Cisco 7600 Wireless Security Gateway

Cisco Wireless Security Gateway R3


Product Overview

The Cisco® Wireless Security Gateway (WSG) is a highly scalable solution for securing Long-Term Evolution (LTE) traffic, tunneling femtocell, Unlicensed Mobile Access (UMA) and Generic Access Network (GAN), and third-generation (3G) and fourth-generation (4G) macrocell voice and data traffic over fixed broadband networks back to the mobile operator's core network.
The increase in 3G mobile wireless broadband usage is the precursor of the accelerating growth expected to result from the introduction of High-Speed Packet Access (HSPA), Evolved HSPA (HSPA+), and LTE technologies. To meet the demand and deliver these ever-increasing bandwidth-hungry services at cost levels previously established by wireline operators, mobile wireless operators are evolving their network landscape to an open environment where resources and assets may be shared. Today, it is not uncommon for a mobile wireless operator to own and control the end-to-end (E2E) network. This model will continue, although it will now be in combination with a deployment model using third-party and Internet Service Provider (ISP) networks to connect LTE eNodeBs to the IP networks.
The S1-U and S1-MME interconnection from the eNodeB to the serving gateway and Mobility Management Entity (MME) respectively, as well as the X2 interconnections between eNodeBs, are unprotected and in many cases will traverse third-party and ISP networks. Cost benefits aside, it is essential for mobile wireless operators to secure these connections or risk exposing their eNodeB control (S1-MME and X2-C) and subscriber traffic (S1-U and X2-U) to malicious behavior from unknown entities or persons. To prevent this exposure, mobile wireless operators will use IP Security (IPsec) tunnels to help ensure secure connections between their eNodeBs and their IP networks (Figure 1).

Figure 1. Cisco Wireless Security Gateway at LTE Service Provider Network

In a femtocell deployment, the Cisco WSG uses IPsec to secure the connection between the mobile operator's core network and the "Home Node B" (HNB), a 3G femtocell access point located at the subscriber's home. In this environment, the Cisco WSG provides security for trusted hosts (femtocell access points) when they communicate across an external untrusted broadband network such as the Internet (Figure 2).
Cisco WSG adheres to the latest 3rd Generation Partnership Project (3GPP) standards for secure remote access over untrusted networks. In addition to femtocell deployments, the Cisco WSG can also secure UMA and GAN traffic where the subscriber has a UMA-capable mobile handset that communicates through a Wi-Fi access point over an untrusted network and back to the mobile operator's data center. Cisco WSG can also be deployed to secure 3G and 4G base stations that are connected to the mobile operator's network through a third party's carrier Ethernet service. Cisco WSG plays an important role in cost-effectively securing backhaul networks for mobile operators, helping to reduce backhaul costs, which represent a significant part of their operating expenses (OpEx).

Figure 2. Cisco Wireless Security Gateway at Femtocell Service Provider Network

Cisco WSG is built on the Cisco Service and Application Module for IP (SAMI) for the Cisco 7600 Series Router. Each Cisco SAMI blade with Cisco WSG software can support up to 100,000 IPsec sessions using Internet Key Exchange (IKE) Version 1 or Version 2. IKEv2 has been specified by the 3GPP for use in UMA and GAN, femtocell, and LTE applications. IKEv1 is available to support earlier solutions that have not migrated to IKEv2. An optimally configured Cisco 7613 Series Router with 10 SAMI blades can support 1,000,000 IPsec sessions.

Cisco 7600 Series Routers

Cisco 7600 Series Routers deliver comprehensive, high-performance IP/MPLS features for a range of service provider edge applications. The physical interfaces supported on the Cisco 7600 Series platform include Fast Ethernet and Gigabit Ethernet, FlexWAN (ATM and Frame Relay), and the new line of Cisco shared port adapter (SPA) and SPA interface processor (SIP) line cards. Each Cisco 7600 Series Router provides Layer 2 connectivity and Layer 3 routing services and can host a variety of specialized applications on the Cisco SAMI module.

Figure 3. Cisco 7600 Series Router with SAMI Blade


Cisco WSG in a Femtocell Deployment

As the build-out of the mobile Internet accelerates, technology such as femtocells has moved to the forefront as a way to cost-effectively scale mobile capacity to meet the expected 66-fold growth in mobile data traffic over the next few years (source: Cisco Visual Networking Index - Forecast, 2008-2013). The Cisco WSG will play a critical role in supporting femtocell deployments. Figure 3 provides an example of how a Cisco WSG can be deployed.

Figure 4. Cisco WSG in an End-to-End Femtocell Architecture

Features and Benefits

Table 1. Cisco Wireless Security Gateway Features




Standards compliance

• Complies with IETF RFCs
• Provides interoperability with other standards-compliant components


• IPsec peer authentication with PKI and PSK
• Secondary endpoint authentication with EAP
• Allows users to uniquely authenticate using an X.509 certificate
• Support of EAP facilitates RADIUS-based authentication

Address allocation

• IP local pool and DHCP support
• Increases flexibility of network design and address allocation
• Uses local pools for user address assignments
• Enhances end-node address management efficiency, and minimizes provisioning

IPsec and other services

• Support of IKEv1 and IKEv2
• Creation of IPsec ESP tunnels
• Cryptographic algorithm negotiations
• Packet encryption/decryption: AES/AES-CBC 128 bits, DES, 3DES
• Hash algorithms: MD5, SHA-1, SHA-2 (256, 384 and 512), and XCBC-AES
• Diffie-Hellman Groups: 1 (768 bit), 2 (1024 bit), 5 (1536 bit)
• Rekeying (time- and volume-based)
• Traffic selector negotiations
• Encryption and DH Group Negotiations
• Anti-replay
• Preshared keys
• Extended Sequence Number (ESN)
• IKE Call Admission Control (CAC) mechanism
• Support of X.509 certificates
• CRL, CMPv2, and OCSP certificate management protocol support
• Blacklist
• IPv6
• Reverse Route Injection (RRI)
• Protects data flow between Home Node B or eNode B and WSG
• Offers security services at IP level
• Provides secure tunnel between Home Node B or eNode B and WSG
• Protects data confidentiality, integrity, and authentication

Dead Peer Detection (DPD)

• DPD for IKE transactions
• Facilitates faster failover

Redundancy and load balancing

• 1+1 Stateful inter- or intra-chassis redundancy
• N+1 inter- or intra-chassis redundancy
• ACE HW Module based server load balancing
• PBR (Packet Based Routing) based server load balancing
• Peace of mind
• Service availability
• Minimum user disruption

Network Address Translation (NAT) traversal

• Supports an intermediate device performing NAT
• Allows the home or mobile node to be behind a NAT entity address
• Offers increased flexibility of network design and address allocation

Quality of service (QoS)

• Reflects inner-to-outer type of service and differentiated services code point (ToS/DSCP) marking
• Supports the appropriate QoS and class of service (CoS) for application


• High-end based on Cisco 7600 Series and SAMI
• Network Equipment Building Standards (NEBS) 3-compliant
• Flexibility of choice for better offering
• Distributed, not centralized
• Feature-comprehensive line card for 10G and 4G needs


• High throughput per application blade
• Right subscriber density per blade for 3G and 4G nodes
• Load-balancing mechanism
• Up to 270 tunnels per second
• Up to 2.1 Gbps per blade for small packets - voice
• Up to 9 Gbps per blade for large packets - data
• Up to 72 Gbps per chassis
• Up to 100,000 subs per blade
• Up to 1,000,000 subs per chassis

Co-location of hardware and software

• Co-location of other wireless services in the same chassis; that is, IP-RAN and other wireless gateways can coexist in the same chassis
• Facilitates use of existing Cisco 7600 platform
• Provides a more competitive solution

Standard Cisco hardware and software platforms

• Multiple service modules (such as Cisco Application Control Engine [ACE], SAMI, and Firewall Service Module [FWSM]) can be integrated in the same chassis
• Cisco hardware platforms are proven in some of the largest networks in the world
• Cisco devices run with the standard Cisco IOS® Software feature set, which includes comprehensive IP, security, mobile IP, and voice and data integration capability
• Minimizes risk; speeds deployment of network
• Helps accelerate time to market with advanced features

Configuration and Performance

Cisco 7600 Series with SAMI Provides

• Up to 100,000 Home Node Bs per Cisco WSG module in a femtocell deployment (up to 100,000 dual-mode phones in a UMA and GAN deployment)

• Up to 16,000 eNodeBs per Cisco WSG module in an LTE deployment (up to 160,000 per chassis)

• Up to 10 Cisco SAMI blades with Wireless Security Gateway can be installed in a Cisco 7613 Router

• Up to 2.1 Gbps bandwidth per module for small packets: voice

• Up to 9 Gbps bandwidth per module for large packets: data

• Chassis throughput of 21 Gbps for voice and 72 Gbps for large packets

Cisco 7600 Series Platform Requirements

• All Cisco 7600 Series chassis are supported: Cisco 7604, 7606, 7609, and 7613, with a minimum Cisco IOS Software release requirement of 12.2(33)SRC2

• Supported supervisor engines: Cisco 7600 Series Supervisor Engine 720 and Route Switch Processor 720

• Single or redundant supervisor engine configurations are permitted

• No restriction on other cards (such as service and network modules) on the chassis

Ordering Information

Table 2 lists the product numbers for the Cisco WSG right-to-use (RTU) licenses, subscriber licenses, and SAMI hardware. The software license provides for unlimited use of features in the release with a defined number of connected subscribers, which may be limited by hardware resource capacity and traffic mix. The Cisco WSG subscriber license allows for increasing the number of connected subscribers in increments of 10,000 connected subscribers.

Table 2. Cisco WSG Ordering Information for Cisco 7600 Series

Product Number


SAMI Module


Service Application Module for IP 6 x PPC with 2GB (Crypto)


Service Application Module for IP 6 x PPC with 2GB Spare (Crypto)

Software RTU Licenses*


SAMI Wireless Security Gateway R3.0 RTU License


SAMI Wireless Security Gateway R3.0 RTU License (Spare)

Connected Subscriber Licenses, per Chassis


SAMI Wireless Security Gateway 10,000 Connected Subscriber Feature License


SAMI Wireless Security Gateway 10,000 Connected Subscriber Feature License (Spare)

* One RTU license is required per software module.

** No subscriber license is required for a redundant software module.

Service and Support

Cisco offers a wide range of service programs to accelerate customer success. These innovative service programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco Services help you to protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Advanced Services.

For More Information

Cisco ACE Application Control Engine Solution for High Availability:
Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series:
Cisco 7600 Series Router:
For more information about Cisco mobile wireless products and solutions, visit
For more information about Mobile Wireless Center for the Cisco Service Exchange Framework, visit or contact your Cisco account manager.