Note: The wlan-gw commands apply only to the 7750 SR platform. |
This command creates a text description stored in the configuration file for a configuration context.
The description command associates a text string with a configuration context to help identify the context in the configuration file.
The no form of this command removes any description string from the context.
No description is associated with the configuration context.
The shutdown command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.
The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they can be deleted.
Unlike other commands and parameters where the default state is not indicated in the configuration file, shutdown and no shutdown are always indicated in system generated configuration files.
The no form of the command puts an entity into the administratively enabled state.
no shutdown
This command enables the context to configure subscriber management entities. A subscriber is uniquely identified by a subscriber identification string. Each subscriber can have several DHCP sessions active at any time. Each session is referred to as a subscriber host and is identified by its IP address and MAC address.
All subscriber hosts belonging to the same subscriber are subject to the same hierarchical QoS (HQoS) processing. The HQoS processing is defined in the sub-profile (the subscriber profile). A sub-profile refers to an existing scheduler policy (configured in the config>qos>scheduler-policy context) and offers the possibility to overrule the rate of individual schedulers within this policy.
Because all subscriber hosts use the same scheduler policy instance, they must all reside on the same complex.
Note: The wlan-gw commands apply only to the 7750 SR platform. |
This command enables the context to configure WLAN Gateway parameters.
This command enables the context to configure profiles, templates, and policies that can be applied to DSM subscribers.
This command configures a set of filter rules that can be applied to a DSM UE.
The no form of the command can only be executed if no entries are configured under this filter.
none
This command creates a text description stored in the configuration file for a configuration context.
The description command associates a text string with a configuration context to help identify the context in the configuration file.
The no form of the command removes any description string from the context.
none
This command specifies what should happen to packets that do not match any of the configured entries.
The no form of the command reverts to the default value.
default-action drop
This command creates a new entry for this filter. When processing a packet, entries are matched in order, starting with the lowest entry-id. A maximum of 128 IPv4 and 128 IPv6 DSM filter entries are allowed.
The no form of the command reverts to the default value.
none
This command specifies what should happen to packets that do match this entry. If the configured action is none, this entry is not applied and processing continues to match against subsequent entries.
The no form of the command reverts to the default value.
action none
This command creates a match context for this entry. The protocol value specifies which Layer-4 protocol the packet should match.
The no form of the command removes the match context of this entry.
no match
This command specifies that the packet’s UDP/TCP dst-port must match a specific value. This command is not valid in a match context that is not specific to UDP or TCP.
The no form of the command removes matching of the layer-4 port.
no dst-port
This command specifies that the packet’s destination IP address must match the specified IP prefix and mask.
The no form of the command disables the match on the destination IP.
no dst-ip
This command creates a policer profile that can be applied to a DSM host. When creating a profile the first time, the create and type parameters are required.
The WLAN-GW allows configuration of single-rate and dual-rate bucket policers.
The no form of the command removes the profile.
none
This command specifies what happens to packets that are in-profile and out-of-profile.
The no form of the command reverts to the default value.
action permit-deny
This command specifies what happens to packets that are in-profile and out-of-profile.
The no form of the command reverts to the default value.
action permit-deny
This command specifies the committed burst-size value of this policer. This can only be set on dual-bucket-bandwidth policers.
The no form of the command reverts to the default value.
cbs 0
This command specifies the maximum burst-size value of this policer. This can only be set on dual-bucket-bandwidth policers.
The no form of the command reverts to the default value.
mbs 0
This command specifies the rate at which the policer drains packets. The cir rate value is only supported on dual-bucket-bandwidth policers. If rate max is configured, no rate limitations are applied.
The no form of the command reverts to the default value.
rate max
This command specifies a virtual chassis identifier that can link two wlan-gw’s together.
The no form of the command removes the dual-homing-key
none
This command enables the context to configure profiles, templates and policies that can be applied to DSM subscribers.
This command specifies the value used for TCP-MSS-adjust in the IPv6 upstream direction for DSM. The downstream direction for both IPv4 and IPv6 are both configured under the group-interface. The upstream direction for IPv4 NAT hosts is configured under the NAT policy.
The defined segment size is inserted in a TCP SYN message if there is no existing MSS option or the value in the MSS option is bigger than the configured value.
The no form of the command disables upstream TCP MSS adjust for IPv6 DSM.
no ipv6-tcp-mss-adjust
This command enters the configuration context of mobility-triggered-accounting in wlan-gw context under router or VPRN service.
none
This command enables generation of a flash interim accounting-update to the accounting service when change in location of the UE is detected.
The no form of the command disables generation of flash interim accounting- update to RADIUS when change in location of the UE is detected.
Not enabled
This command creates the profile Bridged Residential Gateway (BRG) devices. The BRG profile specifies default parameters that are used for host management under a single BRG.
The no form of the command removes the profile name from the configuration.
none
This command configures the BRG connectivity verification. The system uses ICMP Echo request messages for connectivity verification.
When the last host associated to a BRG is removed, a ping mechanism is used to verify if the BRG is still active. This command specifies the parameters used in this mechanism.
The no form of this command disables the BRG ping mechanism and removes the BRG without verification. Any configured hold-time still applies.
count 3 timeout 30 retry-time 900
This command enables the context to configure per-subscriber IPv4 address pool parameters to be used for address allocation. Pools for different subscribers can overlap. Specific pool parameters can be overridden by RADIUS.
This command configures the lease time, in seconds, to be used when allocating addresses from the pool. This time should always be larger than the renew/rebind time.
The no form of the command reverts to the default.
600
This command enables the context to configure options that are reflected in DHCP.
none
This command configures DHCP options.
none
This command defines how long these addresses will be kept aside when standby addresses are signaled to the pool. During this time these addresses can only be used by devices explicitly requesting the IP (for example datatrigger or DHCP renew/rebind). When the timer expires the addresses will again become available for dynamic allocation.
21600
This command configures the subnet that will be used for the l2aware-subscriber. This subnet is only locally significant and can overlap with other subscribers. The subnet is derived by ignoring the host-bits of the ip-address. The ip address specifies the default gateway that will be signaled in DHCP along with the netmask derived from the prefix-length.
The start and end addresses specify the addresses that are suitable for allocation within the given subnet, the start and end address included. If the subnet address (host-bits 0), broadcast address (host-bits 1) or default-gw address fall in this range, they will not be considered for allocation.
Changing the subnet will only have effect for new subscribers. New and existing hosts for existing subscribers will keep allocating from the original subnet.
The no form of this command removes the subnet configuration. New l2-aware subscribers will no longer use this pool and fall back to a pool from radius. Existing subscribers will keep using the original subnet.
no subnet
When the BRG should be deleted this still holds the BRG object for the specified time. This applies when connectivity-verification fails or when the last host is removed and no connectivity-verification is enabled. Hold time does not apply to an explicit removal via radius or clear commands.
The no form of the command deletes the hold-time.
no hold-time
This command configures the time to hold on to a BRG immediately after the system detected its presence. The hold time does not apply in case this system removes the BRG context upon an explicit request
300
This command configures RADIUS authentication of the BRG.
This command enables BRG processing on the specified RADIUS proxy server. Whenever an Access-Accept is received with the attribute Alc-BRG-Id present, this will trigger the creation of a BRG. The BRG will use the BRG profile specified in Access-Accept or otherwise fall-back to this BRG profile. When the specified radius-proxy-server has a cache enabled, no cache entries will be created for a transaction identified as BRG. A RADIUS proxy server can only be listed in one BRG profile.
This command can be executed multiple times.
The no form of this command removes BRG processing for the specified RADIUS proxy server.
none
This command is used if the BRG needs to be authenticated to the PCMP by the BRG. This is required if the BRG does not perform radius authentication via the proxy itself. The BRG will originate a valid Access Request using the BRG ID as username.
The no form of this command removes the radius-server-policy from the configuration. Setup of an unauthenticated BRG will now fail.
no radius-server-policy
This command configures the SLA profile string which will be used as a default for SLA-profile lookup. This string can be overridden during BRG or host authentication.
The no form of the command removes the string from the configuration.
no sla-profile-string
This string will be used as a default for subscriber-profile lookup. This string can be overridden during BRG or host authentication. The no form of the command removes the string from the configuration.
no sub-profile-string
This command enables the context to configure parameters related to the call trace debugging tool
This command specifies the compact flash (CF) configuration to store call trace files.
When configured, the specified compact flash will not be used by call-trace.The no form of this command enables the compact flash for use by call-trace.
no disable
This command limits the total size of call-trace files on the specified compact flash card.The no form of this command removes the size restriction.
1000
This command configures the maximum number of files call-trace can create.
200
This command specifies which compact-flash will be used as the primary CF for call-trace operation.
cf1
This command creates a profile that can be applied to a specific trace job.
none
This command specifies a live output destination for this trace. When configured, captures will not be stored locally but sent (over UDP) to the server in the specified routing context. The destination can be specified as either an IP address or a DNS FQDN. The no form of this command disables live output streaming.
no live-output
This command specifies a maximum of how big a trace may grow before it is stopped.
10
This command specifies how long a trace may run before it is stopped.
86400
This command creates an acct-on-off-group.
An acct-on-off-group can be referenced by:
The no form of the command deletes the acct-on-off-group.
none
This command creates a radius-server-policy.
A radius-server-policy can be used in
The no form of the command removes the policy name from the configuration.
none
This command specifies name of the radius-script-policy to be applied for access-accept.
none
This command controls the sending of Accounting-On and Accounting-Off messages and the acct-on-off oper-state of the radius-server-policy:
acct-on-off: enables the sending of Accounting-On and Accounting-Off messages for this radius-server-policy. The acct-on-off oper-state is always not blocked.
acct-on-off oper-state-change [group group-name]: enables the sending of Accounting-On and Accounting-Off messages for this radius-server-policy. The acct-on-off oper-state is function of the Accounting-response received for the Accounting-On and Accounting-Off. Optionally, sets the acct-on-off oper-state of the acct-on-off-group.
acct-on-off monitor-group group-name: no Accounting-On and Accounting-Off messages are sent for this radius-server-policy. The acct-on-off oper-state is inherited from the acct-on-off-group.
The no form of the command disables the sending of Accounting-On and Accounting-Off messages.
no acct-on-off
This command creates an acct-on-off-group.
An acct-on-off-group can be referenced by:
-a single radius-server-policy as controller: the acct-on-off oper-state of the acct-on-off-group is set to the acct-on-off oper-state of the radius-server-policy (acts as master)
-multiple radius-server-policies as monitor: the acct-on-off oper-state of the radius-server-policy is inherited from the acct-on-off oper-state of the acct-on-off group. (acts as a slave)
The no form of the command deletes the acct-on-off-group.
none
This command specifies the name of the acct-request-script-policy pointing to the Python script to be applied for RADIUS accounting request messages.
no acct-request-script-policy
This command specifies the name of the auth-request-script-policy pointing to the Python script to be applied for RADIUS access request messages.
no auth-request-script-policy
This command enables the context to configure RADIUS message buffering.
The no form of the command disables RADIUS message buffering.
none
This command enables RADIUS accounting interim update message buffering.
The no form of the command disables RADIUS accounting interim update message buffering.
no acct-interim
This command enables RADIUS accounting stop message buffering.
The no form of the command disables RADIUS accounting stop message buffering.
no acct-interim
This command enables the context to configure radius-server-policy parameters.
This command configures the algorithm used to select a RADIUS server from the pool of configured RADIUS servers.
direct
This command disables a subscriber RADIUS accounting session from sticking with a single server under normal working conditions. If a direct algorithm is used, all subscriber RADIUS sessions will go directly to the server with the lowest configured index. If a failure occurs, a new in-service server with the next lowest index will be used. When the original server recovers, if stickiness is not disabled, all existing sessions will continue to use the new server. This command disables stickiness, and as a result, the recovered original RADIUS server will again service every subscriber. If a round-robin algorithm is used and stickiness is not disabled, an accounting session for a particular subscriber (or host, depending on the accounting mode) will stay with the same server. This command removes the stickiness and all subscriber accounting messages will go through the list of servers in a round-robin manner.
n/a
This command performs a health check of the RADIUS server.
This command sets up a test account as a probing mechanism to check the connectivity of all configured RADIUS authentication servers within the RADIUS server policy.
This command specifies the intervals at which the test account will send its access requests to probe the RADIUS servers.
no interval
This command specifies the password that the test account will use to send access requests to probe the RADIUS servers.
no password
This command disables the test account that probes the RADIUS server.
no shutdown
This command specifies the username that the test account will use to send its access requests to probe the RADIUS servers.
no user-name
This command configures the number of times the router attempts to contact the RADIUS server, if not successful the first time.
3
This command specifies the virtual router instance applicable for the set of configured RADIUS servers. This value cannot be changed once a RADIUS server is configured for this policy.
no router
service-name | Service name up to 64 characters. | |
router-instance: | router-name, service-id | |
router-name: | Base, management | |
service-id: | 1 to 2147483647 |
This command adds a RADIUS server.
The no form of the command removes a RADIUS server.
none
This command configures the source address of the RADIUS packet. The system IP address must be configured in order for the RADIUS client to work. See Configuring a System Interface in the 7750 SR OS Configuration Guide.
Note: The system IP address must only be configured if the source-address is not specified. When the no source-address command is executed, the source address is determined at the moment the request is sent. This address is also used in the nas-ip-address attribute: over there it is set to the system IP address if no source-address was given. |
The no form of the command reverts to the default value.
no source-address
This command configures the time the router waits for a response from a RADIUS server.
The no form of the command reverts to the default value.
5 seconds
This command configures the hold time before re-using a RADIUS server.
The no form of the command reverts to the default value.
30 seconds
This command configures the source address of an IPv6 RADIUS packet.
When no ipv6-source-address is configured, the system IPv6 address (inband RADIUS server connection) or Boot Option File (BOF) IPv6 address (outband RADIUS server connection) must be configured in order for the RADIUS client to work with an IPv6 RADIUS server.
This address is also used in the NAS-IPv6-Address attribute.
The no form of the command reverts to the default value.
no ipv6-source-address
This command enters the radius-server configuration context under router or VPRN service.
none
This command either specifies an external RADIUS server in the corresponding routing instance or enters configuration context of an existing server. The configured server could be referenced in the radius-server-policy.
The no form of the command removes the parameters from the server configuration.
no
This command configures this server for Change of Authorization messages. The system will process the CoA request from the external server if configured with this command; otherwise the CoA request will be dropped.
The no form of the command disables the command.
This command specifies the UDP listening port for RADIUS accounting requests.
The no form of the commands resets the UDP port to its default value (1813)
acct-port 1813
This command specifies the UDP listening port for RADIUS authentication requests.
The no form of the commands resets the UDP port to its default value (1812)
auth-port 1812
This command specifies radius-script-policy for CoA-Request sent from this RADIUS server.
The no form of the command removes the policy name from the configuration.
none
This command specifies the per-server maximum number of outstanding requests sent to the RADIUS server. If the maximum number is exceeded, the next RADIUS server in the pool is selected.
The no form of the command removes the limit value from the configuration.
none
This command context to configure RADIUS proxy parameters.
This command creates a RADIUS-proxy server in the corresponding routing instance. The proxy server can be configured for the purpose of proxying authentication or accounting or both.
If a WLAN-GW ISA group is specified, then the RADIUS proxy server is instantiated on the set of ISAs in the specified wlan-gw group. The RADIUS messages from the AP are load-balanced to these ISAs. The ISA that processes the RADIUS message then hashes this message to the ISA that anchors the UE. The hash is based on UE MAC address (required to be present in the calling-station-id attribute) in the RADIUS message.
If the create parameter is not specified, then this command enters configuration context of the specified RADIUS-proxy server.
The no form of the command removes the server-name and parameters from the radius-proxy configuration.
purpose authentication
This command enables the context for selecting the RADIUS policy for authentication and accounting based on the RADIUS attribute. This feature is supported for both the ESM RADIUS proxy and the ISA RADIUS proxy.
This command matches the specified prefix or suffix string with the selected accounting server policy or authentication server policy.
n/a
This command specifies the RADIUS VSA type for the entries to be matched with.
no type
This command enters the cache configuration context under radius-proxy server. The cache contains per-subscriber authentication information learned from RADIUS authentication messages, and is used to authorize subsequent DHCP requests.
none
This command specifies the default radius-server-policy for RADIUS accounting. This policy will be used when there is no specific match based on username.
The no form of the command removes the policy name from the configuration.
none
This command specifies the default radius-server-policy for RADIUS authentication. This policy will be used when there is no specific match based on username.
The no form of the command removes the policy name from the configuration.
none
This command configures the IP interface the RADIUS-proxy server will bind to. One RADIUS-proxy server could bind to multiple interfaces.
none
This command specifies the key(s) used in calculating a hash to select an external RADIUS server from the pool of configured servers.
The key(s) can be the source ip and source udp port tuple, or the specified radius attribute(s) in radius packets.
The no form of the command removes the parameters from the configuration.
no load-balance-key
This command specifies the Python policy used to change the RADIUS attributes of the different RADIUS messages.
This command configures the shared secret key. The RADIUS client must have the same key to communicate with the RADIUS-proxy server.
The no form of the command removes the parameters from the configuration.
none
This command results in the system to always generate RADIUS accounting-response to acknowledge RADIUS accounting-request received from the RADIUS client.
The no form of the command disables the command.
no send-accounting-response
This command specifies the RADIUS cache key that is used to match the information in subsequent DHCP requests for authorization.
no key
This command configures the time for which the cache entry is kept if there is no corresponding DHCP DISCOVER. At the expiry of this time, the cache entry is deleted.
The no form of the command reverts to the default value.
timeout min 5
This command specifies the type of RADIUS accounting packets from RADIUS client (a WIFI AP) that the router should track.
The no form of the command removes the parameters from the configuration.
no track-accounting
This command specifies if RADIUS authentication (from the AP) should be tracked in order to update the ESM host with the RADIUS client (for example, WIFI AP) on UE mobility. It also specifies the authentication packet from RADIUS client (for example, a WIFI AP) that the router should track for mobility.
The no form of this command stops tracking authentication for UE mobility.
Not enabled
This command specifies the delete hold-time in case the DHCP host gets a trigger to delete from the matched RADIUS Proxy server.
0
This command enables the context to configure a local user database.
not enabled
This command configures DHCP host parameters.
This command enables the context to configure DHCP host parameters.
This command enables the context to configure match-radius-proxy-cache parameters.
This command specifies the router’s action when failed to find matched radius-proxy-server cache entry.
The no form of the command reverts to the default.
drop
This command specifies the format of MAC address used for matching incoming DHCP DISCOVER against the RADIUS proxy cache.
The no form of the command reverts to the default.
mac-format "aa:"
mac-format: (only when match is equal to mac) | |
like ab: for 00:0c:f1:99:85:b8 | |
or XY- for 00-0C-F1-99-85-B8 | |
or mmmm. for 0002.03aa.abff | |
or xx for 000cf19985b8 |
This command specifies the field/option of DHCP packet that is used to match against the radius-proxy-server cache.
The no form of the command reverts to the default.
mac
This command specifies the name of radius-proxy-server and optionally id of the service that the radius-proxy-server resides in.
The no form of the command removes the parameters from the configuration.
no server
This command creates a WLAN GW group.
Note: The wlan-gw-group ID shares the same number space with the nat-group. |
The no form of the command removes the group
none
This command specifies the number of WLAN-GW IOMs used as active IOMs from the total number of configured WLAN-GW IOMs. If there are more configured IOM than active-iom-limit, then the remaining number of IOMs will be designated as backup(s).
The no form of the command removes the number from the configuration.
This command configures the WLAN gateway distributed subscriber management.
This command configures an ISA application assurance group for WLAN gateway DSM subscribers.
This command designates the specified IOM as a WLAN-GW IOM. Each WLAN-GW IOM must be provisioned with two ISA-BB modules on a hardware chassis and with an ISA-BB module in the first MDA slot in the VSR.
The no form of the command removes the IOM from the configuration.
none
This command enables the context to configure NAT parameters under wlan-gw-group.
This command configures the RADIUS accounting policy to use for each MDA in this ISA group.
The no form of the command removes the accounting policy from the configuration.
none
This command configures the ISA NAT group session limits.
This command configures the number of sessions per block that will be reserved for prioritized sessions.
This command configures the ISA NAT group watermarks.
This command either creates a new port-policy with create parameter or enters the configuration context of an existing port-policy.
none
This command specifies the port-scheduler-policy to use in the egress direction for the internal port connecting the WLAN-GW IOM to the MS-ISA.
none
Note: The wlan-gw commands apply only to the 7750 SR platform. |
This command creates a group interface. This interface is designed for triple-play services where multiple SAPs are part of the same subnet. A group interface may contain one or more SAPs.
Use the no form of the command to remove the group interface from the subscriber interface.
no group interfaces configured
This command specifies the maximum size of frames on this group-interface. Packets larger than this will get fragmented.
The no form of the command removes this functionality.
none
This command enables the context to configure parameters that can be applied to automatically-generated internal SAPs.
N/A
This command configures the anti-spoof type of the SAP.
The type of anti-spoof filtering defines what information in the incoming packet is used to generate the criteria to lookup an entry in the anti-spoof filter table. The type parameter (ip-mac or nh-mac) defines the anti-spoof filter type enforced by the SAP when anti-spoof filtering is enabled.
The no form of the command reverts back to the default.
no anti-spoof
This command enables the context to configure wlan-gw parameters.
none
This command enables the context to configure egress QoS parameters for wlan-gw tunnels.
This command is used to control an HQoS aggregate rate limit. It is used in conjunction with the following parameter commands: rate, limit-unused-bandwidth, and queue-frame-based-accounting.
This command defines the enforced aggregate rate for all queues associated with the agg-rate context. A rate must be specified for the agg-rate context to be considered to be active on the context’s object (SAP, subscriber, Vport, etc.).
This command is used to enable (or disable) aggregate rate overrun protection on the agg-rate context.
This command is used to enabled (or disable) frame based accounting on all policers and queues associated with the agg-rate context. Only supported on Ethernet ports. Not supported on HSMDA Ethernet ports. Packet byte offset settings are not included in the applied rate when queue frame based accounting is configured, however the offsets are applied to the statistics.
This command configures the time for which egress shaping resources associated with a wlan-gw tunnel are held after the last subscriber on a tunnel is deleted.
This command configures the identifier of the egress QoS policy associated with each wlan-gw tunnel of this interface.
The no form of the command removes the policy ID from the configuration.
1
This command configures the identifier of the egress scheduler policy associated with each wlan-gw tunnel of this interface.
The no form of the command removes the scheduler policy name from the configuration.
none
This command enables the egress shaping is only enabled for a wlan-gw tunnel while there are multiple UE (User Equipment) using it.
The no form of the command disables the egress shaping.
This command configures the the granularity of the egress shaping for wlan-gw on this group interface.
The no form of the command removes the parameter from the configuration.
This command specifies gateway endpoint address for the wlan-gw tunnel.
The no form of the command removes the value from the wlan-gw configuration.
none
This command specifies a gateway IPv6 endpoint address for the wlan-gw tunnel.
The no form of the command removes the IPv6 the gateway IPv6 endpoint address for the wlan-gw tunnel.
none
ipv6-address : | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x - [0 to FFFF]H | |
d - [0 to 255]D |
This command enables the sending of ARP or ND packets on the wlan-gw GRE tunnel upon certain events. The target IP address in the ARP/ND packet will be the endpoint IP address of the AP. The ARP/ND response from the AP should contain the AP MAC, which subsequently can be reported in called-station-id. When enabled this will be sent for following events:
This configuration is ignored for l2-ap and l2tpv3 access.
The no form of this command disables this mechanism.
This command enables the context to configure Layer 2 Access Points in WLAN Gateway Group-Interfaces.
This command adds a specific SAP where Layer-2 WLAN-GW aggregation will be performed. The following SAPs are supported.
This command can be repeated multiple times to create multiple Layer-2 access points.
The no form of the command removes the Layer-2 access point. This is only allowed if the l2-ap SAP is shutdown.
No SAPs are defined
If different from default, this command overrides the value specified by l2-ap-encap-type on wlan-gw level. See the description of l2-ap-encap-type for more detail. This value can only be changed while the l2-ap is shutdown.
The no form of the command sets the default value.
default
This command specifies which SAP parameter template should be applied to the l2-ap SAP. This can only be changed when the l2-ap is shutdown.
The no form of the command removes the template, the SAP will use default parameters.
none
This command administratively enables this SAP to begin accepting Layer 2 packets for WIFI offloading.
The no form of the command disables this SAP.
shutdown
This parameter specifies the number of AP identifying VLAN tags for an AP. This is the default value that can be overridden per SAP. This value should at least be equal to the number of VLANs configured in the SAP or enabling a SAP will fail.
A SAP VLAN is explicitly configured, for example l2-ap 1/1/1:25. Other VLANs on the same port can still be used in other contexts.
The number of VLAN tags Epiped to WLAN-GW IOM equal the l2-ap-encap-type minus the encaps of the SAP. Upon receipt of a packet these VLANs will be stored as a Layer 2 tunnel identifier, and are only used in context of WLAN-GW.
The no form of the command sets the default value.
null
This command enables the context to configure mobility parameters.
This command configures the minimum time that a User Equipment will be held associated with its current Access Point (AP) before being associated with a new AP.
The hold time is used to prevent overwhelming the system with mobility triggers, by limiting the rate at which a UE can move from one AP to another while the system is very busy already.
no default
This command specifies the type of packet used as a mobility trigger.
Ths no form of the command removes the parameters from the configuration and disables data-plane mobility.
This command enables terminating multiple types of tunnels.
The no form of the command disables terminating multiple types of tunnels.
This command operationally brings down the WLAN-GW group if the total number of operational WLAN-GW IOMs in the WLAN-GW group fall below the configured number of active WLAN-GW IOMs. This triggers withdrawal of the route to tunnel endpoint and subscriber subnets in routing.
none
This command specifies the routing instance that wlan-gw gateway endpoint resides in.
The no form of the command removes the value from the wlan-gw configuration.
none
This command configures the TCP Maximum Segment Size (MSS) adjustment for the wlan-gw gateway.
The no form of the command disables adjusting tcp-mss values.
none
This command enables the context to configure tunnel encapsulation parameters.
This command specifies when this system will learn the cookie from L2TP tunnels terminating on this interface. Learning the cookie means that the value of the octets 3-8 of the cookie is interpreted as an access point’s MAC address, and used as such, for example in the Called-Station-Id attribute of RADIUS Interim-Update messages.
This command enables the context to configure vlan-to-retail-map parameters to map dot1Q tags to retail-service-id. The WIFI AP could insert a dot1Q tag in the Layer 2 frame within the GRE tunnel to indicate the retail service provider for the subscriber.
none
This command specifies the id of default retail service if there is no match found in VLAN to retail map configuration (specified by the vlan command). For DSM and migrant, this command is only applicable for non-NAT stacks.
none
This command configures the retailer service.
This command configures IPv6 router advertisements for this group-interface.
This command configures the hop-limit advertised for this group-interface.
64
This command creates a mapping from a range of VLANs (appearing in the wlan-gw encapsulated Layer 2 frame) to a retail service ID.
The no form of the command removes the parameters from the configuration.
none
This command specifies the id of wlan-gw-group that the wlan-gw gateway binds to.
The no form of the command removes the value from the wlan-gw configuration.
none
This command enables the context to configure pool manager data for a WLAN GW subscriber interface.
This command configures the DHCPv6 client for the pool manager.
This node enables address pools for DHCPv4 NAT inside addresses. This configuration is only available in wholesale interfaces.
This command configures the DHCPv6 client for the pool manager.
This command specifies the ipv6-address that should be included in the link-address field of the relay header. This can be used for pool-selection by the DHCPv6 server.
The no form of this command falls back to the default.
0::0
This command specifies the pool name that should be sent in the DHCPv6 messages. This will be reflected in the Nokia vendor specific pool option (vendor-id 6527, option-id 0x02).
The no form of this command removes pool-name and the option will not be sent in DHCPv6.
This command enables lease-query. If this is specified the dhcpv6-client will retrieve any existing addresses when becoming active. The lease-query is performed for all of the configured servers
The no form of this command disables lease-query.
This specifies the DHCPv6 servers that are used for requesting addresses. Up to 8 servers can be used simultaneously.
The no form of this command removes the server. This cannot be executed while any dhcpv6 client application is not shutdown.
none
This command configures SLAAC for the DHCPv6 client.
This command specifies the source-ip to be used by the DHCPv6 client.
The no form of this command removes the specific source-ip. In this case the DHCPv6 client will fall back to the IP address configured on the outgoing interface.
This command configures the watermarks used to determine if a new prefix should be allocated or an old prefix should be removed. A new prefix will be allocated when the total usage level for the ISA reaches the high watermark. A prefix will be freed if no addresses are currently in use and the usage level without this prefix would be below the low watermark.
The no form of this command resets the watermarks to its default values of 95% high and 90% low.
watermarks high 95 low 90
This command specifies the ISA WLAN Gateway group.
none
This command enables the context to configure WLAN-GW redundancy-related parameters.
none
This command specifies an IPv4 route (prefix/length) per subscriber-interface to be exported (announced) to indicate liveness of the subscriber-interface on the WLAN-GW. This route is the one that is monitored in routing by the peer WLAN-GW to decide its state with respect.
none
This command specifies an IPv4 route (prefix/length) per subscriber-interface to be monitored in the FIB to determine liveness of the subscriber-interface (and consequently all associated group-interfaces of type wlangw) on a peer WLAN-GW. This route is the one that is advertised in routing by the peer WLAN-GW when the subscriber-interface and WLAN-GW group are operationally up
none
This command configures the redirect policy to constrain forwarding of an unauthenticated “migrant” WIFI user.
none
Enters the context to configure entries that need to be forwarded
none
This command specifies the port to match the destination port in the HTTP request.
HTTP traffic that does not match this port, is not redirected.
80
This command configures traffic flow to be forwarded via match in the redirect policy.
none
This command configures the time for which the forwarding state applicable during redirect phase is held in the system, after the user has been authenticated on the portal. This allows the http response from the portal to be forwarded back on the existing connection.
none
This command configures the HTTP URL to re-direct the matching traffic to. It also can specify inclusion of original URL, MAC address and IP address of the subscriber in the redirect URL.
none
rdr-url-string | [255 chars max] | |
macro substitutions: | ||
$URL | Request-URI in the HTTP GET Request received | |
$MAC | A string that represents the MAC address of the subscriber host | |
$IP | A string that represents the IP address of the subscriber host |
This command enables the context to configure wlan-gw parameters.
This command enters the context for per vlan range configuration.
none
This command configures the default retailer service for WIFI users.
none
This command creates or enters the context of specified VLAN range for configuration applicable to that range of VLANs.
none
This command enables the context to configure distributed-sub-mgmt configuration per vlan-range. This also includes vlan-range default, which makes this configuration applicable to the wlan-gw group-interface.
none
This command specifies the isa-radius-policy used for accounting messages originated from the ISAs in the wlan-gw group. The policy can specify up to five accounting servers and configuration-specific to these accounting servers. It also specifies configuration specific to RADIUS client on ISAs and RADIUS attributes to be included in accounting messages.
none
This command enables the interim accounting and specifies the interim accounting interval.
none
This command enables Application Assurance account statistics collection.
This command configures the default application profile.
This command configures an IP filter that is distributed on ISA cards.
This command specifies the IP filter applied to all UEs corresponding to default vlan-range (such as a group-interface) or the specified vlan-range. The IP filter can be created in the subscr-mgmt>wlan-gw>distributed-sub-mgmt context, and can contain up to 1024 match entries. The IP filter can be overridden per UE from RADIUS via access-accept or COA.
none
This command specifies the egress policer applied to all UEs corresponding to default vlan-range (such as, group-interface) or the specified vlan-range. The policer can be created in the subscr-mgmt>wlan-gw>distributed-sub-mgmt context. The egress policer can be overridden per UE from RADIUS via access-accept or COA.
none
.This command specifies the ingress policer applied to all UEs corresponding to default vlan-range (such as group-interface) or the specified vlan-range. The policer can be created in the subscr-mgmt>wlan-gw>distributed-sub-mgmt context. The ingress policer can be overridden per UE from RADIUS via access-accept or COA.
none
This command enables one-time http-redirect to specified redirect URL for traffic matching the specified destination port.
none
Enters the context to create DHCP configuration for WLAN-GW ISA subscribers (e.g. migrant subscribers).
none
Enters the context to create DHCP6 configuration for WLAN-GW ISA subscribers.
none
This command specifies the signaled preferred lifetime in DHCPv6 or SLAAC after full authentication. This is only applicable to DSM.
min 10
This command specifies the signaled valid lifetime in DHCPv6 or SLAAC after full authentication. This is only applicable to DSM.
min 10
This command configures the lease time for an authenticated user.
none
This command specifies the signaled preferred lifetime in DHCPv6 or SLAAC after full authentication (DSM and/or ESM).
min 10
This command specifies the signaled preferred lifetime in DHCPv6 or SLAAC during a migrant phase.
min 5
This command configures the lease time for a user which is migrant (unauthenticated).
none
This command configures the l2-aware NAT inside IP address to be assigned via DHCP on WLAN-GW ISA.
If the from-pool parameter is specified instead of an IPv4 address, a unique address is allocated to each UE. The pool used is managed by the dhcpv4-nat pool manager, configured under the same subscriber interface. This option is only available when auth-on-dhcp is also configured.
none
This command configures the primary DNS address to be returned via DHCP on WLAN-GW ISA.
none
This command configures the secondary DNS address to be returned via DHCP on WLAN-GW ISA.
none
This command configures the primary NBNS address to be returned via DHCP on WLAN-GW ISA.
none
This command configures the secondary NBNS address to be returned via DHCP on WLAN-GW ISA.
none
This command specifies idle-timeout behavior for DSM UEs and UEs undergoing (ISA-based) portal authentication. This knob only specifies the desired action, idle-timeout is activated by RADIUS on a per-UE basis.
The no form of the command resets the idle-timeout to its default
idle-timeout action remove
This command specifies http redirect policy on ISA to redirect http traffic to the URL specified in the policy.
none
This command specifies the VPLS service used for L2 wholesale. When such a service is configured no other configuration is allowed under the vlan-range.
The no form of the command removes the L2 wholesale service, this is only allowed if the l2-service node is shutdown.
This command specifies the NAT policy for WLAN-GW ISA subscribers.
none
Enters the context to create configuration for authenticating a user from the WLAN-GW ISA.
none
This command enables initial authentication (when there is no state for the UE on the ISA), to be triggered by DHCP DISCOVER or REQUEST. The default behavior s authentication based on first Layer 3 packet.
none
This command specifies authentication policy configured under aaa context for authenticating users on WLAN-GW ISA.
none
This command configures the minimum time that a user is held down after a failed authentication attempt.
.none
This command configures the timeout value for the RADIUS proxy cache if a packet is received with a non-matching VLAN tag. The new timeout value will be the lesser of the vlan-mismatch-timeout value and the currently remaining proxy cache timeout value.
The no form of the command disables the timeout behavior. The cache timeout value will remain unchanged.
no vlan-mismatch-timeout
This command enables the context to configure BRG parameters. In the config>service>ies>sub-if>grp-if and config>service>vprn>sub-if>grp-if contexts, these commands are only available in the vlan-range level.
This command indicates that only BRGs that are pre-authenicated using the RADIUS proxy are allowed in this context.
The no form of the command removes the restriction
no authentication-brg-only
This command indicates that the default BRG profile must be used for new BRGs. This profile can be overridden by RADIUS.
no default-brg-profile
This command enables or disables data-triggered subscriber creation for WIFI subscribers. Data triggered UE creation is currently only supported for UDP and TCP packets.
none
This command enters the context to configure RADIUS-proxy cache information required for subscribers that are created via “data-triggered” authentication. The RADIUS proxy cache enables efficient handling of UE mobility.
none
This command configures how the MAC address is represented by the RADIUS proxy server.
none
mac-format | like ab: for 00:0c:f1:99:85:b8 |
or XY- for 00-0C-F1-99-85-B8 | |
or mmmm. for 0002.03aa.abff | |
or xx for 000cf19985b8 |
This command specifies the RADIUS-proxy server to allow subscribers created via data-triggered authentication to create an entry. This RADIUS proxy cache entry allows efficient handling of UE mobility.
none
router-name | Base |
service-id | 1 to 2147483647 |
This command specifies the vpls-sap-template that will be applied on the internal SAPs created for communication between the VPLS and the ISAs.
The no form of the command removes the SAP template.
This command configures a set of filter rules that can be applied to a DSM UE.
The no form of this command can only be executed if no entries are configured under this filter.
The default action specifies what should happen to packets that do not match any of the configured entries.
The no form of this command reverts to the default.
default-action drop
This command configures a new entry for this filter. When processing a packet, entries are matched in order, starting with the lowest entry-id. A maximum of 128 IPv4 and 128 IPv6 DSM filter entries are allowed box-wide.
The no form of this command reverts to the default.
The action specifies what should happen to packets that do match this entry. If the configured action is none, this entry is not applied and processing will continue to match against subsequent entries.
The no form of this command reverts to the default.
action none
This command creates a match context for this entry. The protocol specifies which Layer-4 protocol the packet should match.
The no form of this command removes the match context of this entry.
no match
This command specifies that the packet’s destination IP address must match the specified IP prefix + mask.
The no form of this command disables the match on destination IP.
no dst-ip
This command specifies that the packet’s destination IP address must match the specified IP prefix + mask.
The no form of this command disables the match on destination IP.
no dst-ip
This command creates a policer profile that can be applied to a DSM host. When creating a profile the first time, both the create and type parameters are required.
The WLAN-GW allows configuration of both single-rate and dual-rate bucket policers.
The no form of this command removes the profile.
This command specifies what should happen with packets that are in-profile and out-of-profile.
The no value of this command reverts to its default.
action permit-deny
For operational efficiency, the operational rate of a policer cannot take on every value in the configurable range. This configuration defines a rule that must be followed when mapping a configured rate to an operational rate.
The cir adaptation-rule can only be set on dual-bucket-bandwidth policers.
The no form of this command reverts to its default.
adaptation-rule pir closest cir closest
This command specifies the committed burst-size value of this policer. This can only be set on dual-bucket-bandwidth policers.
The no form of this command reverts to its default.
cbs 0
This command specifies the maximum burst-size value of this policer.
The no form of this command reverts to its default.
mbs 0
This command specifies at which rate the policer drains packets. The cir value is only supported on dual-bucket-bandwidth policers. If rate max is configured, no actual rate limitations are applied.
The no form of this command reverts to the default.
rate max
Note: The command outputs in the following section are examples only; actual displays may differ depending on supported functionality and user configuration. |
This command enables the context to display information related to the call-trace module.
This command gives an overview of all the files in use by the call-trace module, either for running or finished jobs.
The following output displays call trace local log files information.
This command gives a router-wide overview of call-trace operational data, such as number of configured profile, number of jobs and status of the compact flash.
The following output displays call trace status information.
This command provides an overview of all configured profiles or details of a specific profile. If the detail option is specified the full information for all configured profiles will be displayed.
The following output displays call-trace trace-profile information.
The command enables the context to display information related to the wlan-gw call-trace functionality.
This command gives an overview of either all traces or a specific trace on the WLAN-GW.
This command displays information about the traces of the UE being monitored.
This command displays Acct-On-Off group information and the associated RADIUS server policies.
Label | Description |
acct on off group name | Displays the name of a RADIUS server policy Accounting-On-Off-Group. |
controlling Radius-Server-policy | Specifies the RADIUS policy that controls the Acct-On-Off group. |
monitored by Radius-Server-policy | Specifies the RADIUS policy that monitors the Acct-On-Off group. |
Nbr of Acct-on-off-groups displayed | Displays the number of acct-on-off-group. |
This command displays summary of RADIUS-proxy cache or specific entries.
Label | Description |
Description | Displays the description of this RADIUS proxy server. |
Purpose | Displays the purpose of the RADIUS server, either accounting or authentication. |
Administrative state | Displays the administrative state of this RADIUS server. |
Default acct server policy | Displays the name of the default RADIUS server policy associated with this RADIUS proxy server for accounting purposes. |
Default auth server policy | Displays the name of the default RADIUS server policy associated with this RADIUS proxy server for authentication purposes. |
Send accounting response | Specifies if this RADIUS Proxy server itself responds with an Accounting-Response message to each received Accounting-Request instead of proxying them to a configured RADIUS server. |
Last management change | Displays the sysUpTime at the time of the most recent management-initiated change |
Key packet type | Displays the packet type of the RADIUS messages to use to generate the key for the cache of this RADIUS proxy server, access-request, access-accept, access-reject, access-challenge |
Key attribute type | Displays the RADIUS attribute type to cache for this RADIUS proxy server. Refer to RFC 2865, Remote Authentication Dial In User Service (RADIUS), Section 5 Attributes. |
Key vendor ID | Displays the RADIUS Vendor-Id. Refer to RFC 2865, Remote Authentication Dial In User Service (RADIUS), Section 5.25 Vendor-Specific. |
Timeout (s) | Displays, in seconds, the timeout after which an entry in the cache will expire. |
Track accounting | Displays the RADIUS accounting packets that have impact on the cache of this RADIUS proxy server. |
Load balance key | Displays the key for load-balancing RADIUS messages between RADIUS servers. |
Id | Displays the specifies the RADIUS Vendor-Id. |
Username | Displays the user name. |
RADIUS-server-policy | Displays the RADIUS server name. |
Purpose | Displays the purpose of the RADIUS server, either accounting or authentication. |
This command displays Wireless LAN Gateway information.
This command outputs all the prefixes in use by the wlan-gw pool-manager.
This command displays the mobile gateway's DNS lookup address cache.
This command displays the Mobile Gateway map.
This command displays Mobile Gateway information.
ip-address: | ipv4-address - a.b.c.d |
ipv6-address : | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x - [0 to FFFF]H | |
d - [0 to 255]D |
ip-address: | ipv4-address - a.b.c.d |
ipv6-address : | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x - [0 to FFFF]H | |
d - [0 to 255]D |
This command displays soft-GRE tunnel-QoS resource information.
ip-address: | ipv4-address - a.b.c.d |
ipv6-address : | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x - [0 to FFFF]H | |
d - [0 to 255]D |
ip-address: | ipv4-address - a.b.c.d |
ipv6-address : | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x - [0 to FFFF]H | |
d - [0 to 255]D |
This command displays soft-GRE tunnel-QoS resource information.
ip-address: | ipv4-address - a.b.c.d |
ipv6-address : | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x - [0 to FFFF]H | |
d - [0 to 255]D |
ip-address: | ipv4-address - a.b.c.d |
ipv6-address : | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x - [0 to FFFF]H | |
d - [0 to 255]D |
This command displays tunnel operation information.
ip-address: | ipv4-address - a.b.c.d |
ipv6-address : | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x - [0 to FFFF]H | |
d - [0 to 255]D |
ip-address: | ipv4-address - a.b.c.d |
ipv6-address : | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x - [0 to FFFF]H | |
d - [0 to 255]D |
Note: The remote/local IP addresses are locally generated for VLAN tunnels. |
This command displays RADIUS server policy information.
This command displays WLAN-GW group information including wlan-gw tunnels.
This command lists all addresses that the vRGW currently keeps aside for data-triggered host creation.
This command displays GTP session information.
This command displays GTP statistics.
This command displays Mobile Gateway profile information.
This command displays SSID information.
This command displays statistics information.
This command displays user equipment information.
The following output displays wlan-gw information.
This command enables the context to set up various call-trace debug sessions.
This node will contain all the parameters to set up specific call-trace debug sessions for wlan-gw. The no form of this command will stop all configured wlan-gw traces.
This command will start tracing of the UE with the specified MAC address. The trace will be started with default parameters or optionally parameters specified in the trace-profile.The no form of this command will stop the trace and make sure no new traces are started.
This command triggers a RADIUS Accounting-On message:
The Accounting-On message is not sent when the last successful event for the radius server policy was an Accounting-On message. In this case, an Accounting-Off should be sent first. By specifying the keyword “force”, this is overruled.
This command triggers a RADIUS Accounting-Off message:
The Accounting-Off message is not sent when the last successful event for the radius server policy was an Accounting-Off message. In this case, an Accounting-On should be sent first. By specifying the keyword “force”, this is overruled.
This command shows all available termination causes and their respective number values. The TermCause is equivalent to VSA 226 alc-error-code numeric values. The description is equivalent to VSA 227alc-error-message string.
This command dumps the RADIUS message buffer content for the specified radius-server-policy:
When specifying the session-id, the message details are displayed.
This command dumps user equipment (UE) information.
This command displays UE information.
This command dumps the RADIUS message buffer content for the specified radius-server-policy:
When specifying the session-id, the message details are displayed.
This command clears specific subnets from the pool-manager. Associated UE’s will be removed from the system.
When clearing the last subnet on an ISA the pool-manager will automatically allocate a new subnet with allocation-level 0%.