Cisco Prime Network 4.3.2 User Guide, EDCS-1524415
Chapter 27 Managing Mobile Networks: GPRS/UMTS Networks

Viewing the IKE SA Configuration Details

To view the IKE SA configuration details:

Step 1 Right-click the required device in the Vision client and choose Inventory.

Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Security Association > IKE IPSec SA. The Vision client displays a list of IKE Security Associations in the content pane.

Step 3 Right-click an IKE SA and choose Properties. The IKE IPSec Security Association – Properties window is displayed.

Table 27-53 describes the IKE SA configuration details.

Table 27-52 Crypto Map Payload Properties

Field: Description

IPSecSA Transform Sets tab

ID: The unique ID that identifies the crypto map IPSecSA transform set.
Protocol: The transport protocol used at the inbound site, which can be ESP or AH.
Encryption: The encryption algorithm and encryption key length for the IKEv2 IKE security association. This field defaults to AESCBC-128.
HMAC: The Hash Message Authentication Code applicable for the crypto map.
DH Group: The Diffie-Hellman group that is associated to the crypto map.

Table 27-53 IKE SA Configuration Details

Field: Description

Remote IP Address: The IP address of the remote gateway.
Local IP Address: The IP address of the local gateway.
Remote WSG Port: Port number of the remote gateway.
Local WSG Port: Port number of the local gateway.
Crypto Map Name: The name of the crypto map facilitating the security association.
Authentication Status: The status of the IKE Security Association. This is defined based on the authentication of phase 1 and phase 2 of the SA establishment and can be any one of the following:
  Authentication Completed – Authentication is successful for both phase 1 and phase 2.
  Authentication Initialization – Authentication is successful for phase 1, but the request from the IKE peer for phase 2 is still awaited.
Redundancy Status: The redundancy status of the IKE security association, which can be any one of the following:
  Original tunnel – Session recovery is successful.
  Recovered tunnel – Session recovery is configured and the IPSec manager instance on which the tunnel is created is killed.
Role: The role of the entity that is establishing the security association, which can be any one of the following:
  Initiator – The entity that initiated the security association.
  Responder – The entity that is responding to the security association.
IPSec Manager: The IPSec manager of the IKE Security Association, which is created and associated to a tunnel.
Send Rekey Requests: Indicates whether sending rekey requests to the peer host is enabled.
  Note: Rekey refers to the process of changing the encryption key of the ongoing communication, which helps to limit the amount of data encrypted using the same key.
Process Rekey Requests: Indicates whether rekey requests must be processed.
Soft Lifetime: The soft lifetime of the IKE security association. When this lifetime expires, a warning message is given to implement the setup for the SA. Setting up involves refreshing the encryption or authentication keys.
  Note: The security gateway initiates the rekey request after the soft lifetime expires. This lifetime is calculated as 90 percent of the hard lifetime.
Hard Lifetime: The hard lifetime of the IKE security association. The current SA is deleted on expiration of the hard lifetime. The policies accessing the SA will exist, but they are not associated to an SA.
Dead Peer Detection: Indicates whether the dead peer detection feature is enabled for the security association.
  Note: This feature is used to detect a dead IKE peer. It also reclaims lost resources if the peer is found dead.
Initiator Cookie: The cookie of the entity that initiated the SA establishment, notification, or deletion.
Responder Cookie: The cookie of the entity that is responding to the establishment, notification, or deletion request.

Algorithms tab

DH Group: The Diffie-Hellman group for the IKE SA.
HMAC: The Hash Message Authentication Code applicable for the IKE SA.
Encryption: The encryption algorithm for the IKE security association, which is used to encrypt the data. Information is made into meaningless cipher text, and you need a key to transform this text back into the original form.
PRF: The PRF associated to the IKE SA.

Child-SA Parameters tab (Table 27-53 continues below)
Viewing the Child IPSec SA Configuration Details

To view the Child IPSec SA configuration details:

Step 1 Right-click the required device in the Vision client and choose Inventory.

Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Security Association > Child IPSec SAs. The Vision client displays a list of IPSec Security Associations in the content pane.

Step 3 Right-click an IPSec SA and choose Properties. The Child IPSec Security Association Properties window is displayed.

Table 27-54 describes the Child IPSec SA configuration details.

Table 27-53 IKE SA Configuration Details (continued)

Field: Description

Child-SA Parameters tab

Current Child-SA Instantiations: The number of instantiations for the child security association.
Total Child-SA Instantiations: The total number of times the child security association is instantiated.
Lifetime: The number of times the child security association is deleted due to lifetime expiration.
Terminations (Other): The number of times the child security association is deleted due to reasons other than lifetime expiration.

NAT tab

Sent: Indicates whether the Network Address Translator (NAT) payload can be sent from a peer to the NAT gateway.
Received: Indicates whether the NAT payload can be received by the NAT gateway from the peer.
Behind Local: Indicates whether NAT is available for the local entity.
Behind Remote: Indicates whether NAT is available for the remote entity.
Encapsulation in Use: Indicates whether encapsulation of the payload is enabled for the IKE SA.
IKEv2 Fragmentation: Indicates whether IKE SA fragmentation and reassembly are supported.

Child SAs tab

Id: The unique code of the child security association that is associated to the IKE SA.
SPI: The Security Parameter Index (SPI) that is added to the header while using IP Security for tunneling the traffic. This tag helps the kernel to distinguish between two traffic streams that use different encryption rules and algorithms.
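As an added illustration that is not part of the guide, the following Python script audits IKE SA records that mirror the Table 27-53 fields: it checks the authentication and redundancy status, the rekey flags, dead peer detection, and that the soft lifetime is 90 percent of the hard lifetime. The records, their values, and the assumption that lifetimes are in seconds are all constructed for the example.

```python
"""Added example: audit IKE SA records using the Table 27-53 fields.
Records are constructed, not Prime Network output; lifetimes assumed in seconds.
"""

# Constructed sample records (field names follow Table 27-53).
IKE_SAS = [
    {
        "Remote IP Address": "203.0.113.10",
        "Local IP Address": "198.51.100.1",
        "Authentication Status": "Authentication Completed",
        "Redundancy Status": "Original tunnel",
        "Send Rekey Requests": True,
        "Process Rekey Requests": True,
        "Soft Lifetime": 77760,
        "Hard Lifetime": 86400,
        "Dead Peer Detection": True,
    },
    {
        "Remote IP Address": "203.0.113.11",
        "Local IP Address": "198.51.100.1",
        "Authentication Status": "Authentication Initialization",
        "Redundancy Status": "Recovered tunnel",
        "Send Rekey Requests": True,
        "Process Rekey Requests": False,
        "Soft Lifetime": 86400,
        "Hard Lifetime": 86400,
        "Dead Peer Detection": False,
    },
]


def expected_soft_lifetime(hard_lifetime):
    """Soft lifetime is 90 percent of the hard lifetime (integer seconds)."""
    return hard_lifetime * 9 // 10


def audit_ike_sa(sa):
    """Return the conditions an operator should review for one IKE SA."""
    findings = []
    if sa["Authentication Status"] != "Authentication Completed":
        # Phase 1 succeeded but phase 2 is pending: the tunnel is not usable yet.
        findings.append("phase 2 authentication not completed")
    if sa["Redundancy Status"] == "Recovered tunnel":
        # The IPSec manager instance that created the tunnel was killed;
        # correlate with the failure event on the gateway.
        findings.append("tunnel was recovered after an IPSec manager failure")
    if not (sa["Send Rekey Requests"] and sa["Process Rekey Requests"]):
        # Without rekeying, one key protects all traffic until hard expiry.
        findings.append("rekey requests not both sent and processed")
    if sa["Soft Lifetime"] != expected_soft_lifetime(sa["Hard Lifetime"]):
        findings.append("soft lifetime is not 90 percent of hard lifetime")
    if not sa["Dead Peer Detection"]:
        findings.append("dead peer detection disabled")
    return findings


def audit_all(sas):
    """Map each SA's remote address to its findings (empty list = clean)."""
    return {sa["Remote IP Address"]: audit_ike_sa(sa) for sa in sas}


if __name__ == "__main__":
    for peer, findings in audit_all(IKE_SAS).items():
        print(peer, findings or ["ok"])
```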
Table 27-54 Child IPSec SA Configuration Details

Field: Description

IP Address: The IP address of the local wireless security gateway (WSG) service that is facilitating the security association.
Remote Peer Address: The IP address of the remote WSG service that is facilitating the security association.
Outbound SPI: The Security Parameter Index (SPI) of the outbound security association.
Inbound SPI: The SPI of the inbound security association.
SA Status: The status of the security association, which can be any one of the following:
  Established
  Not Established
  No SAs
Redundancy Status: The redundancy status of the security association, which can be any one of the following:
  Original Tunnel – No failure has occurred.
  Recovered Session – A failure has occurred and a recovery session has been created.
Crypto Map Name: The name of the crypto map facilitating the security association. This name is derived from the crypto template that is applied to the transform set parameters.
Crypto Map Type: The type of crypto map facilitating the security association, which can be any one of the following: Manual Tunnel, MIP Tunnel, L2TP Tunnel, Subscriber Tunnel, IKEv2 Simulator Tunnel, Dynamic Tunnel, IKEv1 Tunnel, IKEv2 Tunnel, IKEv2 IPv4 Tunnel, IKEv2 IPv6 Tunnel, IKEv2 Simulator Tunnel, IKEv2 Subscriber, IKEv2 IPv4, IKEv2 IPv6, CSCF Subscriber, IMS CSCF Template, IKEv2 Template, IKEv2 Simulator Template.
Allocated Address: The IP address allocated to the Network Access Identifiers (NAI) of the users.
ESN: Whether Extended Sequence Number (ESN) is enabled for IPSec (ESP/AH).
Network Address Identifier: The Network Address Identifier (NAI) applicable to the security association, which is used to identify the user as well as to assist in routing the authentication request.
IPSec Manager Instances: The number of IPSec managers facilitating the security association.
Rekeying: Indicates whether rekeying is applicable for the security association.
Rekey Count: The total number of times the tunnel has been rekeyed.
DH Group: The Diffie-Hellman group to which the security association belongs.

Inbound/Outbound tab

SPI: The SPI of the inbound/outbound security association.
Protocol: The transport protocol used at the inbound/outbound side, which can be any one of the following:
  ESP – Encapsulating Security Payload
  AH – Authentication Header
  PCP – Payload Compression Payload
HMAC Algorithm: The keyed HMAC used for the inbound/outbound security association, which can be sha1-96 or md5-96.
Encryption Algorithm: The encryption algorithm used for the inbound/outbound security association, which can be Null, des, 3des, aes-cbc-128, or aes-cbc-256.
Hard Lifetime: The hard lifetime of the security association, on the expiration of which the currently used security association is deleted.
Soft Lifetime: The soft lifetime of the security association, on the expiration of which the WSG initiates a rekey.
Anti Replay: Indicates whether the anti-replay feature is enabled for the security association.
  Note: Anti-replay is a sub-protocol of IPSec that prevents attackers from injecting or altering packets that travel from a source to a destination.
Anti Replay Window Size: The window size (in bits) of the anti-replay feature, which can be 32, 64, 128, 256, 384, or 512.

Traffic Selectors tab

Id: The unique ID assigned to the traffic selector.
  Note: A packet arriving at an IPSec subsystem must be protected through IPSec tunneling. This is accomplished through the traffic selector, which allows two endpoints to share their information from the SDPs.
Role: The role of the IKE security association, which can be Initiator or Responder.
Protocol ID: The protocol ID for the security association.
Port Range: The range of ports applicable for the security association.
IP Range: The range of IP addresses applicable for the security association.

Viewing the CA Certificate Configuration Details

To view the CA certificate configuration details:

Step 1 Right-click the required device in the Vision client and choose Inventory.
Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Security Association > CA Certificates. The Vision client displays a list of CA Certificates in the content pane.

Step 3 Right-click the CA Certificate and choose Properties. The CA Certificate Properties window is displayed.

Table 27-55 describes the CA certificate configuration details.

Table 27-55 CA Certificate Configuration Details

Field: Description

Name: The name of the CA certificate.
Status: The status of the CA certificate, which can be Valid or Invalid.
  Note: A certificate can become invalid if there is an error during the download process, or if the file gets corrupted locally or remotely.
Version: The version of the CA certificate. This version indicates the functionality supported in each version.
Serial Number: The serial number of the CA certificate, which is used to uniquely identify it.
Signature Algorithm: The algorithm used to sign the certificate, issued with any public key algorithm supported by the CA. For example, an ECC signing certificate can sign both ECC and RSA certificates as long as both algorithms are supported by the CA.
Issuer: The details of the CA certificate issuer, such as the country, state, location, and organization.
Public Key Algorithm: The public key algorithm that is used for the digital signature supported by the CA.
Subject: The details of the owner of the CA certificate, such as the country, state, location, and organization.
Validity Start Time: The date and time from when the CA certificate is valid.
Validity End Time: The date and time up to which the CA certificate is valid.

Configuring Wireless Security Gateway

The following commands can be launched from the inventory by right-clicking AAA group and then choosing Commands > Configuration. Your permissions determine whether you can run these commands (see Permissions for Vision Client NE-Related Operations, page B-4). To find out if a device supports these commands, see the Cisco Prime Network 4.3.2 Supported Cisco VNEs.

Command / Navigation / Input Required and Notes

Create Sec GW
  Navigation: Right-click a context > Commands > Configuration
  Use this command to create a new security gateway.
Modify Sec GW
  Navigation: context > Sec GW > right-click a Sec GW service > Commands > Configuration
  Use this command to modify a security gateway service.
Delete Sec GW
  Use this command to delete a security gateway service.
Show Sec GW
  Navigation: context > Sec GW > right-click a Sec GW service > Commands > Show
  Use this command to view details of the selected security gateway service.
Create Sec GW Lookup
  Navigation: Right-click the device > Commands > Configuration
  Use this command to create a new security gateway lookup.
Modify Sec GW Lookup
  Navigation: context > SEC GW > In the Sec GW Lookup tab in the content pane, right-click the Priority field > Commands > Configuration
  Use this command to modify security gateway lookup details.
Delete Sec GW Lookup
  Use this command to delete a security gateway lookup.
Show SEC GW Lookup
  Navigation: Right-click the device > Commands > Show > Show SEC GW Lookup, or context > SEC GW > In the Sec GW Lookup tab in the content pane, right-click the Priority field > Commands > Show
  Use this command to view security gateway lookup details.
Create Crypto Template
  Navigation: Right-click the context > Commands > Configuration
  Use this command to create a new crypto template.
Modify Crypto Template
  Navigation: context > IP Security > Crypto Template > right-click a crypto template > Commands > Configuration
  Use this command to modify details of the selected crypto template.
Delete Crypto Template
  Use this command to delete a crypto template.
Show Crypto Template
  Navigation: context > IP Security > Crypto Template > right-click a crypto template > Commands > Show
  Use this command to view crypto template details.
Add Payload
  Navigation: context > IP Security > Crypto Template > right-click a crypto template > Commands > Configuration
  Use this command to add a payload.
Modify Payload
  Navigation: context > IP Security > Crypto Template > select a crypto template > In the Crypto Template Payloads tab in the content pane, right-click a Payload instance > Commands > Configuration
  Use this command to modify payload details.
Delete Payload
  Use this command to delete a payload.
Modify Crypto Template IKESA
  Navigation: context > IP Security > Crypto Template > right-click a crypto template > Commands > Configuration
  Use this command to modify details of the selected Crypto Template IKESA.
Create CA Certificate
  Navigation: Right-click the device > Commands > Configuration
  Use this command to create a new CA certificate.
Delete CA Certificate
  Navigation: context > IP Security > CA Certificate > right-click a certificate > Commands > Configuration
  Use this command to delete the selected CA certificate.
Show CA Certificate
  Navigation: context > IP Security > CA Certificate > right-click a certificate > Commands > Show
  Use this command to view the CA certificate details.
Show IKE SAs
  Navigation: context > IP Security > right-click IKE IPsec SA > Commands > Show
  Use this command to view details of the selected IKE SA.
Create IKEv2 Transform Set
  Navigation: Right-click the context > Commands > Configuration
  Use this command to create a new IKEv2 transform set.
Modify IKEv2 Transform Set
  Navigation: context > IP Security > Transform Set > IKEv2 > right-click a transform set > Commands > Configuration
  Use this command to modify the IKEv2 transform set details.
Delete IKEv2 Transform Set
  Use this command to delete the selected IKEv2 transform set.
Show IKEv2 Transform Set
  Navigation: context > IP Security > Transform Set > IKEv2 > right-click a transform set > Commands > Show
  Use this command to view the IKEv2 transform set.
Create IKEv2 IPSec Transform Set
  Navigation: Right-click the context > Commands > Configuration
  Use this command to create a new IKEv2 IPSec transform set.
Modify IKEv2 IPSec Transform Set
  Navigation: context > IP Security > Transform Set > IKEv2 IPSec > right-click a transform set > Commands > Configuration
  Use this command to modify the details of the selected IKEv2 IPSec transform set.
Delete IKEv2 IPSec Transform Set
  Use this command to delete the selected IKEv2 IPSec transform set.
Show IKEv2 IPSec Transform Set
  Navigation: context > IP Security > Transform Set > IKEv2 IPSec > right-click a transform set > Commands > Show
  Use this command to view details of the selected IKEv2 IPSec transform set.
Modify Connected Apps
  Navigation: Right-click the device > Commands > Configuration
  Use this command to modify the connected application details.
Show Connected Apps
  Navigation: Right-click the device > Commands > Show > Show Connected Apps
  Use this command to view the connected application details.
Create Crypto Map
  Navigation: Right-click the context > Commands > Configuration
  Use this command to create a new crypto map.
Modify Crypto Map
  Navigation: context > IP Security > Crypto Map > right-click a crypto map > Commands > Configuration
  Use this command to modify the crypto map details.
Delete Crypto Map
  Use this command to delete the selected crypto map.
Show Crypto Map
  Navigation: context > IP Security > Crypto Map > right-click a crypto map > Commands > Show
  Use this command to view details of the selected crypto map.
Create Crypto Map Payload
  Navigation: context > IP Security > Crypto Map > right-click a crypto map > Commands > Configuration
  Use this command to create a new crypto map payload.
Modify Crypto Map Payload
  Navigation: context > IP Security > Crypto Map > select a crypto map > In the Crypto Map Payload tab in the content pane, right-click the Name > Commands > Configuration
  Use this command to modify details of the selected crypto map payload.
Delete Crypto Map Payload
  Use this command to delete the crypto map payload.
Show IPSec SAs
  Navigation: context > IP Security > right-click IKE IPsec SA > Commands > Show
  Use this command to view details of the selected IPSec SA.

LTE Networks

These topics describe how to use Prime Network to monitor LTE networks and technologies:
  Overview of LTE Networks, page 27-85
  Working with LTE Network Technologies, page 27-86

Overview of LTE Networks

Long Term Evolution (LTE) is the latest step in moving forward from the cellular 3G services, such as GSM to UMTS to HSPA to LTE, or CDMA to LTE. LTE is based on standards developed by the Third Generation Partnership Project (3GPP). LTE may also be referred to more formally as Evolved UMTS Terrestrial Radio Access Network (E-UTRAN).

The main objectives of an LTE network are:
  Increased downlink and uplink peak data rates
  Scalable bandwidth
  Improved spectral efficiency
  All-IP network

Figure 27-5 provides the topology of a basic LTE network.

Figure 27-5 Basic LTE Network Topology

Working with LTE Network Technologies

The E-UTRAN uses a simplified single-node architecture consisting of eNodeBs (E-UTRAN Node B). The eNB communicates with the Evolved Packet Core (EPC) using the S1 interface, specifically with the Mobility Management Entity (MME) and Serving Gateway (S-GW) using the S1-U interface. The PDN Gateway (P-GW) provides connectivity to the external packet data networks.

The following sections provide more details on these services and their support in Prime Network:
  Monitoring System Architecture Evolution Networks (SAE-GW), page 27-87
  Working with PDN-Gateways (P-GW), page 27-88
  Working with Serving Gateway (S-GW), page 27-92
  Viewing QoS Class Index to QoS (QCI-QoS) Mapping, page 27-95
  Viewing Layer 2 Tunnel Access Concentrator Configurations (LAC), page 27-96
  Monitoring the HRPD Serving Gateway (HSGW), page 27-101
  Monitoring Home Agent (HA), page 27-115
  Monitoring the Foreign Agent (FA), page 27-122
  Monitoring Evolved Packet Data Gateway (ePDG), page 27-133
  Monitoring Packet Data Serving Node (PDSN), page 27-146