GPRS Tunneling Protocol V2 Support
General Packet Radio Service (GPRS) Tunneling Protocol Version 2 (GTPv2) is introduced by a 3rd Generation Partnership Project (3GPP) Technical Specification (TS) and modifies and enhances the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 support extends the GTP Application Inspection and Control (AIC) policies of the zone-based policy firewall so that GTPv2 control signaling is inspected and subscriber data is protected. This module describes how to configure GTPv2 inspection on a zone-based policy firewall.

Contents
- Finding Feature Information
- Restrictions for GPRS Tunneling Protocol V2 Support
- Information About GPRS Tunneling Protocol V2 Support
- How to Configure GPRS Tunneling Protocol V2 Support
- Configuration Examples for GPRS Tunneling Protocol V2 Support
- Additional References for GPRS Tunneling Protocol V2 Support
- Feature Information for GPRS Tunneling Protocol V2 Support

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. An account on Cisco.com is not required.

Restrictions for GPRS Tunneling Protocol V2 Support

- The limit for the number of match statements in a Layer 7 class map is 64.
- The number of classes (including the default class) in a Layer 7 policy map is also limited.
- The limit for the number of characters in a pattern string for a regular expression (regex) parameter map is 245.
- The data path supports up to 512 regular expressions.
- No statistics are available for the match command. Statistics are available only for packets and bytes in a class.
- 3GPP Technical Specification Releases 8 and 9 are not compatible with GPRS Tunneling Protocol Version 2 (GTPv2) inspection.

Information About GPRS Tunneling Protocol V2 Support

GTPv2 Overview

General Packet Radio Service (GPRS) Tunneling Protocol Version 2 (GTPv2), also known as evolved packet services GTP or eGTP, is modified and enhanced from the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 defines a control plane protocol, GTPv2-C; there is no GTPv2 user plane, and user data in an Evolved Packet Core (EPC) network continues to be carried by GTPv1-U. GTPv2-C is primarily used for control signaling between the Serving Gateway (SGW) and the Packet Data Network (PDN) Gateway (PGW), and between the Mobility Management Entity (MME) and the SGW, in an EPC network.

The 3rd-Generation Partnership Project (3GPP) develops globally acceptable specifications for 3rd-Generation (3G) mobile systems. GPRS integrates with existing Global System for Mobile Communication (GSM) networks and provides always-on packet-switched data services to corporate networks and the Internet.
For more information on GTPv0 and GTPv1, see the Configuring GPRS Tunneling Protocol Support chapter in the Security Configuration Guide: Zone-Based Policy Firewall.

Figure 1: General Format of the GTPv2-C Header

Figure 2: Format of Echo and Version Not Supported Message

GTPv2-C Header

The usage of the GTPv2-C header for EPC-specific interfaces is defined below:

- Octet 1: The Version field (bits 8 through 6) is set to decimal 2 (binary 010). The P flag (bit 5, piggybacking) is not supported. If the T flag (bit 4) is set to 1, the Tunnel Endpoint Identifier (TEID) field immediately follows the Length field in octets 5 through 8.
- Octet 2: The Message Type field. This field supports GTPv2-C message type values.
- Octets 3-4: The Length field, which is the length of the message in octets excluding the mandatory part of the GTPv2-C header (the first 4 octets). A well-formed message is therefore exactly Length + 4 octets long, and a datagram that disagrees with its Length field should be treated as malformed.
- Octets 5-8: The TEID field, present only when the T flag is set in octet 1.
- Octets 9-11: The Sequence Number field when the TEID is present. If the TEID field is not present, the Sequence Number field occupies octets 5 through 7 instead.
- Octet 12 (octet 8 when the TEID is absent): one spare octet that completes the header.

Note: Apart from the following messages, all other GTPv2-C messages contain the TEID in their headers:
- Echo Request
- Echo Response
- Version Not Supported Indication

Figure 3: General Format of GTPv2 Message for Control Plane

Stateful Inspection

Stateful inspection, also referred to as dynamic packet filtering, examines a packet based on the information in its header and tracks and validates the state of each connection that traverses the firewall. During stateful inspection, the firewall keeps ports closed until a connection request to a specific port is received. A global database is built from the GTP Application Inspection and Control (AIC) policies for stateful inspection of GTPv2 traffic. When GTPv2 messages traverse the zone-based firewall, GTP AIC policies inspect messages against the Packet Data Protocol (PDP) context database. Packets that require Layer 7 inspection (that is, packets whose payload must be inspected or altered) are passed to the control plane.

Information Elements

A GTPv2 message carries a number of optional fields, called Information Elements (IEs), after the header. An IE may be present in a GTP protocol data unit (PDU). An IE is identified by an IE type and an instance value; the combination of IE type and instance value uniquely identifies an IE within a message. Grouped IEs contain more than one IE and have a 4-octet IE header, and each IE within a grouped IE also has its own 4-octet IE header. The IE format in GTPv2 is TLIV (Type, Length, Instance, Value) encoded. The length value of a grouped IE is the total length of the embedded IEs, including their headers.

Figure 4: General Format of an Information Element (IE) in a GTPv2-C Message

- Octet 1: The IE Type field. This field supports GTPv2-C IE type values.
- Octets 2-3: The Length field, which is the length of the IE value in octets, excluding the 4-octet IE header (Type, Length, and Instance).
- Octet 4: The instance number of the IE in bits 4 through 1; bits 8 through 5 are spare.
- Octets 5-n: The actual data (value) carried by the IE.

How to Configure GPRS Tunneling Protocol V2 Support

GPRS Tunneling Protocol Version 2 (GTPv2) inspection is configured using the zone-based firewall structure of policies and class maps. Because GTPv2 and GTPv1 share the same destination port, Layer 4 class maps cannot distinguish GTPv2 from GTPv1; the two are separated by Layer 7 class maps, which read the Version field of the GTP header (for example, with match version 2).

Configuring a Parameter Map for GPRS Tunneling Protocol V2 Support

SUMMARY STEPS
1. enable
2. configure terminal
3. parameter-map type regex parameter-map-name
4. pattern expression
5. exit
6. parameter-map type inspect-global
7. gtpv2 {request-queue elements | tunnel-limit tunnels}
8. end
DETAILED STEPS

Step 1: enable
  Device> enable
  Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Device# configure terminal
  Enters global configuration mode.

Step 3: parameter-map type regex parameter-map-name
  Device(config)# parameter-map type regex PARAM-REG
  Configures a regex parameter-map type to match a specific traffic pattern and enters parameter map type configuration mode.

Step 4: pattern expression
  Device(config-profile)# pattern apn.cisco.com
  Configures the regular expression that a GTP class map later matches against the APN or MSISDN (match apn regex or match msisdn regex). The expression is a regex, not a literal string: each unescaped dot in apn.cisco.com matches any character, so write apn\.cisco\.com if the dots must match literally.

Step 5: exit
  Device(config-profile)# exit
  Exits parameter map type configuration mode and returns to global configuration mode.

Step 6: parameter-map type inspect-global
  Device(config)# parameter-map type inspect-global
  Configures the global inspect-type parameter map for connection thresholds, timeouts, and other parameters pertaining to the inspect action, and enters parameter map type configuration mode.

Step 7: gtpv2 {request-queue elements | tunnel-limit tunnels}
  Device(config-profile)# gtpv2 request-queue
  Configures inspection parameters for GTPv2: request-queue limits the number of outstanding GTPv2 requests held while they await a response, and tunnel-limit caps the number of GTPv2 tunnels the firewall tracks.

Step 8: end
  Device(config-profile)# end
  Exits parameter-map type inspect mode and returns to privileged EXEC mode.
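The request-queue and tunnel-limit parameters configured above, together with the request-queue and pdp-context timeouts reported by show parameter-map type inspect-global gtp, are easiest to reason about as a small state machine over the GTPv2 control plane. The following Python model is an added example written for this page; it is not Cisco code and does not reproduce the IOS XE implementation. It keys every pending request on (source, destination, sequence number), admits a response only while that request is outstanding, creates a tunnel entry on a Create Session Response, refuses requests for unknown TEIDs, and expires unanswered requests and idle contexts. The limit values in Params and the MME-to-SGW exchange in demo() are constructed; message type numbers are assumed from 3GPP TS 29.274; and keying a tunnel on a single TEID for both directions is a simplification of the per-direction F-TEIDs a real firewall tracks.

```python
"""Stateful GTPv2-C tracker modelling the request-queue and tunnel-limit
parameters and the request-queue/pdp-context timeouts of the GTP parameter
map (added example; not Cisco code and not the IOS XE implementation).
Message type numbers are assumed from 3GPP TS 29.274."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ECHO_REQUEST, ECHO_RESPONSE = 1, 2
CREATE_SESSION_REQUEST, CREATE_SESSION_RESPONSE = 32, 33
MODIFY_BEARER_REQUEST, MODIFY_BEARER_RESPONSE = 34, 35
DELETE_SESSION_REQUEST, DELETE_SESSION_RESPONSE = 36, 37
REQUESTS = {CREATE_SESSION_REQUEST, MODIFY_BEARER_REQUEST, DELETE_SESSION_REQUEST}
RESPONSES = {CREATE_SESSION_RESPONSE, MODIFY_BEARER_RESPONSE, DELETE_SESSION_RESPONSE}


@dataclass
class Params:
    """Limits are assumed values; timeouts are the defaults in the show output."""
    request_queue: int = 200      # gtpv2 request-queue <elements>
    tunnel_limit: int = 500       # gtpv2 tunnel-limit <tunnels>
    request_timeout: int = 60     # gtp request-queue timeout, seconds
    context_timeout: int = 300    # gtp pdp-context timeout, seconds


@dataclass(frozen=True)
class Msg:
    msg_type: int
    teid: int                     # header TEID; 0 on an initial Create Session Request
    seq: int
    src: str
    dst: str


@dataclass
class Verdict:
    action: str                   # "pass" or "drop"
    reason: str


class GTPv2Tracker:
    """Keys a tunnel on one TEID for both directions; a real firewall tracks
    the per-direction TEIDs exchanged in F-TEID IEs (simplified here)."""

    def __init__(self, params: Params):
        self.p = params
        self.pending: Dict[Tuple[str, str, int], int] = {}  # (src, dst, seq) -> sent at
        self.tunnels: Dict[int, int] = {}                    # TEID -> last activity

    def expire(self, now: int) -> Tuple[int, int]:
        """Reclaim requests that never got a response and idle contexts."""
        stale_req = [k for k, t in self.pending.items() if now - t > self.p.request_timeout]
        stale_tun = [k for k, t in self.tunnels.items() if now - t > self.p.context_timeout]
        for k in stale_req:
            del self.pending[k]
        for k in stale_tun:
            del self.tunnels[k]
        return len(stale_req), len(stale_tun)

    def handle(self, m: Msg, now: int) -> Verdict:
        self.expire(now)
        if m.msg_type in (ECHO_REQUEST, ECHO_RESPONSE):
            return Verdict("pass", "echo carries no TEID and creates no state")
        if m.msg_type in REQUESTS:
            if m.msg_type != CREATE_SESSION_REQUEST:
                if m.teid not in self.tunnels:
                    return Verdict("drop", f"request for unknown TEID {m.teid:#x}")
                self.tunnels[m.teid] = now
            if len(self.pending) >= self.p.request_queue:
                return Verdict("drop", "request queue full")
            self.pending[(m.src, m.dst, m.seq)] = now
            return Verdict("pass", "request queued awaiting its response")
        if m.msg_type in RESPONSES:
            # Valid only if the reverse direction (dst, src, seq) is still pending.
            if self.pending.pop((m.dst, m.src, m.seq), None) is None:
                return Verdict("drop", "response without a matching request")
            if m.msg_type == CREATE_SESSION_RESPONSE:
                if len(self.tunnels) >= self.p.tunnel_limit:
                    return Verdict("drop", "tunnel limit reached")
                self.tunnels[m.teid] = now
                return Verdict("pass", f"tunnel {m.teid:#x} created")
            if m.msg_type == DELETE_SESSION_RESPONSE:
                self.tunnels.pop(m.teid, None)
                return Verdict("pass", f"tunnel {m.teid:#x} deleted")
            self.tunnels[m.teid] = now
            return Verdict("pass", "response matched to its request")
        return Verdict("drop", f"message type {m.msg_type} is not tracked")


def demo() -> List[str]:
    """Constructed MME-to-SGW exchange with deliberately small limits."""
    t = GTPv2Tracker(Params(request_queue=2, tunnel_limit=1))
    flow = [
        (Msg(CREATE_SESSION_REQUEST, 0, 1, "mme", "sgw"), 0),
        (Msg(CREATE_SESSION_REQUEST, 0, 2, "mme", "sgw"), 1),
        (Msg(CREATE_SESSION_REQUEST, 0, 3, "mme", "sgw"), 2),       # queue full
        (Msg(CREATE_SESSION_RESPONSE, 0x100, 9, "sgw", "mme"), 3),  # unsolicited
        (Msg(CREATE_SESSION_RESPONSE, 0x100, 1, "sgw", "mme"), 3),  # opens tunnel
        (Msg(CREATE_SESSION_RESPONSE, 0x200, 2, "sgw", "mme"), 4),  # over tunnel limit
        (Msg(MODIFY_BEARER_REQUEST, 0x999, 4, "mme", "sgw"), 10),   # unknown TEID
    ]
    return [t.handle(m, now).action for m, now in flow]
```

demo() returns the verdicts pass, pass, drop, drop, pass, drop, drop for the seven messages. The point of the two limits is the state an untrusted peer can create: a bounded request queue caps what a flood of unanswered Create Session Requests can occupy, the tunnel limit caps the contexts that can be opened through the firewall, and the two timeouts (called from expire()) reclaim both when the peer goes quiet.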
The following is sample output from the show parameter-map type inspect-global gtp command:

Device# show parameter-map type inspect-global gtp
parameter-map type inspect-global gtp
  gtp request-queue (default)
  gtp tunnel-limit (default)
  gtp pdp-context timeout 300 (default)
  gtp request-queue timeout 60 (default)
  permit-error Disable (default)
  gtpv2 request-queue
  gtpv2 tunnel-limit

Configuring a Class Map and a Policy Map for GPRS Tunneling Protocol V2 Support

SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type inspect protocol-name {match-any | match-all} class-map-name
4. match {apn regex parameter-name | mcc country-code mnc network-code | message-length | msisdn regex parameter-name | version number}
5. exit
6. policy-map type inspect protocol-name policy-map-name
7. class type inspect protocol-name class-map-name
8. inspect
9. service-policy protocol-name policy-map
10. end

DETAILED STEPS

Step 1: enable
  Device> enable
  Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Device# configure terminal
  Enters global configuration mode.

Step 3: class-map type inspect protocol-name {match-any | match-all} class-map-name
  Device(config)# class-map type inspect gtpv1 match-any gtpv2-cl7-1
  Creates a Layer 7 (application-specific) inspect-type class map and enters class map configuration mode. The protocol name is gtpv1 for both GTPv1 and GTPv2 traffic, because the two versions share a destination port; the version is selected by the match criteria in the next step.

Step 4: match {apn regex parameter-name | mcc country-code mnc network-code | message-length | msisdn regex parameter-name | version number}
  Device(config-cmap)# match version 2
  Configures the classification criteria for the GTP inspect-type class map. match version 2 selects GTPv2 messages by the Version field of the GTP header; match apn regex and match msisdn regex reference the regex parameter map created in the previous procedure.

Step 5: exit
  Device(config-cmap)# exit
  Exits class map configuration mode and returns to global configuration mode.

Step 6: policy-map type inspect protocol-name policy-map-name
  Device(config)# policy-map type inspect gtpv1 gtpv2-policy-map
  Creates a Layer 7 (protocol-specific) inspect-type policy map and enters policy map configuration mode.

Step 7: class type inspect protocol-name class-map-name
  Device(config-pmap)# class type inspect gtpv1 gtpv2-cl7-1
  Specifies the traffic (class) on which an action is to be performed and enters policy-map class configuration mode.

Step 8: inspect
  Device(config-pmap-c)# inspect
  Enables stateful packet inspection.

Step 9: service-policy protocol-name policy-map
  Device(config-pmap-c)# service-policy gtpv1 gtpv2-policy-map
  Attaches the Layer 7 policy map to a class of the top-level Layer 3 or Layer 4 policy map, which is the policy map that is later applied to the zone pair. Enter this command under that Layer 3/4 class, alongside its inspect action; a Layer 7 policy map cannot be attached to itself or applied to a zone pair directly.

Step 10: end
  Device(config-pmap-c)# end
  Exits policy-map class configuration mode and returns to privileged EXEC mode.
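The match version and match apn regex criteria above act on the header and IE fields described under Information About. The following Python parser is an added example written for this page; it is not Cisco code and does not reproduce the IOS XE implementation. It enforces the header rules from that section (Version 2, the P flag rejected, Length equal to the datagram size minus four octets, a TEID present exactly when the message type requires one, a 3-octet sequence number followed by a spare octet), walks the TLIV information elements including a grouped IE, and applies a regex parameter-map pattern to the APN the way match apn regex does. The message and IE type numbers (Create Session Request, APN, Bearer Context, EPS Bearer ID) are assumed from 3GPP TS 29.274, and the sample Create Session Request and Echo Request are constructed, not captured.

```python
"""GTPv2-C header/IE parser and 'match apn regex' classifier (added example;
not Cisco code).  Layouts follow this module's Information About section;
message and IE type numbers are assumed from 3GPP TS 29.274."""
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ECHO_REQUEST, ECHO_RESPONSE, VERSION_NOT_SUPPORTED = 1, 2, 3
CREATE_SESSION_REQUEST = 32
NO_TEID_MESSAGES = {ECHO_REQUEST, ECHO_RESPONSE, VERSION_NOT_SUPPORTED}
IE_APN, IE_EPS_BEARER_ID, IE_BEARER_CONTEXT = 71, 73, 93
GROUPED_IES = frozenset({IE_BEARER_CONTEXT})    # grouped IEs nest TLIV IEs


class GTPv2Error(ValueError):
    """Raised when a header or IE violates the format rules."""


@dataclass
class IE:
    ie_type: int
    instance: int
    value: bytes
    children: List["IE"] = field(default_factory=list)


@dataclass
class Message:
    msg_type: int
    teid: Optional[int]
    seq: int
    ies: List[IE]


def parse_ies(buf: bytes) -> List[IE]:
    """Walk TLIV IEs; a grouped IE's value is itself a sequence of IEs."""
    ies, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise GTPv2Error("truncated IE header")
        ie_type, length, inst = struct.unpack_from("!BHB", buf, off)
        off += 4                                    # Length excludes this header
        if off + length > len(buf):
            raise GTPv2Error("IE length runs past the end of the message")
        value = buf[off:off + length]
        off += length
        children = parse_ies(value) if ie_type in GROUPED_IES else []
        ies.append(IE(ie_type, inst & 0x0F, value, children))  # instance: bits 4-1
    return ies


def parse_message(pkt: bytes) -> Message:
    if len(pkt) < 4:
        raise GTPv2Error("shorter than the mandatory 4-octet header")
    flags, msg_type, length = struct.unpack_from("!BBH", pkt, 0)
    if flags >> 5 != 2:                             # Version: bits 8-6 of octet 1
        raise GTPv2Error(f"not GTPv2 (version {flags >> 5})")
    if flags & 0x10:                                # P flag (bit 5) not supported
        raise GTPv2Error("piggybacked message")
    if len(pkt) != 4 + length:                      # Length excludes first 4 octets
        raise GTPv2Error("Length field disagrees with packet size")
    has_teid = bool(flags & 0x08)                   # T flag (bit 4)
    if has_teid == (msg_type in NO_TEID_MESSAGES):
        raise GTPv2Error("TEID presence contradicts the message type")
    if length < (8 if has_teid else 4):             # room for TEID + sequence/spare
        raise GTPv2Error("header truncated before the sequence number")
    teid = struct.unpack_from("!I", pkt, 4)[0] if has_teid else None   # octets 5-8
    off = 8 if has_teid else 4                      # sequence number starts here
    seq = int.from_bytes(pkt[off:off + 3], "big")   # 3 octets, then 1 spare octet
    return Message(msg_type, teid, seq, parse_ies(pkt[off + 4:]))


def encode_apn(apn: str) -> bytes:                  # length-prefixed labels, like DNS
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in apn.split("."))


def decode_apn(raw: bytes) -> str:
    labels, off = [], 0
    while off < len(raw):
        n, off = raw[off], off + 1
        if off + n > len(raw):
            raise GTPv2Error("malformed APN label")
        labels.append(raw[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels)


def apn_matches(msg: Message, pattern: str) -> bool:
    """'match apn regex': the parameter-map pattern is searched in the APN."""
    apns = [decode_apn(ie.value) for ie in msg.ies if ie.ie_type == IE_APN]
    return any(re.search(pattern, apn) for apn in apns)


def build_ie(ie_type: int, instance: int, value: bytes) -> bytes:
    return struct.pack("!BHB", ie_type, len(value), instance & 0x0F) + value


def build_message(msg_type: int, teid: Optional[int], seq: int, body: bytes) -> bytes:
    flags, hdr = 2 << 5, b""
    if teid is not None:
        flags, hdr = flags | 0x08, struct.pack("!I", teid)
    payload = hdr + seq.to_bytes(3, "big") + b"\x00" + body
    return struct.pack("!BBH", flags, msg_type, len(payload)) + payload


# Constructed samples (not captured): a Create Session Request and an Echo Request.
SAMPLE_CSR = build_message(
    CREATE_SESSION_REQUEST, 0, 0x000123,
    build_ie(IE_APN, 0, encode_apn("apn.cisco.com"))
    + build_ie(IE_BEARER_CONTEXT, 0, build_ie(IE_EPS_BEARER_ID, 0, b"\x05")))
SAMPLE_ECHO = build_message(ECHO_REQUEST, None, 1, b"")
```

apn_matches(parse_message(SAMPLE_CSR), "apn.cisco.com") returns True, but so does the same call against an APN of apnXcisco.com, because the unescaped dot in the parameter-map pattern is a regex wildcard; the escaped form apn\.cisco\.com matches only the intended APN. Each malformed variant (wrong version, P flag set, Length mismatch, TEID missing from a Create Session Request or present on an Echo, a truncated IE) raises GTPv2Error instead of being guessed at, which is the behaviour a firewall inspecting GTPv2-C should have before it consults any Layer 7 class map.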
Configuring Zones and Zone Pairs for GPRS Tunneling Protocol V2 Support

SUMMARY STEPS
1. enable
2. configure terminal
3. zone security {zone-name | default}
4. exit
5. zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}
6. service-policy type inspect policy-map-name
7. exit
8. interface type number
9. zone-member security zone-name
10. end

DETAILED STEPS

Step 1: enable
  Device> enable
  Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Device# configure terminal
  Enters global configuration mode.

Step 3: zone security {zone-name | default}
  Device(config)# zone security z1
  Device(config)# zone security z2
  Creates a security zone to which interfaces can be assigned and enters security zone configuration mode.
  Note: To create a security zone pair, you must configure two security zones (z1 and z2) to which interfaces can be assigned.

Step 4: exit
  Device(config-sec-zone)# exit
  Exits security zone configuration mode and returns to global configuration mode.

Step 5: zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}
  Device(config)# zone-pair security clt2srv1 source z1 destination z2
  Creates a security zone pair and enters security zone-pair configuration mode.
  Note: To apply a policy, you must configure a zone pair.

Step 6: service-policy type inspect policy-map-name
  Device(config-sec-zone-pair)# service-policy type inspect gtp-l4-policy
  Attaches a firewall policy map to the zone pair. policy-map-name is the Layer 3 or Layer 4 inspect policy map whose class carries the inspect action and the service-policy gtpv1 attachment of the GTPv2 Layer 7 policy map (gtp-l4-policy in the configuration example below); a Layer 7 policy map cannot be applied to a zone pair directly.
  Note: If a policy is not configured between a pair of security zones, traffic is dropped by default.

Step 7: exit
  Device(config-sec-zone-pair)# exit
  Exits security zone-pair configuration mode and returns to global configuration mode.

Step 8: interface type number
  Device(config)# interface gigabitethernet 0/0/0
  Configures an interface and enters interface configuration mode.

Step 9: zone-member security zone-name
  Device(config-if)# zone-member security z1
  Assigns an interface to a specified security zone.
  Note: When you make an interface a member of a security zone, all traffic in and out of that interface (except traffic bound for the device or initiated by the device) is dropped by default. To let traffic through the interface, you must make the zone part of a zone pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface.

Step 10: end
  Device(config-if)# end
  Exits interface configuration mode and returns to privileged EXEC mode.

Configuration Examples for GPRS Tunneling Protocol V2 Support

Configuring GPRS Tunneling Protocol V2 Support

The following example shows how to configure GTPv2 support. The Layer 3/4 class map and policy map (gtp-l4-class and gtp-l4-policy, names chosen for this example) complete the configuration: the GTPv2 Layer 7 policy map must be attached under a class of a Layer 3/4 inspect policy map, and only that Layer 3/4 policy map can be applied to the zone pair.

Device> enable
Device# configure terminal
Device(config)# parameter-map type regex PARAM-REG
Device(config-profile)# pattern apn.cisco.com
Device(config-profile)# exit
Device(config)# parameter-map type inspect-global
Device(config-profile)# gtpv2 tunnel-limit 100
Device(config-profile)# exit
Device(config)# class-map type inspect gtpv1 match-any gtpv2-cl7-1
Device(config-cmap)# match version 2
Device(config-cmap)# exit
Device(config)# policy-map type inspect gtpv1 gtpv2-policy-map
Device(config-pmap)# class type inspect gtpv1 gtpv2-cl7-1
Device(config-pmap-c)# inspect
Device(config-pmap-c)# exit
Device(config-pmap)# exit
Device(config)# class-map type inspect match-any gtp-l4-class
Device(config-cmap)# match protocol gtpv1
Device(config-cmap)# exit
Device(config)# policy-map type inspect gtp-l4-policy
Device(config-pmap)# class type inspect gtp-l4-class
Device(config-pmap-c)# inspect
Device(config-pmap-c)# service-policy gtpv1 gtpv2-policy-map
Device(config-pmap-c)# end

Configuring Zones and Zone Pairs for GPRS Tunneling Protocol V2 Support

The following example shows how to configure zones and zone pairs for GTPv2 and apply the Layer 3/4 policy map from the previous example to the zone pair:

Device> enable
Device# configure terminal
Device(config)# zone security z1
Device(config-sec-zone)# exit
Device(config)# zone security z2
Device(config-sec-zone)# exit
Device(config)# zone-pair security clt2srv1 source z1 destination z2
Device(config-sec-zone-pair)# service-policy type inspect gtp-l4-policy
Device(config-sec-zone-pair)# exit
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# ip address
Device(config-if)# zone-member security z1
Device(config-if)# exit
Device(config)# interface gigabitethernet 0/0/2
Device(config-if)# ip address
Device(config-if)# zone-member security z2
Device(config-if)# end

Additional References for GPRS Tunneling Protocol V2 Support

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Command List, All Releases

Related Topic: Security commands
Document Title: Security Command Reference: Commands A to C; Security Command Reference: Commands D to L; Security Command Reference: Commands M to R; Security Command Reference: Commands S to Z

Related Topic: Security configuration
Document Title: Security Configuration Guide: Zone-Based Policy Firewall
Technical Assistance

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Feature Information for GPRS Tunneling Protocol V2 Support

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. An account on Cisco.com is not required.

Table 1: Feature Information for GPRS Tunneling Protocol Version 2 Support

Feature Name: GTPv2 Support
Releases: Cisco IOS XE Release 3.9S
Feature Information: The GTPv2 Support feature adds inspection of GPRS Tunneling Protocol Version 2, introduced by a 3rd-Generation Partnership Project (3GPP) Technical Specification (TS) that modifies and enhances the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 enhances the GTP Application Inspection and Control (AIC) policies to provide security to subscriber data. This module describes how to configure GTPv2 on a zone-based policy firewall. The following commands were introduced or modified: show parameter-map type inspect-global, zone-pair security.
More informationConfiguring SDM Templates
Finding Feature Information, on page 1 Information About, on page 1 How to Configure SDM Templates, on page 3 Monitoring and Maintaining SDM Templates, on page 4 Configuration Examples for SDM Templates,
More informationEncrypted Vendor-Specific Attributes
Encrypted Vendor-Specific Attributes Last Updated: January 15, 2012 The Encrypted Vendor-Specific Attributes feature provides users with a way to centrally manage filters at a RADIUS server and supports
More informationConfiguring IP SLAs TCP Connect Operations
This module describes how to configure an IP Service Level Agreements (SLAs) TCP Connect operation to measure the response time taken to perform a TCP Connect operation between a Cisco router and devices
More informationMatch-in-VRF Support for NAT
The feature supports Network Address Translation (NAT) of packets that communicate between two hosts within the same VPN routing and forwarding (VRF) instance. In intra-vpn NAT, both the local and global
More informationFPG Endpoint Agnostic Port Allocation
When the Endpoint Agnostic Port Allocation feature is configured, an entry is added to the Symmetric Port Database. If the entry is already available, the port listed in the Symmetric Port Database is
More informationURI-Based Dialing Enhancements
The feature describes the enhancements made to Uniform Resource Identifier (URI)-based dialing on Cisco Unified Border Element (Cisco UBE) for Session Initiation Protocol (SIP) calls. The feature includes
More informationConfiguring a Load-Balancing Scheme
This module contains information about Cisco Express Forwarding and describes the tasks for configuring a load-balancing scheme for Cisco Express Forwarding traffic. Load-balancing allows you to optimize
More informationQoS: Child Service Policy for Priority Class
QoS: Child Service Policy for Priority Class First Published: November, 2006 Last Updated: March 2, 2009 The QoS: Child Service Policy for Priority Class feature allows you to configure a child service
More informationSIP ALG Resilience to DoS Attacks
The feature provides protection against Session Initiation Protocol (SIP) application layer gateway (ALG) denial of service (DoS) attacks. This feature supports a configurable lock limit, a dynamic blacklist,
More informationManually Configured IPv6 over IPv4 Tunnels
This feature provides support for manually configured IPv6 over IPv4 tunnels. A manually configured tunnel is equivalent to a permanent link between two IPv6 domains over an IPv4 backbone. Finding Feature
More informationConfiguring System MTU
Finding Feature Information, page 1 Restrictions for System MTU, page 1 Information about the MTU, page 2 How to Configure System MTU, page 3 Configuration Examples for System MTU, page 4 Additional References
More informationDHCP Relay Server ID Override and Link Selection Option 82 Suboptions
DHCP Relay Server ID Override and Link Selection Option 82 Suboptions The DHCP Relay Server ID Override and Link Selection Option 82 Suboptions feature enables the relay agent to be part of all Dynamic
More informationIP over IPv6 Tunnels. Information About IP over IPv6 Tunnels. GRE IPv4 Tunnel Support for IPv6 Traffic
IPv6 supports IP over IPv6 tunnels, which includes the following: Generic routing encapsulation (GRE) IPv4 tunnel support for IPv6 traffic IPv6 traffic can be carried over IPv4 GRE tunnels using the standard
More informationURI-Based Dialing Enhancements
The feature describes the enhancements made to Uniform Resource Identifier (URI)-based dialing on Cisco Unified Border Element (Cisco UBE) for Session Initiation Protocol (SIP) calls. The feature includes
More informationConfiguring the Cisco Discovery Protocol
Finding Feature Information, page 1 Information About CDP, page 1 How to Configure CDP, page 3 Monitoring and Maintaining CDP, page 11 Additional References, page 12 Feature History and Information for
More informationProtection Against Distributed Denial of Service Attacks
Protection Against Distributed Denial of Service Attacks The Protection Against Distributed Denial of Service Attacks feature provides protection from Denial of Service (DoS) attacks at the global level
More informationMarking Network Traffic
Marking network traffic allows you to set or modify the attributes for traffic (that is, packets) belonging to a specific class or category. When used in conjunction with network traffic classification,
More informationExclusive Configuration Change Access and Access Session Locking
Exclusive Configuration Change Access and Access Session Locking Exclusive Configuration Change Access (also called the Configuration Lock feature) allows you to have exclusive change access to the Cisco
More informationQoS Policy Propagation via BGP
The feature allows you to classify packets by IP precedence based on the Border Gateway Protocol (BGP) community lists, BGP autonomous system paths, and access lists. After packets have been classified,
More informationClassifying and Marking MPLS EXP
The QoS EXP Matching feature allows you to classify and mark network traffic by modifying the Multiprotocol Label Switching (MPLS) experimental bits (EXP) field in IP packets. This module contains conceptual
More informationProxy Mobile IPv6 Support for MAG Functionality
The feature provides network-based IP Mobility management to a mobile node (MN) without requiring the participation of the mobile node in any IP Mobility-related signaling. The Mobile Access Gateway (MAG)
More informationCisco Discovery Protocol Version 2
Cisco Discovery Protocol (formerly known as CDP) is a Layer 2, media-independent, and network-independent protocol that runs on Cisco devices and enables networking applications to learn about directly
More informationTroubleshooting ISG with Session Monitoring and Distributed Conditional Debugging
Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging Intelligent Services Gateway (ISG) is a software feature set that provides a structured framework in which edge devices
More informationConfiguring Access Point Groups
Finding Feature Information, page 1 Prerequisites for Configuring AP Groups, page 1 Restrictions for, page 2 Information About Access Point Groups, page 2 How to Configure Access Point Groups, page 4 Additional
More informationBGP Policy Accounting Output Interface Accounting
BGP Policy Accounting Output Interface Accounting Last Updated: November 2, 2011 Border Gateway Protocol (BGP) policy accounting (PA) measures and classifies IP traffic that is sent to, or received from,
More informationConfiguring Embedded Resource Manager-MIB
The Embedded Resource Manager (ERM)-MIB feature introduces MIB support for the ERM feature. The ERM feature tracks resource usage information for every registered resource owner and resource user. The
More informationConfiguring Access Point Groups
Finding Feature Information, page 1 Prerequisites for Configuring AP Groups, page 1 Restrictions for, page 2 Information About Access Point Groups, page 2 How to Configure Access Point Groups, page 3 Additional
More informationThe ISG RADIUS Proxy Support for Mobile Users Hotspot Roaming and Accounting Start Filtering feature
ISG RADIUS Proxy Support for Mobile Users Hotspot Roaming and Accounting Start Filtering The ISG RADIUS Proxy Support for Mobile Users Hotspot Roaming and Accounting Start Filtering feature allows the
More informationIPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 zone-based firewalls support the Protection of Distributed Denial of Service Attacks and the Firewall
More informationConfiguring IP SLAs ICMP Echo Operations
This module describes how to configure an IP Service Level Agreements (SLAs) Internet Control Message Protocol (ICMP) Echo operation to monitor end-to-end response time between a Cisco router and devices
More informationRegulating Packet Flow on a Per-Interface Basis Using Generic Traffic Shaping
Regulating Packet Flow on a Per-Interface Basis Using Generic Traffic Shaping Packet flow on a network can be regulated using a traffic shaping mechanism. One such traffic shaping mechanism is a Cisco
More informationConfiguring IP SLAs UDP Echo Operations
This module describes how to configure an IP Service Level Agreements (SLAs) User Datagram Protocol (UDP) Echo operation to monitor end-to-end response time between a Cisco device and devices using IPv4
More informationBGP AS-Override Split-Horizon
The feature enables a Provider Edge (PE) device using split-horizon to avoid advertisement of routes propagated by a Customer Edge (CE) device to the same CE device. The BGP AS-Override Split-Horizon feature
More informationConfiguring IP Multicast over Unidirectional Links
Configuring IP Multicast over Unidirectional Links IP multicast requires bidirectional communication, yet some networks include broadcast satellite links, which are unidirectional. Unidirectional link
More informationIPv6 Routing: RIP for IPv6
IPv6 Routing Information Protocol (RIP) functions the same and offers the same benefits as IPv4 RIP. RIP enhancements for IPv6, detailed in RFC 2080, include support for IPv6 addresses and prefixes and
More informationAdd Path Support in EIGRP
The feature enables hubs in a single Dynamic Multipoint VPN (DMVPN) domain to advertise multiple best paths to connected spokes when the Enhanced Interior Gateway Routing Protocol (EIGRP) is the routing
More information