Access Restriction based on Regional Zone Code

This chapter describes access restrictions based on regional zone codes, which are configured under a TAI-Object.

Feature Description

Zone codes are used to identify the group of Tracking Area Identities (mcc-mnc-tac), and to further restrict or allow services under those TAI, based on Call Control and/or Operator policies. The scope of zone code is defined as a set of TAIs. This is configurable under LTE TAI Management Object.

Until release 21.0, only one zone code value was configurable under each TAI-Object. Due to this limitation, configuring and managing different access restrictions per TAI-Object separately for each PLMN required a complex configuration or a separate TAI-DB for each PLMN.

To overcome this limitation, in release 21.1, this feature is modified to configure multiple zone code values under the same TAI-Object. It allows specific zone codes to be managed based on call-control-profile / HSS (per roaming partner). Also, this feature supports overlapping of zones by allowing multiple zone code values to which a TAI-Object belongs.

How It Works

Regional Zone Code Identity

A PLMN-specific regional subscription unambiguously defines the region in which roaming is allowed, for the entire PLMN. It consists of one or more regional subscription zones. The regional subscription zone is identified by a Regional Subscription Zone Identity (RSZI).

The RSZI elements are defined below:

  • Country Code (CC): This defines the country in which the PLMN is located.

  • National Destination Code (NDC): Identifies the PLMN in that country.

  • Zone Code (ZC): Identifies a regional subscription zone as a pattern of "allowed" and "not allowed" location areas uniquely within that PLMN. ZC has a fixed length of two octets and is coded in full hexadecimal representation.

RSZIs, including ZCs, are assigned by the VPLMN operator.

Information Storage

If a mobile subscriber has a regional subscription, the HSS stores a list of up to 10 Regional Subscription Zone Identities (RSZIs) for each PLMN involved. This is sufficient to store the Zone Code List per CC NDC. On updating the MME, the HSS identifies the VPLMN and NDC given by the MME and transfers the corresponding Zone Code List to the MME. The UE is allowed access to all zone codes provided in the subscription data received from the HSS. The Zone Code List maintained by the MME consists of Zone Codes without CC and NDC.

Regional Zone Code Restriction

Regional Zone Code Restriction allows an operator to control the areas into which a UE can roam and receive service. The code representing the zone in which a UE is to be offered service by the network can be configured in the HSS or using local provisioning in the MME.

Once provisioned, the following restriction types are supported on the MME:

  • HSS subscription based zone code restriction - if the subscription data in the HSS contains zone codes, the UE is allowed to attach/connect only in those zones. Support for Regional Zone Code restriction based on HSS subscription data allows operators to offer zone based EPC subscriptions to home subscribers.


    Note


    Regional subscription zone codes are populated only when HSS returns the zone codes configured in the subscription profile (as shown below). HSS returned zone codes are only configured as Allowed, not as Restricted.


    Subscription Profile
      Regional Subscription Zone Codes 
        Zone Code: 1
        Zone Code: 12
        Zone Code: 234
        Zone Code: 4567
        Zone Code: 890
  • Local policy based zone code restrictions - using the operator policy on the MME, certain ranges of IMSI or specific PLMN(s) can be restricted from, or allowed to camp on, zones within the MME service area. This policy could apply to any PLMN. Local policy based zone code restriction allows operators to control access of EPC by roaming subscribers on a zone basis.

  • Call-Control-Profile based restriction:

    • In the call-control-profile, the operator can configure zone codes as a list of allowed zone codes for a TAI-list.
      config
      call-control-profile ccp
      lte-zone-code allow zone-code-list 100 147 170

      If an "allow" zone code configured in the call-control-profile matches a zone code from the TAI-Object list, the zone code validation succeeds; otherwise it fails.

    • In the call-control-profile, the operator can configure zone codes as a list of restricted zone codes for a TAI-list.
      config
      call-control-profile ccp
      lte-zone-code restrict zone-code-list 100 147 170

      If any “restrict” zone code configured under the call-control-profile matches any zone code from the TAI-Object, the zone code validation fails; otherwise it succeeds.


When zone code validation fails (either with HSS or call-control-profile), the EMM Cause Code to be sent in the reject message can be configured in the call-control-profile.
  • On failure, if no EMM Cause Code is configured, the default EMM Cause Code sent in the reject message is #13, 'roaming-not-allowed-in-this-tracking-area', for roaming subscribers and #12, 'tracking-area-not-allowed', for home subscribers.

  • The other EMM Cause Codes are: 'no-suitable-cell-in-tracking-area', 'eps-service-not-allowed-in-this-plmn', and 'plmn-not-allowed'.

  • When a UE is rejected either because the zone code was not in the allowed list or because it was not in the restricted list, the above mentioned EMM Cause Codes can be configured.

Use the following CLI commands to configure EMM Cause Codes during a zone code validation failure:

config
   call-control-profile profile_name
      local-cause-code-mapping restricted-zone-code emm-cause-code [ eps-service-not-allowed-in-this-plmn | no-suitable-cell-in-tracking-area | plmn-not-allowed | roaming-not-allowed-in-this-tracking-area | tracking-area-not-allowed ]
      [ remove ] local-cause-code-mapping restricted-zone-code
      end

Notes:

  • The local-cause-code-mapping restricted-zone-code command configures the reject cause code to send to a UE when a UE requests access to a restricted zone.

  • The emm-cause-code command specifies the EPS Mobility Management (EMM) cause code to return when a UE requests access to a restricted zone. The emm-cause-code value must be one of the following options:
    • eps-service-not-allowed-in-this-plmn

    • no-suitable-cell-in-tracking-area - Default.

    • plmn-not-allowed

    • roaming-not-allowed-in-this-tracking-area

    • tracking-area-not-allowed

  • The remove local-cause-code-mapping restricted-zone-code command removes the configured cause code mapping.

Standards Compliance

The Access Restrictions based on Regional Zone Codes feature complies with the following standards:

  • 3GPP TS 24.301 V9.5.0 (2010-12), 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3 (Release 9)

  • 3GPP TS 29.272 V9.5.0 (2010-12), 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Evolved Packet System (EPS); Mobility Management Entity (MME) and Serving GPRS Support Node (SGSN) related interfaces based on Diameter protocol (Release 9)

  • 3GPP TS 29.274 V9.4.0 (2010-09), 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; 3GPP Evolved Packet System (EPS); Evolved General Packet Radio Service (GPRS) Tunnelling Protocol for Control plane (GTPv2-C); Stage 3 (Release 9)

  • 3GPP TS 29.002 V9.4.0 (2010-09), 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; 3GPP Evolved Packet System (EPS); Mobile Application Part (MAP); (Release 9)

  • 3GPP TS 23.008 V9.4.0 (2010-09), 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; 3GPP Evolved Packet System (EPS); Organization of Subscription Data; (Release 9)

  • 3GPP TS 23.003 V9.4.0 (2010-09), 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; 3GPP Evolved Packet System (EPS); Numbering, Addressing and Identification; (Release 9)

Limitations

The Access Restriction based on Regional Zone Code feature has the following limitations:

  • If an ISDR is received from the HSS for an attached subscriber, the MME does not detach the subscriber but rejects the next TAU request.

  • If both call control policy based restrictions and HSS subscription based zone code restrictions are present during a call, only HSS based restrictions will be processed. For a zone code in an HSS accept list, the call will be progressed, and for a zone code that is not in the HSS accept list, the message will be rejected, regardless of any call control profile being active for the call.

  • Changes to zone code mapping or call control profile mapping will not detach the currently attached subscribers. Changes to the call control profile and to the mapping of TAI to zone codes affect the processing of any incoming messages after the change.


Note


This feature should be configured with either an HSS-provided zone-code policy or a locally configured zone-code policy, but not both. If both are configured, the MME selects the HSS-provided zone-code policy, which leads to unexpected behavior.


Configuring Access Restriction based on Regional Zone Code

In release 21.1, the CLI command to configure zone code under a TAI-Object is extended to configure multiple zone code values under the same TAI-Object. A maximum of 10 zone codes is configurable under each TAI-Object.

During the configuration, the operator should be mindful of the following:

  • Zone codes can be configured as single zone code per configuration line or multiple zone codes per configuration line. It is recommended to enter multiple zone codes per configuration line to reduce the configuration load time.

  • Duplicate zone codes are not allowed under the same TAI-Object. However, the same zone code can be configured in a different TAI-Object.

  • If a single configuration line contains both duplicate and unique zone codes, only the duplicate zone codes are rejected; the unique zone codes are accepted.

  • If the number of zone codes entered in a single configuration line is greater than 10, then only 10 minus the initially configured zone codes will be accepted and configured.

  • During the configuration, if all 10 slots are already configured, any extra zone code values are rejected with a suitable error.

  • If the zone codes are configured when the subscribers are already attached, the currently attached subscribers are not detached. Changes to the mapping of TAI to Zone codes affect the processing of any incoming messages. So, if the mapping of TAI to zone codes is changed after an initial attach, the next TAU message zone code validation with a HSS/call-control-profile is processed with the newly updated zone code configuration. The initial attach message for new subscribers uses the updated zone code configuration.

    The session manager instance, as displayed in the log, must be reloaded to push the correct configuration to the respective session manager after session manager recovery. This will ensure that the configuration in the session manager and the SCT are in sync.

Use the following CLI commands to enable Access Restriction based on Regional Zone Codes:

configure
   lte-policy
      tai-mgmt-db database_name
         tai-mgmt-obj object_name
            [ no ] zone-code zonecode_value  [ zonecode_value2 [...[ zonecode_value10 ] ] ]
            end

Notes:

  • The zone-code command configures zone code values under a TAI object. In release 21.1, the number of zone codes values configurable in a single line configuration is extended to 10 values under a TAI-list. For example, zone-code 10 11 12 13 14 15 16 17 18 19

  • By default, the zone-code command is not enabled.

  • The no zone-code <zonecode_value2>…<zonecode_value10> command removes the selected zone code values from the TAI-list. For example, with the configuration no zone-code 10 11 12, only the zone code values 10, 11 and 12 are removed from the existing TAI-list, whereas the other zone code values remain configured in the TAI-list.

Example Configuration

The following is an example configuration to allow access to TAIs for PLMN with a specific value of mcc/mnc, and a configuration to restrict access to specific TAI values for a different PLMN.

config
   operator-policy name Partner-1-policy
      associate call-control-profile CCP1
   #exit
   operator-policy name Partner-2-policy
      associate call-control-profile CCP2
   #exit
   lte-policy
      subscriber-map sm1
         precedence 100 match-criteria imsi mcc 111 mnc 222 operator-policy-name Partner-1-policy
         precedence 101 match-criteria imsi mcc 111 mnc 333 operator-policy-name Partner-2-policy
      exit
      tai-mgmt-db TMD
         tai-mgmt-obj OBJ1
            zone-code 11 21
            tai mcc 123 mnc 456 tac 1234
            tai mcc 123 mnc 456 tac 1235
            tai mcc 123 mnc 456 tac 1236
            tai mcc 123 mnc 456 tac 1237
         #exit
         tai-mgmt-obj OBJ2
            zone-code 12
            tai mcc 123 mnc 456 tac 2234
            tai mcc 123 mnc 456 tac 2235
            tai mcc 123 mnc 456 tac 2236
         #exit
         tai-mgmt-obj OBJ3
            zone-code 13 22
            tai mcc 321 mnc 456 tac 1244
            tai mcc 321 mnc 456 tac 1245
            tai mcc 321 mnc 456 tac 1248
            tai mcc 321 mnc 456 tac 1249
         #exit
         tai-mgmt-obj OBJ4
            zone-code 23
            tai mcc 321 mnc 456 tac 2244
            tai mcc 321 mnc 456 tac 2245
            tai mcc 321 mnc 456 tac 2247
            tai mcc 321 mnc 456 tac 2248
         #exit
      #exit
   #exit
   call-control-profile CCP1
      lte-zone-code allow zone-code-list 11 12 13
      associate tai-mgmt-db TMD
   #exit
   call-control-profile CCP2
      lte-zone-code restrict zone-code-list 21 22 23
      associate tai-mgmt-db TMD
   #exit
end

Configuration Description

In the above configurations, UEs are mapped to separate zone code numbers. Each zone code can be associated with TAIs independently of the others.

From the example above, for “allow” access:

For UEs from the PLMN with mcc = 111 and mnc = 222, operator policy = Partner-1-policy and call-control-profile = CCP1 apply. With reference to CCP1, zone codes 11, 12 and 13 are allowed from the associated tai-mgmt-db = TMD. UEs from this PLMN will be allowed access to TAI values in tai-mgmt-obj = OBJ1, OBJ3 and OBJ2 (for example, tai mcc 123 mnc 456 tac 1234).

From the above example, for “restrict” access:

For UEs from the PLMN with mcc = 111 and mnc = 333, operator policy = Partner-2-policy and call-control-profile = CCP2 apply. With reference to CCP2, zone codes 11, 12 and 13 are restricted from the associated tai-mgmt-db = TMD. UEs from this PLMN will be restricted from access to TAI values in tai-mgmt-obj = OBJ1, OBJ3 and OBJ2 (for example, tai mcc 123 mnc 456 tac 1234).
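
The following Python model of the zone-code check is an added example (not Cisco code and not part of the original chapter), evaluated against the zone-code lists exactly as they appear in the example configuration block (CCP1 allow 11 12 13, CCP2 restrict 21 22 23). It also applies the rule from Limitations that an HSS-supplied zone code list overrides the call-control-profile, and the default cause codes #13 and #12. The function names and data layout are assumptions made for illustration.

```python
# Added illustration (not MME code): zone-code validation as this page describes it.
# TMD and CCP mirror the example configuration; function names are hypothetical.
TMD = {  # tai-mgmt-obj -> (zone codes, "mcc-mnc", TACs)
    "OBJ1": ({11, 21}, "123-456", [1234, 1235, 1236, 1237]),
    "OBJ2": ({12}, "123-456", [2234, 2235, 2236]),
    "OBJ3": ({13, 22}, "321-456", [1244, 1245, 1248, 1249]),
    "OBJ4": ({23}, "321-456", [2244, 2245, 2247, 2248]),
}
CCP = {  # call-control-profile -> (lte-zone-code mode, zone-code-list)
    "CCP1": ("allow", {11, 12, 13}),
    "CCP2": ("restrict", {21, 22, 23}),
}
# Defaults used when no local-cause-code-mapping is configured (per the text above).
DEFAULT_CAUSE = {
    True: (13, "roaming-not-allowed-in-this-tracking-area"),   # roaming subscriber
    False: (12, "tracking-area-not-allowed"),                  # home subscriber
}

def zones_for_tai(plmn, tac):
    """Return the zone codes of the TAI-Object that contains this TAI."""
    for zones, obj_plmn, tacs in TMD.values():
        if plmn == obj_plmn and tac in tacs:
            return zones
    raise KeyError(f"TAI {plmn}-{tac} is not in the TAI management DB")

def validate(plmn, tac, ccp=None, hss_zones=None, roaming=True):
    """Return (accepted, reject_cause) for a request arriving in the given TAI."""
    tai_zones = zones_for_tai(plmn, tac)
    if hss_zones:
        # HSS zone codes are allow-only and, when present, the CCP list is ignored.
        ok = bool(tai_zones & set(hss_zones))
    else:
        mode, codes = CCP[ccp]
        hit = bool(tai_zones & codes)
        ok = hit if mode == "allow" else not hit
    return (True, None) if ok else (False, DEFAULT_CAUSE[roaming])

def reachable_objects(ccp):
    """TAI-Objects a UE governed only by this call-control-profile can use."""
    return sorted(name for name, (_, plmn, tacs) in TMD.items()
                  if validate(plmn, tacs[0], ccp)[0])

if __name__ == "__main__":
    for name in CCP:
        print(name, reachable_objects(name))
    # Both policies configured: the HSS list wins, so CCP1's allow list is bypassed.
    print(validate("321-456", 2244, ccp="CCP1", hss_zones=[23]))
    print(validate("123-456", 2234, ccp="CCP1", hss_zones=[23]))
```

Because OBJ1 and OBJ3 each carry two zone codes, the same TAI-Object is reachable under CCP1 and blocked under CCP2, which is the overlapping-zone case the multi-value zone-code command enables.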

Verifying Access Restriction based on Regional Zone Codes

Use the following command to verify Access Restriction based on Regional Zone Codes configuration on the MME.

show lte-policy tai-mgmt-db name database_name

TAI Management DB: db_test
   TAI Management Object: obj_test
      Zone Code: 103 104 105 106 107 108 109

Notes:

  • TAI Management DB: Denotes the name of the database object.

  • TAI Management Object: Identifies the TAI-Object list where the zone codes are configured.

  • Zone Code: Displays the configured zone code values under a specified TAI-Object.

Monitoring and Troubleshooting Access Restriction based on Regional Zone Codes

This section provides information on how to monitor Access Restriction based on Regional Zone Codes.

Show Command(s) and/or Outputs

This section provides information regarding show commands and/or their outputs in support of the Access Restriction based on Regional Zone Codes feature.

show mme-service statistics

On running this command, the following fields are displayed for this feature:

  • Roaming restricted TA

  • PLMN Not allowed

  • TA not allowed

  • No suitable cells in TA

  • No EPS Service in PLMN

Field                      Description

Roaming restricted TA      The total number of EMM Attach Reject messages sent with the cause code #13: "Roaming restricted in TA".

PLMN Not allowed           The total number of EMM Attach Reject messages sent with the cause code #11: "PLMN not allowed".

TA not allowed             The total number of EMM Attach Reject messages sent with the cause code #12: "Tracking Area not allowed".

No suitable cells in TA    The total number of EMM Attach Reject messages sent with the cause code #15: "No suitable cells in TA".

No EPS Service in PLMN     The total number of EMM Attach Reject messages sent with the cause code #14: "EPS service not allowed in this plmn".

show mme-service db record imsi imsi_value

On running this command, zone codes allowed for a particular UE are displayed. The following field is displayed for this feature:

  • Regional Subscription Zone Codes

Field                               Description

Regional Subscription Zone Codes    This field displays all the Zone Code values (up to 10 zone code values), returned by the HSS in the Update Location Answer message or Insert Subscriber Data message for a UE, based on the values configured in its subscription profile.


Note


If zone code restriction is applied under the call-control-profile, then the Regional Subscription Zone Codes field will not be captured in any of the show CLI output.