Configuring the System to Perform as a SaMOG Gateway
This section provides a high-level series of steps and the associated configuration file examples for configuring the system to perform as a SaMOG Gateway in a test environment.
Required Information
The following sections describe the minimum amount of information required to configure and make the SaMOG Gateway operational in the network. To make the process more efficient, it is recommended that this information be available prior to configuring the system.
The following table lists the information that is required to configure the SaMOG Gateway context and service.
| Required Information | Description |
|---|---|
| SaMOG Context and MRME, CGW and SaMOG Service Configuration | |
| SaMOG context name | The name of the SaMOG context, which can be from 1 to 79 alpha and/or numeric characters. |
| MRME service name | The name of the MRME service, which can be from 1 to 63 alpha and/or numeric characters. |
| IPv4 address | The IPv4 address to which you want to bind the MRME service. |
| DNS context | The name of the context to use for P-GW DNS lookups. |
| IPv4 address/subnetmask | The IPv4 address and subnet mask of the RADIUS client that the MRME service will accept requests from. |
| Key | The encrypted shared key for that RADIUS client. |
| Port number | The destination port for RADIUS disconnect messages sent to that client. |
| IPv4 address | The IPv4 address of the RADIUS client. |
| Key | The encrypted key for use by the RADIUS client. |
| Port | The port number used by the RADIUS client. |
| CGW service name | The name of the CGW service, which can be from 1 to 63 alpha and/or numeric characters. |
| IPv4 address | The IPv4 address to which the CGW service will bind. |
| Egress EGTP service name | The name of the egress EGTP service that the CGW service will use. This name must match the name of the EGTP service configured later in this procedure. |
| Timeout | The session delete delay timeout for use by the CGW service. |
| SaMOG service name | The name of the SaMOG service, which can be from 1 to 63 alpha and/or numeric characters. |
| MRME service name | The name of the MRME service to associate with this SaMOG service. This is the MRME service name configured previously in this procedure. |
| CGW service name | The name of the CGW service to associate with this SaMOG service. This is the CGW service name configured previously in this procedure. |
| Subscriber map name | The subscriber map name to associate with the SaMOG service. This name must match the subscriber map name configured later in this procedure. |
| LTE Policy Configuration | |
| Subscriber map name | The name of the subscriber map to associate with the LTE policy, which can be from 1 to 64 alpha and/or numeric characters. |
| Precedence priority | The precedence of the subscriber map entry. Must be an integer from 1 to 1024. |
| Service criteria type | The service criteria that must be matched for the subscriber map entry. Must be one of imsi, service-plmnid or all. |
| MCC number | The Mobile Country Code for use in this LTE policy. |
| MNC | The Mobile Network Code for use in this LTE policy. |
| Operator policy name | The name of the operator policy to use with the subscriber map, which can be from 1 to 64 alpha and/or numeric characters. |
| TAI mgmt db name | The name of the Tracking Area Identifier management database for use with the LTE policy, which can be from 1 to 64 alpha and/or numeric characters. |
| GTPU and EGTP Service Configuration | |
| SaMOG context name | The name of the SaMOG context configured previously. |
| EGTP service name | The name for this EGTP service, which can be from 1 to 63 alpha and/or numeric characters. |
| GTPU service name (association) | The name of the GTPU service to associate with the EGTP service. This must match the GTPU service name configured next. |
| IPv4 address | The IPv4 address to which the EGTP service binds for GTP-C. |
| GTPU service name | The name of the GTPU service, which can be from 1 to 63 alpha and/or numeric characters. |
| IPv4 address | The IPv4 address to which the GTPU service will bind. |
| AAA and Diameter Endpoint Configuration | |
| AAA context name | The name assigned to the AAA context, which can be from 1 to 79 alpha and/or numeric characters. |
| AAA interface name | The name assigned to the AAA interface, which can be from 1 to 79 alpha and/or numeric characters. |
| IPv4 address/subnetmask | The primary IPv4 address and subnet mask for use by the AAA interface. |
| IPv4 address/subnetmask (secondary) | The secondary IPv4 address and subnet mask for use by the AAA interface. |
| SaMOG context name | The name of the SaMOG context configured earlier. |
| AAA DIAMETER STa1 group name | The primary AAA group name for use over the STa interface, which can be from 1 to 63 alpha and/or numeric characters. |
| DIAMETER endpoint name | The DIAMETER authentication endpoint name for use with the primary AAA group. |
| AAA DIAMETER STa2 group name | The secondary AAA group name for use over the STa interface, which can be from 1 to 63 alpha and/or numeric characters. |
| DIAMETER endpoint name | The DIAMETER authentication endpoint name for use with the secondary AAA group. |
| AAA accounting group name | The name of the AAA accounting group, which can be from 1 to 63 alpha and/or numeric characters. |
| Diameter authentication dictionary | The name of the Diameter dictionary used for authentication. This must be configured as the aaa-custom13 dictionary. |
| DIAMETER (STa) endpoint name | The name of the DIAMETER endpoint, which can be from 1 to 63 alpha and/or numeric characters. This endpoint peers with the external 3GPP AAA server. |
| Origin realm name | The name of the local Diameter realm, a string from 1 to 127 alpha and/or numeric characters. |
| Origin host name | The origin host name of the STa endpoint. |
| IPv4 address | The IPv4 address used for the origin host of the STa endpoint. |
| Port | The port used for the origin host of the STa endpoint. |
| Peer name | The name of the Diameter peer, which can be from 1 to 63 alpha and/or numeric characters. |
| SaMOG realm name | The name of the peer Diameter realm, which can be from 1 to 63 alpha and/or numeric characters. |
| IPv4 address | The IPv4 address of the peer (the 3GPP AAA server). |
| Port | The port used by the peer. |
| DNS Configuration | |
| DNS context name | The name of the context in which DNS will be configured, which can be from 1 to 79 alpha and/or numeric characters. |
| DNS interface name | The name of the DNS interface, which can be from 1 to 79 alpha and/or numeric characters. |
| IPv4 address/subnetmask | The IPv4 address and subnet mask of the DNS interface. |
| IP name server IP address | The IPv4 address of the name server to query. |
| DNS client | The name of the DNS client, which can be from 1 to 63 alpha and/or numeric characters. |
| IPv4 address | The IPv4 address to which you want to bind the DNS client service. |
| Configuring and Binding the Interfaces | |
| SaMOG service interface port/slot | The slot and port number to which you want to bind the SaMOG (GTP) interface. |
| GTP SaMOG interface name and context | The SaMOG interface and context name that will be bound to the SaMOG interface port/slot. |
| STa accounting service interface port/slot | The slot and port number to which you want to bind the STa accounting interface. |
| STa accounting service name and context | The name and context name of the STa accounting interface that you want to bind to the STa accounting port/slot. |
| DNS service interface slot/port | The slot and port number to which you want to bind the DNS interface. |
| DNS service interface name and context | The name and context name of the DNS interface that you want to bind to the DNS interface slot/port. |
| RADIUS PMIP-side service interface port/slot | The slot and port number to which you want to bind the PMIP-side RADIUS interface. |
| RADIUS PMIP-side service interface name and context | The name and context name of the PMIP-side RADIUS interface you want to bind to the RADIUS interface port/slot. |
| RADIUS SaMOG-side service interface port/slot | The slot and port number to which you want to bind the SaMOG-side RADIUS interface. |
| GTPU interface port/slot | The slot and port number to which you want to bind the GTPU interface. |
SaMOG Gateway Configuration
The high-level steps below summarize the SaMOG gateway configuration tasks. Steps marked Optional can be skipped; all other steps are mandatory. Note that the SaMOG Gateway is a licensed Cisco product. Separate session and feature licenses may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, see "Managing License Keys" in the System Administration Guide.
Procedure
Step 1. Set system configuration parameters such as activating PSC2s, ports, and enabling session recovery by following the configuration examples in the System Administration Guide.
Step 2. Create the SaMOG context by applying the example configuration in Creating the SaMOG Gateway Context.
Step 3. Configure the MRME, CGW, and SaMOG services by applying the example configuration in Configuring the MRME, CGW and SaMOG Services.
Step 4. Configure the LTE policy by applying the example configuration in Configuring the LTE Policy.
Step 5. Create the GTPU and EGTP services by applying the example configuration in Configuring the GTPU and EGTP Services.
Step 6. Create MAG services for a PMIPv6-based S2a interface by applying the example configuration in Configuring MAG Services.
Step 7. Optional. Configure IP over GRE (IPoGRE) encapsulation for processing DHCP Layer 3 IP packets by applying the example configuration in Configuring IPoGRE.
Step 8. Optional. Configure IP over VLAN (IPoVLAN) encapsulation for processing DHCP Layer 3 IP packets by applying the example configuration in Configuring IPoVLAN.
Step 9. Create and configure the AAA groups for Diameter authentication and RADIUS accounting by applying the example configuration in Configuring AAA.
Step 10. Configure the GTPP group, consisting of the GTPP dictionary and CDR attributes to be used for SGW and SGSN CDRs, and associate the GTPP group with the SaMOG call control profile by applying the example configuration in Configuring GTPP Dictionary and CDR Attributes.
Step 11. Configure the DNS service by applying the example configuration in Configuring DNS.
Step 12. Optional. Enable local breakout for an APN by applying the example configuration in Configuring Local Breakout.
Step 13. Optional. Enable web-based authorization by applying the example configuration in Configuring Web-based Authorization.
Step 14. Bind the interfaces to their physical ports by applying the example configuration in Configuring and Binding the Interfaces.
Step 15. Optional. Enable event logging by applying the example configuration in Enabling Logging.
Step 16. Optional. Enable the sending of CGW and SaMOG SNMP traps by applying the example configuration in Enabling SNMP Traps.
Step 17. Optional. Configure the system to gather and transfer bulk statistics by applying the example configuration in Configuring Bulk Statistics.
Step 18. Save the completed configuration by following the instructions in Saving the Configuration.
Creating the SaMOG Gateway Context
Create the context in which the SaMOG service will reside. The MRME, CGW, SaMOG and other related services will be configured in this context. Create the SaMOG context by applying the configuration example below.
config
context samog_context_name
end
Configuring the MRME, CGW and SaMOG Services
The MRME and CGW services provide the SaMOG functionality. They must be configured in the SaMOG context and then associated with a SaMOG service name. Configure the MRME, CGW, and SaMOG services by applying the example configuration below.
context context_name
twan-profile twan_profile_name
radius client { ipv4/ipv6_address [/mask ] } [ encrypted ] key value [ disconnect-message [ dest-port destination_port_number ] ] [ dictionary { custom70 | custom71 } ]
ue-address [ dhcp | twan ]
exit
mrme-service mrme_service_name
# Release 18 and earlier:
bind address ipv4_address
# Release 19 and later:
bind { ipv4-address ipv4_address [ ipv6-address ipv6_address ] | ipv6-address ipv6_address [ ipv4-address ipv4_address ] }
associate twan-profile twan_profile_name
dns-pgw context dns
radius client ipv4_address/subnetmask encrypted key key disconnect-message dest-port port_no
exit
cgw-service cgw_service_name
bind { ipv4-address ipv4_address [ ipv6-address ipv6_address ] | ipv6-address ipv6_address [ ipv4-address ipv4_address ] }
associate egress-egtp-service egress_egtp_service_name
revocation enable
session-delete-delay timeout timeout_msecs
exit
samog-service samog_service_name
associate mrme-service mrme_service_name
associate cgw-service cgw_service_name
associate subscriber-map subscriber_map_name
associate dhcp-service dhcp_service_name [ level { system | user } ]
# Associate a DHCPv6 service
associate dhcpv6-service dhcpv6_service_name
exit
Important |
Configure the custom71 dictionary when Cisco WLC is used with PMIPv6 as the access-type. Configuring the custom71 dictionary enables attributes like the UE's permanent identity (NAI), subscribed APN, network protocol (PMIPv6), and LMA address (CGW service's bind address) to be sent in the Cisco Vendor-specific attributes to WLC. The WLC uses this information to build the PMIPv6 PBU to the SaMOG gateway when the aaa-override option is enabled on the Cisco WLC. These attributes are not sent when the custom70 dictionary is configured. |
- Use the ue-address command to configure Layer 3 IP access-type only.
- When the associate dhcpv6-service dhcpv6_service_name is configured, SaMOG will use the bind address configured under the DHCPv6 Service Configuration Mode for DHCPv6 server functionality.
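The key given on the radius client line is the RADIUS shared secret for that client, and with disconnect-message it is also what authenticates the Disconnect-Request (RFC 5176) that the gateway sends to the WLC on dest-port and the Disconnect-ACK/NAK that comes back. The following is an added example, not code from the page or from StarOS, that builds and verifies those messages with the RFC 5176 authenticator rules so you can see what the secret protects. The secret, the packet identifier and the User-Name/Acct-Session-Id values are constructed; the optional Message-Authenticator attribute is not included.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the two attributes used to identify the session.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID = 1, 44

# Constructed example secret; a real deployment uses a distinct high-entropy
# secret per configured radius client (the value stored via "encrypted key").
SHARED_SECRET = b"example-dm-shared-secret"


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type/length/value triples."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("RADIUS attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def _header(code, ident, body_len):
    return struct.pack("!BBH", code, ident, 20 + body_len)


def request_authenticator(code, ident, body, secret):
    """RFC 5176 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(_header(code, ident, len(body)) + bytes(16) + body + secret).digest()


def build_disconnect_request(ident, attrs, secret):
    body = encode_attrs(attrs)
    auth = request_authenticator(DISCONNECT_REQUEST, ident, body, secret)
    return _header(DISCONNECT_REQUEST, ident, len(body)) + auth + body


def verify_disconnect_request(packet, secret):
    """True only for a well-formed Disconnect-Request whose authenticator was
    computed with `secret`; a wrong key, a tampered byte or a bad length fails."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = request_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request, attrs, secret):
    """Disconnect-ACK/NAK: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = _header(code, request[1], len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """Check a Disconnect-ACK/NAK against the request it answers."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because the authenticator is a plain MD5 over the packet and the secret, a client that shares one secret with several peers, or uses a guessable one, lets anyone on the path forge disconnects for arbitrary sessions; keep the secret per client and restrict the radius client address/mask as tightly as the WLC addressing allows.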
Configuring the LTE Policy
Configure the LTE policy by applying the example configuration below.
config
operator-policy policy-name
apn network-identifier apn_net_id apn-profile apn_profile_name
associate call-control-profile profile_id
exit
call-control-profile profile_name
accounting mode gtpp
authenticate context context_name aaa-group aaa_group_name
accounting context context_name aaa-group aaa_group_name
accounting context context_name gtpp-group gtpp_group_name
associate accounting-policy policy_name
exit
apn-profile profile_name
accounting mode none
local-offload
address-resolution-mode local
pgw-address IP_address
qos default-bearer qci qci_id
qos default-bearer arp arp_value preemption-capability may vulnerability not-preemptable
qos apn-ambr max-ul mbr-up max-dl mbr-dwn
pdp-type-ipv4v6-override ipv4
virtual-mac { mac_address | violation drop }
twan default-gateway ipv4/ipv6_address/mask
exit
lte-policy
subscriber-map subscriber_map_name
precedence precedence_priority match-criteria service_criteria_type mcc mcc_number mnc mnc_number operator-policy-name operator_policy_name
precedence precedence_priority match-criteria service_criteria_type operator-policy-name operator_policy_name
exit
tai-mgmt-db tai_mgmt_db_name
exit
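The subscriber-map lines above are evaluated in order of precedence (the lowest value first, which is the usual StarOS convention), and the first entry whose match-criteria fits the subscriber decides the operator policy; an entry with match-criteria all is the catch-all. The following added example, which is not part of the page or of StarOS, models that selection so the effect of ordering can be checked before the policy is applied. The MCC/MNC values (001/01 and 999/99 are test and private-network codes) and the policy names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MapEntry:
    """One 'precedence ... match-criteria ...' line of a subscriber-map."""
    precedence: int              # 1..1024; the lowest value is evaluated first
    criteria: str                # "imsi", "service-plmnid" or "all"
    operator_policy: str
    mcc: Optional[str] = None    # required for imsi and service-plmnid
    mnc: Optional[str] = None    # 2 or 3 digits; its length fixes how the IMSI is split


def validate(entries: List[MapEntry]) -> None:
    """Reject what the CLI would reject: bad ranges, duplicate precedence, bad PLMN fields."""
    seen = set()
    for e in entries:
        if not 1 <= e.precedence <= 1024:
            raise ValueError(f"precedence {e.precedence} outside 1..1024")
        if e.precedence in seen:
            raise ValueError(f"duplicate precedence {e.precedence}")
        seen.add(e.precedence)
        if e.criteria not in ("imsi", "service-plmnid", "all"):
            raise ValueError(f"unknown match-criteria {e.criteria!r}")
        if e.criteria != "all" and not (
            e.mcc and e.mnc and len(e.mcc) == 3 and len(e.mnc) in (2, 3)
            and e.mcc.isdigit() and e.mnc.isdigit()
        ):
            raise ValueError(f"entry {e.precedence}: mcc must be 3 digits, mnc 2 or 3 digits")


def select_operator_policy(imsi: str, entries: List[MapEntry],
                           serving_plmn: Optional[Tuple[str, str]] = None) -> Optional[str]:
    """Return the operator policy of the first matching entry, or None when nothing matches.
    A subscriber that ends up with no operator policy is exactly the case a catch-all
    'all' entry with a high precedence number exists to avoid."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6..15 decimal digits")
    validate(entries)
    for e in sorted(entries, key=lambda x: x.precedence):
        if e.criteria == "all":
            return e.operator_policy
        if e.criteria == "imsi" and imsi[:3] == e.mcc and imsi[3:3 + len(e.mnc)] == e.mnc:
            return e.operator_policy
        if e.criteria == "service-plmnid" and serving_plmn == (e.mcc, e.mnc):
            return e.operator_policy
    return None
```

Note that an all entry with a low precedence value shadows every more specific entry after it, so put the catch-all at the highest number you use.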
Configuring the GTPU and EGTP Services
Configure the GTPU and EGTP services by applying the example configuration below.
config
context samog_context_name
egtp-service egtp_service_name
associate gtpu-service gtpu_service_name
gtpc bind ipv4-address ipv4_address
exit
gtpu-service gtpu_service_name
bind ipv4-address ipv4_address
exit
Configuring MAG Services
Create MAG services to configure a PMIPv6-based S2a interface by applying the example configuration below.
config
context context_name
cgw-service cgw_service_name
bind ipv4-address ipv4_address
associate mag-service mag_service_name
exit
mag-service mag_service_name
bind ipv4-address ipv4_address
reg-lifetime max_reg_duration
mobility-option-type-value standard
end
Configuring IPoGRE
Important |
The IP over GRE functionality requires an additional GRE Interface Tunneling license to create IP-GRE tunnels. For more information, contact your Cisco account representative. |
Configure IP over GRE (IPoGRE) encapsulation for processing DHCP Layer 3 IP packets by applying the example configuration below.
config
context context_name
ip vrf vrf_name
exit
interface interface_name
ip address ipv4_address/mask
# For an IPv6 interface address use: ipv6 address ipv6_address/mask
exit
interface interface_name1
ip address ipv4_address/mask
exit
interface interface_tunnel_name tunnel
ip vrf forwarding gre_vrf_name
ip address ipv4_address/mask
tunnel-mode gre
source interface interface_name
destination address ipv4_address
exit
exit
ip route ipv4_address ipv4_address tunnel interface_tunnel_name
port ethernet port_number
no shutdown
bind interface interface_name1 context_name
vlan vlan_number
no shutdown
ingress-mode
bind interface interface_name context_name
end
Notes:
- Use the interface interface_name1 configuration only if a VRF-GRE tunnel is required.
- Use the ip vrf forwarding command to associate a GRE tunnel with the VRF.
Configuring IPoVLAN
Configure IP over VLAN (IPoVLAN) encapsulation for processing DHCP Layer 3 IP packets by applying the example configuration below.
config
context context_name
ip vrf vrf_name
exit
interface interface_name
ip address ip_address ip_address
exit
interface interface_name1
ip vrf forwarding vrf_name
ip address ip_address ip_address
exit
ip route ip_address[/mask ] next-hop ip_address interface_name1 vrf vrf_name
ip route ip_address[/mask ] next-hop ip_address interface_name1 vrf vrf_name
port ethernet port_number
no shutdown
ingress-mode
bind interface interface_name context_name
vlan vlan_number
ingress-mode
bind interface interface_name1 context_name
no shutdown
end
config
context context_name
twan-profile twan_profile_name
ue-address dhcp
access-type client ipv4_address[/mask ] ip
access-type ip vrf vrf_name
radius ip vrf vrf_name
radius client ipv4_address[/mask ] key shared_secret_key disconnect-message dest-port port_number dictionary custom71
end
Notes:
- Use the ip vrf forwarding command to associate the interface with the VRF.
- Use the ingress-mode command to process UL user packets for L3IP access-type.
- Each TWAN profile creates an "aaa group" in all AAAMgrs with the name samog_rad_grp_twan_profile_name.
Configuring AAA
Create the AAA group for DIAMETER authentication and then configure AAA accounting and authentication by applying the example configuration below.
config
context aaa_context_name
interface aaa_interface_name
ip address ipv4_address/subnetmask
ip address ipv4_address/subnetmask secondary
end
config
context samog_context_name
aaa group aaa_diameterSTa1_group_name
diameter authentication dictionary aaa-custom13
diameter authentication endpoint endpoint_name
exit
aaa group aaa_group_diameter_STa2_name
diameter authentication dictionary aaa-custom13
diameter authentication endpoint endpoint_name
exit
aaa group aaa_acct_group_name
radius attribute nas-ip-address address ipv4-address
radius accounting server ipv4_address encrypted key key port port_no
exit
aaa group default
exit
gtpp group default
exit
diameter endpoint STA_endpoint_name
origin realm realm_name
use-proxy
origin host STa_endpoint_ipv4_address address ipv4_address port port_no
no watchdog-timeout
peer peer_name realm samog_realm_name address ipv4_address port port_no
exit
Configuring GTPP Dictionary and CDR Attributes
Configure the GTPP dictionary to be used for SGW and SGSN CDRs and the CDR attributes for the SaMOG gateway by applying the example configuration below.
config
context samog_context_name
gtpp group gtpp_group_name
gtpp charging-agent IPv4/IPv6_Address
gtpp server Server_IPv4/IPv6_Address max Maximum_GTPP_Messages
gtpp trigger volume-limit
gtpp trigger time-limit
gtpp dictionary custom24
gtpp attribute local-record-sequence-number
gtpp attribute msisdn
gtpp attribute diagnostics
gtpp attribute dynamic-flag
gtpp attribute record-type sgsnpdprecord
gtpp attribute record-type sgwrecord
gtpp attribute qos max-length qos_max_length
end
config
call-control-profile call_control_profile_name
accounting context samog_context_name gtpp-group gtpp_group_name
end
Configuring DNS
Configure DNS for the SaMOG gateway by applying the example configuration below.
config
context dns_context_name
interface dns_interface_name
ip address ipv4_address/subnetmask
exit
subscriber default
exit
aaa group default
exit
gtpp group default
exit
ip domain-lookup
ip name-servers ipv4_address
dns-client dns_client_name
bind address ipv4_address
end
Configuring Local Breakout
Optionally, configure one of the local breakout models for an APN: local breakout - enhanced, local breakout - basic, or flow-based local breakout (with or without external NAT). A P-GW service is assumed to be configured. Apply the appropriate example configuration below:
Important |
The Local Breakout (LBO) feature is license dependent. Each LBO model requires a separate feature license. While the LBO - Basic and Flow-based LBO licenses can co-exist, they are mutually exclusive with the LBO - Enhanced license. Contact your local Cisco account representative for licensing requirements. |
Local Breakout - Enhanced
config
context context_name
cgw-service service_name
associate pgw-service service_name
exit
exit
apn-profile profile_name
local-offload
end
Local Breakout - Basic
config
apn-profile apn_profile_name
local-offload
ip address pool name pool_name
ip context-name vpn_context_name
dns primary ipv4_address
dns secondary ipv4_address
ip access-group access_list_name [ in | out ]
active-charging rulebase rulebase_name
exit
context context_name
ip pool pool_name ip_address/mask public priority subscriber-gw-address router_ip_address
ip access-list access_list_name
redirect css service acs_service_name any
exit
exit
active-charging service acs_service_name
access-ruledef access_ruledef_name
ip any-match = TRUE
exit
fw-and-nat policy policy_name
access-rule priority priority access-ruledef access_ruledef_name permit nat-realm nat_realm_name
exit
rulebase rulebase_name
fw-and-nat default-policy policy_name
end
Flow-based Local Breakout
config
apn-profile apn_profile_name
local-offload flow
ip context-name vpn_context_name
ip access-group access_list_name [ in | out ]
active-charging rulebase rulebase_name
exit
context context_name
ip access-list access_list_name
redirect css service acs_service_name any
exit
exit
After applying the above initial configuration for Flow-based LBO, you can configure either a flow-based LBO whitelist or a blacklist.
Flow-based LBO with External NAT
SaMOG can also perform flow-based LBO with external NAT devices based on next-hop forwarding. Configure flow-based LBO with an external NAT by applying the example configuration below:
config
active-charging service acs_service_name
rulebase rulebase_name
action priority action_priority_1 ruledef ruledef_name_1 charging-action charging_action_name
action priority action_priority_2 ruledef ruledef_name_2 charging-action charging_action_name
exit
ruledef ruledef_name_1
ip dst-address = ipv6_address[/mask ]
exit
ruledef ruledef_name_2
ip dst-address = ipv4_address[/mask ]
exit
charging-action charging_action_name
nexthop-forwarding-address ipv4_address
exit
exit
# To configure IPv6 Access List
context context_name
ipv6 access-list ipv6_acl_name
redirect css service css_service_name any
exit
exit
# To configure the APN profile to use the IPv6 access list
apn-profile apn_profile_name
ip access-group ipv6_acl_name in
ip access-group ipv6_acl_name out
# To configure IPv6 DNS servers for GTPv2 sessions on flow-based LBO
dns ipv6 { primary | secondary } ipv6_address
end
Flow-based LBO Whitelist
active-charging service acs_service_name
access-ruledef access_ruledef_name
ip dst-address = ipv4_destination_address[/mask ]
exit
fw-and-nat policy policy_name
access-rule priority priority access-ruledef access_ruledef_name permit bypass-nat
access-rule no-ruledef-matches uplink action permit nat-realm nat_realm_name
access-rule no-ruledef-matches downlink action permit nat-realm nat_realm_name
exit
rulebase rulebase_name
fw-and-nat default-policy policy_name
end
Notes:
- The nat_realm_name is the IP pool used by the NAT service for dynamic NATting. This IP pool may have one-to-one or many-to-one users mapping to conserve IP addresses.
Flow-based LBO Blacklist
active-charging service acs_service_name
access-ruledef access_ruledef_name
ip dst-address = ipv4_destination_address[/mask ]
exit
fw-and-nat policy policy_name
access-rule priority priority access-ruledef access_ruledef_name permit nat-realm nat_realm_name
access-rule no-ruledef-matches uplink action permit bypass-nat
access-rule no-ruledef-matches downlink action permit bypass-nat
exit
rulebase rulebase_name
fw-and-nat default-policy policy_name
end
Notes:
- The nat_realm_name is the IP pool used by the NAT service for dynamic NATting. This IP pool may have one-to-one or many-to-one users mapping to conserve IP addresses.
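The whitelist and blacklist variants above differ only in which side of the fw-and-nat policy carries nat-realm and which carries bypass-nat: in the whitelist, a destination that matches the access-ruledef leaves un-NATted and everything else goes through the NAT realm; in the blacklist, only matching destinations are NATted and everything else bypasses NAT. The following added example, which is not part of the page or of StarOS, parses the ip dst-address lines of an access-ruledef and evaluates both policy shapes, so the traffic that would leave carrying the UE's own address can be listed before the policy goes live. It simplifies one thing and says so in the code: the ruledef is applied to the Internet-side address for both directions, whereas in ECS ip dst-address matches the packet's destination in whichever direction the packet travels. Addresses are from the RFC 5737/3849 documentation ranges and are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class NatPolicy:
    """Model of an fw-and-nat policy: a matched access-ruledef gives rule_action,
    otherwise the no-ruledef-matches default for the packet's direction applies."""
    prefixes: list
    rule_action: str          # "bypass-nat" or "nat-realm"
    default_uplink: str
    default_downlink: str


def parse_ruledef(lines: List[str]) -> list:
    """Parse 'ip dst-address = <addr>[/mask]' lines from an access-ruledef."""
    nets = []
    for line in lines:
        line = line.strip()
        if not line.startswith("ip dst-address ="):
            raise ValueError(f"unsupported ruledef line: {line!r}")
        nets.append(ip_network(line.split("=", 1)[1].strip(), strict=False))
    return nets


def whitelist_policy(ruledef_lines: List[str]) -> NatPolicy:
    # Whitelist: listed destinations bypass NAT, everything else goes through the nat-realm.
    return NatPolicy(parse_ruledef(ruledef_lines), "bypass-nat", "nat-realm", "nat-realm")


def blacklist_policy(ruledef_lines: List[str]) -> NatPolicy:
    # Blacklist: listed destinations are NATted, everything else bypasses NAT.
    return NatPolicy(parse_ruledef(ruledef_lines), "nat-realm", "bypass-nat", "bypass-nat")


def decide(policy: NatPolicy, remote_ip: str, direction: str) -> str:
    """Simplification: the ruledef is applied to the Internet-side address in both directions."""
    if direction not in ("uplink", "downlink"):
        raise ValueError(f"direction must be uplink or downlink, not {direction!r}")
    addr = ip_address(remote_ip)
    # An IPv4 prefix never contains an IPv6 address, so IPv6 traffic always takes the default.
    if any(addr.version == net.version and addr in net for net in policy.prefixes):
        return policy.rule_action
    return policy.default_uplink if direction == "uplink" else policy.default_downlink


def unnatted_destinations(policy: NatPolicy, candidates: List[str], direction: str = "uplink") -> List[str]:
    """Audit helper: which of the given remote addresses would leave with the UE's own address."""
    return [ip for ip in candidates if decide(policy, ip, direction) == "bypass-nat"]
```

The blacklist shape fails open: any destination the ruledef does not cover, including every IPv6 destination when the ruledef only lists IPv4 prefixes, bypasses NAT. Run unnatted_destinations over the prefixes you expect to be hidden before choosing that shape.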
Configuring Web-based Authorization
Important |
The Web Authorization feature is license dependent. Contact your local Cisco account representative for licensing requirements. |
Optionally, configure the SaMOG web-based authorization by applying the example configuration below.
HTTP Redirection for Web-based Authorization
For HTTP redirection, apply the following rulebase, ruledef and charging action example:
config
active-charging service acs_service_name
#Rule to analyze HTTP packets
ruledef http_ruledef_name
tcp either-port = 80
tcp either-port = 8080
rule-application routing
exit
#Rule to check if packet is a DNS packet
ruledef is_DNS_ruledef_name
udp either-port = port_number
tcp either-port = port_number
multi-line-or all-lines
exit
#Rule to check if packet is destined to HTTP portal (to avoid redirect loop)
ruledef is_redirected_ruledef_name
ip server-ip-address = http_web_portal_ipv4_address/mask
exit
#Rule for HTTP redirection to HTTP portal
ruledef http_redirect_ruledef_name
http any-match = TRUE
ip any-match = TRUE
multi-line-or all-lines
exit
#Action to allow packets without throttling at ECS
charging-action allow_charging_action_name
content-id content_id_2
exit
#Action to perform HTTP 302 redirection
charging-action page_redirect_charging_action_name
content-id content_id_3
flow action redirect-url http_web_portal_url
exit
#Rulebase with all above rules and actions
rulebase rulebase_name
retransmissions-counted
#Run protocol analyzers
route priority route_priority ruledef http_ruledef_name analyzer http
#Take action based on protocol analyzer result
action priority action_priority ruledef is_DNS_ruledef_name charging-action allow_charging_action_name
action priority action_priority ruledef is_redirected_ruledef_name charging-action allow_charging_action_name
action priority action_priority ruledef http_redirect_ruledef_name charging-action page_redirect_charging_action_name
end
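The rulebase above works only because of its ordering: the is_DNS and is_redirected rules must sit at lower priority numbers than the redirect rule, otherwise the UE's request to the portal itself matches the redirect rule and the browser is sent to the portal again, forever. The same ordering applies to the HTTPS readdress rulebase in the next section. The following added example, which is not part of the page or of StarOS, models first-match evaluation in ascending priority order and walks the redirects the way a UE would, so the loop is visible for the mis-ordered rulebase and absent for the correct one. The portal address and URL are constructed (RFC 5737 range), and the redirect ruledef is modelled on the HTTP analyzer result alone rather than the page's ip any-match line.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed portal address/URL, not from the page.
PORTAL_IP = ipaddress.ip_address("192.0.2.10")
PORTAL_URL = "http://192.0.2.10/login"


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    http: bool = False  # True once the HTTP analyzer has parsed a request on the flow


# Ruledef equivalents.
def is_dns(f: Flow) -> bool:                 # udp/tcp either-port = 53
    return f.dst_port == 53


def is_redirected(f: Flow) -> bool:          # ip server-ip-address = portal
    return ipaddress.ip_address(f.dst_ip) == PORTAL_IP


def is_http(f: Flow) -> bool:                # http any-match = TRUE
    return f.proto == "tcp" and f.http


# (priority, ruledef name, match function, action)
Rule = Tuple[int, str, Callable[[Flow], bool], str]


def evaluate(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule in ascending priority order wins; no match means plain forwarding."""
    for _prio, name, match, action in sorted(rulebase, key=lambda r: r[0]):
        if match(flow):
            return name, action
    return "no-match", "forward"


def follow_redirects(rulebase: List[Rule], flow: Flow, max_hops: int = 5) -> List[str]:
    """Apply the rulebase as a UE experiences it: each redirect-url makes the UE open PORTAL_URL."""
    actions = []
    for _ in range(max_hops):
        _name, action = evaluate(rulebase, flow)
        actions.append(action)
        if action != "redirect-url":
            return actions
        flow = Flow("tcp", str(PORTAL_IP), 80, http=True)   # the UE now talks to the portal
    actions.append("loop")
    return actions


# Ordering from the page: DNS and portal traffic are allowed before the redirect rule.
HTTP_RULEBASE: List[Rule] = [
    (10, "is_DNS", is_dns, "allow"),
    (20, "is_redirected", is_redirected, "allow"),
    (30, "http_redirect", is_http, "redirect-url"),
]

# Same rules with the loop guard after the redirect rule: portal requests are redirected again.
BROKEN_RULEBASE: List[Rule] = [
    (10, "is_DNS", is_dns, "allow"),
    (20, "http_redirect", is_http, "redirect-url"),
    (30, "is_redirected", is_redirected, "allow"),
]
```

When you add a rule to the real rulebase, give the portal and DNS allow rules the lowest priority numbers in use and check with a single HTTP request that the second hop (to the portal) is passed rather than redirected.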
HTTPS Redirection for Web-based Authorization
For HTTPS redirection, the HTTPS packets are encrypted with SSL/TLS between the client and server, so the ACS service cannot inspect the HTTP request. All HTTPS packets are instead readdressed to an external web portal using Layer 3/Layer 4 redirection rules. The web portal performs the TLS handshake with the UE and redirects it for authentication. Because the portal cannot present a certificate for the host name the UE originally requested, the UE's browser will show a certificate warning on that first connection; plan the portal flow with that in mind.
Apply the following rulebase, ruledef and charging action example for HTTPS redirection:
config
active-charging service acs_service_name
#Rule to allow DNS packets
ruledef is_dns_ruledef_name
udp either-port = 53
tcp either-port = 53
multi-line-or all-lines
exit
#Rule to check if the packet is destined to the web portal, to avoid redirect loop
ruledef is_redirect_ruledef_name
ip server-ip-address = web_portal_ip_address
exit
#Rule to check if the packet is an HTTPS packet
ruledef is_https_ruledef_name
tcp either-port = 443
multi-line-or all-lines
exit
#Action to allow packets without throttling at ECS
charging-action allow_charging_action_name
content-id content_id_1
exit
#Charging action to redirect all HTTPS packets (including initial TCP SYN/SYNACK/ACK) to web portal
charging-action l4_redirect_charging_action_name
content-id content_id_2
flow action readdress server web_portal_ip_address port port_number
exit
rulebase rulebase_name
action priority priority ruledef is_dns_ruledef_name charging-action allow_charging_action_name
action priority priority ruledef is_redirect_ruledef_name charging-action allow_charging_action_name
action priority priority ruledef is_https_ruledef_name charging-action l4_redirect_charging_action_name
end
Once the ruledef, charging action and rulebase are configured based on HTTP or HTTPS redirection, apply the rest of the configuration for web authorization as specified below:
configure
operator-policy { default | name policy_name }
apn webauth-apn-profile apn_profile_name
exit
apn-profile profile_name
active-charging rulebase rulebase_name
dns { primary | secondary } IPv4_address
dhcp lease { short duration | time duration }
ip address pool name pool_name
ip context-name context_name
ip access-group group_name [ in | out ]
ipv6 address prefix-pool pool_name
exit
call-control-profile profile_name
timeout imsi cache timer_value
subscriber multi-device
authenticate context context_name auth-method { [ eap ] [non-eap] }
end
Configuring and Binding the Interfaces
The interfaces created previously now must be bound to physical ports. Bind the system interfaces by applying the example configuration below.
config
port ethernet slot_no/port_no
no shutdown
bind interface gtp_samog_interface_name gtp_samog_context_name
exit
port ethernet slot_no/port_no
no shutdown
bind interface STa_acct_interface_name STa_acct_context_name
exit
port ethernet slot_no/port_no
no shutdown
bind interface dns_interface_name dns_context_name
exit
port ethernet slot_no/port_no
no shutdown
bind interface wlc_pmip_side_interface_name wlc_pmip_side_context_name
exit
port ethernet slot_no/port_no
no shutdown
bind interface wlc_side_samog_interface_name wlc_side_samog_context_name
exit
port ethernet slot_no/port_no
no shutdown
bind interface gtpu_interface_name gtpu_context_name
end
Enabling Logging
Optional. Enable event logging for the SaMOG Gateway by applying the example configuration below from the Command Line Interface Exec Mode.
[local]asr5500# logging filter active facility mrme level error_reporting_level
[local]asr5500# logging filter active facility cgw level error_reporting_level
[local]asr5500# logging filter active facility ipsgmgr level error_reporting_level
[local]asr5500# logging filter active facility radius-coa level error_reporting_level
[local]asr5500# logging filter active facility radius-auth level error_reporting_level
[local]asr5500# logging filter active facility radius-acct level error_reporting_level
[local]asr5500# logging filter active facility diabase level error_reporting_level
[local]asr5500# logging filter active facility diameter-auth level error_reporting_level
[local]asr5500# logging filter active facility aaamgr level error_reporting_level
[local]asr5500# logging filter active facility aaa-client level error_reporting_level
[local]asr5500# logging filter active facility diameter level error_reporting_level
[local]asr5500# logging filter active facility mobile-ipv6 level error_reporting_level
[local]asr5500# logging filter active facility hamgr level error_reporting_level
[local]asr5500# logging filter active facility diameter-ecs level error_reporting_level
[local]asr5500# logging filter active facility egtpc level error_reporting_level
[local]asr5500# logging filter active facility egtpmgr level error_reporting_level
Enabling SNMP Traps
Optional. Enable the sending of SaMOG gateway-related SNMP traps by applying the example configuration below.
config
context samog_context_name
snmp trap enable SaMOGServiceStart
snmp trap enable SaMOGServiceStop
snmp trap enable CGWServiceStart
snmp trap enable CGWServiceStop
end
To disable the generation of an SNMP trap:
config
context samog_context_name
snmp trap suppress trap_name
end
Configuring Bulk Statistics
Use the following configuration example to enable SaMOG bulk statistics:
config
bulkstats collection
bulkstats mode
sample-interval minutes
transfer-interval minutes
file number
remotefile format /localdisk/bulkstats/bulkstat%date%%time%.txt
receiver ipv4_or_ipv6_address primary mechanism sftp login login_name encrypted password password
samog schema schema_name format schema_format
end
Notes:
- The bulkstats collection command in this example enables bulk statistics, and the system begins collecting pre-defined bulk statistical information.
- The bulkstats mode command enters Bulk Statistics Configuration Mode, where you define the statistics to collect.
- The sample-interval command specifies the time interval, in minutes, to collect the defined statistics. The minutes value can be in the range of 1 to 1440 minutes. The default value is 15 minutes.
- The transfer-interval command specifies the time interval, in minutes, to transfer the collected statistics to the receiver (the collection server). The minutes value can be in the range of 1 to 999999 minutes. The default value is 480 minutes.
- The file command specifies a file in which to collect the bulk statistics. A bulk statistics file is used to group bulk statistics schema, delivery options, and receiver configuration. The number can be in the range of 1 to 4.
- The receiver command in this example specifies the primary collection server, the transfer mechanism (in this example, sftp), and a login name and encrypted password. Prefer sftp over ftp so that credentials and the statistics files do not cross the management network in clear text.
- The samog schema command specifies that the SaMOG schema is used to gather statistics. The schema_name is an arbitrary name (from 1 to 31 characters) to use as a label for the collected statistics defined by the format option. The format option defines, within quotation marks, the list of variables in the SaMOG schema to collect. The format string can be from 1 to 3599 characters.
For descriptions of the SaMOG schema variables, see "SaMOG Schema Statistics" in the Statistics and Counters Reference. For more information on configuring bulk statistics, see the System Administration Guide.
Saving the Configuration
Save the SaMOG configuration file to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration.
For additional information on how to verify and save configuration files, see the System Administration Guide and the Command Line Interface Reference.