Cisco ASR 5x Series Configuration Audit Guide 5.0: Global Mobility Practice
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA 2012 Cisco Systems, Inc. All rights reserved.
The information in this document is the proprietary and confidential property of Cisco Corporation. No part of this document may be disclosed, reproduced or distributed without the express written permission of Cisco Corporation. Cisco Corporation reserves the rights to alter the design and specifications at any time without notice, as part of its continuing program of product development. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. 2012 Cisco Systems, Inc. and/or its affiliated entities. All rights reserved.
Table of Contents
1. INTRODUCTION ..... 11
2. DATA COLLECTION AND METHODOLOGY ..... 12
3. PREREQUISITES ..... 16
4. PLATFORM AUDIT ..... 17
   4.1 Card Audit ..... 18
   4.2 Interface Audit ..... 19
   4.3 Threshold Audit ..... 20
5. SYSTEM AUDIT ..... 22
   5.1 Context Audit ..... 22
   5.2 AAA Interface ..... 23
   5.3 DHCP Interface ..... 24
   5.4 Ga/Gz Interface ..... 24
   5.5 DCCA/DPCA Audit ..... 25
      5.5.1 Gx Interface ..... 26
      5.5.2 Gy Interface ..... 26
   5.6 GGSN Audit ..... 27
      5.6.1 Gn Interface ..... 27
      5.6.2 Gi Interface ..... 28
         5.6.2.1 APN Audit ..... 29
   5.7 SGSN Audit ..... 30
      5.7.1 Gn Interface ..... 30
      5.7.2 Gb Interface ..... 31
      5.7.3 IuPS Interface ..... 31
      5.7.4 DNS Service Audit ..... 33
      5.7.5 Gr, Gf and Gs Interface ..... 33
      5.7.6 SS7 Routing Domain Audit ..... 34
      5.7.7 SCCP Network Audit ..... 35
      5.7.8 GTT Association Audit ..... 36
      5.7.9 Operator Policy Audit ..... 36
   5.8 MME Audit ..... 37
      5.8.1 S1-MME Interface ..... 37
      5.8.2 S6a and S13 Interface ..... 39
      5.8.3 S10/S11 Interface ..... 39
      5.8.4 S3 Interface ..... 40
PRIVATE AND CONFIDENTIAL Page 2 of 74 Cisco Systems, Inc.
      5.8.5 SGs Interface ..... 40
      5.8.6 LTE Policy ..... 41
      5.8.7 Operator Policy ..... 41
   5.9 SGW Audit ..... 42
      5.9.1 S1-U/S11/S12 Interface ..... 43
      5.9.2 S4-SGSN ..... 43
      5.9.3 S5/S8 Interface ..... 44
   5.10 PGW Audit ..... 44
      5.10.1 S5/S8 Interface ..... 45
      5.10.2 SGi Interface ..... 45
         5.10.2.1 APN Audit ..... 46
   5.11 PDSN Audit ..... 47
      5.11.1 RP Interface ..... 47
      5.11.2 Pi Interface ..... 49
         5.11.2.1 Subscriber Template Audit ..... 49
   5.12 FA Audit ..... 50
      5.12.1 FA Service ..... 50
   5.13 HA Audit ..... 51
      5.13.1 Pi Interface ..... 51
      5.13.2 PDN Interface ..... 52
         5.13.2.1 Subscriber Template Audit ..... 53
   5.14 HSGW Audit ..... 53
      5.14.1 RP Interface ..... 53
      5.14.2 S2a Interface ..... 54
   5.15 P-CSCF Audit ..... 54
      5.15.1 P-CSCF Service Policy Configuration Audit ..... 54
      5.15.2 P-CSCF Access Profile Audit ..... 55
      5.15.3 PCRF Policy Control Configuration ..... 56
      5.15.4 PROXY-CSCF Audit ..... 57
      5.15.5 P-CSCF Policy and Service Policy Rule Configuration Audit ..... 57
   5.16 S-CSCF Audit ..... 58
      5.16.1 S-CSCF Peer Server Audit ..... 58
      5.16.2 S-CSCF Translation Audit ..... 58
      5.16.3 S-CSCF Policy Audit ..... 59
      5.16.4 S-CSCF IFC Audit ..... 59
      5.16.5 AAA Group Audit ..... 60
         5.16.5.1 HSS Interworking Audit ..... 60
         5.16.5.2 CDF Interworking Audit ..... 60
      5.16.6 CSCF Service Audit ..... 61
         5.16.6.1 S-CSCF Service Audit ..... 61
         5.16.6.2 Serving-CSCF Audit ..... 62
      5.16.7 HSS Endpoint Audit ..... 62
      5.16.8 CDF Endpoint Audit ..... 63
6. OSS AUDIT ..... 64
   6.1 MUR Audit ..... 64
   6.2 WEM Audit ..... 65
7. ECS AUDIT ..... 66
List of Tables
Table 4-1: Platform Audit ..... 18
Table 4-2: Card Audit ..... 19
Table 4-3: Interface Audit ..... 19
Table 5-1: Context Audit ..... 23
Table 5-2: RADIUS Audit ..... 24
Table 5-3: DHCP Audit ..... 24
Table 5-4: Ga/Gz Interface Audit ..... 25
Table 5-5: Diameter Audit ..... 26
Table 5-6: Gx Interface Audit ..... 26
Table 5-7: Ga Interface Audit ..... 27
Table 5-8: Gn Interface Audit ..... 28
Table 5-9: Gi Interface Audit ..... 29
Table 5-10: APN Audit ..... 30
Table 5-11: SGTP Service Audit ..... 31
Table 5-12: GPRS Service Audit ..... 31
Table 5-13: IuPS Interface Audit ..... 32
Table 5-14: SGSN Service Audit ..... 33
Table 5-15: DNS Service Audit ..... 33
Table 5-16: MAP Service Audit ..... 33
Table 5-17: SS7 Routing Domain Audit ..... 35
Table 5-18: SCCP Network Audit ..... 36
Table 5-19: GTT Association Audit ..... 36
Table 5-20: Operator Policy Audit ..... 37
Table 5-21: S1-MME Interface Audit ..... 39
Table 5-22: S6a and S13 Interface Audit ..... 39
Table 5-23: S10/S11 Interface Audit ..... 40
Table 5-24: S3 Interface Audit ..... 40
Table 5-25: SGs Interface Audit ..... 40
Table 5-26: LTE Policy Audit ..... 41
Table 5-27: Operator Policy Audit ..... 41
Table 5-28: SGW Service Audit ..... 43
Table 5-29: S11 Interface Audit ..... 43
Table 5-30: S4 SGSN Audit ..... 44
Table 5-31: S5/S8 Interface Audit ..... 44
Table 5-32: PGW Service Audit ..... 45
Table 5-33: S5/S8 Interface Audit ..... 45
Table 5-34: SGi Interface Audit ..... 46
Table 5-35: APN Audit ..... 47
Table 5-36: RP Interface Audit ..... 48
Table 5-37: Pi Interface Audit ..... 49
Table 5-38: Subscriber Template Audit ..... 50
Table 5-39: FA Service Audit ..... 51
Table 5-40: Pi Interface Audit ..... 52
Table 5-41: PDN Interface Audit ..... 52
Table 5-42: Subscriber Template Interface Audit ..... 53
Table 5-43: HSGW RP Interface Audit ..... 54
Table 5-44: S2a Interface Audit ..... 54
Table 5-45: P-CSCF Service Policy Audit ..... 55
Table 5-46: P-CSCF Access Profile Audit ..... 56
Table 5-47: P-CSCF Service Audit ..... 56
Table 5-48: Proxy CSCF Audit ..... 57
Table 5-49: Proxy CSCF Audit ..... 58
PRIVATE AND CONFIDENTIAL Page 6 of 74 Cisco Systems, Inc.
Configuration Audit Guide
Table 5-50: S-CSCF Peer Server Audit ... 58
Table 5-51: S-CSCF Translation Audit ... 59
Table 5-52: S-CSCF Policy Audit ... 59
Table 5-53: S-CSCF IFC Audit ... 60
Table 5-54: HSS Interworking Audit ... 60
Table 5-55: CDF Interworking Audit ... 61
Table 5-56: S-CSCF Service Audit ... 61
Table 5-57: Serving CSCF Audit ... 62
Table 5-58: HSS Endpoint Audit ... 63
Table 5-59: CDF Endpoint Audit ... 63
Table 6-1: OSS Audit ... 64
Table 6-2: MUR Audit ... 65
Table 6-3: WEM Audit ... 65
Table 7-1: ECS Audit Sample Report ... 68
References

[1] Data Collection Guide
[2] ASR 5X00 Command Line Interface Guide
[3] ASR 5X00 Administration Guide
Definitions

Acronym   Meaning
CSCF      Call Session Control Function
CIQ       Customer Information Questionnaire
GGSN      Gateway GPRS Support Node
HA        Home Agent
FA        Foreign Agent
HSGW      HRPD Serving Gateway
I-CSCF    Interrogating-CSCF
MME       Mobility Management Entity
P-CSCF    Proxy-CSCF
PGW       Packet Data Network Gateway
S-CSCF    Serving-CSCF
SAEGW     System Architecture Evolution Gateway
SGSN      Serving Gateway Support Node
SGW       Serving Gateway
Revision History

Version   Date       Status
1.0       2/27/12    First Version
1.5       4/27/12    Second Version
2.0       5/22/12    Third Version
3.0       7/25/12    Fourth Version
4.0       10/31/12   Fifth Version
5.0       1/30/12    Sixth Version

Author/s (versions 1.0 to 3.0, column as printed): Daryl Huynh Daryl Huynh Amol Khire Daryl Huynh Amol Khire Bin Guo Hao Jiang Jiang Rahul Mahadik Daryl Huynh Rahul Mahadik
Review (versions 1.0 to 3.0, column as printed): Santosh Panambur Anwin Kallumpurath Anwin Kallumpurath Daryl Huynh, Aravind Balakrishnan Gavish Kumar, Matthew Brandes
Author/s (version 4.0): Amol Khire, Akshay Raj, Aravind Balakrishnan
Review (version 4.0): Daryl Huynh, Jiming Shen, Bo Keun Kang, Govindaraj Duraisamy
Changes: (none recorded)
1. Introduction
This document describes the configuration audit process: what the configuration audit requirements are, what to check for, and what to flag as a concern. The process works by supplying the ASR 5000 show support details output and checking it against system constraints and best practice guidelines. A configuration audit report is used to identify the following points:

- General System Audit: evaluate a configuration and identify any missing components or configurations.
- Best Practice Guidelines: assess the overall health of the configuration to ensure certain best practices are applied.
- System Limitations: check for system limitations based on the inherent software limits.
- Feature Implementation: identify the features implemented based on the configuration.
Please note that this document will be constantly revised as the technology evolves and additional best practices and guidelines are found.
2. Data Collection and Methodology

    ******** show version verbose *******
    Active Software:
      Image Version:          12.0 (39936)
      Image Description:      Production_Build
      Image Date:             Tue Sep 20 22:18:03 EDT 2011
      Kernel Version:         2.6.18-staros-v2-pc
      Kernel Machine Type:    i686
Show license information is used to identify all the licensed features available on the chassis. This information can be used to determine whether all licensed features are in use, or whether there may be a potential licensing issue.
    ******** show license information *******
    Key Information (installed key):
      Comment          PRODUCTION SYSTEM 2 PO:678497,687276
      CF Device 1      Model: SanDiskSDCFJ-4096
                       Serial Number: 116922I0207F3815
      CF Device 2      Model: SanDiskSDCFJ-4096
                       Serial Number: 111719I0207F3324
      Issued           Thursday November 13 08:15:34 NZDT 2008
      Issued By        Cisco Systems
      Key Number       28155
      Enabled Features:
        Feature                                    Applicable Part Numbers
        ----------------------------------------   -----------------------------
        GGSN:                                      [ 600-00-7544 / 600-00-7545 ]
          + DHCP                                   [ 600-00-7520 ]
          + RADIUS AAA Server Groups               [ none ]
        Ipv4 Routing Protocols                     [ none ]
        Enhanced Charging Bundle 2:                [ 600-00-7574 ]
          + DIAMETER Closed-Loop Charging Interfa  [ none ]
Show card hardware is used to identify the hardware setup of the node. This information helps audit and categorize the node's hardware inventory.
    ******** show card hardware *******
    Card 2:
      Card Type             : Packet Services Card
      Card Description      : PSC
      Part Number           : 530-02-0030 14
      Serial Number         : PLB51077565
      Switch Fabric Modes   : control plane, switch fabric
      Card Programmables    : up to date
        NPU Microcode       : running 1.0
        Slave SCB           : on-card 1.6
        PSR                 : on-card 0
        BIOS                : on-card-a 7.8.14, on-card-b 7.8.14
        DT FPGA             : running 8.85
      CPU 0 Type/Memory     : Socket 0: Xeon 000 C0, 2000 MHz
                            : Socket 3: Xeon 000 C0, 2000 MHz
                            : Chipset: E7520 C4, 6300ESB A3, 16384 MB
      CPU 1 Type/Memory     : IXP2855 A0, 1500 Mhz, 1536 MB
      CPU 0 CFE/Diags       : on-card 2.0.17, running 130.1.2
Show configuration errors is used to check the health of the configuration file. This information helps identify common configuration errors that may not be caught by the configuration parser.
    Error : Sccp network configuration is missing for the map-service map in context gb
    Error : Map service map in context gb does not have any hlr configuration.
    Error : Sccp network configuration is missing for the map-service gs in context test
    Error : Map service gs in context test does not have any hlr configuration.
    Total 4 error(s) in this section!
Show active-charging ruledef statistics all charging identifies the commonly hit URLs (ruledefs) on the chassis.
    ******** show active-charging ruledef statistics all charging *******
    Ruledef Name         Packets-Down  Bytes-Down   Packets-Up  Bytes-Up    Hits
    -------------------  ------------  -----------  ----------  ----------  ---------
    10.10.10.10          0             0            7663        723532      7457
    10.10.10.11          0             0            0           0           0
    10.18.0.0/18         62            2728         5376        443037      5033
    10.20.0.0/18         79            3476         71892       6434902     67709
    10.20.128.0/18       79            3476         3160        270314      2866
    10.222.0.0/20        0             0            0           0           0
    10.222.136.0/21      0             0            0           0           0
    10.222.24.0/21       0             0            0           0           0
    129.142.220.79       0             0            0           0           0
    130.244.196.90       1638368       1269197678   1165789     226055446   2202497
Show active-charging analyzer statistics all charging identifies the analyzers matching packets on the chassis.
    ******** show active-charging analyzer statistics *******
    ACS Flow Stats:
      Cumulative:  2644539112
      IPv4:        2644539112     ICMP:      37295257
      IPv6:        0              ICMPv6:    0
      TCP:         1624756837     UDP:       981906211
      HTTP:        798435757      HTTPS:     0

    ACS - Num Flows Cleared by Idle Timer:
      Total:       1224361242
      IPv4:        1224361242     ICMP:
      IPv6:        0              ICMPv6:
      TCP:         265243456      UDP:
      HTTP:        25647653       HTTPS:
      POP3:        0              IMAP:
      SMTP:        0              FTP:
      RTSP:        3756           SIP:
      RTP:         1669           RTCP:
      WTP:         0              MMS:
      WSP_CO:      2824           WSP_CL:
      P2P:         423644234      DNS:
3. Prerequisites
A configuration audit requires the output of show support details, and any additional CLI commands used must also be logged. This information must be collected at the beginning of the soak period and at the end of the monitoring period during the data collection phase, as per the Data Collection Guide [1]. An understanding of the ASR 5000 configuration and structure is required; the ASR 5000 CLI Guide [2] can be used for reference.
4. Platform Audit
A platform audit consists of identifying a set of common CLI commands that may be configured on all chassis, regardless of node function, based on the system license. The platform audit also identifies the types of cards and interfaces configured within the node. The platform audit should check for the following CLIs, as listed in the table, and provide a recommended action or an appropriate message for flagging:

Platform Configuration

CLI command: log filter runtime facility cli level debug
Analysis: CLI debug should be enabled so that CLI outputs are captured in syslogs.
Recommendation: It is recommended to enable CLI level debug.

CLI command: hidden password
Analysis: Hidden password is an engineering-only command that should not be present in any node configuration.
Recommendation: It is not recommended to configure this CLI, as it is an engineering-only command; it should be removed if found.

CLI command: autoconfirm
Analysis: Autoconfirm disables the built-in system checks for configuration changes. Additionally, the noconfirm option can be included on individual commands to bypass a check for scripting purposes.
Recommendation: It is not recommended to configure this CLI, as it bypasses all system checks; it should be removed if found.

CLI command (UMTS/LTE): gtpp single-source
Analysis: GTPP single-source allows the system to perform the proxy function by reserving a CPU to process GTPP requests. Identify whether this CLI command is configured.
Recommendation: It is recommended to enable this command to enable GTPP proxy processing on the system. Enabling this command requires a reload.

CLI command: aaa large-configuration
Analysis: AAA large-configuration enables the system to accept a larger number of RADIUS configurations.
Recommendation: It is recommended to enable this command so that the system can be configured with additional AAA groups. Enabling this command requires a reload.

CLI command: banner motd
Analysis: A banner allows the system to prompt users prior to accessing the node.
Recommendation: It is considered best practice to include a login banner notifying users that unauthorized access to the node is prohibited.

CLI command: system hostname
Analysis: A system hostname allows the node to be identified by name. It is also used to populate billing parameters, such as within CDR records.
Recommendation: It is recommended to configure system hostnames for all nodes.

CLI command: timestamps
Analysis: Timestamps allow all CLI commands to be logged with an associated timestamp.
Recommendation: It is recommended to enable timestamps so that users who are logging the screen have the proper timestamps associated with the logs.

CLI command: clock timezone
Analysis: By default, the clock timezone is set to us-eastern. In a normal deployment, however, the clock timezone varies from node to node and should be set based on the node location.
Recommendation: It is recommended to configure the proper timezone, for reasons such as billing and user traceability.

CLI command: crash enable url
Analysis: Crash URL enables the system to send full crash cores to a remote location. This is a licensed feature.
Recommendation: It is recommended to enable sending full crash cores to an external node.

CLI command: require session recovery
Analysis: Session recovery allows calls to be recovered during a task crash or card failure, improving user experience. This is a licensed feature.
Recommendation: It is recommended to enable this feature on a system to improve user experience and accessibility.

CLI command: require active-charging
Analysis: If the license is available, it is recommended to enable active-charging, as enabling it the first time prevents the scenario where enabling the feature later requires a system reload.
Recommendation: It is recommended to enable this feature on a system to proactively configure ECS services and prevent a scenario where a reload is required to enable the feature.

CLI command: require diameter-proxy multiple
Analysis: Proxy multiple enables the system to create a proxy for each active PSC card on the system for DIAMETER client-server peering.
Recommendation: It is recommended to configure the proxy as multiple instead of single, to prevent the scenario where a single call affecting the single proxy causes the facility to crash, thus affecting all related calls.

CLI command (CDMA): aaa last-resort context
Analysis: Configuring AAA last-resort contexts gives UEs a last attempt to locate an AAA server, based on the context provided within this configuration.
Recommendation: It is recommended to enable last-resort contexts to provide a fail-safe for configurations missing the proper AAA configuration, so that the proper AAA server can be found as a last resort.

CLI command (CDMA): aaa default-domain
Analysis: Configuring default-domain allows UEs to be assigned a default domain if the domain field is empty.
Recommendation: It is recommended to configure a default-domain so that subscribers missing a domain are given a default domain for accounting and authentication services.

CLI command (CDMA): aaa domain-matching ignore-case
Analysis: Configuring ignore-case allows the system to ignore case when matching domain names.
Recommendation: It is recommended to configure ignore-case so that the system ignores case, as it is a common error for subscribers to introduce case typos when making network changes on their handsets.
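The presence/absence checks in the platform and threshold audit tables can be scripted against a show configuration dump. The following Python script is an added example, not code from this guide or from Cisco; it assumes the two-space indentation and #exit block markers of StarOS show configuration output, and the SAMPLE_CONFIG below is a constructed excerpt, not a real node.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str            # short label used in findings
    pattern: str         # regex matched against each global-level config line
    expected: bool       # True = line should exist, False = line must not exist
    recommendation: str


# Rules taken from the Platform Audit and Threshold Audit tables of this guide.
# The table writes "log filter"; real dumps may show "logging filter", so both match.
PLATFORM_RULES = [
    Rule("cli level debug", r"log(ging)? filter runtime facility cli level debug", True,
         "Enable CLI level debug so CLI output is captured in syslog."),
    Rule("hidden password", r"hidden password\b", False,
         "Engineering-only command; remove it."),
    Rule("autoconfirm", r"autoconfirm$", False,
         "Bypasses the system's configuration checks; remove it."),
    Rule("aaa large-configuration", r"aaa large-configuration$", True,
         "Enable to allow additional AAA groups (requires a reload)."),
    Rule("banner motd", r"banner motd\b", True,
         "Configure a login banner."),
    Rule("system hostname", r"system hostname\b", True,
         "Set a hostname; it is also used in CDR records."),
    Rule("timestamps", r"timestamps$", True,
         "Enable timestamps on logged CLI commands."),
    Rule("clock timezone", r"clock timezone\b", True,
         "Set the node's timezone (the default is us-eastern)."),
    Rule("crash enable url", r"crash enable url\b", True,
         "Send full crash cores to an external node."),
    Rule("require active-charging", r"require active-charging$", True,
         "Enable ECS up front so a later reload is not needed."),
    Rule("threshold monitoring license", r"threshold monitoring license$", True,
         "Enable license threshold monitoring."),
]


def global_lines(config_text):
    """Return the stripped global-level lines of a show configuration dump:
    the lines at the shallowest indent inside the config block.  Context,
    port and service bodies are indented deeper and are skipped; #exit
    markers and the outer config/end keywords are dropped."""
    body = [l for l in config_text.splitlines()
            if l.strip() and not l.strip().startswith("#")
            and l.strip() not in ("config", "end")]
    if not body:
        return []
    indent = lambda l: len(l) - len(l.lstrip())
    base = min(indent(l) for l in body)
    return [l.strip() for l in body if indent(l) == base]


def audit_platform(config_text):
    """Return (rule name, status, recommendation) for every rule violated."""
    lines = global_lines(config_text)
    findings = []
    for rule in PLATFORM_RULES:
        present = any(re.match(rule.pattern, l) for l in lines)
        if present != rule.expected:
            status = "PRESENT (remove)" if present else "MISSING"
            findings.append((rule.name, status, rule.recommendation))
    return findings


# Constructed sample show configuration excerpt (placeholder values, not a real node).
SAMPLE_CONFIG = """\
config
  system hostname ASR5K-LAB-01
  autoconfirm
  hidden password EXAMPLE-PLACEHOLDER
  clock timezone utc
  crash enable url sftp://audit@203.0.113.10/cores
  context local
    server sshd
      subsystem sftp
    #exit
    server telnetd
    #exit
  #exit
end
"""

if __name__ == "__main__":
    for name, status, rec in audit_platform(SAMPLE_CONFIG):
        print(f"{name:30} {status:18} {rec}")
```

Feed it the configuration section of a show support details capture; context-level checks (access protocols, ACLs) are a separate pass because those lines sit inside context blocks.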
4.1 Card Audit

A card audit consists of identifying the card arrangement and understanding which cards are enabled within the system. Since cards generally occupy the front slots, it is best to identify which cards are in the system in order to determine whether the physical arrangement of the cards follows best practice for maximum airflow and future expansion. Show card hardware should also be used to verify the configuration audit and ensure that cards are used optimally.

Table 4-2: Card Audit

CLI command: card
Analysis: Cards should be laid out to allow for the best airflow and for future expansion.
Recommendation: It is recommended to populate every other slot first, with slots 1 and 16 the last two slots used.

CLI command: card shutdown
Analysis: Card shutdown terminates all tasks and processes on a card and causes the card to go offline, even when a new card is inserted in the slot.
Recommendation: It is recommended to set the card to no shutdown so that newly inserted cards come up in an operational standby state.

CLI command: port preferred port
Analysis: Preferred slot enables the port to prefer a given port when there is a link issue.
Recommendation: It is recommended to disable preferred port, as this scenario may cause links to constantly flap between two ports if there is an issue with the preferred port.
4.2 Interface Audit

An interface audit consists of identifying the interface arrangements and understanding whether the cards are enabled in an active/active or active/standby scenario. The card arrangement is also identified to determine whether cards are placed optimally, especially in the case of XGLC cards, which must start in odd slots since this is required for active/standby redundancy. Show card hardware should also be used to verify the configuration audit and ensure that cards are used optimally.

Interface Configuration

CLI command: (linecard placement)
Analysis: Linecards should be laid out according to best practice guidelines: a single full-length linecard should go in the odd slot first, for future redundancy expansion, since full-length cards are redundant to their immediately following even slot (for example, 17 is redundant to 18).
Recommendation: It is recommended to arrange cards in an optimal manner, taking into account future expansion or design requirements.

CLI command: port ethernet (description)
Analysis: Port descriptions help engineers quickly identify why a port is configured or used.
Recommendation: It is recommended to enable descriptions for all used ports on the system.

CLI command: port ethernet (preferred slot)
Analysis: Preferred slot enables the port to prefer a given port when there is a link issue.
Recommendation: It is recommended to disable preferred port, as this scenario may cause links to constantly flap between two ports if there is an issue with the preferred port.
4.3 Threshold Audit

By default, the ASR 5000 and ASR 5500 have built-in threshold monitoring. However, it is not enabled by default. Refer to the following for more details on providing an accurate threshold recommendation to the customer: http://www.cisco.com/en/US/docs/wireless/asr_5000/12_2/OL25552_Thresholding_Config.pdf

Threshold Configuration

CLI commands (default, disabled state):
no threshold monitoring npuresource
no threshold monitoring cpuresource
no threshold monitoring system
no threshold monitoring license
no threshold monitoring subscriber
no threshold monitoring call-setup
no threshold monitoring ecs
no threshold monitoring fa-service
no threshold monitoring haservice
no threshold monitoring pdsnservice
no threshold monitoring pdifservice
no threshold monitoring asngw
no threshold monitoring asnpc
no threshold monitoring phsgw
no threshold monitoring phsp
no threshold monitoring firewall
no threshold monitoring pdgservice
no threshold monitoring hnbgwservice
no threshold monitoring sgwservice
no threshold monitoring saegwservice
no threshold monitoring pgwservice
no threshold monitoring lmaservice
no threshold monitoring hsgwservice
no threshold monitoring epdgservice
no threshold monitoring routeservice
no threshold monitoring mmeservice
no threshold monitoring fngservice
no threshold monitoring diameter
no threshold monitoring aaa-acctarchive-queue
no threshold monitoring aaa-authfailure
no threshold monitoring aaa-acctfailure

Recommendation: It is recommended to enable the SERVICE thresholds above, as applicable for the node, for monitoring purposes.
5. System Audit
A system audit consists of identifying common CLI configurations that must be configured for all chassis in order to configure the respective services.
5.1 Context Audit

A context audit consists of identifying how many contexts are configured and what services are enabled within each context, to determine its function. Since the OAM on the ASR 5000 is also implemented as a context, the local context should be identified separately from other service-level contexts. Generally, only the local context is enabled for access protocols such as SSH or FTP, so it is worth noting if another context is enabled with such services.

Context Configuration

CLI command: context ip access-list
Analysis: An IP access list is used to permit or deny packets to a context. An IP access list is not a global command, and ACLs configured within a context but left unused simply use up system resources.
Recommendation: It is recommended to use ACLs only within their respective context, as ACLs are not globally configured commands.

CLI command: context server ftpd
Analysis: FTP is considered an insecure access protocol that should be avoided, as communication between client and server is sent in plain text, which leaves all CLI commands, including username and password, highly susceptible to snooping.
Recommendation: It is recommended to disable FTP and use SFTP instead, for security reasons.

CLI command: context server telnetd
Analysis: TELNET is considered an insecure access protocol that should be avoided, as communication between client and server is sent in plain text, which leaves all CLI commands, including username and password, highly susceptible to snooping.
Recommendation: It is recommended to use SSH and SFTP over TELNET and FTP.

CLI command: context server sshd subsystem sftp
Analysis: SSH is a secure access protocol that can be used to log into the chassis.
Recommendation: It is recommended to use SSH and SFTP over TELNET and FTP.

CLI command: context local logging syslog
Analysis: Syslog servers enable the system to send facility messages to log activity on the system.
Recommendation: It is recommended to configure syslog servers on the system to log all system-related events and CLI outputs, for troubleshooting or debugging.

CLI command: port ethernet 24/1, 24/2, 25/1, 25/2
Analysis: The SPIO ports are configured as ports 24/1, 24/2, 25/1 and 25/2. However, unlike the LCs, SPIO ports are side-by-side redundant, so port 24/1 is redundant to port 25/1.
Recommendation: It is recommended to have redundant SPIO ports active between 24/1 and 25/1, and between 24/2 and 25/2, respectively.
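The context checks above (insecure access protocols, access protocols outside the local context, a local context without syslog, and ACLs defined but never applied) can be run per context. The following Python script is an added example, not code from this guide or from Cisco; it assumes StarOS show configuration layout (context bodies indented under "context NAME", ACLs applied with "ip access-group NAME ..."), and SAMPLE_CONFIG is a constructed excerpt, not a real node.

```python
import re
from collections import defaultdict


def split_contexts(config_text):
    """Group the lines of a show configuration dump by context.  A context
    begins at "context NAME" on the shallowest indent and owns every deeper
    line until the next shallow line.  Returns {name: [stripped lines]}."""
    body = [l for l in config_text.splitlines()
            if l.strip() and not l.strip().startswith("#")
            and l.strip() not in ("config", "end")]
    if not body:
        return {}
    indent = lambda l: len(l) - len(l.lstrip())
    base = min(indent(l) for l in body)
    contexts, current = defaultdict(list), None
    for l in body:
        if indent(l) == base:
            m = re.match(r"context (\S+)$", l.strip())
            current = m.group(1) if m else None
        elif current is not None:
            contexts[current].append(l.strip())
    return dict(contexts)


def audit_contexts(config_text):
    """Return (context, issue, recommendation) tuples for the checks in the
    Context Audit table: insecure access protocols, access protocols outside
    the local context, a local context without syslog, and unused ACLs."""
    findings = []
    for name, lines in split_contexts(config_text).items():
        def has(pattern):
            return any(re.match(pattern, l) for l in lines)
        if has(r"server telnetd"):
            findings.append((name, "telnetd enabled",
                             "Disable TELNET; use SSH (server sshd)."))
        if has(r"server ftpd"):
            findings.append((name, "ftpd enabled",
                             "Disable FTP; use SFTP (server sshd with subsystem sftp)."))
        if has(r"server sshd") and not has(r"subsystem sftp"):
            findings.append((name, "sshd without sftp subsystem",
                             "Add subsystem sftp under server sshd so SFTP replaces FTP."))
        if name != "local" and has(r"server (sshd|ftpd|telnetd)"):
            findings.append((name, "access protocol in non-local context",
                             "Access protocols are normally enabled only in the local context."))
        if name == "local" and not has(r"logging syslog "):
            findings.append((name, "no syslog server",
                             "Configure a syslog server in the local context."))
        # An ACL defined in a context but never applied there only consumes resources.
        defined = {m.group(1) for l in lines if (m := re.match(r"ip access-list (\S+)", l))}
        applied = {m.group(1) for l in lines if (m := re.match(r"ip access-group (\S+)", l))}
        for acl in sorted(defined - applied):
            findings.append((name, f"unused ACL {acl}",
                             "Apply or remove the ACL; unused ACLs consume resources."))
    return findings


# Constructed sample show configuration excerpt (not a real node).
SAMPLE_CONFIG = """\
config
  context local
    ip access-list acl-mgmt
      permit ip any any
    #exit
    interface mgmt
      ip address 192.0.2.10 255.255.255.0
      ip access-group acl-mgmt in
    #exit
    server sshd
      subsystem sftp
    #exit
    server telnetd
    #exit
  #exit
  context Gn
    ip access-list acl-corp
      deny ip any any
    #exit
    server ftpd
    #exit
  #exit
end
"""

if __name__ == "__main__":
    for ctx, issue, rec in audit_contexts(SAMPLE_CONFIG):
        print(f"{ctx:12} {issue:40} {rec}")
```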
5.2 AAA Interface

A RADIUS audit consists of identifying whether RADIUS services are enabled within the specified context and configured correctly as per best practice guidelines.

Table 5-2: RADIUS Audit

CLI command: context aaa group
Analysis: The AAA group identifies the RADIUS authentication/accounting server on the node. By default, an AAA group named default is configured for all contexts and should be used if only one RADIUS group is needed.
Recommendation: It is recommended to use a non-default AAA group, from a design perspective, only if more than one AAA server is configured on the system. The inherent fallback design for misconfigurations refers to the default configuration.

CLI command: context radius attribute nas-ip-address
Analysis: The RADIUS NAS IP should be configured within the same context as the AAA group.
Recommendation: It is recommended to configure the NAS IP address within the same context as the AAA group.

CLI command (UMTS/LTE): context aaa group no radius accounting archive
Analysis: RADIUS accounting archive enables the system to store offline accounting requests and archive them to be sent to the server when the server is available.
Recommendation: It is recommended to disable RADIUS accounting archive to prevent a scenario where offline accounting requests spam the server, as there is generally no billing consideration for RADIUS accounting in a UMTS/LTE network.

CLI command: context aaa group radius detect-dead-server consecutive-failures
Analysis: RADIUS detect-dead-server allows the system to mark a server as DEAD after multiple timeouts and retries.
Recommendation: It is recommended to enable detect-dead-server to prevent the scenario where a timed-out server is still being sent AAA requests. It is recommended to configure this value as 4 or less, but greater than 0.

CLI command: context aaa group radius mediation-device accounting server
Analysis: The RADIUS accounting server identifies which RADIUS server accounting messages are sent to.
Recommendation: It is recommended to configure all RADIUS accounting servers as mediation devices.

CLI command: context aaa group radius timeout, radius max-retries, radius accounting timeout, radius accounting max-retries
Analysis: These timers control the number of authentication and accounting retries before a server is considered down. Based on show radius counters all, these values can be modified depending on the number of timeouts or the round-trip time.
Recommendation: It is recommended to configure the following values: radius timeout 2, radius accounting timeout 2, radius max-retries 3, radius accounting max-retries 3.

CLI command: context aaa group radius accounting algorithm first-n
Analysis: This algorithm dictates how many servers accounting requests are sent to.
Recommendation: The number of first-n servers should be equal to or less than the number of accounting servers configured.
5.3 DHCP Interface

A DHCP audit consists of identifying whether DHCP services are enabled within the specified context. DHCP services are commonly configured for corporate networks, so a context identified with DHCP services can generally be considered a corporate context.

Table 5-3: DHCP Audit

CLI command: dhcp-service dhcp ip
Analysis: The DHCP server is supported in proxy or relay mode in R12.0. However, in R14, relay mode is no longer supported.
Recommendation: It is recommended that a customer move to proxy mode, as relay mode will not be supported in future releases.

CLI command: dhcp-service dhcp deadtime, dhcp detect-dead-server consecutive-failures
Analysis: DHCP deadtime and detect-dead-server are used to determine how long a DHCP server is marked as dead after a timed-out request.
Recommendation: It is recommended to configure the following values: dhcp deadtime 60, dhcp detect-dead-server consecutive-failures 3.
5.4 Ga/Gz Interface

A GTPP audit consists of identifying whether GTPP groups are enabled within a context for billing. Since GTPP is used primarily for billing, if a single GTPP group is identified it should be configured as the default group only, since the system fails over to the default group in a failure scenario. In addition, the threshold/interim values should be identified and assessed as part of the KPI analysis to determine whether higher thresholds should be used if mediation has issues processing the number of records.

Table 5-4: Ga/Gz Interface Audit

CLI command: gtpp group
Analysis: The GTPP group identifies the billing configuration on the system. By default, a GTPP group named default is configured for all contexts and should be used if only one GTPP group is required.
Recommendation: It is recommended to use a non-default GTPP group, from a design perspective, only if more than one GTPP server is configured on the system. The inherent fallback design for misconfigurations refers to the default configuration.

CLI command: gtpp group no gtpp dead-server suppress-cdrs
Analysis: Configures the actions to be taken when a dead server is detected.
Recommendation: It is recommended to disable

CLI command: gtpp group gtpp deadtime
Analysis: Specifies the time in seconds after which the system treats a previously dead CGF server as active again.
Recommendation: It is recommended to configure this value as 120 or less, but more than 0, to mark a server properly down.

CLI command: gtpp group gtpp detect-dead-server consecutive-failures
Analysis: Configures how a dead CGF is detected.
Recommendation: It is recommended to configure this value greater than 0 if a CGF is implemented. Otherwise, it is recommended to configure it as 0.

CLI command: gtpp group gtpp source-port-validation
Analysis: Specifies whether the charging agent should respond to request messages only from configured CGFs.
Recommendation: It is recommended to enable source-port-validation to prevent the scenario where an unconfigured CGF can send responses to the system.

CLI command: gtpp group gtpp max-retries
Analysis: Configures the maximum number of times the system attempts to communicate with a CGF before failing over to the secondary CGF.
Recommendation: It is recommended to configure this value as 4 or less, but greater than 0.

CLI command: gtpp group gtpp suppress-cdrs zero-volume-and-duration
Analysis: Suppresses CDRs with zero volume and zero duration.
Recommendation: It is recommended to suppress CDRs with zero volume or duration to reduce the number of CDRs without any data being processed by mediation.

CLI command: gtpp group gtpp storage-server mode streaming
Analysis: Specifies the use of the HDD to store CDRs if the CGF fails, and then stream the CDRs to the CGF when it is up again.
Recommendation: It is recommended to configure GTPP mode to streaming if a CGF is used.

CLI command: gtpp group no gtpp egcdr service-data-flow threshold
Analysis: Configures the thresholds for closing a service data flow container within an eGCDR based on volume or interval.
Recommendation: It is recommended to disable this configuration by default, as it would prematurely generate closing CDRs and result in additional CDRs to be processed.
5.5 DCCA/DPCA Audit

A DCCA/DPCA audit consists of identifying the Diameter endpoint configurations enabled within a context. Since an endpoint can be configured for multiple services, you must first identify the endpoint and its associated services before you can determine what a particular DCCA/DPCA service is used for. In addition, specific timers should be checked between the client and server side to make sure the values are in sync during a failure scenario.

Table 5-5: Diameter Audit

CLI command: diameter endpoint watchdog-timeout
Analysis: Watchdog-timeout identifies the Tw timer, which is the timeout after which the watchdog considers the peer to be down.
Recommendation: The watchdog-timeout can be configured to 30 or 60 seconds to reduce flapping of the Diameter connection, which is caused by a low watchdog timeout such as 5-10 seconds. The default value is 30 seconds.

CLI command: diameter endpoint connection retry-timeout
Analysis: Connection retry-timeout identifies the Tc timer, which is the timeout after which a retry is sent.
Recommendation: It is recommended to configure the connection retry-timeout to 10 seconds (default 60) to reduce the time during which the CER/CEA has not been exchanged.

CLI command: diameter endpoint reconnect-timeout
Analysis: Reconnect-timeout enables the system to resend a CER after a period when the client receives a DO NOT WANT TO TALK TO YOU message from the server.
Recommendation: It is recommended to configure a 60 second interval so that a DO NOT WANT TO TALK TO YOU message from the server does not mark the peering relationship as down permanently (until reboot) on the system.

CLI command: diameter endpoint response-timeout
Analysis: Response-timeout configures how long the client waits for a response before it times out.
Recommendation: It is recommended to configure a 10 second interval to reduce the time after which the CER message is considered timed out.

CLI command: diameter endpoint route-entry
Analysis: A route entry can be added for a host, peer and realm.
Recommendation: It is recommended to add a route-entry for each peer and set them to equal weight by default.
5.5.1 Gx Interface
As part of the DCCA audit, the PCRF audit must be checked to determine whether the endpoint is configured as part of the PCRF service, named ims-auth-service. The IMS auth service is configured within a context and is considered a global parameter. As a result, if a context is configured with the ims-auth-service, it can be loosely identified at least as a Gx type context, since it may still have other services enabled in the same context as well.

Table 5-6: Gx Interface Audit

CLI command: ims-auth-service policy-control diameter request-timeout
Analysis: Request-timeout configures how long the client waits for a response before it times out.
Recommendation: It is recommended to configure a 10 second interval to reduce the time after which the CCR message is considered timed out and the CCFH condition is triggered.
5.5.2 Gy Interface
As part of the DCCA audit, the OCS audit must be checked to determine whether the endpoint is configured as part of the OCS service. Credit control is configured as part of the ECS configuration. If an endpoint is identified as a OCS endpoint, the context where the endpoint is configured can be loosely identified as a Gy type context since it may still have other services enabled in the same context as well.
PRIVATE AND CONFIDENTIAL Page 26 of 74 Cisco Systems, Inc.
Gy Interface Configuration
CLI command: credit-control group diameter pending-timeout
Analysis: The pending-timeout identifies the Tc timer, the timeout after which an unanswered CCR triggers the CCFH condition.
Recommendation: It is recommended to configure a 3 second timeout interval to reduce the time before the CCR message is considered timed out and the CCFH condition is triggered. By default, the CCFH condition is to terminate the call.

CLI command: credit-control group
Analysis: The credit-control group identifies the DCCA group responsible for online charging with the OCS. By default, a default group is configured and should be used if only one credit-control group is required.
Recommendation: From a design perspective, it is recommended to use a non-default credit-control group configuration only if more than one credit-control group is configured on the system. The inherent fallback design for misconfigurations refers to the default configuration.
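The timer, route-entry and credit-control checks from Table 5-5 and the Gy table above can be applied mechanically to a configuration dump. The Python script below is an added example, not Cisco's own tooling; the StarOS-style excerpt it parses is constructed for illustration, and the keyword nesting (endpoint and group blocks closed by #exit) is assumed from the CLI commands listed in the tables.

```python
"""Audit Diameter endpoint and credit-control timers against the guide's
recommendations. Added example; the config excerpt below is constructed."""
import re

# Constructed StarOS-style excerpt: one endpoint tuned as recommended, one
# left at defaults with an aggressive 5 second watchdog timer.
SAMPLE_CONFIG = """\
context billing
    diameter endpoint ocs-ep
      watchdog-timeout 60
      connection retry-timeout 10
      reconnect-timeout 60
      response-timeout 10
      peer ocs1 realm ocs.example.com address 192.0.2.10 port 3868
      peer ocs2 realm ocs.example.com address 192.0.2.11 port 3868
      route-entry peer ocs1 weight 10
    #exit
    diameter endpoint pcrf-ep
      watchdog-timeout 5
      peer pcrf1 realm pcrf.example.com address 192.0.2.20 port 3868
      route-entry peer pcrf1 weight 10
    #exit
#exit
active-charging service ecs
    credit-control group default
      diameter origin endpoint ocs-ep
      diameter pending-timeout 3
    #exit
#exit
"""

# Defaults quoted in the guide, applied when the keyword is absent.
DEFAULTS = {"watchdog-timeout": 30, "connection retry-timeout": 60}
# Recommended values from Table 5-5; the watchdog may be 30 or 60 seconds.
RECOMMENDED = {
    "watchdog-timeout": (30, 60),
    "connection retry-timeout": (10,),
    "reconnect-timeout": (60,),
    "response-timeout": (10,),
}
TIMER_RE = re.compile(r"(watchdog-timeout|connection retry-timeout|"
                      r"reconnect-timeout|response-timeout) (\d+)$")


def parse_config(text):
    """Extract diameter endpoints and credit-control groups.
    Only the keywords the audit tables discuss are tracked."""
    endpoints, cc_groups, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"diameter endpoint (\S+)$", line):
            block = endpoints.setdefault(
                m.group(1), {"timers": {}, "peers": [], "routes": {}})
        elif m := re.match(r"credit-control group (\S+)$", line):
            block = cc_groups.setdefault(m.group(1), {})
        elif line == "#exit":          # closes the innermost tracked block
            block = None
        elif block is None:
            continue
        elif "timers" in block:        # inside a diameter endpoint
            if m := TIMER_RE.match(line):
                block["timers"][m.group(1)] = int(m.group(2))
            elif m := re.match(r"peer (\S+) ", line):
                block["peers"].append(m.group(1))
            elif m := re.match(r"route-entry peer (\S+) weight (\d+)$", line):
                block["routes"][m.group(1)] = int(m.group(2))
        elif m := re.match(r"diameter pending-timeout (\d+)$", line):
            block["pending-timeout"] = int(m.group(1))
    return endpoints, cc_groups


def audit(text):
    """Return one finding per deviation from the Table 5-5 and Gy advice."""
    endpoints, cc_groups = parse_config(text)
    findings = []
    for name, ep in endpoints.items():
        for key, wanted in RECOMMENDED.items():
            value = ep["timers"].get(key, DEFAULTS.get(key))
            if value is None:
                findings.append(f"{name}: {key} not configured "
                                f"(recommended {wanted[0]} s)")
            elif value not in wanted:
                findings.append(f"{name}: {key} is {value} s, recommended "
                                f"{' or '.join(map(str, wanted))} s")
        # Every peer should have a route-entry, all at equal weight.
        missing = [p for p in ep["peers"] if p not in ep["routes"]]
        if missing:
            findings.append(f"{name}: no route-entry for peer(s) "
                            f"{', '.join(missing)}")
        if len(set(ep["routes"].values())) > 1:
            findings.append(f"{name}: route-entry weights differ")
    for name, group in cc_groups.items():
        if group.get("pending-timeout") != 3:
            findings.append(f"credit-control group {name}: pending-timeout "
                            f"is {group.get('pending-timeout')}, recommended 3 s")
    if len(cc_groups) == 1 and "default" not in cc_groups:
        findings.append("a single credit-control group should be 'default'")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```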
5.6 GGSN Audit
The GGSN audit consists of identifying the GGSN related services configured on the ASR 5000. Best practice guidelines should be checked against the configuration to identify any risk areas that may result from not following such guidelines. The GGSN audit covers two primary areas: GGSN service and APN configuration.
5.6.1 Gn Interface
The GGSN service audit identifies where the GGSN service is enabled within a context. The service will be identified to determine whether multiple GGSN services are configured as required, based on customer requirements and also the logical design of the control and user plane. The context where the GGSN service resides can be identified as the Gn APN, where the GTPC requests from the SGSN arrive from the network.
Gn Interface Configuration

Analysis: The GGSN service is responsible for handling 2G/3G PDP requests from the SGSN.
Recommendation: It is recommended to have one GGSN service per chassis, unless it is a design requirement to have more.

Analysis: The accounting context within the GGSN service directs which billing context should be used for CDR generation.
Recommendation: It is recommended to configure the accounting context as part of the GGSN service instead of the APN configuration.

Analysis: The SGSN address is used to identify the SGSNs within the home network that send PDP requests to the GGSN.
Recommendation: It is recommended to configure SGSN addresses in subnet blocks as applicable.

Analysis: The bind address is responsible for handling the control plane traffic for the GGSN service.
Recommendation: It is recommended that the GTPC address be the same IP address as the GTPU address, to simplify the design as the traffic reaches the context in the same manner. However, if there is a design requirement to split the IPs for traceability or LI purposes, this recommendation can be ignored. If the node is used for 3G and 4G services, the IP address for GTP-C and GTP-U should match the IP address bound to the PGW service.

Analysis: The GTPU service is responsible for handling the user plane traffic for the GGSN service.
Recommendation: It is recommended that the GTPU service use the same IP address as the GTPC bound address, to simplify the design as the traffic reaches the context in the same manner. However, if there is a design requirement to split the IPs for traceability or LI purposes, this recommendation can be ignored. If the node is used for 3G and 4G services, the IP address for GTP-C and GTP-U should match the IP address bound to the PGW service.

Analysis: The echo interval is used to send echo requests to the serving SGSNs to determine whether each SGSN is still alive.
Recommendation: It is recommended to configure the echo interval to 60 seconds.
5.6.2 Gi Interface
The Gi interface defines the communication between the GGSN and the external PDN. The Gi interface is configured within the PDN context and is logically bound together by the APN configuration. This interface is implicitly referenced based on how the IP pools defined and bound to the APN are configured.
Gi Interface Configuration
CLI command: context interface ip-address (IPv4 or IPv6)
Analysis: The Gi interface is routed based on the available IP pools within the same context. The interface should be IPv4 or IPv6 depending on the pools configured.
Recommendation: It is recommended to configure the interface based on the IP type of the pools and, ideally, to have redundant interfaces (two logical interfaces) to route IP traffic.

CLI command: context ip pool private
Analysis: Private pools are assigned only if the APN is configured with the pool name.
Recommendation: It is recommended to configure all pools as PRIVATE to avoid the scenario where a PUBLIC pool gets assigned to an APN by default.

CLI command: context ip pool group-name
Analysis: Group-names can be used to group together common pools.
Recommendation: It is recommended to configure a group-name for multiple pools to simplify the configuration. It can also simplify the design if IP pool names are passed back from a RADIUS server.

CLI command: context ip pool explicit-route-advertise
Analysis: Explicit-route-advertise creates a /32 host route when a subscriber connects to the pool.
Recommendation: It is not recommended to use this feature, as a context has an inherent limit of 2000 routes in its IP table.

Table 5-9: Gi Interface Audit
5.6.2.1 APN Audit
The APN audit identifies where the subscribers will connect to. APNs are generally classified as consumer APNs and corporate APNs. This is usually determined by the naming convention of the APN. Identifying the APN type is necessary, as the service between a corporate and a consumer APN is generally very different between service providers. All the services related to a subscriber are configured at the APN level.
APN Configuration
CLI command: context apn virtual-apn gcdr apn-name-to-be-included Gn
Analysis: Virtual-APN GCDR apn-name-to-be-included Gn applies the Gn APN within the GCDR records.
Recommendation: It is recommended to use the Gn APN to identify the source of the PDP request, unless there is a mediation reason why the Gi APN is used in the billing records.

CLI command: context apn aaa group
Analysis: The AAA group assigns the RADIUS authentication/accounting server to be used by the APN.
Recommendation: It is recommended that the AAA group be configured in the same context as the APN.

CLI command: context apn ip access-group * in / ip access-group * out
Analysis: The IP access-group for in/out traffic is used to apply permit/deny/redirect rules to subscriber traffic accessing this APN.
Recommendation: It is recommended to configure ACLs within the same context as the APNs, as ACLs are not global configurations.

CLI command: context apn ip source-violation ignore
Analysis: Source-violation enables the APN to check for IP spoofing. This feature checks whether the subscriber's assigned IP matches the traffic being received and, by default, drops the call if 10 invalid packets are found.
Recommendation: It is recommended to ignore this command, as dongles are commonly connected to APNs with a concurrent Internet connection, which will cause this rule to be hit by default and drop the call, affecting user experience.

CLI command: context apn mediation-device
Analysis: Mediation-device enables the APN to send accounting requests to a mediation-type RADIUS server.
Recommendation: It is recommended to use mediation-device for RADIUS accounting servers.

CLI command: context apn timeout absolute/idle
Analysis: Absolute timeout disconnects the subscriber when the timer ends. Idle timeout disconnects the subscriber when the timer ends after the subscriber has started idling.
Recommendation: It is recommended to configure an idle timeout value within the APN where it is not configured and where there are many subscribers with very high idle times. However, prematurely disconnecting idle subscribers will actually cause more signalling traffic within the network, so the value should be relatively high, as per customer requirement. This timeout value helps to optimise the system resources used.

CLI command: context apn ip context-name
Analysis: The IP context name configures the routing context in which the IP pool will be assigned to the subscriber.
Recommendation: It is recommended to leave this command at its default if the APN is configured in the same context as the Gi context where the IP pool is configured.

CLI command: context apn credit-control-group
Analysis: The credit-control-group enables the APN to send CER to the OCS.
Recommendation: It is recommended to leave this command at its default if only one OCS is available. The OCS configuration should also be configured as default.

Table 5-10: APN Audit
5.7 SGSN Audit
The SGSN audit consists of identifying all the related contexts and services required for the SGSN service for GPRS and UMTS. Best practice guidelines are checked for the SGSN service to determine whether there are risks in the current configuration. Furthermore, the audit shall also check the timers used between the SGSN and external node entities. The contexts for the SGSN must be identified as part of the audit process; they can generally be identified based on the services enabled within the context.
5.7.1 Gn Interface
The SGSN service audit covers the primary services you will see enabled on a chassis. Regardless of whether the SGSN is configured for 2G or 3G services, sgtp-service and map-service will always be seen, as the sgtp-service is responsible for handling the GTP messages between the SGSN and GGSN. Although you may have multiple sgtp-services to associate with different services, from a best practice design perspective it is recommended to have a single service for all calls unless otherwise required for customer design reasons.

Gn Interface Configuration
CLI command: context sgtp-service
Analysis: The SGTP service is responsible for handling the PDP requests over the Gn interface towards the GGSN.
Recommendation: It is recommended to configure only one SGTP service, used to identify the SGSN Gn interface to the GGSN.

CLI command: context sgtp-service gtpu echo-interval
Analysis: The GTPU echo interval controls how often echo messages are sent; these serve as the keepalive between the SGSN and GGSN.
Recommendation: It is recommended to set the echo-interval to 60 seconds.

CLI command: context sgtp-service gtpu max-retransmissions
Analysis: The GTPU max-retransmissions determines how many times an echo is sent before the GGSN is considered to be down and active PDP calls are dropped.
Recommendation: It is recommended to set max-retransmissions to 4.

CLI command: context sgtp-service gtpu retransmission-timeout
Analysis: The GTPU retransmission-timeout determines when the retransmissions are marked as having no response.
Recommendation: It is recommended to set retransmission-timeout to 5.

Table 5-11: SGTP Service Audit
5.7.2 Gb Interface
The 2G services required for the SGSN cover the network-service-entity level, which establishes the NSVL associations to the BSC, and the gprs-service, which handles the 2G related calls on the SGSN for the ASR5000.

Gb Interface Configuration
CLI command: network-service-entity nsvl instance
Analysis: The NSVL instance is the association responsible for communicating with the BSC.
Recommendation: It is recommended to configure 4 NSVL instances for maximum redundancy.

CLI command: network-service-entity nsvc-failure-action send-nsstatus clear-nse
Analysis: The NSVC failure-action clear-nse enables the SGSN to clear NSEs if the NSVCs to the BSC are down.
Recommendation: It is recommended to enable the NSVC failure action to send a clear and re-establish the Gb association, since by default failures in the association are not re-established.

Table 5-12: GPRS Service Audit
IuPS Interface Configuration
CLI command: context iups-service
Recommendation: It is recommended to configure only one IuPS service, used to identify the SGSN IuPS interface to the RNC.

Recommendation: It is recommended to disable the echo-interval for the iups-service.

CLI command: context iups-service gtpu max-retransmissions
Analysis: The GTPU max-retransmissions determines how many times an echo is sent before the peer is considered to be down and active calls are dropped.
Recommendation: It is recommended to set max-retransmissions to 4.

CLI command: context iups-service gtpu retransmission-timeout
Analysis: The GTPU retransmission-timeout determines when the retransmissions are marked as having no response.
Recommendation: It is recommended to set retransmission-timeout to 5.

Table 5-13: IuPS Interface Audit

SGSN Service Configuration
CLI command: context sgsn-service gmm T3302-timeout
Analysis: Defines the number of minutes for the timer sent to the MS when an attach fails and the attempt counter is greater than or equal to 5, or a RAU fails and the attempt counter is greater than or equal to 5.
Recommendation: By default, this value is set at 10 minutes, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context sgsn-service gmm T3312-timeout
Analysis: Periodic RAU timer sent to the MS.
Recommendation: By default, this value is set at 54 minutes, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context sgsn-service gmm T3313-timeout
Recommendation: By default, this value is set at 5 seconds, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context sgsn-service gmm T3322-timeout
Analysis: Retransmission timer for the network-initiated detach request.
Recommendation: By default, this value is set at 6 seconds, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context sgsn-service gmm T3350-timeout
Analysis: Retransmission timer for Attach Accept/RAU Accept/P-TMSI reallocation command.
Recommendation: By default, this value is set at 6 seconds, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context sgsn-service gmm T3360-timeout
Analysis: Retransmission timer for Authentication Request.
Recommendation: By default, this value is set at 6 seconds, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context sgsn-service gmm T3370-timeout
Recommendation: By default, this value is set at 6 seconds, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context sgsn-service nri sgsn-address rac lac nri
Recommendation: It is recommended to enable pooling by configuring non-broadcast lac/rac info within the SGSN service.
DNS Configuration
CLI command: ip name-servers
Analysis: Identifies the DNS servers configured for lookup.
Recommendation: It is recommended to have two IP name servers configured.

CLI command: dns-client cache ttl negative / cache ttl positive
Analysis: The cache ttl values determine how long positive or negative query results are cached before the DNS server is queried again.
Recommendation: It is recommended to have the cache ttl value lower than the TTL returned by the DNS server for the configuration to take effect: 86400 seconds for positive and 60 seconds for negative.

Table 5-15: DNS Service Audit
This configuration enables the SGSN to send CAN versions based on the subscriber profile.
SS7 Configuration
CLI command: ss7-routing-domain asp instance
Analysis: The ASP instance defines the process that handles the SCTP endpoint and the messages between the client and server.
Recommendation: It is recommended to configure 4 ASP instances for maximum redundancy.

CLI command: ss7-routing-domain peer-server id psp instance
Analysis: The PSP instance defines the peer servers to which the SCTP messages are sent.
Recommendation: It is recommended to configure 4 PSP instances to avoid potential congestion within the network.

CLI command: ss7-routing-domain peer-server id psp instance psp-mode
Analysis: This configuration identifies whether the PSP mode is server or client based.
Recommendation: It is recommended to configure the PSP mode as server, though this is limited by customer design.

CLI command: ss7-routing-domain peer-server id psp instance timeout m3ua-periodic-destaudit
Recommendation: By default, this value is set at 2 seconds, but it is recommended to tailor this parameter to the SS7 network parameters.

CLI command: ss7-routing-domain peer-server id psp instance timeout sctp-heart-beat
Recommendation: By default, this value is set at 30 seconds, but it is recommended to tailor this parameter to the SS7 network parameters.

CLI command: ss7-routing-domain peer-server id psp instance sctp-rto-min
Analysis: Sets the SCTP minimum retransmission timeout value.
Recommendation: By default, this value is set at 10ms, but it is recommended to tailor this parameter to the SS7 network parameters.

CLI command: ss7-routing-domain peer-server id psp instance sctp-rto-initial
Analysis: Sets the SCTP initial retransmission timeout value.
Recommendation: By default, this value is set at 30 ms, but it is recommended to tailor this parameter to the SS7 network parameters.

CLI command: ss7-routing-domain peer-server id psp instance sctp-rto-max
Recommendation: By default, this value is set at 600ms, but it is recommended to tailor this parameter to the SS7 network parameters.

CLI command: ss7-routing-domain peer-server id psp instance sctp-sack-period units
Analysis: Sets the SCTP selective ACK period.
Recommendation: By default, this value is set at 2ms, but it is recommended to tailor this parameter to the SS7 network parameters.

CLI command: ss7-routing-domain peer-server id psp instance sctp-max-init-retx
Recommendation: By default, this value is set at 10ms, but it is recommended to tailor this parameter to the SS7 network parameters.

CLI command: ss7-routing-domain peer-server id psp instance sctp-max-assoc-retx
Recommendation: By default, this value is set at 10ms, but it is recommended to tailor this parameter to the SS7 network parameters.

CLI command: ss7-routing-domain peer-server id psp instance sctp-max-path-retx
Recommendation: By default, this value is set at 5ms, but it is recommended to tailor this parameter to the SS7 network parameters.

CLI command: ss7-routing-domain peer-server id psp instance sctp-alpha
Recommendation: By default, this value is set at 5ms, but it is recommended to tailor this parameter to the SS7 network parameters.

CLI command: ss7-routing-domain peer-server id psp instance sctp-beta
Recommendation: By default, this value is set at 10ms, but it is recommended to tailor this parameter to the SS7 network parameters.
Operator Policy Configuration
CLI command: operator-policy-name description
Analysis: Operator policies are subscriber policies that handle various call scenarios/profiles.
Recommendation: It is recommended to have descriptions for the operator policies from a best practice perspective.

CLI command: operator-policy-name gtpu fast-path
Analysis: Enables the GTPU fast path feature to route traffic, which reduces CPU cycles and increases NPU cycles.
Recommendation: It is recommended to enable fast-path only if the CPU load is higher than the NPU load. Otherwise, it is recommended that this feature not be used on PSC2 or newer cards, since it reduces CPU cycles and increases NPU cycles, and the NPU is the bottleneck on PSC2 or newer cards.

CLI command: operator-policy-name idle-mode-signaling-reduction
Analysis: The ISR feature is used to reduce the signaling required for idle handsets moving between 3G and 4G networks.
Recommendation: This is a licensed feature that is recommended to reduce signaling messages and improve battery life for UEs moving between 3G and 4G coverage areas when idle.
5.8 MME Audit
The MME audit consists of identifying which services related to the MME are configured on the ASR 5000. Best practice guidelines should be checked against the configuration to identify any risk areas that may result from not following such guidelines. The MME audit covers the various interfaces involved in setting up the MME service, including the S1-MME, S6a, and S10/S11 interfaces. Optionally, the SGs and S13 interfaces are also covered. When support for S3 is made available, this interface will also be included.
S1-MME Interface Configuration

Analysis: The mobile-reachable-timeout is configured in the MME service to set the timer duration (in seconds) after which the reachability procedure is discarded and a reattempt starts. The T3412 and mobile-reachable-timeout timers are both started simultaneously during a periodic TAU. This means that if the MME does not receive a periodic TAU before the T3412 timeout expires, the MME will wait for the mobile-reachable-timeout value to expire 5400 seconds later and then detach the UE.
Recommendation: It is recommended to configure this timeout as 3480 seconds, or 240 seconds longer than the t3412 timeout. As a configuration best practice and per 3GPP TS 24.301 Section 8.5.0, it is recommended to set the mobile-reachable-timeout 4 minutes more than the T3412 value, at 3840 seconds. Since the UE has failed to respond to a periodic TAU, there is no benefit in waiting an additional 90 minutes before disconnecting the call and clearing system resources.

Analysis: The t3412 timeout is configured in the MME service to set the timer used for the periodic tracking area update (PTAU). By default it is configured as 3240 seconds. The T3412 and mobile-reachable-timeout timers are both started simultaneously during a periodic TAU, as described above.
Recommendation: It is recommended to configure this timeout as 3240 seconds, or 240 seconds shorter than the mobile-reachable-timeout.

Analysis: The t3413 timeout is configured in the MME service to set the timer which starts when the MME initiates the EPS paging procedure to the EMM entity in the network and requests the lower layer to start paging. This timer stops when a response to the paging procedure is received from the UE.

Analysis: The t3422 timeout is configured in the MME service to set the timer which starts when the MME initiates the detach procedure by sending a DETACH REQUEST message to the UE and stops upon receipt of the DETACH ACCEPT message.

Analysis: The t3423 timeout is configured and used when the UE enters a 3G network from the 4G network and is deactivated.

Analysis: The implicit-detach-timeout timer starts after the T3240 timeout expires, and the subscriber is implicitly detached from the network if there is no activity. If the T3420 timeout is not supported, the T3412 timeout is used instead, which implies that the mobile-reachable-timeout should equal the implicit-detach-timeout.
Recommendation: It is recommended to configure this timeout as 240 seconds, or have it equal the mobile-reachable-timeout or T3420 timeout. If ISR is enabled, it should be 240 seconds greater than the T3423 timer.

CLI command: context mme-service pgw address
Analysis: The PGW address configuration is used by the MME to statically assign a PGW address for the subscriber.
Recommendation: It is recommended to enable DNS PGW address resolution for redundancy purposes.

CLI command: context mme-service max-paging-attempts
Analysis: This configuration determines how many times the MME will try to page the UE.
Recommendation: The recommended value for max-paging-attempts is 3 or more.

CLI command: context mme-service heuristic-paging paging-map
Analysis: Heuristic paging is a license feature that allows each MME to maintain a list of the n last heard-from eNodeBs inside the TAI for the UE.
Recommendation: It is recommended to enable heuristic-paging to reduce the number of paging attempts by allowing for smarter paging. However, this will also lead to higher voice call setup times. In R14.0, heuristic paging only affects PS pages.

CLI command: context mme-service policy attach set-ue-time enable
Analysis: Configures the MME to set the time in the UE during the Attach procedure.
Recommendation: It is recommended to set policy attach set-ue-time disable, so that the MSC sets the network time, as it is considered more accurate.

Table 5-21: S1-MME Interface Audit
S6a and S13 Interface Configuration
CLI command: context hss peer service auth-request num-auth-vectors
Analysis: Identifies the number of authentication vectors the MME requests from the HSS.
Recommendation: It is recommended to request 3 vectors to reduce the amount of signaling towards the HSS.

CLI command: context hss peer service request timeout
Analysis: Identifies the configured timeout for the application request between the HSS peer service and the HSS node. The MME waits for this duration before retransmitting the request to the corresponding HSS node.
Recommendation: It is recommended to configure this value as 300 seconds or lower.
S10/S11 Service Configuration
CLI command: egtp-service gtpc echo-interval
Analysis: Identifies the duration in seconds between the sending of echo messages, as configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 60 or above, but not disabled.

CLI command: egtp-service gtpc max-retransmissions
Analysis: Identifies the maximum number of retries for packets configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc echo-retransmission-timeout
Analysis: Identifies the echo retransmission timeout, i.e. the duration between echo retransmissions.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc retransmission-timeout
Analysis: Identifies the duration of retransmission timeouts.
Recommendation: It is recommended to configure this value to be 3.

Table 5-23: S10/S11 Interface Audit
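The MME recommendations above chain together: the mobile-reachable-timeout should sit 240 seconds above T3412, the implicit-detach-timeout should be 240 seconds or equal to the mobile-reachable-timeout (or 240 seconds above T3423 when ISR is enabled), and the paging, HSS and eGTP settings from Tables 5-21 to 5-23 each have a stated bound. The Python rule set below is an added example, not part of the guide; the values it checks are constructed, and the dictionary keys are assumed names for values an auditor would extract from the mme-service, hss peer service and egtp-service configuration.

```python
"""Rule-based check of the MME recommendations in Tables 5-21 to 5-23.
Added example; the values below are constructed, the key names assumed."""

# Constructed audit input: a chassis left at the guide's quoted defaults
# (T3412 = 3240 s, mobile-reachable-timeout = 5400 s) plus a few other
# non-recommended settings. None means the keyword is absent/disabled.
SAMPLE_MME = {
    "t3412-timeout": 3240,
    "mobile-reachable-timeout": 5400,
    "implicit-detach-timeout": 3480,
    "isr-enabled": False,
    "t3423-timeout": None,
    "max-paging-attempts": 2,
    "heuristic-paging": False,
    "set-ue-time": "enable",
    "num-auth-vectors": 1,
    "hss-request-timeout": 600,
    "gtpc-echo-interval": 60,
    "gtpc-max-retransmissions": 5,
    "gtpc-echo-retransmission-timeout": 4,
    "gtpc-retransmission-timeout": 3,
}


def recommended_mme(t3412=3240):
    """Derive the timer set the guide recommends for a given T3412."""
    return {"t3412-timeout": t3412,
            "mobile-reachable-timeout": t3412 + 240,
            "implicit-detach-timeout": t3412 + 240}


def audit_mme(v):
    """Return a list of findings; an empty list means every rule passed."""
    f = []
    t3412 = v["t3412-timeout"]
    mrt = v["mobile-reachable-timeout"]
    idt = v["implicit-detach-timeout"]
    # Table 5-21: mobile-reachable-timeout = T3412 + 240 s; otherwise a UE
    # that missed its periodic TAU lingers until the longer timer expires.
    if mrt != t3412 + 240:
        f.append(f"mobile-reachable-timeout {mrt} s should be T3412 + 240 s "
                 f"= {t3412 + 240} s")
    # implicit-detach-timeout: 240 s or equal to mobile-reachable-timeout;
    # with ISR enabled it must sit 240 s above T3423.
    if v["isr-enabled"]:
        t3423 = v["t3423-timeout"]
        if t3423 is None or idt != t3423 + 240:
            f.append("implicit-detach-timeout should be 240 s greater than "
                     "T3423 when ISR is enabled")
    elif idt not in (240, mrt):
        f.append(f"implicit-detach-timeout {idt} s should be 240 s or equal "
                 f"mobile-reachable-timeout ({mrt} s)")
    if v["max-paging-attempts"] < 3:
        f.append("max-paging-attempts should be 3 or more")
    if not v["heuristic-paging"]:
        f.append("heuristic-paging not enabled")
    if v["set-ue-time"] != "disable":
        f.append("policy attach set-ue-time should be disable (MSC sets time)")
    # S6a/S13 table.
    if v["num-auth-vectors"] != 3:
        f.append("auth-request num-auth-vectors should be 3")
    if v["hss-request-timeout"] > 300:
        f.append("hss request timeout should be 300 s or lower")
    # Table 5-23 (S10/S11 eGTP service).
    echo = v["gtpc-echo-interval"]
    if echo is None or echo < 60:
        f.append("gtpc echo-interval should be 60 or above and not disabled")
    if v["gtpc-max-retransmissions"] > 4:
        f.append("gtpc max-retransmissions should be 4 or lower")
    if v["gtpc-echo-retransmission-timeout"] > 4:
        f.append("gtpc echo-retransmission-timeout should be 4 or lower")
    if v["gtpc-retransmission-timeout"] != 3:
        f.append("gtpc retransmission-timeout should be 3")
    return f


if __name__ == "__main__":
    print("\n".join(audit_mme(SAMPLE_MME)))
```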
5.8.4 S3 Interface
This is the interface used by the MME to communicate with S4-SGSNs on the same PLMN for interworking between GPRS/UMTS and LTE network access technologies. This interface serves as the signalling path for establishing and maintaining subscriber UE contexts.
S3 Interface Configuration
CLI command: egtp-service isr-capability
Analysis: This configuration enables the ISR functionality for the S3 interface. However, this configuration is also required on the SGSN, MME, SGW and HSS across the entire network to activate ISR for the UE.
Recommendation: This is a licensed feature that is recommended to the customer to reduce signaling for UEs moving between 3G and 4G networks, which improves user experience by saving battery life.

CLI command: operator-policy-name idle-mode-signaling-reduction
Analysis: The ISR feature is used to reduce the signaling required for idle handsets moving between 3G and 4G networks.
5.9 SGW Audit
The SGW audit consists of identifying the SGW related services configured on the ASR 5000. Best practice guidelines should be checked against the configuration to identify any risk areas that may result from not following such guidelines. The design of the SGW can vary greatly from deployment to deployment, based on how many collocated services are configured on the node. Identifying the context and how the interfaces are intended to route is a must.

SGW Service Configuration

Analysis: The egress EGTP service for the SGW configuration handles the control packets to the PGW.
Recommendation: It is recommended to configure the EGTP service for egress traffic of the SGW in the same context as the PGW service for a SAE-GW node. Based on context design, this enables the traffic to traverse contexts internally instead of going over the interface, which would otherwise cause signaling traffic to leave the interface just to reach another context on the same system.

CLI commands: context sgw-service path-failure s11 signal-peer; context sgw-service path-failure s5 signal-peer; context sgw-service path-failure s1u signal-peer; context sgw-service path-failure s5u signal-peer; context sgw-service path-failure s4 signal-peer; context sgw-service path-failure s4u signal-peer; context sgw-service path-failure s12 signal-peer
Analysis: Determines the path failure handling mechanism of the SGW service for the S11, S5, S1u, S5u, S4, S4u and S12 interfaces respectively.
Recommendation: For each of these interfaces it is recommended to configure the path failure action as signal-peer, to notify the external systems that we are explicitly detaching/clearing the call.

Table 5-28: SGW Service Audit
5.9.2 S4-SGSN
The S4 interface defines the communication between the SGW and the SGSN.

eGTP Service Configuration
CLI command: egtp-service gtpc echo-interval
Analysis: Identifies the duration in seconds between the sending of echo messages, as configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 60 or lower, but not disabled.

CLI command: egtp-service gtpc max-retransmissions
Analysis: Identifies the maximum number of retries for packets configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc echo-retransmission-timeout
Analysis: Identifies the echo retransmission timeout, i.e. the duration between echo retransmissions.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc retransmission-timeout
Analysis: Identifies the duration of retransmission timeouts.
Recommendation: It is recommended to configure this value to be 3.

Table 5-30: S4 SGSN Audit
Recommendation: It is recommended for the GGSN and EGTP ingress services to have the same IP addresses for the control and user plane, to simplify the design, unless there is a design requirement to split them into separate IPs.
Recommendation: It is recommended to configure the interface based on the IP type of the pools and, ideally, to have redundant interfaces (two logical interfaces) to route IP traffic. It is recommended to configure all pools as PRIVATE to avoid the scenario where a PUBLIC pool gets assigned to an APN by default. It is recommended to configure a group-name for multiple pools to simplify the configuration; it can also simplify the design if IP pool names are passed back from a RADIUS server. It is not recommended to use this feature, as a context has an inherent limit of 2000 routes in its IP table.
5.10.2.1 APN Audit
The APN audit identifies where the subscribers will connect to. APNs are generally classified as consumer APNs and corporate APNs. This is usually determined by the naming convention of the APN. Identifying the APN type is necessary, as the service between a corporate and a consumer APN is generally very different between service providers. All the services related to a subscriber are configured at the APN level.

APN Configuration
CLI command: context apn virtual-apn gcdr apn-name-to-be-included Gn
Analysis: Virtual-APN GCDR apn-name-to-be-included Gn applies the Gn APN within the GCDR records.
Recommendation: It is recommended to use the Gn APN to identify the source of the PDP request, unless there is a mediation reason why the Gi APN is used in the billing records.

CLI command: context apn aaa group
Analysis: The AAA group assigns the RADIUS authentication/accounting server to be used by the APN.
Recommendation: It is mandatory to have the AAA group configured in the same context as the APN.

CLI command: context apn ip access-group * in / ip access-group * out
Analysis: The IP access-group for in/out traffic is used to apply permit/deny/redirect rules to subscriber traffic accessing this APN.
Recommendation: It is recommended to configure ACLs within the same context as the APNs, as ACLs are not global configurations.

CLI command: context apn ip source-violation ignore
Analysis: Source-violation enables the APN to check for IP spoofing. This feature checks whether the subscriber's assigned IP matches the traffic being received and, by default, drops the call if 10 invalid packets are found.
Recommendation: It is recommended to ignore this command, as dongles are commonly connected to APNs with a concurrent Internet connection, which will cause this rule to be hit by default and drop the call, affecting user experience.

CLI command: context apn mediation-device
Analysis: Mediation-device enables the APN to send accounting requests to a mediation-type RADIUS server.
Recommendation: It is recommended to use mediation-device for RADIUS accounting servers.

CLI command: context apn ip context-name
Analysis: The IP context name configures the routing context in which the IP pool will be assigned to the subscriber.
Recommendation: It is recommended to leave this command at its default if the APN is configured in the same context as the Gi context where the IP pool is configured.

CLI command: context apn bearer-control-mode
Analysis: Enables or disables the bearer control mode for network controlled QoS (NCQoS) through this APN. It also controls the sending of an IE in GTP messages.
Recommendation: It is recommended to configure bearer-control-mode as mixed, to allow both the UE and the GGSN to control the network controlled QoS.

CLI command: context apn timeout absolute/idle
Analysis: Absolute timeout disconnects the subscriber when the timer ends. Idle timeout disconnects the subscriber when the timer ends after the subscriber has started idling.
Recommendation: It is recommended to disable all TIMEOUT parameters on the APN, as LTE networks and UEs are designed to be always-on devices. Timing out the subscriber will make them reconnect immediately and use up more resources throughout the network as a result.

CLI command: context apn dns
Analysis: Configures the DNS server to allow for host name resolution for the PDN.
Recommendation: It is recommended to configure two DNS servers for primary and secondary resolution.

Table 5-35: APN Audit
5.11.1 RP Interface
The PDSN service audit identifies where the PDSN service is enabled within a context. The service will be identified to determine whether multiple PDSN services are configured as required by customer requirements and by the logical design of the control and user plane. The context where the PDSN service resides can be identified as the RP, where the A11 requests from the PCF enter from the network.

PDSN Service Configuration

CLI command: context pdsn-service spi remote-address description
Analysis: A description can be inserted into the SPI remote address.
Recommendation: It is recommended to configure a description for all remote addresses.

Analysis: Configures whether the FA service looks for a Mobile Network-Home Agent (MN-HA) authentication extension in the RRP.
Recommendation: It is not recommended to configure this CLI, as it bypasses the authentication process, which can cause security concerns. If the allow-noauth option is used in conjunction with commands specifying other authentication protocols and priorities, it is suggested to give allow-noauth the lowest priority.

Analysis: Sets the parameters for IP source validation. Source validation is useful if packet spoofing is suspected or for verifying packet routing and labelling within the network.
Recommendation: It is recommended to enable source-violation to prevent IP spoofing. The recommended value is 10 packets.

CLI command: … valid-packet
Analysis: Sets the parameter to clear the source violation for a subscriber if a valid packet is received.
Recommendation: It is recommended to clear source-violation packets upon receiving a valid packet.

CLI command: context pdsn-service gre sequence-mode none
Analysis: Configures how incoming out-of-sequence GRE packets should be handled.
Recommendation: It is recommended by Cisco to use reorder mode for the GRE sequence to handle out-of-order packets gracefully within a call and prevent a full tear-down and retry of an existing call.

CLI command: context pdsn-service spi timestamp-tolerance
Analysis: Identifies the allowable difference (tolerance) in timestamps that is acceptable.
Recommendation: It is recommended to configure the timestamp tolerance to 65535.

CLI command: context pdsn-service pcf-monitor
Analysis: A licensed feature from Cisco that monitors the PCF to determine whether it is down by sending ICMP echo requests. If the PCF is determined to be down, the related sessions are torn down and the corresponding AAA requests are sent.
Recommendation: It is recommended to enable this license-specific feature to remove stale sessions and to reduce the use of CPU cycles, memory resources and user licenses.

CLI command: context subscriber pdsn-service ip header-compression
Analysis: This configuration enables IP header compression for the default subscriber's IP traffic.

Analysis: This command enables a PDSN service to hand off sessions between Closed-RP and RP connections.
Recommendation: It is recommended to enable Closed-RP to RP handoff by default if both pdsn-service and pdsn closedrp-service are configured in the same chassis/network.

Analysis: This configuration enables the tunnel reassembly optimization used for fragmented large packets passed between the HA and the FA.
Recommendation: It is recommended to disable this feature. This command applies to very specific scenarios where packet reassembly is not supported at the far end of the tunnel. There are cases where the destination network may either discard the data or be unable to reassemble the packets.
5.11.2 Pi Interface
The Pi interface defines the communication between the PDSN and the external PDN. The Pi interface is configured within the PDN context and is logically bound together by the subscriber template configuration. This interface is implicitly referenced based on how the IP pools defined and bound to the subscriber are configured.

Table 5-37: Pi Interface Audit

CLI command: context interface ip-address IPv4/IPv6
Analysis: The Pi interface is routed based on the available IP pools within the same context. The interface should be in either IPv4 or IPv6 format depending on the pools configured. Private pools are assigned only if the subscriber defaults are configured with the pool name.
Recommendation: It is recommended to configure the interface based on the IP type of the pools and to have redundant interfaces, ideally two logical interfaces, to route IP traffic. It is recommended to configure all pools as PRIVATE to avoid the scenario where a PUBLIC pool gets assigned to a subscriber by default. However, if there are multiple subscriber templates without an IP assigned, then this recommendation can be ignored.

CLI command: context ip pool group-name
Analysis: Group-names can be used to group together common pools.
Recommendation: It is recommended to configure a group-name for multiple pools to simplify the configuration. It can also simplify the design if IP pool names are passed back from a RADIUS server.

CLI command: context ip pool explicit-route-advertise
Analysis: Explicit-route-advertise creates a /32 host route when a subscriber connects to the pool.
Recommendation: It is not recommended to use this feature, as a context has an inherent limit of 2000 routes in its IP table.

5.11.2.1 Subscriber Template Audit

The subscriber template audit identifies where the subscribers will connect to. Subscriber templates are generally classified as consumer usernames and corporate usernames; this is usually determined by the naming convention of the username. Identifying the username type is necessary, as the service offered to corporate and consumer usernames generally differs considerably between service providers. All the services related to a subscriber are configured at the subscriber template level.

Subscriber Template Configuration

CLI command: context subscriber aaa group
Analysis: The AAA group assigns the RADIUS authentication/accounting server to be used by the subscriber.
Recommendation: It is recommended that the AAA group be configured in the same context as the subscriber.

CLI command: context subscriber ip access-group * in / ip access-group * out
Analysis: The IP access-group for in/out traffic is used to apply permit/deny/redirect rules to subscriber traffic accessing this subscriber.
Recommendation: It is recommended to configure ACLs within the same context as the subscribers, as ACLs are not global configurations.

CLI command: context subscriber ip context-name
Analysis: The IP context name configures the routing context in which the IP pool will be assigned to the subscriber.
Recommendation: It is recommended to leave this command at its default if the subscriber is configured in the same context as the Pi context where the IP pool is configured.

CLI command: context subscriber credit-control-group
Analysis: The credit-control-group enables the subscriber to send CER to the OCS.
Recommendation: It is recommended to leave this command at its default if only one OCS is available. The OCS configuration should also be configured as default.

CLI command: context subscriber dns
Analysis: Configures the DNS server to allow for host name resolution for the PDN.
Recommendation: It is recommended to configure two DNS servers for primary and secondary resolution.
5.12 FA Audit
The FA audit consists of identifying all the related contexts and services required for the FA service. Best practice guidelines are checked for the FA service to determine whether there are risks in the current configuration. Furthermore, the audit also checks the timers used between the FA and the HA. The contexts for the FA must be identified as part of the audit process; they can generally be identified based on the services enabled within the context.
5.12.1 FA Service
FA-Service Configuration

CLI command: context fa-service spi description
Analysis: A description can be inserted into the SPI remote address.
Recommendation: It is recommended to configure a description for all remote addresses.

CLI command: context fa-service authentication mn-ha allow-noauth
Analysis: Configures whether the FA service looks for a Mobile Network-Home Agent (MN-HA) authentication extension in the RRP.
Recommendation: It is recommended to always check for the extension to prevent unauthorized access to your network.

CLI command: context fa-service authentication mn-aaa renew-and-dereg-noauth
Analysis: This command disables the authentication request upon re-registration and de-registration.
Recommendation: It is recommended to enable this command to reduce the amount of signalling retries for a previously registered mobile.

CLI command: context fa-service reg-timeout
Analysis: Timeout parameter for the registration request. In common deployments, if the response is not seen within 3 seconds, the outcome is unlikely to change by waiting longer than 3 seconds.
Recommendation: It is recommended by Cisco to reduce the timeout from 7 seconds to 3 seconds in order to reduce the time for which the ASR5000 holds system resources for a registration request that has likely timed out.

CLI command: context fa-service spi timestamp-tolerance
Analysis: Identifies the allowable difference (tolerance) in timestamps that is acceptable.
Recommendation: It is recommended to configure the timestamp tolerance to 65535.

CLI command: context ip identification packet-size-threshold
Analysis: This configuration sets the upper limit of the IP packet size that is considered fragmentable and assigns a unique non-zero identifier to IP encapsulation headers, such as the MIP data tunnel, to better handle fragmented packets internally on the ASR5000.
Recommendation: It is recommended to configure this value to 1400, which equals the MTU on the logical interface.

Analysis: By default, enabling this command allows the FA to accept stale challenges regardless of the ID field or whether other RRQs are pending. By ignoring the challenge, it prevents a potential race condition where a new challenge can be sent while an older challenge is still being processed. Furthermore, this can also have signalling benefits by reusing older RADIUS responses instead of retrying based on the stale challenge.
Recommendation: It is recommended to change this command from no ignore-stale-challenge to ignore-stale-challenge, based on the known benefits of this feature as observed in other CDMA networks.

Analysis: Allows FA services to accept new calls and drop the existing call when the new call requests an IP address that is already in use by an existing call.
Recommendation: It is recommended to enable this configuration as accept.

Analysis: This configuration enables the tunnel reassembly optimization used for fragmented large packets passed between the HA and the FA.
Recommendation: It is recommended to disable this feature. This command applies to very specific scenarios where packet reassembly is not supported at the far end of the tunnel. There are cases where the destination network may either discard the data or be unable to reassemble the packets.
5.13 HA Audit
The HA audit consists of identifying the HA-related services configured on the ASR 5000. Best practice guidelines should be checked against the configuration to identify any risk areas that may result from not following such guidelines.
5.13.1 Pi Interface
The packet interface (Pi) is the communications path between the PDSN/Foreign Agent (PDSN/FA) and the Home Agent (HA) for Mobile IP applications.

Table 5-40: Pi Interface Audit

CLI command: context ha-service fa-ha-spi remote-address description
Analysis: A description can be inserted into the SPI remote address.
Recommendation: It is recommended to configure a description for all remote addresses.

CLI command: context ha-service authentication mn-ha allow-noauth
Analysis: Configures whether the HA service looks for a Mobile Network-Home Agent (MN-HA) authentication extension in the RRP.
Recommendation: It is recommended to always check for the extension to prevent unauthorized access to your network.

CLI command: context ha-service authentication mn-aaa renew-and-dereg-noauth
Analysis: This command disables the authentication request upon re-registration and de-registration.
Recommendation: It is recommended to enable this command to reduce the amount of signalling retries for a previously registered mobile.

CLI command: context ha-service reg-lifetime
Recommendation: It is recommended by Cisco to configure the reg-lifetime to be 600 or more, but equal to or less than what the handsets are requesting, to control the registration lifetime within your network.

CLI command: context ha-service fa-ha-spi timestamp-tolerance
Recommendation: It is recommended to configure the timestamp tolerance to 65535.
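As an added example (not from this guide or Cisco), the following Python script checks a configuration dump against the APN recommendations of Table 5-35 and the FA/HA service recommendations of the FA-Service table and Table 5-40: it flags mn-ha allow-noauth, a missing renew-and-dereg-noauth, reg-timeout above 3, reg-lifetime below 600, a timestamp tolerance other than 65535, enabled APN timeouts, a missing ignore on source-violation, a bearer-control-mode other than mixed, fewer than two DNS servers, and an AAA group not defined in the APN's own context. The indented sample configuration with its names and addresses is constructed and only approximates StarOS syntax.

```python
"""Check a StarOS-style ASR 5000 config dump against this guide's APN and FA/HA
recommendations.  Added example, not Cisco code; the syntax is approximated."""
import re

# Constructed sample (hypothetical names/addresses); not taken from a real system.
SAMPLE_CONFIG = """\
context Gi
  aaa group default
  apn internet.example
    aaa group default
    ip source-violation ignore
    bearer-control-mode mixed
    dns primary 10.0.0.10
    dns secondary 10.0.0.11
  #exit
  apn corp.example
    aaa group corp-aaa
    bearer-control-mode ue-only
    timeout idle 3600
    dns primary 10.0.0.10
  #exit
#exit
context Pi
  fa-service fa1
    authentication mn-ha allow-noauth
    reg-timeout 7
    spi timestamp-tolerance 60
  #exit
  ha-service ha1
    reg-lifetime 300
  #exit
#exit
"""

def parse(text):
    """Build (command, children) blocks from indentation; '#exit' lines are skipped."""
    root, stack = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and indent <= stack[-1][0]:  # leave deeper or sibling blocks
            stack.pop()
        node = (raw.strip(), [])
        (stack[-1][1] if stack else root).append(node)
        stack.append((indent, node[1]))
    return root

def sub(children, prefix):
    """Child blocks whose command starts with prefix."""
    return [(h, c) for h, c in children if h.startswith(prefix)]

def audit_apn(ctx_cmds, name, cmds):
    """APN checks from Table 5-35: AAA group, source-violation, BCM, timeouts, DNS."""
    f = []
    defined = [c.split()[2] for c in ctx_cmds if c.startswith("aaa group ")]
    used = [c.split()[2] for c in cmds if c.startswith("aaa group ")]
    if not used or used[0] not in defined:
        f.append("aaa group missing or not defined in the same context")
    if "ip source-violation ignore" not in cmds:
        f.append("ip source-violation is not set to ignore")
    if "bearer-control-mode mixed" not in cmds:
        f.append("bearer-control-mode is not mixed")
    for c in cmds:
        m = re.match(r"timeout (absolute|idle) (\d+)$", c)
        if m and int(m.group(2)) != 0:
            f.append(f"timeout {m.group(1)} {m.group(2)} is enabled")
    dns = sum(c.startswith("dns ") for c in cmds)
    if dns < 2:
        f.append(f"only {dns} DNS server(s) configured")
    return [f"apn {name}: {x}" for x in f]

def audit_mip_service(header, cmds):
    """FA/HA checks: no allow-noauth, renew-and-dereg-noauth, timers, tolerance."""
    f = []
    if "authentication mn-ha allow-noauth" in cmds:
        f.append("mn-ha allow-noauth bypasses the MN-HA authentication extension")
    if "authentication mn-aaa renew-and-dereg-noauth" not in cmds:
        f.append("renew-and-dereg-noauth not enabled")
    for c in cmds:
        tol = re.search(r"timestamp-tolerance (\d+)", c)
        if tol and int(tol.group(1)) != 65535:
            f.append(f"timestamp-tolerance {tol.group(1)} (guide: 65535)")
        t = re.match(r"reg-timeout (\d+)$", c)
        if t and header.startswith("fa-service") and int(t.group(1)) > 3:
            f.append(f"reg-timeout {t.group(1)} (guide: 3 seconds)")
        lt = re.match(r"reg-lifetime (\d+)$", c)
        if lt and header.startswith("ha-service") and int(lt.group(1)) < 600:
            f.append(f"reg-lifetime {lt.group(1)} (guide: 600 or more)")
    return [f"{header}: {x}" for x in f]

def audit(text):
    """Run every check over a config dump; one finding string per deviation."""
    findings = []
    for _, ctx in sub(parse(text), "context "):
        ctx_cmds = [h for h, _ in ctx]
        for h, kids in sub(ctx, "apn "):
            findings += audit_apn(ctx_cmds, h.split()[1], [k for k, _ in kids])
        for h, kids in sub(ctx, "fa-service ") + sub(ctx, "ha-service "):
            findings += audit_mip_service(h, [k for k, _ in kids])
    return findings
```

Running audit(SAMPLE_CONFIG) reports nothing for internet.example and one finding per deviation for corp.example, fa1 and ha1.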
5.13.2.1 Subscriber Template Audit

The subscriber template audit identifies where the subscribers will connect to. Subscriber templates are generally classified as consumer usernames and corporate usernames; this is usually determined by the naming convention of the username. Identifying the username type is necessary, as the service offered to corporate and consumer usernames generally differs considerably between service providers. All the services related to a subscriber are configured at the subscriber template level.

Subscriber Template Configuration

CLI command: context subscriber aaa group
Analysis: The AAA group assigns the RADIUS authentication/accounting server to be used by the subscriber.
Recommendation: It is recommended that the AAA group be configured in the same context as the subscriber.

CLI command: context subscriber ip access-group * in / ip access-group * out
Analysis: The IP access-group for in/out traffic is used to apply permit/deny/redirect rules to subscriber traffic accessing this subscriber.
Recommendation: It is recommended to configure ACLs within the same context as the subscribers, as ACLs are not global configurations.

CLI command: context subscriber ip context-name
Analysis: The IP context name configures the routing context in which the IP pool will be assigned to the subscriber.
Recommendation: It is recommended to leave this command at its default if the subscriber is configured in the same context as the Pi context where the IP pool is configured.

CLI command: context subscriber credit-control-group
Analysis: The credit-control-group enables the subscriber to send CER to the OCS.
Recommendation: It is recommended to leave this command at its default if only one OCS is available. The OCS configuration should also be configured as default.

CLI command: context subscriber dns
Analysis: Configures the DNS server to allow for host name resolution for the PDN.
Recommendation: It is recommended to configure two DNS servers for primary and secondary resolution.
CLI command: context hsgw-service setup-timeout
Analysis: Maximum timeout allowed for session setup.
Recommendation: It is recommended to configure the timeout as 5 seconds.

CLI command: context hsgw-service retransmission-timeout
Analysis: Configures the timeout period for retransmission of RP control packets.
Recommendation: It is recommended to configure this value as 3 or less, but not disabled.
In particular, if VoLTE needs to support video calls, the video-sessions rules must be configured; the calls will be rejected otherwise.

P-CSCF Service Policy Configuration

CLI command: context cscf policy name service-policy-rules authorization early-bandwidth
Analysis: Enables early bandwidth authorization in the P-CSCF, in SDP, when communicating with an external policy server via Rx. When authorization early-bandwidth is enabled, the P-CSCF will try to reserve bandwidth when it receives the INVITE (call initiation). If disabled, the bandwidth reservation will be done upon receiving the 200 OK.
Recommendation: It is recommended to enable early bandwidth authorization so that the AAR is sent during the offer (INVITE).

CLI command: context cscf policy name service-policy-rules video-sessions
Analysis: Identifies the CSCF policy that allows video bearers.
Recommendation: It is recommended to enable this CLI for video bearers.

CLI command: context cscf service max-sip-msg-size
Analysis: Identifies the maximum SIP message size.
Recommendation: It is recommended to keep the maximum SIP message size at 65535 bytes to avoid dropping messages, so that the UE or AS can send large SIP messages.

CLI command: context cscf service session-timer
Analysis: Identifies the session expiry for sessions in the P-CSCF. The caller and the called party need to exchange an UPDATE or INVITE message within this timer during a call. If one of the parties does not receive an UPDATE or INVITE message for session refresh, the call is disconnected. It is a mechanism to prevent over-charging of a subscriber.
Recommendation: It is recommended to configure this value as 5 minutes for session recovery. This value should be the same as or less than the value configured in the S-CSCF, although the best value should be chosen by the operator according to their charging and redundancy policies.
Table 5-46: P-CSCF Access Profile Audit

Recommendation: It is recommended to enable the strongest algorithm, such as AKAv1, for user authentication.

CLI command: cscf access-profile name pcrf-policy-control
Recommendation: PCRF interworking should be enabled or disabled based on the access network type.

Recommendation: It is recommended to configure a 3 second interval after which a Diameter policy control request is considered timed out.

Recommendation: It is recommended to enable the subscription by which the P-CSCF/A-BG sends an AAR to the external PCRF via the Rx interface after UE registration.

Recommendation: It is recommended to set the policy to session-continue, so that the P-CSCF continues the session in case of a failure from the PCRF.

Analysis: Identifies the CSCF policy that configures the maximum number of concurrent sessions allowed per subscriber.

Analysis: Identifies the CSCF policy that configures QoS bandwidth settings for uplink and downlink when the SDP does not contain bandwidth.
Analysis: Identifies the readdress criteria for URI translations. A number that matches local belongs to a subscriber in this domain, and the I-CSCF needs to query LIR/LIA to find the exact S-CSCF address. A number that matches emergency is an emergency number such as 911, and the P-CSCF needs to route this call to the E-CSCF. A number that matches none is outside this domain and needs to be routed to the MGCF or IBCF according to the CSCF routes table.
Analysis: Identifies how the action adjusts a target address to route sessions to the appropriate locations.
Recommendation: It is recommended to use translation type local, none or emergency according to the call flow and purpose.
Recommendation: It is recommended to configure the proper action for the operator's numbering plan for number translation.
CLI command: cscf ifc-spt-condition
Analysis: Service Point Trigger (SPT) condition for SiFC functionality, which is associated with an SPT group in the iFC SPT group configuration mode.
HSS Interworking Configuration

Table 5-54: HSS Interworking Audit

CLI command: context aaa group diameter authentication request-timeout
Analysis: Identifies how long the system will wait for a response from the HSS.
Recommendation: It is recommended to configure a 3 second wait for a response from a Diameter server before re-transmitting the request.

5.16.5.2 CDF Interworking Audit

CDF Interworking Configuration

CLI command: context aaa group diameter accounting request-timeout
Analysis: Identifies how long the system will wait for a response from the CDF.
Recommendation: It is recommended to configure a 3 second wait for a response from a Diameter server before re-transmitting the request.

CLI command: context aaa group diameter accounting hd-mode
Analysis: Identifies whether records are copied to the local HDD if the CDF server is down or unreachable.
Recommendation: It is recommended to enable this CLI, which avoids the loss of records in case Diameter server connectivity is down or unreachable. The CDF will pull the records that were copied to the local HDD through SFTP.

CLI command: context aaa group diameter accounting hd-storage-policy
Recommendation: It is recommended to configure this CLI, which enables the storage of Rf Diameter messages to the HDD in case all CDFs are down or unreachable.
S-CSCF Service Configuration

Table 5-56: S-CSCF Service Audit

CLI command: context cscf service max-sip-msg-size
Analysis: Identifies the maximum SIP message size. The maximum SIP message size should be more than the message-maxsize set.
Recommendation: It is recommended to keep the maximum SIP message size at 65535 bytes to avoid dropping messages, so that the UE or AS can send large SIP messages.

CLI command: context cscf service charging
Analysis: Identifies Rf charging in this CSCF service for SIP messages.
Recommendation: It is recommended to enable charging for Session Initiation Protocol (SIP) messages.

CLI command: context cscf service charging exclude
Analysis: Identifies SIP requests to exclude from Rf charging.
Recommendation: It is recommended to exclude SIP requests such as NOTIFY, SUBSCRIBE, UPDATE and REGISTER from Rf charging, although the excluded messages should be chosen by the operator depending on their design.

CLI command: context cscf service policy accounting interim-interval
Analysis: Identifies the Interim-Interval value for CSCF accounting sessions. This value is sent in the Acct-Interim-Interval AVP of the ACR message. However, the interim-interval timer is started based on the value in the response message from the CDF.
Recommendation: It is recommended to configure the policy accounting interim interval to 60.

CLI command: context cscf service session-timer
Analysis: Identifies the session expiry for sessions in the S-CSCF. This value should be the same as or less than the value configured in the P-CSCF.
Recommendation: It is recommended to configure this value as 5 minutes for session recovery. This value should be the same as or greater than the value configured in the P-CSCF, although the best value should be chosen by the operator according to their charging and redundancy policies.

CLI command: context cscf service trust-domain-entity
Analysis: Identifies trusted network nodes around the S-CSCF. This CLI can be entered multiple times to identify multiple trusted network entities.
Recommendation: All IMS nodes around the CSCF should be configured as trust domain entities. If not, some headers would be omitted per the 3GPP standard.
Serving CSCF Configuration

Table 5-57: Serving CSCF Audit

CLI command: context cscf service serving-cscf authentication allow-noauth invite
Analysis: Identifies whether S-CSCF service is allowed if authentication fails on specific SIP requests.
Recommendation: It is recommended to configure authentication allow-noauth invite to avoid authentication for INVITE requests, although the requests should be chosen by the operator depending on their design.

CLI command: context cscf service serving-cscf authentication aka-v1
Analysis: Identifies the AKA-V1 algorithm as the authentication type of the S-CSCF. The value specifies a preference; the lower the value, the higher the preference.
Recommendation: It is recommended to configure the strongest authentication algorithm, such as AKA-V1, at the highest preference.

CLI command: context cscf service serving-cscf sip-header insert
Analysis: Identifies SIP header insertion for the S-CSCF. It contains the private user ID of the user sending the REGISTER request, to be added in the REGISTER message toward the AS during third-party registration.
Recommendation: It is recommended to enable the custom header p-cust1-pridinfo in the SIP REGISTER message.

CLI command: context cscf service serving-cscf sifc
Analysis: Identifies Shared Initial Filter Criteria (SiFC), in which subsets of iFC may be shared by several service profiles. To use this CLI, the HSS must also support this feature.
Recommendation: It is recommended to enable this feature depending on the operator's design; it is required to keep the local databases in the S-CSCFs and HSSs consistent.

CLI command: context cscf service serving-cscf registration lifetime
Analysis: Identifies a registration lifetime for all subscribers to the S-CSCF.
Recommendation: It is recommended to configure the default settings for the registration lifetime.
Table 5-58: HSS Endpoint Audit

CLI command: diameter endpoint watchdog-timeout
… server. … seconds to get a response from the destination.
6. OSS Audit
As part of the OSS audit, we can identify what external devices are configured and integrated simply by looking through the configuration and identifying portions specific to OSS integration. We can also identify whether WEM and MUR are used in the network. For generic OSS integration, the OSS audit checks whether an SNMP server and an NTP server are configured. At a minimum, these two configurations should be done so that traps are sent to an external NMS and clocks are synchronized externally for DST and billing.

Table 6-1: OSS Audit

CLI command: snmp target
Analysis: This configuration enables the system to send traps to an NMS for monitoring, such as WEM at a minimum.
Recommendation: It is recommended to configure at least one SNMP target location.

CLI command: snmp trap-timestamps
Analysis: It is recommended to enable TRAP timestamps to be sent with the alarms to properly identify alarms for duplication.
Recommendation: If WEM is configured, it is recommended to enable this timestamp, as WEM uses the timestamp to identify duplicate alarms within the alarm database.

CLI command: ntp
Analysis: This configuration enables using NTP servers for time synchronization.
Recommendation: It is recommended to configure at least two NTP servers, with one being the primary.
6.1 MUR Audit
The MUR audit checks whether MUR has been configured. This can be determined by looking for the edr-module configuration, which enables the pushing of EDRs from the ASR5000 to the MUR server. However, it is possible that a customer may be using the push functionality for other purposes such as billing and mediation, so it can only be confirmed by also checking the configuration against the EDR formats as part of ECS in the following sections.

Table 6-2: MUR Audit

CLI command: context edr-module reporting file rotation volume
Analysis: Completes the file based on file volume.
Recommendation: The rotation volume is recommended to be larger than 50MB.

CLI command: context edr-module file rotation time
Analysis: Completes the file based on file duration.
Recommendation: The rotation time is recommended to be larger than 300 seconds.

CLI command: context edr-module file storage-limit
Analysis: Starts deleting files when the specified number of bytes is used for storage.
Recommendation: The storage limit is recommended to be larger than 10MB.

CLI command: context edr-module cdr remove-file-after-transfer
Analysis: This configuration removes the CDR file from the HDD after it has been transferred.
Recommendation: It is recommended to remove the file after a successful transfer to prevent build-up on the HDD.

CLI command: context edr-module cdr use-harddisk
Recommendation: It is recommended to use the hard disk to store the files prior to transferring.
6.2 WEM Audit
The WEM audit checks whether WEM is configured and used by looking for the orbem configuration and the bulkstat configuration for file 1. The gather interval should be noted, as it is most common to have this value set to 5 or 15. However, some functionality on WEM will not work properly with all collection intervals, such as the generation of XML files with a gather interval of 5, or WEM threshold alarms with a gather interval of 15.

WEM Configuration

CLI command: bulkstat historical
Analysis: Enables historical bulkstats, allowing historical counters to be properly populated.
Recommendation: It is recommended to enable this configuration so that historical bulkstats can be properly captured in the statistics.

CLI command: bulkstat collection file 1
Analysis: Identifies the file to be used for sending bulkstats.
Recommendation: It is recommended to use/reserve file 1 for WEM.

CLI command: bulkstat collection file transfer interval
Analysis: Identifies the transfer interval. This determines the file size of the bulkstat file when transferred.
Recommendation: It is recommended to set the transfer interval as 60.

CLI command: bulkstat collection file gather interval
Analysis: Identifies the gather interval. This determines the file size of the bulkstat file when transferred.
Recommendation: It is recommended to configure the gather interval as 15.

CLI command: bulkstat collection file header format
Analysis: Identifies the header format and checks whether the format is in sync with the WEM or MUR as required.
Recommendation: It is recommended to fill in the header format if a WEM or MUR is enabled, to determine whether the format version is up to date with the software version.

CLI command: bulkstat collection file receiver
Analysis: Identifies the IP address to which the bulkstats are being sent.
Recommendation: It is recommended to configure two server locations for redundancy.
7. ECS Audit
The ECS audit consists of identifying the rules and definitions configured within the active-charging global configuration. It also identifies any additional features which may be used as part of the ECS service, such as content filtering, header enrichment, NAT and firewall features. Each specific ECS feature should be checked against the system licenses. The following table details the commonly configured CLI commands within the active-charging service.

ECS Configuration

CLI command: active-charging service p2p-detection protocol
Analysis: Enables P2P detection on the system.
Recommendation: If the P2P license is supported, it is recommended to enable P2P detection to identify P2P traffic within the system.

CLI command: active-charging service p2p-dynamic-rules protocol
Analysis: Enables the P2P protocols on the system.
Recommendation: If the P2P license is supported, it is recommended to enable all P2P protocols for pre-R14.

CLI command: active-charging service ruledef
Analysis: Configures a ruledef to do shallow packet or deep packet inspection.
Recommendation: It is recommended to avoid using contains-type rules as a standalone configuration unless absolutely necessary, as they are easily prone to spoofing or misconfiguration.

CLI command: active-charging service ruledef multi-line-or all-lines
Analysis: Configures a ruledef to match by any combination of matching criteria.
Recommendation: It is recommended to configure this command only if there is a long list of multiple URL names, e.g. www.google.com. Otherwise, there is a high risk of this rule matching unwarranted traffic.

CLI command: active-charging service ruledef rule-application routing
Analysis: Configures a ruledef that will be used as a routing rule to match traffic types.
Recommendation: It is recommended to remove rules that are no longer used, or misconfigurations, to optimize the configuration.

CLI command: active-charging service ruledef rule-application post-processing
Analysis: Specifies that the current ruledef is for post-processing purposes. This enables processing of packets even if rule matching for them has been disabled.
Recommendation: This is recommended for handling packets for address redirection (refer to flow action readdress server), to process the packet after it is complete and properly charge the ruledef.

CLI command: active-charging service group-of-ruledefs
Analysis: Configures a group-of-ruledefs, which consists of a group of ruledefs with the same charging characteristic.
Recommendation: It is recommended to remove rules that are no longer used, or misconfigurations, to optimize the configuration. A group-of-ruledefs should also consist of 10 or more ruledefs; otherwise, it would be better optimized to have them as separate rules.

CLI command: active-charging service charging-action
Analysis: The charging-action determines the action to be taken when a ruledef is hit.
Recommendation: It is recommended to remove rules that are no longer used, or misconfigurations, to optimize the configuration.

CLI command: active-charging service charging-action flow action readdress server
Analysis: Alters the destination address and port number in TCP or UDP packet headers to redirect packets to a different server.
Recommendation: If the flow control handshaking CLI is enabled within the rulebase to delay charging of the control packets, post-processing ruledefs must be used to readdress the control packets for TCP traffic (not needed for

CLI command: active-charging service charging-action cca charging credit rating-group content-id
Analysis: The CCA charging credit enables the subscriber to talk to the OCS for quota.
Recommendation: It is recommended not to configure the rating-group as part of the cca charging credit if the rating-group is identical to the content-id.

CLI command: active-charging service rulebase
Analysis: A rulebase is a collection of charging rules and actions that is applied to a subscriber.
Recommendation: It is recommended to remove rulebases that are identical to other rulebases.

CLI command: active-charging service rulebase action priority
Analysis: The action priority is a priority list for the order in which rules are processed and matched against.
Recommendation: It is recommended to configure action priorities at least 35 numbers apart from one another. Ruledefs referenced in this section should be configured within the configuration.

CLI command: active-charging service rulebase route priority
Analysis: The route priority is a priority list for the order in which routing rules are matched against.
Recommendation: It is recommended to configure your ruledef with rule-application routing to match the configuration in route priority within the rulebase.

CLI command: active-charging service rulebase post-processing priority
Analysis: The post-processing priority is a priority list for the order in which rules are processed once the traffic flow is complete.
Recommendation: It is recommended to configure your ruledef with rule-application post-processing to match the configuration in post-processing priority within the rulebase.

CLI command: active-charging service rulebase rtp dynamic-flow-detection
Analysis: This command allows you to enable/disable the Real Time Streaming Protocol (RTSP) and Session Description Protocol (SDP) analyzers to detect the start/stop of RTP and RTCP flows.
Recommendation: It is recommended to enable this feature if RTP detection is required within the network, as seen in the RTP-related routing rules.

CLI command: active-charging service rulebase edr suppress-zero-byte-records
Analysis: This configuration suppresses an EDR from being generated if there are 0 bytes.
Recommendation: It is recommended to enable this CLI to prevent unnecessary generation of EDRs.

CLI command: active-charging service rulebase edr transaction-complete
Analysis: This configuration enables the EDR to be generated upon the completion of a transaction.
Recommendation: It is recommended to enable this CLI to prevent unnecessary generation of EDRs.

CLI command: active-charging service rulebase flow end-condition normal-end-signaling
Analysis: Creates an EDR with the specified EDR format whenever flow end is signaled normally, for example on detecting FIN and ACK for a TCP flow, or a WSP-DISCONNECT terminating a connection-oriented WSP flow over UDP.

CLI command: active-charging service rulebase p2p dynamic-flow-detection
Analysis: Identifies whether P2P is enabled on the rulebase.

CLI command: active-charging service rulebase
Analysis: Enables eGCDR billing records.
It is recommended to enable this CLI to generate EDRs during normal flow conditions.
It is recommended to enable this within the rulebase if p2p-detection is enabled on the system. It is mandatory to enable eGCDR by configuring it at the rulebase level and charging-action level.
Cisco Systems, Inc.
Configuration Audit Guide billing egcdr Table 7-1: ECS Audit Sample Report Sample Recommendation:
CLI: require diameter-proxy single
  Timeline: Medium Term
  Recommendation: It is recommended to configure diameter-proxy multiple to prevent the scenario where a fault with the single proxy affects all calls.

CLI: user timeout
  Timeline: Low Term
  Recommendation: It is recommended to configure user timeout parameters to manage all the users (~200+), to avoid the scenario where subscribers consume SMC resources when they do not log out properly.

CLI: banner motd
  Timeline: Low Term
  Recommendation: It is recommended to configure a banner motd to notify the user of the system requirements and guidelines before access.

CLI: timestamps
  Recommendation: It is recommended to enable timestamps so that logging to a window carries the timestamps required for troubleshooting.

CLI: autoconfirm
  Recommendation: It is recommended to remove this CLI command to prevent accidental removal/inclusion of configuration.

CLI: clock timezone
  Timeline: Medium Term
  Recommendation: The clock timezone is left at its default, which is Eastern (GMT-5). It is recommended to configure the proper clock timezone with the local time, to avoid mismatches in accounting records and to preserve user traceability.
Functional Area: SAEGW Service

CLI: gtpc max-retransmissions 0
  Timeline: Medium Term

CLI: ip pool public
  Timeline: Low Term
  Recommendation: It is recommended to configure IP pools as private. The pool is used by subscribers connecting to an APN that requests an IP address from the specified pool.

CLI: ip source-violation check 0
  Timeline: Medium Term
  Recommendation: It is recommended to use either ignore or check to improve the end-user experience, while also avoiding the scenario where a subscriber unknowingly keeps sending traffic through the network, consuming network resources, only to have that traffic dropped.

CLI: timeout idle
  Timeline: Medium Term
  Recommendation: It is recommended to disable the timeout idle parameter for LTE and LTE+3G APNs, because always-on devices immediately reconnect to the network upon idle
Functional Area: ECS Service

CLI: diameter pending-timeout
  Timeline: Low Term
  Recommendation: It is recommended to reduce the timeout from 10 seconds to 3 seconds so that the CCFH condition takes action sooner. If there is no response within 3 seconds, waiting a further 7 seconds only delays the user's session setup time and degrades the experience rather than helping it.
Note: This analysis is based solely on the ASR5000 configuration and statistics, assessed against best-practice guidelines for LTE networks.

Sample Analysis:

Current CLI: require diameter-proxy single

Node Name: ABBRLW - MME1, MME2; BCGLMR - MME1, MME2; ONHOOD - MME1, MME2; PQPTFD - MME1, MME2; ONHOOD - PSGW1, PSGW2; ABBRLW - PSGW1, PSGW2; BCGLMR - PSGW1, PSGW2; PQPTFD - PSGW1, PSGW2

Analysis: Based on the configuration of all the MME and SAEGW nodes, require diameter-proxy single has been enabled to create a single proxy sessmgr that handles all DIAMETER related messages between the nodes and the DIAMETER servers. Although this configuration simplifies creating the server-client CER/CEA peering relationship, the single proxy creates a scenario where a bug or fault encountered in any call on that facility can affect all calls handled by that single proxy.

Recommendation: To avoid a single point of access for all DIAMETER related calls, it is recommended to enable require diameter-proxy multiple to create multiple proxies. In this scenario, when a single proxy fails, it does not affect all DIAMETER related subscribers on the node. With multiple proxies, care must be taken to configure additional peers based on the number of PSC cards in the chassis.
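As an added example, not taken from the audit guide itself, the following Python script turns several of the recommendations above into automated checks: the action-priority spacing of at least 35 and the requirement that referenced ruledefs exist (ECS Configuration table), the match between rule-application routing and route priority, the p2p dynamic-flow-detection requirement when p2p-detection is enabled on the service, and the require diameter-proxy single finding from the sample analysis. It runs over a constructed "show configuration" excerpt; the service, ruledef, charging-action and rulebase names are invented, and the parser assumes the StarOS layout in which every block is closed by a #exit line.

```python
"""Audit a StarOS (ASR 5000) configuration excerpt against ECS best practices.

Added example, not part of the Cisco audit guide. Names in SAMPLE_CONFIG are
invented; the parser assumes 'show configuration' output where every
ruledef/rulebase/charging-action/service block is closed by a '#exit' line.
"""
import re
from dataclasses import dataclass, field

MIN_PRIORITY_GAP = 35  # audit table: action priorities at least 35 apart

# Constructed configuration excerpt (not captured from a real node).
SAMPLE_CONFIG = """
  require diameter-proxy single
  active-charging service ACS
    ruledef http-any
      http any-match = TRUE
    #exit
    ruledef rtp-route
      rtp any-match = TRUE
      rule-application routing
    #exit
    ruledef sip-route
      sip any-match = TRUE
      rule-application routing
    #exit
    rulebase rb-default
      action priority 10 ruledef http-any charging-action ca-default
      action priority 20 ruledef ftp-any charging-action ca-default
      route priority 1 ruledef rtp-route analyzer rtp
    #exit
    p2p-detection protocol all
  #exit
"""

BLOCK_RE = re.compile(r"(ruledef|rulebase|charging-action|active-charging service)\s+(\S+)$")


@dataclass
class AcsConfig:
    ruledefs: dict = field(default_factory=dict)   # name -> option lines
    rulebases: dict = field(default_factory=dict)  # name -> option lines
    p2p_detection: bool = False
    diameter_proxy: str = ""                       # 'single', 'multiple' or ''


def parse(text):
    """Walk the config, tracking the open block with a stack popped on '#exit'."""
    cfg, stack = AcsConfig(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#exit":
            if stack:
                stack.pop()
            continue
        m = BLOCK_RE.match(line)
        if m:
            kind, name = m.groups()
            stack.append((kind, name))
            if kind == "ruledef":
                cfg.ruledefs.setdefault(name, [])
            elif kind == "rulebase":
                cfg.rulebases.setdefault(name, [])
            continue
        if line.startswith("require diameter-proxy "):
            cfg.diameter_proxy = line.split()[-1]
        elif line.startswith("p2p-detection protocol") and stack and stack[-1][0] == "active-charging service":
            cfg.p2p_detection = True
        elif stack:
            kind, name = stack[-1]
            if kind == "ruledef":
                cfg.ruledefs[name].append(line)
            elif kind == "rulebase":
                cfg.rulebases[name].append(line)
    return cfg


def audit(cfg):
    """Return one finding string per violated recommendation."""
    findings = []
    if cfg.diameter_proxy == "single":
        findings.append("require diameter-proxy single: one proxy sessmgr is a single point "
                        "of failure for all DIAMETER calls; use 'multiple'")
    routing = {n for n, o in cfg.ruledefs.items() if "rule-application routing" in o}
    routed = set()
    for rb, opts in cfg.rulebases.items():
        prios = []
        for o in opts:
            m = re.match(r"action priority (\d+) ruledef (\S+)", o)
            if m:
                prios.append(int(m.group(1)))
                if m.group(2) not in cfg.ruledefs:  # referenced but never defined
                    findings.append(f"rulebase {rb}: action priority {m.group(1)} "
                                    f"references undefined ruledef {m.group(2)}")
            m = re.match(r"route priority (\d+) ruledef (\S+)", o)
            if m:
                routed.add(m.group(2))
                if m.group(2) not in routing:  # route priority without routing ruledef
                    findings.append(f"rulebase {rb}: route priority {m.group(1)} uses ruledef "
                                    f"{m.group(2)} that lacks rule-application routing")
        prios.sort()
        for a, b in zip(prios, prios[1:]):  # spacing check on sorted priorities
            if b - a < MIN_PRIORITY_GAP:
                findings.append(f"rulebase {rb}: action priorities {a} and {b} are only "
                                f"{b - a} apart (want >= {MIN_PRIORITY_GAP})")
        if cfg.p2p_detection and "p2p dynamic-flow-detection" not in opts:
            findings.append(f"rulebase {rb}: p2p-detection is enabled on the service "
                            "but the rulebase lacks 'p2p dynamic-flow-detection'")
    for name in sorted(routing - routed):  # routing ruledef nobody routes with
        findings.append(f"ruledef {name}: rule-application routing is set but no "
                        "rulebase route priority references it")
    return findings


if __name__ == "__main__":
    for finding in audit(parse(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against real output, feed the script the text of show configuration from the node under audit; the checks are deliberately strict string matches on the StarOS option lines, so a command spelled differently than the guide (for example an abbreviated keyword) will show up as a finding and should be reviewed by hand rather than silently accepted.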
ECS System Limitations (R12.0)
  Max number of ruledefs: 2048 ruledefs per chassis, up to 1024 actions per ruledef

MME Service Limitations for R14.0
  Max number of services

S-GW Service Limitations for R14.0
  Max number of local subscribers: 2,048 local subscribers per context
  Max number of services: 256 services per system

P-GW Service Limitations for R14.0
  Max number of assignment tables: 8 P-GW assignment tables per context and per chassis
  Max number of services: 256 services per system

CSCF Limitations for R12.0
  Number of URI re-addresses: 1000
  Number of routes: 1000
  Number of IP localhosts: 1024
  Number of SIP peer servers: 1000
  Number of ifc spt groups: 128
  Number of ifc spt conditions: 128
  Number of ifc trigger points: 128
  Number of ifc filter criteria: 1000