Configuring GTP Handover Group

A GPRS tunneling protocol (GTP) handover group is a set of SGSNs or serving gateways (SGWs) with a common address-book library.

GTP Handover Group Overview

A GPRS tunneling protocol (GTP) handover group is a set of SGSNs or serving gateways (SGWs) with a common address-book library. An administrator can configure a GTP profile and associate a GTP handover group with the GTP profile. When a GTP handover group name is referenced by a GTP profile, the device checks whether the current SGSN/SGW address and the proposed SGSN/SGW address are both contained within the same GTP handover group. If both SGSN/SGW addresses are contained within the same GTP handover group, then the handover is allowed. If both the current and proposed SGSN/SGW addresses are not within the same GTP handover group, then the profile for the default handover group is used.

GTP handover across different GTP handover groups is not allowed.

You can configure the handover group using the set security gprs gtp profile profile-name handover-group command. If no handover group is defined in the GTP profile and traffic reaches the policy configured with this profile, handover between all GTPs matching this policy is permitted by default. Handover is denied if the set security gprs gtp handover-default deny command is configured.

Figure 1: GTP Handover Group

For example, the user equipment accesses the Internet through the GTP tunnels built over the SGSN and the gateway GPRS support node (GGSN). The SGSN builds GTP tunnels to the GGSN to transfer the user equipment data, which attaches to the SGSN. In a home-routed roaming architecture, a roaming user equipment device roams back to the GGSN of a home PLMN (HPLMN) through a visited SGSN (VSGSN) of a visited PLMN (VPLMN). If the original SGSN and SGSN target 1, as shown in Figure 1, belong to the same handover group (HG-1), then handover occurs. If the original SGSN seeks to hand over to SGSN target 2, which is in a different handover group (HG-2), then handover is denied.
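The defaults described above (a profile with no handover group permits handover between all GTPs unless handover-default deny is set) can be checked against a configuration export. The following Python audit is an added example, not Juniper code; the profile and group names in the sample are constructed, and only the statements named on this page are parsed.

```python
import re

# Constructed sample of "set"-format configuration lines. Profile and group
# names are made up; the statements themselves are the ones named on this page.
SAMPLE_CONFIG = """\
set security gprs gtp profile roaming-a handover-group hg-1
set security gprs gtp profile roaming-a handover-on-roaming-intf
set security gprs gtp profile roaming-b handover-on-roaming-intf
"""

PROFILE_RE = re.compile(r"^set security gprs gtp profile (\S+)(?: (.*))?$")
DEFAULT_DENY = "set security gprs gtp handover-default deny"


def audit_handover(config_text):
    """Return {profile: (status, groups)} for every GTP profile found."""
    profiles = {}          # profile name -> handover groups it references
    default_deny = False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())      # normalise whitespace
        if line == DEFAULT_DENY:
            default_deny = True
            continue
        m = PROFILE_RE.match(line)
        if not m:
            continue
        groups = profiles.setdefault(m.group(1), [])
        words = (m.group(2) or "").split()
        if len(words) == 2 and words[0] == "handover-group":
            groups.append(words[1])
    report = {}
    for name, groups in profiles.items():
        if groups:
            status = "restricted-to-groups"          # group membership applies
        elif default_deny:
            status = "denied-by-default"             # handover-default deny set
        else:
            status = "permitted-between-all-peers"   # the permissive default
        report[name] = (status, sorted(groups))
    return report


if __name__ == "__main__":
    for name, (status, groups) in audit_handover(SAMPLE_CONFIG).items():
        print(f"{name}: {status} {groups}")
    hardened = SAMPLE_CONFIG + DEFAULT_DENY + "\n"
    print("roaming-b after hardening:", audit_handover(hardened)["roaming-b"][0])
```

Profiles reported as permitted-between-all-peers are the ones to review: they need either a handover group or the global handover-default deny statement.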

Understanding GTP Handover Messages

Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, support for GTP handover messages is provided. During handover procedures, Serving GPRS Support Node (SGSN) context messages (request, response, and acknowledge) or forward relocation messages are sent between the new and the old mobility management entity (MME) and SGSN. For GPRS tunneling protocol (GTP) version 2, the messages should be context messages or forward relocation messages. For simplicity, these types of messages are uniformly referred to as handover messages. The packet data protocol (PDP) context information is acquired from these messages. The PDP context is set up on the SRX Series Firewall when these messages are received, and subsequent GTP messages can then be inspected normally according to the new PDP context.

Use the set security gprs gtp profile <profile-name> handover-on-roaming-intf command to enable PDP context setup by handover messages. Use the delete security gprs gtp profile <profile-name> handover-on-roaming-intf command to disable PDP context setup by handover messages.

The addresses and tunnel endpoint identifiers (TEIDs) for forwarding data traffic are also acquired from handover messages. In addition, the forward tunnel can be set up on SRX Series Firewalls for stateful checking of forwarded GPRS tunneling protocol, user plane (GTP-U) traffic.

Handover between different GTP versions is supported.

Key features of GTP handover are:

  • Support for GTP inter-MME/SGSN handover messages for GTPv0, v1, and v2

  • Inter-MME/SGSN handover messages inspection

  • GTP PDP context and forwarding tunnel setup according to the information in handover messages

  • GTP-U inspection for forwarding data traffic

  • Support for PDP context update by updating and modifying messages with different versions

  • System log and counter for handover messages

Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, the Serving GPRS Support Node (SGSN) and a Gateway GPRS Support Node (GGSN) of the GTPv1 or GTPv2 nodes cannot communicate with the GTPv0 node. If a device sends a GTPv1 or GTPv2 message to update the tunnels created by GTPv0, these messages are dropped and the GTPv0 tunnel will not be updated.

Example: Configuring Handover Groups

This example shows how to configure GTP handover groups on GTP profiles.

Requirements

Before you begin, you need an SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, or SRX5800 device or a vSRX Virtual Firewall instance and user equipment that needs to connect to the Internet. You will also need a 3G or 4G mobile core network and a home and visited network.

Overview

A user equipment accesses the Internet through SGSN or Serving Gateway (SGW) and GGSN or packet data network gateway (PGW) in a 3G or 4G core network. The SGSN/SGW builds GTP tunnels to the GGSN/PGW to transfer the user equipment data, which attaches to the SGSN/SGW. In a home-routed roaming architecture, a roaming user equipment roams back to its GGSN of home PLMN (HPLMN) through a visited SGSN (VSGSN) of a visited PLMN (VPLMN). If the user equipment device moves out of the coverage area of the visited SGSN/SGW, it is handed over to another visited SGSN/SGW.

In this example (see Figure 2), X-mobile is the home PLMN, and Y-mobile and Z-mobile are the visited PLMNs. You can configure GTP handover groups for X-mobile and perform the handover within the same handover group.

Figure 2: Handover Group Configuration

Configuration

Procedure

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration mode in the Junos OS CLI User Guide.

To configure a GTP handover group in a GTP profile:

  1. Specify the addresses in the address book.

  2. Specify the handover group.

  3. Configure the handover groups on the GTP profile.

  4. Configure security zones for the GTP profile.

  5. Define security policies for the GTP profile.

Results

From configuration mode, confirm your configuration by entering the show security gprs gtp profile, show security address-book, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly. The show security gprs gtp command displays all the handover groups configured for the GTP profile Scenario-1.

Release History Table

| Release | Description |
|---|---|
| 15.1X49-D70 | Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, the Serving GPRS Support Node (SGSN) and a Gateway GPRS Support Node (GGSN) of the GTPv1 or GTPv2 nodes cannot communicate with the GTPv0 node. |
| 15.1X49-D40 | Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, support for GTP handover messages is provided. |