FNG Service Configuration Mode Commands
 
 
The FNG Service Configuration Mode is used to configure the properties required for the FNG to interface with the FAPs in the network.
 
 
aaa aggregation
Sets the system attributes for A12 aggregation for the FNG service.
Product
FNG
Privilege
Security Administrator, Administrator
Syntax
aaa aggregation { interface type a12 | destination address ipv4_address | a12-group { context name [ aaa-group name ] | aaa-group name [ context name ] } }
no aaa aggregation interface type a12
no a12 destination address ipv4_address
no aaa aggregation a12-group { context name [ aaa-group name ] | aaa-group name [ context name ] }
aaa aggregation interface type a12
Enables A12 aggregation functionality for the FNG service.
aaa aggregation interface a12 destination address ipv4_address
Adds a destination address for an AN-AAA server for A12 aggregation. A maximum of ten destination addresses can be configured.
aaa aggregation a12-group { context name [ aaa-group name ] | aaa-group name [ context name ] }
Defines the AAA context and AAA group to be used for A12 aggregation.
If the context name and AAA group are not specified, the FNG defaults to the FNG service context and the default AAA group in that context. If the AAA group is specified but the context is not specified, the FNG uses the FNG service context and the AAA group in that context. If the AAA group is not specified and the context is specified, the FNG uses the default AAA group in that context.
no aaa aggregation interface type a12
Disables A12 aggregation functionality for the FNG service.
no aaa aggregation a12-destination address ipv4_address
Deletes the specified destination address for an AN-AAA server.
no aaa aggregation a12-group { context name [ aaa-group name ] | aaa-group name [ context name ] }
Deletes the specified AAA context and AAA group to be used for A12 aggregation.
Usage
Sets the system attributes for AAA aggregation in the FNG service.
Example
The following command enables the A12 functionality for the FNG service:
aaa aggregation interface type a12
 
aaa authentication
Specifies the AAA group to use for FAP authentication.
Product
FNG
Privilege
Security Administrator, Administrator
Syntax
aaa authentication context-name name aaa-group name
no aaa authentication
no aaa authentication
Removes any existing authentication configuration.
context-name name aaa-group name
Specifies the context name and the AAA group name configured in the context for FAP authentication.
context-name name: The context where the AAA server group is defined.
name must be a string of size 1-79.
aaa-group name: The name of the AAA group to be used for authentication.
name must be a string of size 1-63.
Usage
Use this command to specify that, during IPSec session establishment using IKEv2, the FNG uses RADIUS AAA for FAP authentication.
Example
Use the following to configure device authentication for an AAA group named aaa-10 in the FNG context named fng1:
aaa authentication context-name fng1 aaa-group aaa-10
 
bind
Binds the FNG service IP address to a crypto template and specifies the maximum number of sessions the FNG service supports.
Product
FNG
Privilege
Security Administrator, Administrator
Syntax
bind address ipv4_address { crypto-template string } [ max-sessions number ]
no bind
no bind
Removes a previously configured binding.
address
Specifies the IPv4 address of the FNG service.
crypto-template string
Specifies the name of the crypto template to be bound to the FNG service.
string is any value from 0 - 127 alpha and/or numeric characters.
max-sessions number
Default is 1000000.
Specifies the maximum number of sessions to be supported by the FNG service.
number can be any integer value from 0 - 1000000.
If the max-sessions value is changed on an existing system, the new value takes effect immediately if it is higher than the current value. If the new value is lower than the current value, existing sessions remain established, but no new sessions are permitted until usage falls below the newly-configured value.
Usage
Binds the IP address used as the connection point for establishing the IKEv2 sessions to a crypto template. It can also define the maximum number of sessions the FNG can support.
Example
The following command binds an FNG service with an IP address of 1.2.3.4 to the crypto template named T1 and sets the maximum number of sessions to 500000:
bind address 1.2.3.4 crypto-template T1 max-sessions 500000
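The max-sessions rule stated above has an edge case worth seeing in code: lowering the limit on a live service never tears down established sessions, it only blocks admissions until usage drops below the new value. The following Python model is an added illustration, not StarOS code; the class name, the session identifiers and the trace are all constructed for the example.

```python
# Added illustration of the max-sessions behaviour described for bind above.
# Model only, not StarOS code; session identifiers are constructed strings.
from typing import Set


class FngSessionLimiter:
    """Admission control for one FNG service bound with max-sessions."""

    def __init__(self, max_sessions: int = 1000000):  # page default
        self.max_sessions = max_sessions
        self.active: Set[str] = set()

    def admit(self, session_id: str) -> bool:
        """Accept a new IKEv2 session only while usage is below the limit."""
        if len(self.active) >= self.max_sessions:
            return False
        self.active.add(session_id)
        return True

    def release(self, session_id: str) -> None:
        """Session torn down (for example by the FAP or by setup-timeout)."""
        self.active.discard(session_id)

    def set_max_sessions(self, new_limit: int) -> int:
        """Re-apply bind ... max-sessions on a running service.

        A higher limit takes effect immediately. A lower limit never tears
        down established sessions; it only blocks new ones until usage falls
        below it. Returns how many sessions currently exceed the new limit.
        """
        if not 0 <= new_limit <= 1000000:          # range from the page
            raise ValueError("max-sessions must be 0 - 1000000")
        self.max_sessions = new_limit
        return max(0, len(self.active) - new_limit)

    @property
    def usage(self) -> int:
        return len(self.active)


if __name__ == "__main__":
    lim = FngSessionLimiter(max_sessions=3)
    for i in range(3):
        lim.admit(f"fap-{i}")          # constructed session ids
    print("over limit after lowering to 2:", lim.set_max_sessions(2))
    print("existing sessions kept:", lim.usage, "new admitted:", lim.admit("fap-3"))
```

The return value of set_max_sessions is what an operator would want to alarm on: a non-zero value means the service is running above its configured limit and will refuse every new FAP until enough sessions clear.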
 
default
Sets or restores the default condition for the selected parameter.
Product
FNG
Privilege
Security Administrator, Administrator
Syntax
default { aaa attribute 3gpp2-service-option | duplicate-session-detection | ip source-violation { drop-limit | period } | setup-timeout | subscriber name | username mac-address-stripping }
aaa attribute 3gpp2-service-option
Sets or restores the default value of 4095.
duplicate-session-detection
Sets or restores the default option for duplicate session detection to be fapid-based.
ip source-violation { drop-limit | period }
Sets or restores the IP source violation detection defaults, as follows:
drop-limit: Sets or restores the maximum number of IP source violations within the detection period before dropping the call to the default value of 10.
period: Sets or restores the detection period for IP source violations to the default value of 120 seconds.
setup-timeout
Sets or restores the maximum time allowed for session setup to the default value of 60 seconds.
subscriber name
Sets or restores the name of the default subscriber.
name is a string of 1-127 characters.
username mac-address-stripping
The default behavior is to disable stripping the MAC address from the username.
Usage
Configures the default settings for a given parameter.
Example
Use the following command to set the maximum time allowed for session setup to the default value of 60 seconds:
default setup-timeout
 
duplicate-session-detection
Configures the FNG to detect duplicate call sessions based on Femtocell Access Point (FAP) ID and to clear old call information.
This feature is disabled by default.
Product
FNG
Privilege
Security Administrator, Administrator
Syntax
duplicate-session-detection { fapid-based }
no duplicate-session-detection
default duplicate-session-detection
fapid-based
Sets the FNG to detect duplicate call sessions based on the FAP ID.
no
Disables duplicate session detection.
default
Sets or restores the default option for duplicate session detection to be fapid-based.
Usage
By default, duplicate session detection is disabled. Use this command to enable this feature. It applies only to calls established after the feature has been enabled.
Example
The following command enables duplicate session detection based on FAP ID:
duplicate-session-detection fapid-based
 
ip source-violation
Sets the parameters for IP source validation. Source validation is useful if packet spoofing is suspected or for verifying packet routing and labeling within the network.
Source validation requires the source address of received packets to match the IP address assigned to the subscriber (either statically or dynamically) during the session.
Product
FNG
Privilege
Security Administrator, Administrator
Syntax
ip source-violation { clear-on-valid-packet | drop-limit num | period secs }
no ip source-violation clear-on-valid-packet
clear-on-valid-packet
Default: disabled
Configures the service to reset the drop-limit counters upon receipt of a properly addressed packet.
drop-limit num
Default: 10
Sets the maximum number of allowed IP source violations within the detection period before dropping a call. If num is not specified, the value is set to the default value.
num can be any integer value from 1 to 1000000.
period secs
Default: 120
Sets the detection period in seconds for IP source violations. If secs is not specified, the value is set to the default value.
secs can be any integer value from 1 to 1000000.
Usage
This function allows the operator to configure the network to prevent problems such as a user being handed back and forth between two gateways several times during a handoff.
This function operates in the following manner:
When a subscriber packet is received with a source IP address violation, the system increments the IP source violation drop-limit counter and starts the timer for the IP source violation period. Every subsequent packet received with a bad source address during the IP source violation period causes the drop-limit counter to increment.
For example, if the drop-limit is set to 10, after 10 source violations, the call is dropped. The detection period timer continues to count throughout this process.
Example
The following command sets the drop limit to 15 and leaves the other values at their default values:
ip source-violation drop-limit 15
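The Usage text above describes the counter and timer interaction in prose; the following Python model shows the same logic run over a constructed packet trace, including the clear-on-valid-packet keyword and what happens when a violation arrives after the detection period has elapsed. It is an added illustration, not StarOS code: the class and function names, the trace format (timestamp, source IP) and the sample addresses are all constructed, and the assumption that the counter restarts with a new detection period is marked in the code.

```python
# Added illustration of the ip source-violation counter described on this page.
# Model only: assumed packet-trace format (timestamp, source IP); not StarOS code.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SourceViolationPolicy:
    """Values of the three ip source-violation keywords (page defaults)."""
    drop_limit: int = 10             # violations tolerated within one period
    period: float = 120.0            # detection period in seconds
    clear_on_valid_packet: bool = False


@dataclass
class SubscriberSession:
    """One subscriber call with the IP address assigned to it for the session."""
    assigned_ip: str
    policy: SourceViolationPolicy
    violations: int = 0
    period_start: Optional[float] = None
    dropped: bool = False

    def receive(self, src_ip: str, now: float) -> str:
        """Classify one uplink packet: 'forward', 'violation' or 'dropped'."""
        if self.dropped:
            return "dropped"                     # call already torn down
        if src_ip == self.assigned_ip:
            if self.policy.clear_on_valid_packet:
                # keyword enabled: a correctly addressed packet resets the counters
                self.violations = 0
                self.period_start = None
            return "forward"
        # Source address does not match the assigned address: a violation.
        expired = (self.period_start is not None
                   and now - self.period_start > self.policy.period)
        if self.period_start is None or expired:
            # The first violation (or the first after the period elapsed) starts
            # a new detection period. Assumption: the counter restarts with it;
            # the page only states that the timer keeps counting.
            self.period_start = now
            self.violations = 0
        self.violations += 1
        if self.violations >= self.policy.drop_limit:
            self.dropped = True                  # drop-limit reached: drop the call
            return "dropped"
        return "violation"


def run_trace(session: SubscriberSession,
              trace: List[Tuple[float, str]]) -> List[str]:
    """Feed a (timestamp, source-ip) trace through the session and return verdicts."""
    return [session.receive(src, t) for t, src in trace]


# Constructed sample: subscriber assigned 10.0.0.5, spoofed packets from 192.0.2.9,
# drop-limit lowered to 3 so the effect is visible in a short trace.
SPOOF_TRACE = [(0.0, "10.0.0.5"), (1.0, "192.0.2.9"), (2.0, "192.0.2.9"),
               (3.0, "192.0.2.9"), (4.0, "10.0.0.5")]

if __name__ == "__main__":
    policy = SourceViolationPolicy(drop_limit=3)
    print(run_trace(SubscriberSession("10.0.0.5", policy), SPOOF_TRACE))
```

With clear-on-valid-packet enabled, the same two spoofed packets followed by one legitimate packet leave the counter at zero, so a session that alternates good and bad packets is never dropped; that is the trade-off the keyword's default of disabled reflects.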
 
setup-timeout
Specifies the maximum time allowed to set up a session in seconds.
Product
FNG
Privilege
Security Administrator, Administrator
Syntax
setup-timeout integer
default setup-timeout
setup-timeout integer
Default: 60
Sets the session setup timer.
integer is a value in the range of 2 - 300 seconds.
default
Sets or restores the default session setup timer value to 60 seconds.
Usage
The FNG clears both the user session and tunnels if a call does not initiate successfully before the session setup timer expires.
Example
The following command sets the session setup timeout value to the default value of 60 seconds:
default setup-timeout
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883