
GGSN Basics

Need for GPRS/Class of Handsets


Protocol Links for GPRS
GGSN interfaces
Transmission Plane
Mobility Management-PDP context MS
IPv4 Network Host Brief
IP UDP structure
TCP structure
Router configuration modes
MS GPRS/IMSI attach procedure
Basics GGSN configuration
DNS - Domain Name System
DNS Query Response log
GPRS DNS Query
Configuring Access Point Name
APN Parameters
GGSN IP address allocation
RADIUS features
APN n/w selection flow chart
PDP Context Activation procedure
NSAPI TLLI
TUNNEL ID
GTP protocol structure
Gn/Gp GTP messages

RADIUS Message flow


GGSN RADIUS WAP gateway flow
Create PDP context request log
Create PDP context response log
GTP messages log
RA area update for different SGSN
GPRS GGSN Roaming
GGSN PDP context
Ga Charging CDR
GGSN customization (GTP & GTP')
Concept of Tunnel for Security
Node Network(IPSec) Security
WAP Architecture
GSM a subnet INTERNET
GGSN Summary

Why GPRS ?

General Packet Radio Service

Protocol Links for GPRS

[Architecture diagram, reduced to its labels]
GPRS MS: a TE (laptop) attached to the handset over Bluetooth, IR or a serial cable; air interface Um towards the BSS
BSS: BTS and BSC with PCU; A interface (SS7, circuit switching) to the MSC/VLR; Gb interface (Frame Relay over an E1 link) to the SGSN
Circuit-switched core: MSC/VLR, HLR, AUC, SMSC and the PSTN; the SGSN reaches the HLR over Gr (SS7)
Packet-switched core (the GSNs): SGSN and GGSN joined by GTP over the IP backbone (Gn); NMS and DNS sit on the backbone; the Charging Gateway (CG) is reached over GTP
Gp: a Border Gateway (BGP) and a firewall towards other GPRS networks, with GTP carried across a VPN between the PLMNs
Gi: the GGSN connects to the Internet and, through a router with an access policy and a firewall, to corporate networks / intranets (the private network)
GGSN interfaces

GPRS Transmission Plane

[Protocol stack diagram, reduced to its labels]
MS: WAP / HTTP-XML application over IP (or X.25) | SNDCP | LLC | RLC | MAC | GSM RF
BSS: RLC | MAC | GSM RF on the Um side; BSSGP | Network Service | L1 bis on the Gb side
SGSN: SNDCP | LLC | BSSGP | Network Service | L1 bis on the Gb side; GTP | TCP/UDP | IP | Layer 2 | Layer 1 on the Gn side
GGSN: GTP | TCP/UDP | IP | Layer 2 | Layer 1 on the Gn side; IP / X.25 towards the PDN on the Gi side
Identifiers carried per layer: NSAPI (assigned during PDP context activation) at SNDCP; TLLI (derived from the IMSI / P-TMSI) at LLC; TFI (identifying the TBF) at RLC/MAC; BVCI (cell ID), NSVCI and DLCI at BSSGP / Network Service; TID (NSAPI + IMSI) at GTP
Interfaces: Um (MS-BSS), Gb (BSS-SGSN), Gn (SGSN-GGSN), Gi (GGSN-PDN)
Mobility Management

Functions
Attach/Detach (towards SGSN/HLR)
  Makes the MS available for SMS over GPRS
  Paging via the SGSN
  Notification of incoming packets
PDP Context Activation/Deactivation
  Associates the MS with a GGSN
  Obtains a PDP address (e.g. an IP address)

[State diagram, kept in step on the MOBILE and on the SGSN, reduced to text]
IDLE
  The SGSN does not know the location of the mobile
  No PDP context is activated
  No network address (IP) is registered for the terminal
  No routing of external data is possible
  GPRS Attach -> READY
STANDBY
  The SGSN tracks the mobile at Routing Area level
  When downlink data is available, a packet paging message is sent to the routing area
  On receiving it, the MS reports its cell to the SGSN and enters the READY state
  PDU transmission or PDU reception -> READY
  Mobile Reachable timer expiry -> IDLE
READY
  The SGSN knows the cell of the MS
  PDP contexts can be activated and deactivated
  The MS may remain in this state even when no data is transmitted (controlled by the READY timer)
  READY timer expiry -> STANDBY
  GPRS Detach -> IDLE
PDP Contexts
Packet Data Protocol (PDP)
Session
Logical tunnel between MS and GGSN
Anchors SGSN & GGSN for session
PDP activities
Activation
Modification
Deactivation

IP Address Classes

[Slide figures: the IP address as a 32-bit binary number; number of hosts for each class of IP address]

IP, UDP and TCP header structures

[Slide figures of the IP, UDP and TCP headers]

Different Router Modes

Mode                        Prompt                   Entered with
User EXEC Mode              Router>                  (login)
Privileged EXEC Mode        Router#                  Router>enable
Global Configuration Mode   Router(config)#          Router#config term
Interface configuration     Router(config-if)#       interface ... (from global configuration mode)
Line configuration          Router(config-line)#     line ... (from global configuration mode)
Router configuration        Router(config-router)#   router ... (from global configuration mode)
Access-list mode            Router(access-list)#     (from global configuration mode)

Exit returns one level up; Ctrl-Z (or end) returns from any configuration mode to privileged EXEC mode.

The GGSN requires a logical interface called a virtual template to be configured.

A virtual template interface is a logical entity (a configuration for an interface that is not tied to any physical interface) that can be applied dynamically as needed to set up the connections between the GGSN and the SGSN, and between the GGSN and the PDNs.

DNS - Domain Name System

DNS Message Format


HEADER
QUESTIONS
ANSWERS (Resource Records)
AUTHORITY (Resource Records)
ADDITIONAL (Resource Records)

DNS response
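The GPRS DNS query the SGSN makes is an ordinary DNS A query for the APN name, formed from the APN network identifier and an operator identifier of the form mnc<3 digits>.mcc<3 digits>.gprs (the 3GPP TS 23.003 rule); the answer is the GGSN address. The following is an added example, not code from the original deck: it builds such a query in the HEADER / QUESTION layout shown above, and parses a constructed response (the APN, MCC/MNC and the 10.10.1.5 answer are made-up values), checking the transaction ID, the QR bit, the RCODE and that the question echoes the name asked for before trusting the A record.

```python
import struct


def apn_fqdn(apn_ni: str, mcc: str, mnc: str) -> str:
    """Name the SGSN resolves for an APN: <APN-NI>.mnc<MNC>.mcc<MCC>.gprs."""
    return f"{apn_ni}.mnc{int(mnc):03d}.mcc{int(mcc):03d}.gprs"


def encode_name(name: str) -> bytes:
    """Wire form of a domain name: length-prefixed labels, zero terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    # HEADER: id, flags (RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QUESTION: QNAME, QTYPE=A (1), QCLASS=IN (1)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, 0, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes, expected_id: int, expected_name: str):
    """Return the IPv4 A records answering expected_name, or raise on a bad reply."""
    if len(msg) < 12:
        raise ValueError("DNS message too short")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        if qname.lower() != expected_name.lower():
            raise ValueError("question does not match the query we sent")
        off += 4                                  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if (rtype, rclass, rdlen) == (1, 1, 4) and name.lower() == expected_name.lower():
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def sample_response(txid: int) -> bytes:
    """Constructed reply: one A record 10.10.1.5 for internet.mnc001.mcc234.gprs,
    with the answer name given as a pointer (0xC00C) to the question."""
    name = apn_fqdn("internet", "234", "1")
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 10, 1, 5])
    return hdr + question + answer


if __name__ == "__main__":
    name = apn_fqdn("internet", "234", "1")
    print(name, build_query(name, 0x1234).hex())
    print(parse_response(sample_response(0x1234), 0x1234, name))
```

The transaction-ID and question checks are what keep a resolver from accepting a spoofed answer for some other name; a real SGSN resolver would additionally randomise the ID and source port.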

APN Parameters

GGSN IP address allocation: the GGSN can use the Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to mobile station users who need access to a PDN (Packet Data Network). It can use the local DHCP service within Cisco IOS Software, or it can be configured to use an external DHCP server.

Remote Authentication Dial-In User Service

The GGSN uses the RADIUS server configured for a particular access point to authenticate mobile users before giving them access to the PDN. RADIUS provides the AAA functions (Authentication, Authorization and Accounting) for mobile user access; every exchange is protected by a shared secret configured on both the GGSN and the RADIUS server.
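The shared secret is what makes the RADIUS exchange between the GGSN and the server trustworthy: it hides the User-Password attribute in the Access-Request and it is mixed into the Response Authenticator of every Access-Accept / Access-Reject, so a reply forged without it does not verify. The following is an added example (not code from the deck or from Cisco IOS) implementing those two RFC 2865 mechanisms; the secret, user name and fixed Request Authenticator are constructed demo values, and a real client must draw the Request Authenticator from a secure random source.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 octets, then XOR
    each block with MD5(secret + previous block); the first "previous block" is
    the 16-octet Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; only a peer holding the secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_access_request(ident: int, request_auth: bytes, user: bytes, password: bytes, secret: bytes) -> bytes:
    attrs = attribute(ATTR_USER_NAME, user) + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the GGSN (the NAS) must do with every Access-Accept/Reject: recompute
    the Response Authenticator with its own copy of the secret. A reply forged by
    someone who lacks the secret, or a reply bound to a different request
    (different Request Authenticator), fails this check."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


# Constructed demo values (a real Request Authenticator is 16 random octets)
SECRET = b"example-shared-key"
REQUEST_AUTH = bytes(range(16))

if __name__ == "__main__":
    req = build_access_request(7, REQUEST_AUTH, b"user@internet", b"correct horse battery", SECRET)
    print("Access-Request:", req.hex())
    accept = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET)
    print("accept verifies:", verify_response(accept, REQUEST_AUTH, SECRET))
    print("with wrong secret:", verify_response(accept, REQUEST_AUTH, b"wrong"))
```

Note what the check does not give you: the password hiding is an MD5 stream, not encryption with a modern cipher, and the whole scheme stands or falls on the secret, so the `radius-server key` on the GGSN must be long, random and unique to that server pair.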

APN Flow diagram

Tunnel ID creation

An IP address is a logical address, not a hardware address; in the same way the PDP address given to a subscriber is mapped to the IMSI (or MSISDN) of the SIM card in the MS rather than to the handset.

The TID identifies one PDP context tunnel between the SGSN and the GGSN; in GTP v0 it is built from the IMSI and the NSAPI of that context. Its purpose is the same as that of IP addressing: to let a host communicate with a host on a different network, e.g. the Internet or another PLMN.

GTP v0: UDP port 3386 carries both GPRS signalling and user data
GTP v1: UDP port 2123 for GTP-C (signalling), UDP port 2152 for GTP-U (user data)

Gn /Gp GTP Messages

Signalling Plane
Tunnel Management messages
Create PDP Context Request
Create PDP Context Response
Update PDP Context Request
Update PDP Context Response
Delete PDP Context Request
Delete PDP Context Response
Error Indication
PDU Notification Request
PDU Notification Response
PDU Notification Reject Request
PDU Notification Reject Response

Mobility Management messages


Identification Request
Identification Response
SGSN Context Request
SGSN Context Response
SGSN Context Acknowledge

Information elements
Cause
International Mobile Subscriber Identity (IMSI)
Temporary Logical Link Identity (TLLI)
Quality of Service (QoS) Profile
PDP Context
Access Point Name
MS International PSTN/ISDN Number (MSISDN)
Charging ID
End User Address
Protocol Configuration Options
GSN Address
Charging Gateway

Transmission Plane
Protocol Stack
Usage of the GTP Header
Usage of the Sequence Number
Tunnelling between SGSN and GGSN

Path Protocols
UDP /IP
UDP Header
Signalling request messages
Signalling response messages
Encapsulated T-PDUs
IP Header
TCP Header

Error handling
Protocol errors
Different GTP version
GTP Message too short
Unknown GTP signalling message
Unexpected GTP signalling message
Missing mandatorily present information element
Invalid Length
Invalid mandatory information element
Invalid optional information element
Unknown information element
Out of sequence information elements
Unexpected information element
Repeated information elements
Incorrect optional information elements
Path failure
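The protocol-error list above is what a GGSN (or a GTP-aware firewall on Gp) has to decide for every datagram before acting on it. The following added example, not code from the deck, parses the GTP v1 header (version, PT, E/S/PN flags, message type, length, TEID, the optional sequence number and extension headers) and raises the matching error for a wrong version, a too-short message, an invalid length, an unknown message type, or a message that is unexpected on the port it arrived on (a G-PDU on the GTP-C port, or a signalling message on the GTP-U port). The message type values are the GTP v1 ones; the sample datagrams are constructed.

```python
import struct

GTPC_PORT, GTPU_PORT, GTPV0_PORT = 2123, 2152, 3386

# GTP v1 message type values for the messages listed above (plus the path
# management ones they depend on)
MESSAGE_TYPES = {
    1: "Echo Request", 2: "Echo Response", 3: "Version Not Supported",
    16: "Create PDP Context Request", 17: "Create PDP Context Response",
    18: "Update PDP Context Request", 19: "Update PDP Context Response",
    20: "Delete PDP Context Request", 21: "Delete PDP Context Response",
    26: "Error Indication",
    27: "PDU Notification Request", 28: "PDU Notification Response",
    29: "PDU Notification Reject Request", 30: "PDU Notification Reject Response",
    31: "Supported Extension Headers Notification",
    48: "Identification Request", 49: "Identification Response",
    50: "SGSN Context Request", 51: "SGSN Context Response", 52: "SGSN Context Acknowledge",
    255: "G-PDU",
}
# The only messages that belong on the GTP-U port
GTPU_ALLOWED = {1, 2, 26, 31, 255}


class GTPError(ValueError):
    """Raised with one of the protocol-error reasons from the list above."""


def parse_gtpv1(pkt: bytes, udp_port: int) -> dict:
    if len(pkt) < 8:
        raise GTPError("GTP message too short")
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    version = flags >> 5
    if version != 1:
        raise GTPError(f"different GTP version: {version}")
    protocol_type = (flags >> 4) & 1                    # 1 = GTP, 0 = GTP'
    e_flag, s_flag, pn_flag = (flags >> 2) & 1, (flags >> 1) & 1, flags & 1
    teid = struct.unpack("!I", pkt[4:8])[0]
    if length != len(pkt) - 8:                          # length excludes the 8 mandatory octets
        raise GTPError("invalid length")
    off, seq, npdu = 8, None, None
    if e_flag or s_flag or pn_flag:
        # the optional 4 octets are all present when any of E, S, PN is set
        if len(pkt) < 12:
            raise GTPError("GTP message too short")
        seq_raw, npdu_raw, next_ext = struct.unpack("!HBB", pkt[8:12])
        seq = seq_raw if s_flag else None
        npdu = npdu_raw if pn_flag else None
        off = 12
        while e_flag and next_ext != 0:
            # extension header: length in 4-octet units, content, next extension type
            ext_len = pkt[off] * 4 if off < len(pkt) else 0
            if ext_len == 0 or off + ext_len > len(pkt):
                raise GTPError("invalid length")
            next_ext = pkt[off + ext_len - 1]
            off += ext_len
    name = MESSAGE_TYPES.get(msg_type)
    if name is None:
        raise GTPError(f"unknown GTP signalling message: {msg_type}")
    if udp_port == GTPU_PORT and msg_type not in GTPU_ALLOWED:
        raise GTPError(f"unexpected GTP signalling message on GTP-U port: {name}")
    if udp_port == GTPC_PORT and msg_type == 255:
        raise GTPError("unexpected G-PDU on GTP-C port")
    return {"version": version, "protocol_type": protocol_type, "type": msg_type,
            "message": name, "teid": teid, "sequence": seq, "n_pdu": npdu,
            "payload": pkt[off:]}


def classify(pkt: bytes, udp_port: int):
    """Logging helper: ('ok', message name) or ('error', reason)."""
    try:
        return "ok", parse_gtpv1(pkt, udp_port)["message"]
    except GTPError as err:
        return "error", str(err)


# Constructed sample datagrams
ECHO_REQUEST = bytes.fromhex("32010004" "00000000" "00010000")          # v1, S=1, seq 1, TEID 0
GPDU = bytes.fromhex("30ff0014" "12345678") + b"\x45" + bytes(19)        # v1, TEID 0x12345678, 20-octet payload
GPDU_EXT = bytes.fromhex("34ff000c" "12345678" "000000c0" "01000100") + b"\xde\xad\xbe\xef"  # E=1, one extension header
GTPV0_ECHO = bytes.fromhex("1e010000") + bytes(16)                       # v0 header (20 octets)

if __name__ == "__main__":
    for label, pkt, port in [("echo/C", ECHO_REQUEST, GTPC_PORT), ("gpdu/U", GPDU, GTPU_PORT),
                             ("gpdu+ext/U", GPDU_EXT, GTPU_PORT), ("gpdu/C", GPDU, GTPC_PORT),
                             ("v0", GTPV0_ECHO, GTPV0_PORT), ("short", ECHO_REQUEST[:6], GTPC_PORT)]:
        print(label, classify(pkt, port))
```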

GGSN RADIUS gateway WAP flow

[Message flow figure, reduced to its labels: Data Record Transfer Response (Ga), T-PDU (user data carried in GTP-U), Delete PDP Context Request, Delete PDP Context Response]
GPRS Roaming

GGSN MM Records

Ga interface GTP' protocol CDR overview

[Figure reduced to text] The MS has a mobility management context at the SGSN and a PDP context, with its unique tunnel ID, running through the SGSN to the GGSN and on to the ISP. The SGSN produces M-CDRs (per MM context) and S-CDRs (per PDP context); the GGSN produces G-CDRs. All of them are delivered to the Charging Gateway (CG) over the Ga interface.

gprs default charging-gateway ip-address-or-name (primary) [ip-address-or-name (secondary)]

GGSN customization

GTP
gprs maximum-pdp-context-allowed: the maximum number of PDP contexts (mobile sessions) that can be active on the GGSN at once
gprs gtp path-echo-interval: the number of seconds the GGSN waits between Echo Requests sent to detect GTP path failure
gprs gtp n3-requests: the maximum number of times the GGSN sends a signaling request (counting the first transmission) before giving up
gprs gtp t3-response: the number of seconds the GGSN waits for a response to a signaling request before retransmitting it
gprs idle-pdp-context purge-timer: the time the GGSN waits before purging idle mobile sessions

Charging Gateway
gprs charging transfer interval: the number of seconds the GGSN waits before transferring accumulated charging data to the charging gateway
gprs charging cdr-aggregation-limit: the maximum number of call detail records (CDRs) the GGSN aggregates into one charging data transfer message to a charging gateway
gprs charging cg-path-requests: the number of minutes the GGSN waits before trying again to establish the TCP/UDP path to the charging gateway, when TCP/UDP is the configured path protocol
gprs charging cdr-option node-id: includes the node ID field in the CDRs the GGSN generates
gprs charging cdr-option local-record-sequence-number: includes the local record sequence number field in the CDRs generated on the GGSN
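The three GTP timers above (path-echo-interval, n3-requests, t3-response) together define how quickly the GGSN notices that an SGSN has gone away and tears down the PDP contexts anchored on that path. The following is an added example, not Cisco code, of that path supervision logic with a fake clock so it can be driven deterministically: an Echo Request goes out every echo interval, is retransmitted each time T3 expires without a matching Echo Response, and after N3 transmissions the path is declared down. Responses are matched on peer and sequence number, so a stale or unsolicited Echo Response does not reset the counters. Peer name and timer values are constructed.

```python
class GtpPathMonitor:
    """Per-peer GTP path supervision driven by path-echo-interval, n3-requests
    and t3-response. `send` is a callable(peer, seq) that transmits an Echo
    Request; the current time is passed into every call."""

    def __init__(self, send, echo_interval=60.0, n3_requests=5, t3_response=1.0):
        self.send = send
        self.echo_interval, self.n3, self.t3 = echo_interval, n3_requests, t3_response
        self.peers = {}

    def add_peer(self, peer, now):
        self.peers[peer] = {"state": "up", "seq": 0, "attempts": 0,
                            "outstanding": None, "deadline": now + self.echo_interval}

    def state(self, peer):
        return self.peers[peer]["state"]

    def _send_echo(self, peer, p, now):
        p["seq"] = (p["seq"] + 1) & 0xFFFF
        p["outstanding"] = p["seq"]
        p["attempts"] += 1
        p["deadline"] = now + self.t3            # wait T3-RESPONSE for the answer
        self.send(peer, p["seq"])

    def tick(self, now):
        """Call periodically. Sends the next Echo Request when the echo interval or
        T3 expires; after N3 unanswered transmissions the path is declared down."""
        for peer, p in self.peers.items():
            if p["state"] == "down" or now < p["deadline"]:
                continue
            if p["outstanding"] is not None and p["attempts"] >= self.n3:
                p["state"], p["outstanding"] = "down", None
                continue
            self._send_echo(peer, p, now)

    def on_echo_response(self, peer, seq, now):
        """Accept only a response matching the outstanding sequence number from a
        known, live peer; anything else is stale or unsolicited and is ignored."""
        p = self.peers.get(peer)
        if p is None or p["state"] == "down" or p["outstanding"] != seq:
            return False
        p["outstanding"], p["attempts"] = None, 0
        p["deadline"] = now + self.echo_interval
        return True


def simulate(peer_answers, echo_interval=60.0, n3_requests=5, t3_response=1.0):
    """Drive one peer with a 1 s tick. peer_answers(seq) -> True when the peer
    replies to that Echo Request. Returns (final_state, echo_requests_sent)."""
    sent = []
    mon = GtpPathMonitor(lambda peer, seq: sent.append(seq), echo_interval, n3_requests, t3_response)
    mon.add_peer("sgsn1", 0.0)
    t = 0.0
    while t <= echo_interval + n3_requests * t3_response + 1:
        mon.tick(t)
        if sent and mon.peers["sgsn1"]["outstanding"] == sent[-1] and peer_answers(sent[-1]):
            mon.on_echo_response("sgsn1", sent[-1], t)
        t += 1.0
    return mon.state("sgsn1"), len(sent)


if __name__ == "__main__":
    print("silent peer:    ", simulate(lambda seq: False))      # ('down', 5)
    print("healthy peer:   ", simulate(lambda seq: True))       # ('up', 1)
    print("flaky peer:     ", simulate(lambda seq: seq >= 3))   # ('up', 3)
```

With the defaults, a dead SGSN is detected roughly echo_interval + N3 x T3 seconds after its last response; shortening the timers finds failures sooner at the cost of more signalling and more false positives on a lossy backbone.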

GGSN parameters and statistics

Routes (slide table; the addresses were masked as _._._._ in the original)
Tunnel ID | IP address | Source IP | Destination IP
0         | _._._._/_  | _._._._   | _._._._
1         | _._._._/_  | _._._._   | _._._._

GPRS Network: Virtual Template

Network Security

User name and password
  Secret password encryption: the password is stored as an MD5 hash instead of in plain text, so neither the user name nor the password is displayed in clear in the configuration (applies to console, auxiliary and Telnet access).
AAA (authentication, authorization, accounting) using a RADIUS (Remote Authentication Dial-In User Service) server
  auth-port: specifies the UDP destination port for authentication requests
  acct-port: specifies the UDP destination port for accounting requests
  radius-server key string: specifies the shared secret used to authenticate and obfuscate traffic between the GGSN and the RADIUS daemon; it must match on both ends and should be handled as a credential
Access policy
  Standard access list: permits or denies a particular host or network by source address
  Extended access list: adds protocol-specific matching (protocol, destination, ports) to the per-host/network permit or deny policy
  Route-map policy
Traffic tunnelling
  VPN creation using a source and destination tunnel, with a unique network (address range) for each APN
  VLAN policy on the Layer 3 switch facing the GGSN interface, so that no other traffic can reach the private network

IPSec Network Security

IP Security Protocol (IPSec)

IPSec is configured between the GGSN and the peer router on the PDN to give the traffic between them peer authentication, confidentiality (encryption) and integrity. The steps below follow the Cisco IOS configuration sequence.

Configuring an IKE (Internet Key Exchange) Policy (Required)
crypto isakmp policy priority (enters config-isakmp mode)
  encryption algorithm * des (56-bit Data Encryption Standard in Cipher Block Chaining mode) | 3des (168-bit Triple DES)
  hash algorithm * sha (Secure Hash Algorithm) | md5 (Message Digest 5)
  authentication method * rsa-sig | rsa-encr | pre-share
  Diffie-Hellman group identifier * 768-bit (group 1) or 1024-bit (group 2)
  Of the choices on this slide, prefer 3des, sha and the 1024-bit group; single DES, MD5 and the 768-bit group are obsolete and give no real protection against a capable attacker today.
Configuring Pre-Shared Keys (Required when pre-share authentication is configured)
crypto isakmp key keystring address peer-address
or
crypto isakmp key keystring hostname peer-hostname
(the key is a shared secret: it must match on both peers and should be long, random and unique per peer)
Configuring Transform Sets (Optional)
A transform set is the combination of security protocols and algorithms used to protect a particular data flow; it is agreed during the IPSec security association negotiation.
Transform set * crypto ipsec transform-set transform-set-name transform1 (enters crypto transform configuration mode)
Encapsulation of the IP packet * mode [tunnel | transport]

Configuring Crypto Map Entries that Use IKE to Establish Security Associations (Optional)
**A crypto map entry defines the settings for IPSec peer negotiation.
crypto map map-name seq-num ipsec-isakmp (enters crypto map configuration mode)
match address access-list-id
(the traffic to be protected by IPSec)
set peer {hostname | ip-address}
(the remote IPSec peer)
set transform-set transform-set-name
(the transform set to negotiate with that peer)

WAP access via GGSN

GGSN Summary
