Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide
iWAG on Cisco ASR 1000 Series Routers for Service Provider WiFi Offload

First Published: November 28, 2012
Last Updated: July 30, 2013

The deployment of the Intelligent Wireless Access Gateway (iWAG) feature on the Cisco ASR 1000 Series Aggregation Services Routers involves two main technologies: the General Packet Radio Service (GPRS) Tunneling Protocol (GTP) for connecting to the Cisco Gateway GPRS Support Node (Cisco GGSN) and the Mobile Access Gateway (MAG) using Proxy Mobile IPv6 (PMIPv6) for connecting to the Cisco Packet Data Network Gateway (PGW). The integration of these two technologies with the Cisco Intelligent Service Gateway (ISG), in combination with the Service Provider WiFi, is the key concept of the iWAG.

The iWAG on the Cisco ASR 1000 Series Aggregation Services Routers provides a clientless solution to integrate with existing 3G mobile cores through Cisco GGSN using the GTP. Leveraging the Cisco ISG framework, the iWAG can selectively divert user traffic towards a mobile network, or offload to the Internet directly. This document provides information about the GTP of the iWAG and its configurations.

For more information about PMIPv6 and ISG configurations for the iWAG, see the Intelligent Wireless Access Gateway Configuration Guide, Cisco IOS XE Release 3S.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest information about features and caveats, see the release notes document pertaining to your platform and software release. To find information about the features documented in this module and to view a list of the releases in which each feature is supported, see the "Feature Information for the iWAG on the Cisco ASR 1000 Series Routers for Service Provider WiFi Offload" section.

Use the Cisco Feature Navigator to find information about platform support and Cisco IOS and Cisco Catalyst operating system software image support. To access the Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Overview of the iWAG Deployment

Restrictions for the GTP of the iWAG

Information About IP Address Assignment

Information About Authentication Methods

Information About GGSN Selection

How to Configure Authentication, Authorization, and Accounting for the iWAG

How to Configure DHCP when the iWAG Acts as a DHCP Proxy

How to Configure the Cisco ISG Class Map and Policy Map for the iWAG

How to Configure a Subscriber Initiator for the iWAG

How to Configure a Tunnel Initiator for the iWAG

How to Enable Mobile Client Service Abstraction and Access Lists

How to Configure the GTP of the iWAG

Configuration Examples for the iWAG

Multiple-Flow Tunnel

GTP Version 2 in the iWAG on the Cisco ASR 1000 Series Aggregation Services Routers

iWAG SSO Support for GTP on the Cisco ASR 1000 Series Aggregation Services Routers

Configuring ISG Policy Templates on the Cisco ASR 1000 Series Aggregation Services Routers

Additional References

Feature Information for the iWAG on the Cisco ASR 1000 Series Routers for Service Provider WiFi Offload

Overview of the iWAG Deployment

Service providers use a combination of WiFi and mobility offerings to offload their mobility networks in areas of high-concentration service usage. Providing both WiFi and mobility simultaneously is considered a desirable deployment, which in turn led to the evolution of the iWAG feature.

The iWAG deployment includes a combination of simple IP users (traditional ISG and WiFi) and mobile IP users (GTP tunneling and PMIPv6). The term mobility service is used to refer to either the GTP service or the PMIPv6 service applied to user traffic. The iWAG provides mobility services to mobile IP users, and as a result, a mobile client can seamlessly access a 3G or 4G mobility network. The iWAG does not provide mobility services to simple IP users. Therefore, simple IP users can access the Public Wireless LAN (PWLAN) network through the Cisco ISG. Clients are devices that access WiFi Internet (public wireless), where possible. However, if WiFi is not available, the same clients connect to the Internet service using a 3G or 4G mobility network.

The iWAG has a transport or switching element with Cisco ISG-subscriber awareness. The iWAG has RADIUS-based authentication and accounting, and policy-based subscriber routing for the WiFi wholesale model.

Figure 1 shows a deployment model of the iWAG on a Cisco ASR 1000 Series Aggregation Services Router.

Figure 1 iWAG Deployment on a Cisco ASR 1000 Series Aggregation Services Router

Restrictions for the GTP of the iWAG

The following restrictions apply to the GTP of the iWAG feature:

Roaming from a 3G mobility network to a WLAN is not supported for the GTP and Cisco ISG sessions.

IPv6 and quality of service (QoS) are not supported.

Only newly established calls are offloaded to the WLAN Third-Generation Partnership Project (3GPP) IP access.

The iWAG solution for WLAN offload is currently available only for the 3G Universal Mobile Telecommunications System (UMTS) and not for 4G Long Term Evolution (LTE).


Note In Cisco IOS XE Release 3.8S, the iWAG may fail to establish the GTPv1 tunnel with the GGSN, for example, with the Cisco ASR 5000 platform. To address this issue, a workaround that involves prepending 19 to the original MSISDN number was introduced in Cisco IOS XE Release 3.8S. The original issue of the iWAG failing to establish the GTPv1 tunnel with the GGSN is fixed in Cisco IOS XE Release 3.8.1S. Therefore, for customers using Cisco IOS XE Release 3.8.1S and later releases, this workaround is not required. For customers who are using the workaround provided in Cisco IOS XE Release 3.8S, the following commands have been added in the Cisco IOS XE Release 3.8.1S to customize MSISDN encoding:

· information-element msisdn [npi npi-value | ton ton-value]
· radius msisdn leading-digits number of digits


Information About IP Address Assignment

The GGSN assigns a unique IP address to each subscriber over the GTP tunnel, based on the service provider domain. For single IP address assignment (no NAT), the following host configuration parameters must be provisioned for a Microsoft client because the access is WLAN:

Default gateway

Subnet mask and prefix length

Domain Name System (DNS) server address

Dynamic Host Configuration Protocol (DHCP) server address

Information About Authentication Methods

Authentication is the way of identifying users prior to allowing access to a network and its services. The iWAG supports the following authentication methods:

802.1x authentication, such as Extensible Authentication Protocol Method for GSM Subscriber Identity Module (EAP-SIM) and Extensible Authentication Protocol Method for Authentication and Key Agreement (EAP-AKA)

Web authentication

Media Access Control-Transparent Auto Logon (MAC-TAL) authentication

802.1x Authentication

The 802.1x Authentication method is used in a trusted WiFi network. In this method, the Microsoft client is authenticated before it is assigned an IP address for use.

Web Authentication

The Web authentication method is used in an untrusted WiFi network. In this method, the Microsoft client is authenticated after it is assigned an IP address for use.

The iWAG uses the Cisco ISG functionalities in enforcing the Open Garden policy and L4 Redirect to complete the authentication before tunneling a client's session to the corresponding GGSN.

MAC-TAL Authentication

The MAC-TAL authentication method is associated with the Web authentication method. It applies when the Microsoft client moves from one access point to another and attempts to reconnect while the AAA server on which it is authenticated still keeps a record of the client's past results. When such a reconnect occurs, the iWAG gets an Access Accept message for reauthentication using the client's MAC address as the calling station ID.

Information About GGSN Selection

When the GTP has to create a Packet Data Protocol (PDP) context for a Microsoft client, it should also identify the GGSN to which the Create PDP Context Request must be sent. The user profile usually consists of an access point name (APN) or a GGSN address or both. If neither of these is present, a per-box default GGSN address is configured on the iWAG.

The GGSN selection algorithm performs the following procedure to identify a GGSN:

1. If a GGSN address is configured in a user profile, the address will have the highest precedence, and will be picked for use.

If a GGSN address is not present, but an APN is present in a user profile, the APN will be picked for use. The GTP then sends a DNS query to the DNS servers configured on the box to resolve this name into an address or a list of addresses (when the DNS server performs load balancing). If a list of addresses is received in return, the GTP records this entire list and performs round-robin assignments using this list when establishing new PDP contexts.

If both the GGSN address and the APN are not present, the default GGSN address is used.

2. After a GGSN address is picked, it is possible that the picked GGSN is not reachable. If the allowed number of attempts to contact the GGSN fails, the GGSN is considered dead. In such a scenario, further retries with a different GGSN address having higher or lower precedence are not performed. The Microsoft client's PDP context simply fails to establish. If this GGSN address comes from DNS resolution, its entry is removed from the GGSN address list for this APN so that an effort to use the APN will not be made again.
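
The selection procedure above, modeled as an added Python example (not Cisco code and not part of the original guide). The class and function names, the max_attempts value and the sample addresses are assumptions of this example, as is the choice to fail the PDP context when the recorded address list for an APN is empty.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional, Tuple


@dataclass
class UserProfile:
    """The two profile fields the selection procedure looks at."""
    ggsn_address: Optional[str] = None
    apn: Optional[str] = None


@dataclass
class GgsnSelector:
    default_ggsn: str                      # per-box default GGSN address
    resolve: Callable[[str], List[str]]    # stand-in for the DNS query (assumption)
    max_attempts: int = 3                  # allowed attempts per GGSN (assumed value)
    apn_lists: Dict[str, Deque[str]] = field(default_factory=dict)

    def select(self, profile: UserProfile) -> Optional[Tuple[str, str]]:
        """Step 1: return (address, source), or None if the APN list is empty."""
        if profile.ggsn_address:           # a profile address has the highest precedence
            return profile.ggsn_address, "profile"
        if profile.apn:
            if profile.apn not in self.apn_lists:
                # Resolve once and record the entire answer for later PDP contexts.
                self.apn_lists[profile.apn] = deque(self.resolve(profile.apn))
            addresses = self.apn_lists[profile.apn]
            if not addresses:
                return None
            address = addresses[0]
            addresses.rotate(-1)           # round-robin: next context gets the next address
            return address, "apn"
        return self.default_ggsn, "default"

    def establish(self, profile: UserProfile,
                  send_request: Callable[[str], bool]) -> Optional[str]:
        """Step 2: contact only the picked GGSN; return its address or None."""
        picked = self.select(profile)
        if picked is None:
            return None
        address, source = picked
        for _ in range(self.max_attempts):
            if send_request(address):
                return address
        # The GGSN is considered dead. No other GGSN is tried for this client.
        if source == "apn":
            self.apn_lists[profile.apn].remove(address)
        return None


def demo():
    """Five PDP contexts for one APN whose second GGSN never answers."""
    dns_queries: List[str] = []
    attempts: List[str] = []

    def resolve(apn: str) -> List[str]:
        dns_queries.append(apn)
        return ["192.0.2.1", "192.0.2.2", "192.0.2.3"]   # constructed DNS answer

    def send_request(address: str) -> bool:
        attempts.append(address)
        return address != "192.0.2.2"                    # constructed dead GGSN

    selector = GgsnSelector(default_ggsn="198.51.100.1", resolve=resolve)
    user = UserProfile(apn="starent.com")
    results = [selector.establish(user, send_request) for _ in range(5)]
    return results, attempts, dns_queries


if __name__ == "__main__":
    print(demo())
```

The second context fails outright even though two healthy addresses remain for the APN, which is the no-fallback behavior the procedure describes; only later contexts skip the removed address.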

How to Configure Authentication, Authorization, and Accounting for the iWAG

This section describes how to configure authentication, authorization, and accounting (AAA) for the iWAG on the Cisco ASR 1000 Series Aggregation Services Routers.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa group server radius group-name

5. server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]

6. aaa authentication login {default | list-name} {[passwd-expiry] method1 [method2...]}

7. aaa authorization network authorization-name group server-group name

8. aaa authorization subscriber-service {default {cache | group | local} | list-name} method1 [method2...]

9. aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

10. action-type {none | start-stop | stop-only}

11. group {tacacs+ server-group}

12. aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

aaa new-model

Example:

Router(config)# aaa new-model

Enables the AAA access control model.

Step 4 

aaa group server radius group-name

Example:

Router(config)# aaa group server radius AAA_SERVER_CAR

Groups different RADIUS server hosts into distinct lists and distinct methods.

Step 5 

server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]

Example:

Router(config-sg-radius)# server-private 5.3.1.76 auth-port 2145 acct-port 2146 key cisco

Configures the IP address of the private RADIUS server for the group server.

Step 6 

aaa authentication login {default | list-name} {[passwd-expiry] method1 [method2...]}

Example:

Router(config-sg-radius)# aaa authentication login default none

Sets AAA authentication at login.

Step 7 

aaa authorization network authorization-name group server-group name

Example:

Router(config)# aaa authorization network ISG_PROXY_LIST group AAA_SERVER_CAR

Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP), PPP Network Control Programs (NCPs), and AppleTalk Remote Access (ARA).

Step 8 

aaa authorization subscriber-service {default {cache | group | local} | list-name} method1 [method2...]

Example:

Router(config)# aaa authorization subscriber-service default local group AAA_SERVER_CAR

Specifies one or more AAA authorization methods for the Cisco ISG to provide subscriber service.

Step 9 

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

Example:

Router(config)# aaa accounting network PROXY_TO_CAR

Enables AAA accounting of requested services for billing and security purposes when RADIUS or TACACS+ is used.

Step 10 

action-type {none | start-stop | stop-only}

Example:

Router(cfg-acct-mlist)# action-type start-stop

Enables the type of actions to be performed on accounting records.

Step 11 

group {tacacs+ server-group}

Example:

Router(cfg-acct-mlist)# group AAA_SERVER_CAR

Specifies the AAA TACACS+ server group to use for preauthentication.

Step 12 

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

Example:

Router(config)# aaa accounting network ISG_PROXY_LIST start-stop group AAA_SERVER_CAR

Enables AAA accounting of requested services for billing and security purposes when using RADIUS or TACACS+.

How to Configure DHCP when the iWAG Acts as a DHCP Proxy

This section describes how to configure the Dynamic Host Configuration Protocol (DHCP) for the iWAG on the Cisco ASR 1000 Series Aggregation Services Routers when the iWAG acts as a DHCP proxy.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip dhcp excluded-address [vrf vrf-name] ip-address [last-ip-address]

4. ip dhcp pool pool-name

5. network network-number [mask [secondary] | /prefix-length [secondary]]

6. default-router ip-address

7. domain-name domain

8. lease {days [hours [minutes]] | infinite}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

ip dhcp excluded-address [vrf vrf-name] ip-address [last-ip-address]

Example:

Router(config)# ip dhcp excluded-address 192.168.10.1

Specifies the IP address that a DHCP server should not assign to DHCP clients.

Step 4 

ip dhcp pool pool-name

Example:

Router(config)# ip dhcp pool test

Configures a DHCP address pool on a DHCP server and enters the DHCP pool configuration mode.

Step 5 

network network-number [mask [secondary] | /prefix-length [secondary]]

Example:

Router(dhcp-config)# network 192.168.0.0 255.255.0.0

Configures the network number and mask for a DHCP address pool primary subnet or DHCP address pool secondary subnet on a Cisco IOS DHCP server.

Step 6 

default-router ip-address

Example:

Router(dhcp-config)# default-router 192.168.10.1

Specifies the default router list for a DHCP client.

Step 7 

domain-name domain

Example:

Router(dhcp-config)# domain-name starent.com

Specifies the domain name for a DHCP client.

Step 8 

lease {days [hours [minutes]] | infinite}

Example:

Router(dhcp-config)# lease 1 2 2

Configures the duration of the lease for an IP address that is assigned from a Cisco IOS DHCP server to a DHCP client.

How to Configure the Cisco ISG Class Map and Policy Map for the iWAG

This section describes how to configure the Cisco ISG class map and policy map for the iWAG.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type traffic match-any class-map-name

4. match access-group output {access-group | name access-group-name}

5. match access-group input {access-group | name access-group-name}

6. policy-map type service policy-map-name

7. [priority] class type traffic {class-map-name | default {in-out | input | output}}

8. accounting aaa list aaa-method-list

9. [priority] class type traffic {class-map-name | default {in-out | input | output}}

10. drop

11. policy-map type control policy-map-name

12. class type control {control-class-name | always} [event {access-reject | account-logoff | account-logon | acct-notification | credit-exhausted | dummy-event | quota-depleted | radius-timeout | service-failed | service-start | service-stop | session-default-service | session-restart | session-service-found | session-start | timed-policy-expiry}]

13. action-number service-policy type service [unapply] [aaa list list-name] {name service-name | identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username}}

14. action-number authorize [aaa {list-name | list {list-name | default}} [password password]] [upon network-service-found {continue | stop}] [use method authorization-type] identifier identifier-type [plus identifier-type]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

class-map type traffic match-any class-map-name

Example:

Router(config)# class-map type traffic match-any TC_OPENGARDEN

Creates or modifies a traffic class map that is used for matching packets to a specified Cisco ISG traffic class.

Step 4 

match access-group output {access-group | name access-group-name}

Example:

Router(config-traffic-classmap)# match access-group output name ACL_OUT_OPENGARDEN

Configures the match criteria for a Cisco ISG traffic class map on the basis of the specified access control list (ACL).

Step 5 

match access-group input {access-group | name access-group-name}

Example:

Router(config-traffic-classmap)# match access-group input name ACL_IN_OPENGARDEN

Configures the match criteria for a Cisco ISG traffic class map on the basis of the specified ACL.

Step 6 

policy-map type service policy-map-name

Example:

Router(config)# policy-map type service OPENGARDEN_SERVICE

Creates or modifies a service policy map that is used to define a Cisco ISG subscriber service.

Step 7 

[priority] class type traffic {class-map-name | default {in-out | input | output}}

Example:

Router(config-service-policymap)# 20 class type traffic TC_OPENGARDEN

Creates or modifies a traffic class map that is used for matching packets to a specified Cisco ISG traffic class.

Step 8 

accounting aaa list aaa-method-list

Example:

Router(config-service-policymap)# accounting aaa list PROXY_TO_CAR

Enables Cisco ISG accounting and specifies an AAA method list to which accounting updates are forwarded.

Step 9 

[priority] class type traffic {class-map-name | default {in-out | input | output}}

Example:

Router(config-service-policymap)# class type traffic default in-out

Creates or modifies a traffic class map that is used for matching packets to a specified Cisco ISG traffic class.

Step 10 

drop

Example:

Router(config-service-policymap)# drop

Configures a Cisco ISG to discard packets belonging to the default traffic class.

Step 11 

policy-map type control policy-map-name

Example:

Router(config)# policy-map type control BB_PROFILE

Creates or modifies a control policy map that defines a Cisco ISG control policy.

Step 12 

class type control {control-class-name | always} [event {access-reject | account-logoff | account-logon | acct-notification | credit-exhausted | dummy-event | quota-depleted | radius-timeout | service-failed | service-start | service-stop | session-default-service | session-restart | session-service-found | session-start | timed-policy-expiry}]

Example:

Router(config-control-policymap)# class type control always event session-start

Specifies a control class for which actions can be configured in a Cisco ISG control policy.

Step 13 

action-number service-policy type service [unapply] [aaa list list-name] {name service-name | identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username}}

Example:

Router(config-control-policymap-class-control)# 10 service-policy type service name OPENGARDEN_SERVICE

Activates a Cisco ISG service.

Step 14 

action-number authorize [aaa {list-name | list {list-name | default}} [password password]] [upon network-service-found {continue | stop}] [use method authorization-type] identifier identifier-type [plus identifier-type]

Example:

Router(config-control-policymap-class-control)# 20 authorize aaa list ISG_PROXY_LIST password cisco identifier mac-address

Initiates a request for authorization based on a specified identifier in a Cisco ISG control policy.

How to Configure a Subscriber Initiator for the iWAG

This section describes how to configure a subscriber initiator for the iWAG.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface GigabitEthernet slot/subslot/port

4. description string

5. ip address ip-address mask [secondary [vrf vrf-name]]

6. negotiation auto

7. service-policy type control policy-map-name

8. ip subscriber {l2-connected | routed}

9. initiator {dhcp [class-aware] | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified mac-address}

10. initiator {dhcp [class-aware] | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified mac-address}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

interface GigabitEthernet slot/subslot/port

Example:

Router(config)# interface GigabitEthernet 1/3/3

Enters the interface configuration mode for Gigabit Ethernet.

Step 4 

description string

Example:

Router(config-if)# description access interface connected to subscriber

Adds a description to an interface configuration.

Step 5 

ip address ip-address mask [secondary [vrf vrf-name]]

Example:

Router(config-if)# ip address 192.171.10.1 255.255.0.0

Sets a primary IP address or secondary IP address for an interface.

Step 6 

negotiation auto

Example:

Router(config-if)# negotiation auto

Enables auto negotiation on a Gigabit Ethernet interface.

Step 7 

service-policy type control policy-map-name

Example:

Router(config-if)# service-policy type control BB_PROFILE

Applies a control policy to a context.

Step 8 

ip subscriber {l2-connected | routed}

Example:

Router(config-if)# ip subscriber l2-connected

Enables Cisco ISG IP subscriber support on an interface and specifies the access method that IP subscribers use for connecting to the Cisco ISG on an interface.

Step 9 

initiator {dhcp [class-aware] | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified mac-address}

Example:

Router(config-subscriber)# initiator unclassified mac-address

Enables Cisco ISG to create an IP subscriber session upon receipt of a specified type of packet.

Step 10 

initiator {dhcp [class-aware] | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified mac-address}

Example:

Router(config-subscriber)# initiator dhcp

Enables Cisco ISG to create an IP subscriber session upon receipt of a specified type of packet.

How to Configure a Tunnel Initiator for the iWAG

This section describes how to configure a tunnel initiator for the iWAG.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface GigabitEthernet slot/subslot/port

4. description string

5. ip address ip-address mask [secondary [vrf vrf-name]]

6. negotiation auto

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

interface GigabitEthernet slot/subslot/port

Example:

Router(config)# interface GigabitEthernet 1/3/5

Enters the interface configuration mode for Gigabit Ethernet interface.

Step 4 

description string

Example:

Router(config-if)# description interface connected to GGSN

Adds a description to an interface configuration.

Step 5 

ip address ip-address mask [secondary [vrf vrf-name]]

Example:

Router(config-if)# ip address 192.170.10.1 255.255.0.0

Sets a primary IP address or secondary IP address for an interface.

Step 6 

negotiation auto

Example:

Router(config-if)# negotiation auto

Enables auto negotiation on a Gigabit Ethernet interface.

How to Enable Mobile Client Service Abstraction and Access Lists

This section describes how to enable mobile client service abstraction and access lists on the Cisco ASR 1000 Series Aggregation Services Routers.

SUMMARY STEPS

1. enable

2. configure terminal

3. mcsa

4. enable sessionmgr

5. ip access-list {{standard | extended} {access-list-name | access-list-number} | helper egress check}

6. permit ip any any

7. permit udp any any

8. ip access-list {{standard | extended} {access-list-name | access-list-number} | helper egress check}

9. permit ip any any

10. permit udp any any

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

mcsa

Example:

Router(config)# mcsa

Enables mobile client service abstraction on the Cisco ASR 1000 Series Aggregation Services Routers.

Step 4 

enable sessionmgr

Example:

Router(config-mcsa)# enable sessionmgr

Enables mobile client service abstraction to receive notifications from the Cisco ISG.

Step 5 

ip access-list {{standard | extended} {access-list-name | access-list-number} | helper egress check}

Example:

Router(config)# ip access-list extended ACL_IN_OPENGARDEN

Defines an IP access list by name or number, or enables filtering for packets with IP helper address destinations.

Step 6 

permit ip any any

Example:

Router(config-ext-nacl)# permit ip any any

Sets conditions to allow a packet to pass a named IP access list.

Step 7 

permit udp any any

Example:

Router(config-ext-nacl)# permit udp any any

Sets conditions to allow a packet to pass a named UDP access list.

Step 8 

ip access-list {{standard | extended} {access-list-name | access-list-number} | helper egress check}

Example:

Router(config)# ip access-list extended ACL_OUT_OPENGARDEN

Defines an IP access list by name or number, or enables filtering for packets with IP helper-address destinations.

Step 9 

permit ip any any

Example:

Router(config-ext-nacl)# permit ip any any

Sets conditions to allow a packet to pass a named IP access list.

Step 10 

permit udp any any

Example:

Router(config-ext-nacl)# permit udp any any

Sets conditions to allow a packet to pass a named UDP access list.
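
A review pass over the AAA, control policy and access list commands shown in the procedures above, written as an added Python example (not Cisco code and not part of the original guide). It flags a cleartext RADIUS key or authorize password that uses a well-known value, a login method list whose only method is none, and an ACL containing permit ip any any, which makes the traffic class that references it match all IP traffic and leaves later entries unevaluated. The rule names and the WEAK_SECRETS list are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: commands copied from the procedures above, indented the
# way a running configuration prints them (a flattened copy parses the same).
SAMPLE_CONFIG = """\
aaa group server radius AAA_SERVER_CAR
 server-private 5.3.1.76 auth-port 2145 acct-port 2146 key cisco
aaa authentication login default none
class-map type traffic match-any TC_OPENGARDEN
 match access-group output name ACL_OUT_OPENGARDEN
 match access-group input name ACL_IN_OPENGARDEN
policy-map type control BB_PROFILE
 class type control always event session-start
  10 service-policy type service name OPENGARDEN_SERVICE
  20 authorize aaa list ISG_PROXY_LIST password cisco identifier mac-address
ip access-list extended ACL_IN_OPENGARDEN
 permit ip any any
 permit udp any any
ip access-list extended ACL_OUT_OPENGARDEN
 permit ip any any
 permit udp any any
"""

# Illustrative list of lab or default secrets (assumption; extend per site).
WEAK_SECRETS = {"cisco", "password", "admin", "secret", "test"}

Finding = Tuple[int, str, str]  # (line number, rule id, detail)

ACL_HEADER = re.compile(r"ip access-list (?:standard|extended) (\S+)")
CLASS_HEADER = re.compile(r"class-map type traffic (?:match-(?:any|all) )?(\S+)")
ACL_REF = re.compile(r"match access-group (?:input|output) name (\S+)")
ACL_ENTRY = re.compile(r"(?:\d+ )?((?:permit|deny) .+)")
RADIUS_KEY = re.compile(r"server-private \S+.*\bkey (?:([07]) )?(\S+)$")
LOGIN_LIST = re.compile(r"aaa authentication login (\S+) (.+)$")
AUTHZ_PASSWORD = re.compile(r"\d+ authorize\b.*\bpassword (\S+)")


def audit(config: str) -> List[Finding]:
    """Return findings for an IOS XE configuration, sorted by line number."""
    findings: List[Finding] = []
    acl_entries: Dict[str, List[Tuple[int, str]]] = {}
    acl_refs: List[Tuple[int, str, str]] = []   # (line, class map, ACL name)
    acl: Optional[str] = None                   # ACL being defined, if any
    cmap: Optional[str] = None                  # class map being defined, if any

    for no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := ACL_HEADER.match(line):
            acl, cmap = m.group(1), None
            acl_entries[acl] = []
        elif m := CLASS_HEADER.match(line):
            acl, cmap = None, m.group(1)
        elif acl and (m := ACL_ENTRY.match(line)):
            acl_entries[acl].append((no, m.group(1)))
        elif cmap and (m := ACL_REF.match(line)):
            acl_refs.append((no, cmap, m.group(1)))
        else:
            acl = cmap = None                   # any other command leaves the sub-mode
            if m := RADIUS_KEY.match(line):
                enc, secret = m.groups()
                if enc != "7":                  # type 7 is obfuscated, not comparable
                    weak = secret.lower() in WEAK_SECRETS
                    rule = "RADIUS_KEY_WEAK" if weak else "RADIUS_KEY_CLEARTEXT"
                    findings.append((no, rule, "RADIUS shared secret in cleartext"))
            elif (m := LOGIN_LIST.match(line)) and m.group(2).split() == ["none"]:
                findings.append((no, "LOGIN_NONE",
                                 f"login list '{m.group(1)}' performs no authentication"))
            elif (m := AUTHZ_PASSWORD.match(line)) and m.group(1).lower() in WEAK_SECRETS:
                findings.append((no, "AUTHZ_PASSWORD_WEAK",
                                 "well-known password sent with the identifier"))

    for name, entries in acl_entries.items():
        hit = next((i for i, (_, entry) in enumerate(entries)
                    if entry.split() == ["permit", "ip", "any", "any"]), None)
        if hit is None:
            continue
        for no, entry in entries[hit + 1:]:     # first match wins, so these never match
            findings.append((no, "ACL_SHADOWED", f"{name}: '{entry}' is never evaluated"))
        for no, class_map, ref in acl_refs:
            if ref == name:
                findings.append((no, "CLASS_MATCHES_ALL",
                                 f"{class_map} matches all IP traffic via {name}"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, rule, detail in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {rule}: {detail}")
```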

How to Configure the GTP of the iWAG

This section describes how to configure the GTP of the iWAG on the Cisco ASR 1000 Series Aggregation Services Routers.

SUMMARY STEPS

1. enable

2. configure terminal

3. gtp

4. n3-request request-number

5. interval t3-response response-number

6. interval echo-request request-number

7. interface local GigabitEthernet slot/subslot/port

8. apn apn-name

9. ip address ggsn ip-address

10. default-gw address prefix-len value

11. dns-server ip-address

12. dhcp-server ip-address

13. dhcp-lease seconds

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

gtp

Example:

Router(config)# gtp

Configures the GTP for the iWAG on the Cisco ASR 1000 Series Aggregation Services Routers.

Step 4 

n3-request number of requests

Example:

Router(config-gtp)# n3-request 3

Specifies the number of times a control message must be retried before a failure is issued. The default value is 5.

Step 5 

interval t3-response number of seconds

Example:

Router(config-gtp)# interval t3-response 10

Specifies the time interval, in seconds, for which the Serving GPRS Support Node (SGSN) of the iWAG waits for a response for the control message sent. The default value is 1.

Step 6 

interval echo-request request-number

Example:

Router(config-gtp)# interval echo-request 60

Specifies the time interval, in seconds, that the SGSN for the iWAG waits before sending an echo request message. The range is from 60 to 65535. The default value is 60. The value of 0 disables the Echo Request feature.

Step 7 

interface local GigabitEthernet slot/subslot/port

Example:

Router(config-gtp)# interface local GigabitEthernet 0/0/3

Configures the transport interface to communicate with the GGSN.

Step 8 

apn apn-name

Example:

Router(config-gtp)# apn starent.com

Configures an ASCII regular expression string to be matched against the APN for general packet radio service (GPRS) load balancing.

Step 9 

ip address ggsn ip-address

Example:

Router(config-gtp-apn)# ip address ggsn 192.170.10.2

Sets the IP address for the GGSN.

Step 10 

default-gw address prefix-len value

Example:

Router(config-gtp-apn)# default-gw 192.171.10.1 prefix-len 16

Specifies the default gateway address of the subscriber.

Step 11 

dns-server ip-address

Example:

Router(config-gtp-apn)# dns-server 192.165.1.1

Specifies the Domain Name System (DNS) IP servers that are available for a DHCP client.

Step 12 

dhcp-server ip-address

Example:

Router(config-gtp-apn)# dhcp-server 192.168.10.1

Specifies primary and backup DHCP servers to allocate IP addresses to mobile station users entering a particular public data network (PDN) access point.

Step 13 

dhcp-lease seconds

Example:

Router(config-gtp-apn)# dhcp-lease 3000

Configures the duration of the lease for an IP address that is assigned from a Cisco IOS DHCP Server to a DHCP client.

Configuration Examples for the iWAG

This section provides the following configuration examples:

Example: Configuring the iWAG Using the TAL Authentication Method

Example: Configuring the iWAG Using the EAP-SIM Authentication Method

Example: Configuring the iWAG Using the Web Logon Authentication Method

Example: Configuring the iWAG Using the TAL Authentication Method

The following example shows how to configure the iWAG using the TAL authentication method:

aaa new-model
!
!
aaa group server radius AAA_SERVER_CAR
server-private 5.3.1.76 auth-port 2145 acct-port 2146 key cisco
!
aaa authentication login default none
aaa authorization network ISG_PROXY_LIST group AAA_SERVER_CAR 
aaa authorization subscriber-service default local group AAA_SERVER_CAR 
aaa accounting network PROXY_TO_CAR
action-type start-stop
group AAA_SERVER_CAR
!
aaa accounting network ISG_PROXY_LIST start-stop group AAA_SERVER_CAR
!
!
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.2
ip dhcp excluded-address 192.168.10.3
!
ip dhcp pool TEST
network 192.168.0.0 255.255.0.0
default-router 192.168.10.1 
domain-name starent.com
lease 1 2 2
!
class-map type traffic match-any TC_OPENGARDEN
match access-group output name ACL_OUT_OPENGARDEN
match access-group input name ACL_IN_OPENGARDEN
!
policy-map type service OPENGARDEN_SERVICE
20 class type traffic TC_OPENGARDEN
accounting aaa list PROXY_TO_CAR
!
class type traffic default in-out
drop
!
!
policy-map type control BB_PROFILE
class type control always event session-start
10 service-policy type service name OPENGARDEN_SERVICE
20 authorize aaa list ISG_PROXY_LIST password cisco identifier mac-address 
 !
!
interface GigabitEthernet1/3/3
description interface connected to LS-IP APP Node
ip address 192.171.10.1 255.255.0.0
negotiation auto
service-policy type control BB_PROFILE
ip subscriber l2-connected
initiator unclassified mac-address
initiator dhcp
!
interface GigabitEthernet1/3/5
description connected to LS-GGSN
ip address 192.170.10.1 255.255.0.0
negotiation auto
!         
mcsa
enable sessionmgr
!
!
ip access-list extended ACL_IN_OPENGARDEN
permit ip any any
permit udp any any
ip access-list extended ACL_OUT_OPENGARDEN
permit ip any any
permit udp any any
!
!
gtp
n3-request 3
interval t3-response 10
interval echo-request 60
interface local GigabitEthernet0/0/3
apn 1
apn-name starent.com
ip address ggsn 192.170.10.2
default-gw 192.168.10.1 prefix-len 16
dns-server 192.165.1.1
dhcp-server 192.168.10.1
dhcp-lease 30000
!
End
 
 

Example: Configuring the iWAG Using the EAP-SIM Authentication Method

The following example shows how to configure the iWAG using the Extensible Authentication Protocol Method for the GSM Subscriber Identity Module (EAP-SIM) authentication method with the RADIUS proxy initiator:

aaa new-model
!
!
aaa group server radius AAA_SERVER_CAR
server-private 192.171.10.2 auth-port 1812 acct-port 1813 key cisco
!
aaa authentication login default none
aaa authorization subscriber-service default local group AAA_SERVER_CAR 
aaa authorization radius-proxy ISG_PROXY_LIST group AAA_SERVER_CAR 
aaa accounting delay-start
aaa accounting network default start-stop group AAA_SERVER_CAR
aaa accounting network PROXY_TO_CAR
action-type start-stop
group AAA_SERVER_CAR
!
aaa accounting network ISG_ACCOUNTING_LIST start-stop group AAA_SERVER_CAR
!
!
aaa server radius proxy 
key cisco
calling-station-id format mac-address
authentication port 1812
re-authentication do-not-apply
accounting method-list PROXY_TO_CAR
accounting port 1813
timer ip-address 43200
timer request 43200
timer reconnect 43200
client 192.168.10.3 255.255.255.255
  !
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.2
ip dhcp excluded-address 192.168.10.3
!
ip dhcp pool TEST
network 192.168.0.0 255.255.0.0
default-router 192.168.10.1 
domain-name starent.com
lease 1 2 2
!
!
class-map type traffic match-any TC_OPENGARDEN
match access-group output name ACL_OUT_OPENGARDEN
match access-group input name ACL_IN_OPENGARDEN
!
policy-map type service OPENGARDEN_SERVICE
20 class type traffic TC_OPENGARDEN
accounting aaa list ISG_ACCOUNTING_LIST
!
!
policy-map type control BB_PROFILE
class type control always event session-start
1 proxy aaa list ISG_PROXY_LIST 
20 service-policy type service name OPENGARDEN_SERVICE
!
!
interface GigabitEthernet1/3/3
description connected to subscriber 
ip address 192.171.10.1 255.255.0.0
negotiation auto
service-policy type control BB_PROFILE
ip subscriber l2-connected
initiator dhcp
initiator radius-proxy
!
interface GigabitEthernet1/3/4
description interface connected to AAA server
ip address 192.171.10.1 255.255.0.0
negotiation auto
!
interface GigabitEthernet1/3/5
description connected to GGSN
ip address 192.170.10.1 255.255.0.0
negotiation auto
!
!
mcsa
enable sessionmgr
!
ip access-list extended ACL_IN_OPENGARDEN
permit ip any any
permit udp any any
ip access-list extended ACL_OUT_OPENGARDEN
permit ip any any
permit udp any any
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req 
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 31 send nas-port-detail
radius-server source-ports extended
radius-server throttle accounting 50
radius-server unique-ident 49
radius-server vsa send accounting
radius-server vsa send authentication
!
!
gtp
n3-request 3
interval t3-response 10
interval echo-request 60
information-element rat-type wlan
interface local GigabitEthernet0/0/3
apn 1
apn-name starent.com
ip address ggsn 192.170.10.2
default-gw 192.168.10.1 prefix-len 16
dns-server 192.165.1.1
dhcp-server 192.168.10.1
!
End
 
 

Example: Configuring the iWAG Using the Web Logon Authentication Method

The following example shows how to configure the iWAG using the Web logon authentication method:

aaa new-model
!
!
aaa group server radius AAA_SERVER_CAR
server-private 5.3.1.76 auth-port 2145 acct-port 2146 key cisco
!
aaa authentication login default none
aaa authentication login ISG_PROXY_LIST group AAA_SERVER_CAR
aaa authorization network ISG_PROXY_LIST group AAA_SERVER_CAR 
aaa authorization subscriber-service default local group AAA_SERVER_CAR 
aaa accounting network PROXY_TO_CAR
action-type start-stop
group AAA_SERVER_CAR
!
aaa accounting network ISG_PROXY_LIST start-stop group AAA_SERVER_CAR
!
aaa server radius dynamic-author
client 5.3.1.76 server-key cisco
auth-type any
ignore server-key
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.2
ip dhcp excluded-address 192.168.10.3
!         
ip dhcp pool TEST
network 192.168.0.0 255.255.0.0
default-router 192.168.10.1 
domain-name starent.com
lease 1 2 2
!
!
redirect server-group REDIRECT-SERVER-GROUP1
server ip 5.3.1.76 port 10080
!
!
ip tftp source-interface GigabitEthernet0
class-map type traffic match-any TC_L4R_class
match access-group input name TC_L4R
!
class-map type traffic match-any TC_OPENGARDEN
match access-group output name ACL_OUT_OPENGARDEN
match access-group input name ACL_IN_OPENGARDEN
!
policy-map type service OPENGARDEN_SERVICE
20 class type traffic TC_OPENGARDEN
accounting aaa list PROXY_TO_CAR
!
class type traffic default in-out
drop
!
!
policy-map type service L4Redirect_service
10 class type traffic TC_L4R_class
redirect to group REDIRECT-SERVER-GROUP1
!
!
policy-map type control BB_PROFILE
class type control always event session-start
10 service-policy type service name L4Redirect_service
20 service-policy type service name OPENGARDEN_SERVICE
!
class type control always event account-logon
10 authenticate aaa list ISG_PROXY_LIST 
20 service-policy type service unapply name L4Redirect_service
!
!
interface GigabitEthernet1/3/3
description interface connected to subscriber
ip address 192.171.10.1 255.255.0.0
negotiation auto
service-policy type control BB_PROFILE
ip subscriber l2-connected
initiator unclassified mac-address
initiator dhcp
!
!
interface GigabitEthernet1/3/5
description interface connected to GGSN
ip address 192.170.10.1 255.255.0.0
negotiation auto
!
!
mcsa
enable sessionmgr
!
!
ip access-list extended ACL_IN_OPENGARDEN
permit ip any any
permit udp any any
ip access-list extended ACL_OUT_OPENGARDEN
permit ip any any
permit udp any any
ip access-list extended TC_L4R
permit udp any any
permit tcp any any
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req 
radius-server attribute 32 include-in-accounting-req 
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
no radius-server attribute nas-port
radius-server source-ports extended
radius-server unique-ident 73
!
gtp
n3-request 3
interval t3-response 10
interval echo-request 60
information-element rat-type wlan
interface local GigabitEthernet 0/0/3
apn 1
apn-name starent.com
ip address ggsn 192.170.10.2
default-gw 192.168.10.1 prefix-len 16
dns-server 192.165.1.1
dhcp-server 192.168.10.1
dhcp-lease 30000
!
End

Multiple-Flow Tunnel

A tunnel facilitates bidirectional transport or acts as a conduit for forwarding subscriber traffic. In PMIPv6, subscriber traffic is transported between the MAG and the Local Mobility Anchor (LMA) through the Generic Routing Encapsulation (GRE) tunnel. In the GTP, subscriber traffic is transported between the iWAG and the GGSN through the GTP tunnel. The tunnel information structure is associated with each tunnel and specifies common tunnel attributes, such as source address, destination address, protocol, port, key, tunnel transport VRF, and tunnel mode.

Both the GTP and PMIPv6 support multiple flows per tunnel. A multiple-flow tunnel mechanism configures and manages multiple flows of traffic within the same tunnel. Each flow is identified by a flow key. A flow identifier or flow key is a 32-bit integer. The key is globally unique per system for the GTP. However, the key can be unique per tunnel for PMIPv6. The flow key for the GTP is the Tunnel Endpoint Identifier (TEID), and for PMIPv6, it is the GRE key. Each flow has parameters to describe the per-flow attributes.

PMIPv6 uses a multipoint GRE tunnel per LMA, and creates one adjacency per flow. An LMA can scale up to 128,000 MAGs. From the LMA perspective, only one multipoint GRE tunnel interface is created and 128,000 tunnel endpoints are populated. This scaling level supports the MAG functionality that is implemented on access points or hotspots, from which only one or a few PMIPv6 subscribers can be attached. Cisco high-end routing platforms, such as the Cisco ASR 1000 Series Route Processor 2, the Cisco ASR 1000 Series 40-Gbps ESP, and the Cisco ASR 1000 Series 100-Gbps ESP, support 128,000 scaling for the LMA.

To support 128,000 scaling, configure the following on the LMA:

ipv6 mobile pmipv6-lma LMA1 domain D1
bce maximum 128000

GTP Version 2 in the iWAG on the Cisco ASR 1000 Series Aggregation Services Routers

Effective from Cisco IOS XE Release 3.10S, the support for GPRS Tunneling Protocol Version 2 (GTPv2) is offered on the Cisco ASR 1000 Series Aggregation Services Routers as an enhancement to the GTPv1 offering in the iWAG solution that was introduced in Cisco IOS XE Release 3.8S. GTPv2 provides support for both the 4G and 3G mobile users, whereas GTPv1 provides support only for 3G mobile users.

A GTP session with GTPv2 support uses more memory than a GTP session with GTPv1 support. GTPv2 support does not require any new AAA attributes. However, the new gtpv2 enum value for the Cisco-MPC-Protocol-Interface attribute is necessary to specify the use of GTPv2. The AAA server identifies a subscriber depending upon whether the subscriber profile is sent over GTPv1 tunnel or GTPv2 tunnel from the iWAG back to the Evolved Packet Core (EPC). The GTPv1 and GTPv2 sessions can exist simultaneously on the iWAG.

Restrictions for GTPv2 of the iWAG

The same domain name cannot be configured in different APNs, for example:

gtp
n3-request 7  
interval t3-response 1
interval echo-request 64
information-element rat-type wlan
interface local GigabitEthernet1/3/0
apn 1
apn-name example.com #Same domain name as apn 2356, not supported, should be different
ip address ggsn 98.0.7.13
default-gw 192.168.0.1 prefix-len 16
dns-server 192.168.255.253
dhcp-lease 3000
apn 2356
apn-name example.com #Same domain name as apn1, not supported, should be different
ip address ggsn 98.0.7.14
default-gw 10.254.0.1 prefix-len 16
dns-server 10.254.255.253
dhcp-lease 3000
!

The same pool cannot be associated with different APNs. The PGW or GGSN must have different IPs for pools configured on different domains, for example:

Example:
gtp
n3-request 7  
interval t3-response 1
interval echo-request 64
information-element rat-type wlan
interface local GigabitEthernet1/3/0
apn 1
apn-name example.com
ip address ggsn 98.0.7.13
default-gw 192.168.0.1 prefix-len 16 #different domain name but same pool ip; this is not supported
dns-server 192.168.255.253
dhcp-lease 3000
apn 2356
apn-name example.com #Same domain name as apn1, not supported, should be different
ip address ggsn 98.0.7.14
default-gw 192.168.0.1 prefix-len 16 #different domain name but same pool ip; this is not supported
dns-server 10.254.255.253
dhcp-lease 3000

!

GTPv2 Configuration

All the configurations required for GTPv1 support are also needed for GTPv2 support.

RADIUS Configuration

The following configurations are required on the RADIUS server to differentiate between a GTPv1 subscriber and a GTPv2 subscriber:

subscriber-profile profile1 { # this is a GTPv2 profile 
access-accept { 
reply-msg "Default profile" 
cisco-avpair { "cisco-mn-service=ipv4" } 
cisco-avpair { "cisco-mpc-protocol-interface=gtpv2" } 
cisco-avpair { "cisco-service-selection=example.com" } 
cisco-avpair { "cisco-msisdn=4910000000" } 
3gpp { 
imsi 406091000000000 
} 
} 
} 
subscriber-profile profile2 { # this is a GTPv1 profile
access-accept { 
reply-msg "Default profile" 
cisco-avpair { "cisco-mn-service=ipv4" } 
cisco-avpair { "cisco-mpc-protocol-interface=gtpv1" } 
cisco-avpair { "cisco-service-selection=example.com" } 
cisco-avpair { "cisco-msisdn=4900000000" } 
3gpp { 
imsi 406090000000000 
} 
} 
} 
sub-grp-mgr sub-grp1 { 
control-by round-robin 
group-profiles { 
subscriber-profile profile1 profile-priority 99 
subscriber-profile profile2 profile-priority 98 
} 
}

Intra-iWAG Roaming

Effective from Cisco IOS XE Release 3.10S, both GTPv1 and GTPv2 support connected subscriber roaming across different access interfaces of the iWAG. GTPv1 and GTPv2 preserve and update their existing sessions to allow their data traffic to flow through the new ingress interfaces from the access network.

Configuration for the GTPv1 and GTPv2 Roaming Scenario

The initiator unclassified mac-address command must be configured on every iWAG access interface to support subscriber roaming between these interfaces. As shown in the following configuration, all the access interfaces must be specified under the GTP configuration before the IP subscriber sessions are brought up. If an access interface is not specified under the GTP, the subscriber roaming option is not enabled for that interface. Also, if interfaces are added under the GTP after the sessions are brought up, subscriber roaming fails.

The following example shows the configuration for the GTPv1 and GTPv2 roaming scenario:

interface GigabitEthernet0/0/2 
description To client facing interface 
ip address 192.1.1.1 255.255.0.0 
negotiation auto 
service-policy type control ISG_GTP_CONTROL 
ip subscriber l2-connected 
initiator unclassified mac-address # must for roaming config 
initiator dhcp 
! 
interface GigabitEthernet0/0/3 
description To client facing interface
ip address 192.2.1.1 255.255.0.0 
negotiation auto 
service-policy type control ISG_GTP_CONTROL 
ip subscriber l2-connected 
initiator unclassified mac-address # must for roaming config 
initiator dhcp 
!
gtp
n3-request 3
interval t3-response 10
interval echo-request 64
information-element rat-type wlan
interface local GigabitEthernet1/3/0
apn 1200
apn-name example.com
ip address ggsn 98.0.7.13
default-gw 192.168.0.1 prefix-len 16
dns-server 192.168.255.253
dhcp-lease 3000
interface access GigabitEthernet0/0/2
interface access GigabitEthernet0/0/3

iWAG SSO Support for GTP on the Cisco ASR 1000 Series Aggregation Services Routers

Effective from Cisco IOS XE Release 3.10S, the per-session Stateful Switchover (SSO)/In Service Software Upgrade (ISSU) feature supports iWAG mobility sessions that are tunneled to MNO using GTP. The SSO feature takes advantage of Route Processor (RP) redundancy by establishing one of the RPs as the active processor, while the other RP is designated as the standby processor, and then synchronizing the critical state information between them. When a failover occurs, the standby device seamlessly takes over, starts performing traffic-forwarding services, and maintains a dynamic routing table.

The SSO/ISSU feature supports only the Cisco ASR 1000 Series Aggregation Services Routers intrachassis (RP-to-RP) SSO, but not the interchassis (Cisco ASR1K-to-Cisco ASR1K) SSO. The First Sign Of Life (FSOL) triggers that are supported on SSO include DHCP proxy (where the iWAG acts as the DHCP proxy server) and DHCP proxy plus unclassified MAC.

For more information about ISSU, see the "Overview of ISSU on the Cisco ASR 1000 Series Routers" section of the Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide.

As part of iWAG SSO, the process that handles GTP sends (checkpoints) to the standby RP the information that is necessary to create a copy of the session on the standby RP. This inactive copy of the session becomes active when the standby RP becomes active.

When an iWAG mobility session with GTP tunneling is enabled using the SSO/ISSU feature, the Cluster Control Manager on the active RP needs to wait for a few more components, including the GTP, to become ready before checkpoint data collection, and polls these additional components for checkpoint data during data collection. A very similar operation is performed on the standby RP as well. Although such additional CPU consumption is per session, it is not expected to be too heavy since processing in each of these components should include the time spent on a few data structure lookups and memory-copying operations.

During the ISSU upgrade of SIPs and SPAs, traffic is interrupted. To avoid session disconnects caused by dropped echo messages during this interruption, a user has the following options:

Option 1 (preferred):

1. Disable the echo messages on the iWAG and GGSN for the duration of the ISSU.

2. Re-enable the echo messages after ISSU is completed on the iWAG and GGSN.

Option 2: Extend the t3 and n3 configurations to exceed the expected traffic interruption. The traffic interruption characterized in Cisco IOS XE Release 3.10S is 127 seconds. Hence, we recommend setting t3_response to 1 and n3_request to 7 on both the iWAG and the GGSN, which results in 127 seconds. However, the duration of the traffic interruption may depend on the types of SIPs and SPAs and on how loaded the router is. If the traffic interruption exceeds the configured t3 and n3 limits, the session is disconnected.
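The GTPv2 APN restrictions, the roaming requirement, and the t3/n3 guidance in Option 2 can all be checked against a saved configuration before an ISSU. The following Python script is an added example, not part of the Cisco guide. It assumes that the retry wait doubles on each attempt (the model that reproduces the 127-second figure), treats default gateways in the same network as the same pool, and runs on a constructed sample configuration.

```python
import ipaddress

# Constructed sample, not from the page: unsupported APN layouts plus a roaming gap.
SAMPLE = """\
interface GigabitEthernet0/0/2
initiator unclassified mac-address
!
interface GigabitEthernet0/0/3
initiator dhcp
!
gtp
n3-request 3
interval t3-response 10
interval echo-request 30
apn 1
apn-name example.com
default-gw 192.168.0.1 prefix-len 16
apn 2356
apn-name example.com #same domain name as apn 1
default-gw 192.168.0.1 prefix-len 16
interface access GigabitEthernet 0/0/2
interface access GigabitEthernet 0/0/3
"""

def parse(config):
    """Return (gtp settings, {interface: initiators}) from flat or indented IOS text."""
    gtp = {"n3": 5, "t3": 1, "echo": 60, "apns": {}, "access": []}  # page-stated defaults
    initiators, section, apn, iface = {}, None, None, None
    for raw in config.splitlines():
        tok = raw.split("#", 1)[0].split()  # the guide annotates lines with '#'
        if not tok:
            continue
        if tok[0] == "!":
            section = apn = iface = None
        elif tok == ["gtp"]:
            section, apn = "gtp", None
        elif tok[0] == "interface" and tok[1:2] not in (["local"], ["access"]):
            section, iface = "if", "".join(tok[1:])  # 'Gi 0/0/3' and 'Gi0/0/3' compare equal
            initiators[iface] = set()
        elif section == "if" and tok[0] == "initiator":
            initiators[iface].add(" ".join(tok[1:]))
        elif section == "gtp":
            if tok[0] == "n3-request":
                gtp["n3"] = int(tok[1])
            elif tok[:2] == ["interval", "t3-response"]:
                gtp["t3"] = int(tok[2])
            elif tok[:2] == ["interval", "echo-request"]:
                gtp["echo"] = int(tok[2])
            elif tok[:2] == ["interface", "access"]:
                gtp["access"].append("".join(tok[2:]))
            elif tok[0] == "apn":
                apn = gtp["apns"].setdefault(tok[1], {})
            elif apn is not None and tok[0] == "apn-name":
                apn["domain name"] = tok[1]
            elif apn is not None and tok[0] == "default-gw":
                # Assumption: APNs whose default gateway is in the same network share a pool.
                apn["pool"] = str(ipaddress.ip_network(f"{tok[1]}/{tok[3]}", strict=False))
    return gtp, initiators

def retry_window(t3, n3):
    """Seconds until a control message fails, ASSUMING the wait doubles on each retry."""
    return sum(t3 * 2 ** i for i in range(n3))  # t3=1, n3=7 gives the page's 127

def audit(config, interruption=127):
    """Return findings; 127 s is the interruption the page gives for Release 3.10S."""
    gtp, initiators = parse(config)
    findings = []
    window = retry_window(gtp["t3"], gtp["n3"])
    if window < interruption:
        findings.append(f"retry window {window}s < {interruption}s ISSU interruption")
    if gtp["echo"] != 0 and not 60 <= gtp["echo"] <= 65535:
        findings.append(f"echo-request {gtp['echo']} outside 60-65535 (0 disables)")
    for key in ("domain name", "pool"):
        users = {}
        for apn_id, apn in gtp["apns"].items():
            users.setdefault(apn.get(key), []).append(apn_id)
        findings += [f"same {key} {value} in APNs {', '.join(ids)}"
                     for value, ids in users.items() if value and len(ids) > 1]
    findings += [f"{name}: no 'initiator unclassified mac-address'" for name in gtp["access"]
                 if "unclassified mac-address" not in initiators.get(name, ())]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```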

Enabling SSO Support for the GTP

This section describes how to enable SSO support for the GTP on the Cisco ASR 1000 Series Aggregation Services Routers.

SUMMARY STEPS

1. enable

2. configure terminal

3. redundancy

4. mode SSO

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

redundancy

Example:

Router(config)# redundancy

Enters the redundancy configuration mode.

Step 4 

mode SSO

Example:

Router(config-redundan)# mode SSO

Configures the SSO redundancy mode of operation.

Configuring ISG Policy Templates on the Cisco ASR 1000 Series Aggregation Services Routers

In Cisco IOS XE Release 3.10S, the Configuring Intelligent Services Gateway (ISG) Policy Templates feature optimizes the provisioning of ISG policies on IPv4 and IPv6 subscriber sessions. It enables support of up to 128,000 IP subscriber sessions with more complex ISG policies at a higher churn rate on the Cisco ASR 1000 Series Aggregation Services Routers.

A typical ISG configuration has very few distinct policies and many sessions that use these policies. ISG policy templates take advantage of this to optimize resource consumption and enable support for higher scale. Instead of provisioning an ISG policy with all its individual services and features on each target IP subscriber session, it provisions a template of the policy through the system only once and references the template after that to apply the policy on each target session. Enabling policy templates in the ISG does not impact session SSO.

Restrictions for Configuring ISG Policy Templates

Enabling policy templates in the ISG is not supported for any type of PPP sessions and IP interface sessions.

How to Configure ISG Policy Templates

By default, the ISG policy templates are disabled. The platform subscriber template command enables the ISG policy templates.


Note: The platform subscriber template command does not take effect until the router is reloaded. For example, if this command is entered at the configuration prompt, policy templating remains disabled until the router is reloaded. Similarly, if templating is enabled, the router has to be reloaded after the no subscriber template command is entered to disable ISG policy templating.


Additional References

The following sections provide references related to the iWAG feature.

Related Documents

Related Topic
Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

Intelligent Services Gateway

Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S

Cisco IOS Configuration Fundamentals

Cisco IOS Configuration Fundamentals Command Reference


Standards

Standard
Title

No new or modified standards are supported by this feature.


MIBs

MIB
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use the Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC (1): Title

RFC 5213: Proxy Mobile IPv6

RFC 5844: IPv4 Support for Proxy Mobile IPv6

RFC 5845: Generic Routing Encapsulation (GRE) Key Option for Proxy Mobile IPv6

(1) Not all the supported RFCs are listed.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html


Feature Information for the iWAG on the Cisco ASR 1000 Series Routers for Service Provider WiFi Offload

Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 3.8.0S or a later release appear in the table.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the corresponding command reference documentation.

Use the Cisco Feature Navigator to find information about platform support and software image support. The Cisco Feature Navigator enables you to determine which Cisco IOS and Cisco Catalyst operating system software images support a specific software release, feature set, or platform. To access the Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for the iWAG on the Cisco ASR 1000 Series Aggregation Services Routers  

Feature Name
Releases
Feature Information

GTP Version 2 in the iWAG on the Cisco ASR 1000 Series Aggregation Services Routers

3.10S

In Cisco IOS XE Release 3.10S, this feature was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.

For information on this feature, see the "GTP Version 2 in the iWAG on the Cisco ASR 1000 Series Aggregation Services Routers" section.

iWAG SSO Support for GTP on the Cisco ASR 1000 Series Aggregation Services Routers

3.10S

In Cisco IOS XE Release 3.10S, this feature was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.

For information on this feature, see the "iWAG SSO Support for GTP on the Cisco ASR 1000 Series Aggregation Services Routers" section.

Configuring ISG Policy Templates on the Cisco ASR 1000 Series Aggregation Services Routers

3.10S

In Cisco IOS XE Release 3.10S, this feature was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.

For information on this feature, see the "Configuring ISG Policy Templates on the Cisco ASR 1000 Series Aggregation Services Routers" section.

iWAG Access Tunnels for PMIPv6 LMA (128,000 tunnels)

3.9S

In Cisco IOS XE Release 3.9S, this feature was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.

For information on this feature, see the "Multiple-Flow Tunnel" section.

iWAG on the Cisco ASR 1000 Series Aggregation Services Routers for Service Provider WiFi Offload

3.8S

The iWAG deployment involves two main technologies: GTP for connecting to the Cisco GGSN and MAG using PMIPv6 for connecting to the Cisco PGW. The integration of these two technologies with Cisco ISG in combination with service provider WiFi is the key concept of the iWAG feature.

In Cisco IOS XE Release 3.8S, this feature was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.