ACS Configuration Mode Commands


The Active Charging Service (ACS) Configuration Mode is used to manage active charging service/enhanced charging service (ECS) configurations. ACS provides flexible, differentiated, and detailed billing to subscribers through Layer 3 through Layer 7 packet inspection and the ability to integrate with back-end billing mediation systems.
Important: In this release only one active charging service can be configured in a system.

Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
access-ruledef
This command allows you to create/configure/delete access ruledefs.
Important: This command is available only in StarOS 8.1 and in StarOS 9.0 and later releases, and must be used to configure the Policy-based Stateful Firewall and NAT features.
Product
NAT, FW
Privilege
Security Administrator, Administrator
Syntax
access-ruledef access_ruledef_name [ -noconfirm ]
no access-ruledef access_ruledef_name
no
Deletes the specified access ruledef, if previously configured, from the active charging service.
access_ruledef_name
Specifies name of the access ruledef.
access_ruledef_name must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
If the named access ruledef does not exist, it is created, and the CLI mode changes to the Firewall-and-NAT Access Ruledef Configuration Mode wherein the ruledef can be configured.
If the named access ruledef already exists, the CLI mode changes to the Firewall-and-NAT Access Ruledef Configuration Mode for that access ruledef.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an access ruledef. A ruledef contains different conditions/criteria to permit, drop, or reject a packet/connection/traffic based on one or more parameters. The ruledef name must be unique within the service. Host pool, port map, IMSI pool, and access/firewall, routing, and charging ruledefs must have unique names.
Important: An access ruledef can be referenced by multiple firewall rulebases.
Important: Access ruledefs are different from ACS ruledefs.
Also see the Firewall-and-NAT Access Ruledef Configuration Mode Commands chapter.
Example
The following command creates an access ruledef named ruledef1, and enters the Firewall-and-NAT Access Ruledef Configuration Mode:
access-ruledef ruledef1
 
bandwidth-policy
This command allows you to create/configure/delete bandwidth policies.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
bandwidth-policy policy_name [ -noconfirm ]
no bandwidth-policy policy_name
no
Deletes the specified bandwidth policy, if previously configured, from the active charging service.
policy_name
Specifies name of the bandwidth policy.
policy_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named bandwidth policy does not exist, it is created, and the CLI mode changes to the ACS Bandwidth Policy Configuration Mode wherein the bandwidth policy can be configured.
If the named bandwidth policy already exists, the CLI mode changes to the ACS Bandwidth Policy Configuration Mode for that bandwidth policy.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a bandwidth policy.
Also see the ACS Bandwidth Policy Configuration Mode Commands chapter.
Example
The following command creates a bandwidth policy named test73, and enters the ACS Bandwidth Policy Configuration Mode:
bandwidth-policy test73
 
buffering-limit
This command configures the flow- or session-based packet buffering setting.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
buffering-limit { flow-max-packets number | subscriber-max-packets number }
{ default | no } buffering-limit { flow-max-packets | subscriber-max-packets }
default
Configures the default buffering-limit setting.
Default: no limit, other than the maximum amount of available memory
no
Disables the buffering limit configuration.
flow-max-packets number
Specifies the maximum number of packets that can be buffered per flow.
number must be an integer from 1 through 255.
subscriber-max-packets number
Specifies the maximum number of packets that can be buffered per subscriber.
number must be an integer from 1 through 255.
Usage
Use this command to configure the limits for buffering packets sent by a subscriber while it is waiting for a response from the Diameter server. Packets need to be buffered for various reasons, such as waiting for Credit Control Authorization or waiting for the result of a content filtering rating request.
Example
The following command sets the buffering limit per flow to 55:
buffering-limit flow-max-packets 55
 
charging-action
This command allows you to create/configure/delete ACS charging actions.
Important: A maximum of 2048 charging actions can be configured in the active charging service.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
[ no ] charging-action charging_action_name [ -noconfirm ]
no
Deletes the specified charging action, if previously configured, from the active charging service.
charging_action_name
Specifies name of the charging action.
charging_action_name must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
If the named charging action does not exist, it is created, and the CLI mode changes to the ACS Charging Action Configuration Mode wherein the charging action can be configured.
If the named charging action already exists, the CLI mode changes to the ACS Charging Action Configuration Mode for that charging action.
The charging action’s name must be unique in the active charging service. Up to 2048 charging actions can be configured in the active charging service.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an ACS charging action.
A charging action represents actions to be taken when a configured rule is matched. Actions could range from generating an accounting record (for example, an EDR) to dropping the IP packet, etc. The charging action will also determine the metering principle—whether to count retransmitted packets and which protocol field to use for billing (L3/L4/L7 etc).
Also see the ACS Charging Action Configuration Mode Commands chapter.
Example
The following command creates a charging action named action123 and changes to the ACS Charging Action Configuration Mode:
charging-action action123
content-filtering category match-method
This command sets the match method to look up URLs in the Category-based Content Filtering database.
Product
CF
Privilege
Security Administrator, Administrator
Syntax
content-filtering category match-method { exact | generic }
default content-filtering category match-method
default
Configures the default match-method setting.
Default: generic
exact
Specifies the exact-match method, wherein URLs are rated only on exact match with URLs present in the Category-based Content Filtering database.
generic
Specifies the generic match method, wherein normalization, multi-lookups, and rollback algorithms are applied to URLs during lookup, and URLs are rated on generic match with URLs present in the Category-based Content Filtering database.
Usage
Use this command to set the match method to look up URLs in the Category-based Content Filtering database.
Example
The following command sets the exact-match method to look up URLs in the Category-based Content Filtering database:
content-filtering category match-method exact
 
content-filtering category policy-id
This command allows you to create/configure/delete Content Filtering Category Policies for Category-based Content Filtering support.
Important: A maximum of 64 Content Filtering Category Policies can be configured in the active charging service.
Product
CF
Privilege
Security Administrator, Administrator
Syntax
content-filtering category policy-id cf_policy_id [ description [ description_string ] ] [ -noconfirm ]
no content-filtering category policy-id cf_policy_id
no
Deletes the specified Content Filtering Category Policy, if previously configured, from the active charging service.
category policy-id cf_policy_id
Specifies the Content Filtering Category Policy ID.
cf_policy_id must be an integer from 1 through 4,294,967,295.
If the specified policy ID does not exist, it is created and the CLI mode changes to the Content Filtering Policy Configuration Mode, wherein the policy can be configured.
If the specified policy ID already exists, the CLI mode changes to the Content Filtering Policy Configuration Mode for that policy.
description [ description_string ]
Specifies a description for the Content Filtering Category Policy.
description_string must be an alpha and/or numeric string of 1 through 31 characters in length.
Note that both description and description_string are optional.
“description description_string” saves description_string as the new description.
“description” removes the previously specified description.
This description is displayed in the output of the “show content-filtering category policy-id id id” and “show active-charging service name service_name” commands.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a Content Filtering Category Policy.
Also see the Content Filtering Policy Configuration Mode Commands chapter.
Example
The following command creates a Content Filtering Policy with the ID 101, and enters the Content Filtering Policy Configuration Mode:
content-filtering category policy-id 101
 
credit-control
This command enables/disables Prepaid Credit Control Configuration Mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] credit-control [ group group_name ]
no
Disables the specified Prepaid Credit Control Application configuration.
group group_name
Important: The group keyword is only available in StarOS 8.1 and later releases.
Specifies name of the credit control group.
group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named credit control group does not exist, it is created, and the CLI mode changes to the Credit Control Configuration Mode, wherein the credit control group can be configured.
If the named credit control group already exists, the CLI mode changes to the Credit Control Configuration Mode for that credit control group.
Creating different credit control groups enables applying different credit control configurations (DCCA dictionary, failure-handling, session-failover, Diameter endpoint selection, etc.) to different subscribers on the same system.
Without credit control groups, only one credit control configuration is possible on a system. All the subscribers in the system will have to use the same configuration.
Usage
Use this command to enable/disable Prepaid Credit Control Configuration for RADIUS/Diameter charging mode.
Also see the Credit Control Configuration Mode Commands chapter.
Example
The following command enables prepaid credit control accounting to use RADIUS and/or Diameter interface mode:
credit-control
 
diameter credit-control
This command is obsolete and is replaced by the credit-control command.
 
edr-format
This command allows you to create/configure/delete ACS EDR format specifications.
Product
All
Privilege
Security Administrator, Administrator
Syntax
edr-format edr_format_name [ -noconfirm ]
no edr-format edr_format_name
no
Deletes the specified EDR format, if previously configured, from the active charging service.
edr_format_name
Specifies name of the EDR format.
edr_format_name must be a string of 1 through 63 characters in length.
If the named EDR format does not exist, it is created, and the CLI mode changes to the EDR Format Configuration Mode wherein the EDR format can be configured.
If the named EDR format already exists, the CLI mode changes to the EDR Format Configuration Mode for that EDR format.
The EDR format name must be unique in the active charging service. Up to 256 combined total EDR plus UDR formats can be configured in the active charging service.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an ACS EDR format.
Also see the EDR Format Configuration Mode Commands chapter.
Example
The following command creates an EDR format named edr_format1:
edr-format edr_format1
 
edr-udr-flow-control
This command enables Flow Control between Session Managers (SessMgrs) and the CDRMOD process.
Product
All
Privilege
Security Administrator, Administrator
Syntax
edr-udr-flow-control [ unsent-queue-size queue_size ]
{ default | no } edr-udr-flow-control
no
Disables the flow control configuration.
default
Configures the default flow control setting.
Default: Flow control is enabled; unsent-queue-size: 375
unsent-queue-size queue_size
Specifies the flow control unsent queue size at Session Manager (SessMgr) level.
queue_size must be an integer from 1 through 2500.
Usage
Use this command to enable Flow Control between SessMgr and the CDRMOD process, and configure the unsent queue size.
Example
The following command enables Flow Control between SessMgrs and the CDRMOD process, and configures the unsent queue size to 1000:
edr-udr-flow-control unsent-queue-size 1000
 
end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to return to the Exec mode.
 
exit
Exits the current mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the parent configuration mode.
 
fair-usage deact-margin
This command enables Fair Usage feature configuration.
Product
ACS, ADC, CF, FW, NAT
Privilege
Security Administrator, Administrator
Syntax
fair-usage deact-margin deactivate_margin
default fair-usage deact-margin
default
Configures this command with the default setting.
Default: 5 percent
deactivate_margin
Specifies that Fair Usage monitoring must be disabled when the instance-level credit usage goes deactivate_margin percentage below usage_threshold.
deactivate_margin is a percentage value, and must be an integer from 1 through 100.
Usage
Use this command to configure when to disable the Fair Usage feature, which enables SessMgr instance-level load balancing for in-line service features, and resource usage control for subscribers. For information, refer to the feature description in the Enhanced Charging Service Administration Guide.
Example
The following command configures the deactivate margin to disable Fair Usage monitoring to 10% below the session resource usage threshold (65%):
fair-usage deact-margin 10
 
fair-usage tcp-proxy
This command configures the maximum number of flows for which TCP Proxy can be used per subscriber, and what portion of ECS memory should be reserved for TCP Proxy flows.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
fair-usage tcp-proxy { max-flows-per-subscriber max_flows | memory-share memory_share }
max-flows-per-subscriber max_flows
Specifies the maximum number of flows for which TCP Proxy can be used per subscriber.
This limit is per Session Manager.
max_flows must be an integer from 1 through 1000.
Default: 5
memory-share memory_share
Specifies what portion of ECS memory should be reserved for TCP Proxy flows.
memory_share is a percentage value, and must be an integer from 1 through 100.
Default: 10%
Usage
Use this command to configure the maximum number of flows for which TCP Proxy can be used for a subscriber, and what portion of ECS memory should be reserved for TCP Proxy flows.
Example
The following command configures 100 as the maximum number of flows for which TCP Proxy can be enabled for the subscriber:
fair-usage tcp-proxy max-flows-per-subscriber 100
 
fair-usage threshold-percent
This command configures the threshold to start Fair Usage monitoring.
Product
ACS, ADC, CF, FW, NAT
Privilege
Security Administrator, Administrator
Syntax
fair-usage threshold-percent usage_threshold
default fair-usage threshold-percent
default
Configures this command with the default setting.
Default: 50 percent
usage_threshold
Specifies the threshold to start Fair Usage monitoring. Until the credit usage hits this threshold, all session resource allocation is allowed. On crossing this threshold, any new resource allocation request is evaluated and allowed or failed.
usage_threshold is a percentage value, and must be an integer from 1 through 100.
Usage
Use this command to configure the threshold to enable the Fair Usage feature, which enables SessMgr instance-level load balancing for in-line service features, and resource usage control for subscribers. For information, refer to the feature description in the Enhanced Charging Service Administration Guide.
Example
The following command enables the Fair Usage feature, and configures the session resource usage threshold to start Fair Usage monitoring to 75%:
fair-usage threshold-percent 75
 
firewall dos-protection
In StarOS 8.1 and later releases, for Rulebase-based Stateful Firewall this command is available in the ACS Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the ACS Rulebase Configuration Mode.
 
firewall flooding
In StarOS 8.1 and later releases, for Rulebase-based Stateful Firewall this command is available in the ACS Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the ACS Rulebase Configuration Mode.
 
firewall flow-recovery
This command configures the Stateful Firewall Flow Recovery feature.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall flow-recovery { { downlink [ [ timeout timeout ] [ no-flow-creation ] + ] } | { uplink [ timeout timeout ] } }
{ default | no } firewall flow-recovery { downlink | uplink }
default
Configures the default flow-recovery setting.
Default: Downlink and uplink flow recovery enabled, 300 seconds
no
Disables the flow recovery configuration.
downlink | uplink
Specifies the packet direction:
downlink: Enables flow recovery for packets from downlink direction.
uplink: Enables flow recovery for packets from uplink direction.
timeout timeout
Specifies the Stateful Firewall Flow Recovery Timeout setting, in seconds.
timeout must be an integer from 1 through 86400.
Default: 300 seconds
no-flow-creation
Specifies not to create data session/flow-related information for downlink-initiated packets (from the Internet to the subscriber) while the firewall downlink flow-recovery timer is running, but to still send the packets to the subscriber.
Usage
Use this command to configure the Stateful Firewall Flow Recovery feature.
Important: NAT flows will not be recovered.
Example
The following command configures Stateful Firewall Flow Recovery for packets in downlink direction with a timeout setting of 600 seconds:
firewall flow-recovery downlink timeout 600
 
firewall icmp-destination-unreachable-message-threshold
In StarOS 8.1 and later releases, for Rulebase-based Stateful Firewall this command is available in the ACS Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the ACS Rulebase Configuration Mode.
 
firewall max-ip-packet-size
In StarOS 8.1 and later releases, for Rulebase-based Stateful Firewall this command is available in the ACS Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the ACS Rulebase Configuration Mode.
 
firewall mime-flood
In StarOS 8.1 and later releases, for Rulebase-based Stateful Firewall this command is available in the ACS Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the ACS Rulebase Configuration Mode.
 
firewall nat-alg
This command enables/disables NAT Application Level Gateways (ALGs).
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] firewall nat-alg { all | ftp | h323 | pptp | rtsp | sip } [ ipv4-and-ipv6 | ipv4-only | ipv6-only ]
default
Configures the default setting.
Default:
ftp: Enabled
h323: Enabled
pptp: Disabled
rtsp: Disabled
sip: Disabled
no
Disables all/specified NAT ALG configuration. When disabled, the ALG(s) will not do any payload translation for NATed calls.
all | ftp | h323 | pptp | rtsp | sip
Specifies the NAT ALG to enable/disable.
all: Enables/disables all of the following NAT ALGs.
ftp: Enables/disables File Transfer Protocol (FTP) NAT ALG.
h323: Enables/disables H323 NAT ALG.
pptp: Enables/disables Point-to-Point Tunneling Protocol (PPTP) NAT ALG.
rtsp: Enables/disables Real Time Streaming Protocol (RTSP) ALG.
sip: Enables/disables Session Initiation Protocol (SIP) NAT ALG.
ipv4-and-ipv6 | ipv4-only | ipv6-only
Specifies the NAT44/NAT64 ALG to enable/disable.
ipv4-and-ipv6: Enables both NAT44 and NAT64 ALGs.
ipv4-only: Enables only NAT44 ALG.
ipv6-only: Enables only NAT64 ALG.
Usage
Use this command to enable/disable NAT ALGs.
To enable NAT ALG processing, in addition to this configuration, ensure that the routing rule for that particular protocol is added in the rulebase.
Example
The following command enables FTP NAT ALG:
firewall nat-alg ftp
The following command disables FTP NAT ALG:
no firewall nat-alg ftp
The following command enables FTP NAT ALG, and disables H323, PPTP, RTSP, and SIP NAT ALGs:
default firewall nat-alg all
 
firewall no-ruledef-matches
In StarOS 8.1 and later releases, this command is available in the ACS Rulebase Configuration Mode.
 
firewall port-scan
This command configures the Port Scan Detection algorithm.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall port-scan { connection-attempt-success-percentage { non-scanner | scanner } percentage | inactivity-timeout inactivity_timeout | protocol { tcp | udp } response-timeout response_timeout | scanner-policy { block inactivity-timeout inactivity_timeout | log-only } }
default firewall port-scan { connection-attempt-success-percentage { non-scanner | scanner } | inactivity-timeout | protocol { tcp | udp } response-timeout | scanner-policy }
default
Configures the default port-scan detection settings.
connection-attempt-success-percentage { non-scanner | scanner } percentage
Specifies the connection attempt success percentage:
non-scanner: Specifies the connection attempt success percentage for a non-scanner.
percentage must be an integer from 60 through 99.
Default: 70%
scanner: Specifies the connection attempt success percentage for a scanner.
percentage must be an integer from 1 through 40.
Default: 30%
inactivity-timeout inactivity_timeout
Specifies the port scan inactivity timeout period, in seconds.
inactivity_timeout must be an integer from 60 through 1800.
Default: 300 seconds
protocol { tcp | udp } response-timeout response_timeout
Specifies transport protocol and response-timeout period:
tcp: Specifies response timeout for TCP.
response_timeout must be an integer from 3 through 30.
udp: Specifies response timeout for UDP.
response_timeout must be an integer from 3 through 60.
Default: 3 seconds
scanner-policy { block inactivity-timeout inactivity_timeout | log-only }
Specifies how to treat packets from a source address that has been detected as a scanner:
block inactivity-timeout inactivity_timeout: Specifies blocking any subsequent traffic from the scanner. If the scanner is found to be inactive for the inactivity-timeout period, then the scanner is no longer blocked, and traffic is allowed.
inactivity_timeout specifies the scanner inactivity timeout period, in seconds, and must be an integer from 1 through 4294967295.
log-only: Specifies logging scanner information without blocking scanner traffic.
Default: log-only
Usage
Use this command to configure the Stateful Firewall Port Scan Detection algorithm enabled by the firewall dos-protection port-scan CLI command.
This protection tracks all uplink source addresses, and the packets they initiate towards all subscribers that have this protection enabled.
Example
The following command configures the Stateful Firewall Port Scan inactivity timeout setting to 900 seconds:
firewall port-scan inactivity-timeout 900
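The documented ranges and defaults for firewall port-scan can be checked mechanically against a saved configuration. The following Python script is an added example, not part of the StarOS documentation; the setting keys, the audit_port_scan function, and the sample configuration lines are constructed for illustration, and applying the single 3-second response-timeout default to both TCP and UDP is an assumption.

```python
"""Audit 'firewall port-scan' lines of a saved ACS configuration against the
ranges and defaults documented above. Added example; names are hypothetical."""

# setting key -> (low, high, default), from the command reference above.
# Assumption: the single "Default: 3 seconds" covers both TCP and UDP.
LIMITS = {
    "success-pct non-scanner": (60, 99, 70),
    "success-pct scanner": (1, 40, 30),
    "inactivity-timeout": (60, 1800, 300),
    "response-timeout tcp": (3, 30, 3),
    "response-timeout udp": (3, 60, 3),
    "block inactivity-timeout": (1, 4294967295, None),
}

# Constructed sample input, not taken from a real system.
SAMPLE = """\
buffering-limit flow-max-packets 55
firewall port-scan connection-attempt-success-percentage scanner 55
firewall port-scan inactivity-timeout 900
firewall port-scan protocol udp response-timeout 45
firewall port-scan scanner-policy block inactivity-timeout 600
default firewall port-scan scanner-policy
"""


def _parse(t):
    """Map the tokens after 'firewall port-scan' to (setting key, remaining tokens)."""
    if len(t) >= 2 and t[0] == "connection-attempt-success-percentage" \
            and t[1] in ("non-scanner", "scanner"):
        return "success-pct " + t[1], t[2:]
    if t[:1] == ["inactivity-timeout"]:
        return "inactivity-timeout", t[1:]
    if len(t) >= 3 and t[0] == "protocol" and t[1] in ("tcp", "udp") \
            and t[2] == "response-timeout":
        return "response-timeout " + t[1], t[3:]
    if t[:1] == ["scanner-policy"]:
        return "scanner-policy", t[1:]
    return None, []


def _store(line_no, key, text, settings, findings):
    """Store an in-range integer value; record a finding otherwise."""
    low, high, _ = LIMITS[key]
    if not text.isdigit() or not low <= int(text) <= high:
        findings.append((line_no, f"{key}: {text!r} outside documented range {low}-{high}"))
        return False
    settings[key] = int(text)
    return True


def audit_port_scan(config_text):
    """Return (effective settings, findings); findings are (line number, message)."""
    settings = {k: d for k, (_, _, d) in LIMITS.items() if d is not None}
    settings["scanner-policy"] = "log-only"           # documented default
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        is_default = tokens[:1] == ["default"]
        if is_default:
            tokens = tokens[1:]
        if tokens[:2] != ["firewall", "port-scan"]:
            continue                                   # not a port-scan line
        key, rest = _parse(tokens[2:])
        if key is None:
            findings.append((line_no, "unrecognised port-scan keyword"))
        elif key == "scanner-policy":
            if is_default or rest == ["log-only"]:
                settings[key] = "log-only"
                settings.pop("block inactivity-timeout", None)
            elif len(rest) == 3 and rest[:2] == ["block", "inactivity-timeout"]:
                if _store(line_no, "block inactivity-timeout", rest[2], settings, findings):
                    settings[key] = "block"
            else:
                findings.append((line_no, "malformed scanner-policy"))
        elif is_default:
            settings[key] = LIMITS[key][2]             # restore documented default
        elif len(rest) == 1:
            _store(line_no, key, rest[0], settings, findings)
        else:
            findings.append((line_no, f"{key}: expected exactly one value"))
    if settings["scanner-policy"] == "log-only":
        # Line 0 marks a finding about the effective configuration as a whole.
        findings.append((0, "scanner-policy is log-only: scanners are logged, not blocked"))
    return settings, findings


if __name__ == "__main__":
    effective, issues = audit_port_scan(SAMPLE)
    for line_no, message in issues:
        print(f"line {line_no}: {message}")
    print(effective)
```

In the sample, the later default line silently reverts the earlier block policy, which is why the script reports the effective policy rather than each line in isolation.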
 
firewall ruledef
This command allows you to create/configure/delete Stateful Firewall ruledefs.
Important: This command is available only in StarOS 8.1. This command must be used to configure the Rulebase-based Stateful Firewall and NAT features.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall ruledef firewall_ruledef_name [ -noconfirm ]
no firewall ruledef firewall_ruledef_name
no
Deletes the specified firewall ruledef, if previously configured, from the active charging service.
firewall_ruledef_name
Specifies name of the firewall ruledef.
firewall_ruledef_name must be a string of 1 through 63 characters in length, and can contain punctuation characters.
If the named firewall ruledef does not exist, it is created, and the CLI mode changes to the Firewall Ruledef Configuration Mode wherein the ruledef can be configured.
If the named firewall ruledef already exists, the CLI mode changes to the Firewall Ruledef Configuration Mode for that ruledef.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a firewall ruledef. A firewall ruledef contains different conditions to permit, drop, or reject a packet/connection/traffic based on one or more parameters. The ruledef name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names.
Important: A firewall ruledef can be referenced by multiple firewall rulebases.
Important: The firewall ruledefs are different from the ACS ruledefs.
Also see the Firewall-and-NAT Access Ruledef Configuration Mode Commands chapter.
Example
The following command creates a firewall ruledef named fw_ruledef1, and enters the Firewall Ruledef Configuration Mode:
firewall ruledef fw_ruledef1
 
firewall tcp-syn-flood-intercept
In StarOS 8.1 and later releases, for Rulebase-based Stateful Firewall this command is available in the ACS Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the ACS Rulebase Configuration Mode.
 
firewall track-list
This command configures the maximum number of server IPs to be tracked that are involved in any kind of DOS attacks.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall track-list attacking-servers no_of_servers
{ default | no } firewall track-list attacking-servers
default
Configures the default setting.
Default: 10
no
Important: This command variant is available only in StarOS 8.3 and later releases.
Disables the configuration.
attacking-servers no_of_servers
Specifies to track the attacking servers.
no_of_servers specifies the number of servers to track, and must be an integer from 1 through 100.
Usage
Use this command to configure the maximum number of server IPs to be tracked that are involved in any kind of DOS attacks.
Example
The following command configures the maximum number of server IPs to be tracked that are involved in any kind of DOS attacks to 20:
firewall track-list attacking-servers 20
 
fw-and-nat action
This command allows you to create/configure/delete Firewall-and-NAT actions.
Important: This command is available only in 11.0 and later releases. This command must be used to configure the Stateful Firewall and NAT Action features.
Product
FW, NAT
Privilege
Security Administrator, Administrator
Syntax
fw-and-nat action action_name [ -noconfirm ]
no fw-and-nat action action_name
no
Deletes the specified Firewall-and-NAT action, if previously configured, from the active charging service.
action_name
Specifies the name of the Firewall-and-NAT action.
action_name must be an alpha and/or numeric string of 1 through 63 characters in length.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a Firewall-and-NAT action.
Entering this command results in the following prompt:
[context_name]hostname(config-fw-and-nat-action)#
Also see the Firewall-and-NAT Action Configuration Mode Commands chapter.
Example
The following command creates a Firewall-and-NAT action named test1, and changes to the Firewall-and-NAT Action Configuration Mode:
fw-and-nat action test1
 
fw-and-nat policy
This command allows you to create/configure/delete Firewall-and-NAT policies.
Important: This command is available only in StarOS 8.1 and in StarOS 9.0 and later releases. This command must be used to configure the Policy-based Stateful Firewall and NAT features.
Product
FW, NAT
Privilege
Security Administrator, Administrator
Syntax
fw-and-nat policy policy_name [ -noconfirm ]
no fw-and-nat policy policy_name
no
Deletes the specified Firewall-and-NAT policy, if previously configured, from the active charging service.
Important: When a Firewall-and-NAT policy is deleted, Stateful Firewall and NAT processing is disabled for all subscribers using the policy, and ACS sessions for those subscribers are dropped. In case of session recovery, the calls are recovered but with Stateful Firewall and NAT disabled.
policy_name
Specifies name of the Firewall-and-NAT policy.
policy_name must be an alpha and/or numeric string of 1 through 63 characters in length.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a Firewall-and-NAT policy.
Entering this command results in the following prompt:
[context_name]hostname(config-fw-and-nat-policy)#
Also see the Firewall-and-NAT Policy Configuration Mode Commands chapter.
Example
The following command creates a Firewall-and-NAT policy named test321, and changes to the Firewall-and-NAT Policy Configuration Mode:
fw-and-nat policy test321
group-of-objects
This command allows you to create/configure/delete ACS group-of-objects.
Important: This command is available only in StarOS 10.2 and later releases.
Important: A maximum of 16 object groups can be configured in the active charging service, and a maximum of 128 objects can be configured within each object group.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
group-of-objects group_name [ type string [ -noconfirm ] ]
no group-of-objects group_name
no
Deletes the specified group-of-objects, if previously configured, from the active charging service.
group_name
Specifies name of the group-of-objects.
group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named group-of-objects does not exist, it is created, and the CLI mode changes to the ACS Group-of-Objects Configuration Mode wherein the group can be configured.
If the named group-of-objects already exists, the CLI mode changes to the ACS Group-of-Objects Configuration Mode for that group.
type
Specifies the data type for the group-of-objects.
Important: “string” is the only data type supported in this release.
string
Specifies the data type as string.
When creating a group, specifying the data type is mandatory.
When modifying an existing group, specifying the data type is optional.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a group-of-objects.
Also see the ACS Group-of-Objects Configuration Mode Commands chapter.
Example
The following command creates a group-of-objects named test4 with the data type string, and enters the ACS Group-of-Objects Configuration Mode:
group-of-objects test4 type string
 
group-of-prefixed-urls
This command allows you to create, configure, or delete ACS group-of-prefixed-URLs.
Important: This command is customer specific. For more information contact your local sales representative.
Important: A maximum of 64 group-of-prefixed-URL groups can be configured in the active charging service.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
group-of-prefixed-urls group_name [ -noconfirm ]
no group-of-prefixed-urls group_name
no
Deletes the specified group-of-prefixed-urls, if previously configured, from the active charging service.
group_name
Specifies name of the group-of-prefixed-urls.
group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named group-of-prefixed-urls does not exist, it is created, and the CLI mode changes to the ACS Group-of-Prefixed-URLs Configuration Mode wherein the group can be configured.
If the named group-of-prefixed-urls already exists, the CLI mode changes to the ACS Group-of-Prefixed-URLs Configuration Mode for that group.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a group-of-prefixed-URLs.
Also see the ACS Group-of-Prefixed-URLs Configuration Mode Commands chapter.
Example
The following command creates group-of-prefixed-urls named test5, and enters the ACS Group-of-Prefixed-URLs Configuration Mode:
group-of-prefixed-urls test5
 
group-of-ruledefs
This command allows you to create, configure, or delete ACS group-of-ruledefs.
Important: A maximum of 64 groups-of-ruledefs can be configured in the active charging service.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
group-of-ruledefs ruledefs_group_name [ -noconfirm ]
no group-of-ruledefs ruledefs_group_name
no
Deletes the specified group-of-ruledefs, if previously configured, from the active charging service.
ruledefs_group_name
Specifies name of the group-of-ruledefs.
ruledefs_group_name must be unique within the active charging service, and must be a string of 1 through 63 characters in length. Up to 64 groups may be configured.
If the named group-of-ruledefs does not exist, it is created, and the CLI mode changes to the ACS Group-of-Ruledefs Configuration Mode wherein the group can be configured.
If the named group-of-ruledefs already exists, the CLI mode changes to the ACS Group-of-Ruledefs Configuration Mode for that group.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a group-of-ruledefs.
A group-of-ruledefs is a collection of rule definitions to use in access policy creation. The group-of-ruledefs name must be unique within the service.
Also see the ACS Group-of-Ruledefs Configuration Mode Commands chapter.
Example
The following command creates a group-of-ruledefs named group1, and enters the ACS Group-of-Ruledefs Configuration Mode:
group-of-ruledefs group1
 
h323 time-to-live
This command configures the time for which an endpoint’s registration to a gatekeeper is valid.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
h323 time-to-live timeout
default h323 time-to-live
default
Configures the default setting for endpoint registration.
Default: 3600 seconds
timeout
Specifies the timeout setting, in seconds.
timeout must be an integer from 1 through 2147483647.
Usage
Use this command to configure the time for which an endpoint’s registration to a gatekeeper is valid.
Example
The following command configures the time for an endpoint registration with a timeout setting of 5 seconds:
h323 time-to-live 5
 
h323 timeout
This command configures the timeout intervals for the various H323 requests.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
h323 timeout { admission adm_timeout | discovery disc_timeout | location loc_timeout | registration reg_timeout | unregistration unreg_timeout }
default h323 timeout { admission | discovery | location | registration | unregistration }
default
Configures the default setting for the various H323 requests.
admission adm_timeout
Configures the timeout value for the admission request sent to the gatekeeper.
adm_timeout must be an integer from 1 through 20.
Default: 10 seconds
discovery disc_timeout
Configures the timeout value for the gatekeeper request message sent to the Gatekeeper.
disc_timeout must be an integer from 1 through 20.
Default: 10 seconds
location loc_timeout
Configures the timeout value for the location request message sent to the Gatekeeper.
loc_timeout must be an integer from 1 through 20.
Default: 10 seconds
registration reg_timeout
Configures the timeout value for the registration request message sent to the Gatekeeper.
reg_timeout must be an integer from 1 through 20.
Default: 6 seconds
unregistration unreg_timeout
Configures the timeout value for the unregistration request message sent to the Gatekeeper.
unreg_timeout must be an integer from 1 through 20.
Default: 3 seconds
Usage
Use this command to configure the timeout interval for the various H323 requests.
Example
The following command configures the admission request message with a timeout value of 15 seconds:
h323 timeout admission 15
 
h323 tpkt
This command configures the maximum size of Transport Protocol Data Unit Packets (TPKT) that H323 ALG can handle.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
h323 tpkt max_tpkt_size
default h323 tpkt
default
Configures the default setting for this command.
Default: 2048 bytes
max_tpkt_size
Specifies the maximum TPKT size, in bytes.
max_tpkt_size must be an integer from 4 through 4096.
Usage
Use this command to configure the maximum packet size for the H.323 ALG.
Example
The following command configures a maximum TPKT packet size of 100 bytes:
h323 tpkt 100
 
h323 version
This command configures the H323 version number supported by H323 ALG.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
h323 version version_number
default h323 version
default
Configures the default H323 version.
Default: 5
version_number
Specifies the H323 version number.
version_number must be an integer from 1 through 7.
Usage
Use this command to configure the H323 version number supported by the H323 ALG.
Example
The following command configures the H323 version number 1:
h323 version 1
 
host-pool
This command allows you to create, configure, or delete host pools.
Product
All
Privilege
Security Administrator, Administrator
Syntax
host-pool host_pool_name [ -noconfirm ]
no host-pool host_pool_name
no
Deletes the specified host pool, if previously configured, from the active charging service.
host_pool_name
Specifies name of the host pool.
host_pool_name must be a string of 1 through 63 characters in length, and can contain punctuation characters.
If the named host pool does not exist, it is created, and the CLI mode changes to the ACS Host Pool Configuration Mode wherein the host pool can be configured.
If the named host pool already exists, the CLI mode changes to the ACS Host Pool Configuration Mode for that host pool.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete ACS host pools.
A host pool is a collection of hosts and IP addresses to use in access policy creation. The host pool name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names. A maximum of 256 host pools can be created.
Important: Host pools configured in other ruledefs cannot be deleted.
Also see the ACS Host Pool Configuration Mode Commands chapter.
Example
The following command creates a host pool named hostpool1, and enters the ACS Host Pool Configuration Mode:
host-pool hostpool1
 
idle-timeout
This command configures the maximum duration a flow can remain idle, in seconds, after which the system automatically terminates the flow.
Product
ACS, NAT, FW
Privilege
Security Administrator, Administrator
Syntax
idle-timeout { alg-media | flow-mapping { tcp | udp } | icmp | tcp | udp } idle_timeout
{ default | no } idle-timeout { alg-media | flow-mapping { tcp | udp } | icmp | tcp | udp }
default
Configures the default idle-timeout setting for the specified flow.
Default: alg-media: 120 seconds; flow-mapping: 300 seconds for TCP and 0 seconds for UDP; icmp, tcp, udp: 300 seconds
no
Disables the idle-timeout configuration for the specified flow.
alg-media
Configures the ALG media for the specified flow.
flow-mapping { tcp | udp }
The Flow Mapping timer is an extension to the existing flow idle-timeout in ACS. This flow mapping timeout applies only for NAT enabled calls and is supported only for TCP and UDP flows. The purpose of this timer is to hold the resources (NAT IP, NAT port, Private IP NPU flow) associated with a 5-tuple flow until Mapping timeout expiry.
If the Flow Mapping timer is disabled, then the Mapping timeout will not get triggered for UDP/TCP idle timed out flows. The resources such as NAT mapping will be released along with the 5-tuple flow.
icmp
Configures the ICMP protocol for the specified flow.
tcp
Configures the TCP protocol for the specified flow.
udp
Configures the UDP protocol for the specified flow.
idle_timeout
Specifies the timeout duration, in seconds, and must be an integer from 0 through 86400.
For alg-media specifies the media inactivity timeout. The idle_timeout value gets applied on RTP and RTCP media flows that are created for SIP/H.323 calls. The timeout is applied only on those flows that actually match the RTP and RTCP media pinholes that are created by the SIP/H.323 ALG.
A value of 0 disables the idle-timeout setting.
Usage
Use this command to configure the maximum duration a flow can remain idle, in seconds, after which the system automatically terminates the flow.
Setting the value to 0 will cause the idle-timeout setting to be disabled.
For flows other than TCP, UDP and ICMP, the timeout value will always be 300 seconds (unless configured in the charging-action). The charging action’s flow idle-timeout has precedence over the ACS idle-timeout. If the charging action’s flow idle-timeout is default, then flows will have the value configured in the active charging service.
Example
The following command configures the maximum duration a TCP flow can remain idle to 3000 seconds, after which the system automatically terminates the flow:
idle-timeout tcp 3000
 
imsi-pool
This command allows you to create, configure, or delete IMSI pools.
Product
All
Privilege
Security Administrator, Administrator
Syntax
imsi-pool imsi_pool_name [ -noconfirm ]
no imsi-pool imsi_pool_name
no
Deletes the specified IMSI pool, if previously configured, from the active charging service.
imsi_pool_name
Specifies name of the IMSI pool.
imsi_pool_name must be a string of 1 through 63 characters in length, and can contain punctuation characters.
If the named IMSI pool does not exist, it is created, and the CLI mode changes to the ACS IMSI Pool Configuration Mode wherein the IMSI pool can be configured.
If the named IMSI pool already exists, the CLI mode changes to the ACS IMSI Pool Configuration Mode for that IMSI pool.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create, configure, or delete pools of International Mobile Subscriber Identifier (IMSI) numbers, each containing single IMSI numbers or ranges of IMSI numbers, to use in access policy creation. The IMSI pool name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names. A maximum of 256 IMSI pools can be created.
Important: IMSI pools configured in other ruledefs cannot be deleted.
Also see the ACS IMSI Pool Configuration Mode Commands chapter.
Example
The following command creates an IMSI pool named imsipool1, and enters the ACS IMSI Pool Configuration Mode:
imsi-pool imsipool1
ip max-fragments
This command limits the maximum number of IPv4/IPv6 fragments per fragment chain.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip max-fragments max_fragments
default ip max-fragments
default
Configures the default maximum number of IPv4/IPv6 fragments limit.
Default: 45
max_fragments
Specifies the maximum number of IPv4/IPv6 fragments per fragment chain.
max_fragments must be an integer from 1 through 300.
Usage
Use this command to limit the maximum number of IPv4/IPv6 fragments.
Example
The following command limits the maximum number of IPv4/IPv6 fragments to 100:
ip max-fragments 100
 
label
This command assigns a text string label to a specific content ID for UDRs/EDRs/eG-CDRs in the active charging service.
Product
All
Privilege
Security Administrator, Administrator
Syntax
label content-id content_id text string
no label content-id content_id
no
Deletes the specified label, if previously configured, from the active charging service.
content-id content_id
Specifies the content ID to add a text string label for a description.
content_id must be an integer from 0 through 4,294,967,295.
text string
This keyword provides the option to add descriptive text to each content ID, for definition or for user-specific requirements.
string must be an alpha and/or numeric string of 1 through 64 characters in length.
Usage
Use this command to create a label string to attach to a specific content ID configured in the ACS Charging Action Configuration Mode.
A maximum of 2048 labels can be configured in the active charging service.
Example
The following command creates a label string test_charge1 for content-id 1378:
label content-id 1378 text test_charge1
 
nat allocation-failure
Configures action to take when NAT IP/Port allocation fails.
Important: This command is available only in StarOS 8.3 and later releases.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
nat allocation-failure send-icmp-dest-unreachable
{ default | no } nat allocation-failure
default
Configures the default setting.
Default: Packets are dropped silently
no
Disables the NAT Allocation Failure configuration.
When set, packets are dropped silently.
send-icmp-dest-unreachable
Specifies sending ICMP Destination Unreachable message when NAT IP/Port allocation fails.
Usage
Use this command to configure the action to take when NAT IP/port allocation fails—to send or not to send an “ICMP destination unreachable message” when a NAT IP/port cannot be assigned to a flow in data-path.
Example
The following command configures sending ICMP Destination Unreachable message when NAT IP/Port allocation fails:
nat allocation-failure send-icmp-dest-unreachable
 
nat allocation-in-progress
Configures action to take on packets when NAT IP/NPU allocation is in progress.
Important: This command is available only in StarOS 8.3 and later releases.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
nat allocation-in-progress { buffer | drop }
default nat allocation-in-progress
default
Configures the default setting.
Default: buffer
buffer | drop
Specifies the action to take on packets when NAT IP/NPU allocation is in progress:
buffer: Specifies to buffer packets.
drop: Specifies to drop packets.
Usage
In On-demand NAT IP allocation (wherein NAT IP address is allocated to the subscriber when a packet is being sent), if no free NAT IP address is available, a NAT-IP Alloc Request is sent to the VPNMgr to get NAT-IP. During that time packets are dropped. This command enables buffering the packets received when IP Alloc Request is sent to VPNMgr.
Example
The following command specifies to buffer packets when NAT IP/NPU allocation is in progress:
nat allocation-in-progress buffer
 
nat tcp-2msl-timeout
This command configures the TCP 2msl timeout for NAT.
Important: This command is available only in StarOS 8.3 and later releases.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
nat tcp-2msl-timeout timeout
default nat tcp-2msl-timeout
default
Configures the default setting.
Default: 60 seconds
timeout
Specifies the TCP 2msl timeout period, in seconds.
timeout must be an integer from 30 through 240.
Usage
Use this command to configure the TCP 2msl timeout for NAT.
Example
The following command configures the TCP 2msl timeout for NAT to 120 seconds:
nat tcp-2msl-timeout 120
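The integer ranges documented above for the h323, idle-timeout, ip max-fragments and nat tcp-2msl-timeout commands can be checked offline before a configuration is applied. The following Python checker is an added example, not part of the StarOS documentation or tooling; the function name audit, the finding format and the sample configuration are constructed for illustration.

```python
import re

# Inclusive integer ranges, copied from the command descriptions on this page.
RANGE_RULES = [
    (r"h323 time-to-live", 1, 2147483647),
    (r"h323 timeout (?:admission|discovery|location|registration|unregistration)", 1, 20),
    (r"h323 tpkt", 4, 4096),
    (r"h323 version", 1, 7),
    (r"idle-timeout (?:alg-media|flow-mapping (?:tcp|udp)|icmp|tcp|udp)", 0, 86400),
    (r"ip max-fragments", 1, 300),
    (r"nat tcp-2msl-timeout", 30, 240),
]
# Group 1 is the command (with its keyword), group 2 is the value token.
RULES = [(re.compile(rf"({p}) (\S+)"), lo, hi) for p, lo, hi in RANGE_RULES]

# Commands this checker understands; any other line is ignored.
KNOWN_PREFIXES = ("h323 time-to-live", "h323 timeout", "h323 tpkt", "h323 version",
                  "idle-timeout", "ip max-fragments", "nat tcp-2msl-timeout")


def audit(config_text):
    """Return a list of (line_number, severity, message) findings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())  # normalise whitespace
        if not line or line.startswith("default "):
            continue  # "default ..." restores the documented default value
        if line.startswith("no "):
            # "no idle-timeout <flow>" disables the idle timeout for that flow.
            if line.startswith("no idle-timeout ") and "flow-mapping" not in line:
                findings.append((lineno, "WARN", "idle timeout disabled: " + line))
            continue
        for pattern, lo, hi in RULES:
            m = pattern.fullmatch(line)
            if not m:
                continue
            cmd, value = m.groups()
            if not (value.isascii() and value.isdigit()):
                findings.append((lineno, "ERROR", f"{cmd}: '{value}' is not an integer"))
            elif not lo <= int(value) <= hi:
                findings.append((lineno, "ERROR", f"{cmd}: {value} outside {lo}..{hi}"))
            elif (cmd.startswith("idle-timeout") and "flow-mapping" not in cmd
                  and int(value) == 0):
                # Per this page, a value of 0 disables the idle-timeout setting.
                findings.append((lineno, "WARN", f"{cmd}: 0 disables the idle timeout"))
            break
        else:
            # No rule matched: report only if it is one of the known commands.
            if line.startswith(KNOWN_PREFIXES):
                findings.append((lineno, "ERROR", "unrecognised form: " + line))
    return findings


# Constructed sample configuration (not taken from a real system).
SAMPLE_CONFIG = """\
h323 timeout admission 15
h323 timeout registration 30
h323 tpkt 100
h323 tpkt 2
idle-timeout tcp 3000
idle-timeout udp 0
no idle-timeout icmp
idle-timeout flow-mapping udp 0
ip max-fragments 100
ip max-fragments 500
nat tcp-2msl-timeout 20
default h323 version
rulebase base1
"""

if __name__ == "__main__":
    for lineno, severity, message in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {severity}: {message}")
```

Flow-mapping timers are not warned about at 0 because this page documents 0 seconds as the default for UDP flow mapping.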
 
p2p-detection protocol
This command configures the detection of specific peer-to-peer (P2P) protocols.
Product
ADC
Privilege
Security Administrator, Administrator
Syntax
[ no ] p2p-detection protocol [ actsync | aimini | all | antsp2p | applejuice | ares | armagettron | battlefld | bittorrent | blackberry | citrix | clubpenguin | crossfire | ddlink | directconnect | dofus | edonkey | facebook | facetime | fasttrack | feidian | fiesta | filetopia | florensia | freenet | fring | funshion | gadugadu | gamekit | gmail | gnutella | gtalk | guildwars | halflife2 | hamachivpn | iax | icecast | imesh | imo | iptv | irc | isakmp | iskoot | itunes | jabber | kontiki | manolito | maplestory | meebo | mgcp | msn | mute | myspace | netmotion | nimbuzz | octoshape | off | ogg | oovoo | openft | openvpn | orb | oscar | paltalk | pando | pandora | popo | pplive | ppstream | ps3 | qq | qqgame | qqlive | quake | quicktime | rdp | rfactor | rmstream | scydo | secondlife | shoutcast | skinny | skype | slingbox | sopcast | soulseek | splashfighter | spotify | ssdp | stealthnet | steam | stun | tango | teamspeak | teamviewer | thunder | tor | truphone | tunnelvoice | tvants | tvuplayer | twitter | ultrabac | usenet | uusee | veohtv | viber | vpnx | vtun | warcft3 | whatsapp | wii | winmx | winny | wmstream | wofkungfu | wofwarcraft | xbox | xdcc | yahoo | yourfreetunnel | zattoo + ]
all
Configures the system to detect all supported P2P protocols. Specifying all is the same as individually configuring each of the following protocols.
actsync
Configures the system to detect actsync protocol.
aimini
Configures the system to detect aimini protocol.
antsp2p
Configures the system to detect antsp2p protocol.
applejuice
Configures the system to detect applejuice protocol.
ares
Configures the system to detect ares protocol.
armagettron
Configures the system to detect armagettron protocol.
battlefld
Configures the system to detect battlefld protocol.
bittorrent
Configures the system to detect bittorrent protocol.
blackberry
Configures the system to detect blackberry protocol.
citrix
Configures the system to detect citrix protocol.
clubpenguin
Configures the system to detect clubpenguin protocol.
crossfire
Configures the system to detect crossfire protocol.
ddlink
Configures the system to detect ddlink protocol.
directconnect
Configures the system to detect directconnect protocol.
dofus
Configures the system to detect dofus protocol.
edonkey
Configures the system to detect edonkey protocol.
facebook
Configures the system to detect facebook protocol.
facetime
Configures the system to detect facetime protocol.
Important: The facetime protocol option is available only in 9.0 and in 11.0 and later releases.
fasttrack
Configures the system to detect fasttrack protocol.
feidian
Configures the system to detect feidian protocol.
fiesta
Configures the system to detect fiesta protocol.
filetopia
Configures the system to detect filetopia protocol.
florensia
Configures the system to detect florensia protocol.
freenet
Configures the system to detect freenet protocol.
fring
Configures the system to detect fring protocol.
funshion
Configures the system to detect funshion protocol.
gadugadu
Configures the system to detect gadugadu protocol.
gamekit
Configures the system to detect gamekit protocol.
Important: The gamekit protocol option is available only in 9.0 and in 11.0 and later releases.
gmail
Configures the system to detect gmail protocol.
gnutella
Configures the system to detect gnutella protocol.
gtalk
Configures the system to detect gtalk protocol.
guildwars
Configures the system to detect guildwars protocol.
halflife2
Configures the system to detect halflife2 protocol.
hamachivpn
Configures the system to detect hamachivpn protocol.
iax
Configures the system to detect iax protocol.
icecast
Configures the system to detect icecast protocol.
imesh
Configures the system to detect imesh protocol.
imo
Configures the system to detect imo protocol.
iptv
Configures the system to detect iptv protocol.
irc
Configures the system to detect irc protocol.
isakmp
Configures the system to detect isakmp protocol.
itunes
Configures the system to detect itunes protocol.
jabber
Configures the system to detect jabber protocol.
kontiki
Configures the system to detect kontiki protocol.
manolito
Configures the system to detect manolito protocol.
maplestory
Configures the system to detect maplestory protocol.
meebo
Configures the system to detect meebo protocol.
mgcp
Configures the system to detect mgcp protocol.
msn
Configures the system to detect msn protocol.
mute
Configures the system to detect mute protocol.
myspace
Configures the system to detect myspace protocol.
netmotion
Configures the system to detect netmotion protocol.
nimbuzz
Configures the system to detect nimbuzz protocol.
octoshape
Configures the system to detect octoshape protocol.
off
Configures the system to detect off protocol.
ogg
Configures the system to detect ogg protocol.
oovoo
Configures the system to detect oovoo protocol.
openft
Configures the system to detect openft protocol.
openvpn
Configures the system to detect openvpn protocol.
orb
Configures the system to detect orb protocol.
oscar
Configures the system to detect oscar protocol.
paltalk
Configures the system to detect paltalk protocol.
pando
Configures the system to detect pando protocol.
pandora
Configures the system to detect pandora protocol.
popo
Configures the system to detect popo protocol.
pplive
Configures the system to detect pplive protocol.
ppstream
Configures the system to detect ppstream protocol.
ps3
Configures the system to detect ps3 protocol.
qq
Configures the system to detect qq protocol.
qqgame
Configures the system to detect qqgame protocol.
qqlive
Configures the system to detect qqlive protocol.
quake
Configures the system to detect quake protocol.
quicktime
Configures the system to detect quicktime protocol.
rdp
Configures the system to detect rdp protocol.
rfactor
Configures the system to detect rfactor protocol.
rmstream
Configures the system to detect rmstream protocol.
scydo
Configures the system to detect scydo protocol.
secondlife
Configures the system to detect secondlife protocol.
shoutcast
Configures the system to detect shoutcast protocol.
skinny
Configures the system to detect skinny protocol.
skype
Configures the system to detect skype protocol.
slingbox
Configures the system to detect slingbox protocol.
sopcast
Configures the system to detect sopcast protocol.
soulseek
Configures the system to detect soulseek protocol.
splashfighter
Configures the system to detect splashfighter protocol.
spotify
Configures the system to detect spotify protocol.
ssdp
Configures the system to detect ssdp protocol.
stealthnet
Configures the system to detect stealthnet protocol.
steam
Configures the system to detect steam protocol.
stun
Configures the system to detect stun protocol.
tango
Configures the system to detect tango protocol.
teamspeak
Configures the system to detect teamspeak protocol.
teamviewer
Configures the system to detect teamviewer protocol.
thunder
Configures the system to detect thunder protocol.
tor
Configures the system to detect tor protocol.
truphone
Configures the system to detect truphone protocol.
tunnelvoice
Configures the system to detect tunnelvoice protocol.
tvants
Configures the system to detect tvants protocol.
tvuplayer
Configures the system to detect tvuplayer protocol.
twitter
Configures the system to detect twitter protocol.
ultrabac
Configures the system to detect ultrabac protocol.
usenet
Configures the system to detect usenet protocol.
uusee
Configures the system to detect uusee protocol.
veohtv
Configures the system to detect veohtv protocol.
viber
Configures the system to detect viber protocol.
vpnx
Configures the system to detect vpnx protocol.
vtun
Configures the system to detect vtun protocol.
warcft3
Configures the system to detect warcft3 protocol.
whatsapp
Configures the system to detect whatsapp protocol.
wii
Configures the system to detect wii protocol.
winmx
Configures the system to detect winmx protocol.
winny
Configures the system to detect winny protocol.
wmstream
Configures the system to detect wmstream protocol.
wofkungfu
Configures the system to detect wofkungfu protocol.
wofwarcraft
Configures the system to detect wofwarcraft protocol.
xbox
Configures the system to detect xbox protocol.
xdcc
Configures the system to detect xdcc protocol.
yahoo
Configures the system to detect yahoo protocol.
yourfreetunnel
Configures the system to detect yourfreetunnel protocol.
zattoo
Configures the system to detect zattoo protocol.
+
More than one of the above keywords can be entered within a single command.
Usage
Use this command to configure the detection of specific P2P protocols. Multiple protocols can be specified in a single command.
Example
The following command enables detection of all P2P protocols:
p2p-detection protocol all
 
p2p-dynamic-rules
This command is under development for a future release and is not supported in this release.
 
 
packet-filter
This command allows you to create, configure, or delete ACS packet filters.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
packet-filter packet_filter_name [ -noconfirm ]
no packet-filter packet_filter_name
no
Deletes the specified packet filter, if previously configured, from the active charging service.
packet_filter_name
Specifies name of the packet filter.
packet_filter_name must be a string of 1 through 63 characters in length.
If the named packet filter does not exist, it is created, and the CLI mode changes to the ACS Packet Filter Configuration Mode wherein the packet filter can be configured.
If the named packet filter already exists, the CLI mode changes to the ACS Packet Filter Configuration Mode for that packet filter.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an ACS packet filter.
Also see the ACS Packet Filter Configuration Mode Commands chapter.
Example
The following command creates a packet filter named filter3, and enters the ACS Packet Filter Configuration Mode:
packet-filter filter3
 
passive-mode
This command configures the active charging service to operate in passive mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] passive-mode
no
Disables the passive mode configuration.
default
Configures the default setting.
Default: Disabled
Usage
Use this command to put the active charging service into or out of passive mode operation. This setting determines whether the active charging service passively monitors copies of packets.
Example
The following command puts the active charging service into passive mode operation:
passive-mode
 
policy-control burst-size
This command configures the burst size for bandwidth limiting per dynamic-rule or per bearer.
Product
All
Privilege
Security Administrator, Administrator
Syntax
policy-control burst-size { auto-readjust [ duration duration ] | bytes bytes }
{ default | no } policy-control burst-size
default | no
Configures the default setting.
Default: 65535 bytes
auto-readjust
Configures the burst size equal to <seconds> of traffic.
Default: 10 seconds
duration duration
Specifies the seconds of traffic configured for burst size.
duration must be an integer from 1 through 20.
bytes bytes
Configures the burst size in bytes.
bytes must be an integer from 1 through 4000000000.
Usage
Use this command to configure the burst size for bandwidth limiting per dynamic-rule or per bearer.
Example
The following command configures the burst size for bandwidth limiting per dynamic-rule or per bearer equal to 10 seconds of traffic:
policy-control burst-size auto-readjust
 
policy-control charging-rule-base-name
This command configures interpretation of Charging-Rule-Base-Name AVP from PCRF either as active-charging rulebase or ACS group-of-ruledefs.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
policy-control charging-rule-base-name { active-charging-group-of-ruledefs | active-charging-rulebase [ ignore-when-removed ] }
default policy-control charging-rule-base-name
default
Configures the default setting.
Default: active-charging-group-of-ruledefs
active-charging-group-of-ruledefs
Specifies interpreting Charging-Rule-Base-Name as active-charging group-of-ruledefs.
active-charging-rulebase [ ignore-when-removed ]
Specifies interpreting Charging-Rule-Base-Name as active-charging rulebase.
When Charging-Rule-Base-Name AVP is interpreted as active-charging rulebase, if PCRF requests the removal of a Charging-Rule-Base-Name, which is the same as the rulebase used for that PDP context, the PDP context is terminated. This is because after removal of the rulebase, the PDP context will have no rulebase. This is the default behavior.
When the ignore-when-removed option is configured, PCRF request for removal of Charging-Rule-Base-Name is ignored and no action is taken.
For each call, this interpretation is decided at call setup, and will not be changed during the life of that call. Change will only apply to new calls coming up after the change.
Usage
Use this command to configure interpretation of Charging-Rule-Base-Name AVP from PCRF either as active charging group-of-ruledefs or as active-charging rulebase.
Example
The following command configures interpreting of Charging-Rule-Base-Name AVP as active-charging rulebase:
policy-control charging-rule-base-name active-charging-rulebase
 
policy-control retransmissions-counted
This command enables/disables charging of retransmitted packets when they hit a dynamic rule.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] policy-control retransmissions-counted
default | no
Disables charging of retransmitted packets when they hit a dynamic rule.
Default: Disabled
Usage
Use this command to enable/disable charging of retransmitted packets when they hit a dynamic rule.
Example
The following command enables retransmissions to be charged when they hit a dynamic rule:
policy-control retransmissions-counted
 
port-map
This command allows you to create, configure, or delete port maps.
Product
All
Privilege
Security Administrator, Administrator
Syntax
port-map port_map_name [ -noconfirm ]
no port-map port_map_name
no
Deletes the specified port map, if previously configured, from the active charging service.
port_map_name
Specifies name of the port map.
port_map_name must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
If the named port map does not exist, it is created, and the CLI mode changes to the ACS Port Map Configuration Mode wherein the port map can be configured.
If the named port map already exists, the CLI mode changes to the ACS Port Map Configuration Mode for that port map.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an ACS port map.
The port map name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names. A maximum of 256 port maps can be created.
Important: Port maps in use in other ruledefs cannot be deleted.
Also see the ACS Port Map Configuration Mode Commands chapter.
Example
The following command creates a port map named portmap1, and enters the ACS Port Map Configuration Mode:
port-map portmap1
 
redirect user-agent
This command specifies the user agent for conditional redirection of traffic flows.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] redirect user-agent user_agent_name
no
Deletes the specified user agent, if previously configured, from the active charging service.
user_agent_name
Specifies the name of the user agent to be used for redirecting traffic flow.
user_agent_name must be an alpha and/or numeric string of 1 through 32 characters in length.
A maximum of 16 user-agents can be configured in the active charging service.
Usage
Use this command to redirect traffic flows conditionally, based on the configured user-agent name. This user agent is used with the flow action command in the ACS Charging Action Configuration Mode.
Example
The following command specifies the redirect user agent user_rule1 for conditional redirection of traffic flow:
redirect user-agent user_rule1
 
rulebase
This command creates, configures, or deletes ACS rulebases.
Important: A maximum of 512 rulebases can be configured in the active charging service.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
rulebase rulebase_name [ -noconfirm ]
no rulebase rulebase_name
no
Deletes the specified rulebase, if previously configured, from the active charging service.
rulebase_name
Specifies the name of the rulebase.
rulebase_name must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
If the named rulebase does not exist, it is created, and the CLI mode changes to the ACS Rulebase Configuration Mode wherein the rulebase can be configured.
If the named rulebase already exists, the CLI mode changes to the ACS Rulebase Configuration Mode for that rulebase.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an ACS rulebase. A rulebase is a collection of protocol rules that match a flow, together with the actions to be taken for a matching flow. The rulebase_name must be unique in the active charging service.
The default rulebase is used when a subscriber/APN is not configured with a specific rulebase to use.
Also see the ACS Rulebase Configuration Mode Commands chapter.
Example
The following command creates a rulebase named test1, and enters the ACS Rulebase Configuration Mode:
rulebase test1
 
ruledef
This command creates, configures, or deletes ACS rule definitions.
Important: A maximum of 2048 ruledefs can be configured in the active charging service.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
ruledef ruledef_name [ -noconfirm ]
no ruledef ruledef_name
no
Deletes the specified ruledef, if previously configured, from the active charging service.
ruledef_name
Specifies the name of the ruledef.
ruledef_name must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
ruledef_name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names.
If the named ruledef does not exist, it is created, and the CLI mode changes to the ACS Ruledef Configuration Mode wherein the ruledef can be configured.
If the named ruledef already exists, the CLI mode changes to the ACS Ruledef Configuration Mode for that ruledef.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an ACS ruledef.
A ruledef represents a set of matching conditions across multiple L3 through L7 protocols, based on protocol fields and state information. Each ruledef can be used across multiple rulebases within the active charging service.
Also see the ACS Ruledef Configuration Mode Commands chapter.
Example
The following command creates an ACS ruledef named test1, and enters the ACS Ruledef Configuration Mode:
ruledef test1
system-limit l4-flows
This command configures the system-wide Layer 4 flow limit.
Important: This command is customer specific. For more information contact your local sales representative.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
system-limit l4-flows limit
{ default | no } system-limit l4-flows
default
Configures the default setting.
Default: no system-limit l4-flows
no
Disables the limit checking configuration.
limit
Specifies the Layer 4 flows limit, and must be an integer from 1 through 2147483647.
Usage
Use this command to configure the system-wide limit for Layer 4 flows.
The System-wide L4 Flow Limiting feature provides the capability to limit the number of TCP and UDP flows over the system. This limiting can be applied to all subscribers attaching to the system and to all APNs. This feature is compatible with the existing per-subscriber limiting (configured using the flow limit-for-flow-type charging action). Both kinds of limiting can be active at the same time.
System-wide flow limiting is implemented by periodically (approximately every 10 seconds) comparing the “Effective Flows” against the configurable “System-wide Flow Limit”. “Effective Flows” is the number of active data sessions, each identified by a 5-tuple key. If the “Effective Flows” exceeds the “System-wide Flow Limit”, the Resource Manager indicates this to the ACS service. Once ACS is aware that the “System-wide Flow Limit” has been reached, no more data sessions are set up, and the packets are discarded. While processing a subsequent flow-usage update from the ACS service, a change in behavior is indicated to the ACS service so that it starts accepting data sessions again. Because this relies on periodic reporting, there is an inherent delay in detecting both that the flow limit has been exceeded and that usage has returned below it.
Example
The following command sets the system limit for L4 flows to 100:
system-limit l4-flows 100
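The periodic comparison described in the Usage text above means the limit is enforced with a lag in both directions. The following Python model is an added example, not StarOS code: it assumes a fixed 10-second check with no further reporting delay, and simulate, burst_then_drain and the traffic rates are hypothetical.

```python
CHECK_INTERVAL_S = 10  # assumption: the page says roughly every 10 seconds


def simulate(limit, arrivals, departures, duration_s):
    """Model periodic flow limiting; return (peak_flows, dropped_setups, checks).

    arrivals/departures are callables t -> flows per second (assumed traffic).
    checks lists (t, effective_flows, accepting) at every periodic comparison.
    """
    flows, accepting = 0, True
    peak, dropped, checks = 0, 0, []
    for t in range(duration_s):
        if t % CHECK_INTERVAL_S == 0:
            # Effective Flows compared against the System-wide Flow Limit;
            # only here does the ACS side learn whether to accept new sessions.
            accepting = flows <= limit
            checks.append((t, flows, accepting))
        flows -= min(flows, departures(t))
        if accepting:
            flows += arrivals(t)
        else:
            dropped += arrivals(t)      # session not set up, packets discarded
        peak = max(peak, flows)
    return peak, dropped, checks


def burst_then_drain(limit=100):
    """Constructed scenario: 20 new flows/s for 30 s, then 2/s while 15/s close."""
    return simulate(
        limit,
        arrivals=lambda t: 20 if t < 30 else 2,
        departures=lambda t: 0 if t < 30 else 15,
        duration_s=60,
    )


if __name__ == "__main__":
    peak, dropped, checks = burst_then_drain()
    print(f"limit=100 peak={peak} dropped_setups={dropped}")
    for t, flows, accepting in checks:
        print(f"t={t:>2}s effective_flows={flows:>3} accepting={accepting}")
```

In this scenario the burst reaches 200 flows against a limit of 100 before the t=10 check sees the excess, and setups are still refused until the t=40 check although the count fell below 100 at t=36. When sizing the limit, leave headroom of about one check interval of peak arrival rate.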
timedef
This command creates, configures, or deletes ACS Time Definitions (timedefs).
Important: This command is available only in StarOS 8.1 and in StarOS 9.0 and later releases.
Important: A maximum of 10 timedefs can be configured in the active charging service.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
timedef timedef_name [ -noconfirm ]
no timedef timedef_name
no
Deletes the specified timedef, if previously configured, from the active charging service.
timedef_name
Specifies the name of the timedef.
timedef_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named timedef does not exist, it is created, and the CLI mode changes to the ACS Timedef Configuration Mode wherein timeslots for the timedef can be configured.
If the named timedef already exists, the CLI mode changes to the ACS Timedef Configuration Mode for that timedef.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete ACS timedefs for the Time-of-Day Activation/Deactivation of Rules feature. Timedefs enable activation/deactivation of ruledefs/groups-of-ruledefs such that they are available for rule matching only when they are active.
Also see the ACS Timedef Configuration Mode Commands chapter.
Example
The following command creates a timedef named test1, and enters the ACS Timedef Configuration Mode:
timedef test1
 
tpo policy
This command creates, configures, or deletes Traffic Performance Optimization (TPO) policies.
Product
TPO
Privilege
Security Administrator, Administrator
Syntax
tpo policy tpo_policy_name [ -noconfirm ]
no tpo policy tpo_policy_name
no
Deletes the specified TPO policy, if previously configured, from the active charging service.
tpo_policy_name
Specifies the name of the TPO policy.
tpo_policy_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named TPO policy does not exist, it is created, and the CLI mode changes to the ACS TPO Policy Configuration Mode wherein the TPO policy can be configured.
If the named TPO policy already exists, the CLI mode changes to the ACS TPO Policy Configuration Mode for that TPO policy.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Important: A maximum of 2048 TPO policies can be created in the system.
Use this command to create/configure/delete TPO policies.
A TPO Policy contains the rules that determine which TPO profile is to be used.
Also see the ACS TPO Policy Configuration Mode Commands chapter.
Example
The following command creates a TPO policy named tpo_policy_1, and enters the ACS TPO Policy Configuration Mode:
tpo policy tpo_policy_1
 
tpo profile
This command creates, configures, or deletes Traffic Performance Optimization (TPO) profiles.
Product
TPO
Privilege
Security Administrator, Administrator
Syntax
tpo profile tpo_profile_name [ -noconfirm ]
no tpo profile tpo_profile_name
no
Deletes the specified TPO profile, if previously configured, from the active charging service.
tpo_profile_name
Specifies the name of the TPO profile.
tpo_profile_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named TPO profile does not exist, it is created, and the CLI mode changes to the ACS TPO Profile Configuration Mode wherein the TPO profile can be configured.
If the named TPO profile already exists, the CLI mode changes to the ACS TPO Profile Configuration Mode for that TPO profile.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Important: A maximum of 2048 TPO profiles can be created in the system.
Use this command to create/configure/delete TPO profiles.
A TPO profile contains the optimization configuration to be used.
Also see the ACS TPO Profile Configuration Mode Commands chapter.
Example
The following command creates a TPO profile named tpo_profile_1, and enters the ACS TPO Profile Configuration Mode:
tpo profile tpo_profile_1
 
udr-format
This command creates/configures/deletes a UDR format specification.
Product
All
Privilege
Security Administrator, Administrator
Syntax
udr-format udr_format_name [ -noconfirm ]
no udr-format udr_format_name
no
Deletes the specified UDR format, if previously configured, from the active charging service.
udr_format_name
Specifies the name of the UDR format.
udr_format_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named UDR format does not exist, it is created, and the CLI mode changes to the UDR Format Configuration Mode wherein the UDR format can be configured.
If the named UDR format already exists, the CLI mode changes to the UDR Format Configuration Mode for that UDR format.
Up to 256 UDR and/or EDR formats can be configured in the active charging service.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a UDR format in the active charging service.
Also see the UDR Format Configuration Mode Commands chapter.
Example
The following command creates a UDR format named udr_format1:
udr-format udr_format1
 
url-blacklisting match-method
This command sets the match method to look up URLs in the URL Blacklisting database.
Product
CF
Privilege
Security Administrator, Administrator
Syntax
url-blacklisting match-method { exact | generic }
default url-blacklisting match-method
default
Default: exact
Configures the default match method.
exact
Specifies the exact-match method, wherein URL Blacklisting is performed only on exact match with URLs present in the URL Blacklisting database.
generic
Specifies the generic-match method, wherein URL Blacklisting is performed on generic match with URLs present in the URL Blacklisting database.
Usage
Use this command to set the match method to look up URLs in the URL Blacklisting database.
Example
The following command sets the exact-match method to look up URLs in the URL Blacklisting database:
url-blacklisting match-method exact
 
xheader-format
This command creates, configures, or deletes ACS extension-header (x-header) format specifications.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
xheader-format xheader_format_name [ -noconfirm ]
no xheader-format xheader_format_name
no
Deletes the specified x-header format, if previously configured, from the active charging service.
xheader_format_name
Specifies the name of the x-header format.
xheader_format_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named x-header format does not exist, it is created, and the CLI mode changes to the ACS X-header Format Configuration Mode wherein the x-header format can be configured.
If the named x-header format already exists, the CLI mode changes to the ACS X-header Format Configuration Mode for that x-header format.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an x-header format specification in the active charging service.
An x-header may be specified in a charging action to be inserted into HTTP GET and POST request packets. See the xheader-insert CLI command in the ACS Charging Action Configuration Mode Commands chapter. Also see the ACS X-header Format Configuration Mode Commands chapter.
Example
The following command creates an x-header format named test, and enters the ACS X-header Format Configuration Mode:
xheader-format test
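The name-length, object-count and name-uniqueness limits stated for port-map, ruledef, rulebase, timedef and redirect user-agent above can be checked before a configuration is loaded. The Python below is an added example, not part of StarOS or this guide: lint, RULES and SAMPLE are hypothetical names, "shared" stands for the namespace the page says port maps and ruledefs have in common, and only the commands listed in RULES are modelled.

```python
import re

# command: (max name length, max objects, namespace), limits as stated on this page.
RULES = {
    "port-map": (63, 256, "shared"),
    "ruledef": (63, 2048, "shared"),
    "rulebase": (63, 512, "rulebase"),
    "timedef": (63, 10, "timedef"),
    "redirect user-agent": (32, 16, "user-agent"),
}
LINE = re.compile(r"^\s*(no\s+)?(" + "|".join(map(re.escape, RULES)) + r")\s+(\S+)(\s+-noconfirm)?\s*$")


def lint(config_text):
    """Return [(line_no, message)] for the create/delete lines modelled above."""
    findings, owner, count = [], {}, dict.fromkeys(RULES, 0)
    for n, line in enumerate(config_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # some other command: out of scope for this check
        negate, cmd, name = bool(m.group(1)), m.group(2), m.group(3)
        max_len, max_count, space = RULES[cmd]
        key = (space, name)
        if negate:  # "no <command> <name>" deletes the object
            if owner.get(key) == cmd:
                del owner[key]
                count[cmd] -= 1
            continue
        # Length only: character-set rules are not enforced in this sketch.
        if len(name) > max_len:
            findings.append((n, f"{cmd} name longer than {max_len} characters"))
        if key in owner:
            if owner[key] != cmd:
                findings.append((n, f"{cmd} '{name}' collides with {owner[key]} of the same name"))
            continue  # same object again: the CLI only re-enters its mode
        owner[key] = cmd
        count[cmd] += 1
        if count[cmd] > max_count:
            findings.append((n, f"more than {max_count} {cmd} objects"))
    return findings


# Constructed sample input, not taken from a real system.
SAMPLE = "port-map web_ports\nruledef web_ports\ntimedef peak -noconfirm\n"

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE):
        print(f"line {line_no}: {message}")
```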
 
 

Cisco Systems Inc.