Important: The accounting parameters in the APN Configuration Mode take precedence over this command for subscriber sessions. Therefore, if accounting is disabled using this command but enabled within the APN configuration, accounting is performed for subscriber sessions.
• local: Disables local authentication for current context.
• none: Disables NULL authentication for current context, which enables both local and RADIUS-based authentication.
• administrator: Enables authentication for administrative users.
• subscriber: Enables authentication for subscribers.
• local: Enables local authentication for the current context.
• none: Disables authentication for the current context.
encrypted: Specifies that the user password should be encrypted.
password user_password: Specifies an authentication password for the NAI-constructed user.
In 12.1 and earlier releases, the user_password must be an alphanumeric string of 0 through 63 characters with or without encryption.
In 12.2 and later releases, the user_password must be an alphanumeric string of 0 through 63 characters without encryption, or 1 through 132 characters with encryption.
For simple IP sessions facilitated by PDSN services in which the authentication allow-noauth and aaa constructed-nai commands are configured, this command provides a password used for the duration of the session.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
Important: The domain alias can be set with the nai-construction domain command in the PDSN Service Configuration mode, or the aaa default-domain subscriber command in the Global Configuration mode for other core network services.
• If the domain alias is set by nai-construction domain, that value is always used and the aaa default-domain subscriber value is disregarded, if set. The NAI is of the form <msid><symbol><nai-construction domain>.
• If the domain alias is not set by nai-construction domain, and the domain alias is set by aaa default-domain subscriber, the aaa default-domain subscriber value is used. The NAI is of the form <msid><symbol><aaa default-domain subscriber>.
• If the domain alias is not set by nai-construction domain or aaa default-domain subscriber, the domain name alias is the name of the source context for the PDSN service. The NAI is of the form <msid><symbol><source context of PDSN Service>.
group_name must be an alphanumeric string of 1 through 63 characters.
administrator user_name [ encrypted ] password password | [ ecs ] [ expiry-date date_time ] [ ftp ] [ li-administration ] [ nocli ] [ noecs ] [ timeout-absolute timeout_absolute ] [ timeout-min-absolute timeout_min_absolute ] [ timeout-idle timeout_idle ][ timeout-min-idle timeout_min_idle ]
Specifies the password for the user name. Optionally, the encrypted keyword can be used to specify that the password is encrypted.
password must be an alphanumeric string of 1 through 63 characters without encryption, and 1 through 132 characters with encryption.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
Refer to the Lawful Intercept Configuration Guide for a description of this parameter.
timeout-absolute timeout_absolute
Important: This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.
timeout-min-absolute timeout_min_absolute
timeout-idle timeout_idle
Important: This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.
timeout-min-idle timeout_min_idle
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
Warning: If this keyword option is used with the no apn apn_name command, the APN named apn_name will be deleted with all active/inactive subscribers without prompting any warning or confirmation.
asn-qos-descriptor id qos_table_id [ default ] dscp [ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef ] [ -noconfirm ]
no asn-qos-descriptor qos_table_id [ default ] dscp [ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef ] [ -noconfirm ]
Warning: If this keyword option is used with the no asn-qos-descriptor id qos_table_id command, the ASN QoS descriptor table with identifier qos_table_id will be deleted with all active/inactive configurations without prompting any warning or confirmation.
Refer to the ASN QoS Descriptor Configuration Mode Commands chapter of this reference for additional information.
asn-service-profile id asn_profile_id direction { bi-directional | downlink | uplink } [ activation-trigger { activate | admit | dynamic-reservation | provisioned } ] [ -noconfirm ]
bi-directional: Enables this service profile in both the uplink and downlink directions.
downlink: Enables this service profile in the downlink direction, towards the subscriber.
uplink: Enables this service profile in the uplink direction, towards the system.
Warning: If this keyword option is used with the no asn-service-profile id asn_profile_id command, the ASN service profile with identifier asn_profile_id will be deleted with all active/inactive configurations without prompting any warning or confirmation.
Refer to the ASN Service Profile Configuration Mode Commands chapter of this reference for additional information.
Warning: If this keyword option is used with the no asn-service asngw_name command, the ASN-GW service named asngw_name will be deleted with all active/inactive subscribers without prompting any warning or confirmation.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Refer to the ASN Gateway Service Configuration Mode Commands chapter of this reference for additional information.
asnpc-service asn_pc_svc_name
Warning: If this keyword option is used with the no asnpc-service asn_pc_svc_name command, the ASN Paging Controller service named asn_pc_svc_name will be deleted and disabled with all active/inactive paging groups and paging agents configured in a context for ASN paging controller service without prompting any warning or confirmation.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Refer to the ASN Paging Controller Service Configuration Mode Commands chapter of this reference for additional information.
Refer to the BFD Configuration Mode Commands chapter for additional information.
bmsc-profile name bmsc_profile_name
Warning: If this keyword option is used with the no bmsc-profile name bmsc_profile_name command, the BM-SC profile named bmsc_profile_name is deleted with all active/inactive subscribers without prompting any warning or confirmation.
Applies the named IP pool or IP pool group in the current context. pool_name must be the name of an existing IP pool or IP pool group in the current context.
address-range start_address end_address
Busyout all addresses from start_address through end_address.
start_address: The beginning IP address of the range of addresses to busyout. This IP address must exist in the pool specified and entered in IPv4 dotted-decimal notation.
end_address: The ending IP address of the range of addresses to busyout. This IP address must exist in the pool specified and entered in IPv4 dotted-decimal notation.
Assume an IP pool named Pool10 with addresses from 192.168.100.1 through 192.168.100.254. To busy out the addresses from 192.168.100.50 through 192.168.100.100, enter the following command:
no cae-group cae_group_name
The following command creates a CAE group named group_1 and enters the Video Group Configuration Mode:
Important: For details about the commands and parameters, check the CAMEL Service Configuration Mode chapter.
The following command removes the CAMEL service named camel2 from the configuration for the current context:
Important: One SSL cipher suite can be created per SSL template.
[context_name]hostname(cfg-ctx-cipher-suite)#
The following command specifies the SSL cipher suite cipher_suite_1 and enters the Cipher Suite Configuration Mode:
Important: In this mode, classification rules are added sequentially with the match command to form a Class-Map. To change, delete, or re-add a particular rule, the entire Class-Map must be deleted.
The following command configures the classification map class_map1 with the option to match any condition in the match rule:
config-administrator user_name [ encrypted ] password password [ ecs ] [ expiry-date date_time ] [ ftp ] [ li-administration ] [ nocli ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle timeout_duration ] [ timeout-min-idle idle_minutes ]
password is an alphanumeric string of 1 through 63 characters without encryption, or 1 through 127 characters with encryption.
Refer to the Lawful Intercept Configuration Guide for a description of this parameter.
Important: This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.
timeout-idle timeout_duration
Important: This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
[context_name]hostname(config-credit-control-service)
Important: A maximum of 32 crypto groups per context can be configured.
crypto ipsec transform-set transform_name [ ah { hmac { md5-96 | none | sha1-96 } { esp { hmac { { md5-96 | sha1-96 } { cipher { 3des-cbc | aes-cbc-128 | aes-cbc-256 | des-cbc } } | none } } } } ]
• md5-96: Message Digest 5 truncated to 96 bits
• none: Disables the use of the AH protocol for the transform set.
• sha1-96: Secure Hash Algorithm-1 truncated to 96 bits
• md5-96: Message Digest 5 truncated to 96 bits
• none: Disables the use of the AH protocol for the transform set.
• sha1-96: Secure Hash Algorithm-1 truncated to 96 bits
• 3des-cbc: Triple Data Encryption Standard (3DES) in cipher block chaining (CBC) mode.
• aes-cbc-128: Advanced Encryption Standard (AES) in CBC mode with a 128-bit key.
• aes-cbc-256: Advanced Encryption Standard (AES) in CBC mode with a 256-bit key.
Important: The ah and subsequent keywords are required when the transform set is initially configured.
Create a transform set that has the name tset1, no authentication header, an encapsulating security protocol header hash message authentication code of md5, and a bulk payload encryption algorithm of des-cbc with the following command:
crypto map name [ ikev2-ipv6 | ipsec-dynamic | ipsec-ikev1 | ipsec-manual ]
Refer to the Lawful Intercept Configuration Guide for a description of this parameter.
• Manual crypto maps: These are static tunnels that use pre-configured information (including security keys) for establishment. Because they rely on statically configured information, once created, the tunnels never expire; they exist until their configuration is deleted.
Important: Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only be configured and used for testing purposes.
• IKEv1 crypto maps: These tunnels are similar to manual crypto maps in that they require some statically configured information such as the IP address of a peer security gateway and that they are applied to specific system interfaces. However, IKEv1 crypto maps offer greater security because they rely on dynamically generated security associations through the use of the Internet Key Exchange (IKE) protocol.
• IKEv2-IPv6 crypto maps: Refer to the Lawful Intercept Configuration Guide for a description of this parameter.
• Dynamic crypto maps: These tunnels are used for protecting L2TP-encapsulated data between the system and an LNS/security gateway or Mobile IP data between an FA service configured on one system and an HA service configured on another.
Important: The crypto map type (dynamic, IKEv1, IKEv2-IPv6, or manual) is specified when the map is first created using this command.
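As an added example (not part of the original reference and not vendor code), the following Python sketch audits saved configuration lines against the two syntax lines above: it flags transform sets that select md5-96, des-cbc or 3des-cbc, and crypto maps of type ipsec-manual, which this page recommends for testing only. The sample lines are constructed, and the flattened keyword order `ah hmac ... esp hmac ... cipher ...` is an assumption read from the syntax line.

```python
import re

# Keywords below are the ones listed in the transform-set and crypto map
# syntax on this page; the reasons given are general cryptographic facts.
WEAK_HMAC = {"md5-96": "HMAC-MD5-96 integrity is deprecated"}
WEAK_CIPHER = {
    "des-cbc": "single DES has a 56-bit key",
    "3des-cbc": "3DES is a legacy cipher with a 64-bit block",
}
MANUAL_MAP = "ipsec-manual"

# Assumption: each command sits on one line with keywords in syntax order.
TSET_RE = re.compile(r"^\s*crypto\s+ipsec\s+transform-set\s+(\S+)(.*)$")
MAP_RE = re.compile(r"^\s*crypto\s+map\s+(\S+)\s+(\S+)\s*$")
AH_RE = re.compile(r"\bah\s+hmac\s+(\S+)")
ESP_RE = re.compile(r"\besp\s+hmac\s+(\S+)")
CIPHER_RE = re.compile(r"\bcipher\s+(\S+)")


def _keyword(pattern, text):
    """Return the value following a keyword pair, or None if absent."""
    match = pattern.search(text)
    return match.group(1) if match else None


def audit_line(line):
    """Return a list of (object_name, finding) tuples for one config line."""
    findings = []
    tset = TSET_RE.match(line)
    if tset:
        name, rest = tset.groups()
        # Check the integrity algorithm chosen for each header.
        for header, pattern in (("ah", AH_RE), ("esp", ESP_RE)):
            alg = _keyword(pattern, rest)
            if alg in WEAK_HMAC:
                findings.append((name, f"{header} hmac {alg}: {WEAK_HMAC[alg]}"))
        cipher = _keyword(CIPHER_RE, rest)
        if cipher in WEAK_CIPHER:
            findings.append((name, f"cipher {cipher}: {WEAK_CIPHER[cipher]}"))
        return findings
    cmap = MAP_RE.match(line)
    if cmap and cmap.group(2) == MANUAL_MAP:
        findings.append(
            (cmap.group(1), "ipsec-manual: static keys, tunnel never expires")
        )
    return findings


def audit_config(text):
    """Audit a whole configuration; returns (line_number, name, finding)."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, finding in audit_line(line):
            results.append((number, name, finding))
    return results


# Constructed sample input, not taken from a real system.
SAMPLE_CONFIG = """\
crypto ipsec transform-set tset1 ah hmac none esp hmac md5-96 cipher des-cbc
crypto ipsec transform-set tset2 ah hmac none esp hmac sha1-96 cipher aes-cbc-256
crypto ipsec transform-set tset3 ah hmac sha1-96 esp hmac sha1-96 cipher 3des-cbc
crypto map map1 ipsec-dynamic
crypto map labmap ipsec-manual
"""

if __name__ == "__main__":
    for number, name, finding in audit_config(SAMPLE_CONFIG):
        print(f"line {number}: {name}: {finding}")
```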
Create a dynamic crypto map named map1 and enter the Crypto Map Dynamic Configuration Mode by entering the following command:
crypto template name ikev2-pdif
[context_name]hostname(cfg-crypto-tmpl-ikev2-tunnel)#
[context_name]hostname(config-cscf-access-profile)#
The following command creates a CSCF Access Profile named profile2 and enters the Access Profile Configuration Mode:
[context_name]hostname(config-cscf-acl)#
cdf: Diameter selection table for selecting CDF server
hss: Diameter selection table for selecting HSS server
Important: When the HSS table has entries, this criterion is always applied for HSS server selection. CDF server selection, however, can be enabled or disabled for a given access type.
[context_name]hostname(config-cscf-diameter-selection)#
cscf ifc-filter-criteria id fc_id priority pri [ profile-part-indicator { registered | unregistered } ] app-server uri scheme { sip | sips } as as-default-handling { session-continue | session-terminate } [ -noconfirm ] | [ service-info info ] [ trigger-point tp_name ] [ -noconfirm ] | [ trigger-point tp_id ] [ -noconfirm ]
Indicates whether the iFC is a part of the registered or unregistered user profile. If a value is not specified, then the configuration will be applied to both registered and unregistered subscribers.
Determines whether the dialog should be released (session-terminate) or not (session-continue) when the application server could not be reached or an application server error is returned.
Important: Filter criteria is associated with an ISC template in the ISC Template Configuration Mode.
Important: Filter criteria can be assigned to more than one ISC template.
The following command creates an iFC filter criteria 15, which has a priority of 2 and is part of the registered user profile. Filter criteria 15 is assigned to a sip application server named appserver. The dialog will not be released if the application server cannot be reached. Filter criteria 15 is also assigned trigger point 12:
cscf ifc-spt-condition id cond_id { request-uri content uri_content | session-case { originating-registered | originating-unregistered | terminating-registered | terminating-unregistered } | session-description sdp [ content sdp_data ] | sip-header hdr [ content hdr_data ] | sip-method method } [ -noconfirm ] [ condition-negated ]
Important: Wildcard Extended Regular Expressions (ERE) are supported for this value. For example, "sip.user[0-9]@192\\.168\\.176\\.150"
session-description sdp [ content sdp_data ]
sdp is an alphanumeric string of 1 through 15 characters.
content specifies content on the SDP line.
sdp_data is an alphanumeric string of 1 through 127 characters.
sip-header hdr [ content hdr_data ]
hdr is an alphanumeric string of 1 through 127 characters.
content specifies content on the header.
hdr_data is an alphanumeric string of 1 through 127 characters.
method is an alphanumeric string of 1 through 127 characters.
Important: An iFC SPT group may be associated with multiple SPT conditions.
cscf ifc-spt-group id group_id [ [ -noconfirm ] | reg-type { de-registration | initial-registration | re-registration } [ -noconfirm ] ]
Important: An iFC SPT group may be associated with multiple SPT conditions.
[context_name]hostname(config-cscf-ifc-spt-group)#
cnf: conjunctive normal form
dnf: disjunctive normal form
Important: An iFC SPT group can be assigned to more than one iFC trigger point.
[context_name]hostname(config-cscf-ifc-trigger-point)#
[context_name]hostname(config-cscf-isc-tmpl)#
The following command creates ISC template 10 and enters the ISC Template Configuration Mode:
county-name: Profile specific to the county-name criteria.
[context_name]hostname(config-county-name-lro-profile)#
round-robin: Profile specific to the round-robin criteria.
[context_name]hostname(config-round-robin-lro-profile)#
Important: Last route profiles are associated with peer servers in the CSCF Peer Server Monitoring Configuration Mode.
The following command creates a last route profile named lro1 and enters the CSCF Last Route Profile Criteria Configuration Mode to specify county name criteria:
The following command creates a last route profile named lro2 and enters the CSCF Last Route Profile Criteria Configuration Mode to specify round robin criteria:
• bgcf: Border Gateway Control Function
• ecscf: Emergency Call/Session Control Function
• ibcf: Interconnect Border Control Function
• icscf: Interrogating Call/Session Control Function
• mgcf: Media Gateway Control Function
• mrfc: Media Resource Function Controller
• pcscf: Proxy Call/Session Control Function
• scscf: Serving Call/Session Control Function
• sip-as: Session Initiation Protocol-Application Server
[context_name]hostname(config-cscf-peer-servers)#
The following command creates an I-CSCF server type called icscf_peer1 and enters the Peer Servers Configuration Mode:
[context_name]hostname(config-cscf-peer-servers-group)#
The following command creates a peer servers group called group1 and enters the Peer Servers Group Configuration Mode:
[context_name]hostname(config-aor-policy)#
[context_name]hostname(config-cscf-policy)#
The following command creates a policy group named group2 and enters the CSCF Policy Configuration Mode:
[context_name]hostname(config-cscf-prefix-table)#
[context_name]hostname(config-cscf-route)#
The following command creates a route group named route_group5 and enters the Route Group Configuration Mode:
cscf service service_name
Specifies the name of the CSCF service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]hostname(config-cscf-service)#
[context_name]hostname(config-cscf-session-template)#
[context_name]hostname(config-cscf-subdomain-route)#
[context_name]hostname(config-cscf-translation)#
[context_name]hostname(config-cscf-service-urn)#
dhcp-service service_name [ no ] allow dhcp-relay-agent-auth-suboption[ -noconfirm ]
dhcp-service service_name
Warning: If this keyword option is used with the no dhcp-service service_name command, the DHCP service named service_name is deleted with all active/inactive subscribers without prompting any warning or confirmation.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Refer to the DHCP Service Configuration Mode chapter of this reference for additional information.
The following command creates a DHCP service called dhcp1 and enters the DHCP Service Configuration Mode:
endpoint: Removes the currently configured accounting endpoint. The default accounting server configured in the default AAA group will be used.
hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies records to the local HDD and periodically retries the Diameter server.
hd-storage-policy: Disables use of the specified HD storage policy.
max-retries: Disables the retry attempts for Diameter accounting in this AAA group.
max-transmissions: Disables the maximum number of transmission attempts for Diameter accounting in this AAA group.
server host_name: Removes the Diameter host host_name from this AAA server group for Diameter accounting.
dictionary: Sets the context’s dictionary to the default.
hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies records to the local HDD and periodically retries the Diameter server.
max-retries: 0 (disabled)
aaa-custom1 ... aaa-custom10: Configures the custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.
nasreq: nasreq dictionary—the dictionary defined by RFC 3588.
rf-plus: RF Plus dictionary.
endpoint_name is an alphanumeric string of 1 through 63 characters.
hd_policy must be the name of a configured HD Storage policy, expressed as an alphanumeric string of 1 through 63 characters.
This and the hd-mode command are used to enable the storage of Rf Diameter Messages to HDD in case all Diameter Servers are down or unreachable.
max_retries specifies the maximum number of retry attempts. The value must be an integer from 1 through 1000.
transmissions specifies the maximum number of transmission attempts for a Diameter request. The value must be an integer from 1 through 1000. Default: 0
duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request. This value must be an integer from 1 through 3600. Default: 20
server host_name priority priority
host_name specifies the Diameter host name, expressed as an alphanumeric string of 1 through 63 characters.
priority specifies the relative priority of this Diameter host. The priority is used in server selection. The priority must be an integer from 1 through 1000.
• endpoint: Removes the authentication endpoint. The default server configured in default AAA group will be used.
• max-retries: Disables the retry attempts for Diameter authentication in this AAA group.
• max-transmissions: Disables the maximum transmission attempts for Diameter authentication in this AAA group.
• server host_name: Removes the Diameter host host_name from this AAA server group for Diameter authentication.
• dictionary: Sets the context’s dictionary to the default.
• max-retries: Sets the retry attempts for Diameter authentication requests in this AAA group to default 0 (disable).
• max-transmissions: Sets the configured maximum transmission attempts for Diameter authentication in this AAA group to default 0 (disable).
• request-timeout: Sets the timeout duration, in seconds, for Diameter authentication requests in this AAA group to default (20).
aaa-custom1 ... aaa-custom8, aaa-custom10 ... aaa-custom20: Configures the custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.
Important: aaa-custom11 dictionary is only available in Release 8.1 and later. aaa-custom12 to aaa-custom20 dictionaries are only available in Release 9.0 and later releases.
aaa-custom9: Configures the STa standard dictionary.
nasreq: nasreq dictionary—the dictionary defined by RFC 3588.
endpoint_name is an alphanumeric string of 1 through 63 characters.
max_retries specifies the maximum number of retry attempts, and must be an integer from 1 through 1000. Default: 0
transmissions specifies the maximum number of transmission attempts, and must be an integer from 1 through 1000. Default: 0
just-primary: Redirect only to primary host.
primary-then-secondary: Redirect to the primary host; if that fails, redirect to the secondary host.
duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request, and must be an integer from 1 through 3600. Default: 20
server host_name priority priority
host_name specifies the Diameter host name, expressed as an alphanumeric string of 1 through 63 characters.
priority specifies the relative priority of this Diameter host, and must be an integer from 1 through 1000. The priority is used in server selection.
result-code result_code { [ to end_result_code ] action { continue | retry-and-terminate | terminate } }
result_code: Specifies the result code, must be an integer from 1 through 65535.
to end_result_code: Specifies the upper limit of a range of result codes. end_result_code must be greater than result_code.
This command is deprecated and is replaced by the diameter accounting dictionary and diameter authentication dictionary commands. See diameter accounting and diameter authentication commands respectively.
[context_name]hostname(config-ctx-diameter)
interval must be an integer from 1 through 255.
retransmissions must be an integer from 1 through 10.
[context_name]hostname(config-dns-client)#
domain [ * ] domain_name [ default subscriber subs_temp_name ]
domain_name specifies the domain alias to create/remove from the current context. If the domain portion of a subscriber's user name matches this value, the current context is used for that subscriber.
domain_name is an alphanumeric string of 1 through 79 characters. The domain name can contain all special characters, however note that the character * (wildcard character) is only allowed at the beginning of the domain name.
Important: The domain alias specified must not conflict with the name of any existing context or domain names.
Specifies the name of the subscriber template to apply to subscribers using this domain alias. subs_temp_name is an alphanumeric string of 1 through 127 characters. If this keyword is not specified the default subscriber configuration in the current context is used.
[context_name]hostname(config-ctx-eap-profile)#
If this CLI command is configured without the charging or reporting keywords, by default the EDR module is enabled for charging EDRs.
egtp-service service_name
Specifies the name of the eGTP service as an alphanumeric string of 1 through 63 characters. If service_name does not refer to an existing service, the new service is created if resources allow.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]hostname(config-egtp-service)#
[context_name]hostname(config-ntfyintf-endpoint)#
The commands configured in this mode are defined in the Event Notification Interface Endpoint Configuration Mode Commands chapter of the Command Line Interface Reference.
Caution: This is a critical configuration. The PCC Event notification cannot be collected on a server without this configuration. Any change to this configuration would lead to the loss of event notifications from PCC service on IPCF node.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
The following command will remove sampleService as being a defined FA service.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
Important: For details about the commands and parameters for this mode, check the GPRS Service Configuration Mode chapter.
[context_name]hostname(config-gprs-service)#
Important: For details about the commands and parameters for this mode, refer to the Gs Service Configuration Mode chapter.
Specifies that the AGW must send accounting data to count (more than one) CGFs based on their priority. Response from any one of the count CGFs would suffice to proceed with the call. The full set of accounting data is sent to each of the count CGFs.
count is the number of CGFs to which accounting data will be sent, and must be an integer from 2 through 65535. Default: 1 (Disabled)
• 36: if the SGSN sends us “delete PDP context request”.
• 38: if the GGSN sends “delete PDP context request” due to GTP-C/GTP-U echo timeout with SGSN.
• 40: if the GGSN sends “delete PDP context request” due to receiving a RADIUS Disconnect-Request message.
• 26: if the GGSN sends “delete PDP context request” for any other reason (e.g., the operator types “clear subscribers” on the GGSN).
string: This is the configured Node-ID-Suffix having any string of 1 through 16 characters.
Important: The NodeID field is a printable string of the ndddstring format:
n: The first digit is the SessMgr restart counter having a value between 0 and 7.
ddd: The number of SessMgr instances. Uses the specified NodeID-suffix in all CDRs. The “Node-ID” field consists of SessMgr Recovery counter (1 digit) n + AAA Manager identifier (3 digits) ddd + the configured Node-Id-suffix (1 to 16 characters) string.
Important: If the centralized LRSN feature is enabled, the “Node-ID” field consists of only the specified NodeID-suffix. Otherwise GTPP group name is used. For default GTPP groups, GTPP context-name (truncated to 16 characters) is used.
Important: SessMgr recovery counter gets updated in case of “session recovery not enabled”. If session recovery is enabled, the counter never updates. The node-id is displayed in the G-CDR irrespective of gtpp dictionary. The G-CDR is not decoded in monitor protocol for custom1 / custom3 dictionaries.
Important: For the GGSN it provides radio access identifier as the SGSN PLMN Id and for SGSN it includes the PLMN-id of RNC.
unknown-use uncode_value encodes the specified value for “SGSN PLMN Identifier” in the CDR if SGSN PLMN-ID information is unavailable.
Must be followed by the uncode_value value to be encoded.
uncode_value must be a hexadecimal value between 0x0 and 0xFFFFFF.
destination-number: This keyword includes the destination-number information of SMS in generated S-SMO-CDRs or S-SMT-CDRs.
Note: This is the destination number of the short message subscriber.
recording-entity: This keyword includes the recording entity information of SMS in generated S-SMO-CDRs or S-SMT-CDRs.
Note: The recording entity is the E.164 number of the SGSN.
service-centre: This keyword includes the service-centre information of SMS in generated S-SMO-CDRs or S-SMT-CDRs.
Note: This is the E.164 address of the SMS-service centre.
Important: This command can be repeated multiple times with different keywords to configure multiple GTPP attributes.
If port is not defined, IP will take the default port number 49999.
Important: Configuring gtpp charging-agent on port 3386 may interfere with a ggsn-service configured with the same ip address.
• 0: Designates the start sequence number as 0.
• 1: Designates the start sequence number as 1.
Important: This command is customer specific. For more information please contact your local Cisco service representative.
Refer to the gtpp detect-dead-server and gtpp max-retries commands for additional information on the process the system uses to mark a CGF as down.
The following command configures the system to wait 60 seconds before attempting to re-communicate with a CGF that was marked as down:
This command works in conjunction with the gtpp max-retries parameter to set a limit to the number of communication failures that can occur with a configured CGF.
Refer to the gtpp max-retries command for additional information.
The following command configures the system to allow 8 consecutive communication failures with a CGF before it marks it as down:
The following command configures the system to use custom3 dictionary to encode IP address in Binary format in G-CDRs:
• include-content-ids: Controls which content IDs are being included in the final eG-CDR/P-CDR.
• all: Specifies that all content IDs be included in the final eG-CDR/P-CDR.
• only-with-traffic: Specifies that only content-IDs with traffic be included in the final eG-CDR/P-CDRs.
• closing-cause: Configures closing cause for the final eG-CDR/P-CDR.
• same-in-all-partials: Specifies that the same closing cause is to be included for multiple final eG-CDR/P-CDRs.
• unique: Specifies that the closing cause for final eG-CDR/P-CDRs is to be unique.
losdv-max-containers max_losdv_containers
max_losdv_containers must be an integer from 1 through 255.
lotdv-max-containers max_lotdv_containers
max_lotdv_containers must be an integer from 1 through 8.
rulebase-max-length rulebase_name_max_length
rulebase_name_max_length must be an integer from 0 through 63. Zero (0) means the rulebase name is added as-is.
service-data-flow threshold { interval interval | volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] } }
• interval interval: Specifies the time interval, in seconds, to close the eG-CDR/P-CDR if the minimum time duration thresholds for service data flow containers are satisfied in flow-based charging.
interval must be an integer from 60 through 40000000.
• volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] }: Specifies the volume octet counts for the generation of the interim eG-CDR/P-CDRs to service data flow container in FBC.
• downlink bytes: Specifies the limit for the number of downlink octets after which the eG-CDR/P-CDR is closed.
• total bytes: Specifies the limit for the total number of octets (uplink+downlink) after which the eG-CDR/P-CDR is closed.
• uplink bytes: Specifies the limit for the number of uplink octets after which the eG-CDR/P-CDR is closed.
• bytes must be an integer from 10000 through 400000000.
service_idle_timeout must be an integer from 10 through 86400.
0: Specifies no service-idle-timeout trigger.
Use the service-data-flow threshold option to configure the thresholds for closing a service data flow container within an eG-CDR (eG-CDRs for GGSN and P-CDRs for PGW) during flow-based charging (FBC). A service data flow container has statistics regarding an individual content ID.
The following command configures a GTPP server group named star1 for CGF accounting functionality. This server group is available for all subscribers within that context.
Important: If the wait-time expires, the packet is sent as this keyword overrides max_cdrs.
Caution: This command is effective only when GTPP single-source is configured, otherwise this command has no effect.
Important: The maximum size of an IPv4 PDU (including the IPv4 and subsequent headers) is 65,535. However, a slightly smaller limit is imposed by this command because the system’s max-pdu-size doesn't include the IPv4 and UDP headers, and because the system may need to encapsulate GTPP packets in a different/larger IP packet (for sending to a backup device).
This command works in conjunction with the gtpp detect-dead-server and gtpp timeout parameters to set a limit to the number of communication failures that can occur with a configured CGF.
Refer to the gtpp detect-dead-server and gtpp timeout commands for additional information.
gtpp server ip_address [ max max_messages ] [ priority priority ] [ udp-portport port ] [ node-alive { enable | disable } ] [ -noconfirm ]
max_messages can be configured as an integer from 1 through 256.
priority can be configured as an integer from 1 through 1000. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the
-noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
Specifies the UDP port the CGF is using. port can be configured as an integer from 1 through 65535. Default value for port is 3286.
Important: The udp-port keyword option has been modified to port to make it a generic command. The udp-port keyword can still be used; however, it will be in concealed mode and will not be shown in auto-complete or help for the command.
Important: The configuration of multiple CGFs with the same IP address but different port numbers is not supported.
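The constraints above can be checked offline before a configuration is loaded. The following Python sketch is an added example, not part of the Cisco documentation or of StarOS: it parses gtpp server lines using only the keywords and ranges stated on this page and flags out-of-range values, a CGF IP address reused with a different port, and servers that share a priority. The function names and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress

# Value ranges as stated on this page for the gtpp server keywords.
RANGES = {"max": (1, 256), "priority": (1, 1000), "port": (1, 65535)}

# Constructed sample configuration lines (not taken from a real system).
SAMPLE_CONFIG = """\
gtpp server 192.0.2.10 priority 1 max 100
gtpp server 192.0.2.11 priority 1 -noconfirm
gtpp server 192.0.2.10 port 4000 priority 2
gtpp server 192.0.2.12 max 300 priority 3
gtpp server 192.0.2.13 priority 4 node-alive enable
"""


def parse_gtpp_server(line):
    """Parse one 'gtpp server' line into a dict; raise ValueError if invalid."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[:2] != ["gtpp", "server"]:
        raise ValueError("not a 'gtpp server' line")
    entry = {"ip": str(ipaddress.ip_address(tokens[2])), "max": None,
             "priority": None, "port": None, "node-alive": None,
             "noconfirm": False}
    rest = iter(tokens[3:])
    for keyword in rest:
        if keyword == "-noconfirm":
            entry["noconfirm"] = True
            continue
        value = next(rest, None)
        if value is None:
            raise ValueError(f"keyword '{keyword}' is missing its value")
        if keyword == "node-alive":
            if value not in ("enable", "disable"):
                raise ValueError(f"node-alive takes enable or disable, got '{value}'")
            entry["node-alive"] = value
            continue
        # udp-port is the older, concealed spelling of port.
        key = "port" if keyword == "udp-port" else keyword
        if key not in RANGES:
            raise ValueError(f"unknown keyword '{keyword}'")
        low, high = RANGES[key]
        if not value.isdigit() or not low <= int(value) <= high:
            raise ValueError(f"{keyword} {value} is outside {low} through {high}")
        entry[key] = int(value)
    return entry


def audit_gtpp_servers(config_text):
    """Return a list of (line_number, message) findings for gtpp server lines."""
    findings, seen = [], []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("gtpp server "):
            continue
        try:
            entry = parse_gtpp_server(line)
        except ValueError as exc:
            findings.append((lineno, str(exc)))
            continue
        for prev_no, prev in seen:
            # A port left unset (None) means the default port, which still
            # differs from any explicitly configured port.
            if prev["ip"] == entry["ip"] and prev["port"] != entry["port"]:
                findings.append((lineno, f"CGF {entry['ip']} is already defined on "
                                 f"line {prev_no} with a different port (not supported)"))
            if entry["priority"] is not None and prev["priority"] == entry["priority"]:
                how = ("confirmation suppressed by -noconfirm"
                       if entry["noconfirm"] else "requires operator confirmation")
                findings.append((lineno, f"priority {entry['priority']} is shared "
                                 f"with line {prev_no} ({how})"))
        seen.append((lineno, entry))
    return findings


if __name__ == "__main__":
    for lineno, message in audit_gtpp_servers(SAMPLE_CONFIG):
        print(f"line {lineno}: {message}")
```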
Important: This command only takes effect if gtpp single-source in the Global Configuration Mode is also configured. Additionally, this command is customer specific. Please contact your local sales representative for additional information.
gtpp storage-server local file { compression { gzip | none } | format { custom1 | custom2 | custom3 | custom4 | custom5 | custom6 | custom7 | custom8 } | name { format string [ max-file-seq-num seq_number ] | prefix prefix } | purge-processed-files [ file-name-pattern file_pattern | purge-interval purge_dur ] | rotation { cdr-count count | time-interval time [ force-file-rotation ] | volume mb size } | start-file-seq-num seq_num [ recover-file-seq-num ] }
• gzip: Enables Gzip file compression.
• none: Disables Gzip file compression. This is the default value.
custom1: File format custom1—this is the default value.
custom2: File format custom2.
custom3: File format custom3.
custom4: File format custom4.
custom5: File format custom5.
custom6: File format custom6 with a block size of 8K for CDR files.
custom7: File format custom7 is a customer specific CDR file format.
custom8: File format custom8 is a customer specific CDR file format. It uses node-id-suffix_date_time_fixed-length-seq-num.u format for file naming.
prefix: Enter an alphanumeric string of 1 through 127 characters. The string must begin with the % (percent sign).
• %y: year as a decimal number without century (range 00 to 99).
• %Y: year as a decimal number with century.
• %m: month as a decimal number (range 01 to 12).
• %d: day of the month as a decimal number (range 01 to 31).
• %H: hour as a decimal number 24-hour format (range 00 to 23).
• %h: hour as a decimal number 12-hour format (range 01 to 12).
• %M: minute as a decimal number (range 00 to 59).
• %S: second as a decimal number (range 00 to 60). (The range is up to 60 to allow occasional leap seconds.)
• %Q: File sequence number. Field width may be specified between the % and the Q. If the natural size of the field is smaller than this width, then the result string is padded (on the left) to the specified width with 0s.
• %N: Number of CDRs in the file. Field width may be specified between the % and the N. If the natural size of the field is smaller than this width, then the result string is padded (on the left) to the specified width with 0s.
• max-file-seq-no: This can be configured optionally. It indicates the maximum value of sequence number in file name (starts from 1). Once the configured max-file-seq-no limit is reached, the sequence number will restart from 1. If no max-file-seq-no is specified then file sequence number ranges from 1 – 4294967295.
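Because the %Q sequence number increases by one per file and wraps at the configured maximum, the file names themselves show whether locally stored CDR files are missing. The following Python sketch is an added example, not part of the Cisco documentation: it turns a name format string built from the directives listed above into a regular expression, parses a listing given in creation order, and reports gaps, duplicates and names that do not match. The format string, the file names and the function names are assumptions constructed for illustration.

```python
import re

# Fixed-width date/time directives from the list above, with their digit counts.
FIXED = {"y": 2, "Y": 4, "m": 2, "d": 2, "H": 2, "h": 2, "M": 2, "S": 2}
# Counters that accept an optional field width between the % and the letter.
COUNTERS = {"Q": "seq", "N": "cdr_count"}

# Constructed format string and directory listing (in creation order).
SAMPLE_FORMAT = "%Y%m%d%H%M%S_%4Q_%N"
SAMPLE_FILES = [
    "20240101000000_9997_10000",
    "20240101010000_9998_10000",
    "20240101030000_0001_8120",   # 9999 is missing before the rollover
    "20240101040000_0002_10000",
    "20240101050000_0005_450",    # 0003 and 0004 are missing
    "core.1234",                  # does not follow the configured format
]


def format_to_regex(fmt):
    """Compile a file name format string into a regex with named counters."""
    parts, pos = [], 0
    for m in re.finditer(r"%(\d*)([A-Za-z])", fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        width, code = m.groups()
        if code in COUNTERS:
            # Zero-padded to at least the stated width; may be longer.
            parts.append("(?P<%s>\\d{%d,})" % (COUNTERS[code], int(width or 1)))
        elif code in FIXED and not width:
            parts.append("\\d{%d}" % FIXED[code])
        else:
            raise ValueError("unsupported directive %r" % m.group(0))
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("".join(parts) + r"\Z")


def check_sequence(filenames, fmt, first_seq=1, max_seq=4294967295):
    """Report gaps, duplicates and unparsed names in a CDR file listing.

    first_seq is the value the counter restarts from after reaching max_seq
    (1 unless a different start sequence number is configured).
    """
    pattern = format_to_regex(fmt)
    if "seq" not in pattern.groupindex:
        raise ValueError("format string has no %Q sequence number")
    span = max_seq - first_seq + 1
    report = {"gaps": [], "duplicates": [], "unparsed": []}
    prev = None
    for name in filenames:
        m = pattern.match(name)
        seq = int(m.group("seq")) if m else None
        if seq is None or not first_seq <= seq <= max_seq:
            report["unparsed"].append(name)
            continue
        if prev is not None:
            prev_name, prev_seq = prev
            if seq == prev_seq:
                report["duplicates"].append((prev_name, name))
            else:
                # Number of sequence values skipped, allowing for rollover.
                missing = (seq - prev_seq - 1) % span
                if missing:
                    report["gaps"].append((prev_name, name, missing))
        prev = (name, seq)
    return report


if __name__ == "__main__":
    result = check_sequence(SAMPLE_FILES, SAMPLE_FORMAT, max_seq=9999)
    for before, after, count in result["gaps"]:
        print(f"{count} file(s) missing between {before} and {after}")
    for name in result["unparsed"]:
        print(f"name does not match the configured format: {name}")
```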
purge-processed-files [ file-name-pattern file_pattern | purge-interval purge_dur ]
Important: This option is available only when GTPP server storage mode is configured for local storage of CDRs with the gtpp storage-server mode local command.
Optional keyword file-name-pattern file_pattern provides an option for user to control the pattern of files.
file_pattern must be mentioned in *.p format in a string of size 1 through 127, which is also the default format. Wild cards * and : (synonymous to |) are allowed.
Optional keyword purge-interval purge_dur provides an option for user to control the purge interval duration (in minutes).
purge_dur must be an integer from 1 through 259200. Default value 60.
cdr-count count: Configures the CDR count for the file rotation as an integer from 1000 through 65000. Default value 10000.
time-interval time: Configures the time interval (in seconds) for file rotation as an integer from 30 through 86400. Default value 3600 (1 hour).
volume mb size: Configure the file volume (in MB) for file rotation. Enter an integer from 2 to 40. This trigger cannot be disabled. Default value is 4MB.
start-file-seq-num seq_num [ recover-file-seq-num ]
Specifies the start sequence number. The sequence number goes on incrementing until ULONG_MAX (or max-seq-num configured in file name format) and then it would rollover. If recover-file-seq-num is configured, every time the system is rebooted (or aaaproxy recovery/ planned/ unplanned packet service card migration), the file sequence number continues from the last sequence number and during rollover it starts from first-sequence number.
seq_num: Configures the sequence number. Enter an integer from 1 through 4294967295.
recover-file-seq-num: Configures the recovery of file sequence number. This is an optional field and if configured, every time the machine is rebooted, the file sequence number continues from the last sequence number.
This command works in conjunction with the gtpp storage-server timeout parameters to set a limit to the number of communication failures that can occur with a configured GTPP back-up storage server.
The gtpp storage-server timeout command controls the amount of time between re-tries.
This command works in conjunction with the gtpp storage-server max-retries command to establish a limit on the number of times that communication with a GTPP back-up storage server is attempted before a failure is logged. This parameter specifies the time between retries.
This command works in conjunction with the gtpp max-retries command to establish a limit on the number of times that communication with a CGF is attempted before a failure is logged.
gtpu-service service_name
Specifies the name of the GTP-U service. If service_name does not refer to an existing service, a new service is created if resources allow.
service_name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]hostname(config-gtpu-service)#
Specifies the name of the HA service to configure. If name does not refer to an existing service, the new service is created if resources allow.
name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
The following command will remove sampleService as being a defined HA service:
no hnbgw-service hnbgw_svc_name
hnbgw-service hnbgw_svc_name
Specifies the name of the HNB-GW service. If service_name does not refer to an existing service, the new service is created if resources allow.
hnbgw_svc_name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]hostname(config-hnbgw-service)#
The commands available in this mode are defined in the HNB-GW Service Configuration Mode Commands chapter of Command Line Interface Reference.
Caution: This is a critical configuration. The HNB-GW service cannot be configured without this configuration. Any change to this configuration would lead to restarting the HNB-GW service and removing or disabling this configuration will stop the HNB-GW service.
hsgw-service service_name
Specifies the name of the HSGW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]hostname(config-hsgw-service)#
Important: For an SGSN, this command is visible, but the feature is in development and not yet supported for configuration.
Specifies the name of the HSS peer service. If service_name does not refer to an existing service, a new service is created if resources allow.
service_name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]hostname(config-hss-peer-service)#
Important: The peer security gateway must support RFC 3706 in order for this functionality to function properly.
Important: If DPD is enabled while IPSec tunnels are up, it will not take effect until all of the tunnels are cleared.
[context_name]hostname(cfg-ctx-ikev2ikesa-tran-set)#
[context_name]hostname(config-imsa-service)
[context_name]hostname(config-ims-sh-service)#
IMS Sh Service Configuration Mode commands are defined in the IMS Sh Service Configuration Mode Commands chapter in this guide.
inspector user_name [ encrypted ] password password [ ecs | noecs ] [ expiry-date date_time ] [ li-administration ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle timeout_duration ] [ timeout-min-idle idle_minutes ]
password is an alphanumeric string of 1 through 63 characters without encryption, or 1 through 127 characters with encryption.
ecs: Permits the specific user to access ACS-specific configuration commands.
noecs: Prevents the specific user from accessing ACS-specific configuration commands.
Refer to the Lawful Intercept Configuration Guide for a description of this parameter.
timeout-idle timeout_duration
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
interface name [ broadcast | loopback | point-to-point | tunnel ]
Specifies the name of the interface to configure. If name does not refer to an existing interface, the new interface is created if resources allow.
name is an alphanumeric string of 1 through 79 characters.
Important: Refer to the Ethernet Interface Configuration Mode Command chapter for more information.
Important: Refer to the Loopback Interface Configuration Mode Command chapter for more information.
Important: Refer to the PVC Interface Configuration Mode Command chapter for more information.
Important: Refer to the Tunnel Interface Configuration Mode Commands chapter for more information.
Important: If no keyword is specified, broadcast is assumed and the interface is Ethernet by default.
The following command removes sampleService as being a defined interface:
In Release 8.1 and later, name is an alphanumeric string of 1 through 47 characters.
In Release 8.0, name is an alphanumeric string of 1 through 79 characters.
Important: Up to eight ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 256-rule limit for the context.
The in and out keywords are deprecated and are only present for backward compatibility. Context-level ACLs are applied only to outgoing packets.
Specifies the priority of the access group. 0 is the highest priority. If priority_value is not specified, the priority is set to 0.
priority_value must be an integer from 0 through 4294967295. Default: 0
Use this command to add IP access lists (refer to the ip access-list command) configured within the same context to an ACL group.
Refer to the Access Control Lists appendix of the System Administration Guide for more information on ACLs.
The following commands add sampleGroup to the context-level ACL with a priority of 0:
In Release 8.0, name is an alphanumeric string of 1 through 79 characters.
In Release 8.1 and later, name is an alphanumeric string of 1 through 47 characters.
Important: A maximum of 64 rules can be configured per ACL. The maximum number of ACLs that can be configured per context is limited by the amount of available memory in the VPN Manager software task; it is typically less than 200.
Refer to the Access Control Lists appendix of the System Administration Guide for more information on ACLs.
The following command creates an access list named sampleList, and enters the ACL Configuration Mode:
ip arp ip_address mac_address [ vrf vrf_name ]
no ip arp ip_address mac_address
Specifies the IP address for which to configure the ARP options where ip_address is an IP address expressed in IPv4 dotted-decimal notation.
Specifies the media-specific access control layer address for the IP address. mac_address must be specified as a 6-byte hexadecimal number with each byte separated by a colon, for example, “AA:12:bb:34:f5:0E”.
vrf_name is the name of a preconfigured virtual routing and forwarding (VRF) context configured in Context Configuration Mode via the ip vrf command.
deny: Denies access to AS paths that match the regular expression.
permit: Allows access to AS paths that match the regular expression.
A regular expression to define the AS paths to match. reg_expr is an alphanumeric string of 1 through 254 characters.
Important: The ? (question mark) character is not supported in regular expressions for this command.
Important: This command must be entered in the destination context for the subscriber. If there are multiple destination contexts for different subscribers, the command must be entered in each context.
The following command identifies an interface with an address of 10.23.255.255 in a destination context where the system forwards all intercepted DNS requests:
Specifies the logical domain name to use for domain name server address resolution. name is an alphanumeric string of 1 through 1023 characters formatted to be a valid IP domain name.
Specifies the logical host name (DNS) for the local machine on which the current context resides. name is an alphanumeric string of 1 through 1023 characters formatted to be a valid IP host name.
Specifies the IP address for the static mapping. ip_address must be expressed in IPv4 dotted-decimal or IPv6 colon-separated notation.
Important: The same preference would be applicable for the NBNS servers to be negotiated via IPCP with the LNS.
ip pool pool_name { ip_address subnet_mask | ip_address_mask_combo | range start_ip_address end_ip_address } [ address-hold-timer address_hold_timer ] [ advertise-if-used ] [ alert-threshold [ group-available | pool-free | pool-hold | pool-release | pool-used ] low_thresh [ clear high_thresh ] ] [ explicit-route-advertise ] [ group-name group_name ] [ include-nw-bcast ] [ napt-users-per-ip-address users_per_ip [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ max-chunks-per-user max_chunks_per_user [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ port-chunk-size port_chunk_size ] [ port-chunk-threshold port_chunk_threshold ] [ send-nat-binding-update ] + ] [ nat priority ] [ nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ send-nat-binding-update ] + ] [ nat-realm users-per-nat-ip-address users [ on-demand [ address-hold-timer address_hold_timer ] ] ] [ nexthop-forwarding-address ip_address [ overlap vlanid vlan_id ] [ respond-icmp-echo ip_address ] ] [ nw-reachability server server_name ] [ policy allow-static-allocation ] [ private priority ] [ public priority ] [ resource priority ] [ send-icmp-dest-unreachable ] [ srp-activate ] [ static ] [ suppress-switchover-arps ] [ tag { none | pdif-setup-addr } ] [ unicast-gratuitous-arp-address ip_address ] [vrf vrf_name {[mpls-label input in_label_value | output out_label_value1 [out_label_value2] } ] +
no ip pool pool_name [ address-hold-timer ] [ advertise-if-used ] [ alert-threshold [ [ group-available ] [ pool-free ] [ pool-hold ] [ pool-release ] [ pool-used ] + ] [ explicit-route-advertise ] [ group-name ] [ include-nw-bcast ] [ nexthop-forwarding-address [ respond-icmp-echo ] ] [ nw-reachability server ] [ policy allow-static-allocation ] [ send-icmp-dest-unreachable ] [ srp-activate ] [ suppress-switchover-arps ] [ tag { none | pdif-setup-addr } ] [ unicast-gratuitous-arp-address ] + [ send-nat-binding-update ]
Specifies the logical name of the IP address pool. name must be an alphanumeric string of 1 through 31 characters.
Important: An error message displays if the ip pool name and the group name in the configuration are the same. An error message displays if the ip pool name or group name are already used in the context.
1 bits in the ip_mask indicate that bit position in the ip_address must also have a value of 1.
0 bits in the ip_mask indicate that bit position in the ip_address does not need to match; the bit can be either a 0 or a 1.
For example, if the IP address and mask are specified as 172.168.10.0 and 255.255.255.224, respectively, the pool will contain IP addresses in the range 172.168.10.0 through 172.168.10.31 for a total of 32 addresses.
Specifies a combined IP address subnet mask bits to indicate what IP addresses the route applies to. ip_address_mask_combo must be specified using CIDR notation where the IP address is specified using IPv4 dotted-decimal notation and the mask bits are a numeric value which is the number of bits in the subnet mask.
range start_ip_address end_ip_address
start_ip_address specifies the beginning of the range of addresses for the IP pool.
end_ip_address specifies the end of the range of addresses for the IP pool.
For example, if start_ip_address is specified as 172.168.10.0 and end_ip_address is specified as 172.168.10.31, the IP pool will contain addresses in the range 172.168.10.0 through 172.168.10.31 for a total of 32 addresses.
none: default tag for all IP address pools
pdif-setup-addr: pool with this tag should only be used for PDIF calls.
seconds is the time in seconds and must be an integer from 0 through 31556926.
group-available: Set an alert based on the available percentage of IP addresses for the entire IP pool group.
pool-free: Set an alert based on the percentage of IP addresses that are unassigned in this IP pool.
pool-hold: Set an alert based on the percentage of IP addresses from this IP pool that are on hold.
pool-release: Set an alert based on the percentage of IP addresses from this IP pool that are in the release state.
pool-used: This command sets an alert based on the percentage of IP addresses that have been assigned from this IP pool.
Important: Refer to the threshold available-ip-pool-group and threshold monitoring commands in this chapter for additional information on IP pool utilization thresholding.
low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured as an integer between 0 and 100.
clear high_thresh: The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. It may be configured as an integer between 0 and 100.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
Assigns one or more preconfigured IP pools to the IP pool group. group_name is case sensitive and must be an alphanumeric string of 1 through 31 characters. One or more IP pool groups are assigned to a context, and one IP pool group consists of one or more IP pool(s).
To remove the include-nw-bcast option from the ip pool, use the no ip pool test include-nw-bcast command.
napt-users-per-ip-address users_per_ip [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ max-chunks-per-user max_chunks_per_user [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ port-chunk-size port_chunk_size ] [ port-chunk-threshold port_chunk_threshold ] [ send-nat-binding-update ] +
Important: In UMTS deployments this keyword is available in 9.0 and later releases. In CDMA deployments this keyword is available in 8.3 and later releases.
Important: In UMTS deployments, on upgrading from Release 8.1 to Release 9.0, and in CDMA deployments, on upgrading from Release 8.1 to 8.3, all NAT realms configured in Release 8.1 using the nat-realm keyword must be reconfigured using either the nat-one-to-one (for one-to-one NAT realms) or the napt-users-per-ip-address (for many-to-one NAT realms) keywords.
• users_per_ip: Specifies how many users can share a single NAT IP address as an integer from 2 through 2016.
Important: Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in that context, and override the threshold configurations set within individual pools.
• pool-free: Percentage free alert threshold for this pool
• pool-hold: Percentage hold alert threshold for this pool
• pool-release: Percentage released alert threshold for this pool
• pool-used: Percentage used alert threshold for this pool
• low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. low_thresh must be an integer from 0 through 100.
• clear high_thresh: The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. high_thresh must be an integer from 0 through 100.
Important: The high_thresh value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
• max-chunks-per-user max_chunks_per_user: Specifies the maximum number of port chunks to be allocated per subscriber in the many-to-one NAT pool. max_chunks_per_user must be an integer from 1 through 2016. Default: 1
• nat-binding-timer binding_timer: Specifies NAT Binding Timer for the NAT pool. binding_timer must be an integer from 0 through 31556926. If set to 0, the timer is disabled. Default: 0
• nexthop-forwarding-address address: Specifies the nexthop forwarding address for this pool. address must be an IPv4 or IPv6 address. If configured for a NAT pool, packets that are NATed using that NAT pool will be routed based on the configured nexthop address.
Important: The nexthop-forwarding-address support for NAT IP pools is functional only in later releases of Release 9.0 and in 10.0 and later releases.
• on-demand: Specifies that an IP address is allocated when matching data traffic begins.
• port-chunk-size size: Specifies NAT port chunk size (number of NAT ports per chunk) for many-to-one NAT pool. size must be an integer from 32 through 32256.
Important: The port-chunk-size configuration is only available for many-to-one NAT pools.
• port-chunk-threshold chunk_threshold: Specifies NAT port chunk threshold in percentage of number of chunks for many-to-one NAT pool. chunk_threshold must be an integer from 1 through 100. Default: 100%
Important: The port-chunk-threshold configuration is only available for many-to-one NAT pools.
Important: send-nat-binding-update is not supported for many-to-one realms.
• group-name group_name: Specifies the pool group name. Grouping enables discontiguous IP address blocks in individual NAT IP pools to be bound to a single pool group.
group_name is an alphanumeric string of 1 through 31 characters that is case sensitive.
priority specifies the priority of the NAT pool. 0 is the highest priority. If priority is not specified, the priority is set to 0.
Important: This functionality is currently supported for use with systems configured as an A-BG or P-CSCF.
nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ send-nat-binding-update ] +
Important: In UMTS deployments this keyword is available in Release 9.0 and later releases. In CDMA deployments this keyword is available in Release 8.3 and later releases.
Important: In UMTS deployments, on upgrading from Release 8.1 to Release 9.0, and in CDMA deployments, on upgrading from Release 8.1 to Release 8.3, all NAT realms configured in Release 8.1 using the nat-realm keyword must be reconfigured using either the nat-one-to-one (for one-to-one NAT realms) or the napt-users-per-ip-address (for many-to-one NAT realms) keywords.
Important: Thresholds configured using the alert-threshold keyword are specific to the pool in which they are configured. Thresholds configured using the threshold ip-pool * commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
|
•
|
pool-free: Percentage free alert threshold for this pool
|
|
•
|
pool-hold: Percentage hold alert threshold for this pool
|
|
•
|
pool-release: Percentage released alert threshold for this pool
|
|
•
|
pool-used: Percentage used alert threshold for this pool
|
|
•
|
low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. low_thresh must be an integer from 0 through 100.
|
|
•
|
clear high_thresh: The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. high_thresh must be an integer from 0 through 100.
|
Important: The
high_thresh value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
|
• nat-binding-timer nat_binding_timer: Specifies the NAT Binding Timer for the NAT pool. nat_binding_timer must be an integer from 0 through 31556926. If set to 0, the timer is disabled.
Important: For many-to-one NAT pools, the default NAT Binding Timer value is 60 seconds. For one-to-one NAT pools, it is 0. By default, the feature is disabled: the IP addresses/port-chunks, once allocated, will never be freed.
• nexthop-forwarding-address ip_address: Specifies the nexthop forwarding address for this pool. ip_address must be an IPv4 or IPv6 address. If configured for a NAT pool, packets that are NATed using that NAT pool will be routed based on the configured nexthop address.
Important: The nexthop-forwarding-address support for NAT IP pools is functional only in later releases of Release 9.0 and in Release 10.0 and later releases.
• on-demand: Specifies allocating an IP address when matching data traffic begins.
Important: send-nat-binding-update is not supported for many-to-one realms.
• group-name group_name: Specifies the pool group name. Grouping allows discontiguous IP address blocks in individual NAT IP pools to be bound to a single pool group. NAT pool and NAT pool group names must be unique. group_name is an alphanumeric string of 1 through 31 characters that is case sensitive. This keyword is available for NAT pool configuration only in StarOS 10.0 and later releases.
• srp-activate: Activates the IP pool for Interchassis Session Recovery (ICSR).
nat-realm users-per-nat-ip-address users [ on-demand [ address-hold-timer address_hold_timer ] ]
Important: The nat-realm keyword is only available in Release 8.1.
Important: In Release 8.1, the NAT On-demand feature is not supported.
Important: This functionality is currently supported for use with systems configured as an A-BG or P-CSCF.
users-per-nat-ip-address users: Specifies the number of users sharing a single NAT IP address as an integer from 1 through 5000.
on-demand: Specifies to allocate IP when matching data traffic begins.
address-hold-timer address_hold_timer: Specifies the address hold timer (in seconds) for this pool as an integer from 0 through 31556926. If set to 0, the address hold timer is disabled.
Important: This functionality is currently supported for use with systems configured as an HA, or as a PDSN for Simple IP, or as a GGSN. This keyword can only be issued for pools of type private or static and must be associated with a different nexthop forwarding address and VLAN. A maximum of 256 over-lapping pools can be configured per context and a maximum of 256 over-lapping pools can be configured per HA or simple IP PDSN. For GGSNs, the total number of pools is limited by the number of VLANs defined but the maximum number per context is 256. Additional network considerations and configuration outside of the system may be required.
server_name: Specifies the name of a network reachable server that has been defined in the current context, expressed as an alphanumeric string of 1 through 16 characters.
Important: Also see the following commands for more information: Refer to the policy nw-reachability-fail command in the HA Configuration Mode to configure the action that should be taken when network reachability fails. Refer to the nw-reachability server command in this chapter to configure network reachability servers. Refer to the nw-reachability-server command in the Subscriber Configuration Mode to bind a network reachability server to a specific subscriber.
Important: In order for this functionality to work, all of the pools should contain an initial IP address that can be pinged.
Also refer to the Subscriber Configuration Mode Commands chapter for a description of the l3-to-l2-tunnel address-policy command.
When enabled, the output of show ip pool verbose includes the total number of explicit host routes. Default: Enabled
vrf vrf_name { [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] }
Important: This command must be used with next-hop parameters.
vrf_name is the name of a preconfigured virtual routing and forwarding (VRF) context configured in Context Configuration Mode through the ip vrf command.
• in_label_value is the MPLS label that identifies the inbound traffic destined for this pool.
• out_label_value1 and out_label_value2 identify the MPLS labels to be added to the outgoing packets sent for the subscriber from this pool, where out_label_value1 is the inner output label and out_label_value2 is the outer output label.
Important: You cannot have overlapping pool addresses using the same VRF. Also, you cannot have two pools using different VRFs but the same in-label, irrespective of whether the pools are overlapping or not. The pool must be a private or static pool in order to be associated with a certain VRF. If a VRF with such a name is not configured, the pool configuration returns an error prompting you to add the VRF before configuring a pool.
Important: In a static allocation scenario, the pool group name is returned by AAA in the attribute SN1-IP-Pool-Name, and the IP address to use will be returned in the Framed-IP-Address attribute.
When using the ip pool command to resize an IP pool, the type must be specified since by default the command assumes the type as public. In other words, the CLI syntax to resize an IP pool is the same syntax used to create the pool. See examples below.
Important: If an IP address pool is matched to an ISAKMP crypto map and is resized, removed, or added, the corresponding security association must be cleared in order for the change to take effect. Refer to the clear crypto command in the Exec mode for information on clearing security associations.
Over-lapping IP Pools: The system supports the configuration of over-lapping IP address pools within a particular context. Over-lapping pools are configured using either the resource or overlap keywords.
The resource keyword allows over-lapping addresses tunneled to different VPN end points.
The overlap keyword allows over-lapping addresses each associated with a specific virtual LAN (VLAN) configured for an egress port. It uses the VLAN ID and the nexthop address to determine how to forward subscriber traffic with addresses from the pool thus resolving any conflicts with overlapping addresses.
Note that if an overlapping IP Pool is bound to an IPSec Tunnel (refer to the match ip pool command in the Crypto Group Configuration Mode chapter), that tunnel carries the traffic ignoring the nexthop configuration. Therefore, the IPSec Tunnel takes precedence over the nexthop configuration. (Thus, one can configure the overlapping IP Pool with a fake VLAN ID and nexthop and still be able to bind it to an IPSec Tunnel for successful operation.)
The overlap keyword, which allows over-lapping addresses each associated with a specific VLAN, can only be issued for pools of type private or static and must be associated with a different nexthop forwarding address and VLAN. A maximum of 128 over-lapping pools can be configured per context and a maximum of 256 over-lapping pools can be configured per system.
Important: Overlapping IP address functionality is currently supported for use with systems configured as an HA for Mobile IP, or as a PDSN for Simple IP, or as a GGSN. For deployments in which subscriber traffic is tunneled from the FA to the HA using IP-in-IP, a separate HA service must be configured for each over-lapping pool.
IP Pool Address Assignment Method: IP addresses can be dynamically assigned from a single pool or from a group of pools. The addresses are placed into a queue in each pool. An address is assigned from the head of the queue and, when released, returned to the end. This method is known as least recently used (LRU).
Important: Note that setting different priorities on each individual pool in a group can cause addresses in some pools to be used more frequently.
Important: In NAT IP pool configurations, the minimum number of public IP addresses that must be allocated to each NAT pool must be greater than or equal to the number of Session Managers (SessMgrs) available on the system. On the ASR 5000, it is >= 84 public IP addresses. This can be met by a range of 84 host addresses from a single Class C. The remaining space from the Class C can be used for other allocations.
ip prefix-list name list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
no ip prefix-list list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
network_address/net_mask [ ge ge_value ] [ le le_value ]
network_address/net_mask: The IP address and the length, in bits, of the network mask that defines the prefix. The IP address and mask must be entered in IPv4 dotted-decimal notation. When neither ge (greater than or equal to) nor le (less than or equal to) is specified, an exact match is assumed.
ge ge_value: Specifies the minimum prefix length to match as an integer from 0 through 32. If only the ge value is specified, the range is from the ge value to 32. The ge value must be greater than net_mask and less than the le value.
le le_value: Specifies the maximum prefix length to match as an integer from 0 through 32. If only the le value is specified, the range is from the net_mask to the le value. The le value must be less than or equal to 32.
net_mask < ge_value < le_value <= 32
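The ge/le matching rules above, worked through as an added Python example (it is not from this reference or from StarOS). It parses lines in the syntax shown, enforces net_mask < ge_value < le_value <= 32, and reports which entry decides a route; the top-to-bottom first-match evaluation, the implicit deny when nothing matches, the list name EDGE-IN and the sample prefixes are assumptions constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Syntax as given on the page:
#   ip prefix-list name list_name [ seq seq_number ] { deny | permit }
#       { any | network_address/net_mask [ ge ge_value ] [ le le_value ] }
LINE_RE = re.compile(
    r"^ip prefix-list name (?P<name>\S+)"
    r"(?: seq (?P<seq>\d+))?"
    r" (?P<action>deny|permit)"
    r" (?:(?P<any>any)|(?P<net>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?)$"
)


@dataclass(frozen=True)
class Entry:
    name: str
    seq: Optional[int]
    action: str                               # "permit" or "deny"
    network: Optional[ipaddress.IPv4Network]  # None stands for "any"
    lo: int                                   # shortest prefix length matched
    hi: int                                   # longest prefix length matched


def parse_entry(line: str) -> Entry:
    """Parse one prefix-list line and enforce net_mask < ge < le <= 32."""
    m = LINE_RE.match(" ".join(line.split()))
    if m is None:
        raise ValueError(f"not a prefix-list line: {line!r}")
    seq = int(m["seq"]) if m["seq"] else None
    if m["any"]:
        return Entry(m["name"], seq, m["action"], None, 0, 32)
    net = ipaddress.ip_network(m["net"], strict=False)
    mask = net.prefixlen
    ge = int(m["ge"]) if m["ge"] else None
    le = int(m["le"]) if m["le"] else None
    if ge is not None and not mask < ge <= 32:
        raise ValueError(f"ge {ge} must be greater than net_mask {mask}")
    if le is not None and le > 32:
        raise ValueError(f"le {le} must be less than or equal to 32")
    if ge is not None and le is not None and not ge < le:
        raise ValueError(f"ge {ge} must be less than le {le}")
    if ge is None and le is not None and le < mask:
        # Assumption (not stated on the page): an le below net_mask would
        # describe an empty range, so it is flagged as a configuration error.
        raise ValueError(f"le {le} is shorter than net_mask {mask}")
    lo = ge if ge is not None else mask       # only le, or neither: start at net_mask
    if le is not None:
        hi = le                               # le given: stop at le
    elif ge is not None:
        hi = 32                               # only ge: ge through 32
    else:
        hi = mask                             # neither: exact match
    return Entry(m["name"], seq, m["action"], net, lo, hi)


def match_route(entries: List[Entry], route: str) -> Optional[Entry]:
    """Return the first entry that matches route, or None.

    Assumption: entries are supplied in evaluation (sequence) order.
    """
    r = ipaddress.ip_network(route, strict=True)
    for e in entries:
        if e.network is None:
            return e
        if r.subnet_of(e.network) and e.lo <= r.prefixlen <= e.hi:
            return e
    return None


def decision(entries: List[Entry], route: str) -> str:
    """Assumption: a route that matches no entry is denied."""
    hit = match_route(entries, route)
    return hit.action if hit else "deny"


def is_valid(line: str) -> bool:
    """True if the line parses and satisfies the ge/le constraints."""
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False


# Constructed sample configuration (not from the page).
SAMPLE_CONFIG = """
ip prefix-list name EDGE-IN seq 5 deny 192.168.0.0/16 ge 17
ip prefix-list name EDGE-IN seq 10 permit 192.168.0.0/16
ip prefix-list name EDGE-IN seq 15 permit 198.51.100.0/24 le 26
ip prefix-list name EDGE-IN seq 20 permit 203.0.113.0/24 ge 25 le 28
ip prefix-list name EDGE-IN seq 25 deny any
"""
ENTRIES = [parse_entry(l) for l in SAMPLE_CONFIG.strip().splitlines()]

if __name__ == "__main__":
    for route in ("192.168.0.0/16", "192.168.4.0/24", "198.51.100.64/26",
                  "198.51.100.64/27", "203.0.113.0/24", "203.0.113.16/28"):
        hit = match_route(ENTRIES, route)
        print(f"{route:20} {decision(ENTRIES, route):6} "
              f"(seq {hit.seq if hit else 'none'})")
```

The run shows the two cases that most often surprise when auditing a filter: an entry without ge or le matches only the exact prefix, and an entry with ge does not match the covering prefix itself.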
[ no ] ip route { ip_address/ip_mask | ip_address ip_mask } { gateway_ip_address | next-hop next_hop_ip_address | point-to-point | tunnel } egress_intrfc_name [ cost cost ] [ precedence precedence ] [ vrf vrf_name ] +
ip route ip_address/ip_mask | ip_address ip_mask
ip_address/ip_mask: Specifies a combined IP address and subnet mask bits that indicate the IP addresses to which the route applies.
ip_address must be entered using IPv4 dotted-decimal or IPv6 colon-separated notation.
/ip_mask is entered using CIDR notation; the mask bits are a numeric value which is the number of bits in the subnet mask.
ip_address ip_mask: Specifies an IP address and networking (subnet) mask pair that identifies the set of IP addresses to which the route applies.
ip_address must be specified using the standard IPv4 dotted-decimal notation.
ip_mask must be specified using the standard IPv4 dotted-decimal notation as the network mask for subnets.
The mask as specified by ip_mask or resulting from ip_address/ip_mask is used to determine the network for packet routing.
gateway_ip_address | next-hop next_hop_ip_address | point-to-point | tunnel
gateway_ip_address: Specifies the IP address of the network gateway to which to forward packets. The address must be entered in IPv4 dotted-decimal notation (###.###.###.###).
next-hop next_hop_ip_address: Specifies the next-hop IP address to which packets are to be forwarded. The address must be entered in IPv4 dotted-decimal notation.
point-to-point: Specifies that the egress port is an ATM point-to-point interface.
tunnel: Sets the static route for this egress interface as tunnel type, such as IPv6-over-IPv4 or GRE.
Specifies the relative cost of the route. cost must be an integer from 0 through 255 where 255 is the most expensive. Default: 0
Specifies the selection order precedence for this routing information. precedence must be an integer from 1 through 254 where 1 is the highest precedence. Default: 1
vrf_name is the name of a preconfigured VRF context configured in Context Configuration Mode via the ip vrf command.
ip route static bfd if-name gateway_ip_address
if-name: Specifies the name of the interface to which the static BFD neighbor is bound as an alphanumeric string of 1 through 79 characters.
gateway_ip_address: Specifies the gateway address of the BFD neighbor in IPv4 dotted-decimal notation.
Important: A maximum of 1,200 static routes may be configured per context.
[context_name]
host_name(config-context-vrf)#
Refer to the IP VRF Context Configuration Mode Commands chapter for parameter configuration.
Warning: If this keyword option is used with the no ipms command, the IPMS client service is deleted along with all active/inactive IPMS sessions, without any warning or confirmation prompt.
Important: The IPMS is a license-enabled external application support. Refer to the IPMS Installation and Administration Guide for more information on this product.
Refer to the IPMS Installation and Administration Guide and the IPMS Configuration Mode chapter of this reference for additional information.
[context_name]
hostname(cfg-ctx-ipsec-tran-set)#
The following command configures an IPSec transform set called ipsec12 and enters the IPSec Transform Set Configuration Mode:
ipsg-service ipsg_service_name [ mode { radius-server | radius-snoop } ] [ -noconfirm ]
no ipsg-service ipsg_service_name [ mode { radius-server | radius-snoop } ]
ipsg-service ipsg_service_name
Specifies the name of the IPSG service to be configured. If ipsg_service_name does not refer to an existing service, the new service is created if resources allow.
ipsg_service_name is an alphanumeric string of 1 through 63 characters.
• radius-server: Creates an IP Services Gateway RADIUS Server service in the context and enters the IPSG RADIUS Server Configuration Mode.
• radius-snoop: Creates an IP Services Gateway RADIUS Snoop service in the context and enters the IPSG RADIUS Snoop Configuration Mode.
[context_name-service_name]
hostname(config-radius-server)#
IPSG service commands are defined in the IPSG RADIUS Snoop Configuration Mode Commands chapter or the IPSG RADIUS Server Configuration Mode Commands chapter.
Caution: A large number of services greatly increases the complexity of system management and may impact overall system performance (i.e., resulting from system handoffs). Do not configure a large number of services unless your application requires it. Contact your Cisco service representative for more information.
Important: IP Services Gateway functionality is a license-controlled feature. A valid feature license must be installed prior to configuring an IPSG service. If you have not previously purchased this feature, contact your sales representative for more information.
Specifies the priority of the access group. 0 is the highest priority. If priority_value is not specified the priority is set to 0.
priority_value must be an integer from 0 through 4294967295. Default: 0
ipv6 neighbor ipv6_address hardware_address
ipv6_address is the IP address of node to be added to the table.
hardware_address is the associated 48-bit MAC address.
Add the IPv6 address fe80::210:83ff:fef7:7a9d::/24 and associated 48-bit MAC address 0:10:83:f7:7a:9d to the table.
ipv6 pool name { 6to4 local-endpoint ipv4_address [ default-relay-router router_address ] | alert threshold | group-name name | policy { allow-static-allocation | dup-addr-detection} | prefix ip_address/len [ 6to4-tunnel local-endpoint ip_address | default-relay-router router_address ] | range start_address end_address | suppress-switchover-arps } [ private priority ] [ public priority ] [ shared priority ] [ static priority ] [ group-name name ]
alert threshold { 6to4 local-endpoint ipv4_address | alert threshold | group-available | group-name name | policy { allow-static-allocation | dup-addr-detection } | pool-free | pool-used | prefix | range start_address end_address }
• 6to4: Sets an alert based on the IPv6 Pool for an IPv6-to-IPv4 compatible address type.
• alert-threshold: Sets an alert based on the percentage free alert threshold for this group.
• group-available: Sets an alert based on the percentage free alert threshold for this group.
• group-name: Sets an alert based on the IPv6 Pool Group.
• pool-free: Sets an alert based on the percentage free alert threshold for this pool.
• pool-used: Sets an alert based on the percentage used alert threshold for this pool.
• prefix: Sets an alert based on the IPv6 Pool address prefix.
• range: Sets an alert based on the IPv6 address pool range of addresses.
• 6to4: IPv6 Pool for IPv6-to-IPv4 compatible address type
• policy: Configure an address allocation policy
• prefix: IPv6 Pool address prefix
• range: Configures IPv6 address pool to use a range of addresses
Specifies the beginning IPv4 address of the IPv4 address pool. ipv4_address must be specified using IPv4 dotted-decimal notation.
• 6to4: IPv6 Pool for IPv6-to-IPv4 compatible address type
• policy: Configure an address allocation policy
• prefix: IPv6 Pool address prefix
• range: Configures IPv6 address pool to use a range of addresses
This command is valid for IPv6 shared pools only (Sample syntax: ipv6 pool name prefix ip_address/len shared policy dup-addr-detection). When this policy is enabled, the IPv6 shared pool allows a prefix to be shared in different call sessions with different interface IDs for an IPv6 address. This allows the tracking of interface IDs per prefix and the detection of duplicated IDs.
• 6to4: IPv6 pool for IPv6-to-IPv4 compatible address type
• policy: Configure an address allocation policy
• prefix: IPv6 pool address prefix
• range: Configures IPv6 address pool to use a range of addresses
Specifies the beginning IPv6 address of the IPv6 address pool. ip_address/len must be specified using IPv6 colon-separated with CIDR notation.
range start_address end_address
start_address specifies the beginning of the range of addresses for the IPv6 pool. It must be specified using IPv6 colon-separated notation.
end_address specifies the end of the range of addresses for the IPv6 pool. It must be specified using IPv6 colon-separated notation.
• 6to4: IPv6 Pool for IPv6-to-IPv4 compatible address type
• policy: Configure an address allocation policy
• prefix: IPv6 Pool address prefix
• range: Configures IPv6 address pool to use a range of addresses
private priority | public priority | shared priority | static priority
private priority: Specifies that the address pool may only be used by mobile stations which have requested an IP address from a specified pool. When private pools are part of an IP pool group, they are used in a priority order according to the precedence setting.
priority must be an integer from 0 through 10 with 0 being the highest. The default is 0.
public priority: Specifies that the address pool is used in priority order for assigning IP addresses to mobile stations which have not requested a specific address pool.
priority must be an integer from 0 through 10 with 0 being the highest and with a default of 0.
shared priority: Specifies that the address pool may be used by more than one session at any time.
priority must be an integer from 0 through 10 with 0 being the highest and with a default of 0.
static priority: Specifies that the address pool is used for statically assigned mobile stations. Statically assigned mobile stations are those with a fixed IP address at all times.
priority must be an integer from 0 through 10 with 0 being the highest and with a default of 0.
[ no ] ipv6 route ipv6_address/prefix_length { interface name | next-hop ipv6_address interface name } [ cost cost ] [ precedence precedence ]
ipv6 route ipv6_address/prefix_length
ipv6_address/prefix_length must be specified using IPv6 colon-separated with CIDR notation.
Specifies the name of the interface on this system associated with the specified route or next-hop address. name must be an existing interface name on the system expressed as an alphanumeric string of 1 through 79 characters.
The following example configures a static route with IPv6 prefix/length 2001:0db8:3c4d:0015:0000:0000:abcd:ef12/24 to the next hop interface egress1:
This command is deprecated. Use ikev1 disable-phase1-rekey command to configure the parameters for Phase1 SA rekeying when ISAKMP lifetime expires for IKE v1 protocol.
This command is deprecated. Use ikev1 keepalive dpd command to configure ISAKMP IPSec Dead Peer Detection (DPD) message parameters for IKE v1 protocol.
This command is deprecated. Use ikev1 policy command to create/configure an ISAKMP policy with the specified priority for IKE v1 protocol.
Important: For details about the commands and parameters for this mode, check the IuPS Service Configuration Mode Commands chapter.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
To add a new LAC service named LAC1 and enter the LAC Service Configuration Mode, enter the following command:
Refer to the Lawful Intercept Configuration Guide for a description of this command.
Refer to the Lawful Intercept Configuration Guide for a description of this command.
Specifies the name of the LMA service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-lma-service)#
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
To add a new LNS service named LNS1 and enter the LNS Service Configuration Mode, enter the following commands:
[ no ] logging syslog ip_address [ event-verbosity { min | concise | full } ] [ facility facilities ] [ pdu-data { none | hex | hex-ascii } ] [ pdu-verbosity pdu_level ] [ rate value ]
• min: Displays minimal detail.
• concise: Displays summary detail.
• full: Displays full detail.
• none: Displays data in raw format.
• hex: Displays data in hexadecimal format.
• hex-ascii: Displays data in hexadecimal and ASCII format (similar to a main-frame dump).
value must be an integer from 0 through 100000. Default: 1000
Specifies the name of the MAG service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your Cisco service representative for more information.
[context_name]
hostname(config-mag-service)#
Important: For details about the commands and parameters, check the MAP Service Configuration Mode Commands chapter.
Specifies the name of the MME service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-mme-service)#
Caution: This is a critical configuration. The MME service cannot be configured without this configuration. Any change to this configuration would lead to restarting the MME service and removing or disabling this configuration will stop the MME service.
• multiple-dynamic-reg-per-nai: All FA services in the current context cannot simultaneously set up multiple dynamic home address registrations that have the same NAI.
• multiple-dynamic-reg-per-nai: Disables all FA services in the current context from simultaneously setting up multiple dynamic home address registrations that have the same NAI.
• accept: The new call is accepted and the existing call is dropped.
• reject: The new call is rejected with an Admin Prohibited code.
Important: A maximum of eight MIP HA assignment tables can be configured per context with a maximum of 8 MIP HA assignment tables across all contexts.
Important: A maximum of 256 non-overlapping hoa-ranges can be configured per MIP HA Assignment table with a maximum of 256 non-overlapping hoa-ranges across all MIP HA Assignment tables.
The following command creates a new MIP HA assignment table named MIPHAtable1 and enters MIP HA Assignment Table Configuration Mode without asking for confirmation from the user:
• duplicate-home-address: reject, which sets HA services to reject a new call that requests an IP address that is already assigned.
• duplicate-imsi-session: allow, which sets HA services to accept new calls that have the same IMSI as a call that is already active.
• accept: The new call is accepted and the existing call is dropped.
• reject: The new call is rejected with an Admin Prohibited code.
• allow: Allows multiple sessions for the same IMSI.
• disallow: If a mobile node already has an active session and a new session is requested using the same IMSI, the currently active session is dropped and the new session is accepted.
• global-disallow: Enables HA services in this context to accept a new session and disconnect any other session(s) having the same IMSI being processed in this context. In addition, a request is sent to all other contexts containing HA services to do the same.
Important: In order to ensure a single session per IMSI across all contexts containing HA services, the global-disallow option must be configured in every context.
Caution: This command should be enabled ONLY when all the BGP peering where VPNv4 routes are exchanged are one hop away.
Disables MPLS forwarding of IPv4 packets configured on the system. no mpls ip stops dynamic label distribution on all the interfaces irrespective of interface configuration.
Caution: This feature is not enabled by default.
Important: This command is not supported in this release. For more information please contact your Cisco account representative.
mseg_service_name must be the name of an MSEG service, and must be an alphanumeric string of 1 through 63 characters.
[context_name]
hostname(config-mseg-service)#
The following command creates an MSEG service named test, and enters the MSEG Service Configuration Mode:
nw-reachability server server_name [ interval seconds ] [ local-addr ip_addr ] [ num-retry num ] [ remote-addr ip_addr ] [ timeout seconds]
Important: Refer to the HA Configuration Mode command policy nw-reachability-fail to configure the action that should be taken when network reachability fails.
Important: Refer to the Subscriber Config Mode command nw-reachability-server to bind the network reachability to a specific subscriber.
Important: Refer to the nw-reachability server server_name keyword of the ip pool command in this chapter to bind the network reachability server to an IP pool.
To set a network device called InternetDevice with the IP address of 192.168.100.10 as the remote address that is pinged to determine network reachability and use the address 192.168.200.10 as the origination address of the ping packets sent, enter the following command:
Specifies the Access Point Name (APN) that is passed to the SGSN by the system. apn_name is an alphanumeric string of 1 through 63 characters that is case sensitive.
The following command enables support for network initiated PDP contexts for an MS with a static IP address of 20.13.5.40 from a pool configured in the destination context pdn1 with an IMSI of 3319784450 that uses an APN template called isp1:
The following command specifies that the system waits 120 seconds before allowing another network requested PDP context for an MS:
operator user_name [ encrypted ] password password [ ecs ] [ expiry-date date_time ] [ li-administration ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle timeout_duration ] [ timeout-min-idle idle_minutes ]
password is an alphanumeric string of 1 through 63 characters without encryption, or 1 through 127 with encryption.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
Refer to the Lawful Intercept Configuration Guide for a description of this parameter.
timeout-idle timeout_duration
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
no pcc-af-service service_name
Specifies the name of the PCC-AF service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name is an alphanumeric string of 1 through 63 characters.
Important: In the absence of an Rx interface, the media information is available in the PCC-AF Service statically.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-imsapp-service)#
Caution: This is a critical configuration. The PCC-AF service cannot be configured without this configuration. Any change to this configuration would lead to restarting the PCC-AF service and removing or disabling this configuration will stop the PCC-AF service.
no pcc-policy-service service_name
Specifies the name of the PCC-Policy service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-pccpolicy-service)#
The commands available in this mode are defined in the PCC-Policy Service Configuration Mode Commands chapter.
Caution: This is a critical configuration. The PCC-Policy service cannot be configured without this configuration. Any change to this configuration would lead to restarting the PCC-Policy service and removing or disabling this configuration will stop the PCC-Policy service.
no pcc-service service_name
Specifies the name of the PCC service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-pcc-service)#
Caution: This is a critical configuration. The PCC service cannot be configured without this configuration. Any change to this configuration would lead to restarting the Policy and Charging Control service and removing or disabling this configuration will stop the PCC service.
no pcc-sp-endpoint sp_intfc1
Specifies the name of the PCC Sp interface endpoint. If sp_intfc_endpoint does not refer to an existing endpoint, the new endpoint is created if resources allow.
sp_intfc_endpoint is an alphanumeric string of 1 through 63 characters.
[context_name]
hostname(config-spendpoint)#
Caution: This is a critical configuration. The PCC Sp endpoint cannot be configured without this configuration. Any change to this configuration would lead to resetting the PCC Sp interface, and removing or disabling this configuration also disables the PCC Sp interface.
The following command configures a PDG service named pdg_service_1 and enters the PDG Service Configuration Mode:
[context_name]
hostname(config-pdif-service)#
The following command configures a PDIF service called pdif2 and enters the PDIF Service Configuration Mode:
Specifies the name of the PDSN service to configure. If name does not refer to an existing service, the new service is created if resources allow.
name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your Cisco service representative for more information.
The following command will remove sampleService as being a defined PDSN service.
Specifies the name of the P-GW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-pgw-service)#
• source_ip_address: Specifies the IP address of the source for sending Pilot Packets.
[context_name]
hostname(config-accounting-policy)#
The following command configures a policy map named policy1 in which other flow treatments are configured:
ppp { acfc { receive { allow | deny } | transmit { apply | ignore | reject } } | auth-retry suppress-aaa-auth | chap fixed-challenge-length length | dormant send-lcp-terminate | echo-max-retransmissions num_retries | echo-retransmit-timeout msec | first-lcp-retransmit-timeout milliseconds | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay delay | lcp-terminate connect-state | lcp-terminate mip-lifetime-expiry | lcp-terminate mip-revocation | max-authentication-attempts num | max-configuration-nak num | max-retransmissions number | max-terminate number | mru packet_size | negotiate default-value-options | peer-authentication user_name [ [ encrypted ] password password ] | pfc { receive { allow | deny } | transmit { apply | ignore | reject } } | reject-peer-authentication | renegotiation retain-ip-address | retransmit-timeout milliseconds }
no ppp { auth-retry suppress-aaa-auth | chap fixed-challenge-length | dormant send-lcp-terminate | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay | lcp-terminate connect-state | lcp-terminate mip-lifetime-expiry | lcp-terminate mip-revocation | negotiate default-value-options | reject-peer-authentication | renegotiation retain-ip-address }
For no ppp renegotiation retain-ip-address the initially allocated IP address will be released and a new IP address will be allocated during PPP renegotiation.
Default: no auth-retry suppress-aaa-auth
Important: This option is not supported in conjunction with the GGSN product.
milliseconds must be an integer from 100 through 5000. Default: 3000
Important: This option is not supported in conjunction with the GGSN product.
Specifies the maximum packet size that can be received in bytes. packet_size must be an integer from 128 through 1500. Default: 1500
When negotiate default-value-options is enabled, configuration options with default values are included in the PPP configuration Requests.
peer-authenticate user_name [ [ encrypted ] password password ]
Specifies the user name and an optional password required for point-to-point protocol peer connection authentications. user_name is an alphanumeric string of 1 through 63 characters. The keyword password is optional and, if specified, password is an alphanumeric string of 1 through 63 characters. The password specified must be in an encrypted format if the optional keyword encrypted was specified.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
When apply is specified, if the peer requests PFC, it is accepted and PFC is applied for transmitted PPP packets. When ignore is specified, if the peer requests PFC, it is accepted but PFC is not applied for transmitted packets. When reject is specified, all requests for PFC from the peer are rejected.
Caution: This command alters the way that some PPP statistics are calculated. Please consult your designated service representative before using this command.
Important: HA Proxy DNS Intercept is a license-enabled feature.
The following command creates a proxy DNS rules list named list1 and places the CLI in the HA Proxy DNS Configuration Mode:
radius accounting { archive [ stop-only ] | deadtime dead_minutes | detect-dead-server { consecutive-failures consecutive_failures | keepalive | response-timeout timeout_duration } | interim interval seconds | max-outstanding max_messages | max-pdu-size octets | max-retries max_retries | max-transmissions max_transmissions | timeout timeout_duration | unestablished-sessions }
stop-only specifies archiving of STOP accounting messages only.
dead_minutes must be an integer from 0 through 65535.
detect-dead-server { consecutive-failures consecutive_failures | keepalive | response-timeout timeout_duration }
• consecutive-failures consecutive_failures: Specifies the number of consecutive failures, for each AAA manager, before a server is marked as unreachable.
  consecutive_failures must be an integer from 0 through 1000.
• keepalive: Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers.
• response-timeout timeout_duration: Specifies the number of seconds for each AAA manager to wait for a response to any message before a server is detected as failed, or in a down state.
  timeout_duration must be an integer from 1 through 65535.
Important: If both consecutive-failures and response-timeout are configured, then both parameters have to be met before a server is considered unreachable, or dead.
Important: If RADIUS is used as the accounting protocol for the GGSN product, other commands are used to trigger periodic accounting updates. However, these commands would cause RADIUS STOP/START packets to be sent as opposed to INTERIM-UPDATE packets. Also note that accounting interim interval settings received from a RADIUS server take precedence over those configured on the system.
max-transmissions max_transmissions
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. The full set of accounting data is sent to each of the n AAA servers. Response from any one of the servers would suffice to proceed with the call. On receiving an ACK from any one of the servers, all retries are stopped.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128. Default: 1 (Disabled)
Important: This is a customer-specific keyword and needs a customer-specific license to use this feature. For more information on GGSN preservation mode, refer to the GGSN Service Configuration Mode Commands chapter.
downlink bytes uplink bytes
Individual subscribers can be associated with remote IP address lists through the configuration/specification of an attribute in their local or RADIUS profile. (Refer to the radius accounting command in the Subscriber Configuration mode.) When configured/specified, accounting data is collected pertaining to the subscriber’s communication with any of the remote addresses specified in the list.
interval interval_duration
• immediate: Indicates that accounting STOP should be generated immediately on handoff, that is, without waiting for the active-stop from the old PCF.
• wait-active-stop: Indicates that accounting STOP is generated only when the active-stop is received from the old PCF when a handoff occurs.
Default: wait-active-stop
minute must be an integer from 0 through 59.
hour must be an integer from 0 through 23.
• active-handoff: Disables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF Handoff occurs. Instead, two R-P events occur (one for the Connection Setup, and the second for the Active-Start). Default: Disabled
• active-start-param-change: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change. Default: Enabled
• active-stop: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF. Default: Disabled
Important: This keyword has been obsoleted by the trigger-policy keyword. Note that if this command is used and the context configuration is displayed, the RADIUS accounting RP configuration is represented in terms of the trigger-policy.
Default: airlink-usage: Disabled
• airlink-usage [ counter-rollover ]: Designates the use of Airlink-Usage RADIUS accounting policy for R-P, which generates a start on Active-Starts, and a stop on Active-Stops.
  If the counter-rollover option is enabled, the system generates a STOP/START pair before input/output data octet counts (or input/output data packet counts) become larger than (2^32 - 1) in value. This setting is used to guarantee that a 32-bit octet count in any STOP message has not wrapped to larger than 2^32, thus ensuring the accuracy of the count. The system may send the STOP/START pair at any time, so long as it does so before the 32-bit counter has wrapped. Note that a STOP/START pair is never generated unless the subscriber RP session is in the Active state, since octet/packet counts are not accumulated in the Dormant state.
• custom: Specifies the use of custom RADIUS accounting policy for R-P. The custom policy can consist of the following:
  • active-handoff: Enables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF Handoff occurs. Normally two R-P events will occur (one for the Connection Setup, and the second for the Active-Start).
  • active-start-param-change: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
    Important: Note that a custom trigger policy with only active-start-param-change enabled is identical to the standard trigger-policy.
  • active-stop: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
  Important: If the radius accounting rp trigger-policy custom command is executed without any of the optional keywords, all custom options are disabled.
• standard: Specifies the use of Standard RADIUS accounting policy for R-P in accordance with IS-835B.
radius [ mediation-device ] accounting server ip_address [ encrypted ] key value [ acct-on { enable | disable } ] [ acct-off { enable | disable } ] [ max max_messages ] [ oldports ] [ port port_number ] [ priority priority ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
Important: If this option is not used, the system by default enables standard AAA transactions.
ip_address must be specified in IPv4 dotted-decimal or IPv6 colon-separated notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.
In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
priority must be an integer from 1 through 1000, where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
• standard: Use standard AAA transactions.
Important: Please note that this command is applicable ONLY to CDMA products. To configure this functionality in UMTS/LTE products (GGSN/P-GW), use the command mediation-device delay-GTP-response in APN Configuration mode.
Specifies the AAA interface IP address(es) to be used to identify the system. Up to two addresses can be configured. primary_address is the IP address of the primary interface to use in the current context in IPv4 dotted-decimal or IPv6 colon-separated notation.
mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]
• in_label_value is the MPLS label that identifies inbound traffic destined for the configured NAS IP address.
• out_label_value1 and out_label_value2 identify the MPLS labels to be added to the packets sent from the specified NAS IP address.
Important: This option is available only when nexthop-forwarding gateway is also configured with the nexthop-forwarding-address keyword.
radius change-authorize-nas-ip ip_address [ encrypted ] key value [ port port ] [ event-timestamp-window window ] [ no-nas-identification-check ] [ no-reverse-path-forward-check ] [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] ]
ip_address can be expressed in IPv4 dotted-decimal or IPv6 colon-separated notation.
In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.
In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
window must be an integer from 0 through 4294967295. If window is specified as 0 (zero), this feature is disabled; the event-time-stamp attribute in COA or DM messages is ignored and the event-time-stamp attribute is not included in NAK or ACK messages. Default: 300
mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]
• in_label_value is the MPLS label that identifies inbound COA traffic.
• out_label_value1 and out_label_value2 identify the MPLS labels to be added to the COA response.
• 3GPP-IMSI: The subscriber’s IMSI. It may include the 3GPP-NSAPI attribute to delete a single PDP context rather than all of the PDP contexts of the subscriber when used with the GGSN product.
Important: For the GGSN product, the value for Acct-Session-Id that is mandated by 3GPP is used instead of the special value for Acct-Session-Id that we use in the RADIUS messages we exchange with a RADIUS accounting server.
Important: When this command is used in conjunction with the GGSN, CoA functionality is not supported.
The following command specifies the IP address 192.168.100.10 as the NAS IP address, a key value of 123456 and uses the default port of 3799:
radius charging { deadtime dead_minutes | detect-dead-server { consecutive-failures consecutive_failures | response-timeout timeout_duration } | max-outstanding max_messages | max-retries max_retries | max-transmissions transmissions | timeout timeout_duration }
dead_minutes must be an integer from 0 through 65535.
detect-dead-server { consecutive-failures consecutive_failures | response-timeout timeout_duration }
consecutive-failures consecutive_failures: Default: 4. Specifies the number of consecutive failures, for each AAA manager, before a server is marked as unreachable.
consecutive_failures must be an integer from 0 through 1000.
response-timeout timeout_duration: Specifies the number of seconds for each AAA manager to wait for a response to any message before a server is detected as failed, or in a down state.
timeout_duration must be an integer from 1 through 65535.
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. Response from any one of the n AAA servers would suffice to proceed with the call. The full set of accounting data is sent to each of the n AAA servers.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128. Default: 1 (Disabled)
radius charging accounting server ip_address [ encrypted ] key key [ max max_messages ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.
In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
radius charging server ip_address [ encrypted ] key key [ max max_messages ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.
In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
Important: This parameter should be set to allow enough time to remedy the issue that originally caused the server’s state to be changed to “Down”. After the deadtime timer expires, the system returns the server’s state to “Active” regardless of whether or not the issue has been fixed.
Important: For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior appendix in the AAA and GTPP Interface Administration and Reference.
consecutive-failures consecutive_failures_count
consecutive_failures_count must be an integer from 1 through 1000. Default: Enabled; 4 consecutive failures
response-timeout timeout_duration
timeout_duration must be an integer from 1 through 65535. Default: Disabled
Important: If both consecutive-failures and response-timeout are configured, then both parameters must be met before a server’s state is changed to “Down”.
Important: The “Active” or “Down” state of a RADIUS server as defined by the system is based on accessibility and connectivity. For example, if the server is functional but the system has placed it into a “Down” state, it could be the result of a connectivity problem. When a RADIUS server’s state is changed to “Down”, a trap is sent to the management station and the deadtime timer is started.
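A simplified model of the Active/Down behaviour described above, added here as an example and not the system's implementation: both detect-dead-server conditions must hold before the server goes Down, and the deadtime timer returns it to Active with no check that it recovered. The class names, the 10-minute deadtime and the reading of response-timeout as seconds since the oldest unanswered request are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeadServerPolicy:
    """Hypothetical container for the detect-dead-server and deadtime settings."""
    consecutive_failures: Optional[int] = 4  # page default: enabled, 4 failures
    response_timeout: Optional[int] = None   # seconds; page default: disabled
    deadtime_minutes: int = 10               # assumed value (a deadtime of 0 is not modelled)


class RadiusServerState:
    """Tracks one RADIUS server as seen by one AAA manager (simplified)."""

    def __init__(self, policy: DeadServerPolicy):
        self.policy = policy
        self.state = "Active"
        self.failures = 0
        self.waiting_since = None  # time of the oldest unanswered request
        self.down_at = None
        self.traps = []            # times at which a "Down" trap would be sent

    def _expire_deadtime(self, now: int) -> None:
        # When the deadtime timer expires the server is Active again,
        # whether or not the original problem was fixed.
        if self.state == "Down" and now - self.down_at >= self.policy.deadtime_minutes * 60:
            self.state = "Active"
            self.failures = 0
            self.waiting_since = None

    def state_at(self, now: int) -> str:
        self._expire_deadtime(now)
        return self.state

    def on_response(self, now: int) -> str:
        self._expire_deadtime(now)
        self.failures = 0
        self.waiting_since = None
        return self.state

    def on_no_response(self, now: int) -> str:
        """Record that a request went unanswered, observed at time `now`."""
        self._expire_deadtime(now)
        if self.state == "Down":
            return self.state
        self.failures += 1
        if self.waiting_since is None:
            self.waiting_since = now

        # Every configured condition must be met before the state changes.
        checks = []
        if self.policy.consecutive_failures is not None:
            checks.append(self.failures >= self.policy.consecutive_failures)
        if self.policy.response_timeout is not None:
            checks.append(now - self.waiting_since >= self.policy.response_timeout)
        if checks and all(checks):
            self.state = "Down"
            self.down_at = now
            self.traps.append(now)
        return self.state


if __name__ == "__main__":
    server = RadiusServerState(DeadServerPolicy(4, 30, 10))
    for t in (0, 5, 10, 15, 30):  # constructed timeline, seconds
        print(t, server.on_no_response(t))
    print(629, server.state_at(629))
    print(630, server.state_at(630))  # Active again although nothing answered
```

For monitoring, the point of the last two lines is that a "Down" trap followed by silence does not mean the server recovered; the next trap arrives only after the failure conditions are met again.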
dictionary must be one of the following values:
XX is the integer of the custom dictionary.
NOTE: RADIUS dictionary custom23 should be used in conjunction with Active Charging Service (ACS).
Important: In 12.0 and later releases, no new attributes can be added to the starent-vsa1 dictionary. If there are any new attributes to be added, these can only be added to the starent dictionary. For more information, please contact your Cisco account representative.
Specifies the name of a pre-configured VRF context instance. vrf_name is the alphanumeric string of a pre-configured VRF context configured in Context Configuration Mode via the ip vrf command.
Caution: Any incorrect configuration, such as associating an AAA group with the wrong VRF instance or removing a VRF instance, will cause RADIUS communication to fail.
radius keepalive [ calling-station-id id | consecutive-response responses_no_of | encrypted | interval interval_duration | password | retries retries_no_of | timeout timeout_duration | username user_name | valid-response access-accept [ access-reject ] ]
Configures the Calling-Station ID to be used for the keepalive authentication. id must be an alphanumeric string of 1 through 15 characters. Default: 000000000000000
In 12.1 and earlier releases, password must be an alphanumeric string of 1 through 63 characters.
In 12.2 and later releases, password must be an alphanumeric string of 1 through 132 characters.
interval interval_duration
If access-reject is configured, then both access-accept and access-reject are considered as success for the keepalive authentication request.
If access-reject is not configured, then only access-accept is considered as success for the keepalive access request.
Default: keepalive valid-response access-accept
Specifies the maximum number of re-transmissions for RADIUS authentication requests. This limit is used in conjunction with radius max-retries configuration for each server.
max_transmissions must be an integer from 1 through 65535. Default: Disabled
See the radius accounting server command.
The following command configures the service ip-address 21.32.36.25 to be sent as an AVP in RADIUS authentication probe messages:
radius server ip_address [ encrypted ] key value [ max max_messages ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ probe | no-probe ] [ probe-username user_name ] [ probe-password [ encrypted ] password password ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.
In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
priority must be an integer from 1 through 1000 where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
encrypted: This keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
password password: Specifies the probe-user password for authentication.
password must be an alphanumeric string of 1 through 63 characters.
mediation-device: Specifies mediation-device specific AAA transactions. This device is available if you purchased a transaction control services license. Contact your local sales representative for licensing information.
standard: Specifies standard AAA transactions. (Default)
ip network_parameter ip_address wildcard_mask
• any: Matches any network address.
• host network_address: Match the specified network address exactly. network_address must be an IPv4 address specified in dotted-decimal notation.
• any: Match any network mask.
• host mask_address: Match the specified mask address exactly. mask_address must be an IPv4 address specified in dotted-decimal notation.
Use the following command to create a route access list named list27 that permits routes that match 192.168.1.0/24 exactly:
Specifies the IP address and subnet mask to match for routes. Both ip_address and wildcard_mask must be entered in IPv4 dotted-decimal notation. (For example, 192.168.100.0 255.255.255.0)
route-map map_name { deny | permit } seq_number
Enables BGP, Open Shortest Path First (OSPF) or OSPF version 3 (OSPFv3) routing functionality and enters the corresponding Configuration Mode. Refer to the BGP Configuration Mode Commands, OSPF Configuration Mode Commands or OSPFv3 Configuration Mode Commands chapter for details on associated Configuration mode commands.
[ no ] router { bgp as_number | ospf | ospfv3 }
Important: BGP routing is supported only for use with the HA.
Important: You must obtain and install a valid license key to use these features. Refer to the System Administration Guide for details on obtaining and installing feature use license keys.
Important: The FTPD server can only be configured in the local context.
Important: The SSHD server allows only three unsuccessful login attempts before closing a login session attempt.
Important: The TELNET server allows only three unsuccessful login attempts before closing a login session attempt.
Important: The TFTPD server can only be configured in the local context.
This option only works with the ftpd, sshd, telnetd, and tftpd commands.
[context_name]
hostname(config-event)#
Important: For details about the commands and parameters, check the SGSN Service Configuration Mode chapter.
The following command removes the sgsn service named sgsn1 from the configuration for the current context:
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-sgs-service)#
The following command removes the SGS service named sgs1 from the configuration for the current context:
The following command removes the sgsn service named sgtp1 from the configuration for the current context:
Specifies the name of the S-GW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name is an alphanumeric string of 1 through 63 characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.
[context_name]
hostname(config-sgw-service)#
ssh key data length octets
Sets the public/private key pair to be used by the system where data is the encrypted key and length is the length of the encrypted key in octets.
data must be an alphanumeric string of 1 through 1023 characters and octets must be a value in the range of 0 through 65535.
• v1-rsa: SSH v1 RSA host key only
• v2-rsa: SSH v2 RSA host key only
• v2-dsa: SSH v2 DSA host key only
Important: For maximum security, it is recommended that only SSH v2 be used. v2-rsa is the recommended key type.
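A configuration-review check for the points the radius server, radius change-authorize-nas-ip and ssh key descriptions above make about clear-text keys, same-priority servers, a zero event-timestamp-window and SSH v1 host keys, as an added example that is not Cisco's code. The rule names, the sample lines and the position of the type keyword on the ssh line are assumptions, and the two no-*-check options are flagged on the strength of their names only.

```python
from collections import defaultdict

# Constructed sample of a hand-written configuration script (not from the
# page). Addresses and key strings are made up; the position of the "type"
# keyword on the ssh line is an assumption.
SAMPLE_CONFIG = """\
radius server 192.168.100.20 key s3cret priority 1
radius server 192.168.100.21 encrypted key 01abcdef priority 1 -noconfirm
radius accounting server 192.168.100.22 encrypted key 02abcdef priority 1
radius change-authorize-nas-ip 192.168.100.10 key 123456 event-timestamp-window 0 no-reverse-path-forward-check
ssh key 0a1b2c3d length 8 type v1-rsa
"""

COA_CHECK_FLAGS = ("no-nas-identification-check", "no-reverse-path-forward-check")


def value_after(tokens, keyword):
    """Return the token that follows `keyword`, or None if it is absent."""
    if keyword in tokens[:-1]:
        return tokens[tokens.index(keyword) + 1]
    return None


def lint(config_text):
    """Return sorted (line_no, rule, detail) findings for a config script."""
    findings = []
    priorities = defaultdict(list)  # (server command, priority) -> line numbers

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue

        if tokens[0] == "radius":
            # A key/password value is clear text unless the "encrypted" flag
            # precedes the keyword. The secret itself is never echoed.
            for i in range(1, len(tokens) - 1):
                if tokens[i] in ("key", "password") and tokens[i - 1] != "encrypted":
                    findings.append((line_no, "PLAINTEXT_SECRET",
                                     f"'{tokens[i]}' value is not in encrypted form"))

            # Track priorities per server command to spot -noconfirm duplicates.
            priority = value_after(tokens, "priority")
            if "server" in tokens and priority is not None:
                command = " ".join(tokens[:tokens.index("server") + 1])
                priorities[(command, priority)].append(line_no)

            if tokens[1:2] == ["change-authorize-nas-ip"]:
                # A window of 0 disables the feature: the event-time-stamp
                # attribute in COA or DM messages is ignored.
                if value_after(tokens, "event-timestamp-window") == "0":
                    findings.append((line_no, "COA_TIMESTAMP_CHECK_OFF",
                                     "event-timestamp-window 0"))
                for flag in COA_CHECK_FLAGS:
                    if flag in tokens:
                        findings.append((line_no, "COA_CHECK_DISABLED", flag))

        elif tokens[0] == "ssh" and "v1-rsa" in tokens:
            findings.append((line_no, "SSH_V1_HOST_KEY",
                             "only SSH v2 is recommended; v2-rsa is the recommended type"))

    for (command, priority), lines in priorities.items():
        if len(lines) > 1:
            findings.append((lines[-1], "DUPLICATE_PRIORITY",
                             f"{command} priority {priority} on lines {lines}"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, rule, detail in lint(SAMPLE_CONFIG):
        print(f"line {line_no}: {rule}: {detail}")
```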
[context_name]
hostname(cfg-ctx-ssl-subscriber-template)#
The following command specifies the SSL template ssl_template_1 and enters the SSL Template Configuration Mode:
default: Enters the Subscriber Configuration Mode for the context’s default subscriber settings.
name user_name: Specifies the user which is to be allowed to use the services of the current context.
user_name must be an alphanumeric string of 1 through 127 characters.
asn-service-info mobility: Indicates the type of mobility supported and enabled in the Autonomous System Number (ASN).
Important: A maximum of 128 subscribers and/or administrative users may be locally configured per context.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
• Enter Condition: Actual IP address utilization percentage per pool group < Low Threshold
• Clear Condition: Actual IP address utilization percentage per pool group > High Threshold
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter Condition: Actual number of calls setup per second > High Threshold
The following command configures a number of calls setup per second threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
• Enter Condition: Actual percentage of IP addresses free per pool < Low Threshold
• Clear Condition: Actual percentage of IP addresses free per pool > High Threshold
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter Condition: Actual percentage of IP addresses on hold per pool > High Threshold
• Clear Condition: Actual percentage of IP addresses on hold per pool < Low Threshold
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
• Enter Condition: Actual percentage of IP addresses in the release state per pool > High Threshold
• Clear Condition: Actual percentage of IP addresses in the release state per pool < Low Threshold
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.
• Enter Condition: Actual percentage of IP addresses used per pool > High Threshold
• Clear Condition: Actual percentage of IP addresses used per pool < Low Threshold
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.
Refer to the threshold available-ip-pool-group command, the threshold ip-pool-x commands and the alert-threshold keyword of the ip pool command for additional information on these values.
• SNMP traps: SNMP traps have been created that indicate the condition (high threshold crossing and/or clear) of each of the monitored values. Complete descriptions and other information pertaining to these traps are located in the starentMIB(8164).starentTraps(2) section of the SNMP MIB Reference.
• Logs: The system provides a facility called threshold for which active and event logs can be generated. Log messages pertaining to the condition of a monitored value are generated with a severity level of WARNING.
• Alarm System: High threshold alarms generated within the specified polling interval are considered “outstanding” until the condition no longer exists and/or a condition clear alarm is generated.
Refer to the threshold poll command in Global Configuration Mode Commands for information on configuring the polling interval over which IP address pool utilization is monitored.
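The enter and clear conditions listed above for the Alarm model amount to a two-threshold state machine evaluated once per polling interval. The following Python sketch is an added illustration, not code from the product or its documentation; the class, field and function names are hypothetical, the sample values are constructed, and the strings "alarm" and "clear" stand in for the trap or log the system would generate.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AlarmThreshold:
    """One monitored value under the Alarm model (names are hypothetical)."""
    enter_at: float                    # threshold whose crossing raises the alarm
    clear_at: Optional[float] = None   # unset: assumed identical to enter_at
    rising: bool = True                # True: enter on value > high (used, hold,
                                       # release, call setups); False: enter on
                                       # value < low (free / available addresses)
    outstanding: bool = False          # alarm raised and not yet cleared

    def __post_init__(self) -> None:
        if self.clear_at is None:
            self.clear_at = self.enter_at
        ok = (self.clear_at <= self.enter_at if self.rising
              else self.clear_at >= self.enter_at)
        if not ok:
            raise ValueError("clear threshold is on the wrong side of enter threshold")

    def poll(self, value: float) -> Optional[str]:
        """Evaluate one polling-interval sample; return 'alarm', 'clear' or None."""
        if self.rising:
            enter, clear = value > self.enter_at, value < self.clear_at
        else:
            enter, clear = value < self.enter_at, value > self.clear_at
        if not self.outstanding and enter:
            self.outstanding = True
            return "alarm"
        if self.outstanding and clear:
            self.outstanding = False
            return "clear"
        return None   # no change: still quiet, or alarm still outstanding


def events(threshold: AlarmThreshold, samples: List[float]) -> List[Optional[str]]:
    """Feed successive polling-interval samples and collect the notifications."""
    return [threshold.poll(v) for v in samples]


# Constructed samples: call setups per second, one value per polling interval.
SAMPLES = [400, 1100, 900, 600, 450, 700, 1200]

if __name__ == "__main__":
    print(events(AlarmThreshold(1000, 500), SAMPLES))   # high 1000, low 500
    print(events(AlarmThreshold(1000), SAMPLES))        # low unset, equals high
    print(events(AlarmThreshold(10, 20, rising=False), [25, 9, 15, 21]))  # % free
```

With the low threshold left unset, the alarm clears as soon as the value drops back under 1000, so a value hovering near the high threshold produces an alarm and clear pair on consecutive intervals; a distinct low threshold keeps the alarm outstanding until the value has genuinely recovered.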
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter Condition: Actual number of calls setup per second > High Threshold
The following command configures a number of calls setup per second threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model: