GigaSMART GTP Whitelisting and GTP Flow Sampling Examples
GTP whitelisting selects specific subscribers based on IMSI. The whitelist contains up to 500,000 subscriber IMSIs. For subscribers in the whitelist, 100% of their traffic is always sent to a specified tool port.
For example, when a subscriber session comes in, GTP whitelisting checks the IMSI of the subscriber. If the incoming IMSI matches an IMSI in the whitelist, the session is sent to the tool port or load balancing group specified in the whitelist map.
GTP flow sampling samples a configured percentage of GTP sessions. GTP flow sampling uses map rules to select subscribers and then forward a percentage of the packets to tool ports.
Pass rules are defined in flow sampling maps. Each rule contains some combination of IMSI, IMEI, and MSISDN numbers or patterns, Evolved Packet Core (EPC) interface type, GTP version, Access Point Name (APN), or QoS Class Identifier (QCI), as well as a percentage to sample. Each flow is checked to see if it matches a rule. For each rule, the configured percentage of the subscriber sessions matching that rule is selected.
Refer to the “GigaSMART GTP Whitelisting and GTP Flow Sampling” section in the GigaVUE Fabric Management Guide for detailed information.
Refer to the following examples:
Example 1: GigaSMART GTP Whitelisting
Example 2: GigaSMART GTP Whitelisting with Multiple Maps
Example 3: GigaSMART GTP Flow Sampling
Example 4: GigaSMART GTP Whitelisting, GigaSMART GTP Flow Sampling, and GigaSMART Load Balancing
Example 5: GigaSMART GTP Flow Sampling with Multiple Maps
Example 6: GigaSMART GTP Load Balancing in a Cluster
Example 7: APN for GigaSMART GTP Whitelisting, APN and QCI for GigaSMART GTP Flow Sampling
For details on the CLI commands used in the following examples, refer to the following sections in the CLI reference section:
apps gtp-whitelist
gsgroup
gsop
gsparams
map
port-group
vport
Example 1: GigaSMART GTP Whitelisting
Example 1 is a GTP whitelisting configuration example. Traffic from network ports goes to the three first level maps (GTP-Control, GTP-User, and Fragments-Not-First) and then to the virtual port (vport1). If there is a match to an IMSI in the whitelist (MyIMSIs), it is forwarded to a port.
Step 1. Configure a GigaSMART group and associate it with a GigaSMART engine port.

    (config) # gsgroup alias gsg1 port-list 10/7/e1

Step 2. Create a virtual port.

    (config) # vport alias vport1 gsgroup gsg1

Step 3. Create the GTP whitelist.

    (config) # apps gtp-whitelist alias MyIMSIs create

Step 4. Fetch whitelist files from a specified location to populate the GTP whitelist.

    (config) # apps gtp-whitelist alias MyIMSIs fetch add http://10.1.1.100/tftpboot/myfiles/MyIMSIs_file1.txt
    (config) # apps gtp-whitelist alias MyIMSIs fetch add http://10.1.1.100/tftpboot/myfiles/MyIMSIs_file2.txt

Step 5. Associate the GigaSMART group to the GTP whitelist.

    (config) # gsparams gsgroup gsg1 gtp-whitelist add MyIMSIs

Step 6. Configure the GigaSMART operation for GTP whitelisting.

    (config) # gsop alias gtp-whitelist flow-ops gtp-whitelist lb app gtp metric hashing key imsi port-list gsg1

Step 7. Configure three first level maps. Note: In the rules, 2123 is GTP-c traffic and 2152 is GTP-u traffic.

    (config) # map alias GTP-Control
    (config map alias GTP-Control) # type firstLevel byRule
    (config map alias GTP-Control) # roles replace admin to owner_roles
    (config map alias GTP-Control) # rule add pass portdst 2123 bidir
    (config map alias GTP-Control) # to vport1
    (config map alias GTP-Control) # from 8/1/x40,8/1/x6
    (config map alias GTP-Control) # exit
    (config) #
    (config) # map alias GTP-User
    (config map alias GTP-User) # type firstLevel byRule
    (config map alias GTP-User) # roles replace admin to owner_roles
    (config map alias GTP-User) # rule add pass portdst 2152 bidir
    (config map alias GTP-User) # to vport1
    (config map alias GTP-User) # from 8/1/x40,8/1/x6
    (config map alias GTP-User) # exit
    (config) #
    (config) # map alias Fragments-Not-First
    (config map alias Fragments-Not-First) # type firstLevel byRule
    (config map alias Fragments-Not-First) # roles replace admin to owner_roles
    (config map alias Fragments-Not-First) # rule add pass ipfrag all-frag-no-first
    (config map alias Fragments-Not-First) # to vport1
    (config map alias Fragments-Not-First) # from 8/1/x40,8/1/x6
    (config map alias Fragments-Not-First) # exit
    (config) #

Step 8. Configure a second level map for GTP whitelisting, the whitelist map. If there is a match to an IMSI in the whitelist (MyIMSIs), it is forwarded to a port.

    (config) # map alias GTP-Whitelist
    (config map alias GTP-Whitelist) # type secondLevel flowWhitelist
    (config map alias GTP-Whitelist) # roles replace admin to owner_roles
    (config map alias GTP-Whitelist) # use gsop gtp-whitelist
    (config map alias GTP-Whitelist) # to 10/5/x17
    (config map alias GTP-Whitelist) # from vport1
    (config map alias GTP-Whitelist) # exit
    (config) #
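
Added example (not Gigamon code): a check that can be run on the whitelist files before they are published for the fetch step above, since whitelist membership decides which subscribers have 100% of their traffic forwarded. It assumes the files hold one IMSI per line, which this page does not state; the 500,000-entry capacity is the figure given above, and the sample file contents are constructed.

```python
import re

WHITELIST_CAPACITY = 500_000  # whitelist capacity stated on this page
# An IMSI is digits only and at most 15 long (ITU-T E.212).
# The lower bound of 6 is a sanity floor chosen for this example.
IMSI_RE = re.compile(r"[0-9]{6,15}")

# Constructed sample contents for the two files fetched in Example 1.
# Assumption: one IMSI per line.
SAMPLE_FILES = {
    "MyIMSIs_file1.txt": "318260109318283\n318260109318284\n\n31826010931828X\n",
    "MyIMSIs_file2.txt": "318260109318285\r\n318260109318283\r\n3182601093182860\r\n",
}


def check_whitelist_files(files, capacity=WHITELIST_CAPACITY):
    """Validate IMSI files that will be merged into one whitelist.

    files maps a file name to its text. Returns a report with the number of
    unique IMSIs, malformed entries, cross-file duplicates and whether the
    merged list fits the whitelist capacity.
    """
    seen = {}        # imsi -> (file, line) of first occurrence
    malformed = []   # (file, line, entry)
    duplicates = []  # (file, line, imsi, (first_file, first_line))
    for name, text in files.items():
        for lineno, raw in enumerate(text.splitlines(), start=1):
            # Tolerate CRLF endings, stray spaces and a UTF-8 byte order mark.
            entry = raw.strip().lstrip("\ufeff")
            if not entry:
                continue
            if not IMSI_RE.fullmatch(entry):
                malformed.append((name, lineno, entry))
            elif entry in seen:
                duplicates.append((name, lineno, entry, seen[entry]))
            else:
                seen[entry] = (name, lineno)
    return {
        "unique": len(seen),
        "malformed": malformed,
        "duplicates": duplicates,
        "over_capacity_by": max(0, len(seen) - capacity),
        "ok": not malformed and len(seen) <= capacity,
    }


if __name__ == "__main__":
    report = check_whitelist_files(SAMPLE_FILES)
    print("unique IMSIs:", report["unique"])
    for name, lineno, entry in report["malformed"]:
        print(f"malformed  {name}:{lineno}: {entry!r}")
    for name, lineno, imsi, first in report["duplicates"]:
        print(f"duplicate  {name}:{lineno}: {imsi} (first at {first[0]}:{first[1]})")
    print("ready to publish:", report["ok"])
```
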
Example 2: GigaSMART GTP Whitelisting with Multiple Maps
Example 2 is a GTP whitelisting configuration example that includes multiple GTP whitelisting maps, which provide a more granular selection of tool ports.
Traffic from network ports goes to the three first level maps (GTP-Control, GTP-User, and Fragments-Not-First) and then to the virtual port (vport1). Two whitelist maps are configured. The first map specifies a rule for version 1 traffic. The second map specifies a rule for version 2 traffic.
Step 1. Configure a GigaSMART group and associate it with a GigaSMART engine port.

    (config) # gsgroup alias gsg1 port-list 10/7/e1

Step 2. Create a virtual port.

    (config) # vport alias vport1 gsgroup gsg1

Step 3. Create the GTP whitelist.

    (config) # apps gtp-whitelist alias MyIMSIs create

Step 4. Fetch whitelist files from a specified location to populate the GTP whitelist.

    (config) # apps gtp-whitelist alias MyIMSIs fetch add http://10.1.1.100/tftpboot/myfiles/MyIMSIs_file1.txt
    (config) # apps gtp-whitelist alias MyIMSIs fetch add http://10.1.1.100/tftpboot/myfiles/MyIMSIs_file2.txt

Step 5. Associate the GigaSMART group to the GTP whitelist.

    (config) # gsparams gsgroup gsg1 gtp-whitelist add MyIMSIs

Step 6. Configure the GigaSMART operation for GTP whitelisting.

    (config) # gsop alias gtp-whitelist flow-ops gtp-whitelist lb app gtp metric hashing key imsi port-list gsg1

Step 7. Configure three first level maps. Note: In the rules, 2123 is GTP-c traffic and 2152 is GTP-u traffic.

    (config) # map alias GTP-Control
    (config map alias GTP-Control) # type firstLevel byRule
    (config map alias GTP-Control) # roles replace admin to owner_roles
    (config map alias GTP-Control) # rule add pass portdst 2123 bidir
    (config map alias GTP-Control) # to vport1
    (config map alias GTP-Control) # from 8/1/x40,8/1/x6
    (config map alias GTP-Control) # exit
    (config) #
    (config) # map alias GTP-User
    (config map alias GTP-User) # type firstLevel byRule
    (config map alias GTP-User) # roles replace admin to owner_roles
    (config map alias GTP-User) # rule add pass portdst 2152 bidir
    (config map alias GTP-User) # to vport1
    (config map alias GTP-User) # from 8/1/x40,8/1/x6
    (config map alias GTP-User) # exit
    (config) #
    (config) # map alias Fragments-Not-First
    (config map alias Fragments-Not-First) # type firstLevel byRule
    (config map alias Fragments-Not-First) # roles replace admin to owner_roles
    (config map alias Fragments-Not-First) # rule add pass ipfrag all-frag-no-first
    (config map alias Fragments-Not-First) # to vport1
    (config map alias Fragments-Not-First) # from 8/1/x40,8/1/x6
    (config map alias Fragments-Not-First) # exit
    (config) #

Step 8. Configure one second level map for GTP whitelisting, the first whitelist map. If there is a match to version 1 and if the IMSI is present in the whitelist (MyIMSIs), it is forwarded to the specified port.

    (config) # map alias GTP-Whitelist_v1
    (config map alias GTP-Whitelist_v1) # type secondLevel flowWhitelist
    (config map alias GTP-Whitelist_v1) # roles replace admin to owner_roles
    (config map alias GTP-Whitelist_v1) # use gsop gtp-whitelist
    (config map alias GTP-Whitelist_v1) # to 1/2/x23
    (config map alias GTP-Whitelist_v1) # from vport1
    (config map alias GTP-Whitelist_v1) # whitelist add gtp version 1
    (config map alias GTP-Whitelist_v1) # exit
    (config) #

Step 9. Configure another second level map for GTP whitelisting, the second whitelist map. If there is a match to version 2 and if the IMSI is present in the whitelist (MyIMSIs), it is forwarded to the specified port.

    (config) # map alias GTP-Whitelist_v2
    (config map alias GTP-Whitelist_v2) # type secondLevel flowWhitelist
    (config map alias GTP-Whitelist_v2) # roles replace admin to owner_roles
    (config map alias GTP-Whitelist_v2) # use gsop gtp-whitelist
    (config map alias GTP-Whitelist_v2) # to 1/2/x24
    (config map alias GTP-Whitelist_v2) # from vport1
    (config map alias GTP-Whitelist_v2) # whitelist add gtp version 2
    (config map alias GTP-Whitelist_v2) # exit
    (config) #
Example 3: GigaSMART GTP Flow Sampling
Example 3 is a GTP flow sampling configuration example. Traffic from network ports goes to the three first level maps (GTP-Control, GTP-User, and Fragments-Not-First) and then to the virtual port (vport1). The traffic flow is sampled based on the rules in one flow sampling map (GTP-Sample-01). The flow sampling rules specify IMSI, IMEI, and MSISDN numbers, as well as the percentage to sample. Packets are then accepted or rejected. Accepted packets are forwarded to a port. Rejected packets are dropped. Packets that do not match a rule will be passed to subsequent maps.
Step 1. Configure a GigaSMART group and associate it with a GigaSMART engine port.

    (config) # gsgroup alias gsg1 port-list 10/7/e1

Step 2. Create a virtual port.

    (config) # vport alias vport1 gsgroup gsg1

Step 3. Configure three first level maps. Note: In the rules, 2123 is GTP-c traffic and 2152 is GTP-u traffic.

    (config) # map alias GTP-Control
    (config map alias GTP-Control) # type firstLevel byRule
    (config map alias GTP-Control) # roles replace admin to owner_roles
    (config map alias GTP-Control) # rule add pass portdst 2123 bidir
    (config map alias GTP-Control) # to vport1
    (config map alias GTP-Control) # from 8/1/x40,8/1/x6
    (config map alias GTP-Control) # exit
    (config) #
    (config) # map alias GTP-User
    (config map alias GTP-User) # type firstLevel byRule
    (config map alias GTP-User) # roles replace admin to owner_roles
    (config map alias GTP-User) # rule add pass portdst 2152 bidir
    (config map alias GTP-User) # to vport1
    (config map alias GTP-User) # from 8/1/x40,8/1/x6
    (config map alias GTP-User) # exit
    (config) #
    (config) # map alias Fragments-Not-First
    (config map alias Fragments-Not-First) # type firstLevel byRule
    (config map alias Fragments-Not-First) # roles replace admin to owner_roles
    (config map alias Fragments-Not-First) # rule add pass ipfrag all-frag-no-first
    (config map alias Fragments-Not-First) # to vport1
    (config map alias Fragments-Not-First) # from 8/1/x40,8/1/x6
    (config map alias Fragments-Not-First) # exit
    (config) #

Step 4. Configure the GigaSMART operation for GTP flow sampling.

    (config) # gsop alias gtp-flowsample flow-ops gtp-flowsample lb app gtp metric hashing key imsi port-list gsg1

Step 5. Configure a second level map for GTP flow sampling, the flow sampling map. The traffic flow is sampled based on the rules in this map.

    (config) # map alias GTP-Sample-01
    (config map alias GTP-Sample-01) # type secondLevel flowSample
    (config map alias GTP-Sample-01) # roles replace admin to owner_roles
    (config map alias GTP-Sample-01) # use gsop gtp-flowsample
    (config map alias GTP-Sample-01) # flowsample add gtp imsi 31* imei 01416800* percentage 50
    (config map alias GTP-Sample-01) # flowsample add gtp imsi 46* percentage 80
    (config map alias GTP-Sample-01) # flowsample add gtp msisdn 1509* percentage 25
    (config map alias GTP-Sample-01) # flowsample add gtp imsi 31* imei 01400* percentage 15
    (config map alias GTP-Sample-01) # flowsample add gtp imsi 31* msisdn 1909* percentage 20
    (config map alias GTP-Sample-01) # to 10/5/x18
    (config map alias GTP-Sample-01) # from vport1
    (config map alias GTP-Sample-01) # exit
    (config) #
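
Added example (not part of the Gigamon documentation): an offline audit of the GTP-Sample-01 rules above that lists rule pairs able to match the same subscriber, which is where the effective sampling percentage depends on which rule the device applies. It assumes a trailing * is a prefix wildcard and models only the imsi, imei and msisdn keywords; the function names are this example's own.

```python
import re
from itertools import combinations

# flowsample rules copied from map GTP-Sample-01 in Example 3, prompts included.
EXAMPLE_3_RULES = """\
(config map alias GTP-Sample-01) # flowsample add gtp imsi 31* imei 01416800* percentage 50
(config map alias GTP-Sample-01) # flowsample add gtp imsi 46* percentage 80
(config map alias GTP-Sample-01) # flowsample add gtp msisdn 1509* percentage 25
(config map alias GTP-Sample-01) # flowsample add gtp imsi 31* imei 01400* percentage 15
(config map alias GTP-Sample-01) # flowsample add gtp imsi 31* msisdn 1909* percentage 20
(config map alias GTP-Sample-01) # to 10/5/x18
"""

FIELDS = {"imsi", "imei", "msisdn"}  # only these keywords are modelled here
RULE_RE = re.compile(r"flowsample add gtp\s+(.+?)\s+percentage\s+(\d+)\s*$")


def parse_rules(text):
    """Return [(rule_no, {field: pattern}, percentage)] from pasted CLI lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue  # other commands such as 'to', 'from', 'exit'
        tokens = m.group(1).split()
        if len(tokens) % 2:
            raise ValueError(f"unpaired keyword in: {line.strip()}")
        patterns = dict(zip(tokens[0::2], tokens[1::2]))
        extra = set(patterns) - FIELDS
        if extra:
            raise ValueError(f"keyword(s) not modelled: {sorted(extra)}")
        pct = int(m.group(2))
        if not 0 <= pct <= 100:
            raise ValueError(f"percentage out of range in: {line.strip()}")
        rules.append((len(rules) + 1, patterns, pct))
    return rules


def covers(a, b):
    """True if every identifier matched by pattern b is also matched by a.

    Assumption: a trailing '*' is a prefix wildcard, anything else is exact.
    """
    if a.endswith("*"):
        return b.rstrip("*").startswith(a[:-1])
    return a == b


def patterns_overlap(a, b):
    """True if at least one identifier matches both patterns."""
    return covers(a, b) or covers(b, a)


def rules_overlap(pa, pb):
    """Two rules overlap unless a field they both set can never agree."""
    return all(patterns_overlap(pa[f], pb[f]) for f in pa.keys() & pb.keys())


def rule_covers(pa, pb):
    """True if every subscriber matching rule b also matches rule a."""
    return all(f in pb and covers(pa[f], pb[f]) for f in pa)


def audit(rules):
    """Return [(rule_a, rule_b, kind, pct_a, pct_b)] for overlapping pairs.

    kind is 'subset' when one rule matches everything the other does,
    otherwise 'partial'.
    """
    findings = []
    for (na, pa, pct_a), (nb, pb, pct_b) in combinations(rules, 2):
        if not rules_overlap(pa, pb):
            continue
        subset = rule_covers(pa, pb) or rule_covers(pb, pa)
        findings.append((na, nb, "subset" if subset else "partial", pct_a, pct_b))
    return findings


if __name__ == "__main__":
    for a, b, kind, pct_a, pct_b in audit(parse_rules(EXAMPLE_3_RULES)):
        print(f"rule {a} ({pct_a}%) and rule {b} ({pct_b}%): {kind} overlap")
```
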
Example 4: GigaSMART GTP Whitelisting, GigaSMART GTP Flow Sampling, and GigaSMART Load Balancing
Example 4 combines the GTP whitelisting configuration from Example 1 with the GTP flow sampling configuration from Example 3, and adds GigaSMART load balancing.
In Example 4, traffic from network ports goes to the three first level maps (GTP-Control, GTP-User, and Fragments-Not-First) and then to the virtual port (vport1). If there is a match to an IMSI in the whitelist (MyIMSIs), it is forwarded to the port group (PG-Whitelist) for load balancing.
Note: In Example 4, the tool ports in the port group are on the same node as the GigaSMART group and GigaSMART operation.
If there is not a match to an IMSI in the whitelist, the traffic flow is sampled based on the rules in the flow sampling map (GTP-Sample-01). The flow sampling rules specify IMSI, IMEI, and MSISDN numbers, as well as the percentage to sample. Packets are then accepted or rejected. Accepted packets are forwarded to the port group (PG-Sample) for load balancing. Rejected packets are dropped. Packets that do not match a rule will be passed to subsequent maps.
Step 1. Create port groups and specify the tool ports for load balancing.

    (config) # port-group alias PG-Whitelist port-list 10/5/x17..x18
    (config) # port-group alias PG-Sample port-list 10/5/x19..x20

Step 2. Enable load balancing on the port groups.

    (config) # port-group alias PG-Whitelist smart-lb enable
    (config) # port-group alias PG-Sample smart-lb enable

Step 3. Configure a GigaSMART group and associate it with a GigaSMART engine port.

    (config) # gsgroup alias gsg1 port-list 10/7/e1

Step 4. Create a virtual port.

    (config) # vport alias vport1 gsgroup gsg1

Step 5. Configure three first level maps. Note: In the rules, 2123 is GTP-c traffic and 2152 is GTP-u traffic.

    (config) # map alias GTP-Control
    (config map alias GTP-Control) # type firstLevel byRule
    (config map alias GTP-Control) # roles replace admin to owner_roles
    (config map alias GTP-Control) # rule add pass portdst 2123 bidir
    (config map alias GTP-Control) # to vport1
    (config map alias GTP-Control) # from 8/1/x40,8/1/x6
    (config map alias GTP-Control) # exit
    (config) #
    (config) # map alias GTP-User
    (config map alias GTP-User) # type firstLevel byRule
    (config map alias GTP-User) # roles replace admin to owner_roles
    (config map alias GTP-User) # rule add pass portdst 2152 bidir
    (config map alias GTP-User) # to vport1
    (config map alias GTP-User) # from 8/1/x40,8/1/x6
    (config map alias GTP-User) # exit
    (config) #
    (config) # map alias Fragments-Not-First
    (config map alias Fragments-Not-First) # type firstLevel byRule
    (config map alias Fragments-Not-First) # roles replace admin to owner_roles
    (config map alias Fragments-Not-First) # rule add pass ipfrag all-frag-no-first
    (config map alias Fragments-Not-First) # to vport1
    (config map alias Fragments-Not-First) # from 8/1/x40,8/1/x6
    (config map alias Fragments-Not-First) # exit
    (config) #

Step 6. Create the GTP whitelist.

    (config) # apps gtp-whitelist alias MyIMSIs create

Step 7. Fetch whitelist files from a specified location to populate the GTP whitelist.

    (config) # apps gtp-whitelist alias MyIMSIs fetch add http://10.1.1.100/tftpboot/myfiles/MyIMSIs_file1.txt
    (config) # apps gtp-whitelist alias MyIMSIs fetch add http://10.1.1.100/tftpboot/myfiles/MyIMSIs_file2.txt

Step 8. (Optional) Add a single IMSI to the GTP whitelist.

    (config) # apps gtp-whitelist alias MyIMSIs add imsi 318260109318283

Step 9. Associate the GigaSMART group to the GTP whitelist.

    (config) # gsparams gsgroup gsg1 gtp-whitelist add MyIMSIs

Step 10. Configure the GigaSMART operation for GTP whitelisting.

    (config) # gsop alias gtp-whitelist flow-ops gtp-whitelist lb app gtp metric hashing key imsi port-list gsg1

Step 11. Configure a second level map for GTP whitelisting, the whitelist map. If there is a match to an IMSI in the whitelist (MyIMSIs), it is forwarded to a load balancing port group.

    (config) # map alias GTP-Whitelist
    (config map alias GTP-Whitelist) # type secondLevel flowWhitelist
    (config map alias GTP-Whitelist) # roles replace admin to owner_roles
    (config map alias GTP-Whitelist) # use gsop gtp-whitelist
    (config map alias GTP-Whitelist) # to PG-Whitelist
    (config map alias GTP-Whitelist) # from vport1
    (config map alias GTP-Whitelist) # exit
    (config) #

Step 12. Configure the GigaSMART operation for GTP flow sampling.

    (config) # gsop alias gtp-flowsample flow-ops gtp-flowsample lb app gtp metric hashing key imsi port-list gsg1

Step 13. Configure a second level map for GTP flow sampling, the flow sampling map. If there is not a match to an IMSI in the whitelist, the traffic flow is sampled based on the rules in this map. Accepted packets are forwarded to a load balancing port group.

    (config) # map alias GTP-Sample-01
    (config map alias GTP-Sample-01) # type secondLevel flowSample
    (config map alias GTP-Sample-01) # roles replace admin to owner_roles
    (config map alias GTP-Sample-01) # use gsop gtp-flowsample
    (config map alias GTP-Sample-01) # flowsample add gtp imsi 31* imei 01416800* percentage 50
    (config map alias GTP-Sample-01) # flowsample add gtp imsi 46* percentage 80
    (config map alias GTP-Sample-01) # flowsample add gtp msisdn 1509* percentage 25
    (config map alias GTP-Sample-01) # flowsample add gtp imsi 31* imei 01400* percentage 15
    (config map alias GTP-Sample-01) # flowsample add gtp imsi 31* msisdn 1909* percentage 20
    (config map alias GTP-Sample-01) # to PG-Sample
    (config map alias GTP-Sample-01) # from vport1
    (config map alias GTP-Sample-01) # exit
    (config) #

Step 14. Display the configuration for this example.

    (config) # show port-group
    (config) # show gsgroup
    (config) # show vport
    (config) # show gsop
    (config) # show gsparams
    (config) # show map
    (config) # show gsgroup flow-whitelist
    (config) # show map stats all
    (config) # show apps gtp-whitelist

Step 15. Display the GTP whitelist entry count.

    (config) # show apps gtp-whitelist alias MyIMSIs count

Note: IP-CAN-Bearer—IP Connectivity Access Network (CAN) Bearer, refers to bearers in 3G/4G. With the introduction of APN filtering, GTP correlation started to be based on bearers and not subscribers. Specific bearers of subscribers are counted as bearers matched under the IP-CAN-Bearer heading.
Example 5: GigaSMART GTP Flow Sampling with Multiple Maps
Example 5 includes multiple GTP flow sampling maps, which provide a more granular selection of tool ports for flow sampling.
In Example 5, traffic from network ports goes to the three first level maps (GTP-Control, GTP-User, and Fragments-Not-First) and then to the virtual port (vport1). If there is a match to an IMSI in the whitelist (VoLTE_1MM), it is forwarded to the port group (PG-Whitelist-1) for load balancing.
Note: In Example 5, the tool ports in the port group are on the same node as the GigaSMART group and GigaSMART operation.
If there is not a match to an IMSI in the whitelist, the traffic flow is sampled based on the rules in four flow sampling maps (GTP-Sample-1 to GTP-Sample-4).
The flow sampling rules in each map specify IMSI, IMEI, and MSISDN numbers, as well as the percentage to sample. Packets are then accepted or rejected. Accepted packets are forwarded to the port group (PG-Sample-1 to PG-Sample-4) for load balancing. Rejected packets are dropped. Packets that do not match a rule will be passed to subsequent maps, in this example, to a shared collector.
Step 1. Create port groups and specify the tool ports for load balancing.

    (config) # port-group alias PG-Sample-1 port-list 10/5/x17..x20
    (config) # port-group alias PG-Sample-2 port-list 10/5/x21..x22
    (config) # port-group alias PG-Sample-3 port-list 10/4/x5..x6
    (config) # port-group alias PG-Sample-4 port-list 10/4/x7..x8
    (config) # port-group alias PG-Whitelist-1 port-list 10/5/x23..x24

Step 2. Enable load balancing on the port groups.

    (config) # port-group alias PG-Sample-1 smart-lb enable
    (config) # port-group alias PG-Sample-2 smart-lb enable
    (config) # port-group alias PG-Sample-3 smart-lb enable
    (config) # port-group alias PG-Sample-4 smart-lb enable
    (config) # port-group alias PG-Whitelist-1 smart-lb enable

Step 3. Configure a GigaSMART group and associate it with a GigaSMART engine port.

    (config) # gsgroup alias gsg1 port-list 10/7/e1

Step 4. Create a virtual port.

    (config) # vport alias vport1 gsgroup gsg1

Step 5. Configure three first level maps. Note: In the rules, 2123 is GTP-c traffic and 2152 is GTP-u traffic.

    (config) # map alias GTP-Control
    (config map alias GTP-Control) # type firstLevel byRule
    (config map alias GTP-Control) # roles replace admin to owner_roles
    (config map alias GTP-Control) # rule add pass portdst 2123 bidir
    (config map alias GTP-Control) # to vport1
    (config map alias GTP-Control) # from 10/1/x5,10/3/x1,10/6/q1
    (config map alias GTP-Control) # exit
    (config) #
    (config) # map alias GTP-User
    (config map alias GTP-User) # type firstLevel byRule
    (config map alias GTP-User) # roles replace admin to owner_roles
    (config map alias GTP-User) # rule add pass portdst 2152 bidir
    (config map alias GTP-User) # to vport1
    (config map alias GTP-User) # from 10/1/x5,10/3/x1,10/6/q1
    (config map alias GTP-User) # exit
    (config) #
    (config) # map alias Fragments-Not-First
    (config map alias Fragments-Not-First) # type firstLevel byRule
    (config map alias Fragments-Not-First) # roles replace admin to owner_roles
    (config map alias Fragments-Not-First) # rule add pass ipfrag all-frag-no-first
    (config map alias Fragments-Not-First) # to vport1
    (config map alias Fragments-Not-First) # from 10/1/x5,10/3/x1,10/6/q1
    (config map alias Fragments-Not-First) # exit
    (config) #

Step 6. Create the GTP whitelist.

    (config) # apps gtp-whitelist alias VoLTE_1MM create

Step 7. Fetch whitelist files from a specified location to populate the GTP whitelist.

    (config) # apps gtp-whitelist alias VoLTE_1MM fetch add http://10.1.1.100/tftpboot/myfiles/IMSI_file1.txt
    (config) # apps gtp-whitelist alias VoLTE_1MM fetch add http://10.1.1.100/tftpboot/myfiles/IMSI_file2.txt

Step 8. (Optional) Add a single IMSI to the GTP whitelist.

    (config) # apps gtp-whitelist alias VoLTE_1MM add imsi 318260109318283

Step 9. Associate the GigaSMART group to the GTP whitelist.

    (config) # gsparams gsgroup gsg1 gtp-whitelist add VoLTE_1MM

Step 10. Configure the GigaSMART operation for GTP whitelisting.

    (config) # gsop alias gtp-whitelist-1 flow-ops gtp-whitelist lb app gtp metric hashing key imsi port-list gsg1

Step 11. Configure a second level map for GTP whitelisting, the whitelist map. If there is a match to an IMSI in the whitelist (VoLTE_1MM), it is forwarded to a load balancing port group.

    (config) # map alias GTP-Whitelist
    (config map alias GTP-Whitelist) # type secondLevel flowWhitelist
    (config map alias GTP-Whitelist) # roles replace admin to owner_roles
    (config map alias GTP-Whitelist) # use gsop gtp-whitelist-1
    (config map alias GTP-Whitelist) # to PG-Whitelist-1
    (config map alias GTP-Whitelist) # from vport1
    (config map alias GTP-Whitelist) # exit
    (config) #

Step 12. Configure the GigaSMART operation for GTP flow sampling.

    (config) # gsop alias gtp-flowsample-1 flow-ops gtp-flowsample lb app gtp metric hashing key imsi port-list gsg1

Step 13. Configure a second level map for GTP flow sampling, the first flow sampling map. This map has 12 rules. Traffic flow is sampled based on the rules in this map. Accepted packets are forwarded to a load balancing port group.

    (config) # map alias GTP-Sample-1
    (config map alias GTP-Sample-1) # type secondLevel flowSample
    (config map alias GTP-Sample-1) # roles replace admin to owner_roles
    (config map alias GTP-Sample-1) # use gsop gtp-flowsample-1
    (config map alias GTP-Sample-1) # flowsample add gtp imsi 3182609833* imei 35609506* percentage 75
    (config map alias GTP-Sample-1) # flowsample add gtp imsi 3182609834* imei 3560950* percentage 10
    (config map alias GTP-Sample-1) # flowsample add gtp imsi 31826098350* imei 356095* percentage 20
    (config map alias GTP-Sample-1) # flowsample add gtp imsi 31826098351* imei 35609* percentage 20
    (config map alias GTP-Sample-1) # flowsample add gtp imsi 31826098352* imei 3560* percentage 20
    (config map alias GTP-Sample-1) # flowsample add gtp imsi 31826098353* imei 356* percentage 20
    (config map alias GTP-Sample-1) # flowsample add gtp imsi 31826098354* imei 35* percentage 20
    (config map alias GTP-Sample-1) # flowsample add gtp imsi 31826098355* imei 3* percentage 20
    (config map alias GTP-Sample-1) # flowsample add gtp imsi 31826098356* imei 356095* percentage 20
    (config map alias GTP-Sample-1) # flowsample add gtp imsi 31826098357* imei 3560* percentage 20
    (config map alias GTP-Sample-1) # flowsample add gtp imsi 31826098358* imei 35* percentage 20
    (config map alias GTP-Sample-1) # flowsample add gtp imsi 31826098359* imei 356095* percentage 20
    (config map alias GTP-Sample-1) # to PG-Sample-1
    (config map alias GTP-Sample-1) # from vport1
    (config map alias GTP-Sample-1) # exit
    (config) #

Step 14. Configure a second level map for GTP flow sampling, the second flow sampling map. This map has 12 rules. Traffic flow is sampled based on the rules in this map. Accepted packets are forwarded to a load balancing port group.

    (config) # map alias GTP-Sample-2
    (config map alias GTP-Sample-2) # type secondLevel flowSample
    (config map alias GTP-Sample-2) # roles replace admin to owner_roles
    (config map alias GTP-Sample-2) # use gsop gtp-flowsample-1
    (config map alias GTP-Sample-2) # flowsample add gtp imsi 3182609836* imei 35609506* percentage 30
    (config map alias GTP-Sample-2) # flowsample add gtp imsi 3182609837* imei 356095062* percentage 5
    (config map alias GTP-Sample-2) # flowsample add gtp imsi 31826098380* imei 356095062* percentage 50
    (config map alias GTP-Sample-2) # flowsample add gtp imsi 31826098381* imei 35609506* percentage 50
    (config map alias GTP-Sample-2) # flowsample add gtp imsi 31826098382* imei 3560950* percentage 50
    (config map alias GTP-Sample-2) # flowsample add gtp imsi 31826098383* imei 356095* percentage 50
    (config map alias GTP-Sample-2) # flowsample add gtp imsi 31826098384* imei 35* percentage 50
    (config map alias GTP-Sample-2) # flowsample add gtp imsi 31826098385* imei 356* percentage 50
    (config map alias GTP-Sample-2) # flowsample add gtp imsi 31826098386* imei 3560* percentage 50
    (config map alias GTP-Sample-2) # flowsample add gtp imsi 31826098387* imei 35609* percentage 50
    (config map alias GTP-Sample-2) # flowsample add gtp imsi 31826098388* imei 356095* percentage 50
    (config map alias GTP-Sample-2) # flowsample add gtp imsi 31826098389* imei 3560950* percentage 50
    (config map alias GTP-Sample-2) # to PG-Sample-2
    (config map alias GTP-Sample-2) # from vport1
    (config map alias GTP-Sample-2) # exit
    (config) #

Step 15. Configure a second level map for GTP flow sampling, the third flow sampling map. This map has 5 rules. Traffic flow is sampled based on the rules in this map. Accepted packets are forwarded to a load balancing port group.

    (config) # map alias GTP-Sample-3
    (config map alias GTP-Sample-3) # type secondLevel flowSample
    (config map alias GTP-Sample-3) # roles replace admin to owner_roles
    (config map alias GTP-Sample-3) # use gsop gtp-flowsample-1
    (config map alias GTP-Sample-3) # flowsample add gtp imsi 31826098390* imei 35609506* percentage 10
    (config map alias GTP-Sample-3) # flowsample add gtp imsi 31826098391* imei 35609506* percentage 10
    (config map alias GTP-Sample-3) # flowsample add gtp imsi 31826098392* imei 35609506* percentage 10
    (config map alias GTP-Sample-3) # flowsample add gtp imsi 31826098393* imei 35609506* percentage 10
    (config map alias GTP-Sample-3) # flowsample add gtp imsi 31826098394* imei 35609506* percentage 10
    (config map alias GTP-Sample-3) # to PG-Sample-3
    (config map alias GTP-Sample-3) # from vport1
    (config map alias GTP-Sample-3) # exit
    (config) #

Step 16. Configure a second level map for GTP flow sampling, the fourth flow sampling map. This map has one rule. Traffic flow is sampled based on the rules in this map. Accepted packets are forwarded to a load balancing port group.

    (config) # map alias GTP-Sample-4
    (config map alias GTP-Sample-4) # type secondLevel flowSample
    (config map alias GTP-Sample-4) # roles replace admin to owner_roles
    (config map alias GTP-Sample-4) # use gsop gtp-flowsample-1
    (config map alias GTP-Sample-4) # flowsample add gtp imsi 31826098429* imei 35609506* percentage 10
    (config map alias GTP-Sample-4) # to PG-Sample-4
    (config map alias GTP-Sample-4) # from vport1
    (config map alias GTP-Sample-4) # exit
    (config) #

Step 17. Configure a collector map for any packets that do not match other rules.

    (config) # map alias GTP-Collector
    (config map alias GTP-Collector) # roles replace admin to owner_roles
    (config map alias GTP-Collector) # from vport1
    (config map alias GTP-Collector) # collector gtp-collector
    (config map alias GTP-Collector) # exit
    (config) #

Step 18. Display the configuration for this example.

    (config) # show port-group
    (config) # show gsgroup
    (config) # show vport
    (config) # show gsop
    (config) # show gsparams
    (config) # show map

Example 6: GigaSMART GTP Load Balancing in a Cluster
Example 6 includes GTP load balancing in a cluster. The tool ports in the port groups must be on the same node, but the GigaSMART group and GigaSMART operation can be on a different node.
GTP load balancing in a cluster is supported for GTP flow filtering and GTP flow sampling.
In Example 6, two nodes are in a cluster, connected through a stack link. The port groups are specified in the to parameter of second level maps.
For information on GigaSMART load balancing, refer to GigaSMART Load Balancing.
Note: When the show load-balance port-group stats all command is executed from the leader, statistics for all the attached load balanced port groups are displayed. When the command is executed from another node in the cluster (standby or normal), only the statistics for the load balanced port group in the map attached to the GigaSMART operation on that node are displayed. The results displayed for the show load-balance port-group stats alias <alias> command are similar.
Step |
Description |
Command |
||||||||||||
|
Configure ports on two nodes as follows:
Then administratively enable the ports. |
(config) # port 1/1/q1 type network (config) # port 1/1/x6 type network (config) # port 1/1/x8 type network (config) # port 1/1/x10 type network (config) # port 1/1/x12 type network (config) # port 2/6/x1..x4 type tool (config) # port 2/7/x1..x6 type tool (config) # port 2/8/x1..x8 type tool (config) # port 1/2/q1..q8 type stack (config) # port 2/1/q1..q8 type stack (config) # port 1/1/q1 params admin enable (config) # port 1/1/x6 params admin enable (config) # port 1/1/x8 params admin enable (config) # port 1/1/x10 params admin enable (config) # port 1/1/x12 params admin enable (config) # port 2/6/x1..x4,2/7/x1..x6,2/8/x1..x8 params admin enable (config) # port 1/2/q1..q8,2/1/q1..q8 params admin enable |
||||||||||||
|
Configure GigaStreams as follows:
|
(config) # gigastream alias GTP-Collector-Filter port-list 2/8/x5..x6 params hash advanced (config) # gigastream alias GTP-Collector-Sample port-list 2/7/x5..x6 params hash advanced (config) # gigastream alias gstrm_stck_1_2_q1q8 port-list 1/2/q1..q8 params hash advanced (config) # gigastream alias gstrm_stck_2_1_q1q8 port-list 2/1/q1..q8 params hash advanced |
||||||||||||
|
Create three port groups and specify four tool ports each, for load balancing. Also, enable load balancing on each port group. The port groups are as follows:
Note: The tool ports in the port groups must be on the same node.
(config) # port-group alias PG-Filter-Version1
(config port-group alias PG-Filter-Version1) # port-list 2/8/x1..x4
(config port-group alias PG-Filter-Version1) # smart-lb enable
(config port-group alias PG-Filter-Version1) # exit
(config) # port-group alias PG-Filter-Version2
(config port-group alias PG-Filter-Version2) # port-list 2/6/x1..x4
(config port-group alias PG-Filter-Version2) # smart-lb enable
(config port-group alias PG-Filter-Version2) # exit
(config) # port-group alias PG-Sample
(config port-group alias PG-Sample) # port-list 2/7/x1..x4
(config port-group alias PG-Sample) # smart-lb enable
(config port-group alias PG-Sample) # exit
Configure the stack link between the nodes.
(config) # stack-link alias stck_lnk_bn_1and3 between gigastreams gstrm_stck_1_2_q1q8 and gstrm_stck_2_1_q1q8
Configure two GigaSMART groups, one for GTP flow filtering and one for GTP flow sampling.
Note: The GigaSMART groups are on a different node than the port groups.
(config) # gsgroup alias GSG-Filter port-list 1/3/e1
(config) # gsgroup alias GSG-Sample port-list 1/4/e1
Configure a flow filtering GigaSMART operation, specify load balancing, and assign the GigaSMART operation to the GigaSMART group for flow filtering. Configure a flow sampling GigaSMART operation, specify load balancing, and assign the GigaSMART operation to the GigaSMART group for flow sampling.
Note: The GigaSMART operations are on a different node than the port groups.
(config) # gsop alias GSOP-Filter flow-ops flow-filtering gtp lb app gtp metric hashing key imsi port-list GSG-Filter
(config) # gsop alias GSOP-Sample flow-ops gtp-flowsample lb app gtp metric hashing key imsi port-list GSG-Sample
Configure virtual ports and assign them to the same GigaSMART groups.
(config) # vport alias VP-Filter gsgroup GSG-Filter
(config) # vport alias VP-Sample gsgroup GSG-Sample
Create a first level map that directs GTP traffic from the network ports to the virtual port for flow filtering.
Note: In the rules, 2123 is GTP-c traffic and 2152 is GTP-u traffic.
(config) # map alias Map-Lev1-GTP-Filter
(config map alias Map-Lev1-GTP-Filter) # type firstLevel byRule
(config map alias Map-Lev1-GTP-Filter) # roles replace admin to owner_roles
(config map alias Map-Lev1-GTP-Filter) # rule add pass portdst 2123 bidir
(config map alias Map-Lev1-GTP-Filter) # rule add pass portdst 2152 bidir
(config map alias Map-Lev1-GTP-Filter) # rule add pass ipfrag all-frag-no-first
(config map alias Map-Lev1-GTP-Filter) # to VP-Filter
(config map alias Map-Lev1-GTP-Filter) # from 1/1/x6,1/1/x8,1/1/x10,1/1/x12
(config map alias Map-Lev1-GTP-Filter) # exit
(config) #
Create a first level map that directs GTP traffic from a network port to the virtual port for flow sampling.
Note: In the rules, 2123 is GTP-c traffic and 2152 is GTP-u traffic.
(config) # map alias Map-Lev1-GTP-Sample
(config map alias Map-Lev1-GTP-Sample) # type firstLevel byRule
(config map alias Map-Lev1-GTP-Sample) # roles replace admin to owner_roles
(config map alias Map-Lev1-GTP-Sample) # rule add pass portdst 2123 bidir
(config map alias Map-Lev1-GTP-Sample) # rule add pass portdst 2152 bidir
(config map alias Map-Lev1-GTP-Sample) # rule add pass ipfrag all-frag-no-first
(config map alias Map-Lev1-GTP-Sample) # to VP-Sample
(config map alias Map-Lev1-GTP-Sample) # from 1/1/q1
(config map alias Map-Lev1-GTP-Sample) # exit
(config) #
Configure a second level map for GTP flow filtering for version 1 traffic coming from the virtual port for flow filtering and going to the port group for version 1.
(config) # map alias Map-Lev2-GTP-Filter-Version1
(config map alias Map-Lev2-GTP-Filter-Version1) # type secondLevel flowFilter
(config map alias Map-Lev2-GTP-Filter-Version1) # roles replace admin to owner_roles
(config map alias Map-Lev2-GTP-Filter-Version1) # use gsop GSOP-Filter
(config map alias Map-Lev2-GTP-Filter-Version1) # flowrule add pass gtp imsi * version 1
(config map alias Map-Lev2-GTP-Filter-Version1) # to PG-Filter-Version1
(config map alias Map-Lev2-GTP-Filter-Version1) # from VP-Filter
(config map alias Map-Lev2-GTP-Filter-Version1) # exit
(config) #
Configure another second level map for GTP flow filtering for version 2 traffic coming from the virtual port for flow filtering and going to the port group for version 2.
(config) # map alias Map-Lev2-GTP-Filter-Version2
(config map alias Map-Lev2-GTP-Filter-Version2) # type secondLevel flowFilter
(config map alias Map-Lev2-GTP-Filter-Version2) # roles replace admin to owner_roles
(config map alias Map-Lev2-GTP-Filter-Version2) # use gsop GSOP-Filter
(config map alias Map-Lev2-GTP-Filter-Version2) # flowrule add pass gtp imsi * version 2
(config map alias Map-Lev2-GTP-Filter-Version2) # to PG-Filter-Version2
(config map alias Map-Lev2-GTP-Filter-Version2) # from VP-Filter
(config map alias Map-Lev2-GTP-Filter-Version2) # exit
(config) #
Configure a second level map for GTP flow sampling traffic coming from the virtual port for flow sampling and going to the port group for flow sampling.
(config) # map alias Lev2-GTP-Sample
(config map alias Lev2-GTP-Sample) # type secondLevel flowSample
(config map alias Lev2-GTP-Sample) # roles replace admin to owner_roles
(config map alias Lev2-GTP-Sample) # use gsop GSOP-Sample
(config map alias Lev2-GTP-Sample) # flowsample add gtp percentage 80
(config map alias Lev2-GTP-Sample) # to PG-Sample
(config map alias Lev2-GTP-Sample) # from VP-Sample
(config map alias Lev2-GTP-Sample) # exit
(config) #
Add a shared collector for any unmatched traffic from the virtual port for flow filtering.
(config) # map-scollector alias Collector-Filter
(config map-scollector alias Collector-Filter) # roles replace admin to owner_roles
(config map-scollector alias Collector-Filter) # from VP-Filter
(config map-scollector alias Collector-Filter) # collector GTP-Collector-Filter
(config map-scollector alias Collector-Filter) # exit
(config) #
Add a shared collector for any unmatched traffic from the virtual port for flow sampling.
(config) # map-scollector alias Collector-Sample
(config map-scollector alias Collector-Sample) # roles replace admin to owner_roles
(config map-scollector alias Collector-Sample) # from VP-Sample
(config map-scollector alias Collector-Sample) # collector GTP-Collector-Sample
(config map-scollector alias Collector-Sample) # exit
(config) #
Display the configuration for this example.
(config) # show map brief
(config) # show gigastream
(config) # show port-group
(config) # show gsgroup
(config) # show vport
(config) # show gsop
(config) # show map
(config) # show map brief
(config) # show load-balance port-group stats all
Example 7: APN for GigaSMART GTP Whitelisting, APN and QCI for GigaSMART GTP Flow Sampling
Example 7 specifies APN patterns for GTP whitelisting and GTP flow sampling. It also specifies QCI for GTP flow sampling.
In Example 7, traffic from network ports goes to the two first level maps (gtp_to_v1_c and gtp_to_v1_u) and then to the virtual port (v1).
In the whitelist map, if there is a match to the APN pattern and if the IMSI is present in the whitelist (IMSI), packets are forwarded to a tool port.
If there is not a match to an IMSI in the whitelist, the traffic is flow sampled based on the APN pattern and QCI value in the flow sampling map. Accepted packets are forwarded to the same tool port as specified in the whitelist map. Only 50% of traffic with QCI 5 is sent to the tool port.
Any unmatched traffic goes to a shared collector that sends it to a different tool port.
Step | Description | Command
Configure a network port and two tool ports and enable them.
(config) # port 22/3/x3 type network
(config) # port 22/4/x18 type tool
(config) # port 22/4/x19 type tool
(config) # port 22/3/x3 params admin enable
(config) # port 22/4/x18 params admin enable
(config) # port 22/4/x19 params admin enable
Configure a GigaSMART group and associate it with two GigaSMART engine ports.
(config) # gsgroup alias gsg2 port-list 22/2/e1,22/2/e2
Create a virtual port.
(config) # vport alias v1 gsgroup gsg2
Configure two first level maps, one for control traffic and one for user traffic.
(config) # map alias gtp_to_v1_c
(config map alias gtp_to_v1_c) # type firstLevel byRule
(config map alias gtp_to_v1_c) # roles replace admin to owner_roles
(config map alias gtp_to_v1_c) # param traffic control
(config map alias gtp_to_v1_c) # rule add pass portdst 2123 bidir
(config map alias gtp_to_v1_c) # rule add pass portdst 2122 bidir
(config map alias gtp_to_v1_c) # to v1
(config map alias gtp_to_v1_c) # from 22/3/x3
(config map alias gtp_to_v1_c) # exit
(config) #
(config) # map alias gtp_to_v1_u
(config map alias gtp_to_v1_u) # type firstLevel byRule
(config map alias gtp_to_v1_u) # roles replace admin to owner_roles
(config map alias gtp_to_v1_u) # rule add pass portdst 2152 bidir
(config map alias gtp_to_v1_u) # rule add pass ipfrag all-frag-no-first
(config map alias gtp_to_v1_u) # to v1
(config map alias gtp_to_v1_u) # from 22/3/x3
(config map alias gtp_to_v1_u) # exit
(config) #
Associate the GigaSMART group to the active GTP whitelist.
(config) # gsparams gsgroup gsg2 gtp-whitelist add IMSI
Configure the GigaSMART operation for GTP whitelisting.
(config) # gsop alias gtp-corelate_gsg_wl flow-ops gtp-whitelist lb app gtp metric hashing key imsi port-list gsg2
Configure a second level map for GTP whitelisting, the whitelist map. If there is a match to the APN pattern and if the IMSI is present in the whitelist (IMSI), packets are forwarded to a tool port.
(config) # map alias GTP-whitelist
(config map alias GTP-whitelist) # type secondLevel flowWhitelist
(config map alias GTP-whitelist) # roles replace admin to owner_roles
(config map alias GTP-whitelist) # use gsop gtp-corelate_gsg_wl
(config map alias GTP-whitelist) # whitelist add gtp apn *mobile.com*
(config map alias GTP-whitelist) # to 22/4/x18
(config map alias GTP-whitelist) # from v1
(config map alias GTP-whitelist) # exit
(config) #
Configure the GigaSMART operation for GTP flow sampling.
(config) # gsop alias gtp-corelate_gsg_fs flow-ops gtp-flowsample lb app gtp metric hashing key imei port-list gsg2
Configure a second level map for GTP flow sampling, the flow sampling map. If there is not a match to an IMSI in the whitelist, the traffic flow is sampled based on the APN pattern in this map. Accepted packets are forwarded to the same tool port as specified in the whitelist map.
(config) # map alias from_vp_fs1
(config map alias from_vp_fs1) # type secondLevel flowSample
(config map alias from_vp_fs1) # roles replace admin to owner_roles
(config map alias from_vp_fs1) # use gsop gtp-corelate_gsg_fs
(config map alias from_vp_fs1) # flowsample add gtp apn *ims* qci 5 percentage 50
(config map alias from_vp_fs1) # flowsample add gtp ims* percentage 100
(config map alias from_vp_fs1) # to 22/4/x18
(config map alias from_vp_fs1) # from v1
(config map alias from_vp_fs1) # exit
(config) #
Add a shared collector for any unmatched traffic from the virtual port and send it to a different tool port.
(config) # map-scollector alias from_vp_scoll
(config map-scollector alias from_vp_scoll) # roles replace admin to owner_roles
(config map-scollector alias from_vp_scoll) # from v1
(config map-scollector alias from_vp_scoll) # collector 22/4/x19
(config map-scollector alias from_vp_scoll) # exit
(config) #
Display the session table.
(config) # show gsgroup flow-ops-report alias gsg2 type flow-filtering any
Only 20 characters of the APN pattern are displayed in the session table. A plus sign (+) indicates that there are more characters. In the first USER row, the ims* suffix in the flow sampling map matched. In the second USER row, the *mobile.com* prefix and suffix in the whitelisting map matched.
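A pre-deployment check for the object references in the Example 7 procedure, added here as an illustration and not Gigamon's code: it parses pasted CLI lines and reports any map `from`, `to`, `collector` or `use gsop` target that is undefined or of the wrong kind, so a mistyped port cannot silently redirect subscriber traffic. The `lint` function, the `ALLOWED` and `REF_KW` tables and the restriction to object kinds seen on this page are assumptions; port ranges such as x1..x4 are not expanded.

```python
import re

# Constructed input: a subset of the Example 7 commands, pasted with their prompts.
CONFIG = """\
(config) # port 22/3/x3 type network
(config) # port 22/4/x18 type tool
(config) # port 22/4/x19 type tool
(config) # gsgroup alias gsg2 port-list 22/2/e1,22/2/e2
(config) # vport alias v1 gsgroup gsg2
(config) # gsop alias gtp-corelate_gsg_wl flow-ops gtp-whitelist lb app gtp metric hashing key imsi port-list gsg2
(config) # map alias gtp_to_v1_u
(config map alias gtp_to_v1_u) # to v1
(config map alias gtp_to_v1_u) # from 22/3/x3
(config) # map alias GTP-whitelist
(config map alias GTP-whitelist) # use gsop gtp-corelate_gsg_wl
(config map alias GTP-whitelist) # to 22/4/x18
(config map alias GTP-whitelist) # from v1
(config) # map-scollector alias from_vp_scoll
(config map-scollector alias from_vp_scoll) # from v1
(config map-scollector alias from_vp_scoll) # collector 22/4/x19
"""

# Assumption: kinds each reference may resolve to, limited to object types used on this page.
ALLOWED = {"from": {"network", "vport"}, "to": {"tool", "vport", "port-group"},
           "collector": {"tool", "gigastream"}, "gsop": {"gsop"}, "gsgroup": {"gsgroup"}}
REF_KW = {"vport": "gsgroup", "gsop": "port-list"}  # keyword that names the gsgroup they use

def lint(config):
    """Return (owner, keyword, name, problem) for each unresolved or mistyped reference."""
    kinds, refs, current = {}, [], None
    for raw in config.splitlines():
        t = re.sub(r"^\(config[^)]*\) #\s*", "", raw).split()  # drop the CLI prompt
        if len(t) >= 4 and t[0] == "port" and t[2] == "type":
            kinds[t[1]] = t[3]
        elif len(t) >= 3 and t[1] == "alias" and t[0].startswith("map"):
            current = t[2]  # later from/to/collector/use lines belong to this map
        elif len(t) >= 3 and t[1] == "alias":  # gsgroup, vport, gsop, port-group, gigastream
            kinds[t[2]] = t[0]
            if REF_KW.get(t[0]) in t[3:-1]:
                refs.append((t[2], "gsgroup", t[t.index(REF_KW[t[0]], 3) + 1]))
        elif len(t) == 3 and t[:2] == ["use", "gsop"]:
            refs.append((current, "gsop", t[2]))
        elif len(t) == 2 and t[0] in ("from", "to", "collector"):
            refs += [(current, t[0], n) for n in t[1].split(",")]
    # Resolve after parsing, so the order of definitions in the paste does not matter.
    return [(o, kw, n, "is a " + kinds[n] if n in kinds else "undefined")
            for o, kw, n in refs if kinds.get(n) not in ALLOWED[kw]]
```

An empty list means every reference resolved; each tuple otherwise names the map or object, the keyword, and the offending target.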
Flow-Ops for Unsupported Interfaces
The Flow-ops table displays statistics of the interfaces not supported by the GTP correlation engine.
Interface Pkts
=============== ===========
S2A 0
S3 0
S4 0
S11U 0
Unknown 0