Guest

Cisco ASR 1000 Series Aggregation Services Routers

Intelligent Wireless Access Gateway on ASR 1000 Routers for Service Provider WiFi Offload

Hierarchical Navigation

Downloads

 Feedback

Table Of Contents

iWAG on ASR 1000 Series Aggregation Services Routers for Service Provider WiFi Offload

Finding Feature Information

Contents

Overview of the iWAG Deployment

Restrictions for the GTP of the iWAG

Information About IP Address Assignment

Information About Authentication Methods

Information About GGSN Selection

How to Authenticate, Authorize, and Account for the iWAG

How to Configure DHCP when the iWAG Acts as a DHCP Proxy

How to Configure the Cisco ISG Class Map and Policy Map for the iWAG

How to Configure a Subscriber Initiator for the iWAG

How to Configure a Tunnel Initiator for the iWAG

How to Enable Mobile Client Service Abstraction and Access Lists

How to Configure the GTP of the iWAG

Configuration Examples for the iWAG

Example: Configuring the iWAG Using the TAL Authentication Method

Example: Configuring the iWAG Using the EAP-SIM Authentication Method

Example: Configuring the iWAG Using the Web Logon Authentication Method

Multiple Flows Tunnel

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Feature Information for the iWAG on the Cisco ASR 1000 Series Routers for Service Provider WiFi Offload


iWAG on ASR 1000 Series Aggregation Services Routers for Service Provider WiFi Offload

First Published: November 28, 2012
Last Updated: March 28, 2013

The deployment of the Intelligent Wireless Access Gateway (iWAG) feature on the Cisco ASR 1000 Series Aggregation Services Routers involves two main technologies: the General Packet Radio Service (GPRS) Tunneling Protocol (GTP) for connecting to the Cisco Gateway GPRS Support Node (Cisco GGSN) and the Mobile Access Gateway (MAG) using Proxy Mobile IPv6 (PMIPv6) for connecting to the Cisco Packet Data Network Gateway (PGW). The integration of these two technologies with the Cisco Intelligent Service Gateway (ISG), in combination with the Service Provider (SP) WiFi, is the key concept of the iWAG.

The iWAG on the Cisco ASR 1000 Series Aggregation Services Routers provides a clientless solution to integrate with existing 3G mobile cores through Cisco GGSN using the GTP. Leveraging the Cisco ISG framework, the iWAG can selectively divert user traffic towards a mobile network or offload to the Internet directly. This document provides information about the GTP of the iWAG and its configurations.

For more information about PMIPv6 and ISG configurations for iWAG, see Intelligent Wireless Access Gateway Configuration Guide, Cisco IOS XE Release 3S.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest information about features and caveats, see the release notes document pertaining to your platform and software release. To find information about the features documented in this module and to view a list of the releases in which each feature is supported, see the "Feature Information for the iWAG on the Cisco ASR 1000 Series Routers for Service Provider WiFi Offload" section.

Use the Cisco Feature Navigator to find information about platform support and Cisco IOS and Cisco Catalyst operating system software image support. To access the Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Overview of the iWAG Deployment

Restrictions for the GTP of the iWAG

Information About IP Address Assignment

Information About Authentication Methods

Information About GGSN Selection

How to Authenticate, Authorize, and Account for the iWAG

How to Configure DHCP when the iWAG Acts as a DHCP Proxy

How to Configure the Cisco ISG Class Map and Policy Map for the iWAG

How to Configure a Subscriber Initiator for the iWAG

How to Configure a Tunnel Initiator for the iWAG

How to Enable Mobile Client Service Abstraction and Access Lists

How to Configure the GTP of the iWAG

Configuration Examples for the iWAG

Multiple Flows Tunnel

Additional References

Feature Information for the iWAG on the Cisco ASR 1000 Series Routers for Service Provider WiFi Offload

Overview of the iWAG Deployment

Service providers use a combination of WiFi and mobility offerings to offload their mobility networks in the area of high-concentration service usage. Providing both WiFi and mobility simultaneously is considered a desirable deployment, which in turn, led to the evolution of the iWAG feature.

The iWAG deployment includes a combination of simple IP users (traditional ISG and WiFi) and mobile IP users (GTP tunneling and PMIPv6). The term mobility service is used to refer to either the GTP service or the PMIPv6 service applied to user traffic. The iWAG provides mobility services to mobile IP users, and as a result, a mobile client can seamlessly access a 3G or 4G mobility network. The iWAG does not provide mobility services to simple IP users. Therefore, simple IP users can access the Public Wireless LAN (PWLAN) network through the Cisco ISG. Clients are devices that access WiFi Internet (public wireless), where possible. However, if WiFi is not available, the same clients connect to the Internet service using a 3G or 4G mobility network.

The iWAG has a transport or switching element with Cisco ISG-subscriber awareness. The iWAG has RADIUS-based authentication and accounting, and policy-based subscriber routing for the WiFi wholesale model.

Figure 1 shows a deployment model of the iWAG on a Cisco ASR 1000 Series Aggregation Services Router.

Figure 1 iWAG Deployment on a Cisco ASR 1000 Series Aggregation Services Router

Restrictions for the GTP of the iWAG

The following restrictions apply to the GTP of the iWAG feature:

Roaming from a 3G mobility network to a WLAN is not supported for the GTP and Cisco ISG sessions.

IPv6 and quality of service (QoS) are not supported.

Only newly established calls are offloaded to the WLAN Third-Generation Partnership Project (3GPP) IP access.

The iWAG solution for WLAN offload is currently available only for the 3G Universal Mobile Telecommunications System (UMTS) and not for 4G Long Term Evolution (LTE).

Note In Cisco IOS XE Release 3.8S, the iWAG may fail to establish the GTPv1 tunnel with the GGSN, for example, with the Cisco ASR 5000 platform. To address this issue, a workaround that involves prepending 19 to the original MSISDN number was introduced in Cisco IOS XE Release 3.8S. The original issue of the iWAG failing to establish the GTPv1 tunnel with the GGSN is fixed in Cisco IOS XE Release 3.8.1S. Therefore, for customers using Cisco IOS XE Release 3.8.1S and later, this workaround is not required. For customers who are using the workaround provided in Cisco IOS XE Release 3.8S, the following commands have been added in the Cisco IOS XE Release 3.8.1S to customize MSISDN encoding:
· information-element msisdn [npi npi-value | ton ton-value]
· radius msisdn leading-digits number of digits

Information About IP Address Assignment

GGSN over GTP tunnel assigns a unique IP address to each subscriber based on the service provider domain. For single IP address assignment (no NAT), the following host configuration parameters must be provisioned for a Microsoft client because the access is WLAN:

Default gateway

Subnet mask and prefix length

Domain Name System (DNS) server address

Dynamic Host Configuration Protocol (DHCP) server address

Information About Authentication Methods

Authentication is the way of identifying users prior to allowing access to a network and its services. The iWAG supports the following authentication methods:

802.1x authentication (such as, Extensible Authentication Protocol Method for GSM Subscriber Identity Module (EAP-SIM), and Extensible Authentication Protocol Method for Authentication and Key Agreement (EAP-AKA)

Web authentication

Media Access Control-Transparent Auto Logon (MAC-TAL) authentication

802.1x Authentication

The 802.1x Authentication method is used in a trusted WiFi network. In this method, the Microsoft client is authenticated before it is assigned an IP address for use.

Web Authentication

The Web authentication method is used in an untrusted WiFi network. In this method, the Microsoft client is authenticated after it is assigned an IP address for use.

The iWAG uses the Cisco ISG functionalities in enforcing the Open Garden policy and L4 Redirect to complete the authentication before tunneling the client's session to the corresponding GGSN.

MAC-TAL Authentication

The MAC-TAL authentication method is associated with the Web authentication method, in which the Microsoft client tries to reauthenticate after moving from one access point to another access point and attempting to reconnect while the AAA server on which it is authenticated still keeps a record of the client's past results. Thus, when such a reconnect occurs, the iWAG gets an Access Accept message for reauthentication using the client's MAC address as the calling station ID.

Information About GGSN Selection

When the GTP has to create a Packet Data Protocol (PDP) context for a Microsoft client, it should also identify the GGSN to which the Create PDP Context Request must be sent. The user profile usually consists of an access point name (APN) or a GGSN address or both. If neither of these is present, a per-box default GGSN address is configured on the iWAG.

The GGSN selection algorithm performs the following procedure to identify a GGSN:

1. If a GGSN address is configured in a user profile, the address will have the highest precedence, and will be picked for use.

If a GGSN address is not present, but an APN is present in a user profile, the APN will be picked for use. The GTP then sends a DNS query to the DNS servers configured on the box to resolve this name into an address or a list of addresses (when the DNS server performs load balancing). If a list of addresses are received in return, GTP records this entire list and performs round-robin assignments from this list when establishing new PDP contexts.

If both the GGSN address and the APN are not present, the default GGSN address is used.

2. After a GGSN address is picked, it is possible that the picked GGSN is not reachable. If the allowed number of attempts to contact the GGSN fails, the GGSN is considered dead. In such a scenario, further retries with a different GGSN address having higher or lower precedence is not performed. The Microsoft client's PDP context simply fails to establish. If this GGSN address comes from DNS resolution, its entry from the GGSN address list for this APN is removed so that an effort to use the APN will not be made again.

How to Authenticate, Authorize, and Account for the iWAG

This section describes how to configure authentication, authorization, and accounting (AAA) for the iWAG on the Cisco ASR 1000 Series Aggregation Services Routers.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa group server radius group-name

5. server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]

6. aaa authentication login {default | list-name} {[passwd-expiry] method1 [method2...]}

7. aaa authorization network authorization-name group server-group name

8. aaa authorization subscriber-service {default {cache | group | local} | list-name} method1 [method2...]

9. aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

10. action-type {none | start-stop | stop-only}

11. group {tacacs+ server-group}

12. aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

aaa new-model

Example:

Router(config)# aaa new-model

Enables the AAA access control model.

Step 4 

aaa group server radius group-name

Example:

Router(config)# aaa group server radius AAA_SERVER_CAR

Groups different RADIUS server hosts into distinct lists and distinct methods.

Step 5 

server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]

Example:

Router(config-sg-radius)# server-private 5.3.1.76 auth-port 2145 acct-port 2146 key cisco

Configures the IP address of the private RADIUS server for the group server.

Step 6 

aaa authentication login {default | list-name} {[passwd-expiry] method1 [method2...]}

Example:

Router(config-sg-radius)# aaa authentication login default none

Sets AAA authentication at login.

Step 7 

aaa authorization network authorization-name group server-group name

Example:

Router(config)# aaa authorization network ISG_PROXY_LIST group AAA_SERVER_CAR

Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP), PPP Network Control Programs (NCPs), and AppleTalk Remote Access (ARA).

Step 8 

aaa authorization subscriber-service {default {cache | group | local} | list-name} method1 [method2...]

Example:

Router(config)# aaa authorization subscriber-service default local group AAA_SERVER_CAR

Specifies one or more AAA authorization methods for the Cisco ISG to provide subscriber service.

Step 9 

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

Example:

Router(config)# aaa accounting network PROXY_TO_CAR

Enables AAA accounting of requested services for billing and security purposes when RADIUS or TACACS+ is used.

Step 10 

action-type {none | start-stop | stop-only}

Example:

Router(cfg-acct-mlist)# action-type start-stop

Enables the type of actions to be performed on accounting records.

Step 11 

group {tacacs+ server-group}

Example:

Router(cfg-preauth)# group AAA_SERVER_CAR

Specifies the AAA TACACS+ server group to use for preauthentication.

Step 12 

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

Example:

Router(config)# aaa accounting network ISG_PROXY_LIST start-stop group AAA_SERVER_CAR

Enables AAA accounting of requested services for billing and security purposes when you use RADIUS or TACACS+.

DETAILED STEPS

How to Configure DHCP when the iWAG Acts as a DHCP Proxy

This section describes how to configure a Dynamic Host Configuration Protocol (DHCP) for the iWAG on Cisco ASR 1000 Series Aggregation Services Routers when the iWAG acts as a DHCP proxy.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip dhcp excluded-address [vrf vrf-name] ip-address [last-ip-address]

4. ip dhcp pool pool-name

5. network network-number [mask [secondary] | /prefix-length [secondary]

6. default-router ip-address

7. domain-name domain

8. lease {days [hours [minutes]] | infinite}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

ip dhcp excluded-address [vrf vrf-name] ip-address

Example:

Router(config)# ip dhcp excluded-address 192.168.10.1

Specifies the IP address that a DHCP server should not assign to DHCP clients.

Step 4 

ip dhcp pool pool-name

Example:

Router(config)# ip dhcp pool test

Configures a DHCP address pool on a DHCP server and enters the DHCP pool configuration mode.

Step 5 

network network-number [mask [secondary] | /prefix-length [secondary]

Example:

Router(dhcp-config)# network 192.168.0.0 255.255.0.0

Configures the network number and mask for a DHCP address pool primary subnet or DHCP address pool secondary subnet on a Cisco IOS DHCP server.

Step 6 

default-router ip-address [last-ip-address]

Example:

Router(dhcp-config)# default-router 192.168.10.1

Specifies the default router list for a DHCP client.

Step 7 

domain-name domain

Example:

Router(dhcp-config)# domain-name starent.com

Specifies the domain name for a DHCP client.

Step 8 

lease {days [hours [minutes]] | infinite}

Example:

Router(dhcp-config)# lease 1 2 2

Configures the duration of the lease for an IP address that is assigned from a Cisco IOS DHCP server to a DHCP client.

How to Configure the Cisco ISG Class Map and Policy Map for the iWAG

This section describes how to configure the Cisco ISG class map and policy map for the iWAG.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type traffic match-any class-map-name

4. match access-group output {access-group | name access-group-name}

5. match access-group input {access-group | name access-group-name}

6. policy-map type service policy-map-name

7. [priority] class type traffic {class-map-name | default {in-out | input | output}}

8. accounting aaa list aaa-method-list

9. [priority] class type traffic {class-map-name | default {in-out | input | output}}

10. drop

11. policy-map type control policy-map-name

12. class type control {control-class-name | always} [event {access-reject | account-logoff | account-logon | acct-notification | credit-exhausted | dummy-event | quota-depleted | radius-timeout | service-failed | service-start | service-stop | session-default-service | session-restart | session-service-found | session-start | timed-policy-expiry}]

13. action-number service-policy type service [unapply] [aaa list list-name] {name service-name | identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username}}

14. action-number authorize [aaa {list-name | list {list-name | default}} [password password]] [upon network-service-found {continue | stop}] [use method authorization-type] identifier identifier-type [plus identifier-type]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

class-map type traffic match-any class-map-name

Example:

Router(config)# class-map type traffic match-any TC_OPENGARDEN

Creates or modifies a traffic class map that is used for matching packets to a specified Cisco ISG traffic class.

Step 4 

match access-group output {access-group | name access-group-name}

Example:

Router(config-traffic-classmap)# match access-group output name ACL_OUT_OPENGARDEN

Configures the match criteria for a Cisco ISG traffic class map on the basis of the specified access control list (ACL).

Step 5 

match access-group input {access-group | name access-group-name}

Example:

Router(config-traffic-classmap)# match access-group input name ACL_IN_OPENGARDEN

Configures the match criteria for a Cisco ISG traffic class map on the basis of the specified ACL.

Step 6 

policy-map type service policy-map-name

Example:

Router(config)# policy-map type service OPENGARDEN_SERVICE

Creates or modifies a service policy map that is used to define a Cisco ISG subscriber service.

Step 7 

[priority] class type traffic {class-map-name | default {in-out | input | output}}

Example:

Router(config-service-policymap)# 20 class type traffic TC_OPENGARDEN

Creates or modifies a traffic class map that is used for matching packets to a specified Cisco ISG traffic class.

Step 8 

accounting aaa list aaa-method-list

Example:

Router(config-service-policymap)# accounting aaa list PROXY_TO_CAR

Enables Cisco ISG accounting and specifies an AAA method list to which accounting updates are forwarded.

Step 9 

[priority] class type traffic {class-map-name | default {in-out | input | output}}

Example:

Router(config-service-policymap)# class type traffic default in-out

Creates or modifies a traffic class map that is used for matching packets to a specified Cisco ISG traffic class.

Step 10 

drop

Example:

Router(config-service-policymap)# drop

Configures a Cisco ISG to discard packets belonging to the default traffic class.

Step 11 

policy-map type control policy-map-name

Example:

Router(config)# policy-map type control BB_PROFILE

Creates or modifies a control policy map that defines a Cisco ISG control policy.

Step 12 

class type control {control-class-name | always} [event {access-reject | account-logoff | account-logon | acct-notification | credit-exhausted | dummy-event | quota-depleted | radius-timeout | service-failed | service-start | service-stop | session-default-service | session-restart | session-service-found | session-start | timed-policy-expiry}]

Example:

Router (config-control-policymap)# class type control always event session-start

Specifies a control class for which actions can be configured in a Cisco ISG control policy.

Step 13 

action-number service-policy type service [unapply] [aaa list list-name] {name service-name | identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username}}

Example:

Router(config-control-policymap-class-control)# 10 service-policy type service name OPENGARDEN_SERVICE

Activates a Cisco ISG service.

Step 14 

action-number authorize [aaa {list-name | list {list-name | default}} [password password]] [upon network-service-found {continue | stop}] [use method authorization-type] identifier identifier-type [plus identifier-type]

Example:

Router(config-control-policymap-class-control)# 20 authorize aaa list ISG_PROXY_LIST password cisco identifier mac-address

Initiates a request for authorization based on a specified identifier in a Cisco ISG control policy.

How to Configure a Subscriber Initiator for the iWAG

This section describes how to configure a subscriber initiator for the iWAG.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface GigabitEthernet slot/subslot/port

4. description string

5. ip address ip-address mask [secondary [vrf vrf-name]]

6. negotiation auto

7. service-policy type control policy-map-name

8. ip subscriber {l2-connected | routed}

9. initiator {dhcp [class-aware] | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified mac}

10. initiator {dhcp [class-aware] | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified mac}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

interface GigabitEthernet slot/subslot/port

Example:

Router(config)# interface GigabitEthernet 1/3/3

Enters the interface configuration mode for Gigabit Ethernet.

Step 4 

description string

Example:

Router(config-if)# description access interface connected to subscriber

Adds a description to an interface configuration.

Step 5 

ip address ip-address mask [secondary [vrf vrf-name]]

Example:

Router(config-if)# ip address 192.171.10.1 255.255.0.0

Sets a primary IP address or secondary IP address for an interface.

Step 6 

negotiation auto

Example:

Router(config-if)# negotiation auto

Enables auto negotiation on a Gigabit Ethernet interface.

Step 7 

service-policy type control policy-map-name

Example:

Router(config-if)# service-policy type control BB_Profile

Applies a control policy to a context.

Step 8 

ip subscriber {l2-connected | routed}

Example:

Router(config-if)# ip subscriber l2-connected

Enables Cisco ISG IP subscriber support on an interface and specifies the access method that IP subscribers use for connecting to the Cisco ISG on an interface.

Step 9 

initiator {dhcp [class-aware] | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified mac-address}

Example:

Router(config-subscriber)# initiator unclassified mac-address

Enables Cisco ISG to create an IP subscriber session upon receipt of a specified type of packet.

Step 10 

initiator {dhcp [class-aware] | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified mac-address}

Example:

Router(config-subscriber)# initiator dhcp

Enables Cisco ISG to create an IP subscriber session upon receipt of a specified type of packet.

How to Configure a Tunnel Initiator for the iWAG

This section describes how to configure a tunnel initiator for the iWAG.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface GigabitEthernet slot/subslot/port

4. description string

5. ip address ip-address mask [secondary [vrf vrf-name]]

6. negotiation auto

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

interface GigabitEthernet slot/subslot/port

Example:

Router(config)# interface GigabitEthernet 1/3/5

Enters the interface configuration mode for Gigabit Ethernet interface.

Step 4 

description string

Example:

Router(config-if)# description interface connected to GGSN

Adds a description to an interface configuration.

Step 5 

ip address ip-address mask [secondary [vrf vrf-name]]

Example:

Router(config-if)# ip address 192.170.10.1 255.255.0.0

Sets a primary IP address or secondary IP address for an interface.

Step 6 

negotiation auto

Example:

Router(config-if)# negotiation auto

Enables auto negotiation on a Gigabit Ethernet interface.

How to Enable Mobile Client Service Abstraction and Access Lists

This section describes how to enable mobile client service abstraction and access lists on the Cisco ASR 1000 Series Aggregation Services Routers.

SUMMARY STEPS

1. enable

2. configure terminal

3. mcsa

4. enable sessionmgr

5. ip access-list {{standard | extended} {access-list-name | access-list-number} | helper egress check}

6. permit ip any any

7. permit udp any any

8. ip access-list {{standard | extended} {access-list-name | access-list-number} | helper egress check}

9. permit ip any any

10. permit udp any any

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

mcsa

Example:

Router(config)# mcsa

Enables mobile client service abstraction on the Cisco ASR 1000 Series Aggregation Services Routers.

Step 4 

enable sessionmgr

Example:

Router(config-mcsa)# enable sessionmgr

Enables mobile client service abstraction to receive notifications from the Cisco ISG.

Step 5 

ip access-list {{standard | extended} {access-list-name | access-list-number} |

helper egress check}

Example:

Router(config)# ip access-list extended ACL_IN_OPENGARDEN

Defines an IP access list by name or number, or enables filtering for packets with IP helper address destinations.

Step 6 

permit ip any any

Example:

Router(config-ext-nacl)# permit ip any any

Sets conditions to allow a packet to pass a named IP access list.

Step 7 

permit udp any any

Example:

Router(config-ext-nacl)# permit udp any any

Sets conditions to allow a packet to pass a named UDP access list.

Step 8 

ip access-list {{standard | extended} {access-list-name | access-list-number} |

helper egress check}

Example:

Router(config)# ip access-list extended ACL_OUT_OPENGARDEN

Defines an IP access list by name or number, or enables filtering for packets with IP helper-address destinations.

Step 9 

permit ip any any

Example:

Router(config-ext-nacl)# permit ip any any

Sets conditions to allow a packet to pass a named IP access list.

Step 10 

permit udp any any

Example:

Router(config-ext-nacl)# permit udp any any

Sets conditions to allow a packet to pass a named UDP access list.

How to Configure the GTP of the iWAG

This section describes how to configure the GTP of the iWAG on Cisco ASR 1000 Series Aggregation Services Routers.

SUMMARY STEPS

1. enable

2. configure terminal

3. gtp

4. n3-request request-number

5. interval t3-response response-number

6. interval echo-request request-number

7. interface local GigabitEthernet slot/subslot/port

8. apn apn-name

9. ip address ggsn ip-address

10. default-gw address prefix-len value

11. dns-server ip-address

12. dhcp-server ip-address

13. dhcp-lease seconds

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables the privileged EXEC mode.

Enter your password, if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters the global configuration mode.

Step 3 

gtp

Example:

Router(config)# gtp

Configures the GTP for the iWAG on the Cisco ASR 1000 Series Aggregation Services Routers.

Step 4 

n3-request number of requests

Example:

Router(config-gtp)# n3-request 3

Specifies the number of times a control message must be retried before a failure is issued. The default value is 5.

Step 5 

interval t3-response number of seconds

Example:

Router(config-gtp)# interval t3-response 10

Specifies the time interval, in seconds, for which the Serving GPRS Support Node (SGSN) of the iWAG waits for a response for the control message sent. The default value is 1.

Step 6 

interval echo-request request-number

Example:

Router(config-gtp)# interval echo-request 60

Specifies the time interval, in seconds, for which the SGSN for the iWAG waits for before sending an echo request message. The range is from 60 to 65535. The default value is 60. The value of 0 disables the Echo Request feature.

Step 7 

interface local GigabitEthernet slot/subslot/port

Example:

Router(config-gtp)# interface local GigabitEthernet 0/0/3

Configures the transport interface to communicate with the GGSN.

Step 8 

apn apn-name

Example:

Router(config-gtp)# apn starent.com

Configures an ASCII regular expression string to be matched against the APN for general packet radio service (GPRS) load balancing.

Step 9 

ip address ggsn ip-address

Example:

Router(config-gtp-apn)# ip address ggsn 192.170.10.2

Sets the IP address for the GGSN.

Step 10 

default-gw address prefix-len value

Example:

Router(config-gtp-apn)# default-gw 192.171.10.1 prefix-len 16

Specifies the default gateway address of the subscriber.

Step 11 

dns-server ip-address

Example:

Router(config-gtp-apn)# dns-server 192.165.1.1

Specifies the Domain Name System (DNS) IP servers that are available for a DHCP client.

Step 12 

dhcp-server ip-address

Example:

Router(config-gtp-apn)# dhcp-server 192.168.10.1

Specifies primary and backup DHCP servers to allocate IP addresses to mobile station users entering a particular public data network (PDN) access point.

Step 13 

dhcp-lease seconds

Example:

Router(config-gtp-apn)# dhcp-lease 3000

Configures the duration of the lease for an IP address that is assigned from a Cisco IOS DHCP Server to a DHCP client.

Configuration Examples for the iWAG

This section provides the following configuration examples:

Example: Configuring the iWAG Using the TAL Authentication Method

Example: Configuring the iWAG Using the EAP-SIM Authentication Method

Example: Configuring the iWAG Using the Web Logon Authentication Method

Example: Configuring the iWAG Using the TAL Authentication Method

The following example shows how to configure the iWAG using the TAL authentication method: 

aaa new-model

!

!

aaa group server radius AAA_SERVER_CAR

server-private 5.3.1.76 auth-port 2145 acct-port 2146 key cisco

!

aaa authentication login default none

aaa authorization network ISG_PROXY_LIST group AAA_SERVER_CAR 

aaa authorization subscriber-service default local group AAA_SERVER_CAR 

aaa accounting network PROXY_TO_CAR

action-type start-stop

group AAA_SERVER_CAR

!

aaa accounting network ISG_PROXY_LIST start-stop group AAA_SERVER_CAR

!

!

!

ip dhcp excluded-address 192.168.10.1

ip dhcp excluded-address 192.168.10.2

ip dhcp excluded-address 192.168.10.3

!

ip dhcp pool TEST

network 192.168.0.0 255.255.0.0

default-router 192.168.10.1 

domain-name starent.com

lease 1 2 2

!

class-map type traffic match-any TC_OPENGARDEN

match access-group output name ACL_OUT_OPENGARDEN

match access-group input name ACL_IN_OPENGARDEN

!

policy-map type service OPENGARDEN_SERVICE

20 class type traffic TC_OPENGARDEN

accounting aaa list PROXY_TO_CAR

!

class type traffic default in-out

drop

!

!

policy-map type control BB_PROFILE

class type control always event session-start

10 service-policy type service name OPENGARDEN_SERVICE

20 authorize aaa list ISG_PROXY_LIST password cisco identifier mac-address 

 !

!

interface GigabitEthernet1/3/3

descriptions interface connected to LS-IP APP Node

ip address 192.171.10.1 255.255.0.0

negotiation auto

service-policy type control BB_PROFILE

ip subscriber l2-connected

initiator unclassified mac-address

initiator dhcp

!

interface GigabitEthernet1/3/5

descriptions connected to LS-GGSN

ip address 192.170.10.1 255.255.0.0

negotiation auto

!         

mcsa

enable sessionmgr

!

!

ip access-list extended ACL_IN_OPENGARDEN

permit ip any any

permit udp any any

ip access-list extended ACL_OUT_OPENGARDEN

permit ip any any

permit udp any any

!

!

gtp

n3-request 3

interval t3-response 10

interval echo-request 60

interface local GigabitEthernet0/0/3

apn 1

apn-name starent.com

ip address ggsn 192.170.10.2

default-gw 192.168.10.1 prefix-len 16

dns-server 192.165.1.1

dhcp-server 192.168.10.1

dhcp-lease 30000

!

End

Example: Configuring the iWAG Using the EAP-SIM Authentication Method

The following example shows how to configure the iWAG using the Extensible Authentication Protocol Method for GSM Subscriber Identity Module (EAP-SIM) authentication method with RADIUS proxy initiator: 

aaa new-model

!

!

aaa group server radius AAA_SERVER_CAR

server-private 192.171.10.2 auth-port 1812 acct-port 1813 key cisco

!

aaa authentication login default none

aaa authorization subscriber-service default local group AAA_SERVER_CAR 

aaa authorization radius-proxy ISG_PROXY_LIST group AAA_SERVER_CAR 

aaa accounting delay-start

aaa accounting network default start-stop group AAA_SERVER_CAR

aaa accounting network PROXY_TO_CAR

action-type start-stop

group AAA_SERVER_CAR

!

aaa accounting network ISG_ACCOUNTING_LIST start-stop group AAA_SERVER_CAR

!

!

aaa server radius proxy 

key cisco

calling-station-id format mac-address

authentication port 1812

re-authentication do-not-apply

accounting method-list PROXY_TO_CAR

accounting port 1813

timer ip-address 43200

timer request 43200

timer reconnect 43200

client 192.168.10.3 255.255.255.255

  !

!

ip dhcp excluded-address 192.168.10.1

ip dhcp excluded-address 192.168.10.2

ip dhcp excluded-address 192.168.10.3

!

ip dhcp pool TEST

network 192.168.0.0 255.255.0.0

default-router 192.168.10.1 

domain-name starent.com

lease 1 2 2

!

!

class-map type traffic match-any TC_OPENGARDEN

match access-group output name ACL_OUT_OPENGARDEN

match access-group input name ACL_IN_OPENGARDEN

!

policy-map type service OPENGARDEN_SERVICE

20 class type traffic TC_OPENGARDEN

accounting aaa list ISG_ACCOUNTING_LIST

!

!

policy-map type control BB_PROFILE

class type control always event session-start

1 proxy aaa list ISG_PROXY_LIST 

20 service-policy type service name OPENGARDEN_SERVICE

!

!

interface GigabitEthernet1/3/3

description connected to subscriber 

ip address 192.171.10.1 255.255.0.0

negotiation auto

service-policy type control BB_PROFILE

ip subscriber l2-connected

initiator dhcp

initiator radius-proxy

!

interface GigabitEthernet1/3/4

description interface connected to AAA server

ip address 192.171.10.1 255.255.0.0

negotiation auto

!

interface GigabitEthernet1/3/5

description connected to GGSN

ip address 192.170.10.1 255.255.0.0

negotiation auto

!

!

mcsa

enable sessionmgr

!

ip access-list extended ACL_IN_OPENGARDEN

permit ip any any

permit udp any any

ip access-list extended ACL_OUT_OPENGARDEN

permit ip any any

permit udp any any

!

radius-server attribute 44 include-in-access-req default-vrf

radius-server attribute 44 extend-with-addr

radius-server attribute 8 include-in-access-req

radius-server attribute 32 include-in-access-req

radius-server attribute 32 include-in-accounting-req 

radius-server attribute 55 include-in-acct-req

radius-server attribute 55 access-request include

radius-server attribute 31 send nas-port-detail

radius-server source-ports extended

radius-server throttle accounting 50

radius-server unique-ident 49

radius-server vsa send accounting

radius-server vsa send authentication

!

!

gtp

n3-request 3

interval t3-response 10

interval echo-request 60

information-element rat-type wlan

interface local GigabitEthernet0/0/3

apn 1

apn-name starent.com

ip address ggsn 192.170.10.2

default-gw 192.168.10.1 prefix-len 16

dns-server 192.165.1.1

dhcp-server 192.168.10.1

!

End

Example: Configuring the iWAG Using the Web Logon Authentication Method

The following example shows how to configure the iWAG using the Web logon authentication method: 

aaa new-model

!

!

aaa group server radius AAA_SERVER_CAR

server-private 5.3.1.76 auth-port 2145 acct-port 2146 key cisco

!

aaa authentication login default none

aaa authentication login ISG_PROXY_LIST group AAA_SERVER_CAR

aaa authorization network ISG_PROXY_LIST group AAA_SERVER_CAR 

aaa authorization subscriber-service default local group AAA_SERVER_CAR 

aaa accounting network PROXY_TO_CAR

action-type start-stop

group AAA_SERVER_CAR

!

aaa accounting network ISG_PROXY_LIST start-stop group AAA_SERVER_CAR

!

aaa server radius dynamic-author

client 5.3.1.76 server-key cisco

auth-type any

ignore server-key

!

ip dhcp excluded-address 192.168.10.1

ip dhcp excluded-address 192.168.10.2

ip dhcp excluded-address 192.168.10.3

!         

ip dhcp pool TEST

network 192.168.0.0 255.255.0.0

default-router 192.168.10.1 

domain-name starent.com

lease 1 2 2

!

!

redirect server-group REDIRECT-SERVER-GROUP1

server ip 5.3.1.76 port 10080

!

!

ip tftp source-interface GigabitEthernet0

class-map type traffic match-any TC_L4R_class

match access-group input name TC_L4R

!

class-map type traffic match-any TC_OPENGARDEN

match access-group output name ACL_OUT_OPENGARDEN

match access-group input name ACL_IN_OPENGARDEN

!

policy-map type service OPENGARDEN_SERVICE

20 class type traffic TC_OPENGARDEN

accounting aaa list PROXY_TO_CAR

!

class type traffic default in-out

drop

!

!

policy-map type service L4Redirect_service

10 class type traffic TC_L4R_class

redirect to group REDIRECT-SERVER-GROUP1

!

!

policy-map type control BB_PROFILE

class type control always event session-start

10 service-policy type service name L4Redirect_service

20 service-policy type service name OPENGARDEN_SERVICE

!

class type control always event account-logon

10 authenticate aaa list ISG_PROXY_LIST 

20 service-policy type service unapply name L4Redirect_service

!

!

interface GigabitEthernet1/3/3

description interface connected to subscriber

ip address 192.171.10.1 255.255.0.0

negotiation auto

service-policy type control BB_PROFILE

ip subscriber l2-connected

initiator unclassified mac-address

initiator dhcp

!

!

interface GigabitEthernet1/3/5

descriptions interface connected to GGSN

ip address 192.170.10.1 255.255.0.0

negotiation auto

!

!

mcsa

enable sessionmgr

!

!

ip access-list extended ACL_IN_OPENGARDEN

permit ip any any

permit udp any any

ip access-list extended ACL_OUT_OPENGARDEN

permit ip any any

permit udp any any

ip access-list extended TC_L4R

permit udp any any

permit tcp any any

!

!

radius-server attribute 44 include-in-access-req default-vrf

radius-server attribute 8 include-in-access-req

radius-server attribute 32 include-in-access-req 

radius-server attribute 32 include-in-accounting-req 

radius-server attribute 55 include-in-acct-req

radius-server attribute 55 access-request include

no radius-server attribute nas-port

radius-server source-ports extended

radius-server unique-ident 73

!

gtp

n3-request 3

interval t3-response 10

interval echo-request 60

information-element rat-type wlan

interface local GigabitEthernet 0/0/3

apn 1

apn-name starent.com

ip address ggsn 192.170.10.2

default-gw 192.168.10.1 prefix-len 16

dns-server 192.165.1.1

dhcp-server 192.168.10.1

dhcp-lease 30000

!

End

Multiple Flows Tunnel

A tunnel provides a bidirectional transport or conduit to forward subscriber traffic. In PMIPv6, subscriber traffic is transported between the MAG and the Local Mobility Anchor (LMA) through the Generic Routing Encapsulation (GRE) tunnel. In the GTP, subscriber traffic is transported between the iWAG and the GGSN through the GTP tunnel. Tunnel information structure is associated with each tunnel and specifies common tunnel attributes, such as source address, destination address, protocol, port, key, tunnel transport VRF, and tunnel mode.

Both the GTP and PMIPv6 support multiple flows per tunnel. A multiple flow tunnel mechanism configures and manages multiple flows of traffic transported within the same tunnel. Each flow is identified by a flow key. A flow identifier or key is a 32-bit integer. The key is globally unique per system for the GTP. However, the key can be unique per tunnel for PMIPv6. The flow key for the GTP is the Tunnel Endpoint Identifier (TEID) and for PMIPv6, it is the GRE key. Each flow has a per-flow associated context, having parameters to describe per-flow attributes.

PMIPv6 uses multipoint GRE tunnel per LMA, and creates one adjacency per flow. An LMA can support scaling numbers up to 128,000 MAG. From the LMA perspective, only one multipoint GRE tunnel interface is created and 128,000 tunnel endpoints are populated. This scaling level supports the MAG functionality that is implemented on access points or hotspots, from which only one or few PMIPv6 subscribers can be attached. Cisco high-end routing platforms, such as the Cisco ASR 1000 Series Route
Processor 2, the Cisco ASR 1000 Series 40-Gbps ESP, and the Cisco ASR 1000 Series 100-Gbps ESP support 128,000 scaling for the LMA.

To support 128,000 scaling, configure the following on the LMA: 

ipv6 mobile pmipv6-lma LMA1 domain D1

bce maximum 128000

Additional References

The following sections provide references related to the iWAG feature.

Related Documents

Related Topic
Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

Intelligent Services Gateway

Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S

Cisco IOS Configuration Fundamentals

Cisco IOS Configuration Fundamentals Command Reference


Standards

Standard
Title

No new or modified standards are supported by this feature.


MIBs

MIB
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use the Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC1
Title

RFC 5213

Proxy Mobile IPv6

RFC 5844

IPv4 Support for Proxy Mobile IPv6

RFC 5845

Generic Routing Encapsulation (GRE) Key Option for Proxy Mobile IPv6

1 Not all the supported RFCs are listed.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html


Feature Information for the iWAG on the Cisco ASR 1000 Series Routers for Service Provider WiFi Offload

Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 3.8.0S or a later release appear in the table.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the corresponding command reference documentation.

Use the Cisco Feature Navigator to find information about platform support and software image support. The Cisco Feature Navigator enables you to determine which Cisco IOS and Cisco Catalyst operating system software images support a specific software release, feature set, or platform. To access the Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for the iWAG on the Cisco ASR 1000 Series Aggregation Services Routers

Feature Name
Releases
Feature Information

iWAG Access Tunnels for PMIPv6 LMA (128,000 tunnels)

3.9S

In Cisco IOS XE Release 3.9S, this feature was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.

For information on this feature, see "Multiple Flows Tunnel" section.

iWAG on the Cisco ASR 1000 Series Aggregation Services Routers for Service Provider WiFi Offload

3.8S

The iWAG deployment involves two main technologies: GTP for connecting to the Cisco GGSN and MAG using PMIPv6 for connecting to the Cisco PGW. The integration of these two technologies with Cisco ISG in combination with service provider WiFi is the key concept of the iWAG feature.

In Cisco IOS XE Release 3.8S, this feature was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.


Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012-2013 Cisco Systems, Inc. All rights reserved.