Important: At least one Packet Services Card (PSC/PSC2) must be made active prior to service configuration. Information and instructions for configuring PSCs/PSC2s to be active can be found in the Configuring System Settings chapter of the System Administration Guide.
Caution: While configuring any base-service or enhanced feature, it is highly recommended to avoid conflicting or blocked IP addresses and port numbers when binding or assigning these to your configuration. In association with some service steering or access control features, the use of inappropriate port numbers may result in communication loss. Refer to the respective feature configuration document carefully before assigning any port number or IP address for communication with internal or external networks.
Important: Information about all commands in this chapter can be found in the Command Line Interface Reference.
This section provides a high-level series of steps and associated configuration file examples for configuring the system to perform as an MME in a test environment. For a more robust configuration example, refer to the Sample Configuration Files appendix.
This is required for static S-GW selection. Refer to the Required MME Policy Configuration Information section below.
Step 1 Set system configuration parameters such as activating PSCs by applying the example configurations found in the System Administration Guide.
Step 2
Step 3
Step 4
Step 5 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
context <mme_context_name> -noconfirm
interface <s1-mme_intf_name>
ip address <ipv4_address>
interface <s11_intf_name>
ip address <ipv4_address>
interface <s6a_intf_name>
ip address <ipv4_address>
interface <s13_intf_name>
ip address <ipv4_address>
mme-service <mme_svc_name> -noconfirm
pgw-address <pgw_ip_address>
bind s1-mme ipv4-address <ip_address>
port ethernet <slot_number/port_number>
• All interfaces in this configuration can also be specified as IPv6 addresses using the ipv6 address command.
• Multi-homing is supported on the S1-MME and S6a interfaces. Refer to the Configuring SCTP Multi-homing Support section in this chapter for more information on configuring multi-homing for the S1-MME and/or S6a interface(s).
• The network-sharing command is used to configure an additional PLMN ID for this MME service.
• In the above example, the mobile equipment identity (IMEI) is checked during the attach procedure. This is configured in the policy attach command. Another option is to check IMEI during the tracking area update (TAU). This can be accomplished instead of, or, in addition to, the EIR query during the attach procedure. To check during the TAU, use the policy tau command.
• The pgw-address command is used to statically configure P-GW discovery.
context <mme_context_name>
egtp-service <egtp_service_name>
gtpc bind ipv4-address <s11_infc_ip_address>
port ethernet <slot_number/port_number>
• The gtpc bind command can be specified as an IPv6 address using the ipv6-address keyword. The interface specified for S11 communication must also be the same IPv6 address.
context <mme_context_name>
hss-peer-service <hss_peer_service_name>
diameter endpoint <hss-endpoint_name>
origin realm <realm_name>
diameter endpoint <eir-endpoint_name>
origin realm <realm_name>
port ethernet <slot_number/port_number>
port ethernet <slot_number/port_number>
• The origin host and peer commands can accept multiple IP addresses supporting multi-homing on each endpoint. Refer to the Configuring SCTP Multi-homing Support section for information on configuring SCTP multi-homing for the S6a interface.
Important: Circuit Switched Fallback is a licensed feature and requires the purchase of the Circuit Switched Fallback feature license to enable it.
tai-mgmt-db <db_name>
tai-mgmt-obj <object_name>
context <mme_context_name> -noconfirm
interface <sgs_intf_name>
ip address <ipv4_address>
sgs-service <name> -noconfirm
sctp port <port_number>
pool-area <pool_name>
lac <area_code> +
bind ipv4-address <sgs-intf_ipv4_address>
mme-service <service_name>
associate tai-mgmt-db <db_name>
associate sgs-service <sgs_svc_name>
• The SGs IP address can also be specified as an IPv6 address. To support this, the ip address command can be changed to the ipv6 address command and the bind ipv4-address command can be changed to bind ipv6-address command.
• The VLR interface (vlr command) also supports IPv6 addressing and SCTP multi-homing.
context <mme_context_name> -noconfirm
mme-service <mme_svc_name>
context <mme_context_name> -noconfirm
interface <dns_intf_name>
ip address <ipv4_address>
ip name-servers <dns_ip_address>
dns-client <name>
bind address <dns_intf_ip_address>
mme-service <mme_svc_name>
• For the dns pgw, dns sgw, dns peer-mme, and dns peer-sgsn commands, the DNS client service must exist in the same context as the MME service. If the DNS client resides in a different context, the context <ctx_name> command/variable must be added to the command(s).
lte-emergency-profile <profile_name>
mme-service <mme_svc_name>
associate lte-emergency-profile <profile_name>
• In the pgw command, the valid protocol types are: both, gtp, and pmip. A maximum of four P-GW IP addresses can be configured per profile. An FQDN can also be configured in place of the IP addresses but only one P-GW FQDN can be configured per profile.
• In the qos command, the valid preemption capabilities are: may and shall not. The valid vulnerability types are: not-preemptable and preemptable.
context <mme_context_name> -noconfirm
interface <Gn_intf_name>
ip address <ipv4_address>
sgtp-service <sgtp_svc_name>
gtpc bind address <Gn_intf_ip_address>
mme-service <mme_svc_name>
associate sgtpc-service <sgtp_svc_name>
peer-sgsn rai mcc <mcc_value> mnc <mnc_value> rac <value> lac <value> address <ip_address> capability gn
• The peer-sgsn command is used to statically configure a peer SGSN. SGSN selection can also be performed dynamically through the DNS client. For more information about dynamic peer selection, refer to the Configuring Dynamic Peer Selection section in this chapter.
• If dynamic peer-SGSN selection is configured, an additional gtpc command must be added to the SGTP service: gtpc dns-sgsn context <cntxt_name>
context <mme_context_name> -noconfirm
interface <s10_intf_name>
ip address <ipv4_address>
egtp-service <egtp_service_name>
gtpc bind ipv4-address <s10_infc_ip_address>
mme-service <mme_svc_name>
port ethernet <slot_number/port_number>
• The S10 IP address can also be specified as an IPv6 address. To support this, the ip address command can be changed to the ipv6 address command.
• The peer-mme command can also be configured to acquire a peer MME through the use of a TAI match as shown in this command example:
• The peer-mme command is used to statically configure a peer MME. MME selection can also be performed dynamically through the DNS client. For more information about dynamic peer selection, refer to the Configuring Dynamic Peer Selection section in this chapter.
Important: Use of the IP Security feature requires that a valid license key be installed. Contact your local Sales or Support representative for information on how to obtain a license.
• The certificate name and ca-certificate list ca-cert-name commands specify the X.509 certificate and CA certificate to be used.
context <mme_context_name>
crypto template <crypto_template_name> ikev2-dynamic
certificate name <cert_name>
ca-certificate list ca-cert-name <ca_cert_name>
• The certificate name and ca-certificate list ca-cert-name commands bind the certificate and CA certificate to the crypto template.
• The authentication local certificate and authentication remote certificate commands enable X.509 certificate-based peer authentication for the local and remote nodes.
Important: Use of the IP Security feature requires that a valid license key be installed. Contact your local Sales or Support representative for information on how to obtain a license.
context <mme_context_name>
ipsec transform-set <ipsec_transform-set_name>
• The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IPSec transform sets configured on the system.
• The group none command specifies that no crypto strength is included and that Perfect Forward Secrecy is disabled. This is the default setting for IPSec transform sets configured on the system.
• The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IPSec transform sets configured on the system.
• The mode tunnel command specifies that the entire packet is to be encapsulated by the IPSec header including the IP header. This is the default setting for IPSec transform sets configured on the system.
context <mme_context_name>
ikev2-ikesa transform-set <ikev2_transform-set_name>
lifetime <sec>
• The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IKEv2 transform sets configured on the system.
• The group 2 command specifies the Diffie-Hellman algorithm as Group 2, indicating medium security. The Diffie-Hellman algorithm controls the strength of the crypto exponentials. This is the default setting for IKEv2 transform sets configured on the system.
• The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
• The lifetime command configures the time the security key is allowed to exist, in seconds.
• The prf command configures the IKE Pseudo-random Function, which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
context <mme_context_name>
crypto template <crypto_template_name> ikev2-dynamic
payload <name> match childsa match ipv4
• The ikev2-ikesa transform-set list command specifies up to six IKEv2 transform sets.
• The ipsec transform-set list command specifies up to four IPSec transform sets.
context <mme_context_name>
mme-service <mme_svc_name>
• The bind command in the MME service configuration can also be specified as an IPv6 address using the ipv6-address command.
• This example shows the bind command using multi-homed addresses. The multi-homing feature also supports the use of IPv6 addresses.
Important: Use of the IP Security feature requires that a valid license key be installed. Contact your local Sales or Support representative for information on how to obtain a license.
context <mme_context_name>
ip access-list <acl_name>
• The permit command in this example routes IPv4 traffic from the server with the specified source host IPv4 address to the server with the specified destination host IPv4 address.
context <mme_context_name>
ipsec transform-set <ipsec_transform-set_name>
• The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IPSec transform sets configured on the system.
• The group none command specifies that no crypto strength is included and that Perfect Forward Secrecy is disabled. This is the default setting for IPSec transform sets configured on the system.
• The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IPSec transform sets configured on the system.
• The mode tunnel command specifies that the entire packet is to be encapsulated by the IPSec header including the IP header. This is the default setting for IPSec transform sets configured on the system.
context <mme_context_name>
ikev2-ikesa transform-set <ikev2_transform-set_name>
lifetime <sec>
• The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IKEv2 transform sets configured on the system.
• The group 2 command specifies the Diffie-Hellman algorithm as Group 2, indicating medium security. The Diffie-Hellman algorithm controls the strength of the crypto exponentials. This is the default setting for IKEv2 transform sets configured on the system.
• The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
• The lifetime command configures the time the security key is allowed to exist, in seconds.
• The prf command configures the IKE Pseudo-random Function, which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
context <mme_context_name>
crypto map <crypto_map_name> ikev2-ipv4
match address <acl_name>
peer <ipv4_address>
payload <name> match ipv4
lifetime <seconds>
interface <s1-mme_intf_name>
ip address <ipv4_address>
crypto-map <crypto_map_name>
port ethernet <slot_number/port_number>
• The ipsec transform-set list command specifies up to four IPSec transform sets.
context <mme_context_name>
mme-service <mme_svc_name>
relative-capacity <number>
• The relative-capacity command specifies a weight factor used in comparing the capacity of the MME to other MMEs in a pool.
Important: Mobility restriction support is only available through the operator policy configuration. For more information on operator policy, refer to the Operator Policy chapter in this guide.
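Added example (not from the original guide or from the vendor): a small Python audit that resolves each transform set's effective settings from the defaults listed in the IPSec and IKEv2 transform-set notes above, then flags disabled Perfect Forward Secrecy, Diffie-Hellman Group 2, and SHA-1. The sample configuration is constructed; the exit block terminator and the group 14 value are assumptions not shown in this chapter.

```python
import re

# Defaults this chapter states for a transform set that omits the command.
DEFAULTS = {
    "ipsec": {"encryption": "aes-cbc-128", "group": "none",
              "hmac": "sha1-96", "mode": "tunnel"},
    "ikev2-ikesa": {"encryption": "aes-cbc-128", "group": "2",
                    "hmac": "sha1-96", "prf": "sha1"},
}
# Matches a transform-set definition, not the "transform-set list" reference
# used inside a crypto template or crypto map.
HEADER = re.compile(r"^(ipsec|ikev2-ikesa) transform-set (?!list\b)(\S+)$")


def effective_transform_sets(config_text):
    """Return {(kind, name): settings} with the documented defaults filled in."""
    sets, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = (header.group(1), header.group(2))
            sets[current] = dict(DEFAULTS[header.group(1)])
        elif line == "exit":  # assumption: sub-modes are closed by "exit"
            current = None
        elif current:
            key, _, value = line.partition(" ")
            if key in sets[current] or key == "lifetime":
                sets[current][key] = value.strip()
    return sets


def audit(config_text):
    """List (kind, name, finding) for settings a reviewer should look at."""
    findings = []
    for (kind, name), s in sorted(effective_transform_sets(config_text).items()):
        if kind == "ipsec" and s["group"] == "none":
            findings.append((kind, name, "pfs-disabled"))
        if kind == "ikev2-ikesa" and s["group"] == "2":
            findings.append((kind, name, "dh-group-2"))
        if s["hmac"].startswith("sha1") or s.get("prf") == "sha1":
            findings.append((kind, name, "sha1"))
    return findings


# Constructed sample, not taken from a real system. "group 14" is an assumed
# keyword value; every other value appears in this chapter.
SAMPLE = """\
context mme_ctx
  ipsec transform-set tset-default
  exit
  ipsec transform-set tset-pfs
    group 14
  exit
  ikev2-ikesa transform-set ike-default
    lifetime 3600
  exit
  crypto template s1-tmpl ikev2-dynamic
    ikev2-ikesa transform-set list ike-default
  exit
exit
"""

if __name__ == "__main__":
    for kind, name, finding in audit(SAMPLE):
        print(f"{kind} transform-set {name}: {finding}")
```

A transform set that is created but left empty is still flagged, because the audit applies the documented defaults before checking.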
ho-restrict-list <name>
ho-restrict-list <name>
• Up to 128 location area codes can be entered in a single lac command line.
ho-restrict-list <name>
• Up to 128 tracking area codes can be entered in a single tac command line.
Important: Optimized Paging is a licensed feature and requires the purchase of the Optimized Paging feature license to enable it.
context <mme_context_name>
mme-service <mme_svc_name>
context <mme_context_name> -noconfirm
interface <s3_interface_name>
ip address <ipv4_address>
mme-service <mme_svc_name>
peer-sgsn rai mcc <mcc_value> mnc <mnc_value> rac <value> lac <value> address <ip_address> capability s3
port ethernet <slot_number/port_number>
• The S3 IP address can also be specified as an IPv6 address. To support this, the ip address command can be changed to the ipv6 address command.
• The peer-sgsn command is used to statically configure a peer SGSN. SGSN selection can also be performed dynamically through the DNS client. For more information about dynamic peer selection, refer to the Configuring Dynamic Peer Selection section in this chapter.
The configuration example in this section is intended as a replacement for the S1-MME interface configuration located in the Creating and Configuring the MME Context and Service section. Use the following example to configure S1-MME multi-homing between the MME and the eNodeB:
context <mme_context_name> -noconfirm
interface <s1-mme_intf_name>
ip address <ipv4_address>
ip address <secondary_ipv4_address>
mme-service <mme_svc_name>
port ethernet <slot_number/port_number>
• The S1-MME IP addresses can also be specified as IPv6 addresses using the ipv6 address keyword.
• The IP addresses in the bind s1-mme ipv4-address command can also be specified as IPv6 addresses using the ipv6-address keyword.
The configuration example in this section is intended as a replacement for the S6a interface configuration located in the Creating and Configuring the MME Context and Service section and the Diameter configuration for the S6a interface located in the Creating and Configuring the HSS Peer Service and Interface Associations section. Use the following example to configure S6a multi-homing between the MME and the HLR/HSS:
context <mme_context_name>
interface <s6a_intf_name>
diameter endpoint <hss-endpoint_name>
origin realm <realm_name>
origin host <name> address <s6a_intf_primary_ip_addr> port <number> address <s6a_intf_secondary_ip_addr2> port <number> address <s6a_intf_secondary_ip_addr3> port <number>
peer <peer_name> realm <realm_name> address <hss_ip_addr1> port <number> address <hss_ip_addr2> port <number> sctp
port ethernet <slot_number/port_number>
• The S6a IP addresses can also be specified as IPv6 addresses using the ipv6 address keyword.
sctp-max-path-retx <value>
context <name>
diameter endpoint <endpoint_name>
associate sctp-parameter-template <template_name>
device-watchdog-request max-retries <retry_count>
watchdog-timeout <timeout>
sctp-max-path-retx 10 (default in the parameter template is 5)
timeout sctp-heart-beat 30 (default for the parameter template as well)
The configuration example in this section is intended as a replacement for the SGs interface configuration located in the Configuring Circuit Switched Fallback section. Use the following example to configure SGs multi-homing between the MME and the MSC/VLR:
context <mme_context_name> -noconfirm
interface <s1-mme_intf_name>
ip address <ipv4_address>
ip address <secondary_ipv4_address>
sgs-service <mme_svc_name>
port ethernet <slot_number/port_number>
• The SGs IP addresses can also be specified as IPv6 addresses using the ipv6 address keyword.
• The IP addresses in the bind ipv4-address command can also be specified as IPv6 addresses using the ipv6-address keyword.
context <mme_context_name>
interface <sv_intf_name>
ip address <ipv4_address>
egtp-service <egtpc_sv_service_name>
gtpc bind ipv4-address <sv_infc_ip_address>
mme-service <mme_service_name>
associate egtpc-sv-service <egtpc_sv_service_name>
msc <ip_address>
port ethernet <slot_number/port_number>
• The gtpc bind command can be specified as an IPv6 address using the ipv6-address keyword. The interface specified for Sv communication must also be the same IP address type.
tai-mgmt-db <db_name>
tai-mgmt-obj <object_name>
• The sgw-address variable can also be specified as an IPv6 address.
context <mme_context_name>
mme-service <mme_svc_name>
associate tai-mgmt-db <database_name>
associate tai-mgmt-db <database_name>
context <mme_service_context>
mme-service <service_name>
• Overlapping ranges can be identified in the output of the show configuration errors command.
Important: User Location Information Reporting is a licensed feature and requires the purchase of the ULI Reporting feature license to enable it.
Use the following example to configure User Location Information (ULI) reporting support on the MME:
context <mme_context_name>
mme-service <mme_svc_name>
Cisco Systems Inc.