This chapter provides information for monitoring service status and performance using the show commands found in the Command Line Interface (CLI). These commands have many related keywords that allow them to provide useful information on all aspects of the system, ranging from the current software configuration through call activity and status.
Statistics and counters can be cleared using the CLI clear command. Refer to Command Line Reference for detailed information on using this command.
Important: ITC includes the class-map, policy-map and policy-group commands. Currently ITC does not include an external policy server interface.
Important: EV-DO Rev A is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
For more information on EV-DO Rev A, refer to the Policy-Based Management and EV-DO Rev A chapter. For setting the DSCP parameters to control ITC functionality, refer to the Traffic Policy-Map Configuration Mode Commands chapter in the Command Line Reference.
• condition: Specifies the flow parameters (source address, destination address, source port, destination port, protocol, and so on) for ingress and/or egress packets.
• action: Specifies a set of treatments for a flow or packet when the condition matches. Broadly these actions are based on:
Refer to the Traffic Policing and Shaping chapter for more information on Token Bucket Algorithm.
For information on how to configure subscriber profiles on a remote RADIUS server, refer to the StarentVSA and StarentVSA1 dictionary descriptions in the AAA and GTP Interface Administration and Reference.
Important: This section provides the minimum instruction set for configuring flow-based traffic policing on an AGW service. Commands that configure additional properties are provided in the Command Line Interface Reference.
Important: In this mode, classification match rules are added sequentially with the match command to form a Class-Map. To change, delete, or re-add a particular rule, you must delete the specific Class-Map and re-define it.
context <vpn_context_name> [ -noconfirm ]
• <vpn_context_name> is the name of the destination context in which you want to configure the flow-based traffic policing.
• <class_name> is the name of the traffic class to map with the flow for the flow-based traffic policing. A maximum of 32 class-maps can be configured in one context.
qos traffic-police committed <bps> peak <bps> burst-size <byte> exceed-action { drop | lower-ip-precedence | allow } violate-action { drop | lower-ip-precedence | allow }
• <vpn_context_name> is the name of the destination context configured during Class-Map configuration for flow-based traffic policing.
• <policy_name> is the name of the traffic policy map you want to configure for the flow-based traffic policing. A maximum of 32 policy maps can be configured in one context.
• <class_name> is the name of the traffic class that you configured in the Configuring Class Maps section for the flow-based traffic policing.
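The committed/peak/burst-size policing expressed by the qos traffic-police command above can be modelled as a two-rate token bucket. The following is an added example written for this page, not Cisco's implementation: it assumes a two-rate, three-colour model (RFC 2698 style) in which the single burst-size bounds both buckets, and the packet trace is constructed.

```python
"""Two-rate token-bucket model of
`qos traffic-police committed <bps> peak <bps> burst-size <byte>
 exceed-action {...} violate-action {...}`.
Added example, not Cisco code.  Assumption: the policer behaves like a
two-rate three-colour marker and one burst-size bounds both buckets."""

ACTIONS = {"drop", "lower-ip-precedence", "allow"}


class Policer:
    """Tokens are bytes; configured rates are bits per second as in the CLI."""

    def __init__(self, committed_bps, peak_bps, burst_bytes,
                 exceed_action="lower-ip-precedence", violate_action="drop"):
        if exceed_action not in ACTIONS or violate_action not in ACTIONS:
            raise ValueError("actions must be drop | lower-ip-precedence | allow")
        if peak_bps < committed_bps:
            raise ValueError("peak rate must not be below the committed rate")
        self.committed_rate = committed_bps / 8.0   # bytes per second
        self.peak_rate = peak_bps / 8.0
        self.burst = float(burst_bytes)
        self.exceed_action = exceed_action
        self.violate_action = violate_action
        # Both buckets start full; last_t is the time of the previous refill.
        self.committed_tokens = self.burst
        self.peak_tokens = self.burst
        self.last_t = 0.0

    def _refill(self, now):
        elapsed = max(0.0, now - self.last_t)
        self.last_t = now
        self.committed_tokens = min(self.burst, self.committed_tokens + elapsed * self.committed_rate)
        self.peak_tokens = min(self.burst, self.peak_tokens + elapsed * self.peak_rate)

    def police(self, now, length):
        """Classify one packet of `length` bytes arriving at `now` seconds.

        Returns (colour, action): conform -> allow; exceed -> exceed-action;
        violate -> violate-action.  A violating packet consumes no tokens."""
        self._refill(now)
        if length > self.peak_tokens:
            return "violate", self.violate_action
        if length > self.committed_tokens:
            self.peak_tokens -= length          # over committed rate, within peak
            return "exceed", self.exceed_action
        self.peak_tokens -= length
        self.committed_tokens -= length
        return "conform", "allow"


def run_trace(policer, trace):
    """Apply the policer to (time_s, length_bytes) tuples in arrival order."""
    return [policer.police(t, n) for t, n in trace]


# Constructed sample trace: three back-to-back 1500-byte packets, then a burst
# 100 ms later, then a lone packet after a 400 ms gap.
SAMPLE_TRACE = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (0.1, 1500), (0.1, 1500), (0.5, 1500)]

if __name__ == "__main__":
    # 64 kbit/s committed, 128 kbit/s peak, 3000-byte burst.
    for (t, n), (colour, action) in zip(SAMPLE_TRACE, run_trace(Policer(64000, 128000, 3000), SAMPLE_TRACE)):
        print(f"t={t:.1f}s {n}B -> {colour:8s} {action}")
```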
policy <policy_map_name> precedence <value>
• <vpn_context_name> is the name of the destination context configured during Class-Map configuration for flow-based traffic policing.
• <policy_group> is the name of the traffic policy group of policy maps you want to configure for the flow-based traffic policing. A maximum of 32 policy groups can be configured in one context.
• <policy_map_name> is the name of the traffic policy map you configured in the Configuring Policy Maps section for the flow-based traffic policing. A maximum of 16 Policy Maps can be assigned to a Policy Group.

• <vpn_context_name> is the name of the destination context configured during Class-Map configuration for flow-based traffic policing.
• <user_name> is the name of the subscriber profile you want to configure for the flow-based traffic policing.
• <policy_group> is the name of the traffic policy group you configured in the Configuring Policy Groups section for the flow-based traffic policing. A maximum of 16 Policy groups can be assigned to a subscriber profile.
Important: RoHC header compression is not applicable for SGSN and GGSN services.
• Van Jacobson (VJ) - The RFC 1144 (CTCP) header compression standard was developed by V. Jacobson in 1990. It is commonly known as VJ compression. It describes a basic method for compressing the headers of IPv4/TCP packets to improve performance over low speed serial links.
• RObust Header Compression (RoHC) - The RFC 3095 (RoHC) standard was developed in 2001. This standard can compress IP/UDP/RTP headers to just over one byte, even in the presence of severe channel impairments. This compression scheme can also compress IP/UDP and IP/ESP packet flows. RoHC is intended for use in wireless radio network equipment and mobile terminals to decrease header overhead, reduce packet loss, improve interactive response, and increase security over low-speed, noisy wireless links.
Important: RoHC is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
Important: This section provides the minimum instruction set for configuring a subscriber profile for header compression. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
• <ctxt_name> is the system context in which you wish to configure the subscriber profile. Typically this is an AAA context.
• <subs_name> is the name of the subscriber in the current context for which you want to enable VJ IP header compression.
Important: This section provides the minimum instruction set for configuring a subscriber profile for header compression. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
• <ctxt_name> is the system context in which you wish to configure the subscriber profile. Typically this is an AAA context.
• <subs_name> is the name of the subscriber in the current context for which you want to enable RoHC header compression.
• Refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference for more details on this command and its options.
Important: If both RoHC and VJ header compression are specified, the optimum header compression algorithm for the type of data being transferred is used for data in the downlink direction.
Important: This section provides the minimum instruction set for configuring a subscriber profile for header compression. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
• <ctxt_name> is the system context in which you wish to configure the subscriber profile. Typically this is an AAA context.
• <subs_name> is the name of the subscriber in the current context for which you want to enable RoHC header compression.
Important: This section provides the minimum instruction set for configuring a service for header compression. For more information on commands that configure additional parameters and options, refer to the PDSN Service Configuration Mode Commands or HSGW Service Configuration Mode Commands chapter in the Command Line Interface Reference.
• <ctxt_name> is the system context in which the PDSN service is configured and in which you wish to configure the service profile.
• <svc_name> is the name of the PDSN service in which you want to enable RoHC over SO67.
• Refer to the PDSN Service RoHC Configuration Mode Commands chapter in the Command Line Interface Reference for more details on this command and its options.

• <ctxt_name> is the system context in which the HSGW service is configured and in which you wish to configure the service profile.
• <svc_name> is the name of the HSGW service in which you want to enable RoHC over SO67.
• Refer to the HSGW Service RoHC Configuration Mode Commands chapter in the Command Line Interface Reference for more details on this command and its options.
Important: This section provides the minimum instruction set for configuring a subscriber profile for header compression. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
• <RoHC_comp_profile_name> is the name of the RoHC profile with compression mode which you want to apply to a subscriber.
• <RoHC_profile_name> is the name of the RoHC profile with decompression mode which you want to apply to a subscriber.

• <ctxt_name> is the system context in which you wish to configure the subscriber profile. Typically this is an AAA context.
• <subs_name> is the name of the subscriber in the current context for which you want to enable RoHC header compression.
• <RoHC_profile_name> is the name of the existing RoHC profile (created with compressed or decompressed mode) which you want to apply to a subscriber in the current context.
• Refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference for more details on this command and its options.
Important: This section provides the minimum instruction set for configuring a subscriber profile for header compression. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
• <ctxt_name> is the system context in which you wish to configure the subscriber profile. Typically this is an AAA context.
• <subs_name> is the name of the subscriber in the current context for which you want to disable IP header compression.
Important: This section provides the minimum instruction set for configuring a service for header compression. For more information on commands that configure additional parameters and options, refer to the PDSN Service Configuration Mode Commands or HSGW Service Configuration Mode Commands chapter in the Command Line Interface Reference.
• <ctxt_name> is the system context in which the PDSN or HSGW service is configured and in which you wish to configure the service profile.
• <svc_name> is the name of the PDSN or HSGW service in which you want to disable RoHC over SO67.
Important: IP Security is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
Caution: IPSec parameter configurations saved using this release may not function properly with older software releases.
• PDN Access: Subscriber IP traffic is routed over an IPSec tunnel from the system to a secure gateway on the packet data network (PDN) as determined by access control list (ACL) criteria. This application can be implemented for both core network service and HA-based systems. The following figure shows IPSec configurations.
• Mobile IP: Mobile IP control signals and subscriber data are encapsulated in IPSec tunnels that are established between foreign agents (FAs) and home agents (HAs) over the Pi interfaces.
Important: Once an IPSec tunnel is established between an FA and HA for a particular subscriber, all new Mobile IP sessions using the same FA and HA are passed over the tunnel regardless of whether or not IPSec is supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected.
• L2TP: L2TP-encapsulated packets are routed from the system to an LNS/secure gateway over an IPSec tunnel.
As described in the IP Access Control Lists chapter of this guide, ACLs on the system define rules, usually permissions, for handling subscriber data packets that meet certain criteria. Crypto ACLs, however, define the criteria that must be met in order for a subscriber data packet to be routed over an IPSec tunnel.
Important: Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only be configured and used for testing purposes.
Important: These instructions assume that the system was previously configured to support subscriber data sessions either as a core service or an HA. In addition, parameters configured using this procedure must be configured in the same destination context on the system.
Important: Once an IPSec tunnel is established between an FA and HA for a particular subscriber, all new Mobile IP sessions using the same FA and HA are passed over the tunnel regardless of whether or not IPSec is supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected.
Important: These instructions assume that the systems were previously configured to support subscriber data sessions either as an FA or an HA.
Important: Though the use of DPD is optional, it is recommended in order to ensure service availability.
Important: These instructions assume that the system was previously configured to support subscriber data sessions and L2TP tunneling either as a PDSN or an HA. In addition, with the exception of subscriber attributes, all other parameters configured using this procedure must be configured in the same destination context on the system as the LAC service.
Important: These instructions assume that the system was previously configured to support PDSN compulsory tunneling subscriber data sessions. In addition, all parameters configured using this procedure must be configured in the same destination context on the system as the LAC service.
Important: These instructions assume that the system was previously configured to support subscriber PDP contexts and L2TP tunneling as a GGSN. In addition, all parameters configured using this procedure must be configured in the same destination context on the system as the LAC service.
Important: This section provides the minimum instruction set for configuring a transform set on your system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Transform Configuration Mode chapters in the Command Line Interface Reference.
crypto ipsec transform-set <transform_name>
ah hmac { md5-96 | none | sha1-96 }
esp hmac { { md5-96 | none | sha1-96 } { cipher { des-cbc | 3des-cbc | aes-cbc } | none } }
mode { transport | tunnel }
• <ctxt_name> is the system context in which you wish to create and configure the crypto transform set(s).
• <transform_name> is the name of the crypto transform set in the current context that you want to configure for IPSec.
Important: This section provides the minimum instruction set for configuring ISAKMP policies on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and ISAKMP Configuration Mode Commands chapters in the Command Line Interface Reference.
encryption { 3des-cbc | des-cbc }
group { 1 | 2 | 3 | 4 | 5 }
• <ctxt_name> is the system context in which you wish to create and configure the ISAKMP policy.
• <priority> dictates the order in which the ISAKMP policies are proposed when negotiating IKE SAs.
show crypto isakmp policy priority
Caution: Modification(s) to an existing ISAKMP policy configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
Important: This section provides the minimum instruction set for configuring ISAKMP crypto maps on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Map ISAKMP Configuration Mode chapters in the Command Line Interface Reference.
crypto map <map_name> ipsec-isakmp
set isakmp preshared-key <isakmp_key>
set mode { aggressive | main }
set pfs { group1 | group2 | group5 }
set transform-set <transform_name>
match address <acl_name> [ preference ]
match crypto-group <group_name> { primary | secondary }
• <ctxt_name> is the system context in which you wish to create and configure the ISAKMP crypto maps.
• <map_name> is the name by which the ISAKMP crypto map will be recognized by the system.
• <acl_name> is the name of the pre-configured ACL. It is used for configurations not implementing the IPSec Tunnel Failover feature and matches the crypto map to a previously defined crypto ACL. This is an optional parameter.
• <group_name> is the name of the Crypto group configured in the same context. It is used for configurations using the IPSec Tunnel Failover feature. This is an optional parameter. For more information, refer to the Redundant IPSec Tunnel Fail-Over section of this chapter.
Caution: Modification(s) to an existing ISAKMP crypto map configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
Important: This section provides the minimum instruction set for configuring dynamic crypto maps on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Map Dynamic Configuration Mode chapters in the Command Line Interface Reference.
crypto map <map_name> ipsec-dynamic
set pfs { group1 | group2 | group5 }
set transform-set <transform_name>
• <ctxt_name> is the system context in which you wish to create and configure the dynamic crypto maps.
• <map_name> is the name by which the dynamic crypto map will be recognized by the system.
Caution: Modification(s) to an existing dynamic crypto map configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
Important: Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only be configured and used for testing purposes.
Important: This section provides the minimum instruction set for configuring manual crypto maps on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Map Manual Configuration Mode chapters in the Command Line Interface Reference.
crypto map <map_name> ipsec-manual
match address <acl_name> [ preference ]
set transform-set <transform_name>
set session-key { inbound | outbound } { ah <ah_spi> [ encrypted ] key <ah_key> | esp <esp_spi> [ encrypted ] cipher <encryption_key> [ encrypted ] authenticator <auth_key> }
• <ctxt_name> is the system context in which you wish to create and configure the manual crypto maps.
• <map_name> is the name by which the manual crypto map will be recognized by the system.
• <acl_name> is the name of the pre-configured ACL. It is used for configurations not implementing the IPSec Tunnel Failover feature and matches the crypto map to a previously defined crypto ACL. This is an optional parameter.
• <group_name> is the name of the Crypto group configured in the same context. It is used for configurations using the IPSec Tunnel Failover feature. This is an optional parameter.
Caution: Modification(s) to an existing manual crypto map configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
Important: This section provides the minimum instruction set for applying manual or ISAKMP crypto maps to an interface on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
interface <interface_name>
• <ctxt_name> is the system context in which the interface to which the crypto map is applied is configured.
• <interface_name> is the name of a specific interface configured in the context to which the crypto map will be applied.
• <map_name> is the name of the preconfigured ISAKMP or manual crypto map.
show configuration context ctxt_name | grep interface
Important: This section provides the minimum instruction set for configuring an FA service to support IPSec on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
isakmp peer-ha <ha_address> crypto-map <map_name> [ secret <preshared_secret> ]
isakmp default crypto-map <map_name> [ secret <preshared_secret> ]
• <ctxt_name> is the system context in which the FA service is configured to support IPSec.
• <fa_svc_name> is the name of the FA service for which you are configuring IPSec.
• <ha_address> is the IP address of the HA service with which the FA service will communicate over IPSec.
• <map_name> is the name of the preconfigured ISAKMP or manual crypto map.
show fa-service { name service_name | all }
Important: This section provides the minimum instruction set for configuring an HA service to support IPSec on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
isakmp aaa-context <aaa_ctxt_name>
isakmp peer-fa <fa_address> crypto-map <map_name> [ secret <preshared_secret> ]
• <ctxt_name> is the system context in which the HA service is configured to support IPSec.
• <ha_svc_name> is the name of the HA service for which you are configuring IPSec.
• <fa_address> is the IP address of the FA service with which the HA service will communicate over IPSec.
• <aaa_ctxt_name> is the name of the context through which the HA service accesses the HAAA server to fetch the IKE S Key and S Lifetime parameters.
• <map_name> is the name of the preconfigured ISAKMP or manual crypto map.
show ha-service { name service_name | all }
As described in the How the IPSec-based Mobile IP Configuration Works section of this chapter, the system uses attributes stored in a subscriber’s RADIUS profile to determine how IPSec should be implemented.
[Table of RADIUS subscriber profile attributes for IPSec Mobile IP: only one value description survived extraction: 3 : Enables IPSec for tunnels and registration messages]
Important: These instructions are required for compulsory tunneling. They should only be performed for attribute-based tunneling if the Tunnel-Service-Endpoint, the SN1-Tunnel-ISAKMP-Crypto-Map, or the SN1-Tunnel-ISAKMP-Secret are not configured in the subscriber profile.
Important: This section provides the minimum instruction set for configuring an LAC service to support IPSec on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
lac-service <lac_svc_name>
peer-lns <ip_address> [ encrypted ] secret <secret> [ crypto-map <map_name> { [ encrypted ] isakmp-secret <secret> } ] [ description <text> ] [ preference <integer> ]
isakmp aaa-context <aaa_ctxt_name>
• <ctxt_name> is the destination context where the LAC service is configured to support IPSec.
• <lac_svc_name> is the name of the LAC service for which you are configuring IPSec.
• <lns_address> is the IP address of the LNS node with which the LAC service will communicate over IPSec.
• <aaa_ctxt_name> is the name of the context through which the HA service accesses the HAAA server to fetch the IKE S Key and S Lifetime parameters.
• <map_name> is the name of the preconfigured ISAKMP or manual crypto map.
show lac-service name service_name
In addition to the subscriber profile attributes listed in the RADIUS and Subscriber Profile Attributes Used section of the L2TP Access Concentrator chapter in this guide, the table below lists the attributes required to support IPSec for use with attribute-based L2TP tunneling.
• <ctxt_name> is the destination context where the PDSN service is configured.
• <pdsn_svc_name> is the name of the PDSN service for which you are configuring attribute-based L2TP tunneling.
• <lac_ctxt_name> is the name of the destination context where the LAC service is located.
pdsn-service <pdsn_svc_name>
ppp tunnel-context <lac_ctxt_name>
• <ctxt_name> is the destination context where the PDSN service is configured.
• <pdsn_svc_name> is the name of the PDSN service for which you are configuring attribute-based L2TP tunneling.
• <lac_ctxt_name> is the name of the destination context where the LAC service is located.
show pdsn-service name service_name
Important: The peer security gateway must support RFC 3706 in order for this functionality to function properly.
• Fail-over successful: The switchover of user traffic was successful. This is generated for both primary-to-secondary and secondary-to-primary switchovers.
• Unsuccessful fail-over: An error occurred when switching user traffic from either the primary to the secondary tunnel or the secondary to the primary tunnel.
Important: Parameters configured using this procedure must be configured in the same context on the system.
Important: The system supports a maximum of 32 crypto groups per context. However, configuring crypto groups to use the same loopback interface for secondary IPSec tunnels is not recommended and may compromise redundancy on the chassis.
Important: This section provides the minimum instruction set for configuring crypto groups on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
ikev1 keepalive dpd interval <dur> timeout <dur> num-retry <retries>
crypto-group <group_name>
match address <acl_name> [ <preference> ]
switchover auto [ do-not-revert ]
• <ctxt_name> is the destination context where the Crypto Group is to be configured.
• <group_name> is the name of the Crypto group you want to configure for IPSec tunnel failover support.
• <acl_name> is the name of the pre-configured crypto ACL. It is used for configurations not implementing the IPSec Tunnel Failover feature and matches the crypto map to a previously defined crypto ACL. For more information on crypto ACLs, refer to the Crypto Access Control List (ACL) section of this chapter.
crypto map <map_name1> ipsec-isakmp
match crypto-group <group_name> primary
crypto map <map_name2> ipsec-isakmp
match crypto-group <group_name> secondary
• <ctxt_name> is the system context in which you wish to create and configure the ISAKMP crypto maps.
• <group_name> is the name of the Crypto group configured in the same context for the IPSec Tunnel Failover feature.
• <map_name1> is the name of the preconfigured ISAKMP crypto map to match with the crypto group as primary.
• <map_name2> is the name of the preconfigured ISAKMP crypto map to match with the crypto group as secondary.
show crypto group [ summary | name group_name ]
DPD is configured at the context level and is used in support of the IPSec Tunnel Failover feature (refer to the Redundant IPSec Tunnel Fail-Over section) and/or to help prevent tunnel state mismatches between an FA and HA when IPSec is used for Mobile IP applications. When used with Mobile IP applications, DPD ensures the availability of tunnels between the FA and HA. (Note that the starIPSECDynTunUp and starIPSECDynTunDown SNMP traps are triggered to indicate tunnel state for the Mobile IP scenario.)
Important: If DPD is enabled while IPSec tunnels are up, it will not take effect until all of the tunnels are cleared.
Important: DPD must be configured in the same context on the system as other IPSec Parameters.
ikev1 keepalive dpd interval <dur> timeout <dur> num-retry <retries>
• <ctxt_name> is the destination context where the Crypto Group is to be configured.
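The interaction between the DPD parameters (interval, timeout, num-retry) and a crypto group's switchover auto [ do-not-revert ] setting from the two preceding sections can be modelled in a short simulation. This is an added example, not Cisco code; it assumes a peer is declared dead after num-retry unanswered retransmissions following the first missed probe, that the group then moves traffic to the secondary tunnel, and that (unless do-not-revert is set) traffic moves back once the primary answers DPD again. The outage timeline is constructed.

```python
"""Model of `ikev1 keepalive dpd interval <dur> timeout <dur> num-retry <retries>`
driving a crypto group's `switchover auto [ do-not-revert ]`.
Added example, not Cisco code; timings and peer behaviour are constructed."""


class DpdMonitor:
    """Tracks one IKE peer's liveness with periodic DPD probes (assumed semantics)."""

    def __init__(self, interval, timeout, num_retry, peer_up):
        self.interval, self.timeout, self.num_retry = interval, timeout, num_retry
        self.peer_up = peer_up      # callable t -> bool: does the peer answer at time t?
        self.next_probe = 0.0
        self.misses = 0
        self.dead = False

    def tick(self, t):
        """Advance to time t, probing if a probe is due; return True if the peer is alive."""
        if t < self.next_probe:
            return not self.dead
        if self.peer_up(t):
            self.misses, self.dead = 0, False
            self.next_probe = t + self.interval   # answered: wait a full interval
        else:
            self.misses += 1
            self.next_probe = t + self.timeout    # unanswered: retransmit after timeout
            if self.misses > self.num_retry:      # first miss plus num_retry retries
                self.dead = True
        return not self.dead


class CryptoGroup:
    """Primary/secondary tunnel pair with automatic switchover."""

    def __init__(self, primary, secondary, do_not_revert=False):
        self.monitors = {"primary": primary, "secondary": secondary}
        self.do_not_revert = do_not_revert
        self.active = "primary"
        self.events = []            # (time, message) in the chapter's two event forms
        self.failed_reported = False

    def tick(self, t):
        alive = {name: mon.tick(t) for name, mon in self.monitors.items()}
        standby = "secondary" if self.active == "primary" else "primary"
        if not alive[self.active]:
            if alive[standby]:
                self.events.append((t, f"Fail-over successful: {self.active}-to-{standby}"))
                self.active = standby
            elif not self.failed_reported:
                self.events.append((t, f"Unsuccessful fail-over: {standby} tunnel is also down"))
                self.failed_reported = True
        elif self.active == "secondary" and alive["primary"] and not self.do_not_revert:
            self.events.append((t, "Fail-over successful: secondary-to-primary"))
            self.active = "primary"
        if alive[self.active]:
            self.failed_reported = False


def simulate(do_not_revert=False, end=60):
    """Run a constructed scenario: the primary peer stops answering from t=10 to t=30.

    DPD is interval 5, timeout 2, num-retry 3.  Returns (active tunnel, events)."""
    primary_up = lambda t: not (10 <= t < 30)
    secondary_up = lambda t: True
    group = CryptoGroup(DpdMonitor(5, 2, 3, primary_up),
                        DpdMonitor(5, 2, 3, secondary_up), do_not_revert)
    for t in range(end + 1):
        group.tick(float(t))
    return group.active, group.events


if __name__ == "__main__":
    for flag in (False, True):
        active, events = simulate(do_not_revert=flag)
        print(f"do-not-revert={flag}: active={active}")
        for t, msg in events:
            print(f"  t={t:5.1f}s {msg}")
```

With these parameters the primary is declared dead at t=16 (first missed probe at 10, retries at 12, 14 and 16) and traffic reverts at t=30 unless do-not-revert is set.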
Important: This section provides the minimum instruction set for configuring an APN template to support L2TP for the APN. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference. To configure the APN to support L2TP:
tunnel l2tp [ peer-address <lns_address> [ [ encrypted ] secret <l2tp_secret> ] [ preference <num> ] [ tunnel-context <tunnel_ctxt_name> ] [ local-address <agw_ip_address> ] [ crypto-map <map_name> { [ encrypted ] isakmp-secret <crypto_secret> } ] ]
• <ctxt_name> is the system context in which the APN template is configured.
• <apn_name> is the name of the preconfigured APN template in which you want to configure L2TP support.
• <lns_address> is the IP address of the LNS node with which this APN will communicate.
• <tunnel_ctxt_name> is the L2TP context in which the L2TP tunnel is configured.
• <agw_ip_address> is the local IP address of the GGSN in which this APN template is configured.
• <map_name> is the preconfigured crypto map (ISAKMP or manual) to use for L2TP.

• PSK (Pre-Shared Key) Authentication: A pre-shared key is a shared secret that was previously shared between two network nodes. IPSec for LTE/SAE supports PSK such that both IPSec nodes must be configured to use the same shared secret.
• Idle Tunnel Termination: When a session manager for a service detects that all subscriber sessions using a given IPSec tunnel have terminated, the IPSec tunnel also gets terminated after a timeout period.
• Service Termination: When a service running on a network node is brought down for any reason, all corresponding IPSec tunnels get terminated. This may be caused by the interface for a service going down, a service being stopped manually, or a task handling an IPSec tunnel restarting.
• Unreachable Peer: If a network node detects an unreachable peer via Dead Peer Detection (DPD), the IPSec tunnel between the nodes gets terminated. DPD can be enabled per P-GW, S-GW, and MME service via the system CLI during crypto template configuration.
• E-UTRAN Handover Handling: Any IPSec tunnel that becomes unusable due to an E-UTRAN network handover gets terminated, while the network node to which the session is handed initiates a new IPSec tunnel for the session.
Important: This license is enabled by default; however, not all features are supported on all platforms and other licenses may be required for full functionality as described in this chapter.
Important: Registration Revocation functionality is also supported for Proxy Mobile IP. However, only the HA can initiate the revocation for Proxy-MIP calls.
Important: The Revocation Support Extension in the RRQ or RRP must be protected by the FA-HA Authentication Extension. Therefore, an FA-HA SPI must be configured at the FA and the HA for this to succeed.
• FA service(s): Registration Revocation must be enabled and operational parameters optionally configured.
• HA service(s): Registration Revocation must be enabled and operational parameters optionally configured.
Important: These instructions assume that the system was previously configured to support subscriber data sessions for a core network service with FA and/or an HA according to the instructions described in the respective product Administration Guide.
Important: Commands used in the configuration samples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
fa-service <fa_service_name>
  revocation max-retransmission <number>
  revocation retransmission-timeout <time>
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
ha-service <ha_service_name>
  revocation max-retransmission <number>
  revocation retransmission-timeout <time>
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
Important: Proxy Mobile IP is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
• Scenario 1: The AAA server that authenticates the MN at the PDSN allocates an IP address to the MN. Note that the PDSN does not allocate an address from its IP pools.
• Scenario 2: The HA assigns an IP address to the MN from one of its locally configured dynamic pools.
• Scenario 1: The AAA server that authenticates the MN at the ASN GW allocates an IP address to the MN. Note that the ASN GW does not allocate an address from its IP pools.
• Scenario 2: The HA assigns an IP address to the MN from one of its locally configured dynamic pools.
Important: For Proxy-MIP call setup using PAP, the first 14 steps are the same as for CHAP authentication. However, here they deviate because the MS does not support EAP-MD5 authentication, but EAP-GTC. In response to the EAP-MD5 challenge, the MS instead responds with legacy-Nak with EAP-GTC. The diagram below picks up at this point.
Important: Not all commands and keywords/variables may be supported. This depends on the platform type and the installed license(s).
• FA service(s): Proxy Mobile IP must be enabled, operation parameters must be configured, and FA-HA security associations must be specified.
• Subscriber profile(s): Attributes must be configured to allow the subscriber(s) to use Proxy Mobile IP. These attributes can be configured in subscriber profiles stored locally on the system or remotely on a RADIUS AAA server.
• APN template(s): Proxy Mobile IP can be supported for every subscriber IP PDP context facilitated by a specific APN template based on the configuration of the APN.
Important: These instructions assume that the system was previously configured to support subscriber data sessions as a core network service and/or an HA according to the instructions described in the respective product administration guide.
fa-service <fa_service_name>
  proxy-mip max-retransmissions <integer>
  proxy-mip retransmission-timeout <seconds>
  proxy-mip renew-percent-time <percentage>
  fa-ha-spi remote-address { <ha_ip_address> | <ip_addr_mask_combo> } spi-number <number> { encrypted secret <enc_secret> | secret <secret> } [ description <string> ] [ hash-algorithm { hmac-md5 | md5 | rfc2002-md5 } | replay-protection { timestamp | nonce } | timestamp-tolerance <tolerance> ]
• The proxy-mip max-retransmissions command configures the maximum number of retry attempts that the FA service is allowed to make when sending Proxy Mobile IP Registration Requests to the HA.
• proxy-mip retransmission-timeout configures the maximum amount of time the FA waits for a response from the HA before re-sending a Proxy Mobile IP Registration Request message.
• proxy-mip renew-percent-time configures the amount of time that must pass prior to the FA sending a Proxy Mobile IP Registration Renewal Request.
• Use the fa-ha-spi remote-address command to modify configured FA-HA SPIs to support Proxy Mobile IP. Refer to the Command Line Interface Reference for the full command syntax.
Important: Note that FA-HA SPIs must be configured for the Proxy-MIP feature to work, while they are optional for regular MIP.
• Use the authentication mn-ha allow-noauth command to configure the FA service to allow communications from the HA without authenticating the HA.
Proceed to the optional Configuring Proxy MIP HA Failover section to configure Proxy MIP HA Failover support or skip to the Configuring HA Services section to configure HA service support for Proxy Mobile IP.
Important: The configuration in this section is optional.
fa-service <fa_service_name>
  proxy-mip ha-failover [ max-attempts <max_attempts> | num-attempts-before-switching <num_attempts> | timeout <seconds> ]
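The interplay of the FA-side retransmission keywords described above (proxy-mip max-retransmissions, retransmission-timeout, renew-percent-time) and the ha-failover keywords, as an added simulation that is not code from this guide or from StarOS. The guide gives only the syntax of proxy-mip ha-failover, so the semantics modelled here (the FA moves to the subscriber's alternate HA after num-attempts-before-switching unanswered Registration Requests) are an assumption, as are the function names and the constructed HA addresses.

```python
"""Proxy Mobile IP RRQ retransmission and HA failover, as a simulation.

Added example, not code from the Cisco guide. It models the FA-side
behaviour controlled by proxy-mip max-retransmissions,
retransmission-timeout, renew-percent-time and ha-failover. The
ha-failover semantics (switch to the alternate HA after
num-attempts-before-switching unanswered RRQs) are an assumption.
"""


def renewal_delay_s(lifetime_s, renew_percent):
    """Seconds after a successful registration at which the FA sends a
    Registration Renewal Request: renew-percent-time of the granted lifetime."""
    if not 0 < renew_percent <= 100:
        raise ValueError("renew-percent-time must be in 1..100")
    return lifetime_s * renew_percent / 100.0


def register(home_agents, reachable, max_retransmissions, timeout_s,
             attempts_before_switching):
    """Send RRQs until an RRP arrives or the retry budget is exhausted.

    home_agents: primary HA first, then the 'alternate' HA from the
                 subscriber profile.
    reachable:   constructed stand-in for the network, HA address -> bool.
    Returns the HA that answered (None on failure), the number of RRQs
    sent, the seconds spent waiting on timeouts, and an event trace.
    """
    events = []
    sent = 0
    waited = 0.0
    ha_index = 0
    unanswered_on_current = 0
    budget = 1 + max_retransmissions     # initial request plus retransmissions
    while sent < budget:
        ha = home_agents[ha_index]
        sent += 1
        events.append(("RRQ", ha))
        if reachable.get(ha, False):
            events.append(("RRP", ha))
            return {"ha": ha, "sent": sent, "waited_s": waited, "events": events}
        waited += timeout_s              # retransmission-timeout expires, no RRP
        unanswered_on_current += 1
        # Assumed ha-failover semantics: after num-attempts-before-switching
        # unanswered RRQs to one HA, move on to the next HA in the list.
        if (unanswered_on_current >= attempts_before_switching
                and ha_index + 1 < len(home_agents)):
            ha_index += 1
            unanswered_on_current = 0
            events.append(("SWITCH", home_agents[ha_index]))
    return {"ha": None, "sent": sent, "waited_s": waited, "events": events}


def failover_reachable(max_retransmissions, attempts_before_switching):
    """True only if the retry budget leaves at least one RRQ for the alternate HA."""
    return attempts_before_switching < 1 + max_retransmissions


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation range), not from the guide.
    primary, alternate = "192.0.2.10", "192.0.2.11"
    result = register([primary, alternate], {primary: False, alternate: True},
                      max_retransmissions=3, timeout_s=2.0,
                      attempts_before_switching=2)
    for event in result["events"]:
        print(event)
    print("registered with", result["ha"], "after", result["sent"], "RRQs")
    print("renewal due after", renewal_delay_s(1800, 75), "s of a 1800 s lifetime")
```

The point the simulation makes visible is that num-attempts-before-switching only matters if it is smaller than 1 + max-retransmissions; otherwise the FA exhausts its retry budget on the primary HA and the alternate configured with mobile-ip home-agent ... alternate is never tried.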
ha-service <ha_service_name>
Important: Note that FA-HA SPIs must be configured for the Proxy MIP feature to work, while they are optional for regular MIP. Also note that the syntax below assumes that FA-HA SPIs were previously configured as part of the HA service as described in the respective product Administration Guide. The replay-protection and timestamp-tolerance keywords should only be configured when supporting Proxy Mobile IP.
fa-ha-spi remote-address <fa_ip_address> spi-number <number> { encrypted secret <enc_secret> | secret <secret> } [ description <string> ] [ hash-algorithm { hmac-md5 | md5 | rfc2002-md5 } ] [ replay-protection { timestamp | nonce } | timestamp-tolerance <tolerance> ]
show ha-service name <ha_service_name>
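What the fa-ha-spi hash-algorithm and replay-protection timestamp settings above mean on the wire, as an added example that is not code from this guide or from StarOS. It builds a Mobile IP Registration Request, lets an FA append the FA-HA Authentication Extension using either HMAC-MD5 or the RFC 2002 prefix+suffix keyed MD5, and has the HA verify the authenticator, the SPI, and the timestamp-based Identification field against a tolerance window before accepting the request. Packet layout and reply-code numbers follow RFC 2002; the SPI, secret, addresses, the reading of timestamp-tolerance as seconds, and the fact that the guide's plain md5 keyword is not modelled are all assumptions of this example.

```python
"""Verifying the FA-HA Authentication Extension on a Mobile IP RRQ.

Added example, not code from the Cisco guide. It models how an HA could
check the FA-HA authentication extension that the FA appends once
fa-ha-spi is configured, plus timestamp replay protection with a
tolerance window. Layout and error codes follow RFC 2002; the SPI,
secret, addresses and timestamp-tolerance-in-seconds are assumptions.
"""
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01
FA_HA_AUTH_EXT_TYPE = 34         # RFC 2002 Foreign-Home Authentication Extension
RRQ_FIXED_LEN = 24               # type, flags, lifetime, 3 addresses, identification
AUTH_EXT_LEN = 22                # type(1) length(1) SPI(4) authenticator(16)


def rfc2002_keyed_md5(secret, data):
    """RFC 2002 default 'prefix+suffix' keyed MD5: MD5(secret || data || secret)."""
    return hashlib.md5(secret + data + secret).digest()


def hmac_md5(secret, data):
    """HMAC-MD5 (RFC 2104), which RFC 3344 later made the default."""
    return hmac.new(secret, data, hashlib.md5).digest()


# Two of the guide's hash-algorithm keywords. How its plain "md5" keyword maps
# is not stated on the page, so it is deliberately not modelled here.
HASH_ALGORITHMS = {"hmac-md5": hmac_md5, "rfc2002-md5": rfc2002_keyed_md5}


def ipv4(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_rrq(home_addr, ha_addr, care_of_addr, lifetime, identification):
    """Fixed part of a Registration Request (RFC 2002 section 3.3)."""
    return struct.pack("!BBH4s4s4sQ", 1, 0, lifetime, ipv4(home_addr),
                       ipv4(ha_addr), ipv4(care_of_addr), identification)


def timestamp_identification(unix_seconds, low32):
    """Identification in timestamp mode: NTP seconds in the high 32 bits."""
    return ((int(unix_seconds) + NTP_EPOCH_OFFSET) << 32) | (low32 & 0xFFFFFFFF)


def fa_sign(rrq, spi, secret, algo):
    """FA side: append the FA-HA authentication extension. The authenticator
    covers the protected payload plus the extension's own type, length and SPI."""
    header = struct.pack("!BBI", FA_HA_AUTH_EXT_TYPE, 4 + 16, spi)
    return rrq + header + HASH_ALGORITHMS[algo](secret, rrq + header)


class HaVerifier:
    """HA side: the configured SPI/secret/algorithm plus replay protection."""

    def __init__(self, spi, secret, algo, tolerance_s):
        self.spi, self.secret, self.algo = spi, secret, algo
        self.tolerance_s = tolerance_s
        self.last_identification = {}   # home address -> last accepted value

    def verify(self, packet, now=None):
        """Return (accepted, reason); reasons mirror RFC 2002 reply codes."""
        if len(packet) < RRQ_FIXED_LEN + AUTH_EXT_LEN:
            return False, "too short"
        body, ext = packet[:-AUTH_EXT_LEN], packet[-AUTH_EXT_LEN:]
        ext_type, ext_len, spi = struct.unpack("!BBI", ext[:6])
        if ext_type != FA_HA_AUTH_EXT_TYPE or ext_len != 20 or spi != self.spi:
            return False, "bad extension or unknown SPI"
        expected = HASH_ALGORITHMS[self.algo](self.secret, body + ext[:6])
        if not hmac.compare_digest(expected, ext[6:]):
            return False, "authentication failed"        # code 132
        home_addr = body[4:8]
        identification = struct.unpack("!Q", body[16:24])[0]
        sent_at = (identification >> 32) - NTP_EPOCH_OFFSET
        now = time.time() if now is None else now
        if abs(now - sent_at) > self.tolerance_s:
            return False, "identification mismatch"      # code 133
        # A request whose Identification does not advance is a replay.
        if identification <= self.last_identification.get(home_addr, -1):
            return False, "replayed identification"
        self.last_identification[home_addr] = identification
        return True, "ok"


if __name__ == "__main__":
    # Constructed values, not from the guide.
    now = 1_700_000_000
    rrq = build_rrq("10.0.0.2", "10.0.0.1", "192.0.2.1", 1800,
                    timestamp_identification(now, 1))
    packet = fa_sign(rrq, 0x100, b"example-fa-ha-secret", "hmac-md5")
    ha = HaVerifier(0x100, b"example-fa-ha-secret", "hmac-md5", tolerance_s=7)
    print(ha.verify(packet, now))    # accepted
    print(ha.verify(packet, now))    # same packet again: replay rejected
```

Both ends must agree on the algorithm as well as the secret: an HA configured with rfc2002-md5 rejects a request signed with hmac-md5 even though the shared secret matches, which is the symptom to look for when FA-HA SPIs were copied between services with different hash-algorithm settings.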
Important: Instructions for configuring RADIUS-based subscriber profiles are not provided in this document. Please refer to the documentation supplied with your server for further information.
This attribute must be enabled to support Proxy Mobile IP.
• Disabled - do not perform compulsory Proxy-MIP (0)
• Enabled - perform compulsory Proxy-MIP (1)
Important: Regardless of the configuration of this attribute, the FA facilitating the Proxy Mobile IP session will not allow simultaneous Simple IP and Mobile IP sessions for the MN.
subscriber name <subscriber_name>
  mobile-ip home-agent <ha_address>
  mobile-ip home-agent <ha_address> alternate (optional)
  ip context-name <context_name>
subscriber name <subscriber_name>
subscriber_name is the name of the subscriber and can be from 1 to 127 alpha and/or numeric characters and is case sensitive.
  ip context-name <context_name>
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
Important: This is an optional configuration. In addition, attributes returned from the subscriber’s profile for non-transparent IP PDP contexts take precedence over the configuration of the APN.
context_name is the name of the system destination context designated for APN configuration. The name must be from 1 to 79 alpha and/or numeric characters and is case sensitive. The following prompt appears:
[<context_name>]host_name(config-ctx)#
apn_name is the name of the APN that is being configured. The name must be from 1 to 62 alpha and/or numeric characters and is not case sensitive. It may also contain dots (.) and/or dashes (-). The following prompt appears:
[<context_name>]host_name(config-apn)#
Step 5: Optional. The GGSN/FA MN-NAI extension can be skipped in the MIP Registration Request by entering the following command:
Step 7: Repeat step 1 through step 6 as needed to configure additional APNs.
Important: Traffic Policing and Shaping is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
• Committed Data Rate (CDR): The guaranteed rate (in bits per second) at which packets can be transmitted/received for the subscriber during the sampling interval.
• Peak Data Rate (PDR): The maximum rate (in bits per second) at which subscriber packets can be transmitted/received during the sampling interval.
• Burst-size: The maximum number of bytes that can be transmitted/received for the subscriber during the sampling interval for both committed (CBS) and peak (PBS) rate conditions. This represents the maximum number of tokens that can be placed in the subscriber’s “bucket”. Note that the committed burst size (CBS) equals the peak burst size (PBS) for each subscriber.
• Drop: The offending packet is discarded.
• Lower the IP Precedence: The packet’s ToS bit is set to “0”, thus downgrading it to Best Effort, prior to passing the packet. Note that if the packet’s ToS bit was already set to “0”, this action is equivalent to “Transmit”.
Important: In 3GPP, service attributes received from the RADIUS server supersede the settings in the APN.
Important: Commands used in the configuration samples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
Important: Instructions for configuring RADIUS-based subscriber profiles are not provided in this document. Please refer to the documentation supplied with your server for further information.
Important: If the exceed/violate action is set to “lower-ip-precedence”, the TOS value for the outer packet becomes “best effort” for packets that exceed/violate the traffic limits regardless of how the ip user-datagram-tos-copy command in the Subscriber Configuration mode is configured. In addition, the “lower-ip-precedence” option may also override the configuration of the ip qos-dscp command (also in the Subscriber Configuration mode). Therefore, it is recommended that the ip qos-dscp command not be used when specifying this option.
• Optionally, configure the maximum number of PDP contexts that can be facilitated by the APN to limit the APN’s bandwidth consumption by entering the following command in the configuration:
Important: If a “subscribed” traffic class is received, the system changes the class to background and sets the following:
• The uplink and downlink guaranteed data rates are set to 0.
• If the received uplink or downlink data rates are 0 and traffic policing is disabled, the default of 64 kbps is used. When traffic policing is enabled, the APN-configured values are used.
• If the configured value for the downlink max data rate is larger than can fit in an R4 QoS profile, the default of 64 kbps is used.
• If either the received uplink or downlink max data rate is non-zero, traffic policing is employed if it is enabled for the background class. The received values are used for responses when traffic policing is disabled.
Important: In 3GPP, service attributes received from the RADIUS server supersede the settings in the APN.
Important: Commands used in the configuration samples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
Important: Instructions for configuring RADIUS-based subscriber profiles are not provided in this document. Please refer to the documentation supplied with your server for further information.
Important: If the exceed/violate action is set to “lower-ip-precedence”, the TOS value for the outer packet becomes “best effort” for packets that exceed/violate the traffic limits regardless of how the ip user-datagram-tos-copy command in the Subscriber Configuration mode is configured. In addition, the “lower-ip-precedence” option may also override the configuration of the ip qos-dscp command (also in the Subscriber Configuration mode). Therefore, it is recommended that the ip qos-dscp command not be used when specifying this option.
Step 2: Optional. Configure the maximum number of PDP contexts that can be facilitated by the APN to limit the APN’s bandwidth consumption by entering the following command in the configuration:
• If the exceed/violate action is set to lower-ip-precedence, this command may override the configuration of the ip qos-dscp command in the GGSN service configuration mode for packets from the GGSN to the SGSN. In addition, the GGSN service ip qos-dscp command configuration can override the APN setting for packets from the GGSN to the Internet. Therefore, it is recommended that the ip qos-dscp command not be used in conjunction with this action.
NOTE: It is recommended that this parameter be configured to at least the greater of the following two values: 1) 3 times the packet MTU for the subscriber connection, or 2) 3 seconds’ worth of token accumulation in the “bucket” at the configured peak-data-rate.
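The token-bucket parameters (committed data rate, peak data rate, burst-size with CBS equal to PBS) and the exceed/violate actions described above, together with the burst-size floor recommended in the note, as an added example that is not code from this guide or from StarOS. It implements a two-rate, three-colour policer in the style of RFC 2698 and applies drop or lower-ip-precedence to packets classified as exceed or violate; the class and function names, the interpretation of lower-ip-precedence as clearing the three IP Precedence bits of the ToS byte, and the sample rates are assumptions.

```python
"""Two-rate token-bucket policer with the exceed/violate actions above.

Added example, not code from the Cisco guide or from StarOS. It models
committed-data-rate / peak-data-rate / burst-size as a two-rate,
three-colour policer (RFC 2698 style, CBS equal to PBS as the text
says) with the drop and lower-ip-precedence actions, and computes the
burst-size floor recommended in the note above. Names are assumptions.
"""


def recommended_burst_bytes(mtu_bytes, peak_data_rate_bps, seconds=3):
    """Burst-size floor: the greater of 3 x MTU and `seconds` worth of token
    accumulation at the peak data rate (rates in bits/s, buckets in bytes)."""
    return max(3 * mtu_bytes, seconds * peak_data_rate_bps // 8)


def lower_ip_precedence(tos):
    """Set the IP Precedence (top three ToS bits) to 0, i.e. Best Effort.
    Leaving the low five bits alone is this example's reading of the note."""
    return tos & 0x1F


class TwoRatePolicer:
    """Per-subscriber policer: one bucket filled at the committed rate, one
    at the peak rate, both capped at burst_bytes (CBS == PBS)."""

    ACTIONS = ("transmit", "drop", "lower-ip-precedence")

    def __init__(self, cdr_bps, pdr_bps, burst_bytes,
                 exceed_action="lower-ip-precedence", violate_action="drop",
                 start_time=0.0):
        if pdr_bps < cdr_bps:
            raise ValueError("peak-data-rate must be >= committed-data-rate")
        for action in (exceed_action, violate_action):
            if action not in self.ACTIONS:
                raise ValueError("unknown action %r" % action)
        self.cdr_bps, self.pdr_bps, self.burst = cdr_bps, pdr_bps, burst_bytes
        self.actions = {"conform": "transmit",
                        "exceed": exceed_action, "violate": violate_action}
        self.committed_tokens = float(burst_bytes)   # CBS bucket starts full
        self.peak_tokens = float(burst_bytes)        # PBS bucket starts full
        self.last_time = start_time

    def _refill(self, now):
        """Add tokens for the time elapsed since the last packet, capped at burst."""
        elapsed = max(0.0, now - self.last_time)
        self.committed_tokens = min(self.burst,
                                    self.committed_tokens + elapsed * self.cdr_bps / 8)
        self.peak_tokens = min(self.burst,
                               self.peak_tokens + elapsed * self.pdr_bps / 8)
        self.last_time = now

    def police(self, packet_len, now, tos):
        """Classify one packet and apply the configured action.

        Returns (colour, action, tos_after); tos_after is None when dropped.
        Colour-blind RFC 2698 order: violate if the peak bucket cannot cover
        the packet, exceed if only the committed bucket cannot, else conform."""
        self._refill(now)
        if self.peak_tokens < packet_len:
            colour = "violate"
        elif self.committed_tokens < packet_len:
            colour = "exceed"
            self.peak_tokens -= packet_len
        else:
            colour = "conform"
            self.peak_tokens -= packet_len
            self.committed_tokens -= packet_len
        action = self.actions[colour]
        if action == "drop":
            return colour, action, None
        if action == "lower-ip-precedence":
            return colour, action, lower_ip_precedence(tos)
        return colour, action, tos


if __name__ == "__main__":
    # Constructed sample: 64 kbps committed, 128 kbps peak, a deliberately
    # small 3000-byte burst so all three colours show up within a few packets.
    policer = TwoRatePolicer(64000, 128000, 3000)
    for length, at in ((1500, 0.0), (1500, 0.0), (1500, 0.0), (1000, 0.1)):
        print(length, "bytes at", at, "s ->", policer.police(length, at, 0xB8))
    print("recommended burst for 1500-byte MTU at 128 kbps:",
          recommended_burst_bytes(1500, 128000), "bytes")
```

With the recommended floor, a 1500-byte MTU at a 128 kbps peak rate yields 48000 bytes (3 seconds of tokens dominate 3 x MTU), which is why the demonstration above uses a much smaller burst to make exceed and violate occur quickly; undersizing burst-size in production has the same effect on a subscriber's traffic.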
ip route <ip_addr/ip_mask> <next_hop_addr> <lcl_cntxt_intrfc_name>
peer <sta_cfg_name> realm <name> address <aaa_ipv4_address>
peer <gxa_cfg_name> realm <name> address <pcrf_ip_addr> port <#>
peer <rf_cfg_name> realm <name> address <ocs_ip_addr> port <#>
Caution: Large numbers of services greatly increase the complexity of management and may impact overall system performance (for example, as a result of system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information.