GPRS Tunneling Protocol V2 Support


General Packet Radio Service (GPRS) Tunneling Protocol Version 2 (GTPv2) is introduced by the 3rd Generation Partnership Project (3GPP) Technical Specification (TS) 29.274, which modifies and enhances the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 enhances the GTP Application Inspection and Control (AIC) policies to provide security for subscriber data. This module describes how to configure GTPv2 on a zone-based policy firewall.

Contents

Finding Feature Information
Restrictions for GPRS Tunneling Protocol V2 Support
Information About GPRS Tunneling Protocol V2 Support
How to Configure GPRS Tunneling Protocol V2 Support
Configuration Examples for GPRS Tunneling Protocol V2 Support
Additional References for GPRS Tunneling Protocol V2 Support
Feature Information for GPRS Tunneling Protocol V2 Support

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for GPRS Tunneling Protocol V2 Support

- The limit for the number of match statements in a Layer 7 class map is 64.
- The limit for the number of classes (including the default class) in a Layer 7 policy map is 255.
- The limit for the number of characters in a pattern string for a regular expression (regex) parameter map is 245.
- The data path supports up to 512 regular expressions.
- No statistics are available for the match command. Statistics are available only for packets and bytes in a class.
- 3GPP Technical Specification 29.274 releases 8 and 9 are not compatible with GPRS Tunneling Protocol Version 2 (GTPv2).

Information About GPRS Tunneling Protocol V2 Support

GTPv2 Overview

General Packet Radio Service (GPRS) Tunneling Protocol Version 2 (GTPv2), also known as evolved packet services GTP or egtp, is modified and enhanced from the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 has two flavors, a control plane protocol (GTPv2-C) and a user plane protocol (GTPv2-U). GTPv2 is primarily used for control signaling between the Serving Gateway (SGW) and the Packet Data Network (PDN) Gateway (PGW) in an Evolved Packet Core (EPC) network.

The 3rd-Generation Partnership Project (3GPP) develops globally acceptable specifications for 3rd-Generation (3G) mobile systems. GPRS integrates with the existing Global System for Mobile Communication (GSM) networks and provides always-on packet-switched data services to corporate networks and the Internet.

For more information on GTPv0 and GTPv1, see the Configuring GPRS Tunneling Protocol Support chapter in the Security Configuration Guide: Zone-Based Policy Firewall.

Figure 1: General Format of the GTPv2-C Header

Figure 2: Format of Echo and Version Not Supported Message

GTPv2-C Header

The usage of the GTPv2-C header for EPC-specific interfaces is defined below:

Octet 1: Octet 1 carries the Version field (bits 8 through 6), which is set to decimal 2 (binary 010). If the T flag (bit 4) is set to 1, the Tunnel Endpoint Identifier (TEID) field immediately follows the Length field, in octets 5 through 8. The P flag (Piggybacking Support) is not supported.

Octet 2: Octet 2 represents the Message Type field. This field supports GTPv2-C message type values.

Octets 3-4: Octets 3 and 4 represent the Length field. This is the length of the message in octets, excluding the mandatory part of the GTPv2-C header (the first 4 octets).

Octets 5-8: Octets 5 through 8 represent the Tunnel Endpoint Identifier (TEID) field if the T flag is set in the first octet.

Octets 9-10: Octets 9 and 10 represent the Sequence Number field if the TEID is present. If the TEID field is not present, the Sequence Number field is contained in octets 5 and 6.

Octets 11-12: Octets 11 and 12 are two spare octets that follow the Sequence Number field.

Note: Apart from the following messages, all other GTPv2-C messages contain the TEID in their headers:
- Echo Request
- Echo Response
- Version Not Supported Indication

Figure 3: General Format of GTPv2 Message for Control Plane

Stateful Inspection

Stateful inspection, also referred to as dynamic packet filtering, examines a packet based on the information in its header and tracks and validates each connection to which a firewall is connected. During stateful inspection, firewalls close ports until a connection request to a specific port is received.

A global database is built on the GTP Application Inspection and Control (AIC) policies for stateful inspection of the GTPv2 traffic. When GTPv2 messages traverse the zone-based firewall, GTP AIC policies inspect messages based on the Packet Data Protocol (PDP) context database. Packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed to the control plane.

Information Elements

A GTP header contains a number of optional fields called Information Elements (IEs). An IE may be present in a GTP protocol data unit (PDU). The IE may be included in a message header. An IE is identified by an IE type and an instance value. The combination of IE type and instance value uniquely identifies an IE in a message. Grouped IEs contain more than one IE and have a 4-octet IE header. Each IE within a grouped IE also has a 4-octet IE header. The IE format in GTPv2 is TLIV (Type, Length, Instance, Value) encoded. The length value of a grouped IE is the total length of the embedded IEs.

Figure 4: General Format of an Information Element (IE) in a GTPv2-C Message

Octet 1: Octet 1 represents the IE Type field. The IE Type field supports GTPv2-C IE type values.

Octets 2-3: Octets 2 and 3 represent the length of the IE, excluding the Type and the Length fields.

Octet 4: Octet 4 represents the instance number (bits 4 through 1) of the IE.

Octets 5-n: Octets 5 through n represent the actual data contained in the IE.

How to Configure GPRS Tunneling Protocol V2 Support

GPRS Tunneling Protocol Version 2 (GTPv2) support is configured using the zone-based firewall structure of policies and class maps. Because the GTPv2 and GTPv1 protocols share the same destination port, Layer 4 class maps cannot distinguish GTPv2 from GTPv1; the two are classified by Layer 7 class maps.

Configuring a Parameter Map for GPRS Tunneling Protocol V2 Support

SUMMARY STEPS

1. enable
2. configure terminal
3. parameter-map type regex parameter-map-name
4. pattern expression
5. exit
6. parameter-map type inspect-global gtp
7. gtpv2 {request-queue elements | tunnel-limit tunnels}
8. end
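Before the configuration procedures, here is an added worked example (not part of this Cisco guide) that decodes the GTPv2-C header and TLIV Information Elements described above and rejects anything that is not version 2, which is the same distinction the Layer 7 class map draws with match version 2. It assumes the 3GPP TS 29.274 message type values for Echo Request (1), Echo Response (2) and Version Not Supported Indication (3), a 3-octet sequence number followed by one spare octet, and an IE length that excludes the whole 4-octet IE header; the sample packets are constructed, not captured.

```python
import struct
from collections import namedtuple

# Message types that carry no TEID (values per 3GPP TS 29.274; names from the guide).
NO_TEID_TYPES = {1, 2, 3}  # Echo Request, Echo Response, Version Not Supported Indication
GROUPED_IE_TYPES = {93}    # Bearer Context: a grouped IE whose value is more TLIV IEs
IE = namedtuple("IE", "ie_type instance value children")

def gtp_version(pkt: bytes) -> int:
    """Version is bits 8-6 of octet 1: 1 for GTPv1, 2 for GTPv2 (both share the UDP port)."""
    return pkt[0] >> 5

def parse_ies(buf: bytes) -> list:
    """Walk TLIV IEs; the value of a grouped IE is parsed recursively."""
    ies, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated IE header")
        ie_type, length, inst = struct.unpack_from("!BHB", buf, off)
        end = off + 4 + length  # assumption: length excludes the 4-octet IE header
        if end > len(buf):
            raise ValueError(f"IE type {ie_type}: length {length} overruns the message")
        value = buf[off + 4:end]
        children = parse_ies(value) if ie_type in GROUPED_IE_TYPES else []
        ies.append(IE(ie_type, inst & 0x0F, value, children))  # instance is bits 4-1
        off = end
    return ies

def parse_gtpv2c(pkt: bytes) -> dict:
    """Decode a GTPv2-C message, enforcing the header rules described in the guide."""
    if len(pkt) < 8:
        raise ValueError("shorter than the minimum GTPv2-C header")
    flags, msg_type, length = struct.unpack_from("!BBH", pkt, 0)
    if gtp_version(pkt) != 2:
        raise ValueError(f"not GTPv2 (version {gtp_version(pkt)})")
    if flags & 0x10:  # P flag (bit 5): piggybacking is not supported
        raise ValueError("piggybacked message")
    if len(pkt) != 4 + length:  # Length excludes the first 4 octets
        raise ValueError(f"length field {length} does not match {len(pkt)}-byte packet")
    off, teid = 4, None
    if flags & 0x08:  # T flag (bit 4): TEID follows the Length field
        teid, off = struct.unpack_from("!I", pkt, 4)[0], 8
    elif msg_type not in NO_TEID_TYPES:
        raise ValueError(f"message type {msg_type} must carry a TEID")
    seq = int.from_bytes(pkt[off:off + 3], "big")  # assumption: 3-octet sequence number, then 1 spare
    return {"type": msg_type, "teid": teid, "seq": seq, "ies": parse_ies(pkt[off + 4:])}

def decode_apn(value: bytes) -> str:
    """An APN IE value is a run of length-prefixed labels, like a DNS name."""
    labels, off = [], 0
    while off < len(value):
        labels.append(value[off + 1:off + 1 + value[off]].decode("ascii"))
        off += 1 + value[off]
    return ".".join(labels)

# Constructed sample packets (not captures).
ECHO_REQ = bytes.fromhex("40010009" "00002a00" "0300010005")  # no TEID, seq 42, Recovery IE
CREATE_SESSION = bytes.fromhex(
    "48200023" "00000000" "00000100"              # T flag set, TEID 0, seq 1
    "47000e00" "0361706e05636973636f03636f6d"     # APN IE (type 71): apn.cisco.com
    "5d000500" "4900010005")                       # Bearer Context (93) holding EPS Bearer ID (73)
GTPV1_ECHO = bytes.fromhex("32010000" "00000000")  # GTPv1 Echo Request on the same port
```

The APN value is what a regex parameter map such as pattern apn.cisco.com is matched against once the firewall has parsed the message this far.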

DETAILED STEPS

Step 1: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3: parameter-map type regex parameter-map-name
  Example: Device(config)# parameter-map type regex PARAM-REG
  Purpose: Configures a regex parameter-map type to match a specific traffic pattern and enters parameter map type configuration mode.

Step 4: pattern expression
  Example: Device(config-profile)# pattern apn.cisco.com
  Purpose: Configures a matching pattern that specifies a list of domains, URL keywords, or URL meta-characters that should be allowed or blocked by local URL filtering.

Step 5: exit
  Example: Device(config-profile)# exit
  Purpose: Exits parameter map type configuration mode and returns to global configuration mode.

Step 6: parameter-map type inspect-global gtp
  Example: Device(config)# parameter-map type inspect-global gtp
  Purpose: Configures an inspect-type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action and enters parameter map type configuration mode.

Step 7: gtpv2 {request-queue elements | tunnel-limit tunnels}
  Example: Device(config-profile)# gtpv2 request-queue 429496
  Purpose: Configures inspection parameters for GTP.

Step 8: end
  Example: Device(config-profile)# end
  Purpose: Exits parameter-map type inspect mode and returns to privileged EXEC mode.

The following is sample output from the show parameter-map type command:

Device# show parameter-map type inspect-global gtp
parameter-map type inspect-global gtp
  gtp request-queue 40000 (default)
  gtp tunnel-limit 40000 (default)
  gtp pdp-context timeout 300 (default)
  gtp request-queue timeout 60 (default)
  permit-error Disable (default)
  gtpv2 request-queue 429496729
  gtpv2 tunnel-limit 42949672

Configuring a Class Map and a Policy Map for GPRS Tunneling Protocol V2 Support

SUMMARY STEPS

1. enable
2. configure terminal
3. class-map type inspect protocol-name {match-any | match-all} class-map-name
4. match {apn regex parameter-name | mcc country-code mnc network-code | message-length | msisdn regex parameter-name | version number}
5. exit
6. policy-map type inspect protocol-name policy-map-name
7. class type inspect protocol-name class-map-name
8. inspect
9. service-policy protocol-name policy-map
10. end

DETAILED STEPS

Step 1: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3: class-map type inspect protocol-name {match-any | match-all} class-map-name
  Example: Device(config)# class-map type inspect gtpv1 match-any gtpv2-cl7-1
  Purpose: Creates a Layer 7 (application-specific) inspect-type class map and enters class map configuration mode.

Step 4: match {apn regex parameter-name | mcc country-code mnc network-code | message-length | msisdn regex parameter-name | version number}
  Example: Device(config-cmap)# match version 2
  Purpose: Configures the classification criteria for the inspect-type class map for GTP.

Step 5: exit
  Example: Device(config-cmap)# exit
  Purpose: Exits class map configuration mode and returns to global configuration mode.

Step 6: policy-map type inspect protocol-name policy-map-name
  Example: Device(config)# policy-map type inspect gtpv1 gtpv2-policy-map
  Purpose: Creates a Layer 7 (protocol-specific) inspect-type policy map and enters policy map configuration mode.

Step 7: class type inspect protocol-name class-map-name
  Example: Device(config-pmap)# class type inspect gtpv1 gtpv2-cl7-1
  Purpose: Specifies the traffic (class) on which an action is to be performed and enters policy-map class configuration mode.

Step 8: inspect
  Example: Device(config-pmap-c)# inspect
  Purpose: Enables stateful packet inspection.

Step 9: service-policy protocol-name policy-map
  Example: Device(config-pmap-c)# service-policy gtpv1 gtpv2-policy-map
  Purpose: Attaches a Layer 7 policy map to the top-level Layer 3 or Layer 4 policy map.

Step 10: end
  Example: Device(config-pmap-c)# end
  Purpose: Exits policy-map class configuration mode and returns to privileged EXEC mode.

Configuring Zones and Zone Pairs for GPRS Tunneling Protocol V2 Support

SUMMARY STEPS

1. enable
2. configure terminal
3. zone security {zone-name | default}
4. exit
5. zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}
6. service-policy type inspect policy-map-name
7. exit
8. interface type number
9. zone-member security zone-name
10. end

DETAILED STEPS

Step 1: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3: zone security {zone-name | default}
  Example: Device(config)# zone security z1
           Device(config)# zone security z2
  Purpose: Creates a security zone to which interfaces can be assigned and enters security zone configuration mode.
  Note: To create a security zone pair, you must configure two security zones (z1 and z2) to which interfaces can be assigned.

Step 4: exit
  Example: Device(config-sec-zone)# exit
  Purpose: Exits security zone configuration mode and returns to global configuration mode.

Step 5: zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}
  Example: Device(config)# zone-pair security clt2srv1 source z1 destination z2
  Purpose: Creates a security zone pair and enters security zone-pair configuration mode.
  Note: To apply a policy, you must configure a zone pair.

Step 6: service-policy type inspect policy-map-name
  Example: Device(config-sec-zone-pair)# service-policy type inspect gtpv2-policy-map
  Purpose: Attaches a firewall policy map to the destination zone pair.
  Note: If a policy is not configured between a pair of security zones, traffic is dropped by default.

Step 7: exit
  Example: Device(config-sec-zone-pair)# exit
  Purpose: Exits security zone-pair configuration mode and returns to global configuration mode.

Step 8: interface type number
  Example: Device(config)# interface gigabitethernet 0/0/0
  Purpose: Configures an interface and enters interface configuration mode.

Step 9: zone-member security zone-name
  Example: Device(config-if)# zone-member security z1
  Purpose: Assigns an interface to a specified security zone.
  Note: When you make an interface a member of a security zone, all traffic in and out of that interface (except traffic bound for the device or initiated by the device) is dropped by default. To let traffic through the interface, you must make the zone part of a zone pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface.

Step 10: end
  Example: Device(config-if)# end
  Purpose: Exits interface configuration mode and returns to privileged EXEC mode.

Configuration Examples for GPRS Tunneling Protocol V2 Support

Configuring GPRS Tunneling Protocol V2 Support

The following example shows how to configure GTPv2 support:

Device> enable
Device# configure terminal
Device(config)# parameter-map type regex PARAM-REG
Device(config-profile)# pattern apn.cisco.com
Device(config-profile)# exit
Device(config)# parameter-map type inspect-global
Device(config-profile)# gtpv2 tunnel-limit 100
Device(config-profile)# exit
Device(config)# class-map type inspect gtpv1 match-any gtpv2-cl7-1
Device(config-cmap)# match version 2
Device(config-cmap)# exit
Device(config)# policy-map type inspect gtpv1 gtpv2-policy-map
Device(config-pmap)# class type inspect gtpv1 gtpv2-cl7-1
Device(config-pmap-c)# inspect
Device(config-pmap-c)# service-policy gtpv1 gtpv2-policy-map
Device(config-pmap)# end

Configuring Zones and Zone Pairs for GPRS Tunneling Protocol V2 Support

The following example shows how to configure zones and zone pairs for GTPv2:

Device> enable
Device# configure terminal
Device(config)# zone security z1
Device(config-sec-zone)# exit
Device(config)# zone-pair security clt2srv1 source z1 destination z2
Device(config-sec-zone-pair)# service-policy type inspect gtpv2-policy-map
Device(config-sec-zone-pair)# exit
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# ip address 5.0.0.1 255.255.255.0
Device(config-if)# zone-member security z1
Device(config-if)# exit
Device(config)# interface gigabitethernet0/0/2
Device(config-if)# ip address 4.0.0.1 255.255.255.0
Device(config-if)# zone-member security z2
Device(config)# end

Additional References for GPRS Tunneling Protocol V2 Support

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Command List, All Releases

Related Topic: Security commands
Document Titles:
- Security Command Reference: Commands A to C
- Security Command Reference: Commands D to L
- Security Command Reference: Commands M to R
- Security Command Reference: Commands S to Z

Related Topic: Security configuration
Document Title: Security Configuration Guide: Zone-Based Policy Firewall

Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support

Feature Information for GPRS Tunneling Protocol V2 Support

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1: Feature Information for GPRS Tunneling Protocol Version 2 Support

Feature Name: GTPv2 Support
Releases: Cisco IOS XE Release 3.9S
Feature Information: The GTPv2 Support feature is introduced by the 3rd-Generation Partnership Project (3GPP) TS 29.274, which modifies and enhances the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 enhances the GTP Application Inspection and Control (AIC) policies to provide security for subscriber data. This module describes how to configure GTPv2 on a zone-based policy firewall. The following commands were introduced or modified: show parameter-map type inspect-global, zone-pair security.
