Cisco ASR 5000 Series 3G Home NodeB Administration Manual


Cisco ASR 5000 Series 3G Home NodeB
Gateway Administration Guide
Version 12.1
Last Updated May 31, 2012
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-25069-03

Summary of Contents for Cisco ASR 5000 Series 3G Home NodeB

  • Page 1 Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide Version 12.1 Last Updated May 31, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 2 ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks.
  • Page 3: Table Of Contents

    Management System Overview (p. 32); Bulk Statistics Support (p. 33); Threshold Crossing Alerts (TCA) Support (p. 34); ANSI T1.276 Compliance (p. 35); Features and Functionality - Optional Enhanced Feature Software (p. 37) Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide ▄ OL-25069-03...
  • Page 4 HNB-GW Service Configuration (p. 80); GTP-U Service Configuration (p. 81); x.509 Certificate Configuration (p. 82); Security Gateway and Crypto map Template Configuration (p. 83); Multiple MSC Selection without Iu-Flex Configuration (p. 84) ...
  • Page 5 CoA and DM Error-Cause Attribute (p. 118); Viewing CoA and DM Statistics (p. 119); Session Redirection (Hotlining) (p. 122); Overview (p. 122); License Requirements (p. 122); Operation (p. 122) ...
  • Page 6 FA Services Configuration to Support IPSec (p. 166); Modifying FA service to Support IPSec (p. 166); Verifying the FA Service Configuration with IPSec (p. 167); HA Service Configuration to Support IPSec (p. 168) ...
  • Page 7 Child SA Rekey Support (p. 188); IKEv2 Keep-Alive Messages (Dead Peer Detection) (p. 189); E-UTRAN/EPC Logical Network Interfaces Supporting IPSec Tunnels (p. 189); IPSec Tunnel Termination (p. 190) ...
  • Page 9: About This Guide

    About this Guide This document pertains to the features and functionality that run on and/or that are related to the Cisco® ASR 5000 Chassis. This preface includes the following sections: • Conventions Used • Contacting Customer Support • Additional Information ...
  • Page 10: Conventions Used

    Required keywords and variables are surrounded by braces. They must be entered as part of the keyword command syntax. variable Optional keywords or variables that may or may not be used are surrounded by brackets. keyword variable ...
  • Page 11 These variables can be used in conjunction with required or optional keywords or variables. For example: { nonce | timestamp } count number_of_packets size number_of_bytes ...
  • Page 12: Contacting Customer Support

    Go to http://www.cisco.com/cisco/web/support/ to submit a service request. A valid Cisco account (username and password) is required to access this site. Please contact your Cisco account representative for additional information. ...
  • Page 13: Additional Information

    • SNMP MIB Reference • Web Element Manager Installation and Administration Guide • Product-specific and feature-specific administration guides • Release notes that accompany updates and upgrades to StarOS ...
  • Page 15: HNB Gateway In Wireless Network

    Chapter 1 HNB Gateway in Wireless Network The Cisco® provides 3GPP wireless carriers with a flexible solution that functions as a Home NodeB Gateway (HNB-GW) in HNB Access Network to connect UEs with existing UMTS networks. The Home NodeB Gateway works as a gateway for Home NodeBs (HNBs) to access the core networks. The HNB-GW concentrates connections from a large number of HNBs through the IuH interface and terminates the connection to existing Core Networks (CS or PS) using the standard Iu (IuCS or IuPS) interface.
  • Page 16: Product Description

    The HNB-GW provides interworking and aggregation of a large number of Femtocell sessions toward standard CN interfaces (IuPS/IuCS). In this approach services and mobility are completely transparent to CN elements (e.g. MSC, xGSN). ...
  • Page 17: HNB Access Network Elements

    • IuH User-plane Transport Bearer Handling • Iu Link Management Functions Important: Some of the features may not be available in this release. Kindly contact your local Cisco representative for more information on supported features. HNB Access Network Elements This section provides a brief description of the functionality of the various network elements involved in the UMTS Femto access network.
  • Page 18: Security Gateway (SeGW)

    (HMS) Licenses The HNB-GW is a licensed Cisco product. Separate session and feature licenses may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
  • Page 19: Platform Requirements

    Platform Requirements The HNB-GW service runs on a Cisco® ASR 5x00 chassis running StarOS Rel. 10 or later. The chassis can be configured with a variety of components to meet specific network deployment requirements. For additional information, refer to the Installation Guide for the chassis and/or contact your Cisco account representative.
  • Page 20: Network Deployment And Interfaces

    • IuH Interface: This interface is the reference point for the control plane protocol between Home NodeB and HNB-GW. IuH uses SCTP over IPSec IKEv2 tunnel as the transport layer protocol for guaranteed delivery of signaling messages between HNB-GW and Home NodeB. ...
  • Page 21 IKEv2 (Internet Key Exchange v2) and IPsec (IP Security) protocols to authenticate the operator and subscriber and then guarantee the privacy of the data exchanged. One TR-069 interface can be configured per HNB node. ...
  • Page 22: Features And Functionality - Base Software

    Up to 1,600 accounting, authentication and/or mediation servers are supported per chassis and may be distributed across a maximum of 1,000 nodes. This feature also enables the AAA servers to be distributed across multiple nodes within the same context. ...
  • Page 23: AAL2 Establish And Release Support

    Iu interface towards core network elements could either be IP based or ATM based. To provide ATM based interface support, Cisco HNB-GW provides AAL2 support on system in order to establish a voice bearer with MSC. Access Control List Support Access Control Lists provide a mechanism for controlling (i.e. permitting, denying, redirecting, etc.) packets in and out...
  • Page 24: ANSI T1.276 Compliance

    Typically, these conditions are temporary (for example, high CPU or memory utilization) and are quickly resolved. However, continuous or large numbers of these conditions within a specific time interval may have an ...
  • Page 25: Emergency Call Handling

    “Emergency”. If UE-registration was due to emergency then RUA-CONNECT must contain “Emergency”. If RUA-CONNECT contains “normal” then HNB-GW rejects it. While rejecting RUA connection or RAB connection the HNB-GW uses the following reject cause: • RUA - Misc: unspecified ...
  • Page 26: GTP-U Tunnels Management Support

    HMS and is downloaded to HNB-GW when HNB-REGISTRATION procedure happens. HNB Management Function Support for HNB registration and de-registration in 3G UMTS HNB Access Network in accordance with the following standards: ...
  • Page 27: Multiple MSC Selection Without Iu-Flex

    • Ensures geographical redundancy, as a pool can be distributed across sites. • Minimizes subscriber impact during service, maintenance, or node additions or replacements. • Increases overall capacity via load sharing across the MSCs/SGSNs in a pool. ...
  • Page 28: Iu Signalling Link Management Support

    These functions enable secure user and device level authentication between the authenticator component of the HNB-GW and a 3GPP HSS/AuC and RADIUS-based AAA interface support. This section describes the following features: • Authentication and Key Agreement (AKA) ...
  • Page 29: Authentication And Key Agreement (AKA)

    HNB-GW for traffic quality management in accordance with the following standards: • 3GPP TS 25.414 V9.0.0 (2009-12): 3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iu interface data transport and transport signalling (Release 9) ...
  • Page 30: QoS Management With DSCP Marking

    IP headers of the traffic such that intermediate IP nodes can provide differentiated QoS treatment to the traffic for an acceptable end-user experience. ...
  • Page 31: RADIUS Support

    • 3GPP TS 25.469 V8.1.0 (2009-03): 3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iuh interface Home Node B Application Part (HNBAP) signalling (Release 8) • IETF RFC 4960, Stream Control Transmission Protocol, December 2007 ...
  • Page 32: System Management Features

    • Can be easily integrated with higher-level network, service, and business layer applications using the Object Management Group's (OMG’s) Interface Definition Language (IDL) The following figure demonstrates these various element management options and how they can be utilized within the wireless carrier network. ...
  • Page 33: Bulk Statistics Support

    When used in conjunction with the Web Element Manager, the data can be parsed, archived, and graphed. ...
  • Page 34: Threshold Crossing Alerts (TCA) Support

    Typically, these conditions are temporary (i.e. high CPU utilization, or packet collisions on a network) and are quickly resolved. However, continuous or large numbers of these error conditions within a specific time interval may be ...
  • Page 35: ANSI T1.276 Compliance

    Furthermore, the platforms support a variety of authentication methods such as RADIUS and SSH which are dependent on external elements. ANSI T1.276 ...
  • Page 36 compliance in such cases will be the domain of the external element. ANSI T1.276 guidelines will only be implemented for locally configured operators. ...
  • Page 37: Features And Functionality - Optional Enhanced Feature Software

    Radius Change of Authorization (CoA) extension. Important: For more information on dynamic RADIUS extensions support, refer to CoA, RADIUS, And Session Redirection (Hotlining) in this guide. ...
  • Page 38: IP Security (IPSec)

    In this mode, the standby packet processing card is made active and the “standby-mode” session manager and AAA manager tasks on the newly activated packet processing card perform session recovery. ...
  • Page 39: Web Element Management System

    This architecture allows remote clients with Java-enabled web browsers to manage one or more systems via the server component which implements the CORBA interfaces. The server component is fully compatible with the fault-tolerant Sun® Solaris® operating system. The following figure demonstrates various interfaces between the Cisco Web Element Manager and other network components. Figure 4.
  • Page 40: How HNB-GW Works

    This section describes the call flow for HNB provisioning and registration procedure. The following figure and the text that follows describe the message flow for HNB provisioning and registration with HNB-GW procedure. ...
  • Page 41 • HNB Location Information: The HNB provides location information via use of one or more of the following mechanisms: • detected macro coverage information (e.g. GERAN and/or UMTS cell information) • geographical co-ordinates (e.g. via use of GPS, etc) ...
  • Page 42: UE Registration Procedure

    This procedure is applicable for non-CSG UEs or HNBs. The following figure and the text that follows describe the message flow for UE registration procedure of Non-CSG UEs or Non-CSG HNBs: ...
  • Page 43 1. Upon camping on the HNB, the UE initiates an initial NAS procedure (e.g. LU Procedure) by establishing an RRC connection with the HNB. UE capabilities are reported to the HNB as part of the RRC Connection establishment procedure. ...
  • Page 44: Iu Connection Procedures

    This procedure is applicable for establishment of IuH and IuPS/IuCS connection between HNB to HNB-GW and HNB-GW to SGSN/MSC in core network. The following figure and the text that follows describe the message flow for an Iu connection establishment procedure. ...
  • Page 45 4. The UE then continues with the authentication and security procedures towards the CN, via HNB and the HNB-GW. 5. The SGSN/MSC performs Direct Transfer procedure with HNB-GW and sends SCCP-DATA-FORM1 REQ to HNB-GW. ...
  • Page 46: Network Initiated Iu Connection Release Procedure

    This procedure is applicable for release of IuH and IuPS/IuCS connection between HNB to HNB-GW and HNB-GW to SGSN/MSC in core network. The following figure and the text that follows describe the message flow for an Iu connection release procedure initiated by CN (SGSN/MSC). ...
  • Page 47 4. On reception of successful RANAP Iu Release Complete command in RUA-DISCONNECT Response message from HNB, the HNB-GW sends RANAP Iu Release Complete command in SCCP-DATA-FORM1 Response message to CN (SGSN/MSC). ...
  • Page 48: Paging And Serving RNS Relocation Procedures

    3. If the request contains IMSI, HNB-GW finds the list of registered HNBs which have this IMSI in their white-list. If there is no such HNB found, HNB-GW sends Relocation-Request-Reject with appropriate cause. ...
  • Page 49: RANAP Reset Procedures

    HNB-GW Initiated RANAP Reset Procedure This procedure is applicable for HNB-GW-initiated RANAP Reset procedure between HNB, HNB-GW, and SGSN/MSC in core network. The HNB-GW initiates RESET towards CN node in the following scenarios: ...
  • Page 50 • If SSN Allowed indication comes after timer expiry, HNB-GW sends RANAP-RESET command message to the CN node. The RANAP-RESET from HNB-GW is sent only if HNB-GW-initiated RANAP-RESET is configured in HNB-GW service. ...
  • Page 51: Supported Standards

    • 3GPP TS 25.469 V9.2.0 (2010-06): 3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iuh interface Home Node B (HNB) Application Part (HNBAP) signalling (Release ...
  • Page 52: IETF References

    • RFC-1902, Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2), January 1996 • RFC-1903, Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2), January 1996 ...
  • Page 53 • RFC-2572, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), April 1999 • RFC-2573, SNMP Applications, April 1999 • RFC-2574, User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), April 1999 ...
  • Page 54: ITU-T Recommendations

    • RFC-4306, Internet Key Exchange (IKEv2) Protocol, December 2005 ITU-T Recommendations • ITU-T Recommendation Q.2630.1 - AAL type2 signalling protocol (Capability Set 1) • ITU-T Recommendation Q.2630.2 - AAL type2 signalling protocol (Capability Set 2) ...
  • Page 55: Object Management Group (OMG) Standards

    • ITU-T Recommendation E.164 - The international public telecommunication numbering plan • ITU-T Recommendation E.191 - B-ISDN addressing Object Management Group (OMG) Standards • CORBA 2.6 Specification 01-09-35, Object Management Group ...
  • Page 57: Understanding The Service Operation

    Prior to connecting to the command line interface (CLI) and beginning the system's configuration, there are important things to understand about how the system supports these applications. This chapter provides terminology and background information that must be considered before attempting to configure the system. ...
  • Page 58: Terminology

    • Local context: This is the default context on the system used to provide out-of-band management functionality. Logical Interfaces This section describes the logical interface supported on HNB-GW. ...
  • Page 59 • RADIUS: This interface is the reference point between a Security Gateway (SeGW) and a 3GPP AAA Server or 3GPP AAA proxy (OCS/CGF/AAA/HSS) over RADIUS protocol for AAA procedures for Femto user. ...
  • Page 60: Bindings

    • Radio Network PLMN: The Radio Network PLMN configured in HNB-GW service is required to associate PLMNs with HNB-GW. The PLMN specific configuration e.g. RNC id and association of CS or PS network shall be configured under this configuration mode. ...
  • Page 61 DNS. Once a UE has established a bearer context with an HNB-GW, the HNBs continue to use the same context as the subscriber anchored to that HNB-GW. ...
  • Page 62 The system determines the configuration used in destination context based on the parameter contained within the information received from HNB and also the configuration in HNB-GW service. The AAA context or AAA configuration in source context uses that context for subscriber authentication. ...
  • Page 63: HNB-GW Service Configuration Procedures

    Access Control List configuration, use of inappropriate port number may result in communication loss. Refer to the respective feature configuration document carefully before assigning any port number or IP address for communication with internal or external network. ...
  • Page 64: Information Required To Configure The System As An HNB-GW

    Open or encrypted passwords can be used. administrator password Remote access The type of remote access that will be used to access the system such as telnetd, sshd, and/or ftpd. type(s) ...
  • Page 65: Required System-Level Configuration Information

    A peer server id configuration may contain: • Routing context for peer server to use • Self point code in SS7 type address • Operational Mode • Peer Server Process (PSP) instance ...
  • Page 66 HNB-GW is to be connected to only one MSC within a CS network or as default MSC for all HNBs connected through specific HNB-CS network instance. Packet Switched Network Configuration ...
  • Page 67: Required Source Context Configuration Information

    17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. Gateway IP address Used when configuring static IP routes from the management interface(s) to a specific network. Iuh Interface Configuration (To/from Home-NodeB) ...
  • Page 68 RTP IP address to session manager instances over Iuh towards HNB. It is to be associated with HNB-GW service. Radio Network PLMN Configuration ...
  • Page 69: Required Destination Context Configuration Information

    Required Destination Context Configuration Information The following table lists the information that is required to configure the destination context. Table 4. Required Information for Destination Context Configuration Required Description Information ...
  • Page 70 RTP IP address to session manager instances over IuCS towards CS core networks. It is to be associated with PS network configuration. ...
  • Page 71: RTP Pool Configuration

    Use the following example to create the IPv4 address RTP pool for RTP address allocation over IuCS interface towards CS core network. configure context ip pool Notes: ...
  • Page 72: IPv4 RTP Pool Creation Over Iuh

    • Each PSC2 card requires 16 RTP pools to be configured. • Setting different priorities on individual pools can cause addresses in some pools to be used more frequently. ...
  • Page 73: RTP IP Pool Configuration Verification

    ----- --------- --------------- --------------- ------ ------ PG00 ipsec 12.12.12.0 255.255.255.0 RG00 pool3 30.30.0.0 255.255.0.0 65534 SG00 pool2 20.20.0.0 255.255.0.0 65524 PG00 pool1 10.10.0.0 255.255.0.0 65534 SG00 vpnpool 192.168.1.250 192.168.1.254 Total Pool Count: 5 ...
  • Page 74: HNB-GW Service Configuration

    Configure CS network parameters by applying the example configuration in the HNB-CS Network Configuration section. Step 12 Configure PS network parameters by applying the example configuration in the HNB-PS Network Configuration section. ...
  • Page 75: Hashing Algorithm Configuration

    • If this option is not chosen, system uses IP Source Address, IP Destination Address, IP Protocol and Source Boxer Internal Address as inputs to the hashing algorithm for ECMP-LAG distribution. ...
  • Page 76: Iuh Interface Configuration

    Peer Server Id Configuration for PS Core Network Use the following example to configure the Peer Server Id in SS7 routing domain for PS core network on system: configure ss7-routing-domain variant ...
  • Page 77: Peer Server Id Configuration For CS Core Network

    variant peer-server id name mode {loadshare | standby} routing-context self-point-code psp instance psp-mode {client | server} exchange-mode [double-ended | single-ended] end-point address ...
  • Page 78: SCCP Network Instance Configuration

    SCCP network instance. HNB-PS Network Configuration Use the following example to configure the packet switched network parameters to be associated with HNB-GW service on system: configure ...
  • Page 79: HNB-CS Network Configuration

    <cs_ip_pool_name> is name of the IP pool configured in destination context named <dest_ctxt_name> to allocate RTP end point address in this CS network over IuCS interface. ...
  • Page 80: HNB-GW Service Configuration

    { sctp | udp } payload { all | gtpu | rtcp | rtp } radio-network-plmn mcc mnc rnc-id associate ps-network associate cs-network ...
  • Page 81: GTP-U Service Configuration

    Notes: • <dest_ctxt_name> is name of the destination context in which GTP-U service configured to provide GTP-U tunnel over IuPS interface towards core network. ...
  • Page 82: X.509 Certificate Configuration

    payload match childsa [match {ipv4 | ipv6}] ip-address-alloc dynamic ipsec transform-setlist configure context subscriber default ip context-name ip address pool name ...
  • Page 83: Security Gateway And Crypto Map Template Configuration

    authentication eap-profile exit ikev2-ikesa transform-set list payload match childsa [match {ipv4 | ipv6}] ip-address-alloc dynamic ipsec transform-setlist exit ikev2-ikesa keepalive-user-activity ...
  • Page 84: Multiple MSC Selection Without Iu-Flex Configuration

    Use the following example to configure the Open Access Mode for open HNBs in an HNB-GW service instance. It also includes the paging optimization configuration for open HNBs. configure context hnbgw-service -noconfirm ...
  • Page 85: Verifying HNB-GW Configuration

    Verify configuration errors of your HNB-GW services by entering the following command in Exec Mode: show configuration errors section hnbgw-service} The output of this command displays current configuration errors and warning information for the target configuration file as specified for HNB-GW service ...
  • Page 86: Iucs Over Atm Configuration

    Configuring Linkset Id and ATM Parameters To configure the linkset id and ATM parameters you need to modify existing SS7 Routing domain configuration by applying the following example: ▄ Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide OL-25069-03...
  • Page 87: Configuring Alcap Service And Aal2 Node

    To configure the ALCAP service with AAL2 node a nd AAL2 path parameters apply the following example: configure context alcap-service -noconfirm associate ss7-routing-domain self-point-code aal2-route endpoint aal2-node aal2-node point-code aal2-path-id [block] Notes: Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide ▄ OL-25069-03...
  • Page 88: Configuring The Atm Port

    Associating ALCAP Service with HNB-CS Network Service To associate a pre-configured ALCAP service with HNB-CS Network Service for IuCS-over-ATM function, apply the following example configuration: configure cs-network ▄ Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide OL-25069-03...
  • Page 89  < > is name of the ALCAP service configured in destination context named alcap_svc_name < > to provide IuCS over ATM support through this CS network. alcap_ctxt_name Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide ▄ OL-25069-03...
  • Page 90: Iu-Flex Configuration

    HNB-GW node. Important: Offload check is only for the primary point code and NOT for the backup point code. This command can be used for planned maintenance as well. ▄ Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide OL-25069-03...
  • Page 91: Iu-Flex Over Iups Interface Configuration

    Flex functionality on HNB-GW node. Important: Offload check is only for the primary point code and NOT for the backup point code. This command can be used for planned maintenance as well. Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide ▄ OL-25069-03...
  • Page 92: Logging Facility Configuration

    Refer System Administration Guide for more information on logging facility configuration. Displaying Logging Facility This section shows the logging facility event logs for logging facilities enabled on HNB-GW node. ▄ Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide OL-25069-03...
  • Page 93 Verify the logging facilities configured on HNB-GW system node by entering the following command in Exec Mode: show logging [ active | verbose] The output of this command provides the display of event logs for configured logging facilities. Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide ▄ OL-25069-03...
  • Page 94: Congestion Control Configuration

    Configuring Service Congestion Policies To create a congestion control policy, apply the following example configuration: configure congestion-control policy hnbgw-service action { drop | none | reject } Notes: ...
  • Page 95: Configuring New Call Policy

    [all | name ] reject Notes: • For HNB-GW service sessions reject is the default action for all new calls coming on a specific or all HNB-GW service instance. ...
  • Page 96: Alarm And Alert Trap Configuration

    Command Line Interface Reference for more information. • For more information on SNMP Traps, refer to the System SNMP-MIB Reference. • Repeat this configuration as needed for additional traps. ...
  • Page 97: Snmp-Mib Traps For Hnb-Gw Service

    1157; starALCAPPathReset: starentTraps 1158; starALCAPBlock: starentTraps 1159; starALCAPUnBlock: starentTraps 1160. Important: For more information on SNMP trap configuration and supported object ids, refer to the System SNMP-MIB Reference. ...
  • Page 98: Event Ids For Hnb-Gw Service

    Network Access Signaling Facility Events: 153000-153999; Statistics Facility Events: 31000-31999; System Facility Events: 1000-1999; System Initiation Task (SIT) Main Facility Events: 4000-4999; Threshold Facility Events: 61000-61999; Virtual Private Network Facility Events: 5000-5999 ...
  • Page 99: Monitoring The Service

    In addition to the CLI, the system supports the sending of Simple Network Management Protocol (SNMP) traps that indicate status and alarm conditions. Refer to the SNMP MIB Reference Guide for a detailed listing of these traps. ...
  • Page 100: Monitoring System Status And Performance

    • HNBAP • RANAP • SCCP • ALCAP • AAL2 • GTP-U • View Subscriber Information. Display Session Resource Status. View session resource status: show resources session ...
  • Page 101 View ALCAP service facility statistics. View ALCAP Manager facility statistics: show logs facility alcapmgr. View HNB-GW Manager facility statistics: show logs facility hnb-gw. View HNB Manager facility statistics: show logs facility hnbmgr ...
  • Page 102 View HNB-GW service statistics filtered by an HNB id: show hnbgw statistics hnbid hnb_identifier. View GTP-U Service Statistics. View GTP-U peer information: show gtpu statistics peer-address ip_address. View GTP-U Service information: show gtpu statistics gtpu-service gtpu_svc_name ...
  • Page 103: Monitoring Logging Facility

    Monitor threshold logging facility on HNB-GW system: logging filter active facility threshold { critical | error | warning | unusual | info | trace | debug } ...
  • Page 104: Clearing Statistics And Counters

    (AAL2, ALCAP, HNB, HNB-GW, GTP-U, etc.). Statistics and counters can be cleared using the CLI clear command. Refer to Command Line Interface Reference for detailed information on using this command. ...
  • Page 105: Troubleshooting The Service

    Chapter 5 Troubleshooting the Service This chapter provides information and instructions for using the system command line interface (CLI) for troubleshooting issues that may arise during service operation. ...
  • Page 106: Test Commands

    SGSNs which can be useful for troubleshooting and/or monitoring. The test is performed by the system sending GTPv0 echo request messages to the specified SGSN(s) and waiting for a response. ...
  • Page 107: Using The Ipsec Tunnel Test Command

    The IP address of destination node of IPsec tunnel. src_ip_address: The IP address of source node of IPsec tunnel. ...
  • Page 108: Performance Improvement Commands

    Configure the number of IPC messages to aggregate before flushing. number_msgs: Enter the integer 1 (to disable aggregation) or an integer from 2 to 164 to define the number of messages. Default is 10. ...
  • Page 109: Engineering Rules

    This section provides engineering rules or guidelines that must be considered prior to configuring the system for your network deployment. This appendix describes the following engineering rules for HNB-GW service: • DHCP Service Engineering Rules • HNB-GW Engineering Rules • Service Engineering Rules ...
  • Page 110: Dhcp Service Engineering Rules

    The following engineering rules apply to the DHCP Service: • Up to 8 DHCP servers may be configured per DHCP service. • A maximum of 3 DHCP servers can be tried for a call. ...
  • Page 111: Hnb-Gw Engineering Rules

    • A maximum of 4 PLMN ids can be configured in an HNB-GW service. • A maximum of 1 SeGW IP address can be associated with an HNB-GW service. ...
  • Page 112: Interface And Port Engineering Rules

    • PS Network services must be configured within the egress context. • Multiple SGSNs (maximum 25) can be configured through IuPS interfaces within the HNB-GW service instance. ...
  • Page 113: Service Engineering Rules

    (i.e. resulting from such things as system handoffs). Therefore, it is recommended that a large number of services only be configured if your application absolutely requires it. Please contact your local service representative for more information. ...
  • Page 115: Coa, Radius Dm, And Session Redirection (Hotlining)

    Administration Guide, before using the procedures in this chapter. Important: Not all commands and keywords/variables are available or supported. This depends on the platform type and the installed license(s). ...
  • Page 116: Radius Change Of Authorization And Disconnect Message

    Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, ...
  • Page 117: Enabling Coa And Dm

    • Framed-IP-Address: The values should exactly match the framed IP address of the session. • Calling-station-id: The value should match the Mobile Station ID. ...
  • Page 118: Coa And Dm Error-Cause Attribute

    • 406 - Unsupported Extension • 501 - Administratively Prohibited • 503 - Session Context Not Found • 504 - Session Context Not Removable • 506 - Resources Unavailable ...
  • Page 119: Viewing Coa And Dm Statistics

    0 Total acct keepalive timeout 0 Total acct keepalive purged 0 Total aaa acct cancelled 426 Total radius acct requests 0 Current radius acct requests 0 Total radius acct requests retried ...
  • Page 120 0 Total prepaid online success 0 Current prepaid online failure 0 Total prepaid online retried 0 Total prepaid online cancelled 0 Current prepaid online purged 0 Total aaamgr purged requests ...
  • Page 121 0 SGSN: Total db records 0 SGSN: Total sub db records 0 SGSN: Total mm records 0 SGSN: Total pdp records 0 SGSN: Total auth records ...
  • Page 122: Session Redirection (Hotlining)

    Changing ACL and rulebase together in a single CoA is not supported. For this, two separate CoA requests can be sent through AAA server requesting for one attribute change per request. ...
  • Page 123: Session Limits On Redirection

    The following command displays debug information for a subscriber with the MSID 0000012345: show subscribers debug-info msid 0000012345 The following is a sample output of this command: username: user1 callid: 01ca11b1 msid: 0000100003 ...
  • Page 124 IPv4 Reassembly Statistics: Success: 0 In Progress: 0 Failure (timeout): 0 Failure (no buffers): 0 Failure (other reasons): 0 Redirected Session Entries: Allowed: 2000 Current: 0 Added: 0 Deleted: 0 ...
  • Page 125 Redundancy Status: Original Session Checkpoints Attempts Success Last-Attempt Last-Success Full: 27 26 15700ms 15700ms Micro: 76 76 4200ms 4200ms Current state: SMGR_STATE_CONNECTED FSM Event trace: State Event SMGR_STATE_OPEN SMGR_EVT_NEWCALL SMGR_STATE_NEWCALL_ARRIVED SMGR_EVT_ANSWER_CALL ...
  • Page 126 Peer callline: Redundancy Status: Original Session Checkpoints Attempts Success Last-Attempt Last-Success Full: 0 0 0ms 0ms Micro: 0 0 0ms 0ms Current state: SMGR_STATE_CONNECTED FSM Event trace: State Event ...
  • Page 127 Failure (timeout): 0 Failure (no buffers): 0 Failure (other reasons): 0 Redirected Session Entries: Allowed: 2000 Current: 0 Added: 0 Deleted: 0 Revoked for use by different subscriber: 0 ...
  • Page 129: Ip Security

    Administration Guide, before using the procedures in this chapter. Important: The IP Security is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
  • Page 130 • APN Template Configuration to Support L2TP • IPSec for LTE/SAE Networks ...
  • Page 131: Overview

    IPSec is supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected. • L2TP: L2TP-encapsulated packets are routed from the system to an LNS/secure gateway over an IPSec tunnel. ...
  • Page 132: Applicable Products And Relevant Sections

    LAC Service Configuration to Support IPSec • Subscriber Attributes for L2TP Application IPSec Support • PDSN Service Configuration for L2TP Support • Redundant IPSec Tunnel Fail-Over • Dead Peer Detection (DPD) Configuration ...
  • Page 133 RADIUS Attributes for IPSec-based Mobile IP Applications • LAC Service Configuration to Support IPSec • Redundant IPSec Tunnel Fail-Over • Dead Peer Detection (DPD) Configuration • TAPN Template Configuration to Support L2TP ...
  • Page 134 RADIUS Attributes for IPSec-based Mobile IP Applications • LAC Service Configuration to Support IPSec • Subscriber Attributes for L2TP Application IPSec Support • Redundant IPSec Tunnel Fail-Over • Dead Peer Detection (DPD) Configuration ...
  • Page 135: Ipsec Terminology

    Crypto Maps define the tunnel policies that determine how IPSec is implemented for subscriber data packets. There are three types of crypto maps supported by the system. They are: • Manual crypto maps ...
  • Page 136: Manual Crypto Maps

    The system determines when to implement IPSec for Mobile IP based on RADIUS attribute values as well as the configurations of the FA and HA service(s). ...
  • Page 137: Implementing Ipsec For Pdn Access Applications

    [Figure: diagram of transform sets, ISAKMP policies, crypto map, services and the source, destination and local contexts] Table 9. IPSec PDN Access Processing (columns: Step, Description) ...
  • Page 138: Configuring Ipsec Support For Pdn Access

    Transform Set Configuration section of this chapter. Step 3 Configure one or more ISAKMP policies according to the instructions located in the ISAKMP Policy Configuration section of this chapter. ...
  • Page 139 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference. ...
  • Page 140: Implementing Ipsec For Mobile Ip Applications

    Configuring IPSec Support for Mobile IP How the IPSec-based Mobile IP Configuration Works The following figure and the text that follows describe how Mobile IP sessions using IPSec are processed by the system. ...
  • Page 141: Aaa Server

    [Figure: diagram of policies, crypto maps and services in the source, destination and local contexts] Table 10. IPSec-based Mobile IP Session Processing (columns: Step, Description) ...
  • Page 142 3GPP2-S indicating the “S” secret used to generate the HA’s response to the D-H exchange • 3GPP2-S-Lifetime indicating the length of time that the “S” secret is valid • 3GPP2-Security-Level set to 3 for IPSec tunnels and registration messages (optional) ...
  • Page 143: Configuring Ipsec Support For Mobile Ip

    Configure an ipsec-isakmp crypto map or the FA system according to the instructions located in the Dynamic Crypto Map Configuration section of this chapter. The crypto map(s) must be configured in the same context as the FA service. ...
  • Page 144 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference. ...
  • Page 145: Implementing Ipsec For L2Tp Applications

    Configuring GGSN Support for L2TP Tunneling with IPSec How IPSec is Used for Attribute-based L2TP Configurations The following figure and the text that follows describe how IPSec-encrypted attribute-based L2TP sessions are processed by the system. ...
  • Page 146 L2TP. In addition, attributes specifying a crypto map name and ISAKMP secret are also supplied indicating that IP security is also required. The system determines that the crypto map name supplied matches a configured crypto map. ...
  • Page 147: Configuring Support For L2Tp Attribute-Based Tunneling With Ipsec

    Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference. ...
  • Page 148: How Ipsec Is Used For Pdsn Compulsory L2Tp Configurations

    The LAC service dictates the peer LNS to use and also specifies the following parameters indicating that IP security is also required: • Crypto map name • ISAKMP secret The system determines that the crypto map name supplied matches a configured crypto map. ...
  • Page 149: Configuring Support For L2Tp Pdsn Compulsory Tunneling With Ipsec

    Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference. ...
  • Page 150: How Ipsec Is Used For L2Tp Configurations On The Ggsn

    Whether perfect forward secrecy (PFS) should be enabled for the IPSec SA and if so, what group should be used • IPSec SA lifetime parameters • The name of one or more configured transform set defining the IPSec SA ...
  • Page 151: Configuring Ggsn Support For L2Tp Tunneling With Ipsec

    Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference. ...
  • Page 152: Transform Set Configuration

    • For more information on parameters, refer to the IPSec Transform Configuration Mode Commands chapter in the Command Line Interface Reference. Verifying the Crypto Transform Set Configuration These instructions are used to verify the crypto transform set(s) was/were configured. ...
  • Page 153 This command produces an output similar to that displayed below using the configuration of a transform set named test1. Transform-Set test1 : AH : none ESP :hmac md5-96, 3des-cbc Encaps Mode: TUNNEL ...
  • Page 154: Isakmp Policy Configuration

    <priority> dictates the order in which the ISAKMP policies are proposed when negotiating IKE SAs. • For more information on parameters, refer to the ISAKMP Configuration Mode Commands chapter in the Command Line Interface Reference. ...
  • Page 155: Verifying The Isakmp Policy Configuration

    Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information. ...
  • Page 156: Isakmp Crypto Map Configuration

    { primary | secondary } Notes: • <ctxt_name> is the system context in which you wish to create and configure the ISAKMP crypto maps. ...
  • Page 157: Verifying The Isakmp Crypto Map Configuration

    Perfect Forward Secrecy : Group2 Hard Lifetime : 28800 seconds 4608000 kilobytes Number of Transforms: 1 Transform : test1 AH : none ESP: md5 3des-cbc Encaps mode: TUNNEL ...
  • Page 158 Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information. ...
  • Page 159: Dynamic Crypto Map Configuration

    • For more information on parameters, refer to the Crypto Map Dynamic Configuration Mode Commands chapter in the Command Line Interface Reference. Verifying the Dynamic Crypto Map Configuration These instructions are used to verify the dynamic crypto map configuration. ...
  • Page 160 Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information. ...
  • Page 161: Manual Crypto Map Configuration

    | esp [ encrypted ] cipher [ encrypted ] authenticator } Notes: • <ctxt_name> is the system context in which you wish to create and configure the manual crypto maps. ...
  • Page 162: Verifying The Manual Crypto Map Configuration

    SPI : 0x102 (258) Hmac : md5, key: 23d32d23cs89 Cipher : 3des-cbc, key: 1234asd3c3d Receive Flow Protocol : ESP SPI : 0x101 (257) Hmac : md5, key: 008j90u3rjp ...
  • Page 163 Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information. ...
  • Page 164: Crypto Map And Interface Association

    <map_name> is the name of the preconfigured ISAKMP or a manual crypto map. Verifying the Interface Configuration with Crypto Map These instructions are used to verify the interface configuration with crypto map. ...
  • Page 165 The interface configuration aspect of the display should look similar to that shown below. In this example an interface named 20/6 was configured with a crypto map called isakmp_map1. interface 20/6 ip address 192.168.4.10 255.255.255.0 crypto-map isakmp_map1 ...
  • Page 166: Fa Services Configuration To Support Ipsec

    IPSec SAs to all HAs. Note that once an IPSec tunnel is established between the FA and HA for a particular subscriber, all new Mobile IP sessions using the same FA and HA are passed over the ...
  • Page 167: Verifying The Fa Service Configuration With Ipsec

    { name service_name | all } The output of this command is a concise listing of FA service parameter settings configured on the system. ...
  • Page 168: Ha Service Configuration To Support Ipsec

    <aaa_ctxt_name> is the name of the context through which the HA service accesses the HAAA server to fetch the IKE S Key and S Lifetime parameters. • <map_name> is the name of the preconfigured ISAKMP or a manual crypto map. ...
  • Page 169: Verifying The Ha Service Configuration With Ipsec

    { name service_name | all } The output of this command is a concise listing of HA service parameter settings configured on the system. ...
  • Page 170: Radius Attributes For Ipsec-Based Mobile Ip Applications

    'S' secret parameter used to make the IKE pre-shared secret. January 1, 1970 00:00 UTC. Note that this is equivalent to the Unix operating system expression of time. ...
  • Page 171: Lac Service Configuration To Support Ipsec

    isakmp peer-fa crypto-map [ secret ] Notes: • <ctxt_name> is the destination context where the LAC service is configured to support IPSec. ...
  • Page 172: Verifying The Lac Service Configuration With Ipsec

    Verify that your LAC service is configured properly with IPSec by entering the following command in Exec Mode in specific context: show lac-service name service_name The output of this command is a concise listing of LAC service parameter settings configured on the system. ...
  • Page 173: Subscriber Attributes For L2Tp Application Ipsec Support

    D-H secret. exchange to negotiate an IKE It can be tagged, in which case it is treated as part of a tunnel group. ...
  • Page 174: Pdsn Service Configuration For L2Tp Support

    Use the following example to modify an existing PDSN service to support attribute-based L2TP tunneling on your system: configure context pdsn-service ppp tunnel-context Notes: • <ctxt_name> is the destination context where the PDSN service is configured. ...
  • Page 175: Modifying Pdsn Service To Support Compulsory L2Tp Tunneling

    Verify that your PDSN service is configured properly with L2TP by entering the following command in Exec Mode in specific context: show pdsn-service name service_name The output of this command is a concise listing of PDSN service parameter settings configured on the system. ...
  • Page 176: Redundant Ipsec Tunnel Fail-Over

    Support for the following standards and requests for comments (RFCs) has been added with the Redundant IPSec Tunnel Fail-over functionality: • RFC 3706, A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers, February 2004 ...
  • Page 177: Redundant Ipsec Tunnel Fail-Over Configuration

    Use the following example to configure a crypto group on your system for redundant IPSec tunnel fail-over support: configure context ikev1 keepalive dpd interval timeout num-retry ...
  • Page 178: Modify Isakmp Crypto Map Configuration To Match Crypto Group

    <map_name2> is the name of the preconfigured ISAKMP crypto map to match with crypto group as secondary. Verifying the Crypto Group Configuration These instructions are used to verify the crypto group configuration. ...
  • Page 179 [ summary | name group_name ] The output of this command is a concise listing of crypto group parameter settings configured on the system. ...
  • Page 180: Dead Peer Detection (Dpd) Configuration

    ikev1 keepalive dpd interval timeout num-retry Notes: • <ctxt_name> is the destination context where the Crypto Group is to be configured. ...
  • Page 181: Verifying The Dpd Configuration

    Mode in specific context: show crypto group [ summary | name group_name ] The output of this command is a concise listing of crypto group parameter settings configured on the system. ...
  • Page 182: Apn Template Configuration To Support L2Tp

    <agw_ip_address> is the local IP address of the GGSN in which this APN template is configured. • <map_name> is the preconfigured crypto map (ISAKMP or manual) which is to be used for L2TP. ...
  • Page 183: Verifying The Apn Configuration For L2Tp

    Verify that your APN is configured properly with L2TP by entering the following command in Exec Mode in specific context: show apn { all | name apn_name } The output of this command is a concise listing of FA service parameter settings configured on the system. ...
  • Page 184: Ipsec For Lte/Sae Networks

    IPSec for LTE/SAE Networks The Cisco MME (Mobility Management Entity), S-GW (Serving Gateway), and P-GW (Packet Data Network Gateway) support IPSec and IKEv2 encryption using IPv4 and IPv6 addressing in LTE/SAE (Long Term Evolution/System Architecture Evolution) networks. IPSec and IKEv2 encryption enables network domain security for all IP packet-switched networks, providing confidentiality, integrity, authentication, and anti-replay protection via secure IPSec tunnels.
  • Page 185: Dynamic Node-To-Node Ipsec Tunnels

    Database (SPD), the subsystem must protect the packet via IPSec tunneling. Traffic selectors enable an IPSec subsystem to accomplish this by allowing two endpoints to share information from their SPDs. Traffic selector payloads contain ...
  • Page 186: Authentication Methods

    CA certificates can be bound to one crypto template. For configuration instructions for X.509 certificate-based peer authentication, see the configuration chapter in the administration guides for the MME, S-GW, and P-GW. ...
  • Page 187 CA certificate that is in the trust chain of the peer certificate. At this point in the negotiation, the IKE_SA_INIT exchange is complete and all but the headers of all the messages that follow are encrypted and integrity-protected. ...
  • Page 188: Certificate Revocation Lists

    Child SA are processed by the IPSec node and not dropped. Child SA rekeying is disabled by default, and rekey requests are ignored. This feature gets enabled in the Crypto Configuration Payload Mode of the system’s CLI. ...
  • Page 189: Ikev2 Keep-Alive Messages (Dead Peer Detection)

    [Figure: E-UTRAN/EPC Logical Network Interfaces Supporting IPSec Tunnels; labels: E-UTRAN, Signaling Interface, Bearer Interface, S-GW, P-GW, S1-MME, S1-U, eNodeB] Table 17. E-UTRAN/EPC Logical Network Interfaces Supporting IPSec Tunnels (columns: Interface, Description) ...
  • Page 190: Ipsec Tunnel Termination

    • E-UTRAN Handover Handling: Any IPSec tunnel that becomes unusable due to an E-UTRAN network handover gets terminated, while the network node to which the session is handed initiates a new IPSec tunnel for the session. ...

This manual is also suitable for:

Asr 5000 series
