Important: Information about all commands in this chapter can be found in the Command Line Interface Reference.
This section provides a high-level series of steps and the associated configuration file examples for configuring the system to perform as an eGTP P-GW in a test environment. For a complete configuration file example, refer to the Sample Configuration Files appendix. Information provided in this section includes the following:
2. The P-GW service determines which context to use to provide AAA functionality for the session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
Step 1 Set system configuration parameters such as activating PSCs by applying the example configurations found in the System Administration Guide.
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
   interface <lcl_cntxt_intrfc_name>
   port ethernet <slot#/port#>
      bind interface <lcl_cntxt_intrfc_name> local
   context <pgw_context_name> -noconfirm
      interface <s5s8_interface_name>
         ip address <ipv4_address>
      gtpp charging-agent address <gz_ipv4_address>
      gtpp echo-interval <seconds>
      gtpp dictionary <name>
      policy accounting <rf_policy_name> -noconfirm
         accounting-level {level_type}
         operator-string <string>
   port ethernet <slot_number/port_number>
• gtpp single-source is enabled to allow the system to generate requests to the accounting server using a single UDP port (by way of an AAA proxy function) rather than each AAA manager generating requests on unique UDP ports.
• Set the accounting policy for the Rf (off-line charging) interface. The accounting level types are: flow, PDN, PDN-QCI, QCI, and subscriber. Refer to the Accounting Profile Configuration Mode Commands chapter in the Command Line Interface Reference for more information on this command.
   context <pgw_context_name> -noconfirm
      apn <name>
         associate accounting-policy <rf_policy_name>
         ims-auth-service <gx_ims_service_name>
         aaa group <rf-radius_group_name>
         dns primary <ipv4_address>
         dns secondary <ipv4_address>
         ip access-group <name> in
         ip access-group <name> out
         mediation-device context-name <pgw_context_name>
         ip context-name <pdn_context_name>
         ipv6 access-group <name> in
         ipv6 access-group <name> out
   context <pgw_context_name> -noconfirm
      apn <name>
         gtpp group default accounting-context <aaa_context_name>
         ims-auth-service <gx_ims_service_name>
         ip access-group <name> in
         ip access-group <name> out
         ip context-name <pdn_context_name>
         active-charging rulebase <gz_rulebase_name>
   context <pgw_context_name> -noconfirm
      aaa group <rf-radius_group_name>
         radius dictionary <name>
         diameter accounting endpoint <rf_cfg_name>
         radius attribute nas-ip-address address <ipv4_address>
      diameter accounting endpoint <rf_cfg_name>
   context <pgw_context_name>
      egtp-service <egtp_service_name> -noconfirm
         associate gtpu-service <gtpu_service_name>
         gtpc bind address <s5s8_interface_address>
• Co-locating a GGSN service on the same ASR 5x00 requires that the gtpc bind address command uses the same IP address the GGSN service is bound to.
   context <pgw_context_name>
      gtpu-service <gtpu_service_name> -noconfirm
         bind ipv4-address <s5s8_interface_address>
   context <pdn_context_name> -noconfirm
      interface <sgi_ipv4_interface_name>
         ip address <ipv4_address>
      interface <sgi_ipv6_interface_name>
         ipv6 address <address>
Step 1
Step 2
   context <pgw_context_name>
      pgw-service <pgw_service_name> -noconfirm
         associate egtp-service <egtp_service_name>
• QCI-QoS mapping configurations are created in the AAA context. Refer to the Configuring QCI-QoS Mapping section for more information.
• Co-locating a GGSN service on the same ASR 5x00 requires the configuration of the associate ggsn-service name command within the P-GW service.
   context <pgw_context_name>
   context <pdn_context_name> -noconfirm
      interface <sgi_ipv4_interface_name>
         ip address <ipv4_address>
      interface <sgi_ipv6_interface_name>
         ipv6 address <ipv6_address>
      ip access-list <name>
         redirect css service <name> any
      ipv6 access-list <name>
         redirect css service <name> any
      ruledef <name>
         <rule_definition>
         <rule_definition>
      ruledef icmp-pkts
      ruledef qci3
      ruledef static
      charging-action <name>
         <action>
         <action>
      charging-action icmp
      charging-action qci3
         content-id <id>
         allocation-retention-priority <priority>
         tft-packet-filter qci3
      charging-action static
         allocation-retention-priority <priority>
         tft-packet-filter qci3
      rulebase <name>
         <rule_base>
         <rule_base>
      rulebase <gx_rulebase_name>
         egcdr threshold interval <interval>
• The billing-action egcdr command in the charging-action qci3, icmp, and static examples is required for Gz accounting.
• The Gz rulebase example supports the Gz interface for off-line charging. The billing-records egcdr command is required for Gz accounting. All other commands are optional.
Step 1
Step 2
   context <aaa_context_name> -noconfirm
      interface <gx_interface_name>
         ipv6 address <address>
      interface <gy_interface_name>
         ipv6 address <address>
      interface <gz_interface_name>
         ip address <ipv4_address>
      interface <rf_interface_name>
         ip address <ipv4_address>
      ims-auth-service <gx_ims_service_name>
         p-cscf discovery table <#> algorithm round-robin
         diameter origin endpoint <gx_cfg_name>
         diameter host-select table <#> algorithm round-robin
      diameter endpoint <gx_cfg_name>
         origin realm <realm_name>
         route-entry peer <gx_cfg_name>
      diameter endpoint <gy_cfg_name>
         origin realm <realm_name>
         connection retry-timeout <seconds>
         route-entry peer <gy_cfg_name>
      diameter endpoint <rf_cfg_name>
         origin realm <realm_name>
         route-entry peer <rf_cfg_name>
   port ethernet <slot_number/port_number>
   port ethernet <slot_number/port_number>
   port ethernet <slot_number/port_number>
   port ethernet <slot_number/port_number>
• The Gx interface IP address can also be specified as an IPv4 address using the ip address command.
• The Gy interface IP address can also be specified as an IPv4 address using the ip address command.
• The Rf interface IP address can also be specified as an IPv6 address using the ipv6 address command.
   qci-qos-mapping <name>
• The above configuration only shows one keyword example. Refer to the QCI - QOS Mapping Configuration Mode Commands chapter in the Command Line Interface Reference for more information on the qci command and other supported keywords.

Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.

This section provides a high-level series of steps and the associated configuration file examples for configuring the system to perform as a P-MIP P-GW supporting an eHRPD test environment. For a complete configuration file example, refer to the Sample Configuration Files appendix. Information provided in this section includes the following:
2. The P-GW service determines which context to use to provide AAA functionality for the session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
Step 1 Set system configuration parameters such as activating PSCs by applying the example configurations found in the System Administration Guide.
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
   interface <lcl_cntxt_intrfc_name>
   port ethernet <slot#/port#>
      bind interface <lcl_cntxt_intrfc_name> local
   context <pgw_context_name> -noconfirm
      interface <s2a_interface_name> tunnel
         ipv6 address <address>
         source interface <name>
         destination address <ipv4 or ipv6 address>
      policy accounting <rf_policy_name> -noconfirm
         accounting-level {level_type}
         operator-string <string>
   port ethernet <slot_number/port_number>
      bind interface <s2a_interface_name> <pgw_context_name>
• Set the accounting policy for the Rf (off-line charging) interface. The accounting level types are: flow, PDN, PDN-QCI, QCI, and subscriber. Refer to the Accounting Profile Configuration Mode Commands chapter in the Command Line Interface Reference for more information on this command.
   context <pgw_context_name> -noconfirm
      apn <name>
         associate accounting-policy <rf_policy_name>
         ims-auth-service <gx_ims_service_name>
         aaa group <rf-radius_group_name>
         dns primary <ipv4_address>
         dns secondary <ipv4_address>
         ip access-group <name> in
         ip access-group <name> out
         mediation-device context-name <pgw_context_name>
         ip context-name <pdn_context_name>
         ipv6 access-group <name> in
         ipv6 access-group <name> out
   context <pgw_context_name> -noconfirm
      aaa group <rf-radius_group_name>
         radius dictionary <name>
         diameter authentication endpoint <s6b_cfg_name>
         diameter accounting endpoint <rf_cfg_name>
         radius attribute nas-ip-address address <ipv4_address>
      diameter authentication endpoint <s6b_cfg_name>
      diameter accounting endpoint <rf_cfg_name>
   context <pgw_context_name>
      lma-service <lma_service_name> -noconfirm
         bind address <s2a_ipv6_address>
• The no aaa accounting command is used to prevent duplicate accounting packets.
   context <pdn_context_name> -noconfirm
      interface <sgi_ipv4_interface_name>
         ip address <ipv4_address>
      interface <sgi_ipv6_interface_name>
         ipv6 address <address>
Step 1
Step 2
   context <pgw_context_name>
      pgw-service <pgw_service_name> -noconfirm
         associate lma-service <lma_service_name>
• QCI-QoS mapping configurations are created in the AAA context. Refer to the Configuring QCI-QoS Mapping section for more information.
• The fqdn host command configures a Fully Qualified Domain Name for the P-GW service used in messages between the P-GW and a 3GPP AAA server over the S6b interface.
   context <pgw_context_name>
   context <pdn_context_name> -noconfirm
      ip access-list <name>
         redirect css service <name> any
      ipv6 access-list <name>
         redirect css service <name> any
      ruledef <name>
         <rule_definition>
         <rule_definition>
      ruledef <name>
         <rule_definition>
         <rule_definition>
      charging-action <name>
         <action>
         <action>
      charging-action <name>
         <action>
         <action>
      rulebase <name>
         <rule_base>
         <rule_base>
Step 1
Step 2
   context <aaa_context_name> -noconfirm
      interface <s6b_interface_name>
         ip address <ipv4_address>
      interface <gx_interface_name>
         ipv6 address <address>
      interface <rf_interface_name>
         ip address <ipv4_address>
      interface <gy_interface_name>
         ipv6 address <address>
      ims-auth-service <gx_ims_service_name>
         p-cscf discovery table <#> algorithm round-robin
         diameter origin endpoint <gx_cfg_name>
         diameter host-select table <#> algorithm round-robin
      diameter endpoint <s6b_cfg_name>
         origin realm <realm_name>
         route-entry peer <s6b_cfg_name>
      diameter endpoint <gx_cfg_name>
         origin realm <realm_name>
         route-entry peer <gx_cfg_name>
      diameter endpoint <rf_cfg_name>
         origin realm <realm_name>
         route-entry peer <rf_cfg_name>
      diameter endpoint <gy_cfg_name>
         origin realm <realm_name>
         connection retry-timeout <seconds>
         route-entry peer <gy_cfg_name>
   port ethernet <slot_number/port_number>
   port ethernet <slot_number/port_number>
   port ethernet <slot_number/port_number>
   port ethernet <slot_number/port_number>
• The S6b interface IP address can also be specified as an IPv6 address using the ipv6 address command.
• The Gx interface IP address can also be specified as an IPv4 address using the ip address command.
• The Gy interface IP address can also be specified as an IPv4 address using the ip address command.
• The Rf interface IP address can also be specified as an IPv6 address using the ipv6 address command.
   qci-qos-mapping <name>
• The above configuration only shows one keyword example. Refer to the QCI - QOS Mapping Configuration Mode Commands chapter in the Command Line Interface Reference for more information on the qci command and other supported keywords.

Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.

Important: Use of the IP Security feature requires that a valid license key be installed. Contact your local Sales or Support representative for information on how to obtain a license.
   context <pgw_context_name> -noconfirm
      ip access-list <acl_name>
• The permit command in this example routes IPv4 traffic from the server with the specified source host IPv4 address to the server with the specified destination host IPv4 address.
   context <pgw_context_name> -noconfirm
      ipsec transform-set <ipsec_transform-set_name>
• The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IPSec transform sets configured on the system.
• The group none command specifies that no Diffie-Hellman group is negotiated for the child SA, so Perfect Forward Secrecy is disabled: child SA keys are derived solely from the IKE SA keying material, and compromise of the IKE SA exposes every child SA it created. This is the default setting for IPSec transform sets configured on the system.
• The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword selects HMAC-SHA-1 with a 160-bit key and truncates the 160-bit MAC to a 96-bit authenticator (RFC 2404). This is the default setting for IPSec transform sets configured on the system.
• The mode tunnel command specifies that the entire packet is to be encapsulated by the IPSec header including the IP header. This is the default setting for IPSec transform sets configured on the system.
   context <pgw_context_name> -noconfirm
      ikev2-ikesa transform-set <ikev2_transform-set_name>
         lifetime <sec>
• The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IKEv2 transform sets configured on the system.
• The group 2 command specifies Diffie-Hellman Group 2, the 1024-bit MODP group. The Diffie-Hellman group controls the strength of the key exchange; Group 2 is the weakest option still in common use and should be replaced by a 2048-bit or larger group where the peer supports it. This is the default setting for IKEv2 transform sets configured on the system.
• The hmac command configures the integrity algorithm for the IKE SA. The sha1-96 keyword selects HMAC-SHA-1 with a 160-bit key and truncates the 160-bit MAC to a 96-bit authenticator. This is the default setting for IKEv2 transform sets configured on the system.
• The lifetime command configures the time, in seconds, that the IKE SA and its keys are allowed to exist before rekeying.
• The prf command configures the IKE pseudo-random function, which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword selects HMAC-SHA-1, which produces a 160-bit output. This is the default setting for IKEv2 transform sets configured on the system.
   context <pgw_context_name>
      crypto map <crypto_map_name> ikev2-ipv4
         match address <acl_name>
         peer <ipv4_address>
         payload <name> match ipv4
            lifetime <seconds>
      interface <s5_intf_name>
         ip address <ipv4_address>
         crypto-map <crypto_map_name>
   port ethernet <slot_number/port_number>
• The ipsec transform-set list command specifies up to four IPSec transform sets.
   context <pgw_context_name> -noconfirm
      apn <name>
         timeout emergency-inactivity <seconds>
         p-cscf fqdn <fqdn>
• The timeout emergency-inactivity command specifies the timeout duration, in seconds, to check inactivity on the emergency session. <seconds> must be an integer value from 1 through 3600.
• The p-cscf fqdn command configures the P-CSCF FQDN server name for the APN. <fqdn> must be a string from 1 to 256 characters in length.

Important: Use of the IP Security feature requires that a valid license key be installed. Contact your local Sales or Support representative for information on how to obtain a license.
   context <pgw_context_name> -noconfirm
      ipsec transform-set <ipsec_transform-set_name>
• The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IPSec transform sets configured on the system.
• The group none command specifies that no Diffie-Hellman group is negotiated for the child SA, so Perfect Forward Secrecy is disabled: child SA keys are derived solely from the IKE SA keying material, and compromise of the IKE SA exposes every child SA it created. This is the default setting for IPSec transform sets configured on the system.
• The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword selects HMAC-SHA-1 with a 160-bit key and truncates the 160-bit MAC to a 96-bit authenticator (RFC 2404). This is the default setting for IPSec transform sets configured on the system.
• The mode tunnel command specifies that the entire packet is to be encapsulated by the IPSec header, including the IP header. This is the default setting for IPSec transform sets configured on the system.
   context <pgw_context_name> -noconfirm
      ikev2-ikesa transform-set <ikev2_transform-set_name>
         lifetime <sec>
• The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IKEv2 transform sets configured on the system.
• The group 2 command specifies Diffie-Hellman Group 2, the 1024-bit MODP group. The Diffie-Hellman group controls the strength of the key exchange; Group 2 is the weakest option still in common use and should be replaced by a 2048-bit or larger group where the peer supports it. This is the default setting for IKEv2 transform sets configured on the system.
• The hmac command configures the integrity algorithm for the IKE SA. The sha1-96 keyword selects HMAC-SHA-1 with a 160-bit key and truncates the 160-bit MAC to a 96-bit authenticator. This is the default setting for IKEv2 transform sets configured on the system.
• The lifetime command configures the time, in seconds, that the IKE SA and its keys are allowed to exist before rekeying.
• The prf command configures the IKE pseudo-random function, which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword selects HMAC-SHA-1, which produces a 160-bit output. This is the default setting for IKEv2 transform sets configured on the system.
   context <pgw_context_name> -noconfirm
      crypto template <crypto_template_name> ikev2-dynamic
         payload <name> match childsa match ipv4
• The ikev2-ikesa transform-set list command specifies up to six IKEv2 transform sets.
• The ipsec transform-set list command specifies up to four IPSec transform sets.
   context <pgw_ingress_context_name> -noconfirm
      gtpu-service <gtpu_ingress_service_name>
      egtp-service <egtp_ingress_service_name>
         associate gtpu-service <gtpu_ingress_service_name>
         gtpc bind ipv4-address <s5_interface_ip_address>
      pgw-service <pgw_service_name> -noconfirm
         associate egtp-service <egtp_ingress_service_name>
• The bind command in the GTP-U and eGTP service configuration can also be specified as an IPv6 address using the ipv6-address command.

Important: Local QoS Policy is a licensed feature and requires the purchase of the Local Policy Decision Engine feature license to enable it.
   local-policy-service <name> -noconfirm
      ruledef <ruledef_name> -noconfirm
      actiondef <actiondef_name> -noconfirm
         action priority <priority> <action_name> <arguments>
         action priority <priority> <action_name> <arguments>
      actiondef <actiondef_name> -noconfirm
         action priority <priority> <action_name> <arguments>
         action priority <priority> <action_name> <arguments>
      eventbase <eventbase_name> -noconfirm
• The condition command can be entered multiple times to configure multiple conditions for a ruledef. The conditions are examined in priority order until a match is found and the corresponding condition is applied.
• The action command can be entered multiple times to configure multiple actions for an actiondef. The actions are examined in priority order until a match is found and the corresponding action is applied.
• The rule command can be entered multiple times to configure multiple rules for an eventbase.
• Rules are executed in priority order, and if the rule is matched the action specified in the actiondef is executed. If an event qualifier is associated with a rule, the rule is matched only for that specific event. If a qualifier of continue is present at the end of the rule, the subsequent rules are also matched; otherwise, rule evaluation is terminated on first match.
   context <pgw_context_name> -noconfirm
      apn <name>
         ims-auth-service <local-policy-service name>

Important: Use of the IP Security feature requires that a valid license key be installed. Contact your local Sales or Support representative for information on how to obtain a license.
The following configuration example enables X.509 certificate-based peer authentication on the P-GW.
• The certificate name and ca-certificate list ca-cert-name commands specify the X.509 certificate and CA certificate to be used.
   context <pgw_context_name> -noconfirm
      crypto template <crypto_template_name> ikev2-dynamic
         certificate name <cert_name>
         ca-certificate list ca-cert-name <ca_cert_name>
• The certificate name and ca-certificate list ca-cert-name commands bind the certificate and CA certificate to the crypto template.
• The authentication local certificate and authentication remote certificate commands enable X.509 certificate-based peer authentication for the local and remote nodes.
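The following Python script is an added example written for this page; it is not Cisco code and not configuration from this guide. It reads ipsec transform-set, ikev2-ikesa transform-set and crypto template stanzas written in the one-command-per-line layout used by the examples above and reports what a security review of the documented defaults would flag: group none (no PFS for child SAs), Diffie-Hellman Group 2 (1024-bit MODP), weak encryption or integrity algorithms, and crypto templates that do not use certificate-based peer authentication for both the local and remote node. Because the guide states the defaults, the script applies them when a command is simply omitted, so a transform set that never mentions group is still reported. The sample configuration embedded in the script is constructed; the keywords in it that do not appear on this page (aes-cbc-256, group 14, 3des-cbc, md5-96, pre-shared-key) are assumptions about the CLI rather than values taken from the guide.

```python
"""Audit a StarOS-style IPsec/IKEv2 configuration for weak settings.

Added example, not Cisco code. Documented defaults are applied when a
transform set omits a command, so silent defaults are reported too.
"""
import re
from dataclasses import dataclass, field

# Constructed sample. Keywords not shown in the guide (aes-cbc-256, group 14,
# 3des-cbc, md5-96, pre-shared-key) are assumptions about the CLI.
SAMPLE_CONFIG = """\
context pgw
  ipsec transform-set ipsec-default
    encryption aes-cbc-128
    group none
    hmac sha1-96
    mode tunnel
  ipsec transform-set ipsec-implicit
    encryption aes-cbc-128
    hmac sha1-96
  ipsec transform-set ipsec-pfs
    encryption aes-cbc-256
    group 14
    hmac sha1-96
    mode tunnel
  ikev2-ikesa transform-set ike-default
    encryption aes-cbc-128
    group 2
    hmac sha1-96
    prf sha1
    lifetime 86400
  ikev2-ikesa transform-set ike-legacy
    encryption 3des-cbc
    hmac md5-96
  crypto template s5-tmpl ikev2-dynamic
    authentication local pre-shared-key key <redacted>
    ikev2-ikesa transform-set list ike-default
    payload s5 match childsa match ipv4
      ipsec transform-set list ipsec-default
  crypto template s2b-tmpl ikev2-dynamic
    certificate name pgw-cert
    ca-certificate list ca-cert-name operator-ca
    authentication local certificate
    authentication remote certificate
    ikev2-ikesa transform-set list ike-default
    payload s2b match childsa match ipv4
      ipsec transform-set list ipsec-pfs
"""

# Defaults as documented for the two transform-set types.
DEFAULTS = {
    "ipsec": {"encryption": "aes-cbc-128", "group": "none", "hmac": "sha1-96", "mode": "tunnel"},
    "ikesa": {"encryption": "aes-cbc-128", "group": "2", "hmac": "sha1-96", "prf": "sha1"},
}
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc", "null"}
WEAK_INTEGRITY = {"md5-96", "null"}
SMALL_DH_GROUPS = {"1", "2", "5"}  # 768/1024/1536-bit MODP, all below 2048 bits

STANZA = re.compile(r"^(ipsec transform-set|ikev2-ikesa transform-set|crypto template)\s+(\S+)")
KINDS = {"ipsec transform-set": "ipsec", "ikev2-ikesa transform-set": "ikesa", "crypto template": "template"}


@dataclass
class Stanza:
    kind: str
    name: str
    commands: list = field(default_factory=list)


def parse_config(text):
    """Group commands under the transform set or crypto template that owns them."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STANZA.match(line)
        # '... transform-set list X' inside a template is a reference, not a new stanza
        if m and m.group(2) != "list":
            current = Stanza(KINDS[m.group(1)], m.group(2))
            stanzas.append(current)
        elif line.startswith("context "):
            current = None
        elif current is not None:
            current.commands.append(line)
    return stanzas


def effective_settings(stanza):
    """Documented defaults overlaid with whatever the stanza sets explicitly."""
    settings = dict(DEFAULTS[stanza.kind])
    for cmd in stanza.commands:
        key, _, rest = cmd.partition(" ")
        settings[key] = rest
    return settings


def audit(stanzas):
    """Return (kind, name, issue) triples; an empty list means nothing weak was found."""
    findings = []
    for s in stanzas:
        if s.kind == "template":
            if not {"authentication local certificate", "authentication remote certificate"} <= set(s.commands):
                findings.append((s.kind, s.name, "no-cert-auth"))
            continue
        eff = effective_settings(s)
        if eff["encryption"] in WEAK_ENCRYPTION:
            findings.append((s.kind, s.name, "weak-encryption"))
        if eff["hmac"] in WEAK_INTEGRITY:
            findings.append((s.kind, s.name, "weak-integrity"))
        if s.kind == "ipsec" and eff["group"] == "none":
            findings.append((s.kind, s.name, "no-pfs"))  # child SA keys come from the IKE SA alone
        if eff["group"] in SMALL_DH_GROUPS:
            findings.append((s.kind, s.name, "small-dh-group"))
    return findings


def audit_text(text):
    return audit(parse_config(text))


if __name__ == "__main__":
    for kind, name, issue in audit_text(SAMPLE_CONFIG):
        print(f"{kind:8} {name:16} {issue}")
```

Run against a saved configuration file (for example the output of show configuration redirected to a file) by passing its contents to audit_text. The two template findings are the ones worth reading together with the transform-set results: a template that negotiates child SAs with group none relies entirely on the IKE SA, so the IKE SA's own DH group and authentication method decide the real strength of the tunnel.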
Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883