Important: Once the trace is provisioned, it can be propagated through the access cloud via various signaling interfaces.
Important: This section provides the minimum instruction set to enable the Subscriber Session Trace functionality to collect session traces on network elements in EPC networks. Commands that configure additional functions for this feature are provided in the Command Line Interface Reference.
These instructions assume that you have already configured the system level configuration as described in the System Administration Guide and specific product Administration Guide.
Step 1 Enable the subscriber session trace functionality with NE interface and TCE address at the Exec Mode level on an EPC network element by applying the example configurations presented in the Enabling Subscriber Session Trace on EPC Network Element section.
Step 2 Configure the network and trace file transportation parameters by applying the example configurations presented in the Trace File Collection Configuration section.
Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
Step 4 Verify the configuration of Subscriber Session Trace related parameters by applying the commands provided in the Verifying Your Configuration section of this chapter.
Enabling Subscriber Session Trace on EPC Network Element
session trace subscriber network-element { ggsn | mme | pgw | sgw } { imei <imei_id> } { imsi <imsi_id> } { interface { all | <interface> } } trace-ref <trace_ref_id> collection-entity <ip_address>
• <interface> is the name of the interfaces applicable for specific NE on which subscriber session traces have to be collected. For more information, refer to the session trace subscriber command in the Command Line Interface Reference.
• <trace_ref_id> is the configured Trace Id to be used for this trace collection instance. It is composed of MCC (3 digit)+MNC (3 digit)+Trace Id (3 byte octet string).
• <ip_address> is the IP address of the Trace Collection Entity in IPv4 notation.
Trace File Collection Configuration
session trace subscriber network-element { all | ggsn | mme | pgw | sgw } [ collection-timer <dur> ] [ tce-mode { none | push transport { ftp | sftp } path <string> username <name> { encrypted password <enc_pw> | password <password> } } ]
• <string> is the location/path on the trace collection entity (TCE) where the trace files will be stored. For more information, refer to the session trace command in the Command Line Interface Reference.
Verifying Your Configuration
This section explains how to display and review the configurations after saving them in a .cfg file as described in the System Administration Guide, and also how to retrieve errors and warnings within an active configuration for a service.
Important: All commands listed here are under Exec mode. Not all commands are available on all platforms.
Appendix A
Direct Tunnel
Important: Direct tunnel is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
The direct tunnel architecture allows the establishment of a direct user plane (GTP-U) tunnel between the radio access network equipment (RNC) and the GGSN/P-GW. Once a direct tunnel is established, the SGSN/S-GW continues to handle the control plane (RANAP/GTP-C) signaling and retains the responsibility of making the decision to establish direct tunnel at PDN context activation.
• 3G network: The SGSN establishes a user plane (GTP-U) tunnel directly between the RNC and the GGSN, using an Update PDN Context Request toward the GGSN.
• LTE network: When Gn/Gp interworking with pre-release 8 (3GPP) SGSNs is enabled, the GGSN service on the P-GW supports direct tunnel functionality. The SGSN establishes a user plane (GTP-U) tunnel directly between the RNC and the GGSN/P-GW, using an Update PDN Context Request toward the GGSN/P-GW.
• LTE network: The SGSN establishes a user plane tunnel (GTP-U tunnel over an S12 interface) directly between the RNC and the S-GW, using an Update PDN Context Request toward the S-GW.
• disallowed on the SGSN/S-GW
• allowed on the GGSN/P-GW.
For more information about operator policies and configuration details, refer to the Operator Policy chapter also in this guide.
Important: If direct tunnel is allowed in the default operator policy, then any incoming call that does not have an applicable operator policy configured will have direct tunnel allowed.
Before beginning any of the following procedures, you must have completed (1) the basic service configuration for the SGSN, as described in the Cisco ASR Serving GPRS Support Node Administration Guide, and (2) the creation and configuration of a valid operator policy, as described in the Operator Policy chapter in this guide.
Step 1 Configure the SGSN to setup GTP-U direct tunnel between an RNC and an access gateway by applying the example configuration presented in the Enabling Setup of GTP-U Direct Tunnels section below.
Step 2 Configure the SGSN to allow GTP-U direct tunnels to an access gateway, for a call filtered on the basis of the APN, by applying the example configuration presented in the Enabling Direct Tunnel per APN section below.
Important: It is only necessary to complete either step 2 or step 3, as a direct tunnel cannot be set up on the basis of call filtering matched with both an APN profile and an IMEI profile.
Step 3 Configure the SGSN to allow GTP-U direct tunnels to a GGSN, for a call filtered on the basis of the IMEI, by applying the example configuration presented in the Enabling Direct Tunnel per IMEI section below.
Step 4 Configure the SGSN to allow GTP-U direct tunnel setup from a specific RNC by applying the example configuration presented in the Enabling Direct Tunnel to Specific RNCs section below.
Step 5 (Optional) Configure the SGSN to disallow direct tunnel setup to a single GGSN that has been configured to allow it in the APN profile. This command allows the operator to restrict use of a GGSN for any reason, such as load balancing. Refer to the direct-tunnel-disabled-ggsn command in the SGTP Service Configuration Mode chapter of the Command Line Interface Reference.
Step 6 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
Step 7 Check that your configuration changes have been saved by using the sample configuration found in the Verifying the SGSN Direct Tunnel Configuration section in this chapter.
Enabling Setup of GTP-U Direct Tunnels
call-control-profile <policy_name>
• By default, APN-based direct tunnel functionality is allowed, so any existing direct tunnel configuration must be removed to return to the default and to ensure that the setup has not been restricted.
Enabling Direct Tunnel per APN
apn-profile <profile_name>
• By default, direct tunnel functionality is enabled for all RNCs.
Enabling Direct Tunnel per IMEI
imei-profile <profile_name>
• By default, direct tunnel functionality is enabled for all RNCs.
Enabling Direct Tunnel to Specific RNCs
context <ctx_name>
   iups-service <service_name>
      rnc id <rnc_id>
• Command details for configuration can be found in the Command Line Interface Reference.
Verifying the SGSN Direct Tunnel Configuration
show operator-policy full name <policy_name>
Operator Policy Name = oppolicy1
Call Control Profile Name : ccprofile1
IMEI Profile Name : imeiprofile1
APN Profile Name : apnprofile1
APN NI visitors2
APN Profile Name : apnprofile2
• The operator policy itself will only be valid if one or more IMSI ranges have been associated with it - refer to the Operator Policy chapter, in this guide, for details.
show call-control-profile full name <profile_name>
Call Control Profile Name = ccprofile1
show apn-profile full name <profile_name>
Call Control Profile Name = apnprofile1
Use the following command to display and verify the direct tunnel configuration in the IMEI profile:
show imei-profile full name <profile_name>
IMEI Profile Name = imeiprofile1
show iups-service name <service_name>
context <egress_context_name> -noconfirm
   interface <s12_interface_name>
      ip address <s12_ipv4_address_primary>
      ip address <s12_ipv4_address_secondary>
context <egress_context_name> -noconfirm
   gtpu-service <s12_gtpu_egress_service_name>
      bind ipv4-address <s12_interface_ip_address>
   egtp-service <s12_egtp_egress_service_name>
      associate gtpu-service <s12_gtpu_egress_service_name>
      gtpc bind address <s12_interface_ip_address>
   sgw-service <sgw_service_name> -noconfirm
      associate egress-proto gtp egress-context <egress_context_name> egtp-service <s12_egtp_egress_service_name>
• The S12 interface IP address(es) can also be specified as IPv6 addresses using the ipv6 address command.
Appendix B
IP Security
Important: IP Security is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
Caution: IPSec parameter configurations saved using this release may not function properly with older software releases.
• PDN Access: Subscriber IP traffic is routed over an IPSec tunnel from the system to a secure gateway on the packet data network (PDN) as determined by access control list (ACL) criteria. This application can be implemented for both core network service and HA-based systems. The following figure shows IPSec configurations.
• Mobile IP: Mobile IP control signals and subscriber data are encapsulated in IPSec tunnels that are established between foreign agents (FAs) and home agents (HAs) over the Pi interfaces.
Important: Once an IPSec tunnel is established between an FA and HA for a particular subscriber, all new Mobile IP sessions using the same FA and HA are passed over the tunnel regardless of whether or not IPSec is supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected.
• L2TP: L2TP-encapsulated packets are routed from the system to an LNS/secure gateway over an IPSec tunnel.
As described in the IP Access Control Lists chapter of this guide, ACLs on the system define rules, usually permissions, for handling subscriber data packets that meet certain criteria. Crypto ACLs, however, define the criteria that must be met in order for a subscriber data packet to be routed over an IPSec tunnel.
Important: Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only be configured and used for testing purposes.
Important: These instructions assume that the system was previously configured to support subscriber data sessions either as a core service or an HA. In addition, parameters configured using this procedure must be configured in the same destination context on the system.
Step 1 Configure one or more IP access control lists (ACLs) according to the information and instructions located in IP Access Control Lists chapter of this guide.
Step 2
Step 3
Step 4
Step 5
Step 6 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
The FA determines the appropriate crypto map to use for IPSec protection based on the HA address attribute. It does this by comparing the address received to those configured using the isakmp peer-ha command. From the crypto map, the system determines the following:
• The HA determines the appropriate crypto map to use for IPSec protection based on the FA's address. It does this by comparing the address received to those configured using the isakmp peer-fa command. From the crypto map, the system determines the following:
Important: Once an IPSec tunnel is established between an FA and HA for a particular subscriber, all new Mobile IP sessions using the same FA and HA are passed over the tunnel regardless of whether or not IPSec is supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected.
Important: These instructions assume that the systems were previously configured to support subscriber data sessions either as an FA or an HA.
Step 1
Step 2
Step 3
Step 4
Important: Though the use of DPD is optional, it is recommended in order to ensure service availability.
Step 5
Step 6
Step 7
Step 8
Step 9
Important: Though the use of DPD is optional, it is recommended in order to ensure service availability.
Step 11
Step 12 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
Important: These instructions assume that the system was previously configured to support subscriber data sessions and L2TP tunneling either as a PDSN or an HA. In addition, with the exception of subscriber attributes, all other parameters configured using this procedure must be configured in the same destination context on the system as the LAC service.
Step 1
Step 2
Step 3
Step 4
Step 5 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
Important: These instructions assume that the system was previously configured to support PDSN compulsory tunneling subscriber data sessions. In addition, all parameters configured using this procedure must be configured in the same destination context on the system as the LAC service.
Step 1
Step 2
Step 3
Step 4
Step 5 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
Important: These instructions assume that the system was previously configured to support subscriber PDP contexts and L2TP tunneling as a GGSN. In addition, all parameters configured using this procedure must be configured in the same destination context on the system as the LAC service.
Step 1
Step 2
Step 3
Step 4
Step 5 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
Important: This section provides the minimum instruction set for configuring a transform set on your system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Transform Configuration Mode chapters in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
crypto ipsec transform-set <transform_name> ah hmac { md5-96 | none | sha1-96 } esp hmac { { md5-96 | none | sha1-96 } { cipher { des-cbc | 3des-cbc | aes-cbc } | none } }
• <ctxt_name> is the system context in which you wish to create and configure the crypto transform set(s).
• <transform_name> is the name of the crypto transform set in the current context that you want to configure for IPSec configuration.
• For more information on parameters, refer to the IPSec Transform Configuration Mode Commands chapter in the Command Line Interface Reference.
show crypto transform-set transform_name
Important: This section provides the minimum instruction set for configuring ISAKMP policies on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and ISAKMP Configuration Mode Commands chapters in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
• <ctxt_name> is the system context in which you wish to create and configure the ISAKMP policy.
• <priority> dictates the order in which the ISAKMP policies are proposed when negotiating IKE SAs.
• For more information on parameters, refer to the ISAKMP Configuration Mode Commands chapter in the Command Line Interface Reference.
Caution: Modification(s) to an existing ISAKMP policy configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
Important: This section provides the minimum instruction set for configuring ISAKMP crypto maps on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Map ISAKMP Configuration Mode chapters in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
• <ctxt_name> is the system context in which you wish to create and configure the ISAKMP crypto maps.
• <map_name> is the name by which the ISAKMP crypto map will be recognized by the system.
• <acl_name> is the name of the pre-configured ACL. It is used for configurations not implementing the IPSec Tunnel Failover feature and matches the crypto map to a previously defined crypto ACL. This is an optional parameter.
• <group_name> is the name of the Crypto group configured in the same context. It is used for configurations using the IPSec Tunnel Failover feature. This is an optional parameter. For more information, refer to the Redundant IPSec Tunnel Fail-Over section of this chapter.
• For more information on parameters, refer to the Crypto Map ISAKMP Configuration Mode Commands chapter in the Command Line Interface Reference.
show crypto map [ tag map_name | type ipsec-isakmp ]
Caution: Modification(s) to an existing ISAKMP crypto map configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
Important: This section provides the minimum instruction set for configuring dynamic crypto maps on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Map Dynamic Configuration Mode chapters in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
• <ctxt_name> is the system context in which you wish to create and configure the dynamic crypto maps.
• <map_name> is the name by which the dynamic crypto map will be recognized by the system.
• For more information on parameters, refer to the Crypto Map Dynamic Configuration Mode Commands chapter in the Command Line Interface Reference.
show crypto map [ tag map_name | type ipsec-dynamic ]
Caution: Modification(s) to an existing dynamic crypto map configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
Important: Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only be configured and used for testing purposes.
Important: This section provides the minimum instruction set for configuring manual crypto maps on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Map Manual Configuration Mode chapters in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
set session-key { inbound | outbound } { ah <ah_spi> [ encrypted ] key <ah_key> | esp <esp_spi> [ encrypted ] cipher <encryption_key> [ encrypted ] authenticator <auth_key> }
• <ctxt_name> is the system context in which you wish to create and configure the manual crypto maps.
• <map_name> is the name by which the manual crypto map will be recognized by the system.
• <acl_name> is the name of the pre-configured ACL. It is used for configurations not implementing the IPSec Tunnel Failover feature and matches the crypto map to a previously defined crypto ACL. This is an optional parameter.
• <group_name> is the name of the Crypto group configured in the same context. It is used for configurations using the IPSec Tunnel Failover feature. This is an optional parameter.
• For more information on parameters, refer to the Crypto Map Manual Configuration Mode Commands chapter in the Command Line Interface Reference.
show crypto map [ tag map_name | type ipsec-manual ]
Caution: Modification(s) to an existing manual crypto map configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
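The weak settings this chapter warns about (trace files pushed over ftp instead of sftp, transform sets built on des-cbc or md5-96 or with no cipher or no integrity algorithm, and manual crypto maps with static keys) can be checked mechanically before a configuration is saved. The following Python script is an added example, not Cisco code; the configuration lines it parses are constructed from the command syntax shown in this chapter, and the position of the ipsec-manual keyword on the crypto map line is an assumption.

```python
"""Static review of StarOS-style configuration text for the weak settings
discussed in this chapter.  Added example, not Cisco's code.  The sample
config below is constructed from the command syntax shown in the chapter."""
import re
from dataclasses import dataclass
from typing import List, Optional

WEAK_HMAC = {"md5-96"}      # truncated HMAC-MD5: deprecated, flagged by policy
WEAK_CIPHER = {"des-cbc"}   # 56-bit single DES

# 'crypto map <name> ipsec-manual' is assumed to be the map-creation form; the
# ipsec-manual / ipsec-isakmp / ipsec-dynamic tokens appear in the show commands above.
MANUAL_MAP = re.compile(r"^\s*crypto map (\S+) ipsec-manual\b")
TRANSFORM = re.compile(
    r"^\s*crypto ipsec transform-set (\S+) ah hmac (\S+) esp hmac (\S+)(?: cipher (\S+))?"
)
TRACE_PUSH = re.compile(
    r"^\s*session trace subscriber network-element .*tce-mode push transport (\S+)"
)


@dataclass(frozen=True)
class Finding:
    line: int
    severity: str
    message: str


def check_transform_set(line_no: int, name: str, ah: str, esp_hmac: str,
                        cipher: Optional[str]) -> List[Finding]:
    """Apply the transform-set rules to one parsed 'crypto ipsec transform-set' line."""
    out = []
    if ah in WEAK_HMAC or esp_hmac in WEAK_HMAC:
        out.append(Finding(line_no, "medium", f"transform-set {name}: uses md5-96 integrity"))
    if cipher in WEAK_CIPHER:
        out.append(Finding(line_no, "high", f"transform-set {name}: uses single-DES (des-cbc)"))
    if cipher is None:
        # 'esp hmac <h> none': ESP with NULL encryption, payload is not confidential
        out.append(Finding(line_no, "high", f"transform-set {name}: ESP with no cipher, traffic is not encrypted"))
    elif esp_hmac == "none" and ah == "none":
        out.append(Finding(line_no, "high", f"transform-set {name}: encryption without any integrity protection"))
    return out


def lint_config(text: str) -> List[Finding]:
    """Scan configuration text line by line and return all findings in file order."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = TRACE_PUSH.match(line)
        if m and m.group(1) == "ftp":
            findings.append(Finding(n, "high",
                "session trace push uses ftp: trace files (which carry IMSI/IMEI) and the "
                "TCE credentials travel in cleartext; use sftp"))
        m = TRANSFORM.match(line)
        if m:
            findings.extend(check_transform_set(n, *m.groups()))
        m = MANUAL_MAP.match(line)
        if m:
            findings.append(Finding(n, "medium",
                f"crypto map {m.group(1)} is ipsec-manual: static session keys, test use only"))
    return findings


# Constructed sample configuration (not from a real system).
SAMPLE_CONFIG = """\
session trace subscriber network-element all collection-timer 30 tce-mode push transport ftp path /traces username tce password s3cret
crypto ipsec transform-set legacy-ts ah hmac md5-96 esp hmac none cipher des-cbc
crypto ipsec transform-set plain-ts ah hmac none esp hmac sha1-96 none
crypto ipsec transform-set good-ts ah hmac none esp hmac sha1-96 cipher aes-cbc
crypto map lab-map ipsec-manual
crypto map prod-map ipsec-isakmp
"""

if __name__ == "__main__":
    for f in lint_config(SAMPLE_CONFIG):
        print(f"line {f.line} [{f.severity}] {f.message}")
```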
Important: This section provides the minimum instruction set for applying manual or ISAKMP crypto maps to an interface on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Step 2
Step 3
Step 4 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
• <ctxt_name> is the system context in which the interface is configured to apply crypto map.
• <interface_name> is the name of a specific interface configured in the context to which the crypto map will be applied.
• <map_name> is the name of the preconfigured ISAKMP or manual crypto map.
interface 20/6
Important: This section provides the minimum instruction set for configuring an FA service to support IPSec on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
• <ctxt_name> is the system context in which the FA service is configured to support IPSec.
• <fa_svc_name> is the name of the FA service for which you are configuring IPSec.
• <ha_address> is the IP address of the HA service with which the FA service will communicate over IPSec.
• <map_name> is the name of the preconfigured ISAKMP or manual crypto map.
Important: This section provides the minimum instruction set for configuring an HA service to support IPSec on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
• <ctxt_name> is the system context in which the HA service is configured to support IPSec.
• <ha_svc_name> is the name of the HA service for which you are configuring IPSec.
• <fa_address> is the IP address of the FA service with which the HA service will communicate over IPSec.
• <aaa_ctxt_name> is the name of the context through which the HA service accesses the HAAA server to fetch the IKE S Key and S Lifetime parameters.
• <map_name> is the name of the preconfigured ISAKMP or manual crypto map.
As described in the How the IPSec-based Mobile IP Configuration Works section of this chapter, the system uses attributes stored in a subscriber's RADIUS profile to determine how IPSec should be implemented.
3 : Enables IPSec for tunnels and registration messages
4 : Disables IPSec
Important: These instructions are required for compulsory tunneling. They should only be performed for attribute-based tunneling if the Tunnel-Service-Endpoint, the SN1-Tunnel-ISAKMP-Crypto-Map, or the SN1-Tunnel-ISAKMP-Secret are not configured in the subscriber profile.
Important: This section provides the minimum instruction set for configuring an LAC service to support IPSec on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
peer-lns <ip_address> [ encrypted ] secret <secret> [ crypto-map <map_name> { [ encrypted ] isakmp-secret <secret> } ] [ description <text> ] [ preference <integer> ]
• <ctxt_name> is the destination context where the LAC service is configured to support IPSec.
• <lac_svc_name> is the name of the LAC service for which you are configuring IPSec.
• <lns_address> is the IP address of the LNS node with which the LAC service will communicate over IPSec.
• <aaa_ctxt_name> is the name of the context through which the HA service accesses the HAAA server to fetch the IKE S Key and S Lifetime parameters.
• <map_name> is the name of the preconfigured ISAKMP or manual crypto map.
In addition to the subscriber profile attributes listed in the RADIUS and Subscriber Profile Attributes Used section of the L2TP Access Concentrator chapter in this guide, the table below lists the attributes required to support IPSec for use with attribute-based L2TP tunneling.
This section provides the minimum instruction set for configuring an L2TP service on the PDSN system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Step 2
Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
context <ctxt_name>
   pdsn-service <pdsn_svc_name>
      ppp tunnel-context <lac_ctxt_name>
• <ctxt_name> is the destination context where the PDSN service is configured.
• <pdsn_svc_name> is the name of the PDSN service for which you are configuring attribute-based L2TP tunneling.
• <lac_ctxt_name> is the name of the destination context where the LAC service is located.
context <ctxt_name>
• <ctxt_name> is the destination context where the PDSN service is configured.
• <pdsn_svc_name> is the name of the PDSN service for which you are configuring attribute-based L2TP tunneling.
• <lac_ctxt_name> is the name of the destination context where the LAC service is located.
Important: The peer security gateway must support RFC 3706 in order for this functionality to function properly.
• Primary Tunnel is down: A primary tunnel that was previously "up" is now "down" representing an error condition.
• Primary Tunnel is up: A primary tunnel that was previously "down" is now "up".
• Secondary tunnel is down: A secondary tunnel that was previously "up" is now "down" representing an error condition.
• Secondary Tunnel is up: A secondary tunnel that was previously "down" is now "up".
• Fail-over successful: The switchover of user traffic was successful. This is generated for both primary-to-secondary and secondary-to-primary switchovers.
• Unsuccessful fail-over: An error occurred when switching user traffic from either the primary to secondary tunnel or the secondary to primary tunnel.
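One way a monitoring system can consume the events listed above, as an added example that is not part of Cisco's documentation: a Python tracker that keeps the primary/secondary tunnel state of each crypto group and raises an alert when a fail-over fails or when both tunnels of a group are down. The log-line layout (timestamp, group=<name>, event text) and the group names are constructed for this example; the event texts are the ones listed above.

```python
"""Per-crypto-group tracking of redundant IPSec tunnel events.  Added example,
not Cisco's code.  Line layout '<timestamp> group=<name> <event text>' is an
assumption made for this example; the event texts are those listed in the chapter."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Event texts from the chapter, mapped to (tunnel, new state).
TUNNEL_EVENTS = {
    "primary tunnel is down": ("primary", "down"),
    "primary tunnel is up": ("primary", "up"),
    "secondary tunnel is down": ("secondary", "down"),
    "secondary tunnel is up": ("secondary", "up"),
}
LINE = re.compile(r"^(?P<ts>\S+) group=(?P<group>\S+) (?P<event>.+)$")


@dataclass
class GroupState:
    primary: str = "unknown"
    secondary: str = "unknown"
    active: str = "primary"   # tunnel currently carrying user traffic


def process_events(lines: List[str]) -> Tuple[Dict[str, GroupState], List[str]]:
    """Replay event lines; return the final state per group and the alerts raised."""
    groups: Dict[str, GroupState] = {}
    alerts: List[str] = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # unrelated log line
        ts, name, event = m.group("ts"), m.group("group"), m.group("event").lower()
        st = groups.setdefault(name, GroupState())
        if event in TUNNEL_EVENTS:
            tunnel, state = TUNNEL_EVENTS[event]
            setattr(st, tunnel, state)
            if st.primary == "down" and st.secondary == "down":
                alerts.append(f"{ts} {name}: both tunnels down, no protected path for user traffic")
        elif event == "fail-over successful":
            # The chapter generates this for both primary-to-secondary and
            # secondary-to-primary switchovers, so simply flip the active tunnel.
            st.active = "secondary" if st.active == "primary" else "primary"
        elif event == "unsuccessful fail-over":
            alerts.append(f"{ts} {name}: fail-over failed, user traffic switchover did not complete")
    return groups, alerts


# Constructed event log (not captured from a real system).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z group=grp-hq Primary Tunnel is up",
    "2024-01-01T10:00:01Z group=grp-hq Secondary Tunnel is up",
    "2024-01-01T10:05:00Z group=grp-hq Primary Tunnel is down",
    "2024-01-01T10:05:01Z group=grp-hq Fail-over successful",
    "2024-01-01T10:09:00Z group=grp-hq Secondary Tunnel is down",
    "2024-01-01T10:20:00Z group=grp-branch Primary Tunnel is up",
    "2024-01-01T10:21:00Z group=grp-branch Primary Tunnel is down",
    "2024-01-01T10:21:01Z group=grp-branch Unsuccessful fail-over",
]

if __name__ == "__main__":
    states, raised = process_events(SAMPLE_LOG)
    for name, st in states.items():
        print(f"{name}: primary={st.primary} secondary={st.secondary} active={st.active}")
    for a in raised:
        print("ALERT", a)
```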
Important: Parameters configured using this procedure must be configured in the same context on the system.
Important: The system supports a maximum of 32 crypto groups per context. However, configuring crypto groups to use the same loopback interface for secondary IPSec tunnels is not recommended and may compromise redundancy on the chassis.
Important: This section provides the minimum instruction set for configuring crypto groups on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
• <ctxt_name> is the destination context where the Crypto Group is to be configured.
• <group_name> is the name of the Crypto group you want to configure for IPSec tunnel failover support.
• <acl_name> is the name of the pre-configured crypto ACL. It is used for configurations not implementing the IPSec Tunnel Failover feature and matches the crypto map to a previously defined crypto ACL. For more information on crypto ACLs, refer to the Crypto Access Control List (ACL) section of this chapter.
• <ctxt_name> is the system context in which you wish to create and configure the ISAKMP crypto maps.
• <group_name> is the name of the Crypto group configured in the same context for the IPSec Tunnel Failover feature.
• <map_name1> is the name of the preconfigured ISAKMP crypto map to match with the crypto group as primary.
• <map_name2> is the name of the preconfigured ISAKMP crypto map to match with the crypto group as secondary.
DPD is configured at the context level and is used in support of the IPSec Tunnel Failover feature (refer to the Redundant IPSec Tunnel Fail-Over section) and/or to help prevent tunnel state mismatches between an FA and HA when IPSec is used for Mobile IP applications. When used with Mobile IP applications, DPD ensures the availability of tunnels between the FA and HA. (Note that the starIPSECDynTunUp and starIPSECDynTunDown SNMP traps are triggered to indicate tunnel state for the Mobile IP scenario.)
Regardless of the application, DPD must be supported/configured on both security peers. If the system is configured with DPD but it is communicating with a peer that does not have DPD configured, IPSec tunnels still come up. However, the only indication that the remote peer does not support DPD exists in the output of the show crypto isakmp security-associations summary command.
Important: If DPD is enabled while IPSec tunnels are up, it will not take effect until all of the tunnels are cleared.
Step 1
Step 2
Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
• <ctxt_name> is the destination context where the Crypto Group is to be configured.
Important: This section provides the minimum instruction set for configuring an APN template to support L2TP for APN. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference. To configure the APN to support L2TP:
Step 1
Step 2
Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
tunnel l2tp [ peer-address <lns_address> [ [ encrypted ] secret <l2tp_secret> ] [ preference <num> ] [ tunnel-context <tunnel_ctxt_name> ] [ local-address <agw_ip_address> ] [ crypto-map <map_name> { [ encrypted ] isakmp-secret <crypto_secret> } ]
• <ctxt_name> is the system context in which the APN template is configured.
• <apn_name> is the name of the preconfigured APN template in which you want to configure L2TP support.
• <lns_address> is the IP address of the LNS node with which this APN will communicate.
• <tunnel_ctxt_name> is the L2TP context in which the L2TP tunnel is configured.
• <agw_ip_address> is the local IP address of the GGSN in which this APN template is configured.
• <map_name> is the preconfigured crypto map (ISAKMP or manual) to use for L2TP.
For more information on ACLs, see the System Administration Guide.
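As an added example (not from this guide), here is the tunnel l2tp command from the syntax above applied inside an APN template, with a primary and a backup LNS and the L2TP traffic protected by an IPSec crypto map. The context, APN, L2TP context and crypto-map names, the addresses and the secrets are placeholders; the crypto map l2tp_map is assumed to be configured already, and the semantics of preference between several LNS entries are as described in the Command Line Interface Reference.

```text
configure
  context ggsn_ctx
    apn corp.example
      # Primary LNS. The tunnel secret is entered in clear text here; the
      # "encrypted" keyword is only for re-entering a secret in the stored,
      # encrypted form that appears in a saved configuration, so do not paste
      # a clear-text secret after "encrypted".
      tunnel l2tp peer-address 192.0.2.50 secret L2tpTunnelP@ss preference 1 tunnel-context l2tp_ctx local-address 198.51.100.5 crypto-map l2tp_map isakmp-secret Ik3P@ss
      # Backup LNS with the same crypto map, selected by preference order.
      tunnel l2tp peer-address 192.0.2.51 secret L2tpTunnelP@ss preference 2 tunnel-context l2tp_ctx local-address 198.51.100.5 crypto-map l2tp_map isakmp-secret Ik3P@ss
      end
```

Without the crypto-map clause the L2TP tunnel, and with it the PPP authentication exchange it carries, runs in the clear between the GGSN and the LNS; the crypto map is what ties the tunnel to the IPSec policy configured earlier in this chapter.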
• PSK (Pre-Shared Key) Authentication: A pre-shared key is a shared secret that was previously shared between two network nodes. IPSec for LTE/SAE supports PSK such that both IPSec nodes must be configured to use the same shared secret.
• X.509 Certificate-based Peer Authentication: IPSec for LTE/SAE supports X.509 certificate-based peer authentication and CA (Certificate Authority) certificate authentication as described below.
• Idle Tunnel Termination: When a session manager for a service detects that all subscriber sessions using a given IPSec tunnel have terminated, the IPSec tunnel also gets terminated after a timeout period.
• Service Termination: When a service running on a network node is brought down for any reason, all corresponding IPSec tunnels get terminated. This may be caused by the interface for a service going down, a service being stopped manually, or a task handling an IPSec tunnel restarting.
• Unreachable Peer: If a network node detects an unreachable peer via Dead Peer Detection (DPD), the IPSec tunnel between the nodes gets terminated. DPD can be enabled per P-GW, S-GW, and MME service via the system CLI during crypto template configuration.
• E-UTRAN Handover Handling: Any IPSec tunnel that becomes unusable due to an E-UTRAN network handover gets terminated, while the network node to which the session is handed initiates a new IPSec tunnel for the session.
Appendix C
Sample Configuration Files
configure /flash/flashconfig/<sgw_license_name>.cfg
card <slot_number>
card <slot_number>
interface <name>
port ethernet <slot#/port#>
  bind interface <lcl_cntxt_intrfc_name> local
snmp heartbeat interval <minutes>
snmp community <string> read-write
system contact <string>
system location <string>
context <sgw_context_name> -noconfirm
  interface <s1u-s11_interface_name>
    ip address <ipv4_address_primary>
    ip address <ipv4_address_secondary>
  interface <s4_interface_name>
    ip address <ipv4_address_primary>
    ip address <ipv4_address_secondary>
    ipv6 address <address>
  gtpu-service <gtpu_s1us11_ingress_service_name>
    bind ipv4-address <s1-us11_interface_ip_address>
    bind ipv6-address <s1-us11_interface_ip_address>
  gtpu-service <gtpu_s4_ingress_service_name>
    bind ipv4-address <s4_interface_ip_address>
    bind ipv6-address <s4_interface_ip_address>
  egtp-service <egtp_s1u-s11_ingress_service_name>
    associate gtpu-service <gtpu_ingress_service_name>
    gtpc bind address <s1u-s11_interface_ip_address>
  egtp-service <egtp_s4_ingress_service_name>
    associate gtpu-service <gtpu_ingress_service_name>
    gtpc bind address <s4_interface_ip_address>
  sgw-service <sgw_service_name> -noconfirm
    associate ingress egtp-service <egtp_ingress_service_name>
    associate egress-proto gtp egress-context <egress_context_name>
    qci-qos-mapping <map_name>
context <egress_context_name> -noconfirm
  interface <s5s8_interface_name>
    ipv6 address <address>
  source interface <name>
  destination address <ipv4_or_ipv6_address>
    ip address <ipv4_address>
  interface <s12_interface_name>
    ip address <ipv4_address_primary>
    ip address <ipv4_address_secondary>
    ipv6 address <address>
  gtpu-service <gtpu_s5s8_egress_service_name>
    bind ipv4-address <s5s8_interface_ip_address>
    bind ipv6-address <s5s8_interface_ip_address>
  gtpu-service <gtpu_s12_egress_service_name>
    bind ipv4-address <s12_interface_ip_address>
    bind ipv6-address <s12_interface_ip_address>
  egtp-service <egtp_s5s8_egress_service_name>
    associate gtpu-service <gtpu_egress_service_name>
    gtpc bind address <s5s8_interface_ip_address>
  egtp-service <egtp_s12_egress_service_name>
    associate gtpu-service <gtpu_egress_service_name>
    gtpc bind address <s12_interface_ip_address>
context <ingress_context_name>
  lifetime <seconds>
  crypto template <name> ikev2-dynamic
    ikev2-ikesa transform-set list <list_name>
    payload <payload_name> match childsa
      lifetime <seconds>
  qci-qos-mapping <name>
Appendix D
S-GW Engineering Rules
This appendix provides Serving Gateway-specific engineering rules or guidelines that must be considered prior to configuring the ASR 5x00 for your network deployment. General and network-specific rules are located in the appendix of the System Administration Guide for the specific network type.
Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883