (AES) in CBC mode with a 256-bit key.
  • des-cbc: DES in CBC mode.

Usage:

Use this command to create a transform set on the system.

Transform Sets are used to define IPSec security associations (SAs). IPSec SAs specify the IPSec protocols to use to protect packets.

Transform sets are used during Phase 2 of IPSec establishment. In this phase, the system and a peer security gateway negotiate one or more transform sets (IPSec SAs) containing the rules for protecting packets. This negotiation ensures that both peers can properly protect and process the packets.

This command applies to IKEv1. For IKEv2 configuration, refer to the ipsec transform-set command.

IMPORTANT:

The ah and subsequent keywords are required when the transform set is initially configured.


Example:
Create a transform set that has the name tset1, no authentication header, an encapsulating security protocol header hash message authentication code of md5, and a bulk payload encryption algorithm of des-cbc with the following command:
crypto ipsec transform-set tset1 ah hmac none esp hmac md5 cipher des-cbc
crypto map

Configures the name of the policy and enters the specified Crypto Map Configuration mode.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN, P-GW, PDIF


Privilege:

Security Administrator, Administrator


Syntax
crypto map name [ ikev2-ipv6 | ipsec-dynamic | ipsec-ikev1 | ipsec-manual ]
no crypto map name
no

Removes a previously configured crypto map.

name

Specifies the name of the crypto map as an alphanumeric string of 1 through 127 characters that is case sensitive.

ikev2-ipv6

Refer to the Lawful Intercept Configuration Guide for a description of this parameter.

ipsec-dynamic

Creates a dynamic crypto map and/or enters the Crypto Map Dynamic Configuration Mode.

ipsec-ikev1

Creates an IKEv1 crypto map and/or enters the Crypto Map IKEv1 Configuration Mode.

ipsec-manual

Creates a manual crypto map and/or enters the Crypto Map Manual Configuration Mode.


Usage:

Crypto Maps define the policies that determine how IPSec is implemented for subscriber data packets. There are several types of crypto maps supported by the system. They are:

  • Manual crypto maps: These are static tunnels that use pre-configured information (including security keys) for establishment. Because they rely on statically configured information, once created, the tunnels never expire; they exist until their configuration is deleted.

IMPORTANT:

Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only be configured and used for testing purposes.

  • IKEv1 crypto maps: These tunnels are similar to manual crypto maps in that they require some statically configured information such as the IP address of a peer security gateway and that they are applied to specific system interfaces. However, IKEv1 crypto maps offer greater security because they rely on dynamically generated security associations through the use of the Internet Key Exchange (IKE) protocol.
  • IKEv2-IPv6 crypto maps: Refer to the Lawful Intercept Configuration Guide for a description of this parameter.
  • Dynamic crypto maps: These tunnels are used for protecting L2TP-encapsulated data between the system and an LNS/security gateway or Mobile IP data between an FA service configured on one system and an HA service configured on another.

IMPORTANT:

The crypto map type (dynamic, IKEv1, IKEv2-IPv6, or manual) is specified when the map is first created using this command.


Example:
Create a dynamic crypto map named map1 and enter the Crypto Map Dynamic Configuration Mode by entering the following command:
crypto map map1 ipsec-dynamic
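The following is an added example, not part of the original guide: a Python check for the two passages above, the algorithm keywords of crypto ipsec transform-set and the note that manual crypto maps rely on static keys and are recommended for testing only. It parses both command forms and reports transform sets that use algorithms deprecated by RFC 8221, transform sets that provide no encryption, and manual crypto maps. The names tset2, tset3 and labmap, the finding labels and the prefix-matching rule are assumptions made for the example.

```python
# Keyword sets copied from the syntax in the two sections above.
HMACS = {"md5-96", "none", "sha1-96"}
CIPHERS = {"3des-cbc", "aes-cbc-128", "aes-cbc-256", "des-cbc"}
MAP_TYPES = {"ikev2-ipv6", "ipsec-dynamic", "ipsec-ikev1", "ipsec-manual"}
# RFC 8221 status: des-cbc and md5-96 MUST NOT, 3des-cbc SHOULD NOT.
DEPRECATED = {"des-cbc", "3des-cbc", "md5-96"}


def resolve(word, choices):
    """Return the full keyword for an exact match or a unique prefix.

    Assumption: a unique prefix is accepted, because the example in the
    transform-set section writes md5 where the syntax lists md5-96.
    """
    if word in choices:
        return word
    hits = [c for c in choices if c.startswith(word)]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous keyword {word!r}")
    return hits[0]


def parse_transform_set(line):
    """Parse 'crypto ipsec transform-set NAME ah hmac X esp hmac Y [cipher Z]'."""
    tok = line.split()
    if tok[:3] != ["crypto", "ipsec", "transform-set"] or len(tok) < 4:
        raise ValueError("not a transform-set line")
    ts = {"name": tok[3], "ah": "none", "esp": "none", "cipher": None}
    rest = tok[4:]
    while rest:
        if rest[:2] == ["ah", "hmac"] and len(rest) >= 3:
            ts["ah"], rest = resolve(rest[2], HMACS), rest[3:]
        elif rest[:2] == ["esp", "hmac"] and len(rest) >= 3:
            ts["esp"], rest = resolve(rest[2], HMACS), rest[3:]
        elif rest[0] == "cipher" and len(rest) >= 2:
            ts["cipher"], rest = resolve(rest[1], CIPHERS), rest[2:]
        else:
            raise ValueError(f"unexpected token {rest[0]!r}")
    return ts


def audit_line(line):
    """Return (object name, findings) for one crypto configuration line."""
    tok = line.split()
    if tok[:3] == ["crypto", "ipsec", "transform-set"]:
        ts = parse_transform_set(line)
        findings = []
        if ts["ah"] == "none" and ts["esp"] == "none":
            findings.append("no-protection")
        elif ts["esp"] == "none":
            # AH authenticates packets but does not encrypt them.
            findings.append("ah-only-no-encryption")
        for field in ("ah", "esp", "cipher"):
            if ts[field] in DEPRECATED:
                findings.append(f"{field}:{ts[field]}")
        return ts["name"], findings
    if tok[:2] == ["crypto", "map"] and len(tok) >= 3:
        kind = resolve(tok[3], MAP_TYPES) if len(tok) > 3 else None
        # Manual maps use static keys; the guide recommends them for testing only.
        return tok[2], ["manual-static-keys"] if kind == "ipsec-manual" else []
    raise ValueError("not a crypto transform-set or crypto map line")


# Constructed sample; the first and fourth lines are the examples from the page.
SAMPLE = [
    "crypto ipsec transform-set tset1 ah hmac none esp hmac md5 cipher des-cbc",
    "crypto ipsec transform-set tset2 ah hmac none esp hmac sha1-96 cipher aes-cbc-256",
    "crypto ipsec transform-set tset3 ah hmac sha1-96 esp hmac none",
    "crypto map map1 ipsec-dynamic",
    "crypto map labmap ipsec-manual",
]


def audit_config(lines=SAMPLE):
    """Audit every line and return {name: [findings]}."""
    return dict(audit_line(line) for line in lines)


if __name__ == "__main__":
    for name, findings in audit_config().items():
        print(name, findings or "ok")
```

Of the sample lines, tset2 shows a transform set built only from keywords on this page that produces no findings.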
crypto template

Creates a new or specifies an existing crypto template and enters the Crypto Template Configuration Mode.

Platform:

ASR 5000

Product:

ePDG, PDIF, S-GW


Privilege:

Security Administrator, Administrator


Syntax
crypto template name ikev2-dynamic
no crypto template name
no

Deletes a previously configured crypto template.

name ikev2-pdif

Specifies the name of a new or existing crypto template as an alphanumeric string of 1 through 127 characters.

ikev2-dynamic

Configures the Crypto Template to be used for configuring IPSec functionality.


Usage:

Use this command to create a new or enter an existing crypto template.

Entering this command results in the following prompt:

[context_name]hostname(cfg-crypto-tmpl-ikev2-tunnel)#

Crypto Template Configuration Mode commands are defined in the Crypto Template Configuration Mode Commands chapter.


Example:
The following command configures an IKEv2 dynamic crypto template called crypto1 and enters the Crypto Template Configuration Mode:
crypto template crypto1 ikev2-dynamic
cscf access-profile

Creates a new or enters an existing access profile used to set signaling compression for various network access types.

Platform:

ASR 5000

Product:

SCM


Privilege:

Administrator


Syntax
cscf access-profile { default | name profile_name } [ -noconfirm ]
no cscf access-profile name profile_name
no

Removes the CSCF access profile from the context.

default

Specifies that the system is to enter the Access Profile Configuration Mode for the default access profile.

name profile_name

Specifies a name for the access profile as an alphanumeric string of 1 through 79 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create an access profile for the CSCF service and cause the system to enter the Access Profile Configuration Mode where parameters are configured for the profile.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-access-profile)#

Access Profile Configuration Mode commands are defined in the CSCF Access Profile Configuration Mode Commands chapter.


Example:
The following command creates a CSCF Access Profile named profile2 and enters the Access Profile Configuration Mode:
cscf access-profile name profile2
cscf acl

Creates an Access Control List (ACL) and enters the ACL Configuration Mode.

Platform:

ASR 5000

Product:

SCM


Privilege:

Administrator


Syntax
cscf acl { default | name list_name } [ -noconfirm ]
no cscf acl name list_name
no

Removes the CSCF ACL from the context.

default

Specifies that the system is to enter the ACL Configuration Mode for the default ACL.

name list_name

Specifies a name for the ACL as an alphanumeric string of 1 through 47 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create an access control list for the CSCF service and cause the system to enter the ACL Configuration Mode where parameters are configured for the new list.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-acl)#

ACL Configuration Mode commands are defined in the CSCF ACL Configuration Mode Commands chapter.

Use this command when configuring the following SCM components: P-CSCF, S-CSCF, and SIP Proxy.


Example:
The following command creates a CSCF access control list named acl1 and enters the ACL Configuration Mode:
cscf acl name acl1
cscf ifc-filter-criteria

Creates Initial Filter Criteria (iFC) filter criteria for shared iFC functionality.

Platform:

ASR 5000

Product:

SCM (S-CSCF, SIP Proxy)


Privilege:

Administrator


Syntax
cscf ifc-filter-criteria id fc_id priority pri [ profile-part-indicator { registered | unregistered } ] app-server uri scheme { sip | sips } as as-default-handling { session-continue | session-terminate } [ -noconfirm ] | [ service-info info ] [ trigger-point tp_name ] [ -noconfirm ] | [ trigger-point tp_id ] [ -noconfirm ]
no cscf ifc-filter-criteria id fc_id
no

Removes the specified CSCF iFC filter criteria from the context.

id fc_id

Specifies an ID for the iFC filter criteria as an integer from 1 through 200.

priority pri

Specifies the priority of the filter criteria, which is used to select a particular filter criteria from multiple ones present under an ISC template. pri must be an integer from 0 through 1024.

profile-part-indicator { registered | unregistered }

Indicates whether the iFC is a part of the registered or unregistered user profile. If a value is not specified, then the configuration will be applied to both registered and unregistered subscribers.

app-server uri scheme { sip | sips }

Determines the associated application server’s URI scheme.

sip: SIP URI

sips: SIPS URI (TLS)

as

Specifies an address for the associated application server as an alphanumeric string of 1 through 127 characters.

as-default-handling { session-continue | session-terminate }

Determines whether the dialog should be released (session-terminate) or not (session-continue) when the application server cannot be reached or an application server error is returned.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

service-info info

Specifies optional service information to be sent to the application server. info is an alphanumeric string of 1 through 63 characters.

trigger-point tp_id

Assigns an iFC trigger point to the filter criteria as an integer from 1 through 200.


Usage:

Use this command to create a filter criteria ID and associate an application server address to it. You may also define a trigger point ID to be executed in order to select the application server. If no trigger point is specified, then the application server is selected unconditionally.

IMPORTANT:

Filter criteria is associated with an ISC template in the ISC Template Configuration Mode.

IMPORTANT:

Filter criteria can be assigned to more than one ISC template.


Example:
The following command creates iFC filter criteria 15, which has a priority of 2 and is part of the registered user profile. Filter criteria 15 is assigned to a SIP application server named appserver. The dialog will not be released if the application server cannot be reached. Filter criteria 15 is also assigned trigger point 12:
cscf ifc-filter-criteria id 15 priority 2 profile-part-indicator registered app-server uri scheme sip appserver as-default-handling session-continue trigger-point 12
cscf ifc-spt-condition

Creates an Initial Filter Criteria (iFC) Service Point Trigger (SPT) condition for shared iFC functionality.

Platform:

ASR 5000

Product:

SCM (S-CSCF, SIP Proxy)


Privilege:

Administrator


Syntax
cscf ifc-spt-condition id cond_id { request-uri content uri_content | session-case { originating-registered | originating-unregistered | terminating-registered | terminating-unregistered } | session-description sdp [ content sdp_data ] | sip-header hdr [ content hdr_data ] | sip-method method } [ -noconfirm ] [ condition-negated ]
no cscf ifc-spt-condition id cond_id
no

Removes the specified CSCF iFC SPT condition from the context.

id cond_id

Specifies an ID for the iFC SPT condition as an integer from 1 through 200.

request-uri content uri_content

Specifies request URI content as an alphanumeric string of 1 through 127 characters.

IMPORTANT:

Wildcard Extended Regular Expressions (ERE) are supported for this value. For example, "sip.user[0-9]@192\\.168\\.176\\.150"

session-case { originating-registered | originating-unregistered | terminating-registered | terminating-unregistered }

Determines the type of session:

  • originating-registered: Session handling an originating end user.
  • originating-unregistered: Session handling an unregistered originating end user.
  • terminating-registered: Session handling a terminating registered end user.
  • terminating-unregistered: Session handling a terminating unregistered end user.
session-description sdp [ content sdp_data ]

Specifies an SDP line type.

sdp is an alphanumeric string of 1 through 15 characters.

content specifies content on the SDP line.

sdp_data is an alphanumeric string of 1 through 127 characters.

sip-header hdr [ content hdr_data ]

Specifies a header type.

hdr is an alphanumeric string of 1 through 127 characters.

content specifies content on the header.

hdr_data is an alphanumeric string of 1 through 127 characters.

sip-method method

Specifies a SIP method.

method is an alphanumeric string of 1 through 127 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

condition-negated

Negates the specified condition.


Usage:

Use this command to create individual SPT conditions that are later associated with an SPT group in the iFC SPT Group Configuration Mode.

IMPORTANT:

An iFC SPT group may be associated with multiple SPT conditions.


Example:
The following command creates iFC SPT condition 10 which handles an originating end user:
cscf ifc-spt-condition id 10 session-case originating-registered
The following command negates the condition created above:
cscf ifc-spt-condition id 10 session-case originating-registered condition-negated
cscf ifc-spt-group

Creates an Initial Filter Criteria (iFC) Service Point Trigger (SPT) group for shared iFC functionality.

Platform:

ASR 5000

Product:

SCM (S-CSCF, SIP Proxy)


Privilege:

Administrator


Syntax
cscf ifc-spt-group id group_id [ [ -noconfirm ] | reg-type { de-registration | initial-registration | re-registration } [ -noconfirm ] ]
no cscf ifc-spt-group id group_id
no

Removes the specified CSCF iFC SPT group from the context.

id group_id

Specifies an ID for the iFC SPT group as an integer from 1 through 200.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

reg-type { de-registration | initial-registration | re-registration }

Defines whether the SPT condition matches to REGISTER messages that are related to:

  • de-registration
  • initial-registration
  • re-registration

Usage:

Use this command to create an iFC SPT group ID and bind different SPT conditions under it.

IMPORTANT:

An iFC SPT group may be associated with multiple SPT conditions.

The SPT group can also specify the registration type that defines whether the SPT condition matches to REGISTER messages that are related to initial registrations, re-registrations, or de-registrations.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-ifc-spt-group)#

iFC SPT Group Configuration Mode commands are defined in the CSCF IFC SPT Group Configuration Mode Commands chapter.


Example:
The following command creates iFC SPT group 21:
cscf ifc-spt-group id 21
cscf ifc-trigger-point

Creates an Initial Filter Criteria (iFC) trigger point for shared iFC functionality.

Platform:

ASR 5000

Product:

SCM (S-CSCF, SIP Proxy)


Privilege:

Administrator


Syntax
cscf ifc-trigger-point id tp_id condition-type { cnf | dnf } [ -noconfirm ]
no cscf ifc-trigger-point id tp_id
no

Removes the specified CSCF iFC trigger point from the context.

id tp_id

Specifies an ID for the iFC trigger point as an integer from 1 through 200.

condition-type { cnf | dnf }

Defines the condition type of the iFC trigger point:

cnf: conjunctive normal form

dnf: disjunctive normal form

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create a trigger point ID and bind different SPT groups under it.

IMPORTANT:

An iFC SPT group can be assigned to more than one iFC trigger point.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-ifc-trigger-point)#

IFC Trigger Point Configuration Mode commands are defined in the CSCF IFC Trigger Point Configuration Mode Commands chapter.


Example:
The following command creates iFC trigger point 11 with a cnf condition type:
cscf ifc-trigger-point id 11 condition-type cnf
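The following is an added example, not part of the original guide: a Python model of how SPT conditions, SPT groups and a trigger point's condition-type combine, showing that the same groups select different requests under cnf and dnf. The grouping rule follows the 3GPP iFC definition (under cnf a group is an ORed set and the groups are ANDed; under dnf a group is an ANDed set and the groups are ORed); the dictionaries, the group binding and the requests are constructed, and Python's re module stands in for the ERE matching.

```python
import re

# Constructed SPT conditions keyed by id. Condition 10 is the example from the
# cscf ifc-spt-condition section; condition 12 uses the ERE quoted there
# (written once-escaped here) together with condition-negated.
CONDITIONS = {
    10: {"kind": "session-case", "arg": "originating-registered"},
    11: {"kind": "sip-method", "arg": "INVITE"},
    12: {"kind": "request-uri", "arg": r"sip.user[0-9]@192\.168\.176\.150",
         "negated": True},
}
GROUPS = {21: [10], 22: [11, 12]}  # SPT group id -> bound condition ids
TP_CNF = {"id": 11, "type": "cnf", "groups": [21, 22]}
TP_DNF = {"id": 11, "type": "dnf", "groups": [21, 22]}

# Constructed requests reduced to the fields the conditions inspect.
REQUESTS = [
    {"method": "INVITE", "session_case": "originating-registered",
     "request_uri": "sip:user7@192.168.176.150"},
    {"method": "MESSAGE", "session_case": "terminating-registered",
     "request_uri": "sip:user7@192.168.176.150"},
    {"method": "INVITE", "session_case": "terminating-registered",
     "request_uri": "sip:bob@example.net"},
    {"method": "MESSAGE", "session_case": "originating-registered",
     "request_uri": "sip:user7@192.168.176.150"},
]


def condition_matches(cond, request):
    """Evaluate one SPT condition, then apply condition-negated if set."""
    kind, arg = cond["kind"], cond["arg"]
    if kind == "sip-method":
        hit = request["method"] == arg
    elif kind == "session-case":
        hit = request["session_case"] == arg
    elif kind == "request-uri":
        # The unescaped '.' after 'sip' matches any character, including ':'.
        hit = re.search(arg, request["request_uri"]) is not None
    else:
        raise ValueError(f"unsupported condition kind {kind!r}")
    return hit != cond.get("negated", False)


def trigger_point_matches(tp, groups, conditions, request):
    """Combine group results according to the trigger point's condition-type."""
    cnf = tp["type"] == "cnf"

    def group_value(group_id):
        results = [condition_matches(conditions[c], request)
                   for c in groups[group_id]]
        return any(results) if cnf else all(results)

    values = [group_value(g) for g in tp["groups"]]
    return all(values) if cnf else any(values)


def evaluate_all(tp):
    """Return the match result of tp for every constructed request."""
    return [trigger_point_matches(tp, GROUPS, CONDITIONS, r) for r in REQUESTS]


if __name__ == "__main__":
    print("cnf:", evaluate_all(TP_CNF))
    print("dnf:", evaluate_all(TP_DNF))
```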
cscf isc-template

Creates an IMS Service Control (ISC) template and enters the ISC Template Configuration Mode.

Platform:

ASR 5000

Product:

SCM (S-CSCF)


Privilege:

Administrator


Syntax
[ no ] cscf isc-template id template_id
no

Removes the CSCF ISC template from the context.

cscf isc-template id template_id

Specifies an ID for the ISC template as an integer from 1 through 200.


Usage:

Use this command to create an ISC template for the CSCF service and cause the system to enter the ISC Template Configuration Mode where parameters are configured for the new template.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-isc-tmpl)#

ISC Template Configuration Mode commands are defined in the CSCF ISC Template Configuration Mode Commands chapter.

Use this command when configuring the following SCM component: S-CSCF.


Example:
The following command creates ISC template 10 and enters the ISC Template Configuration Mode:
cscf isc-template id 10

cscf last-route-profile

Creates a last route profile and enters the Last Route Profile Criteria Configuration Mode. The profile is specified in the peer server configuration to select the Last Routing Option (LRO) number used when forwarding an emergency call packet to a particular peering server.

Platform:

ASR 5000

Product:

SCM

Privilege:

Administrator


Syntax
cscf last-route-profile name profile_name criteria { county-name | round-robin } [ -noconfirm ]
no cscf last-route-profile name profile_name
no

Removes the specified CSCF last route profile from the context.

name profile_name

Specifies the name of the last route profile as an alphanumeric string of 1 through 79 characters.

criteria { county-name | round-robin }

county-name: Profile specific to the county-name criteria.

Entering this command results in the following prompt:

[context_name]hostname(config-county-name-lro-profile)#

Last Route Profile Criteria Configuration Mode commands are defined in the CSCF Last Route Profile Criteria Configuration Mode Commands chapter.

round-robin: Profile specific to the round-robin criteria.

Entering this command results in the following prompt:

[context_name]hostname(config-round-robin-lro-profile)#

Last Route Profile Criteria Configuration Mode commands are defined in the CSCF Last Route Profile Criteria Configuration Mode Commands chapter.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create a last route profile and enter the Last Route Profile Criteria Configuration Mode.

IMPORTANT:

Last route profiles are associated with peer servers in the CSCF Peer Server Monitoring Configuration Mode.

Use this command when configuring the following SCM components: S-CSCF and SIP Proxy.


Example:
The following command creates a last route profile named lro1 and enters the CSCF Last Route Profile Criteria Configuration Mode to specify county name criteria:
cscf last-route-profile name lro1 criteria county-name
The following command creates a last route profile named lro2 and enters the CSCF Last Route Profile Criteria Configuration Mode to specify round robin criteria:
cscf last-route-profile name lro2 criteria round-robin

cscf peer-servers

Creates a peer server type for next-hop session routing and enters the Peer Servers Configuration Mode.

Platform:

ASR 5000

Product:

SCM


Privilege:

Administrator


Syntax
cscf peer-servers server_name type { type } [ -noconfirm ]
no cscf peer-servers server_name
no

Removes the specified CSCF peer server from the context.

server_name

Specifies the name of the peer server as an alphanumeric string of 1 through 79 characters.

type { type }

Specifies the type of peer server to configure:

  • bgcf: Border Gateway Control Function
  • ecscf: Emergency Call/Session Control Function
  • ibcf: Interconnect Border Control Function
  • icscf: Interrogating Call/Session Control Function
  • mgcf: Media Gateway Control Function
  • mrfc: Media Resource Function Controller
  • other: Other Function
  • pcscf: Proxy Call/Session Control Function
  • scscf: Serving Call/Session Control Function
  • sip-as: Session Initiation Protocol-Application Server

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create a specific peer server and enter the Peer Servers Configuration Mode where connectivity parameters can be entered.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-peer-servers)#

Peer Servers Configuration Mode commands are defined in the CSCF Peer Servers Configuration Mode Commands chapter.

Use this command when configuring the following SCM components: E-CSCF, P-CSCF, S-CSCF, and SIP Proxy.


Example:
The following command creates an I-CSCF server type called icscf_peer1 and enters the Peer Servers Configuration Mode:
cscf peer-servers icscf_peer1 type icscf

cscf policy

Creates a policy group for specific AoR profiles and enters the Policy Configuration Mode.

Platform:

ASR 5000

Product:

SCM


Privilege:

Administrator


Syntax
cscf policy { default | name policy_name [ -noconfirm ] }
no cscf policy name policy_name
no

Removes the specified CSCF policy group from the context.

default

Specifies that the system is to enter the AoR Policy Rules Configuration Mode for the default policy. The default policy uses AoR policy rules.

Entering this command results in the following prompt:

[context_name]hostname(config-aor-policy)#

Default (AoR) Policy Configuration Mode commands are defined in the CSCF AoR Policy Rules Configuration Mode Commands chapter.

name policy_name

Specifies the name of the policy group as an alphanumeric string of 1 through 79 characters.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-policy)#

Policy Configuration Mode commands are defined in the CSCF Policy Configuration Mode Commands chapter.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create a policy group and enter either the AoR Policy Rules Configuration Mode (default) or Policy Configuration Mode (name policy_name).

Use this command when configuring the following SCM components: P-CSCF, S-CSCF, and SIP Proxy.


Example:
The following command creates a policy group named group2 and enters the CSCF Policy Configuration Mode:
cscf policy name group2

cscf routes

Creates a route group for specifying routing information and enters the Routes Configuration Mode.

Platform:

ASR 5000

Product:

SCM


Privilege:

Administrator


Syntax
cscf routes { default | name route_name [ -noconfirm ] }
no cscf routes name route_name
no

Removes the specified CSCF route group from the context.

default

Specifies that the system is to enter the Routes Configuration Mode for the default route group.

name route_name

Specifies the name of the route group as an alphanumeric string of 1 through 79 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create a route group and enter the Routes Configuration Mode.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-route)#

Routes Configuration Mode commands are defined in the CSCF Routes Configuration Mode Commands chapter.

Use this command when configuring the following SCM components: P-CSCF, S-CSCF, SIP Proxy.


Example:
The following command creates a route group named route_group5 and enters the Route Group Configuration Mode:
cscf routes name route_group5

cscf service

Creates a CSCF service or specifies an existing CSCF service and enters the CSCF Service Configuration Mode for the current context.

Platform:

ASR 5000

Product:

SCM


Privilege:

Administrator


Syntax
[ no ] cscf service service_name [ -noconfirm ]
no

Removes the specified CSCF service from the context.

service_name

Specifies the name of the CSCF service. If service_name does not refer to an existing service, the new service is created if resources allow.

service_name is an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Enter the CSCF Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-service)#

CSCF Service Configuration Mode commands are defined in the CSCF Service Configuration Mode Commands chapter.

Use this command when configuring the following SCM components: P-CSCF, S-CSCF, SIP Proxy.


Example:
The following command enters the existing CSCF Service Configuration Mode (or creates it if it does not already exist) for the service named cscf-service1:
cscf service cscf-service1
The following command will remove cscf-service1 from the system:
no cscf service cscf-service1

cscf session-template

Creates a session template and/or enters the Session Template Configuration Mode.

Platform:

ASR 5000

Product:

SCM


Privilege:

Administrator


Syntax
cscf session-template { default | name template_name [ -noconfirm ] }
no cscf session-template name template_name
no

Removes the specified CSCF session template from the context.

default

Specifies that the system is to enter the Session Template Configuration Mode for the default session template.

name template_name

Specifies a name for the template as an alphanumeric string of 1 through 79 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create a new session template and enter the Session Template Configuration Mode or enter the mode for an existing template.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-session-template)#

Session Template Configuration Mode commands are defined in the CSCF Session Template Configuration Mode Commands chapter.

Use this command when configuring the following SCM components: P-CSCF, S-CSCF, SIP Proxy.


Example:
The following command enters the Session Template Configuration Mode for a template named sess_temp4:
cscf session-template name sess_temp4

cscf subdomain-routes

Creates a subdomain-route list and enters the Subdomain-route List Configuration Mode.

Platform:

ASR 5000

Product:

SCM (I-CSCF)


Privilege:

Administrator


Syntax
[ no ] cscf subdomain-routes
no

Removes the CSCF subdomain-route list from the context.


Usage:

Use this command to create a subdomain-route list and enter the Subdomain-route List Configuration Mode.

Upon receiving a terminating request, the I-CSCF checks the subdomain-route list for matches. If a match is found, the request is routed based on it. Otherwise, the I-CSCF performs a User Location Query (Location-Information-Request) before proceeding.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-subdomain-route)#

Subdomain-route List Configuration Mode commands are defined in the CSCF Subdomain-route List Configuration Mode Commands chapter.


Example:
The following command enters the Subdomain-route List Configuration Mode:
cscf subdomain-routes

cscf translation

Creates a translation list and enters the Translation Configuration Mode.

Platform:

ASR 5000

Product:

SCM


Privilege:

Administrator


Syntax
cscf translation { default | name list_name [ -noconfirm ] }
no cscf translation name list_name
no

Removes the specified CSCF translation list from the context.

default

Specifies that the system is to enter the Translation Configuration Mode for the default translation list.

name list_name

Specifies a name for the translation list as an alphanumeric string of 1 through 79 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create a new translation list and enter the Translation Configuration Mode or enter the mode for an existing list.

Translation lists are used to modify or replace a request-URI such as an E.164 number. For example, a translation list can be configured to append digits to the end of a number or replace a domain name with another.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-translation)#

Translation Configuration Mode commands are defined in the CSCF Translation Configuration Mode Commands chapter.

Use this command when configuring the following SCM components: P-CSCF, S-CSCF, SIP Proxy.


Example:
The following command enters the Translation Configuration Mode for a translation list named trans_list3:
cscf translation name trans_list3

cscf urn-service-list

Creates a URN service list and enters the URN List Configuration Mode.

Platform:

ASR 5000

Product:

SCM


Privilege:

Administrator


Syntax
cscf urn-service-list { default | name list_name [ -noconfirm ] }
no cscf urn-service-list name list_name
no

Removes the specified CSCF URN service list from the context.

default

Specifies that the system is to enter the URN List Configuration Mode for the default URN service list.

name list_name

Specifies a name for the URN service list as an alphanumeric string of 1 through 79 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create a URN service list name and enter the URN List Configuration Mode. URN lists contain URN to URI mappings used for emergency and location-based services. A URN service list is selected by a CSCF session template.

Entering this command results in the following prompt:

[context_name]hostname(config-cscf-service-urn)#

URN List Configuration Mode commands are defined in the CSCF URN List Configuration Mode Commands chapter.

Use this command when configuring the following SCM components: P-CSCF.


Example:
The following command enters the URN List Configuration Mode for a URN list named urn_list1:
cscf urn-service-list name urn_list1

css server

In StarOS 9.0 and later releases, this command is obsolete. In earlier releases, this command is restricted.

dhcp-service

Adds a Dynamic Host Configuration Protocol (DHCP) service instance to the current context and enters the configuration mode for that service.

Platform:

ASR 5000

Product:

GGSN, ASN-GW


Privilege:

Security Administrator, Administrator


Syntax
dhcp-service service_name [ no ] allow dhcp-relay-agent-auth-suboption [ -noconfirm ]
no dhcp-service service_name
no

Removes a previously configured DHCP service from the current context.

service_name

Specifies the name of the DHCP service as an alphanumeric string of 1 through 63 characters that is case sensitive.

allow dhcp-relay-agent-auth-suboption

The DHCP Relay Agent Information Option conveys information between a DHCP Relay Agent and a DHCP server. This specification defines an authentication suboption for that option, containing a keyed hash in its payload. The suboption supports data integrity and replay protection for relayed DHCP messages.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

DANGER:

If this keyword option is used with the no dhcp-service service_name command, the DHCP service named service_name is deleted, along with all active/inactive subscribers, without any warning or confirmation prompt.


Usage:

Use this command to add a DHCP service to a context configured on the system and enter the DHCP Service Configuration Mode. A DHCP service is a logical grouping of external DHCP servers.

The DHCP Configuration Mode provides parameters that dictate the system’s communication with one or more of these DHCP servers.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Refer to the DHCP Service Configuration Mode chapter of this reference for additional information.


Example:
The following command creates a DHCP service called dhcp1 and enters the DHCP Service Configuration Mode:
dhcp-service dhcp1

diameter accounting

This command configures Diameter accounting related settings.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
diameter accounting { dictionary { aaa-custom1 | aaa-custom10 | aaa-custom2 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq | rf-plus } | endpoint endpoint_name | hd-mode fall-back-to-local | hd-storage-policy hd_policy | max-retries max_retries | max-transmissions transmissions | request-timeout duration | server host_name priority priority }
default diameter accounting { dictionary | hd-mode | max-retries | max-transmissions | request-timeout }
no diameter accounting { endpoint | hd-mode | hd-storage-policy | max-retries | max-transmissions | server host_name }

no diameter accounting { endpoint | hd-mode | hd-storage-policy | max-retries | max-transmissions | server host_name }

endpoint: Removes the currently configured accounting endpoint. The default accounting server configured in the default AAA group will be used.

hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies records to the local HDD and periodically retries the Diameter server.

hd-storage-policy: Disables use of the specified HD storage policy.

max-retries: Disables the retry attempts for Diameter accounting in this AAA group.

max-transmissions: Disables the maximum number of transmission attempts for Diameter accounting in this AAA group.

server host_name: Removes the Diameter host host_name from this AAA server group for Diameter accounting.

default diameter accounting { dictionary | hd-mode | max-retries | max-transmissions | request-timeout }

dictionary: Sets the context’s dictionary to the default.

hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies records to the local HDD and periodically retries the Diameter server.

max-retries: 0 (disabled)

max-transmissions: 0 (disabled)

request-timeout: 20 seconds

dictionary { aaa-custom1 | aaa-custom10 | aaa-custom2 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq | rf-plus }

Specifies the Diameter accounting dictionary.

aaa-custom1 ... aaa-custom10: Configures the custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.

nasreq: nasreq dictionary—the dictionary defined by RFC 3588.

rf-plus: RF Plus dictionary.

endpoint endpoint_name

Enables Diameter to be used for accounting, and specifies which Diameter endpoint to use.

endpoint_name is an alphanumeric string of 1 through 63 characters.

hd-mode fall-back-to-local

Specifies that records be copied to the local HDD if the Diameter server is down or unreachable. CDF/CGF will pull the records through SFTP.

hd-storage-policy hd_policy

Specifies the HD Storage policy name.

hd_policy must be the name of a configured HD Storage policy, expressed as an alphanumeric string of 1 through 63 characters.

HD storage policies are configured through the Global Configuration Mode.

This and the hd-mode command are used to enable the storage of Rf Diameter Messages to HDD in case all Diameter Servers are down or unreachable.

max-retries max_retries

Specifies how many times a Diameter request should be retried with the same server, if the server fails to respond to a request.

max_retries specifies the maximum number of retry attempts. The value must be an integer from 1 through 1000.

Default: 0

max-transmissions transmissions

Specifies the maximum number of transmission attempts for a Diameter request. Use this in conjunction with the “max-retries max_retries” option to control how many servers the system attempts to communicate with.

transmissions specifies the maximum number of transmission attempts for a Diameter request. The value must be an integer from 1 through 1000. Default: 0

request-timeout duration

Specifies how long the system will wait for a response from a Diameter server before re-transmitting the request.

duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request. This value must be an integer from 1 through 3600. Default: 20

server host_name priority priority

Specifies the current context Diameter accounting server’s host name and priority.

host_name specifies the Diameter host name, expressed as an alphanumeric string of 1 through 63 characters.

priority specifies the relative priority of this Diameter host. The priority is used in server selection. The priority must be an integer from 1 through 1000.


Usage:

Use this command to manage the Diameter accounting options according to the Diameter server used for the context.


Example:
The following command configures the Diameter accounting dictionary as aaa-custom4:
diameter accounting dictionary aaa-custom4
The following command configures the Diameter endpoint named aaaa_test:
diameter accounting endpoint aaaa_test

diameter authentication

This command configures Diameter authentication related settings.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
diameter authentication { dictionary { aaa-custom1 | aaa-custom10 | aaa-custom11 | aaa-custom12 | aaa-custom13 | aaa-custom14 | aaa-custom15 | aaa-custom16 | aaa-custom17 | aaa-custom18 | aaa-custom19 | aaa-custom2 | aaa-custom20 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq } | endpoint endpoint_name | max-retries max_retries | max-transmissions transmissions | redirect-host-avp { just-primary | primary-then-secondary } | request-timeout duration | server host_name priority priority }
default diameter authentication { dictionary | max-retries | max-transmissions | redirect-host-avp | request-timeout }
no diameter authentication { endpoint | max-retries | max-transmissions | server host_name }

no diameter authentication { endpoint | max-retries | max-transmissions | server host_name }
  • endpoint: Removes the authentication endpoint. The default server configured in default AAA group will be used.
  • max-retries: Disables the retry attempts for Diameter authentication in this AAA group.
  • max-transmissions: Disables the maximum transmission attempts for Diameter authentication in this AAA group.
  • server host_name: Removes the Diameter host host_name from this AAA server group for Diameter authentication.

default diameter authentication { dictionary | max-retries | max-transmissions | redirect-host-avp | request-timeout }

Configures default setting for specified parameter.

  • dictionary: Sets the context’s dictionary to the default.
  • max-retries: Sets the retry attempts for Diameter authentication requests in this AAA group to default 0 (disable).
  • max-transmissions: Sets the configured maximum transmission attempts for Diameter authentication in this AAA group to default 0 (disable).
  • redirect-host-avp: Sets the redirect choice to default (just-primary).
  • request-timeout: Sets the timeout duration, in seconds, for Diameter authentication requests in this AAA group to default (20).

dictionary { aaa-custom1 | aaa-custom10 | aaa-custom11 | aaa-custom12 | aaa-custom13 | aaa-custom14 | aaa-custom15 | aaa-custom16 | aaa-custom17 | aaa-custom18 | aaa-custom19 | aaa-custom2 | aaa-custom20 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq }

Specifies the Diameter authentication dictionary.

aaa-custom1 ... aaa-custom8, aaa-custom10 ... aaa-custom20: Configures the custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.

IMPORTANT:

aaa-custom11 dictionary is only available in Release 8.1 and later. aaa-custom12 to aaa-custom20 dictionaries are only available in Release 9.0 and later releases.

aaa-custom9: Configures the STa standard dictionary.

nasreq: nasreq dictionary—the dictionary defined by RFC 3588.

endpoint endpoint_name

Enables Diameter to be used for authentication, and specifies which Diameter endpoint to use.

endpoint_name is an alphanumeric string of 1 through 63 characters.

max-retries max_retries

Specifies how many times a Diameter authentication request should be retried with the same server, if the server fails to respond to a request.

max_retries specifies the maximum number of retry attempts, and must be an integer from 1 through 1000. Default: 0

max-transmissions transmissions

Specifies the maximum number of transmission attempts for a Diameter authentication request. Use this in conjunction with the “max-retries max_retries” option to control how many servers the system attempts to communicate with.

transmissions specifies the maximum number of transmission attempts, and must be an integer from 1 through 1000. Default: 0

diameter authentication redirect-host-avp { just-primary | primary-then-secondary }

Specifies whether to use just one returned AVP, or to use the first returned AVP to select the primary host and the second returned AVP to select the secondary host.

just-primary: Redirect only to the primary host.

primary-then-secondary: Redirect to the primary host; if that fails, redirect to the secondary host.

Default: just-primary

request-timeout duration

Specifies how long the system will wait for a response from a Diameter server before re-transmitting the request.

duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request, and must be an integer from 1 through 3600. Default: 20

server host_name priority priority

Specifies the current context Diameter authentication server’s host name and priority.

host_name specifies the Diameter host name, expressed as an alphanumeric string of 1 through 63 characters.

priority specifies the relative priority of this Diameter host, and must be an integer from 1 through 1000. The priority is used in server selection.


Usage:

Use this command to manage the Diameter authentication configurations according to the Diameter server used for the context.


Example:
The following command configures the Diameter authentication dictionary aaa-custom14:
diameter authentication dictionary aaa-custom14
The following command configures the Diameter endpoint named aaau1:
diameter authentication endpoint aaau1

diameter authentication failure-handling

This command configures error handling for Diameter EAP requests.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } { request-timeout action { continue | retry-and-terminate | terminate } | result-code result_code { [ to end_result_code ] action { continue | retry-and-terminate | terminate } } }
no diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } result-code result_code [ to end_result_code ]
default diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } request-timeout action
no

Disables Diameter authentication failure handling.

default

Configures the default Diameter authentication failure handling setting.

authorization-request

Specifies that failure handling is to be performed on Diameter authorization request messages (AAR/AAA).

eap-request

Specifies configuring failure handling for EAP requests.

eap-termination-request

Specifies configuring failure handling for EAP termination requests.

request-timeout action { continue | retry-and-terminate | terminate }

Specifies the action to be taken for failures:

  • continue: Continues the session
  • retry-and-terminate: Retries first; if the retry fails, terminates the session
  • terminate: Terminates the session

result-code result_code { [ to end_result_code ] action { continue | retry-and-terminate | terminate } }

result_code: Specifies the result code as an integer from 1 through 65535.

to end_result_code: Specifies the upper limit of a range of result codes. end_result_code must be greater than result_code.

action { continue | retry-and-terminate | terminate }: Specifies action to be taken for failures:

  • continue: Continues the session
  • retry-and-terminate: Retries first; if the retry fails, terminates the session
  • terminate: Terminates the session

Usage:

Use this command to configure error handling for Diameter EAP, EAP-termination, and authorization requests. Specific actions (continue, retry-and-terminate, or terminate) can be associated with each possible result-code. Ranges of result codes can be defined with the same action, or actions can be specific on a per-result code basis.


Example:
The following commands configure result codes 5001, 5002, 5004, and 5005 to use action continue and result code 5003 to use action terminate:
diameter authentication failure-handling eap-request result-code 5001 to 5005 action continue
diameter authentication failure-handling eap-request result-code 5003 action terminate

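
The following Python script is an added example; it is not part of the original reference or of StarOS. It checks failure-handling lines against the syntax above and reports which request-timeout and result-code conditions still resolve to action continue, so they can be reviewed. Assumptions: a later line overrides an earlier one where their result codes overlap, end_result_code shares the 1 through 65535 bound, and only result codes 3000 and above (Diameter protocol errors, transient failures and permanent failures) are reported.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not from a real device). The first two follow the
# range-then-override pattern; the last two are deliberately invalid.
SAMPLE_CONFIG = """\
diameter authentication failure-handling eap-request result-code 5001 to 5005 action continue
diameter authentication failure-handling eap-request result-code 5003 action terminate
diameter authentication failure-handling authorization-request request-timeout action continue
diameter authentication failure-handling eap-termination-request result-code 3002 action retry-and-terminate
diameter authentication failure-handling eap-request result-code 70000 action terminate
diameter authentication failure-handling eap-request result-code 4010 to 4001 action continue
"""

# Mirrors the Syntax entry: message type, then request-timeout or a result code
# (optionally a range), then an action.
LINE_RE = re.compile(
    r"^\s*diameter\s+authentication\s+failure-handling\s+"
    r"(?P<msg>authorization-request|eap-request|eap-termination-request)\s+"
    r"(?:request-timeout|result-code\s+(?P<lo>\d+)(?:\s+to\s+(?P<hi>\d+))?)\s+"
    r"action\s+(?P<action>continue|retry-and-terminate|terminate)\s*$"
)


@dataclass
class Rule:
    line_no: int
    message: str
    lo: Optional[int]  # None for the request-timeout form
    hi: Optional[int]
    action: str


def parse(config):
    """Return (rules, errors); errors are (line_no, reason) for rejected lines."""
    rules, errors = [], []
    for n, line in enumerate(config.splitlines(), 1):
        # The no/default forms remove or reset rules and are not modelled here.
        if "failure-handling" not in line or line.split()[0] in ("no", "default"):
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append((n, "does not match the documented syntax"))
            continue
        lo = int(m["lo"]) if m["lo"] else None
        hi = int(m["hi"]) if m["hi"] else lo
        if lo is not None and not 1 <= lo <= 65535:
            errors.append((n, "result_code must be 1 through 65535"))
        elif m["hi"] and hi <= lo:
            errors.append((n, "end_result_code must be greater than result_code"))
        elif m["hi"] and hi > 65535:  # assumption: same upper bound as result_code
            errors.append((n, "end_result_code must not exceed 65535"))
        else:
            rules.append(Rule(n, m["msg"], lo, hi, m["action"]))
    return rules, errors


def effective_action(rules, message, code=None):
    """Action for a result code, or for request-timeout when code is None.

    Assumption: a later line overrides an earlier one where they overlap.
    Returns None when no configured line covers the condition.
    """
    action = None
    for r in rules:
        if r.message != message:
            continue
        if code is None and r.lo is None:
            action = r.action
        elif code is not None and r.lo is not None and r.lo <= code <= r.hi:
            action = r.action
    return action


def fail_open_findings(rules):
    """List (message, condition) pairs where a failure still continues the session."""
    findings = []
    for message in sorted({r.message for r in rules}):
        if effective_action(rules, message) == "continue":
            findings.append((message, "request-timeout"))
        codes = sorted({c for r in rules
                        if r.message == message and r.lo is not None
                        for c in range(r.lo, r.hi + 1)})
        for c in codes:
            # 3xxx protocol errors, 4xxx transient and 5xxx permanent failures
            if c >= 3000 and effective_action(rules, message, c) == "continue":
                findings.append((message, f"result-code {c}"))
    return findings


if __name__ == "__main__":
    parsed, rejected = parse(SAMPLE_CONFIG)
    for line_no, reason in rejected:
        print(f"line {line_no}: rejected, {reason}")
    for message, condition in fail_open_findings(parsed):
        print(f"review: {message} {condition} -> continue")
```
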
diameter dictionary

This command is deprecated and is replaced by the diameter accounting dictionary and diameter authentication dictionary commands. See diameter accounting and diameter authentication commands respectively.

diameter endpoint

This command enables the creation, configuration or deletion of a Diameter endpoint.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] diameter
endpoint endpoint_name [ -noconfirm ]
no

Removes the specified Diameter endpoint.

endpoint_name

Specifies the name of the Diameter endpoint as an alphanumeric string of 1 through 63 characters that should be unique within the system.

If the named endpoint does not exist, it is created, and the CLI mode changes to the Diameter Endpoint Configuration Mode wherein the endpoint can be configured.

If the named endpoint already exists, the CLI mode changes to the Diameter Endpoint Configuration Mode wherein the endpoint can be reconfigured.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create/configure/delete a Diameter origin endpoint.

Entering this command results in the following prompt:

[context_name]hostname(config-ctx-diameter)

Diameter origin endpoint configuration commands are described in the Diameter Endpoint Configuration Mode Commands chapter.


Example:
The following command changes to the Diameter Endpoint Configuration CLI mode for Diameter origin endpoint named test13:
diameter endpoint test13

diameter sctp

This command configures Diameter SCTP parameters for all Diameter endpoints within the context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
diameter sctp { hearbeat-interval interval | path max-retransmissions retransmissions }
default diameter sctp { heartbeat-interval | path max-retransmissions }
default

Configures this command with the default settings.

  • heartbeat-interval: Sets the heartbeat interval to the default value.
  • path max-retransmissions: Sets the SCTP path maximum retransmissions to the default value.

hearbeat-interval interval

Specifies the time interval between heartbeat chunks sent to a destination transport address in seconds.

interval must be an integer from 1 through 255.

Default: 30 seconds

path max-retransmissions retransmissions

Specifies the maximum number of consecutive retransmissions over a destination transport address of a peer endpoint before it is marked as inactive.

retransmissions must be an integer from 1 through 10.

Default: 10


Usage:

Use this command to configure Diameter SCTP parameters for all diameter endpoints within the context.


Example:
The following command configures the heartbeat interval to 60 seconds:
diameter sctp hearbeat-interval 60
The following command configures the maximum number of consecutive retransmissions to 6, after which the endpoint is marked as inactive:
diameter sctp path max-retransmissions 6
diameter origin

This command is deprecated and is replaced by the diameter endpoint command.

dns-client

Creates a DNS client and/or enters the DNS Client Configuration Mode.

Platform:

ASR 5000

Product:

ePDG, SCM, SGSN, MME, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] dns-client name [ -noconfirm ]
no

Removes the specified DNS client from the context.

dns-client name

Specifies a name for the DNS client as an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to create a new DNS client and enter the DNS Client Configuration Mode or enter the mode for an existing client.

Entering this command results in the following prompt:

[context_name]hostname(config-dns-client)#

DNS Client Configuration Mode commands are defined in the DNS Client Configuration Mode Commands chapter.


Example:
The following command enters the DNS Client Configuration Mode for a DNS client named dns1:
dns-client dns1
domain

Configures a domain alias for the current context.

Platform:

ASR 5000

Product:

PDSN, HA


Privilege:

Security Administrator, Administrator


Syntax
domain [ * ]domain_name [ default subscriber subscriber_template_name ]
no domain [ * ]domain_name
no

Indicates the domain specified is to be removed as an alias to the current context.

[ * ]domain_name

domain_name specifies the domain alias to create/remove from the current context. If the domain portion of a subscriber’s user name matches this value, the current context is used for that subscriber.

domain_name must be an alphanumeric string of 1 through 79 characters. The domain name can contain all special characters, however note that the character * (wildcard character) is only allowed at the beginning of the domain name.

If the domain name is prefixed with * (wildcard character), and an exact match is not found for the domain portion of a subscriber’s user name, subdomains of the domain name are matched. For example, if the domain portion of a subscriber’s user name is abc.xyz.com and you use the domain command domain *xyz.com it matches. But if you do not use the wildcard (domain xyz.com) it does not match.

IMPORTANT:

The domain alias specified must not conflict with the name of any existing context or domain names.

default subscriber subscriber_template_name

Specifies the name of the subscriber template to apply to subscribers using this domain alias.

subscriber_template_name must be an alphanumeric string of 1 through 127 characters. If this keyword is not specified the default subscriber configuration in the current context is used.


Usage:

Use this command to configure a domain alias when a single context may be used to support multiple domains via aliasing.


Example:
domain sampleDomain.net
no domain sampleDomain.net
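The alias matching described above, as an added example that is not part of the original reference: it resolves the context for a user name and flags aliases that break the naming rules. The context names, the sample aliases, the case-sensitive comparison, the choice of the longest wildcard when several match, and the reading of "subdomains" as a match on a dot boundary are assumptions of this sketch, not documented device behavior.

```python
"""Added example: which context handles user@domain, given `domain` aliases."""
from typing import List, Optional, Tuple

# Constructed sample: (context, alias exactly as typed after the `domain` keyword).
ALIASES: List[Tuple[str, str]] = [
    ("ctx-corp", "corp.xyz.com"),
    ("ctx-xyz", "*xyz.com"),
    ("ctx-sample", "sampleDomain.net"),
]


def check_alias(alias: str) -> None:
    """Apply the documented limits: 1 through 79 characters, `*` only in front."""
    # Assumption: the length limit applies to the name without the leading `*`.
    name = alias[1:] if alias.startswith("*") else alias
    if not 1 <= len(name) <= 79:
        raise ValueError(f"domain_name must be 1 through 79 characters: {alias!r}")
    if "*" in name:
        raise ValueError(f"'*' is only allowed at the beginning: {alias!r}")


def find_conflicts(aliases: List[Tuple[str, str]]) -> List[str]:
    """Return aliases that repeat another alias or collide with a context name."""
    contexts = {ctx for ctx, _ in aliases}
    seen, conflicts = set(), []
    for _, alias in aliases:
        if alias in contexts or alias in seen:
            conflicts.append(alias)
        seen.add(alias)
    return conflicts


def resolve_context(username: str,
                    aliases: List[Tuple[str, str]] = ALIASES) -> Optional[str]:
    """Return the context whose alias matches the domain part of user@domain."""
    _, sep, domain = username.rpartition("@")
    if not sep or not domain:
        return None
    # Pass 1: an exact alias is tried first.
    for ctx, alias in aliases:
        if not alias.startswith("*") and alias == domain:
            return ctx
    # Pass 2: only when no exact match exists, wildcard aliases match subdomains.
    best: Optional[Tuple[str, str]] = None
    for ctx, alias in aliases:
        if alias.startswith("*"):
            base = alias[1:]
            # Assumption: a subdomain ends in "." + base; the most specific wins.
            if domain.endswith("." + base) and (best is None or len(base) > len(best[1])):
                best = (ctx, base)
    return best[0] if best else None


if __name__ == "__main__":
    for alias in (a for _, a in ALIASES):
        check_alias(alias)
    for user in ("alice@abc.xyz.com", "bob@corp.xyz.com", "dave@example.org"):
        print(user, "->", resolve_context(user))
    print("conflicts:", find_conflicts(ALIASES))
```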
eap-profile

Creates a new, or specifies an existing, Extensible Authentication Protocol (EAP) profile and enters the EAP Configuration Mode.

Platform:

ASR 5000

Product:

ASN-GW, ePDG, PDIF


Privilege:

Security Administrator, Administrator


Syntax
[ no ] eap-profile name
name

Specifies the name of a new or existing EAP profile as an alphanumeric string of 1 through 256 characters.


Usage:

Use this command to create a new or enter an existing EAP profile.

Entering this command results in the following prompt:

[context_name]hostname(config-ctx-eap-profile)#

EAP Configuration Mode commands are defined in the EAP Configuration Mode Commands chapter.


Example:
The following command configures an EAP profile called eap1 and enters the EAP Configuration Mode:
eap-profile eap1
edr-module active-charging-service

Enables the creation, configuration, or deletion of the Event Data Record (EDR) module for this context.

Platform:

ASR 5000

Product:

ACS, GGSN, HA, LNS, PDSN, SGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] edr-module active-charging-service
no

Removes the EDR module configuration for the current context.


Usage:

Use this command to create the EDR module for the context, and configure the EDR module for active charging service records. You must be in a non-local context when specifying this command, and you must use the same context when specifying the UDR module command.

On entering the command with the charging keyword or without any keywords, the CLI prompt changes to:

[context_name]hostname(config-edr)#

On entering the command with the reporting keyword, the CLI prompt changes to:

[context_name]hostname(config-redr)#


Example:
The following command creates the EDR module for the context, and enters the EDR Module Configuration Mode:
edr-module active-charging-service
egtp-service

Creates an eGTP service or specifies an existing eGTP service and enters the eGTP Service Configuration Mode for the current context.

Platform:

ASR 5000

Product:

MME, P-GW, S-GW


Privilege:

Administrator


Syntax
[ no ] egtp-service service_name [ -noconfirm ]
egtp-service service_name

Specifies the name of the eGTP service as an alphanumeric string of 1 through 63 characters. If service_name does not refer to an existing service, the new service is created if resources allow.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

no egtp-service service_name

Removes the specified eGTP service from the context.


Usage:

Enter the eGTP Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Entering this command results in the following prompt:

[context_name]hostname(config-egtp-service)#

eGTP Service Configuration Mode commands are defined in the eGTP Service Configuration Mode Commands chapter.

Use this command when configuring the following GTP SAE components: MME, P-GW, and S-GW.


Example:
The following command enters the existing eGTP Service Configuration Mode (or creates it if it does not already exist) for the service named egtp-service1:
egtp-service egtp-service1
The following command will remove egtp-service1 from the system:
no egtp-service egtp-service1
end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

external-inline-server

This is a restricted command.

fa-service

Creates or deletes a foreign agent (FA) service or specifies an existing FA service for which to enter the FA Service Configuration Mode for the current context.

Platform:

ASR 5000

Product:

ASN-GW, PDSN, FA


Privilege:

Security Administrator, Administrator


Syntax
[ no ] fa-service name [ -noconfirm ]
no

Indicates the foreign agent service specified is to be removed.

name

Specifies the name of the FA service to configure as an alphanumeric string of 1 through 63 characters. If name does not refer to an existing service, the new service is created if resources allow.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Enter the FA Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.


Example:
The following command will enter the FA Service Configuration Mode creating the service sampleService, if necessary.
fa-service sampleService
The following command will remove sampleService as being a defined FA service.
no fa-service sampleService
firewall max-associations

This command is obsolete.

fng-service

Creates a new, or specifies an existing FNG service and enters the FNG Service Configuration Mode. A maximum of 16 FNG services can be created. This limit applies per ASR 5000 chassis and per context.

Platform:

ASR 5000

Product:

FNG


Privilege:

Security Administrator, Administrator


Syntax
fng-service name [ -noconfirm ]
no fng-service name
fng-service name

Specifies the name of a new or existing FNG service as an alphanumeric string of 1 through 63 characters that must be unique across all FNG services within the same context and across all contexts.

no fng-service name

Deletes the specified FNG service.


Usage:

Use this command in Context Configuration Mode to create a new FNG service or modify an existing one. Executing this command enters the FNG Service Configuration Mode.


Example:
The following command configures an FNG service named fng1 and enters the FNG Service Configuration Mode:
fng-service fng1
ggsn-service

Creates or deletes a Gateway GPRS Support Node (GGSN) service and enters the GGSN Service Configuration Mode within the current context to configure it.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
ggsn-service svc_name [ -noconfirm ]
no ggsn-service svc_name
no

Deletes a previously configured GGSN service.

svc_name

Specifies the name of the GGSN service to create/configure as an alphanumeric string of 1 through 63 characters that is case sensitive.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Services are configured within a context and enable certain functionality. This command creates and allows the configuration of services enabling the system to function as a GGSN in a GPRS or UMTS network. This command is also used to remove previously configured GGSN services.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.


Example:
The following command creates a GGSN service named ggsn1:
ggsn-service ggsn1
gprs-service

Creates a GPRS service instance and enters the GPRS Service Configuration Mode. This mode configures all of the parameters specific to the operation of an SGSN in a GPRS network.

IMPORTANT:

For details about the commands and parameters for this mode, check the GPRS Service Configuration Mode chapter.

Platform:

ASR 5000

Product:

SGSN


Privilege:

Security Administrator, Administrator


Syntax
gprs-service srvc_name [ -noconfirm ]
no gprs-service srvc_name
no

Removes the configuration for the specified GPRS service from the configuration for the current context.

srvc_name

Specifies the name of the GPRS service as a unique alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create or remove a GPRS service. Entering this command will move the system to the GPRS Service Configuration Mode and change the prompt to:

[context_name]hostname(config-gprs-service)#

Example:
The following command creates a GPRS service named gprs1:
gprs-service gprs1
The following command removes the GPRS service named gprs1:
no gprs-service gprs1
gs-service

Creates a Gs service instance and enters the Gs Service Configuration Mode. This mode configures the parameters specific to the Gs interface between the SGSN and the MSC/VLR.

Platform:

ASR 5000

Product:

SGSN


Privilege:

Security Administrator, Administrator


Syntax
gs-service svc_name [ -noconfirm ]
no gs-service svc_name
no

Removes the configured Gs service from the current context.

svc_name

Specifies the Gs service as a unique alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create, edit, or remove a Gs service.

A maximum of 32 Gs services can be configured in one context/system. This limit is subject to the maximum of 256 services (regardless of type) that can be configured per system.

IMPORTANT:

For details about the commands and parameters for this mode, refer to the Gs Service Configuration Mode chapter.


Example:
The following command creates a Gs service named gs1:
gs-service gs1
The following command removes the Gs service named gs1:
no gs-service gs1
gtpp algorithm

Configures GTPP routing algorithms for the current context.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp algorithm { first-server | round-robin | first-n count }
first-server

Specifies that accounting data is sent to the first available charging gateway function (CGF) based upon the relative priority of each configured CGF. Default: Enabled

round-robin

Specifies that accounting data is transmitted in a circular queue fashion such that data is sent to the highest priority CGF first, then to the next available CGF of the highest priority, and so on. Ultimately, the queue returns to the CGF with the highest configured priority. Default: Disabled

first-n count

Specifies that the AGW must send accounting data to count (more than one) CGFs based on their priority. Response from any one of the count CGFs would suffice to proceed with the call. The full set of accounting data is sent to each of the count CGFs.

count is the number of CGFs to which accounting data will be sent, and must be an integer from 2 through 65535. Default: 1 (Disabled)


Usage:

Use this command to control how G-CDR/P-CDR accounting data is routed among the configured CGFs.


Example:
The following command configures the system to use the round-robin algorithm when transmitting G-CDR/P-CDR accounting data:
gtpp algorithm round-robin
gtpp attribute

Allows the specification of the optional attributes to be present in the call detail records (CDRs) that the GPRS/PDN/UMTS access gateway generates. It also defines how the information is presented in CDRs by encoding the attribute field values.

Platform:

ASR 5000

Product:

GGSN, SGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp attribute { apn-ni | apn-selection-mode | charging-characteristic-selection-mode | cell-plmn-id | diagnostics | duration-ms | dynamic flag | imei | local-record-sequence-number | losdv | ms-timezone | msisdn | node-id | node-id-suffix suffix | pdn-connection-id | pdp-address | pdp-type | pgw-plm-id | plmn-id [ unknown-use uncode_value ] | rat | record-extensions rat | served-mnai | served-pdp-pdn-address-extension | sms { destination-number | recording-entity | service-centre } | start time | stop time | uli }
default gtpp attribute { apn-ni | apn-selection-mode | charging-characteristic-selection-mode | cell-plmn-id | diagnostics | duration-ms | dynamic flag | imei | local-record-sequence-number | losdv | ms-timezone | msisdn | node-id | pdn-connection-id | pdp-address | pdp-type | pgw-plm-id | plmn-id | rat | record-extensions | served-mnai | served-pdp-pdn-address-extension | sms { destination-number | recording-entity | service-centre } | start time | stop time | uli }
no gtpp attribute { apn-ni | apn-selection-mode | charging-characteristic-selection-mode | cell-plmn-id | diagnostics | duration-ms | dynamic flag | imei | local-record-sequence-number | losdv | ms-timezone | msisdn | node-id | node-id-suffix | pdn-connection-id | pdp-address | pdp-type | pgw-plm-id | plmn-id | rat | record-extensions | served-mnai | served-pdp-pdn-address-extension | sms { destination-number | recording-entity | service-centre } | start time | stop time | uli }
default

Sets the default GTPP attributes in the generated CDRs. It also sets the default presentation of attribute values in generated CDRs.

no

Removes the configured GTPP attributes from the CDRs.

apn-ni

Default: Enabled

Includes the APN field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

apn-selection-mode

Default: Enabled

Includes the APN Selection Mode field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

charging-characteristics-selection-mode

Default: Enabled

Includes the Charging Characteristic Selection Mode field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

cell-plmn-id

Default: Disabled

This keyword configures the SGSN to include the cell’s PLMN identifier (MCC and MNC) in generated CDRs (M-CDRs and/or the S-CDRs).

This keyword is applicable for SGSN only.

diagnostics

Default: Disabled

Includes the Diagnostic field in the CDR that is created when PDP contexts are released. The field will contain one of the following values:

  • 36: if the SGSN sends us “delete PDP context request”.
  • 38: if the GGSN sends “delete PDP context request” due to GTP-C/GTP-U echo timeout with SGSN.
  • 40: if the GGSN sends “delete PDP context request” due to receiving a RADIUS Disconnect-Request message.
  • 26: if the GGSN sends “delete PDP context request” for any other reason (e.g., the operator types “clear subscribers” on the GGSN).
duration-ms

Default: Disabled

Specifies that the information contained in the mandatory Duration field be reported in milliseconds instead of seconds (as the standards require).

dynamic-flag

Default: Enabled

Includes the Dynamic Flag field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

imei

Default: Disabled

This keyword configures the SGSN to include the International Mobile Equipment Identifier (IMEI) in generated CDRs (M-CDRs and/or the S-CDRs).

This keyword is applicable for SGSN only.

local-record-sequence-number

Default: Disabled

Includes the Node ID field in the CDR that is created when PDP contexts are released. The field consists of a AAA Manager identifier automatically appended to the name of the GGSN or SGSN service.

The name of the GGSN/SGSN service may be truncated, because the maximum length of the Node ID field is 20 bytes. Since each AAA Manager generates CDRs independently, this allows the Local Record Sequence Number and Node ID fields to uniquely identify a CDR.

losdv

Default: Enabled

Includes the List of Service Data field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

ms-timezone

Default: Enabled

Includes the MS-Timezone field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

msisdn

Default: Disabled

This keyword configures the SGSN to include the Mobile Subscribers Integrated Services Digital Network identifier in generated CDRs (M-CDRs and/or the S-CDRs).

This keyword is applicable for SGSN only.

node-id

Default: Enabled

Includes the Node ID field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

node-id-suffix string

Default: Disabled

Specifies the string suffix to use in the NodeID field of GTPP CDRs. Each Session Manager task generates a unique NodeID string per GTPP context.

string: This is the configured Node-ID-Suffix having any string of 1 through 16 characters.

IMPORTANT:

The NodeID field is a printable string in the ndddstring format:

  • n: The first digit is the SessMgr restart counter, which has a value between 0 and 7.
  • ddd: The number of SessMgr instances.
  • string: The specified NodeID-suffix, which is used in all CDRs.

The “Node-ID” field consists of the SessMgr Recovery counter (1 digit) n + AAA Manager identifier (3 digits) ddd + the configured Node-Id-suffix (1 to 16 characters) string.

IMPORTANT:

If the centralized LRSN feature is enabled, the “Node-ID” field consists of only the specified NodeID-suffix. Otherwise GTPP group name is used. For default GTPP groups, GTPP context-name (truncated to 16 characters) is used.

IMPORTANT:

The SessMgr recovery counter is updated when session recovery is not enabled. If session recovery is enabled, the counter never updates. The node-id is displayed in the G-CDR irrespective of the gtpp dictionary. The G-CDR is not decoded in monitor protocol for the custom1 / custom3 dictionaries.

pdn-connections-id

Default: Enabled

Includes the PDN Connection ID field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

pdp-address

Default: Enabled

Includes the PDP Address field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

pdp-type

Default: Enabled

Includes the PDP Type field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

pgw-plm-id

Default: Enabled

Includes the PGW PLMN-ID field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

plmn-id [ unknown-use uncode_value ]

Default: Enabled

Includes the SGSN PLMN Identifier value (the RAI) in generated CDR (M-CDRs and/or the S-CDRs), if it is provided by the SGSN in the GTP create PDP context request. It is omitted if the SGSN does not supply one.

IMPORTANT:

For the GGSN it provides radio access identifier as the SGSN PLMN Id and for SGSN it includes the PLMN-id of RNC.

unknown-use uncode_value encodes the specified value for “SGSN PLMN Identifier” in the CDR if SGSN PLMN-ID information is unavailable.

Must be followed by the uncode_value value to be encoded.

uncode_value must be a hexadecimal value between 0x0 and 0xFFFFFF.

This keyword is applicable for SGSN only.

rat

Default: Disabled

This keyword configures the SGSN to include the radio access technology attribute in generated CDRs (M-CDRs and/or the S-CDRs).

This keyword is applicable for SGSN only.

record-extensions rat

Default: Disabled

This keyword configures the SGSN to include the radio access technology attribute in record extension field of generated CDRs (M-CDRs and/or the S-CDRs).

This keyword is applicable for SGSN only.

served-mnai

Default: Enabled

Includes the Served MNAI field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

sms { destination-number | recording-entity | service-centre }

Default: Disabled

This keyword configures the SGSN to include the SMS related attributes in generated S-SMO-CDRs or S-SMT-CDRs.

destination-number: This keyword includes the destination-number information of SMS in generated S-SMO-CDRs or S-SMT-CDRs.

Note: This is the destination number of the short message subscriber.

recording-entity: This keyword includes the recording entity information of SMS in generated S-SMO-CDRs or S-SMT-CDRs.

Note: The recording entity is the E.164 number of the SGSN.

service-centre: This keyword includes the service-centre information of SMS in generated S-SMO-CDRs or S-SMT-CDRs.

Note: This is the E.164 address of the SMS-service centre.

This keyword is applicable for SGSN only.

start-time

Default: Enabled

Includes the Start-Time field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

stop-time

Default: Enabled

Includes the Stop-Time field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.

uli

Default: Enabled

Includes the User Location Information field in the CDR that is created.

This keyword is applicable for P-GW and GGSN only.


Usage:

Use this command to configure the type of optional information fields to include in generated CDRs (M-CDRs, S-CDRs, S-SMO-CDR, S-SMT-CDR from SGSN and G-CDRs, eG-CDRs from GGSN) by the AGW (SGSN/GGSN/P-GW). In addition, it controls how the information for some of the mandatory fields is reported.

Fields described as optional by the standards but not listed above will always be present in the CDRs, except for Record Extensions (which will never be present).

IMPORTANT:

This command can be repeated multiple times with different keywords to configure multiple GTPP attributes.


Example:
The following command configures the system to report the time provided in the Duration field of the CDR in milliseconds:
gtpp attribute duration-ms
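The node-id-suffix and local-record-sequence-number descriptions above say that the Node-ID string plus the Local Record Sequence Number uniquely identify a CDR. The following added example (not part of the original reference) decodes Node-ID strings in the ndddstring layout and audits a batch of records for malformed values, duplicate identifiers and restart-counter changes. The sample records are constructed, and ddd is simply treated as a three-digit number because the page describes it in two ways.

```python
"""Added example: decode GTPP CDR Node-ID strings and audit record uniqueness."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# n (restart counter, 0-7) + ddd (three digits) + suffix (1 to 16 printable
# characters); the whole field therefore fits the 20-byte Node ID limit.
NODE_ID_RE = re.compile(r"([0-7])(\d{3})([ -~]{1,16})")


class NodeId(NamedTuple):
    restart_counter: Optional[int]  # None when only the suffix is present
    instance: Optional[int]         # the ddd digits
    suffix: str


def parse_node_id(value: str, centralized_lrsn: bool = False) -> NodeId:
    """Split a Node-ID string into its documented parts."""
    if centralized_lrsn:
        # With the centralized LRSN feature the field is the suffix alone.
        if not 1 <= len(value) <= 16:
            raise ValueError(f"suffix must be 1 to 16 characters: {value!r}")
        return NodeId(None, None, value)
    match = NODE_ID_RE.fullmatch(value)
    if match is None:
        raise ValueError(f"not in ndddstring format: {value!r}")
    return NodeId(int(match.group(1)), int(match.group(2)), match.group(3))


def audit(records: List[Tuple[str, int]]) -> Dict[str, list]:
    """Check (node_id, lrsn) pairs taken from decoded CDRs, in arrival order."""
    seen: Counter = Counter()
    last_counter: Dict[Tuple[int, str], int] = {}
    invalid, restarts = [], []
    for raw, lrsn in records:
        try:
            node = parse_node_id(raw)
        except ValueError:
            invalid.append(raw)
            continue
        seen[(raw, lrsn)] += 1
        key = (node.instance, node.suffix)
        previous = last_counter.get(key)
        if previous is not None and previous != node.restart_counter:
            # The leading digit changed for the same ddd + suffix.
            restarts.append((key, previous, node.restart_counter))
        last_counter[key] = node.restart_counter
    duplicates = sorted(pair for pair, count in seen.items() if count > 1)
    return {"invalid": invalid, "duplicates": duplicates, "restarts": restarts}


# Constructed sample records: (Node-ID, Local Record Sequence Number).
SAMPLE = [
    ("0001gtpp-grp1", 1001),
    ("0001gtpp-grp1", 1002),
    ("0002gtpp-grp1", 1001),  # same LRSN, different ddd: still unique
    ("0001gtpp-grp1", 1002),  # repeats an earlier identifier
    ("1001gtpp-grp1", 1),     # restart counter moved from 0 to 1
    ("8001gtpp-grp1", 5),     # first digit outside 0-7
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```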
gtpp charging-agent

Configures the IP address and port of the system interface within the current context used to communicate with the Charging Gateway Function (CGF).

Platform:

ASR 5000

Product:

GGSN, SGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp charging-agent address ip_address [ port port ]
no gtpp charging-agent
no

Removes a previously configured charging agent address.

address ip_address

Specifies the IP address of the interface configured within the current context that is used to transmit CDR records (G-CDR/eG-CDR/M-CDR/S-CDR) to the CGF. ip_address must be entered using IPv4 dotted-decimal notation.

port port

Specifies the Charging Agent UDP port as an integer from 1 through 65535.

If port is not defined, the default port number 49999 is used.

IMPORTANT:

Configuring gtpp charging-agent on port 3386 may interfere with a ggsn-service configured with the same IP address.


Usage:

This command establishes a Ga interface for the system. For GTPP accounting, one or more Ga interfaces must be specified for communication with the CGF. These interfaces must exist in the same context in which GTPP functionality is configured (refer to the gtpp commands in this chapter).

This command instructs the system as to what interface to use. The IP address supplied is also the address by which the GSN is known to the CGF. Therefore, the IP address used for the Ga interface could be identical to one bound to a GSN service (a Gn interface).

If no GSN service is configured in the same context as the Ga interface, the address configured by this command is used to receive unsolicited GTPP packets.


Example:
The following command configures the system to use the interface with an IP address of 192.168.13.10 as the accounting interface with port 20000 to the CGF:
gtpp charging-agent address 192.168.13.10 port 20000
gtpp data-request sequence-numbers

Configures the range of sequence numbers to be used in the GTPP data record transfer record (DRT). Use this command to set the start value for the sequence number.

Platform:

ASR 5000

Product:

GGSN, SGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp data-request sequence-numbers start { 0 | 1 }
default gtpp data-request sequence-numbers start
default

Default is 0 (zero).

{ 0 | 1 }

Specifies the value of the start sequence number for the GTPP Data Record Transfer Request. Default: 0

  • 0: Designates the start sequence number as 0.
  • 1: Designates the start sequence number as 1.

Usage:

When the GGSN/P-GW/SGSN is configured to send GTPP echo request packets, the SGSN always uses 0 as the sequence number in those packets. Re-using 0 as a sequence number in the DRT packets is allowed by the 3GPP standards; however, this CLI command ensures the possibility of inter-operating with CGFs that cannot properly handle the re-use of sequence number 0 in the echo request packets.


Example:
The following command sets the sequence to start at 1.
gtpp data-request sequence-numbers start 1
gtpp dead-server suppress-cdrs

Enables or disables CDR archiving when a dead server is detected.

IMPORTANT:

This command is customer specific. For more information please contact your local Cisco service representative.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] gtpp dead-server suppress-cdrs
default

Configures the default setting.

Default: Disabled

no

Re-enables CDR archiving.


Usage:

Use this command to enable/disable CDR archiving when a dead server is detected. With this CLI, once a server is detected as down, requests are purged. Also the requests generated for the period when the server is down are purged.

gtpp deadtime

Configures the amount of time to wait before attempting to communicate with a Charging Gateway Function (CGF) that was previously marked as unreachable.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp deadtime time
default gtpp deadtime
default

Configures this command with the default setting.

Default: 120 seconds

time

Specifies the amount of time (in seconds) that must elapse before the system attempts to communicate with a CGF that was previously unreachable. time is an integer from 1 through 65535.


Usage:

If the system is unable to communicate with a configured CGF, after a pre-configured number of failures the system marks the CGF as being down.

This command specifies the amount of time that the system waits prior to attempting to communicate with the downed CGF.

Refer to the gtpp detect-dead-server and gtpp max-retries commands for additional information on the process the system uses to mark a CGF as down.


Example:
The following command configures the system to wait 60 seconds before attempting to re-communicate with a CGF that was marked as down:
gtpp deadtime 60
gtpp detect-dead-server

Configures the number of consecutive communication failures that could occur before the system marks a Charging Gateway Function (CGF) as down.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp detect-dead-server consecutive-failures max_number
default gtpp detect-dead-server consecutive-failures
default

Configures this command with the default setting.

Default: 0

consecutive-failures max_number

Specifies the number of failures that could occur before marking a CGF as down. max_number is an integer from 0 through 1000.


Usage:

This command works in conjunction with the gtpp max-retries parameter to set a limit to the number of communication failures that can occur with a configured CGF.

The gtpp max-retries parameter limits the number of attempts to communicate with a CGF. Once that limit is reached, the system treats it as a single failure. The gtpp detect-dead-server parameter limits the number of consecutive failures that can occur before the system marks the CGF as down and communicates with the CGF of next highest priority.

If all of the configured CGFs are down, the system ignores the detect-dead-server configuration and attempts to communicate with the highest priority CGF again.

If the system receives a GTPP Node Alive Request, Echo Request, or Echo Response message from a CGF that was previously marked as down, the system immediately treats it as being active.

Refer to the gtpp max-retries command for additional information.


Example:
The following command configures the system to allow 8 consecutive communication failures with a CGF before it marks it as down:
gtpp detect-dead-server consecutive-failures 8
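The interaction of gtpp max-retries, gtpp detect-dead-server and gtpp deadtime described above can be followed in a small model. This is an added example, not ASR 5000 code; the class and function names and the 192.0.2.x addresses are constructed, and it assumes that max-retries counts total attempts and that a CGF is marked down when its consecutive failure count reaches the configured value (the behaviour of the default value 0 is not described on this page and is not modelled).

```python
"""Toy model of the CGF liveness rules documented above (not ASR 5000 code)."""
from dataclasses import dataclass
from typing import Optional

# Messages from a CGF that immediately return it to the active state.
REVIVING = {"node-alive-request", "echo-request", "echo-response"}


@dataclass
class Cgf:
    address: str
    priority: int                        # 1 is the highest priority
    failures: int = 0                    # consecutive failures so far
    down_since: Optional[float] = None   # None: considered up


class CgfSelector:
    def __init__(self, cgfs, max_retries=4, dead_after=8, deadtime=60):
        if dead_after < 1:
            raise ValueError("model assumes consecutive-failures >= 1")
        self.cgfs = sorted(cgfs, key=lambda c: c.priority)
        self.max_retries = max_retries   # gtpp max-retries
        self.dead_after = dead_after     # gtpp detect-dead-server consecutive-failures
        self.deadtime = deadtime         # gtpp deadtime, in seconds

    def _eligible(self, cgf, now):
        # Up, or down long enough that deadtime allows another attempt.
        return cgf.down_since is None or now - cgf.down_since >= self.deadtime

    def pick(self, now):
        eligible = [c for c in self.cgfs if self._eligible(c, now)]
        # Every CGF down: the dead-server marking is ignored and the
        # highest-priority CGF is tried again.
        return (eligible or self.cgfs)[0]

    def send(self, now, responds):
        """Send one request; responds(address) -> bool is called per attempt."""
        cgf = self.pick(now)
        for _ in range(self.max_retries):
            if responds(cgf.address):
                cgf.failures, cgf.down_since = 0, None
                return cgf.address, True
        # max-retries exhausted: the whole burst counts as one failure.
        cgf.failures += 1
        if cgf.failures >= self.dead_after:
            cgf.down_since = now         # (re)start the deadtime wait
        return cgf.address, False

    def on_message(self, address, msg_type):
        """A Node Alive Request, Echo Request or Echo Response revives a CGF."""
        for cgf in self.cgfs:
            if cgf.address == address and msg_type in REVIVING:
                cgf.failures, cgf.down_since = 0, None


if __name__ == "__main__":
    # Constructed scenario: the priority-1 CGF never answers.
    sel = CgfSelector([Cgf("192.0.2.10", 1), Cgf("192.0.2.20", 5)], dead_after=2)
    for t in range(4):
        print(t, sel.send(t, lambda addr: addr == "192.0.2.20"))
```

With the values used here, the number of unanswered transmissions before failover is max-retries multiplied by consecutive-failures, which is the figure to compare against how long CDRs may safely sit unacknowledged.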
gtpp dictionary

Designates a dictionary used by GTPP for a specific context.

Platform:

ASR 5000

Product:

GGSN, SGSN, P-GW, S-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp dictionary { custom1 | custom10 | custom11 | custom12 | custom13 | custom14 | custom15 | custom16 | custom17 | custom18 | custom19 | custom2 | custom20 | custom21 | custom22 | custom23 | custom24 | custom25 | custom26 | custom27 | custom28 | custom29 | custom3 | custom30 | custom31 | custom32 | custom33 | custom34 | custom35 | custom36 | custom37 | custom38 | custom39 | custom4 | custom40 | custom5 | custom6 | custom7 | custom8 | custom9 | standard }
default gtpp dictionary
default

Configures the default dictionary.

custom1

This is a custom-defined dictionary that conforms to TS 32.015 v 3.6.0 for R99. It supports the encoding of IP addresses in text format for G-CDRs.

custom2

Custom-defined dictionary.

custom3

This is a custom-defined dictionary that conforms to TS 32.015 v 3.6.0 for R99 except that it supports the encoding of IP addresses in binary format for G-CDRs.

custom4

This is a custom-defined dictionary that conforms to TS 32.015 v 3.6.0 for R99 except that:

  • IP addresses are encoded in binary format.
  • The Data Record Format Version information element contains 0x1307 instead of 0x1308.
  • QoSRequested is not present in the LoTV containers.
  • QoSnegotiated is added only for the first container and the container after a QoS change.
custom5

Custom-defined dictionary.

custom6

This is a custom-defined dictionary for eG-CDR encoding.

custom7 ... custom30

These custom-defined dictionaries have the default behavior of the “standard” dictionary.

custom31

This is a custom-defined dictionary for S-CDR encoding that is based on 3GPP TS 32.298 v6.4.1 with a special field appended for the PLMN-ID.

custom33
This is a custom-defined dictionary for S-CDR encoding that is based on the 3GPP TS 32.298 v6.4.1 with the following exceptions:
  • Proprietary PLMN-ID field is present.
  • It is a SEQUENCE and not a SET.
  • Diagnostics and SGSN-Change fields are not supported.
  • Indefinite length encoding is used.
  • Booleans are encoded as 0x01 (in 3GPP it is 0xff).
  • IMEISV shall be sent if available else IMEI should be sent.
  • Record Sequence Number is Mandatory.
  • APN OI and NI part is length encoded.
  • Cause for Record closure should be “RAT Change” instead of “intra-SGSN inter-system”.
standard

Default: Enabled

This dictionary conforms to TS 32.215 v 4.6.0 for R4 (and also R5 - extended QoS format).


Usage:

Use this command to designate the specific dictionary used by GTPP for a specific context.


Example:
The following command configures the system to use the custom3 dictionary to encode IP addresses in binary format in G-CDRs:
gtpp dictionary custom3
gtpp duplicate-hold-time

Configures the number of minutes to hold onto CDRs that are possibly duplicates while waiting for the primary Charging Gateway Function (CGF) to come back up.

Platform:

ASR 5000

Product:

GGSN, SGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp duplicate-hold-time minutes
default gtpp duplicate-hold-time
default

Configures this command with the default setting.

Default: 60 minutes

minutes

Specifies the number of minutes to hold onto CDRs that may be duplicates whenever the primary CGF is down. minutes must be an integer from 1 through 10080.


Usage:

Use this command to configure how long to hold onto CDRs that are possibly duplicates while waiting for the primary CGF to come back up. If the GGSN/P-GW determines that the primary CGF is down, CDRs that were sent to the primary CGF but not acknowledged are sent by the GSN to the secondary CGF as “possibly duplicates”. When the primary CGF comes back up, the GSN uses GTPP to determine whether the possibly duplicate CDRs were received by the primary CGF. Then the secondary CGF is told whether to release or cancel those CDRs. This command configures how long the system should wait for the primary CGF to come back up. As soon as the configured time expires, the secondary CGF is told to release all of the possibly duplicate CDRs.


Example:
Use the following command to set the amount of time to hold onto CDRs to 2 hours (120 minutes):
gtpp duplicate-hold-time 120
gtpp echo-interval

Configures the frequency at which the system sends GTPP echo packets to configured CGFs.

Platform:

ASR 5000

Product:

GGSN, SGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp echo-interval time
{ default | no } gtpp echo-interval
default

Configures the default setting for this command.

Default: 60 seconds

no

Disables the use of the echo protocol except for the scenarios described in the Usage section for this command.

time

Specifies the time interval (in seconds) for sending GTPP echo packets as an integer from 60 through 2147483647. Default: 60


Usage:

The GTPP echo protocol is used by the system to ensure that it can communicate with configured CGFs. The system initiates this protocol for each of the following scenarios:

  • Upon system boot
  • Upon the configuration of a new CGF server on the system using the gtpp server command as described in this chapter
  • Upon the execution of the gtpp test accounting command as described in the Exec Mode Commands chapter of this reference
  • Upon the execution of the gtpp sequence-numbers private-extensions command as described in this chapter

The echo-interval command is used in conjunction with the gtpp max-retries and gtpp timeout commands as described in this chapter.

In addition to receiving an echo response for this echo protocol, if we receive a GTPP Node Alive Request message or a GTPP Echo Request message from a presumed dead CGF server, we will immediately assume the server is active again.

The alive/dead status of the CGFs is used by the AAA Managers to affect the sending of CDRs to the CGFs. If all CGFs are dead, the AAA Managers will still send CDRs (refer to the gtpp deadtime command), albeit at a slower rate than if a CGF were alive. Also, AAA Managers independently determine if CGFs are alive/dead.


Example:
The following command configures an echo interval of 120 seconds:
gtpp echo-interval 120
gtpp egcdr

Configures the eG-CDR and P-CDR (P-GW CDR) parameters and triggers.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp egcdr { final-record [ [ include-content-ids { all | only-with-traffic } ] [ closing-cause { same-in-all-partials | unique } ] ] | losdv-max-containers max_losdv_containers | lotdv-max-containers max_lotdv_containers | rulebase-max-length rulebase_name_max_length | service-data-flow threshold { interval interval | volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] } } | service-idle-timeout { 0 | service_idle_timeout } }
default gtpp egcdr { final-record include-content-ids only-with-traffic closing-cause same-in-all-partials | losdv-max-containers | lotdv-max-containers | service-idle-timeout 0 }
no gtpp egcdr { rulebase-max-length | service-data-flow threshold { interval | volume { downlink [ uplink ] | total | uplink [ downlink ] } } }
final-record [ [ include-content-ids { all | only-with-traffic } ] [ closing-cause { same-in-all-partials | unique } ] ]

Enables configuration of the final eG-CDR/P-CDR.

Default: Restores the GTPP eG-CDR/P-CDR final record to the default setting, in which content IDs with some data to report are included. Also sets the closing cause to the default of using the same closing cause for multiple final eG-CDR/P-CDRs.

  • include-content-ids: Controls which content IDs are being included in the final eG-CDR/P-CDR.
    • all: Specifies that all content IDs be included in the final eG-CDR/P-CDR.
    • only-with-traffic: Specifies that only content-IDs with traffic be included in the final eG-CDR/P-CDRs.
  • closing-cause: Configures closing cause for the final eG-CDR/P-CDR.
    • same-in-all-partials: Specifies that the same closing cause is to be included for multiple final eG-CDR/P-CDRs
    • unique: Specifies that the closing cause for final eG-CDR/P-CDRs is to be unique.
losdv-max-containers max_losdv_containers

The maximum number of List of Service Data Volume (LoSDV) containers in one eG-CDR/P-CDR.

max_losdv_containers must be an integer from 1 through 255.

Default: 10

lotdv-max-containers max_lotdv_containers

The maximum number of List of Traffic Data Volume (LoTDV) containers in one eG-CDR/P-CDR.

max_lotdv_containers must be an integer from 1 through 8.

Default: 8

rulebase-max-length rulebase_name_max_length

Specifies the maximum character length of the charging rulebase name in LOSDVs of eG-CDR/P-CDR.

rulebase_name_max_length must be an integer from 0 through 63. Zero (0) means the rulebase name is added as-is.

Default: None. That is, full (un-truncated) charging rulebase name will go in LOSDVs of eG-CDR/P-CDR.

service-data-flow threshold { interval interval | volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] } }

Configures the thresholds for closing a service data flow container within an eG-CDR/P-CDR.

  • interval interval: Specifies the time interval, in seconds, to close the eG-CDR/P-CDR if the minimum time duration thresholds for service data flow containers are satisfied in flow-based charging. interval must be an integer from 60 through 40000000. Default: Disabled
  • volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] }: Specifies the volume octet counts for the generation of the interim eG-CDR/P-CDRs to service data flow container in FBC.
    • downlink bytes: Specifies the limit for the number of downlink octets after which the eG-CDR/P-CDR is closed.
    • total bytes: Specifies the limit for the total number of octets (uplink+downlink) after which the eG-CDR/P-CDR is closed.
    • uplink bytes: Specifies the limit for the number of uplink octets after which the eG-CDR/P-CDR is closed.
    • bytes must be an integer from 10000 through 400000000.

A service data flow container has statistics for an individual content ID. When the threshold is reached, the service data flow container is closed.

service-idle-timeout { 0 | service_idle_timeout }

Specifies a time period where if no data is reported for a service flow, the service container is closed and added to eG-CDR/P-CDR (as part of LOSDV container list) with service condition change as ServiceIdleOut.

service_idle_timeout must be an integer from 10 through 86400.

0: Specifies no service-idle-timeout trigger.

Default: 0


Usage:

Use this command to configure individual triggers for eG-CDR/P-CDR generation.

Use the service-data-flow threshold option to configure the thresholds for closing a service data flow container within an eG-CDR (eG-CDRs for GGSN and P-CDRs for PGW) during flow-based charging (FBC). A service data flow container has statistics regarding an individual content ID.

Thresholds can be specified for time interval and for data volume, by entering the command twice (once with interval and once with volume). When either configured threshold is reached, the service data flow container will be closed. The volume trigger can be specified for uplink or downlink or the combined total (uplink + downlink) byte thresholds.

When the PDP context is terminated, all service data flow containers will be closed regardless of whether the thresholds have been reached.

An eG-CDR/P-CDR will have at most ten service data flow containers. Multiple eG-CDR/P-CDRs will be created when there are more than ten.


Example:
Use the following command to set the maximum number of LoSDV containers to 7:
gtpp egcdr losdv-max-containers 7
The following command sets an eG-CDR threshold interval of 6000 seconds:
gtpp egcdr service-data-flow threshold interval 6000
gtpp error-response

Configures the response when the system receives an error response after transmitting a DRT (data record transfer) request.

Platform:

ASR 5000

Product:

GGSN, SGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp error-response { discard-cdr | retry-request }
default gtpp error-response
default

Configures this command with the default setting.

Default: retry-request

discard-cdr

Instructs the system to purge the request upon receipt of an error response and not to retry.

retry-request

Instructs the system to retry sending a DRT after receiving an error response. This is the default behavior.


Usage:

This command configures the system’s response to receiving an error message after sending a DRT request.


Example:
gtpp error-response discard-cdr
gtpp group

Configures GTPP server group in a context for the Charging Gateway Function (CGF) accounting server(s) that the system is to communicate with.

Platform:

ASR 5000

Product:

GGSN, SGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] gtpp group group_name [ -noconfirm ]
group_name

Specifies the name of the GTPP server group that is used for charging and/or accounting in a specific context. group_name must be an alphanumeric string of 1 through 63 characters.

A maximum of eight GTPP server groups (excluding system created default GTPP server group “default”) can be configured with this command in a context.

no

Removes the previously configured GTPP group within a context.

When a GTPP group is removed, accounting information is not generated for all calls using that group, and all calls associated with that group are dropped. A warning message displays indicating the number of calls that will be dropped.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

This feature makes the charging gateway function (CGF) accounting server configurable as a group of servers. Instead of having a single list of CGF accounting servers per context, this feature configures multiple GTPP accounting server groups in a context, and each server group consists of a list of CGF accounting servers.

In case no GTPP server group is configured in a context, a server group named “default” is available and all the CGF servers configured in a specific context for CGF accounting functionality will be part of this “default” server group.


Example:
The following command configures a GTPP server group named star1 for CGF accounting functionality. This server group is available for all subscribers within that context.
gtpp group star1
gtpp max-cdrs

Configures the maximum number of charging data records (CDRs) included per packet.

Platform:

ASR 5000

Product:

GGSN, P-GW, SGSN


Privilege:

Security Administrator, Administrator


Syntax
gtpp max-cdrs max_cdrs [ wait-time wait_time ]
default gtpp max-cdrs
default

Configures this command with the default setting.

Default: One CDR per packet; disables wait-time

max_cdrs

Specifies the maximum number of CDRs to be inserted in a single packet as an integer from 1 through 255. Default: 1

wait-time wait_time

Specifies the number of seconds the system waits for CDRs to be inserted into the packet before sending it. wait_time must be an integer from 1 through 300. Default: Disabled

IMPORTANT:

If the wait-time expires, the packet is sent as this keyword over-rides max_cdrs.


Usage:

CDRs are placed into a GTPP packet as the CDRs close. The system stops placing CDRs into a packet when either the maximum max_cdrs is met, or the wait-time expires, or the value for the gtpp max-pdu-size command is met.


Example:
The following command configures the system to place a maximum of 10 CDRs in a single GTPP packet before transmitting the packet:
gtpp max-cdrs 10
gtpp max-pdu-size

Configures the maximum payload size of a single GTPP packet that could be sent by the system.

Platform:

ASR 5000

Product:

GGSN, P-GW, SGSN


Privilege:

Security Administrator, Administrator


Syntax
gtpp max-pdu-size pdu_size
default gtpp max-pdu-size
default

Configures this command with the default setting.

Default: 65400 bytes

pdu_size

Specifies the maximum payload size (in octets) of the GTPP packet as an integer from 1024 to 65400. The payload includes the CDR and the GTPP header.

CAUTION:

This command is effective only when GTPP single-source is configured; otherwise this command has no effect.


Usage:

The GTPP packet contains headers (layer 2, IP, UDP, and GTPP) followed by the CDR. Each CDR contains one or more volume containers. If a packet containing one CDR exceeds the configured maximum payload size, the system creates and sends the packet containing the one CDR regardless.

The larger the packet data unit (PDU) size allowed, the more volume containers can fit into the CDR.

The system performs standard IP fragmentation for packets that exceed the system’s maximum transmission unit (MTU).

IMPORTANT:

The maximum size of an IPv4 PDU (including the IPv4 and subsequent headers) is 65,535. However, a slightly smaller limit is imposed by this command because the system’s max-pdu-size doesn't include the IPv4 and UDP headers, and because the system may need to encapsulate GTPP packets in a different/larger IP packet (for sending to a backup device).


Example:
The following command configures a maximum PDU size of 2048 octets:
gtpp max-pdu-size 2048
gtpp max-retries

Configures the maximum number of times the system attempts to communicate with an unresponsive Charging Gateway Function (CGF).

Platform:

ASR 5000

Product:

GGSN, P-GW, SGSN


Privilege:

Security Administrator, Administrator


Syntax
gtpp max-retries max_attempts
default gtpp max-retries
default

Configures this command with the default setting.

Default: 4

max_attempts

Specifies the number of times the system attempts to communicate with a CGF that is not responding. max_attempts is an integer from 1 through 15.


Usage:

This command works in conjunction with the gtpp detect-dead-server and gtpp timeout parameters to set a limit to the number of communication failures that can occur with a configured CGF.

When the value specified by this parameter is met, a failure is logged. The gtpp detect-dead-server parameter specifies the number of consecutive failures that could occur before the server is marked as down.

In addition, the gtpp timeout command controls the amount of time between re-tries.

If the value for the max-retries is met, the system begins storing CDRs in Random Access Memory (RAM). The system allocates memory as a buffer, enough to store one million CDRs for a fully loaded chassis (a maximum of one outstanding CDR per PDP context). Archived CDRs are re-transmitted to the CGF until they are acknowledged or the system’s memory buffer is exceeded.

Refer to the gtpp detect-dead-server and gtpp timeout commands for additional information.


Example:
The following command configures the maximum number of re-tries to be 8:
gtpp max-retries 8
gtpp node-id

Configures the GTPP Node ID for all CDRs.

Platform:

ASR 5000

Product:

GGSN, P-GW, SGSN


Privilege:

Security Administrator, Administrator


Syntax
gtpp node-id node_id
no gtpp node-id
no

Removes the previous gtpp node ID configuration.

node_id

Specifies the node ID for all CDRs as an alphameric string of 1 through 16 characters.


Usage:

Use this command to configure the GTPP Node ID for all CDRs.


Example:
The following command configures the GTPP Node ID as test123:
gtpp node-id test123
gtpp redirection-allowed

Configures the system to allow or disallow the redirection of CDRs when the primary Charging Gateway Function (CGF) is unavailable.

Platform:

ASR 5000

Product:

GGSN, P-GW, SGSN


Privilege:

Security Administrator, Administrator


Syntax
gtpp redirection-allowed
{ default | no } gtpp redirection-allowed
default

Configures this command with the default setting. Default: Enabled

no

Deletes the command from the configuration.


Usage:

This command allows operators to better handle erratic network links, without having to remove the configuration of the backup server(s) via the no gtpp server command.

This functionality is enabled by default.

If the no gtpp redirection-allowed command is executed, the system only sends CDRs to the primary CGF. If that CGF goes down, the system buffers the CDRs in memory until the CGF comes back or until the system runs out of buffer memory. In addition, if the primary CGF announces its intent to go down (with a GTPP Redirection Request message), the system responds to that request with an error response.

gtpp redirection-disallowed

This command has been obsoleted and is replaced by the gtpp redirection-allowed command.

gtpp server

Configures the Charging Gateway Function (CGF) accounting server(s) with which the system will communicate.

Platform:

ASR 5000

Product:

GGSN, P-GW, SGSN


Privilege:

Security Administrator, Administrator


Syntax
gtpp server ip_address [ max max_messages ] [ priority priority ] [ node-alive { enable | disable } ] [ -noconfirm ]
no gtpp server ip_address
no

Deletes a previously configured CGF.

ip_address

Specifies the IP address of the CGF in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

max max_messages

Default: 256

Specifies the maximum number of outstanding or unacknowledged GTPP packets (from any one AAA Manager task) allowed for this CGF before the system begins buffering the packets.

max_messages can be configured as an integer from 1 through 256.

priority priority

Default: 1000

Specifies the relative priority of this CGF. When multiple CGFs are configured, the priority is used to determine which CGF server to send accounting data to.

priority can be configured as an integer from 1 through 1000. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.

port port

Default: 3386

Specifies the port the CGF is using. port can be configured as an integer from 1 through 65535. Default value for port is 3286.

node-alive { enable | disable }

Default: Disable.

This optional keyword allows the operator to enable or disable the GSN sending Node Alive Requests to the GTPP server (i.e. CGF). This can be configured on a per-GTPP-server basis.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to configure the CGF(s) that the system sends CDR accounting data to.

Multiple CGFs can be configured using multiple instances of this command. Up to 12 CGFs can be configured per system context. Each configured CGF can be assigned a priority. The priority is used to determine which server to use for any given subscriber based on the routing algorithm that has been implemented. A CGF with a priority of “1” has the highest priority.

IMPORTANT:

The configuration of multiple CGFs with the same IP address but different port numbers is not supported.

Each CGF can also be configured with the maximum allowable number of unacknowledged GTPP packets. Since multiple AAA Manager tasks could be communicating with the same CGF, the maximum is based on any one AAA Manager instance. If the maximum is reached, the system buffers the packets in Random Access Memory (RAM). The system allocates memory as a buffer, enough to store one million CDRs for a fully loaded chassis (a maximum of one outstanding CDR per PDP context).


Example:
The following command configures a CGF with an IP address of 192.168.2.2 and a priority of 5.
gtpp server 192.168.2.2 priority 5
The following command deletes a previously configured CGF with an IP address of 100.10.35.7:
no gtpp server 100.10.35.7 
gtpp source-port-validation

Toggles port checking for node alive/echo/redirection requests from the CGF.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] gtpp source-port-validation
default

Configures this command with the default setting.

Default: Enabled

no

Disables CGF port checking. Only the IP address will be used to verify CGF requests.


Usage:

This command is for enabling or disabling port checking on node alive/echo/redirection requests from the CGF. If the CGF sends messages on a non-standard port, it may be necessary to disable port checking in order to receive CGF requests. With the default setting, both IP and port are checked.


Example:
The following command disables port checking for CGF requests:
no gtpp source-port-validation
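Several of the gtpp settings documented above either have hard ranges or change how CGF traffic is verified and how CDRs are retained, so they are worth checking when a context configuration is reviewed. The script below is an added example, not a Cisco tool: it assumes its input is the gtpp lines of a single context written in the command forms shown in the Syntax sections, and the sample configuration and 192.0.2.x addresses are constructed.

```python
"""Audit the gtpp lines of one context against the limits documented above."""
import re

# Integer ranges as documented for each command on this page.
RANGES = {
    "gtpp detect-dead-server consecutive-failures": (0, 1000),
    "gtpp duplicate-hold-time": (1, 10080),
    "gtpp echo-interval": (60, 2147483647),
    "gtpp max-cdrs": (1, 255),
    "gtpp max-pdu-size": (1024, 65400),
    "gtpp max-retries": (1, 15),
}

# Non-default settings whose documented effect deserves a second look.
REVIEW = {
    "no gtpp source-port-validation":
        "CGF requests are verified by IP address only",
    "gtpp error-response discard-cdr":
        "CDRs are purged on an error response and not retried",
    "no gtpp redirection-allowed":
        "CDRs go only to the primary CGF and are buffered in memory while it is down",
}

MAX_SERVERS = 12   # CGFs that can be configured per context


def audit(config_text):
    """Return a list of (line number, kind, message) findings."""
    findings = []
    first_with_priority = {}   # priority -> address of the first CGF using it
    servers = 0
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())          # normalise whitespace
        if line in REVIEW:
            findings.append((lineno, "review", REVIEW[line]))
            continue
        server = re.fullmatch(r"gtpp server (\S+)(.*)", line)
        if server:
            servers += 1
            address, rest = server.groups()
            prio = re.search(r" priority (\d+)", rest)
            priority = int(prio.group(1)) if prio else 1000   # documented default
            if not 1 <= priority <= 1000:
                findings.append((lineno, "range",
                                 f"priority {priority} outside 1-1000"))
            elif priority in first_with_priority:
                findings.append((lineno, "priority",
                                 f"{address} shares priority {priority} "
                                 f"with {first_with_priority[priority]}"))
            else:
                first_with_priority[priority] = address
            if servers == MAX_SERVERS + 1:
                findings.append((lineno, "limit",
                                 "more than 12 CGFs in one context"))
            continue
        for prefix, (low, high) in RANGES.items():
            value = re.fullmatch(re.escape(prefix) + r" (\d+)( .*)?", line)
            if value and not low <= int(value.group(1)) <= high:
                findings.append((lineno, "range",
                                 f"{prefix} {value.group(1)} outside {low}-{high}"))
    return findings


# Constructed sample configuration.
SAMPLE = """\
gtpp server 192.0.2.10 priority 5
gtpp server 192.0.2.11 priority 5 -noconfirm
gtpp max-retries 20
gtpp max-pdu-size 2048
no gtpp source-port-validation
gtpp error-response discard-cdr
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```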
gtpp storage-server

Configures information for the GTPP back-up storage server.

Platform:

ASR 5000

Product:

GGSN, P-GW, SGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] gtpp storage-server ip-address port port-num
no

Removes a previously configured back-up storage server.

ip-address

Specifies the IP address of the back-up storage server expressed in IPv4 dotted-decimal notation.

port port-num

Specifies the UDP port number over which the GSN communicates with the back-up storage server. Default: 3386


Usage:

This command configures the information for the server to which GTPP packets are backed up in the event that all CGFs are unreachable.

One backup storage server can be configured per system context.

IMPORTANT:

This command only takes effect if gtpp single-source in the Global Configuration Mode is also configured. Additionally, this command is customer specific. Please contact your local sales representative for additional information.


Example:
The following command configures a back-up server with an IP address of 192.168.1.2:
gtpp storage-server 192.168.1.2
gtpp storage-server local file

Configures the parameters for GTPP files stored locally on the GTPP storage server. This command is available for the ASR 5000 platform only.

Platform:

ASR 5000

Product:

GGSN, P-GW, SGSN


Privilege:

Security Administrator, Administrator


Syntax
gtpp storage-server local file { compression { gzip | none } | format { custom1 | custom2 | custom3 | custom4 | custom5 | custom6 | custom7 | custom8 } | name { format string [ max-file-seq-num seq_number ] | prefix prefix } | purge-processed-files [ file-name-pattern file_pattern | purge-interval purge_dur ] | rotation { cdr-count count | time-interval time [ force-file-rotation ] | volume mb size } }
default gtpp storage-server local file { compression | format | name { format | prefix } | purge-processed-files | rotation { cdr-count | time-interval | volume } }
no gtpp storage-server local file { purge-processed-files | rotation { cdr-count | time-interval } }
default

Configures default setting for the specified parameter.

no

Removes previously configured parameters for local storage of CDR files on the HDD on the SMC card.

compression { gzip | none }

Configures the type of compression to be used on the files stored locally.

  • gzip: Enables Gzip file compression.
  • none: Disables Gzip file compression. This is the default value.

Default: Disabled

format { custom-n }

Configures the file format to be used to format files to be stored locally.

custom1: File format custom1—this is the default value.

custom2: File format custom2.

custom3: File format custom3.

custom4: File format custom4.

custom5: File format custom5.

custom6: File format custom6 with a block size of 8K for CDR files.

custom7: File format custom7 is a customer specific CDR file format.

custom8: File format custom8 is a customer specific CDR file format. It uses node-id-suffix_date_time_fixed-length-seq-num.u format for file naming.

Default: custom1

name { format | prefix prefix }

Allows the format of the CDR filenames to be configured independently from the file format, so that the name format contains the file name with conversion specifications.

prefix Enter an alphanumeric string of 1 through 127 characters. The string must begin with the % (percent sign).
  • %y: year as a decimal number without century (range 00 to 99).
  • %Y: year as a decimal number with century.
  • %m: month as a decimal number (range 01 to 12).
  • %d: day of the month as a decimal number (range 01 to 31).
  • %H: hour as a decimal number 24-hour format (range 00 to 23).
  • %h: hour as a decimal number 12-hour format (range 01 to 12).
  • %M: minute as a decimal number (range 00 to 59).
  • %S: second as a decimal number (range 00 to 60). (The range is up to 60 to allow occasional leap seconds.)
  • %Q: File sequence number. Field width may be specified between the % and the Q. If the natural size of the field is smaller than this width, then the result string is padded (on the left) to the specified width with 0s.
  • %N: Number of CDRs in the file. Field width may be specified between the % and the N. If the natural size of the field is smaller than this width, then the result string is padded (on the left) to the specified width with 0s.
  • max-file-seq-no: This can be configured optionally. It indicates the maximum value of sequence number in file name (starts from 1). Once the configured max-file-seq-no limit is reached, the sequence number will restart from 1. If no max-file-seq-no is specified then file sequence number ranges from 1 – 4294967295.

By default the above keyword is not configured (default gtpp storage-server local file name format), in which case the CDR filenames are generated based on the file format as before (maintains backward compatibility).

purge-processed-files [ file-name-pattern file_pattern | purge-interval purge_dur ]

Enables the GSN to periodically (every 4 minutes) delete locally processed (*.p) CDR files from the HDD on the SMC card. Default: Disabled

IMPORTANT:

This option is available only when GTPP server storage mode is configured for local storage of CDRs with the gtpp storage-server mode local command.

Optional keyword file-name-pattern file_pattern provides an option for user to control the pattern of files. file_pattern must be mentioned in *.p format in a string of size 1 through 127, which is also the default format. Wild cards * and : (synonymous to |) are allowed.

Optional keyword purge-interval purge_dur provides an option for user to control the purge interval duration (in minutes). purge_dur must be an integer from 1 through 259200. Default value 60.

rotation { cdr-count count | time-interval time | volume mb size }

Specifies rotation related configuration for GTPP files stored locally.

cdr-count count: Configures the CDR count for the file rotation as an integer from 1000 through 65000. Default value 10000.

time-interval time: Configures the time interval (in seconds) for file rotation as an integer from 30 through 86400. Default value 3600 (1 hour).

volume mb size: Configure the file volume (in MB) for file rotation. Enter an integer from 2 to 40. This trigger cannot be disabled. Default value is 4MB.


Usage:

This command configures the parameters for storage of GTPP packets as files on the local server—meaning the hard disk.


Example:
The following command configures rotation for every 1.5 hours (5400 seconds) for locally stored files.
gtpp storage-server local file rotation time-interval 5400 start-file-seq-num 20 recover-file-seq-num
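The name format conversion specifications listed above (%y through %N, with an optional field width on %Q and %N, and the sequence number wrapping at the configured maximum) can be exercised with the expander below. It is an added example, not the platform's implementation: it is written by hand because %h here is the 12-hour hour and %Q/%N are counters, so strftime cannot be used directly. The function names, the sample format string and the restriction of literal text to letters, digits, "_", "." and "-" are assumptions of the example.

```python
"""Expander for the CDR file-name conversion specifications listed above."""
import re
from datetime import datetime

MAX_SEQ_DEFAULT = 4294967295            # upper bound when no maximum is configured
_SPEC = re.compile(r"%(\d*)(.?)")       # optional field width, then the conversion
_LITERAL_OK = re.compile(r"[A-Za-z0-9_.-]*")   # assumption of this example


def next_seq(current, max_file_seq_num=MAX_SEQ_DEFAULT):
    """Sequence numbers start at 1 and restart from 1 after the maximum."""
    return 1 if current >= max_file_seq_num else current + 1


def expand_name(fmt, when, seq, cdr_count):
    """Expand a name format for one file; raise ValueError on a bad format."""
    if not 1 <= len(fmt) <= 127 or not fmt.startswith("%"):
        raise ValueError("format must be 1-127 characters and begin with %")
    # Whatever is left after removing the conversions is literal file-name
    # text; refuse anything that could act as a path component.
    if not _LITERAL_OK.fullmatch(_SPEC.sub("", fmt)):
        raise ValueError("literal text limited to letters, digits, _ . -")

    hour12 = when.hour % 12 or 12       # %h: 12-hour clock, range 01 to 12
    dates = {
        "y": f"{when.year % 100:02d}", "Y": f"{when.year:04d}",
        "m": f"{when.month:02d}", "d": f"{when.day:02d}",
        "H": f"{when.hour:02d}", "h": f"{hour12:02d}",
        "M": f"{when.minute:02d}", "S": f"{when.second:02d}",
    }
    counters = {"Q": seq, "N": cdr_count}

    def repl(match):
        width, conv = match.groups()
        if conv in counters:
            # Left-pad with zeros only when the value is narrower than the width.
            return str(counters[conv]).zfill(int(width or 0))
        if conv in dates and not width:
            return dates[conv]
        raise ValueError(f"unsupported conversion {match.group(0)!r}")

    return _SPEC.sub(repl, fmt)


if __name__ == "__main__":
    # Constructed sample format and values.
    stamp = datetime(2024, 3, 5, 14, 7, 9)
    print(expand_name("%Y%m%d_%H%M%S_%6Q_%N.cdr", stamp, 42, 1000))
```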
gtpp storage-server max-retries

Configures the maximum number of times the system attempts to communicate with an unresponsive GTPP back-up storage server.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp storage-server max-retries max_attempts
default gtpp storage-server max-retries
default

Configures this command with the default setting.

Default: 2

max_attempts

Specifies the number of times the system attempts to communicate with a GTPP back-up storage server that is not responding. max_attempts must be an integer from 1 through 15.


Usage:

This command works in conjunction with the gtpp storage-server timeout parameters to set a limit to the number of communication failures that can occur with a configured GTPP back-up storage server.

The gtpp storage-server timeout command controls the amount of time between re-tries.


Example:
The following command configures the maximum number of re-tries to be 8:
gtpp storage-server max-retries 8

gtpp storage-server mode

Configures storage mode, local or remote, for CDRs. Local storage mode is available with ASR 5000 platforms only.

Platform:

ASR 5000

Product:

GGSN, P-GW, SGSN


Privilege:

Security Administrator, Administrator


Syntax
gtpp storage-server mode { local | remote | streaming }
default gtpp storage-server mode

default

Configures this command with the default setting.

Default: remote

local

Default: Disabled

Specifies the use of the hard disk on the SMC for storing CDRs.

remote

Specifies the use of an external server for storing CDRs. This is the default value.

streaming

Default: Disabled

Allows the operator to configure the “streaming” mode of operation for the GTPP group. When this keyword is supplied, CDRs are stored in the following fashion:

  • When the GTPP link with the CGF is active, CDRs are sent to the CGF via GTPP and the local hard disk is NOT used as long as every record is acknowledged in time.
  • If the GTPP connection is considered to be down, all streaming CDRs are saved temporarily on the local hard disk; once the connection is restored, unacknowledged records are retrieved from the hard disk and sent to the CGF.

Usage:

This command configures whether the CDRs should be stored on the hard disk of the SMC or remotely, on an external server.


Example:
The following command configures use of a hard disk for storing CDRs:
gtpp storage-server mode local

gtpp storage-server timeout

Configures the amount of time that must pass with no response before the system re-attempts to communicate with the GTPP back-up storage server.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp storage-server timeout duration
default gtpp storage-server timeout

default

Configures this command with the default setting.

Default: 30 seconds

duration

Specifies the maximum amount of time (in seconds) the system waits for a response from the GTPP back-up storage server before assuming the packet is lost. duration is an integer from 30 through 120.


Usage:

This command works in conjunction with the gtpp storage-server max-retries command to establish a limit on the number of times that communication with a GTPP back-up storage server is attempted before a failure is logged. This parameter specifies the time between retries.


Example:

The following command configures a retry timeout of 60 seconds:

gtpp storage-server timeout 60

gtpp suppress-cdrs zero-volume-and-duration

Suppresses the CDRs created by sessions having zero duration and/or zero volume. By default this mode is disabled.

Platform:

ASR 5000

Product:

GGSN, P-GW, SGSN


Privilege:

Security Administrator, Administrator


Syntax
gtpp suppress-cdrs zero-volume-and-duration { gcdrs [ egcdrs ] | egcdrs [ gcdrs ] }
default gtpp suppress-cdrs zero-volume-and-duration

default

Configures this command with the default setting.

Default: Disabled.

gcdrs [ egcdrs ]

Suppresses G-CDRs before eG-CDRs.

egcdrs [ gcdrs ]

Suppresses eG-CDRs before G-CDRs.


Usage:

Use this command to suppress the CDRs (G-CDRs and eG-CDRs) that are created when zero-duration sessions and zero-volume sessions are encountered for any reason. By default this command is disabled and the system does not suppress any CDR.


Example:
The following command configures the system to suppress the eG-CDRs created for a zero duration session or zero volume session:
gtpp suppress-cdrs zero-volume-and-duration egcdrs gcdrs

gtpp timeout

Configures the amount of time that must pass with no response before the system re-attempts to communicate with the Charging Gateway Function (CGF).

Platform:

ASR 5000

Product:

GGSN, SGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
gtpp timeout time
default gtpp timeout

default

Configures this command with the default setting. Default: 20 seconds

time

Specifies the maximum amount of time (in seconds) the system waits for a response from the CGF before assuming the packet is lost. time is an integer from 1 through 60.


Usage:

This command works in conjunction with the gtpp max-retries command to establish a limit on the number of times that communication with a CGF is attempted before a failure is logged.

This parameter specifies the time between retries.


Example:
The following command configures a retry timeout of 30 seconds:
gtpp timeout 30

gtpp trigger

This command is left in place for backward compatibility. To disable and enable GTPP triggers you should use the gtpp trigger command in GTPP Server Group Configuration Mode.

gtpp transport-layer

Selects the transport layer protocol for the Ga interface for communication between the access gateways (GSNs) and GTPP servers.

Platform:

ASR 5000

Product:

GGSN, P-GW, SGSN


Privilege:

Security Administrator, Administrator


Syntax
gtpp transport-layer { tcp | udp }
default gtpp transport-layer

default

Configures this command with the default setting.

Default: udp

tcp

Default: Disabled

Enables the system to implement TCP as transport layer protocol for communication with GTPP server.

udp

Default: Enabled

Enables the system to implement UDP as transport layer protocol for communication with GTPP server.


Usage:

Use this command to select TCP or UDP as the transport layer protocol for Ga interface communication between GTPP servers and AGWs (GSNs).


Example:
The following command enables TCP as the transport layer protocol for the GSN’s Ga interface.
gtpp transport-layer tcp

gtpu-service

Creates a GTP-U service or specifies an existing GTP-U service and enters the GTP-U Service Configuration Mode for the current context.

Platform:

ASR 5000

Product:

GGSN, P-GW, S-GW


Privilege:

Administrator


Syntax
gtpu-service service_name [ -noconfirm ]
no gtpu-service service_name

gtpu-service service_name

Specifies the name of the GTP-U service. If service_name does not refer to an existing service, a new service is created if resources allow. service_name is an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

no gtpu-service service_name

Removes the specified GTP-U service from the context.


Usage:

Enter the GTP-U Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Entering this command results in the following prompt:

[context_name]hostname(config-gtpu-service)#

GTP-U Service Configuration Mode commands are defined in the GTP-U Service Configuration Mode Commands chapter.


Example:
The following command enters the existing GTP-U Service Configuration Mode (or creates it if it does not already exist) for the service named gtpu-service1:
gtpu-service gtpu-service1
The following command will remove gtpu-service1 from the system:
no gtpu-service gtpu-service1

ha-service

Creates/deletes a home agent service or specifies an existing HA service for which to enter the Home Agent Service Configuration Mode for the current context.

Platform:

ASR 5000

Product:

HA


Privilege:

Security Administrator, Administrator


Syntax
ha-service name [ -noconfirm ]
no ha-service name

no

Indicates the home agent service specified is to be removed.

name

Specifies the name of the HA service to configure. If name does not refer to an existing service, the new service is created if resources allow. name is an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Enter the HA Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.


Example:
The following command will enter, or create and enter, the HA service sampleService:
ha-service sampleService
The following command will remove sampleService as being a defined HA service:
no ha-service sampleService

hnbgw-service

Creates or removes a Home NodeB Gateway (HNB-GW) service or configures an existing HNB-GW service and enters the HNB-GW Service Configuration Mode for Femto UMTS access networks configuration in the current context.

Platform:

ASR 5000

Product:

HNB-GW


Privilege:

Administrator


Syntax
hnbgw-service hnbgw_svc_name [ -noconfirm ]
no hnbgw-service hnbgw_svc_name

no

Removes the specified HNB-GW service from the context.

hnbgw_svc_name

Specifies the name of the HNB-GW service. If hnbgw_svc_name does not refer to an existing service, the new service is created if resources allow. hnbgw_svc_name is an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to enter the HNB-GW Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of one HNB-GW service can be configured per system, which is further limited by the maximum of 256 services (regardless of type) per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Entering this command results in the following prompt:

[context_name]hostname(config-hnbgw-service)#

The commands available in this mode are defined in the HNB-GW Service Configuration Mode Commands chapter of Command Line Interface Reference.

CAUTION:

This is a critical configuration. The HNB-GW service cannot be configured without this configuration. Any change to this configuration leads to a restart of the HNB-GW service, and removing or disabling this configuration stops the HNB-GW service.


Example:
The following command enters the existing HNB-GW Service Configuration Mode (or creates it if it does not already exist) for the service named hnb-service1:
hnbgw-service hnb-service1
The following command will remove hnb-service1 from the system:
no hnbgw-service hnb-service1

hsgw-service

Creates an HSGW service or specifies an existing HSGW service and enters the HSGW Service Configuration Mode for the current context.

Platform:

ASR 5000

Product:

HSGW


Privilege:

Administrator


Syntax
hsgw-service service_name [ -noconfirm ]
no hsgw-service service_name

no

Removes the specified HSGW service from the context.

service_name

Specifies the name of the HSGW service. If service_name does not refer to an existing service, the new service is created if resources allow. service_name is an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Enter the HSGW Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Entering this command results in the following prompt:

[context_name]hostname(config-hsgw-service)#

HSGW Service Configuration Mode commands are defined in the HSGW Service Configuration Mode Commands chapter.

Use this command when configuring the following eHRPD components: HSGW.


Example:
The following command enters the existing HSGW Service Configuration Mode (or creates it if it does not already exist) for the service named hsgw-service1:
hsgw-service hsgw-service1
The following command will remove hsgw-service1 from the system:
no hsgw-service hsgw-service1

hss-peer-service

Creates a Home Subscriber Service (HSS) peer service or configures an existing HSS peer service and enters the HSS Peer Service Configuration Mode.

Platform:

ASR 5000

Product:

MME,


Privilege:

Administrator


Syntax
hss-peer-service service_name [ -noconfirm ]
no hss-peer-service service_name

no

Removes the specified HSS peer service from the context.

service_name

Specifies the name of the HSS peer service. If service_name does not refer to an existing service, a new service is created if resources allow. service_name is an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Enter the HSS Peer Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Entering this command results in the following prompt:

[context_name]hostname(config-hss-peer-service)#

HSS Peer Service Configuration Mode commands are defined in the HSS Peer Service Configuration Mode Commands chapter.


Example:
The following command enters the existing HSS Peer Service Configuration Mode (or creates it if it does not already exist) for the service named hss-peer1:
hss-peer-service hss-peer1
The following command will remove hss-peer1 from the system:
no hss-peer-service hss-peer1

ikev1 disable-initial-contact

Disables the sending of the INITIAL-CONTACT message in the IKEv1 protocol after the node creates a new Phase1 SA, caused either by Dead Peer Detection or by a rekey.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ikev1 disable-initial-contact

no

Disables this command, which re-enables the sending of the INITIAL-CONTACT message.


Usage:

Use this command to disable the sending of the INITIAL-CONTACT message in the IKE v1 protocol.


Example:
The following command disables the sending of the INITIAL-CONTACT message:
ikev1 disable-initial-contact

ikev1 disable-phase1-rekey

Configures the rekeying of Phase1 SA when the Internet Security Association and Key Management Protocol (ISAKMP) lifetime expires in Internet Key Exchange (IKE) v1 protocol.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ikev1 disable-phase1-rekey

no

Re-enables the rekeying of Phase 1 SAs when the ISAKMP lifetime expires.


Usage:

Use this command to disable the rekeying of Phase 1 SAs when the ISAKMP lifetime expires in IKE v1 protocol.


Example:
The following command disables rekeying of Phase1 SAs when the lifetime expires:
ikev1 disable-phase1-rekey

ikev1 keepalive dpd

Configures the ISAKMP IPSec Dead Peer Detection (DPD) message parameters for IKE v1 protocol.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ikev1 keepalive dpd interval interval timeout time num-retry retries

no

Deletes previously configured IPSec DPD Protocol settings.

dpd interval interval

Specifies the time interval (in seconds) at which IPSec DPD Protocol messages are sent. interval is an integer from 10 through 3600.

timeout time

Specifies the amount of time (in seconds) allowed for receiving a response from the peer security gateway prior to re-sending the message. time is an integer from 10 through 3600.

num-retry retries

Specifies the maximum number of times that the system should attempt to reach the peer security gateway prior to considering it unreachable. retries is an integer from 1 through 100.


Usage:

Use this command to configure the ISAKMP dead peer detection parameters in IKE v1 protocol.

Tunnels belonging to crypto groups are perpetually kept “up” through the use of the IPSec Dead Peer Detection (DPD) packets exchanged with the peer security gateway.

IMPORTANT:

The peer security gateway must support RFC 3706 for this functionality to work properly.

This functionality is for use with the Redundant IPSec Tunnel Fail-over feature and to prevent IPSec tunnel state mismatches between the FA and HA when used in conjunction with Mobile IP applications.

Regardless of the application, DPD must be supported/configured on both security peers. If the system is configured with DPD but it is communicating with a peer that does not have DPD configured, IPSec tunnels still come up. However, the only indication that the remote peer does not support DPD exists in the output of the show crypto isakmp security associations summary dpd command.

IMPORTANT:

If DPD is enabled while IPSec tunnels are up, it will not take effect until all of the tunnels are cleared.


Example:
The following command configures IPSec DPD Protocol parameters to have an interval of 15, a timeout of 10, and to retry each attempt 5 times:
ikev1 keepalive dpd interval 15 timeout 10 num-retry 5

ikev1 policy

Configures or creates an ISAKMP policy with the specified priority and enters ISAKMP Configuration Mode for IKE v1 protocol.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ikev1 policy priority

no

Removes a previously configured ISAKMP policy for IKE v1 protocol.

priority

Specifies the priority of an ISAKMP policy as an integer from 0 through 100. ISAKMP policies for IKE v1 protocol with lower priority numbers take precedence over policies with higher priorities. “0” is the highest priority. Default: 0


Usage:

Use this command to create ISAKMP policies to regulate how IPSec key negotiation is performed for IKE v1 protocol.

Internet Security Association Key Management Protocol (ISAKMP) policies are used to define Internet Key Exchange (IKE) SAs. The IKE SAs dictate the shared security parameters (i.e. which encryption parameters to use, how to authenticate the remote peer, etc.) between the system and a peer security gateway.

During Phase 1 of IPSec establishment, the system and a peer security gateway negotiate IKE SAs. These SAs are used to protect subsequent communications between the peers including the IPSec SA negotiation process.

Multiple ISAKMP policies can be configured in the same context and are used in an order determined by their priority number.


Example:
Use the following command to create an ISAKMP policy with the priority 1 and enter the ISAKMP Configuration Mode:
ikev1 policy 1

ikev2-ikesa

Creates a new, or specifies an existing, IKEv2 security association transform set and enters the IKEv2 Security Association Configuration Mode.

Platform:

ASR 5000

Product:

ePDG, PDIF


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ikev2-ikesa transform-set name

no

Removes the entered IKEv2 security association transform set from the system.

name

Specifies the name of a new or existing security association transform set as an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to create a new or enter an existing IKEv2 security association transform-set. A list of up to four separate transform-sets can be created.

Entering this command results in the following prompt:

[context_name]hostname(cfg-ctx-ikev2ikesa-tran-set)#

IKEv2 Security Association Configuration Mode commands are defined in the IKEv2 Security Association Configuration Mode Commands chapter.


Example:
The following command configures an IKEv2 security association transform set called ikesa3 and enters the IKEv2 Security Association Configuration Mode:
ikev2-ikesa transform-set ikesa3

ims-auth-service

This command enables the creation, configuration or deletion of an IMS authorization service in the current context.

Platform:

ASR 5000

Product:

GGSN, HA, IPSG, PDSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
ims-auth-service auth_svc_name [ -noconfirm ]
{ no | default } ims-auth-service auth_svc_name

no

Deletes the specified IMS authorization service within the current context.

default

Restores default state of IMS authorization service, disabled for a specific context.

auth_svc_name

Specifies name of the IMS authorization service as a unique alphanumeric string of 1 through 63 characters.

A maximum of 16 authorization services can be configured globally in the system. There is also a system limit for the maximum number of total configured services.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create/configure/delete an IMS authorization service for Gx interface support in the current context.

Entering this command results in the following prompt:

[context_name]hostname(config-imsa-service)

IMS authorization service configuration commands are described in the IMS Authorization Service Configuration Mode Commands chapter.


Example:
The following command configures an IMS authorization service named ims_interface1 within the current context:
ims-auth-service ims_interface1

ims-sh-service

Creates the specified IP Multimedia Subsystem (IMS) Sh service name to allow configuration of an Sh service.

Platform:

ASR 5000

Product:

PDIF, SCM


Privilege:

Administrator


Syntax
ims-sh-service name
no ims-sh-service name

no

Removes a previously configured IMS-Sh-service.

name

Specifies the name of the IMS-Sh-service to be configured as an alphanumeric string of 1 through 63 characters.


Usage:

The IMS-Sh-service is named in the pdif-service and/or cscf-service. Use this command to enter the IMS Sh Service Configuration Mode.

Entering this command results in the following prompt:

[context_name]hostname(config-ims-sh-service)#

IMS Sh Service Configuration Mode commands are defined in the IMS Sh Service Configuration Mode Commands chapter in this guide.


Example:
The following example creates or enters an IMS Sh service named ims-1:
ims-sh-service ims-1

inspector

Configures a context-level inspector account within the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator


Syntax
inspector user_name [ encrypted ] password password [ ecs | noecs ] [ expiry-date date_time ] [ li-administration ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle timeout_duration ] [ timeout-min-idle idle_minutes ]
no inspector user_name

no

Removes a previously configured inspector account.

user_name

Specifies a name for the context-level inspector account as an alphanumeric string of 1 through 32 characters.

[ encrypted ] password password

Specifies the password to use for the user which is being given context-level inspector privileges within the current context. The encrypted keyword indicates the password specified uses encryption.

password is an alphanumeric string of 1 through 63 characters without encryption, or 1 through 127 characters with encryption.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

ecs | noecs

Default: noecs

ecs: Permits the specific user to access ACS-specific configuration commands.

noecs: Prevents the specific user from accessing ACS-specific configuration commands.

expiry-date date_time

Specifies the date and time that this account expires. Enter the date and time in the format YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss.

Where YYYY is the year, MM is the month, DD is the day of the month, HH is the hour, mm is minutes, and ss is seconds.

li-administration

Refer to the Lawful Intercept Configuration Guide for a description of this parameter.

timeout-absolute abs_seconds

This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum amount of time (in seconds) the context-level inspector may have a session active before the session is forcibly terminated. abs_seconds must be an integer from 0 through 300000000. The value 0 disables the absolute timeout. Default: 0

timeout-min-absolute abs_minutes

Specifies the maximum amount of time (in minutes) the context-level inspector may have a session active before the session is forcibly terminated. abs_minutes must be an integer from 0 through 525600 (365 days). The value 0 disables the absolute timeout. Default: 0

timeout-idle timeout_duration

This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum amount of idle time (in seconds) the context-level inspector may have a session active before the session is terminated. timeout_duration must be an integer from 0 through 300000000. The value 0 disables the idle timeout. Default: 0

timeout-min-idle idle_minutes

Specifies the maximum amount of idle time (in minutes) the context-level inspector may have a session active before the session is terminated. idle_minutes must be an integer from 0 through 525600 (365 days). The value 0 disables the idle timeout. Default: 0


Usage:

Use this command to create a new context-level inspector or to modify an existing inspector’s options, in particular the timeout values.

Inspector users have minimal read-only privileges. Refer to the Command Line Interface Overview chapter for more information.

IMPORTANT:

A maximum of 128 administrative users and/or subscribers may be locally configured per context.
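
As an added illustration that is not part of the vendor reference, the following Python script audits inspector command lines taken from a stored configuration script against the ranges, formats and defaults given above (disabled timeouts, missing or past expiry dates, obsolete keywords, plain-text passwords). The finding codes, function names and sample lines are assumptions made for this example.

```python
from datetime import datetime

# Keywords from the inspector syntax on this page.
FLAG_KEYWORDS = {"ecs", "noecs", "li-administration"}
# Timeout keywords with their documented ranges (0 disables the timeout).
RANGES = {
    "timeout-absolute": (0, 300000000),      # seconds, obsolete
    "timeout-idle": (0, 300000000),          # seconds, obsolete
    "timeout-min-absolute": (0, 525600),     # minutes
    "timeout-min-idle": (0, 525600),         # minutes
}
OBSOLETE = {"timeout-absolute", "timeout-idle"}
VALUE_KEYWORDS = set(RANGES) | {"expiry-date"}


def parse_expiry(text):
    """Parse YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss; None if malformed."""
    for fmt in ("%Y:%m:%d:%H:%M:%S", "%Y:%m:%d:%H:%M"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    return None


def audit_inspector(line, now):
    """Return sorted finding codes (hypothetical names) for one config line."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "inspector":
        return ["SYNTAX"]
    findings = set()
    if not 1 <= len(tokens[1]) <= 32:
        findings.add("USERNAME_LENGTH")
    pos = 2
    encrypted = tokens[pos] == "encrypted"
    if encrypted:
        pos += 1
    if pos + 1 >= len(tokens) or tokens[pos] != "password":
        return ["SYNTAX"]
    if len(tokens[pos + 1]) > (127 if encrypted else 63):
        findings.add("PASSWORD_LENGTH")
    if not encrypted:
        # Without the encrypted keyword the stored line holds the plain text.
        findings.add("PLAINTEXT_PASSWORD")
    pos += 2

    opts = {}
    while pos < len(tokens):
        key = tokens[pos]
        if key in FLAG_KEYWORDS:
            opts[key] = True
            pos += 1
        elif key in VALUE_KEYWORDS and pos + 1 < len(tokens):
            opts[key] = tokens[pos + 1]
            pos += 2
        else:
            return ["SYNTAX"]

    if "ecs" in opts and "noecs" in opts:
        findings.add("ECS_CONFLICT")
    if "expiry-date" not in opts:
        findings.add("NO_EXPIRY")
    else:
        expiry = parse_expiry(opts["expiry-date"])
        if expiry is None:
            findings.add("EXPIRY_FORMAT")
        elif expiry <= now:
            findings.add("EXPIRED")

    valid = {}  # timeout keyword -> in-range integer value
    for key, (low, high) in RANGES.items():
        if key not in opts:
            continue
        if key in OBSOLETE:
            findings.add("OBSOLETE_KEYWORD")
        text = opts[key]
        if text.isascii() and text.isdigit() and low <= int(text) <= high:
            valid[key] = int(text)
        else:
            findings.add("TIMEOUT_RANGE")

    # Default is 0 and 0 disables the timeout, so absent means disabled.
    if not any(valid.get(k, 0) > 0 for k in ("timeout-idle", "timeout-min-idle")):
        findings.add("NO_IDLE_TIMEOUT")
    if not any(valid.get(k, 0) > 0
               for k in ("timeout-absolute", "timeout-min-absolute")):
        findings.add("NO_ABSOLUTE_TIMEOUT")
    return sorted(findings)


# Constructed sample lines and reference time (not from a real configuration).
SAMPLE_NOW = datetime(2030, 1, 1)
SAMPLES = [
    "inspector user1 password secretPassword",
    "inspector audit1 encrypted password 0a1b2c3d noecs expiry-date "
    "2031:06:30:23:59 timeout-min-absolute 480 timeout-min-idle 15",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.split()[1], audit_inspector(sample, SAMPLE_NOW))
```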


Example:
The following command creates a context-level inspector account named user1:
inspector user1 password secretPassword
The following command removes a context-level inspector account named user1:
no inspector user1

interface

Creates or deletes an interface or specifies an existing interface. By identifying an interface, the mode changes to configure this interface in the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
interface name [ broadcast | loopback | point-to-point | tunnel ]
no interface name

no

Indicates the interface specified is to be removed.

name

Specifies the name of the interface to configure. If name does not refer to an existing interface, the new interface is created if resources allow. name is an alphanumeric string of 1 through 79 characters.

broadcast

Creates an Ethernet broadcast (IP) interface and enters the Ethernet Configuration Mode. Default: Enabled

IMPORTANT:

Refer to the Ethernet Interface Configuration Mode Command chapter for more information.

loopback

Creates an internal IP address that is always UP, is not bound to any physical card/port, and can be reached by any interface configured in the current context. As a loopback interface uses all available physical ports, this type of interface is particularly useful for load-balancing. The interface must be configured for loopback when configuring Interchassis Session Recovery (ICSR). A total of 256 loopback interfaces can be configured. Default: Disabled

This loopback option is not used to set up a diagnostic test port, so it should not be confused with the loopback option used in the various card/port configuration modes.

IMPORTANT:

Refer to the Loopback Interface Configuration Mode Command chapter for more information.

point-to-point

Creates a permanent virtual connection (PVC) in the current context and enters the PVC Configuration Mode. Currently, this type of interface is only used with an optical (ATM) line card.

IMPORTANT:

Refer to the PVC Interface Configuration Mode Command chapter for more information.

tunnel

Creates a tunnel interface to support the various tunnel interfaces. Currently only IPv6-over-IPv4 and GRE tunnel interfaces are supported.

IMPORTANT:

Refer to the Tunnel Interface Configuration Mode Commands chapter for more information.


Usage:

Use this command to enter or create the interface configuration mode for an existing interface or for a newly defined interface. This command is also used to remove an existing interface when it is no longer needed.

IMPORTANT:

If no keyword is specified, broadcast is assumed and the interface is Ethernet by default.

For IPv6-over-IPv4 or GRE tunneling, you need to specify the interface type as tunnel.


Example:
The following command enters the Ethernet Interface Configuration Mode, creating the interface sampleInterface if necessary:
interface sampleInterface
The following command removes sampleInterface as a defined interface:
no interface sampleInterface

The following command enters the Tunnel Interface Configuration Mode creating the interface GRE_tunnel1, if necessary:

interface GRE_tunnel1 tunnel

ip access-group

Configures an access group with an Access Control List (ACL) for IP traffic for the current context. The Context-level ACL is applied only to outgoing packets.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ip access-group name [ in | out ] [ priority_value ]
no ip access-group name [ in | out ]

no

Indicates the specified ACL rule is to be removed from the group.

name

Specifies the ACL rule to be added/removed from the group.

In Release 8.1 and later, name is an alphanumeric string of 1 through 47 characters.

In Release 8.0, name is an alphanumeric string of 1 through 79 characters.

IMPORTANT:

Up to eight ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 256-rule limit for the context.

in | out

The in and out keywords are deprecated and are only present for backward compatibility. Context-level ACLs are applied only to outgoing packets.

priority_value

Specifies the priority of the access group. 0 is the highest priority. If priority_value is not specified, the priority is set to 0. priority_value must be an integer from 0 through 4294967295. Default: 0

If access groups in the list have the same priority, the last one entered is used first.


Usage:

Use this command to add IP access lists (refer to the ip access-list command) configured within the same context to an ACL group.

Refer to the Access Control Lists appendix of the System Administration Guide for more information on ACLs.


Example:
The following command adds sampleGroup to the context-level ACL with a priority of 0:
ip access-group sampleGroup 0
ip access-list

Enables creation, configuration or deletion of an IP Access List in the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ip access-list name
{ default | no } ip access-list name
default

Sets the context’s default access control list to that specified by name.

no

Removes the specified access list.

name

Specifies the access list name.

In Release 8.0, name is an alphanumeric string of 1 through 79 characters.

In Release 8.1 and later, name is an alphanumeric string of 1 through 47 characters.

If the named access list does not exist, it is created, and the CLI mode changes to the ACL Configuration Mode, wherein the access list can be configured.

If the named access list already exists, the CLI mode changes to the ACL Configuration Mode, wherein the access list can be reconfigured.


Usage:

Executing this command enters the ACL Configuration Mode in which rules and criteria are defined for the ACL.

IMPORTANT:

A maximum of 64 rules can be configured per ACL. The maximum number of ACLs that can be configured per context is limited by the amount of available memory in the VPN Manager software task; it is typically less than 200.

The no version of this command deletes the ACL.

Refer to the Access Control Lists appendix of the System Administration Guide for more information on ACLs.


Example:
The following command creates an access list named sampleList, and enters the ACL Configuration Mode:
ip access-list sampleList
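The limits and ordering rules stated for ip access-group and ip access-list can be checked before a change is committed. The following is an added example, not part of the original reference or any vendor tooling: it parses `ip access-group` lines using the syntax shown above, applies the limits quoted on this page, and returns the order in which the ACLs would be used. The function name, the sample commands and the per-ACL rule counts are constructed for illustration, and it assumes that re-entering a name replaces the earlier entry.

```python
import re

# Limits quoted from the ip access-group and ip access-list descriptions.
MAX_ACLS_PER_GROUP = 8
MAX_RULES_PER_CONTEXT = 256
MAX_RULES_PER_ACL = 64
MAX_NAME_LEN = 47            # Release 8.1 and later
MAX_PRIORITY = 4294967295

# ip access-group name [ in | out ] [ priority_value ]  /  no ip access-group name
GROUP_RE = re.compile(
    r"^(?P<no>no\s+)?ip\s+access-group\s+(?P<name>\S+)"
    r"(?:\s+(?P<dir>in|out))?(?:\s+(?P<prio>\d+))?$"
)


def audit_access_group(commands, rule_counts):
    """Return (evaluation_order, findings) for one context.

    commands    -- ip access-group lines, in the order they were entered
    rule_counts -- {acl_name: rule_count} for ACLs defined with ip access-list
    """
    applied = {}     # name -> (priority, entry sequence number)
    findings = []
    for seq, line in enumerate(commands):
        m = GROUP_RE.match(line.strip())
        if m is None:
            findings.append(f"unparsed line: {line!r}")
            continue
        name, direction = m["name"], m["dir"]
        if m["no"]:
            applied.pop(name, None)
            continue
        prio = int(m["prio"] or 0)          # priority defaults to 0
        if prio > MAX_PRIORITY or len(name) > MAX_NAME_LEN:
            findings.append(f"{name}: name length or priority out of range")
            continue
        if direction:
            findings.append(f"{name}: {direction!r} is deprecated; context-level "
                            "ACLs are applied to outgoing packets only")
        if name not in rule_counts:
            findings.append(f"{name}: no ip access-list with this name in the context")
        elif rule_counts[name] > MAX_RULES_PER_ACL:
            findings.append(f"{name}: {rule_counts[name]} rules exceeds {MAX_RULES_PER_ACL}")
        applied.pop(name, None)             # assumption: re-entry replaces the entry
        applied[name] = (prio, seq)

    if len(applied) > MAX_ACLS_PER_GROUP:
        findings.append(f"{len(applied)} ACLs applied, limit is {MAX_ACLS_PER_GROUP}")
    total = sum(rule_counts.get(n, 0) for n in applied)
    if total > MAX_RULES_PER_CONTEXT:
        findings.append(f"{total} rules in applied ACLs, limit is {MAX_RULES_PER_CONTEXT}")

    # 0 is the highest priority; on a tie the last one entered is used first.
    order = sorted(applied, key=lambda n: (applied[n][0], -applied[n][1]))
    return order, findings


# Constructed sample input.
SAMPLE_RULE_COUNTS = {"mgmtDeny": 40, "subscriberEgress": 64, "legacyFilter": 64,
                      "bulkRules": 64, "peerFilter": 60}
SAMPLE_COMMANDS = [
    "ip access-group mgmtDeny 10",
    "ip access-group subscriberEgress 0",
    "ip access-group legacyFilter in 0",
    "ip access-group tempBlock 5",
    "no ip access-group tempBlock",
    "ip access-group bulkRules",
    "ip access-group peerFilter 3",
]

if __name__ == "__main__":
    order, findings = audit_access_group(SAMPLE_COMMANDS, SAMPLE_RULE_COUNTS)
    print("evaluation order:", order)
    for finding in findings:
        print("finding:", finding)
```

The deprecated-keyword finding matters most in review: an entry written with `in` does not filter inbound traffic, because the context-level ACL is applied only to outgoing packets.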
ip arp

Configures the allocation retention priority (ARP) options for the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ip arp ip_address mac_address [ vrf vrf_name ]
no ip arp ip_address mac_address
no

Removes the ARP configuration data for the specified IP address from the configuration.

ip_address

Specifies the IP address for which to configure the ARP options where ip_address is an IP address expressed in IPv4 dotted-decimal notation.

mac_address

Specifies the media-specific access control layer address for the IP address. mac_address must be specified as a 6-byte hexadecimal number with each byte separated by a colon, for example, “AA:12:bb:34:f5:0E”.

vrf vrf_name

Associates a Virtual Routing and Forwarding (VRF) context with this static ARP entry.

vrf_name is the name of a preconfigured virtual routing and forwarding (VRF) context configured in Context Configuration Mode via the ip vrf command.


Usage:

Manage the mapping of an IP address, which is a logical/virtual identifier, to the lower-layer addressing used for address resolution in ICMP messages.

For tunnel-based interfaces, a network IP pool can have overlapping IP addresses across VRFs. To manage this, a preconfigured VRF context must be associated with the static ARP entry. By default, the ARP is added in the given context. If the VRF name is specified, then the ARP is added to the VRF ARP table.


Example:
The following commands set the IP and MAC address for the current context then remove it from the configuration:
ip arp 10.2.3.4 F1:E2:D4:C5:B6:A7  
no ip arp 10.2.3.4 

The following command sets the IP and MAC address for a VRF context vrf1 in the configuration:

ip arp 10.2.3.4 F1:E2:D4:C5:B6:A7 vrf vrf1
ip as-path access-list

Defines Border Gateway Protocol (BGP) Autonomous System (AS) Path access lists.

Platform:

ASR 5000

Product:

HA


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip as-path access-list list_name [ { deny | permit } reg_expr ]
no

Remove the specified regular expression from the AS path access list.

list_name

Specifies the name of an AS path list as an alphanumeric string of 1 through 79 characters.

{ deny | permit }

deny: Denies access to AS paths that match the regular expression.

permit: Allows access to AS paths that match the regular expression.

reg_expr

A regular expression to define the AS paths to match. reg_expr is an alphanumeric string of 1 through 254 characters.

IMPORTANT:

The ? (question mark) character is not supported in regular expressions for this command.


Usage:

Use this command to define AS path access lists for the BGP router in the current context. The chassis supports a maximum of 64 access lists per context.


Example:
The following command creates an AS access list named ASlist1 and permits access to AS paths:
ip as-path access-list ASlist1 permit
ip dns-proxy source-address

Enables the proxy DNS functionality and identifies this context as the destination context for all redirected DNS requests.

IMPORTANT:

This command must be entered in the destination context for the subscriber. If there are multiple destination contexts for different subscribers, the command must be entered in each context.

Platform:

ASR 5000

Product:

HA


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip dns-proxy source-address ip_address
no

Removes the address in this context as a destination for redirected DNS packets.

ip_address

Specifies an interface in this context used for redirected DNS packets. ip_address must be entered using IPv4 dotted-decimal notation.


Usage:

Use this command to identify the interface in this context where redirected DNS packets are sent to the home DNS. The system uses this address as the source address of the DNS packets when forwarding the intercepted DNS request to the home DNS server. For a more detailed explanation of the proxy DNS intercept feature, see the proxy-dns intercept-list command.


Example:
The following command identifies an interface with an address of 10.23.255.255 in a destination context where the system forwards all intercepted DNS requests:
ip dns-proxy source-address 10.23.255.255
ip domain-lookup

Enables or disables domain name lookup via domain name servers for the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ip domain-lookup
no ip domain-lookup
no

Disables domain name lookup.


Usage:

Domain name lookup is necessary if the subscribers configured for the context are to be allowed to use logical host names for services, which requires host name resolution via DNS.


Example:
ip domain-lookup
no ip domain-lookup
ip domain-name

Configures or removes a logical domain name for the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip domain-name name
no

Indicates the logical domain name for the current context is to be removed.

name

Specifies the logical domain name to use for domain name server address resolution. name is an alphanumeric string of 1 through 1023 characters formatted to be a valid IP domain name.


Usage:

Set a logical domain name if the context is to be accessed by logical domain name in addition to direct IP address.


Example:
ip domain-name sampleName.org
ip forward

Configures an IP forwarding policy to forward outgoing pool packets whose flow lookup fails to the default-gateway.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip forward outbound unused-pool-dest-address default-gateway
no

Disables forwarding to the default gateway.

outbound unused-pool-dest-address default-gateway

Enables forwarding to the default gateway.


Usage:

Use this command to set an IP forwarding policy that forwards outgoing pool packets whose flow lookup fails to the default gateway. By default, the behavior is to either send an ICMP Unreachable message or to discard the packet depending on the configuration of the IP pool.

Pool packets coming from the linecard or MIO card whose flow lookup fails are discarded or ICMP unreachable is sent irrespective of whether this command is configured or not.


Example:
To enable this functionality, enter the following command:
ip forward outbound unused-pool-dest-address default-gateway
To disable this functionality, enter the following command:
no ip forward outbound unused-pool-dest-address default-gateway
ip identification packet-size-threshold

Configures the packet size above which the system assigns a unique IP header identification.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
ip identification packet-size-threshold size
default ip identification packet-size-threshold
default

Restores default value of 576 bytes to IP packet size for fragmentation threshold.

size

Specifies the size of IP packet in bytes above which system will assign unique IP header identification for system generated IP encapsulation headers (such as MIP data tunnel). size is an integer from 0 through 2000. Default: 576


Usage:

This configuration is used to set the upper limit of the IP packet size. All packets above that size limit are considered “fragmentable”, and a unique non-zero identifier is assigned.


Example:
The following command sets the IP packet size threshold to 1024 bytes. Above this limit, the system assigns a unique IP header identification for system-generated IP encapsulation headers:
ip identification packet-size-threshold 1023
ip igmp profile

Configures an Internet Group Management Protocol (IGMP) profile and moves to the IGMP Profile Configuration mode.

Platform:

ASR 5000

Product:

PDSN, GGSN, SDSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip igmp profile name
no

Removes the specified IGMP profile.

name

Specifies the name of an IGMP profile as an alphanumeric string of 1 through 63 characters. If this is not the name of an existing profile, you are prompted to create the new profile.


Usage:

Configure an existing IGMP profile or create a new one. When this command is executed, you are moved to the IGMP Profile Configuration mode. For additional information, refer to the IGMP Profile Configuration Mode Commands chapter.


Example:
ip igmp profile default 
ip localhost

Configures or removes the static local host logical name to IP address mapping for the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip localhost name ip_address
no

Specifies that the static mapping must be removed.

name

Specifies the logical host name (DNS) for the local machine on which the current context resides. name is an alphanumeric string of 1 through 1023 characters formatted to be a valid IP host name.

ip_address

Specifies the IP address for the static mapping. ip_address must be expressed in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.


Usage:

Avoid excessive DNS lookups across the network by statically mapping the logical host name to the local host’s context.


Example:
ip localhost localHostName 10.2.3.4
no ip localhost localHostName 10.2.3.4
ip name-servers

Modifies the list of domain name servers the current context may use for logical host name resolution.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ip name-servers ip_address secondary_ip_address
no ip name-servers ip_address
no

Indicates the name server specified is to be removed from the list of name servers for the current context.

ip_address

Specifies the IP address of a domain name server using IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

secondary_ip_address

Specifies the IP address of a secondary domain name server using either IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.


Usage:

Manage the list of name servers the current context may use in resolving logical host names.

The DNS can be specified at the context level in Context Configuration Mode as well as at the APN level in APN Configuration Mode with the dns and ipv6 dns commands, or it can be received from the AAA server.

When DNS is requested in PCO configuration, the following preference will be followed for DNS value:

  1. DNS values received from LNS have the first preference.
  2. DNS values received from the RADIUS server have the second preference.
  3. DNS values locally configured with the APN using the dns and ipv6 dns commands have the third preference.
  4. DNS values configured at the context level have the last preference.

IMPORTANT:

The same preference would be applicable for the NBNS servers to be negotiated via ICPC with the LNS.


Example:
ip name-servers 10.2.3.4
ip pool

Enables creation, configuration or deletion of IP address pools in the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ip pool pool_name { ip_address subnet_mask | ip_address_mask_combo | range start_ip_address end_ip_address } [ address-hold-timer address_hold_timer ] [ advertise-if-used ] [ alert-threshold [ group-available | pool-free | pool-hold | pool-release | pool-used ] low_thresh [ clear high_thresh ] ] [ explicit-route-advertise ] [ group-name group_name ] [ include-nw-bcast ] [ napt-users-per-ip-address users_per_ip [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ max-chunks-per-user max_chunks_per_user [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ port-chunk-size port_chunk_size ] [ port-chunk-threshold port_chunk_threshold ] [ send-nat-binding-update ] + ] [ nat priority ] [ nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ send-nat-binding-update ] + ] [ nat-realm users-per-nat-ip-address users [ on-demand [ address-hold-timer address_hold_timer ] ] ] [ nexthop-forwarding-address ip_address [ overlap vlanid vlan_id ] [ respond-icmp-echo ip_address ] ] [ nw-reachability server server_name ] [ policy allow-static-allocation ] [ private priority ] [ public priority ] [ resource priority ] [ send-icmp-dest-unreachable ] [ srp-activate ] [ static ] [ suppress-switchover-arps ] [ tag { none | pdif-setup-addr } ] [ unicast-gratuitous-arp-address ip_address ] [ vrf vrf_name { [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] } ] +
no ip pool pool_name [ address-hold-timer ] [ advertise-if-used ] [ alert-threshold [ [ group-available ] [ pool-free ] [ pool-hold ] [ pool-release ] [ pool-used ] + ] [ explicit-route-advertise ] [ group-name ] [ include-nw-bcast ] [ nexthop-forwarding-address [ respond-icmp-echo ] ] [ nw-reachability server ] [ policy allow-static-allocation ] [ send-icmp-dest-unreachable ] [ srp-activate ] [ suppress-switchover-arps ] [ tag { none | pdif-setup-addr } ] [ unicast-gratuitous-arp-address ] + [ send-nat-binding-update ]
no

Removes the specified IP address pool from the current context’s configuration, or disables the specified option(s) for the specified IP pool.

no alert-threshold

This command without any optional keywords disables all alert thresholds.

name

Specifies the logical name of the IP address pool. name must be an alphanumeric string of 1 through 31 characters.

IMPORTANT:

An error message displays if the ip pool name and the group name in the configuration are the same. An error message displays if the ip pool name or group name are already used in the context.

ip_address

Specifies the beginning IP address of the IP address pool using IPv4 dotted-decimal.

subnet_mask

Specifies the IP address mask bits to determine the number of IP addresses in the pool. ip_mask must be specified using IPv4 dotted-decimal notation.

1 bits in the ip_mask indicate that bit position in the ip_address must also have a value of 1.

0 bits in the ip_mask indicate that bit position in the ip_address does not need to match – the bit can be either a 0 or a 1.

For example, if the IP address and mask are specified as 172.168.10.0 and 255.255.255.224, respectively, the pool will contain IP addresses in the range 172.168.10.0 through 172.168.10.31 for a total of 32 addresses.

ip_address_mask_combo

Specifies a combined IP address subnet mask bits to indicate what IP addresses the route applies to. ip_address_mask_combo must be specified using CIDR notation where the IP address is specified using IPv4 dotted-decimal notation and the mask bits are a numeric value which is the number of bits in the subnet mask.

range start_ip_address end_ip_address

Specifies the IP addresses for the IP pool as a range of addresses.

start_ip_address specifies the beginning of the range of addresses for the IP pool.

end_ip_address specifies the end of the range of addresses for the IP pool.

The IP address range must be specified using IPv4 dotted-decimal notation.

For example, if start_ip_address is specified as 172.168.10.0 and end_ip_address is specified as 172.168.10.31 the IP pool will contain addresses in the range 172.168.10.0 through 172.168.10.31 for a total of 32 addresses.
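The three ways of giving a pool's addresses (address plus mask, CIDR, and range) describe the same kind of span, which makes accidental overlap between pools easy to miss in review. The following is an added example, not part of the original reference: it resolves each form to its first and last address and lists pool pairs that share addresses. The function names and sample commands are constructed, and treating `overlap`, `resource` and `vrf` as the keywords that make shared addresses intentional is an assumption drawn from this page's descriptions of those keywords.

```python
import ipaddress
from itertools import combinations

# Keywords this page associates with pools that may legitimately share addresses
# (assumption: a pair is acceptable only if both pools carry one of them).
OVERLAP_KEYWORDS = {"overlap", "resource", "vrf"}


def parse_pool(command):
    """Resolve one ip pool command to its address span.

    Accepts the three forms from the syntax: ip_address subnet_mask,
    ip_address_mask_combo (CIDR), and range start_ip_address end_ip_address.
    Raises ValueError for malformed addresses, masks or reversed ranges.
    """
    tokens = command.split()
    if tokens[:2] != ["ip", "pool"] or len(tokens) < 4:
        raise ValueError(f"not an ip pool command: {command!r}")
    name, spec = tokens[2], tokens[3:]
    if spec[0] == "range":
        if len(spec) < 3:
            raise ValueError(f"{name}: range needs a start and an end address")
        first = ipaddress.IPv4Address(spec[1])
        last = ipaddress.IPv4Address(spec[2])
        options = spec[3:]
        if first > last:
            raise ValueError(f"{name}: range start is above range end")
    else:
        if "/" in spec[0]:                       # CIDR form
            text, options = spec[0], spec[1:]
        else:                                    # address followed by dotted mask
            if len(spec) < 2:
                raise ValueError(f"{name}: missing subnet mask")
            text, options = f"{spec[0]}/{spec[1]}", spec[2:]
        net = ipaddress.IPv4Network(text, strict=False)
        first, last = net.network_address, net.broadcast_address
    return {
        "name": name,
        "first": first,
        "last": last,
        # Size of the span as the page counts it (network and broadcast included).
        "count": int(last) - int(first) + 1,
        "overlap_ok": bool(OVERLAP_KEYWORDS & set(options)),
    }


def find_conflicts(commands):
    """Return (pool_a, pool_b) pairs whose spans intersect without both pools
    carrying one of OVERLAP_KEYWORDS."""
    pools = [parse_pool(c) for c in commands]
    conflicts = []
    for a, b in combinations(pools, 2):
        intersects = a["first"] <= b["last"] and b["first"] <= a["last"]
        if intersects and not (a["overlap_ok"] and b["overlap_ok"]):
            conflicts.append((a["name"], b["name"]))
    return conflicts


# Constructed sample configuration lines.
SAMPLE_POOLS = [
    "ip pool poolA 172.168.10.0 255.255.255.224 public 0",
    "ip pool poolB 172.168.10.16/28 private 0",
    "ip pool poolC range 172.168.10.32 172.168.10.63 static",
    "ip pool corpA 10.10.0.0/24 private 0 nexthop-forwarding-address 192.168.1.1 overlap vlanid 100",
    "ip pool corpB 10.10.0.0/24 private 0 nexthop-forwarding-address 192.168.2.1 overlap vlanid 200",
]

if __name__ == "__main__":
    for line in SAMPLE_POOLS:
        p = parse_pool(line)
        print(f"{p['name']}: {p['first']} - {p['last']} ({p['count']} addresses)")
    print("conflicts:", find_conflicts(SAMPLE_POOLS))
```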

private [ priority ]

Address pool may only be used by mobile stations which have requested an IP address from a specified pool. When private pools are part of an IP pool group, they are used in a priority order according to the precedence setting. priority must be an integer from 0 through 10 with 0 being the highest priority. The default value is 0.

public [ priority ]

Address pool is used in priority order for assigning IP addresses to mobile stations which have not requested a specific address pool. priority must be an integer from 0 through 10 with 0 being the highest priority. The default value is 0.

static

Address pool is used for statically assigned mobile stations. Statically assigned mobile stations are those with a fixed IP address at all times.

tag { none | pdif-setup-addr }

Default: none

none: default tag for all IP address pools

pdif-setup-addr: pool with this tag should only be used for PDIF calls.

address-hold-timer seconds

When this is enabled, and an active subscriber is disconnected, the IP address is held or considered still in use, and is not returned to the free state until the address-hold-timer expires. This enables subscribers who reconnect within the length of time specified (in seconds) to obtain the same IP address from the IP pool.

seconds is the time in seconds and must be an integer from 0 through 31556926.

alert-threshold { group-available | pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ]

Default: All thresholds are disabled.

Configures IP address pool-level utilization thresholds. These thresholds take precedence over context-level IP pool thresholds.

group-available: Set an alert based on the available percentage of IP addresses for the entire IP pool group.

pool-free: Set an alert based on the percentage of IP addresses that are unassigned in this IP pool.

pool-hold: Set an alert based on the percentage of IP addresses from this IP pool that are on hold.

pool-release: Set an alert based on the percentage of IP addresses from this IP pool that are in the release state.

pool-used: This command sets an alert based on the percentage of IP addresses that have been assigned from this IP pool.

IMPORTANT:

Refer to the threshold available-ip-pool-group and threshold monitoring commands in this chapter for additional information on IP pool utilization thresholding.

low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured as an integer between 0 and 100.

clear high_thresh: The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. It may be configured as an integer between 0 and 100.

IMPORTANT:

This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.

group-name group_name

Assigns one or more preconfigured IP pools to the IP pool group. group_name is case sensitive and must be an alphanumeric string of 1 through 31 characters. One or more IP pool groups are assigned to a context, and one IP pool group consists of one or more IP pools.

IP pool group name is used in place of an IP pool name. When specifying a desired pool group in a configuration the IP pool with the highest precedence is used first. When that IP pool’s addresses are exhausted the pool with the next highest precedence is used.

include-nw-bcast

Includes the network and broadcast addresses as part of the pool.

To remove the include-nw-bcast option from the ip pool, use the no ip pool test include-nw-bcast command.

napt-users-per-ip-address users_per_ip [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ max-chunks-per-user max_chunks_per_user [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ port-chunk-size port_chunk_size ] [ port-chunk-threshold port_chunk_threshold ] [ send-nat-binding-update ] +

IMPORTANT:

In UMTS deployments this keyword is available in 9.0 and later releases. In CDMA deployments this keyword is available in 8.3 and later releases.

IMPORTANT:

In UMTS deployments, on upgrading from Release 8.1 to Release 9.0, and in CDMA deployments, on upgrading from Release 8.1 to 8.3, all NAT realms configured in Release 8.1 using the nat-realm keyword must be reconfigured using either the nat-one-to-one (for one-to-one NAT realms) or the napt-users-per-ip-address (for many-to-one NAT realms) keywords.

Configures many-to-one NAT realms.

  • users_per_ip: Specifies how many users can share a single NAT IP address as an integer from 2 through 2016.
  • alert-threshold: Specifies the alert threshold for the pool:

IMPORTANT:

Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in that context, and override the threshold configurations set within individual pools.

  • pool-free: Percentage free alert threshold for this pool
  • pool-hold: Percentage hold alert threshold for this pool
  • pool-release: Percentage released alert threshold for this pool
  • pool-used: Percentage used alert threshold for this pool
  • low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. low_thresh must be an integer from 0 through 100.
  • clear high_thresh: The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. high_thresh must be an integer from 0 through 100.

IMPORTANT:

The high_thresh value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.

  • max-chunks-per-user max_chunks_per_user: Specifies the maximum number of port chunks to be allocated per subscriber in the many-to-one NAT pool. max_chunks_per_user must be an integer from 1 through 2016. Default: 1
  • nat-binding-timer binding_timer: Specifies NAT Binding Timer for the NAT pool. binding_timer must be an integer from 0 through 31556926. If set to 0, it is disabled. Default: 0
  • nexthop-forwarding-address address: Specifies the nexthop forwarding address for this pool. address must be an IPv4 or IPv6 address. If configured for a NAT pool, packets that are NATed using that NAT pool will be routed based on the configured nexthop address.

IMPORTANT:

The nexthop-forwarding-address support for NAT IP pools is functional only in later releases of Release 9.0 and in 10.0 and later releases.

  • on-demand: Specifies allocating IP when matching data traffic begins.
  • port-chunk-size size: Specifies NAT port chunk size (number of NAT ports per chunk) for many-to-one NAT pool. size must be an integer from 32 through 32256.

IMPORTANT:

The port-chunk-size configuration is only available for many-to-one NAT pools.

  • port-chunk-threshold chunk_threshold: Specifies NAT port chunk threshold in percentage of number of chunks for many-to-one NAT pool. chunk_threshold must be an integer from 1 through 100. Default: 100%

IMPORTANT:

The port-chunk-threshold configuration is only available for many-to-one NAT pools.

  • send-nat-binding-update: Specifies sending NAT binding updates to AAA for this realm. Default: Disabled

IMPORTANT:

send-nat-binding-update is not supported for many-to-one realms.

The following IP pool configuration keywords can also be used in the many-to-one NAT pool configuration:
  • group-name group_name: Specifies the pool group name. The grouping enables binding discontiguous IP address blocks in individual NAT IP pools to a single pool group. This keyword is available for NAT pool configuration only in Release 10.0 and later. NAT pool and NAT pool group names must be unique. group_name is an alphanumeric string of 1 through 31 characters that is case sensitive.
  • srp-activate: Activates the IP pool for Interchassis Session Recovery (ICSR).

nat priority

Designates the IP address pool as a Network Address Translation (NAT) address pool.

priority specifies the priority of the NAT pool. 0 is the highest priority. If priority is not specified, the priority is set to 0.

Must be a value from 0 (default) to 10.

IMPORTANT:

This functionality is currently supported for use with systems configured as an A-BG or P-CSCF.

nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ send-nat-binding-update ] +

IMPORTANT:

In UMTS deployments this keyword is available in Release 9.0 and later releases. In CDMA deployments this keyword is available in Release 8.3 and later releases.

IMPORTANT:

In UMTS deployments, on upgrading from Release 8.1 to Release 9.0, and in CDMA deployments, on upgrading from Release 8.1 to Release 8.3, all NAT realms configured in Release 8.1 using the nat-realm keyword must be reconfigured using either the nat-one-to-one (for one-to-one NAT realms) or the napt-users-per-ip-address (for many-to-one NAT realms) keywords.

Configures one-to-one NAT realm.

  • alert-threshold: Specifies alert threshold for this pool:

IMPORTANT:

Thresholds configured using the alert-threshold keyword are specific to the pool in which they are configured. Thresholds configured using the threshold ip-pool * commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.

  • pool-free: Percentage free alert threshold for this pool
  • pool-hold: Percentage hold alert threshold for this pool
  • pool-release: Percentage released alert threshold for this pool
  • pool-used: Percentage used alert threshold for this pool
  • low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. low_thresh must be an integer from 0 through 100.
  • clear high_thresh: The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. high_thresh must be an integer from 0 through 100.

IMPORTANT:

The high_thresh value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.

  • nat-binding-timer nat_binding_timer: Specifies NAT Binding Timer for the NAT pool. nat_binding_timer must be an integer from 0 through 31556926. If set to 0, it is disabled.

IMPORTANT:

For many-to-one NAT pools, the default NAT Binding Timer value is 60 seconds. For one-to-one NAT pools, it is 0. By default, the feature is disabled: the IP addresses/port-chunks, once allocated, will never be freed.

  • nexthop-forwarding-address ip_address: Specifies the nexthop forwarding address for this pool. ip_address must be an IPv4 or IPv6 address. If configured for a NAT pool, packets that are NATed using that NAT pool will be routed based on the configured nexthop address.

IMPORTANT:

The nexthop-forwarding-address support for NAT IP pools is functional only in later releases of Release 9.0 and in Release 10.0 and later releases.

  • on-demand: Specifies allocating IP address when matching data traffic begins.
  • send-nat-binding-update: Specifies sending NAT binding updates to AAA for this realm. Default: Disabled

IMPORTANT:

send-nat-binding-update is not supported for many-to-one realms.

The following IP pool configuration keywords can also be used in the one-to-one NAT pool configurations:

  • address-hold-timer address_hold_timer
  • group-name group_name: Specifies the pool group name. The grouping enables binding discontiguous IP address blocks in individual NAT IP pools to a single pool group. NAT pool and NAT pool group names must be unique. group_name is an alphanumeric string of 1 through 31 characters that is case sensitive. This keyword is available for NAT pool configuration only in StarOS 10.0 and later releases.
  • srp-activate: Activates the IP pool for Interchassis Session Recovery (ICSR).
nat-realm users-per-nat-ip-address users [ on-demand [ address-hold-timer address_hold_timer ] ]

IMPORTANT:

The nat-realm keyword is only available in Release 8.1.

IMPORTANT:

In Release 8.1, the NAT On-demand feature is not supported.

IMPORTANT:

This functionality is currently supported for use with systems configured as an A-BG or P-CSCF.

Designates the IP address pool as a Network Address Translation (NAT) realm pool.

users-per-nat-ip-address users: Specifies the number of users sharing a single NAT IP address as an integer from 1 through 5000.

on-demand: Specifies to allocate IP when matching data traffic begins.

address-hold-timer address_hold_timer: Specifies the address hold timer (in seconds) for this pool as an integer from 0 through 31556926. If set to 0, the address hold timer is disabled.

nexthop-forwarding-address ip_address

A subscriber that is assigned an IP address from this pool is forwarded to the next hop gateway with the specified IP address.

overlap vlanid vlan_id

When a nexthop forwarding address is configured, this keyword can be configured to enable over-lapping IP address pool support and associates the pool with the specified virtual LAN (VLAN). vlan_id is the identification number of a VLAN assigned to a physical port and can be configured to any integer from 1 through 4095.

For more information on configuring VLANs, refer to the System Administration Guide.

IMPORTANT:

This functionality is currently supported for use with systems configured as an HA, or as a PDSN for Simple IP, or as a GGSN. This keyword can only be issued for pools of type private or static and must be associated with a different nexthop forwarding address and VLAN. A maximum of 256 over-lapping pools can be configured per context and a maximum of 256 over-lapping pools can be configured per HA or simple IP PDSN. For GGSNs, the total number of pools is limited by the number of VLANs defined but the maximum number per context is 256. Additional network considerations and configuration outside of the system may be required.

nw-reachability server server_name

Binds the name of a configured network reachability server to the IP pool and enables network reachability detection for the IP pool. This takes precedence over any network reachability server settings in a subscriber configuration.

server_name: Specifies the name of a network reachable server that has been defined in the current context, expressed as an alphanumeric string of 1 through 16 characters.

IMPORTANT:

Also see the following commands for more information:

  • Refer to the policy nw-reachability-fail command in the HA Configuration Mode to configure the action that should be taken when network reachability fails.
  • Refer to the nw-reachability server command in this chapter to configure network reachability servers.
  • Refer to the nw-reachability-server command in the Subscriber Configuration Mode to bind a network reachability server to a specific subscriber.

respond-icmp-echo ip_address

Pings the first IP address from overlapping IP address pools.

IMPORTANT:

In order for this functionality to work, all of the pools should contain an initial IP address that can be pinged.

resource

Specifies this IP pool as a resource pool. Resource pools may contain IP addresses that also exist in other resource pools. IP addresses from a resource pool should not be used for IP connectivity within the system where the pool is defined. These IP addresses should be allocated for sessions that are L3 tunneled through the system (IP-in-IP or GRE). It is possible for resource pools in the same context to have overlapping addresses when the terminating network elements for the L3 tunnels are in different VPNs. Default: Disabled

Also refer to the Subscriber Configuration Mode Commands chapter for a description of the l3-to-l2-tunnel address-policy command.

send-icmp-dest-unreachable

When enabled, this generates an ICMP destination unreachable PDU when the system receives a PDU destined for an unused address within the pool. Default: Disabled

explicit-route-advertise

When enabled, the output of show ip pool verbose includes the total number of explicit host routes. Default: Enabled

srp-activate

Activates the IP pool for Interchassis Session Recovery (ICSR).

suppress-switchover-arp

Suppress corresponding gratuitous ARP generation when a line card or MIO card switchover occurs. Default: Disabled

unicast-gratuitous-arp-address ip_address

Perform a unicast gratuitous ARP to the specified IP address rather than broadcast gratuitous ARP when gratuitous ARP generation is required. Default: Perform broadcast gratuitous ARP.

vrf vrf_name { [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] }

Associates a preconfigured Virtual Routing and Forwarding (VRF) context instance with this IP pool and configures the MPLS label parameters, such as the In and Out label values.

IMPORTANT:

This command must be used with next-hop parameters.

vrf_name is the name of a preconfigured virtual routing and forwarding (VRF) context configured in Context Configuration Mode through the ip vrf command.

  • in_label_value is the MPLS label that identifies the inbound traffic destined for this pool.
  • out_label_value1 and out_label_value2 identify the MPLS labels to be added to the outgoing packets sent for a subscriber from this pool, where out_label_value1 is the inner output label and out_label_value2 is the outer output label.

MPLS label values must be an integer from 16 through 1048575.

By default, the pools configured are bound to the default VRF unless specified with a VRF name.

IMPORTANT:

You cannot have overlapping pool addresses using the same VRF. Also, you cannot have two pools using different VRFs but the same in-label, irrespective of whether the pools are overlapping or not. The pool must be a private or static pool in order to be associated with a certain VRF. If a VRF with the specified name is not configured, the pool configuration returns an error prompting you to add the VRF before configuring the pool.
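The VRF binding rules for IP pools stated above can be checked offline against a planned configuration before it is applied. The following Python sketch is an added example, not ASR 5000 code: Pool, lint_pools and the sample pools are hypothetical and constructed for illustration, and pools left in the default VRF are skipped because the page permits overlap there through the overlap and resource keywords.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, List, Optional, Tuple

LABEL_MIN, LABEL_MAX = 16, 1048575      # MPLS label range given on the page


@dataclass(frozen=True)
class Pool:
    """Hypothetical record of one 'ip pool' definition (not a device data model)."""
    name: str
    network: str                        # CIDR text, e.g. "10.10.0.0/24"
    pool_type: str                      # private, public, static, ...
    vrf: Optional[str] = None           # None = bound to the default VRF
    in_label: Optional[int] = None
    out_labels: Tuple[int, ...] = ()    # (inner,) or (inner, outer)


def lint_pools(pools: List[Pool], configured_vrfs: Iterable[str]) -> List[str]:
    """Return one finding per violation of the VRF rules stated on the page."""
    known = set(configured_vrfs)
    findings: List[str] = []

    # Per-pool rules: VRF must exist, type must be private/static, labels in range.
    for p in pools:
        if p.vrf is None:
            continue
        if p.vrf not in known:
            findings.append(f"{p.name}: VRF '{p.vrf}' is not configured")
        if p.pool_type not in ("private", "static"):
            findings.append(f"{p.name}: type '{p.pool_type}' cannot be bound to a VRF")
        labels = (() if p.in_label is None else (p.in_label,)) + p.out_labels
        for label in labels:
            if not LABEL_MIN <= label <= LABEL_MAX:
                findings.append(
                    f"{p.name}: MPLS label {label} outside {LABEL_MIN}-{LABEL_MAX}")

    # Pairwise rules: no address overlap inside one VRF, no in-label shared
    # between two different VRFs (overlapping or not).
    for a, b in combinations(pools, 2):
        if a.vrf is None or b.vrf is None:
            continue
        if a.vrf == b.vrf:
            net_a = ipaddress.ip_network(a.network)
            net_b = ipaddress.ip_network(b.network)
            if net_a.overlaps(net_b):
                findings.append(
                    f"{a.name}/{b.name}: overlapping addresses in VRF '{a.vrf}'")
        elif a.in_label is not None and a.in_label == b.in_label:
            findings.append(
                f"{a.name}/{b.name}: in-label {a.in_label} reused across VRFs")
    return findings


# Constructed sample configuration (not taken from a real system).
SAMPLE_VRFS = ["vrf1", "vrf2"]
SAMPLE_POOLS = [
    Pool("poolA", "10.10.0.0/24", "private", "vrf1", 100, (200,)),
    Pool("poolB", "10.10.0.128/25", "static", "vrf1", 101),   # overlaps poolA
    Pool("poolC", "10.10.0.0/24", "private", "vrf2", 100),    # reuses in-label 100
    Pool("poolD", "172.16.0.0/24", "public", "vrf2", 102),    # wrong pool type
    Pool("poolE", "192.168.5.0/24", "static", "vrf3", 15),    # unknown VRF, bad label
    Pool("poolF", "10.10.0.0/24", "private"),                 # default VRF, skipped
]

if __name__ == "__main__":
    for finding in lint_pools(SAMPLE_POOLS, SAMPLE_VRFS):
        print(finding)
```

poolA and poolC share the same address range without a finding for overlap, because they sit in different VRFs; the shared in-label is what gets flagged.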

policy allow-static-allocation

Configures the static address allocation policy for a dynamic IP pool. This keyword enables a dynamic IP pool to accept a static address for allocation.

IMPORTANT:

In a static allocation scenario, the pool group name is returned by AAA in the attribute SN1-IP-Pool-Name, and the IP address to use is returned in the Framed-IP-Address attribute.

+

Indicates that more than one of the previous keywords can be entered within a single command.


Usage:

Define one or more pools of IP addresses for the context to use in assigning IPs to mobile stations. This command is also useful in resizing existing IP pools to expand or contract the number of addresses allocated. If you resize an IP pool, the change is effective immediately.

When using the ip pool command to resize an IP pool, the type must be specified since by default the command assumes the type as public. In other words, the CLI syntax to resize an IP pool is the same syntax used to create the pool. See examples below.
ip pool pool1 100.1.1.0/24 static
The syntax to resize that pool would be:
ip pool pool1 100.1.1.0/25 static

A pool which is deleted will be marked as such. No new IP addresses will be assigned from a deleted pool. Once all assigned IP addresses from a deleted pool have been released, the pool, and all associated resources, are freed.

IMPORTANT:

If an IP address pool is matched to an ISAKMP crypto map and is resized, removed, or added, the corresponding security association must be cleared in order for the change to take effect. Refer to the clear crypto command in the Exec mode for information on clearing security associations.

Over-lapping IP Pools: The system supports the configuration of over-lapping IP address pools within a particular context. Over-lapping pools are configured using either the resource or overlap keywords.

The resource keyword allows over-lapping addresses tunneled to different VPN end points.

The overlap keyword allows over-lapping addresses each associated with a specific virtual LAN (VLAN) configured for an egress port. It uses the VLAN ID and the nexthop address to determine how to forward subscriber traffic with addresses from the pool thus resolving any conflicts with overlapping addresses.

Note that if an overlapping IP Pool is bound to an IPSec Tunnel (refer to the match ip pool command in the Crypto Group Configuration Mode chapter), that tunnel carries the traffic ignoring the nexthop configuration. Therefore, the IPSec Tunnel takes precedence over the nexthop configuration. (Thus, one can configure the overlapping IP Pool with a fake VLAN ID and nexthop and still be able to bind it to an IPSec Tunnel for successful operation.)

The overlap keyword, which allows over-lapping addresses each associated with a specific VLAN, can only be issued for pools of type private or static, and each pool must be associated with a different nexthop forwarding address and VLAN. A maximum of 128 over-lapping pools can be configured per context and a maximum of 256 over-lapping pools can be configured per system.

IMPORTANT:

Overlapping IP address functionality is currently supported for use with systems configured as an HA for Mobile IP, or as a PDSN for Simple IP, or as a GGSN. For deployments in which subscriber traffic is tunneled from the FA to the HA using IP-in-IP, a separate HA service must be configured for each over-lapping pool.

IP Pool Address Assignment Method: IP addresses can be dynamically assigned from a single pool or from a group of pools. The addresses are placed into a queue in each pool. An address is assigned from the head of the queue and, when released, returned to the end. This method is known as least recently used (LRU).

When a group of pools have the same priority, an algorithm is used to determine a probability for each pool based on the number of available addresses, then a pool is chosen based on the probability. This method, over time, allocates addresses evenly from the group of pools.

IMPORTANT:

Note that setting different priorities on each individual pool in a group can cause addresses in some pools to be used more frequently.

IMPORTANT:

In NAT IP pool configurations, the minimum number of public IP addresses that must be allocated to each NAT pool must be greater than or equal to the number of Session Managers (SessMgrs) available on the system. On the ASR 5000, it is >= 84 public IP addresses. This can be met by a range of 84 host addresses from a single Class C. The remaining space from the Class C can be used for other allocations.


Example:
The following commands define a private IP address pool, a public IP address pool, and a static address pool, respectively.
ip pool samplePool1 1.2.3.0 255.255.255.0 private
ip pool samplePool2 1.3.0.0 255.255.0.0 public
ip pool samplePool3 1.4.5.0 255.255.255.0 static
The following command defines a private IP pool specified with a range of IP addresses. The pool has 101 addresses.
ip pool samplePool4 range 10.5.5.0 10.5.5.100 private
The following command sets the address hold timer on the pool to 60 minutes (3600 seconds):
ip pool samplePool4 address-hold-timer 3600
The following command removes the IP address pool from the configuration:
no ip pool samplePool1
The following command creates a static IP pool:
ip pool pool1 100.1.1.0/24 static
The following command resizes the static IP pool created in the previous example:
ip pool pool1 100.1.1.0/25 static

ip prefix-list

Creates an IP prefix list for filtering routes.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
ip prefix-list name list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
no ip prefix-list list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
no

Delete the specified prefix-list entry.

name list_name

Specifies a name for the prefix list as an alphanumeric string of 1 through 79 characters.

seq seq_number

Assigns the specified sequence number to the prefix list entry as an integer from 1 through 4294967295.

deny

Specifies prefixes to deny.

permit

Specifies prefixes to permit.

any

Matches any prefix.

network_address/net_mask [ ge ge_value ] [ le le_value ]

Specifies the prefix to match.

network_address/net_mask: the IP address and the length, in bits, of the network mask that defines the prefix. The IP address and mask must be entered in IPv4 dotted-decimal notation. When neither ge (greater than or equal to) nor le (less than or equal to) is specified, an exact match is assumed.

ge ge_value: Specifies the minimum prefix length to match as an integer from 0 through 32. If only the ge value is specified, the range is from the ge value to 32. The ge value must be greater than net_mask and less than the le value.

le le_value: Specifies the maximum prefix length to match as an integer from 0 through 32. If only the le value is specified, the range is from the net_mask to the le value. The le value must be less than or equal to 32.

The following equation describes the conditions that ge and le values must satisfy:

net_mask < ge_value < le_value <= 32


Usage:

Use this command to filter routes by their IP prefix.


Example:
ip prefix-list name prelist10 seq 5 permit 192.168.100.0/8 ge 12 le 24
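The ge and le rules decide which prefix lengths an entry covers, and an entry with neither matches only the exact prefix, so more-specific routes fall through to later entries. The following Python model of that matching is an added example, not ASR 5000 code: parse_entry, matches and evaluate are hypothetical names, the sample lists other than the page's own entry are constructed, and two behaviours are assumptions not stated on this page (entries are tried in ascending sequence order with the first match deciding, and an le given alone must not be shorter than net_mask).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                                  # "deny" or "permit"
    network: Optional[ipaddress.IPv4Network]     # None represents "any"
    lo: int                                      # shortest prefix length matched
    hi: int                                      # longest prefix length matched


def parse_entry(text: str) -> Entry:
    """Parse 'seq N {deny|permit} {any | a.b.c.d/len [ge G] [le L]}'."""
    tok = text.split()
    if len(tok) < 4 or tok[0] != "seq" or tok[2] not in ("deny", "permit"):
        raise ValueError(f"unrecognised entry: {text!r}")
    seq = int(tok[1])
    if not 1 <= seq <= 4294967295:
        raise ValueError("seq must be 1 through 4294967295")
    if tok[3] == "any":
        if len(tok) != 4:
            raise ValueError("'any' takes no ge/le options")
        return Entry(seq, tok[2], None, 0, 32)
    if "/" not in tok[3]:
        raise ValueError("prefix must be written as network_address/net_mask")
    # strict=False: the page's own example (192.168.100.0/8) has host bits set.
    net = ipaddress.IPv4Network(tok[3], strict=False)
    opts = dict(zip(tok[4::2], tok[5::2]))
    if 2 * len(opts) != len(tok) - 4 or set(opts) - {"ge", "le"}:
        raise ValueError(f"bad ge/le options in: {text!r}")
    ge = int(opts["ge"]) if "ge" in opts else None
    le = int(opts["le"]) if "le" in opts else None
    mask = net.prefixlen
    # Page rule: net_mask < ge_value < le_value <= 32
    if ge is not None and not mask < ge <= 32:
        raise ValueError("ge must be greater than net_mask and at most 32")
    if le is not None and not mask <= le <= 32:      # lower bound is an assumption
        raise ValueError("le must lie between net_mask and 32")
    if ge is not None and le is not None and not ge < le:
        raise ValueError("ge must be less than le")
    lo = ge if ge is not None else mask
    hi = le if le is not None else (32 if ge is not None else mask)
    return Entry(seq, tok[2], net, lo, hi)


def matches(entry: Entry, route: str) -> bool:
    """True if the route lies inside the entry's network and length range."""
    candidate = ipaddress.IPv4Network(route)     # strict: must be a real network
    if entry.network is None:
        return True
    in_range = entry.lo <= candidate.prefixlen <= entry.hi
    return in_range and candidate.subnet_of(entry.network)


def evaluate(prefix_list: List[str], route: str) -> Optional[str]:
    """Return the action of the first matching entry, or None if none match."""
    for entry in sorted(map(parse_entry, prefix_list), key=lambda e: e.seq):
        if matches(entry, route):
            return entry.action
    return None


PAGE_EXAMPLE = ["seq 5 permit 192.168.100.0/8 ge 12 le 24"]       # from the page
EXACT_DENY = ["seq 5 deny 10.0.0.0/8", "seq 10 permit any"]       # constructed
COVERING_DENY = ["seq 5 deny 10.0.0.0/8 le 32", "seq 10 permit any"]  # constructed

if __name__ == "__main__":
    for route in ("192.168.100.0/24", "192.0.0.0/8", "192.168.100.1/32"):
        print(route, evaluate(PAGE_EXAMPLE, route))
    # The exact-match deny does not stop a more-specific route; le 32 does.
    print(evaluate(EXACT_DENY, "10.1.0.0/16"), evaluate(COVERING_DENY, "10.1.0.0/16"))
```

A None result means no entry matched; what the system does with such a route is not stated on this page.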
ip prefix-list sequence-number

Enables or disables the inclusion of IP prefix list sequence numbers in the configuration file. This option is enabled by default.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip prefix-list sequence-number
no

Disables the listing of IP prefix list sequence numbers in the configuration file.


Usage:

Use this command to enable and disable the inclusion of IP prefix list sequence numbers in the configuration file.


Example:
To disable the inclusion of IP prefix list sequence numbers in the configuration file, enter the following command:
no ip prefix-list sequence-number

ip route

Adds or removes routing information from the current context’s configuration.

Platform:

ASR 5000

Product:

All


Privilege:

Administrator


Syntax
[ no ] ip route { ip_address | static bfd }
[ no ] ip route { ip_address/ip_mask | ip_address ip_mask } { gateway_ip_address | next-hop next_hop_ip_address | point-to-point | tunnel } egress_intrfc_name [ cost cost ] [ precedence precedence ] [ vrf vrf_name ] +
[ no ] ip route static bfd if-name gateway_ip_address
no

Indicates the route specified by these options is to be removed from the configuration.

ip_address/ip_mask | ip_address ip_mask

Specifies a destination IP address or group of addresses that will use this route.

ip_address/ip_mask: Specifies a combined IP address and subnet mask bits to indicate the IP addresses to which the route applies. ip_address must be entered using IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation. /ip_mask is entered using CIDR notation; the mask bits are a numeric value which is the number of bits in the subnet mask.

ip_address ip_mask: Specifies an IP address and the networking (subnet) mask pair which is used to identify the set of IP addresses to which the route applies. ip_address must be specified using the standard IPv4 dotted decimal notation. ip_mask must be specified using the standard IPv4 dotted decimal notation as network mask for subnets.

The mask as specified by ip_mask or resulting from ip_address/ip_mask is used to determine the network for packet routing.

0’s in the resulting mask indicate the corresponding bit in the IP address is not significant in determining the network for packet routing.

1’s in the resulting mask indicate the corresponding bit in the IP address is significant in determining the network.

gateway_ip_address | next-hop next_hop_ip_address | point-to-point | tunnel

Specifies which device or network to use when forwarding packets.

gateway_ip_address: Specifies the IP address of the network gateway to which to forward packets. The address must be entered in IPv4 dotted-decimal notation (###.###.###.###).

next-hop next_hop_ip_address: Specifies the next-hop IP address to which packets are to be forwarded. The address must be entered in IPv4 dotted-decimal notation.

point-to-point: Specifies that the egress port is an ATM point-to-point interface.

tunnel: Sets the static route for this egress interface as tunnel type, such as IPv6-over-IPv4 or GRE.

egress_intrfc_name

Specifies the name of the egress (out-bound) interface in the current context as an alphanumeric string of 1 through 79 characters.

cost cost

Specifies the relative cost of the route. cost must be an integer from 0 through 255 where 255 is the most expensive. Default: 0

precedence precedence

Specifies the selection order precedence for this routing information. precedence must be an integer from 1 through 254 where 1 is the highest precedence. Default: 1

vrf vrf_name

Associates a Virtual Routing and Forwarding (VRF) context with this static route configuration.

vrf_name is the name of a preconfigured VRF context configured in Context Configuration Mode via the ip vrf command.

ip route static bfd if-name gateway_ip_address

Creates a static IP route that will be associated with Bidirectional Forwarding Detection (BFD). For additional information, see the BFD Configuration Mode Commands chapter.

if-name: Specifies the name of the interface to which the static BFD neighbor is bound as an alphanumeric string of 1 through 79 characters.

gateway_ip_address: Specifies the gateway address of the BFD neighbor in IPv4 dotted-decimal notation.


Usage:

Use this command to configure IP route parameters. Precedence and cost options tailor the route selections such that routes of the same precedence are grouped together, then the lowest cost is selected first. This results in routes being selected first by lower precedence; the cost is then used if multiple routes are defined with the same precedence.

This command also configures static IP routes when implementing Bidirectional Forwarding Detection (BFD).

IMPORTANT:

A maximum of 1,200 static routes may be configured per context.

A Virtual Routing and Forwarding (VRF) context can be associated with a static IP route for BGP/MPLS, GRE, or IPSec tunnel support.


Example:
The following command adds a route using the combined IP address and subnet mask form:
ip route 10.2.3.0/32 192.168.1.2 egressSample1 precedence 160
The following configures route options for a route specified using the distinct IP address and subnet mask form:
ip route 10.2.3.4 255.224.0.0 10.1.2.3 egressSample2 cost 43
The following deletes the two routes configured above:
no ip route 10.2.3.0/32 192.168.1.2 egressSample1 precedence 160
no ip route 10.2.3.4 255.224.0.0 10.1.2.3 egressSample2 cost 43

The following command adds a route using the combined IP address and subnet mask form and specifies the egress interface as tunnel type:

ip route 10.2.3.0/32 tunnel egressSample1 precedence 160 vrf vrf1

ip routing maximum-paths

Enables Equal Cost Multiple Path (ECMP) routing support and specifies the maximum number of ECMP paths that can be submitted by a routing protocol in the current context.

Platform:

ASR 5000

Product:

PDSN, GGSN


Privilege:

Security Administrator, Administrator


Syntax
ip routing maximum-paths [ max_num ]
[ default | no ] ip routing maximum-paths
default

Resets the command to its default setting of 4.

no

Disables ECMP for the current context.

max_num

The maximum number of ECMP paths that can be submitted by a routing protocol. max_num must be an integer from 1 through 10. Default: 4


Usage:

Use this command to enable ECMP for routing and set the maximum number of ECMP paths that can be submitted by a routing protocol.


Example:
To enable ECMP and set the maximum number of paths that may be submitted by a routing protocol in the current context to 10, enter the following command:
ip routing maximum-paths 10
To disable ECMP in the current context, enter the following command:
no ip routing maximum-paths

ip routing overlap-pool

Configures the routing behavior for overlap-pool addresses.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
[ no | default ] ip routing overlap-pool
default

Resets the command to its default setting of disabled.

no

Disables the routing behavior for overlap-pool addresses for the current context.


Usage:

Use this command to advertise overlap-pool addresses in dynamic routing protocols when overlap pools are configured using VLAN IDs. If ip routing overlap-pool is configured, the overlap addresses are added as interface addresses and advertised.

ip vrf

Creates a Virtual Routing and Forwarding (VRF) context instance, assigns a VRF id, and configures the VRF parameters for BGP/MPLS VPN, GRE tunnel, and IPSec interface configuration.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ip vrf vrf_name
no ip vrf
no

Disables IP Virtual Routing and Forwarding (VRF) parameters.

vrf_name

Specifies the name of the virtual routing and forwarding interface as an alphanumeric string of 1 through 79 characters.


Usage:

Use this command to create a VRF context and assign a VRF id for BGP/MPLS VPN, IPSec, or GRE tunnel configuration in this context instance. This command is used when the system works as a BGP router with MPLS VPN and binds an MPLS VPN to the system, or to facilitate GRE or IPSec tunnelling. The addresses that are assigned to this interface are visible in the VRF routing table.

This command switches the command mode to IP VRF Context Configuration Mode and changes the CLI prompt to:
[context_name>]host_name(config-context-vrf)#

If required, this command creates an IP VRF Context Configuration Mode instance.

When using this command, take note of the following:

  • A VRF context instance must be created and configured before referring to it, associating it, or binding it with any command or mode.
  • If the interface binding to a VRF context instance is changed or any IP address assigned to the interface is deleted, a warning will be displayed.
  • All interfaces bound to a VRF context instance will be deleted when that VRF is removed/deleted.
  • An interface can be bound to only one VRF context instance.
  • A maximum of 100 VRF context instances can be configured on a system.

Refer to the IP VRF Context Configuration Mode Commands chapter for parameter configuration.


Example:
The following command configures the virtual routing and forwarding context instance vrf1 in a context:
ip vrf vrf1

ipms

Enables/disables/manages an intelligent packet monitoring system (IPMS) client service and enters the IPMS Client Configuration Mode within the current context.

Platform:

ASR 5000

Product:

IPMS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipms [ -noconfirm ]
no

Deletes a previously configured IPMS client service.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

DANGER:

If this keyword option is used with the no ipms command, the IPMS client service will be deleted along with all active/inactive IPMS sessions, without any warning or confirmation prompt.


Usage:

Use this command to enable/disable/manage the IPMS client service within a context and configure certain functionality. This command enables and allows the configuration of a service that lets the system function as an IPMS-enabled Access Gateway in a network. This command is also used to remove a previously configured IPMS client service.

A maximum of 1 IPMS client can be configured per system.

IMPORTANT:

Support for IPMS, an external application, is license-enabled. Refer to the IPMS Installation and Administration Guide for more information on this product.

Refer to the IPMS Installation and Administration Guide and IPMS Configuration Mode chapter of this reference for additional information.


Example:
The following command creates an IPMS client service within the context:
ipms

ipsec replay

Configures IKEv2 IPSec specific anti-replay.

Platform:

ASR 5000

Product:

ePDG, PDIF, SCM


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipsec   [   ] 
no

Disables this option.


Usage:

Use this command to configure IKEv2 IPSec specific anti-replay.


Example:
The following command sets the window size to 256:
ipsec replay window-size 256

ipsec transform-set

Creates a new or specifies an existing IPSec transform set and enters the IPSec Transform Set Configuration Mode for the current context.

Platform:

ASR 5000

Product:

ePDG, PDIF, SCM


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipsec     
no

Removes an existing transform set from the system.

transform-set name

Specifies the name of a new or existing transform set as an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to configure IKEv2 IPsec child security association transform set parameters. Up to four transform-sets can be created.

Entering this command results in the following prompt:

[context_name]hostname(cfg-ctx-ipsec-tran-set)#

This command applies to IKEv2. For IKEv1 transform set configuration, see the crypto ipsec transform-set command.


Example:
The following command configures an IPSec transform set called ipsec12 and enters the IPSec Transform Set Configuration Mode:
ipsec transform-set ipsec12

ipsg-service

This command allows you to create/modify/delete an IP Services Gateway (IPSG) service in the current context.

Platform:

ASR 5000

Product:

IPSG


Privilege:

Security Administrator, Administrator


Syntax
ipsg-service ipsg_service_name [ mode { radius-server | radius-snoop } ] [ -noconfirm ]
no ipsg-service ipsg_service_name [ mode { radius-server | radius-snoop } ]
no

If previously configured, deletes the specified IPSG service.

ipsg_service_name

Specifies the name of the IPSG service.

ipsg_service_name must be an alphanumeric string of 1 through 63 characters.

mode { radius-server | radius-snoop }

Configures the IPSG to perform as either a RADIUS server or as a device to extract user information from RADIUS accounting request messages (snoop). If the optional keyword mode is not entered, the system defaults to radius-server.

  • radius-server: Creates the named IPSG RADIUS Server service in the current context and/or enters the IPSG RADIUS Server Configuration Mode.
  • radius-snoop: Creates the named IPSG RADIUS Snoop service in the current context and/or enters the IPSG RADIUS Snoop Configuration Mode.

-noconfirm

Specifies to execute the command without additional prompt or confirmation.


Usage:

Use this command to create/configure/delete an IPSG service.

A maximum of one IPSG service can be configured per context.

IPSG service commands are defined in the IPSG RADIUS Snoop Configuration Mode Commands chapter and the IPSG RADIUS Server Configuration Mode Commands chapters.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

A large number of services greatly increases the complexity of system management and may impact overall system performance (i.e., resulting from system handoffs). Do not configure a large number of services unless your application requires it. Contact your Cisco account representative for more information.

IMPORTANT:

IP Services Gateway functionality is a license-controlled feature. A valid feature license must be installed prior to configuring an IPSG service. Contact your Cisco account representative for more information.

On entering the command with the radius-server mode or without any mode, the CLI prompt changes to:

[context_name]hostname(config-ipsg-service-radius-server)#

On entering the command with the radius-snoop mode, the CLI prompt changes to:

[context_name]hostname(config-ipsg-service-radius-snoop)#

For more information about the IP Services Gateway, refer to the IP Services Gateway Administration Guide.


Example:
The following command configures an IPSG RADIUS Snoop service named ipsg1 and enters the IPSG RADIUS Snoop Configuration Mode:
ipsg-service ipsg1 mode radius-snoop

ipv6 access-group

Configures the IPv6 Access group.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
ipv6 access-group group_name { priority_value }
group_name

Specifies the name of the access group as an alphanumeric string of 1 through 79 characters.

priority_value

Specifies the priority of the access group. 0 is the highest priority. If priority_value is not specified the priority is set to 0. priority_value must be an integer from 0 through 4294967295. Default: 0

If access groups in the list have the same priority, the last one entered is used first.


Usage:

Use this command to specify IPv6 access group name and priority. Use a lower value to indicate a higher priority for the group.


Example:
ipv6 access-group group_1

ipv6 access-list

Configures access list (or packet filter) name and enters the IPv6 ACL Configuration Mode.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipv6 access-list name
no

Indicates the access list specified is to be removed from the configuration.

name

Specifies the access list for which to enter the IPv6 ACL Configuration Mode or the list to remove. name is an alphanumeric string of 1 through 79 characters.


Usage:

Executing this command enters the IPv6 ACL Configuration Mode in which rules and criteria are defined for the ACL.


Example:
ipv6 access-list samplelist
no ipv6 access-list samplelist

ipv6 dns-proxy

Configures the domain name server proxy for the context.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipv6 dns-proxy source-ipv4-address ip_address
no

Removes the predefined IP address for local interface in the destination context.

ip_address

Specifies the IPv4 address of one of the local interfaces in the destination context to configure the IPv6 DNS proxy. ip_address must be specified using IPv4 dotted-decimal notation.


Usage:

The IPv6 DNS proxy source IPv4 address is used as the source IP address for the DNS proxy transaction.


Example:
The following command provides an example of configuring an IPv6 DNS proxy of 192.168.23.1:
ipv6 dns-proxy source-ipv4-address 192.168.23.1

ipv6 neighbor

Adds a static IPv6 neighbor entry into the neighbor discovery table.

Platform:

ASR 5000

Product:

PDIF


Privilege:

Administrator, Security Administrator


Syntax
[ no ] ipv6 neighbor ipv6_address hardware_address
no

Removes the specified address.

ipv6_address hardware_address

ipv6_address is the IP address of the node to be added to the table.

hardware_address is the associated 48-bit MAC address.


Usage:

Add a static IPv6 neighbor entry into the neighbor discovery table.


Example:
Add the IPv6 address fe80::210:83ff:fef7:7a9d::/24 and associated 48-bit MAC address 0:10:83:f7:7a:9d to the table.
ipv6 neighbor fe80::210:83ff:fef7:7a9d::/24 0:10:83:f7:7a:9d

ipv6 pool

Modifies the current context’s IP address pools by adding, updating or deleting a pool. This command also resizes an existing IP pool.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ipv6 pool name { 6to4 local-endpoint ipv4_address [ default-relay-router router_address ] | alert threshold | group-name name | policy { allow-static-allocation | dup-addr-detection } | prefix ip_address/len [ 6to4-tunnel local-endpoint ip_address | default-relay-router router_address ] | range start_address end_address | suppress-switchover-arps } [ private priority ] [ public priority ] [ shared priority ] [ static priority ] [ group-name name ]
no ipv6 pool name
no

Deletes the previously configured IPv6 pool.

name

Specifies the logical name of the IP address pool as an alphanumeric string of 1 through 31 characters.

6to4-tunnel local-endpoint ip_address

Specifies the IPv4 address of the local interface to be used for IPv6-to-IPv4 compatible pool address construction.

alert threshold { 6to4 local-endpoint ipv4_address | alert threshold | group-available | group-name name | policy { allow-static-allocation | dup-addr-detection } | pool-free | pool-used | prefix | range start_address end_address }

Default: All thresholds are disabled.

Configures IP address pool-level utilization thresholds. These thresholds take precedence over context-level IPv6 pool thresholds.

  • 6to4: Sets an alert based on the IPv6 Pool for an IPv6-to-IPv4 compatible address type.
  • alert-threshold: Sets an alert based on the percentage free alert threshold for this group.
  • group-available: Sets an alert based on the percentage free alert threshold for this group.
  • group-name: Sets an alert based on the IPv6 Pool Group.
  • policy allow-static-allocation: Sets an alert based on the address allocation policy.
  • pool-free: Sets an alert based on the percentage free alert threshold for this pool.
  • pool-used: Sets an alert based on the percentage used alert threshold for this pool.
  • prefix: Sets an alert based on the IPv6 Pool address prefix.
  • range: Sets an alert based on the IPv6 address pool range of addresses.
  • suppress-switchover-arps: Sets an alert based on the Suppress Gratuitous ARPs when performing a line card or an MIO switchover.

group-name name

IPv6 Pool Group.

The following options are available:

  • 6to4: IPv6 Pool for IPv6-to-IPv4 compatible address type
  • alert-threshold: Percentage free alert threshold for this group
  • group-name: IPv6 Pool Group
  • policy: Configure an address allocation policy
  • prefix: IPv6 Pool address prefix
  • range: Configures IPv6 address pool to use a range of addresses
  • suppress-switchover-arps: Suppress gratuitous ARPs when performing a line card or an MIO switchover

ipv4_address

Specifies the beginning IPv4 address of the IPv4 address pool. ipv4_address must be specified using IPv4 dotted-decimal notation.

default-relay-router router address

Specifies the default relay router for the tunnel.

policy allow-static-allocation

Allows a dynamic pool to accept a static address allocation.

The following options are available:

  • 6to4: IPv6 Pool for IPv6-to-IPv4 compatible address type
  • alert-threshold: Percentage free alert threshold for this group
  • group-name: IPv6 Pool Group
  • policy: Configure an address allocation policy
  • prefix: IPv6 Pool address prefix
  • range: Configures IPv6 address pool to use a range of addresses
  • suppress-switchover-arps: Suppress gratuitous ARPs when performing a line card or an MIO switchover
policy dup-addr-detection

This command is valid for IPv6 shared pools only (Sample syntax: ipv6 pool name prefix ip_address/len shared policy dup-addr-detection). When this policy is enabled, the IPv6 shared pool allows a prefix to be shared in different call sessions with different interface IDs for an IPv6 address. This allows the tracking of interface IDs per prefix and the detection of duplicated IDs.

With this policy disabled, the IPv6 shared pool will allow a prefix to be shared across different call sessions. The interface ID is not considered for any duplicate address detection. Default: Disabled

The following options are available:

  • 6to4: IPv6 pool for IPv6-to-IPv4 compatible address type
  • alert-threshold: Percentage free alert threshold for this group
  • group-name: IPv6 pool group
  • policy: Configure an address allocation policy
  • prefix: IPv6 pool address prefix
  • range: Configures IPv6 address pool to use a range of addresses
  • suppress-switchover-arps: Suppress gratuitous ARPs when performing a line card or an MIO switchover
prefix ip_address/len

Specifies the beginning IPv6 address of the IPv6 address pool. ip_address/len must be specified using IPv6 colon-separated-hexadecimal with CIDR notation.

range start_address end_address

Configures an IPv6 address pool to use a range of addresses.

start_address specifies the beginning of the range of addresses for the IPv6 pool. It must be specified using IPv6 colon-separated-hexadecimal notation.

end_address specifies the end of the range of addresses for the IPv6 pool. It must be specified using IPv6 colon-separated-hexadecimal notation.

suppress-switchover-arps

Suppresses gratuitous ARPs when performing a line card switchover.

The following options are available:

  • 6to4: IPv6 Pool for IPv6-to-IPv4 compatible address type
  • alert-threshold: Percentage free alert threshold for this group
  • group-name: IPv6 Pool Group
  • policy: Configure an address allocation policy
  • prefix: IPv6 Pool address prefix
  • range: Configures IPv6 address pool to use a range of addresses
  • suppress-switchover-arps: Suppress gratuitous ARPs when performing a line card or an MIO switchover
private priority | public priority | shared priority | static priority

Default: public

private priority: Specifies that the address pool may only be used by mobile stations which have requested an IP address from a specified pool. When private pools are part of an IP pool group, they are used in a priority order according to the precedence setting. priority must be an integer from 0 through 10 with 0 being the highest. The default is 0.

public priority: Specifies that the address pool is used in priority order for assigning IP addresses to mobile stations which have not requested a specific address pool. priority must be an integer from 0 through 10 with 0 being the highest and with a default of 0.

shared priority: Specifies that the address pool may be used by more than one session at any time. priority must be an integer from 0 through 10 with 0 being the highest and with a default of 0.

static priority: Specifies that the address pool is used for statically assigned mobile stations. Statically assigned mobile stations are those with a fixed IP address at all times. priority must be an integer from 0 through 10 with 0 being the highest and with a default of 0.

group-name name

Groups the IPv6 pools into different groups. The subscribers/domain can be configured with the group-name instead of the prefix-pool names. name is the name of the group by which the IPv6 pool is to be configured, expressed as an alphanumeric string of 1 through 79 characters.


Usage:

Use this command to modify the current context’s IP address pools by adding, updating, or deleting a pool. Also use this command to resize an existing IP pool.


Example:
The following command adds an IPv6 pool named ip6Star:
ipv6 pool ip6Star
ipv6 prefix-list

Creates an IPv6 prefix list for filtering routes.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
ipv6 prefix-list name list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
no ipv6 prefix-list list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
no

Delete the specified prefix-list entry.

name list_name

Specifies a name for the prefix list as an alphanumeric string of 1 through 79 characters.

seq seq_number

Assigns the specified sequence number to the prefix list entry as an integer from 1 through 4294967295.

deny

Specifies prefixes to deny.

permit

Specifies prefixes to permit.

any

Matches any prefix.

network_address/net_mask [ ge ge_value ] [ le le_value ]

Specifies the prefix to match.

network_address/net_mask: the IP address and the length, in bits, of the network mask that defines the prefix. The IP address and mask must be entered in IPv6 colon-separated-hexadecimal notation. When neither ge (greater than or equal to) nor le (less than or equal to) is specified, an exact match is assumed.

ge ge_value: Specifies the minimum prefix length to match as an integer from 0 through 128. If only the ge value is specified, the range is from the ge value to 128. The ge value must be greater than net_mask and less than the le value.

le le_value: Specifies the maximum prefix length to match as an integer from 0 through 128. If only the le value is specified, the range is from the net_mask to the le value. The le value must be less than or equal to 128.

The following equation describes the conditions that ge and le values must satisfy:

net_mask < ge_value < le_value <= 128


Usage:

Use this command to filter routes by their IPv6 prefix.


Example:
ipv6 prefix-list name prelistv6-10 seq 5 permit 2002::123.45.67.89/122
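
The ge/le matching rules described above, worked through as an added Python example (not part of the vendor documentation or the ASR 5000 software). It assumes entries are evaluated in ascending seq order with the first match deciding, that a prefix matching no entry is denied, that every entry carries a seq, and that a lone le may equal net_mask; the list name cust-in and the 2001:db8::/32 documentation prefixes are constructed sample input.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Grammar follows the Syntax line for "ipv6 prefix-list". seq is required here
# so that evaluation order is unambiguous (assumption of this example).
ENTRY_RE = re.compile(
    r"^ipv6 prefix-list name (?P<name>\S{1,79}) seq (?P<seq>\d+)"
    r" (?P<action>deny|permit)"
    r" (?:any|(?P<prefix>\S+/\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?)$"
)


@dataclass(frozen=True)
class Entry:
    name: str
    seq: int
    action: str
    network: Optional[ipaddress.IPv6Network]  # None means "any"
    min_len: int  # shortest prefix length this entry matches
    max_len: int  # longest prefix length this entry matches


def parse_entry(line: str) -> Entry:
    """Parse one entry and enforce net_mask < ge_value < le_value <= 128."""
    m = ENTRY_RE.match(" ".join(line.split()))
    if m is None:
        raise ValueError(f"not a prefix-list entry: {line!r}")
    seq = int(m["seq"])
    if not 1 <= seq <= 4294967295:
        raise ValueError("seq must be 1 through 4294967295")
    if m["prefix"] is None:  # "any" matches every prefix of every length
        return Entry(m["name"], seq, m["action"], None, 0, 128)
    # strict=False drops host bits past net_mask, as in 2002::123.45.67.89/122
    net = ipaddress.IPv6Network(m["prefix"], strict=False)
    mask = net.prefixlen
    ge = int(m["ge"]) if m["ge"] else None
    le = int(m["le"]) if m["le"] else None
    if ge is not None and le is not None:
        valid = mask < ge < le <= 128
    elif ge is not None:
        valid = mask < ge <= 128
    elif le is not None:
        valid = mask <= le <= 128  # assumption: a lone le may equal net_mask
    else:
        valid = True
    if not valid:
        raise ValueError("need net_mask < ge_value < le_value <= 128")
    # Neither keyword: exact match. ge only: ge..128. le only: net_mask..le.
    min_len = ge if ge is not None else mask
    if le is not None:
        max_len = le
    else:
        max_len = 128 if ge is not None else mask
    return Entry(m["name"], seq, m["action"], net, min_len, max_len)


def entry_matches(entry: Entry, route: ipaddress.IPv6Network) -> bool:
    """True if the route lies inside the entry's prefix and length window."""
    if entry.network is None:
        return True
    return (entry.min_len <= route.prefixlen <= entry.max_len
            and route.network_address in entry.network)


def evaluate(entries: List[Entry], route: str) -> str:
    """Return 'permit' or 'deny' for a route such as '2001:db8:1::/48'."""
    candidate = ipaddress.IPv6Network(route)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry_matches(entry, candidate):
            return entry.action
    return "deny"  # assumption: implicit deny when nothing matches


# Constructed sample list: block one /48 and its more-specifics, accept
# /40 to /48 announcements inside the /32, and accept the /32 itself.
SAMPLE_CONFIG = """\
ipv6 prefix-list name cust-in seq 5 deny 2001:db8:ffff::/48 le 64
ipv6 prefix-list name cust-in seq 10 permit 2001:db8::/32 ge 40 le 48
ipv6 prefix-list name cust-in seq 15 permit 2001:db8::/32
"""
ENTRIES = [parse_entry(line) for line in SAMPLE_CONFIG.splitlines()]

if __name__ == "__main__":
    for route in ("2001:db8::/32", "2001:db8:1::/48", "2001:db8:1:2::/64",
                  "2001:db8:ffff::/48", "2001:db9::/40"):
        print(f"{route:22} {evaluate(ENTRIES, route)}")
```

Running a candidate list through this kind of check before applying it shows which more-specific prefixes a wide le value would admit, which is the usual way a route filter ends up accepting more than intended.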
ipv6 prefix-list sequence-number

Enables or disables the inclusion of IPv6 prefix list sequence numbers in the configuration file. This option is enabled by default.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipv6 prefix-list sequence-number
no

Disables the listing of IPv6 prefix list sequence numbers in the configuration file.


Usage:

Use this command to enable and disable the inclusion of IPv6 prefix list sequence numbers in the configuration file.


Example:
To disable the inclusion of IPv6 prefix list sequence numbers in the configuration file, enter the following command:
no ipv6 prefix-list sequence-number
ipv6 route

Configures a static IPv6 route to the next-hop router.

Platform:

ASR 5000

Product:

All


Privilege:

Administrator


Syntax
[ no ] ipv6 route ipv6_address/prefix_length { interface name | next-hop ipv6_address interface name } [ cost cost ] [ precedence precedence ]
no

Removes the specified static route.

ipv6_address/prefix_length

Specifies a destination IPv6 address or group of addresses that will use this route.

ipv6_address/prefix_length must be specified using IPv6 colon-separated-hexadecimal with CIDR notation.

interface name

Specifies the name of the interface on this system associated with the specified route or next-hop address. name must be an existing interface name on the system expressed as an alphanumeric string of 1 through 79 characters.

next-hop ipv6_address

The IPv6 address of the directly connected next hop device in IPv6 colon-separated-hexadecimal notation.

cost cost

Defines the number of hops to the next gateway as an integer from 0 through 255. Default: 0

precedence precedence

Indicates the administrative preference of the route. A low precedence specifies that this route takes preference over the route with a higher precedence. precedence must be an integer from 1 through 254. Default: 1


Usage:

Use this command to create a static route and send data traffic to a next-hop device.


Example:
The following example configures a static route with IPv6 prefix/length 2001:0db8:3c4d:0015:0000:0000:abcd:ef12/24 to the next hop interface egress1:
ipv6 route 2001:0db8:3c4d:0015:0000:0000:abcd:ef12/24 interface egress1
ipv6 route-access-list

Configures an IPv6 route access list for filtering routes.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
ipv6 route-access-list named list_name ] { deny | permit } network_address/net_mask [ exact-match ]
no ipv6 prefix-list list_name ] { deny | permit } { any | network_address/net_mask [ exact-match ]
no

Delete the specified prefix-list entry.

name list_name

Specifies a name for the prefix list as an alphanumeric string of 1 through 79 characters.

deny

Specifies prefixes to deny.

permit

Specifies prefixes to permit.

network_address/net_mask [ exact-match ]

Specifies the prefix to match.

network_address/net_mask: the IP address and the length, in bits, of the network mask that defines the prefix. The IP address and mask must be entered in IPv6 colon-separated-hexadecimal notation.

exact-match le_value: Specifies that only an exact match will initiate access list deny/permit function.


Usage:

Use this command to filter routes by their IPv6 prefix.


Example:
ipv6 route-access-list name routelistv6 seq 5 permit 2002::123.45.67.89/122
isakmp disable-phase1-rekey

This command is deprecated. Use the ikev1 disable-phase1-rekey command to configure the parameters for Phase1 SA rekeying when ISAKMP lifetime expires for IKE v1 protocol.

isakmp keepalive

This command is deprecated. Use the ikev1 keepalive dpd command to configure ISAKMP IPSec Dead Peer Detection (DPD) message parameters for IKE v1 protocol.

isakmp policy

This command is deprecated. Use the ikev1 policy command to create/configure an ISAKMP policy with the specified priority for IKE v1 protocol.

iups-service

Creates an Iu-PS service instance and enters the Iu-PS Service Configuration Mode. This mode defines the configuration and usage of Iu-PS interfaces between the SGSN and the RNCs in the UMTS radio access network (UTRAN). It defines both the control plane (GTP-C) and the data plane (GTP-U) between these nodes.

IMPORTANT:

For details about the commands and parameters for this mode, check the IuPS Service Configuration Mode Commands chapter.

Platform:

ASR 5000

Product:

SGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] iups-service srvc_name
no

Remove the configuration for the specified Iu-PS service from the configuration for the current context.

srvc_name

Specifies the IuPS service name as a unique alphanumeric string of 1 through 63 characters.


Usage:

Use this command to create, edit, or remove an Iu-PS service. Add up to eight definitions to be used with a single SGSN service so the SGSN can support multiple PLMNs.


Example:
The following command creates an Iu-PS service named iu-ps1:
iups-service iu-ps1
The following command removes the Iu-PS service named iu-ps1:
no iups-service iu-ps1
l2tp peer-dead-time

Configures a delay when attempting to tunnel to a specific peer which is initially unreachable due to reasons such as a network issue or temporarily having reached its capacity.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
l2tp peer-dead-time seconds
default l2tp peer-dead-time
default

Resets the command to its default setting of 60.

seconds

Specifies the interval (in seconds) to wait before attempting to tunnel to a specific peer which is initially unreachable as an integer from 5 through 64,000. Default: 60


Usage:

Use this command to set the time to wait before trying to establish a tunnel to a known peer after the initial attempt was unsuccessful.


Example:
The following example configures the delay in attempting to tunnel to a temporarily unreachable peer. The delay is set to 120 seconds in this example.
l2tp peer-dead-time 120
lac-service

Enters the LAC Service Configuration Mode, or is used to add or remove a specified L2TP Access Concentrator (LAC) service.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] lac-service name
no

Removes the specified lac-service from the current context.

name

Specifies the name of a LAC service to configure, add, or remove as an alphanumeric string of 1 through 63 characters that is case-sensitive.


Usage:

Enter the LAC Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.


Example:
To add a new LAC service named LAC1 and enter the LAC Service Configuration Mode, enter the following command:
lac-service LAC1
To configure an existing LAC service named LAC2, enter the following command:
lac-service LAC2
To delete an existing LAC service named LAC3, enter the following command:
no lac-service LAC3
lawful-intercept

Refer to the Lawful Intercept Configuration Guide for a description of this command.

lawful-intercept dictionary

Refer to the Lawful Intercept Configuration Guide for a description of this command.

lma-service

Creates a Local Mobility Anchor (LMA) service or specifies an existing LMA service and enters the LMA Service Configuration Mode for the current context.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Administrator


Syntax
lma-service service_name [ -noconfirm ]
no lma-service service_name
no

Removes the specified LMA service from the context.

service_name

Specifies the name of the LMA service. If service_name does not refer to an existing service, the new service is created if resources allow.

service_name is an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Enter the LMA Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Entering this command results in the following prompt:

[context_name]hostname(config-lma-service)#

LMA Service Configuration Mode commands are defined in the LMA Service Configuration Mode Commands chapter.

Use this command when configuring the following eHRPD and PMIP SAE components: P-GW.


Example:
The following command enters the existing LMA Service Configuration Mode (or creates it if it does not already exist) for the service named lma-service1:
lma-service lma-service1
The following command will remove lma-service1 from the system:
no lma-service lma-service1
lns-service

Enters the LNS Service Configuration Mode, or is used to add or remove a specified L2TP Network Server (LNS) service.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] lns-service name
no

Removes the specified lns-service from the current context.

name

Specifies the name of a LNS service to configure, add or remove as an alphanumeric string of 1 through 63 characters that is case-sensitive.


Usage:

Enter the LNS Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.


Example:
To add a new LNS service named LNS1 and enter the LNS Service Configuration Mode, enter the following command:
lns-service LNS1
To configure an existing LNS service named LNS2, enter the following command:
lns-service LNS2
To delete an existing LNS service named LNS3, enter the following command:
no lns-service LNS3
logging

Modifies the logging options for a specified system log server for the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Administrator


Syntax
[ no ] logging syslog ip_address [ event-verbosity { min | concise | full } ] [ facility facilities ] [ pdu-data { none | hex | hex-ascii } ] [ pdu-verbosity pdu_level ] [ rate value ]
no

Indicates that internal logging is to be disabled for the options specified.

syslog ip_address

Specifies the IP address of a system log server on the network in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

event-verbosity { min | concise | full }
Specifies the level of detail to use in logging of events. Detail level must be one of the following:
  • min: Displays minimal detail.
  • concise: Displays summary detail.
  • full: Displays full detail.
facility facilities

Default: local7

Specifies the local facility for which the system logging server’s logging options shall be applied. Local facility must be one of the following:

  • local0
  • local1
  • local2
  • local3
  • local4
  • local5
  • local6
  • local7

Multiple system log servers can share the logging options of a given local facility. This allows for the logical grouping of system log servers and the options which affect all of those associated with the same local facility.

pdu-data { none | hex | hex-ascii }
Specifies output format for packet data units when logged. Format must be one of the following:
  • none: Displays data in raw format.
  • hex: Displays data in hexadecimal format.
  • hex-ascii: Displays data in hexadecimal and ASCII format (similar to a main-frame dump).
pdu-verbosity pdu_level

Specifies the level of verboseness to use in logging of packet data units as a value from 1 through 5, where 5 is the most detailed.

rate value

Specifies the rate at which log entries are allowed to be sent to the system log server. No more than the number specified by value will be sent to a system log server within any given one-second interval.

value must be an integer from 0 through 100000. Default: 1000


Usage:

Set the log servers to enable remote review of log data.


Example:
The following sets the logging for events to the maximum for the local7 facility:
logging syslog 10.2.3.4 event-verbosity full
The following command sets the logging for packet data units to level 3 and sets the output format to the main-frame style hex-ascii for the local3 facility:
logging syslog 10.2.3.4 facility local3 pdu-data hex-ascii pdu-verbosity 3
The following sets the rate of information for the local1 facility:
logging syslog 10.2.3.4 facility local1 rate 100
The following disables internal logging to the system log server specified:
no logging syslog 10.2.3.4
mag-service

Creates a Mobile Access Gateway (MAG) service or specifies an existing MAG service and enters the MAG Service Configuration Mode for the current context.

Platform:

ASR 5000

Product:

HSGW, S-GW


Privilege:

Administrator


Syntax
mag-service service_name [ -noconfirm ]
no mag-service service_name
no

Removes the specified MAG service from the context.

service_name

Specifies the name of the MAG service. If service_name does not refer to an existing service, the new service is created if resources allow.

service_name is an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Enter the MAG Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your Cisco service representative for more information.

Entering this command results in the following prompt:
[context_name]hostname(config-mag-service)#

MAG Service Configuration Mode commands are defined in the MAG Service Configuration Mode Commands chapter.

Use this command when configuring the following eHRPD and PMIP SAE components: HSGW and S-GW.


Example:
The following command enters the existing MAG Service Configuration Mode (or creates it if it does not already exist) for the service named mag-service1:
mag-service mag-service1
The following command will remove mag-service1 from the system:
no mag-service mag-service1
map-service

Creates a Mobile Application Part (MAP) Service instance and enters the MAP Service Configuration mode to define or edit the MAP service parameters.

MAP is the SS7 protocol that provides the application layer required by some of the nodes in GPRS/UMTS networks to communicate with each other in order to provide services to mobile phone users. MAP is used by the serving GPRS support node (SGSN) to access SS7 network nodes such as a home location register (HLR) or a radio access network (RAN).

Platform:

ASR 5000

Product:

SGSN


Privilege:

Security Administrator, Administrator


Syntax
map-service srvc_name
no map-service srvc_name
no

Remove the specified MAP service from the configuration for the current context.

srvc_name

Specifies the name of the MAP service as a unique alphanumeric string of 1 through 63 characters.


Usage:

Use this command to create, edit, or remove a MAP service configuration.

IMPORTANT:

For details about the commands and parameters, check the MAP Service Configuration Mode Commands chapter.


Example:
The following command creates a MAP service named map_1:
map-service map_1
The following command removes the configuration for a MAP service named map_1 from the configuration for the current context:
no map-service map_1
mipv6ha-service

Creates a Mobile IPv6 Home Agent (MIPv6-HA) service instance and enters the MIPv6 HA Service Configuration mode to define or edit the MIPv6-HA service parameters.

Platform:

ASR 5000

Product:

PDSN, HA


Privilege:

Security Administrator, Administrator


Syntax
mipv6ha-service srvc_name
no mipv6ha-service srvc_name
no

Remove the specified MIPv6-HA service from the configuration for the current context.

srvc_name

Specifies the name of the MIPv6-HA service as a unique alphanumeric string of 1 through 63 characters.


Usage:

Use this command to create, edit, or remove a MIPv6-HA service configuration.

IMPORTANT:

For details about the commands and parameters, check the MIPv6 HA Service Configuration Mode Commands chapter.


Example:
The following command creates a MIPv6-HA service named mipv6ha_1:
mipv6ha-service mipv6ha_1
The following command removes the configuration for a MIPv6-HA service named mipv6ha_1 from the configuration for the current context:
no mipv6ha-service mipv6ha_1
mme-service

Creates a Mobility Management Entity (MME) service or configures an existing MME service and enters the MME Service Configuration Mode for Evolved Packet Core (EPC) networks in the current context.

Platform:

ASR 5000

Product:

MME


Privilege:

Administrator


Syntax
mme-service service_name [ -noconfirm ]
no mme-service service_name
no

Removes the specified MME service from the context.

service_name

Specifies the name of the MME service. If service_name does not refer to an existing service, the new service is created if resources allow.

service_name is an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Enter the MME Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 8 MME services can be configured on a system, which is further limited to a maximum of 256 services (regardless of type) per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Entering this command results in the following prompt:

[context_name]hostname(config-mme-service)#

MME Service Configuration Mode commands are defined in the MME Service Configuration Mode Commands chapter.

CAUTION:

This is a critical configuration. The MME service cannot be configured without this configuration. Any change to this configuration would lead to restarting the MME service and removing or disabling this configuration will stop the MME service.


Example:
The following command enters the existing MME Service Configuration Mode (or creates it if it does not already exist) for the service named mme-service1:
mme-service mme-service1
The following command will remove mme-service1 from the system:
no mme-service mme-service1
mobile-ip fa

Configures settings that affect all FA services in the current context.

Platform:

ASR 5000

Product:

FA


Privilege:

Security Administrator, Administrator


Syntax
mobile-ip fa { multiple-dynamic-reg-per-nai | newcall duplicate-home-address { accept | reject } }
{ default | no } mobile-ip fa { multiple-dynamic-reg-per-nai | newcall duplicate-home-address }
default

Configures the default setting for the specified parameter.

  • multiple-dynamic-reg-per-nai: All FA services in the current context cannot simultaneously set up multiple dynamic home address registrations that have the same NAI.
  • newcall duplicate-home-address: reject
no
  • multiple-dynamic-reg-per-nai: Disables all FA services in the current context from simultaneously setting up multiple dynamic home address registrations that have the same NAI.
  • newcall duplicate-home-address: Resets this option to its default of reject.
multiple-dynamic-reg-per-nai

This keyword allows all FA services in the current context to simultaneously set up multiple dynamic home address registrations that have the same NAI.

newcall duplicate-home-address { accept | reject }
  • accept: The new call is accepted and the existing call is dropped.
  • reject: The new call is rejected with an Admin Prohibited code.

Usage:

Use this command to set the behavior of all FA services in the current context.


Example:
To configure all FA services to accept new calls and drop the existing call when the new call requests an IP address that is already in use by an existing call, enter the following command:
mobile-ip fa newcall duplicate-home-address accept
To allow all FA services in the current context to simultaneously set up multiple dynamic home address registrations that have the same NAI, enter the following command:
mobile-ip fa multiple-dynamic-reg-per-nai
mobile-ip ha assignment-table

Creates a Mobile IP HA assignment table and enters Mobile IP HA Assignment Table Configuration Mode.

Platform:

ASR 5000

Product:

HA


Privilege:

Security Administrator, Administrator


Syntax
mobile-ip ha assignment-table atable_name [ -noconfirm ]
no mobile-ip ha assignment-table atable_name
no

This keyword deletes the specified assignment table.

atable_name

Specifies the name of the MIP HA assignment table to create or edit as an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Use this command to create a new MIP HA assignment table or edit an existing MIP HA assignment table.

IMPORTANT:

A maximum of eight MIP HA assignment tables can be configured per context with a maximum of 8 MIP HA assignment tables across all contexts.

IMPORTANT:

A maximum of 256 non-overlapping hoa-ranges can be configured per MIP HA Assignment table with a maximum of 256 non-overlapping hoa-ranges across all MIP HA Assignment tables.


Example:
The following command creates a new MIP HA assignment table named MIPHAtable1 and enters MIP HA Assignment Table Configuration Mode without asking for confirmation from the user:
mobile-ip ha assignment-table MIPHAtable1
mobile-ip ha newcall

Configures the behavior of all HA services when duplicate home addresses and duplicate IMSI sessions occur for new calls.

Platform:

ASR 5000

Product:

HA


Privilege:

Security Administrator, Administrator


Syntax
mobile-ip ha newcall { duplicate-home-address { accept | reject } | duplicate-imsi-session { allow | disallow | global-disallow } | wimax-session-overwrite { allow | disallow } }
{ default | no } mobile-ip ha newcall { duplicate-home-address | duplicate-imsi-session | wimax-session-overwrite }
default

Configures the default setting for the specified parameter.

  • duplicate-home-address: reject—sets HA services to reject a new call that requests an IP address that is already assigned.
  • duplicate-imsi-session: allow—sets HA services to accept new calls that have the same IMSI as a call that is already active.
  • wimax-session-overwrite: disallow—disables the session overwrite feature for WiMAX mobile-ip calls on the HA.
no

Configures the default setting for the specified parameter.

duplicate-home-address { accept | reject }

Configures the HA to either accept or reject new calls if the new call requests a static IP home address that is already assigned to an existing call from an IP address pool in the same destination context.

  • accept: The new call is accepted and the existing call is dropped.
  • reject: The new call is rejected with an Admin Prohibited code.
duplicate-imsi-session { allow | disallow | global-disallow }

Configures the HA to either permit or not permit multiple sessions for the same IMSI.

  • allow: Allows multiple sessions for the same IMSI.
  • disallow: If a mobile node already has an active session and a new session is requested using the same IMSI, the currently active session is dropped and the new session is accepted.
  • global-disallow: Enables HA services in this context to accept a new session and disconnect any other session(s) having the same IMSI being processed in this context. In addition, a request is sent to all other contexts containing HA services to do the same.

IMPORTANT:

In order to ensure a single session per IMSI across all contexts containing HA services, the global-disallow option must be configured in every context.

wimax-session-overwrite { allow | disallow }

Enables or disables the session overwrite feature for WiMAX Mobile IP (MIPv4) calls on the HA.


Usage:

Use this command to set the behavior of all HA services for new calls.


Example:
To configure all HA services to accept new calls when the new call requests a static IP that is already assigned from an IP pool in the same destination context, enter the following command:
mobile-ip ha newcall duplicate-home-address accept
To configure all HA services to drop an active call and accept a new one that uses the same IMSI, enter the following command:
mobile-ip ha newcall duplicate-imsi-session disallow
mobile-ip ha reconnect

Sets the behavior of all HA services to reconnect dropped calls.

Platform:

ASR 5000

Product:

HA


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mobile-ip ha reconnect [ static-homeaddr [ dynamic-pool-allocation ] ]
static-homeaddr

Specifies that the home address is a static IP address.

dynamic-pool-allocation

Allows a dynamic pool to accept a static address allocation.


Usage:

Use this command to reset the HA behavior for new calls.


Example:
mobile-ip ha reconnect
mobile-ip ha reconnect static-homeaddr
mobile-ip ha reconnect static-homeaddr dynamic-pool-allocation
no mobile-ip ha reconnect
no mobile-ip ha reconnect static-homeaddr
mpls bgp forwarding

Globally enables Multiprotocol Label Switching (MPLS) Border Gateway Protocol (BGP) forwarding.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mpls bgp forwarding
no

Disables MPLS BGP forwarding.


Usage:

Use this command to globally enable MPLS BGP forwarding. When this command is enabled, BGP VPNv4 routes do not need an underlying LSP to forward IP packets. If this command is not enabled, the next hop for the BGP routes must be reachable via LDP.

CAUTION:

Enable this command ONLY when all BGP peers with which VPNv4 routes are exchanged are one hop away.


Example:
The following command enables the MPLS BGP forwarding on the system:
mpls bgp forwarding 
mpls ip

Globally enables the Multiprotocol Label Switching (MPLS) forwarding of IPv4 packets along normally routed paths.

Platform:

ASR 5000

Product:

GGSN, HA, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mpls ip
no

Disables MPLS forwarding of IPv4 packets configured on the system. no mpls ip stops dynamic label distribution on all the interfaces regardless of interface configuration.


Usage:

Globally enables the MPLS forwarding of IPv4 packets along normally routed paths for the entire context.

It does not start label distribution over an interface until MPLS has been enabled for the interface as well. Refer to the Ethernet Interface Configuration Mode Commands chapter for additional information.

CAUTION:

This feature is not enabled by default.


Example:
The following command enables (but does not start) MPLS forwarding of IPv4 packets along normally routed paths:
mpls ip
nw-reachability server

Adds or deletes a reachability-detect server and configures parameters for retrying the failure-detection process. When network reachability is enabled, an ICMP ping request is sent to this device. If there is no response after a specified number of retries, the network is deemed failed. Execute this command multiple times to configure multiple network reachability servers.

Platform:

ASR 5000

Product:

HA


Privilege:

Security Administrator, Administrator


Syntax
nw-reachability server server_name [ interval seconds ] [ local-addr ip_addr ] [ num-retry num ] [ remote-addr ip_addr ] [ timeout seconds ]
no nw-reachability server server_name
no

Deletes the reference to the specified network reachability server.

server_name

Specifies the name for the network device that is sent ping packets to test for network reachability.

interval seconds

Specifies the frequency (in seconds) for sending ping requests as an integer from 1 through 3600. Default: 60

local-addr ip_addr

Specifies the IP address to be used as the source address of the ping packets. If this is unspecified, an arbitrary IP address that is configured in the context is used. ip_addr must be entered using IPv4 dotted-decimal notation.

num-retry num

Specifies the number of retries before deciding that there is a network failure, as an integer from 0 through 100. Default: 5

remote-addr ip_addr

Specifies the IP address of a network element to use as the destination to send the ping packets for detecting network failure or reachability. ip_addr must be entered using IPv4 dotted-decimal notation.

timeout seconds

Specifies how long to wait (in seconds) before retransmitting a ping request to the remote address as an integer from 1 through 1. Default: 3


Usage:

Use this command to set up a network device on a destination network that is used to ensure that Mobile IP sessions can reach the required network from the HA.

IMPORTANT:

Refer to the HA Configuration Mode command policy nw-reachability-fail to configure the action that should be taken when network reachability fails.

IMPORTANT:

Refer to the Subscriber Config Mode command nw-reachability-server to bind the network reachability to a specific subscriber.

IMPORTANT:

Refer to the nw-reachability server server_name keyword of the ip pool command in this chapter to bind the network reachability server to an IP pool.


Example:
To set a network device called InternetDevice with the IP address of 192.168.100.10 as the remote address that is pinged to determine network reachability and use the address 192.168.200.10 as the origination address of the ping packets sent, enter the following command:
nw-reachability server InternetDevice local-addr 192.168.200.10 remote-addr 192.168.100.10
network-requested-pdp-context activate

Configures the mobile station(s) (MSs) for which network initiated PDP contexts are supported.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
network-requested-pdp-context activate address ip_address dst-context context_name imsi imsi apn apn_name
no network-requested-pdp-context activate address ip_address dst-context context_name
no

Disables the system’s ability to accept network-requested PDP contexts on the specified interface.

ip_address

Specifies the static IP address of the MS in IPv4 dotted-decimal notation.

dst-context context_name

Specifies the name of the destination context configured on the system containing the static IP address pool in which the MS’s IP address is configured. context_name is an alphanumeric string of 1 through 79 characters that is case sensitive.

imsi imsi

Specifies the International Mobile Subscriber Identity (IMSI) of the MS as a string of 1 through 15 numeric characters.

apn apn_name

Specifies the Access Point Name (APN) that is passed to the SGSN by the system. apn_name is an alphanumeric string of 1 through 63 characters that is case sensitive.


Usage:

Use this command to specify the MS(s) for which network initiated PDP contexts are supported.

When a packet is received for an MS that does not currently have a PDP context established, the system checks the configuration of this parameter to determine if the destination IP address specified in the packet is specified by this parameter. If the address is not specified, then the system discards the packet. If the address is specified, the system uses the configured IMSI and APN to determine the appropriate SGSN from the Home Location Register (HLR). The system communicates with the HLR through the interworking node configured using the network-requested-pdp-context gsn-map command.

Once the session is established, the destination context specified by this command is used in place of the one either configured within the specified APN template or returned by a RADIUS server during authentication.

This command can be issued multiple times supporting network initiated PDP contexts for up to 1,000 configured addresses per system context.


Example:
The following command enables support for network initiated PDP contexts for an MS with a static IP address of 20.13.5.40 from a pool configured in the destination context pdn1 with an IMSI of 3319784450 that uses an APN template called isp1:
network-requested-pdp-context activate address 20.13.5.40 dst-context pdn1 imsi 3319784450 apn isp1
network-requested-pdp-context gsn-map

Configures the IP address of the interworking node that is used by the system to communicate with the Home Location Register (HLR), and optionally sets the GTP version to use.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
network-requested-pdp-context gsn-map ip_address [ gtp-version { 0 | 1 } ]
no network-requested-pdp-context gsn-map
no

Deletes a previously configured gsn-map node.

ip_address

Specifies the IP address of the gsn-map node in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

gtp-version { 0 | 1 }

Specifies the GTP version used. Default: 1


Usage:

Communications from the system to the HLR must go through a GSN-map interworking node that performs the protocol conversion from GTPC to SS7.

The UDP port for this communication is 2123.

Support for network requested PDP contexts must be configured within source contexts on the system. Only one gsn-map node can be configured per source context.

The source context also contains the GGSN service configuration that specifies the IP address of the Gn interface. If multiple GGSN services are configured in the source context, one is selected at random for initiating the Network Requested PDP Context Activation procedure.

Communication with the gsn-map node is done over the Gn interface configured for the GGSN service. The IP address of that interface is used as the system’s source address.


Example:
The following command configures the system to communicate with a gsn-map node having an IP address of 192.168.2.5:
network-requested-pdp-context gsn-map 192.168.2.5
network-requested-pdp-context hold-down-time

Configures the time duration that the system waits after the SGSN rejects an attempt to create a network-requested PDP context for the subscriber.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
network-requested-pdp-context hold-down-time time
default network-requested-pdp-context hold-down-time
default

Configures the default setting.

Default: 60 seconds

time

Specifies the time interval (in seconds) as an integer from 0 through 86400.


Usage:

Packets received during this time period would be discarded, rather than being used to cause another network-requested PDP context creation attempt for the same subscriber. After the time period has expired, any subsequent packets received would cause another network-requested PDP context creation procedure to begin.


Example:
The following command configures a hold-down-time of 120 seconds:
network-requested-pdp-context hold-down-time 120
network-requested-pdp-context interval

Configures the minimum amount of time that must elapse between the deletion of a network initiated PDP context and the creation of a new one for the same MS.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
network-requested-pdp-context interval time
default network-requested-pdp-context interval
default

Returns the command to its default setting of 60.

time

Specifies the minimum amount of time (in seconds) that must pass before the system allows another network-requested PDP context for a specific MS after the previous context was deleted. time is an integer from 0 through 86400. Default: 60


Usage:

Once an MS deletes a PDP context that was initiated from the network, the system automatically waits the amount of time configured by this parameter before allowing another network initiated PDP context for the same MS.


Example:
The following command specifies that the system waits 120 seconds before allowing another network requested PDP context for an MS:
network-requested-pdp-context interval 120
network-requested-pdp-context sgsn-cache-time

Configures the time duration that the GGSN keeps the SGSN/subscriber pair cached in its local memory.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
network-requested-pdp-context sgsn-cache-time time
default network-requested-pdp-context sgsn-cache-time
default

Configures the default setting.

Default: 300 seconds

time

Specifies the time interval (in seconds) as an integer from 0 through 86400.


Usage:

For an initial network-requested PDP context creation, the system contacts the HLR (via the GSN-MAP interworking node) to learn which SGSN is currently servicing the subscriber. The system keeps that information in cache memory for the configured time, so that future network-requested PDP context creations for that subscriber can be initiated without having to contact the HLR again.


Example:
The following command configures an sgsn-cache-time of 500 seconds:
network-requested-pdp-context sgsn-cache-time 500
operator

Configures a context-level operator account within the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator


Syntax
operator user_name [ encrypted ] password password [ ecs ] [ expiry-date date_time ] [ li-administration ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle timeout_duration ] [ timeout-min-idle idle_minutes ]
no operator user_name
no

Removes a previously configured context-level operator account.

user_name

Specifies a name for the account as an alphanumeric string of 1 through 32 characters.

[ encrypted ] password password

Specifies the password to use for the user which is being given context-level operator privileges within the current context. The encrypted keyword indicates the password specified uses encryption.

password is an alphanumeric string of 1 through 63 characters without encryption, or 1 through 127 with encryption.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

ecs

Permits the specific user to access ACS-specific configuration commands from Exec Mode only. Default: ACS-specific configuration commands are not allowed.

expiry-date date_time

Specifies the date and time that this account expires. Enter the date and time in the format YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss.

Where YYYY is the year, MM is the month, DD is the day of the month, HH is the hour, mm is minutes, and ss is seconds.

li-administration

Refer to the Lawful Intercept Configuration Guide for a description of this parameter.

noecs

Prevents the user from accessing ACS-specific configuration commands. Default: Enabled

timeout-absolute abs_seconds

This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum amount of time (in seconds) the context-level operator may have a session active before the session is forcibly terminated. abs_seconds must be a value in the range from 0 through 300000000. The value 0 disables the absolute timeout. Default: 0

timeout-min-absolute abs_minutes

Specifies the maximum amount of time (in minutes) the context-level operator may have a session active before the session is forcibly terminated. abs_minutes must be an integer from 0 through 300000000. The value 0 disables the absolute timeout. Default: 0

timeout-idle timeout_duration

This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum amount of idle time (in seconds) the context-level operator may have a session active before the session is terminated. timeout_duration must be an integer from 0 through 300000000. The value 0 disables the idle timeout. Default: 0

timeout-min-idle idle_minutes

Specifies the maximum amount of idle time (in minutes) the context-level operator may have a session active before the session is terminated. idle_minutes must be an integer from 0 through 300000000. The value 0 disables the idle timeout. Default: 0


Usage:

Use this command to create a new context-level operator or to modify an existing operator’s options, in particular the timeout values.

Operators have read-only privileges. They can maneuver across multiple contexts, but cannot perform configuration operations. Refer to the Command Line Interface Overview chapter for more information.

IMPORTANT:

A maximum of 128 administrative users and/or subscribers may be locally configured per context.


Example:
The following command creates a context-level operator account named user1 with ACS control:
operator user1 password secretPassword ecs
The following command removes a previously configured context-level operator account named user1:
no operator user1
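
The operator options above (expiry date, idle and absolute timeouts, the encrypted keyword, obsolete keywords) can be checked across a saved configuration. The following is an added example, not Cisco code: it parses operator lines in the syntax shown in this section and reports accounts with cleartext passwords, no or past expiry dates, disabled timeouts, obsolete keywords, and ecs or li-administration grants. The sample configuration, account names, encrypted strings and finding labels are constructed for illustration.

```python
from datetime import datetime

FLAG_KEYWORDS = {"ecs", "noecs", "li-administration"}
VALUE_KEYWORDS = {"expiry-date", "timeout-absolute", "timeout-min-absolute",
                  "timeout-idle", "timeout-min-idle"}
OBSOLETE = {"timeout-absolute", "timeout-idle"}  # marked obsolete in this section
TIMEOUT_MAX = 300000000                          # documented range: 0 through 300000000

# Constructed sample; account names and encrypted strings are made up.
SAMPLE_CONFIG = """
operator user1 password secretPassword ecs
operator noc2 encrypted password 5c4a38dc2ff61f72 expiry-date 2031:01:01:00:00 timeout-min-absolute 480 timeout-min-idle 15
operator temp3 encrypted password 9f8e7d6c5b4a3f2e expiry-date 2020:06:30:23:59:59 timeout-idle 600 li-administration
operator old4 encrypted password aabbccddeeff0011
no operator old4
"""
SAMPLE_NOW = datetime(2025, 1, 1)  # fixed audit time so results are repeatable


def parse_operator(line):
    """Parse one 'operator' line (syntax as documented above) into a dict."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "operator":
        raise ValueError(f"not an operator command: {line!r}")
    acct = {"user": tok[1], "encrypted": False, "flags": set(), "opts": {}}
    i = 2
    if tok[i] == "encrypted":
        acct["encrypted"] = True
        i += 1
    if i + 1 >= len(tok) or tok[i] != "password":
        raise ValueError(f"missing password keyword: {line!r}")
    acct["password"] = tok[i + 1]
    i += 2
    while i < len(tok):
        kw = tok[i]
        if kw in FLAG_KEYWORDS:
            acct["flags"].add(kw)
            i += 1
        elif kw in VALUE_KEYWORDS and i + 1 < len(tok):
            acct["opts"][kw] = tok[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {kw!r} in: {line!r}")
    return acct


def parse_expiry(text):
    """Accept YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss, the two documented formats."""
    for fmt in ("%Y:%m:%d:%H:%M", "%Y:%m:%d:%H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"bad expiry-date {text!r}")


def timeout_disabled(opts, minutes_kw, seconds_kw):
    """True when no keyword sets a non-zero value (0 and absence both disable)."""
    for kw in (minutes_kw, seconds_kw):
        if kw in opts:
            value = int(opts[kw])
            if not 0 <= value <= TIMEOUT_MAX:
                raise ValueError(f"{kw} out of range: {value}")
            if value > 0:
                return False
    return True


def audit_account(acct, now):
    """Return the list of findings for one parsed operator account."""
    findings = []
    if not acct["encrypted"]:
        findings.append("plaintext-password")
    expiry = acct["opts"].get("expiry-date")
    if expiry is None:
        findings.append("no-expiry-date")
    elif parse_expiry(expiry) <= now:
        findings.append("expired")
    if timeout_disabled(acct["opts"], "timeout-min-idle", "timeout-idle"):
        findings.append("idle-timeout-disabled")
    if timeout_disabled(acct["opts"], "timeout-min-absolute", "timeout-absolute"):
        findings.append("absolute-timeout-disabled")
    findings += [f"obsolete-keyword:{kw}" for kw in sorted(OBSOLETE & acct["opts"].keys())]
    findings += [f"grants:{flag}" for flag in sorted(acct["flags"] - {"noecs"})]
    return findings


def audit_config(text, now):
    """Audit every operator account still defined after 'no operator' removals."""
    accounts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("no operator "):
            accounts.pop(line.split()[2], None)
        elif line.startswith("operator "):
            acct = parse_operator(line)
            accounts[acct["user"]] = acct
    return {user: audit_account(acct, now) for user, acct in accounts.items()}


if __name__ == "__main__":
    for user, findings in audit_config(SAMPLE_CONFIG, SAMPLE_NOW).items():
        print(user, findings or "ok")
```
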
optimize pdsn inter-service-handoff

Controls the optimization of the system’s handling of inter-PDSN handoffs.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] optimize pdsn inter-service-handoff
default

Resets the command to its default setting of enabled.

no

Disables the feature.


Usage:

When more than one PDSN service is defined in a context, each PDSN-Service acts as an independent PDSN. When a Mobile Node (MN) moves from one PDSN service to another PDSN service, by rule, it is an inter-PDSN handoff. This command optimizes PDSN handoffs between PDSN Services that are defined in the same context in the system.

The default for this parameter is enabled. The no keyword disables this functionality.

When enabled, the system treats handoffs happening between two PDSN services in the same context as an inter-PDSN handoff. Existing PPP session states and connection information are reused. If the inter-PDSN handoff requires a PPP restart, then PPP is restarted. The optimized inter-service-handoff may not restart PPP during handoffs, allowing the MN to keep the same IP address for the Simple IP session.


Example:
optimize pdsn inter-service-handoff
pdg-service

Creates a new PDG service or specifies an existing PDG service and enters the PDG Service Configuration Mode. A maximum of 16 PDG services can be created. This limit applies per ASR 5000 chassis and per context.

Platform:

ASR 5000

Product:

PDG/TTG


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pdg-service name
no

Deletes the specified PDG service.

name

Specifies the name of a new or existing PDG service as an alphanumeric string of 1 through 63 characters that must be unique across all FNG services within the same context and across all contexts.


Usage:

Use this command in Context Configuration Mode to create a new PDG service or modify an existing one. Executing this command enters the PDG Service Configuration Mode.


Example:
The following command configures a PDG service named pdg_service_1 and enters the PDG Service Configuration Mode:
pdg-service pdg_service_1
pdif-service

Creates a new, or specifies an existing, Packet Data Interworking Function (PDIF) service and enters the PDIF Service Configuration Mode.

Platform:

ASR 5000

Product:

PDIF


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pdif-service name [ -noconfirm ]
name

Specifies the name of a new or existing PDIF service as an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to create a new or enter an existing PDIF service.

Entering this command results in the following prompt:

[context_name]hostname(config-pdif-service)#

PDIF Service Configuration Mode commands are defined in the PDIF Service Configuration Mode Commands chapter.


Example:
The following command configures a PDIF service called pdif2 and enters the PDIF Service Configuration Mode:
pdif-service pdif2
pdsn-service

Creates or deletes a packet data service or specifies an existing PDSN service for which to enter the Packet Data Service Configuration Mode for the current context.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pdsn-service name
no

Indicates the packet data service specified is to be removed.

name

Specifies the name of the PDSN service to configure. If name does not refer to an existing service, the new service is created if resources allow. name is an alphanumeric string of 1 through 63 characters.


Usage:

Enter the PDSN Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your Cisco service representative for more information.


Example:
The following command enters the PDSN Service Configuration Mode, creating the service sampleService if necessary:
pdsn-service sampleService
The following command removes sampleService as a defined PDSN service:
no pdsn-service sampleService
pgw-service

Creates a PDN-Gateway (P-GW) service or specifies an existing P-GW service and enters the P-GW Service Configuration Mode for the current context.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Administrator


Syntax
pgw-service service_name [ -noconfirm ]
no pgw-service service_name
service_name

Specifies the name of the P-GW service. If service_name does not refer to an existing service, the new service is created if resources allow. service_name is an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

no pgw-service service_name

Removes the specified P-GW service from the context.


Usage:

Enter the P-GW Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Entering this command results in the following prompt:

[context_name]hostname(config-pgw-service)#

P-GW Service Configuration Mode commands are defined in the P-GW Service Configuration Mode Commands chapter.

Use this command when configuring the following eHRPD and SAE components: P-GW.


Example:
The following command enters the existing P-GW Service Configuration Mode (or creates it if it does not already exist) for the service named pgw-service1:
pgw-service pgw-service1
The following command will remove pgw-service1 from the system:
no pgw-service pgw-service1
policy

Enters an existing accounting policy or creates a new one where accounting parameters are configured.

Platform:

ASR 5000

Product:

HSGW, P-GW, S-GW


Privilege:

Administrator


Syntax
[ no ] policy accounting name
no

Removes the specified accounting policy from the context.

name

Specifies the name of the existing or new accounting policy as an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to enter the Accounting Policy Configuration Mode to edit an existing accounting policy or configure a new policy.

Entering this command results in the following prompt:

[context_name]hostname(config-accounting-policy)#

Accounting Policy Configuration Mode commands are defined in the Accounting Policy Configuration Mode Commands chapter.


Example:
The following command enters the Accounting Policy Configuration Mode for a policy named acct5:
policy accounting acct5
policy-group

Creates or deletes a policy group. It enters the Policy-Group Configuration Mode within the current destination context for flow-based traffic policing to a subscriber session flow.

Platform:

ASR 5000

Product:

PDSN, HA, ASN-GW, HSGW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] policy-group name policy_group
no

Deletes the configured policy group within the context.

name policy_group

Specifies the name of the Policy-Group as an alphanumeric string of 1 through 15 characters that is case sensitive.


Usage:

Use this command to form a policy group from a set of configured Policy-Maps. A policy group supports up to 16 policies for a subscriber session flow.


Example:
The following command configures a policy group policy_group1 for a subscriber session flow:
policy-group name policy_group1
policy-map

Creates or deletes a policy map. It enters the Traffic Policy-Map Configuration Mode within the current destination context to configure the flow-based traffic policing for a subscriber session flow.

Platform:

ASR 5000

Product:

PDSN, HA, ASN-GW, HSGW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] policy-map name policy_name
no

Deletes the configured Policy-Map within the context.

name policy_name

Specifies the name of the Policy-Map as an alphanumeric string of 1 through 15 characters that is case sensitive.


Usage:

Use this command to enter Traffic Policy-Map Configuration Mode and to set the Class-Map and corresponding traffic flow treatment to traffic policy for a subscriber session flow.


Example:
The following command configures a policy map named policy1, where other flow treatments are configured:
policy-map name policy1
ppp

Configures point-to-point protocol parameters for the current context.

Platform:

ASR 5000

Product:

PDSN, GGSN


Privilege:

Security Administrator, Administrator


Syntax
ppp { acfc { receive { allow | deny } | transmit { apply | ignore | reject } } | auth-retry suppress-aaa-auth | chap fixed-challenge-length length | dormant send-lcp-terminate | echo-max-retransmissions num_retries | echo-retransmit-timeout msec | first-lcp-retransmit-timeout milliseconds | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay delay | lcp-terminate connect-state | lcp-terminate mip-lifetime-expiry | lcp-terminate mip-revocation | max-authentication-attempts num | max-configuration-nak num | max-retransmissions number | max-terminate number | mru packet_size | negotiate default-value-options | peer-authentication user_name [ encrypted ] password password | pfc { receive { allow | deny } | transmit { apply | ignore | reject } } | reject-peer-authentication | renegotiation retain-ip-address | retransmit-timeout milliseconds }
no ppp { auth-retry suppress-aaa-auth | chap fixed-challenge-length | dormant send-lcp-terminate | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay | lcp-terminate connect-state | reject-peer-authentication | renegotiation retain-ip-address }
default lcp-authentication-discard retry-alternate num_discard
default

Restores the system defaults for the specific command/keyword.

no

Disables, deletes, or resets the specified option.

For no ppp renegotiation retain-ip-address the initially allocated IP address will be released and a new IP address will be allocated during PPP renegotiation.

acfc { receive { allow | deny } | transmit { apply | ignore | reject} }

Configures PPP Address and Control Field Compression (ACFC) parameters.

receive { allow | deny }

This keyword specifies whether to allow Address and Control Field Compressed PPP packets received from the Peer. During LCP negotiation, the local PPP side indicates whether it can handle ACFC compressed PPP packets. Default: allow

When allow is specified, the local PPP side indicates that it can process ACFC compressed PPP packets and compressed packets are allowed. When deny is specified, the local PPP side indicates that it cannot handle ACFC compressed packets and compressed packets are not allowed.

transmit { apply | ignore | reject }

Specifies how Address and Control Field Compression should be applied for PPP packets transmitted to the Peer. During LCP negotiation, the Peer indicates whether it can handle ACFC compressed PPP packets. Default: ignore

When apply is specified, if the peer requests ACFC, the request is accepted and ACFC is applied for transmitted PPP packets. When ignore is specified, if the peer requests ACFC, the request is accepted, but ACFC is not applied for transmitted PPP packets. When reject is specified, if the peer requests ACFC, the request is rejected and ACFC is not applied to transmitted packets.

auth-retry suppress-aaa-auth

This option does not allow PPP authentication retries to the AAA server after the AAA server has already authenticated a session. PPP locally stores the username and password, or challenge response, after a successful PPP authentication. If the Mobile Node retries the PAP request or CHAP-Response packet to the PDSN, PPP locally compares the incoming username, password or Challenge Response with the information stored from the previous successful authentication. If it matches, PAP ACK or CHAP Success is sent back to the Mobile Node, without performing AAA authentication. If the incoming information does not match with what is stored locally, then AAA authentication is attempted. The locally stored PPP authentication information is cleared once the session reaches a connected state.

Default: no auth-retry suppress-aaa-auth

IMPORTANT:

This option is not supported in conjunction with the GGSN product.

chap fixed-challenge-length length

Normally PPP CHAP uses a random challenge length from 17 to 32 bytes. This command allows you to configure a specific fixed challenge length of 4 through 32 bytes. length must be an integer from 4 through 32.

Default: Disabled. PPP CHAP uses a random challenge length.

dormant send-lcp-terminate

Indicates a link control protocol (LCP) terminate message is enabled for dormant sessions.

IMPORTANT:

This option is not supported in conjunction with the GGSN product.

echo-max-retransmissions num_retries

Configures the maximum number of retransmissions of LCP ECHO_REQ before a session is terminated in an always-on session. num_retries must be an integer from 1 through 16. Default: 3

echo-retransmit-timeout msec

Configures the timeout (in milliseconds) before trying LCP ECHO_REQ for an always-on session. msec must be an integer from 100 through 5000. Default: 3000

first-lcp-retransmit-timeout milliseconds

Specifies the number of milliseconds to wait before attempting to retransmit control packets. This value configures the first retry. All subsequent retries are controlled by the value configured for the ppp retransmit-timeout keyword.

milliseconds must be an integer from 100 through 5000. Default: 3000

lcp-authentication-discard retry-alternate num_discard

Sets the number of times the authentication option may be discarded during LCP negotiation before retries begin to allow an alternate authentication option. num_discard must be an integer from 0 through 5. Recommended value is 2. Default: Disabled.

lcp-authentication-reject retry-alternate

Specifies the action to be taken if the authentication option is rejected during LCP negotiation and retries the allowed alternate authentication option.

Default: Disabled. No alternate authentication option will be retried.

lcp-start-delay delay

Specifies the delay (in milliseconds) before link control protocol (LCP) is started. delay must be an integer from 0 through 5000. Default: 0

lcp-terminate connect-state

Enables sending an LCP terminate message to the Mobile Node when a PPP session is disconnected if the PPP session was already in a connected state.

Note that if the no keyword is used with this option, the PDSN must still send LCP Terminate in the event of an LCP/PCP negotiation failure or PPP authentication failure, which happens during connecting state.

IMPORTANT:

This option is not supported in conjunction with the GGSN product.

lcp-terminate mip-lifetime-expiry

Configures the PDSN to send an LCP Terminate Request when a MIP Session is terminated due to MIP Lifetime expiry (default).

Note that if the no keyword is used with this option, the PDSN does not send a LCP Terminate Request when a MIP session is terminated due to MIP Lifetime expiry.

lcp-terminate mip-revocation

Configures the PDSN to send a LCP Terminate Request when a MIP Session is terminated due to a Revocation being received from the HA (default).

Note that if the no keyword is used with this option, the PDSN does not send a LCP Terminate Request when a MIP session is terminated due to a Revocation being received from the HA.

max-authentication-attempts num

Configures the maximum number of times a PPP authentication attempt is allowed. num must be an integer from 1 through 10. Default: 1

max-configuration-nak num

This command configures the maximum number of consecutive configuration REJ/NAKs that can be sent during CP negotiations, before the CP is terminated. num must be an integer from 1 through 20. Default: 10

max-retransmission number

Specifies the maximum number of times control packets will be retransmitted. number must be an integer from 1 through 16. Default: 5

max-terminate number

Sets the maximum number of PPP LCP Terminate Requests transmitted to the Mobile Node. number must be an integer from 0 through 16. Default: 2

IMPORTANT:

This option is not supported in conjunction with the GGSN product.

mru packet_size

Specifies the maximum packet size that can be received in bytes. packet_size must be an integer from 128 through 1500. Default: 1500

negotiate default-value-options

Enables the inclusion of configuration options with default values in PPP configuration requests. Default: Disabled

The PPP standard states that configuration options with default values should not be included in Configuration Request (LCP, IPCP, etc.) packets. If the option is missing in the Configuration Request, the peer PPP assumes the default value for that configuration option.

When negotiate default-value-options is enabled, configuration options with default values are included in the PPP configuration Requests.

peer-authenticate user_name [ [ encrypted ] password password ]

Specifies the user name and an optional password required for point-to-point protocol peer connection authentications. user_name is an alphanumeric string of 1 through 63 characters. The keyword password is optional and if specified password is an alphanumeric string of 1 through 63 characters. The password specified must be in an encrypted format if the optional keyword encrypted was specified.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

pfc { receive { allow | deny } | transmit { apply | ignore | reject} }

Configures Protocol Field Compression (PFC) parameters.

receive { allow | deny } Default: allow

This keyword specifies whether to allow Protocol Field Compression (PFC) for PPP packets received from the peer. During LCP negotiation, the local PPP side indicates whether it can handle Protocol Field Compressed PPP packets.

When allow is specified, the peer is allowed to request PFC during LCP negotiation. When deny is specified, the Peer is not allowed to request PFC during LCP negotiation.

transmit { apply | ignore | reject } Default: ignore

This keyword specifies how Protocol Field Compression should be applied for PPP packets transmitted to the Peer. During LCP negotiation, the Peer indicates whether it can handle PFC compressed PPP packets.

When apply is specified, if the peer requests PFC, it is accepted and PFC is applied for transmitted PPP packets. When ignore is specified, if the peer requests PFC, it is accepted but PFC is not applied for transmitted packets. When reject is specified, all requests for PFC from the peer are rejected.

reject-peer-authentication

If disabled, re-enables the system to reject peer requests for authentication. Default: Enabled

renegotiation retain-ip-address

If enabled, retain the currently allocated IP address for the session during PPP renegotiation (Simple IP) between FA and Mobile node. Default: Enabled

If disabled, the initially allocated IP address will be released and a new IP address will be allocated during PPP renegotiation.

retransmit-timeout milliseconds

Specifies the number of milliseconds to wait before attempting to retransmit control packets. milliseconds must be an integer from 100 through 5000. Default: 3000


Usage:

Modify the context PPP options to ensure authentication and communication for PPP sessions have fewer dropped sessions.


Example:
The following commands set various PPP options:
ppp dormant send-lcp-terminate
ppp max-retransmission 3
ppp peer-authenticate user1 password secretPwd
ppp peer-authenticate user1
ppp retransmit-timeout 1000
The following command disables the sending of LCP terminate messages for dormant sessions:
no ppp dormant send-lcp-terminate

ppp magic-number

Manages magic number checking during LCP Echo message handling. The magic number is a random number chosen to distinguish a peer and detect looped back lines.

Platform:

ASR 5000

Product:

PDSN, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no | default ] ppp magic-number receive ignore

no

Disables the specified behavior.

default

Restores the system defaults for the specific command/keyword.

receive ignore

Ignores the checking of magic number at the PDSN during LCP Echo message handling. Default: Disabled.

If valid magic numbers were negotiated for the PPP endpoints during LCP negotiation and LCP Echo Request/Response messages have invalid magic numbers, enabling this command causes the system to skip the magic number check during LCP Echo message handling.


Usage:

Use this command to allow the system to ignore invalid magic number during LCP Echo Request/Response handling.
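The check that receive ignore switches off, modelled as an added example (this is not ASR 5000 code). The packet layout follows RFC 1661; check_echo, its result labels and the sample magic numbers are assumptions made for illustration.

```python
import struct

LCP_ECHO_REQUEST, LCP_ECHO_REPLY = 9, 10   # LCP codes defined in RFC 1661

# Constructed sample values, not taken from any real session.
LOCAL_MAGIC = 0x1A2B3C4D   # magic number this end negotiated for itself
PEER_MAGIC = 0x55667788    # magic number the peer negotiated


def build_lcp_echo(code, identifier, magic, data=b""):
    """Build an LCP Echo packet: Code, Identifier, Length, Magic-Number, Data."""
    return struct.pack("!BBHI", code, identifier, 8 + len(data), magic) + data


def parse_lcp_echo(packet):
    """Return (code, identifier, magic, data); raise ValueError if malformed."""
    if len(packet) < 8:
        raise ValueError("too short for LCP header plus Magic-Number")
    code, identifier, length, magic = struct.unpack("!BBHI", packet[:8])
    if code not in (LCP_ECHO_REQUEST, LCP_ECHO_REPLY):
        raise ValueError("not an LCP Echo-Request or Echo-Reply")
    if not 8 <= length <= len(packet):
        raise ValueError("Length field does not fit the packet")
    return code, identifier, magic, packet[8:length]


def check_echo(packet, local_magic, peer_magic, receive_ignore=False):
    """Classify a received echo as 'accept', 'loopback' or 'invalid-magic'.

    Hypothetical helper: with receive_ignore set, the magic number is parsed
    but never compared, so mismatches and looped-back packets both pass.
    """
    _code, _ident, magic, _data = parse_lcp_echo(packet)
    if receive_ignore:
        return "accept"
    if magic == local_magic:
        # Our own magic number came back: the line is looped.
        return "loopback"
    if magic != peer_magic:
        # Neither ours nor the value the peer negotiated.
        return "invalid-magic"
    return "accept"


if __name__ == "__main__":
    samples = {
        "peer echo": build_lcp_echo(LCP_ECHO_REQUEST, 1, PEER_MAGIC),
        "looped echo": build_lcp_echo(LCP_ECHO_REQUEST, 2, LOCAL_MAGIC),
        "wrong magic": build_lcp_echo(LCP_ECHO_REPLY, 3, 0xDEADBEEF),
    }
    for name, pkt in samples.items():
        strict = check_echo(pkt, LOCAL_MAGIC, PEER_MAGIC)
        relaxed = check_echo(pkt, LOCAL_MAGIC, PEER_MAGIC, receive_ignore=True)
        print(f"{name}: default={strict} receive-ignore={relaxed}")
```

In this model the looped-back packet is also accepted once the check is ignored, which is why the setting is best limited to peers known to send bad magic numbers.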


Example:
The following command allows the invalid magic number during LCP Echo Request/Response negotiation:
ppp magic-number receive ignore

ppp statistics

Changes the manner in which some PPP statistics are calculated.

Platform:

ASR 5000

Product:

PDSN, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ppp statistics success-sessions { lcp-max-retry | misc-reasons | remote-terminated }

no

Disables the specified behavior.

success-sessions lcp-max-retry

Alters statistical calculations so that: ppp successful session = successful sessions + lcp-max-retry.

success-sessions misc-reasons

Alters statistical calculations so that: ppp successful session = successful sessions + misc-reasons.

success-sessions remote-terminated

Alters statistical calculations so that: ppp successful session = successful sessions + remote-terminated.


Usage:

Use this command to alter how certain PPP statistics are calculated.

CAUTION:

This command alters the way that some PPP statistics are calculated. Please consult your designated service representative before using this command.


Example:
The following command alters the statistic “ppp successful session” so that it displays the sum of successful sessions and lcp-max-retry:
ppp statistics success-sessions lcp-max-retry
The following command disables the alteration of the statistic ppp successful session:
no ppp statistics success-sessions lcp-max-retry

proxy-dns intercept-list

Enters the HA Proxy DNS Configuration Mode and defines a name of a redirect rules list for the domain name servers associated with a particular FA (Foreign Agent) or group of FAs.

IMPORTANT:

HA Proxy DNS Intercept is a license-enabled feature.

Platform:

ASR 5000

Product:

HA


Privilege:

Security Administrator, Administrator


Syntax
[ no ] proxy-dns intercept-list name

no

Removes the intercept list from the system.

name

Defines the rules list and enters the Proxy DNS Configuration Mode. name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to define a name for a list of rules pertaining to the IP addresses associated with the foreign network’s DNS. Up to 128 rules of any type can be configured per rules list.

Upon entering the command, the system switches to the HA Proxy DNS Configuration Mode where the lists can be defined. Up to 64 separate rules lists can be configured in a single AAA context.

This command and the commands in the HA Proxy DNS Configuration Mode provide a solution to the Mobile IP problem that occurs when a MIP subscriber, with a legacy MN or MN that does not support IS-835D, receives a DNS server address from a foreign network that is unreachable from the home network. The following flow shows the steps that occur when this feature is enabled:

By configuring the Proxy DNS feature on the Home Agent, the foreign DNS address is intercepted and replaced with a home DNS address while the call is being handled by the home network.


Example:
The following command creates a proxy DNS rules list named list1 and places the CLI in the HA Proxy DNS Configuration Mode:
proxy-dns intercept-list list1

radius accounting

This command configures RADIUS accounting parameters for the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius accounting { archive [ stop-only ] | deadtime dead_minutes | detect-dead-server { consecutive-failures consecutive_failures | keepalive | response-timeout timeout_duration } | interim interval seconds | max-outstanding max_messages | max-pdu-size octets | max-retries max_retries | max-transmissions max_transmissions | timeout timeout_duration | unestablished-sessions }
default radius accounting { deadtime | detect-dead-server | interim interval seconds | max-outstanding | max-pdu-size | max-retries | max-transmissions | timeout }
no radius accounting { archive | detect-dead-server | interim interval | max-transmissions | unestablished-sessions }

default

Configures the default settings.

no

Removes earlier configuration for the specified keyword.

archive [ stop-only ]

Enables archiving of RADIUS Accounting messages in the system after the accounting message has exhausted retries to all available RADIUS Accounting servers. All RADIUS Accounting messages generated by a session are delivered to the RADIUS Accounting server in serial. That is, previous RADIUS Accounting messages from the same call must be delivered and acknowledged by the RADIUS Accounting server before the next RADIUS Accounting message is sent to the RADIUS Accounting server.

stop-only specifies archiving of STOP accounting messages only.

Default: Enabled

deadtime dead_minutes

Specifies the number of minutes to wait before attempting to communicate with a server which has been marked as unreachable.

dead_minutes must be an integer from 0 through 65535.

Default: 10

detect-dead-server { consecutive-failures consecutive_failures | keepalive | response-timeout timeout_duration }
  • consecutive-failures consecutive_failures: Specifies the number of consecutive failures, for each AAA manager, before a server is marked as unreachable. consecutive_failures must be an integer from 0 through 1000. Default: 4
  • keepalive: Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers. Default: Disabled
  • response-timeout timeout_duration: Specifies the number of seconds for each AAA manager to wait for a response to any message before a server is detected as failed, or in a down state. timeout_duration must be an integer from 1 through 65535.

IMPORTANT:

If both consecutive-failures and response-timeout are configured, then both parameters have to be met before a server is considered unreachable, or dead.

interim interval seconds

Specifies the time interval (in seconds) for sending accounting INTERIM-UPDATE records. seconds must be an integer from 50 through 40000000.

IMPORTANT:

If RADIUS is used as the accounting protocol for the GGSN product, other commands are used to trigger periodic accounting updates. However, these commands would cause RADIUS STOP/START packets to be sent as opposed to INTERIM-UPDATE packets. Also note that accounting interim interval settings received from a RADIUS server take precedence over those configured on the system.

Default: Disabled

max-outstanding max_messages

Specifies the maximum number of outstanding messages a single AAA manager instance will queue. max_messages must be an integer from 1 through 4000. Default: 256

max-pdu-size octets

Specifies the maximum sized packet data unit which can be accepted/generated in bytes (octets). octets must be an integer from 512 through 4096. Default: 4096

max-retries max_retries

Specifies the maximum number of times communication with an AAA server will be attempted before it is marked as unreachable and the detect dead servers consecutive failures count is incremented. max_retries must be an integer from 0 through 65535. Default: 5

Once the maximum number of retries is reached this is considered a single failure for the consecutive failures count for detecting dead servers.

max-transmissions max_transmissions

Sets the maximum number of transmissions for a RADIUS accounting message before the message is declared as failed. max_transmissions must be an integer from 1 through 65535. Default: Disabled

timeout seconds

Specifies the amount of time to wait for a response from a RADIUS server before retransmitting a request. seconds must be an integer from 1 through 65535. Default: 3

unestablished-sessions

Indicates RADIUS STOP events are to be generated for sessions that were initiated but never fully established.


Usage:

Manage the RADIUS accounting options according to the RADIUS server used for the context.
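How timeout, max-retries, detect-dead-server and deadtime combine, as an added Python model (not ASR 5000 code). The class and function names are hypothetical, and two points are assumptions: max-retries is treated as the total number of transmissions of one request, and failure counting restarts once deadtime has elapsed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AcctDeadDetect:
    """One AAA manager's view of one RADIUS accounting server (model only)."""
    consecutive_failures: Optional[int] = 4   # page default; None = not configured
    response_timeout: Optional[int] = None    # seconds; None = not configured
    deadtime_min: int = 10                    # page default, in minutes
    failures: int = 0
    last_response: float = 0.0
    dead_until: Optional[float] = None

    def usable(self, now):
        """A server marked unreachable is skipped until deadtime has elapsed."""
        if self.dead_until is not None and now >= self.dead_until:
            self.dead_until = None
            self.failures = 0          # assumption: counting restarts
        return self.dead_until is None

    def on_response(self, now):
        """Any response breaks the run of consecutive failures."""
        self.failures = 0
        self.last_response = now

    def on_retries_exhausted(self, now):
        """One request used up max-retries: that is ONE failure, not several."""
        self.failures += 1
        if self._criteria_met(now):
            self.dead_until = now + self.deadtime_min * 60
        return self.dead_until is not None

    def _criteria_met(self, now):
        # If both criteria are configured, both have to be met.
        checks = []
        if self.consecutive_failures is not None:
            checks.append(self.failures >= self.consecutive_failures)
        if self.response_timeout is not None:
            checks.append(now - self.last_response >= self.response_timeout)
        return bool(checks) and all(checks)


def time_to_dead(det, timeout=3, max_retries=5, start=0.0, limit=1000):
    """Send back-to-back unanswered requests; return when the server goes dead.

    Each unanswered request costs timeout * max_retries seconds under the
    assumption stated above. Returns None if the limit is reached first.
    """
    now = start
    for _ in range(limit):
        now += timeout * max_retries
        if det.on_retries_exhausted(now):
            return now
    return None


if __name__ == "__main__":
    # Defaults from this page: timeout 3, max-retries 5, consecutive-failures 4.
    print("defaults:", time_to_dead(AcctDeadDetect()), "s of silence")
    # The page's example: consecutive-failures 5 and timeout 16.
    print("example :", time_to_dead(AcctDeadDetect(consecutive_failures=5),
                                    timeout=16), "s of silence")
    # Both criteria configured: the later of the two decides.
    both = AcctDeadDetect(consecutive_failures=2, response_timeout=100)
    print("both    :", time_to_dead(both), "s of silence")
```

Raising timeout lengthens the window in which accounting records queue against a silent server, so it is worth checking that window against max-outstanding before changing it.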


Example:
The following commands configure accounting options.
radius accounting detect-dead-server consecutive-failures 5
radius accounting max-pdu-size 1024
radius accounting timeout 16

radius accounting algorithm

This command specifies the fail-over/load-balancing algorithm to select the RADIUS accounting server(s) to which accounting data must be sent.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius accounting algorithm { first-n n | first-server | round-robin }
default radius accounting algorithm

default

Configures the default setting.

Default: first-server

first-n n

Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. The full set of accounting data is sent to each of the n AAA servers. Response from any one of the servers would suffice to proceed with the call. On receiving an ACK from any one of the servers, all retries are stopped.

n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128. Default: 1 (Disabled)

first-server

Specifies that the context must send accounting data to the RADIUS server with the highest configured priority. In the event that this server becomes unreachable, accounting data is sent to the server with the next-highest configured priority. This is the default algorithm.

round-robin

Specifies that the context must load balance sending accounting data among all of the defined RADIUS servers. Accounting data is sent in a circular queue fashion on a per Session Manager task basis, where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.


Usage:

Use this command to specify the algorithm to select the RADIUS accounting server(s) to which accounting data must be sent.
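The three selection algorithms side by side, as an added Python model (not ASR 5000 code). Server, AcctSelector and the 192.0.2.x addresses are constructed for illustration; the model assumes that a lower priority number means higher priority and that first-n picks the n highest-priority reachable servers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    ip: str
    priority: int    # assumption: lower number = higher priority


# Constructed sample servers (documentation address range).
SERVERS = [Server("192.0.2.30", 3), Server("192.0.2.10", 1), Server("192.0.2.20", 2)]


class AcctSelector:
    """Chooses the accounting server(s) for one message (model only)."""

    def __init__(self, servers, algorithm="first-server", n=2):
        # The list order is the configured relative priority.
        self.servers = sorted(servers, key=lambda s: s.priority)
        self.algorithm = algorithm
        self.n = n
        self._cursor = 0     # round-robin position, one per Session Manager task

    def targets(self, reachable):
        """Return the servers one accounting message is sent to."""
        live = [s for s in self.servers if s.ip in reachable]
        if not live:
            return []
        if self.algorithm == "first-server":
            # Highest priority; fail over to the next-highest when it is down.
            return live[:1]
        if self.algorithm == "first-n":
            # The full accounting data goes to each of the n servers.
            return live[:self.n]
        if self.algorithm == "round-robin":
            # Circular walk over the priority-ordered list, skipping dead servers.
            for step in range(len(self.servers)):
                idx = (self._cursor + step) % len(self.servers)
                if self.servers[idx].ip in reachable:
                    self._cursor = (idx + 1) % len(self.servers)
                    return [self.servers[idx]]
        raise ValueError(f"unknown algorithm: {self.algorithm}")

    @staticmethod
    def acknowledged(targets, acked_ips):
        """first-n: an ACK from any one target is enough to stop all retries."""
        return any(s.ip in acked_ips for s in targets)


if __name__ == "__main__":
    up = {s.ip for s in SERVERS}
    for algo in ("first-server", "round-robin", "first-n"):
        sel = AcctSelector(SERVERS, algo)
        sent = [[s.ip for s in sel.targets(up)] for _ in range(4)]
        print(f"{algo:12} all up      : {sent}")
        sel = AcctSelector(SERVERS, algo)
        sent = [[s.ip for s in sel.targets(up - {'192.0.2.10'})] for _ in range(4)]
        print(f"{algo:12} .10 is down : {sent}")
```

With first-n every selected server holds a full copy of the accounting data, so downstream billing has to de-duplicate; round-robin spreads records across servers, so no single server holds a complete per-session trail.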


Example:
The following command specifies to use the round-robin algorithm to select the RADIUS server:
radius accounting algorithm round-robin

radius accounting apn-to-be-included

This command configures the Access Point Name (APN) to be included for RADIUS accounting.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
radius accounting apn-to-be-included { gi | gn }
default radius accounting apn-to-be-included

default

Configures the default setting.

gi

Specifies the usage of the Gi APN name in the RADIUS accounting request. The Gi APN represents the APN received in the Create PDP context request message from the SGSN.

gn

Specifies the usage of the Gn APN name in the RADIUS accounting request. The Gn APN represents the APN selected by the GGSN.


Usage:

Use this command to configure the APN name for RADIUS Accounting. This can be set to either gi or gn.


Example:
The following command specifies the usage of Gn APN name in the RADIUS accounting request:
radius accounting apn-to-be-included gn

radius accounting billing-version

This command configures the billing-system version of RADIUS accounting servers.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius accounting billing-version version
default radius accounting billing-version

default

Configures the default setting. Default: 0

version

Specifies the billing-system version of RADIUS accounting servers as an integer from 0 through 4294967295. Default: 0


Usage:

Use this command to configure the billing-system version of RADIUS accounting servers.


Example:
The following command configures the billing-system version of RADIUS accounting servers as 10:
radius accounting billing-version 10

radius accounting gtp trigger-policy

This command configures the RADIUS accounting trigger policy for GTP messages.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
radius accounting gtp trigger-policy [ standard | ggsn-preservation-mode ]
default radius accounting gtp trigger-policy

default

Resets the RADIUS accounting trigger policy to standard behavior for GTP session.

standard

Sets the RADIUS accounting trigger policy to standard behavior which is configured for GTP session for GGSN service.

ggsn-preservation-mode

Sends RADIUS Accounting Start when the GTP message with private extension of preservation mode is received from SGSN.

IMPORTANT:

This is a customer-specific keyword and requires a customer-specific license to use this feature. For more information on GGSN preservation mode, refer to the GGSN Service Configuration Mode Commands chapter.


Usage:

Use this command to set the trigger policy for the AAA accounting for a GTP session.


Example:
The following command sets the RADIUS accounting trigger policy for GTP session to standard:
default radius accounting gtp trigger-policy

radius accounting ha policy

This command configures the RADIUS accounting policy for HA sessions.

Platform:

ASR 5000

Product:

HA


Privilege:

Security Administrator, Administrator


Syntax
radius accounting ha policy { session-start-stop | custom1-aaa-res-mgmt }
default radius accounting ha policy

session-start-stop

Specifies to send Accounting Start when the session is connected, and send Accounting Stop when the session is disconnected. This is the default behavior.

custom1-aaa-res-mgmt

Accounting Start/Stop messages are generated to assist special resource management done by AAA servers. It is similar to the session-start-stop accounting policy, except for the following differences:

  • Accounting Start is generated when a new call overwrites an existing session. Accounting Start is also generated during MIP session handoffs.
  • No Accounting stop is generated when an existing session is overwritten and the new session continues to use the IP address assigned for the old session.

Usage:

Use this command to set the behavior of the AAA accounting for an HA session.


Example:
The following command sets the HA accounting policy to custom1-aaa-res-mgmt:
radius accounting ha policy custom1-aaa-res-mgmt

radius accounting interim volume

This command configures the uplink and downlink volume octet counts that trigger RADIUS interim accounting.

Platform:

ASR 5000

Product:

GGSN, PDSN, HA


Privilege:

Security Administrator, Administrator


Syntax
radius accounting interim volume { downlink bytes uplink bytes | total bytes | uplink bytes downlink bytes }
no radius accounting interim volume

no

Disables volume based RADIUS accounting.

downlink bytes uplink bytes

Specifies the downlink to uplink volume limit for RADIUS Interim accounting, in bytes. bytes must be an integer from 100000 through 4000000000.

total bytes

Specifies the total volume limit for RADIUS interim accounting in bytes. bytes must be an integer from 100000 through 4000000000.

uplink bytes

Specifies the uplink volume limit for RADIUS interim accounting in bytes. bytes must be an integer from 100000 through 4000000000.

downlink bytes

Specifies the downlink volume limit for RADIUS interim accounting in bytes. bytes must be an integer from 100000 through 4000000000.


Usage:

Use this command to trigger RADIUS interim accounting based on the volume of uplink and downlink bytes.


Example:
The following command triggers RADIUS interim accounting when the total volume of uplink and downlink bytes reaches 110000:
radius accounting interim volume total 110000

radius accounting ip remote-address

This command configures IP remote address-based RADIUS accounting parameters.

Platform:

ASR 5000

Product:

PDSN, HA


Privilege:

Security Administrator, Administrator


Syntax
[ no ] radius accounting ip remote-address { collection | list list_id }

no

Removes earlier configuration for the specified keyword.

collection

Enables collecting and reporting Remote-Address-Based accounting in RADIUS Accounting. This should be enabled in the AAA Context. It is disabled by default.

list list_id

Enters the Remote Address List Configuration Mode. This mode configures a list of remote addresses that can be referenced by the subscriber's profile. list_id must be an integer from 1 through 65535.


Usage:

This command is used as part of the Remote Address-based Accounting feature to both configure remote IP address lists and enable the collection of accounting data for the addresses in those lists on a per-subscriber basis.

Individual subscribers can be associated with remote IP address lists through the configuration/specification of an attribute in their local or RADIUS profile. (Refer to the radius accounting command in the Subscriber Configuration mode.) When configured/specified, accounting data is collected pertaining to the subscriber’s communication with any of the remote addresses specified in the list.

Once this functionality is configured on the system and in the subscriber profiles, it must be enabled by executing this command with the collection keyword.


Example:
The following command enables collecting and reporting Remote-Address-Based accounting in RADIUS Accounting:
radius accounting ip remote-address collection

radius accounting keepalive

This command configures the keepalive authentication parameters for the RADIUS accounting server.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius accounting keepalive { calling-station-id id | consecutive-response responses_no_of | framed-ip-address ip_address | interval interval_duration | retries retries_no_of | timeout timeout_duration | username user_name }
no radius accounting keepalive framed-ip-address
default radius accounting keepalive { calling-station-id | consecutive-response | interval | retries | timeout | username }

no

Removes configuration for the specified keyword.

default

Configures the default settings.

calling-station-id id

Configures the Calling-Station ID to be used for the keepalive authentication as an alphanumeric string of 1 through 15 characters. Default: 000000000000000

consecutive-response responses_no_of

Configures the number of consecutive authentication responses after which the server is marked as reachable. responses_no_of must be an integer from 1 through 5. Default: 1

framed-ip-address ip_address

Specifies the framed ip-address to be used for the keepalive accounting in IPv4 dotted-decimal notation.

interval interval_duration

Configures the time interval (in seconds) between the two keepalive access requests. Default: 30

retries retries_no_of

Configures the number of times the keepalive access request is sent before the server is marked as unreachable. retries_no_of must be an integer from 3 through 10. Default: 3

timeout timeout_duration

Configures the time interval between keepalive access request retries. timeout_duration must be an integer from 1 through 30. Default: 3

username user_name

Configures the user name to be used for the authentication as an alphanumeric string of 1 through 127 characters. Default: Test-Username


Usage:

Configures the keepalive authentication parameters for the RADIUS accounting server.


Example:
The following command sets the user name for the RADIUS keepalive access requests to Test-Username2:
radius accounting keepalive username Test-Username2
The following command sets the number of retries to 4:
radius accounting keepalive retries 4

radius accounting rp

This command configures the current context’s RADIUS accounting R-P originated call options.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
radius accounting rp { handoff-stop { immediate | wait-active-stop } | tod minute hour | trigger-event { active-handoff | active-start-param-change | active-stop } | trigger-policy { airlink-usage [ counter-rollover ] | custom [ active-handoff | active-start-param-change | active-stop ] | standard } | trigger-stop-start }
no radius accounting rp { tod minute hour | trigger-event { active-handoff | active-start-param-change | active-stop } | trigger-stop-start }
default radius accounting rp { handoff-stop | trigger-policy }

no

Removes earlier configuration for the specified keyword.

default

Configures this command with the default settings.

handoff-stop { immediate | wait-active-stop }

Specifies the behavior of generating accounting STOP when handoff occurs.

  • immediate: Indicates that accounting STOP should be generated immediately on handoff, that is, without waiting for active-stop from the old PCF.
  • wait-active-stop: Indicates that accounting STOP is generated only when active-stop is received from the old PCF when handoff occurs.

Default: wait-active-stop

tod minute hour

Specifies the time of day a RADIUS event is to be generated for accounting. Up to four different times of the day may be specified through separate commands.

minute must be an integer from 0 through 59.

hour must be an integer from 0 through 23.

trigger-event { active-handoff | active-start-param-change | active-stop }

Configures the events for which a RADIUS event is generated for accounting as one of the following:

  • active-handoff: Disables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF Handoff occurs. Instead, two R-P events occur (one for the Connection Setup, and the second for the Active-Start). Default: Disabled
  • active-start-param-change: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change. Default: Enabled
  • active-stop: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF. Default: Disabled

IMPORTANT:

This keyword has been obsoleted by the trigger-policy keyword. Note that if this command is used, the RADIUS accounting RP configuration is represented in terms of the trigger-policy when the context configuration is displayed.

trigger-policy { airlink-usage [ counter-rollover ] | custom [ active-handoff | active-start-param-change | active-stop ] | standard }

Default:

  • airlink-usage: Disabled
  • custom active-handoff: Disabled
  • custom active-start-param-change: Disabled
  • custom active-stop: Disabled
  • standard: Enabled

Configures the overall accounting policy for R-P sessions as one of the following:

  • airlink-usage [ counter-rollover ]: Designates the use of Airlink-Usage RADIUS accounting policy for R-P, which generates a start on Active-Starts, and a stop on Active-Stops.

If the counter-rollover option is enabled, the system generates a STOP/START pair before input/output data octet counts (or input/output data packet counts) become larger than (2^32 - 1) in value. This setting is used to guarantee that a 32-bit octet count in any STOP message has not wrapped to larger than 2^32, thus ensuring the accuracy of the count. The system may send the STOP/START pair at any time, so long as it does so before the 32-bit counter has wrapped. Note that a STOP/START pair is never generated unless the subscriber RP session is in the Active state, since octet/packet counts are not accumulated in the Dormant state.

  • custom: Specifies the use of custom RADIUS accounting policy for R-P. The custom policy can consist of the following:
  • active-handoff: Enables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF Handoff occurs. Normally two R-P events will occur (one for the Connection Setup, and the second for the Active-Start).
  • active-start-param-change: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.

IMPORTANT:

Note that a custom trigger policy with only active-start-param-change enabled is identical to the standard trigger-policy.

  • active-stop: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.

IMPORTANT:

If the radius accounting rp trigger-policy custom command is executed without any of the optional keywords, all custom options are disabled.

  • standard: Specifies the use of Standard RADIUS accounting policy for R-P in accordance with IS-835B.

trigger-stop-start

Specifies that a stop/start RADIUS accounting pair should be sent to the RADIUS server when an applicable R-P event occurs.


Usage:

Use this command to configure the events for which a RADIUS event is sent to the server when the accounting procedures vary between servers.
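Why counter-rollover matters for billing accuracy under the airlink-usage policy, as an added Python model (not ASR 5000 code). RpSessionCounter, billed_octets and the traffic volumes are constructed for illustration, and the model assumes the STOP/START pair is emitted just before the addition that would exceed 2^32 - 1.

```python
MAX32 = 2**32 - 1     # largest value a 32-bit octet count can carry


class RpSessionCounter:
    """Octet accounting for one R-P session under airlink-usage (model only)."""

    def __init__(self, counter_rollover):
        self.counter_rollover = counter_rollover
        self.active = False
        self.octets = 0        # true octets since the last START
        self.records = []      # emitted (record type, reported octets)

    def active_start(self):
        """airlink-usage: a START is generated on Active-Start."""
        self.active = True
        self.octets = 0
        self.records.append(("START", 0))

    def active_stop(self):
        """airlink-usage: a STOP is generated on Active-Stop."""
        # The reported field is 32 bits wide, so a larger count wraps.
        self.records.append(("STOP", self.octets & MAX32))
        self.active = False

    def traffic(self, n):
        """Account n octets of subscriber traffic."""
        if not self.active:
            return             # Dormant: counts are not accumulated
        if self.counter_rollover and self.octets + n > MAX32:
            # Close the record before the counter can wrap, then reopen it.
            self.records.append(("STOP", self.octets))
            self.records.append(("START", 0))
            self.octets = 0
        self.octets += n


def billed_octets(records):
    """What a billing system sees: the sum of all STOP octet counts."""
    return sum(value for kind, value in records if kind == "STOP")


def run_session(counter_rollover, chunks):
    """Run one Active period carrying the given traffic chunks."""
    session = RpSessionCounter(counter_rollover)
    session.active_start()
    for n in chunks:
        session.traffic(n)
    session.active_stop()
    return session.records


if __name__ == "__main__":
    chunks = [2**31] * 3                 # constructed: 6 GiB in three bursts
    for setting in (False, True):
        records = run_session(setting, chunks)
        print(f"counter-rollover={setting}: {len(records)} records, "
              f"billed {billed_octets(records)} of {sum(chunks)} octets")
```

Without the rollover pair the single STOP in this run reports 2^31 octets for 3 × 2^31 octets of traffic, an undercount of exactly 2^32.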


Example:
The following command enables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF:
radius accounting rp trigger-event active-stop
The following command generates the STOP only when active-stop is received from the old PCF when handoff occurs:
default radius accounting rp handoff-stop

radius accounting server

This command configures RADIUS accounting server(s) in the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius [ mediation-device ] accounting server ip_address [ encrypted ] key value [ acct-on { enable | disable } ] [ acct-off { enable | disable } ] [ max max_messages ] [ oldports ] [ port port_number ] [ priority priority ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius [ mediation-device ] accounting server ip_address [ oldports | port port_number ]
no

Removes the server or server port(s) specified from the list of configured servers.

mediation-device

Enables mediation-device specific AAA transactions used to communicate with this RADIUS server.

IMPORTANT:

If this option is not used, the system by default enables standard AAA transactions.

ip_address

Specifies the IP address of the accounting server.

ip_address must be specified in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.

[ encrypted ] key value

Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.

acct-on { enable | disable }

Enables and disables sending of the Accounting-On message when a new RADIUS server is added to the configuration.

When enabled, the Accounting-On message is sent when a new RADIUS server is added in the configuration. However, if for some reason the Accounting-On message cannot be sent at the time of server configuration (for example, if the interface is down), then the message is sent as soon as possible. Once the Accounting-On message is sent, if it is not responded to after the configured RADIUS accounting timeout, the message is retried the configured number of RADIUS accounting retries. Once all retries have been exhausted, the system no longer attempts to send the Accounting-On message for this server.

Default: disable

acct-off { enable | disable }

Default: enable

Disables and enables the sending of the Accounting-Off message when a RADIUS server is removed from the configuration.

The Accounting-Off message is sent when a RADIUS server is removed from the configuration, or when there is an orderly shutdown. However, if for some reason the Accounting-On message cannot be sent at this time, it is never sent. The Accounting-Off message is sent only once, regardless of how many accounting retries are enabled.

max max_messages

Specifies the maximum number of outstanding messages that may be allowed to the server. max_messages must be an integer from 1 through 256. Default: 0

oldports

Sets the UDP communication port to 1646, the out-of-date standardized default for RADIUS communications.

port port_number

Specifies the port number to use for communications as an integer from 1 through 65535. Default: 1813

priority priority

Specifies the relative priority of this accounting server. The priority is used in server selection for determining which server to send accounting data to.

priority must be an integer from 1 through 1000, where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.

Default: 1000

type { mediation-device | standard }

Specifies the type of AAA transactions to use to communicate with this RADIUS server.

  • standard: Use standard AAA transactions.
  • mediation-device: This keyword is obsolete.

Default: standard

admin-status { enable | disable }

Enables or disables the RADIUS authentication/accounting/charging server functionality, and saves the status setting in the configuration file to re-establish the set status at reboot.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

This command is used to configure the RADIUS accounting servers with which the system is to communicate for accounting.

Up to 128 RADIUS servers can be configured per context. The servers can be configured as Accounting, Authentication, charging servers, or any combination thereof.


Example:
The following commands configure the RADIUS accounting server with the IP address set to 10.2.3.4, port to 1024, and priority to 10:
radius accounting server 10.2.3.4 key sharedKey port 1024 max 127
radius accounting server 10.2.3.4 encrypted key scrambledKey oldports priority 10
no radius accounting server 10.2.5.6
The following command sets the accounting server with mediation device transaction for AAA server 10.2.3.4:
radius mediation-device accounting server 10.2.3.4 key sharedKey port 1024 max 127
radius algorithm

This command configures the RADIUS authentication server selection algorithm for the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius algorithm { first-server | round-robin }
default radius algorithm
default

Configures this command with the default setting. Default: first-server

first-server

Sends authentication data to the first available server based upon the relative priority of each configured server.

round-robin

Sends authentication data in a circular queue fashion on a per Session Manager task basis where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.


Usage:

Use this command to configure the context’s RADIUS server selection algorithm to ensure proper load distribution through the available servers.


Example:
The following command configures the use of the round-robin algorithm for RADIUS server selection:
radius algorithm round-robin
radius allow

This command configures the system behavior to allow subscriber sessions when RADIUS accounting and/or authentication is unavailable.

Platform:

ASR 5000

Product:

PDSN, HA, FA


Privilege:

Security Administrator, Administrator


Syntax
[ no ] radius allow { accounting-down | authentication-down }
no

Removes earlier configuration for the specified keyword.

accounting-down

Allows sessions while accounting is unavailable (down). Default: Enabled

authentication-down

Allows sessions while authentication is not available (down). Default: Disabled


Usage:

Allow sessions during system troubles when the risk of IP address and/or subscriber spoofing is minimal. Denying sessions may cause subscriber dissatisfaction, whereas allowing them comes at the cost of verification and/or accounting data.

IMPORTANT:

Please note that this command is applicable ONLY to CDMA products. To configure this functionality in UMTS/LTE products (GGSN/P-GW), use the command mediation-device delay-GTP-response in APN Configuration mode.


Example:
The following command configures the RADIUS server to allow the sessions while accounting is unavailable:
radius allow accounting-down
radius attribute

This command configures the system’s RADIUS identification parameters.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius attribute { nas-identifier id | nas-ip-address address primary_address [ backup secondary_address ] [ nexthop-forwarding-address nexthop_ip_address ] [ vlan vlan_id ] [ mpls-label input in_label_value output out_label_value1 out_label_value1 ] }
no radius attribute { nas-identifier | nas-ip-address }
default radius attribute nas-identifier
no

Removes earlier configuration for the specified keyword.

default

Configures the default setting.

nas-identifier id

Specifies the attribute name by which the system will be identified in Access-Request messages. id must be an alphanumeric string of 1 through 32 characters that is case sensitive.

nas-ip-address address primary_address

Specifies the AAA interface IP address(es) to be used to identify the system. Up to two addresses can be configured. primary_address is the IP address of the primary interface to use in the current context in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

backup secondary_address

Specifies the IP address of the secondary interface to use in the current context in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]

This command configures the traffic from the specified AAA client NAS IP address to use the specified MPLS labels.

  • in_label_value is the MPLS label that identifies inbound traffic destined for the configured NAS IP address.
  • out_label_value1 and out_label_value2 identify the MPLS labels to be added to the packets sent from the specified NAS IP address.
    • out_label_value1 is the inner output label.
    • out_label_value2 is the outer output label.

MPLS label values must be an integer from 16 through 1048575.

IMPORTANT:

This option is available only when nexthop-forwarding gateway is also configured with the nexthop-forwarding-address keyword.

nexthop-forwarding-address nexthop_ip_address

Configures the next hop IP address for this NAS IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

vlan vlan_id

Specifies the VLAN ID to be associated with the next-hop IP address as an integer from 1 through 4094.


Usage:

This is necessary for NetWare Access Server usage, where the system must be identified to the NAS.

The system supports the concept of the active nas-ip-address. The active nas-ip-address is defined as the current source IP address for RADIUS messages being used by the system. This is the content of the nas-ip-address attribute in each RADIUS message.

The system will always have exactly one active nas-ip-address. The active nas-ip-address will start as the primary nas-ip-address. However, the active nas-ip-address may switch from the primary to the backup, or the backup to the primary. The following events will occur when the active nas-ip-address is switched:

  • All current in-process RADIUS accounting messages from the entire system are cancelled. The accounting message is re-sent, with retries preserved, using the new active nas-ip-address. Acct-Delay-Time, however, is updated to reflect the time that has elapsed since the accounting event. The value of Event-Timestamp is preserved.
  • All current in-process RADIUS authentication messages from the entire system are cancelled. The authentication message is re-sent, with retries preserved, using the new active nas-ip-address. The value of Event-Timestamp is preserved.
  • All subsequent in-process RADIUS requests use the new active nas-ip-address.

The system uses a revertive algorithm when transitioning active NAS IP addresses as described below:

  • If the configured primary nas-ip-address transitions from UP to DOWN, and the backup nas-ip-address is UP, then the active nas-ip-address switches from the primary to the backup nas-ip-address.
  • If the backup nas-ip-address is active, and the primary nas-ip-address transitions from DOWN to UP, then the active nas-ip-address switches from the backup to the primary nas-ip-address.

Example:
The following command configures the RADIUS attribute nas-ip-address as 10.2.3.4:
radius attribute nas-ip-address 10.2.3.4
radius authenticate null-username

This command enables (allows) or disables (prevents) the authentication of user names that are blank or empty. This is enabled by default.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
[ no | default ] radius authenticate null-username
default

Configures the default setting.

Default: Authenticate all user names, including NULL user names, by sending Access-Request messages to the AAA server.

no

Disables sending an Access-Request message to the AAA server for user names (NAI) that are blank.

null-username

Enables sending an Access-Request message to the AAA server for user names (NAI) that are blank.


Usage:

Use this command to disable, or re-enable, sending Access-Request messages to the AAA server for user names (NAI) that are blank (NULL).


Example:
The following command disables sending of Access-Request messages for user names (NAI) that are blank:
no radius authenticate null-username
The following command re-enables sending of Access-Request messages for user names (NAI) that are blank:
radius authenticate null-username
radius authenticate apn-to-be-included

This command configures the Access Point Name (APN) to be included for RADIUS authentication.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ default ] radius authenticate apn-to-be-included { gi | gn }
default

Configures the default setting.

gi

Specifies the use of the Gi APN name in the RADIUS authentication request. The Gi APN represents the APN received in the Create PDP Context Request message from the SGSN.

gn

Specifies the use of the Gn APN name in the RADIUS authentication request. The Gn APN represents the APN selected by the GGSN.


Usage:

Use this command to configure the APN name for RADIUS authentication. This can be set to either gi or gn.


Example:
The following command specifies the usage of Gn APN name in the RADIUS authentication request:
radius authenticate apn-to-be-included gn
radius authenticator-validation

This command enables (allows) or disables (prevents) the MD5 authentication of RADIUS users. By default this feature is enabled.

Platform:

ASR 5000

Product:

PDSN, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] radius authenticator-validation
default

Enables MD5 authentication validation for an Access-Request message to the AAA server.

no

Disables MD5 authentication validation for an Access-Request message to the AAA server.


Usage:

Use this command to disable, or re-enable, sending Access-Request messages to the AAA server for MD5 validation.


Example:
The following command disables MD5 authentication validation for Access-Request messages for user names (NAI):
no radius authenticator-validation
The following command enables MD5 authentication validation for Access-Request messages for user names (NAI):
radius authenticator-validation
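The following added example (not part of this guide and not StarOS code) is a Python audit that scans a configuration text for the security-relevant RADIUS settings documented in this chapter: radius allow authentication-down, no radius authenticator-validation, a key given without the encrypted keyword, and the check-disabling keywords of radius change-authorize-nas-ip described in the next section. The function name, rule names and sample configuration are constructed for illustration; the command spellings are the ones shown on this page.

```python
# Constructed sample configuration using only commands documented in this chapter.
SAMPLE_CONFIG = """\
radius accounting server 10.2.3.4 key sharedKey port 1024 max 127
radius charging server 10.2.3.4 encrypted key scrambledKey oldports priority 10
radius allow authentication-down
no radius authenticator-validation
radius change-authorize-nas-ip 192.168.100.10 key 123456 event-timestamp-window 0 no-reverse-path-forward-check
radius algorithm round-robin
"""


def value_after(words, keyword):
    """Return the token that follows keyword on the line, or None."""
    if keyword in words:
        i = words.index(keyword)
        if i + 1 < len(words):
            return words[i + 1]
    return None


def audit(config_text):
    """Return a list of (line number, rule, explanation) findings."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        w = line.split()
        if not w:
            continue
        # A key not preceded by "encrypted" is the plain text shared secret.
        if w[0] == "radius" and "key" in w[1:]:
            if w[w.index("key") - 1] != "encrypted":
                findings.append((lineno, "cleartext-key",
                                 "shared secret appears in plain text"))
        # Default is Disabled: sessions are refused while authentication is down.
        if w[:3] == ["radius", "allow", "authentication-down"]:
            findings.append((lineno, "auth-fail-open",
                             "sessions are allowed while authentication is down"))
        # Default is enabled: MD5 authenticator validation.
        if w[:3] == ["no", "radius", "authenticator-validation"]:
            findings.append((lineno, "authenticator-validation-off",
                             "MD5 authenticator validation is disabled"))
        if w[:2] == ["radius", "change-authorize-nas-ip"]:
            if "no-reverse-path-forward-check" in w:
                findings.append((lineno, "coa-rpf-off",
                                 "CoA/DM accepted from any AAA server"))
            if "no-nas-identification-check" in w:
                findings.append((lineno, "coa-nas-id-off",
                                 "NAS identifier/IP address not checked"))
            if value_after(w, "event-timestamp-window") == "0":
                findings.append((lineno, "coa-timestamp-window-off",
                                 "Event-Timestamp is ignored in CoA/DM"))
    return findings


if __name__ == "__main__":
    for lineno, rule, why in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}: {why}")
```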
radius change-authorize-nas-ip

This command configures the NAS IP address and UDP port on which the current context will listen for Change of Authorization (COA) messages and Disconnect Messages (DM). If the NAS IP address is not defined with this command, any COA or DM messages from the RADIUS server are returned with a Destination Unreachable error.

Platform:

ASR 5000

Product:

PDSN, FA, HA, GGSN, LNS


Privilege:

Security Administrator, Administrator


Syntax
radius change-authorize-nas-ip ip_address [ encrypted ] key value [ port port ] [ event-timestamp-window window ] [ no-nas-identification-check ] [ no-reverse-path-forward-check ] [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] ]
no radius change-authorize-nas-ip
no

Deletes the NAS IP address information which disables the system from receiving and responding to COA and DM messages from the RADIUS server.

ip_address

Specifies the NAS IP address of the current context’s AAA interface that was defined with the radius attribute command.

ip_address can be expressed in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

[ encrypted ] key value

Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.

port port

The UDP port on which to listen for CoA and DM messages. Default: 3799

event-timestamp-window window

When a COA or DM request is received with an event-time-stamp, if the current-time is greater than the received-pkt-event-time-stamp plus the event-time-stamp-window, the packet is silently discarded.

When a COA or DM request is received without the event-timestamp attribute, the packet is silently discarded.

window must be an integer from 0 through 4294967295. If window is specified as 0 (zero), this feature is disabled; the event-time-stamp attribute in COA or DM messages is ignored and the event-time-stamp attribute is not included in NAK or ACK messages. Default: 300

no-nas-identification-check

Disables the context from checking the NAS Identifier/NAS IP Address while receiving the CoA/DM requests. By default this check is enabled.

no-reverse-path-forward-check

Disables the context from checking whether received CoA or DM packets are from one of the AAA servers configured in the current context. Only the src-ip address in the received CoA or DM request is validated and the port and key are ignored. The reverse-path-forward-check is enabled by default.

When reverse-path-forward-check is disabled, CoA and DM messages are accepted from any AAA server.

mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]

This command configures COA traffic to use the specified MPLS labels.

  • in_label_value is the MPLS label that identifies inbound COA traffic.
  • out_label_value1 and out_label_value2 identify the MPLS labels to be added to COA response.
    • out_label_value1 is the inner output label.
    • out_label_value2 is the outer output label.

MPLS label values must be an integer from 16 through 1048575.


Usage:

Use this command to enable the current context to listen for COA and DM messages.

Any one of the following RADIUS attributes may be used to identify the subscriber:

  • 3GPP-IMSI: The subscriber’s IMSI. It may include the 3GPP-NSAPI attribute to delete a single PDP context rather than all of the PDP contexts of the subscriber when used with the GGSN product.
  • Framed-IP-address: The subscriber’s IP address.
  • Acct-Session-Id: Identifies a subscriber session or PDP context.

IMPORTANT:

For the GGSN product, the value for Acct-Session-Id that is mandated by 3GPP is used instead of the special value for Acct-Session-Id that we use in the RADIUS messages we exchange with a RADIUS accounting server.

IMPORTANT:

When this command is used in conjunction with the GGSN, CoA functionality is not supported.


Example:
The following command specifies the IP address 192.168.100.10 as the NAS IP address, a key value of 123456 and uses the default port of 3799:
radius change-authorize-nas-ip 192.168.100.10 key 123456
The following command disables the nas-identification-check for the above parameters:
radius change-authorize-nas-ip 192.168.100.10 key 123456 no-nas-identification-check
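The following added example (not part of this guide and not StarOS code) models in Python how a listener configured with radius change-authorize-nas-ip could apply the checks described above to a received CoA or DM request: reverse-path-forward check, Event-Timestamp window, and NAS identification check. Assumptions: the CoaListener class, the function names and the order of the checks are hypothetical; the request authenticator is computed as defined in RFC 5176; an absent NAS identification attribute is not treated as a mismatch.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

DISCONNECT_REQUEST, COA_REQUEST = 40, 43                      # RFC 5176 codes
NAS_IP_ADDRESS, NAS_IDENTIFIER, EVENT_TIMESTAMP = 4, 32, 55   # attribute types


@dataclass
class CoaListener:
    """Hypothetical model of one 'radius change-authorize-nas-ip' line."""
    nas_ip: str
    key: bytes
    aaa_servers: frozenset              # RADIUS servers configured in the context
    nas_identifier: str = ""
    window: int = 300                   # event-timestamp-window; 0 disables it
    nas_identification_check: bool = True
    reverse_path_forward_check: bool = True


def build_request(code, ident, attrs, key):
    """Encode a CoA/DM request; attrs is a list of (type, value-bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 5176: authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + key).digest()
    return header + auth + body


def parse_attrs(body):
    """Return {type: first value}; raise ValueError on a malformed attribute."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, body[i + 2:i + alen])
        i += alen
    return attrs


def check_request(cfg, packet, src_ip, now):
    """Return (accepted, reason) for one received datagram."""
    if cfg.reverse_path_forward_check and src_ip not in cfg.aaa_servers:
        return False, "source is not a configured AAA server"
    if len(packet) < 20:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False, "not a well-formed CoA/DM request"
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + cfg.key).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad request authenticator"
    try:
        attrs = parse_attrs(packet[20:])
    except ValueError as exc:
        return False, str(exc)
    if cfg.window:                      # window 0: the attribute is ignored
        raw = attrs.get(EVENT_TIMESTAMP)
        if raw is None or len(raw) != 4:
            return False, "missing Event-Timestamp"
        if now > struct.unpack("!I", raw)[0] + cfg.window:
            return False, "Event-Timestamp outside window"
    if cfg.nas_identification_check:
        ip = attrs.get(NAS_IP_ADDRESS)
        if ip is not None and ip != socket.inet_aton(cfg.nas_ip):
            return False, "NAS-IP-Address mismatch"
        ident = attrs.get(NAS_IDENTIFIER)
        if ident is not None and ident.decode("utf-8", "replace") != cfg.nas_identifier:
            return False, "NAS-Identifier mismatch"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample: a Disconnect-Request that is 400 seconds old.
    cfg = CoaListener("192.168.100.10", b"123456", frozenset({"10.2.3.4"}))
    now = 1_700_000_000
    pkt = build_request(DISCONNECT_REQUEST, 1,
                        [(EVENT_TIMESTAMP, struct.pack("!I", now - 400))], cfg.key)
    print(check_request(cfg, pkt, "10.2.3.4", now))
```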
radius charging

This command configures basic RADIUS options for Active Charging Services.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius charging { deadtime dead_minutes | detect-dead-server { consecutive-failures consecutive_failures | response-timeout timeout_duration } | max-outstanding max_messages | max-retries max_retries | max-transmissions transmissions | timeout timeout_duration }
default radius charging { deadtime | detect-dead-server | max-outstanding | max-retries | max-transmissions | timeout }
no radius charging { detect-dead-server | max-transmissions | timeout }
no

Removes configuration for the specified keyword.

default

Configures the default settings.

deadtime dead_minutes

Specifies the number of minutes to wait before attempting to communicate with a server which has been marked as unreachable.

dead_minutes must be an integer from 0 through 65535.

Default: 10

detect-dead-server { consecutive-failures consecutive_failures | response-timeout timeout_duration }

consecutive-failures consecutive_failures: Default: 4. Specifies the number of consecutive failures, for each AAA manager, before a server is marked as unreachable. consecutive_failures must be an integer from 0 through 1000.

response-timeout timeout_duration: Specifies the number of seconds for each AAA manager to wait for a response to any message before a server is detected as failed, or in a down state. timeout_duration must be an integer from 1 through 65535.

max-outstanding max_messages

Specifies the maximum number of outstanding messages a single AAA manager instance will queue. max_messages must be an integer from 1 through 4000. Default: 256

max-retries max_retries

Specifies the maximum number of times communication with a AAA server will be attempted before it is marked as unreachable and the detect dead servers consecutive failures count is incremented. max_retries must be an integer from 0 through 65535. Default: 5

max-transmissions transmissions

Sets the maximum number of re-transmissions for RADIUS authentication requests. This limit is used in conjunction with the max-retries for each server. transmissions must be an integer from 1 through 65535. Default: Disabled

When failing to communicate with a RADIUS server, the subscriber is failed once all of the configured RADIUS servers have been exhausted or once the configured number of maximum transmissions is reached.

For example, if 3 servers are configured and if the configured max-retries is 3 and max-transmissions is 12, then the primary server is tried 4 times (once plus 3 retries), the secondary server is tried 4 times, and then a third server is tried 4 times. If there is a fourth server, it is not tried because the maximum number of transmissions (12) has been reached.

timeout timeout_duration

Specifies the number of seconds to wait for a response from the RADIUS server before re-sending the messages. timeout_duration must be an integer from 1 through 65535. Default: 3


Usage:

Manage the basic Charging Service RADIUS options according to the RADIUS server used for the context.


Example:
The following command configures the AAA server to be marked as unreachable when the consecutive failure count exceeds 6:
radius charging detect-dead-server consecutive-failures 6
The following command sets the timeout value to 300 seconds to wait for a response from RADIUS server before resending the messages:
radius charging timeout 300
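The following added example (not part of this guide and not StarOS code) generalizes the max-transmissions example above into a small Python model of how max-retries, max-transmissions, timeout, detect-dead-server consecutive-failures and deadtime interact for one request. Assumptions: the class and method names are hypothetical, servers are tried in priority order, a server is marked unreachable when its consecutive failure count reaches the configured value, its failure count restarts when deadtime expires, and each unanswered transmission costs one timeout interval. Server addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class Server:
    address: str
    priority: int = 1000        # 1 is the highest priority
    failures: int = 0           # consecutive failed requests
    down_until: float = 0.0     # time (seconds) at which deadtime expires; 0 = Active


@dataclass
class ChargingRadius:
    servers: list
    max_retries: int = 5
    max_transmissions: int = 0  # 0 models the default (Disabled)
    timeout: int = 3            # seconds
    consecutive_failures: int = 4
    deadtime: int = 10          # minutes

    def send(self, now, reachable):
        """Send one request at time `now` (seconds).

        reachable is the set of server addresses that currently answer.
        Returns (answering address or None, transmissions in order, end time).
        """
        sent = []
        for srv in sorted(self.servers, key=lambda s: s.priority):
            if srv.down_until > now:
                continue                      # still inside deadtime: skip it
            if srv.down_until:                # deadtime expired: try it again
                srv.down_until, srv.failures = 0.0, 0
            for _ in range(1 + self.max_retries):
                if self.max_transmissions and len(sent) >= self.max_transmissions:
                    return None, sent, now    # transmission budget used up
                sent.append(srv.address)
                if srv.address in reachable:
                    srv.failures = 0
                    return srv.address, sent, now
                now += self.timeout           # wait for a response, then retry
            srv.failures += 1                 # retries exhausted on this server
            if self.consecutive_failures and srv.failures >= self.consecutive_failures:
                srv.down_until = now + self.deadtime * 60
        return None, sent, now                # all servers exhausted


def page_example():
    """Four servers, max-retries 3, max-transmissions 12, none reachable."""
    pool = ChargingRadius(
        [Server(f"10.0.0.{i}", priority=i) for i in range(1, 5)],
        max_retries=3, max_transmissions=12)
    return pool.send(now=0, reachable=set())


if __name__ == "__main__":
    answered_by, sent, finished = page_example()
    print(answered_by, sent, f"subscriber failed after {finished} s")
```

With the default timeout of 3 seconds, the 12 transmissions of the documented example take 36 seconds before the subscriber is failed.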
radius charging accounting algorithm

This command specifies the fail-over/load-balancing algorithm to be used for selecting RADIUS servers for charging services.

Platform:

ASR 5000

Product:

PDSN, GGSN


Privilege:

Security Administrator, Administrator


Syntax
radius charging accounting algorithm { first-n n | first-server | round-robin }
first-n n

Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. Response from any one of the n AAA servers would suffice to proceed with the call. The full set of accounting data is sent to each of the n AAA servers.

n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128. Default: 1 (Disabled)

first-server

Specifies that the context must send accounting data to the RADIUS server with the highest configured priority. In the event that this server becomes unreachable, accounting data is sent to the server with the next-highest configured priority. This is the default algorithm.

round-robin

Specifies that the context must load balance sending accounting data among all of the defined RADIUS servers. Accounting data is sent in a circular queue fashion on a per Session Manager task basis, where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.


Usage:

Use this command to specify the accounting algorithm to use to select RADIUS servers for charging services configured in the current context.


Example:
The following command specifies the round-robin algorithm for selecting the RADIUS server:
radius charging accounting algorithm round-robin
radius charging accounting server

This command configures RADIUS charging accounting servers in the current context for Active Charging Services prepaid accounting.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius charging accounting server ip_address [ encrypted ] key key [ max max_messages ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius charging accounting server ip_address [ oldports | port port_number ]
no

Removes the server or server port(s) specified from the list of configured servers.

ip_address

Specifies the IP address of the accounting server in IPv4 dotted-decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.

[ encrypted ] key key

Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.

max max_messages

Specifies the maximum number of outstanding messages that may be allowed to the server. max_messages must be an integer from 0 through 4000. Default: 0

max-rate max_rate

Specifies the rate (number of messages per second) at which the authentication messages should be sent to the RADIUS server. max_rate must be an integer from 0 through 1000. Default: 0 (Disabled)

oldports

Sets the UDP communication port to 1646, the out-of-date standardized default for RADIUS communications.

port port_number

Specifies the port number to use for communications as an integer from 1 through 65535. Default: 1813

priority priority

Specifies the relative priority of this accounting server. The priority is used in server selection for determining to which server to send accounting data. priority must be an integer from 1 through 1000 where 1 is the highest priority. Default: 1000

admin-status { enable | disable }

Enables or disables the RADIUS authentication/accounting/charging server functionality, and saves the status setting in the configuration file to re-establish the set status at reboot.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

This command is used to configure the RADIUS charging accounting server(s) with which the system is to communicate for Active Charging Services prepaid accounting requests.

Up to 128 AAA servers can be configured per context when the system is functioning as a PDSN and/or HA. Up to 16 servers are supported per context when the system is functioning as a GGSN.


Example:
The following commands configure RADIUS charging accounting server with the IP address set to 10.2.3.4, port to 1024, and priority to 10:
radius charging accounting server 10.2.3.4 key sharedKey port 1024 max 127
radius charging accounting server 10.2.3.4 encrypted key scrambledKey oldports priority 10
radius charging algorithm

This command configures the RADIUS authentication server selection algorithm for Active Charging Services for the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius charging algorithm { first-server | round-robin }
default radius charging algorithm
default

Configures the default setting. Default: first-server

first-server

Sends accounting data to the first available server based upon the relative priority of each configured server.

round-robin

Sends accounting data in a circular queue fashion on a per Session Manager task basis where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.


Usage:

Set the context’s RADIUS server selection algorithm for Active Charging Services to ensure proper load distribution through the servers available.


Example:
The following command configures the use of the round-robin algorithm for RADIUS server selection:
radius charging algorithm round-robin
radius charging server

This command configures the RADIUS charging server(s) in the current context for Active Charging Services prepaid authentication.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius charging server ip_address [ encrypted ] key key [ max max_messages ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius charging server ip_address [ oldports | port port_number ]
no

Removes the server or server port(s) specified from the list of configured servers.

ip_address

Specifies the IP address of the server in IPv4 dotted-decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.

[ encrypted ] key key

Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.

max max_messages

Specifies the maximum number of outstanding messages that may be allowed to the server. max_messages must be an integer from 0 through 4000. Default: 256

max-rate max_rate

Specifies the rate (number of messages per second), at which the authentication messages should be sent to the RADIUS server. max_rate must be an integer from 0 through 1000. Default: 0 (Disabled)

oldports

Sets the UDP communication port to 1645, the old default for RADIUS communications.

port port_number

Specifies the port number to use for communications as an integer from 1 through 65535. Default: 1812

priority priority

Specifies the relative priority of this accounting server. The priority is used in server selection for determining to which server to send accounting data. priority must be an integer from 1 through 1000 where 1 is the highest priority. Default: 1000

admin-status { enable | disable }

Enables or disables the RADIUS authentication/accounting/charging server functionality and saves the status setting in the configuration file to re-establish the set status at reboot.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

This command is used to configure the RADIUS charging server(s) with which the system is to communicate for Active Charging Services prepaid authentication requests.

Up to 128 AAA servers can be configured per context when the system is functioning as a PDSN and/or HA. Up to 16 servers are supported per context when the system is functioning as a GGSN.


Example:
The following commands configure RADIUS charging server with the IP address set to 10.2.3.4, port to 1024, and priority to 10:
radius charging server 10.2.3.4 key sharedKey port 1024 max 127
radius charging server 10.2.3.4 encrypted key scrambledKey oldports priority 10
radius deadtime

This command configures the maximum period of time (in minutes) that must elapse between when a context marks a RADIUS server as unreachable and when it can re-attempt to communicate with the server.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius deadtime minutes
default radius deadtime
default

Configures the default setting.

Default: 10 minutes

minutes

Specifies the number of minutes to wait before changing the state of a RADIUS server from “Down” to “Active”. minutes must be an integer from 0 through 65535.


Usage:

Use this command to configure the basic RADIUS parameters according to the RADIUS server used for the context.

IMPORTANT:

This parameter should be set to allow enough time to remedy the issue that originally caused the server’s state to be changed to “Down”. After the deadtime timer expires, the system returns the server’s state to “Active” regardless of whether or not the issue has been fixed.

IMPORTANT:

For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior appendix in the AAA and GTPP Interface Administration and Reference.


Example:
The following command configures the RADIUS deadtime to 100 minutes:
radius deadtime 100
radius detect-dead-server

This command configures how the system detects a dead RADIUS server.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius detect-dead-server { consecutive-failures consecutive_failures_count | keepalive | response-timeout timeout_duration }
{ default | no } radius detect-dead-server
no

Removes the configuration.

default

Configures the default setting.

  • consecutive-failures: Enabled; 4 consecutive failures
  • keepalive: Disabled
  • response-timeout: Disabled
consecutive-failures consecutive_failures_count

Specifies the number of consecutive times that the system must find the AAA server unreachable for the server to be marked unreachable, that is, for the server’s state to change from “Active” to “Down”.

consecutive_failures_count must be an integer from 1 through 1000. Default: Enabled; 4 consecutive failures

keepalive

Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers. Default: Disabled

response-timeout timeout_duration

Specifies the time duration, in seconds, that the system must wait for a response from the AAA server to any message before the server is marked unreachable, that is, before the server’s state is changed from “Active” to “Down”.

timeout_duration must be an integer from 1 through 65535. Default: Disabled


Usage:

Use this command to configure how the system detects a dead RADIUS server.

IMPORTANT:

If both consecutive-failures and response-timeout are configured, then both parameters must be met before a server’s state is changed to “Down”.

IMPORTANT:

The “Active” or “Down” state of a RADIUS server as defined by the system, is based on accessibility and connectivity. For example, if the server is functional but the system has placed it into a “Down” state, it could be the result of a connectivity problem. When a RADIUS server’s state is changed to “Down”, a trap is sent to the management station and the deadtime timer is started.


Example:
The following command enables the detect-dead-server consecutive-failures mechanism and configures the consecutive number of failures to 10:
radius detect-dead-server consecutive-failures 10
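
The interaction of consecutive-failures, response-timeout and the deadtime timer described above can be modelled as a small state machine. The following Python sketch is an added illustration, not StarOS code; the class, method and function names are hypothetical. It assumes that a response resets the failure count and that each “Not Responding” event (a request that exhausted radius max-retries) counts as one failure; the keepalive mechanism is not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ACTIVE, DOWN = "Active", "Down"


@dataclass
class DeadServerDetector:
    """Model of one RADIUS server's Active/Down state (illustrative only)."""
    consecutive_failures: Optional[int] = 4   # page default: enabled, 4 failures
    response_timeout: Optional[int] = None    # seconds; page default: disabled
    deadtime_minutes: int = 10                # page default for radius deadtime
    state: str = ACTIVE
    failures: int = 0
    last_response: float = 0.0
    down_since: Optional[float] = None
    log: List[Tuple[float, str]] = field(default_factory=list)

    def _expire_deadtime(self, now: float) -> None:
        """Down -> Active once deadtime has elapsed, whether or not the fault is fixed."""
        if self.state == DOWN and now - self.down_since >= self.deadtime_minutes * 60:
            expiry = self.down_since + self.deadtime_minutes * 60
            self.state, self.failures, self.down_since = ACTIVE, 0, None
            self.last_response = expiry  # assumption: the timeout window restarts here
            self.log.append((expiry, "deadtime expired: Down -> Active"))

    def on_response(self, now: float) -> str:
        """The server answered a message at time `now` (seconds)."""
        self._expire_deadtime(now)
        self.failures = 0
        self.last_response = now
        return self.state

    def on_not_responding(self, now: float) -> str:
        """A request exhausted its retries without an answer at time `now`."""
        self._expire_deadtime(now)
        if self.state == DOWN:
            return self.state
        self.failures += 1
        checks = []
        if self.consecutive_failures is not None:
            checks.append(self.failures >= self.consecutive_failures)
        if self.response_timeout is not None:
            checks.append(now - self.last_response >= self.response_timeout)
        # When both mechanisms are configured, both conditions must be met.
        if checks and all(checks):
            self.state, self.down_since = DOWN, now
            self.log.append((now, "Active -> Down: trap sent, deadtime timer started"))
        return self.state


def replay(detector: DeadServerDetector, events) -> List[str]:
    """events: (time_s, 'ok' | 'fail') in time order; returns the state after each event."""
    return [detector.on_response(t) if kind == "ok" else detector.on_not_responding(t)
            for t, kind in events]


if __name__ == "__main__":
    # Constructed timeline: the server never recovers, so it goes Down after
    # 4 failures, returns to Active when deadtime expires, then goes Down again.
    d = DeadServerDetector()
    timeline = [(t, "fail") for t in (0, 20, 40, 60, 300, 660, 680, 700, 720)]
    for (t, _), state in zip(timeline, replay(d, timeline)):
        print(f"t={t:>4}s  {state}")
    for when, what in d.log:
        print(f"log t={when}s  {what}")
```

With an unrepaired fault the server returns to “Active” when deadtime expires and absorbs further failed requests until it is marked “Down” again, which is why deadtime should cover the expected repair time.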
radius dictionary

Configures the RADIUS dictionary.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius dictionary dictionary
default radius dictionary
default

Configures the default setting.

dictionary

Specifies which dictionary to use.

dictionary must be one of the following values:


Table 1. RADIUS Dictionary Types
Dictionary Description

3gpp

This dictionary consists of all the attributes in the standard dictionary, and all of the attributes specified in 3GPP 32.015.

3gpp2

This dictionary consists of all the attributes in the standard dictionary, and all of the attributes specified in IS-835-A.

3gpp2-835

This dictionary consists of all the attributes in the standard dictionary, and all of the attributes specified in IS-835.

customXX

These are customized dictionaries. For information on custom dictionaries, please contact your local service representative.

XX is the integer of the custom dictionary.

NOTE: RADIUS dictionary custom23 should be used in conjunction with Active Charging Service (ACS).

standard

This dictionary consists only of the attributes specified in RFC 2865, RFC 2866, and RFC 2869.

starent

This dictionary consists of all the attributes in the starent-vsa1 dictionary and incorporates additional VSAs by using a two-byte VSA Type field. This dictionary is the master-set of all of the attributes in all of the dictionaries supported by the system.

starent-835

This dictionary consists of all of the attributes in the starent-vsa1-835 dictionary and incorporates additional VSAs by using a two-byte VSA Type field. This dictionary is the master-set of all of the attributes in all of the -835 dictionaries supported by the system.

starent-vsa1

This dictionary consists not only of the 3gpp2 dictionary, but also includes vendor-specific attributes (VSAs) as well. The VSAs in this dictionary support a one-byte wide VSA Type field in order to support certain RADIUS applications. The one-byte limit allows support for only 256 VSAs (0–255). This is the default dictionary.

IMPORTANT:

In 12.0 and later releases, no new attributes can be added to the starent-vsa1 dictionary. If there are any new attributes to be added, these can only be added to the starent dictionary. For more information, please contact your Cisco account representative.

starent-vsa1-835

This dictionary consists not only of the 3gpp2-835 dictionary, but also includes vendor-specific attributes (VSAs) as well. The VSAs in this dictionary support a one-byte wide VSA Type field in order to support certain RADIUS applications. The one-byte limit allows support for only 256 VSAs (0–255). This is the default dictionary.




Usage:

Use this command to configure the RADIUS dictionary.


Example:
The following command configures the RADIUS dictionary standard.
radius dictionary standard
radius group

This command has been deprecated and is replaced by AAA Server Group configurations. See the AAA Server Group Configuration Mode Commands chapter.

radius ip vrf

This command associates the specific AAA group (NAS-IP) with a Virtual Routing and Forwarding (VRF) Context instance for BGP/MPLS, GRE, and IPSec tunnel functionality, which needs VRF support for RADIUS communication. By default the VRF is NULL, which means that the AAA group is associated with the global routing table.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius ip vrf vrf_name
no radius ip vrf
no

Disables the configured IP Virtual Routing and Forwarding (VRF) context instance and removes the association between the VRF context instance and the AAA group instance (NAS-IP).

By default this command is disabled, which means the NAS-IP being used is assumed to be a non-VRF IP and the specific AAA group does not have any VRF association.

vrf_name

Specifies the name of a pre-configured VRF context instance. vrf_name is the alphanumeric string of a pre-configured VRF context configured in Context Configuration Mode via the ip vrf command.

CAUTION:

Any incorrect configuration, such as associating the AAA group with the wrong VRF instance or removing a VRF instance, causes RADIUS communication to fail.


Usage:

Use this command to associate/disassociate a pre-configured VRF context for a feature such as BGP/MPLS VPN or GRE, and IPSec tunneling which needs VRF support for RADIUS communication.

By default the VRF is NULL, which means that the AAA group (NAS-IP) is associated with the global routing table and the NAS-IP being used is assumed to be a non-VRF IP.

This IP VRF feature can be applied to RADIUS communication, which associates the VRF with the AAA group. This command must be configured whenever a VRF IP is used as a NAS-IP in the AAA group or at the Context level for the ‘default’ AAA group.

This is a required configuration because VRF IPs may overlap, so AAA needs to know which VRF the configured NAS-IP belongs to. With this support, different VRF-based subscribers can communicate with different RADIUS servers using the same, overlapping NAS-IP address, if required, across different AAA groups.


Example:
The following command associates VRF context instance ip_vrf1 with specific AAA group (NAS-IP):
radius ip vrf ip_vrf1
radius keepalive

This command configures the keepalive authentication parameters for the RADIUS server.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius keepalive [ calling-station-id id | consecutive-response responses_no_of | encrypted | interval interval_duration | password | retries retries_no_of | timeout timeout_duration | username user_name | valid-response access-accept [ access-reject ] ]
default radius keepalive { calling-station-id | consecutive-response | interval | password | retries | timeout | username | valid-response }
default

Configures the default setting for the specified parameter.

calling-station-id id

Configures the Calling-Station ID to be used for the keepalive authentication. id must be an alphanumeric string of size 1 to 15 characters. Default: 000000000000000

consecutive-response responses_no_of

Configures the number of consecutive authentication responses after which the server is marked as reachable. responses_no_of must be an integer from 1 through 10. Default: 1

encrypted password

Designates use of encryption for the password.

Default: Test-Password

interval interval_duration

Configures the time interval (in seconds) between two keepalive access requests. interval_duration must be an integer from 30 through 65535. Default: 30

password

Configures the password to be used for the authentication as an alphanumeric string of 1 through 63 characters. Default: Test-Password

retries retries_no_of

Configures the number of times the keepalive access request is sent before marking the server as unreachable. retries_no_of must be an integer from 3 through 10. Default: 3

timeout timeout_duration

Configures the time interval (in seconds) between keepalive access request retries. timeout_duration must be an integer from 1 through 30. Default: 3

username user_name

Configures the user name to be used for authentication as an alphanumeric string of 1 through 127 characters. Default: Test-Username

valid-response access-accept [ access-reject ]

Configures the valid response for the authentication request.

If access-reject is configured, then both access-accept and access-reject are considered as success for the keepalive authentication request.

If access-reject is not configured, then only access-accept is considered as success for the keepalive access request.

Default: keepalive valid-response access-accept


Usage:

Use this command to configure the Keepalive Authentication parameters for the RADIUS server.


Example:
The following command sets the user name for the RADIUS keepalive access requests to Test-Username2:
radius keepalive username Test-Username2
The following command sets the number of retries to 4:
radius keepalive retries 4
radius max-outstanding

This command configures the maximum number of outstanding messages a single AAA Manager instance will queue.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius max-outstanding max_messages
default radius max-outstanding
default

Configures the default setting.

Default: 256

max_messages

Specifies the maximum number of outstanding messages a single AAA Manager instance will queue. max_messages must be an integer from 1 through 4000. Default: 256


Usage:

Use this command to configure the maximum number of outstanding messages a single AAA Manager instance will queue.


Example:
The following command configures the maximum number of outstanding messages a single AAA Manager instance will queue to 100:
radius max-outstanding 100
radius max-retries

This command configures the maximum number of times communication with a AAA server will be attempted before it is marked as “Not Responding”.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius max-retries max_retries
default radius max-retries
default

Configures the default setting.

max_retries

Specifies the maximum number of times communication with a AAA server will be attempted before it is marked as “Not Responding”, and the detect dead server’s consecutive failures count is incremented. max_retries must be an integer from 0 through 65535. Default: 5


Usage:

Use this command to configure the maximum number of times communication with a AAA server will be attempted before it is marked as “Not Responding”.


Example:
The following command configures the maximum number of times communication with a AAA server will be attempted before it is marked as “Not Responding” to 10:
radius max-retries 10
radius max-transmissions

This command configures the maximum number of re-transmissions for RADIUS authentication requests.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius max-transmissions max_transmissions
{ default | no } radius max-transmissions
no

Deletes the RADIUS max-transmissions configuration.

default

Configures the default setting.

Default: Disabled

max_transmissions

Specifies the maximum number of re-transmissions for RADIUS authentication requests. This limit is used in conjunction with radius max-retries configuration for each server. max_transmissions must be an integer from 1 through 65535. Default: Disabled

When communication with a RADIUS server fails, the subscriber is failed once all of the configured RADIUS servers have been exhausted, or once the configured number of maximum transmissions is reached.

For example, if three servers are configured and if the configured max-retries is 3 and max-transmissions is 12, then the primary server is tried four times (once plus three retries), the secondary server is tried four times, and then a third server is tried four times. If there is a fourth server, it is not tried because the maximum number of transmissions (12) has been reached.


Usage:

Use this command to configure the maximum number of re-transmissions for RADIUS authentication requests.


Example:
The following command configures the maximum number of re-transmissions for RADIUS authentication requests to 10:
radius max-transmissions 10
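
The worked example above (three servers, max-retries 3, max-transmissions 12) generalizes to a schedule of which server is tried when, and how long a subscriber waits before authentication is failed. The following Python sketch is an added illustration, not StarOS code; the function names are hypothetical. It assumes that attempts are sent back to back, one radius timeout apart, and that the max-transmissions cap can cut off a server partway through its retries.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple


def auth_schedule(servers: List[str], max_retries: int = 5,
                  max_transmissions: Optional[int] = None,
                  timeout: int = 3) -> List[Tuple[int, str, int]]:
    """Return (send_time_s, server, attempt_no) for a request that no server answers.

    servers is in priority order. Defaults follow the page: max-retries 5,
    max-transmissions disabled (None), radius timeout 3 seconds.
    """
    if not 0 <= max_retries <= 65535:
        raise ValueError("max_retries must be 0-65535")
    if max_transmissions is not None and not 1 <= max_transmissions <= 65535:
        raise ValueError("max_transmissions must be 1-65535")
    if not 1 <= timeout <= 65535:
        raise ValueError("timeout must be 1-65535")
    schedule: List[Tuple[int, str, int]] = []
    now = 0
    for server in servers:
        # One initial request plus max_retries retries per server.
        for attempt in range(1, max_retries + 2):
            if max_transmissions is not None and len(schedule) >= max_transmissions:
                return schedule  # global cap reached; remaining servers are never tried
            schedule.append((now, server, attempt))
            now += timeout
    return schedule


def summarize(schedule: List[Tuple[int, str, int]],
              timeout: int = 3) -> Tuple[Dict[str, int], int]:
    """Return (attempts per server, seconds until the subscriber is failed)."""
    per_server = dict(Counter(server for _, server, _ in schedule))
    give_up = schedule[-1][0] + timeout if schedule else 0
    return per_server, give_up


if __name__ == "__main__":
    # Constructed server names; parameters are those of the example in the text.
    plan = auth_schedule(["primary", "secondary", "third", "fourth"],
                         max_retries=3, max_transmissions=12, timeout=3)
    for sent_at, server, attempt in plan:
        print(f"t={sent_at:>2}s  {server:<9}  attempt {attempt}")
    print(summarize(plan, timeout=3))
```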
radius mediation-device

See the radius accounting server command.

radius probe-interval

This command configures the interval between two RADIUS authentication probes.

Platform:

ASR 5000

Product:

All products supporting Interchassis Session Recovery (ICSR)


Privilege:

Security Administrator, Administrator


Syntax
radius probe-interval seconds
default radius probe-interval
default

Configures the default setting of 3.

seconds

Specifies the time duration (in seconds) to wait before sending another probe authentication request to a RADIUS server. The value must be an integer from 1 through 65535. Default: 3


Usage:

Use this command for ICSR support to set the duration between two authentication probes to the RADIUS server.


Example:
The following command sets the authentication probe interval to 30 seconds.
radius probe-interval 30
radius probe-max-retries

This command configures the number of retries for RADIUS authentication probe response.

Platform:

ASR 5000

Product:

All products supporting Interchassis Session Recovery (ICSR)


Privilege:

Security Administrator, Administrator


Syntax
radius probe-max-retries retries
default radius probe-max-retries
default

Configures the default setting.

Default: 5

retries

Specifies the number of retries for RADIUS authentication probe response before the authentication is declared as failed. retries must be an integer from 1 through 65535. Default: 5


Usage:

Use this command for ICSR support to set the number of attempts to send RADIUS authentication probe without a response before the authentication is declared as failed.


Example:
The following command sets the maximum number of retries to 6:
radius probe-max-retries 6
radius probe-timeout

This command configures the timeout duration to wait for a response for RADIUS authentication probes.

Platform:

ASR 5000

Product:

All products supporting Interchassis Session Recovery (ICSR)


Privilege:

Security Administrator, Administrator


Syntax
radius probe-timeout timeout_duration
default radius probe-timeout
default

Configures the default setting.

Default: 3

timeout_duration

Specifies the time duration (in seconds) to wait for a response from the RADIUS server before resending the authentication probe. timeout_duration must be an integer from 1 through 65535. Default: 3


Usage:

Use this command for ICSR support to set the duration to wait for a response before re-sending the RADIUS authentication probe to the RADIUS server.


Example:

The following command sets the authentication probe timeout to 120 seconds:

radius probe-timeout 120
radius server

This command configures RADIUS authentication server(s) in the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius server ip_address [ encrypted ] key value [ max max_messages ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ probe | no-probe ] [ probe-username user_name ] [ probe-password [ encrypted ] password password ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius server ip_address [ oldports | port port_number ]
no

Removes the server or server port(s) specified from the list of configured servers.

ip_address

Specifies the IP address of the server in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.

[ encrypted ] key value

Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.

max max_messages

Specifies the maximum number of outstanding messages that may be allowed to the server. max_messages must be an integer from 0 through 4000. Default: 256

max-rate max_rate

Specifies the rate (number of messages per second), at which the authentication messages should be sent to the RADIUS server. max_rate must be an integer from 0 through 1000. Default: 0 (Disabled)

oldports

Sets the UDP communication port to the old default for RADIUS communications, 1645.

port port_number

Specifies the port number to use for communications as an integer from 1 through 65535. Default: 1812

priority priority

Specifies the relative priority of this accounting server. The priority is used in server selection to determine which server to send accounting data to.

priority must be an integer from 1 through 1000 where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.

Default: 1000

probe

Enables probe messages to be sent to the specified RADIUS server.

no-probe

Disables probe messages from being sent to the specified RADIUS server. This is the default behavior.

probe-username username

Specifies the user name sent to the RADIUS server to authenticate probe messages. username must be an alphanumeric string of 1 through 127 characters.

probe-password [ encrypted ] password password

The password sent to the RADIUS server to authenticate probe messages.

encrypted: This keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

password password: Specifies the probe-user password for authentication. password must be an alphanumeric string of 1 through 63 characters.

type { mediation-device | standard }

Specifies the type of transactions the RADIUS server accepts.

mediation-device: Specifies mediation-device specific AAA transactions. This device is available if you purchased a transaction control services license. Contact your local sales representative for licensing information.

standard: Specifies standard AAA transactions. (Default)

admin-status { enable | disable }

Enables or disables the RADIUS authentication/accounting/charging server functionality, and saves the status setting in the configuration file to re-establish the set status at reboot.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

This command is used to configure the RADIUS authentication server(s) with which the system is to communicate for authentication.

Up to 128 RADIUS servers can be configured per context. The servers can be configured as Accounting, Authentication, charging servers, or any combination thereof.


Example:
The following commands configure RADIUS server with the IP address set to 10.2.3.4, port to 1024, and priority to 10:
radius server 10.2.3.4 key sharedKey port 1024 max 127
radius server 10.2.3.4 encrypted key scrambledKey oldports priority 10
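
When configuration scripts are reviewed before loading, the radius server syntax above lends itself to an automated check. The following Python sketch is an added illustration, not a Cisco tool; the function names, finding codes and sample lines are constructed here. It parses radius server lines, validates the documented ranges, and flags secrets written without the encrypted keyword and priorities shared between servers.

```python
import ipaddress

# Ranges and keywords copied from the "radius server" syntax on this page.
RANGES = {"max": (0, 4000), "max-rate": (0, 1000), "port": (1, 65535), "priority": (1, 1000)}
FLAGS = {"oldports", "probe", "no-probe", "-noconfirm"}
ENUMS = {"type": {"mediation-device", "standard"}, "admin-status": {"enable", "disable"}}

# Constructed sample script (not from a real system).
SAMPLE = """\
radius server 10.2.3.4 key sharedKey port 1024 max 127 priority 5
radius server 10.2.3.4 encrypted key scrambledKey oldports priority 10
radius server 10.2.3.5 encrypted key scrambledKey2 priority 10 -noconfirm
radius server 10.2.3.6 encrypted key scrambledKey3 max 5000 priority 20 probe probe-username probeUser probe-password password probePw
radius timeout 300
"""


def parse_radius_server(line):
    """Parse one 'radius server' line; return None for any other command.

    Secret values are never stored, only whether they carried 'encrypted'.
    """
    tok = line.split()
    if tok[:2] != ["radius", "server"] or len(tok) < 3:
        return None
    e = {"ip": tok[2], "has_key": False, "key_encrypted": False,
         "probe_pw_encrypted": None, "opts": {}, "flags": set(), "errors": []}
    try:
        ipaddress.ip_address(tok[2])
    except ValueError:
        e["errors"].append(("SYNTAX", f"invalid ip_address {tok[2]!r}"))
    it = iter(tok[3:])
    for t in it:
        if t in FLAGS:
            e["flags"].add(t)
        elif t in ("key", "encrypted"):
            if t == "encrypted" and next(it, None) != "key":
                e["errors"].append(("SYNTAX", "'encrypted' must be followed by 'key'"))
                continue
            e["key_encrypted"] = (t == "encrypted")
            e["has_key"] = next(it, None) is not None
        elif t in RANGES:
            raw, (lo, hi) = next(it, ""), RANGES[t]
            if raw.isdecimal() and lo <= int(raw) <= hi:
                e["opts"][t] = int(raw)
            else:
                e["errors"].append(("RANGE", f"{t} {raw!r} outside {lo}-{hi}"))
        elif t in ENUMS:
            raw = next(it, "")
            if raw in ENUMS[t]:
                e["opts"][t] = raw
            else:
                e["errors"].append(("SYNTAX", f"{t} {raw!r} not one of {sorted(ENUMS[t])}"))
        elif t == "probe-username":
            e["opts"][t] = next(it, None)
        elif t == "probe-password":
            nxt = next(it, None)
            e["probe_pw_encrypted"] = (nxt == "encrypted")
            if nxt == "encrypted":
                nxt = next(it, None)
            if nxt != "password" or next(it, None) is None:
                e["errors"].append(("SYNTAX", "probe-password needs 'password <value>'"))
        else:
            e["errors"].append(("SYNTAX", f"unknown keyword {t!r}"))
    return e


def audit(config_text):
    """Return (line_no, code, detail) findings for every 'radius server' line."""
    findings, seen_priority = [], {}
    for no, line in enumerate(config_text.splitlines(), 1):
        e = parse_radius_server(line.strip())
        if e is None:
            continue
        findings += [(no, code, msg) for code, msg in e["errors"]]
        if not e["has_key"]:
            findings.append((no, "NO_KEY", "key value is mandatory"))
        elif not e["key_encrypted"]:
            findings.append((no, "CLEAR_KEY", "shared secret is in clear text in the script"))
        if e["probe_pw_encrypted"] is False:
            findings.append((no, "CLEAR_PROBE_PW", "probe password is in clear text in the script"))
        # Page defaults: port 1812 (1645 with oldports), priority 1000.
        port = 1645 if "oldports" in e["flags"] else e["opts"].get("port", 1812)
        prio = e["opts"].get("priority", 1000)
        server = f"{e['ip']}:{port}"
        other = seen_priority.setdefault(prio, server)
        if other != server:
            how = ("confirmation suppressed by -noconfirm" if "-noconfirm" in e["flags"]
                   else "the CLI asks for confirmation")
            findings.append((no, "DUP_PRIORITY", f"priority {prio} already used by {other}; {how}"))
    return findings


if __name__ == "__main__":
    for line_no, code, detail in audit(SAMPLE):
        print(f"line {line_no}: {code}: {detail}")
```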
radius strip-domain

This command configures the stripping of the domain from the user name prior to authentication or accounting.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius strip-domain { authentication-only | accounting-only }
no radius strip-domain
no

Removes the RADIUS strip-domain configuration.

authentication-only

Specifies that the domain must be stripped from the user name prior to authentication.

accounting-only

Specifies that the domain must be stripped from the user name prior to accounting.


Usage:

Use this command to configure the stripping of domain from the user name prior to authentication or accounting.

By default, strip-domain configuration will be applied to both authentication and accounting messages, if configured. When the argument authentication-only or accounting-only is present, strip-domain is applied only to the specified RADIUS message types.


Example:
The following command configures the stripping of domain from the user name prior to authentication:
radius strip-domain authentication-only
radius timeout

This command configures the time duration to wait for a response from the RADIUS server before resending the messages.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
radius timeout timeout_duration
default radius timeout
default

Configures the default setting.

timeout_duration

Specifies the time duration (in seconds) to wait for a response from the RADIUS server before resending the messages. timeout_duration must be an integer from 1 through 65535. Default: 3


Usage:

Use this command to configure the time duration to wait for a response from the RADIUS server before resending the messages.


Example:
The following command configures the RADIUS timeout parameter to 300 seconds:
radius timeout 300
radius trigger

This command enables specific RADIUS triggers. The RADIUS Trigger configuration in the Context Configuration Mode is to enable backward compatibility. To configure RADIUS triggers for the default AAA group, you must configure them in the Context Configuration Mode.

Platform:

ASR 5000

Product:

GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax
[ no ] radius trigger { ms-timezone-change | qos-change | rai-change | rat-change | serving-node-change | uli-change }
default radius trigger
no

Disables the specified RADIUS trigger.

default

Configures the default setting.

Default: All RADIUS triggers are enabled.

ms-timezone-change

Specifies to enable RADIUS trigger for MS time zone change.

qos-change

Specifies to enable RADIUS trigger for Quality of Service change.

rai-change

Specifies to enable RADIUS trigger for Routing Area Information change.

rat-change

Specifies to enable RADIUS trigger for Radio Access Technology change.

serving-node-change

Specifies to enable RADIUS trigger for Serving Node change.

uli-change

Specifies to enable RADIUS trigger for User Location Information change.


Usage:

Use this command to enable RADIUS triggers.


Example:
The following command enables RADIUS trigger for RAT change:
radius trigger rat-change
route-access-list extended

Configures an access list for filtering routes based on a specified range of IP addresses.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] route-access-list extended identifier { deny | permit } ip { network_parameter } { mask_parameter }
no

Deletes the specified route access list.

identifier

Specifies a value to identify the route access list as an integer from 100 through 999.

deny

Deny routes that match the specified criteria.

permit

Permit routes that match the specified criteria.

ip network_parameter ip_address wildcard_mask
Specifies the network portion of the route to match. The network portion of the route is mandatory and must be expressed in one of the following ways:
  • ip_address wildcard_mask: Matches a network address and wildcard mask expressed in IPv4 dotted-decimal notation.
  • any: Matches any network address.
  • host network_address: Match the specified network address exactly. network_address must be an IPv4 address specified in dotted-decimal notation.
mask_parameter
This specifies the mask portion of the route to match. The mask portion of the route is mandatory and must be expressed in one of the following ways:
  • mask_address wildcard_mask: A mask address and wildcard mask expressed in IPv4 dotted-decimal notation.
  • any: Match any network mask.
  • host mask_address: Match the specified mask address exactly. mask_address must be an IPv4 address specified in dotted-decimal notation.

Usage:

Use this command to create an extended route-access-list that matches routes based on network addresses and masks.


Example:
Use the following command to create an extended route-access-list:
route-access-list extended 100 permit ip 192.168.100.0 0.0.0.255
route-access-list named

Configures an access list for filtering routes based on a network address and net mask.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] route-access-list named list_name { deny | permit } { ip_address/mask | any } [ exact-match ]
no

Deletes the specified route access list.

list_name

Specifies the name that identifies the route access list as an alphanumeric string of 1 through 79 characters.

deny

Denies routes that match the specified criteria.

permit

Permits routes that match the specified criteria.

ip_address/mask

Specifies the IP address (in IPv4 dotted-decimal notation) and the number of subnet bits, representing the subnet mask in CIDR notation (for example 10.1.1.1/24).

any

Matches any route.

exact-match

Matches the IP address prefix exactly.


Usage:

Use this command to create route-access lists that specify routes that are accepted.


Example:
Use the following command to create a route access list named list27 that permits routes that match 192.168.1.0/24 exactly:
route-access-list named list27 permit 192.168.1.0/24 exact-match
To delete the list, use the following command:
no route-access-list named list27 permit 192.168.1.0/24 exact-match
route-access-list standard

Configures an access-list for filtering routes based on network addresses.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] route-access-list standard identifier { permit | deny } { ip_address wildcard_mask | any | host network_address }
no

Deletes the specified route access list.

identifier

Specifies a value that identifies the route-access-list as an integer from 1 through 99.

deny

Denies routes that match the specified criteria.

permit

Permits routes that match the specified criteria.

ip_address wildcard_mask

Specifies the IP address and subnet mask to match for routes. Both ip_address and wildcard_mask must be entered in IPv4 dotted-decimal notation. (For example, 192.168.100.0 255.255.255.0)

any

Matches any route.

host network_address

Matches only routes having the specified network address as if it had a 32-bit network mask. network_address must be an IPv4 address specified in dotted-decimal notation.


Usage:

Use this command to create route-access-lists that specify routes that are accepted.


Example:
Use the following command to create a route access list with an identifier of 10 that permits routes:
route-access-list standard 10 permit 192.168.1.0 255.255.255.0
To delete the list, use the following command:
no route-access-list standard 10 permit 192.168.1.0 255.255.255.0
route-map

Creates a route-map that is used by the routing features and enters Route-map Configuration mode. A route-map allows redistribution of routes and includes a list of match and set commands associated with it. The match commands specify the conditions under which redistribution is allowed; the set commands specify the particular redistribution actions to be performed if the criteria specified by match commands are met. Route-maps are used for detailed control over route distribution between routing processes. Up to eight route-maps can be created in each context. Refer to the Route-map Configuration Mode Commands chapter for more information.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
route-map map_name { deny | permit } seq_number
no route-map map_name
no

Deletes the specified route map.

map_name

Specifies the name of the route map to create or edit as an alphanumeric string of 1 through 69 characters.

deny

If the deny parameter is specified and the match command criteria are met, the route is not redistributed and any other route maps with the same map name are not examined. Set commands have no effect on deny route-maps.

permit

If the permit parameter is specified, and the match criteria are met, the route is redistributed as specified by set actions. If the match criteria are not met, the next route map with the same name is tested.

seq_number

Specifies the sequence number that indicates the position a new route map is to have in the list of route maps already configured with the same name. Route maps with the same name are tested in ascending order of their sequence numbers. This must be an integer from 1 through 65535.


Usage:

Use this command to create route maps that allow redistribution of routes based on specified criteria and set parameters for the routes that get redistributed. The chassis supports a maximum of 64 route maps per context.


Example:
To create a route map named map1 that permits routes that match the specified criteria, use the following command:
route-map map1 permit 10
To delete the route-map, enter the following command:
no route-map map1 permit 10
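The ordering rules above decide which routes are redistributed, so a wrongly numbered entry can leak a prefix that a later deny was meant to block. The following sketch is an added example, not code from this reference or from the product: the prefix-based match criterion, the set_actions dictionary and the rule that a route matching no entry is not redistributed are assumptions made for illustration (the actual match and set commands are in the Route-map Configuration Mode Commands chapter).

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class RouteMapEntry:
    """One 'route-map map_name { deny | permit } seq_number' entry."""
    name: str
    action: str                          # "permit" or "deny"
    seq: int                             # 1 through 65535
    match_prefix: Optional[str] = None   # hypothetical match criterion; None matches every route
    set_actions: Dict[str, int] = field(default_factory=dict)  # hypothetical set actions

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, got {self.action!r}")
        if not 1 <= self.seq <= 65535:
            raise ValueError("seq_number must be an integer from 1 through 65535")
        if not 1 <= len(self.name) <= 69:
            raise ValueError("map_name must be 1 through 69 characters")

    def matches(self, route: str) -> bool:
        """True when the route lies inside match_prefix (or no criterion is set)."""
        if self.match_prefix is None:
            return True
        return ip_network(route).subnet_of(ip_network(self.match_prefix))


def evaluate(entries: List[RouteMapEntry], name: str,
             route: str) -> Tuple[bool, Dict[str, int], Optional[int]]:
    """Return (redistribute, applied set actions, sequence number that decided)."""
    # Entries with the same name are tested in ascending order of sequence number.
    same_name = sorted((e for e in entries if e.name == name), key=lambda e: e.seq)
    for entry in same_name:
        if not entry.matches(route):
            continue                      # criteria not met: test the next entry
        if entry.action == "deny":
            return False, {}, entry.seq   # deny + match: stop, set commands have no effect
        return True, dict(entry.set_actions), entry.seq
    return False, {}, None                # assumption: nothing matched, nothing redistributed


# Constructed sample entries (not taken from a real configuration).
ENTRIES = [
    RouteMapEntry("map1", "permit", 20, None, {"metric": 100}),
    RouteMapEntry("map1", "deny", 5, "10.0.0.0/8", {"metric": 1}),
    RouteMapEntry("map1", "permit", 10, "192.168.0.0/16", {"metric": 20}),
    RouteMapEntry("map2", "permit", 10, "192.168.0.0/16"),
    # map3 is deliberately misordered: the catch-all permit precedes the deny.
    RouteMapEntry("map3", "permit", 1, None),
    RouteMapEntry("map3", "deny", 5, "10.0.0.0/8"),
]

if __name__ == "__main__":
    for map_name, route in [("map1", "10.1.0.0/16"), ("map1", "192.168.1.0/24"),
                            ("map1", "172.16.0.0/12"), ("map3", "10.1.0.0/16")]:
        print(map_name, route, evaluate(ENTRIES, map_name, route))
```

In map3 the 10.1.0.0/16 route is redistributed because sequence 1 matches before the deny at sequence 5 is ever tested, which is the ordering mistake to look for when reviewing route maps.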
router

Enables BGP, Open Shortest Path First (OSPF) or OSPF version 3 (OSPFv3) routing functionality and enters the corresponding Configuration Mode. Refer to the BGP Configuration Mode Commands, OSPF Configuration Mode Commands or OSPFv3 Configuration Mode Commands chapter for details on associated Configuration mode commands.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] router { bgp as_number | ospf | ospfv3 | rip }
no

Disables the specified routing support in the current context.

bgp as_number

Enables a BGP routing service for this context and assigns it the specified Autonomous System (AS) number before entering the BGP Configuration mode. as_number must be an integer from 1 through 4294967295.

IMPORTANT:

BGP routing is supported only for use with the HA.

ospf

Enables OSPF routing in this context and enters OSPF Configuration mode.

ospfv3

Enables OSPFv3 routing in this context and enters OSPFv3 Configuration mode.


Usage:

Use this command to enable and configure OSPF and BGP routing in the current context.

IMPORTANT:

You must obtain and install a valid license key to use these features. Refer to the System Administration Guide for details on obtaining and installing feature use license keys.


Example:
The following command enables the OSPF routing functionality and enters the OSPF Configuration Mode:
router ospf
The following command enables the OSPFv3 routing functionality and enters the OSPFv3 Configuration Mode:
router ospfv3
The following command enables a BGP routing service with an AS number of 100, and enters the BGP Configuration Mode:
router bgp 100
server

Configures remote server access protocols for the current context. This command is used to enter the specified protocol's configuration mode.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
server { ftpd | named | sshd | telnetd | tftpd }
no server { ftpd | named | sshd | telnetd | tftpd } [ kill ]
no

Disables the specified service.

ftpd

Enters the FTP Server Configuration Mode.

IMPORTANT:

The FTPD server can only be configured in the local context.

named

Starts the named server.

sshd

Enters the SSH Server Configuration Mode.

IMPORTANT:

The SSHD server allows only three unsuccessful login attempts before closing a login session attempt.

telnetd

Enters the Telnet Server Configuration Mode.

IMPORTANT:

The TELNET server allows only three unsuccessful login attempts before closing a login session attempt.

tftpd

Enters the TFTP Server Configuration Mode.

IMPORTANT:

The TFTPD server can only be configured in the local context.

kill

Indicates all instances of the server are to be stopped.

This option only works with the ftpd, sshd, telnetd, and tftpd commands.


Usage:

Enter the Context Configuration Mode for the appropriate, previously defined context to set the server option(s). Repeat the command as needed to enable or disable more than one server daemon.


Example:
server ftpd
server named
no server tftpd
server sshd
server telnetd
no server telnetd kill
service-redundancy-protocol

Configures Interchassis Session Recovery (ICSR) services for the current context. This command is used to enter the Service Redundancy Protocol Configuration Mode.

Platform:

ASR 5000

Product:

All products supporting ICSR


Privilege:

Security Administrator, Administrator


Syntax
service-redundancy-protocol

Usage:

Enter the configuration mode to set the service redundancy protocol options.


Example:
The following command enters Service Redundancy Protocol Configuration Mode.
service-redundancy-protocol
sgsn-service

Creates an SGSN service instance and enters the SGSN Service Configuration mode. This mode configures or edits the configuration for an SGSN service which controls the SGSN functionality.

An SGSN mediates access to GPRS/UMTS network resources on behalf of user equipment (UE) and implements the packet scheduling policy between different QoS classes. It is responsible for establishing the packet data protocol (PDP) context with the GGSN.

IMPORTANT:

For details about the commands and parameters, check the SGSN Service Configuration Mode chapter.

Platform:

ASR 5000

Product:

SGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sgsn-service srvc_name
no

Remove the configuration for the specified SGSN service from the configuration of the current context.

srvc_name

Specifies the name of the SGSN service as a unique alphanumeric string of 1 through 63 characters.


Usage:

Use this command to create, edit, or remove an SGSN service.


Example:
The following command creates an SGSN service named sgsn1 in the current context:
sgsn-service sgsn1
The following command removes the sgsn service named sgsn1 from the configuration for the current context:
no sgsn-service sgsn1
sgs-service

Creates an SGs service instance and enters the SGS Service Configuration mode.

Platform:

ASR 5000

Product:

MME


Privilege:

Administrator


Syntax
[ no ] sgs-service name
no

Remove the configuration for the specified SGs service from the configuration of the current context.

name

Specifies a name for an SGs service as a unique alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.


Usage:

Enter the SGS Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Entering this command results in the following CLI prompt:

[context_name]hostname(config-sgs-service)#

SGS Service Configuration Mode commands are defined in the MME SGS Service Configuration Mode Commands chapter.


Example:
The following command creates an SGS service named sgs1 in the current context:
sgs-service sgs1
The following command removes the SGS service named sgs1 from the configuration for the current context:
no sgs-service sgs1
sgw-service

Creates an S-GW service or specifies an existing S-GW service and enters the S-GW Service Configuration Mode for the current context.

Platform:

ASR 5000

Product:

S-GW


Privilege:

Administrator


Syntax
sgw-service service_name [ -noconfirm ]
no sgw-service service_name
service_name

Specifies the name of the S-GW service. If service_name does not refer to an existing service, the new service is created if resources allow. service_name is an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

no sgw-service service_name

Removes the specified S-GW service from the context.


Usage:

Enter the S-GW Service Configuration Mode for an existing service or for a newly defined service. This command is also used to remove an existing service.

A maximum of 256 services (regardless of type) can be configured per system.

CAUTION:

Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.

Entering this command results in the following prompt:

[context_name]hostname(config-sgw-service)#

S-GW Service Configuration Mode commands are defined in the S-GW Service Configuration Mode Commands chapter.

Use this command when configuring the following SAE components: S-GW.


Example:
The following command enters the existing S-GW Service Configuration Mode (or creates it if it does not already exist) for the service named sgw-service1:
sgw-service sgw-service1
The following command removes sgw-service1 from the system:
no sgw-service sgw-service1
ssh

Generates public and private keys for use with the configured Secure Shell (SSH) server for the current context and sets the public/private key pair to specified values.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
ssh { generate key | key data length octets } [ type { v1-rsa | v2-rsa | v2-dsa } ]
no ssh key [ type { v1-rsa | v2-rsa | v2-dsa } ]
no ssh key [ type { v1-rsa | v2-rsa | v2-dsa } ]

This command clears configured SSH keys. If type is not specified, all SSH keys are cleared.

generate key

Generates a public/private key pair which is to be used by the SSH server. The generated key pair is in use until the command is issued again.

key data length octets

Sets the public/private key pair to be used by the system where data is the encrypted key and length is the length of the encrypted key in octets. data must be an alphanumeric string of 1 through 1023 characters and octets must be a value in the range of 0 through 65535.

[ type { v1-rsa | v2-rsa | v2-dsa } ]
Specifies the type of SSH key to generate. If type is not specified, all three key types are generated.
  • v1-rsa: SSH v1 RSA host key only
  • v2-rsa: SSH v2 RSA host key only
  • v2-dsa: SSH v2 DSA host key only

IMPORTANT:

For maximum security, it is recommended that only SSH v2 be used. v2-rsa is the recommended key type.


Usage:

Generate secure shell keys for use in public key authentication.


Example:
ssh generate key
ssh key g6j93fw59cx length 128
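The server and ssh commands together determine which remote-access daemons and SSH host key types a context exposes. The following audit sketch is an added example, not part of this reference or of any product tooling: it replays the commands of one context in order and reports cleartext daemons (Telnet, FTP and TFTP carry data unencrypted) and key types other than the recommended v2-rsa. It assumes one command per line and that key generation is additive across key types; the sample configurations are constructed from the example commands on this page.

```python
from typing import List, Set, Tuple

CLEARTEXT_SERVERS = {"ftpd", "telnetd", "tftpd"}   # daemons whose protocols are unencrypted
KEY_TYPES = ("v1-rsa", "v2-rsa", "v2-dsa")         # key types accepted by the ssh command


def audit_context(config_text: str) -> List[Tuple[str, str, str]]:
    """Replay 'server' and 'ssh' commands; return (severity, item, message) findings."""
    servers: Set[str] = set()
    key_types: Set[str] = set()
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        negate = words[0] == "no"
        if negate:
            words = words[1:]
        if len(words) >= 2 and words[0] == "server":
            # 'no server X [ kill ]' disables the daemon; 'server X' enables it.
            if negate:
                servers.discard(words[1])
            else:
                servers.add(words[1])
        elif len(words) >= 2 and words[0] == "ssh":
            typed = len(words) >= 4 and words[-2] == "type"
            if typed and words[-1] not in KEY_TYPES:
                continue                              # not a key type from the syntax
            if negate:
                # 'no ssh key' clears every key unless a type is named.
                key_types = key_types - {words[-1]} if typed else set()
            elif typed:
                key_types.add(words[-1])
            elif words[1] == "generate":
                key_types |= set(KEY_TYPES)           # no type: all three are generated
            else:
                key_types.add("unspecified")          # 'ssh key data length n' without type

    findings: List[Tuple[str, str, str]] = []
    for name in sorted(servers & CLEARTEXT_SERVERS):
        findings.append(("high", name,
                         f"server {name} is enabled; remove with: no server {name}"))
    if "v1-rsa" in key_types:
        findings.append(("high", "v1-rsa",
                         "SSH v1 host key present; remove with: no ssh key type v1-rsa"))
    if "v2-dsa" in key_types:
        findings.append(("low", "v2-dsa",
                         "v2-dsa host key present; v2-rsa is the recommended key type"))
    if "unspecified" in key_types:
        findings.append(("info", "unspecified",
                         "key set without the type keyword; confirm its type manually"))
    return findings


# Constructed sample: the example commands from the server and ssh sections.
WEAK_CONTEXT = """\
server ftpd
server named
no server tftpd
server sshd
server telnetd
no server telnetd kill
ssh generate key
"""

# Constructed sample: the same context after hardening.
HARDENED_CONTEXT = """\
server sshd
no server telnetd kill
no server ftpd
ssh generate key
no ssh key type v1-rsa
no ssh key type v2-dsa
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONTEXT), ("hardened", HARDENED_CONTEXT)):
        print(label, audit_context(text))
```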
ssl

Creates a new Secure Sockets Layer (SSL) template or specifies an existing one and enters the SSL Template Configuration Mode.

Platform:

ASR 5000

Product:

SCM


Privilege:

Administrator


Syntax
[ no ] ssl template name { ssl-subscriber }
no

Removes the specified SSL template from the context.

template name

Specifies the name of a new or existing SSL template as an alphanumeric string of 1 through 127 characters.

ssl-subscriber

Specifies that the SSL template is an SSL subscriber template.


Usage:

Use this command to create a new SSL template or modify an existing one.

Entering this command results in the following prompt:

[context_name]hostname(cfg-ctx-ssl-subscriber-template)#

SSL Template Configuration Mode commands are defined in the SSL Template Configuration Mode Commands chapter.


Example:
The following command specifies the SSL template ssl_template_1 and enters the SSL Template Configuration Mode:
ssl template ssl_template_1 ssl-subscriber
subscriber

Configures the specified subscriber for the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
subscriber { default | name user_name } asn-service-info mobility [ ipv4 | ipv6 | ipv6-ipv4 ]
no subscriber { default | name user_name }
no

Indicates the subscriber specified is to be removed from the list of allowed users for the current context.

default | name user_name

default: Enters the Subscriber Configuration Mode for the context’s default subscriber settings.

name user_name: Specifies the user which is to be allowed to use the services of the current context. user_name must be an alphanumeric string of 1 through 127 characters.

asn-service-info mobility: Indicates the type of mobility supported and enabled in the Autonomous System Number (ASN).


Usage:

Enter the Subscriber Configuration Mode for actual users as well as for a default subscriber for the current context.

Entering this command results in the following prompt:

[context_name]hostname(config-subscriber)#

Subscriber Configuration Mode commands are defined in the Subscriber Configuration Mode Commands chapter.

NAS uses the specified parameter for asn-service-info mobility to indicate and pack the mobility support field for IPv4, IPv6, or both, in the Service-Info attribute in the Access-request. RADIUS sends back this attribute in the Access-accept message by indicating respective bits to authorize the service indicated by NAS.

IMPORTANT:

A maximum of 128 subscribers and/or administrative users may be locally configured per context.


Example:
The following command configures the default subscriber in a context:
subscriber default
The following command removes the default subscriber from a context:
no subscriber default
The following command configures a subscriber named user1 in a context:
subscriber name user1
The following command removes a subscriber named user1 from a context:
no subscriber name user1
threshold available-ip-pool-group

Configures context-level thresholds for IP pool utilization for the system.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
threshold available-ip-pool-group low_thresh [ clear high_thresh ]
default threshold available-ip-pool-group
default

Configures the default setting.

low_thresh

The low threshold IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. low_thresh can be configured as an integer from 0 through 100. Default: 10

clear high_thresh

Specifies the high threshold IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm will be generated. high_thresh can be configured as an integer from 0 through 100. Default: 10

IMPORTANT:

This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.


Usage:

When IP address pools are configured on the system, they can be assigned to a group. IP address pool utilization thresholds generate alerts or alarms based on the utilization percentage of all IP addresses contained in the pool group during the specified polling interval.

All configured public IP address pools that were not assigned to a group are treated as belonging to the same group. Individual configured static or private pools are each treated as their own group.

Alerts or alarms are triggered for IP address pool utilization based on the following rules:

  • Enter Condition: Actual IP address utilization percentage per pool group < Low Threshold
  • Clear Condition: Actual IP address utilization percentage per pool group > High Threshold

If a trigger condition occurs within the polling interval, the alert or alarm will not be generated until the end of the polling interval.

The following table describes the possible methods for configuring IP pool utilization thresholds:


Table 2. IP Pool Utilization Thresholds - Configuration Methods

Method                  Description
Context-level           A single IP pool utilization threshold can be configured for all IP pool groups within a given system context. If a single threshold is configured for all pool groups, separate alerts or alarms can be generated for each group. This command configures that threshold.
IP address pool-level   Each individual IP address pool can be configured with its own threshold. Thresholds configured for individual pools take precedence over the context-level threshold that would otherwise be applied (if configured). In the event that two IP address pools belonging to the same pool group are configured with different thresholds, the system uses the pool configuration that has the greatest low threshold for that group.




Example:
The following command configures a context-level IP pool utilization low threshold percentage of 10 and a high threshold of 35 for a system using the Alarm thresholding model:
threshold available-ip-pool-group 10 clear 35
threshold ha-service init-rrq-rcvd-rate

Sets an alarm or alert based on the average number of calls setup per second for an HA service.

Platform:

ASR 5000

Product:

HA


Privilege:

Security Administrator, Administrator


Syntax
threshold ha-service init-rrq-rcvd-rate high_thresh [ clear low_thresh ]
no threshold ha-service init-rrq-rcvd-rate
no

Deletes the alert or alarm.

high_thresh

Sets the high threshold average number of calls setup per second that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured as an integer from 0 through 1000000. Default: 0

clear low_thresh

Sets the low threshold average number of calls setup per second that must be met or exceeded within the polling interval to clear an alert or alarm. It can be configured as an integer from 0 through 1000000. Default: 0

IMPORTANT:

This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.


Usage:

Use this command to set an alert or an alarm when the average number of calls setup per second is equal to or less than a specified number of calls per second.

Alerts or alarms are triggered for the number of calls setup per second based on the following rules:

  • Enter Condition: Actual number of calls setup per second > High Threshold
  • Clear Condition: Actual number of calls setup per second < Low Threshold

Example:
The following command configures a number of calls setup per second threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
threshold ha-service init-rrq-rcvd-rate 1000 clear 500
threshold ip-pool-free

Sets an alarm or alert based on the percentage of IP addresses that are unassigned in an IP pool. This command affects all IP pools in the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
threshold ip-pool-free low_thresh [ clear high_thresh ]
default threshold ip-pool-free
default

Configures the default setting.

low_thresh

Sets the low threshold percentage of addresses available in an IP pool that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured as an integer between 0 and 100. Default: 0

clear high_thresh

Sets the high threshold percentage of addresses available in an IP pool that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm will be generated. It may be configured as an integer between 0 and 100. Default: 0

IMPORTANT:

This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.


Usage:

Use this command to set an alert or an alarm when the number of unassigned IP addresses in any pool is equal to or less than a specified percentage of the total number of addresses in the pool.

Alerts or alarms are triggered for percentage of IP address pool free based on the following rules:

  • Enter Condition: Actual percentage of IP addresses free per pool < Low Threshold
  • Clear Condition: Actual percentage of IP addresses free per pool > High Threshold

IMPORTANT:

This command is overridden by the settings of the alert-threshold keyword of the ip pool command.


Example:
The following command configures a context-level low threshold of 10 percent and a high threshold of 35 percent for unused IP pool addresses, for a system using the Alarm thresholding model:
threshold ip-pool-free 10 clear 35
threshold ip-pool-hold

Sets an alert based on the percentage of IP addresses from an IP pool that are on hold. This command affects all IP pools in the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
threshold ip-pool-hold high_thresh [ clear low_thresh ]
default threshold ip-pool-hold
default

Configures the default setting.

high_thresh

Sets the high threshold percentage of addresses on hold in an IP pool that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured as an integer from 0 through 100. Default: 0

clear low_thresh

Sets the low threshold percentage of addresses on hold in an IP pool that maintains a previously generated alarm condition. If the utilization percentage falls below the low threshold within the polling interval, a clear alarm will be generated. It may be configured as an integer from 0 through 100. Default: 0

IMPORTANT:

This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.


Usage:

Use this command to set an alert or an alarm when the percentage of IP addresses on hold in any pool is equal to or greater than a specified percentage of the total number of addresses in the pool.

Alerts or alarms are triggered for percentage of IP address pool addresses on hold based on the following rules:

  • Enter Condition: Actual percentage of IP addresses on hold per pool > High Threshold
  • Clear Condition: Actual percentage of IP addresses on hold per pool < Low Threshold

IMPORTANT:

This command is overridden by the settings of the alert-threshold keyword of the ip pool command.


Example:
The following command configures a context-level high threshold of 35 percent and a low threshold of 10 percent for IP pool addresses on hold, for a system using the Alarm thresholding model:
threshold ip-pool-hold 35 clear 10
threshold ip-pool-release

Sets an alert based on the percentage of IP addresses from an IP pool that are in the release state. This command affects all IP pools in the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
threshold ip-pool-release high_thresh [ clear low_thresh ]
default threshold ip-pool-release
default

Configures the default setting.

high_thresh

Sets the high threshold percentage of addresses in the release state in an IP pool that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured as an integer from 0 through 100. Default: 0

clear low_thresh

Sets the low threshold percentage of addresses in the release state in an IP pool that maintains a previously generated alarm condition. If the utilization percentage falls below the low threshold within the polling interval, a clear alarm will be generated. It may be configured as an integer from 0 through 100. Default: 0

IMPORTANT:

This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.


Usage:

Use this command to set an alert or an alarm when the number of IP addresses in the release state in any pool is equal to or greater than a specified percentage of the total number of addresses in the pool.

Alerts or alarms are triggered for percentage of IP address pool addresses in the release state based on the following rules:

  • Enter Condition: Actual percentage of IP addresses in the release state per pool > High Threshold
  • Clear Condition: Actual percentage of IP addresses in the release state per pool < Low Threshold

IMPORTANT:

This command is overridden by the settings of the alert-threshold keyword of the ip pool command.


Example:
The following command configures a context-level high threshold of 35 percent and a low threshold of 10 percent for IP pool addresses in the release state, for a system using the Alarm thresholding model:
threshold ip-pool-release 35 clear 10
threshold ip-pool-used

Sets an alert based on the percentage of IP addresses that have been assigned from an IP pool. This command affects all IP pools in the current context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
threshold ip-pool-used high_thresh [ clear low_thresh ]
default threshold ip-pool-used
default

Configures the default setting.

high_thresh

Sets the high threshold percentage of addresses assigned from an IP pool that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured as an integer from 0 through 100. Default: 0

clear low_thresh

Sets the low threshold percentage of addresses assigned from an IP pool that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm will be generated. It may be configured to any integer between 0 and 100. Default: 0

IMPORTANT:

This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.


Usage:

Use this command to set an alert or an alarm when the number of IP addresses assigned from any pool is equal to or greater than a specified percentage of the total number of addresses in the pool.

Alerts or alarms are triggered for percentage of IP address pool addresses used based on the following rules:

  • Enter Condition: Actual percentage of IP addresses used per pool > High Threshold
  • Clear Condition: Actual percentage of IP addresses used per pool < Low Threshold

IMPORTANT:

This command is overridden by the settings of the alert-threshold keyword of the ip pool command.


Example:
The following command configures a context-level high threshold of 35 percent and a low threshold of 10 percent for used IP pool addresses, for a system using the Alarm thresholding model:
threshold ip-pool-used 35 clear 10
threshold monitoring

Enables or disables threshold alerting for a group of thresholds.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] threshold monitoring available-ip-pool-group
default

Configures the default setting.

no

Disables threshold monitoring for the specified value.

available-ip-pool-group

Enables threshold monitoring for IP pool thresholds at the context level and the IP address pool-level.

Refer to the threshold available-ip-pool-group command, the threshold ip-pool-x commands and the alert-threshold keyword of the ip pool command for additional information on these values.


Usage:

Thresholding on the system is used to monitor the system for conditions that could potentially cause errors or outages. Typically, these conditions are temporary (for example, high CPU utilization or packet collisions on a network) and are quickly resolved. However, continuous or large numbers of these error conditions within a specific time interval may be indicative of larger, more severe issues. The purpose of thresholding is to help identify potentially severe conditions so that immediate action can be taken to minimize and/or avoid system downtime.

Thresholding reports conditions using one of the following mechanisms:

  • SNMP traps: SNMP traps have been created that indicate the condition (high threshold crossing and/or clear) of each of the monitored values. Complete descriptions and other information pertaining to these traps are located in the starentMIB(8164).starentTraps(2) section of the SNMP MIB Reference.

The generation of specific traps can be enabled or disabled on the system allowing you to view only those traps that are most important to you.

  • Logs: The system provides a facility called threshold for which active and event logs can be generated. As with other system facilities, logs are generated Log messages pertaining to the condition of a monitored value are generated with a severity level of WARNING.
  • Alarm System: High threshold alarms generated within the specified polling interval are considered “outstanding” until the condition no longer exists and/or a condition clear alarm is generated.

“Outstanding” alarms are reported through the system’s alarm subsystem and are viewable through the CLI.

The following table indicates the reporting mechanisms supported by each of the above models.


Table 3. Thresholding Reporting Mechanisms by Model

Model   SNMP Traps   Logs   Alarm System
Alert   X            X
Alarm   X            X      X



Refer to the threshold poll command in Global Configuration Mode Commands for information on configuring the polling interval over which IP address pool utilization is monitored.


Example:
The following command enables threshold monitoring for IP pool thresholds at the context level and the IP address pool-level:
threshold monitoring available-ip-pool-group
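The enter and clear conditions given for the threshold commands form a hysteresis band under the Alarm model, while the Alert model ignores the clear value. The following simulation is an added example, not code from this reference or from the product: it applies the strict inequalities from the Enter Condition and Clear Condition rules to one measured value per polling interval. The class and function names are hypothetical, and it assumes that the Alert model reports once for every polling interval in which the enter condition holds.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Threshold:
    """A 'threshold <name> <enter> [ clear <clear> ]' setting."""
    name: str
    enter: int
    clear: Optional[int] = None
    low_is_bad: bool = False   # True for ip-pool-free and available-ip-pool-group
    model: str = "alarm"       # "alarm" or "alert"

    def __post_init__(self) -> None:
        if self.model not in ("alarm", "alert"):
            raise ValueError("model must be 'alarm' or 'alert'")
        # The clear value is ignored for the Alert model, and for the Alarm model
        # it defaults to the enter threshold when it is not configured.
        if self.model == "alert" or self.clear is None:
            self.clear = self.enter
        # Sanity check of this example only (not documented CLI behaviour):
        # the clear value must lie on the recovery side of the enter value.
        ok = self.clear >= self.enter if self.low_is_bad else self.clear <= self.enter
        if not ok:
            raise ValueError("clear threshold is on the wrong side of the enter threshold")

    def entered(self, value: int) -> bool:
        return value < self.enter if self.low_is_bad else value > self.enter

    def cleared(self, value: int) -> bool:
        return value > self.clear if self.low_is_bad else value < self.clear


def run(threshold: Threshold, samples: List[int]) -> List[Tuple[int, str, int]]:
    """Evaluate one sample per polling interval; return (interval, event, value)."""
    events: List[Tuple[int, str, int]] = []
    outstanding = False                    # an alarm that has not been cleared yet
    for interval, value in enumerate(samples, start=1):
        if threshold.model == "alert":
            if threshold.entered(value):
                events.append((interval, "alert", value))
        elif not outstanding and threshold.entered(value):
            outstanding = True
            events.append((interval, "alarm", value))
        elif outstanding and threshold.cleared(value):
            outstanding = False
            events.append((interval, "clear", value))
    return events


# Constructed per-interval percentages of addresses used in one pool.
USED_SAMPLES = [20, 36, 40, 30, 12, 9, 36]
# Constructed per-interval percentages of addresses free in one pool.
FREE_SAMPLES = [50, 9, 20, 36, 8]

if __name__ == "__main__":
    # threshold ip-pool-used 35 clear 10, Alarm model, then the same under the Alert model
    print(run(Threshold("ip-pool-used", 35, 10), USED_SAMPLES))
    print(run(Threshold("ip-pool-used", 35, 10, model="alert"), USED_SAMPLES))
    # threshold ip-pool-free 10 clear 35, Alarm model
    print(run(Threshold("ip-pool-free", 10, 35, low_is_bad=True), FREE_SAMPLES))
```

With the band 35/10 the alarm raised in interval 2 stays outstanding through intervals 3 to 5 and clears only when usage drops below 10, so a pool that hovers near the high threshold does not produce a stream of raise and clear events.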
threshold pdsn-service init-rrq-rcvd-rate

Sets an alarm or alert based on the average number of calls setup per second for a PDSN service.

Platform:

ASR 5000

Product:

PDSN


Privilege:

Security Administrator, Administrator


Syntax
threshold pdsn-service init-rrq-rcvd-rate high_thresh [ clear low_thresh ]
no threshold pdsn-service init-rrq-rcvd-rate
no

Deletes the alert or alarm.

high_thresh

Sets the high threshold average number of calls setup per second that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured as an integer between 0 and 1000000. Default: 0

clear low_thresh

Sets the low threshold average number of calls setup per second that must be met or exceeded within the polling interval to clear an alert or alarm. It can be configured as an integer between 0 and 1000000. Default: 0

IMPORTANT:

This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.


Usage:

Use this command to set an alert or an alarm when the average number of calls setup per second is equal to or less than a specified number of calls per second.

Alerts or alarms are triggered for the number of calls setup per second based on the following rules:

  • Enter Condition: Actual number of calls setup per second > High Threshold
  • Clear Condition: Actual number of calls setup per second < Low Threshold

Example:
The following command configures a number of calls setup per second threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
threshold pdsn-service init-rrq-rcvd-rate 1000 clear 500
udr-module active-charging-service

Enables creation, configuration and deletion of the User Data Record (UDR) module for the context.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
[ no ] udr-module active-charging-service
no

Deletes the UDR module configuration for the current context.


Usage:

Use this command to create the UDR module for the context, and configure the UDR module for active charging service records. You must be in a non-local context when specifying this command, and you must use the same context when specifying the EDR module command.

On entering this command, the CLI prompt changes to:

[context_name]hostname(config-udr)#


Example:
The following command creates the UDR module for the context, and enters the UDR Module Configuration Mode:
udr-module active-charging-service