GPRS Tunneling Protocol V2 Support

Size: px
Start display at page:

Download "GPRS Tunneling Protocol V2 Support"

Transcription

1 General Packet Radio Service (GPRS) Tunneling Protocol Version 2 (GTPv2) is introduced by the 3rd Generation Partnership Project (3GPP) Technical Specification (TS) , which modifies and enhances the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 enhances the GTP Application Inspection and Control (AIC) policies to provide security to subscriber data. This module describes how to configure GTPv2 on a zone-based policy firewall. Finding Feature Information, page 1 Restrictions for, page 1 Information About, page 2 How to Configure, page 5 Configuration Examples for, page 10 Additional References for, page 11 Feature Information for, page 12 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to An account on Cisco.com is not required. Restrictions for The limit for the number of match statements in a Layer 7 class map is 64. The limit for the number of classes (including the default class) in a Layer 7 policy map is

2 Information About The limit for the number of characters in a pattern string for a regular expression (regex) parameter map is 245. The data path supports up to 512 regular expressions. No statistics are available for the match command. Statistics are available for only packets and bytes in a class. 3GPP Technical Specification release 8 and 9 are not compatible with GPRS Tunneling Protocol Version 2 (GTPv2). Information About GTPv2 Overview General Packet Radio Service (GPRS) Tunneling Protocol Version 2 (GTPv2), also known as evolved packet services GTP or egtp, is modified and enhanced from the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 has two flavors, a control plane protocol (GTPv2-C) and a user plane protocol (GTPv2-U). GTPv2 is primarily used for control signaling between the Serving Gateway (SGW) and the Packet Data Network (PDN) Gateway (PGW) in an Evolved Packet Core (EPC) network. The 3rd-Generation Partnership Project (3GPP) develops globally acceptable specifications for 3rd-Generation (3G) mobile systems. GPRS integrates with the existing Global System for Mobile Communication (GSM) networks and provides always-on packet-switched data services to corporate networks and the Internet. 2

3 GTPv2 Overview For more information on GTPv0 and GTPv1, see the Configuring GPRS Tunneling Protocol Support chapter in the Security Configuration Guide: Zone-Based Policy Firewall. Figure 1: General Format of the GTPv2-C Header Figure 2: Format of Echo and Version Not Supported Message GTPv2-C Header The usage of the GTPv2-C header for EPC-specific interfaces is defined below: Octet 1: Octet 1 represents Version (bits 8 through 6) that is set to decimal 2 ( 010 ). If the T flag (bit 4) is set to 1, the Tunnel Endpoint Identifier (TEID) field immediately follows the Length field in octets 5 through 8. The P flag (Piggybacking Support) is not supported. Octet 2: Octet 2 represents the Message Type field. This field supports GTPv2-C message type values. Octets 3-4: Octets 3 and 4 represent the Length field. This is the length of the message in octets excluding the mandatory part of the GTPv2-C header (the first 4 octets). 3

4 Stateful Inspection Octets 5-8: Octets 5 through 8 represent the Tunnel Identifier field if the T flag is set in the first octet. Octets 9-10: Octets 9 and 10 represent the Sequence Number field if the TEID is present. If the TEID field is not present, the Sequence Number field will be contained in octets 5 and 6. Octets 11-12: Octets 11 and 12 are two spare octets followed by the Sequence Number field. Note Apart from the following messages, all other GTPv2-C messages contain the TEID in their headers. Echo Request Echo Response Version Not Supported Indication Figure 3: General Format of GTPv2 Message for Control Plane Stateful Inspection Stateful inspection, also referred to as dynamic packet filtering, examines a packet based on the information in its header and tracks and validates each connection to which a firewall is connected. During stateful inspection, firewalls close ports until a connection request to a specific port is received. A global database is built on the GTP Application Inspection and Control (AIC) policies for stateful inspection of the GTPv2 traffic. When GTPv2 messages traverse the zone-based firewall, GTP AIC policies inspect messages based on the Packet Data Protocol (PDP) context database. Packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed to the control plane. Information Elements A GTP header contains a number of options fields called Information Elements (IEs). An IE may be present in a GTP protocol data unit (PDU). The IE may be included in a message header. An IE is identified by an IE type and an instance value. The combination of IE type and instance value uniquely identifies an IE in a message. Grouped IEs contain more than one IE and have a 4-octet IE header. Each IE 4

5 How to Configure within a grouped IE also has a 4-octet IE header. The IE format in GTPv2 is TLIV (Type, Length, Instance, Value) encoded. The length value of a grouped IE is the total length of the embedded IEs. Figure 4: General Format of an Information Element (IE) in a GTPv2-C Message Octet 1: Octet 1 represents the IE Type field. The IE Type field supports GTPv2-C IE type values. Octets 2-3: Octets 2 and 3 represent the length of the IE excluding the Type and the Length field. Octet 4: Octet 4 represents the instance number (bit 4-1) of the IE. Octets 5-n: Octets 5 through n represent the actual data contained in the IE. How to Configure Configuring GPRS Tunneling Protocol Version 2 (GTPv2) is configured using the zone-based firewall structure of policies and class maps. Because GTPv2 and GTPv1 protocols share the same destination port, Layer 4 class maps cannot classify GTPv2 and GTPv1; they are classified by Layer 7 class maps. Configuring a Parameter Map for SUMMARY STEPS 1. enable 2. configure terminal 3. parameter-map type regex parameter-map-name 4. pattern expression 5. exit 6. parameter-map type inspect-global gtp 7. gtpv2 {request-queue elements tunnel-limit tunnels} 8. end 5

6 Configuring a Parameter Map for DETAILED STEPS Step 1 Step 2 Command or Action enable Device> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Step 4 Step 5 Step 6 Step 7 Device# configure terminal parameter-map type regex parameter-map-name Device(config)# parameter-map type regex PARAM-REG pattern expression Device(config-profile)# pattern apn.cisco.com exit Device(config-profile)# exit parameter-map type inspect-global gtp Device(config)# parameter-map type inspect-global gtp gtpv2 {request-queue elements tunnel-limit tunnels} Configures a regex parameter-map type to match a specific traffic pattern and enters parameter map type configuration mode. Configures a matching pattern that specifies a list of domains, URL keywords, or URL meta-characters that should be allowed or blocked by local URL filtering. Exits parameter map type configuration mode and returns to global configuration mode. Configures an inspect-type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action and enters parameter map type configuration mode. Configures inspection parameters for GTP. Step 8 Device(config-profile)# gtpv2 request-queue end Device(config-profile)# end Exits parameter-map type inspect mode and returns to privileged EXEC mode. 6

7 Configuring a Class Map and a Policy Map for Parameter Map for The following is sample output from the show parameter-map type command: Device# show parameter-map type inspect-global gtp parameter-map type inspect-global gtp gtp request-queue (default) gtp tunnel-limit (default) gtp pdp-context timeout 300 (default) gtp request-queue timeout 60 (default) permit-error Disable (default) gtpv2 request-queue gtpv2 tunnel-limit Configuring a Class Map and a Policy Map for GPRS Tunneling Protocol V2 Support SUMMARY STEPS 1. enable 2. configure terminal 3. class-map type inspect protocol-name {match-any match-all} class-map-name 4. match {apn regex parameter-name {mcc country-code mnc network-code message-length msisdn regex parameter-name version number} 5. exit 6. policy-map type inspect protocol-name policy-map-name 7. class type inspect protocol-name class-map-name 8. inspect 9. service-policy protocol-name policy-map 10. end DETAILED STEPS Step 1 Step 2 Command or Action enable Device> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Device# configure terminal 7

8 Configuring a Class Map and a Policy Map for Step 3 Command or Action class-map type inspect protocol-name {match-any match-all} class-map-name Purpose Creates a Layer 7 (application-specific) inspect-type class map and enters class map configuration mode. Step 4 Device(config)# class-map type inspect gtpv1 match-any gtpv2-cl7-1 match {apn regex parameter-name {mcc country-code mnc network-code message-length msisdn regex parameter-name version number} Configures the classification criteria for the inspect-type class map for the GTP. Step 5 Step 6 Step 7 Step 8 Device(config-cmap)# match version 2 exit Device(config-cmap)# exit policy-map type inspect protocol-name policy-map-name Device(config)# policy-map type inspect gtpv1 gtpv2-policy-map class type inspect protocol-name class-map-name Device(config-pmap)# class type inspect gtpv1 gtpv2-cl7-1 inspect Exits class map configuration mode and returns to global configuration mode. Creates a Layer 7 (protocol-specific) inspect-type policy map and enters policy map configuration mode. Specifies the traffic (class) on which an action is to be performed and enters policy-map class configuration mode. Enables stateful packet inspection. Step 9 Step 10 Device(config-pmap-c)# inspect service-policy protocol-name policy-map Device(config-pmap-c)# service-policy gtpv1 gtpv2-policy-map end Device(config-pmap-c)# end Attaches a Layer 7 policy map to the top-level Layer 3 or Layer 4 policy map. Exits policy-map class configuration mode and returns to privileged EXEC mode. 8

9 Configuring Zones and Zone Pairs for Configuring Zones and Zone Pairs for SUMMARY STEPS 1. enable 2. configure terminal 3. zone security {zone-name default} 4. exit 5. zone-pair securityzone-pair-namesource {source-zone-name self default} destination {destination-zone-name self default} 6. service-policy type inspect policy-map-name 7. exit 8. interface type number 9. zone-member security zone-name 10. end DETAILED STEPS Step 1 Step 2 Command or Action enable Device> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Step 4 Step 5 Device# configure terminal zone security {zone-name default} Device(config)# zone security z1 Device(config)# zone security z2 exit Device(config-sec-zone)# exit zone-pair securityzone-pair-namesource {source-zone-name self default} destination {destination-zone-name self default} Creates a security zone to which interfaces can be assigned and enters security zone configuration mode. Note To create a security zone pair, you must configure two security zones (z1 and z2) to which interfaces can be assigned. Exits security zone configuration mode and returns to global configuration mode. Creates a security zone pair and enters security zone-pair configuration mode. Note To apply a policy, you must configure a zone pair. 9

10 Configuration Examples for Command or Action Purpose Step 6 Step 7 Step 8 Device(config)# zone-pair security clt2srv1 source z1 destination z2 service-policy type inspect policy-map-name Device(config-sec-zone-pair)# service-policy type inspect gtpv2-policy-map exit Device(config-sec-zone-pair)# exit interface type number Attaches a firewall policy map to the destination zone pair. Note If a policy is not configured between a pair of security zones, traffic is dropped by default. Exits security zone-pair configuration mode and returns to global configuration mode. Configures an interface and returns interface configuration mode. Step 9 Step 10 Device(config)# interface gigabitethernet 0/0/0 zone-member security zone-name Device(config-if)# zone-member security z1 end Device(config-if)# end Assigns an interface to a specified security zone. Note When you make an interface a member of a security zone, all traffic in and out of that interface (except traffic bound for the device or initiated by the device) is dropped by default. To let traffic through the interface, you must make the zone part of a zone pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface. Exits interface configuration mode and returns to privileged EXEC mode. Configuration Examples for Configuring The following example shows how to configure GTPv2 support: Device> enable Device# configure terminal Device(config)# parameter-map type regex PARAM-REG 10

11 Configuring Zones and Zone Pairs for Device(config-profile)# pattern apn.cisco.com Device(config-profile)# exit Device(config)# parameter-map type inspect-global Device(config-profile)# gtpv2 tunnel-limit 100 Device(config-profile)# exit Device(config)# class-map type inspect gtpv1 match-any gtpv2-cl7-1 Device(config-cmap)# match version 2 Device(config-cmap)# exit Device(config)# policy-map type inspect gtpv1 gtpv2-policy-map Device(config-pmap)# class type inspect gtpv1 gtpv2-cl7-1 Device(config-pmap-c)# inspect Device(config-pmap-c)# service-policy gtpv1 gtpv2-policy-map Device(config-pmap)# end Configuring Zones and Zone Pairs for GPRS Tunneling Protocol V2 Support The following example shows how to configure zones and zone pairs for GTPv2: Device> enable Device# configure terminal Device(config)# zone security z1 Device(config-sec-zone)# exit Device(config)# zone-pair security clt2srv1 source z1 destination z2 Device(config-sec-zone-pair)# service-policy type inspect gtpv2-policy-map Device(config-sec-zone-pair)# exit Device(config)# interface gigabitethernet 0/0/0 Device(config-if)# ip address Device(config-if)# zone-member security z1 Device(config-if)# exit Device(config)# interface gigabitethernet0/0/2 Device(config-if)# ip address Device(config-if)# zone-member security z2 Device(config)# end Additional References for Related Documents Related Topic Cisco IOS commands Security commands Security configuration Document Title Cisco IOS Master Command List, All Releases Security Command Reference: Commands A to C Security Command Reference: Commands D to L Security Command Reference: Commands M to R Security Command Reference: Commands S to Z Security Configuration Guide: Zone-Based Policy Firewall 11

12 Feature Information for Technical Assistance Description The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Link Feature Information for The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to An account on Cisco.com is not required. Table 1: Feature Information for GPRS Tunneling Protocol Version 2 Support Feature Name GTPv2 Support Releases Cisco IOS XE Release 3.9S Feature Information The GTPv2 Support feature is introduced by the 3rd-Generation Partnership Project (3GPP) TS , which modifies and enhances the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 enhances the GTP Application Inspection and Control (AIC) policies to provide security to subscriber data. This module describes how to configure GTPv2 on a zone-based policy firewall. The following commands have been newly introduced or modified: show parameter-map type inspect-global, zone-pair security. 12

13 Feature Information for 13

14 Feature Information for 14

Configuring GPRS Tunneling Protocol Support

Configuring GPRS Tunneling Protocol Support The GPRS Tunneling Protocol Support feature provides firewall support for General Packet Radio Switching (GPRS) Tunneling Protocol (GTP). GPRS is a data network architecture, which integrates with existing

More information

Configurable Number of Simultaneous Packets per Flow

Configurable Number of Simultaneous Packets per Flow Configurable Number of Simultaneous Packets per Flow In zone-based policy firewalls, the number of simultaneous packets per flow is restricted to 25 and packets that exceed the limit are dropped. The dropping

More information

Enabling ALGs and AICs in Zone-Based Policy Firewalls

Enabling ALGs and AICs in Zone-Based Policy Firewalls Enabling ALGs and AICs in Zone-Based Policy Firewalls Zone-based policy firewalls support Layer 7 application protocol inspection along with application-level gateways (ALGs) and application inspection

More information

Enabling ALGs and AICs in Zone-Based Policy Firewalls

Enabling ALGs and AICs in Zone-Based Policy Firewalls Enabling ALGs and AICs in Zone-Based Policy Firewalls Zone-based policy firewalls support Layer 7 application protocol inspection along with application-level gateways (ALGs) and application inspection

More information

GGSN Pooling Support for Firewalls

GGSN Pooling Support for Firewalls The feature enhances the General Packet Radio Switching (GPRS) Tunneling Protocol (GTP) feature by adding load balancing support. GTP supports the inspection of control traffic that is designated to a

More information

Nested Class Map Support for Zone-Based Policy Firewall

Nested Class Map Support for Zone-Based Policy Firewall Nested Class Map Support for Zone-Based Policy Firewall The Nested Class Map Support for Zone-Based Policy Firewall feature provides the Cisco IOS XE firewall the functionality to configure multiple traffic

More information

Sun RPC ALG Support for Firewalls and NAT

Sun RPC ALG Support for Firewalls and NAT The feature adds support for the Sun Microsystems remote-procedure call (RPC) application-level gateway (ALG) on the firewall and Network Address Translation (NAT). Sun RPC is an application layer protocol

More information

Sun RPC ALG Support for Firewalls and NAT

Sun RPC ALG Support for Firewalls and NAT The feature adds support for the Sun Microsystems remote-procedure call (RPC) application-level gateway (ALG) on the firewall and Network Address Translation (NAT). Sun RPC is an application layer protocol

More information

Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall The Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall feature disables the strict checking of the TCP

More information

Configuring System MTU

Configuring System MTU Restrictions for System MTU, on page 1 Information About the MTU, on page 1 How to Configure MTU, on page 2 Configuration Examples for System MTU, on page 4 Additional References for System MTU, on page

More information

NBAR2 HTTP-Based Visibility Dashboard

NBAR2 HTTP-Based Visibility Dashboard The NBAR2 HTTP-based Visibility Dashboard provides a web interface displaying network traffic data and related information. The information is presented in an intuitive, interactive graphical format. Finding

More information

QoS Group Match and Set for Classification and Marking

QoS Group Match and Set for Classification and Marking QoS Group Match and Set for Classification and Marking This feature provides the capability of matching and classifying traffic on the basis of the QoS group value. Finding Feature Information, on page

More information

Sun RPC ALG Support for Firewall and NAT

Sun RPC ALG Support for Firewall and NAT Sun RPC ALG Support for Firewall and NAT Last Updated: December 18, 2011 The Sun RPC ALG Support for Firewall and NAT feature adds support for the Sun Microsystems (Sun) Remote Procedure Call (RPC) Application

More information

Per-Flow Admission. Finding Feature Information. Prerequisites for Per-Flow Admission

Per-Flow Admission. Finding Feature Information. Prerequisites for Per-Flow Admission The feature provides explicit controls to limit packet flow into a WAN edge in order to protect already admitted flows on the routing/wan edge. Finding Feature Information, page 1 Prerequisites for, page

More information

Restrictions for Disabling Flow Cache Entries in NAT and NAT64

Restrictions for Disabling Flow Cache Entries in NAT and NAT64 The feature allows you to disable flow cache entries for dynamic and static Network Address Translation (NAT) translations. Disabling flow cache entries for dynamic and static translations saves memory

More information

Per-Flow Admission. Finding Feature Information. Prerequisites for Per-Flow Admission

Per-Flow Admission. Finding Feature Information. Prerequisites for Per-Flow Admission The feature provides explicit controls to limit packet flow into a WAN edge in order to protect already admitted flows on the routing/wan edge. Finding Feature Information, page 1 Prerequisites for, page

More information

Fine-Grain NBAR for Selective Applications

Fine-Grain NBAR for Selective Applications By default NBAR operates in the fine-grain mode, offering NBAR's full application recognition capabilities. Used when per-packet reporting is required, fine-grain mode offers a troubleshooting advantage.

More information

Bulk Logging and Port Block Allocation

Bulk Logging and Port Block Allocation The feature allocates a block of ports for translation instead of allocating individual ports. This feature is supported only in carrier-grade Network Address Translation (CGN) mode. This module provides

More information

SSH Algorithms for Common Criteria Certification

SSH Algorithms for Common Criteria Certification The feature provides the list and order of the algorithms that are allowed for Common Criteria Certification. This module describes how to configure the encryption, Message Authentication Code (MAC), and

More information

Object Tracking: IPv6 Route Tracking

Object Tracking: IPv6 Route Tracking The feature expands the Enhanced Object Tracking (EOT) functionality to allow the tracking of IPv6 routes. Finding Feature Information, page 1 Restrictions for, page 1 Information About, page 2 How to

More information

Firewall Stateful Inspection of ICMP

Firewall Stateful Inspection of ICMP The feature categorizes Internet Control Management Protocol Version 4 (ICMPv4) messages as either malicious or benign. The firewall uses stateful inspection to trust benign ICMPv4 messages that are generated

More information

Fine-Grain NBAR for Selective Applications

Fine-Grain NBAR for Selective Applications By default NBAR operates in the fine-grain mode, offering NBAR's full application recognition capabilities. Used when per-packet reporting is required, fine-grain mode offers a troubleshooting advantage.

More information

RADIUS Route Download

RADIUS Route Download The feature allows users to configure their network access server (NAS) to direct RADIUS authorization. Finding Feature Information, page 1 Prerequisites for, page 1 Information About, page 1 How to Configure,

More information

VRF-Aware Cloud Web Security

VRF-Aware Cloud Web Security The feature adds virtual routing and forwarding (VRF) support to the Cisco Cloud Web Security configuration. VRF instances in IP-based networks enable a device to have multiple instances of the routing

More information

Zone-Based Firewall Logging Export Using NetFlow

Zone-Based Firewall Logging Export Using NetFlow Zone-Based Firewall Logging Export Using NetFlow Zone-based firewalls support the logging of messages to an external collector using NetFlow Version 9 export format. NetFlow Version 9 export format uses

More information

Flow-Based per Port-Channel Load Balancing

Flow-Based per Port-Channel Load Balancing The feature allows different flows of traffic over a Gigabit EtherChannel (GEC) interface to be identified based on the packet header and then mapped to the different member links of the port channel.

More information

8K GM Scale Improvement

8K GM Scale Improvement The feature supports optimization of the Cooperative Protocol (COOP) announcement messages by increasing the number of Group Members (GM) to 8000. Finding Feature Information, page 1 Prerequisites for,

More information

Stateful Network Address Translation 64

Stateful Network Address Translation 64 The feature provides a translation mechanism that translates IPv6 packets into IPv4 packets and vice versa. The stateful NAT64 translator algorithmically translates the IPv4 addresses of IPv4 hosts to

More information

Quality of Service for VPNs

Quality of Service for VPNs The QoS for VPNs feature provides a solution for making Cisco IOS QoS services operate in conjunction with tunneling and encryption on an interface. Cisco IOS software can classify packets and apply the

More information

Using Flexible NetFlow Flow Sampling

Using Flexible NetFlow Flow Sampling This document contains information about and instructions for configuring sampling to reduce the CPU overhead of analyzing traffic with Flexible NetFlow. NetFlow is a Cisco technology that provides statistics

More information

Using Flexible NetFlow Flow Sampling

Using Flexible NetFlow Flow Sampling This document contains information about and instructions for configuring sampling to reduce the CPU overhead of analyzing traffic with Flexible NetFlow. NetFlow is a Cisco technology that provides statistics

More information

NAT Routemaps Outside-to-Inside Support

NAT Routemaps Outside-to-Inside Support The feature enables you to configure a NAT routemap configuration that allows IP sessions to be initiated from outside the network to inside the network. This module explains how to configure the feature.

More information

Encrypted Vendor-Specific Attributes

Encrypted Vendor-Specific Attributes The feature provides users with a way to centrally manage filters at a RADIUS server and supports the following types of string vendor-specific attributes (VSAs): Tagged String VSA, on page 2 (similar

More information

BGP-RT and VPN Distinguisher Attribute Rewrite Wildcard

BGP-RT and VPN Distinguisher Attribute Rewrite Wildcard BGP-RT and VPN Distinguisher Attribute Rewrite Wildcard The BGP RT and VPN Distinguisher Attribute Rewrite Wildcard feature introduces the ability to set a range of route target (RT) community attributes

More information

Autoroute Announce and Forwarding Adjacencies For OSPFv3

Autoroute Announce and Forwarding Adjacencies For OSPFv3 Autoroute Announce and Forwarding The Autoroute Announce and Forwarding Adjacencies for OSPFv3 feature advertises IPv6 routes over MPLS/TE IPv4 tunnels. This module describes how to configure the Autoroute

More information

Autoroute Announce and Forwarding Adjacencies For OSPFv3

Autoroute Announce and Forwarding Adjacencies For OSPFv3 Autoroute Announce and Forwarding The Autoroute Announce and Forwarding Adjacencies for OSPFv3 feature advertises IPv6 routes over MPLS/TE IPv4 tunnels. This module describes how to configure the Autoroute

More information

Password Strength and Management for Common Criteria

Password Strength and Management for Common Criteria Password Strength and Management for Common Criteria The Password Strength and Management for Common Criteria feature is used to specify password policies and security mechanisms for storing, retrieving,

More information

Object Groups for ACLs

Object Groups for ACLs The feature lets you classify users, devices, or protocols into groups and apply these groups to access control lists (ACLs) to create access control policies for these groups. This feature lets you use

More information

Configuring Firewall TCP SYN Cookie

Configuring Firewall TCP SYN Cookie The Firewall TCP SYN Cookie feature protects your firewall from TCP SYN-flooding attacks. TCP SYN-flooding attacks are a type of denial-of-service (DoS) attack. Usually, TCP synchronization (SYN) packets

More information

SSL Custom Application

SSL Custom Application feature enables users to customize applications that run on any protocol over Secure Socket Layer (SSL), including HTTP over Secure Socket Layer (HTTPS), using the server name, if it exists in the Client

More information

802.1P CoS Bit Set for PPP and PPPoE Control Frames

802.1P CoS Bit Set for PPP and PPPoE Control Frames 802.1P CoS Bit Set for PPP and PPPoE Control The 802.1P CoS Bit Set for PPP and PPPoE Control feature provides the ability to set user priority bits in the IEEE 802.1Q tagged frame to allow traffic prioritization.

More information

AAA Dead-Server Detection

AAA Dead-Server Detection The feature allows you to configure the criteria to be used to mark a RADIUS server as dead. If no criteria are explicitly configured, the criteria are computed dynamically on the basis of the number of

More information

ACL Syslog Correlation

ACL Syslog Correlation The Access Control List (ACL) Syslog Correlation feature appends a tag (either a user-defined cookie or a device-generated MD5 hash value) to access control entry (ACE) syslog entries. This tag uniquely

More information

Configuring IP SLA - Percentile Support for Filtering Outliers

Configuring IP SLA - Percentile Support for Filtering Outliers Configuring IP SLA - Percentile Support for Filtering Outliers This module describes how to configure the percentile option for IP SLAs to examine a set of network measurements that are within a specified

More information

MPLS over GRE. Finding Feature Information. Prerequisites for MPLS VPN L3VPN over GRE

MPLS over GRE. Finding Feature Information. Prerequisites for MPLS VPN L3VPN over GRE The feature provides a mechanism for tunneling Multiprotocol Label Switching (MPLS) packets over a non-mpls network. This feature utilizes MPLS over generic routing encapsulation (MPLSoGRE) to encapsulate

More information

Flexible NetFlow - MPLS Support

Flexible NetFlow - MPLS Support The feature supports the monitoring of the following MPLS-related fields: MPLS Labels 1-6 (3 bytes -- 20 bits of label, 3 bits of EXP, 1 bit of EOS). Top Label EXP i.e. the EXP field for label 1. Top Label

More information

EIGRP Route Tag Enhancements

EIGRP Route Tag Enhancements The feature enables you to specify and display route tags in dotted-decimal format, filter routes using the route tag value with wildcard mask, and set a default route tag for all internal Enhanced Interior

More information

MSRPC ALG Support for Firewall and NAT

MSRPC ALG Support for Firewall and NAT The feature provides support for the Microsoft (MS) Remote Procedure Call (RPC) application-level gateway (ALG) on the firewall and Network Address Translation (NAT). The MSRPC ALG provides deep packet

More information

IPv6 over IPv4 GRE Tunnels

IPv6 over IPv4 GRE Tunnels GRE tunnels are links between two points, with a separate tunnel for each link. The tunnels are not tied to a specific passenger or transport protocol, but in this case carry IPv6 as the passenger protocol

More information

IPv6 over IPv4 GRE Tunnels

IPv6 over IPv4 GRE Tunnels GRE tunnels are links between two points, with a separate tunnel for each link. The tunnels are not tied to a specific passenger or transport protocol, but in this case carry IPv6 as the passenger protocol

More information

PPPoE Smart Server Selection

PPPoE Smart Server Selection The feature allows service providers to determine which Broadband Remote Access Server (BRAS) a PPP call will terminate on. The feature allows you to configure a specific PPP over Ethernet (PPPoE) Active

More information

Dynamic Bandwidth Sharing

Dynamic Bandwidth Sharing The Cisco cbr series router enables dynamic bandwidth sharing (DBS) on integrated cable (IC) and wideband (WB) cable interfaces. Finding Feature Information Your software release may not support all the

More information

Configuring Local Policies

Configuring Local Policies Finding Feature Information, on page 1 Restrictions for, on page 1 Information About, on page 2 How to Configure Local Policies, on page 3 Monitoring Local Policies, on page 8 Examples: Local Policies

More information

Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon

Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon Intelligent Services Gateway (ISG) is a Cisco software feature set that provides a structured framework in which

More information

PPPoE Smart Server Selection

PPPoE Smart Server Selection The feature allows service providers to determine which Broadband Remote Access Server (BRAS) a PPP call will terminate on. The feature allows you to configure a specific PPP over Ethernet (PPPoE) Active

More information

Call Flows for 3G and 4G Mobile IP Users

Call Flows for 3G and 4G Mobile IP Users This chapter provides various call flows for 3G and 4G mobile IP users, and contains the following sections: Finding Feature Information, on page 1 3G DHCP Discover Call Flow, on page 1 4G DHCP Discover

More information

Configuring Local Authentication and Authorization

Configuring Local Authentication and Authorization Configuring Local Authentication and Authorization Finding Feature Information, page 1 How to Configure Local Authentication and Authorization, page 1 Monitoring Local Authentication and Authorization,

More information

Flexible NetFlow Full Flow support

Flexible NetFlow Full Flow support Flexible NetFlow Full Flow support Last Updated: January 29, 2013 The Flexible NetFlow - Full Flow support feature enables Flexible NetFlow to collect flow records for every packet. Finding Feature Information,

More information

QoS Tunnel Marking for GRE Tunnels

QoS Tunnel Marking for GRE Tunnels The feature introduces the capability to define and control the quality of service (QoS) for both incoming and outgoing customer traffic on the provider edge (PE) router in a service provider network.

More information

Carrier Grade Network Address Translation

Carrier Grade Network Address Translation (CGN) is a large-scale NAT that translates private IPv4 addresses into public IPv4 addresses. CGN employs Network Address and Port Translation methods to aggregate multiple private IPv4 addresses into

More information

BGP Policy Accounting

BGP Policy Accounting Border Gateway Protocol (BGP) policy accounting measures and classifies IP traffic that is sent to, or received from, different peers. Policy accounting is enabled on an input interface, and counters based

More information

MPLS VPN Inter-AS with ASBRs Exchanging VPN-IPv4 Addresses

MPLS VPN Inter-AS with ASBRs Exchanging VPN-IPv4 Addresses MPLS VPN Inter-AS with ASBRs Exchanging VPN-IPv4 Addresses The Multiprotocol Label Switching (MPLS) VPN Inter-AS with Autonomous System Boundary Routers (ASBRs) Exchanging VPN-IPv4 Addresses feature allows

More information

Port-Level Shaping and Minimum Bandwidth Guarantee

Port-Level Shaping and Minimum Bandwidth Guarantee Port-Level Shaping and Minimum Bandwidth Guarantee This document explains the Port-Level Shaping and Minimum Bandwidth Guarantee feature. The port-level shaping part of this feature allows you to configure

More information

Marking Network Traffic

Marking Network Traffic Marking network traffic allows you to set or modify the attributes for traffic (that is, packets) belonging to a specific class or category. When used in conjunction with network traffic classification,

More information

Configuring SDM Templates

Configuring SDM Templates Finding Feature Information, on page 1 Information About, on page 1 How to Configure SDM Templates, on page 3 Monitoring and Maintaining SDM Templates, on page 4 Configuration Examples for SDM Templates,

More information

Encrypted Vendor-Specific Attributes

Encrypted Vendor-Specific Attributes Encrypted Vendor-Specific Attributes Last Updated: January 15, 2012 The Encrypted Vendor-Specific Attributes feature provides users with a way to centrally manage filters at a RADIUS server and supports

More information

Configuring IP SLAs TCP Connect Operations

Configuring IP SLAs TCP Connect Operations This module describes how to configure an IP Service Level Agreements (SLAs) TCP Connect operation to measure the response time taken to perform a TCP Connect operation between a Cisco router and devices

More information

Match-in-VRF Support for NAT

Match-in-VRF Support for NAT The feature supports Network Address Translation (NAT) of packets that communicate between two hosts within the same VPN routing and forwarding (VRF) instance. In intra-vpn NAT, both the local and global

More information

FPG Endpoint Agnostic Port Allocation

FPG Endpoint Agnostic Port Allocation When the Endpoint Agnostic Port Allocation feature is configured, an entry is added to the Symmetric Port Database. If the entry is already available, the port listed in the Symmetric Port Database is

More information

URI-Based Dialing Enhancements

URI-Based Dialing Enhancements The feature describes the enhancements made to Uniform Resource Identifier (URI)-based dialing on Cisco Unified Border Element (Cisco UBE) for Session Initiation Protocol (SIP) calls. The feature includes

More information

Configuring a Load-Balancing Scheme

Configuring a Load-Balancing Scheme This module contains information about Cisco Express Forwarding and describes the tasks for configuring a load-balancing scheme for Cisco Express Forwarding traffic. Load-balancing allows you to optimize

More information

QoS: Child Service Policy for Priority Class

QoS: Child Service Policy for Priority Class QoS: Child Service Policy for Priority Class First Published: November, 2006 Last Updated: March 2, 2009 The QoS: Child Service Policy for Priority Class feature allows you to configure a child service

More information

SIP ALG Resilience to DoS Attacks

SIP ALG Resilience to DoS Attacks The feature provides protection against Session Initiation Protocol (SIP) application layer gateway (ALG) denial of service (DoS) attacks. This feature supports a configurable lock limit, a dynamic blacklist,

More information

Manually Configured IPv6 over IPv4 Tunnels

Manually Configured IPv6 over IPv4 Tunnels This feature provides support for manually configured IPv6 over IPv4 tunnels. A manually configured tunnel is equivalent to a permanent link between two IPv6 domains over an IPv4 backbone. Finding Feature

More information

Configuring System MTU

Configuring System MTU Finding Feature Information, page 1 Restrictions for System MTU, page 1 Information about the MTU, page 2 How to Configure System MTU, page 3 Configuration Examples for System MTU, page 4 Additional References

More information

DHCP Relay Server ID Override and Link Selection Option 82 Suboptions

DHCP Relay Server ID Override and Link Selection Option 82 Suboptions DHCP Relay Server ID Override and Link Selection Option 82 Suboptions The DHCP Relay Server ID Override and Link Selection Option 82 Suboptions feature enables the relay agent to be part of all Dynamic

More information

IP over IPv6 Tunnels. Information About IP over IPv6 Tunnels. GRE IPv4 Tunnel Support for IPv6 Traffic

IP over IPv6 Tunnels. Information About IP over IPv6 Tunnels. GRE IPv4 Tunnel Support for IPv6 Traffic IPv6 supports IP over IPv6 tunnels, which includes the following: Generic routing encapsulation (GRE) IPv4 tunnel support for IPv6 traffic IPv6 traffic can be carried over IPv4 GRE tunnels using the standard

More information

URI-Based Dialing Enhancements

URI-Based Dialing Enhancements The feature describes the enhancements made to Uniform Resource Identifier (URI)-based dialing on Cisco Unified Border Element (Cisco UBE) for Session Initiation Protocol (SIP) calls. The feature includes

More information

Configuring the Cisco Discovery Protocol

Configuring the Cisco Discovery Protocol Finding Feature Information, page 1 Information About CDP, page 1 How to Configure CDP, page 3 Monitoring and Maintaining CDP, page 11 Additional References, page 12 Feature History and Information for

More information

Protection Against Distributed Denial of Service Attacks

Protection Against Distributed Denial of Service Attacks Protection Against Distributed Denial of Service Attacks The Protection Against Distributed Denial of Service Attacks feature provides protection from Denial of Service (DoS) attacks at the global level

More information

Marking Network Traffic

Marking Network Traffic Marking network traffic allows you to set or modify the attributes for traffic (that is, packets) belonging to a specific class or category. When used in conjunction with network traffic classification,

More information

Exclusive Configuration Change Access and Access Session Locking

Exclusive Configuration Change Access and Access Session Locking Exclusive Configuration Change Access and Access Session Locking Exclusive Configuration Change Access (also called the Configuration Lock feature) allows you to have exclusive change access to the Cisco

More information

QoS Policy Propagation via BGP

QoS Policy Propagation via BGP The feature allows you to classify packets by IP precedence based on the Border Gateway Protocol (BGP) community lists, BGP autonomous system paths, and access lists. After packets have been classified,

More information

Classifying and Marking MPLS EXP

Classifying and Marking MPLS EXP The QoS EXP Matching feature allows you to classify and mark network traffic by modifying the Multiprotocol Label Switching (MPLS) experimental bits (EXP) field in IP packets. This module contains conceptual

More information

Proxy Mobile IPv6 Support for MAG Functionality

Proxy Mobile IPv6 Support for MAG Functionality The feature provides network-based IP Mobility management to a mobile node (MN) without requiring the participation of the mobile node in any IP Mobility-related signaling. The Mobile Access Gateway (MAG)

More information

Cisco Discovery Protocol Version 2

Cisco Discovery Protocol Version 2 Cisco Discovery Protocol (formerly known as CDP) is a Layer 2, media-independent, and network-independent protocol that runs on Cisco devices and enables networking applications to learn about directly

More information

Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging

Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging Intelligent Services Gateway (ISG) is a software feature set that provides a structured framework in which edge devices

More information

Configuring Access Point Groups

Configuring Access Point Groups Finding Feature Information, page 1 Prerequisites for Configuring AP Groups, page 1 Restrictions for, page 2 Information About Access Point Groups, page 2 How to Configure Access Point Groups, page 4 Additional

More information

BGP Policy Accounting Output Interface Accounting

BGP Policy Accounting Output Interface Accounting BGP Policy Accounting Output Interface Accounting Last Updated: November 2, 2011 Border Gateway Protocol (BGP) policy accounting (PA) measures and classifies IP traffic that is sent to, or received from,

More information

Configuring Embedded Resource Manager-MIB

Configuring Embedded Resource Manager-MIB The Embedded Resource Manager (ERM)-MIB feature introduces MIB support for the ERM feature. The ERM feature tracks resource usage information for every registered resource owner and resource user. The

More information

Configuring Access Point Groups

Configuring Access Point Groups Finding Feature Information, page 1 Prerequisites for Configuring AP Groups, page 1 Restrictions for, page 2 Information About Access Point Groups, page 2 How to Configure Access Point Groups, page 3 Additional

More information

The ISG RADIUS Proxy Support for Mobile Users Hotspot Roaming and Accounting Start Filtering feature

The ISG RADIUS Proxy Support for Mobile Users Hotspot Roaming and Accounting Start Filtering feature ISG RADIUS Proxy Support for Mobile Users Hotspot Roaming and Accounting Start Filtering The ISG RADIUS Proxy Support for Mobile Users Hotspot Roaming and Accounting Start Filtering feature allows the

More information

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 zone-based firewalls support the Protection of Distributed Denial of Service Attacks and the Firewall

More information

Configuring IP SLAs ICMP Echo Operations

Configuring IP SLAs ICMP Echo Operations This module describes how to configure an IP Service Level Agreements (SLAs) Internet Control Message Protocol (ICMP) Echo operation to monitor end-to-end response time between a Cisco router and devices

More information

Regulating Packet Flow on a Per-Interface Basis Using Generic Traffic Shaping

Regulating Packet Flow on a Per-Interface Basis Using Generic Traffic Shaping Regulating Packet Flow on a Per-Interface Basis Using Generic Traffic Shaping Packet flow on a network can be regulated using a traffic shaping mechanism. One such traffic shaping mechanism is a Cisco

More information

Configuring IP SLAs UDP Echo Operations

Configuring IP SLAs UDP Echo Operations This module describes how to configure an IP Service Level Agreements (SLAs) User Datagram Protocol (UDP) Echo operation to monitor end-to-end response time between a Cisco device and devices using IPv4

More information

BGP AS-Override Split-Horizon

BGP AS-Override Split-Horizon The feature enables a Provider Edge (PE) device using split-horizon to avoid advertisement of routes propagated by a Customer Edge (CE) device to the same CE device. The BGP AS-Override Split-Horizon feature

More information

Configuring IP Multicast over Unidirectional Links

Configuring IP Multicast over Unidirectional Links Configuring IP Multicast over Unidirectional Links IP multicast requires bidirectional communication, yet some networks include broadcast satellite links, which are unidirectional. Unidirectional link

More information

IPv6 Routing: RIP for IPv6

IPv6 Routing: RIP for IPv6 IPv6 Routing Information Protocol (RIP) functions the same and offers the same benefits as IPv4 RIP. RIP enhancements for IPv6, detailed in RFC 2080, include support for IPv6 addresses and prefixes and

More information

Add Path Support in EIGRP

Add Path Support in EIGRP The feature enables hubs in a single Dynamic Multipoint VPN (DMVPN) domain to advertise multiple best paths to connected spokes when the Enhanced Interior Gateway Routing Protocol (EIGRP) is the routing

More information