Cisco IOS Mobile Wireless Configuration Guide, Release 12.2
GGSN Configuration Examples



This chapter contains GGSN configuration examples. For a complete description of the GPRS commands in this chapter, refer to the Cisco IOS Mobile Wireless Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.

This chapter includes the following sections:

Virtual Template Interface Configuration on GGSN Example

Static Route to SGSN Example

Access Point List Configuration Example

VPN Tunnel Configuration Example

AAA Security Configuration Example

RADIUS Server Global Configuration Example

RADIUS Server Access Point Configuration Example

IPSec Configuration Example

DHCP Server Configuration Example

Charging Gateway Configuration Example

Complete GGSN Configuration Example

Virtual Template Interface Configuration on GGSN Example

The following example shows a sample configuration for virtual template 1 on the GGSN:

! Virtual Template configuration
interface virtual-template 1
 ip address 10.10.10.1 255.255.255.0
 no ip directed-broadcast
 encapsulation gtp
 gprs fastswitch
 gprs access-point-list abc
ip classless

Note: The gprs access-point-list command is configured in global configuration mode, but the show running-config command on the router automatically includes it in the virtual template interface section of the output.


Static Route to SGSN Example

The following example shows how to configure a static route from a physical interface on the GGSN to the SGSN. This configures what is known as the GPRS Gn interface.

! Gn Interface on GGSN to communicate with SGSN 
interface FastEthernet0/0
 ip address 10.0.0.2 255.0.0.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 no keepalive
!
ip route 192.168.1.1 255.255.255.255 FastEthernet0/0

In the first part of the sample configuration, physical interface FastEthernet0/0 on the GGSN is shown as the interface to the SGSN. In this example, the SGSN is located at IP address 192.168.1.1. Using the ip route command, a static route is configured to the SGSN located at 192.168.1.1 from the FastEthernet0/0 interface on the GGSN.


Note: For the SGSN to communicate successfully with the GGSN, the SGSN must have a static route configured, or be able to route dynamically, to the IP address used by the GGSN virtual template.


Access Point List Configuration Example

The following example shows the configuration of a GPRS access point list on the GGSN:

! Defines a GPRS access point list
! named abc
gprs access-point-list abc
!
! Defines an APN number 1 called gprs.company.com,
! which defines access to a PDN through the domain gprs.company.com
!
 access-point 1
  access-point-name gprs.company.com
!
!DHCP server at 10.100.0.3 assigns IP addresses to
!mobile users who access APN gprs.company.com.
!
  dhcp-server 10.100.0.3     
  exit
!Defines an APN number 2 called xyz.com, 
!which defines access to a private network through xyz.com
!
 access-point 2
  access-point-name xyz.com
  dhcp-server 10.0.0.1       
  dhcp-gateway-address 10.0.0.1       
!Configures the router to use the Tunnel0 interface to 
!set up an IP tunnel to the private network
!
  use-interface Tunnel0 next-hop-address 10.10.0.21
  exit
! Defines an APN number 3 called www.gprs_mycompany,
! which defines access to a PDN through the domain www.gprs_mycompany
!
 access-point 3
  access-point-name www.gprs_mycompany
! Requires security authorization for access to this network.
! GGSN acts as a client to the RADIUS server at 10.100.0.2.
!
  access-mode non-transparent
  radius-server 10.100.0.2     
  exit

VPN Tunnel Configuration Example

The following example shows the configuration for the physical interface that is used to connect to the PDN (Gi interface) from which you can access a private network:

! interface to communicate with the PDN
interface FastEthernet1/0
 ip address 10.0.0.1 255.0.0.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!

In addition, a logical interface called Tunnel0 defines an IP tunnel to the private networks:

interface Tunnel0
 ip address 97.0.0.1 255.0.0.0
 no ip directed-broadcast
 ip mtu 1476
 tunnel source 4.0.0.1
 tunnel destination 131.108.164.19
!

AAA Security Configuration Example

The following example shows how to enable AAA security globally on the router, and specify global RADIUS authentication and authorization:

! Enables AAA globally
aaa new-model
!
! Creates a local authentication list for use on
! serial interfaces running PPP using RADIUS
!
aaa authentication ppp default group radius
!
! Enables authorization and creates an authorization 
! method list for all network-related service requests
! and enables authorization using a RADIUS server
!
aaa authorization network default group radius

For more information about configuring AAA, refer to the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference publications.

RADIUS Server Global Configuration Example

The following example shows how to globally configure RADIUS server communication on the router:

! Specifies a global RADIUS server host at IP address 10.100.0.2
! Port 1645 is destination port for authentication requests
! Port 1646 is the destination port for accounting requests
! Specifies the key "foo" for this radius host only
!
radius-server host 10.100.0.2 auth-port 1645 acct-port 1646 key foo
!
! Sets the authentication and encryption key to mykey for all 
! RADIUS communications between the router and the RADIUS daemon
!
radius-server key mykey

Note: Although you can configure the radius-server host command multiple times, the Cisco IOS software supports only one RADIUS server at the same IP address.


For more information about configuring RADIUS security, refer to the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference publications.

RADIUS Server Access Point Configuration Example

The following example shows a complete RADIUS configuration, including global AAA and RADIUS configuration, and RADIUS configuration at one of the GGSN access points:

! Enables AAA globally
aaa new-model
!
! Configures AAA authentication
! and authorization
!
aaa authentication ppp default group radius
aaa authorization network default group radius

! Configures global RADIUS server hosts
! and specifies destination ports for 
! authentication and accounting requests
!
radius-server host 10.10.10.1 auth-port 1645 acct-port 1646
radius-server host 10.11.11.1 auth-port 1645 acct-port 1646

radius-server key mykey

gprs default ip-address-pool radius-client
!
! Configures a primary RADIUS server for the GGSN
! 
gprs default radius-server 10.10.10.1
!
! Virtual Template configuration
interface virtual-template 1
 ip address 10.10.10.1 255.255.255.0
 no ip directed-broadcast
 encapsulation gtp
 gprs access-point-list abc
!
!
! Access point list configuration
gprs access-point-list abc
 access-point 1
  access-point-name gprs.somewhere.com
  access-mode transparent
  exit
!
 access-point 2
  access-point-name xyz.com
  access-mode transparent
  exit
 !
 access-point 3
  access-point-name www.gprs_somewhere.fr
  access-mode non-transparent
! 
! Specifies a RADIUS server
! for use by the GGSN to authenticate
! mobile users at this access point
!
  radius-server 10.11.11.1 
  exit

Notice the following areas of interest in the RADIUS configuration shown in this example:

Two global RADIUS server hosts are configured for the router at 10.10.10.1 and 10.11.11.1 using the radius-server host global configuration command.

The default RADIUS server for all GGSN access points is configured as 10.10.10.1 using the gprs default radius-server global configuration command.

The first two access points are configured for transparent access. For mobile users attempting access at these APNs, the GGSN does not perform authentication.

The third access point specifies a RADIUS server located at 10.11.11.1, using the radius-server access-point configuration command.


Note: Although you can configure the radius-server host command multiple times, the Cisco IOS software supports only one RADIUS server at the same IP address.


IPSec Configuration Example

IP Security Protocol is configured between two peers to establish data security services. For GPRS, IPSec configuration is applicable between the GGSN and a router on a PDN. The following example shows configuration of IPSec on the GGSN and an associated PDN, including the complete global and GPRS configuration commands:

GGSN configuration

hostname ggsn1

enable password ggsn1password

ip host pdn1a 10.58.0.8

interface Ethernet5/0
 description TFTP DOWNLOAD
 ip address 10.103.0.7 255.255.0.0
 ip helper-address 10.100.0.3
 no shut

interface FastEthernet0/0
 description CONNECT TO sgsn-a
 ip address 10.56.0.7 255.255.0.0
 no shut

interface FastEthernet4/0
 description CONNECT TO Gi
 ip address 10.58.0.7 255.255.0.0
 no shut

ip classless
ip route 10.100.0.0 255.255.0.0 Ethernet5/0

! IPSec configuration for GGSN

crypto isakmp policy 1
 authentication pre-share
 group 2
!
! 10.58.0.8 is address of peer, or PDN
!
crypto isakmp key sharedkey address 10.58.0.8

crypto ipsec transform-set auth2 esp-des esp-sha-hmac 

crypto map test 10 ipsec-isakmp   
 set peer 10.58.0.8
 set transform-set auth2 
 match address 133

! ISA card is required for IPSec support
!
controller ISA 1/1
interface FastEthernet4/0
 crypto map test

router eigrp 10
 network 10.56.0.0
 network 10.58.0.0

access-list 133 permit ip 10.56.0.0 0.0.255.255 10.59.0.0 0.0.255.255
! GPRS configuration on the GGSN

service gprs ggsn
ip dhcp-server 10.40.0.3
ip dhcp-server 10.100.0.3
ip address-pool dhcp-proxy-client

interface Virtual-Template1
 ip address 10.7.7.7 255.255.255.0
 encapsulation gtp
 ip mroute-cache
 no gprs fastswitch
 gprs access-point-list abc

router eigrp 10
 network 10.2.0.0

ip route 10.5.5.5 255.255.255.255 FastEthernet0/0
access-list 133 permit ip 10.2.0.0 0.0.255.255 10.59.0.0 0.0.255.255

gprs access-point-list abc
 access-point 1
  access-point-name apn1.cisco.com
  dhcp-server 10.100.0.3
  exit
!
 access-point 2
  access-point-name apn2.cisco.com
  dhcp-server 10.100.0.3
  exit
!
 access-point 3
  access-point-name www.apn3.com
  dhcp-server 10.100.0.3
  exit
!
!
gprs default charging-gateway 10.58.0.4 10.58.0.2
gprs charging server-switch-timer 0
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 0 0
 password vtypassword
 login
 end

PDN configuration

hostname pdn1a

enable password pdn1apassword

ip host ggsn1 10.58.0.7

interface Ethernet5/0
 description TFTP DOWNLOAD
 ip address 10.103.0.8 255.255.0.0
 ip helper-address 10.100.0.3
 no shut

interface FastEthernet2/0
 description CONNECT TO  Gn
 ip address 10.56.0.8 255.255.0.0
 shutdown
interface FastEthernet4/0
 description CONNECT TO  Gi
 ip address 10.58.0.8 255.255.0.0
 no shut
interface FastEthernet0/0
 description CONNECT TO  Intranet
 ip address 10.59.0.8 255.255.0.0
 no shut

ip route 10.100.0.0 255.255.0.0 Ethernet5/0

! IPSec configuration on the PDN

crypto isakmp policy 1
 authentication pre-share
 group 2
!
! 10.58.0.7 is address of peer, or GGSN
!
crypto isakmp key sharedkey address 10.58.0.7

crypto ipsec transform-set auth2 ah-sha-hmac esp-des esp-sha-hmac 

crypto map test 10 ipsec-isakmp   
 set peer 10.58.0.7
 set transform-set auth2 
 match address 144
!
! ISA card is required for IPSec support
!
controller ISA 1/1

interface FastEthernet4/0
 crypto map test

router eigrp 10
 network 10.58.0.0
 network 10.59.0.0

access-list 144 permit ip 10.59.0.0 0.0.255.255 10.56.0.0 0.0.255.255
!
! GPRS configuration on the PDN
!
router eigrp 10
 network 10.2.0.0

ip route 10.2.0.0 255.255.0.0 FastEthernet4/0
access-list 144 permit ip 10.59.0.0 0.0.255.255 10.2.0.0 0.0.255.255

line con 0
 exec-timeout 0 0
 transport input none
line aux 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 0 0
 password vtypassword
 login
 end
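
The two peer listings above can be checked against each other before deployment: this Python sketch compares their transform sets, verifies that the crypto access lists mirror each other, and flags single DES. It is an added example, not part of the Cisco documentation; the function names are hypothetical and the embedded excerpts are constructed from the GGSN and PDN listings. On these listings it reports that ah-sha-hmac appears only on the PDN side and that esp-des is in use.

```python
import ipaddress
import re

# Constructed input: IPSec-related lines copied from the two listings above.
GGSN = """\
crypto ipsec transform-set auth2 esp-des esp-sha-hmac
crypto map test 10 ipsec-isakmp
 set peer 10.58.0.8
 set transform-set auth2
 match address 133
access-list 133 permit ip 10.56.0.0 0.0.255.255 10.59.0.0 0.0.255.255
access-list 133 permit ip 10.2.0.0 0.0.255.255 10.59.0.0 0.0.255.255
"""
PDN = """\
crypto ipsec transform-set auth2 ah-sha-hmac esp-des esp-sha-hmac
crypto map test 10 ipsec-isakmp
 set peer 10.58.0.7
 set transform-set auth2
 match address 144
access-list 144 permit ip 10.59.0.0 0.0.255.255 10.56.0.0 0.0.255.255
access-list 144 permit ip 10.59.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
WEAK = {"esp-des"}  # 56-bit DES

def net(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network object."""
    return ipaddress.ip_network(f"{addr}/{wildcard}")  # hostmask form is accepted

def parse(cfg):
    """Return (set of transforms, set of (src, dst) networks) for the crypto map."""
    ts = re.search(r"^ set transform-set (\S+)", cfg, re.M).group(1)
    acl = re.search(r"^ match address (\d+)", cfg, re.M).group(1)
    line = re.search(rf"^crypto ipsec transform-set {re.escape(ts)} (.+)$", cfg, re.M)
    rules = re.findall(
        rf"^access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    return set(line.group(1).split()), {(net(a, b), net(c, d)) for a, b, c, d in rules}

def check_peers(left, right):
    """List findings that would break or weaken the tunnel between two peers."""
    (t_l, acl_l), (t_r, acl_r) = parse(left), parse(right)
    findings = []
    if t_l != t_r:
        findings.append("transform-set mismatch: only one side has "
                        + ", ".join(sorted(t_l ^ t_r)))
    if {(dst, src) for src, dst in acl_l} != acl_r:
        findings.append("crypto ACLs are not mirror images")
    findings += [f"weak transform in use: {t}" for t in sorted((t_l | t_r) & WEAK)]
    return findings

if __name__ == "__main__":
    print("\n".join(check_peers(GGSN, PDN)))
```
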

DHCP Server Configuration Example

The following example shows a complete DHCP configuration, including global DHCP configuration, default GPRS DHCP configuration, and DHCP configuration at the GGSN access points:

ip address-pool dhcp-proxy-client 
ip dhcp-server 10.60.0.1
ip dhcp-server 10.101.100.3
ip dhcp-server 10.102.100.3 
ip dhcp excluded-address 10.60.0.1
gprs default ip-address-pool dhcp-proxy-client
gprs default dhcp-server 10.101.100.3 
!
interface virtual-template 1
 ip address 10.10.10.1 255.255.255.0
 no ip directed-broadcast
 encapsulation gtp
 gprs access-point-list abc
!
gprs access-point-list abc
 access-point 1
  access-point-name gprs.everywhere.com
  ip-address-pool dhcp-proxy-client
  dhcp-server 10.101.100.3     
  ip-access-group 101 in
  exit
!
 access-point 2
  access-point-name xyz.com
  ip-address-pool dhcp-proxy-client
  dhcp-server 10.60.0.1       
  dhcp-gateway-address 10.60.0.1       
  exit
!
 access-point 3
  access-point-name www.my_isp.com
  exit
!

Notice the following areas of interest in the DHCP configuration shown in this example:

Three global DHCP servers are configured for the router at 10.60.0.1, 10.101.100.3, and 10.102.100.3 using the ip dhcp-server global configuration command.

The default DHCP server for all GGSN access points is configured as 10.101.100.3 using the gprs default dhcp-server global configuration command.

The first access point specifies a DHCP server located at 10.101.100.3, using the dhcp-server access-point configuration command. This is the same DHCP server that is specified by the gprs default dhcp-server command, so the access-point command is not necessary.

The second access point specifies a DHCP server located at 10.60.0.1, using the dhcp-server access-point configuration command. This DHCP server is different from the DHCP server specified by the gprs default dhcp-server global configuration command.

The third access point does not include any additional DHCP server configuration. For mobile users attempting access at this APN, the GGSN uses the DHCP server 10.101.100.3 to assign IP addresses, according to the value of the gprs default dhcp-server command.
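
The precedence described in the notes above, and in the notes to the RADIUS Server Access Point Configuration Example, can be computed from a configuration: this Python sketch resolves which DHCP or RADIUS server each access point ends up with and marks transparent APNs as unauthenticated. It is an added example, not Cisco code; effective_servers is a hypothetical name and the embedded excerpts are constructed from the two listings on this page.

```python
import re

# Constructed input: access-point lines from the DHCP example on this page.
DHCP_CFG = """\
gprs default dhcp-server 10.101.100.3
gprs access-point-list abc
 access-point 1
  access-point-name gprs.everywhere.com
  dhcp-server 10.101.100.3
 access-point 2
  access-point-name xyz.com
  dhcp-server 10.60.0.1
 access-point 3
  access-point-name www.my_isp.com
"""
# Constructed input: the same lines from the RADIUS access point example.
RADIUS_CFG = """\
gprs default radius-server 10.10.10.1
gprs access-point-list abc
 access-point 1
  access-point-name gprs.somewhere.com
  access-mode transparent
 access-point 2
  access-point-name xyz.com
  access-mode transparent
 access-point 3
  access-point-name www.gprs_somewhere.fr
  access-mode non-transparent
  radius-server 10.11.11.1
"""

def effective_servers(cfg, kind):
    """Return {APN: (server, origin)} for kind 'dhcp-server' or 'radius-server'."""
    m = re.search(rf"^gprs default {kind} (\S+)", cfg, re.M)
    default = m.group(1) if m else None
    apns, cur = [], None
    for words in (line.split() for line in cfg.splitlines()):
        if words[:1] == ["access-point"]:        # start of a new access point
            cur = {}
            apns.append(cur)
        elif cur is not None and len(words) == 2:  # "<command> <value>" inside it
            cur[words[0]] = words[1]
    out = {}
    for s in apns:
        name = s.get("access-point-name")
        if kind == "radius-server" and s.get("access-mode") == "transparent":
            out[name] = (None, "no authentication")  # GGSN does not authenticate
        elif kind in s:
            origin = "redundant override" if s[kind] == default else "access point"
            out[name] = (s[kind], origin)
        else:
            out[name] = (default, "global default")
    return out
```
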

Charging Gateway Configuration Example

The following example configures a primary charging gateway at IP address 10.100.0.3, and a backup charging gateway at IP address 10.100.0.2:

gprs default charging-gateway 10.100.0.3 10.100.0.2

Complete GGSN Configuration Example

This example shows a complete GGSN router configuration. For detailed information on commands used with the GPRS interface, refer to the "Command Reference" section on page 45. For detailed information on the basic Cisco IOS commands shown in the example, refer to the Cisco IOS Interface Command Reference, the Cisco IOS IP Command References, or the Cisco IOS Security Command Reference.

!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service gprs ggsn
!
hostname c7206-4
!
aaa new-model
aaa authentication ppp default radius
aaa authorization network default radius
enable password mypass
!
ip subnet-zero
ip domain-name gprs.com
ip name-server 99.100.0.2
ip dhcp excluded-address 60.0.0.1
!
! local IP address pool
ip dhcp pool 1
 network 60.0.0.0 255.255.255.0
!
ip address-pool dhcp-proxy-client
ip dhcp-server 60.0.0.1
ip dhcp-server 99.100.0.3
!
interface Loopback0
 ip address 60.0.0.1 255.0.0.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
interface Tunnel0
 ip address 97.0.0.1 255.0.0.0
 no ip directed-broadcast
 ip mtu 1476
 tunnel source 4.0.0.1
 tunnel destination 131.108.164.19
!
! Interface to communicate with Virtual Template on SGSN
interface FastEthernet0/0
 ip address 35.0.0.2 255.0.0.0
 ip helper-address 99.100.0.3
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 no keepalive
!
! interface to communicate with the PDN
interface FastEthernet1/0
 ip address 4.0.0.1 255.0.0.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
! Interface to TFTP server
interface Ethernet2/0
 ip address 99.102.0.54 255.255.0.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
!
! Virtual Template configuration
interface virtual-template 1
 ip address 10.10.10.1 255.255.255.0
 no ip directed-broadcast
 encapsulation gtp
 gprs access-point-list abc
ip classless
!
! Route for the virtual template on the SGSN
ip route 1.1.1.1 255.255.255.255 FastEthernet0/0
access-list 101 deny   ip host 4.0.0.2 host 2.0.0.1
dialer-list 1 protocol ip permit
snmp-server community public RW
!
!
! Global DHCP server, charging server, and RADIUS server information
gprs default dhcp-server 99.100.0.3     
gprs default charging-gateway 99.100.0.3 99.100.0.2
gprs charging server-switch-timer 0
!
radius-server host 99.100.0.2 auth-port 1645 acct-port 1646
radius-server key mykey
!
!
! access-point list configuration
! access point for access to PDN
gprs access-point-list abc
 access-point 1
  access-point-name gprs.company.com
  dhcp-server 99.100.0.3     
  exit
!
!access point for access to a private network
 access-point 2
  access-point-name xyz.com
  dhcp-server 60.0.0.1       
  dhcp-gateway-address 60.0.0.1       
  use-interface Tunnel0 next-hop-address 97.0.0.21
  exit
!
! access point for access to PDN
 access-point 3
  access-point-name www.gprs_mycompany
  access-mode non-transparent
  radius-server  99.100.0.2     
  exit
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
 exec-timeout 0 0
 transport input all
line vty 0 4
 exec-timeout 0 0
 password mypass
!
end