Ask the Expert: 3GPP Mobility

Community Manager

Layer 2 Security on Cisco Catalyst Platforms With Gilles Dufour

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to configure and troubleshoot Cisco 3GPP Mobility solutions, specifically the Cisco ASR 5000 with expert Gilles Dufour.

The Cisco ASR 5000 Series combines massive performance and scale with flexibility, virtualization, and intelligence, so network resources are available exactly when they are needed. The series was developed to address the anticipated increase in performance requirements that the next generation of the mobile Internet will bring. Join expert Gilles Dufour as he answers your questions about configuring and troubleshooting the Cisco ASR 5000 Series.  

Gilles Dufour is a technical leader in the Mobility Business Unit. Before joining the Mobility group, Gilles was part of the data center team in charge of all Cisco load balancers (CSM, CSS, ACE). Gilles has more than 15 years of experience inside Cisco. During his career, Gilles achieved his CCIE in routing and switching (1998) and security (2002) (CCIE 3878).

Remember to use the rating system to let Gilles know if you've received an adequate response. 

Because of the volume expected during this event, Gilles might not be able to answer every question. Remember that you can continue the conversation in the Wireless - Mobility community, subcommunity, Security and Network Management, shortly after the event. This event lasts through November 29, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.


27 Replies

Hello Gilles,

Could you please tell me how the GGSN gets the username field that we see in monitor subscriber? Thanks in advance for your help.

kind regards,



Me again

I'm not sure what additional value is generated with the following commands:

   saegw-service mysaegwsvc
      associate sgw-service mysgwsvc
      associate pgw-service mypgwsvc


So the question is: what is lost if the upper section is not configured? I simply don't see what the benefit is of configuring these three extra lines.

SAEGW is a combination of SGW/PGW services; once you add the following three lines, the SGW/PGW services (in the same ingress context) get associated with each other.

If a subscriber lands on an SGW/PGW service that is part of an SAEGW, then we collapse two call lines into a single call line. This basically saves one call line across the chassis, effectively doubling the session handling capacity of the system.



Telco Geek

Hi Gilles,

I'm interested in the WiFi offload feature: what elements are used, apart from LTE on one side and the WiFi network on the other, to enable seamless handover? Please focus only on mandatory elements, i.e. what is the minimum required in the lab during the first phase (just to make it work).

Assuming you have an LTE environment and a WiFi network, what you need is a gateway between the two.

The ASR5k configured as an HNbGW can serve this purpose.

Some example here

Or the ASR1k setup as an ISG.

See slide 42 from


And what will be the purpose of the WAG (WiFi access gateway)? Is it running as another service on existing StarOS (one that is capable of running SGW or PGW or MME service)?

Indeed, the ASR5k could also be configured with the eWAG service to interconnect the WiFi world with LTE.

It all depends on the WiFi you want to use.

Maybe it is clearer from this link

But basically, with an ASR5k you're sure to have the right equipment to interconnect both worlds.

You may have to play a bit with the config to find the right setup for your environment.

I find the following document also very interesting


John Ventura
Community Manager

Hi there Gilles,

Just a quick question on this. What can be done in the SGSN to deny Inter SGSN handoff? Thanks very much.


Here is a potential solution

a) "rau-inter restrict access-type umts/gprs all" To restrict Inter SGSN handoff

b) "rau-inter access-type umts/gprs all failure-code 10" To set the gmm cause "Implicit Detach(10)" in RAU Reject msg.


John Ventura
Community Manager

Thanks for the answer, Gilles. In terms of PTMSI, what is the PTMSI structure used in SGSN?


Telco Geek

Could you please help me understand the purpose of PCRF and OCS elements: I'm trying to figure out why the functionality of PCRF/OCS elements is not built inside HSS, i.e. what is the benefit of having separate elements? In addition, when talking about basic Attach procedure, can we skip AAA, PCRF and OCS elements and keep only EPC plus HSS? If it is true that AAA, PCRF and OCS are not mandatory elements, what messages/parameters are used to define when each of them will be included?

Thanks for the great work and fantastic topic, we hope to see you here again!
