GigaSMART GTP Whitelisting and GTP Flow Sampling
Required Licenses: GTP Filtering & Correlation and FlowVUE
Supported Devices : GigaVUE- HC3 Gen 2, GigaVUE- HC3 Gen 3 ,GigaVUE- HC1 Plus.
Refer to Supported GigaSMART Operations for more details on the devices that support GigaSMART operations.
Use GTP forward listing and GTP flow sampling to provide subsets of GTP correlated flows to tools. GTP forward listing selects specific subscribers based on IMSI, while GTP flow sampling uses map rules to select subscribers. Starting in software version 4.8, GigaSMART supports GTP overlap mapping, which combines both forward listing and flow sampling maps as part of a map group. Refer to GTP Overlap Flow Sampling Maps
Starting in software version 4.5, a GigaSMART group (gsgroup) associated with GTP applications can have multiple GigaSMART engine port members (e ports), up to four, forming an engine group. Refer to GTP Scaling.
Refer to the following sections:
- GTP Whitelisting
- GTP Flow Sampling
- GTP Subscriber Aware Random Sampling
- Display GTP Flow Ops Report Statistics
GTP Whitelisting
GTP forward listing selects specific subscribers based on IMSI. The forward list contains up to 2,000,000 subscriber IMSIs. For subscribers in the forward list, 100% of their traffic is always sent to a specified tool port.
For example, when a subscriber session comes in, GTP forward listing checks the IMSI of the subscriber. If the incoming IMSI or RAN matches an IMSI or RAN in the forward list, the session is sent to the tool port or load balancing group specified in the forward list map.
Starting in software version 4.7, GTP forward listing is supported in a cluster. Refer to GTP Whitelisting in a Cluster for more information.
Subscriber IMSIs are added to a forward list that can contain up to 2,000,000 subscriber IMSIs. One active forward list per GigaSMART group is supported.
Entries in the forward list can be added one at a time or whitelist files containing multiple IMSIs can be created and downloaded. Entries are added by using the GTP Whitelist page by selecting GigaSMART > GTP Whitelist. The GTP Whitelist page shows alias for the currently configured GTP Whitelists, the IMSI count for each Forward list and the GigaSMART Group associated with the GTP Whitelist. The GTP Whitelist is associated with the GigaSMART group by specifying its alias in the GTP Whitelist Alias field in GigaSMART Group configuration page and then clicking New.
An individual IMSI is added by selecting Individual Entry Operation and specifying the IMSI in the Individual IMSI Entry field.
The IMSIs in whitelist files must be distinct entries, with one IMSI on each line of a file and a maximum of 500,000 entries in each file. This means that 4 files of 500,000 entries will be needed to populate the forward list to its capacity. Wildcards are not supported in whitelist files.
Whitelist files must have a filename with a .txt suffix. Use the GTP Whitelist page to fetch the entries from a whitelist file at a specified location, using one of the following formats, which are specified in the Enter Remote URL field when Bulk Entry Operation is selected and the Bulk Upload Type is Upload from URL:
http://IPaddress/path/filename.txt |
scp://username:password@IPaddress:/path/filename.txt |
tftp://IPaddress/path/filename.txt |
To fetch a whitelist file from a local location, select File Upload for Bulk Upload Type and use the Browse button to select the file.
To update an existing forward list, download the whitelist file, add the forward list entry and then re-upload the file. This will not modify or remove the previous entries added in the file.
When a whitelist file is downloaded, the entries are compared to the forward list on the node. There may be new entries in the file that might already be part of the existing forward list. GigaSMART will add the new, non-duplicate entries to the forward list, without rejecting the entire file.
If the current number of entries in the forward list plus the new entries in the whitelist file is greater than the forward list capacity of 2,000,000 IMSIs, the Append operation will fail and the new entry or the entries from the new whitelist file will not be added.
GTP forward listing does not use map rules like GTP flow sampling does. The forward list is associated with a GigaSMART group, GigaSMART operation, and second level maps, called whitelist maps.
You can create multiple forward list database per GigaSMART group but the maximum number of whitlelist entries allowed are 2,000,000 IMSIs per GigaSMART group. You can have a maximum of 20 active forward list database in a GigaSMART group. You can also perform dynamic addition of a forward list database after deploying a solution. You can delete the forward list database, only after removing the GigaSMART group. Refer to Delete Forward List.
For the sequences of steps to create a forward list with the UI, refer to the configuration example for forward listing in GigaSMART GTP Whitelisting and GTP Flow Sampling.
The whitelist maps are configured per GigaSMART group. Each forward list map, associated with the same vport, uses the same underlying forward list.
Up to ten (10) whitelist maps are supported. Multiple whitelist maps provide a granular selection of tool ports for forward listing. Using multiple maps, traffic can be segregated and sent to multiple destinations. Forward list map rules allow you to select the subset of IMSIs sent to a particular tool.
Each forward list map can contain up to four rules. The rules specify the type of traffic to be forward listed by that map. Within any single map, the rules are evaluated in order. The rules in the first map have a higher priority than the rules in the second, third, and subsequent maps.
The rules will specify either an Evolved Packet Core (EPC) interface type or a GTP version as the attribute to match. An Access Point Name (APN) and can also be specified in a rule of a Second Level Flow Whitelist map, either by itself, or preceding the EPC interface type or in combination with the GTP version.
For APN, you must specify a pattern (a name) to match. Use APN to direct the traffic that matches the pattern to a specific tool.
GTP version and EPC interface are mutually exclusive. A mix of versions and interface types across whitelist maps, associated with the same vport, is not supported. For example, you can configure two whitelist maps with one map specifying a rule for version 1 and another map specifying a rule for version 2, OR four whitelist maps with each map specifying a rule for each interface type (Gn, S11, S5, and S10). For more information on interfaces, refer to Supported Interfaces.
An APN pattern is for example, three.co.uk. Wildcard prefixes and suffixes are supported, for example, *mobile.com or *ims*. The pattern can be specified in up to 100 case-insensitive alphanumeric characters and can include the following special characters: period (.), hyphen (-), and wildcard (*). A standalone wildcard (*) is not allowed for APN.
You must specify a pattern required for the forward list DataBase (DB) lookup in Type. The following three types of values are supported for the DB lookup:
-
imsi/supi — only IMSI or SUPI value used for the DB lookup.
-
ran — only RAN value used for the DB lookup.
-
all — both RAN and IMSI/SUPI value used for the DB lookup.
By default, SUPI or IMSI is value is used for the DB lookup, if no type is configured.
You can configure a maximum of 10 forward list aliases in a single forward list map. The Database lookup happens only in the configured forward list alias based on the configured DB type.
When there is only DB type is configured and no forward list alias is configured, then the first forward list DB configured in the gsparams is used for the DB lookup.
When there is no DB type and no forward list alias are configured, then the lookup happens in all the forward list DB configured in the gsparams.
Each new subscriber session will be evaluated by the whitelist maps in the order of priority, which, by default, is the order in which the maps were created.
When a subscriber session comes in, GTP forward listing will check the IMSI of the subscriber. If the IMSI is present in the forward list, the rules in the first forward list map is evaluated to qualify the match further. Otherwise, the packet is evaluated against the rules in the subsequent whitelist maps for a possible match.
For example, with one forward list map having a rule specifying GTP version 1 and another forward list map having a rule specifying GTP version 2, when a subscriber session comes in, GTP forward listing will check the IMSI of the subscriber. if the IMSI is present in the forward list and if there is a match to version 1, the session (100% of subscriber packets) will be forwarded to the tool port, GigaStream, or load balancing group specified in the forward list map. If there is not a match to version 1, the next map is evaluated. If there is a match to version 2 in the next map, the session will be forwarded to the tool port, GigaStream, or load balancing group specified in the second forward list map.
Note: Both maps can specify the same destination.
Rules can be added to, or deleted from, a forward list map. Use the Add a Rule button to add a new forward list rule (a pass rule). Click x to delete a rule. A rule in a forward list map cannot be edited. To edit a rule, first delete it, then recreate it.
The default map configuration in which neither GTP version, EPC interface, or APN is specified in the map, continues to be supported. If the incoming IMSI matches an IMSI in the forward list, the session will be sent to the tool port, GigaStream, or load balancing group specified in the forward list map.
Whitelist maps cannot contain any other rules such as GigaSMART rules (gsrule), flow filtering rules (flowrule), or flow sampling rules (flowsample).
GTP whitelist-based forwarding is performed prior to GTP flow sampling (rule-based flow sampling) and GTP flow filtering.
Note: For GTP second level maps, a maximum of fifteen maps can be attached to a vport. For example, for the same vport you can have five whitelist maps and ten flow sampling maps, or ten whitelist maps, four flow sampling maps, and one flow filtering map. In addition, you can have a collector map, which is not counted.
For the steps to create a whitelist map with the UI, refer to the configuration example for forward listing in GigaSMART GTP Whitelisting and GTP Flow Sampling.
Use the Priority field in the map to change the priority of whitelist maps.
When a forward list map is deleted, the priority of the remaining whitelist maps will be re-prioritized. For example, if the first forward list map is deleted, the second forward list map will increase in priority.
For the deleted forward list map, the traffic associated with the rules in the map will be reevaluated and then passed to subsequent maps.
When a forward list map is re-prioritized, the existing sessions will be reevaluated according to the new priority of the map. The traffic associated with the rules in the map will be reevaluated and then passed to subsequent maps.
When the last forward list map is deleted, the traffic associated with the rules in the map will also be reevaluated before being passed to subsequent maps. But the traffic associated with the rules in maps that were not matched, will not be reevaluated because that traffic was already passed to subsequent maps.
When a single forward list entry is added, forward listing is applied for new as well as existing subscribers. When a new whitelist file is fetched, forward listing is applied only for new subscribers.
Forward listed traffic is then sent to the port or load balancing group specified in the whitelist map.
Entries in the forward list can be deleted one at a time. Each entry is a single IMSI.
When a forward list entry is deleted, the session associated with the forward list entry stays active and traffic is still sent to the whitelist map. The forward list session will not be reevaluated or passed to subsequent maps.
To delete a single entry from the forward list, select Individual Entry Operation, set Remove as the Operation Type, and enter the IMSI in the Individual IMSI Entry field.
Multiple IMSIs can be deleted from the forward list. Specify the IMSIs to be deleted in a whitelist file, which can contain up to 20,000 IMSIs.
Whitelist files must have a filename with a .txt suffix. To remove multiple entries from the forward list, select Bulk Entry Operation and set Remove as the Operation Type.
The entire forward list can be deleted using one of the following options:
Delete the forward list by deleting all the IMSI entries. With this option, you do not have to delete the forward list map, GigaSMART operation, or disassociate the GigaSMART group from the forward list. To delete all the IMSI entries, select Delete All. |
Destroy the forward list. With this option, you must first delete the forward list map, GigaSMART operation, and disassociate the GigaSMART group from the forward list before deleting the forward list. |
Alternatively ,select the forward list and click on edit option then select the 'Clear' radio button, to remove existing forward list. |
To destroy a forward list, use the following sequence:
Task |
UI Steps |
||||||||||||
Delete the forward list map |
|
||||||||||||
Delete the GigaSMART Operation |
|
||||||||||||
Disassociate the GigaSMART group from the forward list. (You do not need to delete the GigaSMART group.) |
|
||||||||||||
Destroy (delete) the forward list. |
|
The forward list(all whitelist files) must reside on the leader of the cluster. The member nodes receive a copy of the forward list from the leader. Updates to the forward list are synchronized from the leader to the member nodes. If a member node leaves the cluster and rejoins, its forward list will be resynchronized.
If there are GigaVUE TA Series nodes in the cluster, they will not receive a copy of the forward list.
GTP Flow Sampling
GTP flow sampling samples a configured percentage of GTP sessions. GTP flow sampling uses map rules to select subscribers and then forward a percentage of the packets to tool ports.
Pass rules are defined in flow sampling maps. Each rule contains some combination of IMSI, IMEI, and MSISDN numbers or patterns, Evolved Packet Core (EPC) interface type, GTP version, Access Point Name (APN), or QoS Class Identifier (QCI), as well as a percentage to sample. The flow is sampled to see if it matches a rule. The percentage of the subscriber sessions matching each rule are selected.
Map rules specify the type of traffic to be flow sampled by that map. For each new session, map rules are evaluated in top-down order of decreasing priority. If there is a match, the indicated percentage of the subscriber session is either accepted or rejected. If accepted, the traffic is sent to the tool port or load balancing group specified in the map. If rejected, the traffic is dropped. If there is not a match to a rule, the traffic is passed to subsequent maps.
Starting in software version 4.6, GTP load balancing in a cluster is supported for GTP flow sampling. For an example of GTP load balancing in a cluster, refer to GigaSMART GTP Whitelisting and GTP Flow Sampling.
Flow sampling rules are configured in maps called flow sampling maps. Up to ten (10) flow sampling maps per GigaSMART group are supported. Each flow sampling map supports up to 20 flow sampling rules, for a maximum of 200 rules per GigaSMART group.
GTP flow sampling (rule-based flow sampling) is performed after GTP forward list-based forwarding but before GTP flow filtering. So, flow sampling maps have a priority lower than whitelist maps and higher than flow filtering maps.
Note: For GTP second level maps, a maximum of fifteen maps can be attached to a vport. For example, for the same vport you can have one forward list map and ten flow sampling maps, or ten forward list map, four flow sampling maps, and one flow filtering map. In addition, you can have a collector map, which is not counted.
In the flow sampling maps, the rules in the first map have a higher priority than the rules in the second, third, and subsequent maps. Within any single map, rules are evaluated in order.
Rules can be added to, deleted from, or inserted into a flow sampling map when the subtype selected for a Second Level map is Flow Sample. Suffix wildcarding, such as IMSI 100*, is supported in the flow sampling map rules.
Use the Add a Rule button in the Maps page to add a new flow sampling rule (a pass rule). Specify IMSI, IMEI, or MSISDN subscriber IDs, as well as the percentage of the flow to be sampled. The percentage is a range from 1 to 100%. Use 0% to drop sampled data.
A rule can specify other packet attributes, such as an EPC interface type or GTP version. An APN pattern can also be specified in a rule, either by itself or preceding the EPC interface or GTP version. A QCI value can be specified, but only in combination with an APN pattern.
EPC interface and GTP version are mutually exclusive. They can be specified in a flow sampling rule, but not both in a single rule. The supported interface types for filtering are: Gn/Gp, S11/S1-U, S5/S8, S10, or S2B. The supported versions for filtering are 1 or 2. For example, you can send version 1 traffic to one tool port and version 2 traffic to another tool port. For more information on interfaces, refer to Supported Interfaces.
For APN, specify a pattern (a name) to match, for example, three.co.uk. Wildcard prefixes and suffixes are supported, for example, *mobile.com or *ims*. The pattern can be specified in up to 100 case-insensitive alphanumeric characters and can include the following special characters: period (.), hyphen (-), and wildcard (*).
QCI is a mechanism used in Long Term Evolution (LF TE) networks to ensure bearer traffic is allocated to the appropriate Quality of Service (QoS). For QCI, specify a value from 0 to 255. Wildcard prefixes and suffixes are not supported.
Use APN and QCI to send traffic that matches a certain APN pattern or that belongs to a certain bearer with a certain QCI to specified tool ports, based on the sampling percentage.
Click the x next to a rule to delete a specific rule. Rules are identified by a priority ID, which indicates the order of rules in a flow sampling map. For example, if a map has 12 pass flow sampling rules, there will be 12 priority IDs.
When creating Flow Sampling rules on the Maps page, the first rule created has the highest priority and the priority of subsequent rules is in the order that they are added. To change the priority of a Flow Sampling rule in a new map, do the following:
1. | Save the rule. |
2. | Select the map and click Edit. |
3. | Enter a priority in the Priority field of each rule to order the rules in the map. (For details about map priority, refer to Map Priority) |
Note: A flow sampling map can contain only flowsampling rules. A flow sampling map cannot contain other GigaSMART rules (gsrule) or flow filtering rules (flowrule).
For configuration examples for flow sampling, refer to GigaSMART GTP Whitelisting and GTP Flow Sampling.
Flow sampling is applied for new subscribers. When a new rule is added to the rules in a flow sampling map, traffic will be sent to the port or load balancing group specified in the map.G
When a rule is deleted from a flow sampling map, the session associated with the rule stays active. The traffic associated with the rule will not be reevaluated by subsequent maps.
Use the Priority field in the GTP map rule to set the priority of flow sampling maps.
When a flow sampling map is deleted, the priority of the remaining flow sampling maps will be re-prioritized. For example, if the first flow sampling map is deleted, the second flow sampling map will increase in priority.
For the deleted flow sampling map, the traffic associated with the rules in the map will be reevaluated and then passed to subsequent maps.
When a flow sampling map is re-prioritized, the existing sessions will be reevaluated according to the new priority of the map. The traffic associated with the rules in the map will be reevaluated and then passed to subsequent maps.
When the last flow sampling map is deleted, the traffic associated with the rules in the map will also be reevaluated before being passed to subsequent maps. But the traffic associated with the rules in maps that were not matched, will not be reevaluated because that traffic was already passed to subsequent maps.
The flow-ops report displays the flow sampling rule ID for sessions that have been accepted or rejected by the flow sampling map.
However, since rule IDs are not unique across maps, when there are multiple flow sampling maps, the flow-ops report is unable to identify the exact rule that the session matched. For example, with multiple flow sampling maps, each map can have a rule ID of 1. The rule ID will be identified in the flow-ops report, but not the map associated with it.
The sampling Percentage field in a map for GTP flow sampling, represents the percentage of subscribers that will be sampled (not the sessions).
The GTP correlation engine tracks all of the subscribers and all of their sessions that it sees on the network. In this example, for those subscribers with an IMSI starting with the value 46*, the GTP correlation engine keeps a list of them and randomly selects 80% of those subscribers and sets them to be in the sample, which means that a tool port (or load balanced group) will see 100% of the packets for 100% of the sessions for those randomly selected 80% of subscribers.
For the other 20% of subscribers, the GTP correlation engine continuously tracks those subscribers through the network, but does not send any packets to the tool port (or load balanced group).
Refer to the GTP flow sampling configuration examples in GigaSMART GTP Whitelisting and GTP Flow Sampling.
When a session matches one of the configured flow sampling rules, it is either accepted for sampling or rejected.
If it is accepted, all packets belonging to that GTP session are sent to the tool port or ports specified in the flow sampling maps. If a subscriber is in the sample, then both the control plane packets and the user-data plane packets are sent to the tools.
If it is rejected, all packets belonging to the session are dropped. If the subscriber is not in the sample, then neither the control plane packets nor the user-data plane packets are sent to the tools.
Control plane (GTP-c) and user-data plane (GTP-u) traffic are treated the same. For a matching session, all the control plane and user-data plane traffic will be accepted. Otherwise, all the control plane and user-data plane traffic will be rejected and dropped. Instead, to enable or disable GTP control plane traffic sampling, refer to Enable or Disable GTP Control Plane Traffic Sampling.
GTP control plane (GTP-c) traffic is typically a small percentage of total GTP traffic, but it contains useful information for analytics. Therefore, it is not always expedient to drop control plane traffic for sampled sessions.
Subscriber traffic by IMSI can be sampled such that network traffic for a subset of mobile subscribers can be selected to be sent to network monitoring tools. In some cases, network monitoring tools will want to see GTP control plane and GTP user plane traffic for a percentage of the subscribers. In other cases, network monitoring tools will want to see all of the GTP control plane traffic, but see only the GTP user plane traffic for the sampled percentage of subscribers.
Starting in software version 4.5, all control plane traffic for all subscribers will be sent to tools if GTP control plane traffic sampling is disabled. When disabled, 100% of the control traffic that matches any of the flow sampling rules will be sent to the tool ports specified in the flow sampling maps. Control traffic for both accepted and rejected sessions will be sent to the tool ports.
When GTP control plane traffic sampling is enabled, GTP-c packets will be sampled and only the indicated percentage of the control traffic that matches any of the flow sampling rules will be sent to the tool ports specified in the flow sampling maps, as described in GTP Flow Sampling Percentage.
The default is enable.
To disable sampling of GTP-c traffic, which enables 100% of control plane traffic, select GigaSMART > GigaSMART Groups > GigaSMART Groups. Under GigaSMART Parameters, go to GTP Sampling and make sure that GTP Control Sampling is not selected.
To enable sampling of GTP-c traffic, which enables 100% of control plane traffic, select GigaSMART > GigaSMART Groups > GigaSMART Groups. Under GigaSMART Parameters, go to GTP Sampling and make sure that GTP Control Sampling is selected. This setting applies to all the flow sampling maps for a GigaSMART group.
GTP Subscriber Aware Random Sampling
GTP Subscriber Aware Random Sampling allows to randomly sample all the subscriber’s IMSI on a rotational basis. Based on the configured sampling percentage, the selected sessions are either sampled in or out. The correlation engine takes the configurable interval as an input to rotate the random selection of each of the subscriber’s sessions.
The configurable interval is a minimum of 12 hours and a maximum of 48 hours. Each GigaSMART node must be synchronized with an NTP/PTP server, as UTC time is involved in the random selection of the subscriber’s sessions.
Note: This feature is effective for a new subscriber’s sessions after enabling the random sampling.
The Map rules in the GTP random sampling are similar to GTP Flow Sampling. For more information refer to GigaSMART GTP Whitelisting and GTP Flow Sampling.
To enable GTP Random Sampling do the following:
1. | From the left navigation pane, go to System > GigaSMART > GigaSMART Groups. |
2. | Select a GigaSMART Group and click Edit. |
3. | Under GigaSMART Parameters, go to GTP and select GTP Random Sampling check box. |
4. | Enter the time in Rotation Interval in multiples of 12 hours. |
5. | Click OK. |
To display GTP statistics, select GigaSMART > GigaSMART Operations (GSOP) > Statistics.
Refer to Flow Ops Report Statistics Definitions for GTP on page 635 for descriptions of these statistics.