Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S
GPRS Tunneling Protocol V2 Support

General Packet Radio Service (GPRS) Tunneling Protocol Version 2 (GTPv2) is introduced by the 3rd Generation Partnership Project (3GPP) Technical Specification (TS) 29.274, which modifies and enhances the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 enhances the GTP Application Inspection and Control (AIC) policies to provide security to subscriber data.

This module describes how to configure GTPv2 on a zone-based policy firewall.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for GPRS Tunneling Protocol V2 Support

  • The limit for the number of match statements in a Layer 7 class map is 64.
  • The limit for the number of classes (including the default class) in a Layer 7 policy map is 255.
  • The limit for the number of characters in a pattern string for a regular expression (regex) parameter map is 245.
  • The data path supports up to 512 regular expressions.
  • No statistics are available for the match command. Statistics are available for only packets and bytes in a class.
  • 3GPP Technical Specification 29.274 releases 8 and 9 are not compatible with GPRS Tunneling Protocol Version 2 (GTPv2).

Information About GPRS Tunneling Protocol V2 Support

GTPv2 Overview

General Packet Radio Service (GPRS) Tunneling Protocol Version 2 (GTPv2), also known as evolved packet services—GTP or eGTP, is modified and enhanced from the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 has two flavors, a control plane protocol (GTPv2-C) and a user plane protocol (GTPv2-U). GTPv2 is primarily used for control signaling between the Serving Gateway (SGW) and the Packet Data Network (PDN) Gateway (PGW) in an Evolved Packet Core (EPC) network.

The 3rd-Generation Partnership Project (3GPP) develops globally acceptable specifications for 3rd-Generation (3G) mobile systems. GPRS integrates with the existing Global System for Mobile Communication (GSM) networks and provides always-on packet-switched data services to corporate networks and the Internet.

For more information on GTPv0 and GTPv1, see the “Configuring GPRS Tunneling Protocol Support” chapter in the Security Configuration Guide: Zone-Based Policy Firewall.

Figure 1. General Format of the GTPv2-C Header

Figure 2. Format of Echo and Version Not Supported Message GTPv2-C Header

The usage of the GTPv2-C header for EPC-specific interfaces is defined below:

Octet 1:

  • Octet 1 represents Version (bits 8 through 6) that is set to decimal 2 (“010”).
  • If the “T” flag (bit 4) is set to 1, the Tunnel Endpoint Identifier (TEID) field immediately follows the Length field in octets 5 through 8.
  • The “P” flag (Piggybacking Support) is not supported.

Octet 2:

  • Octet 2 represents the Message Type field. This field supports GTPv2-C message type values.

Octets 3-4:

  • Octets 3 and 4 represent the Length field. This is the length of the message in octets excluding the mandatory part of the GTPv2-C header (the first 4 octets).

Octets 5-8:

  • Octets 5 through 8 represent the Tunnel Identifier field if the “T” flag is set in the first octet.

Octets 9-10:

  • Octets 9 and 10 represent the Sequence Number field if the TEID is present. If the TEID field is not present, the Sequence Number field is contained in octets 5 and 6.

Octets 11-12:

  • Octets 11 and 12 are two spare octets that follow the Sequence Number field.

Note

Apart from the following messages, all other GTPv2-C messages contain the TEID in their headers:
  • Echo Request
  • Echo Response
  • Version Not Supported Indication

Figure 3. General Format of GTPv2 Message for Control Plane
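The header layout described above, written out as a parser (an added example; this is not code from the Cisco guide or from IOS XE). It checks the version bits, refuses messages with the P flag, locates the TEID and the sequence number according to the T flag, verifies the Length field against the datagram, and rejects the combinations the Note rules out: a TEID on an Echo or Version Not Supported message, or no TEID on any other message type. The message type numbers (Echo Request 1, Echo Response 2, Version Not Supported Indication 3, Create Session Request 32) are taken from 3GPP TS 29.274. One assumption to note: the parser reads the four octets after the TEID as a 24-bit sequence number followed by one spare octet, which is the TS 29.274 layout; the guide summarizes those octets differently. The sample messages are constructed.

```python
"""Parse and sanity-check a GTPv2-C header (added example, not Cisco code)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Message types that carry no TEID (the three listed in the Note); values from TS 29.274.
ECHO_REQUEST, ECHO_RESPONSE, VERSION_NOT_SUPPORTED = 1, 2, 3
CREATE_SESSION_REQUEST = 32
TEID_LESS_TYPES = {ECHO_REQUEST, ECHO_RESPONSE, VERSION_NOT_SUPPORTED}


class HeaderError(ValueError):
    """Raised for any header a firewall should refuse to inspect further."""


@dataclass
class Gtpv2Header:
    version: int
    teid_present: bool
    message_type: int
    length: int            # octets 3-4: length excluding the first 4 octets
    teid: Optional[int]    # octets 5-8 when the T flag is set
    sequence: int          # sequence number (assumed 24-bit, per TS 29.274)
    header_len: int        # 12 with a TEID, 8 without
    payload: bytes         # the Information Elements that follow the header


def parse_gtpv2c_header(pkt: bytes) -> Gtpv2Header:
    if len(pkt) < 4:
        raise HeaderError("mandatory header needs 4 octets")
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    version = flags >> 5            # octet 1, bits 8-6
    p_flag = bool(flags & 0x10)     # octet 1, bit 5
    t_flag = bool(flags & 0x08)     # octet 1, bit 4
    if version != 2:
        raise HeaderError(f"version {version} is not GTPv2")
    if p_flag:
        raise HeaderError("piggybacked message (P flag) is not supported")
    header_len = 12 if t_flag else 8
    if len(pkt) < header_len:
        raise HeaderError("packet shorter than its header")
    # Length counts every octet after the 4-octet mandatory part, so it must match the datagram.
    if length != len(pkt) - 4:
        raise HeaderError(f"length field {length} != {len(pkt) - 4} octets on the wire")
    # Only Echo Request/Response and Version Not Supported may omit the TEID.
    if (msg_type in TEID_LESS_TYPES) == t_flag:
        raise HeaderError(f"message type {msg_type} and T flag {int(t_flag)} disagree")
    if t_flag:
        teid = struct.unpack("!I", pkt[4:8])[0]
        seq_field = pkt[8:12]
    else:
        teid = None
        seq_field = pkt[4:8]
    sequence = int.from_bytes(seq_field[:3], "big")  # assumption: 3-octet sequence + 1 spare
    return Gtpv2Header(version, t_flag, msg_type, length, teid, sequence, header_len, pkt[header_len:])


def is_rejected(pkt: bytes) -> bool:
    """True when the parser refuses the packet; handy for tests and for counting drops."""
    try:
        parse_gtpv2c_header(pkt)
    except HeaderError:
        return True
    return False


def build_gtpv2c(msg_type: int, teid: Optional[int], seq: int, payload: bytes = b"") -> bytes:
    """Build a well-formed message; used here only to construct sample input."""
    flags = 0x40 | (0x08 if teid is not None else 0)   # version 2, T flag as needed
    tail = seq.to_bytes(3, "big") + b"\x00" + payload
    if teid is not None:
        tail = teid.to_bytes(4, "big") + tail
    return struct.pack("!BBH", flags, msg_type, len(tail)) + tail


# Constructed samples: a bare Echo Request and a Create Session Request carrying a dummy IE.
SAMPLE_ECHO = build_gtpv2c(ECHO_REQUEST, None, 7)
SAMPLE_CREATE = build_gtpv2c(CREATE_SESSION_REQUEST, 0, 0x1234, b"\x03\x00\x01\x00\x05")

if __name__ == "__main__":
    for sample in (SAMPLE_ECHO, SAMPLE_CREATE):
        print(parse_gtpv2c_header(sample))
```

The length check is the one a firewall cares about most: a Length field that disagrees with the datagram is the usual sign of a truncated or deliberately malformed message, and it is rejected before any IE is examined.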

Stateful Inspection

Stateful inspection, also referred to as dynamic packet filtering, examines a packet based on the information in its header and tracks and validates each connection that traverses the firewall. During stateful inspection, firewalls keep ports closed until a connection request to a specific port is received.

A global database is built on the GTP Application Inspection and Control (AIC) policies for stateful inspection of the GTPv2 traffic. When GTPv2 messages traverse the zone-based firewall, GTP AIC policies inspect messages based on the Packet Data Protocol (PDP) context database. Packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed to the control plane.

Information Elements

A GTP header contains a number of optional fields called Information Elements (IEs). An IE may be present in a GTP protocol data unit (PDU), and an IE may be included in a message header.

An IE is identified by an IE type and an instance value. The combination of IE type and instance value uniquely identifies an IE in a message. Grouped IEs contain more than one IE and have a 4-octet IE header. Each IE within a grouped IE also has a 4-octet IE header. The IE format in GTPv2 is TLIV (Type, Length, Instance, Value) encoded. The length value of a grouped IE is the total length of the embedded IEs.

Figure 4. General Format of an Information Element (IE) in a GTPv2-C Message

Octet 1:

Octet 1 represents the IE Type field. The IE Type field supports GTPv2-C IE type values.

Octets 2-3:

Octets 2 and 3 represent the length of the IE excluding the Type and the Length field.

Octet 4:

Octet 4 represents the instance number (bits 4 through 1) of the IE.

Octets 5-n:

Octets 5 through n represent the actual data contained in the IE.
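The TLIV encoding described above, as a parser that also handles grouped IEs (an added example, not code from the Cisco guide). It walks a buffer of IEs, checks that every Length field stays inside the buffer, masks the instance number out of the low four bits of octet 4, and recurses into the value of a grouped IE because, as stated above, the length of a grouped IE is the total length of the IEs embedded in it. The IE type numbers used in the sample (Recovery 3, EBI 73, F-TEID 87, Bearer Context 93) are taken from 3GPP TS 29.274; the set of grouped types is a deliberately small subset, and the sample bytes are constructed.

```python
"""Parse GTPv2-C Information Elements in TLIV form (added example, not Cisco code)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# IE types from TS 29.274 used in this example. Bearer Context is a grouped IE.
RECOVERY, EBI, F_TEID, BEARER_CONTEXT = 3, 73, 87, 93
GROUPED_IE_TYPES = {BEARER_CONTEXT}   # constructed subset; the spec defines several more
MAX_NESTING = 2                       # grouped IEs inside grouped IEs are rare; cap the recursion


class IEError(ValueError):
    """Raised for an IE list a firewall should drop rather than interpret."""


@dataclass
class IE:
    ie_type: int
    instance: int
    value: bytes
    children: List["IE"] = field(default_factory=list)   # filled for grouped IEs


def parse_ies(buf: bytes, depth: int = 0) -> List[IE]:
    """Parse consecutive IEs from buf; octets 1-4 of each IE are Type, Length (2), Instance."""
    ies: List[IE] = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise IEError(f"truncated IE header at offset {pos}")
        ie_type, length, inst = struct.unpack("!BHB", buf[pos:pos + 4])
        instance = inst & 0x0F               # octet 4, bits 4-1; upper bits are spare
        start, end = pos + 4, pos + 4 + length
        if end > len(buf):                   # Length excludes the 4-octet IE header
            raise IEError(f"IE type {ie_type} claims {length} octets past end of buffer")
        ie = IE(ie_type, instance, buf[start:end])
        if ie_type in GROUPED_IE_TYPES:
            if depth >= MAX_NESTING:
                raise IEError("grouped IE nested too deeply")
            ie.children = parse_ies(ie.value, depth + 1)
        ies.append(ie)
        pos = end
    return ies


def find_ie(ies: List[IE], ie_type: int, instance: int = 0) -> Optional[IE]:
    """Type plus instance uniquely identifies an IE at one level of a message."""
    for ie in ies:
        if ie.ie_type == ie_type and ie.instance == instance:
            return ie
    return None


def is_malformed(buf: bytes) -> bool:
    try:
        parse_ies(buf)
    except IEError:
        return True
    return False


def encode_ie(ie_type: int, instance: int, value: bytes) -> bytes:
    """Inverse of the parser; used only to construct sample input."""
    return struct.pack("!BHB", ie_type, len(value), instance) + value


# Constructed sample: a Recovery IE followed by a Bearer Context that groups an EBI and an
# F-TEID (the F-TEID value here is placeholder bytes, not a decoded F-TEID).
SAMPLE_IES = (
    encode_ie(RECOVERY, 0, b"\x05")
    + encode_ie(BEARER_CONTEXT, 0,
                encode_ie(EBI, 0, b"\x05")
                + encode_ie(F_TEID, 0, b"\x80\x00\x00\x00\x01\x0a\x00\x00\x01"))
)

if __name__ == "__main__":
    for ie in parse_ies(SAMPLE_IES):
        print(ie)
```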

How to Configure GPRS Tunneling Protocol V2 Support

Configuring GPRS Tunneling Protocol V2 Support

GPRS Tunneling Protocol Version 2 (GTPv2) is configured using the zone-based firewall structure of policies and class maps. Because GTPv2 and GTPv1 protocols share the same destination port, Layer 4 class maps cannot classify GTPv2 and GTPv1; they are classified by Layer 7 class maps.

Configuring a Parameter Map for GPRS Tunneling Protocol V2 Support

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. parameter-map type regex parameter-map-name
  4. pattern expression
  5. exit
  6. parameter-map type inspect-global gtp
  7. gtpv2 {request-queue elements | tunnel-limit tunnels}
  8. end

DETAILED STEPS (Command or Action / Purpose)

Step 1  enable

  Example:
  Device> enable

  Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2  configure terminal

  Example:
  Device# configure terminal

  Enters global configuration mode.

Step 3  parameter-map type regex parameter-map-name

  Example:
  Device(config)# parameter-map type regex PARAM-REG

  Configures a regex parameter-map type to match a specific traffic pattern and enters parameter map type configuration mode.

Step 4  pattern expression

  Example:
  Device(config-profile)# pattern apn.cisco.com

  Configures a matching pattern that specifies a list of domains, URL keywords, or URL meta-characters that should be allowed or blocked by local URL filtering. In a GTPv2 class map, the regex parameter map is referenced by the match apn regex command.

Step 5  exit

  Example:
  Device(config-profile)# exit

  Exits parameter map type configuration mode and returns to global configuration mode.

Step 6  parameter-map type inspect-global gtp

  Example:
  Device(config)# parameter-map type inspect-global gtp

  Configures an inspect-type parameter map for connection thresholds, timeouts, and other parameters pertaining to the inspect action and enters parameter map type configuration mode.

Step 7  gtpv2 {request-queue elements | tunnel-limit tunnels}

  Example:
  Device(config-profile)# gtpv2 request-queue 429496

  Configures GTPv2 inspection parameters: request-queue sets the maximum number of queued GTPv2 requests, and tunnel-limit sets the maximum number of GTPv2 tunnels.

Step 8  end

  Example:
  Device(config-profile)# end

  Exits parameter-map type inspect mode and returns to privileged EXEC mode.

Example: Parameter Map for GPRS Tunneling Protocol V2 Support

The following is sample output from the show parameter-map type inspect-global gtp command:

Device# show parameter-map type inspect-global gtp

parameter-map type inspect-global gtp
  gtp request-queue 40000 (default)
  gtp tunnel-limit 40000 (default)
  gtp pdp-context timeout 300 (default)
  gtp request-queue timeout 60 (default)
  permit-error Disable (default)
  gtpv2 request-queue 429496729
  gtpv2 tunnel-limit 42949672
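What the gtpv2 request-queue and gtpv2 tunnel-limit thresholds shown above actually bound, modelled as a small stateful tracker (an added example; this is not the IOS XE implementation, and its matching rules are simplifications). It queues each request by (source, destination, sequence number) and drops new requests once the queue is full; it admits a response only if it answers a queued request of the matching type; it counts a tunnel on an accepted Create Session Response and removes it on an accepted Delete Session Response, keying the tunnel on the responder's address and the header TEID, which in both responses is the requester's control TEID. Message types 32, 33, 36 and 37 are from 3GPP TS 29.274. The small limits, the 60-second queue timeout, the peer addresses and the message sequence are all constructed; the inspector receives already-decoded header fields rather than raw packets.

```python
"""Stateful GTPv2-C request/tunnel tracking (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Message types from TS 29.274. Each request type maps to its response type.
CREATE_SESSION_REQ, CREATE_SESSION_RSP = 32, 33
DELETE_SESSION_REQ, DELETE_SESSION_RSP = 36, 37
RESPONSE_OF = {CREATE_SESSION_REQ: CREATE_SESSION_RSP, DELETE_SESSION_REQ: DELETE_SESSION_RSP}
REQUEST_OF = {rsp: req for req, rsp in RESPONSE_OF.items()}


@dataclass
class Msg:
    """Decoded header fields plus whether the Cause IE (for responses) reports acceptance."""
    src: str
    dst: str
    msg_type: int
    teid: int
    seq: int
    accepted: bool = True


@dataclass
class Gtpv2Inspector:
    request_queue: int = 2          # constructed; compare gtpv2 request-queue
    tunnel_limit: int = 2           # constructed; compare gtpv2 tunnel-limit
    request_timeout: float = 60.0   # constructed; how long an unanswered request stays queued
    pending: Dict[Tuple[str, str, int], Tuple[int, float]] = field(default_factory=dict)
    tunnels: Set[Tuple[str, str, int]] = field(default_factory=set)

    def expire(self, now: float) -> None:
        """Drop queued requests that were never answered within the timeout."""
        for key, (_, queued_at) in list(self.pending.items()):
            if now - queued_at > self.request_timeout:
                del self.pending[key]

    def inspect(self, m: Msg, now: float) -> Tuple[str, str]:
        """Return ("pass" | "drop", reason) for one control-plane message."""
        self.expire(now)
        if m.msg_type in RESPONSE_OF:                       # a request
            if len(self.pending) >= self.request_queue:
                return "drop", "request queue full"
            self.pending[(m.src, m.dst, m.seq)] = (m.msg_type, now)
            return "pass", "request queued"
        if m.msg_type in REQUEST_OF:                        # a response
            key = (m.dst, m.src, m.seq)                     # flows back toward the requester
            entry = self.pending.pop(key, None)
            if entry is None:
                return "drop", "unsolicited response"
            if entry[0] != REQUEST_OF[m.msg_type]:
                return "drop", "response type does not match queued request"
            tunnel = (m.src, m.dst, m.teid)                 # responder, requester, requester's TEID
            if m.msg_type == CREATE_SESSION_RSP and m.accepted:
                if len(self.tunnels) >= self.tunnel_limit:
                    return "drop", "tunnel limit reached"
                self.tunnels.add(tunnel)
            elif m.msg_type == DELETE_SESSION_RSP and m.accepted:
                self.tunnels.discard(tunnel)
            return "pass", "response matched"
        return "drop", "message type not tracked"


if __name__ == "__main__":
    sgw, pgw = "192.0.2.1", "192.0.2.2"   # constructed documentation addresses
    insp = Gtpv2Inspector()
    print(insp.inspect(Msg(sgw, pgw, CREATE_SESSION_REQ, 0, 1), now=0.0))
    print(insp.inspect(Msg(pgw, sgw, CREATE_SESSION_RSP, 100, 1), now=1.0))
    print(sorted(insp.tunnels))
```

The two counters answer different questions: request-queue bounds how much half-open control state a flood of unanswered requests can pin, while tunnel-limit bounds how many established sessions a zone pair will carry regardless of how politely they were set up.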

Configuring a Class Map and a Policy Map for GPRS Tunneling Protocol V2 Support

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. class-map type inspect protocol-name {match-any | match-all} class-map-name
  4. match {apn regex parameter-name | mcc country-code mnc network-code | message-length | msisdn regex parameter-name | version number}
  5. exit
  6. policy-map type inspect protocol-name policy-map-name
  7. class type inspect protocol-name class-map-name
  8. inspect
  9. service-policy protocol-name policy-map
  10. end

DETAILED STEPS (Command or Action / Purpose)

Step 1  enable

  Example:
  Device> enable

  Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2  configure terminal

  Example:
  Device# configure terminal

  Enters global configuration mode.

Step 3  class-map type inspect protocol-name {match-any | match-all} class-map-name

  Example:
  Device(config)# class-map type inspect gtpv1 match-any gtpv2-cl7-1

  Creates a Layer 7 (application-specific) inspect-type class map and enters class map configuration mode.

Step 4  match {apn regex parameter-name | mcc country-code mnc network-code | message-length | msisdn regex parameter-name | version number}

  Example:
  Device(config-cmap)# match version 2

  Configures the classification criteria for the GTP inspect-type class map.

Step 5  exit

  Example:
  Device(config-cmap)# exit

  Exits class map configuration mode and returns to global configuration mode.

Step 6  policy-map type inspect protocol-name policy-map-name

  Example:
  Device(config)# policy-map type inspect gtpv1 gtpv2-POLICY-MAP

  Creates a Layer 7 (protocol-specific) inspect-type policy map and enters policy map configuration mode.

Step 7  class type inspect protocol-name class-map-name

  Example:
  Device(config-pmap)# class type inspect gtpv1 gtpv2-cl7-1

  Specifies the traffic (class) on which an action is to be performed and enters policy-map class configuration mode.

Step 8  inspect

  Example:
  Device(config-pmap-c)# inspect

  Enables stateful packet inspection.

Step 9  service-policy protocol-name policy-map

  Example:
  Device(config-pmap-c)# service-policy gtpv1 gtpv2-POLICY-MAP

  Attaches a Layer 7 policy map to the top-level Layer 3 or Layer 4 policy map.

Step 10  end

  Example:
  Device(config-pmap-c)# end

  Exits policy-map class configuration mode and returns to privileged EXEC mode.

Configuring Zones and Zone Pairs for GPRS Tunneling Protocol V2 Support

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. zone security {zone-name | default}
  4. exit
  5. zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}
  6. service-policy type inspect policy-map-name
  7. exit
  8. interface type number
  9. zone-member security zone-name
  10. end

DETAILED STEPS (Command or Action / Purpose)

Step 1  enable

  Example:
  Device> enable

  Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2  configure terminal

  Example:
  Device# configure terminal

  Enters global configuration mode.

Step 3  zone security {zone-name | default}

  Example:
  Device(config)# zone security z1
  Device(config)# zone security z2

  Creates a security zone to which interfaces can be assigned and enters security zone configuration mode.

  Note: To create a security zone pair, you must configure two security zones (z1 and z2) to which interfaces can be assigned.

Step 4  exit

  Example:
  Device(config-sec-zone)# exit

  Exits security zone configuration mode and returns to global configuration mode.

Step 5  zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}

  Example:
  Device(config)# zone-pair security clt2srv1 source z1 destination z2

  Creates a security zone pair and enters security zone-pair configuration mode.

  Note: To apply a policy, you must configure a zone pair.

Step 6  service-policy type inspect policy-map-name

  Example:
  Device(config-sec-zone-pair)# service-policy type inspect gtpv2-POLICY-MAP

  Attaches a firewall policy map to the destination zone pair.

  Note: If a policy is not configured between a pair of security zones, traffic is dropped by default.

Step 7  exit

  Example:
  Device(config-sec-zone-pair)# exit

  Exits security zone-pair configuration mode and returns to global configuration mode.

Step 8  interface type number

  Example:
  Device(config)# interface gigabitethernet 0/0/0

  Configures an interface and enters interface configuration mode.

Step 9  zone-member security zone-name

  Example:
  Device(config-if)# zone-member security z1

  Assigns an interface to a specified security zone.

  Note: When you make an interface a member of a security zone, all traffic in and out of that interface (except traffic bound for the device or initiated by the device) is dropped by default. To let traffic through the interface, you must make the zone part of a zone pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface.

Step 10  end

  Example:
  Device(config-if)# end

  Exits interface configuration mode and returns to privileged EXEC mode.

Configuration Examples for GPRS Tunneling Protocol V2 Support

Example: Configuring GPRS Tunneling Protocol V2 Support

The following example shows how to configure GTPv2 support:

Device> enable
Device# configure terminal
Device(config)# parameter-map type regex PARAM-REG
Device(config-profile)# pattern apn.cisco.com
Device(config-profile)# exit
Device(config)# parameter-map type inspect-global gtp
Device(config-profile)# gtpv2 tunnel-limit 100
Device(config-profile)# exit
Device(config)# class-map type inspect gtpv1 match-any gtpv2-cl7-1
Device(config-cmap)# match version 2
Device(config-cmap)# exit
Device(config)# policy-map type inspect gtpv1 gtpv2-POLICY-MAP
Device(config-pmap)# class type inspect gtpv1 gtpv2-cl7-1
Device(config-pmap-c)# inspect
Device(config-pmap-c)# service-policy gtpv1 gtpv2-POLICY-MAP
Device(config-pmap-c)# end

Example: Configuring Zones and Zone Pairs for GPRS Tunneling Protocol V2 Support

The following example shows how to configure zones and zone pairs for GTPv2. Both zones referenced by the zone pair (z1 and z2) must exist before the zone pair is created:

Device> enable
Device# configure terminal
Device(config)# zone security z1
Device(config-sec-zone)# exit
Device(config)# zone security z2
Device(config-sec-zone)# exit
Device(config)# zone-pair security clt2srv1 source z1 destination z2
Device(config-sec-zone-pair)# service-policy type inspect gtpv2-POLICY-MAP
Device(config-sec-zone-pair)# exit
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# ip address 5.0.0.1 255.255.255.0
Device(config-if)# zone-member security z1
Device(config-if)# exit
Device(config)# interface gigabitethernet 0/0/2
Device(config-if)# ip address 4.0.0.1 255.255.255.0
Device(config-if)# zone-member security z2
Device(config-if)# end

Additional References for GPRS Tunneling Protocol V2 Support

Related Documents

  Related Topic: Cisco IOS commands
  Document Title: Cisco IOS Master Command List, All Releases

  Related Topic: Security commands
  Document Titles:
    Security Command Reference: Commands A to C
    Security Command Reference: Commands D to L
    Security Command Reference: Commands M to R
    Security Command Reference: Commands S to Z

  Related Topic: Security configuration
  Document Title: Security Configuration Guide: Zone-Based Policy Firewall

Technical Assistance

  Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
  Link: http://www.cisco.com/support

Feature Information for GPRS Tunneling Protocol V2 Support

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1  Feature Information for GPRS Tunneling Protocol Version 2 Support

  Feature Name: GTPv2 Support
  Releases: Cisco IOS XE Release 3.9S
  Feature Information: The GTPv2 Support feature is introduced by the 3rd-Generation Partnership Project (3GPP) TS 29.274, which modifies and enhances the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 enhances the GTP Application Inspection and Control (AIC) policies to provide security to subscriber data. This module describes how to configure GTPv2 on a zone-based policy firewall.
  The following commands have been newly introduced or modified: show parameter-map type inspect-global, zone-pair security.