administrator: Enables/disables AAA accounting for context-level administrative users.
subscriber: Enables/disables AAA accounting for subscribers.
To enable or disable accounting for individual local subscriber configurations refer to the accounting-mode command in the Subscriber Configuration Mode Commands chapter.
Important: The accounting parameters in the APN Configuration Mode take precedence over this command for subscriber sessions. Therefore, if accounting is disabled using this command but enabled within the APN configuration, accounting is performed for subscriber sessions.|
•
|
administrator: local+RADIUS
|
|
•
|
subscriber: RADIUS
|
|
•
|
local: Disables local authentication for current context.
|
|
•
|
none: Disables NULL authentication for current context, which enables both local and RADIUS-based authentication.
|
|
•
|
radius-diameter: Disables RADIUS or Diameter-based authentication.
|
|
•
|
administrator: Enables/disables authentication for administrative users.
|
|
•
|
subscriber: Enables/disables authentication for subscribers.
|
|
•
|
local: Enables local authentication for the current context.
|
|
•
|
none: Disables authentication for the current context.
|
|
•
|
radius-diameter: Enables RADIUS or Diameter-based authentication.
|
aaa constructed-nai authentication [ [ encrypted ] password user_password | use-shared-secret-password ]
[ encrypted ] password user_password
encrypted: Specifies that the password (user_password) be encrypted.
password user_password: Specifies an authentication password for the NAI-constructed user. user_password must be an alpha and/or numeric string of 0 through 63 characters in length.
For simple IP sessions facilitated by PDSN services in which the authentication allow-noauth and aaa constructed-nai commands are configured, this command provides a password used for the duration of the session.
For PDP contexts using an APN in which the outbound user name is configured with no password, this command is used to provide the password. Additionally, this command is also used to provide a password for situations in which an outbound username and password are configured and the authentication imsi-auth command has been specified.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
Important: The domain alias can be set with the nai-construction domain command in the PDSN Service Configuration mode, or the aaa default-domain subscriber command in the Global Configuration mode for other core network services.|
•
|
If the domain alias is set by nai-construction domain, that value is always used and the aaa default-domain subscriber value is disregarded, if set. The NAI is of the form <msid><symbol><nai-construction domain>.
|
|
•
|
If the domain alias is not set by nai-construction domain, and the domain alias is set by aaa default-domain subscriber, the aaa default-domain subscriber value is used. The NAI is of the form <msid><symbol><aaa default-domain subscriber>.
|
|
•
|
If the domain alias is not set by nai-construction domain or aaa default-domain subscriber, the domain name alias is the name of the source context for the PDSN service. The NAI is of the form <msid><symbol><source context of PDSN Service>.
|
no aaa group group_name
group_name must be a string of 1 through 63 characters in length.
Use this command to create/configure/delete AAA server groups within the context. Also, refer to the AAA Server Group Configuration Mode Commands chapter.
aaa group test321
When the security policies require strict access control the deny-all handling should be configured.
administrator user_name [ encrypted ] password password | [ ecs ] [ expiry-date date_time ] [ ftp ] [ li-administration ] [ nocli ] [ noecs ] [ timeout-absolute timeout_absolute ] [ timeout-min-absolute timeout_min_absolute ] [ timeout-idle timeout_idle ] [ timeout-min-idle timeout_min_idle ]
no administrator user_name
Specifies the user name for which Security Administrator privileges must be enabled in the current context. user_name must be an alpha and/or numeric string of 1 through 32 characters in length.
[ encrypted ] password password
Specifies password for the user name. Optionally, the encrypted keyword can be used to specify the password uses encryption.
Without encryption password must be an alpha and/or numeric string of 1 through 63 characters in length. With encryption password can be an alpha and/or numeric string of 1 through 127 characters in length.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
expiry-date date_time
Refer to the ASR 5000 Lawful Intercept Configuration Guide for a description of this parameter.
timeout-absolute timeout_absolute
Important: This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.Specifies the maximum time, in seconds, the Security Administrator may have a session active before the session is forcibly terminated. timeout_absolute must be an integer from 0 through 300000000.
timeout-min-absolute timeout_min_absolute
Specifies the maximum time, in minutes, the Security Administrator may have a session active before the session is forcibly terminated. timeout_min_absolute must be an integer from 0 through 525600.
timeout-idle timeout_idle
Important: This keyword is obsolete. It has been left in place for backward compatibility. If used a warning is issued and the value entered is rounded to the nearest whole minute.Specifies the maximum time, in seconds, the Security Administrator may have a session active before the session is terminated. timeout_idle must be an integer from 0 through 300000000.
timeout-min-idle timeout_min_idle
Specifies the maximum time, in minutes, the Security Administrator may have a session active before the session is terminated. timeout_min_idle must be an integer from 0 through 525600.
Security Administrator users have read-write privileges and full access to all contexts and command modes. Refer to the Command Line Interface Overview chapter for more information.
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.The following command creates a Security Administrator account named user1 with access to ACS configuration commands:
no administrator user1
apn_name can be from 1 to 62 alpha and/or numeric characters and is not case sensitive. It may also contain dots (.) and/or dashes (-).
Warning: If this keyword option is used with no apn apn_name command the APN named apn_name will be deleted with all active/inactive subscribers without prompting any warning or confirmation.apn isp1
asn-qos-descriptor id qos_table_id [ default ] dscp [ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af 42 | af 43 | ef ] [ -noconfirm ]
no asn-qos-descriptor qos_table_id [ default ] dscp [ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af 42 | af 43 | ef ] [ -noconfirm ]
qos_table_id must be an integer between 1 to 65535.
Warning: If this keyword option is used with no asn-qos-descriptor id qos_table_id command the ASN QoS descriptor table with identifier qos_table_id will be deleted with all active/inactive configurations without prompting any warning or confirmation.Refer to the ASN QoS Descriptor Configuration Mode Commands chapter of this reference for additional information.
The following command creates a QoS descriptor table with identifier 1234 for the ASN-GW service subscribers:
asn-service-profile id asn_profile_id direction { bi-directional | downlink | uplink } [activation-trigger {activate | admit | dynamic-reservation | provisioned } [ -noconfirm ]
bi-directional: This keyword enables this service profile in both direction of uplink and downlink.
downlink: This keyword enables this service profile in downlink direction, towards the subscriber.
uplink: This keyword enables this service profile in uplink direction, towards the system.
Warning: If this keyword option is used with no asn-service-profile id asn_profile_id command the ASN service profile with identifier asn_profile_id will be deleted with all active/inactive configurations without prompting any warning or confirmation.Refer to the ASN Service Profile Configuration Mode Commands chapter of this reference for additional information.
The following command creates an ASN Service Profile with identifier 1234 for the ASN-GW service subscribers:
asngw_name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
Warning: If this keyword option is used with no asn-service asngw_name command the ASN-GW service named asngw_name will be deleted with all active/inactive subscribers without prompting any warning or confirmation.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.Refer to the ASN Gateway Service Configuration Mode Commands chapter of this reference for additional information.
asngw-service asn-gw1
asn_pc_svc_name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
Warning: If this keyword option is used with no asnpc-service asn_pc_svc_name command the ASN Paging Controller service named asn_pc_svc_name will be deleted and disabled with all active/inactive paging groups and paging agents configured in a context for ASN paging controller service without prompting any warning or confirmation.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.Refer to the ASN Paging Controller Service Configuration Mode Commands chapter of this reference for additional information.
asnpc-service asnpc_1
bmsc_profile_name can be from 1 to 62 alpha and/or numeric characters and is not case sensitive. It may also contain dots (.) and/or dashes (-).
Warning: If this keyword option is used with no bmsc-profile name bmsc_profile_name command the BM-SC profile named bmsc_profile_name is deleted with all active/inactive subscribers without prompting any warning or confirmation.bmsc-profile name mbms_sc_1
busyout ip pool { all | all-dynamic | all-static | name pool_name } [ address-range start_address end_address | lower-percentage percent | upper-percentage percent ]
no busyout ip pool { all | all-dynamic | all-static | name pool_name } [ address-range start_address end_address | lower-percentage percent | upper-percentage percent ]
name pool_name
This is the name of an IP pool or IP pool group in the current context to which this command is applied. pool_name must be the name of an existing IP pool or IP pool group in the current context.
address-range start_address end_address
Busyout all addresses from start_address through end_address. start_address: The beginning IP address of the range of addresses to busyout. This IP address must exist in the pool specified and must be entered in IP v4 dotted decimal notation.
end_address: The ending IP address of the range of addresses to busyout. This IP address must exist in the pool specified and must be entered in IP v4 dotted decimal notation.
lower-percentage percent
Busyout the percentage of IP addresses specified, beginning at the lowest numbered IP address. This is a percentage of all of the IP addresses in the specified IP pool. percent must be an integer from 0 through 100.
upper-percentage percent
Busyout the percentage of IP addresses specified, beginning at the highest numbered IP address. This is a percentage of all of the IP addresses in the specified IP pool. percent must be an integer from 0 through 100.
A single instance of this command can busy-out multiple IP address pools in the context through the use of the all, all-static, or all-dynamic keywords.
Assume an IP pool named Pool10 with addresses from 192.168.100.1 through 192.168.100.254. To busy out the addresses from 192.168.100.50 through 192.169.100.100, enter the following command:
no cae-group cae_group_name
cae-group cae_group_name
Creates the specified CAE group and enters the Video Group Configuration Mode. cae_group_name can be between 1 and 79 characters.
The following command creates a CAE group named group_1 and enters the Video Group Configuration Mode:
cae-group group_1
Important: For details about the commands and parameters, check the CAMEL Service Configuration Mode chapter.camel-service srvc_name
no camel-service srvc_name
The following command creates an CAMEL service named camel1 in the current context:
camel-service sgsn1
The following command removes the CAMEL service named camel2 from the configuration for the current context:
no camel-service camel2
[ no ] cipher-suite name
name must be from 1 to 127 alpha and/or numeric characters and must be unique across all CSCF services within the same context and across all contexts.
Important: One SSL cipher suite can be created per SSL template.Cipher Suite Configuration Mode commands are defined in the Cipher Suite Configuration Mode Commands chapter.
The following command specifies the SSL cipher suite cipher_suite_1 and enters the Cipher Suite Configuration Mode:
cipher-suite cipher_suite_1
Important: In this mode classification rules added sequentially with match command to form a Class-Map. To change and/or delete or re-add a particular rule entire Class-Map is required to delete.Following command configures classification map class_map1 with option to match any condition in match rule.
config-administrator user_name [ encrypted ] password password [ ecs ] [ expiry-date date_time ] [ ftp ] [ li-administration ] [ nocli ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle timeout_duration ] [ timeout-min-idle idle_minutes ]
no config-administrator user_name
Specifies the name for the account. user_name must be from 1 to 32 alpha and/or numeric characters.
[ encrypted ] password password
password must be from 1 to 63 alpha and/or numeric characters without encryption and must be from 1 to 127 alpha and/or numeric characters when encryption has been indicated.
expiry-date date_time
Refer to the ASR 5000 Lawful Intercept Configuration Guide for a description of this parameter.
timeout-absolute abs_seconds
Specifies the maximum amount of time, in seconds, the administrator may have a session active before the session is forcibly terminated. abs_seconds must be a value in the range from 0 through 300000000.
timeout-min-absolute abs_minutes
Specifies the maximum amount of time, in minutes, the context-level administrator may have a session active before the session is forcibly terminated. abs_minutes must be a value in the range from 0 through 525600 (365 days).
timeout-idle timeout_duration
Specifies the maximum amount of idle time, in seconds, the context-level administrator may have a session active before the session is terminated. timeout_duration must be a value in the range from 0 through 300000000.
timeout-min-idle idle_minutes
Specifies the maximum amount of idle time, in minutes, the context-level administrator may have a session active before the session is terminated. idle_minutes must be a value in the range from 0 through 525600 (365 days).
Administrator users have read-write privileges and full access to all contexts and command modes (except for a few security functions). Refer to the Command Line Interface Overview chapter of this guide for more information.
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.The following configures a context-level administration named user1 with ACS parameter control:
no config-administrator user1
no content-filtering server-group cf_server_group_name
cf_server_group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command creates a CFSG named CF_Server1:
content-filtering server-group CF_Server1
no credit-control-service service_name
service_name must be an alpha and/or numeric string of 1 through 63 characters in length.
credit-control-service test159
crypto group group_name
no crypto group group_name
Important: A maximum of 32 crypto groups per context can be configured.crypto group group1
crypto ipsec transform-set transform_name [ ah { hmac { md5-96 | none | sha1-96 } { esp { hmac { { md5-96 | sha1-96 } { cipher { 3des-cbc | aes-cbc-128 | aes-cbc-256 | des-cbc } } | none } } } } ]
no crypto ipsec transform-set transform_name
|
•
|
md5-96: Message Digest 5 truncated to 96 bits
|
|
•
|
none: Disables the use of the AH protocol for the transform set.
|
|
•
|
sha1-96: Secure Hash Algorithm-1 truncated to 96 bits
|
|
•
|
md5-96: Message Digest 5 truncated to 96 bits
|
|
•
|
none: Disables the use of the AH protocol for the transform set.
|
|
•
|
sha1-96: Secure Hash Algorithm-1 truncated to 96 bits
|
|
•
|
3des-cbc: Triple Data Encryption Standard (3DES) in chain block (CBC) mode.
|
|
•
|
aes-cbc-128: Advanced Encryption Standard (AES) in CBC mode with a 128-bit key.
|
|
•
|
aes-cbc-256: Advanced Encryption Standard (AES) in CBC mode with a 256-bit key.
|
|
•
|
des-cbc: DES in CBC mode.
|
Important: The ah and subsequent keywords are required when the transform set is initially configured.Create a transform set that has the name tset1, no authentication header, an encapsulating security protocol header hash message authentication code of md5, and a bulk payload encryption algorithm of des-cbc with the following command:
no crypto map name
The name by which the crypto map will be recognized by the system. name must be a string of from 1 through 127 alpha and/or numeric characters and is case sensitive.
Refer to the ASR 5000 Lawful Intercept Configuration Guide for a description of this parameter.
|
•
|
Manual crypto maps: These are static tunnels that use pre-configured information (including security keys) for establishment. Because they rely on statically configured information, once created, the tunnels never expire; they exist until their configuration is deleted.
|
Important: Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only be configured and used for testing purposes.|
•
|
IKEv1 crypto maps: These tunnels are similar to manual crypto maps in that they require some statically configured information such as the IP address of a peer security gateway and that they are applied to specific system interfaces. However, IKEv1 crypto maps offer greater security because they rely on dynamically generated security associations through the use of the Internet Key Exchange (IKE) protocol.
|
|
•
|
IKEv2-IPv6 crypto maps: Refer to the ASR 5000 Lawful Intercept Configuration Guide for a description of this parameter.
|
|
•
|
Dynamic crypto maps: These tunnels are used for protecting L2TP-encapsulated data between the system and an LNS/security gateway or Mobile IP data between an FA service configured on one system and an HA service configured on another.
|
Important: The crypto map type (dynamic, IKEv1, IKEv2-IPv6, or manual) is specified when the map is first created using this command.no crypto node node_name
map name
Assigns a previously configured crypto map policy to this crypto node. name must be a string of from 1 through 127 alpha and/or numeric characters and is case sensitive.
no crypto template name
name { ikev2-pdif | ipsec-3gpp-cscf }
Specifies the name of a new or existing crypto template. name must be from 1 to 127 alpha and/or numeric characters.
ikev2-dynamic: Configure the Crypto Template to be used for configuring IPSc functionality.
Important: This keyword cannot be used with IPSec for the SCM.ipsec-3gpp-cscf: Configure the Crypto Template to be used for configuring P-CSCF IPSec functionality.
Important: This keyword can only be used with IPSec for the SCM.
Important: The CSCF crypto template should be configured in the same context in which the P-CSCF is configured.Crypto Template Configuration Mode commands are defined in the Crypto Template Configuration Mode Commands and CSCF Crypto Template Configuration Mode Commands chapters.
The following command configures a IKEv2 dynamic crypto template called crypto1 and enters the Crypto Template Configuration Mode:
The following command configures a P-CSCF crypto template called crypto2 and enters the CSCF Crypto Template Configuration Mode:
no cscf access-profile name profile_name
name profile_name
profile_name must be from 1 to 79 alpha and/or numeric characters.
no cscf access-profile name profile_name
Access Profile Configuration Mode commands are defined in the CSCF Access Profile Configuration Mode Commands chapter.
The following command creates a CSCF Access Profile named profile2 and enters the Access Profile Configuration Mode:
cscf access-profile name profile2
no cscf acl name list_name
name list_name
list_name must be from 1 to 47 alpha and/or numeric characters in length.
no cscf acl name list_name
ACL Configuration Mode commands are defined in the CSCF ACL Configuration Mode Commands chapter.
The following command creates a CSCF access control list named acl1 and enters the ACL Configuration Mode:
cscf acl name acl1
Diameter Selection Configuration Mode commands are defined in the CSCF Diameter Configuration Mode Commands chapter.
cscf ifc-filter-criteria id fc_id priority pri [ profile-part-indicator { registered | unregistered } ] app-server uri scheme { sip | sips } as as-default-handling { session-continue | session-terminate } [ -noconfirm ] | [ service-info info ] [ trigger-point tp_name ] [ -noconfirm ] | [ trigger-point tp_id ] [ -noconfirm ]
name fc_id
fc_id must be an integer from 1 through 200.
priority pri
pri must be an integer from 0 through 1024.
Indicates whether the iFC is a part of the registered (registered) or unregistered (unregistered) user profile. If a value is not specified, then the configuration will be applied to both registered and unregistered subscribers.
sip: sip uri
sips: sips uri
as must be from 1 to 127 alpha and/or numeric characters in length.
Determines whether the dialog should be released (session-terminate) or not (session-continue) if the application server could not be reached or on application server error return.
service-info info
info must be from 1 to 63 alpha and/or numeric characters in length.
trigger-point tp_id
tp_id must be an integer from 1 through 200.
Important: Filter criteria is associated with an ISC template in the ISC Template Configuration Mode.
Important: Filter criteria can be assigned to more than one ISC template.The following command creates a iFC filter criteria 15, which has a priority of 2 and is part of the registered user profile. Filter criteria 15 is assigned to a sip application server named appserver. The dialog will not be released if the application server can not be reached. Filter criteria 15 is also assigned trigger point 12:
cscf ifc-filter-criteria id 15 priority 2 profile-part-indicator registered app-server uri scheme sip appserver as-default-handling session-continue trigger-point 12
cscf ifc-spt-condition id cond_id { request-uri content uri_content | session-case { originating-registered | originating-unregistered | terminating-registered | terminating-unregistered } | session-description sdp [ content sdp_data ] | sip-header hdr [ content hdr_data ] | sip-method method } [ -noconfirm ] [ condition-negated ]
no cscf ifc-spt-condition id cond_id
id cond_id
cond_id must be an integer from 1 through 200.
request-uri content uri_content
uri_content must be from 1 to 127 alpha and/or numeric characters in length.
Important: Wildcard Extended Regular Expressions (ERE) are supported for this value. For example, "sip.user[0-9]@192\\.168\\.176\\.150" |
•
|
originating-registered: Session handling an originating end user.
|
|
•
|
originating-unregistered: Session handling an unregistered originating end user.
|
|
•
|
terminating-registered: Session handling a terminating registered end user.
|
|
•
|
terminating-unregistered: Session handling a terminating unregistered end user.
|
sdp must be from 1 to 15 alpha and/or numeric characters in length.
content specifies content on the SDP line.
sdp_data must be from 1 to 127 alpha and/or numeric characters in length.
hdr must be from 1 to 127 alpha and/or numeric characters in length.
content specifies content on the header.
hdr_data must be from 1 to 127 alpha and/or numeric characters in length.
sip-method method
method must be from 1 to 127 alpha and/or numeric characters in length.
no cscf ifc-spt-condition id cond_id
Important: An iFC SPT group may be associated with multiple SPT conditions.The following command creates iFC SPT condition 10 which handles an originating end user:
cscf ifc-spt-group id group_id [ [ -noconfirm ] | reg-type { de-registration | initial-registration | re-registration } [ -noconfirm ] ]
no cscf ifc-spt-group id group_id
id group_id
group_id must be an integer from 1 through 200.
no cscf ifc-spt-group id group_id
Important: An iFC SPT group may be associated with multiple SPT conditions.iFC SPT Group Configuration Mode commands are defined in the CSCF IFC SPT Group Configuration Mode Commands chapter.
id tp_id
tp_id must be an integer from 1 through 200.
cnf: conjunctive normal form
dnf: disjunctive normal form
Important: An iFC SPT group can be assigned to more than one iFC trigger point.IFC Trigger Point Configuration Mode commands are defined in the CSCF IFC Trigger Point Configuration Mode Commands chapter.
The following command creates iFC trigger point 11 with a cnf condition type:
[ no ] cscf isc-template id template_id
id template_id
template_id must be an integer from 1 through 200.
ISC Template Configuration Mode commands are defined in the CSCF ISC Template Configuration Mode Commands chapter.
The following command creates ISC template 10 and enters the ISC Template Configuration Mode:
no cscf last-route-profile name profile_name
name profile_name
profile_name must be from 1 to 79 alpha and/or numeric characters in length.
county-name: Profile specific to the county-name criteria.
Last Route Profile Criteria Configuration Mode commands are defined in the CSCF Last Route Profile Criteria Configuration Mode Commands chapter.
round-robin: Profile specific to the round-robin criteria.
Last Route Profile Criteria Configuration Mode commands are defined in the CSCF Last Route Profile Criteria Configuration Mode Commands chapter.
no cscf last-route-profile name profile
Important: Last route profiles are associated with peer servers in the CSCF Peer Server Monitoring Configuration Mode.The following command creates a last route profile named lro1 and enters the CSCF Last Route Profile Criteria Configuration Mode to specify county name criteria:
The following command creates a last route profile named lro2 and enters the CSCF Last Route Profile Criteria Configuration Mode to specify round robin criteria:
no cscf peer-servers server_name
server_name must be from 1 to 79 alpha and/or numeric characters in length.
|
•
|
bgcf: Border Gateway Control Function
|
|
•
|
ecscf: Emergency Call/Session Control Function
|
|
•
|
ibcf: Interconnect Border Control Function
|
|
•
|
icscf: Interrogating Call/Session Control Function
|
|
•
|
mgcf: Media Gateway Control Function
|
|
•
|
mrfc: Media Resource Function Controller
|
|
•
|
other: Other Function
|
|
•
|
pcscf: Proxy Call/Session Control Function
|
|
•
|
scscf: Serving Call/Session Control Function
|
|
•
|
sip-as: Session Initiation Protocol-Application Server
|
no cscf peer-servers server_name
Peer Servers Configuration Mode commands are defined in the CSCF Peer Servers Configuration Mode Commands chapter.
The following command creates an I-CSCF server group type called icscf_group1 and enters the Peer Server Configuration Mode:
no cscf policy name policy_name
Default (AoR) Policy Configuration Mode commands are defined in the CSCF AoR Policy Rules Configuration Mode Commands chapter.
name policy_name
policy_name must be from 1 to 79 alpha and/or numeric characters in length.
Policy Configuration Mode commands are defined in the CSCF Policy Configuration Mode Commands chapter.
no cscf policy name policy_name
Use this command to create a policy group and enter either the AoR Policy Rules Configuration Mode (default) or Policy Configuration Mode (name policy_name).
The following command creates a policy group named group2 and enters the CSCF Policy Configuration Mode:
cscf policy name group2
no cscf routes name route_name
name route_name
route_name must be from 1 to 79 alpha and/or numeric characters in length.
no cscf routes name route_name
Routes Configuration Mode commands are defined in the CSCF Routes Configuration Mode Commands chapter.
The following command creates a route group named route_group5 and enters the Route Group Configuration Mode:
cscf routes name route_group5
no cscf service service_name
Specifies the name of the CSCF service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
no cscf service service_name
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.CSCF Service Configuration Mode commands are defined in the CSCF Service Configuration Mode Commands chapter.
cscf service cscf-service1
The following command will remove cscf-service1 from the system:
no cscf service cscf-service1
no cscf session-template name template_name
name template_name
template_name must be from 1 to 79 alpha and/or numeric characters in length.
no cscf session-template name template_name
Session Template Configuration Mode commands are defined in the CSCF Session Template Configuration Mode Commands chapter.
The following command enters the Session Template Configuration Mode for a template named sess_temp4:
cscf session-template name sess_temp4
Subdomain-route List Configuration Mode commands are defined in the CSCF Subdomain-route List Configuration Mode Commands chapter.
no cscf translation name list_name
name list_name
list_name must be from 1 to 79 alpha and/or numeric characters in length.
no cscf translation name list_name
Translation Configuration Mode commands are defined in the CSCF Translation Configuration Mode Commands chapter.
The following command enters the Translation Configuration Mode for a translation list named trans_list3:
cscf translation name trans_list3
no cscf urn-service-list name list_name
name list_name
list_name must be from 1 to 79 alpha and/or numeric characters.
no cscf urn-service-list name list_name
URN List Configuration Mode commands are defined in the CSCF URN List Configuration Mode Commands chapter.
cscf urn-service-list name urn_list1
no dhcp-service service_name
Warning: If this keyword option is used with no dhcp-service service_name command the DHCP service named service_name is deleted with all active/inactive subscribers without prompting any warning or confirmation.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.Refer to the DHCP Service Configuration Mode chapter of this reference for additional information.
dhcp-service dhcp1
diameter accounting { dictionary { aaa-custom1 | aaa-custom10 | aaa-custom2 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq | rf-plus } | endpoint endpoint_name | hd-mode fall-back-to-local | hd-storage-policy hd_policy | max-retries max_retries | max-transmissions transmissions | request-timeout duration | server host_name priority priority }
no diameter accounting { endpoint | hd-mode | hd-storage-policy | max-retries | max-transmissions | server host_name }
no diameter accounting { endpoint | hd-mode | hd-storage-policy | max-retries | max-transmissions | server host_name }
endpoint: Removes the currently configured accounting endpoint. The default accounting server configured in the default AAA group will be used.
hd-mode: Sends records to the Diameter server, if all Diameter servers are down or unreachable, then copies records to the local HDD and periodically retries the Diameter server.
hd-storage-policy: Disables use of the specified HD storage policy.
max-retries: Disables the retry attempts for Diameter accounting in this AAA group.
max-transmissions: Disables the maximum number of transmission attempts for Diameter accounting in this AAA group.
server host_name: Removes the Diameter host host_name from this AAA server group for Diameter accounting.
dictionary: Sets the context’s dictionary to the default.
hd-mode: Sends records to the Diameter server, if all Diameter servers are down or unreachable, then copies records to the local HDD and periodically retries the Diameter server.
max-retries: 0 (disabled)
max-transmissions: 0 (disabled)
request-timeout: 20 seconds
aaa-custom1 ... aaa-custom10: Configures the custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.
nasreq: nasreq dictionary—the dictionary defined by RFC 4005.
rf-plus: RF Plus dictionary.
endpoint endpoint_name
endpoint_name must be a string of 1 through 63 characters in length.
hd-storage-policy hd_policy
hd_policy must be the name of a configured HD Storage policy, and must be a string of 1 through 63 alpha and/or numeric characters in length.
This and the hd-mode command are used to enable the storage of Rf Diameter Messages to HDD in case all Diameter Servers are down or unreachable.
max-retries max_retries
max_retries specifies the maximum number of retry attempts. The value must be an integer from 1 through 1000.
max-transmissions transmissions
Specifies the maximum number of transmission attempts for a Diameter request. Use this in conjunction with the “max-retries max_retries” option to control how many servers will be attempted to communicate with.
transmissions specifies the maximum number of transmission attempts for a Diameter request. The value must be an integer from 1 through 1000.
request-timeout duration
duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request. The value must be an integer from 1 to 3600.
host_name specifies the Diameter host name, it must be a string of 1 through 63 characters in length.
priority specifies the relative priority of this Diameter host. The priority is used in server selection. The priority must be an integer from 1 through 1000.
diameter accounting endpoint aaaa_test
diameter authentication { dictionary { aaa-custom1 | aaa-custom10 | aaa-custom11 | aaa-custom12 | aaa-custom13 | aaa-custom14 | aaa-custom15 | aaa-custom16 | aaa-custom17 | aaa-custom18 | aaa-custom19 | aaa-custom2 | aaa-custom20 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq } | endpoint endpoint_name | max-retries max_retries | max-transmissions transmissions | redirect-host-avp { just-primary | primary-then-secondary } | request-timeout duration | server host_name priority priority }
|
•
|
endpoint: Removes the authentication endpoint. The default server configured in default AAA group will be used.
|
|
•
|
max-retries: Disables the retry attempts for Diameter authentication in this AAA group.
|
|
•
|
max-transmissions: Disables the maximum transmission attempts for Diameter authentication in this AAA group.
|
|
•
|
server host_name: Removes the Diameter host host_name from this AAA server group for Diameter authentication.
|
|
•
|
dictionary: Sets the context’s dictionary to the default.
|
|
•
|
max-retries: Sets the retry attempts for Diameter authentication requests in this AAA group to default 0 (disable).
|
|
•
|
max-transmissions: Sets the configured maximum transmission attempts for Diameter authentication in this AAA group to default 0 (disable).
|
|
•
|
redirect-host-avp: Sets the redirect choice to default (just-primary).
|
|
•
|
request-timeout: Sets the timeout duration, in seconds, for Diameter authentication requests in this AAA group to default (20).
|
aaa-custom1 ... aaa-custom8, aaa-custom10 ... aaa-custom20: Configures the custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.
Important: aaa-custom11 dictionary is only available in Release 8.1 and later. aaa-custom12 to aaa-custom20 dictionaries are only available in Release 9.0 and later releases.aaa-custom9: Configures the STa standard dictionary.
nasreq: nasreq dictionary—the dictionary defined by RFC 4005.
endpoint endpoint_name
endpoint_name must be a string of 1 through 63 characters in length.
max-retries max_retries
max_retries specifies the maximum number of retry attempts, and must be an integer from 1 through 1000.
max-transmissions transmissions
Specifies the maximum number of transmission attempts for a Diameter authentication request. Use this in conjunction with the “max-retries max_retries” option to control how many servers will be attempted to communicate with.
transmissions specifies the maximum number of transmission attempts, and must be an integer from 1 through 1000.
just-primary: Redirect only to primary host.
primary-then-secondary: Redirect to primary host, if fails then redirect to the secondary host.
Default: just-primary
request-timeout duration
duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request, and must be an integer from 1 through 3600.
host_name specifies the Diameter host name, and must be a string of 1 through 63 characters in length.
priority specifies the relative priority of this Diameter host, and must be an integer from 1 through 1000. The priority is used in server selection.
diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } { request-timeout action { continue | retry-and-terminate | terminate } | result-code result_code { [ to end_result_code ] action { continue | retry-and-terminate | terminate } } }
no diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } result-code result_code [ to end_result_code ]
|
•
|
continue: Continues the session
|
|
•
|
retry-and-terminate: First retries, if it fails then terminates the session
|
|
•
|
terminate: Terminates the session
|
result-code result_code { [ to end_result_code ] action { continue | retry-and-terminate | terminate } }
result_code: Specifies the result code, must be an integer from 1 through 65535.
to end_result_code: Specifies the upper limit of a range of result codes. end_result_code must be greater than result_code.
action { continue | retry-and-terminate | terminate }: Specifies action to be taken for failures:
|
•
|
continue: Continues the session
|
|
•
|
retry-and-terminate: First retries, if it fails then terminates the session
|
|
•
|
terminate: Terminates the session
|
This command is deprecated and is replaced by the diameter accounting dictionary and diameter authentication dictionary commands. See diameter accounting and diameter authentication commands respectively.
no diameter endpoint endpoint_name
endpoint_name must be an alpha and/or numeric string of 1 through 63 characters in length. The endpoint_name should be unique within the system.
Diameter origin endpoint configuration commands are described in the Diameter Endpoint Configuration Mode Commands chapter.
diameter endpoint test13
|
•
|
heartbeat-interval: Sets the heartbeat interval to the default value.
|
|
•
|
path max-retransmissions: Sets the SCTP path maximum retransmissions to the default value.
|
hearbeat-interval interval
interval must be an integer from 1 through 255.
path max-retransmissions retransmissions
retransmissions must be an integer from 1 through 10.
The following command configures the maximum number of consecutive retransmissions to 6, after which the endpoint is marked as inactive:
This command is deprecated and is replaced by the diameter endpoint command.
Specifies a name for the DNS client. name must be from 1 to 63 alpha and/or numeric characters in length.
DNS Client Configuration Mode commands are defined in the DNS Client Configuration Mode Commands chapter.
dns-client dns1
no domain [ * ] domain_name
no domain [ * ] domain_name
[ * ] domain_name
domain_name specifies the domain alias to create/remove from the current context. If the domain portion of a subscribers user name matches this value, the current context is used for that subscriber.
domain_name must be an alpha and/or numeric string of 1 through 79 characters in length. The domain name can contain all special characters, however note that the character * (wildcard character) is only allowed at the beginning of the domain name.
If the domain name is prefixed with * (wildcard character), and an exact match is not found for the domain portion of a subscriber’s user name, subdomains of the domain name are matched. For example, if the domain portion of a subscriber’s user name is abc.xyz.com and you use the domain command domain *xyz.com it matches. But if you do not use the wildcard (domain xyz.com) it does not match.
Important: The domain alias specified must not conflict with the name of any existing context or domain names.default subscriber subs_temp_name
Specifies the name of the subscriber template to apply to subscribers using this domain alias. subs_temp_name must be an alpha and/or numeric string of 1 through 127 characters in length. If this keyword is not specified the default subscriber configuration in the current context is used.
domain sampleDomain.net
no domain sampleDomain.net
[ no ] eap-profile name
Specifies the name of a new or existing EAP profile. name must be from 1 to 256 alpha and/or numeric characters.
EAP Configuration Mode commands are defined in the EAP Configuration Mode Commands chapter.
The following command configures an EAP profile called eap1 and enters the EAP Configuration Mode:
eap-profile eap1
If this CLI command is configured without the charging or reporting keywords, by default the EDR module is enabled for charging EDRs.
no egtp-service service_name
Specifies the name of the eGTP service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
no egtp-service service_name
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.eGTP Service Configuration Mode commands are defined in the eGTP Service Configuration Mode Commands chapter.
egtp-service egtp-service1
The following command will remove egtp-service1 from the system:
no egtp-service egtp-service1
This command enables creating/configuring/deleting an Event Notification collection server endpoint.
[ no ] event-notif-endpoint en_node_name
en_node_name must be an alpha and/or numeric string of 1 through 31 characters in length.
The commands configured in this mode are defined in the Event Notification Interface Endpoint Configuration Mode Commands chapter of Command Line Interface Reference.
Caution: This is a critical configuration. The PCC Event notification can not be collected on a server without this configuration. Any change to this configuration would lead to the loss of event notifications from PCC service on IPCF node.event-notif-endpoint event_intfc_3
[ no ] fa-service name
Specifies the name of the FA service to configure. If name does not refer to an existing service, the new service is created if resources allow. name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.The following command will enter the FA Service Configuration Mode creating the service sampleService, if necessary.
fa-service sampleService
The following command will remove sampleService as being a defined FA service.
no fa-service sampleService
no fng-service name
fng-service name
name must be from 1 to 63 alpha and/or numeric characters and must be unique across all FNG services within the same context and across all contexts.
no fng-service name
fng-service fng1
no ggsn-service svc_name
svc_name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.ggsn-service ggsn1
Important: For details about the commands and parameters for this mode, check the GPRS Service Configuration Mode chapter.gprs-service srvc_name
no gprs-service srvc_name
gprs-service gprs1
no gprs-service gprs1
no gs-service svc_name
Important: For details about the commands and parameters for this mode, refer Gs Service Configuration Mode chapter.gs-service gs1
no gs-service gs1
first-n count
Specifies that the AGW must send accounting data to count (more than one) CGFs based on their priority. Response from any one of the count CGFs would suffice to proceed with the call. The full set of accounting data is sent to each of the count CGFs.
count is the number of CGFs to which accounting data will be sent, and must be an integer from 2 through 65535.
gtpp attribute { apn-ni | apn-selection-mode | charging-characteristic-selection-mode | cell-plmn-id | diagnostics | duration-ms | dynamic flag | imei | local-record-sequence-number | losdv | ms-timezone | msisdn | |node-id | | node-id-suffix suffix | pdn-connection-id | pdp-address | pdp-type | pgw-plm-id | plmn-id [ unknown-use uncode_value ] | rat | record-extensions rat | served-mnai | served-pdp-pdn-address-extension | sms { destination-number | recording-entity | service-centre } | start time | stop time | uli }
|
•
|
36: if the SGSN sends us “delete PDP context request”.
|
|
•
|
38: if the GGSN sends “delete PDP context request” due to GTP-C/GTP-U echo timeout with SGSN.
|
|
•
|
40: if the GGSN sends “delete PDP context request” due to receiving a RADIUS Disconnect-Request message.
|
|
•
|
26: if the GGSN sends “delete PDP context request” for any other reason (e.g., the operator types “clear subscribers” on the GGSN).
|
node-id-suffix string
string: This is the configured Node-ID-Suffix having any string between 1 to16 characters.
Important: The NodeID field is a printable string of the ndddstring format: n: The first digit is the SessMgr restart counter having a value between 0 and 7. ddd: The number of SessMgr instances. Uses the specified NodeID-suffix in all CDRs. The “Node-ID” field is consists of SessMgr Recovery counter (1 digit) n + AAA Manager identifier (3 digits) ddd + the configured Node-Id-suffix (1 to 16 characters) string.
Important: If the centralized LRSN feature is enabled, the “Node-ID” field consists of only the specified NodeID-suffix. Otherwise GTPP group name is used. For default GTPP groups, GTPP context-name (truncated to 16 characters) is used.
Important: SessMgr recovery counter gets updated in case of “session recovery not enabled” If session recovery is enabled, the counter never updates. The node-id is displayed in the G-CDR irrespective of gtpp dictionary. The G-CDR is not decoded in monitor protocol for custom1 / custom3 dictionaries.
Important: For the GGSN it provides radio access identifier as the SGSN PLMN Id and for SGSN it includes the PLMN-id of RNC.unknown-use uncode_value encodes the specified value for “SGSN PLMN Identifier” in the CDR if SGSN PLMN-ID information is unavailable.
Must be followed by the uncode_value value to be encoded.
uncode_value must be an hexadecimal value between 0x0 and 0xFFFFFF.
destination-number: This keyword includes the destination-number information of SMS in generated S-SMO-CDRs or S-SMT-CDRs.
Note: This is the destination number of the short message subscriber.
recording-entity: This keyword includes the recording entity information of SMS in generated S-SMO-CDRs or S-SMT-CDRs.
Note: The recording entity is the E.164 number of the SGSN.
service-centre: This keyword includes the service-centre information of SMS in generated S-SMO-CDRs or S-SMT-CDRs.
Note: This is the E.164 address of the SMS-service centre.
Important: This command can be repeated multiple times with different keywords to configure multiple GTPP attributes.address ip_address
ip_address must be configured using dotted decimal notation.
port port
If port is not defined IP will take the default port number 49999.
port must be an integer from 1 through 65535.
Important: Configuring gtpp charging-agent on port 3386 may interfere with ggsn-service configured with the same ip address.This command establishes a Ga interface for the system. For GTPP accounting, one or more Ga interfaces must be specified for communication with the CGF. These interfaces must exist in the same context in which GTPP functionality is configured (refer to the gtpp commands in this chapter).
The following command configures the system to use the interface with an IP address of 192.168.13.10 as the accounting interface with port 20000 to the CGF:
gtpp charging-agent address 192.168.13.10
|
•
|
0: Designates the start sequence number as 0.
|
|
•
|
1: Designates the start sequence number as 1.
|
Important: This command is customer specific. For more information please contact your local service representative.gtpp deadtime time
time is measured in seconds and can be configured to any integer value from 1 to 65535.
Refer to the gtpp detect-dead-server and gtpp max-retries commands for additional information on the process the system uses to mark a CGF as down.
The following command configures the system to wait 60 seconds before attempting to re-communicate with a CGF that was marked as down:
gtpp detect-dead-server consecutive-failures max_number
consecutive-failures max_number
max_number could be configured to any integer value from 0 to 1000.
This command works in conjunction with the gtpp max-retries parameter to set a limit to the number of communication failures that can occur with a configured CGF.
Refer to the gtpp max-retries command for additional information.
The following command configures the system to allow 8 consecutive communication failures with a CGF before it marks it as down:
gtpp duplicate-hold-time minutes
minutes must be an integer from 1 to 10080.
gtpp echo-interval time
time is measured in seconds and can be configured to any integer value from 60 to 2147483647.
|
•
|
Upon the configuration of a new CGF server on the system using the gtpp server command as described in this chapter
|
|
•
|
Upon the execution of the gtpp test accounting command as described in the Exec Mode Commands chapter of this reference
|
|
•
|
Upon the execution of the gtpp sequence-numbers private-extensions command as described in this chapter
|
The alive/dead status of the CGFs is used by the AAA Managers to affect the sending of CDRs to the CGFs. If all CGFs are dead, the AAA Managers will still send CDRs, (refer to the gtpp deadtime command), albeit at a slower rate than if a CGF were alive. Also, AAA Managers independently determine if CGFs are alive/dead.
gtpp egcdr { final-record [ [ include-content-ids { all | only-with-traffic } ] [ closing-cause { same-in-all-partials | unique } ] ] | losdv-max-containers max_losdv_containers | lotdv-max-containers max_lotdv_containers | service-data-flow threshold { interval interval | volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] } } | service-idle-timeout { 0 | service_idle_timeout } }
|
•
|
include-content-ids: Controls which content IDs are being included in the final eG-CDR.
|
|
•
|
all: Specifies that all content IDs be included in the final eG-CDR.
|
|
•
|
only-with-traffic: Specifies that only content-IDs with traffic be included in the final eG-CDRs.
|
|
•
|
closing-cause: Configures closing cause for the final eG-CDR.
|
|
•
|
same-in-all-partials: Specifies that the same closing cause is to be included for multiple final eG-CDRs
|
|
•
|
unique: Specifies that the closing cause for final eG-CDRs is to be unique.
|
losdv-max-containers max_losdv_containers
max_losdv_containers must be an integer from 1 through 255.
lotdv-max-containers max_lotdv_containers
max_lotdv_containers must be an integer from 1 through 8.
service-data-flow threshold { interval interval | volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] } }
|
•
|
interval interval: Specifies the time interval, in seconds, to close the eG-CDR if the minimum time duration thresholds for service data flow containers satisfied in flow-based charging.
|
interval must be an integer from 60 through 40000000.
|
•
|
volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] }: Specifies the volume octet counts for the generation of the interim eG-CDRs to service data flow container in FBC.
|
|
•
|
downlink bytes: Specifies the limit for the number of downlink octets after which the eG-CDR is closed.
|
|
•
|
total bytes: Specifies the limit for the total number of octets (uplink+downlink) after which the eG-CDR is closed.
|
|
•
|
uplink bytes: Specifies the limit for the number of uplink octets after which the eG-CDR is closed.
|
|
•
|
bytes must be an integer from 10000 through 400000000.
|
service_idle_timeout must be an integer from 10 through 86400.
0: Specifies no service-idle-timeout trigger.
Use the service-data-flow threshold option to configure the thresholds for closing a service data flow container within an eG-CDR (eG-CDRs for GGSN and PGW-CDRs for PGW) during flow-based charging (FBC). A service data flow container has statistics regarding an individual content ID.
Default: retry-request
group_name must be a string of size 1 to 63 character.
Following command configures a GTPP server group named star1 for charging gateway function accounting functionality and this server group is available for all subscribers with in that context.
gtpp group star1
Default: One CDR per packet; disables wait-time
max_cdrs must be an integer from 1 through 255.
wait-time wait_time
wait_time must be an integer from 1 through 300.
Important: If the wait-time expires, the packet is sent as this keyword over-rides max_cdrs.CDRs are placed into a GTPP packet as the CDRs close. The system stops placing CDRs into a packet when either the maximum max_cdrs is met, or the wait-time expires, or the value for the gtpp max-pdu-size command is met.
gtpp max-pdu-size pdu_size
pdu_size is measured in octets and can be configured to any integer value from 1024 to 65400.
Caution: This command is effective only when GTPP single-source is configured, otherwise this command has no effect.
Important: The maximum size of an IPv4 PDU (including the IPv4 and subsequent headers) is 65,535. However, a slightly smaller limit is imposed by this command because the system’s max-pdu-size doesn't include the IPv4 and UDP headers, and because the system may need to encapsulate GTPP packets in a different/larger IP packet (for sending to a backup device).gtpp max-pdu-size 2048
gtpp max-retries max_attempts
max_attempts can be configured to any integer value from 1 to 15.
This command works in conjunction with the gtpp detect-dead-server and gtpp timeout parameters to set a limit to the number of communication failures that can occur with a configured CGF.
gtpp node-id node_id
node_id must be a string of 1 through 16 characters in length.
gtpp node-id test123
Configures the system to allow/disallow the redirection of CDRs when the primary CGF is unavailable.
This command allows operators to better handle erratic network links, without having to remove the configuration of the backup server(s) via the no gtpp server command.
This command has been obsoleted and is replaced by the gtpp redirection-allowed command.
gtpp server ip_address [ max max_messages ] [ priority priority ] [ udp-port port ] [ node-alive { enable | disable } ] [ -noconfirm ]
no gtpp server ip_address
max max_messages
max_messages can be configured to any integer value from 1 to 256.
priority priority
priority can be configured to any integer value from 1 to 1000. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
udp-port port
Specifies the UDP port over which the GSN communicates with the CGF. port can be configured to any integer value between 1 and 65535.
Important: The configuration of multiple CGFs with the same IP address but different port numbers is not supported.no gtpp server 100.10.35.7
port port-num
Important: This command only takes affect if gtpp single-source in the Global Configuration Mode is also configured. Additionally, this command is customer specific. Please contact your local sales representative for additional information.gtpp storage-server 192.168.1.2
gtpp storage-server local file { compression { gzip | none } | format { custom1 | custom2 | custom3 | custom4 | custom5 | custom6 | custom7 | custom8 } | name { format string [ max-file-seq-num seq_number ] | prefix prefix } | purge-processed-files [ file-name-pattern file_pattern | purge-interval purge_dur ] | rotation { cdr-count count | time-interval time [ force-file-rotation ] | volume mb size } | start-file-seq-num seq_num [ recover-file-seq-num ] }
default gtpp storage-server local file { compression | format | name { format | prefix } | purge-processed-files | rotation { cdr-count | time-interval | volume } | start-file-seq-num }
no gtpp storage-server local file { purge-processed-files | rotation { cdr-count | time-interval } }
|
•
|
gzip: Enables Gzip file compression.
|
|
•
|
none: Disables Gzip file compression -this is the default value.
|
custom1: File format custom1—this is the default value.
custom2: File format custom2.
custom3: File format custom3.
custom4: File format custom4.
custom5: File format custom5.
custom6: File format custom6 with a block size of 8K for CDR files.
custom7: File format custom7 is a customer specific CDR file format.
custom8: File format custom8 is a customer specific CDR file format. It uses node-id-suffix_date_time_fixed-length-seq-num.u format for file naming.
Default: custom1
string — Enter a string of 1 to 127 alphanumeric characters. The string must begin with the % (percent sign).
|
•
|
%y: = year as a decimal number without century (range 00 to 99).
|
|
•
|
%Y: year as a decimal number with century.
|
|
•
|
%m: month as a decimal number (range 01 to 12).
|
|
•
|
%d: day of the month as a decimal number (range 01 to 31).
|
|
•
|
%H: hour as a decimal number 24-hour format (range 00 to 23).
|
|
•
|
%h: hour as a decimal number 12-hour format (range 01 to 12).
|
|
•
|
%M: minute as a decimal number (range 00 to 59).
|
|
•
|
%S: second as a decimal number (range 00 to 60). (The range is up to 60 to allow occasional leap seconds.)
|
|
•
|
%Q: File sequence number. Field width may be specified between the % and the Q. If the natural size of the field is smaller than this width, then the result string is padded (on the left) to the specified width with 0s
|
|
•
|
%N: No of CDRs in the file. Field width may be specified between the % and the N .If the natural size of the field is smaller than this width, then the result string is padded (on the left) to the specified width with 0s
|
|
•
|
max-file-seq-no: This can be configured optionally. It indicates the maximum value of sequence number in file name (starts from 1). Once the configured max-file-seq-no limit is reached, the sequence number will restart from 1. If no max-file-seq-no is specified then file sequence number ranges from 1- 4294967295.
|
Important: This option is available only when GTPP server storage mode is configured for local storage of CDRs with the gtpp storage-server mode local command.Optional keyword file-name-pattern file_pattern provides an option for user to control the pattern of files to be purged by setting file_pattern.
file_pattern must be mentioned in *.p format in a string of size 1 to 127, which is also the default format. Wild cards * and : (synonymous to |) are allowed.
Optional keyword purge-interval purge_dur provides an option for user to control the purge interval duration in minutes by setting purge_dur.
purge_dur must be and integer between 1 through 259200. Which has a default value of 60 minutes.
cdr-count count: Configure the CDR count for the file rotation. Enter a value from 1000 to 65000. Default value 10000.
time-interval time: Configure the time interval for file rotation. Enter a value in seconds ranging from 30 to 86400. Default value is 3600 seconds (1 hour).
volume mb size: Configure the file volume, in MB, for file rotation. Enter a value ranging from 2 to 40. This trigger can not be disabled. Default value is 4MB.
Specifies the start sequence number. The sequence number goes on incrementing until ULONG_MAX (or max-seq-num configured in file name format) and then it would rollover. If recover-file-seq-num is configured then every time the machine rebooted (or aaaproxy recovery/ planned/ unplanned PSC migration), the file sequence number continues from the last sequence number and during rollover it starts from first-sequence number.
seq_num: Configures the sequence number. Enter an integer value from 1 to 4294967295.
recover-file-seq-num: Configures the recovery of file sequence number. This is an optional field and if configured, every time the machine rebooted, the file sequence number continues from the last sequence number.
gtpp storage-server local file rotation time-interval 5400 start-file-seq-num 20 recover-file-seq-num
gtpp storage-server max-retries max_attempts
max_attempts can be configured to any integer value from 1 to 15.
This command works in conjunction with the gtpp storage-server timeout parameters to set a limit to the number of communication failures that can occur with a configured GTPP back-up storage server.
Default: remote
gtpp storage-server timeout duration
duration is measured in seconds and can be configured to any integer value from 30 to 120.
This command works in conjunction with the gtpp storage-server max-retries command to establish a limit on the number of times that communication with a GTPP back-up storage server is attempted before a failure is logged.
gtpp timeout time
time is measured in seconds and can be configured to any integer value from 1 to 60.
This command works in conjunction with the gtpp max-retries command to establish a limit on the number of times that communication with a CGF is attempted before a failure is logged.
gtpp timeout 30
This command is left in place for backward compatibility. To disable and enable GTPP triggers you should use the gtpp trigger command in GTPP Server Group Configuration Mode.
Default: udp
no gtpu-service service_name
Specifies the name of the GTP-U service. If service_name does not refer to an existing service, a new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
no gtpu-service service_name
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.GTP-U Service Configuration Mode commands are defined in the GTP-U Service Configuration Mode Commands chapter.
gtpu-service gtpu-service1
The following command will remove gtpu-service1 from the system:
no gtpu-service gtpu-service1
ha-service name
no ha-service name
Specifies the name of the HA service to configure. If name does not refer to an existing service, the new service is created if resources allow. name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.The following command will enter the HA Service Configuration Mode creating the service sampleService, if necessary.
ha-service sampleService
The following command will remove sampleService as being a defined HA service.
no ha-service sampleService
Specifies the name of the HNB-GW service. If service_name does not refer to an existing service, the new service is created if resources allow.
hnbgw_svc_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.The commands available in this mode are defined in the HNB-GW Service Configuration Mode Commands chapter of Command Line Interface Reference.
Caution: This is a critical configuration. The HNB-GW service can not be configured without this configuration. Any change to this configuration would lead to restarting the HNB-GW service and removing or disabling this configuration will stop the HNB-GW service.hnbgw-service hnb-service1
The following command will remove hnb-service1 from the system:
no hnbgw-service hnb-service1
no hsgw-service service_name
Specifies the name of the HSGW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
no hsgw-service service_name
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.HSGW Service Configuration Mode commands are defined in the HSGW Service Configuration Mode Commands chapter.
hsgw-service hsgw-service1
The following command will remove hsgw-service1 from the system:
no hsgw-service hsgw-service1
Important: For an SGSN, this command is visible, but the feature is in development and not yet supported for configuration.no hss-peer-service service_name
no mme-hss-service service_name
Specifies the name of the HSS peer service. If service_name does not refer to an existing service, a new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.HSS Peer Service Configuration Mode commands are defined in the HSS Peer Service Configuration Mode Commands chapter.
hss-peer-service hss-peer1
The following command will remove hss-peer1 from the system:
no hss-peer-service hss-peer1
interval interval
interval is measured in seconds and can be configured to any integer value between 10 and 3600.
timeout time
time is measured in seconds and can be configured to any integer value between 10 and 3600.
num-retry retries
retries can be configured to any integer value between 1 and 100.
Important: The peer security gateway must support RFC 3706 in order for this functionality to function properly.Regardless of the application, DPD must be supported/configured on both security peers. If the system is configured with DPD but it is communicating with a peer that does not have DPD configured, IPSec tunnels still come up. However, the only indication that the remote peer does not support DPD exists in the output of the show crypto isakmp security associations summary dpd command.
Important: If DPD is enabled while IPSec tunnels are up, it will not take affect until all of the tunnels are cleared.The following command configures IPSec DPD Protocol parameters to have an interval of 15, a timeout of 10, to retry each attempt 5 times:
[ no ] ikev1 policy priority
Specifies the name of a new or existing security association transform set. name must be from 1 to 127 alpha and/or numeric characters.
IKEv2 Security Association Configuration Mode commands are defined in the IKEv2 Security Association Configuration Mode Commands chapter.
The following command configures an IKEv2 security association transform set called ikesa3 and enters the IKEv2 Security Association Configuration Mode:
ikev2-ikesa transform-set ikesa3
This command enables creating/configuring/deleting IMS authorization service in the current context.
{ no | default } ims-auth-service auth_svc_name
auth_svc_name must be a unique alpha and/or numeric string of 1 through 63 characters in length.
The following command configures an IMS authorization service named ims_interface1 within the current context:
ims-auth-service ims_interface1
ims-sh-service name
no ims-sh-service name
Name of the IMS-Sh-service to be configured. name must be from 1 to 63 alpha and/or numeric characters.
IMS Sh Service Configuration Mode commands are defined in the IMS Sh Service Configuration Mode Commands chapter in this guide.
ims-sh-service ims-1
inspector user_name [ encrypted ] password password [ ecs | noecs ] [ expiry-date date_time ] [ li-administration ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle timeout_duration ] [ timeout-min-idle idle_minutes ]
no inspector user_name
Specifies a name for the context-level inspector account. user_name must be from 1 to 32 alpha and/or numeric characters.
[ encrypted ] password password
password must be from 1 to 63 alpha and/or numeric characters without encryption and must be from 1 to 127 alpha and/or numeric characters when encryption has been indicated.
Default: noecs
ecs: Permits the specific user to access ACS-specific configuration commands.
noecs: Prevents the specific user to access ACS-specific configuration commands.
expiry-date date_time
Refer to the ASR 5000 Lawful Intercept Configuration Guide for a description of this parameter.
timeout-absolute abs_seconds
Specifies the maximum amount of time, in seconds, the context-level inspector may have a session active before the session is forcibly terminated. abs_seconds must be a value in the range from 0 through 300000000.
timeout-min-absolute abs_minutes
Specifies the maximum amount of time, in minutes, the context-level inspector may have a session active before the session is forcibly terminated. abs_minutes must be a value in the range from 0 through 525600 (365 days).
timeout-idle timeout_duration
Specifies the maximum amount of idle time, in seconds, the context-level inspector may have a session active before the session is terminated. timeout_duration must be a value in the range from 0 through 300000000.
timeout-min-idle idle_minutes
Specifies the maximum amount of idle time, in minutes, the context-level inspector may have a session active before the session is terminated. idle_minutes must be a value in the range from 0 through 525600 (365 days).
Inspector users have minimal read-only privileges. Refer to the Command Line Interface Overview chapter for more information.
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.no inspector user1
no interface name
Specifies the name of the interface to configure. If name does not refer to an existing interface, the new interface is created if resources allow. name must be from 1 to 79 alpha and/or numeric characters.
Important: Refer to the Ethernet Interface Configuration Mode Command chapter for more information.
Important: Refer to the Loopback Interface Configuration Mode Command chapter for more information.
Important: Refer to the PVC Interface Configuration Mode Command chapter for more information.
Important: Refer to the Tunnel Interface Configuration Mode Commands chapter for more information.
Important: If no keyword is specified, broadcast is assumed and the interface is Ethernet by default.The following command enters the Ethernet Interface Configuration Mode creating the interface sampleService, if necessary.
interface sampleInterface
The following command removes sampleService as being a defined interface.
no interface sampleInterface
The following command enters the Tunnel Interface Configuration Mode creating the interface GRE_tunnel1, if necessary.
In Release 8.1 and later, name must be an alpha and/or numeric string of 1 through 47 characters in length.
In Release 8.0, name must be an alpha and/or numeric string of 1 through 79 characters in length.
Important: Up to 8 ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 256 rule limit for the context.The in and out keywords are deprecated and are only present for backward compatibility. The Context-level ACL are applied only to outgoing packets.
Specifies the priority of the access group. 0 is the highest priority. If priority_value is not specified, the priority is set to 0. priority_value must be an integer from 0 through 4294967295.
Use this command to add IP access lists (refer to the ip access-list command) configured with in the same context to an ACL group.
Refer to the Access Control Lists appendix of the System Administration Guide for more information on ACLs.
ip access-group sampleGroup 0
ip access-list name
In Release 8.0, name must be an alpha and/or numeric string of 1 through 79 characters in length.
In Release 8.1 and later, name must be an alpha and/or numeric string of 1 through 47 characters in length.
Important: A maximum of 64 rules can be configured per ACL. The maximum number of ACLs that can be configured per context is limited by the amount of available memory in the VPN Manager software task; it is typically less then 200.Refer to the Access Control Lists appendix of the System Administration Guide for more information on ACLs.
The following command creates an access list named sampleList, and enters the ACL Configuration Mode:
ip access-list sampleList
Specifies the IP address to configure the ARP options where ip_address must be specified using the standard IPv4 dotted decimal notation.
Specifies the media-specific access control layer address for the IP address. mac_address must be specified as a an 6-byte hexadecimal number with each byte separated by a colon, e.g., ‘AA:12:bb:34:f5:0E’.
vrf vrf_name
vrf_name is name of a preconfigured virtual routing and forwarding (VRF) context configured in Context Configuration Mode through ip vrf command.
no ip arp 1.2.3.4
The following commands set the IP and MAC address for a VRF context vrf1 in the configuration.
To add new rules to an existing list, enter the list name. list_name must be a string of alpha numeric characters from 1 through 79 characters.
deny: Deny access to AS paths that match the regular expression.
permit: Allow access to AS paths that match the regular expression.
A regular expression to define the AS paths to match. reg_expr must be a string containing 1 through 254 alpha and/or numeric characters.
Important: The ? (question mark) character is not supported in regular expressions for this command.The following command creates an AS access list named ASlist1 and permits access to AS paths.
Important: This command must be entered in the destination context for the subscriber. If there are multiple destination contexts for different subscribers, the command must be entered in each context.[ no ] ip dns-proxy source-address ip_address
ip dns-proxy source-address ip_address
Specifies an interface in this context used for redirected DNS packets. ip_address must be specified using the standard IPv4 dotted decimal notation.
The following command identifies an interface with an address of 1.23.456.456 in a destination context where the system forwards all intercepted DNS requests:
ip dns-proxy source-address 1.23.456.456
ip domain-name name
no ip domain-name name
Specifies the logical domain name to use for domain name server address resolution. name must be from 1 to 1023 alpha and/or numeric characters formatted to be a valid IP domain name.
ip domain-name sampleName.org
size can be configured to any integer value from 0 to 2000.
ip localhost name ip_address
no ip localhost name ip_address
Specifies the logical host name for the local machine the current context resides on. name must be from 1 to 1023 alpha and/or numeric characters formatted to be a valid IP host name.
Specifies the IP address for the static mapping. ip_address must be specified using the standard IPv4 dotted decimal notation.
ip localhost localHostName 1.2.3.4
no ip localhost localHostName 1.2.3.4
ip name-servers ip_address secondary_ip_address
no ip name-servers ip_address
Specifies the IP address of a domain name server. ip_address must be specified using either standard IPv4 dotted decimal notation or standard IPv6 colon-separated notation.
Specifies the IP address of a secondary domain name server. secondary_ip_address must be specified using either standard IPv4 dotted decimal notation or standard IPv6 colon-separated notation.
The DNS can be specified at the Context level in Context configuration as well as at the APN level in APN Configuration Mode with dns and ipv6 dns commands, or it can be received from AAA server.
When DNS is requested in PCO configuration, the following preference will be followed for DNS value:
|
3.
|
Important: The same preference would be applicable for the NBNS servers to be negotiated via ICPC with the LNS.ip name-servers 1.2.3.4
ip pool pool_name { ip_address subnet_mask | ip_address_mask_combo | range start_ip_address end_ip_address } [ address-hold-timer address_hold_timer ] [ advertise-if-used ] [ alert-threshold [ group-available | pool-free | pool-hold | pool-release | pool-used ] low_thresh [ clear high_thresh ] ] [ explicit-route-advertise ] [ group-name group_name ] [ include-nw-bcast ] [ napt-users-per-ip-address users_per_ip [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ max-chunks-per-user max_chunks_per_user [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ port-chunk-size port_chunk_size ] [ port-chunk-threshold port_chunk_threshold ] [ send-nat-binding-update ] + ] [ nat priority ] [ nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ send-nat-binding-update ] + ] [ nat-realm users-per-nat-ip-address users [ on-demand [ address-hold-timer address_hold_timer ] ] ] [ nexthop-forwarding-address ip_address [ overlap vlanid vlan_id ] [ respond-icmp-echo ip_address ] ] [ nw-reachability server server_name ] [ policy allow-static-allocation ] [ private priority ] [ public priority ] [ resource priority ] [ send-icmp-dest-unreachable ] [ srp-activate ] [ static ] [ suppress-switchover-arps ] [ tag { none | pdif-setup-addr } ] [ unicast-gratuitous-arp-address ip_address ] [vrf vrf_name {[mpls-label input in_label_value | output out_label_value1 [out_label_value2] } ] +
no ip pool pool_name [ address-hold-timer ] [ advertise-if-used ] [ alert-threshold [ [ group-available ] [ pool-free ] [ pool-hold ] [ pool-release ] [ pool-used ] + ] [ explicit-route-advertise ] [ group-name ] [ include-nw-bcast ] [ nexthop-forwarding-address [ respond-icmp-echo ] ] [ nw-reachability server ] [ policy allow-static-allocation ] [ send-icmp-dest-unreachable ] [ srp-activate ] [ suppress-switchover-arps ] [ tag { none | pdif-setup-addr } ] [ unicast-gratuitous-arp-address ] + [ send-nat-binding-update ]
Specifies the logical name of the IP address pool. name must be an alpha and/or numeric string of 1 through 31 characters in length.
Important: An error message displays if the ip pool name and the group name in the configuration are the same. An error message displays if the ip pool name or group name are already used in the context.ip_address can either be an IPv4 address expressed in dotted decimal notation, or an IPv6 address expressed in colon notation.
Specifies the IP address mask bits to determine the number of IP addresses in the pool. ip_mask must be specified using the standard IPv4 dotted decimal notation.
0 bits in the ip_mask indicate that bit position in the ip_address does not need to match, i.e., the bit can be either a 0 or a 1.
For example, if the IP address and mask are specified as 172.168.10.0 and 255.255.255.224, respectively, the pool will contain IP addresses in the range 172.168.10.0 through 172.168.10.31 for a total of 32 addresses.
Specifies a combined IP address subnet mask bits to indicate what IP addresses the route applies to. ip_address_mask_combo must be specified using the form ‘IP Address/Mask Bits’ where the IP address is specified using the standard IPv4 dotted decimal notation and the mask bits are a numeric value which is the number of bits in the subnet mask.
range start_ip_address end_ip_address
start_ip_address specifies the beginning of the range of addresses for the IP pool.
end_ip_address specifies the end of the range of addresses for the IP pool.
For example, if start_ip_address is specified as 172.168.10.0 and end_ip_address is specified as 172.168.10.31 the IP pool will contain addresses in the range 172.168.10.0 through 172.168.10.31 for a total of 32 addresses.
Address pool may only be used by mobile stations which have requested an IP address from a specified pool. When private pools are part of an IP pool group, they are used in a priority order according to the precedence setting. priority must be a value in the range from 0 through 10 with 0 being the highest priority. The default value is 0.
Address pool is used in priority order for assigning IP addresses to mobile stations which have not requested a specific address pool. priority must be a value in the range from 0 through 10 with 0 being the highest priority. The default value is 0.
Default: none
none: default tag for all IP address pools
pdif-setup-addr: pool with this tag should only be used for PDIF calls.
address-hold-timer seconds
seconds is the time in seconds and must be an integer from 0 through 31556926.
alert-threshold { group-available | pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ]
group-available: Set an alert based on the available percentage of IP addresses for the entire IP pool group.
pool-free: Set an alert based on the percentage of IP addresses that are unassigned in this IP pool.
pool-hold: Set an alert based on the percentage of IP addresses from this IP pool that are on hold.
pool-release: Set an alert based on the percentage of IP addresses from this IP pool that are in the release state.
pool-used: This command sets an alert based on the percentage of IP addresses that have been assigned from this IP pool.
Important: Refer to the threshold available-ip-pool-group and threshold monitoring commands in this chapter for additional information on IP pool utilization thresholding.low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. It can be configured to any integer value between 0 and 100.
clear high_thresh : The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. It may be configured to any integer value between 0 and 100.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.group-name group_name
Assigns preconfigured one or more IP pools to the IP pool group group_name. group_name is case sensitive and must be a string of 1 to 31 characters. One or more IP pool groups are assigned to a context and one IP pool group consists one or more IP pool(s).
To remove the include-nw-bcast option from the ip pool, use the no ip pool test include-nw-bcast command.
napt-users-per-ip-address users_per_ip [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ max-chunks-per-user max_chunks_per_user [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ port-chunk-size port_chunk_size ] [ port-chunk-threshold port_chunk_threshold ] [ send-nat-binding-update ] +
Important: In UMTS deployments this keyword is available in 9.0 and later releases. In CDMA deployments this keyword is available in 8.3 and later releases. 
Important: In UMTS deployments, on upgrading from Release 8.1 to Release 9.0, and in CDMA deployments, on upgrading from Release 8.1 to 8.3, all NAT realms configured in Release 8.1 using the nat-realm keyword must be reconfigured using either the nat-one-to-one (for one-to-one NAT realms) or the napt-users-per-ip-address (for many-to-one NAT realms) keywords.|
•
|
users_per_ip: Specifies how many users can share a single NAT IP address. users_per_ip must be an integer from 2 through 2016.
|
|
•
|
alert-threshold: Specifies alert threshold for the pool:
|
Important: Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in that context, and override the threshold configurations set within individual pools.|
•
|
pool-free: Percentage free alert threshold for this pool
|
|
•
|
pool-hold: Percentage hold alert threshold for this pool
|
|
•
|
pool-release: Percentage released alert threshold for this pool
|
|
•
|
pool-used: Percentage used alert threshold for this pool
|
|
•
|
low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. low_thresh must be an integer from 0 through 100.
|
|
•
|
clear high_thresh : The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. high_thresh must be an integer from 0 through 100.
|
Important: The high_thresh value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.|
•
|
max-chunks-per-user max_chunks_per_user: Specifies the maximum number of port chunks to be allocated per subscriber in the many-to-one NAT pool. max_chunks_per_user must be an integer from 1 through 2016. Default: 1
|
|
•
|
nat-binding-timer binding_timer: Specifies NAT Binding Timer for the NAT pool. timer must be an integer from 0 through 31556926. If set to 0, is disabled. Default: 0
|
|
•
|
nexthop-forwarding-address address: Specifies the nexthop forwarding address for this pool. address must be a standard IPv4 or IPv6 address. If configured for a NAT pool, packets that are NATed using that NAT pool will be routed based on the configured nexthop address.
|
Important: The nexthop-forwarding-address support for NAT IP pools is functional only in later releases of Release 9.0 and in 10.0 and later releases.|
•
|
on-demand: Specifies allocating IP when matching data traffic begins.
|
|
•
|
port-chunk-size size: Specifies NAT port chunk size (number of NAT ports per chunk) for many-to-one NAT pool. size must be an integer from 32 through 32256.
|
Important: The port-chunk-size configuration is only available for many-to-one NAT pools.|
•
|
port-chunk-threshold chunk_threshold: Specifies NAT port chunk threshold in percentage of number of chunks for many-to-one NAT pool. chunk_threshold must be an integer from 1 through 100. Default: 100%
|
Important: The port-chunk-threshold configuration is only available for many-to-one NAT pools.|
•
|
send-nat-binding-update: Specifies sending NAT binding updates to AAA for this realm. Default: Disabled
|
Important: send-nat-binding-update is not supported for many-to-one realms.|
•
|
group-name group_name: This keyword is available for NAT pool configuration only in Release 10.0 and later.
|
group_name must be an alpha and/or numeric string of 1 through 31 characters in length, and is case sensitive.
nat priority
priority specifies the priority of the NAT pool. 0 is the highest priority. If priority is not specified, the priority is set to 0.
Important: This functionality is currently supported for use with systems configured as an A-BG or P-CSCF.nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } low_thresh [ clear high_thresh ] } + ] [ nat-binding-timer nat_binding_timer ] [ nexthop-forwarding-address ip_address ] [ on-demand ] [ send-nat-binding-update ] +
Important: In UMTS deployments this keyword is available in Release 9.0 and later releases. In CDMA deployments this keyword is available in Release 8.3 and later releases. 
Important: In UMTS deployments, on upgrading from Release 8.1 to Release 9.0, and in CDMA deployments, on upgrading from Release 8.1 to Release 8.3, all NAT realms configured in Release 8.1 using the nat-realm keyword must be reconfigured using either the nat-one-to-one (for one-to-one NAT realms) or the napt-users-per-ip-address (for many-to-one NAT realms) keywords.|
•
|
alert-threshold: Specifies alert threshold for this pool:
|
Important: Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool * commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.|
•
|
pool-free: Percentage free alert threshold for this pool
|
|
•
|
pool-hold: Percentage hold alert threshold for this pool
|
|
•
|
pool-release: Percentage released alert threshold for this pool
|
|
•
|
pool-used: Percentage used alert threshold for this pool
|
|
•
|
low_thresh: The IP pool utilization percentage that must be met or exceeded within the polling interval to generate an alert or alarm. low_thresh must be an integer from 0 through 100.
|
|
•
|
clear high_thresh: The IP pool utilization percentage that maintains a previously generated alarm condition. If the utilization percentage rises above the high threshold within the polling interval, a clear alarm is generated. high_thresh must be an integer from 0 through 100.
|
Important: The high_thresh value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.|
•
|
nat-binding-timer nat_binding_timer: Specifies NAT Binding Timer for the NAT pool. binding_timer must be an integer from 0 through 31556926. If set to 0, is disabled.
|
Important: For many-to-one NAT pools, the default NAT Binding Timer value is 60 seconds. For one-to-one NAT pools, it is 0. I.e., by default, the feature is disabled—the IP addresses/ port-chunks once allocated will never be freed.|
•
|
nexthop-forwarding-address ip_address: Specifies the nexthop forwarding address for this pool. address must be a standard IPv4 or IPv6 address. If configured for a NAT pool, packets that are NATed using that NAT pool will be routed based on the configured nexthop address.
|
Important: The nexthop-forwarding-address support for NAT IP pools is functional only in later releases of Release 9.0 and in Release 10.0 and later releases.|
•
|
on-demand: Specifies allocating IP address when matching data traffic begins.
|
|
•
|
send-nat-binding-update: Specifies sending NAT binding updates to AAA for this realm. Default: Disabled
|
Important: send-nat-binding-update is not supported for many-to-one realms.|
•
|
address-hold-timer address_hold_timer
|
|
•
|
group-name group_name: This keyword is available for NAT pool configuration only in StarOS 10.0 and later releases.
|
group_name must be an alpha and/or numeric string of 1 through 31 characters in length, and is case sensitive.
Important: The nat-realm keyword is only available in Release 8.1.
Important: In Release 8.1, the NAT On-demand feature is not supported.
Important: This functionality is currently supported for use with systems configured as an A-BG or P-CSCF.users-per-nat-ip-address users: Specifies the number of users sharing a single NAT IP address. users must be an integer from 1 through 5000.
on-demand: Specifies to allocate IP when matching data traffic begins.
address-hold-timer address_hold_timer: Specifies the address hold timer for this pool, in seconds. address_hold_timer must be an integer from 0 through 31556926. If set to 0, the address hold timer is disabled.
nexthop-forwarding-address ip_address
overlap vlanid vlan_id
For more information on configuring VLANs, refer to the System Administration Guide.
vlan_id is the identification number of a VLAN assigned to a physical port and can be configured to any integer value from 1 to 4095.
Important: This functionality is currently supported for use with systems configured as an HA, or as a PDSN for Simple IP, or as a GGSN. This keyword can only be issued for pools of type private or static and must be associated with a different nexthop forwarding address and VLAN. A maximum of 256 over-lapping pools can be configured per context and a maximum of 256 over-lapping pools can be configured per HA or simple IP PDSN. For GGSNs, the total number of pools is limited by the number of VLANs defined but the maximum number per context is 256. Additional network considerations and configuration outside of the system may be required.nw-reachability server server_name
server_name: Specifies the name of a network reachable server that has been defined in the current context, and must be a string of 1 through 16 characters in length.
Important: Also see the following commands for more information: Refer to the policy nw-reachability-fail command in the HA Configuration Mode to configure the action that should be taken when network reachability fails. Refer to the nw-reachability server command in this chapter to configure network reachability servers. Refer to the nw-reachability-server command in the Subscriber Configuration Mode to bind a network reachability server to a specific subscriber.respond-icmp-echo ip_address
Important: In order for this functionality to work, all of the pools should contain an initial IP address that can be pinged.unicast-gratuitous-arp-address ip_address
Important: This command must be used with next-hop parameters.vrf_name is name of a preconfigured virtual routing and forwarding (VRF) context configured in Context Configuration Mode through ip vrf command.
|
•
|
in_label_value is the MPLS label that identifies the inbound traffic destined for this pool.
|
|
•
|
The out_label_value1 and out_label_value2 identify the MPLS labels to be added to the outgoing packets sent for subscriber from this pool. Where out_label_value1 is the inner output label and out_label_value2 is the outer output label.
|
Important: You cannot have overlapping pool addresses using the same VRF. Also you cannot have two pools using different VRF’s but the same in-label irrespective of whether the pools are overlapping or not. The pool must be private or static pool in-order to be associated with a certain VRF. If the VRF with such a name is not configured, then the pool configuration would return an error prompting to add the VRF before configuring a pool.
Important: In static allocation scenario, the pool group name is returned by AAA in the attribute SN1-IP-Pool-Name, and the IP address to use will be returned in the Framed-IP-Address attribute.
Important: If an IP address pool is matched to a ISAKMP crypto map and is resized, removed, or added, the corresponding security association must be cleared in order for the change to take effect. Refer to the clear crypto command in the Exec mode for information on clearing security associations.Over-lapping IP Pools: The system supports the configuration of over-lapping IP address pools within a particular context. Over-lapping pools are configured using either the resource or overlap keywords.
The resource keyword allows over-lapping addresses tunneled to different VPN end points.
The overlap keyword allows over-lapping addresses each associated with a specific virtual LAN (VLAN) configured for an egress port. It uses the VLAN ID and the nexthop address to determine how to forward subscriber traffic with addresses from the pool thus resolving any conflicts with overlapping addresses.
Note that if an overlapping IP Pool is bound to an IPSec Tunnel (refer to the match ip pool command in the Crypto Group Configuration Mode chapter), that tunnel carries the traffic ignoring the nexthop configuration. Therefore, the IPSec Tunnel takes precedence over the nexthop configuration. (Thus, one can configure the overlapping IP Pool with fake VLAN ID and nexthop and still be able to bind it to an IPSec Tunnel for successful operation.
The overlap keyword allows over-lapping addresses each associated with a specific VLAN can only be issued for pools of type private or static and must be associated with a different nexthop forwarding address and VLAN. A maximum of 128 over-lapping pools can be configured per context and a maximum of 256 over-lapping pools can be configured per system.
Important: Overlapping IP address functionality is currently supported for use with systems configured as an HA for Mobile IP, or as a PDSN for Simple IP, or as a GGSN. For deployments in which subscriber traffic is tunneled from the FA to the HA using IP-in-IP, a separate HA service must be configured for each over-lapping pool.IP Pool Address Assignment Method: IP addresses can be dynamically assigned from a single pool or from a group of pools. The addresses are placed into a queue in each pool. An address is assigned from the head of the queue and, when released, returned to the end. This method is known as least recently used (LRU).
Important: Note that setting different priorities on each individual pool in a group can cause addresses in some pools to be used more frequently.
Important: In NAT IP pool configurations, the minimum number of public IP addresses that must be allocated to each NAT pool must be greater than or equal to the number of Session Managers (SessMgrs) available on the system. On the ASR 5000, it is >= 84 public IP addresses. This can be met by a range of 84 host addresses from a single Class C. The remaining space from the Class C can be used for other allocations.no ip pool samplePool1
ip prefix-list name list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ]
no ip prefix-list list_name [ seq seq_number ] { deny | permit } { any | network_address/net_mask [ ge ge_value ] [ le le_value ]
name list_name
Specifies a name for the prefix list. list_name must be a string of 1 through 79 characters in length.
seq seq_number
Assign the specified sequence number to the prefix list entry. seq_number must be an integer from 1 through 4294967295.
network_address/net_mask: the IP address and the length, in bits, of the network mask that defines the prefix. This must be an IP address entered in dotted decimal notation and a mask (192.168.0/24). When neither ge or le are specified an exact match is assumed.
ge ge_value: The minimum prefix length to match. This must be an integer from 0 through 32. If only the ge value is specified, the range is from the ge value to 32. The ge value must be greater than net_mask and less than the le value.
le le_value: The maximum prefix length to match. This must be an integer from 0 through 32. If only the le value is specified, the range is from the net_mask to the le value. The le value must be less than or equal to 32.
[ no ] ip route { ip_address/ip_mask | ip_address ip_mask } { gateway_ip_address | next-hop next_hop_ip_address | point-to-point | tunnel } egress_intrfc_name [ cost cost ] [ precedence precedence ][ vrf vrf_name] +
ip_address/ip_mask: Specifies a combined IP address subnet mask bits to indicate what IP addresses to which the route applies. ip_address/ip_mask must be specified using the form ‘IP Address/Mask Bits’ where the IP address is specified using the standard IPv4 dotted decimal notation and the mask bits are a numeric value which is the number of bits in the subnet mask.
ip_address ip_mask: Specifies an IP address and the networking (subnet) mask pair which is used to identify the set of IP addresses to which the route applies. ip_address must be specified using the standard IPv4 dotted decimal notation. ip_mask must be specified using the standard IPv4 dotted decimal notation as network mask for subnets.
The mask as specified by ip_mask or resulting from ip_address/ip_mask is used to determine the network for packet routing.
gateway_ip_address: Specifies the IP address of the network gateway to which to forward packets. The address must be entered in IPv4 dotted decimal notation (###.###.###.###).
next-hop next_hop_ip_address: The next-hop IP address to which to forward packets. The address must be entered in IPv4 dotted decimal notation (###.###.###.###).
point-to-point: Specifies that the egress port is an ATM point-to-point interface.
tunnel: This keyword sets the static route for this egress interfaceas tunnel type. i.e. IPv6-over-IPv4 or GRE.
Specifies the name of the egress (out-bound) interface name in the current context. egress_intrfc_name must be from 1 to 79 alpha and/or numeric characters.
cost cost
Specifies the relative cost of the route. cost must be a value in the range 0 through 255 where 255 is the most expensive.
precedence precedence
Specifies the selection order precedence for this routing information. precedence must be a value in the range from 1through 254 where 1 is the highest precedence.
vrf vrf_name
vrf_name is name of a preconfigured virtual routing and forwarding (VRF) context configured in Context Configuration Mode through ip vrf command.
Important: A maximum of 1200 static routes may be configured per context.ip routing maximum-paths [ max_no ]
The maximum number of ECMP paths that can be submitted by a routing protocol. max_no must be an integer from 1 through 10.
To enable ECMP and set the maximum number of paths that may be submitted by a routing protocol in the current context to 10, enter the following command:
vrf_name must be an alpha and/or neumeric string of 1 t o 79 characters.
This command swithces the command mode to IP VRF Context Configuraiton Mode and prompt will be changed to the following:
If required, this command creates IP VRF Context Configuration Mode instance.
Kindly refer IP VRF Context Configuration Mode Commands chapter for parameter configuration.
Warning: If this keyword option is used with no ipms command the IPMS client service will be deleted with all active/inactive IPMS sessions without prompting any warning or confirmation.
Important: The IPMS is a license enabled external application support. Refer to the IPMS Installation and Administration Guide for more information on this product.Refer to the IPMS Installation and Administration Guide and IPMS Configuration Mode chapter of this reference for additional information.
name must be from 1 to 127 alpha and/or numeric characters.
IPSec Transform Set Configuration Mode commands are defined in the IPSec Transform Set Configuration Mode Commands chapter.
The following command configures an IPSec transform set called ipsec12 and enters the IPSec Transform Set Configuration Mode:
ipsec transfrom-set ipsec12
Specifies the name of the IPSG service to be configured. If ipsg_service_name does not refer to an existing service, the new service is created if resources allow.
ipsg_service_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Configures the IPSG to perform as either a RADIUS server or as a device to extract user information from RADIUS accounting request messages (snoop). If the optional keyword mode is not entered, the system defaults to radius-server.
|
•
|
radius-server: Creates an IP Services Gateway RADIUS Server service in the context and enters the IPSG RADIUS Server Configuration Mode.
|
|
•
|
radius-snoop: Creates an IP Services Gateway RADIUS Snoop service in the context and enters the IPSG RADIUS Snoop Configuration Mode.
|
IPSG service commands are defined in the IPSG RADIUS Snoop Configuration Mode Commands chapter or the IPSG RADIUS Server Configuration Mode Commands chapters.
Caution: A large number of services greatly increases the complexity of system management and may impact overall system performance (i.e., resulting from system handoffs). Do not configure a large number of services unless your application requires it. Contact your local service representative for more information.
Important: IP Services Gateway functionality is a license-controlled feature. A valid feature license must be installed prior to configuring an IPSG service. If you have not previously purchased this feature, contact your sales representative for more information.For more information about the IP Services Gateway, refer to the IP Services Gateway Administration Guide.
The following command configures an IPSG RADIUS Snoop service named ipsg1 and enters the IPSG RADIUS Snoop Configuration Mode:
Specifies the priority of the access group. 0 is the highest priority. If priority_value is not specified the priority is set to 0. priority_value must be a value from 0 to 4294967295.
ipv6 access-group group_1
name must be from 1 to 79 alpha and/or numeric characters.
ipv6 access-list samplelist
no ipv6 access-list samplelist
ipv6 dns-proxy source-ipv4-address ip_address
no ipv6 dns-proxy source-ipv4-address ip_address
Specifies the IPv4 address of one of the local interface in the destination context to configure the IPv6 DNS proxy where ip_address must be specified using the standard IPv4 dotted decimal notation.
ipv6 dns-proxy source-ipv4-address 192.168.23.1
[ no ] ipv6 neighbor ipv6_address hardware_address
ipv6 neighbor ipv6_address hardware_address
ipv6_address is the IP address of node to be added to the table.
hardware_address is the associated 48-bit MAC address.
Add the ipv6 address fe80::210:83ff:fef7:7a9d::/24 and associated 48 bit MAC address 0:10:83:f7:7a:9d to the table.
ipv6 neighbor fe80::210:83ff:fef7:7a9d::/24 0:10:83:f7:7a:9d
ipv6 pool name { 6to4 local-endpoint ipv4_address [ default-relay-router router_address ] | alert threshold | group-name name | policy { allow-static-allocation | dup-addr-detection} | prefix ip_address/len [ 6to4-tunnel local-endpoint ip_address | default-relay-router router_address ] | range start_address end_address | suppress-switchover-arps } [ private priority ] [ public priority ] [ shared priority ] [ static priority ] [ group-name name ]
no ipv6 pool name
name must be from 1 to 31 alpha and/or numeric characters.
6to4-tunnel local-endpoint ip_address
alert threshold { 6to4 local-endpoint ipv4_address | alert threshold | group-available | group-name name | policy { allow-static-allocation | dup-addr-detection } | pool-free | pool-used | prefix | range start_address end_address }
|
•
|
6to4: Sets an alert based on the IPv6 Pool for 6to4 compatible address type.
|
|
•
|
alert-threshold: Sets an alert based on the percentage free alert threshold for this group.
|
|
•
|
group-available: Sets an alert based on the percentage free alert threshold for this group.
|
|
•
|
group-name: Sets an alert based on the IPv6 Pool Group.
|
|
•
|
policy allow-static-allocation: Sets an alert based on the address allocation policy.
|
|
•
|
pool-free: Sets an alert based on the percentage free alert threshold for this pool.
|
|
•
|
pool-used: Sets an alert based on the percentage used alert threshold for this pool.
|
|
•
|
prefix: Sets an alert based on the IPv6 Pool address prefix.
|
|
•
|
range: Sets an alert based on the IPv6 address pool range of addresses.
|
|
•
|
suppress-switchover-arps: Sets an alert based on the Suppress Gratuitous ARPS when performing a line card switchover.
|
group name name
|
•
|
6to4: IPv6 Pool for 6to4 compatible address type
|
|
•
|
alert-threshold: Percentage free alert threshold for this group
|
|
•
|
group-name: IPv6 Pool Group
|
|
•
|
policy: Configure an address allocation policy
|
|
•
|
prefix: IPv6 Pool address prefix
|
|
•
|
range: Configures IPv6 address pool to use a range of addresses
|
|
•
|
suppress-switchover-arps: Suppress Gratuitous ARPS when performing a line card switchover
|
Specifies the beginning IPv4 address of the IPv4 address pool. ipv4_address must be specified using the standard IPv4 dotted decimal notation.
default-relay-router router address
|
•
|
6to4: IPv6 Pool for 6to4 compatible address type
|
|
•
|
alert-threshold: Percentage free alert threshold for this group
|
|
•
|
group-name: IPv6 Pool Group
|
|
•
|
policy: Configure an address allocation policy
|
|
•
|
prefix: IPv6 Pool address prefix
|
|
•
|
range: Configures IPv6 address pool to use a range of addresses
|
|
•
|
suppress-switchover-arps: Suppress Gratuitous ARPS when performing a line card switchover
|
This command is valid for IPv6 shared pools only (Sample syntax: ipv6 pool name prefix ip_address/len shared policy dup-addr-detection). When this policy is enabled, the IPv6 shared pool allows a prefix to be shared in different call sessions with different interface IDs for an IPv6 address. This allows the tracking of interface IDs per prefix and the detection of duplicated IDs.
|
•
|
6to4: IPv6 pool for 6to4 compatible address type
|
|
•
|
alert-threshold: Percentage free alert threshold for this group
|
|
•
|
group-name: IPv6 pool group
|
|
•
|
policy: Configure an address allocation policy
|
|
•
|
prefix: IPv6 pool address prefix
|
|
•
|
range: Configures IPv6 address pool to use a range of addresses
|
|
•
|
suppress-switchover-arps: Suppress gratuitous ARPS when performing a line card switchover
|
prefix ip_address/len
Specifies the beginning IPv6 address of the IPv6 address pool. ip_address/len must be specified using colon notation.
range start_address end_address
start_address specifies the beginning of the range of addresses for the IPv6 pool.
end_address specifies the end of the range of addresses for the IPv6 pool.
|
•
|
6to4: IPv6 Pool for 6to4 compatible address type
|
|
•
|
alert-threshold: Percentage free alert threshold for this group
|
|
•
|
group-name: IPv6 Pool Group
|
|
•
|
policy: Configure an address allocation policy
|
|
•
|
prefix: IPv6 Pool address prefix
|
|
•
|
range: Configures IPv6 address pool to use a range of addresses
|
|
•
|
suppress-switchover-arps: Suppress Gratuitous ARPS when performing a line card switchover
|
Default: public
private priority: address pool may only be used by mobile stations which have requested an IP address from a specified pool. When private pools are part of an IP pool group, they are used in a priority order according to the precedence setting. priority must be a value in the range from 0 through 10 with 0 being the highest. The default is 0.
public priority: address pool is used in priority order for assigning IP addresses to mobile stations which have not requested a specific address pool. priority must be a value in the range from 0 through 10 with 0 being the highest and with a default of 0.
shared priority: address pool that may be used by more than one session at any time. priority must be a value in the range from 0 through 10 with 0 being the highest and with a default of 0.
static priority: address pool is used for statically assigned mobile stations. Statically assigned mobile stations are those with a fixed IP address at all times. priority must be a value in the range from 0 through 10 with 0 being the highest and with a default of 0.
group-name name
name is the name of the group by which the IPv6 pool is to be configured and must be a string having 1 to 79 alpha and/or numeric characters.
ipv6 pool ip6Star
[ no ] ipv6 route ipv6_address/prefix_length { interface name | next-hop ipv6_address interface name } [ cost cost ] [ precedence precedence ]
interface name
Specifies the name of the interface on this system associated with the specified route or next-hop address. name must be an existing interface name on the system and be from 1 to 79 alpha and/or numeric characters.
next-hop ipv6_address
The IPv6 address of the directly connected next hop device. ipv6_address must be specified in IPv6 colon separated notation.
cost cost
Defines the number of hops to the next gateway. cost must be an integer value from 0 to 255.
precedence precedence
Indicates the administrative preference of the route. A low precedence specifies that this route takes preference over the route with a higher precedence. precedence must be an integer value from 1 to 254.
Use the following example to configure a static route with ipv6 prefix/length 2001:0db8:3c4d:0015:0000:0000:abcd:ef12/24 to the next hop interface egress1:
This command is deprecated. Use ikev1 disable-phase1-rekey command to configure the parameters for Phase1 SA rekeying when ISAKMP lifetime expires for IKE v1 protocol.
This command is deprecated. Use ikev1 keepalive dpd command to configure ISAKMP IPSec Dead Peer Detection (DPD) message parameters for IKE v1 protocol.
This command is deprecated. Use ikev1 policy command to create/configure an ISAKMP policy with the specified priority for IKE v1 protocol.
Important: For details about the commands and parameters for this mode, check the IuPS Service Configuration Mode chapter.iups-service srvc_name
no iups-service srvc_name
l2tp peer-dead-time seconds
seconds: Must be an integer value from 5 to 64,000.
The following example configures the delay in attempting to tunnel to a temporarily unreachable peer. The delay is set to 120 seconds in this example.
[ no ] lac-service name
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.To add a new LAC service named LAC1 and enter the LAC Service Configuration Mode, enter the following commands:
lac-service LAC1
To configure an existing LAC service named LAC2, enter the following command:
lac-service LAC2
To delete an existing LAC service named LAC3, enter the following command:
no lac-service LAC3
Refer to the ASR 5000 Lawful Intercept Configuration Guide for a description of this command.
Refer to the ASR 5000 Lawful Intercept Configuration Guide for a description of this command.
no lma-service service_name
Specifies the name of the LMA service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
no lma-service service_name
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.LMA Service Configuration Mode commands are defined in the LMA Service Configuration Mode Commands chapter.
lma-service lma-service1
The following command will remove lma-service1 from the system:
no lma-service lma-service1
[ no ] lns-service name
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.To add a new LNS service named LNS1 and enter the LNS Service Configuration Mode, enter the following commands:
lns-service LNS1
To configure an existing LNS service named LNS2, enter the following command:
lns-service LNS2
To delete an existing LNS service named LNS3, enter the following command:
no lns-service LNS3
[ no ] logging syslog ip_address [ event-verbosity { min | concise | full } ] [ facility facilities ] [ pdu-data { none | hex | hex-ascii } ] [ pdu-verbosity pdu_level ] [ rate value ]
syslog ip_address
ip_address must be an IPv4 IP address entered using dotted decimal notation or an IPv6 IP address using colon (:) separated notation.
|
•
|
min: Displays minimal detail.
|
|
•
|
concise: Displays summary detail.
|
|
•
|
full: Displays full detail.
|
facility facilities
Default: local7
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
none: Displays data in raw format.
|
|
•
|
hex: Displays data in hexadecimal format.
|
|
•
|
hex-ascii: Displays data in hexadecimal and ASCII format (similar to a main-frame dump).
|
pdu-verbosity pdu_level
rate value
Specifies the rate at which log entries are allowed to be sent to the system log server. No more than the number specified by value will be sent to a system log server within any given one-second interval.
value must be in the range from 0 through 100000.
no logging syslog 1.2.3.4
no mag-service service_name
Specifies the name of the MAG service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
no mag-service service_name
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.MAG Service Configuration Mode commands are defined in the MAG Service Configuration Mode Commands chapter.
mag-service mag-service1
The following command will remove mag-service1 from the system:
no mag-service mag-service1
map-service srvc_name
no map-service srvc_name
Important: For details about the commands and parameters, check the MAP Service Configuration Mode chapter.map-service map_1
The following command removes the configuration for a MAP service named map_1 from the configuration for the current context:
no map-service map_1
no mme-service service_name
Specifies the name of the MME service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.MME Service Configuration Mode commands are defined in the MME Service Configuration Mode Commands chapter.
Caution: This is a critical configuration. The MME service can not be configured without this configuration. Any change to this configuration would lead to restarting the MME service and removing or disabling this configuration will stop the MME service.mme-service mme-service1
The following command will remove mme-service1 from the system:
no mme-service mme-service1
|
•
|
multiple-dynamic-reg-per-nai: All FA services in the current context can not simultaneously setup multiple dynamic home address registrations that have the same NAI.
|
|
•
|
newcall duplicate-home-address: reject
|
|
•
|
multiple-dynamic-reg-per-nai: Disables all FA services in the current context from simultaneously setting up multiple dynamic home address registrations that have the same NAI.
|
|
•
|
newcall duplicate-home-address: Resets this option to its default of reject.
|
|
•
|
accept: The new call is accepted and the existing call is dropped.
|
|
•
|
reject: The new call is rejected with an Admin Prohibited code.
|
no mobile-ip ha assignment-table atable_name
Important: A maximum of 8 MIP HA assignment tables can be configured per context with a maximum of 8 MIP HA assignment tables across all contexts.
Important: A maximum of 256 non-overlapping hoa-ranges can be configured per MIP HA Assignment table with a maximum of 256 non-overlapping hoa-ranges across all MIP HA Assignment tables.The following command creates a new MIP HA assignment table name MIPHAtable1 and enters MIP HA Assignment Table Configuration Mode without asking for confirmation from the user:
mobile-ip ha assignment-table MIPHAtable1
|
•
|
duplicate-home-address: reject—sets HA services to reject a new call that requests an IP address that is already assigned.
|
|
•
|
duplicate-imsi-session: allow—sets HA services to accept new calls that have the same IMSI as a call that is already active.
|
|
•
|
wimax-session-overwrite:disallow—disable session overwrite feature for WiMax mobile-ip calls on the HA.
|
|
•
|
accept: The new call is accepted and the existing call is dropped.
|
|
•
|
reject: The new call is rejected with an Admin Prohibited code.
|
|
•
|
allow: Allows multiple sessions for the same IMSI.
|
|
•
|
disallow: If a mobile node already has an active session and a new sessions is requested using the same IMSI, the currently active session is dropped and the new session is accepted.
|
|
•
|
global-disallow: Enables HA services in this context to accept a new session and disconnect any other session(s) having the same IMSI being processed in this context. In addition, a request is sent to all other contexts containing HA services to do the same.
|
Important: In order to ensure a single session per IMSI across all contexts containing HA services, the global-disallow option must be configured in every context.
Caution: This command should be enabled ONLY when all the BGP peering where VPNv4 routes are exchanged are one hop away.Disables MPLS forwarding of IPv4 packets configured on the system. no mpls ip stops dynamic label distribution on all the interfaces irrespective of interface configuration.
Caution: This feature is not enabled by default.no mseg-service mseg_service_name
mseg_service_name must be an alpha and/or numeric string of 1 through 63 characters in length.
MSEG service configuration commands are described in the MSEG Service Configuration Mode Commands chapter.
The following command creates an MSEG service named test, and enters the MSEG Service Configuration Mode:
mseg-service test
nw-reachability server server_name [ interval seconds ] [ local-addr ip_addr ] [ num-retry num ] [ remote-addr ip_addr ] [ timeout seconds]
no nw-reachability server server_name
interval seconds
seconds must be an integer from 1 through 3600.
local-addr ip_addr
Specifies the IP address to be used as the source address of the ping packets; If this is unspecified, an arbitrary IP address that is configured in the context is used. ip_addr must be an IP v4 address in dotted decimal notation.
num-retry num
num must be an integer from 0 through 100.
remote-addr ip_addr
ip_addr must be an IP v4 address in dotted decimal notation.
timeout seconds
seconds must be an integer from 1 through 10.
Important: Refer to the HA Configuration Mode command policy nw-reachability-fail to configure the action that should be taken when network reachability fails.
Important: Refer to the subscriber config mode command nw-reachability-server to bind the network reachability to a specific subscriber.
Important: Refer to the nw-reachability server server_name keyword of the ip pool command in this chapter to bind the network reachability server to an IP pool.To set a network device called InternetDevice with the IP address of 192.168.100.10 as the remote address that is pinged to determine network reachability and use the address 192.168.200.10 as the origination address of the ping packets sent, enter the following command:
network-requested-pdp-context activate address ip_address dst-context context_name imsi imsi apn apn_name
address ip_address
ip_address must be expressed in dotted decimal notation.
dst-context context_name
context_name must be from 1 to 79 alpha and/or numeric characters and is case sensitive.
imsi imsi
imsi must be from 1 to 15 numeric characters.
apn apn_name
apn_name must be from 1 to 63 alpha and/or numeric characters and is case sensitive.
The following command enables support for network initiated PDP contexts for an MS with a static IP address of 20.13.5.40 from a pool configured in the destination context pdn1 with an IMSI of 3319784450 that uses an APN template called isp1:
ip_address must be an IPv4 or IPv6 IP address entered using dotted decimal notation or an IPv6 IP address using colon (:) separated notation.
The following command configures the system to communicate with a gsn-map node having an IP address of 192.168.2.5:
network-requested-pdp-context gsn-map 192.168.2.5
The following command configures a hold-down-time of 120 seconds:
time is measured in seconds and can be configured to any integer value from 0 to 86400.
The following command specifies that the system waits 120 seconds before allowing another network requested PDP context for an MS:
operator user_name [ encrypted ] password password [ ecs ] [ expiry-date date_time ] [ li-administration ] [ noecs ] [ timeout-absolute abs_seconds ] [ timeout-min-absolute abs_minutes ] [ timeout-idle timeout_duration ] [ timeout-min-idle idle_minutes ]
no operator user_name
Specifies a name for the account. user_name must be from 1 to 32 alpha and/or numeric characters.
[ encrypted ] password password
Specifies the password to use for the user which is being given context-level operator privileges within the current context. The encrypted keyword indicates the password specified uses encryption.
password must be from 1 to 63 alpha and/or numeric characters without encryption and must be from 1 to 127 alpha and/or numeric characters when encryption has been indicated.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
expiry-date date_time
Refer to the ASR 5000 Lawful Intercept Configuration Guide for a description of this parameter.
timeout-absolute abs_seconds
Specifies the maximum amount of time, in seconds, the context-level operator may have a session active before the session is forcibly terminated. abs_seconds must be a value in the range from 0 through 300000000.
timeout-min-absolute abs_minutes
Specifies the maximum amount of time, in minutes, the context-level operator may have a session active before the session is forcibly terminated. abs_minutes must be a value in the range from 0 through 300000000.
timeout-idle timeout_duration
Specifies the maximum amount of idle time, in seconds, the context-level operator may have a session active before the session is terminated. timeout_duration must be an integer from 0 through 300000000.
timeout-min-idle idle_minutes
Specifies the maximum amount of idle time, in minutes, the context-level operator may have a session active before the session is terminated. idle_minutes must be a value in the range from 0 through 300000000.
Operator users have read-only privileges. They can maneuver across multiple contexts, but cannot perform configuration operations. Refer to the Command Line Interface Overview chapter for more information.
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.The following command creates a context-level operator account named user1 with ACS control:
no operator user1
This command creates/removes an IPCF Policy and Charging Control (PCC) Application Function (AF) service or configures an existing PCC-AF service and enters the PCC-AF Service Configuration Mode to link, configure, and manage the Application Function endpoints and associated PCC services over Rx interface for the IPCF services.
Specifies the name of the PCC-AF service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
The PCC-AF-Service consolidates the provisioning and management required for the PCC-AF services being supported by the network that fall under the PCC regime. The application service handles the Rx interface over which the IPCF may receive media information for the application usage from AF.
Important: In case of absence of the Rx interface, the media information is available in the PCC-AF Service statically.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.The commands available in this mode are defined in the PCC -AF Service Configuration Mode Commands chapter.
Caution: This is a critical configuration. The PCC-AF service can not be configured without this configuration. Any change to this configuration would lead to restarting the PCC-AF service and removing or disabling this configuration will stop the PCC-AF service.pcc-af-service af-service1
The following command will remove af-service1 from the system:
no pcc-af-service af-service1
This command creates/removes an IPCF PCC-Policy service or configures an existing PCC-Policy service and enters the PCC-Policy Service Configuration Mode to link, configure, and manage the Gx interface endpoints for policy authorization where IPCF acts as a policy server.
Specifies the name of the PCC-Policy service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
The PCC-Policy-Service is mainly used to provide a mechanism to manage the external Gx or similar interfaces required for policy authorization purpose. It manages Gx and Gx-like interfaces such as Gxc/Gxa between IPCF/PCRF and PCEF or BBERF, which is based on the dictionary used for PCC.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.The commands available in this mode are defined in the PCC-Policy Service Configuration Mode Commands chapter.
Caution: This is a critical configuration. The PCC-Policy service can not be configured without this configuration. Any change to this configuration would lead to restarting the PCC-Policy service and removing or disabling this configuration will stop the PCC-Policy service.pcc-policy-service gx-service1
The following command will remove gx-service1 from the system:
no pcc-policy-service gx-service1
Specifies the name of the PCC service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.The commands available in this mode are defined in the PCC Service Configuration Mode Commands chapter.
Caution: This is a critical configuration. The PCC service can not be configured without this configuration. Any change to this configuration would lead to restarting the Policy and Charging Control service and removing or disabling this configuration will stop the PCC service.pcc-service ipcf-service1
The following command will remove ipcf-service1 from the system:
no pcc-service ipcf-service1
This command creates/removes an IPCF PCC Sp interface endpoint or configures an existing PCC Sp interface client endpoint and enters the PCC Sp Endpoint Configuration Mode to link, configure, and manage the operational parameters related to its peer.
Removes the specified PCC Sp interface endpoint from the context.
Specifies the name of the PCC Sp interface endpoint. If sp_intfc_endpoint does not refer to an existing endpoint, the new endpoint is created if resources allow.
sp_intfc_endpoint must be from 1 to 63 alpha and/or numeric characters.
Use this command to enter the PCC-Sp-Endpoint Configuration Mode for an existing interface or for a newly defined PCC Sp interface endpoint. This command is also used to remove an existing endpoints.
An instance of PCC Sp endpoint represent a client end for SSC/SPR interactions. It is possible to support multiple Sp endpoints each supporting the same or different protocol. The PCC Sp endpoint facilitates the configuration of the treatment required of the Sp interface as well as manage the connection and operational parameters related to its peer.
The commands available in this mode are defined in the PCC-Sp-Endpoint Configuration Mode Commands chapter.
Caution: This is a critical configuration. The PCC Sp endpoint can not be configured without this configuration. Any change to this configuration would lead to reset the PCC Sp interface and removing or disabling this configuration also disables the PCC Sp interface.pcc-sp-endpoint sp_intfc1
The following command will remove sp_intfc1 from the system:
pcc-sp-endpoint sp_intfc1
no pdg-service name
pdg-service name
name must be from 1 to 63 alpha and/or numeric characters and must be unique across all FNG services within the same context and across all contexts.
no pdg-service name
The following command configures an PDG service named pdg_service_1 and enters the PDG Service Configuration Mode:
pdg-service pdg_service_1
Specifies the name of a new or existing PDIF service. name must be from 1 to 63 alpha and/or numeric characters.
PDIF Service Configuration Mode commands are defined in the PDIF Service Configuration Mode Commands chapter.
The following command configures a PDIF service called pdif2 and enters the PDIF Service Configuration Mode:
pdif-service pdif2
[ no ] pdsn-service name
Specifies the name of the PDSN service to configure. If name does not refer to an existing service, the new service is created if resources allow. name must be from 1 to 63 alpha and/or numeric characters.
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.The following command will enter the PDSN Service Configuration Mode creating the service sampleService, if necessary.
pdsn-service sampleService
The following command will remove sampleService as being a defined PDSN service.
no pdsn-service sampleService
no pgw-service service_name
Specifies the name of the P-GW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
no pgw-service service_name
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.P-GW Service Configuration Mode commands are defined in the P-GW Service Configuration Mode Commands chapter.
pgw-service pgw-service1
The following command will remove pgw-service1 from the system:
no pgw-service pgw-service1
Specifies the name of the existing or new accounting policy. name must be from 1 to 63 alpha and/or numeric characters.
Accounting Policy Configuration Mode commands are defined in the Accounting Policy Configuration Mode Commands chapter.
policy accounting acct5
[ no ] policy-group name policy_group
Following command configures a policy group policy_group1 for a subscriber session flow.
policy-group name policy_group1
[ no ] policy-map name policy_name
Following command configures a policy map policy1 where other flow treatments is configured.
policy-map name policy1
ppp { acfc { receive { allow | deny } | transmit { apply | ignore | reject} } | auth-retry suppress-aaa-auth | chap fixed-challenge-length length | dormant send-lcp-terminate | echo-max-retransmissions num_retries | echo-retransmit-timeout msec | first-lcp-retransmit-timeout milliseconds | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay delay | lcp-terminate connect-state | lcp-terminate mip-lifetime-expiry | lcp-terminate mip-revocation | max-authentication-attempts num | max-configuration-nak num | max-retransmissions number | max-terminate number | mru packet_size | negotiate default-value-options | peer-authentication user_name [ encrypted ] password password ] | pfc { receive { allow | deny } | transmit { apply | ignore | reject} } | reject-peer-authentication | renegotiation retain-ip-address | retransmit-timeout milliseconds }
no ppp { auth-retry suppress-aaa-auth | chap fixed-challenge-length | dormant send-lcp-terminate | lcp-authentication-descard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay | lcp-terminate connect-state | reject-peer-authentication | renegotiation retain-ip-address }
no ppp { auth-retry suppress-aaa-auth | chap fixed-challenge-length | dormant send-lcp-terminate | lcp-authentication-discard retry-alternate num_discard | lcp-authentication-reject retry-alternate | lcp-start-delay | lcp-terminate connect-state | lcp-terminate mip-lifetime-expiry | lcp-terminate mip-revocation | negotiate default-value-options | reject-peer-authentication | renegotiation retain-ip-address }
In case of no ppp renegotiation retain-ip-address the initially allocated IP address will be released and a new IP address will be allocated during PPP renegotiation.
Default: allow
Default: ignore
Default: no auth-retry suppress-aaa-auth
Important: This option is not supported in conjunction with the GGSN product.chap fixed-challenge-length length
length must be an integer from 4 through 32.
Important: This option is not supported in conjunction with the GGSN product.echo-max-retransmissions num_retries
first-lcp-retransmit-timeout milliseconds
Specifies the number of milliseconds to wait before attempting to retransmit control packets. This value configures the first retry. All subsequent retries are controlled by the value configured for the ppp retransmit-timeout keyword.
milliseconds must be a value in the range 100 through 5000.
lcp-authentication-discard retry-alternate num_discard
num_discard must be an integer from 0 through 5. Recommended value is 2.
lcp-start-delay delay
The delay in milliseconds before link control protocol (LCP) is started. delay must be an integer from 0 through 5000.
Important: This option is not supported in conjunction with the GGSN product.num must be an integer in the range from 1 through 10.
num must be an integer in the range from 1 through 20.
max-retransmission number
Specifies the maximum number of times control packets will be retransmitted. number must be a value from 1 to 16.
max-terminate number
Sets the maximum number of PPP LCP Terminate Requests transmitted to the Mobile Node. number must be an integer from 0 through 16.
Important: This option is not supported in conjunction with the GGSN product.mru packet_size
Specifies the maximum packet size that can be received in bytes. packet_size must be an integer from 128 to 1500.
Specifies the user name and an optional password required for point-to-point protocol peer connection authentications. user_name must be from 1 to 63 alpha and/or numeric characters. The keyword password is optional and if specified password must be from 1 to 63 alpha and/or numeric characters. The password specified must be in an encrypted format if the optional keyword encrypted was specified.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
Default: allow
Default: ignore
retransmit-timeout milliseconds
Specifies the number of milliseconds to wait before attempting to retransmit control packets. milliseconds must be a value in the range 100 through 5000.
ppp peer-authenticate user1
Caution: Use caution when using this command. This command alters the way that some PPP statistics are calculated. Please consult your designated service representative before using this command
Important: HA Proxy DNS Intercept is a license-enabled feature.name must be a string from 1 to 63 characters in length.
The following command creates a proxy DNS rules list named list1 and places the CLI in the HA Proxy DNS Configuration Mode:
proxy-dns intercept-list list1
radius accounting { archive [ stop-only ] | deadtime dead_minutes | detect-dead-server { consecutive-failures consecutive_failures | keepalive | response-timeout timeout_duration } | interim interval seconds | max-outstanding max_messages | max-pdu-size octets | max-retries max_retries | max-transmissions max_transmissions | timeout timeout_duration | unestablished-sessions }
default radius accounting { deadtime | detect-dead-server | interim interval seconds | max-outstanding | max-pdu-size | max-retries | max-transmissions | timeout }
stop-only specifies archiving of STOP accounting messages only.
deadtime dead_minutes
dead_minutes must be an integer from 0 through 65535.
detect-dead-server { consecutive-failures consecutive_failures | keepalive | response-timeout timeout_duration }
|
•
|
consecutive-failures consecutive_failures: Specifies the number of consecutive failures, for each AAA manager, before a server is marked as unreachable.
|
consecutive_failures must be an integer from 0 through 1000.
|
•
|
keepalive: Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers.
|
|
•
|
response-timeout timeout_duration: Specifies the number of seconds for each AAA manager to wait for a response to any message before a server is detected as failed, or in a down state.
|
timeout_duration must be an integer from 1 through 65535.
Important: If both consecutive-failures and response-timeout are configured, then both parameters have to be met before a server is considered unreachable, or dead.interim interval seconds
seconds must be an integer from 50 through 40000000.
Important: If RADIUS is used as the accounting protocol for the GGSN product, other commands are used to trigger periodic accounting updates. However, these commands would cause RADIUS STOP/START packets to be sent as opposed to INTERIM-UPDATE packets. Also note that accounting interim interval settings received from a RADIUS server take precedence over those configured on the system.max-outstanding max_messages
max_messages must be an integer from 1 through 4000.
max-pdu-size octets
octets must be an integer from 512 through 4096.
max-retries max_retries
max_retries must be an integer from 0 through 65535.
max-transmissions max_transmissions
max_transmissions must be an integer from 1 through 65535.
timeout seconds
seconds must be an integer from 1 through 65535.
Default: first-server
first-n n
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. The full set of accounting data is sent to each of the n AAA servers. Response from any one of the servers would suffice to proceed with the call. On receiving an ACK from any one of the servers, all retries are stopped.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128.
version and must be an integer from 0 through 4294967295.
Important: This is a customer-specific keyword and needs customer-specific license to use this feature. For more information on GGSN preservation mode, refer GGSN Service Mode Commands chapter.Use the following command to set the HA accounting policy to custom1-aaa-res-mgmt:
radius accounting interim volume { downlink bytes uplink bytes | total bytes | uplink bytes downlink bytes }
bytes must be an integer from 100000 through 4000000000.
total bytes
bytes must be an integer from 100000 through 4000000000.
bytes must be an integer from 100000 through 4000000000.
list list_id
list_id must be an integer from 1 through 65535.
Individual subscriber can be associated to remote IP address lists through the configuration/specification of an attribute in their local or RADIUS profile. (Refer to the radius accounting command in the Subscriber Configuration mode.) When configured/specified, accounting data is collected pertaining to the subscriber’s communication with any of the remote addresses specified in the list.
radius accounting keepalive { calling-station-id id | consecutive-response responses_no_of | framed-ip-address ip_address | interval interval_duration | retries retries_no_of | timeout timeout_duration | username user_name }
id must be an alpha and/or numeric string of 1 through 15 characters in length.
consecutive-response responses_no_of
responses_no_of must be an integer from 1 through 5.
framed-ip-address ip_address
ip_address must be specified using the standard IPv4 dotted decimal notation.
interval interval_duration
retries retries_no_of
retries_no_of must be an integer from 3 through 10.
timeout timeout_duration
timeout_duration must be an integer from 1 through 30.
username user_name
user_name must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command sets the user name for the RADIUS keepalive access requests to Test-Username2:
radius accounting keepalive username Test-Username2
radius accounting rp { handoff-stop { immediate | wait-active-stop } | tod minute hour | trigger-event { active-handoff | active-start-param-change | active-stop } | trigger-policy { airlink-usage [ counter-rollover ] | custom [ active-handoff | active-start-param-change | active-stop ] | standard } | trigger-stop-start }
no radius accounting rp { tod minute hour | trigger-event { active-handoff | active-start-param-change | active-stop } | trigger-stop-start }
|
•
|
immediate: Indicates that accounting STOP should be generated immediately on handoff, i.e. not to wait active-stop from the old PCF.
|
|
•
|
wait-active-stop: Indicates that accounting STOP is generated only when active-stop received from the old PCF when handoff occurs.
|
Default: wait-active-stop
tod minute hour
minute must be an integer from 0 through 59.
hour must be an integer from 0 through 23.
|
•
|
active-handoff: Disables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PFC Handoff occurs. Instead, two R-P events occur (one for the Connection Setup, and the second for the Active-Start).
|
|
•
|
active-start-param-change: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
|
|
•
|
active-stop: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
|
Important: This keyword has been obsoleted by the trigger-policy keyword. Note that if this command is used, if the context configuration is displayed, radius accounting rp configuration is represented in terms of the trigger-policy.Default:airlink-usage: Disabled
|
•
|
active-handoff: Disabled
|
|
•
|
active-start-param-change: Disabled
|
|
•
|
active-stop: Disabled
|
|
•
|
standard: Enabled
|
|
•
|
airlink-usage [ counter-rollover ]: Designates the use of Airlink-Usage RADIUS accounting policy for R-P, which generates a start on Active-Starts, and a stop on Active-Stops.
|
If the counter-rollover option is enabled, the system generates a STOP/START pair before input/output data octet counts (or input/output data packet counts) become larger than (2^32 - 1) in value. This setting is used to guarantee that a 32-bit octet count in any STOP message has not wrapped to larger than 2^32 thus ensuring the accuracy of the count. The system, may, at its discretion, send the STOP/START pair at any time, so long as it does so before the 32-bit counter has wrapped. Note that a STOP/START pair is never generated unless the subscriber RP session is in the Active state, since octet/packet counts are not accumulated when in the Dormant state.
|
•
|
custom: Specifies the use of custom RADIUS accounting policy for R-P. The custom policy can consist of the following:
|
|
•
|
active-handoff: Enables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PFC Handoff occurs. Normally two R-P events will occur (one for the Connection Setup, and the second for the Active-Start).
|
|
•
|
active-start-param-change: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
|
Important: Note that a custom trigger policy with only active-start-param-change enabled is identical to the standard trigger-policy.|
•
|
active-stop: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
|
Important: If the radius accounting rp trigger-policy custom command is executed without any of the optional keywords, all custom options are disabled.|
•
|
standard: Specifies the use of Standard RADIUS accounting policy for R-P in accordance with IS-835B.
|
radius [ mediation-device ] accounting server ip_address [ encrypted ] key value [ acct-on { enable | disable } ] [ acct-off { enable | disable } ] [ max max_messages ] [ oldports ] [ port port_number ] [ priority priority ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
Important: If this option is not used, the system by default enables standard AAA transactions.ip_address must be specified in dotted decimal notation for IPv4 or colon notation for IPv6. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted.
The key value must be a string of 1 to 15 alpha and/or numeric characters or a string of 1 to 30 alpha and/or numeric characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plaint text key. Only the encrypted key is saved as part of the configuration file.
Default: disable
Default: enable
max max_messages
max_messages must be an integer from 1 through 256.
port port_number
port_number must be an integer from 0 through 65535.
priority priority
priority must be an integer from 1 through 1000, where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
|
•
|
standard: Use standard AAA transactions.
|
|
•
|
mediation-device: This keyword is obsolete.
|
Default: standard
no radius accounting server 1.2.5.6
The following command sets the accounting server with mediation device transaction for AAA server 1.2.3.4:
Default: first-server
Important: Please note that this command is applicable ONLY to CDMA products. To configure this functionality in UMTS/LTE products (GGSN/P-GW), use the command mediation-device delay-GTP-response in APN Configuration mode. radius attribute { nas-identifier id | nas-ip-address address primary_address [ backup secondary_address ] [ nexthop-forwarding-address nexthop_ip_address ] [ vlan vlan_id ] [ mpls-label input in_label_value output out_label_value1 out_label_value1 ] }
id must be a case-sensitive alpha and/or numeric string of 1 through 32 characters in length.
nas-ip-address address primary_address
primary_address : The IP address of the primary interface to use in the current context. This must be specified in dotted decimal notation for IPv4 or colon notation for IPv6.
backup secondary_address
|
•
|
in_label_value is the MPLS label that identifies inbound traffic destined for the configured NAS IP address.
|
|
•
|
out_label_value1 and out_label_value2 identify the MPLS labels to be added to the packets sent from the specified NAS IP address.
|
|
•
|
out_label_value1 is the inner output label.
|
|
•
|
out_label_value2 is the outer output label.
|
Important: This option is available only when nexthop-forwarding gateway is also configured with nexthop-forwarding-address keyword.nexthop-forwarding-address nexthop_ip_address
nexthop_ip_address must be an IPv4 address or an IPv6 address in standard format.
vlan vlan_id
vlan_id must be an integer from 1 through 4094.
The system uses a revertive algorithm when transitioning active NAS IP addresses as described below:
radius attribute nas-ip-address 1.2.3.4
no radius attribute nas-identifier sampleID
[ no ] radius change-authorize-nas-ip ip_address [ encrypted ] key value [ port port ] [ event-timestamp-window window ] [ no-nas-identification-check] [ no-reverse-path-forward-check ] [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]
Specifies the NAS IP address of the current context’s AAA interface that was defined with the radius attribute command.
ip_address can either be an IPv4 address expressed in dotted decimal notation, or an IPv6 address expressed in colon notation.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be a string of 1 to 15 alpha and/or numeric characters or a string of 1 to 30 alpha and/or numeric characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
port port
event-timestamp-window window
window must be an integer from 0 through 4294967295.
If window is specified as 0 (zero), this feature is disabled; the event-time-stamp attribute in COA or DM messages is ignored and the event-time-stamp attribute is not included in NAK or ACK messages.
|
•
|
in_label_value is the MPLS label that identifies inbound COA traffic.
|
|
•
|
out_label_value1 and out_label_value2 identify the MPLS labels to be added to COA response.
|
|
•
|
out_label_value1 is the inner output label.
|
|
•
|
out_label_value2 is the outer output label.
|
|
•
|
3GPP-IMSI: The subscriber’s IMSI. It may include the 3GPP-NSAPI attribute to delete a single PDP context rather than all of the PDP contexts of the subscriber when used with the GGSN product.
|
|
•
|
Framed-IP-address: The subscriber’s IP address.
|
|
•
|
Acct-Session-Id: Identifies a subscriber session or PDP context.
|
Important: For the GGSN product, the value for Acct-Session-Id that is mandated by 3GPP is used instead of the special value for Acct-Session-Id that we use in the RADIUS messages we exchange with a RADIUS accounting server.
Important: When this command is used in conjunction with the GGSN, CoA functionality is not supported.Specify the IP address 192.168.100.10 as the NAS IP address, a key value of 123456 and use the default port of 3799, by entering the following command:
[ no | default ] radius charging { deadtime dead_minutes | detect-dead-server { consecutive-failures consecutive_failures | response-timeout timeout_duration } | max-outstanding max_messages | max-retries max_retries | max-transmissions transmissions | timeout timeout_duration }
deadtime dead_minutes
dead_minutes must be an integer from 0 through 65535.
detect-dead-server { consecutive-failures consecutive_failures | response-timeout timeout_duration }
consecutive-failures consecutive_failures: Default: 4. Specifies the number of consecutive failures, for each AAA manager, before a server is marked as unreachable. consecutive_failures must be an integer from 0 through 1000.
response-timeout timeout_duration: Specifies the number of seconds for each AAA manager to wait for a response to any message before a server is detected as failed, or in a down state.
max-outstanding max_messages
max_messages must be an integer from 1 through 4000.
max-retries max_retries
max_retries must be an integer from 0 through 65535.
max-transmissions transmissions
Sets the maximum number of re-transmissions for RADIUS authentication requests. This limit is used in conjunction with the max-retries for each server.
transmissions must be an integer from 1 through 65535.
timeout timeout_duration
timeout_duration must be an integer from 1 through 65535.
first-n n
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. Response from any one of the n AAA servers would suffice to proceed with the call. The full set of accounting data is sent to each of the n AAA servers.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128.
radius charging accounting server ip_address [ encrypted ] key key [ max max_messages ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
ip_address must be specified using the standard IPv4 dotted decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key key must be a string of 1 to 15 alpha and/or numeric characters, or when encrypted a string of 1 to 30 alpha and/or numeric characters.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plaint text key. Only the encrypted key is saved as part of the configuration file.
max max_messages
max_messages must be integer from 0 through 4000.
max-rate max_rate
max_rate must be an integer from 1 through 1000.
port port_number
port_number must be an integer from 0 through 65535.
priority priority
priority must be a value in the range 1 through 1000 where 1 is the highest priority.
Default: first-server
radius charging server ip_address [ encrypted ] key key [ max max_messages ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
ip_address must be specified using the standard IPv4 dotted decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key key must be a string of 1 to 15 alpha and/or numeric characters, or when encrypted a string of 1 to 30 alpha and/or numeric characters.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
max max_messages
max_messages must be an integer from 0 through 4000.
max-rate max_rate
max_rate must be an integer from 1 through 1000.
port port_number
port_number must be an integer from 0 through 65535.
priority priority
priority must be a value in the range 1 through 1000 where 1 is the highest priority.
no radius charging server 1.2.5.6
radius deadtime minutes
minutes must be an integer from 0 through 65535.
Important: This parameter should be set to allow enough time to remedy the issue that originally caused the server’s state to be changed to “Down”. After the deadtime timer expires, the system returns the server’s state to “Active” regardless of whether or not the issue has been fixed.
Important: For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior appendix in the AAA and GTPP Interface Administration and Reference.radius deadtime 100
radius detect-dead-server { consecutive-failures consecutive_failures_count | keepalive | response-timeout timeout_duration }
|
•
|
consecutive-failures: Enabled; 4 consecutive failures
|
|
•
|
keepalive: Disabled
|
|
•
|
response-timeout: Disabled
|
consecutive-failures consecutive_failures_count
consecutive_failures_count must be an integer from 1 through 1000.
response-timeout timeout_duration
timeout_duration must be an integer from 1 through 65535.
Important: If both consecutive-failures and response-timeout are configured, then both parameters must be met before a server’s state is changed to “Down”.
Important: The “Active” or “Down” state of a RADIUS server as defined by the system, is based on accessibility and connectivity. For example, if the server is functional but the system has placed it into a “Down” state, it could be the result of a connectivity problem. When a RADIUS server’s state is changed to “Down”, a trap is sent to the management station and the deadtime timer is started.radius dictionary dictionary
dictionary must be one of the following values:
|
customXX
|
XX is the integer value of the custom dictionary.
 Important: RADIUS dictionary custom23 should be used in conjunction with Active Charging Service (ACS). |
This command has been deprecated and is replaced by AAA Server Group configurations. See the AAA Server Group Configuration Mode Commands chapter.
vrf_name is the name of a pre-configured virtual routing and forwarding (VRF) context configured in Context configuration mode through ip vrf command.
Caution: Any incorrect configuration, such as associating AAA group with wrong VRF instance or removing a VRF instance, will fail the RADIUS communication.The following command associates VRF context instance ip_vrf1 with specific AAA group (NAS-IP):
[ default ] radius keepalive [ calling-station-id id | consecutive-response responses_no_of | encrypted | interval interval_duration | password | retries retries_no_of | timeout timeout_duration | username user_name | valid-response access-accept [ access-reject ] ]
id must be an alpha and/or numeric string of 1 through 15 characters in length.
consecutive-response responses_no_of
responses_no_of must be an integer from 1 through 5.
password must be an alpha and/or numeric string of 1 through 64 characters in length.
interval interval_duration
password must be an alpha and/or numeric string of 1 through 64 characters in length.
retries retries_no_of
retries_no_of must be an integer from 3 through 10.
timeout timeout_duration
timeout_duration must be an integer from 1 through 30.
username user_name
user_name must be an alpha and/or numeric string of 1 through 127 characters in length.
If access-reject is configured, then both access-accept and access-reject are considered as success for the keepalive authentication request.
If access-reject is not configured, then only access-accept is considered as success for the keepalive access request.
Default: keepalive valid-response access-accept
The following command sets the user name for the RADIUS keepalive access requests to Test-Username2:
radius keepalive username Test-Username2
radius max-outstanding max_messages
max_messages must be an integer from 1 through 4000.
radius max-retries max_retries
max_retries must be an integer from 0 through 65535.
radius max-transmissions max_transmissions
Specifies the maximum number of re-transmissions for RADIUS authentication requests. This limit is used in conjunction with radius max-retries configuration for each server.
max_transmissions must be an integer from 1 through 65535.
See the radius accounting server command.
radius probe-interval seconds
seconds must be an integer from 1 through 65535.
radius probe-max-retries retries
retries must be an integer from 1 through 65535.
radius probe-message local-service-address ipv4/ipv6_address
Disables sending of AVPs configured under probe-message cli in RADIUS authentication probe messages.
ip_address must be specified in dotted decimal notation for IPv4 or colon notation for IPv6. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
The following command configures the service ip-address 21.32.36.25 to be sent as an AVP in RADIUS authentication probe messages:
radius probe-message local-service-address 21.32.36.25
radius probe-timeout timeout_duration
timeout_duration must be an integer from 1 through 65535.
radius server ip_address [ encrypted ] key value [ max max_messages ] [ max-rate max_rate ] [ oldports ] [ port port_number ] [ priority priority ] [ probe | no-probe ] [ probe-username user_name ] [ probe-password [ encrypted ] password password ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
ip_address must be specified in dotted decimal notation for IPv4 or colon notation for IPv6. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be a string of 1 to 15 alpha and/or numeric characters or a string of 1 to 30 alpha and/or numeric characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
max max_messages
max_messages must be an integer from 0 through 4000.
max-rate max_rate
max_rate must be an integer from 1 through 1000.
port port_number
port_number must be an integer from 1 through 65535.
priority priority
priority must be a value in the range 1 through 1000 where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
Disable probe messages from being sent to the specified RADIUS server. This is the default behavior.
probe-username username
user_name must be an alpha and/or numeric string of 1 through 127 characters in length.
encrypted: This keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
password password: Specifies the probe-user password for authentication. password must be an alpha and/or numeric string of 1 through 63 characters in length.
mediation-device: Specifies mediation-device specific AAA transactions. This device is available if you purchased a transaction control services license. Contact your local sales representative for licensing information.
standard: Specifies standard AAA transactions. (Default)
no radius server 1.2.5.6
By default, strip-domain configuration will be applied to both authentication and accounting messages, if configured. When the argument authentication-only or accounting-only is present, strip-domain is applied only to the specified RADIUS message types.
The following command configures the stripping of domain from the user name prior to authentication:
radius timeout timeout_duration
timeout_duration must be an integer from 1 through 65535.
radius timeout 300
[ no ] route-access-list extended identifier { deny | permit } ip { network_parameter } { mask_parameter }
identifier must be an integer from 100 through 999.
ip_address wildcard_mask: A network address and wildcard mask expressed in IPv4 dotted decimal notation. (192.168.100.0 0.0.0.255)
any: Match any network address.
host network_address: Match the specified network address exactly. network_address must be an IPv4 address specified in dotted decimal notation.
mask_address wildcard_mask: A mask address and wildcard mask expressed in IPv4 dotted decimal notation. (255.255.255.0 0.0.0.255)
any: Match any network mask.
host mask_address: Match the specified mask address exactly. mask_address must be an IPv4 address specified in dotted decimal notation.
This command configures an access list for filtering routes based on a network address and net mask.
[ no ] route-access-list named list_name { deny | permit } { ip_address/mask | any } [ exact-match ]
A name that identifies the route access list. list_name must be a string of 1 through 79 alphanumeric characters in length.
Use the following command to create a route access list named list27 that permits routes that match 192.168.1.0/24 exactly:
[ no ] route-access-list standard identifier { permit | deny } { ip_address wildcard_mask | any | host network_address }
The IP address and subnet mask to match for routes. Both ip_address and wildcard_mask must be entered in IPv4 dotted decimal notation. (192.168.100.0 255.255.255.0)
host network_address
Routes must match the specified network address as if it had a 32-bit network mask. network_address must be an IPv4 address specified in dotted decimal notation.
Use the following command to create a route access list with an identifier of 10 that permits routes:
This command creates a route-map that is used by the routing features and enters Route-map Configuration mode. A route-map allows redistribution of routes. A routemap has a list of match and set commands associated with it. The match commands specify the conditions under which redistribution is allowed and the set commands specify the particular redistribution actions to be performed if the criteria specified by match commands are met. Route-maps are used for detailed control over route distribution between routing processes. Up to eight route-maps can be created in each context. Refer to the Route-map Configuration Mode Commands chapter for more information.
no route-map map_name
This command enables the OSPF routing functionality and enters the OSPF Configuration Mode. Refer to the OSPF Configuration Mode Commands chapter for details on OSPF Configuration mode commands.
bgp as_number
Enable a BGP routing service for this context and assign it the specified AS number. as_number must be an integer from 1 through 4294967295.
Important: BGP routing is supported only for use with the HA.
Important: You must obtain and install a valid OSPF or BGP-4 feature use license key to use OSPF and BGP routing features. Refer to the System Administration Guide for details on obtaining and installing feature use license keys.The following command enables the OSPF routing functionality and enters the OSPF Configuration Mode:
The following command enables a BGP routing service with an AS number of 100, and enters the BGP Configuration Mode:
router bgp 100
Important: The FTPD server can only be configured in the local context.
Important: The SSHD server allows only three unsuccessful login attempts before closing a login session attempt.
Important: The TELNET server allows only three unsuccessful login attempts before closing a login session attempt.
Important: The TFTPD server can only be configured in the local context.
Important: For details about the commands and parameters, check the SGSN Service Configuration Mode chapter.[ no ] sgsn-service srvc_name
The following command creates an SGSN service named sgsn1 in the current context:
sgsn-service sgsn1
The following command removes the sgsn service named sgsn1 from the configuration for the current context:
no sgsn-service sgsn1
[ no ] sgs-service name
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.SGS Service Configuration Mode commands are defined in the SGS Service Configuration Mode Commands chapter.
The following command creates an SGS service named sgs1 in the current context:
sgs-service sgs1
The following command removes the SGS service named sgs1 from the configuration for the current context:
no sgs-service sgs1
[ no ] sgtp-service svc_name
The following command creates an SGTP service named sgtp1 in the current context:
sgtp-service sgtp1
The following command removes the sgsn service named sgtp1 from the configuration for the current context:
no sgtp-service sgtp1
no sgw-service service_name
Specifies the name of the S-GW service. If service_name does not refer to an existing service, the new service is created if resources allow.
service_name must be from 1 to 63 alpha and/or numeric characters.
no sgw-service service_name
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.S-GW Service Configuration Mode commands are defined in the S-GW Service Configuration Mode Commands chapter.
sgw-service sgw-service1
The following command will remove spgw-service1 from the system:
no sgw-service sgw-service1
This command sets the public/private key pair to be used by the system where data is the encrypted key and length is the length of the encrypted key in octets. data must be an alpha and/or numeric string of 1 to 1023 characters and octets must be a value in the range of 0 through 65535.
v1-rsa: SSH v1 RSA host key only
v2-rsa: SSH v2 DSA host key only
v2-dsa: SSH v2 RSA host key only
Important: For maximum security, it is recommended that only SSH v2 be used. v2-rsa is the recommended key type.name must be from 1 to 127 alpha and/or numeric characters.
SSL Template Configuration Mode commands are defined in the SSL Template Configuration Mode Commands chapter.
The following command specifies the SSL template ssl_template_1 and enters the SSL Template Configuration Mode:
default | name user_name
default: Enters the Subscriber Configuration Mode for the context’s default subscriber settings.
name user_name: Specifies the user which is to be allowed to use the services of the current context. user_name must be from 1 to 127 alpha and/or numeric characters.
asn-service-info mobility: This configuration indicates the type of mobility supported and enabled in the ASN.
Important: A maximum of 128 subscribers and/or administrative users may be locally configured per context.Following command configures a subscriber named user1 in a context:
subscriber name user1
Following command removes a subscriber named user1 from a context:
no subscriber name user1
low_thresh can be configured to any integer value between 0 and 100.
clear high_thresh
high_thresh can be configured to any integer value between 0 and 100. The default is 10
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.|
•
|
Enter Condition: Actual IP address utilization percentage per pool group < Low Threshold
|
|
•
|
Clear Condition: Actual IP address utilization percentage per pool group > High Threshold
|
The following command configures a context-level IP pool utilization low threshold percentage of 10 and a high threshold of 35 for an system using the Alarm thresholding model:
clear low_thresh
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.|
•
|
Enter Condition: Actual number of calls setup per second > High Threshold
|
|
•
|
Clear Condition: Actual number of calls setup per second < Low Threshold
|
The following command configures a number of calls setup per second threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
clear high_thresh
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.|
•
|
Enter Condition: Actual percentage of IP addresses free per pool < Low Threshold
|
|
•
|
Clear Condition: Actual percentage of IP addresses free per pool > High Threshold
|
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.The following command configures a context-level IP pool percentage of IP addresses that are unused low threshold percentage of 10 and a high threshold of 35 for an system using the Alarm thresholding model:
clear low_thresh
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.|
•
|
Enter Condition: Actual percentage of IP addresses on hold per pool > High Threshold
|
|
•
|
Clear Condition: Actual percentage of IP addresses on hold per pool < Low Threshold
|
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.The following command configures a context-level IP pool percentage of IP addresses that are on high threshold percentage of 35 and a low threshold of 10 for an system using the Alarm thresholding model:
clear low_thresh
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.|
•
|
Enter Condition: Actual percentage of IP addresses in the release state per pool > High Threshold
|
|
•
|
Clear Condition: Actual percentage of IP addresses in the release state per pool < Low Threshold
|
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.The following command configures a context-level IP pool percentage of IP addresses that are in the release state high threshold percentage of 35 and a low threshold of 10 for an system using the Alarm thresholding model:
clear low_thresh
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the low threshold.|
•
|
Enter Condition: Actual percentage of IP addresses used per pool > High Threshold
|
|
•
|
Clear Condition: Actual percentage of IP addresses used per pool < Low Threshold
|
Important: This command is overridden by the settings of the alert-threshold keyword of the ip pool command.The following command configures a context-level IP pool percentage of IP addresses that are used high threshold percentage of 35 and a low threshold of 10 for an system using the Alarm thresholding model:
Refer to the threshold available-ip-pool-group command, the threshold ip-pool-x commands and the alert-threshold keyword of the ip pool command for additional information on these values.
|
•
|
SNMP traps: SNMP traps have been created that indicate the condition (high threshold crossing and/or clear) of each of the monitored values. Complete descriptions and other information pertaining to these traps is located in the starentMIB(8164).starentTraps(2) section of the SNMP MIB Reference.
|
|
•
|
Logs: The system provides a facility called threshold for which active and event logs can be generated. As with other system facilities, logs are generated Log messages pertaining to the condition of a monitored value are generated with a severity level of WARNING.
|
|
•
|
Alarm System: High threshold alarms generated within the specified polling interval are considered “outstanding” until a the condition no longer exists and/or a condition clear alarm is generated.
|
Refer to the threshold poll command in Global Configuration Mode Commands for information on configuring the polling interval over which IP address pool utilization is monitored.
clear low_thresh
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.|
•
|
Enter Condition: Actual number of calls setup per second > High Threshold
|
|
•
|
Clear Condition: Actual number of calls setup per second < Low Threshold
|
The following command configures a number of calls setup per second threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
