3.4. Application Assurance Command Reference

3.4.1. Application Assurance Command Reference

3.4.1.1. Hardware Commands

Refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Interface Configuration Guide for hardware command descriptions.

3.4.1.2. Admin Commands

admin
group aa-group-id
url-list url-list-name upgrade

3.4.1.3. ISA Commands

config
— isa
application-assurance-group application-assurance-group-index [create] [aa-sub-scale sub-scale]
— no application-assurance-group application-assurance-group-index
[no] backup mda-id
description description-string
[no] divert-fc fc-name
[no] fail-to-open
minimum-isa-generation min-isa-generation
[no] shutdown
[no] partitions
[no] primary mda-id
qos
egress
pool [pool-name]
— no pool
resv-cbs percent-or-default
— no resv-cbs
slope-policy slope-policy-name
port-scheduler-policy port-scheduler-policy-name
queue-policy network-queue-policy-name
pool [pool-name]
— no pool
resv-cbs percent-or-default
— no resv-cbs
slope-policy slope-policy-name
port-scheduler-policy port-scheduler-policy-name
queue-policy network-queue-policy-name
[no] shutdown
accounting-policy acct-policy-id
[no] collect-stats

3.4.1.4. Application Assurance Commands

3.4.1.4.1. AA Commands

config
— application-assurance
aarp aarpId [create]
— no aarp aarpId
description description-string
peer ip-address
— no peer
peer-endpoint sap sap-id encap-type {dot1q | null | qinq}
peer-endpoint spoke-sdp sdp-id:vc-id
priority value
— no priority
[no] shutdown
bit-rate-high-wmark high-watermark
bit-rate-low-wmark low-watermark
datapath-cpu-high-wmark high-watermark
datapath-cpu-low-wmark low-watermark
flow-setup-high-wmark high-watermark
flow-setup-low-wmark low-watermark
flow-table-high-wmark high-watermark
flow-table-low-wmark low-watermark
packet-rate-high-wmark high-watermark
packet-rate-low-wmark low-watermark
protocol protocol-name
[no] shutdown
radius-accounting-policy rad-acct-plcy-name [create]
— no radius-accounting-policy rad-acct-plcy-name
description description-string
access-algorithm {direct | round-robin}
retry count
router router-instance
router service-name service-name
— no router
server server-index address ip-address secret key [hash | hash2] [port port] [create]
— no server server-index
source-address ip-address
timeout seconds

3.4.1.4.2. AA Group Commands

config
— application-assurance
group aa-group-id[:partition-id [create]]
— no group aa-group-id:partition-id
[no] aa-sub-remote
source source-type level level
— no source source-type
rtt-threshold threshold
certificate-profile cert-profile-name [create]
— no certificate-profile cert-profile-name
certificate certificate-file
description description-string
[no] shutdown
cflowd
collector ip-address[:port] [create]
— no collector ip-address[:port]
description description-string
[no] shutdown
app-group app-group-name [rate]
— no app-group app-group-name
application application-name [rate]
— no application application-name
flow-rate sample-rate
— no flow-rate
flow-rate2 sample-rate
— no flow-rate2
[no] shutdown
collector collector-id [create]
— no collector collector-id
[no] address ip-address [:port]
[no] shutdown
description description-string
vlan-id service-port-vlan-id
— no vlan-id
prefix prefix-string
— no prefix
app-group app-group-name [rate]
— no app-group app-group-name
application application-name [rate]
— no application application-name
flow-rate sample-rate
— no flow-rate
flow-rate2 sample-rate
— no flow-rate2
[no] shutdown
[no] shutdown
app-group app-group-name [rate]
— no app-group app-group-name
application application-name [rate]
application application-name
flow-rate sample-rate
— no flow-rate
flow-rate2 sample-rate
— no flow-rate2
[no] shutdown
volume
rate sample-rate
— no rate
[no] shutdown
description description-string
dns-ip-cache dns-ip-cache-name [create]
— no dns-ip-cache dns-ip-cache-name
description description-string
domain domain-name expression expression
— no domain domain-name
server-address server-address [name server-name]
— no server-address server-address
high-wmark percent
low-wmark percent
size cache-size
[no] static-address static-ip-address
[no] shutdown
event-log event-log-name [create]
— no event-log event-log-name
buffer-type buffer-type
max-entries max-entries
[no] shutdown
syslog
address ip-address
— no address
description description-string
facility syslog-facility
port port
severity syslog-severity
vlan-id service-port-vlan-id
— no vlan-id
gtp
event-log event-log-name
— no event-log
gtp-filter gtp-filter-name [create]
— no gtp-filter gtp-filter-name
description description-string
event-log event-log-name
— no event-log
default-action {permit | deny}
entry entry-id value gtp-message-value action {permit | deny}
— no entry entry-id
mode mode
[no] shutdown
http-enrich http-enrich-name [create]
— no http-enrich http-enrich-name
description description-string
[no] field field-name
[no] anti-spoof
encode type type key key
encode type type key hash-key hash
encode type type key hash2-key hash2
encode type type cert-profile cert-profile-name
— no encode
name header-name
static-string string
[no] shutdown
[no] tls-extension
extension-id extension-id
— no extension-id
— [no] subtype tls extension subtype
encode type type key key | hash-key | hash2-key [hash | hash2]
— no encode
http-error-redirect redirect-name [create]
— no http-error-redirect redirect-name
description description-string
error-code error-code [custom-msg-size custom-msg-size]
— no error-code error-code
http-host http-host
— no http-host
participant-id participant-id
[no] shutdown
template template-id
— no template
http-notification http-notification [create]
— no http-notification http-notification
description description-string
interval minimum-interval
interval one-time
script-url script-url-name
— no script-url
[no] shutdown
template template-id
— no template
http-redirect redirect-name [create]
— no http-redirect redirect-name
vlan-id service-port-vlan-id
— no vlan-id
description description-string
redirect-url redirect-url
[no] shutdown
template template-id
— no template
ip-prefix-list ip-prefix-list-name [create]
— no ip-prefix-list ip-prefix-list-name
description description-string
prefix ip-prefix/ip-prefix-length [name prefix-name]
— no prefix ip-prefix/ip-prefix-length
policer policer-name type type granularity granularity [create]
policer policer-name
— no policer policer-name
action {priority-mark | permit-deny}
adaptation-rule pir {max | min | closest} [cir {max | min | closest}]
cbs committed-burst-size
— no cbs
cbs congested-cbs
— no cbs
cir congested-cir
— no cir
mbs congested-mbs
— no mbs
pir congested-pir
— no pir
description description-string
flow-count flow-count
— no flow-count
[no] gtp-traffic
mbs maximum-burst-size
— no mbs
rate pir-rate [cir cir-rate]
— no rate
rate-percentage rate-percentage
tod-override tod-override-id [create]
— no tod-override tod-override-id
cbs committed-burst-size
— no cbs
description description-string
flow-count flow-count
— no flow-count
mbs maximum-burst-size
— no mbs
rate pir-rate [cir cir-rate]
— no rate
[no] shutdown
time-range daily start start-time end end-time [on day [day]]
time-range weekly start start-time end end-time
— no time-range
policy
abort
entry entry-id [create]
— no entry entry-id
application application-name
description description-string
expression expr-index expr-type {eq | neq} expr-string
— no expression expr-index
flow-setup-direction {subscriber-to-network | network-to-subscriber | both}
http-port {eq | neq} port-num
http-port {eq | neq} port-list port-list-name
— no http-port
ip-protocol-num {eq | neq} protocol-id
network-address {eq | neq} ip-address
network-address {eq | neq} ip-prefix-list ip-prefix-list-name
protocol {eq | neq} protocol-name
— no protocol
server-address {eq | neq} ip-address
server-address {eq | neq} ip-prefix-list ip-prefix-list-name
server-address {eq | neq} dns-ip-cache dns-ip-cache-name
server-port {eq | neq | gt | lt} port-num
server-port {eq | neq} range start-port-num end-port-num
server-port {eq} {port-num | range start-port-num end-port-num} {first-packet-trusted | first-packet-validate}
server-port {eq | neq} port-list port-list-name
server-port {eq} port-list port-list-name {first-packet-trusted | first-packet-validate}
[no] shutdown
app-group application-group-name [create]
— no app-group application-group-name
charging-group charging-group-name
description description
export-id export-id
— no export-id
app-profile app-profile-name [create]
— no app-profile app-profile-name
capacity-cost cost
characteristic characteristic-name value value-name
— no characteristic characteristic-name
description description-string
[no] divert
entry entry-id [create]
— no entry entry-id
action
bandwidth-policer policer-name
dns-ip-cache dns-ip-cache-name
[no] drop
error-drop [event-log event-log-name]
— no error-drop
flow-count-limit policer-name [event-log event-log-name]
flow-rate-limit policer-name [event-log event-log-name]
fragment-drop {all | out-of-order} [event-log event-log-name]
gtp-filter gtp-filter-name
— no gtp-filter
http-enrich http-enrich-name
http-error-redirect redirect-name
http-notification http-notification
http-redirect redirect-name flow-type flow-type
mirror-source [all-inclusive] mirror-service-id
overload-drop [event-log event-log-name]
remark
dscp in-profile dscp-name out-profile dscp-name
no dscp
fc fc-name
no fc
priority priority-level
no priority
sctp-filter sctp-filter-name
session-filter session-filter-name
tcp-mss-adjust segment-size
tcp-validate tcp-validate-name
— [no] tls-enrich
url-filter url-filter-name [characteristic characteristic-name]
— no url-filter
description description-string
match
aa-sub esm {eq | neq} sub-ident-string
aa-sub esm-mac {eq | neq} esm-mac-name
aa-sub sap {eq | neq} sap-id
aa-sub spoke-sdp {eq | neq} sdp-id:vc-id
aa-sub transit {eq | neq} transit-aasub-name
— no aa-sub
app-group {eq | neq} application-group-name
— no app-group
application {eq | neq} application-name
characteristic characteristic-name eq value-name
— no characteristic characteristic-name
charging-group {eq | neq} charging-group-name
dscp {eq | neq} dscp-name
— no dscp
dst-ip {eq | neq} ip-address
dst-ip {eq | neq} ip-prefix-list ip-prefix-list-name
— no dst-ip
dst-port {eq | neq} port-num
dst-port {eq | neq} port-list port-list-name
dst-port {eq | neq} range start-port-num end-port-num
— no dst-port
ip-protocol-num {eq | neq} protocol-id
src-ip {eq | neq} ip-address
src-ip {eq | neq} ip-prefix-list ip-prefix-list-name
— no src-ip
src-port {eq | neq} port-num
src-port {eq | neq} port-list port-list-name
src-port {eq | neq} range start-port-num end-port-num
— no src-port
traffic-direction {subscriber-to-network | network-to-subscriber | both}
[no] shutdown
characteristic characteristic-name [create]
— no characteristic characteristic-name
default-value value-name
[no] value value-name
application application-name [create]
— no application application-name
app-group app-group-name
charging-group charging-group-name
description description-string
export-id export-id
— no export-id
begin
charging-group charging-group-name [create]
— no charging-group charging-group-name
description description-string
export-id export-id
— no export-id
— notify-start-stop [flow-based]
— no notify-start-stop
commit
custom-protocol custom-protocol-id ip-protocol-num protocol-id [create]
custom-protocol custom-protocol-id
— no custom-protocol custom-protocol-id
description description-string
expression expr-index eq expr-string offset payload-octet-offset direction direction
— no expression expr-index
[no] shutdown
default-charging-group charging-group-name
diff
policy aa-sub {sap sap-id | spoke-sdp sdp-id:vc-id | transit transit-aasub-name} [create]
— no policy aa-sub {sap sap-id | spoke-sdp sdp-id:vc-id | transit transit-aasub-name}
characteristic characteristic-name value value-name
— no characteristic characteristic-name
port-list port-list-name [create]
— no port-list port-list-name
description description-string
[no] port port-number
[no] port range start-port-num end-port-num
sctp-filter sctp-filter-name [create]
— no sctp-filter sctp-filter-name
description description-string
event-log event-log-name
— no event-log
ppid
default-action {permit | deny}
entry entry-id value ppid-value action {permit | deny}
— no entry entry-id
ppid-range min min-ppid max max-ppid
— no ppid-range
session-filter session-filter-name [create]
— no session-filter session-filter-name
default-action {permit | deny} [event-log event-log-name]
description description-string
entry entry-id [create]
— no entry entry-id
action {permit | deny | tcp-strict-order} [event-log event-log-name]
action application application-name
action http-redirect http-redirect-name [event-log event-log-name]
action tcp-optimizer tcp-optimizer-name
description description-string
— match
dst-ip ip-address
dst-ip dns-ip-cache dns-ip-cache-name
dst-ip ip-prefix-list ip-prefix-list-name
— no dst-ip
dst-port {eq | gt | lt} port-num
dst-port port-list port-list-name
dst-port range start-port-num end-port-num
— no dst-port
ip-protocol-num {ip-protocol-number | protocol-name}
src-ip ip-address
src-ip ip-prefix-list ip-prefix-list
— no src-ip
src-port {eq | gt | lt} port-num
src-port port-list port-list-name
src-port range start-port-num end-port-num
— no src-port
accounting-policy acct-policy-id
[no] collect-stats
[no] policer-stats
— aa-partition
accounting-policy acct-policy-id
[no] collect-stats
[no] traffic-type
aa-sub
accounting-policy acct-policy-id
aggregate-stats export-using export-method [export-method...(up to 2 max)]
aggregate-stats no-export
app-group app-group-name export-using export-method [export-method...(up to 2 max)]
app-group app-group-name no-export
— no app-group app-group-name
application application-name export-using export-method
application application-name no-export
— no application application-name
charging-group charging-group-name export-using export-method [export-method...(up to 2 max)]
charging-group charging-group-name no-export
— no charging-group charging-group-name
[no] collect-stats
[no] protocol protocol-name export-using export-method
radius-accounting-policy rad-acct-plcy-name
aa-sub-study study-type
aa-sub {esm sub-ident-string | esm-mac esm-mac-name | sap sap-id | spoke-sdp sdp-id:vc-id | transit transit-aasub-name}
— no aa-sub {esm sub-ident-string | sap sap-id | spoke-sdp sdp-id:vc-id | transit transit-aasub-name}
accounting-policy acct-policy-id
[no] collect-stats
— app-group
accounting-policy acct-policy-id
[no] collect-stats
— application
accounting-policy acct-policy-id
[no] collect-stats
accounting-policy acct-policy-id
[no] collect-stats
[no] shutdown
error-drop direction direction [create]
— no error-drop direction direction
high-wmark high-watermark low-wmark low-watermark
fragment-drop-all direction direction [create]
— no fragment-drop-all direction direction
high-wmark high-watermark low-wmark low-watermark
fragment-drop-out-of-order direction direction [create]
— no fragment-drop-out-of-order direction direction
high-wmark high-watermark low-wmark low-watermark
gtp-filter filter-name
max-payload-length direction direction [create]
— no max-payload-length direction direction
high-wmark high-watermark low-wmark low-watermark
default-action direction direction [create]
— no default-action direction direction
high-wmark high-watermark low-wmark low-watermark
entry entry-id direction direction [create]
— no entry entry-id direction direction
high-wmark high-watermark low-wmark low-watermark
header-sanity direction direction [create]
— no header-sanity direction direction
high-wmark high-watermark low-wmark low-watermark
gtp-sanity-drop direction direction [create]
— no gtp-sanity-drop direction direction
high-wmark high-watermark low-wmark low-watermark
overload-drop direction direction [create]
— no overload-drop direction direction
high-wmark high-watermark low-wmark low-watermark
policer policer-name direction direction [create]
— no policer policer-name direction direction
high-wmark high-watermark low-wmark low-watermark
sctp-filter sctp-filter-name
packet-sanity direction direction [create]
— no packet-sanity direction direction
high-wmark high-watermark low-wmark low-watermark
ppid
default-action direction direction [create]
— no default-action direction direction
high-wmark high-watermark low-wmark low-watermark
entry entry-id direction direction [create]
— no entry entry-id direction direction
high-wmark high-watermark low-wmark low-watermark
ppid-range direction direction [create]
— no ppid-range direction direction
high-wmark high-watermark low-wmark low-watermark
session-filter session-filter-name
default-action direction direction [create]
— no default-action direction direction
high-wmark high-watermark low-wmark low-watermark
entry entry-id direction direction [create]
— no entry entry-id direction direction
high-wmark high-watermark low-wmark low-watermark
tcp-validate tcp-validate-name direction direction [create]
— no tcp-validate tcp-validate-name direction direction
high-wmark high-watermark low-wmark low-watermark
tcp-validate tcp-validate-name [create]
— no tcp-validate tcp-validate-name
description description-string
event-log event-log-name [all]
— no event-log
[no] strict
transit-ip-policy ip-policy-id [create]
— no transit-ip-policy ip-policy-id
def-app-profile app-profile-name
description description-string
dhcp
[no] shutdown
[no] application-policy name
[no] shutdown
ipv6-address-prefix-length IPv6-prefix-length
radius
seen-ip-radius-acct-policy rad-acct-plcy-name
[no] shutdown
static-aa-sub transit-aasub-name
static-aa-sub transit-aasub-name app-profile app-profile-name [create]
— no static-aa-sub transit-aasub-name
[no] ip ip-address[/mask]
sub-ident-policy sub-ident-policy-name
[no] shutdown
transit-prefix-policy prefix-policy-id [create]
— no transit-prefix-policy prefix-policy-id
description description-string
entry entry-id [create]
entry entry-id
— no entry entry-id
aa-sub transit-aasub-name
— no aa-sub
match
aa-sub-ip ip-address[/mask]
— no aa-sub-ip
network-ip ip-address[/mask]
— no network-ip
static-aa-sub transit-aasub-name
static-aa-sub transit-aasub-name app-profile app-profile-name [create]
— no static-aa-sub transit-aasub-name
static-remote-aa-sub transit-aasub-name
static-remote-aa-sub transit-aasub-name app-profile app-profile-name [create]
— no static-remote-aa-sub transit-aasub-name
url-filter url-filter-name [create]
— no url-filter url-filter-name
default-action allow
default-action block-all
default-action block-http-redirect http-redirect-name
description description-string
http-redirect http-redirect-name
http-request-filtering all | first
— icap
custom-x-header custom-x-header-name
server ip-address[:port] [create]
— no server ip-address[:port]
description description-string
[no] shutdown
vlan-id service-port-vlan-id
— no vlan-id
[no] url-list url-list-name
[no] shutdown
url-list url-list-name [create]
— no url-list url-list-name
decrypt-key key | hash-key | hash2-key [hash1 | hash2]
description description-string
file file-url
— no file
[no] shutdown
size url-list-size
wap1x
[no] shutdown

3.4.1.5. AA Interface Commands

config
— service
— ies/vprn service-id
aa-interface aa-if-name [create]
— no aa-interface aa-if-name
address {ip-address/mask | ip-address netmask}
— no address [ip-address/mask | ip-address netmask]
description description-string
ip-mtu octets
— no ip-mtu
sap sap-id [create]
— no sap sap-id
description long-description-string
egress
filter ip ip-filter-id
— no filter [ip ip-filter-id]
qos policy-id
— no qos [policy-id]
qos policy-id
— no qos [policy-id]
[no] shutdown
[no] shutdown

3.4.1.6. Persistence Commands

config
system
description description-string
location cflash-id
no location

3.4.2. Command Descriptions

Application Assurance uses system components for some of its functionality. Refer to the following for details on:

  1. Configuration of Application Assurance Accounting policy including per accounting type record selection and customization of AA subscriber records.
  2. Configuration of AA ISA IOM QoS.

3.4.2.1. Generic Commands

description

Syntax 
description description-string
no description
Context 
config>app-assure>aarp
config>app-assure>group
config>app-assure>group>statistics>aa-sub
config>app-assure>group>cflowd>collector
config>app-assure>group>cflowd>dir-exp>collector
config>app-assure>group>cflowd>group>cflowd
config>app-assure>group>cflowd>group>cflowd>collector
config>app-assure>group>cflowd>group>cflowd>volume
config>app-assure>group>certificate-profile
config>app-assure>group>dns-ip-cache
config>app-assure>group>event-log>syslog
config>app-assure>group>gtp>gtp-filter
config>app-assure>group>http-enrich
config>app-assure>group>http-error-redirect
config>app-assure>group>http-notification
config>app-assure>group>http-redirect
config>app-assure>group>ip-prefix-list
config>app-assure>group>policer
config>app-assure>group>policer>tod-override
config>app-assure>group>policy>app-filter>entry
config>app-assure>group>policy>app-group
config>app-assure>group>policy>application
config>app-assure>group>policy>app-profile
config>app-assure>group>policy>app-qos-policy>entry
config>app-assure>group>policy>aqp>entry
config>app-assure>group>policy>aqp>entry>action>url-filter
config>app-assure>group>policy>charging-group
config>app-assure>group>policy>custom-protocol
config>app-assure>group>policy>transit-ip-policy
config>app-assure>group>port-list
config>app-assure>group>sctp-filter
config>app-assure>group>session-filter
config>app-assure>group>session-filter>entry
config>app-assure>group>tcp-validate
config>app-assure>group>tod-override
config>app-assure>group>transit-prefix-policy
config>app-assure>group>url-filter
config>app-assure>group>url-filter>icap>server
config>app-assure>group>url-list
config>app-assure>protocol
config>app-assure>rad-acct-plcy
config>isa
config>isa>aa-group
config>service>ies>aa-interface
config>service>vprn>aa-interface
config>system>persistence>application-assurance
Description 

This command creates a text description which is stored in the configuration file to help identify the content of the entity.

The no form of the command removes the string from the configuration.

Parameters 
string—
The description character string, up to 80 characters. Allowed values are any string composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

description

Syntax 
description long-description-string
no description
Context 
config>service>ies>aa-interface>sap
config>service>vprn>aa-interface>sap
Description 

This command creates a text description which is stored in the configuration file to help identify the content of the entity.

The no form of the command removes the string from the configuration.

Parameters 
string—
The description character string, up to 160 characters. Allowed values are any string composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

shutdown

Syntax 
[no] shutdown
Context 
config>app-assure>aarp
config>app-assure>group>cflowd
config>app-assure>group>cflowd>collector
config>app-assure>group>cflowd>comprehensive
config>app-assure>group>cflowd>rtp-performance
config>app-assure>group>cflowd>tcp-performance
config>app-assure>group>cflowd>volume
config>app-assure>group>certificate-profile
config>app-assure>group>dns-ip-cache
config>app-assure>group>event-log
config>app-assure>group>gtp
config>app-assure>group>http-enrich
config>app-assure>group>http-error-redirect
config>app-assure>group>http-notification
config>app-assure>group>http-redirect
config>app-assure>group>policer>tod-override
config>app-assure>group>policy>app-filter>entry
config>app-assure>group>policy>app-qos-policy>entry
config>app-assure>group>policy>custom-protocol
config>app-assure>group>statistics>protocol
config>app-assure>group>transit-ip-policy>dhcp
config>app-assure>group>transit-ip-policy>radius
config>app-assure>group>transit-ip-policy>transit-auto-create
config>app-assure>group>url-filter
config>app-assure>group>url-filter>icap>server
config>app-assure>group>url-list
config>app-assure>group>wap1x
config>app-assure>protocol
config>isa>aa-grp
config>service>ies>aa-interface
config>service>ies>aa-interface>sap
config>service>vprn>aa-interface
config>service>vprn>aa-interface>sap
Description 

This command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.

The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

3.4.2.2. Admin Commands

application-assurance

Syntax 
application-assurance
Context 
admin
Description 

This command enables the context to perform Application Assurance (AA) configuration operations.

upgrade

Syntax 
upgrade
Context 
admin>app-assure
Description 

Use this command to load a new isa-aa.tim file as part of a router-independent signature upgrade. An AA ISA reboot is required.

3.4.2.3. Application Assurance Commands

aarp

Syntax 
aarp aarpId [create]
no aarp aarpId
Context 
config>application-assurance
Description 

This command defines an Application Assurance Redundancy Protocol (AARP) instance. This instance is paired with the same aarpId in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP.

The no form of the command removes the instance from the configuration.

Parameters 
aarpId—
An integer that identifies an AARP instance.
Values—
1 to 65535

 

create—
Keyword used to create the AARP instance.

master-selection-mode

Syntax 
master-selection-mode mode
Context 
config>app-assure>aarp
Description 

This command configures the AARP mode of operation with the peer instance. The mode determines how the AARP state machine behaves. In minimize-switchovers mode, the AARP state changes on Master ISA failure and is non-revertive: when the priority ISA returns, a switch does not occur, which is optimal for AA flow identification. In inter-chassis-efficiency mode, both priority (revertive) and the endpoint (EP) status of the AARP instance are considered, and activity switches on EP failure in order to avoid sending all the traffic over the ICL. The priority-based-balance mode is revertive after a priority master returns to service, but excludes EP status. The master-selection-mode configuration must match on both peer AARP instances, or the AARP operational status will stay down.

Default 

master-selection-mode minimize-switchovers

Parameters 
mode—
Specifies the AARP master selection mode.
Values—
minimize-switchovers — Optimal AA flow detection continuity by minimizing AARP switchovers.
inter-chassis-efficiency — Minimizes inter-chassis traffic.
priority-based-balance — AA load balance between AARP peers based on configured priority.

 

peer

Syntax 
peer ip-address
no peer
Context 
config>app-assure>aarp
Description 

This command defines the IP address of the peer router which must be a routable system IP address.

If no peer is configured and the AARP instance is in the no shutdown state, it is configured as a single-node AARP instance.

The no form of the command removes the IP address from the AARP instance.

Default 

no peer

Parameters 
ip-address —
Specifies the IP address in the a.b.c.d format.

peer-endpoint

Syntax 
peer-endpoint sap sap-id encap-type {dot1q | null | qinq}
peer-endpoint spoke-sdp sdp-id:vc-id
no peer-endpoint
Context 
config>app-assure>aarp
Description 

This command defines the peer endpoint ID of the SAP or spoke-SDP parent-aa-sub of the AARP peer.

The no form of the command removes the peer endpoint from the AARP instance.

Default 

no peer-endpoint

Parameters 
sap-id—
Specifies the physical port identifier portion of the SAP definition.
sdp-id:vc-id—
Specifies the spoke SDP ID and VC ID.
Values—
sdp-id: 1 to 32767
vc-id: 1 to 4294967295

 

dot1q | null | qinq—
Specifies the encapsulation type.

priority

Syntax 
priority value
no priority
Context 
config>app-assure>aarp
Description 

This command defines the priority for the AARP instance. The priority value is used to determine the master/backup upon initialization or re-balance.

The no form of the command reverts to the default value.

Default 

priority 100

Parameters 
value—
Specifies an integer that defines the priority of an AARP instance.
Values—
0 to 255

 

bit-rate-high-wmark

Syntax 
bit-rate-high-wmark high-watermark
Context 
config>application-assurance
Description 

This command configures the high watermark for bit rate alarms.

Default 

bit-rate-high-wmark max

Parameters 
high-watermark—
Specifies the high watermark for bit rate alarms, in Mb/s. The value must be larger than or equal to the low watermark value.
Values—
1 to 40000, max (disabled)

 

bit-rate-low-wmark

Syntax 
bit-rate-low-wmark low-watermark
no bit-rate-low-wmark
Context 
config>application-assurance
Description 

This command configures the utilization of the flow records on the ISA-AA Group when the full alarm will be cleared by the agent.

Default 

bit-rate-low-wmark 0

Parameters 
low-watermark—
Specifies the low watermark for bit rate alarms, in Mb/s. The value must be lower than or equal to the high watermark value.
Values—
0 to 39999

 

datapath-cpu-high-wmark

Syntax 
datapath-cpu-high-wmark high-watermark
datapath-cpu-high-wmark max
Context 
config>app-assure
Description 

This command configures the system-wide high watermark threshold as a percentage of the per-ISA datapath core CPU utilization, where an alarm will be raised by the agent. CPU usage is the average usage across all datapath cores.

Default 

datapath-cpu-high-wmark 95

Parameters 
high-watermark—
Specifies the high watermark for datapath CPU usage alarms.
Values—
1 to 100

 

max—
Disables the high watermark for datapath CPU usage alarms.

datapath-cpu-low-wmark

Syntax 
datapath-cpu-low-wmark low-watermark
Context 
config>app-assure
Description 

This command configures the system-wide low watermark threshold as a percentage of the per-ISA datapath core CPU utilization, where an alarm will be raised by the agent. CPU usage is the average usage across all datapath cores.

Default 

datapath-cpu-low-wmark 90

Parameters 
low-watermark—
Specifies the low watermark for datapath CPU usage alarms.
Values—
1 to 100

 

packet-rate-high-wmark

Syntax 
packet-rate-high-wmark high-watermark
Context 
config>app-assure
Description 

This command configures the packet rate on the ISA-AA when a packet rate alarm will be raised by the agent.

Default 

packet-rate-high-wmark max

Parameters 
high-watermark—
Specifies the high watermark for packet rate alarms. The value must be larger than or equal to the packet-rate-low-wmark value.
Values—
1 to 59523808, max packets/sec (disabled)

 

packet-rate-low-wmark

Syntax 
packet-rate-low-wmark low-watermark
no packet-rate-low-wmark
Context 
config>app-assure
Description 

This command configures the system-wide low watermark threshold for per-ISA throughput in packets/second when a high packet rate alarm will be cleared by the agent. The value must be less than or equal to the packet-rate-high-wmark parameter.

The no form of the command sets the parameter to minimum (watermark disabled).

Default 

packet-rate-low-wmark 0

Parameters 
low-watermark—
Specifies the low watermark for packet rate alarms. The value must be lower than or equal to the packet-rate-high-wmark value.
Values—
0 to 59523807 packets/sec
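
The following is an added example, not part of the original reference or of any vendor tooling: a small offline audit of the bit-rate, packet-rate and datapath-cpu watermark pairs described above, flagging out-of-range values, a high watermark below its low watermark, and high watermarks left at max (alarm disabled). The sample configuration text and its layout are constructed, and the low-not-above-high check for datapath-cpu is an assumption, since the page states that ordering only for the bit-rate and packet-rate pairs.

```python
import re

# Ranges and defaults copied from the parameter descriptions above.
# "max" on a high watermark disables that alarm.
# Assumption: low <= high is also enforced for datapath-cpu, although the
# page states the ordering rule only for bit-rate and packet-rate.
WATERMARKS = {
    "bit-rate": {"high": (1, 40000), "low": (0, 39999),
                 "default_high": "max", "default_low": 0},
    "packet-rate": {"high": (1, 59523808), "low": (0, 59523807),
                    "default_high": "max", "default_low": 0},
    "datapath-cpu": {"high": (1, 100), "low": (1, 100),
                     "default_high": 95, "default_low": 90},
}

# Matches "<family>-high-wmark <value>", "<family>-low-wmark <value>"
# and the "no <family>-low-wmark" form.
LINE_RE = re.compile(
    r"^\s*(no\s+)?([a-z-]+)-(high|low)-wmark(?:\s+(\S+))?\s*$")

# Constructed sample, not taken from a real node.
SAMPLE_CONFIG = """\
configure
    application-assurance
        bit-rate-high-wmark 30000
        bit-rate-low-wmark 35000
        packet-rate-high-wmark max
        packet-rate-low-wmark 1000000
        datapath-cpu-high-wmark 101
        datapath-cpu-low-wmark 90
"""


def parse_watermarks(config_text):
    """Return {family: {"high": v, "low": v}}, starting from the defaults."""
    state = {
        family: {"high": spec["default_high"], "low": spec["default_low"]}
        for family, spec in WATERMARKS.items()
    }
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) not in WATERMARKS:
            continue
        negated, family, side, raw = m.groups()
        if negated:
            # The no form reverts the watermark to its default.
            state[family][side] = WATERMARKS[family]["default_" + side]
        elif raw == "max":
            state[family][side] = "max"
        elif raw is not None and raw.isdigit():
            state[family][side] = int(raw)
        else:
            state[family][side] = raw  # missing or non-numeric; audit flags it
    return state


def audit(state):
    """Return a list of (family, finding) tuples for the parsed watermarks."""
    findings = []
    for family, vals in state.items():
        spec = WATERMARKS[family]
        high, low = vals["high"], vals["low"]
        lo_h, hi_h = spec["high"]
        lo_l, hi_l = spec["low"]
        if high == "max":
            # No alarm is raised for this resource, however loaded the ISA is.
            findings.append((family, "alarm-disabled"))
        elif not isinstance(high, int) or not lo_h <= high <= hi_h:
            findings.append((family, "high-out-of-range"))
        if not isinstance(low, int) or not lo_l <= low <= hi_l:
            findings.append((family, "low-out-of-range"))
        if isinstance(high, int) and isinstance(low, int) and high < low:
            findings.append((family, "high-below-low"))
    return findings


if __name__ == "__main__":
    for family, finding in audit(parse_watermarks(SAMPLE_CONFIG)):
        print(f"{family}: {finding}")
```

Run against an empty configuration, the audit reports the bit-rate and packet-rate alarms as disabled, because both high watermarks default to max.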

 

flow-setup-high-wmark

Syntax 
flow-setup-high-wmark high-watermark
Context 
config>app-assure
Description 

This command configures the system-wide high watermark threshold for per-ISA throughput, in packets/second, at which an alarm is raised by the agent. The value must be larger than or equal to the packet-rate-low-wmark parameter.

Default 

flow-setup-high-wmark max

Parameters 
high-watermark—
Specifies the high watermark for flow setup rate alarms. The value must be larger than or equal to the flow-setup-low-wmark value.
Values—
1 to 800000, max flows/sec (disabled)

 

flow-setup-low-wmark

Syntax 
flow-setup-low-wmark low-watermark
no flow-setup-low-wmark
Context 
config>app-assure
Description 

This command configures the flow setup rate on the ISA-AA at which a flow setup alarm is raised by the agent.

Default 

flow-setup-low-wmark 0

Parameters 
low-watermark—
Specifies the low watermark for flow setup rate alarms. The value must be larger than or equal to the flow-setup-high-wmark value.
Values—
1 to 799999 flows/sec

 

application-assurance

Syntax 
application-assurance
Context 
config
Description 

This command enables the context to perform Application Assurance (AA) configuration operations.

flow-table-high-wmark

Syntax 
flow-table-high-wmark high-watermark
no flow-table-high-wmark
Context 
config>app-assure
Description 

This command configures the system-wide high watermark threshold, as a percentage of the flow table size, for the per-ISA utilization of the flow records at which a full alarm is raised by the agent.

Default 

flow-table-high-wmark 95

Parameters 
high-watermark—
Specifies the high watermark for flow table full alarms, in percent.
Values—
0 to 100

 

Default—
95

flow-table-low-wmark

Syntax 
flow-table-low-wmark low-watermark
no flow-table-low-wmark
Context 
config>app-assure
Description 

This command configures the system-wide low watermark threshold, per ISA, as a percentage of the flow table size. The value must be lower than or equal to the flow-table-high-wmark high-watermark parameter.

Default 

flow-table-low-wmark 90

Parameters 
low-watermark—
Specifies the low watermark for flow table full alarms, in percent.
Values—
0 to 100

 

Default—
90

protocol

Syntax 
protocol protocol-name
Context 
config>app-assure
Description 

This command configures the shutdown of protocols system-wide.

Parameters 
protocol-name—
A string of up to 32 characters identifying a predefined protocol.

group

Syntax 
group aa-group-id[:partition-id] [create]
no group aa-group-id:partition-id
Context 
config>app-assure
Description 

This command configures and enables the context to configure an application assurance group and partition parameters.

Parameters 
aa-group-id—
Specifies a group of ISA MDAs.
Values—
1 to 255

 

partition-id—
Specifies a partition within a group.
Values—
1 to 65535

 

create—
Keyword used to create the partition in the group.

aa-sub-remote

Syntax 
[no] aa-sub-remote
Context 
config>app-assure>group
Description 

This command specifies whether the from-subscriber and to-subscriber traffic directions are reversed for this group-partition.

Default 

no aa-sub-remote

cflowd

Syntax 
cflowd
Context 
config>app-assure>group
Description 

This command enables the context to configure cflowd parameters for the application assurance group.

certificate-profile

Syntax 
certificate-profile cert-prof-name [create]
no certificate-profile cert-prof-name
Context 
config>app-assure>group
Description 

This command creates a certificate profile to be used for certificate-based encryption in HTTP header enrichment.

The no form of this command removes the certificate profile.

Parameters 
cert-prof-name—
Specifies the name of the profile, up to 32 characters.

certificate

Syntax 
certificate certificate-file
no certificate
Context 
config>app-assure>group>certificate-profile
Description 

This command indicates the file name of the certificate to be added to the profile.

The no form of this command removes the certificate from the profile.

Default 

no certificate

Parameters 
certificate-file—
Specifies the name of the certificate file, up to 95 characters.

disable-deferred-billing

Syntax 
[no] disable-deferred-billing
Context 
config>app-assure>group
Description 

This command disables deferred billing.

dns-ip-cache

Syntax 
dns-ip-cache dns-ip-cache-name [create]
no dns-ip-cache dns-ip-cache-name
Context 
config>app-assure>group
Description 

This command configures a DNS IP cache used to snoop DNS requests generated by subscribers to populate a cache of IP addresses matching a specified list of domain names. In the context of URL content charging strengthening, it is also mandatory to specify a list of trusted DNS servers to populate the DNS IP cache.

Parameters 
dns-ip-cache-name—
Specifies the Application Assurance DNS IP cache name.
create—
Specifies a keyword used to create the DNS IP cache.

dns-match

Syntax 
dns-match
Context 
config>app-assure>group>dns-ip-cache
Description 

This command enters the context to configure match parameters in the DNS IP cache.

domain

Syntax 
domain domain-name expression expression
no domain domain-name
Context 
config>app-assure>group>dns-ip-cache>dns-match
Description 

This command configures a domain expression to populate the DNS IP cache. Up to 32 domains can be configured.

Parameters 
domain-name—
Specifies the name of the domain expression entry.
expression—
Specifies a domain name expression string, up to 64 characters, used to define a pattern match. This domain expression uses the same syntax as the expressions used in app-filters.

server-address

Syntax 
server-address server-address [name server-name]
no server-address server-address
Context 
config>app-assure>group>dns-ip-cache>dns-match
Description 

This command configures a DNS server address. DNS responses from this DNS server are used to populate the dns-ip-cache. Up to 64 server addresses can be configured.

Parameters 
server-address—
Specifies the IPv4 or IPv6 address of the DNS.
Values—
ipv4-address a.b.c.d[/mask]
mask: [1 to 32]
ipv6-address x:x:x:x:x:x:x:x/prefix-length
x:x:x:x:x:x:d.d.d.d
x: [0 to FFFF]H
d: [0 to 255]D
prefix-length: [1 to 128]

server-name—
Specifies an optional server name for a given server address.

ip-cache

Syntax 
ip-cache
Context 
config>app-assure>group>dns-ip-cache
Description 

This command configures the dns-ip-cache cache parameters.

high-wmark

Syntax 
high-wmark percent
Context 
config>app-assure>group>dns-ip-cache>ip-cache
Description 

This command configures the high watermark value for the DNS IP cache. When the number of IP addresses stored in the cache crosses above this threshold, the system will generate a trap.

Default 

high-wmark 90

Parameters 
percent—
Specifies the high watermark value, in percent
Values—
0 to 100

 

Default—
90

low-wmark

Syntax 
low-wmark percent
Context 
config>app-assure>group>dns-ip-cache>ip-cache
Description 

This command configures the low watermark value for the dns-ip-cache. If the dns-ip-cache has previously crossed the high watermark value, the system clears the trap when the number of IP addresses stored in the cache crosses below the low watermark value.

Default 

low-wmark 80

Parameters 
percent—
Specifies the low watermark value, in percent.
Values—
0 to 100

 

Default—
80

size

Syntax 
size cache-size
Context 
config>app-assure>group>dns-ip-cache>ip-cache
Description 

This command configures the maximum number of entries in the cache.

Default 

size 10

Parameters 
cache-size—
Specifies the maximum number of IP addresses that can be stored in the cache.
Values—
10 to 32000

 

Default—
10

static-address

Syntax 
[no] static-address {ip-address | ipv6-address}
Context 
config>app-assure>group>dns-ip-cache>ip-cache
Description 

This command configures a static address in the cache.

Parameters 
ip-address | ipv6-address—
Specifies a character string up to 64 characters.
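
The dns-ip-cache behaviour described above (trusted server-address filter, domain match, size limit, and the high-wmark/low-wmark trap) can be modelled as follows. This is an added example, not vendor code: the shell-style wildcard matching, the drop-when-full behaviour, the remove() method, and all addresses and names are assumptions constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase


class DnsIpCache:
    """Toy model of one dns-ip-cache (not vendor code)."""

    def __init__(self, size=10, high_wmark=90, low_wmark=80):
        # Defaults and ranges are the ones documented above.
        if not 10 <= size <= 32000:
            raise ValueError("size must be 10 to 32000")
        for pct in (high_wmark, low_wmark):
            if not 0 <= pct <= 100:
                raise ValueError("watermarks are percentages, 0 to 100")
        self.size, self.high_wmark, self.low_wmark = size, high_wmark, low_wmark
        self.domains = {}        # domain-name -> expression (up to 32)
        self.servers = []        # trusted DNS servers as networks (up to 64)
        self.entries = set()     # cached IP addresses
        self.trap_active = False

    def add_domain(self, name, expression):
        if name not in self.domains and len(self.domains) >= 32:
            raise ValueError("up to 32 domains can be configured")
        if len(expression) > 64:
            raise ValueError("expression is limited to 64 characters")
        # Assumption: shell-style wildcards stand in for app-filter syntax.
        self.domains[name] = expression.lower()

    def add_server(self, address):
        if len(self.servers) >= 64:
            raise ValueError("up to 64 server addresses can be configured")
        self.servers.append(ipaddress.ip_network(address, strict=False))

    def _trusted(self, server_ip):
        ip = ipaddress.ip_address(server_ip)
        return any(ip.version == n.version and ip in n for n in self.servers)

    def _update_trap(self):
        # Hysteresis: raise above high-wmark, clear only below low-wmark.
        used = len(self.entries) * 100
        if not self.trap_active and used > self.high_wmark * self.size:
            self.trap_active = True
            return "trap-raised"
        if self.trap_active and used < self.low_wmark * self.size:
            self.trap_active = False
            return "trap-cleared"
        return None

    def snoop(self, server_ip, qname, answers):
        """Handle one snooped DNS response; return (added_ips, trap_event)."""
        if not self._trusted(server_ip):
            return [], None      # response from a resolver that is not listed
        name = qname.rstrip(".").lower()
        if not any(fnmatchcase(name, e) for e in self.domains.values()):
            return [], None      # name does not match any domain expression
        added = []
        for answer in answers:
            ip = str(ipaddress.ip_address(answer))
            # Assumption: a full cache drops new addresses (no eviction).
            if ip not in self.entries and len(self.entries) < self.size:
                self.entries.add(ip)
                added.append(ip)
        return added, self._update_trap()

    def remove(self, ip):
        """Hypothetical removal (for example ageing); returns trap_event."""
        self.entries.discard(str(ipaddress.ip_address(ip)))
        return self._update_trap()


def demo():
    """Replay constructed DNS responses and collect the trap events."""
    cache = DnsIpCache()                       # size 10, high 90, low 80
    cache.add_domain("video", "*.video.example.net")
    cache.add_server("192.0.2.53")
    events = []
    # Resolver not in the server-address list: nothing is cached.
    events.append(cache.snoop("198.51.100.9", "cdn.video.example.net",
                              ["203.0.113.200"]))
    # Trusted resolver, ten distinct answers: the tenth crosses 90 percent.
    for i in range(1, 11):
        _, trap = cache.snoop("192.0.2.53", "cdn.video.example.net.",
                              [f"203.0.113.{i}"])
        events.append(trap)
    # Removing entries: 9 and 8 of 10 stay in the band, 7 clears the trap.
    for i in range(1, 4):
        events.append(cache.remove(f"203.0.113.{i}"))
    return events
```

With the default size of 10, the trap is raised only at the tenth entry and is not cleared until occupancy falls to seven, so a cache hovering around the high watermark does not generate repeated traps.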

collector

Syntax 
collector ip-address[:port] [create]
no collector ip-address[:port]
Context 
config>app-assure>group>cflowd
Description 

This command defines a flow data collector for cflowd data. The IP address of the flow collector must be specified. The UDP port number is an optional parameter. If it is not set, the default of 2055 is used.

Parameters 
ip-address—
Specifies the IP address of the flow data collector in dotted decimal notation.
port—
Specifies the UDP port of the flow data collector.
Values—
1 to 65535

 

Default—
2055
create—
Keyword used to create the flow data collector.

comprehensive

Syntax 
comprehensive
Context 
config>app-assure>group>cflowd
Description 

This command enables the context to configure cflowd comprehensive statistics output parameters.

direct-export

Syntax 
direct-export
Context 
config>app-assure>group>cflowd
Description 

This command enables the context to perform configuration related to the export of AA cflowd records directly inband from AA instead of going through the CPM.

collector

Syntax 
collector collector-id [create]
no collector collector-id
Context 
config>app-assure>group>cflowd>dir-exp
Description 

This command configures the cflowd direct export collector. Only one collector can be configured.

Default 

none

Parameters 
collector-id—
Specifies the ID of the cflowd direct export collector.
Values—
1 to 65535

create—
Keyword used to create the collector.

address

Syntax 
[no] address ip-address[:port]
Context 
config>app-assure>group>cflowd>dir-exp-coll
Description 

This command configures the remote address of the cflowd direct export collector. Two addresses can be configured for each “collector” for redundancy. AA sends the same records to both at the same time.

Default 

No default ip-address. Default port is 4739.

Parameters 
ip-address—
a.b.c.d
Values—
port: 1 to 65535

 

vlan-id

Syntax 
vlan-id service-port-vlan-id
no vlan-id
Context 
config>app-assure>group>cflowd>dir-exp
Description 

This command configures the VLAN ID on which the ISA-AA is expected to be emitting traffic.

Default 

none

Parameters 
service-port-vlan-id—
Specifies the VLAN ID value.
Values—
1 to 4094

 

export-override

Syntax 
export-override mode
no export-override
Context 
configure>application-assurance>group>cflowd
Description 

This command configures the AA sub-type used in cflowd record export. The cflowd stats exported to the cflowd collector look identical to those exported when AA is on the type of system defined by the mode. The following cflowd export fields are affected:

  1. cflowd export observation point (field 138): the mode is derived from the export-override category that is selected.
  2. cflowd export AA_Subscriber_Type (field 12): modified as configured, using existing field types.
  3. cflowd interface name: used as the sub-ID field, optionally modified to use the export-override mode prefix as a global identifier.

All AA cflowd record types are affected by export-override. To change the export-override or the prefix, cflowd must be shut down first. When the export-override is set back to default (no export-override), the prefix is also set back to default.

The no form of the command removes the export override.

Default 

no export-override

Parameters 
mode—
The type of system emulated by stats export.
Values—
mobile (mobile gateway mode, cflowd field 138 = 2)

 

prefix

Syntax 
prefix prefix-string
no prefix
Context 
config>application-assurance>group>cflowd>export-override
Description 

This command specifies the prefix-string associated with the export-override.

Parameters 
prefix-string—
A string of up to 8 characters. If the 8-character prefix is "ABCDEFG_" for a particular node, the cflowd export override would generate IPv4 interface names such as ABCDEFG_255.255.255.255 or IPv6 interface names such as ABCDEFG_2001:DB8:EF01:2345::/64. By default, the prefix is left blank.

rtp-performance

Syntax 
rtp-performance
Context 
config>app-assure>group>cflowd
Description 

This command configures the cflowd RTP performance export.

event-log

Syntax 
event-log event-log-name [create]
no event-log event-log-name
Context 
config>app-assure>group
Description 

This command configures an event log.

Parameters 
event-log-name—
Specifies the name of the event log.

buffer-type

Syntax 
buffer-type buffer-type
Context 
config>app-assure>group>evt-log
Description 

This command specifies the type of buffer to be used in the event log.

Default 

buffer-type linear

Parameters 
buffer-type—
Specifies the type of buffer.
Values—
linear — Specifies a linear buffer which, once full, stops recording events until it is cleared.
circular — Specifies a circular buffer in which older entries are overwritten by newer entries.
syslog — Specifies that events are stored offline on a syslog host.

 

max-entries

Syntax 
max-entries max-entries
no shutdown
Context 
config>app-assure>group>evt-log
Description 

This command configures the number of entries in the buffer.

Default 

max-entries 500

Parameters 
max-entries—
Specifies the maximum number of entries for the event log.
Values—
1 to 100000

 

Default—
500

syslog

Syntax 
syslog
Context 
config>app-assure>group>evt-log
Description 

This command enables the context for configuring the target Syslog server.

address

Syntax 
address ip-address
no address
Context 
config>app-assure>group>evt-log>syslog
Description 

This command configures the target syslog host IP address.

Default 

no address

Parameters 
ip-address—
Specifies the IP address of the target syslog host, either IPv4 or IPv6.
Values—
ipv4-address a.b.c.d
ipv6-address x:x:x:x:x:x:x:x
x:x:x:x:x:x:d.d.d.d
x: [0 to FFFF]H
d: [0 to 255]D

 

facility

Syntax 
facility syslog-facility
Context 
config>app-assure>group>evt-log>syslog
Description 

This command configures the syslog facility. The syslog facility is an information field associated with a syslog message. It is defined by the syslog protocol and provides an indication of which part of the system originated the message.

Default 

facility local7

Parameters 
syslog-facility—
Specifies the syslog facility keyword.
Values—
kernel, user, mail, systemd, auth, syslogd, printer, netnews, uucp, cron, authpriv, ftp, ntp, logaudit, logalert, cron2, local0, local1, local2, local3, local4, local5, local6, local7

 

port

Syntax 
port port
Context 
config>app-assure>group>evt-log>syslog
Description 

This command specifies the UDP port used by application assurance to inject the syslog events inband.

Default 

port 514

Parameters 
port—
Specifies the UDP port number.
Values—
0 to 65535

 

severity

Syntax 
severity syslog-severity
Context 
config>app-assure>group>evt-log>syslog
Description 

This command configures the syslog message severity level threshold.

Default 

severity info

Parameters 
syslog-severity—
Specifies the severity level for the syslog message.
Values—
emergency, alert, critical, error, warning, notice, info, debug

 

vlan-id

Syntax 
vlan-id service-port-vlan-id
no vlan-id
Context 
config>app-assure>group>evt-log>syslog
Description 

This command configures the service port VLAN ID to be used by application assurance to inject the syslog events inband. This VLAN ID must also be configured on the application assurance interface.

Default 

no vlan-id

Parameters 
service-port-vlan-id—
Specifies the service port VLAN identifier.
Values—
1 to 4094

 

app-group

Syntax 
app-group app-group-name [rate]
no app-group app-group-name
Context 
config>app-assure>group>cflowd>rtp-performance
config>app-assure>group>cflowd>tcp-performance
config>app-assure>group>cflowd>comprehensive
Description 

This command configures application groups to export performance records with cflowd.

The no form of the command removes the parameters from the configuration.

Parameters 
app-group-name —
Specifies the application group name.
rate —
Specifies which sampling flow rate to use; flow-rate or flow-rate2.
Values—
flow-rate, flow-rate2

 

Default—
flow-rate

application

Syntax 
application application-name [rate]
no application application-name
Context 
config>app-assure>group>cflowd>rtp-performance
config>app-assure>group>cflowd>tcp-performance
config>app-assure>group>cflowd>comprehensive
Description 

This command configures applications to export performance records with cflowd.

The no form of the command removes the parameters from the configuration.

Parameters 
application-name—
Specifies the name defined for the application.
rate—
Specifies which sampling flow rate to use; flow-rate or flow-rate2.
Values—
flow-rate, flow-rate2

 

Default—
flow-rate

flow-rate

Syntax 
flow-rate sample-rate
no flow-rate
Context 
config>app-assure>group>cflowd>rtp-performance
config>app-assure>group>cflowd>tcp-performance
config>app-assure>group>cflowd>comprehensive
Description 

This command specifies the per-flow sampling rate for the cflowd export of Application Assurance performance statistics.

The no form of the command reverts to the default.

Default 

no flow-rate

Parameters 
sample-rate—
Specifies the rate at which to sample flows that are eligible for TCP performance measurement.
Values—
1 to 1000

 

flow-rate2

Syntax 
flow-rate2 sample-rate
no flow-rate2
Context 
config>app-assure>group>cflowd>rtp-performance
config>app-assure>group>cflowd>tcp-performance
config>app-assure>group>cflowd>comprehensive
Description 

This command specifies the per-flow second sampling rate for the cflowd export of Application Assurance performance statistics.

The no form of the command reverts to the default.

Default 

no flow-rate2

Parameters 
sample-rate —
Specifies the rate at which to sample flows that are eligible for TCP and/or RTP performance measurement.
Values—
1 to 1000

 

template-retransmit

Syntax 
template-retransmit seconds
no template-retransmit
Context 
config>app-assure>group>cflowd
Description 

This command configures the period of time, in seconds, for the template to be retransmitted.

Default 

template-retransmit 600

Parameters 
seconds—
Specifies the time period for the template to be retransmitted.
Values—
10 to 600

 

Default—
600

tcp-performance

Syntax 
tcp-performance
Context 
config>app-assure>group>cflowd
Description 

This command enables the context to configure Cflowd TCP performance export parameters.

volume

Syntax 
volume
Context 
config>app-assure>group>cflowd
Description 

This command configures the cflowd volume export.

rate

Syntax 
rate sample-rate
no rate
Context 
config>app-assure>group>cflowd>volume
Description 

This command configures the sampling rate of packets for the cflowd export of application assurance volume statistics.

The no form of the command reverts to the default value.

Parameters 
sample-rate—
Specifies the rate at which to sample packets for the cflowd export of application assurance volume statistics.
Values—
1 to 10000

 

tls-extension

Syntax 
[no] tls-extension
Context 
config>app-assure>group>http-enrich
Description 

This command enables the context to configure the TLS extension field name.

extension-id

Syntax 
extension-id extension-id
no extension-id
Context 
config>app-assure>group>http-enrich>tls-extension
Description 

This command configures an extension ID to be used for the customized extension.

The no form of the command removes the extension ID.

Default 

extension-id 17516

Parameters 
extension-id—
Specifies an extension ID
Values—
1 to 65535

 

subtype

Syntax 
[no] subtype tls extension subtype
Context 
config>app-assure>group>http-enrich>tls-extension
Description 

This command configures a TLS subtype.

The no form of the command removes the TLS subtype from the configuration.

Parameters 
tls extension subtype—
Specifies a TLS subtype, up to 32 characters

encode

Syntax 
encode type type key key | hash-key | hash2-key [hash | hash2]
no encode
Context 
config>app-assure>group>http-enrich>tls-extension>subtype
Description 

This command configures how the HTTP header enrichment TLS extension subtype is encoded.

The no form of the command removes the values from the configuration.

Parameters 
type—
Specifies the type of encoding that will be used on the field
Values—
md5, rc4

 

key—
Specifies the key associated with the encode method for the field name
hash-key—
Specifies the first hashed key
hash2-key—
Specifies the second hashed key
hash—
Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
hash2—
Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

http-error-redirect

Syntax 
http-error-redirect redirect-name [create]
no http-error-redirect redirect-name
Context 
config>app-assure>group
Description 

This command configures an HTTP error redirect policy. The policy contains important information relevant to the redirect server.

The no form of the command removes the redirect name from the group configuration.

Parameters 
redirect-name—
Specifies a string, up to 32 characters, that identifies the HTTP error redirect policy.
create—
Keyword to create the HTTP error redirect policy.

error-code

Syntax 
error-code error-code [custom-msg-size custom-msg-size]
no error-code error-code
Context 
config>app-assure>group>http-error-redirect
Description 

This command specifies the HTTP status codes to which a redirect action is applied. Only messages with sizes less than that configured here (custom-msg-size) are eligible for redirect action.

The no form of the command removes the parameters from the configuration.

Parameters 
error-code—
Specifies the error code for an HTTP error redirect.
Values—
0 to 4294967295, of which 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 451, 500, 501, 502, 503, 504, 505, 506, 507, 508, 509, 510, 511, 730, 731, and 735 are supported for redirect

 

custom-msg-size—
Specifies the maximum message size above which redirect will not be done.
Values—
0 to 4294967295

 

http-host

Syntax 
http-host http-host
no http-host
Context 
config>app-assure>group>http-error-redirect
Description 

This command refers to the HTTP host name of the landing server (Barefruit or Xerocole). It is used in the HTTP GET operation from the client (which is being redirected) to the redirect search landing server. It must contain a valid IP address or HTTP host name / URI for the HTTP GET from the client to the landing server to work.

The no form of the command removes the HTTP host string from the configuration.

Default 

no http-host

Parameters 
http-host—
Specifies a string, up to 255 characters, that refers to the HTTP host name of the landing server (Barefruit or Xerocole).

participant-id

Syntax 
participant-id participant-id
no participant-id
Context 
config>app-assure>group>http-error-redirect
Description 

This command specifies a 32-character string assigned to the operator by Barefruit. It is used by Barefruit landing servers (applies to template 1 only).

Default 

no participant-id

Parameters 
participant-id—
Specifies the 32-character string supplied by Barefruit.

template

Syntax 
template template-id
no template
Context 
config>app-assure>group
config>app-assure>group>http-error-redirect
Description 

This command refers to the template of parameters passed from the AA-ISA to the redirect server via JavaScript in the redirect packet. The template is specific to the redirect server being used in the network.

Currently, two partners are used and tested with the AA-ISA redirect solution: Barefruit and Xerocole.

The no form of the command reverts to the default.

Default 

1 = referring to redirect format for Barefruit landing server.

Parameters 
template-id—
Specifies an HTTP error redirect template.
Values—
0 to 4294967295
1 = Barefruit-specific template
2 = Xerocole-specific template

http-match-all-requests

Syntax 
[no] http-match-all-requests
Context 
config>app-assure>group
config>app-assure>group>policy>app-filter>entry
Description 

This command enables HTTP matching for all requests for a given HTTP expression.

The no form of the command restores the default (removes http-match-all-requests for this particular expression by this app-filter entry).

Default 

no http-match-all-requests

http-notification

Syntax 
http-notification http-notification-name [create]
no http-notification http-notification-name
Context 
config>app-assure>group
Description 

This command configures an http-notification object for subscriber in-browser notification.

The no form of the command removes the http notification policy from the configuration.

Parameters 
http-notification-name—
Specifies the name of the HTTP Notification policy.
create—
Specifies the mandatory keyword to create the policy.

interval

Syntax 
interval {one-time | minimum-interval}
Context 
config>app-assure>group>http-notif
Description 

This command configures the minimum interval between notification messages. It can be set to one-time or a value in minutes from 1 to 1440.

The no form of the command removes the interval from the http-notification policy.

Default 

interval one-time

Parameters 
minimum-interval—
Represents the minimum interval value, in minutes, between two HTTP notifications.
Values—
1 to 1440

 

script-url

Syntax 
script-url script-url-name
no script-url
Context 
config>app-assure>group>http-notif
Description 

This command configures the URL of the script used by the http notification policy.

The no form of the command removes the script URL from the http-notification policy.

Default 

no script-url

Parameters 
script-url-name—
Specifies the string representing the URL of the script used in the http notification policy, up to 255 characters.
create—
Keyword to create the script URL.

template

Syntax 
template value
no template
Context 
config>app-assure>group>http-notif
Description 

This command configures the template which defines the format and parameters included in the http notification message.

The no form of the command removes the template from the configuration.

Default 

no template

Parameters 
value—
Specifies the template id of this HTTP Notification.
Values—
1 — Javascript-url with SubID and optional Http-Url-Param
2 — Javascript-url and optional Http-Url-Param

 

http-redirect

Syntax 
http-redirect redirect-name [create]
no http-redirect redirect-name
Context 
config>app-assure>group
Description 

This command configures an HTTP redirect.

The no form of the command removes the HTTP redirect policy from the configuration.

Parameters 
redirect-name—
Specifies the HTTP redirect that will be applied. If no redirect name is specified, then HTTP redirect is not enabled.
create—
Keyword to create the HTTP redirect policy.

captive-redirect

Syntax 
captive-redirect
Context 
config>app-assure>group>http-redirect
Description 

This command configures the captive redirect capability for an HTTP redirect policy. HTTP redirect policies using captive redirect can be used in conjunction with a session filter policy and will terminate TCP flows in the ISA-AA card before reaching the Internet to redirect subscribers to the predefined redirect URL. Non-HTTP TCP flows are TCP reset. Captive redirect uses the provisioned VLAN ID to send the HTTP response to subscribers; therefore, this VLAN ID must be properly assigned in the same VPN as the subscriber. The operator can select the URL arguments to include in the redirect URL using either a specific template ID or by configuring the redirect URL using one of the supported macro substitution keywords.

vlan-id

Syntax 
vlan-id service-port-vlan-id
no vlan-id
Context 
config>app-assure>group>http-redirect>captive-redirect
Description 

This command configures the VLAN ID for captive redirect. Captive redirect uses the provisioned VLAN ID to send the HTTP response to subscribers; therefore, this VLAN ID must be properly assigned in the same VPN as the subscriber.

Parameters 
service-port-vlan-id —
Specifies the vlan-id.
Values—
1 to 4094

 

redirect-https

Syntax 
redirect-https
no redirect-https
Context 
config>app-assure>group>http-redirect
Description 

This command configures the http-redirect policy to redirect HTTPS sessions to the configured redirect-url.

The no form of the command removes the redirect-https.

redirect-url

Syntax 
redirect-url redirect-url
no redirect-url
Context 
config>app-assure>group>http-redirect
Description 

This command configures the HTTP redirect URL, which is the URL (page) that the user is redirected to when an HTTP redirect takes effect.

The operator can select the URL arguments to include in the redirect-url using either a specific template-id or by configuring the redirect-url using any of the supported macro substitution keywords. Only ESM and ESM-MAC sub types support $MAC, $SAP, $CID, and $RID macro substitution.

The no form of the command removes the redirect-url field from the configuration.

Parameters 
redirect-url—
Specifies the URL of the landing page
Values—
macro substitutions:
$URL — The Request-URI in the HTTP GET Request received.
$SUB — A string that represents the subscriber ID.
$IP — A string that represents the IP address of the subscriber host.
$RTRID — A string that represents the router ID.
$URLPRM — The HTTP URL parameter associated with the subscriber.
$MAC — A string that represents the MAC address of the subscriber host.
$SAP — A string that represents a SAP ID.
$CID — A string that represents the circuit-id or interface-id of the subscriber host (hexadecimal format).
$RID — A string that represents the remote-id of the subscriber host (hexadecimal format).

tcp-client-reset

Syntax 
[no] tcp-client-reset
Context 
config>app-assure>group>http-redirect
Description 

This command enables an HTTP redirect policy to initiate a TCP reset towards the client if the AA policy results in a redirect with packet drop but the HTTP redirect cannot be delivered. Scenarios for this include HTTPS (TLS) sessions, blocking of non-HTTP TCP traffic, and blocking of existing flows after a policy re-evaluation of an existing subscriber.

The no form of the command disables the command.

template

Syntax 
template template-id
no template
Context 
config>app-assure>group>http-redirect
Description 

This command configures the template that defines which parameters are appended to the HTTP host redirect field in the redirect message.

The HTTP redirect template provides HTTP 302 redirect containing only the URL specified in the redirect policy, with no other parameters.

The no form of the command removes the template from the configuration.

Default 

no template

Parameters 
template-id —
Specifies the HTTP Policy Redirect template.
Values—
1 — Javascript based redirect embedded in HTTP 200 OK response with a predefined number of arguments automatically appended to the redirect URL
2 — HTTP 302 Redirect with a predefined number of arguments automatically appended to the redirect URL.
3 — HTTP 302 Redirect with no parameters appended to the URL (empty).
4 — Empty Redirect format using Javascript.
5 — Redirect supporting macro substitution using HTTP 302.
6 — Redirect supporting macro substitution using Javascript.
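
A pre-deployment check for a redirect-url string against the macro keywords and template IDs listed above, with a preview of what a landing server would receive. This is an added example, not vendor code: the keyword tokenisation, the percent-encoding in the preview, the template finding (inferred from only templates 5 and 6 being described as supporting macro substitution), and the sample URL and values are assumptions.

```python
import re
from urllib.parse import quote

# Macro keywords documented for redirect-url.
MACROS = {"$URL", "$SUB", "$IP", "$RTRID", "$URLPRM",
          "$MAC", "$SAP", "$CID", "$RID"}
# Documented restriction: only ESM and ESM-MAC sub types support these.
ESM_ONLY = {"$MAC", "$SAP", "$CID", "$RID"}
# Templates described as supporting macro substitution (5: HTTP 302, 6: JavaScript).
MACRO_TEMPLATES = {5, 6}

# Assumption: a keyword is "$" plus the full run of capitals after it, so
# "$URLPRM" is one keyword and never "$URL" followed by "PRM".
_TOKEN = re.compile(r"\$[A-Z]+")


def lint_redirect_url(url, sub_type, template_id):
    """Return sorted (finding, detail) tuples for a redirect-url string."""
    findings = set()
    tokens = _TOKEN.findall(url)
    for tok in tokens:
        if tok not in MACROS:
            findings.add(("unknown-keyword", tok))
        elif tok in ESM_ONLY and sub_type.lower() not in ("esm", "esm-mac"):
            findings.add(("needs-esm-sub-type", tok))
    if any(t in MACROS for t in tokens) and template_id not in MACRO_TEMPLATES:
        findings.add(("template-without-macro-substitution", str(template_id)))
    return sorted(findings)


def preview_redirect_url(url, values):
    """Substitute known keywords with percent-encoded sample values."""
    def repl(match):
        tok = match.group(0)
        if tok not in MACROS:
            return tok                       # leave unknown keywords visible
        # Encoding is this example's choice: $URL carries the client's
        # Request-URI, so "&" and "=" inside it must not become parameters.
        return quote(values.get(tok, ""), safe="")
    return _TOKEN.sub(repl, url)


# Constructed sample input (not from the page).
SAMPLE_URL = "http://portal.example.net/login?u=$URL&p=$URLPRM&m=$MAC"
SAMPLE_VALUES = {"$URL": "/a?x=1&y=2", "$URLPRM": "gold",
                 "$MAC": "00:11:22:33:44:55"}

if __name__ == "__main__":
    # "other-type" is a placeholder for any sub type other than ESM/ESM-MAC.
    print(lint_redirect_url(SAMPLE_URL, "other-type", 5))
    print(preview_redirect_url(SAMPLE_URL, SAMPLE_VALUES))
```

The landing server should treat every substituted value as untrusted input, since $URL in particular is taken from the subscriber's own request.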

 

http-x-online-host

Syntax 
[no] http-x-online-host
Context 
config>app-assure>group
Description 

This command specifies whether X-Online-Host header field is used as a replacement for the HTTP Host header field.

The no form of the command disables the use of X-Online-Host header field used as a replacement.

Default 

no http-x-online-host

ip-prefix-list

Syntax 
ip-prefix-list ip-prefix-list-name [create]
no ip-prefix-list ip-prefix-list-name
Context 
config>app-assure>group
Description 

This command configures an IP prefix list.

Parameters 
ip-prefix-list-name—
Specifies the name of the IP prefix list, up to 32 characters.
create—
Mandatory keyword used when creating an application profile. The create keyword requirement can be enabled or disabled in the environment>create context.

prefix

Syntax 
prefix ip-prefix/ip-prefix-length [name prefix-name]
no prefix ip-prefix/ip-prefix-length
Context 
config>app-assure>group>ip-prefix-list
Description 

This command configures an IP prefix within the list.

The no form of the command removes the IP prefix from the configuration.

Parameters 
ip-prefix/ip-prefix-length—
The IP address in dotted decimal notation.
Values—

ipv4-prefix: a.b.c.d (host bits must be 0)
ipv4-prefix-length: 0 to 32
ipv6-prefix: x:x:x:x:x:x:x:x (eight 16-bit pieces)
             x:x:x:x:x:x:d.d.d.d
             x: [0 to FFFF]H
             d: [0 to 255]D
prefix-name: 32 characters max

 

http-enrich

Syntax 
http-enrich http-enrich_name [create]
no http-enrich http-enrich_name
Context 
config>app-assure>group
Description 

This command configures an HTTP enrichment policy.

The no form of the command removes the HTTP enrichment policy from the configuration.

Parameters 
http-enrich-name—
Specifies the name of the HTTP enrichment policy, up to 32 characters.
create—
Mandatory keyword used when creating an application profile. The create keyword requirement can be enabled and disabled in the environment>create context.

field

Syntax 
[no] field field-name
Context 
config>app-assure>group>http-enrich
Description 

This command configures which fields are inserted into the HTTP header. The command is repeated for each field to be inserted. The same field cannot be inserted twice into the header under different header names.

The no form of the command removes the specified parameter so that it is not inserted into the HTTP header.

Default 

none

Parameters 
field-name—
Specifies which parameters to insert into the header.
Values—
subscriber-ip, static-string

 

Where:

subscriber-ip: header name for the subscriber IP

static-string: header name for inserted string

subscriber-id: header name for subscriber ID

none

anti-spoof

Syntax 
[no] anti-spoof
Context 
config>app-assure>group>http-enrich>field
Description 

This command configures the HTTP header enrichment anti-spoofing functionality.

The no form of the command disables anti-spoofing functionality.

Default 

no anti-spoof

encode

Syntax 
encode type type key key
encode type type key hash-key hash
encode type type key hash2-key hash2
encode type type cert-profile cert-profile-name
no encode
Context 
config>app-assure>group>http-enrich>field
Description 

This command configures an HTTP header enrichment template field static string.

The no form of the command removes the template field static string.

Default 

no static-string

Parameters 
type—
Specifies whether the parameters are hashed with MD5 or encrypted with RC4 using the configured key, or if certificate-based encryption is used with RSA.
Values—
md5, rc4, certificate

 

key—
Specifies the key string, 64 characters maximum.
hash-key—
Specifies the first hashed key.
hash2-key—
Specifies the second hashed key.
hash—
Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
hash2—
Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
cert-profile-name—
Specifies the name of the certificate profile to be used. This profile must have already been created using the certificate-profile command.

name

Syntax 
name header-name
Context 
config>app-assure>group>http-enrich>field
Description 

This command configures an HTTP enrichment template field header name.

The no form of the command removes the HTTP enrichment template field header name from the configuration.

Parameters 
header-name—
Specifies the name of the HTTP enrichment policy. It is inserted before the actual field name (for example, x-subId = subscriberID).

static-string

Syntax 
static-string static-string
no static-string
Context 
config>app-assure>group>http-enrich>field
Description 

This command configures an HTTP header enrichment template field static string.

The no form of the command removes the template field static string.

Default 

no static-string

Parameters 
static-string—
Specifies a static string.

3.4.2.4. Group Commands

3.4.2.4.1. Transit Subscriber Commands

transit-ip-policy

Syntax 
transit-ip-policy ip-policy-id [create]
no transit-ip-policy ip-policy-id
Context 
config>app-assure>group
Description 

This command defines a transit AA subscriber IP policy. Transit AA subscribers are managed by the system through the use of this policy assigned to services, which determines how transit subscribers are created and removed for that service.

The no form of the command deletes the policy from the configuration. All associations must be removed in order to delete a policy.

Parameters 
ip-policy-id —
An integer that identifies a transit IP profile entry.
Values—
1 to 65535

 

create —
Keyword used to create the entry.

3.4.2.4.2. Policer Commands

policer

Syntax 
policer policer-name type type granularity granularity [create]
policer policer-name
no policer policer-name
Context 
config>app-assure>group
Description 

This command creates an application assurance policer profile of a specified type. Policers can be bandwidth or flow limiting and can have a system scope (limits traffic entering AA ISA for all or a subset of AA subscribers), or a subscriber scope or granularity (limits apply to each AA subscriber's traffic).

The policer type and granularity can only be configured during creation. They cannot be modified. The policer profile must be removed from all AQPs in order to be removed. Changes to policer profile parameters take effect immediately for policers instantiated as a result of AQP actions using this profile.

The no form of the command deletes the specified policer from the configuration.

Parameters 
policer-name —
Specifies a string of up to 32 characters that identifies the policer.
type—
Specifies the policer type.
Values—
single-bucket-bandwidth — Creates a profile for a single bucket (PIR) bandwidth limiting policer.
dual-bucket-bandwidth — Creates a profile for a dual bucket (PIR, CIR) bandwidth limiting policer.
flow-rate-limit — Creates a profile for a policer limiting the rate of flow set-ups.
flow-count-limit — Creates a profile for a policer limiting total flow count.

 

granularity—
Specifies the granularity type.
Values—
system — Creates a system policer profile for a policer that limits the traffic in the scope of all or a subset of AA subscribers on a given AA ISA.
subscriber — Creates a policer profile for a policer for each AA subscriber that limits the traffic in the scope of that subscriber.
access-network-location — Creates a policer profile for a policer instance for each ANL that limits traffic bandwidth in the scope of that ANL. For ANL, only single-bucket bandwidth policers can be configured.

 

create—
Keyword used to create the policer name and parameters.

action

Syntax 
action {priority-mark | permit-deny}
Context 
config>app-assure>group>policer
Description 

This command configures the action to be performed by single-bucket bandwidth policers for non-conformant traffic.

Dual bucket bandwidth policers cannot have their action configured and always mark traffic below CIR in profile, between CIR and PIR out of profile, and drop traffic above PIR. Flow policers always discard non-conformant traffic.

When multiple application assurance policers are configured against a single flow (including policers at both subscriber and system), the final action done to the flow/packet will be a logical OR of all policers' actions. For example, if only one of the policers requires the packet to be discarded, the packet will be dropped regardless of the action of the other policers.

Default 

action permit-deny

Parameters 
priority-mark —
Non-conformant traffic will be marked out of profile and the conformant traffic will be marked in profile. The new marking will overwrite any previous IOM QoS marking done to a packet.
permit-deny —
Non-conformant traffic will be dropped.

adaptation-rule

Syntax 
adaptation-rule pir {max | min | closest} [cir {max | min | closest}]
no adaptation-rule
Context 
config>app-assure>group>policer
Description 

This command defines the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined option. To change the CIR adaptation rule only, the current PIR rule must be part of the command executed.

The no form of the command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for rate and cir apply.

Default 

adaptation-rule pir closest cir closest

Parameters 
max—
The operational PIR or CIR for the queue will be equal to or less than the administrative rate specified using the rate command.
min —
The operational PIR or CIR for the queue will be equal to or greater than the administrative rate specified using the rate command.
closest —
The operational PIR or CIR for the queue will be the rate closest to the rate specified using the rate command.

congestion-override

Syntax 
congestion-override
Context 
config>app-assure>group>policer
Description 

This command enables the context to configure per subscriber congestion bandwidth policer override rates.

cbs

Syntax 
cbs committed-burst-size
cbs congested-cbs
no cbs
Context 
config>app-assure>group>policer
config>app-assure>group>policer>congestion-override
config>app-assure>group>tod-override
Description 

This command provides a mechanism to configure the committed burst size for the policer. It is recommended that CBS is configured larger than twice the maximum MTU for the traffic handled by the policer to allow for some burstiness of the traffic. CBS is configurable for dual-bucket bandwidth policers only.

The no form of the command resets the CBS value to its default.

Default 

no cbs

Parameters 
committed-burst-size | congested-cbs—
Specifies an integer value defining size, in kbytes, for the CBS of the policer.
Values—
0 to 131071

 

cir

Syntax 
cir congested-cir
no cir
Context 
config>app-assure>group>policer>congestion-override
Description 

This command provides a mechanism to configure the CIR for the congestion override policer. It is recommended that the CIR is configured larger than twice the maximum MTU for the traffic handled by the policer to allow for some burstiness of the traffic. The CIR is configurable for dual-bucket bandwidth policers only.

The no form of the command resets the CIR value to its default.

Default 

cir 0

Parameters 
congested-cir —
Specifies an integer value defining size, in kilobytes, for the CIR of the policer.
Values—
0 to 100000000

 

pir

Syntax 
pir congested-pir
no pir
Context 
config>app-assure>group>policer>congestion-override
Description 

This command provides a mechanism to configure the PIR for the congestion override policer. It is recommended that the PIR is configured larger than twice the maximum MTU for the traffic handled by the policer to allow for some burstiness of the traffic.

The no form of the command resets the PIR value to its default.

Default 

pir 0

Parameters 
congested-pir —
Specifies an integer value defining size, in kbytes, for the PIR of the policer.
Values—
0 to 100000000

 

flow-count

Syntax 
flow-count flow-count
no flow-count
Context 
config>app-assure>group>policer
config>app-assure>group>tod-override
Description 

This command configures the flow count for the flow-count-limit policer. It is recommended to configure a subscriber-level flow count policer for AA subscribers to ensure fair usage of flow resources between AA subscribers.

Default 

no flow-count

Parameters 
flow-count—
Specifies the flow count for the flow-count-limit policer.
Values—
0 to 100000000, max

 

gtp-traffic

Syntax 
[no] gtp-traffic
Context 
config>app-assure>group>policer
Description 

This command provides a mechanism to configure a policer to function at the GTP tunnel level. GTP tunnels are defined by a TEID and destination IP address, as opposed to normal flows, which are defined by IP 5-tuple values. By setting this value, the policer can then be used to limit GTP traffic (SeGW GTP firewall application).

The no form of the command resets policer behavior to act at the normal 5-tuple flow level and not at the GTP tunnel level.

Default 

no gtp-traffic

mbs

Syntax 
mbs congested-mbs
mbs maximum-burst-size
no mbs
Context 
config>app-assure>group>policer
config>app-assure>group>policer>congestion-override
config>app-assure>group>tod-override
Description 

This command provides a mechanism to configure the maximum burst size for the policer. It is recommended that MBS is configured larger than twice the MTU for the traffic handled by the policer to allow for some burstiness of the traffic. MBS is configurable for single-bucket, dual-bucket bandwidth and flow setup rate policers only.

The no form of the command resets the MBS value to its default.

Default 

no mbs

Parameters 
maximum-burst-size | congested-mbs—
Specifies an integer value defining either size, in kbytes, for the MBS of the bandwidth policer, or flow count for the MBS of the flow setup rate policers.
Values—
0 to 131071

 

rate

Syntax 
rate pir-rate [cir cir-rate]
no rate
Context 
config>app-assure>group>policer
config>app-assure>group>tod-override
Description 

This command configures the administrative PIR and CIR for bandwidth policers and flow setup rate limits for flow policers. The actual rate sustained by the flow can be limited by other policers that may be applied to that flow’s traffic. This command does not apply to flow-count-limit policers.

The cir option is applicable only to dual-bucket bandwidth policers. It is recommended to configure a subscriber-level flow setup rate policer for AA subscribers to ensure fair usage of flow resources between AA subscribers.

The no form of the command resets the values to defaults.

Default 

rate max cir 0

Parameters 
pir-rate—
Specifies an integer for the PIR rate in kb/s for bandwidth policers.
Values—
1 to 100000000, max or flows/sec

 

cir-rate
Specifies an integer for the CIR rate in kb/s.
Values—
0 to 100000000, max

 

rate-percentage

Syntax 
rate-percentage rate-percentage
no rate-percentage
Context 
config>app-assure>group>policer
Description 

This command indirectly configures the rate used by Access-Network-Location (ANL) policers. Because ANL total bandwidth is dynamically measured and estimated by AA, this command allows the operator to configure the ratio of that measured bandwidth to be used by the ANL policer as the policer rate.

The no form of the command resets the values to defaults.

Default 

no rate-percentage

Parameters 
rate-percentage—
Specifies an integer percentage that is applied against the ANL estimated maximum bandwidth to produce the actual rate that is used by the policer when ANL congestion occurs.
Values—
0 to 200 (0: means drop all traffic)

 

Default—
0

tod-override

Syntax 
tod-override tod-override-id [create]
no tod-override tod-override-id
Context 
config>app-assure>group>policer
Description 

This command creates a time of day override policy for a given policer. Up to 8 overrides can be configured per policer. The rate, mbs, cbs, flow-rate, and flow-count values configured in each override-id override the default policer values at the time of day configured in the override.

Parameters 
tod-override-id —
Specifies the time of day override ID.
Values—
1 to 255

 

create—
Keyword used to create the time of day override policy.

time-range

Syntax 
time-range daily start start-time end end-time [on day [day]]
time-range weekly start start-time end end-time
no time-range
Context 
config>app-assure>group>tod-override
Description 

This command configures up to seven time-ranges applicable to a particular override-id. The time-range can be configured as daily or weekly policies.

When using a daily override, the operator can select the days of the week, from Sunday to Saturday, on which it applies, along with the start and end time (hour and minute) that is repeated on each of those days.

When using a weekly override, the operator can select the days of the week between which the policy applies, down to the hour and minute for both the start day and the end day.

Default 

no time-range

Parameters 
daily —
Schedule the override as a daily occurrence.
weekly —
Schedule the override as a weekly occurrence.
Values—

start-time:
    daily: <hh>:<mm>
    weekly: <day>,<hh>:<mm>
    <hh>: 0..23
    <mm>: 0 | 15 | 30 | 45

end-time:
    daily: <hh>:<mm>
    weekly: <day>,<hh>:<mm>
    <hh>: 0..23
    <mm>: 0 | 15 | 30 | 45

day: sunday | monday | tuesday | wednesday | thursday | friday | saturday

 

3.4.2.4.3. Policy Commands

policy

Syntax 
policy
Context 
config>app-assure>group>policy
Description 

This command enables the context to configure parameters for application assurance policy. To edit any policy content, the begin command must be executed first to enter editing mode. Editing mode ends when the abort or commit command is issued.

abort

Syntax 
abort
Context 
config>app-assure>group>policy
Description 

This command ends the current editing session and aborts any changes entered during this policy editing session.

begin

Syntax 
begin
Context 
config>app-assure>group>policy
Description 

This command begins a policy editing session.

The editing session continues until one of the following conditions takes place:

  1. Abort or commit is issued.
  2. Control complex resets.

The editing session is not interrupted by:

  1. HA activity switch.
  2. CLI session termination (for example, as result of closing a Telnet session).

commit

Syntax 
commit
Context 
config>app-assure>group>policy
Description 

This command commits changes made during the current editing session. None of the policy changes take effect until the commit command is issued. If the changes are committed successfully, with no errors detected during cross-reference verification against the existing application assurance configuration, the editing session is also closed.

The newly committed policy takes effect immediately for all new flows. Existing flows transition onto the new policy shortly after the commit.

app-group

Syntax 
app-group application-group-name [create]
no app-group application-group-name
Context 
config>app-assure>group>policy
Description 

This command creates an application group for an application assurance policy.

The no form of the command deletes the application group from the configuration. All associations must be removed in order to delete a group.

Default 

no app-group

Parameters 
application-group-name —
A string of up to 32 characters uniquely identifying this application group in the system.
create—
Mandatory keyword used when creating an application group. The create keyword requirement can be enabled/disabled in the environment>create context.

charging-group

Syntax 
charging-group charging-group-name
no charging-group
Context 
config>app-assure>group>policy>app-group
config>app-assure>group>policy>application
Description 

This command associates an application or app-group to an application assurance charging group.

The no form of the command deletes the charging group association.

Default 

no charging-group

Parameters 
charging-group-name—
Specifies a string of up to 32 characters uniquely identifying an existing charging group in the system.

charging-group

Syntax 
charging-group {eq | neq} charging-group-name
no charging-group
Context 
config>app-assure>group>policy>aqp>entry>match
Description 

This command associates an application or app-group to an application assurance charging group.

The no form of the command deletes the charging group association.

Default 

no charging-group

Parameters 
charging-group-name—
Specifies a string of up to 32 characters uniquely identifying an existing charging group in the system.

charging-group

Syntax 
charging-group charging-group-name [create]
no charging-group charging-group-name
Context 
config>app-assure>group>policy
Description 

This command creates a charging group for an application assurance policy.

The no form of the command deletes the charging group from the configuration. All associations must be removed to delete a group.

Default 

no charging-group

Parameters 
charging-group-name—
Specifies a string of up to 32 characters uniquely identifying an existing charging group in the system.
create—
Mandatory keyword used when creating a charging group. The create keyword requirement can be enabled or disabled in the environment>create context.

export-id

Syntax 
export-id export-id
no export-id
Context 
config>app-assure>group>policy>application
config>app-assure>group>policy>application>charging-group
config>app-assure>group>policy>app-group
Description 

This command assigns an export-id value to a charging group, app-group, or application to be used for accounting export identification in RADIUS accounting. This ID is encoded in the top 2 bytes of the RADIUS accounting VSA to identify which charging group the counter value represents.

If no export-id is assigned, that counter cannot be added to the aa-sub stats RADIUS export-type. Once a charging group index is referenced, it cannot be deleted without removing the reference.

The no form of the command removes the export-id from the configuration.

Default 

no export-id

Parameters 
export-id—
Specifies an integer that identifies an export-id.
Values—
1 to 255

 

app-filter

Syntax 
app-filter
Context 
config>app-assure>group>policy
Description 

This command enables the context to configure an application filter for application assurance.

app-qos-policy

Syntax 
app-qos-policy
Context 
config>app-assure>group>policy
Description 

This command enables the context to configure an application QoS policy.

app-service-options

Syntax 
app-service-options
Context 
config>app-assure>group>policy
Description 

This command enables the context to configure application service option characteristics.

default-charging-group

Syntax 
default-charging-group charging-group-name
no default-charging-group
Context 
config>app-assure>group>policy
Description 

This command associates a charging group to any applications or app-groups that are not explicitly assigned to a charging group, for an application assurance policy.

The no form of the command deletes the default charging group from the configuration.

Default 

no default-charging-group

Parameters 
charging-group-name —
A string of up to 32 characters uniquely identifying an existing charging group in the system.

diff

Syntax 
diff
Context 
config>app-assure>group>policy
Description 

This command compares the newly configured policy against the operational policy.

application

Syntax 
application application-name [create]
no application application-name
Context 
config>app-assure>group>policy
Description 

This command creates an application of an application assurance policy.

The no form of the command deletes the application. To delete an application, all associations to the application must be removed.

Default 

none

Parameters 
application-name—
Specifies a string of up to 32 characters uniquely identifying this application in the system.
create—
Mandatory keyword used when creating an application. The create keyword requirement can be enabled/disabled in the environment>create context.

policy-override

Syntax 
policy-override
Context 
config>app-assure>group
Description 

This command enables the context to configure policy override parameters.

policy

Syntax 
policy aa-sub {sap sap-id | spoke-sdp sdp-id:vc-id | transit transit-aasub-name} [create]
no policy aa-sub {sap sap-id | spoke-sdp sdp-id:vc-id | transit transit-aasub-name}
Context 
config>app-assure>group>policy-override
Description 

This command specifies a given SAP or SDP to be used for a static policy override.

The no form of the command removes the policy override.

Parameters 
sap-id—
Specifies the physical port identifier portion of the SAP definition.
sdp-id:vc-id—
Specifies the spoke SDP ID and VC ID.
Values—
1 to 32767
1 to 4294967295

 

transit-aasub-name—
Specifies an existing transit subscriber name, up to 32 characters.
create—
Keyword used to create the policy override.

characteristic

Syntax 
characteristic characteristic-name value value-name
no characteristic characteristic-name
Context 
config>app-assure>group>policy-override>policy
Description 

This command configures an override characteristic and value.

Parameters 
characteristic-name—
Specifies the characteristic name, up to 32 characters.
value-name—
Specifies the override characteristic value for the application profile characteristic used by the application assurance subscriber.

port-list

Syntax 
port-list port-list-name [create]
no port-list port-list-name
Context 
config>app-assure>group
Description 

This command defines an AA group or partition named port-list, which contains a list of port numbers or port ranges. The port list is then referenced in AA policy app-filters, allowing increased flexibility in the use of server ports or HTTP proxy ports for application definition.

The no form of the command removes the list.

Parameters 
port-list-name—
Specifies the name of the port list.
Default—
default

port

Syntax 
[no] port port-number
[no] port range start-port-num end-port-num
Context 
config>app-assure>group>port-list
Description 

This command specifies the server TCP or UDP port number to use in the port list definition.

The no form of the command restores the default by removing the port number from the port list.

Default 

no port

Parameters 
port-number—
Specifies the port number.
Values—
0 to 65535

 

start-port-number—
Specifies the start port number.
Values—
0 to 65535

 

end-port-number—
Specifies the end port number.
Values—
0 to 65535

 

app-group

Syntax 
app-group app-group-name
Context 
config>app-assure>group>policy>application
Description 

This command associates an application with an application group of an application assurance policy.

Parameters 
app-group-name —
A string of up to 32 characters uniquely identifying an existing application in the system.

3.4.2.4.3.1. Application Filter Commands

entry

Syntax 
entry entry-id [create]
no entry entry-id
Context 
config>app-assure>group>policy>app-filter
Description 

This command creates an application filter entry.

App filter entries are an ordered list; the lowest numerical entry that matches the flow defines the application for that flow.

An application filter entry or entries configures match attributes of an application.

The no form of this command deletes the specified application filter entry.

Default 

none

Parameters 
entry-id —
Specifies an integer that identifies an app-filter entry.
Values—
1 to 65535

 

create—
Keyword used to create the entry.

application

Syntax 
application application-name
Context 
config>app-assure>group>policy>application
config>app-assure>group>policy>app-filter>entry
Description 

This command assigns this application filter entry to an existing application. Assigning the entry to Unknown application restores the default configuration.

Default 

unknown application

Parameters 
application-name —
Specifies an existing application name.

expression

Syntax 
expression expr-index expr-type {eq | neq} expr-string
no expression expr-index
Context 
config>app-assure>group>policy>app-filter>entry
Description 

This command configures string values to use in the application definition.

Parameters 
expr-index—
Specifies an index value which represents expression substrings.
Values—
1 to 4

 

expr-type—
Represents a type (and thereby the expression substring).

http-host — Matches the string against the HTTP Host field or TLS Server Name Indicator (SNI).

http-uri — Matches the string against the HTTP URI field.

http-referer — Matches the string against the HTTP Referer field.

http-user-agent — Matches the string against the HTTP User Agent field.

sip-ua — Matches the string against the SIP UA field.

sip-uri — Matches the string against the SIP URI field.

sip-mt — Matches the string against the SIP MT field.

citrix-app — Matches the string against the Citrix app field.

h323-product-id — Matches the string against the h323-product-id field.

tls-cert-subj-org-name — Matches the TLS Certificate Subject Organization Name substring.

tls-cert-subj-common-name — Matches the TLS Certificate Subject Common Name substring.

rtsp-host — Matches the Real Time Streaming Protocol (RTSP) substring host.

rtsp-uri — Matches the RTSP URI substring.

rtsp-ua — Matches the RTSP UA substring.

rtmp-page-host — Matches against the RTMP Page Host field.

rtmp-page-uri — Matches against the RTMP Page URI field.

rtmp-swf-host — Matches against the RTMP SWF Host field.

rtmp-swf-uri — Matches against the RTMP SWF URI field.

eq—
Specifies the equal to comparison operator to match the specified HTTP string.
neq—
Specifies the not equal to comparison operator to match the specified HTTP string.
expr-string—
Specifies an expression string, up to 64 characters, used to define a pattern match. Denotes a printable ASCII substring used as input to an application assurance filter match criteria object.

The following syntax is permitted within the substring to define the pattern match criteria:

^<substring>* - matches when <substring> is at the beginning of the object.

*<substring>* - matches when <substring> is at any place within the object.

*<substring>$ - matches when <substring> is at the end of the object.

^<substring>$ - matches when <substring> is the entire object.

* - matches zero to many of any character. A single wildcard as infix in the expression is allowed.

\. - matches any single character

\d - matches any single decimal digit [0-9]

\I - forces case sensitivity (by default, expression matches are case insensitive); the \I can be specified anywhere between the leading [^*] and trailing [$*]

\* - matches the asterisk character

Rules for <substring> characters:

<substring> must contain printable ASCII characters.

<substring> must not contain the “double quote” character or the “  ” (space) character on its own.

<substring> match is case insensitive by default.

<substring> must not include any regular expression meta-characters other than "*", "\I", "\.", "\*" and "\d".

The “\” (backslash) character is used as an ESCAPE sequence. The following ESCAPE sequences are permitted within the <substring>:

Character to match     <substring> input

Hexadecimal Octet YY     \xYY

A <substring> that uses the '\' (backslash) ESCAPE character which is not followed by a “\” or “\x” and a 2-digit hex octet is not valid.

Operational notes:

  1. When matching a TCP flow against HTTP-string based applications, the HTTP header fields are collected from the first HTTP request (for example a GET or a POST) for a given TCP flow. The collected strings are then evaluated against each HTTP flow created within the given TCP flow to determine whether a given HTTP flow matches the application. By not specifying a protocol, the HTTP expressions are matched against all protocols in the HTTP family. By specifying a specific HTTP protocol (for example, http_video) the expression match can be constrained to a subset of the HTTP protocols.
  2. To uniquely identify a SIP-based application, a protocol match is not required in the app-filter entry with the SIP expression. The SIP expression match is performed against any protocol in the SIP family (such as sip and rtp_sip). By specifying a specific SIP protocol (like rtp_sip) the expression match can be constrained to a subset of the SIP protocols.

flow-setup-direction

Syntax 
flow-setup-direction {subscriber-to-network | network-to-subscriber | both}
Context 
config>app-assure>group>policy>app-filter>entry
Description 

This command configures the direction of flow setup to which the application filter entry is to be applied.

Default 

flow-setup-direction both

Parameters 
subscriber-to-network—
Specifies that the app-filter entry will be applied to flows initiated by a local subscriber.
network-to-subscriber —
Specifies that the app-filter entry will be applied to flows initiated from a remote destination towards a local subscriber.
both —
Specifies that the app filter entry will be applied for subscriber-to-network and network-to-subscriber traffic.

http-port

Syntax 
http-port {eq | neq} port-num
http-port {eq | neq} port-list port-list-name
no http-port
Context 
config>app-assure>group>policy>app-filter>entry
Description 

This command specifies an HTTP server TCP or UDP port number or port list to use in the application definition.

The no form of the command restores the default by removing the HTTP port or port list from the application criteria defined by this app-filter entry.

Default 

no http-port

Parameters 
eq —
Specifies that the value configured and the value in the flow are equal.
neq —
Specifies that the value configured differs from the value in the flow.
port-list-name—
Specifies the name of the port list containing a set or range of ports, up to 32 characters.
port-num —
Specifies a valid server port number.
Values—
0 to 65535

 

ip-protocol-num

Syntax 
ip-protocol-num {eq | neq} protocol-id
no ip-protocol-num
Context 
config>app-assure>group>policy>app-filter>entry
config>app-assure>group>policy>aqp>entry>match
Description 

This command configures the IP protocol to use in the application definition.

The no form of the command restores the default (removes IP protocol number from application criteria defined by this app-filter entry).

Default 

no ip-protocol-num

Parameters 
eq—
Specifies that the value configured and the value in the flow must be equal.
neq —
Specifies that the value configured differs from the value in the flow.
protocol-id —
Specifies the decimal value representing the IP protocol to be used as an IP filter match criterion. Well known protocol numbers include ICMP (1), TCP (6), UDP (17).

The no form of the command removes the protocol from the match criteria.

Values—
1 to 255 (Decimal, Hexadecimal, or Binary representation).
Supported IANA IP protocol names:
none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, sctp, stp, tcp, udp, vrrp
* - udp/tcp wildcard

 

network-address

Syntax 
network-address {eq | neq} ip-address
network-address {eq | neq} ip-prefix-list ip-prefix-list-name
no network-address
Context 
config>app-assure>group>policy>app-filter>entry
Description 

This command configures the network address to use in application definition. The network address will match the destination IP address in a from-sub flow or the source IP address in a to-sub flow.

The no form of the command restores the default (removes the network address from application criteria defined by this entry).

Default 

no network-address

Parameters 
eq —
Specifies a comparison operator indicating that the value configured and the value in the flow are equal.
neq —
Specifies a comparison operator indicating that the value configured differs from the value in the flow.
ip-address—
Specifies a valid unicast address.
Values—

ipv4-address

a.b.c.d[/mask]

  mask - [1..32]

ipv6-address

x:x:x:x:x:x:x:x/prefix-length

x:x:x:x:x:x:d.d.d.d

  x - [0..FFFF]H

  d - [0..255]D

prefix-length   [1..128]

 

ip-prefix-list-name—
Specifies the name of an IP prefix list, up to 32 characters.

protocol

Syntax 
protocol {eq | neq} protocol-name
no protocol
Context 
config>app-assure>group>policy>app-filter>entry
Description 

This command configures protocol signature in the application definition.

The no form of the command restores the default (removes protocol from match application defined by this app-filter entry).

Default 

no protocol

Parameters 
eq—
Specifies that the value configured and the value in the flow are equal.
neq —
Specifies that the value configured differs from the value in the flow.
protocol-name —
A string of up to 32 characters identifying a predefined protocol.

server-address

Syntax 
server-address {eq | neq} ip-address
server-address {eq | neq} dns-ip-cache dns-ip-cache-name
server-address {eq | neq} ip-prefix-list ip-prefix-list-name
no server-address
Context 
config>app-assure>group>policy>app-filter>entry
Description 

This command configures the server address to use in application definition. The server IP address may be the source or destination, network or subscriber IP address.

The no form of the command restores the default (removes the server address from application criteria defined by this entry).

Default 

no server-address

Parameters 
eq —
Specifies a comparison operator that the value configured and the value in the flow are equal.
neq —
Specifies a comparison operator that the value configured differs from the value in the flow.
ip-address—
Specifies a valid unicast address.
Values—

ipv4-address

a.b.c.d[/mask]

  mask - [1..32]

ipv6-address

x:x:x:x:x:x:x:x/prefix-length

x:x:x:x:x:x:d.d.d.d

  x - [0..FFFF]H

  d - [0..255]D

prefix-length   [1..128]

 

dns-ip-cache-name—
Specifies a DNS IP cache name, up to 32 characters.
ip-prefix-list-name—
Specifies the name of an IP prefix list, up to 32 characters.

server-port

Syntax 
server-port {eq | neq | gt | lt} port-num
server-port {eq | neq} range start-port-num end-port-num
server-port {eq} {port-num | range start-port-num end-port-num} {first-packet-trusted | first-packet-validate}
server-port {eq | neq} port-list port-list-name
server-port {eq} port-list port-list-name {first-packet-trusted | first-packet-validate}
no server-port
Context 
config>app-assure>group>policy>app-filter>entry
Description 

This command specifies the server TCP or UDP port number to use in the application definition.

The no form of the command restores the default (removes server port number from application criteria defined by this app-filter entry).

Default 

no server-port (the server port is not used in the application definition)

Parameters 
eq —
Specifies that the value configured and the value in the flow are equal.
neq —
Specifies that the value configured differs from the value in the flow.
gt—
Specifies that all port numbers greater than server-port-number match.
lt —
Specifies that all port numbers less than server-port-number match.
port-list-name—
Specifies a named port list containing a set or range of ports.
port-num —
Specifies a valid server port number.
Values—
0 to 65535

 

start-port-num, end-port-num—
Specifies the starting or ending port number.
Values—
0 to 65535

 

Server Port Options:—
  1. No option specified: TCP/UDP port applications with full signature verification:
    1. AA ensures that other applications that can be identified do not run over a well-known port.
    2. Application-aware policy applied once signature-based identification completes (likely requiring several packets).
  2. first-packet-validate: TCP/UDP trusted port applications with signature verification:
    1. Application identified using well known TCP/UDP port based filters and re-identified once signature identification completes.
    2. AA policy applied from the first packet of a flow while continuing signature-based application identification. Policy re-evaluated once the signature identification completes, allowing detection of improper/unexpected applications on a well-known port.
  3. first-packet-trusted: TCP/UDP trusted port applications - no signature verification:
    1. Application identified using well known TCP/UDP port based filters only.
    2. Application Aware policy applied from the first packet of a flow.
    3. No signature processing assumes operator/customer trusts that no other applications can run on the well-known TCP/UDP port (statistics collected against trusted_tcp or trusted_udp protocol).
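
The following Python sketch is an added example, not Nokia code. It checks server-port lines against the five syntax forms above and reports entries that are identified by port only (first-packet-trusted), where no signature verification takes place. The sample configuration is constructed for illustration, and the function names and mode labels are hypothetical.

```python
import shlex

# Identification behaviour per option, as described under "Server Port Options".
MODES = {None: "signature",
         "first-packet-validate": "port-then-signature",
         "first-packet-trusted": "port-only"}

# Constructed sample input; entry 40 deliberately breaks the syntax.
SAMPLE_CONFIG = '''
app-filter
    entry 10 create
        server-port eq 53 first-packet-trusted
    exit
    entry 20 create
        server-port eq range 5060 5061 first-packet-validate
    exit
    entry 30 create
        server-port neq port-list "web-ports"
    exit
    entry 40 create
        server-port gt 1023 first-packet-validate
    exit
'''


def _port(text):
    value = int(text)  # raises ValueError for non-numeric input
    if not 0 <= value <= 65535:
        raise ValueError(f"port {value} outside 0 to 65535")
    return value


def parse_server_port(args):
    """Parse the tokens that follow 'server-port' against the five syntax forms."""
    if not args or args[0] not in ("eq", "neq", "gt", "lt"):
        raise ValueError("expected eq, neq, gt or lt")
    op, rest, option = args[0], list(args[1:]), None
    if rest and rest[-1] in MODES:
        option = rest.pop()
        if op != "eq":
            raise ValueError(f"{option} is only valid with eq")
    if len(rest) == 3 and rest[0] == "range":
        target = ("range", _port(rest[1]), _port(rest[2]))
    elif len(rest) == 2 and rest[0] == "port-list":
        target = ("port-list", rest[1])
    elif len(rest) == 1:
        target = ("port", _port(rest[0]))
    else:
        raise ValueError("expected port-num, range start end, or port-list name")
    if op in ("gt", "lt") and target[0] != "port":
        raise ValueError(f"{op} accepts a single port-num only")
    return {"op": op, "target": target, "mode": MODES[option]}


def audit(config_text):
    """Return (entry-id, finding, detail) tuples for entries that need review."""
    findings, entry = [], None
    for line in config_text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "entry":
            entry = int(tokens[1])
        elif tokens[0] == "server-port":
            try:
                parsed = parse_server_port(tokens[1:])
            except ValueError as err:
                findings.append((entry, "invalid", str(err)))
                continue
            if parsed["mode"] == "port-only":
                detail = " ".join(str(part) for part in parsed["target"])
                findings.append((entry, "port-only",
                                 "no signature verification for " + detail))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Entries reported as port-only are candidates for first-packet-validate, which keeps first-packet policy while still re-evaluating the flow once signature identification completes.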

3.4.2.4.3.2. Application Profile Commands

app-profile

Syntax 
app-profile app-profile-name [create]
no app-profile app-profile-name
Context 
config>app-assure>group>policy
Description 

This command creates an application profile and enables the context to configure the profile parameters.

The no form of the command removes the application profile from the configuration.

Default 

none

Parameters 
app-profile-name —
Specifies the name of the application profile up to 32 characters.
create—
Mandatory keyword used when creating an application profile. The create keyword requirement can be enabled/disabled in the environment>create context.

aa-sub-suppressible

Syntax 
aa-sub-suppressible
no aa-sub-suppressible
Context 
config>app-assure>group>policy>app-profile
Description 

This command configures an app-profile as “aa-sub-suppressible”. This function is used in the context of an SRRP group interface. If an SRRP group interface is configured as “suppress-aa-sub” then subscribers with an app-profile configured as “aa-sub-suppressible” will not be diverted to Application Assurance.

The no form of the command restores the default behavior.

Default 

no aa-sub-suppressible

capacity-cost

Syntax 
capacity-cost cost
no capacity-cost
Context 
config>app-assure>group>policy>app-profile
Description 

This command configures an application profile capacity cost. Capacity-Cost based load balancing allows a cost to be assigned to diverted SAPs (with the app-profile) and this is then used for load-balancing SAPs between ISAs as well as for a threshold that notifies the operator if/when capacity planning has been exceeded.

Default 

capacity-cost 1

Parameters 
cost—
Specifies the profile capacity cost.
Values—
1 to 65535

 

characteristic

Syntax 
characteristic characteristic-name value value-name
no characteristic characteristic-name
Context 
config>app-assure>group>policy>app-profile
Description 

This command assigns one of the existing values of an existing application service option characteristic to the application profile.

The no form of the command removes the characteristic from the application profile.

Parameters 
characteristic-name —
Specifies the name of an existing ASO characteristic.
value-name—
Specifies the name for the application profile characteristic up to 32 characters.

divert

Syntax 
[no] divert
Context 
config>app-assure>group>policy>app-profile
Description 

This command enables the redirection of traffic to AA ISA for the system-wide forwarding classes diverted to application assurance (divert-fc) for AA subscribers using this application profile.

The no form of the command stops redirect of traffic to AA ISAs for the AA subscribers using this application profile.

Default 

no divert

3.4.2.4.3.3. Application QoS Policy Commands

entry

Syntax 
entry entry-id [create]
no entry entry-id
Context 
config>app-assure>group>policy>aqp
Description 

This command creates an application QoS policy entry. A flow that matches multiple application QoS policy (AQP) entries will have the actions of all matching AQP entries applied. When a conflict occurs for two or more actions, the action from the AQP entry with the lowest numerical value takes precedence.

The no form of this command deletes the specified application QoS policy entry.

Default 

none

Parameters 
entry-id —
An integer identifying the AQP entry.
Values—
1 to 65535

 

create—
Mandatory keyword creates the entry. The create keyword requirement can be enabled/disabled in the environment>create context.

action

Syntax 
action
Context 
config>app-assure>group>policy>aqp>entry
Description 

This command enables the context to configure AQP actions to be performed on flows that match the AQP entry’s match criteria.

bandwidth-policer

Syntax 
bandwidth-policer policer-name
no bandwidth-policer
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command assigns an existing bandwidth policer as an action on flows matching this AQP entry. The match criteria for the AQP entry must specify a uni-directional traffic direction before a policer action can be configured. If a policer is used in one direction in an AQP match entry the same policer name cannot be used by another AQP entry which uses a different traffic direction match criteria.

When multiple policers apply to a single flow, the final action on a packet is the worst case of all policer outcomes (for example, if one of the policers marks packet out of profile, the final marking will reflect that).

The no form of the command removes bandwidth policer from actions on flows matching this AQP entry.

Default 

no bandwidth-policer

Parameters 
policer-name —
The name of the existing flow setup rate policer for this application assurance profile. The policer-name is configured in the config>app-assure>group>policer context.

drop

Syntax 
[no] drop
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command configures the drop action on flows matching this AQP entry. When enabled, all flow traffic matching this AQP entry will be dropped. When the drop action is part of a set of multiple actions to be applied to a single flow as a result of one or more AQP entry matches, the drop action will be performed first and no other action will be invoked on that flow.

The no form of the command disables the drop action on flows matching this AQP entry.

Default 

no drop

error-drop

Syntax 
error-drop [event-log event-log-name]
no error-drop
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command configures a drop action for error flows (bad IP checksums, tcp/udp port 0, and so on).

Default 

no error-drop

Parameters 
event-log-name —
Specifies the event log name, up to 32 characters.

flow-count-limit

Syntax 
flow-count-limit policer-name [event-log event-log-name]
no flow-count-limit
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command assigns an existing flow count limit policer as an action on flows matching this AQP entry.

The match criteria for the AQP entry must specify a uni-directional traffic direction before a policer action can be configured. If a policer is used in one direction in an AQP match entry the same policer name cannot be used by another AQP entry which uses a different traffic direction match criteria.

When multiple policers apply to a single flow, the final action on a packet is the worst case of all policer outcomes (for example, if one of the policers marks packet out of profile, the final marking will reflect that).

The no form of the command removes this flow policer from actions on flows matching this AQP entry.

Default 

no flow-count-limit

Parameters 
policer-name —
Specifies the name of the existing flow setup rate policer for this application assurance profile. The policer-name is configured in the config>app-assure>group>policer context.
event-log-name —
Specifies the name of the event log, up to 32 characters, which is used when event logging is enabled.

flow-rate-limit

Syntax 
flow-rate-limit policer-name [event-log event-log-name]
no flow-rate-limit
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command assigns an existing flow setup rate limit policer as an action on flows matching this AQP entry.

The match criteria for the AQP entry must specify a uni-directional traffic direction before a policer action can be configured. If a policer is used in one direction in an AQP match entry the same policer name cannot be used by another AQP entry which uses a different traffic direction match criteria.

When multiple policers apply to a single flow, the final action on a packet is the worst case of all policer outcomes (for example, if one of the policers marks packet out of profile, the final marking will reflect that).

The no form of the command removes this flow policer from actions on flows matching this AQP entry.

Default 

no flow-rate-limit

Parameters 
policer-name —
Specifies the policer name up to 32 characters.
event-log event-log-name
Specifies the event-log-name up to 32 characters, which will be used when event logging is enabled.

fragment-drop

Syntax 
fragment-drop {all | out-of-order} [event-log event-log-name]
no fragment-drop
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command specifies the action to apply to fragments.

Default 

no fragment-drop

Parameters 
all—
All the fragments will be dropped.
out-of-order—
All out of order fragments will be dropped.
event-log-name—
Specifies if the dropping of fragments should be logged to the specified event log name.

gtp-filter

Syntax 
gtp-filter gtp-filter-name
no gtp-filter
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command assigns an existing GTP filter as an action on flows matching this AQP entry.

The no form of the command removes this GTP filter from actions on flows matching this AQP entry.

Default 

no gtp-filter

Parameters 
gtp-filter-name—
Specifies the name of an existing GTP filter for this application assurance profile. The gtp-filter-name is configured in the config>app-assure>group[:partition]>gtp>gtp-filter context.

http-enrich

Syntax 
http-enrich http-enrich-name
no http-enrich
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command configures the HTTP header enrichment template name that will be applied as defined in the tmnxBsxHttpEnrichTable. An empty value specifies no HTTP header enrichment template.

Default 

no http-enrich

Parameters 
http-enrich-name—
Specifies the HTTP header enrichment template name up to 32 characters.

http-error-redirect

Syntax 
http-error-redirect redirect-name
no http-error-redirect
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command specifies the HTTP error redirect that will be applied as defined in the redirect table. An empty value specifies no HTTP error redirect.

Default 

no http-error-redirect

Parameters 
redirect-name—
Specifies an http-error redirect action, up to 32 characters, for flows matching this entry.

http-notification

Syntax 
http-notification http-notification
no http-notification
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command configures an HTTP notification action for flows matching this entry.

Default 

no http-notification

Parameters 
http-notification—
Specifies the Application-Assurance HTTP Notification that will be applied as defined in the tmnxBsxHttpNotifTable. If no string is configured then no HTTP notification will occur.

http-redirect

Syntax 
http-redirect http-redirect-name flow-type flow-type
no http-redirect
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command assigns an existing http redirect policy as an action on flows matching this AQP entry.

The redirect only takes effect if the matching flows are HTTP and the condition specified after the http-redirect command, admitted-flows or dropped-flows, is met. The condition specified by “dropped-flows” means the flow is dropped due to AQP actions such as “flow rate/count policers” or “drop” actions. HTTP Policy Redirect on admitted-flows allows the operator to redirect HTTP traffic to a web portal while allowing non-HTTP traffic matching the same AQP rule to be forwarded.

No HTTP redirect will take place if HTTP redirect action and a “drop/flow-police” action are part of the default AQP policy, because in this case, any flow drop actions will take place before identification of the application/application-group.

The no form of the command removes http redirect from actions on flows matching this AQP entry.

Default 

no http-redirect

Parameters 
http-redirect-name —
Specifies the name of the existing http policy redirect for this application assurance profile. The HTTP redirect name is configured in the config>app-assure>group>http-redirect context.
flow-type—
Specifies the flow type.
Values—
admitted-flows — Redirect HTTP flows matching the AQP criteria.
dropped-flows — Redirects those HTTP flows that are dropped due to an AQP action.

 

mirror-source

Syntax 
mirror-source [all-inclusive] mirror-service-id
no mirror-source
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command configures an application-based policy mirroring service that uses this AA ISA group’s AQP entry as a mirror source. When configured, AQP entry becomes a mirror source for IP packets seen by the AA (the mirrored packet is an IP packet analyzed by AA and does not include encapsulations present on the incoming interfaces).

Default 

no mirror-source

Parameters 
all-inclusive—
Specifies that all packets during identification phase that could match a given AQP rule are mirrored in addition to packets after an application identification completes that match the AQP rule. This ensures all packets of a given flow are mirrored at a cost of sending unidentified packets that once the application is identified will no longer match this AQP entry.
mirror-service-id—
Specifies the mirror source service ID to use for flows that match this policy.
Values—
1 to 2147483647
svc-name: 64 characters maximum

 

overload-drop

Syntax 
overload-drop [event-log event-log-name]
no overload-drop
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command configures a drop action for cases where flow records are not created (overload).

Parameters 
event-log-name—
Specifies the event log name, up to 32 characters.

remark

Syntax 
remark
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command configures remark action on flows matching this AQP entry.

dscp

Syntax 
dscp in-profile dscp-name out-profile dscp-name
no dscp
Context 
config>app-assure>group>policy>aqp>entry>action>remark
Description 

This command enables the context to configure DSCP remark action or actions on flows matching this AQP entry. When enabled, all packets for all flows matching this AQP entry will be remarked to the configured DSCP name.

DSCP remark can only be applied when the entry remarks forwarding class or forwarding class and priority. The in-profile or out-of-profile state of a given packet for DSCP remark is assessed after all AQP policing and priority remarking actions have taken place.

The no form of the command stops DSCP remarking action on flows matching this AQP entry.

Default 

no dscp

Parameters 
in-profile dscp-name
Specifies the DSCP name to use to remark in-profile flows that match this policy.
out-profile dscp-name
Specifies the DSCP name to use to remark out-of-profile flows that match this policy.
Values—
be, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cs1, cp9, af11, cp11, af12, cp13, af13, cp15, cs2, cp17, af21, cp19, af22, cp21, af23, cp23, cs3, cp25, af31, cp27, af32, cp29, af33, cp31, cs4, cp33, af41, cp35, af42, cp37, af43, cp39, cs5, cp41, cp42, cp43, cp44, cp45, ef, cp47, nc1, cp49, cp50, cp51, cp52, cp53, cp54, cp55, nc2, cp57, cp58, cp59, cp60, cp61, cp62, cp63

 

fc

Syntax 
fc fc-name
no fc
Context 
config>app-assure>group>policy>aqp>entry>action>remark
Description 

This command configures remark FC action on flows matching this AQP entry. When enabled, all packets for all flows matching this AQP entry will be remarked to the configured forwarding class.

The no form of the command stops FC remarking action on packets belonging to flows matching this AQP entry.

Default 

no fc

Parameters 
fc-name—
Configure the FC remark action for flows matching this entry.
Values—
be, l2, af, l1, h2, ef, h1, nc

 

priority

Syntax 
priority priority-level
no priority
Context 
config>app-assure>group>policy>aqp>entry>action>remark
Description 

This command configures remark discard priority action on flows matching this AQP entry. When enabled, all packets for all flows matching this AQP entry will be remarked to the configured discard priority.

Default 

no priority

Parameters 
priority-level—
Specifies the priority to apply to a packet.
Values—
high, low

 

sctp-filter

Syntax 
sctp-filter sctp-filter-name
no sctp-filter
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command assigns an existing SCTP filter as an action on flows matching this AQP entry.

The no form of the command removes this SCTP filter from actions on flows matching this AQP entry.

Default 

no sctp-filter

Parameters 
sctp-filter-name—
The name of the existing SCTP filter for this application assurance profile. The sctp-filter-name is configured in the config>app-assure>group[:partition]>sctp-filter context.

tcp-mss-adjust

Syntax 
tcp-mss-adjust segment-size
no tcp-mss-adjust
Context 
config>app-assure>group>aqp>entry>action
Description 

This command configures the value to adjust the TCP Maximum Segment Size (MSS) option. The no form of the command disables the segment size adjustment.

Default 

no tcp-mss-adjust

Parameters 
segment-size—
Specifies the value to put into the TCP Maximum Segment Size (MSS) option if not already present, or if the present value is higher.
Values—
160 to 10240

 

tcp-validate

Syntax 
tcp-validate tcp-validate-name
no tcp-validate
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command assigns an existing TCP validation policy as an action on flows matching this AQP entry.

tcp-validate can only be called from AQP entries that:

  1. have no matching conditions that relate to information extracted from the incoming IP packets; for example, no application or IP address.
  2. allow the following match conditions:
    1. none
    2. aa-sub
    3. characteristic
    4. traffic-direction (both only)
      traffic-direction cannot be unidirectional (from or to sub). It can either be set to both or left unspecified.

The no form of the command removes the TCP validation policy action from flows matching this AQP entry.

Default 

no tcp-validate

Parameters 
tcp-validate-name—
Specifies the name of the TCP validation policy for this application assurance profile. The TCP validation policy is configured using the config>app-assure>group>tcp-validate tcp-validate-name command.

tls-enrich

Syntax 
[no] tls-enrich
Context 
config>app-assure>group>aqp>entry>action
Description 

This command configures a TLS enrichment action for flows matching this entry.

url-filter

Syntax 
url-filter url-filter-name [characteristic characteristic-name]
no url-filter
Context 
config>app-assure>group>aqp>entry>action
Description 

This command configures a url-filter action for flows matching this entry.

Parameters 
url-filter-name—
Specifies the name of the url-filter policy.
characteristic-name—
Specifies the name of the characteristic.

characteristic

Syntax 
characteristic characteristic-name
Context 
config>app-assure>group>aqp>entry>action
Description 

This command enables the system to use the value of the characteristic name specified in the app-qos-policy url-filter action for the configurable ICAP x-header name provisioned in the url-filter policy. The ICAP server can then use this value to decide which url-filter policy to apply instead of applying a filter policy based on the subscriber name.

Parameters 
characteristic-name—
Specifies the name of the characteristic.

session-filter

Syntax 
session-filter session-filter-name
no session-filter
Context 
config>app-assure>group>policy>aqp>entry>action
Description 

This command specifies the Application-Assurance session filter that will be evaluated. If no session filters are specified then no session filters will be evaluated.

Default 

no session-filter

Parameters 
session-filter-name—
Specifies the session filter to be applied.

match

Syntax 
match
Context 
config>app-assure>group>policy>aqp>entry
Description 

This command enables the context to configure flow match rules for this AQP entry. A flow matches this AQP entry only if it matches all the match rules defined (logical AND of all rules). If no match rule is specified, the entry will match all flows.

aa-sub

Syntax 
aa-sub esm {eq | neq} sub-ident-string
aa-sub esm-mac {eq | neq} esm-mac-name
aa-sub sap {eq | neq} sap-id
aa-sub spoke-sdp {eq | neq} sdp-id:vc-id
aa-sub transit {eq | neq} transit-aasub-name
no aa-sub
Context 
config>app-assure>group>policy>aqp>entry>match
Description 

This command specifies a Service Access Point (SAP) or an ESM subscriber as matching criteria.

The no form of the command removes the SAP or ESM matching criteria.

Parameters 
eq—
Specifies that the value configured and the value in the flow are equal.
neq —
Specifies that the value configured differs from the value in the flow.
sub-ident-string—
Specifies the name of an existing application assurance subscriber.
esm-mac-name —
Specifies the name of an ESM-MAC subscriber.
sap-id—
Specifies the SAP ID.
sap sap-id
Specifies the physical port identifier portion of the SAP definition.
sdp-id:vc-id—
Specifies the spoke SDP ID and VC ID.
Values—
1 to 32767
1 to 4294967295

 

transit-aa-sub-name —
Specifies the name of a transit AA subscriber.

app-group

Syntax 
app-group {eq | neq} application-group-name
no app-group
Context 
config>app-assure>group>policy>aqp>entry>match
Description 

This command adds app-group to match criteria used by this AQP entry.

The no form of the command removes the app-group from match criteria for this AQP entry.

Default 

no app-group

Parameters 
eq—
Specifies that the value configured and the value in the flow are equal.
neq —
Specifies that the value configured differs from the value in the flow.
application-group-name —
The name of the existing application group entry. The application-group-name is configured in the config>app-assure>group>policy>aqp>entry>match context.

application

Syntax 
application {eq | neq} application-name
no application
Context 
config>app-assure>group>policy>aqp>entry>match
Description 

This command adds an application to match criteria used by this AQP entry.

The no form of the command removes the application from match criteria for this AQP entry.

Default 

no application

Parameters 
eq—
Specifies that the value configured and the value in the flow are equal.
neq —
Specifies that the value configured differs from the value in the flow.
application-name —
The name of an existing application. The application-group-name is configured in the config>app-assure>group>policy>aqp>entry>match context.

characteristic

Syntax 
characteristic characteristic-name eq value-name
no characteristic
Context 
config>app-assure>group>policy>aqp>entry>match
Description 

This command adds an existing characteristic and its value to the match criteria used by this AQP entry.

The no form of the command removes the characteristic from match criteria for this AQP entry.

Parameters 
eq—
Specifies that the value configured and the value in the flow are equal.
characteristic-name —
The name of the existing ASO characteristic up to 32 characters in length.
value-name —
The name of an existing value for the characteristic up to 32 characters in length.

charging-group

Syntax 
charging-group {eq | neq} charging-group-name
no charging-group
Context 
config>app-assure>group>policy>aqp>entry>match
Description 

This command adds charging-group to match criteria used by this AQP entry.

The no form of the command removes the charging-group from match criteria for this AQP entry.

Default 

no charging-group

Parameters 
eq —
Specifies that the value configured and the value in the flow are equal.
neq —
Specifies that the value configured differs from the value in the flow.
charging-group-name —
The name of the existing application group entry. The application-group name is configured in the config>app-assure>group>policy>aqp>entry>match context.

dscp

Syntax 
dscp {eq | neq} dscp-name
no dscp
Context 
config>app-assure>group>policy>aqp>entry>match
config>app-assure>group>sess-fltr>entry>match
Description 

This command adds a DSCP name to the match criteria used by this entry.

The no form of the command removes dscp from match criteria for this entry.

Default 

no dscp

Parameters 
eq—
Specifies that the value configured and the value in the flow are equal.
neq —
Specifies that the value configured differs from the value in the flow.
dscp-name —
Specifies the DSCP name to be used in the match.
Values—
be, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cs1, cp9, af11, cp11, af12, cp13, af13, cp15, cs2, cp17, af21, cp19, af22, cp21, af23, cp23, cs3, cp25, af31, cp27, af32, cp29, af33, cp31, cs4, cp33, af41, cp35, af42, cp37, af43, cp39, cs5, cp41, cp42, cp43, cp44, cp45, ef, cp47, nc1, cp49, cp50, cp51, cp52, cp53, cp54, cp55, nc2, cp57, cp58, cp59, cp60, cp61, cp62, cp63

 

dst-ip

Syntax 
dst-ip {eq | neq} ip-address
dst-ip {eq | neq} ip-prefix-list ip-prefix-list-name
no dst-ip
Context 
config>app-assure>group>policy>aqp>entry>match
Description 

This command specifies a destination IP address to use as match criteria.

Default 

no dst-ip

Parameters 
eq—
Specifies that a successful match occurs when the flow matches the specified address or prefix.
neq —
Specifies that a successful match occurs when the flow does not match the specified address or prefix.
ip-address—
Specifies a valid unicast address.
Values—

ipv4-address

a.b.c.d[/mask]

  mask - [1..32]

ipv6-address

x:x:x:x:x:x:x:x/prefix-length

x:x:x:x:x:x:d.d.d.d

  x - [0..FFFF]H

  d - [0..255]D

prefix-length   [1..128]

 

ip-prefix-list-name—
Specifies the name of an IP prefix list, up to 32 characters.

dst-port

Syntax 
dst-port {eq | neq} port-num
dst-port {eq | neq} port-list port-list-name
dst-port {eq | neq} range start-port-num end-port-num
no dst-port
Context 
config>app-assure>group>policy>aqp>entry>match
Description 

This command specifies a destination TCP/UDP port, destination port list, or destination range to use as match criteria.

The no form of the command removes the parameters from the configuration.

Default 

no dst-port

Parameters 
eq—
Specifies that a successful match occurs when the flow matches the specified port.
neq —
Specifies that a successful match occurs when the flow does not match the specified port.
port-num—
Specifies the destination port number.
Values—
0 to 65535

 

start-port-num end-port-num—
Specifies the start or end destination port number.
Values—
0 to 65535

 

port-list-name —
Specifies a named port-list, up to 32 characters, containing a set of ports or ranges of ports.

ip-protocol-num

Syntax 
ip-protocol-num {eq | neq} protocol-id
no ip-protocol-num
Context 
config>app-assure>group>policy>aqp>entry>match
Description 

This command configures the IP protocol to use as match criteria.

The no form of the command removes the protocol from the match criteria.

Default 

no ip-protocol-num

Parameters 
eq —
Specifies that the value configured and the value in the flow must be equal.
neq —
Specifies that the value configured differs from the value in the flow.
protocol-id —
Specifies the decimal value representing the IP protocol to be used as an IP filter match criterion. Well known protocol numbers include ICMP (1), TCP (6), UDP (17).
Values—
1 to 255 (Decimal, Hexadecimal, or Binary representation).
Supported IANA IP protocol names:
crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, sctp, stp

 

src-ip

Syntax 
src-ip {eq | neq} ip-address
src-ip {eq | neq} ip-prefix-list ip-prefix-list-name
no src-ip
Context 
config>app-assure>group>policy>aqp>entry>match
Description 

This command specifies a source IP address to use as match criteria.

Default 

no src-ip

Parameters 
eq—
Specifies that a successful match occurs when the flow matches the specified address or prefix.
neq —
Specifies that a successful match occurs when the flow does not match the specified address or prefix.
ip-address—
Specifies a valid unicast address.
Values—

ipv4-address

a.b.c.d[/mask]

  mask - [1..32]

ipv6-address

x:x:x:x:x:x:x:x/prefix-length

x:x:x:x:x:x:d.d.d.d

  x - [0..FFFF]H

  d - [0..255]D

prefix-length   [1..128]

 

ip-prefix-list-name—
Specifies an IP prefix list name, up to 32 characters.

src-port

Syntax 
src-port {eq | neq} port-num
src-port {eq | neq} port-list port-list-name
src-port {eq | neq} range start-port-num end-port-num
no src-port
Context 
config>app-assure>group>policy>aqp>entry>match
Description 

This command specifies a source TCP/UDP port, source port list, or source range to use as match criteria.

The no form of the command removes the parameters from the configuration.

Default 

no src-port

Parameters 
eq—
Specifies that a successful match occurs when the flow matches the specified port.
neq —
Specifies that a successful match occurs when the flow does not match the specified port.
port-num—
Specifies the source port number.
Values—
0 to 65535

 

start-port-num end-port-num—
Specifies the start or end source port number.
Values—
0 to 65535

 

port-list-name —
Specifies a named port-list, up to 32 characters, containing a set of ports or ranges of ports.

traffic-direction

Syntax 
traffic-direction {subscriber-to-network | network-to-subscriber | both}
Context 
config>app-assure>group>policy>aqp>entry>match
Description 

This command specifies the direction of traffic where the AQP match entry will be applied.

To use a policer action with the AQP entry the match criteria must specify a traffic-direction of either subscriber-to-network or network-to-subscriber.

Default 

traffic-direction both

Parameters 
subscriber-to-network—
Traffic from a local subscriber will match this AQP entry.
network-to-subscriber —
Traffic to a local subscriber will match this AQP entry.
both—
Combines subscriber-to-network and network-to-subscriber.

3.4.2.4.3.4. Application Service Options Commands

characteristic

Syntax 
characteristic characteristic-name [create]
no characteristic characteristic-name
Context 
config>app-assure>group>policy>aso
Description 

This command creates the characteristic of the application service options.

The no form of the command deletes the characteristic. To delete a characteristic, it must not be referenced by other components of application assurance.

Default 

none

Parameters 
characteristic-name—
Specifies a string of up to 32 characters uniquely identifying this characteristic.
create—
Mandatory keyword used when creating a characteristic. The create keyword requirement can be enabled or disabled in the environment>create context.

default-value

Syntax 
default-value value-name
no default-value
Context 
config>app-assure>group>policy>aso>char
Description 

This command assigns one of the characteristic values as default.

When a default value is specified, app-profile entries that do not explicitly include this characteristic inherit the default value and use it as part of the AQP match criteria based on that app-profile.

A default-value is required for each characteristic. This is evaluated at commit time.

The no form of the command removes the default value for the characteristic.

Parameters 
value-name—
Specifies the name of an existing characteristic value.

value

Syntax 
[no] value value-name
Context 
config>app-assure>group>policy>aso>char
Description 

This command configures a characteristic value.

The no form of the command removes the value for the characteristic.

Parameters 
value-name —
Specifies a string of up to 32 characters uniquely identifying this characteristic value.

3.4.2.4.3.5. Custom Protocol Commands

custom-protocol

Syntax 
custom-protocol custom-protocol-id ip-protocol-num protocol-id [create]
custom-protocol custom-protocol-id
no custom-protocol custom-protocol-id
Context 
config>app-assure>group>policy
Description 

This command creates and enters the configuration context for custom protocols. Custom protocols allow the creation of TCP and UDP-based custom protocols (based on the ip-protocol-num option) that use a pattern match at an offset in the protocol signature definition.

Operator-configurable custom-protocols are evaluated ahead of any Nokia-provided protocol signature in order of custom-protocol-id (the lower ID is matched first in case of flow matching multiple custom-protocols) within the context the protocol is defined.

Custom protocols must be created before they can be used in an application definition, but they do not have to be enabled. To reference a custom protocol in an application definition, or in any other CLI configuration, use the protocol name formed by concatenating “custom_” and <custom-protocol-id> (for example, custom_01, custom_02 ... custom_10). This concatenation is also used when reporting custom protocol statistics.

Parameters 
custom-protocol-id—
Specifies the index into the protocol list that defines a custom protocol for application assurance.
Values—
1 to 10

 

protocol-id —
Specifies the IP protocol to match against for the custom protocol.
Values—
6, 17, Protocol numbers accepted in DHB, keywords: tcp, udp

 

create—
Mandatory keyword used when creating a custom protocol. The create keyword requirement can be enabled/disabled in the environment>create context.

expression

Syntax 
expression expr-index eq expr-string offset payload-octet-offset direction direction
no expression expr-index
Context 
config>app-assure>group>policy>custom-protocol
Description 

This command configures an expression string value for pattern-based custom protocol matching. A flow matches a custom protocol if the specified string is found at the configured offset in the TCP/UDP payload of the first payload packet.

Options:

  1. client-to-server — A pattern will be matched against a flow from a TCP client.
  2. server-to-client — A pattern will be matched against a flow from a TCP server.
  3. any – A pattern will be matched against a TCP/UDP flow in any direction (towards or from AA subscriber)

The no form of this command deletes a specified string expression from the definition.

Parameters 
expr-index—
Specifies the expression substring index.
Values—
1

 

expr-string—
Denotes a printable ASCII string, up to 16 characters, used to define a custom protocol match. Rules for expr-string characters:
  1. Must contain printable ASCII characters.
  2. Must not contain the “double quote” character or the “ ” (space) character on its own.
  3. Match is case sensitive.
  4. Must not include any regular expression meta-characters.

The “\” (backslash) character is used as the ESCAPE character. The following ESCAPE sequences are permitted within the expr-string:

Character to match       expr-string input
Hexadecimal Octet YY     \xYY

An expr-string that uses the “\” (backslash) ESCAPE character is not valid unless the backslash is followed by a “\”, or by an “x” and a 2-digit hex octet.

offset payload-octet-offset
Specifies the offset (in octets) into the protocol payload where the expr-string match starts.
Values—
0 to 127

 

direction direction
Specifies the protocol direction to match against to resolve to a custom protocol.
Values—
client-to-server, server-to-client, any
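
The expr-string rules and the lowest-ID-first evaluation of custom protocols described above, modelled in Python as an added example (not Nokia code) so an expression can be checked offline against sample first-payload packets before it is configured. Assumptions: the 16-character limit is taken to count characters as typed, the regular-expression meta-character rule is not checked because this page does not list those characters, the flow direction argument is the direction of the first payload packet, and all sample protocols and payloads are constructed.

```python
import string
from dataclasses import dataclass, field

MAX_EXPR_CHARS = 16      # expr-string: "up to 16 characters"
MAX_OFFSET = 127         # offset payload-octet-offset: 0 to 127
DIRECTIONS = ("client-to-server", "server-to-client", "any")
IP_PROTOCOLS = {"tcp": 6, "udp": 17}


def parse_expr_string(expr):
    """Validate an expr-string and return the octets it stands for."""
    # ASSUMPTION: the limit applies to the string as typed, escapes included.
    if not 1 <= len(expr) <= MAX_EXPR_CHARS:
        raise ValueError("expr-string must be 1 to 16 characters")
    out = bytearray()
    i = 0
    while i < len(expr):
        ch = expr[i]
        # Printable ASCII only; space and double quote must be escaped.
        if not (0x21 <= ord(ch) <= 0x7E) or ch == '"':
            raise ValueError(f"character {ch!r} must be written as \\xYY")
        if ch != "\\":
            out.append(ord(ch))
            i += 1
        elif expr[i + 1:i + 2] == "\\":
            out.append(0x5C)          # escaped backslash
            i += 2
        else:
            digits = expr[i + 2:i + 4]
            if (expr[i + 1:i + 2] != "x" or len(digits) != 2
                    or any(d not in string.hexdigits for d in digits)):
                raise ValueError(f"invalid escape at position {i}")
            out.append(int(digits, 16))
            i += 4
    return bytes(out)


@dataclass
class CustomProtocol:
    proto_id: int        # custom-protocol-id, 1 to 10
    ip_protocol: int     # 6 (tcp) or 17 (udp)
    expr: str            # expr-string as typed on the CLI
    offset: int          # payload-octet-offset
    direction: str       # client-to-server | server-to-client | any
    pattern: bytes = field(init=False)

    def __post_init__(self):
        if not 1 <= self.proto_id <= 10:
            raise ValueError("custom-protocol-id must be 1 to 10")
        if self.ip_protocol not in IP_PROTOCOLS.values():
            raise ValueError("ip-protocol-num must be 6 (tcp) or 17 (udp)")
        if not 0 <= self.offset <= MAX_OFFSET:
            raise ValueError("offset must be 0 to 127")
        if self.direction not in DIRECTIONS:
            raise ValueError("unknown direction")
        self.pattern = parse_expr_string(self.expr)

    @property
    def name(self):
        # Name used to reference the protocol elsewhere: custom_01 ... custom_10
        return f"custom_{self.proto_id:02d}"

    def matches(self, ip_protocol, flow_direction, first_payload):
        if ip_protocol != self.ip_protocol:
            return False
        if self.direction != "any" and self.direction != flow_direction:
            return False
        # Case-sensitive literal compare at the offset; a payload that is too
        # short yields a shorter slice and therefore no match.
        end = self.offset + len(self.pattern)
        return first_payload[self.offset:end] == self.pattern


def classify(protocols, ip_protocol, flow_direction, first_payload):
    """Return the name of the lowest-ID custom protocol that matches, or None."""
    for proto in sorted(protocols, key=lambda p: p.proto_id):
        if proto.matches(ip_protocol, flow_direction, first_payload):
            return proto.name
    return None


# Constructed sample definitions: two overlap on purpose to show ID ordering.
SAMPLE_PROTOCOLS = [
    CustomProtocol(5, IP_PROTOCOLS["tcp"], "HELO", 0, "any"),
    CustomProtocol(2, IP_PROTOCOLS["tcp"], r"HELO\x20v1", 0, "client-to-server"),
    CustomProtocol(1, IP_PROTOCOLS["udp"], r"\xDE\xAD", 4, "any"),
]

if __name__ == "__main__":
    # Constructed first-payload packets.
    for proto, direction, payload in [
        (6, "client-to-server", b"HELO v1\r\n"),
        (6, "server-to-client", b"HELO v1\r\n"),
        (17, "client-to-server", b"\x00\x00\x00\x00\xde\xad\x01"),
        (17, "client-to-server", b"\x00\x00\x00\x00\xde"),
    ]:
        print(proto, direction, payload, "->",
              classify(SAMPLE_PROTOCOLS, proto, direction, payload))
```
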

 

3.4.2.4.3.6. Session Filter Commands

session-filter

Syntax 
session-filter session-filter-name [create]
no session-filter session-filter-name
Context 
config>app-assure>group
Description 

This command creates a session filter.

Parameters 
session-filter-name—
Specifies the session filter name, up to 32 characters.
create—
Keyword used to create the session filter.

default-action

Syntax 
default-action {permit | deny} [event-log event-log-name]
Context 
config>app-assure>group>sess-fltr
Description 

This command specifies the default action to take for packets that do not match any filter entries.

The no form of the command reverts the default action to the default value (forward).

Default 

default-action deny

Parameters 
deny—
Indicates that packets matching the criteria are denied.
permit—
Indicates that packets matching the criteria are permitted.
event-log-name—
Specifies the event log name, up to 32 characters.

entry

Syntax 
entry entry-id [create]
no entry entry-id
Context 
config>app-assure>group>policy>sess-fltr
Description 

This command configures a particular Application-Assurance session filter match entry. Every session filter can have zero or more session filter match entries. An application filter entry or entries configures match attributes of an application.

The no form of this command deletes the specified entry.

Default 

none

Parameters 
entry-id —
Specifies an integer that identifies the entry.
Values—
1 to 65535

 

create—
Keyword used to create the entry.

action

Syntax 
action {permit | deny} [event-log event-log-name]
action application application-name
action http-redirect http-redirect-name [event-log event-log-name]
action tcp-optimizer tcp-optimizer-name
Context 
config>app-assure>group>sess-fltr>entry
Description 

This command configures the action for this entry.

Parameters 
deny—
Packets matching the criteria are denied.
permit—
Packets matching the criteria are permitted.
event-log-name—
Specifies the event log name, up to 32 characters.
application-name—
Specifies the application name, up to 32 characters.
http-redirect-name—
Specifies the HTTP redirect name, up to 32 characters.
tcp-optimizer-name—
Specifies the TCP optimizer name, up to 32 characters.

match

Syntax 
match
Context 
config>app-assure>group>sess-fltr>entry
Description 

This command enables the context to configure session conditions for this entry.

dst-ip

Syntax 
dst-ip ip-address
dst-ip dns-ip-cache dns-ip-cache-name
dst-ip ip-prefix-list ip-prefix-list-name
no dst-ip
Context 
config>app-assure>group>sess-fltr>entry>match
Description 

This command configures the destination IP address to match.

Default 

no dst-ip

Parameters 
ip-address—
Specifies a valid unicast address.
Values—

ipv4-address

a.b.c.d[/mask]

  mask - [1..32]

ipv6-address

x:x:x:x:x:x:x:x/prefix-length

x:x:x:x:x:x:d.d.d.d

  x - [0..FFFF]H

  d - [0..255]D

prefix-length   [1..128]

 

dns-ip-cache-name—
Specifies the name of the dns-ip-cache policy.

dst-port

Syntax 
dst-port {eq | gt | lt} port-num
dst-port port-list port-list-name
dst-port range start-port-num end-port-num
no dst-port
Context 
config>app-assure>group>sess-fltr>entry>match
Description 

This command specifies a destination TCP/UDP port, destination port list, or destination range to use as match criteria.

The no form of the command removes the parameters from the configuration.

Default 

no dst-port

Parameters 
eq—
Specifies that a successful match occurs when the flow matches the specified port.
gt —
Specifies all port numbers greater than the port-number match.
lt —
Specifies all port numbers less than the port-number match.
port-num—
Specifies the destination port number.
Values—
0 to 65535

 

start-port-num end-port-num—
Specifies the start or end destination port number.
Values—
0 to 65535

 

port-list-name —
Specifies a named port-list, up to 32 characters, containing a set of ports or ranges of ports.

ip-protocol-num

Syntax 
ip-protocol-num {ip-protocol-number | protocol-name}
no ip-protocol-num
Context 
config>app-assure>group>policy>sess-fltr>entry>match
Description 

This command configures the IP protocol to use in the application definition.

The no form of the command restores the default (removes IP protocol number from application criteria defined by this app-filter entry).

Default 

no ip-protocol-num

Parameters 
ip-protocol-number | protocol-name—
Specifies the decimal value representing the IP protocol to be used as an IP filter match criterion. Well known protocol numbers include ICMP (1), TCP (6), UDP (17).

The no form of the command removes the protocol from the match criteria.

Values—
1 to 255 (Decimal, Hexadecimal, or Binary representation).
Supported IANA IP protocol names:
none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, sctp, stp, tcp, udp, vrrp
* - udp/tcp wildcard

 

src-ip

Syntax 
src-ip ip-address
src-ip ip-prefix-list ip-prefix-list-name
no src-ip
Context 
config>app-assure>group>sess-fltr>entry>match
Description 

This command specifies a source IP address to use as match criteria.

Default 

no src-ip

Parameters 
ip-address—
Specifies a valid unicast address.
Values—

ipv4-address

a.b.c.d[/mask]

  mask - [1..32]

ipv6-address

x:x:x:x:x:x:x:x/prefix-length

x:x:x:x:x:x:d.d.d.d

  x - [0..FFFF]H

  d - [0..255]D

prefix-length   [1..128]

 

ip-prefix-list-name—
Specifies an IP prefix list name, up to 32 characters.

src-port

Syntax 
src-port {eq | gt | lt} port-num
src-port port-list port-list-name
src-port range start-port-num end-port-num
no src-port
Context 
config>app-assure>group>sess-fltr>entry>match
Description 

This command specifies a source TCP/UDP port, source port list, or source range to use as match criteria.

The no form of the command removes the parameters from the configuration.

Default 

no src-port

Parameters 
eq—
Specifies that a successful match occurs when the flow matches the specified port.
gt —
Specifies all port numbers greater than the port-number match.
lt —
Specifies all port numbers less than the port-number match.
port-num—
Specifies the source port number.
Values—
0 to 65535

 

start-port-num end-port-num—
Specifies the start or end source port number.
Values—
0 to 65535

 

port-list-name —
Specifies a named port-list, up to 32 characters, containing a set of ports or ranges of ports.

dns-ip-cache

Syntax 
dns-ip-cache dns-ip-cache-name
Context 
config>app-assure>group>sess-fltr>entry>match
Description 

This command configures a DNS IP cache using session filter DST IP match criteria. It is typically combined with an allow action in the context of captive-redirect.

Parameters 
dns-ip-cache-name—
Specifies the name of the dns-ip-cache policy.

http-redirect

Syntax 
http-redirect http-redirect-name
Context 
config>app-assure>group>sess-fltr>entry>action
Description 

This command configures a session filter entry action to HTTP redirect the subscriber flows. The HTTP redirect policy referenced within this session filter entry is configured for captive redirect with the appropriate VLAN id assigned.

Parameters 
http-redirect-name—
Specifies the name of the http-redirect-policy.

3.4.2.4.4. Statistics Commands

statistics

Syntax 
statistics
Context 
config>app-assure>group
Description 

This command enables the context to configure accounting and billing statistics for this AA ISA group.

aa-admit-deny

Syntax 
aa-admit-deny
Context 
config>app-assure>group>statistics
Description 

This command enables the context to configure admit-deny statistics generation.

accounting-policy

Syntax 
accounting-policy acct-policy-id
no accounting-policy
Context 
config>app-assure>group>statistics>aa-admit-deny
config>app-assure>group>statistics>aa-partition
config>app-assure>group>statistics>aa-sub
config>app-assure>group>statistics>aa-sub-study
config>app-assure>group>statistics>application
config>app-assure>group>statistics>app-grp
config>app-assure>group>statistics>protocol
config>isa>aa-grp>statistics
Description 

This command specifies the existing accounting policy to use for AA. Accounting policies are configured in the config>log>accounting-policy context.

Parameters 
acct-policy-id—
Specifies the existing accounting policy to use for applications.
Values—
1 to 99

 

collect-stats

Syntax 
[no] collect-stats
Context 
config>app-assure>group>statistics>aa-admit-deny
config>app-assure>group>statistics>aa-partition
config>app-assure>group>statistics>aa-sub
config>app-assure>group>statistics>aa-sub-study
config>app-assure>group>statistics>app-grp
config>app-assure>group>statistics>application
config>app-assure>group>statistics>protocol
config>isa>aa-grp>statistics
Description 

This command enables statistic collection within the applicable context.

Default 

disabled

gtp-filter-stats

Syntax 
[no] gtp-filter-stats
Context 
config>app-assure>group>statistics>aa-admit-deny
Description 

This command configures whether to include or exclude GTP filter admit-deny statistics in accounting records.

Default 

no gtp-filter-stats

policer-stats

Syntax 
[no] policer-stats
Context 
config>app-assure>group>statistics>aa-admit-deny
Description 

This command configures whether to include or exclude system and subscriber-level flow count and flow-setup rate policer admit-deny statistics in accounting records.

Default 

no policer-stats

policer-stats-resources

Syntax 
[no] policer-stats-resources
Context 
config>app-assure>group>statistics>aa-admit-deny
Description 

This command allows the operator to allocate or deallocate AA partition resources for policer admit-deny statistics.

Default 

no policer-stats-resources

sctp-filter-stats

Syntax 
[no] sctp-filter-stats
Context 
config>app-assure>group>statistics>aa-admit-deny
Description 

This command configures whether to include or exclude SCTP filter admit-deny statistics in accounting records.

Default 

no sctp-filter-stats

session-filter-stats

Syntax 
[no] session-filter-stats
Context 
config>app-assure>group>statistics>aa-admit-deny
Description 

This command configures whether to include or exclude session filter admit-deny statistics in accounting records.

Default 

no session-filter-stats

tcp-validate-stats

Syntax 
[no] tcp-validate-stats
Context 
config>app-assure>group>statistics>aa-admit-deny
Description 

This command configures whether to include or exclude TCP validation admit-deny statistics in accounting records.

Default 

no tcp-validate-stats

traffic-type

Syntax 
[no] traffic-type
Context 
config>app-assure>group>statistics>aa-partition
Description 

This command enables traffic type statistics collection within an aa-partition.

The no form of the command disables traffic type statistics collection.

aa-sub

Syntax 
aa-sub
Context 
config>app-assure>group>statistics
Description 

This command enables the context to configure accounting and statistics collection parameters per application assurance subscribers.

aggregate-stats

Syntax 
aggregate-stats export-using export-method [export-method...(up to 2 max)]
aggregate-stats no-export
Context 
config>app-assure>group>statistics>aa-sub
Description 

This command configures aa-sub accounting statistics for export of aggregate statistics of a given subscriber.

Default 

aggregate-stats no-export

Parameters 
export-method
Specifies the method of statistics export to be used.
Values—
accounting-policy (this is the only option for sub-aggregate statistics, and it is only supported in residential and VPN sub-scale modes).

 

no-export—
Disables the export.

app-group

Syntax 
app-group app-group-name export-using export-method [export-method...(up to 2 max)]
app-group app-group-name no-export
no app-group app-group-name
Context 
config>app-assure>group>statistics>aa-sub
Description 

This command enables the context to configure accounting and statistics collection parameters per system for application groups of application assurance for a given AA ISA group/partition.

The no form of the command removes the application group name.

Default 

none

Parameters 
app-group-name—
Specifies an existing application group name, up to 32 characters.
export-method —
Specifies the method of statistics export to be used.
Values—
accounting-policy, radius-accounting-policy

 

no-export—
Allows the referenced application group to be selected (via Diameter) for Gx-usage monitoring. Gx usage monitoring is enabled automatically (and this command is not shown) if the export-using parameter is selected for the respective application group.

Usage monitoring must be enabled at the group:partition level (config>app-assure>group>statistics>aa-sub>usage-monitoring) as well in order to allow any application/application group/charging group usage monitoring.

aa-sub-study

Syntax 
aa-sub-study study-type
Context 
config>app-assure>group>statistics
Description 

This command enables the context to configure accounting and statistics collection parameters per application assurance special study subscribers.

Parameters 
study-type—
Specifies special study protocol subscriber stats.
Values—
application, protocol

 

application

Syntax 
application application-name export-using export-method [export-method...(up to 2 max)]
application application-name no-export
no application application-name
Context 
config>app-assure>group>statistics>aa-sub
Description 

This command configures aa-sub accounting statistics for export of applications of a given AA ISA group/partition.

The no form of the command removes the application name.

Default 

none

Parameters 
application-name —
Specifies an existing application name, up to 32 characters.
export-method —
Specifies the method of statistics export to be used.
Values—
accounting-policy, radius-accounting-policy

 

no-export—
Allows the referenced application group to be selected (via Diameter) for Gx-usage monitoring. Gx usage monitoring is enabled automatically (and this command is not shown) if the export-using parameter is selected for the respective application group.

Usage monitoring must be enabled at the group:partition level (config>app-assure>group>statistics>aa-sub>usage-monitoring) as well in order to allow any application/application group/charging group usage monitoring.

charging-group

Syntax 
charging-group charging-group-name export-using export-method [export-method...(up to 2 max)]
charging-group charging-group-name no-export
no charging-group charging-group-name
Context 
config>app-assure>group>statistics>aa-sub
Description 

This command configures aa-sub accounting statistics for export of charging groups of a given AA ISA group/partition.

The no form of the command removes the parameters from the configuration.

Default 

none

Parameters 
charging-group-name —
The name of the charging group. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.
export-using export-method
Specifies the method of stats export to be used.
Values—
accounting-policy, radius-accounting-policy

 

no-export—
Allows the referenced charging group to be selected (via Diameter) for Gx-usage monitoring. Gx usage monitoring is enabled automatically (and this command is not shown) if the export-using parameter is selected for the respective charging group.

Usage monitoring must be enabled at the group:partition level (config>app-assure>group>statistics>aa-sub>usage-monitoring) as well in order to allow any application/application group/charging group usage monitoring.

exclude-tcp-retrans

Syntax 
[no] exclude-tcp-retrans
Context 
config>app-assure>group>statistics>aa-sub
Description 

This command applies only to EPC. When enabled, TCP errors and retransmission packets are not counted for the purpose of CBC. This setting has no impact on app/app-group aggregate AA stats.

Default 

no exclude-tcp-retrans

max-throughput-stats

Syntax 
[no] max-throughput-stats
Context 
config>app-assure>group>statistics>aa-sub
Description 

This command enables the collection of max-throughput statistics.

The no form of the command disables the collection.

Default 

no max-throughput-stats

protocol

Syntax 
protocol protocol-name export-using export-method
no protocol protocol-name
Context 
config>app-assure>group>statistics>aa-sub
Description 

This command configures aa-sub accounting statistics for export of protocols of a given AA ISA group/partition.

The no form of the command removes the protocol name.

Default 

none

Parameters 
protocol-name —
Specifies an existing protocol name up to 32 characters in length.
export-using export-method
Specifies the method of stats export to be used. Accounting-policy is the only option for protocol statistics.

protocol

Syntax 
protocol
Context 
config>app-assure>group>statistics
Description 

This command enables the context to configure accounting and statistics collection parameters per-system for protocols of application assurance for a given AA ISA group/partition.

aa-sub

Syntax 
[no] aa-sub {esm sub-ident-string | sap sap-id | spoke-sdp sdp-id:vc-id | transit transit-aasub-name | esm-mac esm-mac-name}
Context 
config>app-assure>group>statistics>aa-sub-study
Description 

This command adds an existing subscriber identification to a group of special study subscribers (for example, subscribers for which per subscriber statistics and accounting records can be collected for protocols and applications of application assurance).

The no form of the command removes the subscriber from the special study subscribers.

Up to 100 subscribers can be configured into the special study group for protocols and up to 100 potentially different subscribers can be configured into the special study group for applications.

When adding a subscriber to the special study group, accounting records and statistics generation will commence immediately. When removing a subscriber from the group, special study statistics and accounting records for that subscriber in the current interval will be lost.

Default 

none

Parameters 
sub-ident-string —
Specifies the name of a subscriber ID. The subscriber does not need to be currently active. Any sub-ident-string will be accepted. When the subscriber becomes active, statistics generation will start automatically at that time.
sap-id
Specifies the physical port identifier portion of the SAP definition.
spoke-sdp sdp-id:vc-id—
Specifies the spoke SDP ID and VC ID.
Values—
1 to 32767
1 to 4294967295

 

transit-aasub-name
Specifies an existing transit subscriber name string, up to 32 characters in length.
esm-mac-name
Specifies an existing ESM-MAC subscriber name, up to 32 characters.

radius-accounting-policy

Syntax 
radius-accounting-policy rad-acct-plcy-name
no radius-accounting-policy
Context 
config>app-assure>group>statistics>aa-sub
Description 

This command specifies an existing subscriber RADIUS based accounting policy to use for AA. RADIUS Accounting policies are configured in the config>app-assure>radius-accounting-policy context.

Default 

no radius-accounting-policy

Parameters 
rad-acct-plcy-name—
Specifies the name of the policy. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.

usage-monitoring

Syntax 
[no] usage-monitoring
Context 
config>app-assure>group>statistics>aa-sub
Description 

This command enables Gx usage monitoring for the given AA group/partition. It can only be enabled if there are enough usage monitoring resources for all existing subs. Once disabled, all monitoring instances for AA subscribers are silently removed (no PCRF notifications) and all subsequent AA Gx usage monitoring messages are ignored.

Default 

no usage-monitoring

threshold-crossing-alert

Syntax 
threshold-crossing-alert
Context 
config>app-assure>group>statistics
Description 

This command enables the context to configure the generation of threshold crossing alerts (TCAs).

error-drop

Syntax 
error-drop direction direction [create]
no error-drop direction direction
Context 
config>app-assure>group>statistics>tca
Description 

This command configures a TCA for the counter capturing error drops. An error drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating an error-drop TCA.

Default 

none

Parameters 
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the error drop TCA.

fragment-drop-all

Syntax 
fragment-drop-all direction [create]
no fragment-drop-all direction
Context 
config>app-assure>group>statistics>tca
Description 

This command configures a TCA for the counter capturing drops due to the fragment-drop-all AQP command. A fragment-drop-all TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a fragment-drop-all TCA.

Default 

none

Parameters 
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

fragment-drop-out-of-order

Syntax 
fragment-drop-out-of-order direction [create]
no fragment-drop-out-of-order direction
Context 
config>app-assure>group>statistics>tca
Description 

This command configures a TCA for the counter capturing drops due to the fragment-drop-out-of-order AQP command. A fragment-drop-out-of-order TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a fragment-drop-out-of-order TCA.

Parameters 
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

gtp-filter

Syntax 
gtp-filter filter-name
Context 
config>app-assure>group>statistics>tca
Description 

This command configures TCA generation for a GTP filter.

Parameters 
filter-name—
Specifies the name of the GTP filter, up to 32 characters.

max-payload-length

Syntax 
max-payload-length direction direction [create]
no max-payload-length direction direction
Context 
config>app-assure>group>statistics>tca>gtp-filter
Description 

This command configures a TCA for the counter capturing drops due to the GTP filter maximum payload length. A maximum payload length drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a maximum payload length drop TCA.

Default 

none

Parameters 
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

message-type

Syntax 
message-type
Context 
config>app-assure>group>statistics>tca>gtp-filter
Description 

This command configures a TCA for the counter capturing hits due to the GTP filter message type.

Default 

none

default-action

Syntax 
default-action direction direction [create]
no default-action direction direction
Context 
config>app-assure>group>statistics>tca>gtp-fltr>msg
Description 

This command configures a TCA for the counter capturing hits for the specified GTP filter default action. A default action TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.

Default 

none

Parameters 
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

entry

Syntax 
entry entry-id direction direction [create]
no entry entry-id direction direction
Context 
config>app-assure>group>statistics>tca>gtp-fltr>msg
Description 

This command configures a TCA for the counter capturing hits for the specified GTP filter entry. A GTP filter entry TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a GTP filter entry TCA.

Default 

none

Parameters 
entry-id—
Specifies the GTP filter message-type entry identifier.
Values—
1 to 255

 

direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

header-sanity

Syntax 
header-sanity direction direction [create]
no header-sanity direction direction
Context 
config>app-assure>group>statistics>tca>gtp-fltr>msg
Description 

This command configures a TCA for the counter capturing hits for the GTP filter header sanity. A GTP filter header-sanity TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.

Default 

none

Parameters 
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

gtp-sanity-drop

Syntax 
gtp-sanity-drop direction direction [create]
no gtp-sanity-drop direction direction
Context 
config>app-assure>group>statistics>tca
Description 

This command configures a TCA for the counter capturing drops due to basic GTP header sanity checks, such as validating that the GTP-U version is 1 and that the protocol bit is set to 1 for UDP traffic destined to port 2152. A GTP sanity drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a GTP sanity drop TCA.

Default 

none

Parameters 
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

overload-drop

Syntax 
overload-drop direction direction [create]
no overload-drop direction direction
Context 
config>app-assure>group>statistics>tca
Description 

This command configures a TCA for the counter capturing drops due to the overload-drop AQP command. An overload-drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating an overload-drop TCA.

Default 

none

Parameters 
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

policer

Syntax 
policer policer-name direction direction [create]
no policer policer-name direction direction
Context 
config>app-assure>group>statistics>tca
Description 

This command configures a TCA for the counter capturing drops or admit events due to the specified flow policer. A policer TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a policer TCA.

Default 

none

Parameters 
policer-name—
Specifies the name of the flow policer, up to 32 characters.
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

sctp-filter

Syntax 
sctp-filter sctp-filter-name
Context 
config>app-assure>group>statistics>tca
Description 

This command configures TCA generation for an SCTP filter.

Default 

none

Parameters 
sctp-filter-name—
Specifies the name of the SCTP filter, up to 32 characters.

packet-sanity

Syntax 
packet-sanity direction direction [create]
no packet-sanity direction direction
Context 
config>app-assure>group>statistics>tca>sctp-filter
Description 

This command configures a TCA for the counter capturing packet sanity hits for the specified SCTP filter. A packet sanity TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.

Default 

none

Parameters 
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

ppid

Syntax 
ppid
Context 
config>app-assure>group>statistics>tca>sctp-filter
Description 

This command configures a TCA for the counter capturing PPID hits for the specified SCTP filter.

Default 

none

default-action

Syntax 
default-action direction direction [create]
Context 
config>app-assure>group>statistics>tca>sctp-fltr>ppid
Description 

This command configures a TCA for the counter capturing hits for the specified SCTP filter default PPID. A default action TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.

Default 

none

Parameters 
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

entry

Syntax 
entry entry-id direction direction [create]
no entry entry-id direction direction
Context 
config>app-assure>group>statistics>tca>sctp-fltr>ppid
Description 

This command configures a TCA for the counter capturing hits for the specified SCTP filter PPID entry. An SCTP filter entry TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.

Default 

none

Parameters 
entry-id—
Specifies the SCTP filter PPID entry identifier.
Values—
1 to 255

 

direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

ppid-range

Syntax 
ppid-range direction direction [create]
no ppid-range direction direction
Context 
config>app-assure>group>statistics>tca>sctp-filter
Description 

This command configures a TCA for the counter capturing hits for the specified SCTP filter PPID range command. A PPID range TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.

Default 

none

Parameters 
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

session-filter

Syntax 
session-filter session-filter-name
Context 
config>app-assure>group>statistics>tca
Description 

This command configures TCA generation for a session filter.

Default 

none

Parameters 
session-filter-name—
Specifies the name of the session filter, up to 32 characters.

default-action

Syntax 
default-action direction direction [create]
no default-action direction direction
Context 
config>app-assure>group>statistics>tca>session-filter
Description 

This command configures a TCA for the counter capturing hits for the specified session filter default action. A default action TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.

Default 

none

Parameters 
direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

entry

Syntax 
entry entry-id direction direction [create]
no entry entry-id direction direction
Context 
config>app-assure>group>statistics>tca>session-filter
Description 

This command configures a TCA for the counter capturing hits for the specified session filter entry. A session filter entry TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.

Default 

none

Parameters 
entry-id—
Specifies the session filter entry identifier.
Values—
1 to 65535

 

direction—
Specifies the traffic direction.
Values—
from-sub, to-sub

 

create—
Keyword used to create the TCA.

high-wmark

Syntax 
high-wmark high-watermark low-wmark low-watermark
Context 
config>app-assure>group>statistics>tca>error-drop
config>app-assure>group>statistics>tca>fragment-drop-all
config>app-assure>group>statistics>tca>fragment-drop-out-of-order
config>app-assure>group>statistics>tca>gtp-fltr>max-payload-length
config>app-assure>group>statistics>tca>gtp-fltr>msg>default-action
config>app-assure>group>statistics>tca>gtp-fltr>msg>entry
config>app-assure>group>statistics>tca>gtp-fltr>msg>header-sanity
config>app-assure>group>statistics>tca>gtp-sanity-drop
config>app-assure>group>statistics>tca>overload-drop
config>app-assure>group>statistics>tca>policer
config>app-assure>group>statistics>tca>sctp-fltr>packet-sanity
config>app-assure>group>statistics>tca>sctp-fltr>ppid>default-action
config>app-assure>group>statistics>tca>sctp-fltr>ppid>entry
config>app-assure>group>statistics>tca>sctp-fltr>ppid>ppid-range
config>app-assure>group>statistics>tca>sess-fltr>default-action
config>app-assure>group>statistics>tca>sess-fltr>entry
config>app-assure>group>statistics>tca>tcp-validate
Description 

This command configures the high watermark and low watermark thresholds for the specified TCA.

Default 

high-wmark 4294967295 low-wmark 0

Parameters 
high-watermark—
Specifies the TCA high watermark.
Values—
1 to 4294967295

 

Default—
4294967295
low-watermark—
Specifies the TCA low watermark.
Values—
0 to 4294967294

 

Default—
0

tcp-validate

Syntax 
tcp-validate tcp-validate-name direction direction [create]
no tcp-validate tcp-validate-name direction direction
Context 
config>app-assure>group>statistics>tca
Description 

This command configures a TCA for the counter capturing drop or admit events due to the specified TCP validation function.

Default 

none

Parameters 
tcp-validate-name—
Specifies the name of the TCP validation policy, up to 32 characters.
direction—
Specifies the traffic direction in relation to the AA subscriber.
Values—
from-sub, to-sub

 

create—
This keyword is mandatory when creating a TCA instance.

3.4.2.4.5. TCP Validation Commands

tcp-validate

Syntax 
tcp-validate tcp-validate-name [create]
no tcp-validate tcp-validate-name
Context 
config>app-assure>group
Description 

This command configures a TCP validation policy.

The no form of the command removes the specified TCP validation policy.

Default 

no tcp-validate

Parameters 
tcp-validate-name—
Specifies the name of the TCP validation policy, up to 32 characters.
create—
This keyword is mandatory when creating a TCP validation policy.

event-log

Syntax 
event-log event-log-name [all]
no event-log
Context 
config>app-assure>group>tcp-validate
Description 

This command enables logging of traffic dropped by TCP validation.

The no form of the command disables logging of traffic dropped by TCP validation.

Default 

no event-log

Parameters 
event-log-name—
Specifies the name of the event log, up to 32 characters.
all—
Logs all dropped traffic. Using the all option allows the operator to capture all discards made by the TCP validation policy, including those related to:
  1. packets that were received after an RST and discarded
  2. packets received before TCP session establishment (before SYN) and discarded

Without the all option, discards related to these cases are not captured in any event log.

strict

Syntax 
[no] strict
Context 
config>app-assure>group>tcp-validate
Description 

This command specifies whether enforcement of TCP sequence and acknowledgment numbers is applied. If a packet does not meet the expected sequence or acknowledgment number, it is dropped.

This command should only be enabled if the expected bit error rate or packet loss is low. For example, if acknowledgments are lost before being detected by AA, server timeouts are triggered and retransmissions occur. If strict is enabled, these retransmissions would resemble a replay attack and would be dropped by AA.

The no form of the command removes TCP sequence and acknowledgment number enforcement.

Default 

no strict

3.4.2.4.6. Policy Commands

transit-ip-policy

Syntax 
transit-ip-policy ip-policy-id [create]
no transit-ip-policy ip-policy-id
Context 
config>app-assure>group
Description 

This command defines a transit AA subscriber IP policy. Transit AA subscribers are managed by the system through the use of this policy assigned to services, which determines how transit subs are created and removed for that service.

The no form of the command deletes the policy from the configuration. All associations must be removed in order to delete a policy.

Default 

no transit-ip-policy

Parameters 
ip-policy-id —
Specifies an integer that identifies a transit IP profile entry.
Values—
1 to 65535

 

create —
A keyword used to create the entry.

diameter

Syntax 
diameter
Context 
config>app-assure>group>transit-ip
Description 

This command enables the context to configure dynamic Diameter-based management of transit AA subs for the transit IP policy. This is mutually exclusive to other types of management of transit subs for a given transit IP policy.

application-policy

Syntax 
[no] application-policy name
Context 
config>app-assure>group>transit-ip>diameter
Description 

This command specifies the Diameter application to be used by seen IP transit subs. The application policy is defined using the config>subscr-mgmt>diameter-application-policy command.

The no form of the command removes the policy.

Default 

no application-policy

Parameters 
name—
Specifies the name of the application policy configured using the diameter-application-policy command, up to 32 characters.

shutdown

Syntax 
[no] shutdown
Context 
config>app-assure>group>transit-ip>diameter
Description 

This command removes all transit AA subscribers created via Diameter on this transit AA subscriber IP policy and clears all corresponding Diameter sessions.

gtp

Syntax 
gtp
Context 
config>app-assure>group
Description 

This command enters the context to configure GTP parameters.

event-log

Syntax 
event-log event-log-name
no event-log
Context 
config>app-assure>group>gtp
config>app-assure>group>gtp>gtp-filter
Description 

This command allows AA to treat traffic on UDP port number 2152 as GTP-u. Without further specifying any other parameters within this GTP context, AA performs basic GTP-u header sanity checks and discards packets that are malformed. This GTP context allows the operator to configure various GTP filters (maximum of 128 GTP filters).

Default 

no event-log

Parameters 
event-log-name—
Specifies the event log name to be used to log discards due to GTP-u basic header sanity checks.

gtp-filter

Syntax 
gtp-filter gtp-filter-name [create]
no gtp-filter gtp-filter-name
Context 
config>app-assure>group>gtp
Description 

This command allows AA to treat traffic on UDP port number 2152 as GTP-u. Without further specifying any other parameters within this GTP context, AA performs basic GTP-u header sanity checks and discards packets that are malformed. This GTP context allows the operator to configure various GTP filters (maximum of 128 GTP filters).

Parameters 
gtp-filter-name—
Specifies a GTP filter name, up to 32 characters.
create
Keyword used to create the GTP filter name and parameters.

max-payload-length

Syntax 
max-payload-length bytes
no max-payload-length
Context 
config>app-assure>group>gtp>gtp-filter
Description 

This command specifies the maximum allowed GTP payload size.

The no form of the command removes this GTP message length filter.

Default 

no max-payload-length

Parameters 
bytes—
Specifies the packet length in bytes.
Values—
0 to 65535

 

message-type

Syntax 
message-type
Context 
config>app-assure>group>gtp>gtp-filter
Description 

This command specifies the context for configuration of GTP message-type filtering.

Default 

None. If no message-type is specified within a filter, then all GTP message types are allowed.

default-action

Syntax 
default-action {permit | deny}
Context 
config>app-assure>group>gtp>gtp-fltr>message-type
Description 

This command configures the default action for all GTP message types.

Default 

default-action permit

Parameters 
permit—
Specifies to permit packets that do not match any message entries.
deny—
Specifies to deny packets that do not match any message entries.

entry

Syntax 
entry entry-id value gtp-message-value action {permit | deny}
no entry entry-id
Context 
config>app-assure>group>gtp>gtp-fltr>message-type
Description 

This command configures an entry for a specific GTP message type value.

Parameters 
entry-id—
Specifies the index into the GTP message value list that defines a custom message-type action.
Values—
1 to 255

 

gtp-message-value—
Specifies the GTP-u message type, either as a numeric value or as a string.
Values—
1 to 255 or 256 characters {echo-request, echo-response, error-indication, g-pdu, supported-extension-headers-notification}

 

permit | deny—
Specifies the action to take for packets that match this GTP filter message entry.
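
The following is an added example, not Nokia code: a Python model of the filtering decision that the gtp-filter commands above describe (basic header sanity, max-payload-length, message-type entries, default action). The evaluation order, treating a truncated header as malformed, measuring the payload as the bytes after the mandatory 8-byte header, and all Python names are assumptions; the sample packets are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

GTPU_PORT = 2152  # UDP port that the page says AA treats as GTP-U

# Message-type names accepted by "entry ... value" on this page, mapped to
# their GTP-U numeric values (3GPP TS 29.281).
MESSAGE_TYPES = {
    "echo-request": 1,
    "echo-response": 2,
    "error-indication": 26,
    "supported-extension-headers-notification": 31,
    "g-pdu": 255,
}


@dataclass
class GtpFilter:
    """Hypothetical model of one gtp-filter; fields mirror the CLI keywords."""
    max_payload_length: Optional[int] = None   # None models "no max-payload-length"
    default_action: str = "permit"             # page default: default-action permit
    entries: dict = field(default_factory=dict)  # entry-id -> (type value, action)

    def add_entry(self, entry_id, value, action):
        """Model of: entry entry-id value gtp-message-value action {permit | deny}."""
        if not 1 <= entry_id <= 255:
            raise ValueError("entry-id must be 1 to 255")
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        number = MESSAGE_TYPES[value] if isinstance(value, str) else value
        if not 1 <= number <= 255:
            raise ValueError("message value must be 1 to 255")
        self.entries[entry_id] = (number, action)


def build_gtpu(msg_type, teid, payload, version=1, pt=1):
    """Construct a sample GTP-U packet (test data only, no optional fields)."""
    flags = (version << 5) | (pt << 4)
    return struct.pack("!BBHI", flags, msg_type, len(payload), teid) + payload


def parse_gtpu(udp_payload):
    """Parse the mandatory 8-byte GTP-U header; None if the packet is too short."""
    if len(udp_payload) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", udp_payload[:8])
    return {"version": flags >> 5, "pt": (flags >> 4) & 1,
            "msg_type": msg_type, "length": length, "teid": teid}


def evaluate(flt, dst_port, udp_payload):
    """Return (verdict, counter); counter names the TCA on this page that would count it.

    Assumed order: basic sanity, then max-payload-length, then message-type
    entries in ascending entry-id, then the default action.
    """
    if dst_port != GTPU_PORT:
        return ("permit", "not-gtp")          # outside the GTP context
    hdr = parse_gtpu(udp_payload)
    # Basic header sanity from the page: version must be 1, protocol bit must be 1.
    # Treating a truncated header as malformed is an assumption.
    if hdr is None or hdr["version"] != 1 or hdr["pt"] != 1:
        return ("deny", "gtp-sanity-drop")
    # Assumption: "payload" is everything after the mandatory 8-byte header.
    if flt.max_payload_length is not None and \
            len(udp_payload) - 8 > flt.max_payload_length:
        return ("deny", "max-payload-length")
    for entry_id in sorted(flt.entries):
        number, action = flt.entries[entry_id]
        if number == hdr["msg_type"]:
            return (action, f"entry {entry_id}")
    return (flt.default_action, "default-action")


def demo():
    """Evaluate constructed packets against a default-deny filter."""
    flt = GtpFilter(max_payload_length=1400, default_action="deny")
    flt.add_entry(10, "g-pdu", "permit")
    flt.add_entry(20, "echo-request", "permit")
    flt.add_entry(30, "echo-response", "permit")
    samples = {
        "g-pdu": build_gtpu(255, 0x1234, bytes(100)),
        "oversized g-pdu": build_gtpu(255, 0x1234, bytes(1500)),
        "error-indication": build_gtpu(26, 0, b""),
        "version 2": build_gtpu(255, 0x1234, bytes(20), version=2),
        "protocol bit 0": build_gtpu(255, 0x1234, bytes(20), pt=0),
        "truncated": b"\x30\xff",
    }
    return {name: evaluate(flt, GTPU_PORT, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

With the page's default of default-action permit and no entries, the same error-indication packet is permitted, which is why a filter intended as a firewall needs explicit permit entries plus default-action deny.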

mode

Syntax 
mode mode
Context 
config>app-assure>group>gtp
Description 

This command is used to either untunnel GTP-U traffic received on UDP port number 2152, or apply GTP filtering/firewall rules as specified under this GTP CLI context.

Default 

mode filtering

Parameters 
mode—
Specifies the operational mode of the command.
Values—
filtering — AA applies GTP filtering rules to GTP-U traffic, without further analysis of IP traffic tunneled within GTP.
untunneling — AA untunnels GTP traffic and provides analytical reporting of the applications running within the GTP tunnels. The rest of the commands under GTP CLI context (such as GTP-filter and event-log) are not applicable in this mode.
Please note that for AA to untunnel GTP traffic, the operator must configure “gtp” under the partition by using the config>app-assure>group>gtp command.
The following caveats apply:
  1. Only GTP-U traffic with TID <> 0 is untunneled.
  2. Any UDP but non-GTP traffic that uses port 2152 will be identified as UDP traffic.
  3. Only GTP-U packets with message type G-PDU (0xFF) are untunneled. Other GTP-U packets with different message types are reported as GTP Protocol.
  4. Only GTP-U packets with non-fragmented outer IP and no IPv4 options or IPv6 extension headers are untunneled. Otherwise, no inner GTP tunnel classification is performed and the traffic is identified and reported as GTP protocol.

 

sctp-filter

Syntax 
sctp-filter sctp-filter-name [create]
no sctp-filter sctp-filter-name
Context 
config>app-assure>group
Description 

This command enables the context to configure Stream Control Transmission Protocol (SCTP) parameters.

The no form of the command removes this filter.

Parameters 
sctp-filter-name—
Specifies the SCTP filter name, up to 32 characters.
create—
Keyword used to create the SCTP filter.

event-log

Syntax 
event-log event-log-name
no event-log
Context 
config>app-assure>group>sctp-filter
Description 

This command configures an event log for packets dropped by the SCTP filter.

Default 

no event-log

Parameters 
event-log-name—
Specifies the event log name to be used.

ppid

Syntax 
ppid
Context 
config>app-assure>group>sctp-filter
Description 

This command enables the context to configure actions for specific or default Payload Protocol Identifiers (PPIDs).

default-action

Syntax 
default-action {permit | deny}
Context 
config>app-assure>group>sctp-fltr>ppid
Description 

This command configures the default action for all SCTP PPIDs.

Default 

default-action permit

Parameters 
permit—
Specifies to permit packets that do not match any PPID entries.
deny—
Specifies to deny packets that do not match any PPID entries.

entry

Syntax 
entry entry-id value ppid-value action {permit | deny}
no entry entry-id
Context 
config>app-assure>group>sctp-fltr>ppid
Description 

This command specifies if an SCTP PPID value is allowed or not.

The no form of the command removes this PPID, in which case the default action for the sctp-filter>ppid is applied.

Parameters 
entry-id—
Specifies the SCTP filter PPID entry identifier.
ppid-value—
Specifies the PPID value, either as numeric value or as a string.
Values—
0 to 4294967295 D, 256 chars max

 

action {permit | deny}—
Specifies to allow or deny the configured PPID.

ppid-range

Syntax 
ppid-range min min-ppid max max-ppid
no ppid-range
Context 
config>app-assure>group>sctp-filter
Description 

This command specifies the range of PPID values that are allowed by AA SCTP filter firewall.

The no form of the command removes this PPID range.

Default 

no ppid-range

Parameters 
min-ppid —
Specifies the minimum SCTP Payload Protocol Identifier (PPID) to be permitted by the SCTP filter. The value must be less than or equal to the max max-ppid value.
Values—
0 to 4294967295

 

max-ppid —
Specifies the maximum SCTP Payload Protocol Identifier (PPID) to be permitted by the SCTP filter. The value must be greater than or equal to the min min-ppid value.
Values—
0 to 4294967295

 

access-network-location

Syntax 
access-network-location
Context 
config>app-assure>group
Description 

This command provides the context to configure parameters related to dynamic experience management, also known as Access Network Location (ANL).

These parameters include location source type, congestion point, and congestion detection parameters (such as roundtrip delay thresholds), if applicable.

source

Syntax 
source source-type
source source-type level level
no source source-type
Context 
config>app-assure>group>anl
Description 

This command configures location sources for the dynamic experience management. The location source types are, for example, 3G and congestion point.

Default 

no source source-type

Parameters 
source-type—
Specifies the location or access technology.
Values—
access-point — Provides Dynamic Experience Management (DEM) for the WLGW access point.
Note:

The access points do not need to support the Nokia CEA function.

 

level—
Specifies which congestion point within the specified source-type to monitor for congestion.
Values—
MAC+VLAN — WLGW access point (MAC) and radio (VLAN).
Note:

The access points do not need to support the Nokia CEA function.

 

rtt-threshold

Syntax 
rtt-threshold threshold
no rtt-threshold
Context 
config>app-assure>group>anl>source>level
Description 

This command configures the ANL roundtrip delay threshold to be used by the congestion detection algorithm (if applicable).

Default 

rtt-threshold 173

Parameters 
threshold—
This parameter is used by the DEM-GW algorithm that determines ANL congestion. It specifies the maximum acceptable round trip time (RTT), in milliseconds, for TCP connections under no congestion. Any measured RTT above the threshold is considered an indication of possible congestion.
Values—
0 to 500

 

rtt-threshold-tolerance

Syntax 
rtt-threshold-tolerance tolerance
no rtt-threshold-tolerance
Context 
config>app-assure>group>anl>source>level
Description 

This command configures the ANL roundtrip delay threshold tolerance to be used by the congestion detection algorithm (if applicable).

Parameters 
tolerance—
This parameter is used by the DEM-GW algorithm that determines ANL congestion. It represents the ratio, as a percentage, of RTTs above the configured threshold (rtt-threshold) over the total RTT measurements.

The ratio is calculated as follows, measured across a one-minute period:

rtt-threshold-tolerance = #(RTTs > rtt-threshold)/ (Total #RTTs)

If the rtt-threshold-tolerance ratio is exceeded, the ANL is declared congested.

Values—
0 to 100

 

Default—
50

aqp-initial-lookup

Syntax 
aqp-initial-lookup
no aqp-initial-lookup
Context 
config>app-assure>group:[partition]
Description 

This command allows AA to perform AQP lookups on flows prior to complete application identification. As usual, the AQP is looked up again when identification completes. Without this command, AA executes AQPs that are part of the so-called “sub-default policy”. The sub-default policy is formed by regular AQPs that contain ASOs, subID, and/or flow direction as matching conditions.

This behavior is required, for example, to be able to apply GTP and SCTP filtering on the first packet of a new GTP/SCTP flow (the AQP matching conditions in this case contain the protocol ID).

The no form of the command forces a complete AQP lookup at the identification finish stage only.

Default 

no aqp-initial-lookup

dhcp

Syntax 
dhcp
Context 
config>app-assure>group>transit-ip-policy
Description 

This command enables dynamic DHCP-based management of transit aa-subs for the transit-ip-policy. This is mutually exclusive to other types of management of transit subs for a given transit-ip-policy.

ipv6-address-prefix-length

Syntax 
ipv6-address-prefix-length IPv6-prefix-length
no ipv6-address-prefix-length
Context 
config>app-assure>group>transit-ip-policy
Description 

This command configures a transit IP policy IPv6 address prefix length.

Default 

no ipv6-address-prefix-length

Parameters 
IPv6-prefix-length—
Specifies the prefix length of IPv6 addresses in this policy for both static and dynamic transits.
Values—
32 to 64

 

def-app-profile

Syntax 
def-app-profile app-profile-name
no def-app-profile
Context 
config>app-assure>group>transit-ip-policy
Description 

This command configures a default application profile.

Default 

no def-app-profile

Parameters 
app-profile-name—
Specifies the application profile name, up to 32 characters.

detect-seen-ip

Syntax 
[no] detect-seen-ip
Context 
config>app-assure>group>transit-ip-policy
Description 

This command enables the detection of transit subscribers based on the IP address.

radius

Syntax 
radius
Context 
config>app-assure>group>transit-ip-policy
Description 

This command enables dynamic RADIUS-based management of transit aa-subs for the transit-ip-policy. This is mutually exclusive to other types of management of transit subs for a given transit-ip-policy.

authentication-policy

Syntax 
authentication-policy name
no authentication-policy
Context 
config>app-assure>group>transit-ip>radius
Description 

This command configures the RADIUS authentication-policy for the IP transit policy.

Default 

no authentication-policy

Parameters 
name—
Specifies the authentication policy name, up to 32 characters.

seen-ip-radius-acct-policy

Syntax 
seen-ip-radius-acct-policy rad-acct-plcy-name
no seen-ip-radius-acct-policy
Context 
config>app-assure>group>transit-ip-policy>radius
Description 

This command refers to a RADIUS accounting-policy to enable seen-IP notification.

The no form of the command removes the policy.

Default 

no seen-ip-radius-acct-policy

Parameters 
rad-acct-plcy-name—
Specifies the RADIUS accounting policy name, up to 32 characters.

static-aa-sub

Syntax 
static-aa-sub transit-aasub-name
static-aa-sub transit-aasub-name app-profile app-profile-name [create]
no static-aa-sub transit-aasub-name
Context 
config>app-assure>group>transit-ip-policy
Description 

This command configures static transit aa-subs with a name and an app-profile. A new transit sub with both a name and an app-profile is configured with the create command. Static transit aa-sub must have an explicitly assigned app-profile. An existing transit sub can optionally be assigned a different app-profile, or this command can be used to enter the static-aa-sub context.

The no form of the command deletes the named static transit aa-sub from the configuration.

Parameters 
transit-aasub-name —
Specifies the name of a transit subscriber up to 32 characters in length.
app-profile-name—
Specifies the name of an existing application profile up to 32 characters in length.
create —
Keyword used to create a new app-profile entry.

ip

Syntax 
[no] ip ip-address[/mask]
Context 
config>app-assure>group>policy>transit-ip-policy>static-aa-sub
Description 

This command configures the /32 IP address for a static transit aa-sub.

The no form of the command deletes the IP address assigned to the static transit aa-sub from the configuration.

Parameters 
ip-address —
Specifies the IP address in a.b.c.d form.
Values—

ipv6-address/prefix:

ipv6-address x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

  x [0 to FFFF]H

  d [0 to 255]D

prefix-length /32 to /64

 

sub-ident-policy

Syntax 
sub-ident-policy sub-ident-policy-name
no sub-ident-policy
Context 
config>app-assure>group>transit-ip-policy
Description 

This command associates a subscriber identification policy to this SAP. The subscriber identification policy must be defined prior to associating the profile with a SAP in the config>subscribermgmt>sub-ident-policy context.

Subscribers are managed by the system through the use of subscriber identification strings. A subscriber identification string uniquely identifies a subscriber. For static hosts, the subscriber identification string is explicitly defined with each static subscriber host.

For dynamic hosts, the subscriber identification string must be derived from the DHCP ACK message sent to the subscriber host. The default value for the string is the content of Option 82 CIRCUIT-ID and REMOTE-ID fields interpreted as an octet string. As an option, the DHCP ACK message may be processed by a subscriber identification policy which has the capability to parse the message into an alternative ASCII or octet string value.

When multiple hosts on the same port are associated with the same subscriber identification string they are considered to be host members of the same subscriber.

A sub-ident-policy can also be used for identifying dynamic transit subscriber names.

The no form of the command removes the default subscriber identification policy from the SAP configuration.

Default 

no sub-ident-policy

Parameters 
sub-ident-policy-name—
Specifies the subscriber identification policy name, up to 32 characters.

transit-auto-create

Syntax 
transit-auto-create
Context 
config>app-assure>group>transit-ip-policy
Description 

This command enables seen-IP auto creation of transit subscribers using the transit-IP-policy name and subscriber IP address as the AA-sub name. The default app-profile configured against the transit-ip-policy is applied to these subscribers.

transit-prefix-ipv4-entries

Syntax 
transit-prefix-ipv4-entries entries
no transit-prefix-ipv4-entries
Context 
config>isa>aa-grp
Description 

This command defines the number of transit-prefix IPv4 entries for an ISA.

The no form of the command removes the assignment of entries space from the configuration. All entries must be removed in order to delete the configuration.

Default 

no transit-prefix-ipv4-entries

Parameters 
entries—
Specifies an integer that determines the number of transit-prefix-ipv4 entries.
Values—
0 to 16383

 

transit-prefix-ipv4-remote-entries

Syntax 
transit-prefix-ipv4-remote-entries entries
no transit-prefix-ipv4-remote-entries
Context 
config>isa>aa-grp
Description 

This command configures the ISA-AA-group transit prefix IPv4 remote entry limit. This entry space is allocated on the IOM within a common area with the second MDA/ISA position of the IOM and also used for IPv4 filter entries for system SDPs. The per-ISA size allocated for transit-prefix-ipv4 entries should be set to allow sufficient space on the IOM for SDP IPv4 filters.

The no form of the command removes the assignment of entries space from the configuration. All entries must be removed in order to delete the configuration.

Default 

no transit-prefix-ipv4-remote-entries

Parameters 
entries —
Specifies the ISA-AA-Group transit prefix IPv4 remote entry limit.
Values—
0 to 2047

 

transit-prefix-ipv6-entries

Syntax 
transit-prefix-ipv6-entries entries
no transit-prefix-ipv6-entries
Context 
config>isa>aa-grp
Description 

This command configures the ISA-AA-group transit prefix IPv6 entry limit for each ISA in the group. This entry space is allocated on the IOM within a common area with the second MDA / ISA position of the IOM and also used for ipv6-filter entries for system SDPs. The per-ISA size allocated for transit-prefix-ipv6 entries should be set to allow sufficient space on the IOM for SDP ipv6-filters.

The no form of the command removes the assignment of entries space from the configuration. All entries must be removed in order to delete the configuration.

Default 

no transit-prefix-ipv6-entries

Parameters 
entries—
Specifies the ISA-AA-Group transit prefix IPv6 entry limit.
Values—
0 to 8191

 

transit-prefix-ipv6-remote-entries

Syntax 
transit-prefix-ipv6-remote-entries entries
no transit-prefix-ipv6-remote-entries
Context 
config>isa>aa-grp
Description 

This command configures the ISA-AA-group transit prefix IPv6 remote entry limit. This entry space is allocated on the IOM within a common area with the second MDA/ISA position of the IOM and also used for IPv6 filter entries for system SDPs. The per-ISA size allocated for transit-prefix-ipv6 entries should be set to allow sufficient space on the IOM for SDP IPv6 filters.

The no form of the command removes the assignment of entries space from the configuration. All entries must be removed in order to delete the configuration.

Default 

no transit-prefix-ipv6-remote-entries

Parameters 
entries—
Specifies the ISA-AA-Group transit prefix IPv6 remote entry limit.
Values—
0 to 1023

 

transit-policy

Syntax 
transit-policy ip ip-aasub-policy-id
transit-policy prefix prefix-aasub-policy-id
no transit-policy
Context 
config>service>ies>if>sap
config>service>ies>if>spoke-sdp
config>service>vprn>if>sap
config>service>vprn>if>spoke-sdp
config>service>epipe>sap
config>service>epipe>spoke-sdp
config>service>ipipe>sap
config>service>ipipe>spoke-sdp
config>service>vpls>sap
config>service>vpls>spoke-sdp
Description 

This command associates a transit AA subscriber IP or prefix policy to the service. The transit policy must be defined prior to associating the policy with a SAP in the config>app-assure>group>transit-ip-policy or transit-prefix-policy context.

The no form of the command removes the association of the policy to the service.

Parameters 
ip-aasub-policy-id—
Specifies a transit IP policy ID.
Values—
1 to 65535

 

prefix-aasub-policy-id—
Specifies a transit prefix policy ID.
Values—
1 to 65535

 

transit-prefix-policy

Syntax 
transit-prefix-policy prefix-policy-id [create]
no transit-prefix-policy prefix-policy-id
Context 
config>app-assure>group
Description 

This command defines a transit AA subscriber prefix policy. Transit AA subscribers are managed by the system through the use of this policy assigned to services, which determines how transit subs are created and removed for that service.

The no form of the command deletes the policy from the configuration. All associations must be removed in order to delete a policy.

Parameters 
prefix-policy-id —
Indicates the transit prefix policy to which this subscriber belongs.
Values—
1 to 65535

 

create—
Mandatory keyword used when creating transit prefix policy. The create keyword requirement can be enabled/disabled in the environment>create context.

entry

Syntax 
entry entry-id [create]
entry entry-id
no entry entry-id
Context 
config>app-assure>group>transit-prefix-policy
Description 

This command configures the index to a specific entry of a transit prefix policy.

The no form of the command removes the entry ID from the transit prefix policy configuration.

Default 

none

Parameters 
entry-id—
Specifies a transit prefix policy entry.
Values—
1 to 4294967295

 

create—
Keyword used when creating an entry.

aa-sub

Syntax 
aa-sub transit-aasub-name
no aa-sub
Context 
config>app-assure>group>transit-prefix-policy>entry
Description 

This command configures a transit prefix policy entry subscriber.

The no form of the command removes the transit subscriber name from the transit prefix policy configuration.

Default 

none

Parameters 
transit-aasub-name—
Specifies the name of the transit prefix AA subscriber up to 32 characters.

match

Syntax 
match
Context 
config>app-assure>group>transit-prefix-policy>entry
Description 

This command enables the context to configure transit prefix policy entry match criteria.

aa-sub-ip

Syntax 
aa-sub-ip ip-address[/mask]
no aa-sub-ip
Context 
config>app-assure>group>transit-prefix-policy>entry>match
Description 

This command configures a transit prefix subscriber IP address prefix. It is used when the site is on the local side, that is, on the same side of the system as the parent SAP. The local aa-sub-ip addresses represent the src-IP in the from-SAP direction and the dest-IP in the to-SAP direction.

The no form of the command deletes the aa-sub-ip address assigned from the entry configuration.

Default 

no aa-sub-ip

Parameters 
ip-address[/mask]—
Specifies the address type of the subscriber address prefix associated with this transit prefix policy entry.
Values—

ip-address[/mask] :

ipv4-address - a.b.c.d[/mask]

mask - [1..32]

ipv6-address - x:x:x:x:x:x:x:x/prefix-length

x:x:x:x:x:x:d.d.d.d

x - [0..FFFF]H

d - [0..255]D

prefix-length [1..128]

 

network-ip

Syntax 
network-ip ip-address[/mask]
no network-ip
Context 
config>app-assure>group>transit-prefix-policy>entry>match
Description 

This command configures an entry for an address of a prefix transit aa-sub and is used when the site is a remote site on the opposite side of the system from the parent SAP. The network IP addresses represent the dest-IP in the from-SAP direction and the src-IP in the to-SAP direction.

The no form of the command removes the network IP address/mask from the match criteria.

Parameters 
ip-address[/mask]—
Specifies the network address prefix and length associated with this transit prefix policy entry.
Values—

ip-address[/mask] :

ipv4-address - a.b.c.d[/mask]

mask - [1..32]

ipv6-address - x:x:x:x:x:x:x:x/prefix-length

x:x:x:x:x:x:d.d.d.d

x - [0..FFFF]H

d - [0..255]D

prefix-length [1..128]
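
The direction rules for aa-sub-ip and network-ip above, worked through as an added Python example (not Nokia code and not part of the original reference). The entry names and prefixes are constructed, and evaluating entries in ascending entry-id order with the first match winning is an assumption the page does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

FROM_SAP = "from-sap"
TO_SAP = "to-sap"


@dataclass(frozen=True)
class Entry:
    entry_id: int   # entry entry-id
    aa_sub: str     # aa-sub transit-aasub-name
    kind: str       # "aa-sub-ip" (local site) or "network-ip" (remote site)
    prefix: str     # ip-address[/mask]


def address_to_check(kind: str, direction: str, src: str, dst: str) -> str:
    """Pick the packet address that the entry's prefix is compared against."""
    if direction not in (FROM_SAP, TO_SAP):
        raise ValueError(f"unknown direction: {direction}")
    if kind == "aa-sub-ip":
        # Local site: src-IP in the from-SAP direction, dest-IP in to-SAP.
        return src if direction == FROM_SAP else dst
    if kind == "network-ip":
        # Remote site: dest-IP in the from-SAP direction, src-IP in to-SAP.
        return dst if direction == FROM_SAP else src
    raise ValueError(f"unknown match kind: {kind}")


def classify(entries, direction: str, src: str, dst: str) -> Optional[str]:
    """Return the transit aa-sub name for a packet, or None if nothing matches.

    Assumption (not stated on the page): entries are tried in ascending
    entry-id order and the first matching entry wins.
    """
    for entry in sorted(entries, key=lambda e: e.entry_id):
        addr = ipaddress.ip_address(
            address_to_check(entry.kind, direction, src, dst))
        net = ipaddress.ip_network(entry.prefix, strict=False)
        if addr.version == net.version and addr in net:
            return entry.aa_sub
    return None


# Constructed sample policy: two local sites and one remote site.
ENTRIES = [
    Entry(10, "site-a", "aa-sub-ip", "10.1.0.0/16"),
    Entry(20, "site-b-remote", "network-ip", "192.0.2.0/24"),
    Entry(30, "site-c-v6", "aa-sub-ip", "2001:db8:10::/48"),
]

if __name__ == "__main__":
    packets = [
        (FROM_SAP, "10.1.2.3", "198.51.100.7"),
        (TO_SAP, "198.51.100.7", "10.1.2.3"),
        (FROM_SAP, "198.51.100.7", "10.1.2.3"),   # addresses reversed
        (FROM_SAP, "172.16.0.5", "192.0.2.9"),
    ]
    for direction, src, dst in packets:
        print(direction, src, "->", dst, ":",
              classify(ENTRIES, direction, src, dst))
```

The third packet matches no entry: the same address pair attributes traffic to a subscriber only when it appears on the side that the direction rule expects.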

 

static-aa-sub

Syntax 
static-aa-sub transit-aasub-name
static-aa-sub transit-aasub-name app-profile app-profile-name [create]
no static-aa-sub transit-aasub-name
Context 
config>app-assure>group>transit-prefix-policy
config>app-assure>group>transit-ip-policy>static
Description 

This command configures a static transit aa-sub with a name and an app-profile. A new transit sub with both a name and an app-profile is configured with the create command. A static transit aa-sub must have an explicitly assigned app-profile. An existing transit sub can optionally be assigned a different app-profile, or this command can be used to enter the static-aa-sub context.

The no form of the command deletes the named static transit aa-sub from the configuration.

Parameters 
transit-aasub-name—
Specifies a transit aasub-name up to 32 characters.
app-profile-name —
Specifies the name of an existing application profile up to 32 characters.
create —
Keyword used to create a new app-profile entry.

static-remote-aa-sub

Syntax 
static-remote-aa-sub transit-aasub-name
static-remote-aa-sub transit-aasub-name app-profile app-profile-name [create]
no static-remote-aa-sub transit-aasub-name
Context 
config>app-assure>group>transit-prefix-policy
Description 

This command configures static remote transit aa-subs with a name and an app-profile. Remote transit subscribers are configured for sites on the opposite side of the system from the parent SAP/spoke-SDP. A new remote transit sub with both a name and an app-profile is configured with the create command. Static remote transit aa-subs must have an explicitly assigned app-profile. An existing remote transit sub can optionally be assigned a different app-profile.

The no form of the command removes the name from the transit prefix policy.

Parameters 
transit-aasub-name—
Specifies a transit aasub-name up to 32 characters.
app-profile-name —
Specifies the name of an existing application profile up to 32 characters.
create —
Keyword used to create a new app-profile entry.

sap

Syntax 
sap card/mda/aa-svc:vlan [create]
no sap
Context 
config>service>vprn>aa-if
config>service>ies>aa-if
Description 

This command specifies which ISA card and which VLAN is used by a given AA Interface.

Default 

no sap

Parameters 
card/mda/aa-svc:vlan—
Specifies the AA ISA card slot/port and VLAN information.
create—
Keyword used to create the AARP instance.

group

Syntax 
group aa-group-id
Context 
admin>app-assure
Description 

This command performs a group-specific upgrade.

Parameters 
aa-group-id—
Specifies the AA group identifier.
Values—
1 to 255

 

url-list

Syntax 
url-list url-list-name [create]
no url-list url-list-name
Context 
config>app-assure>group
Description 

This command configures a url-list object. The url-list points to a file containing a list of URLs located on the system Compact Flash. The url-list is then referenced in a url-filter object in order to filter and redirect subscribers when a URL from this file is accessed.

The no form of the command removes the url-list object.

Parameters 
url-list-name—
Specifies the Application-Assurance url-list.
create—
Keyword used to create the URL list.

decrypt-key

Syntax 
decrypt-key key | hash-key | hash2-key [hash | hash2]
no decrypt-key
Context 
config>app-assure>group>url-list
Description 

This command configures the decryption key used to read the file when the file is encrypted.

The no form of the command removes the url-list object.

Default 

no decrypt-key

Parameters 
key | hash-key | hash2-key—
Specifies the Application-Assurance url-list decryption key.
hash—
Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
hash2—
Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

file

Syntax 
file file-url
no file
Context 
config>app-assure>group>url-list
Description 

This command specifies the file for the URL list.

The no form of the command removes the url-list object.

Default 

no file

Parameters 
file-url—
Specifies the flash ID or file path.
Values—
[cflash-id/] file-path: [200 chars max]
cflash-id: - cf1: | cf1-A: | cf1-B: | cf2: | cf2-A: | cf2-B: | cf3: | cf3-A: | cf3-B:

 

size

Syntax 
size url-list-size
Context 
config>app-assure>group>url-list
Description 

This command specifies the size of the URL list that can be filtered. The size can be set to either standard or extended. Configuring the specified url-list as extended provides support for filtering on a larger number of URLs.

Default 

size standard

Parameters 
url-list-size—
Specifies the size of the AA url-list for URL filtering.
Values—
standard, extended

 

url-filter

Syntax 
url-filter url-filter-name [create]
no url-filter url-filter-name
Context 
config>app-assure>group
Description 

This command configures a URL filter action for flows of a specific type matching this entry.

If no URL filters are specified then no URL filters will be evaluated.

Parameters 
url-filter-name—
Specifies the Application-Assurance URL filter that will be evaluated.

default-action

Syntax 
default-action allow
default-action block-all
default-action block-http-redirect http-redirect-name
no default-action
Context 
config>app-assure>group>policy>aqp>entry>action>url-filter
Description 

This command configures the default action to take when the ICAP server is unreachable.

Default 

no default-action

Parameters 
allow—
Allows all requests.
block-all—
Blocks all requests.
block-http-redirect http-redirect-name—
Blocks and redirects requests.

http-request-filtering

Syntax 
http-request-filtering {all | first}
Context 
config>app-assure>group>url-filter
Description 

HTTP filtering can be enabled either for all HTTP requests within a flow or for only the first HTTP request in a flow.

Default 

http-request-filtering all

Parameters 
all —
Specifies all HTTP requests within a flow.
first —
Specifies the first HTTP request within a flow.

http-redirect

Syntax 
http-redirect http-redirect-name
no http-redirect
Context 
config>app-assure>group>url-filter
Description 

This command specifies the HTTP redirect that will be applied when the Internet Content Adaptation Protocol (ICAP) server blocks an HTTP request.

Default 

no http-redirect

Parameters 
http-redirect-name—
Specifies the ICAP HTTP redirect name up to 32 characters.

server

Syntax 
server ip-address[:port] [create]
no server ip-address[:port]
Context 
config>app-assure>group>url-filter>icap
Description 

This command configures the IP address and server port of the ICAP server.

Default 

none

Parameters 
ip-address[:port]—
Specifies the ICAP server IP address and port.

vlan-id

Syntax 
vlan-id service-port-vlan-id
no vlan-id
Context 
config>app-assure>group>url-filter>icap
Description 

This command configures the VLAN ID on which the ISA-AA is expected to be emitting traffic mapping to a pre-configured aa-interface.

Default 

no vlan-id

Parameters 
service-port-vlan-id—
Specifies the VLAN ID.
Values—
1 to 4094

 

custom-x-header

Syntax 
custom-x-header x-header-name
no custom-x-header
Context 
config>app-assure>group>url-filter>icap
Description 

This command configures the url-filter ICAP policy to include a new x-header field; the content of the x-header is populated based on AQP url-filter action which can optionally specify the ASO characteristic value to include in the x-header.

Default 

no custom-x-header

Parameters 
x-header-name —
The name of the x-header added to the ICAP request.

local-filtering

Syntax 
local-filtering
Context 
config>app-assure>group>url-filter
Description 

This command configures a URL filter policy for local filtering in order to filter traffic based on a list of URLs in a file stored on the router compact flash.

url-list

Syntax 
[no] url-list url-list-name
Context 
admin>app-assure>group>url-filter>local-filtering
Description 

This command adds a URL list to the local filtering URL filter policy.

The no form of the command removes the URL list object.

Parameters 
url-list-name—
Specify the URL list.

wap1x

Syntax 
wap1x
Context 
config>app-assure>group
Description 

This command configures the Wireless Application Protocol (WAP) 1.X.

packet-rate-high-wmark

Syntax 
packet-rate-high-wmark high-watermark
no packet-rate-high-wmark
Context 
config>app-assure
Description 

This command configures the packet rate on the ISA-AA at which a packet rate alarm is raised by the agent.

The no form of the command reverts to the default.

Default 

packet-rate-high-wmark max

Parameters 
high-watermark—
Specifies the high watermark for packet rate alarms. The value must be larger than or equal to the packet-rate-low-wmark low-watermark value.
Values—
1 to 14880952, max packets/sec (disabled)

 

packet-rate-low-wmark

Syntax 
packet-rate-low-wmark low-watermark
no packet-rate-low-wmark
Context 
config>app-assure
Description 

This command configures the packet rate on the ISA-AA at which a packet rate alarm is cleared by the agent.

The no form of the command reverts to the default.

Default 

packet-rate-low-wmark 0

Parameters 
low-watermark—
Specifies the low watermark for packet rate alarms. The value must be lower than or equal to the packet-rate-high-wmark high-watermark value.
Values—
0 to 14880952 packets per second

 

protocol

Syntax 
protocol protocol-name
Context 
config>app-assure
Description 

This command configures the shutdown of protocols system-wide.

Parameters 
protocol-name—
Specifies the name of a protocol that can be shut down (disabled).

shutdown

Syntax 
[no] shutdown
Context 
config>app-assure>protocol
Description 

This command administratively disables the protocol specified in protocol protocol-name.

The no form of the command enables the protocol.

radius-accounting-policy

Syntax 
radius-accounting-policy rad-acct-plcy-name [create]
no radius-accounting-policy rad-acct-plcy-name
Context 
config>app-assure
config>app-assure>group>statistics>aa-sub
Description 

This command specifies an existing subscriber RADIUS-based accounting policy to use for AA. RADIUS accounting policies are configured in the config>app-assure>radius-accounting-policy context.

Default 

none

Parameters 
rad-acct-plcy-name—
Specifies the policy name. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.
create—
Keyword used to create the policy.

interim-update-interval

Syntax 
interim-update-interval minutes
no interim-update-interval
Context 
config>app-assure>rad-acct-plcy
Description 

This command configures the interim update interval.

The no form of the command reverts to the default.

Default 

no interim-update-interval

Parameters 
minutes—
Specifies the interval at which subscriber accounting data will be updated. If no value is specified, no interim updates will be sent.
Values—
5 to 1080

 

radius-accounting-server

Syntax 
radius-accounting-server
Context 
config>app-assure>rad-acct-plcy
Description 

This command creates the context for defining RADIUS accounting server attributes under a given session authentication policy.

access-algorithm

Syntax 
access-algorithm {direct | round-robin}
Context 
config>app-assure>rad-acct-plcy>server
Description 

This command configures the algorithm used to access the list of configured RADIUS servers.

Default 

access-algorithm direct

Parameters 
direct —
Specifies that the first server will be used as primary server for all requests, the second as secondary and so on.
round-robin—
Specifies that the first server will be used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

retry

Syntax 
retry count
Context 
config>app-assure>rad-acct-plcy>server
Description 

This command configures the number of times the router attempts to contact the RADIUS server for authentication, if not successful the first time.

The no form of the command reverts to the default value.

Default 

retry 3

Parameters 
count—
Specifies the retry count.
Values—
1 to 10

 

router

Syntax 
router router-instance
router service-name service-name
no router
Context 
config>app-assure>rad-acct-plcy>server
Description 

This command specifies the number of times the router attempts to contact the RADIUS server for authentication, if not successful the first time.

The no form of the command reverts to the default value.

Default 

no router

Parameters 
router-instance—
Specifies the router name or service ID used to specify the router instance.
service-name—
Specifies the service name to identify the service, up to 64 characters.

server

Syntax 
server server-index address ip-address secret key [hash | hash2] [port port] [create]
no server server-index
Context 
config>app-assure>rad-acct-plcy>server
Description 

This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.

Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried.

The no form of the command removes the server from the configuration.

Parameters 
server-index—
The index for the RADIUS server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.
Values—
1 to 16 (a maximum of 5 accounting servers)

 

address ip-address—
The IP address of the RADIUS server. Two RADIUS servers cannot have the same IP address. An error message is generated if the server address is a duplicate.
secret key—
Specifies the secret key value.
Values—
The secret key to access the RADIUS server. This secret key must match the password on the RADIUS server.
secret-key — A string up to 20 characters in length.
hash-key — A string up to 33 characters in length.
hash2-key — A string up to 55 characters in length.

 

hash—
Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
hash2—
Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
port—
Specifies the UDP port number on which to contact the RADIUS server for authentication.
Values—
1 to 65535
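
An added example, not part of the original reference: a Python check that flags decrypt-key and RADIUS server secret lines entered without the hash or hash2 keyword, and RADIUS secrets longer than the lengths listed above. It is meant for provisioning templates and change scripts, since saved configurations store keys in encrypted form; the sample lines and their nesting are constructed.

```python
import shlex

# Maximum key lengths the reference lists for the RADIUS server secret,
# keyed by the form keyword that follows the key (None = clear text).
RADIUS_MAX_LEN = {None: 20, "hash": 33, "hash2": 55}


def key_fields(tokens):
    """Return (command, key, form) for a key-bearing line, or None."""
    if not tokens or tokens[0] == "no":
        return None
    if tokens[0] == "decrypt-key" and len(tokens) >= 2:
        command, pos = "decrypt-key", 1
    elif tokens[0] == "server" and "secret" in tokens[1:-1]:
        command, pos = "server secret", tokens.index("secret") + 1
    else:
        return None  # e.g. the ICAP "server ip-address[:port]" form
    following = tokens[pos + 1] if pos + 1 < len(tokens) else None
    form = following if following in ("hash", "hash2") else None
    return command, tokens[pos], form


def audit(config_text):
    """Return (line_no, command, issue) findings; key values are never echoed."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a line we can judge
            continue
        fields = key_fields(tokens)
        if fields is None:
            continue
        command, key, form = fields
        if form is None:
            findings.append((line_no, command, "cleartext"))
        if command == "server secret" and len(key) > RADIUS_MAX_LEN[form]:
            findings.append((line_no, command, "too-long"))
    return findings


# Constructed sample input; addresses, names and key strings are made up.
SAMPLE = "\n".join([
    'radius-accounting-policy "aa-acct" create',
    '    radius-accounting-server',
    '        server 1 address 192.0.2.10 secret "Xk2LrqConstructedHash2Value" hash2 port 1813 create',
    '        server 2 address 192.0.2.11 secret "labsecret" port 1813 create',
    '        server 3 address 192.0.2.12 secret "0123456789abcdef0123456789abcdef0123" hash create',
    'url-list "blocklist" create',
    '    decrypt-key "plain-file-key"',
    'url-filter "icap-1" create',
    '    icap',
    '        server 192.0.2.50:1344 create',
])

if __name__ == "__main__":
    for line_no, command, issue in audit(SAMPLE):
        print(f"line {line_no}: {command}: {issue}")
```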

 

source-address

Syntax 
source-address ip-address
no source-address
Context 
config>app-assure>rad-acct-plcy>server
Description 

This command configures the source address of the RADIUS packet. The system IP address must be configured in order for the RADIUS client to work. See “Configuring a System Interface” in the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide. The system IP address must only be configured if the source-address is not specified. When the no source-address command is executed, the source address is determined at the moment the request is sent. This address is also used in the nas-ip-address attribute, which is set to the system IP address if no source address is given.

The no form of the command reverts to the default value, where the source address is the system IP address.

Default 

no source-address

Parameters 
ip-address—
The IP prefix for the IP match criterion in dotted decimal notation.
Values—
0.0.0.0 - 255.255.255.255

 

timeout

Syntax 
timeout seconds
Context 
config>app-assure>rad-acct-plcy>server
Description 

This command configures the number of seconds the router waits for a response from a RADIUS server.

The no form of the command reverts to the default value.

Default 

default 5

Parameters 
seconds—
Specifies the time the router waits for a response from a RADIUS server.
Values—
1 to 90
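
An added example, not part of the original reference: a Python model of the order in which the configured RADIUS servers are tried under access-algorithm direct and round-robin, with the limits documented for server, retry and timeout checked first. Treating retry as the number of attempts per server, and continuing through the remaining servers in wrapped order under round-robin, are assumptions; the addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    index: int     # server-index, 1 to 16
    address: str   # address ip-address


def validate(servers, retry=3, timeout=5):
    """Check a server list against the limits stated in this reference."""
    problems = []
    if len(servers) > 5:
        problems.append("more than 5 accounting servers")
    seen = set()
    for server in servers:
        if not 1 <= server.index <= 16:
            problems.append(f"server-index {server.index} outside 1 to 16")
        addr = ipaddress.ip_address(server.address)
        if addr in seen:
            problems.append(f"duplicate server address {addr}")
        seen.add(addr)
    if not 1 <= retry <= 10:
        problems.append(f"retry {retry} outside 1 to 10")
    if not 1 <= timeout <= 90:
        problems.append(f"timeout {timeout} outside 1 to 90")
    return problems


def query_order(servers, algorithm, request_no):
    """Return the server indexes in the order one request tries them.

    request_no is zero-based. With "direct" every request starts at the
    lowest index; with "round-robin" the starting server advances by one
    per request and wraps at the end of the list.
    """
    ordered = sorted(servers, key=lambda s: s.index)
    if not ordered:
        return []
    if algorithm == "direct":
        start = 0
    elif algorithm == "round-robin":
        start = request_no % len(ordered)
    else:
        raise ValueError(f"unknown access-algorithm: {algorithm}")
    # Assumption: after the primary fails, the rest follow in wrapped order.
    return [s.index for s in ordered[start:] + ordered[:start]]


def worst_case_wait(servers, retry=3, timeout=5):
    """Seconds before a request is given up when no server ever answers.

    Assumption: each server gets `retry` attempts of `timeout` seconds.
    """
    return len(servers) * retry * timeout


# Constructed sample: three accounting servers, entered out of index order.
SERVERS = [
    Server(5, "192.0.2.12"),
    Server(1, "192.0.2.10"),
    Server(3, "192.0.2.11"),
]

if __name__ == "__main__":
    print("violations:", validate(SERVERS))
    for algorithm in ("direct", "round-robin"):
        for request_no in range(4):
            print(algorithm, request_no,
                  query_order(SERVERS, algorithm, request_no))
    print("worst case (defaults):", worst_case_wait(SERVERS), "seconds")
```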

 

significant-change

Syntax 
significant-change delta
no significant-change
Context 
config>app-assure>rad-acct-plcy
Description 

This command configures the significant change required to generate the record.

The no form of the command reverts to the default.

Default 

no significant-change

Parameters 
delta—
Specifies the delta change (significant change) that is required for the charging-group counts to be included in the RADIUS Accounting VSAs.
Values—
0 to 4294967295

 

aa-interface

Syntax 
aa-interface aa-if-name [create]
no aa-interface aa-if-name
Context 
config>service>ies
config>service>vprn
Description 

This command creates a new AA interface within an IES or VPRN service. It is used by the aa-isa to send/receive IPv4 traffic. In the context of ICAP url-filtering this interface is used by the ISA to establish ICAP TCP connections to the ICAP servers.

This interface supports /31 subnet only, and uses .1q encapsulation by default.

The system will automatically configure the ISA IP address based on the address configured by the operator under the aa-interface object (which represents the ISA sap facing interface on the ISA).

Parameters 
aa-if-name—
Specifies the name of the AA Interface.
create—
Keyword that specifies to create the interface.

address

Syntax 
address {ip-address/mask | ip-address netmask}
no address [ip-address/mask | ip-address netmask]
Context 
config>service>ies>aa-interface
config>service>vprn>aa-interface
Description 

This command assigns an IP address to the interface.

Default 

no address

Parameters 
ip-address/mask—
Specifies an IP address/IP subnet format to the interface.
ip-address netmask—
Specifies a string of 0s and 1s that mask or screen out the network part of an IP address so that only the host computer part of the address remains.
create—
Keyword that specifies to create the interface.

ip-mtu

Syntax 
ip-mtu octets
no ip-mtu
Context 
config>service>ies>aa-interface
config>service>vprn>aa-interface
Description 

This command configures the AA interface IP MTU.

Default 

no ip-mtu

Parameters 
octets—
Specifies the MTU value.
Values—
512 to 9000

 

sap

Syntax 
sap sap-id [create]
no sap sap-id
Context 
config>service>ies>aa-interface
config>service>vprn>aa-interface
Description 

This command configures the AA interface SAP.

Parameters 
sap-id—
Specifies the physical port identifier portion of the SAP definition.
create—
Creates the SAP instance.

egress

Syntax 
egress
Context 
config>service>ies>aa-interface>sap
config>service>vprn>aa-interface>sap
Description 

This command enables the context to configure egress parameters.

ingress

Syntax 
ingress
Context 
config>service>ies>aa-interface>sap
config>service>vprn>aa-interface>sap
Description 

This command enables the context to configure ingress parameters.

filter

Syntax 
filter ip ip-filter-id
no filter [ip ip-filter-id]
Context 
config>service>ies>aa-if>sap>egress
config>service>vprn>aa-if>sap>egress
Description 

This command applies an IP filter to the SAP.

Default 

no filter

Parameters 
ip-filter-id—
Specifies an existing IP filter ID.
Values—
1 to 65535, or name up to 64 characters maximum

 

qos

Syntax 
qos policy-id
no qos [policy-id]
Context 
config>service>ies>aa-if>sap>egress
config>service>ies>aa-if>sap>ingress
config>service>vprn>aa-if>sap>egress
config>service>vprn>aa-if>sap>ingress
Description 

This command applies a QoS policy to the SAP.

Default 

qos 1

Parameters 
policy-id—
Specifies an existing QoS policy ID.

3.4.2.4.7. System Persistence Commands

persistence

Syntax 
persistence
Context 
config>system
Description 

This command enables the context to configure persistence parameters on the system.

The persistence feature enables state information learned through DHCP snooping to be retained across reboots. This information includes data such as the IP address and MAC binding information, lease-length information, and ingress SAP information (required for VPLS snooping to identify the ingress interface).

If persistence is enabled when there are no DHCP relay or snooping commands enabled, it will simply create an empty file.

Default 

no persistence

application-assurance

Syntax 
application-assurance
Context 
config>system>persistence
Description 

This command enables the context to configure application assurance persistence parameters.

location

Syntax 
location cflash-id
no location
Context 
config>system>persistence>application-assurance
Description 

This command instructs the system where to write the file. The name of the file is appassure.db. On boot, the system scans the file systems looking for appassure.db; if it finds the file, it starts to load it.

The no form of this command returns the system to the default. If there is a change in file location while persistence is running, a new file will be written on the new flash, and then the old file will be removed.

Default 

no location

Parameters 
cflash-id—
Specifies the compact flash type.
Values—
cf1:, cf2:, cf3:

 

3.4.2.5. ISA Commands

3.4.2.5.1. Application Assurance Group Commands

application-assurance-group

Syntax 
application-assurance-group application-assurance-group-index [create] [aa-sub-scale sub-scale]
no application-assurance-group application-assurance-group-index
Context 
config>isa
Description 

This command enables the context to create an application assurance group with the specified system-unique index and enables the context to configure that group’s parameters.

The no form of the command deletes the specified application assurance group from the system. The group must be shut down first.

Default 

none

Parameters 
application-assurance-group-index —
Specifies an integer to identify the AA group
Values—
1 to 255

 

create—
Mandatory keyword used when creating an application assurance group in the ISA context. The create keyword requirement can be enabled/disabled in the environment>create context.
sub-scale—
Specifies the set of scaling limits that are supported with regards to the maximum number of AA subscribers per ISA and the corresponding policies that can be specified.
Values—

residential: Scaling limits for residential operation.
vpn: Scaling limits for VPNs.
mobile-gateway: Scaling limits for Mobile Gateway.
lightweight-internet: Scaling limits for operation as a wireless LAN gateway using DSM subscribers.

 

Default—
residential

backup

Syntax 
[no] backup mda-id
Context 
config>isa>aa-grp
Description 

This command assigns an AA ISA configured in the specified slot to this application assurance group. The backup module provides the application assurance group with warm redundancy when the primary module in the group is configured. Primary and backup modules have equal operational status, and when both modules are coming up, the one that becomes operational first becomes the active module. A module can serve as a backup for multiple AA ISA cards, but only one can fail to it at one time.

On an activity switch from the primary module, configurations are already on the backup MDA but flow state information must be re-learned. Any statistics not yet spooled will be lost. Auto-switching from the backup to primary, once the primary becomes available again, is not supported.

The operator is notified through SNMP events when:

  1. The AA service goes down (all modules in the group are down) or comes back up (a module in the group becomes active).
  2. AA redundancy fails (one of the modules in the group is down) or recovers (the failed module comes back up).
  3. An AA activity switch has occurred.

The no form of the command removes the specified module from the application assurance group.

Parameters 
mda-id—
Specifies the card/slot identifying a provisioned module to be used as a backup module.
Values—

mda-id: slot/mda
slot: 1 to 10 depending on chassis model
mda: 1 to 2

 

divert-fc

Syntax 
[no] divert-fc fc-name
Context 
config>isa>aa-grp
Description 

This command selects a forwarding class in the system to be diverted to an application assurance engine for this application assurance group. Only traffic to/from subscribers with application assurance enabled is diverted.

To divert multiple forwarding classes, the command must be executed multiple times, specifying one forwarding class to be diverted at a time.

The no form of the command stops diverting of the traffic to an application assurance engine for this application assurance group.

Parameters 
fc-name—
Creates a class instance of the forwarding class fc-name.
Values—
be, l2, af, l1, h2, ef, h1, nc

 

fail-to-open

Syntax 
[no] fail-to-open
Context 
config>isa>aa-grp
Description 

This command configures the mode of operation during an operational failure of this application assurance group when no application assurance engines are available to service traffic. When enabled, all traffic that was to be inspected will be dropped. When disabled, all traffic that was to be inspected will be forwarded without any inspection as if the group was not configured at all.

Default 

no fail-to-open

http-enrich-maximum

Syntax 
[no] http-enrich-maximum
Context 
config>isa>aa-grp
Description 

This command configures the maximum HTTP enriched packet size.

isa-capacity-cost-high-threshold

Syntax 
isa-capacity-cost-high-threshold threshold
no isa-capacity-cost-high-threshold
Context 
config>isa>aa-grp
Description 

This command configures the ISA-AA capacity cost high threshold.

The no form of the command reverts the threshold to the default value.

Default 

isa-capacity-cost-high-threshold 4294967295

Parameters 
threshold—
Specifies the capacity cost high threshold for the ISA-AA group.
Values—
0 to 4294967295

 

isa-capacity-cost-low-threshold

Syntax 
isa-capacity-cost-low-threshold threshold
no isa-capacity-cost-low-threshold
Context 
config>isa>aa-grp
Description 

This command configures the ISA-AA capacity cost low threshold.

The no form of the command reverts the threshold to the default value.

Default 

isa-capacity-cost-low-threshold 0

Parameters 
threshold—
Specifies the capacity cost low threshold for the ISA-AA group.
Values—
0 to 4294967295

 

isa-overload-cut-through

Syntax 
[no] isa-overload-cut-through
Context 
config>isa>aa-grp
Description 

This command configures the ISA group to enable cut-through of traffic if an overload event occurs, triggered when the IOM weighted average queue depth exceeds the wa-shared-high-wmark. In this ISA state, packets are cut through from application analysis but retain subscriber context with the default subscriber policy applied.

The no form of the command disables cut-through processing on overload.

Default 

no isa-overload-cut-through

minimum-isa-generation

Syntax 
minimum-isa-generation min-isa-generation
Context 
config>isa>aa-grp
Description 

This command configures the scale parameters for the ISA group. When min-isa-generation is configured as 1, the group and per-ISA limits are the MS-ISA scale.

If there is a mix of ISA 1s and 2s, the min-isa-generation must be left as 1.

When min-isa-generation is configured as 2, the per-ISA resource limits shown in the show isa application-assurance-group 1 load-balance output will increase to show ISA2 limits.

Default 

minimum-isa-generation 1

Parameters 
min-isa-generation—
Specifies the minimum ISA Generation allowed in this group.
Values—
1 – ISA (ISA1)
2 – ISA2

 

overload-sub-quarantine

Syntax 
overload-sub-quarantine
Context 
config>isa>aa-grp
Description 

This command enables the context for overload subscriber detection for this application assurance group.

shutdown

Syntax 
[no] shutdown
Context 
config>isa>aa-grp>overload-sub-quarantine
Description 

This command disables the overload subscriber detection algorithm in the ISA group for the purpose of quarantining an overloaded subscriber. It is possible to manually quarantine an AA subscriber even when this command is disabled (shutdown).

The no form of this command enables the overload subscriber detection algorithm in the ISA group. When enabled, each ISA monitors the traffic on a continuous basis to identify AA subscribers that occupy more than their fair share of ISA resources and need to be quarantined.

Default 

shutdown

partitions

Syntax 
[no] partitions
Context 
config>isa>aa-grp
Description 

This command enables partitions within an ISA-AA group. When enabled, partitions can be created.

The no form of the command disables partitions within an ISA-AA group.

Default 

no partitions

primary

Syntax 
[no] primary mda-id
Context 
config>isa>aa-grp
Description 

This command assigns an AA ISA module configured in the specified slot to this application assurance group. Primary and backup ISAs have equal operational status and when both ISAs are coming up, the one that becomes operational first becomes the active ISA.

On an activity switch from the primary ISA, all configurations are already on the backup ISA but flow state information must be re-learned. Any statistics not yet spooled will be lost. Auto-switching from the backup to primary, once the primary becomes available again, is not supported.

The operator is notified through SNMP events when:

  1. The AA service goes down (all ISAs in the group are down) or comes back up (an ISA in the group becomes active).
  2. AA redundancy fails (one of the ISAs in the group is down) or recovers (the failed MDA comes back up).
  3. An AA activity switch has occurred.

The no form of the command removes the specified ISA from the application assurance group.

Parameters 
mda-id —
Specifies the slot/mda identifying a provisioned AA ISA.
Values—

mda-id: slot/mda
slot: 1 to 10 depending on chassis model
mda: 1 to 2
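The activity and notification rules given for the backup and primary commands can be replayed as a small state machine. This is an added example, not vendor code: the event labels are hypothetical names for the three SNMP event categories listed above, and the model assumes a group of exactly two modules that both start down.

```python
def run_group(status_changes, modules=("primary", "backup")):
    """Replay (module, is_up) status changes; return (active, events).

    Assumption: both modules start down, and a module that joins while
    its peer is already active is reported as a redundancy recovery.
    Event labels are hypothetical, not SNMP trap names.
    """
    up = {m: False for m in modules}
    active = None
    events = []
    for module, is_up in status_changes:
        if up[module] == is_up:
            continue  # no state change, nothing to report
        up[module] = is_up
        peer = next(m for m in modules if m != module)
        if is_up:
            if active is None:
                # The first module to become operational becomes active.
                active = module
                events.append(("service-up", module))
            else:
                # Peer is already active: no automatic switch back.
                events.append(("redundancy-recovered", module))
        elif module == active and up[peer]:
            # Active module failed while the peer is available.
            active = peer
            events.append(("redundancy-failed", module))
            events.append(("activity-switch", peer))
        elif module == active:
            # Last operational module failed: all modules are down.
            active = None
            events.append(("service-down", module))
        else:
            # Standby module failed; the active module keeps running.
            events.append(("redundancy-failed", module))
    return active, events


# Constructed sequence of module status changes (not captured from a router).
SAMPLE = [
    ("backup", True),    # backup comes up first and becomes active
    ("primary", True),   # primary joins as standby, no switch back
    ("backup", False),   # active module fails, activity moves to primary
    ("backup", True),    # backup returns, primary stays active
    ("primary", False),  # activity moves to backup
    ("backup", False),   # no module left, AA service is down
]

if __name__ == "__main__":
    final_active, log = run_group(SAMPLE)
    for name, module in log:
        print(f"{name:22} {module}")
    print("active module:", final_active)
```
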

 

qos

Syntax 
qos
Context 
config>isa>aa-grp
Description 

This command enables the context for Quality of Service configuration for this application assurance group.

statistics

Syntax 
statistics
Context 
config>isa>aa-grp
Description 

This command enables the context to configure statistics generation.

performance

Syntax 
performance
Context 
config>isa>aa-grp>statistics
Description 

This command configures the ISA group to enable the aa-performance statistic record. This record contains information on the traffic load and resource consumption for each ISA in the group, to allow tracking of ISA load for long-term capacity planning and short-term anomalies. The user can configure the accounting policy to be used and enable the record using the [no] collect-stats command.

egress

Syntax 
egress
Context 
config>isa>aa-grp>qos
Description 

This command enables the context for IOM port-level Quality of Service configuration for this application assurance group in the egress direction (traffic entering an application assurance engine).

from-subscriber

Syntax 
from-subscriber
Context 
config>isa>aa-grp>qos>egress
Description 

This command enables the context for Quality of Service configuration for this application assurance group from-subscriber logical port (traffic entering the system from AA subscribers and entering an application assurance engine).

pool

Syntax 
pool [pool-name]
no pool
Context 
config>isa>aa-grp>qos>egress>from-subscriber
config>isa>aa-grp>qos>egress>to-subscriber
Description 

This command enables the context to configure an IOM pool as applicable to the specific application assurance group traffic. The user can configure resv-cbs (as percentage) values and slope-policy similarly to other IOM pool commands.

Default 

pool default

Parameters 
pool-name—
Specifies the name of the pool, up to 32 characters.

resv-cbs

Syntax 
resv-cbs percent-or-default
no resv-cbs
Context 
config>isa>aa-grp>qos>egress>from-subscriber>pool
config>isa>aa-grp>qos>egress>to-subscriber>pool
Description 

This command defines the percentage or specifies the sum of the pool buffers that are used as a guideline for CBS calculations for access and network ingress and egress queues. Two actions are accomplished by this command.

  1. A reference point is established to compare the currently assigned (provisioned) total CBS with the amount the buffer pool considers to be reserved. Based on the percentage of the pool reserved that has been provisioned, the over provisioning factor can be calculated.
  2. The size of the shared portion of the buffer pool is indirectly established. The shared size is important to the calculation of the instantaneous-shared-buffer-utilization and the average-shared-buffer-utilization variables used in Random Early Detection (RED) per packet slope plotting.

This command does not actually set aside buffers within the buffer pool for CBS reservation. The CBS value per queue only determines the point at which enqueuing packets are subject to a RED slope. Oversubscription of CBS could result in a queue operating within its CBS size and still not able to enqueue a packet due to unavailable buffers. The resv-cbs parameter can be changed at any time.

If the total pool size is 10 MB and the resv-cbs is set to 5, the ‘reserved size’ is 500 KB.

The no form of this command restores the default value.

Default 

default (30%)

Parameters 
percent-or-default—
Specifies the pool buffer size percentage.
Values—
0 to 100, default

 

slope-policy

Syntax 
slope-policy slope-policy-name
no slope-policy
Context 
config>isa>aa-grp>qos>egress>from-subscriber>pool
config>isa>aa-grp>qos>egress>to-subscriber>pool
Description 

This command specifies an existing slope policy which defines high and low priority RED slope parameters and the time average factor. The slope policy is defined in the config>qos>slope-policy context.

Parameters 
slope-policy-name —
The name of the slope policy, up to 32 characters.

port-scheduler-policy

Syntax 
port-scheduler-policy port-scheduler-policy-name
no port-scheduler-policy
Context 
config>isa>aa-grp>qos>egress>from-subscriber
config>isa>aa-grp>qos>egress>to-subscriber
Description 

This command assigns an existing port scheduler policy as applicable to the specific application assurance group traffic.

Default 

no port-scheduler-policy

Parameters 
port-scheduler-policy-name —
Specifies the name of an existing port scheduler policy.

queue-policy

Syntax 
queue-policy network-queue-policy-name
no queue-policy
Context 
config>isa>aa-grp>qos>egress>from-subscriber
config>isa>aa-grp>qos>egress>to-subscriber
Description 

This command assigns an IOM network queue policy as applicable to specific application assurance group traffic.

Default 

queue-policy default

Parameters 
network-queue-policy-name —
The name of the network queue policy defined in the system.

wa-shared-high-wmark

Syntax 
wa-shared-high-wmark percent
no wa-shared-high-wmark
Context 
config>isa>aa-grp>qos>egress>from-sub
config>isa>aa-grp>qos>egress>to-sub
Description 

This command configures the high watermark for the weighted average utilization of the shared buffer space in the from-subscriber buffer pool for each ISA. When a buffer pool is not in the overload state and the wa-shared buffer utilization for an ISA crosses above the high watermark value, the ISA from-subscriber buffer pool enters an overload state and an overload notification is raised.

The no version of this command reverts to the default.

Default 

wa-shared-high-wmark max

Parameters 
percent—
Specifies the weighted average shared buffer utilization high watermark.
Values—
1 to 100, max percent (disabled)

 

wa-shared-low-wmark

Syntax 
wa-shared-low-wmark percent
no wa-shared-low-wmark
Context 
config>isa>aa-grp>qos>egress>from-sub
config>isa>aa-grp>qos>egress>to-sub
Description 

This command configures the low watermark for the weighted average utilization of the shared buffer space in the from-subscriber buffer pool. When a buffer pool is in an overloaded state and the wa-shared buffer utilization for an ISA drops below the low watermark value, the ISA from-subscriber buffer pool leaves the overload state and a notification is sent to indicate the overload state has cleared.

The no version of this command reverts to the default.

Default 

wa-shared-low-wmark 0

Parameters 
percent—
Specifies the weighted average shared buffer utilization low watermark.
Values—
0 to 99
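The two watermarks form a hysteresis band, and isa-overload-cut-through decides what happens to traffic while the pool is inside it. The following is an added example, not vendor code: it replays constructed weighted-average utilization samples through the rules described for wa-shared-high-wmark and wa-shared-low-wmark, and the function name, event labels and handling labels are hypothetical.

```python
def track_overload(samples, high_wmark="max", low_wmark=0, cut_through=False):
    """Replay weighted-average shared-buffer utilization samples (percent).

    Returns one (utilization, overloaded, event, handling) tuple per sample.
    The strict comparisons follow the wording "crosses above" and
    "drops below"; event and handling labels are hypothetical.
    """
    if high_wmark != "max" and not 1 <= high_wmark <= 100:
        raise ValueError("wa-shared-high-wmark must be 1 to 100 or 'max'")
    if not 0 <= low_wmark <= 99:
        raise ValueError("wa-shared-low-wmark must be 0 to 99")
    overloaded = False
    timeline = []
    for util in samples:
        event = None
        if not overloaded and high_wmark != "max" and util > high_wmark:
            # Crossing above the high watermark enters the overload state.
            overloaded = True
            event = "overload-raised"
        elif overloaded and util < low_wmark:
            # Only dropping below the low watermark clears the state.
            overloaded = False
            event = "overload-cleared"
        # With isa-overload-cut-through, traffic in the overload state skips
        # application analysis but keeps subscriber context with the default
        # subscriber policy applied.
        handling = "cut-through" if overloaded and cut_through else "inspect"
        timeline.append((util, overloaded, event, handling))
    return timeline


# Constructed utilization samples in percent (not measured on a router).
SAMPLES = [40, 72, 86, 91, 78, 64, 59, 70]

if __name__ == "__main__":
    for row in track_overload(SAMPLES, high_wmark=85, low_wmark=60,
                              cut_through=True):
        print(row)
```

With the defaults (wa-shared-high-wmark max, wa-shared-low-wmark 0) the same samples never enter the overload state, so no notification is produced and cut-through is never applied.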

 

shared-resources

Syntax 
shared-resources
Context 
config>isa>aa-grp
Description 

This command enables the context to configure the shared resources pool.

tcp-adv-func

Syntax 
tcp-adv-func size
Context 
config>isa>aa-grp>shr-res-pool
Description 

This command configures the allocation of shared resource pool for TCP advanced functions.

Default 

tcp-adv-func 100

Parameters 
size—
Specifies the allocation of the shared resource pool.
Values—
0 to 100

 

to-subscriber

Syntax 
to-subscriber
Context 
config>isa>aa-grp>qos>egress
Description 

This command enables the context for Quality of Service configuration for this application assurance group to-subscriber logical port (traffic destined to AA subscribers and entering an application assurance engine).

ingress

Syntax 
ingress
Context 
config>card>mda>network>ingress
Description 

This command enables the context for MDA-level IOM Quality of Service (QoS) configuration.