APN Restriction

This chapter describes the APN Restriction feature and provides detailed information on the following:

Feature Description

The reception, storage, and transfer of APN Restriction values is used to determine whether a UE is allowed to establish PDP Context or EPS bearers with other APNs. This feature is supported by both the Gn/Gp-SGSN and the S4-SGSN.

During default bearer activation, the SGSN sends the current maximum APN restriction value for the UE to the GGSN/P-GW in a Create PDP Context Request/ Create Session Request (CSR). The GGSN/P-GW will have an APN restriction value for each APN. The UE's APN Restriction value determines the type of application data the subscriber is allowed to send. If the maximum APN restriction of the UE (received in the CSR) and the APN Restriction value of the APN (for which activation is being requested) do not concur, then the GGSN/P-GW rejects activation. The maximum APN restriction for a UE is the most restrictive based on all already active default EPS bearers. The purpose of enabling APN Restriction in S4-SGSN is to determine whether the UE is allowed to establish EPS Bearers with other APNs based on the Maximum APN Restriction value associated with that UE.

This feature provides the operator with increased control to restrict certain APNs to UEs based on the type of APN. This feature requires no special license.

APN Restriction for SGSN is enabled/ disabled in the Call-control-profile configuration mode using the apn-restriction command.

Relationships to Other Features

APN Restriction value corresponding to each APN is known by the GGSN/P-GW. The Gn/S4-SGSN sends the Maximum APN Restriction of the UE to the GGSN/P-GW in a Create PDP Context Request/ Create Session Request. The GGSN/P-GW accepts or rejects the activation based on the Maximum APN Restriction of UE and APN Restriction value of that APN which is sent the Create PDP Context Request/ Create Session Request

How it Works

During default bearer activation the Gn/S4-SGSN sends the current Maximum APN Restriction value for the UE to the GGSN/ P-GW in the Create PDP Context Request/ Create Session Request (if it is the first activation for that UE or if the APN Restriction is disabled, Maximum APN restriction will be "0" in the Create PDP Context Request/ Create Session Request). The GGSN/P-GW has an APN restriction value for each APN. If the Maximum APN Restriction for the subscriber is received in the Create PDP Context Request/ Create Session Request and APN Restriction value of the APN to which activation is being requested do not concur then the GGSN/P-GW rejects the activation by sending a Create PDP Context / Create Session Response failure message to the G/S4-SGSN with EGTP cause "EGTP_CAUSE_INCOMPATIBLE_APN_REST_TYPE (0x68)".

If the Maximum APN Restriction of the subscriber and APN Restriction of the APN to which activation is ongoing agree as per APN Restriction rules, the GGSN/P-GW sends the APN Restriction value of the APN in the Create PDP Context / Create Session Response as success during activation. The Gn/S4-SGSN updates the APN restriction value of that PDN connection with the value received from GGSN/P-GW in the Create PDP Context/ Create Session Response. The APN restriction value can be received by a new SGSN through context response and forward re-location request messages.

The combination of APN Restriction values of all the PDN connections of a particular UE should be valid and the maximum APN restriction value of the UE should be updated whenever the APN restriction value of a PDN connection is updated.

Table below displays the valid combinations of APN restriction values:

Table 1. APN restriction values

Maximum APN Restriction Value

Type of APN

Application Example

APN Restriction Value allowed to be established

0

No Existing Contexts or Restriction

All

1

Public-1

WAP or MMS

1, 2, 3

2

Public-2

Internet or PSPDN

1, 2

3

Private-1

Corporate (for example MMS subscribers)

1

4

Private-2

Corporate (for example non-MMS subscribers)

None

The valid combination of APN restriction values is achieved in the Gn/ S4-SGSN based on the APN restriction value of the most restrictive PDN connection. If the bearer with the most restrictive APN restriction value gets de-activated, the maximum APN restriction value is re-calculated from among the remaining active default bearers.

In the Create PDP Context /Create Session Request during default bearer activation, the Gn/S4-SGSN sends the Maximum APN Restriction Value for the UE. If no value is available (if this default bearer is the first activation) then, the Maximum APN restriction value will be "0" in Create Session Request. A value of "0" in the Create PDP Context / Create Session Request for Maximum APN restriction indicates there are no other existing PDN connections for the UE or APN restriction is disabled.

If the APN restriction value received in the Create PDP Context / Create Session Response during activation violates the current Maximum APN restriction, then the SGSN rejects the activation and also de-activates any other PDN connection to the same APN. The SGSN considers the APN restriction received in latest Create PDP Context / Create Session Response as the latest value of the APN restriction associated with that APN. If there are any other PDN connections to this APN, the SGSN updates the APN restriction associated with those PDN connections. If the APN restriction value is not violated then the SGSN updates the APN restriction value for that PDN connection and any other PDN connection to the same APN with the value received in the Create PDP Context / Create Session Response and re-calculates the Maximum APN restriction value for MS.

If APN restriction is enabled, but the SGSN does not receive any APN restriction value in the Create PDP Context / Create Session Response and if another PDN connection exists to the same APN, the value of APN restriction is copied from that APN. If no value is available, the APN restriction value is assumed to be "0".

If the current Maximum APN restriction value for the UE is present and the SGSN receives a new default bearer activation request to another APN, while the APN restriction feature is enabled, the activation is rejected with the appropriate sm cause.

If the Gn/ S4-SGSN receives a Create PDP Context/Create Session Response as failure from the P-GW with EGTP cause "EGTP_CAUSE_INCOMPATIBLE_APN_REST_TYPE (0x68)", then the Gn/ S4-SGSN sends an activate reject to the MS with SM cause "(112) APN restriction value incompatible with active PDP context". Any de-activate request sent to the MS due to APN Restriction violation also has the same SM cause.

For every new activation request, the SGSN re-calculates the Maximum APN Restriction from among other currently active PDN connections (excluding those PDNs for which any de-activation is ongoing.)

The APN restriction values are recovered during session recovery. In old SGSN ISRAU, the APN restriction associated with each PDN is sent to the peer in Context Response. In old SGSN SRNS re-location, the APN restriction associated with each PDN connection is sent to the peer in Forward Re-location Request.

In IRAT procedures, the APN restriction for each PDN connection is transferred internally during IRAT and these values are used for subsequent activations after IRAT.

In new SGSN ISRAU, the APN restriction values received in context response are used in the subsequent activations after ISRAU.

In new SGSN SRNS, the APN restriction values received in the forward re-location are used in subsequent activations after SRNS re-location.

Limitations

Consider the scenario where APN restriction is enabled, but no value for APN restriction is received in the Create PDP Context / Create Session Response and no other PDN connections exists to the same APN. An APN restriction value of "0" is assigned to that PDN connection to denote that APN restriction value is invalid for that PDN. During subsequent activations for the subscriber, if the SGSN receives a valid APN Restriction corresponding to the same APN, then the APN Restriction value will be updated for the existing PDNs as well. If not, when a subsequent activation happens with an APN for which SGSN receives valid APN Restriction value, the existing PDNs with invalid (that is "0") APN Restriction values will be de-activated. This behaviour is also observed when the subscriber changes from one PLMN to another PLMN, where the APN Restriction is enabled in the new PLMN but disabled in the old PLMN.

The SGSN does not support APN Restriction if it is enabled during an ongoing call. For APN Restriction to be applied correctly for a subscriber, all the PDP contexts of the subscriber should be created after the APN Restriction is enabled.

Standards Compliance

The APN Restriction feature complies with the following standards:

  • 3GPP TS 23.060 (version 10)
  • 3GPP TS 29.274 (version 10)

Configuring APN Restriction

This section describes how to configure the APN Restriction feature. The following command is used to configure the APN restriction feature: 

config
 call-control-profile  profile_name
  apn-restriction update-policy deactivate { least-restrictive | most-restrictive }
  exit

Notes:

  • The least or most restrictive values of the APN restriction are applicable only for the Gn SGSN, as the APN restriction can be present in UPCQ/UPCR for Gn SGSN and this configuration is required to determine the PDN to be de-activated when an APN restriction violation occurs during modification procedures in the Gn SGSN. In the case of S4-SGSN, the APN restriction value is received by the S4-SGSN only in Create Session Response during activation. During activation in S4-SGSN, a PDN connection that violates the current Maximum APN restriction is always de-activated. Therefore in the case of S4-SGSN, this CLI is used only for enabling or disabling APN restriction.

For more information on this CLI refer to the Command Line Interface Reference manual.

Verifying the APN Restriction Configuration

The show configuration command is used to verify the configuration of the APN Restriction feature. Listed below is an example of the show configuration command where APN restriction is configured: 

show configuration 
 config 
  call-control-profile test 
   apn-restriction update-policy deactivate least-restrictive 
   exit 
   end

Monitoring and Troubleshooting the APN Restriction

This section provides information on how to monitor APN restriction and to determine that it is working correctly. The following show commands support the monitoring and trouble shooting of the APN restriction feature:

  • The show subscribers SGSN-only full and show subscribers gprs-only full commands display the APN Restriction value of each PDP Context.
  • The session-disconnect reason for APN Restriction is sgsn-apn-restrict-vio.
  • The show gmm-sm statistics verbose command displays following counters related to the cause "APN restriction value incompatible with active PDP context":
    • Deactivation Causes Tx
    • 3G-APN Restr val Incomp With Ctx
    • 2G-APN Restr val Incomp With Ctx
    • Activate Primary PDP Context Denied
    • 3G-APN-Restriction Incompatible
    • 2G-APN-Restriction Incompatible

For detailed parameter descriptions see the Statistics and Counters Reference.