a11-signalling-packets ip-header-dscp ip-header-dscp
no a11-signalling-packets ip-header-dscp
default a11-signalling-packets ip-header-dscp
aaa { accounting [ roaming ] | group string }
no aaa { accounting | group }
accounting: Enables the sending of AAA accounting information for subscriber sessions by the Home Agent (HA). This is enabled by default.
roaming: Enables the sending of AAA accounting information for subscriber sessions by the Home Agent (HA) only for roaming subscribers.
group string: Configures the AAA group for the HA service. The group configured here has lower priority than the subscriber/APN configuration. string must be an alphanumeric string of 1 through 63 characters.
Important: In order for this command to function properly, AAA accounting must be enabled for the context in which the HA service is configured using the aaa accounting subscriber radius command.
access-network accounting identifier access_network_accounting_identifier
no access-network accounting identifier
associate qci-qos-mapping string
no associate qci-qos-mapping
string is an alphanumeric string of 1 through 63 characters.
default authentication { aaa-distributed-mip-keys | dmu-refresh-key | imsi-auth | mn-aaa | mn-ha | pmip-auth | stale-key-disconnect }
aaa-distributed-mip-keys { disabled | optional | required }
disabled: Disables using AAA distributed WiMAX Mobile IP (MIP) keys for authenticating MIP RRQ.
optional: Uses AAA distributed WiMAX MIP keys for authenticating RRQ, with a fallback option to use static/3GPP2-based MIP keys.
required: AAA distributed WiMAX MIP keys for authenticating MIP RRQ are mandatory.
mn-aaa { allow-noauth | always | dereg-noauth | noauth | renew-reg-noauth | renew-and-dereg-noauth }
allow-noauth: Specifies that the HA service does not require authentication for every mobile node registration request. However, if the mn-aaa extension is received, the HA service will authenticate it.
always: Specifies that the HA service will perform authentication each time a mobile node registers.
dereg-noauth: Disables authentication request upon de-registration.
noauth: Specifies that the HA service will not look for mn-aaa extension and will not authenticate it.
renew-reg-noauth: Specifies that the HA service will not perform authentication for mobile node re-registrations. Initial registration and de-registration will be handled normally.
renew-and-dereg-noauth: Disables authentication request upon re-registration and de-registration.
mn-ha { allow-noauth | always }
allow-noauth: Allows a request that does not contain the auth extension.
always: A request should always contain the auth extension to be accepted.
The authentication command, combined with a keyword, can be used to specify how the system will perform authentication of registration request messages.
count can be configured to an integer from 0 through 4000000.
When configuring the max-subscribers option, be sure to consider the following:
Important: The maximum number of subscribers supported is dependent on the license key installed and the number of active packet processing cards installed in the system.
Use the no bind address command to delete a previously configured binding.
The following command would bind the logical IP interface with the address of 192.168.3.1 to the HA service and specifies that a maximum of 600 simultaneous subscriber sessions can be facilitated by the interface/service at any given time.
[ no ] encapsulation allow { gre | keyless-gre }
fa-ha-spi remote-address { fa_ip_address | fa_ip_address_mask } spi-number number { encrypted secret enc_secret | secret secret } [ allow-fa-ha-auth-extension ] [ description string ] [ disallow-fa-ha-auth-extension ] [ hash-algorithm { hmac-md5 | md5 | rfc2002-md5 } ] [ replay-protection { nonce | timestamp [ timestamp-tolerance tolerance ] } ] [ timestamp-tolerance tolerance ]
no fa-ha-spi remote-address { ha_ip_address | ha_ip_address/mask } spi-number number
remote-address { fa_ip_address | fa_ip_address/mask }
Specifies the IP address of the FA. fa_ip_address is entered using IPv4 dotted-decimal notation with CIDR for the subnet mask.
Important: The system supports unlimited peer FA addresses per HA but only maintains statistics for a maximum of 8,192 peer FAs. If more than 8,192 FAs are attached, older statistics are overwritten.
number is an integer value from 256 through 4294967295.
encrypted secret enc_secret | secret secret
encrypted secret enc_secret: Specifies the encrypted shared key between the HA service and the FA.
enc_secret must be an alphanumeric string of 1 through 236 characters that is case sensitive.
secret secret: Specifies the shared key between the HA service and the FA.
secret must be an alphanumeric string of 1 through 236 characters that is case sensitive.
This is a description for the SPI. string must be an alphanumeric string of 0 through 31 characters.
hash-algorithm { hmac-md5 | md5 | rfc2002-md5 }
hmac-md5: Configures the hash-algorithm to implement HMAC-MD5 per RFC 2002bis.
md5: Configures the hash-algorithm to implement MD5 per RFC 1321.
rfc2002-md5: Configures the hash-algorithm to implement keyed-MD5 per RFC 2002.
replay-protection { timestamp [timestamp-tolerance tolerance ]| nonce }
nonce: Configures replay protection to be implemented using NONCE per RFC 2002.
timestamp: Configures replay protection to be implemented using timestamps per RFC 2002.
timestamp-tolerance: Specifies the allowable difference (tolerance) in timestamps that is acceptable. If the difference is exceeded, then the session will be rejected.
tolerance is measured in seconds and can be configured to an integer from 1 through 65535. The default is 60.
Important: The SPI configuration on the HA must match the SPI configuration for the FA service on the system in order for the two devices to communicate properly.
Use the no version of this command to delete a previously configured SPI.
The following command configures the FA service to use an SPI of 512 when communicating with an HA with the IP address 192.168.0.2. The key that would be shared between the HA and the FA service is q397F65. When communicating with this HA, the FA service will also be configured to use the rfc2002-md5 hash-algorithm.
gre { checksum | checksum-verify | reorder-timeout timeout | sequence-mode { none | reorder } | sequence-numbers }
default gre { checksum | checksum-verify | reorder-timeout | sequence-mode | sequence-numbers }
no gre { checksum | checksum-verify | sequence-numbers }
sequence-mode { none | reorder }
none: Disables reordering of incoming out-of-sequence GRE packets.
reorder: Enables reordering of incoming out-of-sequence GRE packets.
ikev1 { aaa-context aaa_context_string | peer-fa IPAddress crypto-map crypto_map_string [ encrypted ] [ secret secret_string ] | skew-lifetime seconds }
no ikev1 { aaa-context | peer-fa IPAddress | skew-lifetime }
aaa-context aaa_context_string
aaa_context_string is an alphanumeric string of 1 through 63 characters.
IPAddress is IP address entered using IPv4 dotted-decimal or IPv6 colon-separated notation.
crypto-map crypto_map_string
crypto_map_string is an alphanumeric string of 1 through 63 characters.
encrypted: Designates use of encryption.
secret secret_string: Uses a secret that is shared between the FA and the HA.
secret_string is an alphanumeric string of 1 through 256 characters.
Configures the “S” lifetime Skew (in seconds). seconds is an integer from 1 through 65534. Default is 10.
number is an integer from 1 through 65535. Default is 434.
The following command specifies a UDP port of 3950 for the HA service to use to communicate with the HA on the Pi interface:
Specifies the logical name of the IP address pool. name must be an alphanumeric string of 1 through 31 characters.
mn-ha-spi spi-number number [ description string ] [ encrypted secret enc_secret ] [ hash-algorithm { hmac-md5 | md5 | rfc2002-md5 } ] [ permit-any-hash-algorithm ] [ replay-protection { nonce | timestamp } ] [ secret secret ] [ timestamp-tolerance tolerance ]
no mn-ha-spi spi-number number
This is a description for the SPI. string is an alphanumeric string of 1 through 31 characters.
encrypted secret enc_secret | secret secret
encrypted secret enc_secret: Specifies the encrypted shared key between the HA service and the mobile node.
enc_secret must be an alphanumeric string of 1 through 254 characters that is case sensitive.
secret secret: Specifies the shared key between the HA service and the mobile node.
secret must be an alphanumeric string of 1 through 127 characters that is case sensitive.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret key. Only the encrypted secret key is saved as part of the configuration file.
hash-algorithm { hmac-md5 | md5 | rfc2002-md5 }
hmac-md5: Configures the hash-algorithm to implement HMAC-MD5 per RFC 2002bis.
md5: Configures the hash-algorithm to implement MD5 per RFC 1321.
rfc2002-md5: Configures the hash-algorithm to implement keyed-MD5 per RFC 2002.
replay-protection { nonce | timestamp }
nonce: Configures replay protection to be implemented using NONCE per RFC 2002.
timestamp: Configures replay protection to be implemented using timestamps per RFC 2002.
Use the no version of this command to delete a previously configured SPI.
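The fa-ha-spi and mn-ha-spi commands above both configure an SPI, a shared secret, a hash-algorithm and a replay-protection mode; the following Python is an added example (not Cisco code) of what the HA does with those values when a Registration Request arrives: look up the SPI, recompute the authenticator in the configured mode, and apply the timestamp tolerance. The SPI table, addresses and clock values are constructed, and the md5 keyword is left out because the page does not state how that mode keys the digest.

```python
import hashlib
import hmac
import struct
import time

# Constructed SPI table (not from the page): one entry shaped like an
# "mn-ha-spi spi-number 512 secret q397F65 hash-algorithm rfc2002-md5
#  replay-protection timestamp timestamp-tolerance 60" configuration.
SPI_TABLE = {
    512: {"secret": b"q397F65", "hash_algorithm": "rfc2002-md5",
          "replay_protection": "timestamp", "timestamp_tolerance": 60},
}
MN_HA_AUTH_EXT_TYPE = 32        # Mobile-Home Authentication Extension (RFC 2002)
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
RRQ_HEADER_LEN = 24             # type, flags, lifetime, home, HA, care-of, identification


def authenticator(alg, secret, protected):
    """16-byte authenticator over the protected bytes for the two keyed modes on the page."""
    if alg == "hmac-md5":        # RFC 2002bis (RFC 3344) default
        return hmac.new(secret, protected, hashlib.md5).digest()
    if alg == "rfc2002-md5":     # RFC 2002 keyed MD5, "prefix+suffix" mode
        return hashlib.md5(secret + protected + secret).digest()
    raise ValueError("unsupported hash-algorithm: " + alg)


def build_rrq(spi, secret, alg, identification, lifetime=1800):
    """Constructed Registration Request: fixed header followed by the MN-HA auth extension.
    The authenticator covers the header plus the extension's type, length and SPI."""
    header = struct.pack("!BBH4s4s4sQ", 1, 0, lifetime,
                         bytes([10, 0, 0, 1]),        # home address (constructed)
                         bytes([192, 168, 0, 2]),     # home agent (the page's example HA)
                         bytes([192, 168, 3, 1]),     # care-of address (constructed)
                         identification)
    ext_head = struct.pack("!BBI", MN_HA_AUTH_EXT_TYPE, 4 + 16, spi)
    return header + ext_head + authenticator(alg, secret, header + ext_head)


def verify_rrq(rrq, now=None):
    """HA-side check: SPI lookup, authenticator comparison, then timestamp replay check.
    Returns (accepted, reason)."""
    now = time.time() if now is None else now
    header, ext = rrq[:RRQ_HEADER_LEN], rrq[RRQ_HEADER_LEN:]
    if len(ext) < 22 or ext[0] != MN_HA_AUTH_EXT_TYPE:
        return False, "missing or truncated MN-HA authentication extension"
    spi = struct.unpack("!I", ext[2:6])[0]
    entry = SPI_TABLE.get(spi)
    if entry is None:
        return False, "no mn-ha-spi configured for SPI %d" % spi
    expected = authenticator(entry["hash_algorithm"], entry["secret"], header + ext[:6])
    if not hmac.compare_digest(expected, ext[6:22]):    # constant-time comparison
        return False, "authenticator mismatch"
    if entry["replay_protection"] == "timestamp":
        # The high 32 bits of the identification field carry the MN's NTP-format seconds.
        ntp_seconds = struct.unpack("!Q", header[16:24])[0] >> 32
        skew = abs((ntp_seconds - NTP_EPOCH_OFFSET) - now)
        if skew > entry["timestamp_tolerance"]:
            return False, "timestamp outside tolerance (skew %.0f s)" % skew
    return True, "accepted"
```

A request whose authenticator fails is rejected before the timestamp is examined, so a tampered lifetime field is caught even when the clock is in range.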
no nat-traversal [ force-accept ]
default nat-traversal [ force-accept ]
Important: You should not use this command without first consulting Cisco Systems Technical Support. This command applies to very specific scenarios where packet reassembly is not supported at the far end of the tunnel. There are cases where the destination network may either discard the data, or be unable to reassemble the packets.
Important: This functionality works best when the HA service is communicating with an FA service running in a system. However, an HA service running in the system communicating with an FA from a different manufacturer will operate correctly even if this parameter is enabled.
Use the no version of this command to disable tunnel optimization if enabled.
policy bc-query-result network-failure code
code must be either 0xFFFF or 0xFFFE.
policy nw-reachability-fail { redirect ip_addr1 [ weight value ] [ ip_addr2 [ weight value ] ... ip_addr16 [ weight value ] ] | reject [ use-reject-code { admin-prohibited | insufficient-resources } ] }
no policy nw-reachability-fail [ redirect ip_addr1 ... ip_addr16 ]
reject [ use-reject-code { admin-prohibited | insufficient-resources } ]
use-reject-code { admin-prohibited | insufficient-resources }: When rejecting calls, send the specified reject code. If this keyword is not specified, the admin-prohibited reject code is sent by default.
use-reject-code { admin-prohibited | insufficient-resources }: Use the specified reject code when rejecting traffic.
admin-prohibited: When this keyword is specified and traffic is rejected, the error code 81H (admin-prohibited) is returned.
insufficient-resources: When this keyword is specified and traffic is rejected, the error code 82H (insufficient resources) is returned.
redirect ip_addr1 [ weight value ] [ ip_addr2 [ weight value ] ... ip_addr16 [ weight value ] ]
ip_addr1: This must be entered using IPv4 dotted-decimal notation. Up to 16 IP addresses and optional weight values can be entered on one command line.
weight value: When multiple addresses are specified, they are selected in a weighted round-robin scheme. If a weight is not specified the entry is automatically assigned a weight of 1.
value must be an integer from 1 through 10.
Important: Refer to the Context Configuration mode command nw-reachability server to configure network reachability servers.
Important: Refer to the Subscriber Configuration mode command nw-reachability-server to bind the network reachability to a specific subscriber.
Important: Refer to the nw-reachability server server_name keyword of the Context Configuration mode ip pool command to bind the network reachability server to an IP pool.
policy overload { redirect address [ weight weight_num ] [ address2 [ weight weight_num ] ... address16 [ weight weight_num ] ] | reject [ use-reject-code { admin-prohibited | insufficient-resources } ] }
no policy overload [ redirect address [ address2 ... address16 ] ]
overload: Without any options, deletes the complete overload policy from the PDSN service.
overload redirect address [ address2 ... address16 ]: Deletes up to 16 IP addresses from the overload redirect policy. The IP addresses must be expressed in IPv4 dotted-decimal notation.
redirect address [ weight weight_num ] [ address2 [ weight weight_num ] ... address16 [ weight weight_num ] ]
address: The IP address of an alternate HA expressed in IP v4 dotted-decimal notation. Up to 16 IP addresses can be specified either in one command or by issuing the redirect command multiple times. If you try to add more than 16 IP addresses to the redirect policy, the CLI issues an error message. If you specify an IP address and weight that already exists in the redirect policy the new values override the existing values.
weight weight_num: When multiple addresses are specified, they are selected in a weighted round-robin scheme. Entries with higher weights are more likely to be chosen. If a weight is not specified the entry is automatically assigned a weight of 1.
weight_num must be an integer from 1 through 10.
reject [ use-reject-code { admin-prohibited | insufficient-resources } ]
use-reject-code {
admin-prohibited |
insufficient-resources }: Use the specified reject code when rejecting traffic.
admin-prohibited: When this keyword is specified and traffic is rejected, the error code 81H (admin-prohibited) is returned.
insufficient-resources: When this keyword is specified and traffic is rejected, the error code 82H (insufficient resources) is returned.
Use the no version of this command to restore the default policy.
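Both policy nw-reachability-fail and policy overload choose among up to 16 alternate addresses by weighted round-robin, or reject with the 81H/82H codes above. The following Python is an added example (not Cisco code) that models those rules: 16-entry limit, weights 1 through 10, a repeated address overriding its earlier weight, and admin-prohibited as the default reject code. Treating a reject configuration as replacing the redirect list, and rejecting when the list has been emptied, are assumptions made here.

```python
import itertools
import ipaddress

# Reject codes as the page lists them for use-reject-code.
REJECT_CODES = {"admin-prohibited": 0x81, "insufficient-resources": 0x82}


class OverloadPolicy:
    """Model of 'policy overload { redirect ... | reject ... }' for an HA service."""
    MAX_ADDRESSES = 16

    def __init__(self):
        self.mode = "reject"                 # assumption: reject until a redirect is configured
        self.reject_code = "admin-prohibited"  # page: default when no use-reject-code is given
        self.entries = {}                    # address -> weight, kept in configuration order
        self._cycle = None

    def redirect(self, address, weight=1):
        """'redirect address [ weight w ]': add an entry or override an existing weight."""
        addr = str(ipaddress.IPv4Address(address))   # must be IPv4 dotted-decimal
        if not 1 <= weight <= 10:
            raise ValueError("weight must be an integer from 1 through 10")
        if addr not in self.entries and len(self.entries) >= self.MAX_ADDRESSES:
            raise ValueError("redirect policy already holds %d addresses" % self.MAX_ADDRESSES)
        self.entries[addr] = weight
        self.mode = "redirect"
        self._cycle = None                   # weights changed: rebuild the schedule

    def reject(self, code="admin-prohibited"):
        """'reject [ use-reject-code code ]' (assumption: replaces any redirect list)."""
        if code not in REJECT_CODES:
            raise ValueError("unknown reject code keyword: " + code)
        self.mode, self.reject_code, self.entries, self._cycle = "reject", code, {}, None

    def remove(self, *addresses):
        """'no policy overload redirect address ...': drop the named entries."""
        for a in addresses:
            self.entries.pop(str(ipaddress.IPv4Address(a)), None)
        self._cycle = None

    def next_ha(self):
        """Weighted round-robin: an address with weight w is returned w times per cycle."""
        if not self.entries:
            return None
        if self._cycle is None:
            schedule = [a for a, w in self.entries.items() for _ in range(w)]
            self._cycle = itertools.cycle(schedule)
        return next(self._cycle)

    def decide(self):
        """Outcome for one new registration while overloaded: ('redirect', ha) or ('reject', code)."""
        if self.mode == "redirect" and self.entries:
            return ("redirect", self.next_ha())
        return ("reject", REJECT_CODES[self.reject_code])


def sample_distribution(policy, n):
    """Count how often each alternate HA is chosen over n selections."""
    counts = {}
    for _ in range(n):
        target = policy.next_ha()
        counts[target] = counts.get(target, 0) + 1
    return counts
```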
time is an integer from 1 through 65534.
Use the no version of this command to disable reverse tunneling. If reverse tunneling is disabled, and the mobile node does not request it, triangular routing will be performed.
Important: If reverse tunneling is disabled on the system and a mobile node requests it, the call will be rejected with a reply code of 74H (reverse-tunneling unavailable).
revocation { enable | max-retransmission number | negotiate-i-bit | retransmission-timeout secs | send-nai-ext | trigger { handoff | idle-timeout } }
no revocation { enable | negotiate-i-bit | send-nai-ext | trigger { handoff | idle-timeout } }
default revocation [ enable ] [ max-retransmission ] [ negotiate-i-bit ] [ retransmission-timeout ] [ send-nai-ext ] [ trigger { handoff | idle-timeout } ]
trigger { handoff | idle-timeout }
handoff: Default: Enabled
idle-timeout: Default: Enabled
Important: The value of retransmission-timeout doubles. HA disconnects the session forcibly in 120 seconds after sending initial MIP revocation.
threshold dereg-reply-error high_thresh [ clear low_thresh ]
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of de-registration reply errors > High Threshold
• Clear condition: Actual number of de-registration reply errors < Low Threshold
The following command configures a de-registration reply error threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
threshold init-rrq-rcvd-rate high_thresh [ clear low_thresh ]
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of calls set up per second is greater than the high threshold.
• Clear condition: Actual number of calls set up per second is less than the low threshold.
threshold ipsec-call-req-rej high_thresh [ clear low_thresh ]
high_thresh is an integer from 0 through 1000000.
low_thresh is an integer from 0 through 1000000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of IPSec IKE requests is greater than the high threshold.
• Clear condition: Actual number of IPSec IKE requests is less than the low threshold.
threshold ipsec-ike-failrate high_thresh [ clear low_thresh ]
high_thresh is an integer from 0 through 100.
low_thresh is an integer from 0 through 100.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Percentage of IPSec IKE failures is greater than the high threshold.
• Clear condition: Percentage of IPSec IKE failures is less than the low threshold.
The following command configures a percentage of IPSec IKE failures threshold of 1000 and a low threshold of 800 for a system using the Alarm thresholding model:
threshold ipsec-ike-failures high_thresh [ clear low_thresh ]
high_thresh is an integer from 0 through 1000000.
low_thresh is an integer from 0 through 1000000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of IPSec IKE failures is greater than the high threshold.
• Clear condition: Actual number of IPSec IKE failures is less than the low threshold.
The following command configures a number of IPSec IKE failures threshold of 1000 and a low threshold of 800 for a system using the Alarm thresholding model:
threshold ipsec-ike-requests high_thresh [ clear low_thresh ]
high_thresh is an integer from 0 through 1000000.
low_thresh is an integer from 0 through 1000000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of IPSec IKE failures is greater than the high threshold.
• Clear condition: Actual number of IPSec IKE failures is less than the low threshold.
The following command configures a number of IPSec IKE requests threshold of 1000 and a low threshold of 800 for a system using the Alarm thresholding model:
threshold ipsec-tunnels-established high_thresh [ clear low_thresh ]
high_thresh is an integer from 0 through 1000000.
low_thresh is an integer from 0 through 1000000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of IPSec tunnels established is greater than the high threshold.
• Clear condition: Actual number of IPSec tunnels established is less than the low threshold.
threshold ipsec-tunnels-setup high_thresh [ clear low_thresh ]
high_thresh is an integer from 0 through 1000000.
low_thresh is an integer from 0 through 1000000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of IPSec tunnels setup is greater than the high threshold.
• Clear condition: Actual number of IPSec tunnels setup is less than the low threshold.
The following command configures a number of IPSec tunnels setup threshold of 1000 and a low threshold of 800 for a system using the Alarm thresholding model:
threshold reg-reply-error high_thresh [ clear low_thresh ]
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of registration reply errors is greater than the high threshold.
• Clear condition: Actual number of registration reply errors is less than the low threshold.
The following command configures a registration reply error threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
threshold rereg-reply-error high_thresh [ clear low_thresh ]
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of re-registration reply errors is greater than the high threshold.
• Clear condition: Actual number of re-registration reply errors is less than the low threshold.
The following command configures a re-registration reply error threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
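Every threshold command above follows the same Alarm-model rule: enter when the polled value exceeds high_thresh, clear once it drops below low_thresh, and treat a missing clear value as equal to the high threshold. The following Python is an added example (not Cisco code) of that hysteresis, fed with a constructed series of polled counts; the Alert model is not modeled because the page only says it ignores the low threshold.

```python
class AlarmThreshold:
    """Alarm-model threshold as the HA service threshold commands describe it.

    An alarm is entered when a polled value is strictly greater than high_thresh
    and cleared when a later value is strictly less than the low threshold. With
    no 'clear low_thresh' configured, the low threshold equals the high one, so
    the alarm clears as soon as the value falls below high_thresh."""

    def __init__(self, name, high_thresh, low_thresh=None):
        self.name = name                      # e.g. "dereg-reply-error"
        self.high = high_thresh
        self.low = high_thresh if low_thresh is None else low_thresh
        self.alarm_active = False

    def poll(self, count):
        """Evaluate one polling sample. Returns "enter", "clear" or None (no change)."""
        if not self.alarm_active and count > self.high:
            self.alarm_active = True
            return "enter"
        if self.alarm_active and count < self.low:
            self.alarm_active = False
            return "clear"
        return None


def replay_polls(threshold, samples):
    """Feed a constructed series of polled counts and collect the transitions."""
    return [threshold.poll(c) for c in samples]
```

With high 1000 and low 500, a count that hovers between the two thresholds neither re-enters nor clears the alarm, which is the point of configuring the clear value.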
[ no | default ] wimax-3gpp2 interworking
Configures the WiMAX-3GPP2 interworking to default setting: disabled.
Important: Use this command in conjunction with the authentication aaa-distributed-mip-keys required command.