Enhanced Wireless Access Gateway Configuration

This chapter provides information on configuring the Enhanced Wireless Access Gateway (eWAG) service.

The following topics are covered in this chapter:

Before You Begin

Before you can configure the eWAG service:

  1. Confirm that the chassis on which the eWAG software will be configured has been set up as described in the System Administration Guide.

    IMPORTANT:

    In this release, the following combo deployment options are not fully qualified and are not supported; they are available only for lab testing purposes.

      • For eWAG + GGSN combo deployments, confirm that the GGSN is already configured as described in the Gateway GPRS Support Node Administration Guide.
      • For eWAG + TTG combo deployments, confirm that the TTG is already configured as described in the Packet Data Gateway/Tunnel Termination Gateway Administration Guide.
      • For eWAG + GGSN + TTG combo deployments, confirm that the GGSN and TTG are already configured as described in the Gateway GPRS Support Node Administration Guide and the Packet Data Gateway/Tunnel Termination Gateway Administration Guide respectively.
  2. Confirm that the Enhanced Charging Service (ECS) in-line service is configured as described in the Enhanced Charging Service Administration Guide. Also, confirm that the required license is installed.
  3. Confirm that the Network Address Translation in-line service is configured as described in the Network Address Translation Administration Guide. Also, confirm that the required license is installed.
  4. Confirm that the eWAG license is installed. The eWAG is a licensed Cisco product. Separate session and feature licenses may be required. Contact your Cisco account representative for detailed information on licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.

eWAG Configuration

This section describes how to configure the eWAG service.

  1. Create and configure the eWAG service as described in the Creating and Configuring the eWAG Service section.
  2. Create and configure an APN for eWAG as described in the Configuring the APN section.
  3. Create and configure an SGTP service for eWAG as described in the Configuring the SGTP Service section.
  4. Configure the NAT in-line service for eWAG as described in the Configuring NATALG Support section.
  5. Save your configuration to the flash memory, an external memory device, and/or a network location using the Exec Mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.

IMPORTANT:

Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.

Creating and Configuring the eWAG Service

This section describes how to create and configure an eWAG service.

Creating the eWAG Service

To create the eWAG service use the following configuration:

configure
   context <context_name> [ -noconfirm ]
      ipsg-service <ipsg_service_name> mode radius-server ewag [ -noconfirm ]
      end

Notes:

  • The ewag keyword enables the eWAG service (IPSG service in eWAG mode), and enters the IPSG RADIUS Server Configuration Mode, which is common for the eWAG and IPSG services.
  • You can configure a maximum of 64 eWAG/IPSG services in the system, one per context. Only one IPSG service must be configured per context. Multiple eWAG services must not be configured in the same context as they will not be able to differentiate between uplink and downlink packets.

Configuring the eWAG Service

This section describes how to configure the eWAG service for the following deployments:

Configuring Stand-alone eWAG Deployment

For a stand-alone eWAG deployment use the following configuration:

configure
   context <context_name>
      ipsg-service <ipsg_service_name> mode radius-server ewag
         #To associate an SGTP service:
         associate sgtp-service <sgtp_service_name> [ context <sgtp_context_name> ]
         #To bind the eWAG service to a logical AAA interface and configure the number of subscriber sessions allowed:
         bind address <ipv4/ipv6_address> [ max-subscribers <max_sessions> | port <port_number> | source-context <source_context_name> ]
         #To configure location-specific mobile network identifiers:
         plmn id mcc <mcc_number> mnc <mnc_number>
         #To enable APN profile for eWAG and optionally configure the default APN:
         profile APN [ default-apn <default_apn_name> ]
         #To configure QoS DSCP parameters:
         ip { gnp-qos-dscp | qos-dscp } qci { { { 1 | 2 | 3 | 4 | 9 } | { 5 | 6 | 7 | 8 } allocation-retention-priority { 1 | 2 | 3 } } { af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | be | ef | pt } } +
         #To configure RADIUS dictionary:
         radius dictionary <dictionary_name>
         #To configure RADIUS accounting parameters:
         radius accounting { client { <ipv4/ipv6_address> | <ipv4/ipv6_address/mask> } [ encrypted ] key <key> [ acct-onoff [ aaa-context <aaa_context_name> ] [ aaa-group <aaa_server_group_name> ] [ clear-sessions ] + ] [ dictionary <dictionary_name> ] [ disconnect-message [ dest-port <destination_port_number> ] + | interim create-new-call }
         #To configure timeout for eWAG session setup attempts:
         setup-timeout <setup_timeout>
         end

Notes:

  • In the APN profile configuration, <default_apn_name> specifies the default APN to be used for the eWAG service. It should be configured as NI+OI for proper DNS resolution. Also, note that eWAG does not support subscriber profile.
  • <dictionary_name> specifies the RADIUS dictionary to use for the eWAG service. In this release, only the starent-vsa1 dictionary is supported for eWAG.
  • In the RADIUS accounting parameter configurations, the disconnect-message option enables sending RADIUS accounting messages to the configured RADIUS accounting client if the call goes down due to any failure. If this option is not configured, the eWAG will not send Disconnect-Message in call failure scenarios.
  • In the binding configuration, the source-context option specifies the source context where RADIUS accounting requests are received. This keyword should be configured if the source of the RADIUS requests is in a different context than the eWAG service. If not configured, the system will default to the context in which the eWAG service is configured.

Configuring eWAG + GGSN Combo Deployment

IMPORTANT:

In this release, the eWAG + GGSN combo deployment option is not fully qualified and is not supported; it is available only for lab testing purposes.

To configure the eWAG service for an eWAG + GGSN combo deployment use the following configuration:

configure
   context <context_name>
      ipsg-service <ipsg_service_name> mode radius-server ewag
         #To associate an SGTP service:
         associate sgtp-service <sgtp_service_name> [ context <sgtp_context_name> ]
         #To bind the eWAG service to a logical AAA interface and configure the number of subscriber sessions allowed:
         bind address <ipv4/ipv6_address> [ max-subscribers <max_sessions> | port <port_number> | source-context <source_context> ]
         #To configure location-specific mobile network identifiers:
         plmn id mcc <mcc_number> mnc <mnc_number>
         #To enable APN profile for eWAG and optionally configure the default APN:
         profile APN [ default-apn <apn_name> ]
         #To configure QoS DSCP parameters:
         ip { gnp-qos-dscp | qos-dscp } qci { { { 1 | 2 | 3 | 4 | 9 } | { 5 | 6 | 7 | 8 } allocation-retention-priority { 1 | 2 | 3 } } { af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | be | ef | pt } } +
         #To configure RADIUS dictionary:
         radius dictionary <dictionary_name>
         #To configure RADIUS accounting parameters:
         radius accounting { client { <ipv4/ipv6_address> | <ipv4/ipv6_address/mask> } [ encrypted ] key <key> [ acct-onoff [ aaa-context <aaa_context_name> ] [ aaa-group <aaa_server_group_name> ] [ clear-sessions ] + ] [ dictionary <dictionary> ] [ disconnect-message [ dest-port <destination_port_number> ] + | interim create-new-call }
         #To configure timeout for eWAG session setup attempts:
         setup-timeout <setup_timeout>
         end

Notes:

  • In the APN profile configuration, <default_apn_name> specifies the default APN to be used for the eWAG service. It should be configured as NI+OI for proper DNS resolution. Also, note that eWAG does not support subscriber profile.
  • <dictionary_name> specifies the RADIUS dictionary to use for the eWAG service. In this release, only the starent-vsa1 dictionary is supported for eWAG.
  • In the RADIUS accounting parameter configurations, the disconnect-message option enables the sending of RADIUS accounting messages to the configured RADIUS accounting client when the call goes down due to any failure. Note that without this enabled, eWAG will not send Disconnect-Message in call failure scenarios.
  • In the binding configuration, the source-context option specifies the source context where RADIUS accounting requests are received. This keyword should be configured if the source of the RADIUS requests is in a different context than the eWAG service. If not configured, the system will default to the context in which the eWAG service is configured.

Configuring the APN

This section describes how to configure an APN for the eWAG service. The eWAG uses APN configuration to specify certain attributes in the subscriber profile.

To create and configure an APN for eWAG use the following configuration:

configure
   context <context_name>
      apn <apn_name>
         #To configure the accounting mode:
         accounting-mode none
         #To specify the ACS rulebase:
         active-charging rulebase <ecs_rulebase_name>
         #To specify the IP access group:
         ip access-group <access_list_name> in
         ip access-group <access_list_name> out
         #To specify the Firewall-and-NAT policy to use for NAT support:
         fw-and-nat policy <fw_nat_policy_name>
         #To configure alternative APN to be used by eWAG:
         virtual-apn preference <preference> apn <virtual_apn_name> access-gw-address { <radius_client_ipv4/ipv6_address> | <radius_client_ipv4/ipv6_address/mask> }
         end

Notes:

  • In the ASR 5000 chassis, virtual APN selection can be based on other criteria apart from Access Gateway address (access-gw-address) selection, such as the MSISDN range, RAT type, and so on. However, only the access gateway address criterion is applicable to the eWAG, which is the RADIUS accounting client from which the initial Accounting-Start message is received. Note that for stand-alone eWAG deployments virtual APN is not mandatory.
  • For more information on virtual APN in eWAG + GGSN combo deployments, refer to the Enhanced Wireless Access Gateway Overview chapter.
  • In the IP access group configuration, the access list (<access_list_name>) specified must be configured in the destination context with ECS redirect ACL. See the Access List Configuration section.
  • For eWAG, the Firewall-and-NAT policy for subscribers can be specified either in the APN template or in the ECS rulebase. For selection, the policy specified in the APN configuration has higher priority than the one specified in the ECS rulebase configuration.

Configuring the SGTP Service

To create and configure the SGTP service use the following configuration:

configure
   context <context_name>
      sgtp-service <sgtp_service_name>
         #To configure GTP-C parameters:
         gtpc { bind address <ipv4_address> | dns-sgsn context <context_name> | echo-interval <echo_interval_seconds> | echo-retransmission { exponential-backoff [ [ min-timeout <min_retrans_timeout_seconds> ] [ smooth-factor <smooth_factor> ] + ] | timeout <retrans_timeout_seconds> } | guard-interval <guard_interval_seconds> | ignore response-port-validation | ip qos-dscp { af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | be | ef } | max-retransmissions <max_retransmissions> | retransmission-timeout <retrans_timeout_seconds> | send { common flags | rab-context | target-identification-preamble } }
         #To configure GTP-U parameters:
         gtpu { bind address <ipv4_address> | echo-interval <echo_interval_seconds> | echo-retransmission { exponential-backoff [ [ min-timeout <min_retrans_timeout_seconds> ] [ smooth-factor <smooth_factor> ] + ] | timeout <retrans_timeout_seconds> } | max-retransmissions <max_retransmissions> | retransmission-timeout <retrans_timeout_seconds> }
         #To configure path failure detection policy:
         path-failure detection-policy gtp { echo | non-echo } +
         #To configure the restart counter change window to avoid service deactivations and activations that could cause large bursts of network traffic if the restart counter change messages from the GGSN are erroneous:
         max-remote-restart-counter-change <variance>
         end

Notes:

  • The SGTP service must be associated in the eWAG service configuration.
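
The constraints stated in the notes of this chapter (at most 64 eWAG/IPSG services, one per context, an SGTP service associated with each, and starent-vsa1 as the only supported dictionary) can be checked against a saved configuration before it is loaded. The Python below is an added example, not Cisco code; the sample configuration, its names and its addresses are constructed, and it assumes the file follows the context / ipsg-service / exit layout shown in this chapter.

```python
import re

SUPPORTED_DICTIONARY = "starent-vsa1"  # only dictionary this chapter lists for eWAG
MAX_SERVICES = 64                      # system-wide eWAG/IPSG service limit

# Constructed sample configuration (names and addresses are made up).
SAMPLE_CONFIG = """\
configure
   context wlan-in
      ipsg-service ewag1 mode radius-server ewag
         associate sgtp-service sgtp1 context wlan-out
         bind address 192.0.2.10 max-subscribers 1000
         radius dictionary starent-vsa1
         exit
      exit
   context wlan-lab
      ipsg-service ewag2 mode radius-server ewag
         bind address 192.0.2.20
         radius dictionary custom9
         exit
      ipsg-service ewag3 mode radius-server ewag
         associate sgtp-service sgtp1
         radius dictionary starent-vsa1
         exit
      exit
   end
"""


def parse_services(text):
    """Return one dict per ipsg-service: context, name, sgtp, dictionary."""
    services, ctx, svc = [], None, None
    for raw in text.splitlines():
        # Assumption: a leading '#' (as in '#exit') is tolerated and ignored.
        line = raw.strip().lstrip("#").strip()
        if m := re.match(r"context (\S+)", line):
            ctx, svc = m.group(1), None
        elif m := re.match(r"ipsg-service (\S+) mode radius-server", line):
            svc = {"context": ctx, "name": m.group(1),
                   "sgtp": None, "dictionary": None}
            services.append(svc)
        elif line == "end":              # 'end' leaves every mode at once
            ctx = svc = None
        elif line == "exit":             # 'exit' leaves the innermost mode
            if svc is not None:
                svc = None
            else:
                ctx = None
        elif svc is not None:
            if m := re.match(r"associate sgtp-service (\S+)", line):
                svc["sgtp"] = m.group(1)
            elif m := re.match(r"radius dictionary (\S+)", line):
                svc["dictionary"] = m.group(1)
    return services


def audit(text):
    """Return a list of findings; an empty list means no rule was violated."""
    services, findings, per_ctx = parse_services(text), [], {}
    if len(services) > MAX_SERVICES:
        findings.append(f"{len(services)} eWAG/IPSG services exceed the "
                        f"system limit of {MAX_SERVICES}")
    for s in services:
        per_ctx.setdefault(s["context"], []).append(s["name"])
        if s["sgtp"] is None:
            findings.append(f"{s['context']}/{s['name']}: no SGTP service associated")
        # Only an explicitly configured dictionary is judged; an unset one is skipped.
        if s["dictionary"] not in (None, SUPPORTED_DICTIONARY):
            findings.append(f"{s['context']}/{s['name']}: RADIUS dictionary "
                            f"{s['dictionary']} is not {SUPPORTED_DICTIONARY}")
    for ctx, names in per_ctx.items():
        if len(names) > 1:
            findings.append(f"{ctx}: more than one eWAG/IPSG service in this "
                            f"context ({', '.join(names)})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```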

Configuring NAT/ALG Support

This section explains NAT/ALG related configurations.

For eWAG, the Firewall-and-NAT policy for a subscriber can be specified either in the APN template or in the ECS rulebase. For selection, the policy specified in the APN configuration has higher priority than the one specified in the ECS rulebase configuration.

Configuring ECS Rulebase with Firewall-and-NAT Policy

To specify the Firewall-and-NAT policy in an ECS rulebase use the following configuration:

configure
   active-charging service <ecs_service_name>
      rulebase <rulebase_name>
         fw-and-nat default-policy <fw_nat_policy_name>
         end

Configuring APN with Firewall-and-NAT Policy

To specify the Firewall-and-NAT policy to use in an APN use the following configuration:

configure
   context <context_name>
      apn <apn_name>
         fw-and-nat policy <fw_nat_policy_name>
         end

Configuring Routing Rules and NAT ALG

The routing rules must be configured in the ECS service and the routing rule priorities must be configured in the ECS rulebase for routing packets to the respective analyzers for performing NAT ALG processing.

configure
   active-charging service <ecs_service_name>
      #To configure routing ruledefs:
      #FTP ALG:
      ruledef <ftp_control_ruledef_name>
         tcp either-port <operator> <value>
         rule-application routing
         exit
      ruledef <ftp_data_ruledef_name>
         tcp either-port <operator> <value>
         rule-application routing
         exit
      #SIP ALG:
      ruledef <sip_ruledef_name>
         udp either-port <operator> <value>
         rule-application routing
         exit
      #RTSP ALG:
      ruledef <rtsp_ruledef_name>
         tcp either-port <operator> <value>
         rule-application routing
         exit
      #PPTP ALG:
      ruledef <pptp_ruledef_name>
         tcp either-port <operator> <value>
         rule-application routing
         exit
      #TFTP ALG:
      ruledef <tftp_ruledef_name>
         tcp either-port <operator> <value>
         rule-application routing
         exit
      #H323 ALG:
      ruledef <h323_ruledef_name>
         udp either-port <operator> <value>
         rule-application routing
         exit
      ruledef <h323_multi_ruledef_name>
         udp either-port <operator> <value>
         rule-application routing
         exit
      ruledef <h323_tcp_ruledef_name>
         tcp either-port <operator> <value>
         rule-application routing
         exit
      #To configure the routing rule priorities in the rulebase:
      rulebase <rulebase_name>
         route priority <route_priority> ruledef <ftp_control_ruledef_name> analyzer ftp-control
         route priority <route_priority> ruledef <ftp_data_ruledef_name> analyzer ftp-data
         route priority <route_priority> ruledef <rtsp_ruledef_name> analyzer rtsp
         route priority <route_priority> ruledef <pptp_ruledef_name> analyzer pptp
         route priority <route_priority> ruledef <tftp_ruledef_name> analyzer tftp
         route priority <route_priority> ruledef <sip_ruledef_name> analyzer sip advanced
         route priority <route_priority> ruledef <h323_ruledef_name> analyzer h323
         route priority <route_priority> ruledef <h323_multi_ruledef_name> analyzer h323
         route priority <route_priority> ruledef <h323_tcp_ruledef_name> analyzer h323
         exit
      #To enable payload (Layer 7) translation of IP packets, in the ECS service:
      firewall nat-alg ftp
      firewall nat-alg pptp
      firewall nat-alg rtsp
      firewall nat-alg sip
      firewall nat-alg h323
      end

Notes:

  • For more information on ECS ruledef and rulebase configurations, refer to the Enhanced Charging Service Administration Guide.
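
The dependency described in this section, where each enabled NAT ALG needs a routing ruledef in the ECS service and a route priority in the rulebase that sends traffic to the matching analyzer, can be verified offline with a consistency check such as the following. This is an added Python example, not Cisco code; it assumes a single ECS service per file, takes the ALG-to-analyzer pairing from the configuration shown above, and uses constructed names, priorities and port values.

```python
import re

# firewall nat-alg protocol -> analyzers it depends on, as paired in this section
ALG_ANALYZERS = {
    "ftp": {"ftp-control", "ftp-data"},
    "pptp": {"pptp"},
    "rtsp": {"rtsp"},
    "sip": {"sip"},
    "h323": {"h323"},
}

# Constructed sample: ftp-data lacks rule-application routing, rtsp-ctl is
# referenced but never defined, and the SIP ruledef is never routed.
SAMPLE_ECS = """\
configure
   active-charging service ecs1
      ruledef ftp-ctrl
         tcp either-port = 21
         rule-application routing
         exit
      ruledef ftp-data
         tcp either-port = 20
         exit
      ruledef sip-sig
         udp either-port = 5060
         rule-application routing
         exit
      rulebase rb1
         route priority 10 ruledef ftp-ctrl analyzer ftp-control
         route priority 20 ruledef ftp-data analyzer ftp-data
         route priority 30 ruledef rtsp-ctl analyzer rtsp
         exit
      firewall nat-alg ftp
      firewall nat-alg sip
      firewall nat-alg rtsp
      end
"""


def parse_ecs(text):
    """Return ({ruledef: is_routing}, [(priority, ruledef, analyzer)], {algs})."""
    ruledefs, routes, algs, cur = {}, [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ruledef (\S+)$", line):
            cur = m.group(1)
            ruledefs[cur] = False
        elif line == "rule-application routing" and cur:
            ruledefs[cur] = True
        elif line in ("exit", "end") or line.startswith("rulebase "):
            cur = None
        elif m := re.match(r"route priority (\d+) ruledef (\S+) analyzer (\S+)", line):
            routes.append((int(m.group(1)), m.group(2), m.group(3)))
        elif m := re.match(r"firewall nat-alg (\S+)", line):
            algs.add(m.group(1))
    return ruledefs, routes, algs


def check_nat_alg(text):
    """List broken routes and enabled ALGs that no usable route feeds."""
    ruledefs, routes, algs = parse_ecs(text)
    findings, usable = [], set()
    for prio, name, analyzer in routes:
        if name not in ruledefs:
            findings.append(f"route priority {prio}: ruledef {name} is not defined")
        elif not ruledefs[name]:
            findings.append(f"route priority {prio}: ruledef {name} lacks "
                            "rule-application routing")
        else:
            usable.add(analyzer)
    for alg in sorted(algs):
        for analyzer in sorted(ALG_ANALYZERS.get(alg, {alg}) - usable):
            findings.append(f"firewall nat-alg {alg}: no usable route to "
                            f"analyzer {analyzer}")
    return findings


if __name__ == "__main__":
    for finding in check_nat_alg(SAMPLE_ECS):
        print(finding)
```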

Additional Configurations

This section covers the following configurations:

Configuring Access Lists

To create and configure an ACL to use in steering subscriber traffic through ECS, use the following configuration:

configure
   context <context_name>
      ip access-list <access_list_name>
         redirect css service <ecs_service_name> <keywords> <options>
         end

Notes:

  • <ecs_service_name> must be the name of the enhanced charging service; no CSS service has to be configured.

Configuring Bulk Statistics

To configure bulk statistics collection for the eWAG service, use the following configuration:

configure
   bulkstats mode
      ipsg schema <schema_name> format <schema_format>
      end

Notes:

  • For detailed information on eWAG-related bulk statistics available in the IPSG schema, refer to the IPSG Schema chapter of the Statistics and Counters Reference, and for those available in the System schema, refer to the System Schema chapter of the Statistics and Counters Reference.
  • Apart from the IPSG and System schema, as needed you can also configure variables available in the other schema, including:
    • APN: For Access Point Name (APN) related statistics
    • Card: For card-level statistics
    • Context: For context service related statistics
    • ECS: For Enhanced Charging Service related statistics
    • Port: For port-level statistics
    • RADIUS: For per-RADIUS server statistics
  • The following is a sample schema format for eWAG statistics: “eWAG Schema: Test\n ----------------------\nVPN Name:%vpnname%,\nService Name:%servname%,\n Session Statistics: \n Total Current Sessions :%total_current_sessions%,\n Total Sessions Setup: %total_sessions_setup%,\n ----------------------\n”

Configuring Congestion Control

To enable Congestion Control, use the following configuration:

configure
   #To enable Congestion Control:
   congestion-control
   #To configure Congestion Control policy:
   congestion-control policy ipsg-service action { drop | none }
   #To configure Congestion Control thresholds:
   congestion-control threshold { { license-utilization | max-sessions-per-service-utilization | message-queue-utilization | port-rx-utilization | port-specific { <slot/port> | all { rx-utilization | tx-utilization } } | port-specific-rx-utilization | port-specific-tx-utilization | port-tx-utilization | service-control-cpu-utilization | system-cpu-utilization | system-memory-utilization | tolerance } [ critical ] <percentage> | message-queue-wait-time [ critical ] <seconds> | { port-specific-rx-utilization | port-specific-tx-utilization } [ critical ] }
   end

Notes:

  • Congestion policies are configurable for each service. These policies dictate how the services respond when the system detects that a congestion condition threshold has been crossed. For more information on the Congestion Control feature, refer to the Congestion Control chapter of the System Administration Guide.
  • In the above configuration, the Congestion Control thresholds featured are at the system level and are not specific to eWAG.
  • eWAG supports only critical threshold values.

Verifying your Configuration

To verify your Congestion Control configuration, in the Exec Mode issue the following command:

show congestion-control configuration

The output of this command displays information including whether or not Congestion Control is enabled/disabled, Congestion Control threshold parameter settings, Congestion Control policy, and more.

Configuring Session Recovery

To enable Session Recovery, use the following configuration:

configure
   require session recovery
   end

Notes:

  • For more information on the Session Recovery feature, refer to the Session Recovery chapter of the System Administration Guide.
  • A valid feature key is required for this configuration. This command enables/disables the feature to try to perform hitless session recovery for all session types supported by the software release. After enabling session recovery through this configuration, make sure that session recovery status is “ready”.

eWAG Administration

This section describes eWAG administrative procedures.

This section includes the following topics:

Logging Support

To view IPSG-related logs, in the Exec Mode use the following command:

logging filter active facility { ipsg | ipsgmgr } level <severity_level> [ critical-info | no-critical-info ]

To view SGTP-related logs, in the Exec Mode use the following command:

logging filter active facility { sgsn-gtpc | sgsn-gtpu | sgtpcmgr } level <severity_level> [ critical-info | no-critical-info ]

To view SessMgr-related logs, in the Exec Mode use the following command.

SessMgr info level log having event ID 12077 displays the mapping between WLAN IP address and MPC IP address along with subscriber information, including Username, IMSI, MSISDN, and APN.

logging filter active facility sessmgr level <severity_level> [ critical-info | no-critical-info ]

Protocol Monitoring Support

The system provides protocol monitor and test utilities that are useful when troubleshooting or verifying configurations. The information generated by these utilities can in many cases either identify the root cause of a software or network configuration issue or, at the very least, greatly reduce the number of possibilities.

For troubleshooting purposes, the system provides a powerful protocol monitoring utility. This tool can be used to display protocol information for a particular subscriber session or for every session being processed.

For more information on Monitor Protocol and Monitor Subscriber, refer to the System Administration Guide.

Monitor Protocol

The system’s protocol monitor displays information for every session that is currently being processed. Depending on the number of protocols monitored, and the number of sessions in progress, a significant amount of data is generated. It is highly recommended that logging be enabled on your terminal client in order to capture all of the information that is generated.

To view monitor protocol based logging information, in the Exec Mode use the following command:

monitor protocol

For eWAG use the following filters:

  • 41 - IPSG RADIUS Signal: Must be used to view the RADIUS accounting messages on the control path for IPSG session management.
  • 24 - GTPC
  • 26 - GTPU

Monitor Subscriber

The system’s protocol monitor can be used to display information for a specific subscriber session that is currently being processed. Depending on the number of protocols monitored, and the number of sessions in progress, a significant amount of data is generated. It is highly recommended that logging be enabled on your terminal client in order to capture all of the information that is generated.

To view monitor subscriber based logging information, in the Exec Mode use the following command:

monitor subscriber

The following filters are available for monitor subscriber based logging in eWAG.

  • By MSID/IMSI
  • By IP Address
  • By MSISDN
  • Next-IPSG Call
  • By Username

Gathering eWAG-related Statistics and Information


Table 1. eWAG Statistics and Information

eWAG-related statistics or information                                                         CLI command to use
---------------------------------------------------------------------------------------------  -------------------------------------------------------------
To view concise eWAG service-level information.                                                show ipsg service all
To view detailed eWAG service-level information.                                               show ipsg service all verbose
To view eWAG service-level statistics, including session and RADIUS message-level statistics.  show ipsg statistic
To view eWAG session counter information.                                                      show ipsg sessions counters
To view eWAG subscriber information.                                                           show subscribers ipsg-only
To view detailed eWAG session information, for all sessions.                                   show ipsg sessions full all
To view detailed subscriber information, for all subscribers.                                  show subscribers full all
To view session progress information for in-progress calls.                                    show session progress
To view IPSG Manager related information.                                                      show session subsystem facility ipsgmgr
To view APN-related information.                                                               show apn name <apn_name>
To view APN-related statistics.                                                                show apn statistics
To view SNMP trap history.                                                                     show snmp trap history | grep IPSG
To view SNMP trap statistics, for all services including eWAG and SGTP.                        show snmp trap statistics
To view Congestion Control statistics for IPSG Manager.                                        show congestion-control statistics ipsgmgr
To view Congestion Control configuration.                                                      show congestion-control configuration
To view NAT-related statistics.                                                                show active-charging firewall statistics
To view ECS session-level information.                                                         show active-charging sessions
To view detailed ECS session-level information.                                                show active-charging sessions full
To view information for subscribers with NAT enabled.                                          show subscribers nat required
To view information for ECS flows with NAT enabled.                                            show active-charging flows full nat required
To view information for all ECS flows.                                                         show active-charging flows all
To view ECS statistics for specific analyzer.                                                  show active-charging analyzer statistics name <analyzer_name>
To view ECS statistics for specific rulebase.                                                  show active-charging rulebase name <rulebase_name>
To view detailed ECS subsystem-level information.                                              show active-charging subsystem all