3.4. Application Assurance Command Reference

— persistence - Refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Basic System Configuration Guide for a complete list of persistence commands and descriptions.

— application-assurance

— description description-string

— no description

— location cflash-id

— no location

Application Assurance uses system components for some of its functionality. Refer to the following for details on:

Configuration of Application Assurance Accounting policy including per accounting type record selection and customization of AA subscriber records.
Configuration of AA ISA IOM QoS.

3.4.2.1. Generic Commands

description

Syntax

description description-string

no description

Context

config>app-assure>aarp

config>app-assure>group

config>app-assure>group>statistics>aa-sub

config>app-assure>group>cflowd>collector

config>app-assure>group>cflowd>group>cflowd

config>app-assure>group>cflowd>group>cflowd>collector

config>app-assure>group>cflowd>group>cflowd>volume

config>app-assure>group>certificate-profile

config>app-assure>group>dns-ip-cache

config>app-assure>group>event-log>syslog

config>app-assure>group>gtp>gtp-filter

config>app-assure>group>http-enrich

config>app-assure>group>http-error-redirect

config>app-assure>group>http-notification

config>app-assure>group>http-redirect

config>app-assure>group>ip-prefix-list

config>app-assure>group>policer

config>app-assure>group>policer>tod-override

config>app-assure>group>policy>app-filter>entry

config>app-assure>group>policy>app-group

config>app-assure>group>policy>application

config>app-assure>group>policy>app-profile

config>app-assure>group>policy>app-qos-policy>entry

config>app-assure>group>policy>aqp>entry

config>app-assure>group>policy>aqp>entry>action>url-filter

config>app-assure>group>policy>charging-group

config>app-assure>group>policy>custom-protocol

config>app-assure>group>policy>transit-ip-policy

config>app-assure>group>port-list

config>app-assure>group>sctp-filter

config>app-assure>group>session-filter

config>app-assure>group>session-filter>entry

config>app-assure>group>tcp-validate

config>app-assure>group>tod-override

config>app-assure>group>transit-prefix-policy

config>app-assure>group>url-filter

config>app-assure>group>url-filter>icap>server

config>app-assure>group>url-filter>web-service>profile

config>app-assure>group>url-list

config>app-assure>protocol

config>app-assure>rad-acct-plcy

config>isa

config>isa>aa-group

config>service>ies>aa-interface

config>service>vprn>aa-interface

config>system>persistence>ancp

config>system>persistence>application-assurance

Description

This command creates a text description which is stored in the configuration file to help identify the content of the entity.

The no form of this command removes the string from the configuration.

Parameters

string—

The description character string, up to 80 characters. Allowed values are any string composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

description

Syntax

description long-description-string

no description

Context

config>service>ies>aa-interface>sap

config>service>vprn>aa-interface>sap

Description

This command creates a text description which is stored in the configuration file to help identify the content of the entity.

The no form of this command removes the string from the configuration.

Parameters

string—

The description character string, up to 160 characters. Allowed values are any string composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

shutdown

Syntax

[no] shutdown

Context

config>app-assure>aarp

config>app-assure>group>aa-sub-cong

config>app-assure>group>cflowd

config>app-assure>group>cflowd>collector

config>app-assure>group>cflowd>comp

config>app-assure>group>cflowd>comp>template>dynamic-fields

config>app-assure>group>cflowd>rtp-perf

config>app-assure>group>cflowd>rtp-perf>audio-template>dynamic-fields

config>app-assure>group>cflowd>rtp-perf>video-template>dynamic-fields

config>app-assure>group>cflowd>rtp-perf>voice-template>dynamic-fields

config>app-assure>group>cflowd>tcp-perf

config>app-assure>group>cflowd>tcp-perf>template>dynamic-fields

config>app-assure>group>cflowd>volume

config>app-assure>group>cflowd>volume>template>dynamic-fields

config>app-assure>group>certificate-profile

config>app-assure>group>dns-ip-cache

config>app-assure>group>event-log

config>app-assure>group>gtp

config>app-assure>group>http-enrich

config>app-assure>group>http-error-redirect

config>app-assure>group>http-notification

config>app-assure>group>http-redirect

config>app-assure>group>policer>tod-override

config>app-assure>group>policy>app-filter>entry

config>app-assure>group>policy>app-qos-policy>entry

config>app-assure>group>policy>custom-protocol

config>app-assure>group>statistics>protocol

config>app-assure>group>tethering-detection

config>app-assure>group>transit-ip-policy>dhcp

config>app-assure>group>transit-ip-policy>radius

config>app-assure>group>transit-ip-policy>transit-auto-create

config>app-assure>group>url-filter

config>app-assure>group>url-filter>icap>server

config>app-assure>group>url-list

config>app-assure>group>wap1x

config>app-assure>protocol

config>isa>aa-grp

config>service>ies>aa-interface

config>service>ies>aa-interface>sap

config>service>vprn>aa-interface

config>service>vprn>aa-interface>sap

Description

This command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.

The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

3.4.2.2. Admin Commands

application-assurance

Syntax

application-assurance

Context

admin

Description

This command enables the context to perform Application Assurance (AA) configuration operations.

upgrade

Syntax

upgrade

Context

admin>app-assure

Description

Use this command to load a new isa-aa.tim file as part of a router-independent signature upgrade. An AA ISA reboot is required.

3.4.2.3. Application Assurance Commands

aarp

Syntax

aarp aarpId [create]

no aarp aarpId

Context

config>application-assurance

Description

This command defines an Application Assurance Redundancy Protocol (AARP) instance. This instance is paired with the same aarpId in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP.

The no form of this command removes the instance from the configuration.

Parameters

aarpid—

An integer that identifies an AARP instance.

Values—

1 to 65535

create—

Keyword used to create the AARP instance.

master-selection-mode

Syntax

master-selection-mode mode

Context

config>app-assure>aarp

Description

This command configures the AARP mode of operation with the peer instance. The modes affect the AARP state machine behavior according to the desired behavior. Minimize-switchover will change AARP state based on Master ISA failure, and be non-revertive in that when the priority ISA returns a switch does not occur, which is optimal for AA flow identification. Inter-chassis efficiency mode considers both priority (revertive) and the endpoint status of the AARP instance and will switch activity in case of EP failure in order to avoid sending all the traffic over the ICL. The priority-based-balance mode will be revertive after a priority master returns to service, but excludes EP status. The master-selection-mode configuration must match on both peer AARP instances, or the AARP operational status will stay down.

Default

master-selection-mode minimize-switchovers

Parameters

mode—

Specifies the AARP master selection mode.

Values—

minimize-switchovers — Optimal AA flow detection continuity by minimizing AARP switchovers.

inter-chassis-efficiency — Minimizes inter-chassis traffic.

priority-based-balance — AA load balance between AARP peers based on configured priority.

peer

Syntax

peer ip-address

no peer

Context

config>app-assure>aarp

Description

This command defines the IP address of the peer router which must be a routable system IP address.

If no peer is configured and the AARP is no shutdown, it is configured as a single node AARP instance.

The no form of this command removes the IP address from the AARP instance.

Default

no peer

Parameters

ip-address —

Specifies the IP address in the a.b.c.d format.

peer-endpoint

Syntax

peer-endpoint sap sap-id encap-type {dot1q | null | qinq}

peer-endpoint spoke-sdp sdp-id:vc-id

no peer-endpoint

Context

config>app-assure>aarp

Description

This command defines the peer endpoint ID of the SAP or spoke-SDP parent-aa-sub of the AARP peer.

The no form of this command removes the peer endpoint from the AARP instance.

Default

no peer-endpoint

Parameters

sap-id—

Specifies the physical port identifier portion of the SAP definition.

sdp-id:vc-id—

Specifies the spoke SDP ID and VC ID.

Values—

1 to 32767

1 to 4294967295

dot1q | null | qinq—

Specifies the encapsulation type.

priority

Syntax

priority value

no priority

Context

config>app-assure>aarp

Description

This command defines the priority for the AARP instance. The priority value is used to determine the master/backup upon initialization or re-balance.

The no form of this command reverts to the default value.

Default

priority 100

Parameters

value—

Specifies an integer that defines the priority of an AARP instance.

Values—

0 to 255

bit-rate-high-wmark

Syntax

bit-rate-high-wmark high-watermark

Context

config>application-assurance

Description

This command configures the high watermark for bit rate alarms.

Default

bit-rate-high-wmark max

Parameters

high-watermark—

Specifies the high watermark for bit rate alarms, in Mb/s. The value must be larger than or equal to the low watermark value.

Values—

1 to 40000, max (disabled)

bit-rate-low-wmark

Syntax

bit-rate-low-wmark low-watermark

no bit-rate-low-wmark

Context

config>application-assurance

Description

This command configures the utilization of the flow records on the ISA-AA Group when the full alarm will be cleared by the agent.

Default

bit-rate-low-wmark 0

Parameters

low-watermark—

Specifies the low watermark for bit rate alarms, in Mb/s. The value must be lower than or equal to the high watermark value.

Values—

0 to 39999

datapath-cpu-high-wmark

Syntax

datapath-cpu-high-wmark high-watermark

datapath-cpu-high-wmark max

Syntax

packet-rate-low-wmark low-watermark

no packet-rate-low-wmark

Context

config>app-assure

Description

This command configures the system wide low watermark threshold for per-ISA throughput in packets/second when an high packet rate alarm will be cleared by the agent. The value must be less than or equal to the packet-rate-high-wmark parameter.

The no form of this command sets the parameter to minimum (watermark disabled).

Default

packet-rate-low-wmark 0

Parameters

low-watermark—

Specifies the low watermark for packet rate alarms. The value must be lower than or equal to the packet-rate-high-wmark value.

Values—

0 to 59523807 packets/sec

flow-setup-high-wmark

Syntax

flow-setup-high-wmark high-watermark

Context

config>app-assure

Description

This command configures the system wide high watermark threshold for per-ISA throughput in packets/second when an alarm will be raised by the agent. The value must be larger than or equal to the packet-rate-low-wmark parameter.

Default

flow-setup-high-wmark max

Parameters

high-watermark—

Specifies the high watermark for flow setup rate alarms. The value must be larger than or equal to the flow-setup-low-wmark value.

Values—

1 to 800000, max flows/sec (disabled)

flow-setup-low-wmark

Syntax

flow-setup-low-wmark low-watermark

no flow-setup-low-wmark

Context

config>app-assure

Description

This command configures the flow setup rate on the ISA-AA when a flow setup alarm will be raised by the agent.

Default

flow-setup-low-wmark 0

Parameters

low-watermark—

Specifies the low watermark for flow setup rate alarms. The value must be larger than or equal to the flow-setup-high-wmark value.

Values—

1 to 799999 flows/sec

application-assurance

Syntax

application-assurance

Context

config

Description

This command enables the context to perform Application Assurance (AA) configuration operations.

flow-table-high-wmark

Syntax

flow-table-high-wmark high-watermark

no flow-table-high-wmark

Context

config>app-assure

Description

This command configures the system-wide high watermark threshold as a percentage of the flow table size for the per-ISA utilization of the flow records when a full alarm will be raised by the agent.

Default

flow-table-high-wmark 95

Parameters

high-watermark—

Specifies the high watermark for flow table full alarms, in percent.

Values—

0 to 100

Default—

flow-table-low-wmark

Syntax

flow-table-low-wmark low-watermark

no flow-table-low-wmark

Context

config>app-assure

Description

This command configures the system-wide low watermark threshold as a percentage of the flow table size for per-ISA. The value must be lower than or equal to the flow-table-high-wmark high-watermark parameter.

Default

flow-table-low-wmark 90

Parameters

low-watermark—

Specifies the low watermark for flow table full alarms, in percent.

Values—

0 to 100

Default—

protocol

Syntax

protocol protocol-name

Context

config>app-assure

Description

This command configures the shutdown of protocols system-wide.

Parameters

protocol-name—

A string of up to 32 characters identifying a predefined protocol.

group

Syntax

group aa-group-id[:partition-id [create]

no group aa-group-id:partition-id

Context

config>app-assure

Description

This command configures and enables the context to configure an application assurance group and partition parameters.

Parameters

aa-group-id—

Specifies a group of ISA MDAs.

Values—

1 to 255

partition-id—

Specifies a partition within a group.

Values—

1 to 65535

create—

Keyword used to create the partition in the group.

aa-sub-congestion-detection

Syntax

aa-sub-congestion-detection

Context

config>app-assure>group

Description

This command enables the context to configure Non-Location Based DEM (NLB-DEM) parameters.

Note:

NLB-DEM and Access-Network Location (ANL) DEM mode are mutually exclusive, and cannot operate simultaneously.

aa-sub-remote

Syntax

[no] aa-sub-remote

Context

config>app-assure>group

Description

This command specifies whether or not the from subscriber and to subscriber traffic direction is reversed for this group-partition.

Default

no aa-sub-remote

cflowd

Syntax

cflowd

Context

config>app-assure>group

Description

This command enables the context to configure cflowd parameters for the application assurance group.

certificate-profile

Syntax

certificate-profile cert-prof-name [create]

no certificate-profile cert-prof-name

Context

config>app-assure>group

Description

This command creates a certificate profile to be used for certificate-based encryption in HTTP header enrichment.

The no form of this command removes the certificate profile.

Parameters

cert-profile-name—

Specifies the name of the profile, up to 32 characters.

certificate

Syntax

certificate certificate-file

no certificate

Context

Parameters

dns-ip-cache-name—

Specifies the Application Assurance DNS IP cache name.

create—

Specifies a keyword used to create the DNS IP cache.

dns-match

Syntax

dns-match

Context

config>app-assure>group>dns-ip-cache

Description

This command enters the context to configure match parameters in the DNS IP cache.

domain

Syntax

domain domain-name expression expression

no domain domain-name

Context

config>app-assure>group>dns-ip-cache>dns-match

Description

This command configures a domain expression to populate the DNS IP cache. Up to 32 domains can be configured.

Parameters

domain-name—

Specifies the name of the domain expression entry.

expression—

Specifies a domain name expression string, up to 64 characters, used to define a pattern match. This domain expression uses the same syntax as the expressions used in app-filters.

server-address

Syntax

server-address server-address [name server-name]

no server-address server-address

Context

config>app-assure>group>dns-ip-cache>dns-match

Description

This command configures a DNS server address. DNS responses from this DNS server are used to populate the dns-ip-cache. Up to 64 server addresses can be configured.

Parameters

server-address—

Specifies the IPv4 or IPv6 address of the DNS.

Values—

ipv4-address	a.b.c.d[/mask]
		mask - [1 to 32]
ipv6-address	x:x:x:x:x:x:x:x/prefix-length
		x:x:x:x:x:x:d.d.d.d
		x - [0 to FFFF]H
		d - [0 to 255]D
	prefix-length	[1 to 128]

server-name—

Specifies an optional server name for a given server address.

ip-cache

Syntax

ip-cache

Context

config>app-assure>group>dns-ip-cache

Description

This command configures the dns-ip-cache cache parameters.

high-wmark

Syntax

high-wmark percent

Context

config>app-assure>group>dns-ip-cache>ip-cache

Description

This command configures the high watermark value for the DNS IP cache. When the number of IP addresses stored in the cache crosses above this threshold, the system will generate a trap.

Default

high-wmark 90

Parameters

percent—

Specifies the high watermark value, in percent.

Values—

0 to 100

Default—

low-wmark

Syntax

low-wmark percent

Context

config>app-assure>group>dns-ip-cache>ip-cache

Description

This command configures the low watermark value for the dns-ip-cache. If the dns-ip-cache has previously crossed the high-watermark value, the system will clear the trap in case the number of IP addresses stored in the cache crosses below the low watermark value.

Default

low-wmark 80

Parameters

percent—

Specifies the low watermark value, in percent.

Values—

0 to 100

Default—

size

Syntax

size cache-size

Context

config>app-assure>group>dns-ip-cache>ip-cache

Description

This command configures the maximum number of entries in the cache.

Default

size 10

Parameters

cache-size—

Specifies the maximum number of IP addresses that can be stored in the cache.

Values—

10 to 32000

Default—

static-address

Syntax

[no] static-address {ip-address | ipv6-address}

Context

config>app-assure>group>dns-ip-cache>ip-cache

Description

This command configures a static address in the cache.

Parameters

ip-address | ipv6-address—

Specifies a character string up to 64 characters.

collector

Syntax

collector ip-address[:port] [create]

no collector ip-address[:port]

Context

config>app-assure>group>cflowd

Description

This command defines a flow data collector for cflowd data. The IP address of the flow collector must be specified. The UDP port number is an optional parameter. If it is not set, the default of 2055 is used.

Parameters

ip-address—

Specifies the IP address of the flow data collector in dotted decimal notation.

port—

Specifies the UDP port of flow data collector.

Values—

1 to 65535

Default—

2055

create—

Keyword used to create the flow data collector.

comprehensive

Syntax

comprehensive

Context

config>app-assure>group>cflowd

Description

This command enables the context to configure cflowd comprehensive statistics output parameters.

export-override

Syntax

export-override mode

no export-override

Context

configure>app-assure>group>cflowd

Description

This command configures the AA sub-type used in cflowd record export. The cflowd stats exported to the cflowd collector to look identical to when AA is on the type of system defined by the mode. The following cflowd export fields are affected:

cflowd export observation point (field 138), the mode will be derived from the export-override category that is selected.
cflowd export AA_Subscriber_Type (field 12) modified as configured, using existing field types.
cflowd interface name is used as the sub-ID field, optionally modified to use the export-override mode prefix as a global identifier.

All AA cflowd record types are affected by export-override. To change any of the export-override and/or prefix, cflowd must be shutdown first. When the export-override is set back to default (no export-override) the prefix will also be set back to default.

The no form of this command removes the export override.

Default

no export-override

Parameters

mode—

The type of system emulated by stats export.

Values—

mobile(mobile gateway mode, cflowd field 138 = 2)

prefix

Syntax

prefix prefix-string

no prefix

Context

config>app-assure>group>cflowd>export-override

Description

This command specifies the prefix-string associated with the export-override.

Parameters

prefix-string—

Up to an 8 character string. If the 8 character prefix is "ABCDEFG_" for a particular node, the cflowd export override would generate IPv4 interface names such as ABCDEFG_255.255.255.255 or IPv6 as ABCDEFG_2001:DB8:EF01:2345::/64. By default the prefix will be left blank.

rtp-performance

Syntax

rtp-performance

Context

config>app-assure>group>cflowd

Description

This command configures the cflowd RTP performance export.

event-log

Syntax

event-log event-log-name [create]

no event-log event-log-name

Context

config>app-assure>group

Description

This command configures an event log.

Parameters

event-log-name—

Specifies the name of the event log.

buffer-type

Syntax

buffer-type buffer-type

Context

config>app-assure>group>evt-log

Description

This command specifies the type of buffer to be used in the event log.

Default

buffer-type linear

Parameters

buffer-type—

Specifies the type of event type.

Values—

linear — Specifies a linear buffer which once full will stop recording events until it is cleared.

circular — Specifies a circular buffer whereby older entries will be overwritten by newer entries.

syslog—Specifies that events are stored offline on a syslog host.

max-entries

Syntax

max-entries max-entries

no shutdown

Context

config>app-assure>group>evt-log

Description

This command configures the number of entries in the buffer.

Default

max-entries 500

Parameters

max-entries—

Specifies the maximum number of entries for the event log.

Values—

1 to 100000

Default—

500

syslog

Syntax

syslog

Context

config>app-assure>group>evt-log

Description

This command enables the context for configuring the target syslog server.

address

Syntax

address ip-address

no address

Context

config>app-assure>group>evt-log>syslog

Description

This command configures the target syslog host IP address.

Default

no address

Parameters

ip-address—

Specifies the IP address of the target syslog host, either IPv4 or IPv6.

severity info

Parameters

syslog-severity—

Specifies the severity level for the syslog message.

Values—

emergency, alert, critical, error, warning, notice, info, debug

vlan-id

Syntax

vlan-id service-port-vlan-id

no vlan-id

Context

config>app-assure>group>evt-log>syslog

Description

This command configures the service port VLAN ID to be used by application assurance to inject the syslog events inband. This VLAN ID needs also to be configured for application assurance interface.

Default

no vlan-id

Parameters

service-port-vlan-id—

Specifies the service port VLAN identifier.

Values—

1 to 4094

app-group

Syntax

app-group app-group-name [rate]

no app-group app-group-name

Context

config>app-assure>group>cflowd>rtp-perf

config>app-assure>group>cflowd>tcp-perf

config>app-assure>group>cflowd>comp

Description

This command configures application groups to export performance records with cflowd.

The no form of this command removes the parameters from the configuration.

Parameters

app-group-name —

Specifies the application group name.

rate —

Specifies which sampling flow rate to use; flow-rate or flow-rate2.

Values—

flow-rate, flow-rate2

Default—

flow-rate

application

Syntax

application application-name [rate]

no application application-name

Context

config>app-assure>group>cflowd>rtp-perf

config>app-assure>group>cflowd>tcp-perf

config>app-assure>group>cflowd>comp

Description

This command configures applications to export performance records with cflowd.

The no form of this command removes the parameters from the configuration.

Parameters

application-name—

Specifies the name defined for the application.

rate—

Specifies which sampling flow rate to use; flow-rate or flow-rate2.

Values—

flow-rate, flow-rate2

Default—

flow-rate

Syntax

flow-rate sample-rate

no flow-rate

Context

config>app-assure>group>cflowd>rtp-perf

config>app-assure>group>cflowd>tcp-perf

config>app-assure>group>cflowd>comp

Description

This command specifies the per-flow sampling rate for the cflowd export of Application Assurance performance statistics.

The no form of this command reverts to the default.

Default

no flow-rate

Parameters

sample-rate—

Specifies the rate at which to sample flows that are eligible for TCP performance measurement.

Values—

1 to 1000

flow-rate2

Syntax

flow-rate2 sample-rate

no flow-rate2

Context

config>app-assure>group>cflowd>rtp-perf

config>app-assure>group>cflowd>tcp-perf

config>app-assure>group>cflowd>comp

Description

This command specifies the per-flow second sampling rate for the cflowd export of Application Assurance performance statistics.

The no form of this command reverts to the default.

Default

no flow-rate2

Parameters

sample-rate —

Specifies the rate at which to sample flows that are eligible for TCP and/or RTP performance measurement.

Values—

1 to 1000

template

Syntax

template

Syntax

[no] dynamic-fields

Context

config>app-assure>group>cflowd>comp>template

config>app-assure>group>cflowd>rtp-perf>audio-template

config>app-assure>group>cflowd>rtp-perf>video-template

config>app-assure>group>cflowd>rtp-perf>voice-template

config>app-assure>group>cflowd>tcp-perf>template

config>app-assure>group>cflowd>volume>template

Description

This command enables the context to configure which fields are included in the exported cflowd template.

The no form of this command removes all configured dynamic fields from the template.

Note:

This command is only supported if the dynamic option is configured in the field-selection command.

field

Syntax

[no] field field-name

Context

config>app-assure>group>cflowd>comp>template>dynamic-fields

config>app-assure>group>cflowd>rtp-perf>audio-template>dynamic-fields

config>app-assure>group>cflowd>rtp-perf>video-template>dynamic-fields

config>app-assure>group>cflowd>rtp-perf>voice-template>dynamic-fields

config>app-assure>group>cflowd>tcp-perf>template>dynamic-fields

config>app-assure>group>cflowd>volume>template>dynamic-fields

Description

This command specifies which fields to include in the exported cflowd template.

The no form of this command removes the specified field from the template.

Note:

Certain fields (for example, source, destination, IP addresses, and ports) may not be allowed in certain templates.

Parameters

field-name—

Specifies the name of the field to include in the exported cflowd template, up to 256 characters.

Values—

Common to all templates	flowStartSeconds, flowDurationMilliseconds, postIpPrecedence, ipTTL, aaProt, aaApp, aaAppGrp, hostName, deviceId, deviceMfgId, deviceOsId, ipFamily, deviceOsVer1, deviceOsVer2, deviceOsVer3, anlType, anlTopology, anlCongestionState, timeZone, aaChargingGrp, flowAttr_video, flowAttr_abr_service, flowAttr_audio, flowAttr_encrypted, flowAttr_download, flowAttr_upload, flowAttr_realtime_communication, aaSubTetheringState
For the volume and comprehensive templates only	tcpSessionEstDelay, tcpRetransmittedBytes, tcpRetransmittedPackets
For the rtp-voice template only	flowStartSeconds, flowDurationMilliseconds, postIpPrecedence, aaProt, aaApp, aaAppGrp, rtpBurstCount, rtpAvgBurstLengthMs, rtpGapCount, rtpAvgGapLengthMs, MAPDV, RBurst, RGap, SSRC
For the rtp-video template only	flowStartSeconds, flowDurationMilliseconds, postIpPrecedence, aaProt, aaApp, aaAppGrp, rtpRefClockRate, MOSAV, VSTQ, estimatedPSNR, GoPType, avgGoPLength, avgInterIFrameGap, imageWidth, imageHeight, frameRate, slicesPerIFrame, SSRC, videoInterlaced, IFrameReceived, IFrameImpaired, PFrameReceived, PFrameImpaired, BFrameReceived, BFrameImpaired, SIFrameReceived, SIFrameImpaired, SPFrameReceived, SPFrameImpaired, frameInterArrivalJitter, IFrameInterArrivalJitter, avgFrameArrivalDelay
For the rtp-audio template only	flowStartSeconds, flowDurationMilliseconds, postIpPrecedence, aaProt, aaApp, aaAppGrp, rtpBurstCount, rtpAvgBurstLengthPkts, rtpGapCount, rtpAvgGapLengthPkts, PPDVM, rtpNumAudioChannels, rtpRefClockRate, rtpPeakAudioBw, SSRC, hostName

field-selection

Syntax

field-selection field-selection

no field-selection

Context

config>app-assure>group>cflowd>comp>template

config>app-assure>group>cflowd>rtp-perf>audio-template

config>app-assure>group>cflowd>rtp-perf>video-template

config>app-assure>group>cflowd>rtp-perf>voice-template

config>app-assure>group>cflowd>tcp-perf>template

config>app-assure>group>cflowd>volume>template

Description

This command configures how fields included in the exported cflowd template are selected.

The no form of this command reverts to the legacy field selection type.

Default

field-selection legacy

Parameters

field-selection—

Specifies how fields are selected.

legacy	Specifies that the fields within the cflowd template are set and fixed and as per SR OS release 17 (or earlier).
dynamic	Specifies that the operator can select which fields are included in the cflowd template.

template-retransmit

Syntax

template-retransmit seconds

no template-retransmit

Context

config>app-assure>group>cflowd

Description

This command configures the period of time, in seconds, for the template to be retransmitted.

Default

template-retransmit 600

Parameters

seconds—

Specifies the time period for the template to be retransmitted.

Values—

10 to 600

Default—

600

tcp-performance

Syntax

tcp-performance

Context

config>app-assure>group>cflowd

Description

This command enables the context to configure Cflowd TCP performance export parameters.

volume

Syntax

volume

Context

config>app-assure>group>cflowd

Description

This command configures the cflowd volume export.

rate

Syntax

rate sample-rate

no rate

Context

config>app-assure>group>cflowd>volume

Description

This command configures the sampling rate of packets for the cflowd export of application assurance volume statistics.

The no form of this command reverts to the default value.

Parameters

sample-rate—

Specifies the rate at which to sample packets for the cflowd export of application assurance volume statistics.

Values—

1 to 10000

tls-extension

Syntax

tls-extension

Context

config>app-assure>group>http-enrich

Description

This command enables the context to configure the TLS extension field name.

subtype

Syntax

[no] subtype tls extension subtype

Context

config>app-assure>group>http-enrich>tls-extension

Description

This command configures a TLS subtype.

The no form of this command removes the TLS subtype from the configuration.

Parameters

tls extension subtype—

Specifies a TLS subtype, up to 32 characters

http-error-redirect

Syntax

http-error-redirect redirect-name [create]

no http-error-redirect redirect-name

Context

config>app-assure>group

Description

This command configures an HTTP error redirect policy. The policy contains important information relevant to the redirect server.

The no form of this command removes the redirect name from the group configuration.

Parameters

redirect-name—

Specifies a string, up to 32 characters, that identifies the HTTP error redirect policy.

create—

Keyword to create the HTTP error redirect policy.

error-code

Syntax

error-code error-code [custom-msg-size custom-msg-size]

no error-code error-code

Context

config>app-assure>group>http-error-redirect

Description

This command refers to which HTTP status codes a redirect action is applied. Only messages with sizes less than that configured here (custom-msg-size) are eligible for redirect action.

The no form of this command removes the parameters from the configuration.

Parameters

error-code—

Specifies the error code for an HTTP error redirect.

Values—

0 to 4294967295, of which 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 451, 500, 501, 502, 503, 504, 505, 506, 507, 508, 509, 510, 511, 730, 731, and 735 are supported for redirect

custom-msg-size—

Specifies the maximum message size above which redirect will not be done.

Values—

0 to 4294967295

http-host

Syntax

http-host http-host

no http-host

Context

config>app-assure>group>http-error-redirect

Description

This command refers to the http host name of the landing server (Barefruit or Xerocole). It is used in the HTTP GET operation from the client (which is being redirected) to the redirect search landing server. It must contain a valid IP address or HTTP host name / URI for the HTTP GET from the client to the landing server to work.

The no form of this command removes the HTTP host string from the configuration.

Default

no http-host

Parameters

http-host—

Specifies a string of 255 chars max length, that refers to the HTTP host name of the landing server (barefruit or xerocole).

participant-id

Syntax

participant-id participant-id

no participant-id

Context

config>app-assure>group>http-error-redirect

Description

This command specifies a 32-character string assigned to the operator by Barefruit. It is used by barefruit landing servers (applies to template # 1 only).

Default

no participant-id

Parameters

participant-id—

Specifies the 32-character string supplied by Barefruit.

template

Syntax

template template-id

no template

Context

config>app-assure>group

config>app-assure>group>http-error-redirect

Description

This command refers to the template of parameters passed from the AA-ISA to the redirect server via JavaScript in the redirect packet. The template is specific to the redirect server being used in the network.

Currently, two partners are used and tested with AA-ISA redirect solution, Barefruit and Xerocole.

The no form of this command reverts to the default.

Parameters

template-id—

Specifies an HTTP error redirect template.

1 = Barefruit specific template

2 = xerocole.specific template.

Values—

0 to 4294967295

http-match-all-requests

Syntax

[no] http-match-all-requests

Context

config>app-assure>group

config>app-assure>group>policy>app-filter>entry

Description

This command enables HTTP matching for all requests for a given HTTP expression.

The no form of this command restores the default (removes http-match-all-request for this particular expression) by this app-filter entry.

Default

no http-match-all-requests

http-notification

Syntax

http-notification http-notification-name [create]

no http-notification http-notification-name

Context

config>app-assure>group

Description

This command configures an http-notification object for subscriber in browser notification.

The no form of this command removes the http notification policy from the configuration.

Parameters

http-notification-name—

Specifies the name of the HTTP Notification policy.

create—

Specifies the mandatory keyword to create the policy.

interval

Syntax

interval {one-time | minimum-interval}

Context

config>app-assure>group>http-notif

Description

This command configures the minimum interval in between notification messages. It can be set to one-time or a value in minutes from 1 to 1440.

The no form of this command removes the interval from the http-notification policy.

Default

interval one-time

Parameters

minimum-interval—

Represents the minimum interval value in minutes in between two http notifications.

Values—

1 to 1440

script-url

Syntax

script-url script-url-name

no script-url

Context

config>app-assure>group>http-notif

Description

This command configures the URL of the script used by the http notification policy.

The no form of this command removes the script URL from the http-notification policy.

Default

no script-url

Parameters

script-url-name—

Specifies the string representing the URL of the script used in the http notification policy, up to 255 characters.

create—

Keyword to create the script URL.

template

Syntax

template value

no template

Context

config>app-assure>group>http-notif

Description

This command configures the template which defines the format and parameters included in the http notification message.

The no form of this command removes the template from the configuration.

Default

no template

Parameters

value—

Specifies the template id of this HTTP Notification.

Values—

1 — Javascript-url with SubID and optional Http-Url-Param

2 — Javascript-url and optional Http-Url-Param

http-redirect

Syntax

http-redirect redirect-name [create]

no http-redirect redirect-name

Context

config>app-assure>group

Description

This command configures an HTTP redirect.

The no form of this command removes the HTTP redirect policy from the configuration.

Parameters

redirect-name—

Specifies the HTTP redirect that will be applied. If no redirect name is specified, then HTTP redirect is not enabled.

create—

Keyword to create the HTTP redirect policy.

captive-redirect

Syntax

captive-redirect

Context

config>app-assure>group>http-redirect

Description

This command configures the captive redirect capability for an HTTP redirect policy. HTTP redirect policies using captive redirect can be used in conjunction with a session filter policy and will terminate TCP flows in the ISA-AA card before reaching the Internet to redirect subscribers to the predefined redirect URL. Non-HTTP TCP flows are TCP reset. Captive redirect uses the provisioned VLAN id to send the HTTP response to subscribers; therefore this VLAN id must be properly assigned in the same VPN as the subscriber. The operator can select the URL arguments to include in the redirect URL using either a specific template id or by configuring the redirect URL using one of the supported macro substitution keywords.

vlan-id

Syntax

vlan-id service-port-vlan-id

no vlan-id

Context

config>app-assure>group>http-redirect>captive-redirect

Description

This command configures the VLAN ID for captive redirect. Captive redirect uses the provisioned VLAN ID to send the HTTP response to subscribers; therefore this VLAN ID must be properly assigned in the same VPN as the subscriber.

Parameters

service-port-vlan-id —

Specifies the VLAN ID.

Values—

1 to 4094

redirect-https

Syntax

redirect-https

no redirect-https

Context

config>app-assure>group>http-redirect

Description

This command configures the http-redirect policy to redirect HTTPS sessions to the configured redirect-url.

The no form of this command removes the redirect-https.

redirect-url

Syntax

redirect-url redirect-url

no redirect-hurl

Context

config>app-assure>group>http-redirect

Description

This command configures the http redirect URL which is the URL (page) that the user is redirected to when an HTTP redirect takes effect.

The operator can select the URL arguments to include in the redirect-url using either a specific template-id or by configuring the redirect-url using any of the supported macro substitution keywords. Only ESM and ESM-MAC sub types support $MAC, $SAP, $CID, and $RID macro substitution.

The no form of this command removes the redirect-url field from the configuration.

Parameters

redirect-url—

Specifies the URL of the landing page

Values—

macro substitutions:

$CATID	The category ID.
$CATNAME	The category name of the URL.
$URL	The Request-URI in the HTTP GET Request received.
$SUB	A string that represents the subscriber ID.
$IP	A string that represents the IP address of the subscriber host.
$RTRID	A string that represents the router ID.
$URLPRM	The HTTP URL parameter associated with the subscriber.
$MAC	A string that represents the MAC address of the subscriber host.
$SAP	A string that represents a SAP ID.
$CID	A string that represents the circuit-id or interface-id of the subscriber host (hexadecimal format).
$RID	A string that represents the remote-id of the subscriber host (hexadecimal format).

tcp-client-reset

Syntax

[no] tcp-client-reset

Context

config>app-assure>group>http-redirect

Description

This command enables an HTTP-redirect policy to initiate a TCP reset towards the client if the AA policy results in a redirect with packet drop but the http redirect cannot be delivered. Scenarios for this include HTTPs (TLS) sessions, blocking of non-HTTP TCP traffic, and blocking of existing flows after a policy re-evaluate of an existing subscriber.

The no form of this command disables the command.

template

Syntax

template template-id

no template

Context

config>app-assure>group>http-redirect

Description

This command configures the template that defines which parameters are appended to the HTTP host redirect field in the redirect message.

The HTTP redirect template provides HTTP 302 redirect containing only the URL specified in the redirect policy, with no other parameters.

The no form of this command removes the template from the configuration.

Default

no template

Parameters

template-id —

Specifies the HTTP Policy Redirect template.

Values—

1 — Javascript based redirect embedded in HTTP 200 OK response with a predefine.d number of arguments automatically appended to the redirect URL

2 — HTTP 302 Redirect with a predefined number of arguments automatically appended to the redirect URL.

3 — HTTP 302 Redirect with no parameters appended to the URL (empty).

4 — Empty Redirect format using Javascript.

5 — Redirect supporting macro substitution using HTTP 302.

6 — Redirect supporting macro substitution using Javascript.

http-x-online-host

Syntax

[no] http-x-online-host

Context

config>app-assure>group

Description

This command specifies whether X-Online-Host header field is used as a replacement for the HTTP Host header field.

The no form of this command disables the use of X-Online-Host header field used as a replacement.

Default

no http-x-online-host

ip-prefix-list

Syntax

ip-prefix-list ip-prefix-list-name [create]

no ip-prefix-list ip-prefix-list-name

Context

config>app-assure>group

Description

This command configures an IP prefix list.

Parameters

ip-prefix-list-name—

Specifies the name of the IP prefix list, up to 32 characters.

create—

Mandatory keyword used when creating an application profile. The create keyword requirement can be enabled or disabled in the environment>create context.

prefix

Syntax

prefix ip-prefix/ip-prefix-length [name prefix-name]

no prefix ip-prefix/ip-prefix-length

Context

config>app-assure>group>ip-prefix-list

Description

This command configures an IP prefix within the list.

The no form of this command removes the IP prefix from the configuration.

Parameters

ip-prefix/ip-prefix-length—

The IP address in dotted decimal notation.

Values—

ipv4-prefix	a.b.c.d (host bits must be 0)
ipv4-prefix-length	0 to 32
ipv6-prefix	x:x:x:x:x:x:x:x (eight 16-bit pieces)
	x:x:x:x:x:x:d.d.d.d
	x:	[0 to FFFF]H
	d:	[0 to 255]D
prefix-name	32 characters max

http-enrich

Syntax

http-enrich http-enrich_name [create]

no http-enrich http-enrich_name

Context

config>app-assure>group

Description

This command configures an HTTP enrichment policy.

The no form of this command removes the http enrichment policy from the configuration.

Parameters

http-enrich-name—

Specifies the name of the http enrichment policy up to 32 characters.

create—

Mandatory keyword used when creating an application profile. The create keyword requirement can be enabled and disabled in the environment>create context.

field

Syntax

[no] field field-name

Context

config>app-assure>group>http-enrich

Description

This command configures what fields to be inserted into the HTTP header. The command is repeated for each field to be inserted. The same field cannot be inserted twice into the header under different header names.

The no form of this command removes the specified parameter so that it is not inserted into the http header.

Parameters

field-name—

Specifies which parameters to inserted into the header.

Values—

subscriber-ip, static-string

Where:

subscriber-ip: header name for the subscriber IP

static-string: header name for inserted string

subscriber-id: header name for subscriber ID

none

anti-spoof

Syntax

[no] anti-spoof

Context

config>app-assure>group>http-enrich>field

Description

This command configures the HTTP header enrichment anti-spoofing functionality.

The no form of this command disables anti-spoofing functionality.

Default

no anti-spoof

encode

Syntax

encode type type key key

encode type type key hash-key hash

encode type type key hash2-key hash2

encode type type key custom-key custom

encode type type cert-profile cert-profile-name

no encode

Context

config>app-assure>group>http-enrich>field

Description

This command configures an HTTP header enrichment template field static string.

The no form of this command removes the template field static string.

Default

no encode

Parameters

type—

Specifies whether the parameters are hashed with MD5 or encrypted with RC4 using the configured key, or if certificate-based encryption is used with RSA.

Values—

md5, rc4, certificate

key—

Specifies the key string, 64 characters maximum.

hash-key—

Specifies the first hashed key.

hash-key2—

Specifies the second hashed key.

hash—

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2—

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom—

Specifies the custom encryption to management interface.

cert-profile-name—

Specifies the name of the certificate profile to be used. This profile must have already been created using the certificate-profile command.

name

Syntax

name header-name

Context

config>app-assure>group>http-enrich>field

Description

This command configures an HTTP enrichment template field header name.

The no form of this command removes the http enrichment template field header name from the configuration.

Parameters

header-name—

Specifies the name of the http enrichment policy. It is inserted before the actual field name (e.g. x-subId = subscriberID).

static-string

Syntax

static-string static-string

no static-string

Context

config>app-assure>group>http-enrich>field

Description

This command configures an HTTP header enrichment template field static string.

The no form of this command removes the template field static string.

Default

no static-string

Parameters

static-string—

Specifies a static string.

3.4.2.4. Group Commands

3.4.2.4.1. Transit Subscriber Commands

transit-ip-policy

Syntax

transit-ip-policy ip-policy-id [create]

no transit-ip-policy ip-policy-id

Context

config>app-assure>group

Description

This command defines a transit AA subscriber IP policy. Transit AA subscribers are managed by the system through the use of this policy assigned to services, which determines how transit subs are created and removed for that service.

The no form of this command deletes the policy from the configuration. All associations must be removed in order to delete a policy.

Parameters

ip-policy-id —

An integer that identifies a transit IP profile entry.

Values—

1 to 65535

create —

Keyword used to create the entry.

3.4.2.4.2. Policer Commands

policer

Syntax

policer policer-name type type granularity granularity [create]

policer policer-name

no policer policer-name

Context

config>app-assure>group

Description

This command creates application assurance policer profile of a specified type. Policers can be bandwidth or flow limiting and can have a system scope (limits traffic entering AA ISA for all or a subset of AA subscribers), subscriber scope or granularity (limits apply to each AA subscriber traffic).

The policer type and granularity can only be configured during creation. They cannot be modified. The policer profile must be removed from all AQPs in order to be removed. Changes to policer profile parameters take effect immediately for policers instantiated as result of AQP actions using this profile.

The no form of this command deletes the specified policer from the configuration.

Parameters

policer-name —

Specifies a string of up to 32 characters that identifies the policer.

type—

Specifies the policer type.

Values—

single-bucket-bandwidth — Creates a profile for a single bucket (PIR) bandwidth limiting policer.

dual-bucket-bandwidth — Creates profile for a dual bucket (PIR, CIR) bandwidth limiting policer.

flow-rate-limit — Creates profile for a policer limiting rate of flow set-ups.

flow-count-limit — Creates profile for a policer limiting total flow count.

granularity—

Specifies the granularity type.

Values—

system — Creates a system policer profile for a policer that limits the traffic in the scope of all or a subset of AA subscribers on a given AA ISA.

subscriber — Creates a policer profile for a policer for each AA subscriber that limits the traffic in the scope of that subscriber.

access-network-location — Creates a policer profile for a policer instance for each ANL that limits traffic bandwidth in the scope of that ANL. For ANL, only single-bucket bandwidth policers can be configured.

create—

Keyword used to create the policer name and parameters.

action

Syntax

action {priority-mark | permit-deny}

Context

config>app-assure>group>policer

Description

This command configures the action to be performed by single-bucket bandwidth policers for non-conformant traffic.

Dual bucket bandwidth policers cannot have their action configured and always mark traffic below CIR in profile, between CIR and PIR out of profile, and drop traffic above PIR. Flow policers always discard non-conformant traffic.

When multiple application assurance policers are configured against a single flow (including policers at both subscriber and system), the final action done to the flow/packet will be a logical OR of all policers actions. For example, if only of the policers requires the packet to be discarded, the packet will be dropped regardless of the action of the other policers.

Default

action permit-deny

Parameters

priority-mark —

Non-conformant traffic will be marked out of profile and the conformant traffic will be marked in profile. The new marking will overwrite any previous IOM QoS marking done to a packet.

permit-deny —

Non-conformant traffic will be dropped.

adaptation-rule

Syntax

adaptation-rule pir adaptation rule [cir {adaptation rule}]

no adaptation-rule

Context

config>app-assure>group>policer

Description

This command defines the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined option. To change the CIR adaptation rule only, the current PIR rule must be part of the command executed.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for rate and cir apply.

Default

adaptation-rule pir closest cir closest

Parameters

max—

The operational PIR or CIR for the queue will be equal to or less than the administrative rate specified using the rate command.

min —

The operational PIR or CIR for the queue will be equal to or greater than the administrative rate specified using the rate command.

closest —

The operational PIR or CIR for the queue will be the rate closest to the rate specified using the rate command.

congestion-override

Syntax

congestion-override

Context

config>app-assure>group>policer

Description

This command enables the context to configure per subscriber congestion bandwidth policer override rates.

cbs

Syntax

cbs committed-burst-size

cbs congested-cbs

no cbs

Context

config>app-assure>group>policer

config>app-assure>group>policer>congestion-override

config>app-assure>group>tod-override

Description

This command provides a mechanism to configure the committed burst size for the policer. It is recommended that CBS is configured larger than twice the maximum MTU for the traffic handled by the policer to allow for some burstiness of the traffic. CBS is configurable for dual-bucket bandwidth policers only.

The no form of this command resets the CBS value to its default.

Default

no cbs

Parameters

committed-burst-size | congested-cbs—

Specifies an integer value defining size, in kbytes, for the CBS of the policer.

Values—

0 to 131071

cir

Syntax

cir congested-cir

no cir

Context

config>app-assure>group>policer>congestion-override

Description

This command provides a mechanism to configure the CIR for the congestion override policer. It is recommended that the CIR is configured larger than twice the maximum MTU for the traffic handled by the policer to allow for some burstiness of the traffic. The CIR is configurable for dual-bucket bandwidth policers only.

The no form of this command resets the CIR value to its default.

Default

cir 0

Parameters

congested-cir —

Specifies an integer value defining size, in kilobytes, for the CIR of thepolicer.

Values—

0 to 100000000

pir

Syntax

pir congested-pir

no pir

Context

config>app-assure>group>policer>congestion-override

Description

This command provides a mechanism to configure the PIR for the congestion override policer. It is recommended that the PIR is configured larger than twice the maximum MTU for the traffic handled by the policer to allow for some burstiness of the traffic.

The no form of this command resets the PIR value to its default.

Default

pir 0

Parameters

congested-pir —

Specifies an integer value defining size, in kbytes, for the PIR of thepolicer.

Values—

0 to 100000000

flow-count

Syntax

flow-count flow-count

no flow-count

Context

config>app-assure>group>policer

config>app-assure>group>tod-override

Description

This command configures the flow count for the flow-count-limit policer. It is recommended to configure flow count subscriber-level policer for AA subscribers to ensure fair usage of flow resources between AA subscribers.

Default

no flow-count

Parameters

flow-count—

Specifies the flow count for the flow-count-limit policer.

Values—

0 to 100000000, max

gtp-traffic

Syntax

[no] gtp-traffic

Context

config>app-assure>group>policer

Description

This command provides a mechanism to configure a policer to function at the GTP tunnel level. GTP tunnels are defined by a TEID and destination IP address as oppose to normal flows that are defined by IP 5 tuple values. By setting this value, the policer then can be used to limit GTP traffic (SeGW GTP firewall application).

The no form of this command resets policer behavior to act at the normal 5 tuple flow level and not at the GTP tunnel level.

Default

no gtp-traffic

mbs

Syntax

mbs congested-mbs

mbs maximum-burst-size

no mbs

Context

config>app-assure>group>policer

config>app-assure>group>policer>congestion-override

config>app-assure>group>tod-override

Description

This command provides a mechanism to configure the maximum burst size for the policer. It is recommended that MBS is configured larger than twice the MTU for the traffic handled by the policer to allow for some burstiness of the traffic. MBS is configurable for single-bucket, dual-bucket bandwidth and flow setup rate policers only.

The no form of this command resets the MBS value to its default.

Default

no mbs

Parameters

maximum-burst-size | congested-mbs—

Specifies an integer value defining either size, in kbytes, for the MBS of the bandwidth policer, or flow count for the MBS of the flow setup rate policers.

Values—

0 to 131071

rate

Syntax

rate pir-rate [cir cir-rate]

no rate

Context

config>app-assure>group>policer

config>app-assure>group>tod-override

Description

This command configures the administrative PIR and CIR for bandwidth policers and flow setup rate limits for flow policers. The actual rate sustained by the flow can be limited by other policers that may be applied to that flow’s traffic. This command does not apply to flow-count-limit policers.

The cir option is applicable only to dual-bucket bandwidth policers. It is recommended to configure flow setup rate subscriber-level policer for AA subscribers to ensure fair usage of flow resources between AA subscribers.

The no form of this command resets the values to defaults.

Default

rate max cir 0

Parameters

pir-rate—

Specifies an integer for the PIR rate in kb/s for bandwidth policers.

Values—

1 to 100000000, max or flows/sec

cir-rate —

Specifies an integer for the CIR rate in kb/s.

Values—

0 to 100000000, max

rate-percentage

Syntax

rate-percentage rate-percentage

no rate-percentage

Context

config>app-assure>group>policer

Description

This command indirectly configures the rate used by Access-Network-Location (ANL) policers. Because ANL total bandwidth is dynamically measured and estimated by AA, this command allows the operator to configure the ratio of that measured bandwidth to be used by the ANL policer as the policer rate.

The no form of this command resets the values to defaults.

Default

no rate-percentage

Parameters

rate-percentage—

Specifies an integer value that specifies a percentage that is applied against the ANL estimate maximum bandwidth to produce the actual rate that is used by the policer when ANL congestion occurs.

Values—

0 to 200 (0: means drop all traffic)

Default—

tod-override

Syntax

tod-override tod-override-id [create]

no tod-override tod-override-id

Context

config>app-assure>group>policer

Description

This commands creates a time of day override policy for a given policer. Up to 8 overrides can be configured per policer. Rate/mbs/cbs/flow-rate/flow-count configured in each override-id will override the default policer values at the specified time of day configured in the override.

Parameters

tod-override-id —

Specifies the time of day override ID.

Values—

1 to 255

create—

Keyword used to create the time of day override policy.

time-range

Syntax

time-range daily start start-time end end-time [on day [day]]

time-range weekly start start-time end end-time

no time-range

Context

config>app-assure>group>tod-override

Description

This command configures up to seven time-ranges applicable to a particular override-id. The time-range can be configured as daily or weekly policies.

When using a daily override the operator can select which days during the week from Sunday to Saturday it is applicable along with the start/end hour/min time range repeated over these days.

When using a weekly override the operator can select between which days in the week the policy start up to the hours/min for both start day and end day.

Default

no time-range

Parameters

daily —

Schedule the override as a daily occurrence.

weekly —

Schedule the override as a weekly occurrence.

Values—

start-time	daily	<hh>:<mm>
	weekly	<day>,<hh>:<mm>
		<hh> : 0..23
		<mm> : 0 \| 15 \| 30 \| 45
end-time	daily	<hh>:<mm>
	weekly	<day>,<hh>:<mm>
		<hh> 0..23
		<mm> 0 \| 15 \| 30 \| 45
day	sunday \| monday \| tuesday \| wednesday \| thursday \| friday \| saturday

This command begins a policy editing session.

The editing session continues until one of the following conditions takes place:

Abort or commit is issued.
Control complex resets.

The editing session is not interrupted by:

HA activity switch.
CLI session termination (for example, as result of closing a Telnet session).

commit

Syntax

commit

Context

config>app-assure>group>policy

Description

This command commits changes made during the current editing session. None of the policy changes done will take effect until commit command is issued. If the changes can be successfully committed, no errors detected during the commit during cross-reference verification against exiting application assurance configuration, the editing session will also be closed.

The newly committed policy takes effect immediately for all new flows, existing flows will transition onto the new policy shortly after the commit.

app-group

Syntax

app-group application-group-name [create]

no app-group application-group-name

Context

config>app-assure>group>policy

Description

This command creates an application group for an application assurance policy.

The no form of this command deletes the application group from the configuration. All associations must be removed in order to delete a group.

Default

no app-group

Parameters

application-group-name —

A string of up to 32 characters uniquely identifying this application group in the system.

create—

Mandatory keyword used when creating an application group. The create keyword requirement can be enabled/disabled in the environment>create context.

charging-group

Syntax

charging-group charging-group-name

no charging-group

Context

config>app-assure>group>policy>app-group

config>app-assure>group>policy>application

Description

This command associates an application or app-group to an application assurance charging group.

The no form of this command deletes the charging group association.

Default

no charging-group

Parameters

charging-group-name—

Specifies a string of up to 32 characters uniquely identifying an existing charging group in the system.

charging-group

Syntax

charging-group {eq | neq} charging-group-name

no charging-group

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command associates an application or app-group to an application assurance charging group.

The no form of this command deletes the charging group association.

Default

no charging-group

Parameters

charging-group-name—

Specifies a string of up to 32 characters uniquely identifying an existing charging group in the system.

charging-group

Syntax

charging-group charging-group-name [create]

no charging-group charging-group-name

Context

config>app-assure>group>policy

Description

This command creates a charging group for an application assurance policy.

The no form of this command deletes the charging group from the configuration. All associations must be removed to delete a group.

Default

no charging-group

Parameters

charging-group-name—

Specifies a string of up to 32 characters uniquely identifying an existing charging group in the system.

create—

Mandatory keyword used when creating an charging group. The create keyword requirement can be enabled or disabled in the environment>create context.

export-id

Syntax

export-id export-id

no export-id

Context

config>app-assure>group>policy>application

config>app-assure>group>policy>application>charging-group

config>app-assure>group>policy>app-group

Description

This command assigns an export-id value to a charging group app-group or application to be used for accounting export identification in RADIUS accounting. This ID is encoded in the top 2 bytes of the RADIUS accounting VSA to identify which charging group the counter value represents.

If no export-id is assigned, that counter cannot be added to the aa-sub stats RADIUS export-type. Once a charging group index is referenced, it cannot be deleted without removing the reference.

The no form of this command removes the export-id from the configuration.

Default

no export-id

Parameters

export-id—

config>app-assure>group>policy

Description

This command enables the context to configure application service option characteristics.

default-charging-group

Syntax

default-charging-group charging-group-name

no default-charging-group

Context

The no form of this command deletes the application. To delete an application, all associations to the application must be removed.

Parameters

application-name—

Specifies a string of up to 32 characters uniquely identifying this application in the system.

create—

Mandatory keyword used when creating an application. The create keyword requirement can be enabled/disabled in the environment>create context.

policy-override

Syntax

policy-override

Context

config>app-assure>group

Description

This command enables the context to configure policy override parameters.

policy

Syntax

policy aa-sub {sap sap-id | spoke-sdp sdp-id:vc-id | transit transit-aasub-name} [create]

no policy aa-sub {sap sap-id | spoke-sdp sdp-id:vc-id | transit transit-aasub-name}

Context

config>app-assure>group>policy-override

Description

This command specifies a given SAP or SDP to be used for a static policy override.

The no form of this command removes the policy override.

Parameters

sap-id—

Specifies the physical port identifier portion of the SAP definition.

sdp-id:vc-id—

Specifies the spoke SDP ID and VC ID.

Values—

1 to 32767

1 to 4294967295

transit-aasub-name—

Specifies an existing transit subscriber name, up to 32 characters.

create—

Keyword used to create the policy override.

characteristic

Syntax

characteristic characteristic-name value value-name

no characteristic characteristic-name

Context

config>app-assure>group>policy-override>policy

Description

This command configure an override characteristic and value.

Parameters

characteristic-name—

Specifies the characteristic name, up to 32 characters.

value-name—

Specifies the override characteristic value for the application profile characteristic used by the Application assurance subscriber.

port-list

Syntax

port-list port-list-name [create]

no port-list port-list-name

Context

config>app-assure>group

Description

This command defines an AA group or partition named port-list, which contains a list of port numbers or port ranges. The port list is then referenced in AA policy app-filters, allowing increased flexibility in the use of server ports or HTTP proxy ports for application definition.

The no form of this command removes the list.

Parameters

port-list-name—

Specifies the name of the port list.

Default—

default

port

Syntax

[no] port port-number

[no] port range start-port-num end-port-num

Context

config>app-assure>group>port-list

Description

This command specifies the server TCP or UDP port number to use in the port list definition.

The no form of this command restores the default by removing port number from the port list.

Default

no port

Parameters

port-number—

Specifies the port number.

Values—

0 to 65535

start-port-number—

Specifies the start port number.

Values—

0 to 65535

end-port-number—

Specifies the end port number.

Values—

0 to 65535

app-group

Syntax

app-group app-group-name

Context

config>app-assure>group>policy>application

Description

This command associates an application with an application group of an application assurance policy.

Parameters

app-group-name —

A string of up to 32 characters uniquely identifying an existing application in the system.

3.4.2.4.3.1. Application Filter Commands

entry

Syntax

entry entry-id [create]

no entry entry-id

Context

config>app-assure>group>policy>app-filter

Description

This command creates an application filter entry.

App filter entries are an ordered list, the lowest numerical entry that matches the flow defines the application for that flow.

An application filter entry or entries configures match attributes of an application.

The no form of this command deletes the specified application filter entry.

Parameters

entry-id —

Specifies an integer that identifies an app-filter entry.

Values—

1 to 65535

create—

Keyword used to create the entry.

application

Syntax

application application-name

Context

config>app-assure>group>policy>application

config>app-assure>group>policy>app-filter>entry

Description

This command assigns this application filter entry to an existing application. Assigning the entry to Unknown application restores the default configuration.

Parameters

application-name —

Specifies an existing application name.

expression

Syntax

expression expr-index expr-type {eq | neq} expr-string

no expression expr-index

Context

config>app-assure>group>policy>app-filter>entry

Description

This command configures string values to use in the application definition.

Parameters

expr-index—

Specifies an index value which represents expression substrings.

Values—

1 to 4

expr-type—

Represents a type (and thereby the expression substring).

http-host — Matches the string against the HTTP Host field or TLS Server Name Indicator (SNI).

http-uri — Matches the string against the HTTP URI field.

http-referer — Matches the string against the HTTP Referer field.

http-user-agent — Matches the string against the HTTP User Agent field.

sip-ua — Matches the string against the SIP UA field.

sip-uri — Matches the string against the SIP URI field.

sip-mt — Matches the string against the SIP MT field.

citrix-app — Matches the string against the Citrix app field.

h323-product-id — Matches the string against the h323-product-id field.

tls-cert-subj-org-name — Matches the TLS Certificate Subject Organization Name substring.

tls-cert-subj-common-name — Matches the TLS Certificate Subject Common Name substring.

rtsp-host — Matches the Real Time Streaming Protocol (RTSP) substring host.

rtsp-uri — Matches the RTSP URI substring.

rtsp-ua — Matches the RTSP UA substring.

rtmp-page-host — Matches against the RTMP Page Host Field

rtmp-page-uri — Matches against the RTMP Page URI Field

rtmp-swf-host — Matches against the RTMP Swf Host Field

rtmp-swf-uri — Matches against the RTMP Swf URI Field

eq—

Specifies the equal to comparison operator to match the specified HTTP string.

neq—

Specifies the not equal to comparison operator to match the specified HTTP string.

expr-string—

Specifies an expression string, up to 64 characters, used to define a pattern match. Denotes a printable ASCII substring used as input to an application assurance filter match criteria object.

The following syntax is permitted within the substring to define the pattern match criteria:

^<substring>* - matches when <substring> is at the beginning of the object.

*<substring>* - matches when <substring> is at any place within the object.

*<substring>$ - matches when <substring> is at the end of the object.

^<substring>$ - matches when <substring> is the entire object.

* - matches zero to many of any character. A single wildcard as infix in the expression is allowed.

\. - matches any single character

\d - matches any single decimal digit [0-9]

\I - forces case sensitivity (by default, the expression match are case insensitive), the \I can be specified anywhere between

the leading [^*] and trailing [$*]

\* - matches the asterisk character

Rules for <substring> characters:

<substring> must contain printable ASCII characters.

<substring> must not contain the “double quote” character or the “ ” (space) character on its own.

<substring> match is case in sensitive by default.

<substring> must not include any regular expression meta-characters other than "*", "\I", "\.", "\*" and "\d".

The “\” (slash) character is used as an ESCAPE sequence. The following ESCAPE sequences are permitted within the <substring>:

Character to match <substring> input

Hexadecimal Octet YY \xYY

A <substring> that uses the '\' (backslash) ESCAPE character which is not followed by a “\” or “\x” and a 2-digit hex octet is not valid.

Operational notes:

When matching a TCP flow against HTTP-string based applications, the HTTP header fields are collected from the first HTTP request (for example a GET or a POST) for a given TCP flow. The collected strings are then evaluated against each HTTP flow created within the given TCP flow to determine whether a given HTTP flow matches the application. By not specifying a protocol, the HTTP expressions are matched against all protocols in the HTTP family. By specifying a specific HTTP protocol (for example, http_video) the expression match can be constrained to a subset of the HTTP protocols.
To uniquely identify a SIP-based application a protocol match is not required in the app-filter entry with the SIP expression. The SIP expression match is performed against any protocol in the SIP family (such as sip and rtp_sip). By specifying a specific SIP protocol (like rtp_sip) the expression match can be constrained to a subset of the SIP protocols.

flow-setup-direction

Syntax

flow-setup-direction {subscriber-to-network | network-to-subscriber | both}

Context

config>app-assure>group>policy>app-filter>entry

Description

This command configures the direction of flow setup to which the application filter entry is to be applied.

Default

flow-setup-direction both

Parameters

subscriber-to-network—

Specifies that the app-filter entry will be applied to flows initiated by a local subscriber.

network-to-subscriber —

Specifies that the app-filter entry will be applied to flows initiated from a remote destination towards a local subscriber.

both —

Specifies that the app filter entry will be applied for subscriber-to-network and network-to-subscriber traffic.

http-port

Syntax

http-port {eq | neq} port-num

http-port {eq | neq} port-list port-list-name

no http-port

Context

config>app-assure>group>policy>app-filter>entry

Description

This command specifies an HTTP server TCP or UDP port number or port list to use in the application definition.

The no form of this command restores the default by removing the HTTP port or port list from the application criteria defined by this app-filter entry.

Default

no http-port

Parameters

eq —

Specifies that the value configured and the value in the flow are equal.

neq —

Specifies that the value configured differs from the value in the flow.

port-list-name—

Specifies the name of the port list containing a set or range of ports, up to 32 characters.

port-num —

Specifies a valid server port number.

Values—

0 to 65535

ip-protocol-num

Syntax

ip-protocol-num {eq | neq} protocol-id

no ip-protocol-num

Context

config>app-assure>group>policy>app-filter>entry

config>app-assure>group>policy>aqp>entry>match

Description

This command configures the IP protocol to use in the application definition.

The no form of this command restores the default (removes IP protocol number from application criteria defined by this app-filter entry).

Default

no ip-protocol-num

Parameters

eq—

Specifies that the value configured and the value in the flow must be equal.

neq —

Specifies that the value configured differs from the value in the flow.

protocol-id —

Specifies the decimal value representing the IP protocol to be used as an IP filter match criterion. Well known protocol numbers include ICMP (1), TCP (6), UDP (17).

The no form the command removes the protocol from the match criteria.

Values—

1 to 255 (Decimal, Hexadecimal, or Binary representation).

Supported IANA IP protocol names:

none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, sctp, stp, tcp, udp, vrrp

* - udp/tcp wildcard

network-address

Syntax

network-address {eq | neq} ip-address

network-address {eq | neq} ip-prefix-list ip-prefix-list-name

no network-address

Context

config>app-assure>group>policy>app-filter>entry

Description

This command configures the network address to use in application definition. The network address will match the destination IP address in a from-sub flow or the source IP address in a to-sub flow.

The no form of this command restores the default (removes the network address from application criteria defined by this entry).

Default

no network-address

Parameters

eq —

Specifies a comparison operator indicating that the value configured and the value in the flow are equal.

neq —

Specifies a comparison operator indicating that the value configured differs from the value in the flow.

ip-address—

Specifies a valid unicast address.

Values—

ipv4-address	a.b.c.d[/mask]
	mask - [1..32]
ipv6-address	x:x:x:x:x:x:x:x/prefix-length
	x:x:x:x:x:x:d.d.d.d
	x - [0..FFFF]H
	d - [0..255]D
	prefix-length [1..128]

ip-prefix-list-name—

Specifies the name of an IP prefix list, up to 32 characters.

protocol

Syntax

protocol {eq | neq} protocol-name

no protocol

Context

config>app-assure>group>policy>app-filter>entry

Description

This command configures protocol signature in the application definition.

The no form of this command restores the default (removes protocol from match application defined by this app-filter entry).

Default

no protocol

Parameters

eq—

Specifies that the value configured and the value in the flow are equal.

neq —

Specifies that the value configured differs from the value in the flow.

protocol-name —

A string of up to 32 characters identifying a predefined protocol.

server-address

Syntax

server-address {eq | neq} ip-address

server-address {eq | neq} dns-ip-cache dns-ip-cache-name

server-address {eq | neq} ip-prefix-list ip-prefix-list-name

no server-address

Context

config>app-assure>group>policy>app-filter>entry

Description

This command configures the server address to use in application definition. The server IP address may be the source or destination, network or subscriber IP address.

The no form of this command restores the default (removes the server address from application criteria defined by this entry).

Default

no server-address

Parameters

eq —

Specifies a comparison operator that the value configured and the value in the flow are equal.

neq —

Specifies a comparison operator that the value configured differs from the value in the flow.

ip-address—

Specifies a valid unicast address.

Values—

ipv4-address	a.b.c.d[/mask]
	mask - [1..32]
ipv6-address	x:x:x:x:x:x:x:x/prefix-length
	x:x:x:x:x:x:d.d.d.d
	x - [0..FFFF]H
	d - [0..255]D
	prefix-length [1..128]

dns-ip-cache-name—

Specifies a DNS IP cache name, up to 32 characters.

ip-prefix-list-name—

Specifies the name of an IP prefix list, up to 32 characters.

server-port

Syntax

server-port {eq | neq | gt | lt} port-num

server-port {eq | neq} range start-port-num end-port-num

server-port {eq} {port-num | range start-port-num end-port-num} {first-packet-trusted | first-packet-validate}

server-port {eq | neq} port-list port-list-name

server-port {eq} port-list port-list-name {first-packet-trusted | first-packet-validate}

no server-port

Context

config>app-assure>group>policy>app-filter>entry

Description

This command specifies the server TCP or UDP port number to use in the application definition.

The no form of this command restores the default (removes server port number from application criteria defined by this app-filter entry).

Default

no server-port (the server port is not used in the application definition)

Parameters

eq —

Specifies that the value configured and the value in the flow are equal.

neq —

Specifies that the value configured differs from the value in the flow.

gt—

Specifies all port numbers greater than server-port-number match.

lt —

Specifies all port numbers less than server-port-number match.

port-list-name—

Specifies a named port list containing a set or range of ports.

port-num —

Specifies a valid server port number.

Values—

0 to 65535

start-port-num, end-port-num—

Specifies the starting or ending port number.

Values—

0 to 65535

Server Port Options:—

No option specified: TCP/UDP port applications with full signature verification:
1. AA ensures that other applications that can be identified do not run over a well-known port.
2. Application-aware policy applied once signature-based identification completes (likely requiring several packets).
first-packet-validate: TCP/UDP trusted port applications with signature verification:
1. Application identified using well known TCP/UDP port based filters and re-identified once signature identification completes.
2. AA policy applied from the first packet of a flow while continuing signature-based application identification. Policy re-evaluated once the signature identification completes, allowing to detect improper/unexpected applications on a well-known port.
first-packet-trusted: TCP/UDP trusted port applications - no signature verification:
1. Application identified using well known TCP/UDP port based filters only.
2. Application Aware policy applied from the first packet of a flow.
3. No signature processing assumes operator/customer trusts that no other applications can run on the well-known TCP/UDP port (statistics collected against trusted_tcp or trusted_udp protocol).

3.4.2.4.3.2. Application Profile Commands

app-profile

Syntax

app-profile app-profile-name [create]

no app-profile app-profile-name

Context

config>app-assure>group>policy

Description

This command creates an application profile and enables the context to configure the profile parameters.

The no form of this command removes the application profile from the configuration.

Parameters

app-profile-name —

Specifies the name of the application profile up to 32 characters.

create—

Mandatory keyword used when creating an application profile. The create keyword requirement can be enabled/disabled in the environment>create context.

aa-sub-suppressible

Syntax

aa-sub-suppressible

no aa-sub-suppressible

Context

config>app-assure>group>policy>app-profile

Description

This command configures an app-profile as “aa-sub-suppressible”, this function is used in the context of an SRRP group interface. If an SRRP group interface is configured as “suppress-aa-sub” then subscribers with an app-profile configured as “aa-sub-suppressible” will not be diverted to Application Assurance.

The no form of this command restores the default behavior.

Default

no aa-sub-suppressible

capacity-cost

Syntax

capacity-cost cost

no capacity-cost

Context

config>app-assure>group>policy>app-profile

Description

This command configures an application profile capacity cost. Capacity-Cost based load balancing allows a cost to be assigned to diverted SAPs (with the app-profile) and this is then used for load-balancing SAPs between ISAs as well as for a threshold that notifies the operator if/when capacity planning has been exceeded.

Default

capacity-cost 1

Parameters

cost—

Specifies the profile capacity cost.

Values—

1 to 65535

characteristic

Syntax

characteristic characteristic-name value value-name

no characteristic characteristic-name

Context

config>app-assure>group>policy>app-profile

Description

This command assigns one of the existing values of an existing application service option characteristic to the application profile.

The no form of this command removes the characteristic from the application profile.

Parameters

characteristic-name —

Specifies the name of an existing ASO characteristic.

value-name—

Specifies the name for the application profile characteristic up to 32 characters.

divert

Syntax

[no] divert

Context

config>app-assure>group>policy>app-profile

Description

This command enables the redirection of traffic to AA ISA for the system-wide forwarding classes diverted to application assurance (divert-fc) for AA subscribers using this application profile.

The no form of this command stops redirect of traffic to AA ISAs for the AA subscribers using this application profile.

Default

no divert

3.4.2.4.3.3. Application QoS Policy Commands

entry

Syntax

entry entry-id [create]

no entry entry-id

Context

config>app-assure>group>policy>aqp

Description

This command creates an application QoS policy entry. A flow that matches multiple Application QoS policies (AQP) entries will have multiple AQP entries actions applied. When a conflict occurs for two or more actions, the action from the AQP entry with the lowest numerical value takes precedence.

The no form of this command deletes the specified application QoS policy entry.

Parameters

entry-id —

An integer identifying the AQP entry.

Values—

1 to 65535

create—

Mandatory keyword creates the entry. The create keyword requirement can be enabled/disabled in the environment>create context.

action

Syntax

action

Context

config>app-assure>group>policy>aqp>entry

Description

This command enables the context to configure AQP actions to be performed on flows that match the AQP entry’s match criteria.

bandwidth-policer

Syntax

bandwidth-policer policer-name

no bandwidth-policer

Context

config>app-assure>group>policy>aqp>entry>action

Description

This command assigns an existing bandwidth policer as an action on flows matching this AQP entry. The match criteria for the AQP entry must specify a uni-directional traffic direction before a policer action can be configured. If a policer is used in one direction in an AQP match entry the same policer name cannot be used by another AQP entry which uses a different traffic direction match criteria.

When multiple policers apply to a single flow, the final action on a packet is the worst case of all policer outcomes (for example, if one of the policers marks packet out of profile, the final marking will reflect that).

The no form of this command removes bandwidth policer from actions on flows matching this AQP entry.

Default

no bandwidth-policer

Parameters

policer-name —

Specifies the name of the existing flow setup rate policer for this application assurance profile. The policer-name is configured in the config>app-assure>group>policer context.

drop

Syntax

[no] drop

Context

config>app-assure>group>policy>aqp>entry>action

Description

This command configures the drop action on flows matching this AQP entry. When enabled, all flow traffic matching this AQP entry will be dropped. When drop action is part of a set of multiple actions to be applied to a single flow as result of one or more AQP entry match, drop action will be performed first and no other action will be invoked on that flow.

The no form of this command disables the drop action on flows matching this AQP entry.

Default

no drop

error-drop

Syntax

error-drop [event-log event-log-name]

no error-drop

Context

config>app-assure>group>policy>aqp>entry>action

Description

This command configures a drop action for error flows (bad IP checksums, tcp/udp port 0, and so on).

Default

no error-drop

Parameters

event-log-name —

Specifies the event log name, up to 32 characters.

flow-count-limit

Syntax

flow-count-limit policer-name [event-log event-log-name]

no flow-count-limit

Context

config>app-assure>group>policy>aqp>entry>action

Description

This command assigns an existing flow count limit policer as an action on flows matching this AQP entry.

The match criteria for the AQP entry must specify a uni-directional traffic direction before a policer action can be configured. If a policer is used in one direction in an AQP match entry the same policer name cannot be used by another AQP entry which uses a different traffic direction match criteria.

The no form of this command removes this flow policer from actions on flows matching this AQP entry.

Default

no flow-count-limit

Parameters

policer-name —

Specifies the name of the existing flow setup rate policer for this application assurance profile. The policer-name is configured in the config>app-assure>group>policer context.

event-log-name —

Specifies the name of the event log used when event logging is enabled, up to 32 characters, which is used when event logging is enabled.

flow-rate-limit

Syntax

flow-rate-limit policer-name [event-log event-log-name]

no flow-rate-limit

Context

config>app-assure>group>policy>aqp>entry>action

Description

This command assigns an existing flow setup rate limit policer as an action on flows matching this AQP entry.

The no form of this command removes this flow policer from actions on flows matching this AQP entry.

Default

no flow-rate-limit

Parameters

policer-name —

Specifies the policer name up to 32 characters.

event-log event-log-name—

Specifies the event-log-name up to 32 characters, which will be used when event logging is enabled.

fragment-drop

Syntax

fragment-drop {all | out-of-order} [event-log event-log-name]

no fragment-drop

Context

config>app-assure>group>policy>aqp>entry>action

Description

This command specifies the action to apply to fragments.

Default

no fragment-drop

Parameters

all—

All the fragments will be dropped.

out-of-order—

All out of order fragments will be dropped.

event-log-name—

Specifies if the dropping of fragments should be logged to the specified event log name.

gtp-filter

Syntax

gtp-filter gtp-filter-name

no gtp-filter

Context

config>app-assure>group>policy>aqp>entry>action

Description

Description

This command assigns an existing http redirect policy as an action on flows matching this AQP entry.

The redirect only takes effect if the matching flows are HTTP and the condition specified after the http-redirect command, admitted flows or dropped-flows, is met. The condition specified by “dropped-flows” means the flow is dropped due to an AQP actions such as “flow rate/count policers” or “drop” actions. HTTP Policy Redirect on admitted-flows allows the operator to redirect HTTP traffic to a web portal while allowing non-HTTP matching the same AQP rule to be forwarded.

No HTTP redirect will take place if HTTP redirect action and a “drop/flow-police” action are part of the default AQP policy, because in this case, any flow drop actions will take place before identification of the application/application-group.

The no form of this command removes http redirect from actions on flows matching this AQP entry.

Default

no http-redirect

Parameters

http-redirect-name —

Specifies the name of the existing http policy redirect for this application assurance profile. The HTTP redirect name is configured in the config>app-assure>group>http-redirect context.

flow-type—

Specifies the flow type.

Values—

admitted-flows — Redirect HTTP flows matching the AQP criteria.

dropped-flows — Redirects those HTTP flows that are dropped due to an AQP action.

mirror-source

Syntax

mirror-source [all-inclusive] mirror-service-id

no mirror-source

Context

config>app-assure>group>policy>aqp>entry>action

Description

This command configures an application-based policy mirroring service that uses this AA ISA group’s AQP entry as a mirror source. When configured, AQP entry becomes a mirror source for IP packets seen by the AA (the mirrored packet is an IP packet analyzed by AA and does not include encapsulations present on the incoming interfaces).

Default

no mirror-source

Parameters

all-inclusive—

Specifies that all packets during identification phase that could match a given AQP rule are mirrored in addition to packets after an application identification completes that match the AQP rule. This ensures all packets of a given flow are mirrored at a cost of sending unidentified packets that once the application is identified will no longer match this AQP entry.

mirror-service-id—

Specifies the mirror source service ID to use for flows that match this policy.

Values—

1 to 2147483647

svc-name: 64 characters maximum

overload-drop

Syntax

overload-drop [event-log event-log-name]

no overload-drop

Context

config>app-assure>group>policy>aqp>entry>action

Description

This command configures a drop action for cases where flow records are not created (overload).

Parameters

event-log-name—

Specifies the event log name, up to 32 characters.

remark

Syntax

remark

Context

config>app-assure>group>policy>aqp>entry>action

Description

This command configures remark action on flows matching this AQP entry.

dscp

Syntax

dscp in-profile dscp-name out-profile dscp-name

no dscp

Context

config>app-assure>group>policy>aqp>entry>action>remark

Description

This command enables the context to configure DSCP remark action or actions on flows matching this AQP entry. When enabled, all packets for all flows matching this AQP entry will be remarked to the configured DSCP name.

DSCP remark can only be applied when the entry remarks forwarding class or forwarding class and priority. In-profile and out-of profile of a given packet for DSCP remark is assessed after all AQP policing and priority remarking actions took place.

The no form of this command stops DSCP remarking action on flows matching this AQP entry.

Default

no dscp

Parameters

in-profile dscp-name —

Specifies the DSCP name to use to remark in-profile flows that match this policy.

out-profile dscp-name—

Specifies the DSCP name to use to remark out-of-profile flows that match this policy.

Values—

be, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cs1, cp9, af11, cp11, af12, cp13, af13, cp15, cs2, cp17, af21, cp19, af22, cp21, af23, cp23, cs3, cp25, af31, cp27, af32, cp29, af33, cp31, cs4, cp33, af41, cp35, af42, cp37, af43, cp39, cs5, cp41, cp42, cp43, cp44, cp45, ef, cp47, nc1, cp49, cp50, cp51, cp52, cp53, cp54, cp55, nc2, cp57, cp58, cp59, cp60, cp61, cp62, cp63

fc

Syntax

fc fc-name

no fc

Context

config>app-assure>group>policy>aqp>entry>action>remark

Description

This command configures remark FC action on flows matching this AQP entry. When enabled, all packets for all flows matching this AQP entry will be remarked to the configured forwarding class.

The no form of this command stops FC remarking action on packets belonging to flows matching this AQP entry.

Default

no fc

Parameters

fc-name—

Configure the FC remark action for flows matching this entry.

Values—

be, l2, af, l1, h2, ef, h1, nc

priority

Syntax

priority priority-level

no priority

Context

config>app-assure>group>policy>aqp>entry>action>remark

Description

This command configures remark discard priority action on flows matching this AQP entry. When enabled, all packets for all flows matching this AQP entry will be remarked to the configured discard priority.

Default

no priority

Parameters

priority-level—

Specifies the priority to apply to a packet.

Values—

high, low

sctp-filter

Syntax

sctp-filter sctp-filter-name

no sctp-filter

Context

config>app-assure>group>policy>aqp>entry>action

Description

This command assigns an existing SCTP filter as an action on flows matching this AQP entry.

The no form of this command removes this SCTP filter from actions on flows matching this AQP entry.

Default

no sctp-filter

Parameters

sctp-filter-name—

Specifies the name of the existing SCTP filter for this application assurance profile. The sctp-filter-name is configured in the config>app-assure>group[:partition]>sctp-filter context.

tcp-mss-adjust

Syntax

tcp-mss-adjust segment-size

no tcp-mss-adjust

Context

config>app-assure>group>aqp>entry>action

Description

This command configures the value to adjust the TCP Maximum Segment Size (MSS) option. The no form of this command disables the segment size adjustment.

Default

no tcp-mss-adjust

Parameters

segment-size—

Specifies the value to put into the TCP Maximum Segment Size (MSS) option if not already present, or if the present value is higher.

Values—

160 to 10240

tcp-validate

Syntax

tcp-validate tcp-validate-name

no tcp-validate

Context

config>app-assure>group>policy>aqp>entry>action

Description

This command assigns an existing TCP validation policy as an action on flows matching this AQP entry.

tcp-validate can only be called from AQP entries that:

have no matching conditions that relate to information extracted from the incoming IP packets; for example, no application or IP address.
allow the following match conditions:
1. none
2. aa-sub
3. characteristic
4. traffic-direction (both only)
  traffic-direction cannot be unidirectional (from or to sub). It can either be set to both or left unspecified.

The no form of this command removes the TCP validation policy action from flows matching this AQP entry.

Default

no tcp-validate

Parameters

tcp-validate-name—

Specifies the name of the TCP validation policy for this application assurance profile. The TCP validation policy is configured using the config>app-assure>group>tcp-validate tcp-validate-name command.

url-filter

Syntax

url-filter url-filter-name [characteristic characteristic-name]

no url-filter

Context

config>app-assure>group>aqp>entry>action

Description

This command configures a url-filter action for flows matching this entry.

Parameters

url-filter-name—

Specifies the name of the url-filter policy.

characteristic-name—

Specifies the name of the characteristic.

characteristic

Syntax

characteristic characteristic-name

Context

config>app-assure>group>aqp>entry>action

Description

This command enables the system to use the value of the characteristic name specified in the app-qos-policy url-filter action for the configurable ICAP x-header name provisioned in the url-filter policy. The ICAP server can then use this value to decide which url-filter policy to apply instead of applying a filter policy based on the subscriber name.

Parameters

characteristic-name—

Specifies the name of the characteristic.

session-filter

Syntax

session-filter session-filter-name

no session-filter

Context

config>app-assure>group>policy>aqp>entry>action

Description

This command specifies the Application-Assurance session filter that will be evaluated. If no session filters are specified then no session filters will be evaluated.

Default

no session-filter

Parameters

session-filter-name—

Specifies the session filter to be applied.

match

Syntax

match

Context

config>app-assure>group>policy>aqp>entry

Description

This command enables the context to configure flow match rules for this AQP entry. A flow matches this AQP entry only if it matches all the match rules defined (logical and of all rules). If no match rule is specified, the entry will match all flows.

aa-sub

Syntax

aa-sub esm {eq | neq} sub-ident-string

aa-sub esm-mac {eq | neq} esm-mac-name

aa-sub sap {eq | neq} sap-id

aa-sub spoke-sdp {eq | neq} sdp-id:vc-id

aa-sub transit {eq | neq} transit-aasub-name

no aa-sub

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command specifies a Service Access Point (SAP) or an ESM subscriber as matching criteria.

The no form of this command removes the SAP or ESM matching criteria.

Parameters

eq—

Specifies that the value configured and the value in the flow are equal.

neq —

Specifies that the value configured differs from the value in the flow.

sub-ident-string—

Specifies the name of an existing application assurance subscriber.

esm-mac-name —

Specifies the name of an ESM-MAC subscriber.

sap-id—

Specifies the SAP ID.

sap sap-id—

Specifies the physical port identifier portion of the SAP definition.

sdp-id:vc-id—

Specifies the spoke SDP ID and VC ID.

Values—

1 to 32767

1 to 4294967295

transit-aa-sub-name —

Specifies the name of a transit AA subscriber.

aa-sub-tethering-state

Syntax

aa-sub-tethering-state {detected | not-detected}

no aa-sub-tethering-state

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command specifies the tethering state of the subscriber where the AQP match entry will be applied.

The tethering state match condition is meaningful when configured in non-default subscriber policy AQP. Default subscriber policy consists of those AQPs that include match criteria based on the subscriber’s configuration. Tethering state match condition is also applicable in those AQPs that include matching criteria that are derived from actual subscriber’s traffic.

The no form of this command removes detection of sub-tethering state from the configuration.

Default

no aa-sub-tethering-state

Parameters

detected —

Specifies that the subscriber is in the tethering state.

not-detected —

Specifies that the subscriber is not in the tethering state.

app-group

Syntax

app-group {eq | neq} application-group-name

no app-group

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command adds app-group to match criteria used by this AQP entry.

The no form of this command removes the app-group from match criteria for this AQP entry.

Default

no app-group

Parameters

eq—

Specifies that the value configured and the value in the flow are equal.

neq —

Specifies that the value configured differs from the value in the flow.

application-group-name —

Specifies the name of the existing application group entry. The application-group-name is configured in the config>app-assure>group>policy>aqp>entry>match context.

application

Syntax

application {eq | neq} application-name

no application

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command adds an application to match criteria used by this AQP entry.

The no form of this command removes the application from match criteria for this AQP entry.

Default

no application

Parameters

eq—

Specifies that the value configured and the value in the flow are equal.

neq —

Specifies that the value configured differs from the value in the flow.

application-name —

Specifies the name of name existing application name. The application-group-name is configured in the config>app-assure>group>policy>aqp>entry>match context.

characteristic

Syntax

characteristic characteristic-name eq value-name

no characteristic

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command adds an existing characteristic and its value to the match criteria used by this AQP entry.

The no form of this command removes the characteristic from match criteria for this AQP entry.

Parameters

eq—

Specifies that the value configured and the value in the flow are equal.

characteristic-name —

Specifies the name of the existing ASO characteristic up to 32 characters in length.

value-name —

Specifies the name of an existing value for the characteristic up to 32 characters in length.

charging-group

Syntax

charging-group {eq | neq} charging-group-name

no charging-group

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command adds charging-group to match criteria used by this AQP entry.

The no form of this command removes the charging-group from match criteria for this AQP entry.

Default

no charging-group

Parameters

eq —

Specifies that the value configured and the value in the flow are equal.

neq —

Specifies that the value configured differs from the value in the flow.

charging-group-name —

Specifies the name of the existing application group entry. The application-group name is configured in the config>app-assure>group>policy>aqp>entry>match context.

dscp

Syntax

dscp {eq | neq} dscp-name

no dscp

Context

config>app-assure>group>policy>aqp>entry>match

config>app-assure>group>sess-fltr>entry>match

Description

This command adds a DSCP name to the match criteria used by this entry.

The no form of this command removes dscp from match criteria for this entry.

Default

no dscp

Parameters

eq—

Specifies that the value configured and the value in the flow are equal.

neq —

Specifies that the value configured differs from the value in the flow.

dscp-name —

Specifies the DSCP name to be used in the match.

Values—

dst-ip

Syntax

dst-ip {eq | neq} ip-address

dst-ip {eq | neq} ip-prefix-list ip-prefix-list-name

no dst-ip

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command specifies a destination IP address to use as match criteria.

Default

no dst-ip

Parameters

eq—

Specifies that a successful match occurs when the flow matches the specified address or prefix.

neq —

Specifies that a successful match occurs when the flow does not match the specified address or prefix.

ip-address—

Specifies a valid unicast address.

Values—

ipv4-address	a.b.c.d[/mask]
	mask - [1..32]
ipv6-address	x:x:x:x:x:x:x:x/prefix-length
	x:x:x:x:x:x:d.d.d.d
	x - [0..FFFF]H
	d - [0..255]D
	prefix-length [1..128]

ip-prefix-list-name—

Specifies the name of an IP prefix list, up to 32 characters.

dst-port

Syntax

dst-port {eq | neq} port-num

dst-port {eq | neq} port-list port-list-name

dst-port {eq | neq} range start-port-num end-port-num

no dst-port

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command specifies a destination TCP/UDP port, destination port list, or destination range to use as match criteria.

The no form of this command removes the parameters from the configuration.

Default

no dst-port

Parameters

eq—

Specifies that a successful match occurs when the flow matches the specified port.

neq —

Specifies that a successful match occurs when the flow does not match the specified port.

port-num—

Specifies the destination port number.

Values—

0 to 65535

start-port-num end-port-num—

Specifies the start or end destination port number.

Values—

0 to 65535

port-list-name —

Specifies a named port-list, up to 32 characters, containing a set of ports or ranges of ports.

flow-attribute

Syntax

[no] flow-attribute flow-attribute name

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command configures a flow attribute to use as match criteria.

The no form of this command reverts to the default value.

Default

no flow-attribute

Parameters

flow-attribute name—

Specifies the name of the flow attribute, up to 256 characters.

confidence

Syntax

confidence eq equal-value

confidence gte greater-than-or-equal-value

confidence lt less-than-value

Context

config>app-assure>group>policy>aqp>entry>match>flow-attribute

Description

This command configures the confidence level of the flow attribute for use as match criteria.

Parameters

eq equal-value—

Specifies that a successful match occurs when the flow attribute confidence level is equal to the specified value.

Values—

0 to 100

gte greater-than-or-equal-value—

Specifies that a successful match occurs when the flow attribute confidence level is greater than or equal to the specified value.

Values—

0 to 100

lt less-than-value—

Specifies that a successful match occurs when the flow attribute confidence level is less than the specified value.

Values—

1 to 100

ip-protocol-num

Syntax

ip-protocol-num {eq | neq} protocol-id

no ip-protocol-num

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command configures the IP protocol to use to use as match criteria.

The no form the command removes the protocol from the match criteria.

Default

no ip-protocol-num

Parameters

eq —

Specifies that the value configured and the value in the flow must be equal.

neq —

Specifies that the value configured differs from the value in the flow.

protocol-id —

Specifies the decimal value representing the IP protocol to be used as an IP filter match criterion. Well known protocol numbers include ICMP (1), TCP (6), UDP (17).

Values—

1 to 255 (Decimal, Hexadecimal, or Binary representation).

Supported IANA IP protocol names:

crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-

frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim,

pnni, ptp, rdp, rsvp, sctp, stp

src-ip

Syntax

src-ip {eq | neq} ip-address

src-ip {eq | neq} ip-prefix-list ip-prefix-list-name

no src-ip

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command specifies a source TCP/UDP address to use as match criteria.

Default

no src-ip

Parameters

eq—

Specifies that a successful match occurs when the flow matches the specified address or prefix.

neq —

Specifies that a successful match occurs when the flow does not match the specified address or prefix.

ip-address—

Specifies a valid unicast address.

Values—

ipv4-address	a.b.c.d[/mask]
	mask - [1..32]
ipv6-address	x:x:x:x:x:x:x:x/prefix-length
	x:x:x:x:x:x:d.d.d.d
	x - [0..FFFF]H
	d - [0..255]D
	prefix-length [1..128]

ip-prefix-list-name—

Specifies an IP prefix list name, up to 32 characters.

src-port

Syntax

src-port {eq | neq} port-num

src-port {eq | neq} port-list port-list-name

src-port {eq | neq} range start-port-num end-port-num

no src-port

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command specifies a source IP port, source port list, or source range to use as match criteria.

The no form of this command removes the parameters from the configuration.

Default

no src-port

Parameters

eq—

Specifies that a successful match occurs when the flow matches the specified port.

neq —

Specifies that a successful match occurs when the flow does not match the specified port.

port-num—

Specifies the source port number.

Values—

0 to 65535

start-port-num end-port-num—

Specifies the start or end source port number.

Values—

0 to 65535

port-list-name —

Specifies a named port-list, up to 32 characters, containing a set of ports or ranges of ports.

traffic-direction

Syntax

traffic-direction {subscriber-to-network | network-to-subscriber | both}

Context

config>app-assure>group>policy>aqp>entry>match

Description

This command specifies the direction of traffic where the AQP match entry will be applied.

To use a policer action with the AQP entry the match criteria must specify a traffic-direction of either subscriber-to-network or network-to-subscriber.

Default

traffic-direction both

Parameters

subscriber-to-network—

Traffic from a local subscriber will match this AQP entry.

network-to-subscriber —

Traffic to a local subscriber will match this AQP entry.

both—

Combines subscriber-to-network and network-to-subscriber.

3.4.2.4.3.4. Application Service Options Commands

characteristic

Syntax

characteristic characteristic-name [create]

no characteristic characteristic-name

Context

config>app-assure>group>policy>aso

Description

This command creates the characteristic of the application service options.

The no form of this command deletes characteristic option. To delete a characteristic, it must not be referenced by other components of application assurance.

Parameters

characteristic-name—

Specifies a string of up to 32 characters uniquely identifying this characteristic.

create—

Mandatory keyword used to create when creating a characteristic. The create keyword requirement can be enabled or disabled in the environment>create context.

default-value

Syntax

default-value value-name

no default-value

Context

config>app-assure>group>policy>aso>char

Description

This command assigns one of the characteristic values as default.

When a default value is specified, app-profile entries that do not explicitly include this characteristic inherit the default value and use it as part of the AQP match criteria based on that app-profile.

A default-value is required for each characteristic. This is evaluated at commit time.

The no form of this command removes the default value for the characteristic.

Parameters

value-name—

Specifies the name of an existing characteristic value.

value

Syntax

[no] value value-name

Context

config>app-assure>group>policy>aso>char

Description

This command configures a characteristic value.

The no form of this command removes the value for the characteristic.

Parameters

value-name —

Specifies a string of up to 32 characters uniquely identifying this characteristic value.

3.4.2.4.3.5. Custom Protocol Commands

custom-protocol

Syntax

custom-protocol custom-protocol-id ip-protocol-num protocol-id [create]

custom-protocol custom-protocol-id

no custom-protocol custom-protocol-id

Context

config>app-assure>group>policy

Description

This command creates and enters configuration context for custom protocols. Custom protocols allow the creation of TCP and UDP-based custom protocols (based on the ip-protocol-num option) that employ pattern-match at offset in protocol signature definition.

Operator-configurable custom-protocols are evaluated ahead of any Nokia-provided protocol signature in order of custom-protocol-id (the lower ID is matched first in case of flow matching multiple custom-protocols) within the context the protocol is defined.

Custom protocols must be created before they can be used in application definition but do not have to be enabled. To reference a custom protocol in application definition, or any other CLI configuration one must use protocol name that is a concatenation of “custom_” and <custom-protocol-id>, (for example custom_01, custom_02 ... custom_10, and so on). This concatenation is also used when reporting custom protocol statistics.

Parameters

custom-protocol-id—

Specifies the index into the protocol list that defines a custom protocol for application assurance.

Values—

1 to 10

protocol-id —

Specifies the IP protocol to match against for the custom protocol.

Values—

6, 17, Protocol numbers accepted in DHB, keywords: tcp, udp

create—

Mandatory keyword used when creating custom protocol. The create keyword requirement can be enabled/disabled in the environment>create context.

expression

Syntax

expression expr-index eq expr-string offset payload-octet-offset direction direction

no expression expr-index

Context

config>app-assure>group>policy>custom-protocol

Description

This command configures an expression string value for pattern-based custom protocols match. A flow matches a custom protocol if the specified string is found at an offset of a TCP/UDP of the first payload packet.

Options:

client-to-server — A pattern will be matched against a flow from a TCP client.
server-to-client — A pattern will be matched against a flow from a TCP server.
any – A pattern will be matched against a TCP/UDP flow in any direction (towards or from AA subscriber)

The no form of this command deletes a specified string expression from the definition.

Parameters

expr-index—

Specifies the expression substring index.

Values—

expr-string—

Denotes a printable ASCII string, up to 16 characters, used to define a custom protocol match. Rules for expr-string characters:

Must contain printable ASCII characters.
Must not contain the “double quote” character or the “ ” (space) character on its own.
Match is case sensitive.
Must not include any regular expression meta-characters.

The “\” (slash) character is used as an ESCAPE sequence. The following ESCAPE sequences are permitted within the expr-string:

Character to match expr-string input

Hexadecimal Octet YY \xYY

An expr-string that uses the '\' (backslash) ESCAPE character which is not followed by a “\” or “\x” and a 2-digit hex octet is not valid.

offset payload-octet-offset—

specifies the offset (in octets) into the protocol payload, where the expr-string match criteria will start.

Values—

0 to 127

direction direction—

Specifies the protocol direction to match against to resolve to a custom protocol.

Values—

client-to-server, server-to-client, any

3.4.2.4.3.6. Session Filter Commands

session-filter

Syntax

session-filter session-filter-name [create]

no session-filter session-filter-name

Context

config>app-assure>group

Description

This command creates a session filter.

Parameters

session-filter-name—

Creates a session filter name up to 32 characters.

create—

Keyword used to create the session filter.

default-action

Syntax

default-action {permit | deny} [event-log event-log-name]

Context

config>app-assure>group>sess-fltr

Description

This command specifies the default action to take for packets that do not match any filter entries.

The no form of this command reverts the default action to the default value (forward).

Default

default-action deny

Parameters

deny—

Indicates that packets matching the criteria are denied.

permit—

Indicates that packets matching the criteria are permitted.

event-log-name—

Specifies the event log name, up to 32 characters.

entry

Syntax

entry entry-id [create]

no entry entry-id

Context

config>app-assure>group>sess-fltr

Description

This command configures a particular Application-Assurance session filter match entry. Every session filter can have zero or more session filter match entries. An application filter entry or entries configures match attributes of an application.

The no form of this command deletes the specified entry.

Parameters

entry-id —

Specifies an integer that identifies the entry.

Values—

1 to 65535

create—

Keyword used to create the entry.

action

Syntax

action {permit | deny} [event-log event-log-name]

action http-redirect http-redirect-name [event-log event-log-name]

Context

config>app-assure>group>sess-fltr>entry

Description

This command configures the action for this entry.

Parameters

deny—

Packets matching the criteria are denied.

permit—

Packets matching the criteria are permitted.

event-log-name—

Specifies the event log name, up to 32 characters.

http-redirect-name—

Specifies the HTTP redirect name, up to 32 characters.

match

Syntax

match

Context

config>app-assure>group>sess-fltr>entry

Description

This command enables the context to configure session conditions for this entry.

dst-ip

Syntax

dst-ip ip-address

dst-ip dns-ip-cache dns-ip-cache-name

dst-ip ip-prefix-list ip-prefix-list-name

no dst-ip

Context

config>app-assure>group>sess-fltr>entry>match

Description

This command configures the destination IP address to match.

Default

no dst-ip

Parameters

ip-address—

Specifies a valid unicast address.

Values—

ipv4-address	a.b.c.d[/mask]
	mask - [1..32]
ipv6-address	x:x:x:x:x:x:x:x/prefix-length
	x:x:x:x:x:x:d.d.d.d
	x - [0..FFFF]H
	d - [0..255]D
	prefix-length [1..128]

dns-ip-cache-name—

Specifies the name of the dns-ip-cache policy.

dst-port

Syntax

dst-port {eq | gt | lt} port-num

dst-port port-list port-list-name

dst-port range start-port-num end-port-num

no dst-port

Context

config>app-assure>group>sess-fltr>entry>match

Description

This command specifies a destination TCP/UDP port, destination port list, or destination range to use as match criteria.

The no form of this command removes the parameters from the configuration.

Default

no dst-port

Parameters

eq—

Specifies that a successful match occurs when the flow matches the specified port.

gt —

Specifies all port numbers greater than the port-number match.

lt —

Specifies all port numbers less than the port-number match.

port-num—

Specifies the destination port number.

Values—

0 to 65535

start-port-num end-port-num—

Specifies the start or end destination port number.

Values—

0 to 65535

port-list-name —

Specifies a named port-list, up to 32 characters, containing a set of ports or ranges of ports.

ip-protocol-num

Syntax

ip-protocol-num ip-protocol number

no ip-protocol-num

Context

config>app-assure>group>policy>sess-fltr>entry>match

Description

This command configures the IP protocol to use in the application definition.

The no form of this command restores the default (removes IP protocol number from application criteria defined by this app-filter entry).

Default

no ip-protocol-num

Parameters

ip-protocol-number —

Specifies the decimal value representing the IP protocol to be used as an IP filter match criterion. Well known protocol numbers include ICMP (1), TCP (6), UDP (17).

The no form the command removes the protocol from the match criteria.

Values—

protocol-number: 0 to 255 (decimal, hexadecimal, or binary representation)

protocol-name: Supported IANA IP protocol names:

* - udp/tcp wildcard

src-ip

Syntax

src-ip ip-address

src-ip ip-prefix-list ip-prefix-list-name

no src-ip

Context

config>app-assure>group>sess-fltr>entry>match

Description

This command specifies a source TCP/UDP address to use as match criteria.

Default

no src-ip

Parameters

ip-address—

Specifies a valid unicast address.

Values—

ipv4-address	a.b.c.d[/mask]
	mask - [1..32]
ipv6-address	x:x:x:x:x:x:x:x/prefix-length
	x:x:x:x:x:x:d.d.d.d
	x - [0..FFFF]H
	d - [0..255]D
	prefix-length [1..128]

ip-prefix-list-name—

Specifies an IP prefix list name, up to 32 characters.

src-port

Syntax

src-port {eq | gt | lt} port-num

src-port port-list port-list-name

src-port range start-port-num end-port-num

no src-port

Context

config>app-assure>group>sess-fltr>entry>match

Description

This command specifies a source IP port, source port list, or source range to use as match criteria.

The no form of this command removes the parameters from the configuration.

Default

no src-port

Parameters

eq—

Specifies that a successful match occurs when the flow matches the specified port.

gt —

Specifies all port numbers greater than the port-number match.

lt —

Specifies all port numbers less than the port-number match.

port-num—

Specifies the source port number.

Values—

0 to 65535

start-port-num end-port-num—

Specifies the start or end source port number.

Values—

0 to 65535

port-list-name —

Specifies a named port-list, up to 32 characters, containing a set of ports or ranges of ports.

dns-ip-cache

Syntax

dns-ip-cache dns-ip-cache-name

Context

config>app-assure>group>sess-fltr>entry>match

Description

This command configures a DNS IP cache using session filter DST IP match criteria. It is typically combine with an allow action in the context of captive-redirect.

Parameters

dns-ip-cache-name—

Specifies the name of the dns-ip-cache policy.

http-redirect

Syntax

http-redirect http-redirect-name

aa-admit-deny

Context

config>app-assure>group>statistics

Description

This command enables the context to configure admit-deny statistics generation.

accounting-policy

Syntax

accounting-policy acct-policy-id

no accounting-policy

Context

config>app-assure>group>statistics>aa-admit-deny

config>app-assure>group>statistics>aa-partition

config>app-assure>group>statistics>aa-sub

config>app-assure>group>statistics>aa-sub-study

config>app-assure>group>statistics>application

config>app-assure>group>statistics>app-grp

config>app-assure>group>statistics>protocol

config>isa>aa-grp>statistics

Description

This command specifies the existing accounting policy to use for AA. Accounting policies are configured in the config>log>accounting-policy context.

Parameters

acct-policy-id—

Specifies the existing accounting policy to use for applications.

Values—

1 to 99

collect-stats

Syntax

[no] collect-stats

Context

config>app-assure>group>statistics>aa-admit-deny

config>app-assure>group>statistics>aa-partition

config>app-assure>group>statistics>aa-sub

config>app-assure>group>statistics>aa-sub-study

config>app-assure>group>statistics>app-grp

[no] tethering-summary

Context

config>app-assure>group>statistics>aa-partition

Description

This command enables tethering summary statistics collection within an aa-partition.

The no form of this command disables tethering summary statistics collection.

traffic-type

Syntax

[no] traffic-type

Context

config>app-assure>group>statistics>aa-partition

Description

This command enables traffic type statistics collection within an aa-partition.

The no form of this command disables traffic type statistics collection.

aa-sub

Syntax

aa-sub

Context

config>app-assure>group>statistics

Description

This command enables the context to configure accounting and statistics collection parameters per application assurance subscribers.

aggregate-stats

Syntax

aggregate-stats export-using export-method [export-method...(up to 2 max)]

aggregate-stats no-export

Context

config>app-assure>group>statistics>aa-sub

Description

This command configures aa-sub accounting statistics for export of aggregate statistics of a given subscriber.

Default

aggregate-stats no-export

Parameters

export-method—

Specifies the method of statistics export to be used.

Values—

accounting-policy (this is the only option for sub-aggregate statistics, and it is only supported in residential and VPN sub-scale modes).

no-export—

Disables the export.

app-group

Syntax

app-group app-group-name export-using export-method [export-method...(up to 2 max)]

app-group app-group-name no-export

no app-group app-group-name

Context

config>app-assure>group>statistics>aa-sub

Description

This command enables the context to configure accounting and statistics collection parameters per system for application groups of application assurance for a given AA ISA group/partition.

The no form of this command removes the application group name.

Parameters

app-group-name—

Specifies an existing application group name, up to 32 characters.

export-method —

Specifies the method of statistics export to be used.

Values—

accounting-policy, radius-accounting-policy

no-export—

Allows the operator to enable the referred to application group to be selected (via Diameter) for Gx-usage monitoring. Gx usage monitoring is enabled automatically (and this command is not shown) if the export-using parameter is selected for the respective application group.

Usage monitoring must be enabled at the group:partition level (config>app-assure>group>statistics>aa-sub>usage-monitoring) as well in order to allow any application/application group/charging group usage monitoring.

aa-sub-study

Syntax

aa-sub-study study-type

Context

config>app-assure>group>statistics

Description

This command enables the context to configure accounting and statistics collection parameters per application assurance special study subscribers.

Parameters

study-type—

Specifies special study protocol subscriber stats.

Values—

application, protocol

application

Syntax

application application-name export-using export-method [export-method...(up to 2 max)]

application application-name no-export

no application application-name

Context

config>app-assure>group>statistics>aa-sub

Description

This command configures aa-sub accounting statistics for export of applications of a given AA ISA group/partition.

The no form of this command removes the application name.

Parameters

application-name —

Specifies an existing application name, up to 32 characters.

export-method —

Specifies the method of statistics export to be used.

Values—

accounting-policy, radius-accounting-policy

no-export—

Allows the operator to enable the referred application group to be selected (via Diameter) for Gx-usage monitoring. Gx usage monitoring is enabled automatically (and this command is not shown) if the export-using parameter is selected for the respective application group.

charging-group

Syntax

charging-group charging-group-name export-using export-method [export-method...(up to 2 max)]

charging-group charging-group-name no-export

no charging-group charging-group-name

Context

config>app-assure>group>statistics>aa-sub

Description

This command configures aa-sub accounting statistics for export of charging groups of a given AA ISA group/partition.

The no form of this command removes the parameters from the configuration.

Parameters

charging-group-name —

Specifies the name of the charging group. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.

export-using export-method—

Specifies that the method of stats export to be used.

Values—

accounting-policy, radius-accounting-policy

no-export—

Allows the operator to enable the referred to a charging group to be selected (via Diameter) for Gx-usage monitoring. Gx usage monitoring is enabled automatically (and this command is not shown) if the export-using parameter is selected for the respective charging group.

exclude-tcp-retrans

Syntax

[no] exclude-tcp-retrans

Context

config>app-assure>group>statistics>aa-sub

Description

This command is to only to EPC. When enabled, TCP errors and retransmission packets are not counted for the purpose of CBC. This setting has no impact on app/app-group aggregate AA stats.

Default

no exclude-tcp-retrans

max-throughput-stats

Syntax

[no] max-throughput-stats

Context

config>app-assure>group>statistics>aa-sub

Description

This command enables the collection of max-throughput statistics.

The no form of this command disables the collection.

Default

no max-throughput-stats

protocol

Syntax

protocol protocol-name export-using export-method

no protocol protocol-name

Context

config>app-assure>group>statistics>aa-sub

Description

This command configures aa-sub accounting statistics for export of protocols of a given AA ISA group/partition.

The no form of this command removes the protocol name.

Parameters

protocol-name —

Specifies an existing protocol name up to 32 characters in length.

export-using export-method—

Specifies that the method of stats export to be used. Accounting-policy is the only option for protocol statistics.

protocol

Syntax

protocol

Context

config>app-assure>group>statistics

Description

This command enables the context to configure accounting and statistics collection parameters per-system for protocols of application assurance for a given AA ISA group/partition.

aa-sub

Syntax

[no] aa-sub {esm sub-ident-string | sap sap-id | spoke-sdp sdp-id:vc-id | transit transit-aasub-name | esm-mac esm-mac-name}

Context

config>app-assure>group>statistics>aa-sub-study

Description

This command adds an existing subscriber identification to a group of special study subscribers (for example, subscribers for which per subscriber statistics and accounting records can be collected for protocols and applications of application assurance).

The no form of this command removes the subscriber from the special study subscribers.

Up to 100 subscribers can be configured into the special study group for protocols and up to a 100 potentially different subscribers can be configured into the special study group for applications.

When adding a subscriber to the special study group, accounting records and statistics generation will commence immediately. When removing a subscriber from the group, special study statistics and accounting records for that subscriber in the current interval will be lost.

Parameters

sub-ident-string —

Specifies the name of a subscriber ID. The subscriber does not need to be currently active. Any sub-ident-string will be accepted. When the subscriber becomes active, statistics generation will start automatically at that time.

sap-id—

Specifies the physical port identifier portion of the SAP definition.

spoke-id sdp-id:vc-id—

Specifies the spoke SDP ID and VC ID.

Values—

1 to 32767

1 to 4294967295

transit-aasub-name —

Specifies an existing transit subscriber name string, up to 32 characters in length.

esm-mac-name —

Specifies an existing ESM-MAC subscriber name, up to 32 characters.

radius-accounting-policy

Syntax

radius-accounting-policy rad-acct-plcy-name

no radius-accounting-policy

Context

config>app-assure>group>statistics>aa-sub

Description

This command specifies an existing subscriber RADIUS based accounting policy to use for AA. RADIUS Accounting policies are configured in the config>app-assure>radius-accounting-policy context.

Default

no radius-accounting-policy

Parameters

rad-acct-plcy-name—

Specifies the name of the policy. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.

usage-monitoring

Syntax

[no] usage-monitoring

Context

config>app-assure>group>statistics>aa-sub

Description

This command enables Gx usage monitoring the given AA group/partition. It can only be enabled if there is enough usage monitoring resources for all existing subs. Once disabled, all monitoring instances for AA subscribers are silently removed (no PCRF notifications) and all subsequent AA Gx usage monitoring messages are ignored.

Default

no usage-monitoring.

threshold-crossing-alert

Syntax

threshold-crossing-alert

Context

config>app-assure>group>statistics

Description

This command enables the context to configure the generation of threshold crossing alerts (TCAs).

error-drop

Syntax

error-drop direction direction [create]

no error-drop direction direction

Context

config>app-assure>group>statistics>tca

Description

This command configures a TCA for the counter capturing error drops. An error drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating an error-drop TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the error drop TCA.

fragment-drop-all

Syntax

fragment-drop-all direction [create]

no fragment-drop-all direction

Context

config>app-assure>group>statistics>tca

Description

This command configures a TCA for the counter capturing drops due to the fragment-drop- all AQP command. A fragment-drop-all TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a fragment-drop-all TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

fragment-drop-out-of-order

Syntax

fragment-drop-out-of-order direction [create]

no fragment-drop-out-of-order direction

Context

config>app-assure>group>statistics>tca

Description

This command configures a TCA for the counter capturing drops due to the fragment-drop- out-of-order AQP command. A fragment-drop-out-of-order TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a fragment-drop-out-of-order TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

gtp-filter

Syntax

gtp-filter filter-name

Context

config>app-assure>group>statistics>tca

Description

This command configures TCA generation for a GTP filter.

Parameters

filter-name—

Specifies the name of the GTP filter, up to 32 characters.

default-gtp-tunnel-endpoint-limit

Syntax

default-gtp-tunnel-endpoint-limit direction direction [create]

no default-gtp-tunnel-endpoint-limit direction direction

Context

config>app-assure>group>statistics>tca>gtp-filter

Description

This command configures a TCA for the counter capturing drops due to the GTP endpoint limits create requests exceeding the configured allowed limit (set by the default-tunnel-endpoint-limit command). A default-gtp-tunnel-endpoint-limit drop TCA can be created for traffic generated from the subscriber side of AA (from-sub). The create keyword is mandatory when creating a TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub

create—

Keyword used to create the TCA.

gtp-in-gtp

Syntax

gtp-in-gtp direction direction [create]

no gtp-in-gtp direction direction

Context

config>app-assure>group>statistics>tca>gtp-filter

Description

This command configures a TCA for the counter capturing drops due to the GTP filter GTP-in-GTP packet check. A gtp-in-gtp drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a gtp-in-gtp TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

max-payload-length

Syntax

max-payload-length direction direction [create]

no max-payload-length direction direction

Context

config>app-assure>group>statistics>tca>gtp-filter

Description

This command configures a TCA for the counter capturing drops due to the GTP filter maximum payload length. A maximum payload length drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a maximum payload length drop TCA.

Default

none

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

message-type

Syntax

message-type

Context

config>app-assure>group>statistics>tca>gtp-filter

Description

This command configures a TCA for the counter capturing hits due to the GTP filter message type.

default-action

Syntax

default-action direction direction [create]

no default-action direction direction

Context

config>app-assure>group>statistics>tca>gtp-fltr>msg

Description

This command configures a TCA for the counter capturing hits for the specified GTP filter default action. A default action TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

entry

Syntax

entry entry-id direction direction [create]

no entry entry-id direction direction

Context

config>app-assure>group>statistics>tca>gtp-fltr>msg

Description

This command configures a TCA for the counter capturing hits for the specified GTP filter entry. A GTP filter entry TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.

Parameters

entry-id—

Specifies the GTP filter message-type entry identifier.

Values—

1 to 255

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

header-sanity

Syntax

header-sanity direction direction [create]

no header-sanity direction direction

Context

config>app-assure>group>statistics>tca>gtp-fltr>msg

Description

This command configures a TCA for the counter capturing hits for the GTP filter header sanity. A GTP filter header-sanity TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

message-type-gtpv2

Syntax

message-type-gtpv2

Context

config>app-assure>group>statistics>tca>gtp-filter

Description

This command configures a TCA for the counter capturing hits due to the GTPv2 message type filter.

default-action

Syntax

default-action direction direction [create]

no default-action direction direction

Context

config>app-assure>group>statistics>tca>gtp-fltr>msg-gtpv2

Description

This command configures a TCA for the counter capturing hits due to the default action specified for the GTPv2 message type filter. A default action TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

entry

Syntax

entry entry-id direction direction [create]

no entry entry-id direction direction

Context

config>app-assure>group>statistics>tca>gtp-fltr>msg-gtpv2

Description

This command configures a TCA for the counter capturing hits for the specified GTPv2 message type filter entry. A GTP filter entry TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating an entry TCA.

Parameters

entry-id—

Specifies the GTP filter message-type-gtpv2 entry identifier.

Values—

516 to 770

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

imsi-apn-filter

Syntax

imsi-apn-filter

Context

config>app-assure>group>statistics>tca>gtp-filter

Description

This command configures a TCA for the counter capturing hits due to the GTP IMSI-APN filter.

default-action

Syntax

default-action direction direction [create]

no default-action direction direction

Context

config>app-assure>group>statistics>tca>gtp-fltr>imsi-apn

Description

This command configures a TCA for the counter capturing hits for the specified GTP IMSI-APN filter default action. A default action TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

entry

Syntax

entry entry-id direction direction [create]

no entry entry-id direction direction

Context

config>app-assure>group>statistics>tca>gtp-fltr>imsi-apn

Description

This command configures a TCA for the counter capturing hits for the specified IMSI-APN filter entry. A GTP IMSI-APN filter entry TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating an entry TCA.

Parameters

entry-id—

Specifies the identifier for the IMSI-APN filter entry.

Values—

1031 to 2030

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

missing-mandatory-ie

Syntax

missing-mandatory-ie direction direction [create]

no missing-mandatory-ie direction direction

Context

config>app-assure>group>statistics>tca>gtp-filter

Description

This command configures a TCA for the counter capturing drops due to the GTP filter missing mandatory IE check. A missing-mandatory-ie drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a missing-mandatory-ie TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

tunnel-resource-limit

Syntax

tunnel-resource-limit direction direction [create]

no tunnel-resource-limit direction direction

Context

config>app-assure>group>statistics>tca>gtp-filter

Description

This command configures a TCA for the counter capturing the usage of the total number of GTP tunnel resources. A tunnel-resource-limit TCA can be created for traffic generated from the subscriber side of AA (from-sub) or from the network side (to-sub). The create keyword is mandatory when creating a TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

validate-gtp-tunnels

Syntax

validate-gtp-tunnels direction direction [create]

no validate-gtp-tunnels direction direction

Context

config>app-assure>group>statistics>tca>gtp-filter

Description

This command configures a TCA for the counter capturing drops due to the validation of GTP tunnel check. A validate-gtp-tunnels drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a validate-gtp-tunnels TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

validate-sequence-number

Syntax

validate-sequence-number direction direction [create]

no validate-sequence-number direction direction

Context

config>app-assure>group>statistics>tca>gtp-filter

Description

This command configures a TCA for the counter capturing drops due to the GTP filter invalid GTP sequence number. A validate-sequence-number drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a validate-sequence-number TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

validate-src-ip-addr

Syntax

validate-src-ip-addr direction direction [create]

no validate-src-ip-addr direction direction

Context

config>app-assure>group>statistics>tca>gtp-filter

Description

This command configures a TCA for the counter capturing drops due to the GTP filter anti-spoofing of the UE IP address check. A validate-src-ip-addr drop TCA can be created for traffic generated from the subscriber side of AA (from-sub). The create keyword is mandatory when creating a validate-src-ip-addr TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub

create—

Keyword used to create the TCA.

gtp-sanity-drop

Syntax

gtp-sanity-drop direction direction [create]

no gtp-sanity-drop direction direction

Context

config>app-assure>group>statistics>tca

Description

This command configures a TCA for the counter capturing drops due to basic GTP header sanity checks, such as validating that the GTP-U version is 1 and that the protocol bit is set to 1 for UDP traffic destined to port 2152. A GTP sanity drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

overload-drop

Syntax

overload-drop direction direction [create]

no overload-drop direction direction

Context

config>app-assure>group>statistics>tca

Description

This command configures a TCA for the counter capturing drops due to the overload-drop AQP command. An overload-drop TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating an overload-drop TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

policer

Syntax

policer policer-name direction direction [create]

no policer policer-name direction direction

Context

config>app-assure>group>statistics>tca

Description

This command configures a TCA for the counter capturing drops or admit events due to the specified flow policer. A policer TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a policer TCA.

Parameters

policer-name—

Specifies the name of the flow policer, up to 32 characters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

sctp-filter

Syntax

sctp-filter sctp-filter-name

Context

config>app-assure>group>statistics>tca

Description

This command configures TCA generation for an SCTP filter.

Parameters

sctp-filter-name—

Specifies the name of the SCTP filter, up to 32 characters

packet-sanity

Syntax

packet-sanity direction direction [create]

no packet-sanity direction direction

Context

config>app-assure>group>statistics>tca>sctp-filter

Description

This command configures a TCA for the counter capturing packet sanity hits for the specified SCTP filter. A packet sanity TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

ppid

Syntax

ppid

Context

config>app-assure>group>statistics>tca>sctp-filter

Description

This command configures a TCA for the counter capturing PPID hits for the specified SCTP filter.

default-action

Syntax

default-action direction direction [create]

Context

config>app-assure>group>statistics>tca>sctp-fltr>ppid

Description

This command configures a TCA for the counter capturing hits for the specified SCTP filter default PPID. A default action TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

entry

Syntax

entry entry-id direction direction [create]

no entry entry-id direction direction

Context

config>app-assure>group>statistics>tca>sctp-fltr>ppid

Description

This command configures a TCA for the counter capturing hits for the specified SCTP filter PPID entry. An SCTP filter entry TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.

Parameters

entry-id—

Specifies the SCTP filter PPID entry identifier.

Values—

1 to 255

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

ppid-range

Syntax

ppid-range direction direction [create]

no ppid-range direction direction

Context

config>app-assure>group>statistics>tca>sctp-filter

Description

This command configures a TCA for the counter capturing hits for the specified SCTP filter PPID range command. An PPIPD range TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

session-filter

Syntax

session-filter session-filter-name

Context

config>app-assure>group>statistics>tca

Description

This command configures TCA generation for a session filter.

Parameters

session-filter-name—

Specifies the name of the session filter, up to 32 characters.

default-action

Syntax

default-action direction direction [create]

no default-action direction direction

Context

config>app-assure>group>statistics>tca>session-filter

Description

This command configures a TCA for the counter capturing hits for the specified session filter default action. A default action TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a default action TCA.

Parameters

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

entry

Syntax

entry entry-id direction direction [create]

no entry entry-id direction direction

Context

config>app-assure>group>statistics>tca>session-filter

Description

This command configures a TCA for the counter capturing hits for the specified session filter entry. A session filter entry TCA can be created for traffic generated from the subscriber side of AA (from-sub) or for traffic generated from the network toward the AA subscriber (to-sub). The create keyword is mandatory when creating a TCA.

Parameters

entry-id—

Specifies the SCTP filter PPID entry identifier.

Values—

1 to 65535

direction—

Specifies the traffic direction.

Values—

from-sub, to-sub

create—

Keyword used to create the TCA.

high-wmark

Syntax

high-wmark high-watermark low-wmark low-watermark

Context

config>app-assure>group>statistics>tca>error-drop

config>app-assure>group>statistics>tca>fragment-drop-all

config>app-assure>group>statistics>tca>fragment-drop-out-of-order

config>app-assure>group>statistics>tca>gtp-fltr>gtp-in-gtp

config>app-assure>group>statistics>tca>gtp-fltr>imsi-apn>default-action

config>app-assure>group>statistics>tca>gtp-fltr>imsi-apn>entry

config>app-assure>group>statistics>tca>gtp-fltr>max-payload-length

config>app-assure>group>statistics>tca>gtp-fltr>missing mandatory-ie

config>app-assure>group>statistics>tca>gtp-fltr>msg>default-action

config>app-assure>group>statistics>tca>gtp-fltr>default-gtp-tunnel-endpoint-limit

config>app-assure>group>statistics>tca>gtp-fltr>msg>entry

config>app-assure>group>statistics>tca>gtp-fltr>msg>header-sanity

config>app-assure>group>statistics>tca>gtp-fltr>msg-gtpv2>default-action

config>app-assure>group>statistics>tca>gtp-fltr>msg-gtpv2>entry

config>app-assure>group>statistics>tca>gtp-fltr>tunnel-resource-limit

config>app-assure>group>statistics>tca>gtp-fltr>validate-gtp-tunnels

config>app-assure>group>statistics>tca>gtp-fltr>validate-sequence-number

config>app-assure>group>statistics>tca>gtp-fltr>validate-src-ip-addr

config>app-assure>group>statistics>tca>gtp-sanity-drop

config>app-assure>group>statistics>tca>overload-drop

config>app-assure>group>statistics>tca>policer

config>app-assure>group>statistics>tca>sctp-fltr>packet-sanity

config>app-assure>group>statistics>tca>sctp-fltr>ppid>default-action

config>app-assure>group>statistics>tca>sctp-fltr>ppid>entry

config>app-assure>group>statistics>tca>sctp-fltr>ppid>ppid-range

config>app-assure>group>statistics>tca>sess-fltr>default-action

config>app-assure>group>statistics>tca>sess-fltr>entry

config>app-assure>group>statistics>tca>tcp-validate

Description

This command configures the high watermark and low watermark thresholds for the specified TCA.

Default

high-wmark 4294967295 low-wmark 0

Parameters

high-watermark—

Specifies the TCA high watermark.

Values—

1 to 4294967295

Default—

4294967295

low-watermark—

Specifies the TCA low watermark.

Values—

0 to 4294967294

Default—

tcp-validate

Syntax

tcp-validate tcp-validate-name direction direction [create]

no tcp-validate tcp-validate-name direction direction

Context

config>app-assure>group>statistics>tca

Description

This command configures TCA for the counter, and enables the capture of drop or admit events due to the specified TCP validation function.

Parameters

tcp-validate-name—

Specifies the name of the TCP validation policy up to 32 characters.

direction—

Specifies the traffic direction in relation to the AA subscriber.

Values—

from-sub, to-sub

create—

This keyword is mandatory when creating a TCA instance.

3.4.2.4.5. TCP Validation Commands

tcp-validate

Syntax

tcp-validate tcp-validate-name [create]

no tcp-validate tcp-validate-name

Context

config>app-assure>group

Description

This command configures a TCP validation policy.

The no form of this command removes the specified TCP validation policy.

Default

no tcp-validate

Parameters

tcp-validate-name—

Specifies the name of the TCP validation policy up to 32 characters.

create—

This keyword is mandatory when creating a TCP validation policy.

event-log

Syntax

event-log event-log-name [all]

no event-log

Context

config>app-assure>group>tcp-validate

Description

This command enables logging of traffic dropped by TCP validation.

The no form of this command disables logging of traffic dropped by TCP validation.

Default

no event-log

Parameters

event-log-name—

Specifies the name of the event log up to 32 characters.

all—

Logs all dropped traffic. Using the all option allows the operator to capture all discards made by the TCP validation policy, including those related to:

packets that were received after an RST and discarded
packets received before TCP session establishment (before SYN) and discarded

Without the all option, discards related to these cases are not captured in any event log.

strict

Syntax

[no] strict

Context

config>app-assure>group>tcp-validate

Description

This command specifies whether enforcement of TCP sequence and acknowledgment numbers is applied. If a packet does not meet the expected sequence or acknowledgment number, it is dropped.

This command should only be enabled if the expected bit error rate or packet loss is low. For example, if acknowledgments are lost before being detected by AA, the server timeouts are triggered and retransmissions occur. If strict is enabled, these retransmissions would resemble a reply attack and would be dropped by AA.

The no form of this command removes TCP sequence and acknowledgment number enforcement.

Default

no strict

3.4.2.4.6. Tethering Commands

tethering-detection

Syntax

tethering-detection

Context

config>app-assure>group

Description

This command enables the context to configure tethering detection for the group. The shutdown and no shutdown commands are used in this context to enable or disable tethering detection.

Default

tethering-detection shutdown

3.4.2.4.7. Policy Commands

transit-ip-policy

Syntax

transit-ip-policy ip-policy-id [create]

no transit-ip-policy ip-policy-id

Context

config>app-assure>group

Description

The no form of this command deletes the policy from the configuration. All associations must be removed in order to delete a policy.

Default

no transit-ip-policy

Parameters

ip-policy-id —

Specifies an integer that identifies a transit IP profile entry.

Values—

1 to 65535

create —

A keyword used to create the entry.

diameter

Syntax

diameter

Context

config>app-assure>group>transit-ip

Description

This command enables the context to configure dynamic Diameter-based management of transit AA subs for the transit IP policy. This is mutually exclusive to other types of management of transit subs for a given transit IP policy.

application-policy

Syntax

[no] application-policy name

Context

config>app-assure>group>transit-ip>diameter

Description

This command specifies the Diameter application to be used by seen IP transit subs. The application policy is defined using the config>subscr-mgmt>diameter-application-policy command.

The no form of this command removes the policy.

Default

no application-policy

Parameters

name—

Specifies the name of the application policy configured using the diameter-application-policy command up to 32 characters.

shutdown

Syntax

[no] shutdown

Context

config>app-assure>group>transit-ip>diameter

Description

This command removes all transit AA subscribers created via Diameter on this transit AA subscriber IP policy and clears all corresponding Diameter sessions.

gtp

Syntax

gtp

Context

config>app-assure>group

Description

This command enters the context to configure GTP parameters.

event-log

Syntax

event-log event-log-name

no event-log

Context

config>app-assure>group>gtp

config>app-assure>group>gtp>gtp-filter

Description

This command allows AA to treat traffic on UDP port number 2152 as GTP-u. Without further specifying any other parameters within this GTP context, AA performs basic GTP-u header sanity checks and discards packets that are malformed. This GTP context allows the operator to configure various GTP filters (maximum of 128 GTP filters).

Default

no event-log

Parameters

event-log-name—

Specifies the event log name to be used to log discards due to GTP-u basic header sanity checks.

gtpc-inspection

Syntax

[no] gtpc-inspection

Context

config>app-assure>group>gtp

Description

This command configures the inspection of GTP-C packets. This is relevant only when AA GTP FW is deployed on S8/S5/Gp/Gn interfaces. The gtpc-inspection command must be enabled before configuring related features, such as APN filtering, GTP tunnel validation, message-type-v2 filtering, sequence number validation, SRC IP validation.

The no form of this command disables GTP-C packet inspection.

Default

no gtpc-inspection

gtp-filter

Syntax

gtp-filter gtp-filter-name [create]

no gtp-filter gtp-filter-name

Context

config>app-assure>group>gtp

Description

Parameters

gtp-filter-name—

Specifies a GTP filter name, up to 32 characters.

create—

Keyword used to create the GTP filter name and parameters.

gtp-in-gtp

Syntax

gtp-in-gtp

Context

config>app-assure>group>gtp>gtp-fltr

Description

This command configures GTP-in-GTP packet filtering.

Default

gtp-in gtp permit

Parameters

permit | deny—

Specifies the action to take for GTP packets that are encapsulated in GTP (GTP-in-GTP).

gtp-tunnel-database

Syntax

gtp-tunnel-database

Context

config>app-assure>group>gtp>gtp-fltr

Description

This command enables the context to configure GTP advanced firewall functions (such as validating GTP tunnels, sequence numbers, source IP addresses).

default-tunnel-endpoint-limit

Syntax

default-tunnel-endpoint-limit default-endpoint

no default-tunnel-endpoint-limit

Context

config>app-assure>group>gtp>gtp-fltr>gtp-tunnel-database

Description

This command configures the maximum number of GTP endpoints requested in GTP-C messages by using, for example, the PDP Context Create message type.

The validate-gtp-tunnels command must be enabled before using this command.

The no form of this command sets the limit to 4294967295 (the maximum number of GTP endpoints supported by AA FW minus one).

Default

no default-tunnel-endpoint-limit

Parameters

Default

default-action permit

Parameters

permit—

Specifies to permit packets that do not match any message entries.

deny—

Specifies to deny packets that do not match any message entries.

entry

Syntax

entry entry-id [create]

no entry entry-id

Context

config>app-assure>group>gtp>gtp-fltr>imsi-apn-fltr

Description

This command configures an entry within the IMSI-APN filter to allow for IMSI-APN match and action configuration.

Parameters

entry-id—

Specifies the index into the IMSI-APN list that defines a custom filtering action.

Values—

1031 to 2030

create—

Keyword used to create the entry.

action

Syntax

action {permit | deny}

Context

config>app-assure>group>gtp>gtp-fltr>imsi-apn-fltr>entry

Description

This command configures an action for the IMSI-APN filter entry.

Default

action permit

Parameters

permit—

Specifies to permit packets that do not match any message entries.

deny—

Specifies to deny packets that do not match any message entries.

mcc-mnc-prefix

Syntax

mcc-mnc-prefix imsi-prefix-string

no mcc-mnc-prefix

Context

config>app-assure>group>gtp>gtp-fltr>imsi-apn-fltr>entry

Description

This command configures a matching condition for the IMSI (MCC-MNC) prefix.

Parameters

imsi-prefix-string—

Specifies a string of 1 to 6 decimal digits representing the IMSI prefix to be matched against the IMSI IE of the packet, or the special value ANY_IMSI to indicate that an IMSI IE must be present as a matching condition regardless of the IMSI IE value.

If no MCC-MNC prefix is specified, the entry will match GTP packets that have an IMSI IE containing any value.

Values—

0 to 999999, ANY_IMSI

apn

Syntax

apn apn-string

no apn

Context

config>app-assure>group>gtp>gtp-fltr>imsi-apn-fltr>entry

Description

This command configures a matching condition for an APN configured as a GTP filter.

Parameters

apn-string—

Specifies the match string, which can include 1 to 32 characters.

If no APN is specified, the entry will not check for the APN IE in GTP-C packets.

Values—

string: The extracted APN must match string exactly.

^string: The extracted APN must start with string.

string$: The extracted APN must end with string.

WILDCARD_APN: Special string that indicates that the extracted APN must be “*” (that is, a length octet with value one, followed by the ASCII code for the asterisk)

EMPTY_APN: Special string that indicates that the extracted APN must be empty (that is, “”)

ANY_APN: Special string that indicates that the extracted APN IE must be present and can have any value in order for the filter entry to match

src-gsn

Syntax

src-gsn ip address

src-gsn ip-prefix-list ip-prefix-list-name

no src-gsn

Context

config>app-assure>group>gtp>gtp-fltr>imsi-apn-fltr>entry

Description

This command configures a matching condition for the GSN IP address. The IP address value is checked only against the source IP address of the GTP packets that contain an APN IE or an IMSI IE.

Parameters

ip address—

Specifies a valid unicast address associated with the IMSI-APN filter entry.

Values—

ipv4-address	a.b.c.d[/mask]
	mask - [1..32]
ipv6-address	x:x:x:x:x:x:x:x/prefix-length
	x:x:x:x:x:x:d.d.d.d
	x - [0..FFFF]H
	d - [0..255]D
	prefix-length [1..128]

ip-prefix-list-name—

Specifies an IP address prefix list for the source IP address match criteria, up to 32 characters.

action

Syntax

action {permit | deny}

Context

config>app-assure>group>gtp>gtp-fltr>imsi-apn-filter>entry

Description

This command specifies the context for configuring an action for the IMSI-APN filter entry.

Default

action permit

message-type

Syntax

message-type

Context

config>app-assure>group>gtp>gtp-filter

Description

This command specifies the context for configuration of GTP message-type filtering. If no message-type is specified within a filter, then all GTP message types are allowed.

default-action

Syntax

default-action {permit | deny}

Context

config>app-assure>group>gtp>gtp-fltr>msg

config>app-assure>group>gtp>gtp-fltr>msg-gtpv2

Description

This command configures the default action for all GTP message types.

Default

default-action permit

Parameters

permit—

Specifies to permit packets that do not match any message entries.

deny—

Specifies to deny packets that do not match any message entries.

entry

Syntax

entry entry-id value gtp-message-value action {permit | deny}

no entry entry-id

Context

config>app-assure>group>gtp>gtp-fltr>msg

Description

This command configures an entry for a specific GTPv1 message type value.

Parameters

entry-id—

Specifies the index into the GTP message value list that defines a custom message-type action.

Values—

1 to 255

gtp-message-value—

Specifies the GTPv1 message type, either as a numeric value or as a string.

Values—

1 to 255 or 256 characters {echo-request, echo-response, error-indication, g-pdu, supported-extension-headers-notification}

permit | deny—

Specifies the action to take for packets that match this GTP filter message entry.

max-payload-length

Syntax

max-payload-length bytes

no max-payload-length

Context

config>app-assure>group>gtp>gtp-filter

Description

This command specifies the maximum allowed GTP payload size.

The no form of this command removes this GTP message length filter.

Default

no max-payload-length

Parameters

bytes—

Specifies the packet length in bytes.

Values—

0 to 65535

message-type-gtpv2

Syntax

message-type-gtpv2

Context

config>app-assure>group>gtp>gtp-fltr

Description

This command specifies the context for the configuration of GTP-v2 message-type filtering. If no message-type-gtpv2 is specified within a filter, then all GTP message types are allowed, except for the messages that are dropped by GTP-C inspection because they violate the expected GTP protocol for the deployment interface (for example, roaming deployment).

The gtpc-inspection command must be enabled before configuring message-type-gtpv2 filtering.

entry

Syntax

entry entry-id value gtpv2-message-value action {permit | deny}

no entry entry-id

Context

config>app-assure>group>gtp>gtp-fltr>msg-gtpv2

Description

This command configures an entry for a specific GTPv2 message type value.

Default

entry permit

Parameters

entry-id—

Specifies the index into the GTP message value list that defines a custom message-type action.

Values—

516 to 770

gtpv2-message-value—

Specifies the GTPv2 message type, either as a numeric value or as a string.

Values—

1 to 255 or 256 characters (such as: echo-request, echo-response, create-session-request, modify-bearer-request, change-notification-request, change-notification-response, modify-bearer-response, create-session-response, delete-session-request, delete-session-response, remote-ue-report-notification, remote-ue-report-acknowledge)

permit | deny—

Specifies the action to take for packets that match this GTP filter message entry.

mode

Syntax

mode mode

Context

config>app-assure>group>gtp

Description

This command is used to either untunnel GTP-U traffic received on UDP port number 2152, or apply GTP filtering/firewall rules as specified under this GTP CLI context.

Default

mode filtering

Parameters

mode—

Specifies the operational mode of the command.

Values—

filtering — AA applies GTP filtering rules to GTP-U traffic, without further analysis of IP traffic tunneled within GTP.

untunneling — AA untunnels GTP traffic and provides analytical reporting of the applications running within the GTP tunnels. The rest of the commands under GTP CLI context (such as GTP-filter and event-log) are not applicable in this mode.

For AA to untunnel GTP traffic, the operator must configure “gtp” under the partition by using the config>app-assure>group>gtp command.

The following caveats apply:

Only GTP-U traffic with TID <> 0 is untunneled.

Any UDP but non-GTP traffic that uses port 2152 will be identified as UDP traffic.

Only GTP-U packets with message type: G-PDU (0xFF) is untunneled. Other GTP-U packets with different message types are reported as GTP Protocol.

Only GTP-u packets with non-fragmented outer IP and no IPv4 options or IPv6 extension headers are untunneled. Otherwise, no inner GTP tunnel classification is performed and the traffic is identified and reported as GTP protocol.

sctp-filter

Syntax

sctp-filter sctp-filter-name [create]

no sctp-filter sctp-filter-name

Context

config>app-assure>group

Description

This command enables the context to configure Stream Control Transmission Protocol (SCTP) parameters.

The no form of this command removes this filter.

Parameters

sctp-filter-name—

Specifies the SCTP filter name, up to 32 characters.

create—

Keyword used to create the SCTP filter.

event-log

Syntax

event-log event-log-name

no event-log

Context

config>app-assure>group>sctp-filter

Description

This command configures an event log for packets dropped by the SCTP filter.

Default

no event-log

Parameters

event-log-name—

Specifies the event log name to be used.

ppid

Syntax

ppid

Context

config>app-assure>group>sctp-filter

Description

This command enables the context to configure actions for specific or default Payload Protocol Identifiers (PPIDs).

default-action

Syntax

default-action {permit | deny}

Context

config>app-assure>group>sctp-fltr>ppid

Description

This command configures the default action for all SCTP PPIDs.

Default

default-action permit

Parameters

permit—

Specifies to permit packets that do not match any PPID entries.

deny—

Specifies to deny packets that do not match any PPID entries.

entry

Syntax

entry entry-id value ppid-value action {permit | deny}

no entry entry-id

Context

config>app-assure>group>sctp-fltr>ppid

Description

This command specifies if an SCTP PPID value is allowed or not.

The no form of this command removes this PPID. In which case, the default action for the sctp-filter>ppid is applied.

Parameters

entry-id—

Specifies the SCTP filter PPID entry identifier.

ppid-value—

Specifies the PPID value, either as numeric value or as a string.

Values—

0 to 4294967295 D, 256 chars max

action {permit | deny}—

Specifies to allow or deny the configured PPID.

ppid-range

Syntax

ppid-range min min-ppid max max-ppid

no ppid-range

Context

config>app-assure>group>sctp-filter

Description

This command specifies the range of PPID values that are allowed by AA SCTP filter firewall.

The no form of this command removes this PPID range.

Default

no ppid-range

Parameters

min-ppid —

Specifies the minimum SCTP Payload Protocol Identifier (PPID) to be permitted by the SCTP filter. The value must be less than or equal to the max max-ppid value.

Values—

0 to 4294967295

max-ppid —

Specifies the minimum SCTP Payload Protocol Identifier (PPID) to be permitted by the SCTP filter. The value must be greater or equal to the min min-ppid value.

Values—

0 to 4294967295

access-network-location

Syntax

access-network-location

Context

config>app-assure>group

Description

This command provides the context to configure parameters related to dynamic experience management, also known as Access Network Location (ANL).

These parameters include location source type congestion point and congestion detection parameters (such as roundtrip delay thresholds), if applicable.

source

Syntax

source source-type

source source-type level level

no source source-type

Context

config>app-assure>group>anl

Description

This command configures location sources for the dynamic experience management. The location source types are, for example, 3G and congestion point.

Default

source mobile-3g

Parameters

source-type—

Specifies the location or access technology.

Values—

access-point — Provides Dynamic Experience Management (DEM) for the WLGW access point.

Note:

The access points do not need to support the Nokia CEA function.

level—

Specifies which congestion point within the specified source-type to monitor for congestion.

Values—

MAC+VLAN — WLGW access point (MAC) and radio (VLAN).

Note:

The access points do not need to support the Nokia CEA function.

rtt-threshold

Syntax

rtt-threshold threshold

no rtt-threshold

Context

config>app-assure>group>anl>source

config>app-assure>group>aa-sub-cong

Description

This command configures the roundtrip delay threshold used by the DEM gateway algorithm to determine ANL congestion or subscriber congestion for NLB-DEM.

Default

rtt-threshold 173

Parameters

threshold—

Specifies the maximum acceptable round trip time (RTT), in milliseconds, for TCP connections with no congestion. Any measured RTT above the threshold is considered an indication of possible congestion.

Values—

0 to 500

rtt-threshold-tolerance

Syntax

rtt-threshold-tolerance tolerance

no rtt-threshold-tolerance

Context

config>app-assure>group>anl>source

config>app-assure>group>aa-sub-cong

Description

This command configures the ANL roundtrip delay threshold tolerance used by the DEM gateway algorithm to determine ANL-level or subscriber-level congestion.

Default

rtt-threshold-tolerance 50

Parameters

tolerance—

Specifies the ratio, in percentage, of RTTs above the configured threshold (rtt-threshold) over the total RTT measurements.

The ratio is calculated as follows, measured across a one-minute period:

rtt-threshold-tolerance = #(RTTs > rtt-threshold)/ (Total #RTTs)

If the rtt-threshold-tolerance ratio is exceeded, the ANL is declared congested.

Values—

0 to 100

Default—

aqp-initial-lookup

Syntax

aqp-initial-lookup

no aqp-initial-lookup

Context

config>app-assure>group:[partition]

Description

This command allows AA to perform AQP lookups on flows prior to complete application identification. As usual, AQP will be looked up again on identification complete. Without this, AA executes AQPs that are part of what so called “sub-default policy”. Sub-default policy is formed by regular AQPs that contain ASOs, subID and/or flow direction as matching conditions.

This behavior is required, for example, in order to be able apply GTP and SCTP filtering on the first packet of a new GTP/SCTP flow (AQP matching conditions in this case contains protocol id).

The no form of this command forces complete AQP look up on identification finish stage only.

Default

no aqp-initial-lookup

dhcp

Syntax

dhcp

Context

config>app-assure>group>transit-ip-policy

Description

This command enables dynamic DHCP-based management of transit aa-subs for the transit-ip-policy. This is mutually exclusive to other types management of transit subs for a given transit-ip-policy.

ipv6-address-prefix-length

Syntax

ipv6-address-prefix-length IPv6-prefix-length

no ipv6-address-prefix-length

Context

config>app-assure>group>transit-ip-policy

Description

This command configures a transit IP policy IPv6 address prefix length.

Default

no ipv6-address-prefix-length

Parameters

IPv6-prefix-length—

Specifies the prefix length of IPv6 addresses in this policy for both static and dynamic transits.

Values—

32 to 64

def-app-profile

Syntax

def-app-profile app-profile-name

no def-app-profile

Context

config>app-assure>group>transit-ip-policy

Description

This command configures a default application profile.

Default

no def-app-profile

Parameters

app-profile-name—

Specifies the application profile name, up to 32 characters.

detect-seen-ip

Syntax

[no] detect-seen-ip

Context

config>app-assure>group>transit-ip-policy

Description

This command enables the detection of transit subscribers based on the IP address.

radius

Syntax

radius

Context

config>app-assure>group>transit-ip-policy

Description

This command enables dynamic radius based management of transit aa-subs for the transit-ip-policy. This is mutually exclusive to other types management of transit subs for a given transit-ip-policy.

authentication-policy

Syntax

authentication-policy name

no authentication-policy

Context

config>app-assure>group>transit-ip>radius

Description

This command configures the RADIUS authentication-policy for the IP transit policy.

Default

no authentication-policy

Parameters

name—

Specifies the authentication policy name, up to 32 characters.

seen-ip-radius-acct-policy

Syntax

seen-ip-radius-acct-policy rad-acct-plcy-name

no seen-ip-radius-acct-policy

Context

config>app-assure>group>transit-ip-policy>radius

Description

This command refers to a RADIUS accounting-policy to enable seen-IP notification.

The no form of this command removes the policy.

Default

no seen-ip-radius-acct-policy

Parameters

rad-acct-plcy-name—

Specifies the RADIUS accounting policy name, up to 32 characters.

static-aa-sub

Syntax

static-aa-sub transit-aasub-name

static-aa-sub transit-aasub-name app-profile app-profile-name [create]

no static-aa-sub transit-aasub-name

Context

config>app-assure>group>transit-ip-policy

Description

This command configures static transit aa-subs with a name and an app-profile. A new transit sub with both a name and an app-profile is configured with the create command. Static transit aa-sub must have an explicitly assigned app-profile. An existing transit sub can optionally be assigned a different app-profile, or this command can be used to enter the static-aa-sub context.

The no form of this command deletes the named static transit aa-sub from the configuration.

Parameters

transit-aasub-name —

Specifies the name of a transit subscriber up to 32 characters in length.

app-profile-name—

Specifies the name of an existing application profile up to 32 characters in length.

create —

Keyword used to create a new app-profile entry.

ip

Syntax

[no] ip ip-address[/mask]

Context

config>app-assure>group>policy>transit-ip-policy>static-aa-sub

Description

This command configures the /32 IP address for a static transit aa-sub.

The no form of this command deletes the ip address assigned to the static transit aa-sub from the configuration.

Parameters

ip-address —

Specifies the IP address in a.b.c.d form.

Values—

ipv6-address/prefix:	ipv6-address x:x:x:x:x:x:x:x (eight 16-bit pieces)
	x:x:x:x:x:x:d.d.d.d
	x [0 to FFFF]H
	d [0 to 255]D
	prefix-length /32 to /64

sub-ident-policy

Syntax

sub-ident-policy sub-ident-policy-name

no sub-ident-policy

Context

config>app-assure>group>transit-ip-policy

Description

This command associates a subscriber identification policy to this SAP. The subscriber identification policy must be defined prior to associating the profile with a SAP in the config>subscribermgmt>sub-ident-policy context.

Subscribers are managed by the system through the use of subscriber identification strings. A subscriber identification string uniquely identifies a subscriber. For static hosts, the subscriber identification string is explicitly defined with each static subscriber host.

For dynamic hosts, the subscriber identification string must be derived from the DHCP ACK message sent to the subscriber host. The default value for the string is the content of Option 82 CIRCUIT-ID and REMOTE-ID fields interpreted as an octet string. As an option, the DHCP ACK message may be processed by a subscriber identification policy which has the capability to parse the message into an alternative ASCII or octet string value.

When multiple hosts on the same port are associated with the same subscriber identification string they are considered to be host members of the same subscriber.

A sub-ident-policy can also be used for identifying dynamic transit subscriber names.

The no form of this command removes the default subscriber identification policy from the SAP configuration.

Default

no sub-ident-policy

Parameters

sub-ident-policy-name—

Specifies the subscriber identification policy name, up to 32 characters.

transit-auto-create

Syntax

transit-auto-create

Context

config>app-assure>group>transit-ip-policy

Description

This command enables seen-IP auto creation of transit subscribers using the transit-IP-policy name and subscriber IP address as the AA-sub name. The default app-profile configured against the transit-ip-policy is applied to these subscribers.

transit-prefix-ipv4-entries

Syntax

transit-prefix-ipv4-entries entries

no transit-prefix-ipv4-entries

Context

config>isa>aa-grp

Description

This command defines the number of transit-prefix IPv4 entries for an ISA.

The no form of this command removes the assignment of entries space from the configuration. All entries must be removed in order to delete the configuration.

Default

no transit-prefix-ipv4-entries

Parameters

entries—

Specifies an integer that determines the number of transit-prefix-ipv4 entries.

Values—

0 to 16383

transit-prefix-ipv4-remote-entries

Syntax

transit-prefix-ipv4-remote-entries entries

no transit-prefix-ipv4-remote-entries

Context

config>isa>aa-grp

Description

This command configures the ISA-AA-group transit prefix IPv4 remote entry limit. This entry space is allocated on the IOM within a common area with the second MDA/ISA position of the IOM and also used for IPv4filter entries for system SDPs. The per-ISA size allocated for transit-prefix-ipv4 entries should be set to allow sufficient space on the IOM for SDP IPv4 filters.

The no form of this command removes the assignment of entries space from the configuration. All entries must be removed in order to delete the configuration.

Default

no transit-prefix-ipv4-remote-entries

Parameters

entries —

Specifies the ISA-AA-Group transit prefix IPv4 remote entry limit.

Values—

0 to 2047

transit-prefix-ipv6-entries

Syntax

transit-prefix-ipv6-entries entries

no transit-prefix-ipv6-entries

Context

config>isa>aa-grp

Description

This command configures the ISA-AA-group transit prefix IPv6 entry limit for each ISA in the group. This entry space is allocated on the IOM within a common area with the second MDA / ISA position of the IOM and also used for ipv6-filter entries for system SDPs. The per-ISA size allocated for transit-prefix-ipv6 entries should be set to allow sufficient space on the IOM for SDP ipv6-filters.

The no form of this command removes the assignment of entries space from the configuration. All entries must be removed in order to delete the configuration.

Default

no transit-prefix-ipv6-entries

Parameters

entries—

Specifies the ISA-AA-Group transit prefix IPv6 entry limit.

Values—

0 to 8191

transit-prefix-ipv6-remote-entries

Syntax

transit-prefix-ipv6-remote-entries entries

no transit-prefix-ipv6-remote-entries

Context

config>isa>aa-grp

Description

This command configures the ISA-AA-group transit prefix IPv6 remote entry limit. This entry space is allocated on the IOM within a common area with the second MDA/ISA position of the IOM and also used for IPv6filter entries for system SDPs. The per-ISA size allocated for transit-prefix-ipv6 entries should be set to allow sufficient space on the IOM for SDP IPv6 filters.

The no form of this command removes the assignment of entries space from the configuration. All entries must be removed in order to delete the configuration.

Default

no transit-prefix-ipv6-remote-entries

Parameters

entries—

Specifies the ISA-AA-Group transit prefix IPv6 remote entry limit.

Values—

0 to 1023

vm-traffic-distribution-by-teid

Syntax

[no] vm-traffic-distribution-by-teid

Context

config>isa>aa-grp

Description

This command configures AA in VSR mode to load-balance traffic across different VM cores using TEID. Load-balancing is required when VSR is deployed on 3GPP S5/S8 (Gn/Gp) interfaces to provide GTP firewalling.

The no form of this command disables load-balancing of the traffic across the VM cores.

Default

no vm-traffic-distribution-by-teid

transit-policy

Syntax

transit-policy ip ip-aasub-policy-id

transit-policy prefix prefix-aasub-policy-id

no transit-policy

Context

config>service>ies>if>sap

config>service>ies>if>spoke-sdp

config>service>vprn>if>sap

config>service>vprn>if>spoke-sdp

config>service>epipe>sap

config>service>epipe>spoke-sdp

config>service>ipipe>sap

config>service>ipipe>spoke-sdp

config>service>vpls>sap

config>service>vpls>spoke-sdp

Description

This command associates a transit AA subscriber IP or prefix policy to the service. The transit policy must be defined prior to associating the policy with a SAP in the config>app-assure>group>transit-ip-policy or transit-prefix-policy context.

The no form of this command removes the association of the policy to the service.

Parameters

ip-aasub-policy-id—

Specifies a transit IP policy ID.

Values—

1 to 65535

prefix-aasub-policy-id—

Specifies a transit prefix policy ID.

Values—

1 to 65535

transit-prefix-policy

Syntax

transit-prefix-policy prefix-policy-id [create]

no transit-prefix-policy prefix-policy-id

Context

config>app-assure>group

Description

This command defines a transit aa subscriber prefix policy. Transit AA subscribers are managed by the system through the use of this policy assigned to services, which determines how transit subs are created and removed for that service.

The no form of this command deletes the policy from the configuration. All associations must be removed in order to delete a policy.

Parameters

prefix-policy-id —

Indicates the transit prefix policy to which this subscriber belongs.

Values—

1 to 65535

create—

Mandatory keyword used when creating transit prefix policy. The create keyword requirement can be enabled/disabled in the environment>create context.

entry

Syntax

entry entry-id [create]

entry entry-id

no entry entry-id

Context

config>app-assure>group>transit-prefix-policy

Description

This command configures the index to a specific entry of a transit prefix policy.

The no form of this command removes the entry ID from the transit prefix policy configuration.

Parameters

entry-id—

Specifies a transit prefix policy entry.

Values—

1 to 4294967295

create—

Keyword used when creating an entry.

aa-sub

Syntax

aa-sub transit-aasub-name

no aa-sub

Context

config>app-assure>group>transit-prefix-policy>entry

Description

This command configures a transit prefix policy entry subscriber.

The no form of this command removes the transit subscriber name from the transit prefix policy configuration.

Parameters

transit-aasub-name—

specifies the name of the transit prefix AA subscriber up to 32 characters.

match

Syntax

match

Context

config>app-assure>group>transit-prefix-policy>entry

Description

This command enables the context to configure transit prefix policy entry match criteria.

aa-sub-ip

Syntax

aa-sub-ip ip-address[/mask]

no aa-sub-ip

Context

config>app-assure>group>transit-prefix-policy>entry>match

Description

This command configures a transit prefix subscriber ip address prefix. It is used when the site is on the local side, being the same side of the system as the parent SAP. The local aa-sub-ip addresses represent the src-IP in the from-SAP direction and dest-IP in the to-SAP direction.

The no form of this command deletes the aa-sub-ip address assigned from the entry configuration.

Default

no aa-sub-ip

Parameters

ip-address[/mask]—

Specifies the address type of the subscriber address prefix associated with this transit prefix policy entry.

Values—

ip-address[/mask] :	ipv4-address - a.b.c.d[/mask]
	mask - [1..32]
	ipv6-address - x:x:x:x:x:x:x:x/prefix-length
	x:x:x:x:x:x:d.d.d.d
	x - [0..FFFF]H
	d - [0..255]D
	prefix-length [1..128]

network-ip

Syntax

network-ip ip-address[/mask]

no network-ip

Context

config>app-assure>group>transit-prefix-policy>entry>match

Description

This command configures an entry for an address of prefix transit aa-sub and is used when the site is a remote site on the same opposite side of the system as the parent SAP. The network IP addresses represents the dest-IP in the from-SAP direction and src-IP in the to-SAP direction.

The no form of this command removes the network IP address/mask from the match criteria.

Parameters

ip-address[/mask]—

specifies the network address prefix and length associated with this transit prefix policy entry.

Values—

ip-address[/mask] :	ipv4-address - a.b.c.d[/mask]
	mask - [1..32]
	ipv6-address - x:x:x:x:x:x:x:x/prefix-length
	x:x:x:x:x:x:d.d.d.d
	x - [0..FFFF]H
	d - [0..255]D
	prefix-length [1..128]

static-aa-sub

Syntax

static-aa-sub transit-aasub-name

static-aa-sub transit-aasub-name app-profile app-profile-name [create]

no static-aa-sub transit-aasub-name

Context

config>app-assure>group>transit-prefix-policy

config>app-assure>group>transit-ip-policy>static

Description

This command configures a static transit aa-sub with a name and an app-profile. A new transit sub with both a name and an app-profile is configured with the create command. Static transit aa-sub must have an explicitly assigned app-profile. An existing transit sub can optionally be assigned a different app-profile, or this command can be used to enter the static-aa-sub context.

The no form of this command deletes the named static transit aa-sub from the configuration.

Parameters

transit-aasub-name—

Specifies a transit aasub-name up to 32 characters.

app-profile-name —

Specifies the name of an existing application profile up to 32 characters.

create —

Keyword used to create a new app-profile entry

static-remote-aa-sub

Syntax

static-remote-aa-sub transit-aasub-name

static-remote-aa-sub transit-aasub-name app-profile app-profile-name [create]

no static-remote-aa-sub transit-aasub-name

Context

config>app-assure>group>transit-prefix-policy

Description

This command configures static remote transit aa-subs with a name and an app-profile. Remote transit subscribers are configured for sites on the opposite side of the system as the parent SAP/spoke- SDP. A new remote transit sub with both a name and an app-profile is configured with the create command. Static remote transit aa-subs must have an explicitly assigned app-profile. An existing remote transit sub can optionally be assigned a different app-profile.

The no form of this command removes the name from the transit prefix policy.

Parameters

transit-aasub-name—

Specifies a transit aasub-name up to 32 characters.

app-profile-name —

Specifies the name of an existing application profile up to 32 characters.

create —

Keyword used to create a new app-profile entry.

sap

Syntax

sap card/mda/aa-svc:vlan [create]

no sap

Context

config>service>vprn>aa-if

config>service>ies>aa-if

Description

This commands specifies which ISA card and which VLAN is used by a given AA Interface.

Default

no sap

Parameters

card/mda/aa-svc:vlan—

Specifies the AA ISA card slot/port and VLAN information.

create—

Keyword used to create the AARP instance.

group

Syntax

group aa-group-id

Context

admin>app-assure

Description

This commands performs a group-specific upgrade.

Parameters

aa-group-id—

Specifies the AA group identifier.

Values—

1 to 255

url-list

Syntax

url-list url-list-name [create]

no url-list url-list-name

Context

config>app-assure>group

Description

This command configures a url-list object. The url-list points to a file containing a list of URLs located on the system Compact Flash. The url-list is then referenced in a url-filter object in order to filter and redirect subscribers when a URL from this file is accessed.

The no form of this command removes the url-list object.

Parameters

url-list-name—

Specify the Application-Assurance url-list

create—

Keyword used to create the URL list.

decrypt-key

Syntax

decrypt-key key | hash-key | hash2-key [hash | hash2 | custom]

no decrypt-key

Context

config>app-assure>group>url-list

Description

In case the file is encrypted this command is used to configure the decryption key used to read the file.

The no form of this command removes the url-list object.

Default

no decrypt-key

Parameters

key | hash-key | hash2-key—

Specifies the Application-Assurance url-list decryption key.

hash—

hash2—

custom—

Specifies the custom encryption to management interface.

file

Syntax

file file-url

no file

Context

config>app-assure>group>url-list

Description

This command specifies the file for the URL list.

The no form of this command removes the url-list object.

Default

no file

Parameters

file-url—

Specifies the flash ID or file path.

Values—

[cflash-id/] file-path: [200 chars max]

cflash-id: - cf1: | cf1-A: | cf1-B: | cf2: | cf2-A: | cf2-B: | cf3: | cf3-A: | cf3-B:

size

Syntax

size url-list-size

Context

config>app-assure>group>url-list

Description

This command specifies the size of the URL list that can be filtered. The size can be set to either standard or extended. Configuring the specified url-list as extended provides support for filtering on a larger number of URLs.

Default

size standard

Parameters

url-list-size—

Specifies the size of the AA url-list for URL filtering.

Values—

standard, extended

url-filter

Syntax

url-filter url-filter-name [create]

no url-filter url-filter-name

Context

config>app-assure>group

Description

This command configures a URL filter action for flows of a specific type matching this entry.

If no URL filters are specified then no URL filters will be evaluated.

Parameters

url-filter-name—

Specifies the Application-Assurance URL filter that will be evaluated.

default-action

Syntax

default-action allow

default-action block-all

default-action block-http-redirect http-redirect-name

no default-action

Context

config>app-assure>group>policy>aqp>entry>action>url-filter

Description

This command configures the default action to take when the ICAP server is unreachable.

Default

no default-action

Parameters

allow—

Allows all requests.

block-all—

Blocks all requests.

block-http-redirect http-redirect-name—

Blocks and redirects requests.

http-request-filtering

Syntax

http-request-filtering {all | first}

Context

config>app-assure>group>url-filter

Description

HTTP Filtering can either be enabled for all HTTP request within a flow or limited to the first HTTP request in a flow.

Default

http-request-filtering all

Parameters

all —

Specifies all HTTP Request within a flow.

first —

Specifies the first HTTP Request within a flow.

http-redirect

Syntax

http-redirect http-redirect-name

no http-redirect

Context

config>app-assure>group>url-filter

Description

This command specifies the HTTP redirect that will be applied when the Internet Content Adaptation Protocol (ICAP) server blocks an HTTP request.

Default

no http-redirect

Parameters

http-redirect-name—

Specifies the ICAP HTTP redirect name up to 32 characters.

server

Syntax

server ip-address[:port] [create]

no server ip-address[:port]

Context

config>app-assure>group>url-filter>icap

Description

This command configures the IP address and server port of the ICAP server.

Parameters

ip-address[:port]—

Specifies the ICAP server IP address and port.

vlan-id

Syntax

vlan-id service-port-vlan-id

no vlan-id

Context

config>app-assure>group>url-filter>icap

Description

This command configures the VLAN ID on which the ISA-AA is expected to be emitting traffic mapping to a pre-configured aa-interface.

Default

no vlan-id

Parameters

service-port-vlan-id—

Specifies the VLAN ID.

Values—

1 to 4094

custom-x-header

Syntax

custom-x-header x-header-name

no custom-x-header

Context

config>app-assure>group>url-filter>icap

Description

This command configures the url-filter ICAP policy to include a new x-header field; the content of the x-header is populated based on AQP url-filter action which can optionally specify the ASO characteristic value to include in the x-header.

Default

no custom-x-header

Parameters

x-header-name —

Specifies the name of the x-header added to the ICAP request.

local-filtering

Syntax

local-filtering

Context

config>app-assure>group>url-filter

Description

This command configures a URL filter policy for local filtering in order to filter traffic based on a list of URLs located on a file stored in the router compact flash.

url-list

Syntax

[no] url-list url-list-name

Context

admin>app-assure>group>url-filter>local-filtering

Description

This command adds a URL list to the local filtering URL filter policy.

The no form of this command removes the URL list object.

Parameters

url-list-name—

Specify the URL list.

web-service

Syntax

web-service

Context

config>app-assure>group>url-filter

Description

This command enables the context to configure the URL filter policy using web-service filtering. The operator must configure the web service, host name, DNS server to use, the AA interface VLAN ID, and provision the category profiles.

classifier

Syntax

classifier classifier category-set-id category-set

no classifier

Context

config>app-assure>group>url-filter>web-service

Description

This command selects the web service to use from the supported web services.

The no form of this command removes the selected web service.

Default

no classifier

Parameters

classifier—

Specifies the web service to use.

Values—

web-service-1 | web-service-2

category-set—

Specifies the category ID set to use for URL categorization. A category-set ID defines the list of categories that the web service uses to perform URL categorization.

Values—

1 to 2

default-profile

Syntax

default-profile profile-name

no default-profile

Context

config>app-assure>group>url-filter>web-service

Description

This command configures the default category profile to use when no category profile is explicitly selected for the subscriber.

The no form of this command removes the selected default profile configuration.

Default

no default-profile

Parameters

profile-name—

Specifies a configured category profile to use as the default profile name, up to 256 characters.

dns-server

Syntax

dns-server ip-address

no dns-server

Context

config>app-assure>group>url-filter>web-service

Description

This command configures the DNS server that is used to resolve the web service host name.

The no form of this command removes the DNS server configuration.

Default

no dns-server

Parameters

ip-address—

Specifies the IP address of the DNS server to use.

Values—

a.b.c.d[/mask] (IPv4),

x:x:x:x:x:x:x:x/prefix-length (IPv6)

no vlan-id

Parameters

vlan-id—

Specifies the VLAN ID to connect to the web service.

Values—

1 to 4094

wap1x

Syntax

wap1x

Context

config>app-assure>group

Description

This command configures the Wireless Application Protocol (WAP) 1.X.

packet-rate-high-wmark

Syntax

packet-rate-high-wmark high-watermark

no packet-rate-high-wmark

Context

config>app-assure

Description

This command configures the packet rate on the ISA-AA when a packet rate alarm will be raised by the agent.

The no form of this command reverts to the default.

Default

packet-rate-high-wmark max

Parameters

high-watermark—

Specifies the high watermark for packet rate alarms. The value must be larger than or equal to the packet-rate-low-wmark low-watermark value.

Values—

1 to 14880952, max packets/sec (disabled)

packet-rate-low-wmark

Syntax

packet-rate-low-wmark low-watermark

no packet-rate-low-wmark

Context

config>app-assure

Description

This command configures the packet rate on the ISA-AA when a packet rate alarm will be cleared by the agent.

The no form of this command reverts to the default.

Default

packet-rate-low-wmark 0

Parameters

low-watermark—

Specifies the low watermark for packet rate alarms. The value must be lower than or equal to the packet-rate-high-wmark high-watermark value.

Values—

0 to 14880952 packets per second

protocol

Syntax

protocol protocol-name

Context

config>app-assure

Description

This command configures the shutdown of protocols system-wide.

Parameters

protocol-name—

Specifies a shut-able (disable) protocol name.

shutdown

Syntax

[no] shutdown

Context

config>app-assure>protocol

Description

This command administratively disables the protocol specified in protocol protocol-name.

The no form of this command enables the protocol.

radius-accounting-policy

Syntax

radius-accounting-policy rad-acct-plcy-name [create]

no radius-accounting-policy rad-acct-plcy-name

Context

config>app-assure

config>app-assure>group>statistics>aa-sub

Description

This command specifies an existing subscriber RADIUS-based accounting policy to use for AA. RADIUS accounting policies are configured in the config>app-assure>radius-accounting-policy context.

Default

no radius-accounting-policy

Parameters

rad-acct-plcy-name—

Specifies the policy name. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.

create—

Keyword used to create the policy.

interim-update-interval

Syntax

interim-update-interval minutes

no interim-update-interval

Context

config>app-assure>rad-acct-plcy

Description

This command configures the interim update interval.

The no form of this command reverts to the default.

Default

no interim-update-interval

Parameters

minutes—

Specifies the interval at which subscriber accounting data will be updated. If set no value is specified then no interim updates will be sent.

Values—

5 to 1080

radius-accounting-server

Syntax

radius-accounting-server

Context

config>app-assure>rad-acct-plcy

Description

This command creates the context for defining RADIUS accounting server attributes under a given session authentication policy.

access-algorithm

Syntax

access-algorithm {direct | round-robin}

Context

config>app-assure>rad-acct-plcy>server

Description

This command configures the algorithm used to access the list of configured RADIUS servers.

Default

access-algorithm direct

Parameters

direct —

Specifies that the first server will be used as primary server for all requests, the second as secondary and so on.

round-robin—

Specifies that the first server will be used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

retry

Syntax

retry count

Context

config>app-assure>rad-acct-plcy>server

Description

This command configures the number of times the router attempts to contact the RADIUS server for authentication, if not successful the first time.

The no form of this command reverts to the default value.

Default

retry 3

Parameters

count—

Specifies the retry count.

Values—

1 to 10

router

Syntax

router router-instance

router service-name service-name

no router

Context

config>app-assure>rad-acct-plcy>server

Description

This command specifies the number of times the router attempts to contact the RADIUS server for authentication, if not successful the first time.

The no form of this command reverts to the default value.

Default

no router

Parameters

router-instance—

Specifies the router name or service ID used to specify the router instance.

service-name—

Specifies the service name to identify the service, up to 64 characters.

server

Syntax

server server-index address ip-address secret key [hash | hash2 | custom] [port port] [create]

no server server-index

Context

config>app-assure>rad-acct-plcy>server

Description

This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.

Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried.

The no form of this command removes the server from the configuration.

Parameters

server-index—

The index for the RADIUS server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.

Values—

1 to 16 (a maximum of 5 accounting servers)

address ip-address—

The IP address of the RADIUS server. Two RADIUS servers cannot have the same IP address. An error message is generated if the server address is a duplicate.

secret key—

Specifies the secret key value.

Values—

The secret key to access the RADIUS server. This secret key must match the password on the RADIUS server.

secret-key — A string up to 20 characters in length.

hash-key — A string up to 33 characters in length.

hash2-key — A string up to 55 characters in length.

hash—

hash2—

custom—

Specifies the custom encryption to management interface.

port—

Specifies the UDP port number on which to contact the RADIUS server for authentication.

Values—

1 to 65535

source-address

Syntax

source-address ip-address

no source-address

Context

config>app-assure>rad-acct-plcy>server

Description

This command configures the source address of the RADIUS packet. The system IP address must be configured in order for the RADIUS client to work. See “Configuring a System Interface” in the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide. The system IP address must only be configured if the source-address is not specified. When the no source-address command is executed, the source address is determined at the moment the request is sent. This address is also used in the nas-ip-address attribute: over there it is set to the system IP address if no source address was given.

The no form of this command reverts to the default value, where the source address is the system IP address.

Default

no source-address

Parameters

ip-address—

The IP prefix for the IP match criterion in dotted decimal notation.

Values—

0.0.0.0 - 255.255.255.255

timeout

Syntax

timeout seconds

Context

config>app-assure>rad-acct-plcy>server

Description

This command configures the number of seconds the router waits for a response from a RADIUS server.

The no form of this command reverts to the default value.

Default

timeout 5

Parameters

seconds—

Specifies the time the router waits for a response from a RADIUS server.

Values—

1 to 90

significant-change

Syntax

significant-change delta

no significant-change

Context

config>app-assure>rad-acct-plcy

Description

This command configures the significant change required to generate the record.

The no form of this command reverts to the default.

Default

no significant-change

Parameters

delta—

Specifies the delta change (significant change) that is required for the charging-group counts to be included in the RADIUS Accounting VSAs.

Values—

0 to 4294967295

aa-interface

Syntax

aa-interface aa-if-name [create]

no aa-interface aa-if-name

Context

config>service>ies

config>service>vprn

Description

This commands creates a new AA interface within an IES or VPRN service. It is used by the aa-isa to send/receive IPv4 traffic. In the context of ICAP url-filtering this interface is used by the ISA to establish ICAP TCP connections to the ICAP servers.

This interface supports /31 subnet only, and uses by default .1q encapsulation.

The system will automatically configure the ISA IP address based on the address configured by the operator under the aa-interface object (which represents the ISA sap facing interface on the ISA).

Parameters

aa-if-name—

specifies the name of the AA Interface.

create—

Keyword that specifies to create the interface.

address

Syntax

address {ip-address/mask | ip-address netmask}

no address [ip-address/mask | ip-address netmask]

Context

config>service>ies>aa-interface

config>service>vprn>aa-interface

Description

This command assigns an IP address to the interface.

Default

no address

Parameters

ip-address/mask—

Specifies an IP address/IP subnet format to the interface.

ip-address netmask—

Specifies a string of 0s and 1s that mask or screen out the network part of an IP address so that only the host computer part of the address remains.

create—

Keyword that specifies to create the interface.

ip-mtu

Syntax

ip-mtu octets

no ip-mtu

Context

config>service>ies>aa-interface

config>service>vprn>aa-interface

Description

This command configures the AA interface IP MTU.

Default

no ip-mtu

Parameters

octets—

Specifies the MTU value.

Values—

512 to 9786

sap

Syntax

sap sap-id [create]

no sap sap-id

Context

config>service>ies>aa-interface

config>service>vprn>aa-interface

Syntax

filter ip ip-filter-id

no filter [ip ip-filter-id]

Context

config>service>ies>aa-if>sap>egress

config>service>vprn>aa-if>sap>egress

Description

This command applies an IP filter to the SAP.

Default

no filter

Parameters

ip-filter-id—

Specifies an existing IP filter ID.

Values—

1 to 65535, or name up to 64 characters maximum

qos

Syntax

qos policy-id

no qos [policy-id]

Context

config>service>ies>aa-if>sap>egress

config>service>ies>aa-if>sap>ingress

config>service>vprn>aa-if>sap>egress

config>service>vprn>aa-if>sap>ingress

Description

This command applies an QoS policy to the SAP.

Default

qos 1

Parameters

policy-id—

Specifies an existing QoS policy ID.

3.4.2.4.8. System Persistence Commands

persistence

Syntax

persistence

Context

config>system

Description

This command enables the context to configure persistence parameters on the system.

The persistence feature enables state on information learned through DHCP snooping across reboots to be retained. This information includes data such as the IP address and MAC binding information, lease-length information, and ingress SAP information (required for VPLS snooping to identify the ingress interface).

If persistence is enabled when there are no DHCP relay or snooping commands enabled, it will simply create an empty file.

Default

no persistence

application-assurance

Syntax

application-assurance

Context

config>system>persistence

Description

This command enables the context to configure application assurance persistence parameters.

location

Syntax

location cflash-id

no location

Context

config>system>persistence>application-assurance

Description

This command instructs the system where to write the file. The name of the file is: appassure.db. On boot the system scans the file systems looking for appassure.db, if it finds it, it starts to load it.

The no form of this command returns the system to the default. If there is a change in file location while persistence is running, a new file will be written on the new flash, and then the old file will be removed.

Default

no location

Parameters

cflash-id—

Specifies the compact flash type.

Values—

cf1:, cf2:, cf3:

3.4.2.5. ISA Commands

3.4.2.5.1. Application Assurance Group Commands

application-assurance-group

Syntax

application-assurance-group application-assurance-group-index [create] [aa-sub-scale sub-scale]

no application-assurance-group application-assurance-group-index

Context

config>isa

Description

This command enables the context to create an application assurance group with the specified system-unique index and enables the context to configure that group’s parameters.

The no form of this command deletes the specified application assurance group from the system. The group must be shutdown first.

Parameters

application-assurance-group-index —

Specifies an integer to identify the AA group

Values—

1 to 255

create—

Mandatory keyword used when creating an application assurance group in the ISA context. The create keyword requirement can be enabled or disabled in the environment>create context.

sub-scale—

Specifies the set of scaling limits that are supported with regards to the maximum number of AA subscribers per ISA, the max flow scale, and the corresponding policy scale that can be specified.

Values—

residential	Scaling limits for ISA2 residential operation (on VSR, it has the same scale as residential-8k)
residential-8k	Scaling limits for VSR or ESA-vm residential 8k sub operation
residential-16k	Scaling limits for VSR or ESA-vm residential 16k sub operation
residential-32k	Scaling limits for VSR or ESA-vm residential 32k sub operation
residential-64k	Scaling limits for VSR or ESA-vm residential 64k sub operation
vpn	Scaling limits for SR AA VPN operation
vpn-1k	Scaling limits for VSR or ESA-vm AA VPN 1k sub operation
vpn-2k	Scaling limits for VSR or ESA-vm AA VPN 2k sub operation
vpn-4k	Scaling limits for VSR or ESA-vm AA VPN 4k sub operation
vpn-8k	Scaling limits for VSR or ESA-vm AA VPN 8k sub operation
lightweight-internet	Scaling limits for ISA2 or VSR operation as a wireless LAN gateway using DSM subscribers

Default—

residential

backup

Syntax

[no] backup [mda-id | esa-vm-id]

Context

config>isa>aa-grp

Description

This command assigns an AA ISA or ESA-VM configured in the specified location to this application assurance group. The backup module provides the application assurance group with warm redundancy when the primary module in the group is configured. Primary and backup modules have equal operational status and when both module are coming up, the ones that becomes operational first becomes the active module. A module can serve as a backup for multiple AA ISA cards but only one can fail to it at one time.

On an activity switch from the primary module, configurations are already on the backup MDA but flow state information must be re-learned. Any statistics not yet spooled will be lost. Auto-switching from the backup to primary, once the primary becomes available again, is not supported.

Operator is notified through SNMP events when:

When the AA service goes down (all modules in the group are down) or comes back up (a module in the group becomes active).
When AA redundancy fails (one of the modules in the group is down) or recovers (the failed module comes back up).
When an AA activity switch occurred.

The no form of this command removes the specified module from the application assurance group.

Parameters

mda-id—

Specifies the slot and MDA, identifying a provisioned module to use as a backup module.

Values—

slot/mda
slot	1 to 10, depending on chassis model
mda	1 to 2

esa-vm-id—

Specifies the ESA and VM, identifying a provisioned module to use as a backup module; for example, an ESA 1 with VM2 would be referred to as esa-1/2.

Values—

esa-esa-id/vm-id
esa-id	1 to 16
vm-id	1 to 4

divert-fc

Syntax

[no] divert-fc fc-name

Context

config>isa>aa-grp

Description

This command selects a forwarding class in the system to be diverted to an application assurance engine for this application assurance group. Only traffic to/from subscribers with application assurance enabled is diverted.

To divert multiple forwarding classes, the command needs to be executed multiple times specifying each forwarding class to be diverted at a time.

The no form of this command stops diverting of the traffic to an application assurance engine for this application assurance group.

Parameters

fc-name—

Creates a class instance of the forwarding class fc-name.

Values—

be, l2, af, l1, h2, ef, h1, nc

fail-to-open

Syntax

[no] fail-to-open

Context

config>isa>aa-grp

Description

This command configures the mode of operation during an operational failure of this application assurance group when no application assurance engines are available to service traffic. When enabled, all traffic that was to be inspected will be dropped. When disabled, all traffic that was to be inspected will be forwarded without any inspection as if the group was not configured at all.

Default

no fail-to-open

flow-attribute

Syntax

[no] flow-attribute flow-attribute name

Context

config>isa>aa-grp

Description

This command enables the specified flow attribute.

The no form of this command disables the attribute.

Parameters

flow-attribute name—

Specifies the name of the flow attribute, up to 256 characters.

Values—

video	This attribute specifies streaming or real-time video media traffic transferred between a sender and receiver. It does not differentiate adaptive and nonadaptive video streaming. Assigned to flows based on packet payload inspection (many protocols) or behavioral mechanisms, and may be used together with the RTC attribute to identify video call traffic.
abr_service	This attribute is assigned to adaptive bit rate traffic exchanges where the traffic rate or behavior can be automatically adjusted based on changes in network conditions. Assigned by application filter configuration or by behavioral mechanisms.
audio	This attribute is assigned to streaming or real-time audio media traffic transferred between a sender and receiver. Assigned to flows based on packet payload inspection or behavioral mechanisms, and may be used together with the RTC attribute to identify voice call traffic.
encrypted	This attribute is assigned to traffic exchanges where the initial payload or the entirety of the exchange is encrypted. Assigned to sessions based on packet payload inspection or by behavioral mechanisms.
download	This attribute is assigned to traffic that has a high likelihood of exchanging data predominantly in the network to subscriber direction over the lifetime of a session. May be assigned to sessions based on behavioral mechanisms.
upload	This attribute is assigned to traffic that has a high likelihood of exchanging data predominantly in the subscriber to network direction over the lifetime of the session. The upload and download attributes are mutually exclusive. Assigned to sessions based on behavioral mechanisms.
real_time_communication	This attribute is assigned to traffic that provides a low latency or real-time exchange of information between two or more communicating endpoints. Assigned by packet payload inspection of an RTP protocol being used or by behavioral mechanisms.
esni	This attribute is assigned to traffic that uses an encrypted server name indication (eSNI), as part of the TLS layer negotiation

http-enrich-max-pkt

Syntax

[no] http-enrich-max-pkt size

Context

config>isa>aa-grp

Description

This command configures the maximum HTTP enriched packet size.

Parameters

size—

Specifies the maximum HTTP enriched packet size in octets.

Values—

576 to 9212

Default—

1500

isa-capacity-cost-high-threshold

Syntax

isa-capacity-cost-high-threshold threshold

no isa-capacity-cost-high-threshold

Context

config>isa>aa-grp

Description

This command configures the ISA-AA capacity cost high threshold.

The no form of this command reverts the threshold to the default value.

Default

isa-capacity-cost-high-threshold 4294967295

Parameters

threshold—

Specifies the capacity cost high threshold for the ISA-AA group.

Values—

0 to 4294967295

isa-capacity-cost-low-threshold

Syntax

isa-capacity-cost-low-threshold threshold

no isa-capacity-cost-low-threshold

Context

config>isa>aa-grp

Description

This command configures the ISA-AA capacity cost low threshold.

The no form of this command reverts the threshold to the default value.

Default

isa-capacity-cost-low-threshold 0

Parameters

threshold—

Specifies the capacity cost low threshold for the ISA-AA group.

Values—

0 to 4294967295

isa-overload-cut-through

Syntax

[no] isa-overload-cut-through

Context

config>isa>aa-grp

Description

This command configures the ISA group to enable cut-through of traffic if an overload event occurs, triggered when the IOM weighted average queues depth exceeds the wa-shared-high-wmark. In this ISA state, packets are cut-through from application analysis but retain subscriber context with default subscriber policy applied.

The no form of this command disables cut-through processing on overload.

Default

no isa-overload-cut-through

minimum-isa-generation

Syntax

minimum-isa-generation min-isa-generation

Context

config>isa>aa-grp

Description

This command configures the scale parameters for the ISA group. When min-isa-generation is configured as 1, the group and per-ISA limits are the MS-ISA scale.

If there is a mix of ISA 1s and 2s, the min-isa-generation must be left as 1.

When min-isa-gen is configured as 2, the per-isa resource limits shown in the show isa application-assurance-group 1 load-balance output will increase to show ISA2 limits.

Default

minimum-isa-generation 1

Parameters

min-isa-generation—

Specifies the minimum ISA Generation allowed in this group.

Values—

1 – ISA (ISA1)

2 – ISA2

overload-sub-quarantine

Syntax

overload-sub-quarantine

This command assigns an AA ISA or ESA-VM configured in the specified location to this application assurance group. Primary and backup ISAs have equal operational status and when both ISAs are coming up, the one that becomes operational first becomes the active ISA.

On an activity switch from the primary ISA, all configurations are already on the backup ISA but flow state information must be re-learned. Any statistics not yet spooled will be lost. Auto-switching from the backup to primary, once the primary becomes available again, is not supported.

Operator is notified through SNMP events when:

When AA service goes down (all ISAs in the group are down) or comes back up (an ISA in the group becomes active)
When AA redundancy fails (one of the ISAs in the group is down) or recovers (the failed MDA comes back up)
When an AA activity switch occurred.

The no form of this command removes the specified ISA from the application assurance group.

Parameters

mda-id—

Specifies the slot/mda or esa/vm, identifying a provisioned AA ISA.

Values—

slot/mda
slot	1 to 10, depending on chassis model
mda	1 to 2

esa-vm-id—

Specifies the ESA and VM, identifying a provisioned ESA-VM. The value of the esa-vm-id for application assurance is used as the esa-id plus 128. For example, an ESA 1 with VM2 would be referred to as esa-129/2.

Values—

esa-id+128/vm-id
esa-id	1 to 16
vm-id	1 to 4

pool

Syntax

pool [name]

no pool

Context

config>isa>aa-grp>qos>egress>from-subscriber

config>isa>aa-grp>qos>egress>to-subscriber

Description

This command enables the context to configure an IOM pool as applicable to the specific application assurance group traffic. The user can configure resv-cbs (as percentage) values and slope-policy similarly to other IOM pool commands.

Default

pool default

Parameters

name—

If specified, the name must be default.

resv-cbs

Syntax

resv-cbs percent-or-default

no resv-cbs

Context

config>isa>aa-grp>qos>egress>from-subscriber>pool

config>isa>aa-grp>qos>egress>to-subscriber>pool

Description

This command defines the percentage or specifies the sum of the pool buffers that are used as a guideline for CBS calculations for access and network ingress and egress queues. Two actions are accomplished by this command.

A reference point is established to compare the currently assigned (provisioned) total CBS with the amount the buffer pool considers to be reserved. Based on the percentage of the pool reserved that has been provisioned, the over provisioning factor can be calculated.
The size of the shared portion of the buffer pool is indirectly established. The shared size is important to the calculation of the instantaneous-shared-buffer-utilization and the average-shared-buffer-utilization variables used in Random Early Detection (RED) per packet slope plotting.

This command does not actually set aside buffers within the buffer pool for CBS reservation. The CBS value per queue only determines the point at which enqueuing packets are subject to a RED slope. Oversubscription of CBS could result in a queue operating within its CBS size and still not able to enqueue a packet due to unavailable buffers. The resv-cbs parameter can be changed at any time.

If the total pool size is 10 MB and the resv-cbs set to 5, the ‘reserved size’ is 500 KB.

The no form of this command restores the default value of 30.

Default

resv-cbs default

Parameters

percent-or-default—

Specifies the pool buffer size percentage.

Values—

0 to 100, default

slope-policy

Syntax

slope-policy slope-policy-name

no slope-policy

Context

Description

This command configures the high watermark for the weighted average utilization of the shared buffer space in the from-subscriber buffer pool for each ISA. When a buffer pool is not in the overload state and the wa-shared buffer utilization for an ISA crosses above the high watermark value in the ISA from-subscriber buffer pool enters an overload state and an overload notification is raised.

The no form of this command reverts to the default.

Default

wa-shared-high-wmark max

Parameters

percent—

Specifies the weighted average shared buffer utilization high watermark.

Values—

1 to 100, max percent (disabled)

wa-shared-low-wmark

Syntax

wa-shared-low-wmark percent

no wa-shared-low-wmark

Context

config>isa>aa-grp>qos>egress>from-sub

config>isa>aa-grp>qos>egress>to-sub

Description

This command configures the low watermark for the weighted average utilization of the shared buffer space in the from-subscriber buffer pool. When a buffer pool is in an overloaded state and the wa-shared buffer utilization for an ISA drops below low watermark value ISA from-subscriber buffer pool leaves the overload state and a is sent to indicate the overload state has cleared.

The no form of this command reverts to the default.

Default

wa-shared-low-wmark 0

Parameters

percent—

Specifies the weighted average shared buffer utilization low watermark.

Values—

0 to 99

shared-resources

Syntax

shared-resources

Context

Specifies the amount of shared memory as a percentage.

Values—

0 to 100

to-subscriber

Syntax

to-subscriber

Context

config>isa>aa-grp>qos>egress

Description

This command enables the context for Quality of Service configuration for this application assurance group to-subscriber logical port, traffic destined to AA subscribers and entering an application assurance engine.

ingress

Syntax

ingress

Context

config>card>mda>network>ingress

Description

This command enables the context for MDA-level IOM Quality of Service (QoS) configuration.