PDN Gateway Configuration
This chapter provides configuration information for the PDN Gateway (P-GW).
Important: Information about all commands in this chapter can be found in the Command Line Interface Reference.
Because each wireless network is unique, the system is designed with a variety of parameters allowing it to perform in various wireless network environments. In this chapter, only the minimum set of parameters is provided to make the system operational. Optional configuration commands specific to the P-GW product are located in the Command Line Interface Reference.
The following procedures are located in this chapter:
Configuring the System as a Standalone eGTP P-GW
This section provides a high-level series of steps and the associated configuration file examples for configuring the system to perform as an eGTP P-GW in a test environment. For a complete configuration file example, refer to the Sample Configuration Files appendix. Information provided in this section includes the following:
Information Required
The following sections describe the minimum amount of information required to configure and make the P-GW operational on the network. To make the process more efficient, it is recommended that this information be available prior to configuring the system.
There are additional configuration parameters that are not described in this section. These parameters deal mostly with fine-tuning the operation of the P-GW in the network. Information on these parameters can be found in the appropriate sections of the Command Line Interface Reference.
Required Local Context Configuration Information
The following table lists the information that is required to configure the local context on a P-GW.
Required Information for Local Context Configuration
Required P-GW Context Configuration Information
The following table lists the information that is required to configure the P-GW context on a P-GW.
Required Information for P-GW Context Configuration
Required PDN Context Configuration Information
The following table lists the information that is required to configure the PDN context on a P-GW.
Required Information for PDN Context Configuration
Required AAA Context Configuration Information
The following table lists the information that is required to configure the AAA context on a P-GW.
Required Information for AAA Context Configuration
How This Configuration Works
The following figure and supporting text describe how this configuration with a single source and destination context is used by the system to process a subscriber call originating from the GTP LTE network.
1.
2.
The P-GW service determines which context to use to provide AAA functionality for the session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
3.
4.
5.
6.
7.
eGTP P-GW Configuration
To configure the system to perform as a standalone eGTP P-GW:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Initial Configuration
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Modifying the Local Context
Use the following example to set the default subscriber and configure remote access capability in the local context:
configure
   context local
      interface <lcl_cntxt_intrfc_name>
         ip address <ip_address> <ip_mask>
         exit
      server ftpd
         exit
      server telnetd
         exit
      subscriber default
         exit
      administrator <name> encrypted password <password> ftp
      ip route <ip_addr/ip_mask> <next_hop_addr> <lcl_cntxt_intrfc_name>
      exit
   port ethernet <slot#/port#>
      no shutdown
      bind interface <lcl_cntxt_intrfc_name> local
      end
Creating and Configuring an eGTP P-GW Context
Use the following example to create a P-GW context, create an S5/S8 IPv4 interface (for data traffic to/from the S-GW), and bind the S5/S8 interface to a configured Ethernet port:
configure
   gtpp single-source
   context <pgw_context_name> -noconfirm
      interface <s5s8_interface_name>
         ip address <ipv4_address>
         exit
      gtpp group default
         gtpp charging-agent address <gz_ipv4_address>
         gtpp echo-interval <seconds>
         gtpp attribute diagnostics
         gtpp attribute local-record-sequence-number
         gtpp attribute node-id-suffix <string>
         gtpp dictionary <name>
         gtpp server <ipv4_address> priority <num>
         gtpp server <ipv4_address> priority <num> node-alive enable
         exit
      policy accounting <rf_policy_name> -noconfirm
         accounting-level {level_type}
         accounting-event-trigger interim-timeout action stop-start
         operator-string <string>
         cc profile <index> interval <seconds>
         exit
      subscriber default
         exit
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <s5s8_interface_name> <pgw_context_name>
      end
Notes:
gtpp single-source is enabled to allow the system to generate requests to the accounting server using a single UDP port (by way of a AAA proxy function) rather than each AAA manager generating requests on unique UDP ports.
Set the accounting policy for the Rf (off-line charging) interface. The accounting level types are: flow, PDN, PDN-QCI, QCI, and subscriber. Refer to the Accounting Profile Configuration Mode Commands chapter in the Command Line Interface Reference for more information on this command.
Creating and Configuring APNs in the P-GW Context
Use the following configuration to create an APN:
configure
   context <pgw_context_name> -noconfirm
      apn <name>
         accounting-mode radius-diameter
         associate accounting-policy <rf_policy_name>
         ims-auth-service <gx_ims_service_name>
         aaa group <rf-radius_group_name>
         dns primary <ipv4_address>
         dns secondary <ipv4_address>
         ip access-group <name> in
         ip access-group <name> out
         mediation-device context-name <pgw_context_name>
         ip context-name <pdn_context_name>
         ipv6 access-group <name> in
         ipv6 access-group <name> out
         active-charging rulebase <name>
         end
Notes:
Use the following configuration to create an APN that includes Gz interface parameters:
configure
   context <pgw_context_name> -noconfirm
      apn <name>
         bearer-control-mode mixed
         selection-mode sent-by-ms
         accounting-mode gtpp
         gtpp group default accounting-context <aaa_context_name>
         ims-auth-service <gx_ims_service_name>
         ip access-group <name> in
         ip access-group <name> out
         ip context-name <pdn_context_name>
         active-charging rulebase <gz_rulebase_name>
         end
Notes:
Creating and Configuring AAA Groups in the P-GW Context
Use the following example to create and configure AAA groups supporting RADIUS and Rf accounting:
configure
   context <pgw_context_name> -noconfirm
      aaa group <rf-radius_group_name>
         radius attribute nas-identifier <id>
         radius accounting interim interval <seconds>
         radius dictionary <name>
         radius mediation-device accounting server <address> key <key>
         diameter authentication dictionary <name>
         diameter accounting dictionary <name>
         diameter accounting endpoint <rf_cfg_name>
         diameter accounting server <rf_cfg_name> priority <num>
         exit
      aaa group default
         radius attribute nas-ip-address address <ipv4_address>
         radius accounting interim interval <seconds>
         diameter authentication dictionary <name>
         diameter accounting dictionary <name>
         diameter accounting endpoint <rf_cfg_name>
         diameter accounting server <rf_cfg_name> priority <num>
         end
Creating and Configuring an eGTP Service
Use the following configuration example to create the eGTP service:
configure
   context <pgw_context_name>
      egtp-service <egtp_service_name> -noconfirm
         interface-type interface-pgw-ingress
         validation mode default
         associate gtpu-service <gtpu_service_name>
         gtpc bind address <s5s8_interface_address>
         end
Notes:
Co-locating a GGSN service on the same ASR 5x00 requires that the gtpc bind address command uses the same IP address the GGSN service is bound to.
Creating and Configuring a GTP-U Service
Use the following configuration example to create the GTP-U service:
configure
   context <pgw_context_name>
      gtpu-service <gtpu_service_name> -noconfirm
         bind ipv4-address <s5s8_interface_address>
         end
Notes:
The bind command can also be specified as an IPv6 address using the ipv6-address command.
Creating a P-GW PDN Context
Use the following example to create a P-GW PDN context and Ethernet interface, and bind the interface to a configured Ethernet port.
configure
   context <pdn_context_name> -noconfirm
      interface <sgi_ipv4_interface_name>
         ip address <ipv4_address>
         exit
      interface <sgi_ipv6_interface_name>
         ipv6 address <address>
         end
P-GW Service Configuration
Step 1
Step 2
Configuring the P-GW Service
Use the following example to configure the P-GW service:
configure
   context <pgw_context_name>
      pgw-service <pgw_service_name> -noconfirm
         plmn id mcc <id> mnc <id>
         associate egtp-service <egtp_service_name>
         associate qci-qos-mapping <name>
         end
Notes:
Co-locating a GGSN service on the same ASR 5x00 requires the configuration of the associate ggsn-service name command within the P-GW service.
Configuring a Static IP Route
Use the following example to configure an IP Route for control and user plane data communication with an eGTP Serving Gateway:
configure
   context <pgw_context_name>
      ip route <sgw_ip_addr/mask> <sgw_next_hop_addr> <pgw_intrfc_name>
      end
P-GW PDN Context Configuration
Use the following example to configure an IP Pool and APN, and bind a port to the interface in the PDN context:
configure
   context <pdn_context_name> -noconfirm
      interface <sgi_ipv4_interface_name>
         ip address <ipv4_address>
         exit
      interface <sgi_ipv6_interface_name>
         ipv6 address <ipv6_address>
         exit
      ip pool <name> range <start_address end_address> public <priority>
      ipv6 pool <name> range <start_address end_address> public <priority>
      subscriber default
         exit
      ip access-list <name>
         redirect css service <name> any
         permit any
         exit
      ipv6 access-list <name>
         redirect css service <name> any
         permit any
         exit
      aaa group default
         exit
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <sgi_ipv4_interface_name> <pdn_context_name>
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <sgi_ipv6_interface_name> <pdn_context_name>
      end
Active Charging Service Configuration
Use the following example to enable and configure active charging:
configure
   require active-charging optimized-mode
   active-charging service <name>
      ruledef <name>
         <rule_definition>
               .
               .
         <rule_definition>
         exit
      ruledef default
         ip any-match = TRUE
         exit
      ruledef icmp-pkts
         icmp any-match = TRUE
         exit
      ruledef qci3
         icmp any-match = TRUE
         exit
      ruledef static
         icmp any-match = TRUE
         exit
      charging-action <name>
         <action>
            .
            .
         <action>
         exit
      charging-action icmp
         billing-action egcdr
         exit
      charging-action qci3
         content-id <id>
         billing-action egcdr
         qos-class-identifier <id>
         allocation-retention-priority <priority>
         tft-packet-filter qci3
         exit
      charging-action static
         service-identifier <id>
         billing-action egcdr
         qos-class-identifier <id>
         allocation-retention-priority <priority>
         tft-packet-filter qci3
         exit
      rulebase default
         exit
      rulebase <name>
         <rule_base>
            .
            .
         <rule_base>
         exit
      rulebase <gx_rulebase_name>
         dynamic-rule order first-if-tied
         egcdr tariff minute <minute> hour <hour>(optional)
         billing-records egcdr
         action priority 5 dynamic-only ruledef qci3 charging-action qci3
         action priority 100 ruledef static charging-action static
         action priority 500 ruledef default charging-action icmp
         action priority 570 ruledef icmp-pkts charging-action icmp
         egcdr threshold interval <interval>
         egcdr threshold volume total <bytes>
         end
Notes:
The billing-action egcdr command in the charging-action qci3, icmp, and static examples is required for Gz accounting.
The Gz rulebase example supports the Gz interface for off-line charging. The billing-records egcdr command is required for Gz accounting. All other commands are optional.
Policy Configuration
Step 1
Step 2
Creating and Configuring the AAA Context
Use the following example to create and configure a AAA context including diameter support and policy control, and bind Ethernet ports to interfaces supporting traffic between this context and a PCRF, an OCS, and an OFCS:
configure
   context <aaa_context_name> -noconfirm
      interface <gx_interface_name>
         ipv6 address <address>
         exit
      interface <gy_interface_name>
         ipv6 address <address>
         exit
      interface <gz_interface_name>
         ip address <ipv4_address>
         exit
      interface <rf_interface_name>
         ip address <ipv4_address>
         exit
      subscriber default
         exit
      ims-auth-service <gx_ims_service_name>
         p-cscf discovery table <#> algorithm round-robin
         p-cscf table <#> row-precedence <#> ipv6-address <pcrf_ipv6_adr>
         policy-control
            diameter origin endpoint <gx_cfg_name>
            diameter dictionary <name>
            diameter host-select table <#> algorithm round-robin
            diameter host-select row-precedence <#> table <#> host <gx_cfg_name>
            exit
         exit
      diameter endpoint <gx_cfg_name>
         origin realm <realm_name>
         origin host <name> address <aaa_ctx_ipv6_address>
         peer <gx_cfg_name> realm <name> address <pcrf_ipv4_or_ipv6_addr>
         route-entry peer <gx_cfg_name>
         exit
      diameter endpoint <gy_cfg_name>
         origin realm <realm_name>
         origin host <name> address <gy_ipv6_address>
         connection retry-timeout <seconds>
         peer <gy_cfg_name> realm <name> address <ocs_ipv4_or_ipv6_addr>
         route-entry peer <gy_cfg_name>
         exit
      diameter endpoint <rf_cfg_name>
         use-proxy
         origin realm <realm_name>
         origin host <name> address <rf_ipv4_address>
         peer <rf_cfg_name> realm <name> address <ofcs_ipv4_or_ipv6_addr>
         route-entry peer <rf_cfg_name>
         exit
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <gx_interface_name> <aaa_context_name>
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <gy_interface_name> <aaa_context_name>
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <gz_interface_name> <aaa_context_name>
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <rf_interface_name> <aaa_context_name>
      end
Notes:
The p-cscf table command under ims-auth-service can also specify an IPv4 address to the PCRF.
Configuring QCI-QoS Mapping
Use the following example to create and map QCI values to enforceable QoS parameters:
configure
   qci-qos-mapping <name>
      qci 1 user-datagram dscp-marking <hex>
      qci 3 user-datagram dscp-marking <hex>
      qci 9 user-datagram dscp-marking <hex>
      exit
Notes:
The above configuration only shows one keyword example. Refer to the QCI - QOS Mapping Configuration Mode Commands chapter in the Command Line Interface Reference for more information on the qci command and other supported keywords.
Verifying and Saving the Configuration
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
Configuring the System as a Standalone PMIP P-GW Supporting an eHRPD Network
This section provides a high-level series of steps and the associated configuration file examples for configuring the system to perform as a P-MIP P-GW supporting an eHRPD test environment. For a complete configuration file example, refer to the Sample Configuration Files appendix. Information provided in this section includes the following:
Information Required
The following sections describe the minimum amount of information required to configure and make the P-GW operational on the network. To make the process more efficient, it is recommended that this information be available prior to configuring the system.
There are additional configuration parameters that are not described in this section. These parameters deal mostly with fine-tuning the operation of the P-GW in the network. Information on these parameters can be found in the appropriate sections of the Command Line Interface Reference.
Required Local Context Configuration Information
The following table lists the information that is required to configure the local context on a P-GW.
Required Information for Local Context Configuration
Required P-GW Context Configuration Information
The following table lists the information that is required to configure the P-GW context on a P-GW.
Required Information for P-GW Context Configuration
Required PDN Context Configuration Information
The following table lists the information that is required to configure the PDN context on a P-GW.
Required Information for PDN Context Configuration
Required AAA Context Configuration Information
The following table lists the information that is required to configure the AAA context on a P-GW.
Required Information for AAA Context Configuration
How This Configuration Works
The following figure and supporting text describe how this configuration with a single source and destination context is used by the system to process a subscriber call originating from the GTP LTE network.
1.
2.
The P-GW service determines which context to use to provide AAA functionality for the session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
3.
4.
5.
6.
7.
P-MIP P-GW (eHRPD) Configuration
To configure the system to perform as a standalone P-MIP P-GW in an eHRPD network environment, review the following graphic and subsequent steps.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Initial Configuration
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Modifying the Local Context
Use the following example to set the default subscriber and configure remote access capability in the local context:
configure
   context local
      interface <lcl_cntxt_intrfc_name>
         ip address <ip_address> <ip_mask>
         exit
      server ftpd
         exit
      server telnetd
         exit
      subscriber default
         exit
      administrator <name> encrypted password <password> ftp
      ip route <ip_addr/ip_mask> <next_hop_addr> <lcl_cntxt_intrfc_name>
      exit
   port ethernet <slot#/port#>
      no shutdown
      bind interface <lcl_cntxt_intrfc_name> local
      end
Creating and Configuring a P-MIP P-GW Context
Use the following example to create a P-GW context, create an S2a IPv6 interface (for data traffic to/from the HSGW), and bind the S2a interface to a configured Ethernet port:
configure
   context <pgw_context_name> -noconfirm
      interface <s2a_interface_name> tunnel
         ipv6 address <address>
         tunnel-mode ipv6ip
            source interface <name>
            destination address <ipv4 or ipv6 address>
            exit
         exit
      policy accounting <rf_policy_name> -noconfirm
         accounting-level {level_type}
         accounting-event-trigger interim-timeout action stop-start
         operator-string <string>
         cc profile <index> interval <seconds>
         exit
      subscriber default
         exit
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <s2a_interface_name> <pgw_context_name>
      end
Notes:
Set the accounting policy for the Rf (off-line charging) interface. The accounting level types are: flow, PDN, PDN-QCI, QCI, and subscriber. Refer to the Accounting Profile Configuration Mode Commands chapter in the Command Line Interface Reference for more information on this command.
Creating and Configuring APNs in the P-GW Context
Use the following configuration to create an APN:
configure
   context <pgw_context_name> -noconfirm
      apn <name>
         accounting-mode radius-diameter
         associate accounting-policy <rf_policy_name>
         ims-auth-service <gx_ims_service_name>
         aaa group <rf-radius_group_name>
         dns primary <ipv4_address>
         dns secondary <ipv4_address>
         ip access-group <name> in
         ip access-group <name> out
         mediation-device context-name <pgw_context_name>
         ip context-name <pdn_context_name>
         ipv6 access-group <name> in
         ipv6 access-group <name> out
         active-charging rulebase <name>
         end
Notes:
Creating and Configuring AAA Groups in the P-GW Context
Use the following example to create and configure AAA groups supporting RADIUS and Rf accounting:
configure
   context <pgw_context_name> -noconfirm
      aaa group <rf-radius_group_name>
         radius attribute nas-identifier <id>
         radius accounting interim interval <seconds>
         radius dictionary <name>
         radius mediation-device accounting server <address> key <key>
         diameter authentication dictionary <name>
         diameter accounting dictionary <name>
         diameter authentication endpoint <s6b_cfg_name>
         diameter accounting endpoint <rf_cfg_name>
         diameter authentication server <s6b_cfg_name> priority <num>
         diameter accounting server <rf_cfg_name> priority <num>
         exit
      aaa group default
         radius attribute nas-ip-address address <ipv4_address>
         radius accounting interim interval <seconds>
         diameter authentication dictionary <name>
         diameter accounting dictionary <name>
         diameter authentication endpoint <s6b_cfg_name>
         diameter accounting endpoint <rf_cfg_name>
         diameter authentication server <s6b_cfg_name> priority <num>
         diameter accounting server <rf_cfg_name> priority <num>
         end
Creating and Configuring an LMA Service
Use the following configuration example to create the LMA service:
configure
   context <pgw_context_name>
      lma-service <lma_service_name> -noconfirm
         no aaa accounting
         revocation enable
         bind address <s2a_ipv6_address>
         end
Notes:
The no aaa accounting command is used to prevent duplicate accounting packets.
Creating a P-GW PDN Context
Use the following example to create a P-GW PDN context and Ethernet interfaces.
configure
   context <pdn_context_name> -noconfirm
      interface <sgi_ipv4_interface_name>
         ip address <ipv4_address>
         exit
      interface <sgi_ipv6_interface_name>
         ipv6 address <address>
         end
P-GW Service Configuration
Step 1
Step 2
Configuring the P-GW Service
Use the following example to configure the P-GW service:
configure
   context <pgw_context_name>
      pgw-service <pgw_service_name> -noconfirm
         associate lma-service <lma_service_name>
         associate qci-qos-mapping <name>
         authorize external
         fqdn host <domain_name> realm <realm_name>
         plmn id mcc <id> mnc <id>
         end
Notes:
The fqdn host command configures a Fully Qualified Domain Name for the P-GW service used in messages between the P-GW and a 3GPP AAA server over the S6b interface.
Configuring a Static IP Route
Use the following example to configure static IP routes for data traffic between the P-GW and the HSGW:
configure
   context <pgw_context_name>
      ipv6 route <ipv6_addr/prefix> next-hop <hsgw_addr> interface <pgw_hsgw_intrfc_name>
      end
Notes:
P-GW PDN Context Configuration
Use the following example to configure IP pools and IP Access Control Lists (ACLs), and bind ports to the interfaces in the PDN context:
configure
   context <pdn_context_name> -noconfirm
      ip pool <name> range <start_address end_address> public <priority>
      ipv6 pool <name> range <start_address end_address> public <priority>
      subscriber default
         exit
      ip access-list <name>
         redirect css service <name> any
         permit any
         exit
      ipv6 access-list <name>
         redirect css service <name> any
         permit any
         exit
      aaa group default
         exit
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <pdn_sgi_ipv4_interface_name> <pdn_context_name>
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <pdn_sgi_ipv6_interface_name> <pdn_context_name>
      end
Active Charging Service Configuration
Use the following example to enable and configure active charging:
configure
   require active-charging optimized-mode
   active-charging service <name>
      ruledef <name>
         <rule_definition>
               .
               .
         <rule_definition>
         exit
      ruledef <name>
         <rule_definition>
               .
               .
         <rule_definition>
         exit
      charging-action <name>
         <action>
            .
            .
         <action>
         exit
      charging-action <name>
         <action>
            .
            .
         <action>
         exit
      rulebase default
         exit
      rulebase <name>
         <rule_base>
            .
            .
         <rule_base>
         end
Notes:
AAA and Policy Configuration
Step 1
Step 2
Creating and Configuring the AAA Context
Use the following example to create and configure a AAA context including diameter support and policy control, and bind ports to interfaces supporting traffic between this context, a PCRF, a 3GPP AAA server, an on-line charging server, and an off-line charging server:
configure
   context <aaa_context_name> -noconfirm
      interface <s6b_interface_name>
         ip address <ipv4_address>
         exit
      interface <gx_interface_name>
         ipv6 address <address>
         exit
      interface <rf_interface_name>
         ip address <ipv4_address>
         exit
      interface <gy_interface_name>
         ipv6 address <address>
         exit
      subscriber default
         exit
      ims-auth-service <gx_ims_service_name>
         p-cscf discovery table <#> algorithm round-robin
         p-cscf table <#> row-precedence <#> ipv6-address <pcrf_adr>
         policy-control
            diameter origin endpoint <gx_cfg_name>
            diameter dictionary <name>
            diameter host-select table <#> algorithm round-robin
            diameter host-select row-precedence <#> table <#> host <gx_cfg_name>
            exit
         exit
      diameter endpoint <s6b_cfg_name>
         origin realm <realm_name>
         origin host <name> address <aaa_ctx_ipv4_address>
         peer <s6b_cfg_name> realm <name> address <aaa_ip_addr>
         route-entry peer <s6b_cfg_name>
         exit
      diameter endpoint <gx_cfg_name>
         origin realm <realm_name>
         origin host <name> address <aaa_context_ip_address>
         peer <gx_cfg_name> realm <name> address <pcrf_ipv6_addr>
         route-entry peer <gx_cfg_name>
         exit
      diameter endpoint <rf_cfg_name>
         origin realm <realm_name>
         origin host <name> address <aaa_ip_address>
         peer <rf_cfg_name> realm <name> address <ofcs_ip_addr>
         route-entry peer <rf_cfg_name>
         exit
      diameter endpoint <gy_cfg_name>
         use-proxy
         origin realm <realm_name>
         origin host <name> address <aaa_ip_address>
         connection retry-timeout <seconds>
         peer <gy_cfg_name> realm <name> address <ocs_ip_addr>
         route-entry peer <gy_cfg_name>
         exit
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <s6b_interface_name> <aaa_context_name>
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <gx_interface_name> <aaa_context_name>
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <gy_interface_name> <aaa_context_name>
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <rf_interface_name> <aaa_context_name>
      end
Notes:
The p-cscf table command under ims-auth-service can also specify an IPv4 address to the PCRF.
Configuring QCI-QoS Mapping
Use the following example to create and map QCI values to enforceable QoS parameters:
configure
   qci-qos-mapping <name>
      qci 1 user-datagram dscp-marking <hex>
      qci 3 user-datagram dscp-marking <hex>
      qci 9 user-datagram dscp-marking <hex>
      exit
Notes:
The above configuration only shows one keyword example. Refer to the QCI - QOS Mapping Configuration Mode Commands chapter in the Command Line Interface Reference for more information on the qci command and other supported keywords.
Verifying and Saving the Configuration
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
Configuring Optional Features on the P-GW
The configuration examples in this section are optional and provided to cover the most common uses of the P-GW in a live network. The intent of these examples is to provide a base configuration for testing.
The following optional configurations are provided in this section:
Configuring ACL-based Node-to-Node IP Security on the S5 Interface
The configuration example in this section creates an IKEv2/IPSec ACL-based node-to-node tunnel endpoint on the S5 interface.
Important: Use of the IP Security feature requires that a valid license key be installed. Contact your local Sales or Support representative for information on how to obtain a license.
The following configuration examples are included in this section:
Creating and Configuring a Crypto Access Control List
The following example configures a crypto ACL (Access Control List), which defines the matching criteria used for routing subscriber data packets over an IPSec tunnel:
configure
   context <pgw_context_name> -noconfirm
      ip access-list <acl_name>
         permit tcp host <source_host_address> host <dest_host_address>
         end
Notes:
The permit command in this example routes IPv4 traffic from the server with the specified source host IPv4 address to the server with the specified destination host IPv4 address.
Creating and Configuring an IPSec Transform Set
The following example configures an IPSec transform set, which is used to define the security association that determines the protocols used to protect the data on the interface:
configure
   context <pgw_context_name> -noconfirm
      ipsec transform-set <ipsec_transform-set_name>
         encryption aes-cbc-128
         group none
         hmac sha1-96
         mode tunnel
         end
Notes:
The encryption algorithm, aes-cbc-128, is the Advanced Encryption Standard in Cipher Block Chaining mode with a 128-bit key. It is the default algorithm for IPSec transform sets configured on the system.
The group none command specifies that no Diffie-Hellman group is negotiated for the child security association, so Perfect Forward Secrecy (PFS) is disabled. This is the default setting for IPSec transform sets configured on the system.
The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IPSec transform sets configured on the system.
The mode tunnel command specifies that the entire packet is to be encapsulated by the IPSec header including the IP header. This is the default setting for IPSec transform sets configured on the system.
Creating and Configuring an IKEv2 Transform Set
The following example configures an IKEv2 transform set:
configure
   context <pgw_context_name> -noconfirm
      ikev2-ikesa transform-set <ikev2_transform-set_name>
         encryption aes-cbc-128
         group 2
         hmac sha1-96
         lifetime <sec>
         prf sha1
         end
Notes:
The encryption algorithm, aes-cbc-128, is the Advanced Encryption Standard in Cipher Block Chaining mode with a 128-bit key. It is the default algorithm for IKEv2 transform sets configured on the system.
The group 2 command specifies the Diffie-Hellman algorithm as Group 2, indicating medium security. The Diffie-Hellman algorithm controls the strength of the crypto exponentials. This is the default setting for IKEv2 transform sets configured on the system.
The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
The lifetime command configures the time the security key is allowed to exist, in seconds.
The prf command configures the IKE Pseudo-random Function which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
Creating and Configuring a Crypto Map
The following example configures an IKEv2 crypto map:
configure
   context <pgw_context_name>
      crypto map <crypto_map_name> ikev2-ipv4
         match address <acl_name>
         peer <ipv4_address>
         authentication local pre-shared-key key <text>
         authentication remote pre-shared-key key <text>
         ikev2-ikesa transform-set list <name1> . . . <name6>
         payload <name> match ipv4
            lifetime <seconds>
            ipsec transform-set list <name1> . . . <name4>
            exit
         exit
      interface <s5_intf_name>
         ip address <ipv4_address>
         crypto-map <crypto_map_name>
         exit
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <s5_intf_name> <pgw_context_name>
      end
Notes:
The ipsec transform-set list command specifies up to four IPSec transform sets.
Configuring APN as Emergency
The configuration example in this section configures an emergency APN for VoLTE-based E911 support.
In APN Configuration Mode, specify the name of the emergency APN and set the emergency inactivity timeout as follows. You may also configure the P-CSCF FQDN server name for the APN.
configure
   context <pgw_context_name> -noconfirm
      apn <name>
         emergency-apn
         timeout emergency-inactivity <seconds>
         p-cscf fqdn <fqdn>
         end
Notes:
The timeout emergency-inactivity command specifies the timeout duration, in seconds, to check inactivity on the emergency session. <seconds> must be an integer value from 1 through 3600.
The p-cscf fqdn command configures the P-CSCF FQDN server name for the APN. <fqdn> must be a string from 1 to 256 characters in length.
Configuring Dynamic Node-to-Node IP Security on the S5 Interface
The configuration example in this section creates an IPSec/IKEv2 dynamic node-to-node tunnel endpoint on the S5 interface.
Important: Use of the IP Security feature requires that a valid license key be installed. Contact your local Sales or Support representative for information on how to obtain a license.
The following configuration examples are included in this section:
Creating and Configuring an IPSec Transform Set
The following example configures an IPSec transform set, which is used to define the security association that determines the protocols used to protect the data on the interface:
configure
   context <pgw_context_name> -noconfirm
      ipsec transform-set <ipsec_transform-set_name>
         encryption aes-cbc-128
         group none
         hmac sha1-96
         mode tunnel
         end
Notes:
The encryption algorithm, aes-cbc-128, is the Advanced Encryption Standard in Cipher Block Chaining mode with a 128-bit key. It is the default algorithm for IPSec transform sets configured on the system.
The group none command specifies that no Diffie-Hellman group is negotiated for the child security association, so Perfect Forward Secrecy (PFS) is disabled. This is the default setting for IPSec transform sets configured on the system.
The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IPSec transform sets configured on the system.
The mode tunnel command specifies that the entire packet is to be encapsulated by the IPSec header, including the IP header. This is the default setting for IPSec transform sets configured on the system.
Creating and Configuring an IKEv2 Transform Set
The following example configures an IKEv2 transform set:
configure
   context <pgw_context_name> -noconfirm
      ikev2-ikesa transform-set <ikev2_transform-set_name>
         encryption aes-cbc-128
         group 2
         hmac sha1-96
         lifetime <sec>
         prf sha1
         end
Notes:
The encryption algorithm, aes-cbc-128, is the Advanced Encryption Standard in Cipher Block Chaining mode with a 128-bit key. It is the default algorithm for IKEv2 transform sets configured on the system.
The group 2 command specifies the Diffie-Hellman algorithm as Group 2, indicating medium security. The Diffie-Hellman algorithm controls the strength of the crypto exponentials. This is the default setting for IKEv2 transform sets configured on the system.
The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
The lifetime command configures the time the security key is allowed to exist, in seconds.
The prf command configures the IKE Pseudo-random Function, which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
Creating and Configuring a Crypto Template
The following example configures an IKEv2 crypto template:
configure
   context <pgw_context_name> -noconfirm
      crypto template <crypto_template_name> ikev2-dynamic
         ikev2-ikesa transform-set list <name1> . . . <name6>
         ikev2-ikesa rekey
         payload <name> match childsa match ipv4
            ipsec transform-set list <name1> . . . <name4>
            rekey
            end
Notes:
The ikev2-ikesa transform-set list command specifies up to six IKEv2 transform sets.
The ipsec transform-set list command specifies up to four IPSec transform sets.
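The transform sets and the crypto map or crypto template above (in both the ACL-based and the dynamic node-to-node sections) are where the tunnel's actual cryptographic strength is decided, and the page's defaults are the settings a reviewer would question first: group none disables PFS for the child SA, group 2 is a 1024-bit MODP group, and sha1-96 and prf sha1 are SHA-1 based. As an added example (not code from the Cisco guide), the following Python script walks a StarOS-style context fragment, collects each transform set and each crypto map or template, and reports those settings together with transform-set list problems: more entries than the limits the page states (six IKEv2 sets, four IPSec sets) or a list entry that names a set never defined. The sample configuration, its names and the indentation-based block detection are constructed for illustration; only the commands shown on the page are recognized.

```python
"""Audit of IPSec / IKEv2 transform sets and crypto map or template lists.

Added example, not code from the Cisco guide.  Reports: child-SA PFS
disabled ('group none'), weak Diffie-Hellman groups, SHA-1 based
integrity/PRF, and transform-set list problems (over the stated limit,
or a name that is never defined).  Block detection is indentation based.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_IKEV2_LIST = 6          # the page: 'ikev2-ikesa transform-set list' takes up to six sets
MAX_IPSEC_LIST = 4          # the page: 'ipsec transform-set list' takes up to four sets
WEAK_DH = {"1", "2", "5"}   # MODP groups of 1536 bits or less (RFC 8247: MUST NOT / SHOULD NOT)
_ATTRS = {"encryption", "group", "hmac", "prf", "lifetime", "mode"}
_STARTS = (
    ("ipsec", re.compile(r"^ipsec transform-set (?!list\b)(\S+)")),
    ("ikev2", re.compile(r"^ikev2-ikesa transform-set (?!list\b)(\S+)")),
    ("crypto", re.compile(r"^crypto (?:map|template) (\S+)")),
)


@dataclass
class Block:
    kind: str          # 'ipsec', 'ikev2' or 'crypto'
    name: str
    indent: int
    attrs: Dict[str, str] = field(default_factory=dict)
    ikev2_list: List[str] = field(default_factory=list)
    ipsec_list: List[str] = field(default_factory=list)


def parse_blocks(text: str) -> List[Block]:
    """Collect transform-set and crypto map/template blocks by indentation."""
    blocks: List[Block] = []
    cur = None
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        indent = len(raw) - len(raw.lstrip())
        started = [(kind, rx.match(s)) for kind, rx in _STARTS if rx.match(s)]
        words = s.split()
        if started:
            cur = Block(started[0][0], started[0][1].group(1), indent)
            blocks.append(cur)
        elif cur is None or indent <= cur.indent:
            cur = None                       # back at the block's own level: it is closed
        elif cur.kind == "crypto":           # nested payload lines still belong to the crypto block
            if s.startswith("ikev2-ikesa transform-set list "):
                cur.ikev2_list = words[3:]
            elif s.startswith("ipsec transform-set list "):
                cur.ipsec_list = words[3:]
        elif words[0] in _ATTRS and len(words) > 1:
            cur.attrs[words[0]] = words[1]
    return blocks


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (location, finding) pairs for the settings a reviewer should look at."""
    blocks = parse_blocks(text)
    defined = {(b.kind, b.name) for b in blocks}
    findings: List[Tuple[str, str]] = []
    for b in blocks:
        where = f"crypto {b.name}" if b.kind == "crypto" else f"{b.kind} transform-set {b.name}"
        group = b.attrs.get("group", "none" if b.kind == "ipsec" else None)
        if b.kind == "ipsec" and group == "none":
            findings.append((where, "PFS disabled: with 'group none' child-SA keys derive from the IKE SA alone"))
        if group in WEAK_DH:
            findings.append((where, f"DH group {group} is a 1536-bit-or-smaller MODP group; "
                                    "RFC 8247 guidance is group 14 or stronger"))
        if b.attrs.get("hmac") == "sha1-96" or b.attrs.get("prf") == "sha1":
            findings.append((where, "SHA-1 based integrity/PRF: legacy; prefer SHA-2 when the peer supports it"))
        if b.kind == "ikev2" and "lifetime" not in b.attrs:
            findings.append((where, "IKE SA lifetime not set explicitly; the system default applies"))
        for lst, kind, limit in ((b.ikev2_list, "ikev2", MAX_IKEV2_LIST),
                                 (b.ipsec_list, "ipsec", MAX_IPSEC_LIST)):
            if len(lst) > limit:
                findings.append((where, f"{kind} transform-set list has {len(lst)} entries; the limit is {limit}"))
            for name in lst:
                if (kind, name) not in defined:
                    findings.append((where, f"{kind} transform-set list references undefined set {name!r}"))
    return findings


# Constructed sample modelled on the page's examples; names are illustrative.
SAMPLE_CONFIG = """\
configure
   context pgw_ctx -noconfirm
      ipsec transform-set esp_default
         encryption aes-cbc-128
         group none
         hmac sha1-96
         mode tunnel
         exit
      ipsec transform-set esp_pfs
         encryption aes-cbc-128
         group 14
         hmac sha1-96
         exit
      ikev2-ikesa transform-set ike_default
         encryption aes-cbc-128
         group 2
         hmac sha1-96
         lifetime 86400
         prf sha1
         exit
      crypto template s5_tmpl ikev2-dynamic
         ikev2-ikesa transform-set list ike_default
         payload s5_payload match childsa match ipv4
            ipsec transform-set list esp_pfs esp_default esp_missing
            exit
         end
"""
```

Running audit(SAMPLE_CONFIG) flags esp_default for disabled PFS, ike_default for group 2, all three sets for SHA-1, and the template for the undefined esp_missing entry; esp_pfs (group 14) draws no PFS finding. A list with five IPSec sets would be reported against the four-entry limit the page states.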
Binding the S5 IP Address to the Crypto Template
The following example configures the binding of the S5 interface to the crypto template:
configure
   context <pgw_ingress_context_name> -noconfirm
      gtpu-service <gtpu_ingress_service_name>
         bind ipv4-address <s5_interface_ip_address> crypto-template <sgw_s5_crypto_template>
         exit
      egtp-service <egtp_ingress_service_name>
         interface-type interface-pgw-ingress
         associate gtpu-service <gtpu_ingress_service_name>
         gtpc bind ipv4-address <s5_interface_ip_address>
         exit
      pgw-service <pgw_service_name> -noconfirm
         plmn id mcc <id> mnc <id> primary
         associate egtp-service <egtp_ingress_service_name>
         end
Notes:
The bind command in the GTP-U service configuration and the gtpc bind command in the eGTP service configuration can also take an IPv6 address by using the ipv6-address keyword in place of ipv4-address.
Configuring Local QoS Policy
The configuration examples in this section create a local QoS policy. A local QoS policy service can be used to control different aspects of a session, such as QoS, data usage, subscription profiles, or server usage, by means of locally defined policies.
Important: Local QoS Policy is a licensed feature and requires the purchase of the Local Policy Decision Engine feature license to enable it.
The following configuration examples are included in this section:
Creating and Configuring a Local QoS Policy
The following configuration example enables a local QoS policy on the P-GW:
configure
   local-policy-service <name> -noconfirm
      ruledef <ruledef_name> -noconfirm
         condition priority <priority> <variable> match <string_value>
         condition priority <priority> <variable> match <int_value>
         condition priority <priority> <variable> nomatch <regex>
         exit
      actiondef <actiondef_name> -noconfirm
         action priority <priority> <action_name> <arguments>
         action priority <priority> <action_name> <arguments>
         exit
      actiondef <actiondef_name> -noconfirm
         action priority <priority> <action_name> <arguments>
         action priority <priority> <action_name> <arguments>
         exit
      eventbase <eventbase_name> -noconfirm
         rule priority <priority> event <list_of_events> ruledef <ruledef_name> actiondef <actiondef_name>
         end
Notes:
The condition command can be entered multiple times to configure multiple conditions for a ruledef. The conditions are examined in priority order until a match is found and the corresponding condition is applied.
The action command can be entered multiple times to configure multiple actions for an actiondef. The actions are examined in priority order until a match is found and the corresponding action is applied.
The rule command can be entered multiple times to configure multiple rules for an eventbase.
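The priority ordering described in the notes above is what decides the outcome when several ruledefs or rules could apply, and it is easy to get wrong when a policy grows. As an added example (not code from the Cisco guide), the following Python script parses ruledef, actiondef and eventbase lines of the form shown above and evaluates an event against a session: conditions of a ruledef are tried in priority order and the first one that holds makes the ruledef match, rules of an eventbase are tried in priority order and the first rule whose event and ruledef match has its actiondef applied (an assumption about how the platform resolves competing rules), and the actions of that actiondef are applied in priority order. The variable names (apn-name, bearer-qci, serving-plmn), the action names (allow, reject, set-qci), the space-separated event list and the sample policy are constructed for illustration and are not the platform's own identifiers.

```python
"""Priority-ordered evaluation of a StarOS-style local policy.

Added example, not code from the Cisco guide.  Variable names, action
names, the event-list format and the sample policy are assumptions made
for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Condition:
    priority: int
    variable: str
    op: str          # 'match' or 'nomatch'
    value: str

    def holds(self, session: dict) -> bool:
        actual = session.get(self.variable)
        if actual is None:
            return False                              # absent variable never satisfies a condition
        if self.op == "match":
            return str(actual) == self.value          # string or integer literal compared as text
        return re.fullmatch(self.value, str(actual)) is None   # nomatch <regex>


@dataclass
class Rule:
    priority: int
    events: Set[str]
    ruledef: str
    actiondef: str


@dataclass
class Policy:
    ruledefs: Dict[str, List[Condition]] = field(default_factory=dict)
    actiondefs: Dict[str, List[Tuple[int, str, List[str]]]] = field(default_factory=dict)
    eventbases: Dict[str, List[Rule]] = field(default_factory=dict)


_RX = {
    "ruledef": re.compile(r"^ruledef (\S+)"),
    "condition": re.compile(r"^condition priority (\d+) (\S+) (match|nomatch) (.+)$"),
    "actiondef": re.compile(r"^actiondef (\S+)"),
    "action": re.compile(r"^action priority (\d+) (\S+)(?:\s+(.*))?$"),
    "eventbase": re.compile(r"^eventbase (\S+)"),
    "rule": re.compile(r"^rule priority (\d+) event (.+?) ruledef (\S+) actiondef (\S+)$"),
}


def parse_policy(text: str) -> Policy:
    """Turn the local-policy-service lines shown on the page into a Policy."""
    pol, cur = Policy(), None
    for raw in text.splitlines():
        s = raw.strip()
        if m := _RX["ruledef"].match(s):
            cur = pol.ruledefs.setdefault(m.group(1), [])
        elif m := _RX["actiondef"].match(s):
            cur = pol.actiondefs.setdefault(m.group(1), [])
        elif m := _RX["eventbase"].match(s):
            cur = pol.eventbases.setdefault(m.group(1), [])
        elif m := _RX["condition"].match(s):
            cur.append(Condition(int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
        elif m := _RX["action"].match(s):
            cur.append((int(m.group(1)), m.group(2), (m.group(3) or "").split()))
        elif m := _RX["rule"].match(s):
            cur.append(Rule(int(m.group(1)), set(m.group(2).split()), m.group(3), m.group(4)))
    return pol


def ruledef_matches(conditions: List[Condition], session: dict) -> bool:
    """Conditions are tried in priority order; the first one that holds decides."""
    return any(c.holds(session) for c in sorted(conditions, key=lambda c: c.priority))


# Hypothetical action handlers; each updates the policy decision in place.
def _allow(decision: dict, args: List[str]) -> None:
    decision["allow"] = True


def _reject(decision: dict, args: List[str]) -> None:
    decision["allow"] = False
    decision["reason"] = " ".join(args) or "policy"


def _set_qci(decision: dict, args: List[str]) -> None:
    decision["qci"] = int(args[0])


ACTIONS = {"allow": _allow, "reject": _reject, "set-qci": _set_qci}


def apply_actiondef(actions, decision: dict) -> dict:
    """Apply the actions of an actiondef in priority order."""
    for _prio, name, args in sorted(actions, key=lambda a: a[0]):
        ACTIONS[name](decision, args)       # KeyError on an action name the toy does not know
    return decision


def evaluate(policy: Policy, eventbase: str, event: str, session: dict) -> dict:
    """First rule (by priority) whose event and ruledef match wins; no match leaves allow=None."""
    decision = {"allow": None, "matched_rule": None}
    for rule in sorted(policy.eventbases[eventbase], key=lambda r: r.priority):
        if event in rule.events and ruledef_matches(policy.ruledefs[rule.ruledef], session):
            decision["matched_rule"] = rule.priority
            return apply_actiondef(policy.actiondefs[rule.actiondef], decision)
    return decision


# Constructed sample policy, shaped like the page's example.
POLICY_TEXT = """\
local-policy-service lp_pgw -noconfirm
   ruledef emergency_session -noconfirm
      condition priority 1 apn-name match sos
      condition priority 2 bearer-qci match 1
      exit
   ruledef untrusted_plmn -noconfirm
      condition priority 1 serving-plmn nomatch 00101|00102
      exit
   actiondef prioritize -noconfirm
      action priority 1 allow
      action priority 2 set-qci 1
      exit
   actiondef deny -noconfirm
      action priority 1 reject roaming-not-allowed
      exit
   eventbase pgw_events -noconfirm
      rule priority 1 event new-call ruledef emergency_session actiondef prioritize
      rule priority 2 event new-call location-change ruledef untrusted_plmn actiondef deny
      end
"""
```

With this sample, a new-call from apn sos on an untrusted PLMN is still prioritized because rule 1 is evaluated first; the same session on a location-change event falls through to rule 2 and is rejected, which is the kind of ordering interaction worth checking before a policy goes live.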
Binding a Local QoS Policy
The following configuration example binds the previously configured local QoS policy:
configure
   context <pgw_context_name> -noconfirm
      apn <name>
         ims-auth-service <local-policy-service name>
         end
Verifying Local QoS Policy
The following configuration example verifies if local QoS service is enforced:
logging filter active facility local-policy level debug
logging active
show local-policy statistics all
Configuring X.509 Certificate-based Peer Authentication
The configuration example in this section enables X.509 certificate-based peer authentication, which can be used as the authentication method for IP Security on the P-GW.
Important: Use of the IP Security feature requires that a valid license key be installed. Contact your local Sales or Support representative for information on how to obtain a license.
The following configuration example enables X.509 certificate-based peer authentication on the P-GW.
In Global Configuration Mode, specify the name of the X.509 certificate and CA certificate, as follows:
configure
   certificate name <cert_name> pem url <cert_pem_url> private-key pem url <private_key_url>
   ca-certificate name <ca_cert_name> pem url <ca_cert_url>
   end
Notes:
The certificate name and ca-certificate name commands specify the X.509 certificate and CA certificate to be used.
When creating the crypto template for IPSec in Context Configuration Mode, bind the X.509 certificate and CA certificate to the crypto template and enable X.509 certificate-based peer authentication for the local and remote nodes, as follows:
configure
   context <pgw_context_name> -noconfirm
      crypto template <crypto_template_name> ikev2-dynamic
         certificate name <cert_name>
         ca-certificate list ca-cert-name <ca_cert_name>
         authentication local certificate
         authentication remote certificate
         end
Notes:
The certificate name and ca-certificate list ca-cert-name commands bind the certificate and CA certificate to the crypto template.
The authentication local certificate and authentication remote certificate commands enable X.509 certificate-based peer authentication for the local and remote nodes.
Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883