HUAWEI PDSN9660 Packet Data Serving Node
System Integration
Issue 02
Date 2009-04-10
Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.
Website: Email:
Copyright Huawei Technologies Co., Ltd. 2009. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Contents
About This Document ... 1
1 Basis of System Integration ... 1-1
1.1 Starting the LMT ... 1-2
1.2 Overview of CLI Views ... 1-6
1.3 Configuring Data by Using CLI Commands ... 1-9
HUAWEI PDSN9660 Packet Data Serving Node System Integration
3.9.2 Configuring the IPSec Proposal ... 3-20
3.9.3 Configuring the IKE Security Proposal ... 3-22
3.9.4 Configuring the IKE Peer Attributes ... 3-23
3.9.5 Configuring the IKE Local ID ... 3-24
3.9.6 Configuring the IKE DPD Function ... 3-25
3.9.7 Configuring the Attributes of the IKE Keepalive Mechanism ... 3-25
3.9.8 Configuring the IPSec Policy ... 3-26
3.9.9 Applying an IPSec Policy to an Interface ... 3-29
3.10 Configuring the Static Route to the AAA Server ... 3-30
3.11 Configuring the Dynamic Route to the AAA Server ... 3-32
3.12 Configuring the AAA Authentication/Accounting Server ... 3-34
3.13 Commissioning the Data for the Interworking with the AAA Server ... 3-36
3.14 Configuration Example ... 3-36
3.14.1 Inband Networking ... 3-37
3.14.2 Outband Networking ... 3-41
3.14.3 GRE VPN in Inband Networking ... 3-47
3.14.4 GRE VPN in Outband Networking ... 3-52
3.14.5 IPSec Policy Applied to the Pi Interface ... 3-60
6.2 Planning the Networking for Connecting to the PDN ... 6-3
6.3 Creating a VPN Instance ... 6-7
6.4 Configuring the Physical Interface ... 6-8
6.5 Configuring the Eth-trunk Interface ... 6-9
6.6 Configuring the Sub-interface ... 6-10
6.7 Configuring the L2TP VPN ... 6-11
6.8 Configuring the GRE VPN ... 6-12
6.8.1 Creating the Loopback Interface ... 6-13
6.8.2 Creating the Tunnel Interface ... 6-14
6.8.3 Configuring the Keepalive Function ... 6-15
6.9 Configuring the IPSec Policy ... 6-16
6.9.1 Configuring the Protected Data Flows ... 6-18
6.9.2 Configuring the IPSec Proposal ... 6-19
6.9.3 Configuring the IKE Security Proposal ... 6-21
6.9.4 Configuring the IKE Peer Attributes ... 6-22
6.9.5 Configuring the IKE Local ID ... 6-23
6.9.6 Configuring the IKE DPD Function ... 6-24
6.9.7 Configuring the Attributes of the IKE Keepalive Mechanism ... 6-24
6.9.8 Configuring the IPSec Policy ... 6-25
6.9.9 Applying an IPSec Policy to an Interface ... 6-28
6.10 Configuring the Static Route to the PDN ... 6-29
6.11 Configuring the Dynamic Route to the PDN ... 6-31
6.12 Configuring the Downlink Route from the P Interface to the MS ... 6-33
6.13 Commissioning the Data for the Interworking with the PDN ... 6-35
6.14 Configuration Example ... 6-35
6.14.1 Eth-trunk Load-sharing Mode + Dynamic Routing ... 6-36
6.14.2 Dynamic Routing + L2TP VPN Tunnel ... 6-40
6.14.3 IPSec Policy Applied to the Tunnel Interface ... 6-44
7.2.2 Configuring the Packet Filtering Policy ... 7-41
7.2.3 Configuring the Anti-DDoS Function ... 7-43
7.2.4 Configuring the Pi Redirection Function ... 7-43
7.2.5 Configuring the IPSec Policy ... 7-44
7.2.6 Maintaining the Data for the Security Function ... 7-58
7.2.7 Configuration Example ... 7-59
7.3 Configuring the Data for the FA ... 7-68
7.3.1 Application Scheme for the FA ... 7-69
7.3.2 Configuring the Foreign Agent Care-of Address ... 7-70
7.3.3 Configuring the FA ... 7-71
7.3.4 Configuring the SA Between the MN and the FA ... 7-73
7.3.5 Configuring the SA Between the FA and the HA ... 7-74
7.3.6 Commissioning the Data for the FA Function ... 7-75
7.3.7 Configuration Example ... 7-75
7.4 Configuring the Data for RADIUS Authentication and Accounting ... 7-78
7.4.1 Planning the Application Scheme for RADIUS Authentication and Accounting ... 7-79
7.4.2 Configuring RADIUS Authentication ... 7-80
7.4.3 Configuring RADIUS Accounting ... 7-81
7.4.4 Configuring the Charging Characteristic ... 7-82
7.4.5 Configuring the Charging Parameters ... 7-83
7.4.6 Configuring the Tariff Switch Function ... 7-84
7.4.7 Configuring the UDR Cache Function ... 7-85
7.4.8 Maintaining the Data for RADIUS Authentication and Accounting ... 7-86
7.4.9 Example of RADIUS Authentication and Accounting ... 7-86
7.5 Configuring the Data for the Diameter Online Charging Function ... 7-89
7.5.1 Application Schemes for Online Charging ... 7-90
7.5.2 Configuring the Gy Interface ... 7-93
7.5.3 Configuring the OCS Information ... 7-94
7.5.4 Configuring the Primary and Secondary OCSs ... 7-94
7.5.5 Configuring the Quota Threshold ... 7-95
7.5.6 Configuring the Mode for Sending a CCR Message ... 7-96
7.5.7 Configuring the Conditions for Sending a CCR Message ... 7-97
7.5.8 Configuring the Tx Timer ... 7-98
7.5.9 Configuring the Service Processing Actions ... 7-99
7.5.10 Maintaining the Data for the Diameter Online Charging Function ... 7-100
7.5.11 Configuration Example ... 7-101
7.6 Configuring the Data for the Content-based Charging Function ... 7-108
7.6.1 Application Schemes for Content-based Charging ... 7-108
7.6.2 Configuring the Content-based Charging Function ... 7-110
7.6.3 Maintaining the Data for the Content-based Charging Function ... 7-113
7.6.4 Configuration Example ... 7-115
7.7 Configuring the Data for the Service Resolution and Control Function ... 7-121
Huawei Proprietary and Confidential. Copyright Huawei Technologies Co., Ltd. Issue 02 (2009-04-10)
7.7.1 Planning the Application Scheme for Service Control ... 7-121
7.7.2 Configuring the Service Control Function ... 7-123
7.7.3 Maintaining the Data for the Service Control Function ... 7-126
7.7.4 Configuration Example ... 7-127
A Glossary ... A-1
B Abbreviation ... B-1
Figures
Figure 1-1 User login ... 1-3
Figure 1-2 Office Management dialog box ... 1-4
Figure 1-3 Add dialog box ... 1-4
Figure 1-4 User login ... 1-5
Figure 1-5 CLI view structure on the PDSN9660 V900R007 ... 1-7
Figure 2-1 Networking for the interworking between the PDSN9660 and the PCF ... 2-4
Figure 2-2 Networking for the interworking between the PDSN9660 and the PCF ... 2-12
Figure 2-3 Reliability networking for the interworking between the PDSN9660 and the PCF ... 2-15
Figure 3-1 Configuration procedure ... 3-4
Figure 3-2 Inband networking and outband networking ... 3-7
Figure 3-3 Configuration procedure for the IPSec policy ... 3-18
Figure 3-4 Configuration of the IPSec proposal ... 3-20
Figure 3-5 IKE proposal configuration map ... 3-22
Figure 3-6 IKE peer configuration procedure ... 3-23
Figure 3-7 IPSec policy through manual configuration ... 3-26
Figure 3-8 IPSec policy through the IKE negotiation ... 3-27
Figure 3-9 Networking for the interworking between the PDSN9660 and the AAA server ... 3-37
Figure 3-10 Networking for the interworking between the PDSN9660 and the AAA server ... 3-42
Figure 3-11 GRE VPN networking ... 3-47
Figure 3-12 GRE VPN networking ... 3-53
Figure 3-13 Networking of setting up a security tunnel between the PDSN9660 and the AAA server ... 3-60
Figure 4-1 Configuration procedure ... 4-4
Figure 4-2 Networking for the interworking between the PDSN9660 and the OCS ... 4-16
Figure 5-1 Configuration procedure for the interworking between the PDSN9660 and the HA ... 5-4
Figure 5-2 Networking for the interworking between the PDSN9660 and the HA ... 5-10
Figure 6-1 Configuration procedure ... 6-4
Figure 6-2 Configuration procedure for the IPSec policy ... 6-17
Figure 6-3 Configuration of the IPSec proposal ... 6-19
Figure 6-4 IKE proposal configuration map ... 6-21
Figure 6-5 IKE peer configuration procedure ... 6-22
Figure 6-6 IPSec policy through manual configuration ... 6-25
Figure 6-7 IPSec policy through the IKE negotiation ... 6-26
Figure 6-8 Networking for the interworking between the PDSN9660 and the PDN ... 6-36
Figure 6-9 L2TP VPN networking ... 6-41
Figure 6-10 Networking of setting up a security tunnel between the PDSN9660 and the enterprise gateway ... 6-44
Figure 7-1 Configuring the domain ... 7-4
Figure 7-2 Principles for DNS selection ... 7-18
Figure 7-3 Address assignment from the local address pool with a complete address segment ... 7-20
Figure 7-4 Address assignment from the local address pool with an incomplete address segment ... 7-21
Figure 7-5 Address assignment by the RADIUS server (address segment known in advance) ... 7-22
Figure 7-6 Networking for an MS to access the IP network of an operator ... 7-25
Figure 7-7 Networking for an MS to access the network of an ISP ... 7-28
Figure 7-8 Networking for an MS to access an intranet ... 7-31
Figure 7-9 Address assignment from the local address pool with a complete address segment ... 7-34
Figure 7-10 Address assignment from the local address pool with an incomplete address segment ... 7-34
Figure 7-11 Address assignment by the RADIUS server (address segment known in advance) ... 7-37
Figure 7-12 Data transmission ... 7-42
Figure 7-13 Configuration procedure for the IPSec policy ... 7-45
Figure 7-14 Configuration of the IPSec proposal ... 7-47
Figure 7-15 IKE proposal configuration map ... 7-50
Figure 7-16 IKE peer configuration procedure ... 7-51
Figure 7-17 IPSec policy through manual configuration ... 7-54
Figure 7-18 IPSec policy through the IKE negotiation ... 7-54
Figure 7-19 Preventing attacks from an MS or a PDN user to devices on the core network ... 7-60
Figure 7-20 Packet redirection through the PDSN ... 7-64
Figure 7-21 Networking of setting up a security tunnel between the PDSN9660 and the AAA server ... 7-66
Figure 7-22 Configuring the FA function ... 7-69
Figure 7-23 Networking for the MIP service ... 7-76
Figure 7-24 Networking for an MS to access the enterprise network ... 7-87
Figure 7-25 Configuration procedure for online charging ... 7-91
Figure 7-26 Networking of Diameter online charging ... 7-102
Figure 7-27 Networking of Diameter online charging ... 7-105
Figure 7-28 Configuration procedure for content-based charging ... 7-109
Figure 7-29 Networking for CBC ... 7-115
Figure 7-30 Networking for CBC ... 7-118
Figure 7-31 Configuration procedure ... 7-122
Tables
Table 1-1 Description of the CLI views ... 1-7
Table 1-2 Command syntax ... 1-9
Table 2-1 Common networking schemes ... 2-6
Table 2-2 Displaying the data for the interworking between the PDSN and the PCF ... 2-11
Table 2-3 Deleting the data for the interworking between the PDSN and the PCF ... 2-12
Table 3-1 Common networking schemes ... 3-7
Table 3-2 Concepts of the OSPF dynamic routing mode ... 3-32
Table 3-3 Displaying the data for the interworking between the PDSN and the AAA server ... 3-36
Table 3-4 Deleting the data for the interworking between the PDSN and the AAA server ... 3-36
Table 4-1 Common networking schemes ... 4-6
Table 4-2 Concepts of the OSPF dynamic routing mode ... 4-12
Table 4-3 Displaying the data for the interworking between the PDSN9660 and the OCS ... 4-15
Table 4-4 Deleting the data for the interworking between the PDSN9660 and the OCS ... 4-15
Table 5-1 Common networking scheme ... 5-5
Table 6-1 Common networking schemes ... 6-7
Table 6-2 Concepts of the OSPF dynamic route ... 6-31
Table 7-1 Common application schemes of the domain ... 7-6
Table 7-2 Authentication negotiation between the MS and the PDSN9660 ... 7-9
Table 7-3 Common application schemes of the security function ... 7-40
Table 7-4 Displaying the configuration of the security function ... 7-58
Table 7-5 Deleting the configuration of the security function ... 7-59
Table 7-6 Common application scheme ... 7-70
Table 7-7 Displaying the RADIUS authentication and accounting configuration ... 7-86
Table 7-8 Deleting the RADIUS authentication and accounting configuration ... 7-86
Table 7-9 Common application schemes of online charging ... 7-92
Table 7-10 Displaying the Diameter online charging configuration ... 7-101
Table 7-11 Deleting the Diameter online charging configuration ... 7-101
Table 7-12 Common application schemes of content-based charging ... 7-110
Table 7-13 Displaying the CBC configuration ... 7-113
Table 7-14 Deleting the CBC configuration ... 7-114
Table 7-15 Common networking schemes ... 7-123
Table 7-16 Displaying the service control configuration ... 7-126
Table 7-17 Deleting the service control configuration ... 7-127
Related Versions
The following table lists the product version related to this document.
Product Name: PDSN9660
Version: V900R007C02
Intended Audience
This document is intended for:
Update History
Updates between document versions are cumulative. Therefore, the latest document version contains all updates made to previous issues.
Updates in Issue 02 (2009-04-10)
The second commercial release has the following updates: the mistakes are corrected.
Updates in Issue 01 (2009-01-05)
Initial commercial release.
Organization
1 Basis of System Integration
Before system integration, you need to set up the configuration environment and learn how to use the local maintenance terminal (LMT) and the command line interface (CLI) commands.
2 Configuring the Data for the PCF
The PDSN9660 interworks with the packet control function (PCF) through a physical interface and the R-P interface.
3 Configuring the Data for the AAA Server
The PDSN9660 supports Remote Authentication Dial In User Service (RADIUS) authentication and accounting. It can assign an IP address to a mobile station (MS) through the authentication, authorization, and accounting (AAA) server. Before setting parameters for authentication, accounting, or address assignment, ensure that the PDSN9660 interworks with the AAA server.
4 Configuring the Data for the OCS
The PDSN9660 provides the traffic plane function (TPF). With the TPF, the PDSN9660 differentiates various content-based charging (CBC) services and collects the charging information. The PDSN9660 performs online charging for normal users and CBC users by interworking with the online charging system (OCS) through the Gy interface.
5 Configuring the Data for the HA
This describes how to configure the data for the home agent (HA).
6 Configuring the Data for the PDN
The PDSN9660 is a gateway device that enables a mobile station (MS) to access an external packet data network (PDN). To carry out data services for an MS, the PDSN9660 needs to interwork with network elements (NEs) on the PDN.
7 Configuring Service Data
This describes how to configure service data such as domain, security, Remote Authentication Dial In User Service (RADIUS) authentication and accounting, content-based charging, and service control.
A Glossary
B Abbreviation
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol / Description:
- Indicates a hazard with a high level of risk, which, if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk, which, if not avoided, could result in minor or moderate injury.
- Indicates a potentially hazardous situation, which, if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
- Indicates a tip that may help you solve a problem or save time.
- Provides additional information to emphasize or supplement important points of the main text.
General Conventions
The general conventions that may be found in this document are defined as follows.

Convention       Description
Times New Roman  Normal paragraphs are in Times New Roman.
Boldface         Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic           Book titles are in italics.
Courier New      Examples of information displayed on the screen are in Courier New.
Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention        Description
Boldface          The keywords of a command line are in boldface.
Italic            Command arguments are in italics.
[ ]               Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }   Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]   Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*  Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*  Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Convention  Description
Boldface    Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>           Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.
Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Format        Description
Key           Press the key. For example, press Enter and press Tab.
Key 1+Key 2   Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2  Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.
Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Action        Description
Click         Select and release the primary mouse button without moving the pointer.
Double-click  Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag          Press and hold the primary mouse button and move the pointer to a certain position.
About This Chapter
Before system integration, you need to set up the configuration environment and learn how to use the local maintenance terminal (LMT) and the command line interface (CLI) commands.

1.1 Starting the LMT
This describes how to start the local maintenance terminal (LMT) and set up the connection with the PDSN9660.

1.2 Overview of CLI Views
This describes the command line interface (CLI) views. In addition to the graphical user interface (GUI), the local maintenance terminal (LMT) provides the CLI. The PDSN9660 provides abundant CLI commands for you to operate and maintain the system.

1.3 Configuring Data by Using CLI Commands
The local maintenance terminal (LMT) provides a set of configuration commands. Users can configure and manage the PDSN9660 by entering these commands in the command line interface (CLI) to ensure that the system runs normally.
1.1 Starting the LMT

Prerequisite

- The LMT software is installed. See Checking the Installation of the LMT Software.
- The LMT is connected to the PDSN9660.
Context
CAUTION
Logging in to the PDSN9660 through Telnet is prohibited.
WARNING
Do not modify the system time when the LMT programs are running. This helps to prevent system errors. You can modify the system time only after all the LMT application programs are stopped.
Procedure
Step 1 Check whether the icon of LMT Service Manager exists in the notification area of the taskbar.

Condition                                        Operation
The icon of LMT Service Manager exists.          It indicates that the LMT service manager is started. Go to Step 2.
The icon of LMT Service Manager does not exist.  Choose Start > Programs > Huawei Local Maintenance Terminal > LMT Service Manager to start the LMT service manager on the computer where the LMT is installed. Then, go to Step 2.
Step 2 Choose Start > Programs > Huawei Local Maintenance Terminal > Local Maintenance Terminal. The User Login dialog box is displayed. See Figure 1-1.
Start for the First Time?  Operation
Yes                        Go to Step 3.
No                         Select an office to which the LMT is connected in the Office drop-down list box. Go to Step 6.
NOTE
- Domain user: indicates that this user is managed by the M2000 domain.
- Local user: indicates that this user is managed by the local LMT.
NOTE
- You can also log in to the LMT by clicking Offline. Thus, you can use some of the functions of the LMT offline, such as help browsing, eliminating the need to log in to the PDSN9660.
- You can log out of the LMT by clicking Exit.
Step 3 Set the office information if you log in to the PDSN9660 for the first time. Click the office management icon. The Office Management dialog box is displayed. See Figure 1-2.
NOTE
- Office: specifies the PDSN9660 connected to the LMT. You can define the office name. It is recommended that you name the office in a way that makes the office easy to be distinguished from others.
- IP Address: specifies the IP address of the SRU or LPU of the PDSN9660 connected to the LMT.
- NE Type: specifies the type of a network element (NE). The LMT can manage the NEs of different types. Thus, you can choose the type of the NE to be managed.
- Port: specifies the port through which the SRU or LPU of the PDSN is connected to the LMT.
- Connect Type: specifies the connection type of the LMT.
Step 4 Click Add.... The Add dialog box is displayed. See Figure 1-3.

Figure 1-3 Add dialog box
In the Add dialog box, specify Office and enter IP Address of the PDSN9660. Then, click OK. The Office Management dialog box is displayed.
If the M2000 proxy server is located between the LMT and the PDSN9660, set the IP address of Proxy Server in the Add dialog box.
Step 5 Click Close in the Office Management dialog box. The office configuration is complete. The User Login dialog box is displayed. See Figure 1-4. Figure 1-4 User login
Step 6 Enter the user name and the password, and specify the user type. Then, click Login to access the main interface of the LMT. If the status is "Connected" and the IP address is displayed at the bottom of the window, the LMT is correctly connected to the PDSN9660. You can then perform service and data configurations for the PDSN9660 by using command line interface (CLI) commands in this window.
NOTE
When logging in to the LMT for the first time, you must log in as an admin user. The password is determined when the PDSN9660 software is installed.
NOTE
EMS users are managed by the M2000. The element management system (EMS) user account is used for management during routine maintenance. For a user that logs in to the M2000, the PDSN9660 sends the user authentication information to the M2000, and the M2000 then performs the user authentication. Local users are managed by the LMT of the PDSN9660. The local user account is used for deployment and upgrade. For a user that logs in to the LMT, the PDSN9660 performs the user authentication by using the local user profile.
----End
1.2 Overview of CLI Views

- Charge view: The information related to charging is configured in this view.
- Domain view: The information related to domains is configured in this view.
- MIP view: The information related to mobile IP (MIP) is configured in this view.
- Interface view: The information related to interfaces such as physical interfaces, logical interfaces, and sub-interfaces is configured in this view.
- Access view: The access resources, including the Remote Authentication Dial In User Service (RADIUS) information, address pool, quality of service (QoS), and Layer 2 Tunneling Protocol (L2TP) group, are configured in this view.
- Service view: The information related to service control is configured in this view.
- Operation and maintenance view: The information related to alarm management, performance measurement, and software management is configured in this view.
- Security view: The information related to the IP Security (IPSec) protocol and the Internet Key Exchange (IKE) protocol is configured in this type of view. Security views consist of the IPSec view, IPSec policy view, IKE peer view, and IKE proposal view.
Figure: hierarchy of CLI views (MIP view, RADIUS view, Interface view, Access view, QoS view, Service view, OM view, IPSec view)

View: System view
  Command:
    <PDSN>system-view
    [PDSN]

View: Charge view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]charge-view
    [PDSN-charge]

View: DCC template view
  Prerequisite: The charge view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]charge-view
    [PDSN-charge]dcc-template test
    [PDSN-dcc-test]

View: DCC global view
  Prerequisite: The charge view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]charge-view
    [PDSN-charge]dcc-global-view
    [PDSN-dcc-global]

View: Domain view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]domain testdomain
    [PDSN-domain-testdomain]

View: MIP view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]mip enable
    [PDSN-mip-view]

View: Physical interface view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]interface GigabitEthernet 0/0/0
    [PDSN-GigabitEthernet0/0/0]

View: Logical interface view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]interface rpif3/0/0
    [PDSN-rpif3/0/0]

View: Sub-interface view
  Prerequisite: The Eth-trunk interface view or physical interface view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]interface Eth-Trunk 0
    [PDSN-Eth-Trunk0]
    [PDSN]interface Eth-Trunk0.1
    [PDSN-Eth-Trunk0.1]

View: Eth-trunk interface view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]interface Eth-Trunk 0
    [PDSN-Eth-Trunk0]

View: Loopback interface view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]interface LoopBack 0
    [PDSN-LoopBack0]

View: Tunnel interface view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]interface Tunnel 1/0/0
    [PDSN-Tunnel1/0/0]

View: Access view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]access-view
    [PDSN-access]

View: RADIUS view
  Prerequisite: The access view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]access-view
    [PDSN-access]radius-server group testaaa
    [PDSN-access-radius-testaaa]

View: Address pool view
  Prerequisite: The access view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]access-view
    [PDSN-access]ip pool testpool
    [PDSN-access-ip-pool-testpool]

View: QoS view
  Prerequisite: The access view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]access-view
    [PDSN-access]qos-view
    [PDSN-access-qos]

View: L2TP group view
  Prerequisite: The access view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]access-view
    [PDSN-access]l2tp group 1
    [PDSN-l2tp-group-1]

View: Lawful interception view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]li-view
    [PDSN-li]

View: Service view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]service-view
    [PDSN-service]

View: User profile view
  Prerequisite: The service view is displayed.
  Command:
    [PDSN-service]user-profile testprofile
    [PDSN-service-profile-testprofile]

View: IP farm view
  Prerequisite: The service view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]service-view
    [PDSN-service]ip-farm testfarm
    [PDSN-service-ip-farm-testfarm]

View: Operation and maintenance view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]om-view
    [PDSN-om-view]

View: IPSec proposal view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]ipsec proposal testproposal
    [PDSN-ipsec-proposal-testproposal]

View: IPSec policy view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]ipsec policy testpolicy 100 manual
    [PDSN-ipsec-policy-manualtestpolicy-100]

View: IKE peer view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]ike peer testpeer
    [PDSN-ike-peer-testpeer]

View: IKE proposal view
  Prerequisite: The system view is displayed.
  Command:
    <PDSN>system-view
    [PDSN]ike proposal 1
    [PDSN-ike-proposal-1]
1.3 Configuring Data by Using CLI Commands

Convention        Description
Italic            Command arguments are in italics.
[ ]               Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }   Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]   Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... }*  Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ]*  Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

Take the command radius-server accounting ip-address [ port port-number ] [ vpn-instance vpn-instance ] key key-string as an example. Here, radius-server accounting are the command line keywords; port, vpn-instance, and key are command keywords; ip-address, port-number, vpn-instance, and key-string are command arguments.
Full help
- Enter a question mark (?) in a command line view to display all the commands and their description in this view.
- Enter a command and a question mark (?) separated by a space. If the question mark is in the position of a keyword, all keywords and their description are displayed.
- Enter a command and a question mark (?) separated by a space. If the question mark is in the position of a parameter, the related parameter names and parameter description are displayed.

Partial help
- Enter a character string followed by a question mark (?) without any space to display all commands that begin with this character string and their description.
- Enter a character string followed by a question mark (?) without any space to display all keywords that begin with this character string.
2. Configure the RADIUS accounting server. Create the RADIUS server group group1. Set the IP address of the accounting server to 10.1.1.1, port number to 1813, and key to 12345.

   [PDSN-access-radius-group1]radius-server accounting ip 10.1.1.1 port 1813 key 12345

3. After all parameters are set, press Enter to run the command.
Prerequisite
- The hardware of the PDSN9660 and the base station controller (BSC)/PCF is installed and checked. The hardware is switched on and operates normally. For details, see Checking the Installation.
- The local maintenance terminal (LMT) of the PDSN9660 is installed. For details, see Checking the LMT System.
- The software of the PDSN9660 and the BSC/PCF is installed and checked. For details, see Checking the Installation of the Host Software.
Context
Based on the 3rd Generation Partnership Project 2 (3GPP2) protocol, the PCF uses the Generic Routing Encapsulation (GRE) protocol to encapsulate uplink data packets from a mobile station (MS). The destination IP address of the encapsulated packets is the IP address of the R-P interface on the PDSN9660. The packets are forwarded to the PDSN9660 through the GRE tunnel between the PCF and the PDSN9660. Then, the PDSN9660 GRE-decapsulates the packets and forwards them to the packet data network (PDN).

The PDSN9660 GRE-encapsulates downlink data packets to the MS from the PDN. The destination IP address of the encapsulated packets is the IP address of the R-P interface on the PCF. The packets are forwarded through the GRE tunnel to the PCF. Then, the PCF removes the GRE headers and obtains the original packets. The original packets are then forwarded to the MS.

The PDSN9660 sets up the physical path with the PCF through a physical interface. The logical interworking with the PCF is realized through the A10 connection. The interworking with the PCF at the network layer is realized through the routing protocol. The R-P logical interface is created through A11 messages. To ensure that the A11 messages are valid and reliable, you must set the security parameter index (SPI) parameters. Then, you need to specify relevant parameters of A11 messages by configuring the A11 timer.
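The GRE encapsulation on the R-P path described above can be checked with a small decoder. The following Python block is an added example written for this edition, not code from Huawei or from the PDSN9660 product; it builds an RFC 1701 GRE header with the optional Checksum, Key and Sequence Number fields around a constructed IPv4 packet, then parses and validates it the way a receiver must before forwarding the inner packet (version and unsupported flags, field lengths, checksum). The inner addresses, the key value and the sequence number are constructed sample values; how the PDSN9660 itself assigns the GRE key to an A10 connection is not described on this page and is not assumed here.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Flag bits in the first 16-bit word of the GRE header (RFC 1701).
GRE_FLAG_C = 0x8000        # Checksum Present
GRE_FLAG_R = 0x4000        # Routing Present
GRE_FLAG_K = 0x2000        # Key Present
GRE_FLAG_S = 0x1000        # Sequence Number Present
GRE_VERSION_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800


@dataclass
class GreHeader:
    protocol: int
    checksum: Optional[int]
    key: Optional[int]
    sequence: Optional[int]
    header_len: int            # offset at which the encapsulated payload starts


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over big-endian 16-bit words; an odd tail is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(protocol: int, payload: bytes, key: Optional[int] = None,
              sequence: Optional[int] = None, with_checksum: bool = False) -> bytes:
    """Encapsulate payload in a GRE header; optional fields appear in RFC 1701 order."""
    flags, optional = 0, b""
    if with_checksum:
        flags |= GRE_FLAG_C
        optional += struct.pack("!HH", 0, 0)       # checksum (filled below) + offset
    if key is not None:
        flags |= GRE_FLAG_K
        optional += struct.pack("!I", key)
    if sequence is not None:
        flags |= GRE_FLAG_S
        optional += struct.pack("!I", sequence)
    packet = bytearray(struct.pack("!HH", flags, protocol) + optional + payload)
    if with_checksum:
        # The checksum covers the GRE header and the payload, computed with the field zeroed.
        struct.pack_into("!H", packet, 4, ones_complement_checksum(bytes(packet)))
    return bytes(packet)


def _need(data: bytes, offset: int, n: int) -> None:
    if len(data) < offset + n:
        raise ValueError("GRE header shorter than its flags claim")


def parse_gre(data: bytes) -> GreHeader:
    """Parse and validate a GRE header; raises ValueError on anything a receiver must drop."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", data[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    if flags & GRE_FLAG_R:
        raise ValueError("GRE source routing is not supported")
    offset, checksum, key, sequence = 4, None, None, None
    if flags & GRE_FLAG_C:
        _need(data, offset, 4)
        checksum = struct.unpack("!H", data[offset:offset + 2])[0]
        offset += 4
        if ones_complement_checksum(data) != 0:    # a correct checksum verifies to zero
            raise ValueError("GRE checksum mismatch")
    if flags & GRE_FLAG_K:
        _need(data, offset, 4)
        key = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_S:
        _need(data, offset, 4)
        sequence = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    return GreHeader(protocol, checksum, key, sequence, offset)


def decapsulate(data: bytes) -> Tuple[GreHeader, bytes]:
    header = parse_gre(data)
    return header, data[header.header_len:]


def is_valid_gre(data: bytes) -> bool:
    try:
        parse_gre(data)
        return True
    except ValueError:
        return False


def make_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Constructed IPv4 header (header checksum left zero) for the sample inner packet."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def inner_ipv4_addresses(ip_packet: bytes) -> Tuple[str, str]:
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        raise ValueError("encapsulated packet is not IPv4")
    return socket.inet_ntoa(ip_packet[12:16]), socket.inet_ntoa(ip_packet[16:20])


# Constructed sample: an uplink packet from an MS (10.0.0.5) to a PDN host (198.51.100.7),
# carried from the PCF to the PDSN9660 with key 0x2a and sequence number 7.
SAMPLE_INNER = make_ipv4("10.0.0.5", "198.51.100.7", b"hello")
SAMPLE_UPLINK = build_gre(ETHERTYPE_IPV4, SAMPLE_INNER, key=0x2A, sequence=7, with_checksum=True)

if __name__ == "__main__":
    hdr, inner = decapsulate(SAMPLE_UPLINK)
    print(hdr, inner_ipv4_addresses(inner))
```

The receiver rejects the frame rather than forwarding a truncated or corrupted inner packet, which is the behaviour a tunnel endpoint on the R-P interface needs: the inner packet is only handed to the PDN side after every header field the flags announce has been found and the checksum, when present, has verified.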
2.1 Configuration Preparation
This provides concepts related to the connection between the PDSN9660 and the packet control function (PCF).

2.2 Networking for Connecting to the PCF
This describes the networking for connecting to the packet control function (PCF).

2.3 Configuring the Physical Interface
This describes how to configure a physical interface to establish the physical path between the PDSN9660 and the network entity.

2.4 Configuring the Eth-trunk Interface
This describes how to configure the Eth-trunk interface. To enhance networking reliability, configure the Eth-trunk interface to establish the path between the PDSN9660 and the network entity, and enable the Address Resolution Protocol (ARP) probe function.

2.5 Configuring the R-P Interface
This describes how to create the logical communication path between the packet control function (PCF) and the PDSN9660.

2.6 Configuring the Static Route to the PCF
This describes how to configure the static route to realize the interworking between the PDSN9660 and the packet control function (PCF) at the network layer.

2.7 Setting the SPI Parameters
This describes how to set the security parameter index (SPI). The SPI is an extended option in an A11 message. It provides security parameters, such as the authentication mode and key, for reliable transmission of the A11 message.

2.8 Configuring the A11 Timer
This describes how to configure the A11 timer and the Point-to-Point Protocol (PPP) timer.

2.9 Commissioning the Data for the Interworking with the PCF
This provides the commands for commissioning the configuration data for the interworking with the packet control function (PCF).

2.10 Configuration Example
This provides an example of the configuration for the interworking between the PDSN9660 and the packet control function (PCF).
2.1 Configuration Preparation

Related Concepts

Concepts related to interfaces
- Physical interface: Overview of NEs and Interfaces; Physical Interfaces; Relation Between Logical Interfaces and Physical Interfaces; Interface Naming Rules
- Logical interface: Logical Interfaces; Interface Naming Rules
- Eth-trunk interface: Logical Interfaces; Relation Between Logical Interfaces and Physical Interfaces; Interface Naming Rules

Concepts related to networking modes
- Networking of the single physical interface mode: Networking of Single Physical Interface and Static Routing Mode
- Networking of Eth-trunk active/standby mode and static routing mode: Networking of Eth-trunk Active/Standby Mode and Static Routing Mode
- Networking of Eth-trunk load-sharing mode and dynamic routing mode: Networking of Eth-trunk Load-sharing Mode and Dynamic Routing Mode
Configuration Roadmap
For the interworking between the PDSN9660 and the base station controller (BSC)/PCF, you must establish the physical path and the logical link, and configure the routing protocol for the interworking at the network layer. See Figure 2-1.
Figure 2-1 Networking for the interworking between the PDSN9660 and the PCF (flowchart: configure data for interworking with the PCF; choose a networking mode; simple networking: configure the physical interface; reliability networking: configure the Eth-trunk interface; end)
By clicking the following operations, you can check the corresponding configuration tasks.
- 2.3 Configuring the Physical Interface
- 2.4 Configuring the Eth-trunk Interface
- 2.5 Configuring the R-P Interface
- 2.6 Configuring the Static Route to the PCF
- 2.7 Setting the SPI Parameters
- 2.8 Configuring the A11 Timer
Networking Scheme: Simple networking
Characteristic: It is easy to configure the physical path by using a single physical interface. This method is suitable for simple networks. One configured physical interface can be shared by two links.

Networking Scheme: Reliability networking
Characteristic:
- Eth-trunk active/standby mode: It can enhance reliability. When a member link is faulty, the traffic is automatically switched to an available link.
- Eth-trunk load-sharing mode: It can improve bandwidth usage and enhance reliability. The bandwidth of the Eth-trunk interface is the total bandwidth of all physical interfaces. If a physical interface is Down, other member interfaces are still available for data transmission.
2. Establish the logical path. For details, see 2.5 Configuring the R-P Interface.

3. Configure the route to the BSC/PCF for the interworking at the network layer with the BSC/PCF.

   Routing Protocol     Characteristic
   Static routing mode  The static routing mode is applicable for a small stable network with simple topology.

4. Set the parameters related to the security parameter index (SPI), such as the IP address of the signaling plane on the PCF, IP address of the R-P interface on the PDSN9660, SPI value, authentication algorithm, authentication mode, key, and anti-replay mode. For details, see 2.7 Setting the SPI Parameters.

5. (Optional) Set the parameters related to the A11 timer and the PPP timer. For details, see 2.8 Configuring the A11 Timer.
2.2 Networking for Connecting to the PCF

Table 2-1 Common networking schemes (columns: Networking Scheme, Networking Requirement, Configuration Example)

The Eth-trunk active/standby mode can improve reliability. When a member link is faulty, the traffic is automatically switched to an available link. This scheme simplifies the configurations when the PDSN9660 interworks with multiple BSCs/PCFs. This scheme features easy management. If the IP addresses or the planning of the BSCs/PCFs are changed, no configuration change is required on the PDSN9660.
2.3 Configuring the Physical Interface

Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
Single physical interface is a simple method to set up a physical path.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a virtual private network (VPN), you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning
No.  Data
1    Name of the physical interface that is connected to the networking entities
2    (Optional) VPNs to which the interfaces are bound
3    IP addresses and subnet masks of the physical interfaces
Procedure
Step 1 Run interface to enter the interface view.
Step 2 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 3 Run ip address to set the IP address of the physical interface.
----End
2.4 Configuring the Eth-trunk Interface

Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
An Eth-trunk interface can work in either active/standby mode or load-sharing mode.
- Active/standby mode: It can enhance reliability. When a member link is Down, the traffic is automatically switched to another available link.
- Load-sharing mode: It can improve bandwidth usage and enhance reliability. The bandwidth of the Eth-trunk interface is the total bandwidth of all physical interfaces. If a physical interface is Down, other member interfaces are still available for data transmission.

Configuring an active and a standby Eth-trunk interface that each operate in load-sharing mode can further enhance reliability and ensure connectivity of the physical path. You can configure the cost value for running Open Shortest Path First (OSPF) on an interface to specify whether the interface is active or standby. The interface with the larger cost value serves as the standby interface.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a VPN, you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning
Data planning for configuring the Eth-trunk interface

No.  Data
1    Physical interfaces that are bound to an Eth-trunk logical interface
2    Operating modes of the Eth-trunk logical interfaces
3    (Optional) VPNs to which the interfaces are bound
4    IP addresses of the Eth-trunk logical interfaces
Procedure
Step 1 Run interface eth-trunk to create an Eth-trunk interface.
Step 2 Run workmode to set the operating mode of the Eth-trunk interface to active/standby or load-sharing.
Step 3 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 4 Run ip address to set the IP address of the Eth-trunk interface.
Step 5 Run quit to return to the system view.
Step 6 Run interface to enter the physical interface view.
Step 7 Run eth-trunk to bind the physical interface to the specific Eth-trunk interface.
----End
2.5 Configuring the R-P Interface

Prerequisite

- The network environment between the PDSN9660 and the PCF is established.
- The physical interface is configured and commissioned. For details, see 2.3 Configuring the Physical Interface.
Data Planning
No.  Data
1    Name of the R-P interface that is used to interwork with the PCF
2    IP address of the interface
Procedure
Step 1 Run interface to enter the interface view and create the R-P interface.
NOTE
The created interface must be the planned R-P interface. The interface name consists of the interface type rpif and the interface number. The interface number is in the format of SPU group number/virtual interface card number/virtual port number. The R-P interface is created on the SPU and can be configured only when the SPU runs normally and no user exists on the SPU. You cannot configure the R-P interface if the SPU is not started or when it is starting.
When you set the IP address of the R-P interface, the subnet mask must be set to 255.255.255.255.
----End
2.6 Configuring the Static Route to the PCF

Prerequisite

- The network environment between the PDSN9660 and the PCF is established.
- The physical interface is configured. For details, see 2.3 Configuring the Physical Interface.
- The R-P interface is configured. For details, see 2.5 Configuring the R-P Interface.
Configuration Principle
You can configure only the static route between the PDSN9660 and the PCF.
Data Planning
No.  Data
1    IP address and subnet mask of the R-P interface (signaling plane on the PCF)
2    IP address of the next hop router or firewall to the PCF
Procedure
Run ip route-static to configure a static route.
NOTE
The destination address of the static route is an IP address of the network segment to which the R-P interface (signaling plane of the PCF) belongs. The next hop address is the IP address of the router or the firewall to which the PDSN9660 connects.
CAUTION
On the next hop router or firewall, you must configure the static route to the PDSN9660. The destination address of the static route is the IP address of the R-P interface on the PDSN9660, and the next hop address is the IP address of the physical interface on the PDSN9660 used for interworking with the PCF, or the next hop address can be the IP address of the Eth-trunk interface when reliability networking is adopted.

----End
2.7 Setting the SPI Parameters

Prerequisite
The R-P interface is configured. For details, see 2.5 Configuring the R-P Interface.
CAUTION
On the packet control function (PCF), you must set the same SPI value, authentication mode, and key as those on the PDSN9660. Otherwise, the A10 connection between the PDSN9660 and the PCF cannot be established.
Data Planning
No.  Data
1    IP address of the R-P interface on the PCF, and that of the R-P interface on the PDSN9660
2    SPI value, authentication algorithm, authentication mode, and key between the PDSN9660 and the PCF
3    Anti-replay mode between the PDSN9660 and the PCF
Procedure
Step 1 Run access-view to enter the access view.
Step 2 Run pcf to set the SPI parameters, such as the IP address of the signaling plane on the PCF, IP address of the R-P interface on the PDSN9660, SPI value, authentication algorithm, authentication mode, key, and anti-replay mode.
NOTE
Anti-replay prevents any user from repeatedly sending the same data packet: the receiver rejects an old or a duplicate packet.
----End
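To make the SPI parameters concrete, the following Python block models what a receiver does with them: it looks up the shared key by SPI, recomputes the MD5 prefix-postfix authenticator (MD5 over key || protected data || key, the construction of RFC 2002 that the "prefix-postfix" authentication mode names), compares it in constant time, and only then applies timestamp anti-replay. This is an added example written for this edition, not Huawei code and not the PDSN9660's A11 implementation; the message layout (a body, an 8-byte timestamp identification field, a 6-byte authentication extension header carrying the SPI, and a 16-byte authenticator), the 300-second replay window and the key value are constructed assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List

AUTH_EXT_TYPE = 32            # Mobile-Home Authentication Extension type in RFC 2002
AUTHENTICATOR_LEN = 16        # MD5 digest length
IDENT_LEN = 8                 # identification field carrying the sender timestamp (assumed layout)
EXT_HEAD_LEN = 6              # type (1) + length (1) + SPI (4)


@dataclass
class SpiEntry:
    """Receiver-side record for one SPI: the shared key and the replay state."""
    key: bytes
    replay_window: int = 300      # seconds of clock skew tolerated (assumed value)
    last_timestamp: int = 0       # highest timestamp accepted so far from this peer


def compute_authenticator(key: bytes, protected: bytes) -> bytes:
    """Prefix-postfix keyed MD5 as in RFC 2002: MD5(key || data || key)."""
    return hashlib.md5(key + protected + key).digest()


def build_registration(body: bytes, timestamp: int, spi: int, key: bytes) -> bytes:
    """Sender side: body || identification || auth extension header || authenticator."""
    protected = (body + struct.pack("!Q", timestamp)
                 + struct.pack("!BBI", AUTH_EXT_TYPE, 4 + AUTHENTICATOR_LEN, spi))
    return protected + compute_authenticator(key, protected)


def verify_registration(message: bytes, spi_table: Dict[int, SpiEntry], now: int) -> str:
    """Receiver side. Returns 'accepted' or the reason for rejection.

    The authenticator is checked before any replay state is touched, so an
    unauthenticated message can never advance the peer's accepted timestamp.
    """
    if len(message) < IDENT_LEN + EXT_HEAD_LEN + AUTHENTICATOR_LEN:
        return "malformed"
    protected, authenticator = message[:-AUTHENTICATOR_LEN], message[-AUTHENTICATOR_LEN:]
    ext_type, ext_len, spi = struct.unpack("!BBI", protected[-EXT_HEAD_LEN:])
    if ext_type != AUTH_EXT_TYPE or ext_len != 4 + AUTHENTICATOR_LEN:
        return "malformed"
    entry = spi_table.get(spi)
    if entry is None:
        return "unknown-spi"
    expected = compute_authenticator(entry.key, protected)
    if not hmac.compare_digest(expected, authenticator):
        return "bad-authenticator"
    (timestamp,) = struct.unpack("!Q", protected[-(IDENT_LEN + EXT_HEAD_LEN):-EXT_HEAD_LEN])
    if abs(now - timestamp) > entry.replay_window:
        return "stale-timestamp"
    if timestamp <= entry.last_timestamp:
        return "replay"
    entry.last_timestamp = timestamp
    return "accepted"


# Constructed sample values; the key is not the one from this document's example.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_SPI = 256
SAMPLE_BODY = bytes([1, 0, 0, 0]) + b"\x00" * 12     # stands in for a registration request body


def demo(now: int = 1_700_000_000) -> List[str]:
    """Runs the accept / replay / tamper / unknown SPI / stale cases, in that order."""
    table = {SAMPLE_SPI: SpiEntry(SAMPLE_KEY)}
    msg = build_registration(SAMPLE_BODY, now - 2, SAMPLE_SPI, SAMPLE_KEY)
    tampered = bytearray(msg)
    tampered[0] ^= 0x01                                  # one bit of the body changed
    unknown = build_registration(SAMPLE_BODY, now, 999, SAMPLE_KEY)
    stale = build_registration(SAMPLE_BODY, now - 3600, SAMPLE_SPI, SAMPLE_KEY)
    return [
        verify_registration(msg, table, now),
        verify_registration(msg, table, now + 1),
        verify_registration(bytes(tampered), table, now),
        verify_registration(unknown, table, now),
        verify_registration(stale, table, now),
    ]


if __name__ == "__main__":
    print(demo())
```

The order of the checks is the point of the example. A mismatched SPI, key, or authentication mode on the PCF side (the CAUTION above) fails at the "unknown-spi" or "bad-authenticator" step before any state changes, which is why the A10 connection cannot be established until both ends agree; the timestamp comparison, which implements the "Timestamp" anti-replay mode, only runs on messages that have already authenticated.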
2.8 Configuring the A11 Timer

Context
An A10 connection between the PDSN9660 and the packet control function (PCF) is set up, refreshed or released through A11 messages.
- When a mobile station (MS) initiates a packet data session, the base station controller (BSC) coordinates the air channel. After the radio access network (RAN) is set up, the PCF sends an A11 registration request to the PDSN9660 for establishing an A10 connection. If the PDSN9660 accepts the A11 registration request, the PDSN9660 returns an A11 registration reply containing the accept indication to inform the PCF that the A10 connection is established. The establishment of the A10 connection indicates that the data path for the user is set up. Then, the PPP negotiation between the MS and the PDSN9660 can be started through this path.
The user data over the path is encapsulated by using the Generic Routing Encapsulation (GRE) protocol. For details about GRE, see RFC1701.
Data Planning
No.  Data
1    Number of retransmission times of registration update messages
2    Timeout interval of the dormant timer
3    Timeout interval of the registration update timer
4    Interval for the registration lifetime timer of the A10 connection
Procedure
Step 1 Run access-view to enter the access view.
Step 2 Run a11timer to configure the A11 timer, that is, set the number of retransmission times of registration update messages, timeout interval of the dormant timer, timeout interval of the registration update timer, and interval for the registration lifetime timer of the A10 connection.
----End
2.9 Commissioning the Data for the Interworking with the PCF
This provides the commands for commissioning the configuration data for the interworking with the packet control function (PCF).
Context
When the preceding configuration is complete, you can run the following commands to check the running status or configuration result.

Table 2-2 Displaying the data for the interworking between the PDSN and the PCF

Command                        Function
display current-configuration  Displays the current configuration of the interface.
display ip interface           Displays the running status of the interface.
display ip routing-table       Displays the abstract information about the routing table and information about the route with a specified destination IP address.
…                              Displays the security parameter index (SPI) parameters and PCF-related information.
…                              Displays the parameters of the A11 timer.

When some configuration is incorrect or requires modification, you can run the following commands to delete the current configuration and reconfigure the system.

Table 2-3 Deleting the data for the interworking between the PDSN and the PCF

Command               Function
undo interface        Deletes the configuration of the interface.
shutdown              Shuts down the physical interface.
undo ip address       Deletes the IP address of the interface.
undo ip route-static  Deletes a specified static route.
undo pcf              Deletes the SPI parameters and PCF-related information.
2.10 Configuration Example

Networking Requirement

In the CDMA2000 core network, the PDSN9660 connects to the PCF through router A. See Figure 2-2. The PDSN9660 must interwork with the PCF.

Figure 2-2 Networking for the interworking between the PDSN9660 and the PCF (PCF 10.8.10.1/24; PDSN9660 rpif3/0/0 10.8.20.1/32)
Data Collection
Plan the data as follows:

Physical interface
  Ethernet interface: Ethernet2/0/0
  IP address and subnet mask of the Ethernet2/0/0 interface: 10.8.60.1/255.255.255.0
  IP address of the interface on router A that is connected to the Ethernet2/0/0 interface: 10.8.60.3/255.255.255.0

R-P interface
  IP address and subnet mask of the rpif3/0/0 interface: 10.8.20.1/255.255.255.255

SPI
  IP address of the control plane of the PCF: 10.8.10.1
  IP address of the signaling plane of the PDSN9660: 10.8.20.1
  Security parameter index (SPI) between the PDSN9660 and the PCF: 256
  Key: 0123456789abcdef
  Authentication algorithm: MD5
  Security mode: prefix-postfix
  Anti-replay mode: Timestamp

Parameters about the A11 timer and the dormant timer
  Number of retransmission times of registration update messages: 2
  Timeout interval of the dormant timer: 10 minutes
  Timeout interval of the registration update timer: 3 seconds
  Timeout interval of the registration life cycle timer of the A10 connection: 1800 seconds
Configuration Procedure
1. Set the IP address and subnet mask of the Ethernet2/0/0 interface.
[PDSN]interface ethernet2/0/0
[PDSN-ethernet2/0/0]ip address 10.8.60.1 255.255.255.0
[PDSN-ethernet2/0/0]quit
2. (step text not recoverable from the source)
3. (step text not recoverable from the source)
4. Set the SPI parameters.
# Set the IP address of the control plane of the PCF to 10.8.10.1, the IP address of the R-P interface of the PDSN9660 to 10.8.20.1, the SPI to 256, the authentication algorithm for A11 messages to MD5, the key to 0123456789abcdef, the authentication mode to prefix-postfix, and the anti-replay mode to timestamp.
[PDSN]access-view
[PDSN-access]pcf pcfip 10.8.10.1 pdsnip 10.8.20.1 spi 256 share-key 0123456789abcdef authalgo 1 authmode 1 replaymode 1
NOTE
On router A, you need to configure a static route to the PDSN9660. The destination address of the static route is 10.8.20.1. This is the IP address of the rpif3/0/0 interface on the PDSN9660. The next hop address is 10.8.60.1. This is the IP address of the physical interface Ethernet2/0/0 on the PDSN9660.
5. Set the parameters for the A11 timer. Set the number of retransmission times of registration update messages to 2, the timeout interval of the dormant timer to 10 minutes, the timeout interval of the registration update timer to 3 seconds, and the timeout interval of the registration life cycle timer of the A10 connection to 1800 seconds.
[PDSN-access]a11timer resndnum 2 tdormant 10 tregupd 3 trp 1800
[PDSN-access]quit
[PDSN]quit
6. (step text not recoverable from the source)
Interworking Test
Run ping to check whether the link to the PCF is normal.
NOTE
- If the link is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.
- When checking the connectivity of the R-P interface, specify the parameter SRCIP as the IP address of the R-P interface. If SRCIP is not set, the PDSN9660 takes the address of the physical interface that sends the ping packets as the source IP address by default. In this case, you can check the connectivity between the peer and the physical interface sending the ping packets rather than the connectivity between the R-P interface and the peer.
Networking Requirement
To guarantee communication reliability between the PDSN9660 and the PCF, reliability networking is adopted. When the active link fails, the system automatically switches the traffic to the standby link. In the CDMA2000 core network, the PDSN9660 connects to the PCF through router A. See Figure 2-3. Therefore, the PDSN9660 must interwork with the PCF.
Figure 2-3 Reliability networking for the interworking between the PDSN9660 and the PCF (diagram not reproduced; labels: PCF 10.8.10.1/28, PDSN9660 rpif3/0/0 10.8.20.1/32)
Data Collection
Plan the data as follows:

Eth-trunk0
  Eth-trunk0: Bound with GigabitEthernet1/0/0 and GigabitEthernet1/0/1
  Operating mode of the Eth-trunk0 interface: Active/standby mode
  IP address and subnet mask of the Eth-trunk0 interface: 10.3.37.94/255.255.255.240
  IP address of the interface on router A that is connected to the Eth-trunk0 interface: 10.3.37.81

R-P interface
  IP address and subnet mask of the rpif3/0/0 interface: 10.8.20.1/255.255.255.255

SPI
  IP address of the control plane of the PCF: 10.8.10.1
  IP address of the signaling plane of the PDSN9660: 10.8.20.1
  Security parameter index (SPI) between the PDSN9660 and the PCF: 256
  Key: 0123456789abcdef
  Authentication algorithm: MD5
  Security mode: prefix-postfix
  Anti-replay mode: Timestamp

Parameters about the A11 timer and the dormant timer
  Number of retransmission times of registration update messages: 2
  Timeout interval of the dormant timer: 10 minutes
  Timeout interval of the registration update timer: 3 seconds
  Timeout interval of the registration life cycle timer of the A10 connection: 1800 seconds
Configuration Procedure
1. Configure the Eth-trunk0 interface.
[PDSN]interface eth-trunk 0
[PDSN-Eth-Trunk0]workmode backup
[PDSN-Eth-Trunk0]ip address 10.3.37.94 255.255.255.240
[PDSN-Eth-Trunk0]quit
2. Bind the physical interfaces to the Eth-trunk0 interface. Bind the GigabitEthernet1/0/0 interface to the Eth-trunk0 interface.
[PDSN]interface GigabitEthernet1/0/0
[PDSN-GigabitEthernet1/0/0]eth-trunk 0
[PDSN-GigabitEthernet1/0/0]quit
3. (step text not recoverable from the source)
4. (step text not recoverable from the source)
5. Set the SPI parameters.
# Set the IP address of the control plane of the PCF to 10.8.10.1, the IP address of the R-P interface of the PDSN9660 to 10.8.20.1, the SPI to 256, the authentication algorithm for A11 messages to MD5, the key to 0123456789abcdef, the authentication mode to prefix-postfix, and the anti-replay mode to timestamp.
[PDSN]access-view
[PDSN-access]pcf pcfip 10.8.10.1 pdsnip 10.8.20.1 spi 256 share-key 0123456789abcdef authalgo 1 authmode 1 replaymode 1
NOTE
On router A, you need to configure a static route to the PDSN9660. The destination address of the static route is 10.8.20.1. This is the IP address of the rpif3/0/0 interface on the PDSN9660. The next hop address is 10.8.60.1. This is the IP address of the physical interface Ethernet2/0/0 on the PDSN9660.
6. Set the parameters for the A11 timer. Set the number of retransmission times of registration update messages to 2, the timeout interval of the dormant timer to 10 minutes, the timeout interval of the registration update timer to 3 seconds, and the timeout interval of the registration life cycle timer of the A10 connection to 1800 seconds.
[PDSN-access]a11timer resndnum 2 tdormant 10 tregupd 3 trp 1800
[PDSN-access]quit
[PDSN]quit
7. (step text not recoverable from the source)
Interworking Test
Run ping to check whether the link to the PCF is normal.
NOTE
- If the link is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.
- When checking the connectivity of the R-P interface, specify the parameter SRCIP as the IP address of the R-P interface. If SRCIP is not set, the PDSN9660 takes the address of the physical interface that sends the ping packets as the source IP address by default. In this case, you can check the connectivity between the peer and the physical interface sending the ping packets rather than the connectivity between the R-P interface and the peer.
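As an added illustration (not PDSN9660 code, and not from this manual) of what the SPI settings in both configuration examples above establish, the following Python models the A11 registration-message protection they configure: the shared key and SPI from the data plan, MD5 in prefix-postfix (prefix+suffix) mode, and timestamp anti-replay. The message layout, the extension type and the 7-second clock window are assumptions for illustration.

```python
import hashlib
import hmac
import socket
import struct

# SPI, key, addresses and the 1800 s lifetime come from the data plan above; the
# message layout, the extension type and the replay window are constructed
# simplifications for illustration, not the PDSN9660's implementation.
SPI = 256
SHARED_KEY = b"0123456789abcdef"
PCF_IP = "10.8.10.1"            # control plane of the PCF
PDSN_IP = "10.8.20.1"           # R-P interface (rpif3/0/0) of the PDSN9660
AUTH_EXT_TYPE = 32              # Mobile IP (RFC 2002) authentication extension type
AUTH_EXT_LEN = 4 + 16           # SPI (4 bytes) + MD5 authenticator (16 bytes)
REPLAY_WINDOW = 7               # assumed clock tolerance in seconds (not from the page)
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
BODY_FMT = "!BBH4s4sQ"          # type, flags, lifetime, home addr, agent addr, identification


def ntp_identification(unix_seconds: int) -> int:
    """Identification field in timestamp anti-replay mode: a 64-bit NTP-style
    timestamp with the seconds in the high 32 bits."""
    return ((unix_seconds + NTP_EPOCH_OFFSET) & 0xFFFFFFFF) << 32


def registration_body(lifetime: int, identification: int) -> bytes:
    """Constructed A11 Registration Request body (type 1)."""
    return struct.pack(BODY_FMT, 1, 0, lifetime, socket.inet_aton(PCF_IP),
                       socket.inet_aton(PDSN_IP), identification)


def prefix_suffix_md5(key: bytes, data: bytes) -> bytes:
    """'prefix-postfix' security mode: the key is prepended and appended to the
    protected data before hashing, i.e. MD5(key || data || key)."""
    return hashlib.md5(key + data + key).digest()


def protected(body: bytes, spi: int) -> bytes:
    """The authenticator covers the message body plus the extension's own type,
    length and SPI fields (everything except the authenticator itself)."""
    return body + struct.pack("!BBI", AUTH_EXT_TYPE, AUTH_EXT_LEN, spi)


def sign(body: bytes, key: bytes = SHARED_KEY, spi: int = SPI) -> bytes:
    """Append the authentication extension to the body."""
    return protected(body, spi) + prefix_suffix_md5(key, protected(body, spi))


class ReplayState:
    """Per-peer record of the newest identification accepted so far."""
    def __init__(self) -> None:
        self.last_identification = 0


def verify(message: bytes, state: ReplayState, now_unix: int,
           key: bytes = SHARED_KEY) -> str:
    """Receiver-side checks: SPI lookup, authenticator (constant-time compare),
    timestamp freshness, then the strictly increasing identification check."""
    body_len = struct.calcsize(BODY_FMT)
    body, ext = message[:body_len], message[body_len:]
    if len(ext) != 2 + AUTH_EXT_LEN:
        return "malformed"
    ext_type, ext_len, spi = struct.unpack("!BBI", ext[:6])
    if ext_type != AUTH_EXT_TYPE or ext_len != AUTH_EXT_LEN or spi != SPI:
        return "unknown-spi"
    if not hmac.compare_digest(prefix_suffix_md5(key, protected(body, spi)), ext[6:]):
        return "bad-authenticator"
    identification = struct.unpack("!Q", body[-8:])[0]
    sender_unix = (identification >> 32) - NTP_EPOCH_OFFSET
    if abs(sender_unix - now_unix) > REPLAY_WINDOW:
        return "stale-timestamp"
    if identification <= state.last_identification:
        return "replay"
    state.last_identification = identification
    return "ok"
```

A message replayed unchanged fails the identification check even though its authenticator is still valid, which is why the timestamp mode is configured alongside the key.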
The default port number for RADIUS authentication is 1812 and the default port number for RADIUS accounting is 1813.
Prerequisite
- The PDSN9660 and the AAA server are installed.
- The data for interworking with the PDSN9660 is configured on the AAA server.
3.1 Configuration Preparation
This describes the concepts related to the connection between the PDSN9660 and the authentication, authorization and accounting (AAA) server.

3.2 Planning the Networking for Connecting to the AAA Server
This describes the networking for connecting to the authentication, authorization and accounting (AAA) server.

3.3 Creating a VPN Instance
This describes how to create a virtual private network (VPN) instance to identify a VPN.

3.4 Configuring the Physical Interface
This describes how to configure a physical interface to establish the physical path between the PDSN9660 and the network entity.

3.5 Configuring the Eth-trunk Interface
This describes how to configure the Eth-trunk interface. To enhance networking reliability, configure the Eth-trunk interface to establish a path between the PDSN9660 and the network entity, and enable the Address Resolution Protocol (ARP) probe function.

3.6 Configuring the Sub-interface
This describes how to configure the sub-interface. To solve the problem of limited physical interfaces, configure the sub-interface to establish paths between the PDSN9660 and the network entity.

3.7 Configuring the Pi Interface
This describes how to create the logical communication path between the Pi and the authorization, authentication and accounting (AAA) server.

3.8 Configuring the GRE VPN
This describes how to configure the Generic Routing Encapsulation (GRE) virtual private network (VPN).

3.9 Configuring the IPSec Policy
This describes how to configure the IP Security (IPSec) policy.

3.10 Configuring the Static Route to the AAA Server
This describes how to configure the static route for the interworking between the PDSN9660 and the authorization, authentication and accounting (AAA) server at the network layer.

3.11 Configuring the Dynamic Route to the AAA Server
You can configure a dynamic route for the interworking between the PDSN9660 and the authorization, authentication and accounting (AAA) server at the network layer.

3.12 Configuring the AAA Authentication/Accounting Server
You must configure the authentication, authorization and accounting (AAA) server for authentication when the access mode is Point-to-Point Protocol (PPP) authentication access, or when the address assignment mode is assignment by the Remote Authentication Dial In User Service (RADIUS) server. You must configure the AAA server for accounting when an Internet service provider (ISP) or intranet requires RADIUS accounting for users.

3.13 Commissioning the Data for the Interworking with the AAA Server
This describes how to commission the data for the interworking with the authentication, authorization and accounting (AAA) server.

3.14 Configuration Example
This provides an example of the configuration for the interworking between the PDSN9660 and the authentication, authorization and accounting (AAA) server.
Related Concepts
Related concepts and where they are described:

Concepts related to interfaces
  Physical interface: see Overview of NEs and Interfaces, Physical Interfaces, Relation Between Logical Interfaces and Physical Interfaces, and Interface Naming Rules
  (concept name not shown in source): see Logical Interfaces and Interface Naming Rules
  (concept name not shown in source): see Logical Interfaces and Interface Naming Rules
  (concept name not shown in source): see Logical Interfaces, Relation Between Logical Interfaces and Physical Interfaces, and Interface Naming Rules

Concepts related to networking modes
  Networking of the single physical interface mode: see Networking of Single Physical Interface and Static Routing Mode
  Networking of Eth-trunk active/standby mode and static routing mode: see Networking of Eth-trunk Active/Standby Mode and Static Routing Mode
  Networking of the Eth-trunk load-sharing mode and dynamic routing mode: see Networking of Eth-trunk Load-sharing Mode and Dynamic Routing Mode
  Inband or outband networking with the AAA server: see Inband or Outband Networking with the AAA Server
Configuration Roadmap
See Figure 3-1. For the interworking between the PDSN9660 and the AAA server, you must establish the physical path and the logical link and configure the routing protocol for the interworking at the network layer.
Figure 3-1 (configuration roadmap flowchart; caption not shown in source. Nodes: Create a VPN instance (YES/NO); Choose a networking mode: Simple networking -> Configure the physical interface, Reliability networking -> Configure the Eth-trunk interface; GRE VPN -> Configure the GRE VPN, or Common connection; IPSec -> Configure the IPSec; Whether to configure the static or dynamic route: Static route -> Configure the static route to the AAA Server, Dynamic route -> Configure the dynamic route to the AAA Server; End)
By clicking the following operations, you can check the corresponding configuration tasks.
- 3.3 Creating a VPN Instance
- 3.4 Configuring the Physical Interface or 3.6 Configuring the Sub-interface
- 3.5 Configuring the Eth-trunk Interface or 3.6 Configuring the Sub-interface
- 3.7 Configuring the Pi Interface
- 3.8 Configuring the GRE VPN
- 3.9 Configuring the IPSec Policy
- 3.10 Configuring the Static Route to the AAA Server
- 3.11 Configuring the Dynamic Route to the AAA Server
- 3.12 Configuring the AAA Authentication/Accounting Server
NOTE
You can configure sub-interfaces to solve the problem of limited physical interfaces. Data traffic of different types can share one physical interface. You do not need to use a sub-interface if the physical interface or Eth-trunk interface can meet the requirements.
Networking scheme: (not shown in source)
Method: 3.4 Configuring the Physical Interface or 3.6 Configuring the Sub-interface
Characteristic: (not shown in source)

Networking scheme: Reliability networking
Method: 3.5 Configuring the Eth-trunk Interface
Characteristic: Load-sharing mode: It can improve bandwidth usage and enhance reliability. The bandwidth of the Eth-trunk interface is the total bandwidth of all physical interfaces. If a physical interface is Down, other member interfaces are still available for data transmission.
3. Configure the logical path. For details, see 3.7 Configuring the Pi Interface.
4. Select the connection mode in which the AAA server is connected.

   Connection mode: (not shown in source)
   Characteristic: Communication within the multi-protocol local network is implemented over the single-protocol backbone network. The coverage area of the network that runs over a hop-limited protocol is expanded. Discontinuous sub-networks are connected.

   Connection mode: 3.9 Configuring the IPSec Policy
   Characteristic: High-quality, interactive, and encryption-based security are provided for data packets transmitted on the Internet. Security services, such as access control, connectionless packet integrity, data source authentication, anti-replay protection, confidentiality, and limited transport stream confidentiality, are provided through the encryption and data source authentication mode at the IP layer between specified parties.
5. Configure the route to the AAA server for the interworking at the network layer with the AAA server.

   Routing protocol: 3.10 Configuring the Static Route to the AAA Server
   Characteristic: A static routing mode is applicable to a small stable network with simple topology.

   Routing protocol: 3.11 Configuring the Dynamic Route to the AAA Server
   Characteristic: A dynamic routing mode is suitable for a network with complex topology and a certain number of Layer 3 devices. The dynamic routing can automatically adapt to changes in network topology.
6. See 3.12 Configuring the AAA Authentication/Accounting Server to implement the authentication and accounting for the code division multiple access (CDMA) users.
Figure (inband and outband networking diagrams; figure number and caption not shown in source, and most of the diagram text is garbled. Recoverable labels: Inband networking: Domainx1~Domainxn, Eth-trunk1, Piif3/1/1 and AAA server binding VPN2; data packets and signaling packets employ the same VPN. Outband networking: Eth-trunk2, Piif3/0/0 and AAA server binding VPN_Radius; data packets and signaling packets employ different VPNs, with a separate physical interface (or Eth-trunk interface); PDN)
Table 3-1 Common networking schemes

Networking scheme: Inband networking
Networking requirement: For the Domain, data packets and Remote Authentication Dial In User Service (RADIUS) signaling packets destined for a packet data network (PDN) are transmitted through the same physical interface or Eth-trunk interface. If the VPN is employed for improving the interworking security, bind the physical interface or Eth-trunk interface, Pi interface, AAA server, and the Domain to the VPN and specify this VPN as the VPN instance of the specified route.
Configuration example: (not shown in source)

Networking scheme: Outband networking
Networking requirement: For a Domain, data packets and RADIUS signaling packets destined for a PDN are transmitted through different physical interfaces or Eth-trunk interfaces. Therefore, you must configure a physical interface or Eth-trunk interface for RADIUS signaling packets that is different from the physical interfaces or Eth-trunk interfaces for data packets. When the VPN is employed for improving the interworking security, different VPNs are employed by data packets and signaling packets. Therefore, bind the physical interface or Eth-trunk interface, route, and Domain that are for data packets to a VPN, and the physical interface or Eth-trunk interface, route, and AAA server that are for signaling packets to another VPN.
Configuration example: For details, see 3.14.2 Outband Networking.

Networking scheme: (not shown in source)
Networking requirement: Inband networking is employed for the interworking between the PDSN9660 and the AAA server. A Generic Routing Encapsulation (GRE) VPN tunnel can be established between the PDSN9660 and the routers or firewalls that are in the network segment with the AAA server. Bind the tunnel to the VPN to which the AAA server is bound.
Configuration example: For details, see 3.14.3 GRE VPN in Inband Networking.

Networking scheme: (not shown in source)
Networking requirement: Outband networking is employed for the interworking between the PDSN9660 and the AAA server. A GRE VPN tunnel can be established between the PDSN9660 and the routers or firewalls that are in the network segment with the PDN.
Configuration example: For details, see 3.14.4 GRE VPN in Outband Networking.

Networking scheme: (not shown in source)
Networking requirement: IPSec is enabled on the Pi interface. This interface is used to establish the security tunnel between the Pi and the AAA server. This tunnel can protect the data flows between the PDSN9660 and the AAA server.
Configuration example: For details, see 3.14.5 IPSec Policy Applied to the Pi Interface.
Configuration Principle
- You must configure the route distinguisher (RD) when establishing a VPN. A VPN can take effect only if the RD is configured.
- The value of the RD cannot be modified directly after it is configured. You must delete all VPN instances that employ this RD, which deletes the RD value, and then re-establish the VPNs by using a new RD value.
Data Planning
No.  Data
1    Name of the VPN instance
2    Global RD
Procedure
Step 1 Run ip vpn-instance to create a VPN instance.
Step 2 Run route-distinguisher to specify the RD of a VPN instance.
----End
Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
A single physical interface is the simplest way to set up a physical path.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a virtual private network (VPN), you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning
No.  Data
1    Name of the physical interface that is connected to the networking entities
2    (Optional) VPNs to which the interfaces are bound
3    IP addresses and subnet masks of the physical interfaces
Procedure
Step 1 Run interface to enter the interface view.
Step 2 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 3 Run ip address to set the IP address of the physical interface.
----End
Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
An Eth-trunk interface can work in either active/standby mode or load-sharing mode.
- Active/standby mode: It can enhance reliability. When a member link is Down, the traffic is automatically switched to another available link.
- Load-sharing mode: It can improve bandwidth usage and enhance reliability. The bandwidth of the Eth-trunk interface is the total bandwidth of all physical interfaces. If a physical interface is Down, other member interfaces are still available for data transmission.

The working mode of active and standby Eth-trunk interfaces that each operate in load-sharing mode can further enhance reliability and ensure connectivity of the physical path. You can configure the cost value for running Open Shortest Path First (OSPF) on an interface to specify whether the interface is active or standby. The interface with a larger cost value serves as the standby interface.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a VPN, you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning
Data planning for configuring the Eth-trunk interface

No.  Data
1    Physical interfaces that are bound to an Eth-trunk logical interface
2    Operating modes of the Eth-trunk logical interfaces
3    (Optional) VPNs to which the interfaces are bound
4    IP addresses of the Eth-trunk logical interfaces
Procedure
Step 1 Run interface eth-trunk to create an Eth-trunk interface.
Step 2 Run workmode to set the operating mode of the Eth-trunk interface to active/standby or load-sharing.
Step 3 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 4 Run ip address to set the IP address of the Eth-trunk interface.
Step 5 Run quit to return to the system view.
Step 6 Run interface to enter the physical interface view.
Step 7 Run eth-trunk to bind the physical interface to the specific Eth-trunk interface.
----End
Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
Data traffic of different types can share one physical interface with the sub-interface. You can configure multiple logical interfaces over one physical interface.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a VPN, you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning
Data planning for configuring the sub-interface

No.  Data
1    Names of the sub-interfaces
2    (not shown in source)
3    IP addresses and subnet masks of the sub-interfaces
Procedure
Step 1 Run interface to create a sub-interface and enter the sub-interface view.
Step 2 Optional: Run description to configure the description information about the interface.
Step 3 Optional: Run ip binding vpn-instance to bind the sub-interface to the specific VPN instance.
Step 4 Run ip address to set the IP address of the sub-interface.
----End
Context
The Pi interface is required for the interworking between the Pi and the AAA server. If the SPU is equipped with two CPUs, you must configure a Pi interface for each CPU. Only one global IP address of the Pi interface can be configured for each CPU on the active SPU. If new IP addresses are added for the Pi interface, the new IP addresses must be bound to virtual private networks (VPNs).
Prerequisite
The specified SPU is configured.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- You can specify a VPN for the logical interface to ensure security. In this case, you must bind the physical interface that corresponds to the logical interface to the VPN. To bind an interface to a VPN, you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning
No.  Data
1    Name of the Pi interface that interworks with the AAA server
2    (Optional) VPNs to which the interfaces are bound
3    IP address of the Pi interface
Procedure
Step 1 Run interface to create the Pi logical interface.
The interface to be created must be the planned Pi interface. The interface name consists of the interface type piif and the interface number. The interface number is in the format of SPU group number/CPU number/virtual port number. If the SPUs work in 1+1 backup mode, the SPU group number must be the odd slot number. If the PDSN9660 works in load-sharing mode, the SPU group number is the number of the slot where the SPU resides.
Step 2 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 3 Run ip address to set the IP address of the Pi interface.
NOTE
When the IP address of the Pi interface is set, the subnet mask must be 255.255.255.255.
----End
Prerequisite
The VPN instance is created. For details, see 3.3 Creating a VPN Instance.
Procedure
1. 3.8.1 Creating the Loopback Interface
   This describes how to create a loopback interface. In a Generic Routing Encapsulation (GRE) tunnel, the source address of a tunnel interface is obtained through the loopback interface.
2. 3.8.2 Creating the Tunnel Interface
   This describes how to create the tunnel interface. You can create multiple virtual private network (VPN) tunnels on the PDSN9660. These tunnels may belong to one VPN instance or different VPN instances.
3. 3.8.3 Configuring the Keepalive Function
   This describes how to configure the Generic Routing Encapsulation (GRE) that supports the Keepalive function on the PDSN. If GRE that supports Keepalive is configured on the PDSN, the PDSN can detect the tunnel status and avoid data loss caused by the unreachability of the remote end.
----End
Configuration Principle
- After a loopback interface is created, you need to set the IP address for the interface, configure the mapping between the loopback interface and the SPU, and bind GRE to the interface. Thus, when the outbound tunnel interface of a packet is the loopback interface, the packet is directly sent to the SPU.
- When you configure the GRE VPN tunnel, run binding tunnel gre to bind GRE to the loopback interface.
Data Planning
No.  Data
1    Name of the loopback interface
2    IP address of the loopback interface
3    Board to which the loopback interface is bound
4    Tunnel protocol that is bound to the loopback interface
Procedure
Step 1 Run interface to create the loopback interface.
Step 2 Run ip binding vpn-instance to bind the loopback interface to the VPN instance.
Step 3 Run ip address to set the IP address of the loopback interface.
Step 4 Run target-board to set the mapping between the loopback interface and the SPU.
Step 5 Run binding tunnel gre to bind GRE to the loopback interface.
----End
Context
Creating a VPN tunnel is similar to creating a physical path.
1. There must be a path between two devices for them to communicate with each other. Therefore, two Generic Routing Encapsulation (GRE) peers must be configured with virtual tunnel interfaces.
2. A link-layer protocol must be specified to encapsulate data packets on a physical path. Similarly, a tunnel encapsulation mode must be specified for data packets on a tunnel.
3. A tunnel, similar to a physical path, has a start point and an end point. Therefore, you must configure the source and destination IP addresses for a tunnel. With the source and destination IP addresses, a tunnel can be uniquely identified.
4. To make the tunnel support the dynamic routing protocols, the IP address of the tunnel interface needs to be configured.
5. There are some other optional configurations, for example, the security and reliability configurations of a tunnel.
Configuration Principle
- When you create the tunnel interface, it is recommended that the slot where the tunnel interface resides is the same as the slot where the source interface resides. That is, the slot where the interface sending GRE packets resides is employed, thus improving forwarding efficiency.
- The PDSN9660 supports the GRE VPN encapsulation. You must also create a tunnel on the peer router or firewall. The source IP address and destination IP address of the tunnel on the peer router or firewall are the destination IP address and source IP address of the tunnel on the PDSN9660 respectively.
- If you configure the identification keyword for the tunnel interface on the PDSN9660, the peer device must be configured with the same identification keyword.
Data Planning
No.  Data
1    Number of the tunnel interface
2    VPN instance to which the tunnel interface is bound
3    Network address of the tunnel interface
4    Encapsulation mode for the packets on the tunnel interface
5    Source IP address of the tunnel interface
6    Destination IP address of the tunnel interface
7    (Optional) Identity key of the tunnel interface
Procedure
Step 1 Run interface tunnel to create a virtual tunnel interface.
Step 2 Run ip binding vpn-instance to bind the tunnel interface to the VPN instance.
Step 3 Run ip address to set the IP address of the tunnel interface.

NOTE
If the IP addresses are insufficient or must be used efficiently, you can run ip address unnumbered to configure the tunnel interface to borrow the IP address of another interface. If you configure the tunnel interface to borrow the IP address of another interface, you cannot enable a dynamic routing protocol on the tunnel interface because it has no IP address of its own. In this case, you must configure a static route to the peer network segment and set the next hop to the peer tunnel interface to realize the connectivity between routers.

Step 4 Run tunnel-protocol to set the packet encapsulation mode of the tunnel interface.
Step 5 Run source to set the source IP address of the tunnel interface. The source IP address is obtained through the loopback interface that is specified as the source of the tunnel interface.
Step 6 Run destination to set the destination IP address of the tunnel interface.
Step 7 Optional: Run gre checksum to set the end-to-end check at the two ends of a GRE tunnel.
Step 8 Optional: Run gre key to set the identification keyword of the GRE tunnel interface.
----End
Prerequisite
- The link layer attributes of the interfaces are configured.
- The IP addresses for the interfaces are assigned.
- The GRE tunnel is established and the status of the tunnel is Up.
Context
The Keepalive function of the GRE tunnel is unidirectional. Whether the remote end supports the Keepalive function has no impact on the Keepalive function of the local end. To enable Keepalive on both ends, you need to enable the Keepalive function on both ends of the GRE tunnel. It is recommended to enable the Keepalive function on both ends of a tunnel. Before configuring a GRE tunnel, you must enable the Keepalive function of the GRE tunnel. This prevents the VPN from selecting a GRE tunnel whose remote end is unreachable and thus avoids data loss, for the following reasons:
- If the Keepalive function is not enabled, the tunnel interface of the local end may be Up even though the remote end is unreachable.
- If the Keepalive function is enabled on the local end, the tunnel interface of the local end is set to Down when the remote end is unreachable.
Data Planning
No.  Data
1    Interval for sending Keepalive packets
2    Parameter of the counter on unreachable packets
Procedure
Step 1 Run interface tunnel to enter the tunnel interface view.
Step 2 Run link-alive to enable the Keepalive function.
----End
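As an added model (not PDSN9660 code, and not from this manual) of the Keepalive behaviour described in the Context above: each tunnel end is driven independently, so an end with Keepalive enabled marks its interface Down after the unreachable counter reaches its threshold, while an end without Keepalive stays Up whatever happens to the peer. The two parameters stand in for the data-planning items (sending interval, unreachable counter); their values are sample ones.

```python
from dataclasses import dataclass

# Constructed model of GRE Keepalive; interval and retry_times correspond to the
# two data-planning items above, with sample values that are not from the page.


@dataclass
class GreEndpoint:
    name: str
    keepalive_enabled: bool
    interval: int = 10            # seconds between Keepalive packets (sample value)
    retry_times: int = 3          # unreachable counter threshold (sample value)
    state: str = "Up"             # tunnel interface state as seen by this end
    unreachable_count: int = 0

    def period(self, peer_reachable: bool) -> str:
        """Advance this end by one Keepalive interval.

        With Keepalive enabled, a probe goes out each interval; a missing reply
        increments the unreachable counter, and reaching retry_times sets the local
        tunnel interface Down. A reply resets the counter and brings it back Up.
        Without Keepalive the local state never changes, whatever the peer does."""
        if not self.keepalive_enabled:
            return self.state
        if peer_reachable:
            self.unreachable_count = 0
            self.state = "Up"
        else:
            self.unreachable_count += 1
            if self.unreachable_count >= self.retry_times:
                self.state = "Down"
        return self.state


def detection_time(endpoint: GreEndpoint) -> int:
    """Worst-case seconds before this end notices an unreachable peer."""
    return endpoint.interval * endpoint.retry_times


def run_tunnel(local: GreEndpoint, remote: GreEndpoint,
               path: list) -> tuple:
    """Drive both ends over a sequence of intervals; each bool says whether the
    path carried probes during that interval. Keepalive is unidirectional: each
    end only learns about the peer from its own probes, so the two state lists
    can disagree."""
    local_states = [local.period(ok) for ok in path]
    remote_states = [remote.period(ok) for ok in path]
    return local_states, remote_states
```

With Keepalive on only one end, the router side in this model keeps the tunnel Up throughout the outage, which is the situation the recommendation to enable Keepalive on both ends is meant to avoid.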
Configuration Roadmap
The IPSec policy can be implemented through manual configuration or Internet Key Exchange (IKE) negotiation. If the IKE negotiation mode is adopted, the IKE data must be configured in advance. Figure 3-3 shows how to implement the IPSec policy configuration.
Figure 3-3 (IPSec policy configuration flowchart; most of the diagram is not reproduced. Recoverable nodes: Choose the configuration mode; IKE negotiation -> Configure the IKE security proposal; End)
By clicking the following operations, you can check the corresponding configuration tasks.

3.9.1 Configuring the Protected Data Flows
This describes how to configure the protected data flows. With the IP Security (IPSec) function, the PDSN9660 can apply different security measures to different data flows. Therefore, you must set the access control rule for the protected data flows.

3.9.2 Configuring the IPSec Proposal
This describes how to configure the IP Security (IPSec) proposal. An IPSec proposal defines the security protocol, encapsulation mode, authentication algorithm, and encryption algorithm to be applied to protect data flows.

3.9.3 Configuring the IKE Security Proposal
This describes how to configure the Internet Key Exchange (IKE) security proposal.

3.9.4 Configuring the IKE Peer Attributes
This describes how to configure the Internet Key Exchange (IKE) peer attributes.

3.9.5 Configuring the IKE Local ID
This describes how to configure the Internet Key Exchange (IKE) local ID.

3.9.6 Configuring the IKE DPD Function
This describes how to configure the Internet Key Exchange (IKE) dead peer detection (DPD) function.

3.9.7 Configuring the Attributes of the IKE Keepalive Mechanism
This describes how to configure the attributes of the Internet Key Exchange (IKE) keepalive mechanism.

3.9.8 Configuring the IPSec Policy
This describes how to configure the IP Security (IPSec) policy. The IPSec policy or IPSec policy group defines the association between data flows and IPSec proposals, that is, the security measures for a specific type of data flows.

3.9.9 Applying an IPSec Policy to an Interface
This describes how to apply an IP Security (IPSec) policy to an interface.
Context
A data flow is the aggregation of a group of traffic. A data flow is defined by the source IP address and mask, destination IP address and mask, protocol number of the IP packets, source port number, and destination port number. It can be a single Transmission Control Protocol (TCP) connection between two hosts or all the traffic between two subnets. By checking whether packets match the access control list (ACL), the PDSN9660 distinguishes the IP packets to be forwarded after IPSec processing from those to be forwarded directly: packets permitted by the ACL are protected, packets denied by the ACL are not, and packets that match no rule are denied by default. All protected data flows need to be authenticated; data flows with higher security requirements should be authenticated and encrypted. Because one IPSec policy provides only one protection method, define a separate ACL and IPSec policy for each class of data flow.
Data Planning
1. ACL number
2. Source IP address of the IP packets
3. Destination IP address of the IP packets
4. Protocol number of the IP packets
5. Source port number of the IP packets
6. Destination port number of the IP packets
Operation Procedure
1. Run acl to create an ACL and enter the ACL view.
2. Run rule to set the access control rule for the data flows.
NOTE
The ACL defined on the local PDSN9660 and the ACL on the remote router must mirror each other: the source and destination of a rule at one end are the destination and source of the corresponding rule at the other end. Only then can data encrypted at one end be authenticated and decrypted at the peer end.
3.9.2 Configuring the IPSec Proposal
Context
Figure 3-4 Configuration of the IPSec proposal (figure not reproduced). An IPSec proposal consists of: transform (AH, ESP, or both); encapsulation mode (transport or tunnel); AH authentication algorithm (MD5 or SHA-1); ESP authentication algorithm (MD5, SHA-1, or null); ESP encryption algorithm (DES, 3DES, AES, or null).
As Figure 3-4 shows, the PDSN9660 supports both the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols, which can be used separately or together. AH supports the Message-Digest Algorithm 5 (MD5) and Secure Hash Algorithm 1 (SHA-1) authentication algorithms. ESP supports the MD5 and SHA-1 authentication algorithms and the Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES) encryption/decryption algorithms. DES (56-bit key) and MD5 are weak by current standards; prefer AES with SHA-1 whenever the peer supports them. An ESP proposal with the null encryption algorithm provides no confidentiality, and one with the null authentication algorithm provides no integrity protection. The PDSN9660 provides two encapsulation modes: transport mode and tunnel mode. In tunnel mode the original IP header, including the actual source and destination IP addresses, is encapsulated and therefore hidden.
CAUTION
For the same data flow, the same protocol, algorithm, and encapsulation mode must be set for the peers at both ends of a security tunnel.
Configuration Principle
- You can configure the authentication algorithm for AH only when the security protocol to be employed by the IPSec proposal is set to AH.
- You can configure the authentication algorithm and encryption algorithm for ESP only when the security protocol to be employed by the IPSec proposal is set to ESP.
Data Planning
1. IPSec proposal name
2. Security protocol to be employed
3. Authentication algorithm to be employed
4. Encryption algorithm to be employed
5. Encapsulation mode to be employed
Operation Procedure
1. Run ipsec proposal to create an IPSec proposal and enter the IPSec proposal view.
2. Run transform to set the IPSec protocol.
3. Run ah authentication-algorithm to set the authentication algorithm to be employed by the AH protocol.
4. Run esp authentication-algorithm to set the authentication algorithm to be employed by the ESP protocol.
5. Run esp encryption-algorithm to set the encryption algorithm to be employed by the ESP protocol.
6. Run encapsulation-mode to set the encapsulation mode to be employed by the IPSec protocol to encapsulate IP packets.
By default, tunnel mode is adopted. In transport mode, packets are protected only when their source and destination addresses are the two ends of the security tunnel; packets between other hosts that merely pass through the tunnel endpoints are not protected.
3.9.3 Configuring the IKE Security Proposal
Context
The IKE security proposal is used in IKE negotiation to agree on the encryption algorithm, authentication algorithm, Diffie-Hellman (DH) group ID, and lifetime of the IKE security association (SA). This phase (IKE phase one) sets up an Internet Security Association and Key Management Protocol (ISAKMP) SA. You can create multiple IKE security proposals with different priorities; the negotiation succeeds only when at least one IKE security proposal on one side matches one on the other side. DH group 1 (768-bit MODP) is too small for long-term security; use group 2 or larger wherever the peer supports it.
Data Planning
1. Priority of the IKE security proposal
2. Encryption algorithm, preshared authentication method, and authentication algorithm
3. DH group ID
4. Lifetime of the IKE SA
Operation Procedure
Figure 3-5 IKE proposal configuration map (figure not reproduced). An IKE proposal consists of: authentication algorithm (MD5 or SHA-1); authentication method (pre-share); encryption algorithm (DES, 3DES, or AES); DH group (group1 or group2); SA duration.
1. Run ike proposal to create an IKE security proposal and enter the IKE proposal view.
2. Run encryption-algorithm to specify the encryption algorithm to be used by the IKE proposal.
3. Run authentication-method to specify the authentication method to be used by the IKE proposal.
4. Run authentication-algorithm to specify the authentication algorithm to be used by the IKE proposal.
5. Run dh to specify the DH group ID to be used during the key negotiation in phase one of IKE negotiation.
6. Run sa duration to set the lifetime of the IKE SA.
3.9.4 Configuring the IKE Peer Attributes
Prerequisite
- The local ID for the IKE negotiation is configured when the aggressive mode is employed.
- The IKE security proposal is configured.
Background
Figure 3-6 IKE peer configuration procedure (figure not reproduced). An IKE peer consists of: exchange mode (aggressive or main); IKE proposal; pre-shared key; local ID type (IP or name); remote address; remote name.
Configuration Principle
- If the IKE proposal referenced by the IKE peer uses the preshared key authentication method, both negotiation ends must be configured with the same authentication key. Otherwise, the IKE proposal cannot be used. Choose a long, random key: in aggressive mode the identities and the hashes derived from the preshared key are exchanged before the negotiation is encrypted, so a short or guessable key can be recovered offline by anyone who captures the exchange.
- When the aggressive mode is adopted for IKE negotiation, the ID of the IKE peer must be of the name type. For the main mode, the ID of the IKE peer must be of the IP address type.
Data Planning
1. Whether the main mode or the aggressive mode is employed as the IKE negotiation mode
2. IKE security proposal ID to be referenced by the IKE peer
3. Character string used as the authentication key
4. ID type of the IKE peer
5. Name and IP address of the IKE peer
Operation Procedure
1. Run ike peer to create an IKE peer and enter the IKE peer view.
2. Run exchange-mode to set the IKE negotiation mode.
3. Run ike-proposal to configure the IKE security proposal to be referenced by the IKE peer.
NOTE
By default, for the aggressive mode negotiation, the IKE proposal with the highest priority is referenced; for the main mode negotiation, all the IKE proposals of the local end are referenced.
4. Run pre-shared-key to set the authentication key for the preshared key authentication method. If the IKE proposal referenced by the IKE peer uses the preshared key authentication method, the preshared key must be configured with this command.
5. Run local-id-type to set the ID type of the IKE peer.
6. Run remote-name to set the remote name of the IKE peer when the IKE peer ID is of the name type.
7. Run remote-address to set the remote IP address of the IKE peer when the IKE peer ID is of the IP address type.
3.9.5 Configuring the IKE Local ID
Background
The aggressive mode is adopted for IKE negotiation when the IP address of the peer device is not specified or changes. The main mode is adopted for IKE negotiation when the IP address of the peer is specified.
Configuration Principle
The local ID is required for the IKE negotiation in aggressive mode. The local ID is not required for the main mode.
Data Planning
1. Local ID
Operation Procedure
Run ike local-name to set the local ID for the IKE negotiation.
3.9.6 Configuring the IKE DPD Function
Context
With the DPD function, the PDSN9660 exchanges Hello/Ack messages to check whether a peer is still operating. If the local device has received no packets from a peer within the specified period and has IP Security (IPSec) encrypted packets to send to that peer, it sends a DPD enquiry message. If a response arrives, the peer is considered alive. If no response arrives after the DPD message has been retransmitted the configured number of times, the peer is considered dead, and the backup link or route is used to forward the IPSec service flows.
Data Planning
1. Interval for sending DPD packets
2. Number of retransmissions of DPD packets
Procedure
Step 1 Run ike peer to enter the IKE peer view.
Step 2 Run ike dpd to set the interval for sending DPD packets to the peer and the number of retransmissions of DPD packets.
----End
3.9.7 Configuring the Attributes of the IKE Keepalive Mechanism
Context
The IKE provides the keepalive mechanism, which maintains the status of the IKE security association (SA) tunnel through Keepalive packets. The Keepalive packets are used to inform the peer of the Internet Security Association and Key Management Protocol (ISAKMP) SA that the local device is online.
Keepalive packets sent by one end are consumed by the timeout configured at the other end: if a timeout period is configured on the peer, a Keepalive interval must be configured on the PDSN, and the timeout period configured on the PDSN must likewise correspond to the peer's interval. When the timeout period expires without a Keepalive packet having been received, the IKE SA is handled in two stages: if the IKE SA does not yet carry the timeout mark, it is marked as timed out; if it already carries the timeout mark, the PDSN deletes the IKE SA together with the IP Security (IPSec) SAs negotiated by it. Generally, the timeout period is set to three times the peer's Keepalive interval, so that a single lost Keepalive packet does not tear down the tunnel.
Operation Procedure
1. Run ike sa keepalive-timer interval to set the interval at which the ISAKMP SA sends Keepalive packets to the peer.
2. Run ike sa keepalive-timer timeout to set the timeout period for which the ISAKMP SA waits for a Keepalive packet.
3.9.8 Configuring the IPSec Policy
Context
An IPSec policy is uniquely identified by its name and sequence number. An IPSec policy group comprises the IPSec policies with the same name but different sequence numbers; within a group, a smaller sequence number indicates a higher priority. An IPSec policy uses an IPSec proposal to specify the security protocol, algorithms, and encapsulation mode for specific data flows. The IPSec policy can be configured manually or obtained through Internet Key Exchange (IKE) negotiation.
Figure 3-7 IPSec policy through manual configuration (figure not reproduced). The policy consists of: security ACL (ACL and rule); proposal; SA key (string-key, or hex-key as authentication-hex and encryption-hex; AH or ESP, inbound and outbound); SA SPI (AH or ESP, inbound and outbound); local address; tunnel remote address.
Figure 3-8 IPSec policy through IKE negotiation (figure not reproduced). The policy consists of: security ACL (ACL and rule); proposal; IKE peer; PFS (DH group 1 or DH group 2); SA duration (permanent, traffic-based, or time-based); local address.
As Figure 3-7 shows, in manual mode you must set the key, the security parameter index (SPI), and the peer IP address of the IPSec policy yourself; the local IP address is optional.
A key is used in the security services provided by the IPSec protocol to authenticate and encrypt data packets. The key can be either in the character string format or in the hexadecimal format. The SPI is a 32-bit value, which is carried in each IPSec packet. The SPI, destination IP address, and security protocol ID uniquely identify a security association (SA).
The IKE peer is used in the IKE negotiation for the IPSec policy. The parameters such as the key and the SPI are generated automatically through the IKE negotiation. You must set the SA lifetime and perfect forward secrecy (PFS) parameters and you can optionally set the local IP address. See Figure 3-8.
PFS is a security feature: because the keys of successive IPSec SAs are not derived from one another or from the IKE SA keys, the compromise of one key does not expose the others. It is implemented by performing an additional Diffie-Hellman exchange in phase two of the IKE negotiation. An SA has a lifetime: when the specified duration or traffic volume is reached, the SA expires. Before an SA expires, the PDSN9660 negotiates a new IPSec SA through IKE; until the new SA is set up, the original SA continues to protect the communication, and the new SA takes over as soon as it is established.
Configuration Principle
- You must configure the SA parameters for both the inbound and outbound directions. The local inbound and outbound SA parameters must match the peer outbound and inbound SA parameters respectively.
- An IPSec policy can employ only one access control list (ACL). If more than one ACL is configured for an IPSec policy, the last configured ACL takes effect.
- If an IPSec policy is manually configured, it can employ only one IPSec proposal. If an IPSec policy is obtained through the IKE negotiation, it can employ up to six IPSec proposals.
- You must create an IKE peer before employing the IKE negotiation mode. For details, see 3.9.4 Configuring the IKE Peer Attributes.
- If the IPSec proposal employs the Authentication Header (AH) protocol, the keyword ah is used for the authentication key and the SPI of the SA. If the IPSec proposal employs the Encapsulating Security Payload (ESP) protocol, the keyword esp is used for the authentication key, the encryption key, and the SPI of the SA.
- You can enter the key either in the character string format or in the hexadecimal format. If you enter the key in both formats, the last entered key takes effect. You must enter the key in the same format at the two ends of a security tunnel; if the formats differ, the security tunnel cannot be set up.
- You can set or modify the local address of an IPSec policy group only before the group is applied to an interface. Do not set the local address for an IPSec policy group that is applied to the IPSec tunnel interface, or for an IPSec policy that employs the transport encapsulation mode.
- The interface whose IP address is used as the local address of the IPSec policy group must be a loopback interface. In addition, a valid IP address must be set for the loopback interface, and a target board and the IPSec tunnel protocol must be bound to the loopback interface.
- For the same data flow, the same protocol, algorithm, encapsulation mode, IPSec proposal, encryption key, and authentication key must be employed by both communication parties. Otherwise, the communication fails.
Data Planning
No. 1 Data Name of the IPSec policy and specify whether the manual mode or IKE negotiation mode is adopted ACL used by the IPSec policy IPSec proposal used by the IPSec policy SPI, key, and peer IP address of the security tunnel in manual mode IKE peer name, SA lifetime, and DiffieHellman algorithm (DH) group for PFS in IKE negotiation mode
2 3 4 5
Operation Procedure
Manual configuration mode
1. Run ipsec policy to create an IPSec policy and enter the IPSec policy view.
2. Run security acl to set the ACL used by the IPSec policy.
3. Run proposal to set the IPSec proposal used by the IPSec policy.
4. Run sa string-key to set the authentication key of the SA in manual configuration mode. Type a character string as the key. If you specify ah, the key is the AH authentication key; AH does not support packet encryption, and therefore no encryption key is required. If you specify esp, the key is both the ESP authentication key and the ESP encryption key.
5. Run sa authentication-hex to set the authentication key of the SA in manual configuration mode. Type a hexadecimal number as the key. If you specify ah, the key is the AH authentication key. If you specify esp, the key is the ESP authentication key.
6. Run sa encryption-hex to set the encryption key of the ESP protocol in manual configuration mode. Type a hexadecimal string as the key. This command applies to ESP only; AH does not support packet encryption.
7. Run sa spi to set the SPI of the SA in manual configuration mode.
8. Run tunnel remote to set the peer IP address of the tunnel.
9. Run ipsec policy local-address in the system view to set the local address of the IPSec policy group. You can also specify the name, interface type, and interface number of the IPSec policy. The interface whose IP address is used as the local address of the IPSec policy group must be a loopback interface. For the configuration procedure of a loopback interface, see 3.8.1 Creating the Loopback Interface.
NOTE
If the local address of the IPSec policy group is specified, the IP address of the specified interface is used as the local address of the IPSec tunnel. If it is not specified, the IP address of the interface to which the IPSec policy is applied is used as the local address of the IPSec tunnel.
IKE negotiation mode
You must create an IKE peer before employing the IKE negotiation mode. For details, see 3.9.4 Configuring the IKE Peer Attributes.
1. Run ipsec policy to create an IPSec policy and enter the IPSec policy view.
2. Run security acl to set the ACL used by the IPSec policy.
3. Run proposal to set the IPSec proposal used by the IPSec policy.
4. Run ike-peer to set the IKE peer used by the IPSec policy in IKE negotiation mode.
5. Run pfs to set the PFS feature of the IPSec policy in IKE negotiation mode.
6. Run sa duration to set the lifetime of the SA.
NOTE
When SAs are generated through IKE negotiation and the IPSec policy is not configured with a lifetime, the global SA lifetime configured with ipsec sa global-duration is used for the negotiation with the peer. A new lifetime does not affect established SAs; it is used for the SAs established in later IKE negotiations.
7. Run ipsec policy local-address in the system view to set the local address of the IPSec policy group. You can also specify the name, interface type, and interface number of the IPSec policy. The interface whose IP address is used as the local address of the IPSec policy group must be a loopback interface. For the configuration procedure of a loopback interface, see 3.8.1 Creating the Loopback Interface.
NOTE
If the local address of the IPSec policy group is specified, the IP address of the specified interface is used as the local address of the IPSec tunnel; when the IPSec policy group is applied to multiple interfaces, these interfaces share the same SA to protect the same data flows. If the local address is not specified, the IP address of the interface to which the IPSec policy is applied is used as the local address of the IPSec tunnel, and each interface generates its own SA to protect the same data flows.
3.9.9 Applying an IPSec Policy to an Interface
Prerequisite
Before applying an IPSec policy to an interface, you must complete the following tasks:
- 3.9.1 Configuring the Protected Data Flows
- 3.9.2 Configuring the IPSec Proposal
- 3.9.8 Configuring the IPSec Policy
Context
By applying an IPSec policy to an interface, you can apply different security measures to protect different data flows that are transmitted through the interface. If the IPSec policy to be applied is a security association (SA) established manually, the SA is generated at once. If the IPSec policy to be applied is an SA established through Internet Key Exchange (IKE) negotiation, the PDSN9660 is triggered to negotiate the IPSec SA through IKE only when the data flows that comply with an IPSec policy are sent out through the interface.
Configuration Principle
- Ensure that a valid IP address is set for the interface to which the IPSec policy group is applied.
- Before applying the security policy to the tunnel interface, ensure that the tunnel interface is configured with a source address. The IPSec policy group applied to the IPSec tunnel interface cannot be set with a local address, and the encapsulation mode of the IPSec proposal used by each IPSec policy in the group must be the tunnel mode.
Data Planning
1. Type, number, and IP address of the interface
2. IPSec policy name
Operation Procedure
Apply an IPSec policy to the R-P and Pi interfaces.
1. Run interface to enter the interface view.
2. Run ip address to set the IP address of the interface.
3. Run ipsec policy to apply the IPSec policy or IPSec policy group to the interface.
Apply an IPSec policy to the tunnel interface.
1. Configure the tunnel interface. For details on the configuration procedure, see 3.8.2 Creating the Tunnel Interface.
2. Run ipsec policy to apply the IPSec policy or IPSec policy group to the interface.
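The following configuration works the steps of 3.9.1 to 3.9.9 through end to end for one common case: RADIUS traffic between the PDSN9660 and an AAA server that sits behind a peer router on the Pi interface, with the SAs obtained through IKE negotiation, followed by the manual-mode alternative for the policy. It is an added example, not a configuration taken from this document or from the PDSN9660 command reference. The interface name GigabitEthernet1/0/0, the addresses (192.0.2.1 and 198.51.100.1 as the tunnel endpoints, 10.1.0.0/16 and 10.2.0.0/16 as the protected subnets), the object names, the placeholder keys, and the exact keyword spellings (aes-cbc, sha1, isakmp, the ike dpd parameters, the sa spi and sa string-key forms) are assumptions written in the style of Huawei VRP and must be checked against the command reference of the installed software version. Lines starting with # are annotations, not commands.

```huawei
# 3.9.1  Protected data flow: PDSN side 10.1.0.0/16 <-> AAA side 10.2.0.0/16.
# The peer router needs the mirror-image rule (source and destination swapped).
# Anything this ACL does not permit is forwarded in the clear, so keep the rule tight.
acl number 3001
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.2.0.0 0.0.255.255
 quit
# 3.9.2  IPSec proposal: ESP, tunnel mode, SHA-1 integrity, AES encryption.
# DES and MD5 remain selectable but are weak; AH is not needed when ESP authenticates.
ipsec proposal prop-aaa
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
 encapsulation-mode tunnel
 quit
# 3.9.3  IKE (phase one) proposal, priority 10: AES, pre-shared key, SHA-1, DH group 2.
ike proposal 10
 encryption-algorithm aes-cbc
 authentication-method pre-share
 authentication-algorithm sha
 dh group2
 sa duration 86400
 quit
# 3.9.4 and 3.9.6  IKE peer: main mode (the peer address is fixed), so the ID type is ip.
# The same pre-shared key must be configured on the peer; the value here is a placeholder.
# DPD: enquire after 10 s of silence when there is traffic to send, give up after 3 retries.
ike peer rtr-aaa
 exchange-mode main
 ike-proposal 10
 pre-shared-key Replace-With-A-Long-Random-Secret
 local-id-type ip
 remote-address 198.51.100.1
 ike dpd interval 10 retry 3
 quit
# 3.9.7  Keepalive: the peer's timeout should be about three times this interval,
# and this timeout about three times the peer's interval.
ike sa keepalive-timer interval 20
ike sa keepalive-timer timeout 60
# 3.9.8  IPSec policy group pi-sec, sequence number 10, SAs obtained through IKE.
# PFS forces a fresh DH exchange in phase two; the IPSec SA is re-keyed every hour.
ipsec policy pi-sec 10 isakmp
 security acl 3001
 proposal prop-aaa
 ike-peer rtr-aaa
 pfs dh-group2
 sa duration time-based 3600
 quit
# 3.9.9  Apply the policy group to the Pi interface. IKE negotiation is triggered by the
# first packet that matches ACL 3001 and leaves through this interface.
interface GigabitEthernet1/0/0
 ip address 192.0.2.1 255.255.255.0
 ipsec policy pi-sec
 quit
# Manual-mode alternative to the isakmp policy (apply one or the other to the interface,
# not both, for the same data flow). Keys and SPIs are typed by hand: the local inbound
# values must equal the peer's outbound values and vice versa, in the same key format.
ipsec policy pi-manual 10 manual
 security acl 3001
 proposal prop-aaa
 tunnel remote 198.51.100.1
 sa spi inbound esp 12345
 sa spi outbound esp 54321
 sa string-key inbound esp Inbound-Key-Placeholder
 sa string-key outbound esp Outbound-Key-Placeholder
 quit
```

With the isakmp policy, nothing is negotiated until a packet matching ACL 3001 is sent out of GigabitEthernet1/0/0; with the manual policy, the SA exists as soon as the policy is applied. The negotiated or manual SAs can then be inspected with display ike sa and display ipsec sa (VRP display commands assumed here; they are not listed in this document).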
Context
A static routing mode is applicable to a small stable network with simple topology.
Configuration Principle
- When the destination IP address and the mask are both 0.0.0.0, the configured route is the default route. If the PDSN9660 finds no matching route in the routing table, the default route is used for packet forwarding.
- When configuring a static route, you usually specify the next hop address. For an interface-to-interface static route, you can specify the outbound interface instead.
- When a Generic Routing Encapsulation (GRE) tunnel is established, the virtual private network (VPN) route is required as follows: the destination of the route is the network segment to which the AAA server belongs, and the next hop is the tunnel interface of the corresponding GRE tunnel.
NOTE
On the peer router or firewall of the tunnel, you must configure the route to the Pi interface. The next hop is the tunnel interface on the router or firewall.
Data Planning
1. IP address and subnet mask of the AAA server
2. IP address of the interface of the next hop router or firewall towards the AAA server
Procedure
Step 1 Run ip route-static to configure a static route.
Step 2 Optional: If VPN networking is employed, you must specify the VPN instance of the static route. Run ip route-static vpn-instance to configure the static route for a VPN instance and specify the next hop address.
Step 3 Optional: If GRE tunnel networking is employed, specify the VPN instance for the static routes. Run ip route-static vpn-instance to configure the static routes for a VPN instance and specify the tunnel interface as the outbound interface.
NOTE
- The destination address of the static route is the address of the network segment to which the AAA server belongs. The next hop address is the address of the router or firewall to which the PDSN9660 connects.
- If there are multiple AAA servers and they are not located in the same network segment, a static route must be configured for each AAA server.
CAUTION
On the next hop router or firewall, you must configure the static route to the PDSN9660. The destination address of the static route is the address of the interface on the PDSN9660. The next hop address is the address of the physical interface on the Pi used for interworking with the PDSN9660, or the next hop address can be the address of the Eth-trunk interface when reliability networking is adopted. ----End
Context
The PDSN supports static route configuration as well as dynamic routing protocols such as the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), and Border Gateway Protocol (BGP). The dynamic routing mode is suitable for a network with a complex topology and a certain number of Layer 3 devices, because it adapts automatically to changes in the network topology. If you plan to employ a dynamic routing protocol such as RIP, OSPF, IS-IS, or BGP, the PDSN9660 must support that protocol. OSPF is taken as an example to describe the concepts and configuration of a dynamic route.
Table 3-2 Concepts of the OSPF dynamic routing mode
OSPF process number: When you start multiple OSPF processes on the PDSN9660, you must assign them different process numbers. The process number is local to the device and does not affect packet exchange with other routers, so routers exchange packets regardless of their process numbers.
Router ID: A router needs a router ID to run OSPF. The router ID is a 32-bit unsigned integer that identifies the router in an autonomous system. You can set it manually; generally it is set to the IP address of an interface on the router. If you do not specify it, the system selects the IP address of an existing interface: the highest IP address among the loopback interfaces, or, if no loopback interface is configured, the highest IP address among the other interfaces.
Area: You must specify the area to which an interface running OSPF belongs. OSPF processes can share an area; for example, area 0 can be used by both OSPF 1 and OSPF 2.
Authentication mode: OSPF supports packet authentication. Only authenticated OSPF packets are accepted; otherwise, the neighbor relationship cannot be established. All the routers in an area must use the same area authentication mode and password.
Network segment: The network segment of the IP addresses of the interfaces that run OSPF. A network segment can belong to only one area, so you must specify the area for each interface running OSPF. OSPF runs on an interface only when both of the following conditions are met:
- The subnet mask of the interface is not shorter than the mask specified by using network.
- The primary IP address of the interface is within the network segment specified by using network.
DR priority: On broadcast or non-broadcast multiple access (NBMA) networks, you can set the designated router (DR) priority of interfaces to influence the DR/backup designated router (BDR) election. A larger value indicates a higher priority. A router with priority 0 cannot be elected as the DR or BDR.
Configuration Principle
The principles for configuring an OSPF dynamic route are as follows:
- If a virtual private network (VPN) instance is specified for the OSPF process, you must run vpn-instance-capability simple so that routes are calculated directly instead of performing routing loop detection.
- To deliver static routes to the routers on the backbone network, you must run import-route to import routes that are learned from other protocols.
Data Planning
1. OSPF process number and router ID. If the OSPF process is to be bound to a VPN instance, plan the name of the VPN instance.
2. OSPF area, authentication mode, and authentication key.
3. Network segment and wildcard mask of an OSPF area. To facilitate future network expansion, you can configure a network segment containing multiple IP addresses for both the physical and logical interfaces, so that no further configuration is required when new interfaces are added. The wildcard mask is the inverse of the subnet mask: change each 0 bit in the mask to 1 and each 1 bit to 0. A 1 bit in the wildcard mask means that the corresponding bit of the IP address is ignored, and a 0 bit means that it must match.
Procedure
Step 1 Run system-view to enter the system view.
Step 2 Run interface to enter the interface view.
Step 3 Run ospf cost to set the cost values of the OSPF interfaces.
NOTE
If the cost values of the OSPF interfaces are the same, data transmission is load-shared among the links. If the cost values differ, only the active route with the highest priority is used to transmit data, which provides route redundancy.
Step 4 Run ospf dr-priority to set the DR priorities of the OSPF interfaces.
Step 5 Run quit to exit from the interface view.
Step 6 Run ospf to start the OSPF process and enter the OSPF view.
Step 7 Optional: Run import-route to import routes that are learned from other protocols and deliver them to the routers on the backbone network.
Step 8 If a VPN instance is specified for the OSPF process in Step 6, you must run vpn-instance-capability simple so that routes are calculated directly instead of performing routing loop detection.
Step 9 Run area to create the OSPF area and enter the OSPF area view.
Step 10 Optional: Run authentication-mode to specify the authentication mode and key for the OSPF area.
Step 11 Run network to set the network segments that the area contains.
----End
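The OSPF procedure above, Steps 2 to 11, as one added example for a PDSN9660 with two Eth-trunk links towards the AAA network (not taken from this document or from the PDSN9660 command reference). The interface names Eth-Trunk2 and Eth-Trunk3, the addresses, the router ID 10.255.0.1, the VPN instance name vpn-aaa, the placeholder key, and the exact forms of the ospf and authentication-mode commands are assumptions in Huawei VRP style and must be checked against the command reference. Lines starting with # are annotations, not commands.

```huawei
# Steps 2 to 5, interface side. Equal costs on both links load-share the traffic;
# a higher DR priority makes the PDSN9660 the preferred DR on each segment.
interface Eth-Trunk2
 ip address 192.0.2.1 255.255.255.0
 ospf cost 10
 ospf dr-priority 100
 quit
interface Eth-Trunk3
 ip address 192.0.3.1 255.255.255.0
 ospf cost 10
 ospf dr-priority 100
 quit
# Step 6: process 1, router ID = loopback address, bound to VPN instance vpn-aaa.
ospf 1 router-id 10.255.0.1 vpn-instance vpn-aaa
# Step 8: required because a VPN instance is bound (calculate routes directly).
 vpn-instance-capability simple
# Step 7: advertise the PDSN9660's static routes to the backbone routers.
 import-route static
# Step 9: area 0.
 area 0.0.0.0
# Step 10: every router in the area must use the same mode and key; without it any host
# on the segment could inject routes. MD5 key-id 1 with a placeholder key.
  authentication-mode md5 1 cipher Replace-With-Area-Key
# Step 11: wildcard mask = inverse of the subnet mask; 0.0.0.255 covers a /24, and the
# interface mask (/24) is not shorter than the mask the network statement specifies.
  network 192.0.2.0 0.0.0.255
  network 192.0.3.0 0.0.0.255
# A wider statement (0.0.255.255 = /16) also matches loopbacks added later in 10.255.0.0/16.
  network 10.255.0.0 0.0.255.255
  quit
 quit
```

An interface whose primary address lies outside every network statement of the area, or whose mask is shorter than the statement's mask, silently stays out of OSPF; display ip routing-table (listed in 3.13) is the quickest way to confirm that the OSPF routes have actually been learned on both Eth-trunk links.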
Configuration Principle
- You can employ one AAA server for both authentication and accounting, or two AAA servers, one for authentication and the other for accounting. You can optionally configure a standby AAA server.
- The shared key is what authenticates the RADIUS packets exchanged between the PDSN9660 and each server, so use a long, random key for each server. You can additionally set up a virtual private network (VPN) tunnel between the PDSN9660 and the AAA server for communication security.
Data Planning
1. IP address, destination port, and VPN instance of the active AAA authentication server; (optional) IP address, destination port, and VPN instance of the standby AAA authentication server; shared key between the PDSN9660 and the active AAA authentication server, and between the PDSN9660 and the standby AAA authentication server
2. IP address, destination port, and VPN instance of the active AAA accounting server; (optional) IP address, destination port, and VPN instance of the standby AAA accounting server; shared key between the PDSN9660 and the active AAA accounting server, and between the PDSN9660 and the standby AAA accounting server
Operation Procedure
Configure the AAA authentication servers.
1. Run access-view to enter the access view.
2. Run radius-server group to enter the RADIUS view.
3. Run radius-server authentication to set the IP address, destination port number, VPN, and key for the active AAA authentication server.
4. Run radius-server authentication to set the IP address, destination port number, VPN, and key for the standby AAA authentication server.
Configure the AAA accounting servers.
1. Run access-view to enter the access view.
2. Run radius-server group to enter the RADIUS view.
3. Run radius-server accounting to set the IP address, destination port number, VPN, and key for the active AAA accounting server.
4. Run radius-server accounting to set the IP address, destination port number, VPN, and key for the standby AAA accounting server.
3.13 Commissioning the Data for the Interworking with the AAA Server
This describes how to commission the data for the interworking with the authentication, authorization and accounting (AAA) server. When the preceding configuration is complete, you can run the following commands to check the running status or the configuration result.
Table 3-3 Displaying the data for the interworking between the PDSN and the AAA server
display current-configuration: Displays the current configuration of the interface.
display ip interface: Displays the running status of the interface.
display ip routing-table: Displays summary information about the routing table and information about the route to a specified destination IP address.
When some configuration is incorrect or requires modification, you can run the following commands to delete the current configuration and reconfigure the system.
Table 3-4 Deleting the data for the interworking between the PDSN and the AAA server
undo interface: Deletes the configuration of the interface.
shutdown: Shuts down the physical interface.
undo ip address: Deletes the IP address of the interface.
undo ip route-static: Deletes a specified static route.
This provides an example of the configuration in the case that the authentication, authorization and accounting (AAA) server in an intranet performs user authentication. That is, the Generic Routing Encapsulation (GRE) virtual private network (VPN) is employed in inband networking.
3.14.4 GRE VPN in Outband Networking
This provides an example of the configuration in the case that the authentication, authorization and accounting (AAA) server of an operator performs user authentication. That is, the Generic Routing Encapsulation (GRE) virtual private network (VPN) is employed in outband networking.
3.14.5 IPSec Policy Applied to the Pi Interface
This provides an example of configuration for the IP Security (IPSec) function by establishing security tunnels between the PDSN and the authentication, authorization and accounting (AAA) server through the Pi interface.
Networking Requirement
See Figure 3-9. The PDSN9660 is connected to the AAA server through router A and router B. The interworking is realized through inband networking. The PDSN9660 must interwork with the AAA server to perform the authentication, charging, and address assignment for the users. Therefore, you must configure the interworking between the PDSN9660 and the AAA server.
- To improve bandwidth and enhance reliability, you can employ the load-sharing mode for the Eth-trunk interface to distribute traffic to different links to the same destination.
- To further enhance reliability, the Eth-trunk2 and Eth-trunk3 interfaces that each work in load-sharing mode can serve as backup interfaces for each other.
- The Open Shortest Path First (OSPF) dynamic routing mode is employed for complex network topology with a large number of network devices and IP routes to implement reliability networking through redundant routes.
- The PDSN interworks with the AAA server through outband networking. The data packets to the packet data network (PDN) and the Remote Authentication Dial In User Service (RADIUS) signaling packets are sent through different physical interfaces.
- The virtual private network (VPN) networking mode is employed to improve communication security. Bind the physical interface, logical interface, Domain, and AAA server to the same VPN. Specify this VPN as the VPN instance of the specified route.
Figure 3-9 Networking for the interworking between the PDSN9660 and the AAA server
[Figure: the PDSN9660 (Piif3/0/0 10.8.20.1/32, Piif3/1/0 10.8.20.2/32) connects through Eth-Trunk 2 (10.3.37.94/28) to router A (10.3.37.81) and through Eth-Trunk 3 (10.3.37.78/28) to router B (10.3.37.65); both routers reach the AAA server (192.168.110.1) over the IP/MPLS backbone.]
Data Collection
Plan the data as follows.

VPN
  Name of a VPN instance: vpn_Pi
  Router distinguisher (RD) value: 300:1

Eth-Trunk2
  Eth-Trunk2: Bound with GigabitEthernet1/0/2 and GigabitEthernet1/0/3
  IP address and subnet mask of the Eth-trunk2 interface: 10.3.37.94/255.255.255.240
  Operating mode of the Eth-trunk2 interface: Load-sharing mode
  Cost value of the Eth-trunk2 interface: 100
  Priority for selecting a designated router (DR): 0
  IP address of the interface on router A that is connected to the Eth-trunk2 interface: 10.3.37.81
  IP address segment of the Eth-trunk2 interface: 10.3.37.80/28
  Wildcard mask of the Eth-trunk2 interface: 0.0.0.15

Eth-Trunk3
  Eth-Trunk3: Bound with GigabitEthernet2/0/2 and GigabitEthernet2/0/3
  IP address and subnet mask of the Eth-trunk3 interface: 10.3.37.78/255.255.255.240
  Operating mode of the Eth-trunk3 interface: Load-sharing mode
  Cost value of the Eth-trunk3 interface: 200
  Priority for selecting a DR: 0
  IP address of the interface on router B that is connected to the Eth-trunk3 interface: 10.3.37.65
  IP address segment of the Eth-trunk3 interface: 10.3.37.64/28
  Wildcard mask of the Eth-trunk3 interface: 0.0.0.15
  IP address network segments of the Piif3/0/0 and Piif3/1/0 interfaces: 10.8.20.0/30, wildcard mask 0.0.0.3

OSPF
  OSPF process number: 2
  Router ID: 10.8.20.1
  Area ID: 0
  Authentication mode: md5
  Authentication ID: 1
  Authentication password: abcd, in encrypted texts

RADIUS server
  RADIUS server group: isprg
  IP address of the RADIUS authentication server: 10.168.10.1
  Destination port number: 1812
  VPN instance: vpn_Pi
  Key: ispchina
  IP address of the RADIUS accounting server: 10.168.10.1
  Destination port number: 1813
  VPN instance: vpn_Pi
  Key: ispchina
  Domain bound to the RADIUS server group: Domain1
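The segment and wildcard-mask rows of this plan are derived from each Eth-trunk address and mask, and the router peer address must fall inside that segment; the same wildcard semantics are used by the ACL rules that select the IPSec data flows later in this chapter. The following script is an added example, not part of the Huawei document, that recomputes those rows with the Python standard-library ipaddress module and flags any inconsistency before the CLI is typed in. The PLAN values are copied from the table above; the function names and the check logic are ours.

```python
"""Consistency checks for an Eth-trunk/OSPF data plan (added example, not part of
the Huawei document). Uses only the Python standard library ipaddress module.
PLAN values are copied from the data-collection table above; the checks are ours."""
from __future__ import annotations

import ipaddress


def segment_and_wildcard(addr_with_prefix: str) -> tuple[str, str]:
    """Derive the OSPF 'network' segment and wildcard mask from an interface address.

    The wildcard mask is the bitwise complement of the subnet mask: bits set to 1
    are ignored when OSPF (or an ACL rule) matches an address against the segment.
    """
    net = ipaddress.ip_interface(addr_with_prefix).network
    return str(net), str(net.hostmask)


def wildcard_matches(candidate: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison as used by OSPF 'network' and ACL 'rule' statements."""
    c = int(ipaddress.ip_address(candidate))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (c & ~w) == (b & ~w)


# Constructed from the inband data plan: Eth-trunk address, router peer address,
# and the segment/wildcard rows the plan states for it.
PLAN = {
    "Eth-Trunk2": {"interface": "10.3.37.94/28", "peer": "10.3.37.81",
                   "segment": "10.3.37.80/28", "wildcard": "0.0.0.15"},
    "Eth-Trunk3": {"interface": "10.3.37.78/28", "peer": "10.3.37.65",
                   "segment": "10.3.37.64/28", "wildcard": "0.0.0.15"},
}


def check_plan(plan: dict) -> list[str]:
    """Return human-readable inconsistencies; an empty list means the plan is coherent."""
    problems = []
    for name, row in plan.items():
        seg, wc = segment_and_wildcard(row["interface"])
        if seg != row["segment"]:
            problems.append(f"{name}: computed segment {seg} != planned {row['segment']}")
        if wc != row["wildcard"]:
            problems.append(f"{name}: computed wildcard {wc} != planned {row['wildcard']}")
        seg_addr = row["segment"].split("/")[0]
        if not wildcard_matches(row["peer"], seg_addr, row["wildcard"]):
            problems.append(f"{name}: peer {row['peer']} lies outside {row['segment']}")
    return problems


if __name__ == "__main__":
    for issue in check_plan(PLAN) or ["plan is consistent"]:
        print(issue)
```

Running the script on the plan above prints "plan is consistent"; a mistyped peer address or wildcard is reported per interface. The same two functions apply to the Pi interface segment (10.8.20.0/30 gives wildcard 0.0.0.3).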
Configuration Procedure
1. Create a VPN instance.
<PDSN>system-view
[PDSN]ip vpn-instance vpn_Pi
[PDSN-vpn-instance-vpn_Pi]route-distinguisher 300:1
2.
3. Bind the physical interfaces to the Eth-trunk2 interface. Bind the GigabitEthernet1/0/2 interface to the Eth-trunk2 interface.
[PDSN]interface GigabitEthernet1/0/2
[PDSN-GigabitEthernet1/0/2]eth-trunk 2
4.
5. Bind the physical interfaces to the Eth-trunk3 interface. Bind the GigabitEthernet2/0/2 interface to the Eth-trunk3 interface.
[PDSN]interface GigabitEthernet2/0/2
[PDSN-GigabitEthernet2/0/2]eth-trunk 3
[PDSN-GigabitEthernet2/0/2]quit
6.
7.
8.
9. Configure the RADIUS server.
# Configure the RADIUS server group isprg.
[PDSN-access]radius-server group isprg
# Configure the RADIUS authentication server. The IP address is 10.168.10.1. The destination port number is 1812. The RADIUS authentication server is bound to the VPN instance vpn_Pi. The key is ispchina.
[PDSN-access-radius-isprg]radius-server authentication ip 10.168.10.1 vpn-instance vpn_Pi port 1812 key ispchina
# Configure the RADIUS accounting server. The IP address is 10.168.10.1. The destination port number is 1813. The RADIUS accounting server is bound to the VPN instance vpn_Pi. The key is ispchina.
[PDSN-access-radius-isprg]radius-server accounting ip 10.168.10.1 vpn-instance vpn_Pi port 1813 key ispchina
[PDSN-access-radius-isprg]quit
[PDSN-access]quit
10. Bind the RADIUS server group to the domain.
# Enter the domain view.
[PDSN]domain domain1
[PDSN-domain-domain1]vpn-instance vpn_Pi
# Bind the RADIUS server group isprg to the domain instance domain 1.
[PDSN-domain-domain1]radius-server group isprg
[PDSN-domain-domain1]quit
[PDSN]quit
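The key bound to each RADIUS server above is a shared secret that the PDSN and the AAA server both use to authenticate RADIUS packets; if the two sides are configured with different keys, the server silently discards the request and the PDSN sees a RADIUS timeout even though the IP path is fine. The following script is an added example, not code from the Huawei document or the PDSN software: it builds and verifies RADIUS authenticators as specified in RFC 2865 and RFC 2866 using only the Python standard library, so the effect of a key mismatch can be reproduced offline. The attribute contents are constructed here; only the key value ispchina is taken from the data plan.

```python
"""RADIUS shared-key checks as performed on the wire (RFC 2865 / RFC 2866).

Added example, not from the Huawei document. Shows what the key configured with
'radius-server authentication ... key ispchina' is used for. Packet contents are
constructed for illustration; only SHARED_KEY comes from the data plan."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
SHARED_KEY = b"ispchina"   # key from the data plan; must be identical on PDSN and AAA server


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def header(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """20-byte RADIUS header: Code, Identifier, Length (header + attributes), Authenticator."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR the NUL-padded password with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (server side); trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes) -> bytes:
    """Access-Request carries a random Request Authenticator; the secret hides the password."""
    request_auth = os.urandom(16)
    attrs = attribute(1, user) + attribute(2, hide_password(password, secret, request_auth))
    return header(ACCESS_REQUEST, ident, request_auth, attrs) + attrs


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    digest = hashlib.md5(header(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs) + attrs + secret).digest()
    return header(ACCOUNTING_REQUEST, ident, digest, attrs) + attrs


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, request_auth = request[1], request[4:20]
    digest = hashlib.md5(header(code, ident, request_auth, attrs) + attrs + secret).digest()
    return header(code, ident, digest, attrs) + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check; with a wrong key the server silently discards the request."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    ident, attrs = packet[1], packet[20:]
    expected = hashlib.md5(header(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs) + attrs + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check of an Access-Accept/Reject or Accounting-Response (what the PDSN does)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:   # identifier must match the outstanding request
        return False
    attrs = response[20:]
    expected = hashlib.md5(header(response[0], response[1], request[4:20], attrs) + attrs + secret).digest()
    return hmac.compare_digest(response[4:20], expected)
```

The Access-Request authenticator is random, so on that packet the shared key only hides the User-Password; integrity of the Access-Request itself relies on the Message-Authenticator attribute of RFC 2869, which this script does not add. Accounting-Requests and every response, by contrast, are fully covered by the key, which is why a mismatch shows up as discarded accounting packets and unverifiable responses.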
Interworking Test
Run ping to check whether the link to the AAA server is normal.
<PDSN>ping -vpn-instance vpn_Pi -a 10.8.20.1 10.168.10.1
<PDSN>ping -vpn-instance vpn_Pi -a 10.8.20.2 10.168.10.1
- If the link is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.
- You must specify the IP address of the Pi interface to check whether the connection between the Pi interface and the peer device is normal.
Networking Requirement
The PDSN9660 is connected to a packet data network (PDN), which is the Internet or an intranet, through router A and router B. The PDSN9660 is connected to the AAA server through router C and interworks with the AAA server through outband networking. See Figure 3-10. The PDSN9660 must interwork with the AAA server to perform authentication, charging, and address assignment for users. Therefore, you must configure the interworking between the PDSN9660 and the AAA server.
- The networking for the interworking between the PDSN and a PDN is as follows:
  To improve bandwidth and enhance reliability, you can employ the Eth-trunk load-sharing mode to distribute traffic to different links to the same destination. The Eth-trunk8 and Eth-trunk9 interfaces that each work in load-sharing mode can be a backup for each other. This can further enhance reliability. The Open Shortest Path First (OSPF) dynamic routing mode is employed for complex network topology with a large number of network devices and IP routes to implement reliability networking through redundant routes.
- The Eth-trunk active/standby mode is employed for the networking between the PDSN and the AAA server. The Eth-trunk interface and the Pi interface are bound to the virtual private network (VPN) respectively. Packets are forwarded through the default routes of the VPN.
- The PDSN interworks with the AAA server through outband networking. The data packets to a PDN and the Remote Authentication Dial in User Service (RADIUS) signaling packets are sent through different physical interfaces. When the VPNs are employed, the physical interface and route for data packets and the Domain are bound to a VPN, and the physical interface for RADIUS signaling packets, the Pi interface, the route, and the AAA server are bound to another VPN.
Figure 3-10 Networking for the interworking between the PDSN9660 and the AAA server
[Figure: the PDSN9660 (Piif3/1/0 10.8.50.1/32) connects through Eth-Trunk 8 (10.3.37.46/28) to router A (10.3.37.33) and through Eth-Trunk 9 (10.3.37.62/28) to router B (10.3.37.49), which reach the PDN over the IP/MPLS backbone; Eth-Trunk 2 (10.3.37.94/28) connects to router C (10.3.37.81), which reaches the AAA server (192.168.110.1).]
Data Collection
- Plan the data for the interworking with a PDN as follows:

  VPN
    Name of the VPN instance: vpn_pdn
    Router distinguisher (RD) value: 200:1

  Eth-trunk8
    Eth-trunk8: Bound with GigabitEthernet1/0/8 and GigabitEthernet1/0/9
    IP address and subnet mask of the Eth-trunk8 interface: 10.3.37.46/255.255.255.240
    Operating mode of the Eth-trunk8 interface: Load-sharing mode
    Cost value of the Eth-trunk8 interface: 100
    Priority for selecting a designated router (DR): 0
    IP address of the interface on router A that is connected to the Eth-trunk8 interface: 10.3.37.33
    IP address segment of the Eth-trunk8 interface: 10.3.37.32/28
    Wildcard mask of the Eth-trunk8 interface: 0.0.0.15

  Eth-trunk9
    Eth-trunk9: Bound with GigabitEthernet2/0/8 and GigabitEthernet2/0/9
    IP address and subnet mask of the Eth-trunk9 interface: 10.3.37.62/255.255.255.240
    Operating mode of the Eth-trunk9 interface: Load-sharing mode
    Cost value of the Eth-trunk9 interface: 200
    Priority for selecting a DR: 0
    IP address of the interface on router B that is connected to the Eth-trunk9 interface: 10.3.37.49
    IP address segment of the Eth-trunk9 interface: 10.3.37.48/28
    Wildcard mask of the Eth-trunk9 interface: 0.0.0.15

  OSPF
    OSPF process number: 2
    Router ID: 10.8.20.1
    Area ID: 0
    Authentication mode: md5
    Authentication ID: 1
    Authentication password: abcd, in encrypted texts

  Domain
    Address segment for the mobile station (MS):
    Next hop P interface of downlink routes:

- Plan the data for the interworking with the AAA server as follows:

  VPN
    Name of the VPN instance: vpn_Pi
    RD value: 300:1

  Eth-trunk2
    Eth-trunk2: Bound with GigabitEthernet1/0/2 and GigabitEthernet2/0/2
    IP address and subnet mask of the Eth-trunk2 interface: 10.3.37.94/255.255.255.240
    Operating mode of the Eth-trunk2 interface: Active/standby mode
    10.3.37.94

  Pi interface
    Name of the Pi interface: Piif3/0/0
    IP address and subnet mask: 10.8.50.1/255.255.255.255

  RADIUS server
    RADIUS server group: isprg
    IP address of the RADIUS authentication server: 10.168.10.1
    Destination port number: 1812
    VPN instance: vpn_Pi
    Key: ispchina
    IP address of the RADIUS accounting server: 10.168.10.1
    Destination port number: 1813
    VPN instance: vpn_Pi
    Key: ispchina
    Domain bound to the RADIUS server group: domain1
Configuration Procedure
1. Configure the interworking with a PDN.
(1) Create a VPN instance.
<PDSN>system-view
[PDSN]ip vpn-instance vpn_pdn
[PDSN-vpn-instance-vpn_pdn]route-distinguisher 200:1
(3) Bind the physical interfaces to the Eth-trunk8 interface. Bind the GigabitEthernet1/0/8 interface to the Eth-trunk8 interface.
[PDSN]interface GigabitEthernet1/0/8
[PDSN-GigabitEthernet1/0/8]eth-trunk 8
[PDSN-GigabitEthernet1/0/8]quit
(5) Bind the physical interfaces to the Eth-trunk9 interface. Bind the GigabitEthernet2/0/8 interface to the Eth-trunk9 interface.
[PDSN]interface GigabitEthernet2/0/8
[PDSN-GigabitEthernet2/0/8]eth-trunk 9
[PDSN-GigabitEthernet2/0/8]quit
(7) Configure the routes for downlink packets to an MS.
# Set the destination IP addresses to 192.168.200.0/24 and 192.168.210.0/24, which are the network segments of the MS. Set the next hops to pif3/0/0 and pif3/1/0.
[PDSN]ip route-static vpn-instance vpn_pdn 192.168.200.0 24 pif3/0/0
[PDSN]ip route-static vpn-instance vpn_pdn 192.168.210.0 24 pif3/1/0
(8) Bind the VPN to the domain and configure the PDSN9660 not to automatically generate downlink routes for users of the domain.
[PDSN]domain domain1
[PDSN-domain-domain1]vpn-instance vpn_pdn
[PDSN-domain-domain1]static-ip route disable
[PDSN-domain-domain1]quit
2. Configure the interworking with the AAA server.
(1) Create a VPN instance.
[PDSN]ip vpn-instance vpn_Pi
[PDSN-vpn-instance-vpn_Pi]route-distinguisher 300:1
(3) Bind the physical interfaces to the Eth-trunk2 interface. Bind the GigabitEthernet1/0/2 interface to the Eth-trunk2 interface.
[PDSN]interface GigabitEthernet1/0/2
[PDSN-GigabitEthernet1/0/2]eth-trunk 2
[PDSN-GigabitEthernet1/0/2]quit
(4) Configure the Pi interface.
# Create the Pi interface on the SPU of group 3.
[PDSN]interface Piif3/0/0
# Bind the Pi interface to the VPN instance before configuring the IP address of the interface. Otherwise, the configured IP address is deleted when the binding operation is performed.
[PDSN-Piif3/0/0]ip binding vpn-instance vpn_Pi
# Set the IP address of the Pi interface to 10.8.50.1 and the subnet mask to 255.255.255.255.
[PDSN-Piif3/0/0]ip address 10.8.50.1 255.255.255.255
(5) Configure the default route to the AAA server. Set the IP address of the next hop router to 10.3.37.81.
[PDSN]ip route-static vpn-instance vpn_Pi 0.0.0.0 0.0.0.0 10.3.37.81
NOTE
On router C, you need to configure a static route to the PDSN9660. The destination IP address of the static route is 10.8.50.1. This is the IP address of the piif3/0/0 interface on the PDSN9660. The next hop is the Eth-trunk2 interface on the PDSN9660.
(6) Configure the RADIUS server.
# Configure the RADIUS server group isprg.
[PDSN-access]radius-server group isprg
# Configure the RADIUS authentication server. The IP address is 10.168.10.1. The destination port number is 1812. The RADIUS authentication server is bound to the VPN instance vpn_Pi. The key is ispchina.
[PDSN-access-radius-isprg]radius-server authentication ip 10.168.10.1 vpn-instance vpn_Pi port 1812 key ispchina
# Configure the RADIUS accounting server. The IP address is 10.168.10.1. The destination port number is 1813. The RADIUS accounting server is bound to the VPN instance vpn_Pi. The key is ispchina.
[PDSN-access-radius-isprg]radius-server accounting ip 10.168.10.1 vpn-instance vpn_Pi port 1813 key ispchina
[PDSN-access-radius-isprg]quit
[PDSN-access]quit
(7) Bind the RADIUS server group to the domain.
# Enter the domain view.
[PDSN]domain domain1
Interworking Test
Run ping to check whether the link to the AAA server is normal.
<PDSN>ping -vpn-instance vpn_Pi -a 10.8.50.1 10.168.10.1
NOTE
- If the link is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.
- You must specify the IP address of the Pi interface to check whether the connection between the Pi interface and the peer device is normal.
Networking Requirement
Figure 3-11 shows the networking. The domain name of the intranet is enterprise.com. Data packets and signaling packets are transmitted through one VPN tunnel. One VPN instance is created. The physical interface or Eth-trunk interface, Pi interface, route, Domain, AAA server, and GRE tunnel are all bound to this VPN instance.
Figure 3-11 GRE VPN networking
[Figure: MS, BSC/PCF, AAA server]
Data Collection
Plan the data as follows.

VPN
  Name of the VPN instance: ispvpn
  Router distinguisher (RD) value: 100:1

Tunnel information
  The start point of the tunnel is the Ethernet interface on the LPU in slot 1. The IP address of this interface is 192.168.1.10/24. The end point is the outbound interface on firewall B in the intranet. The IP address of this interface is 202.1.1.1/24.
  IP address of the loopback1 interface: 1.1.1.9/32
  Target board of the loopback1 interface: CPU 0 on the SPU in group 3
  Protocol employed on the loopback1 interface: GRE
  Tunnel interface: tunnel3/0/0
  Network address of the local tunnel interface: 192.168.5.1/24
  Network address of the peer tunnel interface: 192.168.5.2/24
  Source address of the tunnel interface: IP address of the loopback1 interface, that is, 1.1.1.9/32
  Destination address of the tunnel interface: 2.2.2.9/32
  Next hop address of the route from source to destination of the tunnel interface: 192.168.1.20/24
  Check mode on both ends of the tunnel: End-to-end check
  Key authentication: Authentication key: 123456

Domain
  Network segment of the intranet:
  Domain name:
  VPN instance:
  Network segment of the mobile station (MS):

AAA server
  RADIUS server group: group1
  Active AAA server: The IP address is 10.110.100.1. The active AAA server is bound to the VPN instance ispvpn. The key is ispchina.
  Standby AAA server: The IP address is 10.110.100.2. The standby AAA server is bound to the VPN instance ispvpn. The key is chinaisp.
  IP address of the piif3/0/0 interface: 10.73.98.8/32
Configuration Procedure
1. The physical interface or Eth-trunk interface and route for the interworking are configured. For details, see 3.14.1 Inband Networking.
2. Create a VPN instance.
# Create a VPN instance. The name is ispvpn.
[PDSN]ip vpn-instance ispvpn
3.
# Set the mapping between the loopback1 interface and CPU 0 on the SPU in group 3.
[PDSN-LoopBack1]target-board spu 3 0
# Set the source address of the tunnel interface. The source address is obtained through the loopback1 interface specified as the tunnel interface.
[PDSN-Tunnel3/0/0]source loopback1
CAUTION
The source address and destination address of the tunnel on firewall B are the destination address and source address of the tunnel on the PDSN9660 respectively. That is, the source address and destination address of the tunnel on firewall B are 2.2.2.9 and 1.1.1.9 respectively.
# Configure the end-to-end check for the tunnel.
CAUTION
You must also configure the end-to-end check for the tunnel on firewall B.
CAUTION
You must set the same key on firewall B.
[PDSN-Tunnel3/0/0]gre key 123456
# Set the route from source to destination of the tunnel interface. The next hop address is 192.168.1.20/24.
[PDSN]ip route-static vpn-instance ispvpn 2.2.2.9 32 192.168.1.20
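The gre key and the end-to-end check configured on tunnel3/0/0 correspond to the Key and Checksum fields of the GRE header (RFC 2784 and RFC 2890), which is why the CAUTION notes insist that firewall B carries the same settings: a receiver that expects a key drops packets whose Key field differs, and a receiver that validates the checksum drops corrupted packets. The following script is an added example, not code from the Huawei document or the PDSN9660: it encapsulates a constructed payload with both fields and shows the receiving side's accept/drop decision. The key values 123456 and 654321 come from this section's data plans; SAMPLE_PAYLOAD and the function names are ours.

```python
"""GRE encapsulation with the Key and Checksum fields (RFC 2784 / RFC 2890).

Added example, not code from the Huawei document. Shows what 'gre key 123456' and
the end-to-end (checksum) check do on the wire. SAMPLE_PAYLOAD is constructed;
the key values 123456 and 654321 come from the data plans of this section."""
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # Checksum, Key, Sequence flag bits
PROTO_IPV4 = 0x0800

# Constructed stand-in for the inner packet (not a valid IPv4 datagram).
SAMPLE_PAYLOAD = bytes.fromhex("45000014000100004001") + b"inner-ipv4-bytes"


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, key=None, checksum=False, proto=PROTO_IPV4) -> bytes:
    """Encapsulate payload; Checksum covers the GRE header and payload (field zero while computing)."""
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)        # Checksum + Reserved1 placeholders
    if key is not None:
        hdr += struct.pack("!I", key)
    if checksum:
        csum = ones_complement_checksum(hdr + payload)
        hdr = hdr[:4] + struct.pack("!H", csum) + hdr[6:]
    return hdr + payload


def parse_gre(packet: bytes, expected_key=None):
    """Return (protocol, key, payload); raise ValueError where a receiver would drop the packet."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    hdr_len = 4 + (4 if flags & GRE_C else 0) + (4 if flags & GRE_K else 0) + (4 if flags & GRE_S else 0)
    if len(packet) < hdr_len:
        raise ValueError("truncated GRE header")
    offset, key = 4, None
    if flags & GRE_C:
        # Summing the whole packet, stored checksum included, must give zero.
        if ones_complement_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
        offset += 4
    if flags & GRE_K:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_S:
        offset += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch: packet not accepted")
    return proto, key, packet[offset:]


def accepts(packet: bytes, expected_key=None) -> bool:
    """Convenience wrapper: True when the receiving end would accept the packet."""
    try:
        parse_gre(packet, expected_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = build_gre(SAMPLE_PAYLOAD, key=123456, checksum=True)
    print("same key on both ends:", accepts(pkt, 123456))
    print("peer configured with 654321:", accepts(pkt, 654321))
    print("payload corrupted in transit:", accepts(pkt[:-1] + bytes([pkt[-1] ^ 0xFF]), 123456))
```

The Key field is a 32-bit tunnel identifier and the checksum only detects corruption; neither provides cryptographic authentication or confidentiality of the tunnelled traffic. For that, this document applies an IPSec policy on the Pi interface (see 3.14.5).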
4. Bind the domain and the GRE tunnel to the VPN instance.
# Set the domain of the user to enterprise.com.
[PDSN]domain enterprise.com
# Set the name of the VPN instance bound with the domain to ispvpn.
[PDSN-domain-enterprise.com]vpn-instance ispvpn
NOTE
For the configurations related to domain-specific address pool, authentication, and domain name server (DNS), see 7.1 Configuring the Domain Data.
CAUTION
Bind the GRE tunnel to the VPN instance before setting the IP address of the tunnel interface. Otherwise, the set IP address is deleted when the binding operation is performed.
[PDSN-Tunnel3/0/0]ip binding vpn-instance ispvpn
CAUTION
The IP address of the tunnel interface on firewall B must be in the same network segment as tunnel3/0/0.
# Return to the system view.
5. Bind the AAA server and the Pi interface to the VPN instance.
# Configure the RADIUS server group group1.
[PDSN-access]radius-server group group1
# Configure the AAA authentication. Set the IP address of the active AAA server to 10.110.100.1. The active AAA server is bound to the VPN instance ispvpn. The key is ispchina.
[PDSN-access-radius-group1]radius-server authentication ip 10.110.100.1 vpn-instance ispvpn key ispchina
# Set the IP address of the standby AAA server to 10.110.100.2. The standby AAA server is bound to the VPN instance ispvpn. The key is chinaisp.
[PDSN-access-radius-group1]radius-server authentication ip 10.110.100.2 vpn-instance ispvpn key chinaisp secondary
CAUTION
Bind the Pi interface to the VPN instance before setting the IP address of the interface. Otherwise, the set IP address is deleted when the binding operation is performed.
[PDSN-Piif3/0/0]ip binding vpn-instance ispvpn
One GRE tunnel is used and the binding relation between the GRE tunnel and the VPN instance is already configured. Therefore, you do not need to configure the binding relation again.
6. Configure the route of the VPN instance.
# Configure a route for the VPN instance. Set a static route. The destination is the network segment 10.110.0.0/16 where the intranet enterprise.com belongs. The next hop is the tunnel3/0/0 interface.
[PDSN]ip route-static vpn-instance ispvpn 10.110.0.0 16 tunnel3/0/0
Because the AAA server is located in the intranet and one GRE tunnel is used, the route that is configured here is also the route for the VPN instance between the PDSN9660 and the AAA server.
CAUTION
You must configure a tunnel route to the PDSN9660 on the peer of the tunnel. If the GRE tunnel connects the PDSN9660 and the AAA server, the peer must be configured with a route to the Pi interface on the PDSN9660. If the GRE tunnel connects the PDSN9660 and the intranet, the peer must be configured with a route to the network segment where the MS belongs.
7. Check the connectivity of the tunnel.
# Ping the peer IP address of the tunnel interface. If the connection is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.
[PDSN]ping -vpn-instance ispvpn -a 192.168.5.1 192.168.5.2
CAUTION
When checking the connectivity of a tunnel, you must set the source address to the IP address of the tunnel interface. If the source address is not specified, by default the PDSN9660 takes the IP address of the physical interface through which the PING packets are sent as the source address. This means that you can only test whether the physical interface connects properly to the peer end. You cannot test the connectivity of the tunnel.
# Exit the system view.
[PDSN]quit
8.
Networking Requirement
Figure 3-12 shows the networking. The domain name of the intranet is enterprise.com. Data packets and signaling packets are transmitted through separate VPN tunnels. Two VPN instances are created. The physical interface or Eth-trunk interface, route, Domain, and GRE tunnel for data packets are bound to one VPN. The physical interface or Eth-trunk interface, route, Domain interface, AAA server, and GRE tunnel for the Remote Authentication Dial In User Service (RADIUS) authentication and accounting packets are bound to the other VPN.
Data Collection
Plan the data as follows.

VPN
  Name of the VPN instance used to access the intranet: ispvpn
  Router distinguisher (RD) value: 100:1
  Name of the VPN instance used to access the AAA server: aaavpn
  RD value: 111:1

GRE tunnel of the intranet
  Tunnel information: The start point of the tunnel is the Ethernet interface on the LPU in slot 1. The IP address of this interface is 192.168.1.10/24. The end point is the outbound interface on firewall B in the intranet. The IP address of this interface is 202.1.1.1/24.
  IP address of the loopback1 interface: 1.1.1.9/32
  Target board of the loopback1 interface: CPU 0 on the SPU in group 3
  Protocol employed on the loopback1 interface: GRE
  Tunnel interface: tunnel3/0/0
  Source address of the tunnel interface: IP address of the loopback1 interface, that is, 1.1.1.9/32
  Destination address of the tunnel interface: 2.2.2.9/32
  Next hop address of the route from source to destination of the tunnel interface: 192.168.1.20/24
  Network address of the local tunnel interface:
  Network address of the peer tunnel interface:
  Check mode on both ends of the tunnel:
  Key authentication:

GRE tunnel of the AAA server
  Tunnel information: The start point of the tunnel is the Ethernet interface on the LPU in slot 2. The IP address of this interface is 192.168.4.1/24. The endpoint is the outbound interface on firewall C to the AAA server. The IP address of this interface is 223.1.1.1/24.
  IP address of the loopback2 interface: 3.3.3.9/32
  Target board of the loopback2 interface: CPU 0 on the SPU in group 7
  Protocol employed on the loopback2 interface: GRE
  Tunnel interface: tunnel7/0/0
  Network address of the local tunnel interface: 192.168.7.1/24
  Network address of the peer tunnel interface: 192.168.7.2/24
  Source address of the tunnel interface: IP address of the loopback2 interface, that is, 3.3.3.9/32
  Destination address of the tunnel interface: 4.4.4.9/32
  Next hop address of the route from source to destination of the tunnel interface: 192.168.4.2/24
  Check mode on both ends of the tunnel: End-to-end check
  Key authentication: Authentication key: 654321

Domain
  Network segment of the intranet: 10.110.0.0/16
  Domain name: enterprise.com
  VPN instance: ispvpn
  Network segment of the mobile station (MS): 192.168.10.0/24

AAA server
  RADIUS server group: group1
  Active AAA server: The IP address is 172.16.1.1. The active AAA server is bound to the VPN instance aaavpn and the key is abcdefg.
  Standby AAA server: The IP address is 172.16.1.2. The standby AAA server is bound to the VPN instance aaavpn and the key is gfedcba.
  IP address of the piif3/0/0 interface: 10.73.98.8/32
Configuration Procedure
1. The physical interface or Eth-trunk interface and route for the interworking are configured. For details, see 3.14.2 Outband Networking.
2. Configure the GRE VPN between the PDSN9660 and the intranet.
# Set the mapping between the loopback1 interface and CPU 0 on the SPU in group 3.
[PDSN-LoopBack1]target-board spu 3 0
# Set the source address of the tunnel interface. The source address is obtained through the loopback1 interface specified as the tunnel interface.
[PDSN-Tunnel3/0/0]source loopback1
CAUTION
The source address and destination address of the tunnel on firewall B are the destination address and source address of the tunnel on the PDSN9660 respectively. That is, the source address and destination address of the tunnel on firewall B are 2.2.2.9/32 and 1.1.1.9 respectively.
CAUTION
You must also configure the end-to-end check for the tunnel on firewall B.
[PDSN-Tunnel3/0/0]gre checksum
CAUTION
You must set the same key on firewall B.
[PDSN-Tunnel3/0/0]gre key 123456
# Set the route from source to destination of the tunnel interface. The next hop address is 192.168.1.20/24.
[PDSN]ip route-static vpn-instance ispvpn 2.2.2.9 32 192.168.1.20
- Bind the domain and the GRE tunnel to the VPN instance.
# Set the domain of the user to enterprise.com.
[PDSN]domain enterprise.com
# Set the name of the VPN instance bound with the domain to ispvpn.
[PDSN-domain-enterprise.com]vpn-instance ispvpn
NOTE
For the configurations related to domain-specific address pool, authentication, and domain name server (DNS), see 7.1 Configuring the Domain Data.
CAUTION
# Bind the GRE tunnel to the VPN instance before setting the IP address of the tunnel interface. Otherwise, the set IP address is deleted when the binding operation is performed.
[PDSN-Tunnel3/0/0]ip binding vpn-instance ispvpn
CAUTION
The IP address of the tunnel interface on firewall B must be in the same network segment as tunnel3/0/0. You do not need to set the IP address for the tunnel interface if the tunnel connectivity is not checked.
# Return to the system view.
[PDSN-Tunnel3/0/0]quit
- Configure the route of the VPN instance.
# Configure a route for the VPN instance. Set a static route. The destination is the network segment 10.110.0.0/16 where the intranet enterprise.com belongs. The next hop is the tunnel3/0/0 interface.
[PDSN]ip route-static vpn-instance ispvpn 10.110.0.0 16 tunnel3/0/0
CAUTION
For firewall B at the peer end, you must configure the route to the network segment where the MS belongs for downlink packets to the MS. The next hop is the tunnel interface on firewall B.
- Check the connectivity of the tunnel.
# Ping the peer IP address of the tunnel interface. If the connection is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.
[PDSN]ping -vpn-instance ispvpn -a 192.168.5.1 192.168.5.2
CAUTION
When checking the connectivity of a tunnel, you must set the source address to the IP address of the tunnel interface. If the source address is not specified, by default the PDSN9660 takes the IP address of the physical interface through which the PING packets are sent as the source address. This means that you can only test whether the physical interface connects properly to the peer end. You cannot test the connectivity of the tunnel.
3. Configure the GRE VPN between the PDSN9660 and the AAA server.
# Set the mapping between the loopback2 interface and CPU 0 on the SPU in group 7.
[PDSN-LoopBack2]target-board spu 7 0
# Set the source address and destination address of the tunnel. For the PDSN9660, the source address is 3.3.3.9 and the destination address is 4.4.4.9.
[PDSN-Tunnel7/0/0]source loopback2
[PDSN-Tunnel7/0/0]destination 4.4.4.9
CAUTION
The source address and destination address of the tunnel on firewall C are the destination address and source address of the tunnel on the PDSN9660 respectively. That is, the source address and destination address of the tunnel on firewall C are 4.4.4.9 and 3.3.3.9 respectively.
# Configure the end-to-end check for the tunnel.
CAUTION
You must also configure the end-to-end check for the tunnel on firewall C.
[PDSN-Tunnel7/0/0]gre checksum
CAUTION
You must set the same key on firewall C.
[PDSN-Tunnel7/0/0]gre key 654321
# Set the route from source to destination of the tunnel interface. The next hop address is 192.168.4.2/24.
[PDSN]ip route-static vpn-instance ispvpn 4.4.4.9 32 192.168.4.2
- Bind the AAA server, Pi interface, and GRE tunnel to the VPN instance.
# Configure the RADIUS server group group1.
[PDSN-access]radius-server group group1
# Configure the AAA authentication. Set the IP address of the active AAA server to 172.16.1.1. The active AAA server is bound to the VPN instance aaavpn. The key is abcdefg.
[PDSN-access-radius-group1]radius-server authentication ip 172.16.1.1 vpn-instance aaavpn key abcdefg
# Set the IP address of the standby AAA server to 172.16.1.2. The standby AAA server is bound to the VPN instance aaavpn. The key is gfedcba.
[PDSN-access-radius-group1]radius-server authentication ip 172.16.1.2 vpn-instance aaavpn key gfedcba secondary
CAUTION
# Bind the Pi interface to the VPN instance before setting the IP address of the interface. Otherwise, the set IP address is deleted when the binding operation is performed.
[PDSN-Piif3/0/0]ip binding vpn-instance aaavpn
CAUTION
# Bind the GRE tunnel to the VPN instance before setting the IP address of the tunnel interface. Otherwise, the set IP address is deleted when the binding operation is performed. If the connectivity of the tunnel is not checked, you do not need to set the IP address of the tunnel interface.
[PDSN-Tunnel7/0/0]ip binding vpn-instance aaavpn
CAUTION
The IP address of the tunnel interface on firewall C must be in the same network segment as tunnel7/0/0.
[PDSN-Tunnel7/0/0]ip address 192.168.7.1 24
- Configure the route of the VPN instance.
# Configure a route for the VPN instance. Set a static route. The destination is the network segment 172.16.1.0/24 where the AAA server belongs. The next hop is the tunnel7/0/0 interface.
[PDSN]ip route-static vpn-instance aaavpn 172.16.1.0 24 tunnel7/0/0
- Check the connectivity of the tunnel.
# Ping the peer IP address of the tunnel interface. If the connection is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.
[PDSN]ping -vpn-instance aaavpn -a 192.168.7.1 192.168.7.2
4.
Networking Requirement
The PDSN9660 supports the IPSec function on the Pi interface. The PDSN9660 sets up a security tunnel to the AAA server that also supports the IPSec function. This security tunnel can protect the data traffic between the PDSN9660 and the AAA server. See Figure 3-13.
Figure 3-13 Networking of setting up a security tunnel between the PDSN9660 and the AAA server
[Figure: PDSN9660, AAA server]
Data Collection
Manually set up a security association (SA) for performing the IPSec processing for the data flows from the PDSN9660 to the AAA server. Plan the data as follows.
3-60 Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 02 (2009-04-10)
Protected data flows
  Access control list (ACL) number: 3101
  Data flows: IP packets from the piif3/0/0 interface (10.8.20.1) on the PDSN9660 to the interface (10.8.10.1) of the AAA server
IPSec proposal
  IPSec proposal name: propo1
  Security protocol: ESP
  Authentication algorithm: SHA-1
  Encryption algorithm: DES
  Encapsulation mode: Tunnel mode
IPSec policy
  IPSec policy name: map1
  Sequence number: 10
  Negotiation mode: Manual configuration mode
  Security parameter index (SPI) of the outbound Encapsulating Security Payload (ESP) SA: 12345
  SPI of the inbound ESP SA: (not shown)
  Outbound ESP SA key, which is a character string: (not shown)
  Inbound ESP SA key, which is a character string: (not shown)
  Peer IP address of the tunnel: 10.8.10.1
Configuration Procedure
1. The interworking between the PDSN9660 and the AAA server is configured. For details, see 3.14.1 Inband Networking and 3.14.2 Outband Networking.
2. Configure the data flows to be protected.
# Enter the system view.
<PDSN>system-view
# Create advanced ACL 3101 and enter the ACL view (this command precedes the rule below; it is implied by the ACL view prompt).
[PDSN]acl number 3101
# Configure the ACL rule. Set the source address (the Pi interface of the PDSN9660) to 10.8.20.1 with wildcard mask 0.0.0.0 and the destination address (the AAA server) to 10.8.10.1 with wildcard mask 0.0.0.0. A wildcard mask of 0.0.0.0 means every address bit must match, so exactly this host pair is selected for protection; traffic that matches no rule is sent unprotected.
[PDSN-acl-3101]rule permit ip source 10.8.20.1 0.0.0.0 destination 10.8.10.1 0.0.0.0
[PDSN-acl-3101]quit
3. Create an IPSec proposal.
# Create the IPSec proposal propo1 and enter the IPSec proposal view.
[PDSN]ipsec proposal propo1
# Set the security protocol, algorithms and encapsulation mode from the data plan: ESP, SHA-1 authentication, DES encryption, tunnel mode. (These commands are not reproduced in the extracted procedure; they are added here from the plan.)
[PDSN-ipsec-proposal-propo1]transform esp
[PDSN-ipsec-proposal-propo1]esp authentication-algorithm sha1
[PDSN-ipsec-proposal-propo1]esp encryption-algorithm des
[PDSN-ipsec-proposal-propo1]encapsulation-mode tunnel
[PDSN-ipsec-proposal-propo1]quit
4. Create an IPSec policy on the PDSN9660.
# Create an IPSec policy and enter the IPSec policy view. Set the name of the IPSec policy to map1, the sequence number to 10, and the negotiation mode to manual.
[PDSN]ipsec policy map1 10 manual
# Set the peer IP address of the tunnel, that is, the IP address of the AAA server, to 10.8.10.1.
[PDSN-ipsec-policy-manual-map1-10]tunnel remote 10.8.10.1
# Reference the proposal and set the outbound SPI from the data plan. The inbound SPI and the two SA string keys are not shown on this page; they must match the plan agreed with the AAA server (the outbound SPI and key of the PDSN9660 are the inbound SPI and key of the AAA server, and vice versa).
[PDSN-ipsec-policy-manual-map1-10]proposal propo1
[PDSN-ipsec-policy-manual-map1-10]sa spi outbound esp 12345
[PDSN-ipsec-policy-manual-map1-10]quit
5. Apply the IPSec policy group to the interface.
# Enter the view of the piif3/0/0 interface.
[PDSN]interface Piif3/0/0
# Set the IP address of the Pi interface to 10.8.20.1 and the subnet mask to 255.255.255.255.
[PDSN-Piif3/0/0]ip address 10.8.20.1 255.255.255.255
# Apply the IPSec policy group map1 to the interface. Only after this command are packets matching ACL 3101 sent ESP-encapsulated; packets that match no rule leave the interface in the clear.
[PDSN-Piif3/0/0]ipsec policy map1
[PDSN-Piif3/0/0]quit
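The following is an added example and not code from the Huawei document: a small Python model of what the manual-SA parameters planned above (SPI, per-direction key, ESP with SHA-1 authentication, tunnel mode) do on the wire. It encapsulates a constructed inner packet as the PDSN9660 would on its outbound SA with SPI 12345, and decapsulates it as the AAA server would on the matching inbound SA: SPI lookup, ICV check, replay check, trailer removal. The key strings, the inbound SPI and the inner packet are placeholders (the page does not give them), the configured key string is used directly as the HMAC key, and encryption is modelled as NULL (RFC 2410) because the Python standard library has no DES; the SPI, sequence number and ICV handling are the same with DES.

```python
# Added example (not from the Huawei page): how a manual ESP SA is used on the wire.
# Encryption is NULL here (no DES in the standard library); SPI/sequence/ICV handling
# is identical for DES. Keys and the inbound SPI are placeholders.
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): the 20-byte HMAC-SHA1 tag is truncated to 96 bits


@dataclass
class ManualSA:
    spi: int
    auth_key: bytes  # simplification: the configured key string is used directly as the HMAC key
    seq: int = 0     # last sequence number sent (outbound SA)
    seen: set = field(default_factory=set)  # accepted sequence numbers (inbound SA); simplified anti-replay window


def esp_encapsulate(sa, inner_packet, next_header=4):
    """Build an ESP packet (RFC 4303 layout) in tunnel mode.
    next_header=4 announces that the payload is a complete IPv4 packet.
    The trailer (padding, pad length, next header) is aligned to 4 bytes and
    the ICV covers SPI, sequence number, payload and trailer."""
    sa.seq += 1
    pad_len = (-(len(inner_packet) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", sa.spi, sa.seq)
    body = header + inner_packet + trailer
    icv = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(inbound_sas, packet):
    """Receiver side: select the SA by SPI, verify the ICV before touching the
    payload, reject replayed sequence numbers, then strip the trailer.
    Returns (inner_packet, next_header); raises ValueError on any failure."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = inbound_sas.get(spi)
    if sa is None:
        raise ValueError("no inbound SA for SPI %d" % spi)
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch on SPI %d (wrong key or tampered packet)" % spi)
    if seq in sa.seen:
        raise ValueError("replayed sequence number %d on SPI %d" % (seq, spi))
    sa.seen.add(seq)
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]
    return inner, next_header


def demo_pdsn_to_aaa():
    """Constructed exchange: the PDSN9660's outbound SA (SPI 12345 from the data
    plan) must be configured on the AAA server as the inbound SA with the same
    key. Returns True when the AAA side recovers the original inner packet."""
    pdsn_out = ManualSA(spi=12345, auth_key=b"outbound-key-placeholder")
    aaa_in = {12345: ManualSA(spi=12345, auth_key=b"outbound-key-placeholder")}
    # constructed inner IPv4 packet 10.8.20.1 -> 10.8.10.1 (header abbreviated to its first two bytes)
    inner = b"\x45\x00" + b"RADIUS Access-Request 10.8.20.1 -> 10.8.10.1"
    wire = esp_encapsulate(pdsn_out, inner)
    recovered, next_header = esp_decapsulate(aaa_in, wire)
    return recovered == inner and next_header == 4
```

The point to check in practice is the mirroring: the outbound SPI and key of the PDSN9660 must be the inbound SPI and key of the AAA server, and vice versa. With manual SAs nothing is negotiated, so a mismatch shows up only as ICV failures (dropped packets), not as a negotiation error. Manual keying also means the keys never rotate, and DES gives only 56-bit strength; where the AAA server supports it, an IKE-negotiated SA (3.9.3 to 3.9.7 in this document) with a stronger proposal is preferable.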
4
Prerequisite
- The PDSN9660 and the OCS are installed.
- The data configuration for interworking with the PDSN9660 is configured on the OCS.
4.1 Planning the Networking for Connecting to the OCS: This describes the networking for connecting to the online charging system (OCS).
4.2 Creating a VPN Instance: This describes how to create a virtual private network (VPN) instance to identify a VPN.
4.3 Configuring the Physical Interface: This describes how to configure a physical interface to establish the physical path between the PDSN9660 and the network entity.
4.4 Configuring the Eth-trunk Interface: This describes how to configure the Eth-trunk interface. To enhance networking reliability, configure the Eth-trunk interface to establish a path between the PDSN9660 and the network entity, and enable the Address Resolution Protocol (ARP) probe function.
4.5 Configuring the Sub-interface: This describes how to configure the sub-interface. To solve the problem of limited physical interfaces, configure sub-interfaces to establish paths between the PDSN9660 and the network entity.
4.6 Configuring the Gy Interface: This describes how to create the logical communication path between the online charging system (OCS) and the PDSN9660.
4.7 Configuring the Static Route to the OCS: This describes how to configure the static route to realize the interworking between the PDSN9660 and the online charging system (OCS) at the network layer.
4.8 Configuring the Dynamic Route to the OCS: You can configure a dynamic route for the interworking between the PDSN9660 and the online charging system (OCS) at the network layer.
4.9 Configuring the OCS Information: This describes how to configure the information about the online charging system (OCS).
4.10 Commissioning the Data for the Interworking with the OCS: This describes how to commission the data for the interworking with the online charging system (OCS).
4.11 Configuration Example: This provides an example of the configuration for the interworking between the PDSN9660 and the online charging system (OCS).
4.1 Planning the Networking for Connecting to the OCS
Configuration Roadmap
See Figure 4-1. For the interworking between the PDSN9660 and the OCS, you must establish the physical path and the logical link and configure the routing protocol for the interworking at the network layer. You must also add the OCS information on the PDSN9660.
Figure 4-1 (flowchart): choose a networking mode (simple networking: configure the physical interface; reliability networking: configure the Eth-trunk interface); decide whether to configure a static or a dynamic route (static route: configure the static route to the OCS; dynamic route: configure the dynamic route to the OCS); End.
By clicking the following operations, you can check the corresponding configuration tasks.
- 4.2 Creating a VPN Instance
- 4.3 Configuring the Physical Interface or 4.5 Configuring the Sub-interface
- 4.4 Configuring the Eth-trunk Interface or 4.5 Configuring the Sub-interface
- 4.6 Configuring the Gy Interface
- 4.7 Configuring the Static Route to the OCS
- 4.8 Configuring the Dynamic Route to the OCS
- 4.9 Configuring the OCS Information
NOTE
You can configure sub-interfaces to solve the problem of limited physical interfaces. Data traffic of different types can share one physical interface. You do not need to use a sub-interface if the physical interface or Eth-trunk interface can meet the requirements.
Networking scheme and characteristics
Simple networking: It is easy to configure the physical path by using a single physical interface. This method is suitable for simple networks. One configured physical interface can be shared by two links. Sub-interfaces can be used to solve the problem of limited physical interfaces, so that data traffic of different types shares one physical interface; a sub-interface is not needed if the physical interface or Eth-trunk interface meets the requirements.
Reliability networking:
- Active/standby mode: It can enhance reliability. When a member link is faulty, the traffic is automatically switched to another available link.
- Load-sharing mode: It can improve bandwidth and enhance reliability. The bandwidth of the Eth-trunk interface is the total bandwidth of all physical interfaces. If a physical interface is Down, other member interfaces are still available for data transmission.
3. Configure the logical path. For details, see 4.6 Configuring the Gy Interface.
4. Configure the route to the OCS for the interworking at the network layer with the OCS.
Routing protocol, reference and characteristic
Static route (4.7 Configuring the Static Route to the OCS): The static routing mode is applicable for a small stable network with simple topology.
Dynamic route (4.8 Configuring the Dynamic Route to the OCS): A dynamic routing mode is applicable for a network with complex topology and a certain number of Layer 3 devices. Dynamic routing automatically adapts to changes in network topology.
5. Add the OCS information. For details, see 4.9 Configuring the OCS Information.
Configuration example: The Eth-trunk active/standby mode can improve reliability. When a member link is faulty, the traffic is automatically switched to another available link. This scheme simplifies the configuration when the PDSN9660 interworks with multiple OCSs and is easy to manage: if the IP addresses or the planning of the OCSs change, no configuration change is required on the PDSN9660. The VPN networking mode is employed to improve security. Bind the physical interface and the logical interface to the same VPN, and specify that VPN as the VPN instance of the static route. For details, see 4.11 Configuration Example.
4.2 Creating a VPN Instance
Configuration Principle
- You must configure the route distinguisher (RD) when establishing a VPN. A VPN instance takes effect only after its RD is configured. The RD cannot be modified in place once configured: to change it, delete every VPN instance that uses this RD (which removes the RD value), and then re-create the VPN instances with the new RD value.
Data Planning
1  Name of the VPN instance
2  Global RD
Procedure
Step 1 Run ip vpn-instance to create a VPN instance.
Step 2 Run route-distinguisher to specify the RD of the VPN instance.
----End
4.3 Configuring the Physical Interface
Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
Single physical interface is a simple method to set up a physical path.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a virtual private network (VPN), you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning
1  Name of the physical interface that is connected to the networking entities
2  (Optional) VPNs to which the interfaces are bound
3  IP addresses and subnet masks of the physical interfaces
Procedure
Step 1 Run interface to enter the interface view.
Step 2 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 3 Run ip address to set the IP address of the physical interface.
----End
4.4 Configuring the Eth-trunk Interface
Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
An Eth-trunk interface can work in either active/standby mode or load-sharing mode.
- Active/standby mode: It can enhance reliability. When a member link is Down, the traffic is automatically switched to another available link.
- Load-sharing mode: It can improve bandwidth usage and enhance reliability. The bandwidth of the Eth-trunk interface is the total bandwidth of all physical interfaces. If a physical interface is Down, other member interfaces are still available for data transmission.
- Using active and standby Eth-trunk interfaces that each operate in load-sharing mode further enhances reliability and ensures connectivity of the physical path. You can configure the cost value for running Open Shortest Path First (OSPF) on an interface to specify whether the interface is active or standby. The interface with the larger cost value serves as the standby interface.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a VPN, you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning
Data planning for configuring the Eth-trunk interface
1  Physical interfaces that are bound to an Eth-trunk logical interface
2  Operating modes of the Eth-trunk logical interfaces
3  (Optional) VPNs to which the interfaces are bound
4  IP addresses of the Eth-trunk logical interfaces
Procedure
Step 1 Run interface eth-trunk to create an Eth-trunk interface.
Step 2 Run workmode to set the operating mode of the Eth-trunk interface to active/standby or load-sharing.
Step 3 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 4 Run ip address to set the IP address of the Eth-trunk interface.
Step 5 Run quit to return to the system view.
Step 6 Run interface to enter the physical interface view.
Step 7 Run eth-trunk to bind the physical interface to the specific Eth-trunk interface.
----End
4.5 Configuring the Sub-interface
Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
Data traffic of different types can share one physical interface with the sub-interface. You can configure multiple logical interfaces over one physical interface.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a VPN, you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning
Data planning for configuring the sub-interface
1  Names of the sub-interfaces
2  (Optional) VPNs to which the sub-interfaces are bound
3  IP addresses and subnet masks of the sub-interfaces
Procedure
Step 1 Run interface to create a sub-interface and enter the sub-interface view.
Step 2 Optional: Run description to configure the description information about the interface.
Step 3 Optional: Run ip binding vpn-instance to bind the sub-interface to the specific VPN instance.
Step 4 Run ip address to set the IP address of the sub-interface.
----End
4.6 Configuring the Gy Interface
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- You can specify a virtual private network (VPN) for the logical interface to ensure security. In this case, you must bind the physical interface that corresponds to the logical interface to the same VPN.
- To bind an interface to a VPN, you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
- The Gy interface is created on the SPU and can be modified only when the SPU runs normally and no user exists on the SPU. You cannot configure the Gy interface if the SPU is not started or while it is starting.
Data Planning
1  Name of the Gy interface that is used to interwork with the OCS
2  (Optional) VPNs to which the interfaces are bound
3  IP address of the Gy interface
Procedure
Step 1 Run interface to create the logical Gy interface.
NOTE
The interface to be created must be the planned Gy interface. The interface name consists of the interface type gyif and the interface number. The interface number is in the format of SPU group number/CPU number/virtual port number. The Gy interface is created on the SPU and can be modified only when the SPU runs normally and no user exists on the SPU. You cannot configure the Gy interface if the SPU is not started or when it is starting. If the SPUs work in 1+1 backup mode, the SPU group number must be the odd slot number. If the PDSN9660 works in load-sharing mode, the SPU group number is the number of the slot where the SPU resides.
Step 2 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 3 Run ip address to set the IP address of the Gy interface.
NOTE
When the IP address of the Gy interface is set, the subnet mask must be 255.255.255.255.
----End
4.7 Configuring the Static Route to the OCS
Context
A static routing mode is applicable to a small stable network with simple topology.
Configuration Principle
- When the destination IP address and the mask are both 0.0.0.0, the configured route is the default route. If the PDSN9660 cannot find a matching route in the routing table, the default route is used for packet forwarding.
- When configuring a static route, usually specify the next hop address. For an interface-to-interface (point-to-point) static route, you can specify the outbound interface instead.
Data Planning
1  IP address and subnet mask of the OCS
2  IP address of the interface of the next hop router or firewall towards the OCS
Procedure
Step 1 Run ip route-static to configure a static route.
Step 2 Optional: If VPN networking is employed, you must specify the VPN instance of the static route. Run ip route-static vpn-instance to configure the static route for the VPN instance.
NOTE
- The destination address of the static route is the address of the network segment to which the OCS belongs. The next hop address is the address of the router or firewall to which the PDSN9660 connects.
- If there are multiple OCSs and they are not located in the same network segment, a static route must be configured for each OCS.
CAUTION
On the next hop router or firewall, you must configure the static route to the PDSN9660. The destination address of that static route is the address of the Gy interface on the PDSN9660. The next hop address is the address of the physical interface on the PDSN9660 used for interworking with the OCS, or the address of the Eth-trunk interface when reliability networking is adopted.
----End
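The following is an added example, not part of the Huawei document: a Python model of per-VPN-instance routing tables with longest-prefix matching. It shows the two rules stated above, that the default route (0.0.0.0 0.0.0.0) is used only when no more specific route matches, and that a route installed in one VPN instance is invisible from another instance and from the public table, which is the isolation the VPN networking mode relies on. The routes are the ones configured in this document (172.16.1.0/24 via tunnel7/0/0 in aaavpn, the default route via 10.3.37.81 in vpn_Gy); the 10.110.218.0/24 route via 10.3.37.82 is a constructed addition used only to show that a longer prefix beats the default route.

```python
# Added example (not from the Huawei page): longest-prefix-match lookup in
# per-VPN-instance routing tables. Route entries are taken from the document;
# the 10.110.218.0/24 route via 10.3.37.82 is constructed for illustration.
import ipaddress

PUBLIC = "_public_"  # name used here for the routing table outside any VPN instance


class VpnRoutingTables:
    """One routing table per VPN instance, plus the public table."""

    def __init__(self):
        self.tables = {}  # vpn-instance name -> list of (network, next hop)

    def add_static(self, dest, nexthop, vpn_instance=PUBLIC):
        """Equivalent of: ip route-static [vpn-instance NAME] DEST MASK NEXTHOP."""
        net = ipaddress.ip_network(dest, strict=False)
        self.tables.setdefault(vpn_instance, []).append((net, nexthop))

    def lookup(self, dst_ip, vpn_instance=PUBLIC):
        """Return (matched prefix, next hop) for dst_ip in the given VPN instance,
        preferring the longest matching prefix. A /0 default route only wins when
        nothing longer matches. Returns None when no route (not even a default
        route) exists in that table: the packet would be dropped, not leaked
        into another VPN instance."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, nexthop in self.tables.get(vpn_instance, []):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop)
        return best


def build_tables():
    """Routes as configured in this document (plus one constructed route)."""
    rt = VpnRoutingTables()
    # [PDSN]ip route-static vpn-instance aaavpn 172.16.1.0 24 tunnel7/0/0
    rt.add_static("172.16.1.0/24", "tunnel7/0/0", "aaavpn")
    # [PDSN]ip route-static vpn-instance vpn_Gy 0.0.0.0 0.0.0.0 10.3.37.81
    rt.add_static("0.0.0.0/0", "10.3.37.81", "vpn_Gy")
    # constructed: a more specific route in vpn_Gy, to show longest match beating the default
    rt.add_static("10.110.218.0/24", "10.3.37.82", "vpn_Gy")
    return rt


def forwarding_decisions():
    """Summarise where sample destinations are forwarded, per VPN instance."""
    rt = build_tables()
    checks = [
        ("172.16.1.1", "aaavpn"),   # AAA server: specific route through the GRE tunnel
        ("172.16.1.1", "vpn_Gy"),   # same address, other instance: only the default route applies
        ("10.110.218.59", "vpn_Gy"),  # OCS: constructed /24 beats the /0 default
        ("192.0.2.1", "vpn_Gy"),    # anything else in vpn_Gy goes to router B via the default route
        ("172.16.1.1", PUBLIC),     # public table has no route: None, nothing crosses VPN instances
    ]
    return {(ip, vpn): rt.lookup(ip, vpn) for ip, vpn in checks}
```

Because vpn_Gy carries a default route, every destination looked up in that instance is forwarded towards router B; the isolation that makes this safe is that lookups for other instances never consult that table.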
4.8 Configuring the Dynamic Route to the OCS
Context
The PDSN9660 supports static route configuration as well as dynamic routing protocols such as the Routing Information Protocol (RIP), OSPF, Intermediate System to Intermediate System (IS-IS), and Border Gateway Protocol (BGP). A dynamic routing mode is applicable for a network with complex topology and a certain number of Layer 3 devices. Dynamic routing automatically adapts to changes in network topology. If you plan to employ a dynamic routing protocol such as RIP, OSPF, IS-IS, or BGP, the PDSN9660 must support the protocol. OSPF is taken as the example below to describe the concepts and configuration of a dynamic route.
Table 4-2 Concepts of the OSPF dynamic routing mode
OSPF process number: When you start multiple OSPF processes on the PDSN9660, you must specify different process numbers. The OSPF process number is a local concept and does not affect packet exchange between the PDSN9660 and other routers; routers exchange packets regardless of process numbers.
Router ID: A router ID is required for a router to run OSPF. It is a 32-bit unsigned integer that identifies the router in an autonomous system. You can set it manually; generally it is set to the IP address of an interface on the router. If you do not specify it, the system selects the highest IP address of the loopback interfaces; if no loopback interface is configured, the highest IP address of the other interfaces is selected.
Area: You must specify the area to which an interface running OSPF belongs. Different OSPF processes can share an area. For example, area 0 can be used by both OSPF 1 and OSPF 2.
Area authentication: OSPF supports packet authentication. Only authenticated OSPF packets are accepted; otherwise the neighbor relation cannot be established. All routers in an area must use the same area authentication mode and password.
Network segment: The network segment of the IP addresses of the interface that runs OSPF. A network segment can belong to only one area; that is, you must specify the area for each interface running OSPF. OSPF runs on an interface only when both of the following conditions are satisfied:
- The subnet mask of the interface is not shorter than the mask specified by network.
- The primary IP address of the interface is within the network segment specified by network.
DR priority: When configuring broadcast networks or non-broadcast multiple access (NBMA) networks, you can specify the designated router (DR) priorities of interfaces to influence the DR/backup designated router (BDR) election in the network. A larger value indicates a higher priority. A router with priority 0 cannot be elected as the DR or BDR.
Configuration Principle
The principles for configuring an OSPF dynamic route are as follows:
- If a virtual private network (VPN) instance is specified for the OSPF process, you must run vpn-instance-capability simple so that routes are calculated directly instead of performing routing loop detection.
- To deliver static or other routes to the routers on the backbone network, you must run import-route to import routes that are learned from other protocols.
Data Planning
1  OSPF process number and router ID, or the name of the VPN instance. If the OSPF process is to be bound to a VPN instance, plan the name of the VPN instance.
2  OSPF area, authentication mode, and authentication key
3  Network segment and wildcard mask of an OSPF area. To facilitate future network expansion, you can configure a network segment containing multiple IP addresses for both the physical and logical interfaces, so that no further configuration is required when new interfaces are added. The wildcard mask is the inverse of the subnet mask: change each 0 in the mask to 1 and each 1 to 0. A 1 bit in the wildcard mask means that bit of the IP address is ignored; a 0 bit means that bit must match.
4  Cost value and DR priority of the OSPF interface
Procedure
Step 1 Run system-view to enter the system view.
Step 2 Run interface to enter the interface view.
Step 3 Run ospf cost to set the cost values of the OSPF interfaces.
NOTE
If the cost values for the OSPF interfaces are the same, the load of data transmission is shared among multiple links. If the cost values are different, only the active route with the highest priority is employed to transmit data, thus realizing route redundancy.
Step 4 Run ospf dr-priority to set the DR priorities of the OSPF interfaces.
Step 5 Run quit to exit the interface view.
Step 6 Run ospf to start the OSPF process and enter the OSPF view.
Step 7 Optional: Run import-route to import routes that are learned from other protocols and deliver them to the routers on the backbone network.
Step 8 If a VPN instance was specified for the OSPF process in Step 6, you must run vpn-instance-capability simple so that routes are calculated directly instead of performing routing loop detection.
Step 9 Run area to create the OSPF area and enter the OSPF area view.
Step 10 Optional: Run authentication-mode to specify the authentication mode and key for the OSPF area. Where the peer routers support it, use a keyed (MD5) mode rather than simple authentication: simple authentication carries the key in clear text in every OSPF packet.
Step 11 Run network to set the network segments that the area contains.
----End
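The following is an added example and not code from the Huawei document: Python functions for the wildcard-mask matching that both the ACL rule in the IPSec example (rule permit ip source 10.8.20.1 0.0.0.0 destination 10.8.10.1 0.0.0.0) and the OSPF network statement rely on. It derives a wildcard mask from a subnet mask as described in the data planning above, evaluates an ACL against a source/destination pair with first-match semantics, and checks the two conditions listed in Table 4-2 for an interface to run OSPF. The ACL entry is the one from this document; the OSPF interface addresses are constructed.

```python
# Added example (not from the Huawei page): wildcard-mask matching for ACL rules
# and OSPF network statements. ACL 3101 is the page's rule; the OSPF interface
# addresses used in the demo are constructed.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(ip):
    return int(ipaddress.ip_address(ip))


def wildcard_from_mask(subnet_mask):
    """Wildcard mask = bitwise inverse of the subnet mask.
    A 0 bit in the wildcard must match; a 1 bit is ignored."""
    return str(ipaddress.ip_address(ip_to_int(subnet_mask) ^ ALL_ONES))


def wildcard_match(ip, network, wildcard):
    """True when ip agrees with network on every bit that is 0 in the wildcard."""
    care = ~ip_to_int(wildcard) & ALL_ONES
    return (ip_to_int(ip) & care) == (ip_to_int(network) & care)


# The ACL from the IPSec example: (action, src, src wildcard, dst, dst wildcard).
ACL_3101 = [
    ("permit", "10.8.20.1", "0.0.0.0", "10.8.10.1", "0.0.0.0"),
]


def acl_decision(rules, src, dst):
    """First matching rule wins. Returns the rule's action, or None when no
    rule matches; for IPSec data-flow selection an unmatched packet is not
    protected (it is sent in the clear), so None is the dangerous case."""
    for action, s_net, s_wc, d_net, d_wc in rules:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return None


def ospf_interface_enabled(iface_ip, iface_mask, net_addr, net_wildcard):
    """The two conditions from Table 4-2 for an interface to run OSPF under
    'network NET_ADDR NET_WILDCARD': the interface's primary address lies in
    the range, and the interface mask is not shorter than the mask implied by
    the wildcard (number of 0 bits in the wildcard)."""
    if not wildcard_match(iface_ip, net_addr, net_wildcard):
        return False
    implied_mask_len = bin(ip_to_int(net_wildcard) ^ ALL_ONES).count("1")
    iface_mask_len = bin(ip_to_int(iface_mask)).count("1")
    return iface_mask_len >= implied_mask_len


def demo():
    """Constructed checks: the page's ACL only selects the planned host pair,
    and 'network 10.3.37.0 0.0.0.255' (constructed) covers a /24 interface in
    that range but not a /16 interface or an address outside the range."""
    return {
        "planned flow protected": acl_decision(ACL_3101, "10.8.20.1", "10.8.10.1"),
        "other source unprotected": acl_decision(ACL_3101, "10.8.20.2", "10.8.10.1"),
        "/24 in range": ospf_interface_enabled("10.3.37.82", "255.255.255.0", "10.3.37.0", "0.0.0.255"),
        "/16 too short": ospf_interface_enabled("10.3.37.82", "255.255.0.0", "10.3.37.0", "0.0.0.255"),
        "out of range": ospf_interface_enabled("10.3.38.1", "255.255.255.0", "10.3.37.0", "0.0.0.255"),
    }
```

When widening the ACL later (for example to cover a second AAA server), run the new rule set through acl_decision for every flow that must stay protected: a too-narrow wildcard silently leaves that traffic unencrypted rather than failing.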
4.9 Configuring the OCS Information
Context
Unique device information is assigned to each device on the network. The device information consists of the host name and the home domain name. The service context uniquely identifies a Diameter credit control (DCC) service.
Data Planning
1  PDSN9660 information: host name, domain name, group number of the SPU where the Gy interface resides, and CPU number
2  OCS information: host name, domain name, and IP address
Procedure
Step 1 Run charge-view to enter the charge view.
Step 2 Run gy-local-info to add the information about the PDSN9660.
Step 3 Optional: Run set-gy-integrated to configure the PDSN9660 to use only one Gy interface.
Step 4 Run ocs-info to set the OCS information.
----End
4.10 Commissioning the Data for the Interworking with the OCS
This describes how to commission the data for the interworking with the online charging system (OCS). When the preceding configuration is complete, you can run the following commands to check the running status or configuration result.
Table 4-3 Displaying the data for the interworking between the PDSN9660 and the OCS
display gy-local-info: Displays the local information and the service context.
display ocs-info: Displays the OCS information.
display current-configuration: Displays the current configuration of the interface.
display ip interface: Displays the running status of the interface.
display ip routing-table: Displays the abstract information about the routing table and information about the route with a specified destination IP address.
When some configuration is incorrect or requires modification, you can run the following commands to delete the current configuration and reconfigure the system.
Table 4-4 Deleting the data for the interworking between the PDSN9660 and the OCS
undo gy-local-info: Deletes the local information and the service context.
undo ocs-info: Deletes the OCS information.
undo interface: Deletes the configuration of the interface.
shutdown: Shuts down the physical interface.
undo ip address: Deletes the IP address of the interface.
undo ip route-static: Deletes a specified static route.
4.11 Configuration Example
Networking Requirement
The PDSN9660 is connected to the OCS through router B. See Figure 4-2. The PDSN9660 must interwork with the OCS to perform the online charging for the users. Therefore, you must configure the interworking between the PDSN9660 and the OCS. The Eth-trunk active/standby mode is employed for the networking between the PDSN9660 and the OCS. The Eth-trunk interface and the Gy interface are bound to the same virtual private network (VPN). Packets are forwarded through the default routes of the VPN. This solution features the following advantages:
- Easy configuration: The solution simplifies the configuration when the PDSN9660 interworks with multiple OCSs.
- Easy management: If the IP addresses or the planning of the OCSs change, no configuration change is required on the PDSN9660.
- High security: Network security is enhanced with the configuration of VPN instances.
- High reliability: The active/standby mode of the Eth-trunk interface can enhance reliability. When a member link is faulty, the traffic is automatically switched to an available link.
Figure 4-2 Networking for the interworking between the PDSN9660 and the OCS (figure: PDSN9660 with gyif7/0/0 10.8.10.1/32 and Eth-trunk6, connected through router B to the OCS at 10.110.218.59)
Data Collection
Plan the data as follows.
VPN
  Name of the VPN instance: vpn_Gy
  Route distinguisher (RD) value: 600:1
Eth-trunk6
  IP address and subnet mask of the Eth-trunk6 interface: (not shown)
  Operating mode of the Eth-trunk6 interface: active/standby
  IP address of the interface on router B that is connected to the Eth-trunk6 interface: 10.3.37.81
Gy interface
  Gy interface name: gyif7/0/0
  IP address and subnet mask of the Gy interface: 10.8.10.1/255.255.255.255
Information about the local PDSN9660 and the OCS
  Local device ID: group number of the SPU: 7; CPU ID: 0; host name: PDSN; home domain name: isp.com; service context: context; product name: huawei.com
  OCS ID: host name: ocs1; home domain name: isp.com; IP address: 10.110.218.59
Configuration Procedure
1. Create a VPN instance.
<PDSN>system-view
[PDSN]ip vpn-instance vpn_Gy
[PDSN-vpn-instance-vpn_Gy]route-distinguisher 600:1
[PDSN-vpn-instance-vpn_Gy]quit
2. Configure the Eth-trunk6 interface (the commands for this step are not shown on this page; see 4.4 Configuring the Eth-trunk Interface).
3. Bind the physical interfaces to the Eth-trunk6 interface.
# Bind the GigabitEthernet1/0/6 interface to the Eth-trunk6 interface.
[PDSN]interface GigabitEthernet1/0/6
[PDSN-GigabitEthernet1/0/6]eth-trunk 6
[PDSN-GigabitEthernet1/0/6]quit
4.
Configure the Gy interface. # Create the Gy logical interface on the SPU of group 7.
[PDSN]interface gyif7/0/0
# Bind the Gy interface to the VPN instance before configuring the IP address of the interface. Otherwise, the configured IP address is deleted when the binding operation is performed.
[PDSN-Gyif7/0/0]ip binding vpn-instance vpn_Gy
# Set the IP address of the Gy interface to 10.8.10.1 and the subnet mask to 255.255.255.255.
[PDSN-Gyif7/0/0]ip address 10.8.10.1 255.255.255.255
[PDSN-Gyif7/0/0]quit
5.
Configure the information about the local PDSN and the OCS. # Enter the charge view.
[PDSN]charge-view
# Configure the local information. The group number of the SPU is 7. The CPU ID is 0. The host name is PDSN. The home domain name is isp.com. The service context is context. The product name is huawei.com.
[PDSN-charge]gy-local-info spu 7 cpu 0 host PDSN realm isp.com service-context context product-name huawei.com
# Add information about the OCS whose IP address is 10.110.218.59. The host name is ocs1. The name of the home domain is isp.com.
[PDSN-charge]ocs-info ocs-host ocs1 realm isp.com ip 10.110.218.59
[PDSN-charge]quit
6.
Configure the default route to the OCS. The IP address of the next hop router is 10.3.37.81.
[PDSN]ip route-static vpn-instance vpn_Gy 0.0.0.0 0.0.0.0 10.3.37.81
[PDSN]quit
NOTE
On router B, you need to configure a static route to the PDSN9660. The static route is destined for 10.8.10.1, the IP address of the gyif7/0/0 interface on the PDSN9660. The next hop is the Eth-trunk6 interface on the PDSN9660.
7. Interworking Test
Run ping to check whether the link to the OCS is normal.
<PDSN>ping -vpn-instance vpn_Gy -a 10.8.10.1 10.110.218.59
NOTE
- If the connection is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.
- You must specify the IP address of the Gy interface as the source address (-a 10.8.10.1) to check whether the connection between the Gy interface and the peer device is normal.
5
Prerequisite
- The PDSN9660 and the HA are installed.
- The data for interworking with the PDSN9660 is configured on the HA.
5.1 Configuration Preparation: This describes concepts related to the connection between the PDSN9660 and the home agent (HA).
5.2 Networking for Connecting to the HA: This describes the networking for connecting to the home agent (HA).
5.3 Configuring the Physical Interface: This describes how to configure a physical interface to establish the physical path between the PDSN9660 and the network entity.
5.4 Configuring the Eth-trunk Interface: This describes how to configure the Eth-trunk interface. To enhance networking reliability, configure the Eth-trunk interface to establish a path between the PDSN9660 and the network entity, and enable the Address Resolution Protocol (ARP) probe function.
5.5 Configuring the Pi Interface: This describes how to create the logical communication path between the PDSN9660 and the home agent (HA).
5.6 Configuring the Static Route to the HA: This describes how to configure the static route to realize the interworking between the PDSN9660 and the home agent (HA) at the network layer.
5.7 Commissioning the Data for the Interworking with the HA: This provides the commands for commissioning the configuration data for the interworking with the home agent (HA).
5.8 Configuration Example: This provides an example of the configuration for the interworking with the home agent (HA) to implement the mobile IP (MIP) function.
5.1 Configuration Preparation
Related Concepts
Physical interface: Overview of NEs and Interfaces; Physical Interfaces; Relation Between Logical Interfaces and Physical Interfaces; Interface Naming Rules
Eth-trunk interface: Logical Interfaces; Interface Naming Rules; Networking Reliability
Logical interface: Logical Interfaces; Relation Between Logical Interfaces and Physical Interfaces; Interface Naming Rules
5.2 Networking for Connecting to the HA
Configuration Roadmap
For the interworking between the PDSN9660 and the HA, you must establish the physical path and the logical link, and configure the routing protocol for the interworking at the network layer. See Figure 5-1.
Figure 5-1 Configuration procedure for the interworking between the PDSN9660 and the HA (flowchart): configure data for interworking with the HA; choose a networking mode (simple networking: configure the physical interface; reliability networking: configure the Eth-trunk interface); End.
By clicking the following operations, you can check the corresponding configuration tasks.
- 5.3 Configuring the Physical Interface
- 5.4 Configuring the Eth-trunk Interface
- 5.5 Configuring the Pi Interface
- 5.6 Configuring the Static Route to the HA
Networking Scheme | Characteristic
Simple networking | It is easy to configure the physical path by using a single physical interface. This method is suitable for simple networks. One configured physical interface can be shared by two links.
Reliability networking | Eth-trunk active/standby mode: It can enhance reliability. When a member link is faulty, the traffic is automatically switched to an available link. Eth-trunk load-sharing mode: It can improve bandwidth usage and enhance reliability. The bandwidth of the Eth-trunk interface is the total bandwidth of all physical interfaces. If a physical interface is Down, other member interfaces are still available for data transmission.
2. Configure the Pi interface for establishing the logical link. For details, see 5.5 Configuring the Pi Interface.
3. Configure the route to the HA for the interworking at the network layer with the HA. For details, see 5.6 Configuring the Static Route to the HA.
Configuration Example
The Eth-trunk active/standby mode can improve reliability. When a member link is faulty, the traffic is automatically switched to an available link. This scheme simplifies the configurations when the PDSN9660 interworks with multiple HAs. This scheme features easy management. If the IP addresses or the planning of the HAs changes, no configuration change is required on the PDSN9660. For details, see 5.8 Configuration Example.
5.3 Configuring the Physical Interface

Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
Single physical interface is a simple method to set up a physical path.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a virtual private network (VPN), you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning

No. | Data
1 | Name of the physical interface that is connected to the networking entities
2 | (Optional) VPNs to which the interfaces are bound
3 | IP addresses and subnet masks of the physical interfaces
Procedure
Step 1 Run interface to enter the interface view.
Step 2 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 3 Run ip address to set the IP address of the physical interface.
----End
5.4 Configuring the Eth-trunk Interface

Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
An Eth-trunk interface can work in either active/standby mode or load-sharing mode.
- Active/standby mode: It can enhance reliability. When a member link is Down, the traffic is automatically switched to another available link.
- Load-sharing mode: It can improve bandwidth usage and enhance reliability. The bandwidth of the Eth-trunk interface is the total bandwidth of all physical interfaces. If a physical interface is Down, other member interfaces are still available for data transmission.
- The working mode of active and standby Eth-trunk interfaces that each operate in load-sharing mode can further enhance reliability and ensure connectivity of the physical path. You can configure the cost value for running Open Shortest Path First (OSPF) on an interface to specify whether the interface is active or standby. The interface with a larger cost value serves as the standby interface.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a VPN, you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning

Data planning for configuring the Eth-trunk interface
No. | Data
1 | Physical interfaces that are bound to an Eth-trunk logical interface
2 | Operating modes of the Eth-trunk logical interfaces
3 | (Optional) VPNs to which the interfaces are bound
4 | IP addresses of the Eth-trunk logical interfaces
Procedure
Step 1 Run interface eth-trunk to create an Eth-trunk interface.
Step 2 Run workmode to set the operating mode of the Eth-trunk interface to active/standby or load-sharing.
Step 3 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 4 Run ip address to set the IP address of the Eth-trunk interface.
Step 5 Run quit to return to the system view.
Step 6 Run interface to enter the physical interface view.
Step 7 Run eth-trunk to bind the physical interface to the specific Eth-trunk interface.
----End
5.5 Configuring the Pi Interface

Data Planning

No. | Data
1 | Name of the Pi interface that is used to interwork with the HA
2 | IP address of the Pi interface
Procedure
Step 1 Run interface to create the logical Pi interface.
NOTE
The created interface must be the planned Pi interface. The interface name consists of the interface type piif and the interface number. The interface number is in the format of SPU group number/CPU number/virtual port number. The Pi interface is created on the SPU.
- If the SPUs work in 1+1 backup mode, the SPU group number must be the odd slot number.
- If the PDSN works in load-sharing mode, the SPU group number is the number of the slot where the SPU resides.
Step 2 Run ip address to set the IP address and subnet mask of the Pi interface.
NOTE
When you set the IP address of the Pi interface, the subnet mask must be set to 255.255.255.255.
----End
5.6 Configuring the Static Route to the HA

Context
The static routing mode is applicable for a small stable network with simple topology.
Configuration Principle
- If both the destination IP address and the subnet mask are 0.0.0.0, the configured route is the default route. If the PDSN9660 cannot find a route in the routing table, the default route is employed for packet forwarding.
- When configuring a static route, you can specify the outbound interface or the next hop address as required. For a point-to-point interface or an interface supporting translation from network addresses to link-layer addresses, you can specify the outbound interface or the next hop address. The point-to-multipoint interfaces for non-broadcast multiple access (NBMA), such as X.25 interfaces, dial-up interfaces, and interfaces for trunk encapsulation, are excluded. At the link layer, in addition to the IP route, you must configure the secondary route, that is, mappings between IP addresses and link-layer addresses, for example, dialer map ip, x25 map ip, and frame-relay map ip. In this case, you can specify only the next hop address instead of the outbound interface when configuring the static route.
- If the IP address of the outbound interface is a broadcast address, you must specify the next hop address.
- Under certain circumstances, for example, when packets are encapsulated into Point-to-Point Protocol (PPP) packets, you can specify the outbound interface when configuring the route even if the peer address is unavailable. Therefore, no change in the configurations on the router is required when the peer address is changed.
Data Planning

No. | Data
1 | IP address and subnet mask of the HA
2 | IP address of the outbound interface to the HA, or IP address of the interface on the next hop router or the firewall to the HA
Procedure
Run ip route-static to configure a static route.
NOTE
- The destination address of the static route is the address of the network segment to which the HA belongs. The next hop address is the address of the router or firewall that the PDSN9660 connects to.
- If there are multiple HAs and they are not located in the same network segment, a static route must be configured for each HA.
CAUTION
On the next hop router or firewall, you must configure the static route to the PDSN9660. The destination address of the static route is the IP address of the Pi interface on the PDSN9660, and the next hop address is the IP address of the physical interface on the PDSN9660 used for interworking with the HA, or, when reliability networking is adopted, the IP address of the Eth-trunk interface.
----End
5.7 Commissioning the Data for the Interworking with the HA

Context
After the data for the interworking with the HA is configured, you must check the running status or configuration result.
Procedure
Step 1 Run display interface { ethernet | gigabitethernet } or display interface to check the parameter settings and running status of an interface.
- If the interface is abnormal, rectify the fault according to the fault information. If the fault persists, run undo interface to delete the interface, and then configure the Ethernet interface and the Pi interface. For details, see 5.3 Configuring the Physical Interface, 5.4 Configuring the Eth-trunk Interface, and 5.5 Configuring the Pi Interface.
Step 2 Run display ip interface to check the parameter settings and statistics on the IP interface.
- If the parameter settings are inconsistent with the planning, run undo ip address to delete the IP address of the interface, and then set the IP address. For details, see 5.3 Configuring the Physical Interface, 5.4 Configuring the Eth-trunk Interface, and 5.5 Configuring the Pi Interface.
- If the parameter settings are consistent with the planning, proceed with Step 3.
Step 3 Run display ip routing-table to check abstract information about the routing table and information about the route with a specified destination IP address.
- If the routing information is incorrect, run undo ip route-static to delete the static route, and then configure the static route. For details, see 5.6 Configuring the Static Route to the HA.
- If the routing information is correct, proceed with Step 4.
Step 4 Run ping to check whether the link to the HA is normal.
- If "timeout" is displayed, the link is abnormal. It indicates that the physical path may be faulty.
- If the number of received or sent packets is displayed, the link is normal.
NOTE
You must specify the IP address of the Pi interface to check whether the connection between the Pi interface and the peer device is normal.
----End
5.8 Configuration Example

Networking Requirement
See Figure 5-2. The PDSN9660 is connected to the HA on the packet data network (PDN) through router A. The PDSN9660 employs the Eth-trunk active/standby mode to improve networking reliability. When a member link is faulty, the traffic is automatically switched to an available link.
Figure 5-2 Networking for the interworking between the PDSN9660 and the HA (PDSN9660: Eth-Trunk10 10.3.37.94/28 and piif3/0/0 10.8.50.1/32; Router A: 10.3.37.81/28; network; HA: 192.168.1.1/24)
Data Collection
Plan the data as follows:

Item | Data | Value
Eth-trunk10 | Physical interfaces bound to the Eth-trunk10 interface | GigabitEthernet1/0/10 and GigabitEthernet2/0/10
Eth-trunk10 | IP address and subnet mask of the Eth-trunk10 interface | 10.3.37.94/255.255.255.240
Eth-trunk10 | Operating mode of the Eth-trunk10 interface | Active/standby mode
Router A | IP address of the interface on router A that is connected to the Eth-trunk10 interface | 10.3.37.81
HA | IP address of the HA | 192.168.1.1
Pi interface | Name of the Pi interface | piif3/0/0
Pi interface | IP address and subnet mask of the Pi interface | 10.8.50.1/32
Configuration Procedure
1. Configure the Eth-trunk10 interface.
# Enter the system view.
<PDSN>system-view
# Set the IP address of the Eth-trunk10 interface to 10.3.37.94 and the subnet mask to 255.255.255.240.
[PDSN-Eth-Trunk10]ip address 10.3.37.94 255.255.255.240
2. Bind the physical interfaces to the Eth-trunk10 interface.
# Enter the physical interface view of GigabitEthernet1/0/10.
[PDSN]interface GigabitEthernet1/0/10
[PDSN-GigabitEthernet2/0/10]eth-trunk 10
3. Configure the Pi interface.
# Set the IP address of the Pi interface to 10.8.50.1 and the subnet mask to 255.255.255.255.
[PDSN-piif3/0/0]ip address 10.8.50.1 255.255.255.255
4. Configure the static route to the HA. The IP address of the next hop router is 10.3.37.81.
[PDSN]ip route-static 192.168.1.1 255.255.255.0 10.3.37.81
[PDSN]quit
NOTE
On router A, you need to configure a static route to the PDSN9660. The destination address of the static route is 10.8.50.1. This is the IP address of the piif3/0/0 interface on the PDSN9660. The next hop is the Eth-trunk10 interface on the PDSN9660.
5. Interworking test.
Run ping to check whether the link to the HA is normal.
<PDSN>ping -a 10.8.50.1 192.168.1.1
NOTE
- If the link is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.
- You must specify the IP address of the Pi interface to check whether the connection between the Pi interface and the peer device is normal.
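The planning rules of 5.5 and 5.6 and the commands of this example, encoded as an added Python checker (not Huawei's code and not part of the original document): it validates a plan against the rules the chapter states, renders the corresponding CLI lines, and produces the reciprocal route that router A must hold. The PLAN dictionary, its keys, and the `interface Eth-Trunk 10` spelling are assumptions of this example.

```python
"""Plan checker for the PDSN9660-to-HA interworking example (section 5.8).

Added example written for this page; it is not Huawei tooling and not part of
the original document. It encodes the planning rules the chapter states and
renders the CLI lines the example shows, so a plan can be checked before it
is typed into the PDSN9660. The PLAN layout and rule wording are assumptions.
"""
import ipaddress

# Constructed plan taken from Figure 5-2 and the data collection table.
PLAN = {
    "eth_trunk": {
        "number": 10,
        "ip": "10.3.37.94",
        "mask": "255.255.255.240",
        "members": ["GigabitEthernet1/0/10", "GigabitEthernet2/0/10"],
    },
    "pi": {"name": "piif3/0/0", "ip": "10.8.50.1", "mask": "255.255.255.255"},
    "next_hop": "10.3.37.81",  # interface of router A facing Eth-Trunk10
    "ha": {"ip": "192.168.1.1", "route_dest": "192.168.1.1", "route_mask": "255.255.255.0"},
}


def _parse(plan):
    """Turn the plan's dotted strings into ipaddress objects."""
    trunk = ipaddress.ip_interface(f"{plan['eth_trunk']['ip']}/{plan['eth_trunk']['mask']}")
    pi = ipaddress.ip_interface(f"{plan['pi']['ip']}/{plan['pi']['mask']}")
    next_hop = ipaddress.ip_address(plan["next_hop"])
    ha = ipaddress.ip_address(plan["ha"]["ip"])
    # strict=False: the page writes the route as 192.168.1.1/255.255.255.0,
    # which ipaddress normalises to the segment 192.168.1.0/24.
    route = ipaddress.ip_network(
        f"{plan['ha']['route_dest']}/{plan['ha']['route_mask']}", strict=False)
    return trunk, pi, next_hop, ha, route


def check_plan(plan):
    """Return the planning rules the plan violates; an empty list means it passes."""
    trunk, pi, next_hop, ha, route = _parse(plan)
    problems = []
    # 5.5 NOTE: the Pi interface mask must be 255.255.255.255.
    if pi.network.prefixlen != 32:
        problems.append("Pi interface mask must be 255.255.255.255")
    # 5.6 NOTE: the next hop is the router or firewall the PDSN9660 connects to,
    # so it must be another host on the Eth-trunk subnet.
    if next_hop not in trunk.network or next_hop == trunk.ip:
        problems.append("next hop is not a peer on the Eth-trunk subnet")
    # 5.6 NOTE: the destination is the network segment the HA belongs to.
    if ha not in route:
        problems.append("static route does not cover the HA address")
    # Active/standby switching needs a second member link to switch to.
    if len(plan["eth_trunk"]["members"]) < 2:
        problems.append("active/standby Eth-trunk needs at least two member interfaces")
    return problems


def render_cli(plan):
    """Render the PDSN9660 side as the CLI lines of section 5.8, in the order of
    the procedures in 5.4, 5.5 and 5.6. The workmode step (5.4, Step 2) is left
    out because its argument syntax is not shown in the chapter."""
    trunk, pi, next_hop, _ha, _route = _parse(plan)
    number = plan["eth_trunk"]["number"]
    lines = [
        "system-view",
        f"interface Eth-Trunk {number}",
        f"ip address {trunk.ip} {trunk.netmask}",
        "quit",
    ]
    for member in plan["eth_trunk"]["members"]:
        lines += [f"interface {member}", f"eth-trunk {number}", "quit"]
    lines += [
        f"interface {plan['pi']['name']}",
        f"ip address {pi.ip} {pi.netmask}",
        "quit",
        f"ip route-static {plan['ha']['route_dest']} {plan['ha']['route_mask']} {next_hop}",
        "quit",
        # 5.7 Step 4: source the ping from the Pi interface address.
        f"ping -a {pi.ip} {plan['ha']['ip']}",
    ]
    return lines


def router_a_route(plan):
    """The reciprocal route router A must hold (NOTE after step 4 of 5.8):
    destination is the Pi interface address, next hop is Eth-Trunk10."""
    trunk, pi, _nh, _ha, _route = _parse(plan)
    return f"ip route-static {pi.ip} 255.255.255.255 {trunk.ip}"


if __name__ == "__main__":
    for problem in check_plan(PLAN):
        print("PROBLEM:", problem)
    print("\n".join(render_cli(PLAN)))
    print("router A:", router_a_route(PLAN))
```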
6

The mechanisms used by the PDSN9660 to interwork with various NEs at the network layer are the same.
- The PDSN9660 sets up a physical path with the PDN through a physical interface.
- The network-layer interworking with the PDN is realized through routing protocols.
- The downlink data packets to an MS are distinguished from common data packets through the P interface mechanism.
NOTE
The PDSN9660 interworks with the LNS and home agent (HA) through tunneling. When the PDSN9660 performs tunnel encapsulation for uplink packets, the source IP address of the encapsulated packet is the IP address of the Pi interface on the PDSN9660. This is different from the interworking with other NEs on the PDN.
Prerequisite
- The PDSN9660 and the NEs on the PDN are installed.
- The data for interworking with the PDSN9660 is configured on the NEs on the PDN.
6.1 Configuration Preparation
This describes concepts related to the connection between the PDSN9660 and the packet data network (PDN).
6.2 Planning the Networking for Connecting to the PDN
This describes the networking for connecting to the packet data network (PDN).
6.3 Creating a VPN Instance
This describes how to create a virtual private network (VPN) instance to identify a VPN.
6.4 Configuring the Physical Interface
This describes how to configure a physical interface to establish the physical path between the PDSN9660 and the network entity.
6.5 Configuring the Eth-trunk Interface
This describes how to configure the Eth-trunk interface. To enhance networking reliability, configure the Eth-trunk interface to establish the path between the PDSN9660 and the network entity, and enable the Address Resolution Protocol (ARP) probe function.
6.6 Configuring the Sub-interface
This describes how to configure the sub-interface. To solve the problem of limited physical interfaces, configure the sub-interface to establish paths between the PDSN9660 and the network entity.
6.7 Configuring the L2TP VPN
This describes how to configure the Layer 2 Tunneling Protocol (L2TP) virtual private network (VPN). The mobile station (MS) can access an intranet through the data service bearer mode of Point-to-Point Protocol (PPP) relay.
6.8 Configuring the GRE VPN
This describes how to configure the Generic Routing Encapsulation (GRE) virtual private network (VPN).
6.9 Configuring the IPSec Policy
This describes how to configure the IP Security (IPSec) policy.
6.10 Configuring the Static Route to the PDN
This describes how to configure the static route to realize the interworking between the PDSN9660 and the packet data network (PDN) at the network layer.
6.11 Configuring the Dynamic Route to the PDN
This describes how to configure the dynamic route to realize the interworking between the PDSN9660 and the packet data network (PDN) at the network layer.
6.12 Configuring the Downlink Route from the P Interface to the MS
This describes how to configure the downlink route from the P interface to the MS. The system differentiates downlink packets to the MS from ordinary packets so that proper processing can be employed.
6.13 Commissioning the Data for the Interworking with the PDN
This describes how to commission the data for the interworking with the packet data network (PDN).
6.14 Configuration Example
This provides an example of the configuration for the interworking between the PDSN9660 and the packet data network (PDN).
Related Concepts

Related Concept | Reference
Concepts related to interfaces |
Physical interface | Overview of NEs and Interfaces, Physical Interfaces, Relation Between Logical Interfaces and Physical Interfaces, and Interface Naming Rules
Eth-trunk interface | Logical Interfaces and Interface Naming Rules
Sub-interface | Logical Interfaces and Interface Naming Rules
Logical interface | Logical Interfaces, Relation Between Logical Interfaces and Physical Interfaces, and Interface Naming Rules
Concepts related to networking modes |
Networking of the single physical interface mode | Networking of Single Physical Interface and Static Routing Mode
Networking of the Eth-trunk active/standby mode and static routing mode | Networking of Eth-trunk Active/Standby Mode and Static Routing Mode
Networking of the Eth-trunk load-sharing mode and dynamic routing mode | Networking of Eth-trunk Load-sharing Mode and Dynamic Routing Mode
Configuration Roadmap
See Figure 6-1. For the interworking between the PDSN9660 and the PDN, you must establish the physical path and the logical link and configure the routing protocol for the interworking at the network layer. You must also configure the downlink route from the interface of the Pi to a mobile station (MS) to distinguish data packets to the MS from common data packets.
Figure 6-1 (flowchart): choose a networking mode: for simple networking, configure the physical interface; for reliability networking, configure the Eth-trunk interface. Choose a mode to connect to the PDN: common connection, L2TP VPN, GRE VPN, or IPSec (configure the IPSec function). Decision (YES/NO): configure the downlink route from the P interface to the MS. End.
By clicking the following operations, you can check the corresponding configuration tasks.
- 6.3 Creating a VPN Instance
- 6.4 Configuring the Physical Interface or 6.6 Configuring the Sub-interface
- 6.5 Configuring the Eth-trunk Interface or 6.6 Configuring the Sub-interface
- 6.7 Configuring the L2TP VPN
- 6.8 Configuring the GRE VPN
- 6.9 Configuring the IPSec Policy
- 6.10 Configuring the Static Route to the PDN
- 6.11 Configuring the Dynamic Route to the PDN
- 6.12 Configuring the Downlink Route from the P Interface to the MS
NOTE
You can configure sub-interfaces to solve the problem of limited physical interfaces. Data traffic of different types can share one physical interface. You do not need to use a sub-interface if the physical interface or Eth-trunk interface can meet the requirements.
- Single physical interface: It is easy to configure the physical path by using a single physical interface. This method is suitable for simple networks. One configured physical interface can be shared by two links.
- Sub-interface: You can configure sub-interfaces to solve the problem of limited physical interfaces. Data traffic of different types can share one physical interface. You do not need to use a sub-interface if the physical interface or Eth-trunk interface can meet the requirements.
- Eth-trunk active/standby mode: It can enhance reliability. When a member link is faulty, the traffic is automatically switched to another available link.
- Eth-trunk load-sharing mode: It can improve bandwidth and enhance reliability. The bandwidth of the Eth-trunk interface is the total bandwidth of all physical interfaces. If a physical interface is Down, other member interfaces are still available for data transmission.
3. Choose a mode to connect to the PDN.

Connection Mode | Characteristic
L2TP VPN | Multiprotocol transmission is supported. Authentication by the AAA server is supported. Internal address assignment is supported. Flexible network charging is supported.
GRE VPN | Communication within the multi-protocol local network is implemented over the single-protocol backbone network. The coverage area of the network that runs over a hop-limited protocol is expanded. Discontinuous sub-networks are connected.
IPSec | High-quality, interactive, and encryption-based security is provided for data packets transmitted over the Internet. Security services, such as access control, connectionless packet integrity, data source authentication, anti-replay protection, confidentiality, and limited transport stream confidentiality, are provided through the encryption and data source authentication mode at the IP layer between specified parties.
4. Configure the route to the PDN for the interworking at the network layer with the PDN.

Routing Protocol | Characteristic
3.10 Configuring the Static Route to the AAA Server | The static routing mode is applicable for a small stable network with simple topology.
3.11 Configuring the Dynamic Route to the AAA Server | The dynamic routing mode is suitable for a network with complex topology and a certain number of Layer 3 devices. The dynamic routing mode can automatically adapt to changes in network topology.
5. Configure the downlink route of the user whose IP address is assigned by the RADIUS server. For details, see 6.12 Configuring the Downlink Route from the P Interface to the MS.
Table 6-1 Common networking schemes

Networking Scheme | Networking Requirement | Configuration Example
Eth-trunk load-sharing mode + dynamic routing | To improve bandwidth and enhance reliability, you can employ the load-sharing mode for the Eth-trunk interface to distribute traffic to different links to the same destination. To further enhance reliability, two Eth-trunk interfaces that each work in load-sharing mode can be a backup for each other. The Open Shortest Path First (OSPF) dynamic routing mode is employed for complex network topology with a large number of network devices and IP routes to implement reliability networking through redundant routes. The VPN networking mode is employed to improve communication security. Bind the physical interface and the logical interface to the same VPN. Specify the VPN as the VPN instance of the specified dynamic route. | For details, see 6.14.1 Eth-trunk Load-sharing Mode + Dynamic Routing.
Dynamic routing + L2TP VPN tunnel | The sub-interface is employed because of limited physical interfaces. The OSPF dynamic routing mode is employed for complex network topology with a large number of network devices and IP routes to implement reliability networking through redundant routes. The VPN networking mode is employed to improve communication security. Bind the physical interfaces, logical interface, and L2TP group to the same VPN. Specify this VPN as the VPN instance of the specified route. | For details, see 6.14.2 Dynamic Routing + L2TP VPN Tunnel.
IPSec policy applied to the tunnel interface | IPSec is enabled on the tunnel interface. The tunnel interface is used to establish the security tunnel between the PDSN9660 and the intranet. This tunnel can protect the data flows between the PDSN9660 and the intranet. | For details, see 6.14.3 IPSec Policy Applied to the Tunnel Interface.
6.3 Creating a VPN Instance

Configuration Principle
- You must configure the route distinguisher (RD) when establishing a VPN. A VPN can take effect only if the RD is configured.
- The value of the RD cannot be modified directly after it is configured. To change it, you must delete all VPN instances that use this RD (the RD value is deleted with them) and then re-establish the VPNs with a new RD value.
Data Planning

No. | Data
1 | Name of the VPN instance
2 | Global RD
Procedure
Step 1 Run ip vpn-instance to create a VPN instance.
Step 2 Run route-distinguisher to specify the RD of a VPN instance.
----End
6.4 Configuring the Physical Interface

Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
Single physical interface is a simple method to set up a physical path.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a virtual private network (VPN), you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning

No. | Data
1 | Name of the physical interface that is connected to the networking entities
2 | (Optional) VPNs to which the interfaces are bound
3 | IP addresses and subnet masks of the physical interfaces
Procedure
Step 1 Run interface to enter the interface view.
Step 2 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 3 Run ip address to set the IP address of the physical interface.
----End
6.5 Configuring the Eth-trunk Interface

Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
An Eth-trunk interface can work in either active/standby mode or load-sharing mode.
- Active/standby mode: It can enhance reliability. When a member link is Down, the traffic is automatically switched to another available link.
- Load-sharing mode: It can improve bandwidth usage and enhance reliability. The bandwidth of the Eth-trunk interface is the total bandwidth of all physical interfaces. If a physical interface is Down, other member interfaces are still available for data transmission.
- The working mode of active and standby Eth-trunk interfaces that each operate in load-sharing mode can further enhance reliability and ensure connectivity of the physical path. You can configure the cost value for running Open Shortest Path First (OSPF) on an interface to specify whether the interface is active or standby. The interface with a larger cost value serves as the standby interface.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a VPN, you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning

Data planning for configuring the Eth-trunk interface
No. | Data
1 | Physical interfaces that are bound to an Eth-trunk logical interface
2 | Operating modes of the Eth-trunk logical interfaces
3 | (Optional) VPNs to which the interfaces are bound
4 | IP addresses of the Eth-trunk logical interfaces
Procedure
Step 1 Run interface eth-trunk to create an Eth-trunk interface.
Step 2 Run workmode to set the operating mode of the Eth-trunk interface to active/standby or load-sharing.
Step 3 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 4 Run ip address to set the IP address of the Eth-trunk interface.
Step 5 Run quit to return to the system view.
Step 6 Run interface to enter the physical interface view.
Step 7 Run eth-trunk to bind the physical interface to the specific Eth-trunk interface.
----End
6.6 Configuring the Sub-interface

Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
Data traffic of different types can share one physical interface with the sub-interface. You can configure multiple logical interfaces over one physical interface.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a VPN, you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning

Data planning for configuring the sub-interface
No. | Data
1 | Names of the sub-interfaces
3 | IP addresses and subnet masks of the sub-interfaces
Procedure
Step 1 Run interface to create a sub-interface and enter the sub-interface view.
Step 2 Optional: Run description to configure the description information about the interface.
Step 3 Optional: Run ip binding vpn-instance to bind the sub-interface to the specific VPN instance.
Step 4 Run ip address to set the IP address of the sub-interface.
----End
6.7 Configuring the L2TP VPN

Prerequisite
- The interworking between the PDSN9660 and the authentication server is configured. For details, see 3 Configuring the Data for the AAA Server.
- The PPP negotiation parameters are configured. For details, see 7.1.2 Configuring PPP Negotiation Parameters.
- The L2TP-related attributes of the authentication server are configured.
Context
L2TP is a Layer 2 tunneling protocol used for the transparent transmission of PPP packets between users and enterprise servers.
- The L2TP access concentrator (LAC) is a device that is attached to a switched network with the PPP terminal system and the L2TP processing functions. On a packet switched network, an LAC is a network access server (NAS), providing users with the access service through the public switched telephone network/integrated services digital network (PSTN/ISDN). On a CDMA2000 network, the PDSN9660 acts as the LAC to provide the access service for MSs.
- The LNS is a server-side device that is used to process L2TP on the PPP terminal system. It is an edge device on an intranet.
An LAC is located between an LNS and a remote system such as an MS. The LAC L2TP-encapsulates the packet received from a remote system and then sends it to the LNS. The LAC decapsulates the packet sent from the LNS and then sends it to the remote system.
Configuration Roadmap
1. Configure the physical interface to set up a physical path. You can employ the Eth-trunk load-sharing mode or active/standby mode to set up the physical path to improve bandwidth and enhance reliability. You can configure sub-interfaces to solve the problem of limited physical interfaces. Data traffic of different types can share one physical interface. You can configure multiple logical interfaces over one physical interface.
2. Configure the Pi interface for the interworking between the Pi and the LNS.
3. Configure the L2TP information.
4. Configure the route to the LNS for the interworking at the network layer with the LNS. A static routing mode is applicable to a small stable network with simple topology. A dynamic route is suitable for a network with complex topology and a certain number of Layer 3 devices.

1. Set up a VPN.
2. Bind the physical interface, logical interface, and L2TP group to the same VPN. Specify this VPN as the VPN instance of the specified route.
Bind the L2TP group to the Domain.
When the Domain allows PPP access, a PPP negotiation is required between an MS and the PDSN9660 to set up a PPP session. Therefore, PPP negotiation parameters need to be configured.
Data Planning

No. | Data
1 | IP address of the peer LNS
2 | Domain name that is used to identify L2TP users
3 | Domain name separator that is used to separate the domain name from the L2TP user name
Procedure
Step 1 Run access-view to enter the access view.
Step 2 Run l2tp group to set the L2TP group.
Step 3 Run common to configure the common information about the L2TP group, including the domain name, local host name, authentication, Hello packet interval, number of transmission retries, and VPN instance to which the L2TP tunnel is bound.
Step 4 Run lns to set the LNS information. The LNS with high priority serves as the active LNS while that with low priority serves as the standby LNS.
Step 5 Run quit to exit the L2TP group view.
Step 6 Run separator to set the prefix or suffix separator.
Step 7 Run l2tp default to set the default L2TP parameters, including the default name of the LAC, the number of retransmissions of Hello packets, and the default interval for sending Hello packets.
Step 8 Run quit to exit the access view.
Step 9 Run domain to specify the domain and enter the domain view.
Step 10 Run l2tp to enable L2TP.
Step 11 Run l2tp group to specify the L2TP group to be used by the users of the domain.
----End
6.8 Configuring the GRE VPN

Prerequisite
The VPN instance is created. For details, see 6.3 Creating a VPN Instance.
Procedure
----End
6.8.1 Creating the Loopback Interface
This describes how to create a loopback interface. In a Generic Routing Encapsulation (GRE) tunnel, the source address of a tunnel interface is obtained through the loopback interface.
6.8.2 Creating the Tunnel Interface
This describes how to create the tunnel interface. You can create multiple virtual private network (VPN) tunnels on the PDSN9660. These tunnels may belong to one VPN instance or different VPN instances.
6.8.3 Configuring the Keepalive Function
This describes how to configure the Generic Routing Encapsulation (GRE) that supports the Keepalive function on the PDSN. If GRE that supports Keepalive is configured on the PDSN, the PDSN can detect the tunnel status and so avoid a data black hole caused by the unreachability of the remote end.
Configuration Principle
• After a loopback interface is created, you need to set the IP address for the interface, configure the mapping between the loopback interface and the SPU, and bind GRE to the interface. Thus, when the outbound tunnel interface of a packet is the loopback interface, the packet is sent directly to the SPU.
• When you configure the GRE VPN tunnel, run binding tunnel gre to bind GRE to the loopback interface.
Data Planning
No.  Data
1    Name of the loopback interface
2    IP address of the loopback interface
3    Board to which the loopback interface is bound
4    Tunnel protocol that is bound to the loopback interface
Procedure
Step 1 Run interface to create the loopback interface.
Step 2 Run ip binding vpn-instance to bind the loopback interface to the VPN instance.
Step 3 Run ip address to set the IP address of the loopback interface.
Step 4 Run target-board to set the mapping between the loopback interface and the SPU.
Step 5 Run binding tunnel gre to bind GRE to the loopback interface.
----End
Context
Creating a VPN tunnel is similar to creating a physical path.
1. There must be a path between two devices for them to communicate with each other. Therefore, two Generic Routing Encapsulation (GRE) peers must be configured with virtual tunnel interfaces.
2. A link-layer protocol must be specified to encapsulate data packets on a physical path. Similarly, a tunnel encapsulation mode must be specified for data packets on a tunnel.
3. A tunnel, similar to a physical path, has a start point and an end point. Therefore, you must configure the source and destination IP addresses for a tunnel. With the source and destination IP addresses, a tunnel can be uniquely identified.
4. To make the tunnel support dynamic routing protocols, the IP address of the tunnel interface needs to be configured.
5. There are some other optional configurations, for example, the security and reliability configurations of a tunnel.
Configuration Principle
• When you create the tunnel interface, it is recommended that the slot where the tunnel interface resides is the same as the slot where the source interface resides. That is, the slot of the interface sending GRE packets is used, which improves forwarding efficiency.
• The PDSN9660 supports GRE VPN encapsulation. You must also create a tunnel on the peer router or firewall. The source IP address and destination IP address of the tunnel on the peer router or firewall are the destination IP address and source IP address of the tunnel on the PDSN9660 respectively.
• If you configure the identification keyword for the tunnel interface on the PDSN9660, the peer device must be configured with the same identification keyword.
Data Planning
No.  Data
1    Number of the tunnel interface
2    VPN instance to which the tunnel interface is bound
3    Network address of the tunnel interface
4    Encapsulation mode for the packets on the tunnel interface
5    Source IP address of the tunnel interface
6    Destination IP address of the tunnel interface
7    (Optional) Identity key of the tunnel interface
Procedure
Step 1 Run interface tunnel to create a virtual tunnel interface.
Step 2 Run ip binding vpn-instance to bind the tunnel interface to the VPN instance.
Step 3 Run ip address to set the IP address of the tunnel interface.
NOTE
If IP addresses are insufficient or must be used efficiently, you can run ip address unnumbered to configure the tunnel interface to borrow the IP address of another interface. If the tunnel interface borrows the IP address of another interface, you cannot enable a dynamic routing protocol on it because it has no IP address of its own. In this case, you must configure a static route to the peer network segment with the peer tunnel interface as the next hop to provide connectivity between the routers.
Step 4 Run tunnel-protocol to set the packet encapsulation mode of the tunnel interface.
Step 5 Run source to set the source IP address of the tunnel interface. The source IP address is obtained from the loopback interface that is specified as the tunnel source.
Step 6 Run destination to set the destination IP address of the tunnel interface.
Step 7 Optional: Run gre checksum to enable the end-to-end checksum at the two ends of a GRE tunnel.
Step 8 Optional: Run gre key to set the identification keyword of the GRE tunnel interface.
----End
Prerequisite
• The link layer attributes of the interfaces are configured.
• The IP addresses of the interfaces are assigned.
• The GRE tunnel is established and the status of the tunnel is Up.
Context
The Keepalive function of a GRE tunnel is unidirectional: whether the remote end supports Keepalive has no effect on the Keepalive function of the local end. To run Keepalive on both ends, you need to enable the Keepalive function on both ends of the GRE tunnel, which is the recommended configuration. Before configuring a GRE tunnel, you must enable the Keepalive function of the GRE tunnel. This prevents the VPN from selecting a GRE tunnel whose remote end is unreachable, and thus avoids data loss, for the following reasons:
• If the Keepalive function is not enabled, the tunnel interface of the local end may remain Up even though the remote end is unreachable.
• If the Keepalive function is enabled on the local end, the tunnel interface of the local end is set to Down when the remote end is unreachable.
Data Planning
No.  Data
1    Interval for sending Keepalive packets
2    Parameter of the counter for unreachable packets
Procedure
Step 1 Run interface tunnel to enter the tunnel interface view.
Step 2 Run link-alive to enable the Keepalive function.
----End
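As an added illustration of the points in 6.8.2 and 6.8.3 (not code from the PDSN9660 documentation or from Huawei), the following Python model represents one end of a GRE tunnel: its identity is the (source, destination) pair, the peer's tunnel must mirror that pair and carry the same gre key, an unnumbered address rules out dynamic routing, and Keepalive is evaluated per end, so a tunnel whose remote end stops answering is taken Down and skipped when a VPN path is selected. All names, addresses and the retry count are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GreTunnel:
    """One end of a GRE tunnel as planned in 6.8.2 and 6.8.3 (constructed model, not device code)."""
    name: str
    source: str                 # address of the loopback interface used as the tunnel source
    destination: str            # address of the peer's tunnel source
    key: Optional[int] = None   # gre key: if set, the peer must use the same value
    unnumbered: bool = False    # ip address unnumbered: the interface borrows another address
    keepalive: bool = False     # link-alive enabled on this end (the remote setting is irrelevant)
    retry: int = 3              # unanswered Keepalive packets before the interface goes Down
    unanswered: int = 0
    state: str = "Up"

    def identity(self):
        """A tunnel is uniquely identified by its source and destination addresses."""
        return (self.source, self.destination)

    def supports_dynamic_routing(self) -> bool:
        """A borrowed (unnumbered) address rules out a dynamic routing protocol on the tunnel;
        a static route to the peer segment via the peer tunnel interface is needed instead."""
        return not self.unnumbered

    def keepalive_tick(self, remote_reachable: bool) -> str:
        """Advance one Keepalive interval and return the interface state."""
        if not self.keepalive:
            # Without link-alive the local interface stays Up even when the remote is unreachable.
            return self.state
        if remote_reachable:
            self.unanswered = 0
            self.state = "Up"
        else:
            self.unanswered += 1
            if self.unanswered >= self.retry:
                self.state = "Down"
        return self.state


def peers_consistent(local: GreTunnel, peer: GreTunnel) -> bool:
    """The tunnel on the peer router or firewall must mirror source/destination
    and use the same identification key."""
    return (local.source == peer.destination
            and local.destination == peer.source
            and local.key == peer.key)


def select_tunnel(tunnels: List[GreTunnel]) -> Optional[str]:
    """VPN forwarding uses the first tunnel whose interface is Up; a tunnel taken Down by
    Keepalive is skipped, which is how the data hole described above is avoided."""
    for t in tunnels:
        if t.state == "Up":
            return t.name
    return None


if __name__ == "__main__":
    # Constructed addresses for illustration only.
    primary = GreTunnel("Tunnel1", "10.0.0.1", "10.0.0.2", key=100, keepalive=True)
    backup = GreTunnel("Tunnel2", "10.0.0.1", "10.0.0.3", keepalive=True)
    for reachable in (True, False, False, False):
        primary.keepalive_tick(reachable)
    print(primary.state, select_tunnel([primary, backup]))   # Down Tunnel2
```

The keepalive_tick() call stands for one Keepalive interval; the interval itself and the counter are the two values planned in the Data Planning table, so a real deployment tunes them there rather than in this model.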
Configuration Roadmap
The IPSec policy can be implemented through manual configuration or Internet Key Exchange (IKE) negotiation. If the IKE negotiation mode is adopted, the IKE data must be configured in advance. Figure 6-2 shows how to implement the IPSec policy configuration.
[Figure 6-2, not reproduced: choose the configuration mode; for IKE negotiation, configure the IKE security proposal first; End]
The configuration tasks are as follows:
6.9.1 Configuring the Protected Data Flows
This describes how to configure the protected data flows. With the IP Security (IPSec) function, the PDSN9660 can apply different security measures to different data flows. Therefore, you must set the access control rule for the protected data flows.
6.9.2 Configuring the IPSec Proposal
This describes how to configure the IP Security (IPSec) proposal. An IPSec proposal defines the security protocol, encapsulation mode, authentication algorithm, and encryption algorithm to be applied to protect data flows.
6.9.3 Configuring the IKE Security Proposal
This describes how to configure the Internet Key Exchange (IKE) security proposal.
6.9.4 Configuring the IKE Peer Attributes
This describes how to configure the Internet Key Exchange (IKE) peer attributes.
6.9.5 Configuring the IKE Local ID
This describes how to configure the Internet Key Exchange (IKE) local ID.
6.9.6 Configuring the IKE DPD Function
This describes how to configure the Internet Key Exchange (IKE) dead peer detection (DPD) function.
6.9.7 Configuring the Attributes of the IKE Keepalive Mechanism
This describes how to configure the attributes of the Internet Key Exchange (IKE) keepalive mechanism.
6.9.8 Configuring the IPSec Policy
This describes how to configure the IP Security (IPSec) policy. The IPSec policy or IPSec policy group defines the association between data flows and IPSec proposals, that is, the security measures for a specific type of data flow.
6.9.9 Applying an IPSec Policy to an Interface
This describes how to apply an IP Security (IPSec) policy to an interface.
Context
A data flow is an aggregation of traffic. It is defined by the source IP address and mask, destination IP address and mask, protocol number of the IP packets, source port number, and destination port number. A data flow can be a single Transmission Control Protocol (TCP) connection between two hosts or all the traffic between two subnets. By checking whether packets match the access control list (ACL), the PDSN9660 distinguishes the IP packets to be forwarded after IPSec processing from those to be forwarded directly. Packets permitted by the ACL are protected, whereas those denied by the ACL are not. By default, packets are denied by the ACL. Data flows need to be authenticated for security; some data flows should be both authenticated and encrypted to meet higher security requirements. An IPSec policy provides only one protection method, so you should define separate ACLs and IPSec policies for the different data flows accordingly.
Data Planning
No.  Data
1    ACL number
2    Source IP address of the IP packets
3    Destination IP address of the IP packets
4    Protocol number of the IP packets
5    Source port number of the IP packets
6    Destination port number of the IP packets
Operation Procedure
1. Run acl to create an ACL and enter the ACL view.
2. Run rule to set the access control rule for the data flows.
NOTE
The ACL defined on the local PDSN9660 and the one on the remote router should mirror each other, so that the data encrypted at one end can be authenticated and decrypted at the peer end.
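The ACL-based classification described in 6.9.1, as an added Python example rather than device code: a flow is the five-tuple the Context defines, a permitted flow is handed to IPSec, and anything else, including an unmatched flow, is forwarded in the clear because the default is deny. The mirror() helper produces the rule the remote router needs so that the two ACLs correspond, as the NOTE requires. The rule ordering (first match wins), the ACL number and the addresses are constructed assumptions, not taken from the manual.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """The five-tuple the page uses to define a data flow."""
    src: str
    dst: str
    proto: int          # IP protocol number, e.g. 6 = TCP, 17 = UDP
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One access control rule; None in a field means 'any'."""
    action: str                    # "permit" = protect with IPSec, "deny" = forward in the clear
    src: str                       # source network in CIDR form
    dst: str                       # destination network in CIDR form
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, f.proto)
                and self.sport in (None, f.sport)
                and self.dport in (None, f.dport))


def classify(acl: List[Rule], flow: Flow) -> str:
    """Return "ipsec" for a permitted flow and "clear" for a denied or unmatched one.
    Rules are evaluated in list order (an assumption of this model); the default is deny."""
    for rule in acl:
        if rule.matches(flow):
            return "ipsec" if rule.action == "permit" else "clear"
    return "clear"


def mirror(rule: Rule) -> Rule:
    """The corresponding rule the remote router needs: source and destination swapped,
    so that traffic encrypted here is matched, authenticated and decrypted there."""
    return Rule(rule.action, rule.dst, rule.src, rule.proto, rule.dport, rule.sport)


# Constructed example: protect TCP from an MS segment to an intranet segment, except web traffic.
ACL_3000 = [
    Rule("deny", "10.1.1.0/24", "192.168.1.0/24", proto=6, dport=80),   # web traffic stays clear
    Rule("permit", "10.1.1.0/24", "192.168.1.0/24", proto=6),
]
PEER_ACL = [mirror(r) for r in ACL_3000]   # what the remote router has to carry
```

Because the default is deny, forgetting a permit rule does not break connectivity, it silently sends the flow unprotected; checking classify() against the flows you expect to protect is the cheap way to catch that.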
Context
Figure 6-3 Configuration of the IPSec proposal (figure not reproduced; it shows the IPSec proposal composed of: transform = AH and/or ESP; encapsulation mode = transport or tunnel; AH authentication algorithm = MD5 or SHA-1; ESP authentication algorithm = MD5, SHA-1, or null; ESP encryption algorithm = DES, 3DES, AES, or null)
As shown in Figure 6-3, the PDSN9660 supports both the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols, which can be used separately or together. AH supports the Message-Digest Algorithm 5 (MD5) and Secure Hash Algorithm 1 (SHA-1) authentication algorithms. ESP supports the MD5 and SHA-1 authentication algorithms and the Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES) encryption/decryption algorithms. The PDSN9660 provides two encapsulation modes: transport mode and tunnel mode. In tunnel mode, the actual source and destination IP addresses are hidden.
CAUTION
For the same data flow, the same protocol, algorithm, and encapsulation mode must be set for the peers at both ends of a security tunnel.
Configuration Principle
• You can configure the authentication algorithm for AH only when the security protocol to be employed by the IPSec proposal is set to AH.
• You can configure the authentication algorithm and encryption algorithm for ESP only when the security protocol to be employed by the IPSec proposal is set to ESP.
Data Planning
No.  Data
1    IPSec proposal name
2    Security protocol to be employed
3    Authentication algorithm to be employed
4    Encryption algorithm to be employed
5    Encapsulation mode to be employed
Operation Procedure
1. Run ipsec proposal to create an IPSec proposal and enter the IPSec proposal view.
2. Run transform to set the IPSec protocol.
3. Run ah authentication-algorithm to set the authentication algorithm to be employed by the AH protocol.
4. Run esp authentication-algorithm to set the authentication algorithm to be employed by the ESP protocol.
5. Run esp encryption-algorithm to set the encryption algorithm to be employed by the ESP protocol.
6. Run encapsulation-mode to set the encapsulation mode to be employed by the IPSec protocol to encapsulate IP packets.
By default, the tunnel mode is adopted. In transport mode, if the source and destination of packets are not the same as the two ends of the security tunnel, the packets will not be protected.
Context
The IKE security proposal is used for the IKE negotiation of the encryption algorithm, authentication algorithm, Diffie-Hellman algorithm (DH) group ID, and lifetime of the IKE security association (SA). The negotiation in this phase is performed to set up an Internet Security Association and Key Management Protocol (ISAKMP) SA. You can create multiple IKE security proposals of different priorities but the negotiation succeeds only when at least one IKE security proposal of one party matches that of the other party.
Data Planning
No.  Data
1    Priority of the IKE security proposal
2    Encryption algorithm, preshared authentication method, and authentication algorithm
3    DH group ID
4    Lifetime of the IKE SA
Operation Procedure
Figure 6-4 IKE proposal configuration map (figure not reproduced; it shows the IKE proposal composed of: authentication algorithm = MD5 or SHA-1; authentication method = pre-share; encryption algorithm = DES, 3DES, or AES; DH = group1 or group2; SA duration)
1. Run ike proposal to create an IKE security proposal and display the IKE proposal view.
2. Run encryption-algorithm to specify the encryption algorithm to be used by the IKE proposal.
3. Run authentication-method to specify the authentication method to be used by the IKE proposal.
4. Run authentication-algorithm to specify the authentication algorithm to be used by the IKE proposal.
5. Run dh to specify the DH group ID to be used during the key negotiation in phase one of IKE negotiation.
6. Run sa duration to set the lifetime of the IKE SA.
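An added Python model (not Huawei code) for the proposal rules in 6.9.2 and 6.9.3: an IPSec proposal only accepts AH algorithms when the transform includes AH and ESP algorithms when it includes ESP, both ends' IPSec proposals must agree on protocol, algorithms and encapsulation mode, and phase-one IKE negotiation succeeds when at least one local IKE proposal, tried in priority order, matches one offered by the peer. The WEAK set is an editorial addition flagging DES and MD5, which are no longer considered adequate; the proposal names and parameter values are constructed, and IKE lifetime handling is deliberately left out of the match.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Algorithms the PDSN9660 offers that are no longer considered adequate today
# (editorial caveat, not a statement from the manual).
WEAK = {"des", "md5"}


@dataclass(frozen=True)
class IpsecProposal:
    name: str
    transform: str                  # "ah", "esp" or "ah-esp"
    encapsulation: str = "tunnel"   # the PDSN9660 default
    ah_auth: Optional[str] = None   # md5 or sha1
    esp_auth: Optional[str] = None  # md5, sha1 or None
    esp_enc: Optional[str] = None   # des, 3des, aes or None

    def __post_init__(self):
        # An algorithm may only be configured for a protocol the transform actually uses.
        if self.ah_auth and "ah" not in self.transform:
            raise ValueError("ah authentication-algorithm needs transform ah or ah-esp")
        if (self.esp_auth or self.esp_enc) and "esp" not in self.transform:
            raise ValueError("esp algorithms need transform esp or ah-esp")

    def weak_algorithms(self) -> Set[str]:
        return {a for a in (self.ah_auth, self.esp_auth, self.esp_enc) if a in WEAK}


def ipsec_proposals_match(a: IpsecProposal, b: IpsecProposal) -> bool:
    """Both ends of a security tunnel must use the same protocol, algorithms and encapsulation mode."""
    return ((a.transform, a.encapsulation, a.ah_auth, a.esp_auth, a.esp_enc)
            == (b.transform, b.encapsulation, b.ah_auth, b.esp_auth, b.esp_enc))


@dataclass(frozen=True)
class IkeProposal:
    priority: int         # smaller number = higher priority
    encryption: str       # des, 3des or aes
    auth_method: str      # pre-share
    auth_alg: str         # md5 or sha1
    dh_group: int         # 1 or 2

    def algorithm_set(self):
        return (self.encryption, self.auth_method, self.auth_alg, self.dh_group)


def negotiate_ike(local: List[IkeProposal], remote: List[IkeProposal]) -> Optional[IkeProposal]:
    """Phase one succeeds when at least one local proposal matches a remote one; the local
    proposals are tried in priority order. Lifetime handling is left out of this model."""
    remote_sets = {p.algorithm_set() for p in remote}
    for lp in sorted(local, key=lambda p: p.priority):
        if lp.algorithm_set() in remote_sets:
            return lp
    return None
```

A mismatch in any one field of ipsec_proposals_match() is enough to stop the tunnel from coming up, which is the practical meaning of the CAUTION above; weak_algorithms() is the check to run on a planned proposal before it is committed.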
Prerequisite
• The local ID for the IKE negotiation is configured when the aggressive mode is employed.
• The IKE security proposal is configured.
Background
Figure 6-5 IKE peer configuration procedure (figure not reproduced; it shows the IKE peer composed of: exchange mode = aggressive or main; IKE proposal; pre-shared key; local ID type = IP or name; remote address; remote name)
Configuration Principle
• If the IKE proposal referenced by the IKE peer uses the preshared key authentication method, the two negotiation ends must be configured with the same authentication key. Otherwise, the IKE proposal cannot be used.
• When the aggressive mode is adopted for IKE negotiation, the ID of the IKE peer must be of the name type. For the main mode, the ID of the IKE peer must be of the IP address type.
Data Planning
No.  Data
1    Whether the main mode or aggressive mode is employed as the IKE negotiation mode
2    IKE security proposal ID to be referenced by the IKE peer
3    Character string used as the authentication key
4    ID type of the IKE peer
5    Name and IP address of the IKE peer
Operation Procedure
1. Run ike peer to create an IKE peer and display the IKE peer view.
2. Run exchange-mode to set the IKE negotiation mode.
3. Run ike-proposal to configure the IKE security proposal to be referenced by the IKE peer.
NOTE
By default, for aggressive mode negotiation, the IKE proposal with the highest priority is referenced; for main mode negotiation, all the IKE proposals of the local end are referenced.
4. Run pre-shared-key to set the authentication key for the preshared key authentication method. If the IKE proposal referenced by the IKE peer uses the preshared key authentication method, the preshared key must be configured with this command.
5. Run local-id-type to set the ID type of the IKE peer.
6. Run remote-name to set the remote name of the IKE peer when the IKE peer ID is of the name type.
7. Run remote-address to set the remote IP address of the IKE peer when the IKE peer ID is of the IP address type.
Background
The aggressive mode is adopted for IKE negotiation when the IP address of the peer device is not specified or changes. The main mode is adopted for IKE negotiation when the IP address of the peer is specified.
Configuration Principle
The local ID is required for the IKE negotiation in aggressive mode. The local ID is not required for the main mode.
Data Planning
No.  Data
1    Local ID
Operation Procedure
Run ike local-name to set the local ID for the IKE negotiation.
Context
With the DPD function, the PDSN9660 sends Hello/Ack messages to check whether a peer is operating normally. If the local device has not received packets from a peer within a specified period and has IP Security (IPSec) encrypted packets to send to that peer, it sends an inquiry message to the peer. If it receives a response, it considers the peer normal. If it receives no response after sending the DPD message the configured number of times, it considers the peer dead, and the backup link or route is then used to forward the IPSec service flows.
Data Planning
No.  Data
1    Interval for sending DPD packets
2    Number of retransmissions of DPD packets
Procedure
Step 1 Run ike peer to enter the IKE peer view.
Step 2 Run ike dpd to set the interval for sending DPD packets to the peer and the number of retransmissions of DPD packets.
----End
Context
The IKE provides the keepalive mechanism, which maintains the status of the IKE security association (SA) tunnel through Keepalive packets. The Keepalive packets are used to inform the peer of the Internet Security Association and Key Management Protocol (ISAKMP) SA that the local device is online.
If a timeout period is configured on the peer, an interval for sending Keepalive packets must be configured on the PDSN. If the timeout period expires before a Keepalive packet is received, the handling depends on the IKE SA: if the IKE SA already carries the timeout mark, the PDSN deletes the IKE SA and the IP Security (IPSec) SA negotiated by that IKE SA; if the IKE SA carries no timeout mark, it is marked as timed out. Generally, the timeout period is set to three times the interval for sending Keepalive packets.
Operation Procedure
1. Run ike sa keepalive-timer interval to set the interval for sending Keepalive packets to the peer by the ISAKMP SA.
2. Run ike sa keepalive-timer timeout to set the timeout period for the ISAKMP SA to wait for a Keepalive packet.
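The DPD behaviour in 6.9.6 and the Keepalive timeout handling in 6.9.7, as an added Python simulation (not the PDSN9660 implementation): a DPD inquiry goes out only when the peer has been silent for the configured interval and there is IPSec traffic to send, the peer is declared dead after the configured number of unanswered retransmissions and traffic then moves to the backup link or route; on the receiving side an expired Keepalive timeout first marks the IKE SA and, if it expires again with no Keepalive in between, deletes the IKE SA and its IPSec SAs. Times, intervals and the peer_answers flag are constructed for the simulation.

```python
from dataclasses import dataclass


@dataclass
class DpdMonitor:
    """DPD as described for the PDSN9660: an inquiry is sent only when the peer has been
    silent for `interval` seconds AND there is IPSec traffic to send to it."""
    interval: int          # ike dpd interval (constructed value in the example)
    retries: int           # ike dpd retransmission count
    last_rx: int = 0       # time of the last packet received from the peer
    pending: int = 0       # inquiries sent without a reply
    alive: bool = True

    def on_receive(self, now: int) -> None:
        """Any packet from the peer proves it is alive and resets the retry counter."""
        self.last_rx = now
        self.pending = 0
        self.alive = True

    def path_for_outbound(self, now: int, peer_answers: bool) -> str:
        """Decide where IPSec traffic to the peer goes at time `now`. `peer_answers` stands in
        for whether an inquiry sent now would get a response (constructed for the simulation)."""
        if not self.alive:
            return "backup"                  # declared dead: backup link or route
        if now - self.last_rx < self.interval:
            return "primary"                 # peer heard from recently, no inquiry needed
        if peer_answers:                     # inquiry sent and answered
            self.on_receive(now)
            return "primary"
        self.pending += 1                    # inquiry unanswered
        if self.pending >= self.retries:
            self.alive = False
            return "backup"
        return "primary"


def keepalive_timeout_is_recommended(interval: int, timeout: int) -> bool:
    """The manual's rule of thumb: timeout on the peer = 3 x the local Keepalive interval."""
    return timeout == 3 * interval


class IkeSaKeepaliveTimer:
    """Receiving side of ISAKMP Keepalive: the first timeout expiry only marks the IKE SA,
    the second expiry without a Keepalive in between deletes the IKE SA and its IPSec SAs."""

    def __init__(self) -> None:
        self.marked = False
        self.deleted = False

    def keepalive_received(self) -> None:
        self.marked = False

    def timeout_expired(self) -> str:
        if self.deleted:
            return "deleted"
        if self.marked:
            self.deleted = True
            return "deleted"
        self.marked = True
        return "marked"
```

Note the asymmetry the two mechanisms have: DPD only probes when there is something to send, so an idle peer is never declared dead, whereas the Keepalive timer on the receiving side runs regardless of traffic.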
Context
An IPSec policy is uniquely identified by its name together with its sequence number. An IPSec policy group comprises the security policies with the same name but different sequence numbers. In an IPSec policy group, a smaller sequence number indicates a higher priority. An IPSec policy employs an IPSec proposal to specify the security protocol, algorithm, and encapsulation mode for specific data flows. The IPSec policy can be configured manually or obtained through the Internet Key Exchange (IKE) negotiation.
Figure 6-6 IPSec policy through manual configuration (figure not reproduced; it shows the policy composed of: security ACL (ACL, rule); proposal; SA key (string-key, or hex-key as authentication-hex and encryption-hex, for AH/ESP inbound and outbound); SA SPI (AH/ESP inbound and outbound); local address; tunnel remote)
Figure 6-7 (title not preserved; IPSec policy through IKE negotiation; figure not reproduced; it shows the policy composed of: security ACL (ACL, rule); proposal; IKE peer; PFS (DH-group1 or DH-group2); SA duration (permanent, traffic-based, or time-based); local address)
As Figure 6-6 shows, in manual mode you must set parameters such as the key, security parameter index (SPI), and peer IP address for the IPSec policy yourself; the local IP address is optional.
A key is used in the security services provided by the IPSec protocol to authenticate and encrypt data packets. The key can be either in the character string format or in the hexadecimal format. The SPI is a 32-bit value, which is carried in each IPSec packet. The SPI, destination IP address, and security protocol ID uniquely identify a security association (SA).
The IKE peer is used in the IKE negotiation for the IPSec policy. The parameters such as the key and the SPI are generated automatically through the IKE negotiation. You must set the SA lifetime and perfect forward secrecy (PFS) parameters and you can optionally set the local IP address. See Figure 6-7.
PFS is a security feature: even if one key is compromised, the other keys remain secure because they are not derived from one another. It is implemented by adding a key exchange in phase two of the IKE negotiation. An SA has a lifetime, meaning that the SA becomes invalid once the specified duration or traffic volume is reached. Before an SA becomes invalid, the PDSN9660 obtains a new IPSec SA through IKE negotiation. Until the new SA is set up, the original SA is still used to keep the communication protected; the new SA is used as soon as it is negotiated and set up.
Configuration Principle
• You must configure the SA parameters for both inbound and outbound directions. The local inbound and outbound SA parameters must be consistent with the peer outbound and inbound SA parameters respectively.
• An IPSec policy can employ only one access control list (ACL). If more than one ACL is configured for an IPSec policy, the latest ACL is employed.
• If an IPSec policy is manually configured, only one IPSec proposal can be employed by the IPSec policy. If an IPSec policy is obtained through the IKE negotiation, up to six IPSec proposals can be employed by the IPSec policy.
• You must create an IKE peer before employing the IKE negotiation mode. For details, see 6.9.4 Configuring the IKE Peer Attributes.
• If the IPSec proposal employs the Authentication Header (AH) protocol, the keyword ah is adopted for the authentication key and the SPI of the SA. If the IPSec proposal employs the Encapsulating Security Payload (ESP) protocol, the keyword esp is adopted for the authentication key, encryption key, and the SPI of the SA.
• You can enter the key either in the character string format or in the hexadecimal format. If you enter the key in both formats, the latest key is effective. You must enter the key in the same format at the two ends of a security tunnel. If the key formats are different, the security tunnel cannot be set up.
• You can set or modify the local address of an IPSec policy group only before the group is applied to an interface. Do not set the local address for an IPSec policy group that is applied to the IPSec tunnel interface. Do not set the local address for an IPSec policy that employs the transport encapsulation mode.
• The interface whose IP address is used as the local address of the IPSec policy group must be a loopback interface. In addition, a valid IP address must be set for the loopback interface, and a target board and the IPSec tunnel protocol must be bound to the loopback interface.
• For the same data flow, the same protocol, algorithm, encapsulation mode, IPSec proposal, encryption key, and authentication key must be employed by both communication parties. Otherwise, the communication fails.
Data Planning
No.  Data
1    Name of the IPSec policy, and whether the manual mode or IKE negotiation mode is adopted
2    ACL used by the IPSec policy
3    IPSec proposal used by the IPSec policy
4    SPI, key, and peer IP address of the security tunnel in manual mode
5    IKE peer name, SA lifetime, and Diffie-Hellman algorithm (DH) group for PFS in IKE negotiation mode
Operation Procedure
Manual configuration mode
1. Run ipsec policy to create an IPSec policy and enter the view.
2. Run security acl to set the ACL used by the IPSec policy.
3. Run proposal to set the IPSec proposal used by the IPSec policy.
4. Run sa string-key to set the authentication key of the SA in manual configuration mode. Type a character string as the key. If you specify ah, the key is the AH authentication key. AH does not support packet encryption, and therefore no encryption key is required. If you specify esp, the key is the ESP authentication key and encryption key.
5. Run sa authentication-hex to set the authentication key of the SA in manual configuration mode. Type a hexadecimal number as the key. If you specify ah, the key is the AH authentication key. If you specify esp, the key is the ESP authentication key.
6. Run sa encryption-hex to set the encryption key of the ESP protocol in manual configuration mode. Type a hexadecimal string as the key. This command is applicable to ESP only. AH does not support packet encryption.
7. Run sa spi to set the SPI of the SA in manual configuration mode.
8. Run tunnel remote to set the peer IP address of the tunnel.
9. Run ipsec policy local-address in the system view to set the local address of the IPSec policy group. You can also specify the name, interface type, and interface number of the IPSec policy. The interface whose IP address is used as the local address of the IPSec policy group must be a loopback interface. For the configuration procedure of a loopback interface, see 6.8.1 Creating the Loopback Interface.
NOTE
If the local address of the IPSec policy group is specified, the IP address of the specified interface is used as the local address of the IPSec tunnel. If the local address of the IPSec policy group is not specified, the IP address of the interface to which the IPSec policy is applied is used as the local address of the IPSec tunnel.

IKE negotiation mode
You must create an IKE peer before employing the IKE negotiation mode. For details, see 6.9.4 Configuring the IKE Peer Attributes.
1. Run ipsec policy to create an IPSec policy and enter the view.
2. Run security acl to set the ACL used by the IPSec policy.
3. Run proposal to set the IPSec proposal used by the IPSec policy.
4. Run ike-peer to set the IKE peer used by the IPSec policy in IKE negotiation mode.
5. Run pfs to set the PFS feature of the IPSec policy template in IKE negotiation mode.
6. Run sa duration to set the lifetime of the SA.
NOTE
In the case of SA generation through IKE negotiation, if the IPSec policy is not configured with a lifetime, the global SA lifetime configured with ipsec sa global-duration can be used for the negotiation with the peer. A new lifetime does not affect established SAs but is employed to establish new SAs in later IKE negotiations.
7. Run ipsec policy local-address in the system view to set the local address of the IPSec policy group. You can also specify the name, interface type, and interface number of the IPSec policy. The interface whose IP address is used as the local address of the IPSec policy group must be a loopback interface. For the configuration procedure of a loopback interface, see 6.8.1 Creating the Loopback Interface.
NOTE
If the local address of the IPSec policy group is specified, the IP address of the specified interface is used as the local address of the IPSec tunnel. When the IPSec policy group is applied to multiple interfaces, these interfaces employ the same SA to protect the same data flows. If the local address of the IPSec policy group is not specified, the IP address of the interface to which the IPSec policy is applied is used as the local address of the IPSec tunnel. The interfaces then generate their respective SAs to protect the same data flows.
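An added Python model (not Huawei code) of the policy and SA rules in 6.9.8: a policy is identified by name plus sequence number, the smallest sequence number in a group wins, a manual SA is identified by SPI, destination address and protocol, the SPI must fit in 32 bits, and the local inbound/outbound SAs must mirror the peer's outbound/inbound SAs including the key format. The flow_match callable stands in for the security ACL, and all names, SPIs, keys and addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ManualSa:
    """Manually configured SA parameters for one direction."""
    protocol: str      # "ah" or "esp": selects which keys apply
    spi: int           # 32-bit security parameter index carried in every IPSec packet
    key: str
    key_format: str    # "string" or "hex": both ends must use the same format

    def __post_init__(self):
        if not 0 <= self.spi <= 0xFFFFFFFF:
            raise ValueError("SPI must be a 32-bit value")
        if self.key_format == "hex":
            int(self.key, 16)   # raises ValueError if the hex key is malformed


def sa_identifier(sa: ManualSa, destination_ip: str) -> Tuple[int, str, str]:
    """An SA is uniquely identified by SPI, destination IP address and security protocol."""
    return (sa.spi, destination_ip, sa.protocol)


@dataclass
class IpsecPolicy:
    """An IPSec policy is identified by name plus sequence number; policies sharing a name
    form a policy group. `flow_match` stands in for the security ACL."""
    name: str
    seq: int
    flow_match: Callable[[dict], bool]
    inbound: ManualSa
    outbound: ManualSa
    tunnel_remote: str


def select_policy(group: List[IpsecPolicy], flow: dict) -> Optional[IpsecPolicy]:
    """Within a group the smaller sequence number has the higher priority."""
    for policy in sorted(group, key=lambda p: p.seq):
        if policy.flow_match(flow):
            return policy
    return None


def manual_sas_consistent(local: IpsecPolicy, peer: IpsecPolicy) -> bool:
    """Local inbound must equal the peer's outbound and vice versa (protocol, SPI, key, format)."""
    return local.inbound == peer.outbound and local.outbound == peer.inbound


# Constructed values for illustration only (placeholder keys, not real key material).
LOCAL_IP, PEER_IP = "10.0.0.1", "10.0.0.2"
POLICY_GROUP = [
    IpsecPolicy("map1", 20, lambda f: True,
                ManualSa("esp", 12345, "ab12cd34", "hex"),
                ManualSa("esp", 54321, "34cd12ab", "hex"), PEER_IP),
    IpsecPolicy("map1", 10, lambda f: f["dst"].startswith("192.168.1."),
                ManualSa("esp", 1001, "abcdefabcdef", "string"),
                ManualSa("esp", 2001, "fedcbafedcba", "string"), PEER_IP),
]
PEER_POLICY = IpsecPolicy("map1", 10, lambda f: f["src"].startswith("192.168.1."),
                          ManualSa("esp", 2001, "fedcbafedcba", "string"),
                          ManualSa("esp", 1001, "abcdefabcdef", "string"), LOCAL_IP)
```

The catch-all policy with sequence number 20 is only reached by flows the more specific policy 10 does not match, which is the ordering rule the Context states; manual_sas_consistent() is the check to run before bringing up a manually keyed tunnel, since a format or SPI mismatch only shows up as a tunnel that never comes up.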
Prerequisite
Before applying an IPSec policy to an interface, you must complete the following tasks:
• 6.9.1 Configuring the Protected Data Flows
• 6.9.2 Configuring the IPSec Proposal
• 6.9.8 Configuring the IPSec Policy
Context
By applying an IPSec policy to an interface, you can apply different security measures to protect different data flows that are transmitted through the interface. If the IPSec policy to be applied is a security association (SA) established manually, the SA is generated at once. If the IPSec policy to be applied is an SA established through Internet Key Exchange (IKE) negotiation, the PDSN9660 is triggered to negotiate the IPSec SA through IKE only when the data flows that comply with an IPSec policy are sent out through the interface.
Configuration Principle
• Ensure that a valid IP address is set for the interface where the IPSec policy group is applied.
• Before applying the security policy to the tunnel interface, ensure that the tunnel interface is set with a source address. The IPSec policy group that is applied to the IPSec tunnel interface cannot be set with a local address, and the encapsulation mode proposed by the IPSec proposal and used by each IPSec policy must be the tunnel mode.
Data Planning
No.  Data
1    Type, number, and IP address of the interface
2    IPSec policy name
Operation Procedure
Apply an IPSec policy to the R-P and Pi interfaces.
1. Run interface to enter the interface view.
2. Run ip address to set the IP address of the interface.
3. Run ipsec policy to apply the IPSec policy or IPSec policy group to the interface.
Apply an IPSec policy to the tunnel interface.
1. Configure the tunnel interface. For details on the configuration procedure, see 6.8.2 Creating the Tunnel Interface.
2. Run ipsec policy to apply the IPSec policy or IPSec policy group to the interface.
Context
A static routing mode is applicable to a small stable network with simple topology.
Configuration Principle
• When the destination IP address and the mask are both 0.0.0.0, the configured route is the default route. If the PDSN9660 cannot find a route in the routing table, the default route is used for packet forwarding.
• When you configure a static route, you usually specify the next hop address. For an interface-to-interface static route, you can specify the outbound interface instead.
• When you establish a Generic Routing Encapsulation (GRE) tunnel, the virtual private network (VPN) route is required as follows: the destination of the route is the network to which the enterprise intranet belongs, and the next hop is the tunnel interface of the corresponding GRE tunnel.
NOTE
On the peer router or firewall of the tunnel, you must configure the route to the network segment to which the mobile station (MS) belongs. The next hop is the tunnel interface on the router or firewall.
Data Planning
No.  Data
1    IP address of the interface of the next hop router or firewall to the PDN
Procedure
Step 1 Run ip route-static to configure a static route.
Step 2 Optional: If VPN networking is employed, you must specify the VPN instance of the static route. Run ip route-static vpn-instance to configure the static route for a VPN instance and specify the next hop address.
Step 3 Optional: If GRE networking is employed, specify the VPN instance for the static route. Run ip route-static vpn-instance to configure the static routes for a VPN instance and specify the tunnel interface as the outbound interface.
NOTE
The destination address of the static route is the address of the network segment to which the PDN belongs. The next hop address is the address of the router or firewall that the PDSN9660 connects to.
CAUTION
On the next hop router or firewall, you must configure the static route to the PDSN9660. The destination address of the static route is the address of the PDSN9660, and the next hop address is the address of the physical interface on the PDSN9660 used for interworking with the PDN, or, when reliability networking is adopted, the address of the Eth-trunk interface.
----End
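An added Python example (not device code) of the static-route semantics in this section: routes live in the public table or in a named VPN instance, lookup is longest-prefix match, the 0.0.0.0/0 default route is used only when nothing more specific matches, and a VPN route over GRE names the tunnel interface as its outbound interface rather than a next-hop address. peer_return_route() builds the route the NOTE says the peer router or firewall needs for the MS segment. The instance name, addresses and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    """Model of ip route-static [vpn-instance] <destination> <mask> {<next-hop> | <out-interface>}."""
    vpn_instance: Optional[str]           # None = public routing table
    destination: str                      # network in CIDR form; 0.0.0.0/0 is the default route
    next_hop: Optional[str] = None        # next hop address (router or firewall facing the PDN)
    out_interface: Optional[str] = None   # e.g. the GRE tunnel interface for a VPN route


class RoutingTable:
    def __init__(self, routes: List[StaticRoute]):
        self.routes = routes

    def lookup(self, vpn_instance: Optional[str], ip: str) -> Optional[StaticRoute]:
        """Longest prefix match within one instance; the default route is used only
        when no more specific route covers the address."""
        addr = ipaddress.ip_address(ip)
        best = None
        best_len = -1
        for r in self.routes:
            if r.vpn_instance != vpn_instance:
                continue
            net = ipaddress.ip_network(r.destination)
            if addr in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best


def peer_return_route(ms_segment: str, peer_tunnel_interface: str) -> StaticRoute:
    """The route the peer router or firewall needs for the MS segment (NOTE above):
    its next hop is its own tunnel interface."""
    return StaticRoute(None, ms_segment, out_interface=peer_tunnel_interface)


# Constructed example: public default route to the PDN router, plus an enterprise VPN over GRE.
TABLE = RoutingTable([
    StaticRoute(None, "0.0.0.0/0", next_hop="172.16.0.254"),
    StaticRoute(None, "10.10.0.0/16", next_hop="172.16.0.253"),
    StaticRoute("vpn_ent", "192.168.0.0/16", out_interface="Tunnel1"),
    StaticRoute("vpn_ent", "192.168.1.0/24", next_hop="192.168.1.254"),
])
```

The VPN instance in the example deliberately has no default route, so a destination outside the enterprise prefix gets no route rather than leaking into the public table; that separation is the point of binding the static route to the instance in Step 2 and Step 3.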
Context
The PDSN9660 supports static route configuration as well as dynamic routing protocols such as the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), and Border Gateway Protocol (BGP). A dynamic routing mode is suitable for a network with a complex topology and a certain number of Layer 3 devices. Dynamic routing can automatically adapt to changes in network topology. If you plan to employ a dynamic routing protocol such as RIP, OSPF, IS-IS, or BGP, the PDSN9660 must support the protocol. OSPF is taken as an example to describe the concepts and configuration of a dynamic route.
Table 6-2 Concepts of the OSPF dynamic route
Concept: OSPF process number
Description: When you start multiple OSPF processes on the PDSN9660, you must specify different process numbers. The OSPF process number is a local concept and does not affect packet exchange between the PDSN9660 and other routers. Therefore, routers can exchange packets regardless of process numbers.
Concept: Router ID
Description: A router ID is required for a router to run OSPF. A router ID is a 32-bit unsigned integer that uniquely identifies a router in an autonomous system. You can set the router ID manually; generally, it is set to the IP address of an interface on the router. If you do not specify the router ID, the system automatically selects the IP address of an existing interface as the router ID: the largest IP address among the loopback interfaces is selected, and if no loopback interface is configured, the largest IP address among the other interfaces is selected.
Concept: Area
Description: You must specify the area to which an interface running OSPF belongs. Different OSPF processes can share an area. For example, area 0 can be used by both OSPF 1 and OSPF 2.
Concept: Area authentication
Description: OSPF supports packet authentication. Only authenticated OSPF packets are accepted; otherwise, the neighbor relationship cannot be established. All the routers in an area must employ the same area authentication mode and password.
Concept: Network segment
Description: This is the network segment of the IP address of the interface that runs OSPF. A network segment can belong to only one area. That is, you must specify the area for each interface running OSPF. OSPF can run on an interface only when the following conditions are satisfied:
• The mask length of the IP address of the interface is not shorter than that specified by the network command.
• The primary IP address of the interface is in the range of the network segment specified by the network command.
Concept: DR priority
Description: When configuring broadcast networks or non-broadcast multiple access (NBMA) networks, you can specify the designated router (DR) priorities of interfaces to determine the DR/backup designated router (BDR) election in the network. A larger value indicates a higher priority. A router with the priority 0 cannot be elected as the DR or BDR.
Configuration Principle
The principles for configuring an OSPF dynamic route are as follows:
- If a virtual private network (VPN) instance is specified for the OSPF process, you must run vpn-instance-capability simple so that routes are calculated directly instead of undergoing routing-loop detection.
- To deliver static routes (or routes learned from other protocols) to the routers on the backbone network, you must run import-route in the OSPF view.
Data Planning
No. | Data
1 | OSPF process number and router ID. If the OSPF process is to be bound to a VPN instance, plan the name of the VPN instance.
2 | OSPF area, authentication mode, and authentication key.
3 | Network segment and wildcard mask of the OSPF area. To facilitate future expansion, you can configure a network segment that covers the addresses of several physical and logical interfaces, so that no further OSPF configuration is required when interfaces are added. The wildcard mask is the bitwise inverse of the subnet mask: each 0 bit in the mask becomes 1 and each 1 bit becomes 0. In the wildcard mask, 1 means the corresponding bit of the IP address is ignored and 0 means it must match.
4 | Cost value and DR priority of the OSPF interface.
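The following is an added example, not code from this manual or from Huawei. It works through the planning rules above in Python: deriving a wildcard mask from a subnet mask, checking the two conditions under which an interface may run OSPF under a given network statement, and reproducing the automatic router-ID selection rule (largest loopback address, otherwise largest interface address). The function names and the sample interface list are assumptions made for this example; the addresses reuse the data plan of 6.14.1.

```python
"""Added example (not Huawei code): planning checks for the OSPF concepts in Table 6-2.

Function names and the sample interfaces are assumptions made for this example.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefixlen(prefixlen):
    """Wildcard mask = bitwise inverse of the subnet mask, e.g. /28 -> 0.0.0.15."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ ALL_ONES))


def prefixlen_from_wildcard(wildcard):
    """Inverse conversion. A non-contiguous wildcard (e.g. 0.0.1.0) is rejected,
    because the inverted value is not a valid netmask (raises ValueError)."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    net = ipaddress.IPv4Network(("0.0.0.0", str(ipaddress.IPv4Address(netmask))))
    return net.prefixlen


def ospf_network_covers(interface, network, wildcard):
    """True when both conditions from Table 6-2 hold for this interface:
    1. its mask length is not shorter than the mask length of the 'network' statement;
    2. its primary address lies inside the segment the statement describes."""
    ifc = ipaddress.IPv4Interface(interface)
    segment = ipaddress.IPv4Network(
        f"{network}/{prefixlen_from_wildcard(wildcard)}", strict=False)
    return ifc.network.prefixlen >= segment.prefixlen and ifc.ip in segment


def select_router_id(interfaces):
    """Automatic router-ID selection when none is configured: the largest address of
    the loopback interfaces, or, if there is none, the largest address of the other
    interfaces. `interfaces` is a list of (name, 'address/prefixlen')."""
    def addrs(pred):
        return [ipaddress.IPv4Interface(a).ip for n, a in interfaces if pred(n)]
    candidates = (addrs(lambda n: n.lower().startswith("loopback"))
                  or addrs(lambda n: not n.lower().startswith("loopback")))
    return str(max(candidates)) if candidates else None


if __name__ == "__main__":
    # Constructed sample: the two Eth-trunk interfaces of 6.14.1 plus one loopback.
    plan = [("Eth-Trunk8", "10.3.37.46/28"),
            ("Eth-Trunk9", "10.3.37.62/28"),
            ("LoopBack1", "10.8.20.1/32")]
    print("wildcard for /28:", wildcard_from_prefixlen(28))
    print("Eth-Trunk8 under 'network 10.3.37.32 0.0.0.15':",
          ospf_network_covers("10.3.37.46/28", "10.3.37.32", "0.0.0.15"))
    print("auto router ID:", select_router_id(plan))
```

Running the block with the sample plan prints 0.0.0.15, True and 10.8.20.1, which matches the wildcard mask and router ID planned in 6.14.1; an interface whose mask is shorter than the network statement's mask (for example 10.3.37.46/27 under network 10.3.37.32 0.0.0.15) is correctly rejected.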
Procedure
Step 1 Run system-view to enter the system view.
Step 2 Run interface to enter the interface view.
Step 3 Run ospf cost to set the cost value of the OSPF interface.

NOTE
If several OSPF interfaces reach the same destination with the same cost, traffic is load-shared among those links. If the costs differ, only the route with the lowest cost is active for forwarding and the others serve as backups, which provides route redundancy.

Step 4 Run ospf dr-priority to set the DR priority of the OSPF interface.
Step 5 Run quit to exit the interface view.
Step 6 Run ospf to start the OSPF process and enter the OSPF view.
Step 7 Optional: Run import-route to import routes learned from other protocols and deliver them to the routers on the backbone network.
Step 8 If a VPN instance was specified for the OSPF process in Step 6, run vpn-instance-capability simple so that routes are calculated directly instead of undergoing routing-loop detection.
Step 9 Run area to create the OSPF area and enter the OSPF area view.
Step 10 Optional: Run authentication-mode to specify the authentication mode and key for the OSPF area.
Step 11 Run network to specify the network segments that the area contains.
----End
Context
When the PDSN9660 receives an IP packet from a packet data network (PDN), it determines whether the packet is a downlink packet to the MS or an ordinary IP packet. If it is an ordinary packet, the PDSN9660 searches the routing table and forwards the packet. This is the function of an ordinary router. If the packet is a downlink packet to the MS, the PDSN9660 performs Generic Routing Encapsulation (GRE) encapsulation, and then forwards the encapsulated packet to the PCF. This is a special function of the PDSN. The PDSN9660 performs this special function by adding a P interface. The next hop address of the downlink packet to the MS is set to the address of the P interface. By checking whether the next hop address in the IP packet is the address of the P interface, the PDSN9660 can determine whether the received IP packet is a downlink packet to the MS. Then, the packet can be processed accordingly.
The wireless route (WLR), developed by Huawei for the PDSN V900R007, is a downlink route to a mobile station (MS). When an MS is accessing a service, the PDSN9660 automatically generates a downlink route to the MS, that is, a WLR, according to the IP address of the user during the activation. The PDSN9660 then advertises the route through a dynamic routing protocol to servers and routers. When the user is deactivated, the PDSN9660 automatically deletes the route.
Configuration Principle
Configuring the downlink route from the P interface to the MS depends on the IP address assignment mode of the MS.
- If the IP address is assigned by the PDSN9660, the PDSN9660 automatically generates a WLR whose next hop is the P interface.
- If the IP address is assigned by the Remote Authentication Dial In User Service (RADIUS) server and the assigned address segment is known in advance, you must manually configure the downlink route from the P interface to the MS on the PDSN9660.

NOTE
- The P interface is generated automatically after the SPU is inserted. Its number is fixed, in the format SPU board number/CPU number/virtual port number.
- No IP address is required for the P interface.
Data Planning
No. | Data
1 | Name of the P interface
2 | IP address of the MS
3 | Domain associated with the PDN
Procedure
Step 1 Run ip route-static to configure a static route to the network segment to which the MS belongs.

NOTE
- The destination address of the static route is the network segment to which the MS belongs; the next hop is the P interface.
- If the MS addresses span several network segments, configure one static route for each segment.

Step 2 Run domain to specify the name of the Domain and enter the Domain view.
Step 3 Run static-ip to specify that the PDSN9660 does not generate downlink routes automatically for users of the Domain; the downlink routes for the Domain must then be configured manually as static routes.
Step 4 If the Open Shortest Path First (OSPF) dynamic route is employed in the networking, run import-route in the OSPF view to import the static routes and deliver them to the routers on the backbone network.
----End
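The following is an added example, not code from this manual or from Huawei. It models the downlink decision described in this section: the PDSN9660 looks up the destination of a packet received from the PDN and, when the next hop of the matching route is a P interface, treats it as a downlink packet to an MS (GRE encapsulation toward the PCF); otherwise it forwards the packet like an ordinary router. It also shows the life cycle of a wireless route (WLR): a host route added when a user is activated and removed when the user is deactivated. The class, its method names and the "drop" outcome for a destination without any route are assumptions made for this example; the addresses and P interface names reuse those of 6.14.1.

```python
"""Added example (not Huawei code): downlink classification and WLR life cycle.

Class and method names and the 'drop' outcome are assumptions made for this example.
"""
import ipaddress


class DownlinkRouter:
    def __init__(self):
        self.routes = {}  # IPv4Network -> next hop (P interface name or gateway address)

    def add_static(self, prefix, next_hop):
        """Static route, e.g. a route to an MS segment whose next hop is a P interface."""
        self.routes[ipaddress.IPv4Network(prefix)] = next_hop

    def add_wlr(self, user_ip, p_interface):
        """WLR: /32 route generated automatically when an MS with a locally assigned
        address is activated."""
        self.routes[ipaddress.IPv4Network(f"{user_ip}/32")] = p_interface

    def delete_wlr(self, user_ip):
        """The WLR is deleted again when the user is deactivated."""
        self.routes.pop(ipaddress.IPv4Network(f"{user_ip}/32"), None)

    def lookup(self, dst):
        """Longest-prefix match; returns (prefix, next_hop) or None."""
        d = ipaddress.IPv4Address(dst)
        matches = [(n, nh) for n, nh in self.routes.items() if d in n]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None

    @staticmethod
    def is_p_interface(next_hop):
        return str(next_hop).lower().startswith("pif")

    def classify(self, dst):
        """'to-ms'  : next hop is a P interface -> GRE-encapsulate and send to the PCF
           'forward': ordinary packet -> normal IP forwarding toward the next hop
           'drop'   : no route at all (assumed behaviour, not stated in the manual)"""
        route = self.lookup(dst)
        if route is None:
            return "drop"
        return "to-ms" if self.is_p_interface(route[1]) else "forward"


def build_table():
    """Constructed sample table: the two MS segments of 6.14.1 behind P interfaces
    plus a default route toward router A."""
    r = DownlinkRouter()
    r.add_static("192.168.200.0/24", "pif3/0/0")
    r.add_static("192.168.210.0/24", "pif3/1/0")
    r.add_static("0.0.0.0/0", "10.3.37.33")
    return r


if __name__ == "__main__":
    r = build_table()
    print("192.168.200.7 ->", r.classify("192.168.200.7"))    # to-ms
    print("10.20.30.40   ->", r.classify("10.20.30.40"))      # forward
    r.add_wlr("10.99.1.5", "pif3/0/0")                        # user activated
    print("10.99.1.5 (active) ->", r.classify("10.99.1.5"))   # to-ms
    r.delete_wlr("10.99.1.5")                                 # user deactivated
    print("10.99.1.5 (gone)   ->", r.classify("10.99.1.5"))   # forward via default route
```

The WLR is a /32 route, so it wins the longest-prefix match over any static segment route or default route while the user is active; once it is deleted, a packet to that address follows whatever covering route remains, which is why the manual requires static segment routes when addresses are assigned by RADIUS and no WLR can be generated.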
6.13 Commissioning the Data for the Interworking with the PDN
This describes how to commission the data for the interworking with the packet data network (PDN). When the preceding configuration is complete, you can run the following commands to check the running status or configuration result.
Configuration Procedure
1. Run display interface { ethernet | gigabitethernet } or display interface to check the parameter settings and running status of an interface.
   - If the interface is abnormal, rectify the fault according to the fault information. If the fault persists, run undo interface to delete the interface and configure it again. For details, see 6.4 Configuring the Physical Interface, 6.5 Configuring the Eth-trunk Interface, and 6.6 Configuring the Sub-interface.
   - If the interface is normal, proceed with 2.
2. Run display ip interface to check the parameter settings and statistics of the IP interface.
   - If the parameter settings are inconsistent with the plan, run undo ip address to delete the IP address of the interface and set it again. For details, see 6.4 Configuring the Physical Interface, 6.5 Configuring the Eth-trunk Interface, and 6.6 Configuring the Sub-interface.
   - If the parameter settings are consistent with the plan, proceed with 3.
3. Run display ip routing-table to check the summary of the routing table and the route to a specified destination IP address.
   - If the routing information is incorrect, run undo ip route-static to delete the static route and configure it again. For details, see 6.10 Configuring the Static Route to the PDN.
   - If the routing information is correct, proceed with 4.
4. Run ping to check whether the link to the peer router on the PDN side is normal.
   - If "timeout" is displayed, the link is abnormal; the physical path may be faulty.
   - If the number of received or sent packets is displayed, the link is normal.

This provides an example of the configuration for the networking scheme of dynamic routing plus Layer 2 Tunneling Protocol (L2TP) virtual private network (VPN) tunnel to implement the interworking between the PDSN9660 and an intranet.
6.14.3 IPSec Policy Applied to the Tunnel Interface
This provides an example of configuration for the IP Security (IPSec) function by establishing security tunnels between the PDSN9660 and an enterprise gateway through the tunnel interface.
Networking Requirement
The PDSN9660 is connected to a PDN, which is the Internet or an intranet, through router A and router B. See Figure 6-8. The PDSN9660 must interwork with the service servers on the PDN to provide the data services for the MS. Therefore, you must configure the interworking between the PDSN9660 and the PDN.
- To improve bandwidth and reliability, the Eth-trunk load-sharing mode distributes traffic across different links to the same destination. The Eth-trunk8 and Eth-trunk9 interfaces, each in load-sharing mode, back each other up, which further improves reliability.
- The Open Shortest Path First (OSPF) dynamic routing mode is employed because the topology is complex, with many network devices and IP routes; redundant routes provide the reliability.
- The virtual private network (VPN) networking mode is employed to improve security: the physical interfaces and the Domain are bound to the VPN, and the VPN is specified as the VPN instance of the routes.

Figure 6-8 Networking for the interworking between the PDSN9660 and the PDN (figure not reproduced; labelled elements: PDSN with Piif3/1/0 10.8.50.1/32, Router A 10.3.37.33, Router B 10.3.37.49, AAA server, LNS)
Data Collection
Plan the data as follows.

VPN
- Name of the VPN instance: vpn_pdn
- Route distinguisher (RD) value: 200:1

Eth-trunk8
- Bound physical interfaces: GigabitEthernet1/0/8 and GigabitEthernet1/0/9
- IP address and subnet mask: 10.3.37.46/255.255.255.240
- Operating mode: load-sharing mode
- OSPF cost value: 100
- Priority for selecting a designated router (DR): 0
- IP address of the interface on router A connected to Eth-trunk8: 10.3.37.33
- IP address segment: 10.3.37.32/28
- Wildcard mask: 0.0.0.15

Eth-trunk9
- Bound physical interfaces: GigabitEthernet2/0/8 and GigabitEthernet2/0/9
- IP address and subnet mask: 10.3.37.62/255.255.255.240
- Operating mode: load-sharing mode
- OSPF cost value: 200
- Priority for selecting a DR: 0
- IP address of the interface on router B connected to Eth-trunk9: 10.3.37.49
- IP address segment: 10.3.37.48/28
- Wildcard mask: 0.0.0.15

OSPF
- OSPF process number: 2
- Router ID: 10.8.20.1

Domain
- Domain name: domain1.com
- Address segments for the mobile station (MS): 192.168.200.0/24 and 192.168.210.0/24
- Next hop P interfaces of the downlink routes: pif3/0/0 and pif3/1/0
Configuration Procedure
1. Create a VPN instance.
# Enter the system view.
<PDSN>system-view
# Create the VPN instance vpn_pdn and set its route distinguisher to 200:1.
[PDSN]ip vpn-instance vpn_pdn
[PDSN-vpn-instance-vpn_pdn]route-distinguisher 200:1

2. Configure the Eth-trunk8 interface.
# Set the IP address of the Eth-trunk8 interface to 10.3.37.46 and the subnet mask to 255.255.255.240.
[PDSN-Eth-Trunk8]ip address 10.3.37.46 255.255.255.240
# Set the cost value for the Eth-trunk8 interface to run OSPF to 100.
[PDSN-Eth-Trunk8]ospf cost 100

3. Bind the physical interfaces to the Eth-trunk8 interface.
Bind the GigabitEthernet1/0/8 interface to the Eth-trunk8 interface.
# Enter the physical interface view of GigabitEthernet1/0/8.
[PDSN]interface GigabitEthernet1/0/8
Bind the GigabitEthernet1/0/9 interface to the Eth-trunk8 interface.
# Enter the physical interface view of GigabitEthernet1/0/9.
[PDSN]interface GigabitEthernet1/0/9

4. Configure the Eth-trunk9 interface.
# Set the IP address of the Eth-trunk9 interface to 10.3.37.62 and the subnet mask to 255.255.255.240.
[PDSN-Eth-Trunk9]ip address 10.3.37.62 255.255.255.240
# Set the cost value for the Eth-trunk9 interface to run OSPF to 200.
[PDSN-Eth-Trunk9]ospf cost 200

5. Bind the physical interfaces to the Eth-trunk9 interface.
Bind the GigabitEthernet2/0/8 interface to the Eth-trunk9 interface.
# Enter the physical interface view of GigabitEthernet2/0/8.
[PDSN]interface GigabitEthernet2/0/8
Bind the GigabitEthernet2/0/9 interface to the Eth-trunk9 interface.
# Enter the physical interface view of GigabitEthernet2/0/9.
[PDSN]interface GigabitEthernet2/0/9

6.

7. Configure the routes for downlink packets to an MS.
# Set the destination addresses to 192.168.200.0/24 and 192.168.210.0/24, the network segments of the MS, and the next hops to pif3/0/0 and pif3/1/0 in the VPN instance vpn_pdn.
[PDSN]ip route-static vpn-instance vpn_pdn 192.168.200.0 24 pif3/0/0
[PDSN]ip route-static vpn-instance vpn_pdn 192.168.210.0 24 pif3/1/0

8. Bind the VPN to the Domain and configure the PDSN9660 not to generate downlink routes automatically for users of the Domain.
# Create the domain and enter its view.
[PDSN]domain domain1.com
# Disable the automatic generation of downlink routes for users of the domain.
[PDSN-domain-domain1.com]static-ip route disable
[PDSN-domain-domain1.com]quit
[PDSN]quit

9.
Networking Requirement
The PDSN9660 allows a mobile station (MS), as an L2TP user, to access an intranet through the L2TP VPN. The domain name of the intranet is enterprise.com. See Figure 6-9.
- Sub-interfaces are employed because the number of interfaces is limited.
- The Open Shortest Path First (OSPF) dynamic routing mode is employed because the topology is complex, with many network devices and IP routes; redundant routes provide the reliability.
- The VPN networking mode is employed to improve security: the physical interface, the logical interface, and the L2TP group are bound to the same VPN, and that VPN is specified as the VPN instance of the routes.

Figure 6-9 Networking for an MS accessing an intranet through the L2TP VPN (figure not reproduced; labelled elements: MS, BSC/PCF, backbone network, firewall, Internet)
Data Collection
VPN
- Name of the VPN instance: vpn_l2tp
- Route distinguisher (RD) value: 400:1

GigabitEthernet1/0/4.1 sub-interface
- IP address and subnet mask: 10.5.3.206/255.255.255.240
- IP address of the interface on router A connected to this sub-interface: 10.5.3.193
- OSPF cost value: 100
- Priority for selecting a designated router (DR): 0

GigabitEthernet2/0/4.1 sub-interface
- IP address and subnet mask: 10.5.3.222/255.255.255.240
- IP address of the interface on router B connected to this sub-interface: 10.5.3.209
- OSPF cost value: 200
- Priority for selecting a DR: 0

Pi interfaces
- IP address and subnet mask of Piif3/0/0: 10.8.20.1/255.255.255.255
- IP address and subnet mask of Piif3/1/1: 10.8.20.2/255.255.255.255
- Network segment of the Piif3/0/0 and Piif3/1/1 addresses: 10.8.20.0/30

OSPF
- OSPF process number: 2
- Router ID: 10.8.20.1
- Area ID: 0
- Authentication mode: md5
- Authentication key ID: 1
- Authentication password: abcd (configured in cipher mode)
- OSPF network segment 1 and its wildcard mask: 10.5.3.192/0.0.0.15
- OSPF network segment 2 and its wildcard mask: 10.5.3.208/0.0.0.15
- Network segment and wildcard mask of the Piif3/0/0 and Piif3/1/1 interfaces: 10.8.20.0/0.0.0.3

L2TP tunnel
- Domain name: enterprise.com
- L2TP: enable
- Number of the L2TP group: 1
- IP address of the active L2TP network server (LNS): 10.10.10.1
- Priority of the active LNS: 1
- Tunnel authentication password: tunnel
- Name of the L2TP access concentrator (LAC) end of the tunnel: PDSN
- Tunnel authentication: enable
- Attribute value pair (AVP) transmission in hidden mode: enable
- Interval for sending Hello packets: 120 seconds
- VPN instance to which the tunnel is bound: vpn_l2tp
NOTE
In this example, only one LNS is planned. In actual networking, two LNSs, one active and one standby, can be deployed.
Configuration Procedure
1. Create a VPN instance.
<PDSN>system-view
[PDSN]ip vpn-instance vpn_l2tp
[PDSN-vpn-instance-vpn_l2tp]route-distinguisher 400:1

2.

3.

4.

5.

6.
# Set the IP address of the active LNS to 10.10.10.1, its priority to 1, and the tunnel authentication password to tunnel.
[PDSN-access-l2tp-group-1]lns ip 10.10.10.1 priority 1 password tunnel
# Set the name of the LAC end of the tunnel to PDSN, enable tunnel authentication, transmit AVPs in hidden mode, send Hello packets through the tunnel every 120 seconds, and bind the tunnel to the VPN instance vpn_l2tp.
[PDSN-access-l2tp-group-1]common authentication enable local PDSN avp-hidden enable hello-interval 120 vpn-instance vpn_l2tp
[PDSN-access-l2tp-group-1]quit
[PDSN-access]quit

NOTE
- If the LAC side enables tunnel authentication, the peer LNS must also support tunnel authentication and be configured with the same tunnel authentication password as the LAC.
- The user name and password configured on the LNS for the PPP user must be the same as the user name and password registered for the MS.
- Tunnel authentication and AVP hiding protect only the L2TP control connection; L2TP itself does not encrypt the PPP payload. Where the path to the LNS crosses an untrusted network, protect the tunnel with IPSec (see 6.14.3).

7.

8.
Interworking Test
Run ping to check whether the link to the LNS is normal.
<PDSN>ping -vpn-instance vpn_l2tp -a 10.8.20.1 192.168.110.1 <PDSN>ping -vpn-instance vpn_l2tp -a 10.8.20.2 192.168.110.1
NOTE
- If the link is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.
- Specify the IP address of a Pi interface as the source address (-a) so that the ping checks the connection between that Pi interface and the peer device.
Networking Requirement
The PDSN9660 supports the IPSec function on the tunnel interface. A security tunnel is established between the PDSN9660 and the enterprise gateway to protect the data flows between them. See Figure 6-10. A mobile station (MS) uses a private IP address of the intranet to access a server on the intranet through the PDSN9660. The PDSN9660 encapsulates the data packets in the IPSec tunnel and sends them to the enterprise gateway across the public network.

Figure 6-10 Networking of setting up a security tunnel between the PDSN9660 and the enterprise gateway (figure not reproduced; labelled elements: Router, Intranet)
Data Collection
A security association (SA) is set up through IKE negotiation so that the data flows from the PDSN9660 to the intranet are processed by IPSec. Plan the data as follows.

Protected data flows
- Access control list (ACL) number: 3101
- Data flows: IP packets sent from the MS (addresses 10.110.1.1 to 10.110.1.254) to any other IP address

IPSec proposal
- IPSec proposal name: propo1
- Security protocol: ESP
- Authentication algorithm: SHA-1
- Encryption algorithm: DES
- Encapsulation mode: tunnel mode

IPSec policy
- IPSec policy name: map1
- Sequence number: 10
- Negotiation mode: isakmp
- IKE peer: corporate
- Diffie-Hellman (DH) group for perfect forward secrecy (PFS): DH2
- Volume-based IPSec SA lifetime: 300 kilobytes

IPSec tunnel
- IP address of the loopback1 interface: 1.1.1.9/32
- Target board of the loopback1 interface: CPU 1 on SPU 3
- Protocol employed on the tunnel interface: IPSec
- Tunnel interface: tunnel3/1/0
- Network address of the local tunnel interface: 192.168.5.1/24
- Source address of the tunnel interface: the IP address of the loopback1 interface, 1.1.1.9/32
- Destination address of the tunnel interface: 2.2.2.9/32
- IPSec policy applied to the tunnel interface: map1

DES has a 56-bit key and is no longer considered secure; it is kept in this plan only because the example uses it. In a deployment, choose the strongest encryption algorithm and DH group that both the PDSN9660 and the enterprise gateway support.
Configuration Procedure
1. The interfaces for the interworking are configured.

2. Configure the IKE negotiation parameters. For details, see Configuration Example.

3. Configure the data flows to be protected.
# Create the ACL 3101 and enter its view.
[PDSN]acl number 3101
# Configure the ACL rule. Set the source IP address to 10.110.1.0 with the wildcard mask 0.0.0.255 and the destination address to any.
[PDSN-acl-3101]rule permit ip source 10.110.1.0 0.0.0.255 destination any
[PDSN-acl-3101]quit
The enterprise gateway must select the mirror image of this flow (source any, destination 10.110.1.0 0.0.0.255); otherwise the two ends cannot agree on the SA during IKE negotiation.

4. Create an IPSec proposal.
# Create the IPSec proposal propo1 and enter the IPSec proposal view.
[PDSN]ipsec proposal propo1

5. Create an IPSec policy on the PDSN.
# Create an IPSec policy and enter the IPSec policy view. Set the name of the IPSec policy to map1, the sequence number to 10, and the negotiation mode to isakmp.
[PDSN]ipsec policy map1 10 isakmp

6. Create a loopback interface whose IP address serves as the source address of the IPSec tunnel.
# Create a loopback interface.
[PDSN]interface loopback1
# Bind the loopback interface to the virtual private network (VPN) to which the IPSec encapsulated packets belong.
# Set the IP address of the loopback interface to 1.1.1.9 and the subnet mask to 255.255.255.255.
[PDSN-Loopback1]ip address 1.1.1.9 255.255.255.255
# Set the mapping between the loopback1 interface and CPU 1 on SPU 3.
[PDSN-Loopback1]target-board spu 3 1

7. Configure the tunnel interface.
# Set the IP address of the tunnel interface to 192.168.5.1 and the subnet mask to 255.255.255.0.
[PDSN-Tunnel3/1/0]ip address 192.168.5.1 255.255.255.0

8. Configure the default route.
# Configure the default route so that the data packets of the VPN of the intranet are sent to the tunnel interface.
[PDSN]ip route-static 0.0.0.0 0.0.0.0 vpn-instance vpn_corp tunnel3/1/0

9.
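The following is an added example, not code from this manual or from Huawei. It models how the IPSec policy of this example selects traffic: the ACL rules are evaluated in order and the first match decides; a permit hit means the flow is protected by the policy bound to that ACL (ESP in tunnel mode, outer header from the tunnel source 1.1.1.9 to the destination 2.2.2.9); a flow that hits no permit rule is not protected. The volume-based SA lifetime from the plan (300 kilobytes) is modelled too: once that much data has been protected, the SA is renegotiated before the next packet is sent. The class and function names, the "unprotected" outcome, the byte accounting (1 KB = 1024 bytes) and the rekey counter are assumptions made for this example; what the PDSN9660 actually does with an unmatched flow on the tunnel interface is not stated on this page.

```python
"""Added example (not Huawei code): ACL-based flow selection and volume-based rekeying
for the IPSec policy of 6.14.3.

Names, the 'unprotected' outcome, 1 KB = 1024 bytes and the rekey counter are
assumptions made for this example.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_match(addr, base, wildcard):
    """ACL semantics: wildcard bits set to 1 are ignored, bits set to 0 must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & ALL_ONES) == (b & ~w & ALL_ONES)


class Acl:
    def __init__(self, number):
        self.number = number
        self.rules = []  # (action, src, src_wildcard, dst, dst_wildcard), in order

    def rule(self, action, src, src_wc, dst="0.0.0.0", dst_wc="255.255.255.255"):
        """'destination any' equals 0.0.0.0 with the wildcard 255.255.255.255."""
        self.rules.append((action, src, src_wc, dst, dst_wc))

    def match(self, src, dst):
        for action, sb, sw, db, dw in self.rules:
            if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
                return action          # first match wins
        return "deny"                  # nothing matched: not selected for protection


class IpsecPolicy:
    def __init__(self, name, seq, acl, proposal, tunnel_src, tunnel_dst, volume_kb):
        self.name, self.seq, self.acl, self.proposal = name, seq, acl, proposal
        self.tunnel_src, self.tunnel_dst = tunnel_src, tunnel_dst
        self.volume_limit = volume_kb * 1024
        self.protected_bytes = 0
        self.sa_generation = 1         # incremented on every IKE renegotiation

    def handle(self, src, dst, length):
        if self.acl.match(src, dst) != "permit":
            return {"action": "unprotected"}
        if self.protected_bytes + length > self.volume_limit:
            # volume-based lifetime exhausted: IKE sets up a fresh SA (new keys) first
            self.sa_generation += 1
            self.protected_bytes = 0
        self.protected_bytes += length
        return {"action": "esp-tunnel", "policy": f"{self.name} {self.seq}",
                "proposal": self.proposal, "outer_src": self.tunnel_src,
                "outer_dst": self.tunnel_dst, "sa": self.sa_generation}


def build_policy():
    """The data plan of 6.14.3: ACL 3101, proposal propo1, policy map1 10, 300 KB."""
    acl = Acl(3101)
    acl.rule("permit", "10.110.1.0", "0.0.0.255")   # MS segment -> any
    return IpsecPolicy("map1", 10, acl, "propo1", "1.1.1.9", "2.2.2.9", 300)


if __name__ == "__main__":
    p = build_policy()
    print(p.handle("10.110.1.20", "172.16.9.4", 1400))   # esp-tunnel, sa 1
    print(p.handle("10.110.2.20", "172.16.9.4", 1400))   # unprotected
```

A 300 KB volume lifetime means a renegotiation after roughly 219 full-size packets, which is why the lifetime in the plan is unusually short; the model makes that visible by bumping the SA generation on the 220th protected packet.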
7
About This Chapter
This describes how to configure service data such as the domain, security, Remote Authentication Dial In User Service (RADIUS) authentication and accounting, content-based charging, and service control.

7.1 Configuring the Domain Data
When a mobile station (MS) initiates a packet data service request, the request carries the domain information that specifies the external network to which the MS belongs. Based on the attributes of the domain configured on the PDSN9660, the PDSN9660 determines which external packet data network (PDN) the user will access, the access mode, and the address assignment mode.
7.2 Configuring the Security
This describes the security function and how to configure it, and provides a configuration example.
7.3 Configuring the Data for the FA
To meet increasing requirements for mobile station (MS) mobility, the CDMA2000 system provides the mobile IP (MIP) service, in which the PDSN9660 serves as a foreign agent (FA).
7.4 Configuring the Data for RADIUS Authentication and Accounting
This describes the Remote Authentication Dial In User Service (RADIUS) authentication and accounting functions and how to configure them, and provides a configuration example.
7.5 Configuring the Data for the Diameter Online Charging Function
The Diameter online charging system of the PDSN9660 enables prepaid charging for both normal users and content-based charging (CBC) users.
7.6 Configuring the Data for the Content-based Charging Function
Content-based charging (CBC) is a charging mode that adapts to different service types. It was introduced to meet the needs of 3G data services.
7.7 Configuring the Data for the Service Resolution and Control Function
This describes the service resolution and control function and how to configure it, and provides a configuration example.
Prerequisite
The interworking between the PDSN9660 and neighboring network elements (NEs) is configured.

7.1.1 Application Scheme for the Domain
This describes the application scheme for the domain on the PDSN9660.
7.1.2 Configuring PPP Negotiation Parameters
This describes how to set the parameters for the Point-to-Point Protocol (PPP) negotiation on the PDSN9660, such as the host name for authentication, the maximum receive unit, the timeout interval for the PPP negotiation request, the authentication mode, and the authentication algorithm.
7.1.3 Configuring the Basic Domain Information
The domain identifies the external packet data networks (PDNs), such as an Internet service provider (ISP) network or an intranet, that can be reached through the PDSN9660, or associated services such as Internet access and Wireless Application Protocol (WAP) services. You can configure the parameters related to Remote Authentication Dial In User Service (RADIUS) authentication and the domain name server (DNS) only after the basic domain information is configured.
7.1.4 Configuring the Constructed Domain
When authentication is required for a mobile station (MS) to access a network, and either the request carries a domain that is not configured on the PDSN9660 or the user carries no domain information at all, the constructed domain information (default domain information) can be used for authentication and other domain-associated services. If no authentication is required for an MS, the PDSN9660 can construct a network access identifier (NAI) in the format IMSI@construct_domain based on the configured constructed domain. The MS can access an external packet data network (PDN) with this NAI, and the NAI is used for charging.
7.1.5 Configuring the Authentication Data and Accounting Data for the Domain
If the Point-to-Point Protocol (PPP) authentication access mode is employed, you must configure the domain-specific Remote Authentication Dial In User Service (RADIUS) authentication. The PDSN9660 serves as an authentication, authorization and accounting (AAA) client that sends the authentication request and accounting request to the AAA server.
7.1.6 Configuring the Local Address Pool
After accessing an IP network, a mobile station (MS) must have an IP address for accessing packet data services. You can configure domain-specific address assignment modes on the PDSN9660.
7.1.7 Configuring the DNS Information
When a mobile station (MS) accesses an external network, the domain name of the external network is translated into an IP address. Therefore, you must configure on the PDSN9660 the information about the domain name server (DNS) of the external packet data network (PDN). The MS can then request domain name resolution from this DNS when it is activated for network access.
7.1.8 Configuring the Downlink Route to the MS
The downlink route from the service server to a mobile station (MS) must be configured so that downlink packets to the MS can be forwarded and the MS can use packet data services.
7.1.9 Commissioning the Domain Data
This provides the commands for commissioning the configuration data for the domain.
7.1.10 Configuration Example
This provides examples of configuration for the domain.
Configuration Roadmap
Figure 7-1 shows the roadmap for configuring the domain and related attributes on the PDSN9660.

Figure 7-1 Roadmap for configuring the domain (figure not reproduced; labelled branches: RADIUS assignment, Local assignment, End)
The domain and its attributes are configured as follows. Each item gives the characteristic, the condition under which it applies, and the configuration procedure to see.

- PPP negotiation (see 7.1.2 Configuring PPP Negotiation Parameters): When the domain allows Point-to-Point Protocol (PPP) access, a PPP negotiation between a mobile station (MS) and the PDSN9660 sets up a PPP session. If the Layer 2 Tunneling Protocol (L2TP) virtual private network (VPN) is used, a PPP negotiation between the PDSN9660 and the L2TP network server (LNS) is also required to set up the L2TP tunnel.
- Basic domain information (see 7.1.3 Configuring the Basic Domain Information): For the packet data network (PDN) to be accessed, you must configure the domain and related attributes on the PDSN9660 so that MSs of the domain can access an external PDN such as an Internet service provider (ISP) network or an intranet, or an associated service such as Internet access or the Wireless Application Protocol (WAP) service.
- Constructed domain (see 7.1.4 Configuring the Constructed Domain): When authent ication is required for a user to access a network, and either the request carries a domain that is not configured on the PDSN9660 or the user carries no domain information at all, the constructed domain information (default domain information) can be used for authentication and other domain-associated services. If no authentication is required for an MS, the PDSN9660 can construct a network access identifier (NAI) in the format IMSI@construct_domain based on the configured constructed domain. The MS can access an external PDN with this NAI, and the NAI is used for charging.
- RADIUS authentication (see 7.1.5 Configuring the Authentication Data and Accounting Data for the Domain): If the PPP negotiation determines that authentication is required and the authentication mode of the domain is RADIUS authentication, you must configure the domain-specific Remote Authentication Dial In User Service (RADIUS) authentication. The PDSN9660 serves as an authentication, authorization and accounting (AAA) client that sends the authentication request to the AAA server.
- Local address pool (see 7.1.6 Configuring the Local Address Pool): After accessing an IP network, an MS must have an IP address for accessing packet data services. You can configure domain-specific address assignment modes on the PDSN9660. If you set the address assignment mode for PPP users to local assignment or to RADIUS assignment by preference when configuring the basic domain information, you must configure a local address pool for the domain.
- DNS (see 7.1.7 Configuring the DNS Information): The DNS translates a domain name into the IP address that an MS needs in order to reach a page on the Internet.
- Downlink route to the MS (see 7.1.8.1 Configuring the Downlink Route to the MS in Local Address Assignment Mode and 7.1.8.2 Configuring the Downlink Route to the MS in RADIUS Address Assignment Mode): The downlink route from the service server to an MS must be configured so that downlink packets to the MS can be forwarded and the MS can use packet data services. The downlink route depends on the address assignment mode: downlink route in local address assignment mode, or downlink route in RADIUS address assignment mode.

Application Requirement: MS accessing the IP network of an operator (for details, see 7.1.10.1 MS Accessing the IP Network of an Operator)
The PPP negotiation determines that negotiable authentication is employed. The authentication algorithm on the PDSN9660 is the Challenge Handshake Authentication Protocol (CHAP). The domain is configured and bound to a VPN instance. L2TP is disabled. The PDSN9660 assigns an IP address from the local address pool to the user and authenticates the user. The local DNS configuration is preferred.
Application Requirement: MS accessing the network of an ISP (for details, see 7.1.10.2 MS Accessing the Network of an ISP)
The PPP negotiation determines that forcible authentication is employed. The authentication algorithm on the PDSN9660 is the Password Authentication Protocol (PAP) or CHAP. The domain is configured and bound to a VPN instance. L2TP is disabled. The RADIUS server assigns an IP address to the user and authenticates the user. The local DNS configuration is preferred.

Application Requirement: MS accessing an intranet
The PPP negotiation determines that forcible authentication is employed. The authentication algorithm on the PDSN9660 is PAP or CHAP. The domain is configured and bound to a VPN instance. L2TP is enabled. The PDSN9660 assigns an IP address from the local address pool to the user and authenticates the user. The local DNS configuration is preferred.

Application Requirement: Configuring the downlink route in local address assignment mode (for details, see 7.1.10.4 Configuring the Downlink Route in Local Address Assignment Mode)
If the local address pool is one complete network segment (a range that can be expressed with a mask) and holds more than 32 IP addresses, static routes are imported and advertised to the backbone network. If the local address pool is an incomplete network segment or holds fewer than 32 IP addresses, static routes and wireless routes (WLRs) are imported, advertised to the backbone network, and then aggregated.

Application Requirement: Configuring the downlink route in RADIUS address assignment mode (for details, see 7.1.10.5 Configuring the Downlink Route in RADIUS Address Assignment Mode)
If the address segments assigned by the RADIUS server are known in advance, you can configure static routes on the PDSN9660 with the next hop of each segment set to the corresponding P interface. The PDSN9660 then imports the static routes into the routing protocol and advertises them to the routers on the backbone network. If the address segments assigned by the RADIUS server are not known in advance, static routes cannot be configured; the PDSN9660 generates WLRs automatically from the IP addresses of the MSs when they are activated.
Prerequisite
The software of the PDSN9660 is installed and commissioned.
Context
Similar to the network access server (NAS) in traditional dial-up access mode, the PDSN9660 needs to set up a PPP session with a mobile station (MS) through the PPP negotiation to enable the MS to access the external packet data network (PDN).
- If the domain allows PPP access, a PPP negotiation is required between an MS and the PDSN9660 to set up a PPP session.
- If the Layer 2 Tunneling Protocol (L2TP) virtual private network (VPN) is used, a PPP negotiation is required between the PDSN9660 and the L2TP network server (LNS).

The parameter settings for the PPP negotiation take effect for the entire PDSN9660. That is, the parameter settings are effective for any domain that allows PPP access and for any L2TP tunnel. The PPP negotiation is divided into the following stages:
1. Link Control Protocol (LCP) negotiation stage: A link is set up between the MS and the PDSN9660. The authentication mode and algorithm that result from this stage are shown in Table 7-2.
Table 7-2 Authentication negotiation between the MS and the PDSN9660

Authentication Mode Set on the PDSN9660 | Authentication Algorithm Set on the PDSN9660 | Authentication Algorithm Set on the MS | Negotiation Result
Non-authentication | - | - | Non-authentication
Forcible authentication | CHAP | CHAP | CHAP
Forcible authentication | CHAP | PAP | Negotiation failure
Forcible authentication | CHAP | Both | CHAP
Forcible authentication | CHAP | Authentication not supported | Negotiation failure
Forcible authentication | PAP | CHAP | Negotiation failure
Forcible authentication | PAP | PAP | PAP
Forcible authentication | PAP | Both | PAP
Forcible authentication | PAP | Authentication not supported | Negotiation failure
Forcible authentication | Both | CHAP | CHAP
Forcible authentication | Both | PAP | PAP
Forcible authentication | Both | Both | CHAP
Forcible authentication | Both | Authentication not supported | Negotiation failure
Negotiable authentication | CHAP | CHAP | CHAP
Negotiable authentication | CHAP | PAP | Non-authentication
Negotiable authentication | CHAP | Both | CHAP
Negotiable authentication | CHAP | Authentication not supported | Non-authentication
Negotiable authentication | PAP | CHAP | Non-authentication
Negotiable authentication | PAP | PAP | PAP
Negotiable authentication | PAP | Both | PAP
Negotiable authentication | PAP | Authentication not supported | Non-authentication
Negotiable authentication | Both | CHAP | CHAP
Negotiable authentication | Both | PAP | PAP
Negotiable authentication | Both | Both | CHAP
Negotiable authentication | Both | Authentication not supported | Non-authentication

2. Authentication stage: In local authentication mode, the PDSN9660 performs authentication for the MS. In agent authentication mode, the authentication, authorization and accounting (AAA) server performs authentication for the MS. An MS can access an external PDN in two modes, authentication access and non-authentication access.
   - If the LCP negotiation result requires authentication (PAP or CHAP), the authentication process starts.
   - If the LCP negotiation result is non-authentication access, the Network Control Protocol (NCP) negotiation starts.
3. NCP negotiation stage: The protocol at the network layer is negotiated and an IP address is assigned to the MS.
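The negotiation matrix of Table 7-2 can be stated as three rules rather than 25 cells, which makes its security consequence easy to audit: in negotiable mode an MS that lacks the configured algorithm is admitted without any authentication, whereas forcible mode fails the LCP negotiation instead. The following Python model is an added example, not part of the PDSN9660 documentation or software. The rule set is the editor's reading of the table (CHAP is preferred when both sides support both algorithms); the mode, algorithm and result names are the table's own, and the model is checked against every cell of the table.

```python
"""Table 7-2 (LCP authentication negotiation) expressed as rules and verified.

Added example, not part of the PDSN9660 documentation or software. The rules are
the editor's reading of the table; the table itself is embedded below so the
rules can be checked against it.
"""

NONE, FORCIBLE, NEGOTIABLE = "non-authentication", "forcible", "negotiable"
CHAP, PAP, BOTH, UNSUPPORTED = "CHAP", "PAP", "Both", "not supported"
FAIL = "negotiation failure"


def _algorithms(setting):
    """Expand a configured algorithm setting into the set of algorithms it allows."""
    return {CHAP: {CHAP}, PAP: {PAP}, BOTH: {CHAP, PAP}, UNSUPPORTED: set()}[setting]


def negotiate(pdsn_mode, pdsn_algorithm, ms_algorithm):
    """Negotiation result for one PDSN9660 mode/algorithm and one MS algorithm.

    Rules read from Table 7-2:
    - non-authentication mode never authenticates, whatever the MS offers;
    - otherwise the common algorithm is used, CHAP preferred over PAP;
    - with no common algorithm, forcible mode fails the negotiation while
      negotiable mode silently falls back to non-authentication.
    """
    if pdsn_mode == NONE:
        return NONE
    common = _algorithms(pdsn_algorithm) & _algorithms(ms_algorithm)
    if CHAP in common:
        return CHAP
    if PAP in common:
        return PAP
    return FAIL if pdsn_mode == FORCIBLE else NONE


def silent_downgrades(pdsn_algorithm):
    """MS settings that end up unauthenticated when the PDSN9660 uses negotiable mode.

    This is the question to answer before choosing negotiable mode: which MS
    configurations would be admitted with no authentication at all?
    """
    return [ms for ms in (CHAP, PAP, BOTH, UNSUPPORTED)
            if negotiate(NEGOTIABLE, pdsn_algorithm, ms) == NONE]


# Table 7-2 as data: (mode, PDSN algorithm) -> {MS algorithm: result}.
TABLE_7_2 = {
    (FORCIBLE, CHAP): {CHAP: CHAP, PAP: FAIL, BOTH: CHAP, UNSUPPORTED: FAIL},
    (FORCIBLE, PAP): {CHAP: FAIL, PAP: PAP, BOTH: PAP, UNSUPPORTED: FAIL},
    (FORCIBLE, BOTH): {CHAP: CHAP, PAP: PAP, BOTH: CHAP, UNSUPPORTED: FAIL},
    (NEGOTIABLE, CHAP): {CHAP: CHAP, PAP: NONE, BOTH: CHAP, UNSUPPORTED: NONE},
    (NEGOTIABLE, PAP): {CHAP: NONE, PAP: PAP, BOTH: PAP, UNSUPPORTED: NONE},
    (NEGOTIABLE, BOTH): {CHAP: CHAP, PAP: PAP, BOTH: CHAP, UNSUPPORTED: NONE},
}


def rules_match_table():
    """True when negotiate() reproduces every cell of Table 7-2."""
    return all(negotiate(mode, alg, ms) == expected
               for (mode, alg), row in TABLE_7_2.items()
               for ms, expected in row.items())


if __name__ == "__main__":
    print("rules reproduce Table 7-2:", rules_match_table())
    for alg in (CHAP, PAP, BOTH):
        print(f"negotiable mode with PDSN9660 set to {alg}: "
              f"MS settings admitted without authentication -> {silent_downgrades(alg)}")
```

Running the model shows that with negotiable authentication and the PDSN9660 set to CHAP, an MS configured for PAP only, or with authentication disabled, is admitted as a non-authenticated user; forcible authentication is the mode that turns the same mismatch into a failed negotiation.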
Data Planning
1. Authentication mode on the PDSN9660
2. Authentication algorithm on the PDSN9660
3. Host name used by the PDSN9660 for authentication
4. Maximum receive unit of the PDSN9660
5. Timeout interval for the request during the PPP negotiation between the MS and the PDSN9660
Procedure
Step 1 Run access-view to enter the access view.
Step 2 Run ppp to set the parameters for the PPP negotiation on the PDSN9660.
----End
7.1.3 Configuring the Basic Domain Information

Prerequisite
- Plan the domain for the entire network so that it is consistent with the domain information on the packet control function (PCF), mobile station (MS), and DNS.
- The interworking between the PDSN9660 and neighboring network elements (NEs) is configured.
Context
- The data service request initiated by the MS carries the user information username@domain, where domain represents the external network domain to which the MS belongs. If the PDSN9660 is configured with the corresponding domain, the PDSN9660 sends the authentication request for the MS to the authentication server. After the authentication succeeds, the PDSN9660 enables the MS to access the external PDN and performs charging for the MS.
- The data service request initiated by the MS carries the user information username@domain, but the PDSN9660 is not configured with the corresponding domain. The PDSN9660 then sends the authentication request for the MS to the authentication, authorization and accounting (AAA) server whose IP address is specified in the constructed domain. The authentication request contains the original user name. If the authentication succeeds, the PDSN9660 enables the MS to access the external PDN and performs charging for the MS. If the authentication fails, the PDSN9660 denies the service request. If the data service request initiated by the MS carries the user information username@construct_domain (the domain name represents a constructed domain), the authentication request sent to the AAA server carries the user information username@construct_domain.
- The data service request initiated by the MS does not carry the domain information. The PDSN9660 sends the authentication request for the MS to the AAA server whose IP address is specified in the constructed domain. The authentication request contains the original user name. If the authentication succeeds, the PDSN9660 enables the MS to access the external PDN and performs charging for the MS. If the authentication fails, the PDSN9660 rejects the service request.
- A locked domain means that this domain denies access of any new user. The users who have already accessed the PDSN9660 through this domain, however, can continue with their data services. The lock flag is used for maintenance. For example, when replacing an SPU, you can lock the domain first so that it does not admit any new user. Replace the SPU when all the activated users are deactivated. Thus, the services are not interrupted when an SPU is replaced. Generally, it is recommended that you do not lock a domain.
Data Planning
1. Domain name
2. Virtual private network (VPN) instance to which the domain is bound
3. Layer 2 Tunneling Protocol (L2TP) function of the domain
4. Address assignment mode of the domain
5. Authentication mode of the domain
6. Whether to remove the domain name from user information
7. Whether to enable the Disconnect Messages (DM) from the AAA server
Procedure
Step 1 Run domain to enter the domain view.
Step 2 Optional: Run vpn-instance to configure the VPN instance for the domain.
Step 3 Optional: Run l2tp to enable L2TP.
NOTE
- When the MS accesses the Internet, the VPN is not used. Therefore, you do not need to configure the VPN instance or L2TP flag for the domain.
- When the MS accesses an intranet, you must run vpn-instance to specify the name of the VPN instance to be accessed if the Layer 3 VPN is used; you must run l2tp to enable L2TP if the Layer 2 VPN is used.
Step 4 Run address-allocate to set the address assignment mode for the domain to local assignment, RADIUS assignment, or RADIUS assignment by preference.
Step 5 Run authentication to set the authentication mode for the domain.
Step 6 Optional: Run strip-domain-name to specify whether to enable the stripping domain name function for the domain.
NOTE
When the AAA server cannot identify domains, you can run strip-domain-name to remove the domain information so that the authentication requests and accounting requests to the AAA server contain only the user name.
Step 7 Optional: Run radius-disconnect to configure the PDSN9660 to support the DM messages from the AAA Server for the users of the specified domain.
NOTE
This function enables deactivation according to the charging ID. The PDSN9660 receives the RADIUS Disconnect-Request message from the RADIUS server and deactivates a specified user according to the international mobile subscriber identity (IMSI) field in this message. To configure the activation not to be controlled by the AAA server, you can run radius-disconnect to disable this function. Then, the PDSN9660 discards the RADIUS Disconnect-Request message.
Step 8 Optional: Run proxy-mip to enable the proxy mobile IP (PMIP) service for the domain. ----End
Postrequisite
CAUTION
Before deactivating users of a domain, you must run lock in the domain view to lock the domain. The locked domain rejects new access requests. Then, run deactivate usercontext in the access view to deactivate users of this domain.
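The domain selection described in the Context above, the strip-domain-name option and the lock flag can be modelled in a few lines, which is useful when planning which AAA server a given user name will reach and what the lock does to users already online. The following Python model is an added example, not part of the PDSN9660 documentation or software. Domain names, AAA addresses and user names are constructed. One reading is an assumption and is marked in the code: when the MS names a domain that is not configured, the "original user name" carried in the request is taken to be the part before the @.

```python
"""Domain selection, strip-domain-name and the lock flag for an MS service request.

Added example, not the PDSN9660's own code. Domain names, AAA server addresses
and user names are constructed. Assumption (marked below): for an unknown
domain, the "original user name" sent to the AAA server is the part before @.
"""
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    aaa_server: str                  # AAA server that receives this domain's requests
    strip_domain_name: bool = False  # strip-domain-name enable: send only the user name
    locked: bool = False             # lock flag set in the domain view


@dataclass
class Pdsn:
    domains: dict                    # configured domains, keyed by name
    construct_domain: Domain         # the single constructed domain
    active_users: set = field(default_factory=set)  # user info of activated MSs

    def resolve(self, user_info):
        """Return (domain name, AAA server, user name carried in the AAA request).

        Raises PermissionError when the selected domain is locked and the MS is
        a new user; users already active in that domain continue their service.
        """
        username, sep, domain_name = user_info.partition("@")
        if sep and domain_name in self.domains:
            # username@domain with the domain configured on the PDSN9660
            dom = self.domains[domain_name]
            request_user = username if dom.strip_domain_name else user_info
        elif sep and domain_name == self.construct_domain.name:
            # username@construct_domain is carried as it is (unless stripped)
            dom = self.construct_domain
            request_user = username if dom.strip_domain_name else user_info
        elif sep:
            # unknown domain: AAA server of the constructed domain, original user
            # name. Assumption: "original user name" is the part before the @.
            dom = self.construct_domain
            request_user = username
        else:
            # no domain information: constructed domain, original user name
            dom = self.construct_domain
            request_user = username
        if dom.locked and user_info not in self.active_users:
            raise PermissionError(f"domain {dom.name} is locked; new user {user_info} denied")
        return dom.name, dom.aaa_server, request_user

    def activate(self, user_info):
        """Resolve the domain and record the MS as an active user."""
        result = self.resolve(user_info)
        self.active_users.add(user_info)
        return result

    def remaining_users(self, domain_name):
        """Active users still served through a domain: the check before replacing an SPU."""
        return sorted(u for u in self.active_users if self.resolve(u)[0] == domain_name)


def build_sample_pdsn():
    """Constructed configuration: one operator domain plus the constructed domain."""
    pdsn = Pdsn(
        domains={"operator.com": Domain("operator.com", "10.2.1.1", strip_domain_name=True)},
        construct_domain=Domain("construct.example", "10.2.1.9"),
    )
    pdsn.activate("alice@operator.com")
    return pdsn


if __name__ == "__main__":
    pdsn = build_sample_pdsn()
    for user in ("bob@operator.com", "carol@unknown.example", "dave", "erin@construct.example"):
        print(user, "->", pdsn.resolve(user))
    # Maintenance: lock the domain; existing users continue, new users are denied.
    pdsn.domains["operator.com"].locked = True
    print("still served through operator.com:", pdsn.remaining_users("operator.com"))
    try:
        pdsn.resolve("frank@operator.com")
    except PermissionError as exc:
        print(exc)
```

The lock scenario at the end mirrors the SPU replacement procedure in the Context: after the lock, remaining_users() is the list that must empty (through deactivation) before the SPU is replaced.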
Prerequisite
- Plan the domain for the entire network so that it is consistent with the domain information on the packet control function (PCF), MS, and domain name server (DNS).
- The interworking between the PDSN9660 and neighboring network elements (NEs) is configured.
Context
The PDSN9660 can construct an NAI for the MS based on the configured constructed domain. The format of the NAI is IMSI@construct_domain, where:
- The international mobile subscriber identity (IMSI) is unique globally. It is assigned to each user in the mobile telecommunications system.
- construct_domain is the name of the constructed domain configured on the PDSN9660.
The MS can access an external PDN with the NAI IMSI@construct_domain and use this NAI for charging.
NOTE
You can configure multiple domains on the PDSN9660 for an MS to access a network of an operator or Internet service provider (ISP), or an intranet. Only one constructed domain, however, can be configured with a changeable domain name. The constructed domain does not support L2TP service. The non-authentication access mode is generally employed for system tests, or special requirements of operators. Generally, the authentication access mode is recommended.
Data Planning
1. Domain name
2. Virtual private network (VPN) instance to which the domain is bound
3. Address assignment mode of the domain
4. Authentication mode of the domain
5. Whether to remove the domain name from user information
6. Whether to enable the Disconnect Messages (DM) from the authentication, authorization and accounting (AAA) server
Procedure
Step 1 Run construct domain to create a constructed domain and enter the view of the domain.
Step 2 Run vpn-instance to configure the VPN instance for the domain.
NOTE
- When the MS accesses the Internet, the VPN is not used. Therefore, you do not need to configure the VPN instance for the domain.
- When the MS accesses an intranet, you must run vpn-instance to specify the name of the VPN instance to be accessed if the Layer 3 VPN is used.
Step 3 Run address-allocate to set the address assignment mode for the domain to local assignment, RADIUS assignment, or RADIUS assignment by preference.
Step 4 Run authentication to set the authentication mode for the domain.
Step 5 Optional: Run strip-domain-name to specify whether to enable the stripping domain name function for the domain.
NOTE
When the AAA server cannot identify domains, you can run strip-domain-name to remove the domain information so that the authentication requests and accounting requests to the AAA server contain only the user name.
Step 6 Optional: Run radius-disconnect to configure the PDSN9660 to support the DM messages from the AAA Server for the users of the specified domain.
NOTE
This function enables deactivation according to the charging ID. The PDSN9660 receives the RADIUS Disconnect-Request message from the RADIUS server and deactivates a specified user according to the international mobile subscriber identity (IMSI) field in this message. To configure the activation not to be controlled by the AAA server, you can run radius-disconnect to disable this function. Then, the PDSN9660 discards the RADIUS Disconnect-Request message.
Step 7 Optional: Run proxy-mip to enable the proxy mobile IP (PMIP) service for the domain. ----End
Postrequisite
CAUTION
Before deactivating users of a domain, you must run lock in the domain view to lock the domain. The locked domain rejects new access requests. Then, run deactivate usercontext in the access view to deactivate users of this domain.
7.1.5 Configuring the Authentication Data and Accounting Data for the Domain
If the Point-to-Point Protocol (PPP) authentication access mode is employed, you must configure the domain-specific Remote Authentication Dial In User Service (RADIUS) authentication. The PDSN9660 serves as an authentication, authorization and accounting (AAA) client to send the authentication request and accounting request to the AAA server.
7-14 Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 02 (2009-04-10)
Prerequisite
- The basic domain information is configured. For details, see 7.1.3 Configuring the Basic Domain Information.
- The AAA authentication and accounting servers are configured. For details, see 3.12 Configuring the AAA Authentication/Accounting Server.
Context
- Each domain can be configured with one RADIUS server group. Before modifying the bound RADIUS server group, unbind the original RADIUS server group from the domain. If the name of the bound RADIUS server group does not exist, the binding fails.
- A RADIUS server group can be configured with only one active server and one standby server. You can configure up to 1000 RADIUS server groups and 2000 authentication servers on the PDSN9660.
- The virtual private network (VPN) of the AAA authentication/accounting server can be different from the VPN bound with the domain.
Data Planning
1. Domain name
2. Name of the RADIUS server group bound with the domain name
Procedure
Step 1 Run domain to enter the domain view.
Step 2 Run radius-server group to bind a RADIUS server group to the domain.
----End
Prerequisite
The associated domain must be configured before you configure the local address pool. For details, see 7.1.3 Configuring the Basic Domain Information.
Context
The PDSN9660 supports two address assignment modes:
- RADIUS assignment: The IP addresses are assigned by the Remote Authentication Dial In User Service (RADIUS) server. If the RADIUS server does not assign an IP address to the MS, the address assignment fails.
- Local assignment: The IP addresses are assigned from the local address pool. If the PDSN9660 does not assign an IP address to the MS from the local address pool, the address assignment fails.
NOTE
The PDSN9660 supports RADIUS assignment by preference. That is, you can configure RADIUS assignment with a higher priority than local assignment. If the RADIUS server returns an IP address during the authentication, this IP address is used. If the RADIUS server does not return any IP address or returns an invalid IP address, the PDSN9660 assigns an IP address from the local address pool to the MS. You must configure the local address pool when the address assignment mode is local assignment or RADIUS assignment by preference.
Data Planning
1. Name of the local address pool
2. Virtual private network (VPN) instance bound with the address pool
3. IPv4 address segments in the address pool of the domain
4. Conflicted IP addresses in the local address pool
5. Waiting time to release an IP address to the local address pool
Procedure
- Configure the local address pool.
  1. Run access-view to enter the access view.
  2. Run ip pool to create an address pool and enter the view of the address pool.
  3. Optional: Run vpn-instance to specify the VPN instance to which the local address pool is bound. If the domain is bound with a VPN, the address pool must be bound to this VPN; otherwise, the domain cannot be bound with the address pool.
  4. Run section to set IPv4 address segments in the local address pool. You must set address segments after configuring an address pool. The user activation fails if no address segment is available.
  5. Optional: Run conflict-ip to set the status of IP addresses to conflict in the local address pool.
     NOTE
     To avoid conflicts between IP addresses of the devices and those in the address pool, you can run conflict-ip to set the status of conflicted IP addresses to conflict when configuring the address pool. This prevents the PDSN9660 from assigning conflicted IP addresses to MSs.
  6. Optional: Run release-time to set the duration that the PDSN9660 waits to release an IP address to the local address pool after it is released by an MS.
     NOTE
     After IP addresses in the local address pool are released, they may not be assigned immediately to MSs. That is, there may be a lag between IP address release by an MS and IP address release in the address pool. You can set this lag by running release-time. By default, the lag is zero, that is, an IP address is released in the address pool as soon as it is released by an MS.
  7. Run quit to exit the local address pool view.
  8. Run quit to exit the access view.
  9. Run domain to enter the domain view.
  10. Run address-pool to bind the local address pool to the domain.
- Modify or delete an address pool.
  CAUTION
  If you intend to dynamically modify or delete an address pool or segment, ensure that no MS is using an IP address in this address pool or segment. Lock the address pool, and then forcibly recycle the assigned IP addresses or address segments. Then, you can dynamically modify or delete the address pool or segment.
  1. Run access-view to enter the access view.
  2. Run ip pool to create an address pool and enter the view of the address pool.
  3. Run lock to lock the local address pool.
  4. Run recycle to recycle an IP address or address segment in the local address pool.
  5. Run undo section to delete the IPv4 address segments in the local address pool.
  6. Run quit to exit the local address pool view.
  7. Run quit to exit the access view.
  8. Run domain to enter the domain view.
  9. Run undo address-pool to unbind the address pool from the domain.
  10. Run quit to exit the domain view.
  11. Run access-view to enter the access view.
  12. Run undo ip pool to delete the address pool.
----End
Prerequisite
The basic domain information is configured. For details, see 7.1.3 Configuring the Basic Domain Information.
Context
The IP address of the DNS can be obtained through any of the following methods:
- From the authentication, authorization and accounting (AAA) server during authentication
- By using the DNS information configured on the PDSN9660
- Through negotiation with the L2TP network server (LNS) when an MS accesses the network through the Layer 2 Tunneling Protocol (L2TP) virtual private network (VPN)
- By using the DNS information configured on the MS
NOTE
For local DNS information, the PDSN9660 supports two classes of DNS configuration: domain-specific DNS information and default global DNS information. If no DNS information is configured for a domain, the MS adopts the default global DNS information configured on the PDSN9660. If both the AAA server and the PDSN9660 provide DNS information, you can configure which of the two takes priority.
The local DNS information and the DNS information returned from the AAA server are of different priorities. Figure 7-2 shows the principles for DNS selection.

Figure 7-2 Principles for DNS selection (flowchart; the decision sequence below is recovered from the figure text)
1. DNS selection is required.
2. Can both the AAA server and the PDSN9660 provide DNS information? If yes, the DNS information with the higher priority configured on the PDSN9660 is used.
3. If no: can either the AAA server or the PDSN9660 provide DNS information? If yes, the DNS information delivered by the AAA server or configured on the PDSN9660 is used.
4. If no: is the MS configured with DNS information? If yes, the DNS information obtained from the MS is used.
5. If no, no DNS is available.
Data Planning
1. IP address of the active DNS
2. IP address of the standby DNS
3. DNS priority
4. IP address of the default active DNS
5. IP address of the default standby DNS
Procedure
Step 1 Run domain to enter the domain view.
Step 2 Run dns to set the IP addresses of the active and standby DNSs and the DNS priorities.
Step 3 Run quit to exit the domain view.
Step 4 Run access-view to enter the access view.
Step 5 Run defdns to set the default DNS information for the entire PDSN9660, including the IP addresses of the active and standby DNSs and the DNS priorities.
----End
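The selection principle of Figure 7-2, combined with the NOTE above (domain-specific dns settings take precedence over the global defdns settings), is small enough to write down as a function, which helps when checking what an MS in a given domain will actually receive. The following Python model is an added example, not part of the PDSN9660 documentation or software; the DNS addresses are constructed, and the "local"/"aaa" priority value models the priority keyword of the dns and defdns commands.

```python
"""DNS selection for an activated MS, following Figure 7-2 and the NOTE above.

Added example, not the PDSN9660's own code. Four sources are modelled: the AAA
server's reply, the domain's dns settings, the global defdns settings and the
MS's own configuration. All addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DnsInfo:
    primary: str                      # active DNS
    secondary: Optional[str] = None   # standby DNS


@dataclass(frozen=True)
class LocalDns:
    """dns (per domain) or defdns (global) settings on the PDSN9660."""
    info: DnsInfo
    priority: str = "local"           # "local" or "aaa": which source wins when both exist


def local_dns(domain_dns, default_dns):
    """Domain-specific settings take precedence; the global default is the fallback."""
    return domain_dns if domain_dns is not None else default_dns


def select_dns(aaa_dns, domain_dns, default_dns, ms_dns):
    """Return (source, DnsInfo); source is 'aaa', 'local', 'ms' or 'none'."""
    local = local_dns(domain_dns, default_dns)
    if aaa_dns is not None and local is not None:
        # Both sides can provide DNS: the priority configured on the PDSN9660 decides.
        return ("aaa", aaa_dns) if local.priority == "aaa" else ("local", local.info)
    if aaa_dns is not None:
        return "aaa", aaa_dns
    if local is not None:
        return "local", local.info
    if ms_dns is not None:
        return "ms", ms_dns
    return "none", None


# Constructed sample settings.
AAA_DNS = DnsInfo("10.4.1.1", "10.4.1.2")                         # returned by the AAA server
DOMAIN_DNS = LocalDns(DnsInfo("10.3.1.1", "10.3.1.2"), "local")   # dns ... priority local
DEFAULT_DNS = LocalDns(DnsInfo("10.3.9.1"), "aaa")                # defdns ... priority aaa
MS_DNS = DnsInfo("192.0.2.53")                                    # configured on the MS

if __name__ == "__main__":
    print(select_dns(AAA_DNS, DOMAIN_DNS, DEFAULT_DNS, MS_DNS))   # domain dns wins by priority
    print(select_dns(AAA_DNS, None, DEFAULT_DNS, MS_DNS))         # defdns applies and prefers AAA
    print(select_dns(None, None, DEFAULT_DNS, MS_DNS))            # only the global default exists
    print(select_dns(None, None, None, MS_DNS))                   # only the MS has DNS
```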
7.1.8.1 Configuring the Downlink Route to the MS in Local Address Assignment Mode

Context
- Assume that the local address pool contains a complete address segment (expressed by one subnet mask) and holds more than 32 IP addresses. During the configuration of the local address pool, the PDSN9660 automatically creates a black hole route destined for the local address pool. The black hole route is a static route whose next hop is the null interface. When an MS is activated on the PDSN9660, the PDSN9660 obtains a part of the address pool and generates a wireless route (WLR) whose next hop is the P interface on the PDSN9660. The part of the address pool obtained by the PDSN9660 holds 32 IP addresses. See Figure 7-3.
The PDSN9660 advertises the black hole route destined for the address pool to routers on the backbone network. Then, all packets destined for IP addresses in the address pool are sent to the PDSN9660. When a packet arrives, the PDSN9660 searches the local routing table and then forwards the packet to the SPU through the WLR according to the longest match rule. In the case of address assignment from the local address pool, you do not need to configure the downlink route to the MS on the PDSN9660. You must configure the PDSN9660 to import static routes to the routing protocol and advertise routes to the network segments of the address pool to the backbone network.

Figure 7-3 Address assignment from the local address pool with a complete address segment (figure; the following is recovered from the figure text)
Local IP pool: 10.0.0.0 to 10.0.255.255
MSs 10.0.0.0 to 10.0.0.31 are served through Pif3/0/0; MSs 10.0.0.32 to 10.0.0.63 are served through Pif3/1/0
Routing table on the PDSN: 10.0.0.0/16 Null (static); 10.0.0.0/27 Pif3/0/0 (wlr); 10.0.0.32/27 Pif3/1/0 (wlr)
- The local address pool contains an incomplete address segment or holds fewer than 32 IP addresses. Assume that the local address pool is an incomplete network segment, for example, the range 10.0.0.0 to 10.1.0.31. See Figure 7-4. The PDSN9660 automatically generates two black hole routes, namely, 10.0.0.0/16 Null and 10.1.0.0/27 Null. When an MS is activated in the 10.1.0.0/27 network segment, the PDSN9660 generates the WLR 10.1.0.0/27 Pif3/1/0. The static route 10.1.0.0/27 Null does not take effect in the routing table because the WLR takes precedence over the static route. If the method of importing static routes is adopted, the downlink routes to the MSs in the 10.1.0.0/27 network segment cannot be advertised. Therefore, the downlink data to these MSs cannot be transmitted.

Assume that the PDSN9660 employs the Open Shortest Path First (OSPF) protocol as the dynamic routing protocol. To solve the preceding problem, you can configure the PDSN9660 to import both the static routes and the WLRs. This solution, however, brings another problem. After WLRs are imported, many 27-bit-mask WLRs exist in the 10.0.0.0/16 network segment. Advertising all these WLRs places a heavy load on the routers on the backbone network. In addition, it is unnecessary to advertise all WLRs. Thus, the routes must be aggregated and then advertised. Through route aggregation, the routes in the 10.0.0.0/16 network segment are aggregated into one 16-bit-mask route and advertised to the backbone network.
CAUTION
This case should be avoided in actual networking to simplify the configuration.
Figure 7-4 Address assignment from the local address pool with an incomplete address segment (figure; the following is recovered from the figure text)
Local IP pool: 10.0.0.0 to 10.1.0.31
MSs 10.0.0.0 to 10.0.0.31 are served through Pif3/0/0; MSs 10.1.0.0 to 10.1.0.31 are served through Pif3/1/0
Routing table on the PDSN: 10.0.0.0/16 Null (static); 10.1.0.0/27 Null (static); 10.0.0.0/27 Pif3/0/0 (wlr); 10.1.0.0/27 Pif3/1/0 (wlr)
Data Planning
1. OSPF as the dynamic routing protocol
2. OSPF process number
3. Address segment of the local address pool
4. Domain name
Operation Procedure
- The local address pool contains a complete address segment and holds more than 32 IP addresses.
  1. Run system-view to enter the system view.
  2. Run ospf to start the OSPF process.
  3. Run import-route to import the routes learned through the static routing protocol and advertise the imported routes to the backbone network.
- The local address pool contains an incomplete address segment or holds fewer than 32 IP addresses.
  1. Run system-view to enter the system view.
  2. Run ospf to start the OSPF process.
  3. Run import-route to import the routes learned through the static routing protocol and advertise the imported routes to the backbone network.
  4. Run import-route to import the WLRs and advertise them to the backbone network.
  5. Run asbr-summary to aggregate the imported routes.
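The routing behaviour in the Context above (black hole statics for the pool, one /27 WLR per activated MS, WLR precedence over a static route of the same prefix, and the choice between importing statics only or importing statics plus WLRs with aggregation) can be reproduced for the two figures with the standard ipaddress module. The following Python model is an added example, not part of the PDSN9660 documentation or software. It uses the pools and interface names of Figures 7-3 and 7-4; the activated MS addresses are constructed, and one point is an assumption marked in the code: the asbr-summary aggregate for an incomplete pool is taken to be each black hole prefix wider than a /27, as the text describes for 10.0.0.0/16.

```python
"""Black hole routes, WLRs and the OSPF import decision for a local address pool.

Added example, not the PDSN9660's own code. Pools and interface names follow
Figures 7-3 and 7-4; activated MS addresses are constructed. Assumption: the
asbr-summary aggregate is each black hole prefix wider than a WLR (/27).
"""
import ipaddress

WLR_PREFIX = 27  # a WLR covers 32 addresses, i.e. a /27


def black_hole_routes(first, last):
    """Static routes to Null that the PDSN9660 creates for the pool range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def wlr_for(ms_ip, p_interface):
    """WLR generated at activation: the /27 containing the MS address, via a P interface."""
    net = ipaddress.ip_network(f"{ms_ip}/{WLR_PREFIX}", strict=False)
    return (net, p_interface, "wlr")


def pool_routes(first, last, activations):
    """Routing table entries: black hole statics plus one WLR per (MS address, P interface)."""
    routes = [(net, "Null", "static") for net in black_hole_routes(first, last)]
    routes += [wlr_for(ip, pif) for ip, pif in activations]
    return routes


def lookup(routes, dst):
    """Longest match; at equal prefix length a WLR takes precedence over a static route."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, r[2] == "wlr"), default=None)


def effective_routes(routes):
    """Routing table after WLRs shadow static routes with the same prefix."""
    by_net = {}
    for route in routes:
        net, _, kind = route
        if net not in by_net or (kind == "wlr" and by_net[net][2] != "wlr"):
            by_net[net] = route
    return list(by_net.values())


def advertisement_plan(first, last):
    """(route kinds to import-route, prefixes to asbr-summary) for this pool."""
    nets = black_hole_routes(first, last)
    if len(nets) == 1 and nets[0].num_addresses > 32:
        return ["static"], []            # complete segment: the static routes suffice
    # incomplete segment: import statics and WLRs, then aggregate (assumption: one
    # summary per black hole prefix wider than a WLR)
    return ["static", "wlr"], [n for n in nets if n.prefixlen < WLR_PREFIX]


def advertised(routes, imports, summaries):
    """Prefixes the backbone learns for a given import-route / asbr-summary choice."""
    out = set()
    for net, _, kind in effective_routes(routes):
        if kind in imports:
            agg = next((s for s in summaries if net.subnet_of(s)), None)
            out.add(agg if agg is not None else net)
    return sorted(out)


# Figure 7-4: one MS activated in each part of the incomplete pool (constructed addresses).
FIG_7_4 = pool_routes("10.0.0.0", "10.1.0.31",
                      [("10.0.0.5", "Pif3/0/0"), ("10.1.0.5", "Pif3/1/0")])

if __name__ == "__main__":
    for route in FIG_7_4:
        print(route)
    print("10.1.0.5 is forwarded via", lookup(FIG_7_4, "10.1.0.5"))
    print("static import only      :", advertised(FIG_7_4, ["static"], []))
    imports, summaries = advertisement_plan("10.0.0.0", "10.1.0.31")
    print("static + WLR + summary  :", advertised(FIG_7_4, imports, summaries))
```

With the Figure 7-4 pool, importing static routes only advertises 10.0.0.0/16 and nothing for 10.1.0.0/27, because the WLR has displaced the static route of that prefix; importing WLRs as well and aggregating gives 10.0.0.0/16 plus 10.1.0.0/27, which is what the second operation procedure above achieves.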
7.1.8.2 Configuring the Downlink Route to the MS in RADIUS Address Assignment Mode

Context
- Assume that the address segment assigned by the RADIUS server managed by an Internet service provider (ISP) or intranet is known. See Figure 7-5. The address pools on the clients contain different address segments. Different SPUs employ address pools of different clients. When an MS is activated on an SPU, the PDSN9660 assigns an IP address from the address segment of this SPU to the MS. In this case, you must manually configure downlink routes to MSs on the PDSN9660. The destination is the address segment of the SPU and the next hop is the P interface of the SPU. Then, these static routes are imported to the routing protocol and advertised.
CAUTION
You must disable the automatic generation of downlink routes during user activation for users of the domain.
Figure 7-5 Address assignment by the RADIUS server (address segment known in advance) (figure; only the PDSN and the P interface Pif3/1/0 are legible in the figure text)
- Assume that the address segment assigned by the RADIUS server managed by an ISP or intranet is unknown. In this case, static downlink routes to MSs cannot be configured on the PDSN9660. The PDSN9660 can automatically generate wireless routes (WLRs) according to the IP addresses of the MSs during user activation. Then, the WLRs are imported into the dynamic routing protocol and advertised.
CAUTION
This should be avoided in actual networking because a large number of WLRs will adversely affect routers on the backbone network and the PDSN9660 supports only 50000 host routes for users with static IP addresses.
Data Planning
1. Dynamic routing protocol
2. Open Shortest Path First (OSPF) process number
3. Address segments assigned by the RADIUS server
4. Domain name
Operation Procedure
- Assume that the address segment assigned by the RADIUS server is known.
  1. Run system-view to enter the system view.
  2. Run ip route-static to configure the static routes to the address segments.
  3. Run ospf to start the OSPF process.
  4. Run import-route to import the routes learned through the static routing protocol and advertise the imported routes to the backbone network.
  5. Run domain to specify a domain and enter the domain view.
  6. Run static-ip to disable automatic generation of downlink routes for users of the domain.
- Assume that the address segment assigned by the RADIUS server cannot be known in advance.
  1. Run system-view to enter the system view.
  2. Run ospf to start the OSPF process.
  3. Run import-route to import the WLRs and advertise them to the backbone network.
Prerequisite
The domain data is configured.
Procedure
Step 1 Run display ppp to check whether the displayed parameter settings for the PPP negotiation are as configured.
- If the displayed parameter settings for the PPP negotiation are not as configured, run ppp to reconfigure them.
- If the displayed parameter settings for the PPP negotiation are as configured, proceed with Step 2.
Step 2 Run lst domain to check whether the displayed domain information is as configured.
- If the displayed VPN instance of the domain is not as configured, run undo vpn-instance to delete the VPN instance and then run vpn-instance to bind the domain with the correct VPN instance.
- If other domain information is not as configured, run l2tp, address-allocate, authentication, strip-domain-name and address-pool to reconfigure the domain information.
- Otherwise, proceed with Step 3.
Step 3 Run display radius-server to check whether the RADIUS server group bound with the domain is as configured.
- If the RADIUS server group bound with the domain is not as configured, run undo radius-server group to unbind the RADIUS server group from the domain and then run radius-server group to bind the correct RADIUS server group with the domain.
- If the RADIUS server group bound with the domain is as configured, proceed with Step 4.
Step 4 Run display ip pool to check whether information about the local address pool bound with the domain is as configured.
- If the displayed conflicted IP addresses are not as configured, run conflict-ip to reconfigure them.
- If the displayed time to release IP addresses is not as configured, run release-time to reconfigure it.
- If the displayed address segments are not as configured, run undo section to delete them and then run section to reconfigure the static address segments.
- If information about the local address pool bound with the domain is as configured, proceed with Step 5.
Step 5 Run display dns to check whether the displayed DNS information is as configured.
- If the displayed DNS information is not as configured, run dns to change the DNS information of the domain. To delete the DNS information of a specified domain, run undo dns.
- If the displayed DNS information is as configured, proceed with Step 6.
Step 6 Run display defdns to check whether the default DNS information is as configured.
- If the default DNS information is not as configured, run defdns to change the default DNS information. To delete the default DNS information, run undo defdns.
- If the default DNS information is as configured, the commissioning is complete.
----End
7.1.10.1 MS Accessing the IP Network of an Operator: This provides an example of the configuration of the domain for a mobile station (MS) to access the IP network of an operator.
7.1.10.2 MS Accessing the Network of an ISP: This provides an example of the configuration of the domain for an MS to access the network of an Internet service provider (ISP).
7.1.10.3 MS Accessing an Intranet: This provides an example of the configuration of the domain for an MS to access an intranet, that is, the network of an enterprise.
7.1.10.4 Configuring the Downlink Route in Local Address Assignment Mode: This provides an example of the configuration of the downlink route to an MS in the case of address assignment from the local address pool.
7.1.10.5 Configuring the Downlink Route in RADIUS Address Assignment Mode: This provides an example of the configuration of the downlink route to an MS in the case of address assignment by the Remote Authentication Dial In User Service (RADIUS) server.
7.1.10.1 MS Accessing the IP Network of an Operator

Networking Requirement
The PDSN9660 allows an MS to access the IP network of an operator with the domain name operator.com. See Figure 7-6.

Figure 7-6 Networking for an MS to access the IP network of an operator (figure; legible elements: an active AAA server, a standby AAA server, and the PDN)
Data Collection

Item | Value
Authentication mode during the Point-to-Point Protocol (PPP) negotiation | Negotiable authentication
Authentication algorithm supported by the PDSN9660 | CHAP
Host name for PPP negotiation | PDSN
Maximum receive unit | 1500
Timeout interval for a request during PPP negotiation | 5 seconds
Domain name | operator.com
Virtual private network (VPN) instance to which the domain is bound | operatorvpn
Layer 2 Tunneling Protocol (L2TP) function of the domain | disable
Address assignment mode of the domain | local
Authentication mode of the domain | Local authentication
Whether to remove the domain name from user information | enable
Whether to enable the Disconnect Messages (DM) from the authentication, authorization and accounting (AAA) server | enable
Name of the local address pool | operatorpool
Address segment 0 in the local address pool | 10.1.1.1 to 10.1.1.254
Conflicted IP addresses in the local address pool |
Waiting time to release an IP address in the local address pool | 60 seconds
Domain name server (DNS) priority | local configuration by preference
IP addresses of the active and standby DNSs | 10.3.1.1 and 10.3.1.2
Configuration Procedure

1. Configure the global PPP negotiation parameters.
# Enter the system view.
<PDSN>system-view
# Enter the access view.
[PDSN]access-view
# Set the authentication mode to negotiable authentication, the authentication algorithm supported by the PDSN9660 to CHAP, the host name for authentication to PDSN, the maximum receive unit to 1500 bytes, and the timeout interval to 5 seconds during the PPP negotiation.
[PDSN-access]ppp authmod negoauth authoption chap hostname PDSN mru 1500 timeout 5

2. Configure the domain operator.com.
# Create the domain operator.com and enter the view of the domain.
[PDSN]domain operator.com
# Disable L2TP.
[PDSN-domain-operator.com]l2tp disable
# Configure the domain to enable the DM messages from the AAA server.
[PDSN-domain-operator.com]radius-disconnect enable

3. Configure the local address assignment mode.
# Enter the access view.
[PDSN]access-view
# Set address segment 0 of the local address pool to the segment from 10.1.1.1 to 10.1.1.254.
[PDSN-access-ip-pool-operatorpool]section 0 10.1.1.1 10.1.1.254
# Set the waiting time to release an IP address in the local address pool to 60 seconds.
[PDSN-access-ip-pool-operatorpool]release-time 60

4. Configure information about the DNS that is bound with the domain.
# Set the DNS selection mode to local configuration by preference, the IP address of the active DNS to 10.3.1.1, and the IP address of the standby DNS to 10.3.1.2.
[PDSN-domain-operator.com]dns primary-ip 10.3.1.1 secondary-ip 10.3.1.2 priority local
5.
7.1.10.2 MS Accessing the Network of an ISP

Networking Requirement

The PDSN9660 allows an MS to access the ISP network with the domain name isp.com. See Figure 7-7.

Figure 7-7 Networking for an MS to access the network of an ISP
(Figure not reproduced; labels in the figure: Active AAA Server, Standby AAA Server, isp.com)

Data Collection

Authentication mode during the Point-to-Point Protocol (PPP) negotiation: Forcible authentication
Authentication algorithm supported by the PDSN9660: Both
Host name for PPP negotiation: PDSN
Maximum receive unit: 1500
Timeout interval for a request during PPP negotiation: 5 seconds
Domain name: isp.com
Virtual private network (VPN) instance to which the domain is bound: ispvpn
Layer 2 Tunneling Protocol (L2TP) function of the domain: disable
Address assignment mode of the domain: radius
Authentication mode of the domain: radius
Whether to remove the domain name from user information: enable
Whether to enable the Disconnect Messages (DM) from the AAA server: enable
Domain name server (DNS) priority: Local configuration by preference
IP addresses of the active and standby DNSs: 10.3.1.1/10.3.1.2
Remote Authentication Dial In User Service (RADIUS) server group: isprg
IP address of the active authentication server: 192.168.10.1
Destination port number of the active authentication server: 5188
VPN to which the active authentication server belongs: ispvpn
Key of the active authentication server: ispchina
IP address of the standby authentication server: 192.168.10.2
Destination port number of the standby authentication server: 5199
VPN to which the standby authentication server belongs: ispvpn
Key of the standby authentication server: chinaisp
Timeout interval of a RADIUS authentication message: 5 seconds
Number of retransmission times of a RADIUS authentication message: 2
Configuration Procedure

1. Configure the global PPP negotiation parameters.
# Enter the system view.
<PDSN>system-view
# Enter the access view.
[PDSN]access-view
# Set the authentication mode during the PPP negotiation to forcible authentication, the authentication algorithm supported by the PDSN9660 to both PAP and CHAP, the host name for authentication to PDSN, the maximum receive unit to 1500 bytes, and the timeout interval to 5 seconds.
[PDSN-access]ppp authmod auth authoption both hostname PDSN mru 1500 timeout 5

2. Configure the domain isp.com.
# Create the domain isp.com and enter the view of the domain.
[PDSN]domain isp.com
# Bind the domain to the VPN instance ispvpn.
[PDSN-domain-isp.com]vpn-instance ispvpn
# Disable L2TP.
[PDSN-domain-isp.com]l2tp disable
# Configure the domain to enable the DM messages from the AAA server.
[PDSN-domain-isp.com]radius-disconnect enable

3. Configure information about the DNS that is bound with the domain.
# Set the DNS selection mode to local configuration by preference, the IP address of the active DNS to 10.3.1.1, and the IP address of the standby DNS to 10.3.1.2.
[PDSN-domain-isp.com]dns primary-ip 10.3.1.1 secondary-ip 10.3.1.2 priority local

4. Configure the active and standby RADIUS authentication servers.
# Enter the access view.
[PDSN]access-view
# Create the RADIUS server group isprg and enter the view of the RADIUS server group.
[PDSN-access]radius-server group isprg
# Configure the AAA authentication for the domain. Set the IP address of the active authentication server to 192.168.10.1 and the destination port number to 5188. Bind the active authentication server to the VPN instance ispvpn. Set the key to ispchina.
[PDSN-access-radius-isprg]radius-server authentication 192.168.10.1 vpn-instance ispvpn port 5188 key ispchina
# Set the IP address of the standby authentication server to 192.168.10.2 and the destination port number to 5199. Bind the standby authentication server to the VPN instance ispvpn. Set the key to chinaisp.
[PDSN-access-radius-isprg]radius-server authentication 192.168.10.2 vpn-instance ispvpn port 5199 key chinaisp secondary
# Set the timeout interval for a RADIUS authentication message to 5 seconds and the number of retransmission times of a RADIUS authentication message to 2.
[PDSN-access-radius-isprg]radius-server retransmit 2 timeout 5

5. Bind the RADIUS server group to the domain.
# Enter the domain view.
[PDSN]domain isp.com
6.
7.1.10.3 MS Accessing an Intranet

This provides an example of configuration of the domain for a mobile station (MS) to access an intranet, that is, the network of an enterprise.

Networking Requirement

The PDSN9660 allows an MS to access the intranet with the domain name enterprise.com. See Figure 7-8.

Figure 7-8 Networking for an MS to access an intranet
(Figure not reproduced; labels in the figure: AAA Server, AAA Server, Firewall B, 10.10.10.1/24)

Data Collection

Authentication mode during the Point-to-Point Protocol (PPP) negotiation: Forcible authentication
Authentication algorithm supported by the PDSN9660: Both
Host name for PPP negotiation: PDSN
Maximum receive unit: 1500
Timeout interval for a request during PPP negotiation: 5 seconds
Domain name: enterprise.com
Virtual private network (VPN) instance to which the domain is bound: enterprisevpn
Layer 2 Tunneling Protocol (L2TP) function of the domain: enable
Address assignment mode of the domain: local
Authentication mode of the domain: Local authentication
Whether to remove the domain name from user information: enable
Whether to enable the Disconnect Messages (DM) from the AAA server: enable
Domain name server (DNS) priority: Local configuration by preference
IP addresses of the active and standby DNSs: 10.3.1.1/10.3.1.2
Number of the L2TP group: 1
IP address of the active L2TP network server (LNS): 10.10.10.1
Priority of the active LNS server: 1
Password for tunnel authentication: tunnel
Name of the L2TP access concentrator (LAC) end of the tunnel: pdsn
Tunnel authentication: enable
Attribute value pair (AVP) transmission in hidden mode: enable
Interval for sending Hello packets: 120 seconds
VPN instance to which the tunnel is bound: vpn_l2tp
Configuration Procedure

1. Configure the global PPP negotiation parameters.
# Enter the system view.
<PDSN>system-view
# Enter the access view.
[PDSN]access-view
# Set the authentication mode during the PPP negotiation to forcible authentication, the authentication algorithm supported by the PDSN9660 to both PAP and CHAP, the host name for authentication to PDSN, the maximum receive unit to 1500 bytes, and the timeout interval to 5 seconds.
[PDSN-access]ppp authmod 1 hostname PDSN mru 1500 timeout 5 authoption 0

2. Configure the domain enterprise.com.
# Create the domain enterprise.com and enter the view of the domain.
[PDSN]domain enterprise.com
# Enable L2TP.
[PDSN-domain-enterprise.com]l2tp enable
# Configure the domain to enable the DM messages from the AAA server.
[PDSN-domain-enterprise.com]radius-disconnect enable

3. Configure information about the DNS that is bound with the domain.
# Set the DNS selection mode to local configuration by preference, the IP address of the active DNS to 10.3.1.1, and the IP address of the standby DNS to 10.3.1.2.
[PDSN-domain-enterprise.com]dns primary-ip 10.3.1.1 secondary-ip 10.3.1.2 priority local

4. Configure L2TP group 1.
# Set the IP address of the active LNS to 10.10.10.1, the priority to 1, and the password for tunnel authentication to tunnel.
[PDSN-access-l2tp-group-1]lns ip 10.10.10.1 priority 1 password tunnel
# Set the name of the LAC end of the tunnel to pdsn, enable tunnel authentication, transmit the AVP in hidden mode, set the interval for sending Hello packets through the tunnel to 120 seconds, and bind the tunnel to the VPN instance vpn_l2tp.
[PDSN-access-l2tp-group-1]common authentication enable local pdsn avp-hidden enable hello-interval 120 vpn-instance vpn_l2tp
5.
6.
7.1.10.4 Configuring the Downlink Route in Local Address Assignment Mode

Networking Requirement

In the case of address assignment from the local address pool, two methods are available for configuring downlink routes to MSs. The configuration procedure varies with the planned address segments of the address pool.

- If the local address pool is a complete address segment that holds more than 32 IP addresses, that is, if the local address pool can be expressed by a mask, static black hole routes are imported and then advertised to the backbone network. See Figure 7-9.

Figure 7-9 Address assignment from the local address pool with a complete address segment
(Figure not reproduced; labels in the figure: PDSN, Pif3/0/0, Pif3/1/0, local IP pool)

- If the local address pool contains an incomplete address segment or holds fewer than 32 IP addresses, static routes and wireless routes (WLRs) are imported, advertised to the backbone network, and then aggregated. See Figure 7-10.

CAUTION
This should be avoided in actual networking for simple configuration.

Figure 7-10 Address assignment from the local address pool with an incomplete address segment
(Figure not reproduced; labels in the figure: PDSN, Pif3/0/0, Pif3/1/0, Local IP Pool 10.0.0.0 to 10.1.0.31. Routing table shown in the figure:
10.0.0.0/16 Null (static)
10.1.0.0/27 Null (static)
10.0.0.0/27 Pif3/0/0 (wlr)
10.1.0.0/27 Pif3/1/0 (wlr))
Data Collection

Dynamic routing protocol: Open Shortest Path First (OSPF)
OSPF process number: 100
Address segment assigned from the local address pool: 10.0.0.0 to 10.0.255.255 for a complete address segment, and 10.0.0.0 to 10.1.0.31 for an incomplete address segment
Domain name of the user: test
Configuration Procedure

- Assume that the local address pool is a complete address segment that holds more than 32 IP addresses.
1. Configure the downlink route to the MS.
# Enter the system view.
<PDSN>system-view
# Import the route information learned through the static routing protocol and advertise the imported routes to the backbone network.
[PDSN-ospf-100]import-route static
[PDSN-ospf-100]quit
[PDSN]quit
2.

- Assume that the local address pool contains an incomplete address segment or holds fewer than 32 IP addresses.
1. Configure the downlink route to the MS.
# Enter the system view.
<PDSN>system-view
# Import the route information learned through the static routing protocol and advertise the route to the backbone network.
[PDSN-ospf-100]import-route static
2.
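The two cases above can be checked mechanically. The following Python is an added example, not part of this Huawei document: it derives the covering prefixes of a pool range with the standard library, decides which case applies, and lists the black-hole static routes and WLRs to import, using the two pool ranges from the data collection table; the assignment of the two /27 blocks to Pif3/0/0 and Pif3/1/0 is a constructed assumption taken from Figure 7-10.

```python
import ipaddress
from typing import List, Tuple

# Pool ranges from the data collection table: a complete /16 segment and an
# incomplete segment that cannot be written as a single prefix.
COMPLETE_POOL = ("10.0.0.0", "10.0.255.255")
INCOMPLETE_POOL = ("10.0.0.0", "10.1.0.31")

# Constructed assumption: which block of the incomplete pool is served on which
# P interface (Figure 7-10 shows one WLR per interface).
WLR_BLOCKS = [("10.0.0.0/27", "Pif3/0/0"), ("10.1.0.0/27", "Pif3/1/0")]

Route = Tuple[str, str, str]  # (prefix, next hop, origin: "static" or "wlr")


def pool_prefixes(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Smallest set of CIDR prefixes that exactly covers first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def is_complete_segment(first: str, last: str, min_hosts: int = 32) -> bool:
    """A pool is 'complete' when it can be expressed by one mask and holds more
    than min_hosts addresses (the document's threshold of 32; a pool of exactly
    32 addresses is treated as incomplete here)."""
    prefixes = pool_prefixes(first, last)
    return len(prefixes) == 1 and prefixes[0].num_addresses > min_hosts


def plan_downlink_routes(first: str, last: str,
                         wlr_blocks: List[Tuple[str, str]]) -> List[Route]:
    """Routes to import into OSPF for the pool.

    Complete segment:   one static black-hole route (next hop Null) for the
                        whole pool, advertised to the backbone.
    Incomplete segment: a black-hole route per covering prefix plus one WLR per
                        interface block, so the backbone only needs the
                        aggregates while the PDSN still forwards per interface.
    """
    prefixes = pool_prefixes(first, last)
    routes: List[Route] = [(str(p), "Null", "static") for p in prefixes]
    if is_complete_segment(first, last):
        return routes
    for block, ifname in wlr_blocks:
        net = ipaddress.ip_network(block)
        # A WLR outside every black-hole aggregate would leak as an extra,
        # unaggregated route to the backbone; reject the plan instead.
        if not any(net.subnet_of(p) for p in prefixes):
            raise ValueError(f"WLR {block} is not covered by any pool aggregate")
        routes.append((block, ifname, "wlr"))
    return routes


if __name__ == "__main__":
    for pool in (COMPLETE_POOL, INCOMPLETE_POOL):
        print(pool, "complete" if is_complete_segment(*pool) else "incomplete")
        for route in plan_downlink_routes(*pool, WLR_BLOCKS):
            print("   ", *route)
```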
7.1.10.5 Configuring the Downlink Route in RADIUS Address Assignment Mode

Networking Requirement

In the case of address assignment by the RADIUS server, two methods are available for configuring downlink routes to MSs, depending on whether the address segments assigned by the RADIUS server (managed by an Internet service provider (ISP) or an intranet) can be known in advance.

- If the address segments assigned by the RADIUS server can be known in advance, you can configure downlink routes to MSs on the PDSN9660 and set the next hops of the routes to different address segments to the corresponding P interfaces. See Figure 7-11. These routes are imported through the dynamic routing protocol and advertised to the backbone network.

CAUTION
You must disable the automatic generation of downlink routes during user activation.

- If the address segments assigned by the RADIUS server cannot be known in advance, static downlink routes to MSs cannot be configured on the PDSN9660. The PDSN9660 can automatically generate wireless routes (WLRs) according to the IP addresses of the MSs during user activation. Then, the WLR routes are imported in the dynamic routing protocol and advertised.

CAUTION
This should be avoided in actual networking because a large number of WLRs will adversely affect routers on the backbone network, and the PDSN9660 supports only 50000 users with static IP addresses that require host routes.
Figure 7-11 Address assignment by the RADIUS server (address segment known in advance)
(Figure not reproduced; labels in the figure: PDSN, Pif3/1/0)

Data Collection

Dynamic routing protocol: Open Shortest Path First (OSPF)
OSPF process number: 100
Address segment assigned by the RADIUS server: destination address 10.0.0.0/24 with the next hop Pif3/0/0, and destination address 10.1.0.0/24 with the next hop Pif3/1/0
Domain name of the user: test
Configuration Procedure

- Assume that the address segments assigned by the RADIUS server can be known in advance.
1. Configure the downlink route to the MS.
# Enter the system view.
<PDSN>system-view
# Configure the static routes to the address segments. The destination address is 10.0.0.0/24 and the next hop is the Pif3/0/0 interface. The destination address is 10.1.0.0/24 and the next hop is the Pif3/1/0 interface.
[PDSN]ip route-static 10.0.0.0 24 Pif3/0/0
[PDSN]ip route-static 10.1.0.0 24 Pif3/1/0
# Import the route information learned through the static routing protocol and advertise the imported routes to the backbone network.
[PDSN-ospf-100]import-route static
# Disable the automatic generation of downlink routes for users of the domain.
[PDSN-domain-test]static-ip route disable
[PDSN-domain-test]quit
[PDSN]quit
2.

- Assume that the address segments assigned by the RADIUS server cannot be known in advance.
1. Configure the downlink route to the MS.
# Enter the system view.
<PDSN>system-view
2.
Prerequisite

- The interworking between the PDSN9660 and neighboring network elements (NEs) is configured.
- The Domain is configured.

7.2.1 Application Schemes for the Security Function
This describes the application schemes for the security function on the PDSN9660.

7.2.2 Configuring the Packet Filtering Policy
This describes how to configure the packet filtering policy. For security purposes, you can configure the packet filtering policy to control specified packets transmitted through the PDSN9660. The packet filtering policy is realized through the configuration of the access control list (ACL).

7.2.3 Configuring the Anti-DDoS Function
This describes how to configure the anti-distributed denial of service (anti-DDoS) function.

7.2.4 Configuring the Pi Redirection Function
This describes how to configure the Pi redirection function. The Pi redirection function is used to redirect packets to and from mobile users within the same Pi.

7.2.5 Configuring the IPSec Policy
This describes how to configure the IP Security (IPSec) policy.
7.2.6 Maintaining the Data for the Security Function
This provides the commands used to maintain the data for the security function.

7.2.7 Configuration Example
This provides the example of configuration for the security features.
Configuration Roadmap

The roadmap to configure the security function on the PDSN is as follows:

Optional function: Packet filtering policy
Characteristic: The packet filtering policy is adopted by the PDSN to analyze the received data packets and discard unqualified ones. The CDMA2000 can protect devices in the core network-packet switched (CN-PS) domain of the general packet radio service/universal mobile telecommunications system (GPRS/UMTS) from traffic attacks of specific packets, thus ensuring the security of the core network.
Configuration procedure: For details, see 7.2.2 Configuring the Packet Filtering Policy.

Optional function: Anti-DDoS
Characteristic: The PDSN9660 implements the anti-DDoS function through traffic control on the uplink TCP SYN packets, thus protecting devices on the packet data network (PDN) from the DDoS attack by mobile stations (MSs).
Configuration procedure: For details, see 7.2.3 Configuring the Anti-DDoS Function.

Optional function: Pi redirection
Characteristic: The redirection function can prevent attacks from uplink packets, thus ensuring security for data forwarding between MSs on the same PDSN9660.
Configuration procedure: For details, see 7.2.4 Configuring the Pi Redirection Function.
7.2.1 Application Schemes for the Security Function

Application requirement: Forbid unauthorized MS access to devices on the CDMA2000 core network and the M2000.
Configuration example: For details, see 7.2.7.1 Example of Preventing Attacks from an MS or a PDN User to Devices on the Core Network.

Application requirement: Operators can configure the packet filtering policy on the PDSN9660 to discard packets of mutual access among MSs. Thus, the PDSN9660 can prevent an MS from attacking another MS, ensure MS security, and improve customer satisfaction. The PDSN9660 can determine the type of a user based on the source and destination IP addresses. If the user is for Web services, the PDSN9660 prevents the user from accessing any address in the address pool for the users of Web services.
Configuration example: For details, see 7.2.7.2 Example of Preventing Mutual Access Between MSs.

Application scheme: Preventing the DDoS attack from MSs to the devices on the PDN
Application requirement: An MS sends a Transmission Control Protocol (TCP) connection setup request to a device on the PDN. Normally, the MS sends the ACK message after receiving the SYN+ACK message, and then the TCP connection is set up. If the MS does not send the ACK packet after receiving the SYN+ACK packet, the server on the PDN retains this semi-connection until the semi-connection expires. If the MS sends numerous SYN packets in a short period, the server will hold excessive semi-connections accordingly. Thus, resources are consumed so much that the server cannot process services normally. The PDSN9660 implements the anti-DDoS function to protect devices on the PDN from attacks by MSs.
Configuration example: For details, see 7.2.7.3 Example of Preventing the DDoS Attack from an MS to the Devices on the PDN.

Application requirement: If an uplink packet is destined for another mobile user on the same PDSN9660, the PDSN9660 does not send the packet to the firewall for filtering. Instead, the PDSN9660 encapsulates and forwards the packet directly. This results in the possibility of attacks to an MS from another MS on the same PDSN9660. The Pi redirection function is used to eliminate this possibility.
Configuration example: For details, see 7.2.7.4 Example of Redirecting Packets of Mutual Access Between MSs on the Same PDSN.
7.2.2 Configuring the Packet Filtering Policy

Context

Data can be transmitted in four directions: uplink inbound, uplink outbound, downlink inbound, and downlink outbound. See Figure 7-12.

- Uplink inbound direction: The PDSN9660 receives data from the PCF.
- Uplink outbound direction: The PDSN9660 sends data to the Internet.
- Downlink inbound direction: The PDSN9660 receives data from the Internet.
(Figure 7-12 not reproduced; labels in the figure: MS, PCF, PDSN9660, Uplink out-bound)
One ACL can be bound to the access point name (Domain) for each direction to realize the packet filtering policy.
Configuration Principle

- The default ACL is employed when an ACL is required but no ACL is available for a Domain. One ACL is bound to a Domain in each of the four directions. Therefore, four default ACLs can be set.
- The ACL action for the inbound direction can be gate or remark only. The ACL action for the outbound direction can be redirect only.
- You can specify a validity time range for the four ACLs of a Domain. If no time range is specified, the ACLs bound to the Domain take effect immediately.

Data Planning

No. 1: Layer 3/Layer 4 filter
No. 2: Name of the ACL node and the ACL
No. 3: Default ACL
No. 4: Validity time range of the filter
No. 5: Domain to which the ACL is bound
Procedure

Step 1 Run service-view to enter the service view.
Step 2 Run filter to set the Layer 3/Layer 4 filter.
Step 3 Run acl-node to set the ACL node, that is, set the action for the Layer 3/Layer 4 filter.
Step 4 Run acl to set the ACL name and matching mode.
Step 5 Optional: Run acl-default to set the default ACL.
Step 6 Run refresh-service to make the newly configured ACL or ACL node take effect.
Step 7 Run acl-node-binding to bind the ACL node to an ACL.
Step 8 Optional: Run time-range-service to define the validity period of the filter.
Step 9 Run quit to exit the service view.
Step 10 Run domain to specify the domain and enter the domain view.
Step 11 Run pdsn-acl-binding to bind the ACL to the Domain.
----End
7.2.3 Configuring the Anti-DDoS Function

Context
A mobile station (MS) sends a Transmission Control Protocol (TCP) connection setup request to a device on the packet data network (PDN). Normally, the MS sends the ACK message after receiving the SYN+ACK message, and then the TCP connection is set up. If the MS does not send the ACK packet after receiving the SYN+ACK packet, the server on the PDN retains this semi-connection until the semi-connection expires. If the MS sends numerous SYN packets in a short period, the server will hold excessive semi-connections accordingly. Thus, resources are consumed so much that the server cannot process services normally. The PDSN9660 implements the anti-DDoS function through traffic control on the uplink TCP SYN packets, thus protecting devices on the PDN from the DDoS attack by MSs. When the threshold for DDoS traffic control is configured, the number of TCP SYN requests sent by users in one second cannot exceed this threshold. If this threshold is reached, the later requests are discarded.
Procedure

Step 1 Run service-view to enter the service view.
Step 2 Run ddos threshold to set the flow control threshold for the anti-DDoS function.
Step 3 Run user-profile to enter the user profile view.
Step 4 Run ddos-check to enable the anti-DDoS function.
Step 5 Run quit to exit the user profile view.
Step 6 Run quit to exit the service view.
Step 7 Run domain to specify the domain and enter the domain view.
Step 8 Run user-profile-binding to bind a user profile to the Domain.
----End
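As an added example (not part of this Huawei document), the following Python applies the SYN threshold described in the Context to a constructed uplink packet trace and reports which users hit it; the per-user counter and the fixed one-second interval are assumptions, since the page does not state how the PDSN9660 buckets requests.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[float, str, str]  # (timestamp in seconds, user IP, TCP flags)

# Constructed uplink trace. Only bare SYNs count towards the threshold; the
# ACK that completes a handshake and the other user's traffic are unaffected.
TRACE: List[Packet] = [
    (10.00, "10.1.1.5", "SYN"), (10.10, "10.1.1.5", "SYN"), (10.20, "10.1.1.5", "SYN"),
    (10.30, "10.1.1.5", "SYN"), (10.40, "10.1.1.5", "ACK"),
    (10.50, "10.1.1.5", "SYN"), (10.60, "10.1.1.5", "SYN"),   # 6th SYN within second 10
    (10.70, "10.1.1.9", "SYN"),                               # other user, own counter
    (11.05, "10.1.1.5", "SYN"),                               # new second, counter restarts
]


def ddos_filter(trace: List[Packet], threshold: int) -> Tuple[List[Packet], List[Packet]]:
    """Per-user SYN threshold per one-second interval.

    Up to `threshold` SYNs per user per second are forwarded; once the
    threshold is reached, later SYNs in that second are discarded. The page
    does not say whether the interval is fixed or sliding; a fixed one-second
    bucket keyed on int(timestamp) is assumed here.
    """
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    forwarded: List[Packet] = []
    discarded: List[Packet] = []
    for pkt in trace:
        ts, user, flags = pkt
        if flags != "SYN":            # traffic control applies to SYN requests only
            forwarded.append(pkt)
            continue
        bucket = (user, int(ts))
        counts[bucket] += 1
        if counts[bucket] > threshold:
            discarded.append(pkt)
        else:
            forwarded.append(pkt)
    return forwarded, discarded


def offenders(discarded: List[Packet]) -> Dict[str, int]:
    """Users that exceeded the threshold and how many of their SYNs were
    dropped; suitable input for an alert on suspected SYN flooding from an MS."""
    report: Dict[str, int] = defaultdict(int)
    for _, user, _ in discarded:
        report[user] += 1
    return dict(report)


if __name__ == "__main__":
    fwd, drop = ddos_filter(TRACE, threshold=5)
    print(f"forwarded={len(fwd)} discarded={len(drop)} offenders={offenders(drop)}")
```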
7.2.4 Configuring the Pi Redirection Function

Prerequisite

- Plan one or more access point names (Domains) that support the virtual private network (VPN). That is, the users of the Domain belong to a VPN.
- A security filtering policy is configured between the outbound and inbound interfaces on the firewall.
- The interworking between the PDSN and the firewall is configured.

Data Planning

No. 1: Plan whether to enable the global Pi redirection function.
No. 2: Plan whether to enable the Pi redirection function for a VPN. If the redirection function is enabled, plan the destination IP address of the redirected packets. Plan whether to enable the redirection function for the user that is not bound to any VPN. If the redirection function is enabled, plan the destination IP address of the redirected packets.

Procedure

Step 1 Run service-view to enter the service view.
Step 2 Run pi redirect to enable the global Pi redirection function. The parameter is global.
Step 3 Run pi redirect to enable the Pi redirection function for a VPN. The parameters are single and vpn.
Step 4 Run pi redirect to enable the redirection function for non-VPN users. The parameters are single and default-vpn.
----End
7.2.5 Configuring the IPSec Policy

Configuration Roadmap

The IPSec policy can be implemented through manual configuration or Internet Key Exchange (IKE) negotiation. If the IKE negotiation mode is adopted, the IKE data must be configured in advance. Figure 7-13 shows how to implement the IPSec policy configuration.
(Figure 7-13 flowchart not reproduced; steps legible in the figure: Choose the configuration mode; IKE negotiation; Configure the IKE security proposal; End)

By clicking the following operations, you can check the corresponding configuration tasks.

7.2.5.1 Configuring the Protected Data Flows
This describes how to configure the protected data flows. With the IP Security (IPSec) function, the PDSN9660 can apply different security measures to different data flows. Therefore, you must set the access control rule for the protected data flows.
7.2.5.2 Configuring the IPSec Proposal
This describes how to configure the IP Security (IPSec) proposal. An IPSec proposal defines the security protocol, encapsulation mode, authentication algorithm, and encryption algorithm to be applied to protect data flows.

7.2.5.3 Configuring the IKE Local ID
This describes how to configure the Internet Key Exchange (IKE) local ID.

7.2.5.4 Configuring the IKE Security Proposal
This describes how to configure the Internet Key Exchange (IKE) security proposal.

7.2.5.5 Configuring the IKE Peer Attributes
This describes how to configure the Internet Key Exchange (IKE) peer attributes.

7.2.5.6 Configuring the IKE DPD Function
This describes how to configure the Internet Key Exchange (IKE) dead peer detection (DPD) function.

7.2.5.7 Configuring the Attributes of the IKE Keepalive Mechanism
This describes how to configure the attributes of the Internet Key Exchange (IKE) keepalive mechanism.

7.2.5.8 Configuring the IPSec Policy
This describes how to configure the IP Security (IPSec) policy. The IPSec policy or IPSec policy group defines the association between data flows and IPSec proposals, that is, the security measures for a specific type of data flows.

7.2.5.9 Applying an IPSec Policy to an Interface
This describes how to apply an IP Security (IPSec) policy to an interface.
7.2.5.1 Configuring the Protected Data Flows

Context

A data flow is the aggregation of a group of traffic. The data flow is defined by the source IP address and mask, destination IP address and mask, protocol number of IP packets, source port number, and destination port number. A data flow can be a single Transmission Control Protocol (TCP) connection between two hosts or all traffic between two subnets. By determining whether the packets match the access control list (ACL), the PDSN9660 can distinguish the IP packets to be forwarded after IPSec processing from those to be forwarded directly. The packets permitted by the ACL are protected, whereas those denied by the ACL are not. By default, packets are denied by the ACL. For security purposes, data flows need to be authenticated; data flows with high security requirements should be authenticated and encrypted. An IPSec policy provides only one security protection method, so you should define separate ACLs and IPSec policies for the different data flows accordingly.
Data Planning

No. 1: ACL number
No. 2: Source IP address of the IP packets
No. 3: Destination IP address of the IP packets
No. 4: Protocol number of the IP packets
No. 5: Source port number of the IP packets
No. 6: Destination port number of the IP packets

Operation Procedure

1. Run acl to create an ACL and enter the ACL view.
2. Run rule to set the access control rule for the data flows.

NOTE
The ACLs defined on the local PDSN9660 and on the remote router should correspond to each other, so that the data encrypted at one end can be authenticated and decrypted at the peer end.
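The following Python is an added example, not code from this Huawei document: it classifies packets against an ACL the way the Context describes (permit protects, deny or no match forwards directly) and checks that a local ACL and the remote router's ACL correspond as the NOTE requires; the addresses and the first-match rule order are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


# A data flow as the page defines it: source and destination address/mask,
# IP protocol number, source port and destination port (None matches any).
@dataclass(frozen=True)
class Rule:
    action: str               # "permit": protect with IPSec; "deny": forward directly
    src: str                  # e.g. "10.1.1.0/24"
    dst: str
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    for want, have in ((rule.proto, pkt.proto), (rule.sport, pkt.sport), (rule.dport, pkt.dport)):
        if want is not None and want != have:
            return False
    return True


def classify(acl: List[Rule], pkt: Packet) -> str:
    """'protect' if the ACL permits the packet, otherwise 'bypass'.

    Rules are evaluated in order and the first match decides (an assumption;
    the page does not state the matching order). A packet matching no rule
    is denied by default, i.e. forwarded without IPSec processing.
    """
    for rule in acl:
        if matches(rule, pkt):
            return "protect" if rule.action == "permit" else "bypass"
    return "bypass"


def mirror(rule: Rule) -> Rule:
    """The rule the remote router needs for the reverse direction of the same flow."""
    return Rule(rule.action, rule.dst, rule.src, rule.proto, rule.dport, rule.sport)


def acls_correspond(local: List[Rule], remote: List[Rule]) -> bool:
    """Check the NOTE: the protected flows at one end must be exactly the mirror
    image of the protected flows at the other end. A flow protected on only one
    side is encrypted at one end but cannot be authenticated and decrypted at the
    peer, or arrives in the clear where protected traffic is expected."""
    local_protected = {r for r in local if r.action == "permit"}
    remote_protected = {r for r in remote if r.action == "permit"}
    return {mirror(r) for r in local_protected} == remote_protected


# Constructed example: MS pool 10.1.1.0/24 reaching an intranet 10.10.10.0/24
# through the security tunnel, except plain DNS (UDP/53), which is left unprotected.
LOCAL_ACL = [
    Rule("deny", "10.1.1.0/24", "10.10.10.0/24", proto=17, dport=53),
    Rule("permit", "10.1.1.0/24", "10.10.10.0/24"),
]
REMOTE_ACL = [mirror(r) for r in LOCAL_ACL]

if __name__ == "__main__":
    print(classify(LOCAL_ACL, Packet("10.1.1.7", "10.10.10.20", 6, 40000, 443)))
    print(acls_correspond(LOCAL_ACL, REMOTE_ACL))
```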
7.2.5.2 Configuring the IPSec Proposal

Context

Figure 7-14 Configuration of the IPSec proposal
(Diagram not reproduced; its structure is as follows.)
IPSec proposal
  Transform: AH, or ESP, or both AH and ESP
    AH authentication algorithm: MD5 or SHA-1
    ESP authentication algorithm: MD5, SHA-1, or Null
    ESP encryption algorithm: 3DES, DES, AES, or Null
  Encapsulation mode: Transport or Tunnel
As shown in Figure 7-14, the PDSN9660 supports both the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols. The two protocols can be used separately or jointly. AH supports the Message-Digest Algorithm 5 (MD5) and Secure Hash Algorithm 1 (SHA-1) authentication algorithms. ESP supports the MD5 and SHA-1 authentication algorithms and the Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES) encryption/decryption algorithms. The PDSN9660 provides two encapsulation modes: transport mode and tunnel mode. The actual source and destination IP addresses are hidden in tunnel mode.

CAUTION
For the same data flow, the same protocol, algorithm, and encapsulation mode must be set for the peers at both ends of a security tunnel.
Configuration Principle

- You can configure the authentication algorithm for AH only when the security protocol to be employed by the IPSec proposal is set to AH.
- You can configure the authentication algorithm and encryption algorithm for ESP only when the security protocol to be employed by the IPSec proposal is set to ESP.

Data Planning

No. 1: IPSec proposal name
No. 2: Security protocol to be employed
No. 3: Authentication algorithm to be employed
No. 4: Encryption algorithm to be employed
No. 5: Encapsulation mode to be employed

Operation Procedure

1. Run ipsec proposal to create an IPSec proposal and enter the IPSec proposal view.
2. Run transform to set the IPSec protocol.
3. Run ah authentication-algorithm to set the authentication algorithm to be employed by the AH protocol.
4. Run esp authentication-algorithm to set the authentication algorithm to be employed by the ESP protocol.
5. Run esp encryption-algorithm to set the encryption algorithm to be employed by the ESP protocol.
6. Run encapsulation-mode to set the encapsulation mode to be employed by the IPSec protocol to encapsulate IP packets.
By default, the tunnel mode is adopted. In transport mode, if the source and destination of packets are not the same as the two ends of the security tunnel, the packets will not be protected.
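As an added example (not part of this Huawei document), the following Python encodes the algorithm choices of Figure 7-14 and the configuration principle above, checks that two peers agree as the CAUTION requires, and shows which packets transport mode does and does not protect; the endpoint and host addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Algorithm choices as laid out in Figure 7-14.
TRANSFORMS = {"ah", "esp", "ah-esp"}
AH_AUTH = {"md5", "sha1"}
ESP_AUTH = {"md5", "sha1", "null"}
ESP_ENC = {"des", "3des", "aes", "null"}
MODES = {"transport", "tunnel"}


@dataclass(frozen=True)
class IpsecProposal:
    transform: str
    encapsulation: str = "tunnel"     # tunnel mode is the default on the PDSN9660
    ah_auth: Optional[str] = None
    esp_auth: Optional[str] = None
    esp_enc: Optional[str] = None


def validate(p: IpsecProposal) -> List[str]:
    """Problems with a single proposal; an empty list means it is well formed.
    AH algorithms may only be set when the transform uses AH, ESP algorithms only
    when it uses ESP (the configuration principle on the page)."""
    errs: List[str] = []
    if p.transform not in TRANSFORMS:
        return [f"unknown transform {p.transform!r}"]
    if p.encapsulation not in MODES:
        errs.append(f"unknown encapsulation mode {p.encapsulation!r}")
    uses_ah = p.transform in ("ah", "ah-esp")
    uses_esp = p.transform in ("esp", "ah-esp")
    if uses_ah and p.ah_auth not in AH_AUTH:
        errs.append("AH needs an authentication algorithm: md5 or sha1")
    if not uses_ah and p.ah_auth is not None:
        errs.append("AH algorithm set but the transform does not use AH")
    if uses_esp:
        if p.esp_auth not in ESP_AUTH:
            errs.append("ESP needs an authentication algorithm: md5, sha1 or null")
        if p.esp_enc not in ESP_ENC:
            errs.append("ESP needs an encryption algorithm: des, 3des, aes or null")
    elif p.esp_auth is not None or p.esp_enc is not None:
        errs.append("ESP algorithms set but the transform does not use ESP")
    return errs


def peers_agree(local: IpsecProposal, remote: IpsecProposal) -> bool:
    """CAUTION on the page: for the same data flow both ends of the security
    tunnel must use the same protocol, algorithms and encapsulation mode."""
    return not validate(local) and not validate(remote) and local == remote


def is_protected(p: IpsecProposal, pkt_src: str, pkt_dst: str,
                 local_endpoint: str, remote_endpoint: str) -> bool:
    """Whether an ACL-permitted packet is actually protected by this proposal.

    Tunnel mode wraps the original packet in a new IP header between the tunnel
    endpoints, so the original addresses are hidden and any permitted flow is
    protected. Transport mode keeps the original header, so only packets whose
    own source and destination are the two tunnel endpoints are protected.
    """
    if p.encapsulation == "tunnel":
        return True
    return {pkt_src, pkt_dst} == {local_endpoint, remote_endpoint}


if __name__ == "__main__":
    tunnel = IpsecProposal("esp", "tunnel", esp_auth="sha1", esp_enc="aes")
    transport = IpsecProposal("esp", "transport", esp_auth="sha1", esp_enc="aes")
    print(validate(tunnel), peers_agree(tunnel, transport))
    # Constructed addresses: MS 10.1.1.7 to intranet host 10.10.10.20 over a
    # tunnel between endpoints 192.0.2.1 and 198.51.100.1.
    print(is_protected(transport, "10.1.1.7", "10.10.10.20", "192.0.2.1", "198.51.100.1"))
```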
7.2.5.3 Configuring the IKE Local ID

Background

The aggressive mode is adopted for IKE negotiation when the IP address of the peer device is not specified or changes. The main mode is adopted for IKE negotiation when the IP address of the peer is specified.

Configuration Principle

The local ID is required for the IKE negotiation in aggressive mode. The local ID is not required for the main mode.

Data Planning

No. 1: Local ID

Operation Procedure

Run ike local-name to set the local ID for the IKE negotiation.
7.2.5.4 Configuring the IKE Security Proposal

Context

The IKE security proposal is used for the IKE negotiation of the encryption algorithm, authentication algorithm, Diffie-Hellman algorithm (DH) group ID, and lifetime of the IKE security association (SA). The negotiation in this phase is performed to set up an Internet Security Association and Key Management Protocol (ISAKMP) SA. You can create multiple IKE security proposals of different priorities, but the negotiation succeeds only when at least one IKE security proposal of one party matches that of the other party.

Data Planning

No. 1: Priority of the IKE security proposal
No. 2: Encryption algorithm, preshared authentication method, and authentication algorithm
No. 3: DH group ID
No. 4: Lifetime of the IKE SA
Operation Procedure

Figure 7-15 IKE proposal configuration map
(Diagram not reproduced; its structure is as follows.)
IKE proposal
  Authentication algorithm: MD5 or SHA-1
  Authentication method: Pre-share
  Encryption algorithm: 3DES, DES, or AES
  DH: Group1 or Group2
  SA duration

1. Run ike proposal to create an IKE security proposal and display the IKE proposal view.
2. Run encryption-algorithm to specify the encryption algorithm to be used by the IKE proposal.
3. Run authentication-method to specify the authentication method to be used by the IKE proposal.
4. Run authentication-algorithm to specify the authentication algorithm to be used by the IKE proposal.
5. Run dh to specify the DH group ID to be used during the key negotiation in phase one of IKE negotiation.
6. Run sa duration to set the lifetime of the IKE SA.
Prerequisite
- The local ID for the IKE negotiation is configured when the aggressive mode is employed.
- The IKE security proposal is configured.
Background
Figure 7-16 IKE peer configuration procedure (figure: IKE peer with exchange-mode aggressive or main, IKE-proposal, pre-shared key, local-id-type IP or name, remote address, and remote name)
Configuration Principle
- If the IKE proposal referenced by the IKE peer uses the preshared key authentication method, the two negotiation ends must be configured with the same authentication key. Otherwise, the IKE proposal cannot be used.
- When the aggressive mode is adopted for IKE negotiation, the ID of the IKE peer must be of the name type. For the main mode, the ID of the IKE peer must be of the IP address type.
Data Planning
No.  Data
1    Whether the main mode or aggressive mode is employed as the IKE negotiation mode
2    IKE security proposal ID to be referenced by the IKE peer
3    Character string used as the authentication key
4    ID type of the IKE peer
5    Name and IP address of the IKE peer
Operation Procedure
1. Run ike peer to create an IKE peer and display the IKE peer view.
2. Run exchange-mode to set the IKE negotiation mode.
3. Run ike-proposal to configure the IKE security proposal to be referenced by the IKE peer.
NOTE
By default, for the aggressive mode negotiation, the IKE proposal with the highest priority is referenced; for the main mode negotiation, all the IKE proposals of the local end are referenced.
4. Run pre-shared-key to set the authentication key for the preshared key authentication method. If the IKE proposal referenced by the IKE peer uses the preshared key authentication method, the preshared key must be configured with this command.
5. Run local-id-type to set the ID type of the IKE peer.
6. Run remote-name to set the remote name of the IKE peer when the IKE peer ID is of the name type.
7. Run remote-address to set the remote IP address of the IKE peer when the IKE peer ID is of the IP address type.
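The IKE proposal matching described in the Context above (negotiation succeeds only when a proposal of one party matches one of the other) together with the NOTE on which proposals an IKE peer references in aggressive and main mode, modelled as an added Python example. This is not code from the manual or from the PDSN9660; the attribute set that is compared and the rule of adopting the shorter lifetime are assumptions of the example, and all proposal values are constructed.

```python
"""IKE phase-one proposal selection, an added example and not code from the
manual. It follows the page's rules: proposals carry a priority where a
smaller number wins; negotiation succeeds only when a local proposal matches
a peer proposal on the negotiated attributes; an IKE peer in aggressive mode
references only the highest-priority proposal while main mode references all
of them. Assumed here (not stated on the page): a match compares encryption
algorithm, authentication method, authentication algorithm and DH group, and
the shorter of the two lifetimes is adopted. All proposal values are
constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import List, Optional

MATCH_FIELDS = ("encryption", "auth_method", "auth_algorithm", "dh_group")


@dataclass(frozen=True)
class IkeProposal:
    priority: int          # smaller number = higher priority
    encryption: str        # "des", "3des" or "aes"
    auth_method: str       # "pre-share"
    auth_algorithm: str    # "md5" or "sha1"
    dh_group: int          # 1 or 2
    sa_duration: int       # IKE SA lifetime in seconds


def attributes_match(a: IkeProposal, b: IkeProposal) -> bool:
    """Two proposals agree when every negotiated attribute is identical."""
    return all(getattr(a, f) == getattr(b, f) for f in MATCH_FIELDS)


def offered_proposals(local: List[IkeProposal], mode: str) -> List[IkeProposal]:
    """Proposals an IKE peer references by default, in priority order:
    aggressive mode offers only the highest-priority one, main mode all."""
    ordered = sorted(local, key=lambda p: p.priority)
    if mode == "aggressive":
        return ordered[:1]
    if mode == "main":
        return ordered
    raise ValueError(f"unknown exchange mode {mode!r}")


def negotiate(local: List[IkeProposal], peer: List[IkeProposal],
              mode: str = "main") -> Optional[IkeProposal]:
    """Walk our offered proposals by priority and return the first one the
    peer also holds, with the shorter lifetime; None when nothing matches."""
    peer_by_priority = sorted(peer, key=lambda p: p.priority)
    for mine in offered_proposals(local, mode):
        for theirs in peer_by_priority:
            if attributes_match(mine, theirs):
                return replace(mine, sa_duration=min(mine.sa_duration, theirs.sa_duration))
    return None


# Constructed sample data: two proposals per side; only the 3DES/MD5/group1
# pair is common to both.
LOCAL = [
    IkeProposal(10, "aes", "pre-share", "sha1", 2, 86400),
    IkeProposal(20, "3des", "pre-share", "md5", 1, 86400),
]
PEER = [
    IkeProposal(5, "3des", "pre-share", "md5", 1, 28800),
    IkeProposal(15, "des", "pre-share", "md5", 1, 28800),
]

if __name__ == "__main__":
    print("main mode:", negotiate(LOCAL, PEER, "main"))
    print("aggressive mode:", negotiate(LOCAL, PEER, "aggressive"))
```

With the constructed data the main-mode negotiation settles on the priority-20 proposal (the only one both sides share), while aggressive mode offers only the priority-10 proposal and therefore fails. That is the practical consequence of the NOTE: an aggressive-mode peer must have its matching proposal configured as the highest-priority one.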
Context
With the DPD function, the PDSN9660 sends Hello/Ack messages to check whether a peer operates normally. If the local device does not receive packets from a peer within a specified period and has IP Security (IPSec) encrypted packets to send to the peer, the local device sends an enquiry message to the peer. If the local device receives a response from the peer, it considers the peer normal. If the local device receives no response after sending the DPD message several times, it considers the peer dead. In this case, the backup link or route is employed for forwarding IPSec service flows.
Data Planning
No.  Data
1    Interval for sending DPD packets
2    Number of times of retransmission of DPD packets
Procedure
Step 1 Run ike peer to enter the IKE peer view.
Step 2 Run ike dpd to set the interval for sending DPD packets to the peer and the number of times of retransmission of DPD packets.
----End
Context
The IKE provides the keepalive mechanism, which maintains the status of the IKE security association (SA) tunnel through Keepalive packets. The Keepalive packets inform the peer of the Internet Security Association and Key Management Protocol (ISAKMP) SA that the local device is online. If a timeout period is configured on the peer, an interval for sending Keepalive packets must be configured on the PDSN. If the timeout period expires before a Keepalive packet is received: when the IKE SA already carries the timeout mark, the PDSN deletes the IKE SA and the IP Security (IPSec) SA negotiated by that IKE SA; when the IKE SA carries no timeout mark, it is marked as timed out. Generally, the timeout period is set to three times the interval for sending Keepalive packets.
Operation Procedure
1. Run ike sa keepalive-timer interval to set the interval for sending Keepalive packets to the peer by the ISAKMP SA.
2. Run ike sa keepalive-timer timeout to set the timeout period for the ISAKMP SA to wait for a Keepalive packet.
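The two liveness mechanisms of this chapter, the DPD enquiry with bounded retransmissions (Context of the DPD function above) and the Keepalive timeout with its mark-then-delete behaviour (Context just above), as an added Python example. It is not the PDSN9660's implementation: timestamps are seconds supplied by an assumed scheduler, no packets are sent, and the method names and the three-times rule helper are this example's own.

```python
"""Liveness tracking of an ISAKMP (IKE) SA, an added example that is not the
PDSN9660's implementation. Two mechanisms from the page are modelled: the
Keepalive timeout with its two-stage behaviour (first expiry marks the SA,
a second one deletes it) and DPD with a bounded number of retransmissions,
triggered only when the peer is silent and there is IPSec traffic to send.
Timestamps are seconds supplied by an assumed scheduler; nothing is sent.
"""
from dataclasses import dataclass, field
from typing import List


def recommended_timeout(interval: int) -> int:
    """Page guidance: the peer's timeout is three times the send interval."""
    return 3 * interval


@dataclass
class KeepaliveState:
    interval: int            # seconds between Keepalive packets sent to the peer
    timeout: int             # seconds we wait for the peer's Keepalive
    last_rx: float = 0.0     # time the last Keepalive arrived
    marked: bool = False     # the "timeout mark" from the page
    deleted: bool = False    # IKE SA and the IPSec SAs it negotiated are gone

    def on_keepalive(self, now: float) -> None:
        """A Keepalive from the peer proves it is online and clears the mark."""
        self.last_rx = now
        self.marked = False

    def tick(self, now: float) -> str:
        """Evaluate the timeout. One missed period only marks the SA; the next
        consecutive miss deletes it, so a single lost packet is tolerated."""
        if self.deleted:
            return "deleted"
        if now - self.last_rx < self.timeout:
            return "marked" if self.marked else "alive"
        if not self.marked:
            self.marked = True
            self.last_rx = now       # a new timeout period starts after marking
            return "marked"
        self.deleted = True
        return "deleted"


@dataclass
class DpdState:
    interval: int            # idle seconds before a DPD enquiry is sent
    retries: int             # retransmissions before the peer is declared dead
    last_rx: float = 0.0     # last packet (data or DPD reply) from the peer
    sent: int = 0            # enquiries sent since the peer was last heard
    dead: bool = False
    log: List[str] = field(default_factory=list)

    def on_packet(self, now: float) -> None:
        """Any packet from the peer, including a DPD reply, resets the probe count."""
        self.last_rx = now
        self.sent = 0

    def tick(self, now: float, have_traffic: bool) -> str:
        """Send an enquiry only when the peer has been silent for `interval`
        and we hold IPSec packets for it; after the first enquiry plus
        `retries` retransmissions go unanswered, the peer is dead and the
        caller should switch to the backup link or route."""
        if self.dead:
            return "dead"
        if not have_traffic or now - self.last_rx < self.interval:
            return "idle"
        if self.sent <= self.retries:
            self.sent += 1
            self.log.append(f"dpd enquiry #{self.sent} at t={now}")
            return "probing"
        self.dead = True
        return "dead"
```

The Keepalive model makes the operational point visible: with the timeout at three times the interval, two consecutive Keepalives can be lost before the SA is even marked, and a third loss is needed before the IPSec SAs are torn down. DPD, by contrast, stays silent while there is nothing to send, which is why an idle tunnel is not probed at all.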
Context
An IPSec policy is uniquely co-defined by its name and its sequence number. An IPSec policy group comprises the security policies with the same name but different sequence numbers. In an IPSec policy group, a smaller sequence number indicates a higher priority. An IPSec policy employs an IPSec proposal to specify the security protocol, algorithm, and encapsulation mode for specific data flows. The IPSec policy can be configured manually or obtained through the Internet Key Exchange (IKE) negotiation.
Figure 7-17 (figure content, manual configuration mode): Security ACL (ACL, Rule); Proposal; SA Key (String-key or HEX-key: Authentication-hex, Encryption-hex; AH inbound and outbound); SA SPI (AH inbound and outbound); Local-address; Tunnel remote
Figure 7-18 (figure content, IKE negotiation mode): Security ACL (ACL, Rule); Proposal; IKE peer; PFS (DH-group1, DH-group2); SA duration (Permanent, Traffic-based, Time-based); Local-address
See Figure 7-17. You must manually set the parameters such as the key, security parameter index (SPI), and peer IP address for the IPSec policy and you can optionally set the local IP address.
A key is used in the security services provided by the IPSec protocol to authenticate and encrypt data packets. The key can be either in the character string format or in the hexadecimal format. The SPI is a 32-bit value, which is carried in each IPSec packet. The SPI, destination IP address, and security protocol ID uniquely identify a security association (SA).
The IKE peer is used in the IKE negotiation for the IPSec policy. The parameters such as the key and the SPI are generated automatically through the IKE negotiation. You must set the SA lifetime and perfect forward secrecy (PFS) parameters and you can optionally set the local IP address. See Figure 7-18.
PFS is a security feature. With this feature, even if one key is cracked, the other keys remain secure because there is no derivation relationship among the keys. This feature is implemented by adding a key exchange in phase two of the IKE negotiation. An SA has a lifetime: when the specified duration or traffic volume is reached, the SA becomes ineffective. Before an SA becomes ineffective, the PDSN9660 obtains a new IPSec SA through the IKE negotiation. Until the new SA is set up through negotiation, the original SA is still employed to guarantee communication security. The new SA is used as soon as it is negotiated and set up.
Configuration Principle
- You must configure the SA parameters for both inbound and outbound directions. The local inbound and outbound SA parameters must be consistent with the peer outbound and inbound SA parameters respectively.
- An IPSec policy can employ only one access control list (ACL). If more than one ACL is configured for an IPSec policy, the latest ACL is employed.
- If an IPSec policy is manually configured, only one IPSec proposal can be employed by the IPSec policy. If an IPSec policy is obtained through the IKE negotiation, up to six IPSec proposals can be employed by the IPSec policy.
- You must create an IKE peer before employing the IKE negotiation mode. For details, see 7.2.5.5 Configuring the IKE Peer Attributes.
- If the IPSec proposal employs the Authentication Header (AH) protocol, the keyword ah is adopted for the authentication key and the SPI of the SA. If the IPSec proposal employs the Encapsulating Security Payload (ESP) protocol, the keyword esp is adopted for the authentication key, encryption key, and the SPI of the SA.
- You can enter the key either in the character string format or in the hexadecimal format. If you enter the key in both formats, the latest key is effective. You must enter the key in the same format at the two ends of a security tunnel. If the key formats are different, the security tunnel cannot be set up.
- You can set or modify the local address of an IPSec policy group only before the group is applied to an interface. Do not set the local address for the IPSec policy group that is applied to the IPSec tunnel interface. Do not set the local address for the IPSec policy that employs the transmission encapsulation mode.
- The interface whose IP address is used as the local address of the IPSec policy group must be a loopback interface. In addition, a valid IP address must be set for the loopback interface, and a target board and the IPSec tunnel protocol must be bound with the loopback interface.
For the same data flow, the same protocol, algorithm, encapsulation mode, IPSec proposal, encryption key, and authentication key must be employed for both communication parties. Otherwise, the communication fails.
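The consistency rules above for manually configured SAs (inbound/outbound mirroring between the two ends, identical key format, AH without an encryption key, and the SPI/destination/protocol identity of an SA described in the Context) turned into a pre-deployment checker, as an added Python example. It is not PDSN9660 code: the addresses are the ones used in this chapter's AAA-server example, while the SPIs, keys and the message texts are constructed for the example.

```python
"""Pre-deployment consistency check of a manually configured IPSec SA pair,
an added example rather than anything the PDSN9660 itself runs. It encodes
the page's rules: an SA is identified by SPI, destination address and
security protocol; the local inbound SA must mirror the peer's outbound SA
and vice versa; both ends must enter the key in the same format; AH has no
encryption key. The addresses come from the page's AAA example, the SPIs
and keys are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ManualSa:
    protocol: str                  # "ah" or "esp"
    spi: int                       # 32-bit security parameter index
    local_addr: str                # this end's tunnel address
    remote_addr: str               # tunnel remote
    auth_key: str                  # authentication key as entered
    key_format: str                # "string" (sa string-key) or "hex" (sa *-hex)
    enc_key: Optional[str] = None  # ESP only


def sa_identity(sa: ManualSa, direction: str) -> Tuple[int, str, str]:
    """SPI + destination address + protocol uniquely identify an SA. Outbound
    packets are destined for the remote end, inbound ones for the local end."""
    dst = sa.remote_addr if direction == "outbound" else sa.local_addr
    return (sa.spi, dst, sa.protocol)


def check_single(name: str, sa: ManualSa) -> List[str]:
    """Rules that one SA must satisfy on its own."""
    problems = []
    if sa.protocol not in ("ah", "esp"):
        problems.append(f"{name}: unknown protocol {sa.protocol!r}")
    if not 0 <= sa.spi <= 0xFFFFFFFF:
        problems.append(f"{name}: SPI {sa.spi} is not a 32-bit value")
    if sa.key_format not in ("string", "hex"):
        problems.append(f"{name}: key format must be string or hex")
    if sa.protocol == "ah" and sa.enc_key is not None:
        problems.append(f"{name}: AH does not encrypt; drop the encryption key")
    if sa.protocol == "esp" and sa.enc_key is None:
        problems.append(f"{name}: ESP needs an encryption key")
    return problems


def check_pair(label: str, mine: ManualSa, mine_dir: str,
               theirs: ManualSa, theirs_dir: str) -> List[str]:
    """One direction of the tunnel: our SA must equal the peer's opposite SA."""
    problems = []
    if sa_identity(mine, mine_dir) != sa_identity(theirs, theirs_dir):
        problems.append(f"{label}: SA identity (SPI, destination, protocol) differs")
    if mine.key_format != theirs.key_format:
        problems.append(f"{label}: key formats differ, the tunnel cannot be set up")
    elif mine.auth_key != theirs.auth_key:
        problems.append(f"{label}: authentication keys differ")
    if mine.protocol == "esp" and theirs.protocol == "esp" and mine.enc_key != theirs.enc_key:
        problems.append(f"{label}: ESP encryption keys differ")
    return problems


def check_sa_set(local_in: ManualSa, local_out: ManualSa,
                 peer_in: ManualSa, peer_out: ManualSa) -> List[str]:
    """All four SAs of a manual tunnel; an empty list means consistent."""
    problems = []
    for name, sa in (("local inbound", local_in), ("local outbound", local_out),
                     ("peer inbound", peer_in), ("peer outbound", peer_out)):
        problems += check_single(name, sa)
    problems += check_pair("local inbound vs peer outbound", local_in, "inbound", peer_out, "outbound")
    problems += check_pair("local outbound vs peer inbound", local_out, "outbound", peer_in, "inbound")
    return problems


# Constructed sample: PDSN (10.8.20.1) <-> AAA server (10.8.10.1), ESP, string keys.
LOCAL_IN = ManualSa("esp", 12345, "10.8.20.1", "10.8.10.1", "in-auth-key", "string", "in-enc-key")
LOCAL_OUT = ManualSa("esp", 54321, "10.8.20.1", "10.8.10.1", "out-auth-key", "string", "out-enc-key")
PEER_IN = ManualSa("esp", 54321, "10.8.10.1", "10.8.20.1", "out-auth-key", "string", "out-enc-key")
PEER_OUT = ManualSa("esp", 12345, "10.8.10.1", "10.8.20.1", "in-auth-key", "string", "in-enc-key")

if __name__ == "__main__":
    print(check_sa_set(LOCAL_IN, LOCAL_OUT, PEER_IN, PEER_OUT) or "consistent")
```

The identity check is the one most often missed by hand: because the destination address is part of an SA's identity, the peer's outbound SA only corresponds to our inbound SA when its tunnel remote is our local address, so a typo in either address shows up as an identity mismatch rather than a key problem.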
Data Planning
No.  Data
1    Name of the IPSec policy and whether the manual mode or IKE negotiation mode is adopted
2    ACL used by the IPSec policy
3    IPSec proposal used by the IPSec policy
4    SPI, key, and peer IP address of the security tunnel in manual mode
5    IKE peer name, SA lifetime, and Diffie-Hellman algorithm (DH) group for PFS in IKE negotiation mode
Operation Procedure
Manual configuration mode
1. Run ipsec policy to create an IPSec policy and enter the view.
2. Run security acl to set the ACL used by the IPSec policy.
3. Run proposal to set the IPSec proposal used by the IPSec policy.
4. Run sa string-key to set the authentication key of the SA in manual configuration mode. Type a character string as the key. If you specify ah, the key is the AH authentication key. AH does not support packet encryption, and therefore no encryption key is required. If you specify esp, the key is the ESP authentication key and encryption key.
5. Run sa authentication-hex to set the authentication key of the SA in manual configuration mode. Type a hexadecimal number as the key. If you specify ah, the key is the AH authentication key. If you specify esp, the key is the ESP authentication key.
6. Run sa encryption-hex to set the encryption key of the ESP protocol in manual configuration mode. Type a hexadecimal string as the key. This command is applicable to ESP only. AH does not support packet encryption.
7. Run sa spi to set the SPI of the SA in manual configuration mode.
8. Run tunnel remote to set the peer IP address of the tunnel.
9. Run ipsec policy local-address in the system view to set the local address of the IPSec policy group. You can also specify the name, interface type, and interface number of the IPSec policy. The interface whose IP address is used as the local address of the IPSec policy group must be a loopback interface. For the configuration procedure of a loopback interface, see 6.8.1 Creating the Loopback Interface.
NOTE
If the local address of the IPSec policy group is specified, the IP address of the specified interface is used as the local address of the IPSec tunnel. If the local address of the IPSec policy group is not specified, the IP address of the interface to which the IPSec policy is applied is used as the local address of the IPSec tunnel.
IKE negotiation mode
You must create an IKE peer before employing the IKE negotiation mode. For details, see 7.2.5.5 Configuring the IKE Peer Attributes.
1. Run ipsec policy to create an IPSec policy and enter the view.
2. Run security acl to set the ACL used by the IPSec policy.
3. Run proposal to set the IPSec proposal used by the IPSec policy.
4. Run ike-peer to set the IKE peer used in the IPSec policy in IKE negotiation mode.
5. Run pfs to set the PFS feature of the IPSec policy template in IKE negotiation mode.
6. Run sa duration to set the lifetime of the SA. In the case of SA generation through the IKE negotiation, if the IPSec policy is not configured with a lifetime, the global SA lifetime configured with ipsec sa global-duration can be used for the negotiation with the peer. A new lifetime does not affect the established SAs but will be employed to establish new SAs in later IKE negotiation.
7. Run ipsec policy local-address in the system view to set the local address of the IPSec policy group. You can also specify the name, interface type, and interface number of the IPSec policy. The interface whose IP address is used as the local address of the IPSec policy group must be a loopback interface. For the configuration procedure of a loopback interface, see 6.8.1 Creating the Loopback Interface.
NOTE
If the local address of the IPSec policy group is specified, the IP address of the specified interface is used as the local address of the IPSec tunnel. When the IPSec policy group is applied to multiple interfaces, these interfaces employ the same SA to protect the same data flows. If the local address of the IPSec policy group is not specified, the IP address of the interface to which the IPSec policy is applied is used as the local address of the IPSec tunnel. The interfaces generate their respective SAs to protect the same data flows.
Prerequisite
Before applying an IPSec policy to an interface, you must complete the following tasks:
- 7.2.5.1 Configuring the Protected Data Flows
- 7.2.5.2 Configuring the IPSec Proposal
- 7.2.5.8 Configuring the IPSec Policy
Context
By applying an IPSec policy to an interface, you can apply different security measures to protect different data flows that are transmitted through the interface. If the IPSec policy to be applied is a security association (SA) established manually, the SA is generated at once. If the IPSec policy to be applied is an SA established through Internet Key Exchange (IKE) negotiation, the PDSN9660 is triggered to negotiate the IPSec SA through IKE only when the data flows that comply with an IPSec policy are sent out through the interface.
Configuration Principle
- Ensure that a valid IP address is set for the interface where the IPSec policy group is applied.
- Before applying the security policy to the tunnel interface, ensure that the tunnel interface is set with a source address. The IPSec policy group that is applied to the IPSec tunnel interface cannot be set with a local address, and the encapsulation mode proposed by the IPSec proposal and used by each IPSec policy must be the tunnel mode.
Data Planning
No.  Data
1    Type, number, and IP address of the interface
2    IPSec policy name
Operation Procedure
Apply an IPSec policy to the R-P and Pi interfaces.
1. Run interface to enter the interface view.
2. Run ip address to set the IP address of the interface.
3. Run ipsec policy to apply the IPSec policy or IPSec policy group to the interface.
Apply an IPSec policy to the tunnel interface.
1. Configure the tunnel interface. For details on the configuration procedure, see 6.8.2 Creating the Tunnel Interface.
2. Run ipsec policy to apply the IPSec policy or IPSec policy group to the interface.
When some configuration is incorrect or requires modification, you can run the following commands to delete the current configuration and reconfigure the system.
Table 7-5 Deleting the configuration of the security function
Command: Function
undo filter: Deletes the configuration of a filter or all filters.
undo acl-node: Deletes the configuration of an ACL node or all ACL nodes.
undo acl: Deletes the configuration of an ACL or all ACLs.
undo acl-node-binding: Deletes the binding relation of an ACL node or of all ACL nodes in an ACL.
undo acl-default: Deletes the configuration of the default ACL on a condition.
undo time-range-service: Deletes the configured validity time range.
Example of Preventing Attacks from an MS or a PDN User to Devices on the Core Network
This provides an example of configuring the packet filtering function to protect devices on the CDMA2000 core network from attacks by mobile stations (MSs) or devices on the packet data network (PDN).
Networking Requirement
A firewall is usually deployed between the CDMA2000 core network and the external PDN. This firewall is used to protect the core network from attacks by users on the external PDN. A mobile user can attack the core network after learning about information such as IP addresses of devices. This poses a security threat to the core network. This problem can be avoided by configuring the packet filtering policy on the PDSN. See Figure 7-19. The following solution is taken:
- Prohibit unauthorized MS access to devices such as the M2000 on the CDMA2000 core network.
Figure 7-19 Preventing attacks from an MS or a PDN user to devices on the core network (figure: other devices of the CN, PC)
Data Collection
Prohibiting unauthorized MS access to devices on the CDMA2000 core network
Filter: to-cn
Layer 3/Layer 4 protocol: UDP
IP address of the MS: 202.57.90.1
Wildcard mask: 0.0.0.31
IP address of a device on the core network: 217.164.95.67
Wildcard mask: 0.0.0.31
Name of the ACL node: node-upflow-cn
Gate control action of the filter to-cn: discard
Name of the ACL: acl-upflow
Matching order: auto
Name of the validity time range: range1
Validity time range: 8:30 Friday to 18:00 Saturday
Configuration Procedure
1. Prohibit unauthorized MSs from accessing devices on the CDMA2000 core network.
# Enter the system view.
<PDSN>system-view
# Configure the Layer 3/Layer 4 filter. The filter name is to-cn. The Layer 3/Layer 4 protocol is UDP. The MS IP address is 202.57.90.1 and the wildcard mask is 0.0.0.31. The IP address of a device on the core network is 217.164.95.67 and the wildcard mask is 0.0.0.31.
[PDSN-service]filter to-cn l34-protocol udp ms-ip 202.57.90.1 0.0.0.31 server-ip 217.164.95.67 0.0.0.31
NOTE
The wildcard mask is the reverse of the subnet mask. The number 0 in a wildcard mask means that this bit must be matched and the number 1 means that this bit does not need to be matched. An IP address range is obtained by the "and" calculation of the reverse of the wildcard mask and the IP address. For example, in the filter to-cn, you can calculate the network address 217.164.95.64 of the network segment to which the device on the core network belongs from the subnet mask 255.255.255.224. This address can also be calculated from the wildcard mask.
IP address = 217.164.95.67        11011001.10100100.01011111.01000011
Wildcard mask = 0.0.0.31          00000000.00000000.00000000.00011111
Network address = 217.164.95.64   11011001.10100100.01011111.01000000
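The wildcard-mask arithmetic of this NOTE, carried through in code and then used to evaluate the to-cn filter against a few constructed packets, as an added Python example. This is not the PDSN's filter implementation: only the protocol and address fields of a filter are modelled, the validity time range and the domain binding are left out, and the default action for traffic no filter matches is an assumption of the example (on the device, acl-default governs it).

```python
"""Wildcard-mask matching as used by the PDSN filter rules, an added example
(not code from the manual). It reproduces the page's arithmetic, where a 0 bit
in the wildcard mask must match and a 1 bit is ignored, and evaluates the
to-cn filter from the example against constructed packets. Only the protocol
and address fields of a filter are modelled; the validity time range and the
domain binding are left out.
"""
from dataclasses import dataclass
from typing import Iterable
import ipaddress


def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def binary(ip: str) -> str:
    """Dotted binary form, as in the page's NOTE."""
    return ".".join(f"{int(octet):08b}" for octet in ip.split("."))


def network_address(ip: str, wildcard: str) -> str:
    """IP AND NOT(wildcard): clears every bit the mask marks as don't-care."""
    return to_ip(to_int(ip) & ~to_int(wildcard))


def wildcard_to_netmask(wildcard: str) -> str:
    """The wildcard mask is the bitwise reverse of the subnet mask."""
    return to_ip(~to_int(wildcard))


def matches(ip: str, rule_ip: str, wildcard: str) -> bool:
    """True when ip agrees with rule_ip on every bit that must match."""
    return network_address(ip, wildcard) == network_address(rule_ip, wildcard)


@dataclass(frozen=True)
class Filter:
    name: str
    l34_protocol: str      # "udp", "tcp" or "any"
    ms_ip: str
    ms_wildcard: str
    server_ip: str
    server_wildcard: str
    gate: str              # gate control action: "discard" or "permit"


@dataclass(frozen=True)
class Packet:
    src: str               # MS address (uplink direction)
    dst: str               # server address
    protocol: str


def filter_hit(flt: Filter, pkt: Packet) -> bool:
    proto_ok = flt.l34_protocol == "any" or flt.l34_protocol == pkt.protocol
    return (proto_ok
            and matches(pkt.src, flt.ms_ip, flt.ms_wildcard)
            and matches(pkt.dst, flt.server_ip, flt.server_wildcard))


def gate_action(filters: Iterable[Filter], pkt: Packet, default_gate: str = "permit") -> str:
    """First matching filter decides; the default for unmatched traffic is an
    assumption of this example (the device's acl-default setting governs it)."""
    for flt in filters:
        if filter_hit(flt, pkt):
            return flt.gate
    return default_gate


# The to-cn filter exactly as planned on the page.
TO_CN = Filter("to-cn", "udp", "202.57.90.1", "0.0.0.31",
               "217.164.95.67", "0.0.0.31", "discard")

if __name__ == "__main__":
    print(binary("217.164.95.67"), "->", network_address("217.164.95.67", "0.0.0.31"))
    print(gate_action([TO_CN], Packet("202.57.90.20", "217.164.95.70", "udp")))
```

Note that a wildcard of 0.0.0.31 covers 32 addresses starting at the network address, so the filter in the example protects 217.164.95.64 through 217.164.95.95; a packet to 217.164.95.96 falls outside it, as does one from an MS outside 202.57.90.0 through 202.57.90.31 or one carrying TCP rather than UDP.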
# Associate the filter with the flow action. Set the ACL node to node-upflow-cn and the action for the filter to-cn to discard.
[PDSN-service]acl-node node-upflow-cn filter to-cn gate discard
# Set the validity time range, range1, to 8:30 Friday to 18:00 Saturday.
[PDSN-service]time-range-service range1 Fri 8:30 to Sat 18:00
# Bind the ACL acl-upflow to the domain instance isp.com. Set the direction to up-in and validity time range to range1.
[PDSN-isp.com]pdsn-acl-binding direction up-in acl acl-upflow time-range range1
2.
3.
Networking Requirement
Operators can configure the packet filtering policy on the PDSN to discard packets of mutual access between MSs. Thus, the PDSN can prevent an MS from attacking another MS, ensure MS security, and improve customer satisfaction. The PDSN can determine the type of a user based on the source and destination IP addresses. If the user is not a Web-service user, the PDSN prevents the user from accessing any address in the address pool for Web-service users.
Data Collection
Filter: ft-protect-ip
Layer 3/Layer 4 protocol: any
IP address of the MS: 10.193.1.0
Wildcard mask: 0.0.0.255
Destination IP address: 110.193.0.0
Wildcard mask: 0.0.0.255
Name of the ACL node: node-protect-ip
Gate control action of the filter ft-protect-ip: discard
Name of the ACL: acl-protect-ip
Matching order: auto
Name of the domain: isp.com
Direction of the ACL: Uplink inbound
Configuration Procedure
1. Configure the filter.
# Enter the system view.
<PDSN>system-view
# Configure the Layer 3/Layer 4 filter. Set the filter name to ft-protect-ip and Layer 3/Layer 4 protocol to any. Set the MS IP address to 10.193.1.0 and wildcard mask to 0.0.0.255. Set the destination IP address to 110.193.0.0 and wildcard mask to 0.0.0.255.
[PDSN-service]filter ft-protect-ip l34-protocol any ms-ip 10.193.1.0 0.0.0.255 server-ip 110.193.0.0 0.0.0.255
2. Associate the filter with the flow action.
# Set the ACL node to node-protect-ip and the gate control action for the filter ft-protect-ip to discard.
[PDSN-service]acl-node node-protect-ip filter ft-protect-ip gate discard
3. Apply the ACL to the domain.
# Enter the domain view of isp.com.
[PDSN]domain isp.com
# Bind the ACL acl-protect-ip to the domain instance. Set the direction to up-in and configure the ACL to take effect immediately.
[PDSN-isp.com]pdsn-acl-binding direction up-in acl acl-protect-ip
4.
Example of Preventing the DDoS Attack from an MS to the Devices on the PDN
This provides an example of configuration for the packet filtering function to protect devices on the packet data network (PDN) from distributed denial of service (DDoS) attacks by mobile stations (MSs).
Networking Requirement
An MS sends a Transmission Control Protocol (TCP) connection setup request to a device on the PDN. Normally, the MS returns an ACK message after receiving the SYN+ACK message, and the TCP connection is then set up. If the MS does not return the ACK packet after receiving the SYN+ACK packet, the server on the PDN retains this semi-connection until it expires. If the MS sends numerous SYN packets in a short period, the server holds a correspondingly large number of semi-connections. So many resources are consumed that the server cannot process services normally. The PDSN9660 implements the anti-DDoS function to protect devices on the PDN from such attacks by MSs.
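The half-open connection condition described above, written as a small detector over a constructed connection log, as an added Python example. This is not the PDSN9660's anti-DDoS implementation and says nothing about how the device measures its threshold: the manual gives 45 as the example threshold value without stating its unit, so here the threshold simply counts half-open connections per MS, and the 30-second semi-connection expiry, the addresses and the event log are all constructed.

```python
"""Half-open TCP connection counting for SYN-flood detection, an added example
of the condition the page describes, not the PDSN9660's anti-DDoS
implementation. A connection is half-open when the MS sent a SYN but no
completing ACK, and the server still holds the semi-connection (it has not
expired). A source whose half-open count exceeds the threshold is flagged.
The event log is constructed; 45 is the page's example threshold, but the
manual does not state its unit, so here it simply counts half-open
connections per MS.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (time, ms_ip, ms_port, server_ip, server_port, flag) as seen from the MS side
Event = Tuple[float, str, int, str, int, str]


def half_open_counts(events: List[Event], now: float, timeout: float) -> Dict[str, int]:
    """Per-MS number of SYNs without a later ACK that the server would still
    be holding at `now` (semi-connections expire after `timeout` seconds)."""
    pending: Dict[Tuple[str, int, str, int], float] = {}
    for t, src, sport, dst, dport, flag in sorted(events, key=lambda e: e[0]):
        if t > now:
            break
        key = (src, sport, dst, dport)
        if flag == "SYN":
            pending[key] = t
        elif flag == "ACK":
            pending.pop(key, None)   # handshake completed, no longer half-open
    counts: Dict[str, int] = defaultdict(int)
    for (src, _sport, _dst, _dport), t_syn in pending.items():
        if now - t_syn < timeout:
            counts[src] += 1
    return dict(counts)


def flagged_sources(events: List[Event], now: float,
                    threshold: int = 45, timeout: float = 30.0) -> List[str]:
    """MS addresses whose half-open count exceeds the traffic control threshold."""
    return sorted(src for src, n in half_open_counts(events, now, timeout).items()
                  if n > threshold)


def build_sample_events() -> List[Event]:
    """Constructed log: one MS sends 50 SYNs and never completes a handshake,
    another completes three normal handshakes."""
    events: List[Event] = []
    for i in range(50):
        events.append((i * 0.1, "10.193.1.7", 40000 + i, "110.193.0.5", 80, "SYN"))
    for i in range(3):
        events.append((1.0 + i, "10.193.1.8", 50000 + i, "110.193.0.5", 80, "SYN"))
        events.append((1.2 + i, "10.193.1.8", 50000 + i, "110.193.0.5", 80, "ACK"))
    return events


if __name__ == "__main__":
    print(half_open_counts(build_sample_events(), now=10.0, timeout=30.0))
    print(flagged_sources(build_sample_events(), now=10.0))
```

Keying the pending table on the full four-tuple matters: the flooding MS uses a fresh source port for every SYN, so each one is a separate semi-connection on the server, while the well-behaved MS's ACKs remove exactly the entries its SYNs created. Evaluating at a later `now` shows the other side of the picture, since expired semi-connections no longer count against the source.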
Data Collection
Traffic control threshold for anti-DDoS: 45
User profile name: profile1
Name of the domain to which the user profile profile1 is bound: isp.com
Configuration Procedure
1. Set the traffic control threshold for anti-DDoS.
# Enter the service view.
[PDSN]service-view
# Set the value of the traffic control threshold for anti-DDoS to 45.
[PDSN-service]ddos threshold 45
2. Enable the anti-DDoS function.
# Create the user profile profile1 and enter the user profile view of profile1.
[PDSN-service]user-profile profile1
3. Bind the user profile to the domain instance.
# Enter the domain view.
[PDSN]domain isp.com
4.
Example of Redirecting Packets of Mutual Access Between MSs on the Same PDSN
This provides an example of configuration for the Pi redirection function to redirect packets of mutual access between mobile stations (MSs) on the same PDSN.
Networking Requirement
Enable the Pi redirection function on the PDSN. See Figure 7-20.
Figure 7-20 Packet redirection through the PDSN (figure: firewall, redirection address 1.1.1.1)
Data Collection
Plan the data as follows.
Global Pi redirection function
Global Pi redirection function: enable
VPN-based Pi redirection function
Name of the VPN instance: ispvpn1
Pi redirection function based on the VPN instance ispvpn1: enable
IP address for redirection: 1.1.1.1
Name of the VPN instance: ispvpn2
Pi redirection function based on the VPN instance ispvpn2: disable
Pi redirection function for non-VPN users
Pi redirection function for non-VPN users: enable
IP address for redirection: 1.1.1.1
Configuration Procedure
1. Configure the interworking between the PDSN9660 and the firewall.
- Ensure that the IP address of the ethernet1/0/0 interface on the PDSN is in the same network segment as the inbound physical interface a on the firewall.
- Ensure that the IP address of the ethernet1/0/1 interface of the PDSN is in the same network segment as the outbound physical interface b on the firewall.
For details, see Configuring the Data for the Interworking Between NEs.
2. Configure the global Pi redirection function.
# Enter the system view.
<PDSN>system-view
3. Configure the VPN-specific Pi redirection function.
# Enable the Pi redirection function for the VPN instance ispvpn1. Set the redirection destination IP address to 1.1.1.1.
[PDSN-service]pi redirect single vpn ispvpn1 enable redirect-dstip 1.1.1.1
4. Configure the Pi redirection function for non-VPN users.
# Enable the Pi redirection function for non-VPN users. Set the redirection destination IP address to 1.1.1.1.
5.
Networking Requirement
The PDSN9660 supports the IPSec function on the Pi interface. The PDSN9660 sets up a security tunnel to the AAA server that also supports the IPSec function. This security tunnel can protect the data traffic between the PDSN9660 and the AAA server. See Figure 7-21.
Figure 7-21 Networking of setting up a security tunnel between the PDSN9660 and the AAA server (figure: PDSN9660, AAA server)
Data Collection
Manually set up a security association (SA) for performing the IPSec processing for the data flows from the PDSN9660 to the AAA server. Plan the data as follows.
Protected data flows
Access control list (ACL) number: 3101
Data flows: IP packets from the giif3/0/0 interface (10.8.20.1) on the PDSN9660 to the interface (10.8.10.1) of the AAA server
IPSec proposal
IPSec proposal name: propo1
Security protocol: ESP
Authentication algorithm: SHA-1
Encryption algorithm: DES
Encapsulation mode: Tunnel mode
IPSec policy
IPSec policy name: map1
Sequence number: 10
Negotiation mode: manual
Security parameter index (SPI) of the outbound Encapsulating Security Payload (ESP) SA
SPI of the inbound ESP SA
Outbound ESP SA key, which is a character string
Inbound ESP SA key, which is a character string
Peer IP address of the tunnel: 10.8.10.1
Configuration Procedure
1. The interworking between the PDSN9660 and the AAA server is configured. For details, see 3.14.1 Inband Networking and 3.14.2 Outband Networking.
2. Configure the data flows to be protected.
# Enter the system view.
<PDSN>system-view
# Configure the ACL rules. Set the IP address of the source PDSN to 10.8.20.1 and wildcard mask to 0.0.0.0. Set the IP address of the destination AAA server to 10.8.10.1 and wildcard mask to 0.0.0.0.
[PDSN-acl-3101]rule permit ip source 10.8.20.1 0.0.0.0 destination 10.8.10.1 0.0.0.0
[PDSN-acl-3101]quit
3. Create an IPSec proposal.
# Create the IPSec proposal propo1 and enter the IPSec proposal view.
[PDSN]ipsec proposal propo1
4. Create an IPSec policy on the PDSN9660.
# Create an IPSec policy and enter the IPSec policy view. Set the name of the IPSec policy to map1, the sequence number to 10, and the negotiation mode to manual.
[PDSN]ipsec policy map1 10 manual
# Set the peer IP address of the tunnel, that is, IP address of the AAA server, to 10.8.10.1.
[PDSN-ipsec-policy-manual-map1-10]tunnel remote 10.8.10.1
[PDSN-ipsec-policy-manual-map1-10]quit
5. Apply the IPSec policy group to the interface.
# Enter the view of the piif3/0/0 interface.
[PDSN]interface Piif3/0/0
# Set the IP address of the Pi interface to 10.8.20.1 and the subnet mask to 255.255.255.255.
[PDSN-Piif3/0/0]ip address 10.8.20.1 255.255.255.255
6.
Prerequisite
The interworking between the PDSN9660 and the home agent (HA) is configured. For details, see 5 Configuring the Data for the HA.
7.3.1 Application Scheme for the FA
This describes the application scheme for the foreign agent (FA) function on the PDSN9660.
7.3.2 Configuring the Foreign Agent Care-of Address
This describes how to specify the IP address of a Pi interface that is not bound to any virtual private network (VPN) instance as the foreign agent care-of address for mobile nodes (MNs).
7.3.3 Configuring the FA
The CDMA2000 system supports the mobile IP (MIP) service and the PDSN9660 serves as a foreign agent (FA). Therefore, you must configure the data for the FA function on the PDSN9660.
7.3.4 Configuring the SA Between the MN and the FA
This describes how to set the parameters of the security association (SA) to guarantee the communication security between the mobile node (MN) and the foreign agent (FA).
7.3.5 Configuring the SA Between the FA and the HA
This describes how to set the parameters of the security association (SA) to guarantee the communication security between the foreign agent (FA) and the home agent (HA).
7.3.6 Commissioning the Data for the FA Function
This provides the commands for commissioning the configuration data for the foreign agent (FA) function.
7.3.7 Configuration Example
This provides an example of the configuration for the interworking with the home agent (HA) to implement the mobile IP (MIP) function.
Configuration Roadmap
Figure 7-22 shows the configuration roadmap when the PDSN9660 serves as the FA.
Figure 7-22 Configuring the FA function (figure: Configure the FA data; End)
Context
A care-of address is an IP address closely related to the foreign link of an MN. The care-of address of an MN indicates the current location of the MN. When an MN is on a foreign link, a tunnel is set up between the home agent (HA) and the care-of address so that packets can be forwarded to the MN.
Data Planning
No.  Data
1    Name of the Pi interface that is used to interwork with the HA
2    IP address of the Pi interface
3    Foreign agent care-of address
Procedure
Step 1 Run interface to create the Pi logical interface.
The created interface must be the planned Pi interface. The interface name consists of the interface type piif and the interface number. The interface number is in the format of SPU group number/CPU number/virtual port number. The Pi interface is created on the SPU.
- If the SPUs work in 1+1 backup mode, the SPU group number must be the odd slot number.
- If the PDSN works in load-sharing mode, the SPU group number is the number of the slot where the SPU resides.
Step 2 Run ip address to set the IP address and subnet mask of the Pi interface.
NOTE
When you set the IP address of the Pi interface, the subnet mask must be set to 255.255.255.255.
Step 3 Run cofaddr to specify the IP address of the Pi interface as the foreign agent care-of address.
----End
Prerequisite
The interworking between the PDSN9660 and the home agent (HA) is configured. For details, see 5 Configuring the Data for the HA.
Context
Serving as the FA, the PDSN9660 must perform the following functions:
- Searching for an agent: By sending agent advertisements, the PDSN9660 helps a mobile node (MN) to know whether it roams out of the home network. The PDSN9660 also provides the MN with the foreign agent care-of address and other information.
- Processing registration messages: The PDSN9660 determines whether a registration message of the MN is valid according to the values of the fields in the message. If necessary, the PDSN9660 can send the registration message to the authentication, authorization and accounting (AAA) server for authentication and forward the valid registration message to the HA.
- Forwarding packets: The PDSN9660 obtains the packets that are forwarded by the HA through the forward tunnel and sends them to the MN. The PDSN9660 forwards the packets from the MN by following the simple IP forwarding process or through the reverse tunnel.
The data configuration for the FA function involves the settings of parameters related to the agent advertisement, registration process, and tunnel. According to the agent advertisement, the MN can:
- Obtain the foreign agent care-of address if the MN roams to a foreign network.
- Obtain the challenge required for constituting the registration request. The PDSN9660 checks the validity of the challenge for anti-replay purposes.
When an MN determines that it is on a foreign network according to the agent advertisement message, the MN sends a registration request containing the care-of address to the PDSN9660. If the home address is unavailable, the PDSN9660 requires the HA to assign a home address. The PDSN9660 forwards the registration request to the HA. The registration message must be authenticated for security. The authentication extension in the registration message is checked and the MN is authenticated by the Remote Authentication Dial In User Service (RADIUS) server. For details on security parameter settings, see 7.3.4 Configuring the SA Between the MN and the FA and 7.3.5 Configuring the SA Between the FA and the HA.
Configuration Principle
If you do not specify the parameters related to the agent advertisement, registration process, or tunnel, the PDSN9660 employs the default settings for the MIP service.
Data Planning
No. | Data
1 | Number of FA sent agent advertisements
2 | Interval for sending agent advertisements by FA
3 | Lifetime of the FA sent agent advertisement
4 | Size of the window containing the challenge value in an agent advertisement
5 | Maximum time for the FA to wait for an MIP registration request initiated by an MN
6 | Maximum time for the FA to wait for a registration response returned by the HA
7 | MIP service duration allowed by the FA
8 | Whether to enable the GRE extension for the MIP service
9 | Whether the reverse tunnel is supported
Procedure
Step 1 Run mip enable to enter the MIP view.
Step 2 Run mip-fa to set the parameters for the FA function on the PDSN9660.
Step 3 Run quit to exit the MIP view.
Step 4 Enter the view of the domain to which the user belongs.
- For a user in authentication access mode, run domain to enter the view of the domain to which the user belongs.
- For a user in non-authentication access mode, run construct domain to enter the view of the constructed domain to which the user belongs.
Step 5 Run proxy-mip to enable the proxy MIP function for the specified domain.
----End
7-72 Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 02 (2009-04-10)
7.3.4 Configuring the SA Between the MN and the FA

Context
When the service request from an MN contains the MN-FA extension field, the request must be authenticated according to the SA between the MN and the FA to guarantee the communication security.
Data Planning
No. | Data
1 | Domain name
2 | IP address of the FA
3 | Security parameter index
4 | Authentication key
5 | Authentication algorithm
6 | Security mode
7 | Anti-replay mode
Procedure
Step 1 Run mip enable to enter the MIP view.
Step 2 Run mn-fa-sa to set the SA parameters between the MN and the FA.
NOTE
- The authentication key must be a string of 16 characters.
- Only the Message Digest 5 (MD5) authentication algorithm is employed. If you do not specify the authentication algorithm, MD5 is used by default.
- Only the prefix-postfix security mode is employed. If you do not specify the security mode, the prefix-postfix security mode is used by default.
- Only the timestamp mode is employed for anti-replay. If you do not specify the anti-replay mode, the timestamp mode is used by default.
Step 3 Optional: Run force-mn-fa-auth to forcibly include the MN-FA extension field in authentication messages between the MN and the FA.
----End
7.3.5 Configuring the SA Between the FA and the HA

Context
You must set the SA parameters between the FA and the HA to guarantee the communication security between the FA and the HA before a user accesses the mobile IP (MIP) service. According to the SA parameters, the FA generates the FA-HA Authentication Extension value and includes it in the registration request of the mobile node (MN). The HA authenticates the registration request forwarded by the FA to guarantee the communication security.
Data Planning
No. | Data
1 | IP address of the FA
2 | IP address of the HA
3 | Security parameter index
4 | Authentication key
5 | Authentication algorithm
6 | Security mode
7 | Anti-replay mode
Procedure
Step 1 Run mip enable to enter the MIP view.
Step 2 Run fa-ha-sa to set the SA parameters between the FA and the HA.
NOTE
- The authentication key must be a string of 16 characters.
- Only the Message Digest 5 (MD5) authentication algorithm is employed. If you do not specify the authentication algorithm, MD5 is used by default.
- Only the prefix-postfix security mode is employed. If you do not specify the security mode, prefix-postfix is used by default.
- Only the timestamp mode is employed for anti-replay. If you do not specify the anti-replay mode, the timestamp mode is used by default.
----End
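The MN-FA and FA-HA SAs configured in 7.3.4 and 7.3.5 share one construction: a 16-character key, keyed MD5 in prefix-postfix mode (RFC 2002 section 3.5.1: MD5 over the key, the protected part of the registration message, and the key again), a challenge that the MN copies from the agent advertisement and that must still lie inside the FA's challenge window (challwin), and a timestamp in the Identification field for anti-replay. The Python below is an added example of what the FA and HA check before accepting a registration request; it is not Huawei code and is not taken from this manual. It uses the message layout of RFC 3344 and the challenge extension of RFC 3012, the SPIs and keys from the configuration example later in this section (MN-FA SPI 256, FA-HA SPI 299), and the following assumptions: the home address, the 7-second clock tolerance and the in-memory challenge window are constructed for the example, and the FA is shown simply appending its FA-HA extension after the MN-FA extension when relaying.

```python
"""Added example (not Huawei code): the checks behind mn-fa-sa / fa-ha-sa. Keyed MD5 in
prefix+suffix mode (RFC 2002 3.5.1), the agent-advertisement challenge window, and
timestamp-mode anti-replay on the Identification field (RFC 3344 / RFC 3012 layouts)."""
import hashlib, hmac, os, socket, struct, time
from collections import deque

NTP_EPOCH_OFFSET = 2208988800            # 1900-01-01 to 1970-01-01: Identification carries NTP seconds
RRQ_TYPE, MN_FA_CHALLENGE_EXT = 1, 132   # Registration Request; MN-FA Challenge Extension (RFC 3012)
MN_FA_AUTH_EXT, FA_HA_AUTH_EXT = 33, 34  # Mobile-Foreign / Foreign-Home Authentication Extensions
HEADER_FMT = "!BBH4s4s4sQ"               # type, flags, lifetime, home addr, HA addr, CoA, identification
HEADER_LEN = struct.calcsize(HEADER_FMT)

def prefix_suffix_md5(key, protected):
    """Authenticator = MD5(key || protected fields || key), the page's 'prefix-postfix' MD5 mode."""
    return hashlib.md5(key + protected + key).digest()

def ntp_identification(unix_seconds, low32):
    """64-bit Identification: seconds since 1900 in the high word, a nonce in the low word."""
    return ((unix_seconds + NTP_EPOCH_OFFSET) << 32) | (low32 & 0xFFFFFFFF)

def append_auth_ext(message, ext_type, spi, key):
    """Append an authentication extension; it covers everything before it plus its type, length and SPI."""
    if len(key) != 16:
        raise ValueError("SA key must be exactly 16 bytes (the PDSN9660 requires a 16-character key)")
    protected = message + struct.pack("!BBI", ext_type, 4 + 16, spi)  # length = SPI + 16-byte authenticator
    return protected + prefix_suffix_md5(key, protected)

def build_rrq(home_addr, home_agent, coa, lifetime, challenge, identification):
    """Fixed RRQ header followed by the challenge copied from the agent advertisement."""
    header = struct.pack(HEADER_FMT, RRQ_TYPE, 0, lifetime, socket.inet_aton(home_addr),
                         socket.inet_aton(home_agent), socket.inet_aton(coa), identification)
    return header + struct.pack("!BB", MN_FA_CHALLENGE_EXT, len(challenge)) + challenge

def extensions(rrq):
    """Yield (type, offset, value) per TLV after the header; stop at a length that overruns the packet."""
    pos = HEADER_LEN
    while pos + 2 <= len(rrq):
        ext_type, ext_len = rrq[pos], rrq[pos + 1]
        value = rrq[pos + 2:pos + 2 + ext_len]
        if len(value) != ext_len:
            return
        yield ext_type, pos, value
        pos += 2 + ext_len

def verify_auth_ext(rrq, ext_type, sa_keys):
    """Recompute the authenticator of the first extension of ext_type using the key its SPI selects."""
    for ext, pos, value in extensions(rrq):
        if ext != ext_type:
            continue
        if len(value) != 20:
            return "malformed"
        key = sa_keys.get(struct.unpack("!I", value[:4])[0])
        if key is None:
            return "unknown-spi"
        expected = prefix_suffix_md5(key, rrq[:pos + 6])  # header, earlier extensions, type/length/SPI
        return "ok" if hmac.compare_digest(expected, value[4:]) else "bad-auth"
    return "missing-auth"

class ForeignAgent:
    def __init__(self, mn_fa_keys, challwin=5, max_skew=7):
        self.mn_fa_keys = mn_fa_keys           # SPI -> key, one entry per mn-fa-sa
        self.window = deque(maxlen=challwin)   # the challwin most recently advertised challenges
        self.max_skew = max_skew               # assumed clock tolerance in seconds for timestamp mode
        self.accepted = set()                  # identifications already accepted, for replay detection

    def advertise(self):
        self.window.append(os.urandom(16))
        return self.window[-1]

    def verify(self, rrq, now=None):
        now = int(time.time()) if now is None else now
        status = verify_auth_ext(rrq, MN_FA_AUTH_EXT, self.mn_fa_keys) if len(rrq) >= HEADER_LEN else "malformed"
        if status != "ok":
            return status
        auth_pos = next(p for t, p, _ in extensions(rrq) if t == MN_FA_AUTH_EXT)
        # only a challenge placed before the authenticator is protected by it
        challenge = next((v for t, p, v in extensions(rrq) if t == MN_FA_CHALLENGE_EXT and p < auth_pos), None)
        if challenge not in self.window:
            return "bad-challenge"
        identification = struct.unpack(HEADER_FMT, rrq[:HEADER_LEN])[6]
        if abs(now - ((identification >> 32) - NTP_EPOCH_OFFSET)) > self.max_skew:
            return "stale"
        if identification in self.accepted:
            return "replay"
        self.accepted.add(identification)
        return "ok"

def demo(now=1_700_000_000):
    """Constructed walk-through with the page's SPIs and keys; returns the outcome of each check."""
    mn_fa_key, fa_ha_key = b"ABCDEFGHIJKLMNOP", b"gfedcba987654321"
    fa = ForeignAgent({256: mn_fa_key}, challwin=5)
    challenge = fa.advertise()
    rrq = append_auth_ext(build_rrq("10.1.1.5", "192.168.1.1", "10.10.10.1", 1800, challenge,
                                    ntp_identification(now, 0x1234)), MN_FA_AUTH_EXT, 256, mn_fa_key)
    results = {"fresh": fa.verify(rrq, now), "replayed": fa.verify(rrq, now)}
    results["tampered"] = fa.verify(rrq[:2] + b"\xff\xff" + rrq[4:], now)  # lifetime altered in flight
    relayed = append_auth_ext(rrq, FA_HA_AUTH_EXT, 299, fa_ha_key)          # what the HA receives
    results["ha_check"] = verify_auth_ext(relayed, FA_HA_AUTH_EXT, {299: fa_ha_key})
    results["ha_wrong_key"] = verify_auth_ext(relayed, FA_HA_AUTH_EXT, {299: b"0123456789ABCDEF"})
    return results
```

Two caveats follow from the code. Prefix-postfix keyed MD5 is the RFC 2002 construction; RFC 3344 replaced it with HMAC-MD5 as the default algorithm, and with either algorithm the only thing between an attacker and a forged registration is the secrecy and quality of the 16-character key, so the keys shown in this section's configuration example (ABCDEFGHIJKLMNOP, gfedcba987654321) must be treated as documentation placeholders and replaced by random values. The timestamp check only rejects requests whose clock is outside the tolerance; a replay of an already accepted request inside that tolerance is caught only by remembering accepted identifications, as the code does, and the check presupposes that the MN, FA and HA clocks are synchronized.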
Context
After the data for the FA function is configured, you must check the running status or configuration result.
Procedure
Step 1 Run display cofaddr to query the foreign agent care-of address of the mobile node (MN).
- If the care-of address is inconsistent with the current location of the MN, run undo cofaddr to delete the care-of address and run cofaddr to set the care-of address.
- If the care-of address is consistent with the current location of the MN, proceed with Step 2.
Step 2 Run display mip-fa to query the parameters for the FA function on the PDSN9660.
- If the parameter settings are inconsistent with the planning, run mip-fa to change the settings. You can also run undo mip-fa to revert to the default settings.
- If the parameter settings are consistent with the planning, proceed with Step 3.
Step 3 Run display fa-ha-sa to query the parameters of the security association (SA) between the FA and the home agent (HA).
- Incorrect SA parameter settings may cause FA authentication failure. In this case, run undo fa-ha-sa to delete the SA parameters between the FA and the HA, and run fa-ha-sa to set the correct SA parameters.
- If the authentication of the FA by the HA is successful, proceed with Step 4.
Step 4 Run display mn-fa-sa to query the parameters of the SA between the MN and the FA.
- Incorrect SA parameter settings may cause MN authentication failure. In this case, run undo mn-fa-sa to delete the SA parameters between the MN and the FA, and run mn-fa-sa to set the correct SA parameters.
- If the request sent by the MN is authenticated successfully, the configuration is correct and the user can access the mobile IP (MIP) service normally.
----End
Networking Requirement
See Figure 7-23. The PDSN9660 is connected to the HA on the packet data network (PDN) through router A, so the CDMA2000 network can support the MIP service. Serving as the foreign agent (FA), the PDSN9660 allows a mobile node (MN) enabled with the MIP function to roam across networks with uninterrupted communication.
Figure 7-23 (network diagram; only its labels survived extraction): BTS - BSC/PCF - backbone network - PDSN/FA (Ethernet1/0/1 10.2.1.1/24; Piif3/0/0 10.10.10.1/32) - Router A (10.2.1.2/24) - PDN - HA (192.168.1.1)
Data Collection
Plan the data as follows:
Ethernet interface
- Name of the Ethernet interface: Ethernet1/0/1
- IP address and subnet mask of the Ethernet1/0/1 interface: 10.2.1.1/255.255.255.0
- IP address and subnet mask of the interface on router A that is connected to Ethernet1/0/1: 10.2.1.2/255.255.255.0
Authentication, authorization and accounting (AAA) server that performs authentication and accounting for MIP users
- IP address of the active AAA server: 172.16.10.1
- IP address of the standby AAA server: 172.16.10.2
Pi interface
- Name of the Pi interface: piif3/0/0
- IP address and subnet mask of the Pi interface: 10.10.10.1/32
FA parameters
- Number of FA sent agent advertisements: 3
- Interval for sending agent advertisements by FA: 10 seconds
- Maximum time for the FA to wait for an MIP registration request initiated by an MN: 180 seconds
- Maximum time for the FA to wait for a registration response returned by the HA: 10 seconds
- Lifetime of the FA sent agent advertisement: 1800 seconds
- Whether to enable the Generic Routing Encapsulation (GRE) extension for the MIP service: enabled
- MIP service duration allowed by the FA: 1800 seconds
- Whether the reverse tunnel is supported: supported
- Size of the window containing the challenge value in an agent advertisement: 5
- Foreign agent care-of address: 10.10.10.1
Security association (SA) between the FA and the HA
- Security parameter index (SPI): 299
- Key: gfedcba987654321
- Authentication algorithm: MD5
- Security mode: prefix-postfix
- Anti-replay mode: timestamp
SA between the MN and the FA
- Domain name: isp.com
- IP address of the FA: 10.10.10.1
- SPI: 256
- Key: ABCDEFGHIJKLMNOP
- Authentication algorithm: MD5
- Security mode: prefix-postfix
- Anti-replay mode: timestamp
Configuration Procedure
1. Configure the interworking between the FA and the HA. For details, see 5 Configuring the Data for the HA.
2. Configure the Pi interface.
# Enter the system view.
<PDSN>system-view
# Set the IP address of the Pi interface to 10.10.10.1 and the subnet mask to 255.255.255.255.
[PDSN-piif3/0/0]ip address 10.10.10.1 255.255.255.255
# Specify the IP address of the piif3/0/0 interface as the foreign agent care-of address.
[PDSN-piif3/0/0]cofaddr
3. Set the parameters for the PDSN9660 to serve as the FA.
# Enter the MIP view.
[PDSN]mip enable
# Set the parameters for the PDSN9660 to serve as the FA. The number of FA sent agent advertisements is 3. The interval for sending agent advertisements by the FA is 10 seconds. The maximum time for the FA to wait for an MIP registration request initiated by an MN is 180 seconds. The maximum time for the FA to wait for a registration response returned by the HA is 10 seconds. The lifetime of the FA sent agent advertisement is 1800 seconds. The GRE extension is enabled for the MIP service. The MIP service duration allowed by the FA is 1800 seconds. The reverse tunnel is supported. The size of the window containing the challenge value in an agent advertisement is 5.
[PDSN-mip-view]mip-fa adv-times 3 adv-intera 10 waitrrq 180 waitrrp 10 agenttime 1800 gre-extend enable lifetime 1800 revtunnl enable challwin 5
4. Configure the SA between the FA and the HA.
# Set the parameters of the SA between the FA and the HA. The IP address of the FA is 10.10.10.1. The IP address of the HA is 192.168.1.1. The SPI is 299. The authentication algorithm is MD5. The security mode of the algorithm is prefix-postfix. The key is gfedcba987654321. The anti-replay mode is timestamp.
[PDSN-mip-view]fa-ha-sa faip 10.10.10.1 haip 192.168.1.1 spi 299 share-key gfedcba987654321 authalgo md5 authmode prefix-postfix replaymode timestamps
5. Configure the SA between the MN and the FA.
# Set the parameters of the SA between the MN and the FA. The domain name is isp.com. The IP address of the FA is 10.10.10.1. The SPI is 256. The authentication algorithm is MD5. The security mode of the algorithm is prefix-postfix. The key is ABCDEFGHIJKLMNOP. The anti-replay mode is timestamp.
[PDSN-mip-view]mn-fa-sa domain isp.com faip 10.10.10.1 spi 256 share-key ABCDEFGHIJKLMNOP authalgo md5 authmode prefix-postfix replaymode timestamps
6.
7.4.1 Planning the Application Scheme for RADIUS Authentication and Accounting: This describes the application scheme for Remote Authentication Dial In User Service (RADIUS) authentication and accounting.
7.4.2 Configuring RADIUS Authentication: You must configure the Remote Authentication Dial In User Service (RADIUS) authentication information when the access mode is Point-to-Point Protocol (PPP) authentication access, or when the address assignment mode is assignment by the RADIUS server.
7.4.3 Configuring RADIUS Accounting: This describes how to configure Remote Authentication Dial In User Service (RADIUS) accounting. You must configure the data for RADIUS accounting if Internet service providers (ISPs) or enterprise network owners require the RADIUS accounting mode.
7.4.4 Configuring the Charging Characteristic: This describes how to configure the charging characteristics for users of different types.
7.4.5 Configuring the Charging Parameters: This describes how to configure the charging parameters, including the global time threshold and volume threshold and the domain-specific time threshold and volume threshold for generating a usage data record (UDR).
7.4.6 Configuring the Tariff Switch Function: This describes how to configure the tariff switch function.
7.4.7 Configuring the UDR Cache Function: This describes how to configure the usage data record (UDR) cache function.
7.4.8 Maintaining the Data for RADIUS Authentication and Accounting: This describes the commands for displaying the configuration data of Remote Authentication Dial In User Service (RADIUS) authentication and accounting.
7.4.9 Example of RADIUS Authentication and Accounting: This provides an example of configuration for Remote Authentication Dial In User Service (RADIUS) authentication and accounting.
7.4.1 Planning the Application Scheme for RADIUS Authentication and Accounting
This describes the application scheme for Remote Authentication Dial In User Service (RADIUS) authentication and accounting.
Configuration Roadmap
The procedure for configuring RADIUS authentication and accounting on the PDSN9660 is as follows:
1. Bind the RADIUS server group to the specified Domain.
2. Set the timeout interval and the number of retransmission times for RADIUS messages.
3. (Optional) Configure the RADIUS authentication or accounting attributes.
For details, see 7.4.2 Configuring RADIUS Authentication and 7.4.3 Configuring RADIUS Accounting.
7.4.2 Configuring RADIUS Authentication

Prerequisite
- The domain related data is configured. For details, see 7.1 Configuring the Domain Data.
- The data for interworking with the authentication, authorization and accounting (AAA) server is configured. For details, see 3 Configuring the Data for the AAA Server.
Context
The PDSN9660 interworks with the AAA server to perform RADIUS authentication. This prevents unauthorized users from accessing the network. If IP addresses are assigned by the RADIUS server and the access mode is authentication access, the PDSN9660 serves as an AAA client and sends authentication requests to the AAA server to authenticate a user or assign a dynamic IP address to the user during the RADIUS authentication process.
If the IP address assigned by the AAA server is preferred and this IP address is different from the static IP address, the PDSN does not allow user activation. If the AAA server does not return an IP address, the PDSN returns a message indicating activation failure.
Configuration Principle
Each Domain can be configured with only one RADIUS server group.
Data Planning
No. | Data
1 | RADIUS server group bound to the Domain
3 | (Optional) Whether to carry the domain name for the authentication by the AAA server
4 | Timeout interval and number of retransmission times of RADIUS messages
5 | Optional attributes in an authentication request of the RADIUS server group
6 | Operator private attributes returned by the RADIUS server group
Procedure
Step 1 Run domain to specify the Domain and enter the Domain view.
Step 2 Run radius-server group to bind the RADIUS server group to the Domain.
Step 3 Run common-user to set a common user name and password for the Domain.
Step 4 Optional: Run strip-domain-name to specify whether the domain name stripping function is enabled for the Domain, that is, whether the domain name is carried in the authentication request sent to the AAA server.
Step 5 Run quit to exit the Domain view.
Step 6 Run access-view to enter the access view.
Step 7 Run radius-server group to enter the RADIUS server group view.
Step 8 Run radius-server retransmit timeout to set the timeout interval and number of retransmission times of RADIUS messages.
----End
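The key bound to each RADIUS server, and the timeout interval and retransmission count set in Step 8, decide what a RADIUS exchange looks like on the wire. The Python below is an added illustration of that; it is not Huawei code and is not part of this manual. It implements the RFC 2865 User-Password hiding (XOR with an MD5 keystream derived from the key and the Request Authenticator), the Response Authenticator that the client must verify before trusting an Access-Accept, and a retransmission loop shaped like the timeout 3 / retransmit 3 values used in the example later in this section. The key ispchina and the NAS address 10.2.1.1 are taken from this section's examples; the server is an in-process stand-in constructed for the example, the user name and password are made up, and real traffic would be UDP to port 1812.

```python
"""Added example (not Huawei code): what the RADIUS key, timeout and retransmit settings do on
the wire. User-Password hiding and the Response Authenticator follow RFC 2865; the server is an
in-process stand-in constructed for the example, and no packets leave the process."""
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def attribute(attr_type, value):
    """RADIUS attribute: type, length (including these two bytes), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def parse_attributes(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            break
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password, as the server applies it; trailing padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, identifier, username, password, nas_ip, request_auth=None):
    request_auth = request_auth or os.urandom(16)   # fresh per request: it keys the password hiding
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(secret, request_auth, password))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def build_response(secret, code, request, attrs=b""):
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(secret, request, response):
    """Client-side check that the reply is for this request and was produced with the same key."""
    if len(response) < 20 or response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def radius_server(secret, users, drop_first=0):
    """Constructed stand-in for the AAA server; drops the first drop_first requests to simulate timeouts."""
    dropped = [0]
    def handle(request):
        if dropped[0] < drop_first:
            dropped[0] += 1
            return None
        attrs = parse_attributes(request)
        password = reveal_password(secret, request[4:20], attrs.get(USER_PASSWORD, b""))
        code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
        return build_response(secret, code, request)
    return handle

def authenticate(server, secret, username, password, nas_ip, retransmit=3):
    """One send plus up to retransmit resends of the same packet, as 'radius-server retransmit timeout'
    configures; a None reply stands for no answer within the timeout interval. Returns (result, sends)."""
    request = build_access_request(secret, os.urandom(1)[0], username, password, nas_ip)
    for sends in range(1, retransmit + 2):
        response = server(request)
        if response is None:
            continue
        if not verify_response(secret, request, response):
            return "bad-authenticator", sends   # wrong key on either side, or a spoofed reply
        return ("accept" if response[0] == ACCESS_ACCEPT else "reject"), sends
    return "timeout", retransmit + 1
```

The check in verify_response is what makes the shared key matter: a reply from a host that does not hold the same key fails the authenticator and is discarded instead of acted on. Everything else in the packet is in the clear and the password hiding is a fixed MD5 keystream, so choose a long random key per server group and keep the servers reachable only inside the VPN instance, as the example configuration in this section does by binding them to enterprisevpn.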
7.4.3 Configuring RADIUS Accounting

Prerequisite
- The domain related data is configured. For details, see 7.1 Configuring the Domain Data.
- The authentication, authorization and accounting (AAA) server related data is configured. For details, see 3 Configuring the Data for the AAA Server.
Context
The PDSN9660 interworks with the AAA server to perform the RADIUS accounting for ISPs to charge the users.
Configuration Principle
Each access point name (Domain) can be configured with one RADIUS server group.
Data Planning
No. | Data
1 | RADIUS server group bound to the Domain
5 | Timeout interval and number of retransmission times of RADIUS messages
7 | Optional attributes of accounting messages
Procedure
Step 1 Run domain to specify the name of the Domain and enter the Domain view.
Step 2 Run radius-server group to bind the RADIUS server group to the Domain.
Step 3 Run quit to exit the Domain view.
Step 4 Run access-view to enter the access view.
Step 5 Run radius-server group to enter the RADIUS server group view.
Step 6 Run radius-server retransmit to configure the timeout interval of RADIUS messages and the number of retransmission times.
Step 7 Optional: Run radius-server acct-onoffsig to configure the optional attributes for accounting messages of the RADIUS server group.
----End
7.4.4 Configuring the Charging Characteristic

Context
The charging characteristic can be online charging, offline charging, online and offline charging, 3rd Generation Partnership Project 2 (3GPP2) postpaid charging, and 3GPP2 prepaid charging. The 3GPP2 prepaid charging characteristic can only be issued by the authentication, authorization and accounting (AAA) server. The other four charging characteristics can be configured on the PDSN9660.
Configuration Principle
- If a charging characteristic is configured for a domain that already has one, the existing settings are replaced by the new settings.
- The charging characteristic of a domain can be issued by the AAA server or configured on the PDSN9660. The charging characteristic issued by the AAA server has the higher priority.
- If the AAA server does not issue a charging characteristic during user authentication, the domain is not configured with a charging characteristic, or the content-based charging function is disabled, the 3GPP2 postpaid charging characteristic is employed for the users of the domain by default.
Data Planning
No. | Data
1 | Domain name of the user
2 | Whether the user supports the content-based charging function
3 | Charging mode of the user (offline charging, online charging, or online and offline charging)
4 | Whether to send the 3GPP2 usage data records (UDRs) of content-based charging users
5 | Whether to send the offline charging UDRs for online content-based charging users
6 | Whether to send the 3GPP2 UDRs for 3GPP2 prepaid users
Procedure
Step 1 Run domain to specify a domain and enter the domain view.
Step 2 Run charge-characteristic to configure the charging characteristic for users of the domain.
Step 3 Run quit to return to the system view.
Step 4 Run charge-view to enter the charge view.
Step 5 Run accountswitch to specify whether to send 3GPP2 UDRs for content-based charging users and 3GPP2 prepaid users.
----End
7.4.5 Configuring the Charging Parameters

Context
The domain-specific time threshold and volume threshold for generating a UDR are employed for users of a domain. If the domain is not configured with the domain-specific time threshold and volume threshold for generating a UDR, the global thresholds are employed.
Configuration Principle
Low time and volume thresholds limit how much charging information can be lost if a session is cut off, but they make the PDSN9660 send UDRs frequently, which may affect system performance. High time and volume thresholds protect system performance but may lose a large amount of charging information. Set the thresholds as required.
Data Planning
No. | Data
1 | Global time threshold for generating a UDR
2 | Global volume threshold for generating a UDR
3 | Domain name of the user
4 | Domain-specific time threshold for generating a UDR
5 | Domain-specific volume threshold for generating a UDR
Procedure
Step 1 Set the global time threshold and volume threshold for generating a UDR.
1. Run charge-view to enter the charge view.
2. Run charge-general-property to set the global time threshold and volume threshold for generating a UDR.
Step 2 Set the domain-specific time threshold and volume threshold for generating a UDR.
1. Run domain to specify a domain and enter the domain view.
2. Run threshold to set the domain-specific time threshold and volume threshold for generating a UDR.
----End
7.4.6 Configuring the Tariff Switch Function

Context
On the PDSN9660, you can set tariffs for different time segments: festivals, workdays, and weekends. After the tariff segments are specified, the PDSN9660 generates usage data records (UDRs) at the time points when the tariff changes. Two charging types are available for the configuration of the tariff segments: offline charging and postpaid charging. Flat rate charging is not a charging type because no tariff switch is required. The tariff for flat rate charging never changes; therefore, you do not need to configure it.
Configuration Principle
- To set the same workdays or weekends for users of all the charging types, you must set workdays or weekends twice by using different parameters.
- After configuring the tariff switch group, run charging-binding to bind it to a domain. Each domain can be bound with only one tariff switch group. If a domain is already bound with a tariff switch group, you must run undo charging-binding to unbind the group from the domain before you bind another group to the domain.
- You can add tariff switch points to or delete tariff switch points from a tariff switch group bound to a domain. If the tariff switch group contains only one tariff switch point, you must unbind the tariff switch group from the domain before deleting the tariff switch point.
Data Planning
No. | Data
1 | Festivals
2 | Workdays and weekends
3 | Time segments to apply the workday tariff, festival tariff, and weekend tariff
Procedure
Step 1 Configure the tariff switch function.
1. Run charge-view to enter the charge view.
2. Run festival to set the holidays and festivals, that is, set the tariff type of a specified date to festival.
3. Run weekday to set the week table for charging, that is, set the tariff type of a specified day to workday or weekend.
4. Run tariff to set the tariff switch points, that is, specify the time segments when the tariff types of festivals/holidays, workdays, and weekends are adopted.
Step 2 Bind the tariff switch group to a domain.
1. Run domain to specify a domain and enter the domain view.
2. Run charging-binding to bind a tariff switch group to the domain.
3. Run quit to return to the system view.
----End
7.4.7 Configuring the UDR Cache Function

Context
The PDSN9660 supports the UDR cache function. If the AAA server is disconnected from the PDSN9660, the PDSN9660 automatically caches the generated UDRs on the hard disk or other storage media. When the AAA server is restored, the PDSN9660 sends the cached UDRs to the AAA server, so charging records are not lost while the AAA server is unreachable. The PDSN9660 allows you to manually operate the UDR files cached on the hard disk, for example, to copy UDR files. Before processing a UDR file, you must lock the directory where the UDR file is cached. After processing the UDR file, unlock the directory.
Data Planning
None
Procedure
Step 1 Run charge-view to enter the charge view.
Step 2 Run set-charge-dir-status to set the status of the directory where the UDRs are cached.
----End
7.4.8 Maintaining the Data for RADIUS Authentication and Accounting

When some configuration is wrong or requires modification, you can run the following commands to delete the current configuration and reconfigure the system.
Table 7-8 Deleting the RADIUS authentication and accounting configuration
Command | Function
undo domain | Deletes the basic domain information.
undo radius-server accounting | Deletes the accounting configuration of the RADIUS server.
undo radius-server retransmit timeout | Deletes the timeout interval and number of retransmission times of a RADIUS accounting message.
7.4.9 Example of RADIUS Authentication and Accounting

Networking Requirement
Configure the PDSN to allow mobile stations (MSs) to access the enterprise network named enterprise.com. The PDSN9660 interworks with the authentication, authorization, and accounting (AAA) server to implement RADIUS authentication and accounting, thus preventing unauthorized users from accessing the enterprise network and enabling Internet service providers (ISPs) to charge users. See Figure 7-24.
Figure 7-24 Networking for an MS to access the enterprise network
(Network diagram; only its labels survived extraction: MS - BSC/PCF - Backbone Network)
Data Collection
Plan the data as follows.
Access point name (Domain) information
- Name of the Domain: enterprise.com
- Access mode of Point-to-Point Protocol (PPP) users: authentication access
- Address assignment mode: RADIUS assignment
- Name of the bound virtual private network (VPN) instance: enterprisevpn
RADIUS server
- Name of the RADIUS server group: isprg
- Active RADIUS authentication server: IP address 10.168.10.1, destination port number 1812, bound VPN instance enterprisevpn, key ispchina
- Standby RADIUS authentication server: IP address 10.168.10.2, destination port number 1812, bound VPN instance enterprisevpn, key ispchina
- Active RADIUS accounting server: IP address 10.168.10.1, destination port number 1813, bound VPN instance enterprisevpn, key ispchina
- Standby RADIUS accounting server: IP address 10.168.10.2, destination port number 1813, bound VPN instance enterprisevpn, key ispchina
- Whether to carry optional accounting attributes of the RADIUS server group: yes
- Timeout interval: 3 seconds
- Number of retransmission times: 3
Configuration Procedure
1. Configure the domain.
<PDSN>system-view
[PDSN]domain enterprise.com
# Set the access mode of PPP users to authentication access and the address assignment mode to RADIUS assignment.
[PDSN]access-view
[PDSN-access]ppp authmod auth
2. Configure the RADIUS server.
# Configure the RADIUS server group isprg.
[PDSN-access]radius-server group isprg
# Configure the RADIUS authentication server. Set the IP address of the active RADIUS authentication server to 10.168.10.1 and destination port number to 1812. Bind the active RADIUS authentication server to the VPN instance enterprisevpn. Set the key to ispchina.
[PDSN-access-radius-isprg]radius-server authentication ip 10.168.10.1 vpn-instance enterprisevpn port 1812 key ispchina
# Set the IP address of the standby RADIUS authentication server to 10.168.10.2 and destination port number to 1812. Bind the standby RADIUS authentication server to the VPN instance enterprisevpn. Set the key to ispchina.
[PDSN-access-radius-isprg]radius-server authentication ip 10.168.10.2 vpn-instance enterprisevpn port 1812 key ispchina secondary
# Configure the RADIUS accounting server. Set the IP address of the active RADIUS accounting server to 10.168.10.1 and destination port number to 1813. Bind the active RADIUS accounting server to the VPN instance enterprisevpn. Set the key to ispchina.
[PDSN-access-radius-isprg]radius-server accounting ip 10.168.10.1 vpn-instance enterprisevpn port 1813 key ispchina
# Set the IP address of the standby RADIUS accounting server to 10.168.10.2 and destination port number to 1813. Bind the standby RADIUS accounting server to the VPN instance enterprisevpn. Set the key to ispchina.
[PDSN-access-radius-isprg]radius-server accounting ip 10.168.10.2 vpn-instance enterprisevpn port 1813 key ispchina secondary
# Configure the optional accounting attributes. Configure that optional accounting messages are supported. Set the timeout interval to 3 seconds, the number of retransmission times to 3, and the wait time to 3 seconds. Configure that users are not activated before response messages are received.
[PDSN-access-radius-isprg]radius-server acct-onoffsig optional-accountmessage enable timeout 3 retransmit 3 waittime 3 active disable
[PDSN-access-radius-isprg]quit
[PDSN-access]quit
3. Bind the RADIUS server group to the domain.
# Enter the domain view.
[PDSN]domain enterprise.com
4.
7.5 Configuring the Data for the Diameter Online Charging Function

The Diameter online charging system of the PDSN9660 enables prepaid charging for both normal users and content-based charging (CBC) users.
7.5.1 Application Schemes for Online Charging: This describes the application schemes for online charging on the PDSN9660.
7.5.2 Configuring the Gy Interface: This describes how to create the logical communication path between the online charging system (OCS) and the PDSN9660.
7.5.3 Configuring the OCS Information: This describes how to configure the information about the online charging system (OCS).
7.5.4 Configuring the Primary and Secondary OCSs: This describes how to configure the primary and secondary online charging systems (OCSs) on the PDSN9660.
7.5.5 Configuring the Quota Threshold: This describes how to configure the quota threshold.
7.5.6 Configuring the Mode for Sending a CCR Message: This describes how to configure the mode in which the PDSN9660 sends a credit control request (CCR) message.
7.5.7 Configuring the Conditions for Sending a CCR Message: This describes how to configure the conditions for the PDSN9660 to send a credit control request (CCR) message.
7.5.8 Configuring the Tx Timer: This describes how to configure the Tx timer.
7.5.9 Configuring the Service Processing Actions: This describes how to configure the service processing actions.
7.5.10 Maintaining the Data for the Diameter Online Charging Function: This provides the commands used to maintain the data for the Diameter online charging function.
7.5.11 Configuration Example: This provides the example of configuration for the Diameter online charging function.
7.5.1 Application Schemes for Online Charging

Prerequisite
- The interworking between the PDSN9660 and neighboring network elements (NEs) is configured.
- The Domain is configured.
Configuration Roadmap
Figure 7-25 Configuration procedure for online charging (flowchart; only the caption survived extraction)
The procedure for configuring the Diameter online charging function on the PDSN9660 is as follows:
1. 7.5.2 Configuring the Gy Interface: Configure the Gy interface and its IP address for communication between the PDSN and the online charging system (OCS).
2. Identify the PDSN and OCS used for online charging so that they can set up a Diameter connection.
3. Configure online charging parameters. On the PDSN9660, you can configure a global, user-profile-specific, or Domain-specific Diameter credit control (DCC) template. Commands in the global DCC view are the same as those in the DCC template view. The primary and secondary OCSs must be configured. You can optionally set other parameters as required. To set parameters in the DCC template, you must run dcc-binding to bind the DCC template to a user profile or Domain.
- If no user profile is specified, the template specific to the Domain is employed by default.
- If neither a user profile nor a Domain is specified, the configuration of the global DCC template is employed by default.

Application Requirement | Configuration Example
- Global online charging: The global settings of online charging apply to users on the entire PDSN regardless of user profiles, Domain, or charging characteristics. Configure the online charging function according to service requirements. When the balance of a user is insufficient and the user cannot obtain a quota because the OCS does not allocate any quota through the CCA message, the PDSN terminates the service of the user. When a user applies for a non-subscribed service, the PDSN blocks the service. For details, see 7.5.11.1 Example of Global Online Charging.
- User-profile-specific or Domain-specific online charging: The settings of online charging apply to users of a specified user profile or Domain. Configure the online charging function according to service requirements. When the balance of a user is insufficient and the user cannot obtain a quota because the OCS does not allocate any quota through the CCA message, the PDSN terminates the service of the user. When a user applies for a non-subscribed service, the PDSN blocks the service. For details, see 7.5.11.2 Example of User-profile-specific, Domain-specific Online Charging.
7.5.2 Configuring the Gy Interface

Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- You can specify a virtual private network (VPN) for the logical interface to ensure security. In this case, you must bind the physical interface that corresponds to the logical interface to the VPN. To bind an interface to a VPN, associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
- The Gy interface is created on the SPU and can be modified only when the SPU runs normally and no user exists on the SPU. You cannot configure the Gy interface if the SPU is not started or is starting.
Data Planning
1. Name of the Gy interface that is used to interwork with the OCS
2. (Optional) VPNs to which the interfaces are bound
3. IP address of the Gy interface
Procedure
Step 1 Run interface to create the logical Gy interface.
The interface to be created must be the planned Gy interface. The interface name consists of the interface type gyif and the interface number. The interface number is in the format of SPU group number/CPU number/virtual port number. The Gy interface is created on the SPU and can be modified only when the SPU runs normally and no user exists on the SPU. You cannot configure the Gy interface if the SPU is not started or when it is starting. If the SPUs work in 1+1 backup mode, the SPU group number must be the odd slot number. If the PDSN9660 works in load-sharing mode, the SPU group number is the number of the slot where the SPU resides.
Step 2 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 3 Run ip address to set the IP address of the Gy interface.
NOTE
When the IP address of the Gy interface is set, the subnet mask must be 255.255.255.255.
----End
Context
Unique device information is assigned to each device on the network. The device information consists of the host name and the home domain name. The service context uniquely identifies a Diameter credit control (DCC) service.
Data Planning
1. PDSN9660 information: domain name, group number of the SPU where the Gy interface resides, and CPU number
2. OCS information: domain name and IP address
Procedure
Step 1 Run charge-view to enter the charge view.
Step 2 Run gy-local-info to add the information about the PDSN9660.
Step 3 Optional: Run set-gy-integrated to configure the PDSN9660 to use only one Gy interface.
Step 4 Run ocs-info to set the OCS information.
----End
Context
The PDSN9660 supports primary and secondary OCSs. When the PDSN9660 detects that the primary OCS does not respond to a request within a certain period, the PDSN9660 sends the request to the secondary OCS. If the OCSs support primary/secondary switchover, the service is not interrupted.
NOTE
When the OCSs work in primary/secondary mode, you can run active-ocs to forcibly specify the secondary OCS as the primary OCS. You can run auto-failback to specify whether the PDSN9660 switches the services from the secondary OCS to the primary OCS when the primary OCS reverts to the normal state.
Data Planning
1. Name of the primary OCS
2. Name of the secondary OCS
Context
- For global users
  1. Run charge-view to enter the charge view.
  2. Run dcc-global-view to enter the Diameter credit control (DCC) global view.
  3. Run ocs-host-name to set the names of the primary and secondary OCSs.
  4. Run ocs-init to specify whether the exchange between the PDSN9660 and the OCS is required when an online charging user is being activated.
  5. Run ccfh to specify the fault handling method after the Tx timer expires.
  6. Run ccsf to configure whether the CC message stream is forwarded to the backup server during an ongoing CC session.
- For users of a specific user profile, Domain, or charging characteristic
  1. Run charge-view to enter the charge view.
  2. Run dcc-template to enter the DCC template view.
  3. Run ocs-host-name to set the names of the primary and secondary OCSs.
  4. Run ocs-init to specify whether the exchange between the PDSN9660 and the OCS is required when an online charging user is being activated.
  5. Run ccfh to specify the fault handling method after the Tx timer expires.
  6. Run ccsf to configure whether the CC message stream is forwarded to the backup server during an ongoing CC session.
Context
The PDSN9660 applies for quotas from the online charging system (OCS). If the consumed quota exceeds the configured threshold, the PDSN9660 must report the quota utilization to the OCS immediately. The configuration on the OCS determines whether the OCS delivers all quotas or a part of quotas to the PDSN at a time. If the OCS delivers a part of quotas each time, the PDSN must apply for quotas again when the applied quotas are exhausted. If quotas are not available on the OCS when the PDSN applies for quotas, the user is prompted to recharge the account.
Context
- For global users
  1. Run charge-view to enter the charge view.
  2. Run dcc-global-view to enter the Diameter credit control (DCC) global view.
  3. Run valid-time to set the validity period of quotas. The validity period of quotas refers to the duration in which the applied quotas can be used.
  4. Run qct to set the quota consumption time. When the packet transmission gap reaches this threshold, the charging is suspended.
  5. Run qht to set the quota holding time. When the duration of no quota usage after packet transmission stops reaches this threshold, the PDSN9660 reports the quota usage to the OCS.
  6. Run vqt to set the volume quota threshold. If the PDSN concludes that the remaining volume quotas are equal to or lower than this threshold, it sends a credit control request (CCR) message.
  7. Run tqt to set the time quota threshold. If the remaining time quotas are equal to or lower than this threshold, the PDSN9660 sends a CCR message.
- For users of a specific user profile, Domain, or charging characteristic
  1. Run charge-view to enter the charge view.
  2. Run dcc-template to enter the DCC template view.
  3. Run valid-time to set the validity period of quotas. The validity period of quotas refers to the duration in which the applied quotas can be used.
  4. Run qct to set the quota consumption time. When the packet transmission gap reaches this threshold, the charging is suspended.
  5. Run qht to set the quota holding time. When the duration of no quota usage after packet transmission stops reaches this threshold, the PDSN9660 reports the quota usage to the OCS.
  6. Run vqt to set the volume quota threshold. If the PDSN9660 concludes that the remaining volume quotas are equal to or lower than this threshold, it sends a CCR message.
  7. Run tqt to set the time quota threshold. If the remaining time quotas are equal to or lower than this threshold, the PDSN9660 sends a CCR message.
Context
On the PDSN9660, in addition to the number of rating groups (RGs) carried in the credit control request initial (CCR-I) message, you can configure whether the CCR message carries the tariff switch points issued in the credit control answer (CCA) message, and whether the charging information is reported in cumulative mode or incremental mode through the Gy interface.
Data Planning
1. Whether the CCR message carries the tariff switch point issued in the CCA message
2. Number of RGs carried in the CCR-I message
Context
- For global users
  1. Run charge-view to enter the charge view.
  2. Run dcc-global-view to enter the Diameter credit control (DCC) global view.
  3. Run ccr-tariff-switch to specify whether the CCR message carries the tariff switch time carried in the CCA message.
  4. Run ccr-init-rg-num to set the number of RGs carried in the CCR-I message.
- For users of a specific user profile, Domain, or charging characteristic
  1. Run charge-view to enter the charge view.
  2. Run dcc-template to enter the DCC template view.
  3. Run ccr-tariff-switch to specify whether the CCR message carries the tariff switch time carried in the CCA message.
  4. Run ccr-init-rg-num to set the number of RGs carried in the CCR-I message.
Context
When a user is using an online charging service, the PDSN checks the quota usage in real time and records the charging information about the service in the corresponding container at a specified time. When the quotas of this service are consumed to a certain degree, the PDSN reports the quota consumption to the online charging system (OCS) and applies for new quotas. The PDSN9660 can send a CCR message on either of the following conditions:
- The IP address of the PCF changes.
- The service changes.
Data Planning
1. Conditions for sending a CCR message for a global user
2. Conditions for sending a CCR message for a user of a specific user profile, access point name (Domain), or charging characteristic
Context
- For global users
  1. Run charge-view to enter the charge view.
  2. Run dcc-global-view to enter the Diameter credit control (DCC) global view.
  3. Run pcf-ho-trigger to specify whether the PDSN9660 sends a CCR message when the PCF IP address changes.
  4. Run service-trigger to specify whether the CCR message is sent when the service changes.
- For users of a specific user profile, Domain, or charging characteristic
  1. Run charge-view to enter the charge view.
  2. Run dcc-template to enter the DCC template view.
  3. Run pcf-ho-trigger to specify whether the PDSN9660 sends a CCR message when the PCF IP address changes.
  4. Run service-trigger to specify whether the CCR message is sent when the service changes.
Context
The online charging system (OCS) periodically reports quota information. You can configure the timeout interval of the Tx timer to control the duration that the PDSN9660 waits for a response from the OCS. If the PDSN9660 does not receive a response from the OCS before the Tx timer expires, the PDSN9660 considers that the OCS fails to respond and then handles the fault according to the configuration.
Data Planning
1. Timeout interval of the Tx timer
2. Service holding time
Context
- For global users
  1. Run charge-view to enter the charge view.
  2. Run dcc-global-view to enter the Diameter credit control (DCC) global view.
  3. Run txtimer to specify the timeout interval of the Tx timer.
  4. Run ccfh to specify the fault handling method after the Tx timer expires.
  5. Run holding-time to specify the service holding time after the Tx timer expires.
- For users of a specific user profile, Domain, or charging characteristic
  1. Run charge-view to enter the charge view.
  2. Run dcc-template to enter the DCC template view.
  3. Run txtimer to specify the timeout interval of the Tx timer.
  4. Run ccfh to specify the fault handling method after the Tx timer expires.
  5. Run holding-time to specify the service holding time after the Tx timer expires.
Context
The PDSN9660 takes different actions in the following scenarios:
- Insufficient balance: When a user attempts to access a service and the online charging system (OCS) finds that the user balance is insufficient for the service, the OCS instructs the PDSN9660 to redirect the user request to a recharge page.
- Non-subscribed service: When the OCS finds that a user applies for a non-subscribed service, the PDSN9660 redirects the user request to a subscription page.
- Non-successful command-level message code: When the credit control answer (CCA) message received by the PDSN carries a non-successful command-level message code, the PDSN either allows the user to access the service and adopts the offline charging mode, or terminates the current service of the user.
- Non-successful MSCC-level message code: When the CCA message received by the PDSN carries a non-successful MSCC-level message code, the PDSN either allows the user to access the service and adopts the offline charging mode, or terminates the current service of the user.
- No rating group (RG) in the Re-Auth-Request (RAR) message: When the RAR message that the PDSN receives from the OCS does not carry an RG, the PDSN specifies whether the credit control request (CCR) message carries the information about the usage of all RGs.
- RG applying for the quota: When the RG applies for the quota, the PDSN either caches or discards the data packets.
Context
- For global users
  1. Run charge-view to enter the charge view.
  2. Run dcc-global-view to enter the Diameter credit control (DCC) global view.
  3. Run mscc-4012-action to set the action for multiple services credit control (MSCC) 4012. When the balance of a user is insufficient and the user cannot obtain quotas through the CCA message, the PDSN9660 determines whether to terminate the service of the user based on the setting of this command.
  4. Run mscc-5003-action to set the action for MSCC 5003. When a user applies for a non-subscribed service, the PDSN9660 determines whether to allow the user to access this service based on the setting of this command.
  5. Run command-level-default-behavior to set the default action when the CCA message received by the PDSN9660 carries a non-successful command-level message code.
  6. Run mscc-level-default-behavior to set the default action when the CCA message received by the PDSN9660 carries a non-successful MSCC-level message code.
  7. Run rar-no-rg-action to set the action when the RAR message received by the PDSN9660 does not carry an RG.
  NOTE
  When the RG applies for the quota, run quota-application-action to set the action to cache or discard the data packets.
- For users of a specific user profile, Domain, or charging characteristic
  1. Run charge-view to enter the charge view.
  2. Run dcc-template to enter the DCC template view.
  3. Run mscc-4012-action to set the action for MSCC 4012. When the balance of a user is insufficient and the user cannot obtain quotas through the CCA message, the PDSN9660 determines whether to terminate the service of the user based on the setting of this command.
  4. Run mscc-5003-action to set the action for MSCC 5003. When a user applies for a non-subscribed service, the PDSN9660 determines whether to allow the user to access this service based on the setting of this command.
  5. Run command-level-default-behavior to set the default action when the CCA message received by the PDSN9660 carries a non-successful command-level message code.
  6. Run mscc-level-default-behavior to set the default action when the CCA message received by the PDSN9660 carries a non-successful MSCC-level message code.
  7. Run rar-no-rg-action to set the action when the RAR message received by the PDSN9660 does not carry an RG.
  NOTE
  When the RG applies for the quota, run quota-application-action in the user profile view to set the action that the PDSN9660 takes to process the data packets during quota application.
7.5.10 Maintaining the Data for the Diameter Online Charging Function
This provides the commands used to maintain the data for the Diameter online charging function. When the preceding configuration is complete, you can run the following commands to query the running status or check the configuration.
Table 7-10 Displaying the Diameter online charging configuration
display gy-local-info: Displays the local device information and the local service context.
display ocs-info: Displays the online charging system (OCS) information.
display dcc-binding: Displays the user-profile-specific, Domain-specific Diameter credit control (DCC) templates.
(command not captured): Displays the configurations in the DCC template.
(command not captured): Displays the configurations in the DCC global template.
(command not captured): Displays the mode of the Gy interface: single-interface (centralized mode) or multiple-interface (distributed mode).
When some configuration is incorrect or requires modification, you can run the following commands to delete the current configuration and reconfigure the system.
Table 7-11 Deleting the Diameter online charging configuration
undo gy-local-info: Deletes the local device information and the local service context.
undo ocs-info: Deletes the OCS information.
undo dcc-binding: Deletes the user-profile-specific, Domain-specific DCC templates.
undo dcc-template: Deletes the DCC template.
undo ocs-host-name: Deletes the OCS servers configured in the DCC global view.
undo set-gy-integrated: Disables the centralized mode on the Gy interface.
Networking Requirement
The PDSN supports Diameter online charging by connecting to the online charging system (OCS) based on the Diameter protocol. See Figure 7-26.
Figure 7-26 Networking of Diameter online charging (PDSN connected to the OCS over the Gy interface)
Data Collection
Plan the data as follows.
Gy interface:
- Gy interface name: gyif7/0/0
- IP address of the Gy interface: 10.8.10.1
- Subnet mask of the Gy interface: 255.255.255.255
Online charging device information (values as used in the configuration procedure below):
- PDSN SPU number: 7
- PDSN CPU number: 0
- PDSN host name: pdsn
- PDSN home domain: isp.com
- Service context: context
- Service product name: huawei.com
- OCS host name: ocs1
- OCS home domain: isp.com
- IP address of the OCS: 10.110.218.59
Charging option for users:
- Domain: isp.com
- Charging type for the users of the Domain: online
Primary OCS:
- Name of the primary OCS: OCS1
Quota threshold:
- Quota consumption time: 10 seconds
- Quota holding time: 15 seconds
- Volume quota threshold: 10%
- Time quota threshold: 20%
CCR triggering mechanism:
- Whether to send a CCR message when the PCF changes: enable
- Whether to send a CCR message when there is a new service: enable
- Number of the RGs carried in a CCR-I message: 10
Timer:
- Timeout interval of the Tx timer: 5 seconds
- Error handling mode after the Tx timer expires: Terminate
Service processing actions:
- Action when the balance is insufficient: Terminate
- Action when a user applies for a non-subscribed service: Block
Configuration Procedure
1. Configure the Gy interface.
# Enter the system view.
<PDSN>system-view
# Set the IP address of the Gy interface to 10.8.10.1 and the subnet mask to 255.255.255.255.
[PDSN-Gyif7/0/0]ip address 10.8.10.1 255.255.255.255
2.
# Add the local information for CPU 0 on the SPU in slot 7. The host name is pdsn. The name of the home domain is isp.com. The service context is context. The product name is huawei.com.
[PDSN-charge]gy-local-info spu 7 cpu 0 host pdsn realm isp.com service-context context product-name huawei.com
# Add information about the OCS whose IP address is 10.110.218.59. The host name is ocs1. The name of the home domain is isp.com.
[PDSN-charge]ocs-info ocs-host ocs1 realm isp.com ip 10.110.218.59
3. Configure the primary and secondary OCSs.
# Enter the DCC global view.
[PDSN-charge]dcc-global-view
# Set the name of the primary OCS to ocs1 and no secondary OCS is available.
[PDSN-dcc-global]ocs-host-name primary ocs1
4. Configure the quota threshold.
# Set the quota consumption time to 10 seconds.
[PDSN-dcc-global]qct 10
5. Configure the conditions for sending a CCR message.
# Configure the PDSN9660 to send a CCR message when the IP address of the PCF changes.
[PDSN-dcc-global]pcf-ho-trigger enable
# Configure the PDSN9660 to send a CCR message when there is a new service.
[PDSN-dcc-global]service-trigger enable
6. Configure the Tx timer.
# Set the timeout interval of the Tx timer to five seconds.
[PDSN-dcc-global]txtimer 5
# Configure the PDSN9660 to terminate the service of a user after the Tx timer expires.
[PDSN-dcc-global]ccfh terminate
7. Configure the service processing actions.
# Configure the PDSN9660 to terminate a service when the balance of a user is insufficient and the CCA message does not carry any quota.
[PDSN-dcc-global]mscc-4012-action terminate
# Configure the PDSN9660 to block the service when a user applies for a non-subscribed service.
[PDSN-dcc-global]mscc-5003-action block
8.
Networking Requirement
The PDSN supports Diameter online charging by connecting to the online charging system (OCS) based on the Diameter protocol. See Figure 7-27.
Figure 7-27 Networking of Diameter online charging (PDSN connected to the OCS over the Gy interface)
Data Collection
Plan the data as follows.
Gy interface:
- Gy interface name: gyif7/0/0
- IP address of the Gy interface: 10.8.10.1
- Subnet mask of the Gy interface: 255.255.255.255
Online charging device information (values as used in the configuration procedure below):
- PDSN SPU number: 7
- PDSN CPU number: 0
- PDSN host name: pdsn
- PDSN home domain: isp.com
- Service context: context
- Service product name: huawei.com
- OCS host name: ocs1
- OCS home domain: isp.com
- IP address of the OCS: 10.110.218.59
Charging option for users:
- Domain: isp.com
- Charging type for the users of the Domain: online
Primary OCS:
- Online charging template: dcct
- Name of the primary OCS: OCS1
Quota threshold:
- Quota consumption time: 10 seconds
- Quota holding time: 15 seconds
- Volume quota threshold: 10%
- Time quota threshold: 20%
CCR triggering mechanism:
- Whether to send a CCR message when the PCF changes: enable
- Whether to send a CCR message when there is a new service: enable
- Number of the RGs carried in a CCR-I message: 10
Timer:
- Timeout interval of the Tx timer: 5 seconds
- Error handling mode after the Tx timer expires: Terminate
Service processing actions:
- Action when the balance is insufficient: Terminate
- Action when a user applies for a non-subscribed service: Block
- User profile to which the online charging template is bound: up
Configuration Procedure
1. Configure the Gy interface.
# Enter the system view.
<PDSN>system-view
# Set the IP address of the Gy interface to 10.8.10.1 and the subnet mask to 255.255.255.255.
[PDSN-Gyif7/0/0]ip address 10.8.10.1 255.255.255.255
2.
# Add the local information for CPU 0 on the SPU in slot 7. The host name is pdsn. The name of the home domain is isp.com. The service context is context. The product name is huawei.com.
[PDSN-charge]gy-local-info spu 7 cpu 0 host pdsn realm isp.com service-context context product-name huawei.com
# Add information about the OCS whose IP address is 10.110.218.59. The host name is ocs1. The name of the home domain is isp.com.
[PDSN-charge]ocs-info ocs-host ocs1 realm isp.com ip 10.110.218.59
3. Configure the primary and secondary OCSs.
# Set the name of the DCC template to dcct, and enter the DCC template view.
[PDSN-charge]dcc-template dcct
# Set the name of the primary OCS to ocs1 and no secondary OCS is available.
[PDSN-dcc-template-dcct]ocs-host-name primary ocs1
4. Configure the quota threshold.
# Set the quota consumption time to 10 seconds.
[PDSN-dcc-template-dcct]qct 10
5. Configure the conditions for sending a CCR message.
# Configure the PDSN9660 to send a CCR message when the IP address of the PCF changes.
[PDSN-dcc-template-dcct]pcf-ho-trigger enable
# Configure the PDSN9660 to send a CCR message when there is a new service.
[PDSN-dcc-template-dcct]service-trigger enable
6. Configure the Tx timer.
# Set the timeout interval of the Tx timer to five seconds.
[PDSN-dcc-template-dcct]txtimer 5
# Configure the PDSN9660 to terminate the service of a user after the Tx timer expires.
[PDSN-dcc-template-dcct]ccfh terminate
7. Configure the service processing actions.
# Configure the PDSN9660 to terminate a service when the balance of a user is insufficient and the CCA message does not carry any quota.
[PDSN-dcc-template-dcct]mscc-4012-action terminate
# Configure the PDSN9660 to block the service when a user applies for a non-subscribed service.
[PDSN-dcc-template-dcct]mscc-5003-action block
8. 9.
Prerequisite
- The interworking between the PDSN9660 and neighboring network elements (NEs) is configured.
- The Domain is configured.
7.6.1 Application Schemes for Content-based Charging
This describes the application schemes for content-based charging on the PDSN9660.
7.6.2 Configuring the Content-based Charging Function
This describes how to configure the content-based charging (CBC) function.
7.6.3 Maintaining the Data for the Content-based Charging Function
This provides the commands used to maintain the data for the content-based charging (CBC) function.
7.6.4 Configuration Example
This provides the example of configuration for the content-based charging (CBC) function on the PDSN9660.
Configuration Roadmap
Figure 7-28 Configuration procedure for content-based charging
The procedure for configuring the content-based charging function on the PDSN9660 is as follows:
1. Configure the Layer 3/Layer 4 filter. Configure the filter for content-based charging. Set the Layer 3 filter (source and destination IP addresses), Layer 4 filter (port range), Layer 3/Layer 4 protocol type, and value of the type of service (ToS) field. The PDSN9660 can distinguish the contents of the user uplink and downlink packets through Layer 3/Layer 4 packet filtering and analysis.
2. Configure the charging property. Set the content-based billing (CBB) ID and the charging mode that are used when the service is initiated by the upstream or downstream device. The charging mode can be time-based, volume-based, or free of charge.
3. Configure the Layer 7 protocol related information. Configure the Layer 7 filter for the Hypertext Transfer Protocol (HTTP), Wireless Application Protocol 2.0 (WAP 2.0), WAP 1.X, File Transfer Protocol (FTP), Real-Time Streaming Protocol (RTSP), and domain name server (DNS). Set the uniform resource locator (URL) and the corresponding charging properties. The PDSN9660 distinguishes the contents of uplink and downlink packets, and then performs the charging accordingly.
4. Configure the service policy combination. Specify the content-based charging rule, including the filter group, Layer 7 information group, default charging properties for service packets and signaling packets, and validity time range of the rule. Specify whether associated charging is enabled. Then, bind the rule to the user profile.
5. Apply the service policy combination to the Domain.
NOTE
- In a content-based charging rule, you can define the Layer 3/Layer 4 filter only, or both the Layer 3/Layer 4 filter and the Layer 7 filter. If the Layer 7 filter is for HTTP, WAP 1.X, WAP 2.0, RTSP, or DNS packets, you can also define the URLs.
- For the Layer 3/Layer 4 filter, it is recommended that you specify the parameters precisely to improve the packet-matching capability of the PDSN9660.
- To realize deep packet inspection (DPI) for service packets, you must configure the action properties before configuring the Layer 7 filter. Thus, the PDSN9660 can take actions accordingly for uplink and downlink packets when the service is initiated by the upstream or downstream device. The action can be gate, car, redirect, remark, or charge-point. The actions are taken according to the configured sequence.
Configuration Example: For details, see 7.6.4.1 Example of Content-based Charging for a Specified Service.
Configuration Example: For details, see 7.6.4.2 Example of Content-based Charging and Service Control for a Specified Service.
Application Requirement: The PDSN9660 performs content-based charging for the phone daily service of the users of the Domain. The Layer 3/Layer 4 protocol is TCP. The Layer 7 protocol is HTTP. The URL is www.sina.com*/*. Different actions are taken for uplink and downlink packets to control the content-based charging service.
Associated Charging
You can run rule to apply the charging properties for service packets to link setup packets. The link setup packets are transmitted before service packets. The charging properties for service packets can be applied to link setup packets in real time or not.
- Real-time: The PDSN9660 performs charging for link setup packets according to the Layer 3/Layer 4 rule and reports the charging data immediately. If service packets arrive before the charging data for link setup packets is reported, the charging properties of the first unblocked service packet are applied to the charging of link setup packets.
- Non-real-time: The PDSN9660 performs charging for link setup packets according to the Layer 3/Layer 4 rule but does not report the charging data within the configured association time. After service packets arrive, the charging properties of the first unblocked service packet are applied to the charging of link setup packets. If the association time expires before service packets arrive, the PDSN9660 reports the charging data of link setup packets according to the Layer 3/Layer 4 rule.
Link release packets generally arrive after service packets and adopt the charging properties of the last unblocked service packet.
Configuration Principle
- Run filter to configure the filter before running filter-group to configure the filter group. After configuring the filter, run refresh-service to make the configured filter take effect.
- Run cbb-id to configure the content-based billing (CBB) ID before running charge-property to configure the charging properties.
- Run charge-property to configure the charging properties before running l7-info to configure the Layer 7 information.
- Run l7-info to configure the Layer 7 information before running l7-info-group to configure the Layer 7 information group. The Layer 7 information and Layer 7 information group are not required if the PDSN9660 does not perform Layer 7 filtering for packets.
- Run filter-group, l7-info-group, and charge-property to configure the filter group, Layer 7 information group, and charging properties respectively before running rule to configure the rule. The Layer 7 information and Layer 7 information group are not required if the PDSN9660 does not perform Layer 7 filtering for packets.
- Run rule to configure the rule before binding the rule to a user profile.
Data Planning
1. Plan the filter and the filter group. The filter includes the Layer 3/Layer 4 parsing parameters such as Layer 3/Layer 4 protocol type, mobile station (MS) IP address and wildcard mask, MS port range, server IP address and wildcard mask, and server port range.
2. Plan the CBB IDs and the charging properties.
3. (Optional) Plan the Layer 7 information and the Layer 7 information group.
4. Plan the CBC rule. The rule includes the filter group, Layer 7 protocol, Layer 7 information group, default charging properties for signaling and service, and validity time range of the rule.
5. Plan the user profile to which a rule is bound.
6. Plan the Domain to which a user profile is bound.
Procedure
Step 1 Configure the Layer 3/Layer 4 filter.
1. Run service-view to enter the service view.
2. Run filter to set the Layer 3/Layer 4 filter.
3. Run refresh-service to make the newly configured filter take effect.
4. Run filter-group to configure the filter group and bind the configured filter to the group.
Step 2 Configure the charging property.
1. Run cbb-id to set a CBB ID.
2. Run charge-property to configure the charging properties, including the CBB IDs for uplink-initiated and downlink-initiated services.
3. (Optional) Run cbb-id global-service to set the global CBB ID for service packets.
4. (Optional) Run cbb-id global-signaling to set the global CBB ID for signaling packets.
Step 3 Configure the Layer 7 protocol related information.
1. Run l7-info to configure the Layer 7 information.
2. Run l7-info-group to set the Layer 7 information group and bind the configured Layer 7 information to this group.
3. (Optional) Run flow-node-agetime to configure the aging time of the quintuple for various Layer 7 protocols.
Step 4 Configure the service policy combination.
1. Run rule to specify the content-based charging rule, including the filter group, Layer 7 information group, charging property, the time when the rule takes effect, and whether to apply the charging properties for service packets to link setup packets.
2. (Optional) If you have configured associated charging by running rule, run cbb-association-method to specify whether the associated charging is real-time or not.
3. (Optional) If you have configured non-real-time associated charging by running cbb-association-method, run associate-time to set the default association time for signaling packets to apply the charging properties of service packets.
4. Run user-profile to enter the user profile view.
5. Run rule-binding to bind the content-based charging rule to the user profile.
6. (Optional) Run charge-property-binding to configure the charging properties for service packets, signaling packets, retransmitted Transmission Control Protocol (TCP) packets, and captive portal redirection packets respectively. These charging properties are employed when no charging property of a rule can be matched.
7. Run quit to exit the user profile view.
8. Run quit to exit the service view.
Step 5 Apply the service policy combination to the Domain.
1. Run domain to specify the name of the Domain and enter the Domain view.
2. Run user-profile-binding to bind the user profile to the Domain.
----End
The following commands display the CBC configuration.
(command not captured): Displays the filters.
(command not captured): Displays the filter groups.
(command not captured): Displays the content-based billing (CBB) IDs.
display charge-property: Displays the charging properties.
display action-list: Displays the action lists.
display action-property: Displays the action properties.
display l7-info: Displays the Layer 7 information.
display l7-info-group: Displays the Layer 7 information groups.
display rule: Displays the rules.
display rule-binding: Displays all the rules bound to the user profile.
display user-profile: Displays the information about the user profile.
display charge-property-binding: Displays the default charging properties.
display user-profile-binding: Displays all the user profiles bound to the Domain.
When a configuration item is incorrect or must be modified, run the following commands to delete the current configuration and then reconfigure it.

NOTE
A filter or rule that is still bound cannot be deleted. Unbind the filter or rule before deleting it.

Table 7-14 Deleting the CBC configuration
Command                       Function
undo filter                   Deletes the filters.
undo filter-group             Deletes the filter groups.
undo cbb-id                   Deletes the CBB IDs.
undo charge-property          Deletes the charging properties.
undo action-list              Deletes the action lists.
undo action-property          Deletes the action properties.
undo l7-info                  Deletes the Layer 7 information.
undo l7-info-group            Deletes the Layer 7 information groups.
undo rule                     Deletes the rules.
undo rule-binding             Deletes all the rules bound to the user profile.
undo charge-property-binding  Deletes the default charging properties.
undo user-profile             Deletes the information about the user profile.
undo user-profile-binding     Deletes all the user profiles bound to the Domain.
Issue 02 (2009-04-10)
Networking Requirement

The CBC function is implemented on the PDSN9660 in software, so the networking for CBC is the same as that for normal charging. See Figure 7-29.

Figure 7-29 Networking for CBC (MS - BSC/PCF - PDSN9660 - core network - WAP, HTTP, FTP and other servers)

Data Collection

Plan the data as follows.

Layer 3/Layer 4 filter
  Filter                                                        filter1
  Layer 3/Layer 4 protocol                                      TCP
  Server port number                                            80
  Filter group to which the filter is bound                     group1

Charging processing parameters
  Content-based billing (CBB) ID                                cbb1
  Rating group (RG)                                             10
  Charging property                                             cp1
  CBB ID for packets sent by the upstream or downstream device  cbb1

Layer 7 information
  Layer 7 information name                                      http
  Uniform resource locator (URL)                                www.sina.com*/*
  Charging property                                             cp1
  Layer 7 information group to which the Layer 7 information is bound   httpg
  Aging time of the Hypertext Transfer Protocol (HTTP) quintuple        120 seconds

Service policy combination
  Rule                                                          rule1
  Filter group                                                  group1
  Layer 7 protocol                                              http
  Layer 7 information group                                     httpg
  Default charging property for service packets                 cp1
  User profile to which the rule is bound                       up1
  Priority                                                      9
  Default charging property for service packets of the user profile    cp1

Service policy combination applied to the Domain
  Name of the Domain to which the user profile is bound         isp.com
Configuration Procedure

1. Configure the Layer 3/Layer 4 filter.
# Enter the system view and then the service view.
<PDSN>system-view
[PDSN]service-view
# Configure the Layer 3/Layer 4 filter. Set the filter name to filter1, the Layer 3/Layer 4 protocol to TCP, and the server port number to 80.
[PDSN-service]filter filter1 l34-protocol tcp server-port eq 80
# Run refresh-service so that the new filter takes effect, and bind filter1 to the filter group group1 by running filter-group.

2. Set the charging processing parameters for packets.
# Set the CBB ID to cbb1 and the RG to 10.
[PDSN-service]cbb-id cbb1 rg 10
# Set the charging property to cp1. CBB ID cbb1 is used for packets whether the service is initiated by the upstream or the downstream device.
[PDSN-service]charge-property cp1 up-initial cbb1 down-initial cbb1

3. Configure the Layer 7 information.
# Create the Layer 7 information http: when the URL matches www.sina.com*/*, the charging property cp1 applies.
[PDSN-service]l7-info http url www.sina.com*/* charge-property cp1
# Bind the Layer 7 information http to the Layer 7 information group httpg.
[PDSN-service]l7-info-group httpg l7-info http sequence 1
# Set the aging time of the HTTP quintuple to 120 seconds.
[PDSN-service]flow-node-agetime l7-protocol http time 120

4. Configure the service policy combination.
# Configure the rule rule1. Set the filter group to group1, the Layer 7 protocol to HTTP, the Layer 7 information group to httpg, and the default charging property for service packets to cp1.
[PDSN-service]rule rule1 filter-group group1 l7-protocol http l7-info-group httpg service charge-property cp1
# Create the user profile up1 and enter the user profile view.
[PDSN-service]user-profile up1
# Bind the rule rule1 to the user profile and set the priority to 9.
[PDSN-service-profile-up1]rule-binding rule1 priority 9
# Set the default charging property for service packets of the user profile to cp1.
[PDSN-service-profile-up1]charge-property-binding service-charge-property cp1
# Return to the system view.
[PDSN-service-profile-up1]quit
[PDSN-service]quit

5. Apply the service policy combination to the Domain.
# Enter the Domain view.
[PDSN]domain isp.com

6. Bind the user profile up1 to the Domain by running user-profile-binding in the Domain view.
Networking Requirement

The CBC function is implemented on the PDSN9660 in software, so the networking for CBC is the same as that for normal charging. See Figure 7-30.

Figure 7-30 Networking for CBC (MS - BSC/PCF - PDSN9660 - core network - WAP, HTTP, FTP and other servers)

Data Collection

Plan the data as follows.

Layer 3/Layer 4 filter
  Filter                                                        filter1
  Layer 3/Layer 4 protocol                                      TCP
  Server port number                                            80
  Filter group to which the filter is bound                     group1

Actions on packets
  Action list                                                   al
  Gate control action                                           pass
  Charging point                                                After the action
  Action property                                               ap
  Action list for uplink and downlink packets sent by the upstream or downstream device   al

Charging processing parameters
  Content-based billing (CBB) ID                                cbb1
  Rating group (RG)                                             10
  Charging property                                             cp1
  CBB ID for packets sent by the upstream or downstream device  cbb1

Layer 7 information
  Layer 7 information name                                      http
  Uniform resource locator (URL)                                www.sina.com*/*
  Charging property                                             cp1
  Action property                                               ap
  Layer 7 information group to which the Layer 7 information is bound   httpg
  Aging time of the Hypertext Transfer Protocol (HTTP) quintuple        120 seconds

Service policy combination
  Rule                                                          rule1
  Filter group                                                  group1
  Layer 7 protocol                                              http
  Layer 7 information group                                     httpg
  Default charging property for service packets                 cp1
  User profile to which the rule is bound                       up1
  Priority                                                      9
  Default charging property for service packets of the user profile    cp1

Service policy combination applied to the Domain
  Name of the Domain to which the user profile is bound         isp.com
Configuration Procedure

1. Configure the Layer 3/Layer 4 filter.
# Enter the system view and then the service view.
<PDSN>system-view
[PDSN]service-view
# Configure the Layer 3/Layer 4 filter. Set the filter name to filter1, the Layer 3/Layer 4 protocol to TCP, and the server port number to 80.
[PDSN-service]filter filter1 l34-protocol tcp server-port eq 80
# Run refresh-service so that the new filter takes effect, and bind filter1 to the filter group group1 by running filter-group.

2. Configure the actions for packets.
# Set the gate control action of the action list al to pass and place the charge point after the action.
[PDSN-service]action-list al gate pass charge-point
# Create the action property ap and use the action list al for uplink and downlink packets, whether the service is initiated by the upstream or the downstream device.
[PDSN-service]action-property ap up-initial up-action-list al down-action-list al down-initial up-action-list al down-action-list al

3. Set the charging processing parameters for packets.
# Set the CBB ID to cbb1 and the RG to 10.
[PDSN-service]cbb-id cbb1 rg 10
# Set the charging property to cp1. CBB ID cbb1 is used for packets whether the service is initiated by the upstream or the downstream device.
[PDSN-service]charge-property cp1 up-initial cbb1 down-initial cbb1

4. Configure the Layer 7 information.
# Create the Layer 7 information http: when the URL matches www.sina.com*/*, the charging property cp1 and the action property ap apply.
[PDSN-service]l7-info http url www.sina.com*/* charge-property cp1 action-property ap
# Bind the Layer 7 information http to the Layer 7 information group httpg.
[PDSN-service]l7-info-group httpg l7-info http sequence 1
# Set the aging time of the HTTP quintuple to 120 seconds.
[PDSN-service]flow-node-agetime l7-protocol http time 120

5. Configure the service policy combination.
# Configure the rule rule1. Set the filter group to group1, the Layer 7 protocol to HTTP, the Layer 7 information group to httpg, and the default charging property for service packets to cp1.
[PDSN-service]rule rule1 filter-group group1 l7-protocol http l7-info-group httpg service charge-property cp1
# Create the user profile up1 and enter the user profile view.
[PDSN-service]user-profile up1
# Bind the rule rule1 to the user profile and set the priority to 9.
[PDSN-service-profile-up1]rule-binding rule1 priority 9
# Set the default charging property for service packets of the user profile to cp1.
[PDSN-service-profile-up1]charge-property-binding service-charge-property cp1
# Return to the system view.
[PDSN-service-profile-up1]quit
[PDSN-service]quit

6. Apply the service policy combination to the Domain.
# Enter the Domain view.
[PDSN]domain isp.com

7. Bind the user profile up1 to the Domain by running user-profile-binding in the Domain view.
7.7 Configuring the Data for the Service Resolution and Control Function

This section describes the service resolution and control function and how to configure it, and provides a configuration example.

Prerequisite
- The interworking between the PDSN9660 and the neighboring network elements (NEs) is configured.
- The Domain is configured.

7.7.1 Planning the Application Scheme for Service Control
This describes the application scheme for service control.
7.7.2 Configuring the Service Control Function
This describes how to configure the service control function.
7.7.3 Maintaining the Data for the Service Control Function
This provides the commands used to maintain the data for the service control function.
7.7.4 Configuration Example
This provides an example of configuring the service resolution and control function on the PDSN9660.
Configuration Roadmap

Figure 7-31 Configuration procedure (flowchart of steps 1 to 7 below, ending in End)

See Figure 7-31. The procedure for configuring service control on the PDSN9660 is as follows:
1. Configure the Layer 3/Layer 4 filter. Configure the filter for service control: the Layer 3 filter (source and destination IP addresses), the Layer 4 filter (port range), the Layer 3/Layer 4 protocol type, and the value of the type of service (ToS) field. Through Layer 3/Layer 4 packet filtering and analysis the PDSN9660 can distinguish the contents of the user's uplink and downlink packets.
2. Configure the charging properties. Set the CBB ID and the charging mode that are used when the service is initiated by the upstream or the downstream device. The charging mode can be time-based, volume-based, or free of charge.
3. Configure the action property. Set the actions for uplink and downlink packets when a service is initiated by the upstream or the downstream device. The actions in an action list are gate, redirect, remark, committed access rate (CAR), and charge-point. The actions are taken in the configured sequence.
4. (Optional) Configure the Layer 7 parsing function. Specify the conditions for parsing packets at Layer 7 and configure the charging property and action property.
5. (Optional) Configure the common policy. Configure the alias marking function, the anti-DDoS function, and the default charging property for a user profile.
6. Configure the service policy combination. Bind a rule to a user profile. The PDSN9660 performs service control to determine the charging policy, action policy, and QoS assurance for the service packets that are filtered.
7. Apply the service policy combination to the Domain.
Configuration Principle
- Run filter to configure the filter before running filter-group to configure the filter group. After configuring the filter, run refresh-service to make the configured filter take effect.
- Run cbb-id to configure the content-based billing (CBB) ID before running charge-property to configure the charging properties.
- Configure the committed access rate (CAR), charge point, gate, redirect, or remark features before running action-list to specify these actions in an action list.
- Run action-list to configure the action list before running action-property to configure the action properties.
- Run charge-property and action-property to configure the charging properties and action properties before running l7-info to configure the Layer 7 information.
- Run l7-info to configure the Layer 7 information before running l7-info-group to configure the Layer 7 information group. The Layer 7 information and Layer 7 information group are not required if the PDSN9660 does not perform Layer 7 filtering. Layer 7 information groups are divided by protocol, such as Hypertext Transfer Protocol (HTTP), Real-Time Streaming Protocol (RTSP), and Wireless Application Protocol (WAP): each l7-info-group corresponds to one protocol, and all l7-info entries of the same protocol belong to one l7-info-group.
- Run filter-group, l7-info-group, charge-property, and action-property to configure the filter group, Layer 7 information group, charging properties, and action properties before running rule to configure the rule. The Layer 7 information and Layer 7 information group are not required if the PDSN9660 does not perform Layer 7 filtering. A rule references only one filter group, one charging property, and one action property, so the same charging and action policy applies to all packets that match the filter group. To apply a different charging or action policy, configure another rule with another filter group.
- Run rule to configure the rule before binding the rule to a user profile. Choose the rule-binding priority as follows:
  - If the filter range of rule x includes that of rule y and both rules are bound to the same user profile, give rule y a higher binding priority than rule x. Otherwise, rule y is never matched.
  - If the filter ranges of two rules bound to the same user profile overlap, set the priorities according to the service plan and deployment, or modify the filters of one of the rules to remove the overlap.
  - If the filter ranges of two rules bound to the same user profile are disjoint, there is no restriction on their binding priorities.
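The shadowing case above, as an added example that is not part of the PDSN9660 documentation: a small Python model of rule-binding priority within one user profile, plus a check that reports rules which can never match. The page does not define the PDSN9660's internal matching, so the model assumes that a filter reduces to (Layer 3/Layer 4 protocol, server IP range, server port range), that the rule with the highest numeric binding priority is tried first, and that a rule matches when every field of its filter matches the packet. The rule names, filter names, and addresses are made up.

```python
"""Added example (not from the PDSN9660 documentation): a small model of
rule-binding priority and a check for the shadowing case described above.
Assumptions not stated on the page: a filter is reduced to (Layer 3/Layer 4
protocol, server IP range, server port range); the rule with the highest
numeric binding priority is tried first; a rule matches a packet when every
field of its filter matches. All names and addresses below are made up."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Filter:
    name: str
    protocol: Optional[str]            # "tcp", "udp", or None for any protocol
    server_net: IPv4Network            # server IP address plus wildcard mask
    server_ports: Tuple[int, int]      # inclusive server port range

    def matches(self, protocol: str, server_ip: str, server_port: int) -> bool:
        return ((self.protocol is None or self.protocol == protocol)
                and IPv4Address(server_ip) in self.server_net
                and self.server_ports[0] <= server_port <= self.server_ports[1])

    def covers(self, other: "Filter") -> bool:
        """True when every packet matched by `other` is also matched by self."""
        proto_ok = self.protocol is None or self.protocol == other.protocol
        net_ok = other.server_net.subnet_of(self.server_net)
        ports_ok = (self.server_ports[0] <= other.server_ports[0]
                    and other.server_ports[1] <= self.server_ports[1])
        return proto_ok and net_ok and ports_ok


@dataclass(frozen=True)
class Rule:
    name: str
    filt: Filter
    charge_property: str


Bindings = Dict[Rule, int]   # rule -> binding priority (rule-binding <rule> priority N)


def match_rule(bindings: Bindings, protocol: str, server_ip: str,
               server_port: int) -> Optional[str]:
    """Name of the first matching rule, trying rules from the highest priority
    down; None means the user profile's default charging property applies."""
    for rule, _prio in sorted(bindings.items(), key=lambda kv: kv[1], reverse=True):
        if rule.filt.matches(protocol, server_ip, server_port):
            return rule.name
    return None


def shadowed_rules(bindings: Bindings) -> List[str]:
    """Rules that can never match because a rule with a strictly higher
    priority covers their whole filter range (the 'rule x includes rule y'
    case in the configuration principle)."""
    names = []
    for lower, lower_prio in bindings.items():
        for higher, higher_prio in bindings.items():
            if higher_prio > lower_prio and higher.filt.covers(lower.filt):
                names.append(lower.name)
                break
    return names


ANY_SERVER = IPv4Network("0.0.0.0/0")
# Constructed rules: rule_x matches all TCP traffic, rule_y only TCP port 80,
# so rule_x's filter range includes rule_y's.
RULE_X = Rule("rule_x", Filter("filter_x", "tcp", ANY_SERVER, (1, 65535)), "cp2")
RULE_Y = Rule("rule_y", Filter("filter_y", "tcp", ANY_SERVER, (80, 80)), "cp1")

# Wrong binding: the broader rule_x has the higher priority, so rule_y is dead.
WRONG_BINDINGS: Bindings = {RULE_X: 9, RULE_Y: 5}
# Binding suggested by the principle: the narrower rule_y gets the higher priority.
RIGHT_BINDINGS: Bindings = {RULE_X: 5, RULE_Y: 9}


if __name__ == "__main__":
    for label, b in (("wrong", WRONG_BINDINGS), ("right", RIGHT_BINDINGS)):
        print(label, "tcp/80 ->", match_rule(b, "tcp", "203.0.113.10", 80),
              "| shadowed:", shadowed_rules(b))
```

With the wrong binding, port-80 traffic is charged under rule_x (cp2) and shadowed_rules reports rule_y; with the suggested binding, port 80 goes to rule_y (cp1) and other TCP ports fall through to rule_x. Running a covers-style check over every user profile after a rule-binding change is a cheap way to catch a charging rule that silently stopped applying.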
Data Planning

No.  Data
1    Plan the filter and the filter group. The filter includes the Layer 3/Layer 4 parsing parameters, such as the Layer 3/Layer 4 protocol type, mobile station (MS) IP address and wildcard mask, MS port range, server IP address and wildcard mask, and server port range.
2    Plan the content-based billing (CBB) IDs and the charging properties.
3    Plan the action list.
4    (Optional) Plan the Layer 7 information and the Layer 7 information group.
5    Plan the service control rule. The rule includes the filter group, Layer 7 protocol, Layer 7 information group, default charging properties and action properties for signaling and service packets, and the validity time range of the rule.
6    Plan the user profile to which a rule is bound.
7    Plan the Domain to which a user profile is bound.
Procedure

Step 1 Configure the Layer 3/Layer 4 filter.
1. Run service-view to enter the service view.
2. Run filter to set the Layer 3/Layer 4 filter.
3. Run refresh-service to make the newly configured filter take effect.
4. Run filter-group to configure the filter group and bind the configured filter to the group.

Step 2 Configure the charging properties.
1. Run cbb-id to set a CBB ID.
2. Run charge-property to configure the charging properties, including the CBB IDs for uplink-initiated and downlink-initiated services and the metering (charging mode: time-based, volume-based, or free of charge).
3. (Optional) Run cbb-id global-service to set the global CBB ID for service packets.
4. (Optional) Run cbb-id global-signaling to set the global CBB ID for signaling packets.

Step 3 Configure the action properties.
1. Run action-list to configure an action list.

NOTE
- If the action list contains the CAR action, run car to configure the CAR parameters before adding the CAR action to the action list.
- If the action list contains the redirect action, run redirect to configure the redirect parameters before adding the redirect action to the action list.
- Configure the gate action in the action list before any other action.
- The charge point is optional in the action list. If it is not configured, the charge point is the last action in the action list by default.

2. Run action-property to configure the action properties.

Step 4 (Optional) Configure the Layer 7 information.
1. Run l7-info to configure the Layer 7 information.
2. Run l7-info-group to set the Layer 7 information group and bind the configured Layer 7 information to this group.
3. (Optional) Run flow-node-agetime to configure the aging time of the quintuple for each Layer 7 protocol.

Step 5 Configure the service policy combination.
1. Run rule to specify the content-based charging rule, including the filter group, Layer 7 information group, charging property, and validity time range of the rule.
2. Run user-profile to enter the user profile view.
3. Run rule-binding to bind the content-based charging rule to the user profile.

Step 6 (Optional) Configure the common policy.
1. To configure the DDoS check function, see 7.2.3 Configuring the Anti-DDoS Function.
2. To configure the action taken when an RG applies for a quota, see Action for Applying for the Quota.
3. Run charge-property-binding to configure the charging properties for service packets, signaling packets, retransmitted Transmission Control Protocol (TCP) packets, and packets redirected to a captive portal respectively.
4. Run quit to exit the user profile view.
5. Run quit to exit the service view.

Step 7 Apply the service policy combination to the Domain.
1. Run domain to specify the name of the Domain instance and enter the Domain view.
2. Run user-profile-binding to bind the user profile to the Domain instance.

----End
Command                          Function
display filter                   Displays the filters.
display filter-group             Displays the filter groups.
display cbb-id                   Displays the content-based billing (CBB) IDs.
display charge-property          Displays the charging properties.
display action-list              Displays the action lists.
display action-property          Displays the action properties.
display l7-info                  Displays the Layer 7 information.
display l7-info-group            Displays the Layer 7 information groups.
display rule                     Displays the rules.
display rule-binding             Displays all the rules bound to the user profile.
display user-profile             Displays the information about the user profile.
display charge-property-binding  Displays the default charging properties.
display user-profile-binding     Displays the user profiles bound to the Domain.
When a configuration item is incorrect or must be modified, run the following commands to delete the current configuration and then reconfigure it.

NOTE
A filter or rule that is still bound cannot be deleted. Unbind the filter or rule before deleting it.

Table 7-17 Deleting the service control configuration
Command                       Function
undo filter                   Deletes the filters.
undo filter-group             Deletes the filter groups.
undo cbb-id                   Deletes the CBB IDs.
undo charge-property          Deletes the charging properties.
undo action-list              Deletes the action lists.
undo action-property          Deletes the action properties.
undo l7-info                  Deletes the Layer 7 information.
undo l7-info-group            Deletes the Layer 7 information groups.
undo rule                     Deletes the rules.
undo rule-binding             Deletes all the rules bound to the user profile.
undo charge-property-binding  Deletes the default charging properties.
undo user-profile             Deletes the information about the user profile.
undo user-profile-binding     Deletes all the user profiles bound to the Domain.
7.7.4 Configuration Example

This provides an example of configuring service control through Layer 3/Layer 4 filtering and Layer 7 parsing. The PDSN filters packets according to the Layer 3/Layer 4 configuration and parses packets according to the Layer 7 configuration.

Data Collection

Plan the data as follows.

Layer 3/Layer 4 filter
  Filter                                                        filter1
  Layer 3/Layer 4 protocol                                      TCP
  Server port number                                            80
  Filter group to which the filter is bound                     group1

Actions on packets
  Action list                                                   al
  Gate control action                                           pass
  Charging point                                                After the action
  Action property                                               ap
  Action list for uplink and downlink packets sent by the upstream or downstream device   al

Charging processing parameters
  Content-based billing (CBB) ID                                cbb1
  Rating group (RG)                                             10
  Charging property                                             cp1
  CBB ID for packets sent by the upstream or downstream device  cbb1
  Another CBB ID                                                cbb2
  RG of cbb2                                                    20
  Charging property                                             cp2
  CBB ID for packets sent by the upstream or downstream device  cbb2

Service policy combination
  Rule                                                          rule1
  Filter group                                                  group1
  Default charging property for service packets                 cp1
  Default action property for service packets                   ap
  User profile to which the rule is bound and the priority      up1, priority 9

Common policy
  Default charging property for service and signaling packets of the user profile   cp2
  Anti-DDoS function                                            enable
  Traffic control threshold for anti-DDoS                       45

Domain to which the service policy combination is applied
  Name of the Domain to which the user profile is bound         isp.com
Configuration Procedure

1. Configure the Layer 3/Layer 4 filter.
# Enter the system view and then the service view.
<PDSN>system-view
[PDSN]service-view
# Configure the Layer 3/Layer 4 filter. Set the filter name to filter1, the Layer 3/Layer 4 protocol to TCP, and the server port number to 80.
[PDSN-service]filter filter1 l34-protocol tcp server-port eq 80
# Run refresh-service so that the new filter takes effect, and bind filter1 to the filter group group1 by running filter-group.

2. Configure the actions for packets.
# Set the gate control action of the action list al to pass and place the charge point after the action.
[PDSN-service]action-list al gate pass charge-point
# Create the action property ap and use the action list al for uplink and downlink packets, whether the service is initiated by the upstream or the downstream device.
[PDSN-service]action-property ap up-initial up-action-list al down-action-list al down-initial up-action-list al down-action-list al

3. Set the charging processing parameters for packets.
# Set the CBB ID to cbb1 and the RG to 10.
[PDSN-service]cbb-id cbb1 rg 10
# Set the charging property to cp1. CBB ID cbb1 is used for packets whether the service is initiated by the upstream or the downstream device.
[PDSN-service]charge-property cp1 up-initial cbb1 down-initial cbb1
# Set the charging property to cp2. CBB ID cbb2 is used for packets whether the service is initiated by the upstream or the downstream device.
[PDSN-service]charge-property cp2 up-initial cbb2 down-initial cbb2

4. Configure the service policy combination.
# Configure the rule rule1. Set the filter group to group1, the default charging property for service packets to cp1, and the action property to ap.
[PDSN-service]rule rule1 filter-group group1 service charge-property cp1 action-property ap
# Create the user profile up1 and enter the user profile view.
[PDSN-service]user-profile up1
# Bind the rule rule1 to the user profile and set the priority to 9.
[PDSN-service-profile-up1]rule-binding rule1 priority 9

5. Configure the common policy.
# Set the default charging property for service and signaling packets of the user profile to cp2.
[PDSN-service-profile-up1]charge-property-binding service-charge-property cp2 signaling-charge-property cp2
# Return to the service view and set the traffic control threshold for anti-DDoS to 45, then return to the system view.
[PDSN-service-profile-up1]quit
[PDSN-service]ddos threshold 45
[PDSN-service]quit

6. Apply the service policy combination to the Domain.
# Enter the Domain view.
[PDSN]domain isp.com

7. Bind the user profile up1 to the Domain by running user-profile-binding in the Domain view.
Data Collection

Plan the data as follows.

Layer 3/Layer 4 filter
  Filter                                                        filter1
  Layer 3/Layer 4 protocol                                      TCP
  Server port number                                            80
  Filter group to which the filter is bound                     group1

Actions on packets
  Action list                                                   al
  Gate control action                                           pass
  Remark action                                                 CS6
  Charging point                                                After the actions
  Action property                                               ap
  Action list for uplink and downlink packets sent by the upstream or downstream device   al

Charging processing parameters
  Content-based billing (CBB) ID                                cbb1
  Rating group (RG)                                             10
  Charging property                                             cp1
  CBB ID for packets sent by the upstream or downstream device  cbb1
  Another CBB ID                                                cbb2
  RG of cbb2                                                    20
  Charging property                                             cp2
  CBB ID for packets sent by the upstream or downstream device  cbb2

Layer 7 information
  Layer 7 information name                                      http
  URL                                                           www.sina.com*/*
  Charging property                                             cp1
  Action property                                               ap
  Layer 7 information group to which the Layer 7 information is bound   httpg
  Aging time of the quintuple specific to HTTP                  120 seconds

Service policy combination
  Rule                                                          rule1
  Filter group                                                  group1
  Layer 7 protocol                                              http
  Layer 7 information group                                     httpg
  Default charging property for service packets                 cp2
  Default action property for service packets                   ap
  User profile to which the rule is bound and the priority      up1, priority 9

Common policy
  Default charging property for service and signaling packets of the user profile   cp2

Domain to which the service policy combination is applied
  Name of the Domain to which the user profile is bound         isp.com
Configuration Procedure

1. Configure the filter.
# Enter the system view and then the service view.
<PDSN>system-view
[PDSN]service-view
# Configure the Layer 3/Layer 4 filter. Set the filter name to filter1, the Layer 3/Layer 4 protocol to TCP, and the server port number to 80.
[PDSN-service]filter filter1 l34-protocol tcp server-port eq 80
# Run refresh-service so that the new filter takes effect, and bind filter1 to the filter group group1 by running filter-group.

2. Configure the actions for packets.
# Set the gate control action of the action list al to pass, add the remark action with the value CS6, and place the charge point after the actions. The gate action must come first in the action list.
[PDSN-service]action-list al gate pass remark CS6 charge-point
# Create the action property ap and use the action list al for uplink and downlink packets, whether the service is initiated by the upstream or the downstream device.
[PDSN-service]action-property ap up-initial up-action-list al down-action-list al down-initial up-action-list al down-action-list al

3. Set the charging processing parameters for packets.
# Set the CBB ID to cbb1 and the RG to 10.
[PDSN-service]cbb-id cbb1 rg 10
# Set the charging property to cp1. CBB ID cbb1 is used for packets whether the service is initiated by the upstream or the downstream device.
[PDSN-service]charge-property cp1 up-initial cbb1 down-initial cbb1
# Set the charging property to cp2. CBB ID cbb2 is used for packets whether the service is initiated by the upstream or the downstream device.
[PDSN-service]charge-property cp2 up-initial cbb2 down-initial cbb2

4. Configure the Layer 7 information.
# Create the Layer 7 information http: when the URL matches www.sina.com*/*, the charging property cp1 and the action property ap apply.
[PDSN-service]l7-info http url www.sina.com*/* charge-property cp1 action-property ap
# Bind the Layer 7 information http to the Layer 7 information group httpg.
[PDSN-service]l7-info-group httpg l7-info http sequence 1
# Set the aging time of the HTTP quintuple to 120 seconds.
[PDSN-service]flow-node-agetime l7-protocol http time 120

5. Configure the service policy combination.
# Configure the rule rule1. Set the filter group to group1, the Layer 7 protocol to HTTP, the Layer 7 information group to httpg, the default charging property for service packets to cp2, and the action property to ap. HTTP packets that match the Layer 7 information http are charged under cp1; other HTTP packets matching group1 fall back to cp2.
[PDSN-service]rule rule1 filter-group group1 l7-protocol http l7-info-group httpg service charge-property cp2 action-property ap
# Create the user profile up1 and enter the user profile view.
[PDSN-service]user-profile up1
# Bind the rule rule1 to the user profile and set the priority to 9.
[PDSN-service-profile-up1]rule-binding rule1 priority 9

6. Configure the common policy.
# Set the default charging property for service and signaling packets of the user profile to cp2, then return to the system view.
[PDSN-service-profile-up1]charge-property-binding service-charge-property cp2 signaling-charge-property cp2
[PDSN-service-profile-up1]quit
[PDSN-service]quit

7. Apply the service policy combination to the Domain.
# Enter the Domain view.
[PDSN]domain isp.com

8. Bind the user profile up1 to the Domain by running user-profile-binding in the Domain view.
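The Layer 7 step of the example above, as an added example that is not part of the PDSN9660 documentation: a Python model of how an entry in an l7-info-group selects a charging property for a URL, and what the placement of the wildcard in www.sina.com*/* means. The page does not define the PDSN9660's wildcard syntax, so the model assumes that '*' matches any run of characters (including '/'), that every other character is literal, and that the whole host-plus-path must match; it also assumes that the entries of a group are tried in ascending sequence number and the first match wins. The URLs, the entry named any, and the charging property cp3 are constructed for the illustration.

```python
"""Added example (not from the PDSN9660 documentation): how a Layer 7 URL
pattern such as www.sina.com*/* selects a charging property, and why the
position of the wildcard matters. The page does not define the PDSN9660's
wildcard syntax, so this model assumes: '*' matches any run of characters
(including '/'), every other character is literal, and the whole host+path
must match. Entries of an l7-info-group are tried in ascending sequence
number and the first match wins. All URLs and extra names here are made up."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class L7Info:
    name: str
    url_pattern: str       # value of 'l7-info <name> url <pattern>'
    charge_property: str   # value of 'charge-property <cp>'


def _compile(pattern: str) -> "re.Pattern":
    # Escape the literal pieces, join them with '.*' for each '*', anchor both ends.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def url_matches(pattern: str, url: str) -> bool:
    """url is host plus path without scheme, e.g. 'www.sina.com/news/1.html'."""
    return _compile(pattern).match(url) is not None


def select_charge_property(group: List[Tuple[int, L7Info]], url: str,
                           default_cp: str) -> str:
    """Mirror 'l7-info-group <g> l7-info <name> sequence <n>': the entry with the
    lowest sequence whose pattern matches wins; with no match the rule's
    default service charging property applies."""
    for _seq, info in sorted(group, key=lambda entry: entry[0]):
        if url_matches(info.url_pattern, url):
            return info.charge_property
    return default_cp


# Pattern from the example: cp1 for www.sina.com*/*, rule default cp2 otherwise.
HTTPG_LOOSE = [(1, L7Info("http", "www.sina.com*/*", "cp1"))]
# Tighter alternative: the host name must end right before the first '/'.
HTTPG_TIGHT = [(1, L7Info("http", "www.sina.com/*", "cp1"))]
# Sequence order: the catch-all entry has the higher sequence, so it is tried last.
HTTPG_ORDERED = [(2, L7Info("any", "*", "cp3")),
                 (1, L7Info("http", "www.sina.com/*", "cp1"))]

SAMPLE_URLS = [
    "www.sina.com/news/1.html",        # the intended host
    "www.sina.com.example.net/p",      # a different host that shares the prefix
    "www.example.com/",                # unrelated host
]


def compare(urls: List[str] = SAMPLE_URLS) -> Dict[str, Tuple[str, str]]:
    """For each URL: (cp chosen by the loose pattern, cp chosen by the tight one)."""
    return {u: (select_charge_property(HTTPG_LOOSE, u, "cp2"),
                select_charge_property(HTTPG_TIGHT, u, "cp2")) for u in urls}


if __name__ == "__main__":
    for url, (loose, tight) in compare().items():
        print(f"{url:32} loose={loose} tight={tight}")
```

Under these assumed semantics the pattern www.sina.com*/* also classifies www.sina.com.example.net/p as cp1, because the first '*' absorbs the rest of the host name. If cp1 maps to a cheaper rating group than the rule default, any host whose name begins with www.sina.com is billed at that rate, so anchor the host part (www.sina.com/*) unless the prefix match is intended, and confirm in the product's command reference what the PDSN9660 actually matches the pattern against, since the page does not say.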
A Glossary

A
A10              This interface transmits user data. The uppermost layer of the A10 interface protocol stack is GRE; the GRE layer encapsulates the upper-layer PPP data in GRE frames for transmission.
A11              This interface transmits the signaling between the PDSN and the PCF to set up or release A10 connections. The PCF also transmits charging parameters through A11 messages.
AAA Server       The remote server that provides authentication, authorization, accounting, and value-added services for dial-in users.
Agent broadcast  The broadcast obtained by adding a special extension to the router broadcast.
AH               Authentication Header. It provides data origin authentication, data integrity, and replay protection, but does not encrypt the protected message.

B
BAM              The operation and maintenance module of the PDSN9660. It reports performance measurement data to the M2000.
BGP              Border Gateway Protocol. A protocol used by routers to exchange routing information in an internet connecting autonomous systems. BGP exchanges reachability information with other BGP systems.
BSC              The functional entity responsible for the control and management of the BTS, for setting up and releasing call connections, for power control, and for radio resource management; it provides stable and reliable radio connections for the upper-layer service through soft and hard handover.
BTS              The station that sends and receives radio signals to realize communication between the radio network and the mobile station.
C
Congestion avoidance   A mechanism that monitors the usage of network resources and discards packets when congestion becomes severe, so as to avoid network overload by adjusting the traffic.
Congestion management  A mechanism that places packets in queues for buffering and arranges their forwarding sequence according to a scheduling algorithm.

D
Default route    The route used only when no matching routing table entry is found, that is, when no other suitable route is available.
DMB              Power distribution monitor and control board. It controls the power distribution box, checks the input power voltage and the status of the power after distribution, and generates alarms when either is abnormal.
Dump             Transfer unprocessed data from one part of a system to another, or from one storage system to another.

E
ESP              Encapsulating Security Payload. It provides data origin authentication, data integrity, replay protection, and encryption of the IP packet.
Expansion        The act or process of expanding system capacity.

F
FA               A router on the link that the MN visits. The FA provides routing service for the registered MN and forwards packets tunneled from the HA to the MN. The FA can also serve as the default router for packets sent by the MN.
File             A collection of related data or program records.
Firewall         A combination of components placed between different networks or network security domains. By monitoring, limiting, and changing the data traffic that crosses it, a firewall hides the internal information, structure, and running state of the network as far as possible in order to protect the network.
A Glossary
Forwarding
The packet is forwarded directly to the upper-layer service software to perform content charging of the third, forth, and seventh layer.
G glossary gateway Terms for the concepts in a professional field. A device to connect two network segments which use different protocols. It is used to translate the data in the two network segments.
H HA HLR The accessory node for the mobile IP user to access the Internet. The database that manages the mobile user, stores the user account information (subscription data and the subscriber status), the location of the mobile station, the MDN, the IMSI (MIN) and so on. A program which can be connected to other computers, Telnet sites, BBSs (Bulletin Boards System), online services, and hosts by using the Modem, zero Modem cable, or TCP/IP (Winsock).
HyperTerminal
I
IKE: Internet Key Exchange. It is built on the framework defined by the Internet security alliance and the ISAKMP and provides automatic negotiation of key exchange and security alliance establishment for IPSec, which simplifies the use and management of IPSec.
IMSI: International Mobile Subscriber Identity. A unique identifier allocated to each mobile subscriber (MS) in a GSM network. It is effective everywhere, including the roaming area. It is stored in the SIM, the HLR, and the VLR. It contains at most 15 digits (0 to 9) and is transmitted over the radio interface and the MAP interface.
IPSec: A series of protocols defined by the IETF. It provides a framework of open standards for data confidentiality, integrity, and authentication between participating hosts.
IS-IS: Intermediate System-to-Intermediate System. An OSI link-state hierarchical routing protocol based on DECnet Phase V routing, in which ISs (routers) exchange routing information based on a single metric to determine the network topology.
L
A device or medium through which a node carries out link-layer communications. It is below the network layer.
An address used to identify the communication endpoints of a physical link. Typically, it is the MAC address of an interface.
LMT: The software that is installed on the local computer and communicates with the PDSN9660 over TCP/IP for operation and maintenance of the PDSN9660 system.
An interface that does not exist physically and comes into being through configuration. It can also exchange data.
LPU: Line interface processing unit. It is one of the boards of the PDSN9660 and provides physical interfaces to network entities such as the PCF, the PDN, and the AAA server.
M
M2000: Huawei's unified management platform for the mobile network. The functions of the M2000 include integrated fault management, integrated performance management, integrated configuration management, integrated topology management, integrated security management, and system management.
Sets up the relationship between the home address and the care-of address and defines the period for which the relationship exists.
MSC: Mobile Switching Centre. A telecommunication switch or exchange within a cellular network architecture that is responsible for call establishment, route selection, call control, wireless resource distribution, user mobility management, location registration, channel switching in the switching area, UDR generation, negotiation of the service with the PSTN, and the interface between No.7 signaling and the network.
N
NTP: Network Time Protocol. A protocol based on IP and UDP that ensures accurate local timekeeping with reference to radio and atomic clocks located on the Internet. The protocol can synchronize distributed clocks within milliseconds over long periods.
O
O&M system: Operation & Management System. A system that provides such functions as command input, authority management, equipment management, and user tracing.
OPT: Optical interface board. The data transmission and processing board that provides optical interfaces.
OSPF: Open Shortest Path First. A link-state, hierarchical IGP routing algorithm proposed as a successor to RIP in the Internet community. OSPF features include least-cost routing, multipath routing, and load balancing. OSPF was derived from an early version of the IS-IS protocol.
OTB: Overvoltage protection transfer board. It controls and generates alarms when the voltage is abnormal.
P
Patch: A separate software package used to modify the main programs.
PCF: Packet Control Function. A logical functional entity in the wireless core network. It processes the signaling and data between the PCF and the PDSN through the R-P interface.
PDN: Packet Data Network. A set of network entities that provide the packet data service.
PDSN: Packet Data Serving Node. A gateway device that connects the mobile network to the IP backbone network. The PDSN provides packet data access services for mobile subscribers.
The tangible interface with hardware support. It provides the physical connection to the external networking entities.
A service that allows a user to prepay for a certain amount of service (a certain duration or traffic volume in the data prepaid service).
PPP: Point-to-Point Protocol. A widely used WAN protocol designed to provide router-to-router and host-to-network connections over synchronous and asynchronous circuits. In addition, PPP has a built-in security mechanism.
R
Rack: A cabinet without the back door, the side doors, and the top cover.
RADIUS: Remote Authentication Dial In User Service. An authentication system, based on username and password, used by Internet service providers (ISPs). The username and password supplied by the user are validated on a RADIUS server, which allows or rejects access to the ISP's system.
Register: The mechanism used by a mobile node to inform the home agent of its current care-of address, and to deregister the care-of address when the mobile node returns to the home link. The mobile node can also obtain the address of the home agent by registration.
Capability of a product to implement specified functions under specified conditions and within a specified period.
A mechanism used to improve network reliability. If the active route fails, the standby route automatically takes effect.
S
SCP: A key component in the intelligent network. It stores the user data and the service logic. The main function of the SCP is to receive the query message from the SSP and query the database to perform the decoding. The SCP can start different service logic according to the call from the SSP, and sends call control instructions to the corresponding SSP according to the service logic to realize intelligent calls.
Security alliance: Consists of protocols, algorithms, keys, and so on. Defines how to provide different levels of security protection for different data streams.
SNMP: Simple Network Management Protocol. It enables remote users to view and modify the management information of a network element. The protocol ensures that management information is transmitted between any two points. A polling mechanism is adopted to provide the basic function set.
SPU: Service processing unit. It is one of the boards of the PDSN9660 and provides all service processing functionality of the PDSN9660.
Switching and routing unit. It is one of the boards of the PDSN9660 and is the core circuit board for system management.
A special route that is configured manually by the administrator.
Basic configuration needed by the communication devices. It includes equipment name configuration, system time configuration, saving and viewing the current configuration file, and viewing the system running state.
T
Traffic classification: The act of identifying the packets that match specific rules. The purpose is to provide different services for different types of packets.
Traffic policing: The act of inspecting the specifications of the traffic that goes through the router. Limitation or penalty measures can be taken if the traffic is not consistent with the specified specifications, thereby protecting the profit of the operator and the network resources.
Traffic shaping: A traffic control measure that adjusts the output rate of the traffic automatically. The purpose is to make the traffic match the network resources that the downstream router can provide and thus avoid unnecessary packet discarding or congestion.
A mechanism of placing packets in a queue for buffering and arranging the forwarding sequence of the packets based on a certain scheduling algorithm.
Tunnel
U
UDR: The entire record of the PDSN9660 sending charging messages to the charging server.
V
VLAN: Virtual LAN. The network resources and users are divided logically according to certain rules, and a physical network is divided into small logical networks.
VPN: Virtual Private Network. A private network established on packet-switched networks.
VRRP: Virtual Router Redundancy Protocol. It is used on multicast LANs such as Ethernet. A group of routers (including a master router and several backup routers) in a LAN is regarded as a virtual router, which is called a backup group. The virtual router has its own IP address. The hosts in the network communicate with other networks through this virtual router. If the master router in the backup group fails, one of the backup routers becomes the master and provides the routing service for the hosts in the network.
B Abbreviation
3
3GPP2
A
AAA
AC: Authentication Center
ACL: Access Control List
AES: Advanced Encryption Standard
AH: Authentication Header
ANSI: American National Standards Institute
ARP: Address Resolution Protocol
AS: Autonomous System
ASBR: Autonomous System Boundary Router
ASCII: American Standard Code for Information Interchange
AUC: Authentication Center
AUX: Auxiliary (port)
B
BA: Behaviour Aggregate
BAM: Back Administration Module
BC: Bearer Control
BDR: Backup Designated Router
BE: Best-Effort
Border Gateway
Border Gateway Protocol
Billing System
Base Station Controller
Base Station Subsystem
C
CAR: Committed Access Rate
CBS: Committed Burst Size
CC: Content of Communication
CCITT: International Telegraph and Telephone Consultative Committee
CDMA: Code Division Multiple Access
UDR: Usage Data Record
CE: Customer Edge
CHAP: Challenge Handshake Authentication Protocol
CIDR: Classless Inter-Domain Routing
CIR: Committed Information Rate
CON: Console (port)
CoS: Class of Service
cPOS: channelized POS
CPU: Central Processing Unit
CQ: Custom Queueing
CR: Core Router
CRC: Cyclic Redundancy Code
CSPC: Compress Service Processing Card
D
DC: Direct Current
DCE: Data Circuit-terminating Equipment
DDF: Digital Distribution Frame
DDN: Digital Data Network
DES: Data Encryption Standard
Dynamic Host Configuration Protocol
Distribution Monitoring Board
Domain Name Server
Destination Point Code
Dispatcher Server
Dispatcher
DiffServ Code Point
Data Terminal Equipment
E
EACL: Enhanced Access Control List
EBGP: External BGP
EBS: Excess Burst Size
EF: Expedited Forwarding
EFU: Express Forwarding Unit
EGP: Exterior Gateway Protocol
EIA: Electronics Industry Association
EIR: Equipment Identification Register
EMC: Electromagnetic Compatibility
ESN: Electronic Serial Number
ESP: Encapsulating Security Payload
ETS: European Telecommunication Standards
ETSI: European Telecommunications Standards Institute
F
FA: Foreign Agent
FIB: Forward Information Base
FIFO: First In First Out
FQ: Fair Queue
FR: Frame Relay
FTP: File Transfer Protocol
G
GB: Gigabit
GBIC: GigaBit Interface Converter
GE: Gigabit Ethernet
GLMS: Group and List Management Server
GMSC: Gateway Mobile Switching Center
GRE: Generic Routing Encapsulation
GUI: Graphic User Interface
H
HA: Home Agent
HDLC: High level Data Link Control
HLR: Home Location Register
HPLMN: Home PLMN
I
IBGP: Interior Border Gateway Protocol
ICMP: Internet Control Message Protocol
IEC: International Electro Commission
IEEE: Institute of Electrical and Electronics Engineers
IETF: Internet Engineering Task Force
IKE: Internet Key Exchange
IMEI: International Mobile Equipment Identity
IMSI: International Mobile Subscriber Identity
IP: Internet Protocol
IPSec: IP Security Protocol
IPX: Internet Packet Exchange
ISDN: Integrated Services Digital Network
IS-IS: Intermediate System-to-Intermediate System Protocol
ISO: International Standards Organization
ISP: Internet Service Provider
ISUP: ISDN User Part
Internet Engineering Task Force
International Telecommunication Union
International Telecommunication Union - Telecommunication Standardization Sector
InterWorking Function
K
KVM: Keyboard/Video/Mouse
L
L2TP: Layer 2 Tunneling Protocol
LAC: L2TP Access Concentrator
LAN: Local Area Network
LCP: Link Control Protocol
LIG: Lawful Interception Gateway
LLC: Logical Link Control
LMT: Local Maintenance Terminal
LNS: L2TP Network Server
LPU: Line interface Processing Unit
LSP: Label Switching Path
LZS: Lempel-Ziv Stacker compression algorithm
M
Media Access Control
Mobile Application Part
Multiprotocol Border Gateway Protocol
Message Center
Message Digest 5
Mobile Directory Number
Multi-Exit discrimination
Management Information Base
Mobile Identification Number
Mobile IP
MM: Mobility Management
MML: Man-Machine Language
MMS: Multimedia Messaging Service
MMSC: Short Message Service Centre
MPLS: Multi-Protocol Label Switching
MPPC: Microsoft Point-to-Point Compression
MRTIE: Maximum Relative Time Interval Error
MS: Mobile Station
MSC: Mobile Switching Center
MT: Mobile Termination
MTBF: Mean Time Between Failure
MTTR: Mean Time To Repair
MTU: Maximum Transmission Unit
MVPN: Mobile Virtual Private Network
N
NAT: Network Address Translation
NBMA: Non Broadcast Multiple Access
NCP: Network Control Protocol
NMS: Network Management System
NP: Network Processing
NS: Network Service
NSAPI: Network layer Service Access Point Identifier
NSEI: Network Service Entity Identifier
NTP: Network Time Protocol
O
OAM: Operation, Administration and Maintenance
OMC: Operation & Maintenance Center
OPB: Overvoltage Protection Board
OSI: Open System Interconnection
OSPF: Open Shortest Path First
OTB
P
PAP: Password Authentication Protocol
PBS: Peak Burst Size
PCF: Packet Control Function
PCM: Pulse Code Modulation
PCU: Packet Control Unit
PDN: Packet Data Network
PDSN: Packet Data Serving Node
PDU: Protocol Data Unit
PE: Provider Edge
PFC: Packet Flow Context
PFS: Perfect Forward Secrecy
PHB: Per-Hop Behavior
PIN: Personal Identification Number
PLMN: Public Land Mobile Network
PMM: Packet Mobility Management
POS: Packet Over SDH
PPP: Point-to-Point Protocol
PPS: Prepaid Service
PS: Packet Switched
PSTN: Public Switched Telephone Network
PTM: Point To Multipoint
PTP: Point To Point
PVC: Permanent Virtual Connection
PVP: Permanent Virtual Path
R
RADIUS: Remote Authentication Dial in User Service
RAID: Redundant Arrays of Inexpensive Disks
RAN: Radio Access Network
RD: Router Distinguisher
RED: Random Early Detection
RFC: Request for Comments
RIP: Routing Information Protocol
RIP-2: Routing Information Protocol 2
RNC: Radio Network Controller
R-P: RN-PDSN
RSTP: Rapid Spanning Tree Protocol
RSVP: Resource Reservation Protocol
S
SA: Security Association
SAC: Service Area Code
SAU: Signaling Access Unit
SCCP: Signaling Connection Control Part
SCMG: SCCP Management
SCP: Service Control Point
SDB: Subscriber Database
SDH: Synchronous Digital Hierarchy
SHA: Secure Hash Algorithm
SLC: Signaling Link Code
SLS: Signaling Link Selection
SMT: Service Maintenance Terminal
SNDCP: SubNetwork Dependent Convergence Protocol
SNMP: Simple Network Management Protocol
SONET: Synchronous Optical Network
SPF: Shortest Path First
SPT: Shortest Path Tree
SPU: Service Processing Unit
Switching and Routing Unit
Sub-System Number
Service Switching Point
Signals Transfer Board
T
TCAP: Transaction Capabilities Application Part
TCP: Transport Control Protocol
TDD: Time Division Duplex
TE: Terminal Equipment
TIA: Telecommunications Industry Association
ToS: Type of Service
TTL: time to live
TUP: Telephone User Part
U
UDP: User Datagram Protocol
UDR: Usage Data Record
UE: User Equipment
UI: Unit interval
URL: Uniform Resource Locator
USR: Universal Switching Router
V
VLAN: Virtual Local Area Network
VLR: Visitor Location Register
VPI: Virtual Path Identifier
VPN: Virtual Private Network
VRF: Virtual Route Forward
VRP: Versatile Routing Platform
VRRP: Virtual Router Redundancy Protocol
W
WAN: Wide Area Network
WAP: Wireless Application Protocol
WFQ: Weighted Fair Queuing
WRED: Weighted Random Early Detection
WWW: World Wide Web