Important: Information about all commands in this chapter can be found in the Command Line Interface Reference.
This section provides a high-level series of steps and the associated configuration file examples for configuring the system to perform as an eGTP S-GW in a test environment. For a more robust configuration example, refer to the Sample Configuration Files appendix. Information provided in this section includes the following:
Step 2
Step 3
Step 4
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6

interface <lcl_cntxt_intrfc_name>
port ethernet <slot#/port#>
  bind interface <lcl_cntxt_intrfc_name> local

context <ingress_context_name> -noconfirm
  interface <s1u-s11_interface_name>
    ip address <ipv4_address_primary>
    ip address <ipv4_address_secondary>
• The S1-U/S11 interface IP address(es) can also be specified as IPv6 addresses using the ipv6 address command.

context <ingress_context_name>
  egtp-service <egtp_ingress_service_name> -noconfirm

context <egress_context_name> -noconfirm
  interface <s5s8_interface_name> tunnel
    ipv6 address <address>
    source interface <name>
    destination address <ipv4 or ipv6 address>
• Use the following configuration example to create an eGTP egress service in the S-GW egress context:

context <egress_context_name>
  egtp-service <egtp_egress_service_name> -noconfirm

context <ingress_context_name>
  sgw-service <sgw_service_name> -noconfirm
Step 1
Step 2
Step 3

context <sgw_ingress_context_name>
  gtpu-service <gtpu_ingress_service_name>
    bind ipv4-address <s1-u_s11_interface_ip_address>
  egtp-service <egtp_ingress_service_name>
    associate gtpu-service <gtpu_ingress_service_name>
    gtpc bind address <s1u-s11_interface_ip_address>

context <sgw_egress_context_name>
  gtpu-service <gtpu_egress_service_name>
    bind ipv4-address <s5s8_interface_ip_address>
  egtp-service <egtp_egress_service_name>
    associate gtpu-service <gtpu_egress_service_name>
    gtpc bind address <s5s8_interface_ip_address>
• The bind command in the GTP-U ingress and egress service configuration can also be specified as an IPv6 address using the ipv6-address command.

context <ingress_context_name>
  sgw-service <sgw_service_name> -noconfirm
    associate ingress egtp-service <egtp_ingress_service_name>
    associate egress-proto gtp egress-context <egress_context_name>
    qci-qos-mapping <map_name>

context <egress_context_name>

Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.

context <ingress_context_name>
  gtpp charging-agent address <gz_ipv4_address>
  gtpp echo-interval <seconds>
  gtpp dictionary <name>
  policy accounting <gz_policy_name>
    operator-string <string>
  sgw-service <sgw_service_name>
    accounting context <ingress_context_name> gtpp group default
    associate accounting-policy <gz_policy_name>

context <ingress_context_name>
  interface <gz_interface_name>
    ip address <address>
  port ethernet <slot_number/port_number>
• gtpp single-source is enabled to allow the system to generate requests to the accounting server using a single UDP port (by way of an AAA proxy function) rather than each AAA manager generating requests on unique UDP ports.
• gtpp is the default option for the accounting mode command.
• accounting-level types are: flow, PDN, PDN-QCI, QCI, and subscriber. Refer to the Accounting Profile Configuration Mode Commands chapter in the Command Line Interface Reference for more information on this command.

operator-policy name <policy_name>
  associate call-control-profile <call_cntrl_profile_name>
call-control-profile <call_cntrl_profile_name>
subscriber-map <map_name>

context <ingress_context_name>
  policy accounting <rf_policy_name>
    operator-string <string>
  sgw-service <sgw_service_name>
    associate accounting-policy <rf_policy_name>
    associate subscriber-map <map_name>
  aaa group <rf-radius_group_name>
    radius dictionary <name>
    diameter accounting endpoint <rf_cfg_name>
  diameter endpoint <rf_cfg_name>
    origin realm <realm_name>
    route-entry peer <rf_cfg_name>

context <ingress_context_name>
  interface <rf_interface_name>
    ip address <rf_ipv4_address>
  port ethernet <slot_number/port_number>
• accounting-level types are: flow, PDN, PDN-QCI, QCI, and subscriber. Refer to the Accounting Profile Configuration Mode Commands chapter in the Command Line Interface Reference for more information on this command.
• The Rf interface IP address can also be specified as an IPv6 address using the ipv6 address command.

apn-profile <apn_profile_name>
  qos rate-limit downlink non-gbr-qci committed-auto-readjust duration <seconds> exceed-action {action} violate-action {action}
  qos rate-limit uplink non-gbr-qci committed-auto-readjust duration <seconds> exceed-action {action} violate-action {action}
operator-policy name <policy_name>
  apn default-apn-profile <apn_profile_name>
subscriber-map <map_name>

sgw-service <sgw_service_name>
  associate subscriber-map <map_name>
• For the qos rate-limit command, the actions supported for violate-action and exceed-action are: drop, lower-ip-precedence, and transmit.

Important: Use of the IP Security feature requires that a valid license key be installed. Contact your local Sales or Support representative for information on how to obtain a license.
The following configuration example enables X.509 certificate-based peer authentication on the S-GW.
• The certificate name and ca-certificate list ca-cert-name commands specify the X.509 certificate and CA certificate to be used.

context <sgw_context_name>
  crypto template <crypto_template_name> ikev2-dynamic
    certificate name <cert_name>
    ca-certificate list ca-cert-name <ca_cert_name>
• The certificate name and ca-certificate list ca-cert-name commands bind the certificate and CA certificate to the crypto template.
• The authentication local certificate and authentication remote certificate commands enable X.509 certificate-based peer authentication for the local and remote nodes.

Important: Use of the IP Security feature requires that a valid license key be installed. Contact your local Sales or Support representative for information on how to obtain a license.
context <sgw_context_name>
  ipsec transform-set <ipsec_transform-set_name>
• The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IPSec transform sets configured on the system.
• The group none command specifies that no crypto strength is included and that Perfect Forward Secrecy is disabled. This is the default setting for IPSec transform sets configured on the system.
• The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IPSec transform sets configured on the system.
• The mode tunnel command specifies that the entire packet is to be encapsulated by the IPSec header, including the IP header. This is the default setting for IPSec transform sets configured on the system.

context <sgw_context_name>
  ikev2-ikesa transform-set <ikev2_transform-set_name>
    lifetime <sec>
• The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IKEv2 transform sets configured on the system.
• The group 2 command specifies the Diffie-Hellman algorithm as Group 2, indicating medium security. The Diffie-Hellman algorithm controls the strength of the crypto exponentials. This is the default setting for IKEv2 transform sets configured on the system.
• The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
• The lifetime command configures the time the security key is allowed to exist, in seconds.
• The prf command configures the IKE Pseudo-random Function, which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.

context <sgw_context_name>
  crypto template <crypto_template_name> ikev2-dynamic
    payload <name> match childsa match ipv4
• The ikev2-ikesa transform-set list command specifies up to six IKEv2 transform sets.
• The ipsec transform-set list command specifies up to four IPSec transform sets.

context <sgw_ingress_context_name>
  gtpu-service <gtpu_ingress_service_name>
  egtp-service <egtp_ingress_service_name>
    associate gtpu-service <gtpu_ingress_service_name>
    gtpc bind address <s1u_interface_ip_address>

context <sgw_egress_context_name>
  gtpu-service <gtpu_egress_service_name>
  egtp-service <egtp_egress_service_name>
    associate gtpu-service <gtpu_egress_service_name>
    gtpc bind address <s5_interface_ip_address>

context <sgw_ingress_context_name>
  sgw-service <sgw_service_name> -noconfirm
    egtp-service ingress service <egtp_ingress_service_name>
    egtp-service egress context <sgw_egress_context_name>
• The bind command in the GTP-U ingress and egress service configuration can also be specified as an IPv6 address using the ipv6-address command.

Important: Use of the IP Security feature requires that a valid license key be installed. Contact your local Sales or Support representative for information on how to obtain a license.
context <sgw_context_name>
  ip access-list <acl_name>
• The permit command in this example routes IPv4 traffic from the server with the specified source host IPv4 address to the server with the specified destination host IPv4 address.

context <sgw_context_name>
  ipsec transform-set <ipsec_transform-set_name>
• The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IPSec transform sets configured on the system.
• The group none command specifies that no crypto strength is included and that Perfect Forward Secrecy is disabled. This is the default setting for IPSec transform sets configured on the system.
• The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IPSec transform sets configured on the system.
• The mode tunnel command specifies that the entire packet is to be encapsulated by the IPSec header, including the IP header. This is the default setting for IPSec transform sets configured on the system.

context <sgw_context_name>
  ikev2-ikesa transform-set <ikev2_transform-set_name>
    lifetime <sec>
• The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IKEv2 transform sets configured on the system.
• The group 2 command specifies the Diffie-Hellman algorithm as Group 2, indicating medium security. The Diffie-Hellman algorithm controls the strength of the crypto exponentials. This is the default setting for IKEv2 transform sets configured on the system.
• The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
• The lifetime command configures the time the security key is allowed to exist, in seconds.
• The prf command configures the IKE Pseudo-random Function, which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.

context <sgw_ingress_context_name>
  crypto map <crypto_map_name> ikev2-ipv4
    match address <acl_name>
    peer <ipv4_address>
    payload <name> match ipv4
      lifetime <seconds>
  interface <s1-u_intf_name>
    ip address <ipv4_address>
    crypto-map <crypto_map_name>
  port ethernet <slot_number/port_number>
• The ipsec transform-set list command specifies up to four IPSec transform sets.

context <sgw_egress_context_name>
  crypto map <crypto_map_name> ikev2-ipv4
    match address <acl_name>
    peer <ipv4_address>
    payload <name> match ipv4
      lifetime <seconds>
  interface <s5_intf_name>
    ip address <ipv4_address>
    crypto map <crypto_map_name>
  port ethernet <slot_number/port_number>
• The ipsec transform-set list command specifies up to four IPSec transform sets.

context <ingress_context_name> -noconfirm
  interface <s4_interface_name>
    ip address <ipv4_address_primary>
    ip address <ipv4_address_secondary>

context <ingress_context_name> -noconfirm
  gtpu-service <s4_gtpu_ingress_service_name>
    bind ipv4-address <s4_interface_ip_address>
  egtp-service <s4_egtp_ingress_service_name>
    associate gtpu-service <s4_gtpu_ingress_service_name>
    gtpc bind address <s4_interface_ip_address>
  sgw-service <sgw_service_name> -noconfirm
    associate ingress egtp-service <s4_egtp_ingress_service_name>
• The S4 interface IP address(es) can also be specified as IPv6 addresses using the ipv6 address command.
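The service associations repeated throughout this chapter (a GTP-U service bound to an interface address, an eGTP service that associates it and binds GTP-C to the same address, an S-GW service that associates the ingress eGTP service, and the same pattern again for S4) and the transform-set defaults described in the IP Security sections are easy to get subtly wrong across several contexts. The following Python linter is an added example, not Cisco tooling: it parses a one-command-per-line snippet using an assumed subset of block-opening commands, checks that each association names a service that exists in the same context, flags a GTP-C bind address that differs from the GTP-U bind, and reports transform sets left at the defaults this chapter describes (group none, group 2, SHA-1 based hmac and prf). The sample configuration it runs on is constructed for this example.

```python
"""Lint a StarOS-style S-GW configuration snippet (one command per line).

Added example, not Cisco tooling. Only the block-opening commands in
BLOCK_KINDS are understood (an assumption that keeps the parser small);
every other command is attached to the enclosing block.
"""

BLOCK_KINDS = (
    "ipsec transform-set", "ikev2-ikesa transform-set",
    "gtpu-service", "egtp-service", "sgw-service", "interface",
)

# Constructed sample: one mistyped association, one GTP-C/GTP-U address
# mismatch, and transform sets left at the defaults the guide describes.
SAMPLE = """
context sgw_in
  gtpu-service gtpu_in
    bind ipv4-address 10.10.1.5
  egtp-service egtp_in
    associate gtpu-service gtpu_in
    gtpc bind address 10.10.1.5
  sgw-service sgw1 -noconfirm
    associate ingress egtp-service egtp_ingress
    associate egress-proto gtp egress-context sgw_out
context sgw_out
  gtpu-service gtpu_out
    bind ipv4-address 10.10.2.5
  egtp-service egtp_out
    associate gtpu-service gtpu_out
    gtpc bind address 10.10.2.9
context sgw_ipsec
  ipsec transform-set esp_set
    hmac sha1-96
  ikev2-ikesa transform-set ike_set
    group 2
    prf sha1
"""


def parse_snippet(text):
    """Return blocks as dicts {context, kind, name, cmds} in file order."""
    blocks, context, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip().replace(" -noconfirm", "")
        if not line:
            continue
        if line.startswith("context "):
            context, current = line.split()[1], None
            continue
        kind = next((k for k in BLOCK_KINDS if line.startswith(k + " ")), None)
        if kind:
            current = {"context": context, "kind": kind,
                       "name": line[len(kind):].split()[0], "cmds": []}
            blocks.append(current)
        elif current is not None:
            current["cmds"].append(line)
    return blocks


def arg_of(block, prefix):
    """Text after `prefix` in the first command that starts with it, else None."""
    for cmd in block["cmds"]:
        if cmd == prefix or cmd.startswith(prefix + " "):
            return cmd[len(prefix):].strip()
    return None


def lint(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    blocks = parse_snippet(text)
    findings = []

    def find(ctx, kind, name):
        return next((b for b in blocks if b["context"] == ctx
                     and b["kind"] == kind and b["name"] == name), None)

    for b in blocks:
        ctx, kind = b["context"], b["kind"]
        where = f"{kind} {b['name']} in context {ctx}"
        if kind == "egtp-service":
            # The guide pairs each eGTP service with a GTP-U service in the same
            # context and binds GTP-C to the same interface address.
            gtpu = arg_of(b, "associate gtpu-service")
            gtpu_block = find(ctx, "gtpu-service", gtpu) if gtpu else None
            if gtpu and gtpu_block is None:
                findings.append(f"{where}: associates missing gtpu-service {gtpu}")
            gtpc = arg_of(b, "gtpc bind address")
            bound = arg_of(gtpu_block, "bind ipv4-address") if gtpu_block else None
            if gtpc and bound and gtpc != bound:
                findings.append(f"{where}: gtpc bind address {gtpc} "
                                f"differs from GTP-U bind {bound}")
        elif kind == "sgw-service":
            ingress = arg_of(b, "associate ingress egtp-service")
            if ingress and find(ctx, "egtp-service", ingress) is None:
                findings.append(f"{where}: associates missing egtp-service {ingress}")
        elif kind == "ipsec transform-set":
            # Per the guide, group none (the default) disables Perfect Forward Secrecy.
            if arg_of(b, "group") in (None, "none"):
                findings.append(f"{where}: PFS disabled (group none)")
        elif kind == "ikev2-ikesa transform-set":
            # Per the guide, group 2 (the default) is rated medium security.
            if arg_of(b, "group") in (None, "2"):
                findings.append(f"{where}: Diffie-Hellman group 2 (medium security)")
        if kind.endswith("transform-set"):
            for key in ("hmac", "prf"):
                val = arg_of(b, key)
                if val and val.startswith("sha1"):
                    findings.append(f"{where}: {key} {val} is SHA-1 based")
    return findings
```

Calling `lint(SAMPLE)` returns six findings: the mistyped `egtp_ingress` association, the `10.10.2.9` versus `10.10.2.5` bind mismatch in the egress context, and four transform-set findings. An absent `group` line is treated as the default the chapter states for that transform-set type, which is why `esp_set` is reported as having PFS disabled even though it never mentions `group`.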
Cisco Systems Inc. Tel: 408-526-4000 Fax: 408-527-0883