Cisco Intelligent Wireless Access Gateway Configuration Manual

Intelligent wireless access gateway

Intelligent Wireless Access Gateway Configuration Guide
First Published: July 26, 2013
Last Modified: March 28, 2014
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-30226-03

Summary of Contents for Cisco Intelligent Wireless Access Gateway

  • Page 2 Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 3: Table Of Contents

    Configuring Authentication, Authorization, and Accounting for the iWAG Configuring DHCP when the iWAG Acts as a DHCP Proxy Configuring the Cisco ISG Class Map and Policy Map for the iWAG Configuring a Session Initiator for the iWAG Configuring a Tunnel Interface for the iWAG...
  • Page 4 Feature Information for Configuring Ethernet Over GRE GTPv2 Support in the iWAG C H A P T E R 5 Finding Feature Information Restrictions for GTPv2 of the iWAG Information About GTPv2 in the iWAG Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 5 Finding Feature Information Information About Cisco ISG Accounting Accuracy for LNS Sessions Additional References Feature Information for Cisco ISG Accounting Accuracy for LNS Sessions Dual Stack Support for PMIPv6 and GTP C H A P T E R 9 Finding Feature Information...
  • Page 6 Activating and Deactivating the Flow-Based Redirect Feature Through Vendor-Specific Attributes Configuring Flow-Based Redirect for a Traffic Class Service Examples Best Practices for Configuring the NAT on the Cisco ASR 1000 Series Routers NAT Overloading and Port Parity NAT Interface Overloading with VRF Additional References...
  • Page 7 Dual-Stack Mobile IPoE Session with IPv6 ND as FSOL for GTP Call Flow Additional References Feature Information for Call Flows for Dual-Stack PMIPv6 and GTP iWAG Scalability and Performance C H A P T E R 1 4 Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 8 Contents iWAG Scaling Restrictions for iWAG Scalability Layer 4 Redirect Scaling Configuring Call Admission Control Walk-by User Support for PWLAN in iWAG Additional References Feature Information for iWAG Scalability and Performance Intelligent Wireless Access Gateway Configuration Guide viii OL-30226-03...
  • Page 9: C H A P T E

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 10: Prerequisites For The Iwag

    • Enable the ipv6 unicast-routing command. Restrictions for the iWAG • Roaming from a 3G mobility network to a WLAN is not supported for the GTP and Cisco ISG sessions. • IP subscriber-routed (L3) sessions are not supported. • IPv6 and quality of service (QoS) are not supported in a 3G mobility network.
  • Page 11: Benefits Of The Iwag

    Overview of the Intelligent Wireless Access Gateway Benefits of the iWAG The following figure shows a deployment model of the iWAG on a Cisco ASR 1000 Series Aggregation Services Router. Figure 1: iWAG Deployment on a Cisco ASR 1000 Series Aggregation Services Router...
  • Page 12 Overview of the Intelligent Wireless Access Gateway AAA Attributes The following indicate the availability of the attributes: Note C: Conditional M: Mandatory O: Optional N: Not present Table 1: iWAG AAA Attributes Attrib Attri Value Description bute /Subattri Name bute...
  • Page 13 Overview of the Intelligent Wireless Access Gateway AAA Attributes Attrib Attri Value Description bute /Subattri Name bute 26/9/1 Cisco String Mobile Subscriber ISDN number -MSISDN 26/9/1 Cisco-MN ENUM Mobile Node Service type -Service • none • ipv4 • ipv6 • dual...
  • Page 14 Overview of the Intelligent Wireless Access Gateway AAA Attributes Attrib Attri Value Description bute /Subattri Name bute 26/9/1 Cisco String Mobile node's Visited LMA IPv6 address -Visited -LMA -IPv6 -Address 26/9/1 Cisco IPv4 Address Mobile node's Home LMA IPv4 address...
  • Page 15: Supported Hardware And Software Compatibility Matrix For The Iwag

    Overview of the Intelligent Wireless Access Gateway Supported Hardware and Software Compatibility Matrix for the iWAG Attrib Attri Value Description bute /Subattri Name bute THREEGENPP IPv4 Address GGSN's Address /10415 _GGSN _ADDRESS 26/9/1 Cisco String Access-side VRF ID -Access -Vrf...
  • Page 16: How To Configure The Iwag

    How to Configure the iWAG Configuring the iWAG for Simple IP Users You must configure the Cisco Intelligent Services Gateway (ISG) for the iWAG to enable simple IP users to access Internet services. The tasks listed below enable IP sessions and indicate how these sessions are identified. For detailed steps, see the "Creating ISG Sessions for IP Subscribers"...
  • Page 17 Overview of the Intelligent Wireless Access Gateway Configuring the iWAG for 3G Mobile IP Users SUMMARY STEPS 1. enable 2. configure terminal 3. aaa new-model 4. aaa group server radius group-name 5. server-private ip-address [auth-port port-number | acct-port port-number ] [non-standard] [timeout seconds ] [retransmit retries ] [ key string] 6.
  • Page 18: Configuring Dhcp When The Iwag Acts As A Dhcp Proxy

    Overview of the Intelligent Wireless Access Gateway Configuring the iWAG for 3G Mobile IP Users Command or Action Purpose Step 6 aaa authentication login {default | list-name} { [passwd-expiry] Sets AAA authentication at login. method1 [method2...]} Example: Router(config-sg-radius)# aaa authentication login...
  • Page 19 Overview of the Intelligent Wireless Access Gateway Configuring the iWAG for 3G Mobile IP Users SUMMARY STEPS 1. enable 2. configure terminal 3. ip dhcp excluded-address [vrf vrf-name] ip-address 4. ip dhcp pool pool-name 5. network network-number [ mask [secondary] | /prefix-length [secondary] 6.
  • Page 20: Configuring The Cisco Isg Class Map And Policy Map For The Iwag

    GGSN or PGW. Configuring the Cisco ISG Class Map and Policy Map for the iWAG This section describes how to configure the Cisco ISG class map and policy map for the iWAG. SUMMARY STEPS 1. enable 2.
  • Page 21 Overview of the Intelligent Wireless Access Gateway Configuring the iWAG for 3G Mobile IP Users DETAILED STEPS Command or Action Purpose Step 1 enable Enables the privileged EXEC mode. Enter your password, if prompted. Example: Router> enable Step 2 Enters the global configuration mode.
  • Page 22 Overview of the Intelligent Wireless Access Gateway Configuring the iWAG for 3G Mobile IP Users Command or Action Purpose Step 9 [ priority ] class type traffic { class-map-name | default {in-out | Creates or modifies a traffic class map that is used...
  • Page 23: Configuring A Session Initiator For The Iwag

    MAC address, an unclassified MAC address, a RADIUS message with the Cisco ASR 1000 Series Aggregation Services Router acting as RADIUS proxy or a DHCP DISCOVER message with the Cisco ASR 1000 Series Aggregation Services Router acting as DHCP proxy.
  • Page 24: Configuring A Tunnel Interface For The Iwag

    Router(config-if)# ip subscriber l2-connected method. Step 9 initiator {dhcp | radius-proxy | static ip subscriber list Enables the Cisco ISG to create an IP subscriber session listname | unclassified ip | unclassified mac-address} upon receipt of a specified type of packet. Example:...
  • Page 25: Enabling Mobile Client Service Abstraction

    Overview of the Intelligent Wireless Access Gateway Configuring the iWAG for 3G Mobile IP Users SUMMARY STEPS 1. enable 2. configure terminal 3. interface GigabitEthernet slot/subslot/port 4. description string 5. ip address ip-address mask [secondary [vrf vrf-name ]] 6. negotiation auto...
  • Page 26: Configuring The Gtp Of The Iwag

    Overview of the Intelligent Wireless Access Gateway Configuring the iWAG for 3G Mobile IP Users Enabling MCSA is mandatory before you enable the Mobility feature in the Cisco ASR 1000 Series Note Aggregation Services Routers. SUMMARY STEPS 1. enable 2. configure terminal 3.
  • Page 27 Step 2 configure terminal Enters the global configuration mode. Example: Router# configure terminal Step 3 Configures the GTP for the iWAG solution on the Cisco ASR 1000 Series Aggregation Services Router. Example: Router(config)# gtp Step 4 n3-request number of requests Specifies the number of times a control message must be retried before a failure message is sent.
  • Page 28 192.168.10.1 Step 13 dhcp-lease seconds Configures the duration (in seconds) of the lease for an IP address that is assigned from a Cisco IOS DHCP Server to a DHCP client. Example: Router(config-gtp-apn)# dhcp-lease 3000 Intelligent Wireless Access Gateway Configuration Guide...
  • Page 29: Configuring The Iwag For 4G Mobile Ip Users

    • Configuring a Detailed Configuration for an LMA Enabling Mobile Client Service Abstraction This section describes how to enable Mobile Client Service Abstraction (MCSA) for PMIPv6. Enabling MCSA is mandatory before you enable the Mobility feature in the Cisco ASR 1000 Series Note Aggregation Services Routers.
  • Page 30: Additional References

    Enters the global configuration mode. configure terminal Example: Router# configure terminal Step 3 mcsa Enables MCSA on the Cisco ASR 1000 Series Aggregation Services Router. Example: Router(config)# mcsa Step 4 Enables MCSA to receive notifications from the Cisco ISG. enable sessionmgr...
  • Page 31: Feature Information For The Intelligent Wireless Access Gateway

    Overview of the Intelligent Wireless Access Gateway Feature Information for the Intelligent Wireless Access Gateway Standards and RFCs Standard/RFC Title RFC 3775 Mobility Support in IPv6 RFC 5213 Proxy Mobile IPv6 RFC 5844 IPv4 Support for Proxy Mobile IPv6 RFC 5845...
  • Page 32 ASR 1000 Series Aggregation Services Routers.
  • Page 33: Restrictions For Ipogec

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 34: Information About Ip Sessions Over Gigabit Etherchannel

    11. initiator {dhcp | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified mac-address} DETAILED STEPS Command or Action Purpose Step 1 Enters the global configuration mode. configure terminal Example: Router# configure terminal Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 35 The iWAG does not support the routed access method. Step 10 initiator {dhcp | radius-proxy | static ip subscriber list Enables the Cisco ISG to create an IP subscriber session listname | unclassified ip | unclassified mac-address} upon receipt of a specified type of packet. Example:...
  • Page 36: Configuring Member Links For Ip Sessions Over Gigabit Etherchannel

    Command or Action Purpose Step 11 initiator {dhcp | radius-proxy | static ip subscriber list Enables the Cisco ISG to create an IP subscriber session listname | unclassified ip | unclassified mac-address} upon receipt of a specified type of packet. Example:...
  • Page 37: Configuration Examples For Ip Sessions Over Gigabit Etherchannel

    3000 channel-group 1 mode active Additional References Related Documents Related Topic Document Title Cisco IOS commands Cisco IOS Master Commands List, All Releases iWAG commands Cisco IOS Intelligent Wireless Access Gateway Command Reference Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 38: Feature Information For Ip Sessions Over Gigabit Etherchannel

    Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 39 Cisco ASR 1000 Series Aggregation Services Routers.
  • Page 41: Multiple-Flow Tunnel

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 42: Additional References

    PMIPv6 subscribers can be attached. Cisco high-end routing platforms, such as the Cisco ASR 1000 Series Route Processor 2, the Cisco ASR 1000 Series 40-Gbps ESP, and the Cisco ASR 1000 Series 100-Gbps ESP support 128,000 scaling for the LMA.
  • Page 43: Feature Information For Multiple-Flow Tunnel

    Cisco ASR 1000 Series Aggregation Services Routers.
  • Page 45: Service Provider Wifi: Support For Integrated Ethernet Over Gre

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 46: Information About Ethernet Over Gre

    Restrictions for Configuring Ethernet Over GRE The following features are not supported on the Cisco ASR 1000 Series Aggregation Services Routers: • IPsec tunnel between the Cisco ASR 1000 Series Aggregation Services Routers and the CPE devices • Native multicast coexistence for subscribers •...
  • Page 47: Prerequisites For Configuring Ethernet Over Gre

    Prerequisites for Configuring Ethernet Over GRE Prerequisites for Configuring Ethernet Over GRE Before you configure the Ethernet over GRE feature on the Cisco ASR 1000 Series Aggregation Services Routers, ensure that the following prerequisites are met: • A physical interface or dot1Q interface should be configured.
  • Page 48 Information About Configuring Ethernet Over GRE The following figure shows the structure of the EoGRE feature with PMIP/GTP integrated for mobility service. Figure 3: Structure of the EoGRE Feature with PMIP/GTP Integrated for Mobility Service Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 49 The EoGRE feature supports the following deployments: • EoGRE Deployment with PMIPv6 Integrated for Mobility Service • EoGRE Deployment with GTP Integrated for Mobility Service • EoGRE Deployment with ISG Integrated for Simple IP Service Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 50: Eogre Deployment With Pmipv6 Integrated For Mobility Service

    WLCs are used as residential gateways or CPE devices. CPEs are preconfigured with a point-to-multipoint GRE IP tunnel to the Cisco ASR 1000 Series Aggregation Services Routers as the MAG. The tunnel from the CPE device can be configured with a static GRE key. The CPEs are provisioned to forward the Ethernet traffic from both public and private customers to the GRE tunnel, and to add a VLAN tag on the Ethernet frame before forwarding the traffic.
  • Page 51: Eogre Deployment With Gtp Integrated For Mobility Service

    The ISG provides simple IP service to mobile nodes that are connected to ISG via the EoGRE tunnel, as shown in the following figure. The Cisco ASR 1000 Series Aggregation Services Routers use the ISG Intelligent Wireless Access Gateway Configuration Guide...
  • Page 52: Supported Features

    Figure 7: Structure of the EoGRE Deployment with ISG Integrated for Simple IP Service Supported Features The following features are supported as part of the EoGRE feature on the Cisco ASR 1000 Series Aggregation Services Routers: • Ethernet over GRE traffic termination on the routers •...
  • Page 53: How To Configure The Eogre Feature

    For a simple IP scenario, only a specified IP address can be configured on the tunnel interface. This IP address can be used Router(config-if)# ip unnumbered loopback 0 as a default gateway IP address. Router(config-if)# ip address 20.1.1.2 255.255.255.0 Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 54: Example: Configuring The Eogre Feature

    Router(config-if)# end Example: Configuring the EoGRE Feature aaa new-model aaa group server radius AAA_SERVER_CAR server-private 5.3.1.76 auth-port 2145 acct-port 2146 key cisco aaa authentication login default none aaa authentication login ISG_PROXY_LIST group AAA_SERVER_CAR aaa authorization network ISG_PROXY_LIST group AAA_SERVER_CAR aaa authorization subscriber-service default local group AAA_SERVER_CAR...
  • Page 55 172.16.254.254 domain-name cisco.com policy-map type control EOGRE_L2_ISG class type control always event session-start 2 authorize aaa list ISG_PROXY_LIST password cisco identifier mac-address 4 set-timer IP_UNAUTH_TIMER 5 class type control always event service-start 1 service-policy type service identifier service-name 2 collect identifier nas-port interface Loopback0 ip address 9.9.9.9 255.255.255.255...
  • Page 56: Additional References

    No new or modified MIBs are supported by this To locate and download MIBs for selected platforms, feature. Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs Intelligent Wireless Access Gateway Configuration Guide...
  • Page 57: Feature Information For Configuring Ethernet Over Gre

    Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 58 ASR 1000 Series Aggregation Services Routers. The following sections provide information about this feature: • Information About Configuring Ethernet Over GRE, on page 39 • How to Configure the EoGRE Feature, on page Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 59: Gtpv2 Support In The Iwag

    Effective from Cisco IOS XE Release 3.10S, the support for GPRS Tunneling Protocol Version 2 (GTPv2) is offered on the Cisco ASR 1000 Series Aggregation Services Routers as an enhancement to the GTPv1 offering in the iWAG solution that was introduced in Cisco IOS XE Release 3.8S. GTPv2 provides support for both the 4G and 3G mobile users, whereas GTPv1 provides support only for 3G mobile users.
  • Page 60: Information About Gtpv2 In The Iwag

    AAA attributes. However, the new gtpv2 enum value for the Cisco-MPC-Protocol-Interface attribute is necessary to specify the use of GTPv2. The AAA server identifies a subscriber depending upon whether the subscriber profile is sent over GTPv1 tunnel or GTPv2 tunnel from the iWAG back to the Evolved Packet Core (EPC).
  • Page 61: Radius Configuration

    98 Intra-iWAG Roaming Effective from Cisco IOS XE Release 3.10S, both GTPv1 and GTPv2 support connected subscriber roaming across different access interfaces of the iWAG. GTPv1 and GTPv2 preserve and update their existing sessions to allow their data traffic to flow through the new ingress interfaces from the access network.
  • Page 62: Additional References

    No new or modified MIBs are supported by this To locate and download MIBs for selected platforms, feature. Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs Intelligent Wireless Access Gateway Configuration Guide...
  • Page 63: Feature Information For Gtpv2 Support In The Iwag

    Cisco ASR 1000 Series Aggregation Services Routers.
  • Page 65: Iwag Sso Support For Gtp

    (FSOL) triggers that are supported on SSO include DHCP proxy (where the iWAG acts as the DHCP proxy server) and DHCP proxy plus unclassified MAC. For more information about ISSU, see the “Overview of ISSU on the Cisco ASR 1000 Series Routers” section of the Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide.
  • Page 66: Enabling Sso Support For The Gtp

    If traffic interruption exceeds the configured t3 and n3 limits, the session is disconnected. Enabling SSO Support for the GTP This section describes how to enable SSO support for the GTP on the Cisco ASR 1000 Series Aggregation Services Routers. SUMMARY STEPS 1.
  • Page 67: Additional References

    No new or modified MIBs are supported by this To locate and download MIBs for selected platforms, feature. Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs Intelligent Wireless Access Gateway Configuration Guide...
  • Page 68: Feature Information For Iwag Sso Support For Gtp

    Cisco ASR 1000 Series Aggregation Services Routers.
  • Page 69: Configuring Isg Policy Templates

    ISG policies on IPv4 and IPv6 subscriber sessions. It enables support of up to 128,000 IP subscriber sessions with more complex ISG policies at a higher churn rate on the Cisco ASR 1000 Series Aggregation Services Routers.
  • Page 70: How To Configure Isg Policy Templates

    No new or modified MIBs are supported by this To locate and download MIBs for selected platforms, feature. Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs Intelligent Wireless Access Gateway Configuration Guide...
  • Page 71: Feature Information For Configuring Isg Policy Templates

    Cisco ASR 1000 Series Aggregation Services Routers.
  • Page 73: Chapter 8 Cisco Isg Accounting Accuracy For Lns Sessions

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 74: Additional References

    Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Intelligent Wireless Access Gateway Configuration Guide...
  • Page 75: Feature Information For Cisco Isg Accounting Accuracy For Lns Sessions

    Cisco ASR 1000 Series Aggregation Services Routers.
  • Page 77: Dual Stack Support For Pmipv6 And Gtp

    C H A P T E R Dual Stack Support for PMIPv6 and GTP Effective from Cisco IOS XE Release 3.11S, the Intelligent Wireless Access Gateway (iWAG) supports dual-stack session for Proxy Mobile IPv6 (PMIPv6) and GPRS Tunneling Protocol (GTP) sessions.
  • Page 78: Features Supported For Dual-Stack Pmipv6 Sessions

    This feature enables the assignment of both an IPv4 address and an IPv6 address to a client. Therefore, the overall number of supported subscribers on the Cisco ASR 1000 Series Aggregation Services Routers are not affected by a mix of IPv4 and IPv6 traffic.
  • Page 79: Configuration Examples For Dual-Stack Pmipv6

    ACL_OUT_INTERNET match access-group input name ACL_IN_INTERNET class-map type traffic match-any TC_INTERNET_IPV6 match access-group output name IPV6_ACL_INTERNET match access-group input name IPV6_ACL_INTERNET class-map type traffic match-any TC_INTERNET_IPV6_2 match access-group output name IPV6_ACL_INTERNET2 Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 80: Example: Configuring A Policymap For Dual-Stack Pmipv6

    30 authorize aaa list default identifier mac-address #performs MAC TAL authorization class type control always event session-restart 10 service-policy type service name DRL_V4 #applying services during dual stack 11 service-policy type service name DRL_V6 #applying services during dual Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 81: Example: Configuring An Access Interface For Dual-Stack Pmipv6

    #DHCP control packets are used as FSOL to create DHCPv4 only session Example: Configuring the Local Mobility Anchor for Cisco ASR 5000 Routers context pgw ip pool PMIP_POOL 70.70.0.1 255.255.0.0 public 0 subscriber-gw-address 70.70.70.1 ip pool v4_staticpool 9.9.9.1 255.255.0.0 static...
  • Page 82: Example: Configuring Mobile Access Gateways For Dual-Stack Pmipv6

    2002::4 address ipv4 15.1.1.2 binding maximum 40000 replay-protection timestamp window 255 interface GigabitEthernet0/0/2 enable pmipv6 default MN1@example.com lma lma1 D1 ipv6-address 2003::4 ipv4-address 16.1.1.2 encap gre-ipv4 Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 83: Configuration Examples For Dual-Stack Gtp

    Example: Configuring a Control Policy for Dual-Stack GTP policy-map type control BB_PMAP class type control always event session-start 10 authorize aaa list BB_1 password cisco identifier mac-address Example: Configuring an Access Interface for Dual-Stack GTP interface GigabitEthernet0/0/3 ip address 21.0.0.1 255.255.0.0...
  • Page 84: Enabling Ipv6 Routing

    Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Intelligent Wireless Access Gateway Configuration Guide...
  • Page 85: Feature Information For Dual-Stack Support For Pmipv6 And Gtp

    Cisco ASR 1000 Series Aggregation Services Routers.
  • Page 87: Flow-Based Redirect

    Configuring Flow-Based Redirect for a Traffic Class Service, page 82 • Examples, page 85 • Best Practices for Configuring the NAT on the Cisco ASR 1000 Series Routers, page 87 • NAT Overloading and Port Parity, page 88 • NAT Interface Overloading with VRF, page 88 •...
  • Page 88: Flow-Based Redirect For Adult Content Filtering

    Flow-Based Redirect Flow-Based Redirect for Adult Content Filtering Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Flow-Based Redirect for Adult Content Filtering In a typical WiFi hotspot deployment, all subscriber traffic goes through Cisco ISG (Intelligent Service Gateway) after successful authentication.
  • Page 89: Flow-Based Redirect For Selective Ip Traffic Offload

    Flow-Based Redirect for Selective IP Traffic Offload Mobile IP sessions are provisioned with a traffic class service in the Cisco Intelligent Wireless Access Gateway (iWAG) for routing web traffic to a next hop device, depending on the local policies or the policies that are downloaded from the Cisco IOS authentication, authorization, and accounting (AAA) network security services.
  • Page 90: Activating And Deactivating The Flow-Based Redirect Feature Through Vendor-Specific Attributes

    14. 1 service-policy type service unapply identifier service-name 15. class type control always event service-start 16. 10 service-policy type service identifier service-name 17. class type control always event account-logoff 18. 10 service disconnect delay 5 Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 91 Example: Router (config-service-policymap)# class type traffic ACF_ACL Step 9 reroute to next-hop ip IP address Redirects traffic to the specified IP address. Example: Router (config-service-policymap-class-traffic)# reroute to next-hop ip 44.0.0.22 Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 92 Router (config-control-policymap)# class type control always event account-logoff Step 18 10 service disconnect delay 5 Disconnects upon an account-logoff event, after a 5 second delay. Example: Router (config-control-policymap-class-control)# 10 service disconnect delay 5 Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 93: Examples

    Class-id Packets Bytes Pri. Definition 31936 Match Any Match Any 31936 Match ACL WEB_ACL_IN Match ACL WEB_ACL_OUT Template Id : 1 Features: Absolute Timeout: Class-id Timeout Value Time Remaining Source 3000 00:48:16 Peruser Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 94 Router# Show platform hardware qfp active statistics drop ------------------------------------------------------------------------- Global Drop Stats Packets Octets ------------------------------------------------------------------------- Disabled 1166 essipsubfsoldrop 2327 216495 UnconfiguredIpv6Fia 9492 Intelligent Wireless Access Gateway Configuration Guide OL-30226-03...
  • Page 95: Best Practices For Configuring The Nat On The Cisco Asr 1000 Series Routers

    Best Practices for Configuring the NAT on the Cisco ASR 1000 Series Routers The following are the recommended best practices to configure the NAT on the Cisco ASR 1000 Series Aggregation Services Routers: • Restriction on the total QFP DRAM usage At 97 percent DRAM utilization, depletion messages are displayed in the syslog as a warning message to make the operator aware of low QFP DRAM availability.
  • Page 96: Nat Overloading And Port Parity

    NAT Overloading and Port Parity
    • The ip nat translation max-entries all-host command can be used in scenarios where the Cisco ASR 1000 Series Router, acting as ISG, performs NAT on all or most of the subscriber traffic. This helps the operator to prevent a single host from occupying the entire translation table, while allowing a reasonable upper limit to each host.
  • Page 97: Additional References

    Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
    Feature Information for Flow-Based Redirect
    The following table provides release information about the feature or features described in this module.
  • Page 99: Call Flows For Simple Ip Users

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 100
    • User redirection to the portal (on user authorization failure only)
    • User authentication at the RADIUS server
    • Profile download and auto-login service activation
    • Access to features such as change of authorization (CoA), account logout, account stop, account ping
  • Page 101: Simple Ip Unclassified Mac With Mac Tal Authentication Call Flow

    IP user.
    Figure 10: Simple IP Unclassified MAC with MAC TAL Authentication Call Flow
    The following steps describe the call flow for a successful MAC TAL Web authorization for a simple IP subscriber:
  • Page 102 6 An Accounting Start message is sent to the application provider to indicate the start of the subscriber’s service. The subscriber can now access the Internet services applicable as part of the subscription.
  • Page 103: Simple Ip Unclassified Mac With Web Login Authentication Call Flow

    1 The subscriber initiates IP traffic to get connected to the Internet service. ISG notices a new subscriber address and creates an unauthenticated subscriber session.
    2 ISG then sends an authorization request to the RADIUS server with the subscriber’s MAC address as the username.
  • Page 104: Simple Ip Unclassified Mac Authentication Call Flow Configuration

    #----------------------------------------------
    interface GigabitEthernet0/0/2.10
    #Connected to the client, access interface.
    encapsulation dot1Q 10
    ip address 11.11.11.1 255.255.255.0
    service-policy type control TAL
    ip subscriber l2-connected
    initiator unclassified mac-address
    interface GigabitEthernet0/0/3
    #Connected to the RADIUS server
  • Page 105
    10 authenticate aaa list IP_AUTHEN_LIST
    20 service-policy type service unapply name OPENGARDEN_SERVICE
    30 service-policy type service unapply name L4REDIRECT_SERVICE
    class type control UNAUTHEN_COND event timed-policy-expiry
    10 service disconnect
    #----------------------------------------------
    # ACL
  • Page 106: Additional References

    No new or modified MIBs are supported by this feature.
    To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
  • Page 107: Feature Information For Call Flows For Simple Ip Users

    Cisco ASR 1000 Series Aggregation Services Routers.
  • Page 108 Call Flows for Simple IP Users Feature Information for Call Flows for Simple IP Users
  • Page 109: C H A P T E

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 110 The following figures and steps describe the call flow pertaining to DHCP Discover authentication for a 3G user:
    Figure 12: 3G DHCP Discover Call Flow (Part 1)
    Figure 13: 3G DHCP Discover Call Flow (Part 2)
  • Page 111 5 After the subscriber is authenticated, the AAA server caches its entire user profile that includes the information about IMSI, MSISDN, APN, and the Cisco AV pair having ssg-service-info set to GTP-service. The cached data also includes the client's MAC address, which is set as the calling-station-ID in the incoming EAP messages.
  • Page 112: 3G Dhcp Discover Call Flow Configuration

    The following example shows a 3G DHCP Discover call flow configuration:
    aaa new-model //authentication, authorization, and accounting configurations
    aaa group server radius AAA_SERVER1
    server-private 99.0.7.10 auth-port 1812 acct-port 1813 key cisco
    aaa authentication login default none
    aaa authentication login WEB_LOGON group AAA_SERVER1...
  • Page 113
    10 service-policy type service name OPENGARDEN_SERVICE
    20 service-policy type service name SERVICE_POSTPAID
    25 service-policy type service name SERVICE_TIMEOUT
    30 authorize aaa list ISG_PROXY_LIST password lab1 identifier mac-address
  • Page 114
    5.28.0.1
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip route 5.28.0.0 255.255.0.0 5.28.0.1
    ip route vrf Mgmt-intf 5.28.0.0 255.255.0.0 5.28.0.1
    ip route vrf Mgmt-intf 223.0.0.0 255.0.0.0 5.28.0.1
  • Page 115
    98.0.7.13 # details for the iWAG to reach the GGSN
    default-gw 192.168.0.1 prefix-len 16
    dns-server 192.168.255.253
    dhcp-lease 3000
    apn 2356
    apn-name cisco1.com # you can have multiple APNs
    ip address ggsn 98.0.7.14
    default-gw 10.254.0.1 prefix-len 16
    dns-server 10.254.255.253
    dhcp-lease 3000
  • Page 116: 4G Dhcp Discover Call Flow

    5 The LMA responds with a PBA message that includes IP address, gateway, and mask.
    6 Now the PMIP tunnel is established between the iWAG and the LMA.
    7 The iWAG offers an IP address to the client and creates a binding.
  • Page 117
    1 The client sends an EAP authentication request to the AP or WLC.
    2 The WLC sends an Access Request message to the AAA server.
    3 On receiving the Access Accept message from the AAA server, the WLC authenticates the client or mobile node.
  • Page 118: Dhcp Discover Call Flow Configuration

    198.0.100.250
    exit
    lma-service lma1
    no aaa accounting
    reg-lifetime 40000
    timestamp-replay-protection tolerance 0
    mobility-option-type-value standard
    revocation enable
    bind address 2001:DB8:0:1::1
    pgw-service pgw1
    plmn id mcc 100 mnc 200
    session-delete-delay timeout 60000
    associate lma-service lma1
  • Page 119: 4G Roaming Call Flow

    MAC address, the iWAG creates a session and sends an Access Request message to the AAA server. The iWAG downloads mobility parameters from the AAA server through an Access Accept message. The iWAG initiates PMIP signaling by sending a PBU message. The LMA responds with a PBA message.
  • Page 120 This call flow covers the following:
    • Session roaming from iWAG 1 to another iWAG 2
    • PMIP tunnel creation between LMA and iWAG 2
    • Assigning same IP address to the MN after roaming
    • Session termination
  • Page 121 1 A mobile node roams from iWAG 1 to iWAG 2. The mobile node directly sends the IP packet to iWAG 2. The iWAG 2 creates sessions and sends an access request to the AAA server.
  • Page 122: 4G Roaming Call Flow Configuration

    #----------------------------------------------
    IWAG2 (ASR 1000) Local Profile without AAA (Simple Configuration using the MN’s MAC)
    #----------------------------------------------
    ipv6 unicast-routing
    policy-map type control PROXYRULE
    class type control always event session-start
    10 proxy aaa list RP
  • Page 123: Additional References

    No new or modified MIBs are supported by this feature.
    To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
  • Page 124: Feature Information For Call Flows For 3G And 4G Mobile Ip Users

    Cisco ASR 1000 Series Aggregation Services Routers.
  • Page 125: C H A P T E

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 126: Call Flows For Dual-Stack Pmipv6 And Gtp

    The following figure and steps describe the call flow pertaining to a Dual-Stack Mobile IP over Ethernet (IPoE) session with Dynamic Host Configuration Protocol version 4 (DHCPv4) as first sign of life (FSOL) for PMIPv6.
    Figure 16: Dual-Stack Mobile IPoE Session with DHCPv4 as FSOL for PMIPv6 Call Flow
  • Page 127 Dual-Stack Mobile IPoE Session with DHCPv4 as FSOL for PMIPv6 Call Flow
    1 A mobile device is automatically associated to the service set identifier (SSID) broadcast by the access points to establish and maintain wireless connectivity.
  • Page 128
    8 The AAA server sends the RADIUS Access Accept message to the iWAG.
    9 If the received profile has "cisco-mpc-protocol-interface" attribute with value as pmipv6, then iWAG initiates PMIPv6 tunneling by sending a Proxy Binding Update (PBU) message to the local mobility anchor (LMA).
  • Page 129: Dual-Stack Mobile Ipoe Session With Ipv6 Nd As Fsol For Pmipv6 Call Flow

    The following figure and steps describe the call flow pertaining to a Dual-Stack Mobile IP over Ethernet (IPoE) session with IPv6 Neighbor Discovery (ND) as first sign of life (FSOL) for PMIPv6 Call Flow.
    Figure 17: Dual-Stack Mobile IPoE Session with IPv6 ND as FSOL for PMIPv6 Call Flow
  • Page 130 Dual-Stack Mobile IPoE Session with IPv6 ND as FSOL for PMIPv6 Call Flow
    1 A mobile device is automatically associated to the service set identifier (SSID) broadcast by the access points to establish and maintain wireless connectivity.
  • Page 131
    8 The AAA server sends the RADIUS Access Accept message to the iWAG.
    9 If the received profile has "cisco-mpc-protocol-interface" attribute with value as pmipv6, then iWAG initiates PMIPv6 tunneling by sending a Proxy Binding Update (PBU) message to the local mobility anchor (LMA).
  • Page 132: Dual-Stack Mobile Ipoe Session With Dhcpv4 As Fsol For Gtp Call Flow

    The following figure and steps describe the call flow pertaining to a Dual-Stack Mobile IP over Ethernet (IPoE) session with Dynamic Host Configuration Protocol version 4 (DHCPv4) as first sign of life (FSOL) for GTP.
    Figure 18: Dual-Stack Mobile IPoE Session with DHCPv4 as FSOL for GTP Call Flow
  • Page 133
    8 The AAA server sends the RADIUS Access Accept message to the iWAG.
    9 If the received profile has "cisco-mpc-protocol-interface" attribute with value as GTP, then iWAG initiates GTP tunneling by sending a Create PDP Context Request to the GGSN.
  • Page 134: Dual-Stack Mobile Ipoe Session With Ipv6 Nd As Fsol For Gtp Call Flow

    The following figure and steps describe the call flow pertaining to a Dual-Stack Mobile IP over Ethernet (IPoE) session with IPv6 Neighbor Discovery (ND) as first sign of life (FSOL) for GTP.
    Figure 19: Dual-Stack Mobile IPoE Session with IPv6 ND as FSOL for GTP Call Flow
  • Page 135 Dual-Stack Mobile IPoE Session with IPv6 ND as FSOL for GTP Call Flow
    1 A mobile device is automatically associated to the service set identifier (SSID) broadcast by the access points to establish and maintain wireless connectivity.
  • Page 136: Additional References

    8 The AAA server sends the RADIUS Access Accept message to the iWAG.
    9 If the received profile has "cisco-mpc-protocol-interface" attribute with value as GTP, then iWAG initiates GTP tunneling by sending a Create PDP Context Request to the GGSN.
  • Page 137: Feature Information For Call Flows For Dual-Stack Pmipv6 And Gtp

    Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 138 Call Flows for Dual-Stack PMIPv6 and GTP
  • Page 139: C H A P T E

    Internet service provider (ISP) wants to offer its subscribers. The service provider must also be able to scale up to an expanding subscriber base. You can configure iWAG on the Cisco ASR1000 Series Routers for high scalability and performance.
  • Page 140: Restrictions For Iwag Scalability

    128000 384000
    Restrictions for iWAG Scalability
    The following are the restrictions pertaining to iWAG scalability: The Intelligent Wireless Access Gateway (iWAG) feature is not supported on the following hardware.
    • RP1 with ESP10 or ESP20
    • ASR1002
    • ASR1002F
  • Page 141: Layer 4 Redirect Scaling

    CAC can restrict creation of new sessions when system resources exceed configured thresholds. For examples about configuring the CAC for IPoE feature, see the “Call Admission Control” section in the Intelligent Wireless Access Gateway Configuration Guide located at: http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/IWAG_Config_Guide_BookMap_chapter_01001.html...
  • Page 142: Additional References

    Title None — MIBs MIBs Link None To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at this URL: http://www.cisco.com/go/mibs RFCs Title None —
  • Page 143: Feature Information For Iwag Scalability And Performance

    Feature Information for IWAG Scalability and Performance table lists the features in this module and provides links to specific configuration information. Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform.
  • Page 144 Scalability and Performance Feature Information for iWAG Scalability and Performance
