GGSN Pooling Support for Firewalls

The GGSN Pooling Support for Firewalls feature enhances the General Packet Radio Switching (GPRS)
Tunneling Protocol (GTP) feature by adding load balancing support. GTP supports the inspection of control
traffic that is designated to a single Gateway GPRS Support Node (GGSN). To provide efficiency and
scalability to Global System for Mobile Communication (GSM) networks, load balancing is added to the
topology. The load balancer dispatches requests from the Serving GPRS Support Node (SGSN) to various
GGSNs in the pool.
This module describes how to configure the GGSN Pooling Support for Firewalls feature.

• Finding Feature Information, page 1

• Information About GGSN Pooling Support for Firewalls, page 2
• How to Configure GGSN Pooling Support for Firewalls, page 5
• Configuration Examples for GGSN Pooling Support for Firewalls, page 15
• Additional References for Firewall Stateful Interchassis Redundancy, page 16
• Feature Information for GGSN Pooling Support for Firewalls , page 16

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

1
 GGSN Pooling Support for Firewalls
Information About GGSN Pooling Support for Firewalls

Information About GGSN Pooling Support for Firewalls

GPRS Overview
General Packet Radio Service (GPRS) provides uninterrupted connectivity for mobile subscribers between
Global System for Mobile Communication (GSM) networks and corporate networks or the Internet. The
Gateway GPRS Support Node (GGSN) is the interface between the GPRS wireless data network and other
networks. The Serving GPRS Support Node (SGSN) performs mobility, data session management, and data
compression.
The GPRS core network architecture has a mobile station (MS) that is logically connected to an SGSN. The
main function of an SGSN is to provide data support services to an MS. An SGSN is logically connected to
a GGSN by using GTP. If the connection is within the same operator’s Public Land Mobile Network (PLMN),
the connection is called the Gn interface. If the connection is between two different PLMNs, the connection
is known as the Gp interface. A GGSN provides a data gateway to external networks, such as the Internet or
the corporate network, through an interface called the Gi interface. GTP is used to encapsulate data from an
MS. GTP also includes mechanisms for establishing, moving, and deleting tunnels between SGSN and GGSN
in roaming scenarios.

Figure 1: GPRS Core Network

The Universal Mobile Telecommunications System (UMTS) is the commercial convergence of fixed-line
telephony, mobile, Internet, and computer technology. UMTS Terrestrial Radio Access Network (UTRAN)
is the networking protocol used for implementing wireless networks in this system. GTP allows multiprotocol
packets to be tunneled through a UMTS/GPRS backbone between a GGSN, an SGSN, and the UTRAN.
The Gp and Gi interfaces are the primary points of interconnection between an operator’s network and untrusted
external networks. Operators must take care to protect their networks from attacks that originate on these
external networks.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

2
 GGSN Pooling Support for Firewalls
GTP Overview

The Gp interface is the logical connection that supports mobile (roaming) data users between PLMNs. GTP
establishes a connection between a local SGSN and a user’s home GGSN.
Data that originates from the MS is sent to the Gi interface. It is also the interface that is exposed to public
data networks and networks of corporate customers.
The traffic sent out from a GGSN or arriving for an MS at the Gi interface can virtually be of any kind since
the application being used by the MS is unknown.
GTP allows multiprotocol packets to be tunneled through the GPRS backbone between GPRS Support Nodes
(GSNs). GTP provides a tunnel control and management protocol that allows an SGSN to provide GPRS
network access for an MS by creating, modifying, and deleting tunnels. GTP uses a tunneling mechanism to
provide a service for carrying user data packets.

Note When using GTP with failover, if a GTP connection is established and the active unit fails before data is
transmitted over the tunnel, the GTP data connection (with a “j” flag set) is not replicated to the standby
unit. This occurs because the active unit does not replicate embryonic connections to the standby unit.

GTP Overview
General Packet Radio Service (GPRS) Tunneling Protocol (GTP) allows multiprotocol packets to be tunneled
through the GPRS backbone between GPRS Support Nodes (GSN). Three GTP versions are available. The
GPRS Tunneling Support feature supports two GTP versions: GTP Version 0 (GTPv0) and GTP Version 1
(GTPv1).
In GTPv0, a GPRS Mobile Station (MS) is connected to a Serving GPRS Support Node (SGSN) without
being aware of the protocol. A Packet Data Protocol (PDP) context is identified by the Tunnel Identifier (TID),
which is a combination of the International Mobile Subscriber Identity (IMSI) and the Network Service Access
Point Identifier (NSAPI). Each MS can have up to 15 NSAPIs. This allows an MS to create multiple PDP
contexts with different NSAPIs, based on the application requirements for various quality of service (QoS)
levels. The TID is carried in the GTPv0 header.
An IMSI has the following three parts:
• Mobile Country Code (MCC) that consists of three digits. The MCC uniquely identifies the country of
domicile of a mobile subscriber.
• Mobile Network Code (MNC) that consists of two or three digits for GSM applications. The MNC
identifies the home GSM Public Land Mobile Network (PLMN) of the mobile subscriber. The length
of the MNC depends on the value of the MCC.

Note A combination of two- and three-digit MNC codes within a single MCC area is not
recommended.

• Mobile Subscriber Identification Number (MSIN) that identifies a mobile subscriber within a GSM
PLMN. The National Mobile Subscriber Identity (NMSI) consists of the MNC and the MSIN.

GTPv1 introduces the concept of primary and secondary contexts for an MS. A primary context is associated
with an IP address and indicates other parameters like the Access Point Name (APN) to be attached to the
receiving GSN. Secondary contexts created for this primary PDP context share the IP address and other

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

3
 GGSN Pooling Support for Firewalls
GGSN Pooling Support

parameters that are already associated with the primary context. This allows an MS to initiate another context
with a different quality of service (QoS) requirement and also share the IP address already obtained for the
primary context. Primary and secondary contexts share the Tunnel Endpoint ID (TEID) on the control plane
and have different TEID values in the data plane. Since all primary and associated secondary contexts share
the IP address, Traffic Flow Templates (TFT) are used to classify traffic in the downlink direction towards
the MS. TFTs are exchanged during context creation.
Only the create PDP context request for the primary PDP contains an IMSI. The IMSI and NSAPI together
uniquely identify a PDP context. A secondary PDP context activation contains a Linked NSAPI (LNSAPI)
indicating the NSAPI that is assigned to any one of the already activated PDP contexts for this PDP address
and APN.

Note UDP is the only supported, defined path protocol for signaling messages for GTPv0 and GTPv1.

GGSN Pooling Support

A Gateway GPRS Support Node (GGSN) supports firewall load balancing by using the Server Load Balancing
(SLB) feature. SLB balances traffic flows across a group of firewalls called a firewall farm. In this cluster or
pool, clients can connect to the IP address of a virtual server. When a client initiates a connection to the virtual
server, SLB chooses a real server for the connection, based on a configured load-balancing algorithm.
While configuring GTP load balancing, a pool of GGSNs is configured as a GGSN farm in SLB. You can
use these GGSNs to load balance GPRS Tunneling Protocol (GTP) sessions. A virtual server instance is
configured in the SLB to load balance GTP sessions across the GGSN farm.
To support GGSN pooling, a device must allow load balancing GSNs to respond to Packet Data Protocol
(PDP) requests, even if the GSN is different from the one specified as SLB IP address in the GTP packet.
In GGSN pooling, when a subscriber who is using a roaming connection sends a PDP request from a Serving
GPRS Support Node (SGSN) to the GGSN that resides behind the SLB, the firewall should accept the PDP
request. As pinholes are not created for unknown GGSNs, the firewall drops PDP responses. To avoid PDP
responses from getting dropped by the firewall, you need to configure an access control list (ACL). A firewall
pinhole is a port that is opened through the firewall to allow an application to gain controlled access to a
protected network.
A global session database records all pending PDP request contexts when a PDP request is received from an
SGSN. When a PDP request is received from an SGSN, a session lookup is performed to match the context,
and the response is dropped if no match is found. Packet data is transferred by establishing a PDP context,
which is effectively a data session.

GTP Traffic Through Firewall

The main General Packet Radio Service (GPRS) Tunneling Protocol (GTP) traffic that a device inspects is
the roaming traffic. Roaming traffic is caused when a Mobile Station (MS) moves from its Home Public Land
Mobile Network (HPLMN) to a Visited PLMN (VPLMN).
The GTP traffic through the firewall includes the following messages:
• Serving GPRS Support Node (SGSN) to Gateway GPRS Support Node (GGSN) GTP messages
• GGSN-to-SGSN GTP messages

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

4
 GGSN Pooling Support for Firewalls
How to Configure GGSN Pooling Support for Firewalls

• SGSN-to-SGSN GTP messages

How to Configure GGSN Pooling Support for Firewalls

Configuring Access Control Lists and Class Maps for GGSN Pooling
SUMMARY STEPS

1. enable
2. configure terminal
3. access-list access-list-number permit protocol source source-wildcard any
4. access-list access-list-number permit protocol any destination destination-wildcard
5. access-list access-list-number permit protocol source source-wildcard any
6. class-map type inspect gtpv1 match-any class-map-name
7. match mcc country-code mnc network-code
8. match mcc country-code mnc network-code
9. exit
10. class-map type inspect gtpv1 match-any class-map-name
11. match mcc country-code mnc network-code
12. match mcc country-code mnc network-code
13. exit
14. class-map type inspect gtpv1 match-all class-map-name
15. match protocol protocol-name
16. match access-group access-list-number
17. exit
18. class-map type inspect gtpv1 match-all class-map-name
19. match protocol protocol-name
20. match access-group access-list-number
21. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

5
 GGSN Pooling Support for Firewalls
Configuring Access Control Lists and Class Maps for GGSN Pooling

Command or Action Purpose

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 access-list access-list-number permit protocol source Defines an extended IP access list.
source-wildcard any
• Access list 101 that is configured in this example permits
traffic from a GGSN or SGSN to any destination.
Example:
Device(config)# access-list 101 permit ip
10.2.2.0 255.255.255.0 any

Step 4 access-list access-list-number permit protocol any Defines an extended IP access list.
destination destination-wildcard
• Access list 102 that is configured in this example permits
traffic from any source to a GGSN or SGSN.
Example:
Device(config)# access-list 102 permit ip any
10.2.2.0 255.255.255.0

Step 5 access-list access-list-number permit protocol source Defines an extended IP access list.
source-wildcard any
• Access list 103 that is configured in this example permits
traffic from a GGSN or SGSN to any destination.
Example:
Device(config)# access-list 103 permit ip
10.2.2.0 255.255.255.0 any

Step 6 class-map type inspect gtpv1 match-any Creates an application-specific inspect type class map and
class-map-name specifies that packets must meet any one of the specified match
criteria to be considered a member of the class, and enters QoS
Example: class-map configuration mode.
Device(config)# class-map type inspect gtpv1
match-any gtp-cl7-rev

Step 7 match mcc country-code mnc network-code Configures filtering for a valid Mobile Country Code (MCC)
and a Mobile Network Code (MNC).
Example: • In this example you configure filtering of roaming
Device(config-cmap)# match mcc 1 mnc 1
connections to a foreign MCC and MNC.

Step 8 match mcc country-code mnc network-code Configures filtering for a valid MCC and an MNC.
• In this example you configure filtering of roaming
Example: connections to a local MCC and MNC.
Device(config-cmap)# match mcc 2 mnc 1

Step 9 exit Exits QoS class-map configuration mode and enters global
configuration mode.
Example:
Device(config-cmap)# exit

Step 10 class-map type inspect gtpv1 match-any Creates an application-specific inspect type class map and
class-map-name specifies that packets must meet any one of the specified match

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

6
 GGSN Pooling Support for Firewalls
Configuring Access Control Lists and Class Maps for GGSN Pooling

Command or Action Purpose

criteria to be considered a member of the class, and enters QoS
Example: class-map configuration mode.
Device(config)# class-map type inspect gtpv1
match-any gtp-cl7

Step 11 match mcc country-code mnc network-code Configures filtering for a valid MCC and an MNC.

Example:
Device(config-cmap)# match mcc 2 mnc 1

Step 12 match mcc country-code mnc network-code Configures filtering for a valid MCC and an MNC.

Example:
Device(config-cmap)# match mcc 1 mnc 1

Step 13 exit Exits QoS class-map configuration mode and enters global
configuration mode.
Example:
Device(config-cmap)# exit

Step 14 class-map type inspect gtpv1 match-all Creates an application-specific inspect type class map and
class-map-name specifies that packets must meet all specified match criteria to
be considered a member of the class, and enters QoS class-map
Example: configuration mode.
Device(config)# class-map type inspect gtpv1
match-all gtp-l4c

Step 15 match protocol protocol-name Configures a match criterion for a class map on the basis of
the specified protocol.
Example:
Device(config-cmap)# match protocol gtpv1

Step 16 match access-group access-list-number Configures a match criterion for a class map on the basis of
the specified ACL.
Example:
Device(config-cmap)# match access-group 101

Step 17 exit Exits QoS class-map configuration mode and enters global
configuration mode.
Example:
Device(config-cmap)# exit

Step 18 class-map type inspect gtpv1 match-all Creates an application-specific inspect type class map and
class-map-name specifies that packets must meet all specified match criteria to
be considered a member of the class, and enters QoS class-map
Example: configuration mode.
Device(config)# class-map type inspect gtpv1
match-all gtp-l4c-rev

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

7
 GGSN Pooling Support for Firewalls
Configuring Access Control Lists and Class Maps for GGSN Pooling

Command or Action Purpose

Step 19 match protocol protocol-name Configures a match criterion for a class map on the basis of
the specified protocol.
Example:
Device(config-cmap)# match protocol gtpv1

Step 20 match access-group access-list-number Configures a match criterion for a class map on the basis of
the specified ACL.
Example:
Device(config-cmap)# match access-group 102

Step 21 end Exits QoS class-map configuration mode and enters privileged
EXEC mode.
Example:
Device(config-cmap)# end

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

8
 GGSN Pooling Support for Firewalls
Configuring Policy Maps for GGSN Pooling

Configuring Policy Maps for GGSN Pooling

SUMMARY STEPS

1. enable
2. configure terminal
3. policy-map type inspect gtpv1 gtpv1-policy
4. class type inspect gtpv1 class-map-name
5. log
6. exit
7. class class-default
8. exit
9. policy-map type inspect gtpv1 gtpv1-policy
10. class type inspect gtpv1 class-map-name
11. log
12. exit
13. class class-default
14. exit
15. policy-map type inspect gtpv1 gtpv1-policy
16. class type inspect gtpv1 class-map-name
17. inspect
18. service-policy policy-map-name
19. exit
20. class class-default
21. exit
22. policy-map type inspect gtpv1 gtpv1-policy
23. class type inspect gtpv1 class-map-name
24. inspect
25. service-policy policy-map-name
26. exit
27. class class-default
28. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

9
 GGSN Pooling Support for Firewalls
Configuring Policy Maps for GGSN Pooling

Command or Action Purpose

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 policy-map type inspect gtpv1 gtpv1-policy Creates a protocol-specific inspect-type policy map and enters
QoS policy-map configuration mode.
Example:
Device(config)# policy-map type inspect gtpv1
gtp-l7p-rev

Step 4 class type inspect gtpv1 class-map-name Specifies a traffic class on which an action is to be performed
and enters QoS policy-map class configuration mode.
Example:
Device(config-pmap)# class type inspect gtpv1
gtp-cl7-rev

Step 5 log Generates a log of messages.

Example:
Device(config-pmap-c)# log

Step 6 exit Exits QoS policy-map class configuration mode and enters
QoS policy-map configuration mode.
Example:
Device(config-pmap-c)# exit

Step 7 class class-default Specifies the default class so that you can configure or modify
its policy.
Example:
Device(config-pmap)# class class-default

Step 8 exit Exits QoS policy-map configuration mode and enters global
configuration mode.
Example:
Device(config-pmap)# exit

Step 9 policy-map type inspect gtpv1 gtpv1-policy Creates a protocol-specific inspect-type policy map and enters
QoS policy-map configuration mode.
Example:
Device(config)# policy-map type inspect gtpv1
gtp-l7p

Step 10 class type inspect gtpv1 class-map-name Specifies a traffic class on which an action is to be performed
and enters QoS policy-map class configuration mode.
Example:
Device(config-pmap)# class type inspect gtpv1
gtp-cl7

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

10
 GGSN Pooling Support for Firewalls
Configuring Policy Maps for GGSN Pooling

Command or Action Purpose

Step 11 log Generates a log of messages.

Example:
Device(config-pmap-c)# log

Step 12 exit Exits QoS policy-map class configuration mode and enters
QoS policy-map configuration mode.
Example:
Device(config-pmap-c)# exit

Step 13 class class-default Specifies the default class so that you can configure or modify
its policy.
Example:
Device(config-pmap)# class class-default

Step 14 exit Exits QoS policy-map configuration mode and enters global
configuration mode.
Example:
Device(config-pmap)# exit

Step 15 policy-map type inspect gtpv1 gtpv1-policy Creates a protocol-specific inspect-type policy map and enters
QoS policy-map configuration mode.
Example:
Device(config)# policy-map type inspect gtpv1
gtp-l4p-rev

Step 16 class type inspect gtpv1 class-map-name Specifies a traffic class on which an action is to be performed
and enters QoS policy-map class configuration mode.
Example:
Device(config-pmap)# class type inspect gtpv1
gtp-l4c-rev

Step 17 inspect Enables stateful packet inspection.

Example:
Device(config-pmap-c)# inspect

Step 18 service-policy policy-map-name Uses a service policy as a QoS policy within a policy map
(called a hierarchical service policy).
Example:
Device(config-pmap-c)# service-policy
gtp-l7p-rev

Step 19 exit Exits QoS policy-map class configuration mode and enters
QoS policy-map configuration mode.
Example:
Device(config-pmap-c)# exit

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

11
 GGSN Pooling Support for Firewalls
Configuring Policy Maps for GGSN Pooling

Command or Action Purpose

Step 20 class class-default Specifies the default class so that you can configure or modify
its policy.
Example:
Device(config-pmap)# class class-default

Step 21 exit Exits QoS policy-map configuration mode and enters global
configuration mode.
Example:
Device(config-pmap)# exit

Step 22 policy-map type inspect gtpv1 gtpv1-policy Creates a protocol-specific inspect-type policy map and enters
QoS policy-map configuration mode.
Example:
Device(config)# policy-map type inspect gtpv1
gtp-l4p

Step 23 class type inspect gtpv1 class-map-name Specifies a traffic class on which an action is to be performed
and enters QoS policy-map class configuration mode.
Example:
Device(config-pmap)# class type inspect gtpv1
gtp-l4c

Step 24 inspect Enables stateful packet inspection.

Example:
Device(config-pmap-c)# inspect

Step 25 service-policy policy-map-name Uses a service policy as a QoS policy within a policy map
(called a hierarchical service policy).
Example:
Device(config-pmap-c)# service-policy gtp-l7p

Step 26 exit Exits QoS policy-map class configuration mode and enters
QoS policy-map configuration mode.
Example:
Device(config-pmap)# exit

Step 27 class class-default Specifies the default class so that you can configure or modify
its policy.
Example:
Device(config-pmap)# class class-default

Step 28 end Exit QoS policy-map class configuration mode and enters
privileged EXEC mode.
Example:
Device(config-pmap-c)# end

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

12
 GGSN Pooling Support for Firewalls
Configuring Zones and Zone Pairs for GGSN Pooling Support

Configuring Zones and Zone Pairs for GGSN Pooling Support

SUMMARY STEPS

1. enable
2. configure terminal
3. zone security security-zone
4. exit
5. zone security security-zone
6. exit
7. zone-pair security zone-pair-name source source-zone destination destination-zone
8. service-policy type inspect policy-map-name
9. exit
10. zone-pair security zone-pair-name source source-zone destination destination-zone
11. service-policy type inspect policy-map-name
12. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device(config)# configure terminal

Step 3 zone security security-zone Creates a security zone to which interfaces can be assigned
and enters security zone configuration mode.
Example: • Your configuration must have two security zones to
Device(config)# zone security roam-in
create a zone pair: a source and a destination zone.
• In a zone pair, you can use the default zone as either
the source or the destination zone.

Step 4 exit Exits security zone configuration mode and enters global
configuration mode.
Example:
Device(config-sec-zone)# exit

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

13
 GGSN Pooling Support for Firewalls
Configuring Zones and Zone Pairs for GGSN Pooling Support

Command or Action Purpose

Step 5 zone security security-zone Creates a security zone to which interfaces can be assigned
and enters security zone configuration mode.
Example:
Device(config-sec-zone)# zone security
roam-out

Step 6 exit Exits security zone configuration mode and enters global
configuration mode.
Example:
Device(config-sec-zone)# exit

Step 7 zone-pair security zone-pair-name source source-zone Creates a pair of security zones and enters security zone-pair
destination destination-zone configuration mode.
• To apply a policy, you must configure a zone pair.
Example:
Device(config)# zone-pair security in2out
source roam-in destination roam-out

Step 8 service-policy type inspect policy-map-name Attaches a firewall policy map to the destination zone pair.

Example:
Device(config-sec-zone-pair)# service-policy
type inspect gtp-l4p

Step 9 exit Exits security zone-pair configuration mode and enters global
configuration mode.
Example:
Device(config-sec-zone-pair)# exit

Step 10 zone-pair security zone-pair-name source source-zone Creates a pair of security zones and enters security zone-pair
destination destination-zone configuration mode.

Example:
Device(config)# zone-pair security out2in
source roam-out destination roam-in

Step 11 service-policy type inspect policy-map-name Attaches a firewall policy map to the destination zone pair.

Example:
Device(config-sec-zone-pair)# service-policy
type inspect gtp-l4p-rev

Step 12 end Exits security zone-pair configuration mode and enters

privileged EXEC mode.
Example:
Device(config-sec-zone)# end

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

14
 GGSN Pooling Support for Firewalls
Configuration Examples for GGSN Pooling Support for Firewalls

Configuration Examples for GGSN Pooling Support for Firewalls

Example: Configuring Access Control Lists and Class Maps for GGSN Pooling
Device# configure terminal
Device(config)# access-list 101 permit ip 10.2.2.0 255.255.255.0 any
Device(config)# access-list 102 permit ip any 10.2.2.0 255.255.255.0
Device(config)# access-list 103 permit ip 10.2.2.0 255.255.255.0 any
Device(config)# class-map type inspect gtpv1 match-any gtp-cl7-rev
Device(config-cmap)# match mcc 1 mnc 1
Device(config-cmap)# match mcc 2 mnc 1
Device(config-cmap)# exit
Device(config)# class-map type inspect gtpv1 match-any gtp-cl7
Device(config-cmap)# match mcc 2 mnc 1
Device(config-cmap)# match mcc 1 mnc 1
Device(config-cmap)# exit
Device(config)# class-map type inspect gtpv1 match-all gtp-l4c
Device(config-cmap)# match protocol gtpv1
Device(config-cmap)# match access-group 101
Device(config-cmap)# exit
Device(config)# class-map type inspect gtpv1 match-all gtp-l4c-rev
Device(config-cmap)# match protocol gtpv1
Device(config-cmap)# match access-group 102
Device(config-cmap)# end

Example: Configuring Policy Maps for GGSN Pooling

Device# configure terminal
Device(config)# policy-map type inspect gtpv1 gtp-l7p-rev
Device(config-pmap)# class type inspect gtpv1 gtp-cl7-rev
Device(config-pmap-c)# log
Device(config-pmap-c)# exit
Device(config-pmap)# class class-default
Device(config-pmap)# exit
Device(config)# policy-map type inspect gtpv1 gtp-l7p
Device(config-pmap)# class type inspect gtpv1 gtp-cl7
Device(config-pmap-c)# log
Device(config-pmap-c)# exit
Device(config-pmap)# class class-default
Device(config-pmap)# exit
Device(config)# policy-map type inspect gtpv1 gtp-l4p-rev
Device(config-pmap)# class type inspect gtpv1 gtp-l4c-rev
Device(config-pmap-c)# inspect
Device(config-pmap-c)# service-policy gtp-l7p-rev
Device(config-pmap-c)# exit
Device(config-pmap)# class class-default
Device(config-pmap)# exit
Device(config)# policy-map type inspect gtpv1 gtp-l4p
Device(config-pmap)# class type inspect gtpv1 gtp-l4c
Device(config-pmap-c)# inspect
Device(config-pmap-c)# service-policy gtp-l7p
Device(config-pmap)# exit
Device(config-pmap)# class class-default
Device(config-pmap-c)# end

Example: Configuring Zones and Zone Pairs for GGSN Pooling

Device(config)# configure terminal
Device(config)# zone security roam-in
Device(config-sec-zone)# exit

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

15
 GGSN Pooling Support for Firewalls
Additional References for Firewall Stateful Interchassis Redundancy

Device(config-sec-zone)# zone security roam-out

Device(config-sec-zone)# exit
Device(config)# zone-pair security in2out source roam-in destination roam-out
Device(config-sec-zone-pair)# service-policy type inspect gtp-l4p
Device(config-sec-zone-pair)# exit
Device(config)# zone-pair security out2in source roam-out destination roam-in
Device(config-sec-zone-pair)# service-policy type inspect gtp-l4p-rev
Device(config)# end

Additional References for Firewall Stateful Interchassis

Redundancy
Related Documents

Related Topic Document Title

Cisco IOS commands Master Command List, All Releases

Security commands
• Security Command Reference: Commands A to C
• Security Command Reference: Commands D to L
• Security Command Reference: Commands M to R
• Security Command Reference: Commands S to Z

Technical Assistance

Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.

Feature Information for GGSN Pooling Support for Firewalls

The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

16
GGSN Pooling Support for Firewalls
Feature Information for GGSN Pooling Support for Firewalls

Table 1: Feature Information for GGSN Pooling Support for Firewalls

Feature Name Releases Feature Information

GGSN Pooling Support Cisco IOS XE Release The GGSN Pooling Support for Firewalls feature
for Firewalls 3.7S enhances the GPRS Tunneling Protocol (GTP) feature
by adding load balancing support. GTP supports the
inspection of control traffic that is designated to a
single GGSN. To provide efficiency and scalability to
GSM networks, load balancing is added to the
topology. The load balancer dispatches requests from
the SGSN to various GGSNs in the pool.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

17
 GGSN Pooling Support for Firewalls
Feature Information for GGSN Pooling Support for Firewalls

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

18