[ no ] aaa { accounting interim { interval-timeout interval_timeout | normal | suppress } | group aaa_group_name | secondary-group aaa_secondary_group_name }
|
•
|
accounting: Enables AAA accounting for subscribers.
|
|
•
|
group: Uses the default AAA group—the one specified at the context level or in the default subscriber profile.
|
|
•
|
secondary-group: Removes the secondary AAA group from the subscriber configuration.
|
|
•
|
accounting: Disables AAA accounting for subscribers.
|
|
•
|
group: Uses the default AAA group—the one specified at the context level or in the default subscriber profile.
|
|
•
|
secondary-group: Removes the secondary AAA group from the subscriber configuration.
|
|
•
|
interval-timeout: Specifies the time interval (in seconds) at which to send an interim accounting record.
|
interval_timeout must be an integer from 50 through 40000000.
|
•
|
normal: If RADIUS accounting is enabled, send this Acct-Status-Type message when normally required by operation.
|
|
•
|
suppress: If RADIUS accounting is enabled, suppress the sending of Acct-Status-Type message.
|
group aaa_group_name
aaa_group_name must be an alphanumeric string of 1 through 63 characters.
secondary-group aaa_secondary_group_name
aaa_secondary_group_name must be an alphanumeric string of 1 through 63 characters.
If the same AAA group is configured with both the aaa group aaa_group_name and the aaa secondary-group aaa_group_name commands, then this configuration will have no effect and secondary accounting will not happen.
The AAA secondary server group configuration takes effect only when used with subscriber accounting-mode set to radius-diameter. The RADIUS accounting triggers for both standard RADIUS accounting and secondary accounting will be taken from the AAA group configured with the aaa group aaa_group_name command. On the fly change of this configuration is not supported. Any change to the configuration will have effect only for new calls.
The following command applies the AAA server group star1 to subscribers:
Ignores the DF (Don’t Fragment) bit setting. Fragments and forwards the packet over the access link.
Sets the type of accounting to be performed for the current local subscriber to the default setting.
Default: radius-diameter
GTPP CDR RADIUS accounting is enabled for the current local subscriber. The radius-diameter keyword is available if both GTPP RADIUS and RADIUS-Diameter accounting are to be used.
RADIUS-Diameter accounting is enabled for the current local subscriber. The gtpp keyword is available if both GTPP RADIUS and RADIUS-Diameter accounting are to be used.
If the gtpp option is used, then GTPP RADIUS is used as configured in the Context Configuration mode or the AAA Server Group Configuration mode and GTPP charging records will be enabled.
If the radius-diameter option is used, either the RADIUS or the Diameter protocol is used as configured in the Context Configuration mode or the AAA Server Group Configuration mode.
RADIUS accounting can also be enabled and disabled at the context level with the aaa accounting command in the Context Configuration Mode. If RADIUS accounting is enabled at the context level, the accounting-mode command can be used to disable RADIUS accounting for individual local subscriber configurations.
If the accounting mode is set to rf-style, then BM will generate accounting records corresponding to AIMS RF.
active-charging bandwidth-policy bandwidth_policy_name
active-charging bandwidth-policy bandwidth_policy_name
bandwidth_policy_name must be an alphanumeric string of 1 through 63 characters.
The following command configures a bandwidth policy named standard for the subscriber:
active-charging bandwidth-policy standard
Enables the TCP link monitoring feature on the Mobile Video Gateway. Note that TCP link monitoring is not enabled by default. Also note that when this command is configured without the log option, TCP link monitoring is enabled without logging, and the output from TCP link monitoring is only used by the dynamic translating feature.
The rtt option can be used to enable either histogram or time-series logging for round-trip time (RTT).
Similarly, the bitrate option can be used to enable either histogram or time-series logging for bit rate.
When rtt and bitrate options are used without additional options, histogram and time-series logging are enabled for round-trip time (RTT) and/or bit rate respectively.
active-charging rulebase rulebase_name
active-charging rulebase rulebase_name
rulebase_name must be the name of an ACS rulebase expressed as an alphanumeric string of 1 through 63 characters.
The following command configures the ACS rulebase named rule1 for the subscriber:
Caution: When always-on is enabled, the subscriber must have an idle time-out period configured (default is 0, no time-out). Failure to configure an idle time-out results in a subscriber session that is indefinite.Two timers and a counter are associated with this feature. Refer to the timeout command in this chapter and the ppp echo-retransmit-timeout msec and ppp echo-max-retransmissions num_retries commands.
Disables always-on. The user is disconnected after the idle time expires.
The default is disabled.
[ no ] asn nspid nsp_id
asn nspid nsp_id
nsp_id is three bytes in hexadecimal format. For example: FF-EE-01
asn-pdfid pdf_id
pdf_id must be an integer from 1 through 65535.
asn-service-profile-id svc_profile_id
svc_profile_id is a Service Profile Identifier configured in the Context Configuration Mode.
asn-sdfid sdf_id
sdf_id must be an integer from 1 through 65535.
no authorized-flow-profile-id profile_id
Removes the existing profile ID setting specified by profile_id. profile_id must be an integer from 0 through 65535.
authorized-flow-profile-id profile_id
The profile ID number that is authorized for the current subscriber. profile_id must be an integer from 0 through 65535.
|
•
|
bidirectional: This profile ID pertains to both the forward and reverse directions.
|
|
•
|
forward: This profile ID pertains to data going to the MN.
|
|
•
|
reverse: This profile ID pertains to data coming from the MN.
|
content-filtering category policy-id cf_policy_id
content-filtering category policy-id cf_policy_id
cf_policy_id must be a category policy ID expressed as an integer from 1 through 4294967295.
Important: Category Policy ID configured through this mode overrides the Category Policy ID configured using the content-filtering category policy-id command in the ACS Rulebase Configuration Mode.
Important: If Content Filtering Category Policy ID is not specified here, the similar command in the ACS Rulebase Configuration Mode determines the policy.The following command enters the Content filtering Policy Configuration Mode and enables the Category Policy ID 101 for Content Filtering support:
credit-control-group cc_group_name
credit-control-group cc_group_name
cc_group_name must be an alphanumeric string of 1 through 63 characters.
The following command configures the credit-control group named test12 for the subscriber:
[ no ] credit-control-service cc_service_name
credit-control-service cc_service_name
cc_service_name must be an alphanumeric string of 1 through 63 characters.
The following command configures the credit-control service named test12 for the subscriber:
name must be an alphanumeric string of 1 through 63 characters.
cscf county-name name
name must be an existing LRO profile county name expressed as an alphanumeric string of 1 through 127 characters.
The following command assigns county name norfolk to the subscriber:
The following command removes county name norfolk from the subscriber:
[ no ] cscf private-user-id user_id
cscf private-user-id user_id
user_id must be an alphanumeric string of 1 through 127 characters.
The following command assigns a private user identity named user007 to the subscriber:
The following command removes private user identity named user007 from the subscriber:
name must be an existing CSCF session template name expressed as an alphanumeric string of 1 through 79 characters.
The following command assigns a CSCF session template named template4 to the subscriber profile:
This command is obsolete. Refer to the dcca origin endpoint command.
This command is obsolete. To configure the Diameter Credit Control Origin Endpoint, in the Credit Control Configuration Mode, use the diameter origin endpoint command.
dcca peer-select peer host_name [ realm realm_name ] [ secondary-peer host_name [ realm realm_name ] ]
peer host_name
Specifies a unique name for the peer. peer_name must be an alphanumeric string of 1 through 63 characters that allows punctuation marks.
secondary-peer host_name
Specifies a back-up host that is used for fail-over processing. When the route-table does not find an available route, the secondary host performs a fail-over processing. host_name must be an alphanumeric string of 1 through 63 characters that allows punctuation marks.
realm realm_name
The realm_name must be an alphanumeric string of 1 through 63 characters that allows punctuation marks. The realm may typically be a company or service name.
Warning: This configuration completely overrides all instances of diameter peer-select that have been configured with in the Credit Control Configuration Mode for an Active Charging service.Sets this option to the default behavior, which is to send an ICMP unreachable - need to frag message back to the sender and drop the packet, in the case that fragmentation is required but the DF bit is set.
ip { | allowed-dscp | dhcp-relay | header-compression | hide-service-address | multicast discard | qos-dscp | source-validation | user-datagram-tos copy }
allowed-dscp: resets the allowed DSCP parameters to the system defaults: class none, max-class be.
hide-service-address: specifies the default setting for hide the ip-address of the service from the subscriber. Default is Disabled
dhcp-relay: Configured with the DHCP server address during MS authentication. The AAA server sends the address of the DHCP server in the Access-Accept message. The DHCP relay uses this address to relay the DHCP messages from the MS to the DHCP server.
multicast discard: Configures the default multicast settings which is to discard PDUs
qos-dscp: Sets the quality of service setting to the system default.
source-validation: Specifies the default IP source validation. Default is Enabled.
user-datagram-tos copy: Disables copying of the IP TOS octet value to all tunnel encapsulation IP headers.
mobile-ip { home-agent | mn-aaa-removal-indication | mn-ha-hash-algorithm | reverse-tunnel | security-level | send { dns-address | terminal-verification } }
allow-aaa-address-assignment: Disables the FA from accepting a home address assigned by an AAA server.
home-agent: Sets home agent IP address to its default of 0.0.0.0.
match-aaa-assigned-address: Disables the FA validating the home address in the RRQ against the one assigned by AAA server.
mn-aaa-removal-indication: Sets this parameter to its default of disabled.
mn-ha-hash-algorithm: Sets the encryption algorithm to the default of hmac-md5.
reverse-tunnel: Sets this parameter to its default of enabled.
security-level: Sets this parameter to its default of none.
send dns-address: Disables the HA from sending the DNS address NVSE in the RRP.
send terminal-verification: Disables the FA from sending the terminal verification NVSE in the RRQ.
ppp { always-on-vse-packet | data-compression { mode | protocols } | ip-header-compression negotiation | keepalive | min-compression-size | mtu }
always-on-vse-packet: Re-enables the PDSN to send special 3GPP2 VSE PPP packets to the Mobile Node with a max inactivity timer value for always on sessions. This configuration is applicable only for PDSNsessions.
data-compression { mode | protocols }: restores the default value for either the data compression mode or compression protocols as follows:
ip-header-compression negotiation: Sets the IP header compressions negotiation to the system default: force.
keepalive: sets the subscriber’s PPP keep alive option to the system default: 30 seconds.
min-compression-size: Restores the PPP minimum packet size for compression: 128 octets.
mtu: Sets the maximum message transfer unit packet size to the system default: 1500 octets.
[ no ] dns { primary | secondary } ip_address
dns primary | secondary
dns primary: Updates the primary domain name server for the subscriber.
dns secondary: Updates the secondary domain name server for the subscriber.
msk-lifetime dur
dur is an integer from 60 through 65535.
The following command sets the lifetime for MSK key to 4800 seconds for a WiMAX subscriber through EAP authentication:
encrypted password password
encrypted password password
password is the encrypted password and must be an alphanumeric string of 1 through 132 characters.
Important: This command is only available in StarOS 8.0. In StarOS 8.1 and later releases, this configuration is available in the ACS Rulebase Configuration Mode.
Important: Unless Stateful Firewall support for this subscriber is enabled using this command, firewall processing for this subscriber is disabled.
Important: If firewall is enabled, and the rulebase has no firewall configuration, Stateful Firewall will cause all packets to be discarded.
Important: This command is only available in StarOS 8.1. This customer-specific command must be used to configure the Policy-based Firewall-and-NAT feature.fw-and-nat policy fw_nat_policy
fw_nat_policy must be an alphanumeric string of 1 through 63 characters. Note that this policy will override the default Firewall-and-NAT policy configured in the ACS rulebase.
The following command configures a Firewall-and-NAT policy named standard for the subscriber:
domain-name domain-name
domain-name must be an alphanumeric string of 1 through 63 characters.
ipv4-address ipv4_address
[ default | no ] ims-auth-service auth_svc_name
ims-auth-service auth_svc_name
auth_svc_name must be an alphanumeric string of 1 through 63 characters preconfigured within the same context of this subscriber.
Following command applies a previously configured IMS authorization service named ims_interface1 to a subscriber within the specific context.
If this parameter is disabled, the PDSN will attempt to re-assign the IP address initially provided.
ip access-group group_name
Specifies the name of the IPv4/IPv6 access group. acl_group_name is a configured ACL group expressed as an alphanumeric string of 1 through 79 characters.
in | out
Specifies the access-group as either inbound or outbound by the keywords in and out, respectively. If neither of these key words is specified, the command associates the group_name access group with the current subscriber for both inbound and outbound access.
The following command associates the sampleGroup access group with the current subscriber for both inbound and outbound access:
ip address ip_address
The following command configures a static IP address of 192.168.1.15 with a subnet mask of 255.255.255.0 to the subscriber:
[ no ] ip address pool name pool_name
ip address pool name pool_name
pool_name must be the name of an existing IP pool or IP pool group expressed as an alphanumeric string of 1 through 31 characters.
[ no ] ip address secondary-pool name aux_pool_name
Removes a previously configured auxiliary pool named aux_pool_name for multiple host support in ASN-GW service.
ip address secondary-pool name aux_pool_name
pool_name must be the name of an existing IP pool or IP pool group expressed as an alphanumeric string of 1 through 31 characters.
This command designates the IP address to secondary hosts from locally configured secondary IP address pool. To enable multiple host support behind a WiMAX CPE and configure maximum number of supported hosts use secondary-ip-host command in ASN Gateway Service Configuration mode.
The following command configures the subscriber to receive IP addresses from a secondary IP address pool named auxiliary1 for secondary hosts behind the WiMAX CPE:
Resets the parameters to the defaults: class none, max-class be. This indicates that all packets are let through without any dscp checking
ip allowed-dscp class class
class must be one of the following;
a: allow packets with AF DSCPs
e: allow packets with EF DSCP
o: allow packets for experimental or local use
ae: allow packets with AF and EF DSCPs
ao: allow packets with AF DSCPs or packets for experimental or local use
eo: allow packets with EF DSCPs or packets for experimental or local use
aeo: allow packets with AF or EF DSCPs or packets for experimental or local use
max-class maxclass
The list below identifies the code points from lowest to highest precedence. For example, if the maxclass is set to af22, that becomes the maximum code point that the subscriber session may mark it’s packets with and only be, af13, af12, af11,af23, and af22 are allowed. If a subscriber session marks its packets with anything after af22 in this list, the PDSN service re-marks the packets with the QOS-DSCP value specified by the lower of the maxclass and the ip qos-dscp command.
If class is set to none only the be and sc1 through sc7 codepoints are allowed. For example; if class is set to none and you set max-class to sc1, only the sc1 and be codepoints are allowed.
Default: be
maxclass must be one of the following;
be: best effort forwarding
af13: assured Forwarding 13
af12: assured Forwarding 12
af11: assured Forwarding 11
af23: assured Forwarding 23
af22: assured Forwarding 22
af21: assured Forwarding 21
af31: assured Forwarding 31
af32: assured Forwarding 32
af33: assured Forwarding 33
af41: assured Forwarding 41
af42: assured Forwarding 42
af43: assured Forwarding 43
ef: expedited forwarding
sc1: selector class 1
sc2: selector class 2
sc3: selector class 3
sc4: selector class 4
sc5: selector class 5
sc6: selector class 6
sc7: selector class 7
rt-marking marking
Default: be
marking must be one of the following;
be: best effort forwarding
af11: assured Forwarding 11
af12: assured Forwarding 12
af13: assured Forwarding 13
af21: assured Forwarding 21
af22: assured Forwarding 22
af23: assured Forwarding 23
af31: assured Forwarding 31
af32: assured Forwarding 32
af33: assured Forwarding 33
af41: assured Forwarding 41
af42: assured Forwarding 42
af43: assured Forwarding 43
ef: expedited forwarding
sc1: selector class 1
sc2: selector class 2
sc3: selector class 3
sc4: selector class 4
sc5: selector class 5
sc6: selector class 6
sc7: selector class 7
This command uses class and type of marker (rt-marking for reverse tunnels) for configuration with max-class maximum code point that a subscriber session may mark its packets with.
The following command will allow o packets for experimental or local use with best effort forwarding be:
ip context-name name
Specifies the name of the context to assign the subscriber to once authenticated. name must be an alphanumeric string of 1 trough 79 characters.
ip header-compression { rohc [ any [ mode { optimistic | reliable | unidirectional } ] | cid-mode { { large | small } [ marked-flows-only | max-cid | max-hdr value | mrru value ] } | marked flows-only | max-hdr value | mrru value | downlink | uplink ] | vj } +
ip header-compression { rohc [ any [ mode { optimistic | reliable | unidirectional } ] | cid-mode { { large | small } [ marked-flows-only | max-cid | max-hdr value | mrru value ] } } | marked flows-only | max-hdr value | mrru value | downlink | uplink ] | vj }
Important: ROHC is only supported for use with the PDSN.any: Apply ROHC header compression in both the uplink and downlink directions.
mode { optimistic | reliable | unidirectional }:
|
•
|
optimistic: Sets the ROHC mode to Bidirectional Optimistic mode (O-mode). In this mode packets are sent in both directions. A feedback channel is used to send error recovery requests and (optionally) acknowledgments of significant context updates from decompressor to compressor. Periodic refreshes are not used in the Bidirectional Optimistic mode.
|
|
•
|
reliable: Sets the ROHC mode to Bidirectional Reliable mode (R-mode). This mode applies an intensive usage of a feedback channel and a strict logic at both the compressor and the decompressor that prevents loss of context synchronization between the compressor and the decompressor. Feedback is sent to acknowledge all context updates, including updates of the sequence number field.
|
|
•
|
unidirectional: Sets the ROHC mode to Unidirectional mode (U-mode). With this mode packets are sent in one direction only, from the compressor to the decompressor. This mode therefore makes ROHC usable over links where a return path from the decompressor to the compressor is unavailable or undesirable.
|
cid-mode { { large | small } [ marked-flows-only | dm | max-hdr value | mrru value ] }: Specifies the ROHC packet type to be used.
|
•
|
large | small [ marked-flows-only | max-cid | max-hdr value | mrru value ]: Defines the ROHC packet type as large or small and optionally sets the following parameters for the packet type selected:
|
|
•
|
marked-flows-only: Specifies that ROHC is to be applied only to marked flows.
|
|
•
|
max-cid integer: Default: 0 The highest context ID number to be used by the compressor. integer must be an integer from 0 through 15 when small packet size is selected and must be an integer from 0 through 31 when large packet size is selected.
|
|
•
|
max-hdr value: Specifies the maximum header size to use. Default: 168. value must be an Integer from 0 through 65535.
|
|
•
|
mrru value: Specifies the maximum reconstructed reception unit to use. Default: 65535. value must be an Integer from 0 through 65535.
|
marked-flows-only: Specifies that ROHC is to be applied only to marked flows.
max-hdr value: Specifies the maximum header size to use. Default: 168. value must be an Integer from 0 through 65535.
mrru value: Specifies the maximum reconstructed reception unit to use. Default: 65535. value must be an Integer from 0 through 65535.
downlink: Apply the ROHC algorithm only in the downlink direction.
uplink: Apply the ROHC algorithm only in the uplink direction.
Important: When ROHC is enabled for downlink or uplink only the operational mode is Unidirectional.
Important: If both VJ and ROHC header compression are specified, the optimum header compression algorithm for the type of data being transferred is used for data in the downlink direction.ip local-address ip_address
ip_address ip_address
Specifies an IP address configured in a destination context on the system through which a packet data network can be accessed. ip_address is entered using IPv4 dotted-decimal notation.
ip qos-dscp option
ip qos-dscp option
|
•
|
af11: assured Forwarding 11
|
|
•
|
af12: assured Forwarding 12
|
|
•
|
af13: assured Forwarding 13
|
|
•
|
af21: assured Forwarding 21
|
|
•
|
af22: assured Forwarding 22
|
|
•
|
af23: assured Forwarding 23
|
|
•
|
af31: assured Forwarding 31
|
|
•
|
af32: assured Forwarding 32
|
|
•
|
af33: assured Forwarding 33
|
|
•
|
af41: assured Forwarding 41
|
|
•
|
af42: assured Forwarding 42
|
|
•
|
af43: assured Forwarding 43
|
|
•
|
be: best effort forwarding
|
|
•
|
ef: expedited forwarding
|
ip route ip_address
0 bits in the ip_mask indicate that bit position in the ip_address does not need to match, such as the bit can be either a 0 or a 1.
For example, if the mobile device is assigned IP address 10.2.3.4 and it acts as a gateway for the network 10.2.3.0 (with a network mask of 255.255.255.0) a static route would be configured with the ip_address being 10.2.3.0, ip_mask being 255.255.255.0, and gateway_address being 10.2.3.4.
If an incorrect source address is received from the mobile node, the system attempts to renegotiate the PPP session. The parameters for IP source validation can be set by the ip source-violation command.
ip vlan vlan-id
ip vlan vlan-id
Specifies the VLAN ID that is associated with the IP address for that session. vlan-id is an integer from 1 through 4094.
ipv6 access-group name
Defines the access group name. name is an alphanumeric string of 1 through 47 characters.
ipv6 address address
Specifies an IPv6 address. address is entered using IPv6 colon-separated notation.
prefix-pool name
Specifies an IPv6 prefix pool name. name is an alphanumeric string of 1 through 31 characters.
The following command configures a static IP address of 2001:4A2B::1f3F with a mask length of 24 to the subscriber:
ipv6 dns ipv6_dns_address
Specifies an IP address for the DNS server. ipv6_dns_address is entered using IPv6 colon-separated notation.
interval value
value is an integer between 100 and 16000 milliseconds.
num-advts value value
The number of initial IPv6 router advertisements sent to the mobile node. value is an integer between 1 to 16.
value is an integer between 1 and 30000 milliseconds.
ipv6 interface-id ifid
interface-id ifid
Specifies the interface ID assigned to the Mobile during IPv6 Control Protocol (IPv6CP) negotiation. ifid is a 64-bit unsigned integer.
The following command provides an example of assigning an IPv6 interface ID of 00-00-00-05-47-00-37-44 to the subscriber:
ipv6 minimum-link-mtu value
ipv6 minimum-link-mtu value
Specifies the MTU (in bytes) as a minimum link value. value is an integer between 100 and 2000.
The following command provides an example of assigning an IPv6 minimum link MTU to 1580 to the subscriber:
ipv6 secondary-address ipv6_address_pref
The following command assigns an IPv6 secondary address prefix-pool name of eastcoast to the subscriber:
Restores the default value for Layer 3-to-Layer 2 tunnel addressing: no-alloc-validate.
Use this command to configure the L3 to L2 tunnel address policy for MIP HA sessions tunneled from the system using L2TP tunnels or for GGSN IP Context sessions tunneled using L2TP to a remote LNS. Also refer to the resource keyword of the Context Configuration mode ip pool command.
suppress-notifiaction: Suppresses the SNMP trap and CORBA notification after detecting and disconnecting a long duration session. Default: Disabled
dormant only: Disconnects the dormant sessions after long duration timer and inactivity time with idle time-out duration expires. If the long duration timeout is fired and the call is not dormant, the call is disconnected when the call later moves to dormancy.
Important: For HA calls, the inactivity-time is considered as gauge for dormancy.max-pdn-connections eHRPD_PDNs
max-pdn-connections eHRPD_PDNs
Specifies the maximum number of PDN conceitedness allowed per eHRPD session. eHRPD_PDNs must be an integer from 1 to 14. Default is 3.
The following command specifies a maximum of 5 PDNs per eHRPD session:
mediation-device context-name context-name
context-name must be an alphanumeric string of 1 through 79 characters that is case sensitive. If not specified, the mediation context is same as the destination context of the subscriber.
[ no ] mobile-ip { allow-aaa-address-assignment | dns-address source-priority { aaa | home-agent } | gratuitous-arp aggressive | home-agent ip_address [alternate] | match-aaa-assigned-address | mn-aaa-removal-indication | mn-ha-hash-algorithm { hmac-md5 | md5 | rfc2002-md5 } | mn-ha-shared-key key | mn-ha-spi spi_num | reverse-tunnel | security-level { ipsec | none } | send { accounting-correlation-info | dns-address | imsi | terminal-verification } }
When the no keyword is used in conjunction with the dns-address keyword, information received from both the home-agent and the AAA server is sent if available.
home-agent: If the DNS address is received from the home-agent only that information is sent to the MN. Otherwise the DNS address received from the AAA server is sent.
aaa: If the DNS address is received from the AAA server only that information is sent to MN. Otherwise the DNS address received from the home-agent is sent.
To disable this mode, use the no form of this command.
Important: This mode will only work for IP addresses that have been assigned from a static IP address pool.Specifies the IP address of the mobile IP user’s home agent. ip_address must be entered using IPv4 dotted-decimal or IPv6 colon -separated notation.
alternate - Specifies the secondary, or alternate, Home Agent to use when Proxy Mobile IP HA Failover is enabled.
Default: hmac-md5
hmac-md5: Uses HMAC-MD5 hash algorithm, as defined in RFC-2002bis. This is the default algorithm.
md5: Uses the MD-5 hash algorithm.
rfc2002-md5: Uses the MD-5 hash algorithm variant as defined in RFC-2002.
mn-ha-shared-key key
Verifies the MN-HA Authentication for a local subscriber in the current context. key is an alphanumeric string or a hexadecimal number beginning with "0x" up to 127 bytes
mn-ha-spi spi_num
Specifies the Security Parameter Index (SPI) number. spi_num must be an integer from 256 through 4294967295.
All the mobile IP user to use reverse IP tunnels. The no keyword disables this option.
ipsec: secures both MIP control and data traffic with IPSec.
none: none of the traffic is secured
Important: This keyword corresponds to the 3GPP2-Security-Level RADIUS attribute. This attribute indicates the type of security that the home network mandates on the visited network.
Important: For this attribute, the integer value “3” enables IPSec for tunnels and registration messages, “4“ Disables IPSecaccounting-correlation-info: Configures whether the FA sends the correlation info to the NVSE in the RRQ. Default is disabled.
dns-address: Enables the HA to send the DNS address NVSE in the RRP. Default is disabled. This should only be enabled on the HA side.
imsi: Configures sending the IMSI NVSE in the RRQ. Default is sending IMSI in custom-1 format.
terminal-verification: Enables the FA to send the terminal verification NVSE in the RRQ. Default is disabled. This should only be enabled on the FA side.
Important: send dns-address is a proprietary feature developed for a specific purpose and requires the MN to be able to renegotiate IPCP for DNS addresses and reregister MIP if necessary. Since this feature needs the MN to support certain PPP/MIP behavior, and not all MNs support that particular behavior, send dns-address should be enabled only after careful consideration.assignment-table name
Specifies the name of an existing MIP HA Assignment table. name must be an alphanumeric string of 1 through 63 characters.
The following command assigns the MIP HA Assignment table named Atable1 to the current subscriber:
The following command sets ignore-unknown-ha-addr-error to its default disabled state:
Overrides the MIP registration lifetime from HA for the specified period of time in seconds. dur must be an integer from 1 through 65534.
[ default | no ] mobile-ipv6 { home-address ipv6_address | home-agent ipv6_address | home-link-prefix ipv6_address | tunnel mtu value }
home-address ipv6_address
Specifies the home address for the subscriber. ipv6_address must be entered using IPv6 colon-separated notation.
home-agent ipv6_address
Specifies the IPv6 address of the mobile IP user’s home agent. ipv6_address must be entered using IPv6 colon-separated notation.
home-link-prefix ipv6_address
Specifies the IPv6 address of the mobile IP user’s home link. ipv6_address must be entered using IPv6 colon-separated notation.
tunnel mtu value
Configures the tunnel MTU (in bytes) for the IPv6 tunnel between the HA and the mobile node. value must be an integer from 1024 through 2000. The default is 1500.
nai-construction-domain domain_name
nai-construction-domain domain_name
Defines the domain name to use to replace the NAI constructed domain name. domain_name must be an alphanumeric string of 1 through 79 characters.
nexthop-forwarding-address ip_address
nexthop-forwarding-address ip_address
Configures the IP address of the nexthop forwarding address. ip_address must be entered using IPv4 dotted-decimal or IPv6 colon-separated notation.
The following command configures the next hop forwarding address to 10.1.1.1 (IPv4):
Refer to the System Administration Guide for additional information on NPU QoS functionality.
Important: This functionality is not supported for use with the PDSN at this time.nw-reachability server server_name
nw-reachability server server_name
Specifies the name of a network reachability server that has been defined in the current context. server_name is an alphanumeric string of 1 through 16 characters.
Important: Refer to the HA configuration mode command policy nw-reachability-fail to configure the action that should be taken when network reachability fails.
Important: Refer to the context configuration mode command nw-reachability server to configure network reachability servers.
Important: Refer to the nw-reachability server server_name keyword of the ip pool command in the Context Configuration Mode Commands chapter to bind the network reachability server to an IP pool.To bind a network reachability server named InternetDevice to the current subscriber, enter the following command:
Specifies the password to use for point-to-point protocol session host authentication. The encrypted keyword indicates the password specified uses encryption.
The password specified as pwd must be an alphanumeric string of 1 through 63 characters without encryption, or 1 through 127 characters with encryption.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
outbound password secretPwd
outbound encrypted password scrambledPwd
overload-disconnect [ threshold { inactivity-time inactivity_time_threshold | connect-time connect_time_threshold } ]
threshold inactivity-time inactivity_time_threshold
Sets the inactivity time threshold (in seconds) as an integer from 0 through 4294967295. The default value of zero disables this feature. If inactivity-time for the subscriber’s session is greater than inactivity_time_threshold, the session becomes a candidate for disconnection.
threshold connect-time connect_time_threshold
Sets the connection time threshold (in seconds) as an integer from 0 through 4294967295. A value of zero disables this feature. If connect-time for the subscriber’s session is greater than connect_time_threshold, the session becomes a candidate for disconnection.
Set a subscriber’s overload disconnect threshold in seconds, based on either inactivity or connection time. When this threshold is exceeded during a session, the subscriber’s session becomes a candidate for disconnection. To set overload-disconnect policies for the entire chassis, see congestion-control overload-disconnect in the Global Configuration Mode Commands chapter.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
Specifies the user’s password for authentication. pwd must be an alphanumeric string of 1 through 63 characters without encryption, or from 1 through 127 characters with encryption. A “null” password is allowed and is entered as consecutive double quotes (" "). See Example(s) for correct syntax.
Important: Subscribers configured with a null password will be authenticated using PAP and CHAP (MD5) only. Subscribers configured without a password (no password) will only be able to access services if the service is configured to allow no authentication.
Important: Subscribers with no password will only be able to access services if the service is configured to grant access with no authentication.password secretPwd
ha-mobile-ip: enables or disables the Home Agent (HA) support for Mobile IP (MIP) service.
pdsn-mobile-ip: enables or disables packet data and Foreign Agent (FA) support for MIP service.
pdsn-simple-ip: enables or disables packet data support for simple IP service.
fragment: Adjusts tunnel MTU and fragment packets
notify-sender: Sends an ICMPv6 Packet Too Big message to the original sender
policy-group policy_group_name
Specifies the traffic policy group name for a subscriber session flow pre-configured within a destination context. policy_group_name is an alphanumeric string of 1 through 15 characters that is case sensitive.
|
•
|
in: specifies the incoming traffic
|
|
•
|
out: specifies the outgoing traffic
|
ppp { accept-peer-ipv6-ifid | always-on-vse-packet | data-compression { mode { normal | stateless } | protocols { protocols [ protocols ] } | ip-header-compression negotiation { detect | force | vj compress-slot-id { both | none | receive | transmit } } | ipv4 { disable | enable | passive } | ipv6 { disable | enable | passive } | keepalive seconds | min-compression-size min_octets | mtu max_octets | remote-renegotiation disconnect { always | nai-prefix-msid-mismatch } }
mode: sets the mode of compression where modes must be one of:
|
•
|
normal: Packets are compressed using the packet history for automatic adjustment for best compression.
|
|
•
|
stateless: Each packet is compressed individually.
|
|
•
|
deflate: DEFLATE algorithm
|
|
•
|
mppc: Microsoft PPP algorithm
|
|
•
|
stac: STAC algorithm
|
Default: force
detect: The local side does not include the Van Jacobson (VJ) Compression option in its IPCP configuration request unless the peer sends an Internet Protocol Control Protocol (IPCP) NAK including a VJ compression option. If the peer requests the VJ compression option in its IPCP request the local side will ACK/NAK.
force: The IP header compression negotiation in IPCP happens normally. The local side requests the VJ compression option in its IPCP configure request. If the peer side requests VJ compression in its IPCP request, the local side will ACK/NAK the option.
vj compress-slot-id [ both | none | receive | transmit ]: Configures the direction in which VJ slotid compression should be negotiated.
|
•
|
both - If the client proposes VJ slotid compression, accept it and propose slotid compression for the downlink and uplink.
|
|
•
|
none - If the client proposes VJ slotid compression, NAK the offer, do not propose slotid compression for the downlink.
|
|
•
|
receive - (Default) If the client proposes VJ slotid compression in the uplink direction accept the configuration.
|
|
•
|
transmit - Propose VJ slotid compression for uplink.
|
disable: The PDSN does not negotiate IPCP with the mobile.
enable: The PDSN negotiates IPCP with the mobile.
passive: The PDSN initiates IPCP only when the mobile sends an IPCP request.
disable: The PDSN does not negotiate IPCP with the mobile.
enable: The PDSN negotiates IPCP with the mobile.
passive: The PDSN initiates IPCP only when the mobile sends an IPCP request.
keepalive seconds
Specifies the frequency of sending the Link Control Protocol keepalive messages. seconds must be either 0 or an integer from 5 through 14400. The special value 0 disables the keepalive messages entirely.
min-compression-size min_octets
Specifies the smallest packet (in octets) to which compression may be applied. min_octets must be an integer from 0 through 2000.
mtu max_octets
Specifies the maximum transmission unit (MTU) [in octets] for packets. max_octets must be an integer from 100 through 2000.
|
•
|
always: Automatically disconnects the session.
|
|
•
|
nai-prefix-msid-mismatch: Disconnects the session only if the MSID of the session does not match NAI-Prefix (prefix before “@” for the NAI). The configuration of the renegotiated (new) NAI is used for the matching process.
|
duration-quota final-duration-algorithm: Resets the end of billing duration quota algorithm to the default of current-time.
preference: Resets the preference to duration, If both duration and volume attributes are present.
Sets the low-watermark for remaining byte credits. percentage is a percentage of the subscriber sessions total credits. When the low-watermark is reached a new RADIUS access-request is sent to the RADIUS server to retrieve more credits. percentage must be an integer from 1 through 99.
no-final-access-request: Stops sending final online access-request on termination of 3GPP2 prepaid sessions. By default, this option is disabled.
duration-quota final-duration-algorithm { current-time | last-airlink-activity-time | last-user-layer3-activity-time }
current-time: Selects the duration quota as the difference between the session termination timestamp and the session setup timestamp.
last-airlink-activity-time: Selects the duration quota as the difference between the last-user-activity timestamp (G17) and the session setup timestamp.
last-user-layer3-activity-time: Selects the duration quota as the difference between the timestamp of the last layer-3 packet sent to or received from the user and the session setup timestamp.
duration: The duration attribute takes precedence.
volume: The volume attribute takes precedence
prepaid custom { accounting | byte-count compressed | low-watermark percent percentage | renewal interval seconds } | preference { duration | volume }
byte-count: Resets to the default of basing the prepaid byte credits on the flow of uncompressed traffic.
low-watermark: Disables sending an access request to retrieve more credits when a low watermark is reached.
byte-count compressed: The prepaid byte credits are based on the flow of uncompressed traffic. This is the default.
low-watermark: Disables the low watermark feature. An access-request is not sent to the RADIUS server until the credits granted for the subscriber session are depleted.
renewal: Disables time-based renewals for prepaid accounting.
low-watermark percent percentage
Sets the low-watermark for remaining byte credits. percentage is a percentage of the subscriber sessions total credits. When the low-watermark is reached a new RADIUS access-request is sent to the RADIUS server to retrieve more credits. percentage must be an integer from 1 through 99.
renewal interval seconds
The time in seconds to wait before sending a new RADIUS access-request to the RADIUS server to retrieve more credits. seconds must be an integer from 60 through 65535.
duration: The duration attribute takes precedence.
volume: The volume attribute takes precedence
name is the name of the intercept list expressed as an alphanumeric string of 1 through 63 characters.
Use this command to identify a proxy DNS rules list for the selected subscriber. For a more detailed explanation of the HA Proxy DNS Intercept feature, see the proxy-dns intercept-list command in the Context Configuration Mode Commands chapter.
qos rate-limit { downlink | uplink } [ qci qci_val ] [ burst-size { bytes | auto-readjust [ duration dur ] } ] [ exceed-action { drop | lower-ip-precedence | transmit } [ violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit } ] ] | [ violate-action { drop | lower-ip-precedence | shape [ transmit-when-buffer-full ] | transmit } [ exceed-action { drop | lower-ip-precedence | transmit } ] ] +no qos rate-limit direction { downlink | uplink } [ qci qci_val ]
Important: If this keyword is omitted, the same values are used for all classes.qci qci_val
qci_val is the QoS Class identifier (QCI) for which the negotiate limit is being set expressed as an integer from 1 through 9. If no qci-val is configured, it will be taken as undefined-qci (same as undefined-qos class).
Default: See the Usage section for this command
bytes must be an integer from 1 through 6000000.
Important: The minimum value of this parameter should be configured to the greater of the following two values: 1) three times greater than the packet MTU for the subscriber connection, OR 2) three seconds worth of token accumulation within the “bucket” for the configured peak-data-rate. If the committed-data-rate parameter is specified, the burst-size is applied to both the committed and peak rates.auto-readjust [ duration dur ] provides the option to calculate the Burst size dynamically while configuring rate-limit. When enabled. the system calculates the burst size using the GGSN QoS-negotiated rate that will be enforced.
duration dur specifies the duration of burst in seconds. If the duration is not specified, the default is 1 second. dur must be an integer from 1 through 30.
Default: See the Usage section for this command
|
•
|
drop: Drops the packets.
|
|
•
|
lower-ip-precedence: Transmits the packets after lowering the ip-precedence.
|
|
•
|
transmit: Transmits the packets.
|
Default: See the Usage section for this command
|
•
|
drop: Drops the packets.
|
|
•
|
lower-ip-precedence: Transmits the packets after lowering the IP precedence.
|
|
•
|
transmit: Transmits the packet after lowering the IP precedence.
|
shape [transmit-when-buffer-full]: Enables traffic shaping and buffers user packets when subscriber traffic violates the allowed peak/committed data rate. The [transmit-when-buffer-full] keyword allows the packets to be transmitted when buffer memory is full.
transmit: Transmits the packet
Important: The buffering of user packets in traffic shaping does not apply for real-time traffic.
Important: If the exceed/violate action is set to “lower-ip-precedence”, this command may override the configuration of the ip qos-dscp command in the GGSN service Configuration mode for packets from the GGSN to the PDG/TTG. In addition, the GGSN service ip qos-dscp command configuration can override the APN setting for packets from the GGSN to the Internet. Therefore, it is recommended that this command not be used in conjunction with this action.
Important: This command should be used in conjunction with the max-contexts command to limit the maximum possible bandwidth consumption by the APN.For additional information on QoS traffic shaping and policing, see the System Administration Guide.
Important: The buffering of user packets in traffic shaping does not apply for real-time traffic.
Important: If the exceed/violate action is set to “lower-ip-precedence”, this command may override the configuration of the ip qos-dscp command in the GGSN service configuration mode for packets from the GGSN to the SGSN. In addition, the GGSN service ip qos-dscp command configuration can override the APN setting for packets from the GGSN to the Internet. Therefore, it is recommended that command not be used in conjunction with this action.
Important: This command should be used in conjunction with the max-contexts command to limit the maximum possible bandwidth consumption by the APN.To calculate the burst size dynamically a new optional keyword auto-readjust [ duration dur ] is provided with burst-size keyword. By default the burst size is fixed if defined in bytes with this command. In other words irrespective of the rate being enforced, burst-size fixed as given in the burst-size bytes parameter.
For the need of variable burst size depending on the rate being enforced this new keyword auto-readjust [ duration dur ] is provided. Use of this keyword enables the calculation of burst size as per token bucket algorithm calculation as T=B/R, where T is the time interval, B is the burst size and R is the Rate being enforced.
If auto-readjust keyword is not used a fixed burst size must be defined which will be applicable for peak data rate and committed data rate irrespective of rate being enforced.
If auto-readjust keyword is provided without specifying the duration a default duration of 1 second will be taken for burst size calculation.
qos traffic-police direction { downlink | uplink } [ burst-size bytes ] [ committed-data-rate bps ] [ exceed-action { drop | lower-ip-precedence | transmit } ] [ peak-data-rate bps ] [ violate-action { drop | lower-ip-precedence | transmit } ]
burst-size bytes
bytes must be an integer from 0 through 4294967295.
Important: This parameter should be configured to at least the greater of the following two values: 1) three times greater than packet MTU for the subscriber connection, OR 2) three seconds worth of token accumulation within the “bucket” for the configured peak-data-rate.bps must be an integer from 0 through 4294967295).
drop: Drops the packet
lower-ip-precedence: Transmits the packet after lowering the ip-precedence
transmit: Transmits the packet
peak-data-rate bps
bps must be an integer from 0 through 4294967295).
drop: Drops the packet
lower-ip-precedence: Transmits the packet after lowering the IP precedence
transmit: Transmits the packet
Important: If the exceed/violate action is set to “lower-ip-precedence”, the TOS value for the outer packet becomes “best effort” for packets that exceed/violate the traffic limits regardless of what the ip user-datagram-tos copy command is configured to. In addition, the “lower-ip-precedence” option may also override the configuration of the ip qos-dscp command. Therefore, it is recommended that command not be used when specifying this option.Details on the QoS traffic policing can be found in the System Administration Guide.
The following command sets an uplink peak data rate of 128000 bps and lowers the IP precedence when the committed-data-rate and the peak-data-rate are exceeded:
The following command sets a downlink peak data rate of 256000 bps and drops packets when the committed-data-rate and the peak-data-rate are exceeded:
Important: This feature is NOT supported for real-time traffic.qos traffic-shape direction { downlink | uplink } [ burst-size bytes ] [ committed-data-rate bps ] [ exceed-action { drop | lower-ip-precedence | transmit } ] [ peak-data-rate bps ] [ violate-action { drop | lower-ip-precedence | buffer [ transmit-when-buffer-full ] | transmit } ] +
burst-size bytes
bytes must be an integer from 0 through 4294967295.
Important: It is recommended that this parameter be configured to at least the greater of the following two values: 1) three times greater than packet MTU for the subscriber connection, OR 2) three seconds worth of token accumulation within the “bucket” for the configured peak-data-rate.bps must be an integer from 0 through 4294967295).
drop: Drops the packet
lower-ip-precedence: Transmits the packet after lowering the ip-precedence
transmit: Transmits the packet
peak-data-rate bps
bps must be an integer from 0 through 4294967295).
Default: See the Usage section for this command
drop: Drops the packet
lower-ip-precedence: Transmits the packet after lowering the IP precedence
buffer [transmit-when-buffer-full]: Enables traffic shaping and buffers user packets when subscriber traffic violates the allowed peak/committed data rate. The [transmit-when-buffer-full] keyword allows the packet to be transmitted when buffer memory is full.
transmit: Transmits the packet
Important: If the exceed or violate action is set to “lower-ip-precedence”, the TOS value for the outer packet becomes “best effort” for packets that exceed or violate the traffic limits regardless how the ip user-datagram-tos copy command is configured. In addition, the “lower-ip-precedence” option may also override the configuration of the ip qos-dscp command. Therefore, this command should not be used when specifying this option.The following command sets an uplink peak data rate of 128000 bps and lowers the IP precedence when the committed-data-rate and the peak-data-rate are exceeded:
The following command buffers the excess user packets when the subscriber traffic violates the configured peak-data-rate 256000 bps in downlink direction. Once the peak/committed data rate for that subscriber goes below the configured limit it transmit them. It also transmits them if buffer memory is full:
radius accounting { interim { interval-timeout timeout | normal | suppress } | ip remote-address list-id list_id | mode { session-based | access-flow-based { none | auxillary-flows | all-flows | main-a10-only } } | start { normal | suppress } | stop { normal | suppress } }
interval-timeout timeout: Indicates the time (in seconds) between updates to session counters (log file on RADIUS or AAA event log) during the session. timeout must be an integer from 50 to 40000000.
Caution: Interim interval settings received from the RADIUS server take precedence over this setting on the system. While the low limit of this setting on the system is a minimum of 50 seconds, the low limit setting on the RADIUS server can be as little as 1 second. To avoid increasing network traffic unnecessarily and potentially reducing network and system performance, do not set this parameter to a value less than 50 on the RADIUS server.normal: If RADIUS accounting is enabled, sends this Acct-Status-Type message when required by normal operation
suppress: If RADIUS accounting is enabled, suppresses the sending of this Acct-Status-Type message.
ip remote-address list-id list_id
list_id: Specifies the RADIUS accounting remote IP address list identifier for remote-address accounting for the subscriber. list_id must be an integer from 1 through 65535.
Remote address lists are configured using the list keyword in the radius accounting ip remote-address command in the Context Configuration mode.
Default: session-based
session-based: configures session-based RADIUS accounting behavior for the subscriber - which means a single radius accounting message generated for the subscriber session not separate accounting messages for individual A10 connections or flows.
access-flow-based: configures access-flow-based RADIUS accounting behavior for the subscriber. This offers flexibility by generating separate accounting messages for flows and A10 sessions.
|
•
|
all-flows: Generates separate RADIUS accounting messages per access flow. Separate accounting messages are not generated for data path connections. (For example, separate messages are not sent for the main A10 or auxiliary connections.).
|
|
•
|
auxillary-flows: Generates RADIUS accounting records for the main data path connection and for access-flows for all auxiliary data connections. (For example, separate RADIUS accounting messages are generated for the main A10 session and for access-flows within auxiliary A10 connections. The main A10 session accounting does not include octets or other accounting information from the auxiliary flows.)
|
|
•
|
main-a10-only: Configures access-flow-based single accounting messages (for example only single start/interim/stop) are generated for the main A-10 flows only.
|
|
•
|
none: Generates separate RADIUS accounting messages for all data path connections (for example, PDSN main or auxiliary A10 connections) but not for individual access-flows. This is essentially A10 connection-based accounting.
|
normal: If RADIUS accounting is enabled, sends this Acct-Status-Type message when required by normal operation
suppress: If RADIUS accounting is enabled, suppresses the sending of this Acct-Status-Type message.
normal: If RADIUS accounting is enabled, sends this Acct-Status-Type message when required by normal operation
suppress: If RADIUS accounting is enabled, suppresses the sending of this Acct-Status-Type message.
interim [ interval-timeout ]: Disables the interim interval setting.
Set the accounting interim interval to one minute (60 seconds) for all sessions that use the current subscriber configuration:
radius group group_name
radius group_name
Specifies the name of the server group that is used for authentication and/or accounting for the specific subscriber. group_name must be an alphanumeric string of 1 through 63 characters. It must have been preconfigured within the same context of subscriber.
Following command applies a previously configured RADIUS server group named star1 to a subscriber within the specific context:
rohc-profile-name name
Specifies the name of the RoHC profile that the system will use to apply header compression and decompression parameters to bearer session data for this subscriber. name must be an existing RoHC profile expressed as an alphanumeric string of 1 through 63 characters.
Use this command to specify a RoHC configuration profile to be applied to bearer sessions belonging to this subscriber. RoHC profiles are configured through the Global Configuration Mode using the rohc-profile command.
The following command specifies that the RoHC profile named rohc-cfg1 is to be applied to all bearer sessions belonging to this subscriber:
Important: This command requires the purchase and installation of a license. Please contact your Cisco sales representative for more information.secondary ip pool pool_name
secondary ip pool pool_name
pool_name must be an alphanumeric string of 1 through 31 characters.
timeout { absolute | idle } seconds
Specifies the maximum amount of time (in seconds) before the specified timeout action is activated. seconds must be an integer from 0 through 4294967295. The special value 0 disables the timeout specified.
long-duration ldt_timeout
ldt_timeout must be a value in the range from 0 through 4294967295. The special value 0 disables the timer.
inactivity-time inact_timeout
Specifies the maximum amount of time (in seconds) before the specified session is marked as dormant.
inact_timeout must be a value in the range from 0 through 4294967295. The special value 0 disables the inactivity time specified.
Refer to the long-duration-action detection and long-duration-action disconnection commands for more information.
The following command sets the long duration timeout duration to 300 seconds and inactivity timer for subscriber session to 45 seconds:
tpo policy tpo_policy_name
tpo policy tpo_policy_name
The following command specifies to use the TPO policy named tpo_policy_110:
For GGSN systems, this command can also be specified in the APN Configuration mode (tunnel address-policy) which would mean the system defers to the old l3-to-l2-tunnel address policy command for calls coming through L2TP tunnels.
Resets the tunnel address-policy to alloc-validate.
peer-address peer_address
local-address local_addr
The following command configures the system to encapsulate subscriber traffic using IP-in-IP and tunnel it from a local address of 192.168.1.100 to a gateway with an IP address of 192.168.1.225:
tunnel l2tp [ peer-address ip address [ [ encrypted ] [secret secret] ] [ preference number] [ tunnel-context context ] [ local-address ip_address ] [ crypto-map map_name { [ encrypted ] isakmp-secret secret } ] ]
peer-address ip_address
A peer L2TP Network Server (LNS) associated with this LAC (L2TP Access Concentrator). ip_address must be an IP address entered using IPv4 dotted-decimal or IPv6 colon-separated format.
[ encrypted ] secret secret
Specifies the shared key (secret) between the L2TP Network Server (LNS) associated with this LAC (L2TP Access Concentrator). secret must be an alphanumeric string of 1 through 63 characters that is case sensitive.
encrypted: Specifies the encrypted shared key between the L2TP Network Server (LNS) associated with this LAC (L2TP Access Concentrator). secret must be an alphanumeric string of 1 through 128 characters that is case sensitive.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret. Only the encrypted secret is saved as part of the configuration file.
preference number
Specifies the order in which a group of tunnels configured for this subscriber will be tried. number must be an integer from 1 through 65535.
tunnel-context context
Specifies the name of the context containing ports through which this subscriber’s data traffic is to be communicated between this LAC and the LNS. context must be an alphanumeric string of 1 through 79 characters.
local-address ip_address
Specifies a LAC service bind address which is given as a hint that is used to select a particular LAC service. ip_address must be an IP address entered using IPv4 dotted-decimal or IPv6 colon-separated notation.
Specifies the name of a crypto map that has been configured in the current context. map_name must be an alphanumeric string from 1 to 127 alphanumeric characters.
isakmp-secret secret: Specifies the pre-shared key for the Internet Key Exchange (IKE). secret must be an alphanumeric string of 1 through 127 characters.
encrypted isakmp-secret secret: Specifies the pre-shared key for IKE. Encryption must be used when sending the key. secret must be an alphanumeric string of 1 through 127 characters.
To specify L2tp tunneling to the LNS peer at the IP address 198.162.10.100 with a shared secret of bigco and preference of 1, enter the following command:
