Cisco Prime Network 4.3 User Guide
Cisco Prime Network 4.3.2 User Guide, EDCS-1524415
Chapter 27 Managing Mobile Networks
LTE Networks

Proxy Mobile IP—Proxy Mobile IP supports Mobile IP for wireless nodes without requiring specialized software on those devices. The wireless access point acts as a proxy on behalf of wireless clients that are not aware that they have roamed onto a different Layer 3 network. The access point handles the IRDP communications to the foreign agent and handles registrations to the home agent.

Registration Revocation—Registration Revocation is a method by which a mobility agent (one that provides Mobile IP services to a mobile node) can notify the other mobility agent of the termination of a registration due to administrative reasons or MIP handoff. When a mobile changes its point of attachment (FA), or needs to terminate the session administratively, the HA sends a registration revocation message to the old FA. The old FA tears down the session and sends a registration revocation acknowledgement message to the HA. Additionally, if the PDSN/FA needs to terminate the session administratively, the FA sends a registration revocation message to the HA. The HA deletes the binding for the mobile and sends a registration revocation acknowledgement to the FA.

Viewing the Advertisement Configuration Details

To view the Advertisement configuration details for a foreign agent:

Step 1 Right-click the required device in the Vision client and choose Inventory.

Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Mobile > FA > FA service > Advertisement.

The details are displayed in the content pane. Table 27-81 displays the Advertisement configuration details.

Table 27-81 Advertisement Configuration Details

Advertisement Delay: The time delay (in milliseconds) before the first advertisement for a WiMax call. This time can be any value between 10 and 5000, and defaults to 1000.
Advertisement Interval: The advertisement interval (in milliseconds). This time can be any value between 100 and 1800000, and defaults to 5000 milliseconds.
Advertisement Life Time: The maximum registration lifetime (in seconds) of the advertisement. This time can be any value between 1 and 65535, and defaults to 600 seconds.
Number of Advertisements Sent: The number of initial agent advertisements sent. This number can be any value between 1 and 65535, and defaults to 5.
Prefix Length Extension: Indicates whether the service address of the FA must be included in the Router Address field of the agent advertisement. If this field is set to Yes, a prefix-length extension is appended to the router address field. By default, this option is set to No.

Viewing the Authentication Configuration Details

To view the Authentication configuration details for a foreign agent:

Step 1 Right-click the required device in the Vision client and choose Inventory.

Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Mobile > FA > FA service > Authentication.

The details are displayed in the content pane. Table 27-82 displays the Authentication configuration details.

Table 27-82 Authentication Configuration Details

MN AAA Authentication Policy: The MN AAA authentication policy, which can be any one of the following: Ignore-after-handoff, Init-reg, Init-reg-except-handoff, Always, Renew-reg-noauth, Renew-and-dereg-noauth. This field defaults to Always.
MN HA Authentication Policy: The policy used to authenticate the Mobile Node HA in the RRP, which can be any one of the following: Always, Allow-noauth. This field defaults to Allow-noauth.
AAA Distributed MIP Keys Override: Indicates whether the AAA Distributed MIP Keys Override option is enabled. If this feature is enabled, the authentication parameters for the FA service override the dynamic keys from AAA with static keys. Note: This feature supports MIP registrations with an HA that does not support dynamic keys.
MN AAA Optimized Retries: Indicates whether the authentication request must be sent to the AAA for each re-registration.

Viewing the GRE Configuration Details

To view the Generic Routing Encapsulation (GRE) configuration details for a foreign agent:

Step 1 Right-click the required device in the Vision client and choose Inventory.

Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Mobile > FA > FA service > GRE.

The details are displayed in the content pane. Table 27-83 displays the GRE configuration details.

Table 27-83 GRE Configuration Details

Checksum: Indicates whether the Checksum feature is enabled in outgoing GRE packets. By default, this option is disabled.
GRE Encapsulation: Indicates whether GRE is used when establishing a Mobile IP session. If this option is enabled, the FA requests the HA to use GRE when establishing a MIP session. If this option is disabled, the FA does not set the GRE bit in agent advertisements to the mobile node.
Checksum Verify: Indicates whether the checksum field must be verified in incoming GRE packets. By default, this option is disabled.
Reorder Timeout: The maximum time (in milliseconds) to wait before processing GRE packets that are out of sequence. This time can be any value between 0 and 5000, and defaults to 100 milliseconds.
Sequence Mode: The mode used to handle incoming out-of-sequence packets, which can be any one of the following: Reorder, None. This field defaults to None.
Sequence Numbers: Indicates whether GRE sequence numbers must be inserted into the data that is about to be transmitted over the A10 interface. This option is disabled by default.

Viewing the HA Configuration Details

To view the HA configuration details for a foreign agent:

Step 1 Right-click the required device in the Vision client and choose Inventory.

Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Mobile > FA > FA service > HA.

The details are displayed in the content pane. Table 27-84 displays the HA configuration details.

Table 27-84 HA Configuration Details

HA Monitoring: The HA monitoring status of the FA. This option is disabled by default.
AAA-HA Override: Indicates whether the AAA HA can override the Mobile Node during call establishment for HA assignment.
Dynamic HA Failover: Indicates whether failover during call establishment for Home Agent assignment is allowed.
HA Monitor Interval: The time interval (in seconds) at which HA monitoring requests are sent. This time can be any value between 1 and 36000, and defaults to 30 seconds.
HA Monitor Maximum Inactivity Time: The maximum amount of time (in seconds) with no MIP traffic between the FA and HA before the HA monitoring feature is triggered. This time can be any value between 30 and 600, and defaults to 60 seconds.
HA Monitor Retry Count: The number of times HA monitoring requests are sent before the HA is declared unreachable. This count can be any value between 0 and 10, and defaults to 5.
FA SPI List Name: The name of the SPI list linked with the FA service and configured for the selected context. Clicking this link takes you to the relevant list under the SPI node.

IKE
Peer HA Address: The IP address of the peer home agent.
Crypto Map Name: The IKE crypto map for the peer home agent.

SPI
SPI Number: The unique SPI number that identifies a security context between the services. This number can be any value between 256 and 4294967295.
Remote Address: The IP address of the source service, expressed either in IPv4 dotted decimal notation or IPv6 colon-separated notation.
Hash Algorithm: The hash algorithm used between the source and destination services.
Time Stamp Tolerance: The acceptable time difference (in seconds) between timestamps, which can be any value between 0 and 65535. Note: If the actual timestamp difference exceeds this value, the session is rejected. If this value is 0, timestamp tolerance checking is disabled at the receiving end.
Replay Protection: The replay protection scheme implemented by the service.
Description: The description of the SPI.
Net Mask: The net mask for the IP address of the SPI. This field defaults to 255.255.255.255.
HA Monitor: Indicates whether HA monitoring is enabled.
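The SPI fields above (SPI number, remote address and net mask, hash algorithm, and a timestamp tolerance where 0 means disabled) can be read as an admission check on an incoming registration request. The following Python is an added illustration of that check, not Prime Network or device code; the registration payload layout, the key bytes and the hashlib algorithm names are constructed assumptions.

```python
"""Added illustration of how the SPI fields in Table 27-84 gate an incoming
Mobile IP registration: SPI lookup, source matched against remote address and
net mask, HMAC check with the configured hash algorithm, and the timestamp
tolerance rule (reject when the difference exceeds it; 0 disables the check).
Not Prime Network or device code; payload layout and keys are constructed."""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class SpiEntry:
    spi: int                     # SPI Number, 256..4294967295
    remote_address: str          # Remote Address of the source service (IPv4 or IPv6)
    key: bytes                   # shared secret for this SPI (constructed)
    timestamp_tolerance: int     # Time Stamp Tolerance in seconds, 0..65535; 0 = disabled
    net_mask: str = "255.255.255.255"   # Net Mask, table default (exact host match)
    hash_algorithm: str = "sha1"        # Hash Algorithm as a hashlib name (assumed)

    def __post_init__(self) -> None:
        if not 256 <= self.spi <= 4294967295:
            raise ValueError("SPI number out of range")
        if not 0 <= self.timestamp_tolerance <= 65535:
            raise ValueError("timestamp tolerance out of range")

    def covers_source(self, addr: str) -> bool:
        """True when addr falls inside remote_address masked by net_mask.
        net_mask may be dotted (IPv4) or a prefix length (either family)."""
        net = ipaddress.ip_network(f"{self.remote_address}/{self.net_mask}", strict=False)
        return ipaddress.ip_address(addr) in net


def registration_payload(home_addr: str, spi: int, timestamp: int) -> bytes:
    """Constructed stand-in for the authenticated part of a registration request."""
    return f"{home_addr}|{spi}|{timestamp}".encode()


def sign_registration(entry: SpiEntry, payload: bytes) -> bytes:
    """Authenticator the sending service attaches under this SPI."""
    return hmac.new(entry.key, payload, entry.hash_algorithm).digest()


def verify_registration(spi_list: Dict[int, SpiEntry], src_addr: str, spi: int,
                        timestamp: int, now: int, payload: bytes,
                        authenticator: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request received from src_addr at time now."""
    entry = spi_list.get(spi)
    if entry is None:
        return False, "unknown SPI"
    if not entry.covers_source(src_addr):
        return False, "source not covered by remote address/net mask"
    if not hmac.compare_digest(sign_registration(entry, payload), authenticator):
        return False, "authenticator mismatch"
    # Tolerance 0 disables the check; otherwise reject stale or future-dated requests.
    if entry.timestamp_tolerance and abs(now - timestamp) > entry.timestamp_tolerance:
        return False, "timestamp difference exceeds tolerance"
    return True, "accepted"
```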
Viewing the Proxy Mobile IP Configuration Details

To view the Proxy Mobile IP configuration details for a foreign agent:

Step 1 Right-click the required device in the Vision client and choose Inventory.

Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Mobile > FA > FA service > Proxy Mobile IP.

The details are displayed in the content pane. Table 27-85 displays the Proxy Mobile IP configuration details.

Table 27-85 Proxy Mobile IP Configuration Details

Proxy MIP: Indicates the status of Proxy Mobile IP.
Encapsulation Type: The data encapsulation type used in a PMIP call for specific FA services, which can be any one of the following: IPIP, GRE. This field defaults to IPIP.
HA Failover: The failover status of the FA. This option is disabled by default.
HA Failover Max Attempts: The maximum number of HA failover attempts. This can be any value between 1 and 10, and defaults to 4.
HA Failover Timeout: The timeout (in seconds) for HA failover. This time can be any value between 1 and 50, and defaults to 2.
HA Failover Attempts Before Switching: The number of times HA failover is attempted before switching over to an alternate HA. This can be any value between 1 and 5, and defaults to 2.
HA Failover Reply Code Trigger: The action to be taken on receipt of the configured reject code.
Max Retransmissions: The maximum number of times the FA is allowed to retransmit Proxy Mobile IP registration requests to the HA. This number can be any value between 1 and 4294967295, and defaults to 5.
Retransmission Timeout: The retransmission timeout (in seconds) for Proxy Mobile IP messages in the event of failover. This time can be any value between 1 and 100, and defaults to 3.
Renew Time: The percentage of the lifetime at which the renewal is sent. This percentage can be between 0 and 100, and defaults to 75.

Viewing the Registration Revocation Configuration Details

To view the Registration Revocation configuration details for a foreign agent:

Step 1 Right-click the required device in the Vision client and choose Inventory.

Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Mobile > FA > FA service > Registration Revocation.

The details are displayed in the content pane. Table 27-86 displays the Registration Revocation configuration details.

Table 27-86 Registration Revocation Configuration Details

Registration Revocation State: Indicates the status of registration revocation. If this feature is enabled, the FA can send a revocation message to the HA when revocation is negotiated with the HA and the MIP binding is terminated. This feature is disabled by default.
Revocation IBit: The status of the I bit on the registration revocation. If this feature is enabled, the FA can negotiate the I bit via PRQ/RRP messages and process I bit revocation messages. This feature is disabled by default.
Internal Failure: Indicates whether a revocation message must be sent to the HA for sessions that are affected by an internal task failure.
Revocation Maximum Retries: The maximum number of times a revocation message is retransmitted before failure. This value can be any value between 0 and 10, and defaults to 3.
Revocation Timeout: The time (in seconds) to wait for an acknowledgement from the HA before the revocation message is retransmitted. This time can be any value between 1 and 10, and defaults to 3.

Configuration Commands for Foreign Agent

To enable Mobile IP services on your network, you must determine which home agents will facilitate the tunneling for the selected IP addresses, and where these devices or routers will be allowed to roam. The areas, or subnets, into which the hosts are allowed to roam determine where foreign agent services need to be set up.

Use the following commands to manage foreign agents. These commands can be launched from the logical inventory by choosing Context > Commands > Configuration or Context > Commands > Show. Your permissions determine whether you can run these commands (see Permissions Required to Perform Tasks Using the Prime Network Clients, page B-1). To find out if a device supports these commands, see the Cisco Prime Network 4.3.2 Supported Cisco VNEs.

Table 27-87 Foreign Agent Configuration Commands

Create FA
Navigation: Right-click the context > Commands > Configuration > Mobility
Description: Use this command to create a new foreign agent service for the selected context.

Modify FA, Delete FA
Navigation: Expand FA node > Right-click FA service > Commands > Configuration
Description: Use these commands to modify or delete an existing foreign agent service configured for the selected context.

Show FA
Navigation: Expand FA node > Right-click FA service > Commands > Show
Description: Use this command to view and confirm the foreign agent configuration details.

Create SPI
Navigation: Expand FA node > Right-click FA service > Commands > Configuration
Description: Use this command to configure a Security Parameter Index (SPI) for a foreign agent service.

Modify SPI, Delete SPI
Navigation: Expand FA node > Expand FA service node > HA Configuration > Right-click the SPI Number in the content pane > Commands > Configuration
Description: Use these commands to modify and delete an existing SPI configured for a foreign agent service.

Create IKE
Navigation: Expand FA node > Right-click FA service > Commands > Configuration
Description: Use this command to configure Internet Key Exchange (IKE) for a foreign agent service. If foreign agent reverse tunneling creates a tunnel that traverses a firewall, any mobile node that knows the addresses of the tunnel endpoints can insert packets into the tunnel from anywhere in the network. It is recommended to configure Internet Key Exchange (IKE) or IP Security (IPSec) to prevent this.

Modify IKE, Delete IKE
Navigation: Expand FA node > Expand FA service node > HA Configuration > Right-click the IKE Number in the content pane > Commands > Configuration
Description: Use these commands to modify and delete an existing IKE configured for a foreign agent service.

Modify Advertisement
Navigation: Expand FA node > FA service > Right-click Advertisement > Commands > Configuration
Description: Use this command to modify the advertisement configuration settings specified for a foreign agent.

Modify Authentication
Navigation: Expand FA node > FA service > Right-click Authentication > Commands > Configuration
Description: Use this command to modify the authentication configuration settings specified for a foreign agent.

Modify GRE
Navigation: Expand FA node > FA service > Right-click GRE > Commands > Configuration
Description: Use this command to modify the Generic Routing Encapsulation (GRE) configuration settings specified for a foreign agent.

Modify HA Configuration
Navigation: Expand FA node > FA service > Right-click HA Configuration > Commands > Configuration
Description: Use this command to modify the Home Agent configuration settings specified for a foreign agent.

Modify Proxy Mobile IP
Navigation: Expand FA node > FA service > Right-click Proxy Mobile IP > Commands > Configuration
Description: Use this command to modify the Proxy Mobile IP configuration settings specified for a foreign agent.

Modify Registration Revocation
Navigation: Expand FA node > FA service > Right-click Registration Revocation > Commands > Configuration
Description: Use this command to modify the Registration Revocation configuration settings specified for a foreign agent.

Monitoring Evolved Packet Data Gateway (ePDG)

In today's market, there are multiple access networks for mobile technologies. For example, the following access networks are available for a 3rd Generation Partnership Project (3GPP) network:

General Packet Radio Service (GPRS). See GPRS/UMTS Networks, page 27-1.
Global System for Mobile communication (GSM)
Universal Mobile Telecommunication System (UMTS). See GPRS/UMTS Networks, page 27-1.

The following access networks are available for a non-3GPP network:

Worldwide Interoperability for Microwave Access (WiMAX)
CDMA2000
Wireless local area network (WLAN)
Fixed networks

Non-3GPP networks can be categorized into two types: trusted and untrusted. While trusted non-3GPP networks can interact directly with the Evolved Packet Core (EPC), untrusted networks are required to pass through a security gateway to gain access to the EPC. This security gateway is called the Evolved Packet Data Gateway (ePDG). When a user transmits data to the EPC over untrusted non-3GPP network access, the ePDG must act as the termination node of the IPSec tunnels established with the user equipment and secure the data being sent.

Figure 27-14 shows the ePDG architecture.

Figure 27-14 ePDG Architecture
[Figure: E-UTRAN (eNodeB), MME, HSS, AAA, S-GW, P-GW, PCRF, OFCS, ePDG, trusted and untrusted non-3GPP IP access, and the operator's IP services, connected by the S1-U, S1-MME, S5, S6a, S11, S2a, S2b, SWx, SWm, SWu, Gx, Gxc and SGi signaling and bearer interfaces.]

IP Security (IPSec)

Internet Protocol Security (IPSec) is a protocol suite whose protocols interact with one another to provide secure private communications across IP networks. These protocols allow the system to establish and maintain secure tunnels with peer security gateways. In accordance with the following standards, IPSec provides a mechanism for establishing secure channels from mobile subscribers to pre-defined end points (such as enterprise or home networks):

RFC 2401, Security Architecture for the Internet Protocol
RFC 2402, IP Authentication Header (AH)
RFC 2406, IP Encapsulating Security Payload (ESP)
RFC 2409, The Internet Key Exchange (IKE)
RFC 3193, Securing L2TP using IPSEC, November 2001

IPSec can be implemented for the following applications:

PDN Access: Subscriber IP traffic is routed over an IPSec tunnel from the system to a secure gateway on the packet data network (PDN), as determined by access control list (ACL) criteria.
Mobile IP: Mobile IP control signals and subscriber data are encapsulated in IPSec tunnels that are established between foreign agents (FAs) and home agents (HAs) over the Pi interfaces.

IKEv2 and IPSec Encryption

ePDG supports Internet Key Exchange Version 2 (IKEv2) and IP Security Encapsulating Security Payload (IPSec ESP) encryption over IPv4 transport. IKEv2 and IPSec encryption take care of network domain security for all IP packet-switched networks. They use cryptographic techniques to ensure confidentiality, integrity, authentication, and anti-replay protection.

ePDG Security

In Prime Network, the following security services are available for ePDG:

Crypto template—Used to define the IKEv2 and IPSec policies. In other words, it includes IKEv2 and IPSec parameters for keepalive, lifetime, NAT-T, and cryptographic and authentication algorithms.
EAP Profile—Defines the EAP authentication method and associated parameters.
Transform Set—Defines the negotiable algorithms for IKE SAs (Security Associations) and Child SAs to enable calls to connect to the ePDG.

Viewing the Crypto Template Service Details

To view the Crypto template details:

Step 1 Right-click the required device in the Vision client and choose Inventory.

Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Security Association > Crypto Template. The list of crypto templates is displayed in the content pane.

Step 3 In the Crypto Template node, choose the crypto template. The template details are displayed in the content pane. Figure 27-15 displays the crypto template details.

Figure 27-15 Crypto Template Details

Table 27-88 displays the Crypto template details.

Table 27-88 Crypto Template Details

Template Name: The unique name of the template.
Control Don't Fragment: The Don't Fragment (DF) bit in the IPSec tunnel data packet, which is encapsulated in the IPSec headers at both ends. The values for this field are: clear-bit—Clear DF bit; copy-bit—Copy DF bit from inner header; set-bit—Set DF bit. This field defaults to copy-bit.
Cookie Challenge-Detect DOS Attack: The cookie challenge parameters for the crypto template, which are used to prevent malicious Denial of Service (DOS) attacks against the server. Note: This feature prevents DOS attacks by sending a challenge cookie. If the response from the sender does not incorporate the expected cookie data, the packets are dropped.
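The cookie challenge described for the Cookie Challenge-Detect DOS Attack field is the IKEv2 mechanism from RFC 7296 section 2.6: an overloaded responder answers IKE_SA_INIT with a stateless cookie and only allocates a half-open SA once the initiator repeats the request carrying that cookie. The Python below is an added model of that exchange, not ePDG or Prime Network code; the load threshold, secret rotation and message fields are constructed assumptions.

```python
"""Added model of the IKEv2 cookie challenge behind the Cookie Challenge-Detect
DOS Attack field in Table 27-88, after RFC 7296 section 2.6:
Cookie = <VersionID> | Hash(Ni | IPi | SPIi | <secret>). An overloaded
responder answers IKE_SA_INIT with a COOKIE notify and keeps no state; only a
retry that carries the expected cookie gets a half-open SA. Not ePDG or Prime
Network code; message fields, threshold and secret handling are constructed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class IkeSaInit:
    initiator_spi: bytes            # SPIi, 8 bytes chosen by the initiator
    nonce_i: bytes                  # Ni
    src_ip: str                     # IPi as seen by the responder
    cookie: Optional[bytes] = None  # COOKIE notify echoed back on a retry


class CookieChallengeResponder:
    def __init__(self, challenge_threshold: int = 2) -> None:
        self.secret = secrets.token_bytes(32)
        self.version = 0            # VersionID prefix, bumped on every secret rotation
        self.threshold = challenge_threshold
        # Half-open SAs are the memory a flood of spoofed IKE_SA_INITs would exhaust.
        self.half_open: Dict[bytes, IkeSaInit] = {}

    def cookie_for(self, msg: IkeSaInit) -> bytes:
        """Stateless cookie bound to the sender's nonce, address and SPI."""
        mac = hmac.new(self.secret, msg.nonce_i + msg.src_ip.encode() + msg.initiator_spi,
                       "sha256").digest()[:16]
        return bytes([self.version]) + mac

    def rotate_secret(self) -> None:
        """Periodic rotation bounds how long a captured cookie stays valid."""
        self.secret = secrets.token_bytes(32)
        self.version = (self.version + 1) % 256

    def handle(self, msg: IkeSaInit) -> Tuple[str, bytes]:
        """Process one IKE_SA_INIT request.
        Returns ("COOKIE", cookie) when challenging without keeping state,
        ("SA_INIT_RESPONSE", spi) when a half-open SA is created, or
        ("DROP", reason) when the presented cookie is not the expected one."""
        under_load = len(self.half_open) >= self.threshold
        if msg.cookie is None:
            if under_load:
                return "COOKIE", self.cookie_for(msg)
        elif not hmac.compare_digest(msg.cookie, self.cookie_for(msg)):
            # Wrong source address, wrong nonce/SPI or a rotated secret: drop the packet.
            return "DROP", b"bad or stale cookie"
        self.half_open[msg.initiator_spi] = msg
        return "SA_INIT_RESPONSE", msg.initiator_spi
```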