Cisco Prime Network 4.3 User Guide
27-67 Cisco Prime Network 4.3.2 User Guide EDCS-1524415
Chapter 27 Managing Mobile Networks
GPRS/UMTS Networks

Columns: Command / Navigation / Input Required and Notes

Modify Iu
  Navigation: context > Mobile > HNB GW > expand the hnb gw service > right-click Iu node > Commands > Configuration
  Use this command to modify Iu interface details for the selected HNB service.

Modify Paging
  Navigation: context > Mobile > HNB GW > expand the hnb gw service > right-click Paging node > Commands > Configuration
  Use this command to modify the paging configuration for an HNB GW service.

Modify SCTP
  Navigation: context > Mobile > HNB GW > expand the hnb gw service > right-click SCTP node > Commands > Configuration
  Use this command to modify the Stream Control Transmission Protocol (SCTP) configuration.

Modify Security
  Navigation: context > Mobile > HNB GW > expand the hnb gw service > right-click Security node > Commands > Configuration
  Use this command to modify security-specific policies and configurations for the selected HNB service.

Modify UE
  Navigation: context > Mobile > HNB GW > expand the hnb gw service > right-click UE node > Commands > Configuration
  Use this command to modify the user equipment details for the selected HNB service.

Modify HNB Global
  Navigation: local > Mobile > right-click the HNB GW node > Commands > Configuration
  Use this command to modify the HNB Global configuration details.

Show HNB Global
  Navigation: context > Commands > Show
  Use this command to view the HNB Global configuration details.

Create HeNB Network
  Navigation: context > Commands > Configuration
  Use this command to create a new HeNB network.
  Note: You can configure only one HeNB network for a device.

Create Cell Configuration
  Navigation: context > Mobile > HeNB GW > right-click the HeNB service > Commands > Configuration
  Use this command to create cell configuration details.

Modify Cell Configuration
  Navigation: context > Mobile > HeNB GW > networkService > in the content pane, right-click the Cell Configuration entry > Commands > Configuration
  Use this command to modify cell configuration details.

Delete Cell Configuration
  Use this command to delete cell configuration details.

Delete HeNB Network
  Navigation: context > Mobile > HeNB GW > right-click the HeNB service > Commands > Configuration
  Use this command to delete an HeNB network.

Show HeNB Network
  Navigation: context > Mobile > HeNB GW > right-click the network service > Commands > Show
  Use this command to view HeNB network details.

Create HeNB Access
  Navigation: context > Commands > Configuration
  Use this command to create HeNB access.
  Note: You can configure only one HeNB access for a device.

Modify HeNB Access
  Navigation: context > Mobile > HeNB GW > right-click the HeNB access service > Commands > Configuration > Modify HeNB Access
  Use this command to modify HeNB access details.

Delete HeNB Access
  Navigation: context > Mobile > HeNB Access > right-click the HeNB access service > Commands > Configuration > Delete HeNB Access
  Use this command to delete HeNB access details.

Show HeNB Access
  Navigation: context > Mobile > HeNB GW > right-click the access service > Commands > Show
  Use this command to view the HeNB access details.

Modify S1U Relay Configuration
  Navigation: context > Mobile > HeNB GW > HeNB service > right-click the S1U Relay Configuration node > Commands > Configuration
  Use this command to modify the S1U Relay Configuration details.

Working with Wireless Security Gateway

The Wireless Security Gateway (WSG) is a highly scalable solution for tunneling femtocell, Unlicensed Mobile Access (UMA)/Generic Access Network (GAN), and 3G/4G macrocell voice and data traffic over fixed broadband networks back to the mobile operator’s core network.

In a femtocell deployment, WSG uses IP Security (IPsec) to secure the connection between the mobile operator’s core network and the “Home Node B” (3G femtocell access point) located at the subscriber’s home. In this environment, WSG provides security for trusted hosts (femtocell access points) when they communicate across an external untrusted broadband network such as the Internet. WSG adheres to the latest Third Generation Partnership Project (3GPP) standards for secure remote access over untrusted networks.

In addition to femtocell deployments, WSG can also secure UMA/GAN traffic where the subscriber has a UMA-capable mobile handset that communicates via a Wi-Fi access point over an untrusted network and back to the mobile operator’s data center. It can also be deployed to secure 3G/4G base stations that are connected to the mobile operator’s network through a third party’s carrier Ethernet service. WSG plays an important role in cost-effectively securing backhaul networks for mobile operators, helping to reduce backhaul costs, which represent a significant part of their operating expenses (OpEx).

To view the security gateway configuration details:

Step 1  Right-click the required device in the Vision client and choose Inventory.
Step 2  In the Logical Inventory window, choose Logical Inventory > Context > SEC GW. The Sec GW details are displayed in the content pane.
Table 27-47 describes the Sec GW service details.

Table 27-47 Sec-GW Service Details (Field / Description)

Sec GW Lookup tab
  Priority: The priority value for the source and destination subnet size combination, which can be any value between 1 and 6.
  Source Net Mask: The subnet size of the source net mask, which can be any value between 1 and 128.
  Destination Net Mask: The subnet size of the destination net mask, which can be any value between 1 and 128.

Sec GW Service tab
  Name: The name of the Wireless Security Gateway service.
  Status: The status of the WSG service, which can be Initial or Started.
  Bind: Indicates whether the WSG service is bound or not. A bound WSG service has an associated IP address and crypto template.
  Max. Sessions: The maximum number of sessions that the WSG service can support, which can be any value between 0 and 8000.
  IP Address: The IP address of the WSG service.
  UDP Port: The UDP port number of the WSG service.
  MTU: The Maximum Transmission Unit (MTU) size before encryption, which can be any value between 576 and 2048.
  Crypto Template: The name of the crypto template associated with the WSG service.
  Deployment Mode: The mode of deployment for the WSG service, which can be one of the following:
    Remote Access: Remote access VPNs connect individual hosts to private networks. Every host must have the VPN client software, so that when the host tries to send any traffic the software encapsulates and encrypts the data before sending it through the VPN gateway at the edge of the target network.
    Site to Site: Site-to-site VPNs connect networks to each other. In this mode of deployment the hosts do not have VPN client software. TCP/IP traffic is sent and received through a VPN gateway, which is responsible for encapsulating and encrypting outbound traffic and sending it to a peer VPN gateway at the target site through a VPN tunnel.
  Peer List: The peer list name for the WSG service in site-to-site mode.
  Initiator Mode Duration: The duration for which WSG tries to initiate or retry a call when the peer list is activated (default is 10 seconds).
  Responder Mode Duration: The duration for which WSG waits for the peer to initiate a call when the peer list is activated.
  Duplicate Session Detection: Enable duplicate session detection to allow only one IKE SA per remote IKE-ID. Default: allow multiple IKE SAs per remote IKE-ID.
  IP Allocation Type: The IP address allocation type (IP address from the DHCP server).
  DHCP Service Name: The DHCP service to be used when the allocation method is dhcp-proxy.
  DHCP Context Name: The context in which the DHCP service is configured.
  IP Access Group: The name of an access group.
  DHCP IPv4: The IPv4 address of the DHCP server to be sent to the peer.
  DHCP IPv6: The IPv6 address of the DHCP server to be sent to the peer.

Viewing the Connected Applications Configuration Details

Connected Applications (CA) provide the ability to host third-party applications on or adjacent to Cisco networking infrastructure, and enable programmatic access to networking services in a controlled and consistent manner. Enabling CA makes it possible to host applications on the forge blade of an ASR9K platform. The WSG will be the first application to run on the forge blade; it interacts with the ASR9K device through the CA.

To view the connected applications configuration details:

Step 1  Right-click the required device in the Vision client and choose Inventory.
Step 2  In the Logical Inventory window, choose Logical Inventory > Context > SEC GW. The Vision client displays the connected applications details in the content pane.

Table 27-48 describes the connected applications details.

Table 27-48 Connected Applications Details (Field / Description)
  Session User ID: The ID of the user who has connected to the Connected Applications session.
  Session Name: The name of the Connected Applications session. The name is configured statically through the StarOS CLI before the session is established.
  Session ID: The unique ID of the Connected Applications session. The ID is configured statically through the StarOS CLI before the session is established.
  Session IP Address: The IP address of the Connected Applications session. This address is configured statically through the StarOS CLI before the session is established.
  Session Activation: Indicates whether the Connected Applications session is active.
    Note: Two different connected applications clients must be able to connect to the same CA server, so that one is considered active and the other standby.
  RRI Mode: The Recursive Route Injection mode applicable to the Connected Applications session, which can be RAS, S2S, Both, or None.
  CA Certificate Name: The CA certificate name in the Connected Applications session.
  HA Chassis Mode: The chassis mode applicable to the Connected Applications session, which can be Inter, Intra, or Standalone.
  HA Network Mode: The network mode for the Connected Applications session, which can be L2, L3, or NA.
  SRP Status: The Service Redundancy Protocol status of the Connected Applications session, which can be one of the following: UP, DOWN, ON, OFF, INIT, FAIL, REMOVED, ADMIN DOWN.
  SRP State: The state of the Connected Applications session, which can be one of the following: UP, DOWN, ON, OFF, INIT, FAIL, REMOVED, ADMIN DOWN.

The following nodes in Prime Network are also configured for WSG:

Crypto Template: A crypto template is a master file that is used to configure an IKEv2 IPsec policy. It includes most of the IPsec parameters and the IKEv2 dynamic parameters for cryptographic and authentication algorithms. A security gateway service will not function without a configured crypto template, and you can configure only one crypto template for a service.

Crypto Map: Crypto maps define the tunnel policies that determine how IPsec is implemented for subscriber data packets. A crypto map selects the data flows that need security processing and then defines the policy for these flows and the crypto peer that the traffic needs to go to. It is ultimately applied to an interface.

IKE SA: Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. The security associations define which protocols and algorithms should be applied to sensitive packets, and also specify the keying material to be used by the two peers. If IKE is used to establish the security associations, the security associations have lifetimes set so that they periodically expire and require renegotiation, which provides an additional level of security.

Child IPSec SA: A Child-SA is created by IKE for use in Authentication Header (AH) or Encapsulating Security Payload (ESP) security. Two Child-SAs are created as a result of one exchange: inbound and outbound. A Child-SA is identified by a single four-byte SPI, protocol, and gateway IP address, and is carried in each AH/ESP packet.

Transform Sets: Transform sets define the negotiable algorithms for IKE SAs (Security Associations) and Child SAs to enable calls to connect to the ePDG. For more information, see Viewing the Transform Set Details, page 27-139.

CA-Certificates: A Certificate or Certification Authority (CA) is an entity that issues digital certificates, which certify the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the certified public key. In this model of trust relationships, the CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate.

Viewing the Crypto Template Configuration Details

To view the crypto template configuration details:

Step 1  Right-click the required device in the Vision client and choose Inventory.
Step 2  In the Logical Inventory window, choose Logical Inventory > Context > Security Association > Crypto Template and double-click a template name to check the NATT attributes. To check the remaining attributes, choose Context > Security Association > Crypto Template, double-click a crypto template, open the Payload tab, and double-click an entry. The Vision client displays the details of the crypto template in the content pane.

Table 27-49 NATT Attributes (Field / Description)
  NATT Include Header: Specifies that NAT-T includes the header.
  NATT: Indicates that NAT-T initiation is enabled for all security associations derived from the crypto map.
  NATT Send Keepalive Interval: The interval, in seconds, at which the security gateway sends NAT-T keepalives.
  NATT Send Keepalive Idle Interval: The waiting period, in seconds, before the security gateway starts sending NAT keepalives.
  IKEv2 MTU Size IPv4: The MTU size of the IKEv2 payload for an IPv4 tunnel.
  IKEv2 MTU Size IPv6: The MTU size of the IKEv2 payload for an IPv6 tunnel.
  CERT Enc Type URL Allowed: Indicates whether a certificate encoding type other than the default type is enabled.
  Custom FQDN Allowed: Shows whether a custom FQDN is enabled or disabled for a SecGW service.
  DNS Handling: Indicates the DNS handling behavior for the crypto template.

Table 27-50 describes the crypto template configuration details.

Table 27-50 Crypto Template Properties in Logical Inventory (Field / Description)
  Type: Indicates the version of the Internet Key Exchange protocol that is configured, which can be IKE v1 or IKE v2.
  Status: The completion status of the template, which indicates whether the template is configured with the properties required to establish a secure tunnel between the local and remote peers. The status can be:
    Incomplete: The template must be configured further before it can be applied or associated to a security gateway service.
    Complete: All properties and attributes are configured.
  Access Control List: The status of the blacklist/whitelist of subscribers attached to the crypto template, which can be enabled or disabled.
    Note: A blacklist or whitelist is a list based on which the ISP allows traffic or denies service to a particular subscriber. Rules are configured on each list, and the list is then applied to the traffic.
  Remote Secret List: The remote secret list applicable to the crypto template.
    Note: The remote secret list contains a list of secret IP addresses. When an authorization request is received, the peer ID is checked against this list.
  OCSP Status: Indicates whether the Online Certificate Status Protocol (OCSP) applicable to the crypto template is enabled or disabled.
    Note: OCSP is an Internet protocol used to obtain the revocation status of an X.509 digital certificate.
  OCSP Nonce Status: Indicates whether the OCSP nonce applicable to the crypto template is enabled or disabled.
    Note: An OCSP request may contain a nonce extension to improve security against replay attacks.
  Self Certificate Validation: Indicates whether self certificate validation for the crypto template is enabled or disabled.
    Note: Self certificate validation refers to a certificate that is signed by the entity whose identity it certifies.
  Dead Peer Detection: Indicates whether Dead Peer Detection for the crypto template is enabled or disabled.
    Note: The Dead Peer Detection method detects a dead Internet Key Exchange peer and reclaims the lost resource. It uses IPsec traffic patterns to minimize the number of messages required to confirm the availability of a peer, and is also used to perform IKE peer failover.
  Payload Identifier: The name of the payload, which can be one of the following:
    Phase-1: Contains IPv4 Address and Key ID as the payload values.
    Phase-2 SA: Contains IPv4 Address and Subnet as the payload values.
  IKE Mode: The Internet Key Exchange (IKE) mode for the crypto template, which can be one of the following:
    Main Mode: In this mode, the initiator sends a proposal to the responder. In the first exchange, the initiator proposes the encryption and authentication algorithms to be used and the responder chooses the appropriate proposal. In the second exchange, the Diffie-Hellman public keys and other data are exchanged. In the final exchange, the ISAKMP session is authenticated. Once the IKE SA is established, IPsec negotiation begins.
    Aggressive Mode: In this mode, the initiator sends three packets that contain the IKE SA negotiation along with the data required by the security association. The responder chooses the proposal, key material, and ID, and authenticates the session in the next packet. The initiator replies by authenticating the session. Compared to Main Mode, negotiation is much quicker in this mode.
  Perfect Forward Secrecy: The Perfect Forward Secrecy (PFS) value for the crypto template.
    Note: To ensure that derived session keys are not compromised and to prevent a third party from discovering a key value, IPsec uses PFS to create a new key value based on values supplied by both parties in the exchange.
  Number of IPSec Transforms: The number of IPsec transforms applicable to the crypto template.
    Note: An IPsec transform specifies a single IPsec security protocol (either AH or ESP) with its corresponding security algorithms and mode. For example, the AH protocol with the HMAC-MD5 authentication algorithm in tunnel mode is used for authentication.
  Local Gateway Address: The IP address of the responder, which represents the local end of the security associations.
  Remote Gateway Address: The IP address of the initiator, which represents the remote end of the security associations.

Payload Attributes
  IPv4 PCSCF Payload Value: Defines the IPv4 PCSCF payload value.
  IPv6 PCSCF Payload Value: Defines the IPv6 PCSCF payload value.
  IMEI Payload Value: Defines the IMEI payload value.
  IPv4 Fragment Type: The fragment type used when the user payload is IPv4 and the DF bit is not set.
  Maximum Child SA: The maximum number of IPsec child security associations that can be derived from a single IKEv2 IKE security association.
  Ignore Rekeying Requests: Indicates whether rekeying requests for the IPsec SA are ignored.
  Lifetime: The lifetime, in seconds, of IPsec child security associations derived from the crypto template.
  Lifetime (KB): The lifetime, in kilobytes, of IPsec child security associations derived from the crypto template.
  TSI Start Address: The starting address for the IKEv2 initiator traffic selector payload.
  TSI End Address: The ending address for the IKEv2 initiator traffic selector payload.
  TSR Start/End Address: The starting or ending address for the IKEv2 responder traffic selector payload.

Viewing the Crypto Map Configuration Details

To view the crypto map configuration details:

Step 1  Right-click the required device in the Vision client and choose Inventory.
Step 2  In the Logical Inventory window, choose Logical Inventory > Context > Security Association > Crypto Map > Crypto Maps. The Vision client displays the map details in the content pane.

Table 27-51 describes the crypto map configuration details.

Table 27-51 Crypto Map Properties in Logical Inventory (Field / Description)
  Name: The unique name of the crypto map.
  Status: The current status of the crypto map, which can be Complete or Incomplete.
  Type: The type of the crypto map, which can be one of the following: IPSEC IKEv2 over IPv4; IPSEC IKEv2 over IPv6.
  OCSP Status: Indicates whether the OCSP request status is enabled for the crypto map.
  Local Authentication: The local authentication method used by the crypto map, which can be Certificate, Pre-shared-key, or EAP_Profile.
  Remote Authentication: The remote authentication method used by the crypto map, which can be Certificate, Pre-shared-key, or EAP_Profile.
  OCSP Nonce Status: Indicates whether the OCSP nonce status is enabled for the crypto map.
  Don’t Fragment: The Don’t Fragment control value that is available in the IPsec outer header.
  Remote Gateway: The IP address of the remote gateway that is configured in the peer parameters.
  Access Control List: The status of the blacklist/whitelist of subscribers attached to the crypto template, which can be enabled or disabled.
    Note: A blacklist or whitelist is a list based on which the ISP allows traffic or denies service to a particular subscriber. Rules are configured on each list, and the list is then applied to the traffic.

Crypto Map Payload tab
  Name: The name of the crypto map payload.

IKESA Transform Sets tab
  Id: The unique ID of the crypto map IKESA transform set.
  Encryption: The encryption algorithm and encryption key length for the IKEv2 IKE security association. This field defaults to AESCBC-128.
  PRF: The pseudo-random function (PRF) associated with the crypto map.
    Note: The PRF is used to generate keying material for all cryptographic algorithms used in the IKE SA and the child SAs. It produces a string that an attacker cannot distinguish from random bits without the secret key.
  HMAC: The Hash Message Authentication Code applicable to the crypto map. The HMAC is used to verify both data integrity and the authenticity of the message at the same time.
  DH Group: The Diffie-Hellman group associated with the crypto map. The group determines the length of the base prime number used during the key exchange in IKEv2. The cryptographic strength of any derived key depends partly on the DH group on which the prime number is based.

Step 3  In the Crypto Map Payload tab, right-click a payload name and select Properties. The Crypto Map Payload Properties window is displayed.

Table 27-52 describes the crypto map configuration details.
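As an added example (not part of the Cisco guide or of Prime Network), the following Python script audits the crypto template, crypto map, IKESA transform set and WSG service fields described in Tables 27-47, 27-50 and 27-51, reading them from dicts keyed by the field names the Vision client shows; the sample values are constructed, and the DH-group minimum and lifetime ceiling are this example's own assumptions.

```python
# Added example, not Cisco's code: audit the fields the Vision client shows for a
# crypto template (Table 27-50), its crypto map and IKESA transform set (Table 27-51)
# and the owning WSG service (Table 27-47). Values marked ASSUMPTION are thresholds
# chosen for this example, not Cisco defaults.

# Modulus size in bits of the MODP Diffie-Hellman groups (RFC 2409 and RFC 3526).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MIN_DH_BITS = 2048        # ASSUMPTION: smaller MODP groups are reported
MAX_LIFETIME_SEC = 86400  # ASSUMPTION: child SA lifetimes above one day are reported


def _enabled(value) -> bool:
    """The Vision client shows these flags as 'enabled'/'disabled' style strings."""
    return str(value).strip().lower() in ("enabled", "true", "yes", "on")


def audit_crypto_template(fields: dict) -> list:
    """Return findings for one template plus its crypto map and IKESA transform set."""
    findings = []
    if fields.get("Status") != "Complete":
        findings.append("template Incomplete: it cannot be associated with a SecGW service")
    if fields.get("Type") == "IKE v1" and fields.get("IKE Mode") == "Aggressive Mode":
        findings.append("IKEv1 aggressive mode: faster, but identities are exchanged "
                        "before the channel is protected; prefer main mode")
    if not _enabled(fields.get("Dead Peer Detection")):
        findings.append("dead peer detection disabled: resources of dead IKE peers are never reclaimed")
    if not _enabled(fields.get("Perfect Forward Secrecy")):
        findings.append("PFS disabled: one compromised IKE SA key exposes every derived child SA key")
    if fields.get("Remote Authentication") == "Certificate":
        if not _enabled(fields.get("OCSP Status")):
            findings.append("certificate authentication without OCSP: revoked peer certificates are accepted")
        elif not _enabled(fields.get("OCSP Nonce Status")):
            findings.append("OCSP without nonce: a replayed OCSP response would be accepted")
    lifetime = int(fields.get("Lifetime") or 0)
    if lifetime <= 0 or lifetime > MAX_LIFETIME_SEC:
        findings.append(f"child SA lifetime {lifetime}s is unset or above {MAX_LIFETIME_SEC}s")
    group = int(fields.get("DH Group") or 0)
    bits = DH_GROUP_BITS.get(group, 0)  # unknown or missing group is treated as 0 bits
    if bits < MIN_DH_BITS:
        findings.append(f"DH group {group} gives {bits}-bit MODP (minimum {MIN_DH_BITS})")
    return findings


def audit_secgw_service(svc: dict) -> list:
    """Return findings for one WSG service row (Table 27-47, Sec GW Service tab)."""
    findings = []
    if not _enabled(svc.get("Bind")):
        findings.append("service not bound: no IP address and crypto template attached")
    if not _enabled(svc.get("Duplicate Session Detection")):
        findings.append("duplicate session detection off: one remote IKE-ID may hold many IKE SAs")
    mtu = int(svc.get("MTU") or 0)
    if not 576 <= mtu <= 2048:
        findings.append(f"MTU {mtu} is outside the 576-2048 range the service accepts")
    return findings


# Constructed sample values, not taken from any real device.
SAMPLE_TEMPLATE = {
    "Status": "Complete", "Type": "IKE v2", "IKE Mode": "Main Mode",
    "Dead Peer Detection": "enabled", "Perfect Forward Secrecy": "disabled",
    "Remote Authentication": "Certificate", "OCSP Status": "enabled",
    "OCSP Nonce Status": "disabled", "Lifetime": "3600", "DH Group": "2",
}
SAMPLE_SERVICE = {"Bind": "Yes", "Duplicate Session Detection": "Disabled", "MTU": "1400"}

if __name__ == "__main__":
    for finding in audit_crypto_template(SAMPLE_TEMPLATE) + audit_secgw_service(SAMPLE_SERVICE):
        print("FINDING:", finding)
```

The constructed sample reports three template findings (PFS off, OCSP without nonce, 1024-bit DH group 2) and one service finding (duplicate session detection off).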