Caution: This system recovery process interrupts subscriber service by dropping any existing flows and preventing traffic from being processed during the boot interval. It should only be initiated as an emergency measure.Refer to the Configuring the Boot Stack section in the Software Management Operations chapter for additional information on boot stack entries and prioritization.
Caution: This system recovery process interrupts subscriber service by dropping any existing flows and preventing traffic from being processed during the boot interval. It should only be initiated as an emergency measure.|
•
|
Execute a reload command
|
[local]asr5000# reload -noconfirm
When the “Booting priority” message line appears (and not before), press CTRL+C to break out of the boot process as shown in the example below:
With the boot prompt displayed, enter cli to access the boot recovery CLI. The CLI prompt changes as shown below:
8/0:boot>cli
|
•
|
-show: displays the current boot configuration
|
|
•
|
-priority=*: selects the desired boot stack priority (*)
|
|
•
|
-config=*: enters the desired configuration filename (*), if not the default file
|
|
•
|
-noconfig: boots using no configuration file
|
bootfile_URL is the URL for the location of the StarOS boot image file. It specifies the path and file name of the StarOS .bin file from which the system will be booted.
{ /flash | /pcmcia1 /<filename>
You can exit the Quick Setup Wizard by entering no in response to the above prompt. Load a desired configuration file using the Exec mode configure command followed by the URL for the configuration file as shown in the example below:
[local]asr5000# configure /flash/system.cfg
Confirm that the desired configuration has loaded by running the Exec mode show configuration command.
Appendix A
Engineering Rules
Engineering Rules
Important: If you have enabled the Port Redundancy feature, it is possible for ports on both line cards to be active while one provides line card redundancy for the other. With the port redundancy feature, each physical port has a primary MAC address. Each corresponding standby port has a different (alternate) MAC address.|
•
|
|
•
|
If you want processing-only application cards, all line card slots directly behind the such cards can be empty. Otherwise, disable those line card slots with the shutdown command described in the Command Line Interface Reference.
|
|
•
|
If you want standby (redundant) PSCs or PSC2s, do not populate all line card slots directly behind them since they will not be used. If the slots are populated, disable the line card slots with the shutdown command as described in the Card Configuration Mode Commands section of the Command Line Interface Reference.
|
Important: Each address in the pool requires approximately 60 bytes of memory. The amount of memory required, however, depends on a number of factors such as the pool type, and hold-timer usage. Therefore, in order to conserve available memory, you may need to limit the number of pools depending on the number of addresses to be configured and the number of installed application cards.
Important: Default is not used when local authentication (for local subscribers) is performed.
Caution: Large numbers of services greatly increase the complexity of management and may affect overall system performance. Therefore, you should not configure a large number of services unless your application absolutely requires it. Please contact your Cisco service representative for more information.This appendix describes the system and subsystem tasks running under StarOS on an ASR 5000 platform.
|
•
|
All tasks run in a Common Firmware Environment (CFE) that resides on specialized Central Processing Units (CPUs) on each of the application cards. The System Management Cards (SMCs) each have a single CPU that is responsible for running tasks related to system management and control. The packet processing cards (PSCn, PPC) contain two CPUs (CPU 0 and CPU 1). These CPUs are responsible for session processing and running the various tasks and processes required to handle mobile data calls. In addition to the CPUs, the packet processing cards each have a Network Processor Unit (NPU) for IP forwarding.
|
•
|
System Initiation Task (SIT): This subsystem starts tasks and initializes the system. This includes starting a set of initial tasks at system startup time (static tasks), and starting individual tasks on demand at arbitrary times (dynamic tasks).
|
|
•
|
High Availability Task (HAT): With the Recovery Control Task (RCT) subsystem, the HAT subsystem maintains the operational state of the system. HAT monitors the various software and hardware components of the system. If there are unusual activities, such as the unexpected termination of another task, the HAT subsystem takes a suitable course of action, such as triggering an event to the RCT subsystem to take corrective action or to report the status. The end result is that there is minimal or no impact to the service.
|
|
•
|
Recovery Control Task (RCT): This subsystem executes a recovery action for any failure that occurs in the system. The RCT subsystem receives signals from the HAT subsystem (and in some cases from the NPU subsystem) and determines what recovery actions are needed.
|
|
•
|
Shared Configuration Task (SCT): This subsystem provides a facility to set, retrieve, and receive notification of system configuration parameters. The SCT is mainly responsible for storing configuration data for the applications that run on the system.
|
|
•
|
Resource Management (RM): This subsystem assigns resources, such as CPU loading and memory, for every system task upon start-up. The RM subsystem monitors resource use to verify that allocations are as specified. RM also monitors all sessions and communicates with the Session Controller to enforce capacity licensing limits.
|
|
•
|
Virtual Private Network (VPN): This subsystem manages the administrative and operational aspects of all VPN-related entities in the system. The functions performed by the VPN subsystem include:
|
|
•
|
Network Processing Unit (NPU): This subsystem is responsible for the following:
|
|
•
|
Card/Slot/Port (CSP): Coordinates the events that occur when any card is inserted, locked, unlocked, removed, shutdown, or migrated. SCP also performs auto-discovery and configures ports on a newly-inserted line card. It determines how line cards map to packet processing cards (through a Redundancy Crossbar Card [RCC], if necessary).
|
|
•
|
Session: Performs high-touch processing of mobile subscribers’ packet-oriented data session flows. High-touch user data processing consists of the following:
|
|
•
|
Important: Variations regarding how the managers and tasks are distributed based on session recovery (SR) are included in the Card and CPU columns in some tables. Tables without these indicators are applicable to ASR 5x00s with and without session recovery. The ASR 5x00 dynamically distributes processes, tasks, and managers on startup. The following tables list the typical locations but variations can occur depending on available resources.
|
|||||||
|
The BGP task is created by the VPN Manager for each context that has enabled the BGP routing protocol (router bgp config-context CLI command).
|
|||||||
|
The OSPF task is created by VPN Manager for each context that has enabled the OSPF routing protocol (router ospf config-context CLI command).
|
|||||||
|
The OSPFv3 task is created by VPN Manager for each context that has enabled the OSPF routing protocol (router ospfv3 config-context CLI command)
|
|||||||
|
The RIP task is created by VPN Manager for each context that has enabled the RIP routing protocol (router rip config-context CLI command)
|
|||||||
|
NOTE: For ASR 5000s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active packet processing card.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5000s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active packet processing card. The HNBMGRs should not be started on a packet processing card which has the HNB DEMUX MGR started.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5x00s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active packet processing card.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5x00s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active packet processing card.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5000s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active PSC.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5x00s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the First active PSC.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5000s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active packet processing card, but should not be created on the same packet processing card that has HNB Manager.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5000s with session recovery (SR) enabled, this manager is usually established on one of the CPUs on the first active packet processing card. The HNBMGRs should not be started on a packet processing card which has the HNB DEMUX MGR started.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5000s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active packet processing card.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5000s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active packet processing card. The IMSIMgr will not start on a packet processing card in which SessMgrs are started.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5000s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active deumux packet processing card. The IMSIMgr will not start on a packet processing card in which SessMgrs are already started.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5x00s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active packet processing card.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5x00s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active packet processing card.
|
Any (see NOTE)
|
||||||||||
|
|||||||||||
|
NOTE: For ASR 5x00s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the First active packet processing card but should not be created on the same packet processing card that has MME Manager.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5x00s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active packet processing card. The MMEMGRs should not be started on a packet processing card which has the MME DEMUX MGR started.
|
Any (see NOTE)
|
||||||||||
NOTE: For ASR 5x00s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active packet processing card but should not be created on the same packet processing card that has PCC Manager.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5x00s with session recovery (SR) enabled, this manager is usually established on one of the CPUs on the first active packet processing card. The PCCMGRs should not be started on a packet processing card which has the PCC BINDMUX MGR started.
|
Any (see NOTE)
|
||||||||||
|
The SPR Manager is part of AAAMgr process and manages the transactions towards an external SSC/SPR node over Sp interface.
The Sp interface is based on Sh protocol interface. The SPRMgr abstracts the Sp interactions required for the PCC functions.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5x00s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active demux packet processing card. The IMSIMgr will not start on a packet processing card in which SessMgrs are already started.
|
Any (see NOTE)
|
||||||||||
|
NOTE: For ASR 5000s with session recovery (SR) enabled, this demux manager is usually established on one of the CPUs on the first active demux packet processing card. The IMSIMgr will not start on a packet processing card in which SessMgrs are already started.
|
Any (see NOTE)
|
||||||||||
Appendix C
Access Control Lists
Access Control Lists
Important: You do not require a license to configure ACLs. However, the number of ACLs configured may impact performance significantly.
Important: Not all commands and keywords/variables may be available. Availability depends on the platform type.|
•
|
Important: Refer to the ACL Configuration Mode Commands chapter of the Command Line Interface Reference for the full command syntax.
Important: Configured ACLs consisting of no rules imply a “deny any” rule. The deny action and any criteria are discussed later in this section. This is the default behavior for an empty ACL.|
•
|
Permit: The packet is accepted and processed.
|
|
•
|
Deny: The packet is rejected.
|
|
•
|
Redirect: The packet is forwarded to the specified next-hop address through a specific system interface or to the specified context for processing.
|
Important: Redirect rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context, or APN for UMTS subscribers.|
•
|
Any: Filters all packets
|
|
•
|
Host: Filters packets based on the source host IP address
|
|
•
|
ICMP: Filters Internet Control Message Protocol (ICMP) packets
|
|
•
|
IP: Filters Internet Protocol (IP) packets
|
|
•
|
Source IP Address: Filter packets based on one or more source IP addresses
|
|
•
|
TCP: Filters Transport Control Protocol (TCP) packets
|
|
•
|
UDP: Filters User Datagram Protocol (UDP) packets
|
Important: The following sections contain basic ACL rule syntax information. Refer to the ACL Configuration Mode Commands chapter of the Command Line Interface Reference for the full command syntax.|
•
|
Any: The rule applies to all packets.
|
|
•
|
Host: The rule applies to a specific host as determined by its IP address.
|
|
•
|
ICMP: The rule applies to specific Internet Control Message Protocol (ICMP) packets, Types, or Codes. ICMP type and code definitions can be found at www.iana.org (RFC 3232).
|
|
•
|
IP: The rule applies to specific Internet Protocol (IP) packets or fragments.
|
|
•
|
IP Packet Size Identification Algorithm: The rule applies to specific Internet Protocol (IP) packets identification for fragmentation during forwarding.
|
|
•
|
Source IP Address: The rule applies to specific packets originating from a specific source address or a group of source addresses.
|
|
•
|
TCP: The rule applies to any Transport Control Protocol (TCP) traffic and could be filtered on any combination of source/destination IP addresses, a specific port number, or a group of port numbers. TCP port numbers definitions can be found at www.iana.org
|
|
•
|
UDP: The rule applies to any User Datagram Protocol (UDP) traffic and could be filtered on any combination of source/destination IP addresses, a specific port number, or a group of port numbers. UDP port numbers definitions can be found at www.iana.org.
|
|
•
|
|
•
|
Important: This section provides the minimum instruction set for configuring access control list on the system. For more information on commands that configure additional parameters and options, refer to the ACL Configuration Mode Commands chapter in the Command Line Interface Reference.|
Step 1
|
|
Step 2
|
|
Step 3
|
Optional. The system provides an “undefined” ACL that acts as a default filter for all packets into the context. The default action is to “permit all”. Modify the default configuration for “unidentified” ACLs for by applying the example configuration in the Configuring an Undefined ACL section.
|
|
Step 4
|
|
Step 5
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
Caution: The system does not apply a “deny any” rule, unless it is specified in the ACL. This behavior can be changed by adding a “deny any” rule at the end of the ACL.|
•
|
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in this guide.
|
|
•
|
Use the information provided in the Actions and Criteria sections of this appendix to configure the rules that comprise the ACL. For more information, refer to the ACL Configuration Mode Commands chapter in the Command Line Interface Reference.
|
|
•
|
Context name is the name of the context containing the “undefined” ACL to be modified. For more information, refer to the Context Configuration Mode Commands chapter in the Command Line Interface Reference.
|
|
Step 1
|
In the Exec Mode, enter the show ip access-list command.
|
The following is a sample output of this command. In this example, an ACL named acl_1 was configured.
ip access list acl_1
deny host 1.2.3.4
deny ip any host 1.2.3.4
permit any 1.2.4.4
Important: All ACLs should be configured and verified according to the instructions in the Configuring ACLs on the System section of this appendix prior to beginning these procedures. The procedures described below also assume that the subscribers have been previously configured.|
•
|
Applying an ACL to All Traffic Within a Context (known as a policy ACL)
|
|
•
|
Applying a Single ACL to Multiple Subscribers via APNs (for 3GPP subscribers only)
|
Important: ACLs must be configured in the same context in which the subscribers and/or interfaces to which they are to be applied. Similarly, ACLs to be applied to a context must be configured in that context.
Important: This section provides the minimum instruction set for applying the ACL list to an interface on the system. For more information on commands that configure additional parameters and options, refer to the Ethernet Interface Configuration Mode Commands chapter in the Command Line Interface Reference.|
Step 1
|
|
Step 2
|
|
Step 3
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
show configuration context context_name
context_name is the name of the context containing the interface to which the ACL(s) was/were applied.
context context_name
ip access-list acl_name
deny host ip_address
deny ip any host ip_address
ip access-group access_group_name
interface interface_name
ip address ip_address/mask
Important: This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands chapter in the Command Line Interface Reference.|
Step 1
|
|
Step 2
|
|
Step 3
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
|
•
|
The context-level ACL are applied only to outgoing packets. The in and out keywords are deprecated and are only present for backward compatibility.
|
|
Step 1
|
show configuration context context_name
context_name is the name of the context to which the ACL(s) was/were applied.
context context_name
ip access-list acl_name
deny host ip_address
deny ip any host ip_address
ip access-group access_group_name
interface interface_name
ip address ip_address/mask
To apply an ACL to a RADIUS-based subscriber, use the Filter-Id attribute. Refer to the AAA and GTPP Interface Administration and Reference for more detail on this attribute.
Important: This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.|
Step 1
|
|
Step 2
|
|
Step 3
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
|
•
|
If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.
|
|
Step 1
|
show configuration context context_name
context_name is the name of the context containing the subscriber subs1 to which the ACL(s) was/were applied.
context context_name
ip access-list acl_name
deny host ip_address
deny ip any host ip_address
ip access-group access_group_name
interface interface
ip address ip_address/mask
subscriber name subscriber_name
ip access-group access_group_name in
ip access-group access_group_name out
content-filtering server-group cfsg_name
response-timeout response_timeout
connection retry-timeout retry_timeout
|
NOTE: The profile for the subscriber named default is not used to provide missing information for subscribers configured locally.
|
|
|
default subscriber Command
|
|
•
|
All subscribers facilitated by specific services by applying the ACL to a subscriber profile and then using the default subscriber command to configure the service to use that subscriber as the “default” profile.
|
This section provides information and instructions for applying an ACL to the subscriber named default.
Important: This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.|
Step 1
|
|
Step 2
|
|
Step 3
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
|
•
|
If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.
|
|
Step 1
|
show configuration context context_name
context_name is the name of the context containing the subscriber default to which the ACL(s) was/were applied.
context context_name
ip access-list acl_name
deny host ip_address
deny ip any host ip_address
ip access-group access_group_name
interface interface
ip address ip_address/mask
ip access-group access_group_name in
ip access-group access_group_name out
content-filtering server-group cfsg_name
response-timeout response_timeout
connection retry-timeout retry_timeout
Important: This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.|
Step 1
|
|
Step 2
|
|
Step 3
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
|
•
|
If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.
|
|
Step 1
|
show configuration context context_name
context_name is the name of the context containing the service with the default subscriber to which the ACL(s) was/were applied.
context context_name
ip access-list acl_name
deny host ip_address
deny ip any host ip_address
ip access-group access_group_name
interface interface
ip address ip_address/mask
subscriber name subscriber_name
ip access-group access_group_name in
ip access-group access_group_name out
pdsn-service service_name
default subscriber subscriber_name
Important: This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.|
Step 1
|
|
Step 2
|
|
Step 3
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
|
•
|
If either the in or out keyword is not specified, the command is added to the config file twice, once with in and once with out, and the ACL will be applied to all inbound and outbound packets.
|
|
Step 1
|
show configuration context context_name
context_name is the name of the context containing the APN apn1 having default subscriber to which the ACL(s) was/were applied.
context context_name
ip access-list acl_name
deny host ip_address
deny ip any host ip_address
ip access-group access_group_name
interface interface
ip address ip_adrress/mask
apn apn_name
ip access-group access_group_name in
ip access-group access_group_name out
Appendix D
Congestion Control
Congestion Control
|
•
|
|
•
|
Congestion Condition Thresholds: Thresholds dictate the conditions for which congestion control is enabled and establishes limits for defining the state of the system (congested or clear). These thresholds function in a way similar to operation thresholds that are configured for the system as described in the Thresholding Configuration Guide. The primary difference is that when congestion thresholds are reached, a service congestion policy and an SNMP trap, starCongestion, are generated.
|
|
•
|
Port Utilization Thresholds: If you set a port utilization threshold, when the average utilization of all ports in the system reaches the specified threshold, congestion control is enabled.
|
|
•
|
Port-specific Thresholds: If you set port-specific thresholds, when any individual port-specific threshold is reached, congestion control is enabled system-wide.
|
|
•
|
Service Congestion Policies: Congestion policies are configurable for each service. These policies dictate how services respond when the system detects that a congestion condition threshold has been crossed.
|
Important: This section provides the minimum instruction set for configuring congestion control. Commands that configure additional interface or port properties are provided in the Subscriber Configuration Mode chapter of the Command Line Interface Reference.|
Step 1
|
|
Step 2
|
|
Step 3
|
|
Step 4
|
|
Step 5
|
Save your configuration as described in the Saving and Verifying Your Configuration chapter in this guide.
|
congestion-control threshold tolerance <percent>
|
•
|
There are several additional threshold parameters. See the Global Configuration Mode chapter of the Command Line Interface Reference for more information.
|
congestion-control policy <service> action { drop | none | redirect | reject }
|
•
|
redirect is not available for PDIF.
|
|
•
|
redirect can not be used in conjunction with GGSN services.
|
|
•
|
redirect is not available for the LMA service.
|
|
•
|
When setting the action to reject, the reply code is 130, “insufficient resources”.
|
|
•
|
For the MME, redirect is not available.
|
When an overload condition is detected on an MME and the report-overload keyword is enabled in the congestion-control policy command, the MME reports the condition to a specified percentage of eNodeBs and proceeds to take the configured action on incoming sessions. To create a congestion control policy with overload reporting, apply the following example configuration:
congestion-control policy mme-service action report-overload reject-new-sessions enodeb-percentage <percentage>
|
•
|
Important: Redirect is not available on PDIF for this release. context <context_name>
|
•
|
Optional: If the congestion control policy action was configured to redirect, then a redirect overload policy must be configured for the service(s) that are affected.
|
|
•
|
There are several service configuration modes that you can configure. See the Command Line Interface Reference for a complete list of modes.
|
|
•
|
You can set various options for redirection. See the Command Line Interface Reference for more information.
|
To verify Congestion Control Configuration enter the show congestion-control configuration command in the Exec Mode.
The primary threshold to observe is license utilization. This threshold is defaulted to 80%. Overload controls on the system enables the Congestion-control Policy when the system has only 80% of the licenses used. The overload condition will not clear until the utilization drops below the tolerance limit setting. The tolerance limit is defaulted to 10%. If the system goes into overload due to license utilization (threshold at 80%), the overload condition will not clear until the license utilization reaches 70%.
Since the recommendation for license utilization overload threshold is 100%, you should enable a license threshold alarm at 80%. An alarm is then triggered when the license utilization hits 80%. When the congestion-control policy setting is set to drop, the system drops incoming packets containing new session requests.
Important: For additional information on configuring the alarm threshold, refer to the Threshold Configuration Guide. context <context_name>
subscriber name <subscriber_name>
context <context_name>
subscriber <subscriber_name>
|
•
|
overload-disconnect is not supported for the CSCF service.
|
Appendix E
Content Service Steering
Content Service Steering
Important: Internal CSS is a generic feature, if an ECSv2 license is installed on your system, internal CSS can be enabled. A separate license is not required to enable internal CSS. Contact your local Cisco account representative for information on how to obtain a license.|
•
|
ACLs are configurable on a per-context basis and applies to a subscriber through either a subscriber profile (or an APN profile in the destination context. For additional information, refer to the Access Control Lists appendix in this guide
|
Step 2
|
Optional: Apply an ACL to an individual subscriber as described in the Applying an ACL to an Individual Subscriber (Optional) section.
|
|
Step 3
|
Optional: Apply a single ACL to multiple subscribers as described in the Applying an ACL to Multiple Subscribers (Optional) section.
|
|
Step 4
|
Optional: Apply an ACL to multiple subscribers via APNs as described in the Applying an ACL to Multiple Subscribers via APNs (Optional) section.
|
|
Step 5
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands. Not all commands or keywords/variables may be supported or available. Availability varies on the platform type and installed license(s).
Caution: To minimize the risk of data loss, do not make configuration changes to ACLs while the system is facilitating subscriber sessions.|
•
|
<service_name> must be an ACL service name.
|
|
•
|
For information on the keywords and options available with the redirect css service command, see the ACL Configuration Mode Commands chapter of the Command Line Interface Reference.
|
|
•
|
For IPv6 ACLs, the same configurations must be done in the IPv6 ACL Configuration Mode. See the IPv6 ACL Configuration Mode Commands chapter of the Command Line Interface Reference.
|
For information on how to apply an ACL to an individual subscriber, refer to the Applying an ACL to an Individual Subscriber section of the Access Control Lists appendix.
|
•
|
All subscribers facilitated by specific services by applying the ACL to a subscriber profile and then using the default subscriber command to configure the service to use that subscriber as the “default” profile.
|
For information on how to apply an ACL to the default subscriber, refer to the Applying an ACL to the Subscriber Named default section of the Access Control Lists appendix.
For information on how to apply an ACL to the subscriber to be used as the “default” profile by various system services, refer to the Applying an ACL to Service-specified Default Subscribers section of the Access Control Lists appendix.
For information on how to apply an ACL to multiple subscribers via APNs, refer to the Applying a Single ACL to Multiple Subscribers via APNs section the Access Control Lists chapter.
Appendix F
Interchassis Session Recovery
Interchassis Session Recovery
|
•
|
Caution: ICSR should not be configured on chassis supporting L2TP calls.
Important: Refer to the Product Overview to verify whether a specific service supports ICSR as an option. AAA servers are monitored using the authentication probe mechanism. AAA servers are considered Up if the authentication-probe receives a valid response. AAA servers are considered Down when the max-retries count specified in the configuration of the AAA server has been reached. The service-redundancy protocol will initiate a switchover when none of the configured AAA servers responds to an authentication probe. AAA probing is only be performed on the active chassis.
Important: A switchover event caused by a AAA monitoring failure is non-revertible. If the newly active chassis fails to monitor the configured AAA servers it remains as the active chassis until one of the following occurs:|
•
|
Redundancy – to configure the primary and backup chassis redundancy.
|
|
•
|
Source – AAA configuration of the specified nas-ip-address must be the IP address of an interface bound to an HA, or any core network service configured within the same context.
|
|
•
|
Destination – to configure monitoring and routing to the PDN.
|
Important: ICSR is a licensed feature. Verify that each chassis has the appropriate license before using the procedures in this appendix. To do this, log in to both chassis and execute a show license information command. Look for Inter-Chassis Session Recovery. If the chassis is not licensed, please contact your Cisco account representative.
Caution: ICSR should not be configured for chassis supporting L2TP calls.
During initialization, if both chassis are misconfigured in the same mode - both active (primary) or both standby (backup), the chassis with the highest priority (highest number set with the ICSR priority command) becomes active and the other chassis becomes the standby.
If the chassis priorities are the same, the system compares the two MAC addresses and the chassis with the higher SPIO MAC address becomes active. For example, if the chassis have MAC addresses of 00-02-43-03-1C-2B and 00-02-43-03-01-3B, the last 3 sets of octets (the first 3 sets are the vendor code) are compared. In this example, the 03-1C-2B and 03-01-3B are compared from left to right. The first pair of octets in both MAC addresses are the same, so the next pairs are compared. Since the 01 is lower than the 1C, the chassis with the SPIO MAC address of 00-02-43-03-1C-2B becomes active and the other chassis the standby.
Important: The ICSR configuration must be the same on the primary and backup chassis. If each chassis has a different Service Redundancy Protocol (SRP) configuration, the session recovery feature does not function and sessions cannot be recovered when the active chassis goes out of service.This section describes how to configure basic ICSR on each chassis. For information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Caution: ICSR should not be configured for chassis supporting L2TP calls.|
•
|
In addition, the IP address pools must be srp activated.
|
For more information on configuring the AAA server, refer to the AAA Interface Administration and Reference.
|
•
|
BGP router installed and configured. See the Routing appendix in this guide for more information on configuring BGP services.
|
|
Step 1
|
|
Step 2
|
|
Step 3
|
|
Step 4
|
Optional: Disable bulk statistics collection on the standby system by applying the example configuration in the Disabling Bulk Statistics Collection on a Standby System section.
|
|
Step 5
|
|
Step 6
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
|
Step 1
|
|
Step 2
|
|
Step 3
|
|
Step 4
|
|
Step 5
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
Important: ICSR is configured using two systems. Be sure to create the redundancy context on both systems. CLI commands must be executed on both systems. Log onto both chassis before continuing. Always make configuration changes on the primary chassis first. Before starting this configuration, identify which chassis to configure as the primary and use that login session.
Important: CLI commands must be executed on both chassis. Log onto both chassis before continuing. Always make configuration changes on the primary chassis first.|
•
|
The priority determines which chassis becomes active when the redundancy link goes out of service. The higher priority chassis has the lower number. Be sure to assign different priorities to each chassis.
|
|
•
|
Enter the IP chassis of the backup chassis as the peer-ip-address to the primary chassis. Assign the IP address of the primary chassis as the peer-ip-address to the backup chassis.
|
|
•
|
The dead-intervalmust be at least three times greater than the hello-interval. For example, if the hello interval is 10, the dead interval should be at least 30. System performance is severely impacted if the hello interval and dead interval are not set properly.
|
Important: CLI commands must be executed on both chassis. Log onto both chassis before continuing. Always make configuration changes on the primary chassis first. |
Step 1
|
Verify that your SRP contexts were created and configured properly by entering the show srp info command (Exec Mode).
|
Sample output for this command as shown. In this example, an SRP context called srp1 was configured with default parameters.
|
Step 1
|
|
Step 2
|
|
Step 3
|
|
Step 4
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
|
•
|
source_ctxt_nameis the context where the core network service is configured.
|
|
Step 1
|
Verify your BGP configuration by entering the show srp monitor bgp command (Exec Mode).
|
|
Step 1
|
|
Step 2
|
|
Step 3
|
Set the subscriber mode to default by following the steps in the Setting Subscriber to Default Mode section.
|
|
Step 4
|
|
Step 5
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
|
•
|
AS_num is the autonomous systems path number for this BGP router.
|
|
Step 1
|
Verify your BGP configuration by entering the show srp monitor bgp command (Exec Mode).
|
Important: When this feature is enabled and a system transitions to standby state, any pending accumulated statistical data is transferred at the first opportunity. After that no additional statistics gathering takes place until the system comes out of standby state.|
Step 1
|
Enter the show configuration srp command on both chassis (Exec mode).
|
Appendix G
QoS Management
QoS Management
Important: For L7 traffic analysis an ECSv2 license is required.
Important: For L7 traffic analysis ECSv2 license is required.|
2.
|
As the subscriber starts using some applications, the traffic gets classified on the basis of type of data packets or traffic as mentioned in section Classification of Application Traffic and the corresponding bit in Traffic-class-bitfield is set accordingly.
|
Warning: This feature does not work in conjunction with IMS-Authorization service.
Important: The packet that triggered the NRUPC request is discarded.
Important: The packet that triggered the NRSPCA request is discarded.
Important: The packet that triggered the NRUPC/NRSPCA request is discarded.
Caution: For Dynamic QoS Renegotiation, two RADIUS attributes are required for remote subscriber configuration. For a particular subscriber, these attributes can be overridden without considering the timeout for Dynamic QoS Renegotiation and whether Dynamic QoS Renegotiation is enabled or not.|
Step 1
|
|
Step 2
|
|
Step 3
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
|
Step 4
|
Important: Commands used in the configuration examples in this section reflect base functionality (most common or likely commands and/or keyword options). In many cases, other commands and/or keyword options are available. Refer to the ACS Configuration Mode Commands and APN Configuration Mode Commands sections of the Command Line Interface Reference for complete information regarding all commands. context <context_name>
ip access-list <acl_name>
|
•
|
<context_name> must be the name of the destination context in which you want to configure the ACL. The same context must be used for APN configuration.
|
|
•
|
For information on configuring the rules that comprise the ACL, refer to the Access Control Lists appendix.
|
active-charging service <service_name>
flow limit-for-bandwidth direction downlink peak-data-rate <bps> peak-burst-size <bytes> violate-action lower-ip-precedence
|
•
|
The flow limit-for-bandwidth command contains other option than the example shown here. Refer ti the ACS Charging Action Configuration Mode Commands chapter in the Command Line Interface Reference for more information on this command.
|
active-charging service <service_name>
qos-renegotiate timeout <timeout>
context <context_name>
apn <apn_name>
|
•
|
<context_name> must be the name of the destination context in which you have already configured the ACL, and want to configure the APN template.
|
|
•
|
<acl_name> must be the name of the ACL that you have already configured in the context.
|
|
•
|
If in the ip access-group command of the APN Configuration Mode, the optional in or out keywords are not specified, the ACL will be applied to all inbound and outbound packets.
|
|
Step 8
|
|
Step 9
|
|
Step 10
|
|
Step 11
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter.
|
|
Step 12
|
Important: Commands used in the configuration examples in this section implement base functionality (most common or likely commands and/or keyword options). In many cases, other commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands. active-charging service <service_name>
ip remote-address { = { <ip_address> | <ip_address/mask> } | { range { <ip_address> | <ip_address/mask> } to { <ip_address> | <ip_address/mask> } }
priority <priority>
active-charging service <service_name>
qos-class-identifier <identifier>
tft packet-filter <filter_name>
flow limit-for-bandwidth direction { downlink | uplink } peak-data-rate <bps> peak-burst-size <bytes> violate-action { discard | lower-ip-precedence }
|
•
|
A number of optional keywords and variable are available for the flow limit-for-bandwidth direction command. Refer to the ACS Charging Action Configuration Mode Commands section of the Command Line Interface Reference for more information regarding this command.
|
context <context_name>
apn <apn_name>
|
•
|
show apn name <apn_name>
apn_name must be the name of the APN configured in the Configuring APNs for Dynamic QoS Renegotiation section.The output of this command displays the APN configuration. Examine the output for the ip output access-group and ip input access-group fields. For more details refer to the Applying a Single ACL to Multiple Subscribers section.
show ip access-list <acl_name>
|
Step 4
|
Monitor your QoS renegotiation status for a subscriber by running the show subscriber ggsn-only full command (Exec mode).
|
|
Step 5
|
For L7 based QoS Renegotiation, view how many time QoS renegotiations have happened for that session by running the show active-charging sessions full all command (Exec mode).
|
The RADIUS attributes listed in the following table are used to enable Dynamic QoS Renegotiation for subscribers configured on remote RADIUS servers. More information on these attributes can be found in the AAA and GTPP Interface Administration and Reference.
Appendix H
Routing
Routing
|
•
|
Route Access Lists – The basic building block of a routing policy. Route access lists filter routes based on a range of IP addresses.
|
|
•
|
IP Prefix Lists – A more advanced element of a routing policy. An IP Prefix list filters routes based on IP prefixes.
|
|
•
|
AS Path Access Lists – A basic building block used for Border Gateway Protocol (BGP) routing. These lists filter Autonomous System (AS) paths.
|
|
•
|
Route Maps – Route-maps provide detailed control over routes during route selection or route advertisement by a routing protocol, and in route redistribution between routing protocols. For this level of control you use IP Prefix Lists, Route Access Lists and AS Path Access Lists to specify IP addresses, address ranges, and Autonomous System paths.
|
context <context_name>
|
•
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
route-access-list standard identifier { permit | deny } {<ip_address> <wildcard_mask> | any | host <network_address> }
|
•
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
|
•
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
|
•
|
Use the match and set commands in Route Map Configuration mode to configure the route map. Refer to the Command Line Interface Reference for more information on these commands.
|
|
•
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
To add static routes to a context configuration, you must know the names of the interfaces that are configured in the current context. Use the show ip interface command to list the interfaces in the current context (Exec mode).
[ local ]< host_name > #show ip interface
context <context_name>
ip route { < ip_address | ip_mask > | < ip_addr_mask_combo > } { next-hop } < next_hop_address > | < egress_name > [ precedence ] < precedence > [ cost ] < cost >
You can configure a maximum of 1,200 static routes per context. Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
context context_name
no ip route { < ip_address > < ip_mask > | < ip_addr_mask_combo > } < next_hop_address > < egress_name > [ precedence < precedence > ] [ cost < cost > ]
|
•
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
Important: During system task recovery, it is possible for a dynamically-learned forwarding entry to incorrectly remain in the system forwarding table if that forwarding entry has been removed from the dynamic routing protocol during the recovery.OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations.
|
•
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
Important: The default cost for OSPF on the system is 10. To change the cost, refer to the ip ospf cost command in the Ethernet Interface Configuration Commands section of the Command Line Interface Reference.|
•
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
|
•
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
To confirm the OSPF router configuration, use the following command and look for the section labeled router ospf in the screen output:
|
•
|
show ip route: Displays information for all types of routes in the current contexts routing table.
|
|
•
|
show ip static-route: Displays information only for static routes in the current contexts routing table.
|
|
•
|
show ip ospf: Displays OSPF process summary information in the current context.
|
This example shows sample output of the command, show ip route.
|
•
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter in this guide.
|
Mobile devices communicate to the Internet through Home Agents (HAs). HAs assign IP addresses to the mobile node from a configured pool of addresses. These addresses are also advertised to Internet routers through an IP routing protocol to ensure dynamic routing. The BGP-4 protocol is used as a monitoring mechanism between an HA and Internet router with routing to support Interchassis Session Recovery (ICSR). (Refer to the Interchassis Session Recovery appendix in this guide for more information.)
|
•
|
Through BGP Configuration Mode redistribution commands, all or some of the connected routes are redistributed into the BGP domain. (IP pool and loopback routes are present in the IP routing table as connected routes.) The network routemap command provides the flexibility to change many BGP attributes.
|
|
•
|
Through the BGP Configuration Mode network commands, connected routes are explicitly configured for advertisement into the BGP domain. The network routemap command provides the flexibility to change many BGP attributes. Refer to the Border Gateway Protocol Configuration Mode Commands section of the Command Line Interface Reference for details on these commands.
|
Important: If a BGP task restarts because of a processing card failure, a migration, a crash, or the removal of a processing card, all peering session and route information is lost.|
•
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
redistribute{bgp | connected | static } [ metric ] < metric_value > ] [ metric-type ] {1 | 2 } ] [ route-map ] < route_map_name ]
|
•
|
The redistribution options are connected, ospf, rip, or static. Refer to the Border Gateway Protocol Configuration Mode Commands section of the Command Line Interface Reference for details on the redistribute command.
|
|
•
|
Save your configuration as described in Verifying and Saving Your Configuration chapter of this guide.
|
Appendix I
Session Recovery
Session Recovery
The system spawns new instances of “standby mode” session and AAA managers for each active control processor (CP) being used. These mirrored processes require both memory and processing resources, which means that additional hardware may be required to enable this feature (see the Additional Hardware Requirements section).
|
•
|
Task recovery mode: Wherein one or more session manager failures occur and are recovered without the need to use resources on a standby packet processing card. In this mode, recovery is performed by using the mirrored “standby-mode” session manager task(s) running on active packet processing cards. The “standby-mode” task is renamed, made active, and is then populated using information from other tasks such as AAA manager. In case of Task failure, limited subscribers will be affected and will suffer outage only until the task starts back up.
|
|
•
|
Full packet processing card recovery mode: Used when a packet processing card hardware failure occurs, or when a planned packet processing card migration fails. In this mode, the standby packet processing card is made active and the “standby-mode” session manager and AAA manager tasks on the newly activated packet processing card perform session recovery.
|
Important: After a session recovery operation, some statistics, such as those collected and maintained on a per manager basis (AAA Manager, Session Manager, etc.) are in general not recovered, only accounting and billing related information is checkpointed and recovered.|
•
|
HNB-GW: HNB Session over IuH
|
|
•
|
HNB-GW: HNB-CN Session over IuPS and IuCS
|
|
•
|
HNB-GW: SeGW Session IPSec Tunnel
|
Session recovery is not supported for the following functions:
Important: Session Recovery requires the purchase of a license key. Contact your Cisco account representative for more information.
Important: Any partially connected calls (for example, a session where HA authentication was pending but has not yet been acknowledged by the AAA server) are not recovered when a failure occurs.
Important: A minimum of four packet processing cards (three active and one standby) per individual chassis is required to use this feature.
Important: The session recovery feature, even when the feature use key is present, is disabled by default on the system.|
Step 1
|
Important: If the current status of the Session Recovery feature is Disabled, you cannot enable this feature until a license key is installed in the system.|
Step 3
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
|
Step 4
|
After the system has been configured and placed in-service, you should verify the preparedness of the system to support this feature as described in the Viewing Session Recovery Status section.
|
|
Step 2
|
Important: If the current status of the Session Recovery feature is Disabled, you cannot enable this feature until a license key is installed in the system.
Important: This feature does not take effect until after the system has been restarted.|
Step 4
|
Save your configuration as described in the Verifying and Saving Your Configuration. chapter of this guide.
|
|
Step 5
|
Perform a system restart by entering the reload command:
|
|
Step 6
|
After the system has been restarted, you should verify the preparedness of the system to support this feature as described in the Viewing Session Recovery Status section.
|
Important: More advanced users may opt to simply insert the require session recovery command syntax into an existing configuration file using a text editor or other means, and then applying the configuration file manually. Exercise caution when doing this to ensure that this command is placed among the first few lines of any existing configuration file; it must appear before the creation of any non-local context.To disable the session recovery feature on a system, enter the no require session recovery command from the Global Configuration mode prompt.
Important: If this command is issued on an in-service system, then the system must be restarted by issuing the reload command.To determine if the system is capable of performing session recovery, when enabled, enter the show session recovery status verbose command from the Exec mode prompt.
[local]host_name# show session recovery status
[local]host_name# show session recovery status
[local]host_name# show session recovery status verbose
|
callid id
|
Displays subscriber information for the call specified by id. The call ID must be specified as an 8-byte hexadecimal number.
|
|
msid id
|
Displays information for the mobile user identified by id. id must be from 7 to 16 digits specified as an IMSI, MIN, or RMI. Wildcard characters $ and * are allowed. The * wildcard matches multiple characters and the $ wildcard matches a single character. If you do not want the wildcard characters interpreted as a wildcard enclose them in single quotes ( ‘ ). For example; ‘$’.
|
|
username name
|
Displays information for connections for the subscriber identified by name. The user must have ben previously configured. name must be a sequence of characters and/or wildcard characters ('$' and '*') from 1 to 127 characters in length. The * wildcard matches multiple characters and the $ wildcard matches a single character. If you do not want the wildcard characters interpreted as wildcard enclose them in single quotes ( ‘). For example; ‘$’.
|
Appendix J
VLANs
VLANs
|
•
|
Important: VLANs are supported in conjunction with subscriber traffic ports on Ethernet line cards. The system supports the configuration limits for VLANs as described in the Engineering Rules appendix of this guide. Use the following example to create VLANs on a port and bind them to pre-existing interfaces. For information on creating interfaces, refer to the System Element Configuration Procedures chapter of this guide.
|
•
|
Optional: Configure VLAN-subscriber associations. Refer to the Configuring Subscriber VLAN Associations section for more information.
|
|
•
|
Optional: Repeat this configuration as needed to configure additional ports.
|
|
•
|
Optional: Configure VLAN-subscriber associations if needed.
|
|
•
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
|
•
|
SN-Assigned-VLAN-ID: In the Starent VSA dictionary
|
|
•
|
SN1-Assigned-VLAN-ID: In the Starent VSA1 dictionary
|
Important: Since the instructions for configuring subscriber profiles differ between RADIUS server applications, this section only describes the individual attributes that can be added to the subscriber profile. Please refer to the documentation that shipped with your RADIUS server for instructions on configuring subscribers.
Important: These instructions assume that you have already configured subscriber-type VLAN tags according to the instructions provided in the Creating VLAN Tags section of this appendix.show subscriber configuration username <user_name>
|
•
|
Save your configuration as described in the Verifying and Saving Your Configuration chapter of this guide.
|
