GTP Whitelisting, GTP Flow Sampling, and Load Balancing

Applicable Map Components

Map Components

Sample Configuration

First-Level Map1

Source

Network Port - 1/1/x1

Source Ruleset

Condition - Port Destination, Value - 2123.

Application Ruleset

N/A

Applications

N/A

Destination

Virtual Port-vp1

First-Level Map2

Source

1/1/x1

Source Ruleset

Condition - Port Destination, Value - 2152.

Application Ruleset

N/A

Applications

N/A

Destination

Virtual Port - vp1

First-Level Map3

Source

1/1/x1

Source Ruleset

Condition - IP Fragmentation and Value - All Frag No First.

Application Ruleset

N/A

Applications

N/A

Destination

Virtual Port - vp1

Second-Level Map1

Source

Virtual port - vp1

Source Ruleset

N/A

Applications

Applications - Forward List and Load Balancing.

Load Balancing - Stateful, type - GTP.
Metric - Hashing, Hashing Key - IMSI.

Application Ruleset

Application Ruleset - Flow Whitelist GTP .

Condition - GTP, Version - V1.

Destination

Tool Group - PG-Sample.

Second-Level Map2

Source

Virtual port - vp1

Source Ruleset

N/A

Applications

Applications - Flow Sampling and Load Balancing.

Flow Sampling. type - GTP
Load Balancing - Stateful, type - GTP.
Metric - Hashing, Hashing Key - IMSI.

Application Ruleset

Application Ruleset - Flow Sample GTP

Conditions - GTP
o Percentage - 50 and IMEI - 01416800*
o Percentage - 80 and IMSI - 46*
o Percentage - 25, MSISDN - 1509*
o Percentage - 15, IMSI - 01400*
o Percentage - 20, IMSI - 31*, and MSISDN - 1909*

Destination

Tool Group - PG-Sample.

This topic explains the workflow required to configure a Traffic Policy for GTP Whitelisting, GTP Flow Sampling, and Load Balancing.

The traffic from network ports are forwarded to the three first level maps (GTP-Control, GTP-User, and Fragments-Not_First) and then to the virtual port (vp1). If there is a match to an IMSI in the whitelist (MyIMSIs), it is forwarded to the tool port. If there is a match to an IMSI in the whitelist (MyIMSIs), it is forwarded to the port group (PG-Whitelist) for load balancing.

Note:  The tool ports in the port group should be on the same node as the GigaSMART group and GigaSMART operation.

If there is not a match to an IMSI in the whitelist, the traffic flow is sampled based on the rules in the flow sampling map (GTP-Sample-01). The flow sampling rules specify IMSI, IMEI, and MSISDN numbers, as well as the percentage to sample. Packets are then accepted or rejected. Accepted packets are forwarded to the port group (PG-Sample) for load balancing. Rejected packets are dropped. Packets that do not match a rule will be passed to subsequent maps.

Configure a Port Group

1.   In GigaVUE-FM, go to Inventory > Nodes.
2. Click Nodes then, go to Ports > Port Groups .
3. Click New to create a new Port Group. The New Port Group page appears.
4. Enter PG-Sample in the Alias field.
5. Select Tool option.
6. Enable Load Balancing.
7. Choose the Tool Ports you want to attach to the port group, For example 1/1/x6, 1/1/x7, 1/2/x3, and 1/2/x4.
8. Specify the weights for each port as follows:
•   Weight 1/1/x6 - 5
•   Weight 1/1/x7 - 10
•   Weight 1/2/x3 - 20
•   Weight 1/2/x4 - 10
9. Click Apply to save. The created port group appears in the port group table.
10. Follow the Steps 1 - 9 to create another tool port group with PF-Sample as Alias.

To configure a GigaSMART group:

1.   In GigaVUE-FM, go to Inventory > Nodes.
2. Click the Cluster ID link for the cluster where you want to create the virtual port. The Overview page of the selected node appears.
3. In the left menu, go to System > GigaSMART > GigaSMART Groups. The GigaSMART Groups page appears.
4. Click New. The Add GigaSMART Group page appears.
5. Enter a name (gs-grp) for the GigaSMART group in the Alias field.
6. Select a GigaSMART engine port from the Port List, example 1/3/e1.
7. Click Apply. The GigaSMART Groups page appears with the group you created.

Create a Virtual Port

To configure a virtual port:

1.   In GigaVUE-FM, go to Inventory > Nodes.
2. Click the Cluster ID link for which you want to create the virtual port. The Overview page of the selected node appears.
3. In the left menu, go to System > GigaSMART > Virtual Ports. The Virtual Ports page appears.
4. Click New to add a virtual port. The New Virtual Port page appears.
5. Enter a name (vp1) for the virtual port in Alias field.
6. Select a GigaSMART group to which you want to assign the virtual port from the list.
7. Click Apply. The Virtual Ports page appears with the configured virtual port.

Create a GTP Whitelist

To create GTP Whitelist:

1.   In GigaVUE-FM, go to Inventory > Nodes.
2. Click the Cluster ID link for the cluster where you want to create the virtual port. The Overview page of the selected node appears.
3. In the left menu, go to System > GigaSMART > Forward List. The Forward List page appears.
4. Click New to add a Forward List. The Add Forward List pane appears.
5. Enter a name (MyIMSI) for the forward list in Alias field.
6. Select Type as GTP.
7. Select Bulk Entry Operation for uploading the IMSI list.
8. Select the Import Type as Upload from URL.
9. Select the Operation Type as Append.
10. Enter the URL (Example: http://10.1.1.100/tftpboot/myfiles/MyIMSIs_file2.tx) in the Remote URL field.
11. Click Apply. The Forward List page appears with the created Forward List list.

Associate the GTP Whitelist to GigaSMART Group

To associate the GTP Whitelist with the GigaSMART group:

1.   Go to System > GigaSMART > GigaSMART Groups. The GigaSMART Groups page appears.
2. Select the GigaSMART group (gs-grp) you crated earlier.
3. In Actions dropdown, select Edit. The Edit GigaSMART Group page appears.
4. In the GigaSMART Parameters section, go to GTP Forward List.
5. Select the forward list you created earlier from the GTP Forward List Alias.
6. Click Apply. The GigaSMART Groups page appears with the updated GigaSMART group.

Optional - add a single IMSI to GTP whitelist

Configure Traffic Policy

Create First-level Maps

Map 1:

To create a first-level map:

1.   Access Traffic Policy.
a. In GigaVUE-FM, go to Traffic > Traffic Policy. The Traffic Policy landing page appears.
b. Click New Map in the top right corner of the landing page. The New Map dialog appears.
c. In the New Map dialog, do the following:
•   Alias - Enter GTP- Control.
•   (Optional) Description - Enter the description for the Traffic Policy.
•   (Optional) Enabled - Clear this option, if you want to disable the map. By default, this option is selected.
•   (Optional) Tags - Select a tag key and value for the Traffic Policy, to support policy-level analytics.
a. Click Sources. The Source 1 page appears.
b. Select the network port 1/1/x1.

Note:  To configure or modify the port type, use the Quick Port Editor.

c. Click Add. The Source block appears on the canvas with the selected network port.
2. Select Source Ruleset.
a. Expand the Source Ruleset component and then drag and drop By Rule. The Source Ruleset page appears.
b. Click Add Rules. The Add Ruleset pane appears.
c. Turn on Pass toggle and select Bi-directional option to pass the configured traffic.
d. Select Port Destination from the Condition list, and then enter 2123 in the Value field.
e. Click Save. The added rule appears in the Source Ruleset page.
f. Click Close. The By Rule block appears on the canvas with the configured rule.
3. Select Destination.
a. Click Destinations. The Destination 1 page appears.
b. Select the configured virtual port vp1.
c. Click Add. The Destination block appears on the canvas with the selected virtual port.
4. Deploy Traffic Policy.
a. On the Traffic Policy canvas, click Deploy to deploy the Traffic Policy in the device.
5. Verify deployment.
a. Status: In the Traffic Policy landing page, verify that the Traffic Policy shows Deployment Status as Success and Health Status as Healthy.
b. (Optional) Implemented Device: View the generated map and confirm that the traffic statistics is incrementing as expected.

Map 2:

Follow the same steps in the previous section to create another first-level map with the following changes:

1.   Create the first-level map (GTP-User) with the following source rule:
o   Source ruleset
•   Condition - Port Destination and Value -2152.
2. Deploy and verify the Traffic Policy.

Map 3:

Follow the same steps in the previous section to create another first-level map with the following changes:

1.   Create the first-level map (Fragments-Not-First) with the following source rule:
o   Source ruleset
•   Condition - IP Fragmentation and Value - All Frag No First.
2. Deploy and verify the Traffic Policy

Create a Second-level Map

Map 1:

To create a second-level map to forward traffic that match the IMSI whitelist to the tool port

1.   Access Traffic Policy
a. In GigaVUE-FM, go to Traffic > Traffic Policy. The Traffic Policy landing page appears.
b. Create a new map with Alias as GTP-Whitelist.
2. Select Source
a. Click Sources. The Source 1 page appears with the list of available ports.
b. Select the virtual port vp1.
c. Click Add. The Source block appears on the canvas with the selected virtual port.
3. Select Application
a. Expand the Applications component and then drag and drop My GSOP. The GSOP page appears.
b. Select either a standalone node or a cluster from the Select Node list.
c. Click New from the GSOP field. The New GSOP pane appears with the selected node.
d. Enter a name for the GigaSMART operation in the GSOP Alias field.
e. Select the GigaSMART group (gs-grp) you created earlier.
f. Select Forward List and Load Balancing from the Applications list. By default, the applications you select are enabled.
g. In the Forward List section, select GTP option.
h. In the Load Balancing section, select Stateful option and type as GTP.
i. Select Hashing from the Metric list.
j. Select IMSI option in the Hashing Key field.
k. Click Save. The My GSOP block appears on the canvas with the configured GigaSMART operation.
4. Select Application Ruleset.
a. Expand the Application Ruleset component and then drag and drop a Flow Whitelist GTP. The Application Ruleset page appears.
b. Click Add Rules. The Add Ruleset pane appears.
c. Select GTP from the Condition list, and Version as V1.
d. Click Save. The Application Ruleset page appears with the configured rule.
e. Click Close. The Flow Whitelist GTP block appears on the canvas with the configured application rule.
5. Select Destination.
a. Click Destinations. The Destination 1 page appears with the list of available ports.
b. Select the tool port group (PG-Sample).
c. Click Add. The Destination block appears on the canvas with the selected tool ports.
6. Deploy Traffic Policy.
a. On the Traffic Policy canvas, click Deploy to deploy the Traffic Policy in the device.
7. Verify deployment.
a. Status: In the Traffic Policy landing page, verify that the Traffic Policy shows Deployment Status as Success and Health Status as Healthy.
b. (Optional) Implemented Device: View the generated map and confirm that the traffic statistics is incrementing as expected.

Map 2:

To create a second-level map to flow sample the traffic if these is no match to the IMSI whitelist and to forward the accepted packets to the load balancing port group

Follow the same steps in the previous section to create another second-level map with the following changes:

1.   Create the second-level map (GTP-Sample-01) with the following components and configurations:
o   Source port - Virtual Port (vp1)
o   Destination port - Too port group (PG-Sample)
o   Application - Flow Sampling and Load Balancing
•   In the Flow Sampling section, select Flow Sampling - GTP as the Type.
•   In the Load Balancing section, select Stateful option and type as GTP.
•   Select the Metric as Hashing and IMSI from the Hashing Key options.
o   Application ruleset - Flow Sample GTP
•   Select GTP from the Condition list and enter the given values:
•   Percentage - 50 and IMEI - 01416800*, and IMSI - 31*
•   Percentage - 80 and IMSI - 46*
•   Percentage - 25, MSISDN - 1509*
•   Percentage - 15, IMSI - 01400*, and IMSI - 31*
•   Percentage - 20, IMSI - 31*, and MSISDN - 1909*
2. Deploy and verify the Traffic Policy.