GTP Inspection
GTP does not include any inherent security or encryption of user data; using GTP inspection on the FWSM helps protect your network against the resulting risks.
The SGSN is logically connected to a GGSN using GTP. GTP allows multiprotocol packets to be
tunneled through the GPRS backbone between GSNs. GTP provides a tunnel control and management
protocol that allows the SGSN to provide GPRS network access for a mobile station by creating,
modifying and deleting tunnels. GTP uses a tunneling mechanism to provide a service for carrying user
data packets.
Note: When using GTP with failover, if a GTP connection is established and the active unit fails before data is transmitted over the tunnel, the GTP data connection (with a "j" flag set) is not replicated to the standby unit. This occurs because the active unit does not replicate embryonic connections to the standby unit.
The GGSN load balancing feature allows any GSN belonging to a GSN pool to respond to an SGSN
request to achieve load balancing on the GGSNs.
GTP Maps and Commands
You can enforce additional inspection parameters on GTP traffic. The gtp-map command lets you
specify a set of such parameters. When you enable GTP inspection with the inspect gtp command, you
have the option of specifying a GTP map.
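Worked example added here (not from the configuration guide): a GTP map that overrides several of the default map values and is attached with inspect gtp through a policy map. The map, class-map and policy-map names, the APN, the MCC/MNC pair and the interface name are assumed placeholders, and the exact argument form of each gtp-map command is taken from the FWSM command reference rather than from this page, so confirm it for your release.

```text
! Added example, not from the guide. Names, APN, MCC/MNC and interface are placeholders.
gtp-map GTP-STRICT
 description Restrict GTP to the expected PLMN and protocol version
 ! Only GTPv1 is expected on this backbone, so GTPv0 messages are dropped
 drop version 0
 ! Tunnels to an APN that must never be reached through this path are dropped
 drop apn blocked-apn.example
 ! Only the home PLMN is accepted (placeholder codes; mcc is zero-padded to three digits)
 mcc 310 mnc 410
 ! Bound the message size so malformed or oversized signaling is rejected
 message-length min 1 max 1460
 ! Lower the default tunnel-limit (500) and request-queue (200) to fit expected load
 tunnel-limit 250
 request-queue 100
 ! Age out idle PDP contexts and unanswered requests sooner than the defaults
 timeout pdp-context 0:10:00
 timeout request 0:00:30
 ! permit errors is deliberately omitted: packets with protocol errors stay dropped
!
! Attach the map: classify GTP on its default inspection ports and inspect with the map
class-map GTP-TRAFFIC
 match default-inspection-traffic
policy-map GTP-POLICY
 class GTP-TRAFFIC
  inspect gtp GTP-STRICT
service-policy GTP-POLICY interface outside
```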
If you do not specify a map with the inspect gtp command, the FWSM uses the default GTP map, which
is preconfigured with the following default values:
• request-queue 200
• timeout gsn 0:30:00
• timeout pdp-context 0:30:00
• timeout request 0:01:00
• timeout signaling 0:30:00
• timeout tunnel 0:01:00
• tunnel-limit 500
Table 22-4 summarizes the commands that you use to configure GTP inspection parameters. These commands are available in GTP map configuration mode. For the detailed syntax of each command, see the applicable command page in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.

Table 22-4 GTP Map Configuration Commands

Command          Description
description      Specifies the GTP configuration map description.
drop             Specifies the message ID, APN, or GTP version to drop.
mcc              Specifies the three-digit Mobile Country Code (000 - 999). One-digit or two-digit entries will be prefixed with 0s.
message-length   Specifies the message length min and max.
permit errors    Permits packets with errors or different GTP versions.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
Chapter 22 Applying Application Layer Protocol Inspection
22-36 OL-20748-01