Lab Guide
Text Part Number: ePDG3D_2-1
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website
at www.cisco.com/go/offices.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks
of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks. Third party company names, trademarks, and logos referenced in these materials are the
property of their respective owners and their use does not constitute or imply an endorsement, sponsorship, affiliation,
association or approval by the third parties of these materials or with Cisco. The use of the word partner does not imply a
partnership relationship between Cisco and any other company.
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS" AND AS SUCH MAY INCLUDE
TYPOGRAPHICAL, GRAPHICS, OR FORMATTING ERRORS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES
IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY
OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY
DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT
AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE
PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls
subject to the disclaimer above.
Cisco Learning Services (www.cisco.com/go/cls)
Contents
Overview for All Labs
Command Syntax Reference
Lab 1: Configuring the ASR 5000 for ePDG Operation (GTP Connection to PGW)
  Task 1: Creating Contexts
  Task 2: Configuring the IPv4 SWu Interface on the ePDG
  Task 3: Configuring the IPv4 SWm Interface on the ePDG
  Task 4: Configuring the S2b IPv4 GTP Interface on the ePDG
  Task 5: Creating a DIAMETER Connection to the AAA Server
  Task 6: Configure an EAP Profile
  Task 7: Configure IPSec Transforms and Crypto Template
  Task 8: Creating the ePDG Service
  Task 9: Creating the GTP Services
  Task 10: Creating a DNS Client
  Task 11: Saving and Testing the Configuration
Lab 2: Configuring the ASR 5500 for ePDG Operation (GTP Connection to PGW)
  Task 1: Creating Contexts
  Task 2: Configuring the IPv4 SWu Interface on the ePDG
  Task 3: Configuring the IPv4 SWm Interface on the ePDG
  Task 4: Configuring the S2b IPv4 GTP Interface on the ePDG
  Task 5: Creating a DIAMETER Connection to the AAA Server
  Task 6: Configure an EAP Profile
  Task 7: Configure IPSec Transforms and Crypto Template
  Task 8: Creating the ePDG Service
  Task 9: Creating the GTP Services
  Task 10: Creating a DNS Client
  Task 11: Saving and Testing the Configuration
Required Resources
The following resources and equipment are required for completing the activities in this
lab guide:
- Laptop or notebook computer with:
  - Terminal emulation program (such as PuTTY, available at
    http://www.chiark.greenend.org.uk/~sgtatham/putty/) capable of Telnet or SSH
  - 10/100 Base-T Ethernet interface
- Access to the Internet
Overview for All Labs
Command Syntax Reference
brackets ([ ])       Indicates an optional element. You can choose one of the options.
                     Example: (config-if)# frame-relay lmi-type {ansi|cisco|q933a}
italics font         Arguments for which you supply values are in italics.
                     Example: Open file ip tcp window-size bytes
angle brackets (<>)  In contexts that do not allow italics, arguments for which you supply
                     values are enclosed in angle brackets (<>). Do not type the brackets
                     when entering the command.
                     Example: If the command syntax is ping <ip_address>, you enter
                     ping 192.32.10.12
vertical line (|)    Indicates that you enter one of the choices. The vertical line
                     separates choices. Do not type the vertical line when entering the
                     command.
                     Example: If the command syntax is show ip route|arp, you enter
                     either show ip route or show ip arp, but not both.
Lab 1: Configuring the ASR 5000 for ePDG Operation (GTP Connection to PGW)
Description
The ePDG configuration that you are going to build is illustrated below. The following
instructions show you how this is put together, piece by piece.
Visual Objective
Activity Objective
In this activity, you will learn how to build the configuration shown above.
Task 1: Creating Contexts
Task Data
The table below lists the names of the contexts, depending on your team number. Use this
table and the directions below to create the correct contexts.
Activity Procedure
Complete these steps:
Step 1 Verify that you are at the Exec mode prompt and in the local context.
Enter global configuration mode and create the PDGin context for your
team:
config
context PDGin-x (where x is your team number)
Step 2 After confirming the context creation, you are placed into the context
configuration sub-mode. Exit this mode so you can create another
context:
exit
Task 2: Configuring the IPv4 SWu Interface on the ePDG
Activity Procedure
Complete these steps:
Step 1 It is through the SWu interface that the WLAN-connected UE initially
contacts the ePDG. Go into context configuration sub-mode for the
ingress context:
configure
context <PDGin context of your team>
Step 2 Create a loopback interface that will be bound to the ePDG service.
From the UE’s perspective, this will be the address to which it forms an
IPSec tunnel.
Step 3 Using the table and commands below, create the low-level SWu
interface for your team. It is through this interface that the UE will be
attempting to connect to the loopback address.
Team IP address/mask
1 192.168.10.141/24
2 192.168.10.142/24
3 192.168.10.143/24
4 192.168.10.144/24
5 192.168.10.145/24
6 192.168.10.146/24
Step 5 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag on the port. Use the portion of the table below that is relevant
to your team number:
port ethernet <slot#/port#>
description <port description>
no shutdown
vlan 10
no shutdown
bind interface <logical int name> <logical interface context>
end
Task 3: Configuring the IPv4 SWm Interface on the ePDG
Activity Procedure
Complete these steps:
Step 1 The SWm interface connects the ePDG to the AAA server. Enter Global
Configuration Mode and then go into the context configuration sub-
mode for the ingress context:
configure
context <PDGin context of your team>
Step 2 Create a loopback interface that will be used as the source address for
communication with the 3GPP AAA server.
Step 4 Using the table and commands below, create the low-level SWm
interface for your team.
Team IP address/mask
1 135.2.214.111/24
2 135.2.214.112/24
3 135.2.214.113/24
4 135.2.214.114/24
5 135.2.214.115/24
6 135.2.214.116/24
Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag. Use the portion of the table below that is relevant to your
team number:
port ethernet <slot#/port#>
vlan 214
no shutdown
bind interface <logical int name> <logical int context>
end
Task 4: Configuring the S2b IPv4 GTP Interface on the ePDG
Activity Procedure
Complete these steps:
Step 1 This interface connects the ePDG to the PGW, through an IPv4 tunnel.
Enter Global Configuration Mode, and then the Context Configuration
sub-mode for the PDGout context of your team:
configure
context <PDGout context of your team>
Step 2 Create a loopback interface that will be used for S2b purposes. This will
be the source address of GTP messages sent from the ePDG to the
PGW.
interface S2B-LOOP-x loopback (where x is your team number)
Step 4 Using the table and commands below, create the low-level S2b interface
for your team. This is the interface through which traffic will flow to
get to the loopback address.
Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous steps to
the vlan tag. Use the portion of the table below that is relevant to your
team:
port ethernet <slot#/port#>
vlan 4
no shutdown
bind interface <logical int name> <logical int context>
end
Task 5: Creating a DIAMETER Connection to the AAA Server
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 In the PDGin context, create a DIAMETER endpoint for access to the
3GPP AAA server. This endpoint will use the loopback address that you
created earlier in the lab:
config
Step 2 Within the default AAA group of the PDGin context, configure the
system to use the endpoint you just created:
aaa group default
diameter authentication dictionary aaa-custom16
diameter authentication endpoint aaa-swm-teamx (where x is your team number)
diameter authentication server aaa-swm priority 1
end
Task 6: Configure an EAP Profile
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Enter Global Configuration Mode and navigate into the ingress PDG
context of your team:
configure
context PDGin-x (where x is your team number)
Task 7: Configure IPSec Transforms and Crypto Template
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Go into Global Configuration Mode and enter the context configuration
sub-mode:
configure
context PDGin-x (where x is your team number)
Step 2 Configure an IKE transform set. This will be used by the PDG during
the INIT phase of IPSec negotiation:
ikev2-ikesa transform-set ikev2-sa-set-1
encryption aes-cbc-128
prf sha1
hmac sha1-96
group 2
exit
Step 3 Configure an IPSec transform set. This will be used by the ePDG during
the AUTH phase of IPSec negotiation:
ipsec transform-set ipsec-set-1
encryption aes-cbc-128
hmac sha1-96
mode tunnel
exit
Step 4 Configure the crypto template. This will reference the authentication
profile, IKE transform set, and IPSec transform set that you just
created.
crypto template epdg-crypto-template-teamx ikev2-dynamic (where x is your team number)
authentication remote eap-profile eap-teamx (where x is your team number)
ikev2-ikesa transform-set list ikev2-sa-set-1
ikev2-ikesa rekey
payload ipsec-sa-payload match childsa match any
ipsec transform-set list ipsec-set-1
lifetime 3600
rekey keepalive
exit
nai use-received-idr
ikev2-ikesa policy error-notification
dos cookie-challenge notify-payload half-open-sess-count start 2 stop 2
ikev2-ikesa keepalive-user-activity
end
Step 5 Use these commands to verify the transforms you just created:
context <ingress context of your team>
show crypto ipsec transform-set (you should see the IPsec transform set you created)
show crypto ikev2-ikesa transform-set (you should see the IKEv2 transform set that you created)
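A configuration check a practitioner would run before saving Task 7, as an added example in Python (not from the lab guide and not StarOS code): it parses the transform sets and crypto template above as typed for team 1, flags parameters outside an assumed hardening policy (SHA-1 PRF/HMAC and DH group 2 are treated as legacy; the accepted keyword spellings such as sha2-256 and sha2-256-128 are assumed StarOS syntax), verifies that the template's transform-set references resolve to defined sets, and checks that the IKE_SA_INIT cookie challenge from Step 4 is present.

```python
import re

# Constructed sample: the Task 7 commands as typed for team 1 (x = 1), with the
# line-wrapped commands joined back onto single lines.
LAB_CONFIG = """\
ikev2-ikesa transform-set ikev2-sa-set-1
 encryption aes-cbc-128
 prf sha1
 hmac sha1-96
 group 2
 exit
ipsec transform-set ipsec-set-1
 encryption aes-cbc-128
 hmac sha1-96
 mode tunnel
 exit
crypto template epdg-crypto-template-team1 ikev2-dynamic
 authentication remote eap-profile eap-team1
 ikev2-ikesa transform-set list ikev2-sa-set-1
 ikev2-ikesa rekey
 payload ipsec-sa-payload match childsa match any
  ipsec transform-set list ipsec-set-1
  lifetime 3600
  rekey keepalive
  exit
 nai use-received-idr
 ikev2-ikesa policy error-notification
 dos cookie-challenge notify-payload half-open-sess-count start 2 stop 2
 ikev2-ikesa keepalive-user-activity
 end
"""

SET_RE = re.compile(r"^(ikev2-ikesa|ipsec) transform-set (\S+)$")
TEMPLATE_RE = re.compile(r"^crypto template (\S+) ikev2-dynamic$")
LIST_RE = re.compile(r"^(ikev2-ikesa|ipsec) transform-set list (.+)$")

# Assumed hardening policy for this example (not from the lab): SHA-1 PRF/HMAC and
# DH group 2 (1024-bit MODP) are legacy. Keyword spellings are assumed StarOS syntax.
POLICY = {
    "encryption": {"aes-cbc-128", "aes-cbc-256"},
    "prf": {"sha2-256", "sha2-384", "sha2-512"},
    "hmac": {"sha2-256-128", "sha2-384-192", "sha2-512-256"},
    "min_group": 14,
}


def parse_config(text):
    """Return (transform_sets, templates): name -> {"kind", "params"} and
    name -> {"ikev2-ikesa": [refs], "ipsec": [refs], "flags": set()}."""
    sets, templates = {}, {}
    current, kind = None, None  # kind is "set" or "template" while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SET_RE.match(line):
            current = sets.setdefault(m.group(2), {"kind": m.group(1), "params": {}})
            kind = "set"
        elif m := TEMPLATE_RE.match(line):
            current = templates.setdefault(
                m.group(1), {"ikev2-ikesa": [], "ipsec": [], "flags": set()})
            kind = "template"
        elif line == "end" or (line == "exit" and kind == "set"):
            current, kind = None, None  # in a template, 'exit' only closes the payload sub-block
        elif kind == "set":
            key, _, value = line.partition(" ")
            current["params"][key] = value
        elif kind == "template":
            if m := LIST_RE.match(line):
                current[m.group(1)].extend(m.group(2).split())
            elif line.startswith("dos cookie-challenge"):
                current["flags"].add("cookie-challenge")
        else:
            raise ValueError(f"command outside any block: {line!r}")
    return sets, templates


def lint(text, policy=POLICY):
    """Return (scope, item, value, reason) findings for the three checks."""
    sets, templates = parse_config(text)
    findings = []
    for name, ts in sets.items():
        for key, value in ts["params"].items():
            if key in ("encryption", "prf", "hmac") and value not in policy[key]:
                findings.append((name, key, value, "not in accepted list"))
            elif key == "group" and int(value) < policy["min_group"]:
                findings.append((name, key, value, f"DH group below {policy['min_group']}"))
    for name, tpl in templates.items():
        for kind in ("ikev2-ikesa", "ipsec"):
            for ref in tpl[kind]:  # a reference must name a set of the matching kind
                if sets.get(ref, {}).get("kind") != kind:
                    findings.append((name, f"{kind} transform-set", ref,
                                     "references undefined transform-set"))
        if "cookie-challenge" not in tpl["flags"]:
            findings.append((name, "dos cookie-challenge", None,
                             "no IKE_SA_INIT cookie challenge configured"))
    return findings


if __name__ == "__main__":
    print(*lint(LAB_CONFIG), sep="\n")
```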
Task 8: Creating the ePDG Service
Activity Procedure
Complete these steps:
Step 1 The ePDG service ties together many of the components you have
created up to this point. It will reference the IPSec crypto template and
loopback address. Enter Configuration Mode for the PDGin context of
your team:
configure
context PDGin-x (where x is your team number)
Step 2 Create an ePDG service and bind it to the loopback interface you
configured earlier. Also note that you are telling the system to look for
a MAG service in the PDGout context:
epdg-service epdg-svc-x (where x is your team number)
plmn id mcc 311 mnc 482
associate egtp-service egtp-svc-x (where x is your team number)
dns-pgw selection topology
bind address <SWu loopback address> crypto-template epdg-crypto-template-teamx (where x is your team number)
end
Task 9: Creating the GTP Services
Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the PDGout context of your team:
configure
context PDGout-x (where x is your team number)
Step 2 Create the GTP service which is responsible for tunneling all traffic
(user and signaling) to the PGW:
gtpu-service gtpu-svc-x (where x is your team number)
echo-interval 3600
no path-failure detection-policy
source-port standard
bind ipv4-address <IPv4 loopback address from table>
exit
Step 3 Create the EGTP service which is responsible for generating and
parsing GTP signaling traffic:
egtp-service egtp-svc-x (where x is your team number)
no gtpc path-failure detection-policy
interface-type interface-epdg-egress
associate gtpu-service gtpu-svc-x (where x is your team number)
gtpc bind ipv4-address <IPv4 loopback address from table>
end
Task 10: Creating a DNS Client
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the ingress context of your team:
configure
context PDGin-x (where x is your team number)
Step 2 Create a DNS client that will send queries to the configured name
server. Bind it to the SWu loopback address from the table below:
ip domain-lookup
ip name-server 192.168.10.4
dns-client dns-callgen
bind address <SWu loopback>
end
Task 11: Saving and Testing the Configuration
Activity Procedure
Complete these steps:
Step 1 Save your configuration. The name of your saved configuration file
should match that in the table below:
save config /flash/<config file name>
file sync
Step 4 Use this command to see your session from the perspective of the
ePDG:
show sub epdg-only all
Step 5 After a test call has succeeded, prepare to capture another call using
the monitor subscriber command:
monitor subscriber next-call
The GTP Create Session Request from the ePDG to the PGW
Step 7 Save this capture for later reference.
Step 8 This completes the lab.
Lab 2: Configuring the ASR 5500 for ePDG Operation (GTP Connection to PGW)
Description
The ePDG configuration that you are going to build is illustrated below. The following
instructions show you how this is put together, piece by piece.
Visual Objective
Activity Objective
In this activity, you will learn how to build the configuration shown above.
Task 1: Creating Contexts
Task Data
The table below lists the names of the contexts, depending on your team number. Use this
table and the directions below to create the correct contexts.
Activity Procedure
Complete these steps:
Step 1 Verify that you are at the Exec mode prompt and in the local context.
Enter global configuration mode and create the PDGin context for your
team:
config
context PDGin-x (where x is your team number)
Step 2 After confirming the context creation, you are placed into the context
configuration sub-mode. Exit this mode so you can create another
context:
exit
Task 2: Configuring the IPv4 SWu Interface on the ePDG
Activity Procedure
Complete these steps:
Step 1
Step 2 It is through the SWu interface that the WLAN-connected UE initially
contacts the ePDG. Go into context configuration sub-mode for the
ingress context:
configure
context <PDGin context of your team>
Step 3 Create a loopback interface that will be bound to the ePDG service.
From the UE’s perspective, this will be the address to which it forms an
IPSec tunnel.
Step 4 Using the table and commands below, create the low-level SWu
interface for your team. It is through this interface that the UE will be
attempting to connect to the loopback address.
Team IP address/mask
1 192.168.10.141/24
2 192.168.10.142/24
3 192.168.10.143/24
4 192.168.10.144/24
5 192.168.10.145/24
6 192.168.10.146/24
Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag on the port. Use the portion of the table below that is relevant
to your team number:
port ethernet <slot#/port#>
description <port description>
no shutdown
vlan 10
no shutdown
bind interface <logical int name> <logical interface context>
end
Task 3: Configuring the IPv4 SWm Interface on the ePDG
Activity Procedure
Complete these steps:
Step 1 The SWm interface connects the ePDG to the AAA server. Enter Global
Configuration Mode and then go into the context configuration sub-
mode for the ingress context:
configure
context <PDGin context of your team>
Step 2 Create a loopback interface that will be used as the source address for
communication with the 3GPP AAA server.
Step 4 Using the table and commands below, create the low-level SWm
interface for your team.
Team IP address/mask
1 135.2.214.111/24
2 135.2.214.112/24
3 135.2.214.113/24
4 135.2.214.114/24
5 135.2.214.115/24
6 135.2.214.116/24
Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag. Use the portion of the table below that is relevant to your
team number:
port ethernet <slot#/port#>
vlan 214
no shutdown
bind interface <logical int name> <logical int context>
end
Task 4: Configuring the S2b IPv4 GTP Interface on the ePDG
Activity Procedure
Complete these steps:
Step 1 This interface connects the ePDG to the PGW, through an IPv4 tunnel.
Enter Global Configuration Mode, and then the Context Configuration
sub-mode for the PDGout context of your team:
configure
context <PDGout context of your team>
Step 2 Create a loopback interface that will be used for S2b purposes. This will
be the source address of GTP messages sent from the ePDG to the
PGW.
interface S2B-LOOP-x loopback (where x is your team number)
Step 4 Using the table and commands below, create the low-level S2b interface
for your team. This is the interface through which traffic will flow to
get to the loopback address.
Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous steps to
the vlan tag. Use the portion of the table below that is relevant to your
team:
port ethernet <slot#/port#>
vlan 4
no shutdown
bind interface <logical int name> <logical int context>
end
Task 5: Creating a DIAMETER Connection to the AAA Server
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 In the PDGin context, create a DIAMETER endpoint for access to the
3GPP AAA server. This endpoint will use the loopback address that you
created earlier in the lab:
config
Step 2 Within the default AAA group of the PDGin context, configure the
system to use the endpoint you just created:
aaa group default
diameter authentication dictionary aaa-custom16
diameter authentication endpoint aaa-swm-teamx (where x is your team number)
diameter authentication server aaa-swm priority 1
end
Step 4 Verify that the State is ‘Open’ for each proxy server on each packet
service card (PSC).
Task 6: Configure an EAP Profile
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Enter Global Configuration Mode and navigate into the ingress PDG
context of your team:
configure
context PDGin-x (where x is your team number)
Task 7: Configure IPSec Transforms and Crypto Template
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Go into Global Configuration Mode and enter the context configuration
sub-mode:
configure
context PDGin-x (where x is your team number)
Step 2 Configure an IKE transform set. This will be used by the PDG during
the INIT phase of IPSec negotiation:
ikev2-ikesa transform-set ikev2-sa-set-1
encryption aes-cbc-128
prf sha1
hmac sha1-96
group 2
exit
Step 3 Configure an IPSec transform set. This will be used by the ePDG during
the AUTH phase of IPSec negotiation:
ipsec transform-set ipsec-set-1
encryption aes-cbc-128
hmac sha1-96
mode tunnel
exit
Step 4 Configure the crypto template. This will reference the authentication
profile, IKE transform set, and IPSec transform set that you just
created.
crypto template epdg-crypto-template-teamx ikev2-dynamic (where x is your team number)
authentication remote eap-profile eap-teamx (where x is your team number)
ikev2-ikesa transform-set list ikev2-sa-set-1
ikev2-ikesa rekey
payload ipsec-sa-payload match childsa match any
ipsec transform-set list ipsec-set-1
lifetime 3600
rekey keepalive
exit
nai use-received-idr
ikev2-ikesa policy error-notification
dos cookie-challenge notify-payload half-open-sess-count start 2 stop 2
ikev2-ikesa keepalive-user-activity
end
Step 5 Use these commands to verify the transforms you just created:
context <ingress context of your team>
show crypto ipsec transform-set (you should see the IPsec transform set you created)
show crypto ikev2-ikesa transform-set (you should see the IKEv2 transform set that you created)
Task 8: Creating the ePDG Service
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 The ePDG service ties together many of the components you have
created up to this point. It will reference the IPSec crypto template and
loopback address. Enter Configuration Mode for the PDGin context of
your team:
configure
context PDGin-x (where x is your team number)
Step 2 Create an ePDG service and bind it to the loopback interface you
configured earlier. Also note that you are telling the system to look for
a MAG service in the PDGout context:
epdg-service epdg-svc-x (where x is your team number)
plmn id mcc 311 mnc 482
associate egtp-service egtp-svc-x (where x is your team number)
dns-pgw selection topology
bind address <SWu loopback address> crypto-template epdg-crypto-template-teamx (where x is your team number)
end
Task 9: Creating the GTP Services
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the PDGout context of your team:
configure
context PDGout-x (where x is your team number)
Step 2 Create the GTP service which is responsible for tunneling all traffic
(user and signaling) to the PGW:
gtpu-service gtpu-svc-x (where x is your team number)
echo-interval 3600
no path-failure detection-policy
source-port standard
bind ipv4-address <IPv4 loopback address from table>
exit
Step 3 Create the EGTP service which is responsible for generating and
parsing GTP signaling traffic:
egtp-service egtp-svc-x (where x is your team number)
no gtpc path-failure detection-policy
interface-type interface-epdg-egress
associate gtpu-service gtpu-svc-x (where x is your team number)
gtpc bind ipv4-address <IPv4 loopback address from table>
end
Task 10: Creating a DNS Client
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the ingress context of your team:
configure
context PDGin-x (where x is your team number)
Step 2 Create a DNS client that will send queries to the configured name
server. Bind it to the SWu loopback address from the table below:
ip domain-lookup
ip name-server 192.168.10.4
dns-client dns-callgen
bind address <SWu loopback>
end
Task 11: Saving and Testing the Configuration
Activity Procedure
Complete these steps:
Step 1 Save your configuration. The name of your saved configuration file
should match that in the table below:
save config /flash/<config file name>
file sync
Step 4 Use this command to see your session from the perspective of the
ePDG:
show sub epdg-only all
Step 5 After a test call has succeeded, prepare to capture another call using
the monitor subscriber command:
monitor subscriber next-call
The GTP Create Session Request from the ePDG to the PGW
Step 7 Save this capture for later reference.
Step 8 This completes the lab.
Configuring ePDG Operation on Cisco vPC-DI (GTP Connection to PGW)
Description
The ePDG configuration that you are going to build is illustrated below. The following
instructions show you how this is put together, piece by piece.
Visual Objective
Activity Objective
In this activity, you will learn how to build the configuration shown above.
Task 1: Creating Contexts
Task Data
The table below lists the names of the contexts, depending on your team number. Use this
table and the directions below to create the correct contexts.
Activity Procedure
Complete these steps:
Step 1 Verify that you are at the Exec mode prompt and in the local context.
Enter global configuration mode and create the PDGin context for your
team:
config
context PDGin-x (where x is your team number)
Step 2 After confirming the context creation, you are placed into the context
configuration sub-mode. Exit this mode so you can create another
context:
exit
Task 2: Configuring the IPv4 SWu Interface on the ePDG
Activity Procedure
Complete these steps:
Step 1 It is through the SWu interface that the WLAN-connected UE initially
contacts the ePDG. Go into context configuration sub-mode for the
ingress context:
configure
context <PDGin context of your team>
Step 2 Create a loopback interface that will be bound to the ePDG service.
From the UE’s perspective, this will be the address to which it forms an
IPSec tunnel.
Step 3 Using the table and commands below, create the low-level SWu
interface for your team. It is through this interface that the UE will be
attempting to connect to the loopback address.
Team IP address/mask
1 192.168.10.141/24
2 192.168.10.142/24
3 192.168.10.143/24
4 192.168.10.144/24
5 192.168.10.145/24
6 192.168.10.146/24
Step 5 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag on the port. Use the portion of the table below that is relevant
to your team number:
port ethernet <slot#/port#>
description <port description>
no shutdown
vlan 10
no shutdown
bind interface <logical int name> <logical interface context>
end
Task 3: Configuring the IPv4 SWm Interface on the ePDG
Activity Procedure
Complete these steps:
Step 1 The SWm interface connects the ePDG to the AAA server. Enter Global
Configuration Mode and then go into the context configuration sub-
mode for the ingress context:
configure
context <PDGin context of your team>
Step 2 Create a loopback interface that will be used as the source address for
communication with the 3GPP AAA server.
Step 4 Using the table and commands below, create the low-level SWm
interface for your team.
Team IP address/mask
1 135.2.214.111/24
2 135.2.214.112/24
3 135.2.214.113/24
4 135.2.214.114/24
5 135.2.214.115/24
6 135.2.214.116/24
Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag. Use the portion of the table below that is relevant to your
team number:
port ethernet <slot#/port#>
vlan 214
no shutdown
bind interface <logical int name> <logical int context>
end
Task 4: Configuring the S2b IPv4 GTP Interface on the ePDG
Activity Procedure
Complete these steps:
Step 1 This interface connects the ePDG to the PGW, through an IPv4 tunnel.
Enter Global Configuration Mode, and then the Context Configuration
sub-mode for the PDGout context of your team:
configure
context <PDGout context of your team>
Step 2 Create a loopback interface that will be used for S2b purposes. This will
be the source address of GTP messages sent from the ePDG to the
PGW.
interface S2B-LOOP-x loopback (where x is your team number)
Step 4 Using the table and commands below, create the low-level S2b interface
for your team. This is the interface through which traffic will flow to
get to the loopback address.
Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous steps to
the vlan tag. Use the portion of the table below that is relevant to your
team:
port ethernet <slot#/port#>
vlan 4
no shutdown
bind interface <logical int name> <logical int context>
end
Task 5: Creating a DIAMETER Connection to the AAA Server
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 In the PDGin context, create a DIAMETER endpoint for access to the
3GPP AAA server. This endpoint will use the loopback address that you
created earlier in the lab:
config
Step 2 Within the default AAA group of the PDGin context, configure the
system to use the endpoint you just created:
aaa group default
diameter authentication dictionary aaa-custom16
diameter authentication endpoint aaa-swm-teamx (where x is your team number)
diameter authentication server aaa-swm priority 1
end
Task 6: Configure an EAP Profile
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Enter Global Configuration Mode and navigate into the ingress PDG
context of your team:
configure
context PDGin-x (where x is your team number)
Task 7: Configure IPSec Transforms and Crypto Template
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Go into Global Configuration Mode and enter the context configuration
sub-mode:
configure
context PDGin-x (where x is your team number)
Step 2 Configure an IKE transform set. This will be used by the PDG during
the INIT phase of IPSec negotiation:
ikev2-ikesa transform-set ikev2-sa-set-1
encryption aes-cbc-128
prf sha1
hmac sha1-96
group 2
exit
Step 3 Configure an IPSec transform set. This will be used by the ePDG during
the AUTH phase of IPSec negotiation:
ipsec transform-set ipsec-set-1
encryption aes-cbc-128
hmac sha1-96
mode tunnel
exit
Step 4 Configure the crypto template. This will reference the authentication
profile, IKE transform set, and IPSec transform set that you just
created.
crypto template epdg-crypto-template-teamx ikev2-dynamic (where x is your team number)
authentication remote eap-profile eap-teamx (where x is your team number)
ikev2-ikesa transform-set list ikev2-sa-set-1
ikev2-ikesa rekey
payload ipsec-sa-payload match childsa match any
ipsec transform-set list ipsec-set-1
lifetime 3600
rekey keepalive
exit
nai use-received-idr
ikev2-ikesa policy error-notification
dos cookie-challenge notify-payload half-open-sess-count start 2 stop 2
ikev2-ikesa keepalive-user-activity
end
Step 5 Use these commands to verify the transforms you just created:
context <ingress context of your team>
show crypto ipsec transform-set (you should see the IPsec transform set you created)
show crypto ikev2-ikesa transform-set (you should see the IKEv2 transform set that you created)
Task 8: Creating the ePDG Service
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 The ePDG service ties together many of the components you have
created up to this point. It will reference the IPSec crypto template and
loopback address. Enter Configuration Mode for the PDGin context of
your team:
configure
context PDGin-x (where x is your team number)
Step 2 Create an ePDG service and bind it to the loopback interface you
configured earlier. Also note that you are telling the system to look for
a MAG service in the PDGout context:
epdg-service epdg-svc-x (where x is your team number)
plmn id mcc 311 mnc 482
associate egtp-service egtp-svc-x (where x is your team number)
dns-pgw selection topology
bind address <SWu loopback address> crypto-template epdg-crypto-template-teamx (where x is your team number)
end
Task 9: Creating the GTP Services
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the PDGout context of your team:
configure
context PDGout-x (where x is your team number)
Step 2 Create the GTP service which is responsible for tunneling all traffic
(user and signaling) to the PGW:
gtpu-service gtpu-svc-x (where x is your team
number)
echo-interval 3600
no path-failure detection-policy
source-port standard
bind ipv4-address <IPv4 loopback address from table>
exit
Step 3 Create the EGTP service which is responsible for generating and
parsing GTP signaling traffic:
egtp-service egtp-svc-x (where x is your team number)
no gtpc path-failure detection-policy
interface-type interface-epdg-egress
associate gtpu-service gtpu-svc-x (where x is your team number)
gtpc bind ipv4-address <IPv4 loopback address from table>
end
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the ingress context of your team:
configure
context PDGin-x (where x is your team number)
Step 2 Create a DNS client that will send queries to the configured name
server. Bind it to the SWu loopback address from the table below:
ip domain-lookup
ip name-server 192.168.10.4
dns-client dns-callgen
bind address <SWu loopback>
end
Activity Procedure
Complete these steps:
Step 1 Save your configuration. The name of your saved configuration file
should match that in the table below:
save config /flash/<config file name>
file sync
Step 4 Use this command to see your session from the perspective of the
ePDG:
show sub epdg-only all
Step 5 After a test call has succeeded, prepare to capture another call using
the monitor subscriber command:
monitor subscriber next-call
The GTP Create Session Request from the ePDG to the PGW
Step 7 Save this capture for later reference.
Step 8 This completes the lab.
Description
The ePDG configuration that you are going to build is illustrated below. The following
instructions show you how this is put together, piece by piece.
Visual Objective
Activity Objective
In this activity, you will learn how to build the configuration shown above.
Cisco Learning Services (www.cisco.com/go/cls) Configuring the ASR 5000 for ePDG Operation
Task Data
The table below lists the names of the contexts, depending on your team number. Use this
table and the directions below to create the correct contexts.
Activity Procedure
Complete these steps:
Step 1 Verify that you are at the Exec mode prompt and in the local context.
Enter global configuration mode and create the PDGin context for your
team:
config
context PDGin-x (where x is your team number)
Step 2 After confirming the context creation, you are placed into the context
configuration sub-mode. Exit this mode so you can create another
context:
exit
Activity Procedure
Complete these steps:
Step 1 It is through the SWu interface that the WLAN-connected UE initially
contacts the ePDG. Go into context configuration sub-mode for the
ingress context:
configure
context <PDGin context of your team>
Step 2 Create a loopback interface that will be bound to the ePDG service.
From the UE’s perspective, this will be the address to which it forms an
IPSec tunnel.
Step 3 Using the table and commands below, create the low-level SWu
interface for your team. It is through this interface that the UE will be
attempting to connect to the loopback address.
Team IP address/mask
1 192.168.10.141/24
2 192.168.10.142/24
3 192.168.10.143/24
4 192.168.10.144/24
5 192.168.10.145/24
6 192.168.10.146/24
Step 5 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag on the port. Use the portion of the table below that is relevant
to your team number:
port ethernet <slot#/port#>
description <port description>
no shutdown
vlan 10
no shutdown
bind interface <logical int name> <logical interface context>
end
Activity Procedure
Complete these steps:
Step 1 The SWm interface connects the ePDG to the AAA server. Enter Global
Configuration Mode and then go into the context configuration sub-
mode for the ingress context:
configure
context <PDGin context of your team>
Step 2 Create a loopback interface that will be used as the source address for
communication with the 3GPP AAA server.
Step 4 Using the table and commands below, create the low-level SWm
interface for your team.
Team IP address/mask
1 135.2.214.111/24
2 135.2.214.112/24
3 135.2.214.113/24
4 135.2.214.114/24
5 135.2.214.115/24
6 135.2.214.116/24
Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag. Use the portion of the table below that is relevant to your
team number:
port ethernet <slot#/port#>
vlan 214
no shutdown
bind interface <logical int name> <logical int context>
end
Activity Procedure
Complete these steps:
Step 1 This interface connects the ePDG to the PGW, through an IPv6 tunnel.
Enter Global Configuration Mode, and then the Context Configuration
sub-mode for the PDGout context of your team:
configure
context <PDGout context of your team>
Step 2 Create a loopback interface that will be used for S2b purposes. This will
be the source address of Proxy Mobile IP (PMIP) messages sent from
the ePDG to the PGW.
interface S2B-LOOP-x loopback (where x is your team number)
Step 4 Using the table and commands below, create the low-level S2b
interface for your team. This is the interface through which traffic will
flow to get to the loopback address.
Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous steps to
the vlan tag. Use the portion of the table below that is relevant to your
team:
port ethernet <slot#/port#>
vlan 808
no shutdown
bind interface <logical int name> <logical int context>
end
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 In the PDGin context, create a DIAMETER endpoint for access to the
3GPP AAA server. This endpoint will use the loopback address that you
created earlier in the lab:
config
Step 2 Within the default AAA group of the PDGin context, configure the
system to use the endpoint you just created:
aaa group default
diameter authentication dictionary aaa-custom16
diameter authentication endpoint aaa-swm-teamx (where x is your team number)
diameter authentication server aaa-swm priority 1
end
Step 4 Verify that the State is ‘Open’ for each proxy server on each packet
service card (PSC).
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Enter Global Configuration Mode and navigate into the ingress PDG
context of your team:
configure
context PDGin-x (where x is your team number)
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Go into Global Configuration Mode and enter the context configuration
sub-mode:
configure
context PDGin-x (where x is your team number)
Step 2 Configure an IKE transform set. This will be used by the PDG during
the INIT phase of IPSec negotiation:
ikev2-ikesa transform-set ikev2-sa-set-1
encryption aes-cbc-128
prf sha1
hmac sha1-96
group 2
exit
Step 3 Configure an IPSec transform set. This will be used by the ePDG during
the AUTH phase of IPSec negotiation:
ipsec transform-set ipsec-set-1
encryption aes-cbc-128
hmac sha1-96
mode tunnel
exit
Step 4 Configure the crypto template. This will reference the authentication
profile, IKE transform set, and IPSec transform set that you just
created.
crypto template epdg-crypto-template-teamx ikev2-dynamic (where x is your team number)
authentication remote eap-profile eap-teamx (where x is your team number)
ikev2-ikesa transform-set list ikev2-sa-set-1
ikev2-ikesa rekey
payload ipsec-sa-payload match childsa match any
ipsec transform-set list ipsec-set-1
lifetime 3600
rekey keepalive
exit
nai use-received-idr
ikev2-ikesa policy error-notification
dos cookie-challenge notify-payload half-open-sess-count start 2 stop 2
ikev2-ikesa keepalive-user-activity
end
Step 5 Use these commands to verify the transform sets you just created.
context <ingress context of your team>
show crypto ipsec transform-set (you should see the IPsec transform set you created)
show crypto ikev2-ikesa transform-set (you should see the IKEv2 transform set that you created)
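As an added check on Steps 2 through 5 (this script is not part of the Cisco lab or of StarOS), the following Python parses the two transform sets exactly as typed above and reports every setting that falls outside a hardened baseline; the baseline values and the StarOS keyword spellings used for the stronger algorithms are assumptions.

```python
import re

# Constructed sample: the two transform sets exactly as typed in the lab steps.
LAB_CONFIG = """
ikev2-ikesa transform-set ikev2-sa-set-1
 encryption aes-cbc-128
 prf sha1
 hmac sha1-96
 group 2
 exit
ipsec transform-set ipsec-set-1
 encryption aes-cbc-128
 hmac sha1-96
 mode tunnel
 exit
"""

# Assumed baseline for this example (RFC 8247 rates 1024-bit MODP group 2
# SHOULD NOT and marks the SHA-1 PRF/integrity algorithms for phase-out).
BASELINE = {
    "encryption": {"aes-cbc-128", "aes-cbc-256"},
    "prf": {"sha2-256", "sha2-384", "sha2-512"},
    "hmac": {"sha2-256-128", "sha2-384-192", "sha2-512-256"},
    "group": {"14", "19", "20"},
}

def parse_transform_sets(text: str) -> dict:
    """Map each transform-set name to its {keyword: value} settings."""
    sets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(?:ikev2-ikesa|ipsec) transform-set (\S+)$", line)
        if m:                      # start of a new transform-set block
            current = sets.setdefault(m.group(1), {})
        elif line == "exit":       # end of the current block
            current = None
        elif current is not None and line:
            key, _, value = line.partition(" ")
            current[key] = value
    return sets

def lint(sets: dict) -> list:
    """Return one finding per setting that is outside BASELINE."""
    findings = []
    for name, attrs in sets.items():
        for key, allowed in BASELINE.items():
            value = attrs.get(key)
            if value is not None and value not in allowed:
                findings.append(f"{name}: {key} {value} not in baseline")
    return findings
```

Run it against the output of `show configuration` for the ingress context to see which of the lab's settings a production profile would need to raise.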
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 The ePDG service ties together many of the components you have
created up to this point. It will reference the IPSec crypto template and
loopback address. Enter Configuration Mode for the PDGin context of
your team:
configure
context PDGin-x (where x is your team number)
Step 2 Create an ePDG service and bind it to the loopback interface you
configured earlier. Also note that you are telling the system to look for
a MAG service in the PDGout context:
epdg-service epdg-svc-x (where x is your team number)
plmn id mcc 311 mnc 482
mobile-access-gateway context PDGout-x mag-service magx (where x is your team number)
bind address <SWu loopback address> crypto-template epdg-crypto-template-teamx (where x is your team number)
end
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the PDGout context of your team:
configure
context PDGout-x (where x is your team number)
Visual Objective
The following graphic shows the objective for this task.
Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the ingress context of your team:
configure
context PDGin-x (where x is your team number)
Step 2 Create a DNS client that will send queries to the configured
nameserver. Bind it to the SWu loopback address from the table below:
ip domain-lookup
ip name-server 192.168.10.4
dns-client dns-callgen
bind address <SWu loopback>
end
Activity Procedure
Complete these steps:
Step 1 Save your configuration. The name of your saved configuration file
should match that in the table below:
save config /flash/<config file name>
file sync
Step 4 Use this command to see your session from the perspective of the
ePDG:
show sub epdg-only all
Step 5 After a test call has succeeded, prepare to capture the next call using
the monitor subscriber command:
monitor subscriber next-call