Overview

Cellular domains

The NFM-P supports the management of cellular domains that group together devices such as the 7705 SAR-Hm for remote management. A cellular domain groups devices that have similar cellular network characteristics. If devices with dual SIM cards are in use, the cellular domain groups devices with the same primary and backup cellular network.

All NEs in a cellular domain must be running the same NE software release.

Note: All NEs in the domain must have the same combination of carriers. If, for example, two NEs have SIM cards for the same carriers but NE1 will use Carrier A as primary and NE2 will use Carrier B as primary, the two NEs must be in separate domains.

A cellular domain provides the following:

• a management domain for a group of cellular-connected NEs with common management attributes

• automatic discovery protocol (ADP), which facilitates remote device discovery and management

• multiple head-end nodes, which are used to reach the NEs in the cellular domain

• definition of an optional in-band management VPRN service of the cellular domain used to manage the NEs

• optional NGE domain used to secure the NEs cellular interface for all NEs in the cellular domain

• wireless carrier redundancy with optional dual SIM operation

• chassis-level security using a common SIM PIN (Personal Identification Number) per carrier for all NEs in a domain

A cellular domain acts as a template for ADP device discovery within one or more predefined subnets, initial configuration, and encryption of the NEs in the domain using NGE.

After the ADP process completes, the NEs in one or more predefined subnets are included in the cellular domain and managed using the cellular domain configurations. You can add new NEs to the domain by re-enabling ADP, which enables the deployment of the required configuration, for example, BGP or NGE, to the devices.

Note: An NE can belong to only one cellular domain.

Dual SIM deployment

The NFM-P supports the use of two SIM cards in a 7705 SAR-Hm, each with a different wireless carrier, for WAN redundancy. One SIM is active at a time.

Switching from one SIM to the other can be automatic or manual. With automatic switchover, you can choose which SIM is primary and secondary, and configure SIM switchover criteria. For example, the BGP operational state associated with the cellular port can be used as a criterion for determining when a SIM switchover should occur. If the BGP operational state is down for a specified interval, then a SIM switchover occurs.

A SIM switchover is service affecting. Overly frequent switchovers will impact continuous service operation.

Dual SIM deployment is configured at the cellular domain level. All NEs in a dual SIM domain must have two working SIM cards.

The NFM-P does not support conversion of a single SIM cellular domain to a dual SIM cellular domain.

Head-end nodes

Each cellular domain must have at least one head-end node. A single SIM domain can have from one to four head-end nodes; a dual SIM domain can have from one to eight.

Head-end nodes serve as an intermediary for communication with the NFM-P, terminate Layer 2 and Layer 3 services, forward services to other NEs, and optionally define the gateway sites used by the NGE domain associated with the cellular domain. Each head-end node in a cellular domain must also be a gateway site to the NGE domain, if NGE is in use.

A head-end node can be a VSR, 7705 SAR, or 7750 SR, and must be discovered and managed by the NFM-P to be included in a cellular domain. If NGE is required, the head-end node cannot be a 7750 SR.

Cellular domain operation modes

A cellular domain in single SIM layout has the following operation modes:

• static cellular system mode — in-band management via 7705 SAR-Hm PDN interface

• static cellular interface mode — in-band management via a VPRN service and a private system IP address on the 7705 SAR-Hm

• dynamic cellular interface mode — in-band management via a VPRN service and a private system IP address on the 7705 SAR-Hm

In a dual SIM layout, both SIMs automatically operate in dynamic cellular interface mode.

In any operation mode, an operator-created XML file can be used to specify the devices for discovery.

In static or dynamic interface mode, if the ADP System IP Address parameter is set to something other than Use XML, you can also specify a pool of IP addresses for assignment to the discovered devices.

Static system mode

In static system mode, ADP can be configured to do one of the following when an SNMPv2 trap is received from a 7705 SAR-Hm in an ADP subnet:

• Learn the system address and IMSI of the 7705 SAR-Hm:

  The NFM-P adds the device to the associated cellular domain and initiates the ADP.

• Verify the system address of the 7705 SAR-Hm:

  If the IMSI and system address match a device specified in an operator-created XML file, the NFM-P adds the device to the cellular domain and initiates the ADP. Specifying devices using an XML file describes how to structure and import the XML file.

Note: When ADP is used in static system mode, the system address of a 7705 SAR-Hm must match the cellular interface address.

Static interface mode

In static interface mode, ADP does one of the following:

• imports an operator-created XML file that specifies each 7705 SAR-Hm device to discover

  When an SNMPv2 trap is received from a 7705 SAR-Hm, the NFM-P initiates the ADP for the device if the IMSI value matches an entry in the file. Specifying devices using an XML file describes how to structure and import the XML file.

• assigns an IP address from a user-specified pool of addresses

Note: The NFM-P reuses IP addresses in a pool if the IP address is not used when the ADP Domain site is deleted and assigned.

To avoid issues when reusing IP addresses, the IP address should be deleted from the 7705 SAR-Hm and the node should be unmanaged and deleted from NFM-P before deleting the ADP domain site.

When the addresses in an IP-address pool are exhausted, the NFM-P raises an alarm, and ADP discovery is halted. In such a case, you can add a new system IP pool to resume ADP discovery.

Note: If a subnet has an associated IP-address pool, and an IP address is associated with the device IMSI in an ADP XML file, the IP address in the XML file is assigned to the device.

Note: When ADP is used in static interface mode, the system address of a 7705 SAR-Hm must be unique and different from the cellular interface address.

Dynamic interface mode

In dynamic interface mode, ADP does one of the following:

• imports an operator-created XML file that specifies each 7705 SAR-Hm device to discover

  When an SNMPv2 trap is received from a 7705 SAR-Hm, the NFM-P initiates the ADP for the device if the IMSI value matches an entry in the file. Specifying devices using an XML file describes how to structure and import the XML file.

• assigns a system IP address from a user-specified pool of addresses

Note: The NFM-P reuses IP addresses in a pool if the IP address is not used when the ADP Domain site is deleted and assigned.

To avoid issues when reusing IP addresses, the IP address should be deleted from the 7705 SAR-Hm and the node should be unmanaged and deleted from NFM-P before deleting the ADP domain site.

When the addresses in a System IP-address pool are exhausted, the NFM-P raises an alarm, and ADP discovery is halted. In such a case, you can add a new system IP pool to resume ADP discovery.

Note: If a subnet has an associated IP-address pool, and an IP address is associated with the device IMSI in an ADP XML file, the IP address in the XML file is assigned to the device.

Specifying devices using an XML file

Identifiers for 7705 SAR-Hm devices can be specified in an XML file, and imported for use in either operation mode. The XML file requires an ADP element and one node element for each device to discover. Each node element has IMSI, systemName, and systemAddress attributes.

Note: The systemAddress attribute is optional, depending on the IP allocation configuration and the operation mode of the cellular domain. The systemName attribute is also optional.

In both static and dynamic cellular interface mode, the systemAddress is the private IP address reachable via the in-band VPRN service.

The following is an example of an ADP XML file:

<?xml version="1.0" encoding="UTF-8"?>

<ADP>

<node IMSI="310150123456720"

systemAddress="10.10.10.20"

systemName="test"/>

</ADP>

To configure a cellular domain with single SIM deployment and To configure a cellular domain with dual SIM deployment describe how to specify the devices for ADP discovery using an XML file.

Domain subnets

You can create separate subnets in a cellular domain. A domain subnet represents a group of NEs with a cellular interface IP address that exists with the specified subnet. For each subnet in a domain, a BGP dynamic neighbor is created on each head-end node in the domain. The dynamic neighbor can accept remote 7705 SAR-Hm peers as they become available. The deletion of a subnet also deletes the BGP dynamic neighbor from all head-end node BGP groups.

Note: If the head-end node is a 7705 SAR, BGP neighbors are not created automatically when subnets are added. The 7705 SAR does not support dynamic neighbors. Static neighbors must be manually created.

ADP must be enabled on a subnet that has new devices to discover. ADP is initiated based on the cellular domain operation mode; see ADP discovery process.

Note: You cannot delete a subnet that has ADP enabled at the domain or subnet level.

7705 SAR-Hm security during ADP

For additional security, each new 7705 SAR-Hm includes an information card that names the chassis serial number and a unique administrator password. During cellular domain configuration, you must specify the serial number and password of each such device to enable ADP access to the device.

A cellular domain can also contain older devices that have a common default administrator password. To support such devices, the cellular domain configuration must include the default password for ADP communication with the older devices.

The administrative account credentials for a device in a cellular domain must meet the following requirements.

• The User Name value on the NE User properties form must match the User Name value for CLI and NETCONF access in the ADP mediation security policy.

• The Password value for console or FTP access on the NE User properties form must match the Password value for CLI and NETCONF access in the ADP mediation security policy.

  To simplify the configuration, you can use the same value for the SNMPv3 user authentication and privacy passwords.

Configuring secure 7705 SAR-Hm ADP

During cellular domain configuration, you can specify the serial numbers and passwords manually, or import the passwords from a file, as described in To create an ADP password mapping file.

Cellular domain security with NGE

You can secure a cellular domain by binding the cellular domain to an NGE domain. The encryption status of PDN interfaces in the cellular domain is determined by the encryption status of the gateway interfaces of the gateway sites of the NGE domain.

Each head-end node in each cellular domain that belongs to the NGE domain must also be a gateway site in the NGE domain. The NEs in each cellular domain of an NGE domain are listed as sites in the NGE domain. Multiple cellular domains can point to the same NGE domain.

You can unbind a cellular domain from an NGE domain if the NGE domain is not encrypting. Before the cellular domain can be removed, the RI NGE encryption on each 7705 SAR-Hm NE in the cellular domain must be stopped.

Enhanced NE security mode

To prevent unwanted tampering with security settings on any 7705 SAR-Hm, you can enable enhanced NE security mode, which protects all 7705 SAR-Hm devices in the network using stringent security constraints that cannot be altered by an NFM-P operator. Attempts to do so are blocked, and generate NFM-P alarms.

Note: Enabling enhanced NE security mode affects each 7705 SAR-Hm in the managed network. Also, in order to disable the function, you must first unmanage each managed NE of any type in the entire network.

When enhanced NE security mode is enabled, the NFM-P enforces the following security constraints for each 7705 SAR-Hm device:

• The enabled SSH versions cannot include SSHv1.

• Exponential backoff must be enabled.

• The password policy must include specific criteria.

Note: The function does not validate any password, only the conformance of the local NE password policy.

To enable enhanced NE security mode describes how to configure and enable the mechanism.

Note: The local and global NE password policy definitions are verified against the required password criteria before being applied to the NEs.

The SAR-Hm Enhanced Security indicator on the NFM-P System Preferences form shows whether enhanced NE security mode is enabled.

Implementation

If enhanced NE security mode is enabled, the NFM-P raises an alarm against any 7705 SAR-Hm whose configuration violates any listed security constraint. The alarm is raised regardless of whether a device is discovered before or after enhanced NE security mode is enabled. An alarm is also raised if a managed NE configuration is changed via CLI in a way that violates a constraint.

When you invoke the ADP process and enhanced NE security mode enabled, the NFM-P first verifies the password of the SNMPv3 user in the cellular domain mediation policy against the required password complexity rules. If the password violates any complexity rule, ADP does not proceed.

After ADP completes:

• Any client GUI configuration that attempts to enable SSH1 on an NE is blocked. If the configuration is performed using a CLI, the NFM-P raises an alarm.

• Any client GUI attempt to disable exponential backoff is blocked, and an attempt via CLI causes the NFM-P to raise an alarm.

• An error message is displayed if an NFM-P operator attempts to distribute an NE security policy or password policy to a 7705 SAR-Hm.

Note: The NFM-P does not initiate any configuration change to resolve an alarm raised because of a constraint violation. The alarm condition must be resolved by an NFM-P operator, or via the NE CLI, depending on the nature of the violation.

Management of remote 7705 SAR-Hm NEs

The 7705 SAR-Hm is a small form factor wireless router that extends IP/MPLS services over secure 3G/LTE wireless networks using cellular wireless infrastructure and WLAN technology. The 7705 SAR-Hm is available in several variants that have different cellular-interface radio capabilities. The cellular interface is the primary network port for WAN connectivity.

A 7705 SAR-Hm can be deployed in a remote location to perform wireless aggregation of traffic that is forwarded as IP packets to the cellular domain head-end node. In such a deployment, the cellular domain head-end node routes the traffic through a dedicated VPRN that you can optionally secure using NGE. See the 7705 SAR-Hm Main Configuration Guide for additional functional, operational, and deployment information.

7705 SAR-Hm discovery, configuration, and management

You can use the NFM-P to perform the following discovery, configuration, and management functions for 7705 SAR-Hm devices.

Note: NFM-P management of remotely deployed 7705 SAR-Hm devices is limited to IPv4 only.

• Initiate ADP for the discovery of each 7705 SAR-Hm in a cellular domain. For the static cellular interface mode of operation, the NFM-P creates a management VPRN service for in-band 7705 SAR-Hm management.

• Upgrade the radio card firmware on 7705 SAR-Hm, Release 15.0 R6 and later, automatically during ADP.

• Create and manage 7705 SAR-Hm devices in cellular domains. Each 7705 SAR-Hm in a domain connects to the same head-end nodes and is part of the same NGE domain.

• Add the 7705 SAR-Hm devices that are going to be discovered to a cellular domain by importing an XML file that lists the SIM IMSI, and optionally, the system IP, of each device to discover in the domain.

• Move 7705 SAR-Hm NEs in or out of a cellular domain, or from one cellular domain to another.

• Globally apply/deploy a new security PIN to all 7705 SAR-Hm devices in a cellular domain during the ADP, or from domains that contain discovered devices, to overwrite any pre-existing/default PINs applied to the device. When a PIN is configured during the domain creation, all subsequent devices added to the domain using ADP have the same PIN applied to them.

• Create a security association between the SIM, IMEI, and the chassis identifier of each managed 7705 SAR-Hm. The NFM-P interprets a subsequent unexpected identifier change as a potential security violation, and alerts an operator.

• Configure polling in a cellular domain to monitor 7705 SAR-Hm reachability and system uptime. The polling interval is configurable in order to minimize traffic between the NFM-P and a large-scale 7705 SAR-Hm deployment.

In-band management using VPRN

When the cellular interface on a 7705 SAR-Hm is operating in static or dynamic cellular interface mode, the NFM-P can reach the NE system IP address through an in-band management VPRN service. For this mode of operation, the system IP address for NE management is private and differs from the cellular interface IP address. The system IP address must be advertised from the 7705 SAR-Hm to the head-end node by the in-band management VPRN service.

Routing in the private IP/MPLS network past the head-end node must allow management traffic to reach the head-end node, which then sends the management traffic over the VPRN to the 7705 SAR-Hm. Operators are responsible for configuring and ensuring connectivity to the NSP past the head-end node. This configuration is not described by this guide.

Each head-end node in a cellular domain must belong to the same VPRN service, which requires the following configuration:

• Route Distinguisher

• Route Target

• SNMP Community

• Auto-Bind Tunnel with GRE, and the resolution status set to Any Filter

• Autonomous System

Note: You can associate one VPRN service with only one cellular domain. If multiple head-end nodes are present in the domain, all head-end nodes must have the same VPRN service ID.

Figure 47-1, Cellular domain management shows the scope of cellular domain management.

Figure 47-1: Cellular domain management

Configuring polling for devices in cellular domains

During a system uptime poll of the NEs in a cellular domain, the NFM-P verifies the SIM information, IMEI, and chassis ID against the stored values. If a discrepancy is found, the NFM-P suspends management of the NE and disables resynchronization for the NE.

System uptime polling is performed in the following scenarios:

• during the initial ADP process

• if the dynamic BGP state of a head-end node changes

• at the operator-specified polling interval

As part of the cellular domain creation, a BGP group is configured on each head-end node. To monitor NE reachability in a cellular domain, the NFM-P polls the status of each BGP session between the head-end nodes and the managed NEs in the domain. Such a reachability check limits the traffic between the NFM-P and the managed NEs.

Device discovery and deployment using ADP

The NFM-P uses ADP, which is called ADP-Hm in the device documentation, to discover the remote devices in a cellular domain subnet. ADP provides all initialization and commissioning functions automatically for a newly installed device. After one or more SIMs is installed on a device and the device is turned up, ADP configures the cellular interface, establishes connectivity to the NFM-P, and waits for the NFM-P to complete the discovery and configuration of the device.

ADP automatically creates an NFM-P discovery rule to track the managed state of each NE in a cellular domain, and to initiate ADP when new devices in a cellular domain subnet are available for discovery. The NFM-P scans the network periodically for new devices, as specified by the discovery rule scan interval, which is the time between scans. To reduce the amount of network-management traffic in a cellular domain, you can configure the scan interval in the discovery rule for the subnet to be greater than the global scan interval defined in the NFM-P mediation configuration. The scan interval in a discovery rule overrides the scan interval in the NFM-P mediation configuration.

7705 SAR-Hm discovery prerequisites

The prerequisites for NFM-P discovery of a 7705 SAR-Hm using ADP are the following.

• The NFM-P manages one or more VSR, 7750 SR, or 7705 SAR head-end nodes that are to be included in the cellular domain.

• One or more valid SIM cards are inserted into the 7705 SAR-Hm.

• If dual SIM layout will be used:

  • the SIMs must be from two different carriers, with different HPLMNs

  • a PDN must be configured for each SIM

    The system assigns the PDN profile of the carrier to the port if the carrier IMSI prefix matches the port IMSI.

    For example, if carrier 2 has IMSI prefix 2121 configured and Port 1/1/1 IMSI is 2121xxxxxxxx the PDN profile configured in carrier 2 will be assigned to Port 1/1/1.

  • firmware for both carriers must be available in the NFM-P

• You have determined which ADP discovery method to use; the following are available:

  • one-step — all device configuration is performed automatically at the remote site after the device is turned up

  • two-step — NSP security configuration is performed at the customer staging facility; network configuration is performed automatically at the remote site after the device is turned up

• A route exists from the VPRN service to the cellular domain head-end node that is reachable by the NFM-P.

• A route exists from the cellular domain head-end node to each device that is to be discovered. For initial installation of a 7705 SAR-Hm cellular domain, IP addresses are typically allocated from a /24 or /18 address range.

• A default APN or Virtual Private Network (VPN) service has been procured from the service provider by the operator for the SIMs that are installed in the 7705 SAR-Hm. For a private cellular network, the operator can choose to use an APN if needed.

  If a static IP address is required for the IMSI associated with a SIM, the address can be allocated using one of the following methods:

  • by direct Home Subscriber Server (HSS) allocation, such as when a mobile carrier assigns an IP address

  • by deferred IP allocation; when the 7705 SAR-Hm first connects and authenticates with an HSS, the default APN associated with the service indicates that the IP allocation is deferred to an enterprise RADIUS AAA DHCP server. After the PGW learns the static IP address from the server, the PGW sends the address to the 7705 SAR-Hm in the PDP address IE after the default bearer is established.

• The PGW to which the 7705 SAR-Hm connects is configured with additional Protocol Configuration Options (PCOs) for the APN.

  The PCO must include the following two values:

  • dns-server-ipv4 primary – for example, config/mobile/pdn/apn/pco/dnsserveripv4/primary

  • dns-server-ipv4 secondary – for example, config/mobile/pdn/apn/pco/dnsserveripv4/backup

• Primary and secondary DNS servers are configured to resolve the NFM-P primary and standby main server IP addresses.

• An NFM-P cellular domain is configured with the required ADP operational settings and subnets for 7705 SAR-Hm discovery; see Cellular domains for information.

Offline NE handling during the ADP process

The ADP process cannot be completed when the 7705 SAR-Hm or the domain head-end node has an SNMP timeout or is not reachable.

When ADP starts, the online status of all the configured head-end nodes is checked. The ADP cannot start if none of the head-end nodes is online. ADP remembers the list of online head-end nodes and this list is used for the entire ADP process, rather than the list of configured head-end nodes. For ADP to succeed, at least one head-end node must be up during the entire ADP process. If all head-end nodes on the online head-end nodes list go down during the ADP process, ADP will fail.

When ADP with NGE configured is enabled, inbound ACL entries are created on the head-end nodes. The list of online head-end nodes is only updated when ADP is started and when outbound entries are added or removed. If any head-end node goes offline when ADP is in an initiating state, for example, adding inbound ACL entries to head-end nodes, the list of online head-end nodes may not be updated. This may cause ADP to fail or not start.

An OfflineDuringAdp alarm will be raised if a head-end node becomes offline during ADP. When a head-end node is marked as offline, its status will not be changed during the ADP process. If any offline head-end node becomes online during ADP, this head-end node will have no affect on the ongoing ADP process.

When the head-end node comes back online, you must manually fix the mismatched configuration and clear the alarm.

If any 7705 SAR-Hm becomes offline during ADP, ADP will fail for that 7705 SAR-Hm only. ADP will continue for all other online 7705 SAR-Hm NEs.

ADP discovery process

The following are the ADP operational phases:

• Network Discovery

• NFM-P Discovery

• 7705 SAR-Hm Discovery

• NFM-P Configuration

Phase 1 — Network Discovery

When a 7705 SAR-Hm initially boots, it runs the application load, executes the configuration file, which is empty, then checks the BOF to determine if ADP is enabled and needs to run.

If ADP is enabled on the NE, the NE performs the following:

• initializes the cellular interface using SIM1 for connectivity

• configures a PDN context with the default PDN profile

• after the cellular interface connects to the network, configures a PDN router interface to operate in dynamic cellular interface mode

• creates a loopback interface with a default name for the PDN interface, for example, “pdn1-loopback”; no IP address is assigned to the interface because it operates in dynamic cellular interface mode

• uses the loopback interface as the unnumbered interface for the PDN router interface

If the LTE network authenticates and accepts the new NE, a default bearer is established and the following are provided to the NE for the default APN to which the NE connects:

• cellular interface IP address

• DNS server IP addresses

Phase 2 — NFM-P Discovery

During the NFM-P discovery phase, the 7705 SAR-Hm sends DNS query messages to the DNS server addresses discovered in the previous phase.

The following NFM-P URLs are set in the BOF by default for the auto-discover function:

• auto-discover private.nokia.nsp.primary.nms

• auto-discover private.nokia.nsp.secondary.nms

Note: The names can also be set to the following:

• a different URL, if required

• an IP address, which eliminates the requirement for a DNS server

The 7705 SAR-Hm regularly sends a DNS query message until a DNS query response message that contains an NFM-P main server IP address is received. If no DNS query response message is received, ADP times out and reboots the device, after which ADP restarts the network discovery process.

Phase 3 — 7705 SAR-Hm Discovery

After the 7705 SAR-Hm receives one or more NFM-P server IP address, the 7705 SAR-Hm configures SNMPv2 trap destinations to the NFM-P server addresses using log ID 1.

ADP enables NetConf over SSHv2 and searches the user database for a user with access to NetConf. If none is found, NetConf access is given to the admin user.

The 7705 SAR-Hm initiates an SNMP trap poll that sends a notification to the NFM-P every 15 seconds for 30 minutes. If the ADP is not completed within the 30 minute interval, ADP will time out and begin again.

The 7705 SAR-Hm then sends an SNMPv2 Hello request, after which the NFM-P completes the device configuration, as described in the next phase.

Phase 4— NFM-P Configuration

In this phase, the NFM-P secures the 7705 SAR-Hm and completes the device configuration. During the configuration process, the 7705 SAR-Hm regularly sends an SNMPv3 trap to the NFM-P. When the configuration is complete, the NFM-P disables ADP on the NE.

ADP discovery methods

To meet differing security requirements, the following ADP discovery methods are available:

• one-step — all device configuration is performed automatically at the remote site after the device is turned up; the ADP process is active at the remote site from start to finish

• two-step:

  • NFM-P configures critical network and security parameters on device at the customer staging facility

  • remaining NE configuration is performed automatically after the device is installed and powered on at the remote site

During the ADP process with Dynamic Cellular IP mode, the NE can become unreachable at any time because the IP address that was used during the auto-discover process may change. The NE is at risk until the default in-band managed service is enabled and its configuration saved on the NE. Until then, the NFM-P relies on the IMSI value as the identifier for a particular NE. If the NE reboots during ADP and comes back, the SNMP trap hello message will indicate the IMSI and the cellular interface IP the NFM-P should be using to reach the NE and complete ADP.

Note: The NFM-P performs device configuration saves frequently during the process, regardless of the method used.

When the actions associated with either method are complete, the NFM-P does the following:

• stops the ADP process on the NE by executing an “ADP complete” command on the NE

• disables ADP in the NE BOF and clears the DNS entries on the NE so that a new discovery process cannot occur

One-step ADP discovery

In one-step ADP discovery, the 7705 SAR-Hm is turned up and ADP on the device completes the entire discovery and configuration process.

After the NFM-P receives an SNMPv2 trap and verifies the IMSI, and optionally, the system IP, the NFM-P uses NetConf over SSHv2 to configure the SNMPv3 user and parameters, including the required encryption and authentication keys. The configuration is based on the NFM-P mediation security policy associated with the cellular domain.

The NFM-P then completes the remainder of the device configuration:

• creates a strict security association between the 7705 SAR-Hm chassis information, IMEI, and SIM; the SIM cannot be inserted into another NE and managed by the NFM-P without operator intervention

• configures user names, passwords, scopes of control, and associated profiles

• downloads the required 7705 SAR-Hm software load, and resets the NE to apply the new load

• If NGE is required, configures NGE on the cellular interface by binding it into the NGE domain. If NGE is not required, this step is skipped. If the NGE domain is not encrypting, then the cellular interface is not enabled for encryption.

• if the cellular domain operation mode is Static Cellular Interface Mode or Dynamic Cellular Interface Mode, performs the following on each head-end node in the cellular domain to establish an in-band management service:

  • configures a BGP session to each head-end node in the cellular domain

  • configures an in-band management VPRN service used by the NFM-P to manage the 7705 SAR-Hm in-band over the GRE tunnels in the cellular network; the VPRN service can optionally be NGE-encrypted for secure NE management

  • if the 7705 SAR-Hm is running a release prior to 19.5, the NFM-P configures the GRT with static routes towards the VPRN over the PXC port to reach the primary and secondary NSP servers. The 7705 SAR- Hm system IP needs to be imported into BGP by configuring a static route in the VPRN for the system IP. This will allow the system IP to be reachable via the VPRN service from the head-end nodes. The VPRN static route for the system IP will point towards the PXC that will reach the GRT. At this point all NFM-P traffic can be routed over the VPRN service once the NFM-P starts using the new system IP address to manage the NE instead of the cellular interface IP address.

  • if the 7705 SAR-Hm is running release 19.5 or later, the NFM-P configures a GRT leak in the VPRN to leak the 7705 SAR-Hm system IP to the base routing of the 7705 SAR-Hm. This will allow the system IP to be reachable via the VPRN service from the head-end nodes. At this point all NFM-P traffic can be routed over the VPRN service once the NFM-P starts using the new system IP address to manage the NE instead of the cellular interface IP address.

After the NFM-P completes the ADP process, the 7705 SAR-Hm Status and Alarm LEDs indicate that the ADP process is complete. The NE is securely managed by the NFM-P and ready for service.

Two-step ADP discovery

In two-step ADP discovery, the 7705 SAR-Hm is powered on first in a staging area for the initial NFM-P security configuration, then a second time at the remote site to complete the remaining configuration tasks, as described in the following sequence:

1. The 7705 SAR-Hm is powered on for the first time and the NFM-P does the following:

   Note: ADP for the subnet must be enabled on the NFM-P during this step.

   • creates a strict security association between the 7705 SAR-Hm chassis information, IMEI, and SIM; the SIM cannot be inserted into another NE and managed by the NFM-P without operator intervention

   • configures user names, passwords, scopes of command, and associated profiles

   • downloads the required 7705 SAR-Hm software load, and resets the NE to apply the new load

   • stops the ADP process on the NE by executing an “ADP complete” command on the NE

   The 7705 SAR-Hm Status LED turns solid green and the Alarm LED continues to blink. The 7705 SAR-Hm has completed step one and can be powered off and shipped to the remote site for installation.

2. After the 7705 SAR-Hm is installed and powered on at the remote site, the following occur:

   Note: ADP for the subnet must be enabled on the NFM-P during this step.

• The 7705 SAR-Hm regularly sends SNMPv3 traps to the NFM-P to indicate that the ADP process can resume.

• The NFM-P downloads the NGE key group of the NGE domain associated with the cellular domain, if NGE is to be used, and configures the key group on the 7705 SAR-Hm cellular interface.

• If the cellular domain mode is Static Cellular Interface Mode or Dynamic Cellular Interface Mode, the NFM-P performs the following on each head-end node in the cellular domain to establish an in-band management service:

  • configures a BGP session to each head-end node in the cellular domain

  • configures an in-band management VPRN service used by the NFM-P to manage the 7705 SAR-Hm in-band over the GRE-IMPLS tunnels in the cellular network; the VPRN service can optionally be NGE-encrypted for secure NE management

After the NFM-P completes the ADP process, the 7705 SAR-Hm Status and Alarm LEDs indicate that the ADP process is complete. The NE is securely managed by the NFM-P and ready for service.