Information is subject to change without notice. Nortel Networks reserves the right to make changes in design or components as
progress in engineering and manufacturing may warrant.
Contivity, Shasta and Nortel are trademarks of Nortel Networks. All other trademarks are the property of their respective owners.
Trademarks are acknowledged with an asterisk (*) at their first appearance in the document.
iv Nortel Networks Confidential
Publication history
September 2002, Standard 3.05
This is the first Standard version of this student guide.
GPRS 4.0 & UMTS 2.0 Shasta GGSN OA&M - Student Guide GGSN 2.0
Contents 1
About this course ix
Introduction ix
Items of prerequisite knowledge ix
Course concepts xi
Course objectives xii
Course agenda xiv
Support material xiv
Lesson 1
Welcome and introduction 17
Course UM642 layout 18
Lesson 1 - slides 20
Lesson 2
Review: the GGSN in GPRS / UMTS networks 27
Lesson 2 - slides 28
Lesson 3
Software overview and installation 55
Lesson 3 - slides 56
Lesson 4
Configuration: basic 75
Lesson 4 - slides 76
Lesson 5
Configuration: network access models 95
Lesson 5 - slides 96
Lesson 6
Configuration: IP services 129
Lesson 6 - slides 130
Lesson 7
Introduction to maintenance and troubleshooting 167
Lesson 7 - slides 168
List of tables
Table 1 Course UM642, prerequisite knowledge x
Table 2 Course UM642, concepts reviewed or taught in class xi
Table 3 Course UM642, objectives xii
Table 4 Course UM642, organization xiv
Table 5 Network model configuration options 98
Table 6 IP services and network access models 136
Table 7 Firewall policy 142
Table 8 Simple IP security rules 144
Table 9 Simple IP VPN security rules 144
Introduction
The Shasta GGSN OA&M course, building on your understanding of GPRS
and UMTS network concepts as well as the Shasta hardware, will give you
the theoretical and practical knowledge needed to perform the main tasks
associated with operating and provisioning a Shasta GGSN. This is a leader-
led, hands-on course. Each module has two types of activities: lecture by the
instructor, followed by structured activities (labs) performed by the student.
Each of these activities is described in this Student Guide, which in turn
references NTP #411-5221-927, Shasta GGSN Procedures Reference
Manual.
10. Understand the UNIX environment enough to issue the commands needed to configure the Shasta SCS server (Desirable)
Course concepts
Table 2 contains a list of concepts reviewed or taught in class. Each concept is
mapped to the module in the course in which it is reviewed or taught.
Table 2: Course UM642, concepts reviewed or taught in class
20. Know how to find and interpret software alarms, messages, and logs (Lesson 7)
Course objectives
Table 3 lists the tasks which are considered essential to the operation and
provisioning of a Shasta GGSN. The course’s objective is for you to be able
to perform the following tasks. Each task is mapped to the module in the
course in which it is taught.
Table 3: Course UM642, objectives
25. Perform shut down and restart, including put in service and take out of service (Lesson 7)
Course agenda
The course will be organized as shown in Table 4 below.
Table 4: Course UM642, organization
Day 1
Pre-test 0.25
Day 2
4 - Configuration: basic (continued) 1.0 15-17 7-13
Day 3
Post-test 0.25
Support material
This is a list of other information sources which may help you understand the
operation of the GPRS and UMTS networks:
• GPRS Conformance Guide, 411-5221-201
• Core Network Troubleshooting Guide, 411-5221-501
• GGSN Users Guide (Shasta), 411-5221-926
• Shasta GGSN Procedures Reference Manual, 411-5221-927
• SGSN Users Guide, 411-5221-955
• SIG Users Guide, 411-5221-957
Lesson 1
Welcome and introduction
This chapter contains slides and notes for the “Welcome and introduction”
session, and for Lesson 1.
Course UM642 layout
The length of this lesson, and the material to be covered, is as follows:
Lesson 1 - slides
After an initial welcome, personal introductions, and a description of the
training facility (such as location of washrooms, cafeteria, and fire escapes),
the course will begin with an explanation of the course objectives.
The detailed list of objectives is contained in Table 2 (p. xi) and Table 3
(p. xii).
It is assumed that you are familiar with GPRS / UMTS and Internet Protocol
(IP) data-networking concepts.
Lesson 2
Review: the GGSN in GPRS / UMTS
networks
This chapter contains slides and notes for Lesson 2.
Lesson 2 - slides
This module reviews the role of the GGSN in GSM/GPRS and UMTS
networks. It also details GGSN functionality, hardware, and basic subscriber
data flow.
The GSNs are responsible for mobile station (MS) connection to the network,
authentication, route initialization, packet routing to and from external packet
data networks, application of IP services, and charging functions.
• The serving GPRS support node (SGSN), which is at the same hierarchical
level as the MSC, keeps track of the individual MS location and performs
security functions and access control. The SGSN is connected to the base
station system with Frame Relay.
• The gateway GPRS support node (GGSN) provides internetworking with
external packet-switched networks, and is connected to SGSNs via an IP
based GPRS backbone network.
In order to access the GPRS services, an MS has to register with the SGSN.
The SGSN then facilitates setting up a packet data context between the MS
and the GGSN. Once a packet data context exists between the MS and GGSN,
interworking with external data networks can commence. All subscriber
traffic is tunneled between the SGSN and GGSN using the GTP protocol.
[Figure: GPRS network architecture. Two PLMNs (PLMN 1 and PLMN 2) are joined through border gateways (BG) over the Gp interface. Within PLMN 1 the packet-switched data path from the MS to an external PDN runs TE - MT - Um - BTS - BSC - Gb - SGSN - Gn - GGSN - Gi; the SGSN also connects to the MSC/VLR (Gs), the SMS-GMSC/SMS-IWMSC (Gd) and the HLR (Gr). Border gateways are used to connect GSNs in different PLMNs.
Legend: BG border gateway; BSC base station controller; BTS base transceiver station; GGSN gateway GPRS support node; HLR home location register; MS mobile station; MT mobile terminal; MSC mobile services switching centre.]
UMTS
Unlike GPRS, which is a set of bearer services for GSM networks, UMTS is a
complete telecommunications network capable of delivering advanced
teleservices and bearer services. The integrated voice and data packet core
network and the next-generation technology for the radio access network offer
the high data capacity that allows multimedia and a variety of services.
The GPRS standards have been modified for UMTS to include the following
enhancements.
• The reworking of the system’s quality-of-service (QoS) to enable more
effective QoS between the mobile station and the external packet data
networks. UMTS enables end-to-end quality of service between two
terminals. UMTS also enables multiple QoS flows for a single IP address.
• The replacement of Frame Relay with Asynchronous Transfer Mode
AAL5 between the SGSN and Radio Network Controller (RNC).
Asynchronous Transfer Mode is now the fundamental transport layer
protocol linking all the different nodes in the infrastructure domain.
• The introduction of a new version of the GPRS tunneling protocol. The
new version reduces encapsulation overhead. But more significantly, the
control plane (used for signalling) and the user plane (used for data
transfer) have been separated such that the user plane protocol can now be
used between the SGSN and RNC. This means that a GTP tunnel is
established between the SGSN and RNC for the transport of user traffic.
[Figure: GPRS 2G-PLMN and UMTS 3G-PLMN architectures. 2G-PLMN: MS - BSS - Gb - SGSN, with the SGSN connected to the HLR (Gr) and to a BG on Gp. 3G-PLMN1 and 3G-PLMN2: UE - Uu - Node B - Iub - RNC - Iu - 3G-SGSN - Gn - 3G-GGSN (Wireless Gateway) - Gi - PDN; the 3G-SGSN also connects to the HLR (Gr), a VMG and an SG, and the PLMNs are joined by border gateways over Gp.
Legend: BG border gateway; BSS base station system; GGSN gateway GPRS support node; HLR home location register; MS mobile station; PDN packet data network; RNC radio network controller; SG signalling gateway; SGSN serving GPRS support node; UE user equipment; VMG virtual media gateway.]
GGSN functionality
Previous sections have detailed where the GGSN is situated in GSM/GPRS or
UMTS networks. The gateway GPRS support node (GGSN) provides
interconnection between the PLMN network and a particular PDN, which can
be an internet service provider (ISP) or a corporate intranet. The GGSN supports
different network access models for connection with external PDNs and is
primarily responsible for packet routing and access control to these PDNs.
Within this context the GGSN carries out
• authentication: the GGSN authenticates (if required) the user and
determines what network services the user is entitled to. The GGSN
supports authentication via AAA RADIUS server.
• address allocation: the GGSN assigns the required network addresses to
the MS so that it can be identified to external networks. The type of
addresses depends on the network access model used for the session. The
following methods are supported:
— local address pools on the GGSN.
— external DHCP server (GGSN is the DHCP client on behalf of the MS
or DHCP relay agent).
— RADIUS (only if authentication is done by means of RADIUS): a
static address for each user is provisioned in the RADIUS server.
Dynamic allocation by RADIUS server is supported in GGSN 2.0.
• routing: the GGSN uses routing tables to determine where to forward
subscriber data packets. The GGSN converts the MS packets coming from
the SGSN into the appropriate packet data protocol (PDP) format and
forwards them to the corresponding PDN. In the reverse direction, it
receives data packets for mobile subscribers from the PDN. The packet
data network addresses of incoming data packets are mapped to the
destination user and sent to the SGSN serving that user. The GGSN
supports OSPF, RIP, BGP, and IS-IS routing protocols.
• tunneling: the GGSN supports the following types of outbound tunneling
on the Gi interface: L2TP tunnel, L2TP over IPSec, and IPSec tunnel. The
GGSN supports a GTP tunnel on the Gn interface only for communication
to the SGSN.
• IP services: the GGSN applies IP services to both inbound and outbound
traffic flows as they pass through the GGSN.
• wireless services: the GGSN supports wireless services such as tariffing
(Prepaid, Geozone) and wireless application protocol (WAP) services.
• accounting: the GGSN collects billing information and forwards the
information to a charging gateway function (CGF).
• OA&M: the GGSN collects logs, statistics, SNMP traps.
The card cage has fourteen vertically aligned slots that house control, switching,
service processing and input/output cards. Cards are inserted and removed from
the front of the chassis. Supported cards include:
• control and management card (CMC): the CMC is responsible for
basic system operation and management of the GGSN.
• switch fabric card (SFC): the SFC is an ATM switching matrix that
provides ATM layer interconnection and queuing between the various line
cards and the processor cards.
• subscriber services card (SSC): the SSC contains the processor arrays
(subscriber service modules) used to perform service and policy
operations on subscriber dataflows.
• line cards (LC): the following line cards provide connectivity from
subscriber to PDN (ingress) and from PDN to subscriber (egress): ATM
OC-3/STM-1, Fast Ethernet, Gigabit Ethernet.
Cards and the slots on the card cage are colour coded, so that it is easy to
determine which cards go in what slots. Four colours are used.
• Blue: slots 13 and 14.
— slot 14 is used exclusively for the primary control and management
card (CMC)
— slot 13 can be used for any card except an SFC card. Usually used for
redundant CMC.
• Yellow: slots 7 and 8.
— used exclusively for primary and redundant switch fabric cards (SFC).
• Green: slots 1 to 6 and 9 to 13.
— used for subscriber services cards (SSC) or line cards (LC).
• Red: slots 5, 6, 9, and 10.
— indicates slots capable of 1.2 Gbit/s throughput. Other slots are only
capable of 622 Mbps.
The Shasta GGSN uses the CMC-II, which features dual 10/100 BaseT ports,
and 1 GB RAM.
Note: The 10/100 BaseT ports on the CMC are not meant to carry
subscriber traffic (Gi). They can, however, be used for OA&M traffic,
RADIUS access, DHCP, DNS, Ga traffic, etc.
One SFC is required for operation, and a second may be added for
redundancy. SFCs are always installed in slots 7 or 8. No other cards can be
installed in slots 7 and 8.
The SSC contains up to four Subscriber Service Modules (SSMs); the SSC is
field-upgradeable so that SSMs can be added as needed. Each SSM contains
four Subscriber Service Processors (SSPs).
The SSC can be installed in any slot, except slots 7, 8, or 14. A typical chassis
contains two to six SSCs. If the chassis contains only one CMC in slot 14,
then slot 13 can be used for an SSC.
It has four ports that support either single or multi mode fibre connections.
The FELC
• provides eight ports of Ethernet connectivity. Each port operates at
10BaseT or 100BaseT, auto-sensing the line rate, and connects to the
user network via an RJ45 and UTP cable. The FELC translates the
incoming Ethernet frames into ATM cells and steers them to the
appropriate SSM. In the outgoing direction, ATM cells are converted into
Ethernet frames with the appropriate MAC header.
• must be equipped in the high-speed slots 5, 6, 9, 10 in order to have full
functionality.
The card can be installed in other slots: 1 to 4, 11 to 12, and slot 13 if the
chassis contains only one CMC in slot 14. If the FELC is installed in any
of these slots, only ports 1 to 4 will be able to process traffic; ports 5-8
cannot be used in this configuration.
GELC
The Gigabit Ethernet Line Card (GELC) has a single, full-duplex gigabit
Ethernet port that provides physical connectivity for subscriber traffic into
and out of the GGSN. It can be used on the Gi, Gn, and Gp interfaces.
The GELC:
• is primarily an egress-side interface; as such, a layer 3+ address
resolution facility is provided for steering packets to the correct
SSM (Subscriber Service Module) for service-level processing.
• accepts Gigabit Interface Converter (GBIC) modules, which allow various
media types (e.g. short haul, long haul, copper or none) to be supported.
• must be installed in a high-speed slot (5, 6, 9, 10).
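The slot rules from this and the preceding card descriptions (CMC, SFC, SSC, FELC, GELC), collected into one placement check. This is an added example, not Nortel tooling or code from the guide; the `Chassis` class, the card labels and the sample placements are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Slot rules as stated in this lesson (constructed model, not Nortel tooling).
HIGH_SPEED_SLOTS = {5, 6, 9, 10}   # red slots: 1.2 Gbit/s; all others 622 Mbit/s
SFC_SLOTS = {7, 8}                 # yellow slots: primary / redundant switch fabric only
PRIMARY_CMC_SLOT = 14              # blue: primary control and management card only
REDUNDANT_CMC_SLOT = 13            # blue: any card except SFC, usually the redundant CMC
CARD_TYPES = {"CMC", "SFC", "SSC", "FELC", "GELC"}


@dataclass(frozen=True)
class Placement:
    ok: bool
    reason: str
    usable_ports: Optional[int] = None   # set for line cards only


@dataclass
class Chassis:
    slots: Dict[int, str] = field(default_factory=dict)   # slot number -> card type

    def check(self, card: str, slot: int) -> Placement:
        """Validate one card/slot combination against the rules above."""
        if card not in CARD_TYPES:
            return Placement(False, f"unknown card type {card!r}")
        if not 1 <= slot <= 14:
            return Placement(False, f"slot {slot} does not exist; the cage has slots 1-14")
        if slot in self.slots:
            return Placement(False, f"slot {slot} already holds a {self.slots[slot]}")
        if card == "SFC":
            if slot in SFC_SLOTS:
                return Placement(True, f"SFC in slot {slot} (primary or redundant fabric)")
            return Placement(False, "SFCs are installed only in slots 7 or 8")
        if slot in SFC_SLOTS:
            return Placement(False, f"slot {slot} is reserved for switch fabric cards")
        if card == "CMC":
            if slot == PRIMARY_CMC_SLOT:
                return Placement(True, "primary CMC in slot 14")
            if slot == REDUNDANT_CMC_SLOT:
                return Placement(True, "redundant CMC in slot 13")
            return Placement(False, "CMCs go in slot 14 (primary) or slot 13 (redundant)")
        if slot == PRIMARY_CMC_SLOT:
            return Placement(False, "slot 14 is used exclusively for the primary CMC")
        # SSC, FELC and GELC may use the green slots; slot 13 only when the chassis
        # will run with a single CMC, i.e. no redundant CMC is planned there.
        note = (" (slot 13 is only available when the chassis has a single CMC in slot 14)"
                if slot == REDUNDANT_CMC_SLOT else "")
        if card == "SSC":
            return Placement(True, f"SSC in slot {slot}{note}")
        if card == "GELC":
            if slot in HIGH_SPEED_SLOTS:
                return Placement(True, f"GELC in high-speed slot {slot}", usable_ports=1)
            return Placement(False, "GELC must be installed in a high-speed slot (5, 6, 9, 10)")
        # FELC: fully functional only in high-speed slots; elsewhere only ports 1-4 work.
        if slot in HIGH_SPEED_SLOTS:
            return Placement(True, f"FELC in high-speed slot {slot}, all 8 ports usable", 8)
        return Placement(True, f"FELC in slot {slot}: only ports 1-4 can carry traffic{note}", 4)

    def place(self, card: str, slot: int) -> Placement:
        """Insert the card if the placement is valid; returns the check result either way."""
        result = self.check(card, slot)
        if result.ok:
            self.slots[slot] = card
        return result

    def is_operational(self) -> bool:
        """Minimum working cage: a primary CMC in slot 14 and at least one SFC in 7 or 8."""
        has_cmc = self.slots.get(PRIMARY_CMC_SLOT) == "CMC"
        has_sfc = any(self.slots.get(s) == "SFC" for s in SFC_SLOTS)
        return has_cmc and has_sfc

    def redundancy_report(self) -> Dict[str, bool]:
        """Which of the redundancy options from the lesson are actually populated."""
        return {
            "redundant_cmc": self.slots.get(REDUNDANT_CMC_SLOT) == "CMC",
            "redundant_sfc": all(self.slots.get(s) == "SFC" for s in SFC_SLOTS),
        }


if __name__ == "__main__":
    cage = Chassis()
    for card, slot in [("CMC", 14), ("SFC", 7), ("SFC", 8), ("SSC", 1), ("SSC", 2),
                       ("GELC", 5), ("FELC", 3), ("GELC", 4), ("SSC", 8)]:
        print(card, slot, cage.place(card, slot))
    print("operational:", cage.is_operational(), cage.redundancy_report())
```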
The intelligent cell parser on the line card uses table lookup to determine
which subscriber service processor on what subscriber service module the
packet should be sent to and routes the packet to the appropriate subscriber
service card using an internal ATM VC.
The data stream is modified by any IP services that are to be applied to the
ingress data flow. A lookup is done on the packet’s destination IP address and
the packet is dispatched to the appropriate output port.
Lesson 3
Software overview and installation
This chapter includes slides and notes for Lesson 3.
Lesson 3 - slides
This lesson introduces you to the Shasta GGSN software architecture.
The exercises that are included in this lesson consist of installing the various
types of software that are required, and becoming familiar with them. Based
on your lab equipment configuration and the time available, you will perform
some or all of these exercises. Your instructor will assign the exercises for this
lesson, and provide the information to complete them.
Of these, only SCS Server, SCS Client, and the iSOS are covered in this
course. These are the software systems needed to actually provision the
GGSN equipment.
iSOS software
iSOS is the VxWorks-based operating system that runs on the Shasta GGSN.
It comprises:
• image software, which is used to manage the GGSN processes. There are
separate images for the different circuit pack types. You interact with the
operating system through a CLI and/or the SCS.
Note: The Shasta GGSN supports all CLI commands that are supported
by the Shasta Broadband Services Node (BSN) platform. However, the
CLI is only to be used for setup and system diagnosis. All provisioning
and system administration is to be performed by means of the SCS.
The CMC’s software has two main modules, CPU0 and CPU1. In CPU1 run
all the routing tasks - for example, RIP, OSPF, BGP, IS-IS. In CPU0 runs
everything else - for example, subscriber management, ISP management, card
management, VPN management, SCS agent, protocol management (PPP/
L2TP…), and virtual-circuit management.
iSOS CLI
The iSOS command line interface (CLI) runs on one of the CMC processors
and can be accessed through a Telnet session or a terminal connected to the
Console Port on the CMC. (Telnet sessions are not available while the CMC is
booting.) The CLI supports multiple simultaneous user logins. There are three
types of users or access privilege levels for the CLI:
• “User” (U) has read-only access to the iSOS software.
• “Super-user” (SU) has read and write access to the iSOS software. Super-
users can change configuration parameters for the current session, but
cannot save configurations.
• “Super-super-user” (SSU) has read and write access to the iSOS software,
and can also save configurations. The default SSU login is admin and its
password is admin.
Each type of user has access to a different set of commands within the CLI.
For a listing of these sets, please consult Appendix A of NTP 411-5221-927,
Shasta GGSN Procedures Reference Manual.
The CLI prompt indicates the hostname and the user access level. For
example,
SSG-1(SU)#
The CLI is not to be used for configuring the Shasta GGSN because any
changes performed through the CLI are overwritten by the configuration
downloaded from the SCS server after a “resync” operation. The CLI can be
used for initial setup, and for performing diagnostics and troubleshooting.
Important notes:
• CLI users are completely independent from and unrelated to SCS GUI
users. CLI users are defined per-node while SCS users are defined (once)
in the SCS.
• CLI users can see information of all ISP contexts defined in the Shasta
node. (ISP contexts are described in the next lesson.) The “per-ISP”
separation of user privileges imposed on the SCS GUI is not enforced in
the CLI.
SCS components
Service Creation System (SCS) is a powerful provisioning system designed to
allow rapid creation and delivery of network-based, value-added services to
the mass market. Using the SCS, service providers can economically deploy
managed network-based firewall, Virtual Private Network (VPN) and traffic
management services to millions of concurrent subscribers. The SCS is a
distributed client-server application that allows multiple concurrent users to
access the SCS server through a Java-based graphical user interface. The SCS
server communicates with a database that stores service policies, service
profiles, and subscriber-specific and ISP-specific information.
Versions of SCS Client, the graphical user interface, can be obtained to run on
operating systems such as Windows 95/98/2000/NT, Linux, or Solaris.
2. A domain server maintains a Solid database with all the information about
the regions, and all non-device-specific information for the Device Owner
that is shared across the regions. A domain server supports up to 16
regional servers. When a GGSN boots up, information is pushed to it by
the domain server.
3. An SCS Client is a graphical user interface to the domain server.
4. A region server maintains device-specific information for a group of
GGSNs. Up to 16 GGSNs can report to a region server.
5. A pull server allows the GGSNs to query dynamic PPP subscriber
information when a PPP subscriber is logged in. Up to three pull servers
can be configured for a GGSN, but only one will send the pull requests at
any given time.
6. A log server collects all device logs and stores them. The log server also
collects subscriber logs (for example, statistics and accounting logs) and
stores them in binary files. Up to three log servers can be defined to which
a GGSN can send logs.
SCS deployment
Following are some general rules for deploying the software on your servers:
• the LDAP software must be installed on a server before installing the SCS
software
• SCS Client software interfaces with the domain server
Single-region installations:
• domain, region and pull servers are co-resident on the same host
• additional domain, region and pull servers may be incorporated for
redundancy
• the domain, region and pull server combination supports up to 16 GGSNs
Multi-region installations:
• log servers are shared by the regions
• one pull server is dedicated to each region
• region, pull, and log servers can have 1:N redundancy across all regions;
the log server does not require redundancy, though
• each region requires a region server
• a single region server supports up to 16 GGSNs
Synchronization
Synchronization is the process of overwriting the configuration files on the
GGSN with the SCS configuration. The GGSN is wiped clean, rebooted and
reconfigured from the SCS files.
When a GGSN is “out of sync”, its transaction counter differs from the one
held by the SCS server. The SCS and the GGSN each keep a sequence number
that is incremented as commands from the SCS are pushed down to the GGSN;
when the two numbers no longer match, the two are considered “out of sync”.
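The counter check and the resync described above, as an added model that is not SCS or iSOS code. It assumes, as the text implies, that a change made through the iSOS CLI does not touch the transaction counter, and it uses constructed configuration keys and addresses.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class ScsServer:
    """Master copy of the configuration held by the SCS domain/region servers."""
    config: Dict[str, str] = field(default_factory=dict)
    txn: int = 0


@dataclass
class GgsnNode:
    """Configuration as it stands on the GGSN itself."""
    config: Dict[str, str] = field(default_factory=dict)
    txn: int = 0


def scs_push(scs: ScsServer, node: GgsnNode, key: str, value: str,
             delivered: bool = True) -> None:
    """One provisioning command issued through the SCS GUI.

    The SCS applies it to its own copy and bumps the transaction counter, then pushes
    the command to the GGSN, which applies it and adopts the same counter value. If the
    push is lost (delivered=False), the GGSN's counter falls behind.
    """
    scs.config[key] = value
    scs.txn += 1
    if delivered:
        node.config[key] = value
        node.txn = scs.txn


def cli_change(node: GgsnNode, key: str, value: str) -> None:
    """A change typed at the iSOS CLI: it alters the node only and the SCS never sees it
    (assumption: CLI edits do not touch the transaction counter)."""
    node.config[key] = value


def is_out_of_sync(scs: ScsServer, node: GgsnNode) -> bool:
    """The sequence-number check: differing counters mean 'out of sync'."""
    return scs.txn != node.txn


def config_drift(scs: ScsServer, node: GgsnNode) -> Dict[str, Tuple]:
    """Keys whose value differs between the SCS copy and the node, i.e. what a resync
    will change; this catches CLI edits that the counter check alone cannot."""
    keys = set(scs.config) | set(node.config)
    return {k: (scs.config.get(k), node.config.get(k))
            for k in keys if scs.config.get(k) != node.config.get(k)}


def resync(scs: ScsServer, node: GgsnNode) -> Set[str]:
    """Synchronization: the node is wiped, rebooted and rebuilt from the SCS files.

    Returns the keys whose node-local values were discarded, so an operator can see
    exactly which CLI edits or stale entries the resync overwrote.
    """
    discarded = set(config_drift(scs, node))
    node.config = dict(scs.config)
    node.txn = scs.txn
    return discarded


def walkthrough() -> dict:
    """Scenario from the lesson: a lost push is caught by the counter, a CLI edit is not."""
    scs, node = ScsServer(), GgsnNode()
    scs_push(scs, node, "gn_isp.address", "192.0.2.1")        # constructed sample values
    scs_push(scs, node, "gi_isp.corp.apn", "corp.example")
    scs_push(scs, node, "radius.server", "192.0.2.50", delivered=False)  # push lost
    lost_push_detected = is_out_of_sync(scs, node)
    resync(scs, node)
    cli_change(node, "radius.server", "203.0.113.9")          # local CLI edit, counter unchanged
    cli_edit_detected = is_out_of_sync(scs, node)
    drift_before = config_drift(scs, node)
    discarded = resync(scs, node)
    return {
        "lost_push_detected": lost_push_detected,
        "cli_edit_detected": cli_edit_detected,
        "drift_before_resync": drift_before,
        "discarded_by_resync": discarded,
        "final_radius": node.config["radius.server"],
    }


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The walkthrough shows why the lesson forbids provisioning through the CLI: the counter stays equal after the CLI edit, yet the next resync silently replaces it with the SCS value.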
Exercises
Lesson 4
Configuration: basic
This chapter includes slides and notes for Lesson 4.
Lesson 4 - slides
This lesson describes the roles of the GGSN “Device Owner” and “ISP User”.
The Device Owner defines a Shasta GGSN, configures the hardware, and
builds the virtual ISP router(s). These functions are performed before an ISP
user can have full access and functionality.
The exercises that are included in this lesson consist of using SCS to
configure the Shasta GGSN for initial deployment. Based on your lab
equipment configuration, you will perform some or all of these exercises.
Your instructor will assign the exercises for this lesson and provide the
information to complete them.
The Shasta GGSN can support multiple configurable ISP contexts (apart from
the default, non-configurable ISP context). This will be discussed further on
subsequent slides.
Gn & Gi interfaces
An ISP context is a logical entity that encapsulates all of the services,
interfaces, and functionalities of one service provider. An ISP context is
similar to a virtual router. It contains the ISP’s default IP address (used,
among other things, to terminate tunnels), and the IP addresses of the ISP’s
interfaces. In order to separate the core network from the Gi side, each GGSN
requires one Gn ISP context and at least one Gi ISP context. GTP tunnels are
configured on the Gn ISP. Subscriber sessions are created on Gi ISPs - that is,
a Gi ISP implements services and protocols associated with an Access Point
Name (APN).
Only trunk connections are permitted for the Gn and Gi interfaces on the GGSN.
Trunk connections are layer-2 connections made up of either Ethernet or ATM
interfaces.
• With Ethernet, one port = one trunk.
• With ATM, all connections, both ingress and egress, are routed trunk
connections only. One PVC = one trunk. There are four assured
forwarding queues for QoS. Neither bridging nor VC multiplexing are
used in wireless networks.
The design of a GPRS Public Land Mobile Network (PLMN) network features
these security rules:
1. GTP tunnels are only valid if they terminate or originate on a Gn
interface. The Gi interface is not used for this.
2. The only types of traffic allowed over a Gn interface are GTP tunnels,
DHCP and RADIUS (if applicable), and OA&M.
3. Packets arriving on the Gi side cannot be routed to any node on the PLMN
network other than a mobile with a valid PDP context, and that only by
means of a GTP tunnel.
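The three rules above, turned into a per-packet check of the kind a boundary filter on the GGSN would apply. This is an added example, not code from the guide or the product; it models only the Gn and Gi sides, and the addresses, PDP contexts and traffic labels are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Rule 2: the only traffic types permitted on the Gn side of the GGSN.
GN_ALLOWED_TRAFFIC = {"GTP", "DHCP", "RADIUS", "OAM"}


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on: "Gn" or "Gi"
    traffic: str   # "GTP", "DHCP", "RADIUS", "OAM" or "IP" (plain, untunnelled IP)
    dst: str       # destination IP address (constructed sample values)


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    rule: int      # which of the three PLMN rules decided (0 = malformed input)
    reason: str


class GgsnBoundaryPolicy:
    """Applies the three Gn/Gi design rules to a single packet.

    pdp_contexts maps a mobile's IP address to the SGSN currently serving it, i.e. the
    valid PDP contexts the GGSN holds; plmn_nodes lists infrastructure addresses on the
    core side (SGSN, HLR, CGF, ...) that Gi traffic must never reach.
    """

    def __init__(self, pdp_contexts: Dict[str, str], plmn_nodes: Iterable[str]):
        self.pdp_contexts = dict(pdp_contexts)
        self.plmn_nodes: Set[str] = set(plmn_nodes)

    def evaluate(self, pkt: Packet) -> Verdict:
        if pkt.ingress not in ("Gn", "Gi"):
            return Verdict(False, 0, f"unknown interface {pkt.ingress!r}")
        # Rule 1: GTP tunnels terminate or originate on Gn only.
        if pkt.traffic == "GTP" and pkt.ingress != "Gn":
            return Verdict(False, 1, "GTP seen on Gi: tunnels are valid only on the Gn interface")
        if pkt.ingress == "Gn":
            # Rule 2: Gn carries GTP, DHCP/RADIUS (if used) and OA&M, nothing else.
            if pkt.traffic in GN_ALLOWED_TRAFFIC:
                return Verdict(True, 2, f"{pkt.traffic} is permitted on Gn")
            return Verdict(False, 2, f"{pkt.traffic} is not a permitted traffic type on Gn")
        # Rule 3: Gi packets reach the PLMN only as payload of a GTP tunnel to the SGSN
        # serving a mobile with a valid PDP context.
        sgsn = self.pdp_contexts.get(pkt.dst)
        if sgsn is not None:
            return Verdict(True, 3, f"encapsulate in GTP tunnel to SGSN {sgsn} for mobile {pkt.dst}")
        if pkt.dst in self.plmn_nodes:
            return Verdict(False, 3, f"Gi traffic may not be routed to PLMN node {pkt.dst}")
        return Verdict(False, 3, f"no valid PDP context for {pkt.dst}; not forwarded")

    def audit(self, packets: Iterable[Packet]) -> List[Verdict]:
        return [self.evaluate(p) for p in packets]


# Constructed sample: two active PDP contexts and a handful of core-side nodes.
SAMPLE_POLICY = GgsnBoundaryPolicy(
    pdp_contexts={"10.20.0.5": "192.0.2.10", "10.20.0.9": "192.0.2.11"},
    plmn_nodes={"192.0.2.10", "192.0.2.11", "192.0.2.50", "192.0.2.60"},
)

SAMPLE_PACKETS = [
    Packet("Gn", "GTP", "10.20.0.5"),      # tunnel from SGSN: allowed (rule 2)
    Packet("Gn", "RADIUS", "192.0.2.50"),  # RADIUS over Gn: allowed (rule 2)
    Packet("Gn", "IP", "198.51.100.7"),    # untunnelled IP on Gn: denied (rule 2)
    Packet("Gi", "GTP", "192.0.2.10"),     # GTP arriving on Gi: denied (rule 1)
    Packet("Gi", "IP", "10.20.0.5"),       # downlink to mobile with PDP context: allowed (rule 3)
    Packet("Gi", "IP", "192.0.2.60"),      # Gi packet aimed at a core node: denied (rule 3)
    Packet("Gi", "IP", "10.20.0.77"),      # mobile without PDP context: denied (rule 3)
]


def denied_count(policy: GgsnBoundaryPolicy = SAMPLE_POLICY,
                 packets: Iterable[Packet] = SAMPLE_PACKETS) -> int:
    return sum(1 for v in policy.audit(packets) if not v.allowed)


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, SAMPLE_POLICY.audit(SAMPLE_PACKETS)):
        print(f"{pkt.ingress:2} {pkt.traffic:6} -> {pkt.dst:15} "
              f"{'ALLOW' if verdict.allowed else 'DENY '} (rule {verdict.rule}) {verdict.reason}")
```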
A device owner owns the GGSN and provisions the chassis, the connections,
and the ISPs (Gn and Gi). Each ISP is a virtual router, isolated from other
ISPs.
Given ownership of a virtual router, the ISP controls the routing services,
along with other services. One Gn ISP context and up to 63 Gi ISP contexts
can be provisioned on a single GGSN.
Because each ISP owns a secure virtual context in the GGSN with a separate
address space, conflicts or security issues that could arise from shared routing
tables do not occur. No ISP can see another ISP’s configuration.
The Device Owner functions are performed before the ISP User can have full
access and functionality.
Note: Not included in this list, but equally necessary, are all the steps
needed to configure external systems such as the RADIUS server, the
external network management system, and the accounting system (such as
CGF).
Exercises
Lesson 5
Configuration: network access models
This chapter includes slides and notes for Lesson 5.
Lesson 5 - slides
This lesson offers some theory and describes the activities of the “ISP user”
that enable the various types of network access.
The exercises that are included in this lesson consist of using SCS to
configure the Shasta GGSN to perform four types of network access. Based
on your lab equipment configuration, you will perform some or all of these
exercises. Your instructor will assign the exercises for this lesson and provide
the information to complete them.
Network-access models
The following table summarizes the configuration options associated with
each network model:
Table 5: Network model configuration options
Columns: (a) Wireless ISP; (b) L2TP VPN; (c) IPSec VPN & Shasta GGSN VPRN.

Access Mode
  (a) Transparent or Non-Transparent
  (b) Transparent; Non-Transparent if Single APN used
  (c) Transparent or Non-Transparent
Mobile Subscriber Authentication (if required)
  (a) RADIUS
  (b) Authentication done at LNS side
  (c) RADIUS
PDU Type
  (a) IP or PPP
  (b) IP or PPP
  (c) IP or PPP
PPP Session
  (a) Terminated
  (b) Created between GGSN and LNS for IP PDU, and pass-through for PPP PDU
  (c) Terminated
Gi Interface
  (a) Raw IP
  (b) L2TP or L2TP over IPSec
  (c) IPSec
IP Address Allocation
  (a) Address allocation by GGSN
  (b) Address allocation by remote Intranet
  (c) Address allocation by GGSN
IP Address Domain
  (a) Public IP address from operator’s domain, and Private IP address with external NAT server
  (b) Public or Private IP address from ISP domain
  (c) Public or Private IP address from operator’s domain
GGSN IP address allocation methods
  (a) Internal address pools or DHCP or RADIUS static/dynamic address allocation*
  (b) IP address allocation is not performed on GGSN; IP address is allocated at the LNS
  (c) Internal address pool or DHCP or RADIUS static/dynamic address allocation*
IP Services
  (a) Applied to the data packets on the Gi interface
  (b) Not supported
  (c) Applied to the data packets on the Gi interface
Tariff Service
  (a) Supported based on configuration
  (b) Supported based on configuration
  (c) Supported based on configuration
WAP Service
  (a) Supported (based on configuration)
  (b) Not supported
  (c) Not supported
RADIUS Accounting
  (a) Supported based on configuration*
  (b) Supported based on configuration
  (c) Supported based on configuration*
QoS Service
  (a) Supported based on configuration
  (b) Supported on Gn interface based on configuration
  (c) Supported based on configuration
ToD Service
  (a) Supported based on configuration
  (b) Supported based on configuration
  (c) Supported based on configuration
End to End Protocols
  (a) IP
  (b) IP and PPP for IP PDU, and PPP for PPP PDU
  (c) IP

* Dynamic IP address allocation by RADIUS server only if RADIUS accounting is configured on the same server.
APN provisioning
Before delving into the network models, we need to discuss the concept of the
Access Point Name (APN). The APN identifies the data session requested by the
mobile. It is carried in the Create PDP Context Request between the SGSN and
GGSN. An APN is associated with a subscriber template. APNs are provisioned on
Gi ISPs, per group, within the GGSN internal LDAP directory. The APN makes
reference to the GGSN that is to be used and identifies the external network
to which a subscriber may wish to connect. A GGSN supports up to 2000 APNs per
Gi ISP.
Provisioning performed at the APN level gives the operator the flexibility to
create profiles with different policies in different APNs.
The single APN concept enables APN consolidation by storing the per-
subscriber information on the RADIUS server instead of grouping the services
into different APNs on the Shasta GGSN. The services that can be provisioned
on a per subscriber basis on RADIUS Server include:
• VPN membership
• IP Services
• Prepaid Subscription
• Outbound Tunneling
One or many of these attributes may be provisioned on the RADIUS server
for each subscriber. If these attributes are not returned from the RADIUS
server, the provisioning of the corresponding APN via SCS will be used. The
minimum information that must be passed for the per subscriber information
lookup is the subscriber’s username and password. The anonymous mode user
authentication can be used for the Single APN.
When the Single APN attributes are returned from the RADIUS server to the
Shasta GGSN, these attribute values override the APN configuration
provisioned via the SCS. This approach effectively associates the services
with the individual subscriber rather than with the APN that the PDP session
is destined for.
For example, to declare a VPN membership without single APN capability, the
following configuration is provisioned on Shasta GGSN:
• Provision a VPN within the VPRN Manager via SCS.
• Provision the Subscriber Template for the APN with the VPN name.
However, with Single APN capability, the VPN membership configuration
becomes:
• Provision an APN with authentication required.
• Provision a VPN within the VPRN Manager via the SCS.
• Provision the RADIUS Server to return the subscriber’s VPN name upon
successful authentication for the subscriber.
On the Shasta GGSN, the returned VPN attribute in the RADIUS Access-
Accept message is used to match a provisioned VPN and the matched VPN
configuration is used for the subscriber. As a result, many subscribers may
access the same APN, but retain different VPN memberships.
If the RADIUS server does not return any Single APN attributes, the
configuration provisioned via the SCS is used. Returning these Single APN
attributes from the RADIUS Server is optional. Nevertheless, the
configuration of multiple APNs for different VPN memberships can still be
used on Shasta GGSN if per subscriber information is not provisioned on the
RADIUS Server.
Single APN capability is supported for all network models and is only
available for the non-transparent mode (Radius authentication needed).
See the Shasta GGSN User Guide, 411-5221-926 for more information
concerning Single APN.
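The two steps above, as an added example that is not part of this guide or of the Shasta software: before the GGSN trusts any Single APN attribute in an Access-Accept, it must confirm the reply really came from its RADIUS server by recomputing the Response Authenticator (an MD5 over the reply and the shared secret, per RFC 2865); only then do returned attributes override the SCS-provisioned APN profile, with absent attributes falling back to it. The vendor ID, the VSA sub-types carrying the VPN name and IP service, the attribute names, the shared secret and the fail-closed handling of a VPN name that matches no provisioned VPN are assumptions made for this example, not Shasta values.

```python
"""Added example: verify a RADIUS Access-Accept, then apply Single APN precedence.
Vendor ID, VSA sub-types and the fail-closed VPN check are assumptions, not the
real Shasta attributes (see the GGSN User Guide for those)."""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ASSUMED_VENDOR_ID = 99999       # placeholder, not a registered enterprise number
ASSUMED_VSA_VPN_NAME = 1        # placeholder sub-type carrying the VPN name
ASSUMED_VSA_IP_SERVICE = 2      # placeholder sub-type carrying an IP service name


def build_vsa(vendor_id, sub_type, value):
    """Encode one RFC 2865 Vendor-Specific attribute (type 26)."""
    inner = struct.pack("!BB", sub_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, request_auth, secret, attrs):
    """Server side: Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Client (GGSN) side: a forged, replayed-with-wrong-request or tampered reply
    fails here, so nothing below it is trusted."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return expected == packet[4:20]


def parse_vsas(packet, vendor_id):
    """Return {sub_type: value} for the given vendor's VSAs; other attributes are skipped."""
    out = {}
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 6:
            vid = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            if vid == vendor_id:
                sub = packet[pos + 6:pos + alen]
                while len(sub) >= 2:
                    st, sl = sub[0], sub[1]
                    if sl < 2 or sl > len(sub):
                        raise ValueError("malformed VSA")
                    out[st] = sub[2:sl]
                    sub = sub[sl:]
        pos += alen
    return out


def resolve_profile(apn_profile, packet, request_auth, secret, provisioned_vpns):
    """Single APN precedence. Returns (status, profile): RADIUS-returned attributes
    override the SCS-provisioned APN profile; absent ones fall back to it.
    Assumption: a VPN name that matches no provisioned VPN is rejected (fail closed)."""
    if not verify_response(packet, request_auth, secret):
        return "rejected: bad Response Authenticator", None
    profile = dict(apn_profile)
    vsas = parse_vsas(packet, ASSUMED_VENDOR_ID)
    if ASSUMED_VSA_VPN_NAME in vsas:
        vpn = vsas[ASSUMED_VSA_VPN_NAME].decode()
        if vpn not in provisioned_vpns:
            return "rejected: unprovisioned VPN " + vpn, None
        profile["vpn"] = vpn
    if ASSUMED_VSA_IP_SERVICE in vsas:
        profile["ip_service"] = vsas[ASSUMED_VSA_IP_SERVICE].decode()
    return "accepted", profile
```

The authenticator check is what makes the "RADIUS overrides SCS" rule safe: without it, anyone who can inject UDP toward the GGSN's RADIUS port could hand a subscriber a different VPN membership.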
This network model supports both transparent and non-transparent access for
both IP and PPP PDU types. If PPP PDU type is used, the PPP session is
terminated on GGSN and the encapsulated raw IP packets are delivered to the
Gi interface.
In the L2TP VPN network-access model, the GGSN terminates a GTP tunnel
from the SGSN and creates an associated PPP/L2TP tunnel to go out on the
Gi interface to the intranet/ISP. The tunnel mapping at the GGSN is one-to-
one (GTP tunnel to L2TP session). Both IP and PPP PDU types are supported
in this network model.
With the L2TP VPN model, the GGSN functions as a LAC. The operator has
a choice of enabling security (IPSec) on the L2TP tunnel (“L2TP over
IPSec”) to the remote LNS.
IPSec
IPSec is fundamental to the IPSec VPN model, so we will discuss this method
of protecting traffic before proceeding to the discussion of the model itself.
Encrypted data cannot be read by intermediary observers in an untrusted
network, but can be decrypted and read by the intended recipients who hold
the appropriate key. The Shasta GGSN supports industry-standard encryption
using IP Security (IPSec) and its associated key management protocols. IPSec
within a VPN lets users behave as if they were on a secure, isolated local
area network (LAN), although they are physically connected across unsecured
public networks.
These objectives are met through the use of two traffic security protocols, the
Authentication Header (AH) and the Encapsulating Security Payload (ESP),
and through the use of cryptographic key management procedures and
protocols. These protocols may be applied alone or in combination with each
other to provide a desired set of security services.
These are the events which occur in establishing a VPN connection and to be
able to exchange data:
1. the user on the mobile activates a PDP context
2. the SGSN activates the GTP Tunnel to the GGSN
3. authentication of the user occurs
4. authorization of the user occurs
5. the mobile obtains an IP address
6. VPN tunnel establishment occurs
Exercises
Lesson 6
Configuration: IP services
This chapter includes slides and notes for Lesson 6.
Lesson 6 - slides
The GGSN offers a rich variety of IP services. Service policies are created
using the SCS service policy manager. Service policies are the building blocks
out of which subscriber templates are built.
The exercises that are included in this lesson consist of using the SCS to build
service policies and then applying them to subscriber templates. Based on
your lab equipment configuration, you will perform some or all of these
exercises. Your instructor will assign the exercises for this lesson and provide
the information to complete them.
Unlike a general purpose router, the GGSN data plane is built around two
fundamental concepts – the subscriber and the session. Packets received by a
GGSN are associated with a particular subscriber. A subscriber template
contains instructions for how packets belonging to this particular subscriber
are to be processed. Packets not only belong to a particular subscriber, they
belong to a particular subscriber session. When a subscriber session is created
as a result of a Create PDP Context Request, a logical communications path
through the GGSN is created. All packets belonging to that particular
subscriber session follow that path, and are processed by the resources
allocated to manage that path. When the session comes to an end, the path is
terminated and the allocated resources are returned to the system. This is
unlike a router where each packet is treated as a separate entity and is
unrelated to any other packet.
Also, unlike a traditional router, the GGSN provides a rich set of IP services
that can be applied to subscriber sessions. A subscriber template is used to
capture which IP services (if any) are to be applied to a particular subscriber
session. When a subscriber session is created, the GGSN queries the
subscriber template associated with the subscriber initiating the session, and
allocates the resources required for the IP services specified in the template.
The services are managed by software processes that are created specifically
for the subscriber session. When a subscriber session ends the system
resources used by the session are returned to the system in general.
The slide shows the service policy manager panel with the three categories
open. For purposes of example, the slide also shows the rules currently
defined for one of the security policies.
Service policies are constructed out of service objects. Service objects are the
building blocks out of which policies are created. For example, the simple
firewall policy depicted in the slide contains a set of rules. Each rule is
constructed out of the following service objects – source address, destination
address, service application, action, log, remark. Each type of IP service
policy has a required set of service objects that must be datafilled. Not all IP
services are constructed out of the same objects.
Remember, IP services which are permitted by the access model might not be
available to each subscriber. When a user initiates a connection to the network
and is authenticated, a subscriber template is applied to the user’s session.
The subscriber template determines which specific IP services are applied to
the subscriber’s session.
Packet processing
This slide shows how IP services are applied to each packet, in both egress
and ingress directions. This processing takes place in the SSMs of an SSC.
In most cases, the order in which policies are listed in the subscriber template
does not matter; at the end, the results are the same.
Security
The security policy is a firewall. A firewall is a hardware device or software
process that sits between two networks. It has the capability to scrutinize the
traffic passing between the two networks and to make decisions on how to
handle that traffic (allow, modify, disallow). Scrutiny can be based on the type
of access (such as email, telnet, or FTP), contents of the data accessed, source
or destination IP address, ingress or egress direction, and time of day.
The GGSN provides stateful firewall processes that can be applied separately
for each subscriber. Firewalls are configured on SCS with easy-to-use
templates that can then be readily applied to additional subscribers as needed.
Security (cont.)
Security policies are constructed using the SCS service policy manager.
Policies are built from a set of rules against which subscriber IP
conversations are scrutinized. Table 7 details a simple security policy with
two rules.
Table 7: Firewall policy
The first rule states that any packet belonging to an IP conversation originated
by the subscriber, to any destination, by any application are to be allowed to
pass out onto the external packet data network. The second rule is applied
only to packets that do not match the first rule. The rule is a catch all that
makes sure that packets not part of IP conversations initiated from the client
source address are dropped.
The following two examples show how the GGSN inspects a conversation
using the rules provided in Table 7.
HTTP example
Suppose a subscriber initiates an HTTP session. When the first packet arrives
at the GGSN, it is run through the classifier, which determines that it has
not seen this data session before. The classifier assigns it a flow ID. It
then checks the packet against the rules in the security policy. It matches
the first rule, so packets associated with this data session are allowed to
pass out onto the network. The packet is then sent to the processes on the
GGSN set up to handle this conversation. When the HTTP server replies to the
subscriber's request, the packets arrive at the GGSN and are examined by the
classifier. The classifier recognizes that the packets are the response to
the HTTP GET and belong to a previously established flow ID. Because of this,
the packets are not evaluated against the rules in the security policy; they
are routed to the software processes handling this particular conversation.
Note that if the response packets were evaluated against the rules, they
would match rule 2 and would be dropped.
FTP example
As above, the initial TCP connection, including the initiator and response
packets used to set up an FTP session, matches the first rule. However, FTP
uses the initial control connection to negotiate new TCP connections for each
data transfer (GET, PUT, DIR, etc.). The GGSN recognizes the initial control
connection as FTP and monitors the negotiation for new TCP connections. It
then derives the expected new TCP connection information and associates all
packets in those connections with the same overall "FTP conversation". Even
though some parameters (addresses and ports) have changed, the packets are
still identified with the original flow ID for the FTP session.
Summary
The GGSN can track an IP conversation even when the conversation changes port
numbers part-way through. The GGSN has a sophisticated understanding of how
protocols set up, manage, and tear down connections.
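The classifier-then-rules behaviour of the HTTP and FTP examples, written out as an added toy stateful filter that is not the GGSN's own code: the two rules of Table 7 are applied only to the first packet of a conversation, reply packets are matched to the existing flow ID and bypass the rules, and the FTP control stream is watched for PORT and 227 (passive) messages so that the negotiated data connection is pre-registered under the same flow ID. It also carries the two checks the anti-spoofing discussion in this lesson lists (same source and destination address dropped; an unsolicited inbound SYN that matches no rule dropped). The packet representation, the rule encoding and the sample addresses are this example's assumptions.

```python
"""Added example (not Shasta code): a toy per-subscriber stateful filter following
the two-rule policy of Table 7, with FTP data-connection expectation.  Packets are
plain dicts; addresses and ports used in the demo are constructed."""
from dataclasses import dataclass, field
import re

ALLOW, DROP = "allow", "drop"

# Rule 1: conversations originated by the subscriber, to any destination and any
# application, are allowed.  Rule 2: everything else is dropped (catch-all).
RULES = [
    {"src": "subscriber", "dst": "any", "app": "any", "action": ALLOW},
    {"src": "any", "dst": "any", "app": "any", "action": DROP},
]


def five_tuple(p):
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])


def reverse(t):
    proto, s, sp, d, dp = t
    return (proto, d, dp, s, sp)


@dataclass
class Firewall:
    subscriber_ip: str
    flows: dict = field(default_factory=dict)     # 5-tuple -> flow ID
    expected: dict = field(default_factory=dict)  # 5-tuple (sport 0 = wildcard) -> flow ID
    next_id: int = 1

    def _rule_decision(self, p):
        origin = "subscriber" if p["src"] == self.subscriber_ip else "other"
        for r in RULES:
            if r["src"] in ("any", origin):
                return r["action"]
        return DROP

    def _expected_match(self, t):
        proto, s, sp, d, dp = t
        for key, fid in list(self.expected.items()):
            kp, ks, ksp, kd, kdp = key
            if (kp, ks, kd, kdp) == (proto, s, d, dp) and ksp in (0, sp):
                del self.expected[key]
                return fid
        return None

    def _track_ftp(self, p, fid):
        """Derive the data connection from a client PORT or a server 227 reply."""
        payload = p.get("payload", "")
        m = re.search(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
        if m and p["src"] == self.subscriber_ip:
            ip = ".".join(m.group(i) for i in range(1, 5))
            port = int(m.group(5)) * 256 + int(m.group(6))
            # active mode: the server connects from port 20 to the announced port
            self.expected[("tcp", p["dst"], 20, ip, port)] = fid
        m = re.search(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", payload)
        if m and p["dst"] == self.subscriber_ip:
            ip = ".".join(m.group(i) for i in range(1, 5))
            port = int(m.group(5)) * 256 + int(m.group(6))
            # passive mode: the client connects from an unknown port to the announced port
            self.expected[("tcp", self.subscriber_ip, 0, ip, port)] = fid

    def process(self, p):
        """Return (action, flow_id).  Known flows bypass the rules entirely."""
        if p["src"] == p["dst"]:
            return DROP, None                     # LAND: same source and destination
        t = five_tuple(p)
        fid = self.flows.get(t) or self.flows.get(reverse(t))
        if fid is None:
            fid = self._expected_match(t)         # negotiated FTP data connection?
            if fid is not None:
                self.flows[t] = fid
        if fid is None:
            if p["proto"] == "tcp" and not p.get("syn", False):
                return DROP, None                 # mid-stream packet with no flow
            if self._rule_decision(p) != ALLOW:
                return DROP, None                 # e.g. unsolicited inbound SYN
            fid = self.next_id
            self.next_id += 1
            self.flows[t] = fid
        if p["dport"] == 21 or p["sport"] == 21:
            self._track_ftp(p, fid)
        return ALLOW, fid
```

The important property is in `process`: the rules run once per conversation, so rule 2 never sees the server's reply, exactly as the HTTP example notes it otherwise would.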
Security (cont.)
Sample policies for Wireless ISP and L2TP VPN are presented below.
The following two rules cover basic ingress and egress traffic. Additional
rules will be required based on the actual network security requirements.
Table 8: Simple IP security rules
The rules for L2TP VPN are narrower: no subscriber subnet addresses are
required, because mobile data traffic is not routed directly to the GGSN.
Data traffic sent to the GGSN is limited to that tunneled from the remote
security gateways.
Table 9: Simple IP VPN security rules
Anti-spoofing
What is IP spoofing
IP spoofing is a form of attack that targets machines that run software processes
that perform session authentication based on the IP address of the host
requesting access to the service. Many applications and tools in UNIX rely on
source IP address authentication and include:
• RPC (Remote Procedure Call services)
• the X window system
• the R services suite (rlogin, rsh, etc.)
In general, the attack relies on exploiting how TCP connections are initiated.
To understand the attack you need to understand the 3-way handshake used in
establishing a TCP connection. In the following scenario, B is the server and
A is a host that B trusts. Suppose A wants to establish a connection to the rsh
server on B. The exchange is:
A->B: SYN, ISNa
B->A: SYN, ISNb, ACK(ISNa)
A->B: ACK(ISNb)
A sends a packet with the TCP SYN ("synchronize sequence number") bit set and
an initial sequence number ISNa. B replies with its own SYN, its own initial
sequence number ISNb, and an acknowledgement of ISNa. A completes the
handshake by acknowledging ISNb.
The initial sequence numbers for establishing a TCP connection are intended
to be more or less random, as RFC 793 recommends. Unfortunately, Berkeley-
derived kernels advance the ISN counter by fixed constants (a fixed amount
per second and a fixed amount per new connection). Thus, if you open a
connection to one of these machines and examine the ISN used for the
connection, you know to a very high degree of confidence what sequence number
the server will use for its next connection. And therein lies the attack. In
this scenario let X be an attacker who wants to gain access to B. X will
impersonate A, the trusted host.
X opens a real connection to its target B. This gives X ISNb. X can then guess
with a high degree of reliability what ISN will be used by B for its next
connection. X then sends a SYN to B using A's IP address as the source address
(X impersonates A):
X (as A)->B: SYN, ISNx
IP spoofing (cont.)
B's reply to the spoofed SYN goes to A, not to X:
B->A: SYN, ISNb', ACK(ISNx)
X completes the handshake using its predicted value for ISNb':
X (as A)->B: ACK(ISNb')
If the guess is right, and usually it will be, B's rsh server thinks it has a
legitimate connection with A, when in fact X is sending the packets. It is
important to understand that X does not receive B's responses to A. X is
conducting the attack completely in the dark. Once a connection is
established, X starts executing commands on the server. X will not see any
responses to those commands, but this is not a problem for X.
There is a minor difficulty here. If A sees B’s message, it will realize that B is
acknowledging something it never sent, and will send a message to B to tear
down the connection. There are a number of ways to prevent A from
responding to connections it did not initiate; the easiest is to wait until A is
turned off; more difficult but still easy is to prevent A from responding (gag
it). There are a number of strategies for gagging machines, the most common
attack is SYN flooding (where a host’s TCP input queue is flooded).
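The prediction at the heart of the attack, as an added simulation that is not from the guide: an ISN counter that advances by fixed constants (the 128 per second and 64 per connection commonly reported for 4.2BSD, used here as illustrative values) is compared with a generator that draws each ISN at random, and the blind handshake X completes as A is scored as accepted only when X's ACK carries the right number. The simulation, its constants and the trial count are this example's assumptions.

```python
"""Added example: why a counter-based ISN makes the blind spoof succeed and a random
one makes it fail.  Constants and trial counts are illustrative assumptions."""
import random


class BsdIsn:
    """ISN counter advanced by fixed constants (the 4.2BSD-style scheme)."""
    PER_SECOND = 128
    PER_CONNECTION = 64

    def __init__(self, start=0):
        self.counter = start & 0xFFFFFFFF

    def tick(self, seconds=1):
        """Clock advance; an attacker that waits must add this to the guess."""
        self.counter = (self.counter + self.PER_SECOND * seconds) & 0xFFFFFFFF

    def next_isn(self):
        self.counter = (self.counter + self.PER_CONNECTION) & 0xFFFFFFFF
        return self.counter


class RandomIsn:
    """ISN drawn uniformly from the 32-bit space for every connection."""
    def __init__(self, seed=None):
        self.rng = random.Random(seed)

    def tick(self, seconds=1):
        pass

    def next_isn(self):
        return self.rng.getrandbits(32)


def predict_next(observed_isn):
    """X's guess for B's next ISN: one per-connection increment past what it saw."""
    return (observed_isn + BsdIsn.PER_CONNECTION) & 0xFFFFFFFF


def spoofed_connection(gen):
    """One attempt.  X probes B with a real connection to learn ISNb, then sends
    SYN as A; B's SYN/ACK (ISNb') goes to A and X never sees it; X answers with
    ACK(guess + 1).  B accepts only if that equals ISNb' + 1."""
    isn_b = gen.next_isn()
    guess = predict_next(isn_b)
    isn_b_prime = gen.next_isn()
    ack_from_x = (guess + 1) & 0xFFFFFFFF
    return ack_from_x == ((isn_b_prime + 1) & 0xFFFFFFFF)


def prediction_rate(gen, trials=1000):
    """Fraction of blind handshakes B accepts against this generator."""
    return sum(spoofed_connection(gen) for _ in range(trials)) / trials
```

With the counter the attacker is right every time; with random ISNs the chance per attempt is 2^-32, which is why RFC 1948-style ISN generation, not just stateful filtering at the GGSN, is the real fix on the server.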
In general, the GGSN state-aware filtering only allows packets that arrive in
response to traffic explicitly initiated by a mobile subscriber. This helps
protect the subscriber base from most network-based direct infiltration
scenarios. For example, to protect against SYN floods, the GGSN drops all
unsolicited SYN requests. To protect against LAND attacks, the GGSN disallows
any packet with the same source and destination address. Finally, the GGSN
prevents FTP bounce attacks through its in-depth knowledge of FTP control
streams.
QoS parameters (A/R and TC parameters) are passed to the GGSN within the
PDP Context Request message. QoS is activated per APN. An APN QoS profile
is a statically provisioned policy profile that allows the operator to define policy
profiles based on the A/R parameter and the Traffic Class. The Shasta GGSN
uses these elements, provisioned per APN, to guarantee minimum bandwidth:
• traffic policing (Metering, Marking/Tagging): regulates user traffic in the
ingress direction to ensure it doesn’t exceed the contracted rate
• traffic shaping: allows for differentiation in the egress direction to provide
higher priority and rate guarantees for important applications during
congestion.
• queuing: sophisticated scheduling mechanisms manage output queues
based on defined marking rules;
A service package is based on the level of QoS desired. The Shasta GGSN’s
total QoS package enables end-to-end DiffServ, and traffic management.
Towards core:
• queuing priority (L3/L2 Mapping) and scheduling mechanisms
• WRED
• IP data packets over Gi are DiffServ marked when the GTP tunnel is
created.
• both GTP control packets and GTP’ packets are marked with the DSCP
Towards subscriber:
• queuing priority (L3/L2 Mapping) and scheduling mechanisms
• Selective Discard
• Hierarchical Weighted Fair Queuing (WFQ), application-based
• the TOS byte in the outer IP header of data packets is DiffServ marked
based on the provisioned DSCP.
• both GTP control packets and GTP’ packets are marked with the DSCP
DiffServ marking
GGSN ingress traffic is prioritized for QoS by a combination of DiffServ and
Weighted Fair Queuing (WFQ). Because the GGSN is a subscriber aggregator, it
is subscribers who compete for bandwidth on the trunks in the ingress
direction. Therefore, during times of bandwidth congestion, certain
subscribers can pay higher fees to receive a higher QoS.
WFQ can also be applied per type of service. For instance, a subscriber may
not want to pay for higher priority on all of his ingress traffic, but may
want just his voice over IP (VoIP) and FTP traffic to receive higher QoS.
This too is achieved through DiffServ and WFQ.
Traffic shaping
Traffic shaping is a feature that provides traffic management to the subscriber
network. Traffic shaping allows service providers to provide higher priority
and rate guarantees to specific mission-critical applications while giving
lower priority to applications such as email or FTP. Traffic shaping is an
egress-only IP service.
Traffic policing
Traffic policing is used to ensure that connections conform to established
bandwidth parameters in the ingress direction. The policing function protects
the network core from traffic in excess of the subscriber's contracted rate. The
policing function relies on the results of the DiffServ marking in conjunction
with bandwidth limits to set different drop priorities.
Rules are applied as to what happens with excess traffic. The committed rate,
committed burst size, peak rate, and peak burst size thresholds are set with
corresponding actions. For each of the action categories (red, yellow, green),
the actions will vary from dropping the traffic, placing it in the appropriate
queue, or marking the IP precedence. The rates and actions are associated
with each of the 4 Diffserv Assured Forwarding classes. Two different types
of policers exist: a single-rate, three-color marker (SRTCM) and a two-rate,
three-color marker (TRTCM).
Traffic is monitored for each AF queue on a per-subscriber basis. Traffic
within the committed rate (CIR) and its committed burst (CB) has a policing
status of green and typically needs no action. Traffic above the committed
burst but within the excess burst (EB) has a policing status of yellow.
Traffic beyond the excess burst has a policing status of red.
For each policing status, the provider can establish an action for traffic in
that AF queue. Traffic from the subscriber can be reassigned a drop precedence
within the queue (such as from AF4 DP1 to AF4 DP3) or can be dropped entirely.
The policing tool will monitor a subscriber’s traffic in each queue and assure
its adherence to any Service Level Agreement (SLA) made with the provider.
For instance, the ISP may have an SLA with a subscriber that all ingress
traffic in AF 4 will be at 128 kbps. This is the Committed Information Rate
(CIR). The provider can then set two thresholds to help monitor and control
any bursty traffic from the subscriber in excess of the CIR. The Committed
Burst (CB) is the next level threshold, while the Excess Burst (EB) is the
highest.
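The two policer types named above, worked through as an added example that is not part of the Shasta software: the single-rate three-colour marker of RFC 2697 (CIR, CB, EB) and the two-rate three-colour marker of RFC 2698 (CIR, CB, PIR, peak burst), both fed packets with explicit timestamps so the colouring is reproducible, followed by the per-class action table the text describes (green passed unchanged, yellow re-marked to a higher drop precedence, red dropped). The rates, burst sizes, AF class and action table are assumptions for illustration; on the GGSN these are provisioned in SCS.

```python
"""Added example: RFC 2697 srTCM and RFC 2698 trTCM in colour-blind mode, plus a
per-AF-class action table.  All numeric parameters are illustrative assumptions."""


class SrTCM:
    """Single-rate three-colour marker.  Tc (cap CBS) and Te (cap EBS) are both
    replenished at CIR; the committed bucket fills first and spills into excess."""
    def __init__(self, cir_bps, cbs, ebs):
        self.cir = cir_bps / 8.0          # bytes per second
        self.cbs, self.ebs = cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)   # buckets start full
        self.last = 0.0

    def _refill(self, now):
        tokens = max(0.0, now - self.last) * self.cir
        self.last = now
        room = self.cbs - self.tc
        if tokens <= room:
            self.tc += tokens
        else:
            self.tc = float(self.cbs)
            self.te = min(float(self.ebs), self.te + tokens - room)

    def color(self, size, now):
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green"        # within committed rate and burst
        if self.te >= size:
            self.te -= size
            return "yellow"       # above committed burst, within excess burst
        return "red"              # beyond excess burst


class TrTCM:
    """Two-rate three-colour marker.  Tp (cap PBS) fills at PIR, Tc (cap CBS) at CIR."""
    def __init__(self, cir_bps, cbs, pir_bps, pbs):
        self.cir, self.pir = cir_bps / 8.0, pir_bps / 8.0
        self.cbs, self.pbs = cbs, pbs
        self.tc, self.tp = float(cbs), float(pbs)
        self.last = 0.0

    def _refill(self, now):
        delta = max(0.0, now - self.last)
        self.last = now
        self.tc = min(float(self.cbs), self.tc + delta * self.cir)
        self.tp = min(float(self.pbs), self.tp + delta * self.pir)

    def color(self, size, now):
        self._refill(now)
        if self.tp < size:
            return "red"          # exceeds the peak rate
        if self.tc < size:
            self.tp -= size
            return "yellow"       # within peak, above committed
        self.tp -= size
        self.tc -= size
        return "green"


# Action per colour for one AF class: keep DP1, re-mark to DP3, or drop.
ACTIONS = {
    "green": ("forward", 1),
    "yellow": ("forward", 3),
    "red": ("drop", None),
}


def police(meter, packets, af_class=4):
    """Run (timestamp_seconds, size_bytes) packets through the meter and return
    the (action, DSCP label) the action table assigns to each."""
    out = []
    for ts, size in packets:
        action, dp = ACTIONS[meter.color(size, ts)]
        out.append((action, f"AF{af_class}{dp}" if dp is not None else None))
    return out
```

At 128 kbps the committed bucket refills at 16,000 bytes per second, so the same 1500-byte packet can be green, yellow or red depending only on how much of the burst allowance earlier packets have consumed, which is the point of the three thresholds.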
A PNP service redirects a subscriber's HTTP requests from their intended
sites to a configured PNP web site. Subscribers can reach their intended web
sites only once the captive portal web site instructs the GGSN, which
performs the HTTP request "hijacking", to switch from captive mode to
non-captive mode. After the configured elapsed time has passed, subscribers
may be redirected to the PNP web site again.
The PNP features provide the capability to link retail or wholesale ISP
services to specific web content(s). Subscriber Hyper Text Transfer Protocol
(HTTP) or FTP requests are intercepted, and redirected from their intended
sites to pre-configured “personal network portal” web locations. For example,
instead of viewing an expected Hyper Text Markup Language (HTML) page,
subscribers are forced to navigate specific HTML pages on a portal server.
With the PNP capability, the subscriber session can be captured and steered to
specific content. Each subscriber can be mapped to a specific local home page
where different services and capabilities may be applied to them. Web
sessions can be captured on startup or at configurable intervals thereby
increasing advertising revenue opportunity.
Policy-based forwarding
A policy-based forwarding policy enables an ISP to steer a packet that
matches a rule in the policy to an IP address that differs from the packet's
specified destination.
Description
• Capture and steer HTTP sessions
• Supports connectivity to an external portal server
Benefits
• Increased operator brand visibility
• Incremental ISP service/revenue model
— Capture web sessions on start up or at configurable intervals
— Match content to identified subscribers
• Quick content retrieval from local server support
The policy-based forwarding service can also be used for web steering. (The
Shasta GGSN supports co-located high bandwidth content servers. Accessing
content off a co-located server is generally much faster than having it traverse
over the public Internet. A web-steering policy permits an ISP to redirect
subscriber HTTP requests to a Web cache. The ISP can store frequently used
Web pages in the cache, promoting speed and efficiency. If the page is not
cached, it will be retrieved from the Internet.) A policy-based forwarding
policy essentially just forwards packets of matching conversations out the
interface chosen by performing a route lookup on the IP address specified in
the matching rules action.
Accounting
Accounting is used to collect network data related to resource usage by a
subscriber.
Accounting will track how many packets are sent and received by your
subscriber. If your subscriber has DiffServ applied, and is marking traffic,
your ISP can differentiate that traffic and count the packets based on the level
of service.
Accounting will divide the packet counts into separate “buckets”, based on
the marking applied to that traffic. Any traffic that does not match the
accounting policy is counted by Bucket 0 by default.
When you mark your traffic using a DiffServ policy, you can separate it into
different accounting buckets, based on the markings. If you do not mark
subscriber traffic, it will default to AF Class 1, Drop Priority 1 within the
Shasta. If you do not have an accounting policy set for this default marking, it
will be counted in Bucket 0.
Exercises
Lesson 7
Introduction to maintenance and
troubleshooting
This chapter contains slides and notes for Lesson 7.
Lesson 7 - slides
In this lesson, you will learn about the diagnostic and troubleshooting
capabilities of the Shasta GGSN equipment. You will learn about some
methods of monitoring performance, and how built-in diagnostics can detect
problems. You will learn about typical maintenance procedures, and how to
get technical assistance when you need it.
There are four types of logs that the Shasta GGSN can generate: event logs,
system logs, service logs, and service-accounting logs. Each type of log has
distinct characteristics and values and can be used for different purposes.
Event log items include tunneling, security, backups, debugging, hardware
devices, processes, and driver events. So, for example, an event log generated
following a card port failure can be used for fault management and
troubleshooting. System logs contain security and configuration information.
Service accounting can be used both for usage-based billing and for
performance reporting. A firewall service log can be used to notify a
subscriber of a denial-of-service attack.
The Shasta GGSN collects logging information, then stores it in the SCS log
server. The SCS is based on a distributed architecture of which the log
servers are a part. Each log server collects only the service logs and
accounting logs relevant to its respective GGSNs. The log servers do not
collect event-log information; the GGSN sends event-log information (if
configured) to an appropriate Syslog server. Logs are stored as binary files
that can be viewed via the SCS interface or through SCSLogCat (a utility that
converts the binary files into ASCII files).
Note: This window is only available when logged in to the SCS as Device
Owner.
The SCS Log Writer receives accounting data in binary format over a TCP
connection from the GGSN and writes it to disk for later processing.
(Accounting has to be turned on for the device owner or ISP, either through
the CLI or the SCS GUI.) Accounting logs can be accessed either through the
SCS log GUI or with a text dump utility, SCSLogCat, which exports the logs
into text files. To produce text files, use the SCSLogCat utility under the
SCS install directory (SCS server/bin/) to view the logs.
/space/scs/server/log
/space/scs/server/log/region1
/space/scs/server/log/region1/device2
/space/scs/server/log/region1/device2/isp2
For the device owner there is only one accounting file, containing
device-related statistics. There is one file for all the accounting
information for an ISP: all subscriber accounting is written into one ISP
services-accounting file. The “isp-0” directory indicates the Device Owner
ISP; it contains device statistics and services accounting for the default ISP.
The latest data is always written to the service.acc file in the appropriate ISP
directory. When the file reaches the maximum file size, it rolls over:
service.acc is renamed to service.acc.0 and a new service.acc file is created,
into which the new data is written. If an older rotation (service.acc.0)
already exists at the time of the rollover, it is renamed to service.acc.1, and
if a service.acc.1 file already exists, it is deleted. This describes the
behaviour when the maximum number of rotations is set to 2. Do NOT delete
accounting non-rollover files (that is, those with a suffix of .1, .2, … .n).
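The rollover rule above, modelled as an added Python example (not a Nortel utility), run against a constructed copy of the region/device/isp directory layout shown earlier; the helper that lists every service.acc* file oldest-first is an addition so a collector can copy rotations off before the next rollover deletes the oldest one.

```python
import tempfile
from pathlib import Path

ACC = "service.acc"  # live services-accounting file, as named in the guide

def rollover(isp_dir, max_rotations=2):
    # SCS Log Writer rule from the guide, applied to one ISP directory: delete
    # the rotation past the limit, shift .k to .k+1, rename service.acc to
    # service.acc.0 and start an empty service.acc. Returns deleted file names.
    isp_dir = Path(isp_dir)
    live = isp_dir / ACC
    if not live.exists():
        return []
    deleted = []
    oldest = isp_dir / f"{ACC}.{max_rotations - 1}"
    if oldest.exists():            # service.acc.1 when rotations = 2
        oldest.unlink()
        deleted.append(oldest.name)
    for k in range(max_rotations - 2, -1, -1):
        src = isp_dir / f"{ACC}.{k}"
        if src.exists():
            src.rename(isp_dir / f"{ACC}.{k + 1}")
    live.rename(isp_dir / f"{ACC}.0")
    live.touch()                   # new records go here from now on
    return deleted

def accounting_files(log_root):
    # Map each region/device/isp directory under the SCS log root to its
    # service.acc* files, oldest rotation first (highest suffix first).
    root = Path(log_root)
    found = {}
    for isp_dir in sorted(p for p in root.glob("*/*/*") if p.is_dir()):
        names = sorted((f.name for f in isp_dir.glob(f"{ACC}*")), reverse=True,
                       key=lambda n: -1 if n == ACC else int(n.rsplit(".", 1)[1]))
        if names:
            found[isp_dir.relative_to(root).as_posix()] = names
    return found

def demo():
    # Three rollovers at max_rotations=2 on a constructed copy of the
    # region1/device2/isp2 layout; the records are constructed sample data.
    root = Path(tempfile.mkdtemp())
    isp = root / "region1" / "device2" / "isp2"
    isp.mkdir(parents=True)
    trace = []
    for rec in ("rec-a", "rec-b", "rec-c"):
        (isp / ACC).write_text(rec)
        trace.append(rollover(isp))
    files = accounting_files(root)["region1/device2/isp2"]
    return trace, files, {n: (isp / n).read_text() for n in files}
```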
Note that the show commands cannot be used to make any changes. Recall
that the CLI is not to be used for configuring the Shasta GGSN because any
changes performed through the CLI are overwritten by the configuration
downloaded from the SCS server after a “resync” operation. The CLI can be
used for initial setup, and for performing diagnostics and troubleshooting. All
provisioning and system administration is to be performed by means of the
SCS.
Refer to the Shasta 5000 Broadband Service Node Hardware Installation and
Maintenance Guide (Part No. 01453) to interpret the meaning of each
hardware alarm and indicator.
Chassis indicators
The chassis front has light-emitting diode (LED) indicators for Alarm Status
(minor, major, critical) and Fan Status.
The chassis front has a connector for alarm contact signals to enable an
optional audible alarm.
The chassis rear has a connector to receive status signals from the optional
AC power shelf.
The CMC has an alphanumeric display and two LEDs to provide information
about card configuration, status, and activity. The PCMCIA slot has one LED,
and each Ethernet port has two LEDs, to indicate status.
The SSC has an alphanumeric display and two LEDs per SSM, and two LEDs
for the overall card, to provide information about configuration, status, and
activity.
Each line card has an alphanumeric display and two LEDs for the overall
card, and LEDs for each port, to provide information about configuration,
status, and activity.
Occasionally, diagnostics may indicate that a component has failed. Field repair
consists entirely of replacement of defective items. No components of the
Shasta GGSN are user-serviceable. Components that can be replaced are as
follows:
• cards
• fan tray
• fan filter
It is also possible to move the LDAP and Solid databases from one host to
another (that is, to one with a different IP address and host name). As an
example of when this would be done, consider the case where Host A (where
LDAP and Solid databases currently reside) needs to be replaced. In this case,
the information on Host A can be transferred to Host B. Then, when Host A is
operational again, the configuration on Host A can be restored from Host B.
2. Set the circuit breaker at the rear of the chassis to the “off” position.
3. If using an optional AC power shelf, set the two switches at the front of
the shelf to the “off” position, shown as “0” on the switches.
Warning: The chassis can be powered by dual (or redundant) power feeds.
Ensure that the circuit breaker at the rear of the chassis is set to “off” before
installation or while servicing the unit.
Likewise, when a GGSN starts up, the software initializes in this manner:
• CMC is loaded with software image during power-up
• CMC forwards software image to other cards
• after system initialization, the SGSN initiates the setup of the tunnel with
the GGSN
Troubleshooting overview
This is the general approach one would take to troubleshooting problems that
may be related to the Shasta GGSN:
1. Troubleshoot the Shasta GGSN equipment (by means of local and on-line
testing). You may find these tools helpful, among others:
— the SCS client (logs, diagnostics, alarms)
— the CLI
— hardware indicators on the chassis and circuit packs
2. Troubleshoot the Gn link (IP and ATM). You may find these tools helpful,
among others:
— Ping utility
— the CLI
3. Troubleshoot the Gi link (IP). You may find these tools helpful, among
others:
— Ping utility
— the CLI
To order documentation from Nortel Networks Global Wireless Knowledge Services, call
(1) (877) 662-5669
Course number: Course UM642
Product release: GGSN 2.0
Document version: Standard 03.05
Date: September 2002
Originated in the United States of America and Canada