GGSN Basics
Need for GPRS / classes of handsets
Protocol links for GPRS
GGSN interfaces
Transmission plane
Mobility management; PDP context
MS, IPv4 network, host; brief IP, UDP and TCP structure
Router configuration modes
MS GPRS/IMSI attach procedure
Basic GGSN configuration
DNS (Domain Name System): DNS query/response log; GPRS DNS query
Configuring Access Point Name; APN parameters
GGSN IP address allocation; RADIUS features; APN network selection flow chart
PDP context activation procedure: NSAPI, TLLI, tunnel ID
GTP protocol structure; Gn/Gp GTP messages
RADIUS message flow; GGSN / RADIUS / WAP gateway flow
Create PDP Context Request log; Create PDP Context Response log; GTP messages log
RA update for a different SGSN; GPRS/GGSN roaming; GGSN PDP context
Ga charging: CDRs; GGSN customization (GTP and GTP')
Concept of tunnel for security; node/network (IPsec) security
WAP architecture: GSM as a subnet of the Internet
GGSN summary
Why GPRS ?
General Packet Radio Service
Protocol Links for GPRS
Air Int Um Bluetooth,IR Serial cable GPRS MS TE Laptop Gb Frame Relay E1 link Packet switching BSS A SS7 Circuit switching
SMSC
BTS
BSC
PCU
MSC/VLR
HLR
Gr SS7
PSTN
AUC
Internet
GSN
NMS IP GTP BGP Border Fire Wall Gateway Gp Other GPRS Networks
SGSN
GTP
IP BACKBONE
DNS
IP GTP IP Router with Access Policy
GTP CG
GGSN
IP
Fire Wall
Private network
VPN GTP
Corporate Network
Intranet
GGSN interfaces
GPRS Transmission Plane (protocol stack per node; interfaces Um, Gb, Gn, Gi)

MS:   Application (WAP / HTTP-XML) | IP / X.25 | SNDCP | LLC | RLC | MAC | GSM RF
BSS:  Um side: RLC | MAC | GSM RF      Gb side: BSSGP | Network Service | L1bis   (relay between the two stacks)
SGSN: Gb side: SNDCP | LLC | BSSGP | Network Service | L1bis      Gn side: GTP | TCP/UDP | IP | Layer 2 | Layer 1
GGSN: Gn side: GTP | TCP/UDP | IP | Layer 2 | Layer 1      Gi side: IP / X.25 towards the PDN

Identifiers at each level:
  NSAPI (assigned during PDP context activation) and TID (NSAPI + IMSI): identify the PDP context and its GTP tunnel between SGSN and GGSN
  TLLI (derived from IMSI / P-TMSI): identifies the LLC link between MS and SGSN
  TFI (Temporary Flow Identity, identifies the TBF): RLC/MAC level on Um
  BVCI / cell ID and NSVCI / DLCI: BSSGP virtual connection and Network Service (Frame Relay) virtual circuit on Gb
Mobility Management

GPRS MM functions:
  Attach/Detach (towards SGSN/HLR): makes the MS available for SMS over GPRS
  Paging via SGSN: notification of an incoming packet
  PDP Context Activation/Deactivation: associates the MS with a GGSN and obtains a PDP address (e.g. an IP address)

MM states:
  IDLE: the SGSN does not know the location of the mobile; no PDP context is activated; no network address (IP) is registered for the terminal; no routing of external data is possible.
  STANDBY: the SGSN tracks the mobile at routing-area level. When downlink data is available, a packet paging message is sent to the routing area; upon reception the MS sends its cell location to the SGSN and enters the READY state.
  READY: the SGSN knows the cell of the MS; PDP contexts can be activated/deactivated; the MS may remain in this state even if no data is transmitted (controlled by the READY timer).

State transitions (MS and SGSN keep the same state machine):
  IDLE -> READY: GPRS Attach
  READY -> IDLE: GPRS Detach
  READY -> STANDBY: READY timer expiry
  STANDBY -> READY: PDU transmission (MS side) / PDU reception (SGSN side)
  STANDBY -> IDLE: Mobile Reachable timer expiry
Packet Data Protocol (PDP) Session
  Logical tunnel between MS and GGSN
  Anchors the SGSN and GGSN for the session
  PDP activities: Activation, Modification, Deactivation
IP Address Classes
IP Address as a 32-Bit Binary Number
Hosts for Classes of IP Addresses
IP
UDP
TCP
Different Router Modes

Mode                         Prompt                                                 Entered with          Left with
User EXEC                    Router>                                                login                 exit
Privileged EXEC              Router#                                                enable                disable / exit
Global Configuration         Router(config)#                                        config term           Ctrl-Z / end / exit
Interface configuration      Router(config-if)#                                     interface ...         exit
Line configuration           Router(config-line)#                                   line ...              exit
Router (routing protocol)    Router(config-router)#                                 router ...            exit
Access-list configuration    Router(config-std-nacl)# / Router(config-ext-nacl)#    ip access-list ...    exit
The GGSN requires a logical interface called a virtual template. A virtual template interface is a logical entity (a configuration for an interface that is not tied to a physical interface) that can be applied dynamically as needed to set up connections between the GGSN and the SGSN, and between the GGSN and the PDNs.
DNS (Domain Name System)

DNS message format
  HEADER
  QUESTIONS
  ANSWERS (resource records)
  AUTHORITY (resource records)
  ADDITIONAL (resource records)

DNS response: carries the same ID and question section as the query, with the answer records appended.
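The SGSN finds the GGSN for an APN with an ordinary DNS lookup: the APN network identifier is suffixed with the operator identifier mncXXX.mccXXX.gprs (the form given in 3GPP TS 23.003) and resolved to an A record carrying the GGSN's Gn address. The Python below is an added example, not part of the original slides: it builds such a query in the header/question/answer layout shown above, parses a constructed response, and refuses answers whose ID or question do not match the query or whose records are not for the name asked. The APN "internet", PLMN MCC 001 / MNC 01 and the address 10.1.1.1 are constructed values.

```python
import random
import struct


def apn_fqdn(network_id: str, mnc: str, mcc: str) -> str:
    """FQDN the SGSN resolves: <APN-NI>.mnc<MNC>.mcc<MCC>.gprs (TS 23.003; MNC zero-padded to 3 digits)."""
    return f"{network_id}.mnc{mnc.zfill(3)}.mcc{mcc}.gprs"


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just after it in the message)."""
    labels, end, jumped, hops = [], 0, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off or hops > 16:             # pointers must point backwards; bound the chain
                raise ValueError("bad compression pointer")
            if not jumped:
                end = off + 2
            jumped, hops, off = True, hops + 1, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def build_query(qid: int, name: str) -> bytes:
    """Standard query, RD=1, one question: QTYPE=A (1), QCLASS=IN (1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_response(resp: bytes, qid: int, name: str) -> list:
    """Return the IPv4 addresses from A records for `name`, after checking ID, QR, RCODE and question."""
    if len(resp) < 12:
        raise ValueError("DNS message too short")
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("response ID does not match the query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        qname, off = decode_name(resp, off)
        qtype, qclass = struct.unpack("!HH", resp[off:off + 4])
        off += 4
        if qname.lower() != name.lower() or (qtype, qclass) != (1, 1):
            raise ValueError("question section does not match the query")
    addrs = []
    for _ in range(ancount):
        rname, off = decode_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        if (rtype, rclass, rdlen) == (1, 1, 4) and rname.lower() == name.lower():
            addrs.append(".".join(str(b) for b in rdata))   # records for other names are ignored
    return addrs


def build_response(query: bytes, addresses: list, ttl: int = 300) -> bytes:
    """Constructed reply as the operator DNS would send it (demo only): echoes the question and
    answers with A records whose NAME is a pointer (0xC00C) to the question name at offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + bytes(int(x) for x in a.split(".")) for a in addresses)
    return header + query[12:] + rrs


def resolve_apn_demo() -> tuple:
    """APN 'internet' in PLMN MCC 001 / MNC 01 resolving to a constructed GGSN Gn address."""
    name = apn_fqdn("internet", "01", "001")
    qid = random.randrange(0x10000)
    response = build_response(build_query(qid, name), ["10.1.1.1"])
    return name, parse_response(response, qid, name)


if __name__ == "__main__":
    print(resolve_apn_demo())
```

The checks on the response are the point: an SGSN that accepts any A record in the answer section, or a reply with a mismatched ID, can be steered to a GGSN of the attacker's choosing, so the resolver used for APN lookups must be the operator's own and should only be reachable from the GPRS backbone.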
APN Parameters
The GGSN can assign IP addresses to mobile stations that need access to a PDN (packet data network) through the Dynamic Host Configuration Protocol (DHCP), using either the local DHCP service within Cisco IOS Software or an external DHCP server configured on the GGSN.
Remote Authentication Dial-In User Service (RADIUS)
The GGSN uses the RADIUS server configured for a particular access point to authenticate mobile users for access to that PDN: security through AAA (authentication, authorization and accounting) of mobile user access.
APN Flow diagram
Tunnel ID creation
An IP address is a logical address, not a hardware address. In GPRS the PDP address assigned to the MS is likewise mapped, for the life of the PDP context, to the IMSI (or MSISDN) of the subscriber's SIM. The tunnel ID (TID, built from the IMSI and NSAPI in GTPv0; a TEID in GTPv1) ties that PDP context to one GTP tunnel between the SGSN and the GGSN. IP addressing itself is designed to let a host communicate with a host on a different network, e.g. the Internet or another PLMN.
GTP versions and UDP ports
  GTP v0: UDP port 3386 (GPRS signalling and data on one port)
  GTP v1: UDP port 2123 (GTP-C, control plane) and UDP port 2152 (GTP-U, user plane)
Gn/Gp GTP Messages

Signalling plane: tunnel management messages
  Create PDP Context Request / Create PDP Context Response
  Update PDP Context Request / Update PDP Context Response
  Delete PDP Context Request / Delete PDP Context Response
  Error Indication
  PDU Notification Request / PDU Notification Response
  PDU Notification Reject Request / PDU Notification Reject Response

Transmission plane
  Protocol stack; usage of the GTP header; usage of the sequence number; tunnelling between SGSN and GGSN

Path protocols
  UDP/IP (UDP header) carries signalling request messages, signalling response messages and encapsulated T-PDUs; IP header; TCP header (TCP was used only for X.25 T-PDUs in GTPv0)

Mobility management messages
  Identification Request / Identification Response
  SGSN Context Request / SGSN Context Response / SGSN Context Acknowledge

Error handling (protocol errors)
  Different GTP version
  GTP message too short
  Unknown GTP signalling message
  Unexpected GTP signalling message
  Missing mandatory information element
  Invalid length
  Invalid mandatory information element
  Invalid optional information element
  Unknown information element
  Out-of-sequence information elements
  Unexpected information element
  Repeated information elements
  Incorrect optional information elements
  Path failure

Information elements
  Cause; International Mobile Subscriber Identity (IMSI); Temporary Logical Link Identity (TLLI); Quality of Service (QoS) Profile; PDP Context; Access Point Name; MS International PSTN/ISDN Number (MSISDN); Charging ID; End User Address; Protocol Configuration Options; GSN Address; Charging Gateway Address
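The following Python is an added example, not taken from the original slides: it builds a GTPv1-C Create PDP Context Request with the header layout and information-element codings of 3GPP TS 29.060 and parses it back, raising the error classes from the list above (different GTP version, message too short, unknown signalling message, invalid length, unknown information element). The message-type and IE type numbers are the ones from TS 29.060; the IMSI, APN, TEIDs, QoS octets and SGSN address are constructed. On a real GGSN this parsing happens only for datagrams that the Gn/Gp border filtering already let through to UDP 2123, which is why that filtering, not the parser, is the first line of defence.

```python
import struct

GTP_C_PORT, GTP_U_PORT = 2123, 2152          # GTPv1 (GTPv0 used UDP 3386 for everything)
MESSAGE_TYPES = {1: "Echo Request", 2: "Echo Response", 3: "Version Not Supported",
                 16: "Create PDP Context Request", 17: "Create PDP Context Response",
                 18: "Update PDP Context Request", 19: "Update PDP Context Response",
                 20: "Delete PDP Context Request", 21: "Delete PDP Context Response",
                 26: "Error Indication", 27: "PDU Notification Request", 28: "PDU Notification Response",
                 29: "PDU Notification Reject Request", 30: "PDU Notification Reject Response", 255: "G-PDU"}
# TV IEs (type < 128) have an implicit fixed length; TLV IEs (type >= 128) carry a 16-bit length.
TV_IE = {1: ("Cause", 1), 2: ("IMSI", 8), 14: ("Recovery", 1), 15: ("Selection Mode", 1),
         16: ("TEID Data I", 4), 17: ("TEID Control Plane", 4), 20: ("NSAPI", 1), 127: ("Charging ID", 4)}
TLV_IE = {128: "End User Address", 131: "Access Point Name", 133: "GSN Address", 134: "MSISDN", 135: "QoS Profile"}


class GtpError(ValueError):
    """A protocol error of the kinds listed above (version, too short, unknown message, invalid length...)."""


def encode_tbcd(digits: str) -> bytes:
    """IMSI/MSISDN digits: two per octet, low nibble first, 0xF filler when the count is odd."""
    digits += "F" * (len(digits) % 2)
    return bytes(int(digits[i + 1], 16) << 4 | int(digits[i], 16) for i in range(0, len(digits), 2))


def decode_tbcd(raw: bytes) -> str:
    return "".join(f"{b & 0xF:X}{b >> 4:X}" for b in raw).rstrip("F")


def encode_apn(apn: str) -> bytes:
    """APN IE value: length-prefixed labels, like a DNS name (TS 23.003)."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in apn.split("."))


def decode_apn(raw: bytes) -> str:
    labels, off = [], 0
    while off < len(raw):
        ln, off = raw[off], off + 1
        if ln == 0 or off + ln > len(raw):
            raise GtpError("invalid length inside Access Point Name")
        labels.append(raw[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels)


def ie(ie_type: int, value: bytes) -> bytes:
    if ie_type < 128:
        return bytes([ie_type]) + value                          # TV: type, fixed-length value
    return bytes([ie_type]) + struct.pack("!H", len(value)) + value   # TLV: type, length, value


def build_gtpv1(msg_type: int, teid: int, seq: int, payload: bytes) -> bytes:
    """Flags 0x32 = version 1, PT=1 (GTP, not GTP'), S=1; length counts octets after the 8-octet header."""
    body = struct.pack("!HBB", seq, 0, 0) + payload      # sequence number, N-PDU number, next extension header type
    return struct.pack("!BBHI", 0x32, msg_type, len(body), teid) + body


def parse_ies(payload: bytes) -> list:
    ies, off = [], 0
    while off < len(payload):
        t = payload[off]
        if t < 128:
            if t not in TV_IE:                           # implicit length: an unknown TV IE cannot be skipped
                raise GtpError(f"unknown information element {t}")
            (name, ln), off = TV_IE[t], off + 1
        else:
            if off + 3 > len(payload):
                raise GtpError("invalid length: TLV header truncated")
            name, ln, off = TLV_IE.get(t, f"unknown TLV IE {t}"), struct.unpack("!H", payload[off + 1:off + 3])[0], off + 3
        if off + ln > len(payload):
            raise GtpError(f"invalid length in {name}")
        ies.append((name, payload[off:off + ln]))
        off += ln
    return ies


def parse_gtpv1(datagram: bytes) -> dict:
    if len(datagram) < 8:
        raise GtpError("GTP message too short")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1:
        raise GtpError(f"different GTP version {flags >> 5}")
    if not flags & 0x10:
        raise GtpError("PT=0: GTP' (charging) message on a GTP path")
    if msg_type not in MESSAGE_TYPES:
        raise GtpError(f"unknown GTP signalling message {msg_type}")
    if len(datagram) - 8 < length:
        raise GtpError("GTP message too short for its length field")
    body, off, msg = datagram[8:8 + length], 0, {"type": MESSAGE_TYPES[msg_type], "teid": teid}
    if flags & 0x07:                                     # S, PN or E set: the optional 4 octets are present
        if len(body) < 4:
            raise GtpError("GTP message too short for optional header fields")
        seq, npdu, next_ext = struct.unpack("!HBB", body[:4])
        off = 4
        if flags & 0x02:
            msg["sequence"] = seq
        if flags & 0x01:
            msg["n_pdu"] = npdu
        while next_ext:                                  # extension header = length/4, content, next header type
            if off >= len(body) or body[off] == 0 or off + body[off] * 4 > len(body):
                raise GtpError("invalid extension header length")
            off += body[off] * 4
            next_ext = body[off - 1]
    msg["payload"] = body[off:]
    if msg_type != 255:                                  # a G-PDU carries the user's T-PDU, not IEs
        msg["ies"] = parse_ies(body[off:])
    return msg


def create_pdp_context_request(imsi: str, apn: str, sgsn_addr: str, teid_data: int, teid_ctrl: int) -> bytes:
    """Request as the SGSN sends it on Gn. TEID 0 because the GGSN has not allocated one yet. Constructed values."""
    gsn = bytes(int(x) for x in sgsn_addr.split("."))
    payload = (ie(2, encode_tbcd(imsi)) + ie(15, b"\xFC")               # selection mode 0, spare bits set to 1
               + ie(16, struct.pack("!I", teid_data)) + ie(17, struct.pack("!I", teid_ctrl))
               + ie(20, b"\x05")                                         # NSAPI 5
               + ie(128, b"\xF1\x21")                                    # End User Address: IETF / IPv4, to be allocated
               + ie(131, encode_apn(apn)) + ie(133, gsn) + ie(133, gsn)  # SGSN address for signalling and user plane
               + ie(135, b"\x02\x13\x92\x1F"))                           # QoS profile octets (constructed)
    return build_gtpv1(16, 0, 1, payload)
```

Running create_pdp_context_request("001010123456789", "internet", "10.0.0.1", 0x1001, 0x1002) through parse_gtpv1 gives a 73-octet message whose IMSI and APN decode back to the inputs; truncating it, changing the version bits or the message type makes the parser raise instead of guessing.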
GGSN / RADIUS / WAP gateway flow
[Flow diagram not reproduced. Messages visible in it: Data Record Transfer Response (GTP', GGSN to charging gateway), T-PDU (tunnelled user data), Delete PDP Context Request, Delete PDP Context Response.]
GPRS Roaming
GGSN MM Records

Ga interface, GTP' protocol: CDR overview
  The SGSN holds the mobility management context for the MS and generates S-CDRs (SGSN PDP context records) and M-CDRs (mobility management records).
  The GGSN holds the MS's PDP context, identified by a unique tunnel ID, towards the ISP/PDN and generates G-CDRs.
  Both nodes transfer their CDRs over Ga (GTP') to the charging gateway (CG).
gprs default charging-gateway {ip-address | name} [{ip-address | name}]   (primary, then optional secondary charging gateway)
GGSN customization

GTP
  gprs maximum-pdp-context-allowed: the maximum number of PDP contexts (mobile sessions) that can be activated on the GGSN
  gprs gtp path-echo-interval: the number of seconds the GGSN waits before sending an Echo Request to check for GTP path failure
  gprs gtp n3-requests: the maximum number of times the GGSN attempts to send a signalling request
  gprs gtp t3-response: the time the GGSN waits for a response to a signalling request before resending it
  gprs idle-pdp-context purge-timer: the time the GGSN waits before purging idle mobile sessions

Charging Gateway
  gprs charging transfer interval: the number of seconds the GGSN waits before it transfers charging data to the charging gateway
  gprs charging cdr-aggregation-limit: the maximum number of call detail records (CDRs) the GGSN aggregates into one charging data transfer message to a charging gateway
  gprs charging cg-path-requests: the number of minutes the GGSN waits before retrying to establish the TCP/UDP path to the charging gateway when TCP/UDP is the specified path protocol
  gprs charging cdr-option node-id: include the node ID field in CDRs generated by the GGSN
  gprs charging cdr-option local-record-sequence-number: include the local record sequence number field in CDRs generated by the GGSN
GGSN parameters and statistics: routes

Tunnel ID   IP address/prefix   Source IP   Destination IP
0           _._._._/_           _._._._     _._._._
1           _._._._/_           _._._._     _._._._

(GPRS network side: Virtual-Template interface)
Network Security

Username and password: use secret password encryption (enable secret, username ... secret), which stores the password as an MD5 hash (type 5) so that neither username nor password is displayed in plain text, and apply it to the Telnet (vty), console and auxiliary lines. Plain "password" lines use the reversible type 7 obfuscation and should not be relied on.

AAA (authentication, authorization, accounting) with a RADIUS (Remote Authentication Dial-In User Service) server:
  radius-server host ... auth-port: UDP destination port for authentication requests
  radius-server host ... acct-port: UDP destination port for accounting requests
  radius-server key string: the shared secret that authenticates and obfuscates traffic between the GGSN and the RADIUS daemon (RADIUS hides only the User-Password attribute; the rest of the packet is in the clear, so keep the RADIUS path on the protected management network)

Access policy
  Standard access list: permit/deny a particular host or network by source address
  Extended access list: adds protocol-, destination- and port-specific permit/deny for a host or network
  Route-map policy
  Traffic tunnelling: VPN created with source and destination tunnel endpoints and a unique network for each APN
  VLAN policy on the Layer 3 switch facing the GGSN interface, permitting no other traffic to reach the private network
IPsec Network Security

IP Security (IPsec) is implemented between the GGSN and a router on the PDN for authentication, confidentiality (encryption) and integrity of the data.

Configuring an IKE (Internet Key Exchange) policy (required)
  crypto isakmp policy priority   (enters config-isakmp mode)
  encryption algorithm: des (56-bit Data Encryption Standard in CBC mode) or 3des (168-bit)
  hash algorithm: sha (SHA-1) or md5 (Message Digest 5)
  authentication method: rsa-sig | rsa-encr | pre-share
  Diffie-Hellman group identifier: group 1 (768-bit) or group 2 (1024-bit)
  DES, MD5 and the 768/1024-bit groups are obsolete; on images that support them, prefer AES, SHA-2 and a 2048-bit or larger group (e.g. group 14).

Configuring pre-shared keys (required when pre-share authentication is configured)
  crypto isakmp key keystring address peer-address
  crypto isakmp key keystring hostname peer-hostname

Configuring transform sets (optional)
  A transform set is the combination of security protocols and algorithms negotiated for protecting a particular data flow during IPsec security association setup.
  crypto ipsec transform-set transform-set-name transform1 [transform2 ...]   (enters crypto transform configuration mode)
  mode [tunnel | transport]   (encapsulation of the IP packet)

Configuring crypto map entries that use IKE to establish security associations (optional)
  Defines the settings for IPsec peer negotiation in a crypto map entry.
  crypto map map-name seq-num ipsec-isakmp   (enters crypto map configuration mode)
  match address access-list-id   (the traffic to be protected by IPsec)
  set peer {hostname | ip-address}   (the remote IPsec peer)
  set transform-set transform-set-name
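Because the IKE policy and transform-set fields above accept both weak (DES, MD5, group 1/2) and acceptable values, and fields left out of a crypto isakmp policy silently take IOS defaults (des, sha, rsa-sig, group 1), the crypto configuration on the GGSN's Gi side is worth auditing before the tunnel to the corporate PDN goes live. The Python below is an added example, not part of the slides and not a Cisco tool: it parses the crypto isakmp policy blocks, transform sets and pre-shared keys out of an IOS running-config fragment (a constructed sample is embedded; its peer address, policy numbers, names and key are made up) and reports weak or missing choices.

```python
import re

SAMPLE_CONFIG = """\
! constructed sample running-config fragment, not from a real GGSN
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 192.0.2.10
crypto ipsec transform-set WEAK esp-des esp-md5-hmac
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map GI-MAP 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set WEAK
 match address 101
"""

# IOS defaults applied to any field a crypto isakmp policy omits.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK_ENCR = {"des", "3des"}       # 56-bit DES is broken; 3DES has a 64-bit block and is deprecated
WEAK_HASH = {"md5", "sha"}        # 'sha' is SHA-1
WEAK_GROUPS = {"1", "2", "5"}     # 768-, 1024- and 1536-bit MODP groups
FIELD = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
         "authentication": "authentication", "group": "group"}


def parse_isakmp_policies(config: str) -> dict:
    """{policy number: {field: value}}, with defaults filled in for lines the policy does not set."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies[m.group(1)] = dict(DEFAULTS)
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words and words[0] in FIELD:
                current[FIELD[words[0]]] = " ".join(words[1:])
        else:
            current = None                           # any other top-level line ends the policy block
    return policies


def parse_transform_sets(config: str) -> dict:
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}


def audit(config: str) -> list:
    """Findings a reviewer would raise against the IKE/IPsec part of the configuration."""
    findings = []
    for num, p in parse_isakmp_policies(config).items():
        if p["encryption"].split()[0] in WEAK_ENCR:
            findings.append(f"isakmp policy {num}: weak encryption {p['encryption']}")
        if p["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {num}: weak hash {p['hash']}")
        if p["group"] in WEAK_GROUPS:
            findings.append(f"isakmp policy {num}: weak DH group {p['group']}")
        if p["authentication"] == "pre-share":
            findings.append(f"isakmp policy {num}: pre-shared keys; keep them long, random and per peer")
    for name, algs in parse_transform_sets(config).items():
        if any(a in ("esp-des", "esp-3des") for a in algs):
            findings.append(f"transform-set {name}: weak ESP cipher")
        if any(a in ("esp-md5-hmac", "esp-sha-hmac") for a in algs):
            findings.append(f"transform-set {name}: weak ESP integrity (MD5/SHA-1)")
        if not any(a.endswith("-hmac") or "gcm" in a for a in algs):
            findings.append(f"transform-set {name}: no integrity protection")
    # Plain-text pre-shared keys shorter than 16 characters; 'crypto isakmp key 6 ...' (type 6) keys are long ciphertext.
    for m in re.finditer(r"^crypto isakmp key (?:[06] )?(\S+) (?:address|hostname) (\S+)", config, re.M):
        key, peer = m.groups()
        if len(key) < 16:
            findings.append(f"isakmp key for {peer}: literal shorter than 16 characters")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, policy 10 and transform set WEAK are flagged on every axis while policy 20 and STRONG draw only the pre-shared-key reminder; the defaults handling matters because a policy that sets only "authentication pre-share" is, as far as the negotiation goes, a des/sha/group-1 policy.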
WAP access via GGSN
GGSN Summary