Enhanced Whitelisting in MME

Feature Summary and Revision History

Summary Data

Applicable Product(s) or Functional Area

MME

Applicable Platform(s)

  • ASR 5500

  • VPC-DI

  • VPC-SI

Default Setting

Disabled - Configuration Required

Related Changes in This Release

Not Applicable

Related Documentation

  • Command Line Interface Reference

  • MME Administration Guide

  • Statistics and Counters Reference

Revision History

Revision Details

Release

First introduced.

21.16

Feature Description

Enhancement to the whitelisting feature enables the MME to use IMSI or MSISDN subscriber identity to restrict network access to group of subscribers. This feature caters to operator requirements of more than 10000 subscriber identities (IMSI/MSISDN) configuration.

Subscriber whitelisting is done in one of the following ways:

  • Whitelist based on IMSI in TAC level.

  • Whitelist based on MSISDN in TAC level.

This feature supports both IMSI group and MSISDN group configurations which can contain discrete and range of IMSI and MSISDN.

How it Works

This section describes how this feature works.

IMSI Group

IMSI-based configuration supports IMSI groups. An IMSI group can contain upto 500 elements of either individual IMSI or range of IMSI.

Up to 50 IMSI groups can be configured per MME and once an IMSI group is created, each group can be configured with up to 500 unique IMSI values and/or up to 20 IMSI ranges, which can overlap.

The operator policy to whitelist or blacklist IMSI is configured using MME. The restriction considers the handover (TAU) process as well as the attach process.

The IMSI group or IMSI+IMEI-TAC groups are created and associated with operator policies in the CLI.

MSISDN Group

Whitelisting in MME is enhanced to support specific MSISDN and ranges of MSISDN. The operator policy to whitelist or blacklist MSISDN is configured using MME. The restriction considers the handover (TAU) process as well as the attach process.

MSISDN-based configuration supports MSISDN groups. An MSISDN group can contain upto 500 elements of either individual MSISDN or range of MSISDN. Up to 50 MSISDN groups can be configured per MME and once an MSISDN group is created, each group can be configured with up to 500 unique MSISDN values and/or up to 20 MSISDN ranges, which can overlap.

The MSISDN group or MSISDN+IMEI-TAC groups are created and associated with operator policies in the CLI.

The following table lists the whitelist enhancement for MME.

Table 1. Whitelist Enhancement
White List TAC
Specific IMSI Supported
Range of IMSI Supported
Group of IMSI (discrete + range) Supported from Release 21.16 onwards
Group of MSISDN (discrete + range) Supported from Release 21.16 onwards

Configuring IMSI Group

Use the following configuration to create the IMSI group.

configure 
   lte-policy 
      imsi-group group_name 
      end

NOTES:

  • 50 IMSI groups and a combination of discrete IMSI and range of IMSIs with a maximum of 500 IMSI values and 20 lines per group are supported.

Configuring Discrete IMSI Numbers

Use the following configuration to configure discrete IMSI numbers.

configure 
   lte-policy 
      imsi-group group_name 
         imsi mcc mcc_value mnc mnc_value msin msin_value 
         exit

NOTES:

  • mcc mcc_value : Specifies the mobile country code (MCC) portion of the IMSI identifier.

  • mnc mnc_value : Specifies the mobile network code (MNC) portion of the IMSI identifier.

  • msin msin_value : Specifies the Mobile Subscriber Identification Number of the IMSI identifier.

  • If previously configured, use the no imsi mcc mcc_value mnc mnc_value msin msin_value CLI command to delete the discrete IMSI values.

Configuring IMSI Range

Use the following configuration to configure IMSI range.

configure 
   lte-policy 
      imsi-group group_name 
         range mcc mcc_value mnc mnc_value msin first start_range last end_range 
         exit

NOTES:

  • mcc mcc_value : Specifies the mobile country code (MCC) portion of the IMSI identifier.

  • mnc mnc_value : Specifies the mobile network code (MNC) portion of the IMSI identifier.

  • msin first start_range last end_range : Specifies the range of Mobile Subscriber Identification Number of the IMSI identifier.

  • If previously configured, use the no range mcc mcc_value mnc mnc_value msin first start_range last end_range CLI command to delete the IMSI range.

Associating IMSI Group and IMEI-TAC Group with Operator Policy

Use the following configuration to associate IMSI-group and IMEI-TAC group with operator policy.

configure 
   lte-policy 
      subscriber-map subscriber_map_name 
         precedence number match-criteria imei-tac group imeitac_group_name imsi-group imsi_group_name operator-policy-name op_name 
         end

NOTES:

  • number : Specifies the order of precedence for the subscriber map. 1 (the lowest number) takes the highest precedence.

  • match-criteria : Specifies that the keyword following this keyword is the criteria to be used to match a UE.

  • imei-tac group imeitac_group_name : Identifies a previously configured IMEI-TAC group (with imei-tac-group command LTE-Policy configuration mode) to associate with this precedence definition.

  • operator-policy-name op_name : Sets the operator policy with which the matching criteria is associated.

Verifying IMSI Group Configuration

Use the following show commands to display details related to IMSI group.

  • show lte-policy imsi-group name group_name

  • show lte-policy imsi-group summary

Configuring MSISDN Group

Use the following configuration to create a new MSISDN group.

configure 
   msisdn-group group_name 
   end

NOTE:

  • MSISDN is a subscriber number which provides the functionality with TAC and it decides whether to allow or block the subscribers based on the subscriber number. The MSISDN group name is used to create a new MSISDN group and it can have a maximum of 50 groups.

Configuring Discrete MSISDN Numbers

Use the following configuration to configure discrete MSISDN numbers.

configure 
   msisdn-group group_name 
      msisdn cc cc_value number value 
      exit

NOTES:

  • msisdn : Specifies the discrete list of MSISDN numbers (Combination of discrete and range line is 20 per group).

Configuring MSISDN Range

Use the following configuration to configure MSISDN range.

configure 
   msisdn-group group_name 
      range cc cc_value number first start_range last end_range 
      exit

NOTES:

  • number first start_range last end_range : Specifies the MSISDN range.

Associating MSISDN Group and IMEI-TAC Group with Operator Policy

Use the following configuration to associate MSISDN group and IMEI-TAC group with operator policy.

configure 
   lte-policy 
      subscriber-map subscriber_map_name 
         precedence number match-criteria msisdn-group namemsisdn_group name operator-policy-name op_name 
         end

NOTES:

  • number : Specifies the order of precedence for the subscriber map. 1 (the lowest number) takes the highest precedence.

  • match-criteria : Specifies that the keyword following this keyword is the criteria to be used to match a UE.

  • msisdn-group name msisdn_group_name : Identifies a previously configured IMEI-TAC group (with imei-tac-group command LTE-Policy configuration mode) to associate with this precedence definition.

  • operator-policy-name op_name : Sets the operator policy with which the matching criteria is associated.

Verifying MSISDN Group Configuration

Use the following show commands to display details related to MSISDN group.

  • show config msisdn-group name group_name

  • show config msisdn-group summary

Configuring Operator Policy based on IMSI Group and MSISDN Group

The match-criteria in precedence command is enhanced to take parameter that is "matched-to" the configure selection based on IMSI group and MSISDN group. It supports the selection of operator policy based on a combination of IMEI-TAC group and IMSI group (IMEI-TAC + IMSI group) or of IMEI-TAC group and MSISDN group (IMEI-TAC + MSISDN group). The configuration involves:

  • IMSI-group

  • MSISDN group

  • IMEI-TAC + IMSI-group

  • IMEI-TAC + MSISDN group

Associating IMSI Group with Operator Policy

Use the following configuration to associate IMSI group with operator policy.

configure 
   lte-policy 
      subscriber-map map_name 
         precedence precedence_number match-criteria [ imsi-group group_name ]  [ operator-policy-name policy_name ] 
         end

For information about these commands and keywords, refer to the Command Line Interface Reference.

Associating IMSI Group in Combination with IMEI-TAC with Operator Policy

Use the following configuration to associate IMSI group in combination with IMEI-TAC with operator policy.

configure 
   lte-policy 
      subscriber-map map_name 
         precedence precedence_number match-criteria imei-tac group group_name [ imsi-group group_name ]  [ operator-policy-name policy_name ] 
         end

For information about these commands and keywords, refer to the Command Line Interface Reference.

Associating MSISDN Group with Operator Policy

Use the following configuration to associate MSISDN group with operator policy.

configure 
   lte-policy 
      subscriber-map map_name 
         precedence precedence_number match-criteria [ msisdn-group group_name ]  [ operator-policy-name policy_name ] 
         end

For information about these commands and keywords, refer to the Command Line Interface Reference.

Associating MSISDN Group in Combination with IMEI-TAC with Operator Policy

Use the following configuration to associate IMSI group in combination with IMEI-TAC with operator policy.

configure 
   lte-policy 
      subscriber-map map_name 
         precedence precedence_number match-criteria imei-tac group group_name [ msisdn-group group_name ]  [ operator-policy-name policy_name ] 
         end

For information about these commands and keywords, refer to the Command Line Interface Reference.