Cisco Intelligent Wireless Access Gateway, iWAG Configuration Manual

Intelligent Wireless Access Gateway Configuration Guide

First Published: July 26, 2013

Last Modified: March 28, 2014

Americas Headquarters

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-30226-03

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version
of the UNIX operating system. All rights reserved. Copyright©1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://

www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership

relationship between Cisco and any other company. (1110R)

©

2014 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1

Overview of the Intelligent Wireless Access Gateway 1

Finding Feature Information 1

Prerequisites for the iWAG 2

Restrictions for the iWAG 2

Information About the iWAG 2

Benefits of the iWAG 3

AAA Attributes 3

Supported Hardware and Software Compatibility Matrix for the iWAG 7

How to Configure the iWAG 8

Configuring the iWAG for Simple IP Users 8

Configuring the iWAG for 3G Mobile IP Users 8

Configuring Authentication, Authorization, and Accounting for the iWAG 8

Configuring DHCP when the iWAG Acts as a DHCP Proxy 10

Configuring the Cisco ISG Class Map and Policy Map for the iWAG 12

Configuring a Session Initiator for the iWAG 15

Configuring a Tunnel Interface for the iWAG 16

Enabling Mobile Client Service Abstraction 17

Configuring the GTP of the iWAG 18

Configuring the iWAG for 4G Mobile IP Users 21

Configuring PMIPv6 for the iWAG 21

Enabling Mobile Client Service Abstraction 21

Additional References 22

Feature Information for the Intelligent Wireless Access Gateway 23

24

CHAPTER 2

IP Sessions Over Gigabit EtherChannel 25

Finding Feature Information 25

Restrictions for IPoGEC 25

OL-30226-03 iii

Intelligent Wireless Access Gateway Configuration Guide

Contents

Information About IP Sessions over Gigabit EtherChannel 26

Supported Features for IPoGEC 26

Configuring IP Sessions over Gigabit EtherChannel 26

Configuring Member Links for IP Sessions over Gigabit EtherChannel 28

Configuration Examples for IP Sessions Over Gigabit EtherChannel 29

Additional References 29

Feature Information for IP Sessions over Gigabit EtherChannel 30

31

CHAPTER 3

CHAPTER 4

Multiple-Flow Tunnel 33

Finding Feature Information 33

Information About Multiple-Flow Tunnel 33

Additional References 34

Feature Information for Multiple-Flow Tunnel 35

35

Service Provider WiFi: Support for Integrated Ethernet Over GRE 37

Finding Feature Information 37

Information About Ethernet Over GRE 38

Restrictions for Configuring Ethernet Over GRE 38

Prerequisites for Configuring Ethernet Over GRE 39

Information About Configuring Ethernet Over GRE 39

EoGRE Deployment with PMIPv6 Integrated for Mobility Service 42

EoGRE Deployment with GTP Integrated for Mobility Service 43

EoGRE Deployment with ISG Integrated for Simple IP Service 43

Supported Features 44

How to Configure the EoGRE Feature 45

Example: Configuring the EoGRE Feature 46

Additional References 48

Feature Information for Configuring Ethernet Over GRE 49

CHAPTER 5

GTPv2 Support in the iWAG 51

Finding Feature Information 51

Restrictions for GTPv2 of the iWAG 51

Information About GTPv2 in the iWAG 52

Intelligent Wireless Access Gateway Configuration Guide

iv OL-30226-03

Contents

GTPv2 Configuration 52

RADIUS Configuration 53

Intra-iWAG Roaming 53

Configuration for the GTPv1 and GTPv2 Roaming Scenario 53

Additional References 54

Feature Information for GTPv2 Support in the iWAG 55

55

CHAPTER 6

CHAPTER 7

iWAG SSO Support for GTP 57

Finding Feature Information 57

Information About iWAG SSO Support for GTP 57

Enabling SSO Support for the GTP 58

Additional References 59

Feature Information for iWAG SSO Support for GTP 60

60

Configuring ISG Policy Templates 61

Finding Feature Information 61

Restrictions for Configuring ISG Policy Templates 61

Information About Configuring ISG Policy Templates 61

How to Configure ISG Policy Templates 62

Additional References 62

Feature Information for Configuring ISG Policy Templates 63

63

CHAPTER 8

Cisco ISG Accounting Accuracy for LNS Sessions 65

Finding Feature Information 65

Information About Cisco ISG Accounting Accuracy for LNS Sessions 65

Additional References 66

Feature Information for Cisco ISG Accounting Accuracy for LNS Sessions 67

67

CHAPTER 9

Dual Stack Support for PMIPv6 and GTP 69

Finding Feature Information 69

Information About Dual-Stack Support for PMIPv6 69

OL-30226-03 v

Intelligent Wireless Access Gateway Configuration Guide

Contents

Features Supported for Dual-Stack PMIPv6 Sessions 70

Information About Dual-Stack Support for GTP 70

Restrictions for Dual-Stack GTP 70

AAA Attributes for Dual Stack 70

Configuration Examples for Dual-Stack PMIPv6 71

Example: Configuring an Access List Traffic Classmap for Dual-Stack PMIPv6 71

Example: Configuring a Classmap for Dual-Stack PMIPv6 71

Example: Configuring a Policymap for Dual-Stack PMIPv6 72

Example: Configuring a Control Policy for Dual-Stack PMIPv6 72

Example: Configuring an Access Interface for Dual-Stack PMIPv6 73

Example: Configuring the Local Mobility Anchor for Cisco ASR 5000 Routers 73

Example: Configuring Mobile Access Gateways for Dual-Stack PMIPv6 74

Configuration Examples for Dual-Stack GTP 75

CHAPTER 10

Example: Configuring Dual-Stack Sessions for GTP 75

Example: Configuring an Interface to PGW or GGSN 75

Example: Configuring a Control Policy for Dual-Stack GTP 75

Example: Configuring an Access Interface for Dual-Stack GTP 75

Enabling IPv6 Routing 76

Additional References 76

Feature Information for Dual-Stack Support for PMIPv6 and GTP 77

77

Flow-Based Redirect 79

Finding Feature Information 79

Flow-Based Redirect for Adult Content Filtering 80

Flow-Based Redirect for Selective IP Traffic Offload 81

Activating and Deactivating the Flow-Based Redirect Feature Through Vendor-Specific

Attributes 82

Configuring Flow-Based Redirect for a Traffic Class Service 82

Examples 85

Best Practices for Configuring the NAT on the Cisco ASR 1000 Series Routers 87

NAT Overloading and Port Parity 88

NAT Interface Overloading with VRF 88

Additional References 89

Feature Information for Flow-Based Redirect 89

Intelligent Wireless Access Gateway Configuration Guide

vi OL-30226-03

Contents

90

CHAPTER 11

CHAPTER 12

Call Flows for Simple IP Users 91

Finding Feature Information 91

Simple IP Unclassified MAC Authentication (MAC TAL and Web Login) Call Flows 91

Simple IP Unclassified MAC with MAC TAL Authentication Call Flow 93

Simple IP Unclassified MAC with Web Login Authentication Call Flow 95

Simple IP Unclassified MAC Authentication Call Flow Configuration 96

Additional References 98

Feature Information for Call Flows for Simple IP Users 99

99

Call Flows for 3G and 4G Mobile IP Users 101

Finding Feature Information 101

3G DHCP Discover Call Flow 101

3G DHCP Discover Call Flow Configuration 104

4G DHCP Discover Call Flow 108

4G DHCP Discover Call Flow Configuration 110

CHAPTER 13

4G Roaming Call Flow 111

4G Roaming Call Flow Configuration 114

Additional References 115

Feature Information for Call Flows for 3G and 4G Mobile IP Users 116

116

Call Flows for Dual-Stack PMIPv6 and GTP 117

Finding Feature Information 117

Dual-Stack Mobile IPoE Session with DHCPv4 as FSOL for PMIPv6 Call Flow 118

Dual-Stack Mobile IPoE Session with IPv6 ND as FSOL for PMIPv6 Call Flow 121

Dual-Stack Mobile IPoE Session with DHCPv4 as FSOL for GTP Call Flow 124

Dual-Stack Mobile IPoE Session with IPv6 ND as FSOL for GTP Call Flow 126

Additional References 128

Feature Information for Call Flows for Dual-Stack PMIPv6 and GTP 129

130

CHAPTER 14

OL-30226-03 vii

iWAG Scalability and Performance 131

Intelligent Wireless Access Gateway Configuration Guide

Contents

iWAG Scaling 131

Restrictions for iWAG Scalability 132

Layer 4 Redirect Scaling 133

Configuring Call Admission Control 133

Walk-by User Support for PWLAN in iWAG 133

Additional References 134

Feature Information for iWAG Scalability and Performance 135

Intelligent Wireless Access Gateway Configuration Guide

viii OL-30226-03

CHAPTER 1

Overview of the Intelligent Wireless Access
Gateway

Service providers use a combination of WiFi and mobility offerings to offload their mobility networks in
the area of high-concentration service usage. This led to the evolution of the Intelligent Wireless Access
Gateway (iWAG).

The iWAG provides a WiFi offload option to 4G and 3G service providers by enabling a single-box solution
that provides the combined functionality of Proxy Mobile IPv6 (PMIPv6) and GPRS Tunneling Protocol
(GTP) on the Cisco Intelligent Services Gateway (Cisco ISG) framework. This document provides information
about the iWAG and how to configure it, and contains the following sections:

Finding Feature Information, page 1

•

Prerequisites for the iWAG, page 2

•

Restrictions for the iWAG, page 2

•

Information About the iWAG, page 2

•

How to Configure the iWAG, page 8

•

Additional References, page 22

•

Feature Information for the Intelligent Wireless Access Gateway, page 23

•

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

OL-30226-03 1

Intelligent Wireless Access Gateway Configuration Guide

Prerequisites for the iWAG

Prerequisites for the iWAG

Enable mobile client service abstraction (MCSA).

•

Enable the ipv6 unicast-routing command.

•

Restrictions for the iWAG

Roaming from a 3G mobility network to a WLAN is not supported for the GTP and Cisco ISG sessions.

•

IP subscriber-routed (L3) sessions are not supported.

•

IPv6 and quality of service (QoS) are not supported in a 3G mobility network.

•

Only newly established calls are offloaded to the WLAN Third-Generation Partnership Project (3GPP)

•

IP access.

Overview of the Intelligent Wireless Access Gateway

The iWAG solution for WLAN offload is currently available only for the 3G Universal Mobile

•

Telecommunications System (UMTS).

Information About the iWAG

The iWAG deployment includes a combination of simple IP users (traditional ISG and WiFi) and mobile IP
users (PMIPv6 or GTP tunneling). The term mobility service is used to refer to either the GTP service or the
PMIPv6 service applied to user traffic. The iWAG provides mobility services to mobile IP users, and as a
result, a mobile client can seamlessly access a 3G or 4G mobility network. However, the iWAG does not
provide mobility services to simple IP users. Therefore, simple IP users can access the Public Wireless LAN
(PWLAN) network through the Cisco ISG. Clients are devices that access WiFi Internet (public wireless),
where possible. However, if WiFi is not available, the same clients can

connect to the Internet service using a 3G or 4G mobility network.

The iWAG has a transport or switching element with Cisco ISG subscriber awareness. The iWAG also has
RADIUS-based authentication and accounting, and policy-based subscriber routing for the WiFi wholesale
model.

For more information about the iWAG, see the Overview of iWAG video.

Intelligent Wireless Access Gateway Configuration Guide

2 OL-30226-03

Overview of the Intelligent Wireless Access Gateway

The following figure shows a deployment model of the iWAG on a Cisco ASR 1000 Series Aggregation
Services Router.

Figure 1: iWAG Deployment on a Cisco ASR 1000 Series Aggregation Services Router

Benefits of the iWAG

Benefits of the iWAG

The iWAG offers the following benefits for mobile operators:

Reduces network congestion by reducing OpEx and increasing network efficiency by offloading 3G

•

and 4G traffic.

Provides access to 3G and 4G core inspite of a lack of or weak cell signal, leading to subscriber retention.

•

Lowers CapEx on per user basis or bandwidth basis in dense metro environments.

•

The iWAG offers the following benefits for wireline and WiFi operators:

Provides WiFi security and subscriber control. Delivers scalable, manageable, and secure wireless

•

connectivity.

Enables new revenue-sharing business models, such as Mobile Virtual Network Operators (MVNO)

•

and others.

Delivers a WiFi platform that offers new location-based services.

•

The iWAG offers the following benefits for subscribers:

Provides enhanced quality of experience to subscribers on WiFi networks.

•

Provides unified billing across access networks.

•

• Provides mobility across radio access technologies—3G or 4G to WiFi and WiFi to WiFi.

Provides multiple options within the WiFi platform, thereby enabling location-based services.

•

AAA Attributes

The following table lists the authentication, authorization, and accounting (AAA) attributes required for the
iWAG configuration:

OL-30226-03 3

Intelligent Wireless Access Gateway Configuration Guide

AAA Attributes

Overview of the Intelligent Wireless Access Gateway

Note

The following indicate the availability of the attributes:

C: Conditional

M: Mandatory

O: Optional

N: Not present

Table 1: iWAG AAA Attributes

Attrib
ute
/Subattri

bute
Name

DescriptionValueAttri

bute

StringUser Name1

Identifier

4

-Address

31

Station-ID

StringNAS-IP

MAG

StringCalling-

mobile node

ARq

CoA

5

AA

2

ARj

AS

1

4

3

COMMMNetwork Access

OMNNMIP address of the

MMMMMMAC address of the

26/

10415/

1

26/

10415

/13

26

/9

/1

26

/9

/1

26

/9/1

IMSI

-Charging

-Characteristics

-Selection

-Mobile

-Node

-Identifier

-WLAN

-SSID

ONNON3GPP IMSIString3GPP-

String3GPP

OONONRules for producing

charging information

StringCisco-Service

CNNCNService Identifier

(APN)

StringCisco

CMNMNMobile Node

Identifier

StringCisco

NCNNCSSID of the Access

Point

Intelligent Wireless Access Gateway Configuration Guide

4 OL-30226-03

Overview of the Intelligent Wireless Access Gateway

AAA Attributes

Attrib
ute
/Subattri
bute

26/9/1

26/9/1

26/9/1

bute
Name

-MSISDN

Cisco-MN

-Service

Cisco-MPC

-Protocol

-Interface

StringCisco

ENUM

•

•

•

•

ENUM

•

•

•

•

none

ipv4

ipv6

dual

none

pmipv6

gtpv1

pmipv4

DescriptionValueAttri

ISDN number

type

be used for
interfacing with MPC

ARq

CoA

5

AA

2

ARj

AS

1

4

3

CCNCNMobile Subscriber

OMNMNMobile Node Service

OONMNProtocol Interface to

26/9/1

26/9/1

26/9/1

26/9/1

-Multihoming

-Support

-Uplink

-GRE

-Key

-Downlink

-GRE

-Key

-Home

-LMA

-IPv6

-Address

BinaryCisco

ONNONTrue/False:
Multihoming support
for mobile node

IntegerCisco

ONNON32-bit GRE Key to be
used on the uplink
path (4-octet hex
encoding)

IntegerCisco

ONNON32-bit GRE Key to be
used on the downlink
path (4-octet hex
encoding)

StringCisco

ONNCNMobile node's Home
LMA IPv6 address

OL-30226-03 5

Intelligent Wireless Access Gateway Configuration Guide

AAA Attributes

Overview of the Intelligent Wireless Access Gateway

Attrib
ute
/Subattri
bute

26/9/1

26/9/1

26/9/1

bute
Name

-Visited

-LMA

-IPv6

-Address

-Home

-LMA

-IPv4

-Address

-Visited

-LMA

-IPv4

-Address

CoA

ONNCNMobile node's Visited

5

AA

2

ARj

AS

1

DescriptionValueAttri

ARq

4

3

StringCisco

LMA IPv6 address

IPv4 AddressCisco

ONNCNMobile node's Home

LMA IPv4 address

IPv4 AddressCisco

ONNCNMobile node's Visited

LMA IPv4 address

26/9/1

26/9/1

26

/10415

/5

-Home

-IPv4

-Home

-Address

-Visited

-IPv4

-Home

-Address

_GPRS

_QOS

_PROFILE

IPv4 AddressCisco

CNNONMobile node's Visited

LMA IPv4 address

IPv4 AddressCisco

CNNONMobile node's Visited

IPv4 address

NNNONGRPS QoS ProfileStringTHREEGENPP

Intelligent Wireless Access Gateway Configuration Guide

6 OL-30226-03

Overview of the Intelligent Wireless Access Gateway

Supported Hardware and Software Compatibility Matrix for the iWAG

1

Access Request

2

Access Accept

3

Access Reject

4

Accounting Start

5

Change of Authorization

Attrib
ute
/Subattri
bute

26

/10415

/7

26/9/1

26/9/1

bute
Name

_GGSN

_ADDRESS

-Access

-Vrf

-Id

-Apn

-Vrf

-Id

CoA

5

AA

2

ARj

AS

1

DescriptionValueAttri

ARq

4

3

NNNONGGSN's AddressIPv4 AddressTHREEGENPP

NNNONAccess-side VRF IDStringCisco

NNNONGGSN's IPv4 addressIPv4 AddressCisco

Supported Hardware and Software Compatibility Matrix for the iWAG

ESPRP MemoryChassis

IntegratedIntegrated RP with 16 GBCisco ASR 1001 Router

IntegratedIntegrated RP with 16 GBCisco ASR 1002-X Router

ESP-40GRP2 16 GBCisco ASR 1004 Router

ESP-40GRP2 16 GBCisco ASR 1006 Router and Cisco
ASR 1013 Router offering duplex
RP or ESP setup

ESP-100GRP2 16 GBCisco ASR 1006 Router and Cisco
ASR 1013 Router offering duplex
RP or ESP setup

OL-30226-03 7

Intelligent Wireless Access Gateway Configuration Guide

How to Configure the iWAG

For information about the field-replaceable units (FRUs) of the Cisco ASR 1000 Series Aggregation Services
Routers supported by each ROMmon release, see the "ROMmon Release Requirements" section in the Cisco

ASR 1000 Series Aggregation Services Routers Release Notes.

How to Configure the iWAG

Configuring the iWAG for Simple IP Users

You must configure the Cisco Intelligent Services Gateway (ISG) for the iWAG to enable simple IP users to
access Internet services.

The tasks listed below enable IP sessions and indicate how these sessions are identified. For detailed steps,
see the "Creating ISG Sessions for IP Subscribers" section in the Intelligent Services Gateway Configuration

Guide.

Creating ISG IP interface sessions

•

Overview of the Intelligent Wireless Access Gateway

Creating ISG Static Sessions

•

Creating ISG IP Subnet Sessions

•

Configuring IP Session Recovery for DHCP-Initiated IP Sessions

•

Verifying ISG IP Subscriber Sessions

•

Clearing ISG IP Subscriber Sessions

•

Troubleshooting ISG IP Subscriber Sessions

•

You must configure DHCP support in your network before performing the tasks listed below. For detailed
steps on assigning IP addresses using DHCP, see the "Assigning ISG Subscriber IP Addresses by Using
DHCP" section in the Intelligent Services Gateway Configuration Guide.

Configuring an ISG Interface for Dynamic DHCP Class Association

•

Configuring DHCP Server User Authentication

•

Configuring a DHCP Class in a Service Policy Map

•

Configuring a DHCP Class in a Service Profile or User Profile on the AAA Server

•

Configuring a DHCP Server IP Address

•

Configuring the iWAG for 3G Mobile IP Users

You must configure GTP for the iWAG to allow access to 3G mobile IP users. The various tasks described
in the following sections are mandatory for configuring the iWAG for 3G mobile IP users.

Configuring Authentication, Authorization, and Accounting for the iWAG

This section describes how to configure authentication, authorization, and accounting (AAA) for the iWAG
on the Cisco ASR 1000 Series Aggregation Services Routers.

Intelligent Wireless Access Gateway Configuration Guide

8 OL-30226-03

Overview of the Intelligent Wireless Access Gateway

SUMMARY STEPS

enable

1.

configure terminal

2.

aaa new-model

3.

aaa group server radius group-name

4.

server-private ip-address [auth-port port-number | acct-port port-number ] [non-standard] [timeout

5.

seconds ] [retransmit retries ] [ key string]

aaa authentication login {default | list-name} { [passwd-expiry] method1 [method2...]}

6.

aaa authorization network authorization-name group server-group name

7.

aaa authorization subscriber-service {default {cache | group | local} | list-name} method1 [method2...]

8.

aaa accounting{auth-proxy| system | network | exec | connection | commands level | dot1x} { {default

9.

| list-name } [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

action-type {none | start-stop | stop-only}

10.

group {tacacs+ server-group}

11.

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x } {default

12.

|list-name } [vrf vrf-name ] {start-stop | stop-only | none} [broadcast] group group-name

Configuring the iWAG for 3G Mobile IP Users

DETAILED STEPS

Step 1

Example:

Router# enable

Step 2

Example:

Router# configure terminal

Step 3

Example:

Router(config)# aaa new-model

Step 4

Step 5

aaa group server radius group-name

Example:

Router(config)# aaa group server radius AAA_SERVER_CAR

server-private ip-address [auth-port port-number | acct-port
port-number ] [non-standard] [timeout seconds ] [retransmit retries
] [ key string]

PurposeCommand or Action

Enables the privileged EXEC mode.enable

Enter your password, if prompted.

Enters the global configuration mode.configure terminal

Enables the AAA access control model.aaa new-model

Groups different RADIUS server hosts into distinct
lists and methods.

Configures the IP address of the private RADIUS
server for the group server.

Example:

Router(config-sg-radius)# server-private 5.3.1.76
auth-port 2145 acct-port 2146 key cisco

OL-30226-03 9

Intelligent Wireless Access Gateway Configuration Guide

Configuring the iWAG for 3G Mobile IP Users

Overview of the Intelligent Wireless Access Gateway

PurposeCommand or Action

Step 6

Step 7

Step 8

Step 9

Step 10

Step 11

Step 12

aaa authentication login {default | list-name} { [passwd-expiry]
method1 [method2...]}

Example:

Router(config-sg-radius)# aaa authentication login
default none

aaa authorization network authorization-name group
server-group name

Example:

Router(config)# aaa authorization network ISG_PROXY_LIST

group AAA_SERVER_CAR

aaa authorization subscriber-service {default {cache | group |
local} | list-name} method1 [method2...]

Example:

Router(config)# aaa authorization subscriber-service
default local group AAA_SERVER_CAR

aaa accounting{auth-proxy| system | network | exec | connection
| commands level | dot1x} { {default | list-name } [vrf vrf-name]
{start-stop | stop-only | none} [broadcast] group group-name

Example:

Router(config)# aaa accounting network PROXY_TO_CAR

action-type {none | start-stop | stop-only}

Example:

Router(cfg-acct-mlist)# action-type start-stop

group {tacacs+ server-group}

Example:

Router(cfg-preauth)# group AAA_SERVER_CAR

aaa accounting {auth-proxy | system | network | exec | connection
| commands level | dot1x } {default |list-name } [vrf vrf-name ]
{start-stop | stop-only | none} [broadcast] group group-name

Example:

Router(config)# aaa accounting network ISG_PROXY_LIST
start-stop group AAA_SERVER_CAR

Sets AAA authentication at login.

Runs authorization for all network-related service
requests.

Specifies one or more AAA authorization methods
for the Cisco ISG to provide subscriber service.

Enables AAA accounting of requested services
for billing and security purposes when either the
RADIUS server or the TACACS+ server is used.

Enables the type of actions to be performed on
accounting records.

Specifies the AAA TACACS+ server group to use
for preauthentication.

Enables AAA accounting of requested services
for billing and security purposes when you use
either the RADIUS server or the TACACS+
server.

Configuring DHCP when the iWAG Acts as a DHCP Proxy

This section describes how to configure the Dynamic Host Configuration Protocol (DHCP) for the iWAG
solution when the iWAG acts as a DHCP proxy.

Intelligent Wireless Access Gateway Configuration Guide

10 OL-30226-03

Overview of the Intelligent Wireless Access Gateway

SUMMARY STEPS

enable

1.

configure terminal

2.

ip dhcp excluded-address [vrf vrf-name] ip-address

3.

ip dhcp pool pool-name

4.

network network-number [ mask [secondary] | /prefix-length [secondary]

5.

default-router ip-address [last-ip-address]

6.

domain-name domain

7.

lease {days [hours [ minutes ]] | infinite}

8.

DETAILED STEPS

Configuring the iWAG for 3G Mobile IP Users

PurposeCommand or Action

Step 1

Step 2

Step 3

Step 4

Step 5

Example:

Router> enable

Example:

Router# configure terminal

ip dhcp excluded-address [vrf vrf-name] ip-address

Example:

Router(config)# ip dhcp excluded-address

192.168.10.1

ip dhcp pool pool-name

Example:

Router(config)# ip dhcp pool test

network network-number [ mask [secondary] |
/prefix-length [secondary]

Example:

Enables the privileged EXEC mode.enable

Enter your password, if prompted.

Enters the global configuration mode.configure terminal

Specifies the IP address that a DHCP server should not assign
to DHCP clients.

Configures a DHCP address pool on a DHCP server and enters
the DHCP pool configuration mode.

Configures the network number and mask for a DHCP address
pool primary subnet or DHCP address pool secondary subnet on
a Cisco IOS DHCP server.

Router(dhcp-config)# network 192.168.0.0

255.255.0.0

Step 6

OL-30226-03 11

default-router ip-address [last-ip-address]

Example:

Router(dhcp-config)# default-router

192.168.10.1

Specifies the default router list for a DHCP client.

Intelligent Wireless Access Gateway Configuration Guide

Configuring the iWAG for 3G Mobile IP Users

Overview of the Intelligent Wireless Access Gateway

PurposeCommand or Action

Step 7

Step 8

domain-name domain

Example:

Router(dhcp-config)# domain-name example.com

lease {days [hours [ minutes ]] | infinite}

Specifies the domain name for a DHCP client.

Configures the duration of the lease for an IP address that is
assigned from a Cisco IOS DHCP server to a DHCP client.

Example:

Note

The DHCP pool lease time is applicable only to simple
sessions. For mobile GTP sessions, lease time from the

Router(dhcp-config)# lease 1 2 2

GTP configuration will be used. Under the GTP
configuration, lease duration should be configured the
same way as the address hold timer in the GGSN or
PGW.

Configuring the Cisco ISG Class Map and Policy Map for the iWAG

This section describes how to configure the Cisco ISG class map and policy map for the iWAG.

SUMMARY STEPS

enable

1.

configure terminal

2.

class-map type traffic match-any class-map-name

3.

match access-group output {access-group | name access-group-name}

4.

match access-group input {access-group | name access-group-name}

5.

policy-map type service policy-map-name

6.

[ priority ] class type traffic {class-map-name | default {in-out | input | output } }

7.

accounting aaa list aaa-method-list

8.

[ priority ] class type traffic { class-map-name | default {in-out | input | output}}

9.

drop

10.

policy-map type control policy-map-name

11.

class type control control-class-name | always} [event{access-reject | account-logoff | account-logon |

12.

acct-notification | credit-exhausted | dummy-event | quota-depleted | radius-timeout | service-failed |
service-start | service-stop | session-default-service | session-restart | session-service-found | session-start
| timed-policy-expiry}]

action-number service-policy type service [unapply] [aaa list list-name ] { name service-name |

13.

identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name |
unauthenticated-domain | unauthenticated-username }}

action-number authorize[aaa{list-name | list { list-name | default}} [password password]] [upon

14.

network-service-found {continue | stop}] [use method authorization-type] identifier identifier-type
[plus identifier-type]

Intelligent Wireless Access Gateway Configuration Guide

12 OL-30226-03

Overview of the Intelligent Wireless Access Gateway

DETAILED STEPS

Configuring the iWAG for 3G Mobile IP Users

PurposeCommand or Action

Step 1

Step 2

Step 3

Step 4

Step 5

Example:

Router> enable

Example:

Router# configure terminal

class-map type traffic match-any class-map-name

Example:

Router(config)# class-map type traffic match-any
TC_OPENGARDEN

match access-group output {access-group | name
access-group-name}

Example:

Router(config-traffic-classmap)# match access-group
output name ACL_OUT_OPENGARDEN

match access-group input {access-group | name
access-group-name}

Enables the privileged EXEC mode.enable

Enter your password, if prompted.

Enters the global configuration mode.configure terminal

Creates or modifies a traffic class map that is used
for matching packets to a specified Cisco ISG
traffic class.

Configures the match criteria for a Cisco ISG
traffic class map on the basis of the specified
access control list (ACL).

Configures the match criteria for a Cisco ISG
traffic class map on the basis of the specified ACL.

Step 6

Step 7

Step 8

Example:

Router(config-traffic-classmap)# match access-group input

name ACL_IN_OPENGARDEN

policy-map type service policy-map-name

Example:

Router(config)# policy-map type service
OPENGARDEN_SERVICE

[ priority ] class type traffic {class-map-name | default {in-out |
input | output } }

Example:

Router(config-service-policymap)# 20 class type traffic

TC_OPENGARDEN

accounting aaa list aaa-method-list

Example:

Router(config-service-policymap)# accounting aaa list
PROXY_TO_CAR

Creates or modifies a service policy map that is
used to define a Cisco ISG subscriber service.

Creates or modifies a traffic class map that is used
for matching packets to a specified Cisco ISG
traffic class.

Enables Cisco ISG accounting and specifies an
AAA method list to which accounting updates are
forwarded.

OL-30226-03 13

Intelligent Wireless Access Gateway Configuration Guide

Configuring the iWAG for 3G Mobile IP Users

Overview of the Intelligent Wireless Access Gateway

PurposeCommand or Action

Step 9

Step 10

Step 11

Step 12

[ priority ] class type traffic { class-map-name | default {in-out |
input | output}}

Example:

Router(config-service-policymap)# class type traffic
default in-out

drop

Example:

Router(config-service-policymap)# drop

policy-map type control policy-map-name

Example:

Router(config)# policy-map type control BB_PROFILE

class type control control-class-name | always}
[event{access-reject | account-logoff | account-logon |

acct-notification | credit-exhausted | dummy-event | quota-depleted
| radius-timeout | service-failed | service-start | service-stop |
session-default-service | session-restart | session-service-found |
session-start | timed-policy-expiry}]

Creates or modifies a traffic class map that is used
for matching packets to a specified Cisco ISG
traffic class.

Configures a Cisco ISG to discard packets
belonging to the default traffic class.

Creates or modifies a control policy map that
defines a Cisco ISG control policy.

Specifies a control class for which actions can be
configured in a Cisco ISG control policy.

Step 13

Step 14

Example:

Router (config-control-policymap)# class type control
always event session-start

action-number service-policy type service [unapply] [aaa list
list-name ] { name service-name | identifier

{authenticated-domain | authenticated-username | dnis | nas-port
| tunnel-name | unauthenticated-domain |

unauthenticated-username }}

Example:

Router(config-control-policymap-class-control)# 10
service-policy type service name OPENGARDEN_SERVICE

action-number authorize[aaa{list-name | list { list-name |
default}} [password password]] [upon network-service-found
{continue | stop}] [use method authorization-type] identifier
identifier-type [plus identifier-type]

Example:

Router(config-control-policymap-class-control)# 20
authorize aaa list ISG_PROXY_LIST password cisco
identifier mac-address

Activates a Cisco ISG service.

Initiates a request for authorization based on a
specified identifier in a Cisco ISG control policy.

Intelligent Wireless Access Gateway Configuration Guide

14 OL-30226-03

Overview of the Intelligent Wireless Access Gateway

Configuring a Session Initiator for the iWAG

This section describes how to configure a session initiator for the iWAG solution. A session can be created
using different triggers, such as an unknown MAC address, an unclassified MAC address, a RADIUS message
with the Cisco ASR 1000 Series Aggregation Services Router acting as RADIUS proxy or a DHCP DISCOVER
message with the Cisco ASR 1000 Series Aggregation Services Router acting as DHCP proxy.

To enable roaming, one initiator is required for DHCP sessions and another for the unclassified MAC.Note

SUMMARY STEPS

enable

1.

configure terminal

2.

interface GigabitEthernet slot/subslot/port

3.

description string

4.

ip address ip-address mask [secondary [vrf vrf-name]]

5.

negotiation auto

6.

service-policy type control policy-map-name

7.

ip subscriber {l2-connected}

8.

initiator {dhcp | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified

9.

mac-address}

initiator {dhcp | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified

10.

mac-address}

Configuring the iWAG for 3G Mobile IP Users

DETAILED STEPS

Step 1

Step 2

Step 3

Example:

Router> enable

Example:

Router# configure terminal

interface GigabitEthernet slot/subslot/port

Example:

Router(config)# interface GigabitEthernet 1/3/3

PurposeCommand or Action

Enables the privileged EXEC mode.enable

Enter your password, if prompted.

Enters the global configuration mode.configure terminal

Enters the interface configuration mode for Gigabit
Ethernet.

OL-30226-03 15

Intelligent Wireless Access Gateway Configuration Guide

Configuring the iWAG for 3G Mobile IP Users

Overview of the Intelligent Wireless Access Gateway

PurposeCommand or Action

Step 4

Step 5

Step 6

Step 7

Step 8

description string

Example:

Router(config-if)# description access interface
connected to subscriber

ip address ip-address mask [secondary [vrf vrf-name]]

Example:

Router(config-if)# ip address 192.171.10.1

255.255.0.0

Example:

Router(config-if)# negotiation auto

service-policy type control policy-map-name

Example:

Router(config-if)# service-policy type control
BB_Profile

ip subscriber {l2-connected}

Example:

Router(config-if)# ip subscriber l2-connected

Adds a description to an interface configuration.

Sets a primary IP address or secondary IP address for
an interface.

Enables auto negotiation on a Gigabit Ethernet interface.negotiation auto

Applies a control policy to a context.

Enables Cisco ISG IP subscriber support on an interface
and specifies the access method that IP subscribers use
for connecting to the Cisco ISG on an interface.

Note

The iWAG does not support the routed access
method.

Step 9

initiator {dhcp | radius-proxy | static ip subscriber list
listname | unclassified ip | unclassified mac-address}

Example:

Router(config-subscriber)# initiator unclassified

mac-address

Step 10

initiator {dhcp | radius-proxy | static ip subscriber list
listname | unclassified ip | unclassified mac-address}

Example:

Router(config-subscriber)# initiator dhcp

Configuring a Tunnel Interface for the iWAG

This section describes how to configure a tunnel interface between the iWAG solution and the GGSN.

Enables the Cisco ISG to create an IP subscriber session
upon receipt of a specified type of packet.

Enables the Cisco ISG to create an IP subscriber session
upon receipt of a specified type of packet.

Intelligent Wireless Access Gateway Configuration Guide

16 OL-30226-03

Overview of the Intelligent Wireless Access Gateway

SUMMARY STEPS

enable

1.

configure terminal

2.

interface GigabitEthernet slot/subslot/port

3.

description string

4.

ip address ip-address mask [secondary [vrf vrf-name ]]

5.

negotiation auto

6.

DETAILED STEPS

Configuring the iWAG for 3G Mobile IP Users

PurposeCommand or Action

Step 1

Step 2

Step 3

Step 4

Step 5

Step 6

Example:

Router> enable

Example:

Router# configure terminal

interface GigabitEthernet slot/subslot/port

Example:

Router(config)# interface GigabitEthernet 1/3/5

description string

Example:

Router(config-if)#description interface connected

to GGSN

ip address ip-address mask [secondary [vrf vrf-name ]]

Example:

Router(config-if)# ip address 192.170.10.1

255.255.0.0

negotiation auto

Example:

Enables the privileged EXEC mode.enable

Enter your password, if prompted.

Enters the global configuration mode.configure terminal

Enters the interface configuration mode for Gigabit
Ethernet interface.

Adds a description to an interface configuration.

Sets a primary IP address or secondary IP address for
an interface.

Enables auto negotiation on a Gigabit Ethernet
interface.

Router(config-if)# negotiation auto

Enabling Mobile Client Service Abstraction

This section describes how to enable Mobile Client Service Abstraction (MCSA) for PMIPv6.

OL-30226-03 17

Intelligent Wireless Access Gateway Configuration Guide

Configuring the iWAG for 3G Mobile IP Users

Overview of the Intelligent Wireless Access Gateway

Note

SUMMARY STEPS

DETAILED STEPS

Step 1

Step 2

Enabling MCSA is mandatory before you enable the Mobility feature in the Cisco ASR 1000 Series
Aggregation Services Routers.

enable

1.

configure terminal

2.

mcsa

3.

enable sessionmgr

4.

PurposeCommand or Action

Enables the privileged EXEC mode.enable

Enter your password, if prompted.

Example:

Router> enable

Enters the global configuration mode.configure terminal

Example:

Router# configure terminal

Step 3

mcsa

Example:

Router(config)# mcsa

Step 4

Example:

Router(config-mcsa)# enable sessionmgr

Configuring the GTP of the iWAG

This section describes how to configure GTPv1 for the iWAG solution.

Before You Begin

Enable mobile client service abstraction (MCSA).

Enables MCSA on the Cisco ASR 1000 Series Aggregation
Services Router.

Enables MCSA to receive notifications from the Cisco ISG.enable sessionmgr

Intelligent Wireless Access Gateway Configuration Guide

18 OL-30226-03

Overview of the Intelligent Wireless Access Gateway

SUMMARY STEPS

enable

1.

configure terminal

2.

gtp

3.

n3-request number of requests

4.

interval t3-response number of seconds

5.

interval echo-request request-number

6.

interface local GigabitEthernet slot/subslot/port

7.

apn apn-name

8.

ip address ggsn ip-address

9.

default-gw address prefix-len value

10.

dns-server ip-address

11.

dhcp-server ip-address

12.

dhcp-lease seconds

13.

Configuring the iWAG for 3G Mobile IP Users

DETAILED STEPS

Step 1

Example:

Router> enable

Step 2

Example:

Router# configure terminal

Step 3

Step 4

Step 5

gtp

Example:

Router(config)# gtp

n3-request number of requests

Example:

Router(config-gtp)# n3-request 3

interval t3-response number of seconds

Example:

PurposeCommand or Action

Enables the privileged EXEC mode.enable

Enter your password, if prompted.

Enters the global configuration mode.configure terminal

Configures the GTP for the iWAG solution on the Cisco ASR 1000
Series Aggregation Services Router.

Specifies the number of times a control message must be retried
before a failure message is sent. The default value is 5.

Specifies the time interval, in seconds, for which the SGSN of the
iWAG waits for a response for the control message sent. The default
value is 1.

Router(config-gtp)# interval t3-response

10

OL-30226-03 19

Intelligent Wireless Access Gateway Configuration Guide

Configuring the iWAG for 3G Mobile IP Users

Overview of the Intelligent Wireless Access Gateway

PurposeCommand or Action

Step 6

Step 7

Step 8

Step 9

Step 10

Step 11

interval echo-request request-number

Example:

Router(config-gtp)# interval echo-request

60

interface local GigabitEthernet slot/subslot/port

Example:

Router(config-gtp)# interface local
GigabitEthernet 0/0/3

apn apn-name

Example:

Router(config-gtp)# apn example.com

ip address ggsn ip-address

Example:

Router(config-gtp-apn)# ip address ggsn

192.170.10.2

default-gw address prefix-len value

Example:

Router(config-gtp-apn)# default-gw

192.171.10.1 prefix-len 16

dns-server ip-address

Example:

Specifies the time interval, in seconds, for which the SGSN of the
iWAG waits for before sending an echo request message. The range
is from 60 to 65535. The default value is 60. The value of 0 disables
the Echo Request feature.

Configures the transport interface to communicate with the GGSN.

Configures an ASCII regular expression string to be matched against
the Access Point Name (APN) for GPRS load balancing.

Sets the IP address for the GGSN.

Specifies the default gateway address of the subscriber.

Note

This is the default gateway address of the IP provided by
the GGSN using GTP, and not the default gateway address
on the physical local interface that the subscriber is
connected to. They can be the same, but we recommend
that they be two different subnets.

Specifies the Domain Name System (DNS) IP servers that are
available for a DHCP client.

Router(config-gtp-apn)# dns-server

192.165.1.1

Step 12

dhcp-server ip-address

Example:

Router(config-gtp-apn)# dhcp-server

192.168.10.1

Step 13

dhcp-lease seconds

Example:

Router(config-gtp-apn)# dhcp-lease 3000

Intelligent Wireless Access Gateway Configuration Guide

20 OL-30226-03

Specifies the primary and backup DHCP servers that are used to
allocate IP addresses to mobile station users entering a particular
public data network (PDN) access point.

Configures the duration (in seconds) of the lease for an IP address
that is assigned from a Cisco IOS DHCP Server to a DHCP client.

Overview of the Intelligent Wireless Access Gateway

Configuring the iWAG for 4G Mobile IP Users

Configuring PMIPv6 for the iWAG

You must configure PMIPv6 for the iWAG to allow access to mobile IP users.

The tasks listed below describe the procedures involved in configuring the Mobile Access Gateway. For
detailed steps, see the "How to Configure Proxy Mobile IPv6 Support for MAG Functionality" section in the

IP Mobility: PMIPv6 Configuration Guide, Cisco IOS XE Release 3S .

Configuring a Proxy Mobile IPv6 Domain by Using the Configuration from the AAA Server

•

Configuring the Minimum Configuration for a MAG to Function

•

Configuring a Detailed Configuration for a MAG when an AAA Server is not Available

•

Configuring a Minimum Configuration for a MAG

•

Configuring a Detailed Configuration for a MAG

•

Configuring the iWAG for 4G Mobile IP Users

The tasks listed below describe the procedures involved in configuring Local Mobility Anchor. For detailed
steps, see the "How to Configure Proxy Mobile IPv6 Support for LMA Functionality" section in the IP

Mobility: PMIPv6 Configuration Guide, Cisco IOS XE Release 3S .

Configuring a Proxy Mobile IPv6 Domain by Using the Configuration from the AAA Server

•

Configuring a Minimum Configuration for a Domain When an AAA Server Is Not Available

•

Configuring a Detailed Configuration for a Domain When the AAA Server Is Not Available

•

Configuring a Minimum Configuration for an LMA

•

Configuring a Detailed Configuration for an LMA

•

Enabling Mobile Client Service Abstraction

This section describes how to enable Mobile Client Service Abstraction (MCSA) for PMIPv6.

Note

SUMMARY STEPS

Enabling MCSA is mandatory before you enable the Mobility feature in the Cisco ASR 1000 Series
Aggregation Services Routers.

enable

1.

configure terminal

2.

mcsa

3.

enable sessionmgr

4.

OL-30226-03 21

Intelligent Wireless Access Gateway Configuration Guide

Additional References

DETAILED STEPS

Overview of the Intelligent Wireless Access Gateway

PurposeCommand or Action

Step 1

Example:

Router> enable

Step 2

Example:

Router# configure terminal

Step 3

mcsa

Example:

Router(config)# mcsa

Step 4

Example:

Router(config-mcsa)# enable sessionmgr

Additional References

Enables the privileged EXEC mode.enable

Enter your password, if prompted.

Enters the global configuration mode.configure terminal

Enables MCSA on the Cisco ASR 1000 Series Aggregation
Services Router.

Enables MCSA to receive notifications from the Cisco ISG.enable sessionmgr

Related Documents

Cisco IOS commands

ISG concepts, configuration tasks, and examples

ISG commands

iWAG commands

Mobile IP configuration concepts, tasks, and examples

IP Mobility commands

GGSN configuration concepts, tasks, and examples

Document TitleRelated Topic

Cisco IOS Master Command List, All
Releases

ISG Configuration Guide

Cisco IOS Intelligent Services Gateway
Command Reference

Cisco IOS Intelligent Wireless Access
Gateway Command Reference

IP Mobility: PMIPv6 Configuration Guide

Cisco IOS IP Mobility Command Reference

Mobile Wireless GGSN Configuration Guide

Intelligent Wireless Access Gateway Configuration Guide

22 OL-30226-03