gprs detailed ppt

Need for GPRS/Class of Handsets Protocol Links for GPRS GGSN interfaces Transmission Plane Mobility Management-PDP context MS IPv4 Network Host Brief IP UDP structure TCP structure Router configuration modes MS GPRS/IMSI attach procedure Basics GGSN configuration DNS- Domain Name Server DNS Query Response log GPRS DNS Query Configuring Access Point Name APN Parameters GGSN IP address allocation RADIUS features APN n/w selection flow chart PDP Context Activation procedure NSAPI TLLI TUNNEL ID GTP protocol structure Gn/Gp GTP messages RADIUS Message flow GGSN RADIUS WAP gateway flow Create PDP context request log Create PDP context response log GTP messages log RA area update for different SGSN GPRS GGSN Roaming GGSN PDP context Ga Charging CDR GGSN customization (GTP & GTP') Concept of Tunnel for Security Node Network(IPSec) Security WAP Architecture GSM a subnet – INTERNET GGSN Summary GGSN Basics

Upload: chandan-kumar

Post on 25-Nov-2015


DESCRIPTION

Detailed Overview of Packet Core Network

TRANSCRIPT


  • Why GPRS? General Packet Radio Service

  • Protocol Links for GPRS (network diagram: GPRS MS, BTS, BSC with PCU, MSC/VLR, HLR, AUC, SMSC, SGSN, GGSN, IP backbone, border gateway, firewalls, Internet, corporate network, other GPRS networks; interfaces Um, Gb, Gr, Gp; packet-switching and circuit-switching paths)

  • GGSN interfaces

  • GPRS Transmission Plane

  • State diagram (mobile and SGSN): IDLE, STANDBY, READY; transitions: GPRS Attach, GPRS Detach, PDU Transmission, PDU Reception, READY Timer expiry, Mobile Reachable time expiry

    IDLE: SGSN does not know about the location of the mobile. No logical PDP context activated. No network address (IP) registered for the terminal. No routing of external data possible.

    STANDBY: SGSN tracks the mobile (Routing Area). When downlink data is available, a packet paging message is sent to the routing area. Upon reception, the MS sends its cell location to the SGSN and enters the ACTIVE state.

    READY: SGSN knows the cell of the MS. PDP contexts can be activated/deactivated. May remain in this state even if no data is transmitted (controlled by timer).

    Mobility Management

    GPRS Attach/Detach (towards SGSN/HLR): Makes MS available for SMS over GPRS. Paging via SGSN. Notification of incoming packet.

    PDP Context Activation/Deactivation: Associate with a GGSN. Obtain PDP address (e.g. IP).

    PDP Contexts: Packet Data Protocol (PDP) session. Logical tunnel between MS and GGSN. Anchors SGSN & GGSN for session. PDP activities: Activation, Modification, Deactivation.

  • IP Address as a 32-Bit Binary Number; IP Address Classes; Hosts for Classes of IP Addresses

  • IP, UDP

  • TCP

  • Different Router Modes

    User EXEC Mode: Router> (enter "enable" to move to Privileged EXEC Mode)

    Privileged EXEC Mode: Router# (enter "config term" to move to Global Configuration Mode)

    Global Configuration Mode: Router(config)# (leave with Exit or Ctrl-Z (end))

    Configuration Mode and Prompt: Interface, Router(config-if)#; Line, Router(config-line)#; Router, Router(config-router)#; Access-list mode, Router(access-list)#

  • The GGSN requires a logical interface called a virtual template to be configured. A virtual template interface is a logical entity (a configuration for an interface but not tied to a physical interface) that can be applied dynamically as needed to facilitate configuration of connections between the GGSN and SGSN, and the GGSN and PDNs.

  • DNS Message Format: HEADER; QUESTIONS; ANSWERS (Resource Records); AUTHORITY (Resource Records); ADDITIONAL (Resource Records)

    DNS-Domain Name Server

  • DNS response

  • APN Parameters

  • The GGSN uses the Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to mobile station users who need to access the PDN (Packet Data Network). The GGSN can use local DHCP services within the Cisco IOS Software, or it can be configured to use an external DHCP server.

    Remote Authentication Dial-In User Service (RADIUS): The GGSN uses the RADIUS server for a particular access point to authenticate mobile users for access to a PDN.

    Security (AAA): Authentication, Authorization, and Accounting. Mobile user access.

  • APN Flow diagram

  • Tunnel ID creation. An IP address is a logical address, not a hardware address; similarly, it is mapped to the IMSI or MSISDN of any MS SIM card. TID: IP addressing is designed to allow a host to communicate with a host on a different network, e.g. Internet or inter-PLMN.

  • GTP v0: UDP port 3386 (GPRS signal + data). GTP v1: UDP port 2123 (GTP-C), UDP port 2152 (GTP-U).

  • Signalling Plane

    Tunnel Management messages: Create PDP Context Request; Create PDP Context Response; Update PDP Context Request; Update PDP Context Response; Delete PDP Context Request; Error Indication; PDU Notification Request; PDU Notification; PDU Notification Reject Request; PDU Notification Reject Response

    Mobility Management messages: Identification Request; Identification Response; SGSN Context Request; SGSN Context Response; SGSN Context Acknowledge

    Information elements: Cause; International Mobile Subscriber Identity (IMSI); Temporary Logical Link Identity (TLLI); Quality of Service (QoS) Profile; PDP Context; Access Point Name; MS International PSTN/ISDN Number (MSISDN); Charging ID; End User Address; Protocol Configuration Options; GSN Address; Charging Gateway

    Transmission Plane: Protocol Stack; Usage of the GTP Header; Usage of the Sequence Number; Tunnelling between SGSN and GGSN

    Protocol errors: Different GTP version; GTP Message too short; Unknown GTP signalling message; Unexpected GTP signalling message; Missing mandatorily present information element; Invalid Length; Invalid mandatory information element; Invalid optional information element; Unknown information element; Out of sequence information elements; Unexpected information element; Repeated information elements; Incorrect optional information elements

    Path failure

    Error handling

    Path Protocols: UDP/IP; UDP Header (Signalling request messages, Signalling response messages, Encapsulated T-PDUs); IP Header; TCP Header

    Gn /Gp GTP Messages
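
The header checks behind several of the protocol errors listed above, as an added example that is not part of the original slides. It assumes the GTPv1 header layout and message type codes of 3GPP TS 29.060; the function names, the partial type table and the sample datagram are constructed for illustration.

```python
import struct

# Type codes (3GPP TS 29.060) for messages named on the slide; a production
# table would list every type defined by the specification.
MSG_TYPES = {
    1: "Echo Request", 2: "Echo Response",
    16: "Create PDP Context Request", 17: "Create PDP Context Response",
    18: "Update PDP Context Request", 19: "Update PDP Context Response",
    20: "Delete PDP Context Request", 21: "Delete PDP Context Response",
    26: "Error Indication", 27: "PDU Notification Request",
    48: "Identification Request", 50: "SGSN Context Request", 255: "G-PDU",
}
GTP_C_PORT, GTP_U_PORT = 2123, 2152         # GTP v1 ports given on the slide
USER_PLANE = {1, 2, 26, 255}                # types carried on the GTP-U port
CONTROL_PLANE = set(MSG_TYPES) - {26, 255}  # types carried on the GTP-C port

class GtpError(ValueError):
    """Carries the name of the protocol error that was detected."""

def parse_gtpv1(datagram: bytes, udp_port: int) -> dict:
    if len(datagram) < 8:                   # mandatory header is 8 bytes
        raise GtpError("GTP message too short")
    flags, mtype, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1:                     # version is the top three bits
        raise GtpError("different GTP version")
    if length != len(datagram) - 8:         # added sanity check on the header
        raise GtpError("length field mismatch")
    if mtype not in MSG_TYPES:
        raise GtpError("unknown GTP signalling message")
    allowed = USER_PLANE if udp_port == GTP_U_PORT else CONTROL_PLANE
    if mtype not in allowed:                # here: wrong plane for this type
        raise GtpError("unexpected GTP signalling message")
    seq = None
    if flags & 0x07:                        # E, S or PN set: 4 more header bytes
        if length < 4:
            raise GtpError("GTP message too short")
        if flags & 0x02:                    # S flag: sequence number is present
            seq = struct.unpack("!H", datagram[8:10])[0]
    return {"message": MSG_TYPES[mtype], "teid": teid, "seq": seq}

def verdict(datagram: bytes, udp_port: int) -> str:
    """Message name on success, otherwise 'drop: <protocol error>'."""
    try:
        return parse_gtpv1(datagram, udp_port)["message"]
    except GtpError as err:
        return "drop: %s" % err

# Constructed sample: Create PDP Context Request (S flag set, seq 0x1234,
# TEID 0) carrying an IMSI element for the test IMSI 001010123456789.
SAMPLE = bytes.fromhex("3210000d00000000" "12340000" "02" "00010121436587f9")
```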

  • GGSN RADIUS gateway WAP flow

  • Delete PDP Context Request; Delete PDP Context Response; T-PDU; Data Record Transfer Response

  • GPRS Roaming

  • GGSN MM Records

  • CDR overview (diagram: MS, SGSN, GGSN, CG, ISP; PDP context with unique tunnel ID; mobility management context; M-CDRs, S-CDRs, G-CDRs; Ga interface, GTP protocol)

    gprs default charging-gateway: IP address or name (primary, secondary)

  • GGSN customization

    gprs maximum-pdp-context-allowed: The maximum number of PDP contexts (mobile sessions) that can be activated on the GGSN.

    gprs gtp path-echo-interval: The number of seconds that the GGSN waits before sending an echo-request message to check for GTP path failure.

    gprs gtp n3-requests: The maximum number of times that the GGSN attempts to send a signaling request.

    gprs gtp t3-response: The maximum time that the GGSN waits to respond to a signaling request message.

    gprs idle-pdp-context purge-timer: The time that the GGSN waits before purging idle mobile sessions.

    gprs charging transfer interval: The number of seconds that the GGSN waits before it transfers charging data to the charging gateway.

    gprs charging cdr-aggregation-limit: The maximum number of call detail records (CDRs) that the GGSN aggregates in a charging data transfer message to a charging gateway.

    gprs charging cg-path-requests: The number of minutes that the GGSN waits before trying to establish the TCP/UDP path to the charging gateway when TCP/UDP is the specified path protocol.

    gprs charging cdr-option node-id: The GGSN uses the node ID field in CDRs.

    gprs charging cdr-option local-record-sequence-number: The local record sequence number field is used in CDRs on the GGSN.

    GTP, Charging Gateway

  • GGSN parameters and statistics

  • Tunnel ID 0: IP address _._._._/_, Source IP _._._._, Destination IP _._._._

    Tunnel ID 1: IP address _._._._/_, Source IP _._._._, Destination IP _._._._

    GPRS Network; Virtual Template; Routes

  • Network Security

    User name and password: secret password encryption (the username and password are not displayed in plain text; they are displayed in encrypted form, MD5). (Telnet, Console, Auxiliary)

    AAA (authentication, authorization, accounting): RADIUS (Remote Authentication Dial-In User Service) server implementation

    auth-port: Specifies the UDP destination port for authentication requests. acct-port: Specifies the UDP destination port for accounting requests. radius-server key string: Specifies the authentication and encryption key for the GGSN and the RADIUS daemon.

    Access Policy. Standard Access List: Deny/Permit a particular host or network using the source address. Extended Access List: added value of being protocol specific for host/network Deny/Permit policy. Route Map policy.

    Traffic Tunnelling: VPN creation using source and destination tunnel and a unique network for each APN. VLAN policy created on the Layer 3 switch for the interface with the GGSN, which does not permit any other traffic to reach the private network.

  • IPSec Network Security

    IP Security Protocol (IPSec): The IP security protocol is implemented for data authentication, confidentiality, encryption and integrity between the GGSN and another router on the PDN.

    Configuring an IKE (Internet Key Exchange) Policy (Required): crypto isakmp policy priority (config-isakmp mode). Encryption algorithm: des (56-bit Data Encryption Standard (DES), Cipher Block Chaining (CBC)) or 3des (168-bit). Hash algorithm: sha (Secure Hash Algorithm) or md5 (Message Digest 5). Authentication method: rsa-sig | rsa-encr | pre-share. Diffie-Hellman group identifier: 768-bit or 1024-bit.

    Configuring Pre-Shared Keys (Required when pre-shared authentication is configured): crypto isakmp key keystring address peer-address, or crypto isakmp key keystring hostname peer-hostname

    Configuring Transform Sets (Optional): A transform set is a combination of security protocols and algorithms for protecting a particular data flow, used during the IPSec security association negotiation. Transform set: crypto ipsec transform-set transform-set-name transform1 (crypto transform configuration mode). Encapsulation of IP packet: mode [tunnel | transport]

    Configuring Crypto Map Entries that Use IKE to Establish Security Associations (Optional): Defines the settings for IPSec peer negotiation using a crypto map entry.

    crypto map map-name seq-num ipsec-isakmp (crypto map configuration mode); match address access-list-id (the traffic to be protected by IPSec); set peer {hostname | ip-address} (a remote IPSec peer); set transform-set
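
An audit of the IKE policy options listed above, as an added example that is not part of the original slides. It flags the weakest choices among them (des, md5 and the 768-bit group 1) and fills in settings that classic Cisco IOS leaves out of the running configuration; the defaults table, function names and sample configuration are assumptions made for this example.

```python
import re

# Values in effect when a policy line is absent: classic Cisco IOS omits
# defaults from the running config (assumption: IOS 12.x-era defaults).
DEFAULTS = {"encryption": "des", "hash": "sha",
            "authentication": "rsa-sig", "group": "1"}
# Weakest choices among the options the slide lists (group 1 = 768-bit DH).
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}

def parse_policies(config: str) -> dict:
    """Map IKE policy priority -> effective settings, defaults filled in."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), dict(DEFAULTS))
        elif current is not None and line.startswith(" "):
            words = line.split()
            if len(words) >= 2:
                # The running config abbreviates "encryption" to "encr".
                key = {"encr": "encryption"}.get(words[0], words[0])
                if key in DEFAULTS:
                    current[key] = words[1]
        else:
            current = None              # left the policy sub-mode
    return policies

def audit(config: str) -> list:
    """Return (priority, setting, value) for every weak effective setting."""
    return [(prio, field, policy[field])
            for prio, policy in sorted(parse_policies(config).items())
            for field, bad in WEAK.items() if policy[field] in bad]

# Constructed sample configuration; the peer address and key are placeholders.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 30
 authentication pre-share
crypto isakmp key <keystring> address 192.0.2.10
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("weak IKE setting: policy %d %s %s" % finding)
```

Policy 30 sets only the authentication method, so it is reported for des and group 1 even though neither keyword appears in its block.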

  • WAP access via GGSN

  • GGSN Summary