Date post: 13-Apr-2018

eCNS600 V100R002

Feature Description

Draft A

Date 2013-04-09

HUAWEI TECHNOLOGIES CO., LTD.


Draft A (2013-04-09) Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd


Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base

Bantian, Longgang

Shenzhen 518129

People's Republic of China

Website: http://www.huawei.com

Email: [email protected]


Contents

1 Basic Features
1.1 Basic Service
1.1.1 eCNSFD-010200 Mobility Management
1.1.2 eCNSFD-010300 Security Management
1.1.3 eCNSFD-010400 Path Management
1.1.4 eCNSFD-010500 IP Address Allocation from Local Address Pool
1.1.5 eCNSFD-010600 Integrated Subscriber Data Management
1.1.6 eCNSFD-010700 Session Management
1.2 User Plane
1.2.1 eCNSFD-030100 QoS and Traffic Management
1.3 IP Network Management
1.3.1 eCNSFD-040100 Routing
1.3.2 eCNSFD-040200 NTP
1.3.3 eCNSFD-040300 VLAN Supporting
1.3.4 eCNSFD-040500 Eth-Trunk
1.3.5 eCNSFD-040600 OSPFv2
1.3.6 eCNSFD-040700 VRF
1.3.7 eCNSFD-040800 Local Routing
1.3.8 eCNSFD-040900 SGi Redirection
1.4 Reliability
1.4.1 eCNSFD-050200 Board Redundant Backup
1.5 Operation and Maintenance
1.5.1 eCNSFD-060100 Software Management
1.5.2 eCNSFD-060300 Performance Management
1.5.3 eCNSFD-060400 Fault Management
1.5.4 eCNSFD-060500 Equipment Management
1.5.5 eCNSFD-060600 Configuration Management
1.5.6 eCNSFD-060700 Security Management
1.5.7 eCNSFD-060800 Online Documentation
1.5.8 eCNSFD-060900 Tracing Function
1.5.9 eCNSFD-061000 Log Management
1.5.10 eCNSFD-061100 Daylight Saving Time
1.6 Interface Function
1.6.1 eCNSFD-070100 S1 Interface
1.6.2 eCNSFD-070200 SGi Interface
1.6.3 eCNSFD-070300 S10 Interface
1.6.4 eCNSFD-070400 S5 Interface
1.6.5 eCNSFD-070500 S8 Interface
1.6.6 eCNSFD-070600 Ga Interface
1.6.7 eCNSFD-070700 S6a Interface
1.7 Basic Platform
1.7.1 eCNSFD-080300 Linux Security Hardening
2 Optional Features
2.1 Security Management
2.1.1 eCNSFD-110001 NAS Encryption and Integrity Protection (AES)
2.1.2 eCNSFD-110002 NAS Encryption and Integrity Protection (SNOW3G)
2.1.3 eCNSFD-110003 O&M SSL
2.2 Service Management
2.2.1 eCNSFD-110004 Static IP Address Allocation
2.2.2 eCNSFD-110005 Multiple PDN Connection
2.2.3 eCNSFD-110008 SPI-based QoS Profile Control
2.2.4 eCNSFD-110009 Offline Charging
2.2.5 eCNSFD-110011 UE IP Address assigned by the Radius AAA Server
2.2.6 eCNSFD-110012 E2E Subscriber Tracing
2.3 Reliability
2.3.1 eCNSFD-110006 eCNS Redundancy
2.4 Networking
2.4.1 eCNSFD-110007 Bidirectional Forwarding Detection (BFD)
2.4.2 eCNSFD-110010 Routing Behind MS
2.4.3 eCNSFD-110013 UE Fixed IP MultiHoming


1 Basic Features

1.1 Basic Service

1.1.1 eCNSFD-010200 Mobility Management

Applicable NEs

eCNS

Availability

The EPS mobility management (EMM) was introduced in eCNS600 V100R001.

Summary

EMM controls the access of a UE to the evolved universal terrestrial radio access network (E-UTRAN) and traces location information about the UE. The location information includes information about the tracking area (TA) and the eCNS where the UE is located.

EMM is implemented in the following procedures:

Attach

Detach

Tracking area update (TAU)

Service request

Handover

Paging

Purge

Benefits

As a basic feature of the eCNS, it enables UEs to move in an enterprise's network.

Description

EMM controls the access of a UE to the E-UTRAN and traces location information about the UE.


UE states in the E-UTRAN are divided into EMM states and EPS connection management (ECM) states:

EMM states are classified into EMM-DEREGISTERED and EMM-REGISTERED.

ECM states are classified into ECM-IDLE and ECM-CONNECTED.

The main EMM procedures are described as follows:

Attach

A UE must register on the network before using network services. This registration procedure is called network attach. During the attach procedure, a default EPS bearer, which provides a permanent IP connection, is established. The policy and charging control (PCC) rules that apply to the default EPS bearer can be predefined in the PDN GW and activated by the PDN GW itself in the attach procedure.

TAU

In an EPS network, the basic unit of location management is the TA. A TA list can contain one or more TAs. A TA list can be dynamically generated or statically configured, and it prevents a UE from frequently initiating TA update procedures. For example, when a UE frequently moves between several TAs, you can define these TAs as a TA list. This prevents the TAU procedure from being triggered.

A UE initiates a TAU procedure in the following scenarios:

a) The UE detects that the current TA identity does not exist in the TA identity (TAI) list on the network where the UE is registered.

b) The access type of the UE is changed.

c) The load balancing TAU is required.

d) The TAU procedure is triggered during a handover procedure.

e) The periodic TAU timer has expired.

f) The RRC connection has failed.

Service request

A service request is used to change the ECM state from ECM-IDLE to ECM-CONNECTED and to establish radio and S1-U bearers during the transfer of uplink and downlink data.

When the UE is in ECM-IDLE mode, it initiates a service request procedure in the following scenarios:

− The downlink signaling or data needs to be transmitted from the network side.

− The uplink signaling or data needs to be transmitted from the UE side.

Generally, a service request procedure is initiated by a UE. When the downlink data or information is transferred in ECM-IDLE mode, the network initiates a paging procedure. This triggers a UE to initiate a service request procedure as the paging response.

Handover

When the UE is in the ECM-CONNECTED state, a handover procedure is triggered after the E-UTRAN determines that reselection is required.

The eCNS supports S1-based handover.

S1 refers to the interface between the eNodeB and the eCNS.

Detach


The detach procedure is used in the following scenarios:

− A UE is detached from the EPS service.

− A UE is disconnected from the last PDN connection.

− The network informs a UE that it cannot be connected to the EPS.

A UE can be detached explicitly or implicitly.

− Explicit detach: A UE or network side requests the detach, and the originating party informs the other party of this event.

− Implicit detach: A network side detaches a UE without informing the UE. For example, the network side performs implicit detach to a UE when it determines that the UE is unreachable.

The detach procedure is classified into three types:

− Detach procedure initiated by a UE

− Detach procedure initiated by an eCNS

After the detach procedure is complete, the EPS bearer contexts of the UE are deactivated locally. After a UE is detached from the network, the network cannot obtain the UE location information.

Paging function

This is the PS domain paging function. The network originates paging by using a certain ID of a subscriber, such as GUTI or IMSI, in a known area. After obtaining a response from the subscriber, the network performs the subsequent signaling flow or data transfer.

Purge

After removing the subscription data and MM context of a detached UE, the MME notifies the HSS of the removal through a purge procedure.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 23.060, "General Packet Radio Service (GPRS); Service description"

3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access"

3GPP TS 24.008, "Mobile radio interface Layer 3 specification; Core Network protocols - Stage 3"

3GPP TS 25.413, "UTRAN Iu Interface RANAP Signaling"

3GPP TS 24.301, "Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3"

3GPP TS 36.413, "Evolved Universal Terrestrial Radio Access Network (E-UTRAN); S1 Application Protocol (S1AP)"

1.1.2 eCNSFD-010300 Security Management

The security management feature can:


Identify and authenticate users.

Ensure that only legal users can access the network.

Guarantee confidentiality of user identity, user data, and signaling transfer.

The security management feature consists of the following sub-features:

Authentication

User ID confidentiality

Identity check

1.1.2.1 eCNSFD-010301 Authentication

Applicable NEs

eCNS

Availability

The EPS authentication was introduced in eCNS600 V100R001.

Summary

The authentication feature is used in subscriber identification, authentication, and synchronization of the encryption key. This feature checks the validity of a subscriber's service requests to ensure that only legal subscribers can use network services. The authentication procedure is performed in association with EMM procedures.

The authentication function has two types: authentication of the network by a UE and authentication of a UE by the network.

Benefits

As a basic feature of the eCNS, it prevents illegal users from accessing the network, and ensures service operation profits.

Subscribers who require high security can use this function to prevent their access to unacknowledged networks, and eliminate possible security risks.

Description

The EPS authentication is based on a USIM. An EPS authentication vector is composed of a quartet, namely, RAND, AUTN, XRES, and KASME.

Random Challenge (RAND)

A RAND is a random value that the network provides to a UE. The length is 16 octets.

Authentication Token (AUTN)

An AUTN is used to provide the information for a UE so that the UE can use the AUTN to authenticate the network. The length is 17 octets.

Expected Response (XRES)

An XRES is an expected response parameter of UE authentication. It is compared with the RES or RES+RES_EXT generated by a UE to determine whether the authentication is successful. The length ranges from 4 to 16 octets.


Key ASME (KASME)

A KASME is a root encryption key deduced from the CK/IK and the public land mobile network (PLMN) ID of the ASME (MME). The length is 32 octets.

Access Security Management Entity (ASME): In E-UTRAN access mode, the MME serves as an ASME.

Figure 1-1 shows the EPS authentication procedure.

Figure 1-1 EPS authentication procedure

1. The eCNS sends the Authentication Request message to the UE to trigger the authentication procedure. The authentication vectors, such as RAND, AUTN, and Key Set Identifier (KSIASME) are contained in the message.

2. The UE sends the Authentication Response message to the eCNS.

The UE authenticates the network based on the AUTN. If the authentication fails, the UE returns the Authentication Failure message to the MME, indicating the cause.

If the authentication is successful, the UE calculates the RES based on the RAND and returns the RES to the MME. The MME compares the XRES in the authentication vector set with the returned RES. If they are consistent, the authentication succeeds. Otherwise, the authentication fails. In this case, the MME sends the Authentication Reject message to the UE.

If the authentication succeeds, the UE calculates and saves the KASME value for later encryption and integrity protection.

----End

In addition to basic authentication features, the eCNS provides the feature to obtain authentication sets in advance. The eCNS can request authentication sets before all authentication sets are used up. Therefore, the duration of the procedure for the UE to access the eCNS is shortened and user experience is improved.
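
The vector handling described above, as an added example that is not Huawei's code: each vector is used once, the returned RES is length-checked and compared with XRES in constant time, and a new batch is requested before the cached set runs out. The `fetch` callable, the batch size and the low-water mark are assumptions standing in for the eCNS subscriber data source; the field lengths are those given in the text.

```python
import hmac
from collections import deque
from dataclasses import dataclass

# Field lengths in octets, as given in the text above.
RAND_LEN, AUTN_LEN, KASME_LEN = 16, 17, 32
RES_MIN, RES_MAX = 4, 16


@dataclass(frozen=True)
class AuthVector:
    rand: bytes
    autn: bytes
    xres: bytes
    kasme: bytes

    def __post_init__(self):
        # Reject malformed vectors before they reach the signaling path.
        if len(self.rand) != RAND_LEN or len(self.autn) != AUTN_LEN:
            raise ValueError("RAND or AUTN has the wrong length")
        if not RES_MIN <= len(self.xres) <= RES_MAX:
            raise ValueError("XRES length outside 4..16 octets")
        if len(self.kasme) != KASME_LEN:
            raise ValueError("KASME has the wrong length")


class VectorCache:
    """Per-subscriber store of unused vectors with early refill."""

    def __init__(self, fetch, batch=3, low_water=1):
        self._fetch = fetch          # hypothetical: fetch(imsi, count) -> list of AuthVector
        self._batch = batch          # assumed batch size
        self._low_water = low_water  # assumed refill threshold
        self._sets = {}

    def take(self, imsi):
        queue = self._sets.setdefault(imsi, deque())
        if not queue:                       # first authentication: nothing cached yet
            queue.extend(self._fetch(imsi, self._batch))
        vector = queue.popleft()            # a vector is never handed out twice
        if len(queue) <= self._low_water:   # refill before the set is used up
            queue.extend(self._fetch(imsi, self._batch))
        return vector

    def remaining(self, imsi):
        return len(self._sets.get(imsi, ()))


def verify_response(vector, res):
    """Compare the UE's RES with XRES and name the resulting outcome."""
    if not RES_MIN <= len(res) <= RES_MAX:
        return "AUTHENTICATION_REJECT"
    # compare_digest does not stop at the first differing octet.
    if hmac.compare_digest(res, vector.xres):
        return "AUTHENTICATED"
    return "AUTHENTICATION_REJECT"


def make_constructed_fetch():
    """Constructed vector source for the demo; records every request made."""
    calls = []

    def fetch(imsi, count):
        calls.append((imsi, count))
        base = len(calls) * 16
        return [AuthVector(bytes([base + i]) * RAND_LEN, bytes([base + i]) * AUTN_LEN,
                           bytes([base + i]) * 8, bytes([base + i]) * KASME_LEN)
                for i in range(count)]

    return fetch, calls


if __name__ == "__main__":
    fetch, calls = make_constructed_fetch()
    cache = VectorCache(fetch)
    imsi = "001010123456789"   # constructed test-network IMSI
    first = cache.take(imsi)
    print(verify_response(first, first.xres), cache.remaining(imsi), len(calls))
```

In a real signaling path the refill would run asynchronously; it is synchronous here only to keep the example short.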

Enhancement

None

Dependency

This feature does not depend on other features.


Standards

3GPP TS 33.102, "3G Security; Security architecture"

3GPP TS 33.401, "3GPP System Architecture Evolution (SAE); Security architecture"

1.1.2.2 eCNSFD-010302 User Identity Confidentiality

Applicable NEs

eCNS

Availability

The EPS user identity confidentiality was introduced in eCNS600 V100R001.

Summary

The EPS user identity confidentiality is implemented through GUTI allocation. The GUTI is used to provide a unique temporary UE identity in the EPS network. This identity does not reveal the permanent UE identity on the LTE-Uu interface.

Benefits

As a basic feature of the eCNS, user identity confidentiality prevents the IMSIs of UEs from being stolen, improving network security.

Description

A GUTI consists of the following parts:

GUMMEI: A GUMMEI consists of a mobile country code (MCC), a mobile network code (MNC), and an eCNS identity.

M-TMSI: A 32-bit M-TMSI uniquely identifies a UE in an eCNS.

The GUTI can be implicitly allocated in the attach or TAU procedure or explicitly allocated in the GUTI reallocation procedure.
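
An added example (not part of the Huawei document) that decodes the identity a UE presents and reports where a permanent identity was sent instead of a GUTI. It assumes the EPS mobile identity octet layout of 3GPP TS 24.301 and treats the "eCNS identity" as the TS 23.003 MME group ID plus MME code; the capture bytes are constructed.

```python
from dataclasses import dataclass

# Type-of-identity codes in the low three bits of the first octet (3GPP TS 24.301).
TYPE_IMSI, TYPE_IMEI, TYPE_GUTI = 0b001, 0b011, 0b110
FILLER = 0xF


@dataclass(frozen=True)
class Guti:
    mcc: str
    mnc: str
    mme_group_id: int   # with mme_code: the "eCNS identity" part of the GUMMEI (assumed split)
    mme_code: int
    m_tmsi: int         # 32-bit temporary identity


@dataclass(frozen=True)
class PermanentId:
    kind: str           # "IMSI" or "IMEI"
    digits: str


def bcd_digits(nibbles):
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal BCD digit")
    return "".join(str(n) for n in nibbles)


def decode_plmn(b):
    """Decode the 3-octet PLMN; a 2-digit MNC carries a filler in the MNC digit 3 slot."""
    mcc = bcd_digits([b[0] & 0x0F, b[0] >> 4, b[1] & 0x0F])
    mnc_nibbles = [b[2] & 0x0F, b[2] >> 4]
    if b[1] >> 4 != FILLER:
        mnc_nibbles.append(b[1] >> 4)
    return mcc, bcd_digits(mnc_nibbles)


def decode_identity(value):
    """Decode the value part of an EPS mobile identity (length octet already removed)."""
    if not value:
        raise ValueError("empty identity")
    id_type = value[0] & 0x07
    if id_type == TYPE_GUTI:
        if len(value) != 11 or value[0] >> 4 != 0xF:
            raise ValueError("malformed GUTI")
        mcc, mnc = decode_plmn(value[1:4])
        return Guti(mcc, mnc, int.from_bytes(value[4:6], "big"), value[6],
                    int.from_bytes(value[7:11], "big"))
    if id_type in (TYPE_IMSI, TYPE_IMEI):
        nibbles = [value[0] >> 4]
        for octet in value[1:]:
            nibbles += [octet & 0x0F, octet >> 4]
        if not value[0] & 0x08:             # even digit count: last nibble is a filler
            if nibbles.pop() != FILLER:
                raise ValueError("missing filler nibble")
        return PermanentId("IMSI" if id_type == TYPE_IMSI else "IMEI", bcd_digits(nibbles))
    raise ValueError(f"unsupported identity type {id_type}")


def permanent_identity_exposures(capture):
    """Return (label, kind) for messages that carried a permanent identity.

    The digits are deliberately left out so the report does not copy IMSIs around.
    """
    found = []
    for label, hex_value in capture:
        identity = decode_identity(bytes.fromhex(hex_value))
        if isinstance(identity, PermanentId):
            found.append((label, identity.kind))
    return found


# Constructed sample: identity values as they would appear in Attach/TAU requests.
CONSTRUCTED_CAPTURE = [
    ("attach-1", "f600f11080012adeadbeef"),   # GUTI, PLMN 001/01
    ("attach-2", "0910101032547698"),         # IMSI 001010123456789
    ("tau-1", "f61300140001070000002a"),      # GUTI, PLMN 310/410
]

if __name__ == "__main__":
    for label, hex_value in CONSTRUCTED_CAPTURE:
        print(label, decode_identity(bytes.fromhex(hex_value)))
    print(permanent_identity_exposures(CONSTRUCTED_CAPTURE))
```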

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 24.301, "Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3"

3GPP TS 24.008, "Mobile radio interface Layer 3 specification; Core Network protocols - Stage 3"


1.1.2.3 eCNSFD-010304 Identity Check

Applicable NEs

eCNS

Availability

The EPS identity check was introduced in eCNS600 V100R001.

Summary

The network requests different user identities, such as IMSI and IMEI, to check the real identity of a UE.

Benefits

This is a basic feature of the eCNS.

Description

When a UE attaches to the network using a GUTI, to obtain the real identity of the UE, the network sends the UE an Identity Request for IMSI, IMEI, or IMEISV. Then the UE returns an Identity Response to notify the network of its identity.

After obtaining the real identity of the UE, the network checks the user identity with the HLR/HSS or EIR. For details, see section 1.1.2.1 eCNSFD-010301 Authentication.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 24.301, "Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3"

3GPP TS 24.008, "Mobile radio interface Layer 3 specification; Core Network protocols - Stage 3"

1.1.3 eCNSFD-010400 Path Management

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.


Summary

The system can manage the paths by using path detection messages, and clear invalid paths.

Benefits

The communication between devices can be ensured.

Description

A GTP path is determined by a 4-tuple, namely, local IP address, local port, peer IP address, and peer port. The path management messages are usually sent and received between the GTP entities.

The path management feature is used to detect whether the peer GTP entity is available. The eCNS can send the path management message on all paths in use. When a path is detected as faulty, the eCNS may deactivate all PDP/EPS bearer contexts related to the path so that data packets are no longer sent along this path.

If no signaling or data is sent or received on a path for a long period, the eCNS determines that the path is invalid and clears the path.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 29.060, "GPRS Tunneling Protocol (GTPv1) across the Gn and Gp interface"

3GPP TS 09.60, "GPRS Tunneling Protocol (GTPv0) across the Gn and Gp interface"

1.1.4 eCNSFD-010500 IP Address Allocation from Local Address Pool

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The eCNS allocates IPv4 addresses to UEs from its local address pool.


Benefits

This feature provides an enhancement to eCNSFD-110004 Static IP Address Allocation and enables the eCNS to automatically create routes to UEs.

Description

A UE must obtain at least one IP address before it is able to access PS services. A PDN Address Allocation IE is specified during the setup of a default bearer for the UE. This IE contains protocol information (including an IP address field) the UE must obtain before it is able to access an external PDN. In addition, this IE indicates the method the UE expects to use to obtain an IP address.

3GPP TS 23.401 defines three modes of allocating IP addresses to UEs:

IP address allocation from the local address pool

In this mode, the eCNS allocates a dynamic IP address to a UE from the local address pool during the activation of a bearer for the UE.

The local address pool contains the IP addresses planned by the enterprise customer.

Static IP address allocation

In this mode, the eCNS allocates IP addresses to UEs from its integrated subscriber data module. This module matches the IMSI of each UE to an IP address range planned by the enterprise customer. This mode is a pure static IP address allocation mode, which requires complex configurations.

Static allocation is an optional feature and is under license control.

IP address allocation from the RADIUS server

In this mode, the eCNS allocates dynamic IP addresses obtained from the RADIUS server during UE authentication in the bearer activation procedure. Note that dynamic IP addresses are carried in access response messages sent by the RADIUS server.

This mode is applicable to enterprise customers or internet service providers (ISPs) who manage the RADIUS server and plan IP addresses for their internal users.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access"

1.1.5 eCNSFD-010600 Integrated Subscriber Data Management

Applicable NEs

eCNS


Availability

This feature was introduced in eCNS600 V100R001.

Summary

The eCNS implements the subscriber data management function, which is generally provided by the home subscriber server (HSS) in an EPC.

Benefits

This feature meets the requirements of the enterprise customer for higher space utilization, low power consumption, simple service delivery system, independent service management, and capability to terminate LTE local services.

Description

Compared with the HSS, the eCNS has the following unique characteristics in terms of subscriber data management:

Integrated subscriber data management interface

The eCNS does not need to provide a standard S6a interface.

Differentiated service delivery system

For end users, the eCNS delivers services using MML commands. For enterprise customers, the eCNS does not interconnect with their service delivery systems.

Differentiated subscriber data management

The eCNS stores and manages subscriber data and simplifies data templates. The eCNS can substitute for an LTE-HSS, but not an IMS-HSS, GSM-HSS, or UMTS-HSS.

The eCNS manages subscriber data as follows:

− Defines a USIM card

The eCNS accepts the input of the information about a USIM card.

− Cancels a USIM card

The eCNS removes the information about a USIM card.

− Defines a subscriber

The eCNS enables services for a subscriber and allocates a phone number to the subscriber.

− Deregisters a subscriber

The eCNS disables services for a subscriber and removes the information about this subscriber.

− Allows the query of static subscriber information

The eCNS allows the query of static subscriber information, including subscribed services and locking status.

− Manages EPS QoS templates

The eCNS allows the enterprise customer to create EPS QoS templates and set default QoS parameters.

− Manages APN templates

The eCNS allows the enterprise customer to create access point name (APN) templates.


− Manages PDP context templates

The eCNS allows the enterprise customer to create PDP context templates.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 23.008, "Organization of subscriber data"

3GPP TS 29.002, "Mobile Application Part (MAP) specification"

1.1.6 eCNSFD-010700 Session Management

Applicable NEs

eCNS

Availability

The EPS session management (ESM) was introduced in eCNS600 V100R001.

Summary

The objective of EPS session management (ESM) is to manage EPS bearers. Through the E-UTRAN and EPC networks, the EPS provides an IP connection, known as the PDN connection, between a UE and the PDN. Each PDN connection consists of at least one EPS bearer. The EPS bearer refers to the logical combination of one or more service data flows (SDFs). EPS bearers are created to meet the requirements of QoS management and to provide control at bearer granularity.

Benefits

As a basic feature of the eCNS, it enables subscribers to connect to an external PDN and perform data services.

Description

The ESM procedure can be initiated by the network or requested by a UE. The ESM involves the following procedures:

Default EPS bearer context activation

This procedure is used to set up a default EPS bearer context between a UE and the EPC. It can be part of the attach procedure or an independent procedure.

Dedicated EPS bearer context activation

This procedure is used to set up the special QoS and traffic flow template (TFT) bearer contexts between a UE and the EPC.

EPS bearer context modification

This procedure is used to modify the QoS and TFT of the EPS bearer context.

EPS bearer context deactivation

This procedure is used to deactivate one, several, or all the EPS bearer contexts to the PDN. If all the EPS bearer contexts to the PDN are deactivated, the connection to the PDN is disconnected.

UE-requested PDN disconnection

This procedure is used when the UE requests to be disconnected from the PDN. In this procedure, all the EPS bearer contexts, including the default bearer context, related to the PDN are released.

The last PDN connection can be disconnected only by the detach procedure initiated by the UE or the MME, and not by the UE-requested PDN disconnection.

UE-requested EPS bearer resource modification

The procedure involves the allocation and release of UE-requested EPS bearer resources.

The allocation part involves allocating EPS bearer resources to new SDFs on request from the UE. The UE can request or modify a specified QoS. It can also initiate the guaranteed bit rate (GBR) request or change the existing GBR.

The release part involves releasing the EPS bearer resources related to a specified SDF on request from the UE.

The UE-initiated detach procedure is used to release all bearers.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 23.060, "General Packet Radio Service (GPRS); Service description"

3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access"

3GPP TS 24.008, "Mobile radio interface Layer 3 specification; Core Network protocols - Stage 3"

3GPP TS 25.413, "UTRAN Iu Interface RANAP Signaling"

3GPP TS 29.060, "GPRS Tunneling Protocol (GTPv1) across the Gn and Gp interface"

3GPP TS 24.301, "Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3"

3GPP TS 36.413, "Evolved Universal Terrestrial Radio Access Network (E-UTRAN); S1 Application Protocol (S1AP)"

3GPP TS 29.274, "Evolved General Packet Radio Service (GPRS); Tunneling Protocol for Control plane (GTPv2-C); Stage 3"

1.2 User Plane

1.2.1 eCNSFD-030100 QoS and Traffic Management

For details, see section 1.2.1.1 eCNSFD-030101 EPS QoS.

1.2.1.1 eCNSFD-030101 EPS QoS

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The eCNS supports EPS QoS control at the bearer level.

Benefits

As a basic feature of the eCNS, it guarantees the end-to-end QoS in the EPS network.

Description

EPS QoS parameters are included in the EPS bearer context.

EPS QoS parameters contain uplink/downlink GBR, uplink/downlink maximum bit rate (MBR), allocation/retention priority (ARP), QCI, APN-AMBR, and UE-AMBR.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access"

1.3 IP Network Management

1.3.1 eCNSFD-040100 Routing

For details, see section 1.3.1.1 eCNSFD-040101 Static Routes and Default Routes.

1.3.1.1 eCNSFD-040101 Static Routes and Default Routes

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The eCNS, together with routers, implements routing using static routes, which are manually configured by network administrators. Default routes are special routes and can also be manually configured.

The eCNS uses static routes to communicate with a network or equipment. Specifically, the configured static routes are added to a routing table. Before the eCNS sends signaling, user data, or OM packets, it searches the routing table for a next-hop router or an interface by the specified destination address and subnet mask.

Benefits

This feature provides multiple route options for the enterprise customer.

Description

Static routes apply to networks with simple architectures and static network topologies. Static routes help implement security policies. Only authorized network administrators are allowed to modify the routing table.

The eCNS uses static routes to communicate with OM networks, eNodeBs, and PDNs.

Implementation

Static routes are added to the routing table after being configured by network administrators. Multiple static routes can be configured for the same destination address. If these routes are assigned the same priority, they work in load sharing mode. If they are assigned different priorities, they work in route backup mode.

Default routes are used only when no matched entries are found in the routing table. Default routes can be manually configured by network administrators or generated using dynamic routing protocols such as Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS).

The configuration for default routes is simple and robust. Together with other routes, default routes ensure that packets are forwarded when no matched entries are found in the routing table.

Detection

Bidirectional forwarding detection (BFD) is used to check the next hop of one or more static routes. If BFD detects that the next hop is unreachable, the associated static routes are removed from the routing table. When the next hop becomes reachable, the associated static routes are added back to the routing table.
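The route selection described under Implementation and Detection, as an added example (not code from the eCNS or from Huawei). It assumes longest-prefix matching and that a lower priority number is preferred; the RoutingTable class and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: str
    priority: int  # assumption: a lower number is preferred


@dataclass
class RoutingTable:
    configured: list = field(default_factory=list)  # routes entered by the administrator
    bfd_down: set = field(default_factory=set)      # next hops BFD reports as unreachable

    def add(self, prefix, next_hop, priority):
        self.configured.append(
            StaticRoute(ipaddress.ip_network(prefix), next_hop, priority))

    def bfd_event(self, next_hop, reachable):
        """Record a BFD session state change for a next hop."""
        if reachable:
            self.bfd_down.discard(next_hop)
        else:
            self.bfd_down.add(next_hop)

    def active(self):
        """Routes currently installed: configured routes with a reachable next hop."""
        return [r for r in self.configured if r.next_hop not in self.bfd_down]

    def lookup(self, destination):
        """Return the sorted next hops for destination, or [] if it is unroutable.

        More than one next hop means equal-priority routes in load sharing mode.
        """
        dst = ipaddress.ip_address(destination)
        matches = [r for r in self.active() if dst in r.prefix]
        if not matches:
            return []
        # The default route 0.0.0.0/0 has prefix length 0, so it is chosen
        # only when no more specific entry matched.
        longest = max(r.prefix.prefixlen for r in matches)
        candidates = [r for r in matches if r.prefix.prefixlen == longest]
        best = min(r.priority for r in candidates)
        return sorted(r.next_hop for r in candidates if r.priority == best)


def build_example_table():
    """Constructed sample configuration using documentation address ranges."""
    table = RoutingTable()
    table.add("192.0.2.0/24", "10.0.0.1", 60)     # same priority: load sharing
    table.add("192.0.2.0/24", "10.0.0.2", 60)
    table.add("198.51.100.0/24", "10.0.1.1", 60)  # primary
    table.add("198.51.100.0/24", "10.0.1.2", 80)  # different priority: backup
    table.add("0.0.0.0/0", "10.0.9.9", 60)        # default route
    return table


if __name__ == "__main__":
    t = build_example_table()
    print(t.lookup("198.51.100.5"))
    t.bfd_event("10.0.1.1", False)
    print(t.lookup("198.51.100.5"))
```

When BFD withdraws every specific route to a destination, traffic for it follows the default route, so the default next hop should be checked against the intended security policy.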

Application

In a network with a simple structure, static routes can be configured to ensure that the network works properly. Correct static route settings provide network security and save bandwidth resources for important applications.

Default routes are used to reduce the time for selecting routes and the bandwidth for forwarding packets. Default routes can meet the requirements for simultaneous communication by a large number of users.

Enhancement

None

Dependency

Application Limitations

When the network is faulty or the network topology is changed, the static routes become unavailable and must be reconfigured by network administrators.

Interaction with Other Features

Table 1-1 Interaction with other features

| Related Feature | Interaction |
|---|---|
| eCNSFD-110007 Bidirectional Forwarding Detection (BFD) | Static routes do not have self-healing capabilities and require intervention from the network administrators when faults occur. If BFD is enabled, the route management system can check the BFD session status to determine whether the IPv4 static routes in the public network are reachable. |

Standards

RFC 791, "Internet Protocol"

RFC 1155, "Structure and Identification of Management Information for TCP/IP-based Internets"

1.3.2 eCNSFD-040200 NTP

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The Network Time Protocol (NTP) is used to synchronize the time across the entire network.

The eCNS supports NTPv3 and serves as an NTP client. The eCNS periodically obtains the standard time from an NTP server located on a PS network and adjusts the system time based on this standard time. To prevent time deviation, the time on the network needs to be synchronized with the external standard time.

Benefits

The NTP protocol ensures the time consistency of all NEs on a network, and guarantees the accuracy and consistency of functions such as performance measurement.

Description

The NTP protocol is a TCP/IP protocol that is used to synchronize time on all devices across the network. NTP is based on the UDP protocol. RFC 1305 stipulates the complex algorithm used by NTP to guarantee accuracy of time synchronization.

The eCNS supports connecting to a remote NTP server in client mode. The eCNS periodically obtains the standard time from an NTP server or OMC server and adjusts the time across the entire network based on this standard time.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

RFC 1305, "Network Time Protocol"

1.3.3 eCNSFD-040300 VLAN Supporting

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

A virtual local area network (VLAN) is a logical network comprising multiple physical network devices. A VLAN forms a broadcast domain. Different VLANs communicate with each other through routes.

The eCNS implements VLAN functions by setting VLAN IDs on sub-interfaces.

If VLANs are implemented based on layer 3 networking, sub-interfaces are configured on Ethernet ports or trunks and defined as the members of VLANs to distinguish users or services.

Benefits

Broadcast traffic and unicast traffic in a VLAN are not forwarded to other VLANs. This helps control network traffic, reduce equipment investments, simplify network management, and improve network security and reliability.

Traffic can be isolated by adding interfaces to different VLANs.

Description

The eCNS provides the following VLAN functions:

Isolates traffic

When the eCNS uses a set of switching equipment to construct a LAN, it can assign the interfaces between NEs to different VLANs to implement traffic isolation. The eCNS can also assign the interfaces between PDNs to different VLANs to isolate users.

Adapts to the peer

If the routers, switches, or firewalls that are directly connected to the eCNS are assigned to different VLANs, the relevant ports on the eCNS must be divided into sub-interfaces. These sub-interfaces must also be assigned to the corresponding VLANs.

Increases the number of available interfaces

If the ports on the eCNS are insufficient for connecting to the routers, switches, or firewalls, these ports can be divided into sub-interfaces and VLAN IDs can be configured on these ports.

If a sub-interface on the eCNS is configured with a VLAN ID, the layer-2 or layer-3 device that is directly connected to the eCNS must also be configured with the same VLAN ID.

Enhancement

Table 1-2 Release history and enhancement

| Feature Version | Product Version | Details |
|---|---|---|
| eCNSFD-040300, 02 | eCNS600 V100R002 | Added the function of binding VLANs and sub-interfaces. |
| eCNSFD-040300, 01 | eCNS600 V100R001 | First official release. |

Dependency

Application Limitations

This feature is applicable only when the routers, switches, and firewalls that are directly connected to the eCNS also support VLAN functions.

Interaction with Other Features

Table 1-3 Interaction with other features

| Related Feature | Interaction |
|---|---|
| eCNSFD-040100 Routing | Route information must be configured on the eCNS. Otherwise, packets cannot be forwarded between VLANs. |

1.3.4 eCNSFD-040500 Eth-Trunk

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

Eth-trunk supports traffic load sharing between multiple Ethernet interfaces, which improves network reliability.

Benefits

This feature increases the bandwidth, improves the reliability of networking, and ensures load sharing.

Description

Trunk is a bundling technology. Multiple Ethernet physical interfaces can be bound into a logical interface that is known as an Eth-trunk interface. Physical interfaces that are bound are called member interfaces.

The trunk link can be regarded as a point-to-point direct link. The two ends of a trunk link can be two switches, or two routers, or one switch and one router.

The advantages of the Trunk technology are as follows:

Increased bandwidth. The total bandwidth of the Trunk interface is the sum of the bandwidth of each member interface. In this case, the bandwidth of the trunk interface is multiplied.

Improved reliability. When one physical link connected to the member interface is faulty, traffic is switched to other available links connected to the member interface. Therefore, the reliability of the entire Trunk link is improved.

Load sharing support. Load sharing can be achieved among member interfaces of the Trunk interface. Network congestion occurs when all the traffic is transmitted over a single link. The trunk interface prevents network congestion by distributing the traffic among different links. The destination of the traffic remains unchanged.

Dependency

Table 1-4 Interaction with other features

| Feature | Interaction |
|---|---|
| eCNSFD-040700 VRF | Eth-Trunk interfaces can be bound to a VRF. |
| eCNSFD-040600 OSPFv2 | The eCNS and the PE device can learn dynamic routes over Eth-Trunk interfaces through the OSPF routing protocol. |

Standards

IEEE 802.3AD Amendment to carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specifications-aggregation of multiple link segments

1.3.5 eCNSFD-040600 OSPFv2

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

Summary

Open Shortest Path First (OSPF) is an Interior Gateway Protocol (IGP) based on link states. OSPF is more applicable to large complex networks.

The eCNS uses OSPF Version 2 (OSPFv2) on the SGi interface to exchange routing information with peer equipment and implement network topology sharing.

Benefits

This feature enables data packet routing over the SGi interface between an EPC and an external data network and allows flexible networking based on customer requirements. At the same time, it improves transmission reliability because of the mesh network.

Description

The eCNS supports OSPFv2.

OSPF is a link-state-based IGP developed by the Internet Engineering Task Force (IETF). It supports networks of different scales and allows hundreds of routers to be deployed in a network.

OSPF has the following characteristics:

Fast convergence: OSPF sends link state update packets within the autonomous system (AS) immediately after detecting changes in the network topology.

Loop-free routing: OSPF computes the shortest path tree for each route based on link states by using a shortest path first algorithm that can ensure loop-free routing.

Area-based administration: OSPF allows the AS to be divided into routing areas for administration. OSPF uses abstract routing information between areas to reduce the network bandwidth usage.

Support of equal-cost routes: OSPF supports multiple equal-cost routes to the same destination address.

Route hierarchy: OSPF divides routes into four types. In descending order of priorities, these types are intra-area, inter-area, external type 1, and external type 2.

Support of packet authentication: OSPF performs interface-based packet authentication to ensure the security of route computing.

Support of packet multicast

Routers in the AS use OSPF to process routing tables. Each router gathers its link state information and broadcasts it within the entire AS using a flooding algorithm so that the AS can maintain one link state database. Based on this database, each router computes its shortest path tree with the router itself being the root and other routers being leaves.

Enhancement

None

Dependency

Application Limitations

OSPFv2 is an IGP and can be used only within an AS. For routing between different ASs, border gateway protocols such as BGP-4 need to be used.

The eCNS uses OSPFv2 only on the SGi interface.

Interaction with Other Features

Table 1-5 Interaction with other features

| Feature | Interaction |
|---|---|
| eCNSFD-110007 Bidirectional Forwarding Detection (BFD) | BFD increases the OSPF convergence rate by rapidly detecting link faults between neighboring routers. |
| eCNSFD-040700 VRF | VRF isolates routes through VRF-route binding and forwards data based on routing tables and virtual private network (VPN) IDs. |
| eCNSFD-040100 Routing | The routing feature uses routing policies to control issue, reception, and reference of OSPF routing information. |
| eCNSFD-040500 Eth-Trunk | The eCNS and the PE device can learn dynamic routes over Eth-Trunk interfaces through the OSPF routing protocol. |

Standards

RFC 791, "Internet Protocol"

RFC 1155, "Structure and Identification of Management Information for TCP/IP-based Internets"

RFC 1131, "OSPF specification"

RFC 1247, "OSPF Version 2"

1.3.6 eCNSFD-040700 VRF

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

Summary

Virtual routing and forwarding (VRF) is a means of implementing the virtual private network (VPN) function. It enables the functions of multiple virtual routing devices to be implemented on a single routing device. It is also used to logically define a physical device. Each VRF has a separate routing table and address space.

The eCNS supports VRF, so the functions of multiple logically separated virtual eCNSs can be implemented on one eCNS device. VPN instances can be created on the eCNS to implement VRF.

Benefits

This feature facilitates connections between the eCNS and intranets because the address spaces of APNs of carriers' private networks can be reused.

APN traffic can be separated to ensure network security.

Interfaces of different VPN instances can use the same IP address, which conserves public IP addresses.

Description

A VPN keeps the transferred data private from other VPNs. By taking advantage of this feature on the eCNS, you can bind each APN to a separate VPN to divide the traffic of different APNs. Through traffic separation and network division, the APN resources of a VPN will not be used by other VPNs or subscribers of other VPNs on the network. Therefore, the information in the VPN is secure.

An eCNS can be logically divided into multiple virtual eCNSs through VRF. Each virtual eCNS works independently as an eCNS and has its own routing table and interface for data forwarding. In addition, traffic of different services can be separated.

Networking application: The problem of insufficient IP addresses can be solved by binding physical interfaces (or Eth-trunk interfaces or sub-interfaces), logical interfaces, and routes to VRF, and the traffic of the signaling plane, user plane, and operation and maintenance (OM) data can be separated.

Service application: By binding APNs to VRF, multiple virtual routing areas are available on one eCNS to realize the separation of addresses and routes among APNs.

Resource application: By binding address pools to VRF, address resources can be reused.
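A pre-deployment check of the APN and address pool bindings described above, as an added example (not Huawei code). It flags pools that overlap inside one VRF, APNs that share a VRF, and plans that rely on VRF separation while SGi redirection is enabled, which this feature's Dependency table says makes VRF ineffective. The function name, finding codes, and sample plan are assumptions, as is the treatment of cross-VRF address reuse as a conflict once VRF is not in effect.

```python
import ipaddress
from collections import defaultdict


def check_vrf_plan(apn_bindings, pool_bindings, sgi_redirection=False):
    """Return a list of (code, detail) findings for a VRF binding plan.

    apn_bindings:  dict of APN name -> VRF name
    pool_bindings: list of (address pool prefix, VRF name)
    """
    findings = []
    pools = [(ipaddress.ip_network(prefix), vrf) for prefix, vrf in pool_bindings]

    for i, (net_a, vrf_a) in enumerate(pools):
        for net_b, vrf_b in pools[i + 1:]:
            if not net_a.overlaps(net_b):
                continue
            if vrf_a == vrf_b:
                # One VRF has one address space, so overlap inside it is a conflict.
                findings.append(
                    ("POOL_OVERLAP_IN_VRF", f"{vrf_a}: {net_a} and {net_b}"))
            elif sgi_redirection:
                # Reuse across VRFs is the intended benefit, but only while
                # VRF is actually in effect (assumption, see lead-in).
                findings.append(
                    ("POOL_REUSE_NEEDS_VRF",
                     f"{net_a} ({vrf_a}) and {net_b} ({vrf_b})"))

    apns_by_vrf = defaultdict(list)
    for apn, vrf in apn_bindings.items():
        apns_by_vrf[vrf].append(apn)
    for vrf in sorted(apns_by_vrf):
        apns = sorted(apns_by_vrf[vrf])
        if len(apns) > 1:
            # APNs in the same VRF share a routing table and address space.
            findings.append(("APNS_SHARE_VRF", f"{vrf}: {', '.join(apns)}"))

    if sgi_redirection and len(apns_by_vrf) > 1:
        findings.append(
            ("VRF_INEFFECTIVE",
             "SGi redirection is enabled; APN traffic is not separated by VRF"))
    return findings


def example_plan():
    """Constructed sample plan (RFC 1918 addresses, hypothetical APN and VRF names)."""
    apns = {"apn.video": "vrf-a", "apn.scada": "vrf-b", "apn.guest": "vrf-b"}
    pools = [("10.1.0.0/16", "vrf-a"),
             ("10.1.0.0/16", "vrf-b"),
             ("10.1.128.0/17", "vrf-b")]
    return apns, pools


if __name__ == "__main__":
    apns, pools = example_plan()
    for code, detail in check_vrf_plan(apns, pools, sgi_redirection=True):
        print(code, "-", detail)
```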

Enhancement

None

Dependency

Table 1-6 Interaction with other features

| Feature | Interaction |
|---|---|
| eCNSFD-040900 SGi Redirection | VRF does not take effect if SGi redirection is enabled. |
| eCNSFD-040600 OSPFv2 | One VRF supports more than one OSPF process, while one OSPF process belongs to only one VRF. |
| eCNSFD-110007 Bidirectional Forwarding Detection (BFD) | In the network scenario of dual active ports with static routes, BFD should be activated in the VRF so that the eCNS can switch routes when the old route is faulty. |
| eCNSFD-040500 Eth-Trunk | Eth-Trunk interfaces can be bound to a VRF. |
| eCNSFD-110010 Routing Behind MS | Different UEs that support "Routing Behind MS" can be separated by different VRFs. |

Standards

RFC 2764, "IP Based Virtual Private Networks"

1.3.7 eCNSFD-040800 Local Routing

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

Summary

This feature enables the eCNS to directly forward packets between UEs connected to this eCNS.

Benefits

This feature does not require additional network equipment on the SGi interface for packet forwarding between UEs and therefore reduces end-to-end forwarding delay.

Description

After the eCNS receives an uplink packet from a UE, the eCNS checks the target UE. If the eCNS has admitted the target UE, the eCNS directly forwards the packet to the target UE, as shown in Figure 1-2.

Figure 1-2 Local routing

Enhancement

None

Dependency

Table 1-7 Interaction with other features

| Feature | Interaction |
|---|---|
| eCNSFD-040900 SGi Redirection | Local routing does not take effect if SGi redirection is enabled. |

Standards

None

1.3.8 eCNSFD-040900 SGi Redirection

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

Summary

This feature prohibits the eCNS from directly forwarding packets between UEs. Instead, this feature redirects uplink packets through the SGi interface to a specified device (for example, a firewall) in the PDN.

Benefits

This feature protects enterprise customers' networks and ensures end users' communication security.

Description

Most firewalls do not support bidirectional packet transmissions through an interface. Therefore, the configurations as shown in Figure 1-3 are required for SGi redirection.

The blue line in this figure represents the direction of redirected packets. Uplink packets of UE 1 are sent through physical port a to the firewall. After being filtered by the firewall, the packets are sent through physical port b to the eCNS.

Figure 1-3 Packet forwarding when SGi redirection is enabled

If SGi redirection is disabled, uplink packets from UEs are not filtered by the firewall. Instead, the packets are directly forwarded by the eCNS, as shown in Figure 1-4. In this situation, packet security cannot be ensured.

Figure 1-4 Packet forwarding when SGi redirection is disabled

Enhancement

None

Dependency

Table 1-8 Interaction with other features

| Feature | Interaction |
|---|---|
| eCNSFD-040800 Local Routing | Local routing does not take effect if SGi redirection is enabled. |
| eCNSFD-040700 VRF | VRF does not take effect if SGi redirection is enabled. |

Standards

None

1.4 Reliability

1.4.1 eCNSFD-050200 Board Redundant Backup

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The eCNS performs 1+1 backup for all the processes. The redundancy backup ensures that the system is not impacted by any faulty process. Process redundancy backup, automatic fault detection, and self-healing function guarantee the system reliability.

Benefits

As a basic feature of the eCNS, it guarantees the system reliability.

Description

Process redundancy backup provides a backup mechanism for all the processes in the system. That is, all the processes work in the active/standby mode. A standby process can back up the data periodically or when the backup process is triggered by an event. If the active process is faulty, the standby process takes over the service.

Automatic fault detection means that when the system is faulty because of a software abnormality or hardware fault, the system can automatically detect the fault by using a certain method without user intervention. This is the basis for fault isolation and fault recovery.

Self-healing means that after a fault occurs, the system can take some measures, such as switchover and reset, to rectify the fault without affecting the normal operations of the system.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

None

1.5 Operation and Maintenance

1.5.1 eCNSFD-060100 Software Management

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

This feature manages the eCNS software, including software installation and loading as well as patch installation, loading, and activation.

Benefits

As a basic feature of the eCNS, it can flexibly manage the running software. Patches can correct software faults without service interruption.

Description

Software management mainly includes software installation, software upgrade, and online patching.

The eCNS supports concurrent software upgrade. That is, all the processes in the eCNS can load the software at the same time. As a result, the time spent in loading the software is greatly reduced.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

None

1.5.2 eCNSFD-060300 Performance Management

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The eCNS can measure network performances to provide the performance measurement data. Performance measurement data is an important basis for measurement, design, operation, and management of communication networks.

Benefits

As a basic feature of the eCNS, it can provide network data for network operating, planning, and management.

Description

The eCNS provides various test indexes. To simplify the management of these indexes, the indexes correspond to different measurement units, and the measurement units correspond to different measurement clusters. The measurement clusters provided by the eCNS include charging GTP-C, GTP-U, S1 mode EMM and ESM.

The eCNS reports all the measurement results at a specified period, which means that users do not need to configure measurement tasks. The eCNS reports all measurement data to the operation and maintenance system (OMS). Users can filter, query, collect, analyze, and print the measurement data by using the OMS.

The eCNS generates performance alarms when the values of measurement indexes exceed preset thresholds or terraces.

The performance alarms are categorized into threshold alarms and terrace alarms.

Threshold Alarm

A threshold refers to a preset limit. The unit of the threshold must be the same as the unit of the index. The system compares the measured data with this threshold.

For each measurement index, there are four alarm severities, namely, critical, major,

minor, and warning. You can set the direction (greater or smaller than a value) and the

value of each alarm severity.

For example, the threshold alarms of the average CPU usage are as follows:

− Critical: > 90

− Major: > 80

− Minor: > 70

− Warning: > 50

When the value of average CPU usage reaches 75, the system generates a minor

performance alarm and reports the alarm in the Browse Alarm window to notify maintenance personnel.

Terrace Alarm

A terrace refers to the change degree of two values, reflecting the change rate of the

measurement index. The unit of the value is percentage. The system compares the

change rate of the measured data to this value.

The calculation formula of the change rate is as follows:

Change rate = (Measured data of this period - Measured data of last period) / Measured data of last period

If the terrace of the measurement index exceeds the preset terrace threshold, the system generates the performance alarm.

For example, the terrace alarms of the average CPU usage are as follows:

− Critical: > 70%

− Major: > 50%

− Minor: > 30%

− Warning: > 10%

If two consecutive values of the average CPU usage are 30% and 20% respectively, the

terrace value is 50%. In this case, the system generates a Minor performance alarm and

reports the alarm to the Browse Alarm window to notify maintenance personnel.
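
The threshold and terrace rules above, applied to a series of per-period samples, as an added example that is not Huawei code. The function names and the sample series are constructed; it assumes the CPU example means a previous value of 20 and a current value of 30, keeps the change rate signed (so a drop never crosses a ">" limit), and raises no terrace alarm when the previous value is 0.

```python
# Added example (not eCNS code): threshold and terrace alarm evaluation.
from typing import Dict, List, Optional, Tuple

# Severities ordered from most to least severe, as listed in this section.
SEVERITIES = ("critical", "major", "minor", "warning")

# Limits taken from the average-CPU-usage examples in this section.
CPU_THRESHOLDS = {"critical": 90, "major": 80, "minor": 70, "warning": 50}
CPU_TERRACES = {"critical": 70, "major": 50, "minor": 30, "warning": 10}  # percent


def classify(value: float, limits: Dict[str, float],
             direction: str = ">") -> Optional[str]:
    """Return the most severe level whose limit the value crosses, else None.

    direction is ">" (alarm when greater than the limit) or "<" (alarm when
    smaller than the limit). The comparison is strict, so a value equal to a
    limit falls through to the next, less severe level.
    """
    if direction not in (">", "<"):
        raise ValueError("direction must be '>' or '<'")
    for severity in SEVERITIES:
        limit = limits.get(severity)
        if limit is None:
            continue  # this severity is not configured for the index
        if direction == ">" and value > limit:
            return severity
        if direction == "<" and value < limit:
            return severity
    return None


def change_rate(current: float, previous: float) -> Optional[float]:
    """(this period - last period) / last period, expressed in percent.

    Assumption: with a previous value of 0 the rate is undefined, so None is
    returned and no terrace alarm is evaluated for that period.
    """
    if previous == 0:
        return None
    return (current - previous) / previous * 100.0


def evaluate_series(samples: List[float], thresholds: Dict[str, float],
                    terraces: Dict[str, float]
                    ) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Return (period, threshold severity, terrace severity) per sample."""
    results = []
    previous = None
    for period, value in enumerate(samples):
        threshold_sev = classify(value, thresholds)
        rate = change_rate(value, previous) if previous is not None else None
        terrace_sev = classify(rate, terraces) if rate is not None else None
        results.append((period, threshold_sev, terrace_sev))
        previous = value
    return results


# Constructed sample series of average CPU usage, one value per period.
CONSTRUCTED_SAMPLES = [20, 30, 75, 0, 40, 95]

if __name__ == "__main__":
    for row in evaluate_series(CONSTRUCTED_SAMPLES, CPU_THRESHOLDS, CPU_TERRACES):
        print(row)
```

A change rate of exactly 50% does not exceed the Major limit, which is why the example in the text ends at Minor.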

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 12.04, "Performance data measurements"

3GPP TS 32.403, "Telecommunication management; Performance Management (PM);

Performance measurements - UMTS and combined UMTS/GSM"

3GPP TS 32.426, "Telecommunication management; Performance Management (PM);

Performance measurements Evolved Packet Core (EPC) network"

1.5.3 eCNSFD-060400 Fault Management

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The fault management feature is used to monitor system operations. The eCNS notifies

maintenance personnel of faults and events through alarms.

Benefits

As a basic feature of the eCNS, it provides detailed alarm information to help maintenance

personnel easily locate and handle faults.

Description

The eCNS generates various types of alarms that cover faults and events related to software

functions, hardware parts, and external environment to ensure that faults can be immediately

detected and handled.

To simplify management, these alarms are assigned different severities.

The eCNS alarms are classified into the following severities:

Critical

Major

Minor

Warning

You can adjust the alarm severities based on certain requirements.

When an alarm occurs, the system reports the detailed information about the alarm so that maintenance personnel can locate and handle the fault. Maintenance personnel can shield alarms that they consider unimportant.

The alarm tool uses different colors and windows to differentiate the alarms of different

severities, so that users can focus on alarms of high severity first. Alarms can be queried by

specifying a combination of criteria such as the time range, alarm severity, and alarm type.

The results returned help in analysis and location of faults.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

None

1.5.4 eCNSFD-060500 Equipment Management

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

Equipment management includes operations such as monitoring, controlling, and testing the

functions of entities such as system hardware and links.

Benefits

As a basic feature of the eCNS, it helps maintenance personnel understand how the system is operating so that they can flexibly maintain and manage the system.

Description

The equipment management feature supports status monitoring, device control, and device testing.

Status monitoring

The eCNS provides MML commands for querying status of devices. For boards and

ports, it also provides a graphical query interface. Figure 1-5 and Figure 1-6 show the front view and rear view of a subrack.

Figure 1-5 Front view

Figure 1-6 Rear view

Device control

Device control includes operations such as switchover, reset, block, and disable. The monitored objects are boards, processes, ports, links, and logical entities (such as signaling points).

Device test

The device test is an important method for finding and locating problems. The eCNS provides tests such as link self-loop test and path connectivity test.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

CCITT X.731 Information Technology - Open Systems Interconnection - Systems

Management

1.5.5 eCNSFD-060600 Configuration Management

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

Configuration management includes operations such as adding, deleting, modifying, and

querying of system data.

Benefits

As a basic feature of the eCNS, it helps engineers configure and manage parameters for

system operation to make the system work properly.

Description

The eCNS provides both dynamic and static modes for data configuration:

Dynamic data configuration means directly modifying system data without interrupting the operation of the system.

Static data configuration means editing the data script file (MML.TXT) offline.

Modification of the file takes effect after the system resets.

Configuration management also supports backup or export of configuration data.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

None

1.5.6 eCNSFD-060700 Security Management

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The security management provided by the eCNS ensures that only authorized users can

perform operations on the system, and guarantees system security. Security management

includes account management, right management, operation period control, account validity

control, access control list (ACL), account lockout policy, password policy, and operation log.

Benefits

Only authorized operators can perform authorized operations on legal terminals. This prevents unauthorized operators from performing operations, whether intentionally or unintentionally, and ensures system security.

Description

Security management includes account management, right management, operation period

control, account validity control, ACL, account lockout policy, password policy, and operation

log.

Account Management

To maintain the eCNS, the operator must have a valid account. All accounts are managed

by the system administrator. The system administrator can add or delete operator

accounts as required.

Rights Management

The eCNS classifies commands into different command sets. You can manage the rights of each account by granting the account the execution rights for a specified command set.

For convenient management, account rights are defined in user groups, and then users in

different user groups can be assigned different rights. A user group is a collection of users who share the same rights. By default, the system provides four user groups:

− Administrators: There is only one administrator account in a system.

− Operators: Users in this group can check the data, maintain the system, and configure

the data.

− Users: Users in this group can check the data and maintain the system.

− Guests: Users in this group can only check the data.

The administrator can assign rights to users by assigning users to different user groups, and can assign special rights to a user account.

Operation Period Control

You can control the time period during which users can log in to and operate the OMU. If the current time is not in the specified time period, users cannot log in to or operate the OMU.

Account Validity Control

The administrator can change the account validity by modifying the user attributes. When a user account is invalid, the user cannot log in to the OMU server.

ACL

Generally, the OMU does not restrict the IP address of the client that a user uses. After

the ACL function is enabled, the IP address of the client that the user uses to log in to the OMU must be contained in the ACL. Otherwise, the login fails.

Account Lockout Policy

You can set a threshold for the number of login failures. If the number of failures to log

in using an account exceeds the threshold, the system locks out the account. During a

specified period, the system rejects login requests from this account.

The account lockout policy helps prevent attackers from logging in and misusing the data.

Password Policy

Password complexity and regular password changes guarantee system security. The password policy of the eCNS can be customized as follows:

− Specify the validity period of a password

− Specify the password length

− Specify the characters that can be used in a password

Operation Log

An operation log records all the operation information about a user, including user name,

user number, IP address, commands that the user runs, time when the command is run,

and result of the command. You can check the operation log on the LMT and trace suspicious operations.
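
The login-time controls described above (account lockout, account validity, operation period, ACL), combined into one admission check as an added example that is not eCNS or OMU code. All class, field and reason names are hypothetical; it assumes only failed password checks count toward the lockout threshold, that a successful login resets the counter, and that an operation period may wrap past midnight.

```python
# Added example (not eCNS/OMU code): one admission check combining the
# login-time controls from this section. All names are hypothetical.
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple


@dataclass
class Policy:
    acl_enabled: bool = False                      # ACL is off by default
    acl: List[str] = field(default_factory=list)   # permitted client networks
    max_failures: int = 3                          # lockout threshold
    lockout: timedelta = timedelta(minutes=30)     # lockout period


@dataclass
class Account:
    name: str
    valid: bool = True                             # account validity
    period_start: time = time(0, 0)                # operation period
    period_end: time = time(23, 59, 59)
    failures: int = 0
    locked_until: Optional[datetime] = None


def in_period(now_t: time, start: time, end: time) -> bool:
    """True if now_t lies in [start, end]; handles windows that wrap midnight."""
    if start <= end:
        return start <= now_t <= end
    return now_t >= start or now_t <= end


def ip_in_acl(client_ip: str, acl: List[str]) -> bool:
    """True if the client address belongs to any network in the ACL."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in acl)


def attempt_login(acct: Account, policy: Policy, client_ip: str,
                  password_ok: bool, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Mutates the account's failure/lock state."""
    # 1. Lockout: a locked account is rejected even with a correct password.
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return False, "locked"
        acct.locked_until, acct.failures = None, 0  # lockout period elapsed
    # 2. Account validity.
    if not acct.valid:
        return False, "account-invalid"
    # 3. Operation period.
    if not in_period(now.time(), acct.period_start, acct.period_end):
        return False, "outside-operation-period"
    # 4. ACL: enforced only when the function is enabled.
    if policy.acl_enabled and not ip_in_acl(client_ip, policy.acl):
        return False, "ip-not-in-acl"
    # 5. Credential check; the account locks once failures exceed the threshold.
    if not password_ok:
        acct.failures += 1
        if acct.failures > policy.max_failures:
            acct.locked_until = now + policy.lockout
            return False, "locked"
        return False, "bad-password"
    acct.failures = 0
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario using documentation address ranges.
    pol = Policy(acl_enabled=True, acl=["192.0.2.0/24"])
    op = Account("op1", period_start=time(8, 0), period_end=time(18, 0))
    t0 = datetime(2013, 4, 9, 10, 0)
    for ok in (False, False, False, False, True):
        print(attempt_login(op, pol, "192.0.2.10", ok, t0))
```

Each returned reason corresponds to a rejection that a security or operation log entry would need to distinguish when tracing suspicious logins.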

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

None

1.5.7 eCNSFD-060800 Online Documentation

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

Each version of the eCNS has its own online help, which contains:

O&M system online help

It is used to help users correctly use relevant interfaces and different management

functions, and provides alarm descriptions and suggestions for handling alarms.

MML command online help

It is used to explain each MML command and help users correctly use these commands.

The online help provides the following functions:

It is organized based on common tasks performed by users. In the client window, choose

Help > Help Topics to display the online help. You can obtain the information about a

task through the navigation tree.

It provides the detailed description of all operations supported by the system. Operation

help is associated with certain interfaces, so you can obtain relevant information by pressing F1 to activate the help you want to query.

It also provides a powerful index function, so you can obtain help information by typing a keyword.

Benefits

As a basic feature of the eCNS, it guides an operator to use and maintain the system.

Description

The contents of the online help are as follows:

Interface online help

It describes the meanings of the LMT user interfaces and how to use maintenance functions and alarm management functions.

Alarm help

It describes each alarm and provides suggestions to handle alarms.

MML help

It describes the function, notes, parameter description, and example of each MML command.

Performance index help

It describes the meaning, triggering point, measurement object, and unit of each

measurement index.

There are several ways to trigger the online help:

Press F1 to invoke the interface online help.

The MML help is automatically triggered after a command is selected or entered.

The alarm help is automatically triggered when you check the alarm.

Choose Help > Help theme to display all online help.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

None

1.5.8 eCNSFD-060900 Tracing Function

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

Tracing can be classified into subscriber tracing, group tracing, and interface tracing. The

tracing functions can be used to store, resolve, and review a tracing file. Interface tracing

involves establishment, capture, and resolution of tracing messages processed by the

interfaces of eCNS.

Benefits

This feature guarantees flexibility in locating and solving problems for enterprise customers. The tracing feature is used in the daily maintenance of a device. Through message tracing, this feature can locate where a fault occurs in the service procedure. After data is configured on a device, tracing can be set up to verify whether signaling links run normally and to locate faults.

Description

The eCNS provides subscriber signaling and data tracing based on the IMSI or MSISDN. The

eCNS supports the following types of message filters:

MM messages of the S1 interface: NAS_MM and GTP_C

SM messages of the S1 interface: NAS_SM and GTP_C

S1-AP message of the S1 interface: S1-AP

The eCNS can create subscriber tracing for a UE that has not yet attached to the network. Once the UE initiates the attach procedure, all the signaling and user data can be captured.

Group tracing means tracing the signaling message and interface message on a certain group.

Interface tracing means tracing all the messages on a certain interface.

The eCNS allows a tracing file to be saved to the hard disk in different formats through both

automatic and manual modes.

The tracing messages can be saved in the following formats:

Trace message file (*.tmf): It is used to browse messages offline through the Trace

Viewer. This type of message browsing is intuitive.

Text file (*.txt): It is used to save the messages displayed in the tracing interface.

Protocol text file (*.txt): It is used to save protocol explanation of messages.

CSV file (*.csv): It is used to save the complete code flow. The LMT interface displays

only part of the code flow.

The OMS provides a message analyzer that can be used to view messages online. You can

double-click a certain message in the Message Browser window to query the detailed

information about this message.

When browsing messages online, you can select and double-click a record that you want to

query. A window containing the detailed information and explanation of the record is

displayed, as shown in Figure 1-7.

Figure 1-7 Message Browser

NOTE

The window is divided into two parts, the upper pane and the lower pane. You can adjust the view by moving the bar that separates the two panes. If you select a row in the upper part of the window, the row is highlighted in blue and the blue bar in the lower pane indicates the hexadecimal information of the selected row.

The tracing files that are saved on local devices can be viewed in the Trace Viewer. The

Trace Viewer can be used to perform the following operations:

View message streams

Complete tracing message procedures can be viewed, including the directory, time, type, and content of a message, as shown in Figure 1-8.

Figure 1-8 Trace Viewer

Resolve messages

Select and double-click a record that you want to query. A window containing the

detailed information and explanation of the record is displayed, as shown in Figure 1-9.

Figure 1-9 Message Browser

NOTE

The window is divided into two parts, the upper pane and the lower pane. You can adjust the view by moving the bar that separates the two panes. If you select a row in the upper part of the window, the row is highlighted in blue and the blue bar in the lower pane indicates the hexadecimal information of the selected row.

Sort messages

Messages can be sorted according to the serial number, time, direction, and type.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

None

1.5.9 eCNSFD-061000 Log Management

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The eCNS provides and manages run logs, debug logs, operation logs, and security logs. It

allows log export and upload.

Benefits

This feature meets the requirements of enterprise customers for log management.

Description

The eCNS supports the following logs:

Run logs: record the running status of system software, for example, record system

deployment status and system status changes. Using the run logs, OM personnel can learn the running status of the system.

Debug logs: record the running status of system software, for example, object status

migrations and message exceptions. Using the debug logs, R&D personnel can locate

problems and analyze system efficiency.

Operation logs: record the commands delivered from LMTs. Using the operation logs, OM personnel can manage OM records.

Security logs: record the security events that occur on the eCNS. The security events include user login, account management, and account authentication.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

None

1.5.10 eCNSFD-061100 Daylight Saving Time

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The eCNS allows time zone and Daylight Saving Time (DST) information to be set, such as the time zone where the system is located, the start time of DST, and the end time of DST.

Benefits

This feature meets the requirements of enterprise customers in different areas.

Description

The eCNS can set information about time zone and DST in the following ways:

By date

By week

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

None

1.6 Interface Function

1.6.1 eCNSFD-070100 S1 Interface

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The S1 interface includes the S1-MME interface and the S1-U interface in LTE/SAE.

The S1-MME interface is a standard interface between the eNodeB and the eCNS.

The S1-U interface is a user-plane interface between the eNodeB and the eCNS. It is used to

transmit uplink and downlink user-plane data flows between the eNodeB and the eCNS.

Benefits

This feature enables the S1 interface to transmit user-plane and control-plane data.

Description

The S1-MME interface is the signaling interface between the eNodeB and the eCNS. Figure

1-10 shows the protocol stack of the S1-MME interface.

Figure 1-10 Protocol stack of the S1-MME interface

The protocol layers are described as follows:

S1 Application Protocol (S1-AP): It refers to the application layer protocol between the eNodeB and the MME.

Stream Control Transmission Protocol (SCTP): It is used to guarantee the transmission of signaling messages between the eNodeB and the MME.

IP: It contains IPv4 that is defined in RFC 791 and IPv6 that is defined in RFC 1883.

L2/L1: The data link layer/physical layer protocol can be 10 Mbit/s, 100 Mbit/s, or 1000 Mbit/s Ethernet.

The S1-U interface uses the GPRS Tunneling Protocol version 1 (GTPv1). Figure 1-11 shows

the S1-U interface protocol stack.

Figure 1-11 S1-U interface protocol stack

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 36.413, "Evolved Universal Terrestrial Radio Access Network (E-UTRAN); S1

Application Protocol (S1AP)"

1.6.2 eCNSFD-070200 SGi Interface

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The SGi interface is an interface between the eCNS and the packet data network (PDN), or between the eCNS and the authentication, authorization and accounting (AAA) server. It is used to transmit PS session data.

Benefits

For...: Benefits

Enterprise customers: This feature enables the eCNS to interwork with PDN devices of various vendors by using the SGi interface, complying with 3GPP specifications.

Subscribers: Subscribers are unaware of the SGi interface feature.

Description

SGi Interface Protocol Stack

Figure 1-12 shows the SGi interface protocol stack.

Figure 1-12 SGi interface protocol stack

Enhancement

None

Dependency

This feature does not depend on other features.

1.6.3 eCNSFD-070300 S10 Interface

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

Summary

The S10 interface is a standard interface between MMEs.

Benefits

The S10 interface of the eCNS complies with 3GPP specifications and therefore can connect

MMEs provided by different vendors.

Description

Figure 1-13 shows the S10 protocol stack.

Figure 1-13 S10 protocol stack

The protocols in the stack are as follows:

GTP-C

GTP-C is used to reliably transmit signaling between MMEs. The version used is GTPv2.

Signaling transmitted on the S10 interface includes GTP path management messages and mobility management messages.

UDP

UDP is used to transmit user data between MMEs. UDP is defined in RFC 768.

IP

IPv4 is defined in RFC 791, and IPv6 is defined in RFC 1883.

L2 and L1

L2 is the data link layer, and L1 is the physical layer. Both can use 10, 100, or 1000

Mbit/s Ethernet.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 29.274, "Evolved General Packet Radio Service (GPRS); Tunneling Protocol for

Control plane (GTPv2-C); Stage 3"

1.6.4 eCNSFD-070400 S5 Interface

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

Summary

The S5 interface is a standard interface between an S-GW and a P-GW in the same network.

This interface can be used in both the control plane and user plane.

Benefits

The S5 interface of the eCNS complies with 3GPP specifications and therefore can connect an

S-GW and a P-GW provided by different vendors.

Description

Protocol Stack

Figure 1-14 and Figure 1-15 show the S5 protocol stacks using GTPv2 and GTPv1,

respectively.

Figure 1-14 S5 protocol stack using GTPv2

Figure 1-15 S5 protocol stack using GTPv1

Application Scenario

The S5 interface connects an S-GW and a P-GW in the same network.

Signaling Procedure

The S5 signaling procedures are as follows:

Session setup

Bearer setup

Bearer modification

Session release

Bearer release

Bearer update

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved

Universal Terrestrial Radio Access Network (E-UTRAN) access"

1.6.5 eCNSFD-070500 S8 Interface

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

Summary

The S8 interface is a standard interface between an S-GW and a P-GW in different networks.

This interface can be used in both the control plane and user plane.

Benefits

The S8 interface of the eCNS complies with 3GPP specifications and therefore can connect an

S-GW and a P-GW provided by different vendors.

Description

Protocol Stack

Figure 1-16 and Figure 1-17 show the S8 protocol stacks using GTPv2 and GTPv1,

respectively.

Figure 1-16 S8 protocol stack using GTPv2

Figure 1-17 S8 protocol stack using GTPv1

Application Scenario

The S8 interface connects an S-GW in a visited network and a P-GW in a home network.

Signaling Procedure

The S8 signaling procedures are as follows:

Session setup

Bearer setup

Bearer modification

Session release

Bearer release

Bearer update

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved

Universal Terrestrial Radio Access Network (E-UTRAN) access"

1.6.6 eCNSFD-070600 Ga Interface

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

Summary

The Ga interface is a standard interface between a P-GW and a charging gateway (CG). It

uses GTP'.

Benefits

The Ga interface of the eCNS complies with 3GPP specifications and therefore can connect a

P-GW and a CG provided by different vendors.

Description

Figure 1-18 shows the Ga protocol stack.

Figure 1-18 Ga protocol stack

GTP' is a GPRS protocol used for CDR transfer.

The Ga signaling procedures are as follows:

CDR generation

CDR delivery

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 32.295, "Charging Data Record (CDR) transfer"

1.6.7 eCNSFD-070700 S6a Interface

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

Summary

The S6a interface is a standard interface between an MME and an HSS.

Benefits

The S6a interface of the eCNS complies with 3GPP specifications and therefore can connect

an MME and an HSS provided by different vendors.

Description

Figure 1-19 shows the S6a protocol stack.

Figure 1-19 S6a protocol stack

The protocols in the stack are as follows:

Diameter

Diameter is used to transmit subscription and authentication data between an MME and an HSS. Diameter is defined in RFC 3588.

SCTP

SCTP is used to transmit signaling between an MME and an HSS.

IP

IPv4 is defined in RFC 791, and IPv6 is defined in RFC 1883.

L2 and L1

L2 is the data link layer, and L1 is the physical layer. Both can use 10, 100, or 1000 Mbit/s Ethernet.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 29.272, "Mobility Management Entity (MME) and Serving GPRS Support Node (SGSN) related interfaces based on Diameter protocol"

RFC 3588, "Diameter Base Protocol"

1.7 Basic Platform

1.7.1 eCNSFD-080300 Linux Security Hardening

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

This feature hardens Linux operating system (OS) security and protects against attacks without

interruptions to ongoing services. A secure OS is essential to ensure proper running of NEs and

prevent unauthorized operations. An OS with vulnerabilities is open to attacks from hackers and

viruses, leading to issues such as network service interruption, information loss, data corruption,

and low efficiency.

Linux security is hardened using the following means:

Minimized OS

OS passwords, file permissions, and kernel parameters

OS logs

Interconnection security data

Benefits

This feature enhances system robustness and security, protects against hackers and viruses,

and improves user satisfaction.

Description

This feature hardens Linux security and protects against attacks without interruption to

ongoing services.

OS Security Threats and Vulnerability Causes

The Linux OS faces the following security threats:

Manipulated attacks

Manipulated attacks are the major attacks that the OS faces. Hackers attack the system by exploiting OS vulnerabilities that are caused by various factors such as OS leaks, insecure passwords, or configuration defects. After seizing superuser control rights, the hackers tamper with important files and data, wreaking havoc on network security.

Programmed attacks

Programmed attacks mainly refer to computer viruses, including executable file viruses,

worm viruses, script viruses, and backdoor programs.

The following factors make the OS vulnerable:

OS leaks

OS leaks arise from program design or function defects such as identity authentication

defects and service loopholes.

Insecure accounts or passwords

Hackers and viruses can easily crack insecure accounts and passwords using means such as password dictionaries or brute-force crackers.

Incorrect file permissions

File permissions determine which operations, such as reading, writing, or executing, users can perform on files. File permissions are essential to file sharing, protection, and confidentiality.

To protect files and directories against unauthorized access, the Linux OS defines three types

of users: owner, user group, and others. These users can be assigned different permissions.

If incorrect permissions are granted to user groups or others, important files may be unexpectedly read, written, or executed.

Insecure network services

All network services have security risks. For example, Telnet does not encrypt or verify

sessions; it transmits user names and passwords over the network in plaintext. In addition,

network services such as Samba have security leaks. If the OS is not promptly patched,

hackers or viruses may utilize these leaks to attack the system.

Incorrect operations

Incorrect operations (for example, directly powering off the Linux OS) may lead to system

faults or system breakdown. If users open email attachments sent from unknown addresses or

visit unknown websites, the system may get infected with viruses.

OS Security Hardening Policies

Linux security is hardened using the following policies:

Minimizing the OS

The default software package of the Linux OS contains many services and components,

most of which are optional. These services and components affect OS performance and security. Therefore, the OS needs to be streamlined for different purposes, including:

− Reducing the system size

− Increasing the startup speed

− Improving the system security

− Retaining existing services and functions after minimization

The minimized OS supports system security measures, for example, closing ports, closing

services, and clearing leaks.

Configuring OS passwords, file permissions, and kernel parameters

Different users are assigned different file permissions to protect important files from being

written, read, or executed by unauthorized users.

In addition to the default user root, the Linux OS creates a user named omu, as described in

Table 1-9. The administrator can also create other users for routine operations and

maintenance (OM).

Table 1-9 OS users and rights

| User Name | Function | Rights | Default Password |
|---|---|---|---|
| root | User root is the default user. This user can control all resources, create other users, assign file permissions to them, and perform all operations supported by the OS. During system deployment, user root can perform installation and configuration. After the deployment, this user cannot perform routine OM, and the password is managed by the enterprise customer. | User root has the highest rights, and can install and uninstall server applications. | huawei |
| omu | User omu is created during the installation of the OMU. This user manages OMU processes and performs routine OM functions by using, for example, alarms and logs. | User omu has permissions to control the status of OMU processes. | omu |

Managing OS logs

To better manage OS logs and protect their security, the OS uses different log management

policies based on log types, saving paths, and log formats.

Linux OS logs are classified into two types:

− Login logs

utmp and wtmp are key log files in the Linux OS log system.

utmp records the information about users who have logged in to the system. wtmp

records the information about login, logout, data exchange, power-off, and restart.

− System logs

System logs are configured in the /etc/syslog-ng/syslog-ng.conf file.

Different logs are saved in different paths:

− The saving path of a system log can be specified by the destination messages

parameter in the /etc/syslog-ng/syslog-ng.conf file. The default path is /var/log/messages.

− utmp is saved in /var/run/utmp.

− wtmp is saved in /var/log/wtmp.

The policies for managing OS logs are as follows:

− Creates a centralized log management mechanism.

If multiple computers use the SuSE Linux OS, use a central log server to save and manage logs. Centralized log management reduces the daily workload of querying logs and helps trace attackers.

− Backs up logs.

− Controls the access to logs.

− Compresses logs and saves them for a long period.

Configuring interconnection security data

To harden system security, the OS supports the configuration of the following security

data for interconnection between an OMU (or another board) and an OM node (such as an LMT):

− Client digital certificate

A client digital certificate is used to authenticate a client that communicates with the

OMU. The client supports two types of certificates:

− Common Cert: To apply a certificate to all offices, set the certificate as Common

Cert.

− Server Cert: To apply a certificate to only one office, set the certificate as Server

Cert.

− SMM security data

To harden system security during deployment and routine OM, the OS allows the following security configurations for the shelf management module (SMM):

− Prohibiting a user from accessing the SMM from an external network port

− Prohibiting user root from accessing the SMM, and allowing only user smm to access the SMM

− Secure transmission mode between a client and the OMU

By default, the system supports SSL connections and common connections. SSL

connections are recommended for secure data transmission.
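
The log locations and the owner/group/others permission model described above can be checked mechanically. The following audit is an added example, not Huawei tooling: the baseline modes are assumptions, while the paths and the messages destination name are the ones the text gives.

```python
import os
import re
import stat

# Baseline modes are assumptions of this example, not values from the page.
# The paths are the default locations the text names.
BASELINE = {
    "/var/log/messages": 0o640,   # system log: no access for others
    "/var/run/utmp": 0o664,       # login records: others may read, not write
    "/var/log/wtmp": 0o664,
}
DEST_RE = re.compile(r'destination\s+(\w+)\s*\{[^}]*?file\(\s*"([^"]+)"', re.S)


def syslog_file_destinations(conf_text):
    """Map syslog-ng destination names to their file() paths."""
    uncommented = re.sub(r"#.*", "", conf_text)
    return dict(DEST_RE.findall(uncommented))


def excess_permissions(mode, allowed):
    """List permission bits set beyond `allowed`, per owner/group/others."""
    extra = mode & ~allowed & 0o777
    found = []
    for who, shift in (("owner", 6), ("group", 3), ("others", 0)):
        bits = (extra >> shift) & 0o7
        perms = "".join(c for c, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b)
        if perms:
            found.append(f"{who}+{perms}")
    return found


def audit_logs(root="/", syslog_conf=""):
    """Return {path: [findings]} for the system log, utmp and wtmp.

    `syslog_conf` is the text of /etc/syslog-ng/syslog-ng.conf; when its
    "messages" destination points elsewhere, that file is audited instead.
    """
    baseline = dict(BASELINE)
    dest = syslog_file_destinations(syslog_conf).get("messages")
    if dest and dest != "/var/log/messages":
        baseline[dest] = baseline.pop("/var/log/messages")
    report = {}
    for path, allowed in baseline.items():
        real = os.path.join(root, path.lstrip("/"))
        try:
            st = os.lstat(real)
        except FileNotFoundError:
            report[path] = ["missing"]
            continue
        if stat.S_ISLNK(st.st_mode):
            # A symlinked log can be redirected to another file.
            report[path] = ["symlink"]
            continue
        report[path] = excess_permissions(stat.S_IMODE(st.st_mode), allowed)
    return report


if __name__ == "__main__":
    conf_path = "/etc/syslog-ng/syslog-ng.conf"
    conf = open(conf_path).read() if os.path.exists(conf_path) else ""
    for log_path, findings in audit_logs("/", conf).items():
        print(log_path, findings or "ok")
```

An empty findings list means the file carries no permission bits beyond the assumed baseline.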

Dependency

This feature does not depend on other features.

Standards

None

2 Optional Features

2.1 Security Management

2.1.1 eCNSFD-110001 NAS Encryption and Integrity Protection (AES)

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

This feature uses Advanced Encryption Standard (AES) to protect non-access stratum (NAS)

signaling and improve system security.

NAS is a protocol layer between the UE and the EPC, used to transmit user data and signaling

between them.

Benefits

This feature ensures the security and reliability of NAS signaling in addition to user data.

Description

AES is the most widely used encryption and integrity protection standard in the world. 3GPP

defines two AES algorithms, EPS Encryption Algorithm 2 (EEA2) and EPS Integrity

Algorithm 2 (EIA2), with the key length of 128 bits.

After a UE attaches to the network, the UE notifies the eCNS of the encryption and integrity protection algorithms that it supports.

If the UE supports AES, the eCNS determines whether to use AES according to local policies.

If AES is used, the eCNS uses AES to encrypt and protect the integrity of signaling between

the UE and the eCNS.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 33.401, "3GPP System Architecture Evolution (SAE); Security architecture"

2.1.2 eCNSFD-110002 NAS Encryption and Integrity Protection (SNOW3G)

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

This feature uses SNOW 3G to protect NAS signaling and improve system security.

NAS is a protocol layer between the UE and the EPC, used to transmit user data and signaling

between them.

Benefits

This feature ensures the security and reliability of NAS signaling in addition to user data.

Description

SNOW 3G is an EPS security standard. 3GPP defines two SNOW 3G algorithms, EPS

encryption algorithm 1 (EEA1) and EPS integrity algorithm 1 (EIA1), with the key length of

128 bits.

After a UE attaches to the network, the UE notifies the eCNS of the encryption and integrity protection algorithms that it supports.

If the UE supports SNOW 3G, the eCNS determines whether to use SNOW 3G based on the

local policy to encrypt and protect the integrity of signaling between the UE and the eCNS.
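
The selection step described in 2.1.1 and 2.1.2 (the UE reports its algorithms, the eCNS chooses by local policy) can be sketched as follows. This is an added example, not eCNS code: the bit layout is taken from the UE network capability and NAS security algorithms information elements of 3GPP TS 24.301, and the priority lists and the refusal of null integrity are assumed policy.

```python
# Bit layout follows the UE network capability and NAS security algorithms
# information elements of 3GPP TS 24.301 (assumed here; not given on the page).
# EEA1/EIA1 are the SNOW 3G algorithms, EEA2/EIA2 the AES algorithms.


def parse_ue_network_capability(value):
    """Return (ciphering, integrity) algorithm-name sets the UE supports.

    `value` is the IE value: first octet EEA0..EEA7, second octet EIA0..EIA7,
    most significant bit first.
    """
    if len(value) < 2:
        raise ValueError("UE network capability needs at least two octets")

    def names(octet, prefix):
        return {f"{prefix}{n}" for n in range(8) if octet & (0x80 >> n)}

    return names(value[0], "EEA"), names(value[1], "EIA")


def select_nas_algorithms(ue_capability, cipher_policy, integrity_policy):
    """Pick the first algorithm in each local priority list that the UE supports."""
    eea, eia = parse_ue_network_capability(ue_capability)
    cipher = next((a for a in cipher_policy if a in eea), None)
    integrity = next((a for a in integrity_policy if a in eia), None)
    # Assumed policy: signaling is never accepted without integrity protection.
    if integrity is None or integrity == "EIA0":
        raise ValueError("no common non-null integrity algorithm")
    if cipher is None:
        raise ValueError("no common ciphering algorithm")
    return cipher, integrity


def encode_selected_algorithms(cipher, integrity):
    """Value octet of the NAS security algorithms IE: 0ccc0iii."""
    return (int(cipher[3:]) << 4) | int(integrity[3:])


# Hypothetical local policy: prefer AES, then SNOW 3G, null ciphering last.
CIPHER_POLICY = ["EEA2", "EEA1", "EEA0"]
INTEGRITY_POLICY = ["EIA2", "EIA1"]

if __name__ == "__main__":
    # Constructed capability value: EEA0-2 and EIA0-2 supported.
    chosen = select_nas_algorithms(bytes([0xE0, 0xE0]), CIPHER_POLICY, INTEGRITY_POLICY)
    print(chosen, hex(encode_selected_algorithms(*chosen)))
```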

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 33.401, "Security architecture"

ETSI Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2, Document 2: SNOW 3G Specification

2.1.3 eCNSFD-110003 O&M SSL

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

Summary

The eCNS employs the Huawei SeCert Transport Layer Security (TLS) development library and supports SSLv3.0, TLSv1.0, and TLSv1.1 by default.

The Secure Socket Layer (SSL) feature can be implemented when the eCNS communicates

with the M2000 or LMT to enhance security through encryption. Therefore, the MML channel,

binary channel, SOAP interface, Web interface, and FTP file transfer channel between the

eCNS and the M2000 or LMT can be encrypted to ensure secure transmission.

Benefits

The security of accounts and passwords of Internet service providers (ISPs) for operation and maintenance is guaranteed, data is transmitted over networks while remaining intact, and the network operation expenditure is reduced.

By providing the SSL value-added service to enterprises and individuals, an ISP establishes closer long-term cooperative relationships with them and improves service quality as the ISP makes full use of the existing network resources. The ISP therefore becomes more competitive and gains greater business profits.

Description

SSL is a security protocol that was first proposed by Netscape to provide secure

communication for the application layer based on TCP transmission. In the TCP/IP protocol

stack, SSL is applied between the transport layer and the application layer and adopts TCP to

carry messages, therefore ensuring secure transmission for the application layer. SSL is

widely used in services such as Web, FTP, and Telnet.

Currently, available SSL versions are SSLv1, SSLv2, and SSLv3, among which SSLv3 is the

latest version. The standardized versions of SSL are TLS1.0 and TLS1.1.

SSL provides the following security services:

Identity authentication

Identity authentication means checking whether the peer end is the actual end with which

you want to communicate. SSL authenticates the server and the client based on digital

certificates to confirm that they are legitimate users. Both the client and the server have

their own identifiers, which are numbered with a public key. To verify that a user is

legitimate, SSL requires digital authentication during data exchange in the handshake

stage.

Connection privacy

Connection privacy means that data is encrypted before transmission to avoid data

cracking by illegitimate users. SSL ensures connection privacy by employing encryption algorithms. The common encryption algorithms are DES, 3DES, RC2, and RC4.

Data integrity

Data integrity means that any modification to data during transmission can be detected.

SSL sets up a secure channel between the client and the server so that all SSL-processed

data can reach the destination without being modified. SSL guarantees data integrity by

employing message digest algorithms. The common message digest algorithms are MD5 and SHA-1.
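
When reviewing what the O&M channels actually negotiate, the protocol versions and algorithms named in this section are the ones to look for. The audit below is an added example, not part of the product: the session records are constructed, and treating these versions and algorithms as legacy is this example's policy, based on the RFCs cited in its comments.

```python
import re

# Classification is this example's policy. SSLv3 was deprecated by RFC 7568,
# TLS 1.0 and 1.1 by RFC 8996, and RC4 cipher suites were prohibited by RFC 7465.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
PROTOCOL_ALIASES = {"SSLv3.0": "SSLv3", "TLSv1": "TLSv1.0",
                    "TLS1.0": "TLSv1.0", "TLS1.1": "TLSv1.1"}
# Name components that identify the algorithms this section lists.
LEGACY_TOKENS = {"RC2": "RC2", "RC4": "RC4", "MD5": "MD5",
                 "SHA": "SHA-1", "SHA1": "SHA-1"}


def legacy_algorithms(suite):
    """Return the legacy algorithms named in an OpenSSL- or IANA-style suite name."""
    tokens = set(re.split(r"[-_]", suite.upper()))
    found = {label for token, label in LEGACY_TOKENS.items() if token in tokens}
    # "DES-CBC3-SHA" and "..._3DES_EDE_CBC_SHA" are triple DES, not single DES.
    if tokens & {"3DES", "CBC3"}:
        found.add("3DES")
    elif "DES" in tokens:
        found.add("DES")
    return sorted(found)


def audit_session(protocol, suite):
    """Return findings for one negotiated (protocol, cipher suite) pair."""
    protocol = PROTOCOL_ALIASES.get(protocol, protocol)
    findings = []
    if protocol in LEGACY_PROTOCOLS:
        findings.append(f"protocol {protocol}")
    findings += [f"algorithm {name}" for name in legacy_algorithms(suite)]
    return findings


def audit(observations):
    """Map each channel to its findings; an empty list means nothing was flagged."""
    return {channel: audit_session(protocol, suite)
            for channel, protocol, suite in observations}


# Constructed observations for three of the channels named above.
SAMPLE = [
    ("MML", "SSLv3.0", "RC4-MD5"),
    ("FTP", "TLSv1.1", "DES-CBC3-SHA"),
    ("Web", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
]

if __name__ == "__main__":
    for channel, findings in audit(SAMPLE).items():
        print(channel, findings or "ok")
```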

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

None

2.2 Service Management

2.2.1 eCNSFD-110004 Static IP Address Allocation

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

This feature is an optional feature and is under license control.

Summary

The eCNS allocates static IP addresses to UEs based on subscriber data.

Benefits

This feature provides a basic function for radio access.

Description

A UE must obtain at least one IP address before it is able to access PS services. A PDN

Address Allocation IE is specified during the setup of a default bearer for the UE. This IE

contains protocol information (including an IP address field) the UE must obtain before it is

able to access an external PDN. In addition, this IE indicates the method the UE expects to

use to obtain an IP address.

3GPP TS 23.401 defines three modes of allocating IP addresses to UEs:

IP address allocation from the local address pool

In this mode, the eCNS allocates a dynamic IP address to a UE from the local address

pool during the activation of a bearer for the UE.

The local address pool contains the IP addresses planned by the enterprise customer.

Static IP address allocation

In this mode, the eCNS allocates IP addresses to UEs from its integrated subscriber data

module. This module matches the IMSI of each UE to an IP address range planned by

the enterprise customer. This mode is a pure static IP address allocation mode, which

requires complex configurations.

IP address allocation from the RADIUS server

In this mode, the eCNS allocates dynamic IP addresses obtained from the RADIUS

server during UE authentication in the bearer activation procedure. Note that dynamic IP addresses are carried in access response messages sent by the RADIUS server.

This mode is applicable to enterprise customers or internet service providers (ISPs) who manage the RADIUS server and plan IP addresses for their internal users.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved

Universal Terrestrial Radio Access Network (E-UTRAN) access"

2.2.2 eCNSFD-110005 Multiple PDN Connection

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

This feature is an optional feature and is under license control.

Summary

A UE can create several PDN connections to access different networks at the same time. The

UE also needs to support the feature.

Benefits

The multiple PDN feature enables a UE to connect to several networks at the same time.

Therefore, the UE can use other services without stopping the current service. For example, the UE can receive multimedia messages while surfing the Internet, or send pictures found on websites through multimedia messages.

Description

The EPS can support simultaneous exchange of IP traffic between a UE and multiple PDNs

by using one or several PDN GWs. The usage of multiple PDNs is controlled by network

policies and defined in the subscription data.

To allow one or several connections to the PDN, the EPS must support the UE-initiated PDN

connection procedure. The UE-initiated PDN connection procedure includes the

establishment of a default bearer.

The UE can use the disconnection procedure to disconnect from any PDN. In this

disconnection procedure, all bearers related to the disconnected PDN, including the default

bearer, are released.

The disconnection procedure cannot be used to disconnect the last PDN connection. The UE

or eCNS can initiate a detach procedure to disconnect the last PDN connection.

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved

Universal Terrestrial Radio Access Network (E-UTRAN) access"

2.2.3 eCNSFD-110008 SPI-based QoS Profile Control

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

This feature is an optional feature and is under license control.

Summary

This feature uses the shallow packet inspection (SPI) technique to recognize traffic flows and

provide QoS guarantees. SPI refers to the inspection of quintuples in IP packet headers at L3

and L4. A quintuple contains the source address, destination address, source port number,

destination port number, and protocol type.

Benefits

This feature enables the eCNS to perform effective control and refined management, provide

different QoS guarantees for different services, and improve user satisfaction.

Description

In the uplink, the eCNS resolves quintuples in packet headers after GTP decapsulation. If the

filtering rules for L3 or L4 are configured, the eCNS filters the packets based on the

quintuples and according to the rules.

In the downlink, the eCNS resolves quintuples in packet headers. If the filtering rules for L3

or L4 are configured, the eCNS filters the packets based on the quintuples and according to

the rules.

After the filtering, the eCNS applies different QoS profiles to different types of packets. For

example, the eCNS initiates a dedicated bearer setup procedure.

If a dedicated bearer fails to be set up, the eCNS can age the quintuple used for setting up the

dedicated bearer. The purpose is to trigger the SPI procedure again and to prevent a temporary

setup failure from becoming a permanent setup failure.
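
The uplink and downlink inspection and the quintuple aging described above can be sketched as follows. This is an added example, not eCNS code: it handles IPv4 only, the GTP-U header layout is the GTPv1-U one from 3GPP TS 29.281 (an assumption, the page does not give it), and Rule, FlowTable and the profile names are hypothetical.

```python
import ipaddress
import struct
from dataclasses import dataclass

ANY_PORT = (0, 65535)


def gtpu_decapsulate(pkt):
    """Return the inner IP packet of a GTPv1-U G-PDU (uplink direction)."""
    if len(pkt) < 8:
        raise ValueError("short GTP-U header")
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != 0xFF:
        raise ValueError("not a GTPv1-U G-PDU")
    end = 8 + length
    if end > len(pkt):
        raise ValueError("truncated G-PDU")
    off = 8
    if flags & 0x07:                      # E, S or PN set: 4 optional octets
        if length < 4:
            raise ValueError("optional fields missing")
        next_ext, off = (pkt[11] if flags & 0x04 else 0), 12
        while next_ext:                   # walk the extension headers
            if off >= end or pkt[off] == 0 or off + pkt[off] * 4 > end:
                raise ValueError("bad extension header")
            off += pkt[off] * 4
            next_ext = pkt[off - 1]
    return pkt[off:end]


def quintuple(ip):
    """(src, dst, sport, dport, proto) of an IPv4 packet. Ports are None when
    there is no TCP/UDP header to read (other protocol or a later fragment)."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = ip[9]
    src, dst = (str(ipaddress.IPv4Address(ip[o:o + 4])) for o in (12, 16))
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    sport = dport = None
    if proto in (6, 17) and frag_offset == 0 and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, sport, dport, proto


@dataclass
class Rule:
    profile: str                    # QoS profile applied on a match
    proto: int = 0                  # 0 matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: tuple = ANY_PORT
    dport: tuple = ANY_PORT

    def matches(self, q):
        src, dst, sport, dport, proto = q

        def port_ok(port, rng):
            return rng == ANY_PORT or (port is not None and rng[0] <= port <= rng[1])

        return (self.proto in (0, proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and port_ok(sport, self.sport) and port_ok(dport, self.dport))


def classify(pkt, rules, uplink, default="default-bearer"):
    """Return (quintuple, profile); uplink packets are decapsulated first."""
    q = quintuple(gtpu_decapsulate(pkt) if uplink else pkt)
    return q, next((r.profile for r in rules if r.matches(q)), default)


class FlowTable:
    """Remembers quintuples already handled so SPI triggers once per flow."""

    def __init__(self):
        self.known = {}

    def needs_bearer_setup(self, q, profile):
        if q in self.known:
            return False
        self.known[q] = profile
        return True

    def age(self, q):
        """Forget a quintuple after a failed dedicated bearer setup, so the
        next packet of the flow triggers the SPI procedure again."""
        self.known.pop(q, None)
```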

Enhancement

Table 2-1 Release history and enhancement

| Feature Version | Product Version | Details |
|---|---|---|
| eCNSFD-110008, 02 | eCNS600 V100R002 | Added the function of reestablishing dedicated bearers after establishment failures. |
| eCNSFD-110008, 01 | eCNS600 V100R001 | First official release. |

Dependency

This feature does not depend on other features.

Standards

None

2.2.4 eCNSFD-110009 Offline Charging

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

This feature is an optional feature and is under license control.

Summary

This feature enables the eCNS to send generated original CDRs to CGs using GTPv2. The

CGs perform original CDR storage, consolidation, and standardization, and then send the

processed data to the billing system (BS) for generating final bills.

Currently, the eCNS does not support content-based offline charging.

Benefits

Enterprise Customers

This feature enables enterprise customers to perform exact charging based on information

about data services used by end users. In addition, this feature provides reference data for

accounting between enterprise customers and for accounting between an enterprise customer

and an Internet service provider (ISP).

Information about end users' data services helps analyze end users' behaviors and habits, and

helps develop operating policies.

End Users

This feature helps end users reduce consumption based on information about data services

they used.

Description

Application Scenario

This feature applies to the following scenarios:

Traffic-based charging

Duration-based charging

Network Structure

The network structure for offline charging is as follows:

Figure 2-1 Network structure for offline charging

The eCNS records information about data services used by end users, generates original

CDRs, and sends the original CDRs to CGs using GTP'. The CGs perform original CDR

storage, consolidation, and standardization, and then send the processed data to the BS for

generating final bills.

Load Sharing Between CGs

The eCNS can connect to multiple CGs and configure priorities for these CGs. If the CGs

have different priorities, the eCNS selects the CG with the highest priority.

When a large number of original CDRs are generated, the eCNS can send the original CDRs

to different CGs. This reduces the performance requirement on a single CG and improves the

reliability of original CDR transmission.

CG Link Detection

If the eCNS does not receive any response after sending original CDRs to a CG, the eCNS resends the original CDRs to the CG. If the response times out, the eCNS considers the CG to be faulty.

If there is no original CDR to send, the eCNS sends an Echo message to the CG every minute. If the eCNS does not receive any response for N consecutive times, the eCNS considers the CG to be faulty. N is set to 3 by default.

CDR Buffering

If the communication between the eCNS and CGs is broken, the eCNS buffers original

CDRs. After the link recovers, the eCNS sends the original CDRs to the CG.
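
The CG selection, link detection and buffering rules above combine into a small state machine. The sketch below is an added example, not eCNS code: the class names are hypothetical, the send callable stands in for the GTP' transport, and treating a smaller priority number as higher priority is an assumption. Load sharing of CDRs across CGs is not modelled.

```python
from collections import deque


class ChargingGateway:
    def __init__(self, name, priority):
        self.name = name
        self.priority = priority      # assumption: smaller number = higher priority
        self.missed_echoes = 0
        self.faulty = False


class CdrSender:
    def __init__(self, gateways, send, max_missed_echoes=3):
        self.gateways = sorted(gateways, key=lambda g: g.priority)
        self.send = send              # send(cg_name, cdr) -> True when the CG answers
        self.max_missed_echoes = max_missed_echoes   # N in the text, 3 by default
        self.buffer = deque()

    def submit(self, cdr):
        """Deliver one CDR; return the CG name used, or None if it was buffered."""
        for cg in self.gateways:
            if cg.faulty:
                continue
            # One transmission plus one resend before the CG is declared faulty.
            if self.send(cg.name, cdr) or self.send(cg.name, cdr):
                return cg.name
            cg.faulty = True
        self.buffer.append(cdr)       # no usable CG: keep the CDR until recovery
        return None

    def on_echo(self, name, answered):
        """Record the result of the Echo sent every minute on an idle link."""
        cg = next(g for g in self.gateways if g.name == name)
        if answered:
            cg.missed_echoes, cg.faulty = 0, False
            self.flush()
        else:
            cg.missed_echoes += 1
            if cg.missed_echoes >= self.max_missed_echoes:
                cg.faulty = True

    def flush(self):
        """Resend buffered CDRs in order; undelivered ones stay buffered."""
        for _ in range(len(self.buffer)):
            self.submit(self.buffer.popleft())
```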

CDR Generation

The eCNS can control whether to generate original CDRs for an APN based on a specified

charging characteristic.

A CDR contains multiple fields such as user ID, service time segment, and service duration,

based on which the BS charges end users.

The original CDR generation procedure consists of the following three phases:

Generating start original CDRs

The eCNS generates start original CDRs when the services are activated, and records the

user's subsequent actions that require charging.

Generating intermediate original CDRs

The eCNS generates intermediate original CDRs for the end user when the service duration, traffic volume, charge rate, number of QoS changes, or another parameter value reaches its threshold.

Generating final original CDRs

After the end user stops the services, the eCNS generates final original CDRs.

The preceding procedure shows that the eCNS may generate multiple original CDRs for a service procedure. The BS consolidates these CDRs and generates final bills.

The original CDRs generated by the eCNS comply only with the R9 CDR version.

CDR Transfer

After the eCNS generates original CDRs, it encodes the original CDRs in Abstract Syntax

Notation One (ASN.1) format, encapsulates the original CDRs using GTP', and then sends the

GTP' packets to CGs.

Enhancement

None

Dependency

Table 2-2 Interaction with other features

| Feature | Interaction |
|---|---|
| eCNSFD-070600 Ga Interface | Offline charging depends on the Ga interface to the CG. |

Standards

3GPP TS 32.240, "Charging management; Charging architecture and principles"

3GPP TS 32.298, "Charging management; Charging Data Record (CDR) parameter description"

3GPP TS 32.251, "Charging management; Packet Switched (PS) domain charging"

3GPP TS 32.295, "Charging management; Charging Data Record (CDR) transfer"

2.2.5 eCNSFD-110011 UE IP Address assigned by the Radius AAA Server

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

Summary

The eCNS600 cooperates with the RADIUS AAA server to implement centralized assignment of wireless terminal IP addresses across the whole network.

Benefits

Enterprise Customers

Wireless terminal IP addresses are centrally managed by enterprise customers. Even when wireless terminals roam across core networks, their IP addresses can be centrally assigned by the RADIUS AAA server. For example, in the railway industry, the IP addresses of terminals in vehicles must be centrally assigned, and when these terminals roam across core networks, their IP addresses should be unique and fixed.

Description

Application Scenario

Centralized management of UEs for enterprise customers

Enterprise customers require the deployment of multiple P-GWs and central

management of UE IP addresses, as shown in the following figure.

[Figure: network diagram with the labels LTE UE, eCNS600, MME, HSS, S-GW, P-GW, and AAA Server]

Capacity expansion of the authentication, authorization, and accounting (AAA) server

for enterprise customers

If the number of UEs in an enterprise network exceeds an AAA server's capacity for authentication or UE IP address assignment, the enterprise customer can add RADIUS AAA servers to share the load of processing authentication messages sent by P-GWs, as shown in the following figure.

[Figure: network diagram with the labels LTE UE, eCNS600, MME, HSS, S-GW, P-GW, and two AAA Server nodes]

Services and Functions

The eCNS600 obtains UE IP addresses from the RADIUS AAA server and provides various

services and functions.

UE IP address assignment by RADIUS AAA server

The eCNS600 obtains UE IP addresses from the AAA server through RADIUS authentication.

Mapping between APN and AAA server

The eCNS600 supports the configuration of active/standby AAA servers for each APN.

Configuring authentication message resend count and expiration time

The eCNS600 supports the configuration of authentication message resend count and

expiration time based on network conditions.

Stripping the domain name from the user name

The eCNS600 can be configured to include or omit the domain name in the user name of the authentication message sent to the RADIUS AAA server.

Before an authentication message is sent, the eCNS600 checks whether the APN is

configured to strip a domain name. If yes, the domain name will be stripped from the

user name before an authentication message is sent to the AAA server. That is, the

message sent to the AAA server carries the user name without a domain name. If no, the

domain name will not be stripped from the user name. By default, the domain name is kept.

Configuring port numbers for communicating with the AAA server

The eCNS600 supports optional configuration of the destination ports of the eCNS600

for communicating with the AAA server. By default, the port number for authentication

is 1812 and that for accounting is 1813. The port number for authentication ranges from

1 to 65535 for compatibility with other AAA server ports whose numbers are not the

default values.

AAA server load sharing

The eCNS600 allows sending RADIUS authentication messages to multiple AAA

servers in load sharing mode between AAA servers, which ensures high service reliability.

Active/Standby AAA server

The eCNS600 allows the AAA servers to receive RADIUS authentication messages in

active/standby mode. In this mode, if the active AAA server works normally, it will

receive all RADIUS authentication messages. If the active server is faulty, all the messages are sent to the standby server.

3GPP extended attributes

3GPP 29.061 defines the protocols of interfaces between the P-GW and the AAA server.

The eCNS600 transmits the extended attributes defined in the 3GPP 29.061 protocol (for

example: IMSI, MCC, and MNC) to the AAA server for authentication reference.

Context deactivation according to RADIUS Packet of Disconnect (POD) messages

The eCNS600 retrieves a UE IP address according to a POD message.

POD messages, which are used to deactivate subscribers, are sent actively by the RADIUS AAA server to the P-GW.

The eCNS600 deactivates context according to POD messages. It checks the validity of

POD messages and receives only PODs containing server IP addresses. Then it deactivates subscribers based on their IMSIs and NSAPIs.
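The validity check described above can be illustrated with a generic receiver for RADIUS Disconnect-Request packets. This is an added example, not eCNS600 code: it assumes the RFC 5176 packet format, reads "PODs containing server IP addresses" as "the source address is a configured AAA server", and assumes the subscriber is identified by the 3GPP-IMSI and 3GPP-NSAPI vendor-specific attributes of TS 29.061; the addresses, secret and subscriber values are constructed.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40       # RFC 5176 code for a Packet of Disconnect
VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute
VENDOR_3GPP = 10415           # 3GPP vendor id used by TS 29.061 attributes
SUB_IMSI, SUB_NSAPI = 1, 10   # 3GPP-IMSI and 3GPP-NSAPI sub-attribute types


def vsa_3gpp(sub_type, value):
    """Encode one 3GPP sub-attribute inside a Vendor-Specific attribute."""
    body = struct.pack("!I", VENDOR_3GPP) + bytes([sub_type, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def build_pod(identifier, secret, imsi, nsapi):
    """Build a signed Disconnect-Request; used only to construct sample input."""
    attrs = vsa_3gpp(SUB_IMSI, imsi.encode()) + vsa_3gpp(SUB_NSAPI, nsapi.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def parse_3gpp(attrs):
    """Walk the attribute list and return {sub_type: value} for 3GPP VSAs."""
    found, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        attr_type, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_3GPP:
            continue
        sub, i = value[4:], 0
        while i + 2 <= len(sub) and 2 <= sub[i + 1] <= len(sub) - i:
            found[sub[i]] = sub[i + 2:i + sub[i + 1]]
            i += sub[i + 1]
    return found


def validate_pod(packet, source_ip, servers):
    """Return (imsi, nsapi) for an acceptable POD, else raise ValueError."""
    secret = servers.get(source_ip)
    if secret is None:
        raise ValueError("source is not a configured AAA server")
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Disconnect-Request")
    packet = packet[:length]              # ignore padding after the stated length
    # RFC 5176: MD5(code + id + length + 16 zero octets + attributes + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch")
    found = parse_3gpp(packet[20:])
    if SUB_IMSI not in found or SUB_NSAPI not in found:
        raise ValueError("POD does not identify a subscriber context")
    return found[SUB_IMSI].decode(), found[SUB_NSAPI].decode()


# Constructed sample: documentation address and a made-up secret, IMSI and NSAPI.
SERVERS = {"192.0.2.10": b"constructed-secret"}
SAMPLE_POD = build_pod(7, SERVERS["192.0.2.10"], "001010123456789", "5")
```

The source-address check alone is not sufficient because UDP source addresses can be forged; the authenticator check binds the request to the shared secret of that server.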

Enhancement

None.

Dependency

This feature depends on the PCO setting of the UE. The UE must support at least the Authentication Type, User Name and Password items in its PCO Setting. The Initial UE Message must carry these three information elements to the EPC in the UE Attach process.

Standard

RFC 2865 Remote Authentication Dial In User Service (RADIUS)

3GPP TS 23.401, General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access

3GPP TS 29.061 Interworking between the Public Land Mobile Network (PLMN) supporting packet based services and Packet Data Networks (PDN)

2.2.6 eCNSFD-110012 E2E Subscriber Tracing

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

Summary

The end-to-end subscriber trace feature enables multiple MEs to trace signaling messages of a subscriber in a trace task and to send traced messages to a specified device such as an NMS.

Benefits

Enterprise Customers

The end-to-end subscriber trace feature can improve fault location efficiency for refined network maintenance.

Description

Operation and maintenance engineers can use the end-to-end subscriber trace feature to trace subscriber signaling messages and then analyze the traced signaling messages for handling customer complaints, locating network faults, adjusting and optimizing networks, analyzing subscriber behaviors, and testing new features.

Figure 2-2 shows the end-to-end subscriber trace procedure.

Figure 2-2 End-to-end subscriber trace

1. The element management system (EMS) sends a trace command to the MME through a management link. The command can create, check, or delete trace sessions. Alternatively, the EMS sends a trace command to the HSS, and the HSS informs the MME of the command through a message over the S6a interface. The trace command is subscriber-specific, and the subscriber is specified by the IMSI or MSISDN.

2. The MME sends trace control parameters to the S-GW, P-GW, and eNodeB through signaling links.

3. The MME traces signaling messages and sends the traced signaling messages in file report mode to the EMS through the trace data link. Then, the EMS displays the traced messages.

Trace data includes the trace reference ID, trace depth, trace ME list, and trace interface list of each ME.

Trace reference ID

It uniquely identifies a trace session.

Trace depth

It indicates the content depth of traced messages reported by the MEs. Currently, only the maximum depth is supported, that is, complete messages are reported.

Trace ME list

It lists the MEs required to trace signaling messages in a trace session, including the eNodeB, MME, S-GW, and P-GW. The MME sends trace data to the MEs in this list.

Trace interface list

It lists the interfaces on which messages need to be traced. Each ME has a trace interface list. When the eCNS600 serves as the MME, the messages on the S1-MME, S6a, and S10 interfaces can be traced.

[Figure 2-2 elements: eNB, HSS, SGW, MME, PGW, EMS (Vendor A and Vendor B), NMS; interfaces S1 and Itf-N; numbered steps 1 to 3]

Enhancement

None.

Dependency

The complete end-to-end subscriber trace function requires that all of the EMS, MME, eNodeB, S-GW, P-GW, and HSS support the end-to-end subscriber trace function. For the eCNS600 to implement the end-to-end subscriber trace function, at least the EMS must support the end-to-end subscriber trace function.

Standard

3GPP TS 32.422, Telecommunication management; Subscriber and equipment trace: Trace control and configuration management

2.3 Reliability

2.3.1 eCNSFD-110006 eCNS Redundancy

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

This feature is an optional feature and is under license control.

Summary

eCNS redundancy is a disaster tolerance mechanism where multiple eCNSs serve the same radio coverage area (called the eCNS redundancy area). These eCNSs connect to all the eNodeBs in this area and work in load sharing mode.

Benefits

This feature implements disaster tolerance and improves the network availability.

Description

In eCNS redundancy scenarios, the eNodeB selects an eCNS for a UE based on the load sharing policy configured on the eNodeB. Therefore, the eNodeB needs to know the status of the eCNSs. If the eNodeB detects that an eCNS is unavailable, it adjusts the load sharing policy and assigns new service requests to other eCNSs. In addition, the eNodeB needs to obtain the load sharing weights of the eCNSs through the S1 interfaces so that the eNodeB can select an eCNS for a UE from available eCNSs.

An area served by multiple eCNSs is called an eCNS redundancy area. If one or more tracking areas (TAs) are served by multiple eCNSs, these TAs form an eCNS redundancy area.

eCNS redundancy mainly implements disaster tolerance and improves the network availability. In addition, eCNS redundancy can be used to increase the maximum data throughput when the forwarding capability of the network becomes a bottleneck.

Table 2-3 lists eCNS redundancy specifications.

Table 2-3 eCNS redundancy specifications

Item | Specification | Remarks
Network usability | 1 - (1 - A)^N | A: system availability of an eCNS; N (≤5): number of eCNSs
Maximum data throughput | N x 4 Gbit/s | 4 Gbit/s: maximum data throughput of an eCNS

Enhancement

None

Dependency

This feature does not depend on other features.

Standards

3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access"

3GPP TS 23.236, "Intra-domain connection of Radio Access Network (RAN) nodes to multiple Core Network (CN) nodes"

2.4 Networking

2.4.1 eCNSFD-110007 Bidirectional Forwarding Detection (BFD)

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R001.

This feature is an optional feature and is under license control.

Summary

Bidirectional forwarding detection (BFD) is used to detect communication faults between devices and notify the upper layers of the faults.

The major characteristics of BFD are as follows:

Implements bidirectional link detection, which does not significantly add to the network load and requires little time to complete.

Dynamically modifies BFD parameters without affecting the status of ongoing sessions.

Benefits

This feature provides a transmission-media-independent detection mechanism that enables fault detection at the millisecond level.

Description

The eCNS supports single-hop BFD, which refers to detection of IP connectivity between directly connected devices.

For a data protocol, only one BFD session exists on a specified interface such as a physical port, virtual circuit, or tunnel.

BFD packets are encapsulated in UDP packets. The destination port number is 3784. The source port number is in the range 49152 to 65535. All the BFD packets of a session use the same source port number.

The eCNS supports BFD in asynchronous mode, but not in demand mode. In asynchronous BFD, the devices periodically send BFD packets to each other. If one device does not receive any packet from the other device within a specified period, the session is considered to be down. Asynchronous BFD is most commonly used.
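The receive-side checks and the asynchronous-mode timeout described above can be sketched as follows. This is an added example, not eCNS code: the control packet layout and detection-time rule follow RFC 5880 and the TTL 255 check follows RFC 5881 (the published forms of the drafts this section cites, which is an assumption about the implementation), and the discriminators and timer values are constructed.

```python
import struct

BFD_PORT = 3784                        # destination port stated on the page
SRC_PORTS = range(49152, 65536)        # source port range stated on the page
STATES = ("AdminDown", "Down", "Init", "Up")


def build_control(state, detect_mult, my_disc, your_disc, min_tx_us, min_rx_us):
    """Pack a version-1 control packet; used only to construct sample input."""
    return struct.pack("!BBBBIIIII", 1 << 5, state << 6, detect_mult, 24,
                       my_disc, your_disc, min_tx_us, min_rx_us, 0)


def parse_control(payload):
    """Decode and sanity-check the 24-octet mandatory section."""
    if len(payload) < 24:
        raise ValueError("short BFD packet")
    vers_diag, flags, mult, length, my_disc, your_disc, min_tx, min_rx, _echo = \
        struct.unpack("!BBBBIIIII", payload[:24])
    if vers_diag >> 5 != 1 or not 24 <= length <= len(payload):
        raise ValueError("bad version or length")
    if mult == 0 or my_disc == 0 or flags & 0x01:   # 0x01 is the Multipoint bit
        raise ValueError("invalid Detect Mult, discriminator or M bit")
    return {"state": STATES[flags >> 6], "detect_mult": mult, "my_disc": my_disc,
            "your_disc": your_disc, "min_tx_us": min_tx, "min_rx_us": min_rx}


class SingleHopSession:
    """Receive-side checks and asynchronous-mode detection timer for one peer."""

    def __init__(self, local_min_rx_us):
        self.local_min_rx_us = local_min_rx_us
        self.src_port = None
        self.last_rx_us = None
        self.detect_time_us = None

    def receive(self, now_us, src_port, dst_port, ttl, payload):
        if dst_port != BFD_PORT or src_port not in SRC_PORTS:
            raise ValueError("unexpected UDP port")
        if ttl != 255:                  # RFC 5881: single-hop packets arrive with TTL 255
            raise ValueError("TTL is not 255")
        pkt = parse_control(payload)
        if self.src_port not in (None, src_port):
            raise ValueError("source port changed within session")
        self.src_port = src_port
        # RFC 5880: remote Detect Mult x max(local Required Min RX, remote Desired Min TX)
        self.detect_time_us = pkt["detect_mult"] * max(self.local_min_rx_us,
                                                       pkt["min_tx_us"])
        self.last_rx_us = now_us
        return pkt

    def is_down(self, now_us):
        """True when no valid packet arrived within the detection time."""
        if self.last_rx_us is None:
            return True
        return now_us - self.last_rx_us > self.detect_time_us
```

Packets that fail the port, TTL or source-port checks do not refresh the timer, so forged packets that cannot meet those checks do not keep a failed link looking alive.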

Table 2-4 lists BFD specifications.

Table 2-4 BFD specifications

Item | Specification
Shortest detection time (ms) | 30
Maximum number of BFD sessions | 16
Maximum number of static routes bound to a BFD session | 512
Maximum number of default routes bound to a BFD session | 6

Enhancement

None

Dependency

Table 2-5 Interaction with other features

Feature | Interaction
eCNSFD-040700 VRF | In the network scenario of dual active ports with static routes, BFD should be activated in the VRF so that the eCNS can switch routes when the old route is faulty.

Standards

Draft-ietf-bfd-v4v6-1hop-04

Draft-ietf-bfd-base-04

Draft-ietf-bfd-multihop-04

2.4.2 eCNSFD-110010 Routing Behind MS

Applicable NEs

eCNS

Availability

This feature is introduced in eCNS600 V100R002.

This feature is an optional feature and is under license control.

Summary

This feature applies to mobile VPNs.

This feature allows terminals to access an enterprise network through a wireless device and allows mutual visits between the terminals and the enterprise network. Unlike Network Address Translation (NAT), this feature allows the wireless device to obtain a network segment address (not only an IP address) and assign IP addresses to the terminals. With these addresses, the terminals can communicate with the enterprise network.

The eCNS can determine whether to use this feature for an APN.

Benefits

Enterprise Customers

This feature provides a new business model for mobile VPNs, improves working efficiency, and reduces operating costs.

End Users

This feature enables end users to access the enterprise network through a wireless device. In addition, this feature allows mutual visits between branches and headquarters in a flexible, rapid, and secure manner.

Description

Application Scenario

This feature is mainly applicable to enterprise customers' mobile VPNs.

Both mobile VPN users and common home users can access a network through a wireless device. However, the technologies for the two applications are very different.

Common home users visit a network through a wireless router. The router uses NAT for address translation and allows multiple users to access the network at the same time even when the router obtains only one IP address during an EPS bearer activation procedure.

In comparison, mobile VPN users need to visit or be visited by an enterprise network. As NAT cannot meet this requirement, the Routing Behind MS feature is introduced to address this issue.

Figure 2-3 shows the network structure for the Routing Behind MS feature.

Figure 2-3 Network structure for the Routing Behind MS feature

Main Functional Units

CPE

The CPE is a wireless device. It originates the setup of a default EPS bearer, obtains a network segment address, and assigns IP addresses to the connected terminals.

eCNS

The eCNS receives uplink data from the CPE and forwards the data to PDNs. The eCNS also receives downlink data from PDNs, selects tunnels in the enterprise network based on the destination IP addresses, and sends the data to target terminals.

IP terminals

IP terminals are connected to the CPE. These terminals may be mobile phones, WiFi terminals, or computers.

Enhancement

None

Dependency

Table 2-6 Interaction with other features

Feature | Interaction
eCNSFD-040600 OSPFv2 | One VRF supports more than one OSPF process, while one OSPF process belongs to only one VRF.

Standards

None

2.4.3 eCNSFD-110013 UE Fixed IP MultiHoming

Applicable NEs

eCNS

Availability

This feature was introduced in eCNS600 V100R002.

This feature is an optional feature and is under license control.

Summary

This feature applies to mobile virtual private networks (VPNs). The eCNS dynamically delivers route information containing the UE fixed IP address as the destination IP address over the SGi interface through the Open Shortest Path First (OSPF) protocol. In this way, a UE can access multiple interconnected eCNSs at different time points without changing its fixed IP address.

Benefits

Enterprise Customers

With enterprise networks, most traffic is originated by the network side and the IP addresses of the UEs are fixed. Normally, these UEs attach only to a specific eCNS. The UE Fixed IP MultiHoming feature enables the route to a UE to change with the eCNS that the UE accesses. This improves the UE's capability to perform cross-EPC services. EPC is short for evolved packet core.

Description

Application Scenarios

Cross-region access: In this scenario, the enterprise network consists of multiple eCNSs that cover different regions without any overlap. The UE has a fixed IP address and retains its fixed IP address after attaching to the eCNSs in different regions.

Network redundancy backup: In this scenario, the enterprise network consists of multiple eCNSs whose coverage regions overlap. The UE has a fixed IP address and retains its fixed IP address after attaching to another eligible eCNS in the same region.

The following figure shows the networking for UE Fixed IP MultiHoming.

Figure 2-1 Networking for UE Fixed IP MultiHoming

Main Functional Units

UE: A UE has a fixed IP address and selects an eCNS on an EPC to attach to.

eCNS: When a UE attaches to the eCNS, the eCNS delivers route information containing the UE fixed IP address as the destination IP address over the SGi interface through the OSPF protocol. When a UE detaches from the eCNS, the eCNS notifies the router to delete the route over the SGi interface through the OSPF protocol.

Router: A router learns the route information containing the UE fixed IP address as the destination IP address through the OSPF protocol. When the router receives downlink data sent by the APP server, the router uses the learned routes to send the data to the eCNS that most recently delivered the route.

APP Server: An APP Server initiates services to the UE, sends downlink data to the UE, and receives uplink data from the UE.

Enhancement

None

[Figure 2-1 elements: UE, eNodeB A, eNodeB B, eCNS A, eCNS B, Router, APP Server, OSPF Area; interfaces S1, S5, S10, SGi]

Dependency

Table 2-7 Interaction with other features

Related Feature | Interaction
eCNSFD-040600 OSPFv2 | This feature depends on the eCNSFD-040600 OSPFv2 feature.
eCNSFD-110010 Routing Behind MS | This feature is mutually exclusive with the eCNSFD-110010 Routing Behind MS feature.

Standards

None

