Cisco Prime Network 4.3 User Guide

27-137
Cisco Prime Network 4.3.2 User Guide
EDCS-1524415
Chapter 27 Managing Mobile Networks
LTE Networks
Table 27-88 Crypto Template Details (continued)

Field: Description

Notify Payload - Half Open Session Start: The initial count of half-open sessions per IPSec manager. Transmission of information starts only when the number of half-open sessions currently open exceeds this starting count.
  Note: A session is considered half open if a Packet Data Interworking Function (PDIF) has responded to an IKEv2 INIT request with an IKEv2 INIT response, but no further messages were received on that IKE SA.
Notify Payload - Half Open Session End: The maximum count of half-open sessions per IPSec manager. Transmission of information stops when the number of half-open sessions currently open is less than this count.
Authentication Local: The local gateway key used for authentication.
Authentication Remote: The remote gateway key used for authentication.
Keepalive Interval: The period of time (in seconds) that must elapse before the next keepalive request is sent.
Keepalive Retries: The period of time (in seconds) that must elapse before the keepalive request is resent.
Keepalive Timeout: The keepalive time (in seconds) for dead peer detection.
Maxchild SA Count: The maximum number of child SAs per IKEv2 policy, which can be any value between 1 and 4.
Maxchild SA Overload Action: The action to be taken when the specified soft limit for the maximum number of SAs is reached, which can be any one of the following:
  Ignore—The IKEv2 stack ignores the specified soft limit for the SA and allows new SAs to be created.
  Terminate—The IKEv2 stack does not allow new child SAs to be created when the specified soft limit is reached.
NAI CustomIDr: The unique user-specified identification number to be used in the crypto template for the Network Access Identifier (NAI).

Crypto Template Payloads
Payload Instance: The payload instance configured for the crypto template.
Payload Name: The unique name of the crypto template payload.
Ignore Rekeying Requests: Indicates whether IKESA rekeying requests must be ignored.
IP Address Allocation: The IP address allocation scheme configured for the crypto template payload.
Lifetime: The lifetime (in seconds) of the IPSec child Security Associations derived from the crypto template.
Lifetime (KB): The lifetime (in kilobytes) of the IPSec child Security Associations derived from the crypto template.

Crypto Template IKESA
IKESA Instance: The IKESA instance configured for the crypto template.
Allow Empty IKESA: Indicates whether an empty IKESA is allowed. By default, an empty IKESA is not allowed.
Certificate Sign: The certificate signing scheme to be used. This field defaults to pkcs1.5.
Ignore Notify Protocol ID: Indicates whether the IKEv2 Exchange Notify Payload Protocol-ID values must be ignored for strict RFC 4306 compliance.
Ignore Rekeying Requests: Indicates whether IKESA rekeying requests must be ignored.
Keepalive User Activity: Indicates whether the user inactivity timer must be reset when keepalive messages are received from the peer.
Max Retransmission Count: The maximum number of retransmissions of an IKEv2 IKE exchange request that is allowed if a corresponding IKEv2 IKE exchange response is not received.
Policy Congestion Rejection Notify Status: Indicates whether an error notification message must be sent in response to an IKE_SA_INIT exchange when IKESA sessions can no longer be established.
Policy Error Notification: Indicates whether an error notification message must be sent for an invalid IKEv2 exchange message ID or syntax.
Rekey: Indicates whether IKESA rekeying must occur before the configured lifetime expires (at approximately 90% of the lifetime interval). By default, rekeying is not allowed.
Retransmission Timeout: The time period (in milliseconds) that must elapse before an IKEv2 IKE exchange request is retransmitted when a corresponding response is not received.
Setup Timer: The number of seconds before an IKEv2 security association that is not fully established is terminated.
Mobike: Indicates whether the MOBIKE attribute is enabled for the IKESA.
RFC Notification: Indicates whether RFC 5996 notifications are sent or received.
Ignore Notify Protocol ID: Indicates whether the IKEv2 Informational Exchange Notify Payload protocol ID is ignored for strict RFC 4306 compliance.

Notify Payload Error Message Attributes
Notify UE: Displays the value for UE-related errors.
Network Transient Minor: Displays the value for minor transient network errors.
Network Transient Major: Displays the value for major transient network errors.
Network Permanent: Displays the value for permanent network errors.

OCSP Attributes
OCSP Responder Address: Displays the IPv4 address of the OCSP responder.
OCSP Responder Port: Displays the port of the OCSP responder.
OCSP HTTP Version: The HTTP version (1.0 or 1.1) used to communicate with the OCSP responder.

Viewing the EAP Profile Details

To view the EAP Profile details:

Step 1 Right-click the required device in the Vision client and choose Inventory.
Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Security Association > EAP Profile. The list of profiles is displayed in the content pane.
Step 3 In the EAP Profile node, choose the profile. The profile details are displayed in the content pane.

Table 27-89 displays the EAP Profile details.

Table 27-89 EAP Profile Details

Field: Description

Name: The unique name of the EAP Profile.
Mode: The operative mode of the EAP profile, which can be any one of the following:
  Authenticator Pass Through—Indicates that the EAP Authentication Requests must be passed to an external EAP Server.
  Authenticator Terminate—Indicates that the EAP must act as an EAP Authentication Server.
Authentication Method: The EAP authentication method to be used for the profile, which can be any one of the following:
  If the Mode is Authenticator Pass Through:
    –eap-aka
    –eap-gtc
    –eap-md5
    –eap-sim
    –eap-tls
  If the Mode is Authenticator Terminate:
    –eap-gtc
    –eap-md5

Viewing the Transform Set Details

To view the Transform Set details for IKEv2 IPSec/IKEv2:

Step 1 Right-click the required device in the Vision client and choose Inventory.
Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Security Association > Transform Set > IKEv2 IPSec Transform Set or IKEv2 Transform Set. The list is displayed in the content pane.
Step 3 In the IKEv2 IPSec Transform Set or IKEv2 Transform Set node, choose the transform set. The relevant details are displayed in the content pane.

Table 27-90 displays the IKEv2 IPSec Transform Set or IKEv2 Transform Set details.

Table 27-90 IKEv2 IPSec Transform Set/IKEv2 Transform Set Details

Field: Description

Name: The name of the transform set.
DH Group: The Diffie-Hellman (DH) group for the transform set, which can be any one of the following:
  1—Diffie-Hellman Group 1: 768-bit MODP Group
  2—Diffie-Hellman Group 2: 1024-bit MODP Group
  5—Diffie-Hellman Group 5: 1536-bit MODP Group
  14—Diffie-Hellman Group 14: 2048-bit MODP Group
  This field defaults to 2 (Diffie-Hellman Group 2: 1024-bit MODP Group).
  Note: The DH group determines the length of the prime numbers used during the IKEv2 key exchange. The cryptographic strength of any derived key depends in part on the strength of the DH group on which those primes are based.
Cipher: The encryption algorithm and encryption key length for the IKEv2 IKE security association, which can be any one of the following:
  3des-cbc
  aes-cbc-128
  aes-cbc-256
  des-cbc
  null
  This field defaults to aes-cbc-128.
HMAC: The Hash Message Authentication Code (HMAC) for the IKEv2 IPSec transform set, which can be any one of the following:
  aes-xcbc-96
  md5-96
  sha1-96
  sha2-256-128
  sha2-384-192
  sha2-512-256
  This field defaults to sha1-96.
  Note: HMAC is a type of message authentication code calculated using a cryptographic hash function in combination with a secret key, verifying both data integrity and message authenticity. The hash takes a message of any size and transforms it into a fixed-size value (the authenticator value), which is truncated and transmitted.
Mode: The encapsulation mode for the transform set, which can be any one of the following:
  transport
  tunnel
ESN: Enables the Extended Sequence Number (ESN) for IPSec (ESP/AH).
PRF: The Pseudo-random Function (PRF) for the transform set, which can be any one of the following:
  aes-xcbc-128
  md5
  sha1
  sha2-256
  sha2-384
  sha2-512
  This field defaults to sha1 and applies only to IKEv2 transform sets.
  Note: The PRF generates the keying material for all cryptographic algorithms. It produces a string of bits that cannot be distinguished from a random bit string without the secret key.
Life Time: The time period for which the secret keys used for various aspects of a configuration are valid (before they time out). This field applies only to IKEv2 transform sets.

Viewing the ePDG Configuration Details

To view the ePDG configuration details:

Step 1 Right-click the required device in the Vision client and choose Inventory.
Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Mobile > EPDG. The list of EPDG services configured in Prime Network is displayed in the content pane.
Step 3 From the EPDG node, choose an EPDG service. The EPDG service details are displayed in the content pane.

Table 27-91 displays the EPDG service details.
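Before the ePDG tables, an added example that refers back to the transform set fields of Table 27-90 above. This Python is written for this page and is not code from the Cisco guide or from Prime Network. It does two things a reviewer of an IKEv2 transform set wants to see: it computes a truncated HMAC integrity check value (ICV) for the sha/md5 transform names in the HMAC row, where the trailing number of each name is the number of bits kept after truncation (the behaviour the HMAC note describes), and it audits a transform set against a baseline. The baseline (DH modulus of at least 2048 bits, no des-cbc, 3des-cbc, null or md5) is this example's assumption, not a setting from the guide, and the dictionary keys, sample key and sample message are constructed for the demonstration.

```python
"""Added example (not from the Cisco Prime Network guide): review IKEv2 transform-set
fields as listed in Table 27-90 and compute a truncated HMAC integrity check value."""
import hmac

# Integrity transform names from Table 27-90, mapped to the underlying hash and the
# number of ICV bits kept after truncation (the trailing number in each name).
# aes-xcbc-96 is a block-cipher MAC rather than an HMAC, so it is not handled here.
HMAC_TRANSFORMS = {
    "md5-96": ("md5", 96),
    "sha1-96": ("sha1", 96),
    "sha2-256-128": ("sha256", 128),
    "sha2-384-192": ("sha384", 192),
    "sha2-512-256": ("sha512", 256),
}

# MODP modulus sizes for the DH groups listed in Table 27-90.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


def compute_icv(transform: str, key: bytes, message: bytes) -> bytes:
    """Return the truncated HMAC over message, as a peer would transmit it."""
    hash_name, trunc_bits = HMAC_TRANSFORMS[transform]
    full_tag = hmac.new(key, message, hash_name).digest()
    return full_tag[: trunc_bits // 8]


def verify_icv(transform: str, key: bytes, message: bytes, received_icv: bytes) -> bool:
    """Recompute the ICV and compare it in constant time; the truncated tag is still
    secret-dependent, so a plain == comparison would leak timing information."""
    expected = compute_icv(transform, key, message)
    return hmac.compare_digest(expected, received_icv)


def audit_transform_set(ts: dict, min_dh_bits: int = 2048) -> list:
    """Flag weak choices in a transform set given as a dict with the hypothetical keys
    name, dh_group, cipher, hmac and prf. The thresholds are this example's baseline."""
    findings = []
    bits = DH_GROUP_BITS.get(ts["dh_group"])
    if bits is None:
        findings.append(f"unknown DH group {ts['dh_group']}")
    elif bits < min_dh_bits:
        findings.append(f"DH group {ts['dh_group']} is {bits}-bit MODP, below {min_dh_bits} bits")
    cipher = ts["cipher"].lower()
    if cipher == "null":
        findings.append("cipher null provides no confidentiality")
    elif cipher in ("des-cbc", "3des-cbc"):
        findings.append(f"cipher {cipher} is a legacy 64-bit block cipher")
    if ts["hmac"] == "md5-96":
        findings.append("integrity md5-96 uses a legacy hash")
    if ts.get("prf") == "md5":
        findings.append("PRF md5 uses a legacy hash")
    return findings


# Constructed sample built from the field defaults quoted in Table 27-90
# (group 2, aes-cbc-128, sha1-96, sha1); the name is made up.
DEFAULT_TRANSFORM_SET = {
    "name": "example-default",
    "dh_group": 2,
    "cipher": "aes-cbc-128",
    "hmac": "sha1-96",
    "prf": "sha1",
}

if __name__ == "__main__":
    key = b"constructed-example-key"          # constructed, not a real SA key
    msg = b"constructed IKEv2 payload bytes"  # constructed sample input
    icv = compute_icv("sha2-256-128", key, msg)
    print(f"sha2-256-128 ICV is {len(icv) * 8} bits: {icv.hex()}")
    print("verify:", verify_icv("sha2-256-128", key, msg, icv))
    for finding in audit_transform_set(DEFAULT_TRANSFORM_SET):
        print("finding:", finding)
```

Run against the defaults, the audit reports only the 1024-bit DH group, which is the one field a reviewer would want changed before relying on the default transform set.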
    						
    							  
Table 27-91 EPDG Service Details

Field: Description

Service Name: The unique name of the ePDG service.
Status: The status of the ePDG service, which can be any one of the following:
  Initiated
  Running
  Down
  Started
  Nonstarted
IP Address: The IPv4 address of the ePDG service.
UDP Port: The User Datagram Protocol (UDP) port of the ePDG service.
Crypto Template: The name of the IKEv2 crypto template to be used by the ePDG service. This template defines the cryptographic policy for the ePDG service.
Max Sessions: The maximum number of sessions allowed for the ePDG service.
PLMN ID: The unique identification code of the Public Land Mobile Network (PLMN) for the ePDG service. This ID is made up of the Mobile Country Code (MCC) and the Mobile Network Code (MNC).
MAG Service Context: The name of the context where the Mobile Access Gateway (MAG) services are configured. If a MAG service is not configured for the ePDG service, one of the MAG services defined in the context is selected.
MAG Service: The name of the MAG service that handles the mobile IPv6 sessions.
Setup Timeout: The maximum time (in seconds) allowed for session setup.
DNS PGW Client Context: The name of the context where the Domain Name System (DNS) client is configured for Packet Data Network Gateway (PGW) selection.
DNS PGW Selection: The criteria used to select a PGW service from the DNS, based on the topology and/or weight from the DNS.
FQDN: The Fully Qualified Domain Name (FQDN), which is used for longest suffix match during dynamic allocation.
PGW Selection Agent Info Error Action: The action to be taken when the expected MIP6 agent information is not received from Authentication, Authorization, and Accounting (AAA) or Hosting Solution Software (HSS).
User Name MAC Address Stripping: Indicates whether the MAC address in the username obtained from the user equipment must be stripped.
User Name MAC Address Validation: Indicates whether the MAC address in the username obtained from the user equipment must be validated.
User Name MAC Address Validation Failure Action: The action that must be taken when validation of the MAC address in the username obtained from the user equipment fails.
New Call Policy: The busy-out policy that must be followed to reject incoming calls from individual users.

Table 27-91 EPDG Service Details (continued)

Field: Description

PGW Selection Mechanism: The preferred method of PGW selection configured for the ePDG service, either local configuration or DNS/AAA server based PGW selection. By default, local configuration based PGW selection is used as the fallback mechanism.
QCI QOS Mapping: The associated QCI QoS mapping table.
MAC Address Delimiter: The MAC address delimiter configured for the username.
Subscriber Map: The subscriber map association used to obtain the PGW address locally.
IP Fragment Chain Timeout: The IP fragment chain setting used during TFT handling: the time (in seconds) to hold an IP fragment chain. The value is an integer between 1 and 10; the default is 5.
Max Out of Order Fragment: The number of fragments to buffer per fragment chain for out-of-order reception before the first fragment is received (for L4 packet filtering). The value is an integer between 0 and 300.
Bind: Binds the service to an IP address and the associated maximum number of subscribers.
Custom SWm-SWu Error Mapping: Customized mapping of SWm errors to SWu Notify Error Types.
Custom S2b SWu Error Mapping: Allows duplicate precedence in a TFT for an S2b ePDG session.
Data Buffering: Allows downlink packets to be buffered while the session is in the connecting state. Enabled by default.
PDN Type: Specifies the PDN type of IPv6 parameters for the ePDG service.
GTPC Load Control Profile: The GTPC load control profile associated with the ePDG.
GTPC Overload Control Profile: The GTPC overload control profile associated with the ePDG.
Idle Timeout: The subscriber time-to-live (TTL) settings for the EPDG service.
Ebi End Value: The end value of the EBI range. The end value must be greater than or equal to the start value.
Reporting Action Event Record: Indicates whether events are reported.
Micro Checkpoint Periodicity: The micro checkpoint periodicity for a subscriber.
Micro Checkpoint Deemed Idle: The micro checkpoint duration after which a subscriber's UE is deemed idle.
Ebi Start Value: The start value of the EBI range for bearer-id allocation (applicable only for GTPv2-S2b).

Viewing EPDG S2b Service Interface Properties

To view the ePDG S2b configuration details:

Step 1 Right-click the required device in the Vision client and choose Inventory.
Step 2 In the Logical Inventory window, choose Logical Inventory > Context > Mobile > EPDG. The list of EPDG services configured in Prime Network is displayed in the content pane.
Step 3 From the EPDG node, choose S2b Service Interface. The EPDG S2b Service Interface details are displayed in the content pane.

Table 27-92 displays the EPDG S2b Service Interface details.

Table 27-92 EPDG S2b Service Interface Details

Field: Description

Vendor Specific DNS Server Request: Configures the vendor-specific attribute values on the PMIP based S2b interface. Configures the DNS server address to be present in the PCO/APCO IE. The default setting is to use the APCO IE.
Duplicate Precedence in TFT: Allows duplicate precedence in a TFT for an S2b ePDG session.
Vendor Specific PCSCF Server Request: The vendor-specific attribute values on the PMIP based S2b interface. Configures the PCSCF server address to be present in the APCO/PrivateExtn IE. The default setting is to use the PrivateExtension IE.

Configuration Commands for ePDG

The following ePDG commands can be launched from the logical inventory by choosing Context > Commands > Configuration or Context > Commands > Show. Your permissions determine whether you can run these commands (see Permissions Required to Perform Tasks Using the Prime Network Clients, page B-1). To find out if a device supports these commands, see the Cisco Prime Network 4.3.2 Supported Cisco VNEs.

Table 27-93 ePDG Configuration Commands

Command / Navigation / Description

Create ePDG Service
  Navigation: Right-click context > Commands > Configuration > Mobility > Create ePDG
  Description: Use this command to create a new ePDG service.
Modify ePDG Service
  Navigation: Expand EPDG Node > right-click EPDG service > Commands > Configuration
  Description: Use this command to modify the configuration details for an ePDG service.
Delete ePDG Service
  Navigation: Expand EPDG Node > right-click EPDG service > Commands > Configuration
  Description: Use this command to delete an ePDG service.
Show ePDG Service
  Navigation: Expand EPDG Node > right-click EPDG service > Commands > Show
  Description: Use this command to view and confirm the configuration details of an ePDG Service.

Monitoring Packet Data Serving Node (PDSN)

Packet Data Serving Node, or PDSN, is a component of the Code Division Multiple Access (CDMA) 2000 mobile network. It acts as a connection point between the Radio Access Network (RAN) and the IP network. PDSN also manages PPP sessions between the mobile provider’s core IP network and the mobile node.

In other words, it provides access to the Internet, intranets, and application servers for mobile stations that use a CDMA2000 RAN. Acting as an access gateway, PDSN provides simple IP and mobile IP access, foreign agent support, and packet transport for virtual private networking. It acts as a client for Authentication, Authorization, and Accounting (AAA) servers and provides mobile stations with a gateway to the IP network.

PDSN Configurations

The following paragraphs describe the different configurations for PDSN:

Simple IP—In this protocol, the mobile user is assigned an IP address dynamically. The user can use this IP address within a defined geographical area; the address is lost when the user moves out of that area. If the user moves out of the designated area, they must register with the service provider again to obtain a new IP address. Figure 27-16 depicts the working of this protocol.

Figure 27-16 Simple IP configuration for PDSN

Mobile IP—In this protocol, the mobile user is assigned a static or dynamic IP address, which is basically the “home address” assigned by the user’s Home Agent (HA). Even if the user moves out of the home network, the IP address does not change and is not lost. This enables the user to use applications that require seamless mobility, such as transferring files. How does this work? The Mobile IP protocol provides a network-layer solution that allows mobile nodes to receive IP packets from their home network even when they are connected to a visitor network. The PDSN in the visitor’s network acts as a Foreign Agent (FA), which assigns a Care-of Address (CoA) to the mobile node and establishes a virtual session with the mobile node’s HA. IP packets are encapsulated into IP tunnels and transported between the FA, HA and mobile node. Figure 27-17 depicts the working of this protocol.

[Figure labels recovered from the page image: Radio Tower, Radio Access Network (RAN), BSC/PCF, MN, PDSN, PPP, Foreign AAA, R-P Interface, Internet or PDN, IP; figure ID 320495]