Table Of Contents
Configuring Network Access to the GGSN
Configuring an Interface to the SGSN
Verifying the Interface Configuration to the SGSN
Configuring a Route to the SGSN
Configuring a Static Route to the SGSN
Verifying the Route to the SGSN
Configuring Access Points on the GGSN
Description of Access Points in a GPRS/UMTS Network
Access Point Implementation on the Cisco GGSN
Basic Access Point Configuration Task List
Configuring the GPRS Access Point List on the GGSN
Creating an Access Point and Specifying Its Type on the GGSN
Configuring Real Access Points on the GGSN
PDN Access Configuration Task List
VPN Access Using VRF Configuration Task Lists
Configuring Other Access Point Options
Verifying the Access Point Configuration
Verifying the GGSN Configuration
Verifying Reachability of the Network Through the Access Point
Configuring Access to External Support Servers
Configuring Virtual APN Access on the GGSN
Overview of the Virtual APN Feature
Virtual APN Configuration Task List
Configuring Virtual Access Points on the GGSN
Verifying the Virtual APN Configuration
Blocking Access to the GGSN by Foreign Mobile Stations
Overview of Blocking Foreign Mobile Stations
Blocking Foreign Mobile Stations Configuration Task List
Configuring the MCC and MNC Values
Enabling Blocking of Foreign Mobile Stations on the GGSN
Verifying the Blocking of Foreign Mobile Stations Configuration
Controlling Access to the GGSN by MSs with Duplicate IP Addresses
Configuring Routing Behind the Mobile Station on an APN
Enabling Routing Behind the Mobile Station
Verifying the Routing Behind the Mobile Station Configuration
Access Point List Configuration Example
VRF Tunnel Configuration Example
Virtual APN Configuration Example
Blocking Access by Foreign Mobile Stations Configuration Example
Duplicate IP Address Protection Configuration Example
Configuring Network Access to the GGSN
This chapter describes how to configure access from the gateway GPRS support node (GGSN) to a serving GPRS support node (SGSN), public data network (PDN), and optionally to a Virtual Private Network (VPN). It also includes information about configuring access points on the GGSN.
For a complete description of the GGSN commands in this chapter, refer to the Cisco GGSN Release 5.2 Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.
This chapter includes the following sections:
•Configuring an Interface to the SGSN (Required)
•Configuring a Route to the SGSN (Required)
•Configuring Access Points on the GGSN (Required)
•Configuring Access to External Support Servers (Optional)
•Configuring Virtual APN Access on the GGSN (Optional)
•Blocking Access to the GGSN by Foreign Mobile Stations (Optional)
•Controlling Access to the GGSN by MSs with Duplicate IP Addresses (Optional)
•Configuring Routing Behind the Mobile Station on an APN (Optional)
Configuring an Interface to the SGSN
To establish access to an SGSN, you must configure an interface to the SGSN. In general packet radio service/Universal Mobile Telecommunication System (GPRS/UMTS), the interface between the GGSN and the SGSN is referred to as the Gn interface. GGSN Release 4.0 and later supports both a 2.5G and 3G Gn interface.
On the Cisco 7200 series router platform, this interface is a physical one. On the Catalyst 6500 series switch / Cisco 7600 series Internet router platform, this interface is a logical one (on which IEEE 802.1Q encapsulation has been configured) to the Layer 3 routed Gn VLAN configured on the Supervisor/Multilayer Switch Feature Card 2 (MSFC2).
For more information about the Gn VLAN on the Supervisor/MSFC2, see Catalyst 6500 / Cisco 7600 Series Platform Prerequisites.
For more information about configuring interfaces, see the Cisco IOS Interface Configuration Guide and the Cisco IOS Interface Command Reference.
Configuring Physical Interfaces
The type of physical interface that you configure on the GGSN depends on whether you are supporting an SGSN that is collocated with a GGSN, or an enterprise GGSN that is connected to the SGSN through a WAN interface.
When a GGSN is collocated with the SGSN, the physical interface is frequently configured for Fast Ethernet. The supported WAN interfaces for a remote SGSN include T1/E1, T3/E3, and Frame Relay. For information on configuring WAN interfaces, see the Cisco IOS Interface Configuration Guide and the Cisco IOS Interface Command Reference.
To configure a physical Gn interface to the SGSN that supports Fast Ethernet on a Cisco 7200 series router, use the following commands, beginning in global configuration mode:
Configuring 802.1Q-Encapsulated Subinterfaces
To configure a subinterface that supports IEEE 802.1Q encapsulation to the Gn VLAN, use the following commands, beginning in global configuration mode:
Verifying the Interface Configuration to the SGSN
Cisco 7200 Platform
To verify the interface to the SGSN, you can first verify your GGSN configuration and then verify that the interface is available.
Step 1 To verify that you have properly configured a Gn interface on the GGSN, use the show running-config command. The following example is a portion of the output from the command showing the Fast Ethernet 0/0 physical interface configuration as the Gn interface to the SGSN:
GGSN# show running-config
Building configuration...
Current configuration : 2875 bytes
!
version 12.2
. . .
!
interface FastEthernet0/0
 description Gn interface to SGSN
 ip address 10.10.1.3 255.255.255.0
 no ip mroute-cache
 duplex full
. . .

Step 2 To verify that a physical interface is available, use the show ip interface brief command. The following example shows that the Fast Ethernet 0/0 interface to the SGSN is in "up" status and that the protocol is also "up":
GGSN# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.10.1.3       YES NVRAM  up                    up
FastEthernet1/0        10.29.0.2       YES NVRAM  up                    up
FastEthernet1/1        10.13.0.2       YES NVRAM  up                    up
FastEthernet2/0        unassigned      YES NVRAM  administratively down down
Ethernet6/0            10.99.0.12      YES NVRAM  up                    up
Ethernet6/1            unassigned      YES NVRAM  administratively down down
Ethernet6/2            unassigned      YES NVRAM  administratively down down
Ethernet6/3            unassigned      YES NVRAM  administratively down down
Ethernet6/4            unassigned      YES NVRAM  administratively down down
Ethernet6/5            unassigned      YES NVRAM  administratively down down
Ethernet6/6            unassigned      YES NVRAM  administratively down down
Ethernet6/7            10.35.35.2      YES NVRAM  up                    up
Virtual-Access1        10.44.44.1      YES TFTP   up                    up
Virtual-Template1      10.44.44.1      YES manual down                  down

Catalyst 6500 / Cisco 7600 Platform
Step 1 To verify that you have properly configured a Gn interface on the Supervisor/MSFC2, use the show running-config command. The following example is a portion of the output from the command showing the Fast Ethernet 8/22 physical interface configuration as the Gn interface to the SGSN:
Sup# show running-config
Building configuration...
Current configuration :12672 bytes
!
version 12.2
...
interface FastEthernet8/22
 no ip address
 switchport
 switchport access vlan 302
!
interface Vlan101
 description Vlan to GGSN for GA/GN
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan302
 ip address 40.0.2.1 255.255.255.0

Step 2 To verify that the physical interface and the Gn VLAN are available, use the show interface command on the Supervisor/MSFC2. The following example shows that the Fast Ethernet 8/22 physical interface to the charging gateway is up, as is the Gn VLAN, VLAN 101.
Sup# show ip interface brief FastEthernet8/22
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet8/22       unassigned      YES unset  up                    up
Sup# show ip interface brief Vlan302
Interface              IP-Address      OK? Method Status                Protocol
Vlan302                40.0.2.1        YES TFTP   up                    up
Sup#

Step 3 To verify the Gn VLAN configuration and availability, use the show vlan name command on the Supervisor/MSFC2. The following example shows the Gn VLAN Gn_1:
Sup# show vlan name Gn_1

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
302  Gn_1                             active    Gi4/1, Gi4/2, Gi4/3, Gi7/1
                                                Gi7/2, Gi7/3, Fa8/22, Fa8/26

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
302  enet  100302     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Step 4 On the GGSN, to verify that you have properly configured a Gn subinterface to the Gn VLAN, use the show running-config command. The following example is a portion of the output from the command showing the Gigabit Ethernet 0/0.2 subinterface configuration as the Gn interface to the charging gateway:
GGSN# show running-config
Building configuration...
Current configuration :7390 bytes
!
! Last configuration change at 16:56:05 UTC Wed Jun 25 2003
! NVRAM config last updated at 23:40:27 UTC Fri Jun 13 2003
!
version 12.3
.....
interface GigabitEthernet0/0.2
 description Ga/Gn Interface
 encapsulation dot1Q 101
 ip address 10.1.1.72 255.255.255.0
 no cdp enable
!
.....
ip route 40.1.2.1 255.255.255.255 10.1.1.1

Step 5 To verify that the subinterface is available, use the show ip interface brief command. The following example shows that the Gigabit Ethernet 0/0.2 subinterface to the Gn VLAN is in "up" status and that the protocol is also "up":
GGSN# show ip interface brief GigabitEthernet0/0.2
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0.2   10.1.1.72       YES NVRAM  up                    up

Configuring a Route to the SGSN
To communicate with the SGSN, you can use static routes or a routing protocol, such as Open Shortest Path First (OSPF).
Note For the SGSN to communicate successfully with the GGSN, the SGSN must also have a static route to, or be able to dynamically route to, the IP address of the GGSN virtual template, not the IP address of a GGSN interface.
The following sections provide some basic commands that you can use to configure a static route or enable OSPF routing on the GGSN. For more information about configuring IP routes, see the Cisco IOS IP Configuration Guide and Cisco IOS IP Command References.
The following topics are included in this section:
•Configuring a Static Route to the SGSN
•Verifying the Route to the SGSN
Configuring a Static Route to the SGSN
A static route establishes a fixed route to the SGSN that is stored in the routing table. If you are not implementing a routing protocol, such as OSPF, then you can configure a static route to the SGSN, to establish the path between network devices.
To configure a static route from an interface to the SGSN, use the following commands, beginning in global configuration mode:
Configuring OSPF
As with other routing protocols, enabling OSPF requires that you create an OSPF routing process, specify the range of IP addresses to be associated with the routing process, and assign area IDs to be associated with that range of IP addresses.
Note On the Catalyst 6500 / Cisco 7600 platform, the OSPF routing process is configured on the Supervisor/MSFC2 to advertise only the GPRS tunneling protocol (GTP) server load balancing (SLB) virtual server and the GGSN virtual template addresses.
To configure OSPF, use the following commands, beginning in global configuration mode:
Verifying the Route to the SGSN
To verify the route to the SGSN, you can first verify your GGSN configuration and then verify that a route has been established.
Cisco 7200 Platform
Step 1 To verify the GGSN configuration, use the show running-config command and verify the static route that you configured to the SGSN or your OSPF configuration. The following example shows a partial configuration with an OSPF routing process for the 10.10.0.0 network (toward the end of the example) using the Fast Ethernet 0/0 interface to the SGSN:
GGSN# show running-config
Building configuration...
Current configuration : 2875 bytes
!
version 12.2
. . .
!
interface FastEthernet0/0
 description Gn interface to SGSN
 ip address 10.10.1.3 255.255.255.0
 no ip mroute-cache
 duplex full
!
interface FastEthernet6/0
 ip address 172.16.43.243 255.255.255.240
 no ip mroute-cache
 duplex half
!
!
interface loopback 1
 ip address 10.11.11.1 255.255.255.0
!
interface Virtual-Template1
 ip unnumber loopback 1
 encapsulation gtp
!
router ospf 1
 log-adjacency-changes
 network 10.10.0.0 0.0.255.255 area 0
!
ip default-gateway 172.16.43.241
ip classless
ip route 10.22.22.1 255.255.255.255 FastEthernet2/0
ip route 192.64.0.0 255.0.0.0 172.16.43.241
ip route 172.16.0.0 255.255.0.0 172.16.43.241
no ip http server
no ip pim bidir-enable
. . .

Step 2 To verify that the GGSN has established a route to the SGSN, use the show ip route command, as shown in the following example:
GGSN# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.11.11.0/24 is subnetted, 1 subnets
C       10.11.11.0 is directly connected, Virtual-Access1
     172.16.0.0/16 is variably subnetted, 1 subnets, 2 masks
S       172.16.0.0/16 [1/0] via 172.16.43.241
C       172.16.43.243/28 is directly connected, FastEthernet6/0
     10.0.0.0/24 is subnetted, 1 subnets
O       10.10.1.0 [110/2] via 10.10.1.3, 00:00:10, FastEthernet0/0
C       10.10.1.0 is directly connected, FastEthernet0/0
Catalyst 6500 / Cisco 7600 Platform
Step 1 To verify the Supervisor/MSFC2 configuration, use the show running-config command and verify the route that you configured to the SGSN. The following example shows the part of the Supervisor/MSFC2 configuration that provides the route to the SGSN:
Sup# show running-config
Building configuration...
Current configuration :3642 bytes
!
version 12.3
...
ip slb vserver V0-GGSN
 virtual 10.10.10.10 udp 3386 service gtp
!
vlan 101
 name Internal_Gn/Ga
!
vlan 302
 name Gn_1
!
vlan 303
 name Ga_1
!
interface FastEthernet8/22
 no ip address
 switchport
 switchport access vlan 302
!
interface FastEthernet8/23
 no ip address
 switchport
 switchport access vlan 302
!
interface FastEthernet8/24
 no ip address
 switchport
 switchport access vlan 303
!
interface Vlan101
 description Vlan to GGSN for GA/GN
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan302
 ip address 40.0.2.1 255.255.255.0
!
interface Vlan303
 ip address 40.0.3.1 255.255.255.0
!
router ospf 300
 log-adjacency-changes
 summary-address 9.9.9.0 255.255.255.0
 redistribute static subnets route-map GGSN-routes
 network 40.0.2.0 0.0.0.255 area 300
 network 40.0.3.0 0.0.0.255 area 300
!
ip route 9.9.9.42 255.255.255.255 10.1.1.42
ip route 9.9.9.43 255.255.255.255 10.1.1.43
ip route 9.9.9.44 255.255.255.255 10.1.1.44
ip route 9.9.9.45 255.255.255.255 10.1.1.45
ip route 9.9.9.46 255.255.255.255 10.1.1.46
ip route 9.9.9.72 255.255.255.255 10.1.1.72
ip route 9.9.9.73 255.255.255.255 10.1.1.73
ip route 9.9.9.74 255.255.255.255 10.1.1.74
ip route 9.9.9.75 255.255.255.255 10.1.1.75
ip route 9.9.9.76 255.255.255.255 10.1.1.76
!
access-list 1 permit 9.9.9.0 0.0.0.255
!
route-map GGSN-routes permit 10
 match ip address 1

Step 2 To verify the GGSN configuration, use the show running-config command. The following example shows the part of the GGSN configuration that provides the route to the SGSN:
Sup# show running-config
Building configuration...
Current configuration :3642 bytes
!
version 12.3
!
...
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.2
 description Ga/Gn Interface
 encapsulation dot1Q 101
 ip address 10.1.1.72 255.255.255.0
 no cdp enable
!
ip route 40.1.2.1 255.255.255.255 10.1.1.1
ip route 40.2.2.1 255.255.255.255 10.1.1.1
ip route 40.1.3.10 255.255.255.255 10.1.1.1
ip route 40.2.3.10 255.255.255.255 10.1.1.1

Step 3 To verify that the Supervisor/MSFC2 has established a route to the SGSN, use the show ip route command as shown in the following examples:
Sup# show ip route ospf 300
     9.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
O       9.9.9.0/24 is a summary, 1w1d, Null0
!
Sup# show ip route 9.9.9.72
Routing entry for 9.9.9.72/32
  Known via "static", distance 1, metric 0
  Redistributing via ospf 300
  Routing Descriptor Blocks:
  * 10.1.1.72
      Route metric is 0, traffic share count is 1
!
Configuring Access Points on the GGSN
Successful configuration of access points on the GGSN requires careful consideration and planning to establish the appropriate access for mobile sessions to external PDNs and private networks.
The following topics are included in this section:
•Basic Access Point Configuration Task List
•Configuring Real Access Points on the GGSN
•Configuring Other Access Point Options
•Verifying the Access Point Configuration
Configuration of access points on the GGSN also requires properly establishing communication with any supporting DHCP and RADIUS servers that you might be using to provide dynamic IP addressing and user authentication functions at the access point.
Details about configuring other services such as DHCP and RADIUS for an access point are discussed in the "Configuring Dynamic Addressing on the GGSN" and "Configuring Security on the GGSN" chapters.
Overview of Access Points
This section includes the following topics:
•Description of Access Points in a GPRS/UMTS Network
•Access Point Implementation on the Cisco GGSN
Description of Access Points in a GPRS/UMTS Network
The GPRS and UMTS standards define a network identity called an access point name (APN). An APN identifies the part of the network where a user session is established. In the GPRS/UMTS backbone, the APN serves as a reference to a GGSN. An APN is configured on and accessible from a GGSN in a GPRS/UMTS network.
An APN can provide access to a public data network (PDN), or a private or corporate network. An APN also can be associated with certain types of services such as Internet access or a Wireless Application Protocol (WAP) service.
The APN is provided by either the mobile station (MS) or by the SGSN to the GGSN in a Create PDP Context request message when a user requests a session to be established.
To identify an APN, a logical name is defined that consists of two parts:
•Network ID—A mandatory part of the APN that identifies the external network to which a GGSN is connected. The network ID can be a maximum of 63 bytes and must contain at least one label. A network ID of more than one label is interpreted as an Internet domain name. An example of a network ID might be "corporate.com."
•Operator ID—An optional part of the APN that identifies the public land mobile network (PLMN) in which a GGSN is located. The operator ID contains three decimal-separated labels; the last label must be "gprs." An example of an operator ID might be "mnc10.mcc200.gprs."
When the operator ID exists, it is placed after the network ID, and it corresponds to the Domain Name System (DNS) name of a GGSN. The maximum length of an APN is 100 bytes. When the operator ID does not exist, a default operator ID is derived from the mobile network code (MNC) and mobile country code (MCC) information contained in the international mobile subscriber identity (IMSI).
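The APN rules above, as an added example that is not Cisco's code: a parser that splits an APN into its network ID and operator ID, enforces the 63-byte and 100-byte limits, derives the default operator ID from the IMSI when none is present, and matches the network ID against a constructed access point list. The IMSI digit layout (three-digit MCC followed by a two-digit MNC) and the access point names are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Limits and structure stated on this page
MAX_APN_BYTES = 100
MAX_NETWORK_ID_BYTES = 63
OPERATOR_ID_LABELS = 3  # mnc<MNC>.mcc<MCC>.gprs


@dataclass(frozen=True)
class Apn:
    network_id: str             # mandatory part, e.g. "corporate.com"
    operator_id: Optional[str]  # e.g. "mnc10.mcc200.gprs"; None if absent
    operator_id_derived: bool   # True when filled in from the IMSI


def _is_operator_id(labels: List[str]) -> bool:
    """An operator ID is exactly three labels, the last of which is "gprs",
    and the first two carry the MNC and MCC."""
    if len(labels) != OPERATOR_ID_LABELS or labels[2].lower() != "gprs":
        return False
    mnc, mcc = labels[0].lower(), labels[1].lower()
    return (mnc.startswith("mnc") and mnc[3:].isdigit()
            and mcc.startswith("mcc") and mcc[3:].isdigit())


def default_operator_id(imsi: str, mnc_len: int = 2) -> str:
    """Derive the default operator ID from the IMSI: MCC is the first three
    digits, MNC the next mnc_len digits. mnc_len is an assumption of this
    example (the page's sample operator ID uses a two-digit MNC)."""
    if not imsi.isdigit() or len(imsi) < 3 + mnc_len:
        raise ValueError("IMSI must be all digits and at least MCC+MNC long")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_len]
    return f"mnc{mnc}.mcc{mcc}.gprs"


def parse_apn(apn: str, imsi: Optional[str] = None, mnc_len: int = 2) -> Apn:
    """Split an APN into network ID and operator ID and enforce the length
    and label rules. Raises ValueError for an APN that should be rejected
    before any access-point lookup is attempted."""
    if not apn:
        raise ValueError("empty APN")
    if len(apn.encode("utf-8")) > MAX_APN_BYTES:
        raise ValueError(f"APN exceeds {MAX_APN_BYTES} bytes")
    labels = apn.split(".")
    if any(label == "" for label in labels):
        raise ValueError("APN contains an empty label")
    if _is_operator_id(labels[-OPERATOR_ID_LABELS:]):
        network_labels = labels[:-OPERATOR_ID_LABELS]
        if not network_labels:
            raise ValueError("network ID is mandatory")
        operator_id = ".".join(labels[-OPERATOR_ID_LABELS:])
        derived = False
    else:
        # No operator ID present: derive the default one from the IMSI if known
        network_labels = labels
        operator_id = default_operator_id(imsi, mnc_len) if imsi else None
        derived = operator_id is not None
    network_id = ".".join(network_labels)
    if len(network_id.encode("utf-8")) > MAX_NETWORK_ID_BYTES:
        raise ValueError(f"network ID exceeds {MAX_NETWORK_ID_BYTES} bytes")
    return Apn(network_id, operator_id, derived)


def is_valid_apn(apn: str, imsi: Optional[str] = None) -> bool:
    """Accept/reject wrapper around parse_apn."""
    try:
        parse_apn(apn, imsi)
        return True
    except ValueError:
        return False


def lookup_access_point(parsed: Apn, configured: Dict[str, int]) -> Optional[int]:
    """Return the access point index whose network ID matches the APN's
    network ID (domain names compare case-insensitively), or None."""
    wanted = parsed.network_id.lower()
    for name, index in configured.items():
        if name.lower() == wanted:
            return index
    return None


# Constructed sample access point list: network ID -> access point index number
CONFIGURED_ACCESS_POINTS = {"corporate.com": 1, "internet": 2}

if __name__ == "__main__":
    for candidate in ("corporate.com.mnc10.mcc200.gprs", "Internet",
                      "mnc10.mcc200.gprs", "a" * 64):
        try:
            parsed = parse_apn(candidate, imsi="200101234567890")
            print(candidate, "->", parsed,
                  "index", lookup_access_point(parsed, CONFIGURED_ACCESS_POINTS))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```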
Access Point Implementation on the Cisco GGSN
Configuring access points is one of the central configuration tasks on the Cisco GGSN. Proper configuration of access points is essential to successful implementation of the GGSN in the GPRS/UMTS network.
To configure APNs, the Cisco GGSN software uses the following configuration elements:
•Access point list—Logical interface that is associated with the virtual template of the Cisco GGSN. The access point list contains one or more access points.
•Access point—Defines an APN and its associated access characteristics, including security and method of dynamic addressing. An access point on the Cisco GGSN can be a virtual or real access point.
•Access point index number—Integer assigned to an APN that identifies the APN within the GGSN configuration. Several GGSN configuration commands use the index number to reference an APN.
•Access group—An additional level of security on the router that is configured at an access point to control access to and from a PDN. When an MS is permitted access to the GGSN as defined by a traditional IP access list, the IP access group further defines whether access is permitted to the PDN (at the access point). The IP access group configuration can also define whether access from a PDN to an MS is permitted.
Access Point Types on the GGSN
Cisco IOS GGSN Release 3.0 and later support the following access point types:
•Real—Uses real access point types to configure the GGSN for direct access to a particular target network through an interface. The GGSN always uses real access points to reach an external network.
•Virtual—Uses virtual access point types to consolidate access to multiple target networks through a virtual APN access point at the GGSN. Because the GGSN always uses real access points to reach an external network, virtual access points should be used in combination with real access points on the GGSN.
Cisco IOS GGSN Release 1.4 and earlier only support real access points.
GGSN Release 3.0 and later support virtual access point types to address provisioning issues in the PLMN. For more information about configuring virtual access point access to the GGSN from the PLMN, see the "Configuring Virtual APN Access on the GGSN" section.
Basic Access Point Configuration Task List
This section describes the basic tasks that are required to configure an access point on the GGSN. Detailed information about configuring access points for specialized functions such as for virtual APN access are described in separate sections of this chapter.
To configure an access point on the GGSN, perform the following basic tasks:
•Configuring the GPRS Access Point List on the GGSN (Required)
•Creating an Access Point and Specifying Its Type on the GGSN (Required)
Configuring the GPRS Access Point List on the GGSN
The GGSN software requires that you configure an entity called an access point list. You configure the GPRS access point list to define a collection of virtual and real access points on the GGSN.
When you configure the access point list in global configuration mode, the GGSN software automatically associates the access point list with the virtual template interface of the GGSN. Therefore, the GGSN supports only a single access point list.
Note Be careful to observe that the GPRS access point list and an IP access list are different entities in the Cisco IOS software. A GPRS access point list defines access points and their associated characteristics, and an IP access list controls the allowable access on the router by IP address. You can define permissions to an access point by configuring both an IP access list in global configuration and configuring the ip-access-group command in your access point configuration.
To configure the GPRS access point list and configure access points within it, use the following command, beginning in global configuration mode:
Creating an Access Point and Specifying Its Type on the GGSN
You need to define access points within an access point list on the GGSN. Therefore, before you can create an access point, you must define a new access point list or specify the existing access point list on the GGSN to enter access-point list configuration mode.
When you create an access point, you must assign an index number to the access point, specify the domain name (network ID) of the access point, and specify the type of access point (virtual or real). Other options that you can configure for an access point are summarized in the "Configuring Other Access Point Options" section.
To create an access point and specify its type, use the following commands, beginning in global configuration mode:
Configuring Real Access Points on the GGSN
The GGSN uses real access points to communicate to PDNs or private networks that are available over a Gi interface on the GGSN. Use real access point types to configure the GGSN for direct access to a particular target network through an interface.
If you have configured a virtual access point, you must also configure real access points to reach the target networks.
The GGSN supports configuration of access points to public data networks and to private networks. The following sections describe how to configure different types of real access points:
•PDN Access Configuration Task List
•VPN Access Using VRF Configuration Task Lists
PDN Access Configuration Task List
Configuring a connection to a public PDN includes the following tasks:
•Configuring an Interface to a PDN (Gi interface) (Required)
•Configuring an Access Point for a PDN (Required)
Configuring an Interface to a PDN
To establish access to a PDN in the GPRS/UMTS network, you must configure an interface on the GGSN to connect to the PDN. This interface is referred to as the Gi interface.
On the Cisco 7200 series router platform, this interface is a physical one. On the Catalyst 6500 series switch / Cisco 7600 series Internet router platform, this interface is a logical one (on which IEEE 802.1Q encapsulation has been configured) to a Layer 3 routed Gi VLAN configured on the Supervisor/MSFC2.
For more information about the Gi VLAN on the Supervisor/MSFC2, see the "Catalyst 6500 / Cisco 7600 Series Platform Prerequisites" section.
For more information about configuring interfaces, see the Cisco IOS Interface Configuration Guide and the Cisco IOS Interface Command Reference.
Configuring Physical Interfaces
To configure a physical interface to the PDN using Fast Ethernet over the Gi interface (Cisco 7200 series router platform), use the following commands, beginning in global configuration mode:
Note If you are using VPN routing and forwarding (VRF) for VPN access, you must enable Cisco Express Forwarding (CEF) switching on the GGSN. If you enable CEF switching at the global configuration level, then it is automatically enabled for each interface unless it has been specifically disabled at the interface.
Configuring 802.1Q-Encapsulated Subinterfaces
To configure a subinterface that supports IEEE 802.1Q encapsulation to the Gi VLAN, use the following commands, beginning in global configuration mode:
Configuring an Access Point for a PDN
To configure an access point for a PDN, you must define a real access point in the GPRS access point list.
To configure a real access point on the GGSN, use the following commands, beginning in global configuration mode:
For an example of a GPRS access point configuration, see the "Access Point List Configuration Example" section.
VPN Access Using VRF Configuration Task Lists
The Cisco IOS GGSN software supports connectivity to a VPN using VPN routing and forwarding (VRF).
The GGSN software provides a couple of ways that you can configure access to a VPN, depending on your platform, network configuration over the Gi interface between the GGSN and your PDNs, and the VPN that you want to access.
Note VRF is not supported on the Catalyst 6500 / Cisco 7600 Supervisor II / MSFC2; therefore, if using the Supervisor II, you must tunnel encapsulated VRF traffic through the Supervisor via a generic routing encapsulation (GRE) tunnel from the GGSN to the PDN. For more information on configuring a tunnel, see the "Configuring Access to a VPN With a Tunnel" section.
The Catalyst 6500 / Cisco 7600 Sup720 supports VRF.
To configure VPN access using VRF on the GGSN, perform the following tasks:
•Enabling CEF Switching (Required)
•Configuring a VRF Routing Table on the GGSN (Required)
•Configuring a Route to the VPN Using VRF (Required)
•Configuring an Interface to a PDN Using VRF (Required)
•Configuring Access to a VPN (Required)
For sample configurations, see the "VRF Tunnel Configuration Example" section.
Enabling CEF Switching
When you enable CEF switching globally on the GGSN, all interfaces on the GGSN are automatically enabled for CEF switching.
Note To ensure that CEF switching functions properly, wait a short time before enabling CEF switching after it has been disabled using the no ip cef command.
To enable CEF switching for all interfaces on the GGSN, use the following commands, beginning in global configuration mode:
Configuring a VRF Routing Table on the GGSN
To configure a VRF routing table on the GGSN, use the following commands, beginning in global configuration mode:
Configuring a Route to the VPN Using VRF
Be sure that a route exists between the GGSN and the private network that you want to access. You can verify connectivity by using the ping command from the GGSN to the private network address. To configure a route, you can use a static route or a routing protocol.
Configuring a Static Route Using VRF
To configure a static route using VRF, use the following command, beginning in global configuration mode:
Verifying a Static Route Using VRF
To verify that the GGSN has established the static VRF route that you configured, use the show ip route vrf privileged EXEC command as shown in the following example:
GGSN# show ip route vrf vpn1 static
     172.16.0.0/32 is subnetted, 1 subnets
U       172.16.0.1 [1/0] via 0.0.0.0, Virtual-Access2
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.100.0.3/32 [1/0] via 10.110.0.13

Configuring an OSPF Route Using VRF
To configure an OSPF route using VRF, use the following command, beginning in global configuration mode:
Configuring an Interface to a PDN Using VRF
To establish access to a PDN, you must configure an interface on the GGSN to connect to the PDN. This interface is referred to as the Gi interface.
On the Cisco 7200 series router platform, this interface is physical. On the Catalyst 6500 series switch / Cisco 7600 series Internet router platform, this interface is a logical one (on which IEEE 802.1Q encapsulation has been configured) to a Layer 3 routed Gi VLAN configured on the Supervisor/MSFC2.
For more information about the Gi VLAN on the Supervisor/MSFC2, see the "Catalyst 6500 / Cisco 7600 Series Platform Prerequisites" section.
For more information about configuring interfaces, see the Cisco IOS Interface Configuration Guide and the Cisco IOS Interface Command Reference.
Configuring Physical Interfaces
To configure a physical interface to the PDN using Fast Ethernet over the Gi interface, use the following commands, beginning in global configuration mode:
Note If you are using VRF for VPN access, you must enable CEF switching on the GGSN. If you enable CEF switching at the global configuration level, then it is automatically enabled for each interface unless it has been specifically disabled at the interface.
Configuring 802.1Q-Encapsulated Subinterfaces
To configure a subinterface that supports IEEE 802.1Q encapsulation to the Gi VLAN, use the following commands, beginning in global configuration mode:
Configuring Access to a VPN
After you have completed the prerequisite configuration tasks on the Cisco 7200 platform, you can configure access to a VPN with a tunnel or without a tunnel.
VRF is not supported on the Catalyst 6500 / Cisco 7600 Supervisor II / MSFC2; therefore, if using the Supervisor II, you must tunnel encapsulated VRF traffic through the Supervisor via a generic routing encapsulation (GRE) tunnel from the GGSN to the PDN.
Note The Catalyst 6500 / Cisco 7600 Sup720 supports VRF.
Figure 7-1 is a logical view of a GRE tunnel configured between the VRF-aware GGSN and PDN, which tunnels the encapsulated VRF information through the "VRF-unaware" Supervisor II / MSFC2.
Figure 7-1 Tunnel Configuration from the GGSN to PDN through the Catalyst 6500 / Cisco 7600 Supervisor II
The following sections describe the different methods you can use to configure access to a VPN:
•Configuring Access to a VPN Without a Tunnel
•Configuring Access to a VPN With a Tunnel
Note With GGSN Release 5.0 and later, you can assign multiple APNs to the same VRF.
Configuring Access to a VPN Without a Tunnel
On the Cisco 7200 platform, if you configure more than one Gi interface to different PDNs, and need to access a VPN off one of those PDNs, then you can configure access to that VPN without configuring an IP tunnel. To configure access to the VPN in this case, you need to configure the vrf access point configuration command.
Note The Catalyst 6500 / Cisco 7600 Supervisor II / MSFC2 does not support VRF; therefore, you must tunnel VRF traffic through the Supervisor via a GRE tunnel as described in the "Configuring Access to a VPN With a Tunnel" section.
To configure access to a VPN in the GPRS access point list, use the following commands, beginning in global configuration mode:
For information about the other access point configuration options, see the "Configuring Other Access Point Options" section.
Configuring Access to a VPN With a Tunnel
If you have only a single Gi interface to a PDN from which you need to access one or more VPNs, or if you are configuring access to a VPN via VRF on the Catalyst 6500 / Cisco 7600 platform, you can configure an IP tunnel to access those private networks. On the Catalyst 6500 / Cisco 7600 platform, you configure the tunnel to tunnel the VRF traffic through the Supervisor/MSFC2, which does not support VRF.
To configure access to the VPN using a tunnel, perform the following tasks:
•Configuring the VPN Access Point (Required)
•Configuring the IP Tunnel (Required)
Configuring the VPN Access Point
To configure access to a VPN in the GPRS access point list, use the following commands, beginning in global configuration mode:
For information about the other access point configuration options, see the "Configuring Other Access Point Options" section.
Configuring the IP Tunnel
When you configure a tunnel, you might consider using loopback interfaces as the tunnel endpoints instead of real interfaces because loopback interfaces are always up.
To configure an IP tunnel to a private network, use the following commands, beginning in global configuration mode:
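The following configuration is an added illustration of the tunnel method described above; it is not taken from the original guide. It ties together the global CEF requirement, loopback tunnel endpoints and the access point's vrf command. The VRF name vpn1, its route distinguisher, the tunnel and loopback addresses, the next hop 10.8.8.2, the AAA group foo and the APN name corporate-vpn.com are assumed values:

```cisco
! Added example (not from the original guide): a VRF access point reached
! through a GRE tunnel. VRF name, RD, addresses, AAA group and APN are
! assumed values.
!
! CEF must be enabled for VRF forwarding; enabling it globally turns it on
! for every interface unless it is disabled per interface.
ip cef
!
ip vrf vpn1
 rd 100:1
!
! Loopback endpoints stay up even if a physical Gi link flaps.
interface Loopback10
 ip address 10.50.50.1 255.255.255.255
!
! GRE tunnel into the VPN. The tunnel interface lives in the VRF, while its
! source and destination are routed in the global table, so the encapsulated
! packets can cross a VRF-unaware Supervisor II / MSFC2 or share a single Gi
! interface on the Cisco 7200.
interface Tunnel10
 ip vrf forwarding vpn1
 ip address 10.60.60.1 255.255.255.252
 tunnel source Loopback10
 tunnel destination 10.70.70.1
!
! Global-table route to the remote tunnel endpoint via the Gi next hop
! (10.8.8.2 is the next hop used in this chapter's sample configuration).
ip route 10.70.70.1 255.255.255.255 10.8.8.2
!
! Default route inside the VRF so that all MS traffic on this APN enters
! the tunnel rather than leaking into the global table.
ip route vrf vpn1 0.0.0.0 0.0.0.0 Tunnel10
!
! Access point bound to the VRF. With GGSN Release 5.0 and later, several
! APNs may reference the same VRF.
gprs access-point-list gprs
 access-point 5
  access-point-name corporate-vpn.com
  access-mode non-transparent
  aaa-group authentication foo
  vrf vpn1
  exit
```

Check the result with show ip route vrf vpn1 (the VRF table should contain only the tunnel default route and the tunnel subnet) and with show gprs access-point 5, where the VPN field should no longer read Disable. If the tunnel stays down, verify that the tunnel destination is reachable in the global table before suspecting the VRF binding.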
Configuring Other Access Point Options
This section summarizes the configuration options that you can specify for a GGSN access point.
Some of these options are used in combination with other global router settings to configure the GGSN. Further details about configuring several of these options are discussed in other topics in this chapter and other chapters of this book.
Note Although the Cisco IOS software allows you to configure other access point options on a virtual access point, only the access-point-name and access-type commands are applicable to a virtual access point.
To configure options for a GGSN access point, use any of the following commands, beginning in access- point list configuration mode:
Step 1
Router(config-ap-list)# access-point access-point-index
Specifies an index number for a new access point definition, or references an existing access point definition, and enters access point configuration mode.
Step 2
Router(config-access-point)# access-point-name apn-name
Specifies the network (or domain) name for a PDN that users can access from the GGSN at a defined access point.
Note The apn-name must match the APN that has been provisioned at the MS, HLR, and DNS server.
Step 3
Router(config-access-point)# aaa-accounting {enable | disable}
Enables or disables accounting for a particular access point on the GGSN.
Note If you have configured a transparent access APN and you want to provide accounting at that APN, you need to configure the aaa-accounting enable command at the APN.
Step 4
Router(config-access-point)# aaa-group {authentication | accounting} server-group
Specifies a default authentication, authorization, and accounting (AAA) server group and assigns the type of AAA services to be supported by the server group for a particular access point on the GGSN, where:
•authentication—Assigns the selected server group for authentication services on the APN.
•accounting—Assigns the selected server group for accounting services on the APN.
•server-group—Specifies the name of an AAA server group to be used for AAA services on the APN.
Note The name of the AAA server group that you specify must correspond to a server group that you configure using the aaa group server command.
Step 5
Router(config-access-point)# access-type {virtual | real}
(Optional) Specifies the type of access point. The available options are:
•virtual—APN type that is not associated with any specific physical target network.
•real—APN type that corresponds to an interface to an external network on the GGSN. This is the default value.
Step 6
Router(config-access-point)# access-mode {transparent | non-transparent}
(Optional) Specifies whether the GGSN requests user authentication at the access point to a PDN. The available options are:
•transparent—No security authorization or authentication is requested by the GGSN for this access point. This is the default value.
•non-transparent—GGSN acts as a proxy for authenticating.
Step 7
Router(config-access-point)# access-violation deactivate-pdp-context
(Optional) Specifies that a user's session be ended and the user packets discarded when a user attempts unauthorized access to a PDN through an access point.
Step 8
Router(config-access-point)# aggregate {auto | ip-network-prefix{/mask-bit-length | ip-mask}}
(Optional) Configures the GGSN to create an aggregate route in its IP routing table when receiving PDP requests from MSs on the specified network through a particular access point on the GGSN.
Note The aggregate auto command will not aggregate routes when using local IP address pools.
Step 9
Router(config-access-point)# anonymous user username [password]
(Optional) Configures anonymous user access at an access point.
Step 10
Router(config-access-point)# block-foreign-ms
(Optional) Restricts GGSN access at a particular access point based on the mobile user's home PLMN.
Step 11
Router(config-access-point)# dhcp-gateway-address ip-address
(Optional) Specifies a DHCP gateway to handle DHCP requests for mobile station (MS) users entering a particular PDN access point.
Step 12
Router(config-access-point)# dhcp-server {ip-address} [ip-address] [vrf]
(Optional) Specifies a primary (and backup) DHCP server to allocate IP addresses to MS users entering a particular PDN access point.
Step 13
Router(config-access-point)# dns primary ip-address secondary ip-address
(Optional) Specifies a primary (and backup) DNS to be sent in Create PDP Context responses at the access point.
For more information about configuring the DNS for an access point, see the "Configuring the NBNS and DNS Address for an APN" section.
Step 14
Router(config-access-point)# gtp pdp-context single pdp-session [mandatory]
(Optional) Configures the GGSN to delete the primary PDP context, and any associated secondary PDP contexts, of a hanging PDP session upon receiving a new create request from the same MS that shares the same IP address of the hanging PDP context.
A hanging PDP context is a PDP context on the GGSN whose corresponding PDP context on the SGSN has already been deleted for some reason.
When a hanging PDP session occurs and the gtp pdp-context single pdp-session command is not configured, if the same MS (on the same APN) sends a new Create PDP Context request that has a different NSAPI but has been assigned the same IP address used by the hanging PDP session, the GGSN rejects the new Create PDP Context request.
When configured without the mandatory keyword, this feature applies only to those users for whom the Cisco vendor-specific attribute (VSA) "gtp-pdp-session=single-session" has been defined in their RADIUS user profile.
To enable this feature and apply it to all users on an APN regardless of their RADIUS user profiles, specify the mandatory keyword option.
Note This feature is supported on the Cisco 7200 series platform.
Step 15
Router(config-access-point)# gtp response-message wait-accounting
(Optional) Configures the GGSN to wait for a RADIUS accounting response before sending a Create PDP Context response to the SGSN.
Step 16
Router(config-access-point)# ip-access-group access-list-number {in | out}
(Optional) Specifies access permissions between an MS and a PDN through the GGSN at a particular access point, where access-list-number specifies the IP access list definition to be used at the access point. The available options are:
•in—Applies the IP access list definition from the PDN to the MS.
•out—Applies the IP access list definition from the MS to the PDN.
Note To disable the sending of ICMP messages, ensure that the no ip unreachable interface configuration command has been configured on the virtual template interface.
Step 17
Router(config-access-point)# ip-address-pool {dhcp-proxy-client | radius-client | local pool-name | disable}
(Optional) Specifies a dynamic address allocation method using IP address pools for the current access point. The available options are:
•dhcp-proxy-client—DHCP server provides the IP address pool.
•radius-client—RADIUS server provides the IP address pool.
•local—Specifies that a local pool provides the IP address. This option requires that a local pool has been configured using the ip local pool global configuration command.
•disable—Turns off dynamic address allocation.
Note If you are using a dynamic address allocation method, then you must configure this command according to the appropriate IP address pool source.
Step 18
Router(config-access-point)# ip probe path ip_address protocol udp [port port ttl ttl]
(Optional) Enables the GGSN to send a probe packet to a specific destination for each PDP context that is successfully established on an APN.
Step 19
Router(config-access-point)# msisdn suppression [value]
(Optional) Specifies that the GGSN overrides the mobile station ISDN (MSISDN) number with a pre-configured value in its authentication requests to a RADIUS server.
Step 20
Router(config-access-point)# nbns primary ip-address secondary ip-address
(Optional) Specifies a primary (and backup) NetBIOS Name Service (NBNS) to be sent in Create PDP Context responses at the access point.
For more information about configuring the NBNS for an access point, see the "Configuring the NBNS and DNS Address for an APN" section.
Step 21
Router(config-access-point)# ppp-regeneration [max-session number] [setup-time seconds]
(Optional) Enables an access point to support PPP regeneration, where:
•max-session number—Specifies the maximum number of PPP regenerated sessions allowed at the access point. The default value is device dependent and is determined by the maximum number of IDBs that can be supported by the router.
•setup-time seconds—Specifies the maximum amount of time (between 1 and 65535 seconds) within which a PPP regenerated session must be established. The default value is 60 seconds.
Step 22
Router(config-access-point)# ppp-regeneration verify-domain
(Optional) Configures the GGSN to verify that the domain carried in the protocol configuration option (PCO) IE of a Create PDP Context request matches the APN sent by the user when PPP regeneration is in use.
Note If a mismatch occurs, the Create PDP Context request is rejected with the cause code "Service not supported."
Note The ppp-regeneration fix-domain and ppp-regeneration verify-domain configurations are mutually exclusive. When ppp-regeneration fix-domain is configured, domain verification cannot be performed.
Step 23
Router(config-access-point)# ppp-regeneration fix-domain
(Optional) Configures the GGSN to use the access point name as the domain name with which it initiates an L2TP tunnel to the user when PPP-regeneration is being used.
Note The ppp-regeneration fix-domain and ppp-regeneration verify-domain configurations are mutually exclusive. When ppp-regeneration fix-domain is configured, domain verification cannot be performed.
Step 24
Router(config-access-point)# radius attribute acct-session-id charging-id
(Optional) Specifies that the charging ID in the Acct-Session-ID (attribute 44) is included in access requests.
Step 25
Router(config-access-point)# radius attribute nas-id format
(Optional) Specifies that the GGSN sends the NAS-Identifier in access requests at the APN, where format is a string sent in attribute 32 that can contain an IP address (%i), a host name (%h), and a domain name (%d).
Step 26
Router(config-access-point)# radius attribute suppress imsi
(Optional) Specifies that the GGSN suppress the 3GPP-IMSI number in its authentication and accounting requests to a RADIUS server.
Step 27
Router(config-access-point)# radius attribute suppress qos
(Optional) Specifies that the GGSN suppress the 3GPP-GPRS-Qos Profile in its authentication and accounting requests to a RADIUS server.
Step 28
Router(config-access-point)# radius attribute suppress sgsn-address
(Optional) Specifies that the GGSN suppress the 3GPP-GPRS-SGSN-Address in its authentication and accounting requests to a RADIUS server.
Step 29
Router(config-access-point)# radius attribute user-name msisdn
(Optional) Specifies that the MSISDN is included in the User-Name (attribute 1) field in access requests.
Step 30
Router(config-access-point)# redirect all ip ip-address
(Optional) Specifies that all traffic be redirected to a specific IP address.
Step 31
Router(config-access-point)# redirect intermobile ip ip-address
(Optional) Specifies that mobile-to-mobile traffic be redirected.
Step 32
Router(config-access-point)# security verify {source | destination}
Specifies that the GGSN verify the source or destination address in Transport Protocol Data Units (TPDUs) received from a Gn interface. Source verification checks that the source address of an upstream TPDU is the address assigned to the PDP context, so an MS cannot inject packets with a spoofed source address into the PDN.
Step 33
Router(config-access-point)# session idle-time number
(Optional) Specifies the time (between 1 and 168 hours) that the GGSN waits before purging idle mobile sessions for the current access point.
Step 34
Router(config-access-point)# subscription-required
(Optional) Specifies that the GGSN checks the value of the selection mode in a PDP context request to determine if a subscription is required to access a PDN through the access point.
Step 35
Router(config-access-point)# vrf vrf-name
(Optional) Configures VPN routing and forwarding at a GGSN access point and associates the access point with a particular VRF instance.
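The following access point configuration is an added example, not taken from the original guide, that combines the security-relevant options from the table above, including the ip-access-group step and the no ip unreachables note that goes with it. The ACL numbers 110 and 120, the corporate subnet 172.20.0.0/16, the DNS server 172.20.1.53, the inspection host 172.20.9.1, the AAA group names corp-auth and corp-acct, the MCC/MNC values and the APN name corporate.com are assumed values:

```cisco
! Added example (not from the original guide): an access point that uses the
! security-relevant options together. Names, addresses, ACL numbers and the
! MCC/MNC are assumed values.
!
! Extended ACLs referenced by ip-access-group. Direction is seen from the MS:
! "out" filters MS -> PDN, "in" filters PDN -> MS.
access-list 110 remark MS -> PDN: corporate subnet only
access-list 110 permit ip any 172.20.0.0 0.0.255.255
access-list 110 deny   ip any any log
!
access-list 120 remark PDN -> MS: replies to MS-initiated TCP, plus DNS answers
access-list 120 permit tcp 172.20.0.0 0.0.255.255 any established
access-list 120 permit udp host 172.20.1.53 eq domain any
access-list 120 deny   ip any any log
!
! Do not answer ACL drops with ICMP unreachables (note under ip-access-group).
interface Virtual-Template1
 no ip unreachables
!
! block-foreign-ms compares the IMSI against the home PLMN configured here
! (see "Configuring the MCC and MNC Values"; assumed values).
gprs mcc 310 mnc 150
!
gprs access-point-list gprs
 access-point 6
  access-point-name corporate.com
  access-type real
  ! Authenticate every user through RADIUS and account for the session.
  access-mode non-transparent
  aaa-group authentication corp-auth
  aaa-group accounting corp-acct
  aaa-accounting enable
  ! Hold the Create PDP Context response until accounting has been accepted.
  gtp response-message wait-accounting
  ! Tear the session down on an unauthorized access attempt instead of only
  ! discarding the offending packet.
  access-violation deactivate-pdp-context
  ! Drop upstream TPDUs whose source address is not the one assigned to the
  ! PDP context (anti-spoofing).
  security verify source
  ! Only subscribers of the home PLMN with a subscription may use this APN.
  block-foreign-ms
  subscription-required
  ! Send MS-to-MS traffic to an inspection point instead of switching it
  ! directly between subscribers.
  redirect intermobile ip 172.20.9.1
  ! Filter both directions with the ACLs above.
  ip-access-group 110 out
  ip-access-group 120 in
  ! Reclaim hanging contexts: one PDP session per address, purge idle ones
  ! after two hours.
  gtp pdp-context single pdp-session mandatory
  session idle-time 2
  ! Limit what the RADIUS server learns about the subscriber and the radio path.
  radius attribute suppress imsi
  radius attribute suppress sgsn-address
  msisdn suppression
  exit
```

After applying it, show gprs access-point 6 should report apn_mode: non-transparent, the authentication and accounting server groups, deactivate_pdp_context_on violation: Yes, Block Foreign-MS Mode: Enable and subscribe_required: Yes. A test PDP context from a handset whose packets hit the deny entries should show matching hit counts in show access-lists 110 and 120, with no ICMP unreachables returned to the MS.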
Verifying the Access Point Configuration
This section describes how to verify that you have successfully configured access points on the GGSN, and includes the following tasks:
•Verifying the GGSN Configuration
•Verifying Reachability of the Network Through the Access Point
Verifying the GGSN Configuration
To verify that you have properly configured access points on the GGSN, use the show running-config command and the show gprs access-point commands.
Note The gprs access-point-list command first appears in the output of the show running-config command under the virtual template interface, which indicates that the GPRS access point list has been configured and is associated with the virtual template. To verify your configuration of specific access points within the GPRS access point list, look further down in the show command output where the gprs access-point-list command appears again, followed by the individual access point configurations.
Step 1 From privileged EXEC mode, use the show running-config command as shown in the following example for the Cisco 7200 series platform. Verify that the gprs access-point-list command appears under the virtual template interface, and verify the individual access point configurations within the gprs access-point-list section of the output:
GGSN# show running-config
Building configuration...
Current configuration : 3521 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service gprs ggsn
!
hostname ggsn
!
ip cef
!
no logging buffered
logging rate-limit console 10 except errors
!
aaa new-model
aaa group server radius foo
 server 172.18.43.7 auth-port 1645 acct-port 1646
aaa authentication ppp foo group foo
aaa authorization network foo group foo
aaa accounting network foo start-stop group foo
!
ip subnet-zero
!
!
ip cef
no ip dhcp-client network-discovery
!
!
interface Loopback1
 ip address 10.2.3.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 172.18.43.174 255.255.255.240
 duplex half
!
interface Ethernet1/0
 description Gi interface to gprt.cisco.com
 ip address 10.8.8.6 255.255.255.0
 duplex half
!
interface Ethernet1/1
 description Gi interface to gprs.cisco.com
 ip address 10.9.9.4 255.255.255.0
 duplex half
!
interface Ethernet1/2
 ip address 10.15.15.10 255.255.255.0
 duplex half
!
interface loopback 1
 ip address 10.40.40.3 255.255.255.0
!
interface Virtual-Template1
 ip unnumber loopback 1
 encapsulation gtp
 gprs access-point-list gprs
!
ip default-gateway 172.18.43.161
ip kerberos source-interface any
ip classless
ip route 10.7.7.0 255.255.255.0 10.8.8.2
ip route 10.102.82.0 255.255.255.0 172.18.43.161
ip route 192.168.0.0 255.255.0.0 172.18.43.161
ip route 172.18.0.0 255.255.0.0 172.18.43.161
no ip http server
!
. . .
!
gprs access-point-list gprs
!
 access-point 1
  access-point-name gprs.cisco.com
  access-mode non-transparent
  aaa-group authentication foo
  network-request-activation
  exit
!
 access-point 2
  access-point-name gprt.cisco.com
  exit
!
 access-point 3
  access-point-name gpru.cisco.com
  ip-address-pool radius-client
  access-mode non-transparent
  aaa-group authentication foo
  exit
!
gprs maximum-pdp-context-allowed 90000
gprs gtp path-echo-interval 0
gprs default charging-gateway 10.15.15.1
!
gprs memory threshold 512
!
...
radius-server host 172.18.43.7 auth-port 1645 acct-port 1646 non-standard
radius-server retransmit 3
radius-server key 7 12150415
call rsvp-sync
!
no mgcp timer receive-rtcp
!
mgcp profile default
!
gatekeeper
 shutdown
end
Step 2 To view the configuration of a specific access point on the GGSN in further detail, use the show gprs access-point command and specify the index number of the access point, as shown in the following example:
GGSN# show gprs access-point 2
apn_index 2 apn_name = gprt.cisco.com
apn_mode: transparent
apn-type: Real
accounting: Disable
wait_accounting: Disable
dynamic_address_pool: not configured
apn_dhcp_server: 0.0.0.0
apn_dhcp_gateway_addr: 0.0.0.0
apn_authentication_server_group:
apn_accounting_server_group:
apn_username: , apn_password:
subscribe_required: No
deactivate_pdp_context_on violation: No
network_activation_allowed: No
Block Foreign-MS Mode: Disable
VPN: Disable
GPRS vaccess interface: Virtual-Access1
number of ip_address_allocated 0
Total number of PDP in this APN :1
aggregate:
In APN: Disable
In Global: Disable
Step 3 To view a summary of every access point that is configured on the GGSN, use the show gprs access-point all command as shown in the following example:
GGSN# show gprs access-point all
There are 3 Access-Points configured
Index Mode            Access-type AccessPointName VRF Name
-----------------------------------------------------------------------
1     non-transparent Real        gprs.cisco.com
-----------------------------------------------------------------------
2     transparent     Real        gprt.cisco.com
-----------------------------------------------------------------------
3     non-transparent Real        gpru.cisco.com
-----------------------------------------------------------------------
Verifying Reachability of the Network Through the Access Point
The following procedure provides a basic methodology for verifying reachability from the MS to the destination network.
Note Many factors can affect whether you can successfully reach the destination network. Although this procedure does not attempt to fully address those factors, it is important for you to be aware that your particular configuration of the APN, IP routing, and physical connectivity of the GGSN, can affect end-to-end connectivity between a host and an MS.
To verify that you can reach the network from the MS, perform the following steps:
Step 1 From the MS (for example, using a handset), create a PDP context with the GGSN by specifying the APN to which you want to connect. In this example, you specify the APN gprt.cisco.com.
Step 2 From privileged EXEC mode on the GGSN, use the show gprs access-point command and verify the number of created network PDP contexts (in the Total number of PDP in this APN output field).
The following example shows one successful PDP context request:
GGSN# show gprs access-point 2
apn_index 2 apn_name = gprt.cisco.com
apn_mode: transparent
apn-type: Real
accounting: Disable
wait_accounting: Disable
dynamic_address_pool: not configured
apn_dhcp_server: 0.0.0.0
apn_dhcp_gateway_addr: 0.0.0.0
apn_authentication_server_group:
apn_accounting_server_group:
apn_username: , apn_password:
subscribe_required: No
deactivate_pdp_context_on violation: Yes
network_activation_allowed: No
Block Foreign-MS Mode: Disable
VPN: Disable
GPRS vaccess interface: Virtual-Access1
number of ip_address_allocated 0
Total number of PDP in this APN :1
aggregate:
In APN: Disable
In Global: Disable
Step 3 To test further, generate traffic to the network. To do this, use the ping command from a handset, or from a laptop connected to the handset, to a host on the destination network, as shown in the following example:
ping 192.168.12.5
Note To avoid possible DNS configuration issues, use the IP address (rather than the host name) of a host that you expect to be reachable within the destination network. For this test to work, the IP address of the host that you select must be able to be properly routed by the GGSN.
In addition, the APN configuration and physical connectivity to the destination network through a Gi interface must be established. For example, if the host to be reached is in a VPN, the APN must be properly configured to provide access to the VPN.
Step 4 After you have begun to generate traffic over the PDP context, use the show gprs gtp pdp-context command to see detailed statistics including send and receive byte and packet counts.
Tip To find the Tunnel Identifier (TID) for a particular PDP context on an APN, use the show gprs gtp pdp-context access-point command.
The following example shows sample output for a PDP context for TID 81726354453647FA:
GGSN# show gprs gtp pdp-context tid 81726354453647FA
TID              MS Addr   Source  SGSN Addr    APN
81726354453647FA 10.2.2.1  Static  172.16.44.1  gprt.cisco.com
current time :Dec 06 2001 13:15:34
user_name (IMSI): 18273645546374      MS address: 10.2.2.1
MS International PSTN/ISDN Number (MSISDN): 243926901
sgsn_addr_signal: 172.16.44.1         ggsn_addr_signal: 10.30.30.1
signal_sequence: 7                    seq_tpdu_up: 0
seq_tpdu_down: 5380
upstream_signal_flow: 371             upstream_data_flow: 372
downstream_signal_flow: 1             downstream_data_flow: 1
RAupdate_flow: 0
pdp_create_time: Dec 06 2001 09:54:43
last_access_time: Dec 06 2001 13:15:21
mnrgflag: 0                           tos mask map: 00
gtp pdp idle time: 72
gprs qos_req: 091101                  canonical Qos class(req.): 01
gprs qos_neg: 25131F                  canonical Qos class(neg.): 01
effective bandwidth: 0.0
rcv_pkt_count: 10026                  rcv_byte_count: 1824732
send_pkt_count: 5380                  send_byte_count: 4207160
cef_up_pkt: 10026                     cef_up_byte: 1824732
cef_down_pkt: 5380                    cef_down_byte: 4207160
cef_drop: 0
charging_id: 12321224
pdp reference count: 2
ntwk_init_pdp: 0
Configuring Access to External Support Servers
You can configure the GGSN to access external support servers to provide services for dynamic IP addressing of MSs using the Dynamic Host Configuration Protocol (DHCP) or using Remote Authentication Dial-In User Service (RADIUS). You can also configure RADIUS services on the GGSN to provide security, such as authentication of users accessing a network at an APN.
The GGSN allows you to configure access to DHCP and RADIUS servers globally for all access points, or to specific servers for a particular access point. For more information about configuring DHCP on the GGSN, see the "Configuring Dynamic Addressing on the GGSN" chapter. For more information about configuring RADIUS on the GGSN, see the "Configuring Security on the GGSN" chapter.
Configuring Virtual APN Access on the GGSN
This section includes the following topics:
•Overview of the Virtual APN Feature
•Virtual APN Configuration Task List
•Verifying the Virtual APN Configuration
For a sample configuration, see the "Virtual APN Configuration Example" section.
Overview of the Virtual APN Feature
GGSN Release 3.0 and later support virtual APN access from the PLMN using the virtual access point type on the GGSN. The virtual APN feature on the GGSN allows multiple users to access different physical target networks through a shared APN access point on the GGSN.
In a GPRS/UMTS network, the user APN information must be configured at several of the GPRS/UMTS network entities, such as the home location register (HLR) and DNS server. In the HLR, the user subscription data associates the IMSI (unique per user) with each APN that the IMSI is allowed to access. At the DNS server, APNs are correlated to the GGSN IP address. If DHCP or RADIUS servers are in use, the APN configuration can also extend to those servers.
The virtual APN feature reduces the amount of APN provisioning required by consolidating access to all real APNs through a single virtual APN at the GGSN. Therefore, only the virtual APN needs to be provisioned at the HLR and DNS server, instead of each of the real APNs to be reached. The GGSN also must be configured for the virtual APN.
Note On the Catalyst 6500 / Cisco 7600 platform, identical virtual APN configurations must exist on each GGSN that is load-balanced by means of a virtual server.
The Cisco GGSN software determines the ultimate target network for the session by receiving the Create PDP Context request at the virtual access point and extracting the domain name to direct the packet to the appropriate real APN. The real APN is the actual destination network.
Figure 7-2 shows how the GGSN supports a Create PDP Context request from an MS processed through a virtual APN on the GGSN.
Figure 7-2 Virtual APN PDP Context Activation on the GGSN
Benefits of the Virtual APN Feature
The virtual APN feature provides the following benefits:
•Simplifies provisioning of APN information at the HLR and DNS servers
•Improves scalability for support of large numbers of corporate networks, ISPs, and services
•Increases flexibility of access point selection
•Eases deployment of new APNs and services
Restrictions of the Virtual APN Feature
The virtual APN feature has the following restrictions:
•CDRs do not include the domain information. For virtual APNs, the domain information is always removed from the username attribute. The associated real APN name is used in CDRs and authentication requests to a virtual APN.
•Although the Cisco IOS software allows you to configure other access point options on a virtual access point, no other access point options are applicable if they are configured.
Virtual APN Configuration Task List
To configure the GGSN to support virtual APN access, you must configure one or more virtual access points. You also need to configure the real access points that provide the information required for connecting to the physical networks of the external PDNs or VPNs.
In addition to configuring the GGSN, you must also ensure proper provisioning of the other GPRS/UMTS network entities, as appropriate, to successfully implement the virtual APN feature on the GPRS/UMTS network.
To configure virtual APN access on the GGSN, perform the following tasks:
•Configuring Virtual Access Points on the GGSN (Required)
•Configuring Real Access Points on the GGSN (Required)
–PDN Access Configuration Task List
–VPN Access Using VRF Configuration Task Lists
For a sample configuration, see the "Virtual APN Configuration Example" section.
Configuring Virtual Access Points on the GGSN
Use virtual access point types to consolidate access to multiple real target networks on the GGSN. Because the GGSN always uses real access points to reach an external network, virtual access points are used in combination with real access points on the GGSN.
You can configure multiple virtual access points on the GGSN. Multiple virtual access points can be used to access the same real networks. One virtual access point can be used to access different real networks.
Note Be sure that you provision the HLR and configure the DNS server to properly correspond to the virtual APN domains that you have configured on the GGSN. For more information, see the "Configuring Other GPRS/UMTS Network Entities With the Virtual APN" section.
To configure a virtual access point on the GGSN, use the following commands, beginning in global configuration mode:
Note Although the Cisco IOS software allows you to configure other access point options on a virtual access point, no other access point options are applicable if they are configured.
Configuring Other GPRS/UMTS Network Entities With the Virtual APN
When you configure the GGSN to support virtual APN access, be sure that you also meet any necessary requirements for properly configuring other GPRS/UMTS network entities to support the virtual APN implementation.
The following GPRS/UMTS network entities might also require provisioning for proper implementation of virtual APN support:
•DHCP server—Requires configuration of the real APNs.
•DNS server—The DNS server that the SGSN uses to resolve the address of the GGSN must identify the virtual APN with the IP address of the GTP virtual template on the GGSN. If GTP SLB is implemented, then the virtual APN should be associated with the IP address of the GTP load balancing virtual server instance on the SLB router.
•HLR—Requires the name of the virtual APN in subscription data, as allowable for subscribed users.
•RADIUS server—Requires configuration of the real APNs.
•SGSN—Requires the name of the virtual APN as the default APN (as desired) when the APN is not provided in user subscription data.
Verifying the Virtual APN Configuration
This section describes how to verify that you have successfully configured virtual APN support on the GGSN, and includes the following tasks:
•Verifying the GGSN Configuration
•Verifying Reachability of the Network Through the Virtual Access Point
Verifying the GGSN Configuration
To verify that you have properly configured access points on the GGSN, use the show running-config command and the show gprs access-point commands.
Note The gprs access-point-list command first appears in the output of the show running-config command under the virtual template interface, which indicates that the GPRS access point list has been configured and is associated with the virtual template. To verify your configuration of specific access points within the GPRS access point list, look further down in the show command output where the gprs access-point-list command appears again, followed by the individual access point configurations.
Step 1 From privileged EXEC mode, use the show running-config command as shown in the following example from the Cisco 7200 platform. Verify the interface configuration and virtual and real access points:
GGSN# show running-config
Building configuration...
Current configuration : 3521 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
! Enable the router for GGSN services
!
service gprs ggsn
!
hostname ggsn
!
ip cef
!
no logging buffered
logging rate-limit console 10 except errors
aaa new-model
aaa group server radius foo
 server 172.18.43.7 auth-port 1645 acct-port 1646
aaa authentication ppp foo group foo
aaa authorization network foo group foo
aaa accounting network foo start-stop group foo
!
ip subnet-zero
!
!
no ip dhcp-client network-discovery
!
!
interface Loopback1
 ip address 10.2.3.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 172.18.43.174 255.255.255.240
 duplex half
!
interface FastEthernet2/0
 description Gn interface
 ip address 192.168.10.56 255.255.255.0
!
! Define Gi physical interfaces to real networks
!
interface Ethernet1/0
 description Gi interface to corporatea.com
 ip address 10.8.8.6 255.255.255.0
 no ip mroute-cache
 duplex half
!
interface Ethernet1/1
 description Gi interface to corporateb.com
 ip address 10.9.9.4 255.255.255.0
 no ip mroute-cache
 duplex half
!
interface Ethernet1/2
 description Gi interface to corporatec.com
 ip address 10.15.15.10 255.255.255.0
 no ip mroute-cache
 duplex half
!
interface loopback 1
 ip address 10.40.40.3 255.255.255.0
!
interface Virtual-Template1
 ip unnumber loopback 1
 encapsulation gtp
 gprs access-point-list gprs
!
ip default-gateway 172.18.43.161
ip kerberos source-interface any
ip classless
ip route 10.7.7.0 255.255.255.0 10.8.8.2
ip route 10.102.82.0 255.255.255.0 172.18.43.161
ip route 192.168.1.1 255.255.255.255 FastEthernet2/0
ip route 172.18.0.0 255.255.0.0 172.18.43.161
no ip http server
!
gprs access-point-list gprs
!
! Configure a virtual access point called corporate
!
 access-point 1
  access-point-name corporate
  access-type virtual
  exit
!
! Configure three real access points called corporatea.com,
! corporateb.com, and corporatec.com
!
 access-point 2
  access-point-name corporatea.com
  access-mode non-transparent
  aaa-group authentication foo
  exit
!
 access-point 3
  access-point-name corporateb.com
  exit
!
 access-point 4
  access-point-name corporatec.com
  access-mode non-transparent
  aaa-group authentication foo
  exit
!
!
gprs maximum-pdp-context-allowed 90000
gprs gtp path-echo-interval 0
gprs default charging-gateway 10.15.15.1
!
gprs memory threshold 512
!
radius-server host 172.18.43.7 auth-port 1645 acct-port 1646 non-standard
radius-server retransmit 3
radius-server key 7 12150415
call rsvp-sync
!
no mgcp timer receive-rtcp
!
mgcp profile default
!
!
gatekeeper
 shutdown
!
end
Step 2 To view the configuration of a specific access point on the GGSN in further detail, use the show gprs access-point command and specify the index number of the access point, as shown in the following examples.
The following output shows information about a real access point:
GGSN# show gprs access-point 2
apn_index 2 apn_name = corporatea.com
apn_mode: non-transparent
apn-type: Real
accounting: Disable
wait_accounting: Disable
dynamic_address_pool: not configured
apn_dhcp_server: 0.0.0.0
apn_dhcp_gateway_addr: 0.0.0.0
apn_authentication_server_group: foo
apn_accounting_server_group:
apn_username: , apn_password:
subscribe_required: No
deactivate_pdp_context_on violation: No
network_activation_allowed: No
Block Foreign-MS Mode: Disable
VPN: Disable
GPRS vaccess interface: Virtual-Access1
number of ip_address_allocated 0
Total number of PDP in this APN :1
aggregate:
In APN: Disable
In Global: Disable

The following output shows information about a virtual access point:

GGSN# show gprs access-point 1
apn_index 1 apn_name = corporate
apn_mode: transparent
apn-type: Virtual
accounting: Disable
wait_accounting: Disable
dynamic_address_pool: not configured
apn_dhcp_server: 0.0.0.0
apn_dhcp_gateway_addr: 0.0.0.0
apn_authentication_server_group:
apn_accounting_server_group:
apn_username: , apn_password:
subscribe_required: No
deactivate_pdp_context_on violation: No
network_activation_allowed: No
Block Foreign-MS Mode: Disable
VPN: Disable
GPRS vaccess interface: Virtual-Access2
number of ip_address_allocated 0
Total number of PDP in this APN :0
aggregate:
In APN: Disable
In Global: Disable

Step 3 To view a summary of every access point that is configured on the GGSN, use the show gprs access-point all command as shown in the following example:

GGSN# show gprs access-point all
There are 4 Access-Points configured

Index Mode            Access-type AccessPointName VRF Name
-----------------------------------------------------------------------
1     transparent     Virtual     corporate
-----------------------------------------------------------------------
2     non-transparent Real        corporatea.com
-----------------------------------------------------------------------
3     transparent     Real        corporateb.com
-----------------------------------------------------------------------
4     non-transparent Real        corporatec.com
-----------------------------------------------------------------------
Verifying Reachability of the Network Through the Virtual Access Point
To verify reachability of the real destination network through the virtual access point, you can use the same procedure described in the "Verifying Reachability of the Network Through the Access Point" section.
In addition, you should meet the following guidelines for virtual access point testing:
•When you initiate PDP context activation at the MS, be sure that the username that you specify (in the form of login@domain in the Create PDP Context request) corresponds to a real APN that you have configured on the GGSN.
•When you generate traffic to the network, be sure to select a host on one of the real destination networks that is configured for APN support on the GGSN.
Blocking Access to the GGSN by Foreign Mobile Stations
This section describes how to restrict access to the GGSN from mobile stations outside their home PLMN. It includes the following topics:
•Overview of Blocking Foreign Mobile Stations
•Blocking Foreign Mobile Stations Configuration Task List
Overview of Blocking Foreign Mobile Stations
The GGSN allows you to block access by mobile stations that are outside of the PLMN. When you enable blocking of foreign mobile stations, the GGSN determines whether an MS is inside or outside of the PLMN, based on the mobile country code (MCC) and mobile network code (MNC). You must specify the MCC and MNC codes on the GGSN to properly configure the home public land mobile network (HPLMN) values.
When you enable the blocking foreign MS access feature on the access point, then whenever the GGSN receives a Create PDP Context request, the GGSN compares the MCC and MNC in the TID against the home operator codes that you configure on the GGSN. If the MS mobile operator code fails the matching criteria on the GGSN, then the GGSN rejects the Create PDP Context request.
Blocking Foreign Mobile Stations Configuration Task List
To implement blocking of foreign mobile stations on the GGSN, you must enable the function and specify the supporting criteria for determining whether an MS is outside its home PLMN.
To configure blocking of foreign mobile stations on the GGSN, perform the following tasks:
•Configuring the MCC and MNC Values (Required)
•Enabling Blocking of Foreign Mobile Stations on the GGSN (Required)
•Verifying the Blocking of Foreign Mobile Stations Configuration
Configuring the MCC and MNC Values
The MCC and MNC together identify a public land mobile network (PLMN). The values that you configure using the gprs mcc mnc command without the trusted keyword option are those of the home PLMN ID, which is the PLMN to which the GGSN belongs.
Only one home PLMN can be defined for a GGSN at a time. The GGSN compares the IMSI in Create PDP Context requests with the values configured using this command to determine if a request is from a foreign MS.
You can also configure up to 5 trusted PLMNs by specifying the trusted keyword when issuing the gprs mcc mnc command. A Create PDP Context request from an MS in a trusted PLMN is treated the same as a Create PDP Context request from an MS in the home PLMN.
To configure the MCC and MNC values that the GGSN uses to determine whether a request is from a roaming MS, use the following command in global configuration mode:
Note The GGSN automatically specifies values of 000 for the MCC and MNC. However, you must configure non-zero values for both the MCC and MNC before you can enable the GGSN to create CDRs for roamers.
Enabling Blocking of Foreign Mobile Stations on the GGSN
To enable the GGSN to block foreign mobile stations from establishing PDP contexts, use the following command in access-point configuration mode:
Command                                        Purpose
Router(config-access-point)# block-foreign-ms  Restricts GGSN access at a particular access point based on the mobile user's HPLMN.
Note The MCC and MNC values that are used to determine whether a request is from a roaming MS must be configured before the GGSN can be enabled to block foreign mobile stations.
Verifying the Blocking of Foreign Mobile Stations Configuration
This section describes how to verify the blocking of foreign mobile stations configuration on the GGSN. It includes the following topics:
•Verifying Blocking of Foreign Mobile Stations at an Access Point
•Verifying the MCC and MNC Configuration on the GGSN
Verifying Blocking of Foreign Mobile Stations at an Access Point
To verify whether the GGSN is configured to support blocking of foreign mobile stations at a particular access point, use the show gprs access-point command. Observe the value of the Block Foreign-MS Mode output field as shown in bold in the following example:
GGSN# show gprs access-point 1
apn_index 1 apn_name = gprs.corporate.com
apn_mode: transparent
apn-type: Real
accounting: Disable
wait_accounting: Disable
dynamic_address_pool: dhcp-proxy-client
apn_dhcp_server: 10.99.100.5
apn_dhcp_gateway_addr: 10.27.1.1
apn_authentication_server_group: foo
apn_accounting_server_group: foo1
apn_username: , apn_password:
subscribe_required: No
deactivate_pdp_context_on violation: Yes
network_activation_allowed: Yes
Block Foreign-MS Mode: Enable
VPN: Enable (VRF Name : vpn1)
GPRS vaccess interface: Virtual-Access2
number of ip_address_allocated 0
Total number of PDP in this APN :0
aggregate:
In APN: auto
In Global: 30.30.0.0/16
           21.21.0.0/16

Verifying the MCC and MNC Configuration on the GGSN
To verify the configuration elements that the GGSN uses as matching criteria to determine whether a request is coming from a foreign mobile station, use the show gprs plmn privileged EXEC command. Observe the values of the output fields shown in bold in the following example. The example shows that the GGSN is configured for the USA country code (310) and for the Bell South network code (15), and that four trusted PLMNs have been configured:

GGSN# show gprs plmn
Home PLMN
MCC = 302 MNC = 678
Trusted PLMN
MCC = 346 MNC = 123
MCC = 234 MNC = 67
MCC = 123 MNC = 45
MCC = 100 MNC = 35
Note For a reference table of some of the established MCC and MNC codes, refer to the "Table of MCC and MNC Codes" appendix.
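The following is an added example, not Cisco code: it simulates the foreign-MS decision that block-foreign-ms applies to a Create PDP Context request, using the TID and the home/trusted PLMN values shown in the outputs above. The TID layout (IMSI as nibble-swapped BCD digits with the NSAPI in the last nibble) is the GTP convention; the prefix comparison and the function names are this example's own model of the check.

```python
from __future__ import annotations

# Home PLMN and trusted PLMNs as displayed by 'show gprs plmn' on this page.
HOME_PLMN = ("302", "678")
TRUSTED_PLMNS = [("346", "123"), ("234", "67"), ("123", "45"), ("100", "35")]
MAX_TRUSTED_PLMNS = 5               # the page allows up to 5 trusted PLMNs
UNCONFIGURED_PLMN = ("000", "000")  # GGSN default noted on this page


def decode_tid(tid_hex: str) -> tuple[str, int]:
    """Split a 16-hex-digit GTP TID into (IMSI, NSAPI).

    Each TID byte carries two BCD digits, low nibble first, so the printed hex
    string is nibble-swapped per byte; the last nibble is the NSAPI. The
    page's TID 1234567809000010 gives IMSI 214365879000000 and NSAPI 1,
    matching its 'show gprs gtp pdp-context' output.
    """
    if len(tid_hex) != 16 or not all(c in "0123456789abcdefABCDEF" for c in tid_hex):
        raise ValueError("TID must be exactly 16 hex digits")
    digits = "".join(tid_hex[i + 1] + tid_hex[i] for i in range(0, 16, 2))
    imsi, nsapi = digits[:15], int(digits[15], 16)
    if not imsi.isdigit():
        raise ValueError("IMSI must be 15 decimal (BCD) digits")
    return imsi, nsapi


def encode_tid(imsi: str, nsapi: int) -> str:
    """Inverse of decode_tid; used here only to build constructed sample TIDs."""
    digits = imsi + format(nsapi, "x")
    return "".join(digits[i + 1] + digits[i] for i in range(0, 16, 2))


def is_foreign_ms(imsi: str, home=HOME_PLMN, trusted=TRUSTED_PLMNS) -> bool:
    """True when the IMSI's leading MCC+MNC is neither the home PLMN nor one
    of the trusted PLMNs. An MNC may be 2 or 3 digits, so each configured
    PLMN is matched as a prefix of the IMSI rather than at a fixed width."""
    if len(trusted) > MAX_TRUSTED_PLMNS:
        raise ValueError("at most 5 trusted PLMNs can be configured")
    return not any(imsi.startswith(mcc + mnc) for mcc, mnc in [home, *trusted])


def screen_create_pdp_context(tid_hex: str, block_foreign_ms: bool,
                              home=HOME_PLMN, trusted=TRUSTED_PLMNS) -> str:
    """Return 'accept' or 'reject' for a Create PDP Context carrying tid_hex
    at an APN with block-foreign-ms on or off. The check refuses to run while
    the home PLMN still has the default 000/000 values."""
    imsi, _nsapi = decode_tid(tid_hex)
    if not block_foreign_ms:
        return "accept"
    if home == UNCONFIGURED_PLMN:
        raise RuntimeError("configure gprs mcc/mnc before enabling block-foreign-ms")
    return "reject" if is_foreign_ms(imsi, home, trusted) else "accept"


if __name__ == "__main__":
    print(decode_tid("1234567809000010"))                       # ('214365879000000', 1)
    print(screen_create_pdp_context("1234567809000010", True))  # reject: MCC 214 is foreign
    # Constructed home-PLMN subscriber (IMSI 302678123456789, NSAPI 5):
    print(screen_create_pdp_context(encode_tid("302678123456789", 5), True))  # accept
```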
Controlling Access to the GGSN by MSs with Duplicate IP Addresses
An MS cannot have the same IP address as another GPRS/UMTS network entity. You can configure the GGSN to reserve certain IP address ranges for use by the GPRS/UMTS network, and to disallow them from use by an MS.
During a Create PDP Context request, the GGSN verifies whether the IP address of an MS falls within the specified excluded range. If there is an overlap of the MS IP address with an excluded range, then the Create PDP Context request is rejected. This measure prevents duplicate IP addressing in the network.
You can configure up to 100 IP address ranges. A range can be one or more addresses. However, you can configure only one IP address range per command entry. To exclude a single IP address, you can repeat the IP address in the start-ip and end-ip arguments. IP addresses are 32-bit values.
Note On the Catalyst 6500 / Cisco 7600 platform, identical configurations must exist on each GGSN that is load-balanced by means of a virtual server.
To reserve IP address ranges for use by the GPRS/UMTS network and block their use by an MS, use the following command in global configuration mode:
Command                                                       Purpose
Router(config)# gprs ms-address exclude-range start-ip end-ip  Specifies the IP address ranges used by the GPRS/UMTS network, and thereby excluded from the MS IP address range.
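The following is an added example, not Cisco code: it models the duplicate-IP protection that the gprs ms-address exclude-range command provides, with the limits stated above (100 ranges, one range per command, start-ip equal to end-ip for a single address) and the three ranges from this chapter's configuration example. The class and method names are this example's own.

```python
from __future__ import annotations
import ipaddress

MAX_EXCLUDE_RANGES = 100   # limit stated on this page


class MsAddressExcludeList:
    """Address ranges reserved for GPRS/UMTS network entities that an MS may
    not be assigned. One exclude_range() call corresponds to one
    'gprs ms-address exclude-range start-ip end-ip' command."""

    def __init__(self) -> None:
        self._ranges: list[tuple[int, int]] = []

    def exclude_range(self, start_ip: str, end_ip: str) -> None:
        start = int(ipaddress.IPv4Address(start_ip))
        end = int(ipaddress.IPv4Address(end_ip))
        if start > end:
            raise ValueError(f"start-ip {start_ip} is after end-ip {end_ip}")
        if len(self._ranges) >= MAX_EXCLUDE_RANGES:
            raise ValueError("at most 100 exclude ranges can be configured")
        self._ranges.append((start, end))

    def is_excluded(self, ms_ip: str) -> bool:
        """True when ms_ip overlaps any reserved range (inclusive ends)."""
        addr = int(ipaddress.IPv4Address(ms_ip))
        return any(lo <= addr <= hi for lo, hi in self._ranges)

    def screen_create_pdp_context(self, ms_ip: str) -> str:
        """Decision the GGSN takes for the MS address in a Create PDP Context."""
        return "reject" if self.is_excluded(ms_ip) else "accept"

    def config_lines(self) -> list[str]:
        """CLI-equivalent lines, sorted so that two load-balanced GGSNs can be
        compared for the identical configuration the page requires."""
        return sorted(
            f"gprs ms-address exclude-range {ipaddress.IPv4Address(lo)} {ipaddress.IPv4Address(hi)}"
            for lo, hi in self._ranges
        )


def page_example_list() -> MsAddressExcludeList:
    """The three ranges from this chapter's configuration example."""
    ex = MsAddressExcludeList()
    ex.exclude_range("10.0.0.1", "10.20.40.50")
    ex.exclude_range("172.16.150.200", "172.30.200.255")
    ex.exclude_range("192.168.100.100", "192.168.200.255")
    return ex


if __name__ == "__main__":
    ex = page_example_list()
    # Reserve a single address (the DHCP server shown earlier on this page)
    # by repeating it as both start-ip and end-ip.
    ex.exclude_range("10.99.100.5", "10.99.100.5")
    for ms in ("10.20.40.50", "10.20.40.51", "10.99.100.5", "192.168.99.1"):
        print(ms, ex.screen_create_pdp_context(ms))
```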
Configuring Routing Behind the Mobile Station on an APN
The routing behind the MS feature enables the routing of packets to IP addresses that do not belong to the PDP context (the MS) but exist behind it. The network address of the destination can be different from the MS address.
Before enabling routing behind the MS, the following requirements must be met:
•The MS must use RADIUS for authentication and authorization.
•At minimum, one Framed-Route, attribute 22 as defined in Internet Engineering Task Force (IETF) standard RFC 2865, must be configured in the RADIUS server for each MS that wants to use this feature.
When configured, the Framed-Route attribute is automatically downloaded to the GGSN during the authentication and authorization phase of the PDP context creation. If routing behind the MS is not enabled, the GGSN ignores the Framed-Route attribute. If multiple Framed-Route attributes have been configured for an MS, the GGSN uses the first attribute configured. When the MS session is no longer active, the route is deleted.
•For PDP Regen or PPP with L2TP sessions, the Framed-Route attribute must be configured in the RADIUS server of the LNS.
•For PPP Regen sessions, if the security verify source command is configured, the Framed-Route attribute must also be configured in the user profile in the GGSN RADIUS server.
Enabling Routing Behind the Mobile Station
To enable routing behind an MS, use the following command in access-point configuration mode:
Command                                             Purpose
Router(config-access-point)# network-behind-mobile  Enables an access point to support routing behind an MS.
Use the show ip route privileged EXEC command to view the current state of the routing table. To display a list of currently active mobile sessions, use the show pdp command.
Note Packets routed behind the MS share the same 3GPP QoS settings of the MS.
Verifying the Routing Behind the Mobile Station Configuration
To verify the routing behind the mobile station configuration, use the following show commands.
Step 1 From privileged EXEC mode, use the show gprs gtp pdp-context tid and show ip route commands to view the framed route and the static route that was added for it, which uses the IP address of the PDP context as the gateway address:

GGSN# show gprs gtp pdp-context tid 1234567809000010
TID              MS Addr   Source SGSN Addr APN
1234567809000010 83.83.0.1 Static 2.1.1.1   ippdp1

current time :Feb 09 2004 12:52:49
user_name (IMSI):214365879000000 MS address:83.83.0.1
MS International PSTN/ISDN Number (MSISDN):123456789
sgsn_addr_signal:2.1.1.1 sgsn_addr_data: 2.1.1.1
control teid local: 0x637F00EC
control teid remote:0x01204611
data teid local: 0x637DFF04
data teid remote: 0x01204612
primary pdp:Y nsapi:1
signal_sequence: 11 seq_tpdu_up: 0
seq_tpdu_down: 0
upstream_signal_flow: 0 upstream_data_flow: 0
downstream_signal_flow:0 downstream_data_flow:0
RAupdate_flow: 0
pdp_create_time: Feb 09 2004 12:50:41
last_access_time: Feb 09 2004 12:50:41
mnrgflag: 0 tos mask map:00
gtp pdp idle time:72
gprs qos_req:000000 canonical Qos class(reg.):03
gprs qos_neg:000000 canonical Qos class(neg.):03
effective bandwidth:0.0
rcv_pkt_count: 0 rcv_byte_count: 0
send_pkt_count: 0 send_byte_count: 0
cef_up_pkt: 0 cef_up_byte: 0
cef_down_pkt: 0 cef_down_byte: 0
cef_drop: 0 out-sequence pkt:0
charging_id: 736730069
pdp reference count:2
primary dns: 0.0.0.0
secondary dns: 0.0.0.0
primary nbns: 0.0.0.0
secondary nbns: 0.0.0.0
ntwk_init_pdp: 0
Framed_route 5.5.5.0 mask 255.255.255.0
GGSN#
GGSN# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    2.0.0.0/8 is directly connected, FastEthernet6/0
     5.0.0.0/24 is subnetted, 1 subnets
U       5.5.5.0 [1/0] via 83.83.0.1
     83.0.0.0/32 is subnetted, 1 subnets
U       83.83.0.1 [1/0] via 0.0.0.0, Virtual-Access2
     8.0.0.0/32 is subnetted, 1 subnets
C       8.8.0.1 is directly connected, Loopback0
GGSN#
GGSN# show ip route vrf vpn4

Routing Table: vpn4
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     80.0.0.0/16 is subnetted, 1 subnets
C       80.1.0.0 is directly connected, FastEthernet3/0
     5.0.0.0/24 is subnetted, 1 subnets
U       5.5.5.0 [1/0] via 123.123.123.123
     123.0.0.0/32 is subnetted, 1 subnets
U       123.123.123.123 [1/0] via 0.0.0.0, Virtual-Access9
GGSN#

Step 2 From privileged EXEC mode, use the show gprs gtp statistics command to view network-behind-mobile-station statistics (displayed in bold in the following example):
GGSN# show gprs gtp statistics
GPRS GTP Statistics:
  version_not_support        0    msg_too_short              0
  unknown_msg                0    unexpected_sig_msg         0
  unexpected_data_msg        0    unsupported_comp_exthdr    0
  mandatory_ie_missing       0    mandatory_ie_incorrect     0
  optional_ie_invalid        0    ie_unknown                 0
  ie_out_of_order            0    ie_unexpected              0
  ie_duplicated              0    optional_ie_incorrect      0
  pdp_activation_rejected    2    tft_semantic_error         0
  tft_syntactic_error        0    pkt_ftr_semantic_error     0
  pkt_ftr_syntactic_error    0    non_existent               0
  path_failure               0    total_dropped              0
  signalling_msg_dropped     0    data_msg_dropped           0
  no_resource                0    get_pak_buffer_failure     0
  rcv_signalling_msg         7    snd_signalling_msg         7
  rcv_pdu_msg                0    snd_pdu_msg                0
  rcv_pdu_bytes              0    snd_pdu_bytes              0
  total created_pdp          3    total deleted_pdp          2
  total created_ppp_pdp      0    total deleted_ppp_pdp      0
  ppp_regen_pending          0    ppp_regen_pending_peak     0
  ppp_regen_total_drop       0    ppp_regen_no_resource      0
  ntwk_init_pdp_act_rej      0    total ntwkInit created pdp 0
GPRS Network behind mobile Statistics:
  network_behind_ms APNs     1    total_download_route       5
  save_download_route_fail   0    insert_download_route_fail 2
  total_insert_download_route 3
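The following is an added example, not Cisco code: it models how routing behind the MS turns a RADIUS Framed-Route (attribute 22, RFC 2865) into a per-user static route whose next hop is the PDP context address, and withdraws that route when the session ends, using the addresses from the show output above. The class and counter names, and the rule that a prefix already installed for another session counts as an insert failure, are this example's assumptions modelled on the statistics block above.

```python
from __future__ import annotations
import ipaddress


def parse_framed_route(value: str) -> ipaddress.IPv4Network:
    """RFC 2865 Framed-Route text is '<prefix>/<len> <gateway> [<metric>...]'.
    Only the destination prefix is used: the GGSN routes it via the MS
    address, so the gateway and metric fields are ignored here."""
    prefix = value.split()[0]
    if "/" not in prefix:
        raise ValueError("Framed-Route needs an explicit prefix length: " + value)
    return ipaddress.IPv4Network(prefix, strict=True)


class RoutingBehindMs:
    """Per-user static routes installed for active PDP contexts."""

    def __init__(self) -> None:
        self.routes: dict[ipaddress.IPv4Network, str] = {}    # prefix -> MS address
        self.sessions: dict[str, ipaddress.IPv4Network] = {}  # TID -> prefix
        self.stats = {"total_download_route": 0,
                      "insert_download_route_fail": 0,
                      "total_insert_download_route": 0}

    def pdp_activate(self, tid: str, ms_addr: str, framed_routes: list[str],
                     network_behind_mobile: bool):
        """Called after RADIUS authorization for a new PDP context. Returns the
        installed route as a 'show ip route' style line, or None."""
        if not network_behind_mobile or not framed_routes:
            return None          # attribute downloaded but ignored at this APN
        net = parse_framed_route(framed_routes[0])   # only the first one is used
        self.stats["total_download_route"] += 1
        if net in self.routes:   # assumption: an occupied prefix is not overwritten
            self.stats["insert_download_route_fail"] += 1
            return None
        self.routes[net] = ms_addr
        self.sessions[tid] = net
        self.stats["total_insert_download_route"] += 1
        return f"U    {net.network_address} [1/0] via {ms_addr}"

    def pdp_delete(self, tid: str) -> None:
        """When the MS session ends, its per-user route is deleted."""
        net = self.sessions.pop(tid, None)
        if net is not None:
            del self.routes[net]

    def next_hop(self, dst_ip: str):
        """Longest-prefix match over the framed routes; None if no MS owns it."""
        dst = ipaddress.IPv4Address(dst_ip)
        best = None
        for net, ms_addr in self.routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ms_addr)
        return best[1] if best else None


if __name__ == "__main__":
    table = RoutingBehindMs()
    # Values from the page: TID 1234567809000010, MS 83.83.0.1, route 5.5.5.0/24.
    print(table.pdp_activate("1234567809000010", "83.83.0.1",
                             ["5.5.5.0/24 0.0.0.0 1"], True))  # U    5.5.5.0 [1/0] via 83.83.0.1
    print(table.next_hop("5.5.5.7"))                            # 83.83.0.1
    table.pdp_delete("1234567809000010")
    print(table.next_hop("5.5.5.7"))                            # None
```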
Configuration Examples
This section includes the following configuration examples for configuring different types of network access to the GGSN:
•Access Point List Configuration Example
•VRF Tunnel Configuration Example
•Virtual APN Configuration Example
•Blocking Access by Foreign Mobile Stations Configuration Example
•Duplicate IP Address Protection Configuration Example
Static Route to SGSN Example
Cisco 7200 Platform
The following example shows how to configure a static route from a physical interface on the GGSN to the SGSN.
Notice the following areas in the GGSN configuration shown in this example:
•Fast Ethernet 0/0 is the physical interface to the SGSN, which is known as the Gn interface.
•In this example, the SGSN is located at IP address 192.168.1.1. Using the ip route command, a static route is configured to the SGSN located at 192.168.1.1 from the Fast Ethernet 0/0 interface on the GGSN.
GGSN Configuration
! Configure Gn interface on GGSN to communicate with SGSN
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.0.0.0
 no ip directed-broadcast
 no ip mroute-cache
 no keepalive
!
ip route 192.168.1.1 255.255.255.255 FastEthernet0/0
Note For the SGSN to successfully communicate with the GGSN, the SGSN must configure a static route or must be able to dynamically route to the IP address used by the GGSN virtual template.
Catalyst 6500 / Cisco 7200 Platform
On the GGSN:
!
...
!
interface Loopback100
 description GPRS GTP V-TEMPLATE IP ADDRESS
 ip address 9.9.9.72 255.255.255.0
!
interface GigabitEthernet0/0.2
 description Ga/Gn Interface
 encapsulation dot1Q 101
 ip address 10.1.1.72 255.255.255.0
 no cdp enable
!
interface Virtual-Template1
 description GTP v-access
 ip unnumbered Loopback100
 encapsulation gtp
 gprs access-point-list gprs
!
ip route 40.1.2.1 255.255.255.255 10.1.1.1
ip route 40.1.3.10 255.255.255.255 10.1.1.1
ip route 40.2.2.1 255.255.255.255 10.1.1.1
ip route 40.2.3.10 255.255.255.255 10.1.1.1
!
...
!

Related configuration on the Supervisor/MSFC2:

!
...
!
interface FastEthernet8/22
 no ip address
 switchport
 switchport access vlan 302
!
interface FastEthernet9/41
 no ip address
 switchport
 switchport access vlan 303
!
interface Vlan101
 description Vlan to GGSN for GA/GN
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan302
 ip address 40.0.2.1 255.255.255.0
!
interface Vlan303
 ip address 40.0.3.1 255.255.255.0
!
ip route 9.9.9.72 255.255.255.255 10.1.1.72
ip route 9.9.9.73 255.255.255.255 10.1.1.73
ip route 9.9.9.74 255.255.255.255 10.1.1.74
ip route 9.9.9.75 255.255.255.255 10.1.1.75
ip route 9.9.9.76 255.255.255.255 10.1.1.76
ip route 40.1.2.1 255.255.255.255 40.0.2.11
ip route 40.1.3.10 255.255.255.255 40.0.3.10
ip route 40.2.2.1 255.255.255.255 40.0.2.11
ip route 40.2.3.10 255.255.255.255 40.0.3.10
!
...
!

Access Point List Configuration Example
The following example (from the Cisco 7200 platform) shows a portion of the GGSN configuration for a GPRS access point list:
!
interface virtual-template 1
 ip unnumber loopback 1
 no ip directed-broadcast
 encapsulation gtp
 gprs access-point-list abc
!
! Defines a GPRS access point list named abc
! with 3 access points
!
gprs access-point-list abc
 access-point 1
  access-point-name gprs.pdn1.com
  ip-address-pool dhcp-proxy-client
  dhcp-server 10.102.100.3
  dhcp-gateway-address 10.30.30.30
  exit
!
 access-point 2
  access-point-name gprs.pdn2.com
  ip-address-pool dhcp-proxy-client
  dhcp-server 10.60.0.1
  dhcp-gateway-address 10.27.27.27
  exit
!
 access-point 3
  access-point-name www.pdn3.com
  access-mode non-transparent
  dhcp-gateway-address 10.25.25.25
  aaa-group authentication foo
  exit
!
. . .
VRF Tunnel Configuration Example
Cisco 7200 Platform
The following example shows a partial configuration for a virtual private network named "vpn1" using VRF:
! Configure a VRF routing table
! and define an identifier
!
ip vrf vpn1
 rd 100:1
!
! Enable CEF switching
!
ip cef
!
interface Loopback101
 ip address 10.14.101.1 255.255.255.255
!
! Configure a tunnel interface
! to a private network using VRF
!
interface Tunnel1
 ip vrf forwarding vpn1
 ip address 10.1.101.1 255.255.255.0
 tunnel source 10.14.101.1
 tunnel destination 10.13.101.1
!
! Configure OSPF routing using VRF
!
router ospf 101 vrf vpn1
 log-adjacency-changes
 redistribute static subnets
 network 10.1.101.0 0.0.0.255 area 0
!
! Configure VRF at the access point
!
gprs access-point-list gprs
 access-point 1
  access-point-name gprs.cisco.com
  vrf vpn1
  exit

Catalyst 6500 / Cisco 7600 Platform
The following examples show a partial configuration for two VPNs (vpn1 and vpn2) and their associated GRE tunnel configurations (Tunnel1 and Tunnel2).
On the GGSN:
service gprs ggsn
!
hostname 6500-7-2
!
ip cef
!
ip vrf vpn1
 description GRE Tunnel 1
 rd 100:1
!
ip vrf vpn2
 description GRE Tunnel 3
 rd 101:1
!
interface Loopback1
 ip address 150.1.1.72 255.255.0.0
!
interface Loopback100
 description GPRS GTP V-TEMPLATE IP ADDRESS
 ip address 9.9.9.72 255.255.255.0
!
interface Tunnel1
 description VRF-GRE to PDN 7500(13) Fa0/1
 ip vrf forwarding vpn1
 ip address 50.50.52.72 255.255.255.0
 tunnel source 150.1.1.72
 tunnel destination 165.2.1.13
!
interface Tunnel2
 description VRF-GRE to PDN PDN 7200(12) Fa3/0
 ip vrf forwarding vpn2
 ip address 80.80.82.72 255.255.255.0
 tunnel source 150.1.1.72
 tunnel destination 167.2.1.12
!
interface GigabitEthernet0/0.1
 description Gi
 encapsulation dot1Q 100
 ip address 10.1.2.72 255.255.255.0
!
interface Virtual-Template1
 description GTP v-access
 ip unnumbered Loopback100
 encapsulation gtp
 gprs access-point-list gprs
!
ip local pool vpn1_pool 100.2.0.1 100.2.255.255 group vpn1
ip local pool vpn2_pool 100.2.0.1 100.2.255.255 group vpn2
ip route vrf vpn1 0.0.0.0 0.0.0.0 Tunnel1
ip route vrf vpn2 0.0.0.0 0.0.0.0 Tunnel2
gprs access-point-list gprs
 access-point 1
  access-point-name apn.vrf1.com
  access-mode non-transparent
  aaa-group authentication ipdbfms
  ip-address-pool local vpn1_pool
  vrf vpn1
!
 access-point 2
  access-point-name apn.vrf2.com
  access-mode non-transparent
  aaa-group authentication ipdbfms
  ip-address-pool local vpn2_pool
  vrf vpn2
!

Related configuration on the Supervisor / MSFC2:

interface FastEthernet9/5
 no ip address
 switchport
 switchport access vlan 167
 no cdp enable
!
interface FastEthernet9/10
 no ip address
 switchport
 switchport access vlan 165
 no cdp enable
!
interface Vlan165
 ip address 165.1.1.1 255.255.0.0
!
interface Vlan167
 ip address 167.1.1.1 255.255.0.0
!
! provides route to tunnel endpoints on GGSNs
!
ip route 150.1.1.72 255.255.255.255 10.1.2.72
!
! routes to tunnel endpoints on PDN
!
ip route 165.2.0.0 255.255.0.0 165.1.1.13
ip route 167.2.0.0 255.255.0.0 167.1.1.12

Virtual APN Configuration Example
The following example shows a GGSN that is configured for a virtual APN access point that serves as the focal connection for three different real corporate networks.
Notice the following areas in the GGSN configuration shown in this example:
•Three physical interfaces (Gi interfaces) are defined to establish access to the real corporate networks: Ethernet 1/0, Ethernet 1/1, and Ethernet 1/2.
•Four access points are configured:
–Access point 1 is configured as the virtual access point with an APN called corporate. No other configuration options are applicable at the virtual access point. The "corporate" virtual APN is the APN that is provisioned at the HLR and DNS server.
–Access points 2, 3, and 4 are configured to the real network domains: corporatea.com, corporateb.com, and corporatec.com. The real network domains are indicated in the PCO of the PDP context request.
Figure 7-3 Virtual APN Configuration Example
GGSN Configuration
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
! Enable the router for GGSN services
!
service gprs ggsn
!
hostname ggsn
!
ip cef
!
no logging buffered
logging rate-limit console 10 except errors
aaa new-model
aaa group server radius foo
 server 172.18.43.7 auth-port 1645 acct-port 1646
aaa authentication ppp foo group foo
aaa accounting network foo start-stop group foo
!
ip subnet-zero
!
!
no ip dhcp-client network-discovery
!
!
interface Loopback1
 ip address 10.2.3.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 172.18.43.174 255.255.255.240
 duplex half
!
interface FastEthernet2/0
 description Gn interface
 ip address 192.168.10.56 255.255.255.0
!
! Define Gi physical interfaces to real networks
!
interface Ethernet1/0
 description Gi interface to corporatea.com
 ip address 10.8.8.6 255.255.255.0
 no ip mroute-cache
 duplex half
!
interface Ethernet1/1
 description Gi interface to corporateb.com
 ip address 10.9.9.4 255.255.255.0
 no ip mroute-cache
 duplex half
!
interface Ethernet1/2
 description Gi interface to corporatec.com
 ip address 10.15.15.10 255.255.255.0
 no ip mroute-cache
 duplex half
!
interface loopback 1
 ip address 10.40.40.3 255.255.255.0
!
interface Virtual-Template1
 ip unnumber loopback 1
 encapsulation gtp
 gprs access-point-list gprs
!
ip default-gateway 172.18.43.161
ip kerberos source-interface any
ip classless
ip route 10.7.7.0 255.255.255.0 10.8.8.2
ip route 10.21.21.0 255.255.255.0 Ethernet1/1
ip route 10.102.82.0 255.255.255.0 172.18.43.161
ip route 192.168.1.1 255.255.255.255 FastEthernet2/0
ip route 172.18.0.0 255.255.0.0 172.18.43.161
no ip http server
!
gprs access-point-list gprs
!
! Configure a virtual access point called corporate
!
 access-point 1
  access-point-name corporate
  access-type virtual
  exit
!
! Configure three real access points called corporatea.com,
! corporateb.com, and corporatec.com
!
 access-point 2
  access-point-name corporatea.com
  access-mode non-transparent
  aaa-group authentication foo
  exit
 access-point 3
  access-point-name corporateb.com
  access-mode transparent
  ip-address-pool dhcp-client
  dhcp-server 10.21.21.1
  exit
!
 access-point 4
  access-point-name corporatec.com
  access-mode non-transparent
  aaa-group authentication foo
  exit
!
!
gprs maximum-pdp-context-allowed 90000
gprs gtp path-echo-interval 0
gprs default charging-gateway 10.15.15.1
!
gprs memory threshold 512
!
radius-server host 172.18.43.7 auth-port 1645 acct-port 1646 non-standard
radius-server retransmit 3
radius-server key 7 12150415
call rsvp-sync
!
no mgcp timer receive-rtcp
!
mgcp profile default
!
!
gatekeeper
 shutdown
!
end

Blocking Access by Foreign Mobile Stations Configuration Example
The following example shows a partial configuration in which access point 100 blocks access by foreign mobile stations:
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
! Enables the router for GGSN services
!
service gprs ggsn
!
hostname ggsn
!
ip cef
!
gprs access-point-list gprs
!
 access-point 100
  access-point-name blocking
!
! Enables blocking of MS to APN 100
! that are outside of the PLMN
!
  block-foreign-ms
  exit
!
. . .
!
! Configures the MCC and MNC codes
!
gprs mcc 123 mnc 456

Duplicate IP Address Protection Configuration Example
The following example shows a partial configuration that specifies three different sets of IP address ranges used by the GPRS/UMTS network (which are thereby excluded from the MS IP address range):
gprs ms-address exclude-range 10.0.0.1 10.20.40.50
gprs ms-address exclude-range 172.16.150.200 172.30.200.255
gprs ms-address exclude-range 192.168.100.100 192.168.200.255