
ePDG3D

Cisco ePDG System


Administration
Version 2.1

Lab Guide
Text Part Number: ePDG3D_2-1
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website
at www.cisco.com/go/offices.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks
of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks. Third party company names, trademarks, and logos referenced in these materials are the
property of their respective owners and their use does not constitute or imply an endorsement, sponsorship, affiliation,
association or approval by the third parties of these materials or with Cisco. The use of the word partner does not imply a
partnership relationship between Cisco and any other company.

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS" AND AS SUCH MAY INCLUDE
TYPOGRAPHICAL, GRAPHICS, OR FORMATTING ERRORS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES
IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY
OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY
DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT
AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE
PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls
subject to the disclaimer above.
Cisco Learning Services (www.cisco.com/go/cls) Contents

Contents
Overview for All Labs ... v
Command Syntax Reference ... vi

Lab 1: Configuring the ASR 5000 for ePDG Operation (GTP Connection to PGW) ... 1–1
  Task 1: Creating Contexts ... 1–2
  Task 2: Configuring the IPv4 SWu Interface on the ePDG ... 1–4
  Task 3: Configuring the IPv4 SWm Interface on the ePDG ... 1–8
  Task 4: Configuring the S2b IPv4 GTP Interface on the ePDG ... 1–12
  Task 5: Creating a DIAMETER Connection to the AAA Server ... 1–16
  Task 6: Configure an EAP Profile ... 1–19
  Task 7: Configure IPSec Transforms and Crypto Template ... 1–21
  Task 8: Creating the ePDG Service ... 1–24
  Task 9: Creating the GTP Services ... 1–26
  Task 10: Creating a DNS Client ... 1–29
  Task 11: Saving and Testing the Configuration ... 1–31

Lab 2: Configuring the ASR 5500 for ePDG Operation (GTP Connection to PGW) ... 2–1
  Task 1: Creating Contexts ... 2–2
  Task 2: Configuring the IPv4 SWu Interface on the ePDG ... 2–4
  Task 3: Configuring the IPv4 SWm Interface on the ePDG ... 2–8
  Task 4: Configuring the S2b IPv4 GTP Interface on the ePDG ... 2–12
  Task 5: Creating a DIAMETER Connection to the AAA Server ... 2–16
  Task 6: Configure an EAP Profile ... 2–19
  Task 7: Configure IPSec Transforms and Crypto Template ... 2–21
  Task 8: Creating the ePDG Service ... 2–24
  Task 9: Creating the GTP Services ... 2–26
  Task 10: Creating a DNS Client ... 2–29
  Task 11: Saving and Testing the Configuration ... 2–31

© 2017 Cisco Systems, Inc. ePDG3D_2-1 Lab Guide iii


This document is for training purposes only. All content is subject to change without notice.

Lab 3: Configuring ePDG Operation on Cisco vPC-DI (GTP Connection to PGW) ... 3–1
  Task 1: Creating Contexts ... 3–2
  Task 2: Configuring the IPv4 SWu Interface on the ePDG ... 3–4
  Task 3: Configuring the IPv4 SWm Interface on the ePDG ... 3–8
  Task 4: Configuring the S2b IPv4 GTP Interface on the ePDG ... 3–12
  Task 5: Creating a DIAMETER Connection to the AAA Server ... 3–16
  Task 6: Configure an EAP Profile ... 3–19
  Task 7: Configure IPSec Transforms and Crypto Template ... 3–21
  Task 8: Creating the ePDG Service ... 3–24
  Task 9: Creating the GTP Services ... 3–26
  Task 10: Creating a DNS Client ... 3–29
  Task 11: Saving and Testing the Configuration ... 3–31

Lab 4: Configuring the ASR 5000 for ePDG Operation ... 4–1
  Task 1: Creating Contexts ... 4–2
  Task 2: Configuring the IPv4 SWu Interface on the ePDG ... 4–4
  Task 3: Configuring the IPv4 SWm Interface on the ePDG ... 4–7
  Task 4: Configuring the S2b IPv6 PMIP Interface on the ePDG ... 4–11
  Task 5: Creating a DIAMETER Connection to the AAA Server ... 4–15
  Task 6: Configure an EAP Profile ... 4–18
  Task 7: Configure IPSec Transforms and Crypto Template ... 4–20
  Task 8: Creating the ePDG Service ... 4–23
  Task 9: Creating the MAG Service ... 4–25
  Task 10: Creating a DNS Client ... 4–27
  Task 11: Saving and Testing the Configuration ... 4–29

Overview for All Labs

Required Resources
The following resources and equipment are required for completing the activities in this
lab guide:
- Laptop or notebook computer with:
  - Terminal emulation program (such as PuTTY, available at
    http://www.chiark.greenend.org.uk/~sgtatham/putty/) capable of Telnet or SSH
    (use SSH where the chassis allows it; Telnet carries the login credentials in the clear)
  - 10/100 Base-T Ethernet interface
- Access to the Internet

Command Syntax Reference

This lab guide uses the following conventions for command syntax:

boldface / Courier New
    Commands are in boldface and Courier New typeface.
    Example: Type show running config
    Example: Use the name command.
    Example: Save your current configuration as the default startup config:
        Router Name# copy running startup

brackets ([ ])
    Indicates an optional element.

braces ({ })
    Indicates a required choice; you enter exactly one of the options.
    Example: (config-if)# frame-relay lmi-type {ansi|cisco|q933a}

italics font
    Arguments for which you supply values are in italics.
    Example: ip tcp window-size bytes

angle brackets (< >)
    In contexts that do not allow italics, arguments for which you supply values are
    enclosed in angle brackets. Do not type the brackets when entering the command.
    Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12

string
    A non-quoted set of characters. Type the characters as-is.
    Example: (config)# hostname MyRouter

vertical line (|)
    Indicates that you enter one of the choices. The vertical line separates choices.
    Do not type the vertical line when entering the command.
    Example: If the command syntax is show ip route|arp, you enter either
    show ip route or show ip arp, but not both.

Lab 1: Configuring the ASR 5000 for ePDG Operation (GTP Connection to PGW)

Description
The ePDG configuration that you are going to build is illustrated below. The following
instructions show you how this is put together, piece by piece.

Visual Objective

Activity Objective
In this activity, you will learn how to build the configuration shown above.

Task 1: Creating Contexts

In this exercise, your team is going to configure everything within two contexts.

Task Data
The table below lists the names of the contexts, depending on your team number. Use this
table and the directions below to create the correct contexts.

Team   Ingress Context   Egress Context
1      PDGin-1           PDGout-1
2      PDGin-2           PDGout-2
3      PDGin-3           PDGout-3
4      PDGin-4           PDGout-4
5      PDGin-5           PDGout-5
6      PDGin-6           PDGout-6

Activity Procedure
Complete these steps:
Step 1  Verify that you are at the Exec mode prompt and in the local context.
        Enter global configuration mode and create the PDGin context for your
        team:
            config
            context PDGin-x        (where x is your team number)

Step 2  After confirming the context creation, you are placed into the context
        configuration sub-mode. Exit this mode so you can create another
        context:
            exit


Step 3  Create the egress context for your team:
            context PDGout-x        (where x is your team number)
            end

Step 4  Verify that your contexts were successfully created:
            show context


Task 2: Configuring the IPv4 SWu Interface on the ePDG

Activity Procedure
Complete these steps:
Step 1  It is through the SWu interface that the WLAN-connected UE initially
        contacts the ePDG. Go into context configuration sub-mode for the
        ingress context:
            configure
            context <PDGin context of your team>

Step 2  Create a loopback interface that will be bound to the ePDG service.
        From the UE’s perspective, this is the address to which it forms an
        IPSec tunnel (the IKEv2 responder address).
            interface AAA-SWU-LOOP-x loopback        (where x is your team number)
            ip address <address> <mask>
            exit

Team   AAA SWU Loopback IP Address/mask
1      192.168.10.10/32
2      192.168.10.22/32
3      192.168.10.30/32
4      192.168.10.40/32
5      192.168.10.50/32
6      192.168.10.60/32

Step 3  Using the table and commands below, create the low-level SWu
        interface for your team. It is through this interface that the UE
        reaches the loopback address.
            interface <interface name>

Team   SWu Interface Name
1      20/1-swu
2      20/2-swu
3      20/3-swu
4      20/4-swu
5      20/5-swu
6      20/6-swu


Step 4  Within the interface configuration sub-mode, configure the correct IP
        address and subnet mask. Also, create a default route in this context.
        Use the following commands and the table to add the correct address for
        your team only:
            ip address <address> <mask>
            exit
            ip route 0.0.0.0/0 next-hop 192.168.10.4 <SWu interface name from table above>
            exit

Team   IP address/mask
1      192.168.10.141/24
2      192.168.10.142/24
3      192.168.10.143/24
4      192.168.10.144/24
5      192.168.10.145/24
6      192.168.10.146/24

Step 5  Configure the physical port and VLAN that the interface will use. This
        includes binding the logical interface created in the previous step to
        the VLAN tag on the port. Use the portion of the table below that is
        relevant to your team number:
            port ethernet <slot#/port#>
            description <port description>
            no shutdown
            vlan 10
            no shutdown
            bind interface <logical int name> <logical interface context>
            end


Team   Slot#/port#   Port Description   Logical Int Name   Logical Int Context
1      20/1          “Team 1 In”        20/1-swu           PDGin-1
2      20/2          “Team 2 In”        20/2-swu           PDGin-2
3      20/3          “Team 3 In”        20/3-swu           PDGin-3
4      20/4          “Team 4 In”        20/4-swu           PDGin-4
5      20/5          “Team 5 In”        20/5-swu           PDGin-5
6      20/6          “Team 6 In”        20/6-swu           PDGin-6

Step 6  Verify your configuration by entering the following commands. All
        interfaces should have a state of UP.
            context <PDGin context of your team>
            show ip interface summary


Task 3: Configuring the IPv4 SWm Interface on the ePDG

Activity Procedure
Complete these steps:
Step 1  The SWm interface connects the ePDG to the 3GPP AAA server (DIAMETER).
        Enter Global Configuration Mode and then go into the context
        configuration sub-mode for the ingress context:
            configure
            context <PDGin context of your team>

Step 2  Create a loopback interface that will be used as the source address for
        communication with the 3GPP AAA server.
            interface AAA-SWM-LOOP-x loopback        (where x is your team number)

Step 3  Within the interface configuration sub-mode, set the loopback IP
        address and subnet mask. Use the following to add the correct address
        for your team only:
            ip address <address> <mask>
            exit

Team   AAA SWM Loopback IP Address/mask
1      135.2.214.1/32
2      135.2.214.2/32
3      135.2.214.3/32
4      135.2.214.4/32
5      135.2.214.5/32
6      135.2.214.6/32

Step 4  Using the table and commands below, create the low-level SWm
        interface for your team.
            interface <SWm interface name>

Team   SWm Interface Name
1      20/1-swm
2      20/2-swm
3      20/3-swm
4      20/4-swm
5      20/5-swm
6      20/6-swm


Step 5  Within the interface configuration sub-mode, configure the correct IP
        address and subnet mask. Use the following command and the table to
        add the correct address for your team only:
            ip address <address> <mask>
            exit
            exit

Team   IP address/mask
1      135.2.214.111/24
2      135.2.214.112/24
3      135.2.214.113/24
4      135.2.214.114/24
5      135.2.214.115/24
6      135.2.214.116/24

Step 6  Configure the physical port and VLAN that the interface will use. This
        includes binding the logical interface created in the previous step to
        the VLAN tag. Use the portion of the table below that is relevant to
        your team number:
            port ethernet <slot#/port#>
            vlan 214
            no shutdown
            bind interface <logical int name> <logical int context>
            end

Team   Slot#/port#   Logical Int Name   Logical Int Context
1      20/1          20/1-swm           PDGin-1
2      20/2          20/2-swm           PDGin-2
3      20/3          20/3-swm           PDGin-3
4      20/4          20/4-swm           PDGin-4
5      20/5          20/5-swm           PDGin-5
6      20/6          20/6-swm           PDGin-6


Step 7  Verify your configuration by entering the following commands. All
        interfaces should have a state of UP.
            context <PDGin context of your team>
            show ip interface summary


Task 4: Configuring the S2b IPv4 GTP Interface on the ePDG

Activity Procedure
Complete these steps:
Step 1  This interface connects the ePDG to the PGW; the GTP tunnel runs over
        IPv4 here. Enter Global Configuration Mode, and then the Context
        Configuration sub-mode for the PDGout context of your team:
            configure
            context <PDGout context of your team>

Step 2  Create a loopback interface that will be used for S2b purposes. This will
        be the source address of GTP messages sent from the ePDG to the PGW.
            interface S2B-LOOP-x loopback        (where x is your team number)


Step 3  Within the interface configuration sub-mode, add an IP address and
        mask. Use the following command and the table to add the correct
        address for your team only:
            ip address <address> <mask>
            exit

Team   IPv4 Loopback Address/mask
1      192.168.4.221/32
2      192.168.4.223/32
3      192.168.4.225/32
4      192.168.4.227/32
5      192.168.4.229/32
6      192.168.4.231/32

Step 4  Using the table and commands below, create the low-level S2b interface
        for your team. This is the interface through which traffic flows to
        reach the loopback address.
            interface <interface name>

Team   S2b Interface Name
1      20/1-s2b
2      20/2-s2b
3      20/3-s2b
4      20/4-s2b
5      20/5-s2b
6      20/6-s2b


Step 5  Within the interface configuration sub-mode, configure the correct IP
        address and subnet mask. Use the following command and the table to
        add the correct address for your team only:
            ip address <address> <mask>
            exit
            exit

Team   IPv4 address/mask
1      192.168.4.220/24
2      192.168.4.222/24
3      192.168.4.224/24
4      192.168.4.226/24
5      192.168.4.228/24
6      192.168.4.230/24

Step 6  Configure the physical port and VLAN that the interface will use. This
        includes binding the logical interface created in the previous steps to
        the VLAN tag. Use the portion of the table below that is relevant to
        your team:
            port ethernet <slot#/port#>
            vlan 4
            no shutdown
            bind interface <logical int name> <logical int context>
            end

Team   Slot#/port#   Logical Int Name   Logical Int Context
1      20/1          20/1-s2b           PDGout-1
2      20/2          20/2-s2b           PDGout-2
3      20/3          20/3-s2b           PDGout-3
4      20/4          20/4-s2b           PDGout-4
5      20/5          20/5-s2b           PDGout-5
6      20/6          20/6-s2b           PDGout-6


Step 7  Verify your configuration by entering the following commands; all
        interfaces should have a state of UP:
            context <PDGout context of your team>
            show ip interface summary
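Tasks 1 to 4 build one team's contexts, loopbacks, VLAN interfaces and port bindings a few lines at a time, and a mistyped address on any of the three legs is the usual reason a later task's verification never shows UP. The following Python script, added here as an example and not part of the lab or of Cisco's tooling, assembles the complete Task 1 to Task 4 CLI for a team from the address tables and cross-checks the plan before you type it: every loopback is a /32 inside the /24 of its VLAN, and the default-route next hop is on-link. The context, interface and VLAN names are the lab's; the rendering order and the checks are this example's own.

```python
"""Assemble and cross-check one team's Task 1 to Task 4 configuration.

Added example for this lab guide, not Cisco tooling. The address plan is the
one in the task tables; the output is StarOS-style CLI in the order the tasks
enter it, so you can compare it with 'show configuration' afterwards.
"""
import ipaddress

SWU_NEXT_HOP = "192.168.10.4"   # default-route next hop from Task 2, Step 4

# team -> (SWu loopback, SWu interface, SWm loopback, SWm interface,
#          S2b loopback, S2b interface), copied from the Lab 1 tables.
PLAN = {
    1: ("192.168.10.10/32", "192.168.10.141/24", "135.2.214.1/32",
        "135.2.214.111/24", "192.168.4.221/32", "192.168.4.220/24"),
    2: ("192.168.10.22/32", "192.168.10.142/24", "135.2.214.2/32",
        "135.2.214.112/24", "192.168.4.223/32", "192.168.4.222/24"),
    3: ("192.168.10.30/32", "192.168.10.143/24", "135.2.214.3/32",
        "135.2.214.113/24", "192.168.4.225/32", "192.168.4.224/24"),
    4: ("192.168.10.40/32", "192.168.10.144/24", "135.2.214.4/32",
        "135.2.214.114/24", "192.168.4.227/32", "192.168.4.226/24"),
    5: ("192.168.10.50/32", "192.168.10.145/24", "135.2.214.5/32",
        "135.2.214.115/24", "192.168.4.229/32", "192.168.4.228/24"),
    6: ("192.168.10.60/32", "192.168.10.146/24", "135.2.214.6/32",
        "135.2.214.116/24", "192.168.4.231/32", "192.168.4.230/24"),
}

# (reference point, loopback name prefix, interface suffix, VLAN, context prefix)
LEGS = (("SWu", "AAA-SWU-LOOP", "swu", 10, "PDGin"),
        ("SWm", "AAA-SWM-LOOP", "swm", 214, "PDGin"),
        ("S2b", "S2B-LOOP", "s2b", 4, "PDGout"))

def legs(team):
    """Yield one tuple per reference point with the names and addresses the
    tasks use for this team: (label, lo_name, lo_cidr, if_name, if_cidr, vlan, ctx)."""
    row = PLAN[team]
    for i, (label, lo_prefix, suffix, vlan, ctx_prefix) in enumerate(LEGS):
        yield (label, f"{lo_prefix}-{team}", row[2 * i],
               f"20/{team}-{suffix}", row[2 * i + 1], vlan, f"{ctx_prefix}-{team}")

def check_plan(team):
    """Return a list of problems with the team's address plan; [] means consistent."""
    problems = []
    for label, _, lo_cidr, _, if_cidr, _, _ in legs(team):
        lo = ipaddress.ip_interface(lo_cidr)
        net = ipaddress.ip_interface(if_cidr).network
        if lo.network.prefixlen != 32:
            problems.append(f"{label}: loopback {lo_cidr} is not a /32")
        # The lab plan keeps every loopback inside the /24 of its VLAN so the
        # UE, AAA server and PGW can reach it without extra routes; an address
        # typed outside that /24 is the usual reason a leg never comes up.
        if lo.ip not in net:
            problems.append(f"{label}: loopback {lo_cidr} is outside {net}")
    swu_net = ipaddress.ip_interface(PLAN[team][1]).network
    if ipaddress.ip_address(SWU_NEXT_HOP) not in swu_net:
        problems.append(f"SWu: next hop {SWU_NEXT_HOP} is not on-link in {swu_net}")
    return problems

def addr_mask(cidr):
    """'192.168.10.10/32' -> ('192.168.10.10', '255.255.255.255')."""
    itf = ipaddress.ip_interface(cidr)
    return str(itf.ip), str(itf.network.netmask)

def render(team):
    """Return the Task 1 to Task 4 CLI for one team as a single string."""
    problems = check_plan(team)
    if problems:
        raise ValueError("; ".join(problems))
    out = ["config", f"context PDGin-{team}", "exit", f"context PDGout-{team}", "exit"]
    bindings = []
    for label, lo_name, lo_cidr, if_name, if_cidr, vlan, ctx in legs(team):
        lo_ip, lo_mask = addr_mask(lo_cidr)
        if_ip, if_mask = addr_mask(if_cidr)
        out += [f"context {ctx}",
                f"  interface {lo_name} loopback",
                f"    ip address {lo_ip} {lo_mask}",
                "  exit",
                f"  interface {if_name}",
                f"    ip address {if_ip} {if_mask}",
                "  exit"]
        if label == "SWu":   # only the ingress context gets the default route
            out.append(f"  ip route 0.0.0.0/0 next-hop {SWU_NEXT_HOP} {if_name}")
        out.append("exit")
        bindings.append((vlan, if_name, ctx))
    # All three VLANs ride the team's single physical port (slot 20, port = team).
    out += [f"port ethernet 20/{team}", f'  description "Team {team} In"', "  no shutdown"]
    for vlan, if_name, ctx in bindings:
        out += [f"  vlan {vlan}", "    no shutdown",
                f"    bind interface {if_name} {ctx}", "  exit"]
    out.append("end")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(1))
```

Run it with your team number and paste the output, or keep it beside the console and tick off each block as you type it. The check deliberately runs before rendering so a plan with a typo is refused rather than turned into CLI; extend PLAN with a seventh row containing a deliberately wrong loopback to see the message it produces.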


Task 5: Creating a DIAMETER Connection to the AAA Server

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1  In the PDGin context, create a DIAMETER endpoint for access to the
        3GPP AAA server. This endpoint will use the SWm loopback address that
        you created earlier in the lab:
            config
            context <PDGin context of your team>
            diameter endpoint aaa-swm-teamx        (where x is your team number)
            origin realm cisco.com
            use-proxy
            origin host ASR5K-swm-teamx address <SWm loopback address of your team from the table below>
                                                   (where x is your team number)
            peer aaa-swm realm cisco.com address <peer address from table> port <port from table>
            route-entry peer aaa-swm
            exit

Team   SWm Loopback Address   Peer Address    Port
1      135.2.214.1            135.2.214.21    4851
2      135.2.214.2            135.2.214.32    4852
3      135.2.214.3            135.2.214.23    4853
4      135.2.214.4            135.2.214.24    4854
5      135.2.214.5            135.2.214.25    4855
6      135.2.214.6            135.2.214.26    4856


Step 2  Within the default AAA group of the PDGin context, configure the
        system to use the endpoint you just created:
            aaa group default
            diameter authentication dictionary aaa-custom16
            diameter authentication endpoint aaa-swm-teamx        (where x is your team number)
            diameter authentication server aaa-swm priority 1
            end

Step 3  Verify that the DIAMETER connection is up:
            context <PDGin context of your team>
            show diameter peer full endpoint aaa-swm-teamx        (where x is your team number)

Step 4  Verify that the State is ‘Open’ for each proxy on each packet service
        card (PSC). With use-proxy configured, the peer connection is held per
        card, so every card must show Open before authentication can succeed
        regardless of which card handles a call.


Task 6: Configure an EAP Profile

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1  Enter Global Configuration Mode and navigate into the ingress PDG
        context of your team:
            configure
            context PDGin-x        (where x is your team number)

Step 2  Create an Extensible Authentication Protocol (EAP) profile that will be
        included in the Crypto Template (IPSec policy). This profile defines
        EAP-AKA as the authentication method. In authenticator-pass-through mode
        the ePDG does not terminate EAP itself; it relays the EAP exchange between
        the UE (inside IKE_AUTH) and the 3GPP AAA server (over the SWm DIAMETER
        connection from Task 5):
            eap-profile eap-teamx        (where x is your team number)
            mode authenticator-pass-through
            method eap-aka
            end


Task 7: Configure IPSec Transforms and Crypto Template

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1  Go into Global Configuration Mode and enter the context configuration
        sub-mode:
            configure
            context PDGin-x        (where x is your team number)

Step 2  Configure an IKEv2 transform set. These are the algorithms the ePDG
        offers for the IKE SA itself during the IKE_SA_INIT exchange:
            ikev2-ikesa transform-set ikev2-sa-set-1
            encryption aes-cbc-128
            prf sha1
            hmac sha1-96
            group 2
            exit

Step 3  Configure an IPSec transform set. These are the algorithms the ePDG
        offers for the child (ESP) SA negotiated during the IKE_AUTH exchange:
            ipsec transform-set ipsec-set-1
            encryption aes-cbc-128
            hmac sha1-96
            mode tunnel
            exit

        The values above are chosen to match the lab's test UE. Note that group 2
        is 1024-bit MODP, which RFC 8247 rates SHOULD NOT, and that the SHA-1 PRF
        and integrity algorithms are on their way out; do not carry these transform
        sets into a production template without revisiting them.


Step 4  Configure the crypto template. This will reference the authentication
        profile, IKEv2 transform set, and IPSec transform set that you just
        created.
            crypto template epdg-crypto-template-teamx ikev2-dynamic        (where x is your team number)
              authentication remote eap-profile eap-teamx                   (where x is your team number)
              ikev2-ikesa transform-set list ikev2-sa-set-1
              ikev2-ikesa rekey
              payload ipsec-sa-payload match childsa match any
                ipsec transform-set list ipsec-set-1
                lifetime 3600
                rekey keepalive
              exit
              nai use-received-idr
              ikev2-ikesa policy error-notification
              dos cookie-challenge notify-payload half-open-sess-count start 2 stop 2
              ikev2-ikesa keepalive-user-activity
            end

        The dos cookie-challenge line turns on the IKEv2 COOKIE exchange once the
        number of half-open IKE SAs reaches the start threshold, so an IKE_SA_INIT
        flood from spoofed sources is made to prove reachability before the ePDG
        commits state to it. The thresholds of 2 are lab values chosen so you can
        see the challenge in a trace; size them for real load in a deployment.

Step 5  Use these commands to verify the transforms you just created.
            context <ingress context of your team>
            show crypto ipsec transform-set            (you should see the IPSec transform set you created)
            show crypto ikev2-ikesa transform-set      (you should see the IKEv2 transform set that you created)
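Before a template like the one in Task 7 is reused outside the lab, a reviewer would want its transform sets scored against current guidance rather than eyeballed. The following Python script, an added example that is not Cisco code, parses the Task 7 configuration (embedded below as constructed sample text matching what the task has you type) and reports what it would flag: DH group 2 (1024-bit MODP, rated SHOULD NOT in RFC 8247), the SHA-1 PRF and integrity algorithms (still permitted by RFC 8247 but marked for phase-out), the absence of a group line in the IPSec transform set (no PFS on child-SA rekey; that a group command exists in StarOS ipsec transform-set mode is an assumption to confirm against your release's command reference), and the absence of an authentication local line (the ePDG does not present a certificate to the UE here, a lab shortcut; 3GPP TS 33.402 has the UE authenticate the ePDG by certificate). The rating table and severity names are this example's own and should be aligned with your organisation's crypto policy.

```python
"""Audit the Task 7 IKEv2/IPsec transform sets and crypto template.

Added example for this lab guide, not Cisco code. The sample configuration
below is constructed to match what Task 7 has you type; the ratings are this
example's reading of RFC 8247 and should follow your own crypto policy.
"""
import re

# Constructed sample input: the Task 7 configuration for team 1.
LAB_CONFIG = """\
ikev2-ikesa transform-set ikev2-sa-set-1
  encryption aes-cbc-128
  prf sha1
  hmac sha1-96
  group 2
exit
ipsec transform-set ipsec-set-1
  encryption aes-cbc-128
  hmac sha1-96
  mode tunnel
exit
crypto template epdg-crypto-template-team1 ikev2-dynamic
  authentication remote eap-profile eap-team1
  ikev2-ikesa transform-set list ikev2-sa-set-1
  ikev2-ikesa rekey
  payload ipsec-sa-payload match childsa match any
    ipsec transform-set list ipsec-set-1
    lifetime 3600
    rekey keepalive
  exit
  nai use-received-idr
  ikev2-ikesa policy error-notification
  dos cookie-challenge notify-payload half-open-sess-count start 2 stop 2
  ikev2-ikesa keepalive-user-activity
end
"""

# (keyword, value) -> (severity, reason). "weak" = SHOULD NOT per RFC 8247,
# "legacy" = still allowed there but being phased out (MUST-).
RATINGS = {
    ("group", "1"): ("weak", "768-bit MODP"),
    ("group", "2"): ("weak", "1024-bit MODP; use group 14 or an ECP group"),
    ("group", "5"): ("weak", "1536-bit MODP; use group 14 or an ECP group"),
    ("prf", "sha1"): ("legacy", "PRF_HMAC_SHA1; prefer a SHA-2 PRF"),
    ("hmac", "sha1-96"): ("legacy", "AUTH_HMAC_SHA1_96; prefer a SHA-2 HMAC"),
    ("encryption", "des"): ("weak", "single DES"),
    ("encryption", "3des"): ("weak", "3DES"),
    ("encryption", "null"): ("weak", "NULL encryption"),
}

TRANSFORM_RE = re.compile(r"(ikev2-ikesa|ipsec) transform-set (\S+)$")

def parse_transform_sets(text):
    """Return {set_name: {'kind': ..., keyword: value, ...}} for every
    ikev2-ikesa / ipsec transform-set block in StarOS-style config text."""
    sets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = TRANSFORM_RE.match(line)
        if m:                       # header line opens a new block
            current = sets.setdefault(m.group(2), {"kind": m.group(1)})
            continue
        if line in ("exit", "end") or line.startswith(("crypto ", "payload ")):
            current = None          # left the transform-set sub-mode
            continue
        if current is not None and line:
            keyword, _, value = line.partition(" ")
            current[keyword] = value
    return sets

def audit(text):
    """Return a list of (severity, where, message) findings for the config."""
    findings = []
    for name, params in parse_transform_sets(text).items():
        for keyword, value in params.items():
            if (keyword, value) in RATINGS:
                sev, why = RATINGS[(keyword, value)]
                findings.append((sev, name, f"{keyword} {value}: {why}"))
        # Assumption: on StarOS a 'group' line in an ipsec transform-set turns on
        # PFS; without it a child-SA rekey derives keys from the IKE SA only.
        if params["kind"] == "ipsec" and "group" not in params:
            findings.append(("legacy", name, "no group: child SA rekey without PFS"))
    # Template-level checks on the raw text.
    if "dos cookie-challenge" not in text:
        findings.append(("weak", "crypto template",
                         "no dos cookie-challenge: IKE_SA_INIT floods can exhaust half-open state"))
    if "authentication local" not in text:
        findings.append(("note", "crypto template",
                         "no authentication local: ePDG does not present a certificate to the UE "
                         "(lab shortcut; 3GPP TS 33.402 expects certificate-based ePDG authentication)"))
    return findings

def worst(findings):
    """Overall verdict: 'weak' if anything weak, else 'legacy', else 'ok'."""
    sevs = {sev for sev, _, _ in findings}
    return "weak" if "weak" in sevs else "legacy" if "legacy" in sevs else "ok"

if __name__ == "__main__":
    for sev, where, msg in audit(LAB_CONFIG):
        print(f"[{sev:6}] {where}: {msg}")
    print("verdict:", worst(audit(LAB_CONFIG)))
```

Feed it the output of show configuration from your context instead of the embedded sample to audit what is actually on the chassis. The parser only understands the two transform-set sub-modes and treats the template as flat text, which is enough for these checks; the exact keyword names for the stronger algorithms depend on the StarOS release, so take them from its command reference rather than from the rating table.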


Task 8: Creating the ePDG Service

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1  The ePDG service ties together many of the components you have
        created up to this point. It will reference the IPSec crypto template and
        the SWu loopback address. Enter Configuration Mode for the PDGin context of
        your team:
            configure
            context PDGin-x        (where x is your team number)

Step 2  Create an ePDG service and bind it to the SWu loopback address you
        configured earlier. Also note that you are associating the eGTP service
        that you will create in the PDGout context in Task 9; the service will not
        pass calls until that association resolves:
            epdg-service epdg-svc-x        (where x is your team number)
            plmn id mcc 311 mnc 482
            associate egtp-service egtp-svc-x        (where x is your team number)
            dns-pgw selection topology
            bind address <SWu loopback address> crypto-template epdg-crypto-template-teamx
                                                      (where x is your team number)
            end

Team   SWu Loopback Address
1      192.168.10.10
2      192.168.10.22
3      192.168.10.30
4      192.168.10.40
5      192.168.10.50
6      192.168.10.60

Step 3  Verify your service was created:
            show service all        (verify that your service status is STARTED)


Task 9: Creating the GTP Services

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1  Enter Configuration Mode for the PDGout context of your team:
            configure
            context PDGout-x        (where x is your team number)

Step 2  Create the GTP-U service, which carries the user-plane traffic tunneled
        between the ePDG and the PGW:
            gtpu-service gtpu-svc-x        (where x is your team number)
            echo interval 3600
            no path-failure detection-policy
            source-port standard
            bind ipv4-address <IPv4 loopback address from table>
            exit

Team   IPv4 Loopback Address
1      192.168.4.221
2      192.168.4.223
3      192.168.4.225
4      192.168.4.227
5      192.168.4.229
6      192.168.4.231

Step 3  Create the eGTP service, which generates and parses the GTP-C signaling
        (for example the Create Session Request sent to the PGW) and uses the
        GTP-U service above for the bearer traffic:
            egtp-service egtp-svc-x        (where x is your team number)
            no gtpc path-failure detection-policy
            interface-type interface-epdg-egress
            associate gtpu-service gtpu-svc-x        (where x is your team number)
            gtpc bind ipv4-address <IPv4 loopback address from table>
            end

Team   IPv4 Loopback Address
1      192.168.4.221
2      192.168.4.223
3      192.168.4.225
4      192.168.4.227
5      192.168.4.229
6      192.168.4.231

Step 4  Verify your service was created:
            show service all        (verify that your service status is STARTED)


Task 10: Creating a DNS Client

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1  Enter Configuration Mode for the ingress context of your team:
            configure
            context PDGin-x        (where x is your team number)

Step 2  Create a DNS client that will send queries to the configured name
        server; the DNS-based PGW selection you enabled in Task 8 relies on it.
        Bind it to the SWu loopback address from the table below:
            ip domain-lookup
            ip name-server 192.168.10.4
            dns-client dns-callgen
            bind address <SWu loopback>
            end

Team   SWu Loopback Address
1      192.168.10.10
2      192.168.10.22
3      192.168.10.30
4      192.168.10.40
5      192.168.10.50
6      192.168.10.60


Task 11: Saving and Testing the Configuration

Activity Procedure
Complete these steps:
Step 1  Save your configuration. The name of your saved configuration file
        should match that in the table below:
            save config /flash/<config file name>
            file sync

Team   Config File Name
1      epdg_team1.cfg
2      epdg_team2.cfg
3      epdg_team3.cfg
4      epdg_team4.cfg
5      epdg_team5.cfg
6      epdg_team6.cfg

Step 2  Ask your instructor to generate a test call.

Step 3  A user session should be anchored by the PGW. Since we have a PGW
        configured on the same chassis, you should be able to see the session
        from the PGW’s perspective. Use this command to verify that your
        session is up on the PGW:
            context local
            show sub pgw-only all

Step 4  Use this command to see your session from the perspective of the
        ePDG:
            show sub epdg-only all


Step 5 After a test call has succeeded, prepare to capture another call using
the monitor subscriber command:
monitor subscriber next-call

a) In the protocol selection menu that appears, turn on the following
protocols by typing the appropriate number:
• 40 – IPSec IKE Subscriber
• 74 – EGTPC (this is ON by default)


b) Ask your instructor to generate another call. Look at the monitor
output and identify:
• The EAP authentication exchange
• The Create Session Request from the ePDG to the PGW

NOTE: When you capture the session setup, you will not see the initial
IPSec exchange (IKEv2_INIT_Req and IKEv2_INIT_RSP). This is because you
are tracing a new session, and the session does not technically exist until
after this exchange completes.
Step 6 For your reference, you can capture all packets involved using the
monitor protocol command. If you wish, prepare to capture another
session using this command:
monitor protocol

a) In the protocol selection menu that appears, turn on the following
protocols by typing the appropriate number:
• 40 – IPSec IKE Subscriber
• 74 – EGTPC protocol
• 75 – App Specific Diameter
• 8 – Diameter EAP/STa/S6a/s6d/S6b/S13/SWm
b) Type the letter ‘b’ to begin.
c) Confirm this by typing ‘y’ for Yes.
d) Use the ‘+’ key to raise the verbosity to level 2.


e) Ask your instructor to generate another call. Look at the monitor
output and identify:
• The initial IPSec IKE negotiation
• The EAP authentication exchange
• The GTP Create Session Request from the ePDG to the PGW
Step 7 Save this capture for later reference.
Step 8 This completes the lab.

Lab 2: Configuring the ASR 5500 for
ePDG Operation (GTP
Connection to PGW)

Description
The ePDG configuration that you are going to build is illustrated below. The following
instructions show you how this is put together, piece by piece.

Visual Objective

Activity Objective
In this activity, you will learn how to build the configuration shown above.
Cisco Learning Services (www.cisco.com/go/cls) Configuring the ASR 5500 for ePDG Operation (GTP
Connection to PGW)

Task 1: Creating Contexts


In this exercise, your team is going to configure everything within two contexts.

Task Data
The table below lists the names of the contexts, depending on your team number. Use this
table and the directions below to create the correct contexts.

Team  Ingress Context  Egress Context
1     PDGin-1          PDGout-1
2     PDGin-2          PDGout-2
3     PDGin-3          PDGout-3
4     PDGin-4          PDGout-4
5     PDGin-5          PDGout-5
6     PDGin-6          PDGout-6


Activity Procedure
Complete these steps:
Step 1 Verify that you are at the Exec mode prompt and in the local context.
Enter global configuration mode and create the PDGin context for your
team:
config
context PDGin-x (where x is your team number)

Step 2 After confirming the context creation, you are placed into the context
configuration sub-mode. Exit this mode so you can create another
context:
exit

Step 3 Create the egress context for your team:
context PDGout-x (where x is your team number)
end
Step 4 Verify that your contexts were successfully created:
show context


Task 2: Configuring the IPv4 SWu Interface on the ePDG

Activity Procedure
Complete these steps:
Step 1
Step 2 It is through the SWu interface that the WLAN-connected UE initially
contacts the ePDG. Go into context configuration sub-mode for the
ingress context:
configure
context <PDGin context of your team>

Step 3 Create a loopback interface that will be bound to the ePDG service.
From the UE’s perspective, this will be the address to which it forms an
IPSec tunnel.

interface AAA-SWU-LOOP-x loopback (where x is your team number)
ip address <address> <mask>
exit


Team  AAA SWU Loopback IP Address/mask
1     192.168.10.21/32
2     192.168.10.22/32
3     192.168.10.23/32
4     192.168.10.24/32
5     192.168.10.25/32
6     192.168.10.26/32

Step 4 Using the table and commands below, create the low-level SWu
interface for your team. It is through this interface that the UE will be
attempting to connect to the loopback address.

interface <interface name>

Team  SWu Interface Name
1     5/11-swu
2     5/12-swu
3     5/13-swu
4     5/14-swu
5     5/15-swu
6     5/16-swu


Step 5 Within the interface configuration sub-mode, configure the correct IP
address and subnet mask. Also, create a default route in this context.
Use the following command and the table to add the correct address for
your team only:
ip address <address> <mask>
exit
ip route 0.0.0.0/0 next-hop 192.168.10.4 <swu interface name from table above>
exit

Team IP address/mask
1 192.168.10.141/24
2 192.168.10.142/24
3 192.168.10.143/24
4 192.168.10.144/24
5 192.168.10.145/24
6 192.168.10.146/24

Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag on the port. Use the portion of the table below that is relevant
to your team number:
port ethernet <slot#/port#>
description <port description>
no shutdown
vlan 10
no shutdown
bind interface <logical int name> <logical
interface context>
end


Team  Slot#/port #  Port Description  Logical Int Name  Logical Int Context
1     5/11          “Team 1 In”       5/11-swu          PDGin-1
2     5/12          “Team 2 In”       5/12-swu          PDGin-2
3     5/13          “Team 3 In”       5/13-swu          PDGin-3
4     5/14          “Team 4 In”       5/14-swu          PDGin-4
5     5/15          “Team 5 In”       5/15-swu          PDGin-5
6     5/16          “Team 6 In”       5/16-swu          PDGin-6

Step 7 Verify your configuration by entering the following commands. All
interfaces should have a state of UP.
context <PDGin context of your team>
show ip interface summary


Task 3: Configuring the IPv4 SWm Interface on the ePDG

Activity Procedure
Complete these steps:
Step 1 The SWm interface connects the ePDG to the AAA server. Enter Global
Configuration Mode and then go into the context configuration sub-
mode for the ingress context:
configure
context <PDGin context of your team>

Step 2 Create a loopback interface that will be used as the source address for
communication with the 3GPP AAA server.

interface AAA-SWM-LOOP-x loopback (where x is your team number)


Step 3 Within the interface configuration sub-mode, set the loopback IP
address and subnet mask. Use the following to add the correct address
for your team only:
ip address <address> <mask>
exit

Team  AAA SWM Loopback IP Address/mask
1     135.2.214.1/32
2     135.2.214.2/32
3     135.2.214.3/32
4     135.2.214.4/32
5     135.2.214.5/32
6     135.2.214.6/32

Step 4 Using the table and commands below, create the low-level SWm
interface for your team.

interface <SWm interface name>

Team  SWm Interface Name
1     5/11-swm
2     5/12-swm
3     5/13-swm
4     5/14-swm
5     5/15-swm
6     5/16-swm


Step 5 Within the interface configuration sub-mode, configure the correct IP
address and subnet mask. Use the following command and the table to
add the correct address for your team only:
ip address <address> <mask>
exit
exit

Team IP address/mask
1 135.2.214.111/24
2 135.2.214.112/24
3 135.2.214.113/24
4 135.2.214.114/24
5 135.2.214.115/24
6 135.2.214.116/24

Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag. Use the portion of the table below that is relevant to your
team number:
port ethernet <slot#/port#>
vlan 214
no shutdown
bind interface <logical int name> <logical
int context>
end

Team  Slot#/port #  Logical Int Name  Logical Int Context
1     5/11          5/11-swm          PDGin-1
2     5/12          5/12-swm          PDGin-2
3     5/13          5/13-swm          PDGin-3
4     5/14          5/14-swm          PDGin-4
5     5/15          5/15-swm          PDGin-5
6     5/16          5/16-swm          PDGin-6


Step 7 Verify your configuration by entering the following commands. All
interfaces should have a state of UP.
context <PDGin context of your team>
show ip interface summary


Task 4: Configuring the S2b IPV4 GTP Interface on the ePDG

Activity Procedure
Complete these steps:
Step 1 This interface connects the ePDG to the PGW, through an IPv4 tunnel.
Enter Global Configuration Mode, and then the Context Configuration
sub-mode for the PDGout context of your team:
configure
context <PDGout context of your team>

Step 2 Create a loopback interface that will be used for S2b purposes. This will
be the source address of GTP messages sent from the ePDG to the
PGW.
interface S2B-LOOP-x loopback (where x is
your team number)


Step 3 Within the interface configuration sub-mode, add an IP address and
mask. Use the following command and the table to add the correct
address for your team only:
ip address <address> <mask>
exit

Team  IPv4 Loopback Address/mask
1     192.168.4.221/32
2     192.168.4.223/32
3     192.168.4.225/32
4     192.168.4.227/32
5     192.168.4.229/32
6     192.168.4.231/32

Step 4 Using the table and commands below, create the low-level S2b interface
for your team. This is the interface through which traffic will flow to
get to the loopback address.

interface <interface name>

Team  S2b Interface Name
1     5/11-s2b
2     5/12-s2b
3     5/13-s2b
4     5/14-s2b
5     5/15-s2b
6     5/16-s2b


Step 5 Within the interface configuration sub-mode, configure the correct IP
address and subnet mask. Use the following command and the table to
add the correct address for your team only:
ip address <address> <mask>
exit
exit

Team  IPv4 address/mask
1     192.168.4.25/124
2     192.168.4.222/24
3     192.168.4.224/24
4     192.168.4.226/24
5     192.168.4.228/24
6     192.168.4.230/24

Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous steps to
the vlan tag. Use the portion of the table below that is relevant to your
team:
port ethernet <slot#/port#>
vlan 4
no shutdown
bind interface <logical int name> <logical
int context>
end

Team  Slot#/port #  Logical Int Name  Logical Int Context
1     5/11          5/11-s2b          PDGout-1
2     5/12          5/12-s2b          PDGout-2
3     5/13          5/13-s2b          PDGout-3
4     5/14          5/14-s2b          PDGout-4
5     5/15          5/15-s2b          PDGout-5
6     5/16          5/16-s2b          PDGout-6


Step 7 Verify your configuration by entering the following commands:
context <PDGout context of your team>
show ip interface summary (verify that all interfaces are up)


Task 5: Creating a DIAMETER Connection to the AAA Server

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 In the PDGin context, create a DIAMETER endpoint for access to the
3GPP AAA server. This endpoint will use the loopback address that you
created earlier in the lab:
config
context <PDGin context of your team>
diameter endpoint aaa-swm-teamx (where x is your team number)
origin realm cisco.com
use-proxy
origin host ASR5K-swm-teamx (where x is your team number) address <address of SWm loopback for your team from table below>
peer aaa-swm realm cisco.com address <peer address from table> port <port from table>
route-entry peer aaa-swm
exit

Team  IPv4 Loopback Address  SWm Peer Address  Port
1     135.2.214.1            135.2.214.21      4851
2     135.2.214.2            135.2.214.32      4852
3     135.2.214.3            135.2.214.23      4853
4     135.2.214.4            135.2.214.24      4854
5     135.2.214.5            135.2.214.25      4855
6     135.2.214.6            135.2.214.26      4856


Step 2 Within the default AAA group of the PDGin context, configure the
system to use the endpoint you just created:
aaa group default
diameter authentication dictionary aaa-
custom16
diameter authentication endpoint aaa-swm-
teamx (where x is your team number)
diameter authentication server aaa-swm
priority 1
end

Step 3 Verify that the DIAMETER connection is up:
context <PDGin context of your team>
show diameter peer full endpoint aaa-swm-teamx (where x is your team number)

Step 4 Verify that the State is ‘Open’ for each proxy server on each packet
service card (PSC).


Task 6: Configure an EAP Profile

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 Enter Global Configuration Mode and navigate into the ingress PDG
context of your team:
configure
context PDGin-x (where x is your team number)

Step 2 Create an Extensible Authentication Protocol (EAP) profile that will be
included in the Crypto Template (IPSec policy). This profile is going to
define EAP-AKA as the preferred authentication mechanism:
eap-profile eap-teamx (where x is your team number)
mode authenticator-pass-through
method eap-aka
end


Task 7: Configure IPSec Transforms and Crypto Template

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 Go into Global Configuration Mode and enter the context configuration
sub-mode:
configure
context PDGin-x (where x is your team number)

Step 2 Configure an IKE transform set. This will be used by the PDG during
the INIT phase of IPSec negotiation:
ikev2-ikesa transform-set ikev2-sa-set-1
encryption aes-cbc-128
prf sha1
hmac sha1-96
group 2
exit

Step 3 Configure an IPSec transform set. This will be used by the ePDG during
the AUTH phase of IPSec negotiation:
ipsec transform-set ipsec-set-1
encryption aes-cbc-128
hmac sha1-96
mode tunnel
exit


Step 4 Configure the crypto template. This will reference the authentication
profile, IKE transform set, and IPSec transform set that you just
created.
crypto template epdg-crypto-template-teamx
ikev2-dynamic (where x is your team number)
authentication remote eap-profile eap-
teamx (where x is your team number)
ikev2-ikesa transform-set list ikev2-sa-
set-1
ikev2-ikesa rekey
payload ipsec-sa-payload match childsa
match any
ipsec transform-set list ipsec-set-1
lifetime 3600
rekey keepalive
exit
nai use-received-idr
ikev2-ikesa policy error-notification
dos cookie-challenge notify-payload half-
open-sess-count start 2 stop 2
ikev2-ikesa keepalive-user-activity
end

Step 5 Use these commands to verify the transforms you just created.
context <ingress context of your team>
show crypto ipsec transform-set (you should see the IPsec transform set you created)
show crypto ikev2-ikesa transform-set (you should see the IKEv2 transform set that you created)


Task 8: Creating the ePDG Service

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 The ePDG service ties together many of the components you have
created up to this point. It will reference the IPSec crypto template and
loopback address. Enter Configuration Mode for the PDGin context of
your team:
configure
context PDGin-x (where x is your team
number)

Step 2 Create an ePDG service and bind it to the loopback interface you
configured earlier. Also note that you are telling the system to look for
a MAG service in the PDGout context:
epdg-service epdg-svc-x (where x is your team
number)
plmn id mcc 311 mnc 482
associate egtp-service egtp-svc-x (where x
is your team number)
dns-pgw selection topology
bind address <SWu loopback address> crypto-
template epdg-crypto-template-teamx (where x is
your team number)
end

Team  SWu Loopback Address
1     192.168.10.21
2     192.168.10.22
3     192.168.10.23
4     192.168.10.24
5     192.168.10.25
6     192.168.10.26

Step 3 Verify your service was created:
show service all
(verify that your service status is STARTED)


Task 9: Creating the GTP services

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the PDGout context of your team:
configure
context PDGout-x (where x is your team
number)

Step 2 Create the GTP service which is responsible for tunneling all traffic
(user and signaling) to the PGW:
gtpu-service gtpu-svc-x (where x is your team
number)
echo-interval 3600
no path-failure detection-policy
source-port standard
bind ipv4-address <IPv4 loopback address from
table>
exit

Team  IPv4 Loopback Address/mask
1     192.168.4.221
2     192.168.4.223
3     192.168.4.225
4     192.168.4.227
5     192.168.4.229
6     192.168.4.231


Step 3 Create the EGTP service which is responsible for generating and
parsing GTP signaling traffic:
egtp-service egtp-svc-x (where x is your team
number)
no gtpc path-failure detection-policy
interface-type interface-epdg-egress
associate gtpu-service gtpu-svc-x (where x is
your team number)
gtpc bind ipv4-address <IPv4 loopback address
from table>
end

Team  IPv4 Loopback Address/mask
1     192.168.4.221
2     192.168.4.223
3     192.168.4.225
4     192.168.4.227
5     192.168.4.229
6     192.168.4.231

Step 4 Verify your service was created:
show service all
(verify that your service status is STARTED)
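As an added offline check (example code written for this guide, not Cisco's or the lab's own tooling), the following Python parses a constructed team-1 snippet of the objects built in Tasks 7, 8 and 9 and verifies what `show service all` cannot tell you: that every object the ePDG, EGTP and GTPU services and the crypto template reference actually exists, that each bind address is a loopback of the same context, and that the transform-set primitives hold up against RFC 8247. The snippet, the two-space indentation convention and the weak-primitive table are assumptions of this example.

```python
"""Offline checks for the per-team ePDG build of Tasks 7 to 9 (added example, not
part of the Cisco lab guide): dangling references, binds with no loopback, weak crypto."""
import re
# Constructed team-1 snippet assembled from the lab tables (not a real saved config).
SAMPLE_CONFIG = """\
context PDGin-1
  interface AAA-SWU-LOOP-1 loopback
    ip address 192.168.10.21 255.255.255.255
  eap-profile eap-team1
  ikev2-ikesa transform-set ikev2-sa-set-1
    encryption aes-cbc-128
    prf sha1
    hmac sha1-96
    group 2
  ipsec transform-set ipsec-set-1
    encryption aes-cbc-128
    hmac sha1-96
  crypto template epdg-crypto-template-team1 ikev2-dynamic
    authentication remote eap-profile eap-team1
    ikev2-ikesa transform-set list ikev2-sa-set-1
    payload ipsec-sa-payload match childsa match any
      ipsec transform-set list ipsec-set-1
  epdg-service epdg-svc-1
    associate egtp-service egtp-svc-1
    bind address 192.168.10.21 crypto-template epdg-crypto-template-team1
context PDGout-1
  interface S2B-LOOP-1 loopback
    ip address 192.168.4.221 255.255.255.255
  gtpu-service gtpu-svc-1
    bind ipv4-address 192.168.4.221
  egtp-service egtp-svc-1
    associate gtpu-service gtpu-svc-1
    gtpc bind ipv4-address 192.168.4.221
"""
# (object kind, keyword before the reference, kind the referenced name must exist as)
REFERENCES = [
    ("crypto template", "eap-profile", "eap-profile"),
    ("crypto template", "ikev2-ikesa transform-set list", "ikev2-ikesa transform-set"),
    ("crypto template", "ipsec transform-set list", "ipsec transform-set"),
    ("epdg-service", "associate egtp-service", "egtp-service"),
    ("epdg-service", "crypto-template", "crypto template"),
    ("egtp-service", "associate gtpu-service", "gtpu-service"),
]
# (object kind, keyword before the address): the address must be a loopback of that context.
BINDS = [("epdg-service", "bind address"), ("gtpu-service", "bind ipv4-address"),
         ("egtp-service", "gtpc bind ipv4-address")]
# Lab transform-set lines that RFC 8247 rates SHOULD NOT (group 2) or treats as legacy.
WEAK_PRIMITIVES = {
    "group 2": "1024-bit MODP Diffie-Hellman; RFC 8247 rates it SHOULD NOT",
    "prf sha1": "SHA-1 PRF is legacy; prefer a SHA-2 PRF",
    "hmac sha1-96": "SHA-1 integrity is legacy; prefer a SHA-2 HMAC",
}

def parse(config):
    """Return {context: {object header: [attribute lines]}}; two spaces per level."""
    tree, ctx, obj = {}, None, None
    for raw in filter(str.strip, config.splitlines()):
        line, depth = raw.strip(), (len(raw) - len(raw.lstrip(" "))) // 2
        if depth == 0:            # "context NAME"
            ctx, obj = line.split()[1], None
            tree[ctx] = {}
        elif depth == 1:          # object header inside the context
            obj = line
            tree[ctx][obj] = []
        else:                     # attribute of the current object, any deeper level
            tree[ctx][obj].append(line)
    return tree

def objects(tree, kind):  # yield (context, name, attrs) of headers starting with kind
    for ctx, objs in tree.items():
        for header, attrs in objs.items():
            if header.startswith(kind + " "):
                yield ctx, header[len(kind) + 1:].split()[0], attrs

def token_after(attrs, key):  # first token following the keyword sequence `key`
    pat = re.compile(r"(?:^|\s)" + re.escape(key) + r"\s+(\S+)")
    return next((m.group(1) for m in map(pat.search, attrs) if m), None)

def check_references(tree):
    """Dangling references plus bind addresses that no loopback in that context carries."""
    problems = []
    for kind, key, target in REFERENCES:
        names = {n for _, n, _ in objects(tree, target)}
        for _, name, attrs in objects(tree, kind):
            if (ref := token_after(attrs, key)) not in names:
                problems.append(f"{kind} {name}: {target} {ref} not found")
    for kind, key in BINDS:
        for ctx, name, attrs in objects(tree, kind):
            loops = {token_after(a, "ip address")
                     for c, _, a in objects(tree, "interface") if c == ctx}
            if token_after(attrs, key) not in loops:
                problems.append(f"{kind} {name}: bind address is not a loopback in {ctx}")
    return problems

def check_crypto_strength(tree):
    """Transform-set lines listed in WEAK_PRIMITIVES, each with the reason."""
    return [f"{kind} {name}: {line}: {WEAK_PRIMITIVES[line]}"
            for kind in ("ikev2-ikesa transform-set", "ipsec transform-set")
            for _, name, attrs in objects(tree, kind)
            for line in attrs if line in WEAK_PRIMITIVES]
```

On the sample, `check_references` returns an empty list and `check_crypto_strength` flags the DH group and the SHA-1 lines; leaving the egtp-service association on another team's name (a half-edited "x") is reported as a dangling reference.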


Task 10: Creating a DNS Client

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the ingress context of your team:
configure
context PDGin-x (where x is your team
number)

Step 2 Create a DNS client that will send queries to the configured name
server. Bind it to the SWu loopback address from the table below:
ip domain-lookup
ip name-server 192.168.10.4
dns-client dns-callgen
bind address <SWu loopback>
end

Team  SWu Loopback Address
1     192.168.10.21
2     192.168.10.22
3     192.168.10.23
4     192.168.10.24
5     192.168.10.25
6     192.168.10.26


Task 11: Saving and Testing the Configuration

Activity Procedure
Complete these steps:
Step 1 Save your configuration. The name of your saved configuration file
should match that in the table below:
save config /flash/<config file name>
file sync

Team  Config File Name
1     epdg_team1.cfg
2     epdg_team2.cfg
3     epdg_team3.cfg
4     epdg_team4.cfg
5     epdg_team5.cfg
6     epdg_team6.cfg

Step 2 Ask your instructor to generate a test call.


Step 3 A user session should be anchored by the PGW. Since we have a PGW
configured on the same chassis, you should be able to see the session
from the PGW’s perspective. Use this command to verify that your
session is up on the PGW:
context local
show sub pgw-only all

Step 4 Use this command to see your session from the perspective of the
ePDG:
show sub epdg-only all


Step 5 After a test call has succeeded, prepare to capture another call using
the monitor subscriber command:
monitor subscriber next-call

a) In the protocol selection menu that appears, turn on the following
protocols by typing the appropriate number:
• 40 – IPSec IKE Subscriber
• 74 – EGTPC (this is ON by default)


b) Ask your instructor to generate another call. Look at the monitor
output and identify:
• The EAP authentication exchange
• The Create Session Request from the ePDG to the PGW

NOTE: When you capture the session setup, you will not see the initial
IPSec exchange (IKEv2_INIT_Req and IKEv2_INIT_RSP). This is because you
are tracing a new session, and the session does not technically exist until
after this exchange completes.
Step 6 For your reference, you can capture all packets involved using the
monitor protocol command. If you wish, prepare to capture another
session using this command:
monitor protocol

a) In the protocol selection menu that appears, turn on the following
protocols by typing the appropriate number:
• 40 – IPSec IKE Subscriber
• 74 – EGTPC protocol
• 75 – App Specific Diameter
• 8 – Diameter EAP/STa/S6a/s6d/S6b/S13/SWm
b) Type the letter ‘b’ to begin.
c) Confirm this by typing ‘y’ for Yes.
d) Use the ‘+’ key to raise the verbosity to level 2.


e) Ask your instructor to generate another call. Look at the monitor
output and identify:
• The initial IPSec IKE negotiation
• The EAP authentication exchange
• The GTP Create Session Request from the ePDG to the PGW
Step 7 Save this capture for later reference.
Step 8 This completes the lab.

Lab 3: Configuring ePDG Operation on
Cisco vPC-DI (GTP Connection
to PGW)

Description
The ePDG configuration that you are going to build is illustrated below. The following
instructions show you how this is put together, piece by piece.

Visual Objective

Activity Objective
In this activity, you will learn how to build the configuration shown above.
Cisco Learning Services (www.cisco.com/go/cls) Configuring ePDG Operation on Cisco vPC-DI (GTP
Connection to PGW)

Task 1: Creating Contexts


In this exercise, your team is going to configure everything within two contexts.

Task Data
The table below lists the names of the contexts, depending on your team number. Use this
table and the directions below to create the correct contexts.

Team  Ingress Context  Egress Context
1     PDGin-1          PDGout-1
2     PDGin-2          PDGout-2
3     PDGin-3          PDGout-3
4     PDGin-4          PDGout-4
5     PDGin-5          PDGout-5
6     PDGin-6          PDGout-6


Activity Procedure
Complete these steps:
Step 1 Verify that you are at the Exec mode prompt and in the local context.
Enter global configuration mode and create the PDGin context for your
team:
config
context PDGin-x (where x is your team number)

Step 2 After confirming the context creation, you are placed into the context
configuration sub-mode. Exit this mode so you can create another
context:
exit

Step 3 Create the egress context for your team:
context PDGout-x (where x is your team number)
end

Step 4 Verify that your contexts were successfully created:
show context


Task 2: Configuring the IPv4 SWu Interface on the ePDG

Activity Procedure
Complete these steps:
Step 1 It is through the SWu interface that the WLAN-connected UE initially
contacts the ePDG. Go into context configuration sub-mode for the
ingress context:
configure
context <PDGin context of your team>

Step 2 Create a loopback interface that will be bound to the ePDG service.
From the UE’s perspective, this will be the address to which it forms an
IPSec tunnel.

interface AAA-SWU-LOOP-x loopback (where x is your team number)
ip address <address> <mask>
exit

Team  AAA SWU Loopback IP Address/mask
1     192.168.10.21/32
2     192.168.10.22/32
3     192.168.10.23/32
4     192.168.10.24/32
5     192.168.10.25/32
6     192.168.10.26/32


Step 3 Using the table and commands below, create the low-level SWu
interface for your team. It is through this interface that the UE will be
attempting to connect to the loopback address.

interface <interface name>

Team  SWu Interface Name
1     11/11-swu
2     12/11-swu
3     13/11-swu
4     14/11-swu
5     15/11-swu
6     16/11-swu

Step 4 Within the interface configuration sub-mode, configure the correct IP
address and subnet mask. Also, create a default route in this context.
Use the following command and the table to add the correct address for
your team only:
ip address <address> <mask>
exit
ip route 0.0.0.0/0 next-hop 192.168.10.4 <swu interface name from table above>
exit


Team IP address/mask
1 192.168.10.141/24
2 192.168.10.142/24
3 192.168.10.143/24
4 192.168.10.144/24
5 192.168.10.145/24
6 192.168.10.146/24

Step 5 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag on the port. Use the portion of the table below that is relevant
to your team number:
port ethernet <slot#/port#>
description <port description>
no shutdown
vlan 10
no shutdown
bind interface <logical int name> <logical interface context>
end

Team Slot#/port# Port Description Logical Int Name Logical Int Context
1 11/11 “Team 1 In” 11/11-swu PDGin-1
2 12/11 “Team 2 In” 12/11-swu PDGin-2
3 13/11 “Team 3 In” 13/11-swu PDGin-3
4 14/11 “Team 4 In” 14/11-swu PDGin-4
5 15/11 “Team 5 In” 15/11-swu PDGin-5
6 16/11 “Team 6 In” 16/11-swu PDGin-6


Step 6 Verify your configuration by entering the following commands. All
interfaces should have a state of UP.
context <PDGin context of your team>
show ip interface summary


Task 3: Configuring the IPv4 SWm Interface on the ePDG

Activity Procedure
Complete these steps:
Step 1 The SWm interface connects the ePDG to the AAA server. Enter Global
Configuration Mode and then go into the context configuration sub-
mode for the ingress context:
configure
context <PDGin context of your team>

Step 2 Create a loopback interface that will be used as the source address for
communication with the 3GPP AAA server.

interface AAA-SWM-LOOP-x loopback (where x is your team number)


Step 3 Within the interface configuration sub-mode, set the loopback IP
address and subnet mask. Use the following to add the correct address
for your team only:
ip address <address> <mask>
exit

Team AAA SWM Loopback IP Address/mask
1 135.2.214.1/32
2 135.2.214.2/32
3 135.2.214.3/32
4 135.2.214.4/32
5 135.2.214.5/32
6 135.2.214.6/32

Step 4 Using the table and commands below, create the low-level SWm
interface for your team.

interface <SWm interface name>

Team SWm Interface Name
1 11/11-swm
2 12/11-swm
3 13/11-swm
4 14/11-swm
5 15/11-swm
6 16/11-swm


Step 5 Within the interface configuration sub-mode, configure the correct IP
address and subnet mask. Use the following command and the table to
add the correct address for your team only:
ip address <address> <mask>
exit
exit

Team IP address/mask
1 135.2.214.111/24
2 135.2.214.112/24
3 135.2.214.113/24
4 135.2.214.114/24
5 135.2.214.115/24
6 135.2.214.116/24

Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag. Use the portion of the table below that is relevant to your
team number:
port ethernet <slot#/port#>
vlan 214
no shutdown
bind interface <logical int name> <logical int context>
end

Team Slot#/port# Logical Int Name Logical Int Context
1 11/11 11/11-swm PDGin-1
2 12/11 12/11-swm PDGin-2
3 13/11 13/11-swm PDGin-3
4 14/11 14/11-swm PDGin-4
5 15/11 15/11-swm PDGin-5
6 16/11 16/11-swm PDGin-6


Step 7 Verify your configuration by entering the following commands. All
interfaces should have a state of UP.
context <PDGin context of your team>
show ip interface summary


Task 4: Configuring the S2b IPV4 GTP Interface on the ePDG

Activity Procedure
Complete these steps:
Step 1 This interface connects the ePDG to the PGW, through an IPv4 tunnel.
Enter Global Configuration Mode, and then the Context Configuration
sub-mode for the PDGout context of your team:
configure
context <PDGout context of your team>

Step 2 Create a loopback interface that will be used for S2b purposes. This will
be the source address of GTP messages sent from the ePDG to the
PGW.
interface S2B-LOOP-x loopback (where x is your team number)


Step 3 Within the interface configuration sub-mode, add an IP address and
mask. Use the following command and the table to add the correct
address for your team only:
ip address <address> <mask>
exit

Team IPv4 Loopback Address/mask
1 192.168.4.221/32
2 192.168.4.223/32
3 192.168.4.225/32
4 192.168.4.227/32
5 192.168.4.229/32
6 192.168.4.231/32

Step 4 Using the table and commands below, create the low-level S2b interface
for your team. This is the interface through which traffic will flow to
get to the loopback address.

interface <interface name>

Team S2b Interface Name
1 11/12-s2b
2 12/12-s2b
3 13/12-s2b
4 14/12-s2b
5 15/12-s2b
6 16/12-s2b


Step 5 Within the interface configuration sub-mode, configure the correct IP
address and subnet mask. Use the following command and the table to
add the correct address for your team only:
ip address <address> <mask>
exit
exit

Team IPv4 address/mask
1 192.168.4.220/24
2 192.168.4.222/24
3 192.168.4.224/24
4 192.168.4.226/24
5 192.168.4.228/24
6 192.168.4.230/24

Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous steps to
the vlan tag. Use the portion of the table below that is relevant to your
team:
port ethernet <slot#/port#>
vlan 4
no shutdown
bind interface <logical int name> <logical int context>
end

Team Slot#/port# Logical Int Name Logical Int Context
1 11/12 11/12-s2b PDGout-1
2 12/12 12/12-s2b PDGout-2
3 13/12 13/12-s2b PDGout-3
4 14/12 14/12-s2b PDGout-4
5 15/12 15/12-s2b PDGout-5
6 16/12 16/12-s2b PDGout-6


Step 7 Verify your configuration by entering the following commands:
context <PDGout context of your team>
show ip interface summary (verify that all interfaces are up)


Task 5: Creating a DIAMETER Connection to the AAA Server

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 In the PDGin context, create a DIAMETER endpoint for access to the
3GPP AAA server. This endpoint will use the loopback address that you
created earlier in the lab:
config
context <PDGin context of your team>
diameter endpoint aaa-swm-teamx (where x is your team number)
origin realm cisco.com
use-proxy
origin host ASR5K-swm-teamx (where x is your team number) address <address of SWm loopback for your team from table below>
peer aaa-swm realm cisco.com address <peer address from table> port <port from table>
route-entry peer aaa-swm
exit

NOTE: the peer connection is made from the SWm loopback to the AAA server without any transport protection (no TLS or IPsec is configured on this endpoint). In a production network the SWm link is either confined to a protected core network or carried over NDS/IP (IPsec) as described in 3GPP TS 33.210; in the lab it is left unprotected.

Team IPv4 SWm Loopback Address Peer Address Port
1 135.2.214.1 135.2.214.21 4851
2 135.2.214.2 135.2.214.22 4852
3 135.2.214.3 135.2.214.23 4853
4 135.2.214.4 135.2.214.24 4854
5 135.2.214.5 135.2.214.25 4855
6 135.2.214.6 135.2.214.26 4856


Step 2 Within the default AAA group of the PDGin context, configure the
system to use the endpoint you just created:
aaa group default
diameter authentication dictionary aaa-custom16
diameter authentication endpoint aaa-swm-teamx (where x is your team number)
diameter authentication server aaa-swm priority 1
end

Step 3 Verify that the DIAMETER connection is up:
context <PDGin context of your team>
show diameter peer full endpoint aaa-swm-teamx (where x is your team number)

Step 4 Verify that the State is 'Open' for every proxy instance listed. Because
the endpoint was configured with use-proxy, the Diameter proxy process on each
packet processing card (a packet service card, PSC, on the ASR 5000; a service
function VM on vPC-DI) maintains its own connection to the peer, so each of
them must show Open before authentication can succeed from any card.


Task 6: Configure an EAP Profile

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 Enter Global Configuration Mode and navigate into the ingress PDG
context of your team:
configure
context PDGin-x (where x is your team number)

Step 2 Create an Extensible Authentication Protocol (EAP) profile that will be
included in the Crypto Template (IPSec policy). This profile is going to
define EAP-AKA as the preferred authentication mechanism. In
authenticator-pass-through mode the ePDG does not terminate EAP itself: it
relays the EAP-AKA messages between the UE (carried inside IKE_AUTH) and the
3GPP AAA server (carried inside Diameter DER/DEA over SWm). The AKA
credentials therefore stay in the AAA/HSS, and the ePDG only receives the
resulting MSK, which it uses for the IKEv2 AUTH computation:
eap-profile eap-teamx (where x is your team number)
mode authenticator-pass-through
method eap-aka
end


Task 7: Configure IPSec Transforms and Crypto Template

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 Go into Global Configuration Mode and enter the context configuration
sub-mode:
configure
context PDGin-x (where x is your team number)

Step 2 Configure an IKEv2 SA transform set. This will be used by the ePDG during
the IKE_SA_INIT exchange of IPSec negotiation:
ikev2-ikesa transform-set ikev2-sa-set-1
encryption aes-cbc-128
prf sha1
hmac sha1-96
group 2
exit

Step 3 Configure an IPSec transform set. This will be used by the ePDG during
the IKE_AUTH exchange, where the child (IPSec) SA is negotiated:
ipsec transform-set ipsec-set-1
encryption aes-cbc-128
hmac sha1-96
mode tunnel
exit

NOTE: group 2 is the 1024-bit MODP Diffie-Hellman group, and sha1 is used for
both the PRF and integrity. These are lab values chosen to match the test UE.
RFC 8247 rates 1024-bit MODP as SHOULD NOT for IKEv2, so a production ePDG
would normally offer group 14 or stronger and SHA-2 based transforms, as far
as the UE population supports them.


Step 4 Configure the crypto template. This will reference the authentication
profile, IKE transform set, and IPSec transform set that you just
created.
crypto template epdg-crypto-template-teamx ikev2-dynamic (where x is your team number)
authentication remote eap-profile eap-teamx (where x is your team number)
ikev2-ikesa transform-set list ikev2-sa-set-1
ikev2-ikesa rekey
payload ipsec-sa-payload match childsa match any
ipsec transform-set list ipsec-set-1
lifetime 3600
rekey keepalive
exit
nai use-received-idr
ikev2-ikesa policy error-notification
dos cookie-challenge notify-payload half-open-sess-count start 2 stop 2
ikev2-ikesa keepalive-user-activity
end

The dos cookie-challenge line enables the IKEv2 cookie mechanism (RFC 7296,
section 2.6): once the number of half-open IKE SAs reaches the start threshold,
the ePDG answers new IKE_SA_INIT requests with a COOKIE notification instead of
allocating state, and only initiators that retry with the cookie receive a
real IKE_SA_INIT response. The thresholds here (start 2, stop 2) mean the
challenge is triggered after only two half-open sessions, which makes it easy
to observe in the lab.

Step 5 Use these commands to verify the transforms you just created.
context <ingress context of your team>
show crypto ipsec transform-set (you should see the IPsec transform set you created)
show crypto ikev2-ikesa transform-set (you should see the IKEv2 transform set that you created)
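The transform sets in Steps 2 and 3 are what a security reviewer looks at first on an ePDG. The script below is an added example, not part of the Cisco lab guide: it parses StarOS-style transform-set blocks into a policy and flags algorithms that a current IKEv2 baseline (roughly RFC 8247) no longer recommends, placing the lab set beside a hardened counterpart. The hardened keyword spellings (aes-cbc-256, prf sha2-256, hmac sha2-256-128, group 14) are assumed; confirm them with the CLI help on your software release before using them, and keep the lab values for this course so that the test UE can still negotiate.

```python
# IKEv2 / IPsec transform-set audit for StarOS-style configuration blocks.
# Added example; not from the Cisco lab guide. Standard library only.
import re
from typing import Dict, List

# Weak values per transform keyword. Keys are StarOS keywords; the mapping to
# a baseline is the author's reading of RFC 8247, not a Cisco recommendation.
WEAK = {
    "encryption": {"des-cbc": "56-bit DES", "3des-cbc": "3DES (64-bit block)",
                   "null": "no confidentiality"},
    "prf": {"md5": "MD5 PRF", "sha1": "SHA-1 PRF"},
    "hmac": {"md5-96": "MD5 integrity", "sha1-96": "SHA-1 integrity"},
    "group": {"1": "768-bit MODP (group 1)", "2": "1024-bit MODP (group 2)",
              "5": "1536-bit MODP (group 5)"},
}
MIN_GROUP = 14  # 2048-bit MODP is the smallest group rated MUST in RFC 8247


def parse_transform_sets(config: str) -> Dict[str, Dict[str, str]]:
    """Map transform-set name -> {keyword: value} for the two block types an
    ePDG uses: 'ikev2-ikesa transform-set NAME' and 'ipsec transform-set NAME'.
    Nested lines are keyed on their first word; 'exit' closes the block."""
    sets: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(ikev2-ikesa|ipsec)\s+transform-set\s+(\S+)$", line)
        if m:
            current = m.group(2)
            sets[current] = {"_kind": m.group(1)}
            continue
        if line == "exit":
            current = None
            continue
        if current is not None:
            key, _, value = line.partition(" ")
            sets[current][key] = value.strip()
    return sets


def audit(ts: Dict[str, str]) -> List[str]:
    """Return findings for one parsed transform set; empty list == acceptable."""
    findings: List[str] = []
    for key, table in WEAK.items():
        val = ts.get(key)
        if val in table:
            findings.append(f"{key} {val}: {table[val]}")
    if ts["_kind"] == "ikev2-ikesa":
        for key in ("encryption", "prf", "hmac", "group"):
            if key not in ts:
                findings.append(f"missing {key} (chassis default will be used)")
        grp = ts.get("group")
        if grp and grp.isdigit() and int(grp) < MIN_GROUP and grp not in WEAK["group"]:
            findings.append(f"group {grp}: below 2048-bit MODP")
    elif ts.get("mode") != "tunnel":
        # 3GPP TS 33.402 requires ESP tunnel mode on SWu.
        findings.append("mode is not tunnel (SWu requires tunnel mode)")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    return {name: audit(ts) for name, ts in parse_transform_sets(config).items()}


# Lab values exactly as configured in Task 7.
LAB_CONFIG = """
ikev2-ikesa transform-set ikev2-sa-set-1
 encryption aes-cbc-128
 prf sha1
 hmac sha1-96
 group 2
exit
ipsec transform-set ipsec-set-1
 encryption aes-cbc-128
 hmac sha1-96
 mode tunnel
exit
"""

# Hardened counterpart. Keyword spellings are assumed; verify with CLI help.
HARDENED_CONFIG = """
ikev2-ikesa transform-set ikev2-sa-set-2
 encryption aes-cbc-256
 prf sha2-256
 hmac sha2-256-128
 group 14
exit
ipsec transform-set ipsec-set-2
 encryption aes-cbc-256
 hmac sha2-256-128
 mode tunnel
exit
"""

if __name__ == "__main__":
    for name, found in {**audit_config(LAB_CONFIG), **audit_config(HARDENED_CONFIG)}.items():
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

Run against the lab values the IKE set is flagged three times (SHA-1 PRF, SHA-1 integrity, group 2) and the IPsec set once (SHA-1 integrity); the hardened sets produce no findings. Feed it the output of `show configuration` from the ingress context to audit what is actually on the chassis rather than what the lab sheet says.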


Task 8: Creating the ePDG Service

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 The ePDG service ties together many of the components you have
created up to this point. It will reference the IPSec crypto template and
loopback address. Enter Configuration Mode for the PDGin context of
your team:
configure
context PDGin-x (where x is your team
number)

Step 2 Create an ePDG service and bind it to the loopback interface you
configured earlier. Also note that the service is associated with an EGTP
service (egtp-svc-x) that does not exist yet; you create it in the PDGout
context in Task 9:
epdg-service epdg-svc-x (where x is your team number)
plmn id mcc 311 mnc 482
associate egtp-service egtp-svc-x (where x is your team number)
dns-pgw selection topology
bind address <SWu loopback address> crypto-template epdg-crypto-template-teamx (where x is your team number)
end

Team SWu Loopback Address
1 192.168.10.21
2 192.168.10.22
3 192.168.10.23
4 192.168.10.24
5 192.168.10.25
6 192.168.10.26

Step 3 Verify your service was created:
show service all (verify that your service status is STARTED)


Task 9: Creating the GTP Services

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the PDGout context of your team:
configure
context PDGout-x (where x is your team
number)

Step 2 Create the GTP-U service which is responsible for tunneling all user
traffic to the PGW:
gtpu-service gtpu-svc-x (where x is your team number)
echo-interval 3600
no path-failure detection-policy
source-port standard
bind ipv4-address <IPv4 loopback address from table>
exit

NOTE: with path-failure detection disabled and a one-hour echo interval, the
ePDG will not act on a PGW that stops answering GTP echo requests, so lab
sessions stay up regardless of the PGW's state. A production configuration
normally leaves path-failure detection enabled.

Team IPv4 Loopback Address
1 192.168.4.221
2 192.168.4.223
3 192.168.4.225
4 192.168.4.227
5 192.168.4.229
6 192.168.4.231


Step 3 Create the EGTP service which is responsible for generating and
parsing GTP signaling traffic:
egtp-service egtp-svc-x (where x is your team number)
no gtpc path-failure detection-policy
interface-type interface-epdg-egress
associate gtpu-service gtpu-svc-x (where x is your team number)
gtpc bind ipv4-address <IPv4 loopback address from table>
end

Team IPv4 Loopback Address
1 192.168.4.221
2 192.168.4.223
3 192.168.4.225
4 192.168.4.227
5 192.168.4.229
6 192.168.4.231

Step 4 Verify your service was created:
show service all (verify that your service status is STARTED)


Task 10: Creating a DNS Client

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the ingress context of your team:
configure
context PDGin-x (where x is your team
number)

Step 2 Create a DNS client that will send queries to the configured name
server, and bind it to the SWu loopback address from the table below. The
ePDG service uses this client for the DNS-based PGW selection you enabled
in Task 8 (dns-pgw selection topology):
ip domain-lookup
ip name-server 192.168.10.4
dns-client dns-callgen
bind address <SWu loopback>
end

Team SWu Loopback Address
1 192.168.10.21
2 192.168.10.22
3 192.168.10.23
4 192.168.10.24
5 192.168.10.25
6 192.168.10.26


Task 11: Saving and Testing the Configuration

Activity Procedure
Complete these steps:
Step 1 Save your configuration. The name of your saved configuration file
should match that in the table below:
save config /flash/<config file name>
file sync

Team Config File Name
1 epdg_team1.cfg
2 epdg_team2.cfg
3 epdg_team3.cfg
4 epdg_team4.cfg
5 epdg_team5.cfg
6 epdg_team6.cfg

Step 2 Ask your instructor to generate a test call.


Step 3 A user session should be anchored by the PGW. Since we have a PGW
configured on the same chassis, you should be able to see the session
from the PGW’s perspective. Use this command to verify that your
session is up on the PGW:
context local
show sub pgw-only all

Step 4 Use this command to see your session from the perspective of the
ePDG:
show sub epdg-only all


Step 5 After a test call has succeeded, prepare to capture another call using
the monitor subscriber command:
monitor subscriber next-call

a) In the protocol selection menu that appears, turn on the following
protocols by typing the appropriate number:
- 40 – IPSec IKE Subscriber
- 74 – EGTPC (this is ON by default)
b) Ask your instructor to generate another call. Look at the monitor
output and identify:
- The EAP authentication exchange
- The Create Session Request from the ePDG to the PGW

NOTE: when you capture the session setup, you will not see the initial
IPSec exchange (IKEv2_INIT_Req and IKEv2_INIT_RSP). This is because you
are tracing a new session, and the session does not technically exist until
after this exchange completes.
Step 6 For your reference, you can capture all packets involved using the
monitor protocol command. If you wish, prepare to capture another
session using this command:
monitor protocol

a) In the protocol selection menu that appears, turn on the following
protocols by typing the appropriate number:
- 40 – IPSec IKE Subscriber
- 74 – EGTPC protocol
- 75 – App Specific Diameter
- 8 – Diameter EAP/STa/S6a/s6d/S6b/S13/SWm
b) Type the letter ‘b’ to begin.
c) Confirm this by typing ‘y’ for Yes.
d) Use the ‘+’ key to raise the verbosity to level 2.


e) Ask your instructor to generate another call. Look at the monitor
output and identify:
- The initial IPSec IKE negotiation
- The EAP authentication exchange
- The GTP Create Session Request from the ePDG to the PGW
Step 7 Save this capture for later reference.
Step 8 This completes the lab.
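The monitor output in Steps 5 and 6 shows one call as a sequence of messages on three interfaces: IKEv2 on SWu, Diameter DER/DEA on SWm and GTPv2-C Create Session Request/Response on S2b, with the EAP-AKA exchange relayed between the first two (Task 6) and the IKEv2 cookie challenge from Task 7 sitting in front of all of it. The script below is an added example, not from the Cisco lab guide, that models that sequence so the trace can be studied without a chassis. The AAA server and PGW are in-memory stubs, an HMAC challenge stands in for the real EAP-AKA algorithms, the cookie challenge is modelled with the start threshold only (no stop hysteresis), and the IMSI, NAI realm, subscriber key and UE address pool are constructed values. Because the trace records the session id of each message, it also shows why a session-scoped trace (monitor subscriber next-call) never contains IKE_SA_INIT: those lines have no session id yet.

```python
# Message-level model of the ePDG session setup traced in Task 11, including
# the IKEv2 cookie challenge configured in Task 7. Added example, not from the
# Cisco lab guide: AAA and PGW are stubs; HMAC stands in for EAP-AKA.
import hashlib
import hmac
import ipaddress
import os
from typing import Optional, Tuple


class Trace(list):
    """(interface, session_id, direction, message) tuples, like a monitor log."""
    def log(self, iface: str, sid: Optional[int], direction: str, msg: str) -> None:
        self.append((iface, sid, direction, msg))


class AAAStub:
    """3GPP AAA stand-in: owns subscriber keys and answers DER with DEA."""
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers          # NAI -> shared key (constructed)
        self.challenges = {}
    def der(self, nai: str, eap_response: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        key = self.subscribers.get(nai)
        if key is None:
            return "failure", None
        if eap_response is None:                # first DER: issue a challenge
            rand = os.urandom(16)
            self.challenges[nai] = rand
            return "challenge", rand
        expected = hmac.new(key, self.challenges.pop(nai, b""), hashlib.sha256).digest()
        return ("success" if hmac.compare_digest(expected, eap_response) else "failure"), None


class PGWStub:
    """Answers Create Session Request by allocating the next address of a pool."""
    def __init__(self, pool: str = "10.45.0.0/24"):   # constructed UE pool
        self.hosts = ipaddress.ip_network(pool).hosts()
    def create_session(self, imsi: str, apn: str) -> dict:
        return {"cause": "accepted", "paa": str(next(self.hosts)), "apn": apn}


class EPDG:
    def __init__(self, aaa: AAAStub, pgw: PGWStub, trace: Trace, cookie_start: int = 2):
        self.aaa, self.pgw, self.trace = aaa, pgw, trace
        self.cookie_start = cookie_start        # 'half-open-sess-count start'
        self.secret = os.urandom(16)            # a real implementation rotates this
        self.half_open = {}                     # sid -> peer of unfinished IKE SAs
        self.next_sid = 1

    def _cookie(self, peer: str) -> bytes:      # stateless: derived, not stored
        return hmac.new(self.secret, peer.encode(), hashlib.sha256).digest()[:8]

    def ike_sa_init(self, peer: str, cookie: Optional[bytes] = None):
        # No session exists yet, so these lines carry no session id (sid=None).
        self.trace.log("SWu", None, "->", f"IKE_SA_INIT request from {peer}")
        valid = cookie is not None and hmac.compare_digest(cookie, self._cookie(peer))
        if len(self.half_open) >= self.cookie_start and not valid:
            self.trace.log("SWu", None, "<-", "IKE_SA_INIT response N(COOKIE)")
            return "COOKIE", None, self._cookie(peer)
        sid, self.next_sid = self.next_sid, self.next_sid + 1
        self.half_open[sid] = peer
        self.trace.log("SWu", sid, "<-", "IKE_SA_INIT response (SA, KE, Nr)")
        return "INIT_OK", sid, None

    def ike_auth(self, sid: int, nai: str, ue_key: bytes, apn: str = "ims") -> dict:
        # authenticator-pass-through: EAP is relayed between IKE_AUTH and SWm.
        self.trace.log("SWu", sid, "->", f"IKE_AUTH request IDi={nai} (no AUTH payload: EAP)")
        kind, rand = self.aaa.der(nai)
        self.trace.log("SWm", sid, "<->", f"DER/DEA: EAP-{kind}")
        if kind != "challenge":
            return self._fail(sid, "unknown subscriber")
        self.trace.log("SWu", sid, "<-", "IKE_AUTH response EAP-Request (challenge)")
        response = hmac.new(ue_key, rand, hashlib.sha256).digest()  # the UE's computation
        self.trace.log("SWu", sid, "->", "IKE_AUTH request EAP-Response")
        kind, _ = self.aaa.der(nai, response)
        self.trace.log("SWm", sid, "<->", f"DER/DEA: EAP-{kind}")
        if kind != "success":
            return self._fail(sid, "EAP authentication failed")
        imsi = nai.split("@")[0][1:]            # EAP-AKA root NAI is '0' + IMSI
        csr = self.pgw.create_session(imsi, apn)
        self.trace.log("S2b", sid, "->", f"GTPv2 Create Session Request IMSI={imsi} APN={apn}")
        self.trace.log("S2b", sid, "<-", f"Create Session Response cause={csr['cause']} PAA={csr['paa']}")
        self.half_open.pop(sid)                 # the IKE SA is now fully established
        self.trace.log("SWu", sid, "<-", f"IKE_AUTH response AUTH + CFG_REPLY({csr['paa']})")
        return {"state": "established", "ue_address": csr["paa"]}

    def _fail(self, sid: int, reason: str) -> dict:
        self.half_open.pop(sid)
        self.trace.log("SWu", sid, "<-", f"IKE_AUTH response N(AUTHENTICATION_FAILED): {reason}")
        return {"state": "failed", "reason": reason}


NAI = "0311482000000001@nai.epc.mnc482.mcc311.3gppnetwork.org"  # constructed IMSI


def demo():
    trace = Trace()
    key = hashlib.sha256(b"lab-subscriber-key").digest()         # constructed key
    epdg = EPDG(AAAStub({NAI: key}), PGWStub(), trace)
    for peer in ("192.168.10.201", "192.168.10.202"):            # two SAs left half-open
        epdg.ike_sa_init(peer)
    kind, _, cookie = epdg.ike_sa_init("192.168.10.203")        # third one is challenged
    assert kind == "COOKIE"
    _, sid, _ = epdg.ike_sa_init("192.168.10.203", cookie=cookie)
    return epdg.ike_auth(sid, NAI, key), trace


if __name__ == "__main__":
    result, trace = demo()
    for iface, sid, direction, msg in trace:
        print(f"{iface:4} sid={sid!s:5} {direction:3} {msg}")
    print(result)
```

Filtering the trace on one session id reproduces what monitor subscriber shows: the IKE_AUTH, DER/DEA and Create Session lines, but not the IKE_SA_INIT request and response, which were logged before a session id existed. A failed EAP exchange or an unknown NAI ends with an AUTHENTICATION_FAILED notification and removes the half-open SA, which is what keeps the cookie threshold from being consumed by failed attempts.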

Lab 4: Configuring the ASR 5000 for
ePDG Operation

Description
The ePDG configuration that you are going to build is illustrated below. The following
instructions show you how this is put together, piece by piece.

Visual Objective

Activity Objective
In this activity, you will learn how to build the configuration shown above.

Task 1: Creating Contexts

In this exercise, your team is going to configure everything within two contexts.

Task Data
The table below lists the names of the contexts, depending on your team number. Use this
table and the directions below to create the correct contexts.

Team Ingress Context Egress Context
1 PDGin-1 PDGout-1
2 PDGin-2 PDGout-2
3 PDGin-3 PDGout-3
4 PDGin-4 PDGout-4
5 PDGin-5 PDGout-5
6 PDGin-6 PDGout-6


Activity Procedure
Complete these steps:
Step 1 Verify that you are at the Exec mode prompt and in the local context.
Enter global configuration mode and create the PDGin context for your
team:
config
context PDGin-x (where x is your team number)

Step 2 After confirming the context creation, you are placed into the context
configuration sub-mode. Exit this mode so you can create another
context:
exit

Step 3 Create the egress context for your team:
context PDGout-x (where x is your team number)
end

Step 4 Verify that your contexts were successfully created:
show context


Task 2: Configuring the IPv4 SWu Interface on the ePDG

Activity Procedure
Complete these steps:
Step 1 It is through the SWu interface that the WLAN-connected UE initially
contacts the ePDG. Go into context configuration sub-mode for the
ingress context:
configure
context <PDGin context of your team>

Step 2 Create a loopback interface that will be bound to the ePDG service.
From the UE’s perspective, this will be the address to which it forms an
IPSec tunnel.

interface AAA-SWU-LOOP-x loopback (where x is your team number)
ip address <address> <mask>
exit

Team AAA SWU Loopback IP Address/mask
1 192.168.10.21/32
2 192.168.10.22/32
3 192.168.10.23/32
4 192.168.10.24/32
5 192.168.10.25/32
6 192.168.10.26/32


Step 3 Using the table and commands below, create the low-level SWu
interface for your team. It is through this interface that the UE will be
attempting to connect to the loopback address.

interface <interface name>

Team SWu Interface Name
1 20/1-swu
2 20/2-swu
3 20/3-swu
4 20/4-swu
5 20/5-swu
6 20/6-swu

Step 4 Within the interface configuration sub-mode, configure the correct IP
address and subnet mask. Also, create a default route in this context.
Use the following command and the table to add the correct address for
your team only:
ip address <address> <mask>
exit
ip route 0.0.0.0/0 next-hop 192.168.10.4 <swu interface name from table above>
exit

Team IP address/mask
1 192.168.10.141/24
2 192.168.10.142/24
3 192.168.10.143/24
4 192.168.10.144/24
5 192.168.10.145/24
6 192.168.10.146/24


Step 5 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag on the port. Use the portion of the table below that is relevant
to your team number:
port ethernet <slot#/port#>
description <port description>
no shutdown
vlan 10
no shutdown
bind interface <logical int name> <logical interface context>
end

Team Slot#/port# Port Description Logical Int Name Logical Int Context
1 20/1 “Team 1 In” 20/1-swu PDGin-1
2 20/2 “Team 2 In” 20/2-swu PDGin-2
3 20/3 “Team 3 In” 20/3-swu PDGin-3
4 20/4 “Team 4 In” 20/4-swu PDGin-4
5 20/5 “Team 5 In” 20/5-swu PDGin-5
6 20/6 “Team 6 In” 20/6-swu PDGin-6

Step 6 Verify your configuration by entering the following commands. All
interfaces should have a state of UP.
context <PDGin context of your team>
show ip interface summary


Task 3: Configuring the IPv4 SWm Interface on the ePDG

Activity Procedure
Complete these steps:
Step 1 The SWm interface connects the ePDG to the AAA server. Enter Global
Configuration Mode and then go into the context configuration sub-
mode for the ingress context:
configure
context <PDGin context of your team>

Step 2 Create a loopback interface that will be used as the source address for
communication with the 3GPP AAA server.

interface AAA-SWM-LOOP-x loopback (where x is your team number)


Step 3 Within the interface configuration sub-mode, set the loopback IP
address and subnet mask. Use the following to add the correct address
for your team only:
ip address <address> <mask>
exit

Team AAA SWM Loopback IP Address/mask
1 135.2.214.1/32
2 135.2.214.2/32
3 135.2.214.3/32
4 135.2.214.4/32
5 135.2.214.5/32
6 135.2.214.6/32

Step 4 Using the table and commands below, create the low-level SWm
interface for your team.

interface <SWm interface name>

Team SWm Interface Name
1 20/1-swm
2 20/2-swm
3 20/3-swm
4 20/4-swm
5 20/5-swm
6 20/6-swm


Step 5 Within the interface configuration sub-mode, configure the correct IP
address and subnet mask. Use the following command and the table to
add the correct address for your team only:
ip address <address> <mask>
exit
exit

Team IP address/mask
1 135.2.214.111/24
2 135.2.214.112/24
3 135.2.214.113/24
4 135.2.214.114/24
5 135.2.214.115/24
6 135.2.214.116/24

Step 6 Configure the physical port and vlan that the interface will use. This
includes binding the logical interface created in the previous step to the
vlan tag. Use the portion of the table below that is relevant to your
team number:
port ethernet <slot#/port#>
vlan 214
no shutdown
bind interface <logical int name> <logical int context>
end

Team Slot#/port# Logical Int Name Logical Int Context
1 20/1 20/1-swm PDGin-1
2 20/2 20/2-swm PDGin-2
3 20/3 20/3-swm PDGin-3
4 20/4 20/4-swm PDGin-4
5 20/5 20/5-swm PDGin-5
6 20/6 20/6-swm PDGin-6


Step 7 Verify your configuration by entering the following commands. All
interfaces should have a state of UP.
context <PDGin context of your team>
show ip interface summary


Task 4: Configuring the S2b IPv6 PMIP Interface on the ePDG

Activity Procedure
Complete these steps:
Step 1 This interface connects the ePDG to the PGW, through an IPv6 tunnel.
Enter Global Configuration Mode, and then the Context Configuration
sub-mode for the PDGout context of your team:
configure
context <PDGout context of your team>

Step 2 Create a loopback interface that will be used for S2b purposes. This will
be the source address of Proxy Mobile IP (PMIP) messages sent from
the ePDG to the PGW.
interface S2B-LOOP-x loopback (where x is your team number)


Step 3 Within the interface configuration sub-mode, add an IPv6 address and
prefix length. Use the following command and the table to add the correct
address for your team only:
ipv6 address <address> <mask>
exit

Team IPv6 Loopback Address/mask
1 2006:cccc::80:80:1/128
2 2006:cccc::80:80:2/128
3 2006:cccc::80:80:3/128
4 2006:cccc::80:80:4/128
5 2006:cccc::80:80:5/128
6 2006:cccc::80:80:6/128

Step 4 Using the table and commands below, create the low-level S2b
interface for your team. This is the interface through which traffic will
flow to get to the loopback address.
interface <interface name>

Team  S2b Interface Name
1     20/1-s2b
2     20/2-s2b
3     20/3-s2b
4     20/4-s2b
5     20/5-s2b
6     20/6-s2b


Step 5 Within the interface configuration sub-mode, configure the correct IP
address and subnet mask. Use the following command and the table to
add the correct address for your team only:
ipv6 address <address> <mask>
exit
exit

Team  IPv6 Address/mask
1     2006:cccc::80:80:121/64
2     2006:cccc::80:80:122/64
3     2006:cccc::80:80:123/64
4     2006:cccc::80:80:124/64
5     2006:cccc::80:80:125/64
6     2006:cccc::80:80:126/64

Step 6 Configure the physical port and VLAN that the interface will use. This
includes binding the logical interface created in the previous steps to
the VLAN tag. Use the portion of the table below that is relevant to your
team:
port ethernet <slot#/port#>
vlan 808
no shutdown
bind interface <logical int name> <logical int context>
end

Team  Slot#/Port#  Logical Int Name  Logical Int Context
1     20/1         20/1-s2b          PDGout-1
2     20/2         20/2-s2b          PDGout-2
3     20/3         20/3-s2b          PDGout-3
4     20/4         20/4-s2b          PDGout-4
5     20/5         20/5-s2b          PDGout-5
6     20/6         20/6-s2b          PDGout-6


Step 7 Verify your configuration by entering the following commands:
context <PDGout context of your team>
show ipv6 interface summary (verify that all interfaces are up)


Task 5: Creating a DIAMETER Connection to the AAA Server

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 In the PDGin context, create a DIAMETER endpoint for access to the
3GPP AAA server. This endpoint will use the loopback address that you
created earlier in the lab:
config
context <PDGin context of your team>
diameter endpoint aaa-swm-teamx (where x is your team number)
origin realm cisco.com
use-proxy
origin host ASR5K-swm-teamx address <SWm loopback address for your team from the table below> (where x is your team number)
peer aaa-swm realm cisco.com address <peer address from table> port <port from table>
route-entry peer aaa-swm
exit

Team  IPv4 SWm Loopback Address  Peer Address  Port
1     135.2.214.1                135.2.214.21  4851
2     135.2.214.2                135.2.214.32  4852
3     135.2.214.3                135.2.214.23  4853
4     135.2.214.4                135.2.214.24  4854
5     135.2.214.5                135.2.214.25  4855
6     135.2.214.6                135.2.214.26  4856


Step 2 Within the default AAA group of the PDGin context, configure the
system to use the endpoint you just created:
aaa group default
diameter authentication dictionary aaa-custom16
diameter authentication endpoint aaa-swm-teamx (where x is your team number)
diameter authentication server aaa-swm priority 1
end

Step 3 Verify that the DIAMETER connection is up:
context <PDGin context of your team>
show diameter peer full endpoint aaa-swm-teamx (where x is your team number)

Step 4 Verify that the State is ‘Open’ for each proxy server on each packet
service card (PSC).


Task 6: Configure an EAP Profile

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 Enter Global Configuration Mode and navigate into the ingress PDG
context of your team:
configure
context PDGin-x (where x is your team number)

Step 2 Create an Extensible Authentication Protocol (EAP) profile that will be
included in the Crypto Template (IPSec policy). This profile is going to
define EAP-AKA as the preferred authentication mechanism:
eap-profile eap-teamx (where x is your team number)
mode authenticator-pass-through
method eap-aka


Task 7: Configure IPSec Transforms and Crypto Template

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 Go into Global Configuration Mode and enter the context configuration
sub-mode:
configure
context PDGin-x (where x is your team number)

Step 2 Configure an IKE transform set. This will be used by the ePDG during
the INIT phase of IPSec negotiation:
ikev2-ikesa transform-set ikev2-sa-set-1
encryption aes-cbc-128
prf sha1
hmac sha1-96
group 2
exit

Step 3 Configure an IPSec transform set. This will be used by the ePDG during
the AUTH phase of IPSec negotiation:
ipsec transform-set ipsec-set-1
encryption aes-cbc-128
hmac sha1-96
mode tunnel
exit


Step 4 Configure the crypto template. This will reference the authentication
profile, IKE transform set, and IPSec transform set that you just
created.
crypto template epdg-crypto-template-teamx ikev2-dynamic (where x is your team number)
authentication remote eap-profile eap-teamx (where x is your team number)
ikev2-ikesa transform-set list ikev2-sa-set-1
ikev2-ikesa rekey
payload ipsec-sa-payload match childsa match any
ipsec transform-set list ipsec-set-1
lifetime 3600
rekey keepalive
exit
nai use-received-idr
ikev2-ikesa policy error-notification
dos cookie-challenge notify-payload half-open-sess-count start 2 stop 2
ikev2-ikesa keepalive-user-activity
end

Step 5 Use these commands to verify the transforms you just created.
context <ingress context of your team>
show crypto ipsec transform-set (you should see the IPsec transform set you created)
show crypto ikev2-ikesa transform-set (you should see the IKEv2 transform set that you created)
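The transform sets and crypto template above are what a reviewer would later audit for weak cipher-suite choices. The following Python script is an added example, not part of this lab guide or of the StarOS product: it parses configuration text written in the transform-set and crypto-template syntax shown in Task 7 (a constructed team 1 sample is embedded) and flags the Diffie-Hellman group, SHA-1 based PRF/HMAC settings, a missing IKEv2 cookie challenge, and a missing IKE SA rekey.

```python
# Added example, not from the Cisco lab guide: audit StarOS ePDG crypto settings
# written in the transform-set / crypto-template syntax of Task 7 (team 1 sample).
SAMPLE_CONFIG = """
ikev2-ikesa transform-set ikev2-sa-set-1
  encryption aes-cbc-128
  prf sha1
  hmac sha1-96
  group 2
exit
ipsec transform-set ipsec-set-1
  encryption aes-cbc-128
  hmac sha1-96
exit
crypto template epdg-crypto-template-team1 ikev2-dynamic
  ikev2-ikesa transform-set list ikev2-sa-set-1
  ikev2-ikesa rekey
  dos cookie-challenge notify-payload half-open-sess-count start 2 stop 2
"""
# IKE MODP groups 1, 2 and 5 (768 to 1536 bits) are not recommended by RFC 8247.
WEAK_DH_GROUPS = {"1", "2", "5"}

def parse_stanzas(config):
    """Map each unindented stanza header to its indented body lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "exit":
            continue
        if raw[0] != " ":  # an unindented line opens a new stanza
            current = raw.strip()
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(raw.strip())
    return stanzas

def audit(config):
    """Return (severity, message) findings; an empty list means nothing flagged."""
    findings = []
    for header, body in parse_stanzas(config).items():
        settings = dict(line.partition(" ")[::2] for line in body)  # keyword -> rest
        if header.startswith(("ikev2-ikesa transform-set", "ipsec transform-set")):
            if settings.get("group") in WEAK_DH_GROUPS:
                findings.append(("high", f"{header}: DH group {settings['group']} is weak"))
            for key in ("prf", "hmac"):
                if settings.get(key, "").startswith("sha1"):
                    findings.append(("low", f"{header}: {key} uses SHA-1"))
        elif header.startswith("crypto template"):
            if "dos" not in settings:
                findings.append(("medium", f"{header}: no IKEv2 cookie challenge"))
            if "ikev2-ikesa rekey" not in body:
                findings.append(("medium", f"{header}: IKE SA rekey not enabled"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` against the lab values and it reports group 2 as the one high-severity item; the same script can be pointed at a `show configuration` dump of the ingress context.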


Task 8: Creating the ePDG Service

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 The ePDG service ties together many of the components you have
created up to this point. It will reference the IPSec crypto template and
loopback address. Enter Configuration Mode for the PDGin context of
your team:
configure
context PDGin-x (where x is your team number)

Step 2 Create an ePDG service and bind it to the loopback interface you
configured earlier. Also note that you are telling the system to look for
a MAG service in the PDGout context:
epdg-service epdg-svc-x (where x is your team number)
plmn id mcc 311 mnc 482
mobile-access-gateway context PDGout-x mag-service magx (where x is your team number)
bind address <SWu loopback address> crypto-template epdg-crypto-template-teamx (where x is your team number)
end

Team  SWu Loopback Address
1     192.168.10.21
2     192.168.10.22
3     192.168.10.23
4     192.168.10.24
5     192.168.10.25
6     192.168.10.26

Step 3 Verify your service was created:
show service all
(verify that your service status is STARTED)


Task 9: Creating the MAG Service

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the PDGout context of your team:
configure
context PDGout-x (where x is your team number)

Step 2 Create the MAG service which is responsible:
mag-service magx (where x is your team number)
information-element-set custom1
bind address <IPv6 loopback address from table>
end

Team  S2b IPv6 Loopback Address/mask
1     2006:cccc::80:80:1
2     2006:cccc::80:80:2
3     2006:cccc::80:80:3
4     2006:cccc::80:80:4
5     2006:cccc::80:80:5
6     2006:cccc::80:80:6

Step 3 Verify your service was created:
show service all
(verify that your service status is STARTED)


Task 10: Creating a DNS Client

Visual Objective
The following graphic shows the objective for this task.


Activity Procedure
Complete these steps:
Step 1 Enter Configuration Mode for the ingress context of your team:
configure
context PDGin-x (where x is your team number)

Step 2 Create a DNS client that will send queries to the configured
nameserver. Bind it to the SWu loopback address from the table below:
ip domain-lookup
ip name-server 192.168.10.4
dns-client dns-callgen
bind address <SWu loopback>
end

Team  SWu Loopback Address
1     192.168.10.21
2     192.168.10.22
3     192.168.10.23
4     192.168.10.24
5     192.168.10.25
6     192.168.10.26


Task 11: Saving and Testing the Configuration

Activity Procedure
Complete these steps:
Step 1 Save your configuration. The name of your saved configuration file
should match that in the table below:
save config /flash/<config file name>
file sync

Team  Config File Name
1     epdg_team1.cfg
2     epdg_team2.cfg
3     epdg_team3.cfg
4     epdg_team4.cfg
5     epdg_team5.cfg
6     epdg_team6.cfg

Step 2 Ask your instructor to generate a test call.

Step 3 A user session should be anchored by the PGW. Since we have a PGW
configured on the same chassis, you should be able to see the session
from the PGW’s perspective. Use this command to verify that your
session is up on the PGW:
context local
show sub pgw-only all

Step 4 Use this command to see your session from the perspective of the
ePDG:
show sub epdg-only all


Step 5 After a test call has succeeded, prepare to capture the next call using
the monitor subscriber command:
monitor subscriber next-call

a) In the protocol selection menu that appears, turn on the following
protocols by typing the appropriate number:
• 40 – IPSec IKE Subscriber
• 48 – Mobile IPv6 (this is ON by default)

b) Ask your instructor to generate another call. Look at the monitor
output and identify:
• The EAP authentication exchange
• The IPv6 PMIP request from the ePDG to the PGW

NOTE: when you capture the session setup, you will not see the initial
IPSec exchange (IKEv2_INIT_Req and IKEv2_INIT_RSP). This is because you
are tracing a new session, and the session does not technically exist until
after this exchange completes.

Step 6 For your reference, you can capture all packets involved using the
monitor protocol command. If you wish, prepare to capture the next
call using this command:
monitor protocol

a) In the protocol selection menu that appears, turn on the following
protocols by typing the appropriate number:
• 40 – IPSec IKE Subscriber
• 48 – Mobile IPv6
• 75 – App Specific Diameter
• 8 – Diameter EAP/STa/S6a/s6d/S6b/S13/SWm
b) Type the letter ‘b’ to begin.
c) Confirm this by typing ‘y’ for Yes.
d) Use the ‘+’ key to raise the verbosity to level 2.


e) Ask your instructor to generate another call. Look at the monitor
output and identify:
• The initial IPSec IKE negotiation
• The EAP authentication exchange
• The IPv6 PMIP request from the ePDG to the PGW

Step 7 Save this capture for later reference.

This completes the lab.
