Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
action priority action_priority { [ dynamic-only | static-and-dynamic | timedef timedef_name ] { group-of-ruledefs ruledefs_group_name | ruledef ruledef_name } charging-action charging_action_name [ monitoring-key monitoring_key ] [ description description ] }
action_priority must be unique in the current rulebase, and must be an integer from 1 through 65535.
Configuring the dynamic-only keyword causes the configuration to be defined, but not enabled. Once configured, the action associated with this option is not matched against a flow until it is enabled from a dynamic charging interface such as Gx. Gx can disable or enable this action entry in the rulebase using Gx messages.
Important: When R7 Gx is enabled, “static-and-dynamic” rules behave exactly like “dynamic-only” rules. That is, they must be activated explicitly by the Policy and Charging Rules Function (PCRF). When Gx is not enabled, “static-and-dynamic” rules behave exactly like static rules.
Important: This keyword is only available in StarOS 8.1 and StarOS 9.0 and later releases.
timedef_name must be the name of a timedef, and must be an alphanumeric string of 1 through 63 characters.
Important: The time considered for timedef matching is the system’s local time.
ruledef_name must be the name of a ruledef, and must be an alphanumeric string of 1 through 63 characters.
Important: If the ruledef specified here is deleted or is not configured, the system accepts it without applying any ruledef under current rulebase for this action priority.
group-of-ruledefs ruledefs_group_name
ruledefs_group_name must be the name of a group-of-ruledefs, and must be an alphanumeric string of 1 through 63 characters.
Important: If the group-of-ruledefs specified here is deleted or is not configured, the system accepts it without applying any ruledefs under current rulebase for this action priority.
charging-action charging_action_name
charging_action_name must be the name of a charging action, and must be an alphanumeric string of 1 through 63 characters.
Important: If the charging action specified here is not configured or is later deleted, the system will not apply any charging action under current rulebase for this action priority.
monitoring-key monitoring_key
monitoring_key must be an integer from 1 through 4000000000.
description must be an alphanumeric string of 1 through 63 characters.
The following command assigns a rule and action with the action priority of 23, a ruledef named test, and a charging action named test1 to the current rulebase:
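A small model of the action priority command and its activation semantics, added here as an illustration (it is not StarOS code). It parses lines that follow the syntax given above, enforces the stated ranges (priority 1 through 65535 and unique per rulebase, names of 1 through 63 characters, monitoring key 1 through 4000000000), and applies the Gx rule from the Important note: dynamic-only rules, and static-and-dynamic rules when R7 Gx is enabled, are not matched against flows until the PCRF activates them. The sample lines other than the priority-23 example are constructed; the allowed punctuation in names and the treatment of timedef rules as static are assumptions.

```python
import re

# Alphanumeric string of 1 through 63 characters; the allowed punctuation is an assumption.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,63}$")


class RulebaseError(ValueError):
    """Raised when a line violates the documented syntax or value ranges."""


def _name(tokens, idx, what):
    """Return tokens[idx] if it is a valid name, else raise."""
    if idx >= len(tokens) or not NAME_RE.match(tokens[idx]):
        raise RulebaseError("%s must be an alphanumeric string of 1 through 63 characters" % what)
    return tokens[idx]


def _int_in(tokens, idx, low, high, what):
    """Return tokens[idx] as an integer in [low, high], else raise."""
    try:
        value = int(tokens[idx])
    except (IndexError, ValueError):
        raise RulebaseError("%s must be an integer" % what)
    if not low <= value <= high:
        raise RulebaseError("%s must be an integer from %d through %d" % (what, low, high))
    return value


def parse_action_priority(line):
    """Parse one 'action priority ...' line into a dict, enforcing the documented ranges."""
    t = line.split()
    if t[:2] != ["action", "priority"]:
        raise RulebaseError("not an 'action priority' command: %r" % line)
    rule = {
        "priority": _int_in(t, 2, 1, 65535, "action_priority"),
        "mode": "static",  # no activation keyword given: a plain static rule
        "timedef": None,
        "monitoring_key": None,
        "description": None,
    }
    i = 3
    # Optional activation keyword: dynamic-only | static-and-dynamic | timedef <name>
    if i < len(t) and t[i] in ("dynamic-only", "static-and-dynamic"):
        rule["mode"] = t[i]
        i += 1
    elif i < len(t) and t[i] == "timedef":
        rule["timedef"] = _name(t, i + 1, "timedef_name")
        i += 2
    # Mandatory target: ruledef <name> | group-of-ruledefs <name>
    if i < len(t) and t[i] in ("ruledef", "group-of-ruledefs"):
        rule["target_kind"] = t[i]
        rule["target"] = _name(t, i + 1, t[i] + " name")
        i += 2
    else:
        raise RulebaseError("expected 'ruledef' or 'group-of-ruledefs'")
    # Mandatory charging-action <name>
    if i < len(t) and t[i] == "charging-action":
        rule["charging_action"] = _name(t, i + 1, "charging_action_name")
        i += 2
    else:
        raise RulebaseError("expected 'charging-action'")
    # Optional trailing keywords, in any order
    while i < len(t):
        if t[i] == "monitoring-key":
            rule["monitoring_key"] = _int_in(t, i + 1, 1, 4000000000, "monitoring_key")
            i += 2
        elif t[i] == "description":
            rule["description"] = _name(t, i + 1, "description")
            i += 2
        else:
            raise RulebaseError("unexpected token %r" % t[i])
    return rule


class Rulebase:
    """The static rules of one rulebase, keyed by their (unique) action priority."""

    def __init__(self):
        self.rules = {}

    def add(self, line):
        rule = parse_action_priority(line)
        if rule["priority"] in self.rules:
            raise RulebaseError("action_priority %d is already used in this rulebase" % rule["priority"])
        self.rules[rule["priority"]] = rule
        return rule

    def active_rules(self, gx_enabled, pcrf_activated=()):
        """Priorities of the rules that are matched against flows, sorted by priority value.

        A dynamic-only rule is defined but not enabled until the PCRF activates it.
        With R7 Gx enabled, static-and-dynamic rules behave the same way; without
        Gx they behave like static rules.  Rules attached to a timedef are treated
        as static here; the time window itself is not modelled (assumption).
        """
        active = []
        for prio, rule in sorted(self.rules.items()):
            needs_pcrf = rule["mode"] == "dynamic-only" or (
                gx_enabled and rule["mode"] == "static-and-dynamic")
            if needs_pcrf and prio not in pcrf_activated:
                continue
            active.append(prio)
        return active
```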
Important: This command is customer specific. For more information contact your Cisco account representative.
no active-charging rf rating-group-override: Rating group override will not be enforced on the PCC rules, predefined ACS rules, and static ACS rules. If any of these rules have their own rating group, it will continue to use that.
no active-charging rf service-id-override: Service ID override will not be enforced on the PCC rules, predefined ACS rules, and static ACS rules. If any of these rules have their own service ID, it will continue to use that.
rating_group must be an integer from 1 through 65535.
service_id must be an integer from 1 through 65535.
bandwidth_policy_name must be the name of a bandwidth policy, and must be an alphanumeric string of 1 through 63 characters.
Important: In the GGSN, if in the APN configuration the “accounting-mode” is set to “none”, the system continues to send ACS-generated RADIUS accounting messages. In the PDSN, if in the subscriber default configuration the “accounting-mode” is set to “none”, the system does not send any RADIUS accounting messages (including ACS accounting messages).
udr udr-format udr_format_name
udr_format_name must be the name of an UDR format, and must be an alphanumeric string of 1 through 63 characters.
duration specifies charging time in seconds, and must be an integer from 1 through 4000000000.
charging_unit specifies service-specific charging unit and must be an integer from 1 through 4000000000.
volume { cc-input-octets bytes | cc-output-octets bytes | cc-total-octets bytes } +
• bytes: Specifies volume in bytes and must be an integer from 1 through 4000000000.
• +: Indicates that more than one of the previous keywords can be entered within a single command.
holding-time holding_time
Specifies the value for the Quota Holding Time (QHT). QHT is used with both time-based and volume-based quotas. After holding_time seconds has passed without user traffic, the quota is reported back and the charging stops until new traffic starts.
holding_time must be an integer from 1 through 4000000000.
content_id is the content ID specified for credit control service in ACS.
In 12.1 and earlier releases, content_id must be an integer from 1 through 65535.
In 12.2 and later releases, content_id must be an integer from 1 through 2147483647.
retry-time retry_time [ max-retries retries ]
retry_time must be an integer from 0 through 86400. To disable this, assign 0.
max-retries retries configures the maximum number of retries allowed for blacklisted categories. This option has a default value of 65535 retries (the maximum value).
retries must be an integer from 1 through 65535. To disable this, assign 0.
cca quota retry time allows an operator to set the amount of time that the ACS waits before it retries the prepaid server for a content ID for which quota was exhausted earlier.
seconds must be an integer from 1 through 4294967295.
When used along with consumed-time it indicates the active usage + idle time, when no traffic flow occurs.
seconds must be an integer from 1 through 4294967295.
seconds must be an integer from 1 through 4294967295.
content_id is the content ID specified for credit control service in ACS.
In 12.1 and earlier releases, content_id must be an integer from 1 through 65535.
In 12.2 and later releases, content_id must be an integer from 1 through 2147483647.
If the operator chooses parking-meter seconds style charging, time is billed in chunks of seconds.
Default: Disabled; same as no cca radius accounting interval
interval must be an integer from 1 through 3600.
vpn_context must be an alphanumeric string of 1 through 79 characters.
server_group_name must be the name of a RADIUS server group, and must be an alphanumeric string of 1 through 63 characters.
The following command defines RADIUS charging context prepaid_rad1 for RADIUS prepaid charging in the rulebase:
In 12.1 and earlier releases, password must be an alphanumeric string of 1 through 63 characters with or without encryption.
In 12.2 and later releases, password must be an alphanumeric string of 1 through 63 characters without encryption, and 1 through 132 characters with encryption enabled.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
The following command configures the user password as user_123 without encryption in the current rulebase:
Default: In 10.0 and earlier releases: low. In 11.0 and later releases: high
Important: In 11.0 and later releases, the medium keyword is deprecated.
bandwidth-policy bandwidth_policy_name
bandwidth_policy_name must be the name of a bandwidth policy, and must be an alphanumeric string of 1 through 63 characters.
cbb-policy cbb_policy_name
cbb_policy_name must be the name of a CBB policy, and must be an alphanumeric string of 1 through 63 characters.
firewall-policy fw_policy_name
Important: This keyword is customer specific. For more information, please contact your Cisco account representative.
fw_policy_name must be the name of a Stateful Firewall policy, and must be an alphanumeric string of 1 through 63 characters.
fw-and-nat-policy fw_nat_policy_name
Important: This keyword is customer specific, and is only available in StarOS 8.1 and in StarOS 9.0 and later releases.
fw_nat_policy_name must be the name of a Firewall-and-NAT policy, and must be an alphanumeric string of 1 through 63 characters.
cf_policy_id must be the ID of an existing Content Filtering Category Policy, and must be an integer from 1 through 4294967295.
Important: If the specified Content Filtering Category Policy does not exist, all packets will be passed regardless of the categories/actions determined for such packets.
Important: The category policy ID that is configured using the category policy-id cf_policy_id command in the APN/Subscriber Configuration Mode prevails over this configuration.
All the denied packets will be accounted for by the discarded-flow-content-id configuration in the Content Filtering Policy Configuration Mode. This content ID will be used to generate UDRs for packets denied via content filtering.
• static-only: Configures Category-based Content Filtering in static-only mode, wherein all URLs are compared against an internal database to categorize the requested content.
  Using Category-based Content Filtering support requires configuration of the require active-charging content-filtering category command in the Global Configuration Mode.
• static-and-dynamic: Configures Category-based Content Filtering in static-and-dynamic mode, wherein a static rating of the URL is performed first, and only if the static rating fails to find a match is a dynamic rating of the content returned by the server performed.
Important: Before enabling static-and-dynamic rating in the rulebase, it must be enabled at the global level, because the resources required for dynamic rating are allocated at the global level. To enable static-and-dynamic rating at the global level, use the require active-charging content-filtering category static-and-dynamic command in the Global Configuration Mode.
server-group cf_server_group
cf_server_group must be the name of a CFSG, and must be unique, and must be an alphanumeric string of 1 through 63 characters.
A rule is a combination of a ruledef, a charging action, and a precedence. Static rules are defined by the action CLI command in the ACS Rulebase Configuration Mode, and apply to all subscribers associated with the rulebase. Dynamic rules are obtained via a dynamic protocol, such as the Gx interface, for a particular subscriber session.
Default: Disabled; same as no edr suppress-zero-byte-records
Important: This command is available only in StarOS 8.1 and in StarOS 9.0 and later releases.
Default: Disabled; same as no edr transaction-complete
edr-format edr_format_name
Important: This option is available only in 12.1 and earlier releases. In 12.2 and later releases, this option is deprecated and is replaced by the charging-edr option.
edr_format_name must be the name of an EDR format, and must be an alphanumeric string of 1 through 63 characters.
charging-edr charging_edr_format_name
Important: This option is available only in 12.2 and later releases.
charging_edr_format_name must be the name of a charging EDR format, and must be an alphanumeric string of 1 through 63 characters.
reporting-edr reporting_edr_format_name
Important: This option is available only in 12.2 and later releases.
reporting_edr_format_name must be the name of a reporting EDR, and must be an alphanumeric string of 1 through 63 characters.
edr-format edr_format_name
Important: This option is available only in 12.1 and earlier releases. In 12.2 and later releases, it has been deprecated and is replaced by the charging-edr option.
edr_format_name must be the name of an EDR format, and must be an alphanumeric string of 1 through 63 characters.
charging-edr charging_edr_format_name
Important: This option is available only in 12.2 and later releases.
charging_edr_format_name must be the name of a charging EDR format, and must be an alphanumeric string of 1 through 63 characters.
reporting-edr reporting_edr_format_name
Important: This option is available only in 12.2 and later releases.
reporting_edr_format_name must be the name of a reporting EDR format, and must be an alphanumeric string of 1 through 63 characters.
Description: This command has been deprecated. It is included in the CLI for backward compatibility with older configuration files. When executed, it performs no function. Use the egcdr threshold interval interval [ regardless-of-other-triggers ] command for this functionality.
delimiter { colon | comma | pipe }: Specifies the delimiter character to use in eG-CDRs in ASCII format.
• colon: Specifies to use “:” (colon) as the delimiter in eG-CDRs.
• comma: Specifies to use “,” (comma) as the delimiter in eG-CDRs.
• pipe: Specifies to use “|” (pipe) as the delimiter in eG-CDRs.
minute must be an integer from 0 through 59.
hour must be an integer from 0 through 23.
Default: Disabled; same as the no egcdr threshold interval and no egcdr threshold interval volume commands.
interval interval [ regardless-of-other-triggers ]
interval must be an integer from 60 through 40000000.
regardless-of-other-triggers: This option enables eG-CDR/P-GW-CDR generation at the fixed time interval irrespective of any other eG-CDR/P-GW-CDR triggers that may have happened in between.
• downlink bytes: Specifies the limit for the number of downlink (from network to subscriber) octets after which the eG-CDR/P-GW-CDR is closed.
  bytes must be an integer from 100000 through 4000000000.
• total bytes: Specifies the limit for the total number of octets (uplink + downlink) after which the eG-CDR/P-GW-CDR is closed.
  bytes must be an integer from 100000 through 4000000000.
• uplink bytes: Specifies the limit for the number of uplink (from subscriber to network) octets after which the eG-CDR/P-GW-CDR is closed.
  bytes must be an integer from 100000 through 4000000000.
consumed-time consumed_time [ plus-idle ]
consumed_time must be an integer from 1 through 4294967295.
plus-idle: Specifies the idle time between arrival of two packets to include in time usage record in eG-CDR.
When used along with consumed-time it indicates the active usage + idle time, when no traffic flow occurs.
ctp_time sets the duration, in seconds, used to start a counter on arrival of the first packet and thereafter include in charging only those periods in which one or more packets arrived. For periods in which no packets arrived or no traffic was detected, usage is not computed.
ctp_time must be an integer from 1 through 4294967295.
seconds must be an integer from 1 through 4294967295.
consumed-time in the above scenario calculates the time duration as (T2 - T1) + (T4 - T3), where
consumed-time with plus-idle calculates the time duration as (T2 - T1) + I + (T4 - T3) + I, or (T4 - T1).
Important: Applying the extract-host-from-uri command a second time will overwrite the previous configuration. For example, if you apply the command extract-host-from-uri http wsp http, and then apply the command extract-host-from-uri http wsp, extraction of the host from the URI will happen only for the WSP analyzer.
waiver_percent must be an integer from 1 through 1000.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
• icmp: Enables protection against ICMP Flood attacks.
• tcp-syn: Enables protection against TCP SYN Flood attacks.
• udp: Enables protection against UDP Flood attacks.
Important: The DoS attacks are detected only in the downlink direction.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
• icmp: Configuration for the ICMP protocol.
• tcp-syn: Configuration for the TCP SYN packet limit.
• udp: Configuration for the UDP protocol.
packets must be an integer from 1 through 4294967295.
interval must be an integer from 1 through 60.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
messages must be an integer from 1 through 100.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
packet_size must be an integer from 30000 through 65535.
• icmp: Configuration for the ICMP protocol.
• non-icmp: Configuration for protocols other than ICMP.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
max_limit must be an integer from 1 through 256.
max_size must be an integer from 1 through 8192.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, use the access-rule no-ruledef-matches command available in the Firewall-and-NAT Policy Configuration Mode.
• downlink: Downlink (from network to subscriber) packets with no Stateful Firewall ruledef match.
• uplink: Uplink (from subscriber to network) packets with no Stateful Firewall ruledef match.
action { deny [ charging-action charging_action_name ] | permit [ bypass-nat | nat-realm nat_realm_name ] }
permit [ bypass-nat | nat-realm nat_realm_name ]: Permit packets.
Important: The bypass-nat keyword is only available in StarOS 8.3 and later releases.
• bypass-nat: Specifies to bypass Network Address Translation (NAT).
• nat-realm nat_realm_name: Specifies a NAT realm to be used for performing NAT on subscriber packets.
  nat_realm_name must be the name of a NAT realm, and must be an alphanumeric string of 1 through 31 characters.
Important: If neither bypass-nat nor nat-realm is configured, NAT is performed if the nat policy nat-required CLI command is configured with the default-nat-realm option.
deny [ charging-action charging_action_name ]: Denies specified packets.
charging_action_name must be the name of a charging action, and must be an alphanumeric string of 1 through 63 characters.
Important: In StarOS 8.0, this command is available in the APN/Subscriber Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Important: In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, use the access-rule priority command available in the Firewall-and-NAT Policy Configuration Mode.
firewall priority priority [ dynamic-only | static-and-dynamic ] firewall-ruledef firewall_ruledef_name { { deny [ charging-action charging_action_name ] } | { permit [ nat-realm nat_realm_name | [ trigger open-port { aux_port_number | range start_port_number to end_port_number } direction { both | reverse | same } ] ] } }
priority must be a unique value in the current rulebase, and must be an integer from 1 through 65535.
• dynamic-only: Firewall Dynamic Ruledef: a predefined ruledef that can be enabled/disabled by the policy server, and is disabled by default.
• static-and-dynamic: Firewall Static and Dynamic Ruledef: a predefined ruledef that can be enabled/disabled by the policy server, and is enabled by default.
• firewall_ruledef_name must be the name of a Stateful Firewall ruledef, and must be an alphanumeric string of 1 through 63 characters.
deny [ charging-action charging_action_name ]
charging_action_name must be the name of a charging action, and must be an alphanumeric string of 1 through 63 characters.
permit [ nat-realm nat_realm_name | [ bypass-nat ] [ trigger open-port { aux_port_number | range start_port_number to end_port_number } ] ]
• nat-realm nat_realm_name: Specifies the NAT realm to be used for performing NAT on subscriber packets matching the Stateful Firewall ruledef.
  nat_realm_name must be the name of a NAT realm, and must be an alphanumeric string of 1 through 31 characters.
  Important: If nat-realm is not configured, NAT is performed if the nat policy nat-required CLI command is configured with the default-nat-realm option.
• trigger open-port { aux_port_number | range start_port_number to end_port_number }: Permits packets if the rule is matched, and allows the creation of data flows for Stateful Firewall. Optionally, a port trigger can be specified for this rule to limit the range of auxiliary data connections (a single port number or a range of port numbers) for protocols that have separate control and data connections (such as FTP). The trigger port will be the destination port of an association that matches the rule.
  • aux_port_number: Specifies the number of auxiliary ports to open for traffic, and must be an integer from 1 through 65535.
  • range start_port_number to end_port_number: Specifies the range of ports to open for subscriber traffic.
    • start_port_number must be an integer from 1 through 65535. This is the start of the port range and must be less than end_port_number.
    • end_port_number must be an integer from 1 through 65535. This is the end of the port range and must be greater than start_port_number.
  • both: Provides the trigger to open the port for traffic in either direction of the control connection.
  • reverse: Provides the trigger to open the port for traffic in the reverse direction of the control connection (from where the connection is initiated).
  • same: Provides the trigger to open the port for traffic in the same direction as the control connection (from where the connection is initiated).
Important: For Stateful Firewall ruledefs, only the terminate-flow action is applicable if configured in the specified charging action.
The following command assigns a priority of 10 to the Stateful Firewall ruledef fw_rule1, adds it to the rulebase, and permits a port trigger to be used for the rule to open ports in the range of 100 to 200 in either direction of the control connection:
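A parser and validator for the firewall priority command, added here as an illustration (it is not StarOS code). It follows the syntax given above and enforces the stated constraints: a unique priority from 1 through 65535, ruledef and charging action names of 1 through 63 characters, NAT realm names of 1 through 31 characters, port numbers from 1 through 65535 with start_port_number less than end_port_number. The sample line is the priority-10 example described above, reconstructed from the documented syntax; the other sample lines, the allowed punctuation in names, and treating a trigger without a direction keyword as both are assumptions.

```python
import re

# The example the reference describes (priority 10, ruledef fw_rule1, ports 100 to 200,
# both directions), reconstructed here from the documented syntax.
EXAMPLE = ("firewall priority 10 firewall-ruledef fw_rule1 permit "
           "trigger open-port range 100 to 200 direction both")


class FirewallRuleError(ValueError):
    """Raised when a line violates the documented syntax or value ranges."""


def _name(tok, what, max_len):
    """Alphanumeric string of 1 through max_len characters (allowed punctuation assumed)."""
    if not re.match(r"^[A-Za-z0-9_.-]{1,%d}$" % max_len, tok):
        raise FirewallRuleError("%s must be an alphanumeric string of 1 through %d characters" % (what, max_len))
    return tok


def _int_in(tok, low, high, what):
    """Integer in [low, high], else raise."""
    try:
        value = int(tok)
    except ValueError:
        raise FirewallRuleError("%s must be an integer" % what)
    if not low <= value <= high:
        raise FirewallRuleError("%s must be an integer from %d through %d" % (what, low, high))
    return value


def parse_firewall_priority(line):
    """Parse one 'firewall priority ...' line into a dict, enforcing the documented constraints."""
    t = line.split()
    tok = lambda i: t[i] if i < len(t) else ""   # "" past the end avoids IndexError
    if t[:2] != ["firewall", "priority"]:
        raise FirewallRuleError("not a 'firewall priority' command: %r" % line)
    rule = {"priority": _int_in(tok(2), 1, 65535, "priority"), "mode": "static"}
    i = 3
    if tok(i) in ("dynamic-only", "static-and-dynamic"):   # predefined ruledef controlled by the policy server
        rule["mode"] = tok(i)
        i += 1
    if tok(i) != "firewall-ruledef":
        raise FirewallRuleError("expected 'firewall-ruledef'")
    rule["ruledef"] = _name(tok(i + 1), "firewall_ruledef_name", 63)
    i += 2
    rule["action"] = tok(i)
    i += 1
    if rule["action"] == "deny":
        if tok(i) == "charging-action":          # optional accounting for the denied packets
            rule["charging_action"] = _name(tok(i + 1), "charging_action_name", 63)
            i += 2
    elif rule["action"] == "permit":
        if tok(i) == "nat-realm":                # NAT realm names are limited to 31 characters
            rule["nat_realm"] = _name(tok(i + 1), "nat_realm_name", 31)
            i += 2
        else:
            if tok(i) == "bypass-nat":
                rule["bypass_nat"] = True
                i += 1
            if tok(i) == "trigger" and tok(i + 1) == "open-port":
                i += 2
                if tok(i) == "range":
                    start = _int_in(tok(i + 1), 1, 65535, "start_port_number")
                    if tok(i + 2) != "to":
                        raise FirewallRuleError("expected 'to' in port range")
                    end = _int_in(tok(i + 3), 1, 65535, "end_port_number")
                    if start >= end:
                        raise FirewallRuleError("start_port_number must be less than end_port_number")
                    rule["trigger_ports"] = (start, end)
                    i += 4
                else:
                    port = _int_in(tok(i), 1, 65535, "aux_port_number")
                    rule["trigger_ports"] = (port, port)
                    i += 1
                if tok(i) == "direction":
                    if tok(i + 1) not in ("both", "reverse", "same"):
                        raise FirewallRuleError("direction must be both, reverse or same")
                    rule["direction"] = tok(i + 1)
                    i += 2
    else:
        raise FirewallRuleError("expected 'deny' or 'permit'")
    if i != len(t):
        raise FirewallRuleError("unexpected token %r" % tok(i))
    return rule


def trigger_permits(rule, port, direction):
    """True if the rule's port trigger opens `port` for a data flow in `direction`
    ('same' or 'reverse', relative to the control connection that matched the rule)."""
    if rule.get("action") != "permit" or "trigger_ports" not in rule:
        return False
    start, end = rule["trigger_ports"]
    allowed = rule.get("direction", "both")   # assumption: 'both' when no direction keyword is given
    return start <= port <= end and allowed in ("both", direction)


class FirewallRulebase:
    """Stateful Firewall rules of one rulebase, keyed by their (unique) priority."""

    def __init__(self):
        self.rules = {}

    def add(self, line):
        rule = parse_firewall_priority(line)
        if rule["priority"] in self.rules:
            raise FirewallRuleError("priority %d is already used in this rulebase" % rule["priority"])
        self.rules[rule["priority"]] = rule
        return rule
```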
Important: In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Important: In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Important: This command is only available in StarOS 8.3 and later releases. In StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Default: no firewall tcp-reset-message-threshold
messages must be an integer from 1 through 100.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
• none: Disables the TCP SYN flood intercept feature.
• watch: Configures the TCP SYN flood intercept feature in watch mode. Stateful Firewall passively watches to see if TCP connections become established within a configurable interval. If connections are not established within the timeout period, Stateful Firewall clears the half-open connections by sending RST to the TCP client and server. The default watch-timeout for connection establishment is 30 seconds.
• aggressive: Configures the TCP SYN flood Intercept or Watch feature for aggressive behavior. Each new connection request causes the oldest incomplete connection to be deleted. When operating in watch mode, the watch timeout is reduced by half. If the watch-timeout is 30 seconds, under aggressive conditions it becomes 15 seconds. When operating in intercept mode, the retransmit timeout is reduced by half (i.e. if the timeout is 60 seconds, it is reduced to 30 seconds). Thus the amount of time waiting for connections to be established is reduced by half (i.e. it is reduced to 150 seconds from 300 seconds under aggressive conditions).
watch-timeout intercept_watch_timeout
intercept_watch_timeout must be an integer from 5 through 30.
charging_action_name must be the name of a charging action, and must be an alphanumeric string of 1 through 63 characters.
Important: The charging action specified here should preferably not be used for action on packets dropped due to Stateful Firewall ruledef match or no-match (in the firewall priority and firewall no-ruledef-matches commands), and the content ID within the charging action must be unique so that dropped counts will not interfere with other content IDs.
If the charging action applied on a packet is the one specified in the flow any-error charging-action command, flow statistics are updated and action is taken as configured in the charging action:
The following command specifies the charging action test2 for accounting action on packets dropped/discarded by Stateful Firewall due to any error:
Default: Same as no flow control-handshaking
In this command, the optional keyword charge-to-application is deprecated and has no effect.
• all-packets: Specifies that the initial setup packets will wait until the application has been determined before assigning the content-id, and all mid-session ACK packets as well as the final tear-down packets will use that content-id.
• initial-packets: Specifies that only the initial setup packets will wait for content-id assignment.
• mid-session-packets: Specifies that the ACK packets after the initial setup will use the application's or content-id assignment.
• tear-down-packets: Specifies that the final tear-down packets (TCP or WAP) will use the application's or content-id assignment.
Important: This keyword is only available in StarOS 8.3 and later releases, and is only applicable when used with the hagr, handoff, and session-end keywords.
Important: This option is available only in 12.1 and earlier releases. In 12.2 and later releases, this option is deprecated and is replaced by the charging-edr option.
edr_format_name must be the name of an EDR format, and must be a unique alphanumeric string of 1 through 63 characters.
charging-edr charging_edr_format_name
Important: This option is available only in 12.2 and later releases.
charging_edr_format_name must be the name of a charging EDR format, and must be an alphanumeric string of 1 through 63 characters.
reporting-edr reporting_edr_format_name
Important: This option is available only in 12.2 and later releases.
reporting_edr_format_name must be the name of a reporting EDR format, and must be a unique alphanumeric string of 1 through 63 characters.
limit must be an integer from 1 through 4000000000.
limit must be an integer from 1 through 4000000000.
limit must be an integer from 1 through 4000000000.
Important: This command is only available in StarOS 8.1 and StarOS 9.0 and later releases.
fw_nat_policy_name must be the name of a Firewall-and-NAT policy, and must be an alphanumeric string of 1 through 63 characters.
For more information, see the Personal Stateful Firewall Administration Guide.
timeout_duration must be an integer from 100 through 30000.
Important: This command is only available in StarOS 8.3. In StarOS 9.0 and later releases this command is available in the Firewall-and-NAT Policy Configuration Mode.
Default: port-chunk-release
edr-format edr_format_name
edr_format_name must be the name of an EDR format, and must be an alphanumeric string of 1 through 63 characters.
The following command configures an EDR format named test123 and specifies generating NBR when a port chunk is allocated, and when a port chunk is released:
Important: In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Important: Before enabling NAT processing for a subscriber, Stateful Firewall must be enabled for the subscriber. See the firewall policy CLI command.
Important: This keyword is only available in StarOS 8.3 and later releases.
nat_realm_name must be the name of a NAT realm, and must be an alphanumeric string of 1 through 31 characters.
Important: Including the default NAT realm, a maximum of three NAT realms are supported.
Important: This command is customer-specific. For more information please contact your Cisco account representative. In release 9.0, this command is available in the Firewall-and-NAT Policy Configuration Mode.
group-of-ruledefs ruledefs_group_name
ruledefs_group_name must be the name of a group-of-ruledefs, and must be an alphanumeric string of 1 through 63 characters.
ruledef_name must be the name of a ruledef, and must be an alphanumeric string of 1 through 63 characters.
charging-action charging_action_name
charging_action_name must be the name of a charging action, and must be an alphanumeric string of 1 through 63 characters.
description must be an alphanumeric string of 1 through 31 characters.
The following command specifies the ruledef named test_rule as a dynamic post-processing ruledef configured with the charging action ca13 and a description of testing:
Default: not-for-dynamic-discard
Important: This command is only available in StarOS 8.3 and later releases.
post-processing priority priority { group-of-ruledefs ruledefs_group_name | ruledef ruledef_name } charging-action charging_action_name [ description description ]
priority must be a unique value in the current rulebase, and must be an integer from 1 through 65535.
group-of-ruledefs ruledefs_group_name
ruledefs_group_name must be the name of a group-of-ruledefs, and must be an alphanumeric string of 1 through 63 characters.
Important: The group-of-ruledefs specified must be configured for post-processing. See the group-of-ruledefs-application command in the ACS Group-of-Ruledefs Configuration Mode.
ruledef_name must be the name of a ruledef, and must be an alphanumeric string of 1 through 63 characters.
Important: The ruledef specified must be configured for post-processing. See the rule-application command in the ACS Ruledef Configuration Mode Commands chapter.
charging-action charging_action_name
charging_action_name must be the name of a charging action, and must be an alphanumeric string of 1 through 63 characters.
description must be an alphanumeric string of 1 through 31 characters.
The following command configures the ruledef named test_ruledef with a priority of 10, and the charging action named test_ca for post processing:
Important: This command is license dependent. For more information, please contact your Cisco account representative.
timeout is the timeout period in seconds, and must be an integer from 0 through 4294967295. If set to 0, timeout is disabled.
interval must be an integer from 60 through 40000000.
volume must be an integer from 100000 through 4000000000.
route priority route_priority ruledef ruledef_name analyzer { dns | file-transfer | ftp-control | ftp-data | h323 | http | imap | mms | p2p | pop3 | pptp | rtcp | rtp | rtsp | sdp | secure-http | sip [ advanced | basic-and-advanced ] | smtp | tftp | wsp-connection-less | wsp-connection-oriented } [ description description ]
route priority route_priority
route_priority must be an integer from 1 through 65535.
ruledef_name specifies the name of the ruledef configured for the route application using the rule-application command in the ACS Ruledef Configuration Mode.
ruledef_name must be the name of a ruledef, and must be an alphanumeric string of 1 through 63 characters.
• dns: Route to DNS protocol analyzer.
• ftp-data: Route to FTP data protocol analyzer.
• h323: Route to H323 protocol analyzer.
• http: Route to HTTP protocol analyzer.
• imap: Route to IMAP protocol analyzer.
• mms: Route to MMS protocol analyzer.
• p2p: Route to the P2P protocol analyzer.
• pop3: Route to POP3 protocol analyzer.
• pptp: Route to PPTP protocol analyzer.
• rtcp: Route to RTCP protocol analyzer.
• rtp: Route to RTP protocol analyzer.
• rtsp: Route to RTSP protocol analyzer.
• sdp: Route to SDP protocol analyzer.
• sip [ advanced | basic-and-advanced ]: Route to SIP protocol analyzer.
  • advanced: For SIP calls to work with NAT/Stateful Firewall, a SIP Application-Level Gateway (ALG) is required to do payload translation of SIP packets and pin-hole (dynamic flow) creation for media packets. A SIP routing rule must be configured to route the packets to the SIP ALG for processing. If the advanced keyword is configured, packets matching the routing rule are routed to the SIP ALG for processing and not to the ACS SIP analyzer. If it is not configured, packets are not routed to the SIP ALG and are routed to the ACS SIP analyzer for processing. Also, see the firewall nat-alg CLI command in the ACS Configuration Mode.
  • basic-and-advanced: For the SIP ALG to co-exist with the SIP Analyzer, packets are routed through both the ACS SIP Analyzer and the SIP ALG. The SIP packets can pass through ACS functionality (by ACS SIP Analyzer processing) and at the same time payload translation/pinhole creation can happen successfully (by SIP ALG processing). If basic-and-advanced is configured, packets matching the routing rule are routed through the SIP Analyzer and then through the SIP ALG for processing.
• tftp: Route to TFTP protocol analyzer.
• smtp: Route to SMTP protocol analyzer.
Important: To route packets to the P2P analyzer, the ruledef should have rules to match all IP packets. Otherwise, the analyzer may not detect all P2P traffic.
Important: Use the show active-charging analyzer statistics command in the Exec Mode to see the list of supported analyzers.
description must be an alphanumeric string of 1 through 63 characters.
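The following Python model is an added example, not StarOS code or Cisco documentation. It imitates how a rulebase evaluates its route rules (lowest route priority number first, the first matching ruledef decides) and which processing path a SIP packet takes for the plain, advanced and basic-and-advanced forms of the sip analyzer keyword. It also checks the caveat above that a ruledef routed to the P2P analyzer should match all IP packets. Ruledefs are modelled as lists of field/value constraints; the rule names, constraints and packets are constructed for this example.

```python
"""Model of rulebase analyzer routing (route priority ... ruledef ... analyzer ...).

Added example, not StarOS code. Ruledefs are lists of (field, value)
constraints; an empty list stands for a ruledef that matches all IP packets.
Rule names, constraints and packets below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]
Constraint = Tuple[str, object]          # e.g. ("dst_port", 53)

SIP_MODES = (None, "advanced", "basic-and-advanced")


@dataclass(order=True)
class RouteRule:
    priority: int                                        # route_priority 1..65535, lowest wins
    ruledef: str = field(compare=False)
    constraints: List[Constraint] = field(compare=False)
    analyzer: str = field(compare=False)
    sip_mode: Optional[str] = field(default=None, compare=False)

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 65535:
            raise ValueError("route priority must be 1..65535")
        if self.sip_mode not in SIP_MODES:
            raise ValueError("sip_mode must be None, 'advanced' or 'basic-and-advanced'")
        if self.sip_mode and self.analyzer != "sip":
            raise ValueError("advanced / basic-and-advanced apply only to the sip analyzer")

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.constraints)


def analyzer_chain(rule: RouteRule) -> List[str]:
    """Processing path a matched packet takes, per the route command description."""
    if rule.analyzer != "sip":
        return [rule.analyzer + "-analyzer"]
    if rule.sip_mode == "advanced":
        return ["sip-alg"]                       # payload translation and pinhole creation only
    if rule.sip_mode == "basic-and-advanced":
        return ["sip-analyzer", "sip-alg"]       # ACS SIP analyzer first, then the ALG
    return ["sip-analyzer"]                      # default: ACS SIP analyzer, no ALG


def route(rules: List[RouteRule], pkt: Packet) -> Optional[List[str]]:
    """Lowest priority number first; None when no route rule matches the packet."""
    for rule in sorted(rules):
        if rule.matches(pkt):
            return analyzer_chain(rule)
    return None


def p2p_routes_not_matching_all(rules: List[RouteRule]) -> List[str]:
    """Ruledefs routed to the P2P analyzer that are narrower than 'all IP packets'.

    The route command warns that the P2P analyzer may then miss P2P traffic."""
    return [r.ruledef for r in rules if r.analyzer == "p2p" and r.constraints]


# constructed rulebase: specific protocols first, a catch-all P2P route last
RULES = [
    RouteRule(3, "rt_sip", [("proto", "udp"), ("dst_port", 5060)], "sip", "advanced"),
    RouteRule(1, "rt_dns", [("proto", "udp"), ("dst_port", 53)], "dns"),
    RouteRule(2, "rt_http", [("proto", "tcp"), ("dst_port", 80)], "http"),
    RouteRule(65535, "rt_p2p", [], "p2p"),
]

if __name__ == "__main__":
    for pkt in ({"proto": "udp", "dst_port": 53}, {"proto": "udp", "dst_port": 5060},
                {"proto": "tcp", "dst_port": 4444}):
        print(pkt, "->", route(RULES, pkt))
    print("p2p routes that are not catch-all:", p2p_routes_not_matching_all(RULES))
```

The rule list is deliberately out of priority order to show that the priority number, not configuration order, decides; the catch-all P2P route at priority 65535 is the shape the Important note above calls for.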
FTP and the command name is retr or stor; or, HTTP and the request method is get or post.
WSP content type is application/vnd.wap.mms-message; or, WSP uri contains “mms”; or, HTTP content type is application/vnd.wap.mms-message; or, HTTP uri contains “mms”.
Use the p2p dynamic-flow-detection CLI command to enable detection of the different P2P applications specified by the p2p application CLI command; that will cause every TCP or UDP packet to be automatically routed here.
Default: Disabled; same as no rtp dynamic-flow-detection.
Default: Same as no ruledef-parsing ignore-port-numbers-embedded-in-application-headers analyzers { http rstp sip wsp }— not ignoring port numbers that are embedded in application headers.
2msl_timeout specifies the timeout duration, in seconds, and must be an integer from 1 through 20.
Important: This command is only available in StarOS 8.1 and later releases.
tcp mss tcp_mss { add-if-not-present | limit-if-present } +
tcp_mss must be an integer from 496 through 65535.
Description This command has been deprecated, and is replaced by the tcp packets-out-of-order command.
timeout_duration is the timeout duration, in milliseconds, and must be an integer from 100 through 30000.
• after-reordering: Sends the TCP out-of-order segment after all packets are received and successfully reordered. If reordering is not successful due to a timeout, the received packets are forwarded without being passed through the protocol analyzers. If memory allocation fails or the received packet is partial retransmitted data, the packet will be forwarded immediately without being passed through the protocol analyzers, except for the IP analyzer.
• immediately: Sends the TCP out-of-order segment immediately after buffering a copy. The packets are transmitted as they are received without any in-line services or charging action processing, but also a copy of each packet is held onto. When the missing packet is received, complete deep packet inspection of all the packets and all relevant in-line services is done, and then the last packet is forwarded.

• all: Specifies that subscriber-initiated TCP flows be proxied if all/any of the following conditions are satisfied.
• content-filtering: Specifies that subscriber-initiated TCP flows be proxied if a URL is requested, and that URL is checked because Category-based Content Filtering is enabled in the rulebase.
• dcca: Specifies that subscriber-initiated TCP flows be proxied if DCCA is enabled in the charging action.
• ip-readdressing: Specifies that subscriber-initiated TCP flows be proxied if the IP Readdressing feature is enabled in the charging action.
• nexthop-readdressing: Specifies that subscriber-initiated TCP flows be proxied if the Nexthop Readdressing feature is enabled in the charging action.
• xheader-insert: Specifies that subscriber-initiated TCP flows be proxied if the x-Header Insertion feature is enabled in the charging action.
static [ port [ port_number [ to port_number ] ] ]
port [ port_number [ to port_number ] ]
port_number must be an integer from 1 through 65535.
Important: Up to 32 port numbers and eight port ranges can be specified.
Important: In release 11.0, TCP Proxy functions only in Static mode. Dynamic TCP Proxy mode is supported only in 12.0 and later releases.
Important: Regardless of the setting of this command, TCP Proxy is enabled whenever a TPO profile is selected for the subscriber's flow(s).
Also, see the tethering-database command in the ACS Configuration Mode Commands chapter.
tpo_policy_name must be the name of a TPO policy, and must be an alphanumeric string of 1 through 63 characters.
Default: Same as transport-layer-checksum verify-during-packet-inspection—to perform the checksum verification calculation on all TCP and UDP packets.
udr threshold { interval interval | volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] } }
Default: Disabled; same as no udr threshold interval and no udr threshold volume.
interval must be an integer from 60 through 40000000.
• downlink bytes: Specifies the limit for the number of downlink octets after which the UDR is closed.
  bytes must be an integer from 100000 through 4000000000.
• total bytes: Specifies the limit for the total number of octets (uplink+downlink) after which the UDR is closed.
  bytes must be an integer from 100000 through 4000000000.
• uplink bytes: Specifies the limit for the number of uplink octets after which the UDR is closed.
  bytes must be an integer from 100000 through 4000000000.
Important: This command is only available in StarOS 8.3 and later releases.
url specifies the redirect URL/URI, which must be a fully qualified URL/URI, and must be an alphanumeric string of 1 through 1023 characters.
reply_code specifies the reply code, and must be an integer from 100 through 599.
Important: This command is customer specific. For more information, please contact your Cisco account representative.
group-of-prefixed-urls prefixed_urls_group_name
prefixed_urls_group_name must be the name of a group-of-prefixed-urls, and must be an alphanumeric string of 1 through 63 characters.
Description This command has been deprecated, and is replaced by the wtp packets-out-of-order command.
timeout is the timeout duration, in milliseconds, and must be an integer from 100 through 30000.
• immediately: Sends the WTP out-of-order segment immediately after buffering a copy.
If after-reordering transmitting is specified, the packets are held onto and reordered. After successfully reordering the packets, they are processed in the proper order. If reordering is not successful due to timeout (wtp out-of-order-timeout), the received packets are forwarded without being passed through the protocol analyzers.
If immediately is specified, the packets are transmitted as they are received without any in-line services or Charging Action processing; however, a copy of each packet is retained. When the missing packet is received, complete deep packet inspection of all the packets and all relevant in-line services is undertaken, and then the last packet is forwarded (unless otherwise configured by the in-line services or Charging Action).
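The following Python model is an added example, not StarOS code, and covers both the tcp packets-out-of-order and the wtp packets-out-of-order transmit modes described on this page. It simulates one direction of a flow and records which segments reach the protocol analyzers under after-reordering and immediately, including what happens when the out-of-order timeout expires, the case a reviewer cares about because the held data is then forwarded without deep packet inspection. Segment sizes, arrival times, and the handling of a timeout in immediately mode (the retained copies are discarded unexamined) are assumptions of the model, not behaviour stated by the page.

```python
"""Model of the tcp / wtp packets-out-of-order transmit modes.

Added example, not StarOS code. Arrival times, segment sizes and the
timeout behaviour in 'immediately' mode are assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Event = Tuple[int, str]   # (sequence number, disposition)


@dataclass
class Segment:
    seq: int      # offset of the first byte in the stream
    length: int

    @property
    def end(self) -> int:
        return self.seq + self.length


@dataclass
class ReorderBuffer:
    mode: str                   # 'after-reordering' or 'immediately'
    timeout_ms: int             # out-of-order timeout, 100..30000 ms
    expected: int = 0           # next in-order byte
    pending: List[Tuple[Segment, int]] = field(default_factory=list)  # (segment, arrival ms)
    bypassed: bool = False      # set once data was forwarded without DPI

    def __post_init__(self) -> None:
        if self.mode not in ("after-reordering", "immediately"):
            raise ValueError("mode must be 'after-reordering' or 'immediately'")
        if not 100 <= self.timeout_ms <= 30000:
            raise ValueError("timeout must be 100..30000 ms")

    def _expire(self, now_ms: int) -> List[Event]:
        """Give up on a gap that has stayed open longer than the timeout."""
        if not self.pending or now_ms - self.pending[0][1] < self.timeout_ms:
            return []
        out: List[Event] = []
        for seg, _ in sorted(self.pending, key=lambda p: p[0].seq):
            if self.mode == "after-reordering":
                out.append((seg.seq, "forwarded-uninspected"))  # released, analyzers skipped
            else:
                out.append((seg.seq, "copy-discarded"))  # already sent; copy never inspected (assumption)
            self.expected = max(self.expected, seg.end)
        self.pending.clear()
        self.bypassed = True
        return out

    def _drain_contiguous(self) -> List[Segment]:
        """Pop buffered segments that now follow self.expected without a gap."""
        drained: List[Segment] = []
        while True:
            nxt = next((p for p in self.pending if p[0].seq == self.expected), None)
            if nxt is None:
                return drained
            self.pending.remove(nxt)
            self.expected = nxt[0].end
            drained.append(nxt[0])

    def receive(self, seg: Segment, now_ms: int) -> List[Event]:
        out = self._expire(now_ms)
        if seg.seq < self.expected:
            # retransmitted data: forwarded at once, only the IP analyzer sees it
            out.append((seg.seq, "forwarded-uninspected"))
            return out
        if seg.seq > self.expected:
            self.pending.append((seg, now_ms))
            if self.mode == "immediately":
                # sent now without in-line services; a copy stays in the buffer
                out.append((seg.seq, "forwarded-uninspected"))
            return out
        self.expected = seg.end            # in-order: the gap, if any, is closed
        following = self._drain_contiguous()
        if self.mode == "after-reordering":
            out.append((seg.seq, "inspected"))
            out.extend((s.seq, "inspected") for s in following)
        else:
            # DPI runs over the held copies, then the missing packet is forwarded last
            out.extend((s.seq, "dpi-on-copy") for s in following)
            out.append((seg.seq, "inspected"))
        return out


def run(mode: str, timeout_ms: int, arrivals: List[Tuple[int, int, int]]) -> Tuple[List[Event], bool]:
    """arrivals: (time_ms, seq, length). Returns all events and whether DPI was ever bypassed."""
    buf = ReorderBuffer(mode, timeout_ms)
    events: List[Event] = []
    for t, seq, length in arrivals:
        events.extend(buf.receive(Segment(seq, length), t))
    return events, buf.bypassed


# constructed samples: segment 100 arrives after 200; and the hole at 100 is never filled
OUT_OF_ORDER = [(0, 0, 100), (10, 200, 100), (20, 100, 100)]
NEVER_FILLED = [(0, 0, 100), (10, 200, 100), (2000, 300, 100)]

if __name__ == "__main__":
    for mode in ("after-reordering", "immediately"):
        print(mode, run(mode, 1000, OUT_OF_ORDER))
        print(mode, run(mode, 1000, NEVER_FILLED))
```

The bypassed flag is the point of the model: in either mode a gap that outlives the timeout means data crosses the box that the analyzers never saw, so the timeout value trades reorder tolerance against inspection coverage, and in immediately mode the out-of-order bytes have already left before any inspection in every case.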
Important: This command is license dependent. For more information, please contact your Cisco account representative.
certificate-name certificate_name
certificate_name must be the name of an encryption certificate, and must be an alphanumeric string of 1 through 63 characters.
period specifies the re-encryption time period in minutes, and must be an integer from 1 through 10000.