Cisco ASR 5000 Series Administration Manual
Femto network gateway
Cisco ASR 5000 Series Femto Network
Gateway Administration Guide
Version 12.0
Last updated April 30, 2011
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-24872-01

Summary of Contents for Cisco ASR 5000 Series

  • Page 2 ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks.
  • Page 3: Table Of Contents

    How the FNG Works .......... 27
    IPSec Tunnel Establishment .......... 27
    IPSec Tunnel Establishment with EAP-AKA Authentication .......... 28
    X.509 Certificate-based Peer Authentication .......... 30
    Supported Standards .......... 33
  • Page 4

    Clearing Statistics and Counters .......... 62
    Sample Femto Network Gateway Configuration File .......... 63
    Sample FNG Configuration .......... 64
    Femto Network Gateway Engineering Rules .......... 69
    IKEv2/IPSec Restrictions .......... 70
  • Page 5: About This Guide

    This document pertains to the features and functionality that run on and/or that are related to the Cisco® ASR 5000 Chassis, formerly the Starent Networks ST40.
  • Page 6: Conventions Used

    Required keywords and variables are surrounded by grouped brackets ({ }). Required keywords and variables are those components that must be entered as part of the command syntax.
  • Page 7 Pipe filters can be used in conjunction with required or optional keywords or variables. For example: { nonce | timestamp } [ count number_of_packets | size number_of_bytes ]
  • Page 8: Contacting Customer Support

    Use the information in this section to contact customer support. For New Customers: Refer to the support area of http://www.cisco.com for up-to-date product documentation or to submit a service request. A valid username and password are required to access this site. Please contact your local sales or service representative for additional information.
  • Page 9: Femto Network Gateway Overview

    Product Description • Summary of FNG Features and Functions • Product Specifications • Network Deployment(s) and Interfaces • Features and Functionality • How the FNG Works • Supported Standards
  • Page 10: Product Description

    The Cisco® ASR 5000 Chassis provides 3GPP mobile operators with a flexible solution that functions as a Femto Network Gateway (FNG) in CDMA2000 wireless voice and data networks. The FNG consists of new software for the ASR 5000.
  • Page 11: Summary Of Fng Features And Functions

    • IKEv2 keep-alive messages (dead peer detection) • DSCP marking • Custom DNS handling • Session recovery support • Congestion control • Bulk statistics • Threshold crossing alerts (TCAs)
  • Page 12: Product Specifications

    • Ethernet 10/100 and/or Ethernet 1000 Line Cards: Installed directly behind PSCs/PSC2s, these cards provide the physical interfaces to elements in the operator’s network. Up to 26 line cards can be installed for a fully...
  • Page 13: Operating System Requirements

    CDMA2000 wireless voice and data services is located in the “Hardware Platform Overview” chapter of the Product Overview Guide. Operating System Requirements: The FNG is available for the ASR 5000 running StarOS Release 10.0 or later.
  • Page 14: Network Deployment(S) And Interfaces

    The Femtocell Access Point (FAP) is a SIP-based CDMA2000 wireless access point that provides coverage in a small area, usually a private residence or small office, and connects the subscriber UEs to an operator’s core network via a...
  • Page 15: Femtocell Management System

    The S-CSCF routes mobile-terminating traffic to the P-CSCF and routes mobile-originating traffic to the convergence server based on iFC (initial Filter Criteria) downloaded from the HSS.
  • Page 16: Pdsn/Ha

    Network Interfaces: The following table provides descriptions of the network interfaces supported by the FNG in a CDMA2000 network. Table 1. Network Interfaces in a CDMA2000 Network.
  • Page 17 Interface with the IMS Core: The FNG sends all SIP signaling and bearer traffic from the FAPs to the IMS core to access voice services. Interface with the PDSN/HA: The FNG sends all signaling and bearer traffic from the FAPs to the PDSN/HA to access packet data services.
  • Page 18: Features And Functionality

    IKEv2/IPSec policy. It includes most of the IKEv2 and IPSec parameters for keep-alive, lifetime, NAT-T, and cryptographic and authentication algorithms. There must be one crypto template per FNG service.
  • Page 19: Ikev2 And Ip Security (Ipsec) Encryption

    AAA server sends a RADIUS Access-Accept message, the FNG proceeds with device authentication. Otherwise, the FNG terminates the IPSec tunnel setup by sending an IKEv2 Notification message indicating authentication failure.
  • Page 20: A12 Aggregation

    If a subsequent request is directed to that server and the server properly responds to the request, the system makes the server active again. Important: For more information on RADIUS AAA configuration, refer to the AAA Interface Administration and Reference.
  • Page 21: Aaa Server Group Selection

    Child SA are processed by the FNG and not dropped. FNG-initiated Child SA rekeying is disabled by default, and rekey requests are ignored. You can enable this feature in the Crypto Configuration Payload Mode of the system’s CLI.
  • Page 22: Multiple Child Sas

    The FNG supports IKEv2 keep-alive messages, also known as Dead Peer Detection (DPD), originating from both the FAPs and the FNG. You configure DPD per FNG service. You can also disable DPD, and the FNG will not initiate...
  • Page 23: Dscp Marking

    The PSC/PSC2 used to host the VPN manager process is in active mode and is reserved by the operating system for this sole use when session recovery is enabled. Important: For more information about session recovery support, refer to the System Administration Guide.
  • Page 24: Congestion Control

    The individual statistics are grouped by schema. The following is a partial list of supported schemas: • System: Provides system-level statistics. • Card: Provides card-level statistics. • Port: Provides port-level statistics. • FNG: Provides FNG service statistics.
  • Page 25: Threshold Crossing Alerts

    Generation of specific traps can be enabled or disabled on the chassis, ensuring that only important faults get displayed. SNMP traps are supported in both Alert and Alarm modes.
  • Page 26 Alarm Management menu in the Web Element Manager. Important: For more information on threshold crossing alert configuration, refer to the Thresholding Configuration Guide.
  • Page 27: How The Fng Works

    (HDR, SK {IDr(FQDNofFNG), CERT(FNG), AUTH}) 9. Verify FNG cert and AUTH signature; verify that the discovered GW ID (FQDN) matches the identity in the server cert. IKE_SA and first CHILD_SA established.
  • Page 28: Ipsec Tunnel Establishment With Eap-Aka Authentication

    The figure below shows the message flow during IPSec tunnel establishment with EAP-AKA authentication. The table that follows the figure describes each step in the message flow.
  • Page 29 FNG. The FNG responds with an IKE_SA_INIT Response by choosing a cryptographic suite from the initiator’s offered choices, completing the Diffie-Hellman and nonce exchanges with the FAP.
  • Page 30: X.509 Certificate-Based Peer Authentication

    The figure below shows the message flow during X.509 certificate-based peer authentication. The table that follows the figure describes each step in the message flow.
  • Page 31 FNG is configured with a list of root CA certificates corresponding to the trusted device certificate CAs. The FAP is also configured with a list of root CA certificates corresponding to the server certificates that the FAP will accept from the FNG.
  • Page 32 An IPSec SA is established between the FAP and the FNG. If more IPSec SAs are needed, either the FAP or the FNG can initiate the creation of additional Child SAs using a CREATE_CHILD_SA exchange.
  • Page 33: Supported Standards

    • RFC 3948 (January 2005): “UDP Encapsulation of IPsec ESP Packets”. • RFC 4187 (January 2006): “Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)”. • RFC 4306 (December 2005): “Internet Key Exchange (IKEv2) Protocol”.
  • Page 34 • RFC 4764 (January 2007): “The EAP-PSK Protocol: A Pre-Shared Key Extensible Authentication Protocol (EAP) Method”. • RFC 4894 (May 2007): “Use of Hash Algorithms in Internet Key Exchange (IKE)”.
  • Page 35: Femto Network Gateway Configuration

    In this chapter, only the minimum set of parameters is provided to make the system operational. The following sections are included in this chapter: • Configuring the System to Perform as a Femto Network Gateway • Configuring Optional Features
  • Page 36: Configuring The System To Perform As A Femto Network Gateway

    24/1 identifies connector number 1 on the card in slot 24. A single physical port can facilitate multiple interfaces. Gateway IP address: Used when configuring static IP routes from the management interface(s) to a specific network.
  • Page 37: Required Fng Context Configuration Information

    Identifies the IP address of the RADIUS AAA server. EAP profile name (required for the EAP authentication method): When the EAP method is used for FAP authentication, the name of the EAP profile to be used.
  • Page 38: Required Fng Service Configuration Information

    Egress context name: An identification string from 1 to 79 characters (alpha and/or numeric) by which the egress context is recognized by the system. IP pool: A logical name for the IPv4 address pool, which must be from 1 to 31 alpha and/or numeric characters.
  • Page 39: Femto Network Gateway Configuration

    Log system activity by applying the configuration example in the section Logging Configuration. Step 6: Save the configuration by following the steps in the Verifying and Saving Your Configuration chapter in this guide.
  • Page 40: Initial Configuration

    <name> encrypted password <password> ftp aaa group default exit gtpp group default exit ip route 0.0.0.0 0.0.0.0 <gateway_ip_addr> <mgmt_interface_name> exit port ethernet <slot_number/port_number> no shutdown...
  • Page 41: Fng Context Configuration

    FNG, and to bind the interface to an Ethernet port: configure context <fng_context_name> interface <fng_interface_name> ip address <ip_address> <subnet_mask> exit interface <fng_loopback_interface_name> loopback ip address <ip_address> <subnet_mask>...
  • Page 42: Creating The Aaa Group

    <aaa_custom-dictionary> radius accounting interim interval <integer> radius server <ip_address> encrypted key <key> port <port_num> radius accounting server <ip_address> encrypted key <key> port <port_num> exit exit
  • Page 43: Creating The Eap Profile

    Use the following configuration example to create the required number of IKEv2 transform sets: configure context <fng_context_name> ikev2-ikesa transform-set <ikev2_ikesa_tset1> encryption aes-cbc-128 group 2 hmac sha1-96 prf sha1 exit
  • Page 44: Creating Ipsec Transform Sets

    <fng_context_name> crypto template <crypto_template_name> ikev2-subscriber certificate <name> natt authentication eap profile <eap_profile_name> ikev2-ikesa transform-set list <ikev2_ikesa_tset1> payload <payload_name_1> match childsa ip-address-allocation dynamic ipsec transform-set list <ipsec_tset1> exit
  • Page 45: Creating The Fng Service

    • Specify that the FNG service uses the selected AAA group for FAP authentication. • Bind the FNG service to the IP address of the FNG loopback interface. • Bind a crypto template to the FNG service. configure context <fng_context_name>...
  • Page 46: Egress Context Configuration

    <name> <ip_address subnet_mask> public <priority> exit port ethernet <slot_number/port_number> no shutdown bind interface <egress_interface_name> <egress_context_name> Logging Configuration: Use the following configuration example to enable logging:
  • Page 47: Verifying And Saving The Configuration

    To verify and save changes made to the FNG configuration, follow the steps in the Verifying and Saving Your Configuration chapter in this guide.
  • Page 48: Configuring Optional Features

    <ip_address> encrypted key <key> port <port_num> exit configure context <fng_context_name> fng-service <fng_service_name> aaa aggregation a12-group context-name <fng_context_name> aaa group <group_name> aaa aggregation interface type a12...
  • Page 49: Multiple Child Sas And Dscp Marking Configuration

    <name> class-map name <name> qos encaps-header dscp-marking <0x2e> child_sa_id <2> exit policy-group name <policygroup_out> policy <name> precedence <number> exit subscriber default policy-group <policygroup_out> direction <out> exit
  • Page 50: Fap Id-Based Duplicate Session Detection Configuration

    Clearing the old session and establishing the new session in parallel optimizes FNG processing functions. Use the following configuration example to configure FAP ID-based duplicate session detection: configure context <fng_context_name> fng-service <fng_service_name> duplicate-session-detection fapid-based...
  • Page 51: Verifying And Saving Your Configuration

    Chapter 3 Verifying and Saving Your Configuration: This chapter describes how to save your system configuration.
  • Page 52: Verifying The Configuration

    0 long duration action: Detection ip header compression: vj data compression: stac mppc deflate compression mode: normal min compression size: 128 ip output access-group: ip input access-group: ppp authentication: allow noauthentication: Enabled imsi...
  • Page 53: Service Configuration

    Important: To configure features on the system, use the show commands specifically for these features. Refer to the Cisco Systems ASR 5000 Command Line Interface Reference for more information. Service Configuration Verify that your service was created and configured properly by entering the following command: show <service_type>...
  • Page 54: Context Configuration

    This command displays the entire configuration including the context and service configurations defined above. Finding Configuration Errors: Identify errors in your configuration file by entering the following command: show configuration errors
  • Page 55 If the configuration contains no errors, an output similar to the following is displayed: ################################################################################ Displaying Global AAA-configuration errors ################################################################################ Total 0 error(s) in this section !
  • Page 56: Saving The Configuration

    Files saved locally can be stored in the SMC’s CompactFlash or on an installed PCMCIA memory card on the SMC. Files that are saved to a remote network node can be transmitted through FTP or TFTP.
  • Page 57: Saving The Configuration On The Chassis

    Optional: Indicates that no confirmation is to be given prior to saving the configuration information to the specified filename (if one was specified) or to the currently active configuration file (if none was specified).
  • Page 58 To save a configuration file called init_config.cfg to the root directory of a TFTP server with a hostname of config_server, enter the following command: save configuration tftp://config_server/init_config.cfg
  • Page 59: Monitoring The Fng Service

    The selection of keywords described in this chapter is intended to provide the most useful and in-depth information for monitoring the system. For additional information on these and other show command keywords, refer to the Command Line Interface Reference.
  • Page 60: Monitoring System Status And Performance

    View Congestion Control Information. To view congestion control statistics for FNG: show congestion-control statistics ipsecmgr. View Subscriber Information. To display session resource status: show resources session. Display Subscriber Configuration Information...
  • Page 61 View Session Recovery Information. To view session recovery status: show session recovery status [ verbose ]. View Session Disconnect Reasons. To view session disconnect reasons: show session disconnect-reasons.
  • Page 62: Clearing Statistics And Counters

    Statistics and counters can be cleared using the CLI clear command. Refer to the Command Line Interface Reference for detailed information on using this command.
  • Page 63: Sample Femto Network Gateway Configuration File

    This appendix contains a sample Femto Network Gateway (FNG) configuration file. The following configuration is supported. Sample FNG Configuration: In the following configuration example, commented lines are labeled with the number symbol (#) and variables are identified using italics within brackets (<variable>).
  • Page 64: Sample Fng Configuration

    <name> encrypted password <password> ftp aaa group default exit gtpp group default exit ip route 0.0.0.0 0.0.0.0 <gateway_ip_addr> <mgmt_interface_name> exit port ethernet <slot_number/port_number> no shutdown bind interface <mgmt_interface_name> local exit
  • Page 65 <ip_address> radius strip-domain authentication-only radius dictionary <aaa_custom-dictionary> radius accounting interim interval <integer> radius server <ip_address> encrypted key <key> port <port_num>...
  • Page 66 <ikev2_ikesa_tset1> encryption aes-cbc-128 group 2 hmac sha1-96 prf sha1 exit # Create the IPSec transform sets context <fng_context_name> ipsec transform-set <ipsec_tset1> encryption aes-cbc-128 group 2 hmac sha1-96...
  • Page 67 # Create the FNG service configure context <fng_context_name> fng-service <fng_service_name> aaa authentication context-name <fng_context_name> aaa group default bind address <ip_address> crypto-template <crypto_template_name> # Create the Egress context...
  • Page 68 <critical/error> logging filter active facility ipsec level <critical/error> logging filter active facility ikev2 level <critical/error> logging filter active facility fng level <critical/error> logging active...
  • Page 69: Femto Network Gateway Engineering Rules

    ASR 5000 for your network deployment. General and network-specific rules are located in the appendix of the System Administration and Configuration Guide for the specific network type. The following rules are covered in this appendix: IKEv2/IPSec Restrictions
  • Page 70: Ikev2/Ipsec Restrictions

    • No more than 16 transform types may be present in a single IKE_SA_INIT or IKE_AUTH Request message. If a proposal deviates from this format, the FNG returns an INVALID_SYNTAX error.