
GGSN Basics

Need for GPRS / Class of Handsets
Protocol Links for GPRS
GGSN interfaces
Transmission Plane
Mobility Management - PDP context
MS IPv4 Network Host Brief
IP, UDP structure
TCP structure
Router configuration modes
MS GPRS/IMSI attach procedure
Basics of GGSN configuration
DNS - Domain Name Server
DNS Query Response log
GPRS DNS Query
Configuring Access Point Name
APN Parameters
GGSN IP address allocation
RADIUS features
APN n/w selection flow chart
PDP Context Activation procedure
NSAPI, TLLI, Tunnel ID
GTP protocol structure
Gn/Gp GTP messages
RADIUS message flow
GGSN RADIUS WAP gateway flow
Create PDP context request log
Create PDP context response log
GTP messages log
RA area update for different SGSN
GPRS GGSN Roaming
GGSN PDP context
Ga Charging CDR
GGSN customization (GTP & GTP')
Concept of Tunnel for Security
Node Network (IPSec) Security
WAP Architecture
GSM a subnet INTERNET
GGSN Summary

Why GPRS?

General Packet Radio Service

Protocol Links for GPRS


Network diagram (summarised): the MS (terminal equipment such as a laptop, attached over Bluetooth, IR or a serial cable) reaches the BTS over the Um air interface; BTS, BSC and PCU form the BSS. The BSS connects to the SGSN over Gb (Frame Relay on E1 links, packet switching) and to the MSC/VLR over the A interface (SS7, circuit switching, towards the PSTN). The SGSN reaches the HLR/AUC and SMSC over SS7 (Gr) and the GGSN over GTP on the IP backbone (Gn); the DNS, the charging gateway (CG, reached over GTP) and the NMS sit on the same backbone. The GGSN connects to the Internet through an IP router with an access policy and a firewall (Gi), to corporate networks and intranets through a VPN behind a firewall, and to other GPRS networks through a BGP border gateway with a firewall (Gp).

GGSN interfaces

GPRS Transmission Plane


Transmission plane protocol stacks (diagram, summarised):
MS (Um): Application (WAP / HTTP-XML) over IP; IP or X.25; SNDCP; LLC; RLC; MAC; GSM RF.
BSS (Um/Gb): RLC, MAC and GSM RF towards the MS; BSSGP, Network Service and L1bis towards the SGSN.
SGSN (Gb/Gn): SNDCP, LLC, BSSGP, Network Service and L1bis on the Gb side; GTP over TCP/UDP, IP, Layer 2 and Layer 1 on the Gn side.
GGSN (Gn/Gi): IP or X.25 carried in GTP over TCP/UDP, IP, Layer 2 and Layer 1 on the Gn side; IP on the Gi side.
Identifiers per layer: NSAPI (assigned during PDP context activation) and TID (NSAPI plus IMSI) at the PDP/GTP layer; TLLI (derived from IMSI or P-TMSI) at LLC; TFI (identifying the TBF) at RLC/MAC; BVCI (cell ID), NSVCI and DLCI at the Gb network service.

Mobility Management
GPRS

IDLE: the SGSN does not know the location of the mobile; no logical PDP context is activated, no network address (IP) is registered for the terminal, and no routing of external data is possible.
STANDBY: the SGSN tracks the mobile at routing-area level. When downlink data is available, a packet paging message is sent to the routing area; upon reception the MS sends its cell location to the SGSN and enters the ACTIVE state.
READY: the SGSN knows the cell of the MS; PDP contexts can be activated and deactivated. The MS may remain in this state even if no data is transmitted (controlled by a timer).

Transitions (state diagram, shown for the mobile and for the SGSN): IDLE to READY on GPRS Attach; READY to IDLE on GPRS Detach; READY to STANDBY on READY timer expiry; STANDBY to READY on PDU transmission (mobile side) or PDU reception (SGSN side); STANDBY to IDLE on Mobile Reachable timer expiry.

Procedures: Attach/Detach (towards SGSN/HLR) makes the MS available for SMS over GPRS; Paging via the SGSN notifies the MS of an incoming packet; PDP Context Activation/Deactivation associates the MS with a GGSN and obtains a PDP address (e.g. an IP address).

Packet Data Protocol (PDP) session: a logical tunnel between the MS and the GGSN; it anchors the SGSN and GGSN for the session. PDP activities: activation, modification, deactivation.

IP Address Classes

IP Address as a 32-Bit Binary Number

Hosts for Classes of IP Addresses

IP

UDP

TCP

Different Router Modes


Router>enable takes the router from User EXEC mode to Privileged EXEC mode (prompt Router#).
Router#config term enters Global Configuration mode (prompt Router(config)#); Ctrl-Z (end) or exit leaves it.
Configuration modes and their prompts: interface Router(config-if)#, line Router(config-line)#, router Router(config-router)#, access-list Router(access-list)#.

The GGSN requires a logical interface called a virtual template to be configured. A virtual template interface is a logical entity (a configuration for an interface that is not tied to a physical interface) that can be applied dynamically as needed to set up connections between the GGSN and the SGSN, and between the GGSN and the PDNs.

DNS-Domain Name Server

DNS Message Format


Header; Questions; Answers (resource records); Authority (resource records); Additional (resource records).

DNS response

APN Parameters

The GGSN uses the Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to mobile station users who need to access the PDN (Packet Data Network). The GGSN can use the local DHCP service within Cisco IOS Software, or it can be configured to use an external DHCP server.

Remote Authentication Dial-In User Service


The GGSN uses the RADIUS server configured for a particular access point to authenticate mobile users for access to a PDN. Security (AAA): Authentication, Authorization and Accounting of mobile user access.

APN Flow diagram

Tunnel ID creation

An IP address is a logical address, not a hardware address; in the same way the TID is a logical identifier mapped to the IMSI or MSISDN of the MS SIM card. IP addressing is designed to allow a host to communicate with a host on a different network, e.g. the Internet or another PLMN (inter-PLMN).

GTP v0: UDP port 3386 (GPRS signalling and data). GTP v1: UDP port 2123 (GTP-C), UDP port 2152 (GTP-U).

Gn /Gp GTP Messages


Signalling plane: tunnel management messages
Create PDP Context Request
Create PDP Context Response
Update PDP Context Request
Update PDP Context Response
Delete PDP Context Request
Error Indication
PDU Notification Request
PDU Notification Response
PDU Notification Reject Request
PDU Notification Reject Response

Transmission plane: protocol stack; usage of the GTP header; usage of the sequence number; tunnelling between SGSN and GGSN.

Path protocols: UDP/IP. UDP header (signalling request messages, signalling response messages, encapsulated T-PDUs); IP header; TCP header.

Mobility management messages
Identification Request
Identification Response
SGSN Context Request
SGSN Context Response
SGSN Context Acknowledge

Error handling: protocol errors
Different GTP version
GTP message too short
Unknown GTP signalling message
Unexpected GTP signalling message
Missing mandatorily present information element
Invalid length
Invalid mandatory information element
Invalid optional information element
Unknown information element
Out of sequence information elements
Unexpected information element
Repeated information elements
Incorrect optional information elements
Path failure

Information elements
Cause
International Mobile Subscriber Identity (IMSI)
Temporary Logical Link Identity (TLLI)
Quality of Service (QoS) Profile
PDP Context
Access Point Name
MS International PSTN/ISDN Number (MSISDN)
Charging ID
End User Address
Protocol Configuration Options
GSN Address
Charging Gateway
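As an added example that is not from the slides: a Python checker for the GTPv1 header on the Gn/Gp UDP ports given above, mapping malformed input to the error-handling categories listed here (the same checks a GTP-aware firewall or IDS applies before trusting a message). Message-type values are from 3GPP TS 29.060; the sample packets are constructed, and their payload bytes are stand-ins for real information elements.

```python
import struct

GTPC_PORT, GTPU_PORT, GTPV0_PORT = 2123, 2152, 3386   # UDP ports from the slides

# GTPv1 message types (3GPP TS 29.060) for the messages named on this page
MSG_TYPES = {1: "Echo Request", 2: "Echo Response", 3: "Version Not Supported",
             16: "Create PDP Context Request", 17: "Create PDP Context Response",
             18: "Update PDP Context Request", 19: "Update PDP Context Response",
             20: "Delete PDP Context Request", 21: "Delete PDP Context Response",
             26: "Error Indication", 27: "PDU Notification Request",
             28: "PDU Notification Response", 29: "PDU Notification Reject Request",
             30: "PDU Notification Reject Response", 48: "Identification Request",
             49: "Identification Response", 50: "SGSN Context Request",
             51: "SGSN Context Response", 52: "SGSN Context Acknowledge", 255: "G-PDU"}
CTRL_ONLY = set(range(16, 22)) | set(range(27, 31)) | set(range(48, 53))  # GTP-C only

def classify_gtpv1(pkt: bytes, udp_port: int) -> dict:
    """Parse a GTPv1 header; on a fault return {"error": <category from the slide>}."""
    if len(pkt) < 8:
        return {"error": "GTP message too short"}
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:                       # bits 8-6: version
        return {"error": "Different GTP version"}
    if not flags & 0x10:                      # bit 5: PT=1 is GTP, PT=0 is GTP' (charging)
        return {"error": "Unexpected GTP signalling message (GTP' on a GTP path)"}
    if msg_type not in MSG_TYPES:
        return {"error": "Unknown GTP signalling message"}
    if len(pkt) != 8 + length:                # length counts everything after byte 8
        return {"error": "Invalid Length"}
    if (msg_type == 255 and udp_port != GTPU_PORT) or \
       (msg_type in CTRL_ONLY and udp_port != GTPC_PORT):
        return {"error": "Unexpected GTP signalling message on port %d" % udp_port}
    body, seq = pkt[8:], None
    if flags & 0x07:                          # E, S or PN set: 4 optional bytes follow
        if len(body) < 4:
            return {"error": "GTP message too short"}
        if flags & 0x02:                      # S flag: sequence number present
            seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]
    return {"error": None, "type": MSG_TYPES[msg_type], "teid": teid, "seq": seq,
            "payload": body}

def build_gtpv1(msg_type: int, teid: int, payload: bytes = b"", seq=None) -> bytes:
    """Build a GTPv1 message; used here only to construct the sample packets."""
    opt = struct.pack("!HBB", seq, 0, 0) if seq is not None else b""
    flags = 0x30 | (0x02 if seq is not None else 0)   # version 1, PT=1, S if seq given
    return struct.pack("!BBHI", flags, msg_type, len(opt) + len(payload), teid) + opt + payload

# Constructed samples: a Create PDP Context Request (TEID 0, seq 1, stand-in IE bytes) and a G-PDU
SAMPLE_CREATE_REQ = build_gtpv1(16, 0, b"\x02" + bytes(8), seq=1)
SAMPLE_GPDU = build_gtpv1(255, 0x1234, b"\x45" + bytes(19))
```

Echo Request/Response and Error Indication are accepted on either port, since path management runs on both GTP-C and GTP-U.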

GGSN RADIUS gateway WAP flow

Data Record Transfer Response

Delete PDP Context Request

T-PDU

Delete PDP Context Response

GPRS Roaming

GGSN MM Records

Ga interface GTP protocol CDR overview


Diagram (summarised): the MS holds a mobility management context and a PDP context with a unique tunnel ID towards the ISP. The SGSN produces S-CDRs and M-CDRs and the GGSN produces G-CDRs; both deliver them to the Charging Gateway (CG). The charging gateway is configured on the GGSN with the command below.

gprs default charging-gateway ip address or name (primary secondary)

GGSN customization
GTP
gprs maximum-pdp-context-allowed: the maximum number of PDP contexts (mobile sessions) that can be activated on the GGSN.
gprs gtp path-echo-interval: the number of seconds that the GGSN waits before sending an echo-request message to check for GTP path failure.
gprs gtp n3-requests: the maximum number of times that the GGSN attempts to send a signalling request.
gprs gtp t3-response: the maximum time that the GGSN waits to respond to a signalling request message.
gprs idle-pdp-context purge-timer: the time that the GGSN waits before purging idle mobile sessions.

Charging Gateway
gprs charging transfer interval: the number of seconds that the GGSN waits before it transfers charging data to the charging gateway.
gprs charging cdr-aggregation-limit: the maximum number of call detail records (CDRs) that the GGSN aggregates in a charging data transfer message to a charging gateway.
gprs charging cg-path-requests: the number of minutes that the GGSN waits before trying to establish the TCP/UDP path to the charging gateway when TCP/UDP is the specified path protocol.
gprs charging cdr-option node-id: the GGSN uses the node ID field in CDRs.
gprs charging cdr-option local-record-sequence-number: the local record sequence number field is used in CDRs on the GGSN.

GGSN parameters and statistics

Routes

Route table (diagram): one entry per tunnel, each with a Tunnel ID (0, 1, ...), an IP address/prefix, a source IP and a destination IP (values blanked in the slide). The GPRS network side is reached through the Virtual-Template interface.

Network Security
User name and password: secret password encryption (the username and password are not displayed in plain text; they are shown in encrypted (MD5) form), applied to Telnet, console and auxiliary access. AAA (authentication, authorization, accounting). RADIUS (Remote Authentication Dial-in User Service) server implementation: auth-port specifies the UDP destination port for authentication requests; acct-port specifies the UDP destination port for accounting requests; radius-server key string specifies the authentication and encryption key shared by the GGSN and the RADIUS daemon.
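The radius-server key string above is the secret that both hides the User-Password attribute and authenticates every reply the RADIUS daemon sends back to the GGSN. As an added example that is not from the slides, the RFC 2865 computations in Python with constructed sample values (SECRET, REQ_AUTH and the user name are placeholders; a real client draws a fresh random Request Authenticator per request):

```python
import hashlib, hmac, struct

# Constructed sample values (not from the slides)
SECRET = b"example-shared-key"      # stands in for the radius-server key string
REQ_AUTH = bytes(range(16))         # fixed here for reproducibility; random in practice

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte chunk is XORed with MD5(secret + previous block)."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def access_request(ident: int, user: bytes, password: bytes,
                   secret: bytes = SECRET, req_auth: bytes = REQ_AUTH) -> bytes:
    """Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = hide_password(password, secret, req_auth)
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user + struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_reply(code: int, ident: int, attrs: bytes = b"",
                req_auth: bytes = REQ_AUTH, secret: bytes = SECRET) -> bytes:
    """What the server sends back, e.g. Access-Accept (code 2) or Access-Reject (code 3)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + \
        response_authenticator(code, ident, attrs, req_auth, secret) + attrs

def verify_reply(reply: bytes, ident: int, req_auth: bytes = REQ_AUTH, secret: bytes = SECRET) -> bool:
    """Accept a reply only if it matches the outstanding request ID and proves
    knowledge of the shared key; a reply forged without the key fails here."""
    if len(reply) < 20 or reply[1] != ident:
        return False
    code, _, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], req_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])
```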

Access policy: a standard access list denies or permits a particular host or network using the source address; an extended access list adds the value of being protocol-specific for the host/network deny/permit policy. Route-map policy. Traffic tunnelling: VPN creation using source and destination tunnel endpoints and a unique network for each APN. VLAN policy, created on the Layer 3 switch for the interface facing the GGSN, which does not permit any other traffic to reach the private network.

IPSec Network Security


IP Security Protocol (IPSec): implemented for data authentication, confidentiality, encryption and integrity between the GGSN and another router on the PDN.

Configuring an IKE (Internet Key Exchange) policy (required):
crypto isakmp policy priority (enters config-isakmp mode)
encryption algorithm: des (56-bit Data Encryption Standard (DES) in Cipher Block Chaining (CBC) mode) or 3des (168-bit)
hash algorithm: sha (Secure Hash Algorithm) or md5 (Message Digest 5)
authentication method: rsa-sig | rsa-encr | pre-share
Diffie-Hellman group identifier: 768-bit or 1024-bit

Configuring pre-shared keys (required when pre-shared authentication is configured):
crypto isakmp key keystring address peer-address
or crypto isakmp key keystring hostname peer-hostname

Configuring transform sets (optional): a transform set is a combination of security protocols and algorithms used to protect a particular data flow during the IPSec security association negotiation.
crypto ipsec transform-set transform-set-name transform1 (enters crypto transform configuration mode)
Encapsulation of the IP packet: mode [tunnel | transport]

Configuring crypto map entries that use IKE to establish security associations (optional): a crypto map entry defines the settings for IPSec peer negotiation.
crypto map map-name seq-num ipsec-isakmp (enters crypto map configuration mode)
match address access-list-id (the traffic to be protected by IPSec)
set peer {hostname | ip-address} (a remote IPSec peer)
set transform-set

WAP access via GGSN

GGSN Summary
