Cisco Cisco Packet Data Gateway (PDG) Documentation Roadmaps
Packet Data Interworking Function Overview
Features and Functionality - Licensed Enhanced Feature Support ▀
Cisco ASR 5000 Series Product Overview ▄
OL-22938-01
The IPSec controller does not send an IPSec manager death notification to any subsystem. This allows the daughter card
to continue to receive and decrypt IPSec tunnel data. It also allows both the session manager and daughter card to
continue carrying subscriber traffic using NPU flows and IPSec SAs to transmit the data.
to continue to receive and decrypt IPSec tunnel data. It also allows both the session manager and daughter card to
continue carrying subscriber traffic using NPU flows and IPSec SAs to transmit the data.
A session manager is created on a PSC and a corresponding AAA manager is created on a different PSC but is created
with the same instance number. A session manager saves (check-points) its Call Recovery Record (CRR) on the AAA
manager with an instance ID the same as its own. This pairs up the session manager and the AAA manager and at the
same time guarantees session recovery in the event of a single PSC failure.
with the same instance number. A session manager saves (check-points) its Call Recovery Record (CRR) on the AAA
manager with an instance ID the same as its own. This pairs up the session manager and the AAA manager and at the
same time guarantees session recovery in the event of a single PSC failure.
IPSec manager is also created on a PSC. When a PDIF call request arrives, the IPSec manager picks a session manager
for this particular call using a demux library on the same PSC. This means the IPSec manager is associated with the
session managers on the PSC.
for this particular call using a demux library on the same PSC. This means the IPSec manager is associated with the
session managers on the PSC.
The session subsystem continues to use the AAA manager as its storage system for the PDIF because AAA needs to
provide other subscriber-related information to the session manager. Now that the session manager and the IPSec
manager are paired on the same PSC, the IPSec manager is assured of data recovery in case of PSC failure. This is
because the session manager saves its data on the AAA manager on a backup PSC.
provide other subscriber-related information to the session manager. Now that the session manager and the IPSec
manager are paired on the same PSC, the IPSec manager is assured of data recovery in case of PSC failure. This is
because the session manager saves its data on the AAA manager on a backup PSC.
Important:
For more information, refer to the PDIF Session Recovery chapter in the System Enhanced Features
Configuration Guide.
Intelligent Packet Monitoring System (IPMS)
The IPMS provides a control-packet capture, database, and query facility. It provides the functions to assist operators to
analyze and investigate call-related events at a later time.
analyze and investigate call-related events at a later time.
Important:
IPMS is described in the IPMS System Administration Guide.
Multiple Traffic Selectors
The PDIF can be configured with multiple IPSec traffic classes, each containing up to 128 traffic selectors, which are
used during traffic selector negotiation with UEs. Multiple traffic selectors allow the PDIF to direct outbound traffic to
selected IP addresses based on the following protocols: IP, TCP, UDP, and ICMP. The PDIF can also direct TCP and
UDP traffic to selected IP addresses and port ranges.
used during traffic selector negotiation with UEs. Multiple traffic selectors allow the PDIF to direct outbound traffic to
selected IP addresses based on the following protocols: IP, TCP, UDP, and ICMP. The PDIF can also direct TCP and
UDP traffic to selected IP addresses and port ranges.
Important:
In this software release, the PDIF supports IPv4 traffic selectors only.
Per RFC 4306, when a packet arrives at an IPSec subsystem and matches a 'protect' selector in its Security Policy
Database (SPD), the subsystem must protect the packet via IPSec tunneling. Traffic selectors enable an IPSec subsystem
to accomplish this by allowing two endpoints to share information from their SPDs. Traffic selectors can be used to
assure that both endpoint SPDs are consistent and can aid in the dynamic update of an SPD. Traffic selector payloads
contain the selection criteria for packets being sent over IPSec security associations (SAs).
Database (SPD), the subsystem must protect the packet via IPSec tunneling. Traffic selectors enable an IPSec subsystem
to accomplish this by allowing two endpoints to share information from their SPDs. Traffic selectors can be used to
assure that both endpoint SPDs are consistent and can aid in the dynamic update of an SPD. Traffic selector payloads
contain the selection criteria for packets being sent over IPSec security associations (SAs).
During traffic selector negotiation, each endpoint sends two traffic selector payloads in the messages exchanged during
the creation of an IPSec SA. The first traffic selector payload is known as the TSi (Traffic Selector-initiator) and the
the creation of an IPSec SA. The first traffic selector payload is known as the TSi (Traffic Selector-initiator) and the