Context Configuration Mode Commands
The Context Configuration Mode is used to create and manage contexts in the
system. Contexts facilitate management of subscribers and services in the system.
IMPORTANT:
The commands or keywords/variables
that are available are dependent on platform type, product version,
and installed license(s).
aaa accounting
This command enables/disables
accounting for subscribers and context-level administrative users
for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
aaa accounting { administrator
radius-diameter | subscriber [ radius-diameter ] }
default aaa accounting { administrator | subscriber }
no aaa accounting { administrator | subscriber } [ radius-diameter ]
default
Configures the default
setting.
Default: RADIUS
no
Disables AAA accounting
per the options specified.
administrator radius-diameter
Enables RADIUS or Diameter accounting
for context-level administrative users.
subscriber
Enables AAA accounting
for subscribers.
radius-diameter
Enables RADIUS or
Diameter accounting for subscribers.
Usage:
Use this command to
enable/disable accounting for subscribers and context-level administrative
users for the current context.
To enable or disable
accounting for individual local subscriber configurations refer
to the accounting-mode command
in the Subscriber Configuration
Mode Commands chapter.
IMPORTANT:
The accounting parameters
in the APN Configuration Mode take precedence over this command
for subscriber sessions. Therefore, if accounting is disabled using
this command but enabled within the APN configuration, accounting
is performed for subscriber sessions.
Example:
The following command
disables AAA accounting for context-level administrative users:
no aaa accounting administrator
The following command
enables AAA accounting for context-level administrative users:
aaa accounting administrator
radius-diameter
aaa authentication
This command enables/disables
authentication for subscribers and context-level administrative
users for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] aaa
authentication { administrator | subscriber } { local | none | radius-diameter }
default aaa authentication { administrator | subscriber }
default
Configures the default
setting for the specified parameter.
- administrator:
local+RADIUS
- subscriber: RADIUS
no
Disables AAA authentication
for administrator(s)/subscribers as specified.
- local: Disables
local authentication for current context.
- none: Disables
NULL authentication for current context, which enables both local
and RADIUS-based authentication.
- radius-diameter:
Disables RADIUS or Diameter-based authentication.
administrator | subscriber
- administrator:
Enables authentication for administrative users.
- subscriber:
Enables authentication for subscribers.
local | none | radius-diameter
Enables AAA authentication
for administrator(s)/subscribers as specified.
- local: Enables
local authentication for the current context.
- none: Disables
authentication for the current context.
- radius-diameter:
Enables RADIUS or Diameter-based authentication.
Usage:
Use this command to enable/disable AAA authentication, for example during
specific maintenance activities or test periods. The authentication can then
be enabled again for the entire context as needed. The none option bypasses
authentication entirely for the specified user class; remove it, or restore
the default with default aaa authentication, before the context returns to service.
Example:
The following command
disables RADIUS or Diameter-based authentication for subscribers for
the current context:
no aaa authentication
subscriber radius-diameter
The following command
enables RADIUS or Diameter-based authentication for subscribers for
the current context:
aaa authentication
subscriber radius-diameter
aaa constructed-nai
This command configures the password used during authentication for sessions
using a Constructed Network Access Identifier (NAI) or an APN-specified user name.
Privilege:
Security Administrator,
Administrator
Syntax
aaa constructed-nai
authentication [ [ encrypted ] password user_password | use-shared-secret-password ]
no aaa constructed-nai authentication
no
Disables authentication
based upon the constructed NAI.
[ encrypted ] password user_password
encrypted:
Specifies that the user password should be encrypted.
password user_password: Specifies
an authentication password for the NAI-constructed user.
In 12.1 and earlier
releases, the user_password must
be an alphanumeric string of 0 through 63 characters with or without
encryption.
use-shared-secret-password
Specifies using RADIUS
shared secret as the password. Default: No password
Usage:
This command configures passwords for user sessions that utilize a constructed
NAI assigned via a PDSN service or a user name assigned via the APN configuration.
For simple IP sessions
facilitated by PDSN services in which the authentication allow-noauth and aaa constructed-nai commands
are configured, this command provides a password used for the duration
of the session.
For
PDP contexts using an APN in which the outbound user name is configured
with no password, this command is used to provide the password.
Additionally, this command is also used to provide a password for
situations in which an outbound username and password are configured
and the authentication
imsi-auth command has been specified.
The encrypted keyword
is intended only for use by the system while saving configuration scripts.
The system displays the encrypted keyword
in the configuration file as a flag that the variable following
the password keyword
is the encrypted version of the plain text password. Only the encrypted
password is saved as part of the configuration file.
If a password is configured
with this keyword, then the specified password is used. Otherwise,
an empty user-password attribute is sent.
Note that this configuration
works in a different way for GGSN services. If a password is configured
with this keyword for GGSN service, the specified password is used.
Otherwise, if an outbound password is configured, that password
is used. If no outbound password is configured, the RADIUS server
secret is used as the user-password string to compute the user-password
RADIUS attribute.
The NAI-construction
consists of the subscriber’s MSID, a separator character,
and a domain. The domain that is used is either the domain name
supplied as part of the subscriber’s user name or a domain
alias.
IMPORTANT:
The domain alias can
be set with the nai-construction domain command
in the PDSN Service Configuration mode, or the aaa default-domain
subscriber command in the Global Configuration mode for
other core network services.
The domain alias is
determined according to the following rules:
- If the domain alias
is set by nai-construction domain,
that value is always used and the aaa default-domain subscriber value
is disregarded, if set. The NAI is of the form <msid><symbol><nai-construction
domain>.
- If the domain alias
is not set by nai-construction domain,
and the domain alias is set by aaa default-domain subscriber,
the aaa default-domain subscriber value
is used. The NAI is of the form <msid><symbol><aaa
default-domain subscriber>.
- If the domain alias
is not set by nai-construction domain or aaa default-domain
subscriber, the domain name alias is the name of the source
context for the PDSN service. The NAI is of the form <msid><symbol><source
context of PDSN Service>.
The special separator
character can be one of the following six: @, -, %, \,
-, /
The subscriber’s
MSID is constructed in one of the formats displayed in the following figure.
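The domain-alias precedence above, together with the GGSN and PDSN password-selection rules given earlier under Usage, as an added example in Python. This is not StarOS code: it reproduces the documented decision order so that the NAI and the source of the User-Password value can be predicted before a RADIUS trace is taken. The separator set is the one listed above; the MSIDs, domain names, context name and passwords are constructed sample values, and treating the MSID as a digit string is an assumption of the example.

```python
"""Constructed-NAI helper (added example; not StarOS code).

Reproduces the documented precedence for the NAI domain alias and, for GGSN
services, for the value placed in the RADIUS User-Password attribute. The
separator set is the one the page lists; MSIDs and domain names below are
constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Separator characters the page lists for NAI construction.
SEPARATORS = frozenset("@-%\\/")


@dataclass(frozen=True)
class NaiSources:
    """Configuration inputs that decide the domain part of the NAI."""
    nai_construction_domain: Optional[str]    # PDSN service: nai-construction domain
    default_domain_subscriber: Optional[str]  # global: aaa default-domain subscriber
    source_context: str                       # context the PDSN service is in


def select_domain(src: NaiSources) -> str:
    """Rule 1: nai-construction domain always wins.
    Rule 2: otherwise aaa default-domain subscriber.
    Rule 3: otherwise the PDSN service's source context name."""
    if src.nai_construction_domain:
        return src.nai_construction_domain
    if src.default_domain_subscriber:
        return src.default_domain_subscriber
    return src.source_context


def construct_nai(msid: str, separator: str, src: NaiSources) -> str:
    """Build <msid><separator><domain>; reject separators the page does not list.
    The MSID is assumed here to be a digit string (IMSI/MIN style)."""
    if separator not in SEPARATORS:
        raise ValueError(f"separator {separator!r} not in {sorted(SEPARATORS)}")
    if not msid.isdigit():
        raise ValueError("MSID must be a digit string")
    return f"{msid}{separator}{select_domain(src)}"


def ggsn_user_password(constructed_nai_password: Optional[str],
                       outbound_password: Optional[str],
                       radius_shared_secret: str) -> Tuple[str, str]:
    """GGSN precedence from the page: aaa constructed-nai password, then the APN
    outbound password, then the RADIUS server shared secret.
    Returns (source, value) so a trace shows why a given value was sent."""
    if constructed_nai_password is not None:
        return ("aaa constructed-nai authentication password", constructed_nai_password)
    if outbound_password is not None:
        return ("apn outbound password", outbound_password)
    return ("radius server shared secret", radius_shared_secret)


def pdsn_user_password(constructed_nai_password: Optional[str]) -> str:
    """PDSN behaviour from the page: the configured password, else an empty
    User-Password attribute."""
    return constructed_nai_password if constructed_nai_password is not None else ""


if __name__ == "__main__":
    cfg = NaiSources(None, "example.com", "pdsn-ctx")      # constructed values
    print(construct_nai("3105551234", "@", cfg))           # 3105551234@example.com
    print(ggsn_user_password(None, None, "sharedsecret"))
```

The GGSN fallback to the RADIUS shared secret is worth noticing when reading traces: an NAI-constructed user that authenticates with no configured password is effectively presenting the server secret as its credential, so that value appears (encrypted under the same secret) in every such Access-Request.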
Example:
The following command
configures the authentication password for the NAI-constructed user.
aaa constructed-nai authentication
aaa filter-id rulebase mapping
This command configures
the system to use the value of the Filter-Id AVP as the ACS rulebase
name.
Privilege:
Security Administrator,
Administrator
Syntax
[ no | default ] aaa
filter-id rulebase mapping
no
Disables the mapping
of Filter-Id AVP and ACS rulebase name.
default
Configures the default
setting. Default: Disabled
Usage:
Use this command to
enable the mapping of Filter-Id attribute’s value returned
during RADIUS authentication as the ACS rulebase name.
This feature lets an operator migrate from a multi-charging-service deployment,
in which postpaid and prepaid subscribers are distinguished by Access Control
List (ACL) names carried in AAA profiles on the RADIUS server, to a
single-charging-service system that distinguishes them by rulebase configuration.
The received ACL name (the Filter-Id value) is mapped internally to a rulebase
name, and the subscriber is configured for postpaid or prepaid service accordingly.
When this feature is enabled and the ACS rulebase attribute is neither received
from RADIUS nor configured in the local default subscriber template, the system
copies the Filter-Id attribute value into the ACS rulebase attribute.
This copy happens only if Filter-Id is configured and received from the RADIUS
server and the ACS rulebase is neither configured in ACS nor received from RADIUS.
Example:
The following command
enables the mapping value of the Filter-Id attribute to ACS rulebase
name:
aaa filter-id rulebase mapping
aaa group
This command creates, configures,
or deletes AAA server groups in
the context.
Privilege:
Security Administrator,
Administrator
Syntax
aaa group group_name [ -noconfirm ]
no aaa group group_name
no
Deletes the specified
AAA group.
group_name
Specifies name of
the AAA group.
If the specified AAA
group does not exist, it is created, and the prompt changes to the
AAA Server Group Configuration Mode, wherein the AAA group can be
configured.
If the specified AAA
group already exists, the prompt changes to the AAA Server Group Configuration
Mode, wherein the AAA group can be configured.
group_name must
be an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any prompt and confirmation from the user.
Usage:
Use this command to
create/configure/delete AAA server groups within
the context. Also, refer to the AAA Server Group Configuration
Mode Commands chapter.
Example:
The following command
enters the AAA Server Group Configuration Mode for an AAA group named
test321:
aaa group test321
aaa nai-policy
This command sets
policies on how Network Access Identifiers (NAIs) are handled during
the authentication process.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] aaa
nai-policy reformat-alg-hex-0-9
default
Sets the NAI policy
back to its default setting which is to remap hexadecimal digits
in NAIs and accept calls with embedded 0x00 hexadecimal digits.
no
Disable remapping
of hexadecimal digits in the NAI and reject calls that have a 0x00 hexadecimal
digit embedded in the NAI.
reformat-alg-hex-0-9
Default: Enabled
Controls remapping
of NAIs that consist only of hex digits 0x00 through 0x09 or if
a 0x00 hexadecimal digit is embedded in the NAI.
By default, the system
remaps NAIs that consist solely of bytes 0x00 through 0x09
to their ASCII digit equivalents. For example, the bytes 0x01 0x02 0x03 are
remapped to 123.
Also by default, the
system accepts an NAI containing one or more 0x00 bytes, ignoring all
characters after the first 0x00.
When this keyword
is disabled, NAIs are processed as follows:
- Remapping of hexadecimal
digits 0x00 through 0x09 within the user-provided NAI is disabled.
- When the NAI has an
embedded 0x00 character anywhere within it (including if there is
an extra 0x00 character at the end) the call is rejected.
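The two behaviours described above, modelled as an added Python example that is not StarOS code. It takes the raw NAI bytes and the state of reformat-alg-hex-0-9 and returns what the AAA subsystem would see, or a rejection. The sample NAIs are constructed; passing any other byte string through unchanged is an assumption, since the page specifies no further transformation.

```python
"""NAI hex-remapping policy (added example; not StarOS code).

Models the two behaviours the page describes for reformat-alg-hex-0-9.
Enabled (the default): an NAI made only of bytes 0x00..0x09 is remapped to
ASCII digits, and any other NAI with an embedded 0x00 is accepted with
everything after the first 0x00 dropped. Disabled ('no' form): nothing is
remapped and any 0x00, even a trailing one, rejects the call. Passing all
other byte strings through unchanged is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional

LOW_DIGIT_BYTES = frozenset(range(0x00, 0x0A))   # 0x00 .. 0x09


@dataclass(frozen=True)
class PolicyResult:
    accepted: bool
    nai: Optional[str]   # NAI handed to AAA, or None when the call is rejected
    note: str            # what the policy did, for a debug log


def apply_nai_policy(raw: bytes, reformat_alg_hex_0_9: bool = True) -> PolicyResult:
    """Return what the AAA subsystem would see for raw NAI bytes under the policy.

    reformat_alg_hex_0_9  True  -> default behaviour
                          False -> 'no aaa nai-policy reformat-alg-hex-0-9'
    """
    if not raw:
        return PolicyResult(False, None, "empty NAI")

    if reformat_alg_hex_0_9:
        if all(b in LOW_DIGIT_BYTES for b in raw):
            # Each low byte becomes its ASCII digit: 0x01 0x02 0x03 -> "123".
            digits = "".join(chr(ord("0") + b) for b in raw)
            return PolicyResult(True, digits, "remapped hex 0x00-0x09 to digits")
        nul = raw.find(b"\x00")
        if nul != -1:
            # Accepted, but everything from the first 0x00 onward is ignored.
            kept = raw[:nul]
            if not kept:
                return PolicyResult(False, None, "nothing before first 0x00")
            return PolicyResult(True, kept.decode("latin-1"),
                                f"truncated {len(raw) - nul} byte(s) at first 0x00")
    elif b"\x00" in raw:
        return PolicyResult(False, None, "embedded 0x00 rejected (remapping disabled)")

    # latin-1 is a lossless byte-to-str mapping; the page specifies no other change.
    return PolicyResult(True, raw.decode("latin-1"), "passed through unchanged")


if __name__ == "__main__":
    for sample in (b"\x01\x02\x03", b"alice\x00@example.com", b"alice@example.com\x00"):
        print(sample, apply_nai_policy(sample), apply_nai_policy(sample, False), sep="\n  ")
```

Under the default, alice\x00@example.com is authenticated as alice: the realm after the NUL is silently discarded, so the identity the RADIUS server sees differs from the one the access network supplied. The no form turns that case into a rejected call, which is the stricter choice where NAIs are expected to be clean text.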
Usage:
Use this command to
disable or re-enable remapping of hexadecimal digits in the NAI.
Example:
The following command
disables the remapping of hexadecimal digits in the NAI:
no aaa nai-policy
reformat-alg-hex-0-9
access-list undefined
Configures the behavior
of access control for the current context when an undefined access
control list is specified.
Privilege:
Security Administrator,
Administrator
Syntax
access-list undefined { deny-all | permit-all }
{ default | no } access-list undefined
default
Configures the default
setting.
no
Disables handling
undefined access lists.
deny-all
Specifies to drop
all packets when an undefined ACL is specified.
permit-all
Specifies to forward
all packets when an undefined ACL is specified.
Usage:
Use this command to
specify the default behavior when a referenced ACL does not exist.
When security policies require strict access control, deny-all handling
should be configured: a reference to a misspelled or not-yet-created
ACL then fails closed (traffic is dropped) rather than open.
Example:
The following command
sets the packet handling to ignore (drop) all packets when an undefined
ACL is specified.
access-list undefined
deny-all
administrator
Configures a user
with Security Administrator privileges in the current context.
Privilege:
Security Administrator
Syntax
administrator user_name [ encrypted ] password password | [ ecs ] [ expiry-date date_time ] [ ftp ] [ li-administration ] [ nocli ] [ noecs ] [ timeout-absolute timeout_absolute ] [ timeout-min-absolute timeout_min_absolute ] [ timeout-idle timeout_idle ][ timeout-min-idle timeout_min_idle ]
no administrator user_name
no
Removes Security Administrator
privileges for the specified user name.
user_name
Specifies the user
name for which Security Administrator privileges must be enabled
in the current context. user_name must
be an alphanumeric string of 1 through 32 characters.
[ encrypted ] password password
Specifies password
for the user name. Optionally, the encrypted keyword
can be used to specify the password uses encryption.
password must
be an alphanumeric string of 1 through 63 characters without encryption,
and 1 through 132 characters with encryption.
The encrypted keyword
is intended only for use by the system while saving configuration
scripts. The system displays the encrypted keyword
in the configuration file as a flag that the variable following
the password keyword
is the encrypted version of the plain text password. Only the encrypted
password is saved as part of the configuration file.
ecs
Permits the user to
use ACS-specific configuration commands. Default: Permitted
expiry-date date_time
Specifies the date
and time that this login account expires.
Enter the date and
time in the YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss format. Where
YYYY is the year, MM is the month, DD is the day of the month, HH
is the hour, mm is minutes, and ss is seconds.
ftp
Permits the user to
use FTP and SFTP. Default: Not permitted
li-administration
Refer to the Lawful Intercept Configuration
Guide for a description of this parameter.
nocli
Prevents the user
from using the command line interface. Default: Permitted
noecs
Prevents the user
from accessing ACS-specific commands.
timeout-absolute timeout_absolute
IMPORTANT:
This keyword is obsolete.
It has been left in place for backward compatibility. If used, a warning
is issued and the value entered is rounded to the nearest whole
minute.
Specifies the maximum
time, in seconds, the Security Administrator may have a session active
before the session is forcibly terminated. timeout_absolute must
be an integer from 0 through 300000000.
The value 0 disables
this timeout configuration.
Default: 0
timeout-min-absolute timeout_min_absolute
Specifies the maximum
time (in minutes) the Security Administrator may have a session active
before the session is forcibly terminated. timeout_min_absolute must
be an integer from 0 through 525600. The value 0 disables this timeout
configuration. Default: 0
timeout-idle timeout_idle
IMPORTANT:
This keyword is obsolete.
It has been left in place for backward compatibility. If used a warning
is issued and the value entered is rounded to the nearest whole
minute.
Specifies the maximum
time, in seconds, a Security Administrator session may remain idle
before it is terminated. timeout_idle must
be an integer from 0 through 300000000.
The value 0 disables
the idle timeout configuration.
Default: 0
timeout-min-idle timeout_min_idle
Specifies the maximum
time, in minutes, a Security Administrator session may remain idle
before it is terminated. timeout_min_idle must
be an integer from 0 through 525600. The value 0 disables the idle
timeout configuration. Default: 0
Usage:
Use this command to
create new Security Administrators or modify existing user’s settings.
Security Administrator
users have read-write privileges and full access to all contexts
and command modes. Refer to the Command Line Interface
Overview chapter for more information.
IMPORTANT:
A maximum of 128 administrative
users and/or subscribers may be locally configured per context.
Example:
The following command
creates a Security Administrator account named
user1 with
access to ACS configuration commands:
administrator user1
password secretPassword
The following removes
the Security Administrator account named
user1:
no administrator user1
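The aaa authentication, access-list undefined and administrator commands above each carry a setting a reviewer would want to catch in a saved configuration. The following Python script is an added example, not StarOS code: it parses a constructed StarOS-style configuration and flags aaa authentication ... none, access-list undefined permit-all, and administrator accounts saved with a plaintext password, an idle timeout of 0, the obsolete seconds-based timeouts, or an expired or malformed expiry-date. The context/#exit block layout and the sample account names are assumptions of the example.

```python
"""Audit a saved StarOS-style context configuration (added example; not StarOS code).
Flags, per 'context <name>' block: 'aaa authentication ... none', 'access-list
undefined permit-all', and administrator lines saved with a plaintext password,
a disabled idle timeout, the obsolete seconds-based timeouts, or an expired or
unparsable expiry-date. The sample configuration is constructed, and the
'context ... #exit' block layout is an assumption about how the file is saved.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

EXPIRY_FORMATS = ("%Y:%m:%d:%H:%M:%S", "%Y:%m:%d:%H:%M")   # YYYY:MM:DD:HH:mm[:ss]
OBSOLETE_TIMEOUTS = ("timeout-idle", "timeout-absolute")   # seconds; rounded to minutes
ADMIN_FLAGS = {"ecs", "ftp", "li-administration", "nocli", "noecs"}  # keywords with no value
SAMPLE_NOW = datetime(2025, 1, 1)                          # fixed clock for the sample run


@dataclass(frozen=True)
class Finding:
    context: str
    severity: str   # high | medium | low
    message: str


def parse_expiry(value: str) -> Optional[datetime]:
    """Parse the expiry-date syntax the page documents; None if it does not match."""
    for fmt in EXPIRY_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


def audit_administrator(ctx: str, t: List[str], now: datetime) -> List[Finding]:
    """t: ['administrator', user, ['encrypted'], 'password', pw, options...]"""
    user, i = t[1], 2
    encrypted = t[i] == "encrypted"
    i += 1 if encrypted else 0
    if i + 1 >= len(t) or t[i] != "password":
        return [Finding(ctx, "medium", f"administrator {user}: malformed line")]
    out = [] if encrypted else [Finding(ctx, "high", f"administrator {user}: plaintext password in saved script")]
    opts: Dict[str, Optional[str]] = {}
    rest, j = t[i + 2:], 0
    while j < len(rest):                  # flags take no value; every other keyword takes one
        key = rest[j]
        opts[key] = None if key in ADMIN_FLAGS or j + 1 >= len(rest) else rest[j + 1]
        j += 1 if key in ADMIN_FLAGS else 2
    for key in OBSOLETE_TIMEOUTS:
        if key in opts:
            out.append(Finding(ctx, "low", f"administrator {user}: obsolete {key} (seconds); use {key.replace('timeout-', 'timeout-min-')}"))
    if (opts.get("timeout-min-idle") or opts.get("timeout-idle") or "0") == "0":
        out.append(Finding(ctx, "medium", f"administrator {user}: idle timeout disabled (0)"))
    if "expiry-date" in opts:
        exp = parse_expiry(opts["expiry-date"] or "")
        if exp is None:
            out.append(Finding(ctx, "medium", f"administrator {user}: unparsable expiry-date"))
        elif exp <= now:
            out.append(Finding(ctx, "low", f"administrator {user}: account expired {exp:%Y-%m-%d %H:%M}"))
    return out


def audit_config(text: str, now: datetime) -> List[Finding]:
    findings: List[Finding] = []
    ctx = "<global>"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):          # '#exit' closes the current block
            ctx = "<global>" if line == "#exit" else ctx
            continue
        t = line.split()
        if t[0] == "context" and len(t) > 1:
            ctx = t[1]
        elif t[:2] == ["aaa", "authentication"] and len(t) >= 4 and t[3] == "none":
            findings.append(Finding(ctx, "high", f"aaa authentication {t[2]} none: authentication bypassed"))
        elif t[:3] == ["access-list", "undefined", "permit-all"]:
            findings.append(Finding(ctx, "high", "access-list undefined permit-all: undefined ACL names forward all traffic"))
        elif t[0] == "administrator" and len(t) >= 4:
            findings.extend(audit_administrator(ctx, t, now))
    return findings


SAMPLE_CONFIG = """\
context local
    aaa authentication administrator none
    administrator ops1 encrypted password +A1b2C3d4 timeout-min-idle 15 expiry-date 2031:01:31:23:59
    administrator ops2 password Plain#Pass1 timeout-idle 900 ftp
    access-list undefined permit-all
#exit
context ingress
    access-list undefined deny-all
    administrator sec1 encrypted password +X9y8Z7 timeout-min-idle 10 timeout-min-absolute 480 expiry-date 2020:01:01:00:00:00
#exit
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, SAMPLE_NOW):
        print(f"[{f.severity:6}] {f.context}: {f.message}")
```

Run it against the saved configuration file; each finding carries the context name so it maps back to the block that needs changing. The plaintext-password check matters because, as the page states, the system itself writes only the encrypted form when it saves a configuration, so an unencrypted password keyword in a script means the secret was typed by hand and is readable to anyone who can read the file.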
apn
Creates or deletes
Access Point Name (APN) templates and enters the APN Configuration
Mode within the current context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] apn apn_name [ -noconfirm ]
no
Deletes a previously
configured APN template.
apn_name
Specifies a name for
the APN template as an alphanumeric string of 1 through 62 characters that
is case insensitive. It may also contain dots (.) and/or
dashes (-).
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
DANGER:
If this keyword option
is used with the no
apn apn_name command,
the APN named apn_name will
be deleted with all active/inactive subscribers without
prompting any warning or confirmation.
Usage:
This command creates
an APN within the system and causes the CLI to enter the APN Configuration
Mode.
The APN is a logical
name for a packet data network and/or a service to which
the system supports access. When a create PDP context request is
received by the system, it examines the APN information element
within the packet. The system determines if an APN with the identical
name is configured. If so, the system uses the configuration parameters
associated with that APN as a template for processing the request.
If the names do not match, the request is rejected with cause
code 219 (0xDB, Missing or unknown APN).
APN templates should
be created/configured within destination contexts on the
system.
- Up to 1000 APNs can be
configured in the GGSN.
- In StarOS v12.x and earlier,
up to 1024 APNs can be configured in the P-GW.
Example:
The following command
creates an APN template called
isp1:
apn isp1
asn-qos-descriptor
Creates, deletes or
manages the Quality of Service (QoS) descriptor table identifier
for Access Service Node Gateway (ASN-GW) service and enters the
ASN QoS Descriptor Table Identifier Configuration mode within the
source context.
Privilege:
Security Administrator,
Administrator
Syntax
asn-qos-descriptor id qos_table_id [ default ] dscp [ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef ] [ -noconfirm ]
no asn-qos-descriptor id qos_table_id [ -noconfirm ]
no
Deletes a previously
configured ASN QoS descriptor table identifier.
id qos_table_id
Specifies a unique
identifier for ASN QoS descriptor table to create/configure. qos_table_id must
be an integer from 1 through 65535.
[ default ] dscp
Specifies DSCP marking
for this QoS descriptor.
[ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef ]
The DSCP marking for
this QoS descriptor. Default value is be (best effort).
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
DANGER:
If this keyword option
is used with no
asn-qos-descriptor id qos_table_id command
the ASN QoS descriptor table with identifier qos_table_id will
be deleted with all active/inactive configurations without
prompting any warning or confirmation.
Usage:
Use this command to
configure a QoS descriptor table to manage QoS functionality for
ASN-GW service subscribers. This command creates and allows the configuration
of QoS tables within a context. It is also used to remove
previously configured ASN-GW service QoS descriptor tables.
A maximum of 16 QoS
Descriptor Tables can be configured per system.
Refer to the ASN QoS Descriptor Configuration
Mode Commands chapter of this reference for additional information.
Example:
The following command
creates a QoS descriptor table with identifier
1234 for
the ASN-GW service subscribers:
asn-qos-descriptor
id 1234
asn-service-profile
Creates, deletes or
manages the Service Profiles Identifier for Access Service Node
Gateway (ASN-GW) service subscribers and enters the ASN Service
Profile Configuration mode within the current context.
Syntax
asn-service-profile id asn_profile_id direction { bi-directional | downlink | uplink } [ activation-trigger { activate | admit | dynamic-reservation | provisioned } ] [ -noconfirm ]
no asn-service-profile id asn_profile_id [ -noconfirm ]
no
Deletes a previously
configured ASN service profile identifier.
id asn_profile_id
Specifies a unique
identifier for the ASN service profile to create/configure.
direction { bi-directional | downlink | uplink }
Specifies the direction
of data traffic to apply this service profile.
bi-directional:
Enables this service profile in both direction of uplink and downlink.
downlink:
Enables this service profile in downlink direction, towards the
subscriber.
uplink:
Enables this service profile in uplink direction, towards the system.
activation-trigger { activate | admit | dynamic-reservation | provisioned }
Use this option to
configure the activation trigger for the ASN service profile. Default: provisioned | admit | activate
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
DANGER:
If this keyword option
is used with no
asn-service-profile id asn_profile_id command
the ASN service profile with identifier asn_profile_id will
be deleted with all active/inactive configurations without
prompting any warning or confirmation.
Usage:
Use this command to
configure a service profile to apply to ASN-GW service subscribers.
This command creates and allows the configuration of service profiles
within a context. It is also used to remove previously
configured ASN-GW service profiles.
A maximum of 32 ASN
Service Profiles can be configured per context.
Refer to the ASN Service Profile
Configuration Mode Commands chapter of this reference for additional
information.
Example:
The following command
creates an ASN Service Profile with identifier
1234 for
the ASN-GW service subscribers:
asn-service-profile
id 1234 direction uplink
asngw-service
Creates, deletes or
manages an Access Service Node Gateway (ASN-GW) service and enters
the ASN Gateway Service Configuration Mode within the current context.
Privilege:
Security Administrator,
Administrator
Syntax
asngw-service asngw_name [ -noconfirm ]
no asngw-service asngw_name
no
Deletes a previously
configured ASN-GW service.
asngw_name
Specifies the name
of the ASN-GW service to create/configure as an alphanumeric
string of 1 through 63 characters that is case sensitive.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
DANGER:
If this keyword option
is used with the no
asngw-service asngw_name command,
the ASN-GW service named asngw_name will
be deleted with all active/inactive subscribers without prompting
any warning or confirmation.
Usage:
Services are configured
within a context and enable certain functionality. This command creates
and allows the configuration of services enabling the system to
function as an ASN Gateway in a WiMAX network. This command is also
used to remove previously configured ASN-GW services.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (i.e. resulting from such things as system handoffs).
Therefore, it is recommended that a large number of services only
be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Refer to the ASN Gateway Service
Configuration Mode Commands chapter of this reference for additional
information.
Example:
The following command
creates an ASN-GW service name
asn-gw1:
asngw-service asn-gw1
asnpc-service
Creates, deletes or
manages an ASN Paging Controller service to manage the ASN paging
controller service and enters the ASN Paging Controller Configuration
mode within the current context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] asnpc-service asn_pc_svc_name [ -noconfirm ]
no
Deletes a previously
configured ASN paging controller service.
asnpc-service asn_pc_svc_name
Specifies the name
of the ASN Paging Controller Service to create and enable as an alphanumeric
string of 1 through 63 characters that is case sensitive.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
DANGER:
If this keyword option
is used with no
asnpc-service asn_pc_svc_name command
the ASN Paging Controller service named asn_pc_svc_name will
be deleted and disabled with all active/inactive paging groups
and paging agents configured in a context for ASN paging controller
service without prompting any warning or confirmation.
Usage:
Use this command to
create and enable the ASN paging controller services in the system
to provide functionality of an ASN Paging Controller service within
a context. Additionally this command provides the access to the
ASN Paging Controller Service Configuration mode and also used to
remove previously configured ASN Paging Controller services.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (i.e. resulting from such things as system handoffs).
Therefore, it is recommended that a large number of services only
be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Refer to the ASN Paging Controller
Service Configuration Mode Commands chapter of this reference
for additional information.
Example:
The following command
creates an ASN paging controller service name
asnpc_1:
asnpc-service asnpc_1
bfd-protocol
Enables or
disables Bidirectional Forwarding Detection (BFD) protocol and enters
the BFD Configuration mode.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bfd-protocol
Usage:
Use this command to
set configuration parameters for detecting faults in paths established with
BFD-enabled routers.
Refer to the BFD Configuration
Mode Commands chapter for additional information.
Example:
The following command
enables BFD Configuration mode:
bfd-protocol
bgp extended-asn-cap
Enables or
disables the router to send 4-octet ASN capabilities.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bgp
extended-asn-cap
no
Disables the ability
of the router to send 4-octet ASN capabilities.
Example:
The following command
enables the router to send 4-octet ASN Capabilities:
bgp extended-asn-cap
bmsc-profile
Creates or deletes
Broadcast Multicast Service Center (BM-SC) profiles and enters the
BMSC Profile Configuration Mode within the current context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bmsc-profile
name bmsc_profile_name [ -noconfirm ]
no
Deletes a previously
configured BM-SC profile.
name bmsc_profile_name
Specifies a name for
the BM-SC profile as an alphanumeric string of 1 through 62 characters that
is case insensitive. It may also contain dots (.) and/or
dashes (-).
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
DANGER:
If this keyword option
is used with no
bmsc-profile name bmsc_profile_name command
the BM-SC profile named bmsc_profile_name is
deleted with all active/inactive subscribers without prompting
any warning or confirmation.
Usage:
Use this command to
create a BM-SC profile within the context and enter the
BMSC Profile Configuration Mode.
The BM-SC profile
is a logical name for a Broadcast Multicast Service Center in Multimedia
Broadcast and Multicast service.
BM-SC profile should
be created/configured within contexts on the system. Up
to four BM-SC profiles can be configured.
Example:
The following command
creates a BM-SC Profile called
mbms_sc_1:
bmsc-profile name
mbms_sc_1
busyout ip pool
Makes addresses from
an IP pool in the current context unavailable once they are free.
Privilege:
Security Administrator,
Administrator
Syntax
busyout ip pool { all | all-dynamic | all-static | name pool_name } [ address-range start_address
end_address | lower-percentage percent | upper-percentage percent ]
no busyout ip pool { all | all-dynamic | all-static | name pool_name } [ address-range start_address
end_address | lower-percentage percent | upper-percentage percent ]
no
Disables the busyout
command specified.
all
Applies to all IP
pools in the current context.
all-dynamic
Applies to all dynamic
IP-pools in the current context.
all-static
Applies to all static
IP pools in the current context.
name pool_name
Applies the named
IP pool or IP pool group in the current context. pool_name must
be the name of an existing IP pool or IP pool group in the current
context.
address-range start_address end_address
Busyout all addresses
from start_address through end_address. start_address:
The beginning IP address of the range of addresses to busyout. This
IP address must exist in the pool specified and entered in IPv4
dotted-decimal notation.
end_address:
The ending IP address of the range of addresses to busyout. This
IP address must exist in the pool specified and entered in IPv4
dotted-decimal notation.
lower-percentage percent
Busyout the percentage
of IP addresses specified, beginning at the lowest numbered IP address.
This is a percentage of all of the IP addresses in the specified
IP pool. percent must
be an integer from 0 through 100.
upper-percentage percent
Busyout the percentage
of IP addresses specified, beginning at the highest numbered IP address.
This is a percentage of all of the IP addresses in the specified
IP pool. percent must
be an integer from 0 through 100.
Usage:
Use this command to
busyout IP addresses when resizing an IP pool.
Up to 32 instances
of this command can be executed per context.
A single instance
of this command can busy-out multiple IP address pools in the context through
the use of the all, all-static,
or all-dynamic keywords.
Example:
Assume an IP pool
named
Pool10 with
addresses from
192.168.100.1 through
192.168.100.254.
To busy out the addresses from
192.168.100.50 through
192.168.100.100,
enter the following command:
busyout ip pool name
Pool10 address-range 192.168.100.50 192.168.100.100
To restore the IP
addresses from the previous example and make them accessible again, enter
the following command:
no busyout ip pool
name Pool10 address-range 192.168.100.50 192.168.100.100
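The three selectors described above, as an added Python example (not StarOS code) that previews exactly which addresses a busyout would make unavailable before the command is run, and reports a range end that does not exist in the pool instead of silently accepting it. The pool range matches Pool10 in the example above; expanding the pool as a contiguous range and rounding a percentage share down are assumptions of this example.

```python
"""Preview the addresses a 'busyout ip pool' command makes unavailable
(added example; not StarOS code).

Models the three selectors the page documents for an IPv4 pool: address-range,
lower-percentage and upper-percentage. The pool contents are constructed, and
rounding the percentage count down is an assumption of this example.
"""
from ipaddress import IPv4Address
from typing import List, Optional


def pool_addresses(first: str, last: str) -> List[IPv4Address]:
    """Expand a pool given as an inclusive first..last range."""
    lo, hi = IPv4Address(first), IPv4Address(last)
    if hi < lo:
        raise ValueError("pool end precedes pool start")
    return [IPv4Address(int(lo) + n) for n in range(int(hi) - int(lo) + 1)]


def range_error(pool: List[IPv4Address], start: str, end: str) -> Optional[str]:
    """The page requires both range ends to exist in the pool; None means valid."""
    s, e = IPv4Address(start), IPv4Address(end)
    members = set(pool)
    missing = [str(a) for a in (s, e) if a not in members]
    if missing:
        return "not in pool: " + ", ".join(missing)
    if e < s:
        return "end_address precedes start_address"
    return None


def busyout_range(pool: List[IPv4Address], start: str, end: str) -> List[IPv4Address]:
    """address-range start end: every pool address from start through end."""
    err = range_error(pool, start, end)
    if err:
        raise ValueError(err)
    s, e = IPv4Address(start), IPv4Address(end)
    return [a for a in pool if s <= a <= e]


def _share(pool: List[IPv4Address], percent: int) -> int:
    if not 0 <= percent <= 100:
        raise ValueError("percent must be an integer 0 through 100")
    return len(pool) * percent // 100        # share of the whole pool, rounded down


def busyout_lower_percentage(pool: List[IPv4Address], percent: int) -> List[IPv4Address]:
    """lower-percentage: the share counted from the lowest address upward."""
    return sorted(pool)[:_share(pool, percent)]


def busyout_upper_percentage(pool: List[IPv4Address], percent: int) -> List[IPv4Address]:
    """upper-percentage: the share counted from the highest address downward."""
    n = _share(pool, percent)
    return sorted(pool)[len(pool) - n:]


if __name__ == "__main__":
    pool10 = pool_addresses("192.168.100.1", "192.168.100.254")    # Pool10 from the page
    busy = busyout_range(pool10, "192.168.100.50", "192.168.100.100")
    print(len(busy), busy[0], busy[-1])                             # 51 192.168.100.50 192.168.100.100
    print(range_error(pool10, "192.168.100.50", "192.169.100.100"))  # end lies outside the pool
```

Because the page allows up to 32 busyout instances per context, it is worth previewing the union of all planned selectors this way before applying them: overlapping percentage and range selectors on the same pool are easy to mis-estimate by hand.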
cae-group
Creates a CAE group,
which is a CAE server cluster that services TCP video requests from
the Mobile Video Gateway. The Mobile Video Gateway uses the configured
CAE group for CAE load balancing. The CAE (Content Adaptation Engine)
is an optional component of the Mobile Videoscape.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] cae-group cae_group_name [ -noconfirm ]
no
Deletes the CAE group
if previously configured.
cae_group_name
Creates the specified
CAE group and enters the Video Group Configuration Mode. cae_group_name is
an alphanumeric string of 1 through 79 characters.
-noconfirm
Executes the command
without any prompt and confirmation from the user.
Usage:
Use this command to
create a CAE group and enter the Video Group Configuration Mode. This
command gets issued from the Context Configuration Mode.
Example:
The following command
creates a CAE group named
group_1 and
enters the Video Group Configuration Mode:
cae-group group_1
camel-service
Creates an instance
of the Customized Applications for Mobile Enhanced Logic (CAMEL)
service and enters the CAMEL service configuration mode. This mode
configures or edits the configuration for the parameters which control
the CAMEL functionality on the SGSN.
IMPORTANT:
For details about the
commands and parameters, check the CAMEL Service Configuration
Mode chapter.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] camel-service srvc_name
no
Removes the configuration
for the specified CAMEL service from the configuration of the current
context.
srvc_name
Creates a CAMEL service
instance having a unique name expressed as an alphanumeric string
of 1 through 63 characters.
Usage:
Use this command to
create, edit, or remove a CAMEL service.
Example:
The following command
creates a CAMEL service named
camel1 in
the current context:
camel-service camel1
The following command
removes the CAMEL service named
camel2 from
the configuration for the current context:
no camel-service camel2
cipher-suite
Creates a new SSL
cipher suite or specifies an existing cipher suite and enters the Cipher
Suite Configuration Mode.
Syntax
[ no ] cipher-suite name
no
Removes the specified
SSL cipher suite from the context.
name
Specifies the name
of a new or existing SSL cipher suite as an alphanumeric string of
1 through 127 characters that must be unique across all CSCF services
within the same context and across all contexts.
Usage:
Use this command to
create a new SSL cipher suite or modify an existing one.
IMPORTANT:
One SSL cipher suite
can be created per SSL template.
A cipher suite names
the cryptographic algorithms the two ends of an SSL/TLS connection can agree on:
a key exchange method, and a cipher spec that fixes the bulk encryption
and hash (MAC) algorithms used to protect the session once the handshake
completes. SSL cipher suites allow operators to select a level of security
and to enable communication between devices with different security
requirements. When defining a suite, leave out components that are no longer
considered safe (NULL, export-grade, RC4, DES and MD5-based algorithms)
unless a specific peer cannot be upgraded.
Entering this command
results in the following prompt:
[context_name]hostname(cfg-ctx-cipher-suite)#
Cipher Suite Configuration
Mode commands are defined in the Cipher Suite Configuration
Mode Commands chapter.
Example:
The following command
specifies the SSL cipher suite
cipher_suite_1 and
enters the Cipher Suite Configuration Mode:
cipher-suite cipher_suite_1
class-map
Creates or deletes
a class map. If the class map is newly created, the system enters
the Class-Map Configuration Mode within the current destination
context, where the match rules that classify packets for
flow-based traffic policing of a subscriber session flow are configured.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] class-map
name class_name [ match-all | match-any ]
no
Deletes the configured
Class-Map within the context.
class_name
Specifies the name
of the Class-Map rule as an alphanumeric string of 1 through 15 characters.
The name is case sensitive.
match-all
Default: Enabled.
Enables AND logic
for the matching parameters configured in the Class-Map: every
classification rule in the Class-Map must match for the Class-Map
to be considered a match for the traffic flow or packet.
match-any
Default: Disabled.
Enables OR logic for
the matching parameters configured in the Class-Map: a match on any
one classification rule in the Class-Map is sufficient for the Class-Map
to be considered a match for the traffic flow or packet.
Usage:
Use this command to
enter Class-Map Configuration Mode and set the classification parameters
or filters used by the traffic policy for a subscriber session flow.
IMPORTANT:
In this mode, classification
rules are added sequentially with the match command
to form a Class-Map. To change, delete, or re-add
a particular rule, the entire Class-Map must be deleted and re-created.
Example:
The following command
configures a classification map named
class_map1 that
matches when any one of its match rules matches:
class-map name class_map1
match-any
closedrp-rp handoff
Enables or disables
session handoff between Closed-RP and RP connections. Default: Disabled
Privilege:
Security Administrator,
Administrator
Syntax
closedrp-rp handoff
[ default | no ] closedrp-rp handoff
default
Resets the command
to its default setting of disabled.
no
Disables Closed-RP
to RP session handoff.
Usage:
Use this command to
enable a PDSN service to handoff sessions between Closed-RP and RP
connections.
Example:
To enable Closed-RP
to RP handoffs, use the following command:
closedrp-rp handoff
To disable Closed-RP
to RP handoffs, use the following command:
no closedrp-rp handoff
config-administrator
Configures a context-level
administrator account within the current context.
Privilege:
Security Administrator
Syntax
config-administrator user_name [ encrypted ] password password [ ecs ] [ expiry-date date_time ] [ ftp ] [ li-administration ] [ nocli ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle timeout_duration ] [ timeout-min-idle idle_minutes ]
no config-administrator user_name
no
Removes a previously
configured context-level administrator account.
user_name
Specifies the name
for the account as an alphanumeric string of 1 through 32 characters.
[ encrypted ] password password
Specifies the password
to use for the user which is being given context-level administrator privileges
within the current context. The encrypted keyword indicates the
password specified uses encryption.
password is
an alphanumeric string of 1 through 63 characters without encryption,
or 1 through 127 characters with encryption.
The encrypted keyword
is intended only for use by the system while saving configuration scripts.
The system displays the encrypted keyword in the configuration file
as a flag that the variable following the password keyword is the
encrypted version of the plain text password. Only the encrypted
password is saved as part of the configuration file.
ecs
Permits the user access
to ACS-specific configuration commands. Default: Enhanced Charging
Service (ECS / ACS) specific configuration commands allowed.
expiry-date date_time
Specifies the date
and time that this account expires in the format YYYY:MM:DD:HH:mm or
YYYY:MM:DD:HH:mm:ss.
Where YYYY is the
year, MM is the month, DD is the day of the month, HH is the hour, mm
is minutes, and ss is seconds.
ftp
Indicates the user
gains FTP and SFTP access with the administrator privileges. Default: FTP
and SFTP are not allowed.
li-administration
Refer to the Lawful Intercept Configuration
Guide for a description of this parameter.
nocli
Indicates the user
is not allowed to access the command line interface. Default: CLI
access allowed.
noecs
Prevents the specific
user from accessing ACS-specific configuration commands.
timeout-absolute abs_seconds
IMPORTANT:
This keyword is obsolete.
It has been left in place for backward compatibility. If used a warning
is issued and the value entered is rounded to the nearest whole
minute.
Specifies the maximum
amount of time (in seconds) that the administrator may have a session
active before the session is forcibly terminated. abs_seconds must
be an integer from 0 through 300000000. The value 0 disables the
absolute timeout. Default: 0
timeout-min-absolute abs_minutes
Specifies the maximum
amount of time (in minutes) the context-level administrator may have
a session active before the session is forcibly terminated. abs_minutes must
be an integer from 0 through 525600 (365 days). The value 0 disables
the absolute timeout. Default: 0
timeout-idle timeout_duration
IMPORTANT:
This keyword is obsolete.
It has been left in place for backward compatibility. If used a warning
is issued and the value entered is rounded to the nearest whole
minute.
Specifies the maximum
amount of idle time, in seconds, the context-level administrator
may have a session active before the session is terminated. timeout_duration must
be a value in the range from 0 through 300000000. The value 0 disables
the idle timeout. Default: 0
timeout-min-idle idle_minutes
Specifies the maximum
amount of idle time, in minutes, the context-level administrator
may have a session active before the session is terminated. idle_minutes must
be a value in the range from 0 through 525600 (365 days). The value
0 disables the idle timeout. Default: 0
Usage:
Use this command to create new context-level
administrators or to modify an existing administrator's options,
in particular the timeout values. Both timeouts default to 0 (disabled),
so set timeout-min-idle and timeout-min-absolute explicitly for each account;
otherwise an abandoned administrative session stays open until it is closed
by hand. Enter the password in plain text at the CLI and let the system write
the encrypted form to the saved configuration; the encrypted keyword is not
meant to be typed by an operator.
Administrator users
have read-write privileges and full access to all contexts and command
modes (except for a few security functions). Refer to the Command Line Interface
Overview chapter of this guide for more information.
IMPORTANT:
A maximum of 128 administrative
users and/or subscribers may be locally configured per context.
Example:
The following command configures
a context-level administrator named
user1 with
ACS parameter control:
config-administrator
user1 password secretPassword ecs
The following command
removes a context-level administrator named
user1:
no config-administrator
user1
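The following Python script is an added audit example; it is not StarOS code and not part of the original reference. It parses config-administrator lines written in the form of the syntax above out of a constructed sample configuration and reports what a reviewer of a saved configuration would want flagged: a password recorded without the encrypted keyword, timeouts left at their disabled default of 0, FTP/SFTP or li-administration privilege, and an expiry-date that has already passed. The sample lines and the placeholder encrypted blobs are constructed for the example and do not reproduce the system's real password encoding.

```python
import datetime
import re

# Constructed sample of a saved configuration (not a real device export).
# The 'encrypted' password values are placeholders, not the system's encoding.
SAMPLE_CONFIG = """\
config-administrator user1 password secretPassword ecs
config-administrator ops1 encrypted password +ENCRYPTED-BLOB-1 timeout-min-idle 15 timeout-min-absolute 480
config-administrator xfer encrypted password +ENCRYPTED-BLOB-2 ftp nocli expiry-date 2020:01:31:23:59
no config-administrator olduser
"""

ADMIN_LINE = re.compile(r"^\s*config-administrator (\S+) (encrypted )?password (\S+)(.*)$")
FLAG_KEYWORDS = {"ecs", "ftp", "li-administration", "nocli", "noecs"}
VALUE_KEYWORDS = {"expiry-date", "timeout-absolute", "timeout-min-absolute",
                  "timeout-idle", "timeout-min-idle"}


def parse_admin(line):
    """Parse one config-administrator line into a dict; None for any other line."""
    m = ADMIN_LINE.match(line)
    if not m:
        return None
    user, encrypted, password, rest = m.groups()
    opts = {"user": user, "encrypted": encrypted is not None, "password": password}
    tokens = rest.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAG_KEYWORDS:
            opts[tok] = True
            i += 1
        elif tok in VALUE_KEYWORDS and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} in account {user}")
    return opts


def idle_minutes(opts):
    """Effective idle timeout in minutes (0 = disabled); the obsolete seconds form is rounded to minutes."""
    if "timeout-min-idle" in opts:
        return int(opts["timeout-min-idle"])
    if "timeout-idle" in opts:
        return round(int(opts["timeout-idle"]) / 60)
    return 0


def absolute_minutes(opts):
    """Effective absolute timeout in minutes (0 = disabled)."""
    if "timeout-min-absolute" in opts:
        return int(opts["timeout-min-absolute"])
    if "timeout-absolute" in opts:
        return round(int(opts["timeout-absolute"]) / 60)
    return 0


def parse_expiry(text):
    """expiry-date is YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss."""
    fmt = "%Y:%m:%d:%H:%M:%S" if text.count(":") == 5 else "%Y:%m:%d:%H:%M"
    return datetime.datetime.strptime(text, fmt)


def audit_admins(config_text, now):
    """Return {user: [findings]}; now is a datetime or a string in expiry-date format."""
    if isinstance(now, str):
        now = parse_expiry(now)
    report = {}
    for line in config_text.splitlines():
        opts = parse_admin(line)
        if opts is None:
            continue
        findings = []
        if not opts["encrypted"]:
            findings.append("password appears in clear text (no 'encrypted' keyword)")
        if idle_minutes(opts) == 0:
            findings.append("idle timeout disabled (default 0)")
        if absolute_minutes(opts) == 0:
            findings.append("absolute timeout disabled (default 0)")
        if opts.get("ftp"):
            findings.append("FTP/SFTP access enabled")
        if opts.get("li-administration"):
            findings.append("li-administration privilege granted")
        expiry = opts.get("expiry-date")
        if expiry and parse_expiry(expiry) < now:
            findings.append(f"account expired on {expiry} but is still configured")
        report[opts["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_admins(SAMPLE_CONFIG, datetime.datetime.now()).items():
        print(user, "->", findings or ["ok"])
```

Against the sample, only ops1 passes; user1 (the page's own example) is reported for the clear-text password and both disabled timeouts, and xfer for FTP access, disabled timeouts and a lapsed expiry-date.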
content-filtering
Creates, configures, or deletes
a Content Filtering Server Group (CFSG).
Privilege:
Security Administrator,
Administrator
Syntax
content-filtering
server-group cf_server_group_name [ -noconfirm ]
no content-filtering
server-group cf_server_group_name
no
Removes the specified
CFSG previously configured in this context.
server-group cf_server_group_name
Specifies the name
of the CFSG as an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any prompt and confirmation from the user.
Usage:
Use this command to
create/configure/delete a CFSG.
Example:
The following command
creates a CFSG named
CF_Server1:
content-filtering
server-group CF_Server1
credit-control-service
Creates, configures, or deletes
a credit-control service.
Privilege:
Security Administrator,
Administrator
Syntax
credit-control-service service_name [ -noconfirm ]
no credit-control-service service_name
no
Deletes the specified
credit-control service.
service_name
Specifies name of
the credit-control service as an alphanumeric string of 1 through
63 characters.
If the named credit-control
service does not exist, it is created, and the CLI mode changes
to the Credit Control Service Configuration Mode wherein the service
can be configured.
If the named credit-control
service already exists, the CLI mode changes to the Credit Control
Service Configuration Mode wherein the service can be configured.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create, configure or delete credit-control services.
Entering this command
results in the following prompt:
[context_name]hostname(config-credit-control-service)#
Credit control service
configuration commands are described in the Credit Control Service
Configuration Mode Commands chapter.
Example:
The following command
enters the Credit Control Service Configuration Mode for a credit-control
service named
test159:
credit-control-service test159
crypto group
Creates or deletes
a crypto group and enters the Crypto Configuration Mode allowing
the configuration of crypto group parameters.
Privilege:
Administrator, Config-Administrator
Syntax
[ no ] crypto
group group_name
no
Deletes a previously
configured crypto group.
group_name
Specifies the name
of the crypto group as an alphanumeric string of 1 through 127 characters
that is case sensitive.
IMPORTANT:
A maximum of 32 crypto
groups per context can be configured.
Usage:
Use this command to
enter the configuration mode allowing the configuration of crypto group
parameters.
Crypto (tunnel) groups
are used to support the Redundant IPSec Tunnel Fail-over feature and
consist of two configured ISAKMP crypto maps. Each crypto map defines
the IPSec policy for a tunnel. In the crypto group, one tunnel serves
as the primary, the other as the secondary (redundant).
Example:
The following command
configures a crypto group called
group1:
crypto group group1
crypto ipsec transform-set
Configures transform-sets
on the system and enters the Crypto Trans Configuration Mode.
Privilege:
Security Administrator,
Administrator
Syntax
crypto ipsec transform-set transform_name [ ah { hmac { md5-96 | none | sha1-96 } { esp { hmac { { md5-96 | sha1-96 } { cipher { 3des-cbc | aes-cbc-128 | aes-cbc-256 | des-cbc } } | none } } } } ]
no crypto ipsec transform-set transform_name
no
Removes a previously
configured transform set.
transform_name
Specifies the name
of the transform set as an alphanumeric string of 1 through 127 characters
that is case sensitive.
ah hmac
Configures the Authentication
Header (AH) hash message authentication codes (HMAC) parameter for
the transform set to one of the following:
- md5-96:
Message Digest 5 truncated to 96 bits
- none: Disables
the use of the AH protocol for the transform set.
- sha1-96:
Secure Hash Algorithm-1 truncated to 96 bits
esp hmac
Configures the Encapsulating
Security Payload (ESP) hash message authentication codes (HMAC)
parameter for the transform set to one of the following:
- md5-96:
Message Digest 5 truncated to 96 bits
- none: Disables
the use of the ESP protocol for the transform set.
- sha1-96:
Secure Hash Algorithm-1 truncated to 96 bits
cipher
If ESP is enabled,
this option must be used to set the encapsulation cipher protocol
to one of the following:
- 3des-cbc:
Triple Data Encryption Standard (3DES) in chain block (CBC) mode.
- aes-cbc-128:
Advanced Encryption Standard (AES) in CBC mode with a 128-bit key.
- aes-cbc-256:
Advanced Encryption Standard (AES) in CBC mode with a 256-bit key.
- des-cbc:
DES in CBC mode.
Usage:
Use this command to
create a transform set on the system.
Transform sets are
used to define IPSec security associations (SAs). An IPSec SA specifies
the IPSec protocols used to protect packets.
Transform sets are
used during Phase 2 of IPSec establishment. In this phase, the system and
a peer security gateway negotiate one or more transform sets (IPSec
SAs) containing the rules for protecting packets. This negotiation
ensures that both peers can properly protect and process the packets.
Of the algorithms this command offers, des-cbc (56-bit key) and md5-96
are obsolete and 3des-cbc is deprecated because of its 64-bit block size.
For new configurations prefer aes-cbc-256 or aes-cbc-128 with sha1-96,
and make sure the peer security gateway proposes the same set.
This command applies
to IKEv1. For IKEv2 configuration, refer to the ipsec
transform-set command.
IMPORTANT:
The ah and subsequent
keywords are required when the transform set is initially configured.
Example:
Create a transform
set named
tset1 with
no authentication header, an encapsulating security payload
hash message authentication code of
md5-96, and
a bulk payload encryption algorithm of
des-cbc with
the following command:
crypto ipsec transform-set
tset1 ah hmac none esp hmac md5-96 cipher des-cbc
This combination is shown only to illustrate the syntax; see the note
on algorithm strength under Usage before using it in production.
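The following Python script is an added example and not part of the original reference. It parses crypto ipsec transform-set lines written with the full keywords from the syntax above out of a constructed configuration sample and reports the weak choices discussed under Usage: des-cbc, 3des-cbc, md5-96, an AH-only set with no confidentiality, and a set with neither AH nor ESP. The sample configuration and the wording of the findings are the example's own; tset1 is the page's example transform set.

```python
import re

# Constructed sample (not a real device export). tset1 is the page's example.
SAMPLE_CONFIG = """\
crypto ipsec transform-set tset1 ah hmac none esp hmac md5-96 cipher des-cbc
crypto ipsec transform-set tset2 ah hmac none esp hmac sha1-96 cipher aes-cbc-256
crypto ipsec transform-set tset3 ah hmac sha1-96 esp hmac none
crypto ipsec transform-set tset4 ah hmac md5-96 esp hmac md5-96 cipher 3des-cbc
crypto map map1 ipsec-dynamic
"""

# Grammar taken from the command syntax above: ah hmac {md5-96|sha1-96|none}
# esp hmac {md5-96|sha1-96|none} [cipher {...}] (cipher only when ESP is on).
TS_LINE = re.compile(
    r"^\s*crypto ipsec transform-set (\S+)"
    r" ah hmac (md5-96|sha1-96|none)"
    r" esp hmac (md5-96|sha1-96|none)"
    r"(?: cipher (3des-cbc|aes-cbc-128|aes-cbc-256|des-cbc))?\s*$"
)

WEAK_HMAC = {"md5-96": "HMAC-MD5-96: MD5 is obsolete for new deployments; use sha1-96"}
WEAK_CIPHER = {
    "des-cbc": "single DES: 56-bit key, brute-forceable; use aes-cbc-256",
    "3des-cbc": "3DES: 64-bit block, deprecated (Sweet32); use aes-cbc-256",
}


def parse_transform_set(line):
    """Return {name, ah, esp, cipher} for a transform-set line, or None for other lines."""
    m = TS_LINE.match(line)
    if not m:
        return None
    name, ah, esp, cipher = m.groups()
    return {"name": name, "ah": ah, "esp": esp, "cipher": cipher}


def assess(ts):
    """List the security findings for one parsed transform set (empty list = clean)."""
    findings = []

    def add(msg):
        if msg not in findings:  # ah and esp may share the same weak HMAC
            findings.append(msg)

    if ts["ah"] == "none" and ts["esp"] == "none":
        add("neither AH nor ESP: packets are not authenticated or encrypted")
    if ts["esp"] != "none" and ts["cipher"] is None:
        add("ESP enabled without the cipher keyword the syntax requires")
    if ts["esp"] == "none" and ts["ah"] != "none":
        add("AH only: integrity protection without confidentiality")
    for alg in (ts["ah"], ts["esp"]):
        if alg in WEAK_HMAC:
            add(WEAK_HMAC[alg])
    if ts["cipher"] in WEAK_CIPHER:
        add(WEAK_CIPHER[ts["cipher"]])
    return findings


def audit_transform_sets(config_text):
    """Map every transform set in the configuration text to its findings."""
    parsed = (parse_transform_set(line) for line in config_text.splitlines())
    return {ts["name"]: assess(ts) for ts in parsed if ts}


if __name__ == "__main__":
    for name, findings in audit_transform_sets(SAMPLE_CONFIG).items():
        print(name, "->", findings or ["ok"])
```

Only tset2 comes back clean; the page's tset1 is reported twice (MD5 and single DES), which is the point of the Usage note above.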
crypto map
Configures the name
of the policy and enters the specified Crypto Map Configuration
mode.
Product:
PDSN, HA, GGSN, P-GW, PDIF
Privilege:
Security Administrator,
Administrator
Syntax
crypto map name [ ikev2-ipv6 | ipsec-dynamic | ipsec-ikev1 | ipsec-manual ]
no crypto map name
no
Removes a previously
configured crypto map.
name
Specifies the name
of the crypto map as an alphanumeric string of 1 through 127 characters that
is case sensitive.
ikev2-ipv6
Refer to the Lawful Intercept Configuration
Guide for a description of this parameter.
ipsec-dynamic
Creates a dynamic
crypto map and/or enters the Crypto Map Dynamic Configuration Mode.
ipsec-ikev1
Creates an IKEv1 crypto
map and/or enters the Crypto Map IKEv1 Configuration Mode.
ipsec-manual
Creates a manual crypto
map and/or enters the Crypto Map Manual Configuration Mode.
Usage:
Crypto Maps define
the policies that determine how IPSec is implemented for subscriber data
packets. There are several types of crypto maps supported by the
system. They are:
- Manual crypto maps:
These are static tunnels that use pre-configured information (including
security keys) for establishment. Because they rely on statically
configured information, once created, the tunnels never expire;
they exist until their configuration is deleted.
IMPORTANT:
Because manual crypto
map configurations require the use of static security keys (associations),
they are not as secure as crypto maps that rely on dynamically configured
keys. Therefore, it is recommended that they only be configured
and used for testing purposes.
- IKEv1 crypto maps:
These tunnels are similar to manual crypto maps in that they require
some statically configured information such as the IP address of
a peer security gateway and that they are applied to specific system
interfaces. However, IKEv1 crypto maps offer greater security because
they rely on dynamically generated security associations through
the use of the Internet Key Exchange (IKE) protocol.
- IKEv2-IPv6 crypto
maps: Refer to the Lawful
Intercept Configuration Guide for a description of this parameter.
- Dynamic crypto maps: These
tunnels are used for protecting L2TP-encapsulated data between the
system and an LNS/security gateway or Mobile IP data between
an FA service configured on one system and an HA service configured
on another.
IMPORTANT:
The crypto map type
(dynamic, IKEv1, IKEv2-IPv6, or manual) is specified when the map is
first created using this command.
Example:
Create a dynamic crypto
map named
map1 and
enter the Crypto Map Dynamic Configuration Mode by entering the
following command:
crypto map map1 ipsec-dynamic
crypto template
Creates a new or specifies
an existing crypto template and enters the Crypto Template Configuration
Mode.
Privilege:
Security Administrator,
Administrator
Syntax
crypto template name ikev2-dynamic
no crypto template name
no
Deletes a previously
configured crypto template.
name
Specifies the name
of a new or existing crypto template as an alphanumeric string of
1 through 127 characters.
ikev2-dynamic
Configures the Crypto
Template to be used for configuring IPSec functionality.
Usage:
Use this command to
create a new or enter an existing crypto template.
Entering this command
results in the following prompt:
[context_name]hostname(cfg-crypto-tmpl-ikev2-tunnel)#
Crypto Template Configuration
Mode commands are defined in the Crypto Template Configuration
Mode Commands chapter.
Example:
The following command
configures an IKEv2 dynamic crypto template called
crypto1 and
enters the Crypto Template Configuration Mode:
crypto template crypto1
ikev2-dynamic
cscf access-profile
Creates a new or enters
an existing access profile used to set signaling compression for
various network access types.
Syntax
cscf access-profile { default | name profile_name } [ -noconfirm ]
no cscf access-profile
name profile_name
no
Removes the CSCF access
profile from the context.
default
Specifies that the
system is to enter the Access Profile Configuration Mode for the
default access profile.
name profile_name
Specifies a name for
the access profile as an alphanumeric string of 1 through 79 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create an access profile for the CSCF service and cause the system
to enter the Access Profile Configuration Mode where parameters
are configured for the profile.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-access-profile)#
Access Profile Configuration
Mode commands are defined in the CSCF Access Profile
Configuration Mode Commands chapter.
Example:
The following command
creates a CSCF Access Profile named
profile2 and
enters the Access Profile Configuration Mode:
cscf access-profile
name profile2
cscf acl
Creates an Access
Control List (ACL) and enters the ACL Configuration Mode.
Syntax
cscf acl { default | name list_name } [ -noconfirm ]
no cscf acl name list_name
no
Removes the CSCF ACL
from the context.
default
Specifies that the
system is to enter the ACL Configuration Mode for the default ACL.
name list_name
Specifies a name for
the ACL as an alphanumeric string of 1 through 47 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create an access control list for the CSCF service and cause the system
to enter the ACL Configuration Mode where parameters are configured
for the new list.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-acl)#
ACL Configuration
Mode commands are defined in the CSCF ACL Configuration Mode
Commands chapter.
Use this command when
configuring the following SCM components: P-CSCF, S-CSCF, and SIP
Proxy.
Example:
The following command
creates a CSCF access control list named
acl1 and
enters the ACL Configuration Mode:
cscf acl name acl1
cscf ifc-filter-criteria
Creates Initial Filter
Criteria (iFC) filter criteria for shared iFC functionality.
Product:
SCM (S-CSCF, SIP Proxy)
Syntax
cscf ifc-filter-criteria
id fc_id priority pri [ profile-part-indicator
{ registered | unregistered } ] app-server
uri scheme { sip | sips } as as-default-handling { session-continue | session-terminate } [ service-info info ] [ trigger-point tp_id ] [ -noconfirm ]
no cscf ifc-filter-criteria
id fc_id
no
Removes the specified
CSCF iFC filter criteria from the context.
id fc_id
Specifies an ID for
the iFC filter criteria as an integer from 1 through 200.
priority pri
Specifies the priority
of the filter criteria, which is used to select a particular filter
criteria from multiple ones present under an ISC template. pri must
be an integer from 0 through 1024.
profile-part-indicator { registered | unregistered }
Indicates whether
the iFC is a part of the registered or unregistered user
profile. If a value is not specified, then the configuration will
be applied to both registered and unregistered subscribers.
app-server uri scheme { sip | sips }
Determines the associated
application server’s URI scheme.
sip: SIP
URI
sips: SIPS
URI (TLS)
as
Specifies an address
for the associated application server as an alphanumeric string
of 1 through 127 characters.
as-default-handling { session-continue | session-terminate }
Determines whether
the dialog is released (session-terminate)
or continued (session-continue)
when the application server cannot be reached or returns an
error.
-noconfirm
Executes command without
any additional prompt and confirmation from the user.
service-info info
Specifies optional
service information to be sent to the application server. info is
an alphanumeric string of 1 through 63 characters.
trigger-point tp_id
Assigns an iFC trigger
point to the filter criteria as an integer from 1 through 200.
Usage:
Use this command to
create a filter criteria ID and associate an application server
address to it. You may also define a trigger point ID to be executed
in order to select the application server. If no trigger point is
specified, then the application server is selected unconditionally.
IMPORTANT:
Filter criteria is
associated with an ISC template in the ISC Template Configuration Mode.
IMPORTANT:
Filter criteria can
be assigned to more than one ISC template.
Example:
The following command
creates iFC filter criteria
15, which has
a priority of 2 and is part of the registered user profile. Filter
criteria
15 is
assigned to a SIP application server named
appserver;
the dialog continues if the application server cannot
be reached. Filter criteria
15 is also
assigned trigger point
12:
cscf ifc-filter-criteria
id 15 priority 2 profile-part-indicator registered app-server uri
scheme sip appserver as-default-handling session-continue trigger-point 12
cscf ifc-spt-condition
Creates an Initial
Filter Criteria (iFC) Service Point Trigger (SPT) condition for shared
iFC functionality.
Product:
SCM (S-CSCF, SIP Proxy)
Syntax
cscf ifc-spt-condition
id cond_id { request-uri
content uri_content | session-case { originating-registered | originating-unregistered | terminating-registered | terminating-unregistered } | session-description sdp [ content sdp_data ] | sip-header hdr [ content hdr_data ] | sip-method method } [ -noconfirm ] [ condition-negated ]
no cscf ifc-spt-condition
id cond_id
no
Removes the specified
CSCF iFC SPT condition from the context.
id cond_id
Specifies an ID for
the iFC SPT condition as an integer from 1 through 200.
request-uri content uri_content
Specifies request
URI content as an alphanumeric string of 1 through 127 characters.
IMPORTANT:
Wildcard Extended
Regular Expressions (ERE) are supported for this value. For example, "sip.user[0-9]@192\\.168\\.176\\.150"
session-case { originating-registered | originating-unregistered | terminating-registered | terminating-unregistered }
Determines the type
of session:
- originating-registered:
Session handling an originating end user.
- originating-unregistered:
Session handling an unregistered originating end user.
- terminating-registered:
Session handling a terminating registered end user.
- terminating-unregistered:
Session handling a terminating unregistered end user.
session-description sdp [ content sdp_data ]
Specifies an SDP line
type.
sdp is an
alphanumeric string of 1 through 15 characters.
content specifies
content on the SDP line.
sdp_data is
an alphanumeric string of 1 through 127 characters.
sip-header hdr [ content hdr_data ]
Specifies a header
type.
hdr is an
alphanumeric string of 1 through 127 characters.
content specifies
content on the header.
hdr_data is
an alphanumeric string of 1 through 127 characters.
sip-method method
Specifies a SIP method.
method is
an alphanumeric string of 1 through 127 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
condition-negated
Negates the specified
condition.
Usage:
Use this command to
create individual SPT conditions that are later associated with
an SPT group in the iFC SPT Group Configuration Mode.
IMPORTANT:
An iFC SPT group may
be associated with multiple SPT conditions.
Example:
The following command
creates iFC SPT condition
10 which handles
an originating end user:
cscf ifc-spt-condition
id 10 session-case originating-registered
The following command
negates the condition created above:
cscf ifc-spt-condition
id 10 session-case originating-registered condition-negated
cscf ifc-spt-group
Creates an Initial
Filter Criteria (iFC) Service Point Trigger (SPT) group for shared
iFC functionality.
Product:
SCM (S-CSCF, SIP Proxy)
Syntax
cscf ifc-spt-group
id group_id [ [ -noconfirm ] |
reg-type { de-registration | initial-registration | re-registration } [ -noconfirm ] ]
no cscf ifc-spt-group
id group_id
no
Removes the specified
CSCF iFC SPT group from the context.
id group_id
Specifies an ID for
the iFC SPT group as an integer from 1 through 200.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
reg-type { de-registration | initial-registration | re-registration }
Defines whether the
SPT condition matches to REGISTER messages that are related to:
- de-registration
- initial-registration
- re-registration
Usage:
Use this command to
create an iFC SPT group ID and bind different SPT conditions under it.
IMPORTANT:
An iFC SPT group may
be associated with multiple SPT conditions.
The SPT group can
also specify the registration type that defines whether the SPT condition
matches to REGISTER messages that are related to initial registrations,
re-registrations, or de-registrations.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-ifc-spt-group)#
iFC SPT Group Configuration
Mode commands are defined in the CSCF IFC SPT Group
Configuration Mode Commands chapter.
Example:
The following command
creates iFC SPT group
21:
cscf ifc-spt-group
id 21
cscf ifc-trigger-point
Creates an Initial
Filter Criteria (iFC) trigger point for shared iFC functionality.
Product:
SCM (S-CSCF, SIP Proxy)
Syntax
cscf ifc-trigger-point
id tp_id condition-type { cnf | dnf } [ -noconfirm ]
no cscf ifc-trigger-point
id tp_id
no
Removes the specified
CSCF iFC trigger point from the context.
id tp_id
Specifies an ID for
the iFC trigger point as an integer from 1 through 200.
condition-type { cnf | dnf }
Defines the condition
type of the iFC trigger point:
cnf: conjunctive
normal form
dnf: disjunctive
normal form
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create a trigger point ID and bind different SPT groups under it.
IMPORTANT:
An iFC SPT group can
be assigned to more than one iFC trigger point.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-ifc-trigger-point)#
IFC Trigger Point
Configuration Mode commands are defined in the CSCF IFC Trigger Point
Configuration Mode Commands chapter.
Example:
The following command
creates iFC trigger point
11 with
a
cnf condition
type:
cscf ifc-trigger-point
id 11 condition-type cnf
cscf isc-template
Creates an IMS Service
Control (ISC) template and enters the ISC Template Configuration
Mode.
Syntax
[ no ] cscf
isc-template id template_id
no
Removes the CSCF ISC
template from the context.
cscf isc-template
id template_id
Specifies an ID for
the ISC template as an integer from 1 through 200.
Usage:
Use this command to
create an ISC template for the CSCF service and cause the system
to enter the ISC Template Configuration Mode where parameters are
configured for the new template.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-isc-tmpl)#
ISC Template Configuration
Mode commands are defined in the CSCF ISC Template Configuration
Mode Commands chapter.
Use this command when
configuring the following SCM component: S-CSCF.
Example:
The following command
creates ISC template
10 and
enters the ISC Template Configuration Mode:
cscf isc-template id 10
cscf last-route-profile
Creates a last route
profile, which will be specified on peer server configuration to
select the Last Routing Option (LRO) number while forwarding an
emergency call packet to a particular peering server, and enters
the Last Route Profile Criteria Configuration Mode.
Syntax
cscf last-route-profile
name profile_name criteria { county-name | round-robin } [ -noconfirm ]
no cscf last-route-profile
name profile_name
no
Removes the specified
CSCF last route profile from the context.
name profile_name
Specifies the name
of the last route profile as an alphanumeric string of 1 through
79 characters.
criteria { county-name | round-robin }
county-name:
Profile specific to the county-name criteria.
Entering this command
results in the following prompt:
[context_name]hostname(config-county-name-lro-profile)#
Last Route Profile
Criteria Configuration Mode commands are defined in the CSCF Last Route Profile
Criteria Configuration Mode Commands chapter.
round-robin:
Profile specific to the round-robin criteria.
Entering this command
results in the following prompt:
[context_name]hostname(config-round-robin-lro-profile)#
Last Route Profile
Criteria Configuration Mode commands are defined in the CSCF Last Route Profile
Criteria Configuration Mode Commands chapter.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create a last route profile and enter the Last Route Profile Criteria Configuration
Mode.
IMPORTANT:
Last route profiles
are associated with peer servers in the CSCF Peer Server Monitoring Configuration
Mode.
Use this command when
configuring the following SCM components: S-CSCF and SIP Proxy.
Example:
The following command
creates a last route profile named
lro1 and
enters the CSCF Last Route Profile Criteria Configuration Mode to
specify county name criteria:
cscf last-route-profile
name lro1 criteria county-name
The following command
creates a last route profile named
lro2 and
enters the CSCF Last Route Profile Criteria Configuration Mode to
specify round robin criteria:
cscf last-route-profile
name lro2 criteria round-robin
cscf peer-servers
Creates a peer server
type for next-hop session routing and enters the Peer Servers Configuration
Mode.
Syntax
cscf peer-servers server_name type { type } [ -noconfirm ]
no cscf peer-servers server_name
no
Removes the specified
CSCF peer server from the context.
server_name
Specifies the name
of the peer server as an alphanumeric string of 1 through 79 characters.
type { type }
Specifies the type
of peer server to configure:
- bgcf: Border Gateway Control Function
- ecscf: Emergency Call/Session Control Function
- ibcf: Interconnect Border Control Function
- icscf: Interrogating Call/Session Control Function
- mgcf: Media Gateway Control Function
- mrfc: Media Resource Function Controller
- other: Other Function
- pcscf: Proxy Call/Session Control Function
- scscf: Serving Call/Session Control Function
- sip-as: Session Initiation Protocol-Application Server
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create a specific peer server and enter the Peer Servers Configuration Mode
where connectivity parameters can be entered.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-peer-servers)#
Peer Servers Configuration
Mode commands are defined in the CSCF Peer Servers Configuration
Mode Commands chapter.
Use this command when
configuring the following SCM components: E-CSCF, P-CSCF, S-CSCF,
and SIP Proxy.
Example:
The following command
creates an I-CSCF server type called
icscf_peer1 and
enters the Peer Servers Configuration Mode:
cscf peer-servers
icscf_peer1 type icscf
cscf policy
Creates a policy group
for specific AoR profiles and enters the Policy Configuration Mode.
Syntax
cscf policy { default | name policy_name [ -noconfirm ] }
no cscf policy name policy_name
no
Removes the specified
CSCF policy group from the context.
default
Specifies that the
system is to enter the AoR Policy Rules Configuration Mode for the default
policy. The default policy uses AoR policy rules.
Entering this command
results in the following prompt:
[context_name]hostname(config-aor-policy)#
Default (AoR) Policy
Configuration Mode commands are defined in the CSCF AoR Policy Rules
Configuration Mode Commands chapter.
name policy_name
Specifies the name
of the policy group as an alphanumeric string of 1 through 79 characters.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-policy)#
Policy Configuration
Mode commands are defined in the CSCF Policy Configuration Mode
Commands chapter.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create a policy group and enter either the AoR Policy Rules Configuration
Mode (default)
or Policy Configuration Mode (name policy_name).
Use this command when
configuring the following SCM components: P-CSCF, S-CSCF, and SIP
Proxy.
Example:
The following command
creates a policy group named
group2 and
enters the CSCF Policy Configuration Mode:
cscf policy name group2
cscf routes
Creates a route group
for specifying routing information and enters the Routes Configuration
Mode.
Syntax
cscf routes { default | name route_name [ -noconfirm ] }
no cscf routes name route_name
no
Removes the specified
CSCF route group from the context.
default
Specifies that the
system is to enter the Routes Configuration Mode for the default
route group.
name route_name
Specifies the name
of the route group as an alphanumeric string of 1 through 79 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create a route group and enter the Routes Configuration Mode.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-route)#
Routes Configuration
Mode commands are defined in the CSCF Routes Configuration Mode
Commands chapter.
Use this command when
configuring the following SCM components: P-CSCF, S-CSCF, SIP Proxy.
Example:
The following command
creates a route group named
route_group5 and
enters the Route Group Configuration Mode:
cscf routes name route_group5
cscf service
Creates a CSCF service
or specifies an existing CSCF service and enters the CSCF Service
Configuration Mode for the current context.
Syntax
[ no ] cscf
service service_name [ -noconfirm ]
no
Removes the specified
CSCF service from the context.
service_name
Specifies the name
of the CSCF service. If service_name does not
refer to an existing service, the new service is created if resources
allow.
service_name is
an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Enter the CSCF Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system
handoffs). Therefore, it is recommended that a large number of services
only be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-service)#
CSCF Service Configuration
Mode commands are defined in the CSCF Service Configuration
Mode Commands chapter.
Use this command when
configuring the following SCM components: P-CSCF, S-CSCF, SIP Proxy.
Example:
The following command
enters the existing CSCF Service Configuration Mode (or creates
it if it does not already exist) for the service named
cscf-service1:
cscf service cscf-service1
The following command
will remove
cscf-service1 from
the system:
no cscf service cscf-service1
cscf session-template
Creates a session
template and/or enters the Session Template Configuration Mode.
Syntax
cscf session-template { default | name template_name [ -noconfirm ] }
no cscf session-template
name template_name
no
Removes the specified
CSCF session template from the context.
default
Specifies that the
system is to enter the Session Template Configuration Mode for the
default session template.
name template_name
Specifies a name for
the template as an alphanumeric string of 1 through 79 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create a new session template and enter the Session Template Configuration
Mode or enter the mode for an existing template.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-session-template)#
Session Template Configuration
Mode commands are defined in the CSCF Session Template
Configuration Mode Commands chapter.
Use this command when
configuring the following SCM components: P-CSCF, S-CSCF, SIP Proxy.
Example:
The following command
enters the Session Template Configuration Mode for a template named
sess_temp4:
cscf session-template
name sess_temp4
cscf subdomain-routes
Creates subdomain-route
list and enters the Subdomain-route List Configuration Mode.
Syntax
[ no ] cscf
subdomain-routes
no
Removes the CSCF subdomain-route
list from the context.
Usage:
Use this command to
create a subdomain-route list and enter the Subdomain-route List Configuration
Mode.
I-CSCF, upon receiving
the terminating request, checks the subdomain-route list for matches.
If a match is found, the routing will happen based on it. Otherwise,
I-CSCF performs a User Location Query (Location-Information-Request)
before proceeding.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-subdomain-route)#
Subdomain-route List
Configuration Mode commands are defined in the CSCF Subdomain-route
List Configuration Mode Commands chapter.
Example:
The following command
enters the Subdomain-route List Configuration Mode:
cscf subdomain-routes
cscf translation
Creates a translation
list and enters the Translation Configuration Mode.
Syntax
cscf translation { default | name list_name [ -noconfirm ] }
no cscf translation
name list_name
no
Removes the specified
CSCF translation list from the context.
default
Specifies that the
system is to enter the Translation Configuration Mode for the default translation
list.
name list_name
Specifies a name for
the translation list as an alphanumeric string of 1 through 79 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create a new translation list and enter the Translation Configuration Mode
or enter the mode for an existing list.
Translation lists
are used to modify or replace a request-URI such as an E.164 number.
For example, a translation list can be configured to append digits
to the end of a number or replace a domain name with another.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-translation)#
Translation Configuration
Mode commands are defined in the CSCF Translation Configuration
Mode Commands chapter.
Use this command when
configuring the following SCM components: P-CSCF, S-CSCF, SIP Proxy.
Example:
The following command
enters the Translation Configuration Mode for a translation list named
trans_list3:
cscf translation name trans_list3
cscf urn-service-list
Creates a URN service
list and enters the URN List Configuration Mode.
Syntax
cscf urn-service-list { default | name list_name [ -noconfirm ] }
no cscf urn-service-list
name list_name
no
Removes the specified
CSCF URN service list from the context.
default
Specifies that the
system is to enter the URN List Configuration Mode for the default
URN service list.
name list_name
Specifies a name for
the URN service list as an alphanumeric string of 1 through 79 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create a URN service list name and enter the URN List Configuration
Mode. URN lists contain URN to URI mappings used for emergency and location-based
services. A URN service list is selected by a CSCF session template.
Entering this command
results in the following prompt:
[context_name]hostname(config-cscf-service-urn)#
URN List Configuration
Mode commands are defined in the CSCF URN List Configuration
Mode Commands chapter.
Use this command when
configuring the following SCM components: P-CSCF.
Example:
The following command
enters the URN List Configuration Mode for a URN list named
urn_list1:
cscf urn-service-list
name urn_list1
css server
In StarOS 9.0 and later releases this command is obsolete; in earlier
releases it is restricted.
dhcp-service
Adds a Dynamic Host Configuration Protocol (DHCP) service instance to
the current context and enters the configuration mode for that service.
Privilege:
Security Administrator,
Administrator
Syntax
dhcp-service service_name [ no ] allow dhcp-relay-agent-auth-suboption [ -noconfirm ]
no dhcp-service service_name
no
Removes a previously
configured DHCP service from the current context.
service_name
Specifies the name
of the DHCP service as an alphanumeric string of 1 through 63 characters
that is case sensitive.
allow dhcp-relay-agent-auth-suboption
The DHCP Relay Agent
Information Option conveys information between a DHCP Relay Agent
and a DHCP server. This specification defines an authentication
suboption for that option, containing a keyed hash in its payload.
The suboption supports data integrity and replay protection for
relayed DHCP messages.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
DANGER:
If this keyword option is used with the no dhcp-service service_name
command, the DHCP service named service_name is deleted, together with
all of its active and inactive subscribers, without any warning or
confirmation prompt.
Usage:
Use this command to
add a DHCP service to a context configured on the system and enter the
DHCP Service Configuration Mode. A DHCP service is a logical grouping
of external DHCP servers.
The DHCP Configuration
Mode provides parameters that dictate the system’s communication
with one or more of these DHCP servers.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (i.e. resulting from such things as system handoffs).
Therefore, it is recommended that a large number of services only
be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Refer to the DHCP Service Configuration
Mode chapter of this reference for additional information.
Example:
The following command creates a DHCP service called dhcp1 and enters
the DHCP Service Configuration Mode:
dhcp-service dhcp1
diameter accounting
This command configures
Diameter accounting related settings.
Privilege:
Security Administrator,
Administrator
Syntax
diameter accounting { dictionary { aaa-custom1 | aaa-custom10 | aaa-custom2 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq | rf-plus } | endpoint endpoint_name | hd-mode fall-back-to-local | hd-storage-policy hd_policy | max-retries max_retries | max-transmissions transmissions | request-timeout duration | server host_name priority priority }
default diameter accounting { dictionary | hd-mode | max-retries | max-transmissions | request-timeout }
no diameter accounting { endpoint | hd-mode | hd-storage-policy | max-retries | max-transmissions | server host_name }
no diameter accounting { endpoint | hd-mode | hd-storage-policy | max-retries | max-transmissions | server host_name }
endpoint:
Removes the currently configured accounting endpoint. The default
accounting server configured in the default AAA group will be used.
hd-mode:
Sends records to the Diameter server, if all Diameter servers are
down or unreachable, then copies records to the local HDD and periodically retries
the Diameter server.
hd-storage-policy:
Disables use of the specified HD storage policy.
max-retries:
Disables the retry attempts for Diameter accounting in this AAA
group.
max-transmissions:
Disables the maximum number of transmission attempts for Diameter
accounting in this AAA group.
server host_name:
Removes the Diameter host host_name from
this AAA server group for Diameter accounting.
default diameter accounting { dictionary | hd-mode | max-retries | max-transmissions | request-timeout }
dictionary:
Sets the context’s dictionary to the default.
hd-mode:
Sends records to the Diameter server, if all Diameter servers are
down or unreachable, then copies records to the local HDD and periodically retries
the Diameter server.
max-retries:
0 (disabled)
max-transmissions:
0 (disabled)
request-timeout:
20 seconds
dictionary { aaa-custom1 | aaa-custom10 | aaa-custom2 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq | rf-plus }
Specifies the Diameter
accounting dictionary.
aaa-custom1 ... aaa-custom10:
Configures the custom dictionaries. Even though the CLI syntax supports
several custom dictionaries, not necessarily all of them have been
defined. If a custom dictionary that has not been implemented is
selected, the default dictionary will be used.
nasreq:
nasreq dictionary—the dictionary defined by RFC 3588.
rf-plus:
RF Plus dictionary.
endpoint endpoint_name
Enables Diameter to
be used for accounting, and specifies which Diameter endpoint to use.
endpoint_name is
an alphanumeric string of 1 through 63 characters.
hd-mode fall-back-to-local
Specifies that records
be copied to the local HDD if the Diameter server is down or unreachable.
CDF/CGF will pull the records through SFTP.
hd-storage-policy hd_policy
Specifies the HD Storage
policy name.
hd_policy must
be the name of a configured HD Storage policy, expressed as an alphanumeric
string of 1 through 63 characters.
HD storage policies
are configured through the Global Configuration Mode.
This and the hd-mode command
are used to enable the storage of Rf Diameter Messages to HDD in
case all Diameter Servers are down or unreachable.
max-retries max_retries
Specifies how many
times a Diameter request should be retried with the same server,
if the server fails to respond to a request.
max_retries specifies
the maximum number of retry attempts. The value must be an integer
from 1 through 1000.
Default: 0
max-transmissions transmissions
Specifies the maximum
number of transmission attempts for a Diameter request. Use this
in conjunction with the “max-retries max_retries” option
to control how many servers will be attempted to communicate with.
transmissions specifies
the maximum number of transmission attempts for a Diameter request.
The value must be an integer from 1 through 1000. Default: 0
request-timeout duration
Specifies how long
the system will wait for a response from a Diameter server before
re-transmitting the request.
duration specifies
the number of seconds the system will wait for a response from a
Diameter server before re-transmitting the request. This value must
be an integer from 1 through 3600. Default: 20
server host_name priority priority
Specifies the current
context Diameter accounting server’s host name and priority.
host_name specifies
the Diameter host name, expressed as an alphanumeric string of 1
through 63 characters.
priority specifies
the relative priority of this Diameter host. The priority is used
in server selection. The priority must be an integer from 1 through 1000.
Usage:
Use this command to
manage the Diameter accounting options according to the Diameter server
used for the context.
Example:
The following command
configures the Diameter accounting dictionary as
aaa-custom4:
diameter accounting
dictionary aaa-custom4
The following command
configures the Diameter endpoint named
aaaa_test:
diameter accounting
endpoint aaaa_test
diameter authentication
This command configures
Diameter authentication related settings.
Privilege:
Security Administrator,
Administrator
Syntax
diameter authentication { dictionary { aaa-custom1 | aaa-custom10 | aaa-custom11 | aaa-custom12 | aaa-custom13 | aaa-custom14 | aaa-custom15 | aaa-custom16 | aaa-custom17 | aaa-custom18 | aaa-custom19 | aaa-custom2 | aaa-custom20 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq } | endpoint endpoint_name | max-retries max_retries | max-transmissions transmissions | redirect-host-avp { just-primary | primary-then-secondary } | request-timeout duration | server host_name priority priority }
default diameter authentication { dictionary | max-retries | max-transmissions | redirect-host-avp | request-timeout }
no diameter authentication { endpoint | max-retries | max-transmissions | server host_name }
no diameter authentication { endpoint | max-retries | max-transmissions | server host_name }
- endpoint:
Removes the authentication endpoint. The default server configured
in default AAA group will be used.
- max-retries:
Disables the retry attempts for Diameter authentication in this
AAA group.
- max-transmissions:
Disables the maximum transmission attempts for Diameter authentication
in this AAA group.
- server host_name: Removes
the Diameter host host_name from
this AAA server group for Diameter authentication.
default diameter authentication { dictionary | max-retries | max-transmissions | redirect-host-avp | request-timeout }
Configures default
setting for specified parameter.
- dictionary:
Sets the context’s dictionary to the default.
- max-retries:
Sets the retry attempts for Diameter authentication requests in
this AAA group to default 0 (disable).
- max-transmissions:
Sets the configured maximum transmission attempts for Diameter authentication
in this AAA group to default 0 (disable).
- redirect-host-avp:
Sets the redirect choice to default (just-primary).
- request-timeout:
Sets the timeout duration, in seconds, for Diameter authentication
requests in this AAA group to default (20).
dictionary { aaa-custom1 | aaa-custom10 | aaa-custom11 | aaa-custom12 | aaa-custom13 | aaa-custom14 | aaa-custom15 | aaa-custom16 | aaa-custom17 | aaa-custom18 | aaa-custom19 | aaa-custom2 | aaa-custom20 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq }
Specifies the Diameter
authentication dictionary.
aaa-custom1 ... aaa-custom8,
aaa-custom10 ... aaa-custom20: Configures the custom dictionaries.
Even though the CLI syntax supports several custom dictionaries,
not necessarily all of them have been defined. If a custom dictionary
that has not been implemented is selected, the default dictionary
will be used.
IMPORTANT:
aaa-custom11 dictionary
is only available in Release 8.1 and later. aaa-custom12 to aaa-custom20 dictionaries
are only available in Release 9.0 and later releases.
aaa-custom9:
Configures the STa standard dictionary.
nasreq:
nasreq dictionary—the dictionary defined by RFC 3588.
endpoint endpoint_name
Enables Diameter to
be used for authentication, and specifies which Diameter endpoint
to use.
endpoint_name is
an alphanumeric string of 1 through 63 characters.
max-retries max_retries
Specifies how many
times a Diameter authentication request should be retried with the
same server, if the server fails to respond to a request.
max_retries specifies
the maximum number of retry attempts, and must be an integer from
1 through 1000. Default: 0
max-transmissions transmissions
Specifies the maximum
number of transmission attempts for a Diameter authentication request.
Use this in conjunction with the “max-retries max_retries” option
to control how many servers will be attempted to communicate with.
transmissions specifies
the maximum number of transmission attempts, and must be an integer
from 1 through 1000. Default: 0
redirect-host-avp { just-primary | primary-then-secondary }
Specifies whether
to use just one returned AVP, or use the first returned AVP as selecting
the primary host and the second returned AVP as selecting the secondary
host.
just-primary:
Redirect only to primary host.
primary-then-secondary:
Redirect to primary host, if fails then redirect to the secondary
host.
Default: just-primary
request-timeout duration
Specifies how long
the system will wait for a response from a Diameter server before
re-transmitting the request.
duration specifies
the number of seconds the system will wait for a response from a
Diameter server before re-transmitting the request, and must be
an integer from 1 through 3600. Default: 20
server host_name priority priority
Specifies the current
context Diameter authentication server’s host name and
priority.
host_name specifies
the Diameter host name, expressed as an alphanumeric string of 1
through 63 characters.
priority specifies
the relative priority of this Diameter host, and must be an integer
from 1 through 1000. The priority is used in server selection.
Usage:
Use this command to
manage the Diameter authentication configurations according to the Diameter
server used for the context.
Example:
The following command
configures the Diameter authentication dictionary
aaa-custom14:
diameter authentication
dictionary aaa-custom14
The following command
configures the Diameter endpoint named
aaau1:
diameter authentication
endpoint aaau1
diameter authentication
failure-handling
This command configures
error handling for Diameter EAP requests.
Privilege:
Security Administrator,
Administrator
Syntax
diameter authentication
failure-handling { authorization-request | eap-request | eap-termination-request } { request-timeout
action { continue | retry-and-terminate | terminate } | result-code result_code { [ to end_result_code ] action { continue | retry-and-terminate | terminate } } }
no diameter authentication
failure-handling { authorization-request | eap-request | eap-termination-request } result-code result_code [ to end_result_code ]
default diameter authentication
failure-handling { authorization-request | eap-request | eap-termination-request } request-timeout
action
no
Disables Diameter
authentication failure handling.
default
Configures the default
Diameter authentication failure handling setting.
authorization-request
Specifies that failure
handling is to be performed on Diameter authorization request messages
(AAR/AAA).
eap-request
Specifies configuring
failure handling for EAP requests.
eap-termination-request
Specifies configuring
failure handling for EAP termination requests.
request-timeout action { continue | retry-and-terminate | terminate }
Specifies the action
to be taken for failures:
- continue:
Continues the session
- retry-and-terminate:
First retries, if it fails then terminates the session
- terminate:
Terminates the session
result-code result_code { [ to end_result_code ] action { continue | retry-and-terminate | terminate } }
result_code:
Specifies the result code, must be an integer from 1 through 65535.
to end_result_code:
Specifies the upper limit of a range of result codes. end_result_code must
be greater than result_code.
action { continue | retry-and-terminate | terminate }:
Specifies action to be taken for failures:
- continue:
Continues the session
- retry-and-terminate:
First retries, if it fails then terminates the session
- terminate:
Terminates the session
Usage:
Use this command to configure error handling for Diameter EAP,
EAP-termination, and authorization requests.
Specific actions (continue, retry-and-terminate, or terminate) can
be associated with each possible result-code. Ranges of result codes
can be defined with the same action, or actions can be specific
on a per-result code basis.
Example:
The following commands configure result codes 5001, 5002, 5004, and 5005
to use action continue and result code 5003 to use action terminate:
diameter authentication
failure-handling eap-request result-code 5002 to 5005 action continue
diameter authentication
failure-handling eap-request result-code 5003 action terminate
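The following is an added example, not StarOS code, that models how the result-code rules above resolve: it parses the CLI lines into rules and answers which action applies to a given Diameter result code. It assumes (as the page's example implies but does not state) that a single-code rule overrides a range rule covering the same code, and that an unconfigured code has no action.

```python
"""Resolution model for 'diameter authentication failure-handling' rules.

Added example, not StarOS code: it parses the CLI forms shown above into
rules and answers which action applies to a Diameter result code.
Assumption (implied by the page's example, not stated): when a single-code
rule and a range rule both cover a code, the narrower rule wins.
"""
from dataclasses import dataclass

ACTIONS = ("continue", "retry-and-terminate", "terminate")
REQUEST_TYPES = ("authorization-request", "eap-request", "eap-termination-request")


@dataclass(frozen=True)
class ResultCodeRule:
    request_type: str
    start: int
    end: int  # equals start for a single-code rule
    action: str

    def __post_init__(self):
        if self.request_type not in REQUEST_TYPES:
            raise ValueError(f"unknown request type {self.request_type!r}")
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if not 1 <= self.start <= 65535:
            raise ValueError("result_code must be an integer from 1 through 65535")
        if self.end != self.start and not self.start < self.end <= 65535:
            raise ValueError("end_result_code must be greater than result_code")

    def covers(self, code):
        return self.start <= code <= self.end


class FailureHandling:
    """Failure-handling table for one context, keyed by request type."""

    def __init__(self):
        self.rules = []           # list of ResultCodeRule
        self.timeout_action = {}  # request type -> action on request-timeout

    def set_result_code(self, request_type, start, action, end=None):
        rule = ResultCodeRule(request_type, start, start if end is None else end, action)
        self.remove_result_code(request_type, start, end)  # re-entering replaces
        self.rules.append(rule)

    def remove_result_code(self, request_type, start, end=None):
        stop = start if end is None else end
        self.rules = [r for r in self.rules if not (
            r.request_type == request_type and r.start == start and r.end == stop)]

    def set_request_timeout(self, request_type, action):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.timeout_action[request_type] = action

    def action_for(self, request_type, result_code=None, timed_out=False):
        """Action to apply, or None when nothing is configured for this case."""
        if timed_out:
            return self.timeout_action.get(request_type)
        if result_code is None:
            return None
        hits = [r for r in self.rules
                if r.request_type == request_type and r.covers(result_code)]
        if not hits:
            return None
        return min(hits, key=lambda r: r.end - r.start).action  # narrowest wins


def apply_cli(fh, line):
    """Apply one CLI line (the 'no ...' form included) to the table."""
    toks = line.split()
    negate = toks[:1] == ["no"]
    if negate:
        toks = toks[1:]
    if toks[:3] != ["diameter", "authentication", "failure-handling"]:
        raise ValueError(f"not a failure-handling command: {line!r}")
    request_type, selector = toks[3], toks[4]
    if selector == "request-timeout" and not negate and toks[5:6] == ["action"]:
        fh.set_request_timeout(request_type, toks[6])
    elif selector == "result-code":
        start, i, end = int(toks[5]), 6, None
        if toks[i:i + 1] == ["to"]:  # optional 'to end_result_code'
            end, i = int(toks[i + 1]), i + 2
        if negate:
            fh.remove_result_code(request_type, start, end)
        elif toks[i:i + 1] == ["action"]:
            fh.set_result_code(request_type, start, toks[i + 1], end)
        else:
            raise ValueError(f"missing action in {line!r}")
    else:
        raise ValueError(f"unsupported form: {line!r}")


def page_example():
    """The two commands from the example above plus a constructed timeout rule."""
    fh = FailureHandling()
    apply_cli(fh, "diameter authentication failure-handling eap-request result-code 5002 to 5005 action continue")
    apply_cli(fh, "diameter authentication failure-handling eap-request result-code 5003 action terminate")
    apply_cli(fh, "diameter authentication failure-handling eap-request request-timeout action retry-and-terminate")
    return fh
```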
diameter dictionary
This command is deprecated
and is replaced by the diameter accounting
dictionary and diameter authentication
dictionary commands. See diameter accounting and diameter authentication commands respectively.
diameter endpoint
This command enables
the creation, configuration or deletion of a Diameter endpoint.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] diameter
endpoint endpoint_name [ -noconfirm ]
no
Removes the specified
Diameter endpoint.
endpoint_name
Specifies name of
the Diameter endpoint as an alphanumeric string of 1 through 63 characters
that should be unique within the system.
If the named endpoint
does not exist, it is created, and the CLI mode changes to the Diameter
Endpoint Configuration Mode wherein the endpoint can be configured.
If the named endpoint
already exists, the CLI mode changes to the Diameter Endpoint Configuration
Mode wherein the endpoint can be reconfigured.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create/configure/delete a Diameter origin endpoint.
Entering this command
results in the following prompt:
[context_name]hostname(config-ctx-diameter)
Diameter origin endpoint
configuration commands are described in the Diameter Endpoint Configuration
Mode Commands chapter.
Example:
The following command
changes to the Diameter Endpoint Configuration CLI mode for Diameter
origin endpoint named
test13:
diameter endpoint test13
diameter sctp
This command configures
Diameter SCTP parameters for all Diameter endpoints within the context.
Privilege:
Security Administrator,
Administrator
Syntax
diameter sctp { heartbeat-interval interval | path max-retransmissions retransmissions }
default diameter sctp { heartbeat-interval | path
max-retransmissions }
default
Configures this command
with the default settings.
- heartbeat-interval:
Sets the heartbeat interval to the default value.
- path max-retransmissions:
Sets the SCTP path maximum retransmissions to the default value.
heartbeat-interval interval
Specifies the time
interval between heartbeat chunks sent to a destination transport
address in seconds.
interval must
be an integer from 1 through 255.
Default: 30 seconds
path max-retransmissions retransmissions
Specifies the maximum
number of consecutive retransmissions over a destination transport address
of a peer endpoint before it is marked as inactive.
retransmissions must
be an integer from 1 through 10.
Default: 10
Usage:
Use this command to
configure Diameter SCTP parameters for all diameter endpoints within
the context.
Example:
The following command
configures the heartbeat interval to
60 seconds:
diameter sctp heartbeat-interval 60
The following command
configures the maximum number of consecutive retransmissions to
6, after
which the endpoint is marked as inactive:
diameter sctp path
max-retransmissions 6
diameter origin
This command is deprecated
and is replaced by the diameter endpoint command.
dns-client
Creates a DNS client
and/or enters the DNS Client Configuration Mode.
Product:
ePDG, SCM, SGSN, MME, P-GW
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] dns-client name [ -noconfirm ]
no
Removes the specified
DNS client from the context.
dns-client name
Specifies a name for
the DNS client as an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
create a new DNS client and enter the DNS Client Configuration Mode
or enter the mode for an existing client.
Entering this command
results in the following prompt:
[context_name]hostname(config-dns-client)#
DNS Client Configuration
Mode commands are defined in the DNS Client Configuration
Mode Commands chapter.
Example:
The following command
enters the DNS Client Configuration Mode for a DNS client named
dns1:
dns-client dns1
domain
Configures a domain
alias for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
domain [ * ]domain_name [ default
subscriber subscriber_template_name ]
no domain [ * ]domain_name
no
Indicates the domain
specified is to be removed as an alias to the current context.
[ * ]domain_name
domain_name specifies
the domain alias to create/remove from the current context.
If the domain portion of a subscriber's user name matches this value,
the current context is used for that subscriber.
domain_name must
be an alphanumeric string of 1 through 79 characters. The domain
name can contain all special characters, however note that the character * (wildcard
character) is only allowed at the beginning of the domain name.
If the domain name
is prefixed with * (wildcard character), and an exact match
is not found for the domain portion of a subscriber’s user
name, subdomains of the domain name are matched. For example, if
the domain portion of a subscriber’s user name is abc.xyz.com
and you use the domain command domain *xyz.com it
matches. But if you do not use the wildcard (domain xyz.com)
it does not match.
IMPORTANT:
The domain alias specified
must not conflict with the name of any existing context or domain
names.
default subscriber subscriber_template_name
Specifies the name
of the subscriber template to apply to subscribers using this domain alias.
subscriber_template_name must
be an alphanumeric string of 1 through 127 characters. If this keyword
is not specified the default subscriber configuration in the current
context is used.
Usage:
Use this command to configure a domain alias when a single context may
be used to support multiple domains via aliasing.
Example:
domain sampleDomain.net
no domain sampleDomain.net
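The following is an added example, not StarOS code, that models the alias matching described above: exact match first, then subdomain matching for aliases prefixed with *, plus the rule that * is only allowed at the start. It assumes case-insensitive comparison, that a wildcard matches only on a label boundary (*xyz.com does not match notxyz.com), and that the first context configured wins when several aliases match; the sample contexts are constructed.

```python
"""Model of StarOS 'domain' alias matching for context selection.

Added example, not StarOS code.  Assumptions: aliases and user names compare
case-insensitively, a wildcard alias matches only whole subdomain labels
('*xyz.com' does not match 'notxyz.com'), and the first context configured
wins when two aliases both match.
"""
from dataclasses import dataclass, field


@dataclass
class Context:
    """A context and its 'domain' aliases: alias -> default subscriber template."""
    name: str
    aliases: dict = field(default_factory=dict)


def is_valid_alias(alias):
    """1 through 79 characters; '*' is permitted only as the first character."""
    return 1 <= len(alias) <= 79 and "*" not in alias[1:]


def alias_matches(alias, domain):
    """True if the configured alias matches the domain portion of a user name."""
    alias, domain = alias.lower(), domain.lower()
    if not alias.startswith("*"):
        return domain == alias  # no wildcard: exact match only
    base = alias[1:]
    # wildcard: the domain itself or any subdomain, on a label boundary (assumption)
    return domain == base or domain.endswith("." + base)


def select_context(contexts, username):
    """Return (context name, subscriber template or None), or None if no alias matches.

    An exact match on the alias text (wildcard stripped) is tried before
    subdomain matching, as the page describes.
    """
    if "@" not in username:
        return None
    domain = username.rsplit("@", 1)[1].lower()
    for ctx in contexts:
        for alias, template in ctx.aliases.items():
            if not is_valid_alias(alias):
                raise ValueError(f"invalid domain alias {alias!r} in context {ctx.name}")
            if alias.lower().lstrip("*") == domain:
                return ctx.name, template
    for ctx in contexts:
        for alias, template in ctx.aliases.items():
            if alias.startswith("*") and alias_matches(alias, domain):
                return ctx.name, template
    return None


# Constructed sample configuration (not from the page):
#   context ctx_exact:  domain xyz.com
#   context ctx_wild:   domain *xyz.com default subscriber wild_sub
SAMPLE_CONTEXTS = [
    Context("ctx_exact", {"xyz.com": None}),
    Context("ctx_wild", {"*xyz.com": "wild_sub"}),
]

if __name__ == "__main__":
    for user in ("a@xyz.com", "b@abc.xyz.com", "c@notxyz.com"):
        print(user, "->", select_context(SAMPLE_CONTEXTS, user))
```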
eap-profile
Creates a new, or
specifies an existing, Extensible Authentication Protocol (EAP) profile
and enters the EAP Configuration Mode.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] eap-profile name
name
Specifies the name
of a new or existing EAP profile as an alphanumeric string of 1
through 256 characters.
Usage:
Use this command to
create a new or enter an existing EAP profile.
Entering this command
results in the following prompt:
[context_name]hostname(config-ctx-eap-profile)#
EAP Configuration
Mode commands are defined in the EAP Configuration Mode Commands chapter.
Example:
The following command
configures an EAP profile called
eap1 and
enters the EAP Configuration Mode:
eap-profile eap1
edr-module active-charging-service
Enables the creation,
configuration, or deletion of the Event Data Record (EDR) module
for this context.
Product:
ACS, GGSN, HA, LNS, PDSN, SGSN
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] edr-module
active-charging-service
no
Removes the EDR module
configuration for the current context.
Usage:
Use this command to
create the EDR module for the context, and configure the EDR module
for active charging service records. You must be in a non-local
context when specifying this command, and you must use the same
context when specifying the UDR module command.
On entering the command with the charging keyword
or without any keywords, the CLI prompt changes to:
[context_name]hostname(config-edr)#
On entering the command with the reporting keyword,
the CLI prompt changes to:
[context_name]hostname(config-redr)#
Example:
The following command
creates the EDR module for the context,
and enters the EDR Module Configuration Mode:
edr-module active-charging-service
egtp-service
Creates an eGTP service
or specifies an existing eGTP service and enters the eGTP Service
Configuration Mode for the current context.
Syntax
[ no ] egtp-service service_name [ -noconfirm ]
egtp-service service_name
Specifies the name
of the eGTP service as an alphanumeric string of 1 through 63 characters.
If service_name does
not refer to an existing service, the new service is created if
resources allow.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
no egtp-service service_name
Removes the specified
eGTP service from the context.
Usage:
Enter the eGTP Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system
handoffs). Therefore, it is recommended that a large number of services
only be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Entering this command
results in the following prompt:
[context_name]hostname(config-egtp-service)#
eGTP Service Configuration
Mode commands are defined in the eGTP Service Configuration
Mode Commands chapter.
Use this command when
configuring the following GTP SAE components: MME, P-GW, and S-GW.
Example:
The following command
enters the existing eGTP Service Configuration Mode (or creates
it if it does not already exist) for the service named
egtp-service1:
egtp-service egtp-service1
The following command
will remove
egtp-service1 from
the system:
no egtp-service egtp-service1
end
Exits the current
configuration mode and returns to the Exec mode.
Privilege:
Security Administrator,
Administrator
Usage:
Use this command to
return to the Exec mode.
exit
Exits the current
mode and returns to the parent configuration mode.
Privilege:
Security Administrator,
Administrator
Usage:
Use this command to
return to the parent configuration mode.
external-inline-server
This is a restricted command.
fa-service
Creates or deletes
a foreign agent (FA) service or specifies an existing FA service for
which to enter the FA Service Configuration Mode for the current
context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] fa-service name [ -noconfirm ]
no
Indicates the foreign
agent service specified is to be removed.
name
Specifies the name
of the FA service to configure as an alphanumeric string of 1 through
63 characters. If name does
not refer to an existing service, the new service is created if
resources allow.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Enter the FA Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system handoffs).
Therefore, it is recommended that a large number of services only
be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Example:
The following command
will enter the FA Service Configuration Mode creating the service
sampleService,
if necessary.
fa-service sampleService
The following command
will remove
sampleService as
being a defined FA service.
no fa-service sampleService
firewall max-associations
This command is obsolete.
fng-service
Creates a new, or specifies
an existing FNG service and enters the FNG Service Configuration
Mode. A maximum of 16 FNG services can be created. This limit applies
per ASR 5000 chassis and per context.
Privilege:
Security Administrator,
Administrator
Syntax
fng-service name [ -noconfirm ]
no fng-service name
fng-service name
Specifies the name of
a new or existing FNG service as an alphanumeric string of 1 through 63
characters that must be unique across all FNG services within the
same context and across all contexts.
no fng-service name
Deletes the specified
FNG service.
Usage:
Use this command in
Context Configuration Mode to create a new FNG service or modify an
existing one. Executing this command enters the FNG Service Configuration Mode.
Example:
The following command
configures an FNG service named
fng1 and enters
the FNG Service Configuration Mode:
fng-service fng1
ggsn-service
Creates or deletes
a Gateway GPRS Support Node (GGSN) service and enters the GGSN Service
Configuration Mode within the current context to configure it.
Privilege:
Security Administrator,
Administrator
Syntax
ggsn-service svc_name [ -noconfirm ]
no ggsn-service svc_name
no
Deletes a previously
configured GGSN service.
svc_name
Specifies the name
of the GGSN service to create/configure as an alphanumeric
string of 1 through 63 characters that is case sensitive.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Services are configured
within a context and enable certain functionality. This command creates
and allows the configuration of services enabling the system to
function as a GGSN in a GPRS or UMTS network. This command is also
used to remove previously configured GGSN services.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system handoffs).
Therefore, it is recommended that a large number of services only
be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Example:
The following command
creates a GGSN service named
ggsn1:
ggsn-service ggsn1
gprs-service
Creates a GPRS service
instance and enters the GPRS Service Configuration Mode. This mode
configures all of the parameters specific to the operation of an
SGSN in a GPRS network.
IMPORTANT:
For details about
the commands and parameters for this mode, check the GPRS Service Configuration
Mode chapter.
Privilege:
Security Administrator,
Administrator
Syntax
gprs-service srvc_name [ -noconfirm ]
no gprs-service srvc_name
no
Removes the configuration
for the specified GPRS service from the configuration for the current
context.
srvc_name
Specifies the name
of the GPRS service as a unique alphanumeric string of 1 through
63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create or remove a GPRS service. Entering this command will move the
system to the GPRS Service Configuration Mode and change the prompt
to:
[context_name]hostname(config-gprs-service)#
Example:
The following command
creates a GPRS service named
gprs1:
gprs-service gprs1
The following command
removes the GPRS service named
gprs1:
no gprs-service gprs1
gs-service
Creates a Gs service
instance and enters the Gs Service Configuration Mode. This mode
configures the parameters specific to the Gs interface between the
SGSN and the MSC/VLR.
Privilege:
Security Administrator,
Administrator
Syntax
gs-service svc_name [ -noconfirm ]
no gs-service svc_name
no
Remove the configured
Gs service from the current context.
svc_name
Specifies the Gs service
as a unique alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create, edit, or remove a Gs service.
A maximum of 32 Gs services can be configured per context/system. This limit
is subject to the overall maximum of 256 services (regardless of type) that can be
configured per system.
IMPORTANT:
For details about
the commands and parameters for this mode, refer to the Gs Service Configuration
Mode chapter.
Example:
The following command
creates a Gs service named
gs1:
gs-service gs1
The following command
removes the Gs service named
gs1:
no gs-service gs1
gtpp algorithm
Configures GTPP routing
algorithms for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp algorithm { first-server | round-robin | first-n count }
first-server
Specifies that accounting
data is sent to the first available charging gateway function (CGF) based
upon the relative priority of each configured CGF. Default: Enabled
round-robin
Specifies that accounting
data is transmitted in a circular queue fashion such that data is
sent to the highest priority CGF first, then to the next available
CGF of the highest priority, and so on. Ultimately, the queue returns
to the CGF with the highest configured priority. Default: Disabled
first-n count
Specifies that the
AGW must send accounting data to count (more
than one) CGFs based on their priority. Response from any one of
the count CGFs
would suffice to proceed with the call. The full set of accounting
data is sent to each of the count CGFs.
count is
the number of CGFs to which accounting data will be sent, and must
be an integer from 2 through 65535. Default: 1 (Disabled)
Usage:
Use this command to
control how G-CDR/P-CDR accounting data is routed among
the configured CGFs.
Example:
The following command
configures the system to use the round-robin algorithm when transmitting
G-CDR/P-CDR accounting data:
gtpp algorithm round-robin
gtpp attribute
Allows the specification
of the optional attributes to be present in the call detail records
(CDRs) that the GPRS/PDN/UMTS access gateway generates.
It also defines how the information is presented in CDRs by
controlling the encoding of the attribute field values.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp attribute { apn-ni | apn-selection-mode | charging-characteristic-selection-mode | cell-plmn-id | diagnostics | duration-ms | dynamic-flag | imei | local-record-sequence-number | losdv | ms-timezone | msisdn | node-id | node-id-suffix suffix | pdn-connection-id | pdp-address | pdp-type | pgw-plm-id | plmn-id [ unknown-use uncode_value ] | rat | record-extensions rat | served-mnai | served-pdp-pdn-address-extension | sms { destination-number | recording-entity | service-centre } | start-time | stop-time | uli }
default gtpp attribute { apn-ni | apn-selection-mode | charging-characteristic-selection-mode | cell-plmn-id | diagnostics | duration-ms | dynamic-flag | imei | local-record-sequence-number | losdv | ms-timezone | msisdn | node-id | pdn-connection-id | pdp-address | pdp-type | pgw-plm-id | plmn-id | rat | record-extensions | served-mnai | served-pdp-pdn-address-extension | sms { destination-number | recording-entity | service-centre } | start-time | stop-time | uli }
no gtpp attribute { apn-ni | apn-selection-mode | charging-characteristic-selection-mode | cell-plmn-id | diagnostics | duration-ms | dynamic-flag | imei | local-record-sequence-number | losdv | ms-timezone | msisdn | node-id | node-id-suffix | pdn-connection-id | pdp-address | pdp-type | pgw-plm-id | plmn-id | rat | record-extensions | served-mnai | served-pdp-pdn-address-extension | sms { destination-number | recording-entity | service-centre } | start-time | stop-time | uli }
default
Sets the default GTPP
attributes in the generated CDRs. It also sets the default presentation of
attribute values in generated CDRs.
no
Removes the configured
GTPP attributes from the CDRs.
apn-ni
Default: Enabled
Includes the APN field
in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
apn-selection-mode
Default: Enabled
Includes the APN Selection
Mode field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
charging-characteristic-selection-mode
Default: Enabled
Includes the Charging
Characteristic Selection Mode field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
cell-plmn-id
Default: Disabled
This keyword configures
the SGSN to include the cell’s PLMN identifier (MCC and
MNC) in generated CDRs (M-CDRs and/or the S-CDRs).
This keyword is applicable
for SGSN only.
diagnostics
Default: Disabled
Includes the Diagnostic
field in the CDR that is created when PDP contexts are released. The
field will contain one of the following values:
- 36: if the SGSN
sends the GGSN a “delete PDP context request”.
- 38: if the GGSN
sends “delete PDP context request” due to GTP-C/GTP-U echo
timeout with SGSN.
- 40: if the GGSN
sends “delete PDP context request” due to receiving
a RADIUS Disconnect-Request message.
- 26: if the GGSN
sends “delete PDP context request” for any other
reason (e.g., the operator types “clear subscribers” on
the GGSN).
duration-ms
Default: Disabled
Specifies that the
information contained in the mandatory Duration field be reported
in milliseconds instead of seconds (as the standards require).
dynamic-flag
Default: Enabled
Includes the Dynamic
Flag field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
imei
Default: Disabled
This keyword configures
the SGSN to include the International Mobile Equipment Identifier (IMEI)
in generated CDRs (M-CDRs and/or the S-CDRs).
This keyword is applicable
for SGSN only.
local-record-sequence-number
Default: Disabled
Includes the Node
ID field in the CDR that is created when PDP contexts are released.
The field consists of an AAA Manager identifier automatically appended
to the name of the GGSN or SGSN service.
The name of the GGSN/SGSN
service may be truncated, because the maximum length of the Node
ID field is 20 bytes. Since each AAA Manager generates CDRs independently,
this allows the Local Record Sequence Number and Node ID fields
to uniquely identify a CDR.
losdv
Default: Enabled
Includes the List
of Service Data field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
ms-timezone
Default: Enabled
Includes the MS-Timezone
field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
msisdn
Default: Disabled
This keyword configures
the SGSN to include the Mobile Subscriber Integrated Services Digital
Network (MSISDN) identifier in generated CDRs (M-CDRs and/or the
S-CDRs).
This keyword is applicable
for SGSN only.
node-id
Default: Enabled
Includes the Node
ID field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
node-id-suffix string
Default: Disabled
Specifies the string
suffix to use in the Node-ID field of GTPP CDRs. Each Session Manager task
generates a unique Node-ID string per GTPP context.
string:
The configured Node-ID suffix, any string of 1 through 16 characters.
IMPORTANT:
The Node-ID field is a printable string in the format ndddstring, where:
- n: the first digit is the SessMgr restart (recovery) counter, with a value between 0 and 7.
- ddd: the three-digit AAA Manager (SessMgr instance) identifier.
- string: the configured Node-ID suffix (1 to 16 characters), used in all CDRs.
IMPORTANT:
If the centralized
LRSN feature is enabled, the Node-ID field consists
of only the specified Node-ID suffix. Otherwise, the GTPP group name is
used; for default GTPP groups, the GTPP context name (truncated to 16
characters) is used.
IMPORTANT:
The SessMgr recovery counter
is updated only when session recovery is not enabled; if
session recovery is enabled, the counter never updates. The Node-ID
is displayed in the G-CDR irrespective of the GTPP dictionary. The G-CDR
is not decoded in monitor protocol for the custom1 and custom3 dictionaries.
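The following builder and parser for the Node-ID field follow the ndddstring layout given above (one-digit recovery counter 0..7, three-digit AAA Manager identifier, 1..16 character suffix, at most 20 bytes in total, as the local-record-sequence-number description states). It is an added example written for this page, not StarOS code. The fallback order when no suffix is configured (GTPP group name, else context name truncated to 16 characters) is modelled as described above; how the platform chooses the group is an assumption. The final function uses the (Node-ID, Local Record Sequence Number) pair as the unique CDR key, which is the property the local-record-sequence-number text relies on.

```python
"""Node-ID field helpers for GTPP CDRs (added example, not StarOS code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

NODE_ID_MAX = 20  # maximum length of the Node-ID field in bytes, per the page
_NODE_ID_RE = re.compile(r"^(?P<n>[0-7])(?P<ddd>\d{3})(?P<suffix>.{1,16})$")


def effective_suffix(configured: Optional[str], gtpp_group: Optional[str],
                     context_name: str) -> str:
    """Suffix actually used: the configured value, else the GTPP group name,
    else the context name truncated to 16 characters (default group).
    The group/context fallback order is taken from the page; the choice of
    group itself is an assumption of this example."""
    if configured:
        return configured
    if gtpp_group:
        return gtpp_group[:16]
    return context_name[:16]


def build_node_id(recovery_counter: int, aaamgr_id: int, suffix: str) -> str:
    """Compose n + ddd + suffix, enforcing the ranges stated on the page."""
    if not 0 <= recovery_counter <= 7:
        raise ValueError("recovery counter must be 0..7")
    if not 0 <= aaamgr_id <= 999:
        raise ValueError("AAA Manager identifier must fit in three digits")
    if not 1 <= len(suffix) <= 16:
        raise ValueError("suffix must be 1..16 characters")
    if not (suffix.isascii() and suffix.isprintable()):
        raise ValueError("suffix must be a printable ASCII string")
    node_id = f"{recovery_counter}{aaamgr_id:03d}{suffix}"
    if len(node_id.encode("ascii")) > NODE_ID_MAX:
        raise ValueError("Node-ID exceeds 20 bytes")
    return node_id


@dataclass(frozen=True)
class NodeId:
    recovery_counter: int
    aaamgr_id: int
    suffix: str


def parse_node_id(field: str) -> NodeId:
    """Split a received Node-ID into its components; reject malformed input
    instead of guessing, so a bad field cannot be silently mis-attributed."""
    m = _NODE_ID_RE.match(field)
    if not m:
        raise ValueError(f"malformed Node-ID: {field!r}")
    return NodeId(int(m["n"]), int(m["ddd"]), m["suffix"])


def dedupe_cdrs(records: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Keep the first occurrence of each (Node-ID, LRSN) pair. Each AAA Manager
    numbers its CDRs independently, so the LRSN alone is not unique; the
    Node-ID qualifies it."""
    seen = set()
    out: List[Tuple[str, int]] = []
    for node_id, lrsn in records:
        key = (parse_node_id(node_id), lrsn)
        if key in seen:
            continue
        seen.add(key)
        out.append((node_id, lrsn))
    return out
```

With recovery counter 0, AAA Manager 7 and suffix ggsn1 the field is 0007ggsn1; two records carrying the same LRSN but Node-IDs 0007ggsn1 and 0008ggsn1 are distinct CDRs and are both kept.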
pdn-connection-id
Default: Enabled
Includes the PDN Connection
ID field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
pdp-address
Default: Enabled
Includes the PDP Address
field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
pdp-type
Default: Enabled
Includes the PDP Type
field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
pgw-plm-id
Default: Enabled
Includes the PGW PLMN-ID
field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
plmn-id [ unknown-use uncode_value ]
Default: Enabled
Includes the SGSN
PLMN Identifier value (the RAI) in generated CDRs (M-CDRs and/or
the S-CDRs) if it is provided by the SGSN in the GTP Create PDP
Context Request. It is omitted if the SGSN does not supply one.
IMPORTANT:
For the GGSN, this provides the
radio access identifier as the SGSN PLMN ID; for the SGSN, it includes
the PLMN-ID of the RNC.
unknown-use uncode_value encodes
the specified value for “SGSN PLMN Identifier” in
the CDR if the SGSN PLMN-ID information is unavailable.
uncode_value must
be a hexadecimal value between 0x0 and 0xFFFFFF.
This keyword is applicable
for SGSN only.
rat
Default: Disabled
This keyword configures
the SGSN to include the radio access technology attribute in generated
CDRs (M-CDRs and/or the S-CDRs).
This keyword is applicable
for SGSN only.
record-extensions rat
Default: Disabled
This keyword configures
the SGSN to include the radio access technology attribute in record extension
field of generated CDRs (M-CDRs and/or the S-CDRs).
This keyword is applicable
for SGSN only.
served-mnai
Default: Enabled
Includes the Served
MNAI field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
sms { destination-number | recording-entity | service-centre }
Default: Disabled
This keyword configures
the SGSN to include the SMS related attributes in generated S-SMO-CDRs
or S-SMT-CDRs.
destination-number:
This keyword includes the destination-number information of SMS
in generated S-SMO-CDRs or S-SMT-CDRs.
Note: This is the
destination number of the short message subscriber.
recording-entity:
This keyword includes the recording entity information of SMS in
generated S-SMO-CDRs or S-SMT-CDRs.
Note: The recording
entity is the E.164 number of the SGSN.
service-centre:
This keyword includes the service-centre information of SMS in generated
S-SMO-CDRs or S-SMT-CDRs.
Note: This is the
E.164 address of the SMS-service centre.
This keyword is applicable
for SGSN only.
start-time
Default: Enabled
Includes the Start-Time
field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
stop-time
Default: Enabled
Includes the Stop-Time
field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
uli
Default: Enabled
Includes the User
Location Information field in the CDR that is created.
This keyword is applicable
for P-GW and
GGSN only.
Usage:
Use this command to
configure the optional information fields to include in the CDRs generated
by the AGW (SGSN/GGSN/P-GW): M-CDRs, S-CDRs, S-SMO-CDRs and S-SMT-CDRs from
the SGSN, and G-CDRs and eG-CDRs from the GGSN.
In addition, it controls how the information for some of the mandatory
fields is reported.
Fields described as
optional by the standards but not listed above are always present
in the CDRs, except for Record Extensions (which are never present).
IMPORTANT:
This command can be
repeated multiple times with different keywords to configure multiple GTPP
attributes.
Example:
The following command
configures the system to report the Duration field
of the CDR in milliseconds:
gtpp attribute duration-ms
gtpp charging-agent
Configures the IP
address and port of the system interface within the current context
used to communicate with the Charging Gateway Function (CGF).
Privilege:
Security Administrator,
Administrator
Syntax
gtpp charging-agent
address ip_address [ port port ]
no gtpp charging-agent
no
Removes a previously
configured charging agent address.
address ip_address
Specifies the IP address
of the interface configured within the current context that is used
to transmit CDR records (G-CDR/eG-CDR/M-CDR/S-CDR)
to the CGF. ip_address must
be entered using IPv4 dotted-decimal notation.
port port
Specifies the Charging
Agent UDP port as an integer from 1 through 65535.
If port is
not specified, the default port number 49999 is used.
IMPORTANT:
Configuring gtpp charging-agent
on port 3386 may interfere with a ggsn-service configured with the
same IP address.
Usage:
This command establishes
a Ga interface for the system. For GTPP accounting, one or more
Ga interfaces must be specified for communication with the CGF.
These interfaces must exist in the same context in which GTPP functionality
is configured (refer to the gtpp commands
in this chapter).
This command instructs
the system as to what interface to use. The IP address supplied
is also the address by which the GSN is known to the CGF. Therefore,
the IP address used for the Ga interface could be identical to one
bound to a GSN service (a Gn interface).
If no GSN service
is configured in the same context as the Ga interface, the address configured
by this command is used to receive unsolicited GTPP packets.
Example:
The following command
configures the system to use the interface with an IP address of
192.168.13.10 as
the accounting interface with port
20000 to
the CGF:
gtpp charging-agent
address 192.168.13.10 port 20000
gtpp data-request
sequence-numbers
Configures the range
of sequence numbers to be used in the GTPP data record transfer
record (DRT). Use this command to set the start value for the sequence number.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp data-request sequence-numbers
start { 0 | 1 }
default gtpp data-request
sequence-numbers start
default
Default is 0 (zero).
{ 0 | 1 }
Specifies the value
of the start sequence number for the GTPP Data Record Transfer Request.
Default: 0
- 0: Designates
the start sequence number as 0.
- 1: Designates
the start sequence number as 1.
Usage:
When the GGSN/P-GW/SGSN
is configured to send GTPP echo request packets, it always
uses 0 as the sequence number in those packets. Re-using 0 as a
sequence number in the DRT packets is allowed by the 3GPP standards;
however, this command makes it possible to inter-operate
with CGFs that cannot properly handle the re-use of sequence number
0 from the echo request packets.
Example:
The following command
sets the sequence to start at
1.
gtpp data-request sequence-numbers
start 1
gtpp dead-server
suppress-cdrs
Enables or disables
CDR archiving when a dead server is detected.
IMPORTANT:
This command is customer
specific. For more information please contact your local Cisco service
representative.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] gtpp
dead-server suppress-cdrs
default
Configures the default
setting.
Default: Disabled
no
Re-enables CDR archiving.
Usage:
Use this command to
enable or disable CDR archiving when a dead server is detected.
When this command is enabled and a server is detected as down, the queued
requests are purged, as are the requests generated during the period when
the server is down.
gtpp deadtime
Configures the amount
of time to wait before attempting to communicate with a Charging
Gateway Function (CGF) that was previously marked as unreachable.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp deadtime time
default gtpp deadtime
default
Configures this command
with the default setting.
Default: 120 seconds
time
Specifies the amount
of time (in seconds) that must elapse before the system attempts
to communicate with a CGF that was previously unreachable. time is
an integer from 1 through 65535.
Usage:
If the system is unable
to communicate with a configured CGF, after a pre-configured number
of failures the system marks the CGF as being down.
This command specifies
the amount of time that the system waits prior to attempting to communicate
with the downed CGF.
Refer to the gtpp
detect-dead-server and gtpp max-retries commands
for additional information on the process the system uses to mark
a CGF as down.
Example:
The following command
configures the system to wait
60 seconds
before attempting to re-communicate with a CGF that was marked as
down:
gtpp deadtime 60
gtpp detect-dead-server
Configures the number
of consecutive communication failures that could occur before the
system marks a Charging Gateway Function (CGF) as down.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp detect-dead-server
consecutive-failures max_number
default gtpp detect-dead-server
consecutive-failures
default
Configures this command
with the default setting.
Default: 0
consecutive-failures max_number
Specifies the number
of failures that could occur before marking a CGF as down. max_number is
an integer from 0 through 1000.
Usage:
This command works
in conjunction with the gtpp max-retries parameter
to set a limit on the number of communication failures that can
occur with a configured CGF.
The gtpp max-retries
parameter limits the number of attempts to communicate with a CGF. Once
that limit is reached, the system treats it as a single failure.
The gtpp detect-dead-server parameter limits the number of consecutive
failures that can occur before the system marks the CGF as down
and communicates with the CGF of the next highest priority.
If all of the configured
CGFs are down, the system ignores the detect-dead-server configuration
and attempts to communicate with the highest priority CGF again.
If the system receives
a GTPP Node Alive Request, Echo Request, or Echo Response message
from a CGF that was previously marked as down, the system immediately
treats it as being active.
Refer to the gtpp
max-retries command for additional information.
Example:
The following command
configures the system to allow
8 consecutive
communication failures with a CGF before it marks it as down:
gtpp detect-dead-server
consecutive-failures 8
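The following simulation ties together the CGF liveness rules described for gtpp detect-dead-server, gtpp deadtime and gtpp echo-interval with the selection rules of gtpp algorithm: a request that exhausts its gtpp max-retries budget counts as one failure, the configured number of consecutive failures marks a CGF down and routes to the next priority, a down CGF is retried once deadtime has elapsed, an Echo or Node Alive message from a down CGF revives it immediately, and if every CGF is down the highest priority one is tried again. It is an added example for this page, not StarOS code; class and method names are the author's own. Two assumptions are labelled in the code: lower priority values rank higher, and consecutive-failures 0 (the default) is treated as "never mark a CGF down".

```python
"""CGF liveness tracking and selection (added example, not StarOS code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cgf:
    name: str
    priority: int                     # assumption: lower value = higher priority
    consecutive_failures: int = 0
    down_since: Optional[float] = None  # time the CGF was marked down, or None


@dataclass
class CgfPool:
    cgfs: List[Cgf]
    consecutive_failures: int = 0     # gtpp detect-dead-server consecutive-failures
    deadtime: float = 120.0           # gtpp deadtime, seconds (page default)
    algorithm: str = "first-server"   # gtpp algorithm
    first_n: int = 2                  # count for `gtpp algorithm first-n`
    _rr_index: int = field(default=0, init=False, repr=False)

    def __post_init__(self) -> None:
        self.cgfs.sort(key=lambda c: c.priority)

    def _available(self, now: float) -> List[Cgf]:
        """CGFs considered alive at `now`. A down CGF becomes eligible again
        once deadtime has elapsed. If everything is down, the page says the
        system ignores detect-dead-server and tries the highest priority CGF."""
        alive = [c for c in self.cgfs
                 if c.down_since is None or now - c.down_since >= self.deadtime]
        return alive or self.cgfs[:1]

    def select(self, now: float) -> List[Cgf]:
        """Targets for one batch of accounting data under the configured algorithm."""
        avail = self._available(now)
        if self.algorithm == "first-server":
            return avail[:1]                       # first available by priority
        if self.algorithm == "round-robin":
            chosen = avail[self._rr_index % len(avail)]
            self._rr_index += 1                    # circular over the available set
            return [chosen]
        if self.algorithm == "first-n":
            return avail[:self.first_n]            # each gets the full data set
        raise ValueError(f"unknown algorithm {self.algorithm!r}")

    def record_failure(self, cgf: Cgf, now: float) -> None:
        """A request to `cgf` exhausted its gtpp max-retries budget: one failure.
        Assumption: consecutive-failures 0 means the CGF is never marked down."""
        cgf.consecutive_failures += 1
        if self.consecutive_failures and cgf.consecutive_failures >= self.consecutive_failures:
            cgf.down_since = now

    def record_success(self, cgf: Cgf) -> None:
        cgf.consecutive_failures = 0
        cgf.down_since = None

    def on_echo_or_node_alive(self, cgf: Cgf) -> None:
        """Echo Request, Echo Response or Node Alive Request from a CGF marked
        down makes it active immediately."""
        self.record_success(cgf)
```

With consecutive-failures 2 and deadtime 60, two failures against the highest priority CGF move traffic to the next one; sixty seconds later the first CGF is tried again, and a single Echo Response from it restores it at once rather than waiting for the timer.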
gtpp dictionary
Designates a dictionary
used by GTPP for a specific context.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp dictionary { custom1 | custom10 | custom11 | custom12 | custom13 | custom14 | custom15 | custom16 | custom17 | custom18 | custom19 | custom2 | custom20 | custom21 | custom22 | custom23 | custom24 | custom25 | custom26 | custom27 | custom28 | custom29 | custom3 | custom30 | custom31 | custom32 | custom33 | custom34 | custom35 | custom36 | custom37 | custom38 | custom39 | custom4 | custom40 | custom5 | custom6 | custom7 | custom8 | custom9 | standard }
default gtpp dictionary
default
Configures the default
dictionary.
custom1
This is a custom-defined
dictionary that conforms to TS 32.015 v 3.6.0 for R99. It supports the
encoding of IP addresses in text format for G-CDRs.
custom2
Custom-defined dictionary.
custom3
This is a custom-defined
dictionary that conforms to TS 32.015 v 3.6.0 for R99 except that
it supports the encoding of IP addresses in binary format for G-CDRs.
custom4
This is a custom-defined
dictionary that conforms to TS 32.015 v 3.6.0 for R99 except that:
- IP addresses are encoded
in binary format.
- The Data Record Format
Version information element contains 0x1307 instead of 0x1308.
- QoSRequested is not
present in the LoTV containers.
- QoSnegotiated is added
only for the first container and the container after a QoS change.
custom5
Custom-defined dictionary.
custom6
This is a custom-defined
dictionary for eG-CDR encoding.
custom7 ... custom30
These custom-defined
dictionaries have the default behavior of the standard dictionary.
custom31
This is a custom-defined
dictionary for S-CDR encoding that is based on 3GPP TS 32.298 v6.4.1
with a special field appended for the PLMN-ID.
custom33
This is a custom-defined
dictionary for S-CDR encoding that is based on 3GPP TS 32.298
v6.4.1 with the following exceptions:
- Proprietary PLMN-ID
field is present.
- It is a SEQUENCE and
not a SET.
- Diagnostics and SGSN-Change
fields are not supported.
- Indefinite length encoding
is used.
- Booleans are encoded
as 0x01 (3GPP specifies 0xff).
- IMEISV shall be sent
if available else IMEI should be sent.
- Record Sequence Number
is Mandatory.
- The APN OI and NI parts
are length encoded.
- Cause for Record closure
should be “RAT Change” instead of “intra-SGSN
inter-system”.
standard
Default: Enabled
This dictionary conforms
to TS 32.215 v 4.6.0 for R4 (and also R5 - extended QoS format).
Usage:
Use this command to
designate the dictionary used by GTPP for the current context.
Example:
The following command
configures the system to use the
custom3 dictionary,
which encodes IP addresses in binary format in G-CDRs:
gtpp dictionary custom3
gtpp duplicate-hold-time
Configures the number
of minutes to hold onto CDRs that are possibly duplicates while
waiting for the primary Charging Gateway Function (CGF) to come
back up.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp duplicate-hold-time minutes
default gtpp duplicate-hold-time
default
Configures this command
with the default setting.
Default: 60 minutes
minutes
Specifies the number
of minutes to hold onto CDRs that may be duplicates whenever the primary
CGF is down. minutes must
be an integer from 1 through 10080.
Usage:
Use this command to
configure how long to hold onto CDRs that are possibly duplicates while
waiting for the primary CGF to come back up. If the GGSN/P-GW determines
that the primary CGF is down, CDRs that were sent to the primary CGF
but not acknowledged are sent by the GSN to the secondary CGF as “possibly
duplicates”. When the primary CGF comes back up, the GSN
uses GTPP to determine whether the possibly duplicate CDRs were
received by the primary CGF. Then the secondary CGF is told whether
to release or cancel those CDRs. This command configures how long
the system should wait for the primary CGF to come back up. As soon
as the configured time expires, the secondary CGF is told to release
all of the possibly duplicate CDRs.
Example:
The following
command sets the amount of time to hold onto CDRs to 2 hours (120 minutes):
gtpp duplicate-hold-time 120
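The following model walks through the possibly-duplicate handling described in the Usage section above: when the primary CGF is declared down, CDRs sent to it but never acknowledged are re-sent to the secondary flagged as possibly duplicate; when the primary returns, the GSN learns which of those records the primary actually received and tells the secondary to cancel those and release the rest; if the hold time expires first, the secondary is told to release everything still held. It is an added example for this page, not StarOS code, and the names are the author's own. The GTPP exchange that asks the primary what it received is represented here by a set of record identifiers it reports as received (an assumption about how that answer is modelled, not about the protocol).

```python
"""Possibly-duplicate CDR handling around `gtpp duplicate-hold-time`
(added example, not StarOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SecondaryCgf:
    """Stand-in for the secondary CGF: parks possibly-duplicate CDRs until told
    to release (keep and bill) or cancel (discard) each one."""
    held: Dict[str, bytes] = field(default_factory=dict)
    released: List[str] = field(default_factory=list)
    cancelled: List[str] = field(default_factory=list)

    def receive_possible_duplicate(self, cdr_id: str, cdr: bytes) -> None:
        self.held[cdr_id] = cdr

    def release(self, cdr_id: str) -> None:
        self.held.pop(cdr_id)
        self.released.append(cdr_id)

    def cancel(self, cdr_id: str) -> None:
        self.held.pop(cdr_id)
        self.cancelled.append(cdr_id)


@dataclass
class DuplicateHoldTracker:
    """GSN-side bookkeeping for CDRs in flight to the primary CGF."""
    hold_minutes: int = 60                       # gtpp duplicate-hold-time default
    secondary: SecondaryCgf = field(default_factory=SecondaryCgf)
    unacked_on_primary: Dict[str, bytes] = field(default_factory=dict)
    deadline: Optional[float] = None             # hold-time expiry, in minutes

    def __post_init__(self) -> None:
        if not 1 <= self.hold_minutes <= 10080:  # range stated on the page
            raise ValueError("hold time must be 1..10080 minutes")

    def sent_to_primary(self, cdr_id: str, cdr: bytes) -> None:
        self.unacked_on_primary[cdr_id] = cdr

    def primary_acked(self, cdr_id: str) -> None:
        self.unacked_on_primary.pop(cdr_id, None)

    def primary_down(self, now: float) -> None:
        """Failover: every unacknowledged CDR goes to the secondary flagged as
        possibly duplicate, and the hold timer starts."""
        for cdr_id, cdr in self.unacked_on_primary.items():
            self.secondary.receive_possible_duplicate(cdr_id, cdr)
        self.deadline = now + self.hold_minutes

    def primary_up(self, received_by_primary: Set[str]) -> None:
        """Primary is back: cancel copies the primary already holds (so the
        subscriber is not billed twice) and release the ones it never got."""
        for cdr_id in list(self.secondary.held):
            if cdr_id in received_by_primary:
                self.secondary.cancel(cdr_id)
            else:
                self.secondary.release(cdr_id)
        self.unacked_on_primary.clear()
        self.deadline = None

    def tick(self, now: float) -> None:
        """Hold time expired without the primary returning: release everything,
        accepting possible duplicates rather than losing records."""
        if self.deadline is not None and now >= self.deadline:
            for cdr_id in list(self.secondary.held):
                self.secondary.release(cdr_id)
            self.deadline = None
```

Three CDRs sent to the primary with one acknowledged leaves two possibly-duplicate records on the secondary after failover; if the primary reports on return that it received one of them, that one is cancelled and the other released. With a 60 minute hold time and no primary recovery, both are released once the timer expires.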
gtpp echo-interval
Configures the frequency
at which the system sends GTPP echo packets to configured CGFs.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp echo-interval time
{ default | no } gtpp
echo-interval
default
Configures the default
setting for this command.
Default: 60 seconds
no
Disables the use of
the echo protocol except for the scenarios described in the Usage section for
this command.
time
Specifies the time
interval (in seconds) for sending GTPP echo packets as an integer
from 60 through 2147483647. Default: 60
Usage:
The GTPP echo protocol
is used by the system to ensure that it can communicate with configured
CGFs. The system initiates this protocol for each of the following
scenarios:
- Upon system boot
- Upon the configuration
of a new CGF server on the system using the gtpp server command
as described in this chapter
- Upon the execution
of the gtpp test
accounting command as described in the Exec Mode Commands chapter
of this reference
- Upon the execution
of the gtpp sequence-numbers
private-extensions command as described in this chapter
The echo-interval
command is used in conjunction with the gtpp max-retries and gtpp timeout
commands as described in this chapter.
In addition to receiving an echo response for this echo protocol, if the system receives a GTPP Node Alive Request message or a GTPP Echo Request message from a presumed dead CGF server, it immediately assumes the server is active again.
The alive/dead status of the CGFs is used by the AAA Managers to affect the sending of CDRs to the CGFs. If all CGFs are dead, the AAA Managers still send CDRs (refer to the gtpp deadtime command), albeit at a slower rate than if a CGF were alive. Also, AAA Managers independently determine whether CGFs are alive or dead.
Example:
The following command
configures an echo interval of
120 seconds:
gtpp echo-interval 120
gtpp egcdr
Configures the eG-CDR
and P-CDR (P-GW CDR) parameters and triggers.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp egcdr { final-record [ [ include-content-ids { all | only-with-traffic } ] [ closing-cause { same-in-all-partials | unique } ] ] | losdv-max-containers max_losdv_containers | lotdv-max-containers max_lotdv_containers | rulebase-max-length rulebase_name_max_length | service-data-flow
threshold { interval interval | volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] } } | service-idle-timeout { 0 | service_idle_timeout } }
default gtpp egcdr { final-record
include-content-ids only-with-traffic closing-cause same-in-all-partials | losdv-max-containers | lotdv-max-containers | service-idle-timeout
0 }
no gtpp egcdr { rulebase-max-length | service-data-flow threshold { interval | volume { downlink [ uplink ] | total | uplink [ downlink ] } } }
final-record [ [ include-content-ids { all | only-with-traffic } ] [ closing-cause { same-in-all-partials | unique } ] ]
Enables configuration
of the final eG-CDR/P-CDR.
Default: Restores the GTPP eG-CDR/P-CDR final record to the default setting, in which only content IDs with some data to report are included, and sets the closing cause to the default of using the same closing cause for multiple final eG-CDR/P-CDRs.
- include-content-ids:
Controls which content IDs are being included in the final eG-CDR/P-CDR.
- all: Specifies
that all content IDs be included in the final eG-CDR/P-CDR.
- only-with-traffic:
Specifies that only content-IDs with traffic be included in the
final eG-CDR/P-CDRs.
- closing-cause:
Configures closing cause for the final eG-CDR/P-CDR.
- same-in-all-partials:
Specifies that the same closing cause is to be included for multiple
final eG-CDR/P-CDRs
- unique:
Specifies that the closing cause for final eG-CDR/P-CDRs
is to be unique.
losdv-max-containers max_losdv_containers
The maximum number
of List of Service Data Volume (LoSDV) containers in one eG-CDR/P-CDR.
max_losdv_containers must
be an integer from 1 through 255.
Default: 10
lotdv-max-containers max_lotdv_containers
The maximum number
of List of Traffic Data Volume (LoTDV) containers in one eG-CDR/P-CDR.
max_lotdv_containers must
be an integer from 1 through 8.
Default: 8
rulebase-max-length rulebase_name_max_length
Specifies the maximum
character length of charging rulebase name in LOSDVs of eG-CDR/P-CDR.
rulebase_name_max_length must
be an integer from 0 through 63. Zero (0) means the rulebase name
is added as-is.
Default: None. That
is, full (un-truncated) charging rulebase name will go in LOSDVs
of eG-CDR/P-CDR.
service-data-flow
threshold { interval interval | volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] } }
Configures the thresholds
for closing a service data flow container within an eG-CDR/P-CDR.
- interval interval: Specifies the time interval, in seconds, after which the eG-CDR/P-CDR is closed once the minimum time duration threshold for service data flow containers is satisfied in flow-based charging. interval must be an integer from 60 through 40000000. Default: Disabled
- volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] }: Specifies the volume octet counts that trigger generation of interim eG-CDR/P-CDRs for a service data flow container in FBC.
- downlink bytes: Specifies
the limit for the number of downlink octets after which the eG-CDR/P-CDR
is closed.
- total bytes: Specifies the
limit for the total number of octets (uplink+downlink)
after which the eG-CDR/P-CDR is closed.
- uplink bytes: Specifies
the limit for the number of uplink octets after which the eG-CDR/P-CDR
is closed.
- bytes must
be an integer from 10000 through 400000000.
A service data flow
container has statistics for an individual content ID. When the
threshold is reached, the service data flow container is closed.
service-idle-timeout { 0 | service_idle_timeout }
Specifies a time period after which, if no data has been reported for a service flow, the service container is closed and added to the eG-CDR/P-CDR (as part of the LOSDV container list) with the service condition change ServiceIdleOut.
service_idle_timeout must
be an integer from 10 through 86400.
0: Specifies
no service-idle-timeout trigger.
Default: 0
Usage:
Use this command to
configure individual triggers for eG-CDR/P-CDR generation.
Use the service-data-flow
threshold option to configure the thresholds for closing
a service data flow container within an eG-CDR (eG-CDRs for GGSN
and P-CDRs for PGW) during flow-based charging (FBC). A service
data flow container has statistics regarding an individual content
ID.
Thresholds can be
specified for time interval and for data volume, by entering the command
twice (once with interval and once with volume). When either configured
threshold is reached, the service data flow container will be closed.
The volume trigger can be specified for uplink or downlink or the
combined total (uplink + downlink) byte thresholds.
When the PDP context
is terminated, all service data flow containers will be closed regardless
of whether the thresholds have been reached.
An eG-CDR/P-CDR
will have at most ten service data flow containers. Multiple eG-CDR/P-CDRs
will be created when there are more than ten.
Example:
Use the following
command to set the maximum number of LoSDV containers to
7:
gtpp egcdr losdv-max-containers 7
The following command
sets an eG-CDR threshold interval of
6000 seconds:
gtpp egcdr service-data-flow
threshold interval 6000
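The following Python model is an added illustration of the container-closing rules described in the Usage section above (interval and volume thresholds, closure of every container at PDP context termination, and the losdv-max-containers limit that splits the output into several eG-CDR/P-CDRs); it is not StarOS code, and the class and method names are assumptions.

```python
"""eG-CDR/P-CDR service data flow container triggers (illustration only)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Container:
    """Statistics for one content ID (one service data flow container)."""
    content_id: int
    opened_at: int          # seconds
    uplink: int = 0
    downlink: int = 0


@dataclass
class EgcdrTriggers:
    """Values mirror gtpp egcdr service-data-flow threshold and losdv-max-containers."""
    interval: Optional[int] = None   # seconds, 60..40000000; None = disabled
    uplink: Optional[int] = None     # bytes, 10000..400000000; None = disabled
    downlink: Optional[int] = None
    total: Optional[int] = None      # uplink + downlink
    losdv_max: int = 10              # 1..255, default 10

    def __post_init__(self):
        if self.interval is not None and not 60 <= self.interval <= 40000000:
            raise ValueError("interval out of range")
        for v in (self.uplink, self.downlink, self.total):
            if v is not None and not 10000 <= v <= 400000000:
                raise ValueError("volume threshold out of range")
        if not 1 <= self.losdv_max <= 255:
            raise ValueError("losdv-max-containers out of range")


class EgcdrBuilder:
    """Closes service data flow containers on the configured triggers and
    groups closed containers into CDRs of at most losdv_max containers."""

    def __init__(self, triggers: EgcdrTriggers):
        self.t = triggers
        self.open: dict = {}     # content_id -> open Container
        self.closed: list = []   # closed containers not yet emitted in a CDR
        self.cdrs: list = []     # emitted CDRs, each a list of containers

    def _hit(self, c: Container, now: int) -> bool:
        """True when any configured threshold is reached for this container."""
        t = self.t
        return any((
            t.interval is not None and now - c.opened_at >= t.interval,
            t.uplink is not None and c.uplink >= t.uplink,
            t.downlink is not None and c.downlink >= t.downlink,
            t.total is not None and c.uplink + c.downlink >= t.total,
        ))

    def _close(self, c: Container):
        del self.open[c.content_id]
        self.closed.append(c)
        if len(self.closed) >= self.t.losdv_max:     # CDR full: emit it
            self.cdrs.append(self.closed)
            self.closed = []

    def account(self, content_id: int, now: int, up: int = 0, down: int = 0):
        """Record traffic for a content ID; a new container opens on first use."""
        c = self.open.get(content_id)
        if c is None:
            c = self.open[content_id] = Container(content_id, now)
        c.uplink += up
        c.downlink += down
        if self._hit(c, now):
            self._close(c)

    def terminate(self):
        """PDP context ends: close every container regardless of thresholds
        and emit whatever is left as the final CDR. Returns all CDRs."""
        for c in list(self.open.values()):
            self._close(c)
        if self.closed:
            self.cdrs.append(self.closed)
            self.closed = []
        return self.cdrs
```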
gtpp error-response
Configures the response
when the system receives an error response after transmitting a
DRT (data record transfer) request.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp error-response { discard-cdr | retry-request }
default gtpp error-response
default
Configures this command
with the default setting.
Default: retry-request
discard-cdr
Instructs the system
to purge the request upon receipt of an error response and not to retry.
retry-request
Instructs the system
to retry sending a DRT after receiving an error response. This is
the default behavior.
Usage:
This command configures
the system’s response to receiving an error message after sending
a DRT request.
Example:
gtpp error-response
discard-cdr
gtpp group
Configures GTPP server
group in a context for the Charging Gateway Function (CGF) accounting
server(s) that the system is to communicate with.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] gtpp
group group_name [ -noconfirm ]
group_name
Specifies the name
of GTPP server group that is used for charging and/or accounting
in a specific context. group_name must be an alphanumeric string of 1 through 63 characters.
A maximum of eight
GTPP server groups (excluding system created default GTPP server group “default”)
can be configured with this command in a context.
no
Removes the previously
configured GTPP group within a context.
When a GTPP group is removed, accounting information is not generated for any calls using that group, and all calls associated with that group are dropped. A warning message displays indicating the number of calls that will be dropped.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
This feature makes the charging gateway function (CGF) accounting server configurable for a group of servers. Instead of a single list of CGF accounting servers per context, multiple GTPP accounting server groups can be configured in a context, and each server group consists of a list of CGF accounting servers.
In case no GTPP server
group is configured in a context, a server group named “default” is available
and all the CGF servers configured in a specific context for CGF
accounting functionality will be part of this “default” server
group.
Example:
The following command
configures a GTPP server group named
star1 for
CGF accounting functionality. This server group is available for
all subscribers within that context.
gtpp group star1
gtpp max-cdrs
Configures the maximum
number of charging data records (CDRs) included per packet.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp max-cdrs max_cdrs [ wait-time wait_time ]
default gtpp max-cdrs
default
Configures this command
with the default setting.
Default: One CDR per
packet; disables wait-time
max_cdrs
Specifies the maximum
number of CDRs to be inserted in a single packet as an integer from 1
through 255. Default: 1
wait-time wait_time
Specifies the number
of seconds the system waits for CDRs to be inserted into the packet before
sending it. wait_time must
be an integer from 1 through 300. Default: Disabled
IMPORTANT:
If the wait-time expires, the packet is sent, because this keyword overrides max_cdrs.
Usage:
CDRs are placed into
a GTPP packet as the CDRs close. The system stops placing CDRs into
a packet when either the maximum max_cdrs is
met, or the wait-time expires,
or the value for the gtpp max-pdu-size command
is met.
Example:
The following command
configures the system to place a maximum of
10 CDRs in
a single GTPP packet before transmitting the packet:
gtpp max-cdrs 10
gtpp max-pdu-size
Configures the maximum
payload size of a single GTPP packet that could be sent by the system.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp max-pdu-size pdu_size
default gtpp max-pdu-size
default
Configures this command
with the default setting.
Default:
65400 bytes
pdu_size
Specifies the maximum
payload size (in octets) of the GTPP packet as an integer from 1024 to
65400. The payload includes the CDR and the GTPP header.
CAUTION:
This command is effective
only when GTPP single-source is configured, otherwise this command
has no effect.
Usage:
The GTPP packet contains
headers (layer 2, IP, UDP, and GTPP) followed by the CDR. Each CDR
contains one or more volume containers. If a packet containing one CDR exceeds the configured maximum payload size, the system creates and sends the packet containing the one CDR regardless.
The larger the packet
data unit (PDU) size allowed, the more volume containers that can
be fit into the CDR.
The system performs
standard IP fragmentation for packets that exceed the system’s maximum
transmission unit (MTU).
IMPORTANT:
The maximum size of
an IPv4 PDU (including the IPv4 and subsequent headers) is 65,535. However,
a slightly smaller limit is imposed by this command because the
system’s max-pdu-size doesn't include the IPv4 and UDP
headers, and because the system may need to encapsulate GTPP packets
in a different/larger IP packet (for sending to a backup
device).
Example:
The following command
configures a maximum PDU size of
2048 octets:
gtpp max-pdu-size 2048
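The following Python model is an added illustration of how the three packet-closing conditions described for gtpp max-cdrs (max_cdrs and wait-time) and gtpp max-pdu-size interact, including the case of a single CDR larger than max-pdu-size; it is not StarOS code. The class name and the fixed GTPP header size used for the payload arithmetic are assumptions.

```python
"""GTPP packet batching under gtpp max-cdrs / wait-time / max-pdu-size (illustration only)."""


class GtppPacketBatcher:
    """Groups closed CDRs into GTPP packets. A packet is sent when max_cdrs
    is reached, when wait_time expires, or when adding the next CDR would
    exceed max_pdu_size; a lone oversized CDR is still sent."""

    def __init__(self, max_cdrs=1, wait_time=None, max_pdu_size=65400, gtpp_header=20):
        if not 1 <= max_cdrs <= 255:
            raise ValueError("max-cdrs must be 1..255")
        if wait_time is not None and not 1 <= wait_time <= 300:
            raise ValueError("wait-time must be 1..300 seconds")
        if not 1024 <= max_pdu_size <= 65400:
            raise ValueError("max-pdu-size must be 1024..65400 octets")
        self.max_cdrs, self.wait_time = max_cdrs, wait_time
        self.max_pdu_size, self.gtpp_header = max_pdu_size, gtpp_header  # header size assumed
        self.pending = []        # CDR sizes waiting in the open packet
        self.opened_at = None    # time the open packet received its first CDR
        self.sent = []           # (reason, [cdr sizes]) for every packet sent

    def _payload(self, extra=0):
        # payload = GTPP header + CDRs; layer 2, IP and UDP headers are not counted
        return self.gtpp_header + sum(self.pending) + extra

    def _flush(self, reason):
        if self.pending:
            self.sent.append((reason, self.pending))
            self.pending, self.opened_at = [], None

    def cdr_closed(self, size, now):
        """A CDR of 'size' octets closed at time 'now' (seconds)."""
        # adding this CDR would overflow the packet: send what is queued first
        if self.pending and self._payload(size) > self.max_pdu_size:
            self._flush("max-pdu-size")
        if not self.pending:
            self.opened_at = now
        self.pending.append(size)
        if len(self.pending) >= self.max_cdrs:
            self._flush("max-cdrs")
        elif self._payload() > self.max_pdu_size:
            # a lone CDR larger than max-pdu-size is sent regardless
            self._flush("oversize-single-cdr")

    def tick(self, now):
        """Clock tick: wait-time expiry sends a partially filled packet."""
        if self.pending and self.wait_time is not None and now - self.opened_at >= self.wait_time:
            self._flush("wait-time")
        return len(self.sent)
```

With the defaults (max_cdrs of 1, wait-time disabled) every CDR leaves in its own packet; the batching and the max-pdu-size split only come into play once max_cdrs is raised.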
gtpp max-retries
Configures the maximum
number of times the system attempts to communicate with an unresponsive
Charging Gateway Function (CGF).
Privilege:
Security Administrator,
Administrator
Syntax
gtpp max-retries max_attempts
default gtpp max-retries
default
Configures this command
with the default setting.
Default: 4
max_attempts
Specifies the number
of times the system attempts to communicate with a CGF that is not responding. max_attempts is
an integer from 1 through 15.
Usage:
This command works
in conjunction with the gtpp
detect-dead-server and gtpp timeout parameters
to set a limit to the number of communication failures that can
occur with a configured CGF.
When the value specified
by this parameter is met, a failure is logged. The gtpp detect-dead-server
parameter specifies the number of consecutive failures that could
occur before the server is marked as down.
In addition, the gtpp
timeout command controls the amount of time between re-tries.
If the value for the
max-retries is met, the system begins storing CDRs in Random Access Memory
(RAM). The system allocates memory as a buffer, enough to store
one million CDRs for a fully loaded chassis (a maximum of one outstanding
CDR per PDP context). Archived CDRs are re-transmitted to the CGF
until they are acknowledged or the system’s memory buffer is
exceeded.
Refer to the gtpp
detect-dead-server and gtpp timeout commands
for additional information.
Example:
The following command
configures the maximum number of re-tries to be
8:
gtpp max-retries 8
gtpp node-id
Configures the GTPP
Node ID for all CDRs.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp node-id node_id
no gtpp node-id
no
Removes the previous
gtpp node ID configuration.
node_id
Specifies the node ID for all CDRs as an alphanumeric string of 1 through 16 characters.
Usage:
Use this command to
configure the GTPP Node ID for all CDRs.
Example:
The following command
configures the GTPP Node ID as
test123:
gtpp node-id test123
gtpp redirection-allowed
Configures the system
to allow or disallow the redirection of CDRs when the primary Charging
Gateway Function (CGF) is unavailable.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp redirection-allowed
{ default | no } gtpp
redirection-allowed
default
Configures this command
with the default setting. Default: Enabled
no
Deletes the command
from the configuration.
Usage:
This command allows
operators to better handle erratic network links, without having
to remove the configuration of the backup server(s) via the no gtpp server command.
This functionality
is enabled by default.
If the no gtpp redirection-allowed command is executed, the system only sends CDRs to the primary CGF. If that CGF goes down, the system buffers the CDRs in memory until the CGF comes back or until the system runs out of buffer memory. In addition, if the primary CGF announces its intent to go down (with a GTPP Redirection Request message), the system responds to that request with an error response.
gtpp redirection-disallowed
This command has been
obsoleted and is replaced by the gtpp redirection-allowed command.
gtpp server
Configures the Charging
Gateway Function (CGF) accounting server(s) with which the system
will communicate.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp server ip_address [ max max_messages ] [ port port ] [ priority priority ] [ node-alive { enable | disable } ] [ -noconfirm ]
no gtpp server ip_address
no
Deletes a previously
configured CGF.
ip_address
Specifies the IP address
of the CGF in IPv4 dotted-decimal or IPV6 colon-separated-hexadecimal
notation.
max max_messages
Default: 256
Specifies the maximum
number of outstanding or unacknowledged GTPP packets (from any one
AAA Manager task) allowed for this CGF before the system begins
buffering the packets.
max_messages can
be configured as an integer from 1 through 256.
priority priority
Default:1000
Specifies the relative
priority of this CGF. When multiple CGFs are configured, the priority is
used to determine which CGF server to send accounting data to.
priority can
be configured as an integer from 1 through 1000. When configuring
two or more servers with the same priority you will be asked to
confirm that you want to do this. If you use the -noconfirm option,
you are not asked for confirmation and multiple servers could be
assigned the same priority.
port port
Default: 3386
Specifies the port the CGF is using. port can be configured as an integer from 1 through 65535.
node-alive { enable | disable }
Default: Disable.
This optional keyword allows the operator to enable or disable the sending of Node Alive Requests from the GSN to the GTPP server (CGF). This can be configured per GTPP server.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
configure the CGF(s) that the system sends CDR accounting data to.
Multiple CGFs can be
configured using multiple instances of this command. Up to 12 CGFs
can be configured per system context. Each configured CGF can be
assigned a priority. The priority is used to determine which server
to use for any given subscriber based on the routing algorithm that
has been implemented. A CGF with a priority of “1” has
the highest priority.
IMPORTANT:
The configuration of
multiple CGFs with the same IP address but different port numbers
is not supported.
Each CGF can also be
configured with the maximum allowable number of unacknowledged GTPP
packets. Since multiple AAA Manager tasks could be communicating with
the same CGF, the maximum is based on any one AAA Manager instance.
If the maximum is reached, the system buffers the packets in Random Access Memory (RAM). The system allocates memory as a buffer, enough
to store one million CDRs for a fully loaded chassis (a maximum
of one outstanding CDR per PDP context).
Example:
The following command configures a CGF with an IP address of 192.168.2.2 and a priority of 5:
gtpp server 192.168.2.2
priority 5
The following command
deletes a previously configured CGF with an IP address of
100.10.35.7:
no gtpp server 100.10.35.7
gtpp source-port-validation
Toggles port checking
for node alive/echo/redirection requests from
the CGF.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] gtpp
source-port-validation
default
Configures this command
with the default setting.
Default: Enabled
no
Disables CGF port checking.
Only the IP address will be used to verify CGF requests.
Usage:
This command enables or disables port checking on node alive/echo/redirection requests from the CGF. If the CGF sends messages from a non-standard port, it may be necessary to disable port checking in order to receive CGF requests. With the default setting, both the IP address and the port are checked.
Example:
The following command
disables port checking for CGF requests:
no gtpp source-port-validation
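The following Python function is an added illustration of the check this command controls, showing what the default (IP and port) and the relaxed (IP only) settings accept and reject; it is not StarOS code, and the function names, the CgfServer type and the request samples are constructed for the illustration.

```python
"""CGF request acceptance with and without gtpp source-port-validation (illustration only)."""
from dataclasses import dataclass

GTPP_DEFAULT_PORT = 3386   # default CGF port per the gtpp server command

# Request kinds the check applies to, per the command description
CHECKED_REQUESTS = {"node-alive-request", "echo-request", "redirection-request"}


@dataclass(frozen=True)
class CgfServer:
    """One configured CGF (gtpp server ip_address [ port port ])."""
    ip: str
    port: int = GTPP_DEFAULT_PORT


def accept_cgf_request(kind, src_ip, src_port, servers, source_port_validation=True):
    """Return (accepted, reason). With validation enabled (the default) both
    the source IP and port must match a configured CGF; with
    'no gtpp source-port-validation' only the IP is checked."""
    if kind not in CHECKED_REQUESTS:
        return False, f"unexpected message type {kind!r}"
    by_ip = {s.ip: s for s in servers}      # one entry per IP: same IP, different ports is unsupported
    srv = by_ip.get(src_ip)
    if srv is None:
        return False, f"{src_ip} is not a configured CGF"
    if source_port_validation and src_port != srv.port:
        return False, f"{src_ip}:{src_port} does not match configured port {srv.port}"
    return True, ("ip and port match" if source_port_validation else "ip match only")


def filter_requests(requests, servers, source_port_validation=True):
    """Apply the check to a batch of (kind, ip, port) tuples. Returns the
    accepted tuples and one log line per rejected request."""
    accepted, log = [], []
    for kind, ip, port in requests:
        ok, why = accept_cgf_request(kind, ip, port, servers, source_port_validation)
        if ok:
            accepted.append((kind, ip, port))
        else:
            log.append(f"dropped {kind} from {ip}:{port}: {why}")
    return accepted, log
```

Disabling validation narrows the check to the source address alone, so treat "no gtpp source-port-validation" as a deliberate relaxation to be recorded in the change log and, where possible, paired with a filter on the CGF-facing interface that limits which sources can reach the Ga port at all.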
gtpp storage-server
Configures information
for the GTPP back-up storage server.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] gtpp
storage-server ip-address port port-num
no
Removes a previously
configured back-up storage server.
ip-address
Specifies the IP address
of the back-up storage server expressed in IPv4 dotted-decimal notation.
port port-num
Specifies the UDP port
number over which the GSN communicates with the back-up storage server.
Default: 3386
Usage:
This command configures the server to which GTPP packets are backed up in the event that all CGFs are unreachable.
One backup storage
server can be configured per system context.
IMPORTANT:
This command only takes effect if gtpp single-source in the Global Configuration Mode is also configured. Additionally, this command is customer specific. Please contact your local sales representative for additional information.
Example:
The following command
configures a back-up server with an IP address of
192.168.1.2:
gtpp storage-server 192.168.1.2
gtpp storage-server
local file
Configures the parameters
for GTPP files stored locally on the GTPP storage server. This command
is available for the ASR 5000 platform only.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp storage-server
local file { compression { gzip | none } | format { custom1 | custom2 | custom3 | custom4 | custom5 | custom6 | custom7 | custom8 } | name { format string [ max-file-seq-num seq_number ] | prefix prefix } | purge-processed-files [ file-name-pattern file_pattern | purge-interval purge_dur ] | rotation { cdr-count count | time-interval time [ force-file-rotation ] | volume
mb size } }
default gtpp storage-server
local file { compression | format | name { format | prefix } | purge-processed-files | rotation { cdr-count | time-interval | volume } }
no gtpp storage-server
local file { purge-processed-files | rotation { cdr-count | time-interval } }
default
Configures default
setting for the specified parameter.
no
Removes previously configured parameters for local storage of CDR files on the HDD on the SMC card.
compression { gzip | none }
Configures the type
of compression to be used on the files stored locally.
- gzip: Enables
Gzip file compression.
- none: Disables Gzip file compression; this is the default value.
Default: Disabled
format { custom-n }
Configures the file
format to be used to format files to be stored locally.
custom1:
File format custom1—this is the default value.
custom2:
File format custom2.
custom3:
File format custom3.
custom4:
File format custom4.
custom5:
File format custom5.
custom6:
File format custom6 with a block size of 8K for CDR files.
custom7:
File format custom7 is a customer specific CDR file format.
custom8:
File format custom8 is a customer specific CDR file format. It uses node-id-suffix_date_time_fixed-length-seq-num.u
format for file naming.
Default: custom1
name { format string [ max-file-seq-num seq_number ] | prefix prefix }
Allows the format of the CDR filenames to be configured independently from the file format, so that the name format contains the file name with conversion specifications.
prefix: Enter an alphanumeric string of 1 through 127 characters. The string must begin with the % (percent sign).
- %y: year as a decimal number without century (range 00 to 99).
- %Y: year
as a decimal number with century.
- %m: month
as a decimal number (range 01 to 12).
- %d: day
of the month as a decimal number (range 01 to 31).
- %H: hour
as a decimal number 24-hour format (range 00 to 23).
- %h: hour
as a decimal number 12-hour format (range 01 to 12).
- %M: minute
as a decimal number (range 00 to 59).
- %S: second
as a decimal number (range 00 to 60). (The range is up to 60 to allow
occasional leap seconds.)
- %Q: File sequence number. A field width may be specified between the % and the Q. If the natural size of the field is smaller than this width, the result string is padded on the left with 0s to the specified width.
- %N: Number of CDRs in the file. A field width may be specified between the % and the N. If the natural size of the field is smaller than this width, the result string is padded on the left with 0s to the specified width.
- max-file-seq-no:
This can be configured optionally. It indicates the maximum value
of sequence number in file name (starts from 1). Once the configured
max-file-seq-no limit is reached, the sequence number will restart
from 1. If no max-file-seq-no is specified then file sequence number
ranges from 1 – 4294967295.
By default the above
keyword is not configured (default gtpp storage-server local file
name format). In which case the CDR filenames are generated based
on the file format as before (maintains backward compatibility).
purge-processed-files [ file-name-pattern file_pattern | purge-interval purge_dur ]
Enables the GSN to
periodically (every 4 minutes) delete locally processed (*.p)
CDR files from the HDD on the SMC card. Default: Disabled
IMPORTANT:
This option is available
only when GTPP server storage mode is configured for local storage of
CDRs with the gtpp
storage-server mode local command.
The optional keyword file-name-pattern file_pattern lets the user control the pattern of files to purge. file_pattern must be given in *.p format as a string of 1 through 127 characters, which is also the default pattern. The wildcards * and : (synonymous with |) are allowed.
The optional keyword purge-interval purge_dur lets the user control the purge interval duration (in minutes). purge_dur must be an integer from 1 through 259200. Default value 60.
rotation { cdr-count
count | time-interval time | volume mb size }
Specifies rotation
related configuration for GTPP files stored locally.
cdr-count count: Configures the
CDR count for the file rotation as an integer from 1000 through
65000. Default value 10000.
time-interval time: Configures
the time interval (in seconds) for file rotation as an integer from
30 through 86400. Default value 3600 (1 hour).
volume mb size: Configures the file volume (in MB) for file rotation as an integer from 2 to 40. This trigger cannot be disabled. Default value is 4 MB.
Usage:
This command configures the parameters for storage of GTPP packets as files on the local server, that is, the hard disk.
Example:
The following command configures rotation every 1.5 hours (5400 seconds) for locally stored files:
gtpp storage-server
local file rotation time-interval 5400 start-file-seq-num 20 recover-file-seq-num
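The following Python code is an added illustration of the filename conversion specifications listed for the name format keyword of this command (%y, %Y, %m, %d, %H, %h, %M, %S, and %Q/%N with an optional zero-padded field width) together with the max-file-seq-num wraparound; it is not StarOS code. The function and class names, the demo timestamp and the sample format string are constructed for the illustration.

```python
"""CDR filename rendering for gtpp storage-server local file name format (illustration only)."""
import re
from datetime import datetime

# every conversion is "%", an optional decimal width, and one letter
_SPEC = re.compile(r"%(\d*)(.)")
# date/time conversions map onto strftime; %h is the 12-hour clock (01..12)
_STRFTIME = {"y": "%y", "Y": "%Y", "m": "%m", "d": "%d",
             "H": "%H", "h": "%I", "M": "%M", "S": "%S"}


def render_cdr_filename(fmt: str, when: datetime, seq: int, cdr_count: int) -> str:
    """Expand the name format conversions. 'when' is the file timestamp,
    'seq' the file sequence number (%Q) and 'cdr_count' the number of
    CDRs in the file (%N)."""
    if not 1 <= len(fmt) <= 127:
        raise ValueError("name format must be 1 through 127 characters")
    if not fmt.startswith("%"):
        raise ValueError("name format must begin with %")

    def expand(m) -> str:
        width, spec = m.group(1), m.group(2)
        if spec in ("Q", "N"):
            value = seq if spec == "Q" else cdr_count
            # pad on the left with 0s only when a width is given and the value is narrower
            return str(value).zfill(int(width)) if width else str(value)
        if spec not in _STRFTIME:
            raise ValueError(f"unknown conversion %{width}{spec}")
        if width:
            raise ValueError(f"field width is only valid for %Q and %N, not %{width}{spec}")
        return when.strftime(_STRFTIME[spec])

    return _SPEC.sub(expand, fmt)


class FileSequence:
    """File sequence numbers start at 1 and restart at 1 once max-file-seq-num
    is reached (4294967295 when the keyword is not configured)."""

    def __init__(self, max_file_seq_num: int = 4294967295):
        if not 1 <= max_file_seq_num <= 4294967295:
            raise ValueError("max-file-seq-num out of range")
        self.max = max_file_seq_num
        self.current = 0          # nothing issued yet

    def next(self) -> int:
        self.current = 1 if self.current >= self.max else self.current + 1
        return self.current


def demo() -> dict:
    """Constructed example: four files from one sequence that wraps at 3,
    using a width-padded %Q, plus a 12-hour-clock rendering."""
    seq = FileSequence(max_file_seq_num=3)
    stamp = datetime(2024, 3, 5, 14, 7, 9)            # constructed timestamp
    fmt = "%Y%m%d_%H%M%S_%5Q_%N"                       # constructed name format
    names = [render_cdr_filename(fmt, stamp, seq.next(), n) for n in (1200, 980, 1500, 40)]
    return {"names": names, "twelve_hour": render_cdr_filename("%y-%h", stamp, 1, 0)}
```

Note what a small max-file-seq-num does in the demo: the fourth file reuses sequence number 1, so a name format that carries no timestamp component would produce colliding filenames; the date/time conversions are what keep names unique across a wrap.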
gtpp storage-server
max-retries
Configures the maximum
number of times the system attempts to communicate with an unresponsive
GTPP back-up storage server.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp storage-server
max-retries max_attempts
default gtpp storage-server
max-retries
default
Configures this command
with the default setting.
Default: 2
max_attempts
Specifies the number of times the system attempts to communicate with a GTPP back-up storage server that is not responding. max_attempts is an integer from 1 through 15.
Usage:
This command works
in conjunction with the gtpp
storage-server timeout parameters to set a limit to the number
of communication failures that can occur with a configured GTPP
back-up storage server.
The gtpp storage-server
timeout command controls the amount of time between re-tries.
Example:
The following command
configures the maximum number of re-tries to be
8:
gtpp storage-server
max-retries 8
gtpp storage-server
mode
Configures storage
mode, local or remote, for CDRs. Local storage mode is available
with ASR 5000 platforms only.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp storage-server
mode { local | remote | streaming }
default gtpp storage-server mode
default
Configures this command
with the default setting.
Default: remote
local
Default: Disabled
Specifies the use of the hard disk on the SMC for storing CDRs.
remote
Specifies the use of
an external server for storing CDRs. This is the default value.
streaming
Default: Disabled
Allows the operator to configure “streaming” mode of operation for the GTPP group. When this keyword is supplied, the CDRs are stored in the following fashion:
- When GTPP link is active
with CGF, CDRs are sent to a CGF via GTPP and local hard disk is
NOT used as long as every record is acknowledged in time.
- If the GTPP connection
is considered to be down, all streaming CDRs will be saved temporarily
on the local hard disk and once the connection is restored, unacknowledged
records will be retrieved from the hard disk and sent to the CGF.
Usage:
This command configures
whether the CDRs should be stored on the hard disk of the SMC or
remotely, on an external server.
Example:
The following command
configures use of a hard disk for storing CDRs:
gtpp storage-server
mode local
gtpp storage-server
timeout
Configures the amount
of time that must pass with no response before the system re-attempts
to communicate with the GTPP back-up storage server.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp storage-server
timeout duration
default gtpp storage-server timeout
default
Configures this command
with the default setting.
Default: 30 seconds
duration
Specifies the maximum
amount of time (in seconds) the system waits for a response from the
GTPP back-up storage server before assuming the packet is lost. duration is
an integer from 30 through 120.
Usage:
This command works
in conjunction with the gtpp storage-server max-retries command
to establish a limit on the number of times that communication with
a GTPP back-up storage server is attempted before a failure is logged.
This parameter specifies the time between retries.
Example:
The following command
configures a retry timeout of 60 seconds:
gtpp storage-server
timeout 60
gtpp suppress-cdrs
zero-volume-and-duration
Suppresses the CDRs
created by sessions having zero duration and/or zero volume.
By default this mode is disabled.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp suppress-cdrs zero-volume-and-duration { gcdrs [ egcdrs ] | egcdrs [ gcdrs ] }
default gtpp suppress-cdrs
zero-volume-and-duration
default
Configures this command
with the default setting.
Default: Disabled.
gcdrs [ egcdrs ]
Suppresses G-CDRs before
eG-CDRs.
egcdrs [ gcdrs ]
Suppresses eG-CDRs
before G-CDRs.
Usage:
Use this command to suppress the CDRs (G-CDRs and eG-CDRs) created for sessions that have zero duration or zero volume, whatever the reason. By default this command is disabled and the system does not suppress any CDR.
Example:
The following command
configures the system to suppress the eG-CDRs created for a zero duration
session or zero volume session:
gtpp suppress-cdrs
zero-volume-and-duration egcdrs gcdrs
gtpp timeout
Configures the amount
of time that must pass with no response before the system re-attempts
to communicate with the Charging Gateway Function (CGF).
Privilege:
Security Administrator,
Administrator
Syntax
gtpp timeout time
default gtpp timeout
default
Configures this command
with the default setting. Default: 20 seconds
time
Specifies the maximum
amount of time (in seconds) the system waits for a response from the
CGF before assuming the packet is lost. time is an
integer from 1 through 60.
Usage:
This command works
in conjunction with the gtpp max-retries command
to establish a limit on the number of times that communication with
a CGF is attempted before a failure is logged.
This parameter specifies
the time between retries.
Example:
The following command
configures a retry timeout of
30 seconds:
gtpp timeout 30
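The following Python model is an added illustration of how gtpp timeout and gtpp max-retries bound one Data Record Transfer exchange, how repeated failures lead to CDRs being archived for retransmission and the CGF being marked dead, and how a Node Alive Request or Echo Request from a presumed-dead CGF revives it at once (the gtpp echo-interval Usage section above); it is not StarOS code. The class name, the detect_dead_server value standing in for the gtpp detect-dead-server command, and the assumption that max-retries counts re-sends after the first transmission are mine.

```python
"""CGF liveness tracking from gtpp timeout / max-retries / echo handling (illustration only)."""


class CgfLivenessTracker:
    """One CGF as seen by one AAA Manager (each manager decides alive/dead
    independently). detect_dead_server is the number of consecutive
    failures before the server is marked down (assumed value)."""

    def __init__(self, timeout=20, max_retries=4, detect_dead_server=3):
        if not 1 <= timeout <= 60:
            raise ValueError("gtpp timeout must be 1..60 seconds")
        if not 1 <= max_retries <= 15:
            raise ValueError("gtpp max-retries must be 1..15")
        self.timeout = timeout
        self.max_retries = max_retries
        self.detect_dead_server = detect_dead_server
        self.alive = True
        self.consecutive_failures = 0
        self.buffered_cdrs = []     # CDRs archived in RAM for retransmission
        self.log = []

    def worst_case_wait(self):
        """Seconds before a failure is logged for one DRT: first send plus retries
        (assumes max-retries counts re-sends after the initial transmission)."""
        return self.timeout * (1 + self.max_retries)

    def send_drt(self, cdr_id, responds_after=None):
        """Simulate one Data Record Transfer request. responds_after is the
        number of seconds until the CGF acknowledges, None if it never does.
        Returns True when acknowledged within the retry budget."""
        waited = 0
        for _ in range(1 + self.max_retries):
            if responds_after is not None and responds_after <= waited + self.timeout:
                self.consecutive_failures = 0
                return True
            waited += self.timeout      # no response in this window: retry
        self.log.append(f"cdr {cdr_id}: no response after {waited}s, archiving for retransmission")
        self.buffered_cdrs.append(cdr_id)
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.detect_dead_server:
            self.alive = False
        return False

    def peer_message(self, kind):
        """A Node Alive Request or Echo Request from a presumed-dead CGF
        marks it alive again at once, without waiting for an echo response."""
        if kind in ("node-alive-request", "echo-request") and not self.alive:
            self.alive = True
            self.consecutive_failures = 0
            self.log.append(f"cgf revived by {kind}")
        return self.alive
```

For monitoring, the values worth alerting on are the log line rate (each one is a CDR that now sits in the RAM buffer, which is finite) and any alive-to-dead transition; with the page's defaults of 20 seconds and 4 retries a single unacknowledged DRT takes 100 seconds to surface as a failure.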
gtpp trigger
This command is left
in place for backward compatibility. To disable and enable GTPP
triggers you should use the gtpp trigger command
in GTPP Server Group Configuration Mode.
gtpp transport-layer
Selects the transport
layer protocol for the Ga interface for communication between the
access gateways (GSNs) and GTPP servers.
Privilege:
Security Administrator,
Administrator
Syntax
gtpp transport-layer { tcp | udp }
default gtpp transport-layer
default
Configures this command
with the default setting.
Default: udp
tcp
Default: Disabled
Enables the system
to implement TCP as transport layer protocol for communication with GTPP
server.
udp
Default: Enabled
Enables the system
to implement UDP as transport layer protocol for communication with GTPP
server.
Usage:
Use this command to select TCP or UDP as the transport layer protocol for Ga interface communication between GTPP servers and AGWs (GSNs).
Example:
The following command enables TCP as the transport layer protocol for the GSN’s Ga interface:
gtpp transport-layer tcp
gtpu-service
Creates a GTP-U service
or specifies an existing GTP-U service and enters the GTP-U Service
Configuration Mode for the current context.
Syntax
gtpu-service service_name [ -noconfirm ]
no gtpu-service service_name
gtpu-service service_name
Specifies the name
of the GTP-U service. If service_name does
not refer to an existing service, a new service is created if resources
allow. service_name is
an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
no gtpu-service service_name
Removes the specified
GTP-U service from the context.
Usage:
Enter the GTP-U Service
Configuration Mode for an existing service or for a newly defined
service. This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system
handoffs). Therefore, it is recommended that a large number of services
only be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Entering this command
results in the following prompt:
[context_name]hostname(config-gtpu-service)#
GTP-U Service Configuration
Mode commands are defined in the GTP-U Service Configuration
Mode Commands chapter.
Example:
The following command
enters the existing GTP-U Service Configuration Mode (or creates it
if it does not already exist) for the service named
gtpu-service1:
gtpu-service gtpu-service1
The following command
will remove
gtpu-service1 from
the system:
no gtpu-service gtpu-service1
ha-service
Creates/deletes
a home agent service or specifies an existing HA service for which
to enter the Home Agent Service Configuration Mode for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
ha-service name [ -noconfirm ]
no ha-service name
no
Indicates the home
agent service specified is to be removed.
name
Specifies the name
of the HA service to configure. If name does not
refer to an existing service, the new service is created if resources
allow. name is
an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Enter the HA Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (i.e. resulting from such things as system handoffs).
Therefore, it is recommended that a large number of services only
be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Example:
The following command
will enter, or create and enter, the HA service
sampleService:
ha-service sampleService
The following command
will remove
sampleService as
being a defined HA service:
no ha-service sampleService
hnbgw-service
Creates or removes
a Home NodeB Gateway (HNB-GW) service, or configures an existing
HNB-GW service and enters the HNB-GW Service Configuration Mode
for Femto UMTS access network configuration in the current context.
Syntax
hnbgw-service hnbgw_svc_name [ -noconfirm ]
no hnbgw-service hnbgw_svc_name
no
Removes the specified
HNB-GW service from the context.
hnbgw_svc_name
Specifies the name
of the HNB-GW service. If hnbgw_svc_name does
not refer to an existing service, the new service is created if
resources allow. hnbgw_svc_name is
an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
enter the HNB-GW Service Configuration Mode for an existing service
or for a newly defined service. This command is also used to remove
an existing service.
A maximum of one HNB-GW
service can be configured per system, within the overall limit of
256 services (regardless of type) per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system
handoffs). Therefore, it is recommended that a large number of services
only be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Entering this command
results in the following prompt:
[context_name]hostname(config-hnbgw-service)#
The commands available
in this mode are defined in the HNB-GW Service Configuration
Mode Commands chapter of Command
Line Interface Reference.
CAUTION:
This is a critical
configuration. The HNB-GW service cannot be configured without
it. Any change to this configuration restarts the HNB-GW service,
and removing or disabling this configuration stops the HNB-GW service.
Example:
The following command
enters the existing HNB-GW Service Configuration Mode (or creates
it if it does not already exist) for the service named
hnb-service1:
hnbgw-service hnb-service1
The following command
will remove
hnb-service1 from
the system:
no hnbgw-service hnb-service1
hsgw-service
Creates an HSGW service
or specifies an existing HSGW service and enters the HSGW Service
Configuration Mode for the current context.
Syntax
hsgw-service service_name [ -noconfirm ]
no hsgw-service service_name
no
Removes the specified
HSGW service from the context.
service_name
Specifies the name
of the HSGW service. If service_name does
not refer to an existing service, the new service is created if
resources allow. service_name is
an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Enter the HSGW Service
Configuration Mode for an existing service or for a newly defined
service. This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system
handoffs). Therefore, it is recommended that a large number of services
only be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Entering this command
results in the following prompt:
[context_name]hostname(config-hsgw-service)#
HSGW Service Configuration
Mode commands are defined in the HSGW Service Configuration
Mode Commands chapter.
Use this command when
configuring the following eHRPD components: HSGW.
Example:
The following command
enters the existing HSGW Service Configuration Mode (or creates it
if it does not already exist) for the service named
hsgw-service1:
hsgw-service hsgw-service1
The following command
will remove
hsgw-service1 from
the system:
no hsgw-service hsgw-service1
hss-peer-service
Creates a Home Subscriber
Service (HSS) peer service or configures an existing HSS peer service
and enters the HSS Peer Service Configuration Mode.
Syntax
hss-peer-service service_name [ -noconfirm ]
no hss-peer-service service_name
no
Removes the specified
HSS peer service from the context.
service_name
Specifies the name of
the HSS peer service. If service_name does
not refer to an existing service, a new service is created if resources
allow. service_name is
an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Enter the HSS Peer Service
Configuration Mode for an existing service or for a newly defined
service. This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system
handoffs). Therefore, it is recommended that a large number of services
only be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Entering this command
results in the following prompt:
[context_name]hostname(config-hss-peer-service)#
HSS Peer Service Configuration
Mode commands are defined in the HSS Peer Service Configuration
Mode Commands chapter.
Example:
The following command
enters the existing HSS Peer Service Configuration Mode (or creates
it if it does not already exist) for the service named
hss-peer1:
hss-peer-service hss-peer1
The following command
will remove
hss-peer1 from
the system:
no hss-peer-service hss-peer1
ikev1 disable-initial-contact
Disables the sending
of the INITIAL-CONTACT message in the IKEv1 protocol after the node
creates a new Phase1 SA, caused either by Dead Peer Detection or
by a rekey.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ikev1 disable-initial-contact
no
Disables this command,
which re-enables the sending of the INITIAL-CONTACT message.
Usage:
Use this command to
disable the sending of the INITIAL-CONTACT message in the IKE v1
protocol.
Example:
The following command
disables the sending of the INITIAL-CONTACT message:
ikev1 disable-initial-contact
ikev1 disable-phase1-rekey
Configures the rekeying
of Phase1 SA when the Internet Security Association and Key Management
Protocol (ISAKMP) lifetime expires in Internet Key Exchange (IKE)
v1 protocol.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ikev1 disable-phase1-rekey
no
Re-enables the rekeying of Phase 1
SAs when the ISAKMP lifetime expires.
Usage:
Use this command to
disable the rekeying of Phase 1 SAs when the ISAKMP lifetime expires
in IKE v1 protocol.
Example:
The following command
disables rekeying of Phase1 SAs when the lifetime expires:
ikev1 disable-phase1-rekey
ikev1 keepalive dpd
Configures the ISAKMP
IPSec Dead Peer Detection (DPD) message parameters for IKE v1 protocol.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ikev1 keepalive dpd interval interval timeout time num-retry retries
no
Deletes previously
configured IPSec DPD Protocol settings.
dpd interval interval
Specifies the time
interval (in seconds) at which IPSec DPD Protocol messages are sent. interval is
an integer from 10 through 3600.
timeout time
Specifies the amount
of time (in seconds) allowed for receiving a response from the peer security
gateway prior to re-sending the message. time is an
integer from 10 through 3600.
num-retry retries
Specifies the maximum
number of times that the system should attempt to reach the peer security
gateway prior to considering it unreachable. retries is
an integer from 1 through 100.
Usage:
Use this command to
configure the ISAKMP dead peer detection parameters in IKE v1 protocol.
Tunnels belonging to
crypto groups are perpetually kept “up” through
the use of the IPSec Dead Peer Detection (DPD) packets exchanged
with the peer security gateway.
IMPORTANT:
The peer security gateway
must support RFC 3706 in order for this functionality to function properly.
This functionality
is for use with the Redundant IPSec Tunnel Fail-over feature and
to prevent IPSec tunnel state mismatches between the FA and HA when
used in conjunction with Mobile IP applications.
Regardless of the application,
DPD must be supported/configured on both security peers. If
the system is configured with DPD but it is communicating with a
peer that does not have DPD configured, IPSec tunnels still come
up. However, the only indication that the remote peer does not support
DPD exists in the output of the show crypto isakmp security
associations summary dpd command.
IMPORTANT:
If DPD is enabled while
IPSec tunnels are up, it does not take effect until all of the tunnels are
cleared.
Example:
The following command
configures the IPSec DPD Protocol parameters with an interval of
15 seconds, a timeout of 10 seconds, and 5 retries per attempt:
ikev1 keepalive dpd interval 15 timeout 10 num-retry 5
ikev1 policy
Configures or creates
an ISAKMP policy with the specified priority and enters ISAKMP Configuration
Mode for IKE v1 protocol.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ikev1 policy priority
no
Removes a previously
configured ISAKMP policy for IKE v1 protocol.
priority
Specifies the priority
of an ISAKMP policy as an integer from 0 through 100. ISAKMP policies
for IKE v1 protocol with lower priority numbers take precedence
over policies with higher priorities. “0” is the
highest priority. Default: 0
Usage:
Use this command to
create ISAKMP policies to regulate how IPSec key negotiation is performed
for IKE v1 protocol.
Internet Security Association
Key Management Protocol (ISAKMP) policies are used to define Internet
Key Exchange (IKE) SAs. The IKE SAs dictate the shared security
parameters (i.e. which encryption parameters to use, how to authenticate
the remote peer, etc.) between the system and a peer security gateway.
During Phase 1 of IPSec
establishment, the system and a peer security gateway negotiate IKE
SAs. These SAs are used to protect subsequent communications between
the peers including the IPSec SA negotiation process.
Multiple ISAKMP policies
can be configured in the same context and are used in an order determined
by their priority number.
Example:
Use the following
command to create an ISAKMP policy with the priority
1 and enter
the ISAKMP Configuration Mode:
ikev1 policy 1
ikev2-ikesa
Creates a new, or specifies
an existing, IKEv2 security association transform set and enters
the IKEv2 Security Association Configuration Mode.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ikev2-ikesa transform-set name
no
Removes the entered
IKEv2 security association transform set from the system.
name
Specifies the name
of a new or existing security association transform set as an alphanumeric
string of 1 through 127 characters.
Usage:
Use this command to
create a new or enter an existing IKEv2 security association transform-set.
A list of up to four separate transform-sets can be created.
Entering this command
results in the following prompt:
[context_name]hostname(cfg-ctx-ikev2ikesa-tran-set)#
IKEv2 Security Association
Configuration Mode commands are defined in the IKEv2 Security Association
Configuration Mode Commands chapter.
Example:
The following command
configures an IKEv2 security association transform set called
ikesa3 and
enters the IKEv2 Security Association Configuration Mode:
ikev2-ikesa transform-set ikesa3
ims-auth-service
This command enables
the creation, configuration or deletion of an IMS authorization
service in the current context.
Product:
GGSN, HA, IPSG, PDSN,
P-GW
Privilege:
Security Administrator,
Administrator
Syntax
ims-auth-service auth_svc_name [ -noconfirm ]
{ no | default } ims-auth-service auth_svc_name
no
Deletes the specified
IMS authorization service within the current context.
default
Restores the IMS authorization
service to its default state, which is disabled for the specific context.
auth_svc_name
Specifies the name of the
IMS authorization service as a unique alphanumeric string of 1 through
63 characters.
A maximum of 16 authorization
services can be configured globally in the system. There is also
a system limit for the maximum number of total configured services.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create/configure/delete an IMS authorization service
for Gx interface support in the current context.
Entering this command
results in the following prompt:
[context_name]hostname(config-imsa-service)
IMS authorization service
configuration commands are described in the IMS Authorization Service
Configuration Mode Commands chapter.
Example:
The following command
configures an IMS authorization service named
ims_interface1 within
the current context:
ims-auth-service ims_interface1
ims-sh-service
Creates the specified
IP Multimedia Subsystem (IMS) Sh service name to allow configuration
of an Sh service.
Syntax
ims-sh-service name
no ims-sh-service name
no
Removes a previously
configured IMS-Sh-service.
name
Specifies the name
of the IMS-Sh-service to be configured as an alphanumeric string
of 1 through 63 characters.
Usage:
The IMS-Sh-service
is named in the pdif-service and/or cscf-service. Use this
command to enter the IMS Sh Service Configuration Mode.
Entering this command
results in the following prompt:
[context_name]hostname(config-ims-sh-service)#
IMS Sh Service Configuration
Mode commands are defined in the IMS Sh Service Configuration
Mode Commands chapter in this guide.
Example:
The following example
creates or enters an IMS Sh service named
ims-1:
ims-sh-service ims-1
inspector
Configures a context-level
inspector account within the current context.
Privilege:
Security Administrator
Syntax
inspector user_name [ encrypted ] password password [ ecs | noecs ] [ expiry-date date_time ] [ li-administration ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle timeout_duration ] [ timeout-min-idle idle_minutes ]
no inspector user_name
no
Removes a previously
configured inspector account.
user_name
Specifies a name for
the context-level inspector account as an alphanumeric string of
1 through 32 characters.
[ encrypted ] password password
Specifies the password
to use for the user which is being given context-level inspector privileges
within the current context. The encrypted keyword indicates the
password specified uses encryption.
password is
an alphanumeric string of 1 through 63 characters without encryption,
or 1 through 127 characters with encryption.
The encrypted keyword
is intended only for use by the system while saving configuration scripts.
The system displays the encrypted keyword in the configuration file
as a flag that the variable following the password keyword is the
encrypted version of the plain text password. Only the encrypted
password is saved as part of the configuration file.
ecs | noecs
Default: noecs
ecs: Permits
the specified user to access ACS-specific configuration commands.
noecs: Prevents
the specified user from accessing ACS-specific configuration commands.
expiry-date date_time
Specifies the date
and time that this account expires. Enter the date and time in the
format YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss.
Where YYYY is the year,
MM is the month, DD is the day of the month, HH is the hour, mm
is minutes, and ss is seconds.
li-administration
Refer to the Lawful Intercept Configuration
Guide for a description of this parameter.
timeout-absolute abs_seconds
This keyword is obsolete.
It has been left in place for backward compatibility. If used, a warning
is issued and the value entered is rounded to the nearest whole
minute.
Specifies the maximum
amount of time (in seconds) the context-level inspector may have
a session active before the session is forcibly terminated. abs_seconds must
be an integer from 0 through 300000000. The value 0 disables the
absolute timeout. Default: 0
timeout-min-absolute abs_minutes
Specifies the maximum
amount of time (in minutes) the context-level inspector may have
a session active before the session is forcibly terminated. abs_minutes must
be an integer from 0 through 525600 (365 days). The value 0 disables
the absolute timeout. Default: 0
timeout-idle timeout_duration
This keyword is obsolete.
It has been left in place for backward compatibility. If used, a warning
is issued and the value entered is rounded to the nearest whole
minute.
Specifies the maximum
amount of idle time (in seconds) the context-level inspector may have
a session active before the session is terminated. timeout_duration must
be an integer from 0 through 300000000. The value 0 disables the
idle timeout. Default: 0
timeout-min-idle idle_minutes
Specifies the maximum
amount of idle time (in minutes) the context-level inspector may have
a session active before the session is terminated. idle_minutes must
be an integer from 0 through 525600 (365 days). The value 0 disables
the idle timeout. Default: 0
Usage:
Create a new context-level
inspector or modify an existing inspector’s options, in particular the
timeout values.
Inspector users have
minimal read-only privileges. Refer to the Command Line Interface
Overview chapter for more information.
IMPORTANT:
A maximum of 128 administrative
users and/or subscribers may be locally configured per context.
Example:
The following command
creates a context-level inspector account named
user1:
inspector user1 password secretPassword
The following command
removes a context-level inspector account named
user1:
no inspector user1
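The following Python script, added here as an example and not part of the Cisco reference, parses inspector configuration lines against the syntax and limits listed above and audits a saved configuration for risky account settings (a plain-text password on disk, no expiry-date, and disabled session timeouts). The half-up rounding of obsolete second-based values and the sample configuration lines are assumptions.

```python
from datetime import datetime

# Limits and keywords taken from the inspector command description above.
USER_NAME_MAX = 32
PASSWORD_MAX = {"plain": 63, "encrypted": 127}
SECONDS_MAX = 300_000_000      # obsolete timeout-absolute / timeout-idle
MINUTES_MAX = 525_600          # timeout-min-absolute / timeout-min-idle
EXPIRY_FORMATS = ("%Y:%m:%d:%H:%M", "%Y:%m:%d:%H:%M:%S")
FLAGS = {"encrypted": {"encrypted": True}, "ecs": {"ecs": True},
         "noecs": {"ecs": False}, "li-administration": {"li_administration": True}}


def _int_arg(keyword, value, high):
    """Parse an integer keyword argument and enforce the range 0..high."""
    if value is None or not value.isdigit():
        raise ValueError(f"{keyword}: integer argument required")
    if int(value) > high:
        raise ValueError(f"{keyword}: {value} exceeds maximum {high}")
    return int(value)


def parse_inspector(line):
    """Parse an 'inspector ...' or 'no inspector ...' line and validate it."""
    tokens = line.split()
    if tokens[:2] == ["no", "inspector"] and len(tokens) == 3:
        return {"action": "remove", "user_name": tokens[2]}
    if len(tokens) < 2 or tokens[0] != "inspector":
        raise ValueError("not a valid inspector command")
    user = tokens[1]
    if not (1 <= len(user) <= USER_NAME_MAX and user.isalnum()):
        raise ValueError("user_name must be 1-32 alphanumeric characters")
    acct = {"action": "create", "user_name": user, "encrypted": False, "ecs": False,
            "li_administration": False, "password": None, "expiry": None,
            "timeout_absolute_min": 0, "timeout_idle_min": 0, "warnings": []}
    i = 2
    while i < len(tokens):
        kw = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if kw in FLAGS:                      # single-keyword flags take no argument
            acct.update(FLAGS[kw])
            i += 1
            continue
        if kw == "password":                 # 'encrypted' must precede it per the syntax
            limit = PASSWORD_MAX["encrypted" if acct["encrypted"] else "plain"]
            if arg is None or not 1 <= len(arg) <= limit:
                raise ValueError(f"password must be 1-{limit} characters")
            acct["password"] = arg
        elif kw == "expiry-date":
            for fmt in EXPIRY_FORMATS:
                try:
                    acct["expiry"] = datetime.strptime(arg or "", fmt)
                    break
                except ValueError:
                    continue
            else:
                raise ValueError("expiry-date must be YYYY:MM:DD:HH:mm[:ss]")
        elif kw in ("timeout-min-absolute", "timeout-min-idle"):
            key = "timeout_absolute_min" if "absolute" in kw else "timeout_idle_min"
            acct[key] = _int_arg(kw, arg, MINUTES_MAX)
        elif kw in ("timeout-absolute", "timeout-idle"):
            key = "timeout_absolute_min" if "absolute" in kw else "timeout_idle_min"
            secs = _int_arg(kw, arg, SECONDS_MAX)
            # Obsolete second-based keywords are rounded to the nearest whole
            # minute; rounding half up is an assumption, not stated in the reference.
            acct[key] = (secs + 30) // 60
            acct["warnings"].append(f"{kw} is obsolete; {secs}s rounded to {acct[key]} min")
        else:
            raise ValueError(f"unknown keyword '{kw}'")
        i += 2
    if acct["password"] is None:
        raise ValueError("password is mandatory")
    return acct


def audit_inspectors(config_text):
    """Flag inspector accounts with a plain-text password, no expiry, or a disabled timeout."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("inspector "):
            continue
        acct = parse_inspector(line)
        u = acct["user_name"]
        if not acct["encrypted"]:
            findings.append(f"{u}: password stored in plain text")
        if acct["expiry"] is None:
            findings.append(f"{u}: no expiry-date set")
        if acct["timeout_absolute_min"] == 0:
            findings.append(f"{u}: absolute timeout disabled")
        if acct["timeout_idle_min"] == 0:
            findings.append(f"{u}: idle timeout disabled")
    return findings


# Constructed sample configuration lines (not from a real system).
SAMPLE_CONFIG = """\
inspector user1 password secretPassword
inspector auditor encrypted password 0a1b2c3d4e5f ecs expiry-date 2030:01:31:23:59 timeout-min-absolute 480 timeout-idle 900
"""
```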
interface
Creates or deletes
an interface or specifies an existing interface. By identifying
an interface, the mode changes to configure this interface in the
current context.
Privilege:
Security Administrator,
Administrator
Syntax
interface name [ broadcast | loopback | point-to-point | tunnel ]
no interface name
no
Indicates the interface
specified is to be removed.
name
Specifies the name
of the interface to configure. If name does
not refer to an existing interface, the new interface is created
if resources allow. name is
an alphanumeric string of 1 through 79 characters.
broadcast
Creates an Ethernet
broadcast (IP) interface and enters the Ethernet Configuration Mode. Default:
Enabled
IMPORTANT:
Refer to the Ethernet Interface Configuration
Mode Command chapter for more information.
loopback
Creates an internal
IP address that is always UP, is not bound to any physical card/port,
and can be reached by any interface configured in the current context.
As a loopback interface uses all available physical ports, this
type of interface is particularly useful for load-balancing. The interface
must be configured for loopback when configuring Interchassis Session
Recovery (ICSR). A total of 256 loopback interfaces can be configured.
Default: Disabled
This loopback option
is not used to set up a diagnostic test port, so it should not be
confused with the loopback option used in the various card/port
configuration modes.
IMPORTANT:
Refer to the Loopback Interface Configuration
Mode Command chapter for more information.
point-to-point
Creates a permanent
virtual connection (PVC) in the current context and enters the PVC Configuration
Mode. Currently, this type of interface is only used with an optical
(ATM) line card.
IMPORTANT:
Refer to the PVC Interface Configuration
Mode Command chapter for more information.
tunnel
Creates a tunnel interface
to support the various tunnel interfaces. Currently only IPv6-over-IPv4
and GRE tunnel interfaces are supported.
IMPORTANT:
Refer to the Tunnel Interface Configuration
Mode Commands chapter for more information.
Usage:
Use this command to
enter or create the interface configuration mode for an existing interface
or for a newly defined interface. This command is also used to remove
an existing interface when it is no longer needed.
IMPORTANT:
If no keyword is specified,
broadcast is assumed and the interface is Ethernet by default.
For IPv6-over-IPv4
or GRE tunneling, you need to specify the interface type as tunnel.
Example:
The following command
enters the Ethernet Interface Configuration Mode, creating the interface
sampleInterface
if necessary:
interface sampleInterface
The following command
removes
sampleInterface as
a defined interface:
no interface sampleInterface
The following command
enters the Tunnel Interface Configuration Mode creating the interface GRE_tunnel1,
if necessary:
interface GRE_tunnel1 tunnel
ip access-group
Configures an access
group with an Access Control List (ACL) for IP traffic for the current
context. The Context-level ACL is applied only to outgoing packets.
Privilege:
Security Administrator,
Administrator
Syntax
ip access-group name [ in | out ] [ priority_value ]
no ip access-group name [ in | out ]
no
Indicates the specified
ACL rule is to be removed from the group.
name
Specifies the ACL rule
to be added/removed from the group.
In Release 8.1 and
later, name is
an alphanumeric string of 1 through 47 characters.
In Release 8.0, name is an
alphanumeric string of 1 through 79 characters.
IMPORTANT:
Up to eight ACLs can
be applied to a group provided that the number of rules configured within
the ACL(s) does not exceed the 256-rule limit for the context.
in | out
The in and out keywords
are deprecated and are only present for backward compatibility.
Context-level ACLs are applied only to outgoing packets.
priority_value
Specifies the priority
of the access group. 0 is the highest priority. If priority_value is
not specified, the priority is set to 0. priority_value must
be an integer from 0 through 4294967295. Default: 0
If access groups in
the list have the same priority, the last one entered is used first.
Usage:
Use this command to
add IP access lists (refer to the ip access-list command)
configured within the same context to an ACL group.
Refer to the Access Control Lists appendix
of the System Administration Guide for
more information on ACLs.
Example:
The following command
adds
sampleGroup to
the context-level ACL with a priority of
0:
ip access-group sampleGroup 0
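The following Python script, an added example rather than code from the reference, orders applied ACLs the way this section describes (lowest priority value first, and among equal priorities the last one entered first) and checks the eight-ACL and 256-rule limits; the sample configuration and rule counts are constructed.

```python
import re

# Limits taken from the ip access-group description above.
MAX_ACLS_PER_GROUP = 8
MAX_RULES_PER_CONTEXT = 256
MAX_PRIORITY = 4294967295

# ip access-group name [ in | out ] [ priority_value ]
_LINE = re.compile(r"^ip access-group (\S+)(?: (in|out))?(?: (\d+))?$")


def parse_access_groups(config_text):
    """Collect 'ip access-group' lines in the order they were entered.
    Returns dicts {name, priority, direction}; priority defaults to 0."""
    groups = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("ip access-group "):
            continue
        match = _LINE.match(line)
        if not match:
            raise ValueError(f"malformed line: {line}")
        name, direction, prio = match.groups()
        prio = int(prio) if prio is not None else 0
        if prio > MAX_PRIORITY:
            raise ValueError(f"{name}: priority {prio} exceeds {MAX_PRIORITY}")
        groups.append({"name": name, "priority": prio, "direction": direction})
    return groups


def evaluation_order(groups):
    """ACL names in the order the context applies them to outgoing packets:
    lowest priority value first; among equal priorities, last entered first."""
    ranked = sorted(enumerate(groups), key=lambda e: (e[1]["priority"], -e[0]))
    return [g["name"] for _, g in ranked]


def check_limits(groups, rules_per_acl):
    """rules_per_acl maps ACL name -> rule count. Returns limit violations
    and deprecation findings as strings (an empty list means clean)."""
    problems = []
    if len(groups) > MAX_ACLS_PER_GROUP:
        problems.append(f"{len(groups)} ACLs applied; maximum is {MAX_ACLS_PER_GROUP}")
    total = sum(rules_per_acl.get(g["name"], 0) for g in groups)
    if total > MAX_RULES_PER_CONTEXT:
        problems.append(f"{total} rules across applied ACLs; context limit is {MAX_RULES_PER_CONTEXT}")
    for g in groups:
        if g["direction"]:
            problems.append(f"{g['name']}: '{g['direction']}' is deprecated; "
                            "context-level ACLs apply to outgoing packets only")
    return problems


# Constructed sample context configuration (not from a real system).
SAMPLE_CONFIG = """\
ip access-group allowMgmt 10
ip access-group denyAll 10
ip access-group sampleGroup 0
ip access-group legacyRules out 5
"""
# Constructed rule counts for the ACLs named above.
SAMPLE_RULE_COUNTS = {"allowMgmt": 200, "denyAll": 40, "sampleGroup": 30, "legacyRules": 1}
```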
ip access-list
Enables creation, configuration
or deletion of an IP Access List in the current context.
Privilege:
Security Administrator,
Administrator
Syntax
ip access-list name
{ default | no } ip access-list name
default
Sets the context’s
default access control list to that specified by name.
no
Removes the specified
access list.
name
Specifies the access
list name.
In
Release 8.0, name is
an alphanumeric string of 1 through 79 characters.
In Release 8.1 and
later, name is
an alphanumeric string of 1 through 47 characters.
If the named access
list does not exist, it is created, and the CLI mode changes to
the ACL Configuration Mode, wherein the access list can be configured.
If the named access
list already exists, the CLI mode changes to the ACL Configuration Mode,
wherein the access list can be reconfigured.
Usage:
Executing this command
enters the ACL Configuration Mode in which rules and criteria are
defined for the ACL.
IMPORTANT:
A maximum of 64 rules
can be configured per ACL. The maximum number of ACLs that can be
configured per context is limited by the amount of available memory
in the VPN Manager software task; it is typically less than 200.
The no version of this
command deletes the ACL.
Refer to the Access Control Lists appendix
of the System Administration Guide for
more information on ACLs.
Example:
The following command
creates an access list named
sampleList,
and enters the ACL Configuration Mode:
ip access-list sampleList
ip arp
Configures the allocation
retention priority (ARP) options for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
ip arp ip_address mac_address [ vrf vrf_name ]
no ip arp ip_address mac_address
no
Removes the ARP configuration
data for the specified IP address from the configuration.
ip_address
Specifies the IP address
for which to configure the ARP options where ip_address is
an IP address expressed in IPv4 dotted-decimal notation.
mac_address
Specifies the media-specific
access control layer address for the IP address. mac_address must
be specified as a 6-byte hexadecimal number with each byte separated
by a colon, for example “AA:12:bb:34:f5:0E”.
vrf vrf_name
Associates a Virtual
Routing and Forwarding (VRF) context with this static ARP entry.
vrf_name is
the name of a preconfigured virtual routing and forwarding (VRF) context
configured in Context
Configuration Mode via the ip vrf command.
Usage:
Use this command to manage the mapping
between an IP address, which is a logical/virtual identifier, and the
lower-layer address used for address resolution in ICMP messages.
For tunnel-based interfaces,
network IP pools can have overlapping IP addresses across VRFs.
To manage this, a preconfigured VRF context must be associated
with the static ARP entry. By default, the ARP entry is added in the given
context. If a VRF name is specified, the ARP entry is added to
the VRF ARP table.
Example:
The following commands
set the IP and MAC address for the current context then remove it from
the configuration:
ip arp 10.2.3.4 F1:E2:D4:C5:B6:A7
no ip arp 10.2.3.4
The following commands
set the IP and MAC address for a VRF context vrf1 in the
configuration:
ip arp 10.2.3.4 F1:E2:D4:C5:B6:A7 vrf vrf1
ip as-path access-list
Defines Border Gateway
Protocol (BGP) Autonomous System (AS) Path access lists.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip as-path access-list list_name [ { deny | permit } reg_expr ]
no
Removes the specified
regular expression from the AS path access list.
list_name
Specifies the name
of an AS path list as an alphanumeric string of 1 through 79 characters.
{ deny | permit }
deny: Denies
access to AS paths that match the regular expression.
permit: Allows
access to AS paths that match the regular expression.
reg_expr
A regular expression
to define the AS paths to match. reg_expr is
an alphanumeric string of 1 through 254 characters.
IMPORTANT:
The ? (question mark)
character is not supported in regular expressions for this command.
Usage:
Use this command to
define AS path access lists for the BGP router in the current context. The
chassis supports a maximum of 64 access lists per context.
Example:
The following command
creates an AS access list named
ASlist1 and
permits access to AS paths:
ip as-path access-list ASlist1 permit
ip dns-proxy source-address
Enables the proxy DNS
functionality and identifies this context as the destination context
for all redirected DNS requests.
IMPORTANT:
This command must be
entered in the destination context for the subscriber. If there
are multiple destination contexts for different subscribers, the
command must be entered in each context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip dns-proxy source-address ip_address
no
Removes the address
in this context as a destination for redirected DNS packets.
ip_address
Specifies an interface
in this context used for redirected DNS packets. ip_address must
be entered using IPv4 dotted-decimal notation.
Usage:
Use this command to
identify the interface in this context where redirected DNS packets are
sent to the home DNS. The system uses this address as the source
address of the DNS packets when forwarding the intercepted DNS request
to the home DNS server. For a more detailed explanation of the proxy
DNS intercept feature, see the proxy-dns intercept-list command.
Example:
The following command
identifies an interface with an address of
10.23.255.255 in
a destination context where the system forwards all intercepted
DNS requests:
ip dns-proxy source-address 10.23.255.255
ip domain-lookup
Enables or disables
domain name lookup via domain name servers for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
ip domain-lookup
no ip domain-lookup
no
Disables domain name
lookup.
Usage:
Domain name lookup
is necessary if the subscribers configured for the context are to
be allowed to use logical host names for services that require
host name resolution via DNS.
Example:
ip domain-lookup
no ip domain-lookup
ip domain-name
Configures or removes
a logical domain name for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip domain-name name
no
Indicates the logical
domain name for the current context is to be removed.
name
Specifies the logical
domain name to use for domain name server address resolution. name is an
alphanumeric string of 1 through 1023 characters formatted to be
a valid IP domain name.
Usage:
Set a logical domain
name if the context is to be accessed by logical domain name in addition
to direct IP address.
Example:
ip domain-name sampleName.org
ip forward
Configures an IP forwarding
policy to forward outgoing pool packets whose flow lookup fails
to the default-gateway.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip forward outbound unused-pool-dest-address default-gateway
no
Disables forwarding
to the default gateway.
outbound unused-pool-dest-address
default-gateway
Enables forwarding
to the default gateway.
Usage:
Use this command to
set an IP forwarding policy that forwards outgoing pool packets whose
flow lookup fails to the default gateway. By default, the behavior
is to either send an ICMP Unreachable message or to discard the
packet depending on the configuration of the IP pool.
Pool packets coming
from the linecard or MIO card whose flow lookup fails are discarded or
ICMP unreachable is sent irrespective of whether this command is
configured or not.
Example:
To enable this functionality,
enter the following command:
ip forward outbound
unused-pool-dest-address default-gateway
To disable this functionality,
enter the following command:
no ip forward outbound
unused-pool-dest-address default-gateway
ip identification
packet-size-threshold
Configures the packet
size above which system will assign unique IP header identification.
Privilege:
Security Administrator,
Administrator
Syntax
ip identification packet-size-threshold size
default ip identification
packet-size-threshold
default
Restores default value
of 576 bytes to IP packet size for fragmentation threshold.
size
Specifies the size
of IP packet in bytes above which system will assign unique IP header identification
for system generated IP encapsulation headers (such as MIP data
tunnel). size is
an integer from 0 through 2000. Default: 576
Usage:
This configuration
is used to set the upper limit of the IP packet size. All packets
above that size limit will be considered “fragmentable”,
and an unique non-zero identifier will be assigned.
Example:
The following command
sets the threshold to 1023 bytes. For system-generated IP encapsulation
headers on packets larger than this, the system assigns a unique
IP header identification:
ip identification packet-size-threshold 1023
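The following worked example is added here; it is not part of the original reference and not Cisco code. It models the threshold rule in Python: an outer IPv4 header for a packet at or below the threshold gets Identification 0, a larger packet gets a unique non-zero ID, and each header is built with a valid checksum and parsed back. The 16-bit wrapping counter that skips 0, the use of protocol 4 (IP-in-IP) as the encapsulation, and setting DF on the packets the policy treats as unfragmentable are assumptions of the example, not statements from the page.

```python
import socket
import struct

DEFAULT_THRESHOLD = 576        # page default for ip identification packet-size-threshold
IPPROTO_IPIP = 4               # assumption: IP-in-IP outer header, as used by a MIP data tunnel


class IpIdAllocator:
    """Hands out the Identification field for system-generated outer IP headers.

    Packets whose total length is at or below the threshold are treated as not
    fragmentable and get ID 0; larger packets get a unique non-zero ID (the
    page's rule). Assumption (not on the page): IDs come from a single 16-bit
    counter that wraps around and skips 0, so "non-zero" still holds after a wrap.
    """

    def __init__(self, threshold=DEFAULT_THRESHOLD, start=1):
        if not 0 <= threshold <= 2000:
            raise ValueError("packet-size-threshold must be 0 through 2000")
        if not 1 <= start <= 0xFFFF:
            raise ValueError("start must be 1 through 65535")
        self.threshold = threshold
        self._next = start

    def next_id(self, total_length):
        if total_length <= self.threshold:
            return 0
        ident = self._next
        self._next = 1 if self._next == 0xFFFF else self._next + 1
        return ident


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_outer_header(src, dst, inner_len, allocator, ttl=64):
    """Build the 20-byte outer IPv4 header for an IP-in-IP tunnel packet."""
    total_length = 20 + inner_len
    ident = allocator.next_id(total_length)
    # Assumption: a packet the policy treats as unfragmentable also carries DF,
    # so no router downstream can fragment it while it carries the ambiguous ID 0.
    flags_frag = 0x4000 if ident == 0 else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, flags_frag,
                      ttl, IPPROTO_IPIP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_outer_header(hdr):
    """Decode the fields a receiver would check before reassembly or decapsulation."""
    (_ver_ihl, _tos, total_length, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {
        "total_length": total_length,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": ipv4_checksum(hdr[:20]) == 0,
    }


if __name__ == "__main__":
    alloc = IpIdAllocator(threshold=1023)
    for inner in (500, 1004, 1480):          # constructed inner-packet lengths
        hdr = build_outer_header("10.23.255.1", "192.0.2.10", inner, alloc)
        print(parse_outer_header(hdr))
```

A receiver that relies on the ID to reassemble fragments never sees two outstanding large packets sharing an ID from one counter cycle, while small packets stay at ID 0 and give away nothing about the sender's packet rate.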
ip igmp profile
Configures an Internet
Group Management Protocol (IGMP) profile and moves to the IGMP Profile
Configuration mode.
Product:
PDSN, GGSN, SDSN
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
igmp profile name
no
Removes the specified
IGMP profile.
name
Specifies the name
of an IGMP profile as an alphanumeric string of 1 through 63 characters. If
this is not the name of an existing profile, you are prompted to
create the new profile.
Usage:
Configure an existing
IGMP profile or create a new one. When this command is executed you
are moved to the IGMP Profile Configuration mode. For additional
information, refer to the IGMP
Profile Configuration Mode Commands chapter.
ip localhost
Configures or removes
the static local host logical name to IP address mapping for the
current context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
localhost name ip_address
no
Specifies that the
static mapping must be removed.
name
Specifies the logical
host name (DNS) for the local machine on which the current context resides. name is an
alphanumeric string of 1 through 1023 characters formatted to be
a valid IP host name.
ip_address
Specifies the IP address
for the static mapping. ip_address must
be expressed in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
Usage:
Avoid excessive DNS
lookups across the network by statically mapping a logical host name
to an IP address in the local host's context.
Example:
ip localhost localHostName 10.2.3.4
no ip localhost localHostName 10.2.3.4
ip name-servers
Modifies the list of
domain name servers the current context may use for logical host
name resolution.
Privilege:
Security Administrator,
Administrator
Syntax
ip name-servers ip_address secondary_ip_address
no ip name-servers ip_address
no
Indicates the name
server specified is to be removed from the list of name servers
for the current context.
ip_address
Specifies the IP address
of a domain name server using IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation.
secondary_ip_address
Specifies the IP address
of a secondary domain name server using either IPv4 dotted-decimal
or IPv6 colon-separated-hexadecimal notation.
Usage:
Manage the list of
name servers the current context may use in resolving logical host names.
The DNS can be specified
at the Context level in Context configuration as well as at the APN
level in APN Configuration Mode with dns and ipv6 dns commands,
or it can be received from AAA server.
When DNS is requested
in PCO configuration, the following preference will be followed for
DNS value:
- DNS values received
from the LNS have the first preference.
- DNS values received
from the RADIUS server have the second preference.
- DNS values locally
configured in the APN with the dns and ipv6 dns commands
have the third preference.
- DNS values configured
at the context level have the last preference.
IMPORTANT:
The same preference
order applies to the NBNS servers negotiated via IPCP with
the LNS.
ip pool
Enables creation, configuration
or deletion of IP address pools in the current context.
Privilege:
Security Administrator,
Administrator
Syntax
ip pool pool_name { ip_address
subnet_mask | ip_address_mask_combo | range start_ip_address
end_ip_address } [ address-hold-timer address_hold_timer ] [ advertise-if-used ] [ alert-threshold [ group-available | pool-free | pool-hold | pool-release | pool-used ] low_thresh [ clear high_thresh ] ] [ explicit-route-advertise ] [ group-name group_name ] [ include-nw-bcast ] [ napt-users-per-ip-address users_per_ip [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ max-chunks-per-user max_chunks_per_user [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ port-chunk-size port_chunk_size ] [ port-chunk-threshold port_chunk_threshold ] [ send-nat-binding-update ] + ] [ nat priority ] [ nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh] } + ] [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ send-nat-binding-update ] + ] [ nat-realm users-per-nat-ip-address users [ on-demand [ address-hold-timer address_hold_timer ] ] ] [ nexthop-forwarding-address ip_address [ overlap vlanid vlan_id ] [ respond-icmp-echo ip_address ] ] [ nw-reachability server server_name ] [ policy allow-static-allocation ] [ private priority ] [ public priority ] [ resource priority ] [ send-icmp-dest-unreachable ] [ srp-activate ] [ static ] [ suppress-switchover-arps ] [ tag { none | pdif-setup-addr } ] [ unicast-gratuitous-arp-address ip_address ] [ vrf vrf_name { [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] } ] +
no ip pool pool_name [ address-hold-timer ] [ advertise-if-used ] [ alert-threshold [ [ group-available ] [ pool-free ] [ pool-hold ] [ pool-release ] [ pool-used ] + ] [ explicit-route-advertise ] [ group-name ] [ include-nw-bcast ] [ nexthop-forwarding-address [ respond-icmp-echo ] ] [ nw-reachability
server ] [ policy allow-static-allocation ] [ send-icmp-dest-unreachable ] [ srp-activate ] [ suppress-switchover-arps ] [ tag { none | pdif-setup-addr } ] [ unicast-gratuitous-arp-address ] + [ send-nat-binding-update ]
no
Removes the specified
IP address pool from the current context’s configuration,
or disables the specified option(s) for the specified IP pool.
no alert-threshold
This command without
any optional keywords disables all alert thresholds.
pool_name
Specifies the logical
name of the IP address pool. pool_name must
be an alphanumeric string of 1 through 31 characters.
IMPORTANT:
An error message displays
if the ip pool name and
the group name in
the configuration are the same. An error message displays if the ip pool name or group name are
already used in the context.
ip_address
Specifies the beginning
IP address of the IP address pool using IPv4 dotted-decimal.
subnet_mask
Specifies the subnet
mask that determines the number of IP addresses in the pool. subnet_mask must
be specified using IPv4 dotted-decimal notation.
1 bits in subnet_mask indicate
that the corresponding bit of every address in the pool must match
that bit of ip_address; ip_address must therefore be the network address,
with no host bits set under the 1 bits of the mask.
0 bits in subnet_mask indicate
that the corresponding bit is not constrained and can be either 0 or 1;
these bits enumerate the addresses in the pool.
For example, if the
IP address and mask are specified as 172.168.10.0 and 255.255.255.224, respectively,
the pool will contain IP addresses in the range 172.168.10.0 through 172.168.10.31 for
a total of 32 addresses.
ip_address_mask_combo
Specifies a combined
IP address subnet mask bits to indicate what IP addresses the route applies
to. ip_address_mask_combo must
be specified using CIDR notation where the IP address is specified
using IPv4 dotted-decimal notation and the mask bits are a numeric
value which is the number of bits in the subnet mask.
range start_ip_address end_ip_address
Specifies the IP addresses
for the IP pool as a range of addresses.
start_ip_address specifies
the beginning of the range of addresses for the IP pool.
end_ip_address specifies
the end of the range of addresses for the IP pool.
The IP address range
must be specified using IPv4 dotted-decimal notation.
For example, if start_ip_address is
specified as 172.168.10.0 and end_ip_address is specified
as 172.168.10.31 the
IP pool will contain addresses in the range 172.168.10.0 through 172.168.10.31 for
a total of 32 addresses.
private [ priority ]
Address pool may only
be used by mobile stations which have requested an IP address from a
specified pool. When private pools are part of an IP pool group,
they are used in a priority order according to the precedence setting. priority must
be an integer from 0 through 10 with 0 being the highest priority.
The default value is 0.
public [ priority ]
Address pool is used
in priority order for assigning IP addresses to mobile stations
which have not requested a specific address pool. priority must
be an integer from 0 through 10 with 0 being the highest priority.
The default value is 0.
static
Address pool is used
for statically assigned mobile stations. Statically assigned mobile stations
are those with a fixed IP address at all times.
tag { none | pdif-setup-addr }
Default: none
none: default
tag for all IP address pools
pdif-setup-addr:
pool with this tag should only be used for PDIF calls.
address-hold-timer seconds
When this is enabled,
and an active subscriber is disconnected, the IP address is held
or considered still in use, and is not returned to the free state
until the address-hold-timer expires. This enables subscribers who
reconnect within the length of time specified (in seconds) to obtain the
same IP address from the IP pool.
seconds is
the time in seconds and must be an integer from 0 through 31556926.
alert-threshold { group-available | pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ]
Default: All thresholds
are disabled.
Configures IP address
pool-level utilization thresholds. These thresholds take precedence over
context-level IP pool thresholds.
group-available:
Set an alert based on the available percentage of IP addresses for
the entire IP pool group.
pool-free:
Set an alert based on the percentage of IP addresses that are unassigned
in this IP pool.
pool-hold:
Set an alert based on the percentage of IP addresses from this IP
pool that are on hold.
pool-release:
Set an alert based on the percentage of IP addresses from this IP
pool that are in the release state.
pool-used:
This command sets an alert based on the percentage of IP addresses
that have been assigned from this IP pool.
IMPORTANT:
Refer to the threshold
available-ip-pool-group and threshold monitoring commands
in this chapter for additional information on IP pool utilization
thresholding.
low_thresh:
The IP pool utilization percentage that must be met or exceeded
within the polling interval to generate an alert or alarm. It can
be configured as an integer between 0 and 100.
clear high_thresh:
The IP pool utilization percentage that maintains a previously generated
alarm condition. If the utilization percentage rises above the high
threshold within the polling interval, a clear alarm is generated.
It may be configured as an integer between 0 and 100.
IMPORTANT:
This value is ignored
for the Alert model. In addition, if this value is not configured
for the Alarm model, the system assumes it is identical to the low
threshold.
group-name group_name
Assigns one or more
preconfigured IP pools to the IP pool group. group_name is
case sensitive and must be an alphanumeric string of 1 through 31
characters. One or more IP pool groups are assigned to a context,
and each IP pool group consists of one or more IP pools.
IP pool group name
is used in place of an IP pool name. When specifying a desired pool group
in a configuration the IP pool with the highest precedence is used
first. When that IP pool’s addresses are exhausted the
pool with the next highest precedence is used.
include-nw-bcast
Includes the network
and broadcast addresses as part of the pool.
To remove the include-nw-bcast option
from an IP pool, use the no ip pool pool_name include-nw-bcast command.
napt-users-per-ip-address users_per_ip [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ max-chunks-per-user max_chunks_per_user [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ port-chunk-size port_chunk_size ] [ port-chunk-threshold port_chunk_threshold ] [ send-nat-binding-update ] +
IMPORTANT:
In UMTS deployments
this keyword is available in 9.0 and later releases. In CDMA deployments
this keyword is available in 8.3 and later releases.
IMPORTANT:
In UMTS deployments,
on upgrading from Release 8.1 to Release 9.0, and in CDMA deployments,
on upgrading from Release 8.1 to 8.3, all NAT realms configured
in Release 8.1 using the nat-realm keyword
must be reconfigured using either the nat-one-to-one (for
one-to-one NAT realms) or the napt-users-per-ip-address (for
many-to-one NAT realms) keywords.
Configures many-to-one
NAT realms.
- users_per_ip:
Specifies how many users can share a single NAT IP address as an
integer from 2 through 2016.
- alert-threshold:
Specifies the alert threshold for the pool:
IMPORTANT:
Thresholds configured
using the alert-threshold keyword are
specific to the pool that they are configured in. Thresholds configured
using the threshold
ip-pool-* commands in the Context Configuration
Mode apply to all IP pools in that context, and override the threshold
configurations set within individual pools.
- pool-free:
Percentage free alert threshold for this pool
- pool-hold:
Percentage hold alert threshold for this pool
- pool-release:
Percentage released alert threshold for this pool
- pool-used:
Percentage used alert threshold for this pool
- low_thresh:
The IP pool utilization percentage that must be met or exceeded
within the polling interval to generate an alert or alarm. low_thresh must
be an integer from 0 through 100.
- clear high_thresh:
The IP pool utilization percentage that maintains a previously generated
alarm condition. If the utilization percentage rises above the high
threshold within the polling interval, a clear alarm is generated. high_thresh must
be an integer from 0 through 100.
IMPORTANT:
The high_thresh value
is ignored for the Alert model. In addition, if this value is not
configured for the Alarm model, the system assumes it is identical
to the low threshold.
- max-chunks-per-user max_chunks_per_user:
Specifies the maximum number of port chunks to be allocated per
subscriber in the many-to-one NAT pool. max_chunks_per_user must
be an integer from 1 through 2016. Default: 1
- nat-binding-timer nat_binding_timer:
Specifies the NAT Binding Timer for the NAT pool. nat_binding_timer must
be an integer from 0 through 31556926. If set to 0, the timer is disabled.
Default: 0
- nexthop-forwarding-address ip_address:
Specifies the nexthop forwarding address for this pool. ip_address must
be an IPv4 or IPv6 address. If configured for a NAT pool, packets
that are NATed using that NAT pool are routed to the configured
nexthop address.
IMPORTANT:
The nexthop-forwarding-address support
for NAT IP pools is functional only in later releases of Release
9.0 and in 10.0 and later releases.
- on-demand:
Specifies allocating IP when matching data traffic begins.
- port-chunk-size size: Specifies
NAT port chunk size (number of NAT ports per chunk) for many-to-one
NAT pool. size must
be an integer from 32 through 32256.
IMPORTANT:
The port-chunk-size configuration
is only available for many-to-one NAT pools.
- port-chunk-threshold chunk_threshold:
Specifies NAT port chunk threshold in percentage of number of chunks
for many-to-one NAT pool. chunk_threshold must
be an integer from 1 through 100. Default: 100%
IMPORTANT:
The port-chunk-threshold configuration
is only available for many-to-one NAT pools.
- send-nat-binding-update:
Specifies sending NAT binding updates to AAA for this realm. Default:
Disabled
IMPORTANT:
send-nat-binding-update is
not supported for many-to-one realms.
The following IP pool
configuration keywords can also be used in the many-to-one NAT pool
configuration:
- group-name group_name:
Specifies the pool group name. The grouping makes it possible to bind discontiguous
IP address blocks in individual NAT IP pools to a single pool group. This keyword is available
for NAT pool configuration only in Release 10.0 and later. NAT pool and NAT pool
group names must be unique. group_name is
an alphanumeric string of 1 through 31 characters that is case sensitive.
- srp-activate:
Activates the IP pool for Interchassis Session Recovery (ICSR).
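The following Python example is added here and is not from the original reference or from Cisco. It works through the port-chunk arithmetic behind the napt-users-per-ip-address, port-chunk-size, max-chunks-per-user and port-chunk-threshold limits above, and checks a proposed many-to-one pool against them together with the minimum-public-address rule given in this command's Usage section (one address per Session Manager, 84 on the ASR 5000). The NAT port range of 1024 through 65535 (64512 ports per public address) and the rule that every subscriber holds at least one chunk are assumptions of the example; the page's limits are consistent with them (2016 users x 32 ports = 64512 = 2 users x 32256 ports), but the page does not state them.

```python
import math

# Assumption (not stated on the page): NAT draws from ports 1024 through 65535,
# i.e. 64512 ports per public IP. The page's limits line up with this figure:
# 2016 users x 32-port chunks = 64512 and 2 users x 32256-port chunks = 64512.
NAT_PORT_FIRST, NAT_PORT_LAST = 1024, 65535
NAT_PORTS_PER_IP = NAT_PORT_LAST - NAT_PORT_FIRST + 1


def chunks_per_ip(port_chunk_size):
    """Whole port chunks that one public NAT IP can provide at this chunk size."""
    if not 32 <= port_chunk_size <= 32256:
        raise ValueError("port-chunk-size must be 32 through 32256")
    return NAT_PORTS_PER_IP // port_chunk_size


def chunk_port_range(port_chunk_size, chunk_index):
    """Inclusive (first, last) port of the chunk_index-th chunk on one NAT IP."""
    if not 0 <= chunk_index < chunks_per_ip(port_chunk_size):
        raise ValueError("chunk_index lies outside this IP's chunk space")
    first = NAT_PORT_FIRST + chunk_index * port_chunk_size
    return first, first + port_chunk_size - 1


def plan_napt_pool(users_per_ip, port_chunk_size, max_chunks_per_user=1,
                   port_chunk_threshold=100, public_ips=84, sessmgrs=84):
    """Validate a many-to-one NAT pool against the page's limits and report
    what the configuration guarantees.

    Assumption: every subscriber bound to a NAT IP holds at least one chunk, so
    users_per_ip chunks are reserved up front and the remainder is a shared spare
    that max-chunks-per-user lets busy subscribers draw from.
    """
    if not 2 <= users_per_ip <= 2016:
        raise ValueError("napt-users-per-ip-address must be 2 through 2016")
    if not 1 <= max_chunks_per_user <= 2016:
        raise ValueError("max-chunks-per-user must be 1 through 2016")
    if not 1 <= port_chunk_threshold <= 100:
        raise ValueError("port-chunk-threshold must be 1 through 100")
    chunks = chunks_per_ip(port_chunk_size)
    if users_per_ip > chunks:
        raise ValueError(f"{users_per_ip} users need {users_per_ip} chunks but "
                         f"{port_chunk_size}-port chunks give only {chunks} per IP")
    if public_ips < sessmgrs:
        raise ValueError(f"NAT pool needs at least {sessmgrs} public IPs (one per SessMgr)")
    return {
        "chunks_per_ip": chunks,
        "reserved_chunks": users_per_ip,                  # one guaranteed chunk per user
        "spare_chunks": chunks - users_per_ip,            # pool shared by max-chunks-per-user
        "max_ports_per_user": port_chunk_size * max_chunks_per_user,
        "alert_at_chunks": math.ceil(chunks * port_chunk_threshold / 100),
        "subscriber_capacity": public_ips * users_per_ip,
    }


if __name__ == "__main__":
    # Constructed parameter sets: the page's extreme (2016 users, 32-port chunks)
    # and a looser one with a spare and a lower chunk alert threshold.
    for users, size, maxc, thresh in ((2016, 32, 1, 100), (1000, 64, 2, 80)):
        print(users, size, maxc, thresh,
              plan_napt_pool(users, size, maxc, thresh, public_ips=100))
    print("first chunk:", chunk_port_range(32, 0), "last chunk:", chunk_port_range(32, 2015))
```

Setting users_per_ip to the ceiling for a chunk size leaves no spare, so max-chunks-per-user above 1 can never be honoured; leaving headroom is what makes the port-chunk-threshold alert meaningful before subscribers start failing to open new flows.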
nat priority
Designates the IP address
pool as a Network Address Translation (NAT) address pool.
priority specifies
the priority of the NAT pool as an integer from 0 through 10, with
0 being the highest priority. If priority is not specified, it is
set to 0 (the default).
IMPORTANT:
This functionality
is currently supported for use with systems configured as an A-BG
or P-CSCF.
nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ send-nat-binding-update ] +
IMPORTANT:
In UMTS deployments
this keyword is available in Release 9.0 and later releases. In
CDMA deployments this keyword is available in Release 8.3 and later
releases.
IMPORTANT:
In UMTS deployments,
on upgrading from Release 8.1 to Release 9.0, and in CDMA deployments,
on upgrading from Release 8.1 to Release 8.3, all NAT realms configured
in Release 8.1 using the nat-realm keyword
must be reconfigured using either the nat-one-to-one (for
one-to-one NAT realms) or the napt-users-per-ip-address (for
many-to-one NAT realms) keywords.
Configures one-to-one
NAT realm.
- alert-threshold:
Specifies alert threshold for this pool:
IMPORTANT:
Thresholds configured
using the alert-threshold keyword are
specific to the pool in which they are configured. Thresholds configured
using the threshold
ip-pool-* commands in the Context Configuration
Mode apply to all IP pools in the context, and override the threshold
configurations set within individual pools.
- pool-free:
Percentage free alert threshold for this pool
- pool-hold:
Percentage hold alert threshold for this pool
- pool-release:
Percentage released alert threshold for this pool
- pool-used:
Percentage used alert threshold for this pool
- low_thresh:
The IP pool utilization percentage that must be met or exceeded
within the polling interval to generate an alert or alarm. low_thresh must
be an integer from 0 through 100.
- clear high_thresh:
The IP pool utilization percentage that maintains a previously generated
alarm condition. If the utilization percentage rises above the high
threshold within the polling interval, a clear alarm is generated. high_thresh must
be an integer from 0 through 100.
IMPORTANT:
The high_thresh value
is ignored for the Alert model. In addition, if this value is not
configured for the Alarm model, the system assumes it is identical
to the low threshold.
- nat-binding-timer nat_binding_timer:
Specifies the NAT Binding Timer for the NAT pool. nat_binding_timer must
be an integer from 0 through 31556926. If set to 0, the timer is disabled.
IMPORTANT:
For many-to-one NAT
pools, the default NAT Binding Timer value is 60 seconds. For one-to-one
NAT pools, it is 0. By default, the feature is disabled—the
IP addresses/ port-chunks once allocated will never be
freed.
- nexthop-forwarding-address ip_address:
Specifies the nexthop forwarding address for this pool. ip_address must
be an IPv4 or IPv6 address. If configured for a NAT pool, packets
that are NATed using that NAT pool are routed to the configured
nexthop address.
IMPORTANT:
The nexthop-forwarding-address support
for NAT IP pools is functional only in later releases of Release
9.0 and in Release 10.0 and later releases.
- on-demand:
Specifies allocating IP address when matching data traffic begins.
- send-nat-binding-update:
Specifies sending NAT binding updates to AAA for this realm. Default:
Disabled
IMPORTANT:
send-nat-binding-update is
not supported for many-to-one realms.
The following IP pool
configuration keywords can also be used in the one-to-one NAT pool configurations:
- address-hold-timer address_hold_timer
- group-name group_name: Specifies
the pool group name. The grouping makes it possible to bind discontiguous
IP address blocks in individual NAT IP pools to a single pool group.
NAT pool and NAT pool group names must be unique. group_name is
an alphanumeric string of 1 through 31 characters that is case sensitive. This keyword is available
for NAT pool configuration only in StarOS 10.0 and later releases.
- srp-activate:
Activates the IP pool for Interchassis Session Recovery (ICSR).
nat-realm users-per-nat-ip-address users [ on-demand [ address-hold-timer address_hold_timer ] ]
IMPORTANT:
The nat-realm keyword
is only available in Release 8.1.
IMPORTANT:
In Release 8.1, the
NAT On-demand feature is not supported.
IMPORTANT:
This functionality
is currently supported for use with systems configured as an A-BG
or P-CSCF.
Designates the IP address
pool as a Network Address Translation (NAT) realm pool.
users-per-nat-ip-address users: Specifies
the number of users sharing a single NAT IP address as an integer
from 1 through 5000.
on-demand:
Specifies to allocate IP when matching data traffic begins.
address-hold-timer address_hold_timer:
Specifies the address hold timer (in seconds) for this pool as an
integer from 0 through 31556926. If set to 0, the address hold timer
is disabled.
nexthop-forwarding-address ip_address
A subscriber that is
assigned an IP address from this pool is forwarded to the next hop gateway
with the specified IP address.
overlap vlanid vlan_id
When a nexthop forwarding
address is configured, this keyword can be configured to enable over-lapping
IP address pool support and associates the pool with the specified
virtual LAN (VLAN). vlan_id is
the identification number of a VLAN assigned to a physical port
and can be configured to any integer from 1 through 4095.
For more information
on configuring VLANs, refer to the System Administration Guide.
IMPORTANT:
This functionality
is currently supported for use with systems configured as an HA,
or as a PDSN for Simple IP, or as a GGSN. This keyword can only
be issued for pools of type private or static and must be associated
with a different nexthop forwarding address and VLAN. A maximum
of 256 over-lapping pools can be configured per context and a maximum
of 256 over-lapping pools can be configured per HA or simple IP
PDSN. For GGSNs, the total number of pools is limited by the number
of VLANs defined but the maximum number per context is 256. Additional
network considerations and configuration outside of the system may
be required.
nw-reachability server server_name
Binds the name of a
configured network reachability server to the IP pool and enables network
reachability detection for the IP pool. This takes precedence over
any network reachability server settings in a subscriber configuration.
server_name:
Specifies the name of a network reachable server that has been defined
in the current context, expressed as an alphanumeric string of 1
through 16 characters.
IMPORTANT:
Also see the following
commands for more information: Refer to the policy nw-reachability-fail command
in the HA Configuration Mode to configure the action that should
be taken when network reachability fails. Refer to the nw-reachability
server command in this chapter to configure network reachability servers.
Refer to the nw-reachability-server command
in the Subscriber Configuration Mode to bind a network reachability
server to a specific subscriber.
respond-icmp-echo ip_address
Pings the first IP
address from overlapping IP address pools.
IMPORTANT:
In order for this functionality
to work, all of the pools should contain an initial IP address that
can be pinged.
resource
Specifies this IP pool
as a resource pool. The IP addresses in resource pools may have
IP addresses that also exist in other resource pools. IP addresses
from a resource pool should not be used for IP connectivity within
the system where the pool is defined. These IP addresses should be
allocated for sessions which are L3 tunneled through the system
(IP-in-IP or GRE). It is possible for resource pools in the same
context to have overlapping addresses when the terminating network
elements for the L3 tunnels are in different VPNs. Default: Disabled
Also refer to the Subscriber Configuration
Mode Commands chapter for a description of the l3-to-l2-tunnel
address-policy command.
send-icmp-dest-unreachable
When enabled, this
generates an ICMP destination unreachable PDU when the system receives
a PDU destined for an unused address within the pool. Default: Disabled
explicit-route-advertise
When enabled, the output
of show ip pool
verbose includes the total number of explicit host routes.
Default: Enabled
srp-activate
Activates the IP pool
for Interchassis Session Recovery (ICSR).
suppress-switchover-arps
Suppresses the corresponding
gratuitous ARP generation when a line card or MIO card switchover
occurs. Default: Disabled
unicast-gratuitous-arp-address ip_address
Perform a unicast gratuitous
ARP to the specified IP address rather than broadcast gratuitous ARP
when gratuitous ARP generation is required. Default: Perform broadcast
gratuitous ARP.
vrf vrf_name [ mpls-label { input in_label_value | output out_label_value1 [ out_label_value2 ] } ]
Associates a preconfigured
Virtual Routing and Forwarding (VRF) context instance with this
IP pool and configures the other MPLS label parameters like values
of In and Out labels.
IMPORTANT:
This command must
be used with next-hop parameters.
vrf_name is
name of a preconfigured virtual routing and forwarding (VRF) context
configured in Context Configuration Mode through
ip vrf command.
- in_label_value is
the MPLS label that identifies the inbound traffic destined for
this pool.
- The out_label_value1 and out_label_value2 identify
the MPLS labels to be added to the outgoing packets sent for subscriber
from this pool. Where out_label_value1 is
the inner output label and out_label_value2 is
the outer output label.
MPLS label values must
be integers from 16 through 1048575.
By default, the pools
configured are bound to the default VRF unless specified with a
VRF name.
IMPORTANT:
You cannot have overlapping
pool addresses using the same VRF. Also you cannot have two pools
using different VRFs but the same in-label irrespective of whether
the pools are overlapping or not. The pool must be private or static
pool in-order to be associated with a certain VRF. If the VRF with
such a name is not configured, then the pool configuration would
return an error prompting to add the VRF before configuring a pool.
policy allow-static-allocation
Configures static address
allocation policy for dynamic IP pool. This keyword enables a dynamic
IP pool to accept a static address for allocation.
IMPORTANT:
In static allocation
scenario, the pool group name is returned by AAA in the attribute SN1-IP-Pool-Name,
and the IP address to use will be returned in the Framed-IP-Address attribute.
+
Indicates that more
than one of the previous keywords can be entered within a single command.
Usage:
Define one or more
pools of IP addresses for the context to use in assigning IPs to
mobile stations. This command is also useful in resizing existing
IP pools to expand or contract the number of addresses allocated.
If you resize an IP pool, the change is effective immediately.
When using the
ip pool command
to resize an IP pool, the type must be specified since by default
the command assumes the type as public. In other words, the CLI
syntax to resize an IP pool is the same syntax used to create the
pool. See examples below.
ip pool pool1 100.1.1.0/24 static
The syntax to resize
that pool would be:
ip pool pool1 100.1.1.0/25 static
A pool which is deleted
will be marked as such. No new IP addresses will be assigned from
a deleted pool. Once all assigned IP addresses from a deleted pool
have been released, the pool, and all associated resources, are
freed.
IMPORTANT:
If an IP address pool
is matched to a ISAKMP crypto map and is resized, removed, or added, the
corresponding security association must be cleared in order for
the change to take effect. Refer to the clear crypto command
in the Exec mode for information on clearing security associations.
Over-lapping IP Pools:
The system supports the configuration of over-lapping IP address
pools within a particular context. Over-lapping pools are configured
using either the resource or overlap keywords.
The resource keyword
allows over-lapping addresses tunneled to different VPN end points.
The overlap keyword
allows over-lapping addresses each associated with a specific virtual
LAN (VLAN) configured for an egress port. It uses the VLAN ID and
the nexthop address to determine how to forward subscriber traffic
with addresses from the pool thus resolving any conflicts with overlapping
addresses.
Note that if an overlapping
IP pool is bound to an IPSec tunnel (refer to the match ip pool command
in the Crypto Group Configuration
Mode chapter), that tunnel carries the traffic and the
nexthop configuration is ignored. The IPSec tunnel therefore takes precedence
over the nexthop configuration, so an overlapping IP pool can be
configured with a placeholder VLAN ID and nexthop and still be bound
to an IPSec tunnel for successful operation.
The overlap keyword,
which associates each set of over-lapping addresses with a specific VLAN,
can only be issued for pools of type private or static, and each such
pool must be associated with a different nexthop forwarding address and VLAN.
A maximum of 128 over-lapping pools can be configured per context
and a maximum of 256 over-lapping pools can be configured per system.
IMPORTANT:
Overlapping IP address
functionality is currently supported for use with systems configured as
an HA for Mobile IP, as a PDSN for Simple IP, or as a GGSN.
For deployments in which subscriber traffic is
tunneled from the FA to the HA using IP-in-IP, a separate HA service
must be configured for each over-lapping pool.
IP Pool Address Assignment
Method: IP addresses can be dynamically assigned from a single
pool or from a group of pools. The addresses are placed into a queue
in each pool. An address is assigned from the head of the queue
and, when released, returned to the end. This method is known as
least recently used (LRU).
When a group of pools
have the same priority, an algorithm is used to determine a probability
for each pool based on the number of available addresses, then a
pool is chosen based on the probability. This method, over time,
allocates addresses evenly from the group of pools.
IMPORTANT:
Note that setting different
priorities on each individual pool in a group can cause addresses in
some pools to be used more frequently.
IMPORTANT:
In NAT IP pool configurations,
the minimum number of public IP addresses that must be allocated
to each NAT pool must be greater than or equal to the number of
Session Managers (SessMgrs) available on the system.
On the ASR 5000, it
is >= 84 public IP addresses. This can be met by a range
of 84 host addresses from a single Class C. The remaining space
from the Class C can be used for other allocations.
Example:
The following commands define a private IP address pool, a public IP address pool, and a static address pool, respectively:
ip pool samplePool1 1.2.3.0 255.255.255.0 private
ip pool samplePool2 1.3.0.0 255.255.0.0 public
ip pool samplePool3 1.4.5.0 255.255.255.0 static
The following command defines a private IP pool specified with a range of IP addresses. The pool has 101 addresses.
ip pool samplePool4 range 10.5.5.0 10.5.5.100 private
The following command sets the address hold timer on the pool to 60 minutes (3600 seconds):
ip pool samplePool4 address-hold-timer 3600
The following command
removes the IP address pool from the configuration:
no ip pool samplePool1
The following command
creates a static IP pool:
ip pool pool1 100.1.1.0/24 static
The following command
resizes the static IP pool created in the previous example:
ip pool pool1 100.1.1.0/25 static
ip prefix-list
Creates an IP prefix
list for filtering routes.
Privilege:
Security Administrator,
Administrator
Syntax
ip prefix-list name list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
no ip prefix-list list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
no
Delete the specified
prefix-list entry.
name list_name
Specifies a name for
the prefix list as an alphanumeric string of 1 through 79 characters.
seq seq_number
Assigns the specified
sequence number to the prefix list entry as an integer from 1 through 4294967295.
deny
Specifies prefixes
to deny.
permit
Specifies prefixes
to permit.
network_address/net_mask [ ge ge_value ] [ le le_value ]
Specifies the prefix
to match.
network_address/net_mask:
the IP address and the length, in bits, of the network mask that
defines the prefix. The IP address and mask must be entered in IPv4
dotted-decimal notation. When neither ge (greater
than or equal to) nor le (less
than or equal to) is specified, an exact match is assumed.
ge ge_value:
Specifies the minimum prefix length to match as an integer from
0 through 32. If only the ge value is specified, the range is from
the ge value to 32. The ge value must be greater than net_mask and
less than the le value.
le le_value:
Specifies the maximum prefix length to match as an integer from
0 through 32. If only the le value is specified, the range is from
the net_mask to
the le value. The le value must be less than or equal to 32.
The following equation
describes the conditions that ge and le values must satisfy:
net_mask < ge_value < le_value <= 32
Usage:
Use this command to
filter routes by their IP prefix.
Example:
ip prefix-list name prelist10 seq 5 permit 192.168.100.0/8 ge 12 le 24
ip prefix-list sequence-number
Enables or disables
the inclusion of IP prefix list sequence numbers in the configuration
file. This option is enabled by default.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
prefix-list sequence-number
no
Disables the listing
of IP prefix list sequence numbers in the configuration file.
Usage:
Use this command to
enable and disable the inclusion of IP prefix list sequence numbers
in the configuration file.
Example:
To disable the inclusion
of IP prefix list sequence numbers in the configuration file, enter
the following command:
no ip prefix-list sequence-number
ip route
Adds or removes routing
information from the current context’s configuration.
Syntax
[ no ] ip route { ip_address | static bfd }
[ no ] ip route { ip_address/ip_mask | ip_address ip_mask } { gateway_ip_address | next-hop next_hop_ip_address | point-to-point | tunnel } egress_intrfc_name [ cost cost ] [ precedence precedence ] [ vrf vrf_name ] +
[ no ] ip route static bfd if-name gateway_ip_address
no
Indicates that the route specified by these options is to be removed from the configuration.
ip_address/ip_mask | ip_address
ip_mask
Specifies a destination
IP address or group of addresses that will use this route.
ip_address/ip_mask:
Specifies a combined IP address and subnet mask bit count to indicate the
IP addresses to which the route applies. ip_address must
be entered using IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation. ip_mask is
entered using CIDR notation; the mask bits are a numeric value which
is the number of bits in the subnet mask.
ip_address
ip_mask: Specifies an IP address and the networking
(subnet) mask pair which is used to identify the set of IP addresses
to which the route applies. ip_address must
be specified using the standard IPv4 dotted decimal notation. ip_mask must
be specified using the standard IPv4 dotted decimal notation as
network mask for subnets.
The mask as specified
by ip_mask or
resulting from ip_address/ip_mask is
used to determine the network for packet routing.
0’s in the
resulting mask indicate the corresponding bit in the IP address
is not significant in determining the network for packet routing.
1’s in the
resulting mask indicate the corresponding bit in the IP address
is significant in determining the network.
gateway_ip_address | next-hop next_hop_ip_address | point-to-point | tunnel
Specifies which device
or network to use when forwarding packets.
gateway_ip_address:
Specifies the IP address of the network gateway to which to forward
packets. The address must be entered in IPv4 dotted-decimal notation
(###.###.###.###).
next-hop next_hop_ip_address:
Specifies the next-hop IP address to which packets are to be forwarded.
The address must be entered in IPv4 dotted-decimal notation.
point-to-point:
Specifies that the egress port is an ATM point-to-point interface.
tunnel: Sets
the static route for this egress interface as tunnel type, such
as IPv6-over-IPv4
or GRE.
egress_intrfc_name
Specifies the name of
the egress (out-bound) interface name in the current context as
an alphanumeric string of 1 through 79 characters.
cost cost
Specifies the relative
cost of the route. cost must
be an integer from 0 through 255 where 255 is the most expensive.
Default: 0
precedence precedence
Specifies the selection
order precedence for this routing information. precedence must
be an integer from 1 through 254 where 1 is the highest precedence.
Default: 1
vrf vrf_name
Associates a Virtual
Routing and Forwarding (VRF) context with this static route configuration.
vrf_name is
the name of a preconfigured VRF context configured in Context Configuration
Mode via the ip
vrf command.
ip route static bfd if-name gateway_ip_address
Creates a static IP
route that will be associated with Bidirectional Forwarding Detection (BFD).
For additional information, see the BFD Configuration Mode
Commands chapter.
if-name:
Specifies the name of the interface to which the static BFD neighbor is bound as an alphanumeric string of 1 through 79 characters.
gateway_ip_address :
Specifies the gateway address of the BFD neighbor in IPv4 dotted-decimal
notation.
Usage:
Use this command to configure IP route parameters. The precedence and cost options tailor route selection such that routes of the same precedence are grouped together, and within a group the lowest cost is selected first. Routes are therefore selected first by lower precedence, and cost is used only when multiple routes are defined with the same precedence.
This command also configures
static IP routes when implementing Bidirectional Forwarding Detection
(BFD).
IMPORTANT:
A maximum of 1,200 static
routes may be configured per context.
Virtual Routing and
Forwarding (VRF) context can be associated with static IP route
for BGP/MPLS, GRE, or IPSec tunnel support.
Example:
The following command adds a route using the combined IP address and subnet mask form:
ip route 10.2.3.0/32 192.168.1.2 egressSample1 precedence 160
The following configures route options for a route specified using the distinct IP address and subnet mask form:
ip route 10.2.3.4 255.224.0.0 10.1.2.3 egressSample2 cost 43
The following deletes the two routes configured above:
no ip route 10.2.3.0/32 192.168.1.2 egressSample1 precedence 160
no ip route 10.2.3.4 255.224.0.0 10.1.2.3 egressSample2 cost 43
The following command adds a route using the combined IP address and subnet mask form and specifies the egress interface as tunnel type:
ip route 10.2.3.0/32 tunnel egressSample1 precedence 160 vrf vrf1
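The following is an added example, not code from the Cisco reference: it parses ip route commands in both destination forms shown above (converting a dotted ip_mask to a bit count) and selects a route by precedence, then cost. The longest-prefix step is standard routing behaviour assumed here; the reference describes only the precedence/cost ordering.

```python
import ipaddress


def mask_to_prefix_len(mask: str) -> int:
    """Convert a dotted-decimal ip_mask to a CIDR bit count. 1 bits are
    significant and 0 bits are not, as described above; a mask whose 1 bits
    are not contiguous from the left does not describe a network."""
    bits = int(ipaddress.IPv4Address(mask))
    length = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous network mask: {mask}")
    return length


def parse_ip_route(line: str) -> dict:
    """Parse one 'ip route ...' command (ip_address/ip_mask or ip_address ip_mask
    form) into a route dict. Option ranges are the documented ones; precedence
    defaults to 1 and cost to 0."""
    tokens = line.split()
    if tokens[:2] != ["ip", "route"]:
        raise ValueError("expected an 'ip route' command")
    i = 2
    if "/" in tokens[i]:                              # combined CIDR form
        dest = ipaddress.ip_network(tokens[i], strict=False)
        i += 1
    else:                                             # address + dotted mask form
        length = mask_to_prefix_len(tokens[i + 1])
        dest = ipaddress.ip_network(f"{tokens[i]}/{length}", strict=False)
        i += 2
    if tokens[i] == "next-hop":
        via = tokens[i + 1]
        i += 2
    else:                                             # gateway address, tunnel or point-to-point
        via = tokens[i]
        i += 1
    route = {"dest": dest, "via": via, "egress": tokens[i],
             "cost": 0, "precedence": 1, "vrf": None}
    i += 1
    while i < len(tokens):
        key, value = tokens[i], tokens[i + 1]
        if key == "cost":
            route["cost"] = int(value)
            if not 0 <= route["cost"] <= 255:
                raise ValueError("cost must be 0 through 255")
        elif key == "precedence":
            route["precedence"] = int(value)
            if not 1 <= route["precedence"] <= 254:
                raise ValueError("precedence must be 1 through 254")
        elif key == "vrf":
            route["vrf"] = value
        else:
            raise ValueError(f"unknown ip route option: {key}")
        i += 2
    return route


def select_route(routes, destination: str):
    """Choose the route for a destination address: the most specific matching
    prefix wins (assumed longest-match), and among routes of equal length the
    lowest precedence, then the lowest cost."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["dest"]]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r["dest"].prefixlen, r["precedence"], r["cost"]))
```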
ip routing maximum-paths
Enables Equal Cost Multiple
Path (ECMP) routing support and specifies the maximum number of
ECMP paths that can be submitted by a routing protocol in the current context.
Privilege:
Security Administrator,
Administrator
Syntax
ip routing maximum-paths [ max_num ]
[ default | no ] ip
routing maximum-paths
default
Resets the command to
its default setting of 4.
no
Disables ECMP for the
current context.
max_num
The maximum number of
ECMP paths that can be submitted by a routing protocol. max_num must
be an integer from 1 through 10. Default: 4
Usage:
Use this command to
enable ECMP for routing and set the maximum number of ECMP paths
that can be submitted by a routing protocol.
Example:
To enable ECMP and set
the maximum number of paths that may be submitted by a routing protocol
in the current context to
10, enter
the following command:
ip routing maximum-paths 10
To disable ECMP in the
current context, enter the following command:
no ip routing maximum-paths
ip routing overlap-pool
Configures the routing
behavior for overlap-pool addresses.
Privilege:
Security Administrator,
Administrator
Syntax
[ no | default ] ip
routing overlap-pool
default
Resets the command to
its default setting of disabled.
no
Disables the routing
behavior for overlap-pool addresses for the current context.
Usage:
Use this command configuration
to advertise overlap-pool addresses in dynamic routing protocols
when overlap pools are configured using vlan-ids. If the “ip
routing overlap-pool” is configured, then the overlap-addresses
are added as interface addresses and advertised.
ip vrf
Creates a Virtual Routing and Forwarding (VRF) context instance, assigns a VRF id, and configures the VRF parameters for BGP/MPLS VPN, GRE tunnel, and IPSec interface configuration.
Privilege:
Security Administrator,
Administrator
Syntax
ip vrf vrf_name
no ip vrf
no
Disables IP Virtual Routing
and Forwarding (VRF) parameters.
vrf_name
Specifies the name of
the virtual routing and forwarding interface as an alphanumeric
string of 1 through 79 characters.
Usage:
Use this command to create a VRF context and assign a VRF id for BGP/MPLS VPN, IPSec, or GRE tunnel configuration in this context instance. This command is used when the system works as a BGP router with MPLS VPN and binds an MPLS VPN to the system, or to facilitate GRE or IPSec tunnelling. The addresses assigned to this interface are visible in the VRF routing table.
This command switches
the command mode to IP VRF Context Configuration Mode and changes
the CLI prompt to:
[context_name>]host_name(config-context-vrf)#
If required, this command creates an IP VRF Context Configuration Mode instance.
While using this command, the user must take note of the following:
- A VRF context instance must be created and configured before referring to, associating, or binding it with any command or mode.
- If the interface binding to a VRF context instance is changed, or any IP address assigned to the interface is deleted, a warning will be displayed.
- All interfaces bound to a VRF context instance will be deleted when that VRF is removed/deleted.
- An interface can be bound to only one VRF context instance.
- A maximum of 100 VRF context instances can be configured on a system.
Refer to the IP VRF Context Configuration
Mode Commands chapter for parameter configuration.
Example:
The following command
configures the virtual routing and forwarding context instance
vrf1 in a context:
ip vrf vrf1
ipms
Enables/disables/manages
an intelligent packet monitoring system (IPMS) client service and
enters the IPMS Client Configuration Mode within the current context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ipms [ -noconfirm ]
no
Deletes a previously
configured IPMS client service.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
DANGER:
If this keyword option is used with the no ipms command, the IPMS client service will be deleted along with all active/inactive IPMS sessions without any warning or confirmation prompt.
Usage:
Use this command to enable/disable/manage the IPMS client service within a context and configure certain functionality. This command enables and allows the configuration of the service that lets the system function as an IPMS-enabled Access Gateway in a network. This command is also used to remove a previously configured IPMS client service.
A maximum of 1 IPMS client
can be configured per system.
IMPORTANT:
The IPMS is a license
enabled external application support. Refer to the IPMS Installation and
Administration Guide for more information on this product.
Refer to the IPMS Installation and
Administration Guide and IPMS Configuration
Mode chapter of this reference for additional information.
Example:
The following command
creates an IPMS client service name within the context:
ipms
ipsec replay
Configures IKEv2 IPSec-specific anti-replay.
Privilege:
Security Administrator,
Administrator
Usage:
Use this command to configure IKEv2 IPSec-specific anti-replay.
Example:
The following command
sets the window size to 256:
ipsec replay window-size 256
ipsec transform-set
Creates a new or specifies
an existing IPSec transform set and enters the IPSec Transform Set
Configuration Mode for the current context.
Privilege:
Security Administrator,
Administrator
no
Removes an existing
transform set from the system.
transform-set name
Specifies the name of
a new or existing transform set as an alphanumeric string of 1 through 127
characters.
Usage:
Use this command to configure IKEv2 IPsec child security association transform set parameters. Up to four transform-sets can be created.
Entering this command
results in the following prompt:
[context_name]hostname(cfg-ctx-ipsec-tran-set)#
This command applies to IKEv2. See the crypto ipsec transform-set command for IPSec transform-set configuration for IKEv1.
Example:
The following command
configures an IPSec transform set called
ipsec12 and
enters the IPSec Transform Set Configuration Mode:
ipsec transform-set ipsec12
ipsg-service
This command allows you
to create/modify/delete an IP Services Gateway (IPSG)
service in the current context.
Privilege:
Security Administrator,
Administrator
Syntax
ipsg-service ipsg_service_name [ mode { radius-server | radius-snoop } ] [ -noconfirm ]
no ipsg-service ipsg_service_name [ mode { radius-server | radius-snoop } ]
no
If previously configured,
deletes the specified IPSG service.
ipsg_service_name
Specifies the name of
the IPSG service.
ipsg_service_name must
be an alphanumeric string of 1 through 63 characters.
mode { radius-server | radius-snoop }
Configures the IPSG
to perform as either a RADIUS server or as a device to extract user information
from RADIUS accounting request messages (snoop). If the optional
keyword mode is
not entered, the system defaults to radius-server.
- radius-server:
Creates the named IPSG RADIUS Server service in the current context
and/or enters the IPSG RADIUS Server Configuration Mode.
- radius-snoop:
Creates the named IPSG RADIUS Snoop service in the current context
and/or enters the IPSG RADIUS Snoop Configuration Mode.
-noconfirm
Specifies to execute
the command without additional prompt or confirmation.
Usage:
Use this command to
create/configure/delete an IPSG service.
A maximum of one IPSG
service can be configured per context.
IPSG service commands
are defined in the IPSG
RADIUS Snoop Configuration Mode Commands chapter and the IPSG RADIUS Server Configuration
Mode Commands chapters.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
A large number of services
greatly increases the complexity of system management and may impact
overall system performance (i.e., resulting from system handoffs).
Do not configure a large number of services unless your application
requires it. Contact your Cisco account representative for more information.
IMPORTANT:
IP Services Gateway
functionality is a license-controlled feature. A valid feature license must
be installed prior to configuring an IPSG service. Contact your
Cisco account representative for more information.
On entering the command
with the radius-server mode
or without any mode, the CLI prompt changes to:
[context_name]hostname(config-ipsg-service-radius-server)#
On entering the command
with the radius-snoop mode, the
CLI prompt changes to:
[context_name]hostname(config-ipsg-service-radius-snoop)#
For more information
about the IP Services Gateway, refer to the IP Services Gateway Administration
Guide.
Example:
The following command
configures an IPSG RADIUS Snoop service named
ipsg1 and
enters the IPSG RADIUS Snoop Configuration Mode:
ipsg-service ipsg1 mode radius-snoop
ipv6 access-group
Configures the IPv6
Access group.
Privilege:
Security Administrator,
Administrator
Syntax
ipv6 access-group group_name [ priority_value ]
group_name
Specifies the name of
the access group as an alphanumeric string of 1 through 79 characters.
priority_value
Specifies the priority
of the access group. 0 is the highest priority. If priority_value is
not specified the priority is set to 0. priority_value must
be an integer from 0 through 4294967295. Default: 0
If access groups in
the list have the same priority, the last one entered is used first.
Usage:
Use this command to
specify IPv6 access group name and priority. Use a lower value to indicate
a higher priority for the group.
Example:
ipv6 access-group group_1
ipv6 access-list
Configures access list
(or packet filter) name and enters the IPv6 ACL Configuration Mode.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ipv6
access-list name
no
Indicates the access
list specified is to be removed from the configuration.
name
Specifies the access list for which to enter the IPv6 ACL Configuration Mode or the list to remove. name is an alphanumeric string of 1 through 79 characters.
Usage:
Executing this command
enters the IPv6 ACL Configuration Mode in which rules and criteria
are defined for the ACL.
Example:
ipv6 access-list samplelist
no ipv6 access-list samplelist
ipv6 dns-proxy
Configures the domain
name server proxy for the context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ipv6
dns-proxy source-ipv4-address ip_address
no
Removes the predefined
IP address for local interface in the destination context.
ip_address
Specifies the IPv4 address of one of the local interfaces in the destination context used for the IPv6 DNS proxy. ip_address must be specified using IPv4 dotted-decimal notation.
Usage:
The IPv6 DNS proxy source
IPv4 address is used as the source IP address for the DNS proxy
transaction.
Example:
The following command provides an example of configuring an IPv6 DNS proxy source address of 192.168.23.1:
ipv6 dns-proxy source-ipv4-address 192.168.23.1
ipv6 neighbor
Adds a static IPv6 neighbor
entry into the neighbor discovery table.
Privilege:
Administrator, Security
Administrator
Syntax
[ no ] ipv6
neighbor ipv6_address hardware_address
no
Removes the specified
address.
ipv6_address
hardware_address
ipv6_address is the IPv6 address of the node to be added to the table.
hardware_address is the associated 48-bit MAC address.
Usage:
Add a static IPv6 neighbor
entry into the neighbor discovery table.
Example:
Add the IPv6 address fe80::210:83ff:fef7:7a9d::/24 and the associated 48-bit MAC address 0:10:83:f7:7a:9d to the table:
ipv6 neighbor fe80::210:83ff:fef7:7a9d::/24 0:10:83:f7:7a:9d
ipv6 pool
Modifies the current
context’s IP address pools by adding, updating or deleting
a pool. This command also resizes an existing IP pool.
Privilege:
Security Administrator,
Administrator
Syntax
ipv6 pool name { 6to4 local-endpoint ipv4_address [ default-relay-router router_address ] | alert threshold | group-name name | policy { allow-static-allocation | dup-addr-detection } | prefix ip_address/len [ 6to4-tunnel local-endpoint ip_address | default-relay-router router_address ] | range start_address end_address | suppress-switchover-arps } [ private priority ] [ public priority ] [ shared priority ] [ static priority ] [ group-name name ]
no ipv6 pool name
no
Deletes the previously
configured IPv6 pool.
name
Specifies the logical
name of the IP address pool as an alphanumeric string of 1 through
31 characters.
6to4-tunnel local-endpoint ip_address
Specifies the IPv4 address
of the local interface to be used for IPv6-to-IPv4 compatible pool address
construction.
alert threshold { 6to4 local-endpoint ipv4_address | alert threshold | group-available | group-name name | policy { allow-static-allocation | dup-addr-detection } | pool-free | pool-used | prefix | range start_address end_address }
Default: All thresholds
are disabled.
Configures IP address
pool-level utilization thresholds. These thresholds take precedence over
context-level IPv6 pool thresholds.
- 6to4: Sets
an alert based on the IPv6 Pool for an IPv6-to-IPv4 compatible address
type.
- alert-threshold:
Sets an alert based on the percentage free alert threshold for this
group.
- group-available:
Sets an alert based on the percentage free alert threshold for this
group.
- group-name:
Sets an alert based on the IPv6 Pool Group.
- policy allow-static-allocation:
Sets an alert based on the address allocation policy.
- pool-free:
Sets an alert based on the percentage free alert threshold for this
pool.
- pool-used:
Sets an alert based on the percentage used alert threshold for this
pool.
- prefix: Sets
an alert based on the IPv6 Pool address prefix.
- range: Sets
an alert based on the IPv6 address pool range of addresses.
- suppress-switchover-arps:
Sets an alert based on the suppression of gratuitous ARPs when performing a line card or an MIO switchover.
group-name name
IPv6 Pool Group.
The following options
are available:
- 6to4: IPv6
Pool for IPv6-to-IPv4 compatible address type
- alert-threshold:
Percentage free alert threshold for this group
- group-name:
IPv6 Pool Group
- policy: Configure
an address allocation policy
- prefix: IPv6
Pool address prefix
- range: Configures
IPv6 address pool to use a range of addresses
- suppress-switchover-arps:
Suppress gratuitous ARPs when performing a line card or an MIO switchover
ipv4_address
Specifies the beginning
IPv4 address of the IPv4 address pool. ipv4_address must
be specified using IPv4 dotted-decimal notation.
default-relay-router router_address
Specifies the default
relay router for the tunnel.
policy allow-static-allocation
Allows a dynamic pool
to accept a static address allocation.
policy dup-addr-detection
This command is valid for IPv6 shared pools only (sample syntax: ipv6 pool name prefix ip_address/len shared policy dup-addr-detection).
When this policy is enabled, the IPv6 shared pool allows a prefix to be shared in different call sessions with different interface IDs for an IPv6 address. This allows the tracking of interface IDs per prefix and the detection of duplicated IDs.
With this policy disabled, the IPv6 shared pool will allow a prefix to be shared across different call sessions; the interface ID is not considered for any duplicate address detection. Default: Disabled
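The following is an added example, not code from the Cisco reference: it models a shared IPv6 pool with and without policy dup-addr-detection, so the difference in behaviour (a repeated interface ID under a shared prefix refused versus silently producing the same full address twice) can be seen. The pool name and prefix are constructed sample values.

```python
import ipaddress


class SharedIpv6Pool:
    """Model of an ipv6 pool of type shared: one prefix can be allocated to many
    sessions at once. With dup_addr_detection enabled, the interface ID each
    session uses under the prefix is tracked and a second session asking for
    an ID already held by another session is refused; with it disabled nothing
    is tracked and two sessions may end up with the same full address."""

    def __init__(self, name: str, prefix: str, dup_addr_detection: bool = False):
        self.name = name
        self.prefix = ipaddress.IPv6Network(prefix)
        self.dup_addr_detection = dup_addr_detection
        self._owners = {}                      # interface ID -> session ID

    def _address(self, interface_id: int) -> ipaddress.IPv6Address:
        host_bits = 128 - self.prefix.prefixlen
        if not 0 <= interface_id < (1 << host_bits):
            raise ValueError(f"interface ID does not fit in {host_bits} host bits")
        return ipaddress.IPv6Address(int(self.prefix.network_address) | interface_id)

    def allocate(self, session_id: str, interface_id: int):
        """Return the full address for this session, or None when the policy
        detects that another session already holds the same interface ID."""
        addr = self._address(interface_id)
        if self.dup_addr_detection:
            owner = self._owners.get(interface_id)
            if owner is not None and owner != session_id:
                return None                    # duplicate interface ID under this prefix
            self._owners[interface_id] = session_id
        return addr

    def release(self, session_id: str, interface_id: int) -> None:
        """Free the interface ID, but only for the session that holds it."""
        if self._owners.get(interface_id) == session_id:
            del self._owners[interface_id]
```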
prefix ip_address/len
Specifies the beginning
IPv6 address of the IPv6 address pool. ip_address/len must
be specified using IPv6 colon-separated-hexadecimal with CIDR notation.
range start_address end_address
Configures an IPv6 address
pool to use a range of addresses.
start_address specifies
the beginning of the range of addresses for the IPv6 pool. It must
be specified using IPv6 colon-separated-hexadecimal notation.
end_address specifies
the end of the range of addresses for the IPv6 pool. It must be
specified using IPv6 colon-separated-hexadecimal notation.
suppress-switchover-arps
Suppresses gratuitous
ARPs when performing a line card switchover.
private priority | public priority | shared priority | static priority
Default: public
private priority:
Specifies that the address pool may only be used by mobile stations
which have requested an IP address from a specified pool. When private
pools are part of an IP pool group, they are used in a priority order
according to the precedence setting. priority must
be an integer from 0 through 10 with 0 being the highest. The default
is 0.
public priority:
Specifies that the address pool is used in priority order for assigning
IP addresses to mobile stations which have not requested a specific
address pool. priority must
be an integer from 0 through 10 with 0 being the highest and with
a default of 0.
shared priority:
Specifies that the address pool may be used by more than one
session at any time. priority must
be an integer from 0 through 10 with 0 being the highest and with
a default of 0.
static priority:
Specifies that the address pool is used for statically assigned
mobile stations. Statically assigned mobile stations are those with
a fixed IP address at all times. priority must
be an integer from 0 through 10 with 0 being the highest and with
a default of 0.
group-name name
Groups the IPv6 pools into different groups. The subscribers/domain can be configured with the group-name instead of the prefix-pool names. name is the name of the group by which the IPv6 pool is to be configured, expressed as an alphanumeric string of 1 through 79 characters.
Usage:
Use this command to
modify the current context’s IP address pools by adding,
updating, or deleting a pool. Also use this command to resize an
existing IP pool.
Example:
The following command
adds an IPv6 pool named
ip6Star:
ipv6 pool ip6Star
ipv6 prefix-list
Creates an IPv6 prefix
list for filtering routes.
Privilege:
Security Administrator,
Administrator
Syntax
ipv6 prefix-list name list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
no ipv6 prefix-list list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
no
Delete the specified
prefix-list entry.
name list_name
Specifies a name for
the prefix list as an alphanumeric string of 1 through 79 characters.
seq seq_number
Assigns the specified
sequence number to the prefix list entry as an integer from 1 through 4294967295.
deny
Specifies prefixes
to deny.
permit
Specifies prefixes
to permit.
network_address/net_mask [ ge ge_value ] [ le le_value ]
Specifies the prefix
to match.
network_address/net_mask:
the IP address and the length, in bits, of the network mask that
defines the prefix. The IP address and mask must be entered in IPv6
colon-separated-hexadecimal notation. When neither ge (greater
than or equal to) nor le (less
than or equal to) is specified, an exact match is assumed.
ge ge_value:
Specifies the minimum prefix length to match as an integer from
0 through 128. If only the ge value is specified, the range is from
the ge value to 128. The ge value must be greater than net_mask and
less than the le value.
le le_value:
Specifies the maximum prefix length to match as an integer from
0 through 128. If only the le value is specified, the range is from
the net_mask to
the le value. The le value must be less than or equal to 128.
The following equation
describes the conditions that ge and le values must satisfy:
net_mask < ge_value < le_value <= 128
Usage:
Use this command to
filter routes by their IPv6 prefix.
Example:
ipv6 prefix-list name prelistv6-10 seq 5 permit 2002::123.45.67.89/122
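The following is an added example, not code from the Cisco reference, serving both the ip prefix-list and ipv6 prefix-list commands above: it parses entries in the documented syntax, enforces the net_mask < ge_value < le_value <= 32 (or 128) condition, and evaluates routes against a list in seq order. The implicit deny for an unmatched route and the ordering of entries without an explicit seq are assumptions, not statements from the reference.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class PrefixListEntry:
    list_name: str
    action: str                      # "permit" or "deny"
    network: Optional[Network]       # None stands for the "any" keyword
    seq: Optional[int] = None
    ge: Optional[int] = None
    le: Optional[int] = None

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.seq is not None and not 1 <= self.seq <= 4294967295:
            raise ValueError("seq must be 1 through 4294967295")
        if self.network is None:
            return
        mask = self.network.prefixlen
        top = self.network.max_prefixlen            # 32 for IPv4, 128 for IPv6
        # Enforce net_mask < ge_value < le_value <= top, as documented.
        if self.ge is not None and not mask < self.ge <= top:
            raise ValueError(f"ge must be greater than net_mask and at most {top}")
        if self.le is not None and not mask <= self.le <= top:
            raise ValueError(f"le must be between net_mask and {top}")
        if self.ge is not None and self.le is not None and not self.ge < self.le:
            raise ValueError("ge must be less than le")

    def matches(self, route: Network) -> bool:
        """True when the route lies inside this entry's prefix and its length is
        within the range implied by ge/le (an exact match when neither is set)."""
        if self.network is None:
            return True
        if route.version != self.network.version or not route.subnet_of(self.network):
            return False
        mask, top = self.network.prefixlen, self.network.max_prefixlen
        low = self.ge if self.ge is not None else mask
        if self.le is not None:
            high = self.le
        else:
            high = top if self.ge is not None else mask
        return low <= route.prefixlen <= high


def parse_prefix_list(line: str) -> PrefixListEntry:
    """Parse an 'ip prefix-list name ...' or 'ipv6 prefix-list name ...' command."""
    t = line.split()
    if t[0] not in ("ip", "ipv6") or t[1:3] != ["prefix-list", "name"]:
        raise ValueError("expected 'ip|ipv6 prefix-list name <list_name> ...'")
    list_name, i = t[3], 4
    seq = None
    if t[i] == "seq":
        seq, i = int(t[i + 1]), i + 2
    action, prefix, i = t[i], t[i + 1], i + 2
    network = None if prefix == "any" else ipaddress.ip_network(prefix, strict=False)
    if network is not None and network.version != (4 if t[0] == "ip" else 6):
        raise ValueError("address family does not match the command")
    ge = le = None
    while i < len(t):
        if t[i] == "ge":
            ge = int(t[i + 1])
        elif t[i] == "le":
            le = int(t[i + 1])
        else:
            raise ValueError(f"unexpected token {t[i]}")
        i += 2
    return PrefixListEntry(list_name, action, network, seq, ge, le)


def evaluate(entries: List[PrefixListEntry], route: str) -> str:
    """Apply entries in seq order (entries without a seq go last); the first
    match decides, and a route matched by nothing is denied (assumed)."""
    net = ipaddress.ip_network(route, strict=False)
    ordered = sorted(entries, key=lambda e: (e.seq is None, e.seq or 0))
    for entry in ordered:
        if entry.matches(net):
            return entry.action
    return "deny"
```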
ipv6 prefix-list sequence-number
Enables or disables
the inclusion of IPv6 prefix list sequence numbers in the configuration
file. This option is enabled by default.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ipv6
prefix-list sequence-number
no
Disables the listing
of IPv6 prefix list sequence numbers in the configuration file.
Usage:
Use this command to
enable and disable the inclusion of IPv6 prefix list sequence numbers in
the configuration file.
Example:
To disable the inclusion
of IPv6 prefix list sequence numbers in the configuration file,
enter the following command:
no ipv6 prefix-list sequence-number
ipv6 route
Configures a static
IPv6 route to the next-hop router.
Syntax
[ no ] ipv6
route ipv6_address/prefix_length { interface name | next-hop ipv6_address interface name } [ cost cost ] [ precedence precedence ]
no
Removes the specified
static route.
ipv6_address/prefix_length
Specifies a destination
IPv6 address or group of addresses that will use this route.
ipv6_address/prefix_length must
be specified using IPv6 colon-separated-hexadecimal with CIDR notation.
interface name
Specifies the name of
the interface on this system associated with the specified route
or next-hop address. name must
be an existing interface name on the system expressed as an alphanumeric
string of 1 through 79 characters.
next-hop ipv6_address
The IPv6 address of
the directly connected next hop device in IPv6 colon-separated-hexadecimal
notation.
cost cost
Defines the number of
hops to the next gateway as an integer from 0 through 255. Default: 0
precedence precedence
Indicates the administrative
preference of the route. A low precedence specifies that this route
takes preference over the route with a higher precedence. precedence must
be an integer from 1 through 254. Default: 1
Usage:
Use this command to
create a static route and send data traffic to a next-hop device.
Example:
The following example configures a static route with IPv6 prefix/length 2001:0db8:3c4d:0015:0000:0000:abcd:ef12/24 to the next-hop interface egress1:
ipv6 route 2001:0db8:3c4d:0015:0000:0000:abcd:ef12/24 interface egress1
ipv6 route-access-list
Configures an IPv6
route access list for filtering routes.
Privilege:
Security Administrator,
Administrator
Syntax
ipv6 route-access-list name list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ exact-match ] }
no ipv6 route-access-list name list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ exact-match ] }
no
Delete the specified
prefix-list entry.
name list_name
Specifies a name for
the prefix list as an alphanumeric string of 1 through 79 characters.
deny
Specifies prefixes
to deny.
permit
Specifies prefixes
to permit.
network_address/net_mask [ exact-match ]
Specifies the prefix
to match.
network_address/net_mask:
the IP address and the length, in bits, of the network mask that
defines the prefix. The IP address and mask must be entered in IPv6
colon-separated-hexadecimal notation.
exact-match: Specifies
that only an exact match initiates the access list deny/permit
function.
Usage:
Use this command to
filter routes by their IPv6 prefix.
Example:
ipv6 route-access-list name routelistv6 seq 5 permit 2002::123.45.67.89/122
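As an added illustration (not StarOS code), the following Python models the permit/deny and exact-match semantics described above for an ordered list of entries. It assumes first-match evaluation, an implicit deny when no entry matches, that a seq number as in the example orders the entries, and that an entry without exact-match matches any route falling within its prefix.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    """One route-access-list line: action, prefix (None = any), exact-match flag, seq."""
    action: str
    prefix: Optional[ipaddress.IPv6Network]
    exact_match: bool = False
    seq: int = 0

    def matches(self, route: ipaddress.IPv6Network) -> bool:
        if self.prefix is None:            # 'any' matches every route
            return True
        if self.exact_match:               # only the identical prefix/length matches
            return route == self.prefix
        # Assumption: without exact-match, any route that falls within the
        # configured prefix (equal or longer mask) matches the entry.
        return route.subnet_of(self.prefix)


def parse_entry(line: str) -> Entry:
    """Parse 'ipv6 route-access-list [ name X ] [ seq N ] {deny|permit} {any|pfx/len} [exact-match]'."""
    tokens = line.split()
    if tokens[:2] != ["ipv6", "route-access-list"]:
        raise ValueError(f"not a route-access-list line: {line!r}")
    i, seq = 2, 0
    if tokens[i] == "name":                # list selection; all sample lines belong to one list
        i += 2
    if tokens[i] == "seq":                 # sequence number as in the page's example (assumed ordering key)
        seq, i = int(tokens[i + 1]), i + 2
    action = tokens[i]
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit|deny, got {action!r}")
    target = tokens[i + 1]
    # strict=False: the configured address may carry host bits (as in the page's
    # example); the entry's prefix is the network of address/length.
    prefix = None if target == "any" else ipaddress.IPv6Network(target, strict=False)
    exact = len(tokens) > i + 2 and tokens[i + 2] == "exact-match"
    return Entry(action, prefix, exact, seq)


def build_acl(lines: List[str]) -> List[Entry]:
    """Entries ordered by seq; sorted() is stable, so equal seq keeps configuration order."""
    return sorted((parse_entry(line) for line in lines), key=lambda e: e.seq)


def evaluate(acl: List[Entry], route: str) -> str:
    """First matching entry decides; a route matching no entry is denied (assumed implicit deny)."""
    net = ipaddress.IPv6Network(route, strict=False)
    for entry in acl:
        if entry.matches(net):
            return entry.action
    return "deny"


# Constructed sample list; the first line is the page's own example.
SAMPLE_ACL = build_acl([
    "ipv6 route-access-list name routelistv6 seq 5 permit 2002::123.45.67.89/122",
    "ipv6 route-access-list name routelistv6 seq 10 deny 2001:db8::/32 exact-match",
    "ipv6 route-access-list name routelistv6 seq 15 permit 2001:db8::/32",
])

if __name__ == "__main__":
    for r in ("2002::7b2d:4340/122", "2001:db8::/32", "2001:db8:1::/48", "3ffe::/16"):
        print(r, "->", evaluate(SAMPLE_ACL, r))
```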
isakmp disable-phase1-rekey
This command is deprecated.
Use the ikev1
disable-phase1-rekey command to configure the parameters
for Phase 1 SA rekeying when the ISAKMP lifetime expires for the IKE v1 protocol.
isakmp keepalive
This command is deprecated.
Use the ikev1 keepalive
dpd command to configure ISAKMP IPSec Dead Peer Detection (DPD)
message parameters for the IKE v1 protocol.
isakmp policy
This command is deprecated.
Use the ikev1 policy command
to create/configure an ISAKMP policy with the specified priority
for the IKE v1 protocol.
iups-service
Creates an Iu-PS service
instance and enters the Iu-PS Service Configuration Mode. This mode
defines the configuration and usage of Iu-PS interfaces between
the SGSN and the RNCs in the UMTS radio access network (UTRAN).
It defines both the control plane (GTP-C) and the data plane (GTP-U)
between these nodes.
IMPORTANT:
For details about the
commands and parameters for this mode, check the IuPS Service Configuration
Mode Commands chapter.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] iups-service srvc_name
no
Remove the configuration
for the specified Iu-PS service from the configuration for the current
context.
srvc_name
Specifies the IuPS service
name as a unique alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
create, edit, or remove an Iu-PS service. Add up to eight definitions to
be used with a single SGSN service so the SGSN can support multiple PLMNs.
Example:
The following command
creates an Iu-PS service named
iu-ps1:
iups-service iu-ps1
The following command
removes the Iu-PS service named
iu-ps1:
no iups-service iu-ps1
l2tp peer-dead-time
Configures a delay when
attempting to tunnel to a specific peer which is initially unreachable
due to reasons such as a network issue or temporarily having reached
its capacity.
Privilege:
Security Administrator,
Administrator
Syntax
l2tp peer-dead-time seconds
default l2tp peer-dead-time
default
Resets the command to
its default setting of 60.
seconds
Specifies the interval
(in seconds) to wait before attempting to tunnel to a specific peer which
is initially unreachable as an integer from 5 through 64,000. Default:
60
Usage:
The time to wait before
trying to establish a tunnel to a known peer after the initial attempt was
unsuccessful.
Example:
The following example
configures the delay in attempting to tunnel to a temporarily unreachable
peer. The delay is set to
120 seconds
in this example.
l2tp peer-dead-time 120
lac-service
Enters the LAC Service
Configuration Mode, or is used to add or remove a specified L2TP
Access Concentrator (LAC) service.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] lac-service name
no
Removes the specified
lac-service from the current context.
name
Specifies the name of
a LAC service to configure, add, or remove as an alphanumeric string of
1 through 63 characters that is case-sensitive.
Usage:
Enter the LAC Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (i.e. resulting from such things as system handoffs).
Therefore, it is recommended that a large number of services only
be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Example:
To add a new LAC service
named
LAC1 and
enter the LAC Service Configuration Mode, enter the following command:
lac-service LAC1
To configure an existing
LAC service named
LAC2,
enter the following command:
lac-service LAC2
To delete an existing
LAC service named
LAC3,
enter the following command:
no lac-service LAC3
lawful-intercept
Refer to the Lawful Intercept Configuration
Guide for a description of this command.
lawful-intercept dictionary
Refer to the Lawful Intercept Configuration
Guide for a description of this command.
lma-service
Creates a Local Mobility
Anchor (LMA) service or specifies an existing LMA service and enters
the LMA Service Configuration Mode for the current context.
Syntax
lma-service service_name [ -noconfirm ]
no lma-service service_name
no
Removes the specified
LMA service from the context.
service_name
Specifies the name of
the LMA service. If service_name does not
refer to an existing service, the new service is created if resources
allow.
service_name is
an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Enter the LMA Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system
handoffs). Therefore, it is recommended that a large number of services
only be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Entering this command
results in the following prompt:
[context_name]hostname(config-lma-service)#
LMA Service Configuration
Mode commands are defined in the LMA Service Configuration
Mode Commands chapter.
Use this command when
configuring the following eHRPD and PMIP SAE components: P-GW.
Example:
The following command
enters the existing LMA Service Configuration Mode (or creates it if
it does not already exist) for the service named
lma-service1:
lma-service lma-service1
The following command
will remove
lma-service1 from
the system:
no lma-service lma-service1
lns-service
Enters the LNS Service
Configuration Mode, or is used to add or remove a specified L2TP
Network Server (LNS) service.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] lns-service name
no
Removes the specified
lns-service from the current context.
name
Specifies the name of
a LNS service to configure, add or remove as an alphanumeric string of
1 through 63 characters that is case-sensitive.
Usage:
Enter the LNS Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (i.e. resulting from such things as system handoffs).
Therefore, it is recommended that a large number of services only
be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Example:
To add a new LNS service
named
LNS1 and
enter the LNS Service Configuration Mode, enter the following command:
lns-service LNS1
To configure an existing
LNS service named
LNS2,
enter the following command:
lns-service LNS2
To delete an existing
LNS service named
LNS3,
enter the following command:
no lns-service LNS3
logging
Modifies the logging
options for a specified system log server for the current context.
Syntax
[ no ] logging syslog ip_address [ event-verbosity { min | concise | full } ] [ facility facilities ] [ pdu-data { none | hex | hex-ascii } ] [ pdu-verbosity pdu_level ] [ rate value ]
no
Indicates that internal
logging is to be disabled for the options specified.
syslog ip_address
Specifies the IP address
of a system log server on the network in IPv4 dotted-decimal or IPv6
colon-separated-hexadecimal notation.
event-verbosity { min | concise | full }
Specifies the level
of detail to use in logging of events. Detail level must be one
of the following:
- min: Displays
minimal detail.
- concise:
Displays summary detail.
- full: Displays
full detail.
facility facilities
Default: local7
Specifies the local
facility for which the system logging server’s logging
options shall be applied. Local facility must be one of the following:
- local0
- local1
- local2
- local3
- local4
- local5
- local6
- local7
Multiple system log
servers can share the logging options of a given local facility.
This allows for the logical grouping of system log servers and the
options which affect all of those associated with the same local
facility.
pdu-data { none | hex | hex-ascii }
Specifies output format
for packet data units when logged. Format must be one of the following:
- none: Displays
data in raw format.
- hex: Displays
data in hexadecimal format.
- hex-ascii:
Displays data in hexadecimal and ASCII format (similar to a main-frame
dump).
pdu-verbosity pdu_level
Specifies the level
of verboseness to use in logging of packet data units as a value
from 1 through 5, where 5 is the most detailed.
rate value
Specifies the rate at
which log entries are allowed to be sent to the system log server.
No more than the number specified by value will
be sent to a system log server within any given one-second interval.
value must
be an integer from 0 through 100000. Default: 1000
Usage:
Set the log servers
to enable remote review of log data.
Example:
The following sets the
logging for events to the maximum for the local7 facility:
logging syslog 10.2.3.4 event-verbosity full
The following command
sets the logging for packet data units to level 3 and sets the output format
to the main-frame style hex-ascii for the local3 facility:
logging syslog 10.2.3.4 facility local3 pdu-data hex-ascii pdu-verbosity 3
The following sets
the rate of information for the local1 facility:
logging syslog 10.2.3.4 facility local1 rate 100
The following disables
internal logging to the system log server specified:
no logging syslog 10.2.3.4
mag-service
Creates a Mobile Access
Gateway (MAG) service or specifies an existing MAG service and enters
the MAG Service Configuration Mode for the current context.
Syntax
mag-service service_name [ -noconfirm ]
no mag-service service_name
no
Removes the specified
MAG service from the context.
service_name
Specifies the name of
the MAG service. If service_name does not
refer to an existing service, the new service is created if resources
allow.
service_name is
an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Enter the MAG Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system
handoffs). Therefore, it is recommended that a large number of services
only be configured if your application absolutely requires it. Please
contact your Cisco service representative for more information.
Entering this command
results in the following prompt:
[context_name]hostname(config-mag-service)#
MAG Service Configuration
Mode commands are defined in the MAG Service Configuration
Mode Commands chapter.
Use this command when
configuring the following eHRPD and PMIP SAE components: HSGW and
S-GW.
Example:
The following command
enters the existing MAG Service Configuration Mode (or creates it if
it does not already exist) for the service named
mag-service1:
mag-service mag-service1
The following command
will remove
mag-service1 from
the system:
no mag-service mag-service1
map-service
Creates a Mobile Application
Part (MAP) Service instance and enters the MAP Service Configuration
mode to define or edit the MAP service parameters.
MAP is the SS7 protocol
that provides the application layer required by some of the nodes
in GPRS/UMTS networks to communicate with each other in
order to provide services to mobile phone users. MAP is used by
the serving GPRS support node (SGSN) to access SS7 network nodes
such as a home location register (HLR) or a radio access network
(RAN).
Privilege:
Security Administrator,
Administrator
Syntax
map-service srvc_name
no map-service srvc_name
no
Remove the specified
MAP service from the configuration for the current context.
srvc_name
Specifies the name of
the MAP service as a unique alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
create, edit, or remove a MAP service configuration.
IMPORTANT:
For details about the
commands and parameters, check the MAP Service Configuration Mode
Commands chapter.
Example:
The following command
creates a MAP service named
map_1:
map-service map_1
The following command
removes the configuration for a MAP service named
map_1 from
the configuration for the current context:
no map-service map_1
mipv6ha-service
Creates a Mobile IPv6
Home Agent (MIPv6-HA) service instance and enters the MIPv6 HA Service
Configuration mode to define or edit the MIPv6-HA service parameters.
Privilege:
Security Administrator,
Administrator
Syntax
mipv6ha-service srvc_name
no mipv6ha-service srvc_name
no
Remove the specified
MIPv6-HA service from the configuration for the current context.
srvc_name
Specifies the name of
the MIPv6-HA service as a unique alphanumeric string of 1 through 63
characters.
Usage:
Use this command to
create, edit, or remove a MIPv6-HA service configuration.
IMPORTANT:
For details about the
commands and parameters, check the MIPv6 HA Service Configuration
Mode Commands chapter.
Example:
The following command
creates a MIPv6-HA service named
mipv6ha_1:
mipv6ha-service mipv6ha_1
The following command
removes the configuration for a MIPv6-HA service named
mipv6ha_1 from
the configuration for the current context:
no mipv6ha-service mipv6ha_1
mme-service
Creates a Mobility
Management Entity (MME) service or configures an existing MME service
and enters the MME Service Configuration Mode for Evolved Packet
Core (EPC) networks in the current context.
Syntax
mme-service service_name [ -noconfirm ]
no mme-service service_name
no
Removes the specified
MME service from the context.
service_name
Specifies the name of
the MME service. If service_name does not
refer to an existing service, the new service is created if resources
allow.
service_name is
an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Enter the MME Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 8 MME services
can be configured on a system, within the overall limit of 256 services
(regardless of type) that can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system
handoffs). Therefore, it is recommended that a large number of services
only be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Entering this command
results in the following prompt:
[context_name]hostname(config-mme-service)#
MME Service Configuration
Mode commands are defined in the MME Service Configuration
Mode Commands chapter.
CAUTION:
This is a critical configuration.
The MME service cannot be configured without this configuration.
Any change to this configuration would lead to restarting the MME
service and removing or disabling this configuration will stop the
MME service.
Example:
The following command
enters the existing MME Service Configuration Mode (or creates it if
it does not already exist) for the service named
mme-service1:
mme-service mme-service1
The following command
will remove
mme-service1 from
the system:
no mme-service mme-service1
mobile-ip fa
Configures settings
that affect all FA services in the current context.
Privilege:
Security Administrator,
Administrator
Syntax
mobile-ip fa { multiple-dynamic-reg-per-nai | newcall duplicate-home-address { accept | reject } }
{ default | no } mobile-ip fa { multiple-dynamic-reg-per-nai | newcall duplicate-home-address }
default
Configures the default
setting for the specified parameter.
- multiple-dynamic-reg-per-nai:
All FA services in the current context cannot simultaneously set up
multiple dynamic home address registrations that have the same NAI.
- newcall duplicate-home-address: reject
no
- multiple-dynamic-reg-per-nai: Disables
all FA services in the current context from simultaneously setting
up multiple dynamic home address registrations that have the same
NAI.
- newcall duplicate-home-address:
Resets this option to its default of reject.
multiple-dynamic-reg-per-nai
This keyword allows
all FA services in the current context to simultaneously set up multiple dynamic
home address registrations that have the same NAI.
newcall duplicate-home-address { accept | reject }
- accept: The
new call is accepted and the existing call is dropped.
- reject: The
new call is rejected with an Admin Prohibited code.
Usage:
Use this command to
set the behavior of all FA services in the current context.
Example:
To configure all FA
services to accept new calls and drop the existing call when the
new call requests an IP address that is already in use by an existing
call, enter the following command:
mobile-ip fa newcall duplicate-home-address accept
To allow all FA services
in the current context to simultaneously set up multiple dynamic
home address registrations that have the same NAI, enter the following
command:
mobile-ip fa multiple-dynamic-reg-per-nai
mobile-ip ha assignment-table
Creates a Mobile IP
HA assignment table and enters Mobile IP HA Assignment Table Configuration
Mode.
Privilege:
Security Administrator,
Administrator
Syntax
mobile-ip ha assignment-table atable_name [ -noconfirm ]
no mobile-ip ha assignment-table atable_name
no
This keyword deletes
the specified assignment table.
atable_name
Specifies the name of
the MIP HA assignment table to create or edit as an alphanumeric string
of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Use this command to
create a new MIP HA assignment table or edit an existing MIP HA assignment
table.
IMPORTANT:
A maximum of eight MIP
HA assignment tables can be configured per context with a maximum
of 8 MIP HA assignment tables across all contexts.
IMPORTANT:
A maximum of 256 non-overlapping
hoa-ranges can be configured per MIP HA Assignment table with a
maximum of 256 non-overlapping hoa-ranges across all MIP HA Assignment tables.
Example:
The following command
creates a new MIP HA assignment table named
MIPHAtable1 and
enters MIP HA Assignment Table Configuration Mode without asking
for confirmation from the user:
mobile-ip ha assignment-table MIPHAtable1
mobile-ip ha newcall
Configures the behavior
of all HA services when duplicate home addresses and duplicate IMSI
sessions occur for new calls.
Privilege:
Security Administrator,
Administrator
Syntax
mobile-ip ha newcall { duplicate-home-address { accept | reject } | duplicate-imsi-session { allow | disallow | global-disallow } | wimax-session-overwrite { allow | disallow } }
{ default | no } mobile-ip ha newcall { duplicate-home-address | duplicate-imsi-session | wimax-session-overwrite }
default
Configures the default
setting for the specified parameter.
- duplicate-home-address: reject. Sets
HA services to reject a new call that requests an IP address that
is already assigned.
- duplicate-imsi-session: allow. Sets
HA services to accept new calls that have the same IMSI as a call
that is already active.
- wimax-session-overwrite: disallow. Disables the
session overwrite feature for WiMAX mobile-ip calls on the HA.
no
Configures the default
setting for the specified parameter.
duplicate-home-address { accept | reject }
Configures the HA to
either accept or reject new calls if the new call requests a static
IP home address that is already assigned to an existing call from
an IP address pool in the same destination context.
- accept: The
new call is accepted and the existing call is dropped.
- reject: The
new call is rejected with an Admin Prohibited code.
duplicate-imsi-session { allow | disallow | global-disallow }
Configures the HA to
either permit or not permit multiple sessions for the same IMSI.
- allow: Allows
multiple sessions for the same IMSI.
- disallow:
If a mobile node already has an active session and a new session
is requested using the same IMSI, the currently active session is dropped
and the new session is accepted.
- global-disallow:
Enables HA services in this context to accept a new session and
disconnect any other session(s) having the same IMSI being processed
in this context. In addition, a request is sent to all other contexts
containing HA services to do the same.
IMPORTANT:
In order to ensure a
single session per IMSI across all contexts containing HA services,
the global-disallow option must be configured in every context.
wimax-session-overwrite { allow | disallow }
Use this command to
enable or disable the overwrite feature for WiMAX mobile ip (MIPv4) calls
on the HA.
Usage:
Use this command to
set the behavior of all HA services for new calls.
Example:
To configure all HA
services to accept new calls when the new call requests a static
IP that is already assigned from an IP pool in the same destination
context, enter the following command:
mobile-ip ha newcall duplicate-home-address accept
To configure all HA
services to drop an active call and accept a new one that uses the
same IMSI, enter the following command:
mobile-ip ha newcall duplicate-imsi-session disallow
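The following Python is an added model of the admission decisions that the duplicate-home-address and duplicate-imsi-session keywords describe; it is not StarOS code. It assumes one object per context, a list of peer contexts so that global-disallow can fan out its disconnect request, and abstracts away the pool/destination-context detail of the home address check; the IMSIs and addresses used are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Session:
    imsi: str
    home_addr: str


@dataclass
class HaContext:
    """All HA services in one context share the 'mobile-ip ha newcall' settings."""
    name: str
    duplicate_home_address: str = "reject"   # default per the page
    duplicate_imsi_session: str = "allow"    # default per the page
    sessions: Dict[int, Session] = field(default_factory=dict)
    peers: List["HaContext"] = field(default_factory=list)   # other contexts with HA services
    dropped: List[Tuple[int, str]] = field(default_factory=list)
    next_id: int = 1

    def drop_by_imsi(self, imsi: str, reason: str) -> int:
        """Disconnect every session carrying this IMSI; returns how many were dropped."""
        victims = [sid for sid, s in self.sessions.items() if s.imsi == imsi]
        for sid in victims:
            del self.sessions[sid]
            self.dropped.append((sid, reason))
        return len(victims)

    def new_call(self, imsi: str, home_addr: str) -> Tuple[bool, str]:
        """Admit or reject a new call; returns (accepted, reason)."""
        # 1. duplicate-home-address: the requested home address is already
        #    assigned to an existing call (pool/destination-context detail abstracted).
        holders = [sid for sid, s in self.sessions.items() if s.home_addr == home_addr]
        if holders:
            if self.duplicate_home_address == "reject":
                return False, "Admin Prohibited"
            for sid in holders:                      # accept: the existing call is dropped
                del self.sessions[sid]
                self.dropped.append((sid, "duplicate-home-address"))
        # 2. duplicate-imsi-session: allow keeps both; disallow drops the active
        #    session in this context; global-disallow also asks every peer context.
        if self.duplicate_imsi_session in ("disallow", "global-disallow"):
            self.drop_by_imsi(imsi, "duplicate-imsi-session")
            if self.duplicate_imsi_session == "global-disallow":
                for peer in self.peers:
                    peer.drop_by_imsi(imsi, f"duplicate-imsi-session (request from {self.name})")
        sid = self.next_id
        self.next_id += 1
        self.sessions[sid] = Session(imsi, home_addr)
        return True, f"accepted as session {sid}"


if __name__ == "__main__":
    ctx_a, ctx_b = HaContext("ingress"), HaContext("egress")
    ctx_a.peers, ctx_b.peers = [ctx_b], [ctx_a]
    print(ctx_a.new_call("404010000000001", "10.1.0.1"))   # accepted
    print(ctx_a.new_call("404010000000002", "10.1.0.1"))   # (False, 'Admin Prohibited')
```

A peer configured with allow ignores nothing sent to it here but accepts its own duplicates, which is why the page's note requires global-disallow in every context for a true single session per IMSI.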
mobile-ip ha reconnect
Sets the behavior of
all HA services to reconnect dropped calls.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mobile-ip ha reconnect [ static-homeaddr [ dynamic-pool-allocation ] ]
static-homeaddr
Specifies that the home
address is a static IP address.
dynamic-pool-allocation
Allows a dynamic pool
to accept a static address allocation.
Usage:
Use this command to
reset the HA behavior for new calls.
Example:
mobile-ip ha reconnect
mobile-ip ha reconnect static-homeaddr
mobile-ip ha reconnect static-homeaddr dynamic-pool-allocation
no mobile-ip ha reconnect
no mobile-ip ha reconnect static-homeaddr
mpls bgp forwarding
Globally enables Multiprotocol
Label Switching (MPLS) Border Gateway Protocol (BGP) forwarding.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mpls bgp forwarding
no
Disables MPLS BGP forwarding.
Usage:
Use this command to
globally enable the MPLS BGP forwarding. By enabling this command,
the BGP VPNv4 routes need not have an underlying LSP to forward
the IP packets. If this command is not enabled, then the nexthop
for the BGP routes must be reachable via LDP.
CAUTION:
This command should
be enabled ONLY when all the BGP peering where VPNv4 routes are exchanged
are one hop away.
Example:
The following command
enables the MPLS BGP forwarding on the system:
mpls bgp forwarding
mpls ip
Globally enables the
Multiprotocol Label Switching (MPLS) forwarding of IPv4 packets
along normally routed paths.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mpls ip
no
Disables MPLS forwarding
of IPv4 packets configured on the system. no mpls ip stops
dynamic label distribution on all the interfaces regardless of interface
configuration.
Usage:
Globally enables the
MPLS forwarding of IPv4 packets along normally routed paths for the
entire context.
It does not start
label distribution over an interface until MPLS has been enabled
for the interface as well. Refer to the Ethernet Interface
Configuration Mode Commands chapter for additional information.
CAUTION:
This feature is not
enabled by default.
Example:
The following command enables
(but does not start) MPLS forwarding of IPv4 packets along normally
routed paths:
mpls ip
nw-reachability server
Adds or deletes a reachability-detect
server and configures parameters for retrying the failure-detection
process. When network reachability is enabled, an ICMP ping request
is sent to this device. If there is no response after a specified
number of retries, the network is deemed failed. Execute this command
multiple times to configure multiple network reachability servers.
Privilege:
Security Administrator,
Administrator
Syntax
nw-reachability server server_name [ interval seconds ] [ local-addr ip_addr ] [ num-retry num ] [ remote-addr ip_addr ] [ timeout seconds ]
no nw-reachability server server_name
no
Delete the reference
to the specified network reachability server.
server_name
Specifies the name for
the network device that is sent ping packets to test for network reachability.
interval seconds
Specifies the frequency
in seconds for sending ping requests as an integer from 1 through 3600.
Default: 60
local-addr ip_addr
Specifies the IP address
to be used as the source address of the ping packets; if this is unspecified,
an arbitrary IP address that is configured in the context is used. ip_addr must
be entered using IPv4 dotted-decimal notation.
num-retry num
Specifies the number
of retries before deciding that there is a network failure as an
integer from 0 through 100. Default: 5
remote-addr ip_addr
Specifies the IP address
of a network element to use as the destination to send the ping packets
for detecting network failure or reachability. ip_addr must be
entered using IPv4 dotted-decimal notation.
timeout seconds
Specifies how long to
wait (in seconds) before retransmitting a ping request to the remote address
as an integer from 1 through 1. Default: 3
Usage:
Use this command to
set up a network device on a destination network that is used to ensure that
Mobile IP sessions can reach the required network from the HA.
IMPORTANT:
Refer to the HA Configuration
Mode command policy nw-reachability-fail to
configure the action that should be taken when network reachability
fails.
IMPORTANT:
Refer to the Subscriber
Config Mode command nw-reachability-server to
bind the network reachability to a specific subscriber.
IMPORTANT:
Refer to the nw-reachability
server server_name keyword of the ip
pool command in this chapter to bind the network reachability
server to an IP pool.
Example:
To set a network device
called InternetDevice with the IP address of
192.168.100.10 as
the remote address that is pinged to determine network reachability
and use the address
192.168.200.10 as
the origination address of the ping packets sent, enter the following
command:
nw-reachability server InternetDevice local-addr 192.168.200.10 remote-addr 192.168.100.10
network-requested-pdp-context activate
Configures the mobile
station(s) (MSs) for which network initiated PDP contexts are supported.
Privilege:
Security Administrator,
Administrator
Syntax
network-requested-pdp-context activate address ip_address dst-context context_name imsi imsi apn apn_name
no network-requested-pdp-context activate address ip_address dst-context context_name
no
Disables the system’s
ability to accept network-requested PDP contexts on the specified interface.
ip_address
Specifies the static
IP address of the MS in IPv4 dotted-decimal notation.
dst-context context_name
Specifies the name of
the destination context configured on the system containing the
static IP address pool in which the MS’s IP address is
configured. context_name is
an alphanumeric string of 1 through 79 characters that is case sensitive.
imsi imsi
Specifies the International
Mobile Subscriber Identity (IMSI) of the MS as a string of 1 through
15 numeric characters.
apn apn_name
Specifies the Access
Point Name (APN) that is passed to the SGSN by the system. apn_name is
an alphanumeric string of 1 through 63 characters that is case sensitive.
Usage:
Use this command to
specify the MS(s) for which network initiated PDP contexts are supported.
When a packet is received
for an MS that does not currently have a PDP context established,
the system checks the configuration of this parameter to determine
if the destination IP address specified in the packet is specified
by this parameter. If the address is not specified, then the system
discards the packet. If the address is specified, the system uses
the configured IMSI and APN to determine the appropriate SGSN from
the Home Location Register (HLR). The system communicates with the
HLR through the interworking node configured using the network-requested-pdp-context
gsn-map command.
Once the session is
established, the destination context specified by this command is
used in place of the one either configured within the specified
APN template or returned by a RADIUS server during authentication.
This command can be
issued multiple times supporting network initiated PDP contexts
for up to 1,000 configured addresses per system context.
Example:
The following command
enables support for network initiated PDP contexts for an MS with a
static IP address of
20.13.5.40 from
a pool configured in the destination context pdn1 with an IMSI of
3319784450 that
uses an APN template called
isp1:
network-requested-pdp-context activate address 20.13.5.40 dst-context pdn1 imsi 3319784450 apn isp1
network-requested-pdp-context gsn-map
Configures the IP address
of the interworking node that is used by the system to communicate
with the Home Location Register (HLR), and optionally sets the GTP
version to use.
Privilege:
Security Administrator,
Administrator
Syntax
network-requested-pdp-context gsn-map ip_address [ gtp-version { 0 | 1 } ]
no network-requested-pdp-context gsn-map
no
Deletes a previously
configured gsn-map node.
ip_address
Specifies the IP address
of the gsn-map node in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation.
gtp-version { 0 | 1 }
Specifies the GTP version
used. Default: 1
Usage:
Communications from
the system to the HLR must go through a GSN-map interworking node
that performs the protocol conversion from GTPC to SS7.
The UDP port for this
communication is 2123.
Support for network
requested PDP contexts must be configured within source contexts
on the system. Only one gsn-map node can be configured per source
context.
The source context also
contains the GGSN service configuration that specifies the IP address
of the Gn interface. If multiple GGSN services are configured in
the source context, one is selected at random for initiating the
Network Requested PDP Context Activation procedure.
Communication with the
gsn-map node is done over the Gn interface configured for the GGSN
service. The IP address of that interface is used as the system’s
source address.
Example:
The following command
configures the system to communicate with a gsn-map node having an
IP address of
192.168.2.5:
network-requested-pdp-context gsn-map 192.168.2.5
network-requested-pdp-context hold-down-time
Configures the time
duration that the system waits after the SGSN rejects an
attempt for a network-requested PDP context creation for the subscriber.
Privilege:
Security Administrator,
Administrator
Syntax
network-requested-pdp-context hold-down-time time
default network-requested-pdp-context hold-down-time
default
Configures the default
setting.
Default: 60 seconds
time
Specifies the time interval
(in seconds) as an integer from 0 through 86400.
Usage:
Packets received during
this time period would be discarded, rather than being used to cause
another network-requested PDP context creation attempt for the same
subscriber. After the time period has expired, any subsequent packets
received would cause another network-requested PDP context creation
procedure to begin.
Example:
The following command
configures a hold-down-time of
120 seconds:
network-requested-pdp-context
hold-down-time 120
network-requested-pdp-context
interval
Configures the minimum
amount of time that must elapse between the deletion of a network
initiated PDP context and the creation of a new one for the same
MS.
Privilege:
Security Administrator,
Administrator
Syntax
network-requested-pdp-context
interval time
default network-requested-pdp-context interval
default
Returns the command to
its default setting of 60.
time
Specifies the minimum
amount of time (in seconds) that must pass before the system allows another
network-requested PDP context for a specific MS after the previous
context was deleted. time is
an integer from 0 through 86400. Default: 60
Usage:
Once an MS deletes a
PDP context that initiated from the network, the system automatically
waits the amount of time configured by this parameter before allowing
another network initiated PDP context for the same MS.
Example:
The following command
specifies that the system waits
120 seconds
before allowing another network requested PDP context for an MS:
network-requested-pdp-context
interval 120
network-requested-pdp-context
sgsn-cache-time
Configures the time
duration that the GGSN keeps the SGSN/subscriber pair cached
in its local memory.
Privilege:
Security Administrator,
Administrator
Syntax
network-requested-pdp-context
sgsn-cache-time time
default network-requested-pdp-context
sgsn-cache-time
default
Configures the default
setting.
Default: 300 seconds
time
Specifies the time interval
(in seconds) as an integer from 0 through 86400.
Usage:
For an initial network-requested
PDP context creation, the system contacts the HLR (via the GSN-MAP
interworking node) to learn which SGSN is currently servicing the
subscriber. The system keeps that information in cache memory for
the configured time, so that future network-requested PDP context
creations for that subscriber can be initiated without having to contact
the HLR again.
Example:
The following command
configures an sgsn-cache-time of
500 seconds:
network-requested-pdp-context
sgsn-cache-time 500
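The following Python model is added for illustration and is not part of the Cisco documentation or of StarOS. It simulates the three timers described in the preceding entries (hold-down-time, interval and sgsn-cache-time) as seen by the GGSN: a downlink packet is discarded while a hold-down or interval window is running, and the HLR is only queried (through the GSN-MAP node) when the cached SGSN for the subscriber has expired. Class and method names, the HLR lookup callback and the sample IMSI are assumptions.

```python
"""Simulation of the network-requested PDP context timers described above
(hold-down-time, interval and sgsn-cache-time). Added for illustration;
not StarOS code. Class and method names are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class NrpcaTimers:
    """Per-source-context timer values in seconds (page defaults)."""
    hold_down_time: int = 60     # wait after the SGSN rejects a creation attempt
    interval: int = 60           # wait after the MS deletes a network-initiated context
    sgsn_cache_time: int = 300   # how long the SGSN learned from the HLR is cached


@dataclass
class SubscriberState:
    blocked_until: float = 0.0           # end of the hold-down or interval window
    cached_sgsn: Optional[str] = None    # SGSN address learned via the GSN-MAP node
    cache_expires: float = 0.0


class NrpcaController:
    """Decides, per downlink packet, whether a network-requested PDP
    context activation may start and whether the HLR must be asked
    which SGSN currently serves the subscriber."""

    def __init__(self, timers: NrpcaTimers, hlr_lookup: Callable[[str], str]):
        self.timers = timers
        self.hlr_lookup = hlr_lookup     # stands in for the GSN-MAP/HLR query
        self.hlr_queries = 0
        self._subs: Dict[str, SubscriberState] = {}

    def _state(self, imsi: str) -> SubscriberState:
        return self._subs.setdefault(imsi, SubscriberState())

    def on_downlink_packet(self, imsi: str, now: float) -> Optional[str]:
        """Return the SGSN to signal, or None when the packet is discarded
        because a hold-down or interval window is still running."""
        st = self._state(imsi)
        if now < st.blocked_until:
            return None
        if st.cached_sgsn is None or now >= st.cache_expires:
            st.cached_sgsn = self.hlr_lookup(imsi)
            st.cache_expires = now + self.timers.sgsn_cache_time
            self.hlr_queries += 1
        return st.cached_sgsn

    def on_sgsn_reject(self, imsi: str, now: float) -> None:
        """SGSN rejected the creation attempt: start the hold-down window."""
        self._state(imsi).blocked_until = now + self.timers.hold_down_time

    def on_context_deleted(self, imsi: str, now: float) -> None:
        """MS deleted the network-initiated context: start the interval window."""
        self._state(imsi).blocked_until = now + self.timers.interval


if __name__ == "__main__":
    imsi = "001010123456789"   # constructed sample IMSI
    ctl = NrpcaController(NrpcaTimers(hold_down_time=120), lambda i: "sgsn-a.example")
    print(ctl.on_downlink_packet(imsi, now=0))     # HLR asked, SGSN returned
    ctl.on_sgsn_reject(imsi, now=1)
    print(ctl.on_downlink_packet(imsi, now=100))   # None: inside the 120 s hold-down
    print(ctl.on_downlink_packet(imsi, now=121))   # served from cache, no new HLR query
    print(ctl.hlr_queries)
```

Note that the model keeps the cached SGSN across a hold-down window, because the page only says the cache is kept for sgsn-cache-time; whether a reject invalidates it is not stated.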
operator
Configures a context-level
operator account within the current context.
Privilege:
Security Administrator
Syntax
operator user_name [ encrypted ] password password [ ecs ] [ expiry-date date_time ] [ li-administration ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle timeout_duration ] [ timeout-min-idle idle_minutes ]
no operator user_name
no
Removes a previously
configured context-level operator account.
user_name
Specifies a name for
the account as an alphanumeric string of 1 through 32 characters.
[ encrypted ] password password
Specifies the password
to use for the user which is being given context-level operator privileges
within the current context. The encrypted keyword indicates
the password specified uses encryption.
password is
an alphanumeric string of 1 through 63 characters without encryption,
or 1 through 127 with encryption.
The encrypted keyword
is intended only for use by the system while saving configuration
scripts. The system displays the encrypted keyword
in the configuration file as a flag that the variable following
the password keyword
is the encrypted version of the plain text password. Only the encrypted
password is saved as part of the configuration file.
ecs
Permits the specific
user to access ACS-specific configuration commands from Exec Mode only.
Default: ACS-specific configuration commands are not allowed.
expiry-date date_time
Specifies the date and
time that this account expires. Enter the date and time in the format YYYY:MM:DD:HH:mm
or YYYY:MM:DD:HH:mm:ss.
Where YYYY is the year,
MM is the month, DD is the day of the month, HH is the hour, mm
is minutes, and ss is seconds.
li-administration
Refer to the Lawful Intercept Configuration
Guide for a description of this parameter.
noecs
Prevents the user from
accessing ACS-specific configuration commands. Default: Enabled
timeout-absolute abs_seconds
This keyword is obsolete.
It has been left in place for backward compatibility. If used, a warning
is issued and the value entered is rounded to the nearest whole
minute.
Specifies the maximum
amount of time (in seconds) the context-level operator may have
a session active before the session is forcibly terminated. abs_seconds must
be a value in the range from 0 through 300000000. The value 0 disables
the absolute timeout. Default: 0
timeout-min-absolute abs_minutes
Specifies the maximum
amount of time (in minutes) the context-level operator may have
a session active before the session is forcibly terminated. abs_minutes must
be an integer from 0 through 300000000. The value 0 disables the
absolute timeout. Default: 0
timeout-idle timeout_duration
This keyword is obsolete.
It has been left in place for backward compatibility. If used, a warning
is issued and the value entered is rounded to the nearest whole
minute.
Specifies the maximum
amount of idle time (in seconds) the context-level operator may have
a session active before the session is terminated. timeout_duration must
be an integer from 0 through 300000000. The value 0 disables the
idle timeout. Default: 0
timeout-min-idle idle_minutes
Specifies the maximum
amount of idle time (in minutes) the context-level operator may have
a session active before the session is terminated. idle_minutes must
be an integer from 0 through 300000000. The value 0 disables the
idle timeout. Default: 0
Usage:
Use this command to
create a new context-level operator or modify an existing operator's options,
in particular the timeout values.
Operators have read-only
privileges. They can maneuver across multiple contexts, but cannot
perform configuration operations. Refer to the Command Line Interface Overview chapter
for more information.
IMPORTANT:
A maximum of 128 administrative
users and/or subscribers may be locally configured per context.
Example:
The following command
creates a context-level operator account named
user1 with
ACS control:
operator user1 password
secretPassword ecs
The following command
removes a previously configured context-level operator account named
user1:
no operator user1
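The following Python validator is added for illustration and is not part of the Cisco documentation or of StarOS. It applies the argument rules stated in the operator entry above (user name length, password length with and without encrypted, expiry-date format, timeout range, and the rounding of the obsolete second-based timeouts to whole minutes) before a configuration line is generated or audited. Function names are assumptions, as is the tie-breaking rule for rounding, which the page does not specify.

```python
"""Validator for the operator command arguments described above. Added
example, not StarOS code; function names are assumptions."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TIMEOUT_MAX = 300_000_000
EXPIRY_FORMATS = ("%Y:%m:%d:%H:%M:%S", "%Y:%m:%d:%H:%M")   # YYYY:MM:DD:HH:mm[:ss]


def validate_user_name(name: str) -> str:
    """user_name: 1 through 32 characters (character set beyond 'no blanks' assumed)."""
    if not (1 <= len(name) <= 32) or any(c.isspace() for c in name):
        raise ValueError("user_name must be a string of 1 through 32 characters")
    return name


def validate_password(password: str, encrypted: bool = False) -> str:
    """password: 1 through 63 characters, or 1 through 127 with encrypted."""
    limit = 127 if encrypted else 63
    if not (1 <= len(password) <= limit) or any(c.isspace() for c in password):
        raise ValueError(f"password must be 1 through {limit} characters")
    return password


def parse_expiry_date(text: str) -> datetime:
    for fmt in EXPIRY_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("expiry-date must be YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss")


def validate_timeout(value: int) -> int:
    """Timeouts are integers from 0 through 300000000; 0 disables the timeout."""
    if not (0 <= value <= TIMEOUT_MAX):
        raise ValueError("timeout must be an integer from 0 through 300000000")
    return value


def seconds_to_minutes(seconds: int) -> int:
    """Obsolete timeout-absolute / timeout-idle values are rounded to the
    nearest whole minute. Halves round up (assumption; the page does not say)."""
    validate_timeout(seconds)
    return (seconds + 30) // 60


def build_operator(user_name: str, password: str, encrypted: bool = False,
                   ecs: bool = False, expiry_date: Optional[str] = None,
                   timeout_absolute: Optional[int] = None, timeout_min_absolute: int = 0,
                   timeout_idle: Optional[int] = None, timeout_min_idle: int = 0
                   ) -> Tuple[Dict[str, object], List[str]]:
    """Return the normalized account settings plus the warnings an operator
    would see for obsolete keywords."""
    warnings: List[str] = []
    cfg: Dict[str, object] = {
        "user_name": validate_user_name(user_name),
        "password": validate_password(password, encrypted),
        "encrypted": encrypted,
        "ecs": ecs,
        "expiry_date": parse_expiry_date(expiry_date) if expiry_date else None,
    }
    if timeout_absolute is not None:
        warnings.append("timeout-absolute is obsolete; value rounded to whole minutes")
        timeout_min_absolute = seconds_to_minutes(timeout_absolute)
    if timeout_idle is not None:
        warnings.append("timeout-idle is obsolete; value rounded to whole minutes")
        timeout_min_idle = seconds_to_minutes(timeout_idle)
    cfg["timeout_min_absolute"] = validate_timeout(timeout_min_absolute)   # 0 disables
    cfg["timeout_min_idle"] = validate_timeout(timeout_min_idle)           # 0 disables
    return cfg, warnings


if __name__ == "__main__":
    settings, warns = build_operator("user1", "secretPassword", ecs=True, timeout_absolute=90)
    print(settings["timeout_min_absolute"], warns)
```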
optimize pdsn inter-service-handoff
Controls the optimization
of the system’s handling of inter-PDSN handoffs.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] optimize
pdsn inter-service-handoff
default
Resets the command to
its default setting of enabled.
Usage:
When more than one PDSN
service is defined in a context, each PDSN-Service acts as an independent
PDSN. When a Mobile Node (MN) moves from one PDSN service to another PDSN
service, by rule, it is an inter-PDSN handoff. This command optimizes
PDSN handoffs between PDSN Services that are defined in the same
context in the system.
The default for this
parameter is enabled. The no keyword disables this functionality.
When enabled, the system
treats handoffs between two PDSN services in the same
context as an inter-PDSN handoff. Existing PPP session state and
connection information are reused. If the inter-PDSN handoff requires
a PPP restart, PPP is restarted. The optimized inter-service handoff
may avoid restarting PPP during handoffs, allowing the MN to keep
the same IP address for the Simple IP session.
Example:
optimize pdsn inter-service-handoff
pdg-service
Creates a new PDG service
or specifies an existing PDG service and enters the PDG Service
Configuration Mode. A maximum of 16 PDG services can be created.
This limit applies per ASR 5000 chassis and per context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pdg-service name
no
Deletes the specified
PDG service.
name
Specifies the name of
a new or existing PDG service as an alphanumeric string 1 through
63 characters that must be unique across all FNG services within
the same context and across all contexts.
Usage:
Use this command in
Context Configuration Mode to create a new PDG service or modify an
existing one. Executing this command enters the PDG Service Configuration Mode.
Example:
The following command
configures a PDG service named
pdg_service_1 and
enters the PDG Service Configuration Mode:
pdg-service pdg_service_1
pdif-service
Creates a new, or specifies
an existing, Packet Data Interworking Function (PDIF) service and
enters the PDIF Service Configuration Mode.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pdif-service name [ -noconfirm ]
name
Specifies the name of
a new or existing PDIF service as an alphanumeric string of 1 through 63
characters.
Usage:
Use this command to
create a new or enter an existing PDIF service.
Entering this command
results in the following prompt:
[context_name]hostname(config-pdif-service)#
PDIF Service Configuration
Mode commands are defined in the PDIF Service Configuration
Mode Commands chapter.
Example:
The following command
configures a PDIF service called
pdif2 and
enters the PDIF Service Configuration Mode:
pdif-service pdif2
pdsn-service
Creates or deletes a
packet data service or specifies an existing PDSN service for which
to enter the Packet Data Service Configuration Mode for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pdsn-service name
no
Indicates the packet
data service specified is to be removed.
name
Specifies the name of
the PDSN service to configure. If name does
not refer to an existing service, the new service is created if
resources allow. name is
an alphanumeric string of 1 through 63 characters.
Usage:
Enter the PDSN Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (resulting from such things as system handoffs).
Therefore, it is recommended that a large number of services only
be configured if your application absolutely requires it. Please
contact your Cisco service representative for more information.
Example:
The following command
will enter the PDSN Service Configuration Mode creating the service
sampleService,
if necessary.
pdsn-service sampleService
The following command
will remove
sampleService as
being a defined PDSN service.
no pdsn-service sampleService
pgw-service
Creates a PDN-Gateway
(P-GW) service or specifies an existing P-GW service and enters
the P-GW Service Configuration Mode for the current context.
Syntax
pgw-service service_name [ -noconfirm ]
no pgw-service service_name
service_name
Specifies the name of
the P-GW service. If service_name does not
refer to an existing service, the new service is created if resources
allow. service_name is
an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
no pgw-service service_name
Removes the specified
P-GW service from the context.
Usage:
Enter the P-GW Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system
handoffs). Therefore, it is recommended that a large number of services
only be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Entering this command
results in the following prompt:
[context_name]hostname(config-pgw-service)#
P-GW Service Configuration
Mode commands are defined in the P-GW Service Configuration
Mode Commands chapter.
Use this command when
configuring the following eHRPD and SAE components: P-GW.
Example:
The following command
enters the existing P-GW Service Configuration Mode (or creates
it if it does not already exist) for the service named
pgw-service1:
pgw-service pgw-service1
The following command
will remove
pgw-service1 from
the system:
no pgw-service pgw-service1
policy
Enters an existing accounting
policy or creates a new one where accounting parameters are configured.
Product:
HSGW, P-GW, S-GW
Syntax
[ no ] policy
accounting name
no
Removes the specified
accounting policy from the context.
name
Specifies the name of
the existing or new accounting policy as an alphanumeric string
of 1 through 63 characters.
Usage:
Use this command to
enter the Accounting Policy Configuration Mode to edit an existing accounting
policy or configure a new one.
Entering this command
results in the following prompt:
[context_name]hostname(config-accounting-policy)#
Accounting Policy Configuration
Mode commands are defined in the Accounting Policy Configuration
Mode Commands chapter.
Example:
The following command
enters the Accounting Policy Configuration Mode for a policy named
acct5:
policy accounting acct5
policy-group
Creates or deletes a
policy group. It enters the Policy-Group Configuration Mode within
the current destination context for flow-based traffic policing
to a subscriber session flow.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] policy-group
name policy_group
no
Deletes the configured policy
group within the context.
name policy_group
Specifies the name of
Policy-Group as an alphanumeric string of 1 through 15 characters that
is case sensitive.
Usage:
Use this command to
form a policy group from a set of configured Policy-Maps. A policy group
supports up to 16 policies for a subscriber session flow.
Example:
The following command
configures a policy group
policy_group1 for
a subscriber session flow:
policy-group name policy_group1
policy-map
Creates or deletes a
policy map. It enters the Traffic Policy-Map Configuration Mode
within the current destination context to configure the flow-based
traffic policing for a subscriber session flow.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] policy-map
name policy_name
no
Deletes the configured Policy-Map
within the context.
name policy_name
Specifies the name of
Policy-Map as an alphanumeric string of 1 through 15 characters
that is case sensitive.
Usage:
Use this command to
enter Traffic Policy-Map Configuration Mode and to set the Class-Map
and corresponding traffic flow treatment to traffic policy for a
subscriber session flow.
Example:
The following command configures
a policy map named
policy1, in which
flow treatments are configured:
policy-map name policy1
ppp
Configures point-to-point
protocol parameters for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
ppp { acfc { receive { allow | deny } | transmit { apply | ignore | reject } } | auth-retry suppress-aaa-auth | chap fixed-challenge-length length | dormant send-lcp-terminate | echo-max-retransmissions num_retries | echo-retransmit-timeout msec | first-lcp-retransmit-timeout milliseconds | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay delay | lcp-terminate connect-state | lcp-terminate mip-lifetime-expiry | lcp-terminate mip-revocation | max-authentication-attempts num | max-configuration-nak num | max-retransmissions number | max-terminate number | mru packet_size | negotiate default-value-options | peer-authenticate user_name [ [ encrypted ] password password ] | pfc { receive { allow | deny } | transmit { apply | ignore | reject } } | reject-peer-authentication | renegotiation retain-ip-address | retransmit-timeout milliseconds }
no ppp { auth-retry suppress-aaa-auth | chap fixed-challenge-length | dormant send-lcp-terminate | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay | lcp-terminate connect-state | reject-peer-authentication | renegotiation retain-ip-address }
default ppp lcp-authentication-discard retry-alternate num_discard
default
Restores the system
defaults for the specific command/keyword.
no
Disables, deletes, or
resets the specified option.
With no ppp renegotiation
retain-ip-address, the initially allocated IP address is
released and a new IP address is allocated during PPP renegotiation.
acfc { receive { allow | deny } | transmit { apply | ignore | reject} }
Configures PPP Address
and Control Field Compression (ACFC) parameters.
receive { allow | deny }
This keyword specifies
whether to allow Address and Control Field Compressed PPP packets
received from the Peer. During LCP negotiation, the local PPP side
indicates whether it can handle ACFC compressed PPP packets. Default: allow
When allow is specified,
the local PPP side indicates that it can process ACFC compressed PPP
packets and compressed packets are allowed. When deny is specified,
the local PPP side indicates that it cannot handle ACFC compressed
packets and compressed packets are not allowed.
transmit { apply | ignore | reject }
Specifies how Address
and Control Field Compression should be applied for PPP packets transmitted
to the Peer. During LCP negotiation, the Peer indicates whether
it can handle ACFC compressed PPP packets. Default: ignore
When apply is specified,
if the peer requests ACFC, the request is accepted and ACFC is applied
for transmitted PPP packets. When ignore is specified, if the peer
requests ACFC, the request is accepted, but ACFC is not applied
for transmitted PPP packets. When reject is specified, if the peer
requests ACFC, the request is rejected and ACFC is not applied to transmitted
packets.
auth-retry suppress-aaa-auth
This option does not
allow PPP authentication retries to the AAA server after the AAA server
has already authenticated a session. PPP locally stores the username
and password, or challenge response, after a successful PPP authentication.
If the Mobile Node retries the PAP request or CHAP-Response packet
to the PDSN, PPP locally compares the incoming username, password
or Challenge Response with the information stored from the previous
successful authentication. If it matches, PAP ACK or CHAP Success
is sent back to the Mobile Node, without performing AAA authentication.
If the incoming information does not match with what is stored locally,
then AAA authentication is attempted. The locally stored PPP authentication information
is cleared once the session reaches a connected state.
Default: no auth-retry suppress-aaa-auth
IMPORTANT:
This option is not supported
in conjunction with the GGSN product.
chap fixed-challenge-length length
Normally PPP CHAP uses
a random challenge length from 17 to 32 bytes. This keyword configures
a specific fixed challenge length of 4 through
32 bytes. length must
be an integer from 4 through 32.
Default: Disabled. PPP
CHAP uses a random challenge length.
dormant send-lcp-terminate
Indicates a link control
protocol (LCP) terminate message is enabled for dormant sessions.
IMPORTANT:
This option is not supported
in conjunction with the GGSN product.
echo-max-retransmissions num_retries
Configures the maximum
number of retransmissions of LCP ECHO_REQ before a session is
terminated in an always-on session. num_retries must
be an integer from 1 through 16. Default: 3
echo-retransmit-timeout msec
Configures the timeout
(in milliseconds) before trying LCP ECHO_REQ for an always-on session. msec must
be an integer from 100 through 5000. Default: 3000
first-lcp-retransmit-timeout milliseconds
Specifies the number
of milliseconds to wait before attempting to retransmit control
packets. This value configures the first retry. All subsequent retries
are controlled by the value configured for the ppp retransmit-timeout keyword.
milliseconds must
be an integer from 100 through 5000. Default: 3000
lcp-authentication-discard
retry-alternate num_discard
Sets the number of times
the authentication option is discarded during LCP negotiation
before the system retries with the alternate authentication option. num_discard must
be an integer from 0 through 5. Recommended value is 2. Default:
Disabled.
lcp-authentication-reject
retry-alternate
Specifies that if the
authentication option is rejected during LCP negotiation, the system
retries with the allowed alternate authentication option.
Default: Disabled. No
alternate authentication option will be retried.
lcp-start-delay delay
Specifies the delay
(in milliseconds) before link control protocol (LCP) is started. delay must
be an integer from 0 through 5000. Default: 0
lcp-terminate connect-state
Enables sending an LCP
terminate message to the Mobile Node when a PPP session is disconnected
if the PPP session was already in a connected state.
Note that if the no
keyword is used with this option, the PDSN must still send LCP Terminate
in the event of an LCP/PCP negotiation failure or PPP authentication
failure, which happens during connecting state.
IMPORTANT:
This option is not supported
in conjunction with the GGSN product.
lcp-terminate mip-lifetime-expiry
Configures the PDSN
to send an LCP Terminate Request when a MIP Session is terminated due
to MIP Lifetime expiry (default).
Note that if the no
keyword is used with this option, the PDSN does not send a LCP Terminate
Request when a MIP session is terminated due to MIP Lifetime expiry.
lcp-terminate mip-revocation
Configures the PDSN
to send a LCP Terminate Request when a MIP Session is terminated due
to a Revocation being received from the HA (default).
Note that if the no
keyword is used with this option, the PDSN does not send a LCP Terminate
Request when a MIP session is terminated due to a Revocation being
received from the HA.
max-authentication-attempts num
Configures the maximum
number of times PPP authentication is attempted. num must be
an integer from 1 through 10. Default: 1
max-configuration-nak num
This command configures
the maximum number of consecutive configuration REJ/NAKs that
can be sent during CP negotiations, before the CP is terminated. num must
be an integer from 1 through 20. Default: 10
max-retransmission number
Specifies the maximum
number of times control packets will be retransmitted. number must
be an integer from 1 through 16. Default: 5
max-terminate number
Sets the maximum number
of PPP LCP Terminate Requests transmitted to the Mobile Node. number must
be an integer from 0 through 16. Default: 2
IMPORTANT:
This option is not
supported in conjunction with the GGSN product.
mru packet_size
Specifies the maximum
packet size, in bytes, that can be received. packet_size must
be an integer from 128 through 1500. Default: 1500
negotiate default-value-options
Enables the inclusion
of configuration options with default values in PPP configuration requests.
Default: Disabled
The PPP standard states
that configuration options with default values should not be included
in Configuration Request (LCP, IPCP, etc.) packets. If the option
is missing in the Configuration Request, the peer PPP assumes the
default value for that configuration option.
When negotiate default-value-options is
enabled, configuration options with default values are included
in the PPP configuration Requests.
peer-authenticate user_name [ [ encrypted ] password password ]
Specifies the user
name and an optional password required for point-to-point protocol
peer connection authentications. user_name is
an alphanumeric string of 1 through 63 characters. The keyword password is
optional and if specified password is
an alphanumeric string of 1 through 63 characters. The password
specified must be in an encrypted format if the optional keyword encrypted was
specified.
The encrypted keyword
is intended only for use by the system while saving configuration
scripts. The system displays the encrypted keyword
in the configuration file as a flag that the variable following
the password keyword
is the encrypted version of the plain text password. Only the encrypted
password is saved as part of the configuration file.
pfc { receive { allow | deny } | transmit { apply | ignore | reject} }
Configures Protocol
Field Compression (PFC) parameters.
receive { allow | deny } Default: allow
This keyword specifies
whether to allow Protocol Field Compression (PFC) for PPP packets received
from the peer. During LCP negotiation, the local PPP side indicates
whether it can handle Protocol Field Compressed PPP packets.
When allow is specified,
the peer is allowed to request PFC during LCP negotiation. When deny
is specified, the Peer is not allowed to request PFC during LCP
negotiation.
transmit { apply | ignore | reject } Default: ignore
This keyword specifies
how Protocol Field Compression should be applied for PPP packets transmitted
to the Peer. During LCP negotiation, the Peer indicates whether
it can handle PFC compressed PPP packets.
When apply is specified,
if the peer requests PFC, the request is accepted and PFC is applied for
transmitted PPP packets. When ignore is
specified, if the peer requests PFC, the request is accepted but PFC is not
applied for transmitted packets. When reject is specified,
all requests for PFC from the peer are rejected.
reject-peer-authentication
Configures the system
to reject peer requests for authentication; if this behavior has been
disabled with no, this keyword re-enables it. Default: Enabled
renegotiation retain-ip-address
If enabled, retains
the currently allocated IP address for the session during PPP renegotiation (Simple
IP) between the FA and the Mobile Node. Default: Enabled
If disabled, the initially
allocated IP address is released and a new IP address is
allocated during PPP renegotiation.
retransmit-timeout milliseconds
Specifies the number
of milliseconds to wait before attempting to retransmit control
packets. milliseconds must
be an integer from 100 through 5000. Default: 3000
Usage:
Modify the context
PPP options so that PPP session authentication and communication
result in fewer dropped sessions.
Example:
The following commands
set various PPP options:
ppp dormant send-lcp-terminate
ppp max-retransmission 3
ppp peer-authenticate
user1 password secretPwd
ppp peer-authenticate user1
ppp retransmit-timeout 1000
The following command
disables the sending of LCP terminate messages for dormant sessions.
no ppp dormant send-lcp-terminate
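The following Python example is added for illustration and is not part of the Cisco documentation or of StarOS. It implements CHAP verification as defined in RFC 1994 (MD5 over Identifier, secret and Challenge) and wires in the two keywords explained above: chap fixed-challenge-length, which replaces the random 17 to 32 byte challenge with a fixed 4 to 32 byte one, and auth-retry suppress-aaa-auth, under which a retried CHAP-Response that matches the last successful one is answered locally, any other value is sent to AAA, and the stored result is cleared once the session is connected. Class and function names, the AAA callback and the subscriber secret are assumptions.

```python
"""PPP CHAP (RFC 1994, MD5) verification with the two knobs described
above: chap fixed-challenge-length and auth-retry suppress-aaa-auth.
Added example, not StarOS code; names are assumptions."""
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

AaaVerify = Callable[[str, int, bytes, bytes], bool]
Attempt = Tuple[str, int, bytes, bytes]


def make_challenge(fixed_length: Optional[int] = None) -> bytes:
    """Random challenge of 17..32 bytes by default, or the configured fixed
    length (4 through 32) when chap fixed-challenge-length is set."""
    if fixed_length is None:
        length = 17 + os.urandom(1)[0] % 16
    elif 4 <= fixed_length <= 32:
        length = fixed_length
    else:
        raise ValueError("length must be an integer from 4 through 32")
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-Response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class PppAuthenticator:
    """PDSN-side authenticator. With suppress_aaa_retry=True, a retried
    CHAP-Response identical to the last successful one is answered
    locally without a second AAA round trip; anything else goes to AAA.
    The stored result is cleared when the session reaches connected state."""

    def __init__(self, aaa_verify: AaaVerify, suppress_aaa_retry: bool = False):
        self.aaa_verify = aaa_verify
        self.suppress_aaa_retry = suppress_aaa_retry
        self.aaa_calls = 0
        self._last_success: Optional[Attempt] = None

    def authenticate(self, username: str, identifier: int,
                     challenge: bytes, response: bytes) -> bool:
        attempt: Attempt = (username, identifier, challenge, response)
        if self.suppress_aaa_retry and self._matches_last_success(attempt):
            return True                      # CHAP Success sent without AAA
        self.aaa_calls += 1
        ok = self.aaa_verify(*attempt)
        if ok:
            self._last_success = attempt
        return ok

    def _matches_last_success(self, attempt: Attempt) -> bool:
        last = self._last_success
        if last is None:
            return False
        return (last[0] == attempt[0] and last[1] == attempt[1]
                and last[2] == attempt[2]
                and hmac.compare_digest(last[3], attempt[3]))

    def on_connected(self) -> None:
        """Session reached connected state: forget the stored credentials."""
        self._last_success = None


def demo_aaa(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Stand-in AAA server holding one constructed subscriber secret."""
    secrets = {"user1": b"s3cretPwd"}     # constructed sample data
    secret = secrets.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


if __name__ == "__main__":
    auth = PppAuthenticator(demo_aaa, suppress_aaa_retry=True)
    chal = make_challenge(16)          # as with: ppp chap fixed-challenge-length 16
    resp = chap_response(1, b"s3cretPwd", chal)
    print(auth.authenticate("user1", 1, chal, resp), auth.aaa_calls)   # True 1
    print(auth.authenticate("user1", 1, chal, resp), auth.aaa_calls)   # True 1 (local)
```

The retry path only short-circuits AAA when user name, identifier, challenge and response all match the previous success, which is what makes it safe to skip the round trip: a different response is never accepted locally.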
ppp magic-number
Manages magic number
checking during LCP Echo message handling. The magic number is a
random number chosen to distinguish a peer and detect looped back lines.
Privilege:
Security Administrator,
Administrator
Syntax
[ no | default ] ppp
magic-number receive ignore
no
Disables the specified
behavior.
default
Restores the system
defaults for the specific command/keyword.
receive ignore
Ignores the checking
of magic number at the PDSN during LCP Echo message handling. Default:
Disabled.
If valid magic numbers
were negotiated for the PPP endpoints during LCP negotiation and LCP
Echo Request/Response messages carry invalid magic numbers, enabling
this command causes the system to ignore magic number checking
during LCP Echo message handling.
Usage:
Use this command to
allow the system to ignore invalid magic numbers during LCP Echo Request/Response
handling.
Example:
The following command
allows invalid magic numbers during LCP Echo Request/Response
negotiation:
ppp magic-number receive ignore
ppp statistics
Changes the manner in
which some PPP statistics are calculated.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ppp
statistics success-sessions { lcp-max-retry | misc-reasons | remote-terminated }
no
Disable the specified
behavior.
success-sessions lcp-max-retry
Alters statistical
calculations so that: ppp successful session = successful
sessions + lcp-max-retry.
success-sessions misc-reasons
Alters statistical
calculations so that: ppp successful session = successful
sessions + misc-reasons.
success-sessions remote-terminated
Alters statistical
calculations so that: ppp successful session = successful
sessions + remote-terminated.
Usage:
Use this command to
alter how certain PPP statistics are calculated.
CAUTION:
This command alters
the way that some PPP statistics are calculated. Please consult
your designated service representative before using this command.
Example:
The following command
alters the statistic “ppp successful session” so
that it displays the sum of successful sessions and lcp-max-retry:
ppp statistics success-sessions
lcp-max-retry
The following command
disables the alteration of the statistic ppp successful session:
no ppp statistics success-sessions
lcp-max-retry
proxy-dns intercept-list
Enters the HA Proxy
DNS Configuration Mode and defines a name of a redirect rules list
for the domain name servers associated with a particular FA (Foreign
Agent) or group of FAs.
IMPORTANT:
HA Proxy DNS Intercept
is a license-enabled feature.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] proxy-dns
intercept-list name
no
Removes the intercept
list from the system.
name
Defines the rules list
and enters the Proxy DNS Configuration Mode. name must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
define a name for a list of rules pertaining to the IP addresses associated
with the foreign network’s DNS. Up to 128 rules of any
type can be configured per rules list.
Upon entering the command,
the system switches to the HA Proxy DNS Configuration Mode, where
the lists can be defined. Up to 64 separate rules lists can be configured
in a single AAA context.
This command and the
commands in the HA Proxy DNS Configuration Mode provide a solution
to the Mobile IP problem that occurs when a MIP subscriber, with
a legacy MN or MN that does not support IS-835D, receives a DNS
server address from a foreign network that is unreachable from the
home network. The following flow shows the steps that occur when
this feature is enabled:
By configuring the
Proxy DNS feature on the Home Agent, the foreign DNS address is intercepted
and replaced with a home DNS address while the call is being handled
by the home network.
Example:
The following command
creates a proxy DNS rules list named
list1 and
places the CLI in the HA Proxy DNS Configuration Mode:
proxy-dns intercept-list list1
radius accounting
This command configures
RADIUS accounting parameters for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
radius accounting { archive [ stop-only ] | deadtime dead_minutes | detect-dead-server { consecutive-failures consecutive_failures | keepalive | response-timeout timeout_duration } | interim interval seconds | max-outstanding max_messages | max-pdu-size octets | max-retries max_retries | max-transmissions max_transmissions | timeout timeout_duration | unestablished-sessions }
default radius accounting { deadtime | detect-dead-server | interim
interval seconds | max-outstanding | max-pdu-size | max-retries | max-transmissions | timeout }
no radius accounting { archive | detect-dead-server | interim
interval | max-transmissions | unestablished-sessions }
default
Configures the default
settings.
no
Removes earlier configuration
for the specified keyword.
archive [ stop-only ]
Enables archiving of
RADIUS Accounting messages in the system after the accounting message
has exhausted retries to all available RADIUS Accounting servers.
All RADIUS Accounting messages generated by a session are delivered
to the RADIUS Accounting server in serial. That is, previous RADIUS
Accounting messages from the same call must be delivered and acknowledged
by the RADIUS Accounting server before the next RADIUS Accounting
message is sent to the RADIUS Accounting server.
stop-only specifies
archiving of STOP accounting messages only.
Default: Enabled
deadtime dead_minutes
Specifies the number
of minutes to wait before attempting to communicate with a server which
has been marked as unreachable.
dead_minutes must
be an integer from 0 through 65535.
Default: 10
detect-dead-server { consecutive-failures consecutive_failures | keepalive | response-timeout timeout_duration }
- consecutive-failures consecutive_failures:
Specifies the number of consecutive failures, for each AAA manager,
before a server is marked as unreachable. consecutive_failures must
be an integer from 0 through 1000. Default: 4
- keepalive:
Enables the AAA server alive-dead detect mechanism based on sending
keepalive authentication messages to all authentication servers. Default: Disabled
- response-timeout timeout_duration:
Specifies the number of seconds for each AAA manager to wait for
a response to any message before a server is detected as failed, or
in a down state. timeout_duration must
be an integer from 1 through 65535.
IMPORTANT:
If both consecutive-failures and response-timeout are
configured, then both parameters have to be met before a server
is considered unreachable, or dead.
interim interval seconds
Specifies the time
interval (in seconds) for sending accounting INTERIM-UPDATE records. seconds must
be an integer from 50 through 40000000.
IMPORTANT:
If RADIUS is used as
the accounting protocol for the GGSN product, other commands are used
to trigger periodic accounting updates. However, these commands
would cause RADIUS STOP/START packets to be sent as opposed
to INTERIM-UPDATE packets. Also note that accounting interim interval
settings received from a RADIUS server take precedence over those
configured on the system.
Default: Disabled
max-outstanding max_messages
Specifies the maximum
number of outstanding messages a single AAA manager instance will
queue. max_messages must
be an integer from 1 through 4000. Default: 256
max-pdu-size octets
Specifies the maximum-sized
packet data unit that can be accepted/generated
in bytes (octets). octets must
be an integer from 512 through 4096. Default: 4096
max-retries max_retries
Specifies the maximum
number of times communication with an AAA server will be attempted
before it is marked as unreachable and the detect dead servers consecutive
failures count is incremented. max_retries must
be an integer from 0 through 65535. Default: 5
Once the maximum number
of retries is reached this is considered a single failure for the consecutive
failures count for detecting dead servers.
max-transmissions max_transmissions
Sets the maximum number
of transmissions for a RADIUS accounting message before the message
is declared as failed. max_transmissions must
be an integer from 1 through 65535. Default: Disabled
timeout timeout_duration
Specifies the amount
of time (in seconds) to wait for a response from a RADIUS server before retransmitting
a request. timeout_duration must
be an integer from 1 through 65535. Default: 3
unestablished-sessions
Indicates RADIUS STOP
events are to be generated for sessions that were initiated but never
fully established.
Usage:
Manage the RADIUS accounting
options according to the RADIUS server used for the context.
Example:
The following commands
configure accounting options.
radius accounting detect-dead-server consecutive-failures 5
radius accounting max-pdu-size 1024
radius accounting timeout 16
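The interplay of max-retries, detect-dead-server consecutive-failures and deadtime described above, as an added simulation (not StarOS code): one exhausted retry sequence is a single failure, the configured number of consecutive failures marks the server dead, and the server is skipped until deadtime has elapsed. Server address, minute values and the reply pattern are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple


@dataclass
class AcctServer:
    """One RADIUS accounting server as tracked by a single AAA manager."""
    address: str
    max_retries: int = 5            # radius accounting max-retries (default 5)
    consecutive_failures: int = 4   # detect-dead-server consecutive-failures (default 4)
    deadtime_min: int = 10          # radius accounting deadtime (default 10)
    failures: int = 0               # consecutive exhausted-retry failures so far
    dead_until: Optional[float] = None  # minute at which the server may be retried

    def is_dead(self, now_min: float) -> bool:
        """True while the server is marked unreachable; clears once deadtime passes."""
        if self.dead_until is None:
            return False
        if now_min >= self.dead_until:
            self.dead_until = None   # deadtime elapsed: attempt the server again
            self.failures = 0
            return False
        return True

    def send(self, replies: Iterator[bool], now_min: float) -> Tuple[bool, int]:
        """Deliver one accounting message.

        `replies` yields True (ACK) or False (no answer) per transmission; the
        first transmission plus max_retries retransmissions are allowed.
        Returns (delivered, transmissions_used).
        """
        if self.is_dead(now_min):
            return False, 0          # skipped: the server is in deadtime
        for attempt in range(1, self.max_retries + 2):
            if next(replies):
                self.failures = 0    # any ACK resets the consecutive count
                return True, attempt
        # Retries exhausted: this is ONE failure toward consecutive-failures.
        self.failures += 1
        if self.failures >= self.consecutive_failures:
            self.dead_until = now_min + self.deadtime_min
        return False, self.max_retries + 1


def no_reply() -> Iterator[bool]:
    """Constructed stand-in for a server that never answers."""
    return iter(lambda: False, True)


if __name__ == "__main__":
    srv = AcctServer("192.0.2.10", max_retries=2, consecutive_failures=2, deadtime_min=10)
    for minute in (0, 1, 5, 11):
        result = srv.send(no_reply(), minute)
        print(f"minute {minute}: {result}, {'dead' if srv.is_dead(minute) else 'alive'}")
```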
radius accounting algorithm
This command specifies
the fail-over/load-balancing algorithm to select the RADIUS
accounting server(s) to which accounting data must be sent.
Privilege:
Security Administrator,
Administrator
Syntax
radius accounting algorithm { first-n n | first-server | round-robin }
default radius accounting algorithm
default
Configures the default
setting.
Default: first-server
first-n n
Specifies that the
AGW must send accounting data to n (more than
one) AAA servers based on their priority. The full set of accounting
data is sent to each of the n AAA servers.
Response from any one of the servers would suffice to proceed with
the call. On receiving an ACK from any one of the servers, all retries
are stopped.
n is the
number of AAA servers to which accounting data will be sent, and
must be an integer from 2 through 128. Default: 1 (Disabled)
first-server
Specifies that the
context must send accounting data to the RADIUS server with the
highest configured priority. In the event that this server becomes
unreachable, accounting data is sent to the server with the next-highest
configured priority. This is the default algorithm.
round-robin
Specifies that the
context must load balance sending accounting data among all of the defined
RADIUS servers. Accounting data is sent in a circular queue fashion
on a per Session Manager task basis, where data is sent to the next
available server and restarts at the beginning of the list of configured
servers. The order of the list is based upon the configured relative
priority of the servers.
Usage:
Use this command to
specify the algorithm to select the RADIUS accounting server(s)
to which accounting data must be sent.
Example:
The following command
specifies to use the round-robin algorithm to select the RADIUS server:
radius accounting algorithm round-robin
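The three selection algorithms above, modelled as an added example (not StarOS code): priority follows the radius accounting server convention where 1 is highest, unreachable servers are skipped, and the round-robin cursor is kept per caller the way the text describes it per Session Manager task. Addresses and priorities are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    address: str
    priority: int          # 1 is the highest priority, 1000 the lowest
    reachable: bool = True


def by_priority(servers: List[Server]) -> List[Server]:
    """Selection always walks servers from highest to lowest configured priority."""
    return sorted(servers, key=lambda s: s.priority)


def first_server(servers: List[Server]) -> List[str]:
    """first-server: the highest-priority reachable server gets the data;
    when it becomes unreachable the next-highest priority server is used."""
    for s in by_priority(servers):
        if s.reachable:
            return [s.address]
    return []


def first_n(servers: List[Server], n: int) -> List[str]:
    """first-n: the full accounting data goes to n reachable servers in
    priority order; an ACK from any one of them stops all retries."""
    if not 2 <= n <= 128:
        raise ValueError("n must be an integer from 2 through 128")
    return [s.address for s in by_priority(servers) if s.reachable][:n]


class RoundRobin:
    """round-robin: a cursor that circles the priority-ordered list,
    skipping servers that are currently unreachable."""

    def __init__(self, servers: List[Server]) -> None:
        self._ordered = by_priority(servers)   # shares Server objects with the caller
        self._cursor = 0

    def next_target(self) -> Optional[str]:
        for _ in range(len(self._ordered)):
            s = self._ordered[self._cursor]
            self._cursor = (self._cursor + 1) % len(self._ordered)
            if s.reachable:
                return s.address
        return None   # every configured server is unreachable


if __name__ == "__main__":
    pool = [Server("10.0.0.2", 20), Server("10.0.0.1", 10), Server("10.0.0.3", 30)]
    print("first-server:", first_server(pool))
    print("first-n 2   :", first_n(pool, 2))
    rr = RoundRobin(pool)
    print("round-robin :", [rr.next_target() for _ in range(4)])
```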
radius accounting apn-to-be-included
This command configures
the Access Point Name (APN) to be included for RADIUS accounting.
Privilege:
Security Administrator,
Administrator
Syntax
radius accounting apn-to-be-included { gi | gn }
default radius accounting apn-to-be-included
default
Configures the default
setting.
gi
Specifies the usage
of the Gi APN name in the RADIUS accounting request. The Gi APN represents
the APN received in the Create PDP context request message from
the SGSN.
gn
Specifies the usage
of the Gn APN name in the RADIUS accounting request. The Gn APN represents
the APN selected by the GGSN.
Usage:
Use this command to
configure the APN name for RADIUS Accounting. This can be set to either
gi or gn.
Example:
The following command
specifies the usage of Gn APN name in the RADIUS accounting request:
radius accounting apn-to-be-included gn
radius accounting billing-version
This command configures
the billing-system version of RADIUS accounting servers.
Privilege:
Security Administrator,
Administrator
Syntax
radius accounting billing-version version
default radius accounting billing-version
default
Configures the default
setting. Default: 0
version
Specifies the billing-system
version of RADIUS accounting servers as an integer from 0 through
4294967295. Default: 0
Usage:
Use this command to
configure the billing-system version of RADIUS accounting servers.
Example:
The following command
configures the billing-system version of RADIUS accounting servers
as 10:
radius accounting billing-version 10
radius accounting gtp trigger-policy
This command configures
the RADIUS accounting trigger policy for GTP messages.
Privilege:
Security Administrator,
Administrator
Syntax
radius accounting gtp trigger-policy [ standard | ggsn-preservation-mode ]
default radius accounting gtp trigger-policy
default
Resets the RADIUS accounting
trigger policy to standard behavior for GTP session.
standard
Sets the RADIUS accounting
trigger policy to standard behavior which is configured for GTP
session for GGSN service.
ggsn-preservation-mode
Sends RADIUS Accounting
Start when the GTP message with private extension of preservation
mode is received from SGSN.
IMPORTANT:
This is a customer-specific
keyword and requires a customer-specific license. For
more information on GGSN preservation mode, refer to the GGSN Service Configuration
Mode Commands chapter.
Usage:
Use this command to
set the trigger policy for the AAA accounting for a GTP session.
Example:
The following command
sets the RADIUS accounting trigger policy for GTP session to standard:
default radius accounting gtp trigger-policy
radius accounting ha policy
This command configures
the RADIUS accounting policy for HA sessions.
Privilege:
Security Administrator,
Administrator
Syntax
radius accounting ha policy { session-start-stop | custom1-aaa-res-mgmt }
default radius accounting ha policy
session-start-stop
Specifies to send Accounting
Start when the session is connected, and send Accounting Stop when
the session is disconnected. This is the default behavior.
custom1-aaa-res-mgmt
Accounting Start/Stop
messages are generated to assist special resource management done by
AAA servers. It is similar to the session-start-stop accounting
policy, except for the following differences:
- Accounting Start is
generated when a new call overwrites an existing session. Accounting
Start is also generated during MIP session handoffs.
- No Accounting stop
is generated when an existing session is overwritten and the new session
continues to use the IP address assigned for the old session.
Usage:
Use this command to
set the behavior of the AAA accounting for an HA session.
Example:
The following command
sets the HA accounting policy to
custom1-aaa-res-mgmt:
radius accounting ha policy custom1-aaa-res-mgmt
radius accounting interim volume
This command configures
the volume of uplink and downlink volume octet counts that triggers
RADIUS interim accounting.
Privilege:
Security Administrator,
Administrator
Syntax
radius accounting interim volume { downlink bytes uplink bytes | total bytes | uplink bytes downlink bytes }
no radius accounting interim volume
no
Disables volume based
RADIUS accounting.
downlink bytes uplink bytes
Specifies the downlink
and uplink volume limits for RADIUS interim accounting, in bytes. bytes must
be an integer from 100000 through 4000000000.
total bytes
Specifies the total
volume limit for RADIUS interim accounting in bytes. bytes must
be an integer from 100000 through 4000000000.
uplink bytes
Specifies the uplink
volume limit for RADIUS interim accounting in bytes. bytes must
be an integer from 100000 through 4000000000.
downlink bytes
Specifies the downlink
volume limit for RADIUS interim accounting in bytes. bytes must
be an integer from 100000 through 4000000000.
Usage:
Use this command to
trigger RADIUS interim accounting based on the volume of uplink and
downlink bytes.
Example:
The following command
triggers RADIUS interim accounting when the total volume of uplink
and downlink bytes reaches
110000:
radius accounting interim volume total 110000
radius accounting ip remote-address
This command configures
IP remote address-based RADIUS accounting parameters.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] radius accounting ip remote-address { collection | list list_id }
no
Removes earlier configuration
for the specified keyword.
collection
Enables collecting
and reporting Remote-Address-Based accounting in RADIUS Accounting.
This should be enabled in the AAA Context. It is disabled by default.
list list_id
Enters the Remote Address
List Configuration Mode. This mode configures a list of remote addresses
that can be referenced by the subscriber's profile. list_id must
be an integer from 1 through 65535.
Usage:
This command is used
as part of the Remote Address-based Accounting feature to both configure
remote IP address lists and enable the collection of accounting
data for the addresses in those lists on a per-subscriber basis.
Individual subscribers
can be associated with remote IP address lists through the configuration/specification
of an attribute in their local or RADIUS profile. (Refer to the radius accounting command
in the Subscriber Configuration mode.) When configured/specified,
accounting data is collected pertaining to the subscriber’s communication
with any of the remote addresses specified in the list.
Once this functionality
is configured on the system and in the subscriber profiles, it must be
enabled by executing this command with the collection keyword.
Example:
The following command
enables collecting and reporting Remote-Address-Based accounting
in RADIUS Accounting:
radius accounting ip remote-address collection
radius accounting keepalive
This command configures
the keepalive authentication parameters for the RADIUS accounting
server.
Privilege:
Security Administrator,
Administrator
Syntax
radius accounting keepalive { calling-station-id id | consecutive-response responses_no_of | framed-ip-address ip_address | interval interval_duration | retries retries_no_of | timeout timeout_duration | username user_name }
no radius accounting keepalive framed-ip-address
default radius accounting keepalive { calling-station-id | consecutive-response | interval | retries | timeout | username }
no
Removes configuration
for the specified keyword.
default
Configures the default
settings.
calling-station-id id
Configures the Calling-Station
ID to be used for the keepalive authentication as an alphanumeric
string of size 1 to 15 characters. Default: 000000000000000
consecutive-response responses_no_of
Configures the number
of consecutive authentication responses after which the server is marked
as reachable. responses_no_of must
be an integer from 1 through 5. Default: 1
framed-ip-address ip_address
Specifies the Framed-IP-Address
to be used for the keepalive accounting in IPv4 dotted-decimal
notation.
interval interval_duration
Configures the time
interval (in seconds) between two keepalive access requests. Default:
30
retries retries_no_of
Configures the number
of times the keepalive access request is sent before marking
the server as unreachable. retries_no_of must
be an integer from 3 through 10. Default: 3
timeout timeout_duration
Configures the time
interval between keepalive access request retries. timeout_duration must
be an integer from 1 through 30. Default: 3
username user_name
Configures the user
name to be used for the authentication as an alphanumeric string
of 1 through 127 characters. Default: Test-Username
Usage:
Configures the keepalive
authentication parameters for the RADIUS accounting server.
Example:
The following command
sets the user name for the RADIUS keepalive access requests to
Test-Username2:
radius accounting keepalive username Test-Username2
The following command
sets the number of retries to
4:
radius accounting keepalive retries 4
radius accounting rp
This command configures
the current context’s RADIUS accounting R-P originated
call options.
Privilege:
Security Administrator,
Administrator
Syntax
radius accounting rp { handoff-stop { immediate | wait-active-stop } | tod minute hour | trigger-event { active-handoff | active-start-param-change | active-stop } | trigger-policy { airlink-usage [ counter-rollover ] | custom [ active-handoff | active-start-param-change | active-stop ] | standard } | trigger-stop-start }
no radius accounting rp { tod minute hour | trigger-event { active-handoff | active-start-param-change | active-stop } | trigger-stop-start }
default radius accounting rp { handoff-stop | trigger-policy }
no
Removes earlier configuration
for the specified keyword.
default
Configures this command
with the default settings.
handoff-stop { immediate | wait-active-stop }
Specifies the behavior
of generating accounting STOP when handoff occurs.
- immediate:
Indicates that accounting STOP is generated immediately on
handoff, i.e., without waiting for an active-stop from the old PCF.
- wait-active-stop:
Indicates that accounting STOP is generated only when an active-stop is
received from the old PCF when handoff occurs.
Default: wait-active-stop
tod minute hour
Specifies the time
of day a RADIUS event is to be generated for accounting. Up to four different
times of the day may be specified through separate commands.
minute must
be an integer from 0 through 59.
hour must
be an integer from 0 through 23.
trigger-event { active-handoff | active-start-param-change | active-stop }
Configures the events
for which a RADIUS event is generated for accounting as one of the following:
- active-handoff:
Disables a single R-P event (and therefore a RADIUS accounting event)
when an Active PCF-to-PCF Handoff occurs. Instead, two R-P events
occur (one for the Connection Setup, and the second for the Active-Start). Default:
Disabled
- active-start-param-change:
Disables an R-P event (and therefore a RADIUS accounting event)
when an Active-Start is received from the PCF and there has been
a parameter change. Default: Enabled
- active-stop:
Disables an R-P event (and therefore a RADIUS accounting event)
when an Active-Stop is received from the PCF. Default: Disabled
IMPORTANT:
This keyword has been
obsoleted by the trigger-policy keyword.
If this command is used and the context configuration
is displayed, the RADIUS accounting RP configuration is represented
in terms of the trigger-policy.
trigger-policy { airlink-usage [ counter-rollover ] | custom [ active-handoff | active-start-param-change | active-stop ] | standard }
Defaults:
- airlink-usage: Disabled
- custom:
- active-handoff: Disabled
- active-start-param-change: Disabled
- active-stop: Disabled
- standard: Enabled
Configures the overall
accounting policy for R-P sessions as one of the following:
- airlink-usage [ counter-rollover ]:
Designates the use of Airlink-Usage RADIUS accounting policy for
R-P, which generates a start on Active-Starts, and a stop on Active-Stops.
If the counter-rollover option
is enabled, the system generates a STOP/START pair before
input/output data octet counts (or input/output
data packet counts) become larger than (2^32 - 1) in value.
This setting is used to guarantee that a 32-bit octet count in any
STOP message has not wrapped to larger than 2^32 thus ensuring
the accuracy of the count. The system may send the STOP/START
pair at any time, so long as it does so before the 32-bit counter
has wrapped. Note that a STOP/START pair is never generated
unless the subscriber RP session is in the Active state, since octet/packet
counts are not accumulated in the Dormant state.
- custom: Specifies
the use of custom RADIUS accounting policy for R-P. The custom policy
can consist of the following:
- active-handoff:
Enables a single R-P event (and therefore a RADIUS accounting event)
when an Active PCF-to-PCF Handoff occurs. Normally two R-P events
will occur (one for the Connection Setup, and the second for the
Active-Start).
- active-start-param-change:
Enables an R-P event (and therefore a RADIUS accounting event) when
an Active-Start is received from the PCF and there has been a parameter
change.
IMPORTANT:
Note that a custom
trigger policy with only active-start-param-change enabled
is identical to the standard trigger-policy.
- active-stop:
Enables an R-P event (and therefore a RADIUS accounting event) when
an Active-Stop is received from the PCF.
IMPORTANT:
If the radius accounting rp
trigger-policy custom command is executed without any
of the optional keywords, all custom options are disabled.
- standard:
Specifies the use of Standard RADIUS accounting policy for R-P in
accordance with IS-835B.
trigger-stop-start
Specifies that a stop/start
RADIUS accounting pair should be sent to the RADIUS server when
an applicable R-P event occurs.
Usage:
Use this command to
configure the events for which a RADIUS event is sent to the server when
the accounting procedures vary between servers.
Example:
The following command
enables an R-P event (and therefore a RADIUS accounting event) when
an Active-Stop is received from the PCF:
radius accounting rp trigger-event active-stop
The following command
generates the STOP only when an active-stop is received from the old PCF
when handoff occurs:
default radius accounting rp handoff-stop
radius accounting server
This command configures
RADIUS accounting server(s) in the current context.
Privilege:
Security Administrator,
Administrator
Syntax
radius [ mediation-device ] accounting server ip_address [ encrypted ] key value [ acct-on { enable | disable } ] [ acct-off { enable | disable } ] [ max max_messages ] [ oldports ] [ port port_number ] [ priority priority ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius [ mediation-device ] accounting server ip_address [ oldports | port port_number ]
no
Removes the server
or server port(s) specified from the list of configured servers.
mediation-device
Enables mediation-device-specific
AAA transactions for communication with this RADIUS server.
IMPORTANT:
If this option is not
used, the system by default enables standard AAA transactions.
ip_address
Specifies the IP address
of the accounting server.
ip_address must
be specified in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation. A maximum of 128 RADIUS servers can be configured per
context. This limit includes accounting and authentication servers.
[ encrypted ] key value
Specifies the shared
secret key used to authenticate the client to the servers. The encrypted keyword
indicates the key specified is encrypted.
The encrypted keyword
is intended only for use by the system while saving configuration
scripts. The system displays the encrypted keyword
in the configuration file as a flag that the variable following
the key keyword
is the encrypted version of the plain-text key. Only the encrypted
key is saved as part of the configuration file.
acct-on { enable | disable }
Enables and disables
sending of the Accounting-On message when a new RADIUS server is added
to the configuration.
When enabled, the Accounting-On
message is sent when a new RADIUS server is added in the configuration.
However, if for some reason the Accounting-On message cannot be
sent at the time of server configuration (for example, if the interface
is down), then the message is sent as soon as possible. Once the
Accounting-On message is sent, if it is not responded to after the configured
RADIUS accounting timeout, the message is retried the configured
number of RADIUS accounting retries. Once all retries have been
exhausted, the system no longer attempts to send the Accounting-On
message for this server.
Default: disable
acct-off { enable | disable }
Enables and disables
the sending of the Accounting-Off message when a RADIUS server is removed
from the configuration.
The Accounting-Off
message is sent when a RADIUS server is removed from the configuration,
or when there is an orderly shutdown. However, if for some reason
the Accounting-Off message cannot be sent at this time, it is never
sent. The Accounting-Off message is sent only once, regardless of
how many accounting retries are enabled.
Default: enable
max max_messages
Specifies the maximum
number of outstanding messages that may be allowed to the server. max_messages must
be an integer from 1 through 256. Default: 0
oldports
Sets the UDP communication
port to 1646, the outdated, formerly standard default port for RADIUS
accounting.
port port_number
Specifies the port
number to use for communications as an integer from 1 through 65535. Default:
1813
priority priority
Specifies the relative
priority of this accounting server. The priority is used in server selection
for determining which server to send accounting data to.
priority must
be an integer from 1 through 1000, where 1 is the highest priority.
When configuring two or more servers with the same priority you
will be asked to confirm that you want to do this. If you use the -noconfirm option,
you are not asked for confirmation and multiple servers could be
assigned the same priority.
Default: 1000
type { mediation-device | standard }
Specifies the type
of AAA transactions to use to communicate with this RADIUS server.
- standard:
Use standard AAA transactions.
- mediation-device:
This keyword is obsolete.
Default: standard
admin-status { enable | disable }
Enables or disables
the RADIUS authentication/accounting/charging
server functionality, and saves the status setting in the configuration
file to re-establish the set status at reboot.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
This command is used
to configure the RADIUS accounting servers with which the system is
to communicate for accounting.
Up to 128 RADIUS servers
can be configured per context. The servers can be configured as
Accounting, Authentication, charging servers, or any combination
thereof.
Example:
The following commands
configure the RADIUS accounting server with the IP address set to
10.2.3.4, port to 1024, and priority to 10:
radius accounting server 10.2.3.4 key sharedKey port 1024 max 127
radius accounting server 10.2.3.4 encrypted key scrambledKey oldports priority 10
no radius accounting server 10.2.5.6
The following command
sets the accounting server with mediation device transaction for AAA
server
10.2.3.4:
radius mediation-device accounting server 10.2.3.4 key sharedKey port 1024 max 127
radius algorithm
This command configures
the RADIUS authentication server selection algorithm for the current
context.
Privilege:
Security Administrator,
Administrator
Syntax
radius algorithm { first-server | round-robin }
default radius algorithm
default
Configures this command
with the default setting. Default: first-server
first-server
Sends authentication
data to the first available server based upon the relative priority
of each configured server.
round-robin
Sends authentication
data in a circular queue fashion on a per Session Manager task basis where
data is sent to the next available server and restarts at the beginning
of the list of configured servers. The order of the list is based
upon the configured relative priority of the servers.
Usage:
Use this command to
configure the context’s RADIUS server selection algorithm
to ensure proper load distribution through the available servers.
Example:
The following command
configures to use the round-robin algorithm for RADIUS server selection:
radius algorithm round-robin
radius allow
This command configures
the system behavior to allow subscriber sessions when RADIUS accounting
and/or authentication is unavailable.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] radius
allow { accounting-down | authentication-down }
no
Removes earlier configuration
for the specified keyword.
accounting-down
Allows sessions while
accounting is unavailable (down). Default: Enabled
authentication-down
Allows sessions while
authentication is not available (down). Default: Disabled
Usage:
Allow sessions during
system troubles only when the risk of IP address and/or subscriber spoofing
is minimal. Denying sessions may cause dissatisfaction among
subscribers; allowing them forgoes verification and/or
accounting data.
IMPORTANT:
Please note that this
command is applicable ONLY to CDMA products. To configure this functionality
in UMTS/LTE products (GGSN/P-GW),
use the command mediation-device
delay-GTP-response in APN Configuration mode.
Example:
The following command
configures the RADIUS server to allow the sessions while accounting
is unavailable:
radius allow accounting-down
radius attribute
This command configures
the system’s RADIUS identification parameters.
Privilege:
Security Administrator,
Administrator
Syntax
radius attribute { nas-identifier id | nas-ip-address address primary_address [ backup secondary_address ] [ nexthop-forwarding-address nexthop_ip_address ] [ vlan vlan_id ] [ mpls-label input in_label_value output out_label_value1 out_label_value2 ] }
no radius attribute { nas-identifier | nas-ip-address }
default radius attribute nas-identifier
no
Removes earlier configuration
for the specified keyword.
default
Configures the default
setting.
nas-identifier id
Specifies the attribute
name by which the system will be identified in Access-Request messages. id must be
an alphanumeric string of 1 through 32 characters that is case sensitive.
nas-ip-address address primary_address
Specifies the AAA interface
IP address(es) to be used to identify the system. Up to two addresses
can be configured. primary_address is
the IP address of the primary interface to use in the current context
in IPV4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
backup secondary_address
Specifies the IP address
of the secondary interface to use in the current context in IPV4 dotted-decimal
or IPv6 colon-separated-hexadecimal notation.
mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]
This command configures
the traffic from the specified AAA client NAS IP address to use the
specified MPLS labels.
- in_label_value is
the MPLS label that identifies inbound traffic destined for the
configured NAS IP address.
- out_label_value1 and out_label_value2 identify
the MPLS labels to be added to the packets sent from the specified
NAS IP address.
- out_label_value1 is
the inner output label.
- out_label_value2 is
the outer output label.
MPLS label values must
be an integer from 16 through 1048575.
IMPORTANT:
This option is available
only when nexthop-forwarding gateway is also configured with the nexthop-forwarding-address keyword.
nexthop-forwarding-address nexthop_ip_address
Configures the next
hop IP address for this NAS IP address in IPV4 dotted-decimal or
IPv6 colon-separated-hexadecimal notation.
vlan vlan_id
Specifies the VLAN
ID to be associated with the next-hop IP address as an integer from
1 through 4094.
Usage:
This is necessary for
Network Access Server (NAS) operation, since the system must identify
itself as the NAS to the RADIUS server.
The system supports
the concept of the active nas-ip-address. The active nas-ip-address
is defined as the current source ip address for RADIUS messages
being used by the system. This is the content of the nas-ip-address
attribute in each RADIUS message.
The system will always
have exactly one active nas-ip-address. The active nas-ip-address will
start as the primary nas-ip-address. However, the active nas-ip-address
may switch from the primary to the backup, or the backup to the
primary. The following events will occur when the active nas-ip-address
is switched:
- All current in-process
RADIUS accounting messages from the entire system are cancelled.
The accounting message is re-sent, with retries preserved, using
the new active nas-ip-address. Acct-Delay-Time, however, is updated
to reflect the time that has occurred since the accounting event.
The value of Event-Timestamp is preserved.
- All current in-process
RADIUS authentication messages from the entire system are cancelled.
The authentication message is re-sent, with retries preserved, using
the new active nas-ip-address. The value of Event-Timestamp is preserved.
- All subsequent
RADIUS requests use the new active nas-ip-address.
The system uses a revertive
algorithm when transitioning active NAS IP addresses as described
below:
- If the configured primary
nas-ip-address transitions from UP to DOWN, and the backup nas-ip-address
is UP, then the active nas-ip-address switches from the primary
to the backup nas-ip-address.
- If the backup nas-ip-address
is active, and the primary nas-ip-address transitions from DOWN
to UP, then the active nas-ip-address switches from the backup to
the primary nas-ip-address.
Example:
The following command
configures the RADIUS attribute nas-ip-address as
10.2.3.4:
radius attribute nas-ip-address 10.2.3.4
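The revertive primary/backup switch-over and its effect on in-process messages, as an added model (not StarOS code): a switch re-sources every pending request with retries and Event-Timestamp preserved, and refreshes Acct-Delay-Time on accounting messages. Addresses and timestamps are constructed; the model does not cover a backup going DOWN while active, which the text does not describe.

```python
from typing import Dict, List, Optional


class ActiveNasIp:
    """Tracks the active nas-ip-address and what happens to in-process
    RADIUS messages when it switches between primary and backup."""

    def __init__(self, primary: str, backup: Optional[str] = None) -> None:
        self.primary, self.backup = primary, backup
        self.state: Dict[str, str] = {primary: "UP"}
        if backup:
            self.state[backup] = "UP"
        self.active = primary                 # always starts on the primary
        self.in_process: List[dict] = []

    def queue(self, kind: str, retries_left: int, event_ts: int) -> dict:
        """Record an in-process 'accounting' or 'authentication' request."""
        msg = {"kind": kind, "retries": retries_left, "src": self.active,
               "Event-Timestamp": event_ts, "resent": 0}
        self.in_process.append(msg)
        return msg

    def _switch(self, new_active: str, now: int) -> None:
        self.active = new_active
        for msg in self.in_process:
            # Cancelled and re-sent from the new address: retries preserved,
            # Event-Timestamp preserved, Acct-Delay-Time refreshed for accounting.
            msg["src"] = new_active
            msg["resent"] += 1
            if msg["kind"] == "accounting":
                msg["Acct-Delay-Time"] = now - msg["Event-Timestamp"]

    def link_event(self, address: str, status: str, now: int) -> str:
        """Apply an UP/DOWN transition and run the revertive rules; returns
        the address that is active afterwards."""
        self.state[address] = status
        backup_up = self.backup is not None and self.state[self.backup] == "UP"
        if (address == self.primary and status == "DOWN"
                and backup_up and self.active == self.primary):
            self._switch(self.backup, now)        # primary lost, backup UP
        elif (address == self.primary and status == "UP"
                and self.active == self.backup):
            self._switch(self.primary, now)       # revert as soon as primary is back
        return self.active


if __name__ == "__main__":
    nas = ActiveNasIp("10.2.3.4", "10.2.3.5")
    acct = nas.queue("accounting", retries_left=3, event_ts=100)
    print(nas.link_event("10.2.3.4", "DOWN", now=130), acct)
    print(nas.link_event("10.2.3.4", "UP", now=200), acct)
```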
radius authenticate null-username
This command enables
(allows) or disables (prevents) the authentication of user names
that are blank or empty. This is enabled by default.
Privilege:
Security Administrator,
Administrator
Syntax
[ no | default ] radius authenticate null-username
default
Configures the default
setting.
Default: Authenticate
all user names, including NULL user names, by sending Access-Request
messages to the AAA server.
no
Disables sending an
Access-Request message to the AAA server for user names (NAI) that are
blank.
null-username
Enables sending an
Access-Request message to the AAA server for user names (NAI) that are
blank.
Usage:
Use this command to
disable, or re-enable, sending Access-Request messages to the AAA server
for user names (NAI) that are blank (NULL).
Example:
The following command
disables sending of Access-Request messages for user names (NAI)
that are blank:
no radius authenticate null-username
The following command
re-enables sending of Access-Request messages for user names (NAI)
that are blank:
radius authenticate
null-username
radius authenticate
apn-to-be-included
This command configures
the Access Point Name (APN) to be included for RADIUS authentication.
Privilege:
Security Administrator,
Administrator
Syntax
[ default ] radius authenticate apn-to-be-included { gi | gn }
default
Configures the default
setting.
gi
Specifies the use of
the Gi APN name in the RADIUS authentication request. The Gi APN represents
the APN received in the Create PDP Context Request message from
the SGSN.
gn
Specifies the use of
the Gn APN name in the RADIUS authentication request. The Gn APN represents
the APN selected by the GGSN.
Usage:
Use this command to
configure the APN name for RADIUS authentication. This can be set to
either gi or gn.
Example:
The following command
specifies the use of the Gn APN name in the RADIUS authentication
request:
radius authenticate apn-to-be-included gn
radius authenticator-validation
This command enables
(allows) or disables (prevents) the MD5 authentication of RADIUS
users. By default this feature is enabled.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] radius
authenticator-validation
default
Enables MD5 authentication
validation for an Access-Request message to the AAA server.
no
Disables MD5 authentication
validation for an Access-Request message to the AAA server.
Usage:
Use this command to
disable, or re-enable, sending Access-Request messages to the AAA server
for MD5 validation.
Example:
The following command
disables MD5 authentication validation for Access-Request messages
for user names (NAI):
no radius authenticator-validation
The following command
enables MD5 authentication validation for Access-Request messages
for user names (NAI):
radius authenticator-validation
radius change-authorize-nas-ip
This command configures
the NAS IP address and UDP port on which the current context will
listen for Change of Authorization (COA) messages and Disconnect Messages
(DM). If the NAS IP address is not defined with this command, any
COA or DM messages from the RADIUS server are returned with a Destination
Unreachable error.
Privilege:
Security Administrator,
Administrator
Syntax
radius change-authorize-nas-ip ip_address [ encrypted ] key value [ port port ] [ event-timestamp-window window ] [ no-nas-identification-check ] [ no-reverse-path-forward-check ] [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] ]
no radius change-authorize-nas-ip
no
Deletes the NAS IP
address information which disables the system from receiving and responding
to COA and DM messages from the RADIUS server.
ip_address
Specifies the NAS IP
address of the current context’s AAA interface that was
defined with the radius attribute command.
ip_address can
be expressed in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation.
[ encrypted ] key value
Specifies the shared
secret key used to authenticate the client to the servers. The encrypted keyword
indicates the key specified is encrypted.
The encrypted keyword
is intended only for use by the system while saving configuration
scripts. The system displays the encrypted keyword
in the configuration file as a flag that the variable following
the key keyword
is the encrypted version of the plain text key. Only the encrypted
key is saved as part of the configuration file.
port port
The UDP port on which
to listen for CoA and DM messages. Default: 3799
event-timestamp-window window
When a COA or DM request
is received with an event-time-stamp, if the current-time is greater
than the received-pkt-event-time-stamp plus the event-time-stamp-window,
the packet is silently discarded.
When a COA or DM request
is received without the event-timestamp attribute, the packet is silently
discarded.
window must
be an integer from 0 through 4294967295. If window is
specified as 0 (zero), this feature is disabled; the event-time-stamp
attribute in COA or DM messages is ignored and the event-time-stamp
attribute is not included in NAK or ACK messages. Default: 300
no-nas-identification-check
Disables the context
from checking the NAS Identifier/ NAS IP Address while
receiving the CoA/DM requests. By default this check is
enabled.
no-reverse-path-forward-check
Disables the context
from checking whether received CoA or DM packets are from one of the
AAA servers configured in the current context. Only the src-ip address
in the received CoA or DM request is validated and the port and
key are ignored. The reverse-path-forward-check is enabled by default.
When reverse-path-forward-check
is disabled, CoA and DM messages are accepted from any AAA server.
mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]
This command configures
COA traffic to use the specified MPLS labels.
- in_label_value is
the MPLS label that identifies inbound COA traffic.
- out_label_value1 and out_label_value2 identify
the MPLS labels to be added to COA response.
- out_label_value1 is
the inner output label.
- out_label_value2 is
the outer output label.
MPLS label values must
be an integer from 16 through 1048575.
Usage:
Use this command to
enable the current context to listen for COA and DM messages.
Any one of the following
RADIUS attributes may be used to identify the subscriber:
- 3GPP-IMSI: The
subscriber’s IMSI. It may include the 3GPP-NSAPI attribute
to delete a single PDP context rather than all of the PDP contexts
of the subscriber when used with the GGSN product.
- Framed-IP-address:
The subscriber’s IP address.
- Acct-Session-Id:
Identifies a subscriber session or PDP context.
IMPORTANT:
For the GGSN product,
the value for Acct-Session-Id that is mandated by 3GPP is used instead
of the special value for Acct-Session-Id that we use in the RADIUS
messages we exchange with a RADIUS accounting server.
IMPORTANT:
When this command is
used in conjunction with the GGSN, CoA functionality is not supported.
Example:
The following command
specifies the IP address 192.168.100.10 as
the NAS IP address, a key value of 123456 and
uses the default port of 3799:
radius change-authorize-nas-ip 192.168.100.10 key 123456
The following command
disables the nas-identification-check for the above parameters:
radius change-authorize-nas-ip 192.168.100.10 key 123456 no-nas-identification-check
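The acceptance checks this command controls, modelled as an added Python example that is not StarOS code: the reverse-path-forward check against the context's AAA servers, the NAS identification check, the Event-Timestamp window and the subscriber-identifier requirement. The AAA server set, the request contents and the assumption that the NAS identification check compares the request's NAS-IP-Address or NAS-Identifier with the listener's identity are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

# Attributes the command description lists as acceptable subscriber identifiers.
SUBSCRIBER_ID_ATTRS = ("3GPP-IMSI", "Framed-IP-Address", "Acct-Session-Id")


@dataclass
class CoaListener:
    """The radius change-authorize-nas-ip settings of one context."""
    nas_ip: str                               # ip_address argument
    event_timestamp_window: int = 300         # event-timestamp-window; 0 disables the check
    nas_identification_check: bool = True     # cleared by no-nas-identification-check
    reverse_path_forward_check: bool = True   # cleared by no-reverse-path-forward-check
    nas_identifier: Optional[str] = None      # assumed: NAS-Identifier value of this context


@dataclass
class CoaRequest:
    """A decoded CoA or DM request; the fields are constructed for this example."""
    src_ip: str
    attributes: Dict[str, object] = field(default_factory=dict)


def accept_coa(listener: CoaListener, aaa_servers: Iterable[str],
               req: CoaRequest, now: int) -> Tuple[bool, str]:
    """Apply the acceptance checks the command describes and say why a packet is dropped.

    aaa_servers are the AAA server IPs configured in the context; now is the
    current time in epoch seconds. Returns (accepted, reason).
    """
    # reverse-path-forward-check: only the source IP is validated; port and key are ignored.
    if listener.reverse_path_forward_check and req.src_ip not in set(aaa_servers):
        return False, "source is not a configured AAA server"

    # nas-identification-check: assumed to compare the request's NAS-IP-Address or
    # NAS-Identifier with this context's listener identity.
    if listener.nas_identification_check:
        nas_ip = req.attributes.get("NAS-IP-Address")
        nas_id = req.attributes.get("NAS-Identifier")
        ip_ok = nas_ip == listener.nas_ip
        id_ok = nas_id is not None and nas_id == listener.nas_identifier
        if not (ip_ok or id_ok):
            return False, "NAS identification mismatch"

    # event-timestamp-window: no Event-Timestamp, or one older than timestamp + window,
    # means the packet is silently discarded; a window of 0 disables the check.
    if listener.event_timestamp_window > 0:
        ts = req.attributes.get("Event-Timestamp")
        if ts is None:
            return False, "missing Event-Timestamp"
        if now > ts + listener.event_timestamp_window:
            return False, "Event-Timestamp outside window"

    # One of 3GPP-IMSI, Framed-IP-Address or Acct-Session-Id must identify the subscriber.
    if not any(a in req.attributes for a in SUBSCRIBER_ID_ATTRS):
        return False, "no subscriber identifier"
    return True, "accepted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the checks against constructed requests for the page's example listener."""
    listener = CoaListener(nas_ip="192.168.100.10")   # radius change-authorize-nas-ip 192.168.100.10 ...
    servers = {"10.2.3.4"}                             # constructed: the context's configured AAA server
    now = 1_700_000_000                                # constructed current time (epoch seconds)
    base = {"NAS-IP-Address": "192.168.100.10", "Event-Timestamp": now - 60,
            "Framed-IP-Address": "10.50.0.7"}          # constructed subscriber address
    without_ts = {k: v for k, v in base.items() if k != "Event-Timestamp"}
    return {
        "valid": accept_coa(listener, servers, CoaRequest("10.2.3.4", dict(base)), now),
        "spoofed_source": accept_coa(listener, servers, CoaRequest("198.51.100.9", dict(base)), now),
        "stale": accept_coa(listener, servers,
                            CoaRequest("10.2.3.4", {**base, "Event-Timestamp": now - 301}), now),
        "no_timestamp": accept_coa(listener, servers, CoaRequest("10.2.3.4", without_ts), now),
        "window_disabled": accept_coa(CoaListener("192.168.100.10", event_timestamp_window=0),
                                      servers, CoaRequest("10.2.3.4", without_ts), now),
    }
```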
radius charging
This command configures
basic RADIUS options for Active Charging Services.
Privilege:
Security Administrator,
Administrator
Syntax
radius charging { deadtime dead_minutes | detect-dead-server { consecutive-failures consecutive_failures | response-timeout timeout_duration } | max-outstanding max_messages | max-retries max_retries | max-transmissions transmissions | timeout timeout_duration }
default radius charging { deadtime | detect-dead-server | max-outstanding | max-retries | max-transmissions | timeout }
no radius charging { detect-dead-server | max-transmissions | timeout }
no
Removes configuration
for the specified keyword.
default
Configures the default
settings.
deadtime dead_minutes
Specifies the number
of minutes to wait before attempting to communicate with a server which
has been marked as unreachable.
dead_minutes must
be an integer from 0 through 65535.
Default: 10
detect-dead-server { consecutive-failures consecutive_failures | response-timeout timeout_duration }
consecutive-failures consecutive_failures:
Default: 4. Specifies the number of consecutive failures, for each
AAA manager, before a server is marked as unreachable. consecutive_failures must
be an integer from 0 through 1000.
response-timeout timeout_duration:
Specifies the number of seconds for each AAA manager to wait for
a response to any message before a server is detected as failed, or
in a down state. timeout_duration must
be an integer from 1 through 65535.
max-outstanding max_messages
Specifies the maximum
number of outstanding messages a single AAA manager instance will
queue. max_messages must
be an integer from 1 through 4000. Default: 256
max-retries max_retries
Specifies the maximum
number of times communication with a AAA server will be attempted
before it is marked as unreachable and the detect dead servers consecutive
failures count is incremented. max_retries must
be an integer from 0 through 65535. Default: 5
max-transmissions transmissions
Sets the maximum number
of re-transmissions for RADIUS authentication requests. This limit
is used in conjunction with the max-retries for
each server. transmissions must
be an integer from 1 through 65535. Default: Disabled
When failing to communicate
with a RADIUS server, the subscriber is failed once all of the configured
RADIUS servers have been exhausted or once the configured number
of maximum transmissions is reached.
For example, if 3 servers
are configured and if the configured max-retries is 3 and max-transmissions
is 12, then the primary server is tried 4 times (once plus 3 retries),
the secondary server is tried 4 times, and then a third server is
tried 4 times. If there is a fourth server, it is not tried because
the maximum number of transmissions (12) has been reached.
timeout timeout_duration
Specifies the number
of seconds to wait for a response from the RADIUS server before
re-sending the messages. timeout_duration must
be an integer from 1 through 65535. Default: 3
Usage:
Manage the basic Charging
Service RADIUS options according to the RADIUS server used for the
context.
Example:
The following command
configures the AAA server to be marked as unreachable when the consecutive
failure count exceeds 6:
radius charging detect-dead-server consecutive-failures 6
The following command
sets the timeout value to 300 seconds to wait for a response from the RADIUS
server before resending the messages:
radius charging timeout 300
radius charging accounting algorithm
This command specifies
the fail-over/load-balancing algorithm to be used for selecting
RADIUS servers for charging services.
Privilege:
Security Administrator,
Administrator
Syntax
radius charging accounting algorithm { first-n n | first-server | round-robin }
first-n n
Specifies that the
AGW must send accounting data to n (more than
one) AAA servers based on their priority. Response from any one
of the n AAA
servers would suffice to proceed with the call. The full set of accounting
data is sent to each of the n AAA servers.
n is the
number of AAA servers to which accounting data will be sent, and
must be an integer from 2 through 128. Default: 1 (Disabled)
first-server
Specifies that the
context must send accounting data to the RADIUS server with the
highest configured priority. In the event that this server becomes
unreachable, accounting data is sent to the server with the next-highest
configured priority. This is the default algorithm.
round-robin
Specifies that the
context must load balance sending accounting data among all of the defined
RADIUS servers. Accounting data is sent in a circular queue fashion
on a per Session Manager task basis, where data is sent to the next
available server and restarts at the beginning of the list of configured
servers. The order of the list is based upon the configured relative
priority of the servers.
Usage:
Use this command to
specify the accounting algorithm to use to select RADIUS servers
for charging services configured in the current context.
Example:
The following command
specifies to use the round-robin algorithm to select the RADIUS server:
radius charging accounting algorithm round-robin
radius charging accounting server
This command configures
RADIUS charging accounting servers in the current context for Active
Charging Services prepaid accounting.
Privilege:
Security Administrator,
Administrator
Syntax
radius charging accounting server ip_address [ encrypted ] key key [ max max_messages ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius charging accounting server ip_address [ oldports | port port_number ]
no
Removes the server
or server port(s) specified from the list of configured servers.
ip_address
Specifies the IP address
of the accounting server in IPv4 dotted-decimal notation. A maximum of
128 RADIUS servers can be configured per context. This limit includes
accounting and authentication servers.
[ encrypted ] key key
Specifies the shared
secret key used to authenticate the client to the servers. The encrypted keyword
indicates the key specified is encrypted.
The encrypted keyword
is intended only for use by the system while saving configuration
scripts. The system displays the encrypted keyword
in the configuration file as a flag that the variable following
the key keyword
is the encrypted version of the plain text key. Only the encrypted
key is saved as part of the configuration file.
max max_messages
Specifies the maximum
number of outstanding messages that may be allowed to the server. max_messages must
be an integer from 0 through 4000. Default: 0
max-rate max_rate
Specifies the rate
(number of messages per second) at which the authentication messages should
be sent to the RADIUS server. max_rate must
be an integer from 0 through 1000. Default: 0 (Disabled)
oldports
Sets the UDP communication
port to the out of date standardized default for RADIUS communications
to 1646.
port port_number
Specifies the port
number to use for communications as an integer from 1 through 65535. Default: 1813
priority priority
Specifies the relative
priority of this accounting server. The priority is used in server selection
for determining to which server to send accounting data. priority must
be an integer 1 through 1000 where 1 is the highest priority. Default:
1000
admin-status { enable | disable }
Enables or disables
the RADIUS authentication/ accounting/charging
server functionality, and saves the status setting in the configuration
file to re-establish the set status at reboot.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
This command is used
to configure the RADIUS charging accounting server(s) with which the
system is to communicate for Active Charging Services prepaid accounting
requests.
Up to 128 AAA servers
can be configured per context when the system is functioning as
a PDSN and/or HA. Up to 16 servers are supported per context
when the system is functioning as a GGSN.
Example:
The following commands
configure a RADIUS charging accounting server with the IP address
set to 10.2.3.4, port to 1024, and priority to 10:
radius charging accounting server 10.2.3.4 key sharedKey port 1024 max 127
radius charging accounting server 10.2.3.4 encrypted key scrambledKey oldports priority 10
radius charging algorithm
This command configures
the RADIUS authentication server selection algorithm for Active
Charging Services for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
radius charging algorithm { first-server | round-robin }
default radius charging algorithm
default
Configures the default
setting. Default: first-server
first-server
Sends accounting data
to the first available server based upon the relative priority of
each configured server.
round-robin
Sends accounting data
in a circular queue fashion on a per Session Manager task basis
where data is sent to the next available server and restarts at
the beginning of the list of configured servers. The order of the
list is based upon the configured relative priority of the servers.
Usage:
Set the context’s
RADIUS server selection algorithm for Active Charging Services to ensure
proper load distribution through the servers available.
Example:
The following command
configures the round-robin algorithm for RADIUS server selection:
radius charging algorithm round-robin
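The first-n, first-server and round-robin selection described for this command and for radius charging accounting algorithm, as an added Python model rather than StarOS code; the tie-break between equal priorities and the per-task cursor representation are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RadiusServer:
    ip: str
    priority: int = 1000    # 1 is the highest priority; 1000 is the configured default
    state: str = "Active"   # "Active" or "Down" as tracked by detect-dead-server


def by_priority(servers: List[RadiusServer]) -> List[RadiusServer]:
    """Configured servers in relative-priority order.

    Ties are broken by IP address only so the order is deterministic; the page does
    not say how equal priorities are ordered, so that tie-break is an assumption.
    """
    return sorted(servers, key=lambda s: (s.priority, s.ip))


def first_server(servers: List[RadiusServer]) -> Optional[RadiusServer]:
    """first-server (the default): the highest-priority server, falling through to
    the next-highest priority only when the better ones are Down."""
    for server in by_priority(servers):
        if server.state == "Active":
            return server
    return None


def first_n(servers: List[RadiusServer], n: int) -> List[RadiusServer]:
    """first-n: the full accounting data goes to the n highest-priority reachable
    servers and a response from any one of them lets the call proceed."""
    if not 2 <= n <= 128:
        raise ValueError("n must be an integer from 2 through 128")
    return [s for s in by_priority(servers) if s.state == "Active"][:n]


class RoundRobin:
    """round-robin: a circular cursor over the priority-ordered list, kept per
    Session Manager task so that each task walks the list independently."""

    def __init__(self) -> None:
        self._next_index: Dict[str, int] = {}   # assumed: one cursor per task id

    def next_server(self, task_id: str, servers: List[RadiusServer]) -> Optional[RadiusServer]:
        order = by_priority(servers)
        if not order:
            return None
        start = self._next_index.get(task_id, 0)
        for step in range(len(order)):          # at most one full lap around the list
            idx = (start + step) % len(order)
            if order[idx].state == "Active":
                self._next_index[task_id] = (idx + 1) % len(order)
                return order[idx]
        return None                             # every configured server is Down
```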
radius charging server
This command configures
the RADIUS charging server(s) in the current context for Active
Charging Services prepaid authentication.
Privilege:
Security Administrator,
Administrator
Syntax
radius charging server ip_address [ encrypted ] key key [ max max_messages ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius charging server ip_address [ oldports | port port_number ]
no
Removes the server
or server port(s) specified from the list of configured servers.
ip_address
Specifies the IP address
of the server in IPv4 dotted-decimal notation. A maximum
of 128 RADIUS servers can be configured per context. This limit
includes accounting and authentication servers.
[ encrypted ] key key
Specifies the shared
secret key used to authenticate the client to the servers. The encrypted keyword
indicates the key specified is encrypted.
The encrypted keyword
is intended only for use by the system while saving configuration
scripts. The system displays the encrypted keyword
in the configuration file as a flag that the variable following
the key keyword
is the encrypted version of the plain text key. Only the encrypted
key is saved as part of the configuration file.
max max_messages
Specifies the maximum
number of outstanding messages that may be allowed to the server. max_messages must
be an integer from 0 through 4000. Default: 256
max-rate max_rate
Specifies the rate
(number of messages per second), at which the authentication messages should
be sent to the RADIUS server. max_rate must
be an integer from 0 through 1000. Default: 0 (Disabled)
oldports
Sets the UDP communication
port to the old default for RADIUS communications to 1645.
port port_number
Specifies the port
number to use for communications as an integer from 1 through 65535. Default:
1812
priority priority
Specifies the relative
priority of this accounting server. The priority is used in server selection
for determining to which server to send accounting data. priority must
be an integer from 1 through 1000 where 1 is the highest priority.
Default: 1000
admin-status { enable | disable }
Enables or disables
the RADIUS authentication/accounting/charging
server functionality and saves the status setting in the configuration
file to re-establish the set status at reboot.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
This command is used
to configure the RADIUS charging server(s) with which the system is
to communicate for Active Charging Services prepaid authentication
requests.
Up to 128 AAA servers
can be configured per context when the system is functioning as
a PDSN and/or HA. Up to 16 servers are supported per context
when the system is functioning as a GGSN.
Example:
The following commands
configure a RADIUS charging server with the IP address set to 10.2.3.4,
port to 1024, and priority to 10:
radius charging server 10.2.3.4 key sharedKey port 1024 max 127
radius charging server 10.2.3.4 encrypted key scrambledKey oldports priority 10
radius deadtime
This command configures
the maximum period of time (in minutes) that must elapse between
when a context marks a RADIUS server as unreachable and when it
can re-attempt to communicate with the server.
Privilege:
Security Administrator,
Administrator
Syntax
radius deadtime minutes
default radius deadtime
default
Configures the default
setting.
Default: 10 minutes
minutes
Specifies the number
of minutes to wait before changing the state of a RADIUS server
from “Down” to “Active”. minutes must
be an integer from 0 through 65535.
Usage:
Use this command to
configure the basic RADIUS parameters according to the RADIUS server
used for the context.
IMPORTANT:
This parameter should
be set to allow enough time to remedy the issue that originally
caused the server’s state to be changed to “Down”.
After the deadtime timer expires, the system returns the server’s
state to “Active” regardless of whether or not
the issue has been fixed.
IMPORTANT:
For a complete explanation
of RADIUS server states, refer to the RADIUS Server State
Behavior appendix in the AAA
and GTPP Interface Administration and Reference.
Example:
The following command
configures the RADIUS deadtime to 100 minutes:
radius deadtime 100
radius detect-dead-server
This command configures
how the system detects a dead RADIUS server.
Privilege:
Security Administrator,
Administrator
Syntax
radius detect-dead-server { consecutive-failures consecutive_failures_count | keepalive | response-timeout timeout_duration }
{ default | no } radius detect-dead-server
no
Removes the configuration.
default
Configures the default
setting.
- consecutive-failures:
Enabled; 4 consecutive failures
- keepalive:
Disabled
- response-timeout: Disabled
consecutive-failures consecutive_failures_count
Specifies the consecutive
number of times that the system must find the AAA server unreachable
for the server to be marked unreachable, that is the server’s
state is changed from “Active” to “Down”.
consecutive_failures_count must
be an integer from 1 through 1000. Default: Enabled; 4 consecutive
failures
keepalive
Enables the AAA server
alive-dead detect mechanism based on sending keepalive authentication
messages to all authentication servers. Default: Disabled
response-timeout timeout_duration
Specifies the time
duration, in seconds, that the system must wait for a response from
the AAA server to any message before the server is marked unreachable,
that is the server’s state is changed from “Active” to “Down”.
timeout_duration must
be an integer from 1 through 65535. Default: Disabled
Usage:
Use this command to
configure how the system detects a dead RADIUS server.
IMPORTANT:
If both consecutive-failures and response-timeout are
configured, then both parameters must be met before a server’s
state is changed to “Down”.
IMPORTANT:
The “Active” or “Down” state
of a RADIUS server as defined by the system, is based on accessibility
and connectivity. For example, if the server is functional but the
system has placed it into a “Down” state, it could
be the result of a connectivity problem. When a RADIUS server’s
state is changed to “Down”, a trap is sent to
the management station and the deadtime timer is
started.
Example:
The following command
enables the detect-dead-server consecutive-failures mechanism and configures
the consecutive number of failures to 10:
radius detect-dead-server consecutive-failures 10
radius dictionary
Configures the RADIUS
dictionary.
Privilege:
Security Administrator,
Administrator
Syntax
radius dictionary dictionary
default radius dictionary
default
Configures the default
setting.
dictionary
Specifies which dictionary
to use.
dictionary must
be one of the following values:
Table 1. RADIUS Dictionary Types
3gpp
This dictionary consists
of all the attributes in the standard dictionary, and all of the
attributes specified in 3GPP 32.015.
3gpp2
This dictionary consists
of all the attributes in the standard dictionary, and all of the
attributes specified in IS-835-A.
3gpp2-835
This dictionary consists
of all the attributes in the standard dictionary, and all of the
attributes specified in IS-835.
customXX
These are customized
dictionaries. For information on custom dictionaries, please contact
your local service representative.
XX is the
integer of the custom dictionary.
NOTE: RADIUS dictionary custom23 should
be used in conjunction with Active Charging Service (ACS).
standard
This dictionary consists
only of the attributes specified in RFC 2865, RFC 2866, and RFC
2869.
starent
This dictionary consists
of all the attributes in the starent-vsa1 dictionary and incorporates
additional VSAs by using a two-byte VSA Type field. This dictionary
is the master-set of all of the attributes in all of the dictionaries
supported by the system.
starent-835
This dictionary consists
of all of the attributes in the starent-vsa1-835 dictionary and
incorporates additional VSAs by using a two-byte VSA Type field.
This dictionary is the master-set of all of the attributes in all
of the -835 dictionaries supported by the system.
starent-vsa1
This dictionary consists
not only of the 3gpp2 dictionary, but also includes vendor-specific
attributes (VSAs) as well. The VSAs in this dictionary support a
one-byte wide VSA Type field in order to support certain RADIUS
applications. The one-byte limit allows support for only 256 VSAs
(0–255). This is the default dictionary.
IMPORTANT:
In 12.0 and later releases,
no new attributes can be added to the starent-vsa1 dictionary.
If there are any new attributes to be added, these can only be added
to the starent dictionary.
For more information, please contact your Cisco account representative.
starent-vsa1-835
This dictionary consists
not only of the 3gpp2-835 dictionary, but also includes vendor-specific
attributes (VSAs) as well. The VSAs in this dictionary support a
one-byte wide VSA Type field in order to support certain RADIUS
applications. The one-byte limit allows support for only 256 VSAs
(0–255). This is the default dictionary.
Usage:
Use this command to
configure the RADIUS dictionary.
Example:
The following command
configures the RADIUS dictionary standard.
radius dictionary standard
radius group
This command has been
deprecated and is replaced by AAA Server Group configurations. See
the AAA Server Group
Configuration Mode Commands chapter.
radius ip vrf
This command associates
the specific AAA group (NAS-IP) with a Virtual Routing and Forwarding
(VRF) Context instance for BGP/MPLS, GRE, and IPSec tunnel functionality
which needs VRF support for RADIUS communication. By default the
VRF is NULL, which means that AAA group is associated with global
routing table.
Privilege:
Security Administrator,
Administrator
Syntax
radius ip vrf vrf_name
no radius ip vrf
no
Disables the configured
IP Virtual Routing and Forwarding (VRF) context instance and removes
the association between the VRF context instance and the AAA group
instance (NAS-IP).
By default this command
is disabled, which means the NAS-IP being used is assumed a non-VRF
IP and specific AAA group does not have any VRF association.
vrf_name
Specifies the name
of a pre-configured VRF context instance. vrf_name is
the alphanumeric string of a pre-configured VRF context configured
in Context Configuration Mode via the ip vrf command.
CAUTION:
Any incorrect configuration,
such as associating AAA group with wrong VRF instance or removing
a VRF instance, will fail the RADIUS communication.
Usage:
Use this command to
associate/disassociate a pre-configured VRF context for
a feature such as BGP/MPLS VPN or GRE, and IPSec tunneling
which needs VRF support for RADIUS communication.
By default the VRF
is NULL, which means that AAA group (NAS-IP) is associated with global
routing table and NAS-IP being used is assumed a non-VRF IP.
This IP VRF feature
can be applied to RADIUS communication, which associates the VRF with
the AAA group. This command must be configured whenever a VRF IP
is used as a NAS-IP in the AAA group or at the Context level for ‘default’ AAA
group.
This is a required
configuration as VRF IPs may be overlapping hence AAA needs to know
which VRF the configured NAS-IP belongs to. By this support different
VRF-based subscribers can communicate with different RADIUS servers
using the same, overlapping NAS-IP address, if required across different
AAA groups.
Example:
The following command
associates VRF context instance
ip_vrf1 with
specific AAA group (NAS-IP):
radius ip vrf ip_vrf1
radius keepalive
This command configures
the keepalive authentication parameters for the RADIUS server.
Privilege:
Security Administrator,
Administrator
Syntax
radius keepalive [ calling-station-id id | consecutive-response responses_no_of | encrypted | interval interval_duration | password | retries retries_no_of | timeout timeout_duration | username user_name | valid-response access-accept [ access-reject ] ]
default radius keepalive { calling-station-id | consecutive-response | interval | password | retries | timeout | username | valid-response }
default
Configures the default
setting for the specified parameter.
calling-station-id id
Configures the Calling-Station
ID to be used for the keepalive authentication. id must be
an alphanumeric string of size 1 to 15 characters. Default: 000000000000000
consecutive-response responses_no_of
Configures the number
of consecutive authentication responses after which the server is marked
as reachable. responses_no_of must
be an integer from 1 through 10. Default: 1
encrypted password
Designates use of encryption
for the password.
Default: Test-Password
interval interval_duration
Configures the time
interval (in seconds) between two keepalive access requests. interval_duration must
be an integer from 30 through 65535. Default: 30
password
Configures the password
to be used for the authentication as an alphanumeric string of 1 through
63 characters. Default: Test-Password
retries retries_no_of
Configures the number
of times the keepalive access request are sent before marking the server
as unreachable. retries_no_of must
be an integer from 3 through 10. Default: 3
timeout timeout_duration
Configures the time
interval (in seconds) between keepalive access request retries. timeout_duration must
be an integer from 1 through 30. Default: 3
username user_name
Configures the user
name to be used for authentication as an alphanumeric string of
1 through 127 characters. Default: Test-Username
valid-response access-accept [ access-reject ]
Configures the valid
response for the authentication request.
If access-reject is
configured, then both access-accept and access-reject are considered
as success for the keepalive authentication request.
If access-reject is
not configured, then only access-accept is considered as success
for the keepalive access request.
Default: keepalive valid-response
access-accept
Usage:
Use this command to
configure the Keepalive Authentication parameters for the RADIUS server.
Example:
The following command
sets the user name for the RADIUS keepalive access requests to
Test-Username2:
radius keepalive username Test-Username2
The following command
sets the number of retries to 4:
radius keepalive retries 4
radius max-outstanding
This command configures
the maximum number of outstanding messages a single AAA Manager
instance will queue.
Privilege:
Security Administrator,
Administrator
Syntax
radius max-outstanding max_messages
default radius max-outstanding
default
Configures the default
setting.
Default: 256
max_messages
Specifies the maximum
number of outstanding messages a single AAA Manager instance will
queue. max_messages must
be an integer from 1 through 4000. Default: 256
Usage:
Use this command to
configure the maximum number of outstanding messages a single AAA
Manager instance will queue.
Example:
The following command
configures the maximum number of outstanding messages a single AAA
Manager instance will queue to
100:
radius max-outstanding 100
radius max-retries
This command configures
the maximum number of times communication with a AAA server will
be attempted before it is marked as “Not Responding”.
Privilege:
Security Administrator,
Administrator
Syntax
radius max-retries max_retries
default radius max-retries
default
Configures the default
setting.
max_retries
Specifies the maximum
number of times communication with a AAA server will be attempted
before it is marked as “Not Responding”, and the
detect dead server’s consecutive failures count is incremented. max_retries must
be an integer from 0 through 65535. Default: 5
Usage:
Use this command to
configure the maximum number of times communication with a AAA server
will be attempted before it is marked as “Not Responding”.
Example:
The following command
configures the maximum number of times communication with a AAA
server will be attempted before it is marked as “Not Responding” to
10:
radius max-retries 10
radius max-transmissions
This command configures
the maximum number of re-transmissions for RADIUS authentication
requests.
Privilege:
Security Administrator,
Administrator
Syntax
radius max-transmissions max_transmissions
{ default | no } radius max-transmissions
no
Deletes the RADIUS
max-transmissions configuration.
default
Configures the default
setting.
Default: Disabled
max_transmissions
Specifies the maximum
number of re-transmissions for RADIUS authentication requests. This
limit is used in conjunction with radius max-retries configuration
for each server. max_transmissions must
be an integer from 1 through 65535. Default: Disabled
When failing to communicate
with a RADIUS server, the subscriber is failed once all of the configured
RADIUS servers have been exhausted, or once the configured number
of maximum transmissions is reached.
For example, if three
servers are configured and if the configured max-retries is 3 and
max-transmissions is 12, then the primary server is tried four times
(once plus three retries), the secondary server is tried four times,
and then a third server is tried four times. If there is a fourth server,
it is not tried because the maximum number of transmissions (12)
has been reached.
Usage:
Use this command to
configure the maximum number of re-transmissions for RADIUS authentication
requests.
Example:
The following command
configures the maximum number of re-transmissions for RADIUS authentication
requests to
10:
radius max-transmissions 10
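To make the interaction of max-retries and max-transmissions concrete, the following Python model is an added example (not product code and not from this guide) that computes how many requests each server in the priority list receives, how many servers end up marked "Not Responding", and how long an authentication can hang when combined with the radius timeout value described later in this chapter. It assumes, because the text does not say, that the transmission cap is checked before each individual request.

```python
"""Added model of the RADIUS server walk governed by max-retries and
max-transmissions (example code, not part of the product or this guide)."""
from typing import List, Optional


def plan_attempts(num_servers: int, max_retries: int,
                  max_transmissions: Optional[int]) -> List[int]:
    """Return how many requests each server, in priority order, receives.

    A server is tried once plus max_retries times before it is marked
    "Not Responding" and the next server is used.  max_transmissions, when
    not None (None means Disabled), caps the total number of requests across
    all servers; the subscriber is failed when that cap is reached or when
    every server has been exhausted.  Assumption (not stated in the guide):
    the cap is checked before each individual request, so it can cut a
    server's retry sequence short.
    """
    if num_servers < 1:
        raise ValueError("at least one RADIUS server is required")
    if not 0 <= max_retries <= 65535:
        raise ValueError("max-retries must be 0 through 65535")
    if max_transmissions is not None and not 1 <= max_transmissions <= 65535:
        raise ValueError("max-transmissions must be 1 through 65535")

    per_server = max_retries + 1          # one attempt plus the retries
    sent: List[int] = []
    total = 0
    for _ in range(num_servers):
        remaining = (None if max_transmissions is None
                     else max_transmissions - total)
        if remaining is not None and remaining <= 0:
            sent.append(0)                # cap already reached: never tried
            continue
        budget = per_server if remaining is None else min(per_server, remaining)
        sent.append(budget)
        total += budget
    return sent


def servers_marked_not_responding(sent: List[int], max_retries: int) -> int:
    """Count servers that used their full retry budget and are therefore
    marked "Not Responding" (each such event also increments the dead-server
    consecutive-failures count described under radius max-retries)."""
    return sum(1 for n in sent if n == max_retries + 1)


def worst_case_wait_seconds(sent: List[int], timeout_seconds: int) -> int:
    """Seconds an authentication can hang when no server ever answers:
    every request waits the full radius timeout before the next is sent."""
    return sum(sent) * timeout_seconds


if __name__ == "__main__":
    # The guide's own scenario: three servers, max-retries 3, max-transmissions 12.
    print(plan_attempts(3, 3, 12))        # [4, 4, 4]
    # A fourth server is never tried because the 12-transmission cap is reached.
    print(plan_attempts(4, 3, 12))        # [4, 4, 4, 0]
    # With radius timeout 300 (the guide's example value) the same walk can
    # leave a subscriber waiting 12 * 300 = 3600 seconds.
    print(worst_case_wait_seconds(plan_attempts(3, 3, 12), 300))
```

The last line shows why the timeout, retry and transmission limits should be tuned together: a generous timeout multiplied by the full retry budget is the time a subscriber waits before being failed.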
radius mediation-device
See the radius
accounting server command.
radius probe-interval
This command configures
the interval between two RADIUS authentication probes.
Product:
All products supporting
Interchassis Session Recovery (ICSR)
Privilege:
Security Administrator,
Administrator
Syntax
radius probe-interval seconds
default radius probe-interval
default
Configures the default
setting of 3.
seconds
Specifies the time
duration (in seconds) to wait before sending another probe authentication request
to a RADIUS server. The value must be an integer from 1 through
65535. Default: 3
Usage:
Use this command for
ICSR support to set the duration between two authentication probes to
the RADIUS server.
Example:
The following command
sets the authentication probe interval to 30 seconds.
radius probe-interval 30
radius probe-max-retries
This command configures
the number of retries for RADIUS authentication probe response.
Product:
All products supporting
Interchassis Session Recovery (ICSR)
Privilege:
Security Administrator,
Administrator
Syntax
radius probe-max-retries retries
default radius probe-max-retries
default
Configures the default
setting.
Default: 5
retries
Specifies the number
of retries for RADIUS authentication probe response before the authentication
is declared as failed. retries must
be an integer from 1 through 65535. Default: 5
Usage:
Use this command for
ICSR support to set the number of attempts to send RADIUS authentication
probe without a response before the authentication is declared as failed.
Example:
The following command
sets the maximum number of retries to
6:
radius probe-max-retries 6
radius probe-timeout
This command configures
the timeout duration to wait for a response for RADIUS authentication
probes.
Product:
All products supporting
Interchassis Session Recovery (ICSR)
Privilege:
Security Administrator,
Administrator
Syntax
radius probe-timeout timeout_duration
default radius probe-timeout
default
Configures the default
setting.
Default: 3
timeout_duration
Specifies the time
duration (in seconds) to wait for a response from the RADIUS server before
resending the authentication probe. timeout_duration must be
an integer from 1 through 65535. Default: 3
Usage:
Use this command for
ICSR support to set the duration to wait for a response before re-sending
the RADIUS authentication probe to the RADIUS server.
Example:
The following command
sets the authentication probe timeout to 120 seconds:
radius probe-timeout 120
radius server
This command configures
RADIUS authentication server(s) in the current context.
Privilege:
Security Administrator,
Administrator
Syntax
radius server ip_address [ encrypted ] key value [ max max_messages ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ probe | no-probe ] [ probe-username user_name ] [ probe-password [ encrypted ] password password ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius server ip_address [ oldports | port port_number ]
no
Removes the server
or server port(s) specified from the list of configured servers.
ip_address
Specifies the IP address
of the server in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation. A maximum of 128 RADIUS servers can be configured per
context. This limit includes accounting and authentication servers.
[ encrypted ] key value
Specifies the shared
secret key used to authenticate the client to the servers. The encrypted keyword
indicates the key specified is encrypted.
The encrypted keyword
is intended only for use by the system while saving configuration
scripts. The system displays the encrypted keyword
in the configuration file as a flag that the variable following
the key keyword
is the encrypted version of the plain text key. Only the encrypted
key is saved as part of the configuration file.
max max_messages
Specifies the maximum
number of outstanding messages that may be allowed to the server. max_messages must
be an integer from 0 through 4000. Default: 256
max-rate max_rate
Specifies the rate
(number of messages per second) at which the authentication messages should
be sent to the RADIUS server. max_rate must
be an integer from 0 through 1000. Default: 0 (Disabled)
oldports
Sets the UDP communication
port for RADIUS communications to the old default of 1645.
port port_number
Specifies the port
number to use for communications as an integer from 1 through 65535. Default: 1812
priority priority
Specifies the relative
priority of this accounting server. The priority is used in server selection
for determining which server is to receive accounting data.
priority must
be an integer from 1 through 1000 where 1 is the highest priority.
When configuring two or more servers with the same priority you
will be asked to confirm that you want to do this. If you use the -noconfirm option,
you are not asked for confirmation and multiple servers could be
assigned the same priority.
Default: 1000
probe
Enables probe messages
to be sent to the specified RADIUS server.
no-probe
Disables probe messages
from being sent to the specified RADIUS server. This is the default behavior.
probe-username username
Specifies the user
name sent to the RADIUS server to authenticate probe messages. username must
be an alphanumeric string of 1 through 127 characters.
probe-password [ encrypted ] password password
The password sent to
the RADIUS server to authenticate probe messages.
encrypted:
This keyword is intended only for use by the system while saving
configuration scripts. The system displays the encrypted keyword
in the configuration file as a flag that the variable following
the password keyword
is the encrypted version of the plain text password. Only the encrypted
password is saved as part of the configuration file.
password password:
Specifies the probe-user password for authentication. password must
be an alphanumeric string of 1 through 63 characters.
type { mediation-device | standard }
Specifies the type
of transactions the RADIUS server accepts.
mediation-device:
Specifies mediation-device specific AAA transactions. This device
is available if you purchased a transaction control services license. Contact
your local sales representative for licensing information.
standard:
Specifies standard AAA transactions. (Default)
admin-status { enable | disable }
Enables or disables
the RADIUS authentication/accounting/charging
server functionality, and saves the status setting in the configuration
file to re-establish the set status at reboot.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
This command is used
to configure the RADIUS authentication server(s) with which the system
is to communicate for authentication.
Up to 128 RADIUS servers
can be configured per context. The servers can be configured as
Accounting, Authentication, charging servers, or any combination
thereof.
Example:
The following commands
configure RADIUS server with the IP address set to 10.2.3.4, port to
1024, and priority to 10:
radius server 10.2.3.4
key sharedKey port 1024 max 127
radius server 10.2.3.4
encrypted key scrambledKey oldports priority 10
radius strip-domain
This command configures
the stripping of the domain from the user name prior to authentication
or accounting.
Privilege:
Security Administrator,
Administrator
Syntax
radius strip-domain { authentication-only | accounting-only }
no radius strip-domain
no
Removes the RADIUS
strip-domain configuration.
authentication-only
Specifies that the
domain must be stripped from the user name prior to authentication.
accounting-only
Specifies that the
domain must be stripped from the user name prior to accounting.
Usage:
Use this command to
configure the stripping of domain from the user name prior to authentication
or accounting.
By default, strip-domain
configuration will be applied to both authentication and accounting
messages, if configured. When the argument authentication-only or accounting-only is
present, strip-domain is
applied only to the specified RADIUS message types.
Example:
The following command
configures the stripping of domain from the user name prior to authentication:
radius strip-domain
authentication-only
radius timeout
This command configures
the time duration to wait for a response from the RADIUS server
before resending the messages.
Privilege:
Security Administrator,
Administrator
Syntax
radius timeout timeout_duration
default radius timeout
default
Configures the default
setting.
timeout_duration
Specifies the time
duration (in seconds) to wait for a response from the RADIUS server before
resending the messages. timeout_duration must
be an integer from 1 through 65535. Default: 3
Usage:
Use this command to
configure the time duration to wait for a response from the RADIUS server
before resending the messages.
Example:
The following command
configures the RADIUS timeout parameter to 300 seconds:
radius timeout 300
radius trigger
This command enables
specific RADIUS triggers. The RADIUS Trigger configuration in the
Context Configuration Mode is to enable backward compatibility.
To configure RADIUS triggers for the default AAA group, you must
configure them in the Context Configuration Mode.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] radius
trigger { ms-timezone-change | qos-change | rai-change | rat-change | serving-node-change | uli-change }
default radius trigger
no
Disables the specified
RADIUS trigger.
default
Configures the default
setting.
Default: All RADIUS
triggers are enabled.
ms-timezone-change
Specifies to enable
RADIUS trigger for MS time zone change.
qos-change
Specifies to enable
RADIUS trigger for Quality of Service change.
rai-change
Specifies to enable
RADIUS trigger for Routing Area Information change.
rat-change
Specifies to enable
RADIUS trigger for Radio Access Technology change.
serving-node-change
Specifies to enable
RADIUS trigger for Serving Node change.
uli-change
Specifies to enable
RADIUS trigger for User Location Information change.
Usage:
Use this command to
enable RADIUS triggers.
Example:
The following command
enables RADIUS trigger for RAT change:
radius trigger rat-change
route-access-list
extended
Configures an access
list for filtering routes based on a specified range of IP addresses.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] route-access-list
extended identifier { deny | permit } ip { network_parameter } { mask_parameter }
no
Deletes the specified
route access list.
identifier
Specifies a value to
identify the route access list as an integer from 100 through 999.
deny
Deny routes that match
the specified criteria.
permit
Permit routes that
match the specified criteria.
ip network_parameter ip_address
wildcard_mask
Specifies the network
portion of the route to match. The network portion of the route
is mandatory and must be expressed in one of the following ways:
- ip_address
wildcard_mask: Matches a network address and
wildcard mask expressed in IPv4 dotted-decimal notation.
- any: Matches
any network address.
- host network_address: Match
the specified network address exactly. network_address must
be an IPv4 address specified in dotted-decimal notation.
mask_parameter
This specifies the
mask portion of the route to match. The mask portion of the route
is mandatory and must be expressed in one of the following ways:
- mask_address
wildcard_mask: A mask address and wildcard mask
expressed in IPv4 dotted-decimal notation.
- any: Match
any network mask.
- host mask_address: Match
the specified mask address exactly. mask_address must
be an IPv4 address specified in dotted-decimal notation.
Usage:
Use this command to
create an extended route-access-list that matches routes based on network
addresses and masks.
Example:
Use the following command
to create an extended route-access-list:
route-access-list extended
100 permit ip 192.168.100.0 0.0.0.255
route-access-list
named
Configures an access
list for filtering routes based on a network address and net mask.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] route-access-list
named list_name { deny | permit } { ip_address/mask | any } [ exact-match ]
no
Deletes the specified
route access list.
list_name
Specifies name that
identifies the route access list as an alphanumeric string of 1
through 79 characters.
deny
Denies routes that
match the specified criteria.
permit
Permits routes that
match the specified criteria.
ip_address/mask
Specifies the IP address
(in IPv4 dotted-decimal notation) and the number of subnet bits, representing
the subnet mask in CIDR notation (for example 10.1.1.1/24).
exact-match
Matches the IP address
prefix exactly.
Usage:
Use this command to
create route-access lists that specify routes that are accepted.
Example:
Use the following command
to create a route access list named
list27 that
permits routes that match
192.168.1.0/24 exactly:
route-access-list named
list27 permit 192.168.1.0/24 exact-match
To delete the list,
use the following command:
no route-access-list
named list27 permit 192.168.1.0/24 exact-match
route-access-list
standard
Configures an access-list
for filtering routes based on network addresses.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] route-access-list
standard identifier { permit | deny } { ip_address wildcard_mask | any | host network_address }
no
Deletes the specified
route access list.
identifier
Specifies a value that
identifies the route-access-list as an integer from 1 through 99.
deny
Denies routes that
match the specified criteria.
permit
Permits routes that
match the specified criteria.
ip_address wildcard_mask
Specifies the IP address
and subnet mask to match for routes. Both ip_address and wildcard_mask must be
entered in IPv4 dotted-decimal notation. (For example, 192.168.100.0 255.255.255.0)
host network_address
Matches only routes
having the specified network address as if it had a 32-bit network
mask. network_address must
be an IPv4 address specified in dotted-decimal notation.
Usage:
Use this command to
create route-access-lists that specify routes that are accepted.
Example:
Use the following command
to create a route access list with an identifier of
10 that permits
routes:
route-access-list standard
10 permit 192.168.1.0 255.255.255.0
To delete the list,
use the following command:
no route-access-list
standard 10 permit 192.168.1.0 255.255.255.0
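The three route-access-list forms above (extended, named and standard) all reduce to a small set of matching rules. The following Python model is an added example, not product code and not from this guide, that applies those rules to routes expressed as (network, mask) pairs. It treats the second argument of the standard and extended forms as a wildcard mask, as the parameter name states (a 1 bit means "don't care"), and assumes, since the page does not say, that a route matching no entry is denied and that a named-list entry without exact-match also matches more specific routes inside its prefix.

```python
"""Added model of route-access-list matching (example code, not part of the
product or this guide)."""
import ipaddress
from typing import Optional, Sequence, Tuple

# A route is (network_address, subnet_mask) in dotted-decimal notation,
# e.g. ("192.168.100.0", "255.255.255.0").
Route = Tuple[str, str]
# A standard/extended entry is (action, network_pattern, mask_pattern);
# mask_pattern is None for standard lists, a pattern for extended lists.
Entry = Tuple[str, str, Optional[str]]


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: str, pattern: str) -> bool:
    """Match one dotted-decimal value against a network/mask pattern.

    pattern is one of:
      "any"              matches everything
      "host A.B.C.D"     must equal A.B.C.D exactly (as with a 32-bit mask)
      "A.B.C.D W.W.W.W"  address plus wildcard mask: a 1 bit in the wildcard
                         is "don't care", a 0 bit must match the address
    """
    if pattern == "any":
        return True
    parts = pattern.split()
    if parts[0] == "host":
        return _ip(value) == _ip(parts[1])
    addr, wild = parts
    care = 0xFFFFFFFF ^ _ip(wild)          # bits that must be equal
    return (_ip(value) & care) == (_ip(addr) & care)


def evaluate_acl(entries: Sequence[Entry], route: Route) -> str:
    """Apply a standard or extended route-access-list to one route.

    Entries are tested in order and the first match decides.  Assumption
    (not stated in the guide): a route matching no entry is denied.
    """
    network, mask = route
    for action, net_pattern, mask_pattern in entries:
        if not wildcard_match(network, net_pattern):
            continue
        # Extended lists also compare the route's mask (e.g. to single out
        # host routes); standard lists carry no mask pattern.
        if mask_pattern is not None and not wildcard_match(mask, mask_pattern):
            continue
        return action
    return "deny"


def named_match(prefix: str, route: Route, exact_match: bool) -> bool:
    """Match a route against a named-list entry written in CIDR form.

    With exact-match the route's prefix and length must equal the entry's.
    Without it (assumption, not stated in the guide) any route whose network
    lies inside the entry's prefix also matches, e.g. 192.168.1.128/25
    matches a 192.168.1.0/24 entry.
    """
    entry_net = ipaddress.IPv4Network(prefix, strict=False)
    route_net = ipaddress.IPv4Network(f"{route[0]}/{route[1]}", strict=False)
    if exact_match:
        return route_net == entry_net
    return route_net.subnet_of(entry_net)


def evaluate_named(entries: Sequence[Tuple[str, str, bool]],
                   route: Route) -> str:
    """Apply a named route-access-list; entries are (action, prefix|"any",
    exact_match).  Same first-match and implicit-deny rules as evaluate_acl."""
    for action, prefix, exact in entries:
        if prefix == "any" or named_match(prefix, route, exact):
            return action
    return "deny"


if __name__ == "__main__":
    # The guide's extended example, with "any" for the mandatory mask part:
    # route-access-list extended 100 permit ip 192.168.100.0 0.0.0.255 any
    acl_100 = [("permit", "192.168.100.0 0.0.0.255", "any")]
    print(evaluate_acl(acl_100, ("192.168.100.0", "255.255.255.0")))   # permit
    print(evaluate_acl(acl_100, ("192.168.101.0", "255.255.255.0")))   # deny
    # The guide's named example: list27 permit 192.168.1.0/24 exact-match
    list27 = [("permit", "192.168.1.0/24", True)]
    print(evaluate_named(list27, ("192.168.1.128", "255.255.255.128")))  # deny
```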
route-map
Creates a route-map
that is used by the routing features and enters Route-map Configuration
mode. A route-map allows redistribution of routes and includes a
list of match and set commands associated with it. The match commands
specify the conditions under which redistribution is allowed; the
set commands specify the particular redistribution actions to be performed
if the criteria specified by match commands are met. Route-maps
are used for detailed control over route distribution between routing
processes. Up to eight route-maps can be created in each context.
Refer to the Route-map
Configuration Mode Commands chapter for more information.
Privilege:
Security Administrator,
Administrator
Syntax
route-map map_name { deny | permit } seq_number
no route-map map_name
no
Deletes the specified
route map.
map_name
Specifies the name
of the route map to create or edit as an alphanumeric string of
1 through 69 characters.
deny
If the deny parameter
is specified and the match command criteria are met, the route is
not redistributed and any other route maps with the same map name
are not examined. Set commands have no effect on deny route-maps.
permit
If the permit parameter
is specified, and the match criteria are met, the route is redistributed as
specified by set actions. If the match criteria are not met, the
next route map with the same name is tested.
seq_number
Specifies the sequence
number that indicates the position a new route map is to have in
the list of route maps already configured with the same name. Route
maps with the same name are tested in ascending order of their sequence
numbers. This must be an integer from 1 through 65535.
Usage:
Use this command to
create route maps that allow redistribution of routes based on specified
criteria and set parameters for the routes that get redistributed.
The chassis supports a maximum of 64 route maps per context.
Example:
To create a route map
named map1 that permits routes that match the specified criteria,
use the following command:
route-map map1 permit 10
To delete the route-map,
enter the following command:
no route-map map1 permit 10
router
Enables BGP, Open Shortest
Path First (OSPF) or OSPF version 3 (OSPFv3) routing functionality
and enters the corresponding Configuration Mode. Refer to the BGP Configuration Mode
Commands, OSPF Configuration
Mode Commands or OSPFv3
Configuration Mode Commands chapter for details on associated Configuration
mode commands.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] router { bgp as_number | ospf | ospfv3 | rip }
no
Disables the specified
routing support in the current context.
bgp as_number
Enables a BGP routing
service for this context and assigns it the specified Autonomous System
(AS) number before entering the BGP Configuration mode. as_number must
be an integer from 1 through 4294967295.
IMPORTANT:
BGP routing is supported
only for use with the HA.
ospf
Enables OSPF routing
in this context and enters OSPF Configuration mode.
ospfv3
Enables OSPFv3 routing
in this context and enters OSPFv3 Configuration mode.
Usage:
Use this command to
enable and configure OSPF and BGP routing in the current context.
IMPORTANT:
You must obtain and
install a valid license key to use these features. Refer to the System Administration
Guide for details on obtaining and installing feature use license keys.
Example:
The following command
enables the OSPF routing functionality and enters the OSPF Configuration
Mode:
router ospf
The following command
enables the OSPFv3 routing functionality and enters the OSPFv3 Configuration
Mode:
router ospfv3
The following command
enables a BGP routing service with an AS number of
100, and enters
the BGP Configuration Mode:
router bgp 100
server
Configures remote server
access protocols for the current context. This command is used to
enter the specified protocol's configuration mode.
Privilege:
Security Administrator,
Administrator
Syntax
server { ftpd | named | sshd | telnetd | tftpd }
no server { ftpd | named | sshd | telnetd | tftpd } [ kill ]
no
Disables the specified
service.
ftpd
Enters the FTP Server
Configuration Mode.
IMPORTANT:
The FTPD server can
only be configured in the local context.
named
Starts the named server.
sshd
Enters the SSH Server
Configuration Mode.
IMPORTANT:
The SSHD server allows
only three unsuccessful login attempts before closing a login session
attempt.
telnetd
Enters the Telnet Server
Configuration Mode.
IMPORTANT:
The TELNET server allows
only three unsuccessful login attempts before closing a login session
attempt.
tftpd
Enters the TFTP Server
Configuration Mode.
IMPORTANT:
The TFTPD server can
only be configured in the local context.
kill
Indicates all instances
of the server are to be stopped.
This option only works
with the ftpd, sshd, telnetd, and tftpd commands.
Usage:
Enter the Context Configuration
Mode for the appropriate, previously defined context, to set the
server option(s). Repeat the command as needed to enable/disable
more than one option server daemon.
Example:
server ftpd
server named
no server tftpd
server sshd
server telnetd
no server telnetd kill
service-redundancy-protocol
Configures Interchassis
Session Recovery (ICSR) services for the current context. This command
is used to enter the Service Redundancy Protocol Configuration Mode.
Product:
All products supporting
ICSR
Privilege:
Security Administrator,
Administrator
Syntax
service-redundancy-protocol
Usage:
Enter the configuration
mode to set the service redundancy protocol options.
Example:
The following command
enters Service Redundancy Protocol Configuration Mode.
service-redundancy-protocol
sgsn-service
Creates an SGSN service
instance and enters the SGSN Service Configuration mode. This mode
configures or edits the configuration for an SGSN service which
controls the SGSN functionality.
An SGSN mediates access
to GPRS/UMTS network resources on behalf of user equipment
(UE) and implements the packet scheduling policy between different QoS
classes. It is responsible for establishing the packet data protocol
(PDP) context with the GGSN.
IMPORTANT:
For details about the
commands and parameters, check the SGSN Service Configuration
Mode chapter.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sgsn-service srvc_name
no
Remove the configuration
for the specified SGSN service from the configuration of the current
context.
srvc_name
Specifies the name
of the SGSN service as a unique alphanumeric string of 1 through
63 characters.
Usage:
Use this command to
create, edit, or remove an SGSN service.
Example:
The following command
creates an SGSN service named
sgsn1 in the
current context:
sgsn-service sgsn1
The following command
removes the sgsn service named
sgsn1 from
the configuration for the current context:
no sgsn-service sgsn1
sgs-service
Creates an SGs service
instance and enters the SGS Service Configuration mode.
Syntax
[ no ] sgs-service name
no
Remove the configuration
for the specified SGs service from the configuration of the current context.
name
Specifies a name for
an SGs service as a unique alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
Usage:
Enter the SGS Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system
handoffs). Therefore, it is recommended that a large number of services
only be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Entering this command
results in the following CLI prompt:
[context_name]hostname(config-sgs-service)#
SGS Service Configuration
Mode commands are defined in the MME SGS Service Configuration
Mode Commands chapter.
Example:
The following command
creates an SGS service named
sgs1 in the
current context:
sgs-service sgs1
The following command
removes the SGS service named
sgs1 from
the configuration for the current context:
no sgs-service sgs1
sgw-service
Creates an S-GW service
or specifies an existing S-GW service and enters the S-GW Service
Configuration Mode for the current context.
Syntax
sgw-service service_name [ -noconfirm ]
no sgw-service service_name
service_name
Specifies the name
of the S-GW service. If service_name does not
refer to an existing service, the new service is created if resources
allow. service_name is
an alphanumeric string of 1 through 63 characters.
-noconfirm
Executes the command
without any additional prompt and confirmation from the user.
no sgw-service service_name
Removes the specified
S-GW service from the context.
Usage:
Enter the S-GW Service
Configuration Mode for an existing service or for a newly defined service.
This command is also used to remove an existing service.
A maximum of 256 services
(regardless of type) can be configured per system.
CAUTION:
Large numbers of services
greatly increase the complexity of management and may impact overall
system performance (for example, resulting from such things as system
handoffs). Therefore, it is recommended that a large number of services
only be configured if your application absolutely requires it. Please
contact your local service representative for more information.
Entering this command
results in the following prompt:
[context_name]hostname(config-sgw-service)#
S-GW Service Configuration
Mode commands are defined in the S-GW Service Configuration
Mode Commands chapter.
Use this command when
configuring the following SAE components: S-GW.
Example:
The following command
enters the existing S-GW Service Configuration Mode (or creates
it if it does not already exist) for the service named
sgw-service1:
sgw-service sgw-service1
The following command
will remove
sgw-service1 from
the system:
no sgw-service sgw-service1
ssh
Generates public and
private keys for use with the configured Secure Shell (SSH) server
for the current context and sets the public/private key
pair to specified values.
Privilege:
Security Administrator,
Administrator
Syntax
ssh { generate
key | key data length octets } [ type { v1-rsa | v2-rsa | v2-dsa } ]
no ssh key [ type { v1-rsa | v2-rsa | v2-dsa } ]
no ssh key [ type { v1-rsa | v2-rsa | v2-dsa } ]
This command clears
configured SSH keys. If type is not specified, all SSH keys are cleared.
generate key
Generates a public/private
key pair which is to be used by the SSH server. The generated key pair
is in use until the command is issued again.
key data length octets
Sets the public/private
key pair to be used by the system where data is the
encrypted key and length is the
length of the encrypted key in octets. data must
be an alphanumeric string of 1 through 1023 characters and octets must be
a value in the range of 0 through 65535.
[ type { v1-rsa | v2-rsa | v2-dsa } ]
Specifies the type
of SSH key to generate. If type is not specified, all three key
types are generated.
- v1-rsa: SSH
v1 RSA host key only
- v2-rsa: SSH
v2 RSA host key only
- v2-dsa: SSH
v2 DSA host key only
IMPORTANT:
For maximum security,
it is recommended that only SSH v2 be used. v2-rsa is
the recommended key type.
Usage:
Generate secure shell
keys for use in public key authentication.
Example:
ssh generate key
ssh key g6j93fw59cx length 128
ssl
Creates a new Secure
Sockets Layer (SSL) template or specifies an existing one and enters
the SSL Template Configuration Mode.
Syntax
[ no ] ssl
template name { ssl-subscriber }
no
Removes the specified
SSL template from the context.
template name
Specifies the name
of a new or existing SSL template as an alphanumeric string of 1
through 127 alphanumeric characters.
ssl-subscriber
Specifies that the
SSL template is an SSL subscriber template.
Usage:
Use this command to
create a new SSL template or modify an existing one.
Entering this command
results in the following prompt:
[context_name]hostname(cfg-ctx-ssl-subscriber-template)#
SSL Template Configuration
Mode commands are defined in the SSL Template Configuration
Mode Commands chapter.
Example:
The following command
specifies the SSL template
ssl_template_1 and
enters the SSL Template Configuration Mode:
ssl template ssl_template_1
ssl-subscriber
subscriber
Configures the specified
subscriber for the current context.
Privilege:
Security Administrator,
Administrator
Syntax
subscriber { default | name user_name } asn-service-info mobility [ ipv4 | ipv6 | ipv6-ipv4 ]
no subscriber { default | name user_name }
no
Indicates the subscriber
specified is to be removed from the list of allowed users for the current
context.
default | name user_name
default:
Enters the Subscriber Configuration Mode for the context’s
default subscriber settings.
name user_name:
Specifies the user which is to be allowed to use the services of
the current context. user_name must
be an alphanumeric string of 1 through 127 characters.
asn-service-info mobility:
Indicates the type of mobility supported and enabled in the Autonomous
System Number (ASN).
Usage:
Enter the Subscriber
Configuration Mode for actual users as well as for a default subscriber
for the current context.
Entering this command
results in the following prompt:
[context_name]hostname(config-subscriber)#
Subscriber Configuration
Mode commands are defined in the Subscriber Configuration
Mode Commands chapter.
NAS uses the specified
parameter for asn-service-info mobility to indicate and pack the mobility
support field for IPv4, IPv6, or both, in the Service-Info attribute
in the Access-request. RADIUS sends back this attribute in the Access-accept
message by indicating respective bits to authorize the service indicated
by NAS.
IMPORTANT:
A maximum of 128 subscribers
and/or administrative users may be locally configured per context.
Example:
The following command configures
the default subscriber in a context:
subscriber default
The following command removes
the default subscriber from a context:
no subscriber default
The following command configures
a subscriber named
user1 in
a context:
subscriber name user1
The following command removes
a subscriber named
user1 from
a context:
no subscriber name user1
threshold available-ip-pool-group
Configures context-level
thresholds for IP pool utilization for the system.
Privilege:
Security Administrator,
Administrator
Syntax
threshold available-ip-pool-group low_thresh [ clear high_thresh ]
default threshold available-ip-pool-group
default
Configures the default
setting.
low_thresh
The low threshold IP
pool utilization percentage that must be met or exceeded within
the polling interval to generate an alert or alarm. low_thresh can
be configured as an integer from 0 through 100. Default: 10
clear high_thresh
Specifies the high
threshold IP pool utilization percentage that maintains a previously generated
alarm condition. If the utilization percentage rises above the high
threshold within the polling interval, a clear alarm will be generated. high_thresh can
be configured as an integer from 0 through 100. Default: 10
IMPORTANT:
This value is ignored
for the Alert model. In addition, if this value is not configured
for the Alarm model, the system assumes it is identical to the low
threshold.
Usage:
When IP address pools
are configured on the system, they can be assigned to a group. IP address
pool utilization thresholds generate alerts or alarms based on the
utilization percentage of all IP addresses contained in the pool group
during the specified polling interval.
All configured public
IP address pools that were not assigned to a group are treated as belonging
to the same group. Individual configured static or private pools
are each treated as their own group.
Alerts or alarms are
triggered for IP address pool utilization based on the following rules:
- Enter Condition:
Actual IP address utilization percentage per pool group < Low Threshold
- Clear Condition:
Actual IP address utilization percentage per pool group > High Threshold
If a trigger condition
occurs within the polling interval, the alert or alarm will not
be generated until the end of the polling interval.
The following table describes the possible methods for configuring IP pool utilization thresholds:
Table 2. IP Pool Utilization Thresholds - Configuration Methods
Method | Description
Context-level | A single IP pool utilization threshold can be configured for all IP pool groups within a given system context. If a single threshold is configured for all pool groups, separate alerts or alarms can be generated for each group. This command configures that threshold.
IP address pool-level | Each individual IP address pool can be configured with its own threshold. Thresholds configured for individual pools take precedence over the context-level threshold that would otherwise be applied (if configured). In the event that two IP address pools belonging to the same pool group are configured with different thresholds, the system uses the pool configuration that has the greatest low threshold for that group.
Example:
The following command configures a context-level IP pool utilization low threshold percentage of 10 and a high threshold of 35 for a system using the Alarm thresholding model:
threshold available-ip-pool-group 10 clear 35
threshold ha-service init-rrq-rcvd-rate
Sets an alarm or alert
based on the average number of calls setup per second for an HA
service.
Privilege:
Security Administrator,
Administrator
Syntax
threshold ha-service init-rrq-rcvd-rate high_thresh [ clear low_thresh ]
no threshold ha-service init-rrq-rcvd-rate
no
Deletes the alert or
alarm.
high_thresh
Sets the high threshold
average number of calls setup per second that must be met or exceeded
within the polling interval to generate an alert or alarm. It can
be configured as an integer from 0 through 1000000. Default: 0
clear low_thresh
Sets the low threshold
average number of calls setup per second that must be met or exceeded
within the polling interval to clear an alert or alarm. It can be
configured as an integer from 0 through 1000000. Default: 0
IMPORTANT:
This value is ignored
for the Alert model. In addition, if this value is not configured
for the Alarm model, the system assumes it is identical to the high
threshold.
Usage:
Use this command to
set an alert or an alarm when the average number of calls setup
per second is equal to or less than a specified number of calls
per second.
Alerts or alarms are
triggered for the number of calls setup per second based on the following
rules:
- Enter Condition:
Actual number of calls setup per second > High Threshold
- Clear Condition:
Actual number of calls setup per second < Low Threshold
Example:
The following command configures a number of calls setup per second threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
threshold ha-service init-rrq-rcvd-rate 1000 clear 500
threshold ip-pool-free
Sets an alarm or alert
based on the percentage of IP addresses that are unassigned in an
IP pool. This command affects all IP pools in the current context.
Privilege:
Security Administrator,
Administrator
Syntax
threshold ip-pool-free low_thresh [ clear high_thresh ]
default threshold ip-pool-free
default
Configures the default
setting.
low_thresh
Sets the low threshold
percentage of addresses available in an IP pool that must be met
or exceeded within the polling interval to generate an alert or
alarm. It can be configured as an integer between 0 and 100. Default: 0
clear high_thresh
Sets the high threshold
percentage of addresses available in an IP pool that maintains a previously
generated alarm condition. If the utilization percentage rises above
the high threshold within the polling interval, a clear alarm will
be generated. It may be configured as an integer between 0 and 100.
Default: 0
IMPORTANT:
This value is ignored
for the Alert model. In addition, if this value is not configured
for the Alarm model, the system assumes it is identical to the low
threshold.
Usage:
Use this command to
set an alert or an alarm when the number of unassigned IP addresses in
any pool is equal to or less than a specified percentage of the
total number of addresses in the pool.
Alerts or alarms are
triggered for percentage of IP address pool free based on the following rules:
- Enter Condition:
Actual percentage of IP addresses free per pool < Low Threshold
- Clear Condition:
Actual percentage of IP addresses free per pool > High Threshold
IMPORTANT:
This command is overridden
by the settings of the alert-threshold keyword
of the ip pool command.
Example:
The following command configures a context-level low threshold of 10 percent of IP addresses unused and a high threshold of 35 for a system using the Alarm thresholding model:
threshold ip-pool-free 10 clear 35
threshold ip-pool-hold
Sets an alert based
on the percentage of IP addresses from an IP pool that are on hold.
This command affects all IP pools in the current context.
Privilege:
Security Administrator,
Administrator
Syntax
threshold ip-pool-hold high_thresh [ clear low_thresh ]
default threshold ip-pool-hold
default
Configures the default
setting.
high_thresh
Sets the high threshold
percentage of addresses on hold in an IP pool that must be met or exceeded
within the polling interval to generate an alert or alarm. It can
be configured as an integer from 0 through 100. Default: 0
clear low_thresh
Sets the low threshold
percentage of addresses on hold in an IP pool that maintains a previously
generated alarm condition. If the utilization percentage rises below
the low threshold within the polling interval, a clear alarm will
be generated. It may be configured as an integer from 0 through
100. Default: 0
IMPORTANT:
This value is ignored
for the Alert model. In addition, if this value is not configured
for the Alarm model, the system assumes it is identical to the high
threshold.
Usage:
Use this command to
set an alert or an alarm when the percentage of IP addresses on
hold in any pool is equal to or greater than a specified percentage
of the total number of addresses in the pool.
Alerts or alarms are
triggered for percentage of IP address pool addresses on hold based
on the following rules:
- Enter Condition:
Actual percentage of IP addresses on hold per pool > High Threshold
- Clear Condition:
Actual percentage of IP addresses on hold per pool < Low Threshold
IMPORTANT:
This command is overridden
by the settings of the alert-threshold keyword
of the ip pool command.
Example:
The following command configures a context-level high threshold of 35 percent of IP addresses on hold and a low threshold of 10 for a system using the Alarm thresholding model:
threshold ip-pool-hold 35 clear 10
threshold ip-pool-release
Sets an alert based
on the percentage of IP addresses from an IP pool that are in the
release state. This command affects all IP pools in the current
context.
Privilege:
Security Administrator,
Administrator
Syntax
threshold ip-pool-release high_thresh [ clear low_thresh ]
default threshold ip-pool-release
default
Configures the default
setting.
high_thresh
Sets the high threshold
percentage of addresses in the release state in an IP pool that
must be met or exceeded within the polling interval to generate
an alert or alarm. It can be configured as an integer from 0 through
100. Default: 0
clear low_thresh
Sets the low threshold
percentage of addresses in the release state in an IP pool that maintains
a previously generated alarm condition. If the utilization percentage
rises below the low threshold within the polling interval, a clear
alarm will be generated. It may be configured as an integer from
0 through 100. Default: 0
IMPORTANT:
This value is ignored
for the Alert model. In addition, if this value is not configured
for the Alarm model, the system assumes it is identical to the low
threshold.
Usage:
Use this command to
set an alert or an alarm when the number of IP addresses in the release state
in any pool is equal to or greater than a specified percentage of
the total number of addresses in the pool.
Alerts or alarms are
triggered for percentage of IP address pool addresses in the release state
based on the following rules:
- Enter Condition:
Actual percentage of IP addresses in the release state per pool > High Threshold
- Clear Condition:
Actual percentage of IP addresses in the release state per pool < Low Threshold
IMPORTANT:
This command is overridden
by the settings of the alert-threshold keyword
of the ip pool command.
Example:
The following command configures a context-level high threshold of 35 percent of IP addresses in the release state and a low threshold of 10 for a system using the Alarm thresholding model:
threshold ip-pool-release 35 clear 10
threshold ip-pool-used
Sets an alert based
on the percentage of IP addresses that have been assigned from an
IP pool. This command affects all IP pools in the current context.
Privilege:
Security Administrator,
Administrator
Syntax
threshold ip-pool-used high_thresh [ clear low_thresh ]
default threshold ip-pool-used
default
Configures the default
setting.
high_thresh
Sets the high threshold
percentage of addresses assigned from an IP pool that must be met
or exceeded within the polling interval to generate an alert or
alarm. It can be configured as an integer from 0 through 100. Default: 0
clear low_thresh
Sets the low threshold
percentage of addresses assigned from an IP pool that maintains
a previously generated alarm condition. If the utilization percentage
rises above the high threshold within the polling interval, a clear
alarm will be generated. It may be configured to any integer between
0 and 100. Default: 0
IMPORTANT:
This value is ignored
for the Alert model. In addition, if this value is not configured
for the Alarm model, the system assumes it is identical to the low
threshold.
Usage:
Use this command to
set an alert or an alarm when the number of IP addresses assigned from
any pool is equal to or greater than a specified percentage of the
total number of addresses in the pool.
Alerts or alarms are
triggered for percentage of IP address pool addresses used based
on the following rules:
- Enter Condition:
Actual percentage of IP addresses used per pool > High Threshold
- Clear Condition:
Actual percentage of IP addresses used per pool < Low Threshold
IMPORTANT:
This command is overridden
by the settings of the alert-threshold keyword
of the ip pool command.
Example:
The following command configures a context-level high threshold of 35 percent of IP addresses used and a low threshold of 10 for a system using the Alarm thresholding model:
threshold ip-pool-used 35 clear 10
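The threshold available-ip-pool-group command and the threshold ip-pool-x commands above all share the same evaluation semantics: a trigger value, an optional clear value, per-group aggregation with pool-level overrides, and the Alarm/Alert distinction. The following Python model is an added example, not Cisco's code, that ties those rules together: it resolves the effective (low, high) pair per pool group (pool-level overrides beat the context threshold, the greatest low threshold wins within a group, an unconfigured clear value equals the trigger value), computes group utilization, and runs an Alarm- or Alert-model monitor once per polling interval in either direction (below-triggered for available-ip-pool-group and ip-pool-free, above-triggered for ip-pool-used, ip-pool-hold, ip-pool-release and the init-rrq-rcvd-rate commands). The pool names, sizes and counts are constructed sample data, and the assumption that a pool-level override carries its own clear value is ours.

```python
# Added example, not Cisco's code: a model of how context-level and
# pool-level IP pool thresholds combine per pool group, and how the Alarm
# and Alert models raise and clear a condition at the end of each polling
# interval.  Pool data below is constructed; treating a pool-level override
# as carrying its own clear value is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Pool:
    name: str
    size: int                          # total addresses in the pool
    used: int                          # addresses currently assigned
    kind: str = "public"               # "public" pools may be grouped; static/private stand alone
    group: Optional[str] = None        # pool group, if one is assigned
    low_thresh: Optional[int] = None   # pool-level override (alert-threshold keyword of ip pool)
    high_thresh: Optional[int] = None  # pool-level clear value, if configured (assumption)


def effective_group(pool: Pool) -> str:
    """Ungrouped public pools share one group; static/private pools each form their own."""
    if pool.kind != "public":
        return "pool:" + pool.name
    return pool.group or "ungrouped-public"


def resolve_thresholds(pools: List[Pool], ctx_low: int,
                       ctx_high: Optional[int]) -> Dict[str, Tuple[int, int]]:
    """Return {group: (low, high)}.  A pool-level threshold overrides the context
    one; when pools in a group disagree, the greatest low threshold wins.  An
    unconfigured clear value is taken to equal the trigger value (Alarm-model rule)."""
    groups = set()
    overrides: Dict[str, Tuple[int, int]] = {}
    for pool in pools:
        grp = effective_group(pool)
        groups.add(grp)
        if pool.low_thresh is None:
            continue
        high = pool.high_thresh if pool.high_thresh is not None else pool.low_thresh
        if grp not in overrides or pool.low_thresh > overrides[grp][0]:
            overrides[grp] = (pool.low_thresh, high)
    ctx = (ctx_low, ctx_high if ctx_high is not None else ctx_low)
    return {grp: overrides.get(grp, ctx) for grp in sorted(groups)}


def group_utilization(pools: List[Pool]) -> Dict[str, float]:
    """Utilization percentage over all addresses contained in each pool group."""
    totals: Dict[str, List[int]] = {}
    for pool in pools:
        used_size = totals.setdefault(effective_group(pool), [0, 0])
        used_size[0] += pool.used
        used_size[1] += pool.size
    return {grp: 100.0 * used / size for grp, (used, size) in totals.items()}


class ThresholdMonitor:
    """Evaluates one monitored value per key at the end of each polling interval.
    trigger="below": enter when value < low, clear when value > high.
    trigger="above": enter when value > high, clear when value < low.
    model="alarm": condition stays outstanding until the clear value is crossed.
    model="alert": every crossing is reported and the clear value is ignored."""

    def __init__(self, trigger: str, model: str) -> None:
        self.trigger, self.model = trigger, model
        self.outstanding: Dict[str, bool] = {}

    def poll(self, key: str, value: float, low: int, high: int) -> Optional[str]:
        if self.trigger == "below":
            entered, cleared = value < low, value > high
        else:
            entered, cleared = value > high, value < low
        if self.model == "alert":
            return "alert" if entered else None
        if entered and not self.outstanding.get(key, False):
            self.outstanding[key] = True
            return "alarm"
        if cleared and self.outstanding.get(key, False):
            self.outstanding[key] = False
            return "clear"
        return None


def demo() -> List[Tuple[str, Optional[str]]]:
    """Constructed scenario: 'threshold available-ip-pool-group 10 clear 35' at the
    context level, one pool in group grpA overriding to 20 / 40, two polling intervals."""
    pools = [
        Pool("pub-a", size=1000, used=50, group="grpA"),
        Pool("pub-b", size=1000, used=30, group="grpA", low_thresh=20, high_thresh=40),
        Pool("pub-c", size=1000, used=800),                # ungrouped public pool
        Pool("static-1", size=100, used=90, kind="static"),
    ]
    thresholds = resolve_thresholds(pools, ctx_low=10, ctx_high=35)
    monitor = ThresholdMonitor(trigger="below", model="alarm")
    events = []
    util = group_utilization(pools)                        # interval 1: grpA at 4 %
    for grp in sorted(util):
        low, high = thresholds[grp]
        events.append((grp, monitor.poll(grp, util[grp], low, high)))
    pools[0].used, pools[1].used = 500, 400                # interval 2: grpA at 45 %
    util = group_utilization(pools)
    low, high = thresholds["grpA"]
    events.append(("grpA", monitor.poll("grpA", util["grpA"], low, high)))
    return events


if __name__ == "__main__":
    for grp, event in demo():
        print(f"{grp:18s} -> {event}")
```

Running demo() raises an alarm for grpA in the first interval (4 % is below the pool-level override of 20, which beats the context-level 10) and clears it in the second interval only once utilization exceeds the clear value of 40; the 90 % static pool never enters because it is its own group and sits far above its low threshold. Swapping the monitor to trigger="above" gives the ip-pool-used / ip-pool-hold / ip-pool-release behaviour without any other change.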
threshold monitoring
Enables or disables
thresholds alerting for a group of thresholds.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] threshold monitoring available-ip-pool-group
default
Configures the default
setting.
no
Disables threshold
monitoring for the specified value.
available-ip-pool-group
Enables threshold monitoring
for IP pool thresholds at the context level and the IP address pool-level.
Refer to the threshold
available-ip-pool-group command, the threshold ip-pool-x commands
and the alert-threshold keyword
of the ip pool command
for additional information on these values.
Usage:
Thresholding on the
system is used to monitor the system for conditions that could potentially
cause errors or outages. Typically, these conditions are temporary
(i.e., high CPU utilization, or packet collisions on a network) and
are quickly resolved. However, continuous or large numbers of these
error conditions within a specific time interval may be indicative
of larger, more severe issues. The purpose of thresholding is to
help identify potentially severe conditions so that immediate action
can be taken to minimize and/or avoid system downtime.
Thresholding reports
conditions using one of the following mechanisms:
- SNMP traps: SNMP
traps have been created that indicate the condition (high threshold
crossing and/or clear) of each of the monitored values.
Complete descriptions and other information pertaining to these
traps is located in the starentMIB(8164).starentTraps(2)
section of the SNMP
MIB Reference.
The generation of specific
traps can be enabled or disabled on the system allowing you to view
only those traps that are most important to you.
- Logs: The system
provides a facility called threshold for which active and event
logs can be generated, as with other system facilities. Log messages pertaining
to the condition of a monitored value are generated with a severity level of WARNING.
- Alarm System: High
threshold alarms generated within the specified polling interval
are considered “outstanding” until the condition
no longer exists and/or a condition clear alarm is generated.
“Outstanding” alarms
are reported through the system’s alarm subsystem and
are viewable through the CLI.
The following table indicates the reporting mechanisms supported by each of the above models.
Table 3. Thresholding Reporting Mechanisms by Model
Model | SNMP Traps | Logs | Alarm System
Alert | X | X |
Alarm | X | X | X
Refer to the threshold
poll command in Global Configuration Mode Commands for
information on configuring the polling interval over which IP address
pool utilization is monitored.
Example:
The following command enables threshold monitoring for IP pool thresholds at the context level and the IP address pool-level:
threshold monitoring available-ip-pool-group
threshold pdsn-service init-rrq-rcvd-rate
Sets an alarm or alert
based on the average number of calls setup per second for a PDSN
service.
Privilege:
Security Administrator,
Administrator
Syntax
threshold pdsn-service init-rrq-rcvd-rate high_thresh [ clear low_thresh ]
no threshold pdsn-service init-rrq-rcvd-rate
no
Deletes the alert or
alarm.
high_thresh
Sets the high threshold
average number of calls setup per second that must be met or exceeded
within the polling interval to generate an alert or alarm. It can
be configured as an integer between 0 and 1000000. Default: 0
clear low_thresh
Sets the low threshold
average number of calls setup per second that must be met or exceeded
within the polling interval to clear an alert or alarm. It can be
configured as an integer between 0 and 1000000. Default: 0
IMPORTANT:
This value is ignored
for the Alert model. In addition, if this value is not configured
for the Alarm model, the system assumes it is identical to the high
threshold.
Usage:
Use this command to
set an alert or an alarm when the average number of calls setup
per second is equal to or less than a specified number of calls
per second.
Alerts or alarms are
triggered for the number of calls setup per second based on the following
rules:
- Enter Condition:
Actual number of calls setup per second > High Threshold
- Clear Condition:
Actual number of calls setup per second < Low Threshold
Example:
The following command configures a number of calls setup per second threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
threshold pdsn-service init-rrq-rcvd-rate 1000 clear 500
udr-module active-charging-service
Enables creation, configuration
and deletion of the User Data Record (UDR) module for the context.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] udr-module active-charging-service
no
Deletes the UDR module
configuration for the current context.
Usage:
Use this command to
create the UDR module for the context, and configure the UDR module
for active charging service records. You must be in a non-local
context when specifying this command, and you must use the same
context when specifying the EDR module command.
On entering this command,
the CLI prompt changes to:
[context_name]hostname(config-udr)#
Example:
The following command
creates the UDR module for the context, and enters the UDR Module
Configuration Mode:
udr-module active-charging-service