Configuring the System as a Standalone eGTP S-GW
Information Required
Required Local Context Configuration Information
Required Information | Description |
---|---|
Management Interface Configuration | |
Interface name | An identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. |
IP address and subnet | IPv4 addresses assigned to the interface. Multiple addresses and subnets are needed if multiple interfaces will be configured. |
Physical port number | The physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides followed by the number of the physical connector on the card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. |
Gateway IP address | Used when configuring static IP routes from the management interface(s) to a specific network. |
Security administrator name | The name or names of the security administrator with full rights to the system. |
Security administrator password | Open or encrypted passwords can be used. |
Remote access type(s) | The type of remote access that will be used to access the system such as telnetd, sshd, and/or ftpd. |
Required S-GW Ingress Context Configuration Information
Required Information | Description |
---|---|
S-GW ingress context name | An identification string from 1 to 79 characters (alpha and/or numeric) by which the S-GW ingress context is recognized by the system. |
Accounting policy name | An identification string from 1 to 63 characters (alpha and/or numeric) by which the accounting policy is recognized by the system. The accounting policy is used to set parameters for the Rf (off-line charging) interface. |
S1-U/S11 Interface Configuration (To/from eNodeB/MME). Note: The configuration provided in this guide assumes a shared S1-U/S11 interface. These interfaces can be separated to support a different network architecture. The information below applies to both. | |
Interface name | An identification string between 1 and 79 characters (alpha and/or numeric) by which the interface is recognized by the system. Multiple names are needed if multiple interfaces will be configured. |
IP address and subnet | IPv4 or IPv6 addresses assigned to the interface. Multiple addresses and subnets are needed if multiple interfaces will be configured. |
Physical port number | The physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides followed by the number of the physical connector on the card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. |
Gateway IP address | Used when configuring static IP routes from the interface(s) to a specific network. |
GTP-U Service Configuration | |
GTP-U service name (for S1-U/S11 interface) | An identification string from 1 to 63 characters (alpha and/or numeric) by which the GTP-U service bound to the S1-U/S11 interface will be recognized by the system. |
IP address | S1-U/S11 interface IPv4 or IPv6 address. |
S-GW Service Configuration | |
S-GW service name | An identification string from 1 to 63 characters (alpha and/or numeric) by which the S-GW service is recognized by the system. Multiple names are needed if multiple S-GW services will be used. |
eGTP Ingress Service Configuration | |
eGTP S1-U/S11 ingress service name | An identification string from 1 to 63 characters (alpha and/or numeric) by which the eGTP S1-U/S11 ingress service is recognized by the system. |
Required S-GW Egress Context Configuration Information
Required Information | Description |
---|---|
S-GW egress context name | An identification string from 1 to 79 characters (alpha and/or numeric) by which the S-GW egress context is recognized by the system. |
S5/S8 Interface Configuration (To/from P-GW) | |
Interface name | An identification string between 1 and 79 characters (alpha and/or numeric) by which the interface is recognized by the system. Multiple names are needed if multiple interfaces will be configured. |
IP address and subnet | IPv4 or IPv6 addresses assigned to the interface. Multiple addresses and subnets are needed if multiple interfaces will be configured. |
Physical port number | The physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides followed by the number of the physical connector on the card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. |
Gateway IP address | Used when configuring static IP routes from the interface(s) to a specific network. |
GTP-U Service Configuration | |
GTP-U service name (for S5/S8 interface) | An identification string from 1 to 63 characters (alpha and/or numeric) by which the GTP-U service bound to the S5/S8 interface will be recognized by the system. |
IP address | S5/S8 interface IPv4 or IPv6 address. |
eGTP Egress Service Configuration | |
eGTP Egress Service Name | An identification string from 1 to 63 characters (alpha and/or numeric) by which the eGTP egress service is recognized by the system. |
How This Configuration Works
Modifying the Local Context

    configure
       context local
          interface <lcl_cntxt_intrfc_name>
             ip address <ip_address> <ip_mask>
             exit
          server ftpd
             exit
          server telnetd
             exit
          subscriber default
             exit
          administrator <name> encrypted password <password> ftp
          ip route <ip_addr/ip_mask> <next_hop_addr> <lcl_cntxt_intrfc_name>
          exit
       port ethernet <slot#/port#>
          no shutdown
          bind interface <lcl_cntxt_intrfc_name> local
          end

Creating an S-GW Ingress Context

    configure
       context <ingress_context_name> -noconfirm
          subscriber default
             exit
          interface <s1u-s11_interface_name>
             ip address <ipv4_address_primary>
             ip address <ipv4_address_secondary>
             exit
          ip route 0.0.0.0 0.0.0.0 <next_hop_address> <sgw_interface_name>
          exit
       port ethernet <slot_number/port_number>
          no shutdown
          bind interface <s1u-s11_interface_name> <ingress_context_name>
          end

Creating an eGTP Ingress Service
Creating an S-GW Egress Context

    configure
       context <egress_context_name> -noconfirm
          interface <s5s8_interface_name> tunnel
             ipv6 address <address>
             tunnel-mode ipv6ip
                source interface <name>
                destination address <ipv4 or ipv6 address>
                end
    configure
       port ethernet <slot_number/port_number>
          no shutdown
          bind interface <s5s8_interface_name> <egress_context_name>
          end

Setting the System’s Role as an eGTP S-GW and Configuring GTP-U and eGTP Service Settings

    configure
       context <sgw_ingress_context_name>
          gtpp group default
             exit
          gtpu-service <gtpu_ingress_service_name>
             bind ipv4-address <s1-u_s11_interface_ip_address>
             exit
          egtp-service <egtp_ingress_service_name>
             interface-type interface-sgw-ingress
             validation-mode default
             associate gtpu-service <gtpu_ingress_service_name>
             gtpc bind address <s1u-s11_interface_ip_address>
             exit
          exit
       context <sgw_egress_context_name>
          gtpu-service <gtpu_egress_service_name>
             bind ipv4-address <s5s8_interface_ip_address>
             exit
          egtp-service <egtp_egress_service_name>
             interface-type interface-sgw-egress
             validation-mode default
             associate gtpu-service <gtpu_egress_service_name>
             gtpc bind address <s5s8_interface_ip_address>
             end

Configuring Optional Features on the eGTP S-GW
Configuring X.509 Certificate-based Peer Authentication

    configure
       certificate name <cert_name> pem url <cert_pem_url> private-key pem url <private_key_url>
       ca-certificate name <ca_cert_name> pem url <ca_cert_url>
       end
    configure
       context <sgw_context_name>
          crypto template <crypto_template_name> ikev2-dynamic
             certificate name <cert_name>
             ca-certificate list ca-cert-name <ca_cert_name>
             authentication local certificate
             authentication remote certificate
             end

Configuring Dynamic Node-to-Node IP Security on the S1-U and S5 Interfaces
Creating and Configuring an IPSec Transform Set

    configure
       context <sgw_context_name>
          ipsec transform-set <ipsec_transform-set_name>
             encryption aes-cbc-128
             group none
             hmac sha1-96
             mode tunnel
             end

Creating and Configuring an IKEv2 Transform Set

    configure
       context <sgw_context_name>
          ikev2-ikesa transform-set <ikev2_transform-set_name>
             encryption aes-cbc-128
             group 2
             hmac sha1-96
             lifetime <sec>
             prf sha1
             end

Creating and Configuring a Crypto Template

    configure
       context <sgw_context_name>
          crypto template <crypto_template_name> ikev2-dynamic
             ikev2-ikesa transform-set list <name1> . . . <name6>
             ikev2-ikesa rekey
             payload <name> match childsa match ipv4
                ipsec transform-set list <name1> . . . <name4>
                rekey
                end

Binding the S1-U and S5 IP Addresses to the Crypto Template

    configure
       context <sgw_ingress_context_name>
          gtpu-service <gtpu_ingress_service_name>
             bind ipv4-address <s1-u_interface_ip_address> crypto-template <enodeb_crypto_template>
             exit
          egtp-service <egtp_ingress_service_name>
             interface-type interface-sgw-ingress
             associate gtpu-service <gtpu_ingress_service_name>
             gtpc bind address <s1u_interface_ip_address>
             exit
          exit
       context <sgw_egress_context_name>
          gtpu-service <gtpu_egress_service_name>
             bind ipv4-address <s5_interface_ip_address> crypto-template <enodeb_crypto_template>
             exit
          egtp-service <egtp_egress_service_name>
             interface-type interface-sgw-egress
             associate gtpu-service <gtpu_egress_service_name>
             gtpc bind address <s5_interface_ip_address>
             exit
          exit
       context <sgw_ingress_context_name>
          sgw-service <sgw_service_name> -noconfirm
             egtp-service ingress service <egtp_ingress_service_name>
             egtp-service egress context <sgw_egress_context_name>
             end

Configuring ACL-based Node-to-Node IP Security on the S1-U and S5 Interfaces
Creating and Configuring a Crypto Access Control List
Creating and Configuring an IPSec Transform Set

    configure
       context <sgw_context_name>
          ipsec transform-set <ipsec_transform-set_name>
             encryption aes-cbc-128
             group none
             hmac sha1-96
             mode tunnel
             end

Creating and Configuring an IKEv2 Transform Set

    configure
       context <sgw_context_name>
          ikev2-ikesa transform-set <ikev2_transform-set_name>
             encryption aes-cbc-128
             group 2
             hmac sha1-96
             lifetime <sec>
             prf sha1
             end

Creating and Configuring a Crypto Map

    configure
       context <sgw_ingress_context_name>
          crypto map <crypto_map_name> ikev2-ipv4
             match address <acl_name>
             peer <ipv4_address>
             authentication local pre-shared-key key <text>
             authentication remote pre-shared-key key <text>
             ikev2-ikesa transform-set list <name1> . . . <name6>
             payload <name> match ipv4
                lifetime <seconds>
                ipsec transform-set list <name1> . . . <name4>
                exit
             exit
          interface <s1-u_intf_name>
             ip address <ipv4_address>
             crypto-map <crypto_map_name>
             exit
          exit
       port ethernet <slot_number/port_number>
          no shutdown
          bind interface <s1_u_intf_name> <sgw_ingress_context_name>
          end


    configure
       context <sgw_egress_context_name>
          crypto map <crypto_map_name> ikev2-ipv4
             match address <acl_name>
             peer <ipv4_address>
             authentication local pre-shared-key key <text>
             authentication remote pre-shared-key key <text>
             payload <name> match ipv4
                lifetime <seconds>
                ipsec transform-set list <name1> . . . <name4>
                exit
             exit
          interface <s5_intf_name>
             ip address <ipv4_address>
             crypto-map <crypto_map_name>
             exit
          exit
       port ethernet <slot_number/port_number>
          no shutdown
          bind interface <s5_intf_name> <sgw_egress_context_name>
          end

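
The following Python check is an added example, not part of the original guide or of the vendor's tooling. It scans configuration text in the CLI syntax used on this page and reports the cleartext management services (telnetd, ftpd) and the legacy IKEv2/IPSec parameters (DH group 2, no PFS group, SHA-1 HMAC/PRF) that appear in the sample configurations above; the sample input, its names and the rule wording are constructed for illustration.

```python
import re

# Constructed sample in the CLI syntax shown on this page; all names are placeholders.
SAMPLE = """\
configure
   context local
      server ftpd
         exit
      server telnetd
         exit
      exit
   context sgw_in
      ipsec transform-set ipsec-ts1
         encryption aes-cbc-128
         group none
         hmac sha1-96
         exit
      ikev2-ikesa transform-set ike-ts1
         group 2
         hmac sha1-96
         prf sha1
         exit
      end
"""

# (scopes in which the rule applies, or None for anywhere; line pattern; finding)
RULES = [
    (None, r"server (telnetd|ftpd)$", "cleartext management service"),
    (("ikev2-ikesa",), r"group 2$", "IKE SA uses DH group 2 (1024-bit MODP)"),
    (("ipsec",), r"group none$", "child SA has no PFS group"),
    (("ikev2-ikesa", "ipsec"), r"(hmac sha1-96|prf sha1)$", "SHA-1 based HMAC/PRF"),
]

def audit(config):
    findings, scope = [], None
    for num, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split())          # normalise indentation and spacing
        opened = re.match(r"(ipsec|ikev2-ikesa) transform-set \S+$", line)
        if opened:
            scope = opened.group(1)           # entering a transform-set block
        elif line in ("exit", "end"):
            scope = None                      # leaving the current block
        for scopes, pattern, finding in RULES:
            if (scopes is None or scope in scopes) and re.match(pattern, line):
                findings.append((num, line, finding))
    return findings

if __name__ == "__main__":
    print("\n".join(f"line {n}: {c!r}: {f}" for n, c, f in audit(SAMPLE)))
```
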
Configuring S4 SGSN Handover Capability

    configure
       context <ingress_context_name> -noconfirm
          interface <s4_interface_name>
             ip address <ipv4_address_primary>
             ip address <ipv4_address_secondary>
             exit
          exit
       port ethernet <slot_number/port_number>
          no shutdown
          bind interface <s4_interface_name> <ingress_context_name>
          exit
       context <ingress_context_name> -noconfirm
          gtpu-service <s4_gtpu_ingress_service_name>
             bind ipv4-address <s4_interface_ip_address>
             exit
          egtp-service <s4_egtp_ingress_service_name>
             interface-type interface-sgw-ingress
             validation-mode default
             associate gtpu-service <s4_gtpu_ingress_service_name>
             gtpc bind address <s4_interface_ip_address>
             exit
          sgw-service <sgw_service_name> -noconfirm
             associate ingress egtp-service <s4_egtp_ingress_service_name>
             end