Application Assurance uses system components for some of its functionality. Refer to the following for details on:
This command creates a text description which is stored in the configuration file to help identify the content of the entity.
The no form of the command removes the string from the configuration.
none
This command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.
The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
This mandatory command adds an IOM o the device configuration for the slot. The card type can be preprovisioned, meaning that the card does not need to be installed in the chassis.
A card must be provisioned before an MDA, MCM or port can be configured .
A card can only be provisioned in a slot that is vacant, meaning no other card can be provisioned (configured) for that particular slot. To reconfigure a slot position, use the no form of this command to remove the current information.
A card can only be provisioned in a slot if the card type is allowed in the slot. An error message is generated if an attempt is made to provision a card type that is not allowed.
If a card is inserted that does not match the configured card type for the slot, then a medium severity alarm is raised. The alarm is cleared when the correct card type is installed or the configuration is modified.
A high severity alarm is raised if an administratively enabled card is removed from the chassis. The alarm is cleared when the correct card type is installed or the configuration is modified. A low severity trap is issued when a card is removed that is administratively disabled.
Because the IOM-3 integrated card does not have the capability in install separate MDAs, the configuration of the MDA is automatic. This configuration only includes the default parameters such as default buffer policies. Commands to manage the MDA such as shutdown, named buffer pool etc will remain in the MDA configuration context.
An appropriate alarm is raised if a partial or complete card failure is detected. The alarm is cleared when the error condition ceases.
Refer to the Interface Configuration Guide for information about slots, cards and MDAs.
The no form of this command removes the card from the configuration.
No cards are preconfigured for any slots.
This mandatory command provisions a specific MDA type to the device configuration for the slot. The MDA can be preprovisioned but an MDA must be provisioned before ports can be configured. Ports can be configured once the MDA is properly provisioned. A maximum of two MDAs can be provisioned on an IOM. Only one MDA can be provisioned per IOM MDA slot. To modify an MDA slot, shut down all port associations.
A maximum of six MDAs or eight CMAs (or a combination) can be provisioned on a 7750 SR-c12. Only one MDA/CMA can be provisioned per MDA slot. To modify an MDA slot, shut down all port associations. CMAs do not rely on MCM configuration and are provisioned without MCMs. CMAs are provisioned using MDA commands. A medium severity alarm is generated if an MDA/ CMA is inserted that does not match the MDA/CMA type configured for the slot. This alarm is cleared when the correct MDA/CMA is inserted or the configuration is modified. A high severity alarm is raised when an administratively enabled MDA/CMA is removed from the chassis. This alarm is cleared if the either the correct MDA/CMA type is inserted or the configuration is modified. A low severity trap is issued if an MDA/CMA is removed that is administratively disabled.
An MDA can only be provisioned in a slot if the MDA type is allowed in the MDA slot. An error message is generated when an MDA is provisioned in a slot where it is not allowed.
A medium severity alarm is generated if an MDA is inserted that does not match the MDA type configured for the slot. This alarm is cleared when the correct MDA is inserted or the configuration is modified.
A high severity alarm is raised when an administratively enabled MDA is removed from the chassis. This alarm is cleared if the either the correct MDA type is inserted or the configuration is modified. A low severity trap is issued if an MDA is removed that is administratively disabled.
An alarm is raised if partial or complete MDA failure is detected. The alarm is cleared when the error
condition ceases. All parameters in the MDA context remain and if non-default values are required then their configuration remains as it is on all existing MDAs.
Refer to the Interface Guide for further information on command usage and syntax for the AA ISA and other MDA and ISA types.
The no form of this command deletes the MDA from the configuration. The MDA must be administratively shut down before it can be deleted from the configuration.
No MDA types are configured for any slots by default.
ISA-2: isa2-aa, isa2-bb, isa2-tunnel
7750 SR: m60-10/100eth-tx, m10-1gb-sfp, m16-oc12/3-sfp, m8-oc12/3-sfp, m16-oc3-sfp, m8-oc3-sfp, m4- oc48-sfp, m1-oc192, m5-1gb-sfp, m12-chds3, m1-choc12-sfp, m1-10gb, m4-choc3-sfp, m2-oc192-xpxfp, m2-oc48-sfp, m20-100eth-sfp, m20-1gb-tx, m2-10gb-xfp, m2-oc192-xfp, m12-1gb-sfp, m12- 1gb+2-10gb-xp, m4-atmoc12/3-sfp, m16-atmoc3-sfp, m20-1gb-sfp, m4-chds3, m1-10gb-xfp, vsm-cca,m5-1gb-sfp-b, m10-1gb-sfp-b, m4-choc3-as-sfp, m10-1gb+1-10gb, isa-ipsec, m1-choc12-as-sfp, m12-chds3-as, m4-chds3-as, isa-aa, isa-tms, m12-1gb-xp-sfp, m12-1gb+2-10gb-xp, m10-1gb-hs-sfp, m1-10gb-hs-xfp, m4-choc3-ces-sfp, m1-choc3-ces-sfp, m4-10gb-xp-xfp, m2-10gb-xp-xfp, m1-10gb-xpxfp,m10-1gb-xp-sfp, m20-1gb-xp-sfp, m20-1gb-xp-tx, m1-choc12-ces-sfp, p1-100g-cfp, p10-10gsfp,p3-40g-qsfp, p6-10g-sfp, imm24-1gb-xp-sfp, imm24-1gb-xp-tx, imm5-10gb-xp-xfp, imm4-10gbxp-xfp, imm3-40gb-qsfp, imm1-40gb-qsfp, imm1-40gb-xp-tun, imm-1pac-fp3/p1-100g-tun, imm2-10gb-xp-xfp, imm12-10gb-xp-SF+, imm1-oc768-xp-tun, imm1-100gb-xp-cfp, isa-video, m1-10gbdwdm-tun, iom3-xp-b, m4-atmoc12/3-sf-b, m16-atmoc3-sfp-b, m16-oc12/3-sfp-b, m4-oc48-sfp-bisa2-aa, isa2-bb, isa2-tunnel
7750 SR-c12: m60-10/100eth-tx, m8-oc3-sfp, m5-1gb-sfp, m2-oc48-sfp, m20-100eth-sfp, m20-1gbtx,m4-atmoc12/3-sfp, m20-1gb-sfp, m5-1gb-sfp-b, m4-choc3-as-sfp, c8-10/100eth-tx, c1-1gb-sfp,c2-oc12/3-sfp-b, c8-chds1, c4-ds3, c2-oc12/3-sfp, c1-choc3-ces-sfp, m1-choc12-as-sfp, m12-chds3-as,m4-chds3-as, m4-choc3-ces-sfp, m10-1gb-xp-sfp, m20-1gb-xp-sfp, m20-1gb-xp-t, isa-aa, isa2-aa,
Refer to the Interface Configuration Guide for further information.
This command enables the context to perform Application Assurance (AA) configuration operations.
Use this command to load a new isa-aa.tim file as part of a router-independent signature upgrade. An AA ISA reboot is required.
This command defines an Application Assurance Redundancy Protocol (AARP) instance. This instance is paired with the same aarpId in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP.
The no form of the command removes the instance from the configuration.
no aarp
This command configures the AARP mode of operation with the peer instance. The modes affect the AARP state machine behavior according to the desired behavior. Minimize-switchover will change AARP state based on Master ISA failure, and be non-revertive in that when the priority ISA returns a switch does not occur, which is optimal for AA flow identification. Inter-chassis efficiency mode considers both priority (revertive) and the endpoint status of the AARP instance and will switch activity in case of EP failure in order to avoid sending all the traffic over the ICL. The priority-based-balance mode will be revertive after a priority master returns to service, but excludes EP status. The master-selection-mode configuration must match on both peer AARP instances, or the AARP operational status will stay down.
minimize-switchovers
This command defines the IP address of the peer router which must be a routable system IP address.
If no peer is configured and the AARP is no shutdown, it is configured as a single node AARP instance.
The no form of the command removes the IP address from the AARP instance.
no peer
This command defines the peer endpoint ID of the SAP or spoke-SDP parent-aa-sub of the AARP peer.
The no form of the command removes the peer endpoint from the AARP instance.
no peer-endpoint
This command defines the priority for the AARP instance. The priority value is used to determine the master/backup upon initialization or re-balance.
The no form of the command removes the priority.
priority 100
This command configures the high watermark for bit rate alarms.
max (disabled)
This command configures the utilization of the flow records on the ISA-AA Group when the full alarm will be cleared by the agent.
0
This command configures the packet rate on the ISA-AA when a packet rate alarm will be raised by the agent.
max = disabled
This command configures the system wide low watermark threshold for per-ISA throughput in packets/second when an high packet rate alarm will be cleared by the agent. The value must be less than or equal to the packet-rate-high-wmark parameter.
The no form of the command sets the parameter to minimum (watermark disabled).
0
This command configures the system wide high watermark threshold for per-ISA throughput in packets/second when an alarm will be raised by the agent. The value must be larger than or equal to the packet-rate-low-wmark parameter.
The no form of the command sets the parameter to maximum (watermark disabled).
0
This command configures the flow setup rate on the ISA-AA when a flow setup alarm will be raised by the agent.
0
This command enables the context to perform Application Assurance (AA) configuration operations.
The command configures the system-wide high watermark threshold as a percentage of the flow table size for the per-ISA utilization of the flow records when a full alarm will be raised by the agent.
This command configures the system-wide low watermark threshold as a percentage of the flow table size for per-ISA. The value must be lower than or equal to the flow-table-high-wmark high-watermark parameter.
This command configures the shutdown of protocols system-wide.
This command configures and enables the context to configure an application assurance group and partition parameters.
This command specifies whether or not the from subscriber and to subscriber traffic direction is reversed for this group-partition.
no aa-sub-remote
This command enables the context to configure cflowd parameters for the application assurance group.
This command configures a DNS IP cache used to snoop DNS requests generated by subscribers to populate a cache of IP addresses matching a specified list of domain names. In the context of URL content charging strengthening, it is also mandatory to specify a list of trusted DNS servers to populate the DNS IP cache.
This command configures a domain expression to populate the DNS IP cache, up to 32 domains can be configured.
This command configures a domain expression to populate the DNS IP cache. Up to 32 domains can be configured.
This command configures a DNS server-address. DNS responses from this DNS server are used to populate the dns-ip-cache. Up to 64 server-addresses can be configured.
ipv4-address | a.b.c.d[/mask] | |
mask - [1..32] | ||
ipv6-address | x:x:x:x:x:x:x:x/prefix-length | |
x:x:x:x:x:x:d.d.d.d | ||
x - [0..FFFF]H | ||
d - [0..255]D | ||
prefix-length | [1..128] |
This command configures the dns-ip-cache cache parameters.
This command configures the maximum number of entries in the cache.
10
This command configures the high watermark value for the DNS IP cache. When the number of IP addresses stored in the cache crosses above this threshold the system will generate a trap.
90
This command configures the low watermark value for the dns-ip-cache. If the dns-ip-cache has previously crosses the high-watermark value, the system will clear the trap in case the number of IP addresses stored in the cache crosses below the low-watermark value.
90
This command defines a flow data collector for cflowd data. The IP address of the flow collector must be specified. The UDP port number is an optional parameter. If it is not set, the default of 2055 is used.
This command enables the context to configure cflowd comprehensive statistics output parameters.
This command enables the context to perform configuration related to the export of AA cflowd records directly inband from AA instead of going through the CPM.
This command configures the cflowd direct export collector. Only one collector can be configured.
none
This command configures cflowd direct export collector remote address. Two addresses can be configured for each "collector"for redundancy. AA sends the same records to both at the same time.
No default ip-address. Default port is 4739.
This command configures the VLAN ID on which the ISA-AA is expected to be emitting traffic.
none
This command configures the cflowd RTP performance export.
This command configures an event log.
This command specifies the the type of buffer to be used in the event log.
linear
This command configures the number of entries in the buffer.
This command enables the context for configuring the target Syslog server.
shutdown
This command configures the target syslog host IP address.
none
This command configures the syslog facility. The syslog facility is an information field associated with a syslog message. It is defined by the syslog protocol and provides an indication of which part of the system originated the message.
local7
This command specifies the UDP port used by application assurance to inject the syslog events inband.
514
This command configures the syslog message severity level threshold.
info
This command configures the service port VLAN ID to be used by application assurance to inject the syslog events inband. This VLAN ID needs also to be configured for application assurance interface.
none
Description This command configures application groups to export performance records with cflowd.
The no form of the command removes the parameters from the configuration.
This command configures applications to export performance records with cflowd.
The no form of the command removes the parameters from the configuration.
This command configures specifies the per-flow sampling rate for the cflowd export of Application Assurance performance statistics.
The no form of the command reverts to the default.
no flow-rate
This command configures specifies the per-flow second sampling rate for the cflowd export of Application Assurance performance statistics.
The no form of the command reverts to the default.
no flow-rate
This command configures the period of time, in seconds, for the template to be retransmitted.
This command enables the context to configure Cflowd TCP performance export parameters.
This command configures the cflowd volume export.
This command configures the sampling rate of packets for the cflowd export of application assurance volume statistics.
The no form of the command reverts to the default value.
This command configures an HTTP error redirect policy. The policy contains important information relevant to the redirect server.
The no form of the command removes the redirect name from the group configuration.
none
This command refers to which HTTP status codes a redirect action is applied. Currently, only 404 http error code is supported. Only messages with sizes less than that configured here (custom-msg-size) are eligible for redirect action.
The no form of the command removes the parameters from the configuration.
Error code: none
This is a string that refers to the http host name of the landing server (barefurit or xerocole). It is used in the HTTP GET operation from the client (which is being redirected) to the redirect search landing server. It must contain a valid IP address or HTTP host name / URI for the HTTP GET from the client to the landing server to work.
The no form of the command removes the HTTP host string from the configuration.
none
This command specifies a 32-character string assigned to the operator by Barefruit. It is used by barefruit landing servers (applies to template # 1 only).
None
The redirect template refers to the template of parameters passed from the AA-ISA to the redirect server via JavaScript in the redirect packet. The template is specific to the redirect server being used in the network.
Currently, two partners are used and tested with AA-ISA redirect solution, Barefruit and Xerocole.
The no form of the command reverts to the default.
1 = referring to redirect format for Barefruit landing server.
1 = Barefruit specific template
2 = xerocole.specific template.
This command enables HTTP matching for all requests for a given HTTP expression.
The no form of the command restores the default (removes http-match-all-request for this particular expression) by this app-filter entry).
no http-match-all-requests
This command configures an http-notification object for subscriber in browser notification.
The no form of the command removes the http notification policy from the configuration.
This command configures the minimum interval in between notification messages. It can be set to one-time or a value in minutes from 1 to 1440.
The no form of the command removes the interval from the http-notification policy.
This command configures the template which defines the format and parameters included in the http notification message.
The no form of the command removes the template from the configuration.
This command configures the url of the script used by the http notification policy.
The no form of the command removes the script-url from the http-notification policy.
This command configures an HTTP redirect.
The no form of the command removes the http redirect policy from the configuration.
This command configures the captive redirect capability for an HTTP redirect policy. HTTP redirect policies using captive redirect can be used in conjunction with a session filter policy and will terminate TCP flows in the ISA-AA card before reaching the Internet to redirect subscribers to the predefined redirect URL. Non-HTTP TCP flows are TCP reset. Captive redirect uses the provisioned VLAN id to send the HTTP response to subscribers; therefore this VLAN id must be properly assigned in the same VPN as the subscriber. The operator can select the URL arguments to include in the redirect URL using either a specific template id or by configuring the redirect URL using one of the supported macro substitution keywords.
This command configures the VLAN id for captive redirect. Captive redirect uses the provisioned VLAN id to send the HTTP response to subscribers; therefore this VLAN id must be properly assigned in the same VPN as the subscriber.
This command configures the captive-redirect http-redirect policy to redirect HTTPs session to the configured redirect-url.
The no form of the command removes the redirect-https.
This command configures the http redirect URL which is the URL (page) that the user is redirected to when an HTTP redirect takes effect.
The operator can select the URL arguments to include in the redirect-url using either a specific template-id or by configuring the redirect-url using one of the supported macro substitution keywords.
The no form of the command removes the redirect-url field from the configuration.
$URL | The Request-URI in the HTTP GET Request received |
$SUB | - A string that represents the subscriber ID |
$IP | - A string that represents the IP address of the subscriber host |
$RTRID | - A string that represents the router ID |
$URLPRM | - The HTTP URL parameter associated with the subscriber |
This command enables an HTTP-redirect policy to initiate a TCP reset towards the client if the AA policy results in a redirect with packet drop but the http redirect cannot be delivered. Scenarios for this include HTTPs (TLS) sessions, blocking of non-HTTP TCP traffic, and blocking of existing flows after a policy re-evaluate of an existing subscriber.
The no form of the command disables the command.
This command configures the template that defines which parameters are appended to the HTTP host redirect field in the redirect message.
The HTTP redirect template provides HTTP 302 redirect containing only the URL specified in the redirect policy, with no other parameters.
The no form of the command removes the template from the configuration.
none
This command specifies whether X-Online-Host header field is used as a replacement for the HTTP Host header field.
The no form of the command disables the use of X-Online-Host header field used as a replacement.
This command configures an IP prefix list.
This command configures an HTTP enrichment policy.
The no form of the command removes the http enrichment policy from the configuration
none
This command configures what fields to be inserted into the HTTP header. The command is repeated for each field to be inserted. The same field cannot be inserted twice into the header under different header names.
The no form of the command removes the specified parameter so that it is not inserted into the http header.
none
This command configures an HTTP enrichment template field header name.
The no form of the command removes the http enrichment template field header name from the configuration.
none
This command configures the HTTP header enrichment anti-spoofing functionality.
The no form of the command disables anti-spoofing functionality.
no anti-spoof
This command configures an HTTP header enrichment template field static string.
The no form of the command removes the template field static string.
no static-string
This command configures an HTTP header enrichment template field static string.
The no form of the command removes the template field static string.
no static-string
This command defines a transit AA subscriber IP policy. Transit AA subscribers are managed by the system through the use of this policy assigned to services, which determines how transit subs are created and removed for that service.
The no form of the command deletes the policy from the configuration. All associations must be removed in order to delete a policy.
no transit-ip-policy
This command creates application assurance policer profile of a specified type. Policers can be bandwidth or flow limiting and can have a system scope (limits traffic entering AA ISA for all or a subset of AA subscribers), subscriber scope or granularity (limits apply to each AA subscriber traffic).
The policer type and granularity can only be configured during creation. They cannot be modified. The policer profile must be removed from all AQPs in order to be removed. Changes to policer profile parameters take effect immediately for policers instantiated as result of AQP actions using this profile..
The no form of the command deletes the specified policer from the configuration.
none
This command provides a mechanism to configure a policer to function at the GTP tunnel level. GTP tunnels are defined by a TEID and destination IP address as oppose to normal flows that are defined by IP 5 tuple values. By setting this value, the policer then can be used to limit GTP traffic (SeGW GTP firewall application).
The no form of the command resets policer behavior to act at the normal 5 tuple flow level and not at the GTP tunnel level
no gtp-traffic
This command configures the action to be performed by single-bucket bandwidth policers for non-conformant traffic.
Dual bucket bandwidth policers cannot have their action configured and always mark traffic below CIR in profile, between CIR and PIR out of profile, and drop traffic above PIR. Flow policers always discard non-conformant traffic. When multiple application assurance policers are configured against a single flow (including policers at both subscriber and system), the final action done to the flow/packet will be a logical OR of all policersí actions. For example, if only of the policers requires the packet to be discarded, the packet will be dropped regardless of the action of the other policers.
permit-deny
This command defines the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined option. To change the CIR adaptation rule only, the current PIR rule must be part of the command executed.
The no form of the command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for rate and cir apply.
closest
This command configures the flow count for the flow-count-limit policer. It is recommended to configure flow count subscriber-level policer for AA subscribers to ensure fair usage of flow resources between AA subscribers.
This command provides a mechanism to configure the committed burst size for the policer. It is recommended that CBS is configured larger than twice the maximum MTU for the traffic handled by the policer to allow for some burstiness of the traffic. CBS is configurable for dual-bucket bandwidth policers only.
The no form of the command resets the cbs value to its default.
0
This command provides a mechanism to configure the maximum burst size for the policer. It is recommended that MBS is configured larger than twice the MTU for the traffic handled by the policer to allow for some burstiness of the traffic. MBS is configurable for single-bucket, dual-bucket bandwidth and flow setup rate policers only.
The no form of the command resets the MBS value to its default.
0
This command configures the administrative PIR and CIR for bandwidth policers and flow setup rate limits for flow policers. The actual rate sustained by the flow can be limited by other policers that may be applied to that flow’s traffic. This command does not apply to flow-count-limit policers. The cir option is applicable only to dual-bucket bandwidth policers. It is recommended to configure flow setup rate subscriber-level policer for AA subscribers to ensure fair usage of flow resources between AA subscribers.
The no form of the command resets the values to defaults.
0
This commands creates a time of day override policy for a given policer. Up to 8 overrides can be configured per policer. Rate/mbs/cbs/flow-rate/flow-count configured in each override-id will override the default policer values at the specified time of day configured in the override.
none
This command configures the time-range applicable to a particular override-id. The time-range can be configured as daily or weekly policies.
When using a daily override the operator can select which day(s) during the week from Sunday to Saturday it is applicable along with the start/end hour/min time range repeated over the(se) day(s).
When using a weekly override the operator can select between which days in the week the policy start up to the hours/min for both start day and end day.
no time-range
start-time | daily | <hh>:<mm> |
weekly | <day>,<hh>:<mm> | |
<hh> : 0..23 | ||
<mm> : 0 | 15 | 30 | 45 | ||
end-time | daily | <hh>:<mm> |
weekly | <day>,<hh>:<mm> | |
<hh> 0..23 | ||
<mm> 0 | 15 | 30 | 45 | ||
day | sunday | monday | tuesday | wednesday | thursday | friday | saturday | |
This command enables the context to configure parameters for application assurance policy. To edit any policy content begin command must be executed first to enter editing mode. The editing mode is left when the abort or commit commands are issued.
This command ends the current editing session and aborts any changes entered during this policy editing session.
This command begins a policy editing session.
The editing session continues until one of the following conditions takes place:
The editing session is not interrupted by:
This command commits changes made during the current editing session. None of the policy changes done will take effect until commit command is issued. If the changes can be successfully committed, no errors detected during the commit during cross-reference verification against exiting application assurance configuration, the editing session will also be closed.
The newly committed policy takes affect immediately for all new flows, existing flows will transition onto the new policy shortly after the commit.
This command creates an application group for an application assurance policy.
The no form of the command deletes the application group from the configuration. All associations must be removed in order to delete a group.
no app-group
This command creates a charging group for an application assurance policy.
The no form of the command deletes the charging group from the configuration. All associations must be removed in order to delete a group.
no charging-group
This command associates an application or app-group to an application assurance charging group.
The no form of the command deletes the charging group association.
no charging-group
This command assigns an export-id value to a charging group app-group or application to be used for accounting export identification in RADIUS accounting. This ID is encoded in the top 2 bytes of the RADIUS accounting VSA to identify which charging group the counter value represents.
If no export-id is assigned, that counter cannot be added to the aa-sub stats RADIUS export-type. Once a charging group index is referenced, it cannot be deleted without removing the reference.
The no form of the command removes the export-id from the configuration.
no export-id
This command enables the context to configure an application filter for application assurance.
This command enables the context to configure an application QoS policy.
This command enables the context to configure application service option characteristics.
This command associates a charging group to any applications or app-groups that are not explicitly assigned to a charging group, for an application assurance policy.
The no form of the command deletes the default charging group from the configuration.
no default-charging-group
This command compares the newly configured policy against the operational policy.
This command creates an application of an application assurance policy.
The no form of the command deletes the application. To delete an application, all associations to the application must be removed.
none
This command enables the context to configure policy override parameters.
This command specifies a given SAP or SDP to be used for a static policy override.
The no form of the command removes the policy override.
This command configure an override characteristic and value.
This command associates an application with an application group of an application assurance policy.
none
This command creates an application filter entry.
App filter entries are an ordered list, the lowest numerical entry that matches the flow defines the application for that flow.
An application filter entry or entries configures match attributes of an application.
The no form of this command deletes the specified application filter entry.
none
This command assigns this application filter entry to an existing application. Assigning the entry to Unknown application restores the default configuration.
unknown application
This command configures string values to use in the application definition.
http-host | http-uri | http-referer | http-user-agent |
sip-ua | sip-uri | sip-mt | citrix-app | h323-product-id | tls-cert-subj-org-name | tls-cert-subj-common-name | rtsp-host | rtsp-uri | rtsp-ua
http-host — Matches the string against the HTTP Host field or TLS Server Name Indicator (SNI).
http-uri — Matches the string against the HTTP URI field.
http-referer — Matches the string against the HTTP Referer field.
http-user-agent — Matches the string against the HTTP User Agent field.
sip-ua — Matches the string against the SIP UA field.
sip-uri — Matches the string against the SIP URI field.
sip-mt — Matches the string against the SIP MT field.
citrix-app — Matches the string against the Citrix app field.
h323-product-id — Matches the string against the h323-product-id field.
tls-cert-subj-org-name — Matches the TLS Certificate Subject Organization Name substring.
tls-cert-subj-common-name — Matches the TLS Certificate Subject Common Name substring.
rtsp-host — Matches the Real Time Streaming Protocol (RTSP) substring host.
rtsp-uri — Matches the RTSP URI substring.
rtsp-ua — Matches the RTSP UA substring.
rtmp-page-host — Matches against the RTMP Page Host Field
rtmp-page-uri — Matches against the RTMP Page URI Field
rtmp-swf-host — Matches against the RTMP Swf Host Field
rtmp-swf-uri — Matches against the RTMP Swf URI Field
The following syntax is permitted within the substring to define the pattern match criteria:
^<substring>* - matches when <substring> is at the beginning of the object.
*<substring>* - matches when <substring> is at any place within the object.
*<substring>$ - matches when <substring> is at the end of the object.
^<substring>$ - matches when <substring> is the entire object.
* - matches zero to many of any character. A single wildcard as infix in the expression is allowed.
\. - matches any single character
\d - matches any single decimal digit [0-9]
\I - forces case sensitivity (by default, the expression match are case insensitive), the \I can be specified anywhere between
the leading [^*] and trailing [$*]
\* - matches the asterisk character
Rules for <substring> characters:
<substring> must contain printable ASCII characters.
<substring> must not contain the “double quote” character or the “ ” (space) character on its own.
<substring> match is case in sensitive by default.
<substring> must not include any regular expression meta-characters other than "*", "\I", "\.", "\*" and "\d".
The “\” (slash) character is used as an ESCAPE sequence. The following ESCAPE sequences are permitted within the <substring>:
Character to match <substring> input
Hexidecimal Octet YY \xYY
A <substring> that uses the '\' (backslash) ESCAPE character which is not followed by a “\” or “\x” and a 2-digit hex octet is not valid.
Operational notes:
This command configures the direction of flow setup to which the application filter entry is to be applied.
both
This command configures the IP protocol to use in the application definition.
The no form of the command restores the default (removes IP protocol number from application criteria defined by this app-filter entry).
none
The no form the command removes the protocol from the match criteria.
This command configures the network address to use in application definition. The network address will match the destination IP address in a from-sub flow or the source IP address in a to-sub flow.
The no form of the command restores the default (removes the network address from application criteria defined by this entry).
no net-address
ipv4-address | a.b.c.d[/mask] |
mask - [1..32] | |
ipv6-address | x:x:x:x:x:x:x:x/prefix-length |
x:x:x:x:x:x:d.d.d.d | |
x - [0..FFFF]H | |
d - [0..255]D | |
prefix-length [1..128] |
This command configures the server address to use in application definition. The server IP address may be the source or destination, network or subscriber IP address.
The no form of the command restores the default (removes the server address from application criteria defined by this entry).
no net-address
ipv4-address | a.b.c.d[/mask] |
mask - [1..32] | |
ipv6-address | x:x:x:x:x:x:x:x/prefix-length |
x:x:x:x:x:x:d.d.d.d | |
x - [0..FFFF]H | |
d - [0..255]D | |
prefix-length [1..128] |
This command specifies the server TCP or UDP port number to use in the application definition.
The no form of the command restores the default (removes server port number from application criteria defined by this app-filter entry).
no server-port (the server port is not used in the application definition)
This command configures protocol signature in the application definition.
The no form of the command restores the default (removes protocol from match application defined by this app-filter entry).
no protocol
This command creates an application profile and enables the context to configure the profile parameters.
The no form of the command removes the application profile from the configuration.
none
This command configures an application profile capacity cost. Capacity-Cost based load balancing allows a cost to be assigned to diverted SAPs (with the app-profile) and this is then used for load-balancing SAPs between ISAs as well as for a threshold that notifies the operator if/when capacity planning has been exceeded.
This command assigns one of the existing values of an existing application service option characteristic to the application profile.
The no form of the command removes the characteristic from the application profile.
none
This command enables the redirection of traffic to AA ISA for the system-wide forwarding classes diverted to application assurance (divert-fc) for AA subscribers using this application profile.
The no form of the command stops redirect of traffic to AA ISAs for the AA subscribers using this application profile.
no divert
This command configures an app-profile as “aa-sub-suppressible”, this function is used in the context of an SRRP group interface. If an SRRP group interface is configured as “suppress-aa-sub” then subscribers with an app-profile configured as “aa-sub-suppressible” will not be diverted to Application Assurance.
The no form of the command restores the default behavior.
no aa-sub-suppressible
This command creates an application QoS policy entry. A flow that matches multiple Application QoS policies (AQP) entries will have multiple AQP entries actions applied. When a conflict occurs for two or more actions, the action from the AQP entry with the lowest numerical value takes precedence.
The no form of this command deletes the specified application QoS policy entry.
none
This command enables the context to configure AQP actions to be performed on flows that match the AQP entry’s match criteria.
This command assigns an existing bandwidth policer as an action on flows matching this AQP entry. The match criteria for the AQP entry must specify a uni-directional traffic direction before a policer action can be configured. If a policer is used in one direction in an AQP match entry the same policer name cannot be used by another AQP entry which uses a different traffic direction match criteria.
When multiple policers apply to a single flow, the final action on a packet is the worse case of all policer outcome (for example, if one of the policers marks packet out of profile, the final marking will reflect that).
The no form of the command removes bandwidth policer from actions on flows matching this AQP entry.
no bandwidth-policer
This command configures the drop action on flows matching this AQP entry. When enabled, all flow traffic matching this AQP entry will be dropped. When drop action is part of a set of multiple actions to be applied to a single flow as result of one or more AQP entry match, drop action will be performed first and no other action will be invoked on that flow.
The no form of the command disables the drop action on flows matching this AQP entry.
no drop
This command configures a drop action for error flows (bad IP checksums, tcp/udp port 0, etc.).
This command assigns an existing flow count limit policer as an action on flows matching this AQP entry.
The match criteria for the AQP entry must specify a uni-directional traffic direction before a policer action can be configured. If a policer is used in one direction in an AQP match entry the same policer name cannot be used by another AQP entry which uses a different traffic direction match criteria.
When multiple policers apply to a single flow, the final action on a packet is the worse case of all policer outcome (for example, if one of the policers marks packet out of profile, the final marking will reflect that).
The no form of the command removes this flow policer from actions on flows matching this AQP entry.
no flow-count-limit
This command assigns an existing flow setup rate limit policer as an action on flows matching this AQP entry.
The match criteria for the AQP entry must specify a uni-directional traffic direction before a policer action can be configured. If a policer is used in one direction in an AQP match entry the same policer name cannot be used by another AQP entry which uses a different traffic direction match criteria.
When multiple policers apply to a single flow, the final action on a packet is the worse case of all policer outcome (for example, if one of the policers marks packet out of profile, the final marking will reflect that).
The no form of the command removes this flow policer from actions on flows matching this AQP entry.
no flow-rate-limit
This command specifies the action to apply to fragments.
This command assigns an existing gtp filter as an action on flows matching this AQP entry.
The no form of the command removes this gtp filter from actions on flows matching this AQP entry.
no gtp-filter
This command assigns an existing sctp filter as an action on flows matching this AQP entry.
The no form of the command removes this sctp filter from actions on flows matching this AQP entry.
no gtp-filter
This command configures a the HTTP header enrichment template name that will be applied as defined in the tmnxBsxHttpEnrichTable. An empty value specifies no HTTP header enrichment template.
This command assigns an existing http redirect policy as an action on flows matching this AQP entry.
The redirect only takes effect if the matching flows are HTTP and the condition specified after the http-redirect command, admitted flows or dropped-flows, is met. The condition specified by “dropped-flows” means the flow is dropped due to an AQP actions such as “flow rate/count policers” or “drop” actions. HTTP Policy Redirect on admitted-flows allows the operator to redirect HTTP traffic to a web portal while allowing non-HTTP matching the same AQP rule to be forwarded.
No HTTP redirect will take place if HTTP redirect action and a “drop/flow-police” action are part of the default AQP policy, because in this case, any flow drop actions will take place before identification of the application/application-group.
The no form of the command removes http redirect from actions on flows matching this AQP entry.
no http-redirect
This command specifies the HTTP error redirect that will be applied as defined in the redirect table. An empty value specifies no HTTP error redirect.
This command configures an HTTP redirect action for flows of a specific type matching this entry
no http-redirect
This command configures a url-filter action for flows matching this entry.
This command configures the value to adjust the TCP Maximum Segment Size (MSS) option. The no form of the command disables the segment size adjustment.
no tcp-mss-adjust
This command enables the system to use the value of the characteristic name specified in the app-qos-policy url-filter action for the configurable ICAP x-header name provisioned in the url-filter policy. The ICAP server can then use this value to decide which url-filter policy to apply instead of applying a filter policy based on the subscriber name.
This command configures an HTTP notification action for flows matching this entry.
This command configures an application-based policy mirroring service that uses this AA ISA group’s AQP entry as a mirror source. When configured, AQP entry becomes a mirror source for IP packets seen by the AA (the mirrored packet is an IP packet analyzed by AA and does not include encapsulations present on the incoming interfaces).
no mirror-source
This command configures remark action on flows matching this AQP entry.
This command enables the context to configure DSCP remark action or actions on flows matching this AQP entry. When enabled, all packets for all flows matching this AQP entry will be remarked to the configured DSCP name.
DSCP remark can only be applied when the entry remarks forwarding class or forwarding class and priority. In-profile and out-of profile of a given packet for DSCP remark is assessed after all AQP policing and priority remarking actions took place.
The no form of the command stops DSCP remarking action on flows matching this AQP entry.
This command configures remark FC action on flows matching this AQP entry. When enabled, all packets for all flows matching this AQP entry will be remarked to the configured forwarding class.
The no form of the command stops FC remarking action on packets belonging to flows matching this AQP entry
This command configures remark discard priority action on flows matching this AQP entry. When enabled, all packets for all flows matching this AQP entry will be remarked to the configured discard priority.
no priority
This command specifies the Application-Assurance session filter that will be evaluated. If no session filters are specified then no session filters will be evaluated.
none
This command enables the context to configure flow match rules for this AQP entry. A flow matches this AQP entry only if it matches all the match rules defined (logical and of all rules). If no match rule is specified, the entry will match all flows.
This command specifies a Service Access Point (SAP) or an ESM subscriber as matching criteria.
The no form of the command removes the SAP or ESM matching criteria.
This command adds app-group to match criteria used by this AQP entry.
The no form of the command removes the app-group from match criteria for this AQP entry.
no app-group
This command adds an application to match criteria used by this AQP entry.
The no form of the command removes the application from match criteria for this AQP entry.
no application
This command adds an existing characteristic and its value to the match criteria used by this AQP entry.
The no form of the command removes the characteristic from match criteria for this AQP entry.
no characteristic
This command adds charging-group to match criteria used by this AQP entry.
The no form of the command removes the charging-group from match criteria for this AQP entry.
no charging-group
This command adds a DSCP name to the match criteria used by this entry.
The no form of the command removes dscp from match criteria for this entry.
no dscp
This command specifies a destination IP address to use as match criteria.
ipv4-address | a.b.c.d[/mask] |
mask - [1..32] | |
ipv6-address | x:x:x:x:x:x:x:x/prefix-length |
x:x:x:x:x:x:d.d.d.d | |
x - [0..FFFF]H | |
d - [0..255]D | |
prefix-length [1..128] |
This command specifies a destination TCP/UDP port or destination range to use as match criteria.
The no form of the command removes the parameters from the configuration.
This command configures the IP protocol to use to use as match criteria.
The no form the command removes the protocol from the match criteria.
none
This command specifies a source TCP/UDP address to use as match criteria.
ipv4-address | a.b.c.d[/mask] |
mask - [1..32] | |
ipv6-address | x:x:x:x:x:x:x:x/prefix-length |
x:x:x:x:x:x:d.d.d.d | |
x - [0..FFFF]H | |
d - [0..255]D | |
prefix-length [1..128] |
This command specifies a source IP port or source range to use as match criteria.
The no form of the command removes the parameters from the configuration.
This command specifies the direction of traffic where the AQP match entry will be applied.
To use a policer action with the AQP entry the match criteria must specify a traffic-direction of either subscriber-to-network or network-to-subscriber.
both
This command creates the characteristic of the application service options.
The no form of the command deletes characteristic option. To delete a characteristic, it must not be referenced by other components of application assurance.
none
This command assigns one of the characteristic values as default.
When a default value is specified, app-profile entries that do not explicitly include this characteristic inherit the default value and use it as part of the AQP match criteria based on that app-profile.
A default-value is required for each characteristic. This is evaluated at commit time.
The no form of the command removes the default value for the characteristic.
none
This command configures a characteristic value.
The no form of the command removes the value for the characteristic.
none
This command creates and enters configuration context for custom protocols. Custom protocols allow the creation of TCP and UDP-based custom protocols ( based on the ip-protocol-num option) that employ pattern-match at offset in protocol signature definition.
Operator-configurable custom-protocols are evaluated ahead of any Alcatel-Lucent provided protocol signature in order of custom-protocol-id (the lower ID is matched first in case of flow matching multiple custom-protocols) within the context the protocol is defined.
Custom protocols must be created before they can be used in application definition but do not have to be enabled. To reference a custom protocol in application definition, or any other CLI configuration one must use protocol name that is a concatenation of “custom_” and <custom-protocol-id>, (for example custom_01, custom_02 ... custom_10, etc.). This concatenation is also used when reporting custom protocol statistics.
This command configures an expression string value for pattern-based custom protocols match. A flow matches a custom protocol if the specified string is found at an offset of a TCP/UDP of the first payload packet.
Options:
The no form of this command deletes a specified string expression from the definition.
The “\” (slash) character is used as an ESCAPE sequence. The following ESCAPE sequences are permitted within the expr-string:
Character to match expr-string input
Hexidecimal Octet YY \xYY
An expr-string that uses the '\' (backslash) ESCAPE character which is not followed by a “\” or “\x” and a 2-digit hex octet is not valid.
This command creates a session filter.
This command specifies the default action to take for packets that do not match any filter entries.
The no form of the command reverts the default action to the default value (forward).
deny
This command configures a particular Application-Assurance session filter match entry. Every session filter can have zero or more session filter match entries. An application filter entry or entries configures match attributes of an application.
The no form of this command deletes the specified entry.
none
This command enables the context to configure session conditions for this entry.
This command configures a DNS IP cache using session filter DST IP match criteria. It is typically combine with an allow action in the context of captive-redirect.
This command configures the action for this entry.
This command configures a session filter entry action to HTTP redirect the subscriber flows. The HTTP redirect policy referenced within this session filter entry is configured for captive redirect with the appropriate VLAN id assigned.
This command enables the context to configure accounting and billing statistics for this AA ISA group.
This command enables the context to configure admit-deny statistics generation.
This command configures whether to include or exclude GTP filter admit-deny statistics in accounting records.
no gtp-filter-stats
This command configures whether to include or exclude system and subscriber-level flow count and flow-setup rate policer admit-deny statistics in accounting records.
no policer-stats
This command allows the operator to allocate or deallocate AA partition resources for policer admit-deny statistics.
no policer-stats-resources
This command configures whether to include or exclude SCTP filter admit-deny statistics in accounting records.
no sctp-filter-stats
This command configures whether to include or exclude session filter admit-deny statistics in accounting records.
no session-filter-stats
This command enables the context to configure accounting and statistics collection parameters per system for application groups of application assurance for a given AA ISA group/partition.
The no form of the command removes the application group name.
none
Usage monitoring must be enabled at the group:partition level (config>app-assure>group>statistics>aa-sub>usage-monitoring) as well in order to allow any application/application group/charging group usage monitoring.
This command enables the context to configure accounting and statistics collection parameters per application assurance subscribers.
This command enables the context to configure accounting and statistics collection parameters per application assurance special study subscribers.
This command configures aa-sub accounting statistics for export of applications of a given AA ISA group/partition.
The no form of the command removes the application name.
none
Usage monitoring must be enabled at the group:partition level (config>app-assure>group>statistics>aa-sub>usage-monitoring) as well in order to allow any application/application group/charging group usage monitoring.
This command configures aa-sub accounting statistics for export of charging groups of a given AA ISA group/partition.
The no form of the command removes the parameters from the configuration.
none
Usage monitoring must be enabled at the group:partition level (config>app-assure>group>statistics>aa-sub>usage-monitoring) as well in order to allow any application/application group/charging group usage monitoring.
This command specifies the exisiting accounting policy to use for AA. Accounting policies are configured in the config>log>accounting-policy context.
This command configures aa-sub accounting statistics for export of aggregate statistics of a given subscriber.
none
This command enables the context to configure accounting and statistics collection parameters per-system for protocols of application assurance for a given AA ISA group/partition.
This command adds an existing subscriber identification to a group of special study subscribers (for example, subscribers for which per subscriber statistics and accounting records can be collected for protocols and applications of application assurance).
The no form of the command removes the subscriber from the special study subscribers.
Up to 100 subscribers can be configured into the special study group for protocols and up to a 100 potentially different subscribers can be configured into the special study group for applications.
When adding a subscriber to the special study group, accounting records and statistics generation will commence immediately. When removing a subscriber from the group, special study statistics and accounting records for that subscriber in the current interval will be lost.
none
This command enables statistic collection within the applicable context.
disabled
This command enables traffic type statistics collection within an aa-partition.
The no form of the command disables traffic type statistics collection.
This command is to only to EPC. When enabled, TCP errors and retransmission packets are not counted for the purpose of CBC. This setting has no impact on app/app-group aggregate AA stats.
This command enables the collection of max-throughput statistics.
The no form of the command disables the collection.
This command configures aa-sub accounting statistics for export of protocols of a given AA ISA group/partition.
The no form of the command removes the protocol name.
none
This command specifies an existing subscriber RADIUS based accounting policy to use for AA. RADIUS Accounting policies are configured in the config>application-assurance>radius-accounting-policy context.
This command enables Gx usage monitoring the given AA group/partition. It can only be enabled if there is enough usage monitoring resources for all existing subs. Once disabled, all monitoring instances for AA subscriber(s) are silently removed (no PCRF notifications) and all subsequent AA Gx usage monitoring messages are ignored.
Disabled for Gx usage monitoring.
This command enables the context to configure the generation of threshold crossing alerts (TCAs).
This command configures a TCA for the counter capturing error drops. An error drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating an error-drop TCA.
none
This command configures a TCA for the counter capturing drops due to the fragment-drop- all AQP command. A fragment-drop-all TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a fragment-drop-all TCA.
none
This command configures a TCA for the counter capturing drops due to the fragment-drop- out-of-order AQP command. A fragment-drop-out-of-order TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a fragment-drop-out-of-order TCA.
none
This command configures TCA generation for a GTP filter.
none
This command configures a TCA for the counter capturing drops due to the GTP filter maximum payload length. A maximum payload length drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a maximum payload length drop TCA.
none
This command configures a TCA for the counter capturing hits due to the GTP filter message type.
none
This command configures a TCA for the counter capturing hits for the specified GTP filter default action. A default action TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.
none
This command configures a TCA for the counter capturing hits for the specified GTP filter entry. A GTP filter entry TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.
none
This command configures a TCA for the counter capturing hits for the GTP filter header sanity. A GTP filter header-sanity TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.
none
This command configures a TCA for the counter capturing drops due to basic GTP header sanity checks, such as validating that the GTP-U version is 1 and that the protocol bit is set to 1 for UDP traffic destined to port 2152. A GTP sanity drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.
none
This command configures a TCA for the counter capturing drops due to the overload-drop AQP command. An overload-drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating an overload-drop TCA.
none
This command configures a TCA for the counter capturing drops or admit events due to the specified flow policer. A policer TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a policer TCA.
none
This command configures TCA generation for an SCTP filter.
none
This command configures a TCA for the counter capturing packet sanity hits for the specified SCTP filter. A packet sanity TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.
none
This command configures a TCA for the counter capturing PPID hits for the specified SCTP filter.
none
This command configures a TCA for the counter capturing hits for the specified SCTP filter default PPID. A default action TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.
none
This command configures a TCA for the counter capturing hits for the specified SCTP filter PPID entry. An SCTP filter entry TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.
none
This command configures a TCA for the counter capturing hits for the specified SCTP filter PPID range command. An PPIPD range TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.
none
This command configures TCA generation for a session filter.
none
This command configures a TCA for the counter capturing hits for the specified session filter default action. A default action TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.
none
This command configures a TCA for the counter capturing hits for the specified session filter entry. A session filter entry TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.
none
This command configures the high watermark and low watermark thresholds for the specified TCA.
This command defines a transit AA subscriber IP policy. Transit AA subscribers are managed by the system through the use of this policy assigned to services, which determines how transit subs are created and removed for that service.
The no form of the command deletes the policy from the configuration. All associations must be removed in order to delete a policy.
no transit-ip-policy
This command enables the context to configure dynamic Diameter-based management of transit AA subs for the transit IP policy. This is mutually exclusive to other types of management of transit subs for a given transit IP policy.
This command specifies the Diameter application to be used by seen IP transit subs. The application policy is defined using the config>subscr-mgmt>diameter-application-policy command.
The no form of the command removes the policy.
no application-policy
This command removes all transit-AA subs created via Diameter on this transit AA subscriber IP policy and clears all corresponding Diameter sessions.
This command allows AA to treat traffic on UDP port number 2152 as GTP-u. Without further specifying any other parameters within this GTP context, AA performs basic GTP-u header sanity checks and discards packets that are malformed. This GTP context allows the operator to configure various GTP filters (maximum of 128 GTP filters).
shutdown
This command allows AA to treat traffic on UDP port number 2152 as GTP-u. Without further specifying any other parameters within this GTP context, AA performs basic GTP-u header sanity checks and discards packets that are malformed. This GTP context allows the operator to configure various GTP filters (maximum of 128 GTP filters).
no gtp-filter
This command specifies the maximum allowed GTP payload size.
The no form of the command removes this gtp message length filter.
no max-payload-length
This command specifies the context for configuration of GTP message-type filtering.
None. If no message-type is specified within a filter, then all GTP message types are allowed.
Thios command configures the default action for all GTP message types.
This command configures an entry for a specific GTP message type value.
This command specifies if a GTP message-type is allowed or not.
The no form of the command removes this gtp message-type. The default action for the gtp-filter>message-type is applied.
none
This command enables the context to configure Stream Control Transmission Protocol (SCTP) parameters.
The no form of the command removes this filter.
no sctp-filter
This command enables the context to configure actions for specific or default Payload Protocol Identifiers (PPIDs).
This command configures the default action for all SCTP PPIDs.
permit
This command specifies the range of PPID values that are allowed by AA SCTP filter firewall.
The no form of the command removes this PPID range.
None
This command specifies if an SCTP PPID value is allowed or not.
The no form of the command removes this PPID. In which case, the default action for the sctp-filter>ppid is applied.
None
This command allows AA to perform AQP lookups on flows prior to complete application identification. As usual, AQP will be looked up again on identification complete. Without this, AA executes AQPs that are part of what so called “sub-default policy”. Sub-default policy is formed by regular AQPs that contain ASOs, subID and/or flow direction as matching condition(s).
This behavior is required, for example, in order to be able apply GTP and SCTP filtering on the first packet of a new GTP/SCTP flow (AQP matching conditions in this case contains protocol id).
The no form of the command forces complete AQP look up on identification finish stage only
no aqp-initial-lookup
This command enables dynamic DHCP-based management of transit aa-subs for the transit-ip-policy. This is mutually exclusive to other types management of transit subs for a given transit-ip-policy.
This command configures a transit IP policy IPv6 address prefix length.
0
This command enables dynamic radius based management of transit aa-subs for the transit-ip-policy. This is mutually exclusive to other types management of transit subs for a given transit-ip-policy.
This command configures the RADIUS authentication-policy for the IP transit policy.
This command refers to a RADIUS accounting-policy to enable seen-IP notification.
The no form of the command removes the policy.
no seen-ip-radius-acct-policy
This command configures static transit aa-subs with a name and an app-profile. A new transit sub with both a name and an app-profile is configured with the create command. Static transit aa-sub must have an explicitly assigned app-profile. An existing transit sub can optionally be assigned a different app-profile, or this command can be used to enter the static-aa-sub context.
The no form of the command deletes the named static transit aa-sub from the configuration.
no transit-ip-policy
This command configures the /32 ip address for a static transit aa-sub.
The no form of the command deletes the ip address assigned to the static transit aa-sub from the configuration.
no ip
ipv6-address/prefix: | ipv6-address x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x [0 — FFFF]H | |
d [0 — 255]D | |
prefix-length /32 to /64 |
This command associates a subscriber identification policy to this SAP. The subscriber identification policy must be defined prior to associating the profile with a SAP in the config>subscribermgmt>sub-ident-policy context.
Subscribers are managed by the system through the use of subscriber identification strings. A subscriber identification string uniquely identifies a subscriber. For static hosts, the subscriber identification string is explicitly defined with each static subscriber host.
For dynamic hosts, the subscriber identification string must be derived from the DHCP ACK message sent to the subscriber host. The default value for the string is the content of Option 82 CIRCUIT-ID and REMOTE-ID fields interpreted as an octet string. As an option, the DHCP ACK message may be processed by a subscriber identification policy which has the capability to parse the message into an alternative ASCII or octet string value.
When multiple hosts on the same port are associated with the same subscriber identification string they are considered to be host members of the same subscriber.
A sub-ident-policy can also used for identifying dynamic transit subscriber names.
The no form of the command removes the default subscriber identifcationidentification policy from the SAP configuration.
no sub-ident-policy
This command enables seen-IP auto creation of transit subscribers using the transit-IP-policy name nd subscriber IP address as the AA-sub name. The default app-profile configured against the transit-ip-policy is applied to these subscribers.
disabled
This command defines the number of transit-prefix IPv4 entries for an ISA.
The no form of the command removes the assignment of entries space from the configuration. All entries must be removed in order to delete the configuration.
This command configures the ISA-AA-group transit prefix IPv4 remote entry limit. This entry space is allocated on the IOM within a common area with the second MDA/ISA position of the IOM and also used for IPv4filter entries for system SDPs. The per-ISA size allocated for transit-prefix-ipv4 entries should be set to allow sufficient space on the IOM for SDP IPv4 filters.
The no form of the command removes the assignment of entries space from the configuration. All entries must be removed in order to delete the configuration.
This command configures the ISA-AA-group transit prefix IPv6 entry limit for each ISA in the group. This entry space is allocated on the IOM within a common area with the second MDA / ISA position of the IOM and also used for ipv6-filter entries for system SDPs. The per-ISA size allocated for transit-prefix-ipv6 entries should be set to allow sufficient space on the IOM for SDP ipv6-filters.
The no form of the command removes the assignment of entries space from the configuration. All entries must be removed in order to delete the configuration.
This command configures the ISA-AA-group transit prefix IPv6 remote entry limit. This entry space is allocated on the IOM within a common area with the second MDA/ISA position of the IOM and also used for IPv6filter entries for system SDPs. The per-ISA size allocated for transit-prefix-ipv6 entries should be set to allow sufficient space on the IOM for SDP IPv6 filters.
The no form of the command removes the assignment of entries space from the configuration. All entries must be removed in order to delete the configuration.
This command associates a transit aa subscriber prefix policy to the service. The transit prefix policy must be defined prior to associating the policy with a SAP in the config>application assurance>group>policy>transit-prefix-policy context.
The no form of the command removes the association of the policy to the service.
This command defines a transit aa subscriber prefix policy. Transit AA subscribers are managed by the system through the use of this policy assigned to services, which determines how transit subs are created and removed for that service.
The no form of the command deletes the policy from the configuration. All associations must be removed in order to delete a policy.
This command configures the index to a specific entry of a transit prefix policy.
The no form of the command removes the entry ID from the transit prefix policy configuration.
none
This command configures a transit prefix policy entry subscriber.
The no form of the command removes the transit subscriber name from the transit prefix policy configuration.
none
This command enables the context to configure transit prefix policy entry match criteria.
This command configures a transit prefix subscriber ip address prefix. It is used when the site is on the local side, being the same side of the system as the parent SAP. The local aa-sub-ip addresses represent the src-IP in the from-SAP direction and dest-IP in the to-SAP direction.
The no form of the command deletes the aa-sub-ip address assigned from the entry configuration.
no aa-sub-ip
ip-address[/mask] : | ipv4-address - a.b.c.d[/mask] |
mask - [1..32] | |
ipv6-address - x:x:x:x:x:x:x:x/prefix-length | |
x:x:x:x:x:x:d.d.d.d | |
x - [0..FFFF]H | |
d - [0..255]D | |
prefix-length [1..128] |
This command configures an entry for an address of prefix transit aa-sub and is used when the site is a remote site on the same opposite side of the system as the parent SAP. The network IP addresses represents the dest-IP in the from-SAP direction and src-IP in the to-SAP direction.
The no form of the command removes the network IP address/mask from the match criteria.
ip-address[/mask] : | ipv4-address - a.b.c.d[/mask] |
mask - [1..32] | |
ipv6-address - x:x:x:x:x:x:x:x/prefix-length | |
x:x:x:x:x:x:d.d.d.d | |
x - [0..FFFF]H | |
d - [0..255]D | |
prefix-length [1..128] |
This command configures a static transit aa-sub with a name and an app-profile. A new transit sub with both a name and an app-profile is configured with the create command. Static transit aa-sub must have an explicitly assigned app-profile. An existing transit sub can optionally be assigned a different app-profile, or this command can be used to enter the static-aa-sub context.
The no form of the command deletes the named static transit aa-sub from the configuration.
This command configures static remote transit aa-subs with a name and an app-profile. Remote transit subscribers are configured for sites on the opposite side of the system as the parent SAP/spoke- SDP. A new remote transit sub with both a name and an app-profile is configured with the create command. Static remote transit aa-subs must have an explicitly assigned app-profile. An existing remote transit sub can optionally be assigned a different app-profile.
The no form of the command removes the name from the transit prefix policy.
This commands specifies which ISA card and which VLAN is used by a given AA Interface.
no sap
This commands performs a group-specific upgrade.
This command configures a url-list object. The url-list points to a file containing a list of URLs located on the system Compact Flash. The url-list is then referenced in a url-filter object in order to filter and redirect subscribers when a URL from this file is accessed.
The no form of the command removes the url-list object.
In case the file is encrypted this command is used to configure the decryption key used to read the file.
The no form of the command removes the url-list object.
This command specifies the file for the URL list.
The no form of the command removes the url-list object.
This command specifies the size of the URL list that can be filtered. The size can be set to either standard or extended. Configuring the specified url-list as extended provides support for filtering on a larger number of URLs.
standard
This command configures a URL filter action for flows of a specific type matching this entry.
If no URL filters are specified then no URL filters will be evaluated.
This commands creates a new AA interface within an IES or VPRN service. It is used by the aa-isa to send/receive IPv4 traffic. In the context of ICAP url-filtering this interface is used by the ISA to establish ICAP TCP connections to the ICAP server(s).
This interface supports /31 subnet only, and uses by default .1q encapsulation.
The system will automatically configure the ISA IP address based on the address configured by the operator under the aa-interface object (which represents the ISA sap facing interface on the ISA).
no aa-interface
This command configures the default action to take when the ICAP server is unreachable.
HTTP Filtering can either be enabled for all HTTP request within a flow or limited to the first HTTP request in a flow.
all
This command specifies the HTTP redirect that will be applied when the Internet Content Adaptation Protocol (ICAP) server blocks an HTTP request.
none
This command configures the IP address and server port of the ICAP server.
none
This command configures the VLAN ID on which the ISA-AA is expected to be emitting traffic mapping to a pre-configured aa-interface.
This command configures the url-filter ICAP policy to include a new x-header field; the content of the x-header is populated based on AQP url-filter action which can optionally specify the ASO characteristic value to include in the x-header.
This command configures a URL filter policy for local filtering in order to filter traffic based on a list of URLs located on a file stored in the router compact flash.
This command adds a URL list to the local filtering URL filter policy.
The no form of the command removes the URL list object.
This command configures the Wireless Application Protocol (WAP) 1.X.
This command configures the packet rate on the ISA-AA when a packet rate alarm will be raised by the agent.
max = disabled
This command configures the the packet rate on the ISA-AA when a packet rate alarm will be cleared by the agent.
The no form of the command reverts to the default.
0
This command configures the high watermark for the weighted average utilization of the shared buffer space in the from-subscriber buffer pool for each ISA. When a buffer pool is not in the overload state and the wa-shared buffer utilization for an ISA crosses above the high watermark value in the ISA from-subcriber buffer pool enters an overload state and an overload notification is raised.
100
This command configures the low watermark for the weighted average utilization of the shared buffer space in the from-subscriber buffer pool. When a buffer pool is in an overloaded state and the wa-shared buffer utilization for an ISA drops below low watermark value ISA from-subcriber buffer pool leaves the overload state and a is sent to indicate the overload state has cleared.
0
This command configures the shutdown of protocols system-wide
This command administratively disables the protocol specified in protocol protocol-name.
The no form of the command enables the protocol.
This command specifies an existing subscriber RADIUS-based accounting policy to use for AA. RADIUS accounting policies are configured in the config>application-assurance>radius-accounting-policy context.
none
This command configures the interim update interval.
The no form of the command reverts to the default.
no interim-update-interval
This command creates the context for defining RADIUS accounting server attributes under a given session authentication policy.
This command configures the algorithm used to access the list of configured RADIUS servers.
direct
This command configures the number of times the router attempts to contact the RADIUS server for authentication, if not successful the first time.
The no form of the command reverts to the default value.
3
This command specifies the number of times the router attempts to contact the RADIUS server for authentication, if not successful the first time.
The no form of the command reverts to the default value.
This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.
Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried.
The no form of the command removes the server from the configuration.
none
This command configures the source address of the RADIUS packet. The system IP address must be configured in order for the RADIUS client to work. See Configuring a System Interface in the Router Configuration Guide. The system IP address must only be configured if the source-address is not specified. When the no source-address command is executed, the source address is determined at the moment the request is sent. This address is also used in the nas-ip-address attribute: over there it is set to the system IP address if no source address was given.
The no form of the command reverts to the default value.
systemIP address
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of the command reverts to the default value.
5
This command configures the VLAN ID.
This command configures the significant change required to generate the record.
The no form of the command reverts to the default.
no significant-change
This command enables the context to configure persistence parameters on the system.
The persistence feature enables state on information learned through DHCP snooping across reboots to be retained. This information includes data such as the IP address and MAC binding information, lease-length information, and ingress SAP information (required for VPLS snooping to identify the ingress interface).
If persistence is enabled when there are no DHCP relay or snooping commands enabled, it will simply create an empty file.
no persistence
This command enables the context to configure application assurance persistence parameters.
This command instructs the system where to write the file. The name of the file is: appassure.db. On boot the system scans the file systems looking for appassure.db, if it finds it, it starts to load it.
In the subscriber management context, the location specifies the flash device on a CPM card where the data for handling subscriber management persistency is stored.
The no form of this command returns the system to the default. If there is a change in file location while persistence is running, a new file will be written on the new flash, and then the old file will be removed.
no location
This command enables the context to create an application assurance group with the specified system-unique index and enables the context to configure that group’s parameters.
The no form of the command deletes the specified application assurance group from the system. The group must be shutdown first.
none
residential: | Scaling limits for residential operation. |
vpn: | Scaling limits for VPNs. |
mobile-gateway: | Scaling limits for operation as a mobile gateway. |
This command assigns an AA ISA configured in the specified slot to this application assurance group. The backup module provides the application assurance group with warm redundancy when the primary module in the group is configured. Primary and backup modules have equal operational status and when both module are coming up, the ones that becomes operational first becomes the active module. A module can serve as a backup for multiple AA ISA cards but only one can fail to it at one time.
On an activity switch from the primary module, configurations are already on the backup MDA but flow state information must be re-learned. Any statistics not yet spooled will be lost. Auto-switching from the backup to primary, once the primary becomes available again, is not supported.
Operator is notified through SNMP events when:
The no form of the command removes the specified module from the application assurance group.
no backup
mda-id: | slot/mda | |
slot | 1 — up to 10 depending on chassis model | |
mda | 1 — 2 |
This command selects a forwarding class in the system to be diverted to an application assurance engine for this application assurance group. Only traffic to/from subscribers with application assurance enabled is diverted.
To divert multiple forwarding classes, the command needs to be executed multiple times specifying each forwarding class to be diverted at a time.
The no form of the command stops diverting of the traffic to an application assurance engine for this application assurance group.
no divert-fc
This command configures mode of operation during an operational failure of this application assurance group when no application assurance engines are available to service traffic. When enabled, all traffic that was to be inspected will be dropped. When disabled, all traffic that was to be inspected will be forwarded without any inspection as if the group was not configured at all.
no fail-to-open
This command configures the ISA-AA capacity cost high threshold.
The no form of the command reverts the threshold to the default value.
4294967295
This command configures the ISA-AA capacity cost low threshold.
The no form of the command reverts the threshold to the default value.
0
This command configures the ISA group to enable cut-through of traffic if an overload event occurs, triggered when the IOM weighted average queues depth exceeds the wa-shared-high-wmark. In this ISA state, packets are cut-through from application analysis but retain subscriber context with default subscriber policy applied.
The no form of the command disables cut-through processing on overload.
isa-overload-cut-through
This command configures the scale parameters for the ISA group. When min-isa-generation is configured as 1, the group and per-ISA limits are the MS-ISA scale.
If there is a mix of ISA 1s and 2s, the min-isa-generation must be left as 1.
When min-isa-gen is configured as 2, the per-isa resource limits shown in the show isa application-assurance-group 1 load-balance output will increase to show ISA2 limits.
1
This command enables partitions within an ISA-AA group. When enabled, partitions can be created
The no form of the command disables partitions within an ISA-AA group.
disabled
This command assigns an AA ISA module configured in the specified slot to this application assurance group. Primary and backup ISAs have equal operational status and when both ISAs are coming up, the one that becomes operational first becomes the active ISA.
On an activity switch from the primary ISA, all configurations are already on the backup ISA but flow state information must be re-learned. Any statistics not yet spooled will be lost. Auto-switching from the backup to primary, once the primary becomes available again, is not supported.
Operator is notified through SNMP events when:
The no form of the command removes the specified ISA from the application assurance group.
no primary
mda-id: | slot/mda | |
slot | 1 — up to 10 depending on chassis model | |
mda | 1 — 2 |
This command enables the context for Quality of Service configuration for this application assurance group.
This command enables the context to configure statistics generation.
This command configures the ISA group to enable the aa-performance statistic record. This record contains information on the traffic load and resource consumption for each ISA in the group, to allow tracking of ISA load for long term capacity planning and short term anomalies. The user can configure the accounting policy to be used, and enables the record using the [no] collect-stats command.
This command enables the context for IOM port-level Quality of Service configuration for this application assurance group in the egress direction (traffic entering an application assurance engine).
This command enables the context for Quality of Service configuration for this application assurance group form-subscriber logical port, traffic entering the system from AA subscribers and entering an application assurance engine.
This command enables the context to configure an IOM pool as applicable to the specific application assurance group traffic. The user can configure resv-cbs (as percentage) values and slope-policy similarly to other IOM pool commands.
default
This command defines the percentage or specifies the sum of the pool buffers that are used as a guideline for CBS calculations for access and network ingress and egress queues. Two actions are accomplished by this command.
This command does not actually set aside buffers within the buffer pool for CBS reservation. The CBS value per queue only determines the point at which enqueuing packets are subject to a RED slope. Oversubscription of CBS could result in a queue operating within its CBS size and still not able to enqueue a packet due to unavailable buffers. The resv-cbs parameter can be changed at any time.
If the total pool size is 10 MB and the resv-cbs set to 5, the ‘reserved size’ is 500 KB.
The no form of this command restores the default value.
default (30%)
This command specifies an existing slope policy which defines high and low priority RED slope parameters and the time average factor. The slope policy is defined in the config>qos>slope-policy context.
This command assigns an IOM network queue policy as applicable to specific application assurance group traffic.
default
This command configures the high watermark for the weighted average utilization of the shared buffer space in the from-subscriber buffer pool for each ISA. When a buffer pool is not in the overload state and the wa-shared buffer utilization for an ISA crosses above the high watermark value in the ISA from-subcriber buffer pool enters an overload state and an overload notification is raised.
100
This command configures the low watermark for the weighted average utilization of the shared buffer space in the from-subscriber buffer pool. When a buffer pool is in an overloaded state and the wa-shared buffer utilization for an ISA drops below low watermark value ISA from-subcriber buffer pool leaves the overload state and a is sent to indicate the overload state has cleared.
0
This command assigns an existing port scheduler policy as applicable to the specific application assurance group traffic.
default
This command enables the context for Quality of Service configuration for this application assurance group to-subscriber logical port, traffic destined to AA subscribers and entering an application assurance engine.
This command enables the context for MDA-level IOM Quality of Service configuration.