Creating an IMSI Prefix Filter - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide
Setting the Network ID (APN Domain Name)
To set an APN filter, you need to know the network ID, which identifies the name of an
external network.
NOTE: Because the APN domain name (network ID) can potentially be very long and
contain many characters, you can use the wildcard "*" as the first character of the APN
to indicate that the APN also includes all preceding characters. Because APN
filtering is based on perfect matches, using the wildcard "*" can prevent the inadvertent
exclusion of APNs that you would otherwise authorize.
Setting a Selection Mode
You must also set a Selection Mode, which indicates the origin of the APN and whether
the user subscription has been verified by the Home Location Register (HLR). You can set
one of the following Selection Modes:
- Mobile Station—MS-provided APN, subscription not verified. This Selection Mode
  indicates that the mobile station (MS) provided the APN and that the HLR did not
  verify the user's subscription to the network.
- Network—Network-provided APN, subscription not verified. This Selection Mode
  indicates that the network provided a default APN because the MS did not specify one,
  and that the HLR did not verify the user's subscription to the network.
- Verified—MS or Network-provided APN, subscription verified. This Selection Mode
  indicates that the MS or the network provided the APN and that the HLR verified the
  user's subscription to the network.

Creating an IMSI Prefix Filter

A GSN (GPRS Support Node) identifies a mobile station by its IMSI (International Mobile
Station Identity). An IMSI is composed of three elements:
- The MCC (Mobile Country Code)
- The MNC (Mobile Network Code)
- The MSIN (Mobile Subscriber Identification Number)
The MCC and MNC combine to create the IMSI prefix, which identifies the mobile
subscriber's home network (PLMN). By default, a security device does not perform IMSI
prefix filtering on GTP packets. You can use the IMSI prefix to configure a security device
to deny GTP traffic sent from non-roaming partners.
When you set an IMSI prefix in the GTP object, the security device filters "create pdp
request" messages and permits only GTP packets with a matching IMSI prefix. If the
prefix does not match, the security device drops the GTP packet. You can set up to 1000
IMSI prefixes for each device (one per filter).
To disable IMSI prefix filtering, remove all MCC-MNC pairs from the GTP object.
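
The filtering decision described above, sketched as an added example (not code from the Juniper guide or from the security device). It assumes GTPv1 encoding per 3GPP TS 29.060 (message type 16, IMSI information element type 2, TBCD digits); the function names, the sample prefixes, the plain string-prefix comparison, and dropping a create request that carries no IMSI are assumptions.

```python
import struct

CREATE_PDP_REQUEST = 16   # GTPv1-C message type for "create pdp request"
IE_IMSI = 2               # IMSI information element: 1 type octet + 8 TBCD octets

def encode_tbcd(digits):
    """Pack a digit string into 8 TBCD octets: low nibble first, 0xF filler."""
    padded = digits + "f" * (16 - len(digits))
    return bytes(int(padded[i + 1] + padded[i], 16) for i in range(0, 16, 2))

def decode_tbcd(octets):
    """Reverse of encode_tbcd; stops at the filler or any non-decimal nibble."""
    digits = ""
    for b in octets:
        for nibble in (b & 0x0F, b >> 4):
            if nibble > 9:
                return digits
            digits += str(nibble)
    return digits

def extract_imsi(packet):
    """Return (message_type, imsi or None) from a GTPv1 control message."""
    if len(packet) < 8 or packet[0] >> 5 != 1:
        raise ValueError("not a GTPv1 message")
    flags, msg_type, length, _teid = struct.unpack("!BBHI", packet[:8])
    offset = 12 if flags & 0x07 else 8   # E, S or PN set: 4 optional octets follow
    ies = packet[offset:8 + length]      # length counts everything after octet 8
    if len(ies) >= 9 and ies[0] == IE_IMSI:
        return msg_type, decode_tbcd(ies[1:9])
    return msg_type, None

def filter_gtp(packet, allowed_prefixes):
    """Return 'permit' or 'drop'; an empty prefix set disables filtering."""
    if not allowed_prefixes:
        return "permit"
    msg_type, imsi = extract_imsi(packet)
    if msg_type != CREATE_PDP_REQUEST:   # only create requests are filtered
        return "permit"
    if imsi and any(imsi.startswith(p) for p in allowed_prefixes):
        return "permit"
    return "drop"                        # no IMSI or no matching MCC-MNC prefix

def build_create_pdp_request(imsi):
    """Constructed sample: header with sequence number plus the IMSI IE only."""
    ies = bytes([IE_IMSI]) + encode_tbcd(imsi)
    body = struct.pack("!HBB", 1, 0, 0) + ies   # sequence, N-PDU, next ext header
    return struct.pack("!BBHI", 0x32, CREATE_PDP_REQUEST, len(body), 0) + body
```

Because an MNC can be two or three digits, a string-prefix comparison on a five-digit MCC-MNC value also matches IMSIs whose six-digit prefix begins with the same five digits.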
Copyright © 2010, Juniper Networks, Inc.
