Diameter Endpoint Configuration Mode Commands


 
 
Diameter Endpoint Configuration Mode is accessed from the Context Configuration Mode. The base Diameter protocol operation is configured in the Diameter Endpoint Configuration Mode.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
associate
This command associates or disassociates an SCTP parameter template with the Diameter endpoint.
Product
MME
Privilege
Administrator
Syntax
associate sctp-parameter-template template_name
no associate sctp-parameter-template
no
Disassociates an SCTP parameter template from the Diameter endpoint.
sctp-parameter-template template_name
Associates a previously created SCTP parameter template with the Diameter endpoint.
template_name specifies the name for a pre-configured SCTP parameter template. For more information on SCTP parameter templates, refer to the sctp-param-template command in the Global Configuration Mode Commands chapter.
Usage
Use this command to associate a configured SCTP parameter template with the Diameter endpoint.
The SCTP parameter template allows for SCTP timer values to be configured for the interface using the Diameter endpoint configuration. For more information on SCTP parameters, refer to the SCTP Parameter Template Configuration Mode Commands chapter.
Important: Only one SCTP parameter template can be associated with the Diameter endpoint configuration. The SCTP parameter template should be configured prior to issuing this command.
Only the following parameters from the template will be associated with the endpoint. When no SCTP parameter template is associated with the endpoint, the following default values are used:
sctp-cookie-life 60000 (default for the parameter template as well)
sctp-max-init-retx 5 (default for the parameter template as well)
sctp-max-path-retx 10 (default in the parameter template is 5)
sctp-rto-initial 3000 (default for the parameter template as well)
sctp-rto-max 60000 (default for the parameter template as well)
sctp-rto-min 1000 (default for the parameter template as well)
sctp-sack-period 200 (default for the parameter template as well)
timeout sctp-heart-beat 30 (default for the parameter template as well)
Example
The following command associates a pre-configured SCTP parameter template called sctp1 to the Diameter endpoint:
associate sctp-parameter-template sctp1
 
cea-timeout
This command configures the Capabilities-Exchange-Answer (CEA) message timeout duration for Diameter sessions.
Product
All
Privilege
Security Administrator, Administrator
Syntax
cea-timeout timeout
default cea-timeout
default
Configures this command with the default setting.
Default: 30 seconds
timeout
Specifies how long, in seconds, the system waits for the CEA message.
timeout must be an integer from 1 through 120.
Usage
Use this command to configure the CEA timer, i.e., how long to wait for the Capabilities-Exchange-Answer message.
Example
The following command sets the Diameter CEA timeout to 16 seconds:
cea-timeout 16
 
connection retry-timeout
This command configures the Diameter Connection Retry Timeout parameter.
Product
All
Privilege
Security Administrator, Administrator
Syntax
connection retry-timeout timeout
default connection retry-timeout
default
Configures this command with the default setting.
Default: 30 seconds
timeout
Specifies the connection retry timeout duration, in seconds, and must be an integer from 1 through 3600.
Usage
Use this command to configure the Diameter Connection Retry Timeout parameter.
Example
The following command sets the Diameter Connection Retry Timer to 120 seconds:
connection retry-timeout 120
 
connection timeout
This command configures the Diameter Connection Timeout parameter.
Product
All
Privilege
Security Administrator, Administrator
Syntax
connection timeout timeout
default connection timeout
default
Configures this command with the default setting.
Default: 30 seconds
connection timeout timeout
timeout specifies the connection timeout duration, in seconds, and must be an integer from 1 through 30.
Usage
Use this command to configure the Diameter Connection Timeout parameter.
Example
The following command sets Diameter connection timeout to 16 seconds:
connection timeout 16
 
destination-host-avp
This command controls encoding of the Destination-Host AVP in initial/retried requests.
Product
All
Privilege
Security Administrator, Administrator
Syntax
destination-host-avp { session-binding | always | initial-request | retried-request }
default destination-host-avp
default
Configures this command with the default setting.
Default: session-binding
session-binding
Specifies to include the Destination-Host AVP when the Diameter session is bound with a host.
always
Specifies to include the Destination-Host AVP in all types of request messages.
initial-request
Specifies to include the Destination-Host AVP in initial request but not in retried request.
retried-request
Specifies to include the Destination-Host AVP in retried request but not in initial request.
Usage
Use this command to control encoding of the Destination-Host AVP in initial/retried requests.
This CLI command was introduced in release 12.0. In earlier releases, the Destination-Host AVP was not sent in the session-setup/initial request, that is, the first message sent on that interface for that subscriber. The message varies by interface: for example, CCR-Initial for Gy, ACR-start for Rf, and so on. The Destination-Host AVP was also not sent in retried requests, for example when a CCR-Update was not answered by the server and the message was retransmitted to an alternate server.
In both these scenarios, it is not known which server will respond to the initial/retried message, so the Destination-Realm is encoded but not the Destination-Host. Only after a response for this message is received from one of the hosts present in that realm, the session is considered to be BOUND with that server. Any message sent after this binding will have the Destination-Host AVP encoded.
In this release, with this CLI command, encoding of this AVP in the initial/retried request is configurable if the application has selected one of the servers using application-level commands, such as the peer-select command for credit-control or the diameter authentication/accounting server command in an AAA group.
Example
The following command specifies to include the Destination-Host AVP in initial request but not in retried request:
destination-host-avp initial-request
 
device-watchdog-request
This command manages the transport failure algorithm and configures the number of Device Watchdog Requests (DWRs) that will be sent before a connection is closed.
Product
All
Privilege
Security Administrator, Administrator
Syntax
device-watchdog-request max-retries retry_count
default device-watchdog-request max-retries
default
Configures this command with the default setting.
Default: 1
retry_count
Specifies the maximum number of DWRs, and must be an integer from 1 through 10.
Usage
Use this command to configure the number of DWRs to be sent before closing the connection from a Diameter endpoint.
Example
The following command sets the DWRs to 3:
device-watchdog-request max-retries 3
 
dpa-timeout
This command configures the Disconnect-Peer-Answer (DPA) message timeout duration for the Diameter sessions.
Product
All
Privilege
Security Administrator, Administrator
Syntax
dpa-timeout timeout
default dpa-timeout
default
Configures this command with the default setting.
Default: 30 seconds
timeout
Specifies the DPA message timeout duration, in seconds, and must be an integer from 1 through 60.
Usage
Use this command to set the DPA message timeout for a Diameter connection. The system waits for this duration for the DPA message.
Example
The following command sets the Diameter DPA timeout to 16 seconds:
dpa-timeout 16
 
dynamic-peer-discovery
Configures the system to dynamically locate peer Diameter servers by means of DNS.
Product
All
Privilege
Security Administrator, Administrator
Syntax
dynamic-peer-discovery [ protocol { sctp | tcp } ]
{ default | no } dynamic-peer-discovery
default
Configures this command with the default setting.
Default: disabled
no
Removes the configuration.
protocol { sctp | tcp }
Configures peer discovery to use a specific protocol.
sctp: Specifies that the Stream Control Transmission Protocol (SCTP) is to be used for peer discovery.
tcp: Specifies that the Transmission Control Protocol (TCP) is to be used for peer discovery.
Default: TCP
Usage
Use this command to configure the system to dynamically locate peer Diameter servers by means of DNS.
Configure the dynamic-peer-realm command to locate Diameter servers using Naming Authority Pointer (NAPTR) queries. If the peer realm command is not configured, configuring this command will still allow applications to trigger an NAPTR query on their chosen realms.
The preferred transport protocol is TCP, which resolves instances where multiple NAPTR responses with the same priority are received: the one using the TCP transport protocol will be chosen. If the transport protocol is configured through the CLI, then the configured protocol is given preference.
The IP address version will be the same as that of the origin host address configured for the endpoint. For IPv4 endpoints, A-type DNS queries will be sent to resolve FQDNs. For IPv6 endpoints, AAAA-type queries are sent.
Example
The following command configures the system to dynamically locate peer Diameter servers using SCTP:
dynamic-peer-discovery protocol sctp
 
dynamic-peer-failure-retry-count
Configures the number of times the system will attempt to connect to a dynamically discovered Diameter peer.
Product
All
Privilege
Security Administrator, Administrator
Syntax
dynamic-peer-failure-retry-count no_of_retries
default dynamic-peer-failure-retry-count
default
Configures this command with the default setting.
Default: 8
no_of_retries
Specifies the number of retry attempts to connect to a dynamically discovered Diameter peer.
no_of_retries must be an integer from 0 through 255.
Usage
Use this command to configure the number of times the system attempts to connect to a dynamically discovered Diameter peer.
If the peer is still not open after the specified number of attempts, the peer is moved into the blacklist and other peers are tried. The blacklisted peer will be retried after a time period of one hour.
Example
The following command sets the retry attempts to 10:
dynamic-peer-failure-retry-count 10
 
dynamic-peer-realm
Configures the name of the realm where peer Diameter servers can be dynamically discovered.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] dynamic-peer-realm realm_name
no
Removes the specified dynamic peer realm name from this endpoint configuration.
realm_name
Specifies the name of the peer realm where peer Diameter servers are to be dynamically discovered. realm_name must be an existing realm, and must be an alpha and/or numeric string of 1 through 127 characters in length.
Usage
Use this command to locate Diameter servers using Naming Authority Pointer (NAPTR) queries.
Multiple realms can be configured. Even if the dynamic-peer-discovery command is not enabled, the realm configuration(s) will trigger dynamic peer discovery on all diabase instances.
Example
The following command configures a peer realm, used for dynamic peer discovery, with a name of service-provider.com:
dynamic-peer-realm service-provider.com
 
dynamic-route
Configures the expiration time for dynamic routes created after a Diameter destination host is reached.
Product
All
Privilege
Security Administrator, Administrator
Syntax
dynamic-route expiry-timeout value
default dynamic-route expiry-timeout
default
Configures this command with the default setting.
Default: 86400 seconds (1 day)
value
Specifies the time, in seconds, that a dynamic route to a Diameter host will expire in.
value must be an integer from 1 through 86400000.
Usage
Use this command to set expiration times for dynamic routes that are set up after a Diameter host has been reached.
Example
The following command sets the dynamic route expiration to 43200 seconds:
dynamic-route expiry-timeout 43200
 
end
This command returns the CLI prompt to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to change to the Exec mode.
 
exit
This command exits the Diameter Endpoint Configuration mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the parent configuration mode.
 
load-balancing-algorithm
Configures the behavior for load balancing Diameter peers in the event of a failure of an active server.
Product
All
Privilege
Security Administrator, Administrator
Syntax
load-balancing-algorithm { highest-weight | lowest-weight-borrowing min-active-servers number }
default load-balancing-algorithm
default
Configures this command with the default setting.
Default: highest-weight
highest-weight
Specifies that an idle server with the highest weight is selected in failure scenarios. If multiple servers have the same high weight, load balancing is performed among those servers.
lowest-weight-borrowing min-active-servers number
Specifies that an idle server with the lowest weight is borrowed and added to the group of servers where load balancing is performed.
number specifies the number of servers that must always be available as active for load balancing, and must be an integer from 2 through 4000.
Usage
Use this command to configure the behavior for load balancing Diameter peers in the event of a failure of an active server.
Example
The following command configures the load balancing behavior for Diameter peers to borrowing minimally active servers (lower weight) and maintaining an active server group of 30 servers:
load-balancing-algorithm lowest-weight-borrowing min-active-servers 30
 
max-outstanding
This command specifies the maximum number of Diameter messages that any application can send to any one peer, awaiting responses.
Product
All
Privilege
Security Administrator, Administrator
Syntax
max-outstanding messages
{ default | no } max-outstanding
no
Disables the maximum outstanding messages configuration.
default
Configures this command with the default setting.
Default: 256
messages
Specifies the maximum outstanding peer transmit window size setting, and must be an integer from 1 through 4096.
Usage
Use this command to set the maximum number of unanswered Diameter messages that any application may send to any one peer while awaiting responses. An application will not send any more Diameter messages to that peer until it has disposed of at least one of those queued messages. It disposes of a message by either receiving a valid response or by discarding the message due to no response.
Example
The following command sets the Diameter maximum outstanding messages setting to 1024:
max-outstanding 1024
 
origin address
This command has been deprecated. See the origin host and origin realm commands.
 
origin host
This command sets the origin host for the Diameter endpoint.
Product
All
Privilege
Security Administrator, Administrator
Syntax
origin host host_name address ipv4/ipv6_address [ port port_number ] [ accept-incoming-connections ] [ address ipv4/ipv6_address_secondary ]
no origin host host_name address ipv4/ipv6_address [ port port_number ]
no
Removes the origin host configuration.
host_name
Specifies the host name to bind the Diameter endpoint.
host_name must be the local Diameter host name, and must be a string of 1 through 255 characters in length.
address ipv4/ipv6_address
Specifies the IP address to bind the Diameter endpoint. This address must be one of the addresses of a chassis interface configured within the context in which Diameter is configured.
ipv4/ipv6_address must either be an IPv4 address expressed in dotted decimal notation, or an IPv6 address expressed in colon notation.
port port_number
Specifies the port number for the Diameter endpoint (on inbound connections).
port_number must be an integer from 1 through 65535.
accept-incoming-connections
Specifies to accept inbound connection requests for the specified host.
address ipv4/ipv6_address_secondary
Specifies the secondary bind address for the Diameter endpoint. This address must be one of the addresses of a chassis interface configured within the context in which Diameter is configured.
ipv4/ipv6_address_secondary must either be an IPv4 address expressed in dotted decimal notation, or an IPv6 address expressed in colon notation.
Usage
Use this command to set the bind address for the Diameter endpoint.
The Diameter agent on the chassis listens on the standard TCP port 3868 and also supports the acceptance of any incoming TCP connection from an external server.
The command origin host host-name must be entered exactly once. Alternatively, the origin host host-name address ipv4/ipv6_address [ port port_number ] command may be entered one or more times. The host names should be unique across all endpoints within the system. The host names and address values or address/port combinations should be unique across all endpoints within the system.
Example
The following command sets the origin host name to test and the IP address to 1.1.1.1:
origin host test address 1.1.1.1
 
origin realm
This command configures the realm to use in conjunction with the origin host.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] origin realm realm_name
no
Removes the origin realm configuration.
realm_name
Specifies the realm to bind the Diameter endpoint. The realm is the Diameter identity. The originator’s realm must be present in all Diameter messages. The origin realm can typically be a company or service name.
realm_name must be an alpha and/or numeric string of 1 through 127 characters in length.
Usage
Use this command to set the realm for the Diameter endpoint.
The Diameter agent on the chassis listens on the standard TCP port 3868 and also supports the acceptance of any incoming TCP connection from an external server.
Example
The following command sets the origin realm to companyx:
origin realm companyx
 
peer
This command specifies a peer address for the Diameter endpoint.
Product
All
Privilege
Security Administrator, Administrator
Syntax
peer [*] peer_name [*] [ realm realm_name ] { address ipv4/ipv6_address [ [ port port_number ] [ connect-on-application-access ] [ send-dpr-before-disconnect disconnect-cause disconnect_cause ] [ sctp ] ] + | fqdn fqdn [ [ port port_number ] [ send-dpr-before-disconnect disconnect-cause disconnect_cause ] ] }
no peer peer_name [ realm realm_name ]
no
Removes the specified peer configuration.
[*] peer_name [*]
Specifies the peer’s name.
peer_name must be an alpha and/or numeric string of 1 through 63 characters in length, and allows punctuation characters.
The Diameter server endpoint can now be a wildcarded peer name (with * as a valid wildcard character); client peers that satisfy the wildcarded pattern are treated as valid peers and the connection is accepted. The wildcarded token indicates that the peer name is wildcarded and any ‘*’ in the preceding string is treated as a wildcard.
realm realm_name
Specifies the realm of this peer.
realm_name must be an alpha and/or numeric string of 1 through 127 characters in length. The realm name can be a company or service name.
address ipv4/ipv6_address
Specifies the Diameter peer IP address. This address must be the IP address of the device the chassis is communicating with.
ipv4/ipv6_address can either be an IPv4 address expressed in dotted decimal notation, or an IPv6 address expressed in colon notation.
fqdn fqdn
Specifies the Diameter peer fully qualified domain name (FQDN).
fqdn must be an alpha and/or numeric string of 1 through 127 characters in length.
port port_number
Specifies the port number for this Diameter peer.
port_number must be an integer from 1 through 65535.
connect-on-application-access
Specifies to activate peer on first application access.
send-dpr-before-disconnect
Specifies to send Disconnect-Peer-Request (DPR).
disconnect-cause
Specifies to send Disconnect-Peer-Request to the specified peer with the specified disconnect reason. The disconnect cause must be an integer from 0 through 2, for one of the following:
sctp
To use Stream Control Transmission Protocol (SCTP) for this peer.
+
Indicates that more than one of the previous keywords can be entered within a single command.
Usage
Use this command to add a peer to the Diameter endpoint.
If the Diameter server side endpoint is catering to multiple peers, there has to be an entry for each peer in the peer list for that endpoint.
In cases where a client such as the GGSN does not use a Diameter proxy, the peer list can be as large as the number of session managers on the GGSN. This might lead to a very complex configuration at the Diameter server endpoint.
To simplify the configuration, the Diameter server endpoint accepts a wildcarded peer name (with * as a valid wildcard character).
Client peers that satisfy the wildcarded pattern are treated as valid peers and the connection is accepted. The new token ‘wildcarded*’ indicates that the peer name is wildcarded and any ‘*’ in the preceding string should be treated as a wildcard.
For example, if the peer name is prefixed and suffixed with the * wildcard character (*ggsn*) and an exact match is not found for the peer name, peers such as 0001-sessmgr.ggsn-gx and 0002-sessmgr.ggsn-gx will be treated as valid peers at the Diameter server endpoint.
Example
The following command adds the peer named test with IP address 1.1.1.1 using port 126:
peer test address 1.1.1.1 port 126
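
A wildcarded peer entry widens the set of clients a server-side endpoint accepts, so it is worth checking which accepted names were admitted only by the wildcard. The following is an added example, not part of the original reference and not StarOS code: it assumes `*` matches any run of characters, that matching is case-sensitive, and that exact entries are tried before wildcarded ones as the text describes; the entry `billing-client-1`, the inventory, the connection records and the addresses are constructed.

```python
import re

# Constructed peer list for a server-side endpoint: one exact entry and the
# wildcarded entry used in the text above.
CONFIGURED_PEERS = ["billing-client-1", "*ggsn*"]

# Constructed inventory of client peer names the operator expects to see.
INVENTORY = {"0001-sessmgr.ggsn-gx", "0002-sessmgr.ggsn-gx", "billing-client-1"}

# Constructed connection records: (peer name presented by the client, source address).
OBSERVED = [
    ("0001-sessmgr.ggsn-gx", "192.0.2.10"),
    ("0002-sessmgr.ggsn-gx", "192.0.2.11"),
    ("billing-client-1", "192.0.2.20"),
    ("0007-sessmgr.ggsn-gx", "198.51.100.7"),
    ("0001-sessmgr.pgw-gx", "192.0.2.30"),
]


def wildcard_regex(peer_name):
    """Compile a peer entry into a regex in which only '*' is a wildcard.

    Every other character, including '?', '.' and '[', is matched literally.
    """
    return re.compile(".*".join(re.escape(part) for part in peer_name.split("*")))


def match_peer(presented, configured):
    """Return (kind, entry) for a presented peer name.

    kind is "exact", "wildcard" or "rejected". Exact entries are checked
    first; wildcarded entries are only consulted when no exact match exists.
    """
    for entry in configured:
        if "*" not in entry and entry == presented:
            return ("exact", entry)
    for entry in configured:
        if "*" in entry and wildcard_regex(entry).fullmatch(presented):
            return ("wildcard", entry)
    return ("rejected", None)


def audit(observed, configured, inventory):
    """List connections admitted only through a wildcard and absent from the inventory."""
    findings = []
    for presented, source in observed:
        kind, entry = match_peer(presented, configured)
        if kind == "wildcard" and presented not in inventory:
            findings.append((presented, source, entry))
    return findings


if __name__ == "__main__":
    for presented, source in OBSERVED:
        print(presented, source, match_peer(presented, CONFIGURED_PEERS))
    print("review:", audit(OBSERVED, CONFIGURED_PEERS, INVENTORY))
```
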
 
response-timeout
This command configures the Response Timeout parameter.
Product
All
Privilege
Security Administrator, Administrator
Syntax
response-timeout timeout
default response-timeout
default
Configures this command with the default setting.
Default: 60 seconds
timeout
Specifies the response timeout duration, in seconds, and must be an integer from 1 through 300.
Usage
Use this command to configure the Response Timeout parameter.
Example
The following command sets the response timeout to 100 seconds:
response-timeout 100
 
route-entry
This command creates an entry in the route table for Diameter peer.
Product
All
Privilege
Security Administrator, Administrator
Syntax
route-entry { [ host host_name ] [ peer peer_id [ weight priority ] ] [ realm realm_name [ application credit-control peer peer_id ] [ weight value ] | peer peer_id [ weight value ] ] }
no route-entry { [ host host_name ] [ peer peer_id ] [ realm realm_name { application credit-control peer peer_id | peer peer_id } ] }
no
Disables the specified route-entry table configuration.
host host_name
Specifies the Diameter server’s host name.
host_name must be an alpha and/or numeric string of 1 through 63 characters in length.
realm realm_name
Specifies the realm name. The realm may typically be a company or service name.
realm_name must be an alpha and/or numeric string of 1 through 127 characters in length.
application credit-control
Specifies the credit control application, i.e. DCCA or RADIUS.
peer peer_id
Specifies the peer ID of Diameter endpoint route.
peer_id must be an alpha and/or numeric string of 1 through 63 characters in length.
weight priority
Specifies the priority for a peer in the route table.
The peer with the highest weight is used. If multiple peers have the highest weight, selection is by round-robin mechanism.
priority must be an integer from 0 through 255.
Default: 10
Usage
Use this command to create a route table for Diameter application.
When a Diameter client starts to establish a session with a realm/application, the system searches the route table for the best match. If an entry has no host specified, then the entry is considered to match the requested value. Similarly, if an entry has no realm or application specified, then the entry is considered to match any such requested value. The best match algorithm is to prefer specific matches for whatever was requested, i.e., either realm/application or host/realm/application. If there are no such matches, then the system looks for route table entries that have wildcards.
Example
The following command creates a route entry with the host name dcca_host1 and peer ID dcca_peer with priority weight of 10:
route-entry host dcca_host1 peer dcca_peer weight 10
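
The best-match and weight rules above decide where a request goes, including requests for realms that no entry names. The following is an added example, not part of the original reference and not StarOS code: it reads the text as two tiers (entries that specify every requested field, then entries that match through unspecified fields), and every entry except `dcca_host1`/`dcca_peer` is constructed.

```python
from dataclasses import dataclass
from typing import Optional

FIELDS = ("host", "realm", "application")


@dataclass(frozen=True)
class RouteEntry:
    peer: str
    host: Optional[str] = None         # None = not specified (matches any)
    realm: Optional[str] = None
    application: Optional[str] = None
    weight: int = 10                   # documented default weight


class RouteTable:
    def __init__(self, entries):
        self.entries = list(entries)
        self._cursor = {}              # round-robin position per tied peer set

    def candidates(self, **requested):
        """Return the tier of entries eligible for this request."""
        req = {f: requested.get(f) for f in FIELDS}
        # An entry matches when each field is unspecified or equals the request.
        matching = [
            e for e in self.entries
            if all(getattr(e, f) is None or getattr(e, f) == req[f] for f in FIELDS)
        ]
        # Specific tier: the entry names every field the request asked for.
        specific = [
            e for e in matching
            if all(getattr(e, f) == v for f, v in req.items() if v is not None)
        ]
        return specific or matching

    def select(self, **requested):
        """Pick the peer: highest weight wins, ties are served round-robin."""
        tier = self.candidates(**requested)
        if not tier:
            return None
        top = max(e.weight for e in tier)
        tied = tuple(e.peer for e in tier if e.weight == top)
        position = self._cursor.get(tied, 0)
        self._cursor[tied] = position + 1
        return tied[position % len(tied)]


def build_table():
    """Constructed route table; only the first entry comes from the page."""
    return RouteTable([
        RouteEntry(peer="dcca_peer", host="dcca_host1", weight=10),
        RouteEntry(peer="gy_peer_a", realm="companyx",
                   application="credit-control", weight=20),
        RouteEntry(peer="gy_peer_b", realm="companyx",
                   application="credit-control", weight=20),
        RouteEntry(peer="gy_peer_c", realm="companyx",
                   application="credit-control", weight=5),
        RouteEntry(peer="realm_peer", realm="companyx", weight=200),
        RouteEntry(peer="catch_all", weight=1),
    ])


if __name__ == "__main__":
    table = build_table()
    gy = dict(realm="companyx", application="credit-control")
    # The realm-only entry has weight 200 but sits in the wildcard tier.
    print([table.select(**gy) for _ in range(3)])
    # A realm that no entry names falls through to the catch-all entry.
    print(table.select(realm="other.example", application="credit-control"))
    print(table.select(host="dcca_host1"))
```

An entry with no host, realm or application acts as a catch-all in this model, so it is the entry to review when requests for unexpected realms reach a peer.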
 
route-failure
This command controls how failure handling and recovery after failure are performed for the route table.
Product
All
Privilege
Security Administrator, Administrator
Syntax
route-failure { deadtime seconds | recovery-threshold percent percentage | result-code result_code | threshold counter }
default route-failure { deadtime | recovery-threshold | threshold }
no route-failure result-code result_code
no
Disables the route-failure configuration.
default
Configures the default setting for the specified parameter.
deadtime seconds
Specifies the time duration, in seconds, for which system keeps the route FAILED status. When this time expires, the system changes the status to AVAILABLE.
seconds is the deadtime duration, in seconds, and must be an integer from 1 through 86400.
Default: 60 seconds
recovery-threshold percent percentage
Specifies how to reset the failure counter when provisionally changing the status from FAILED to AVAILABLE.
For example, suppose a failure counter of 16 caused the status to change to FAILED. After the configured deadtime expires, the status changes to AVAILABLE. If this keyword is configured with 75 percent, the failure counter will be reset to 12, i.e., 75 percent of 16.
percentage must be the value in percentage of the counter which caused FAILED, and must be an integer from 1 through 99.
Default: 90 percent
result-code result_code
Configures which answer messages are to be treated as failures, in addition to requests that time out.
Up to 16 different result codes can be specified.
result_code must be an integer from 0 through 4,294,967,295.
threshold counter
Configures the number of errors that causes the status to become FAILED.
counter must be an integer from 0 through 4,294,967,295.
The error counter begins at zero. It decrements whenever there is a good response (but not below zero) and increments whenever there is an error (but not above this threshold).
Default: 16
Usage
Use this command to control how failure/recovery is performed for the route table. After a session is established, it is possible for the session to encounter errors or Diameter redirection messages that cause the Diameter protocol to re-use the route table to switch to a different route.
Each Diameter client within the chassis maintains counters relating to the status of each of its connections to different hosts (when the destination is realm/application without a specific host, the host name is kept as “”, i.e., blank).
Moreover, those counters are further divided according to which peer is used to reach each host. Each Diameter client maintains a status of each peer-to-host combination. Under normal good conditions the status will be AVAILABLE, while error conditions might cause the status to be FAILED.
Only combinations that are AVAILABLE will be used. If none are AVAILABLE, then the system attempts the secondary peer if failover is configured and the system can find an AVAILABLE combination there. If nothing is AVAILABLE, the system uses a FAILED combination.
Example
The following command configures the time duration for route failure to 90 seconds:
route-failure deadtime 90
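
The counter, deadtime and recovery-threshold interact: a route that has just left FAILED starts close to the threshold again. The following is an added example, not part of the original reference and not StarOS code: it models one peer-to-host combination, assumes the reset value is rounded down to an integer, and uses result code 3004 as a constructed `route-failure result-code` entry and 2001 as a good answer.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

AVAILABLE, FAILED = "AVAILABLE", "FAILED"


@dataclass
class PeerHostStatus:
    threshold: int = 16              # route-failure threshold (default 16)
    deadtime: int = 60               # route-failure deadtime in seconds (default 60)
    recovery_percent: int = 90       # route-failure recovery-threshold percent (default 90)
    failure_codes: FrozenSet[int] = frozenset()  # route-failure result-code entries
    counter: int = 0
    status: str = AVAILABLE
    failed_at: Optional[float] = None

    def tick(self, now):
        """Apply deadtime expiry: FAILED becomes AVAILABLE with a reduced counter."""
        if self.status == FAILED and now - self.failed_at >= self.deadtime:
            self.status, self.failed_at = AVAILABLE, None
            # The counter that caused FAILED equals the threshold, because the
            # counter never rises above it. Rounding down is an assumption.
            self.counter = self.threshold * self.recovery_percent // 100
        return self.status

    def _error(self, now):
        self.counter = min(self.counter + 1, self.threshold)
        if self.status == AVAILABLE and self.counter >= self.threshold:
            self.status, self.failed_at = FAILED, now

    def on_timeout(self, now):
        """A request that timed out always counts as an error."""
        self.tick(now)
        self._error(now)
        return self.status

    def on_answer(self, now, result_code):
        """An answer counts as an error only if its result code is configured."""
        self.tick(now)
        if result_code in self.failure_codes:
            self._error(now)
        else:
            self.counter = max(self.counter - 1, 0)
        return self.status


def demo():
    """Replay the page's 16 / 75 percent example on a constructed timeline."""
    s = PeerHostStatus(threshold=16, deadtime=60, recovery_percent=75,
                       failure_codes=frozenset({3004}))
    for t in range(16):                      # 16 timeouts at t = 0..15
        s.on_timeout(t)
    result = {"after_16_timeouts": (s.status, s.counter)}
    result["at_59s"] = s.tick(15 + 59)       # deadtime not yet expired
    result["at_60s"] = (s.tick(15 + 60), s.counter)
    s.on_answer(76, 2001)                    # two good answers
    s.on_answer(77, 2001)
    result["after_2_good"] = s.counter
    errors = 0
    while s.status == AVAILABLE:             # errors needed to fail again
        s.on_answer(78 + errors, 3004)
        errors += 1
    result["errors_to_refail"] = errors
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
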
 
server-mode
Configures the Diameter endpoint to establish the system as the server side endpoint of the connection.
Product
All
Privilege
Security Administrator, Administrator
Syntax
server-mode [ demux-mode ]
demux-mode
Specifies that the Diameter proxy is to use the demux manager to identify the appropriate session manager. If this keyword is not enabled, the proxy will route the request directly to a session manager.
Usage
Use this command to configure the Diameter endpoint to establish this system as the server side endpoint of the connection. When the Diameter proxy receives an incoming request, the proxy identifies the endpoint for the request. If the system is in client mode, the proxy extracts the instance ID of the session manager which serves as the session-ID of the request. If this command is enabled, the extraction of the instance ID is disabled.
Example
The following command sets the system as the server side of the Diameter endpoint and instructs the Diameter proxy to use the demux manager to identify the appropriate session manager where the request is to be routed:
server-mode demux-mode
 
tls
This command enables/disables the Transport Layer Security (TLS) support between a Diameter client and Diameter server node.
Product
All
Privilege
Security Administrator, Administrator
Syntax
tls { certificate certificate | password password | privatekey private_key }
default tls
default
Disables the TLS support at Diameter endpoint.
certificate certificate
Specifies the certificate for TLS support.
certificate must be an encrypted certificate, and must be an alpha and/or numeric string of 700 through 900 characters in length.
password password
Specifies the password for TLS support.
password must be an encrypted password, and must be an alpha and/or numeric string of 6 through 50 characters in length.
privatekey private_key
Specifies the private key for TLS support.
private_key must be an encrypted key, and must be an alpha and/or numeric string of 900 through 1500 characters in length.
Usage
Use this command to configure TLS support between a Diameter client and Diameter server node. By default, TLS is disabled.
Important: Both the Diameter client and server must be configured with TLS enabled or TLS disabled; otherwise, the Diameter connection will be rejected.
Example
The following commands enable the TLS between a Diameter client and Diameter server node:
tls certificate "-----BEGIN CERTIFICATE-----\nMIICGDCCAYECAgEBMA0GCSqGSIb3DQEBBAUAMFcxCzAJBgNVBAYTAlVTMRMwEQYD\nVQQKEwpSVEZNLCBJbmMuMRkwFwYDVQQLExBXaWRnZXRzIERpdmlzaW9uMRgwFgYD\nVQQDEw9UZXN0IENBMjAwMTA1MTcwHhcNMDEwNTE3MTYxMDU5WhcNMDQwMzA2MTYx\nMDU5WjBRMQswCQYDVQQGEwJVUzETMBEGA1UEChMKUlRGTSwgSW5jLjEZMBcGA1UE\nCxMQV2lkZ2V0cyBEaXZpc2lvbjESMBAGA1UEAxMJbG9jYWxob3N0MIGfMA0GCSqG\nSIb3DQEBAQUAA4GNADCBiQKBgQCiWhMjNOPlPLNW4DJFBiL2fFEIkHuRor0pKw25\nJ0ZYHW93lHQ4yxA6afQr99ayRjMY0D26pH41f0qjDgO4OXskBsaYOFzapSZtQMbT\n97OCZ7aHtK8z0ZGNW/cslu+1oOLomgRxJomIFgW1RyUUkQP1n0hemtUdCLOLlO7Q\nCPqZLQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAIumUwl1OoWuyN2xfoBHYAs+lRLY\nKmFLoI5+iMcGxWIsksmA+b0FLRAN43wmhPnums8eXgYbDCrKLv2xWcvKDP3mps7m\nAMivwtu/eFpYz6J8Mo1fsV4Ys08A/uPXkT23jyKo2hMu8mywkqXCXYF2e+7pEeBr\ndsbmkWK5NgoMl8eM\n-----END CERTIFICATE-----\n"
tls privatekey "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,5772A2A7BE34B611\n\n1yJ+xAn4MudcIfXXy7ElYngJ9EohIh8yvcyVLmE4kVd0xeaL/Bqhvk25BjYCK5d9\nk1K8cjgnKEBjbC++0xtJxFSbUhwoKTLwn+sBoJDcFzMKkmJXXDbSTOaNr1sVwiAR\nSnB4lhUcHguYoV5zlRJn53ft7t1mjB6RwGH+d1Zx6t95OqM1lnKqwekwmotVAWHj\nncu3N8qhmoPMppmzEv0fOo2/pK2WohcJykSeN5zBrZCUxoO0NBNEZkFUcVjR+KsA\n1ZeI1mU60szqg+AoU/XtFcow8RtG1QZKQbbXzyfbwaG+6LqkHaWYKHQEI1546yWK\nus1HJ734uUkZoyyyazG6PiGCYV2u/aY0i3qdmyDqTvmVIvve7E4glBrtDS9h7D40\nnPShIvOatoPzIK4Y0QSvrI3G1vTsIZT3IOZto4AWuOkLNfYS2ce7prOreF0KjhV0\n3tggw9pHdDmTjHTiIkXqheZxZ7TVu+pddZW+CuB62I8lCBGPW7os1f21e3eOD/oY\nYPCI44aJvgP+zUORuZBWqaSJ0AAIuVW9S83Yzkz/tlSFHViOebyd8Cug4TlxK1VI\nq6hbSafh4C8ma7YzlvqjMzqFifcIolcbx+1A6ot0UiayJTUra4d6Uc4Rbc9RIiG0\njfDWC6aii9YkAgRl9WqSd31yASge/HDqVXFwR48qdlYQ57rcHviqxyrwRDnfw/lX\nMf6LPiDKEco4MKej7SR2kK2c2AgxUzpGZeAY6ePyhxbdhA0eY21nDeFd/RbwSc5s\neTiCCMr41OB4hfBFXKDKqsM3K7klhoz6D5WsgE6u3lDoTdz76xOSTg==\n-----END RSA PRIVATE KEY-----\n"
tls password password_for_TLS
 
use-proxy
This command enables/disables Diameter proxy for the Diameter endpoint. By default this command is disabled.
Product
All
Privilege
Security Administrator, Administrator
Syntax
use-proxy [server-mode [demux-mode]]
no use-proxy
no
Disables Diameter proxy for the current endpoint.
At the endpoint level, this command equips an application to use the Diameter proxy to route all its messages to an external peer.
server-mode
Specifies that the Diameter endpoint establishes the Diameter proxy as the server-side endpoint of the connection.
demux-mode
Specifies that the Diameter endpoint establishes the Diameter proxy to use the Demux manager to identify the appropriate session manager. If this keyword is not enabled, the proxy routes the request directly to a session manager.
For IPCF, BindMux is used to identify the appropriate session manager.
Usage
Use this command to have the endpoint use the Diameter proxy to route all its messages to an external peer. The proxy acts as an application gateway for Diameter. It gets the configuration information at process startup and decides which Diameter peer has to be contacted for each application. It establishes the peer connection when it finds that no peer connection already exists.
In IPCF, Bindmux is used as the Demux manager, with which IPCF distributes new incoming sessions across the available Sessmgrs on the system.
All incoming Diameter requests/responses land on Diamproxy. Diamproxy checks whether a Sessmgr is already serving this session, based on parameters such as the session-id and peer-id of the request/response.
If no Sessmgr is allocated to the request and Demux mode is ON, Diamproxy forwards the new request to Demux/Bindmux for Sessmgr allocation. Demux/Bindmux has updated information about the load on all the Sessmgrs, and it assigns the most optimal Sessmgr to the Diameter session. Once a session manager is allocated for the session, a mapping of session-id to Sessmgr is added at Diamproxy. All further requests for this session are routed directly to that Sessmgr.
Each proxy task will automatically select one of the host names configured with the origin host CLI command. Multiple proxy tasks will not use the same host names, so there should be at least as many host names as proxy tasks. Otherwise, some proxy tasks will not be able to perform Diameter functionality. The chassis automatically selects which proxy tasks are used by which managers (i.e., ACSMgrs/SessMgrs), without verifying whether the proxy task is able to perform Diameter functionality.
To be able to run this command, the Diameter proxy must be enabled. In the Global Configuration Mode, see the require diameter-proxy CLI command.
Example
The following command enables Diameter proxy for the current endpoint:
use-proxy
The following command disables Diameter proxy for the current endpoint:
no use-proxy
 
vsa-support
This command allows DIABASE to use the vendor IDs configured in the dictionary for negotiation of the Diameter peers’ capabilities, irrespective of the supported vendor IDs received in the CEA message.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
vsa-support { all-from-dictionary | negotiated-vendor-ids }
default vsa-support
default
Configures this command with the default setting.
Default: negotiated-vendor-ids
all-from-dictionary
This keyword allows DIABASE to use the vendor IDs from the dictionary as indicated in the CER message from Diameter peers.
negotiated-vendor-ids
This keyword allows DIABASE to use the supported vendor IDs satisfying capability negotiation.
Usage
Use this command to set DIABASE to use the vendor IDs from the dictionary or use the vendor IDs satisfying the capabilities negotiation.
Example
The following command enables DIABASE to use the vendor IDs specified in the dictionary:
vsa-support all-from-dictionary
 
watchdog-timeout
This command configures the Watchdog Timeout parameter.
Product
All
Privilege
Security Administrator, Administrator
Syntax
watchdog-timeout timeout
{ default | no } watchdog-timeout
no
Disables the watchdog timeout configuration.
default
Configures this command with the default setting.
Default: 30 seconds
timeout
Specifies the timeout duration, in seconds, and must be an integer from 6 through 30.
Usage
Use this command to configure the Watchdog Timeout parameter for the Diameter endpoint. If this timer expires before a response is received from the destination, another route to the same destination is tried, as long as the retry count setting has not been exceeded (see the device-watchdog-request CLI command) and as long as the response timer has not expired (see the response-timeout CLI command).
Example
The following command sets the watchdog timeout setting to 15 seconds:
watchdog-timeout 15
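The constraints stated in the tls, use-proxy and watchdog-timeout sections above can be checked offline before a configuration is applied. The following Python sketch is an added example, not Cisco code. Its assumptions: the function names are hypothetical, an endpoint counts as TLS-enabled when it has both a tls certificate and a tls privatekey line, and the sample lines (including the single keyword on require diameter-proxy) are constructed.

```python
import re

def commands(lines):
    """Return stripped, non-empty CLI lines."""
    return [line.strip() for line in lines if line.strip()]

def tls_enabled(endpoint_lines):
    """Assumption: TLS is on when both certificate and private key are set."""
    cmds = commands(endpoint_lines)
    return (any(c.startswith("tls certificate ") for c in cmds)
            and any(c.startswith("tls privatekey ") for c in cmds))

def tls_parity(client_lines, server_lines):
    """Both peers need the same TLS state or the connection is rejected."""
    return tls_enabled(client_lines) == tls_enabled(server_lines)

def audit_endpoint(endpoint_lines, global_lines):
    """Return findings for one endpoint's Diameter Endpoint mode lines."""
    ep, glob = commands(endpoint_lines), commands(global_lines)
    findings = []
    # use-proxy depends on the proxy being enabled in Global Configuration Mode.
    proxy_on = any(c.startswith("use-proxy") for c in ep)
    if proxy_on and not any(c.startswith("require diameter-proxy") for c in glob):
        findings.append("use-proxy without 'require diameter-proxy'")
    has_password = any(c.startswith("tls password ") for c in ep)
    for c in ep:
        m = re.fullmatch(r"watchdog-timeout (\S+)", c)
        if m:
            value = m.group(1)
            if not (re.fullmatch(r"[0-9]+", value) and 6 <= int(value) <= 30):
                findings.append(f"watchdog-timeout {value} outside 6-30")
        if c.startswith("tls privatekey "):
            if "Proc-Type: 4,ENCRYPTED" not in c:
                findings.append("tls privatekey stored unencrypted")
            elif not has_password:
                findings.append("encrypted tls privatekey without tls password")
    return findings

# Constructed sample input; PEM bodies are placeholders, not real key material.
GLOBAL = ["require diameter-proxy single"]
CLIENT = ["use-proxy", "watchdog-timeout 45",
          r'tls certificate "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"',
          r'tls privatekey "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"']
SERVER = ["watchdog-timeout 15"]

if __name__ == "__main__":
    print("TLS parity:", tls_parity(CLIENT, SERVER))
    for finding in audit_endpoint(CLIENT, GLOBAL):
        print("finding:", finding)
```
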
 
 

Cisco Systems Inc.