V900R007C02
System Integration
Issue 02
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Copyright © Huawei Technologies Co., Ltd. 2009. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are the property of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Contents
About This Document
1 Basis of System Integration
1.1 Starting the LMT
1.2 Overview of CLI Views
1.3 Configuring Data by Using CLI Commands
2 Configuring the Data for the PCF
2.1 Configuration Preparation
2.2 Networking for Connecting to the PCF
2.3 Configuring the Physical Interface
2.4 Configuring the Eth-trunk Interface
2.5 Configuring the R-P Interface
2.6 Configuring the Static Route to the PCF
2.7 Setting the SPI Parameters
2.8 Configuring the A11 Timer
2.9 Commissioning the Data for the Interworking with the PCF
2.10 Configuration Example
2.10.1 Networking of the PDSN9660 and the PCF
2.10.2 Reliability Networking of the PDSN9660 and the PCF
3 Configuring the Data for the AAA Server
3.1 Configuration Preparation
3.2 Planning the Networking for Connecting to the AAA Server
3.3 Creating a VPN Instance
3.4 Configuring the Physical Interface
3.5 Configuring the Eth-trunk Interface
3.6 Configuring the Sub-interface
3.7 Configuring the Pi Interface
3.8 Configuring the GRE VPN
3.8.1 Creating the Loopback Interface
3.8.2 Creating the Tunnel Interface
3.9.2 Configuring the IPSec Proposal
3.9.3 Configuring the IKE Security Proposal
3.9.4 Configuring the IKE Peer Attributes
3.9.5 Configuring the IKE Local ID
3.9.6 Configuring the IKE DPD Function
3.9.7 Configuring the Attributes of the IKE Keepalive Mechanism
3.9.8 Configuring the IPSec Policy
3.9.9 Applying an IPSec Policy to an Interface
3.10 Configuring the Static Route to the AAA Server
3.11 Configuring the Dynamic Route to the AAA Server
3.12 Configuring the AAA Authentication/Accounting Server
3.13 Commissioning the Data for the Interworking with the AAA Server
3.14 Configuration Example
3.14.1 Inband Networking
3.14.2 Outband Networking
3.14.3 GRE VPN in Inband Networking
3.14.4 GRE VPN in Outband Networking
3.14.5 IPSec Policy Applied to the Pi Interface
4 Configuring the Data for the OCS
4.1 Planning the Networking for Connecting to the OCS
4.2 Creating a VPN Instance
4.3 Configuring the Physical Interface
4.4 Configuring the Eth-trunk Interface
4.5 Configuring the Sub-interface
4.6 Configuring the Gy Interface
4.7 Configuring the Static Route to the OCS
4.8 Configuring the Dynamic Route to the OCS
4.9 Configuring the OCS Information
4.10 Commissioning the Data for the Interworking with the OCS
4.11 Configuration Example
5 Configuring the Data for the HA
5.1 Configuration Preparation
5.2 Networking for Connecting to the HA
5.3 Configuring the Physical Interface
5.4 Configuring the Eth-trunk Interface
5.5 Configuring the Pi Interface
5.6 Configuring the Static Route to the HA
5.7 Commissioning the Data for the Interworking with the HA
5.8 Configuration Example
6 Configuring the Data for the PDN
6.2 Planning the Networking for Connecting to the PDN
6.3 Creating a VPN Instance
6.4 Configuring the Physical Interface
6.5 Configuring the Eth-trunk Interface
6.6 Configuring the Sub-interface
6.7 Configuring the L2TP VPN
6.8 Configuring the GRE VPN
6.8.1 Creating the Loopback Interface
6.8.2 Creating the Tunnel Interface
6.8.3 Configuring the Keepalive Function
6.9 Configuring the IPSec Policy
6.9.1 Configuring the Protected Data Flows
6.9.2 Configuring the IPSec Proposal
6.9.3 Configuring the IKE Security Proposal
6.9.4 Configuring the IKE Peer Attributes
6.9.5 Configuring the IKE Local ID
6.9.6 Configuring the IKE DPD Function
6.9.7 Configuring the Attributes of the IKE Keepalive Mechanism
6.9.8 Configuring the IPSec Policy
6.9.9 Applying an IPSec Policy to an Interface
6.10 Configuring the Static Route to the PDN
6.11 Configuring the Dynamic Route to the PDN
6.12 Configuring the Downlink Route from the P Interface to the MS
6.13 Commissioning the Data for the Interworking with the PDN
6.14 Configuration Example
6.14.1 Eth-trunk Load-sharing Mode + Dynamic Routing
6.14.2 Dynamic Routing + L2TP VPN Tunnel
6.14.3 IPSec Policy Applied to the Tunnel Interface
7 Configuring Service Data
7.1 Configuring the Domain Data
7.1.1 Application Scheme for the Domain
7.1.2 Configuring PPP Negotiation Parameters
7.1.3 Configuring the Basic Domain Information
7.1.4 Configuring the Constructed Domain
7.1.5 Configuring the Authentication Data and Accounting Data for the Domain
7.1.6 Configuring the Local Address Pool
7.1.7 Configuring the DNS Information
7.1.8 Configuring the Downlink Route to the MS
7.1.9 Commissioning the Domain Data
7.2.2 Configuring the Packet Filtering Policy
7.2.3 Configuring the Anti-DDoS Function
7.2.4 Configuring the Pi Redirection Function
7.2.5 Configuring the IPSec Policy
7.2.6 Maintaining the Data for the Security Function
7.2.7 Configuration Example
7.3 Configuring the Data for the FA
7.3.1 Application Scheme for the FA
7.3.2 Configuring the Foreign Agent Care-of Address
7.3.3 Configuring the FA
7.3.4 Configuring the SA Between the MN and the FA
7.3.5 Configuring the SA Between the FA and the HA
7.3.6 Commissioning the Data for the FA Function
7.3.7 Configuration Example
7.4 Configuring the Data for RADIUS Authentication and Accounting
7.4.1 Planning the Application Scheme for RADIUS Authentication and Accounting
7.4.2 Configuring RADIUS Authentication
7.4.3 Configuring RADIUS Accounting
7.4.4 Configuring the Charging Characteristic
7.4.5 Configuring the Charging Parameters
7.4.6 Configuring the Tariff Switch Function
7.4.7 Configuring the UDR Cache Function
7.4.8 Maintaining the Data for RADIUS Authentication and Accounting
7.4.9 Example of RADIUS Authentication and Accounting
7.5 Configuring the Data for the Diameter Online Charging Function
7.5.1 Application Schemes for Online Charging
7.5.2 Configuring the Gy Interface
7.5.3 Configuring the OCS Information
7.5.4 Configuring the Primary and Secondary OCSs
7.5.5 Configuring the Quota Threshold
7.5.6 Configuring the Mode for Sending a CCR Message
7.5.7 Configuring the Conditions for Sending a CCR Message
7.5.8 Configuring the Tx Timer
7.5.9 Configuring the Service Processing Actions
7.5.10 Maintaining the Data for the Diameter Online Charging Function
7.5.11 Configuration Example
7.6 Configuring the Data for the Content-based Charging Function
7.6.1 Application Schemes for Content-based Charging
7.6.2 Configuring the Content-based Charging Function
7.6.3 Maintaining the Data for the Content-based Charging Function
7.6.4 Configuration Example
7.7 Configuring the Data for the Service Resolution and Control Function
7.7.1 Planning the Application Scheme for Service Control
7.7.2 Configuring the Service Control Function
7.7.3 Maintaining the Data for the Service Control Function
7.7.4 Configuration Example
A Glossary
B Abbreviation
About This Document
Purpose
This document describes the configuration methods and procedures of system integration for specific services of the PDSN9660.
Related Versions
The following table lists the product version related to this document.
Product Name Version
PDSN9660 V900R007C02
Intended Audience
This document is intended for:
- Installation commissioning engineer
- Data configuration engineer
Update History
Updates between document versions are cumulative. Therefore, the latest document version contains all updates made to previous issues.
Updates in Issue 02 (2009-04-10)
The second commercial release has the following updates: The mistakes are corrected.
Updates in Issue 01 (2009-01-05)
Initial commercial release.
Organization
1 Basis of System Integration
Before system integration, you need to set up the configuration environment and learn how to use the local maintenance terminal (LMT) and the command line interface (CLI) commands.
2 Configuring the Data for the PCF
The PDSN9660 interworks with the packet control function (PCF) through a physical interface and the R-P interface.
3 Configuring the Data for the AAA Server
The PDSN9660 supports Remote Authentication Dial In User Service (RADIUS) authentication and accounting. It can assign an IP address to a mobile station (MS) through the authorization, authentication and accounting (AAA) server. Before setting parameters of authentication, accounting, or address assignment, ensure that the PDSN9660 interworks with the AAA server.
4 Configuring the Data for the OCS
The PDSN9660 provides the traffic plane function (TPF). With the TPF function, the PDSN9660 differentiates various content-based charging (CBC) services and collects the charging information. The PDSN9660 performs the online charging for normal users and CBC users by interworking with the online charging system (OCS) through the Gy interface.
5 Configuring the Data for the HA
This describes how to configure the data for the home agent (HA).
6 Configuring the Data for the PDN
The PDSN9660 is a gateway device that enables a mobile station (MS) to access an external packet data network (PDN). To carry out data service for an MS, the PDSN9660 needs to interwork with network elements (NEs) on the PDN.
7 Configuring Service Data
This describes how to configure service data such as domain, security, Remote Authentication Dial In User Service (RADIUS) authentication and accounting, content-based charging, and service control.
A Glossary
B Abbreviation
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
Indicates a tip that may help you solve a problem or save time.
Provides additional information to emphasize or supplement important points of the main text.
General Conventions
The general conventions that may be found in this document are defined as follows.
Convention Description
Times New Roman Normal paragraphs are in Times New Roman.
Boldface Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic Book titles are in italics.
Courier New Examples of information displayed on the screen are in Courier New.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[ ] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
Convention Description
Boldface Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
> Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.
Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.
Format Description
Key Press the key. For example, press Enter and press Tab.
Key 1+Key 2 Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2 Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.
Mouse Operations
The mouse operations that may be found in this document are defined as follows.
Action Description
Click Select and release the primary mouse button without moving the pointer.
Double-click Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag Press and hold the primary mouse button and move the pointer to a certain position.
1 Basis of System Integration
About This Chapter
Before system integration, you need to set up the configuration environment and learn how to use the local maintenance terminal (LMT) and the command line interface (CLI) commands.
1.1 Starting the LMT
This describes how to start the local maintenance terminal (LMT) and set up the connection with the PDSN9660.
1.2 Overview of CLI Views
This describes the command line interface (CLI) views. In addition to the graphical user interface (GUI), the local maintenance terminal (LMT) provides the CLI. The PDSN9660 provides abundant CLI commands for you to operate and maintain the system.
1.3 Configuring Data by Using CLI Commands
The local maintenance terminal (LMT) provides a set of configuration commands. Users can configure and manage the PDSN9660 by entering these commands in the command line interface (CLI) to ensure that the system runs normally.
1.1 Starting the LMT
This describes how to start the local maintenance terminal (LMT) and set up the connection with the PDSN9660.
Prerequisite
- The LMT software is installed. See Checking the Installation of the LMT Software.
- The LMT is connected to the PDSN9660.
Context
CAUTION
Logging in to the PDSN9660 through Telnet is prohibited.
WARNING
Do not modify the system time when the LMT programs are running. This helps to prevent system errors. You can modify the system time only after all the LMT application programs are stopped.
Procedure
Step 1 Check whether the icon of LMT Service Manager exists in the notification area of the taskbar.
Condition | Operation
The icon of LMT Service Manager exists. | It indicates that the LMT service manager is started. Go to Step 2.
The icon of LMT Service Manager does not exist. | Choose Start > Programs > Huawei Local Maintenance Terminal > LMT Service Manager to start the LMT service manager on the computer where the LMT is installed. Then, go to Step 2.
Step 2 Choose Start > Programs > Huawei Local Maintenance Terminal > Local Maintenance Terminal. The User Login dialog box is displayed. See Figure 1-1.
Start for the First Time? | Operation
Yes | Go to Step 3.
No | Select an office to which the LMT is connected in the Office drop-down list box. Go to Step 6.
Figure 1-1 User login
NOTE
- Domain user: indicates that this user is managed by the M2000 domain.
- Local user: indicates that this user is managed by the local LMT.
NOTE
- You can also log in to the LMT by clicking Offline. Thus, you can use some of the functions of the LMT offline, such as help browsing, eliminating the need to log in to the PDSN9660.
- You can log out of the LMT by clicking Exit.
Step 3 Set the office information if you log in to the PDSN9660 for the first time. Click . The Office
Figure 1-2 Office Management dialog box
NOTE
- Office: specifies the PDSN9660 connected to the LMT. You can define the office name. It is recommended that you name the office in a way that makes it easy to distinguish from others.
- IP Address: specifies the IP address of the SRU or LPU of the PDSN9660 connected to the LMT.
- NE Type: specifies the type of a network element (NE). The LMT can manage the NEs of different types. Thus, you can choose the type of the NE to be managed.
- Port: specifies the port through which the SRU or LPU of the PDSN is connected to the LMT.
- Connect Type: specifies the connection type of the LMT.
Step 4 Click Add.... The Add dialog box is displayed. See Figure 1-3.
Figure 1-3 Add dialog box
In the Add dialog box, specify Office and enter IP Address of the PDSN9660. Then, click
NOTE
If the M2000 proxy server is located between the LMT and the PDSN9660, set the IP address of Proxy Server in the Add dialog box.
Step 5 Click Close in the Office Management dialog box. The office configuration is complete. The User Login dialog box is displayed. See Figure 1-4.
Figure 1-4 User login
Step 6 Enter the user name and the password, and specify the user type. Then, click Login to access the main interface of the LMT.
If the status is "Connected" and the IP address is displayed at the bottom of the window, the LMT is correctly connected to the PDSN9660. You can then perform service and data configurations for the PDSN9660 by using command line interface (CLI) commands in this window.
NOTE
When logging in to the LMT for the first time, you must log in as an admin user. The password is determined when the PDSN9660 software is installed.
NOTE
The user type can be EMS or Local.
- EMS users are managed by the M2000. The element management system (EMS) user account is used for management during routine maintenance. For the user that logs in to the M2000, the PDSN9660 sends the information about user authentication to the M2000, and then the M2000 performs user authentication.
- Local users are managed by the LMT of the PDSN9660. The local user account is used for deployment and upgrade. For the user that logs in to the LMT, the PDSN9660 performs user authentication by using the local user profile.
1.2 Overview of CLI Views
This describes the command line interface (CLI) views. In addition to the graphical user interface (GUI), the local maintenance terminal (LMT) provides the CLI. The PDSN9660 provides abundant CLI commands for you to operate and maintain the system.
When the CLI is displayed, the initial user view is displayed. The CLI consists of command line views each with registered commands. The command line view must be displayed first for you to run a command that is registered in this view.
CLI Views on the PDSN9660 V900R007
The CLI on the PDSN9660 V900R007 is composed of the following views:
- Charge view: The information related to charging is configured in this view.
- Domain view: The information related to domains is configured in this view.
- MIP view: The information related to mobile IP (MIP) is configured in this view.
- Interface view: The information related to interfaces such as physical interfaces, logical interfaces, and sub-interfaces is configured in this view.
- Access view: The access resources, including the Remote Authentication Dial In User Service (RADIUS) information, address pool, quality of service (QoS), and Layer 2 Tunneling Protocol (L2TP) group, are configured in this view.
- Service view: The information related to service control is configured in this view.
- Operation and maintenance view: The information related to alarm management, performance measurement, and software management is configured in this view.
- Security view: The information related to the IP Security (IPSec) protocol and the Internet Key Exchange (IKE) protocol is configured in this type of view. Security views consist of the IPSec view, IPSec policy view, IKE peer view, and IKE proposal view.
CLI View Structure on the PDSN9660 V900R007
Figure 1-5 CLI view structure on the PDSN9660 V900R007
[Figure not reproduced. Views shown in the diagram: User view, System view, Charge view, DCC template view, DCC global view, Domain view, MIP view, Interface view, Access view, RADIUS view, Address pool view, QoS view, L2TP group view, Service view, User profile instance view, Lawful interception view, OM view, IPSec view, IPSec policy view, IKE peer view, IKE proposal view.]
Usage Guideline of the CLI Views on the PDSN9660 V900R007
Table 1-1 lists the CLI views.
Table 1-1 Description of the CLI views
Each entry gives the view, its prerequisite, and the command sequence that enters it.

User view. Prerequisite: You are logged in to the LMT.

Charge view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]charge-view
[PDSN-charge]

DCC template view. Prerequisite: The charge view is displayed.
<PDSN>system-view
[PDSN]charge-view
[PDSN-charge]dcc-template test
[PDSN-dcc-test]

DCC global view. Prerequisite: The charge view is displayed.
<PDSN>system-view
[PDSN]charge-view
[PDSN-charge]dcc-global-view
[PDSN-dcc-global]

Domain view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]domain testdomain
[PDSN-domain-testdomain]

MIP view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]mip enable
[PDSN-mip-view]

Physical interface view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]interface GigabitEthernet 0/0/0
[PDSN-GigabitEthernet0/0/0]

Logical interface view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]interface rpif3/0/0
[PDSN-rpif3/0/0]

Sub-interface view. Prerequisite: The Eth-trunk interface view or physical interface view is displayed.
<PDSN>system-view
[PDSN]interface Eth-Trunk 0
[PDSN-Eth-Trunk0]
[PDSN]interface Eth-Trunk0.1
[PDSN-Eth-Trunk0.1]

Eth-trunk interface view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]interface Eth-Trunk 0
[PDSN-Eth-Trunk0]

Loopback interface view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]interface LoopBack 0
[PDSN-LoopBack0]

Tunnel interface view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]interface Tunnel 1/0/0
[PDSN-Tunnel1/0/0]

Access view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]access-view
[PDSN-access]

RADIUS view. Prerequisite: The access view is displayed.
<PDSN>system-view
[PDSN]access-view
[PDSN-access]radius-server group testaaa
[PDSN-access-radius-testaaa]

Address pool view. Prerequisite: The access view is displayed.
<PDSN>system-view
[PDSN]access-view
[PDSN-access]ip pool testpool
[PDSN-access-ip-pool-testpool]

QoS view. Prerequisite: The access view is displayed.
<PDSN>system-view
[PDSN]access-view
[PDSN-access]qos-view
[PDSN-access-qos]

L2TP group view. Prerequisite: The access view is displayed.
<PDSN>system-view
[PDSN]access-view
[PDSN-access]l2tp group 1
[PDSN-l2tp-group-1]

Lawful interception view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]li-view
[PDSN-li]

Service view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]service-view
[PDSN-service]

User profile view. Prerequisite: The service view is displayed.
[PDSN-service]user-profile testprofile
[PDSN-service-profile-testprofile]

IP farm view. Prerequisite: The service view is displayed.
<PDSN>system-view
[PDSN]service-view
[PDSN-service]
[PDSN-service]ip-farm testfarm
[PDSN-service-ip-farm-testfarm]

Operation and maintenance view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]om-view
[PDSN-om-view]

IPSec proposal view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]ipsec proposal testproposal
[PDSN-ipsec-proposal-testproposal]

IPSec policy view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]ipsec policy testpolicy 100 manual
[PDSN-ipsec-policy-manual-testpolicy-100]

IKE peer view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]ike peer testpeer
[PDSN-ike-peer-testpeer]

IKE proposal view. Prerequisite: The system view is displayed.
<PDSN>system-view
[PDSN]ike proposal 1
[PDSN-ike-proposal-1]
1.3 Configuring Data by Using CLI Commands
The local maintenance terminal (LMT) provides a set of configuration commands. Users can configure and manage the PDSN9660 by entering these commands in the command line interface (CLI) to ensure that the system runs normally.
CLI Command Overview
A CLI command may contain keywords, arguments, and values. See Table 1-2.
Syntax Description
Italics Command arguments are in italics.
[ ] Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... } Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ] Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } * Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] * Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
Take the command radius-server accounting ip-address [ port port-number ] [ vpn-instance vpn-vpn-instance ] key key-string as an example.
Here, radius-server accounting are the command line keywords. port, vpn-instance, and key are command keywords. ip-address, port-number, vpn-instance, and key-string are command arguments.
Online Help of the Command Line
The CLI provides the following types of online help:
- Full help
  Enter a question mark (?) in a command line view to display all the commands and their description in this view.
  Enter a command and a question mark (?) separated by a space. If the question mark is in the position of a keyword, all keywords and their description are displayed.
  Enter a command and a question mark (?) separated by a space. If the question mark is in the position of a parameter, the related parameter names and parameter description are displayed.
- Partial help
  Enter a character string followed by a question mark (?) without any space to display all commands that begin with this character string and their description.
  Enter a character string followed by a question mark (?) without any space to display all keywords that begin with this character string.
Example of Data Configuration by Using CLI Commands
The procedure for setting the Remote Authentication Dial In User Service (RADIUS) accounting server by using the CLI commands is as follows:
1. Enter the access view.
<PDSN>system-view
[PDSN]access-view
2. Configure the RADIUS accounting server.
Create the RADIUS server group group1.
[PDSN-access]radius-server group group1
Set the IP address of the accounting server to 10.1.1.1, port number to 1813, and key to 12345.
[PDSN-access-radius-group1]radius-server accounting ip 10.1.1.1 port 1813 key 12345
3. Check the information about the accounting server.
[PDSN-access]display radius-server accounting group1
NOTE
2 Configuring the Data for the PCF
About This Chapter
The PDSN9660 interworks with the packet control function (PCF) through a physical interface and the R-P interface.
Prerequisite
- The hardware of the PDSN9660 and the base station controller (BSC)/PCF is installed and checked. The hardware is switched on and operates normally. For details, see Checking the Installation.
- The local maintenance terminal (LMT) of the PDSN9660 is installed. For details, see Checking the LMT System.
- The software of the PDSN9660 and the BSC/PCF is installed and checked. For details, see Checking the Installation of the Host Software.
Context
Based on the 3rd Generation Partnership Project 2 (3GPP2) protocol, the PCF uses the Generic Routing Encapsulation (GRE) protocol to encapsulate uplink data packets from a mobile station (MS). The destination IP address of the encapsulated packets is the IP address of the R-P interface on the PDSN9660. The packets are forwarded to the PDSN9660 through the GRE tunnel between the PCF and the PDSN9660. The PDSN9660 then removes the GRE encapsulation and forwards the packets to the packet data network (PDN).
The PDSN9660 uses GRE to encapsulate downlink data packets sent from the PDN to the MS. The destination IP address of the encapsulated packets is the IP address of the R-P interface on the PCF. The packets are forwarded through the GRE tunnel to the PCF. Then, the PCF removes the GRE headers and obtains the original packets. The original packets are then forwarded to the MS.
The PDSN9660 sets up the physical path with the PCF through a physical interface. The logical interworking with the PCF is realized through the A10 connection. The interworking with the PCF at the network layer is realized through the routing protocol. The R-P logical interface is
2.1 Configuration Preparation
This provides concepts related to the connection between the PDSN9660 and the packet control function (PCF).
2.2 Networking for Connecting to the PCF
This describes the networking for connecting to the packet control function (PCF).
2.3 Configuring the Physical Interface
This describes how to configure a physical interface to establish the physical path between the PDSN9660 and the network entity.
2.4 Configuring the Eth-trunk Interface
This describes how to configure the Eth-trunk interface. To enhance networking reliability, configure the Eth-trunk interface to establish the path between the PDSN9660 and the network entity, and enable the Address Resolution Protocol (ARP) probe function.
2.5 Configuring the R-P Interface
This describes how to create the logical communication path between the packet control function (PCF) and the PDSN9660.
2.6 Configuring the Static Route to the PCF
This describes how to configure the static route to realize the interworking between the PDSN9660 and the packet control function (PCF) at the network layer.
2.7 Setting the SPI Parameters
This describes how to set the security parameter index (SPI). The SPI is an extended option in an A11 message. It provides security parameters, such as the authentication mode and key, for reliable transmission of the A11 message.
2.8 Configuring the A11 Timer
This describes how to configure the A11 timer and the Point-to-Point Protocol (PPP) timer.
2.9 Commissioning the Data for the Interworking with the PCF
This provides the commands for commissioning the configuration data for the interworking with the packet control function (PCF).
2.10 Configuration Example
This provides an example of the configuration for the interworking between the PDSN9660 and the packet control function (PCF).
2.1 Configuration Preparation
This provides concepts related to the connection between the PDSN9660 and the packet control function (PCF).
Related Concepts
Related Concept | Reference
Concepts related to interfaces
Physical interface | Overview of NEs and Interfaces, Physical Interfaces, Relation Between Logical Interfaces and Physical Interfaces, and Interface Naming Rules
Eth-trunk interface | Logical Interfaces and Interface Naming Rules
R-P interface | Overview of the Configuration for the Interworking Between NEs
Logical interface | Logical Interfaces, Relation Between Logical Interfaces and Physical Interfaces, and Interface Naming Rules
Concepts related to networking modes
Networking of the single physical interface mode | Networking of Single Physical Interface and Static Routing Mode
Networking of Eth-trunk active/standby mode and static routing mode | Networking of Eth-trunk Active/Standby Mode and Static Routing Mode
Networking of Eth-trunk load-sharing mode and dynamic routing mode | Networking of Eth-trunk Load-sharing Mode and Dynamic Routing Mode
2.2 Networking for Connecting to the PCF
This describes the networking for connecting to the packet control function (PCF).
Configuration Roadmap
For the interworking between the PDSN9660 and the base station controller (BSC)/PCF, you must establish the physical path and the logical link, and configure the routing protocol for the
Figure 2-1 Networking for the interworking between the PDSN9660 and the PCF
[Flowchart: Configure data for interworking with the PCF. Choose a networking mode: for simple networking, configure the physical interface; for reliability networking, configure the Eth-trunk interface. Configure the R-P interface. Configure the static route to the PCF. Set the SPI parameters. (Optional) Configure the A11 timer. End.]
By clicking the following operations, you can check the corresponding configuration tasks.
- 2.3 Configuring the Physical Interface
- 2.4 Configuring the Eth-trunk Interface
- 2.5 Configuring the R-P Interface
- 2.6 Configuring the Static Route to the PCF
- 2.7 Setting the SPI Parameters
- 2.8 Configuring the A11 Timer
Configuration Task Description
Networking Scheme | Networking Requirement | Characteristic
Simple networking | 2.3 Configuring the Physical Interface | It is easy to configure the physical path by using a single physical interface. This method is suitable for simple networks. One configured physical interface can be shared by two links.
Reliability networking | 2.4 Configuring the Eth-trunk Interface | Eth-trunk active/standby mode: It can enhance reliability. When a member link is faulty, the traffic is automatically switched to an available link. Eth-trunk load-sharing mode: It can improve bandwidth usage and enhance reliability. The bandwidth of the Eth-trunk interface is the total bandwidth of all physical interfaces. If a physical interface is Down, other member interfaces are still available for data transmission.
2. Establish the logical path. For details, see 2.5 Configuring the R-P Interface.
3. Configure the route to the BSC/PCF for the interworking at the network layer with the BSC/PCF.
Routing Protocol | Characteristic
Static routing mode | The static routing mode is applicable for a small stable network with simple topology.
4. Set the parameters related to the security parameter index (SPI), such as the IP address of the signaling plane on the PCF, IP address of the R-P interface on the PDSN9660, SPI value, authentication algorithm, authentication mode, key, and anti-replay mode. For details, see 2.7 Setting the SPI Parameters.
5. (Optional) Set the parameters related to the A11 timer and the PPP timer. For details, see 2.8 Configuring the A11 Timer.
Common Networking Schemes
Different networking schemes can meet different requirements. The common networking schemes for the interworking with the BSC/PCF are described as follows:
Table 2-1 Common networking schemes
Networking Scheme: Eth-trunk active/standby mode and static routing mode
Networking Requirement:
- The Eth-trunk active/standby mode can improve reliability. When a member link is faulty, the traffic is automatically switched to an available link.
- This scheme simplifies the configurations when the PDSN9660 interworks with multiple BSCs/PCFs.
- This scheme features easy management. If the IP addresses or the planning of the BSCs/PCFs are changed, no configuration change is required on the PDSN9660.
Configuration Example: For details, see 2.10 Configuration Example.
2.3 Configuring the Physical Interface
This describes how to configure a physical interface to establish the physical path between the PDSN9660 and the network entity.
Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
Using a single physical interface is a simple method to set up a physical path.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a virtual private network (VPN), you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning
No. Data
1 Name of the physical interface that is connected to the networking entities
2 (Optional) VPNs to which the interfaces are bound
3 IP addresses and subnet masks of the physical interfaces
Procedure
Step 1 Run interface to enter the interface view.
Step 2 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 3 Run ip address to set the IP address of the physical interface.
2.4 Configuring the Eth-trunk Interface
This describes how to configure the Eth-trunk interface. To enhance networking reliability, configure the Eth-trunk interface to establish the path between the PDSN9660 and the network entity, and enable the Address Resolution Protocol (ARP) probe function.
Prerequisite
The network environment between the PDSN9660 and the network entity is established.
Context
An Eth-trunk interface can work in either active/standby mode or load-sharing mode.
- Active/standby mode: It can enhance reliability. When a member link is Down, the traffic is automatically switched to another available link.
- Load-sharing mode: It can improve bandwidth usage and enhance reliability. The bandwidth of the Eth-trunk interface is the total bandwidth of all physical interfaces. If a physical interface is Down, other member interfaces are still available for data transmission.
The working mode of active and standby Eth-trunk interfaces that each operate in load-sharing mode can further enhance reliability and ensure connectivity of the physical path. You can configure the cost value for running Open Shortest Path First (OSPF) on an interface to specify whether the interface is active or standby. The interface with a larger cost value serves as the standby interface.
Configuration Principle
- The configuration steps are not transposable. You must follow the order strictly.
- To bind an interface to a VPN, you must associate the interface with the specific VPN instance in the interface view and then set the IP address for the interface.
Data Planning
Data planning for configuring the Eth-trunk interface
No. Data
1 Physical interfaces that are bound to an Eth-trunk logical interface
2 Operating modes of the Eth-trunk logical interfaces
3 (Optional) VPNs to which the interfaces are bound
4 IP addresses of the Eth-trunk logical interfaces
Step 3 Optional: Run ip binding vpn-instance to bind the interface to the specific VPN instance.
Step 4 Run ip address to set the IP address of the Eth-trunk interface.
Step 5 Run quit to return to the system view.
Step 6 Run interface to enter the physical interface view.
Step 7 Run eth-trunk to bind the physical interface to the specific Eth-trunk interface.
----End
2.5 Configuring the R-P Interface
This describes how to create the logical communication path between the packet control function (PCF) and the PDSN9660.
Prerequisite
- The network environment between the PDSN9660 and the PCF is established.
- The physical interface is configured and commissioned. For details, see 2.3 Configuring the Physical Interface.
Data Planning
No. Data
1 Name of the R-P interface that is used to interwork with the PCF
2 IP address of the interface
Procedure
Step 1 Run interface to enter the interface view and create the R-P interface.
NOTE
- The created interface must be the planned R-P interface. The interface name consists of the interface type rpif and the interface number. The interface number is in the format of SPU group number/virtual interface card number/virtual port number.
- The R-P interface is created on the SPU and can be configured only when the SPU runs normally and no user exists on the SPU. You cannot configure the R-P interface if the SPU is not started or when it is starting.
Step 2 Run ip address to set the IP address of the R-P interface.
NOTE
When you set the IP address of the R-P interface, the subnet mask must be set to 255.255.255.255.
----End
2.6 Configuring the Static Route to the PCF
This describes how to configure the static route to realize the interworking between the PDSN9660 and the packet control function (PCF) at the network layer.
Prerequisite
- The network environment between the PDSN9660 and the PCF is established.
- The physical interface is configured. For details, see 2.3 Configuring the Physical Interface.
- The R-P interface is configured. For details, see 2.5 Configuring the R-P Interface.
Configuration Principle
You can configure only the static route between the PDSN9660 and the PCF.
Data Planning
No. Data
1 IP address and subnet mask of the R-P interface (signaling plane on the PCF)
2 IP address of the next hop router or firewall to the PCF
Procedure
Run ip route-static to configure a static route.
NOTE
The destination address of the static route is an IP address of the network segment to which the R-P interface (signaling plane of the PCF) belongs. The next hop address is the IP address of the router or the firewall to which the PDSN9660 connects.
CAUTION
On the next hop router or firewall, you must configure the static route to the PDSN9660. The destination address of the static route is the IP address of the R-P interface on the PDSN9660, and the next hop address is the IP address of the physical interface on the PDSN9660 used for interworking with the PCF, or the next hop address can be the IP address of the Eth-trunk interface when reliability networking is adopted.
----End
2.7 Setting the SPI Parameters
This describes how to set the security parameter index (SPI). The SPI is an extended option in an A11 message. It provides security parameters, such as the authentication mode and key, for reliable transmission of the A11 message.
CAUTION
On the packet control function (PCF), you must set the same SPI value, authentication mode, and key as those on the PDSN9660. Otherwise, the A10 connection between the PDSN9660 and the PCF cannot be established.
Data Planning
No. Data
1 IP address of the R-P interface on the PCF, and that of the R-P interface on the PDSN9660
2 SPI value, authentication algorithm, authentication mode, and key between the PDSN9660 and the PCF
3 Anti-replay mode between the PDSN9660 and the PCF
Procedure
Step 1 Run access-view to enter the access view.
Step 2 Run pcf to set the SPI parameters, such as the IP address of the signaling plane on the PCF, IP address of the R-P interface on the PDSN9660, SPI value, authentication algorithm, authentication mode, key, and anti-replay mode.
NOTE
The anti-replay function prevents any user from repeatedly sending a data packet: the receiver rejects an old or a duplicate packet.
----End
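How the SPI, key, prefix-postfix MD5 mode and timestamp anti-replay mode fit together on the receiving side, as an added example that is not taken from the PDSN9660 software. It assumes the Mobile IP (RFC 2002) definition of prefix+suffix keyed MD5 and a 7-second timestamp tolerance (the RFC 3344 default); the message layout, the function names and the key-as-ASCII interpretation are assumptions of the example.

```python
import hashlib
import hmac
import struct

NTP_UNIX_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01
EXT_TYPE = 32                  # Mobile-Home Authentication Extension (RFC 2002)
DIGEST_LEN = 16                # MD5 output size in bytes


def prefix_postfix_md5(key, protected):
    """Keyed MD5 in prefix+suffix mode: MD5(key || protected || key).

    RFC 3344 later made HMAC-MD5 the Mobile IP default; this is the older mode.
    """
    return hashlib.md5(key + protected + key).digest()


def identification(unix_time):
    """64-bit NTP-format timestamp used as the anti-replay identification."""
    secs = int(unix_time) + NTP_UNIX_OFFSET
    frac = int((unix_time % 1) * 2**32)
    return struct.pack("!II", secs, frac)


def sign(body, spi, key, unix_time):
    """Sender side. Simplified, constructed layout (not the real A11 format):
    identification || body || extension header (type, length, SPI) || digest."""
    ext_header = struct.pack("!BBI", EXT_TYPE, 4 + DIGEST_LEN, spi)
    protected = identification(unix_time) + body + ext_header
    return protected + prefix_postfix_md5(key, protected)


class Receiver:
    """Receiver side: look up the key by SPI, authenticate, then check replay."""

    def __init__(self, spi_keys, max_skew=7.0):
        self.spi_keys = spi_keys     # SPI -> shared key
        self.max_skew = max_skew     # assumed tolerance in seconds
        self.last_ident = {}         # peer -> last accepted identification

    def verify(self, peer, msg, now):
        if len(msg) < 8 + 6 + DIGEST_LEN:
            return "malformed"
        protected, digest = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
        ext_type, ext_len, spi = struct.unpack("!BBI", protected[-6:])
        if ext_type != EXT_TYPE or ext_len != 4 + DIGEST_LEN:
            return "malformed"
        key = self.spi_keys.get(spi)
        if key is None:
            return "unknown-spi"
        # Constant-time comparison so timing does not leak digest bytes.
        if not hmac.compare_digest(prefix_postfix_md5(key, protected), digest):
            return "bad-authenticator"
        ident = protected[:8]
        secs, frac = struct.unpack("!II", ident)
        sent = secs - NTP_UNIX_OFFSET + frac / 2**32
        if abs(now - sent) > self.max_skew:
            return "stale-timestamp"
        # Big-endian bytes compare like integers: must be strictly newer.
        if ident <= self.last_ident.get(peer, b""):
            return "replay"
        self.last_ident[peer] = ident
        return "accept"


def demo():
    """Run constructed messages through the receiver; values follow 2.10."""
    key = b"0123456789abcdef"            # sample key from the planning table
    pdsn = Receiver({256: key})
    pcf = "10.8.10.1"
    t0 = 1250000000.25                   # constructed send time
    body = b"registration request (constructed body)"
    good = sign(body, 256, key, t0)
    tampered = bytearray(sign(body, 256, key, t0 + 5))
    tampered[8] ^= 0x01                  # flip one bit in the body
    return [
        pdsn.verify(pcf, good, now=t0 + 1),
        pdsn.verify(pcf, good, now=t0 + 2),                     # same message again
        pdsn.verify(pcf, sign(body, 256, b"fedcba9876543210", t0 + 3), now=t0 + 3),
        pdsn.verify(pcf, sign(body, 257, key, t0 + 3), now=t0 + 3),
        pdsn.verify(pcf, sign(body, 256, key, t0 + 4), now=t0 + 60),
        pdsn.verify(pcf, bytes(tampered), now=t0 + 5),
        pdsn.verify(pcf, sign(body, 256, key, t0 + 6), now=t0 + 6),
    ]


if __name__ == "__main__":
    print(demo())
```

A key or SPI that differs between the PCF and the PDSN9660 ends in the bad-authenticator or unknown-spi branch, which is the mismatch the CAUTION in this section describes.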
2.8 Configuring the A11 Timer
This describes how to configure the A11 timer and the Point-to-Point Protocol (PPP) timer.
Context
An A10 connection between the PDSN9660 and the packet control function (PCF) is set up, refreshed or released through A11 messages.
- When a mobile station (MS) initiates a packet data session, the base station controller (BSC) coordinates the air channel. After the radio access network (RAN) is set up, the PCF sends an A11 registration request to the PDSN9660 for establishing an A10 connection.
- If the PDSN9660 accepts the A11 registration request, the PDSN9660 returns an A11 registration reply containing the accept indication to inform the PCF that the A10 connection is established.
- The establishment of the A10 connection indicates that the data path for the user is set up. Then, the PPP negotiation between the MS and the PDSN9660 can be started through this path.
The user data over the path is encapsulated by using the Generic Routing Encapsulation (GRE) protocol. For details about GRE, see RFC1701.
Data Planning
No. Data
1 Number of retransmission times of registration update messages
2 Timeout interval of the dormant timer
3 Timeout interval of the registration update timer
4 Interval for the registration lifetime timer of the A10 connection
Procedure
Step 1 Run access-view to enter the access view.
Step 2 Run a11timer to configure the A11 timer, that is, set the number of retransmission times of registration update messages, timeout interval of the dormant timer, timeout interval of the registration update timer, and interval for the registration lifetime timer of the A10 connection.
----End
2.9 Commissioning the Data for the Interworking with the PCF
This provides the commands for commissioning the configuration data for the interworking with the packet control function (PCF).
Context
When the preceding configuration is complete, you can run the following commands to check the running status or configuration result.
Table 2-2 Displaying the data for the interworking between the PDSN and the PCF
Command | Function
display current-configuration | Displays the current configuration of the interface.
display ip interface | Displays the running status of the interface.
display ip routing-table | Displays the abstract information about the routing table and information about the route with a specified destination IP address.
When some configuration is incorrect or requires modification, you can run the following commands to delete the current configuration and reconfigure the system.
Table 2-3 Deleting the data for the interworking between the PDSN and the PCF
Command | Function
undo interface | Deletes the configuration of the interface.
shutdown | Shuts down the physical interface.
undo ip address | Deletes the IP address of the interface.
undo ip route-static | Deletes a specified static route.
undo pcf | Deletes the SPI parameters and PCF-related information.
2.10 Configuration Example
This provides an example of the configuration for the interworking between the PDSN9660 and the packet control function (PCF).
2.10.1 Networking of the PDSN9660 and the PCF
This provides an example of the configuration for the networking of the PDSN9660 and the packet control function (PCF).
2.10.2 Reliability Networking of the PDSN9660 and the PCF
This provides an example of the configuration for the reliability networking of the PDSN9660 and the packet control function (PCF).
2.10.1 Networking of the PDSN9660 and the PCF
This provides an example of the configuration for the networking of the PDSN9660 and the packet control function (PCF).
Networking Requirement
In the CDMA2000 core network, the PDSN9660 connects to the PCF through router A. See Figure 2-2. The PDSN9660 must interwork with the PCF.
Figure 2-2 Networking for the interworking between the PDSN9660 and the PCF
[Figure labels: IP/MPLS backbone; PDSN: rpif3/0/0 10.8.20.1/32, ethernet2/0/0 10.8.60.1/24; Router A: 10.8.60.3; PCF: 10.8.10.1/24]
Data Collection
Plan the data as follows:
Physical interface
Ethernet interface | Ethernet2/0/0
IP address and subnet mask of the Ethernet2/0/0 interface | 10.8.60.1/255.255.255.0
IP address of the interface on router A that is connected to the Ethernet2/0/0 interface | 10.8.60.3/255.255.255.0
R-P interface
IP address and subnet mask of the rpif3/0/0 interface | 10.8.20.1/255.255.255.255
SPI
IP address of the control plane of the PCF | 10.8.10.1
IP address of the signaling plane of the PDSN9660 | 10.8.20.1
Security parameter index (SPI) between the PDSN9660 and the PCF | 256
Key | 0123456789abcdef
Authentication algorithm | MD5
Security mode | prefix-postfix
Anti-replay mode | Timestamp
Parameters about the A11 timer and the dormant timer
Number of retransmission times of registration update messages | 2
Timeout interval of the dormant timer | 10 minutes
Timeout interval of the registration update timer | 3 seconds
Timeout interval of the registration life cycle timer of the A10 connection | 1800 seconds
Configuration Procedure
1. Set the IP address and subnet mask of the Ethernet2/0/0 interface.
[PDSN]interface ethernet2/0/0
[PDSN-rpif3/0/0]quit
3. Configure the static route to the PCF.
[PDSN]ip route-static 10.8.10.1 255.255.255.0 10.8.60.3
4. Set the SPI parameters.
# Set the IP address of the control plane of the PCF to 10.8.10.1, IP address of the R-P interface of the PDSN9660 to 10.8.20.1, SPI to 256, authentication algorithm for A11 messages to MD5, key to 0123456789abcdef, authentication mode to prefix-postfix, and anti-replay mode to timestamp.
[PDSN]access-view
[PDSN-access]pcf pcfip 10.8.10.1 pdsnip 10.8.20.1 spi 256 share-key 0123456789abcdef authalgo 1 authmode 1 replaymode 1
NOTE
On router A, you need to configure a static route to the PDSN9660. The destination address of the static route is 10.8.20.1. This is the IP address of the rpif3/0/0 interface on the PDSN9660. The next hop address is 10.8.60.1. This is the IP address of the physical interface Ethernet2/0/0 on the PDSN9660.
5. Set the parameters for the A11 timer.
Set the number of retransmission times of registration update messages to 2, timeout interval of the dormant timer to 10 minutes, timeout interval of the registration update timer to 3 seconds, and timeout interval of the registration life cycle timer of the A10 connection to 1800 seconds.
[PDSN-access]a11timer resndnum 2 tdormant 10 tregupd 3 trp 1800
[PDSN-access]quit
[PDSN]quit
6. Save the current configuration.
<PDSN>save
Interworking Test
Run ping to check whether the link to the PCF is normal.
NOTE
- If the link is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.
- When checking the connectivity of the R-P interface, specify the parameter SRCIP as the IP address of the R-P interface. If SRCIP is not set, the PDSN9660 takes the address of the physical interface that sends the ping packets as the source IP address by default. In this case, you can check the connectivity between the peer and the physical interface sending the ping packets rather than the connectivity between the R-P interface and the peer.
2.10.2 Reliability Networking of the PDSN9660 and the PCF
This provides an example of the configuration for the reliability networking of the PDSN9660 and the packet control function (PCF).
Networking Requirement
To guarantee communication reliability between the PDSN9660 and the PCF, reliability networking is adopted. When the active link fails, the system automatically switches the traffic to the standby link.
In the CDMA2000 core network, the PDSN9660 connects to the PCF through router A. See Figure 2-3. Therefore, the PDSN9660 must interwork with the PCF.
Figure 2-3 Reliability networking for the interworking between the PDSN9660 and the PCF
[Figure labels: IP/MPLS backbone; PDSN: rpif3/0/0 10.8.20.1/32, Eth-Trunk0 10.3.37.94/28; Router A: 10.3.37.81; PCF: 10.8.10.1/28]
Data Collection
Plan the data as follows:
Eth-trunk0
Eth-trunk0 | Bound with GigabitEthernet1/0/0 and GigabitEthernet1/0/1
Operating mode of the Eth-trunk0 interface | Active/standby mode
IP address and subnet mask of the Eth-trunk0 interface | 10.3.37.94/255.255.255.240
IP address of the interface on router A that is connected to the Eth-trunk0 interface | 10.3.37.81
R-P interface
IP address and subnet mask of the rpif3/0/0 interface | 10.8.20.1/255.255.255.255
SPI
IP address of the control plane of the PCF | 10.8.10.1
IP address of the signaling plane of the PCF | 10.8.20.1
Security parameter index (SPI) between the PDSN9660 and the PCF | 256
Key | 0123456789abcdef
Authentication algorithm | MD5
Security mode | prefix-postfix
Anti-replay mode | Timestamp
Parameters about the A11 timer and the dormant timer
Number of retransmission times of | 2
Timeout interval of the registration update timer | 3 seconds
Timeout interval of the registration life cycle timer of the A10 connection | 1800 seconds
Configuration Procedure
1. Configure the Eth-trunk0 interface.
[PDSN]interface eth-trunk 0
[PDSN-Eth-Trunk0]workmode backup
[PDSN-Eth-Trunk0]ip address 10.3.37.94 255.255.255.240
[PDSN-Eth-Trunk0]quit
2. Bind the physical interfaces to the Eth-trunk0 interface.
Bind the GigabitEthernet1/0/0 interface to the Eth-trunk0 interface.
[PDSN]interface GigabitEthernet1/0/0
[PDSN-GigabitEthernet1/0/0]eth-trunk 0
[PDSN-GigabitEthernet1/0/0]quit
Bind the GigabitEthernet1/0/1 interface to the Eth-trunk0 interface.
[PDSN]interface GigabitEthernet1/0/1
[PDSN-GigabitEthernet1/0/1]eth-trunk 0
[PDSN-GigabitEthernet1/0/1]quit
3. Configure the rpif3/0/0 interface.
[PDSN]interface rpif3/0/0
[PDSN-rpif3/0/0]ip address 10.8.20.1 255.255.255.255
[PDSN-rpif3/0/0]quit
4. Configure the static route to the PCF.
[PDSN]ip route-static 10.8.10.1 255.255.255.240 10.3.37.81
5. Set the SPI parameters.
# Set the IP address of the control plane of the PCF to 10.8.10.1, IP address of the R-P interface of the PDSN9660 to 10.8.20.1, SPI to 256, authentication algorithm for A11 messages to MD5, key to 0123456789abcdef, authentication mode to prefix-postfix, and anti-replay mode to timestamp.
[PDSN]access-view
[PDSN-access]pcf pcfip 10.8.10.1 pdsnip 10.8.20.1 spi 256 share-key 0123456789abcdef authalgo 1 authmode 1 replaymode 1
NOTE
On router A, you need to configure a static route to the PDSN9660. The destination address of the static route is 10.8.20.1. This is the IP address of the rpif3/0/0 interface on the PDSN9660. The next hop address is 10.8.60.1. This is the IP address of the physical interface Ethernet2/0/0 on the PDSN9660.
6. Set the parameters for the A11 timer.
Set the number of retransmission times of registration update messages to 2, timeout interval of the dormant timer to 10 minutes, timeout interval of the registration update timer to 3 seconds, and timeout interval of the registration life cycle timer of the A10 connection to 1800 seconds.
[PDSN-access]a11timer resndnum 2 tdormant 10 tregupd 3 trp 1800
[PDSN-access]quit
[PDSN]quit
7. Save the current configuration.
Interworking Test
Run ping to check whether the link to the PCF is normal.
NOTE
- If the link is normal, the number of received packets is displayed. If "timeout" is displayed, the link is abnormal.
- When checking the connectivity of the R-P interface, specify the parameter SRCIP as the IP address of the R-P interface. If SRCIP is not set, the PDSN9660 takes the address of the physical interface that sends the ping packets as the source IP address by default. In this case, you can check the connectivity between the peer and the physical interface sending the ping packets rather than the connectivity between the R-P interface and the peer.
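The planning rules from 2.5 and 2.6 (R-P mask 255.255.255.255, next hop on the connected router, return route on router A pointing at the PDSN9660 interface used for interworking) can be checked before commissioning. The following check is an added example, not part of the Huawei documentation; it reads the commands of this reliability example, and the names parse and check and the finding texts are assumptions of the example.

```python
import ipaddress
import re

# Commands copied from the configuration procedure of this example.
TRANSCRIPT = """\
[PDSN]interface eth-trunk 0
[PDSN-Eth-Trunk0]workmode backup
[PDSN-Eth-Trunk0]ip address 10.3.37.94 255.255.255.240
[PDSN-Eth-Trunk0]quit
[PDSN]interface rpif3/0/0
[PDSN-rpif3/0/0]ip address 10.8.20.1 255.255.255.255
[PDSN-rpif3/0/0]quit
[PDSN]ip route-static 10.8.10.1 255.255.255.240 10.3.37.81
[PDSN]access-view
[PDSN-access]pcf pcfip 10.8.10.1 pdsnip 10.8.20.1 spi 256 share-key 0123456789abcdef authalgo 1 authmode 1 replaymode 1
"""


def parse(transcript):
    """Collect interface addresses, static routes and pcf entries."""
    cfg = {"interfaces": {}, "routes": [], "pcf": []}
    current = None
    for line in transcript.splitlines():
        # Drop the "[PDSN-...]" or "<PDSN>" prompt in front of the command.
        words = re.sub(r"^[\[<][^\]>]*[\]>]", "", line).split()
        if not words:
            continue
        if words[0] == "interface":
            current = "".join(words[1:]).lower()
        elif words[0] == "quit":
            current = None
        elif words[:2] == ["ip", "address"] and current:
            cfg["interfaces"][current] = ipaddress.ip_interface(
                words[2] + "/" + words[3])
        elif words[:2] == ["ip", "route-static"]:
            net = ipaddress.ip_network(words[2] + "/" + words[3], strict=False)
            cfg["routes"].append((net, ipaddress.ip_address(words[4])))
        elif words[0] == "pcf":
            cfg["pcf"].append(dict(zip(words[1::2], words[2::2])))
    return cfg


def check(cfg, return_route):
    """Return findings; return_route is router A's (destination, next hop)."""
    findings = []
    ifs = cfg["interfaces"]
    rp = {n: i for n, i in ifs.items() if n.startswith("rpif")}
    uplinks = {n: i for n, i in ifs.items() if not n.startswith("rpif")}
    for name, itf in rp.items():
        if itf.network.prefixlen != 32:          # rule from 2.5
            findings.append(f"{name}: R-P interface mask must be 255.255.255.255")
    for net, nh in cfg["routes"]:                # rule from 2.6
        if not any(nh in u.network and nh != u.ip for u in uplinks.values()):
            findings.append(f"route {net}: next hop {nh} is not on a connected subnet")
    for pcf in cfg["pcf"]:
        if not any(str(i.ip) == pcf["pdsnip"] for i in rp.values()):
            findings.append(f"pcf {pcf['pcfip']}: pdsnip {pcf['pdsnip']} is not an R-P address")
        if not any(ipaddress.ip_address(pcf["pcfip"]) in net for net, _ in cfg["routes"]):
            findings.append(f"pcf {pcf['pcfip']}: no static route covers the PCF")
    dst, nh = (ipaddress.ip_address(x) for x in return_route)
    if not any(dst == i.ip for i in rp.values()):
        findings.append(f"router A return route: destination {dst} is not the R-P address")
    if not any(nh == u.ip for u in uplinks.values()):
        findings.append(f"router A return route: next hop {nh} is not a PDSN9660 uplink address")
    return findings


if __name__ == "__main__":
    # Return route as stated in the NOTE of step 5 (destination, next hop).
    for finding in check(parse(TRANSCRIPT), ("10.8.20.1", "10.8.60.1")):
        print(finding)
```

With the values printed in this example, the only finding is the router A next hop 10.8.60.1, which is the Ethernet2/0/0 address from 2.10.1; with the Eth-trunk0 address 10.3.37.94 the plan passes.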
3 Configuring the Data for the AAA Server
About This Chapter
The PDSN9660 supports Remote Authentication Dial In User Service (RADIUS) authentication and accounting. It can assign an IP address to a mobile station (MS) through the authorization, authentication and accounting (AAA) server. Before setting parameters of authentication, accounting, or address assignment, ensure that the PDSN9660 interworks with the AAA server. The PDSN9660 sets up a physical path with the AAA server through a physical interface. The interworking with the AAA server is realized through the RADIUS protocol on the Pi interface. The network-layer interworking with the AAA server is realized through a routing protocol.
NOTE
The default port number for RADIUS authentication is 1812 and the default port number for RADIUS accounting is 1813.
Prerequisite
- The PDSN9660 and the AAA server are installed.
- The data for interworking with the PDSN9660 is configured on the AAA server.
3.1 Configuration Preparation
This describes the concepts related to the connection between the PDSN9660 and the authentication, authorization and accounting (AAA) server.
3.2 Planning the Networking for Connecting to the AAA Server
This describes the networking for connecting to the authentication, authorization and accounting (AAA) server.
3.3 Creating a VPN Instance
This describes how to create a virtual private network (VPN) instance to identify a VPN.
3.4 Configuring the Physical Interface
This describes how to configure a physical interface to establish the physical path between the PDSN9660 and the network entity.
3.5 Configuring the Eth-trunk Interface
This describes how to configure the Eth-trunk interface. To enhance networking reliability, configure the Eth-trunk interface to establish the path between the PDSN9660 and the network entity, and enable the Address Resolution Protocol (ARP) probe function.
3.6 Configuring the Sub-interface
This describes how to configure the sub-interface. To solve the problem of limited physical interfaces, configure the sub-interface to establish paths between the PDSN9660 and the network entity.
3.7 Configuring the Pi Interface
This describes how to create the logical communication path between the Pi and the authorization, authentication and accounting (AAA) server.
3.8 Configuring the GRE VPN
This describes how to configure the Generic Routing Encapsulation (GRE) virtual private network (VPN).
3.9 Configuring the IPSec Policy
This describes how to configure the IP Security (IPSec) policy.
3.10 Configuring the Static Route to the AAA Server
This describes how to configure the static route for the interworking between the PDSN9660 and the authorization, authentication and accounting (AAA) server at the network layer.
3.11 Configuring the Dynamic Route to the AAA Server
You can configure a dynamic route for the interworking between the PDSN9660 and the authorization, authentication and accounting (AAA) server at the network layer.
3.12 Configuring the AAA Authentication/Accounting Server
You must configure the authentication, authorization and accounting (AAA) server for authentication when the access mode is Point-to-Point Protocol (PPP) authentication access, or when the address assignment mode is assignment by the Remote Authentication Dial In User Service (RADIUS) server. You must configure the AAA server for accounting when an Internet service provider (ISP) or intranet requires RADIUS accounting for users.
3.13 Commissioning the Data for the Interworking with the AAA Server
This describes how to commission the data for the interworking with the authentication, authorization and accounting (AAA) server.
3.14 Configuration Example
This provides an example of the configuration for the interworking between the PDSN9660 and the authentication, authorization and accounting (AAA) server.
3.1 Configuration Preparation
This describes the concepts related to the connection between the PDSN9660 and the authentication, authorization and accounting (AAA) server.
Related Concepts
Related Concept | Reference
Concepts related to interfaces
Physical interface | Overview of NEs and Interfaces, Physical Interfaces, Relation Between Logical Interfaces and Physical Interfaces, and Interface Naming Rules
Eth-trunk interface | Logical Interfaces and Interface Naming Rules
Sub-interface | Logical Interfaces and Interface Naming Rules
Logical interface | Logical Interfaces, Relation Between Logical Interfaces and Physical Interfaces, and Interface Naming Rules
Concepts related to networking modes
Networking of the single physical interface mode | Networking of Single Physical Interface and Static Routing Mode
Networking of Eth-trunk active/standby mode and static routing mode | Networking of Eth-trunk Active/Standby Mode and Static Routing Mode
Networking of the Eth-trunk load-sharing mode and dynamic routing mode | Networking of Eth-trunk Load-sharing Mode and Dynamic Routing Mode
Inband or outband networking with the AAA server | Inband or Outband Networking with the AAA Server
3.2 Planning the Networking for Connecting to the AAA Server
This describes the networking for connecting to the authentication, authorization and accounting (AAA) server.