
Table Of Contents

Cisco IOS Mobile Wireless Commands

aaa-accounting

aaa-group

access-mode

access-point

access-point-name

access-type

access-violation deactivate-pdp-context

aggregate

anonymous user

block count

block-foreign-ms

cdma pdsn a10 ahdlc engine

cdma pdsn a10 gre sequencing

cdma pdsn a10 init-ppp-after-airlink-start airlink-start-timeout

cdma pdsn a10 max-lifetime

cdma pdsn a11 dormant ppp-idle-timeout send-termreq

cdma pdsn a11 mandate presence airlink-setup

cdma pdsn accounting local-timezone

cdma pdsn accounting send

cdma pdsn accounting send cdma-ip-tech

cdma pdsn accounting time-of-day

cdma pdsn age-idle-users

cdma pdsn cluster controller

cdma pdsn cluster controller session-high

cdma pdsn cluster controller session-low

cdma pdsn cluster member

cdma pdsn compliance iosv4.1 session-reference

cdma pdsn compliance is835a esn-optional

cdma pdsn failure-history

cdma pdsn ingress-address-filtering

cdma pdsn maximum pcf

cdma pdsn maximum sessions

cdma pdsn mobile-advertisement-burst

cdma pdsn msid-authentication

cdma pdsn retransmit a11-update

cdma pdsn secure cluster

cdma pdsn secure pcf

cdma pdsn selection interface

cdma pdsn selection keepalive

cdma pdsn selection load-balancing

cdma pdsn selection session-table-size

cdma pdsn send-agent-adv

cdma pdsn timeout a11-update

cdma pdsn timeout mobile-ip-registration

cdma pdsn virtual-template

clear cdma pdsn cluster controller session records age

clear cdma pdsn selection

clear cdma pdsn session

clear cdma pdsn statistics

clear gprs access-point statistics

clear gprs charging cdr

clear gprs gtp pdp-context

clear gprs gtp statistics

clear gprs gtp-director statistics

clear ip mobile host-counters

clear ip mobile secure

clear ip mobile visitor

clear ip rtp header-compression

clear ppp mux

clear radius local-server

crypto map (global IPSec)

dhcp-gateway-address

dhcp-server

dns primary

encapsulation gtp

gprs access-point-list

gprs canonical-qos best-effort bandwidth-factor

gprs canonical-qos gsn-resource-factor

gprs canonical-qos map tos

gprs canonical-qos premium mean-throughput-deviation


Cisco IOS Mobile Wireless Commands


This book documents all of the Cisco IOS software commands in Cisco IOS Release 12.3(11)T for the Gateway GPRS Support Node (GGSN), GTP Director Module (GDM), and Packet Data Serving Node (PDSN), in alphabetical order.

aaa-accounting

To enable or disable accounting for a particular access point on the GGSN, use the aaa-accounting access-point configuration command.

aaa-accounting [enable | disable | interim update]

Syntax Description

enable

(Optional) Enables accounting on the APN. When you configure an APN for non-transparent access, this is the default value.

disable

(Optional) Disables accounting on the APN. When you configure an APN for transparent access, this is the default value.

interim update

(Optional) Enables interim accounting records to be sent to an accounting server when a routing area update (resulting in an SGSN change) or QoS change has occurred.


Defaults

enable—For non-transparent APNs

disable—For transparent APNs

Interim accounting is disabled.

Command Modes

Access-point configuration

Command History

Release
Modification

12.2(4)MX

This command was introduced.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.2(8)YY

This command was incorporated in GGSN 3.1 and the ability to enable interim accounting records was added.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

You can configure AAA accounting services at an access point. However, for accounting to occur, you also must complete the configuration by specifying the following other configuration elements on the GGSN:

Enable AAA services using the aaa new-model global configuration command.

Define a server group with the IP addresses of the RADIUS servers in that group using the aaa group server global configuration command.

Configure the following AAA services:

AAA authentication using the aaa authentication global configuration command

AAA authorization using the aaa authorization global configuration command

AAA accounting using the aaa accounting global configuration command

Assign the type of services that the AAA server group should provide. If you only want the server group to support accounting services, then you need to configure the server for accounting only. You can assign the AAA services to the AAA server groups either at the GPRS global configuration level using the gprs default aaa-group command, or at the APN using the aaa-group command.

Configure the RADIUS servers using the radius-server host command.


Note: For more information about AAA and RADIUS global configuration commands, see the Cisco IOS Security Command Reference.


You can verify whether AAA accounting services are configured at an APN using the show gprs access-point command.

This command does not have a no form.

Enabling and Disabling Accounting Services for an Access Point

The Cisco Systems GGSN has different defaults for enabling and disabling accounting services for transparent and non-transparent access points:

If you configure an APN for non-transparent access using the access-mode command, the GGSN automatically enables accounting with authentication at the APN.

If you configure an APN for transparent access, which is the default access mode, the GGSN automatically disables accounting at the APN.

To selectively disable accounting at specific APNs where you do not want that service, use the aaa-accounting disable access-point configuration command.

Configuring Interim Accounting for an Access Point

Using the aaa-accounting interim update access-point configuration command, you can configure the GGSN to send Interim-Update Accounting requests to the AAA server when a routing area update (resulting in an SGSN change) or QoS change has occurred for a PDP context. These changes are conveyed to the GGSN by an Update PDP Context request.


Note: Interim accounting support requires that accounting services be enabled for the APN and that the aaa accounting update newinfo global configuration command be configured.


This command does not have a no form.

Examples

Example 1

The following configuration example disables accounting at access-point 1:

interface virtual-template 1
 gprs access-point-list abc
!
gprs access-point-list abc
 access-point 1
  access-point-name gprs.pdn.com
  access-mode non-transparent
  aaa-accounting disable

Example 2

The following configuration example enables accounting on transparent access-point 4. Accounting is disabled on access-point 5 because it is configured for transparent mode and the aaa-accounting enable command is not explicitly configured.

Accounting is automatically enabled on access-point 1 because it has been configured for non-transparent access mode. Accounting is explicitly disabled at access-point 3, because accounting is automatically enabled for non-transparent access mode.

Some of the AAA and RADIUS global configuration commands are also shown:

aaa new-model
!
aaa group server radius foo
 server 10.2.3.4
 server 10.6.7.8
aaa group server radius foo1
 server 10.10.0.1
aaa group server radius foo2
 server 10.2.3.4
 server 10.10.0.1
aaa group server radius foo3
 server 10.6.7.8
 server 10.10.0.1
!
aaa authentication ppp foo group foo
aaa authentication ppp foo2 group foo2
aaa authorization network default group radius
aaa accounting exec default start-stop group foo
aaa accounting network foo1 start-stop group foo1
aaa accounting network foo2 start-stop group foo2
!
gprs access-point-list gprs
 access-point 1
  access-mode non-transparent
  access-point-name www.pdn1.com
  aaa-group authentication foo
!
 access-point 3
  access-point-name www.pdn2.com
  access-mode non-transparent
  aaa-accounting disable
  aaa-group authentication foo
!
 access-point 4
  access-point-name www.pdn3.com
  aaa-accounting enable
  aaa-group accounting foo1
!
 access-point 5
  access-point-name www.pdn4.com
!
gprs default aaa-group authentication foo2
gprs default aaa-group accounting foo3
!
radius-server host 10.2.3.4 auth-port 1645 acct-port 1646 non-standard
radius-server host 10.6.7.8 auth-port 1645 acct-port 1646 non-standard
radius-server host 10.10.0.1 auth-port 1645 acct-port 1646 non-standard
radius-server key ggsntel

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa authorization

Sets parameters that restrict user access to a network.

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa-group

Specifies a RADIUS server group and assigns the type of AAA services to be supported by the server group for a particular access point on the GGSN.

gprs default aaa-group

Specifies a default RADIUS server group and assigns the type of AAA services to be supported by the server group for all access points on the GGSN.

radius-server host

Specifies a RADIUS server host.

show gprs access-point

Displays information about access points on the GGSN.


aaa-group

To specify a AAA server group and assign the type of AAA services to be supported by the server group for a particular access point on the GGSN, use the aaa-group access-point configuration command. To remove a AAA server group, use the no form of this command.

aaa-group {authentication | accounting} server-group

no aaa-group {authentication | accounting} server-group

Syntax Description

authentication

Assigns the selected server group for authentication services on the APN.

accounting

Assigns the selected server group for accounting services only on the APN.

server-group

Specifies the name of a AAA server group to be used for AAA services on the APN.

Note: The name of the AAA server group that you specify must correspond to a server group that you configure using the aaa group server command.


Defaults

No default behavior or values.

Command Modes

Access-point configuration

Command History

Release
Modification

12.2(4)MX

This command was introduced.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

The Cisco Systems GGSN supports authentication and accounting at APNs using AAA server groups. By using AAA server groups, you gain the following benefits:

You can selectively implement groups of servers for authentication and accounting at different APNs.

You can configure different server groups for authentication services and accounting services in the same APN.

You can control which RADIUS services you want to enable at a particular APN, such as AAA accounting.

The GGSN supports the implementation of AAA server groups at both the global and access-point configuration levels. You can minimize your configuration by specifying the configuration that you want to support across most APNs, at the global configuration level. Then, at the access-point configuration level, you can selectively modify the services and server groups that you want to support at a particular APN. Therefore, you can override the AAA server global configuration at the APN configuration level.

To configure a default AAA server group to be used for all APNs on the GGSN, use the gprs default aaa-group global configuration command. To specify a different AAA server group to be used at a particular APN for authentication or accounting, use the aaa-group access-point configuration command.

If accounting is enabled on the APN, then the GGSN looks for an accounting server group to be used for the APN in the following order:

First, at the APN for an accounting server group—configured in the aaa-group accounting command.

Second, for a global GPRS default accounting server group—configured in the gprs default aaa-group accounting command.

Third, at the APN for an authentication server group—configured in the aaa-group authentication command.

Last, for a global GPRS default authentication server group—configured in the gprs default aaa-group authentication command.

If none of the above commands are configured on the GGSN, then AAA accounting is not performed.

If authentication is enabled on the APN, then the GGSN first looks for an authentication server group at the APN, configured in the aaa-group authentication command. If an authentication server group is not found at the APN, then the GGSN looks for a globally configured, GPRS default authentication server group, configured in the gprs default aaa-group authentication command.

To complete the configuration, you also must specify the following configuration elements on the GGSN:

Enable AAA services using the aaa new-model global configuration command.

Configure the RADIUS servers using the radius-server host command.

Define a server group with the IP addresses of the RADIUS servers in that group using the aaa group server global configuration command.

Configure the following AAA services:

AAA authentication using the aaa authentication global configuration command

AAA authorization using the aaa authorization global configuration command

AAA accounting using the aaa accounting global configuration command

Enable the type of AAA services (accounting and authentication) to be supported on the APN.

The GGSN enables accounting by default for non-transparent APNs.

You can enable or disable accounting services at the APN using the aaa-accounting command.

Authentication is enabled by default for non-transparent APNs. There is no specific command to enable or disable authentication. Authentication cannot be enabled for transparent APNs.

You can verify the AAA server groups that are configured for an APN using the show gprs access-point command.


Note: For more information about AAA and RADIUS global configuration commands, see the Cisco IOS Security Command Reference.


Examples

The following configuration example defines four AAA server groups on the GGSN: foo, foo1, foo2, and foo3, shown by the aaa group server commands.

Using the gprs default aaa-group command, two of these server groups are globally defined as default server groups: foo2 for authentication, and foo3 for accounting.

At access-point 1, which is enabled for authentication, the default global authentication server group of foo2 is overridden and the server group named foo is designated to provide authentication services on the APN. Notice that accounting services are not explicitly configured at that access point, but are automatically enabled because authentication is enabled. Because an accounting server group is defined globally, the server group named foo3 is used for accounting services.

At access-point 2, which is enabled for authentication, the default global authentication server group of foo2 is used. Because an accounting server group is defined globally, the server group named foo3 is used for accounting services.

At access-point 4, which is enabled for accounting using the aaa-accounting enable command, the default accounting server group of foo3 is overridden and the server group named foo1 is designated to provide accounting services on the APN.

Access-point 5 does not support any AAA services because it is configured for transparent access mode, and accounting is not enabled.

aaa new-model
!
aaa group server radius foo
 server 10.2.3.4
 server 10.6.7.8
aaa group server radius foo1
 server 10.10.0.1
aaa group server radius foo2
 server 10.2.3.4
 server 10.10.0.1
aaa group server radius foo3
 server 10.6.7.8
 server 10.10.0.1
!
aaa authentication ppp foo group foo
aaa authentication ppp foo2 group foo2
aaa authorization network default group radius
aaa accounting exec default start-stop group foo
aaa accounting network foo1 start-stop group foo1
aaa accounting network foo2 start-stop group foo2
aaa accounting network foo3 start-stop group foo3
!
gprs access-point-list gprs
 access-point 1
  access-mode non-transparent
  access-point-name www.pdn1.com
  aaa-group authentication foo
!
 access-point 2
  access-mode non-transparent
  access-point-name www.pdn2.com
!
 access-point 4
  access-point-name www.pdn4.com
  aaa-accounting enable
  aaa-group accounting foo1
!
 access-point 5
  access-point-name www.pdn5.com
!
gprs default aaa-group authentication foo2
gprs default aaa-group accounting foo3
!
radius-server host 10.2.3.4 auth-port 1645 acct-port 1646 non-standard
radius-server host 10.6.7.8 auth-port 1645 acct-port 1646 non-standard
radius-server host 10.10.0.1 auth-port 1645 acct-port 1646 non-standard
radius-server key ggsntel
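
The defaults and the server-group lookup order described in the usage guidelines for aaa-accounting and aaa-group can be checked mechanically when auditing a GGSN configuration. The following Python script is an added example, not Cisco code: it resolves the effective authentication and accounting server group for each access point and flags access points without authentication or accounting. The function names, the sample configuration (including access points 3 and 6 and the group name "missing") and the undefined-group check are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the configuration example above. Access
# points 3 and 6 and the group name "missing" are added for illustration.
SAMPLE_CONFIG = """\
aaa group server radius foo
aaa group server radius foo1
aaa group server radius foo2
aaa group server radius foo3
!
gprs access-point-list gprs
 access-point 1
  access-mode non-transparent
  access-point-name www.pdn1.com
  aaa-group authentication foo
 access-point 2
  access-mode non-transparent
  access-point-name www.pdn2.com
 access-point 3
  access-point-name www.pdn3.com
  access-mode non-transparent
  aaa-accounting disable
 access-point 4
  access-point-name www.pdn4.com
  aaa-accounting enable
  aaa-group accounting foo1
 access-point 5
  access-point-name www.pdn5.com
 access-point 6
  access-point-name www.pdn6.com
  aaa-accounting enable
  aaa-group accounting missing
!
gprs default aaa-group authentication foo2
gprs default aaa-group accounting foo3
"""

GROUP_RE = re.compile(r"^aaa group server radius (\S+)$")
DEFAULT_RE = re.compile(r"^gprs default aaa-group (authentication|accounting) (\S+)$")
AP_RE = re.compile(r"^access-point (\d+)$")
# "aaa-accounting interim update" does not change the enable state, so it is ignored.
ACCT_RE = re.compile(r"^aaa-accounting (enable|disable)$")
AP_CMD_RE = re.compile(r"^(access-mode|aaa-group authentication|aaa-group accounting) (\S+)$")


def parse(config):
    """Return (defined groups, global default groups, per-access-point settings)."""
    groups, defaults, aps, current = set(), {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            current = None  # a top-level command leaves access-point mode
        if m := GROUP_RE.match(line):
            groups.add(m.group(1))
        elif m := DEFAULT_RE.match(line):
            defaults[m.group(1)] = m.group(2)
        elif m := AP_RE.match(line):
            current = aps.setdefault(int(m.group(1)), {})
        elif current is not None and (m := ACCT_RE.match(line)):
            current["aaa-accounting"] = m.group(1)
        elif current is not None and (m := AP_CMD_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return groups, defaults, aps


def resolve(config):
    """Map access-point index -> effective AAA server groups and audit findings."""
    groups, defaults, aps = parse(config)
    report = {}
    for index, ap in sorted(aps.items()):
        findings = []
        # access-mode defaults to transparent; only non-transparent APNs authenticate.
        authenticated = ap.get("access-mode", "transparent") == "non-transparent"
        # Accounting defaults to enabled for non-transparent, disabled for transparent.
        setting = ap.get("aaa-accounting")
        accounting = authenticated if setting is None else setting == "enable"

        auth_group = None
        if authenticated:
            auth_group = ap.get("aaa-group authentication") or defaults.get("authentication")
            if auth_group is None:
                findings.append("no authentication server group")
        else:
            findings.append("no authentication (transparent access)")

        acct_group = None
        if accounting:
            # Documented lookup order for the accounting server group.
            candidates = (ap.get("aaa-group accounting"), defaults.get("accounting"),
                          ap.get("aaa-group authentication"), defaults.get("authentication"))
            acct_group = next((g for g in candidates if g), None)
        if acct_group is None:
            findings.append("accounting not performed")

        # Assumption: a referenced group with no "aaa group server" entry is worth flagging.
        for group in sorted({auth_group, acct_group} - {None}):
            if group not in groups:
                findings.append(f"server group {group!r} is not defined")
        report[index] = {"authentication": auth_group, "accounting": acct_group,
                         "findings": findings}
    return report


if __name__ == "__main__":
    for index, result in resolve(SAMPLE_CONFIG).items():
        print(index, result)
```

Access points that report "accounting not performed" produce no RADIUS accounting records, so sessions through them leave no billing or audit trail on the AAA server.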

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa authorization

Sets parameters that restrict user access to a network.

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa-accounting

Enables or disables accounting for a particular access point on the GGSN.

gprs default aaa-group

Specifies a default RADIUS server group and assigns the type of AAA services to be supported by the server group for all access points on the GGSN.

radius-server host

Specifies a RADIUS server host.

show gprs access-point

Displays information about access points on the GGSN.


access-mode

To specify whether the GGSN requests user authentication at the access point to a PDN, use the access-mode access-point configuration command. To remove an access mode and return to the default value, use the no form of this command.

access-mode {transparent | non-transparent}

no access-mode {transparent | non-transparent}

Syntax Description

transparent

Specifies that the users who access the PDN through the access point associated with the current virtual template are allowed access without authorization or authentication.

non-transparent

Specifies that the users who access the PDN through the current virtual template must be authenticated by the GGSN acting as a proxy for the authentication.


Defaults

transparent

Command Modes

Access-point configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the access-mode command to specify whether users accessing a PDN through a particular access point associated with the virtual template interface have transparent or non-transparent access to the network.

Transparent access means that users who access the PDN through the current virtual template are granted access without further authentication.

Non-transparent access means that users who access the PDN through the current virtual template must be authenticated by the GGSN. You must configure non-transparent access to support RADIUS services at an access point. Authentication is performed by the GGSN while establishing the PDP context.

Examples

Example 1

The following example specifies non-transparent access to the PDN, gprs.pdn.com, through access-point 1:

interface virtual-template 1
 gprs access-point-list abc
!
gprs access-point-list abc
 access-point 1
  access-point-name gprs.pdn.com
  access-mode non-transparent

Example 2

The following example specifies transparent access to the PDN, gprs.pdn2.com, through access-point 2:

interface virtual-template 1
 gprs access-point-list abc
!
gprs access-point-list abc
 access-point 2
  access-point-name gprs.pdn2.com


Note: Because transparent is the default access mode, it does not appear in the output of the show running-configuration command for the access point.


Related Commands

Command
Description

aaa-group

Specifies a AAA server group and assigns the type of AAA services to be supported by the server group for a particular access point on the GGSN.

access-point

Specifies an access-point number and enters access-point configuration mode.

gprs default aaa-group

Specifies a default AAA server group and assigns the type of AAA services to be supported by the server group for all access points on the GGSN.


access-point

To specify an access point number and enter access-point configuration mode, use the access-point access-point list configuration command. To remove an access point number, use the no form of this command.

access-point access-point-index

no access-point access-point-index

Syntax Description

access-point-index

Integer from 1 to 65535 that identifies a GPRS access point.


Defaults

No default behavior or values.

Command Modes

Access-point list configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.


12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the access-point command to create an access point to a PDN.

To configure an access point, first set up an access-point list using the gprs access-point-list command and then add the access point to the access-point list.

You can specify access point numbers in any sequence.


Note: Memory constraints might occur if you define a large number of access points to support VPN Routing and Forwarding (VRF).


Examples

The following example configures an access point with an index number of 7 in an access-point-list named "abc" on the GGSN:

gprs access-point-list abc
 access-point 7

Related Commands

Command
Description

access-point-name

Specifies the network (or domain) name for a PDN that users can access from the GGSN at a defined access point.

gprs access-point-list

Configures an access point list that you use to define PDN access points on the GGSN.


access-point-name

To specify the network (or domain) name for a PDN that users can access from the GGSN at a defined access point, use the access-point-name access-point configuration command. To remove an access point name, use the no form of this command.

access-point-name apn-name

no access-point-name apn-name

Syntax Description

apn-name

Specifies the network or domain name of the private data network that can be accessed through the current access point.


Defaults

There is no default value for this command.

Command Modes

Access-point configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the access-point-name command to specify the PDN name of a network that can be accessed through a particular access point. An access-point name is mandatory for each access point.

To configure an access point, first set up an access-point list using the gprs access-point-list command and then add the access point to the access-point list.

The access-point name typically is the domain name of the service provider that users access, for example, www.isp.com.

Examples

The following example specifies the access-point name for a network:

 access-point 1
  access-point-name www.isp.com
  exit

Related Commands

Command
Description

access-point

Specifies an access point number and enters access-point configuration mode.


access-type

To specify whether an access point is real or virtual on the GGSN, use the access-type access-point configuration command. To return to the default value, use the no form of this command.

access-type {virtual | real}

no access-type {virtual | real}

Syntax Description

virtual

Specifies an APN type that is not associated with any specific physical target network on the GGSN.

real

Specifies an APN type that corresponds to an external physical network to a PDN on the GGSN. This is the default value.


Defaults

real

Command Modes

Access-point configuration

Command History

Release
Modification

12.2(4)MX

This command was introduced.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the access-type command to specify whether an access point is real or virtual on the GGSN. You only need to configure this command for virtual access types.

Virtual access types are used to configure virtual APN support on the Cisco Systems GGSN to minimize provisioning issues in other GPRS network entities that require configuration of APN information. Using the virtual APN feature on the Cisco Systems GGSN, HLR subscription data can simply provide the name of the virtual APN. Users can still request access to specific target networks that are accessible by the GGSN without requiring each of those destination APNs to be provisioned at the HLR.

The default keyword, real, identifies a physical target network that the GGSN can reach. Real APNs must always be configured on the GGSN to reach external networks. Virtual APNs can be configured in addition to real access points to ease provisioning in the GPRS PLMN.

No other access-point configuration commands are applicable if the access type is virtual.

Examples

The following example shows configuration of a virtual access point type and a real access point type:

 access-point 1
  access-point-name corporate
  access-type virtual
  exit
 access-point 2
  access-point-name corporatea.com
  ip-address-pool dhcp-client
  dhcp-server 10.21.21.1

Related Commands

Command
Description

access-point

Specifies an access point number and enters access-point configuration mode.

access-point-name

Specifies the network (or domain) name for a PDN that users can access from the GGSN at a defined access point.


access-violation deactivate-pdp-context

To specify that a user's session be ended and the user packets discarded when a user attempts unauthorized access to a PDN through an access point, use the access-violation deactivate-pdp-context command. To return to the default value, use the no form of this command.

access-violation deactivate-pdp-context

no access-violation deactivate-pdp-context

Syntax Description

This command has no arguments or keywords.

Defaults

The user's session remains active and the user packets are discarded.

Command Modes

Access-point configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)YW

This command was incorporated in Cisco IOS Release 12.2(8)YW and the discard-packets option was removed.

12.2(8)YY

This command was incorporated in Cisco IOS Release 12.2(8)YY.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the access-violation deactivate-pdp-context command to specify the action that is taken if a user attempts unauthorized access through the specified access point.

The default is that the GGSN simply drops user packets when an unauthorized access is attempted. However, if you specify access-violation deactivate-pdp-context, the GGSN terminates the user's session in addition to discarding the packets.

Examples

The following example shows deactivation of a user's access in addition to discarding the user packets:

 access-point 1
  access-point-name pdn.aaaa.com
  ip-access-group 101 in
  access-violation deactivate-pdp-context
  exit

Related Commands

Command
Description

access-point-name

Specifies the network (or domain) name for a PDN that users can access from the GGSN at a defined access point.


aggregate

To configure the GGSN to create an aggregate route in its IP routing table, when receiving PDP requests from MSs on the specified network, for a particular access point on the GGSN, use the aggregate access-point configuration command. To remove an aggregate route, use the no form of this command.

aggregate {auto | ip-network-prefix{/mask-bit-length | ip-mask}}

no aggregate {auto | ip-network-prefix{/mask-bit-length | ip-mask}}

Syntax Description

auto

IP address mask sent by the DHCP or RADIUS server is used by the access point for route aggregation.

ip-network-prefix

Dotted decimal notation of the IP network address to be used by the GGSN for route aggregation, in the format a.b.c.d.

/mask-bit-length

Number of bits (as an integer) that represent the network portion of the specified IP network address. A forward slash is required before the integer.

Note: There is no space between the ip-network-prefix and the slash (/).

ip-mask

Dotted decimal notation of the IP network mask (in the format e.f.g.h.), which represents the network and host portion of the specified IP network address.


Defaults

No default behavior or values.

Command Modes

Access-point configuration

Command History

Release
Modification

12.2(4)MX

This command was introduced.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

The GGSN uses a static host route to forward user data packets received from the Gi interface to the Gn interface using the virtual template interface of the GTP tunnel.

Without the aggregate command or gprs default aggregate command, the GGSN creates a static host route for each PDP context. For example, for 45,000 PDP contexts supported, the GGSN creates 45,000 static host routes in its IP routing table.

You can use the aggregate command to reduce the number of static routes implemented by the GGSN for PDP contexts at a particular access point. The aggregate command allows you to specify an IP network prefix to combine the routes of PDP contexts from the same network as a single route on the GGSN.

To configure the GGSN to automatically aggregate routes that are returned by a DHCP or RADIUS server, use the aggregate auto command at the APN. Automatic route aggregation can be configured at the access-point configuration level only on the GGSN. The gprs default aggregate global configuration command does not support the auto option; therefore, you cannot configure automatic route aggregation globally on the GGSN.

You can specify multiple aggregate commands at each access point to support multiple network aggregates. However, if you use the aggregate auto command at the APN, you cannot specify any other aggregate route ranges at the APN. If you need to handle other static route cases at the APN, then you will have to use the gprs default aggregate global configuration command.

To globally define an aggregate IP network address range for all access points on the GGSN for statically derived addresses, you can use the gprs default aggregate command. Then, you can use the aggregate command to override this default address range at a particular access point.

The GGSN responds in the following manner to manage routes for MSs through an access point, when route aggregation is configured in the following scenarios:

No aggregation is configured on the GGSN, at the APN or globally—The GGSN inserts the 32-bit host route of the MS into its routing table as a static route.

A default aggregate route is configured globally, but no aggregation is configured at the APN:

  If a statically or dynamically derived address for an MS matches the default aggregate route range, the GGSN inserts an aggregate route into its routing table.

  If the MS address does not match the default aggregate route, the GGSN inserts the 32-bit host route as a static route into the routing table.

A default aggregate route is configured globally, and automatic route aggregation is configured at the APN:

  If a statically derived address for an MS matches the default aggregate route range, the GGSN inserts an aggregate route into its routing table.

  If a statically derived address for an MS does not match the default aggregate route, the GGSN inserts the 32-bit host route as a static route into its routing table.

  If a dynamically derived address for an MS is received, the GGSN aggregates the route based on the address and mask returned by the DHCP or RADIUS server.

A default aggregate route is configured globally, and an aggregate route is also configured at the APN:

  If a statically or dynamically derived address for an MS matches the aggregate range at the APN through which it was processed, or otherwise matches the default aggregate range, the GGSN inserts an aggregate route into its routing table.

  If a statically or dynamically derived address for an MS does not match either the aggregate range at the APN, or the global default aggregate range, the GGSN inserts the 32-bit host route as a static route into its routing table.

Use care when assigning IP addresses to an MS before you configure the aggregation ranges on the GGSN. A basic guideline is to aggregate as many addresses as possible, but to minimize your use of aggregation with respect to the total amount of IP address space being used by the access point.
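The scenarios above can be checked offline before a change is made. The following Python model is an added illustration, not Cisco code: the Apn class, route_for_pdp and routing_table are hypothetical names, the APN-before-default match order follows the wording of the last scenario, and the sample contexts are constructed from the addresses in Example 2 with an assumed DHCP mask of 255.255.255.0.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Apn:
    """Aggregation settings of one access point (hypothetical model)."""
    aggregates: List[str] = field(default_factory=list)  # "aggregate <prefix>/<len>" lines
    auto: bool = False                                    # "aggregate auto"

    def __post_init__(self):
        # The guidelines forbid other aggregate ranges next to "aggregate auto".
        if self.auto and self.aggregates:
            raise ValueError("aggregate auto excludes other aggregate ranges at the APN")


def route_for_pdp(ms_addr, source, apn, default_aggregates=(), server_mask=None):
    """Return the route the GGSN would insert for one PDP context.

    source is "static" or "dynamic" (address from DHCP or RADIUS);
    server_mask is the mask returned with a dynamic address.
    """
    addr = ipaddress.ip_address(ms_addr)

    # Automatic aggregation: dynamic addresses follow the server's mask.
    if apn.auto and source == "dynamic":
        if server_mask is None:
            raise ValueError("dynamic address needs the mask returned by DHCP/RADIUS")
        return ipaddress.ip_network(f"{ms_addr}/{server_mask}", strict=False)

    # Otherwise try the APN ranges first, then the global default ranges.
    for prefix in [*apn.aggregates, *default_aggregates]:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            return net

    # Nothing matched: 32-bit host route.
    return ipaddress.ip_network(f"{ms_addr}/32")


def routing_table(contexts, apn, default_aggregates=()):
    """Distinct routes created by a list of (address, source, mask) contexts."""
    return {route_for_pdp(a, s, apn, default_aggregates, m) for a, s, m in contexts}


# Constructed input modelled on Example 2: "aggregate auto" at access point 8,
# "gprs default aggregate 10.80.0.0 255.255.255.0" globally.
APN8 = Apn(auto=True)
DEFAULTS = ["10.80.0.0/255.255.255.0"]
EXAMPLE2_CONTEXTS = [(f"10.88.0.{i}", "dynamic", "255.255.255.0") for i in range(1, 6)]

if __name__ == "__main__":
    for route in sorted(routing_table(EXAMPLE2_CONTEXTS, APN8, DEFAULTS), key=str):
        print("U", route)                       # five contexts, one route
    print(route_for_pdp("10.80.0.7", "static", APN8, DEFAULTS))    # default aggregate
    print(route_for_pdp("192.168.5.9", "static", APN8, DEFAULTS))  # host route
```

Running the same model with an empty Apn() and no default ranges shows the unaggregated case, where every PDP context produces its own /32 route.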


Note The aggregate command and gprs default aggregate commands affect routing on the GGSN. Use care when planning and configuring IP address aggregation.


Use the show gprs access-point command to display information about the aggregate routes that are configured on the GGSN. The aggregate output field appears only when aggregate routes have been configured on the GGSN, or the auto option is configured.

Use the show ip route command to verify whether the static route is in the current IP routing table on the GGSN. The static route created for any PDP requests (aggregated or non-aggregated) appears with the code "U" in the routing table indicating a per-user static route.


Note The show ip route command only displays a static route for aggregated PDP contexts if PDP contexts on that network have been created on the GGSN. If you configure route aggregation on the GGSN, but no PDP requests have been received for that network, the static route does not appear.


Examples

Example 1

The following example specifies two aggregate network address ranges for access point 8. The GGSN will create aggregate routes for PDP context requests received from MSs with IP addresses on the networks 172.16.0.0 and 10.0.0.0:

gprs access-point-list gprs
 access-point 8
   access-point-name pdn.aaaa.com
   aggregate 172.16.0.0/16
   aggregate 10.0.0.0/8


Note Regardless of the format in which you configure the aggregate command, the output from the show running-configuration command always displays the network in the dotted decimal/integer notation.


Example 2

The following example shows a route aggregation configuration for access point 8 using DHCP on the GGSN, along with the associated output from the show gprs gtp pdp-context all command and the show ip route commands.

Notice that the aggregate auto command is configured at the access point where DHCP is being used. The dhcp-gateway-address command specifies the subnet addresses to be returned by the DHCP server. This address should match the IP address of a loopback interface on the GGSN. In addition, to accommodate route aggregation for another subnet 10.80.0.0, the gprs default aggregate global configuration command is used.

In this example, the GGSN aggregates routes for dynamically derived addresses for MSs through access point 8 based upon the address and mask returned by the DHCP server. For PDP context requests received for statically derived addresses on the 10.80.0.0 network, the GGSN also implements an aggregate route into its routing table, as configured by the gprs default aggregate command.

interface Loopback0
 ip address 10.80.0.1 255.255.255.255
!
interface Loopback2
 ip address 10.88.0.1 255.255.255.255
!
gprs access-point-list gprs
 access-point 8
   access-point-name pdn.aaaa.com
   ip-address-pool dhcp-proxy-client
   aggregate auto
   dhcp-server 172.16.43.35
   dhcp-gateway-address 10.88.0.1
   exit
!
gprs default aggregate 10.80.0.0 255.255.255.0

In the following output for the show gprs gtp pdp-context all command, 5 PDP context requests are active on the GGSN for pdn.aaaa.com from the 10.88.0.0/24 network:

router# show gprs gtp pdp-context all
TID              MS Addr         Source  SGSN Addr       APN
6161616161610001 10.88.0.1       DHCP    172.16.123.1    pdn.aaaa.com
6161616161610002 10.88.0.2       DHCP    172.16.123.1    pdn.aaaa.com
6161616161610003 10.88.0.3       DHCP    172.16.123.1    pdn.aaaa.com
6161616161610004 10.88.0.4       DHCP    172.16.123.1    pdn.aaaa.com
6161616161610005 10.88.0.5       DHCP    172.16.123.1    pdn.aaaa.com

The following output for the show ip route command shows a single static route in the IP routing table for the GGSN, which routes the traffic for the 10.88.0.0/24 subnet through the virtual template (or Virtual-Access1) interface:

Router# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

10.80.0.0/16 is subnetted, 1 subnets
C 10.80.0.0 is directly connected, Loopback0
10.113.0.0/16 is subnetted, 1 subnets
C 10.113.0.0 is directly connected, Virtual-Access1
172.16.0.0/16 is variably subnetted, 3 subnets, 3 masks
C 172.16.43.192/28 is directly connected, FastEthernet0/0
S 172.16.43.0/24 is directly connected, FastEthernet0/0
S 172.16.43.35/32 is directly connected, Ethernet2/3
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
U 10.88.0.0/24 [1/0] via 0.0.0.0, Virtual-Access1
C 10.88.0.0/16 is directly connected, Loopback2

Related Commands

Command
Description

gprs default aggregate

Configures the GGSN to create an aggregate route in its IP routing table when receiving PDP requests from MSs on the specified network for any access point on the GGSN.

show gprs access-point

Displays information about access points on the GGSN.

show ip route

Displays all static IP routes, or those installed using the AAA route download function.


anonymous user

To configure anonymous user access at an access point, use the anonymous user access-point configuration command. To remove the username configuration, use the no form of this command.

anonymous user username [password]

no anonymous user username [password]

Syntax Description

username

Alphanumeric string identifying user. The username argument can be only one word. It can contain any combination of numbers and characters.

password

Alphanumeric string. The password argument can be only one word. It can contain any combination of numbers and characters.


Defaults

No default behavior or values.

Command Modes

Access-point configuration

Command History

Release
Modification

12.2(4)MX

This command was introduced.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use this command to allow a mobile station (MS) to access a non-transparent mode APN without supplying the username and password in the GTP protocol configuration option (PCO) information element (IE) of the create PDP context request message. The GGSN will use the username and password configured on the APN for the user session.

This command enables anonymous access, which means that a PDP context can be created by an MS to a specific host without specifying a username and password.

Examples

The following example specifies the username george and the password abcd123 for anonymous access at access point 49:

gprs access-point-list abc
 access-point 49
   access-point-name www.pdn.com
   anonymous user george abcd123

block count

To lock out group members for a length of time after a set number of incorrect passwords, use the block count command in local RADIUS server group configuration mode. To remove the user block after invalid login attempts, use the no form of this command.

block count count time {seconds | infinite}

no block count count time {seconds | infinite}

Syntax Description

count

Number of failed passwords that triggers a lockout.

time

Time that the lockout should last.

seconds

Number of seconds that the lockout should last.

infinite

Length of time for the lockout is indefinite until an administrator manually unblocks the locked username.


Defaults

No default behavior or values.

Command Modes

Local RADIUS server group configuration

Command History

Release
Modification

12.2(11)JA

This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.

12.3(11)T

This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.


Usage Guidelines

If a setting of infinite is entered, an administrator must manually unblock the locked username.

Examples

The following command locks out group members for 120 seconds after 3 incorrect passwords are entered:

block count 3 time 120

Related Commands

Command
Description

clear radius local-server

Clears the statistics display or unblocks a user.

debug radius local-server

Displays the debug information for the local server.

group

Enters user group configuration mode and configures shared settings for a user group.

nas

Adds an access point or router to the list of devices that use the local authentication server.

radius-server host

Specifies the remote RADIUS server host.

radius-server local

Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.

reauthentication time

Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.

show radius local-server statistics

Displays statistics for a local network access server.

ssid

Specifies up to 20 SSIDs to be used by a user group.

user

Authorizes a user to authenticate using the local authentication server.

vlan

Specifies a VLAN to be used by members of a user group.


block-foreign-ms

To restrict GPRS access based on the mobile user's home PLMN, use the block-foreign-ms access-point configuration command. To disable blocking of foreign subscribers, use the no form of this command.

block-foreign-ms

no block-foreign-ms

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Access-point configuration

Command History

Release
Modification

12.2(8)YD

This command was introduced.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

The block-foreign-ms command enables the GGSN to block foreign MSs from accessing the GGSN.

When you use this command, the GGSN determines if an MS is inside or outside of the PLMN based on the mobile country code (MCC) and mobile network code (MNC). The MCC and MNC are specified using the gprs mcc mnc command.

Examples

The following example blocks access to foreign MSs at access point 49:

gprs access-point-list abc
 access-point 49
   access-point-name www.pdn.com
   block-foreign-ms

Related Commands

Command
Description

gprs mcc mnc

Configures the mobile country code and mobile network code that the GGSN uses to determine whether a create PDP context request is from a foreign MS.


cdma pdsn a10 ahdlc engine

To limit the number of Asynchronous High-Level Data Link Control (AHDLC) channel resources provided by the AHDLC engine, use the cdma pdsn a10 ahdlc engine command in global configuration mode. To reset the number of AHDLC channel resources to the default, use the no form of this command.

cdma pdsn a10 ahdlc engine slot usable-channels usable-channels

no cdma pdsn a10 ahdlc engine slot usable-channels

Syntax Description

slot

Slot number of the AHDLC.

usable-channels usable-channels

Maximum number of channels that can be opened in the AHDLC engine. Valid values range between 0 and 8000 or 20000. Specifying 0 disables the engine.


Defaults

The default number of usable channels equals the maximum channels supported by the engine; the c-5 images support 8000 sessions, and all c-6 images support 20000 sessions.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)XC

This command was introduced.

12.2(8)BY

The maximum number of usable channels was increased to 20000.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

If the value of usable-channels is greater than the default maximum number of channels provided by the engine, the command will fail.

If the engine has any active channels, the command will fail.

Examples

The following example limits the number of service channels provided by the AHDLC engine to 1000:

cdma pdsn a10 ahdlc engine 0 usable-channels 1000

Related Commands

Command
Description

debug cdma pdsn a10 ahdlc

Displays debug messages for the AHDLC engine.

show cdma pdsn a10 ahdlc

Displays information about the AHDLC engine.

show cdma pdsn resource

Displays AHDLC resource information.


cdma pdsn a10 gre sequencing

To enable inclusion of Generic Routing Encapsulation (GRE) sequence numbers in the packets sent over the A10 interface, use the cdma pdsn a10 gre sequencing command in global configuration mode. To disable the inclusion of GRE sequence numbers in the packets sent over the A10 interface, use the no form of this command.

cdma pdsn a10 gre sequencing

no cdma pdsn a10 gre sequencing

Syntax Description

This command has no arguments or keywords.

Defaults

GRE sequence numbers are included in the packets sent over the A10 interface.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Examples

The following example instructs Cisco PDSN to include per-session GRE sequence numbers in the packets sent over the A10 interface:

cdma pdsn a10 gre sequencing

Related Commands

Command
Description

debug cdma pdsn a10 gre

Displays debug messages for A10 GRE interface errors.

show cdma pdsn pcf

Displays information about PCFs that have R-P tunnels to the PDSN.

show cdma pdsn

Displays the current status and configuration of the PDSN gateway.



cdma pdsn a10 init-ppp-after-airlink-start airlink-start-timeout

To configure the PDSN so that Point-to-Point Protocol (PPP) negotiation with an MN will start only after the traffic channel is assigned (in other words, after a Registration Request with airlink-start is received), use the cdma pdsn a10 init-ppp-after-airlink-start command in global configuration mode. Use the no form of this command to revert to the default behavior.

cdma pdsn a10 init-ppp-after-airlink-start airlink-start-timeout 1-120

no cdma pdsn a10 init-ppp-after-airlink-start airlink-start-timeout 1-120

Syntax Description

1-120

Sets the timeout interval before the session is torn down.


Defaults

By default, this CLI is not enabled; therefore, the PDSN will initiate PPP negotiation immediately after a Registration Reply is sent to the initial Registration Request.

When enabled, the default timeout interval is 10 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)ZB4a

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

By default, the PDSN initiates PPP negotiation immediately after a Registration Reply is sent to the initial Registration Request, but calls for which PPP negotiation started before the traffic channel was assigned to the MN have failed.

When this command is enabled, the PPP negotiation with the MN will start only after the traffic channel is assigned, that is, after a Registration Request with airlink-start is received. If the airlink-start is not received at all, the session will be torn down when the timeout occurs. By default, this timeout interval is 10 seconds, or it can be configured through the CLI.

The session is not torn down immediately after the timeout: to minimize the impact on performance, a single timer keeps track of all the sessions waiting for airlink-start to start PPP.

For example, take the default of 10 seconds. If the timer expires at t1 and a new call comes at t2 (t2 > t1), the next run of the timer will be at t1+10. It is likely that the uptime for the call is not more than 10 seconds, since t2 > t1, so the call will be checked at the run after that (t1+10+10). That is, the variation is between 1 and 10.
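The shared-timer behavior described above can be reproduced with a short simulation. This Python sketch is an added illustration, not Cisco code: the Session class and function names are hypothetical, times are whole seconds, the single timer is assumed to run at t1 = 0 and every timeout seconds after that, and a session is assumed to be torn down at the first run where its uptime is more than the timeout.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    name: str
    rrq_time: int                        # initial Registration Request accepted
    airlink_start: Optional[int] = None  # Registration Request with airlink-start, if any


def first_teardown_sweep(rrq_time: int, timeout: int = 10,
                         first_sweep: int = 0, horizon: int = 120) -> Optional[int]:
    """First run of the shared timer at which the session's uptime exceeds the timeout."""
    for t in range(first_sweep, horizon + 1, timeout):
        if t - rrq_time > timeout:
            return t
    return None


def simulate(sessions: List[Session], timeout: int = 10,
             first_sweep: int = 0, horizon: int = 120) -> Dict[str, Tuple[str, Optional[int]]]:
    """Return {session name: (outcome, time)} for every session."""
    results = {}
    for s in sessions:
        torn = first_teardown_sweep(s.rrq_time, timeout, first_sweep, horizon)
        if s.airlink_start is not None and (torn is None or s.airlink_start < torn):
            results[s.name] = ("ppp-started", s.airlink_start)  # airlink-start arrived in time
        elif torn is not None:
            results[s.name] = ("torn-down", torn)               # removed by the timer run
        else:
            results[s.name] = ("waiting", None)
    return results


def overshoot(rrq_time: int, timeout: int = 10, first_sweep: int = 0) -> int:
    """Seconds a session survives beyond the configured timeout before teardown."""
    torn = first_teardown_sweep(rrq_time, timeout, first_sweep, horizon=rrq_time + 3 * timeout)
    return torn - rrq_time - timeout


# Constructed sample sessions; the timer runs at 0, 10, 20, 30, ...
SAMPLE = [
    Session("A", rrq_time=1),                    # no airlink-start
    Session("B", rrq_time=9),                    # no airlink-start
    Session("C", rrq_time=10),                   # arrives exactly at a timer run
    Session("D", rrq_time=3, airlink_start=8),   # airlink-start within the timeout
    Session("E", rrq_time=2, airlink_start=25),  # airlink-start after teardown
]

if __name__ == "__main__":
    for name, (outcome, when) in simulate(SAMPLE).items():
        print(f"{name}: {outcome} at t={when}")
    print("extra wait by arrival offset 1..10:", [overshoot(t) for t in range(1, 11)])
```

Under these assumptions a session that never sends airlink-start lives between 11 and 20 seconds with the default timeout, which is the 1 to 10 second variation the paragraph describes.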

Examples

The following example illustrates the cdma pdsn a10 init-ppp-after-airlink-start airlink-start-timeout command:

router# cdma pdsn a10 init-ppp-after-airlink-start airlink-start-timeout 20

cdma pdsn a10 max-lifetime

To specify the maximum A10 registration lifetime accepted, use the cdma pdsn a10 max-lifetime command in global configuration mode. To return to the default length of time, use the no form of this command.

cdma pdsn a10 max-lifetime seconds

no cdma pdsn a10 max-lifetime

Syntax Description

seconds

Maximum A10 registration lifetime accepted by Cisco PDSN. The range is 1 to 65535 seconds. The default is 1800 seconds.


Defaults

1800 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Examples

The following example specifies that the A10 interface will be maintained for 1440 seconds:

cdma pdsn a10 max-lifetime 1440

Related Commands

Command
Description

cdma pdsn a10 gre sequencing

Enables GRE sequence number checking on packets received over the A10 interface.

debug cdma pdsn a10 gre

Displays debug messages for A10.

show cdma pdsn pcf

Displays information about PCFs that have R-P tunnels to the PDSN.

show cdma pdsn

Displays the current status and configuration of the PDSN gateway.



cdma pdsn a11 dormant ppp-idle-timeout send-termreq

To specify that, for dormant sessions, a PPP termreq will be sent on PPP idle timeout, use the cdma pdsn a11 dormant ppp-idle-timeout send-termreq command in global configuration mode. To disable this feature, use the no form of this command.

cdma pdsn a11 dormant ppp-idle-timeout send-termreq

no cdma pdsn a11 dormant ppp-idle-timeout send-termreq

Syntax Description

There are no keywords or variables for this command.

Defaults

There are no default values.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)ZB

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

Disabling this behaviour will avoid traffic channel allocation for cleaning up ppp sessions at the mobile.

Examples

router# cdma pdsn a11 dormant ppp-idle-timeout send-termreq

cdma pdsn a11 mandate presence airlink-setup

To mandate that the initial RRQ should have Airlink-Setup in Acct CVSE from PCF, use the cdma pdsn a11 mandate presence airlink-setup command in global configuration mode. To disable this feature, use the no form of this command.

cdma pdsn a11 mandate presence airlink-setup

no cdma pdsn a11 mandate presence airlink-setup

Syntax Description

This command has no keywords or variables.

Defaults

There are no default values.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)ZB1

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

Issuing this command mandates that the initial RRQ should have Airlink-Setup in Acct CVSE from PCF. As a result, if this Airlink-Setup is not present in the RRQ, the session is not created, and an RRP with error code "86H - Poorly formed request" is returned.

If you do not configure this command, or disable it, then sessions can be opened even with no accounting CVSE being present in the initial RRQ.

Examples

router# cdma pdsn a11 mandate presence airlink-setup

cdma pdsn accounting local-timezone

To specify the local time stamp for PDSN accounting events, use the cdma pdsn accounting local-timezone command in global configuration mode. To return to the default Universal Time (UTC), use the no form of this command.

cdma pdsn accounting local-timezone

no cdma pdsn accounting local-timezone

Syntax Description

This command has no arguments or keywords.

Defaults

UTC time, a standard based on GMT, is enabled.

Command Modes

Global configuration

Command History

Release
Modification

12.1(5)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

You must use the clock timezone hours-offset [minutes-offset] global configuration command to reflect the difference between local time and UTC time.

Examples

The following example sets the local time in Korea:

clock timezone KOREA 9
cdma pdsn accounting local-timezone

Related Commands

Command
Description

clock timezone

Specifies the hours and minutes (optional) difference between the local time zone and UTC.

cdma pdsn accounting send start-stop

Causes the PDSN to send:

An Accounting Stop record when it receives an active stop airlink record (dormant state)

An Accounting Start record when it receives an active start airlink record (active state)


cdma pdsn accounting send

To cause the PDSN to send accounting records when the call transitions between active and dormant states, use the cdma pdsn accounting send start-stop command in global configuration mode. To stop sending accounting records, use the no form of this command.

cdma pdsn accounting send {start-stop | cdma-ip-tech}

no cdma pdsn accounting send {start-stop | cdma-ip-tech}

Syntax Description

Command
Description

start-stop

Informs the PDSN when to begin sending accounting records and when to stop sending them.

cdma-ip-tech

Accounting records are generated with a special IP-Tech number.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)XC

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

When this feature is enabled, the PDSN will send:

An Accounting Stop record when it receives an active stop airlink record (dormant state).

An Accounting Start record when it receives an active start airlink record (active state).

Examples

The following example starts sending PDSN accounting events:

cdma pdsn accounting send start-stop

Related Commands

Command
Description

cdma pdsn accounting local-timezone

Specifies the timestamp for PDSN accounting events.

cdma pdsn accounting time-of-day

Sets the accounting information for a specific time of day.

aaa accounting network pdsn start-stop group radius

Enables AAA accounting of requested services for billing or security purposes when you use RADIUS.


cdma pdsn accounting send cdma-ip-tech

To configure specific values for the F11 attribute for proxy Mobile IP and VPDN services, use the cdma pdsn accounting send cdma-ip-tech command in global configuration mode. To deconfigure those values, use the no form of this command.

cdma pdsn accounting send cdma-ip-tech [proxy-mobile-ip | vpdn]

no cdma pdsn accounting send cdma-ip-tech [proxy-mobile-ip | vpdn]

Syntax Description

Command
Description

proxy-mobile-ip

Sets the IP-Tech proxy-mobile-ip number. Values are 3-65535.

vpdn

Sets the IP-Tech vpdn number. Values are 3-65535.


Defaults

No default behavior or values.

Command Modes

Global configuration.

Command History

Release
Modification

12.1XC

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Examples

pdsn(config)#cdma pdsn accounting send cdma-ip-tech proxy-mobile-ip 3
pdsn(config)#cdma pdsn accounting send cdma-ip-tech vpdn 4

cdma pdsn accounting time-of-day

To set the accounting information for specified times during the day, use the cdma pdsn accounting time-of-day command in global configuration mode. To disable the specification, use the no form of this command.

cdma pdsn accounting time-of-day hh:mm:ss

no cdma pdsn accounting time-of-day

Syntax Description

hh:mm:ss

Hour:minutes:seconds.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.1(5)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

This command is used to facilitate billing when a user is charged different prices based upon the time of the day. Up to ten different accounting triggers can be configured.

Examples

The following example sets an accounting trigger for 13:30:20:

cdma pdsn accounting time-of-day 13:30:30

Related Commands

Command
Description

clock set

Sets the system clock.

debug cdma pdsn accounting time-of-day

Displays debug information for the command.

show clock

Displays the system clock.

cdma pdsn accounting send start-stop

Causes the PDSN to send:

An Accounting Stop record when it receives an active stop airlink record (dormant state)

An Accounting Start record when it receives an active start airlink record (active state)


cdma pdsn age-idle-users

To configure the aging of idle users, use the cdma pdsn age-idle-users command. To stop aging out idle users, use the no form of this command.

cdma pdsn age-idle-users [minimum-age value]

no cdma pdsn age-idle-users

Syntax Description

minimum-age value

(Optional) The minimum number of seconds a user should be idle before they are a candidate for being aged out. Possible values are 1 through 65535.


Defaults

By default, no idle users are aged out.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)XC

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

If no value is specified, the user that has been idle the longest will be aged out. If an age is specified and the user that has been idle the longest has not been idle for the specified value, then no users are aged out.

Examples

The following example sets a minimum age out value of 5 seconds:

cdma pdsn age-idle-users minimum-age 5

cdma pdsn cluster controller

To configure the PDSN to operate as a cluster controller, and to configure various parameters on the cluster controller, use the cdma pdsn cluster controller command. To disable certain cluster controller parameters, use the no form of this command.

cdma pdsn cluster controller [ interface interface-name | timeout seconds [window number] | window number ]

no cdma pdsn cluster controller [ interface interface-name | timeout seconds [window number] | window number ]

Syntax Description

interface

Interface name on which the cluster controller has IP connectivity to the cluster members.

timeout

The time the cluster controller waits to seek a member when there is no reply from that cluster member. The range is between 10 and 300 seconds, and the default value is 300 seconds.

window number

The number of sequential seek messages sent to a cluster member before it is presumed offline.


Defaults

The timeout default value is 300 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)XC

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Examples

The following example enables the cdma cluster controller:

cdma pdsn cluster controller interface FastEthernet1/0

cdma pdsn cluster controller session-high

To generate an alarm when the controller reaches the upper threshold of the maximum number of sessions it can handle, use the cdma pdsn cluster controller session-high command. To disable this feature, use the no form of this command.

cdma pdsn cluster controller session-high 1-1000000

no cdma pdsn cluster controller session-high 1-1000000

Syntax Description

1-1000000

The threshold of the maximum number of sessions the controller can handle.


Defaults

The range is 1-1000000. The configured value should be more than the lower threshold value. The default value is 200000.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)ZB1

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

You should take into account the number of members in the cluster when you configure the high threshold. For example, if there are only 2 members in the cluster, the high threshold should be less than 40000.

Examples

The following example illustrates the cdma pdsn cluster controller session-high command:

Received SNMPv1 Trap:
Community: public
Enterprise: cCdmaPdsnMIBNotifPrefix
Agent-addr: 9.15.72.15
Enterprise Specific trap.
Enterprise Specific trap: 8
Time Ticks: 9333960
cCdmaServiceAffectedLevel.0 = major(3)
cCdmaClusterSessHighThreshold.0 = 50

cdma pdsn cluster controller session-low

To generate an alarm when the controller reaches the lower threshold of the sessions (a hint to the NOC that the system is being underutilized), use the cdma pdsn cluster controller session-low command. To disable this feature, use the no form of this command.

cdma pdsn cluster controller session-low 1-1000000

no cdma pdsn cluster controller session-low 1-1000000

Syntax Description

1-1000000

The threshold of the maximum number of sessions the controller can handle.


Defaults

The range is 0-999999. The configured value should be less than the upper threshold value. The default value is 190000.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)ZB1

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

You should take into account the number of members in the cluster when you configure the low threshold.

Examples

The following example illustrates the cdma pdsn cluster controller session-low command:

Received SNMPv1 Trap:
Community: public
Enterprise: cCdmaPdsnMIBNotifPrefix
Agent-addr: 9.15.72.15
Enterprise Specific trap.
Enterprise Specific trap: 9
Time Ticks: 9330691
cCdmaServiceAffectedLevel.0 = major(3)
cCdmaClusterSessLowThreshold.0 = 10

cdma pdsn cluster member

To configure the PDSN to operate as a cluster member, and to configure various parameters on the cluster member, use the cdma pdsn cluster member command. To disable certain cluster controller parameters, use the no form of this command.

cdma pdsn cluster member [ controller ipaddr | interface interface-name | prohibit type | timeout seconds [window number] | window number ]

no cdma pdsn cluster member [ controller ipaddr | interface interface-name | timeout seconds [window number] | window number ]

Syntax Description

controller ipaddr

The controller that a specific member is connected to, identified by the controller's IP address.

interface

Interface name on which the cluster controller has IP connectivity to the cluster members.

prohibit

The type of traffic that the member is allowed to handle, or is prohibited from handling. Administratively prohibits the member from accepting new data sessions within the cluster framework.

timeout

The time the cluster controller waits to seek a member when there is no reply from that cluster member. The range is between 10 and 600 seconds, and the default value is 300 seconds.

window number

The number of sequential seek messages sent to a cluster member before it is presumed offline.


Defaults

The default timeout value for the cluster member is 300 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)XC

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

The prohibit field enables a member to administratively rid itself of its load without service interruption. When enabled, the member is no longer given any new data sessions by the controller.

Examples

The following example enables a cdma pdsn cluster member:

cdma pdsn cluster member interface FastEthernet1/0

cdma pdsn compliance iosv4.1 session-reference

3GPP2 IOS version 4.2 mandates that the Session Reference ID in the A11 Registration Request is always set to 1. To configure the PDSN to interoperate with a PCF that is not compliant with 3GPP2 IOS version 4.2, use the cdma pdsn compliance iosv4.1 session-reference command in global configuration mode. To disable this configuration, use the no form of this command.

cdma pdsn compliance iosv4.1 session-reference

no cdma pdsn compliance iosv4.1 session-reference

Syntax Description

This command has no arguments or keywords.

Defaults

Session Reference ID set to 1 in the A11 Registration Request is on by default.

Command Modes

Global configuration.

Command History

Release
Modification

12.2(8)BY1

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Examples

The following command instructs the PDSN to skip any checks done on the Session Reference ID of incoming Registration Requests to ensure that they are set to 1.

router # cdma pdsn compliance iosv4.1 session-reference

Related Commands

Command
Description

debug cdma pdsn a11

Displays debug messages for A11 interface errors, events, and packets.


cdma pdsn compliance is835a esn-optional

To send an ESN value in accounting packets to the RADIUS server only if it has received an ESN value (A2) in the A11 RRQ from PCF, use the cdma pdsn compliance is835 esn-optional command in global configuration mode. To disable the specification, use the no form of this command.

cdma pdsn compliance is835 esn-optional

no cdma pdsn compliance is835 esn-optional

Syntax Description

There are no keywords or arguments for this command.

Defaults

The default behavior is to send the ESN attribute in all accounting records.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)ZB4

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

If no A2 is received in the RRQ, the PDSN will not send the ESN attribute in the accounting record. This behavior is in accordance with IS835A.

If this command is not configured, the PDSN will send the ESN value regardless of whether the A2 attribute value is received from the PCF. This is in accordance with IS835B.

cdma pdsn failure-history

To configure CDMA PDSN SNMP session failure history size, use the cdma pdsn failure-history command in global configuration mode. To return to the default length of time, use the no form of this command.

cdma pdsn failure-history entries

no cdma pdsn failure-history

Syntax Description

entries

Maximum number of entries that can be recorded in the SNMP session failure table. Possible values are 0 through 2000.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Examples

The following example specifies that 1000 is the maximum number of entries that can be recorded in the SNMP session table:

cdma pdsn failure-history 1000

Related Commands

Command
Description

snmp-server enable traps cdma

Specifies the community access string to permit access to the SNMP protocol.

show cdma pdsn

Displays the current status and configuration of the PDSN gateway.


cdma pdsn ingress-address-filtering

To enable ingress address filtering, use the cdma pdsn ingress-address-filtering command in global configuration mode. To disable ingress address filtering, use the no form of this command.

cdma pdsn ingress-address-filtering

no cdma pdsn ingress-address-filtering

Syntax Description

This command has no arguments or keywords.

Defaults

Ingress address filtering is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

When this command is configured, the PDSN checks the source IP address of every packet received on the PPP link from the mobile station. If the address is not associated with the PPP link to the mobile station and is not an MIP RRQ or Agent Solicitation, then the PDSN discards the packet and sends a request to reestablish the PPP link.

Examples

The following example enables ingress address filtering:

cdma pdsn ingress-address-filtering

Related Commands

Command
Description

show cdma pdsn

Displays the current status and configuration of the PDSN gateway.

show cdma pdsn session

Displays the session information on the PDSN.


cdma pdsn maximum pcf

To set the maximum number of PCFs that can connect to a PDSN, use the cdma pdsn maximum pcf command in global configuration mode. To disable a configured limit, use the no form of this command.

cdma pdsn maximum pcf maxpcf

no cdma pdsn maximum pcf

Syntax Description

maxpcf

Maximum number of PCFs that can communicate with a PDSN. Possible values are 1 through 2000.


Defaults

No default behavior or values.

Command Modes

Global Configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

If no maximum number of PCFs is configured, the only limitation is the amount of memory.

You can configure the maximum PCFs to be less than the existing PCFs. As a result, when you issue the show cdma pdsn command, you may see more existing PCFs than the configured maximum. It is the responsibility of the user to bring down the existing PCFs to match the configured maximum.

Examples

The following example sets the maximum number of PCFs that can connect to the PDSN to 200:

cdma pdsn maximum pcf 200

Related Commands

Command
Description

show cdma pdsn

Displays the current status and configuration of the PDSN gateway.


cdma pdsn maximum sessions

To set the maximum number of mobile sessions allowed on a PDSN, use the cdma pdsn maximum sessions command in global configuration mode. To disable a configured limit, use the no form of this command.

cdma pdsn maximum sessions maxsessions

no cdma pdsn maximum sessions

Syntax Description

maxsessions

Maximum number of mobile sessions allowed on a PDSN. Possible values depend on which image you are using.


Defaults

The c-5 images support 8000 sessions, and the c-6 images support 20000 sessions.

Command Modes

Global Configuration.

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.2(8)BY

The maximum number of mobile sessions was raised to 20000.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

If PDSN runs out of resources before the configured number is reached, then PDSN will reject the creation of further sessions.

You can configure the maximum sessions to be less than the existing sessions. As a result, when you issue the show cdma pdsn command, you may see more existing sessions than the configured maximum. It is the responsibility of the user to bring down the existing sessions to match the configured maximum.

Examples

The following example sets the maximum number of mobile sessions to 100:

cdma pdsn maximum sessions 100

Related Commands

Command
Description

show cdma pdsn session

Displays PDSN session information.


cdma pdsn mobile-advertisement-burst

To configure the number and interval of Agent Advertisements that a PDSN FA can send, use the cdma pdsn mobile-advertisement-burst command in interface configuration mode. To reset the configuration to the defaults, use the no form of this command.

cdma pdsn mobile-advertisement-burst {number value | interval msec}

no cdma pdsn mobile-advertisement-burst {number | interval}

Syntax Description

number value

The number of agent advertisements. Possible values are 1 through 10. The default is 5.

interval msec

Specifies the interval, in milliseconds, between advertisements. Possible values are 50 through 500. The default is 200 milliseconds.


Defaults

The default number of agent advertisements to send is 5.

The default interval between advertisements is 200 milliseconds.

Command Modes

Interface Configuration.

Command History

Release
Modification

12.2(2)XC

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

You must specify at least one of the optional parameters. Otherwise, the command has no effect. When virtual-access interfaces are created from the virtual template, default values will be used for any parameters not already configured on the virtual template.

This command should be configured on virtual templates only, and only when PDSN service is configured.

Examples

The following example configures PDSN FA advertisement:

cdma pdsn mobile-advertisement-burst number 10 interval 500

Related Commands

Command
Description

ip mobile foreign-service challenge

Configures the challenge timeout value and the number of valid recently-sent challenge values.

ip mobile foreign-service challenge forward-mfce

Enables the FA to forward MFCE and mobile station-AAA to the HA.


cdma pdsn msid-authentication

To enable MSID-based authentication and access, use the cdma pdsn msid-authentication command in global configuration mode. To disable MSID-based authentication and access, use the no form of this command.

cdma pdsn msid-authentication [close-session-on-failure][imsi number] [irm number] [min number] [profile-password password]

no cdma pdsn msid-authentication

Syntax Description

close-session-on-failure

Closes the session if authorization fails.

imsi number

(Optional) The number of digits from the International Mobile Station Identifier (IMSI) that are to be used as the User-Name in the Access-Request for MSID authentication. Possible values are 1 to 15. The default is 5.

irm number

(Optional) International Roaming Mobile Identification Number and the identifier used to retrieve the network profile from the RADIUS server. Possible values are 1 through 10. The default is 4.

min number

(Optional) Mobile Identification Number and the identifier used to retrieve the network profile from the RADIUS server. Possible values are 1 through 10. The default is 6.

profile-password password

(Optional) The AAA server access password for MSID-based authentication. The default is "cisco".


Defaults

MSID authentication is disabled. When enabled, the default values are as follows:

imsi: 5

irm: 4

min: 6

profile-password: cisco

Command Modes

Global Configuration.

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.2(2)XC

The profile-password keyword was added.

12.2(8)ZB1

The close-session-on-failure keyword was added.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

MSID authentication provides Simple IP service for mobile stations that do not negotiate CHAP or PAP. Cisco PDSN retrieves a network profile based on the MSID from the RADIUS server. The network profile should include the internet realm of the home network that owns the MSID. Cisco PDSN constructs the NAI from the MSID and the realm. The constructed NAI is used in generated accounting records. If the PDSN is unable to obtain the realm, then it denies service to the mobile station.

The identifier used to retrieve the network profile from the RADIUS server depends on the format of the MSID, which can be one of the following:

International Mobile Station Identity (IMSI)

Mobile Identification Number (MIN)

International Roaming MIN (IRM)

If the mobile station uses IMSI, the default identifier that PDSN uses to retrieve network profile is of the form IMSI-nnnnn where nnnnn is the first five digits of the IMSI. The number of digits from the IMSI to be used can be configured using the command cdma pdsn msid-authentication imsi.

If the mobile station uses MIN, the default identifier that PDSN uses to retrieve network profile is of the form MIN-nnnnnn where nnnnnn is the first six digits of the MIN. The number of digits from the MIN to be used can be configured using the command cdma pdsn msid-authentication min.

If the mobile station uses IRM, the default identifier that PDSN uses to retrieve network profile is of the form IRM-nnnn where nnnn is the first four digits of the IRM. The number of digits from the IRM to be used can be configured using the command cdma pdsn msid-authentication irm.

The realm should be defined in the network profile on the RADIUS user with the Cisco AVPair attribute cdma:cdma-realm.

Examples

The following example enables MSID-based authentication and access:

cdma pdsn msid-authentication profile-password test1

Related Commands

Command
Description

show cdma pdsn

Displays the current status and configuration of the PDSN gateway.


cdma pdsn retransmit a11-update

To specify the maximum number of times an A11 Registration Update message is retransmitted, use the cdma pdsn retransmit a11-update command in global configuration mode. To return to the default of 5 retransmissions, use the no form of this command.

cdma pdsn retransmit a11-update number

no cdma pdsn retransmit a11-update

Syntax Description

number

Maximum number of times an A11 Registration Update message is retransmitted. Possible values are 0 through 9. The default is 5 retransmissions.


Defaults

5 retransmissions.

Command Modes

Global Configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

PDSN may initiate the release of an A10 connection by sending an A11 Registration Update message to the PCF. In this case, the PCF is expected to send an A11 Registration Acknowledge message followed by an A11 Registration Request with Lifetime set to 0. If PDSN does not receive an A11 Registration Acknowledge or an A11 Registration Request with Lifetime set to 0, or if it receives an A11 Registration Acknowledge message with an update denied status, PDSN retransmits the A11 Registration Update. The number of retransmissions is 5 by default and is configurable using this command.

Examples

The following example specifies that A11 Registration Update messages will be retransmitted a maximum of 9 times:

cdma pdsn retransmit a11-update 9

Related Commands

Command
Description

cdma pdsn timeout a11-update

Specifies A11 Registration Update message timeout.

debug cdma pdsn a11

Displays debug messages for A11 interface errors, events, and packets.

show cdma pdsn

Displays the current status and configuration of the PDSN gateway.


cdma pdsn secure cluster

To configure one common security association for all PDSNs in a cluster, use the cdma pdsn secure cluster command. To remove this configuration, use the no form of the command.

cdma pdsn secure cluster default spi {value | inbound value outbound value} key {hex | ascii} string

no cdma pdsn secure cluster

Syntax Description

default

Specifies this is the default security configuration.

spi value

Security parameter index (SPI) used for authenticating packets. Possible values are 0x100 through 0xffffffff.

inbound value outbound value

Inbound and outbound SPI.

key {hex | ascii} string

String of ascii or hexadecimal values. No spaces are allowed.


Defaults

No default behavior or values.

Command Modes

Global Configuration

Command History

Release
Modification

12.2(2)XC

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

The SPI is the 4-byte index that selects the specific security parameters to be used to authenticate the peer. The security parameters consist of the authentication algorithm and mode, replay attack protection method, timeout, and IP address.

Examples

The following example shows a security association for a cluster of PDSNs:

cdma pdsn secure cluster spi 100 key hex 12345678123456781234567812345678

Related Commands

Command
Description

ip mobile secure

Configures the mobility security associations for mobile host, mobile visitor, foreign agent, home agent, or proxy mobile host.

cdma pdsn secure pcf

Configures the security association for one or more PCFs or the default security association for all PCFs.


cdma pdsn secure pcf

To configure the security association for one or more PCFs or the default security association for all PCFs, use the cdma pdsn secure pcf command. To remove this configuration, use the no form of the command.

cdma pdsn secure pcf {lower [upper] | default} spi {value | inbound value outbound value} key {hex | ascii} string [local-timezone]

no cdma pdsn secure pcf

Syntax Description

lower [upper]

Range of mobile host or mobile node group IP addresses. The upper end of the range is optional.

default

Specifies this is the default security configuration.

spi value

Security parameter index (SPI) used for authenticating packets. Possible values are 0x100 through 0xffffffff.

inbound value outbound value

Inbound and outbound SPI.

key {hex | ascii} string

String of ascii or hexadecimal values. No spaces are allowed.

local-timezone

Adds local timezone support for R-P messages. If this keyword is enabled, the timestamp sent in the R-P messages will contain the timestamp of the local timezone.


Defaults

No default behavior or values.

Command Modes

Global Configuration

Command History

Release
Modification

12.2(2)XC

This command was introduced.

12.2(8)BY1

The local-timezone keyword was added.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

The SPI is the 4-byte index that selects the specific security parameters to be used to authenticate the peer. The security parameters consist of the authentication algorithm and mode, replay attack protection method, timeout, and IP address.

You can configure several explicit and default secure PCF entries. (An explicit entry being one in which the IP address of a PCF is specified.) When the PDSN receives an A11 message from a PCF, it attempts to match the message to a secure PCF entry as follows:

The PDSN first checks the explicit entries and attempts to find a match based on the SPI value and the key.

If a match is found, the message is accepted. If no match is found, the PDSN checks the default entries (again attempting to match the SPI and the key).

If a match is found, the message is accepted. If no match is found, the message is discarded and an error message is generated.

When the PDSN receives a request from a PCF, it performs an identity check. As part of this check, the PDSN compares the timestamp of the request to its own local time and determines whether the difference is within a specified range. This range is determined by the replay time window. If the difference between the timestamp and the local time is not within this range, a request rejection message is sent back to the PCF along with the value of PDSN's local time.
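The matching order and the replay-window check described above can be modeled as follows. This is an added example, not Cisco code: the message fields, the keyed-MD5 prefix+suffix authenticator, the order of the two checks, and every name, key, address and window value in it are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SecurePcfEntry:
    """Model of one secure PCF entry; lower=None marks a default entry."""
    spi: int
    key: bytes
    replay_window: int              # allowed clock difference, in seconds
    lower: Optional[str] = None     # explicit entries name a PCF address or range
    upper: Optional[str] = None

    def covers(self, src: str) -> bool:
        if self.lower is None:
            return True
        lo = ipaddress.ip_address(self.lower)
        hi = ipaddress.ip_address(self.upper or self.lower)
        return lo <= ipaddress.ip_address(src) <= hi


@dataclass(frozen=True)
class A11Message:
    """Hypothetical, simplified view of a received A11 message."""
    src: str
    spi: int
    timestamp: int                  # sender's clock, in seconds
    body: bytes
    authenticator: bytes


def authenticator(key: bytes, timestamp: int, body: bytes) -> bytes:
    # ASSUMPTION: keyed MD5 in prefix+suffix mode over timestamp and body,
    # standing in for whatever algorithm and mode the SPI selects.
    signed = timestamp.to_bytes(8, "big") + body
    return hashlib.md5(key + signed + key).digest()


def build_message(src: str, spi: int, key: bytes, timestamp: int,
                  body: bytes = b"A11-RRQ") -> A11Message:
    """Sender side: attach the authenticator computed with the shared key."""
    return A11Message(src, spi, timestamp, body,
                      authenticator(key, timestamp, body))


def check_a11(msg: A11Message, entries: List[SecurePcfEntry],
              local_time: int) -> Tuple[str, Optional[int]]:
    """Return ("accept", None), ("discard", None) or ("reject", local_time)."""
    explicit = [e for e in entries if e.lower is not None and e.covers(msg.src)]
    default = [e for e in entries if e.lower is None]
    # Explicit entries are tried first, default entries only afterwards.
    for group in (explicit, default):
        for entry in group:
            expected = authenticator(entry.key, msg.timestamp, msg.body)
            # Constant-time comparison avoids leaking how many bytes matched.
            if entry.spi == msg.spi and hmac.compare_digest(
                    expected, msg.authenticator):
                # Identity check: timestamp must fall inside the replay window.
                if abs(local_time - msg.timestamp) > entry.replay_window:
                    return ("reject", local_time)   # reply carries PDSN time
                return ("accept", None)
    return ("discard", None)        # no SPI/key match: drop and log an error


# Constructed sample data (not taken from a real deployment).
NOW = 1_000_000
EXPLICIT_KEY = b"explicit-key-constructed"
DEFAULT_KEY = b"default-key-constructed"
ENTRIES = [
    SecurePcfEntry(spi=0x200, key=EXPLICIT_KEY, replay_window=45,
                   lower="192.168.105.4"),
    SecurePcfEntry(spi=0x100, key=DEFAULT_KEY, replay_window=30),
]

if __name__ == "__main__":
    samples = {
        "explicit match": build_message("192.168.105.4", 0x200, EXPLICIT_KEY, NOW - 10),
        "default match": build_message("10.0.0.9", 0x100, DEFAULT_KEY, NOW - 10),
        "wrong key": build_message("192.168.105.4", 0x200, b"guess", NOW - 10),
        "stale timestamp": build_message("192.168.105.4", 0x200, EXPLICIT_KEY, NOW - 120),
    }
    for name, message in samples.items():
        print(name, check_a11(message, ENTRIES, NOW))
```

A message from a PCF that has an explicit entry is still accepted through a default entry when its SPI and key match one, which is why default entries deserve keys as strong as the explicit ones.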

Examples

The following example shows PCF 20.0.0.1, which has a key that is generated by the MD5 hash of the string:

cdma pdsn secure pcf 20.0.0.1 spi 100 key hex 12345678123456781234567812345678

The following example configures a global default replay time of 60 seconds for all PCFs and all SPIs:

cdma pdsn secure pcf default replay 60

The following example configures a default replay time of 30 seconds for a specific SPI applicable to all PCFs:

cdma pdsn secure pcf default spi 100 key ascii cisco replay 30

The following example configures a replay time of 45 seconds for a specific PCF/SPI combination:

cdma pdsn secure pcf 192.168.105.4 spi 200 key ascii cisco replay 45

Related Commands

Command
Description

ip mobile secure

Configures the mobility security associations for mobile host, mobile visitor, foreign agent, home agent, or proxy mobile host.

cdma pdsn secure cluster

Configures one common security association for all PDSNs in a cluster.


cdma pdsn selection interface

To configure the interface used to send and receive PDSN selection messages, use the cdma pdsn selection interface command in global configuration mode. To remove the configuration, use the no form of the command.

cdma pdsn selection interface interface_name

no cdma pdsn selection interface

Syntax Description

interface_name

Name (type and number) of the interface that is connected to the LAN to be used to exchange PDSN selection messages with the other PDSNs in the cluster.


Defaults

No default behavior or values.

Command Modes

Global Configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

Each PDSN in a cluster maintains information about the mobile stations connected to the other PDSNs in the cluster. All PDSNs in the cluster exchange this information using periodic multicast messages. For this reason, all PDSNs in the cluster should be connected to a shared LAN.

This command identifies the interface on the PDSN that is connected to the LAN used for sending and receiving PDSN selection messages.

The Intelligent PDSN Selection feature will not work if you do not configure this interface on each PDSN in the cluster.

Examples

The following example specifies that the FastEthernet0/1 interface should be used for sending and receiving PDSN selection messages:

cdma pdsn selection interface FastEthernet0/1

Related Commands

Command
Description

cdma pdsn selection keepalive

Specifies the keepalive time.

cdma pdsn selection load-balancing

Enables the load-balancing function of the intelligent PDSN selection feature.

cdma pdsn selection session-table-size

Defines the size of the selection session database.


cdma pdsn selection keepalive

To configure the intelligent PDSN selection keepalive feature, use the cdma pdsn selection keepalive command in global configuration mode. To disable the feature, use the no form of this command.

cdma pdsn selection keepalive value

no cdma pdsn selection keepalive

Syntax Description

value

The keepalive value, in seconds. Possible values are 5 through 60.


Defaults

No default behavior or values.

Command Modes

Global Configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Examples

The following example configures a keepalive value of 200 seconds:

cdma pdsn selection keepalive 200

Related Commands

Command
Description

cdma pdsn selection load-balancing

Enables the load-balancing function of the intelligent PDSN selection feature.

cdma pdsn selection session-table-size

Defines the size of the selection session database.

show cdma pdsn selection

Displays the PDSN selection session table.


cdma pdsn selection load-balancing

To enable the load-balancing function of the intelligent PDSN selection feature, use the cdma pdsn selection load-balancing command in global configuration mode. To disable the load-balancing function, use the no form of this command.

cdma pdsn selection load-balancing [threshold val [alternate]]

no cdma pdsn selection load-balancing

Syntax Description

threshold val

(Optional) The maximum number of sessions that can be load-balanced. Possible values are 1 through 20000. The default session threshold is 100.

alternate

(Optional) The Alternate option alternately suggests two other PDSNs with the least load.


Defaults

The threshold value is 100 sessions.

Command Modes

Global Configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.2(8)BY

The maximum number of sessions that can be load-balanced was raised to 20000.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

You must enable PDSN selection session-table-size first. If sessions in a PDSN go beyond the threshold, PDSN selection will redirect the PCF to the PDSN that has less of a load.

Examples

The following example configures load-balancing with an advertisement interval of 2 minutes and a threshold of 50 sessions:

cdma pdsn selection load-balancing advertisement 2 threshold 50

Related Commands

Command
Description

cdma pdsn selection session-table-size

Defines the size of the selection session database.

show cdma pdsn session

Displays PDSN session information.


cdma pdsn selection session-table-size

In PDSN selection, a group of PDSNs maintains a distributed session database. To define the size of the database, use the cdma pdsn selection session-table-size command in global configuration mode. To disable PDSN selection, use the no form of this command.

cdma pdsn selection session-table-size size

no cdma pdsn selection session-table-size

Syntax Description

size

Session table size. Possible values are 2000 through 100000.


Defaults

PDSN selection is disabled.

The default session table size is undefined.

Command Modes

Global Configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Examples

The following example sets the size of the distributed session database to 5000 sessions:

cdma pdsn selection session-table-size 5000

Related Commands

Command
Description

cdma pdsn selection load-balancing

Enables the load-balancing function of PDSN selection.

show cdma pdsn session

Displays PDSN session information.


cdma pdsn send-agent-adv

To enable agent advertisements to be sent over a newly formed PPP session with an unknown user class that negotiates IPCP address options, use the cdma pdsn send-agent-adv command in global configuration mode. To disable the sending of agent advertisements, use the no form of this command.

cdma pdsn send-agent-adv

no cdma pdsn send-agent-adv

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

Global Configuration

Command History

Release
Modification

12.2(2)XC

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

This command is used with multiple flows.

Examples

The following example enables agent advertisements to be sent:

cdma pdsn send-agent-adv

Related Commands

Command
Description

show cdma pdsn

Displays the current status and configuration of the PDSN gateway.


cdma pdsn timeout a11-update

To specify an A11 Registration Update message timeout, use the cdma pdsn timeout a11-update command in global configuration mode. To return to the default of 1 second, use the no form of this command.

cdma pdsn timeout a11-update seconds

no cdma pdsn timeout a11-update

Syntax Description

seconds

Maximum A11 Registration Update message timeout value, in seconds. Possible values are 0 through 5. The default is 1 second.


Defaults

1 second.

Command Modes

Global Configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

PDSN may initiate the release of an A10 connection by sending an A11 Registration Update message to the PCF. In this case, the PCF is expected to send an A11 Registration Acknowledge message followed by an A11 Registration Request with Lifetime set to 0. If PDSN does not receive an A11 Registration Acknowledge or an A11 Registration Request with Lifetime set to 0, PDSN times out and retransmits the A11 Registration Update. The default timeout is 1 second and is configurable using this command.

Examples

The following example specifies an A11 Registration Update message timeout value of 5 seconds:

cdma pdsn timeout a11-update 5

Related Commands

Command
Description

cdma pdsn retransmit a11-update

Specifies the maximum number of times an A11 Registration Update message will be retransmitted.

debug cdma pdsn a11

Displays debug messages for A11 interface errors, events, and packets.

show cdma pdsn

Displays the current status and configuration of the PDSN gateway.


cdma pdsn timeout mobile-ip-registration

To set the timeout value before which Mobile IP registration should occur for a user skipping the PPP authentication, use the cdma pdsn timeout mobile-ip-registration command in global configuration mode. To return to the default 5-second timeout, use the no form of this command.

cdma pdsn timeout mobile-ip-registration timeout

no cdma pdsn timeout mobile-ip-registration

Syntax Description

timeout

Time, in seconds. Possible values are 1 through 60. The default is 5 seconds.


Defaults

5 seconds.

Command Modes

Global Configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

A CDMA data user using Mobile IP will skip authentication and authorization during PPP and perform those tasks through Mobile IP registration. In order to secure the network, the traffic is filtered. The only packets allowed through the filter are the Mobile IP registration messages. As an additional protection, if the Mobile IP registration does not happen within a defined time, the PPP link is terminated.

Examples

The following example sets the timeout value for Mobile IP registration to 15 seconds:

cdma pdsn timeout mobile-ip-registration 15

Related Commands

Command
Description

show ip mobile interface

Displays information about interfaces that are providing FA service or are home links for mobile stations.

show cdma pdsn

Displays the current status and configuration of the PDSN gateway.


cdma pdsn virtual-template

To associate a virtual template with PPP over GRE, use the cdma pdsn virtual-template command in global configuration mode. To remove the association, use the no form of this command.

cdma pdsn virtual-template virtualtemplate_num

no cdma pdsn virtual-template virtualtemplate_num

Syntax Description

virtualtemplate_num

Virtual template number. Possible values are 1 through 25.


Defaults

No default behavior or values.

Command Modes

Global Configuration

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

PPP links are dynamically created. Each link requires an interface. The characteristics of each link are cloned from a virtual template. Because there can be multiple virtual templates defined in a single PDSN, this command is used to identify the virtual template that is used for cloning virtual accesses for PPP over GRE.

Examples

The following example associates virtual template 2 with PPP over GRE:

cdma pdsn virtual-template 2

Related Commands

Command
Description

interface virtual-template

Creates a virtual template interface.



clear cdma pdsn cluster controller session records age

To clear session records of a specified age, use the clear cdma pdsn cluster controller session records age command in privileged EXEC mode.

clear cdma pdsn cluster controller session records age days

Syntax Description

days

The number of days of the record age.


Defaults

No default keywords or arguments.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(8)BY

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Examples

The following example shows output from the clear cdma pdsn cluster controller session records age command:

Router# clear cdma pdsn cluster controller session records age 1

clear cdma pdsn selection

To clear PDSN selection tables, use the clear cdma pdsn selection command in privileged EXEC mode.

clear cdma pdsn selection [pdsn ip-addr | msid number]

Syntax Description

pdsn ip-addr

(Optional) IP address of the PDSN selection session table to be cleared.

msid number

(Optional) Identification of the MSID to be cleared.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Examples

The following example clears the pdsn selection session table for PDSN 5.5.5.5:

clear cdma pdsn selection pdsn 5.5.5.5

Related Commands

Command
Description

cdma pdsn selection session-table-size

Enables the PDSN selection feature and defines the size of the session table.



clear cdma pdsn session

To clear one or more user sessions on the PDSN, use the clear cdma pdsn session command in privileged EXEC mode.

clear cdma pdsn session {all | pcf ip_addr | msid number}

Syntax Description

all

Keyword to clear all sessions on a given PDSN.

pcf ip_addr

IP address of the PCF sessions that are to be cleared.

msid number

Identification of the MSID to be cleared.


Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(3)XS

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

This command terminates one or more user sessions. When this command is issued, the PDSN initiates the session release by sending an A11 Registration Update message to the PCF.

The keyword all clears all sessions on a given PDSN. The keyword pcf with an IP address clears all the sessions coming from a given PCF. The keyword msid with a number will clear the session for a given MSID.

Examples

The following example clears session MSID 0000000002:

clear cdma pdsn session msid 0000000002

Related Commands

Command
Description

show cdma pdsn session

Displays PDSN session information.


clear cdma pdsn statistics

To clear the RAN-to-PDSN interface (RP) or PPP statistics on the PDSN, use the clear cdma pdsn statistics command in privileged EXEC mode.

clear cdma pdsn statistics

Syntax Description

There are no arguments or keywords for this command.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(8)BY

This command was introduced.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

Previous releases used the show cdma pdsn statistics command to show PPP and RP statistic summaries from the time the system was restarted. The clear cdma pdsn statistics command allows the user to reset the counters as desired, and to view the history since the counters were last reset.

Examples

The following example illustrates the clear cdma pdsn statistics rp command before and after the counters are reset.

Before counters are reset

Router#show cdma pdsn statistics rp
RP Interface:
Reg Request rcvd 5, accepted 5, denied 0, discarded 0

Note Non-zero values of counters.


Initial Reg Request accepted 4, denied 0
Re-registration requests accepted 0, denied 0
De-registration accepted 1, denied 0
Registration Request Errors:
Unspecified 0, Administratively prohibited 0
Resource unavailable 0, Authentication failed 0
Identification mismatch 0, Poorly formed requests 0
Unknown PDSN 0, Reverse tunnel mandatory 0
Reverse tunnel unavailable 0, Bad CVSE 0

Update sent 1, accepted 1, denied 0, not acked 0
Initial Update sent 1, retransmissions 0
Acknowledge received 1, discarded 0
Update reason lifetime expiry 0, PPP termination 1, other 0
Registration Update Errors:
Unspecified 0, Identification mismatch 0
Authentication failed 0, Administratively prohibited 0
Poorly formed request 0

Service Option:
asyncDataRate2 (12) success 4, failure 0

After the counters are reset

Router#clear cdma pdsn statistics rp
==> RESETTING COUNTERS

Router#show cdma pdsn statistics rp
RP Interface:
Reg Request rcvd 0, accepted 0, denied 0, discarded 0

Note The counter values are zeroes.


Initial Reg Request accepted 0, denied 0
Re-registration requests accepted 0, denied 0
De-registration accepted 0, denied 0
Registration Request Errors:
Unspecified 0, Administratively prohibited 0
Resource unavailable 0, Authentication failed 0
Identification mismatch 0, Poorly formed requests 0
Unknown PDSN 0, Reverse tunnel mandatory 0
Reverse tunnel unavailable 0, Bad CVSE 0

Update sent 0, accepted 0, denied 0, not acked 0
Initial Update sent 0, retransmissions 0
Acknowledge received 0, discarded 0
Update reason lifetime expiry 0, PPP termination 0, other 0
Registration Update Errors:
Unspecified 0, Identification mismatch 0
Authentication failed 0, Administratively prohibited 0
Poorly formed request 0

Service Option:
asyncDataRate2 (12) success 4, failure 0
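Because clear cdma pdsn statistics zeroes the counters, a script that polls show cdma pdsn statistics rp has to tell a reset from a real decrease. The following Python sketch is an added example, not Cisco code: it parses the two "Errors:" blocks of that output and reports increases in the failure counters chosen here for watching. The snapshots are constructed, and the rule that a blank line or another header ends a block is assumed from the sample output above.

```python
import re

# Blocks of interest start at a header ending in "Errors:". A blank line or any
# other "...:" header closes the block (layout assumed from the sample output).
ERROR_HEADER = re.compile(r"^(?P<section>.+ Errors):$")
COUNTER = re.compile(r"^(?P<name>.*\S)\s+(?P<value>\d+)$")

# Counters this example chooses to alert on (an assumption, not a Cisco list).
WATCHED_PREFIXES = ("Authentication failed", "Identification mismatch")


def parse_error_counters(show_output):
    """Return {(section, counter name): value} for every '... Errors:' block."""
    counters = {}
    section = None
    for raw in show_output.splitlines():
        line = raw.strip()
        header = ERROR_HEADER.match(line)
        if header:
            section = header.group("section")
            continue
        if not line or line.endswith(":"):
            section = None          # block ended
            continue
        if section is None:
            continue                # summary lines outside the error blocks
        for part in line.split(","):
            match = COUNTER.match(part.strip())
            if match:
                counters[(section, match.group("name"))] = int(match.group("value"))
    return counters


def delta(before, after):
    """Increase per counter between two snapshots.

    A counter that went backwards means the counters were cleared in between,
    so the later value already is the count since the reset.
    """
    result = {}
    for key, now in after.items():
        previous = before.get(key, 0)
        result[key] = now if now < previous else now - previous
    return result


def suspicious_increase(before, after):
    """Watched counters that rose between snapshots, as {(section, name): increase}."""
    return {
        key: rise
        for key, rise in delta(before, after).items()
        if rise > 0 and key[1].startswith(WATCHED_PREFIXES)
    }


# Constructed snapshots in the layout shown above; the values are invented.
TEMPLATE = """\
RP Interface:
Registration Request Errors:
Unspecified 0, Administratively prohibited 0
Resource unavailable 0, Authentication failed {req_auth}
Identification mismatch {req_ident}, Poorly formed requests 0
Unknown PDSN 0, Reverse tunnel mandatory 0
Reverse tunnel unavailable 0, Bad CVSE 0

Update sent 1, accepted 1, denied 0, not acked 0
Registration Update Errors:
Unspecified 0, Identification mismatch 0
Authentication failed 0, Administratively prohibited 0
Poorly formed request 0
"""
SNAP_A = TEMPLATE.format(req_auth=2, req_ident=0)
SNAP_B = TEMPLATE.format(req_auth=9, req_ident=1)
SNAP_C = TEMPLATE.format(req_auth=1, req_ident=0)  # taken after the counters were cleared

if __name__ == "__main__":
    a, b, c = (parse_error_counters(s) for s in (SNAP_A, SNAP_B, SNAP_C))
    print(suspicious_increase(a, b))
    print(suspicious_increase(b, c))
```

A reset that is followed by more failures than were counted before it cannot be detected this way, so record the time of every clear alongside the snapshots.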

Related Commands

Command
Description

show cdma pdsn statistics

Displays PDSN statistics.


clear gprs access-point statistics

To clear statistics counters for a specific access point or for all access points on the GGSN, use the clear gprs access-point statistics privileged EXEC command.

clear gprs access-point statistics {access-point-index | all}

Syntax Description

access-point-index

Index number of an access point. Information about that access point is cleared.

all

Information about all access points on the GGSN is cleared.


Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)MX

This command was introduced.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

This command clears the statistics that are displayed by the show gprs access-point statistics command.

Examples

The following example clears the statistics at access point 2:

clear gprs access-point statistics 2

The following example clears the statistics for all access points:

clear gprs access-point statistics all

Related Commands

Command
Description

show gprs access-point statistics

Displays data volume and PDP context activation and deactivation statistics for access points on the GGSN.


clear gprs charging cdr

To clear GPRS call detail records (CDRs), use the clear gprs charging cdr privileged EXEC configuration command.

clear gprs charging cdr {access-point access-point-index | all | partial-record | tid tunnel-id}

Syntax Description

access-point access-point-index

Closes CDRs for a specified access-point index.

all

Closes all CDRs on the GGSN.

partial-record

Closes all CDRs, and opens partial CDRs for any existing PDP contexts.

tid tunnel-id

Closes CDRs by tunnel ID.


Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX and the partial-record keyword was added.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the clear gprs charging cdr command to clear the CDRs for one or more PDP contexts.

To clear CDRs by tunnel ID (TID), use the clear gprs charging cdr command with the tid keyword and specify the corresponding TID for which you want to clear the CDRs. To determine the tunnel ID (TID) of an active PDP context, you can use the show gprs gtp pdp-context all command to obtain a list of the currently active PDP contexts (mobile sessions).

To clear CDRs by access point, use the clear gprs charging cdr command with the access-point keyword and specify the corresponding access-point index for which you want to clear CDRs. To obtain a list of access points, you can use the show gprs access-point command.

When you clear CDRs for a TID, an access point, or for all access points, charging data records for the specified TID or access point(s) are sent immediately to the charging gateway. When you run these versions of this command, the following things occur:

The GGSN no longer sends charging data that has been accumulated for the PDP context to the charging gateway.

The GGSN closes the current CDRs for the specified PDP contexts.

The GGSN no longer generates CDRs for existing PDP contexts.

To close all CDRs and open partial CDRs for existing PDP contexts on the GGSN, use the clear gprs charging cdr partial-record command.

The clear gprs charging cdr command is normally used before disabling the charging function.

Examples

The following example shows how to clear CDRs by tunnel ID:

router# show gprs gtp pdp-context all
TID              MS Addr    Source  SGSN Addr  APN
1234567890123456 10.11.1.1  Radius  10.4.4.11  www.pdn1.com
2345678901234567 Pending    DHCP    10.4.4.11  www.pdn2.com
3456789012345678 10.21.1.1  IPCP    10.1.4.11  www.pdn3.com
4567890123456789 10.31.1.1  IPCP    10.1.4.11  www.pdn4.com
5678901234567890 10.41.1.1  Static  10.4.4.11  www.pdn5.com

router# clear gprs charging cdr tid 1234567890123456

The following example shows how to clear CDRs for access point 1:

router# clear gprs charging cdr access-point 1

Related Commands

Command
Description

show gprs charging statistics

Displays current statistics about the transfer of charging packets between the GGSN and charging gateways.

show gprs access-point

Displays information about an access point.


clear gprs gtp pdp-context

To clear one or more PDP contexts (mobile sessions), use the clear gprs gtp pdp-context privileged EXEC configuration command.

clear gprs gtp pdp-context {tid tunnel-id | imsi imsi_value | path ip-address | access-point access-point-index | all}

Syntax Description

tid tunnel-id

Tunnel ID (TID) for which PDP contexts are to be cleared.

imsi imsi_value

International Mobile Subscriber Identity (IMSI) value for which PDP contexts are to be cleared.

path ip-address

Remote SGSN IP address for which all PDP contexts associated with the SGSN are to be cleared.

access-point access-point-index

Access-point index for which PDP contexts are to be cleared.

all

Clear all currently active PDP contexts.


Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the clear gprs gtp pdp-context command to clear one or more PDP contexts (mobile sessions). Use this command when operator intervention is required for administrative reasons—for example, when there are problematic user sessions or the system must be taken down for maintenance.

After the clear gprs gtp pdp-context command is issued, those users who are accessing the PDN through the specified TID, IMSI, path, or access point are disconnected.

To determine the tunnel ID of an active PDP context, you can use the show gprs gtp pdp-context command to obtain a list of the currently active PDP contexts (mobile sessions). Then, to clear a PDP context by tunnel ID, use the clear gprs gtp pdp-context command with the tid keyword and the corresponding tunnel ID that you want to clear.

To clear PDP contexts by access point, use the clear gprs gtp pdp-context command with the access-point keyword and the corresponding access-point index. To display a list of access points that are configured on the GGSN, use the show gprs access-point command.

If you know the IMSI of the PDP context, you can use the clear gprs gtp pdp-context with the imsi keyword and the corresponding IMSI of the connected user to clear the PDP context. If you want to determine the IMSI of a PDP context, you can use the show gprs gtp pdp-context all command to display a list of the currently active PDP contexts. Then, after finding the TID value that corresponds to the session that you want to clear, you can use the show gprs gtp pdp-context tid command to display the IMSI.

Examples

The following example shows how to clear PDP contexts by tunnel ID:

router# show gprs gtp pdp-context all
TID              MS Addr    Source  SGSN Addr  APN
1234567890123456 10.11.1.1  Radius  10.4.4.11  www.pdn1.com
2345678901234567 Pending    DHCP    10.4.4.11  www.pdn2.com
3456789012345678 10.21.1.1  IPCP    10.1.4.11  www.pdn3.com
4567890123456789 10.31.1.1  IPCP    10.1.4.11  www.pdn4.com
5678901234567890 10.41.1.1  Static  10.4.4.11  www.pdn5.com

router# clear gprs gtp pdp-context tid 1234567890123456

The following example shows how to clear PDP contexts at access point 1:

router# clear gprs gtp pdp-context access-point 1

clear gprs gtp statistics

To clear the current GPRS GTP statistics, use the clear gprs gtp statistics privileged EXEC configuration command.

clear gprs gtp statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the clear gprs gtp statistics command to clear the current GPRS GTP statistics. This command clears the counters that are displayed by the show gprs gtp statistics command.


Note The clear gprs gtp statistics command does not clear the counters that are displayed by the show gprs gtp status command.


Examples

The following example clears the GPRS GTP statistics:

router# clear gprs gtp statistics

clear gprs gtp-director statistics

To clear the current counters for GTP Director Module (GDM) statistics, use the clear gprs gtp-director statistics privileged EXEC configuration command.

clear gprs gtp-director statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)MX

This command was introduced.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.


Usage Guidelines

Use the clear gprs gtp-director statistics command to clear all of the counters that are displayed by the show gprs gtp-director statistics command.

Examples

The following example clears the GDM counters:

router# clear gprs gtp-director statistics

Related Commands

Command
Description

show gprs gtp-director statistics

Displays the current statistics for requests received and processed by GDM.


clear ip mobile host-counters

To clear the mobility counters specific to each mobile node, use the clear ip mobile host-counters command in EXEC mode.

clear ip mobile host-counters [[ip-address | nai string] [undo]]

Syntax Description

ip-address

(Optional) IP address of a mobile node.

nai string

(Optional) Network access identifier of the mobile node.

undo

(Optional) Restores the previously cleared counters.


Command Modes

EXEC

Command History

Release
Modification

12.0(1)T

This command was introduced.

12.2(2)XC

The nai keyword was added.

12.2(13)T

The nai keyword was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

This command clears the counters that are displayed when you use the show ip mobile host command. The undo keyword restores the counters (this option is useful for debugging).

Examples

The following example shows how the counters can be used for debugging:

Router# show ip mobile host

10.0.0.1:
Allowed lifetime 10:00:00 (36000/default)
Roaming status -registered-, Home link on virtual network 20.0.0.0/8
Accepted 2, Last time 04/13/02 19:04:28
Overall service time 00:04:42
Denied 0, Last time -never-
Last code `-never- (0)'
Total violations 1
Tunnel to MN - pkts 0, bytes 0
Reverse tunnel from MN - pkts 0, bytes 0

    .
Router# clear ip mobile host-counters

Router# show ip mobile host-counters

20.0.0.1:
Allowed lifetime 10:00:00 (36000/default)
Roaming status -Unregistered-, Home link on virtual network 20.0.0.0/8
Accepted 0, Last time -never-
Overall service time -never-
Denied 0, Last time -never-
Last code `-never- (0)'
Total violations 0
Tunnel to MN - pkts 0, bytes 0
Reverse tunnel from MN - pkts 0, bytes 0

Related Commands

Command
Description

show ip mobile host

Displays mobile node counters and information.


clear ip mobile secure

To clear and retrieve remote security associations, use the clear ip mobile secure command in EXEC mode.

clear ip mobile secure {host lower [upper] | nai string | empty | all} [load]

Syntax Description

host

Mobile node host.

lower

IP address of mobile node. Can be used alone, or as lower end of a range of IP addresses.

upper

(Optional) Upper end of a range of IP addresses.

nai string

Network access identifier of the mobile node.

empty

Load in only mobile nodes without security associations. Must be used with the load keyword.

all

Clears all mobile nodes.

load

(Optional) Reload the security association from the AAA server after security association has been cleared.


Command Modes

EXEC

Command History

Release
Modification

12.0(1)T

This command was introduced.

12.2(2)XC

The nai keyword was added.

12.2(13)T

The nai keyword was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

Security associations are required for registration authentication. They can be stored on an AAA server. During registration, they may be stored locally after retrieval from the AAA server. The security association on the router may become stale or out of date when the security association on the AAA server changes.

This command clears security associations that have been downloaded from the AAA server.


Note Security associations that are manually configured on the router or not stored on the router after retrieval from the AAA server are not applicable.


Examples

In the following example, the AAA server has the security association for user 10.2.0.1 after registration:

Router# show ip mobile secure host 10.2.0.1

Security Associations (algorithm,mode,replay protection,key):
10.2.0.1:
    SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,
Key `oldkey' 1230552d39b7c1751f86bae5205ec0c8

If you change the security association stored on the AAA server for this mobile node, the router clears the security association and reloads it from the AAA server:

Router# clear ip mobile secure host 10.2.0.1 load

Router# show ip mobile secure host 10.2.0.1

10.2.0.1:
    SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,
Key `newkey' 1230552d39b7c1751f86bae5205ec0c8

Related Commands

Command
Description

ip mobile secure

Specifies the mobility security associations for mobile host, visitor, home agent, and foreign agent.


clear ip mobile visitor

To remove visitor information, use the clear ip mobile visitor command in privileged EXEC mode.

clear ip mobile visitor [ip-address | nai string [session-id string] [ip-address]]

Syntax Description

ip-address

(Optional) IP address. If not specified, visitor information will be removed for all addresses.

nai string

(Optional) Network access identifier (NAI) of the mobile node.

session-id string

(Optional) Session identifier. The string value must be fewer than 25 characters in length.

ip-address

(Optional) IP address associated with the NAI.


Command Modes

EXEC

Command History

Release
Modification

12.0(1)T

This command was introduced.

12.2(2)XC

The nai keyword and associated variables were added.

12.2(13)T

The nai keyword and associated variables were integrated into Cisco IOS Release 12.2(13)T.

12.3(4)T

The session-id keyword was added.


Usage Guidelines

The foreign agent creates a visitor entry for each accepted visitor. The visitor entry allows the mobile node to receive packets while in a visited network. Associated with the visitor entry is the Address Resolution Protocol (ARP) entry for the visitor. There should be no need to clear the entry because it expires after lifetime is reached or when the mobile node deregisters.

When a visitor entry is removed, the number of users on the tunnel is decremented and the ARP entry is removed from the ARP cache. The visitor is not notified.

If the nai string session-id string option is specified, only the visitor entry with that session identifier is cleared. If the session-id keyword is not specified, all visitor entries (potentially more than one, with different session identifiers) for that NAI are cleared. You can determine the session-id string value by using the show ip mobile visitor command.

Use this command with care because it may terminate any sessions used by the mobile node. After you use this command, the visitor will need to reregister to continue roaming.

Examples

The following example administratively stops visitor 172.21.58.16 from visiting:

Router# clear ip mobile visitor 172.21.58.16

Related Commands

Command
Description

show ip mobile visitor

Displays the table containing the visitor list of the foreign agent.


clear ip rtp header-compression

To clear Real-Time Transport Protocol (RTP) header compression structures and statistics, use the clear ip rtp header-compression command in privileged EXEC mode.

clear ip rtp header-compression [interface-type interface-number]

Syntax Description

interface-type interface-number

(Optional) Interface type and number.


Command Modes

Privileged EXEC

Command History

Release
Modification

11.3

This command was introduced.


Usage Guidelines

If this command is used without an interface type and number, it clears all RTP header compression structures and statistics.

Examples

The following example clears RTP header compression structures and statistics for serial interface 0:

Router# clear ip rtp header-compression serial 0

Related Commands

Command
Description

ip rtp header-compression

Enables RTP header compression.


clear ppp mux

To clear PPP mux statistics, use the clear ppp mux EXEC command.

clear ppp mux [interface interface]

Syntax Description

interface

(Optional) The identifier of the multilink or serial interface for which you want to clear counters.


Defaults

If no interface is specified, statistics for all multilink and serial interfaces are cleared.

Command Modes

EXEC

Command History

Release
Modification

12.2(8)MC1

This command was introduced (MGX-RPM-1FE-CP back card).

12.2(8)MC2

This command was introduced (MWR 1941-DC router).

12.3(11)T

This command was incorporated in Cisco IOS Release 12.3(11)T.


Usage Guidelines

None

Examples

The following example clears PPP mux statistics for multilink interface 1:

clear ppp mux interface multilink1

Related Commands

Command
Description

show ppp mux

Displays PPP mux counters for the specified multilink interface.


clear radius local-server

To clear the display on the local server or to unblock a locked username, use the clear radius local-server command in privileged EXEC mode.

clear radius local-server {statistics | user username}

Syntax Description

statistics

Clears the display of statistical information.

user

Unblocks the locked username specified.

username

Locked username.


Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)JA

This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.

12.3(11)T

This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.


Examples

The following example unblocks the locked username "smith":

Router# clear radius local-server user smith

Related Commands

Command
Description

block count

Configures the parameters for locking out members of a group to help protect against unauthorized attacks.

debug radius local-server

Displays the debug information for the local server.

group

Enters user group configuration mode and configures shared setting for a user group.

nas

Adds an access point or router to the list of devices that use the local authentication server.

radius-server host

Specifies the remote RADIUS server host.

radius-server local

Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.

reauthentication time

Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.

show radius local-server statistics

Displays statistics for a local network access server.

ssid

Specifies up to 20 SSIDs to be used by a user group.

user

Authorizes a user to authenticate using the local authentication server.

vlan

Specifies a VLAN to be used by members of a user group.


crypto map (global IPSec)

To enter crypto map configuration mode and create or modify a crypto map entry, to create a crypto profile that provides a template for configuration of dynamically created crypto maps, or to configure a client accounting list, use the crypto map command in global configuration mode. To delete a crypto map entry, profile, or set, use the no form of this command.

crypto map map-name seq-num [ipsec-manual]

crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]

crypto map map-name [client-accounting-list aaalist]

no crypto map map-name seq-num


Note Issue the crypto map map-name seq-num command without a keyword to modify an existing crypto map entry.


Syntax Description

map-name

Name that identifies the crypto map set. This is the name assigned when the crypto map was created.

seq-num

Sequence number you assign to the crypto map entry. See additional explanation for using this argument in the "Usage Guidelines" section.

ipsec-manual

(Optional) Indicates that Internet Key Exchange (IKE) will not be used to establish the IP Security (IPSec) security associations (SAs) for protecting the traffic specified by this crypto map entry.

ipsec-isakmp

(Optional) Indicates that IKE will be used to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

dynamic

(Optional) Specifies that this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available.

dynamic-map-name

(Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.

discover

(Optional) Enables peer discovery. By default, peer discovery is not enabled.

profile

(Optional) Designates a crypto map as a configuration template. The security configurations of this crypto map will be cloned as new crypto maps are created dynamically on demand.

profile-name

(Optional) Name of the crypto profile being created.

client-accounting-list

(Optional) Designates a client accounting list.

aaalist

(Optional) List name.


Defaults

No crypto maps exist.

Peer discovery is not enabled.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

11.3 T

The following keywords and arguments were added:

ipsec-manual

ipsec-isakmp

dynamic

dynamic-map-name

12.0(5)T

The discover keyword was added to support Tunnel Endpoint Discovery (TED).

12.2(4)T

The profile profile-name keyword and argument combination was introduced to allow the generation of a crypto map profile that is cloned to create dynamically created crypto maps on demand.

12.2(11)T

Support was added for the Cisco 1760, Cisco AS5300, Cisco AS5400, and Cisco AS5800 platforms.

12.2(15)T

The client-accounting-list keyword and aaalist argument were added.


Usage Guidelines

Use this command to create a new crypto map entry, to create a crypto map profile, or to modify an existing crypto map entry or profile.

After a crypto map entry has been created, you cannot change the parameters specified at the global configuration level because these parameters determine which of the configuration commands are valid at the crypto map level. For example, after a map entry has been created using the ipsec-isakmp keyword, you cannot change it to the option specified by the ipsec-manual keyword; you must delete and reenter the map entry.

After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface IPSec) command.

Crypto Map Functions

Crypto maps provide two functions: filtering and classifying traffic to be protected and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.

IPSec crypto maps define the following:

What traffic should be protected

To which IPSec peers the protected traffic can be forwarded—these are the peers with which an SA can be established

Which transform sets are acceptable for use with the protected traffic

How keys and security associations should be used or managed (or what the keys are, if IKE is not used)

Multiple Crypto Map Entries with the Same Map Name Form a Crypto Map Set

A crypto map set is a collection of crypto map entries, each with a different seq-num argument but the same map-name argument. Therefore, for a given interface, you could have certain traffic forwarded to one IPSec peer with specified security applied to that traffic and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish differential forwarding you would create two crypto maps, each with the same map-name argument, but each with a different seq-num argument. Crypto profiles must have unique names within a crypto map set.

Sequence Numbers

The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.

For example, consider a crypto map set that contains three crypto map entries: mymap 10, mymap 20, and mymap 30. The crypto map set named "mymap" is applied to serial interface 0. When traffic passes through serial interface 0, the traffic is evaluated first for mymap 10. If the traffic matches any access list permit statement entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (including establishing IPSec SAs when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. (If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any IPSec security.)

Dynamic Crypto Maps

Refer to the "Usage Guidelines" section of the crypto dynamic-map command for a discussion on dynamic crypto maps.

Crypto map entries that reference dynamic map sets should be the lowest priority map entries, allowing inbound SA negotiation requests to try to match the static maps first. A request should be evaluated against the dynamic map set only after it has failed to match any of the static maps.

To make a crypto map entry referencing a dynamic crypto map set the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.

Create dynamic crypto map entries using the crypto dynamic-map command. After you create a dynamic crypto map set, add the dynamic crypto map set to a static crypto map set with the crypto map (global IPSec) command using the dynamic keyword.

TED

TED is an enhancement to the IPSec feature. Defining a dynamic crypto map allows you to dynamically determine an IPSec peer; however, only the receiving router has this ability. With TED, the initiating router can dynamically determine an IPSec peer for secure IPSec communications.

Dynamic TED helps to simplify IPSec configuration on the individual routers within a large network. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms that are required.


Note TED helps only in discovering peers; otherwise, TED does not function any differently from normal IPSec. Thus, TED does not improve the scalability of IPSec (in terms of performance or the number of peers or tunnels).


Crypto Map Profiles

Crypto map profiles are created using the profile profile-name keyword and argument combination. Crypto map profiles are used as configuration templates for dynamically creating crypto maps on demand for use with the Layer 2 Transport Protocol (L2TP) Security feature. The relevant SAs in the crypto map profile will be cloned and used to protect IP traffic on the L2TP tunnel.


Note The set peer and match address commands are ignored by crypto profiles and should not be configured in the crypto map definition.


Examples

The following example shows the minimum required crypto map configuration when IKE will be used to establish the SAs:

crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1

The following example shows the minimum required crypto map configuration when the SAs are manually established:

crypto ipsec transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
 match address 102
 set transform-set someset
 set peer 10.0.0.5
 set session-key inbound ah 256 98765432109876549876543210987654
 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
 set session-key inbound esp 256 cipher 0123456789012345
 set session-key outbound esp 256 cipher abcdefabcdefabcd

The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.

Crypto map "mymap 10" allows SAs to be established between the router and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the remote peer for traffic matching access list 102.

Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound SA negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow permitted by the access list 103, IPSec will accept the request and set up SAs with the remote peer without previously knowing about the remote peer. If the request is accepted, the resulting SAs (and temporary crypto map entry) are established according to the settings specified by the remote peer.

The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match any access list permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped.

crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
 match address 102
 set transform-set my_t_set1 my_t_set2
 set peer 10.0.0.3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
!
crypto dynamic-map mydynamicmap 10
 match address 103
 set transform-set my_t_set1 my_t_set2 my_t_set3

The following example configures TED on a Cisco router:

crypto map testtag 10 ipsec-isakmp dynamic dmap discover

The following example configures a crypto profile to be used as a template for dynamically created crypto maps when IPSec is used to protect an L2TP tunnel:

crypto map l2tpsec 10 ipsec-isakmp profile l2tp
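
The ordering and profile rules in the usage guidelines above can be checked against a saved configuration. The following Python script is an added example, not part of the Cisco documentation: it parses crypto map entries and reports a dynamic-map reference that is evaluated before a static entry, a profile entry that carries set peer or match address, and a static entry that lacks the minimum commands shown in the examples. The sample configuration is constructed from the page's "mymap" example with the dynamic reference moved to sequence 15, and the rule names are hypothetical labels.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the page's "mymap" set, except that the entry referencing
# the dynamic map set has been moved to sequence 15, ahead of static entry 20.
SAMPLE_CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2
crypto map mymap 15 ipsec-isakmp dynamic mydynamicmap
crypto map mymap 20 ipsec-isakmp
 match address 102
 set transform-set my_t_set1 my_t_set2
 set peer 10.0.0.3
!
crypto dynamic-map mydynamicmap 10
 match address 103
 set transform-set my_t_set1 my_t_set2 my_t_set3
"""

# crypto map map-name seq-num {ipsec-isakmp | ipsec-manual}
#            [dynamic dynamic-map-name] [discover] [profile profile-name]
HEADER = re.compile(
    r"^crypto map (\S+) (\d+) (ipsec-isakmp|ipsec-manual)"
    r"(?: dynamic (\S+))?(?: discover)?(?: profile (\S+))?\s*$"
)


@dataclass
class Entry:
    map_name: str
    seq: int
    mode: str
    dynamic_set: Optional[str] = None
    profile: Optional[str] = None
    acl: Optional[str] = None
    peers: List[str] = field(default_factory=list)
    transforms: List[str] = field(default_factory=list)


def parse_crypto_maps(config):
    """Return {map-name: [Entry, ...]} with each set sorted by seq-num."""
    sets = {}
    current = None
    for line in config.splitlines():
        header = HEADER.match(line)
        if header:
            name, seq, mode, dyn, profile = header.groups()
            current = Entry(name, int(seq), mode, dyn, profile)
            sets.setdefault(name, []).append(current)
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words[:2] == ["match", "address"] and len(words) == 3:
                current.acl = words[2]
            elif words[:2] == ["set", "peer"] and len(words) >= 3:
                current.peers.append(words[2])
            elif words[:2] == ["set", "transform-set"]:
                current.transforms.extend(words[2:])
        else:
            current = None  # any other top-level line ends the entry
    for entries in sets.values():
        entries.sort(key=lambda e: e.seq)  # lower seq-num is evaluated first
    return sets


def audit(sets):
    """Return a list of (entry label, rule, detail) findings."""
    findings = []
    for name, entries in sets.items():
        static = [e.seq for e in entries if not e.dynamic_set and not e.profile]
        for e in entries:
            label = f"{name} {e.seq}"
            if e.dynamic_set:
                # The dynamic reference should have the highest seq-num in the set.
                after = [s for s in static if s > e.seq]
                if after:
                    findings.append((label, "dynamic-not-last",
                                     f"static entries {after} are evaluated "
                                     f"after dynamic set {e.dynamic_set}"))
            elif e.profile:
                # set peer and match address are ignored by crypto profiles.
                if e.acl or e.peers:
                    findings.append((label, "profile-peer-or-acl",
                                     "remove set peer / match address"))
            else:
                required = (("match address", e.acl),
                            ("set transform-set", e.transforms),
                            ("set peer", e.peers))
                missing = [cmd for cmd, value in required if not value]
                if missing:
                    findings.append((label, "incomplete", ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for label, rule, detail in audit(parse_crypto_maps(SAMPLE_CONFIG)):
        print(f"{label}: {rule}: {detail}")
```
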

Related Commands

Command
Description

crypto dynamic-map

Creates a dynamic crypto map entry and enters the crypto map configuration command mode.

crypto isakmp profile

Audits IPSec user sessions.

crypto map (interface IPSec)

Applies a previously defined crypto map set to an interface.

crypto map local-address

Specifies and names an identifying interface to be used by the crypto map for IPSec traffic.

debug crypto isakmp

Applies a previously defined crypto map set to an interface.

match address (IPSec)

Specifies an extended access list for a crypto map entry.

set peer (IPSec)

Specifies an IPSec peer in a crypto map entry.

set pfs

Specifies that IPSec should ask for PFS when requesting new SAs for this crypto map entry, or that IPSec requires PFS when receiving requests for new SAs.

set security-association level per-host

Specifies that separate IPSec SAs should be requested for each source/destination host pair.

set security-association lifetime

Overrides (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec SAs.

set session-key

Specifies the IPSec session keys within a crypto map entry.

set transform-set

Specifies which transform sets can be used with the crypto map entry.

show crypto map (IPSec)

Displays the crypto map configuration.


dhcp-gateway-address

To specify the subnet in which the DHCP server should return addresses for DHCP requests for MS users entering a particular PDN access point, use the dhcp-gateway-address access-point configuration command. To remove a DHCP gateway address and return to the default, use the no form of this command.

dhcp-gateway-address ip-address

no dhcp-gateway-address ip-address

Syntax Description

ip-address

The IP address of the DHCP gateway to be used in DHCP requests for users who connect through the specified access point.


Defaults

When you do not configure a dhcp-gateway-address, the GGSN uses the virtual template interface address as the DHCP gateway address.

Command Modes

Access-point configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

The dhcp-gateway-address specifies the value of the giaddr field that is passed in DHCP messages between the GGSN and the DHCP server. If you do not specify a DHCP gateway address, the address assigned to the virtual template is used.

Although the virtual template address is used by default, you should configure a different value with the dhcp-gateway-address command whenever you implement DHCP services at an access point.

If the access point is configured for VRF, then the dynamic (or static addresses) returned for MSs of PDP contexts at the access point will also be part of that VRF address space. If the DHCP server is located within the VRF address space, then the corresponding loopback interface for the dhcp-gateway-address must also be configured within the VRF address space.

Examples

The following example specifies an IP address of 10.88.0.1 for the giaddr field (the dhcp-gateway-address) of DHCP server requests. Note that the IP address of a loopback interface, in this case Loopback2, matches the IP address specified in the dhcp-gateway-address command. This is required for proper configuration of DHCP on the GGSN.

interface Loopback2
 ip address 10.88.0.1 255.255.255.255
!
gprs access-point-list gprs
 access-point 8
   access-point-name pdn.aaaa.com
   ip-address-pool dhcp-proxy-client
   aggregate auto
   dhcp-server 172.16.43.35
   dhcp-gateway-address 10.88.0.1
   exit

Related Commands

Command
Description

dhcp-server

Specifies a primary (and backup) DHCP server to allocate IP addresses to MS users entering a particular PDN access point.

gprs default ip-address-pool

Specifies a dynamic address allocation method using IP address pools for the GGSN.

ip-address-pool

Specifies a dynamic address allocation method using IP address pools for the current access point.


dhcp-server

To specify a primary (and backup) DHCP server to allocate IP addresses to MS users entering a particular PDN access point, use the dhcp-server access-point configuration command. To remove the DHCP server from the access-point configuration, use the no form of this command.

dhcp-server {ip-address} [ip-address] [vrf]

no dhcp-server {ip-address} [ip-address] [vrf]

Syntax Description

ip-address

IP address of a DHCP server. The first ip-address argument specifies the IP address of the primary DHCP server. The second (optional) ip-address argument specifies the IP address of a backup DHCP server.

vrf

DHCP server uses the VPN routing and forwarding (VRF) table that is associated with the APN.


Defaults

Global routing table

Command Modes

Access-point configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX, with the following changes:

The vrf keyword was added.

The name argument, as an option for a hostname in place of the IP address of a host, has been removed.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

To configure DHCP on the GGSN, you must configure either the gprs default ip-address-pool global configuration command, or the ip-address-pool access-point configuration command with the dhcp-proxy-client keyword option.

After you configure the access point for DHCP proxy client services, use the dhcp-server command to specify a DHCP server.

Use the ip-address argument to specify the IP address of the DHCP server. The second, optional ip-address argument can be used to specify the IP address of a backup DHCP server to be used in the event that the primary DHCP server is unavailable. If you do not specify a backup DHCP server, then no backup DHCP server is available.

The DHCP server can be specified in two ways:

At the global configuration level, using the gprs default dhcp-server command.

At the access-point configuration level, using the dhcp-server command.

If you specify a DHCP server at the access-point level using the dhcp-server command, then the server address specified at the access point overrides the address specified at the global level. If you do not specify a DHCP server address at the access-point level, then the address specified at the global level is used.

Therefore, you can have a global address setting and also one or more local access-point level settings if you need to use different DHCP servers for different access points.

Use the vrf keyword when the DHCP server itself is located within the address space of a VRF interface on the GGSN. If the DHCP server is located within the VRF address space, then the corresponding loopback interface for the dhcp-gateway-address must also be configured within the VRF address space.

Examples

Example 1

The following example specifies both primary and backup DHCP servers to allocate IP addresses to mobile station users through a non-VPN access point. Because the vrf keyword is not configured, the default global routing table is used. The primary DHCP server is located at IP address 10.60.0.1, and the secondary DHCP server is located at IP address 10.60.0.2:

 access-point 2
  access-point-name xyz.com
  dhcp-server 10.60.0.1 10.60.0.2
  dhcp-gateway-address 10.60.0.1
  exit

Example 2

The following example shows a VRF configuration for vpn3 (without tunneling) using the ip vrf global configuration command. Because the ip vrf command establishes both VRF and CEF routing tables, notice that ip cef also is configured at the global configuration level to enable CEF switching at all of the interfaces.

The following other configuration elements must also associate the same VRF named vpn3:

FastEthernet0/0 is configured as the Gi interface using the ip vrf forwarding interface configuration command.

Access-point 2 implements VRF using the vrf access-point configuration command.

The DHCP server at access-point 2 also is configured to support VRF. Notice that access-point 1 uses the same DHCP server, but is not supporting the VRF address space. The IP addresses for access-point 1 will apply to the global routing table:

aaa new-model
!
aaa group server radius foo
 server 10.2.3.4
 server 10.6.7.8
!
aaa authentication ppp foo group foo
aaa authorization network default group radius
aaa accounting exec default start-stop group foo
!
ip cef
!
ip vrf vpn3
 rd 300:3
!
interface Loopback1
 ip address 10.30.30.30 255.255.255.255
!
interface Loopback2
 ip vrf forwarding vpn3
 ip address 10.27.27.27 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding vpn3
 ip address 10.50.0.1 255.255.0.0
 duplex half
!
interface FastEthernet1/0
 ip address 10.70.0.1 255.255.0.0
 duplex half
!
interface Virtual-Template1
 ip address 10.8.0.1 255.255.0.0
 encapsulation gtp
 gprs access-point-list gprs
!
ip route 10.10.0.1 255.255.255.255 Virtual-Template1
ip route vrf vpn3 10.100.0.0 255.255.255.0 fa0/0 10.50.0.2
ip route 10.200.0.0 255.255.255.0 fa1/0 10.70.0.2
!
no ip http server
!
gprs access-point-list gprs
 access-point 1
  access-point-name gprs.pdn.com
  ip-address-pool dhcp-proxy-client
  dhcp-server 10.200.0.5
  dhcp-gateway-address 10.30.30.30
  network-request-activation
  exit
  !
 access-point 2
  access-point-name gprs.pdn2.com
  access-mode non-transparent
  ip-address-pool dhcp-proxy-client
  dhcp-server 10.100.0.5 10.100.0.6 vrf
  dhcp-gateway-address 10.27.27.27
  aaa-group authentication foo
  vrf vpn3
  exit
!
gprs default ip-address-pool dhcp-proxy-client
gprs gtp ip udp ignore checksum
!
radius-server host 10.2.3.4 auth-port 1645 acct-port 1646 non-standard
radius-server host 10.6.7.8 auth-port 1645 acct-port 1646 non-standard
radius-server key ggsntel
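
The usage guidelines for dhcp-gateway-address and dhcp-server require that the gateway address match a loopback interface and, when the DHCP server is reached through a VRF, that the loopback sit in the same VRF as the access point. The following Python script is an added example, not part of the Cisco documentation, that checks a saved configuration for those conditions. Its sample input is constructed from Example 2 with two planted mistakes; access-point 3 and the rule names are hypothetical.

```python
# Constructed sample based on the page's Example 2, with two planted mistakes:
# access-point 2 uses Loopback1 (global table) as giaddr although its DHCP
# servers are reached through VRF vpn3, and access-point 3 (hypothetical)
# uses an address that is not configured on any loopback interface.
SAMPLE_CONFIG = """\
interface Loopback1
 ip address 10.30.30.30 255.255.255.255
!
interface Loopback2
 ip vrf forwarding vpn3
 ip address 10.27.27.27 255.255.255.255
!
gprs access-point-list gprs
 access-point 1
  access-point-name gprs.pdn.com
  ip-address-pool dhcp-proxy-client
  dhcp-server 10.200.0.5
  dhcp-gateway-address 10.30.30.30
  exit
 access-point 2
  access-point-name gprs.pdn2.com
  ip-address-pool dhcp-proxy-client
  dhcp-server 10.100.0.5 10.100.0.6 vrf
  dhcp-gateway-address 10.30.30.30
  vrf vpn3
  exit
 access-point 3
  access-point-name constructed.example
  ip-address-pool dhcp-proxy-client
  dhcp-server 10.200.0.5
  dhcp-gateway-address 10.99.99.99
  exit
"""


def parse(config):
    """Collect interfaces and access points from an IOS-style configuration."""
    interfaces, aps = [], {}
    iface = ap = None
    in_ap_list = False
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw.startswith(" "):  # a top-level command opens a new context
            iface = ap = None
            in_ap_list = words[:2] == ["gprs", "access-point-list"]
            if words[0] == "interface" and len(words) >= 2:
                iface = {"name": "".join(words[1:]), "ip": None, "vrf": None}
                interfaces.append(iface)
        elif iface is not None:
            if words[:3] == ["ip", "vrf", "forwarding"] and len(words) == 4:
                iface["vrf"] = words[3]
            elif words[:2] == ["ip", "address"] and len(words) >= 3:
                iface["ip"] = words[2]
        elif in_ap_list:
            if words[0] == "access-point" and len(words) == 2 and words[1].isdigit():
                ap = {"servers": [], "server_vrf": False,
                      "giaddr": None, "vrf": None, "dhcp": False}
                aps[int(words[1])] = ap
            elif ap is not None:
                if words[0] == "dhcp-server":
                    ap["servers"] = [w for w in words[1:] if w != "vrf"]
                    ap["server_vrf"] = "vrf" in words[1:]
                elif words[0] == "dhcp-gateway-address" and len(words) == 2:
                    ap["giaddr"] = words[1]
                elif words[0] == "vrf" and len(words) == 2:
                    ap["vrf"] = words[1]
                elif words == ["ip-address-pool", "dhcp-proxy-client"]:
                    ap["dhcp"] = True
    return interfaces, aps


def audit(config):
    """Return (access-point number, rule, detail) findings."""
    interfaces, aps = parse(config)
    loopbacks = {i["ip"]: i for i in interfaces
                 if i["name"].lower().startswith("loopback") and i["ip"]}
    findings = []
    for num in sorted(aps):
        ap = aps[num]
        if not (ap["dhcp"] or ap["servers"]):
            continue  # access point does not use DHCP proxy client services
        giaddr = ap["giaddr"]
        if giaddr is None:
            findings.append((num, "giaddr-default",
                             "virtual template address is sent as giaddr"))
        elif giaddr not in loopbacks:
            findings.append((num, "giaddr-not-loopback",
                             f"{giaddr} is not a loopback interface address"))
        elif ap["server_vrf"] and (ap["vrf"] is None
                                   or loopbacks[giaddr]["vrf"] != ap["vrf"]):
            lo = loopbacks[giaddr]
            findings.append((num, "giaddr-vrf-mismatch",
                             f"{lo['name']} is in VRF {lo['vrf']}, "
                             f"access point is in VRF {ap['vrf']}"))
    return findings


if __name__ == "__main__":
    for num, rule, detail in audit(SAMPLE_CONFIG):
        print(f"access-point {num}: {rule}: {detail}")
```
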

Related Commands

Command
Description

dhcp-gateway-address

Specifies the subnet in which the DHCP server should return addresses for DHCP requests for MS users entering a particular PDN access point.

ip-address-pool

Specifies a dynamic address allocation method using IP address pools for the current access point.

vrf

Configures VPN routing and forwarding at a GGSN access point and associates the access point with a particular VRF instance.


dns primary

To specify a primary (and backup) DNS to be sent in create PDP responses at the access point, use the dns primary access-point configuration command. To remove the DNS from the access-point configuration, use the no form of this command.

dns primary ip-address [secondary ip-address]

Syntax Description

ip-address

IP address of the primary DNS.

secondary ip-address

(Optional) Specifies the IP address of the backup DNS.


Defaults

No default behavior or values.

Command Modes

Access-point configuration

Command History

Release
Modification

12.2(8)YY

This command was introduced.

12.3(2)XB

This command was integrated in Cisco IOS Release 12.3(2)XB.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the dns primary command to specify the primary (and backup) DNS at the access point level.

This feature benefits address allocation schemes where there is no mechanism to obtain these addresses. Also, for a RADIUS-based allocation scheme, it prevents the operator from having to configure an NBNS and DNS under each user profile.

The DNS address can come from three possible sources: DHCP server, RADIUS server, or local APN configuration. The criterion for selecting the DNS address depends on the IP address allocation scheme configured under the APN. Depending on the configuration, the criterion for selecting the DNS address is as follows:

1. DHCP-based IP address allocation scheme (local and external)—DNS address returned from the DHCP server is sent to the MS. If the DHCP server does not return a DNS address, the local APN configuration is used.

2. RADIUS-based IP address allocation scheme—DNS address returned from the RADIUS server (in Access-Accept responses) is used. If the RADIUS server does not return a DNS address, the local APN configuration is used.

3. Local IP Address Pool-based IP address allocation scheme—Local APN configuration is used.

4. Static IP Addresses—Local APN configuration is used.


Note The GGSN sends DNS addresses in the create PDP response only if the MS is requesting the DNS address in the PCO IE.


Examples

The following example specifies a primary and secondary DNS at the access point level:

 access-point 2
  access-point-name xyz.com
  dns primary 10.60.0.1 secondary 10.60.0.2
  exit

Related Commands

Command
Description

ip-address-pool

Specifies a dynamic address allocation method using IP address pools for the current access point.

nbns primary

Specifies a primary (and backup) NBNS at the access point level.


encapsulation gtp

To specify the GPRS tunneling protocol (GTP) as the encapsulation type for packets transmitted over the virtual template interface, use the encapsulation gtp interface configuration command. To remove the GTP encapsulation type and return to the default, use the no form of this command.

encapsulation gtp

no encapsulation gtp

Syntax Description

This command has no arguments or keywords.

Defaults

PPP encapsulation

Command Modes

Interface configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the encapsulation gtp command to specify GTP as the encapsulation type for a virtual template. This is a mandatory setting for both the GGSN and GDM.

Examples

The following example specifies the GPRS tunneling protocol (GTP) as the encapsulation type:

interface virtual-template 1
 ip address 10.10.10.1 255.255.255.0
 no ip directed-broadcast
 encapsulation gtp

gprs access-point-list

To configure an access point list that you use to define PDN access points on the GGSN, use the gprs access-point-list global configuration command. To remove an existing access-point list, use the no form of this command.

gprs access-point-list list_name

no gprs access-point-list list_name

Syntax Description

list_name

The name of the access-point list.


Defaults

No access-point list is defined.

Command Modes

Global configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the gprs access-point-list command to configure an access-point list that you use to define PDN access points on the GGSN. Currently, only one access-point list can be defined per virtual template.

Examples

The following example sets up an access-point list that is used to define two GPRS access points:

! Virtual Template configuration
interface virtual-template 1
 ip address 10.10.10.1 255.255.255.0
 no ip directed-broadcast
 encapsulation gtp
 gprs access-point-list abc
!
! Access point list configuration
gprs access-point-list abc
 access-point 1
  access-point-name gprs.somewhere.com
  exit
!
 access-point 2
  access-point-name xyz.com
  exit

Related Commands

Command
Description

access-point

Specifies an access point number and enters access-point configuration mode.


gprs canonical-qos best-effort bandwidth-factor

To specify the bandwidth factor to be applied to the canonical best-effort Quality of Service (QoS) class, use the gprs canonical-qos best-effort bandwidth-factor global configuration command. To return to the default value, use the no form of this command.

gprs canonical-qos best-effort bandwidth-factor bandwidth-factor

no gprs canonical-qos best-effort bandwidth-factor bandwidth-factor

Syntax Description

bandwidth-factor

Integer from 1 to 4000000 that specifies the desired bandwidth factor (in bits per second). The default is 10 bits per second.


Defaults

10 bits per second

Command Modes

Global configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

The gprs canonical-qos best-effort bandwidth-factor command specifies an average bandwidth that is expected to be used by best-effort QoS class mobile sessions. The default value of 10 bps is chosen arbitrarily. If you observe that users accessing the GGSN are using a higher average bandwidth, then you should increase the bandwidth value.


Note Before configuring the average bandwidth expected to be used by the best-effort QoS class using the gprs canonical-qos best-effort bandwidth-factor command, canonical QoS must be enabled using the gprs qos map canonical-qos command.


Examples

The following example configures a bandwidth factor of 20:

gprs canonical-qos best-effort bandwidth-factor 20

Related Commands

Command
Description

gprs canonical-qos gsn-resource-factor

Specifies the total amount of resource that the GGSN uses to provide canonical QoS service levels to mobile users.


gprs canonical-qos gsn-resource-factor

To specify the total amount of resource that the GGSN uses to provide canonical QoS service levels to mobile users, use the gprs canonical-qos gsn-resource-factor global configuration command. To return to the default value, use the no form of this command.

gprs canonical-qos gsn-resource-factor resource-factor

no gprs canonical-qos gsn-resource-factor resource-factor

Syntax Description

resource-factor

Integer between 1 and 4294967295 representing an amount of resource that the GGSN calculates internally for canonical QoS processing. The default value is 3145728000.


Defaults

3,145,728,000

Command Modes

Global configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX and the default value was changed from 1,048,576 to 3,145,728,000 bits per second.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

The default value for this command was chosen to support 10000 PDP contexts with a premium QoS class. If a greater throughput is required for GPRS user data, increase the resource factor value. However, selecting a high value may result in exceeding the actual processing capacity of the GGSN.

Examples

The following example configures a resource factor of 1048576:

gprs canonical-qos gsn-resource-factor 1048576

Related Commands

Command
Description

gprs canonical-qos best-effort bandwidth-factor

Specifies the bandwidth factor to be applied to the canonical best-effort QoS class.

gprs canonical-qos premium mean-throughput-deviation

Specifies a mean throughput deviation factor that the GGSN uses to calculate the allowable data throughput for the premium QoS class.


gprs canonical-qos map tos

To specify a QoS mapping from the canonical QoS classes to an IP type of service (ToS) precedence value, use the gprs canonical-qos map tos global configuration command. To remove a QoS mapping and return to the default values, use the no form of this command.

gprs canonical-qos map tos [premium tos-value [normal tos-value [best-effort tos-value]]]

no gprs canonical-qos map tos [premium tos-value [normal tos-value [best-effort tos-value]]]

Syntax Description

premium tos-value

ToS mapping for a premium QoS. The tos-value can be a number from 0 to 5. A higher number indicates a higher service priority. The default is 2.

normal tos-value

ToS mapping for a normal QoS. The tos-value can be a number from 0 to 5. A higher number indicates a higher service priority. The default is 1.

best-effort tos-value

ToS mapping for a best effort QoS. The tos-value can be a number from 0 to 5. A higher number indicates a higher service priority. The default is 0.


Defaults

When canonical QoS is enabled on the GGSN, the default IP ToS precedence values are assigned according to the canonical QoS class as follows:

Premium—2

Normal—1

Best effort—0

Command Modes

Global configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

Use the gprs canonical-qos map tos command to specify a mapping between various QoS categories and the ToS precedence bits in the IP header for packets transmitted over the Gn (GTP tunnels) and Gi interfaces.

All the keyword arguments for the command are optional. However, if you specify a value for the normal argument, you must specify a value for the premium argument. And if you specify a value with the best-effort argument, then you must specify a value for both the premium and the normal arguments.

When a request for a user session comes in (a PDP context activation request), the GGSN determines whether the requested QoS for the session packets can be handled based on the maximum packet handling capability of the GGSN. Based on this determination, one of the following occurs:

If the requested QoS can be provided, then it is maintained.

If the requested QoS cannot be provided, then the QoS for the requested session is either lowered, or the session is rejected.

Examples

The following example specifies a QoS mapping from the canonical QoS classes to a premium ToS category of five, a normal ToS category of three, and a best-effort ToS category of two:

gprs canonical-qos map tos premium 5 normal 3 best-effort 2

Related Commands

Command
Description

gprs canonical-qos best-effort bandwidth-factor

Specifies the bandwidth factor to be applied to the canonical best-effort QoS class.

gprs canonical-qos gsn-resource-factor

Specifies the total amount of resource that the GGSN uses to provide canonical QoS service levels to mobile users.

gprs canonical-qos premium mean-throughput-deviation

Specifies a mean throughput deviation factor that the GGSN uses to calculate the allowable data throughput for the premium QoS class.

gprs qos map canonical-qos

Enables mapping of GPRS QoS categories to a canonical QoS method that includes best effort, normal, and premium QoS classes.


gprs canonical-qos premium mean-throughput-deviation

To specify a mean throughput deviation factor that the GGSN uses to calculate the allowable data throughput for the premium QoS class, use the gprs canonical-qos premium mean-throughput-deviation global configuration command. To return to the default value, use the no form of this command.

gprs canonical-qos premium mean-throughput-deviation deviation_factor

no gprs canonical-qos premium mean-throughput-deviation deviation_factor

Syntax Description

deviation_factor

Value that specifies the deviation factor. This value can range from 1 to 1000. The default value is 100.


Defaults

100

Command Modes

Global configuration

Command History

Release
Modification

12.1(1)GA

This command was introduced.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T.

12.2(4)MX

This command was incorporated in Cisco IOS Release 12.2(4)MX.

12.2(8)YD

This command was incorporated in Cisco IOS Release 12.2(8)YD.

12.2(8)B

This command was incorporated in Cisco IOS Release 12.2(8)B.

12.3(4)T

This command was incorporated in Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was incorporated in Cisco IOS Release 12.3(8)T.


Usage Guidelines

The GGSN uses the value set by the gprs canonical-qos premium mean-throughput-deviation command to calculate a mean throughput value that determines the amount of data throughput used for the premium QoS class. The calculation is based on the following formula, which includes the configured deviation factor:

EB = Min[p, m + a(p - m)]

Where

EB = the effective bandwidth
p = peak throughput from the GPRS QoS profile in PDP context requests
m = mean throughput from the GPRS QoS profile in PDP context requests
a = the deviation factor divided by 1000 (deviation_factor/1000)

Examples

The following example configures a mean throughput deviation of 1000:

gprs canonical-qos premium mean-throughput-deviation 1000
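
The following Python sketch is an added example, not Cisco code. It reads the deviation factor from configuration lines (the no form restores the default of 100), enforces the documented 1 to 1000 range, and evaluates EB = Min[p, m + a(p - m)]. The function names and the throughput figures are assumptions constructed for illustration.

```python
import re

DEFAULT_FACTOR = 100            # default stated in the Syntax Description
FACTOR_RANGE = range(1, 1001)   # valid deviation_factor values: 1 to 1000

_CMD = re.compile(
    r"^(?P<no>no\s+)?gprs canonical-qos premium mean-throughput-deviation"
    r"(?:\s+(?P<factor>\d+))?\s*$"
)

def deviation_factor_from_config(lines):
    """Return the deviation factor in effect after applying the lines in order."""
    factor = DEFAULT_FACTOR
    for line in lines:
        match = _CMD.match(line.strip())
        if not match:
            continue                      # unrelated command, ignore it
        if match.group("no"):
            factor = DEFAULT_FACTOR       # the no form returns to the default
            continue
        if match.group("factor") is None:
            raise ValueError(f"missing deviation_factor: {line!r}")
        value = int(match.group("factor"))
        if value not in FACTOR_RANGE:
            raise ValueError(f"deviation_factor {value} is outside 1 to 1000")
        factor = value
    return factor

def effective_bandwidth(peak, mean, factor=DEFAULT_FACTOR):
    """EB = Min[p, m + a(p - m)], where a = factor / 1000."""
    if factor not in FACTOR_RANGE:
        raise ValueError(f"deviation_factor {factor} is outside 1 to 1000")
    # Multiply before dividing so integer inputs give exact results.
    return min(peak, mean + factor * (peak - mean) / 1000)

if __name__ == "__main__":
    # Constructed sample: p and m in the same (unspecified) throughput unit.
    peak, mean = 2000, 1000
    config = ["gprs canonical-qos premium mean-throughput-deviation 1000"]
    for factor in (DEFAULT_FACTOR, 500, deviation_factor_from_config(config)):
        print(f"factor={factor:4d}  EB={effective_bandwidth(peak, mean, factor)}")
    # A profile whose mean exceeds its peak is clamped to the peak by Min[].
    print("mean > peak:", effective_bandwidth(1000, 2000, DEFAULT_FACTOR))
```

With the deviation factor at its maximum of 1000, a equals 1 and EB equals the peak throughput; with the default of 100, EB sits one tenth of the way from the mean to the peak.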

Related Commands

Command
Description

gprs canonical-qos best-effort bandwidth-factor

Specifies the bandwidth factor to be applied to the canonical best-effort QoS class.

gprs canonical-qos gsn-resource-factor

Specifies the total amount of resource that the GGSN uses to provide canonical QoS service levels to mobile users.

gprs canonical-qos map tos

Specifies a QoS mapping from the canonical QoS classes to an IP ToS category.




Posted: Mon Mar 28 00:06:40 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.