
Cisco ASR 5x Series Configuration Audit Guide 5.0

Global Mobility Practice

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA 2012 Cisco Systems, Inc. All rights reserved.
The information in this document is the proprietary and confidential property of Cisco Corporation. No part of this document may be disclosed, reproduced or distributed without the express written permission of Cisco Corporation. Cisco Corporation reserves the rights to alter the design and specifications at any time without notice, as part of its continuing program of product development. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. 2012 Cisco Systems, Inc. and/or its affiliated entities. All rights reserved.

Configuration Audit Guide

Table of Contents
1. INTRODUCTION ..... 11
2. DATA COLLECTION AND METHODOLOGY ..... 12
3. PREREQUISITES ..... 16
4. PLATFORM AUDIT ..... 17
4.1 Card Audit ..... 18
4.2 Interface Audit ..... 19
4.3 Threshold Audit ..... 20
5. SYSTEM AUDIT ..... 22
5.1 Context Audit ..... 22
5.2 AAA Interface ..... 23
5.3 DHCP Interface ..... 24
5.4 Ga/Gz Interface ..... 24
5.5 DCCA/DPCA Audit ..... 25
5.5.1 Gx Interface ..... 26
5.5.2 Gy Interface ..... 26
5.6 GGSN Audit ..... 27
5.6.1 Gn Interface ..... 27
5.6.2 Gi Interface ..... 28
5.6.2.1 APN Audit ..... 29
5.7 SGSN Audit ..... 30
5.7.1 Gn Interface ..... 30
5.7.2 Gb Interface ..... 31
5.7.3 IuPS Interface ..... 31
5.7.4 DNS Service Audit ..... 33
5.7.5 Gr, Gf and Gs Interface ..... 33
5.7.6 SS7 Routing Domain Audit ..... 34
5.7.7 SCCP Network Audit ..... 35
5.7.8 GTT Association Audit ..... 36
5.7.9 Operator Policy Audit ..... 36
5.8 MME Audit ..... 37
5.8.1 S1-MME Interface ..... 37
5.8.2 S6a and S13 Interface ..... 39
5.8.3 S10/S11 Interface ..... 39
5.8.4 S3 Interface ..... 40
PRIVATE AND CONFIDENTIAL Page 2 of 74 Cisco Systems, Inc.

5.8.5 SGs Interface ..... 40
5.8.6 LTE Policy ..... 41
5.8.7 Operator Policy ..... 41
5.9 SGW Audit ..... 42
5.9.1 S1-U/S11/S12 Interface ..... 43
5.9.2 S4-SGSN ..... 43
5.9.3 S5/S8 Interface ..... 44
5.10 PGW Audit ..... 44
5.10.1 S5/S8 Interface ..... 45
5.10.2 SGi Interface ..... 45
5.10.2.1 APN Audit ..... 46
5.11 PDSN Audit ..... 47
5.11.1 RP Interface ..... 47
5.11.2 Pi Interface ..... 49
5.11.2.1 Subscriber Template Audit ..... 49
5.12 FA Audit ..... 50
5.12.1 FA Service ..... 50
5.13 HA Audit ..... 51
5.13.1 Pi Interface ..... 51
5.13.2 PDN Interface ..... 52
5.13.2.1 Subscriber Template Audit ..... 53
5.14 HSGW Audit ..... 53
5.14.1 RP Interface ..... 53
5.14.2 S2a Interface ..... 54
5.15 P-CSCF Audit ..... 54
5.15.1 P-CSCF Service Policy Configuration Audit ..... 54
5.15.2 P-CSCF Access Profile Audit ..... 55
5.15.3 PCRF Policy Control Configuration ..... 56
5.15.4 PROXY-CSCF Audit ..... 57
5.15.5 P-CSCF Policy and Service Policy Rule Configuration Audit ..... 57
5.16 S-CSCF Audit ..... 58
5.16.1 S-CSCF Peer Server Audit ..... 58
5.16.2 S-CSCF Translation Audit ..... 58
5.16.3 S-CSCF Policy Audit ..... 59
5.16.4 S-CSCF IFC Audit ..... 59
5.16.5 AAA Group Audit ..... 60
5.16.5.1 HSS Interworking Audit ..... 60
5.16.5.2 CDF Interworking Audit ..... 60
5.16.6 CSCF Service Audit ..... 61
5.16.6.1 S-CSCF Service Audit ..... 61

5.16.6.2 Serving-CSCF Audit ..... 62
5.16.7 HSS Endpoint Audit ..... 62
5.16.8 CDF Endpoint Audit ..... 63
6. OSS AUDIT ..... 64
6.1 MUR Audit ..... 64
6.2 WEM Audit ..... 65
7. ECS AUDIT ..... 66
APPENDIX A ENGINEERING LIMITATIONS ..... 72


List of Tables
Table 4-1: Platform Audit ..... 18
Table 4-2: Card Audit ..... 19
Table 4-3: Interface Audit ..... 19
Table 5-1: Context Audit ..... 23
Table 5-2: RADIUS Audit ..... 24
Table 5-3: DHCP Audit ..... 24
Table 5-4: Ga/Gz Interface Audit ..... 25
Table 5-5: Diameter Audit ..... 26
Table 5-6: Gx Interface Audit ..... 26
Table 5-7: Ga Interface Audit ..... 27
Table 5-8: Gn Interface Audit ..... 28
Table 5-9: Gi Interface Audit ..... 29
Table 5-10: APN Audit ..... 30
Table 5-11: SGTP Service Audit ..... 31
Table 5-12: GPRS Service Audit ..... 31
Table 5-13: IuPS Interface Audit ..... 32
Table 5-14: SGSN Service Audit ..... 33
Table 5-15: DNS Service Audit ..... 33
Table 5-16: MAP Service Audit ..... 33
Table 5-17: SS7 Routing Domain Audit ..... 35
Table 5-18: SCCP Network Audit ..... 36
Table 5-19: GTT Association Audit ..... 36
Table 5-20: Operator Policy Audit ..... 37
Table 5-21: S1-MME Interface Audit ..... 39
Table 5-22: S6a and S13 Interface Audit ..... 39

Table 5-23: S10/S11 Interface Audit ..... 40
Table 5-24: S3 Interface Audit ..... 40
Table 5-25: SGs Interface Audit ..... 40
Table 5-26: LTE Policy Audit ..... 41
Table 5-27: Operator Policy Audit ..... 41
Table 5-28: SGW Service Audit ..... 43
Table 5-29: S11 Interface Audit ..... 43
Table 5-30: S4 SGSN Audit ..... 44
Table 5-31: S5/S8 Interface Audit ..... 44
Table 5-32: PGW Service Audit ..... 45
Table 5-33: S5/S8 Interface Audit ..... 45
Table 5-34: SGi Interface Audit ..... 46
Table 5-35: APN Audit ..... 47
Table 5-36: RP Interface Audit ..... 48
Table 5-37: Pi Interface Audit ..... 49
Table 5-38: Subscriber Template Audit ..... 50
Table 5-39: FA Service Audit ..... 51
Table 5-40: Pi Interface Audit ..... 52
Table 5-41: PDN Interface Audit ..... 52
Table 5-42: Subscriber Template Interface Audit ..... 53
Table 5-43: HSGW RP Interface Audit ..... 54
Table 5-44: S2a Interface Audit ..... 54
Table 5-45: P-CSCF Service Policy Audit ..... 55
Table 5-46: P-CSCF Access Profile Audit ..... 56
Table 5-47: P-CSCF Service Audit ..... 56
Table 5-48: Proxy CSCF Audit ..... 57
Table 5-49: Proxy CSCF Audit ..... 58
PRIVATE AND CONFIDENTIAL Page 6 of 74 Cisco Systems, Inc.

Configuration Audit Guide Table 5-50: S-CSCF Peer Server Audit ......................................................................................................................................................................................... 58 Table 5-51: S-CSCF Translation Audit .......................................................................................................................................................................................... 59 Table 5-52: S-CSCF Policy Audit ................................................................................................................................................................................................... 59 Table 5-53: S-CSCF IFC Audit....................................................................................................................................................................................................... 60 Table 5-54: HSS Interworking Audit ............................................................................................................................................................................................... 60 Table 5-55: CDF Interworking Audit ............................................................................................................................................................................................... 61 Table 5-56: S-CSCF Service Audit ................................................................................................................................................................................................ 61 Table 5-57: Serving CSCF Audit .................................................................................................................................................................................................... 
62 Table 5-58: HSS Endpoint Audit .................................................................................................................................................................................................... 63 Table 5-59 CDF Endpoint Audit ..................................................................................................................................................................................................... 63 Table 6-1: OSS Audit ..................................................................................................................................................................................................................... 64 Table 6-2: MUR Audit ..................................................................................................................................................................................................................... 65 Table 6-3: WEM Audit .................................................................................................................................................................................................................... 65 Table 7-1: ECS Audit Sample Report ............................................................................................................................................................................................ 68


References
[1] Data Collection Guide
[2] ASR 5X00 Command Line Interface Guide
[3] ASR 5X00 Administration Guide


Definitions

Acronym   Meaning
CSCF      Call Session Control Function
CIQ       Customer Information Questionnaire
GGSN      Gateway GPRS Support Node
HA        Home Agent
FA        Foreign Agent
HSGW      HRPD Serving Gateway
I-CSCF    Interrogating-CSCF
MME       Mobility Management Entity
P-CSCF    Proxy-CSCF
PGW       Packet Data Network Gateway
S-CSCF    Serving-CSCF
SAEGW     System Architecture Evolution Gateway
SGSN      Serving Gateway Support Node
SGW       Serving Gateway


Revision History

Version   Date       Status
1.0       2/27/12    First Version
1.5       4/27/12    Second Version
2.0       5/22/12    Third Version
3.0       7/25/12    Fourth Version
4.0       10/31/12   Fifth Version
5.0       1/30/12    Sixth Version

Author/s (versions 1.0 to 3.0): Daryl Huynh, Daryl Huynh, Amol Khire, Daryl Huynh, Amol Khire, Bin Guo, Hao Jiang Jiang, Rahul Mahadik, Daryl Huynh, Rahul Mahadik
Review (versions 1.0 to 3.0): Santosh Panambur, Anwin Kallumpurath, Anwin Kallumpurath, Daryl Huynh, Aravind Balakrishnan, Gavish Kumar, Matthew Brandes
Author/s and Review (version 4.0): Amol Khire, Akshay Raj, Aravind Balakrishnan, Daryl Huynh, Jiming Shen, Bo Keun Kang, Govindaraj Duraisamy


1. Introduction
This document focuses on the configuration audit process by explaining what the configuration audit requirements are, what to check for, and what to flag as a concern. Primarily, the process works by supplying the show support details output of an ASR 5000 and checking it for system constraints and best practice guidelines. A configuration audit report is used to identify the following points:

- General System Audit: evaluating a configuration and identifying any missing components or configurations
- Best Practice Guidelines: assessing the overall health of the configuration to ensure certain best practices are applied
- System Limitations: checking for system limitations based on the inherent software limits
- Feature Implementation: identifying the features implemented based on the configuration

Please note that this document will be constantly revised as the technology evolves and additional best practices and guidelines are found.


2. Data Collection and Methodology


The Show Support Details (SSD) output of the ASR 5000 is required for the configuration audit. In general, the configuration within the SSD provides information on which features are enabled, how many resources are used (e.g. the number of contexts) and whether best practices are applied, based on the CLIs configured. In addition to the configuration, CLI show command outputs from the SSD need to be evaluated to assist in the audit process, as this information cannot be derived from the configuration alone. This includes looking at the following CLI commands:

show version verbose: used to identify the version number and build release. This information helps to identify issues with the configuration based on the release version.

******** show version verbose *******
Active Software:
  Image Version:        12.0 (39936)
  Image Description:    Production_Build
  Image Date:           Tue Sep 20 22:18:03 EDT 2011
  Kernel Version:       2.6.18-staros-v2-pc
  Kernel Machine Type:  i686

show license information: used to identify all the licensed features available on the chassis. This information can be used to identify whether all the features are used, or whether there may be a potential licensing issue.

******** show license information *******
Key Information (installed key):
  Comment        PRODUCTION SYSTEM 2 PO:678497,687276
  CF Device 1    Model: SanDiskSDCFJ-4096
                 Serial Number: 116922I0207F3815
  CF Device 2    Model: SanDiskSDCFJ-4096
                 Serial Number: 111719I0207F3324
  Issued         Thursday November 13 08:15:34 NZDT 2008
  Issued By      Cisco Systems
  Key Number     28155
  Enabled Features:
    Feature                                    Applicable Part Numbers
    ----------------------------------------   -----------------------------
    GGSN:                                      [ 600-00-7544 / 600-00-7545 ]
      + DHCP                                   [ 600-00-7520 ]
      + RADIUS AAA Server Groups               [ none ]
    Ipv4 Routing Protocols                     [ none ]
    Enhanced Charging Bundle 2:                [ 600-00-7574 ]
      + DIAMETER Closed-Loop Charging Interfa  [ none ]
      + Enhanced Charging Bundle 1             [ 600-00-7526 ]
    Session Recovery                           [ 600-00-7513 / 600-00-7546
                                                 600-00-7552 / 600-00-7554
                                                 600-00-7594 / 600-00-9100
                                                 600-00-9101 ]
    Dynamic Radius extensions (CoA and PoD)    [ 600-00-7518 ]
  Session Limits:
    Sessions   Session Type
    --------   -----------------------
    322000     GGSN
    322000     ECS
  CARD License Counts:
    [none]
  Status:
    Device 1 Matches card 9 flash
    Device 2 Matches card 8 flash
    License Status Good (Redundant)

show card hardware: used to identify the hardware setup of the node. This information helps to audit and categorize the node hardware inventory.

******** show card hardware *******
Card 2:
  Card Type           : Packet Services Card
  Card Description    : PSC
  Part Number         : 530-02-0030 14
  Serial Number       : PLB51077565
  Switch Fabric Modes : control plane, switch fabric
  Card Programmables  : up to date
    NPU Microcode     : running 1.0
    Slave SCB         : on-card 1.6
    PSR               : on-card 0
    BIOS              : on-card-a 7.8.14, on-card-b 7.8.14
    DT FPGA           : running 8.85
  CPU 0 Type/Memory   : Socket 0: Xeon 000 C0, 2000 MHz
                      : Socket 3: Xeon 000 C0, 2000 MHz
                      : Chipset: E7520 C4, 6300ESB A3, 16384 MB
  CPU 1 Type/Memory   : IXP2855 A0, 1500 Mhz, 1536 MB
  CPU 0 CFE/Diags     : on-card 2.0.17, running 130.1.2

show configuration errors: used to check the health of the configuration file. This information helps to identify common configuration errors which may not be captured by the configuration parser.
******** show configuration errors *******
# Displaying Diameter Configuration errors
Total 0 error(s) in this section !

Displaying MAP-service system errors
Error : Sccp network configuration is missing for the map-service map in context gb
Error : Map service map in context gb does not have any hlr configuration.
Error : Sccp network configuration is missing for the map-service gs in context test
Error : Map service gs in context test does not have any hlr configuration.
Total 4 error(s) in this section!

show active-charging ruledef statistics all charging: identifies the most commonly hit ruledefs (URLs) on the chassis.

******** show active-charging ruledef statistics all charging *******
Ruledef Name       Packets-Down  Bytes-Down   Packets-Up  Bytes-Up    Hits
-----------------  ------------  -----------  ----------  ----------  -------
10.10.10.10        0             0            7663        723532      7457
10.10.10.11        0             0            0           0           0
10.18.0.0/18       62            2728         5376        443037      5033
10.20.0.0/18       79            3476         71892       6434902     67709
10.20.128.0/18     79            3476         3160        270314      2866
10.222.0.0/20      0             0            0           0           0
10.222.136.0/21    0             0            0           0           0
10.222.24.0/21     0             0            0           0           0
129.142.220.79     0             0            0           0           0
130.244.196.90     1638368       1269197678   1165789     226055446   2202497

show active-charging analyzer statistics all charging: identifies the analyzers matching packets on the chassis.

******** show active-charging analyzer statistics *******
ACS Flow Stats:
  Cumulative: 2644539112
  IPv4:   2644539112   ICMP:    37295257
  IPv6:   0            ICMPv6:  0
  TCP:    1624756837   UDP:     981906211
  HTTP:   798435757    HTTPS:   0
  POP3:   0            IMAP:    0
  SMTP:   0            FTP:     0
  RTSP:   136862       SIP:     0
  RTP:    164165       RTCP:    163042
  WTP:    156593       MMS:     2416126
  WSP_CO: 85438        WSP_CL:  262730
  P2P:    455532984    DNS:     0

ACS - Num Flows Cleared by Idle Timer:
  Total: 1224361242
  IPv4:   1224361242   ICMP:    35158025
  IPv6:   0            ICMPv6:  0
  TCP:    265243456    UDP:     923429147
  HTTP:   25647653     HTTPS:   0
  POP3:   0            IMAP:    0
  SMTP:   0            FTP:     0
  RTSP:   3756         SIP:     0
  RTP:    1669         RTCP:    1025
  WTP:    0            MMS:     6658
  WSP_CO: 2824         WSP_CL:  8
  P2P:    423644234    DNS:     0


3. Prerequisites
A configuration audit requires the show support details output, and any additional CLI commands that are run need to be logged. In addition, this information must be collected at the beginning of the soak period and at the end of the monitoring period during the data collection phase, as per the Data Collection Guide [1]. An understanding of the ASR 5000 configuration and structure is required. The ASR 5000 CLI Guide [2] can be used for reference.


4. Platform Audit
A platform audit consists of identifying a set of common CLI commands that may be configured on all chassis, regardless of the node function, based on the system license. The platform audit also identifies the types of cards and interfaces configured within the node. The platform audit should check for the CLIs listed in the following table and provide a recommended action or an appropriate message for flagging.

Platform Configuration

CLI command: logging filter runtime facility cli level debug
Analysis: CLI debug should be enabled to allow CLI outputs to be captured in syslogs.
Recommendation: It is recommended to enable CLI level debug.

CLI command: hidden password
Analysis: Hidden password is an engineering-only command that should not be configured on any node configuration.
Recommendation: It is not recommended to configure this CLI as it is an engineering-only command, so it should be removed if found.

CLI command: autoconfirm
Analysis: Autoconfirm disables the built-in system checks for configuration changes.
Recommendation: It is not recommended to configure this CLI as it will bypass any system checks, so it should be removed if found. Additionally, you can include the noconfirm option on an individual command if you wish to bypass a check for scripting purposes.

CLI command (for UMTS/LTE): gtpp single-source
Analysis: GTPP single-source allows the system to perform the proxy function by reserving a CPU to process GTPP requests. Identify whether this CLI command is configured.
Recommendation: It is recommended to enable this command to enable GTPP proxy processing on the system. Enabling this command requires a reload.

CLI command: aaa large-configuration
Analysis: AAA large-configuration enables the system to accept a larger number of RADIUS configurations.
Recommendation: It is recommended to enable this command so that the system can be configured with additional AAA groups. Enabling this command requires a reload.

CLI command: banner motd
Analysis: A banner allows the system to prompt users prior to accessing the node.
Recommendation: It is considered best practice to include a banner at user login to warn users against unauthorized access to the node.

CLI command: system hostname
Analysis: A system hostname allows the node name to be identified. It is also used to populate billing parameters, such as fields within CDR records.
Recommendation: It is recommended to configure a system hostname on all nodes.

CLI command: timestamps
Analysis: Timestamps allow all CLI commands to be logged with an associated timestamp.
Recommendation: It is recommended to enable timestamps so that users who are logging the screen will have the proper timestamps associated with the logs.

CLI command: clock timezone [us-eastern]
Analysis: By default, the clock timezone is set to us-eastern. However, in a normal deployment the clock timezone varies from node to node and should be set based on the node location.
Recommendation: It is recommended to configure the proper timezone for various reasons, such as billing and user traceability.

CLI command: crash enable url
Analysis: Crash URL enables the system to send full crash cores to a remote location. This is a licensed feature.
Recommendation: It is recommended to enable sending full crash cores to an external node.

CLI command: require session recovery
Analysis: Session recovery allows calls to be recovered during a task crash or card failure, to improve the user experience. This is a licensed feature.
Recommendation: It is recommended to enable this feature on a system to improve user experience and accessibility.

CLI command: require active-charging
Analysis: If the license is available, it is recommended to enable active-charging, as enabling it the first time prevents the scenario where enabling the feature later requires a system reload.
Recommendation: It is recommended to enable this feature on a system to proactively configure ECS services and prevent a scenario where a reload is required to enable the feature.

CLI command: require diameter-proxy multiple
Analysis: Proxy multiple enables the system to create a proxy for each active PSC card on the system for the client-server peering for DIAMETER.
Recommendation: It is recommended to configure the proxy as multiple instead of single, to prevent the scenario where a single call affecting the single proxy can cause the facility to crash, thus affecting all related calls.

CLI command (for CDMA): aaa last-resort context
Analysis: Configuring AAA last-resort contexts provides UEs with a last attempt to locate an AAA server based on the context provided within this configuration.
Recommendation: It is recommended to enable last-resort contexts to provide a fail-safe for configurations missing the proper AAA configuration, so that the proper AAA server can be found as a last resort.

CLI command (for CDMA): aaa default-domain
Analysis: Configuring default-domain allows UEs to be assigned a default domain if the domain field is empty.
Recommendation: It is recommended to configure a default-domain so that subscribers missing a domain are given a default domain for accounting and authentication services.

CLI command (for CDMA): aaa domain-matching ignore-case
Analysis: Configuring ignore-case allows the system to ignore case-sensitivity when matching against domain names.
Recommendation: It is recommended to configure ignore-case so that the system ignores case-sensitivity, as it is a common error for subscribers to introduce case typos when making network changes on their handsets.

Table 4-1: Platform Audit
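The Table 4-1 presence checks, and the disabled threshold monitors of section 4.3, written up as an added Python example (not code from the Cisco guide); the configuration excerpts, hostname and crash-collector URL are constructed, and the script assumes the StarOS convention that global CLIs are printed at indent 2 directly under "config":

```python
"""Added example (not from the Cisco guide): flag Table 4-1 platform CLIs and
section 4.3 disabled threshold monitors in a StarOS configuration dump."""

# Constructed "show configuration" excerpt; no real node. Global CLIs sit at
# indent 2 directly under "config"; deeper sub-modes are ignored here.
SAMPLE_CONFIG = """\
config
  system hostname GGSN-LAB-01
  clock timezone us-eastern
  autoconfirm
  hidden password
  crash enable url sftp://crashdump@crash-collector.example.net/cores
  require session recovery
  require diameter-proxy single
  no threshold monitoring cpu-resource
  no threshold monitoring license
  context local
    server sshd
  #exit
end
"""

# The same node after the Table 4-1 recommendations are applied (constructed).
HARDENED_CONFIG = """\
config
  logging filter runtime facility cli level debug
  system hostname GGSN-LAB-01
  timestamps
  banner motd "Authorized users only"
  clock timezone us-pacific
  crash enable url sftp://crashdump@crash-collector.example.net/cores
  require session recovery
  require active-charging
  require diameter-proxy multiple
  aaa large-configuration
  gtpp single-source
end
"""

# Table 4-1: engineering-only / check-bypass CLIs that must not be present.
FORBIDDEN = ["hidden password", "autoconfirm"]

# Table 4-1: CLIs expected on every node (prefix match covers values such as
# the hostname, banner text or crash URL).
EXPECTED_COMMON = [
    "logging filter runtime facility cli level debug",
    "banner motd",
    "system hostname",
    "timestamps",
    "crash enable url",
    "require session recovery",
    "require active-charging",
    "require diameter-proxy multiple",
    "aaa large-configuration",
]
# Table 4-1 rows that apply to one access technology only.
EXPECTED_BY_PROFILE = {
    "umts-lte": ["gtpp single-source"],
    "cdma": ["aaa last-resort context", "aaa default-domain",
             "aaa domain-matching ignore-case"],
}


def global_commands(config_text):
    """Return the commands printed at indent 2, i.e. directly under 'config'."""
    cmds = []
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if len(raw) - len(raw.lstrip(" ")) == 2:
            cmds.append(stripped)
    return cmds


def _present(cmds, cli):
    return any(c == cli or c.startswith(cli +  " ") for c in cmds)


def audit_platform(config_text, profile="umts-lte"):
    """Return (cli, finding) tuples; an empty list means the node is compliant."""
    cmds = global_commands(config_text)
    findings = []
    for cli in FORBIDDEN:
        if cli in cmds:
            findings.append((cli, "configured; remove this engineering-only "
                                  "or check-bypass command"))
    for cli in EXPECTED_COMMON + EXPECTED_BY_PROFILE[profile]:
        if not _present(cmds, cli):
            findings.append((cli, "not configured; recommended on all nodes"))
    tz = next((c for c in cmds if c.startswith("clock timezone ")), None)
    if tz is None or tz.split()[2] == "us-eastern":
        findings.append(("clock timezone",
                         "left at the us-eastern default; set the node's zone"))
    for c in cmds:
        if c.startswith("no threshold monitoring "):
            findings.append((c, "threshold monitoring disabled; enable it"))
    return findings
```

Running audit_platform on the first excerpt lists twelve findings (the two forbidden commands, seven missing commands, the default timezone and two disabled thresholds); the hardened excerpt returns an empty list.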

4.1 Card Audit
A card audit consists of identifying the card arrangement and understanding which cards are enabled within the system. Since cards will generally take up the front slots, it is best to identify which cards are in the system in order to determine whether the physical arrangement of the cards follows best practice for maximum airflow and future expansion considerations. The show card hardware output should also be used to verify the configuration audit, to ensure that cards are used optimally.

Card Configuration

CLI command: card
Analysis: Cards should be laid out to allow for the best airflow and for future expansion.
Recommendation: It is recommended to arrange cards in every other slot first, while slots 1 and 16 should be the last two slots used.

CLI command: card shutdown
Analysis: Card shutdown terminates all tasks and processes on a card and causes the card to go offline, even when a new card is inserted in the slot.
Recommendation: It is recommended to set the card to no shutdown so that newly inserted cards can be in an operational standby state.

CLI command: port preferred port
Analysis: Preferred port makes a port prefer a specific port when there is a link issue.
Recommendation: It is recommended to disable preferred port, as this may cause links to constantly flap between two ports if there is an issue with the preferred port.

Table 4-2: Card Audit

4.2 Interface Audit
An interface audit consists of identifying the interface arrangement and understanding whether the cards are enabled in an active/active or active/standby scenario. The card arrangement is also identified to determine whether cards are placed optimally, especially in the case of XGLC cards, which must be placed in odd slots first since that is required for active/standby redundancy. The show card hardware output should also be used to verify the configuration audit, to ensure that cards are used optimally.

Interface Configuration

CLI command: port ethernet
Analysis: Linecards should be laid out according to best practice guidelines: a single full-length linecard should go in the odd slot first for future redundancy expansion, as full-length cards are redundant to the immediately following even slot (i.e. slot 17 is redundant to slot 18).
Recommendation: It is recommended to arrange cards in an optimal manner to allow for future expansions or design requirements.

CLI command: port ethernet description
Analysis: Port descriptions help engineers quickly identify why a port is configured or used.
Recommendation: It is recommended to configure descriptions for all used ports on the system.

CLI command: port ethernet preferred port
Analysis: Preferred port makes a port prefer a specific port when there is a link issue.
Recommendation: It is recommended to disable preferred port, as this may cause links to constantly flap between two ports if there is an issue with the preferred port.

Table 4-3: Interface Audit


4.3 Threshold Audit
By default, the ASR 5000 and ASR 5500 have built-in threshold monitoring; however, it is not enabled by default. Refer to the following for more details on providing an accurate recommendation of thresholds to the customer: http://www.cisco.com/en/US/docs/wireless/asr_5000/12_2/OL25552_Thresholding_Config.pdf

Threshold Configuration

CLI commands (PLATFORM related thresholds):
no threshold monitoring npu-resource
no threshold monitoring cpu-resource
no threshold monitoring system
no threshold monitoring license
no threshold monitoring subscriber
no threshold monitoring call-setup
Analysis: The above monitoring thresholds are PLATFORM related thresholds.
Recommendation: It is recommended to enable the above PLATFORM thresholds for monitoring purposes.

CLI commands (SERVICE related thresholds):
no threshold monitoring ecs
no threshold monitoring fa-service
no threshold monitoring ha-service
no threshold monitoring pdsn-service
no threshold monitoring pdif-service
no threshold monitoring asngw
no threshold monitoring asnpc
no threshold monitoring phsgw
no threshold monitoring phsp
no threshold monitoring firewall
no threshold monitoring pdg-service
no threshold monitoring hnbgw-service
no threshold monitoring sgw-service
no threshold monitoring saegw-service
no threshold monitoring pgw-service
no threshold monitoring lma-service
no threshold monitoring hsgw-service
no threshold monitoring epdg-service
no threshold monitoring route-service
no threshold monitoring mme-service
no threshold monitoring fng-service
no threshold monitoring diameter
no threshold monitoring aaa-acct-archive-queue
no threshold monitoring aaa-auth-failure
no threshold monitoring aaa-acct-failure
Analysis: The above thresholds are SERVICE related thresholds.
Recommendation: It is recommended to enable the above SERVICE thresholds, as applicable for the node, for monitoring purposes.


5. System Audit
A system audit consists of identifying common CLI configurations that must be configured for all chassis in order to configure the respective services.

5.1 Context Audit
A context audit consists of identifying how many contexts are configured and what services are enabled within each context, in order to determine its function. Since the OAM on the ASR 5000 is also identified as a context environment, the local context should be identified separately from other service-level contexts. Generally, only the local context is enabled for access protocols such as SSH or FTP, so it is worth noting if a service context is enabled with such services.

Context Configuration

CLI command: context ip access-list
Analysis: An IP access list is used to permit or deny packets to a context. However, an IP access list is not a global command; ACLs configured within a context and left unused simply use up system resources.
Recommendation: It is recommended to use ACLs only within their respective context, as ACLs are not globally configured commands.

CLI command: context server ftpd
Analysis: FTP is considered an insecure access protocol that should be avoided, as communications between client and server are sent in plain text, which makes all the CLI commands, including username and password, highly susceptible to snooping.
Recommendation: It is recommended to disable FTP and use SFTP instead for security reasons.

CLI command: context server telnetd
Analysis: TELNET is considered an insecure access protocol that should be avoided, as communications between client and server are sent in plain text, which makes all the CLI commands, including username and password, highly susceptible to snooping.
Recommendation: It is recommended to use SSH over TELNET.

CLI command: context server sshd subsystem sftp
Analysis: SSH is a secure data access protocol that can be used to log into the chassis.
Recommendation: It is recommended to use SSH and SFTP over TELNET and FTP.

CLI command: context local logging syslog
Analysis: Syslog servers enable the system to send facility messages to log activity on the system.
Recommendation: It is recommended to configure syslog servers on the system to log all system-related events and CLI outputs, for troubleshooting or debugging.

CLI command: port ethernet 24/1
Analysis: The SPIO ports are configured as ports 24/1, 24/2, 25/1 and 25/2. However, unlike the LCs, SPIO ports are side-by-side redundant: port 24/1 is redundant to port 25/1.
Recommendation: It is recommended to have redundant SPIO ports active between 24/1 and 25/1, and between 24/2 and 25/2 respectively.

Table 5-1: Context Audit

5.2 AAA Interface
A RADIUS audit consists of identifying whether RADIUS services are enabled within the specified context and configured correctly as per best practice guidelines.

RADIUS Configuration

CLI command: context aaa group
Analysis: The AAA group identifies the RADIUS authentication/accounting server on the node. By default, an AAA group named default is configured for all contexts and should be used if the requirement is only one RADIUS group.
Recommendation: From a design perspective, it is recommended to use a non-default AAA group configuration only if more than one AAA server is configured on the system. The inherent fallback design for misconfigurations will refer to the default configuration.

CLI command: context aaa group radius attribute nas-ip-address
Analysis: The RADIUS NAS IP should be configured within the same context as the AAA group.
Recommendation: It is recommended to configure the NAS IP address within the same context as the AAA group.

CLI command (for UMTS/LTE): context aaa group no radius accounting archive
Analysis: RADIUS accounting archive enables the system to store offline accounting requests and archive them, to be sent to the server when the server is available.
Recommendation: It is recommended to disable RADIUS accounting archive to prevent a scenario where offline accounting requests spam the server, as there is generally no billing consideration for RADIUS accounting in a UMTS/LTE network.

CLI command: context aaa group radius detect-dead-server consecutive-failures
Analysis: RADIUS detect-dead-server allows the system to mark a server as DEAD after multiple timeouts and retries.
Recommendation: It is recommended to enable detect-dead-server to prevent the scenario where a timed-out server is still being sent AAA requests. It is recommended to configure this value as 4 or less, but greater than 0.

CLI command: context aaa group radius mediation-device accounting server
Analysis: The RADIUS accounting server identifies which RADIUS server to send accounting messages to.
Recommendation: It is recommended to configure all RADIUS accounting servers as mediation devices.

CLI commands: context aaa group radius timeout / radius max-retries / radius accounting timeout / radius accounting max-retries
Analysis: These timers are used to control the number of authentication and accounting retries before a server is considered down. Based on show radius counters all, these values can be modified depending on the number of timeouts or the round-trip time.
Recommendation: It is recommended to configure the following values:
radius timeout 2
radius accounting timeout 2
radius max-retries 3
radius accounting max-retries 3

CLI command: context aaa group radius accounting algorithm first-n
Analysis: This algorithm dictates how many servers accounting requests are sent to.
Recommendation: The number of first-n servers should be equal to or less than the number of accounting servers configured.

Table 5-2: RADIUS Audit
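The Table 5-1 access-protocol checks and the Table 5-2 RADIUS checks, applied per context and per AAA group, as an added Python example (not code from the Cisco guide); it assumes the indentation layout of a StarOS show configuration dump, and the sample configuration, context names, addresses and keys are constructed:

```python
"""Added example (not from the Cisco guide): walk the context hierarchy of a
StarOS configuration dump for the Table 5-1 and Table 5-2 checks."""

# Constructed "show configuration" excerpt with deliberate deviations; no
# real node, and keys and addresses are sample values.
SAMPLE_CONFIG = """\
config
  context local
    server sshd
      subsystem sftp
    #exit
    server ftpd
    logging syslog 192.0.2.50
  context ingress
    aaa group default
      radius attribute nas-ip-address address 192.0.2.10
      radius timeout 5
      radius max-retries 3
      radius accounting timeout 2
      radius accounting max-retries 3
      radius detect-dead-server consecutive-failures 6
      radius accounting algorithm first-n 3
      radius accounting server 192.0.2.20 key sample-key
      radius mediation-device accounting server 192.0.2.21 key sample-key
    server telnetd
end
"""

# Table 5-2 recommended timer and retry values.
RADIUS_TARGETS = {
    "radius timeout": 2,
    "radius accounting timeout": 2,
    "radius max-retries": 3,
    "radius accounting max-retries": 3,
}

def flatten(config_text):
    """Return (path, command) pairs; path is the tuple of enclosing mode
    commands, e.g. ('context ingress', 'aaa group default')."""
    lines = [ln for ln in config_text.splitlines()
             if ln.strip() and not ln.strip().startswith("#")
             and ln.strip() not in ("config", "end")]
    indents = [len(ln) - len(ln.lstrip(" ")) for ln in lines]
    stack, out = [], []
    for i, raw in enumerate(lines):
        while stack and stack[-1][0] >= indents[i]:
            stack.pop()  # left the sub-mode(s) printed deeper than this line
        out.append((tuple(c for _, c in stack), raw.strip()))
        if i + 1 < len(lines) and indents[i + 1] > indents[i]:
            stack.append((indents[i], raw.strip()))  # this line opens a mode
    return out

def _value(cmds, prefix):
    """Integer argument of the first command starting with prefix, or None."""
    for c in cmds:
        if c.startswith(prefix + " "):
            return int(c.split()[-1])
    return None

def audit_contexts(config_text):
    """Return (context, cli, finding) tuples for Tables 5-1 and 5-2."""
    findings, groups = [], {}
    for path, cmd in flatten(config_text):
        if not path or not path[0].startswith("context "):
            continue
        ctx = path[0].split()[1]
        if len(path) == 1 and cmd == "server ftpd":
            findings.append((ctx, "server ftpd", "clear-text FTP; use SFTP"))
        elif len(path) == 1 and cmd == "server telnetd":
            findings.append((ctx, "server telnetd", "clear-text TELNET; use SSH"))
        elif len(path) == 2 and path[1].startswith("aaa group "):
            groups.setdefault((ctx, path[1].split()[2]), []).append(cmd)
    for (ctx, grp), cmds in groups.items():
        where = f"aaa group {grp}"
        for key, want in RADIUS_TARGETS.items():
            got = _value(cmds, key)
            if got != want:
                findings.append((ctx, key, f"{where}: {got}, recommended {want}"))
        dead = _value(cmds, "radius detect-dead-server consecutive-failures")
        if dead is None or not 0 < dead <= 4:
            findings.append((ctx, "radius detect-dead-server", f"{where}: {dead}, recommended 1 to 4"))
        if "no radius accounting archive" not in cmds:
            findings.append((ctx, "radius accounting archive",
                             f"{where}: archive not disabled (UMTS/LTE)"))
        if not any(c.startswith("radius attribute nas-ip-address ") for c in cmds):
            findings.append((ctx, "radius attribute nas-ip-address",
                             f"{where}: NAS IP not set in this context"))
        plain = [c for c in cmds if c.startswith("radius accounting server ")]
        mediation = [c for c in cmds if c.startswith("radius mediation-device accounting server ")]
        for c in plain:
            findings.append((ctx, "radius mediation-device accounting server",
                             f"{where}: {c.split()[3]} is not a mediation device"))
        first_n = _value(cmds, "radius accounting algorithm first-n")
        if first_n is not None and first_n > len(plain) + len(mediation):
            findings.append((ctx, "radius accounting algorithm first-n",
                             f"{where}: first-n {first_n} exceeds the "
                             f"{len(plain) + len(mediation)} accounting servers"))
    return findings
```

On the sample, audit_contexts reports FTP in the local context, TELNET in ingress, and five deviations in ingress aaa group default (timeout, dead-server count, archive not disabled, a non-mediation accounting server, and first-n larger than the server count).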

5.3 DHCP Interface
A DHCP audit consists of identifying whether DHCP services are enabled within the specified context. DHCP services are commonly configured primarily for corporate networks, so a context identified with DHCP services can generally be considered a corporate context.

DHCP Configuration

CLI command: dhcp-service dhcp ip
Analysis: The DHCP server is supported in proxy or relay mode in R12.0. However, in R14, relay mode is no longer supported.
Recommendation: It is recommended that the customer move to proxy mode, as relay mode will not be supported in future releases.

CLI commands: dhcp-service dhcp deadtime / dhcp detect-dead-server consecutive-failures
Analysis: DHCP deadtime and detect-dead-server are used to determine how long a DHCP server is marked as dead after a timed-out request.
Recommendation: It is recommended to configure the following values:
dhcp deadtime 60
dhcp detect-dead-server consecutive-failures 3

Table 5-3: DHCP Audit

5.4 Ga/Gz Interface
A GTPP audit consists of identifying whether GTPP groups are enabled within a context for billing. Since it is used primarily for billing, if a single GTPP group is identified it should be configured as the default group only, since the system fails over to the default group in a failure scenario. In addition, the threshold/interim values should be identified and evaluated as part of the KPI analysis, to determine whether higher thresholds should be used if mediation has issues processing the number of records.

Ga/Gz Interface Configuration

CLI command: gtpp group
Analysis: The GTPP group identifies the billing configuration on the system. By default, a GTPP group named default is configured for all contexts and should be used if the requirement is only one GTPP group.
Recommendation: From a design perspective, it is recommended to use a non-default GTPP group configuration only if more than one GTPP server is configured on the system. The inherent fallback design for misconfigurations will refer to the default configuration.

CLI command: gtpp group no gtpp dead-server suppress-cdrs
Analysis: Configures the action to be taken when a dead server is detected.
Recommendation: It is recommended to disable this option.

CLI command: gtpp group gtpp deadtime
Analysis: Specifies the time duration in seconds after which the system will treat a previously dead CGF server as active again.
Recommendation: It is recommended to configure this value as 120 or less, but more than 0, to mark a server properly down.

CLI command: gtpp group gtpp detect-dead-server consecutive-failures
Analysis: Configures how to detect a dead CGF.
Recommendation: It is recommended to configure this value to be greater than 0 if a CGF is implemented. Otherwise, it is recommended to configure it as 0.

CLI command: gtpp group gtpp source-port-validation
Analysis: Specifies whether the charging agent should respond to request messages only from configured CGFs.
Recommendation: It is recommended to enable source-port-validation to prevent the scenario where an unconfigured CGF can send responses to the system.

CLI command: gtpp group gtpp max-retries
Analysis: Configures the maximum number of times the system will attempt to communicate with a CGF before the system fails over to the secondary CGF.
Recommendation: It is recommended to configure this value as 4 or less, but greater than 0.

CLI command: gtpp group gtpp suppress-cdrs zero-volume-and-duration
Analysis: Suppresses CDRs with zero volume and zero duration.
Recommendation: It is recommended to suppress CDRs with zero volume or duration, to reduce the number of CDRs without any data being processed by mediation.

CLI command: gtpp group gtpp storage-server mode streaming
Analysis: Specifies the use of the HDD to store CDRs in case the CGF fails, and then stream the CDRs to the CGF when it is up again.
Recommendation: It is recommended to configure GTPP mode to streaming if a CGF is used.

CLI command: gtpp group no gtpp egcdr service-data-flow threshold
Analysis: Configures the thresholds for closing a service data flow container within an eGCDR based on volume or interval.
Recommendation: It is recommended to disable this configuration by default, as it would prematurely generate closing CDRs and result in additional CDRs to be processed.

Table 5-4: Ga/Gz Interface Audit

5.5 DCCA/DPCA Audit
A DCCA/DPCA audit consists of identifying the Diameter endpoint configurations enabled within a context. Since an endpoint can be configured for multiple services, you must first identify the endpoint and the associated services before you can determine what a particular DCCA/DPCA service is used for. In addition, specific timers should be checked between the client and server sides to make sure the values are in sync during a failure scenario.

Diameter Configuration

CLI command: diameter endpoint watchdog-timeout
Analysis: Watchdog-timeout identifies the Tw timer, which is the timeout value after which a watchdog considers the peer to be down.
Recommendation: The watchdog-timeout can be configured to 30 or 60 seconds to reduce the flapping of the Diameter connection that is caused by a low watchdog timeout such as 5-10 seconds. The default value is 30 seconds.

CLI command: diameter endpoint connection retry-timeout
Analysis: Connection retry-timeout identifies the Tc timer, which is the timeout value after which a retry is sent.
Recommendation: It is recommended to configure the connection retry-timeout to 10 seconds (default 60) to reduce the time during which the CER/CEA has not been exchanged.

CLI command: diameter endpoint reconnect-timeout
Analysis: Reconnect-timeout enables the system to resend a CER after a period when the client receives a DO NOT WANT TO TALK TO YOU message from the server.
Recommendation: It is recommended to configure a 60 second interval so that a DO NOT WANT TO TALK TO YOU message from the server will not mark the peering relationship as down permanently (until reboot) on the system.

CLI command: diameter endpoint response-timeout
Analysis: Response-timeout configures how long the client waits for a response before it times out.
Recommendation: It is recommended to configure a 10 second interval to reduce the time until the CER message is considered timed out.

CLI command: diameter endpoint route-entry
Analysis: A route entry can be added for a host, peer and realm.
Recommendation: It is recommended to add a route-entry for each peer and set them to equal weight by default.

Table 5-5: Diameter Audit

5.5.1 Gx Interface
As part of the DCCA audit, the PCRF configuration must be checked to determine whether the endpoint is configured as part of the PCRF service, named ims-auth-service. The IMS auth service is configured within a context and is considered a global parameter. As a result, a context configured with an ims-auth-service can be loosely identified as a Gx type context, although it may still have other services enabled in the same context.

Gx Interface Configuration

CLI command: ims-auth-service / policy-control / diameter request-timeout
Analysis: The request timeout configures how long the client waits for a response before the request times out.
Recommendation: It is recommended to configure a 10 second interval to reduce the time before a CCR is considered timed out and the CCFH condition is triggered.

Table 5-6: Gx Interface Audit

5.5.2 Gy Interface
As part of the DCCA audit, the OCS configuration must be checked to determine whether the endpoint is configured as part of the OCS service. Credit control is configured as part of the ECS configuration. If an endpoint is identified as an OCS endpoint, the context where the endpoint is configured can be loosely identified as a Gy type context, although it may still have other services enabled in the same context.

Gy Interface Configuration

CLI command: credit-control group / diameter pending-timeout
Analysis: The pending-timeout is the DCCA Tx timer: the time within which a CCR must be answered before the CCFH (Credit-Control-Failure-Handling) condition is triggered.
Recommendation: It is recommended to configure a 3 second timeout interval to reduce the time before a CCR is considered timed out and the CCFH condition is triggered. By default, the CCFH action is to terminate the call.

CLI command: credit-control group default
Analysis: The credit-control group identifies the DCCA group responsible for online charging with the OCS. By default, a default group is configured and should be used if the requirement is only one credit-control group.
Recommendation: It is recommended to use a non-default credit-control group, from a design perspective, only if more than one credit-control group is configured on the system. The inherent fallback design for misconfigurations will refer to the default configuration.

Table 5-7: Gy Interface Audit

5.6 GGSN Audit
The GGSN audit consists of identifying the GGSN related services configured on the ASR 5000. Best practice guidelines should be checked against the configuration to identify any risk areas that may result from deviating from those guidelines. The GGSN audit covers two primary areas: GGSN service and APN configuration.

5.6.1 Gn Interface
The GGSN service audit identifies where the GGSN service is enabled within a context. The service is identified to determine whether multiple GGSN services are configured as required by customer requirements and by the logical design of the control and user plane. The context where the GGSN service resides can be identified as the Gn context, where the GTP-C requests from the SGSN enter from the network.

Gn Interface Configuration

CLI command: ggsn-service / associate gtpu-service
Analysis: The GTPU service is responsible for handling the user plane traffic for the GGSN service.
Recommendation: It is recommended that the GTPU service use the same IP address as the GTPC bind address, to simplify the design since the traffic reaches the context in the same manner. However, if there is a design requirement to split the IPs for traceability or LI purposes, this recommendation can be ignored. If the node is used for 3G and 4G services, the IP address for GTP-C and GTP-U should match the IP address bound to the PGW service.

CLI command: ggsn-service
Analysis: The GGSN service is responsible for handling 2G/3G PDP requests from the SGSN.
Recommendation: It is recommended to have one GGSN service per chassis, unless there is a design requirement for more.

CLI command: ggsn-service / accounting context
Analysis: The accounting context within the GGSN service directs which billing context is used for CDR generation.
Recommendation: It is recommended to configure the accounting context as part of the GGSN service instead of the APN configuration.

CLI command: ggsn-service / sgsn address
Analysis: The SGSN address identifies the SGSNs that send PDP requests to the GGSN within the home network.
Recommendation: It is recommended to configure SGSN addresses in subnet blocks as applicable.

CLI command: ggsn-service / bind address
Analysis: The bind address handles the control plane traffic for the GGSN service.
Recommendation: It is recommended that the GTPC address be the same IP address as the GTPU address, to simplify the design since the traffic reaches the context in the same manner. However, if there is a design requirement to split the IPs for traceability or LI purposes, this recommendation can be ignored. If the node is used for 3G and 4G services, the IP address for GTP-C and GTP-U should match the IP address bound to the PGW service.

CLI command: ggsn-service / echo interval
Analysis: The echo interval is used to send echo requests to the serving SGSNs to determine whether an SGSN is still alive.
Recommendation: It is recommended to configure the echo interval to 60 seconds.

Table 5-8: Gn Interface Audit

5.6.2 Gi Interface
The Gi interface defines the communication between the GGSN and the external PDN. The Gi interface is configured within the PDN context and is logically bound together by the APN configuration. This interface is implicitly referenced by how the IP pools defined and bound to the APN are configured.

Gi Interface Configuration

CLI command: context / interface / ip-address (IPv4 or IPv6)
Analysis: The Gi interface is routed based on the available IP pools within the same context. The interface should be in IPv4 or IPv6 format depending on the pools configured.
Recommendation: It is recommended to configure the interface based on the IP type of the pools, and to have redundant interfaces, ideally two logical interfaces, to route IP traffic.

CLI command: context / ip pool private
Analysis: Private pools are assigned only if the APN is configured with the pool name.
Recommendation: It is recommended to configure all pools as PRIVATE to avoid the scenario where a PUBLIC pool gets assigned to an APN by default.

CLI command: context / ip pool group-name
Analysis: Group-names can be used to group common pools together.
Recommendation: It is recommended to configure a group-name for multiple pools to simplify the configuration. It can also simplify the design if IP pool names are passed back from a RADIUS server.

CLI command: context / ip pool explicit-route-advertise
Analysis: Explicit-route-advertise creates a /32 host route when a subscriber connects to the pool.
Recommendation: It is not recommended to use this feature, as a context has an inherent limit of 2000 routes in its IP routing table.

Table 5-9: Gi Interface Audit

5.6.2.1 APN Audit
The APN audit identifies where the subscribers will connect to. APNs are generally classified as consumer APNs and corporate APNs. This is usually determined by the naming convention of the APN. Identifying the APN type is necessary, as the service between a corporate and a consumer APN is generally very different between service providers. All the services related to a subscriber are configured at the APN level.

APN Configuration

CLI command: context / apn / virtual-apn gcdr apn-name-to-be-included Gn
Analysis: Applies the Gn APN (rather than the Gi APN) within the GCDR records.
Recommendation: It is recommended to use the Gn APN to identify the source of the PDP request, unless there is a mediation reason why the Gi APN is used in the billing records.

CLI command: context / apn / aaa group
Analysis: The AAA group assigns the RADIUS authentication/accounting server to be used by the APN.
Recommendation: It is recommended that the AAA group be configured in the same context as the APN.

CLI command: context / apn / ip access-group * in, ip access-group * out
Analysis: The IP access-group for in/out traffic applies permit/deny/redirect rules to subscriber traffic on this APN.
Recommendation: It is recommended to configure ACLs within the same context as the APNs, as ACLs are not global configurations.

CLI command: context / apn / ip source-violation ignore
Analysis: Source-violation enables the APN to check for IP spoofing. It checks whether the source address of received subscriber traffic matches the address assigned to the subscriber, and by default drops the call after 10 invalid packets.
Recommendation: It is recommended to set this to ignore, as dongles are commonly connected to APNs while the host has a concurrent Internet connection, which causes this rule to be hit and the call dropped, affecting user experience. Note that ignoring source violations removes the per-subscriber anti-spoofing check at the APN, so where spoofed subscriber traffic is a concern it should be compensated for with the inbound ip access-group above.

CLI command: context / apn / mediation-device
Analysis: Mediation-device enables the APN to send accounting requests to a mediation-type RADIUS server.
Recommendation: It is recommended to use mediation-device for RADIUS accounting servers.

CLI command: context / apn / timeout absolute, timeout idle
Analysis: The absolute timeout disconnects the subscriber when the timer expires. The idle timeout disconnects the subscriber when the timer expires after the subscriber starts idling.
Recommendation: It is recommended to configure the idle timeout within each APN where it is not configured and where many subscribers have a very high idle time, as this helps optimize system resources. However, prematurely disconnecting idle subscribers causes more signalling traffic within the network, so the value should be relatively high, as per customer requirement.

CLI command: context / apn / ip context-name
Analysis: The IP context name configures the routing context from which the IP pool will be assigned to the subscriber.
Recommendation: It is recommended to leave this command at its default if the APN is configured in the same context as the Gi context where the IP pool is configured.

CLI command: context / apn / credit-control-group
Analysis: The credit-control-group enables the APN to send CCRs to the OCS.
Recommendation: It is recommended to leave this command at its default if only one OCS is available. The OCS configuration should then also be the default group.

Table 5-10: APN Audit

5.7 SGSN Audit
The SGSN audit consists of identifying all the contexts and services required for the SGSN service for GPRS and UMTS. Best practice guidelines are checked for the SGSN service to determine whether there are risks in the current configuration. Furthermore, the audit checks the timers used between the SGSN and external node entities as well. The contexts for the SGSN must be identified as part of the audit process; they can generally be identified by the services enabled within the context.

5.7.1 Gn Interface
The SGSN service audit covers the primary services you will see enabled on a chassis. Regardless of whether the SGSN is configured for 2G or 3G services, sgtp-service and map-service will always be present, as the sgtp-service is responsible for handling the GTP messages between the SGSN and GGSN. Although you may have multiple sgtp-services associated with different services, it is recommended to have a single service for all calls from a best practice design perspective, unless otherwise required for customer design reasons.

Gn Interface Configuration

CLI command: context / sgtp-service
Analysis: The SGTP service is responsible for handling the PDP requests over the Gn interface towards the GGSN.
Recommendation: It is recommended to configure only one SGTP service to identify the SGSN Gn interface to the GGSN.

CLI command: context / sgtp-service / gtpu echo-interval
Analysis: The GTPU echo interval controls how often echo messages, which serve as the keepalive between the SGSN and GGSN, are sent.
Recommendation: It is recommended to set the echo-interval to 60 seconds.

CLI command: context / sgtp-service / gtpu max-retransmissions
Analysis: The GTPU max-retransmissions determines how many times an echo is sent before the GGSN is considered down and active PDP calls are dropped.
Recommendation: It is recommended to set max-retransmissions to 4.

CLI command: context / sgtp-service / gtpu retransmission-timeout
Analysis: The GTPU retransmission-timeout determines when a retransmission is marked as having received no response.
Recommendation: It is recommended to set the retransmission-timeout to 5.

Table 5-11: SGTP Service Audit

5.7.2 Gb Interface
The 2G services required for the SGSN cover the network-service-entity level, which establishes the NSVL associations to the BSC, and the gprs-service, which handles the 2G related calls on the SGSN for the ASR5000.

Gb Interface Configuration

CLI command: network-service-entity / nsvl instance
Analysis: The NSVL instance is the association responsible for communicating with the BSC.
Recommendation: It is recommended to configure 4 NSVL instances for maximum redundancy.

CLI command: network-service-entity / nsvc-failure-action send-ns-status clear-nse
Analysis: The NSVC failure-action clear-nse enables the SGSN to clear NSEs if the NSVCs to the BSC are down.
Recommendation: It is recommended to enable the NSVC failure action to send a clear and re-establish the Gb association, since by default failed associations are not re-established.

Table 5-12: GPRS Service Audit

5.7.3 IuPS Interface
The 3G services required for the SGSN cover the iups-service, which covers the association to the RNC, and the sgsn-service, which enables the iups-service to talk to the sgtp-service for call traffic association. Basically, for every iups-service there should be an sgsn-service. However, as noted previously, it is recommended to have one iups-service and one sgsn-service. Based on the distributed architecture and design of the platform, it is not necessary to have multiple services in the way legacy SGSN equipment was designed.

IuPS Service Configuration

CLI command: context / iups-service
Analysis: The IuPS service is responsible for handling the PDP requests over the IuPS interface towards the RNC.
Recommendation: It is recommended to configure only one IuPS service to identify the SGSN IuPS interface to the RNC.

CLI command: context / iups-service / gtpu echo-interval
Analysis: The GTPU echo interval controls how often echo messages, which serve as the keepalive between the SGSN and RNC, are sent.
Recommendation: It is recommended to disable the echo-interval for the iups-service.

CLI command: context / iups-service / gtpu max-retransmissions
Analysis: The GTPU max-retransmissions determines how many times an echo is sent before the RNC is considered down and active calls are dropped.
Recommendation: It is recommended to set max-retransmissions to 4.

CLI command: context / iups-service / gtpu retransmission-timeout
Analysis: The GTPU retransmission-timeout determines when a retransmission is marked as having received no response.
Recommendation: It is recommended to set the retransmission-timeout to 5.

Table 5-13: IuPS Interface Audit

SGSN Service Configuration

CLI command: context / sgsn-service / gmm T3302-timeout
Analysis: Defines the number of minutes for the timer sent to the MS when an attach fails and the attempt counter is greater than or equal to 5, or a RAU fails and the attempt counter is greater than or equal to 5.
Recommendation: By default, this value is 10 minutes, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context / sgsn-service / gmm T3312-timeout
Analysis: Periodic RAU timer sent to the MS.
Recommendation: By default, this value is 54 minutes, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context / sgsn-service / gmm T3313-timeout
Analysis: Retransmission timer for Paging requests.
Recommendation: By default, this value is 5 seconds, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context / sgsn-service / gmm T3322-timeout
Analysis: Retransmission timer for the network initiated Detach Request.
Recommendation: By default, this value is 6 seconds, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context / sgsn-service / gmm T3350-timeout
Analysis: Retransmission timer for Attach Accept, RAU Accept and P-TMSI Reallocation Command.
Recommendation: By default, this value is 6 seconds, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context / sgsn-service / gmm T3360-timeout
Analysis: Retransmission timer for Authentication Request.
Recommendation: By default, this value is 6 seconds, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context / sgsn-service / gmm T3370-timeout
Analysis: Retransmission timer for Identity Request.
Recommendation: By default, this value is 6 seconds, but it is recommended to tailor this parameter to the RNC parameters.

CLI command: context / sgsn-service / nri sgsn-address rac lac nri
Analysis: The NRI determines which pool the SGSN belongs to.
Recommendation: It is recommended to enable pooling by configuring non-broadcast LAC/RAC information within the SGSN service.

Table 5-14: SGSN Service Audit

5.7.4 DNS Service Audit
The DNS audit covers the DNS resolution configuration for the SGSN. Primarily, it is important to have multiple DNS servers configured in the event of a failure. The cache TTL should also be set only if the TTL returned by the DNS server is a higher value.

DNS Configuration

CLI command: ip name-servers
Analysis: Identifies the DNS servers configured for lookup.
Recommendation: It is recommended to have two IP name servers configured.

CLI command: dns-client / cache ttl negative, cache ttl positive
Analysis: The cache TTL values determine how long positive or negative answers are cached before the DNS server is queried again.
Recommendation: It is recommended to set the cache TTL lower than the TTL returned by the DNS server, otherwise the configuration has no effect: 86400 seconds for positive and 60 seconds for negative answers.

Table 5-15: DNS Service Audit

5.7.5 Gr, Gf and Gs Interface
The MAP service is responsible for handling the requests to the HLR, EIR and SMSC.

Gr, Gf and Gs Interface Configuration

CLI command: context / map-service / auth-vectors number-to-request
Analysis: This configuration identifies the number of authentication vectors requested for authentication.
Recommendation: It is recommended to set this to 3 or more to reduce the amount of signaling to the HLR.

CLI command: map-service / hlr acn-version-retention per-subscriber
Analysis: This configuration enables the SGSN to send ACN (application context name) versions based on the subscriber profile.
Recommendation: This CLI is recommended primarily for roaming scenarios. By default, the SGSN sends an ACN version 3 SAI (Send Authentication Info) to the HLR. It will receive an error if the HLR does not support that version and will retry with a version 2 SAI. This scenario is most likely to happen while roaming, so it is recommended to retain the version on a per-subscriber basis.

Table 5-16: MAP Service Audit

5.7.6 SS7 Routing Domain Audit
The SS7 routing domain audit covers how the SS7 routing domains are broken down on the SGSN from a design perspective. As part of the audit process, you would check whether the links are single-homed or multi-homed, as well as whether additional ASP instances are configured in order to spawn additional linkmgrs and prevent potential congestion on a single linkmgr. Furthermore, checking the SCTP values against best practice guidelines is highly recommended to prevent congestion.

SS7 Configuration

CLI command: ss7-routing-domain / asp instance
Analysis: The ASP instance defines the process that handles the SCTP endpoint and the messages between client and server.
Recommendation: It is recommended to configure 4 ASP instances for maximum redundancy.

CLI command: ss7-routing-domain / peer-server id / psp instance
Analysis: The PSP instance defines the peer servers to which SCTP messages are sent.
Recommendation: It is recommended to configure 4 PSP instances to avoid potential congestion within the network.

CLI command: ss7-routing-domain / peer-server id / psp instance / psp-mode
Analysis: Identifies whether the PSP mode is server or client.
Recommendation: It is recommended to configure the PSP mode as server, though this is limited by customer design.

For each of the PSP timers and counters below (all under ss7-routing-domain / peer-server id / psp instance), the recommendation is the same: the default is listed, but it is recommended to tailor the parameter to the SS7 network parameters.

CLI command: timeout m3ua-periodic-dest-audit
Analysis: Sets the M3UA periodic destination audit timeout.
Default: 2 seconds.

CLI command: timeout sctp-heart-beat
Analysis: Sets the SCTP heartbeat timer.
Default: 30 seconds.

CLI command: sctp-rto-min
Analysis: Sets the SCTP minimum retransmission timeout value.
Default: 10 ms.

CLI command: sctp-rto-initial
Analysis: Sets the SCTP initial retransmission timeout value.
Default: 30 ms.

CLI command: sctp-rto-max
Analysis: Sets the SCTP maximum retransmission timeout value.
Default: 600 ms.

CLI command: sctp-sack-period units
Analysis: Sets the SCTP selective ACK period.
Default: 2, in the unit selected by the units keyword.

CLI command: sctp-max-init-retx
Analysis: Sets the SCTP maximum number of initiation retransmissions.
Default: 10 (a retransmission count, not a time value).

CLI command: sctp-max-assoc-retx
Analysis: Sets the SCTP maximum number of association retransmissions.
Default: 10 (a retransmission count).

CLI command: sctp-max-path-retx
Analysis: Sets the SCTP maximum number of path retransmissions.
Default: 5 (a retransmission count).

CLI command: sctp-alpha
Analysis: Sets the SCTP RTO alpha smoothing factor.
Default: 5.

CLI command: sctp-beta
Analysis: Sets the SCTP RTO beta smoothing factor.
Default: 10.

Table 5-17: SS7 Routing Domain Audit

5.7.7 SCCP Network Audit
The SCCP network audit checks the SCCP network configuration against the SS7 routing domains configured. It identifies which point codes the node uses for itself, as well as which SS7 routing domain to use for address routing. Routing towards the RNCs is also configured as part of the sccp-network configuration when the point code is used instead of routing through the GTT translation map.

SCCP Configuration

CLI command: sccp-network / global-title-translation address-map
Analysis: GTT address maps are used for GTT routing.
Recommendation: A recommendation should be made if the maximum number of supported address-maps has been reached.

Table 5-18: SCCP Network Audit

5.7.8 GTT Association Audit
The Global Title Translation audit covers the GTT configuration on the SGSN, which is responsible for translating addresses for routing in an SCCP network. It is important to understand the GTT configuration in order to understand how a specific call is handled within the SCCP domain, and whether external elements such as STPs are used, to identify the network architecture. The GTT configuration should cover ALL scenarios, so any gaps within it must be flagged: a missing self point code, a missing action for a particular digit, or a missing action towards an STP.

GTT Configuration

CLI command: global-title-translation address-map / gt-address
Analysis: The GT address map is used to route calls matching the SCCP short address.
Recommendation: It is recommended to include routing for all possible parameters or digits so that calls are routed properly.

CLI command: global-title-translation address-map / description
Analysis: A description can be added for each GT address map.
Recommendation: It is recommended to add a description to each GT address map to make the configuration easier to understand and troubleshoot.

Table 5-19: GTT Association Audit

5.7.9 Operator Policy Audit
An Operator Policy audit covers ASR5000 functionality that allows subscribers to be internally authenticated against a subscriber policy before going through the normal call flows. This allows the operator to control behaviour as well as limit access as required. For example, roamers can be restricted to GPRS access only as a result of their operator policy. By understanding how a call is controlled prior to the call flow, we can identify how the network is set up to treat home subscribers, roamers, and MVNO or MOCN scenarios. The default operator policy should always be used as a catch-all for all other scenarios that are not unique to the customer network.

Operator Policy Configuration

CLI command: operator-policy-name / description
Analysis: Operator policies are subscriber policies that handle various call scenarios/profiles.
Recommendation: It is recommended to have descriptions for the operator policies, from a best practice perspective.

CLI command: operator-policy-name / gtpu fast-path
Analysis: Enables the GTPU fast-path feature, which routes traffic so as to reduce CPU cycles at the cost of NPU cycles.
Recommendation: It is recommended to enable fast-path only if CPU utilization is higher than NPU utilization. Otherwise, it is recommended not to use this feature on PSC2 or newer cards, since it reduces CPU cycles and increases NPU cycles, and the NPU is the bottleneck on PSC2 or newer cards.

CLI command: operator-policy-name / idle-mode-signaling-reduction
Analysis: The ISR feature reduces the signaling required for idle handsets moving between 3G and 4G networks.
Recommendation: This is a licensed feature that is recommended to reduce signaling messages and improve UE battery life when moving between 3G and 4G coverage areas while idle.

Table 5-20: Operator Policy Audit

5.8MME Audit
The MME audit consists of identifying the services related to the MME are configured on the ASR 5000. Best practice guidelines should be checked against the configuration to identify any risk areas that may come as a result o f avoiding such guidelines. The MME audit covers the various interfaces involved in setting up the MME service, including the S1-MME, S6a, and S10/S11 interfaces. Optionally, the SGs and S13 interfaces are also covered. When support for S3 is made available, this interface will also be included.

5.8.1 S1-MME Interface


The S1-MME interface defines the communication between MME and eNodeBs. The MME service receives an Attach Request messages and references HSS peer service for authentication and subscription profile. By default, the MME service bound address implicitly implies that the S1-MME interface.

S1-MME Interface Configuration CLI command Analysis The mobile-reachable timeout is configured in the MME service to set the timeout timer duration (in seconds) after which reachability procedure will be discarded and reattempt starts. The T3412 and mobile-reachable-timeout values are both started simultaneously during a periodic TAU. This would mean if the MME does not receive a periodic TAU before the T3412 timeout expires, the MME will wait for the mobile-reachable-timeout value to expire 5400 seconds later and detach the UE. The t3412 timeout is configured in the MME Service to set the timer is used for periodic tracking area update (PTAU). By default it is configured as 3240 seconds. The T3412 and mobile-reachable-timeout values are both
PRIVATE AND CONFIDENTIAL Page 37 of 74 Cisco Systems, Inc.

Recommendation It is recommended to configure this timeout as 3480 seconds or 240 seconds longer then the t3412 timeout. As a configuration best practice and per specification 3GPP TS24.301 Section 8.5.0, it is recommended to set the mobile-reachable-timeout 4 minutes more then the T3412 value at 3840 seconds. Since the UE has failed to respond to a periodic TAU, there is no benefit waiting an additional 90 minutes before disconnect the call and clearing of system resources. It is recommended to configure this timeout as 3240 seconds or 240 seconds shorter then the mobilereachable-timeout.

CLI command: context mme-service emm mobile-reachable-timeout
CLI command: context mme-service emm t3412-timeout
Analysis: started simultaneously during a periodic TAU. This means that if the MME does not receive a periodic TAU before the T3412 timeout expires, the MME waits for the mobile-reachable-timeout value to expire 5400 seconds later before detaching the UE.
Recommendation: As a configuration best practice, and per 3GPP TS 24.301 Section 8.5.0, it is recommended to set the mobile-reachable-timeout 4 minutes more than the T3412 value, at 3840 seconds. Since the UE has already failed to respond to a periodic TAU, there is no benefit in waiting an additional 90 minutes before disconnecting the call and clearing system resources.

CLI command: context mme-service emm t3413-timeout
Analysis: The t3413 timeout is configured in the MME service to set the timer that starts when the MME initiates the EPS paging procedure to the EMM entity in the network and requests the lower layer to start paging. The timer stops when a response to the paging procedure is received from the UE.
Recommendation: It is recommended to configure this timeout as 6 seconds.

CLI command: context mme-service emm t3422-timeout
Analysis: The t3422 timeout is configured in the MME service to set the timer that starts when the MME initiates the detach procedure by sending a DETACH REQUEST message to the UE, and stops upon receipt of the DETACH ACCEPT message.
Recommendation: It is recommended to configure this timeout as 6 seconds.

CLI command: context mme-service emm t3423-timeout
Analysis: The t3423 timeout is configured and used when the UE enters a 3G network from the 4G network and is deactivated.
Recommendation: It is recommended to configure this timeout as 54 minutes.

CLI command: context mme-service emm implicit-detach-timeout
Analysis: The implicit-detach-timeout timer starts after the T3240 timeout expires, and the subscriber is implicitly detached from the network if there is no activity. If the T3420 timeout is not supported, the T3412 timeout is used instead, which implies that the mobile-reachable-timeout should equal the implicit-detach-timeout.
Recommendation: It is recommended to configure this timeout as 240 seconds, or to have it equal the mobile-reachable-timeout or the T3420 timeout. If ISR is enabled, it should be 240 seconds greater than the T3423 timer.

CLI command: context mme-service pgw address
Analysis: The PGW address configuration is used by the MME to statically assign a PGW address for the subscriber.
Recommendation: It is recommended to enable DNS PGW address resolution for redundancy purposes.

CLI command: context mme-service max-paging-attempts
Analysis: This configuration determines how many times the MME will try to page the UE.
Recommendation: The recommended value for max-paging-attempts is 3 or more.

CLI command: context mme-service heuristic-paging paging-map
Analysis: Heuristic paging is a license feature that allows each MME to maintain a list of the n last-heard-from eNodeBs inside the TAI for the UE.
Recommendation: It is recommended to enable heuristic-paging to reduce the number of paging attempts by allowing for smarter paging. However, this will also lead to higher voice call setup times. In R14.0, heuristic paging only affects PS pages.

CLI command: context mme-service policy attach set-ue-time enable
Analysis: Configures the MME to set the time in the UE during the Attach procedure.
Recommendation: It is recommended to set policy attach set-ue-time disable and use the MSC to set network time, as it is considered more accurate.

Table 5-21: S1-MME Interface Audit
PRIVATE AND CONFIDENTIAL Page 38 of 74
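The timer relationships in Table 5-21 can be checked mechanically rather than by eye. The following is an added example written against this guide's recommendations, not code from Cisco or the audit guide: it takes the EMM timer values of one MME service as a dictionary (key names are assumed and mirror the CLI keywords, values in seconds) and reports where they deviate, including the "T3412 plus 4 minutes" rule for mobile-reachable-timeout and the implicit-detach-timeout relationship with and without ISR. The sample's T3412 value of 3600 seconds is constructed.

```python
"""Consistency audit for the MME EMM timers of Table 5-21.

Added example, not code from the Cisco guide. All values are seconds and
the dictionary keys are assumed names that mirror the CLI keywords.
"""

# Recommended values and margins taken from the table.
T3413_RECOMMENDED = 6              # paging timer
T3422_RECOMMENDED = 6              # detach timer
T3423_RECOMMENDED = 54 * 60        # 54 minutes
MOBILE_REACHABLE_MARGIN = 4 * 60   # mobile-reachable = T3412 + 4 minutes
ISR_IMPLICIT_DETACH_MARGIN = 240   # implicit-detach = T3423 + 240 s when ISR is on
MIN_PAGING_ATTEMPTS = 3


def recommended_mobile_reachable(t3412):
    """mobile-reachable-timeout should expire 4 minutes after T3412."""
    return t3412 + MOBILE_REACHABLE_MARGIN


def recommended_implicit_detach(mobile_reachable, t3423, isr_enabled):
    """Set of acceptable implicit-detach-timeout values for this MME."""
    if isr_enabled:
        return {t3423 + ISR_IMPLICIT_DETACH_MARGIN}
    return {240, mobile_reachable}


def audit_emm_timers(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    want_mr = recommended_mobile_reachable(cfg["t3412"])
    if cfg["mobile_reachable"] != want_mr:
        findings.append(
            f"mobile-reachable-timeout {cfg['mobile_reachable']}s: expected "
            f"T3412 ({cfg['t3412']}s) + 240s = {want_mr}s")
    want_id = recommended_implicit_detach(
        cfg["mobile_reachable"], cfg["t3423"], cfg["isr_enabled"])
    if cfg["implicit_detach"] not in want_id:
        findings.append(
            f"implicit-detach-timeout {cfg['implicit_detach']}s: expected "
            f"one of {sorted(want_id)}")
    for key, want in (("t3413", T3413_RECOMMENDED),
                      ("t3422", T3422_RECOMMENDED),
                      ("t3423", T3423_RECOMMENDED)):
        if cfg[key] != want:
            findings.append(f"{key}-timeout {cfg[key]}s: expected {want}s")
    if cfg["max_paging_attempts"] < MIN_PAGING_ATTEMPTS:
        findings.append(
            f"max-paging-attempts {cfg['max_paging_attempts']}: expected "
            f"{MIN_PAGING_ATTEMPTS} or more")
    return findings


# Constructed sample: T3412 at 3600 s and the 5400 s mobile-reachable value
# the guide describes as wasteful, ISR disabled.
MME_AS_FOUND = {
    "t3412": 3600, "mobile_reachable": 5400, "implicit_detach": 5400,
    "t3413": 6, "t3422": 6, "t3423": 54 * 60,
    "isr_enabled": False, "max_paging_attempts": 3,
}
# The same MME after applying the table's recommendation.
MME_RECOMMENDED = dict(MME_AS_FOUND, mobile_reachable=3840, implicit_detach=3840)

if __name__ == "__main__":
    for label, cfg in (("as found", MME_AS_FOUND), ("recommended", MME_RECOMMENDED)):
        print(label, audit_emm_timers(cfg) or "OK")
```

The implicit-detach check accepts either 240 seconds or the mobile-reachable value when ISR is off, as the table allows, and switches to the T3423-based rule when ISR is on; feeding it the values from a `show` output of the MME service gives a quick pass/fail before the detailed review.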

5.8.2 S6a and S13 Interface

The S6a interface defines the communication between the MME and the HSS over a Diameter interface, while the S13 interface defines the communication between the MME and the EIR over a Diameter interface. The S6a interface is mandatory while the S13 interface is optional.

S6a and S13 Interface Configuration

CLI command: context hss peer service auth-request num-auth-vectors
Analysis: Identifies the number of authentication vectors the MME is configured to request from the HSS.
Recommendation: It is recommended to have 3 vectors to reduce the amount of signaling messages towards the HSS.

CLI command: context hss peer service request timeout
Analysis: Identifies the configured timeout for application requests between the HSS peer service and the HSS node. The MME waits for this duration before retransmitting the request to the corresponding HSS node.
Recommendation: It is recommended to configure this value as 300 seconds or lower.

Table 5-22: S6a and S13 Interface Audit

5.8.3 S10/S11 Interface

The S10/S11 interface defines the communication between the MME and SGWs and between MMEs. The eGTP service audit covers the primary services you will see enabled on a chassis. S10 and S11 are treated as the same interface on the MME and cannot be separated.

S10/S11 Service Configuration

CLI command: egtp-service gtpc echo-interval
Analysis: Identifies the interval in seconds between echo messages configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 60 or above, but not disabled.

CLI command: egtp-service gtpc max-retransmissions
Analysis: Identifies the maximum number of retries for packets configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc echo-retransmission-timeout
Analysis: Identifies the echo retransmission timeout, i.e. the interval between echo retransmissions.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc retransmission-timeout
Analysis: Identifies the duration of retransmission timeouts.
Recommendation: It is recommended to configure this value to be 3.

Table 5-23: S10/S11 Interface Audit

5.8.4 S3 Interface

This is the interface used by the MME to communicate with S4-SGSNs on the same PLMN for interworking between GPRS/UMTS and LTE network access technologies. This interface serves as the signalling path for establishing and maintaining subscriber UE contexts.

S3 Interface Configuration

CLI command: egtp-service isr-capability
Analysis: This configuration enables the ISR functionality for the S3 interface. However, ISR must also be enabled on the SGSN, MME, SGW and HSS across the network to activate ISR for the UE.
Recommendation: This is a license feature that is recommended to the customer to reduce signaling for UEs moving between 3G and 4G networks, which improves user experience by saving battery life.

Table 5-24: S3 Interface Audit

5.8.5 SGs Interface

The SGs service configuration is used to create and manage the SGs interface between the MME and a Mobile Switching Center/Visitor Location Register (MSC/VLR).

SGs Interface Configuration

CLI command: sgs-service sgs vlr-recover
Analysis: This command enables active recovery of Circuit Switched Fallback (SMS-only) UEs when a failed VLR becomes responsive again.
Recommendation: This is a license feature that is recommended to improve the accessibility of the MSC/VLR by recovering UEs when a failed VLR is responsive again.

CLI command: sgs-service sgs vlr-failure
Analysis: This command configures the MME to monitor all VLRs and perform a controlled release (detach) of affected UEs when any VLR becomes unavailable.
Recommendation: This is a license feature that is recommended to improve the accessibility of the MSC/VLR by performing a controlled detach of affected UEs when a VLR becomes unavailable.

Table 5-25: SGs Interface Audit


5.8.6 LTE Policy

The LTE policy audit covers the TAI management database used for paging. It also covers static SGW address allocation for the MME, which can be weighted as required. It is recommended that all MME configurations contain an LTE policy mapping the TAC of the eNBs.

LTE Policy Configuration

CLI command: lte-policy sgw-address
Analysis: The SGW address allows for static allocation of the SGW selected by the MME.
Recommendation: It is recommended to use DNS-based SGW resolution and selection on the MME service instead.

Table 5-26: LTE Policy Audit

5.8.7 Operator Policy

The operator policy audit covers ASR5000 functionality that allows subscribers to be internally authenticated against a subscriber policy before going through the normal call flows. This allows the operator to control behaviour as well as limit access as required. For example, roamers can be restricted to LTE access only as a result of their operator policy. By understanding how a call is controlled prior to the call flow, we can identify how the network is set up to treat home subscribers and roamers, as well as MVNO or MOCN scenarios. The default operator policy should always be used as a catch-all for all other scenarios that are not unique to the customer network.

Operator Policy Configuration

CLI command: operator-policy-name description
Analysis: Operator policies are subscriber policies to handle various call scenarios/profiles.
Recommendation: It is recommended to have descriptions for the operator policies from a best practice perspective.

CLI command: operator-policy-name gtpu fast-path
Analysis: Enables the GTP-U fast path feature, which routes traffic so as to reduce CPU cycles and increase NPU cycles.
Recommendation: It is recommended to enable fast-path only if CPU utilization is higher than NPU utilization. Otherwise, it is recommended that this feature not be used on PSC2 or newer cards, since it reduces CPU cycles and increases NPU cycles, and the NPU is the bottleneck on PSC2 or newer cards.

CLI command: operator-policy-name idle-mode-signaling-reduction
Analysis: The ISR feature is used to reduce the signaling required for idle handsets moving between 3G and 4G networks.
Recommendation: This is a license feature that is recommended to reduce signaling messages and improve battery life for UEs moving between 3G and 4G coverage areas when idle.

Table 5-27: Operator Policy Audit

5.9 SGW Audit

The SGW audit consists of identifying the SGW related services configured on the ASR 5000. Best practice guidelines should be checked against the configuration to identify any risk areas that may come as a result of not following such guidelines. The design of the SGW can vary greatly from deployment to deployment based on how many collocated services are configured on the node. Identifying the context and how the interfaces are intended to route is a must.

SGW Service Configuration

CLI command: context sgw-service associate egress egtp-service
Analysis: The egress eGTP service of the SGW configuration handles the control packets towards the PGW.
Recommendation: It is recommended to configure the eGTP service for SGW egress traffic in the same context as the PGW service on a SAE-GW node. Depending on the context design, this allows the traffic to traverse contexts internally instead of leaving over the interface, which would otherwise cause signaling traffic to exit the interface just to reach another context on the same system.

CLI command: context sgw-service path-failure s11 signal-peer
CLI command: context sgw-service path-failure s5 signal-peer
CLI command: context sgw-service path-failure s1u signal-peer
CLI command: context sgw-service path-failure s5u signal-peer
CLI command: context sgw-service path-failure s4 signal-peer
CLI command: context sgw-service path-failure s4u signal-peer
CLI command: context sgw-service path-failure s12 signal-peer
Analysis: Determines the path failure handling mechanism of the SGW service for the S11, S5, S1-U, S5-U, S4, S4-U and S12 interfaces respectively.
Recommendation: For each of these interfaces it is recommended to configure the path failure handling as signal-peer, so that the external systems are notified that we are explicitly detaching/clearing the call.

Table 5-28: SGW Service Audit

5.9.1 S1-U/S11/S12 Interface

The S1-U interface defines the communication between the SGW and the eNB. The S11 interface defines the communication between the SGW and the MME. The S12 interface is the direct tunnel interface between the SGW and the RNC. However, these three interfaces are treated as the same interface and cannot be separated.

S1-U/S11/S12 Configuration

CLI command: egtp-service page-ue pgw-initiated-proc
Analysis: This configuration allows the SGW to page a UE for PGW-initiated procedures (CBR/MBR/UBR) when the UE is idle, and sends a failure response to the PGW.
Recommendation: It is recommended to disable this feature to reduce signaling costs.

CLI command: egtp-service gtpc echo-interval
Analysis: Identifies the interval in seconds between echo messages configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 60 or above, but not disabled.

CLI command: egtp-service gtpc max-retransmissions
Analysis: Identifies the maximum number of retries for packets configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 4 or lower, but not disabled.

CLI command: egtp-service gtpc echo-retransmission-timeout
Analysis: Identifies the echo retransmission timeout, i.e. the interval between echo retransmissions.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc retransmission-timeout
Analysis: Identifies the duration of retransmission timeouts.
Recommendation: It is recommended to configure this value to be 3.

Table 5-29: S11 Interface Audit

5.9.2 S4-SGSN

The S4 interface defines the communication between the SGW and the SGSN.

eGTP Service Configuration

CLI command: egtp-service gtpc echo-interval
Analysis: Identifies the interval in seconds between echo messages configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 60 or lower, but not disabled.

CLI command: egtp-service gtpc max-retransmissions
Analysis: Identifies the maximum number of retries for packets configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc echo-retransmission-timeout
Analysis: Identifies the echo retransmission timeout, i.e. the interval between echo retransmissions.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc retransmission-timeout
Analysis: Identifies the duration of retransmission timeouts.
Recommendation: It is recommended to configure this value to be 3.

Table 5-30: S4 SGSN Audit

5.9.3 S5/S8 Interface

The S5/S8 interface defines the communication between the SGW and the PGW. This interface can be located in a context separate from the SGW service.

eGTP Egress Service Configuration

CLI command: egtp-service gtpc echo-interval
Analysis: Identifies the interval in seconds between echo messages configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 60 or above, but not disabled.

CLI command: egtp-service gtpc max-retransmissions
Analysis: Identifies the maximum number of retries for packets configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc echo-retransmission-timeout
Analysis: Identifies the echo retransmission timeout, i.e. the interval between echo retransmissions.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc retransmission-timeout
Analysis: Identifies the duration of retransmission timeouts.
Recommendation: It is recommended to configure this value to be 3.

Table 5-31: S5/S8 Interface Audit

5.10 PGW Audit

The PGW audit consists of identifying the PGW related services configured on the ASR 5000. Best practice guidelines should be checked against the configuration to identify any risk areas that may come as a result of not following such guidelines. The design of the PGW can vary greatly from deployment to deployment based on how many collocated services are configured on the node. Identifying the context and how the interfaces are intended to route is a must.

PGW Service Configuration

CLI command: context pgw-service associate egtp-service
CLI command: context pgw-service associate ggsn-service
Analysis: The eGTP service is the ingress interface for the PGW service. The GGSN service provides the 3G service support for the PGW service.
Recommendation: It is recommended that the GGSN and eGTP ingress services use the same IP addresses for the control and user plane to simplify the design, unless there is a design requirement to split them into separate IPs.

Table 5-32: PGW Service Audit

5.10.1 S5/S8 Interface

The S5/S8 interface defines the communication between the PGW and the SGW.

eGTP Service Configuration

CLI command: egtp-service gtpc echo-interval
Analysis: Identifies the interval in seconds between echo messages configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 60 or above, but not disabled.

CLI command: egtp-service gtpc max-retransmissions
Analysis: Identifies the maximum number of retries for packets configured in the eGTP service.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc echo-retransmission-timeout
Analysis: Identifies the echo retransmission timeout, i.e. the interval between echo retransmissions.
Recommendation: It is recommended to configure this value to be 4 or lower.

CLI command: egtp-service gtpc retransmission-timeout
Analysis: Identifies the duration of retransmission timeouts.
Recommendation: It is recommended to configure this value to be 3.

Table 5-33: S5/S8 Interface Audit
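Because the same four GTP-C path-management timers are audited for the S10/S11, S1-U/S11/S12, S4, SGW S5/S8 and PGW S5/S8 eGTP services (Tables 5-23, 5-29, 5-30, 5-31 and 5-33), a single checker can cover every egtp-service in a configuration dump. The following is an added example, not code from the guide or Cisco: it parses a constructed StarOS-style configuration (the `no gtpc echo-interval` spelling for a disabled echo is an assumption) and applies the thresholds stated in four of the five tables: 60 or above for echo-interval, 4 or lower for max-retransmissions and echo-retransmission-timeout, and exactly 3 for retransmission-timeout. Table 5-30 words the echo-interval rule as "60 or lower"; the checker uses the "60 or above" form of the other tables.

```python
"""Audit of GTP-C path-management timers for every egtp-service in a
StarOS-style configuration dump, using the thresholds from Tables 5-23,
5-29, 5-30, 5-31 and 5-33.

Added example, not code from the guide. The configuration text is
constructed; 'no gtpc echo-interval' is an assumed spelling for a
disabled echo.
"""
import re

# (parameter, predicate on the configured value, wording of the rule).
# A value of None means the parameter was explicitly disabled.
RULES = [
    ("echo-interval", lambda v: v is not None and v >= 60, "60 or above, not disabled"),
    ("max-retransmissions", lambda v: v is not None and v <= 4, "4 or lower"),
    ("echo-retransmission-timeout", lambda v: v is not None and v <= 4, "4 or lower"),
    ("retransmission-timeout", lambda v: v == 3, "3"),
]


def parse_egtp_services(config_text):
    """Return {service_name: {parameter: int | None}} for each egtp-service.

    re.split with a capturing group yields [preamble, name1, body1, name2,
    body2, ...]; each body runs up to the next egtp-service line, and only
    its 'gtpc ...' sub-commands are read.
    """
    parts = re.split(r"^\s*egtp-service\s+(\S+)\s*$", config_text, flags=re.M)
    services = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        params = {}
        for m in re.finditer(r"^\s*(no\s+)?gtpc\s+(\S+)(?:\s+(\d+))?\s*$", body, re.M):
            disabled, param, value = m.groups()
            params[param] = None if disabled or value is None else int(value)
        services[name] = params
    return services


def audit_egtp(config_text):
    """Return findings as (service, parameter, configured, expected) tuples."""
    findings = []
    for name, params in parse_egtp_services(config_text).items():
        for param, ok, rule in RULES:
            if param not in params:
                # Not explicitly set: the platform default applies, so flag it
                # for manual verification rather than assuming it is safe.
                findings.append((name, param, "not set (default in effect)", rule))
            elif not ok(params[param]):
                shown = "disabled" if params[param] is None else params[param]
                findings.append((name, param, shown, rule))
    return findings


# Constructed sample: one compliant S11 service and one egress service
# whose echo is disabled and whose retry values exceed the guide's limits.
SAMPLE_CONFIG = """\
context sgw
  egtp-service egtp_s11
    gtpc echo-interval 60
    gtpc max-retransmissions 4
    gtpc echo-retransmission-timeout 3
    gtpc retransmission-timeout 3
  exit
  egtp-service egtp_s5_egress
    no gtpc echo-interval
    gtpc max-retransmissions 5
    gtpc echo-retransmission-timeout 5
    gtpc retransmission-timeout 5
  exit
  sgw-service sgw1
    associate egress egtp-service egtp_s5_egress
  exit
exit
"""

if __name__ == "__main__":
    for service, param, configured, rule in audit_egtp(SAMPLE_C0NFIG if False else SAMPLE_CONFIG):
        print(f"{service}: gtpc {param} = {configured}, recommended {rule}")
```

A disabled echo is reported separately from an out-of-range value because the tables single it out ("but not disabled"): without echoes the SGW or PGW never detects a dead peer, and the path-failure signal-peer handling of Table 5-28 is never triggered.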

5.10.2 SGi Interface

The SGi interface defines the communication between the PGW and the external PDN.

PDN Context Configuration

CLI command: context interface ip-address IPv4/IPv6
Analysis: The Gi interface is routed based on the available IP pools within the same context. The interface should be either IPv4 or IPv6 depending on the pools configured.
Recommendation: It is recommended to configure the interface based on the IP type of the pools and to have redundant interfaces, ideally two logical interfaces, to route IP traffic.

CLI command: context ip pool private
Analysis: Private pools are assigned only if the APN is configured with the pool name.
Recommendation: It is recommended to configure all pools as PRIVATE to avoid the scenario where a PUBLIC pool gets assigned to an APN by default.

CLI command: context ip pool group-name
Analysis: Group names can be used to group together common pools.
Recommendation: It is recommended to configure a group-name for multiple pools to simplify the configuration. It can also simplify the design if IP pool names are passed back from a RADIUS server.

CLI command: context ip pool explicit-route-advertise
Analysis: Explicit-route-advertise creates a /32 host route when a subscriber connects to the pool.
Recommendation: It is not recommended to use this feature, as a context has an inherent limit of 2000 routes in its IP routing table.

Table 5-34: SGi Interface Audit

5.10.2.1 APN Audit

The APN audit identifies where the subscribers will connect to. APNs are generally classified as consumer APNs and corporate APNs. This is usually determined by the naming convention of the APN. Identifying the APN type is necessary, as service between a corporate and a consumer APN is generally very different between service providers. All the related services to a subscriber are configured at the APN level.

APN Configuration

CLI command: context apn virtual-apn gcdr apn-name-to-be-included Gn
Analysis: Virtual-APN GCDR apn-name-to-be-included Gn applies the Gn APN within the GCDR records.
Recommendation: It is recommended to use the Gn APN to identify the source of the PDP request, unless there is a mediation reason why the Gi APN is used in the billing records.

CLI command: context apn aaa group
Analysis: The AAA group assigns the RADIUS authentication/accounting server to be used by the APN.
Recommendation: It is mandatory to have the AAA group configured in the same context as the APN.

CLI command: context apn ip access-group * in
CLI command: context apn ip access-group * out
Analysis: The IP access-group for in/out traffic is used to apply permit/deny/redirect rules to subscriber traffic accessing this APN.
Recommendation: It is recommended to configure ACLs within the same context as the APNs, as ACLs are not global configurations.

CLI command: context apn ip source-violation ignore
Analysis: Source-violation enables the APN to check for IP spoofing. This feature checks that the traffic being received matches the subscriber's assignment on this APN, and drops the call if 10 invalid packets are found by default.
Recommendation: It is recommended to configure ip source-violation ignore, as dongles are commonly connected to APNs with a concurrent Internet connection, which will cause this rule to be hit by default and drop the call, affecting user experience.

CLI command: context apn mediation-device
Analysis: Mediation-device enables the APN to send accounting requests to a mediation-type RADIUS server.
Recommendation: It is recommended to use mediation-device for RADIUS accounting servers.

CLI command: context apn ip context-name
Analysis: The IP context name configures the routing context in which the IP pool will be assigned to the subscriber.
Recommendation: It is recommended to leave this command at its default if the APN is configured in the same context as the Gi context where the IP pool is configured.

CLI command: context apn bearer-control-mode
Analysis: Enables or disables the bearer control mode for network controlled QoS (NCQoS) through this APN. It also controls the sending of an IE in GTP messages.
Recommendation: It is recommended to configure bearer-control-mode as mixed to allow both the UE and the GGSN to control the network controlled QoS.

CLI command: context apn timeout absolute/idle
Analysis: The absolute timeout disconnects the subscriber when the timer expires. The idle timeout disconnects the subscriber when the timer expires after the subscriber has started idling.
Recommendation: It is recommended to disable all TIMEOUT parameters on the APN, as LTE networks and UEs are designed to be always-on devices. Timing out the subscriber will make them reconnect immediately and use up more resources throughout the network as a result.

CLI command: context apn dns
Analysis: Configures the DNS server to allow for host name resolution for the PDN.
Recommendation: It is recommended to configure two DNS servers for primary and secondary resolution.

Table 5-35: APN Audit
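Most of the APN checks above are about the presence or absence of a sub-command, which makes them easy to script across every APN in a dump. The following is an added example, not code from the guide or Cisco; the configuration is constructed and the sub-command spellings (aaa group, ip source-violation ignore, mediation-device, bearer-control-mode, timeout absolute/idle, dns primary/secondary) are assumed from the CLI keywords in Table 5-35. It flags APNs that lack an AAA group, that check rather than ignore source violations, that have no mediation device, that do not use bearer-control-mode mixed, that carry absolute or idle timeouts, or that configure fewer than two DNS servers.

```python
"""Per-APN audit against the recommendations of Table 5-35.

Added example, not code from the guide. The configuration is constructed,
and the APN sub-command spellings used here (aaa group, ip source-violation
ignore, mediation-device, bearer-control-mode, timeout absolute/idle,
dns primary/secondary) are assumed from the keywords in the table.
"""
import re


def parse_apns(config_text):
    """Return {apn_name: [sub-command lines]} for every 'apn <name>' block,
    reading each block up to its closing 'exit'."""
    parts = re.split(r"^\s*apn\s+(\S+)\s*$", config_text, flags=re.M)
    apns = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        lines = []
        for raw in body.splitlines():
            line = raw.strip()
            if line == "exit":
                break
            if line:
                lines.append(line)
        apns[name] = lines
    return apns


def audit_apn(lines):
    """Return the list of findings for one APN (empty means compliant)."""
    def has(prefix):
        return any(line.startswith(prefix) for line in lines)

    findings = []
    if not has("aaa group "):
        findings.append("aaa group missing: the AAA group is mandatory and must live in the APN's context")
    if not has("ip source-violation ignore"):
        findings.append("ip source-violation ignore not set: spoofing checks will drop "
                        "dongles with a concurrent Internet connection")
    if not has("mediation-device"):
        findings.append("mediation-device not set: recommended for RADIUS accounting servers")
    modes = [line.split()[-1] for line in lines if line.startswith("bearer-control-mode ")]
    if modes != ["mixed"]:
        findings.append(f"bearer-control-mode {modes[0] if modes else 'not set'}: expected mixed")
    for line in lines:
        if line.startswith(("timeout absolute ", "timeout idle ")):
            findings.append(f"'{line}' configured: always-on LTE devices reconnect "
                            "immediately, consuming more network resources")
    for kind in ("primary", "secondary"):
        if not has(f"dns {kind} "):
            findings.append(f"dns {kind} missing: configure two DNS servers for resolution")
    return findings


def audit_all_apns(config_text):
    """Map every APN name in the dump to its findings."""
    return {name: audit_apn(lines) for name, lines in parse_apns(config_text).items()}


# Constructed sample: one APN following the table and one with several
# deviations (source-violation checking, an idle timeout, one DNS server).
SAMPLE_CONFIG = """\
context gi
  apn internet.example
    aaa group aaa_internet
    ip context-name gi
    ip source-violation ignore
    mediation-device
    bearer-control-mode mixed
    dns primary 10.0.0.53
    dns secondary 10.0.0.54
  exit
  apn corp.example
    aaa group aaa_corp
    bearer-control-mode none
    timeout idle 1800
    dns primary 10.0.1.53
  exit
exit
"""

if __name__ == "__main__":
    for apn, findings in audit_all_apns(SAMPLE_CONFIG).items():
        print(apn, findings or "OK")
```

The "same context" part of the AAA group and ACL recommendations is not verified here because it needs the rest of the context configuration; the checker only establishes that each APN names a group at all, which is the part that can fail silently at attach time.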

5.11 PDSN Audit

The PDSN audit consists of identifying the PDSN related services configured on the ASR 5000. Best practice guidelines should be checked against the configuration to identify any risk areas that may come as a result of not following such guidelines. The PDSN audit covers two primary areas: the PDSN service and the subscriber template configuration.

5.11.1 RP Interface

The PDSN service audit identifies where the PDSN service is enabled within a context. The service will be identified to determine whether multiple PDSN services are configured as required based on customer requirements, as well as the logical design of the control and user plane. The context where the PDSN service resides can be identified as the RP, where the A11 requests from the PCF arrive from the network.

PDSN Service Configuration

CLI command: context pdsn-service spi remote-address description
Analysis: A description can be inserted into the SPI remote address.
Recommendation: It is recommended to configure a description for all remote addresses.

CLI command: context pdsn-service authentication allow-noauth
Analysis: Configures whether the FA service looks for a Mobile Node-Home Agent (MN-HA) authentication extension in the RRP.
Recommendation: It is not recommended to configure this CLI, as it bypasses the authentication process, which can cause security concerns. If the allow-noauth option is used in conjunction with commands specifying other authentication protocols and their priorities, then it is suggested to give the allow-noauth option the lowest priority.

CLI command: context pdsn-service ip source-violation
Analysis: Sets the parameters for IP source validation. Source validation is useful if packet spoofing is suspected, or for verifying packet routing and labelling within the network.
Recommendation: It is recommended to enable source-violation to prevent IP spoofing. The recommended value is 10 packets.

CLI command: context pdsn-service ip source-violation clear-on-valid-packet
Analysis: Sets the parameter to clear the source violation count for a subscriber if a valid packet is received.
Recommendation: It is recommended to clear source-violation packets upon receiving a valid packet.

CLI command: context pdsn-service gre sequence-mode none
Analysis: Configures how incoming out-of-sequence GRE packets should be handled.
Recommendation: It is recommended by Cisco to use reorder mode for the GRE sequence, so that out-of-order packets are handled gracefully and a full tear-down and retry of an existing call is avoided.

CLI command: context pdsn-service spi timestamp-tolerance
Analysis: Identifies the allowable difference (tolerance) in timestamps that is acceptable.
Recommendation: It is recommended to configure the timestamp tolerance to 65535.

CLI command: context pdsn-service pcf-monitor
Analysis: A license feature from Cisco that monitors the PCF to determine whether it is down by sending ICMP echo requests. If the PCF is determined to be down, the related sessions are torn down and the corresponding AAA requests are sent.
Recommendation: It is recommended to enable this license-specific feature to remove stale sessions and to free CPU cycles, memory resources and user licenses.

CLI command: context subscriber pdsn-service ip header-compression
Analysis: This configuration enables IP header compression for the default subscriber IP traffic.
Recommendation: It is recommended to disable this feature.

CLI command: context pdsn-service closedrp-rp handoff
Analysis: This command enables a PDSN service to hand off sessions between Closed-RP and RP connections.
Recommendation: It is recommended to enable Closed-RP to RP handoff by default if both a pdsn-service and a pdsn closedrp-service are configured in the same chassis/network.

CLI command: context ha-service optimize tunnel-reassembly
Analysis: This configuration enables the tunnel reassembly optimization, which is used for fragmented large packets passed between HA and FA.
Recommendation: It is recommended to disable this feature. This command applies to very specific scenarios where packet reassembly is not supported at the far end of the tunnel. There are cases where the destination network may either discard the data or be unable to reassemble the packets.

CLI command: context optimize pdsn inter-service-handoff
Analysis: This controls the optimization of the system's handling of inter-PDSN handoffs.
Recommendation: It is recommended to disable this feature.

Table 5-36: RP Interface Audit

5.11.2 Pi Interface

The Pi interface defines the communication between the PDSN and the external PDN. The Pi interface is configured within the PDN context and is logically bound together by the subscriber template configuration. This interface is implicitly referenced based on how the IP pools defined and bound to the subscriber are configured.

Pi Interface Configuration

CLI command: context interface ip-address IPv4/IPv6
Analysis: The Pi interface is routed based on the available IP pools within the same context. The interface should be either IPv4 or IPv6 depending on the pools configured.
Recommendation: It is recommended to configure the interface based on the IP type of the pools and to have redundant interfaces, ideally two logical interfaces, to route IP traffic.

CLI command: context ip pool private
Analysis: Private pools are assigned only if the subscriber defaults are configured with the pool name.
Recommendation: It is recommended to configure all pools as PRIVATE to avoid the scenario where a PUBLIC pool gets assigned to a subscriber by default. However, if there are multiple subscriber templates without an IP pool assigned, then this recommendation can be ignored.

CLI command: context ip pool group-name
Analysis: Group names can be used to group together common pools.
Recommendation: It is recommended to configure a group-name for multiple pools to simplify the configuration. It can also simplify the design if IP pool names are passed back from a RADIUS server.

CLI command: context ip pool explicit-route-advertise
Analysis: Explicit-route-advertise creates a /32 host route when a subscriber connects to the pool.
Recommendation: It is not recommended to use this feature, as a context has an inherent limit of 2000 routes in its IP routing table.

Table 5-37: Pi Interface Audit

5.11.2.1 Subscriber Template Audit

The subscriber template audit identifies where the subscribers will connect to. Subscriber templates are generally classified as consumer usernames and corporate usernames. This is usually determined by the naming convention of the username. Identifying the username type is necessary, as service between a corporate and a consumer username is generally very different between service providers. All the related services to a subscriber are configured at the subscriber template level.

Subscriber Template Configuration

CLI command: context subscriber aaa group
Analysis: The AAA group assigns the RADIUS authentication/accounting server to be used by the subscriber.
Recommendation: It is recommended that the AAA group be configured in the same context as the subscriber.

CLI command: context subscriber ip access-group * in
CLI command: context subscriber ip access-group * out
Analysis: The IP access-group for in/out traffic is used to apply permit/deny/redirect rules to subscriber traffic accessing this subscriber.
Recommendation: It is recommended to configure ACLs within the same context as the subscribers, as ACLs are not global configurations.

CLI command: context subscriber ip context-name
Analysis: The IP context name configures the routing context in which the IP pool will be assigned to the subscriber.
Recommendation: It is recommended to leave this command at its default if the subscriber is configured in the same context as the Pi context where the IP pool is configured.

CLI command: context subscriber credit-control-group
Analysis: The credit-control-group enables the subscriber to send CER to the OCS.
Recommendation: It is recommended to leave this command at its default if only one OCS is available. The OCS configuration should also be configured as default.

CLI command: context subscriber dns
Analysis: Configures the DNS server to allow for host name resolution for the PDN.
Recommendation: It is recommended to configure two DNS servers for primary and secondary resolution.

Table 5-38: Subscriber Template Audit

5.12 FA Audit

The FA audit consists of identifying all the related contexts and services required for the FA service. Best practice guidelines are checked for the FA service to determine whether there are risks in the current configuration. Furthermore, the audit also checks the timers used between the FA and the HA. The contexts for the FA must be identified as part of the audit process; they can generally be identified based on the services enabled within the context.

5.12.1 FA Service

FA-Service Configuration

CLI command: context fa-service spi description
Analysis: A description can be inserted into the SPI remote address.
Recommendation: It is recommended to configure a description for all remote addresses.

CLI command: context fa-service authentication mn-ha allow-noauth
Analysis: Configures whether the FA service looks for a Mobile Node-Home Agent (MN-HA) authentication extension in the RRP.
Recommendation: It is recommended to always check for the extension to prevent unauthorized access to your network.

CLI command: context fa-service authentication mn-aaa renew-and-dereg-noauth
Analysis: This command disables the authentication request upon re-registration and de-registration.
Recommendation: It is recommended to enable this command to reduce the amount of signalling retries for a previously registered mobile.

CLI command: context fa-service reg-timeout
Analysis: Timeout parameter for the registration request. In common deployments, if the response is not seen within 3 seconds, waiting longer than 3 seconds is unlikely to change the outcome.
Recommendation: It is recommended by Cisco to reduce the timeout from 7 seconds to 3 seconds in order to reduce the time for which the ASR5000 holds system resources for a registration request that has most likely timed out.

CLI command: context fa-service spi timestamp-tolerance
Analysis: Identifies the allowable difference (tolerance) in timestamps that is acceptable.
Recommendation: It is recommended to configure the timestamp tolerance to 65535.

CLI command: context ip identification packet-size-threshold
Analysis: This configuration sets the upper limit of the IP packet size that is considered fragmentable, and assigns a unique non-zero identifier to IP encapsulation headers such as the MIP data tunnel, to better handle fragmented packets internally on the ASR5000.
Recommendation: It is recommended to configure this value to 1400, which equals the MTU on the logical interface.

CLI command: context fa-service ignore-stale-challenge
Analysis: By default, enabling this command allows the FA to accept stale challenges regardless of the ID field or whether other RRQs are pending. By ignoring the challenge, it prevents a potential race condition where a new challenge can be sent while an older challenge is still being processed. Furthermore, this can also have signalling benefits by reusing older RADIUS responses instead of retrying based on the stale challenge.
Recommendation: It is recommended to change this command from no ignore-stale-challenge to ignore-stale-challenge, based on the known benefits of this feature as observed in other CDMA networks.

CLI command: context mobile-ip fa newcall duplicate-home-address accept
Analysis: Allows FA services to accept new calls and drop the existing call when the new call requests an IP address that is already in use by an existing call.
Recommendation: It is recommended to enable this configuration as accept.

CLI command: context fa-service optimize tunnel-reassembly
Analysis: This configuration enables the tunnel reassembly optimization, which is used for fragmented large packets passed between HA and FA.
Recommendation: It is recommended to disable this feature. This command applies to very specific scenarios where packet reassembly is not supported at the far end of the tunnel. There are cases where the destination network may either discard the data or be unable to reassemble the packets.

Table 5-39: FA Service Audit

5.13 HA Audit
The HA audit consists of identifying the HA related services configured on the ASR 5000. Best practice guidelines should be checked against the configuration to identify any risk areas that may result from not following such guidelines.

5.13.1 Pi Interface
The packet interface (Pi) is the communications path between the PDSN/Foreign Agent (PDSN/FA) and the Home Agent (HA) for Mobile IP applications.

Pi Interface Configuration

CLI command: context ha-service fa-ha-spi remote-address description
Analysis: A description can be attached to each SPI remote address.
Recommendation: It is recommended to configure a description for all remote addresses.

CLI command: context ha-service authentication mn-ha allow-noauth
Analysis: Configures whether the HA service requires the Mobile Node-Home Agent (MN-HA) authentication extension in the registration request (RRQ); with allow-noauth, registrations without the extension are accepted.
Recommendation: It is recommended to always check for the extension (do not allow noauth) to prevent unauthorized access to your network.

CLI command: context ha-service authentication mn-aaa renew-and-dereg-noauth
Analysis: Disables the authentication request upon re-registration and de-registration.
Recommendation: It is recommended to enable this command to reduce the amount of signalling retries for a previously registered mobile.

CLI command: context ha-service reg-lifetime
Analysis: Configures the Mobile IP session registration lifetime.
Recommendation: Cisco recommends configuring the reg-lifetime to 600 or more, but equal to or less than what the handsets are requesting, to control the registration lifetime within your network.

CLI command: context ha-service fa-ha-spi timestamp-tolerance
Analysis: Identifies the allowable difference (tolerance) in timestamps that is acceptable.
Recommendation: It is recommended to configure the timestamp tolerance to 65535.

Table 5-40: Pi Interface Audit
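
To run the FA and Pi checks of Tables 5-39 and 5-40 against a configuration dump rather than by eye, the following Python script is an added example; it is not part of this guide and not Cisco or StarOS code. The sample configuration it audits is constructed to use the command names quoted in the two tables: its block layout (a keyword line opens a block, #exit closes it) is a simplified model of show configuration output, and the fa-ha-spi option layout, the peer addresses and the secrets are assumptions. The script flags the items the tables call out: fa-ha-spi peers without a description or with a timestamp-tolerance other than 65535, reg-lifetime below 600, authentication mn-ha allow-noauth present on an HA service, renew-and-dereg-noauth absent, ignore-stale-challenge absent on an FA service, and optimize tunnel-reassembly present.

```python
from dataclasses import dataclass

# Constructed sample, not a capture from a real chassis.  It uses the command
# names quoted in the guide; block layout, fa-ha-spi option layout, peer
# addresses and secrets are assumptions made for this example.
SAMPLE_CONFIG = """\
config
  context ingress
    fa-service fa1
      fa-ha-spi remote-address 10.0.2.1 spi-number 256 encrypted secret 0xabcd timestamp-tolerance 65535
      fa-ha-spi remote-address 10.0.2.2 spi-number 257 encrypted secret 0xabcd description HA-site-B
      optimize tunnel-reassembly
    #exit
  #exit
  context core
    ha-service ha1
      fa-ha-spi remote-address 10.0.1.5 spi-number 256 encrypted secret 0xabcd description FA-site-A timestamp-tolerance 65535
      fa-ha-spi remote-address 10.0.1.6 spi-number 257 encrypted secret 0xabcd timestamp-tolerance 60
      authentication mn-ha allow-noauth
      authentication mn-aaa renew-and-dereg-noauth
      reg-lifetime 300
    #exit
  #exit
end
"""

BLOCK_KEYWORDS = ("context", "fa-service", "ha-service")

@dataclass(frozen=True)
class Finding:
    severity: str   # "high" for authentication posture, else "medium" / "low"
    location: str   # context/service path, e.g. "core/ha-service ha1"
    check: str      # which recommendation of the guide fired
    detail: str

def parse_services(text):
    """Return [(path, [command lines])] for every fa-service/ha-service block.
    Indentation is ignored: a block opens on a BLOCK_KEYWORDS line and closes
    on '#exit'; any other line belongs to the innermost open block."""
    stack, services = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("config", "end"):
            continue
        if line == "#exit":
            name, lines = stack.pop()
            if not name.startswith("context "):
                ctx = [n.split()[1] for n, _ in stack if n.startswith("context ")]
                services.append(("/".join(ctx + [name]), lines))
        elif line.split()[0] in BLOCK_KEYWORDS:
            stack.append((line, []))
        elif stack:
            stack[-1][1].append(line)
    return services

def _option(tokens, key):
    """Value following option `key` on a command line, or None if absent."""
    if key in tokens and tokens.index(key) + 1 < len(tokens):
        return tokens[tokens.index(key) + 1]
    return None

def audit_config(text):
    """Return the Finding list for every FA/HA service in the configuration."""
    findings = []
    for path, lines in parse_services(text):
        def add(severity, check, detail):
            findings.append(Finding(severity, path, check, detail))
        # Both tables: every fa-ha-spi peer needs a description and a
        # timestamp-tolerance of 65535 (an absent option means the default).
        for line in lines:
            if not line.startswith("fa-ha-spi remote-address "):
                continue
            toks = line.split()
            peer = toks[2]
            if "description" not in toks:
                add("low", "spi-description", f"peer {peer} has no description")
            tol = _option(toks, "timestamp-tolerance")
            if tol != "65535":
                add("medium", "timestamp-tolerance",
                    f"peer {peer} uses {tol or 'the default'}, guide recommends 65535")
        if path.split("/")[-1].startswith("ha-service"):
            lifetime = next((l.split()[1] for l in lines if l.startswith("reg-lifetime ")), None)
            if lifetime is None or int(lifetime) < 600:
                add("medium", "reg-lifetime",
                    f"reg-lifetime is {lifetime or 'unset'}, guide recommends 600 or more")
            if "authentication mn-ha allow-noauth" in lines:
                add("high", "mn-ha-allow-noauth",
                    "RRQs without the MN-HA authentication extension are accepted")
            if "authentication mn-aaa renew-and-dereg-noauth" not in lines:
                add("low", "renew-and-dereg-noauth",
                    "guide recommends enabling to cut signalling retries on renewals")
        else:  # fa-service
            if "ignore-stale-challenge" not in lines:
                add("low", "ignore-stale-challenge", "guide recommends enabling on FA services")
            if "optimize tunnel-reassembly" in lines:
                add("medium", "tunnel-reassembly", "guide recommends disabling")
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.location}: {f.check}: {f.detail}")
```

Run against a real show configuration export, the parser needs no change for contexts that hold several services; the allow-noauth finding is rated high because it is the one item in the two tables that weakens authentication rather than tuning a timer.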

5.13.2 PDN Interface


The PDN interface defines the communication between the HA and the external PDN. The PDN interface is configured within the PDN context and is logically bound together by the subscriber template configuration. This interface is implicitly referenced through the IP pools that are defined and bound to the subscriber template.

PDN Interface Configuration

CLI command: context interface ip-address IPv4..IPv6
Message/Action: Identify the context, interface and IPv4 / IPv6 address defined for the PDN interface.
Recommendation: It is recommended to verify that the IP addresses configured on the PDN interface correspond to the IP pool assigned to each subscriber profile and fall within the defined range.

CLI command: context ip pool
Message/Action: Identify how many IP pools are configured, what type of pools they are and which routing contexts are used. Check the pool configuration against the engineering limits. The contexts where the pools are configured are considered the PDN or routing context.
Recommendation: Check that all the pools are used. Check whether public pools are configured; if so, it is recommended to use private pools instead.

Table 5-41: PDN Interface Audit


5.13.2.1 Subscriber Template Audit

The subscriber template audit identifies where the subscribers will connect to. Subscriber templates are generally classified as consumer username and corporate username, which is usually determined by the naming convention of the username. Identifying the username type is necessary, as the service provided to a corporate username and to a consumer username is generally very different between service providers. All the services related to a subscriber are configured at the subscriber template level.

Subscriber Template Configuration

CLI command: context subscriber aaa group
Analysis: The AAA group assigns the RADIUS authentication/accounting server to be used by the subscriber.
Recommendation: It is recommended that the AAA group be configured in the same context as the subscriber.

CLI command: context subscriber ip access-group * in / ip access-group * out
Analysis: The IP access-group for in/out traffic applies permit/deny/redirect rules to the traffic of this subscriber.
Recommendation: It is recommended to configure ACLs within the same context as the subscribers, as ACLs are not global configurations.

CLI command: context subscriber ip context-name
Analysis: The IP context name sets the routing context in which the IP pool will be assigned to the subscriber.
Recommendation: It is recommended to leave this command at its default if the subscriber is configured in the same context as the Pi context where the IP pool is configured.

CLI command: context subscriber credit-control-group
Analysis: The credit-control-group enables the subscriber to send Credit-Control-Requests (CCR) to the OCS.
Recommendation: It is recommended to leave this command at its default if only one OCS is available. The OCS configuration should also be configured as default.

CLI command: context subscriber dns
Analysis: Configures the DNS server used for host name resolution in the PDN.
Recommendation: It is recommended to configure two DNS servers, for primary and secondary resolution.

Table 5-42: Subscriber Template Interface Audit

5.14 HSGW Audit


5.14.1 RP Interface
The HSGW service audit identifies the context in which the HSGW service is enabled. The service is identified to determine whether multiple HSGW services are configured, as required by customer requirements and by the logical design of the control and user plane. The context where the HSGW service resides can be identified as the RP interface, where the A11 requests from the ePCF arrive from the network.

HSGW Service Configuration

CLI command: context hsgw-service setup-timeout
Analysis: Maximum timeout allowed for session setup.
Recommendation: It is recommended to configure the timeout as 5 seconds.

CLI command: context hsgw-service retransmission-timeout
Analysis: Configures the timeout period for retransmission of RP control packets.
Recommendation: It is recommended to configure this value as 3 seconds or less, but not disabled.

Table 5-43: HSGW RP Interface Audit

5.14.2 S2a Interface


The S2a interface defines the communication between the HSGW and the PGW. The S2a interface is configured within the MAG context.

S2a Interface Configuration

CLI command: context mag-service max-retransmissions
Analysis: Configures the maximum number of retransmissions of control packets on the S2a interface.
Recommendation: It is recommended to configure this value as 3 retransmissions.

CLI command: context mag-service retransmission-timeout
Analysis: Configures the timeout period, in seconds, for retransmission of control packets on the S2a interface.
Recommendation: It is recommended to configure this value as 3 seconds or less, but not disabled.

CLI command: context mag-service setup-timeout
Analysis: Maximum time allowed for session setup, in seconds.
Recommendation: It is recommended to configure this value as 5 seconds.

Table 5-44: S2a Interface Audit

5.15 P-CSCF Audit


The P-CSCF audit consists of identifying the P-CSCF related services configured on the ASR 5X00. Best practice guidelines should be checked against the configuration to identify any risk areas that may result from not following such guidelines.

5.15.1 P-CSCF Service Policy Configuration Audit


The P-CSCF service policy configuration audit consists of identifying the configuration enabled within a P-CSCF context. Each policy rule is configured under a P-CSCF policy group, and this policy group should be assigned under the P-CSCF service. In particular, if VoLTE needs to support video calls, the video-sessions rule must be configured; otherwise video calls will be rejected.

P-CSCF Service Policy Configuration

CLI command: context cscf policy name service-policy-rules authorization early-bandwidth
Analysis: Enables early bandwidth authorization in the P-CSCF, based on the SDP, when communicating with the external policy server via Rx. When early bandwidth authorization is enabled, the P-CSCF tries to reserve bandwidth when it receives the INVITE (call initiation). If disabled, the bandwidth reservation is done upon receiving the 200 OK.
Recommendation: It is recommended to enable early bandwidth authorization so that the AAR is sent during the offer (INVITE).

CLI command: context cscf policy name service-policy-rules video-sessions
Analysis: Identifies the CSCF policy that allows video bearers.
Recommendation: It is recommended to enable this CLI for video bearers.

CLI command: context cscf service max-sip-msg-size
Analysis: Identifies the maximum SIP message size.
Recommendation: It is recommended to keep the maximum SIP message size (65535 bytes) so that a UE or AS can send large SIP messages without them being dropped.

CLI command: context cscf service session-timer
Analysis: Identifies the session expiry for sessions in the P-CSCF. The caller and the called party need to exchange an UPDATE or INVITE message within this timer during a call. If one of the parties does not receive an UPDATE or INVITE message for session refresh, the call is disconnected. This mechanism prevents over-charging of a subscriber.
Recommendation: It is recommended to configure this value as 5 minutes for session recovery. This value should be the same as or less than the value configured in the S-CSCF. The best value should be chosen by the operator according to their charging and redundancy policy.

Table 5-45: P-CSCF Service Policy Audit

5.15.2 P-CSCF Access Profile Audit


The P-CSCF access profile audit consists of identifying the P-CSCF access profile configuration enabled within a P-CSCF context. Each network type can be assigned a different access profile, which allows different access to the system depending on the network access technology. For example, PCRF interworking can be allowed for the LTE network but disallowed for the EVDO network.

P-CSCF Access Profile Configuration

CLI command: context cscf access-profile name authentication
Analysis: Identifies the authentication method to use for subscribers using this access profile.
Recommendation: It is recommended to enable the strongest algorithm, such as AKAv1, for user authentication.

CLI command: context cscf access-profile name pcrf-policy-control
Analysis: Identifies PCRF policy control for this access profile.
Recommendation: PCRF interworking should be enabled or disabled based on the access network type.

Table 5-46: P-CSCF Access Profile Audit

5.15.3 PCRF Policy Control Configuration


The PCRF policy control audit consists of identifying the PCRF interworking configuration enabled within a context. The specific timers should be checked between the client and server side to make sure the values are in sync during a failure scenario.

PCRF Policy Control Configuration

CLI command: context cscf service proxy-cscf timeout policy-interface
Analysis: Identifies the timeout value for PCRF interworking failure. The P-CSCF looks for the 2nd PCRF (according to the PCRF policy control) if it does not receive a response within 3 seconds, and finally processes the call according to the PCRF policy control if it does not receive a response within 2 seconds.
Recommendation: It is recommended to configure this value as 5 seconds. The best value should be chosen by the operator according to their PCRF policy control.

CLI command: context cscf service proxy-cscf diameter policy-control request-timeout
Analysis: Identifies the Rx Diameter request timeout value. If the P-CSCF does not receive a response within this timer, it times out the session or processes the call according to the PCRF policy control.
Recommendation: It is recommended to configure a 3 second interval after which a Diameter policy control request is considered timed out.

CLI command: context cscf service proxy-cscf pcrf-policy-control signaling-bearer-loss subscription
Analysis: Identifies the subscription to notification of the signalling transmission path status. When this CLI is disabled, the P-CSCF/A-BG will not subscribe to any event during registration with the PCRF and no Diameter session will be established.
Recommendation: It is recommended to enable the subscription, so that the P-CSCF/A-BG sends an AAR to the external PCRF via the Rx interface after UE registration.

CLI command: context cscf service proxy-cscf pcrf-policy-control authorization policy-interworking-failure
Analysis: Identifies the Rx interworking failure policy for the P-CSCF.
Recommendation: It is recommended to set the policy to session-continue, so that the P-CSCF continues the session in case of a failure from the PCRF.

Table 5-47: P-CSCF Service Audit

5.15.4 PROXY-CSCF Audit


The PROXY-CSCF audit consists of identifying the PROXY-CSCF configuration enabled within a P-CSCF context, i.e. where the P-CSCF is enabled within a context.

PROXY-CSCF Service Configuration

CLI command: context cscf service proxy-cscf allow rfc3261-ua-interworking
Analysis: Identifies IMS interworking with RFC 3261 SIP User Agents.
Recommendation: It is recommended to allow IMS interworking with RFC 3261 SIP User Agents.

CLI command: context cscf service proxy-cscf sip-header insert
Analysis: Identifies SIP header insertion for the P-CSCF. The inserted headers indicate to the IMS network the access technology over which the UE is attached to IMS and the private user ID of the user sending any dialogue-creating request or standalone request; they are added to the message towards the next hop.
Recommendation: It is recommended to configure the p-access-network-info and p-cust1-prid-info headers in the received request/response.

CLI command: context cscf service proxy-cscf sip-param insert
Analysis: Identifies the SIP parameter insertion that adds the integrity-protected parameter to the Authorization header of a SIP REGISTER message.
Recommendation: It is recommended to insert the integrity-protected parameter for custom-logic in the Authorization header.

Table 5-48: Proxy CSCF Audit

5.15.5 P-CSCF Policy and Service Policy Rule Configuration Audit


P-CSCF Policy and Service Policy Rule Configuration

CLI command: context cscf policy name service-policy-rules max-cscf-concurrent-sessions
Analysis: Identifies the CSCF policy that configures the maximum number of concurrent sessions allowed per subscriber.
Recommendation: It is recommended to configure 5 concurrent sessions per subscriber, which is the default value. It can be increased for applications that require a higher number of concurrent sessions, or if calls are being rejected because the concurrent call limit is exceeded.

CLI command: context cscf policy name service-policy-rules qos bandwidth uplink peak / qos bandwidth downlink peak
Analysis: Identifies the CSCF policy that configures the QoS bandwidth settings for uplink and downlink when the SDP does not contain bandwidth.
Recommendation: It is recommended to configure the peak bandwidth between 1 and 99999999 kilobits per second, depending on whether the call is voice or video.

Table 5-49: Proxy CSCF Audit

5.16 S-CSCF Audit


The S-CSCF audit consists of identifying the S-CSCF related services configured on the ASR 5000. Best practice guidelines should be checked against the configuration to identify any risk areas that may result from not following such guidelines.

5.16.1 S-CSCF Peer Server Audit


The S-CSCF peer server audit consists of identifying the next hops enabled within an S-CSCF context. This creates a specific peer server group for the next hop, with the monitoring parameters and operation mode of the individual peer servers around the S-CSCF. The configurable types cover all possible nodes around the CSCF, but the most commonly configured peer server type is sip-as.

S-CSCF Peer Server Configuration

CLI command: context cscf peer-servers server monitor-status
Analysis: Identifies the monitoring status parameters.
Recommendation: It is recommended to enable this CLI to monitor the status of peer servers.

CLI command: context cscf peer-servers hunting-method
Analysis: Identifies the method used by the system to connect to peer servers.
Recommendation: It is recommended to use the sequence-on-failure hunting method to connect to peer servers. In this mode servers are used sequentially when a failure occurs: the first peer server is always used, except on failure, when the next peer server in the list is used.

Table 5-50: S-CSCF Peer Server Audit

5.16.2 S-CSCF Translation Audit


The S-CSCF translation audit consists of identifying the translation lists used to modify or replace a Request-URI such as an E.164 number. For example, a translation list can be configured to append digits to the end of a number or to replace a domain name with another. If a Request-URI can be matched by multiple translation lists, the first matching entry applies.

CSCF Translation Configuration

CLI command: context cscf translation uri-readdress
Analysis: Identifies the readdress criteria for URI translations. A number matched as local belongs to a subscriber in this domain, and the I-CSCF needs to query the HSS (LIR/LIA) to find the exact S-CSCF address. A number matched as emergency is an emergency number such as 911, and the P-CSCF needs to route the call to the E-CSCF. A number matched as none is outside this domain and needs to be routed to the MGCF or IBCF according to the CSCF routes table.
Recommendation: It is recommended to use the translation types local, none or emergency according to the call flow and purpose.

CLI command: context cscf translation uri-readdress action
Analysis: Identifies how the action adjusts the target address to route sessions to the appropriate location.
Recommendation: It is recommended to configure the action appropriate to the operator numbering plan for number translation.

Table 5-51: S-CSCF Translation Audit
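
The first-match rule matters most for the emergency type: a catch-all none entry placed ahead of the emergency entry silently sends 911 towards the MGCF/IBCF instead of the E-CSCF, and the misconfiguration is invisible until a real call fails. The following Python model is an added example, not part of this guide and not StarOS code. The translation entries, number patterns, readdress actions (a digit prefix and a domain replacement) and the sample Request-URIs are constructed; the routing target for each type follows the guide's description above. audit_order is the check an auditor can run over an exported translation list with a handful of representative numbers.

```python
import re
from dataclasses import dataclass

# Where each translation type sends the session, per the guide's description.
ROUTE_TARGET = {
    "emergency": "E-CSCF",
    "local": "I-CSCF (LIR/LIA lookup for the serving S-CSCF)",
    "none": "MGCF/IBCF via the CSCF routes table",
}

@dataclass(frozen=True)
class Translation:
    name: str
    pattern: str      # anchored regex over the user part (number) of the Request-URI
    ttype: str        # emergency | local | none, the types named in the guide
    prefix: str = ""  # digits the readdress action prepends (constructed)
    domain: str = ""  # replacement host for the readdress action (constructed)

# Constructed list in the order the guide's call flow implies: emergency first,
# then on-net numbers, then the off-net catch-all.
RECOMMENDED_ORDER = [
    Translation("emergency", r"(911|933)", "emergency"),
    Translation("local-e164", r"\+1555\d{7}", "local", domain="ims.example.net"),
    Translation("local-national", r"555\d{7}", "local", prefix="+1", domain="ims.example.net"),
    Translation("offnet-catchall", r"\+?\d+", "none"),
]
# The same entries with the catch-all moved to the top: a plausible misordering.
MISORDERED = [RECOMMENDED_ORDER[3]] + RECOMMENDED_ORDER[:3]

SAMPLE_URIS = ["tel:911", "tel:5551234567",
               "sip:+15551234567@ims.example.net", "tel:+442071234567"]

def split_uri(uri):
    """Return (scheme, user, host) for a tel: or sip(s): Request-URI; tel has no host."""
    m = re.fullmatch(r"(sips?|tel):([^@;]+)(?:@([^;]+))?(?:;.*)?", uri)
    if not m:
        raise ValueError(f"unsupported Request-URI: {uri}")
    return m.groups()

def matching_entries(uri, translations):
    """All entries whose pattern matches the number, in list order."""
    _, user, _ = split_uri(uri)
    return [t for t in translations if re.fullmatch(t.pattern, user)]

def readdress(uri, translations):
    """Apply the first matching entry (first match wins) and report where it routes."""
    hits = matching_entries(uri, translations)
    if not hits:
        return {"uri": uri, "type": "none", "target": ROUTE_TARGET["none"],
                "entry": None, "shadowed": []}
    t = hits[0]
    scheme, user, host = split_uri(uri)
    user = t.prefix + user
    if t.domain:                      # a domain replacement turns a tel: URI into sip:
        host = t.domain
        scheme = "sip" if scheme == "tel" else scheme
    new_uri = f"{scheme}:{user}" + (f"@{host}" if host else "")
    return {"uri": new_uri, "type": t.ttype, "target": ROUTE_TARGET[t.ttype],
            "entry": t.name, "shadowed": [h.name for h in hits[1:]]}

def audit_order(translations, sample_uris):
    """Flag samples where a 'none' entry wins although a later emergency or local
    entry also matches: that later entry can never take effect for such numbers."""
    problems = []
    for uri in sample_uris:
        hits = matching_entries(uri, translations)
        if hits and hits[0].ttype == "none":
            hidden = [h.name for h in hits[1:] if h.ttype != "none"]
            if hidden:
                problems.append((uri, hits[0].name, hidden))
    return problems

if __name__ == "__main__":
    for label, tl in (("recommended", RECOMMENDED_ORDER), ("misordered", MISORDERED)):
        print(f"--- {label}")
        for uri in SAMPLE_URIS:
            r = readdress(uri, tl)
            print(f"{uri:36} -> {r['type']:9} {r['uri']:36} {r['target']}")
        print("ordering problems:", audit_order(tl, SAMPLE_URIS))
```

The model is deliberately small: it only matches on the user part, so an audit of a production list should add the domain-based entries the guide mentions. The point it demonstrates is independent of that detail: with the catch-all first, every on-net and emergency number is classified as none, and audit_order reports each shadowed entry by name.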

5.16.3 S-CSCF Policy Audit


The S-CSCF policy audit consists of identifying the S-CSCF policy configuration enabled within an S-CSCF context. Each policy rule is configured under an S-CSCF policy group, and this policy group should be assigned under the S-CSCF service.

S-CSCF Policy Configuration

CLI command: context cscf policy name max-cscf-concurrent-sessions
Analysis: Identifies the CSCF policy that configures the maximum number of concurrent sessions allowed per subscriber.
Recommendation: It is recommended to configure 5 concurrent sessions per subscriber, which is the default value. It can be increased for applications that require a higher number of concurrent sessions, or if calls are being rejected because the concurrent call limit is exceeded.

Table 5-52: S-CSCF Policy Audit

5.16.4 S-CSCF IFC Audit


The S-CSCF iFC audit consists of identifying the iFC or shared iFC (SiFC) configuration enabled within a context.

CSCF IFC Configuration

CLI command: context cscf ifc-spt-condition
Analysis: Identifies an Initial Filter Criteria (iFC) Service Point Trigger (SPT) condition for SiFC functionality.
Recommendation: It is recommended to create individual SPT conditions, which are then associated with an SPT group in the iFC SPT Group Configuration Mode.

Table 5-53: S-CSCF IFC Audit

5.16.5 AAA Group Audit


The AAA group audit consists of identifying the information related to the Cx and Rf interfaces within a context. To enable the Cx and Rf interfaces, the Cx and Rf endpoints should be assigned under the AAA group.

5.16.5.1 HSS interworking audit

HSS Interworking Configuration

CLI command: context aaa group diameter authentication request-timeout
Analysis: Identifies how long the system waits for a response from the HSS.
Recommendation: It is recommended to configure a 3 second wait for a response from a Diameter server before re-transmitting the request.

Table 5-54: HSS Interworking Audit

5.16.5.2 CDF interworking audit

CDF Interworking Configuration

CLI command: context aaa group diameter accounting request-timeout
Analysis: Identifies how long the system waits for a response from the CDF.
Recommendation: It is recommended to configure a 3 second wait for a response from a Diameter server before re-transmitting the request.

CLI command: context aaa group diameter accounting hd-mode
Analysis: Identifies whether records are copied to the local HDD if the CDF server is down or unreachable.
Recommendation: It is recommended to enable this CLI, which avoids loss of records when connectivity to the Diameter servers is down or they are unreachable. The CDF then pulls the records that were copied to the local HDD through SFTP.

CLI command: context aaa group diameter accounting hd-storage-policy
Analysis: Identifies the associated HD storage policy.
Recommendation: It is recommended to configure this CLI, which enables the storage of Rf Diameter messages on the HDD in case all CDFs are down or unreachable.

Table 5-55: CDF Interworking Audit

5.16.6 CSCF Service Audit


The CSCF service audit consists of identifying the S-CSCF service within an S-CSCF context. There are two steps to run an S-CSCF within a context: first, configure the CSCF service for the S-CSCF; second, configure serving-cscf under that CSCF service. Most of the CLIs need to be configured for both the P-CSCF and the S-CSCF CSCF services.

5.16.6.1 S-CSCF Service Audit

S-CSCF Service Configuration

CLI command: context cscf service max-sip-msg-size
Analysis: Identifies the maximum SIP message size. The maximum SIP message size should be more than the configured message-max-size.
Recommendation: It is recommended to keep the maximum SIP message size (65535 bytes) so that a UE or AS can send large SIP messages without them being dropped.

CLI command: context cscf service charging
Analysis: Identifies Rf charging for SIP messages in this CSCF service.
Recommendation: It is recommended to enable charging for Session Initiation Protocol (SIP) messages.

CLI command: context cscf service charging exclude
Analysis: Identifies the SIP requests excluded from Rf charging.
Recommendation: It is recommended to exclude SIP requests such as NOTIFY, SUBSCRIBE, UPDATE and REGISTER from Rf charging. The excluded messages should be chosen by the operator depending on their design.

CLI command: context cscf service policy accounting interim-interval
Analysis: Identifies the Interim-Interval value for CSCF accounting sessions. This value is sent in the Acct-Interim-Interval AVP of the ACR message; however, the interim-interval timer is started based on the value in the response message from the CDF.
Recommendation: It is recommended to configure the policy accounting interim interval to 60.

CLI command: context cscf service session-timer
Analysis: Identifies the session expiry for sessions in the S-CSCF. This value should be the same as or greater than the value configured in the P-CSCF.
Recommendation: It is recommended to configure this value as 5 minutes for session recovery. This value should be the same as or greater than the value configured in the P-CSCF. The best value should be chosen by the operator according to their charging and redundancy policy.

CLI command: context cscf service trust-domain-entity
Analysis: Identifies the trusted network nodes around the S-CSCF. This CLI can be entered multiple times to identify multiple trusted network entities.
Recommendation: All IMS nodes around the CSCF should be configured as trust domain entities. If not, some headers will be omitted, as required by the 3GPP standard.

Table 5-56: S-CSCF Service Audit

5.16.6.2 Serving-CSCF Audit

Serving CSCF Configuration

CLI command: context cscf service serving-cscf authentication allow-noauth invite
Analysis: Identifies whether the S-CSCF service allows specific SIP requests to proceed when authentication fails.
Recommendation: It is recommended to configure authentication allow-noauth invite to skip authentication for INVITE requests. The requests should be chosen by the operator depending on their design.

CLI command: context cscf service serving-cscf authentication aka-v1
Analysis: Identifies AKA-V1 as an authentication type of the S-CSCF. The value specifies a preference: the lower the value, the higher the preference.
Recommendation: It is recommended to configure the strongest authentication algorithm, such as AKA-V1, at the higher preference.

CLI command: context cscf service serving-cscf sip-header insert
Analysis: Identifies SIP header insertion for the S-CSCF. The header contains the private user ID of the user sending the REGISTER request and is added to the REGISTER message towards the AS during third-party registration.
Recommendation: It is recommended to enable the custom header p-cust1-prid-info in the SIP REGISTER message.

CLI command: context cscf service serving-cscf sifc
Analysis: Identifies Shared Initial Filter Criteria (SiFC), in which subsets of iFC may be shared by several service profiles. To use this CLI, the HSS must also support this feature.
Recommendation: It is recommended to enable this feature depending on the operator design; it is required to keep the local databases in the S-CSCFs and HSSs consistent.

CLI command: context cscf service serving-cscf registration lifetime
Analysis: Identifies the registration lifetime for all subscribers to the S-CSCF.
Recommendation: It is recommended to keep the default settings for the registration lifetime.

Table 5-57: Serving CSCF Audit

5.16.7 HSS endpoint Audit


The HSS endpoint audit consists of identifying the Diameter endpoint for the HSS interworking configuration enabled within a context. This endpoint should be assigned under the AAA group of the S-CSCF (section 5.16.5). The specific timers should be checked between the client and server side to make sure the values are in sync during a failure scenario.

HSS Endpoint Configuration

CLI command: context diameter endpoint watchdog-timeout
Analysis: Identifies the Tw timer. Check the timer against the peer server.
Recommendation: It is recommended to configure the watchdog timer to 15 seconds to get a response from the destination.

Table 5-58: HSS Endpoint Audit

5.16.8 CDF Endpoint Audit


The CDF endpoint audit consists of identifying the Diameter endpoint for the CDF interworking configuration enabled within a context. This endpoint should be assigned under the AAA group of the S-CSCF (section 5.16.5). The specific timers should be checked between the client and server side to make sure the values are in sync during a failure scenario.

CDF Endpoint Configuration

CLI command: context diameter endpoint watchdog-timeout
Analysis: Identifies the Tw timer. Check the timer against the peer server.
Recommendation: It is recommended to configure the watchdog timer to 15 seconds to get a response from the destination.

Table 5-59: CDF Endpoint Audit


6. OSS Audit
As part of the OSS audit, the external devices that are configured and integrated can be identified simply by looking through the configuration for the portions specific to OSS integration. It is also possible to identify whether WEM and MUR are used in the network. For generic OSS integration, the OSS audit checks whether an SNMP server and an NTP server are configured. At a minimum, these two configurations should be present, so that traps are sent to an external NMS and clocks are synchronized externally for DST and billing.

OSS Configuration

CLI command: snmp target
Analysis: This configuration enables the system to send traps to an NMS for monitoring, such as WEM at a minimum.
Recommendation: It is recommended to configure at least one SNMP target location.

CLI command: snmp trap-timestamps
Analysis: Enables trap timestamps to be sent with the alarms, so that duplicate alarms can be properly identified.
Recommendation: If WEM is configured, it is recommended to enable this timestamp, as WEM uses the timestamp to identify duplicate alarms within its alarm database.

CLI command: ntp
Analysis: This configuration enables the use of NTP servers for time synchronization.
Recommendation: It is recommended to configure at least two NTP servers, with one being the primary.

Table 6-1: OSS Audit

6.1 MUR Audit
The MUR audit checks whether MUR has been configured. This can be determined by looking for the edr-module configuration, which enables the pushing of EDRs from the ASR5000 to the MUR server. However, a customer may be using the push functionality for other purposes, such as billing and mediation, so MUR usage can only be confirmed by also checking the EDR formats configured as part of ECS, covered in the following sections.

MUR Configuration

CLI command: context edr-module reporting file rotation volume
Analysis: Completes the file based on file volume.
Recommendation: The rotation volume is recommended to be larger than 50 MB.

CLI command: context edr-module file rotation time
Analysis: Completes the file based on file duration.
Recommendation: The rotation time is recommended to be larger than 300 seconds.

CLI command: context edr-module file storage-limit
Analysis: Starts deleting files when the specified number of bytes is used for storage.
Recommendation: The storage limit is recommended to be larger than 10 MB.

CLI command: context edr-module cdr remove-file-after-transfer
Analysis: Removes the CDR file from the HDD after it has been transferred.
Recommendation: It is recommended to remove the file after a successful transfer to prevent build-up on the HDD.

CLI command: context edr-module cdr use-harddisk
Analysis: The HDD on the SMC card is used to store EDR/UDR files.
Recommendation: It is recommended to use the hard disk to store the files prior to transferring them.

Table 6-2: MUR Audit

6.2 WEM Audit
The WEM audit checks whether WEM is configured and used by looking for the orbem configuration and the bulkstat configuration for file 1. The gather interval should be noted, as it is most commonly set to 5 or 15. However, some WEM functionality does not work properly with all collection intervals, such as the generation of XML files with a gather interval of 5, or WEM threshold alarms with a gather interval of 15.

WEM Configuration

CLI command: bulkstat historical
Analysis: Enables historical bulkstats, allowing historical counters to be properly populated.
Recommendation: It is recommended to enable this configuration so that historical bulkstats are properly captured in the statistics.

CLI command: bulkstat collection file 1
Analysis: Identifies the file used for sending bulkstats.
Recommendation: It is recommended to use/reserve file 1 for WEM.

CLI command: bulkstat collection file transfer interval
Analysis: Identifies the transfer interval. Together with the gather interval, this determines the size of the bulkstat file when transferred.
Recommendation: It is recommended to set the transfer interval to 60.

CLI command: bulkstat collection file gather interval
Analysis: Identifies the gather interval. Together with the transfer interval, this determines the size of the bulkstat file when transferred.
Recommendation: It is recommended to configure the gather interval as 15.

CLI command: bulkstat collection file header format
Analysis: Identifies the header format; check that the format is in sync with WEM or MUR as required.
Recommendation: It is recommended to fill in the header format if WEM or MUR is enabled, to determine whether the format version is up to date with the software version.

CLI command: bulkstat collection file receiver
Analysis: Identifies the IP address to which the bulkstats are sent.
Recommendation: It is recommended to configure two receiver locations for redundancy.

Table 6-3: WEM Audit


7. ECS Audit
The ECS audit consists of identifying the rules and definitions configured within the active-charging global configuration. It also identifies any additional features that may be used as part of the ECS service, such as content filtering, header enrichment, NAT and firewall features. Each ECS feature in use should be checked against the system licenses. The following table details the commonly configured CLI commands within the active-charging service.

ECS Configuration
(columns: CLI command / Analysis / Recommendation)

CLI command: active-charging service p2p-detection protocol
Analysis: Enables P2P detection on the system.
Recommendation: If the P2P license is present, it is recommended to enable P2P detection to identify P2P traffic within the system.

CLI command: active-charging service p2p-dynamic-rules protocol
Analysis: Enables the P2P protocols on the system.
Recommendation: If the P2P license is present, it is recommended to enable all P2P protocols for pre-R14 releases.

CLI command: active-charging service ruledef
Analysis: Configures a ruledef to do shallow packet or deep packet inspection.
Recommendation: It is recommended to avoid using "contains" type rules as a standalone configuration unless absolutely necessary, as they are easily prone to spoofing or misconfiguration.

CLI command: active-charging service ruledef multi-line-or all-lines
Analysis: Configures a ruledef to match by any combination of matching criteria.
Recommendation: It is recommended to configure this command only if there is a long list of URL names to match (e.g. www.google.com). Otherwise, there is a high risk of this rule matching unwarranted traffic.

CLI command: active-charging service ruledef rule-application routing
Analysis: Configures a ruledef that will be used as a routing rule to match traffic types.
Recommendation: It is recommended to remove rules that are no longer used or are misconfigured to optimize the configuration.

CLI command: active-charging service ruledef rule-application post-processing
Analysis: Specifies that the current ruledef is for post-processing purposes. This enables processing of packets even if rule matching for them has been disabled.
Recommendation: This is recommended for handling packets for address redirection (refer to flow action readdress server), so that the packet is processed after the flow is complete and the ruledef is charged properly.

CLI command: active-charging service group-of-ruledefs
Analysis: Configures a group-of-ruledefs, which consists of a group of ruledefs with the same charging characteristic.
Recommendation: It is recommended to remove rules that are no longer used or are misconfigured to optimize the configuration. A group-of-ruledefs should also consist of 10 or more ruledefs; otherwise it is better optimized to have them as separate rules.

CLI command: active-charging service charging-action
Analysis: A charging-action determines the action to be taken when a ruledef is hit.
Recommendation: It is recommended to remove charging-actions that are no longer used or are misconfigured to optimize the configuration.

CLI command: active-charging service charging-action flow action readdress server
Analysis: Alters the destination address and port number in TCP or UDP packet headers to redirect packets to a different server.
Recommendation: If the flow control-handshaking CLI is enabled within the rulebase to delay charging of the control packets, post-processing ruledefs must be used to readdress the control packets for TCP traffic (not needed for UDP/ICMP).

CLI command: active-charging service charging-action cca charging credit rating-group content-id
Analysis: The CCA charging credit enables the subscriber session to talk to the OCS for quota.
Recommendation: It is recommended not to configure rating-group as part of the cca charging credit if the rating-group is identical to the content-id.

CLI command: active-charging service rulebase
Analysis: A rulebase is a collection of charging rules and actions that is applied to a subscriber.
Recommendation: It is recommended to remove rulebases that are identical to other rulebases.

CLI command: active-charging service rulebase action priority
Analysis: The action priority is a priority list for the order in which rules are processed and matched against.
Recommendation: It is recommended to configure action priorities at least 35 numbers apart from one another. Every ruledef referenced by an action priority should be defined in the configuration.

CLI command: active-charging service rulebase route priority
Analysis: The route priority is a priority list for the order in which routing rules are processed and matched against.
Recommendation: It is recommended to configure your ruledef with rule-application routing to match the route priority configuration within the rulebase.

CLI command: active-charging service rulebase post-processing priority
Analysis: The post-processing priority is a priority list for the order in which rules are processed once the traffic flow is complete.
Recommendation: It is recommended to configure your ruledef with rule-application post-processing to match the post-processing priority configuration within the rulebase.

CLI command: active-charging service rulebase rtp dynamic-flow-detection
Analysis: Enables or disables the Real Time Streaming Protocol (RTSP) and Session Description Protocol (SDP) analyzers to detect the start/stop of RTP and RTCP flows.
Recommendation: It is recommended to enable this feature if RTP detection is required within the network, as seen in the RTP-related routing rules.

CLI command: active-charging service rulebase edr suppress-zero-byte-records
Analysis: Suppresses generation of an EDR when the flow carried 0 bytes.
Recommendation: It is recommended to enable this CLI to prevent unnecessary generation of EDRs.

CLI command: active-charging service rulebase edr transaction-complete
Analysis: Enables an EDR to be generated upon the completion of a transaction.
Recommendation: It is recommended to enable this CLI to prevent unnecessary generation of EDRs.

CLI command: active-charging service rulebase flow end-condition normal-end-signaling
Analysis: Creates an EDR in the specified EDR format whenever flow end is signaled normally (for example, a FIN and ACK for a TCP flow, or a WSP-DISCONNECT terminating a connection-oriented WSP flow over UDP).
Recommendation: It is recommended to enable this CLI to generate EDRs during normal flow conditions.

CLI command: active-charging service rulebase p2p dynamic-flow-detection
Analysis: Identifies whether P2P detection is enabled on the rulebase.
Recommendation: It is recommended to enable this within the rulebase if p2p-detection is enabled on the system.

CLI command: active-charging service rulebase billing egcdr
Analysis: Enables eGCDR billing records.
Recommendation: It is mandatory to enable eGCDR by configuring it at both the rulebase level and the charging-action level.

Table 7-1: ECS Audit
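As an added illustration (not part of the guide and not Cisco code), the following Python script parses a constructed StarOS-style active-charging configuration and flags the conditions the table above recommends against: standalone "contains" ruledefs, groups with fewer than 10 ruledefs, duplicate rulebases, action priorities closer than 35 numbers apart, action priorities that reference a ruledef that is not defined, and ruledefs that are defined but never referenced. The configuration text, the object names, and the assumption that every named block ends at the next "#exit" line are constructed for this example.

```python
import re

# Constructed StarOS-style active-charging configuration (not from the guide or
# from any real node); it deliberately contains the conditions the ECS audit flags.
SAMPLE_CONFIG = """
active-charging service ECS
  ruledef http-all
    tcp either-port = 80
  #exit
  ruledef contains-any
    http url contains ads
  #exit
  ruledef unused-rule
    tcp either-port = 8080
  #exit
  group-of-ruledefs small-group
    add-ruledef priority 1 ruledef http-all
    add-ruledef priority 2 ruledef contains-any
  #exit
  rulebase rb-lte
    action priority 10 ruledef http-all charging-action ca-default
    action priority 20 ruledef missing-rule charging-action ca-default
  #exit
  rulebase rb-3g
    action priority 10 ruledef http-all charging-action ca-default
    action priority 20 ruledef missing-rule charging-action ca-default
  #exit
#exit
"""

MIN_PRIORITY_GAP = 35   # guide: action priorities at least 35 numbers apart
MIN_GROUP_SIZE = 10     # guide: a group-of-ruledefs should hold 10 or more ruledefs
KINDS = ("ruledef", "group-of-ruledefs", "charging-action", "rulebase")


def parse_ecs(config):
    """Collect the body lines of each named block ('<kind> <name>' ... '#exit')."""
    objects = {kind: {} for kind in KINDS}
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"(%s) (\S+)$" % "|".join(KINDS), line)
        if m:
            kind, name = m.groups()
            objects[kind][name] = []
        elif line == "#exit":
            kind = name = None
        elif kind and line:
            objects[kind][name].append(line)
    return objects


def audit_ecs(config):
    """Return human-readable findings for the ECS table's checks."""
    objects = parse_ecs(config)
    ruledefs = objects["ruledef"]
    findings, referenced, seen = [], set(), {}

    # Standalone 'contains' rules are easy to spoof or misconfigure.
    for name, lines in ruledefs.items():
        if len(lines) == 1 and " contains " in lines[0]:
            findings.append(f"ruledef {name}: standalone 'contains' rule")

    # Small groups are better expressed as separate rules.
    for name, lines in objects["group-of-ruledefs"].items():
        members = [l.split()[-1] for l in lines if l.startswith("add-ruledef ")]
        referenced.update(members)
        if len(members) < MIN_GROUP_SIZE:
            findings.append(f"group-of-ruledefs {name}: only {len(members)} ruledefs")

    for name, lines in objects["rulebase"].items():
        # Rulebases whose bodies are identical are redundant.
        body = tuple(lines)
        if body in seen:
            findings.append(f"rulebase {name}: identical to rulebase {seen[body]}")
        seen.setdefault(body, name)
        prios = []
        for l in lines:
            m = re.match(r"action priority (\d+) ruledef (\S+)", l)
            if not m:
                continue
            prio, rd = int(m.group(1)), m.group(2)
            prios.append(prio)
            referenced.add(rd)
            if rd not in ruledefs:  # every referenced ruledef must be defined
                findings.append(f"rulebase {name}: priority {prio} references undefined ruledef {rd}")
        # Neighbouring action priorities should leave room for later insertions.
        prios.sort()
        for a, b in zip(prios, prios[1:]):
            if b - a < MIN_PRIORITY_GAP:
                findings.append(f"rulebase {name}: priorities {a} and {b} are only {b - a} apart")

    for name in ruledefs:
        if name not in referenced:
            findings.append(f"ruledef {name}: defined but never referenced")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_ecs(SAMPLE_CONFIG)))
```

Run against the sample, the script reports eight findings; feeding it the output of "show configuration" from a real node would require only that the block delimiters match the parser's assumption.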
Sample Report

Sample Recommendation:
(columns: Functional Area / CLI / Rating / Timeline / Findings and Recommendations; the Rating column values were not preserved in this copy)

Functional Area: System / Platform Analysis

CLI: require diameter-proxy single
Timeline: Medium Term
Findings and Recommendations: It is recommended to configure diameter-proxy multiple to prevent the scenario where a fault with the single proxy affects all your calls.

CLI: user timeout
Timeline: Low Term
Findings and Recommendations: It is recommended to configure user timeout parameters to manage all the users (~200+), to avoid the scenario where subscribers are consuming SMC resources when not logging out properly.

CLI: banner motd
Timeline: Low Term
Findings and Recommendations: It is recommended to configure a banner motd to notify the user of the system requirements and guidelines before access.

CLI: timestamps
Timeline: Medium Term
Findings and Recommendations: It is recommended to enable timestamps so that logging in a window carries the appropriate timestamps required for troubleshooting.

CLI: autoconfirm
Timeline: Medium Term
Findings and Recommendations: It is recommended to remove this CLI command to prevent accidental removal/inclusion of configuration.

CLI: clock timezone
Timeline: Medium Term
Findings and Recommendations: Clock timezone is left at its default, which is the Eastern (GMT-5) timezone. It is recommended to configure the proper clock timezone with local time to avoid mismatches in accounting records and for user traceability purposes.

Functional Area: Services Analysis, MME Service

CLI: pgw-address
Timeline: Low Term
Findings and Recommendations: It is recommended to use DNS PGW selection to avoid a scenario where an unresponsive DNS causes the MME to send all calls to a SAE GW, potentially causing a capacity issue.

CLI: policy attach set-ue-time enable
Timeline: Low Term
Findings and Recommendations: It is recommended to disable this CLI in order to prefer the usage of the MSC to set the network time for a UE, as the MSC uses bits timing, which is considered more accurate.

CLI: emm t3412-timeout 3600 / emm mobile-reachable-timeout 9000
Timeline: Medium Term
Findings and Recommendations: As per specification, it is recommended to configure the mobile-reachable-timeout to be 4 minutes after the t3412 timeout.

CLI: emm implicit-detach-timeout 9000
Timeline: Medium Term
Findings and Recommendations: It is recommended to configure the implicit-detach-timeout to be equal to the mobile-reachable-timeout. However, this recommendation is for Rel 12.2, when ISR was not supported. ISR is planned to be supported in R14.

CLI: gtpc max-retransmissions 0
Timeline: Medium Term
Findings and Recommendations: It is recommended to enable GTPC max retransmissions to allow the MME the best chance to reach its preferred SAE GW.

Functional Area: Services Analysis, SAEGW Service

CLI: ip pool public
Timeline: Low Term
Findings and Recommendations: It is recommended to configure IP pools as private. The pool will be used by subscribers connecting to an APN that have requested an IP address from a specified pool.

CLI: ip source-violation check 0
Timeline: Medium Term
Findings and Recommendations: It is recommended to use ignore or check to improve the end-user experience, while also avoiding a scenario where a subscriber is constantly and unknowingly trying to send traffic through the network, using network resources while having the traffic dropped.

CLI: timeout idle
Timeline: Medium Term
Findings and Recommendations: It is recommended to disable the timeout idle parameter for LTE and LTE+3G APNs, because always-on devices immediately reconnect to the network upon idle timeout, which increases signalling within the network.

Functional Area: Services Analysis, ECS Service

CLI: diameter pending-timeout
Timeline: Low Term
Findings and Recommendations: It is recommended to reduce the timeout from 10 seconds to 3 seconds to better optimize the CCFH condition to take action. If there is no response in 3 seconds, waiting an additional 7 seconds only further delays the user setup time and experience rather than helping it.
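As an added example (not part of the guide and not Cisco code), the following Python script turns the MME and SAEGW checks of the sample report above into an automated pass over a constructed configuration fragment. It reports the single Diameter proxy, the set-ue-time policy, a mobile-reachable-timeout that is not t3412 plus 4 minutes, an implicit-detach-timeout that differs from the mobile-reachable-timeout, GTP-C retransmissions set to 0, "ip source-violation check 0", an idle timeout on an APN, and a public IP pool, each tagged with the timeline the report assigns. The service, APN and pool names, the "ip pool" line format, and the fragment itself are invented for the example.

```python
import re

# Constructed StarOS-style configuration fragment (not from the guide or from any
# real node); the object names are invented and the fragment deliberately
# reproduces the conditions flagged in the sample report above.
SAMPLE_CONFIG = """
require diameter-proxy single
context ingress
  mme-service mme1
    policy attach set-ue-time enable
    emm t3412-timeout 3600
    emm mobile-reachable-timeout 9000
    emm implicit-detach-timeout 10800
    gtpc max-retransmissions 0
  #exit
  apn internet.lte
    ip source-violation check 0
    timeout idle 1800
  #exit
  ip pool pool-lte 192.0.2.0 255.255.255.0 public
#exit
"""

REACHABLE_AFTER_T3412 = 4 * 60   # guide: mobile-reachable-timeout = t3412 + 4 minutes


def audit_services(config):
    """Return (timeline, cli, finding) tuples mirroring the sample report's columns."""
    findings, timers, scope = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"(mme-service|apn) (\S+)$", line)
        if m:
            scope = f"{m.group(1)} {m.group(2)}"
        elif line == "#exit":
            scope = None
        elif line == "require diameter-proxy single":
            findings.append(("Medium Term", line,
                             "a single Diameter proxy is a single point of failure; use 'require diameter-proxy multiple'"))
        elif line == "policy attach set-ue-time enable" and scope:
            findings.append(("Low Term", f"{scope}: {line}",
                             "disable so that the MSC, whose timing is more accurate, sets the UE time"))
        elif line.startswith("emm ") and scope:
            # Remember the EMM timers per mme-service; they are compared below.
            _, timer, value = line.split()
            timers.setdefault(scope, {})[timer] = int(value)
        elif line == "gtpc max-retransmissions 0" and scope:
            findings.append(("Medium Term", f"{scope}: {line}",
                             "enable GTP-C retransmissions so the MME can reach its preferred SAE-GW"))
        elif line == "ip source-violation check 0" and scope:
            findings.append(("Medium Term", f"{scope}: {line}",
                             "use ignore or check so a subscriber does not keep sending traffic that is dropped"))
        elif line.startswith("timeout idle") and scope and scope.startswith("apn "):
            findings.append(("Medium Term", f"{scope}: {line}",
                             "disable idle timeout on LTE APNs; always-on devices reconnect immediately"))
        elif line.startswith("ip pool ") and line.endswith(" public"):
            findings.append(("Low Term", line, "configure the IP pool as private"))

    for scope, t in timers.items():
        t3412, reachable, detach = (t.get(k) for k in
                                    ("t3412-timeout", "mobile-reachable-timeout", "implicit-detach-timeout"))
        if None not in (t3412, reachable) and reachable != t3412 + REACHABLE_AFTER_T3412:
            findings.append(("Medium Term", f"{scope}: emm mobile-reachable-timeout {reachable}",
                             f"set to t3412 + 4 minutes = {t3412 + REACHABLE_AFTER_T3412} seconds"))
        if None not in (reachable, detach) and detach != reachable:
            findings.append(("Medium Term", f"{scope}: emm implicit-detach-timeout {detach}",
                             f"set equal to mobile-reachable-timeout ({reachable} seconds)"))
    return findings


if __name__ == "__main__":
    for timeline, cli, text in audit_services(SAMPLE_CONFIG):
        print(f"[{timeline}] {cli}: {text}")
```

The timer checks are deliberately done after the whole fragment is read, because the three EMM timers are configured on separate lines and the recommendation is about the relationship between them rather than any one value.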

Note: This analysis is based solely on analyzing the ASR5000 configuration and statistics as per best-practice guidelines for LTE networks.

Sample Analysis:

Current CLI: require diameter-proxy single
Rating:
CLI Description: This command enables or disables Diameter Proxy mode.
Node Name: ABBRLW - MME1, MME2; BCGLMR - MME1, MME2; ONHOOD - MME1, MME2; PQPTFD - MME1, MME2; ONHOOD - PSGW1, PSGW2; ABBRLW - PSGW1, PSGW2; BCGLMR - PSGW1, PSGW2; PQPTFD - PSGW1, PSGW2
Global Configuration or Context Location: Global

Analysis: Based on the configuration of all the MME and SAEGW nodes, require diameter-proxy single has been enabled to create a single proxy sessmgr to handle all DIAMETER-related messages between the nodes and the DIAMETER servers. Although this configuration simplifies creating a server-client CER/CEA peering relationship, the single proxy may cause a scenario where a bug or a fault found in any call on that facility affects all calls handled by that single proxy.

Recommendation: To prevent having a single point of access for all DIAMETER-related calls, it is recommended to enable require diameter-proxy multiple to create multiple proxies. In this scenario, when a single proxy fails, it does not affect all DIAMETER-related subscribers on your node. With proxy multiple, care must be taken to configure additional peers based on the number of PSC cards on the server.
Appendix A Engineering Limitations
Platform Limitations
(columns: Platform Limit, Max Number of / R12.0 Limit / R14.0 Limit)
Number of Contexts: R12.0 63; R14.0 63
Number of Routes per Context: R12.0 2000 IPv4 + 32 IPv6; R14.0 2000 IPv4 + 32 IPv6

GGSN Limitations
(columns: GGSN Limit, Max Number of / R12.0 Limit / R14.0 Limit)
Number of APNs: R12.0 1024; R14.0 1024
DCCA clients: R12.0 12; R14.0 12

SGSN Limitations for R12.0
(columns: SGSN Limit, Max Number of / R12.0 Limit / R14.0 Limit)
Signaling Links per SS7 Linkset: R12.0 16; R14.0 16
Maximum SS7 Linksets: R12.0 144; R14.0 144
Maximum NSEI supported: R12.0 512; R14.0 2048
Maximum NSVCI supported: R12.0 8192; R14.0 TBD
Maximum packets buffered during RAU: R12.0 300; R14.0 300
Maximum logical RNCs: R12.0 512; R14.0 144 directly connected and 1024 indirectly connected

ECS System Limitations
(columns: ECS Limit, Max Number of / R12.0 Limit / R14.0 Limit)
Number of Ruledefs: R12.0 2048 ruledefs per chassis, up to 1024 actions per ruledef; R14.0 2048 ruledefs per chassis

MME Service Limitations for R14.0
(columns: MME Limit, Max Number of / Limit)
Services: 256 services per system

S-GW Service Limitations for R14.0
(columns: S-GW Limit, Max Number of / Limit)
Local subscribers: 2,048 local subscribers per context
Services: 256 services per system

P-GW Service Limitations for R14.0
(columns: P-GW Limit, Max Number of / Limit)
Assignment tables: 8 P-GW assignment tables per context and per chassis
Services: 256 services per system

CSCF Limitations for R12.0
(columns: CSCF Limit, Max Number of / Limit)
Number of URI re-addresses: 1000
Number of routes: 1000
Number of IP localhosts: 1024
Number of SIP peer servers: 1000
Number of ifc spt groups: 128
Number of ifc spt conditions: 128
Number of ifc trigger points: 128
Number of ifc filter criteria: 1000
Number of trusted domain entities: 50