This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
No part of this document may be reproduced or transmitted in any form or by any means without priorwritten consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All othertrademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the commercial contract made betweenHuawei and the customer. All or partial products, services and features described in this document maynot be within the purchased scope or the usage scope. Unless otherwise agreed by the contract, allstatements, information, and recommendations in this document are provided "AS IS" without warranties,guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.
4.2 Mapping Between DHCP Clients and Servers .............................................................................. 4-4 4.3 DHCP Procedure ........................................................................................................................... 4-4
4.3.1 Base Station Identification .................................................................................................... 4-4 4.3.2 Procedure for Obtaining Configuration Information in Non-IPSec Networking Scenarios ... 4-5 4.3.3 Procedure for Obtaining Configuration Information in IPSec Networking Scenarios ........... 4-6 4.3.4 Procedure for Releasing Allocated Configuration Information ............................................. 4-8
5 Automatic OMCH Establishment by the Single-mode Base Station and Co-MPTMultimode Base Station ............................................................................................................. 5-1
5.2.1 Introduction to Non-IPSec Networking ................................................................................. 5-1 5.2.2 Automatic OMCH Establishment Procedure ........................................................................ 5-1 5.2.3 Configuration Requirements for the DHCP Server ............................................................... 5-2 5.2.4 Configuration Requirements for NEs .................................................................................... 5-8
5.3 Automatic OMCH Establishment in IPSec Networking Scenario 1 ............................................... 5-9 5.3.1 Introduction to IPSec Networking Scenario 1 ....................................................................... 5-9
5.3.2 Automatic OMCH Establishment Procedure ...................................................................... 5-10 5.3.3 Configuration Requirements for the Public DHCP Server .................................................. 5-12 5.3.4 Establishing a Temporary IPSec Tunnel ............................................................................. 5-14 5.3.5 Configuration Requirements for the Internal DHCP Server ............................................... 5-16 5.3.6 Obtaining Formal Transmission Configuration Information from the Internal DHCP Server
..................................................................................................................................................... 5-17 5.3.7 Establishing a Formal IPSec Tunnel .................................................................................. 5-20 5.3.8 Configuration Requirements for NEs .................................................................................. 5-21
5.4 Automatic OMCH Establishment in IPSec Networking Scenario 2 ............................................. 5-22 5.4.1 Introduction to IPSec Networking Scenario 2 ..................................................................... 5-22 5.4.2 Automatic OMCH Establishment Procedure ...................................................................... 5-23 5.4.3 Configuration Requirements for the Internal DHCP Server ............................................... 5-23 5.4.4 Configuration Requirements for NEs .................................................................................. 5-24
5.5 Automatic OMCH Establishment in IPSec Networking Scenario 3 ............................................. 5-25 5.5.1 Introduction to IPSec Networking Scenario 3 ..................................................................... 5-25 5.5.2 Automatic OMCH Establishment Procedure ...................................................................... 5-26 5.5.3 Configuration Requirements for the Internal DHCP Server ............................................... 5-27 5.5.4 Configuration Requirements for NEs .................................................................................. 5-28
6 Automatic OMCH Establishment by the Separate-MPT Multimode Base Station ... 6-1 6.1 Networking .................................................................................................................................... 6-1 6.2 Automatic OMCH Establishment Procedure ................................................................................. 6-2 6.3 Configuration Requirements for the DHCP Server ....................................................................... 6-3 6.4 Configuration Requirements for NEs ............................................................................................ 6-3
7 Application Restrictions ......................................................................................................... 7-1 7.1 Configuration Requirements for Base Stations and Other NEs .................................................... 7-1 7.2 Impact of M2000 Deployment on Base Station Deployment by PnP ............................................ 7-3
This document describes the Automatic OMCH Establishment feature, including its implementationprinciples, procedures, and requirements for NEs.
For details about data to prepare before a base station starts the automatic OMCH establishmentprocedure, see 3900 Series Base Station Initial Configuration Guide. For details about software andconfiguration file downloading, activation, and commissioning on a base station after the automaticOMCH establishment procedure is complete, see 3900 Series Base Station Commissioning Guide.
This document applies to IP-based 3900 GSM series base stations, 3900 WCDMA series base stations,3900 LTE series base stations, and 3900 multimode base stations.
1.2 Intended Audience
This document is intended for personnel who:
Are familiar with GSM, WCDMA, and LTE basics
Need to understand Automatic OMCH Establishment
Work with Huawei products
1.3 Change History
This section provides information about the changes in different document versions.
There are two types of changes, which are defined as follows:
Feature change: refers to a change in the Automatic OMCH Establishment feature of a specific
product version. Editorial change: refers to a change in wording or the addition of information that was not described in
Operation and maintenance channels (OMCHs) are established between base stations and theoperation maintenance center (OMC, either the M2000 or BSC). OMCHs are used to transmit operationand maintenance information about base stations and are classified as follows:
OMCHs between the single-mode base station, such as the eGBTS, NodeB, or eNodeB and theM2000, or between the GBTS and the BSC.
OMCHs between the co-MPT multimode base station and the M2000. MPT is short for mainprocessing and transmission unit.
OMCHs between the separate-MPT multimode base station and the M2000. The separate-MPTmultimode base station is comprised of multiple cascaded single-mode base stations and thereforehas multiple OMCHs. For example, OMCHs for the separate-MPT UMTS/LTE dual-mode base stationinclude the OMCH between the NodeB and the M2000, and the OMCH between the eNodeB and the
M2000.
OMCHs between the eGBTS, NodeB, eNodeB, or co-MPT multimode base station and the M2000 arecarried over Transmission Control Protocol (TCP). OMCHs between the GBTS and the BSC are carriedover User Datagram Protocol (UDP). For details about the protocol stacks for OMCHs, see chapter 3"OMCH Protocol Stacks."
One end of an OMCH is located at the main control board of a base station. Depending on the configuration of the maincontrol board, multimode base stations are classified into co-MPT multimode base stations and separate-MPT multimodebase stations. For co-MPT multimode base stations, GSM, UMTS, and LTE modes share the same main control boardand OMCH. For separate-MPT multimode base stations, GSM, UMTS, and LTE modes have their respective main controlboards and OMCHs.
In this document, a base station is used if differentiation among GSM, UMTS, and LTE modes is not required. A GBTS,eGBTS, NodeB, eNodeB, co-MPT multimode base station, or separate-MPT multimode base station is used ifdifferentiation among GSM, UMTS, and LTE modes is required.
The Automatic OMCH Establishment feature enables a powered-on base station, which is configuredwith hardware but no transmission information, to obtain OMCH configuration information through thetransport network and automatically establish an OMCH to the M2000 or BSC. The base station thencan automatically download software and configuration files from the M2000 or BSC over theestablished OMCH and activate them. After being commissioned, the base station enters the workingstate.
This feature applies to base station deployment by plug and play (PnP). Figure 2-1 shows the automaticOMCH establishment phase during base station deployment by PnP.
Figure 2-1 Automatic OMCH establishment phase during base station deployment by PnP
To establish an OMCH, a base station needs to obtain the following transmission configurationinformation:
Basic information, including its OM IP address, OM virtual local area network (VLAN) ID, the interfaceIP address, the interface IP address mask, the IP address of the next-hop gateway, the IP address ofthe M2000 or BSC, and the IP address mask of the M2000 or BSC.
Security-related information, including the Certificate Authority (CA) name, transmission protocol(HTTP or HTTPS) used by the CA, CA address, CA port number, CA path, and IP address of thesecurity gateway (SeGW). Obtaining the operator's CA information is required only when the base
station needs to use digital certificates issued by the operator's CA to perform identity authenticationwith other NEs.
For details about how the base station obtains the preceding information, see chapter 4 "ObtainingTransmission Configuration Information."
2.2 Benefits
With the Automatic OMCH Establishment feature, a base station can establish OMCHs by networkcommunication without requiring operations at the local end. This implements remote base stationdeployment by PnP, thereby facilitating base station deployment and reducing the deployment cost andtime.
The Automatic OMCH Establishment feature applies to base station deployment by PnP in InternetProtocol Security (IPSec) or non-IPSec networking scenarios. In this document, the IPSec or non-IPSecnetworking indicates that the IP layer communication between the base station and other NEs is securedor not secured by IPSec, respectively.
Table 2-1 describes the application networking scenarios for the Automatic OMCH Establishmentfeature.
Table 2-1 Application networking scenarios
Networking Scenario Description
Non-IPSec IPSec does not secure Dynamic Host Configuration Protocol(DHCP) packets, OMCH data, service data, signaling data, or clockdata.
IPSec Scenario 1 IPSec secures DHCP packets, OMCH data, and all or some of theother data.
Scenario 2 IPSec secures OMCH data and all or some of the other data. It doesnot secure DHCP packets.
Scenario 3: IPSec secures service and signaling data. It neither secures OMCHdata nor all or some of the other data.
For details about how the single-mode base station and co-MPT multimode base station obtain OMCHconfiguration information and establish OMCHs in different scenarios, see chapter 5 "Automatic OMCHEstablishment by the Single-mode Base Station and Co-MPT Multimode Base Station." For details abouthow the separate-MPT multimode base station obtains OMCH configuration information and establishesOMCHs in different scenarios, see chapter 6 "Automatic OMCH Establishment by the Separate-MPTMultimode Base Station."
Figure 3-1 shows the protocol stacks for an OMCH between the eGBTS, NodeB, eNodeB, or co-MPTmultimode base station and the M2000 in non-IPSec networking scenarios.
Figure 3-1 Protocol stacks for an OMCH between the eGBTS, NodeB, eNodeB, or co-MPT multimode basestation and the M2000 (non-IPSec networking)
As shown in Figure 3-1, an OMCH between the eGBTS, NodeB, eNodeB, or co-MPT multimode basestation and the M2000 is carried over TCP and Secure Sockets Layer (SSL), of which SSL is optional.
The eGBTS, NodeB, eNodeB, or co-MPT multimode base station listens to the TCP connectionestablishment request with a specific TCP port number from the M2000, and establishes the TCPconnection to the M2000 as requested. After the TCP connection is established, the M2000 initiates anOMCH establishment request to the eGBTS, NodeB, eNodeB, or co-MPT multimode base station.
The M2000 can use SSL to perform encryption and authentication for OMCHs and enable theestablishment of SSL-based OMCHs. SSL uses the public key infrastructure (PKI), with which thecommunication between the base station and the M2000 is protected against eavesdropping andtherefore confidentiality and reliability are guaranteed. However, the M2000 should not use digitalcertificate to authenticate a base station if SSL-based OMCHs are to be established during base stationdeployment by PnP. For details about SSL, see SSL Feature Parameter Description.
Figure 3-2 shows the protocol stacks for an OMCH between the GBTS and the BSC in non-IPSecnetworking scenarios.
Figure 3-2 Protocol stacks for an OMCH between the GBTS and the BSC (non-IPSec networking)
As shown in Figure 3-2, an OMCH between the GBTS and the BSC is carried over UDP. The GBTSlistens to the UDP connection establishment request with a specific UDP port number from the BSC, andestablishes the UDP connection to the BSC as requested. After the UDP connection is established, theBSC initiates an OMCH establishment request to the GBTS.
3.2 IPSec Networking Scenario
In IPSec networking scenarios, OMCH data can be secured or not secured by IPSec. Figure 3-3 showsthe networking scenario in which IPSec secures OMCH data.
Figure 3-3 Networking scenario in which IPSec secures OMCH data
As shown in Figure 3-3, the network is divided into the trusted domain and the untrusted domain, whichare separated by the SeGW. NEs in the untrusted domain cannot access the NEs in the trusted domain. After a base station starts, it establishes an IPSec tunnel to the SeGW. Packets from the base station aresent over the IPSec tunnel to pass the untrusted domain and then forwarded by the SeGW to the M2000or BSC in the trusted domain.
Figure 3-4 shows the protocol stacks for an OMCH between the eGBTS, NodeB, eNodeB, or co-MPTmultimode base station and the M2000 in IPSec networking scenarios.
Figure 3-4 Protocol stacks for an OMCH between the eGBTS, NodeB, eNodeB, or co-MPT multimode basestation and the M2000 (IPSec networking)
Figure 3-5 shows the protocol stacks for an OMCH between the GBTS and the BSC in IPSec networkingscenarios.
Figure 3-5 Protocol stacks for an OMCH between the GBTS and the BSC (IPSec networking)
In IPSec networking scenarios, IPSec secures base station data. IPSec is a security architecture definedby the Internet Engineering Task Force (IETF) and applicable to the IP layer. IPSec secures datacommunication by identity authentication, data encryption, data integrity, and address encryption. Duringthe automatic OMCH establishment procedure, the base station establishes an IPSec tunnel to theSeGW and then an OMCH secured by the IPSec tunnel. The base station uses two types of source anddestination IP addresses:
IP addresses in the untrusted domain, that is, the interface IP addresses used for communication with
the SeGW in the untrusted domain after the base station starts.
IP addresses in the trusted domain, that is, the IP addresses used for communication with the M2000,BSC, or a DHCP server that is built into the M2000 (referred to as M2000 DHCP server in thisdocument) in the trusted domain.
The base station uses the interface IP address to access the untrusted domain. Unless otherwise
specified, the base station uses the logical IP address to access the trusted domain.
When using IPSec to secure data, an operator can determine whether to use digital certificates foridentity authentication. If authentication by digital certificates is used, the PKI must be deployed. A basestation interworks with the PKI using Certificate Management Protocol (CMP). During the automaticOMCH establishment procedure, the base station interworks with the operator's PKI to obtain theoperator-issued device certificate and CA root certificate, and establishes an IPSec tunnel to the SeGWand then an OMCH secured by the IPSec tunnel.
For details about IPSec tunnels, see IPSec Feature Parameter Description. For details about digitalcertificate management, see PKI Feature Parameter Description.
During the OMCH establishment procedure, the eGBTS, NodeB, eNodeB, or co-MPT multimode base station listens tospecific TCP port numbers, and the GBTS listens to the UDP port numbers. For details, see Communication Matrix of3900 Series Base Stations. The packets with these port numbers must be allowed to pass through the firewall betweenthe base station and the DHCP server, M2000, or BSC.
After establishing an OMCH to the M2000, the base station uses File Transmission Protocol (FTP) to download softwareand configuration files from the FTP server. FTP runs over TCP/IP, and therefore its transport layer can be secured usingSSL. For details about FTP, see RFC 959.
After establishing an OMCH to the BSC, the GBTS uses the proprietary protocol that runs over UDP to download softwareand configuration files from the BSC.
IPSec networking is not supported by the following base stations:
GBTSs in which the GTMU provides the transmission port.
NodeBs in which the WMPT provides the transmission port.
4 Obtaining Transmission Configuration Information
4.1 DHCP Overview
4.1.1 Introduction
Before an OMCH is established, a base station is not configured with any data and cannot performend-to-end communication with other NEs at the IP layer. To implement this communication, the basestation needs to obtain the following information:
OMCH configuration data, including the OM IP address, OM VLAN ID, interface IP address, interfaceIP address mask, IP address of the next-hop gateway, IP address of the M2000 or BSC, and IPaddress mask of the M2000 or BSC.
During base station deployment by PnP, if the base station needs to use digital certificates issued bythe operator's CA to perform identity authentication with other NEs, it also needs to obtain theoperator's CA information, including the CA name, CA address, CA port number, CA path, and
transmission protocol (HTTP or HTTPS) used by the CA. In IPSec networking scenarios, the base station also needs to obtain SeGW information, including the
SeGW IP address and SeGW local name.
The base station uses DHCP to obtain the preceding information. DHCP is used to allocate anddistribute configuration parameters and adopts the client/server mode. The DHCP procedure involvesthe following logical NEs:
DHCP client: a host that uses DHCP to obtain configuration parameters
DHCP server: a host that allocates and distributes configuration parameters to a DHCP client
DHCP relay agent: an NE that transmits DHCP packets between a DHCP server and a DHCP client. ADHCP relay client must be deployed between a DHCP server and a DHCP client that are in different
broadcast domains.
After a DHCP client accesses the network, it actively exchanges DHCP packets with its DHCP server toobtain configuration parameters. During the exchange, the DHCP server and the DHCP relay agentlisten to DHCP packets in which the destination UDP port number is 67, and the DHCP client listens toDHCP packets in which the destination UDP port number is 68.
4.1.2 DHCP Interworking
Figure 4-1 shows the interworking between a DHCP client and a DHCP server.
1. After the DHCP client starts, it broadcasts a DHCPDISCOVER packet to search for an availableDHCP server. The DHCPDISCOVER packet carries the identification information about the DHCPclient.
2. The DHCP server responds to the DHCPDISCOVER packet with a DHCPOFFER packet.
3. The DHCP client sends a DHCPREQUEST packet to the DHCP server, requesting parameters suchas an IP address.
4. The DHCP server sends a DHCPACK packet to the DHCP client to assign parameters such as an IPaddress.
5. If the assigned parameters cannot be used, for example, an assigned IP address has been used byother DHCP clients, the DHCP client sends a DHCPDECLINE packet to notify the DHCP server.
6. If the DHCP client does not need the assigned parameters any more, it sends a DHCPRELEASEpacket to notify the DHCP server so that the DHCP server can assign these parameters to otherDHCP clients.
4.1.3 DHCP Packet Format
Figure 4-2 shows the example format of DHCP packets shown in Figure 4-1.
The actual length and sequence of each field in a DHCP packet in software implementation may be different from thoseshown in Figure 4-2.
In a DHCP packet, the IP and UDP headers are in the standard format, and the DHCP header containsthe DHCP control and configuration information. In the DHCP header, the fields related to automaticOMCH establishment are as follows:
yiaddr: This field carries the interface IP address of the base station.
giaddr: This field carries the IP address of the DHCP relay agent.
Option fields: These fields carry other configuration information. They are encoded incode-length-value (CLV) format and consist of many subcodes. Among them, Option 43 carriesHuawei proprietary information elements (IEs) and most configuration information of the base station.For example, subcode 1 in Option 43 carries the electronic serial number (ESN) of the Huawei basestation.
Because Option 43 has a limited length, Option 224 is also used to carry Huawei proprietary IEs inSRAN8.0 or later.
For details about DHCP, see section "Dynamic Host Configuration Protocol (DHCP)" in RFC 2131 and"DHCP Options and BOOTP Vendor Extensions" in RFC 2132.
4.2 Mapping Between DHCP Clients and Servers
In this document, base stations act as DHCP clients. Table 4-1 describes the mapping between basestations and DHCP servers.
Table 4-1 Mapping between base stations and DHCP servers
Base Station Type DHCP Server in Non-IPSecNetworking Scenarios
DHCP Server in IPSecNetworking Scenarios
Single-mode GBTS BSC In the trusted domain: M2000DHCP server
In the untrusted domain:public DHCP server
eGBTS M2000
NodeB M2000 or RNC
eNodeB M2000
Multimode Co-MPTmultimode basestation
M2000
Separate-MPTmultimode basestation
Same as that of each single-modebase station
Unless otherwise specified, "base station controller" in this document is a generic term for GSM and UMTS modes.
The DHCP server and the M2000 are different logical communication entities, although they may be deployed on thesame hardware. Therefore, this document distinguishes between the DHCP server and the M2000.
In SRAN8.0, if single-mode base stations or separate-MPT multimode base stations evolve to co-MPTmultimode base stations, their DHCP servers must migrate to the M2000. Even if the evolution is notimplemented, the migration is recommended, because it provides better function support and paves theway to future smooth upgrades and evolutions.
4.3 DHCP Procedure
4.3.1 Base Station Identification
Upon receiving a DHCP packet from a base station, the DHCP server finds and sends relatedconfiguration information to the base station based on the base station identification (BS ID) contained inthe DHCP packet.
The M2000 that matches SRAN8.0 uses the combination of the ESN and slot number or the combinationof the deployment identifier (DID), subrack topology, and slot number as the BS ID.
Base station controllers and M2000s that match versions earlier than SRAN8.0 use the combination ofthe ESN and NE type or the combination of the DID and NE type as the BS ID.
The details about each element in the combinations are as follows:
ESN identifies the baseband unit (BBU) backplane of the base station. Each backplane has a uniqueESN. The ESN is reported by the base station.
DID is scanned into the base station using a barcode scanner connected to the USB port of the maincontrol board. After being scanned into the base station, the DID is broadcast in all BBUs. All maincontrol boards will record the DID and use it as the BS ID in the DHCP procedure.
Subrack topology identifies the interconnection relationship between BBU subracks that areinterconnected using UCIUs. The combination of the DID and subrack topology uniquely identifies aBBU subrack.
Slot number identifies the number of the slot that accommodates the main control board. The slot
number is used to differentiate main control boards in a BBU subrack. If the base station is configuredwith active and standby main control boards, the slot number is that of the active main control board.The slot number is reported by the base station.
NE type indicates whether the base station works in the GSM, UMTS, or LTE mode.
When creating a base station commissioning task by PnP, operators must specify the ESN if the M2000uses the combination of the ESN and slot number as the BS ID. The DID must be included in the basestation configuration file if the M2000 uses the combination of the subrack topology and slot number asthe BS ID.
4.3.2 Procedure for Obtaining Configuration Information inNon-IPSec Networking Scenarios
Procedure for Obtaining Configuration Information with No DHCP Relay Agent
A DHCP client and a DHCP server on the same Layer 2 (L2) network can directly communicate witheach other. The L2 network is a subnet in which broadcast IP packets can be exchanged and forwardedby MAC addresses and VLAN IDs. An example is the Ethernet or a VLAN of the Ethernet.
Figure 4-3 shows the procedure for a base station to obtain configuration information from a DHCPserver when no DHCP relay agent is deployed.
Figure 4-3 Procedure for obtaining configuration information with no DHCP relay agent
The procedure is as follows: After the base station is powered on, it broadcasts a DHCPDISCOVERpacket with the BS ID. The DHCP server then sends configuration information to the base station based
The DHCP server can be deployed on the L2 network of the base station only when the DHCP server isdeployed on the base station controller instead of the M2000. This is because DHCP packets carry thewell-known UDP port number and the operating system of the M2000 always discards such packets.Therefore, the DHCP server deployed on the M2000 can process only DHCP packets forwarded by theDHCP relay agent, but not DHCP packets broadcast by the base station.
Procedure for Obtaining Configuration Information with a DHCP Relay Agent
If a DHCP server is not deployed on the L2 network of a DHCP client, a DHCP relay agent must beinstalled on the next-hop gateway of the DHCP client to forward DHCP packets. The DHCP relay agentmust be on the same L2 network as the DHCP client, and the DHCP server must be on the Layer 3 (L3)network in which packets are forwarded by IP addresses.
Figure 4-4 shows the procedure for a base station to obtain configuration information from a DHCPserver when a DHCP relay agent is deployed.
Figure 4-4 Procedure for obtaining configuration information with a DHCP relay agent
The procedure is as follows: The DHCP relay agent converts DHCP packets broadcast by the basestation to unicast packets and routes the unicast packets to the DHCP server. The DHCP server sendsunicast response packets to the DHCP relay agent, which then broadcasts received response packetson the L2 network.
4.3.3 Procedure for Obtaining Configuration Information in IPSecNetworking Scenarios
In IPSec networking scenarios, a DHCP server in the trusted domain can be secured or not secured byIPSec. When the DHCP server is secured by IPSec, a public DHCP server in the untrusted domain mustbe deployed. Figure 4-5 shows the OMCH networking in this scenario.
Figure 4-6 shows the two procedures for the base station in Figure 4-5 to obtain transmissionconfiguration information.
Figure 4-6 Two procedures for obtaining transmission configuration information in IPSec networkingscenarios
1. The base station exchanges DHCP packets with a public DHCP server to obtain information, such asthe interface IP address for accessing the untrusted domain and the SeGW IP address. The basestation also needs to obtain the CA IP address if digital certificates are required for identityauthentication with the SeGW. This procedure is referred to as the first DHCP procedure.
2. The base station negotiates with the SeGW on the Internet Key Exchange (IKE) security association(SA) and IPSec SA, and then establishes an IPSec tunnel. If digital certificates are required foridentity authentication with the SeGW, the base station must apply to the CA for digital certificatesthat can be identified by the SeGW.
3. The base station exchanges DHCP packets with its M2000 DHCP server to obtain the OM IPaddress used for accessing the trusted domain. This procedure is referred to as the second DHCPprocedure. The second DHCP procedure varies depending on IPSec networking scenarios. Fordetails, see section 5.3.6 "Obtaining Formal Transmission Configuration Information from the InternalDHCP Server."
During the first DHCP procedure, the public DHCP server runs DHCP. It may not supportHuawei-defined DHCP Option fields and fail to identify the BS ID reported by the base station. If thisoccurs, the public DHCP server selects an IP address from the IP address pool and sends it to the basestation. During the second DHCP procedure, the M2000 DHCP server sends configuration parametersto the base station based on the BS ID reported by the base station.
4.3.4 Procedure for Releasing Allocated Configuration Information
When a base station obtains configuration information from its M2000 DHCP server and does not needconfiguration information allocated by a public DHCP server, the base station sends a DHCPRELEASEmessage to the public DHCP server. After receiving the DHCPRELEASE message, the public DHCPserver can redistribute allocated configuration information to other NEs. Figure 4-7 shows the procedurefor releasing allocated configuration information.
Figure 4-7 Procedure for releasing allocated configuration information
In addition to the preceding procedures, DHCP also supports the procedure for updating configuration information. However, base stations in SRAN8.0 do not support the procedure for updating configuration information.
4.4 Schemes for Obtaining VLAN Information for DHCP Packets4.4.1 Overview
Packets sent by a base station on a VLAN-based network must carry the VLAN ID. Before an OMCH isestablished, that is, before the base station sends the first DHCP packet, it must automatically acquireVLAN information after it starts. After acquiring VLAN information, it sends DHCP packets with VLAN IDsto interwork with DHCP servers to obtain transmission configuration information. Table 4-2 describes therecommended schemes for the base station in SRAN8.0 to obtain VLAN information during deployment.
Scenario Description How to ObtainVLANInformationBase
StationDeploymentMode
Whether IPSec
Secures OMCHData
Requirements for NEs
1 By PnP No N/A Using scheme 1
2 By PnP Yes The SeGW initiates a requestfor IKE negotiation with thebase station. The destinationIP address of the request isthe interface IP address thatthe base station uses toaccess the untrusted domain.
The VLAN information inDHCP packets sent by thebase station must be thesame as the VLANinformation in theconfiguration files of the basestation.
3 By PnP Yes The security policy allows thetransmission of DHCP packetssent by DHCP servers or theM2000 to the base station.
Using scheme 2
4 By PnP Yes The L2 network is configuredwith the default VLAN ID or noVLAN ID.
Using scheme 3
5 By PnP Yes The next-hop gateway of thebase station can periodicallysend ping packets to theinterface IP address of the basestation.
Using scheme 4
6 By USB Either Yes or No N/A From a USBflash drive
If a base station is deployed by USB, it imports transmission configuration information including VLANconfiguration information from the USB. If the base station is deployed by PnP, the scheme for obtainingVLAN information varies depending on whether IPSec secures OMCH data and the capability of NEs:
If IPSec does not secure OMCH data, scheme 1 is used:
The M2000 or BSC actively and periodically sends OMCH establishment requests to the base station. After receiving the requests, the next-hop gateway of the base station sends Address ResolutionProtocol (ARP) packets to the base station. The base station then records VLAN IDs derived from ARPpackets and includes recorded VLAN IDs in DHCP packets.
If IPSec secures OMCH data, any of the following schemes is used:
− Scheme 2: The DHCP server on the M2000 periodically sends the base station empty packets withthe destination IP address as the interface IP address of the base station. This enables the next-hopgateway of the base station to send ARP packets from which the base station derives VLANinformation.
−
Scheme 3: The base station sends DHCP packets with no VLAN ID, and the L2 network attaches aVLAN ID to DHCP packets sent by the base station. Therefore, the base station does not need toacquire VLAN information.
− Scheme 4: The next-hop gateway of the base station or other NEs periodically send packets to thebase station or an idle address of the subnet in which the base station is deployed. This enables thenext-hop gateway of the base station to send ARP packets from which the base station derives VLANinformation.
4.4.2 Scheme 1
Scheme 1 applies to two scenarios:
IPSec does not secure OMCH data. Figure 4-8 shows the procedure for a base station to obtain VLAN
information in this scenario.
IPSec secures OMCH data and NEs meet specific requirements. Figure 4-9 shows the procedure for abase station to obtain VLAN information in this scenario.
Figure 4-8 Scheme 1 (IPSec does not secure OMCH data
1. The M2000 or BSC sends an OMCH establishment request to the OM IP address of the base station.
2. To forward the OMCH establishment request to the correct base station, the next-hop gateway of thebase station broadcasts ARP packets to obtain the MAC address mapping the destination IP address
of the request. The next-hop gateway or the L2 network attaches VLAN IDs to ARP packets so thatcorrect VLAN IDs are contained in the ARP packets received by the base station.
3. The base station parses all received ARP packets and records the VLAN IDs contained in thepackets. It may record the VLAN ID in an ARP packet destined for another base station.
4. The base station attempts to send all DHCP packets with recorded VLAN IDs. Only DHCP packetswith correct VLAN IDs can reach the DHCP relay agent.
1. The M2000 or BSC sends an OMCH establishment request to the OM IP address of the base station.The request is forwarded to the SeGW.
2. The SeGW detects that the IPSec SA with the base station has not been established and sends anIKE negotiation request to the interface IP address of the base station. The request is routed to thenext-hop gateway of the base station.
3. To forward the IKE negotiation request to the correct base station, the next-hop gateway of the basestation broadcasts ARP packets to obtain the MAC address mapping the destination IP address of
the request. The next-hop gateway or the L2 network attaches VLAN IDs to ARP packets so thatcorrect VLAN IDs are contained in the ARP packets received by the base station.
4. The base station parses all received ARP packets and records the VLAN IDs contained in thepackets. It may record the VLAN ID in an ARP packet destined for another base station.
5. The base station attempts to send all DHCP packets with recorded VLAN IDs. Only DHCP packetswith correct VLAN IDs can reach the DHCP relay agent.
4.4.3 Scheme 2
Figure 4-10 shows the procedure for a base station to obtain VLAN information in scheme 2.
1. The M2000 sends a DHCPOFFER packet with no content to the interface IP address of the basestation. The packet is forwarded to the next-hop gateway of the base station.
2. To forward the DHCPOFFER packet to the correct base station, the next-hop gateway of the basestation broadcasts ARP packets to obtain the MAC address mapping the destination IP address ofthe request. The next-hop gateway or the L2 network attaches VLAN IDs to ARP packets so thatcorrect VLAN IDs are contained in the ARP packets received by the base station.
3. The base station parses all received ARP packets and records the VLAN IDs contained in thepackets. It may record the VLAN ID in an ARP packet destined for another base station.
4. The base station attempts to send all DHCP packets with recorded VLAN IDs. Only DHCP packetswith correct VLAN IDs can reach the DHCP relay agent.
4.4.4 Scheme 3
Figure 4-11 shows the procedure for a base station to obtain VLAN information in scheme 3.
Figure 4-11 Scheme 3
1. The base station sends a DHCP packet with no VLAN ID.
2. The L2 network between the base station and the next-hop gateway of the base station automaticallyattaches the default VLAN ID to the DHCP packet. The default VLAN ID is the same as the VLAN IDrequired for deploying the base station. With the correct VLAN ID, the DHCP packet can beforwarded over the L2 network to the DHCP relay agent and then reach the DHCP server.
4.4.5 Scheme 4
Figure 4-12 shows the procedure for a base station to obtain VLAN information in scheme 4.
Figure 4-12 Scheme 4
1. After the next-hop gateway of the base station is configured with the service level agreement (SLA), itperiodically sends ping packets to the interface IP address of the base station or an IP address onthe network segment of the base station.
2. To forward ping packets to the correct base station, the next-hop gateway of the base stationbroadcasts ARP packets to obtain the MAC address of the base station mapping the destination IPaddress of the ping packets. The ARP packets received by the base station carry correct VLAN IDs.
3. The base station parses all received ARP packets and records the VLAN IDs contained in thepackets. It may record the VLAN ID in an ARP packet destined for another base station.
4. The base station attempts to send all DHCP packets with recorded VLAN IDs. Only DHCP packetswith correct VLAN IDs can reach the DHCP relay agent.
5 Automatic OMCH Establishment by the Single-modeBase Station and Co-MPT Multimode Base Station
5.1 OverviewThis chapter describes the automatic OMCH establishment procedures implemented by the single-modebase station and co-MPT multimode base station in IPSec or non-IPSec networking scenarios, and theprocedures' requirements for NEs. In IPSec networking scenarios, the network is divided into theuntrusted domain and the trusted domain. Depending on NE distribution in the untrusted domain and thetrusted domain, IPSec networking scenarios are classified as follows:
Scenario 1: IPSec secures OMCH data and DHCP packets.
Scenario 2: IPSec secures OMCH data, but not DHCP packets.
Scenario 3: IPSec secure service data, but not OMCH data or DHCP packets.
5.2 Automatic OMCH Establishment in Non-IPSec NetworkingScenarios
5.2.1 Introduction to Non-IPSec Networking
Figure 5-1 shows a non-IPSec networking scenario in which IPSec does not secure OMCH data.
Figure 5-1 Non-IPSec networking
This networking has the following characteristics:
The DHCP server is not deployed on the L2 network of the base station.
The DHCP relay agent is deployed on the next-hop gateway of the base station.
IPSec does not secure OMCH data.
5.2.2 Automatic OMCH Establishment Procedure
Figure 5-2 shows the automatic OMCH establishment procedure in non-IPSec networking scenarios.
Figure 5-2 Automatic OMCH establishment in non-IPSec networking scenarios
1. After a base station commissioning by PnP task is created on the M2000, the M2000 or BSC
periodically sends an SSL-based or plaintext-based OMCH establishment request to the base station.In the request, the source IP address is the IP address of the M2000 and the destination IP addressis the OM IP address of the base station. After the next-hop gateway of the base station receives therequest, it broadcasts ARP packets to the base station to obtain the MAC address mapping theinterface IP address of the base station.
The next-hop gateway of the base station broadcasts ARP packets each time it receives a TCP connection request sentperiodically by the M2000.
2. The base station obtains VLAN information. For details, see section 4.4 "Schemes for ObtainingVLAN Information for DHCP Packets."
3. The base station first sends DHCP packets with no VLAN ID and then DHCP packets with VLAN IDs.
By exchanging DHCP packets with its next-hop gateway and DHCP server, the base station obtainsthe OMCH configuration data and validates the data.
4. In response to the ARP packets and the OMCH establishment request, the base station establishesan OMCH to the M2000 or BSC. The DHCP server then sends related configuration files to the basestation based on the BS ID.
5.2.3 Configuration Requirements for the DHCP Server
The DHCP server of a base station must be configured with the following:
A route to the base station or the network segment of the base station.
Parameters to be used during the DHCP procedure. These parameters are contained in the DHCP
packet headers, Option fields defined by RFC 2132, and subcodes of Option 43 defined by Huawei.
Table 5-1 lists the parameters to be contained in the DHCP packet headers.
Table 5-1 Parameters to be contained in the DHCP packet headers in non-IPSec networking scenarios
giaddr 4 IP address of the DHCPrelay agent deployed on thenetwork, if any. Broadcastpackets (Discovery andRequest packets) sent bythe base station do notcarry this IP address, andthe DHCP relay agent addsthis IP address to DHCPpackets to be forwarded.For details, see RFC 2131.
Optional DHCPDISCOVERY
DHCPOFFER
DHCPREQUEST
DHCPACK
Table 5-2 lists the parameters to be contained in Option fields defined by RFC 2132.
Table 5-2 Parameters to be contained in DHCP Option fields in non-IPSec scenarios
ParameterName
MappingDHCPOption
Length(Bytes)
Parameter Description DHCP Packet Involved
Subnet Mask 1 4 Subnet mask of a DHCP client DHCPOFFER
DHCPACK
Router Option 3 N*4 List of the IP addresses of routers
deployed in a DHCP client'ssubnet
DHCPOFFER
DHCPACK
Vendor SpecificInformation
43 0-255 Vendor-specific informationexchanged between a DHCPclient and a DHCP server
DHCPDISCOVER
DHCPREQUEST
DHCPOFFER
DHCPACK
IP AddressLease Time
51 4 Lease time of an assigned IPaddress
DHCPOFFER
DHCPACK
DHCP Message
Type
53 1 Value:
1: DHCPDISCOVER
2: DHCPOFFER
3: DHCPREQUEST
5: DHCPACK
DHCPDISCOVER
DHCPREQUEST DHCPOFFER
DHCPACK
Server Identifier 54 4 IP address of a DHCP server DHCPOFFER
DHCPACK
Renewal (T1)Time Value
58 4 Interval from address assignmentto the transition to theRENEWING state
OM Interface Type 2 1 Transmissioninterface ofthe basestation:Ethernet orE1.
NOTE
If an Ethernetinterface isused as thetransmissioninterface, theOMCH managedobject (MO) inconfigurationfiles of thebase stationmust bebound to aroute, or the
peer IPaddress mustbe the IPaddress of theM2000 or thenext-hopgateway of thebase station.
Optional
The defaultvalue isEthernet.
DHCPOFFER
DHCPACK
OM Interface SlotNumber
248 1 Slot numberof the maincontrol boardif thetransmission
interface isprovided bythe maincontrol board,or the slotnumber of theUTRP board ifthetransmissioninterface isprovided bythe UTRP
board.
Mandatory inSRAN8.0 orlater only if anEthernetinterface is used
as thetransmissioninterface. If thisparameter is notspecified, thebase stationautomaticallyidentifies the slotnumber.
247 1 Port numberof thetransmissioninterface ofthe basestation
Mandatory inSRAN8.0 orlater only if anEthernetinterface is usedas thetransmissioninterface. If thisparameter is notspecified, thebase stationautomaticallyidentifies theport number.
DHCPOFFER
DHCPACK
OMLOCATION 51 3 The numbersof the cabinet,subrack, andslot thataccommodatethe maincontrol boardwhere theOMCH islocated.
Mandatory inSRAN8.0 orlater only if anEthernetinterface is usedas thetransmissioninterface.
If this parameteris not specified,the base station
automaticallyidentifies thenumbers of thecabinet,subrack, andslot.
DHCPOFFER
DHCPACK
OM IP Address 3 4 Local IPaddress of theOMCH
Mandatory DHCPOFFER
DHCPACK
OM IP AddressSubnet Mask
4 4 Local IPaddress mask
of the OMCH
Mandatory DHCPOFFER
DHCPACK
M2000 IP Address 5 4 Peer IPaddress of theOMCH Thisparameterand OMCHRoute Mask collectivelyidentify anOMCH route.
In the decimalequivalent ofthis parametervalue, 01 isnot allowed.
DHCPACK
OM Vlan ID 11 2 VLAN ID ofthe OMCH
Mandatory onlyif VLANinformation isconfigured andan Ethernetinterface is used
as thetransmissioninterface
DHCPOFFER
DHCPACK
OM Vlan Priority 12 1 VLAN priorityof the OMCH
Optional DHCPOFFER
DHCPACK
BSC IP 13 4 IP address ofthe BSC
Mandatory forthe GSM mode
DHCPOFFER
DHCPACK
OM Next Hop IP Address
17 4 Next-hop IPaddress of thebase station
Mandatory DHCPOFFER
DHCPACK
When creating a base station commissioning by PnP task on the M2000, deployment engineers canexport configuration information listed in Table 5-3 to the DHCP server. Deployment engineers canmanually modify the configuration information for the DHCP server only on the M2000 GUI. Deploymentmay fail if the DHCP server is not configured with mandatory parameters listed in Table 5-3 or optionalparameters that must be configured in certain scenarios.
5.2.4 Configuration Requirements for NEs
Table 5-4 lists the configuration requirements for NEs during base station deployment by PnP in thenon-IPSec networking scenario shown in Figure 5-1.
Table 5-4 Configuration requirements for NEs
NE Requirement
Base station None
Next-hop L2 NE of thebase station
(Optional) Is configured with VLAN information. VLAN configuration isrequired only when the L2 network adopts VLANs.
L2 NEs Allow the transmission of DHCP broadcast and unicast packets withoutfiltering or modifying DHCP packets.
Are configured with the VLAN forwarding function that matches the
This networking has the following characteristics:
A public DHCP server and an M2000 DHCP server are deployed in the untrusted domain and the
trusted domain, respectively. The base station obtains from the public DHCP server the transmissionconfiguration information required for establishing a temporary IPSec tunnel to the SeGW and obtainsfrom the M2000 DHCP server the formal transmission configuration information.
The base station in the untrusted domain cannot directly access NEs in the trusted domain. Instead,packets from the base station must be encrypted over the IPSec tunnel to the SeGW before beingtransmitted to the M2000 or BSC in the trusted domain.
A CA is deployed. During base station deployment, the CA can be accessed by NEs or using an IPaddress (for example, the interface IP address of the base station) in the untrusted domain.
After the base station starts, it must apply to the CA for operator-issued digital certificates beforeconnecting to the SeGW. After obtaining the certificates, the base station negotiates with the SeGW toestablish an IPSec tunnel.
5.3.2 Automatic OMCH Establishment Procedure
In IPSec networking scenario 1, the base station obtains configuration information as follows:
1. Obtains the following information from the public DHCP server:
− Interface IP address used for accessing NEs in the untrusted domain.
− Configuration information used for establishing an IPSec tunnel to the SeGW. The informationincludes the SeGW configuration data and the CA configuration data.
2. Obtains digital certificates from the CA.
3. After establishing the IPSec tunnel, obtains the OMCH configuration data from the M2000 DHCPserver. The information is used for accessing NEs in the trusted domain and referred to as formal
transmission configuration information in this document.
The interface IP address obtained from the public DHCP server can be the same as or different from thatobtained from the M2000 DHCP server.
Figure 5-4 shows the automatic OMCH establishment procedure in IPSec networking scenario 1.
1. The base station obtains VLAN information. For details, see section 4.4 "Schemes for ObtainingVLAN Information for DHCP Packets."
2. Using the DHCP procedure, the base station obtains from the public DHCP server the transmissionconfiguration information used for establishing a temporary IPSec tunnel. The information includesthe interface IP address of the base station, CA configuration data, SeGW configuration data, andM2000 DHCP server IP address. For details about the configuration information on the public DHCP
server, see section 5.2.3 "Configuration Requirements for the DHCP Server."3. Using CMPv2, the base station applies to the CA for an operator-issued device certificate and a CA
root certificate. The base station adds the obtained CA root certificate to the default trusted certificatelist so that it can authenticate peer NEs, such as the SeGW. If the application for operator-issueddigital certificates fails or receives no response within about 30 seconds, the preconfigured digitalcertificates are used for establishing an IPSec tunnel.
NOTE
The operator's CA must be configured with the Huawei-issued CA root certificate to authenticate the device certificate ofthe base station. The base station uses the Huawei-issued device certificate for identity authentication by the CA.
4. The base station establishes a temporary IPSec tunnel to the SeGW. For details about the securityparameters used by the base station during the temporary IPSec tunnel establishment, see section
5.3.4 "Establishing a Temporary IPSec Tunnel."5. With protection from the temporary IPSec tunnel, the base station obtains formal transmission
configuration information from the M2000 DHCP server in different ways, depending on whether theIP address used for accessing the trusted domain and the M2000 DHCP server IP address areavailable. For details, see section 5.3.6 "Obtaining Formal Transmission Configuration Informationfrom the Internal DHCP Server."
6. The base station releases the temporary IPSec tunnel and uses formal transmission configurationinformation to establish a formal IPSec tunnel to the SeGW. For details, see section 5.3.7"Establishing a Formal IPSec Tunnel."
7. With protection from the formal IPSec tunnel, the base station waits 10 minutes for the SSL-based orplaintext-based OMCH establishment request from the M2000 or BSC and finally establishes an
OMCH to the M2000 or BSC. If an OMCH is successfully established between the M2000 and base
station within 10 minutes, base station deployment by PnP ends. Otherwise, base station deploymentby PnP is restarted.
5.3.3 Configuration Requirements for the Public DHCP Server
The public DHCP server must be configured with the parameters listed in Table 5-5 as well as a route tothe base station or the network segment of the base station. Unless otherwise specified, theseparameters are contained in subcodes of Option 43 in DHCP packets.
Table 5-5 Parameters to be configured on the public DHCP server
Classification
ParameterName
MappingSubcode
Length(Bytes)
ParameterDescription
Mandatoryor Optional
DHCP PacketInvolved
CAinformation
PKI SERVERIP
35 4 IP address ofthe CA
Mandatoryonly ifidentityauthenticati
on by digitalcertificatesis requiredand the CAURL is notconfigured.
Theseparameterscollectivelyidentify andequal theURL of the
CA.These fourparameterscannot beconfigured ifthe CA URLhas beenconfigured.
DHCPOFFER
DHCPACK
CA protocoltype
39 1 Protocol usedto access theCA: HTTP orHTTPS
DHCPOFFER
DHCPACK
CA port 36 2 HTTP orHTTPS portnumber of theCA
DHCPOFFE
DHCPACK
CA Path 37 1 to 60 Path used foraccessingdigital
certificates onthe CA
DHCPOFFE
DHCPACK
CA URL 44 1 to 128 URL used foraccessing thedigital
certificate path.This parameteris configurableonly when thebase stationand CA useCMPv2.
The CA URLformat is asfollows:http(s)://CAIP:CAport/CAPath
Mandatoryonly if thefollowing
parametersare notconfiguredwhenauthentication by digitalcertificatesis required:PKISERVER IP,CAprotocoltype, CAport, and
Transmissionconfigurationinformation for thebasestation
Interface IP Address
- 4 Carried in theyiaddr field inDHCP packetheaders
Mandatory DHCPOFFE
DHCPACK
Interface IP Addressmask
- 4 Carried inDHCP option 1
Mandatory DHCPOFFE
DHCPACK
Next-hopGateway IP Address
- 4 Carried inDHCP option 3
Mandatory DHCPOFFE
DHCPACK
All IP addresses or URLs listed in Table 5-5 except Internal DHCP Server IP Address (List) can beused only in the untrusted domain. Particularly, NEs in the untrusted domain must have access to the CAIP address and the CA URL. If the base station cannot access the CA, it cannot obtain anyoperator-issued certificate.
NOTE
In IPSec networking scenario 1, the public DHCP server assigns an interface IP address in the IP address pool to thebase station, without parsing the BS ID contained in Option 43. Therefore, the BS ID contained in DHCP packets ismeaningless in such a scenario.
5.3.4 Establishing a Temporary IPSec Tunnel
After the base station obtains the transmission configuration information (including its interface IPaddress, the SeGW IP address, and the CA IP address) from the public DHCP server, the base stationobtains digital certificates from the CA and attempts to establish a temporary IPSec tunnel to the SeGW.For details about the temporary IPSec tunnel establishment, see IPSec Feature Parameter Description.This section describes the security parameters (algorithms) used by the base station during deploymentby PnP.
IKEv1 and IKEv2 are incompatible. During base station deployment by PnP, the base station cannotpredict the IKE version used by the SeGW. If the base station successfully negotiated an IKE versionwith the SeGW, the base station preferentially tries this IKE version. Otherwise, the base station triesIKEv2 before IKEv1.
IKE SA Negotiation During IKE SA negotiation in the normal operation of the base station, the base station supports a largenumber of algorithm groups. However, during base station deployment by PnP, the base station onlysupports the 48 algorithm groups (see Table 5-6) in the IKEv2 proposal and the 120 algorithm groups(see Table 5-7) in the IKEv1 proposal.
Encryption Algorithm Authentication Algorithm Diffie-Hellman Group AuthenticationMethod
(Only IKEv1)
DES MD5 DH_GROUP1 PSK
3DES SHA1 DH_GROUP2 RSA-SIG
AES128 - DH_GROUP14 DSS-SIG
AES192 - DH_GROUP15 -
AES256 - - -
NOTE
During base station deployment by PnP, when performing IKEv1 negotiation, the base station tries only the perfectforward secrecy (PFS) value DISABLE, not PFS_GROUP1 or PFS_GROUP2.
To establish a temporary IPSec tunnel, the base station preferentially tries the five algorithm groupslisted in Table 5-7 in sequence. If this fails, the base station tries the other groups until it establishes anIPSec tunnel. To increase the deployment success rate and shorten the deployment duration, it isrecommended that security parameters in configuration files of the base station follow the configurationslisted in Table 5-8.
Table 5-8 The first five algorithm groups in the IKE proposal
IPSec SA Negotiation During IPSec SA negotiation in the normal operation of the base station, the base station supports ESPand AH authentication in tunnel or transport mode. However, during base station deployment by PnP, thebase station only supports ESP authentication in tunnel mode.
During IPSec SA negotiation in the normal operation of the base station, the base station supportsmultiple encryption and authentication algorithm groups. However, during base station deployment byPnP, the base station supports only the encryption and authentication algorithm groups listed in Figure5-5. It first tries the six algorithm groups marked in green. If this fails, it tries the six algorithm groupsmarked in gray. Once IKE negotiation is successful using an algorithm group, the base station appliesthis algorithm group.
The base station tries IKE version and algorithm groups in the following priority sequence:
1. IKEv2 and algorithm groups marked in green
2. IKEv2 and algorithm groups marked in gray
3. IKEv1 and algorithm groups marked in green
4. IKEv1 and algorithm groups marked in gray
Figure 5-5 Encryption and authentication algorithms in IPSec proposal
Authenticationalgorithm
Encryptionalgorithm
3DES
AES128
AES192
AES256
SHA1 SHA256 AES-XCBC-MAC-96
NOTE
During base station deployment by PnP, the base station does not try all supported security parameters (such as the DESalgorithm) when establishing an IPSec tunnel. This is because trying all supported combinations of security parametersmay take a long time.
During base station deployment by PnP, the base station must use tunnel mode instead of transfer mode as theencapsulation mode when establishing an IPSec tunnel. This is because the M2000, BSC, DHCP server, and FTP serverdo not support IPSec.
If the security parameters and their settings on the base station or SeGW side are inconsistent with
those tried during base station deployment by PnP, OMCH establishment may fail, leading todeployment failures. Therefore, ensure there is consistency between the parameters and settings.
5.3.5 Configuration Requirements for the Internal DHCP Server
The M2000 DHCP server must be configured with the parameters listed in Table 5-9 as well as theparameters listed in Table 5-3. These parameters are contained in Option 43 in DHCP packets.
Table 5-9 Parameters specific to the M2000 DHCP server in IPSec networking scenario 1
information SecGW IP serving SeGW inIPSec networking
scenarios
DHCPACK
ServingSecGWLocal Name
32 Local name of theserving SeGW.
It is provided bythe base station toauthenticate theserving SeGW inIPSec networkingscenarios
Optional
5.3.6 Obtaining Formal Transmission Configuration Informationfrom the Internal DHCP Server
RFC 4306, the standard protocol for IKEv2, defines the MODE-CONFIG mode in which the base stationuses the configuration payload (CP) to apply to the SeGW for certain configuration information. Usingthe MODE-CONFIG mode during IKE negotiation, the base station can obtain one temporary logical IPaddress used for accessing the trusted domain and one M2000 DHCP server IP address. The basestation can also interwork with the public DHCP server to obtain a maximum of eight M2000 DHCPserver IP addresses.
NOTE
In IKEv1, CP is not standardized and is referred to as MODE-CONFIG, which is supported only by the base station inaggressive mode. For details about the MODE-CONFIG, see RFC4306 Internet Key Exchange (IKEv2) Protocol .
The base station follows procedures listed in Table 5-10 to obtain formal transmission configurationinformation from the M2000 DHCP server, depending on whether the logical IP address used foraccessing the untrusted domain and any M2000 DHCP server IP address are available.
Table 5-10 Obtaining formal transmission configuration information from the M2000 DHCP server
If... Then... ConfigurationRequirements for NEs
The base station has obtained theinterface IP address foraccessing the untrusted domain,and has used theMODE-CONFIG mode during IKEnegotiation to obtain the logical IPaddress for accessing the trusteddomain.
The base station has obtainedone or more M2000 DHCP serverIP addresses, using either theDHCP procedure or theMODE-CONFIG mode during IKEnegotiation.
The base station uses the logical IPaddress for accessing the trusteddomain as the source IP address,and uses any M2000 DHCP serverIP address as the destination IPaddress. The base station thenunicasts DHCP packets to eachM2000 DHCP server. Only theM2000 DHCP server that has thecorrect BS ID sends configurationinformation to the base station.
The base station automaticallyconfigures an access control list(ACL) rule that allows DHCPpackets to reach the base station.
In the ACL rule, both the sourceand destination IP addresses can
be any address.
The base station has obtained theinterface IP address foraccessing the untrusted domain,but not the logical IP address foraccessing the trusted domain.
The base station has obtainedone or more M2000 DHCP serverIP addresses.
The base station uses the interfaceIP address for accessing theuntrusted domain as the source IPaddress, and uses any M2000DHCP server IP address as thedestination IP address. The basestation then unicasts DHCPpackets to each M2000 DHCPserver. Only the M2000 DHCPserver that has the correct BS IDsends configuration information tothe base station.
The base station automaticallyconfigures an ACL rule that allowsDHCP packets to reach the basestation. In the ACL rule, the sourceIP address is the interface IPaddress and the destination IPaddress is an M2000 DHCP serverIP address.
See Table 5-12.
The base station has not obtainedthe logical IP address for accessing
the trusted domain or any M2000DHCP server IP address.
The base station uses 0.0.0.0 asthe source IP address and
255.255.255.255 as the destinationIP address to broadcast DHCPpackets over an IPSec tunnel. Thepackets are encapsulated over theIPSec tunnel before reaching theSeGW.
The base station automaticallyconfigures an ACL rule that allowsDHCP packets to reach the basestation. In the ACL rule, the sourceUDP port number is 68 and thedestination UDP port number is 67.
See Table 5-13.
Table 5-11 Configuration requirements for NEs (1)
NE Requirement
Public DHCP server Is configured with one to eight M2000 DHCP server IP addressesonly if the SeGW is not configured with any M2000 DHCP server IPaddress.
SeGW Supports the MODE-CONFIG mode so that the SeGW sends atemporary logical IP address and an M2000 DHCP server IP
address to the base station. Alternatively, the SeGW sends a
temporary logical IP address and the public DHCP server sendsan M2000 DHCP server IP address. It is recommended that theoperator plan all temporary logical IP addresses for accessing the
trusted domain on the same network segment and on a differentnetwork segment from the OM IP address of the base station.
Automatically generates an ACL rule after using theMODE-CONFIG mode to send the M2000 DHCP server IPaddress. In the ACL rule, the source IP address is the temporarylogical IP address for accessing the trusted domain and thedestination IP address can be any IP address. This eliminates theneed to manually configure associated ACL rules. If an ACL rule ismanually configured that the source IP address is the temporarylogical IP address for accessing the trusted domain, the IPaddresses of all M2000 DHCP servers must be on the networksegment defined by this ACL rule.
All NEs between the basestation and the M2000 DHCPserver
Are configured with the firewall policy or the packet filtering policyso that they allow the transmission of packets with 67 or 68 as thesource and destination UDP port number.
Are configured with a route to the logical IP address for accessingthe trusted domain or network segment of the logical IP addressso that related packets can be routed to the SeGW.
M2000 DHCP server Is configured with a route to the logical IP address of the basestation.
Table 5-12 Configuration requirements for NEs (2)
NE Requirement
Public DHCP server Is configured with one to eight M2000 DHCP server IPaddresses.
All NEs between the base stationand the M2000 DHCP server
Are configured with the firewall policy or the packet filteringpolicy so that they allow the transmission of packets with 67 or68 as the source and destination UDP port number.
Are configured with a route to the temporary logical IP addressfor accessing the trusted domain or network segment of thetemporary logical IP address so that related packets can berouted to the SeGW.
Are configured with a route to the interface IP address of thebase station or the IP address of the network segment.
M2000 DHCP server Is configured with a route to the interface IP address of the basestation.
SeGW Supports sending DHCP broadcast packets in IPSec tunnels, in
compliance with RFC 3456.
All NEs between the basestation and the M2000 DHCPserver
Are configured with the firewall policy or the packet filtering policyso that they allow the transmission of packets with 67 or 68 as thesource and destination UDP port number.
Are configured with a route to the IP address of the DHCP relayagent on the SeGW.
M2000 DHCP server Are configured with a route to the IP address of the DHCP relayagent on the SeGW.
Compared with non-IPSec networking scenarios, IPSec networking scenario 1 has the followingdifferences in the procedure for obtaining transmission configuration information from the M2000 DHCPserver:
The M2000 DHCP server can be deployed only on the M2000, not the base station controller.
The base station may obtain IP addresses of many DHCP servers. Therefore, it needs tocommunicate with each DHCP server to find the correct DHCP server.
IPSec secures OMCH data. Therefore, among the configuration information sent by the M2000 DHCPserver to the base station, the SeGW IP address is mandatory and the local name of the SeGW isoptional. The local name of the SeGW is used to authenticate the SeGW.
5.3.7 Establishing a Formal IPSec Tunnel
The SeGW IP address obtained from the M2000 DHCP server may or may not be the same as theSeGW IP address obtained from the public DHCP server. In either case, the base station needs tonegotiate an IKE SA and an IPSec SA with the SeGW before establishing an IPSec tunnel to the SeGW.The SeGW is identified by the SeGW IP address in the configuration information from the M2000 DHCPserver.
The procedure for establishing a formal IPSec tunnel differs from the procedure for establishing atemporary IPSec tunnel as follows:
To establish an IKE SA and an IPSec tunnel to the SeGW, the base station uses the interface IPaddress and the SeGW IP address sent by the M2000 DHCP server. During IPSec tunnel negotiation,the base station automatically configures two ACL rules. In both ACL rules, the source IP address is
the OM IP address of the base station, but the destination IP address can be any IP address in onerule and must be the IP address of the M2000 or BSC in the other rule. Accordingly, the SeGW can beconfigured with the two ACL rules. If the SeGW is configured with the two ACL rules, the ID of the ACLrule by which the destination IP address can be any IP address should be as small as possible toavoid rule mismatches.
NOTE
If the SeGW is configured with the ACL rule that the destination IP address is the IP address of the M2000 or BSC, theFTP server from which the base station downloads software and configuration files must be deployed on the M2000 orBSC and use the same IP address as the M2000 or BSC. Otherwise, the base station cannot access the FTP server afterthe base station and the SeGW filter packets according to ACL rules.
The base station preferentially tries security parameters with which the temporary IPSec tunnel wassuccessfully established to establish the formal IPSec tunnel. If this fails, the base station follows the
sequence described in section 5.3.4 "Establishing a Temporary IPSec Tunnel" to try other securityparameters.
5.3.8 Configuration Requirements for NEs
Table 5-14 lists the configuration requirements for NEs in IPSec networking scenario 1.
Table 5-14 Configuration requirements for NEs in IPSec networking scenario 1
NE Requirement
L2 NEs Allow the transmission of DHCP broadcast and unicast packets withoutfiltering or modifying DHCP packets.
Are configured with correct VLAN information.
Next-hop L3 NE of thebase station
Is configured as the DHCP server or enabled with the DHCP relay agent.
Is configured with correct DHCP server IP addresses.
Is configured with routes to the DHCP server, CA, and SeGW.
L3 NEs (NEs in the untrusted domain): Are configured with routes to the temporaryand formal interface IP addresses of the base station and routes to the CAand the SeGW.
(NEs in the trusted domain): Are configured with a route to the OM IPaddress of the base station and routes to the M2000 and FTP server.
M2000 Is configured with a route to the OM IP address of the base station.
M2000 DHCP server Is configured with a route to the DHCP relay agent.
FTP server Is configured with a route to the OM IP address of the base station.
Stores software and configuration files of the base station in the specifieddirectory.
Provides access rights, such as the user name and password, for the basestation.
SeGW Allows DHCP packets to be exchanged between the base station and theM2000.
Allows packets to be exchanged between the base station and the M2000over an OMCH and between the base station and the FTP server.
Is enabled with the DHCP relay agent function if the SeGW complies withRFC 3456.
Is configured with security parameters listed in Table 5-5.
Is configured with ACL rules that allow the transmission of packets sentfrom the base station during the DHCP procedure and the OMCHestablishment procedure.
Is configured with related IP address pool and assignment rules if theSeGW needs to assign an IP address for accessing the trusted domain ora DHCP server IP address to the base station.
Is configured with operator-issued CA certificates and its own certificates.
An IP address that can be accessed by NEs in the untrusted domain
Huawei-issued CA root certificates
5.4 Automatic OMCH Establishment in IPSec NetworkingScenario 2
5.4.1 Introduction to IPSec Networking Scenario 2
Figure 5-6 shows IPSec networking scenario 2, in which IPSec secures all packets except DHCPpackets.
Figure 5-6 IPSec networking scenario 2
This networking has the following characteristics:
An M2000 DHCP server in the trusted domain is deployed. IPSec does not secure DHCP packets.Using a DHCP procedure in the untrusted domain, the base station obtains its temporary IP address
and the OM IP address, the SeGW IP address, and the CA IP address. From the M2000 DHCP server,the base station obtains the formal transmission configuration information.
The base station in the untrusted domain cannot directly access NEs in the trusted domain. Instead,packets from the base station must be encrypted over the IPSec tunnel to the SeGW before beingtransmitted to the M2000 or BSC in the trusted domain.
A CA is deployed and provides digital certificates for the base station to perform mutual authenticationwith other NEs. During base station deployment, the CA can be accessed by NEs or using an IPaddress in the untrusted domain.
After the base station starts, it must apply to the CA for operator-issued digital certificates beforeconnecting to the SeGW.
In IPSec networking scenario 2, the base station must establish an IPSec tunnel to the SeGW before itcan access the M2000 or BSC in the trusted domain. To establish the IPSec tunnel, the base stationmust obtain digital certificates issued by the operator's CA. To obtain digital certificates, the base stationmust obtain required configuration information from the M2000 DHCP server.
Figure 5-7 shows the automatic OMCH establishment procedure in IPSec networking scenario 2.
1. The base station obtains VLAN information. For details, see section 4.4 "Schemes for ObtainingVLAN Information for DHCP Packets."
2. The base station obtains required configuration information from the M2000 DHCP server. Theinformation includes the interface IP address and the OM IP address of the base station, the CA IPaddress, and the SeGW address.
NOTE
DHCP packets from the base station are forwarded by the DHCP relay agent to the DHCP server on the M2000.
3. By using the configuration information obtained from the M2000 DHCP server, the base stationapplies to the CA for operator-issued digital certificates.
4. By using the configuration information obtained from the M2000 DHCP server, the base stationestablishes a formal IPSec tunnel to the SeGW.
5. The base station validates the formal transmission configuration information. With protection from theformal IPSec tunnel, the base station waits for the SSL-based or plaintext-based OMCHestablishment request from the M2000 or BSC and finally establishes an OMCH to the M2000 orBSC.
5.4.3 Configuration Requirements for the Internal DHCP Server
The M2000 DHCP server must be configured with the parameters listed in Table 5-15 as well as theparameters listed in Table 5-3. These parameters are contained in subcodes of Option 43 in DHCPpackets.
L3 NEs (NEs in the untrusted domain): Are configured with routes to theinterface IP addresses of the base station and routes to the CA and theSeGW.
(NEs in the trusted domain): Are configured with a route to the OM IPaddress of the base station and routes to the M2000 and FTP server.
M2000 Is configured with a route to the OM IP address of the base station
M2000 DHCP server Is configured with a route to the DHCP relay agent.
SeGW Allows packets to be exchanged between the base station and theM2000 over an OMCH and between the base station and the FTPserver.
Is configured with security parameters listed in Table 5-6, Table 5-7, and Figure 5-5.
Is configured with ACL rules in which the source destination IP addresscan be any address and the destination IP address can be any IPaddress or the OM IP address of the base station .
Is configured with operator-issued CA certificates and its owncertificates.
CA Is configured with the following:
An IP address that can be accessed by NEs in the untrusted domain
Huawei-issued CA root certificates
5.5 Automatic OMCH Establishment in IPSec NetworkingScenario 3
5.5.1 Introduction to IPSec Networking Scenario 3
Figure 5-8 shows IPSec networking scenario 3, in which IPSec secures service and signaling data, butnot DHCP packets or OMCH data.
This networking has the following characteristics:
An M2000 DHCP server is deployed. The base station obtains the OMCH configuration data and CAconfiguration data from the M2000 DHCP server. IPSec does not secure DHCP packets.
IPSec does not secure OMCH data. The base station uses the OM IP address to access NEs in theuntrusted domain. IPSec tunnels established between the base station and the SeGW are used tosecure signaling and service data.
Either party involved in IPSec negotiation uses digital certificates or PSK to authenticate the otherparty.
The CA is optional. If the PSK is used for authentication, a CA is not required. If digital certificates areused for authentication, a CA is required. After the base station starts, it must apply to the CA foroperator-issued digital certificates before connecting to the SeGW. During base station deployment,the CA can be accessed by NEs or using an IP address (for example, the interface IP address of the
base station) in the untrusted domain.
5.5.2 Automatic OMCH Establishment Procedure
Figure 5-9 shows the automatic OMCH establishment procedure in IPSec networking scenario 3.
1. The base station obtains VLAN information. For details, see section 4.4 "Schemes for Obtaining
VLAN Information for DHCP Packets."
2. The base station obtains the OMCH configuration data and CA configuration data (optional) from theM2000 DHCP server. If the base station uses the PSK for authentication, the base station does notneed to obtain the CA configuration data. If the base station uses digital certificates for authentication,the base station must obtain the CA configuration data.
3. The base station applies to the CA for operator-issued digital certificates if digital certificates are usedfor authentication. After the base station restarts, it establishes an IPSec tunnel to the SeGW tosecure services and signaling.
4. Based on the configuration information obtained from the M2000 DHCP server, the base stationestablishes an OMCH to the M2000 or BSC
5.5.3 Configuration Requirements for the Internal DHCP ServerIf the base station uses digital certificates for authentication, the M2000 DHCP server must beconfigured with the parameters listed in both Table 5-17 and Table 5-3. These parameters are containedin subcodes of Option 43 in DHCP packets.
Table 5-17 Parameters specific to the M2000 DHCP server in IPSec networking scenario 3
Classification
Parameter Name
Subcode
Length (Bytes) ParameterDescription
Mandatory orOptional
DHCPPacketInvolved
CA
information
CA URL 44 1 to 128 URL from which
the base stationobtainsoperator-issueddigitalcertificates. ThisURL must beaccessible toNEs in theuntrusteddomain.
Table 5-18 lists the configuration requirements for NEs in IPSec networking scenario 3.
Table 5-18 Configuration requirements for NEs in IPSec networking scenario 3
NE Requirement
L2 NEs Allow the transmission of DHCP broadcast and unicast packets withoutfiltering or modifying DHCP packets.
Are configured with correct VLAN information.
Next-hop gatewayof the base station
Is enabled with the DHCP relay agent function and configured with the IPaddress of the DHCP server, that is, the IP address of the M2000. If an NATserver is deployed, the IP address of the M2000 must be that converted bythe NAT server.
Is configured with a route to the DHCP server.
Is configured with a route to the OM IP address of the base station if the OMIP address is not the same as the interface IP address of the base station.
Is configured with a route to the CA.
L3 NEs (NEs in the untrusted domain): Are configured with a route to the IP addressof the base station, a route to the OM IP address of the base station, a routeto the M2000, a route to the FTP server, and a route to the CA.
(NEs in the trusted domain): Are configured with a route to the OM IP addressof the base station and routes to the M2000 and FTP server.
M2000 Is configured with a route to the OM IP address of the base station.
M2000 DHCPserver
Is configured with a route to the DHCP relay agent.
CA Is configured with the following:
An IP address that can be accessed by NEs in the untrusted domain
6 Automatic OMCH Establishment by the Separate-MPTMultimode Base Station
6.1 NetworkingThe separate-MPT multimode base station is similar to many single-mode base stations that areinterconnected using the transmission board. The interconnection can either be based on the panel orthe backplane. Generally, the transmission board of a certain mode provides a shared transmissioninterface for connecting to the transport network. The base station in this mode is called an upper-levelbase station, and base stations in the other modes are called lower-level base stations. The upper-levelbase station acts as the DHCP relay agent of lower-level base stations.
Figure 6-1 shows the OMCH networking for the separate-MPT multimode base station that usespanel-based interconnection. The upper-level base station provides two transmission interfaces, one forpanel-based interconnection and the other for connecting to the transport network.
Figure 6-1 OMCH networking for the separate-MPT multimode base station that uses panel-basedinterconnection
Figure 6-2 shows the OMCH networking for the separate-MPT multimode base station that usesbackplane-based interconnection.
Figure 6-2 OMCH networking for the separate-MPT multimode base station that uses backplane-basedinterconnection
The automatic OMCH establishment procedure for the separate-MPT base station is similar to therespective automatic OMCH establishment procedure for each single-mode base station. Lower-levelbase stations can start the automatic OMCH establishment procedure only after the upper-level basestation completes the procedure. This section describes the differences in the procedures between theseparate-MPT base station and the single-mode base station.
6.2 Automatic OMCH Establishment ProcedureFigure 6-3 shows the automatic OMCH establishment procedure for the separate-MPT multimode basestation.
Figure 6-3 Automatic OMCH establishment procedure
2. DHCP procedur e
2. DHCP procedure
3. OMCH establishment
Lower-levelbase station
Upper-levelbase station
DHCP server ofupper-level base
station
OMC of upper-level base station
DHCP server oflower-level base
station
OMC of lower-level base
station
1. OMCH auto-establishment, configuration file download and
activation, and transition to working state
1. Same as the single-mode base station, the upper-level base station follows the OMCH establishmentprocedure described in chapter 5 "Automatic OMCH Establishment by the Single-mode Base Stationand Co-MPT Multimode Base Station." The upper-level base station then obtains software andconfiguration files from the M2000 or BSC over the established OMCH. The upper-level base stationactivates software and configuration files and then enters the working state.
2. Each lower-level base station exchanges DHCP packets with the DHCP relay agent (upper-levelbase station) and the DHCP server to obtain the transmission configuration information.
3. Each lower-level base station establishes an OMCH to the M2000 or BSC.
The DHCP servers of the upper-level base station and lower-level base stations can be deployed on the
same NE or different NEs.
6.3 Configuration Requirements for the DHCP Server
Each mode in a separate-MPT multimode base station has almost the same configuration requirementsfor the DHCP server as a single-mode base station. The only difference lies in the setting of the OMBearing Board parameter on DHCP servers of lower-level base stations, as described in Table 6-1. Fordetails about the configuration requirements for the DHCP server of each single-mode base station, seechapter 5 "Automatic OMCH Establishment by the Single-mode Base Station and Co-MPT MultimodeBase Station."
Table 6-1 Setting of the OM Bearing Board parameter on DHCP servers of lower-level base stations
ParameterName
Subcode Parameter Description Length(Bytes)
Mandatoryor Optional
DHCP PacketInvolved
OM BearingBoard
250 Value:
0: An OMCH isestablished on thepanel.
1: An OMCH isestablished on thebackplane.
Set this parameter to 0
when the separate-MPTmultimode base stationuses panel-basedinterconnection.
Set this parameter to 1 when the separate-MPTmultimode base stationuses backplane-basedinterconnection.
1 Mandatory DHCPOFFER
DHCPACK
6.4 Configuration Requirements for NEsEach mode in a separate-MPT multimode base station has similar configuration requirements for NEs toa single-mode base station. For details about these requirements, see chapter 5 "Automatic OMCHEstablishment by the Single-mode Base Station and Co-MPT Multimode Base Station." This sectiondescribes only the differences in the configuration requirements.
The upper-level base station acts as the DHCP relay agent to forward DHCP packets and as a router toforward OMCH and service packets for lower-level base stations. The transport network for theupper-level base station needs to forward DHCP packets from the DHCP servers of lower-level basestations. Therefore, the upper-level base station and its transport network must be configured with datalisted in Table 6-2.
Upper-level base station Is enabled with the DHCP relay agent function.
Is configured with IP addresses of the DHCP servers of lower-levelbase stations.
Is configured with routes to the DHCP servers of lower-level basestations.
Is configured with routes used for serving lower-level base stations,including downlink routes to the IP addresses of lower-level basestations and uplink routes to the peer IP addresses of lower-level basestations.
− If the lower-level base station is the GBTS or NodeB, uplink routes tothe base station controller must be configured.
− If the lower-level base station is the eNodeB, uplink routes to the
M2000, mobility management entity (MME), and serving gateway(S-GW) must be configured.
Is configured with the IP address of the transmission interface (used forpanel-based interconnection) provided by the upper-level base station.It is recommended that only one such IP address be configured. Ifmany such IP addresses are configured, the source IP address inDHCP packets forwarded by the upper-level base station is the firstconfigured IP address. As a result, the packet forwarding may fail dueto differences in the configuration sequence.
If the DHCP packets and OM data of lower-level base stations aresecured by the IPSec tunnel of the upper-level base station, theupper-level base station needs to configure security parameters for thepasserby flows of lower-level base stations. The security parametersinclude the packet filtering rules, ACL rules, IPSec proposal, and IKEproposal.
All NEs on the transportnetwork for theupper-level base station
Are configured with routes to the DHCP servers of lower-level basestations.
Are configured with routes to the IP address of the DHCP relay agent.
Are configured with routes to the OM IP address of the upper-level basestation or either of the following routes:
− The routes to the IP address of the transmission interface (used forpanel-based interconnection) provided by the upper-level base stationwhen the separate-MPT multimode base station uses panel-basedinterconnection
− The routes to the network segment of the next-hop gateway of theupper-level base station when the separate-MPT multimode basestation uses backplane-based interconnection
DHCP servers oflower-level base stations
Are configured with routes to the upper-level base station
Lower-level base stations Are configured with routes to the OM IP address of the upper-level basestation. If the separate-MPT multimode base station uses panel-basedinterconnection, lower-level base stations can also be configured with
routes to the IP address of either of the transmission interfaces (used for
7.1 Configuration Requirements for Base Stations and Other
NEsWhen a base station is to be deployed by PnP, configuration requirements for the base station andrelated DHCP servers must be met to ensure successful automatic OMCH establishment. Ifconfiguration requirements are not met, automatic OMCH establishment may fail, leading to adeployment failure. Table 7-1 through Table 7-3 summarizes the configuration requirements.
Table 7-1 lists the configuration requirements for the configuration files of the base station in allscenarios.
Table 7-1 Configuration requirements for configuration files of the base station in all scenarios
SN MO Requirement
1 OMCH If the base station is configured with active and standby OMCHs, only theactive OMCH is used for base station deployment by PnP. The activeOMCH is the OMCH for which the Flag parameter is set toMASTER(Master).
The active OMCH must meet the following requirements:
If the active OMCH is bound to a route:
− The PeerIP parameter must be set to the IP address of the M2000.
− The IP addresses of the M2000 and the FTP server must be on thenetwork segment that is collectively specified by the PeerIP andPEERMASK parameters.
If the active OMCH is not bound to any route:
− The FTP server and the M2000 must be deployed on the sameequipment or network segment.
− The PeerIP parameter must be set to the IP address of the M2000.
− The IP addresses of the M2000 and the FTP server must be on thenetwork segment that is collectively specified by the PeerIP andPEERMASK parameters.
− The base station must be configured with a route to the networksegment of its peer IP address.
If the requirements are not met, the PeerIP parameter must be set to thenext-hop IP address of the active OMCH, and the PEERMASK parameter
must be set to the interface IP address mask of the base station.
2 VLANMAP The VLANMODE parameter specifies the VLAN mode. It is recommendedthat upper-level and lower-level base stations use the SingleVLAN modeinstead of the VLANGroup mode to configure VLANs. If base stations arecascaded and the upper-level base station uses the VLANGroup mode,the upper-level base station must attach related VLAN IDs to packets withdifferentiated services code point (DSCP) set to 46 (when the lower-levelbase station is the NodeB or eNodeB) or 48 (when the lower-level basestation is GBTS or eGBTS).
3 BFDSESSION If the CATLOG parameter is set to RELIABILITY(Reliability) for a BFDsession, the BFD session is bound to a handover route. If the base stationuses a logical IP address as the OM IP address, the base station cannotbe deployed by PnP in non-IPSec networking scenarios.
4 NE If the combination of the DID and NE type is used as the BS ID, the DID parameter in the NE MO must be specified.
Table 7-2 lists the specific configuration requirements for the configuration files of the base station inIPSec networking scenarios.
Table 7-2 Configuration requirements for the configuration files of the base station in IPSec networkingscenarios
SN NE MO Requirement
1 Base station ACLRULE The configured ACL rule meets either of thefollowing requirements:
The SIP and DIP parameters are set to 0.0.0.0,and the SWC and DWC parameters are set to255.255.255.255. That is, both the source anddestination IP addresses can be any address.
The SIP is set to the OM IP address, and the DIP parameter is set to the IP address of the M2000,the IP address of the M2000 network segment,or 0.0.0.0. Note that IPSec tunnels do not secureOMCHs established during base stationdeployment if the ACTION parameter is set toDENY(Deny). IPSec tunnels secure the OMCHsonly when the ACTION parameter is set toPERMIT(Permit).
If neither requirement is met, errors may occurwhen parameters configured on the SeGW areexported from the CME, leading to failures in base
station deployment by PnP.
2 Base station IKEPROPOSAL
IPSECPROPOSAL
Parameter settings of the IKEPROPOSAL MOmust be consistent with those described in Table5-6 or Table 5-7.
Parameter settings of the IPSECPROPOSAL MOmust be consistent with those described in Figure5-5.
If the base station uses the IPSec tunnel pairtopology, only the active tunnel supports basestation deployment by PnP.
3 Base station BFDSESSION If the base station uses the IPSec tunnel pairtopology, the BFD session cannot be bound to aroute during the BFD session configuration.
4 L2 NEs ETHTRK Ethernet link aggregation group must not bemanually configured on the peer L2 NEs of thebase station.
5 CA CA The CA must be configured with the INITREQSIP parameter and the UPDSIP parameter whenidentify authentication by digital certificates isrequired.
The CA must be accessible to NEs in the untrusteddomain.
Table 7-3 lists the configuration requirements for a DHCP server.
Table 7-3 Configuration requirements for a DHCP server
SN Requirement
1 The public DHCP server can be configured with a maximum of eight M2000 DHCP serverIP addresses.
2 If the WMPT board of the NodeB needs to be replaced with the UMPT board, the BS IDconfigured on the DHCP server must be changed from being bound to the panel's ESN
(mapping subcode 43 in DHCP Option 43) to being bound to the backplane's ESN(mapping subcode 1 in DHCP Option 43).
NOTE
When you configure or modify the information of the M2000 DHCP server on the M2000, the destination IP address of theOMCH route and the IP address of the destination network segment must be correct.
7.2 Impact of M2000 Deployment on Base Station Deploymentby PnP
During base station deployment by PnP and subsequent commissioning, the base station needs tocommunicate with many application services of the M2000, including the DHCP service, FTP service,and OMCH management service.
The preceding three services can be deployed on different M2000s and use different IP addresses.Therefore, network planning and base station data configuration must ensure normal communicationbetween the OM IP address of the base station and the IP addresses of the three services.
Table 7-4 describes the impact of M2000 deployment on automatic OMCH establishment.
the masternode isdifferentfrom that ofthe slavenode, andthe IPaddressesof the twonodes are inthe samesubnet.
bound to a route,the route mustbe to thenetworksegment of theM2000.
must be the IPaddress of themaster node. The SeGWmust beconfigured with ACL ruleswhich allowpackets of theM2000 DHCPserver to pass. The SeGWmust beconfigured with ACL ruleswhich allow OMdata to pass.
Remote HAsystem
The activeand standbynodes aredeployed ontwolocations.
The IPaddress ofthe activenode isdifferentfrom that ofthe standbynode, andthe IPaddressesof the twonodes may
not be in thesamesubnet.
Active orstandbynode
The M2000must serveas theDHCPserver.
The base stationmust beconfigured withroutes to the twoIP address ortwo network
segments. The PeerIP
parameter forthe OMCH of thebase stationmust be set tothe IP address ofthe M2000 thatserves as theDHCP server.
In IPSecnetworkingscenarios,the IPaddress ofthe M2000
DHCP serverconfigured onthe publicDHCP servermust be theIP address ofthe M2000that servesas the DHCPserver. If theoperatorexpects touse either ofthe activeand standbynodes as theDHCPserver, thepublic DHCPserver mustbe configuredwith the IPaddresses ofthe activeand standby
The SeGWmust beconfiguredwith ACLrules whichallow DHCPpackets topass. If theoperatorexpects touse either ofthe active
and standbynodes as theDHCPserver, theSeGW mustbe configuredwith ACLrules whichallow packetsof active andstandbynodes topass.
The SeGWmust beconfiguredwith ACLrules whichallow OMdata to pass.If theoperatorexpects touse either ofthe activeand standbynodes as theOMC, theSeGW mustbe configuredwith ACLrules whichallow packetsof active andstandbynodes topass.
Theemergencysystemperformsbasicfunctions onlyand does notsupport PnPor DHCP.
Notsupported
Notsupported
Not involved Not involved
For example: When the M2000 uses the multi-server load-sharing (SLS) networking, the DHCP service is deployed
on the master server, whereas the FTP service and the OMCH management service can be deployedon either the master or slave server. When the FTP service and OMCH management service aredeployed on different M2000 servers and accordingly use different IP addresses, the routeconfiguration on the base station and the transport network must ensure that the IP addresses of thetwo services are reachable using configured routes.
If IPSec secures OMCH data, the IPSec SA's traffic selector (TS) successfully negotiated between thebase station and the SeGW must cover the traffic between the OM IP address of the base station andthe IP addresses of the FTP service and the OMCH management service.
OMCH networking requires that the NAT server be deployed only on the M2000 side, but not the base
station or BSC side. Figure 7-1 shows the OMCH networking in which the NAT server is deployed on theM2000 side.
Figure 7-1 OMCH networking when the NAT server is deployed on the M2000
The IP address and port number of the M2000 can be converted by the NAT. Therefore, the route to theM2000 on the base station side must use an M2000 IP address visible on the base station side as thedestination address. As shown in Figure 7-1, the local IP address configured for the M2000 is 10.0.0.1. After the conversion performed by the NAT server, however, the source IP address in TCP packetsreceived by the base station is 20.1.1.1 instead of 10.0.0.1. Therefore, the route to 20.1.1.1 instead of10.0.0.1 must be configured on the base station side