Overview

Cellular domains

The NFM-P supports the management of cellular domains that group together devices such as the 7705 SAR-Hm for remote management. A cellular domain groups devices that have similar cellular network characteristics. If devices with dual SIM cards are in use, the cellular domain groups devices with the same primary and backup cellular network.

All NEs in a cellular domain must be running the same NE software release.

Note: All NEs in the domain must have the same combination of carriers. If, for example, two NEs have SIM cards for the same carriers but NE1 will use Carrier A as primary and NE2 will use Carrier B as primary, the two NEs must be in separate domains.

A cellular domain provides the following:

A cellular domain acts as a template for ADP device discovery within one or more predefined subnets, initial configuration, and encryption of the NEs in the domain using NGE.

After the ADP process completes, the NEs in one or more predefined subnets are included in the cellular domain and managed using the cellular domain configurations. You can add new NEs to the domain by re-enabling ADP, which enables the deployment of the required configuration, for example, BGP or NGE, to the devices.

Note: An NE can belong to only one cellular domain.

Dual SIM deployment

The NFM-P supports the use of two SIM cards in a 7705 SAR-Hm, each with a different wireless carrier, for WAN redundancy. One SIM is active at a time.

Switching from one SIM to the other can be automatic or manual. With automatic switchover, you can choose which SIM is primary and secondary, and configure SIM switchover criteria. For example, the BGP operational state associated with the cellular port can be used as a criterion for determining when a SIM switchover should occur. If the BGP operational state is down for a specified interval, then a SIM switchover occurs.

A SIM switchover is service affecting. Overly frequent switchovers will impact continuous service operation.

Dual SIM deployment is configured at the cellular domain level. All NEs in a dual SIM domain must have two working SIM cards.

The NFM-P does not support conversion of a single SIM cellular domain to a dual SIM cellular domain.
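The following is an added example (not NFM-P or 7705 SAR-Hm code) that models the BGP-based automatic switchover criterion described above: the active SIM changes only after the BGP operational state on the cellular port has been down continuously for the configured interval. The class name, the timer semantics (the hold-down restarts on the new SIM) and the sample state log are assumptions made for this illustration.

```python
# Added example, not NFM-P code: a model of the automatic dual-SIM switchover
# criterion. One SIM is active at a time; when the BGP operational state on
# the cellular port stays down for at least down_interval seconds, the node
# switches to the other SIM. Timer values and the sample log are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DualSimSwitchover:
    primary: str = "SIM1"
    secondary: str = "SIM2"
    down_interval: float = 60.0   # seconds BGP must be down before switching
    active: str = field(init=False)
    down_since: Optional[float] = field(default=None, init=False)
    events: List[Tuple[float, str, str]] = field(default_factory=list, init=False)

    def __post_init__(self):
        self.active = self.primary

    def _other(self) -> str:
        return self.secondary if self.active == self.primary else self.primary

    def on_bgp_state(self, t: float, state: str) -> Optional[str]:
        """Feed one BGP operational-state sample ("up"/"down") taken at time t.

        Returns the SIM switched to, or None if no switchover happened.
        Any "up" sample clears the hold-down timer, so the criterion fires
        only on a continuous outage of at least down_interval seconds.
        """
        if state == "up":
            self.down_since = None
            return None
        if self.down_since is None:
            self.down_since = t
            return None
        if t - self.down_since >= self.down_interval:
            old, self.active = self.active, self._other()
            self.down_since = None   # assumption: timer restarts on the new SIM
            self.events.append((t, old, self.active))
            return self.active
        return None

    def switchover_count(self) -> int:
        """Each switchover is service affecting; a high count means the
        interval is too short for the carriers in use or neither is usable."""
        return len(self.events)


def replay(samples, **kw):
    """Run (t, state) samples through a fresh model; return (active SIM, events)."""
    sw = DualSimSwitchover(**kw)
    for t, s in samples:
        sw.on_bgp_state(t, s)
    return sw.active, sw.events
```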

Head-end nodes

Each cellular domain must have at least one head-end node. A single SIM domain can have from one to four head-end nodes; a dual SIM domain can have from one to eight.

Head-end nodes serve as an intermediary for communication with the NFM-P, terminate Layer 2 and Layer 3 services, forward services to other NEs, and optionally define the gateway sites used by the NGE domain associated with the cellular domain. Each head-end node in a cellular domain must also be a gateway site to the NGE domain, if NGE is in use.

A head-end node can be a VSR, 7705 SAR, or 7750 SR, and must be discovered and managed by the NFM-P to be included in a cellular domain. If NGE is required, the head-end node cannot be a 7750 SR.

Cellular domain operation modes

A cellular domain in single SIM layout has the following operation modes:

In a dual SIM layout, both SIMs automatically operate in dynamic cellular interface mode.

In any operation mode, an operator-created XML file can be used to specify the devices for discovery.

In static or dynamic interface mode, if the ADP System IP Address parameter is set to something other than Use XML, you can also specify a pool of IP addresses for assignment to the discovered devices.

Static system mode

In static system mode, ADP can be configured to do one of the following when an SNMPv2 trap is received from a 7705 SAR-Hm in an ADP subnet:

Note: When ADP is used in static system mode, the system address of a 7705 SAR-Hm must match the cellular interface address.

Static interface mode

In static interface mode, ADP does one of the following:

Note: The NFM-P reuses IP addresses in a pool if the IP address is not in use when the ADP Domain site is deleted and assigned.

To avoid issues when reusing IP addresses, the IP address should be deleted from the 7705 SAR-Hm and the node should be unmanaged and deleted from NFM-P before deleting the ADP domain site.

When the addresses in an IP-address pool are exhausted, the NFM-P raises an alarm, and ADP discovery is halted. In such a case, you can add a new system IP pool to resume ADP discovery.

Note: If a subnet has an associated IP-address pool, and an IP address is associated with the device IMSI in an ADP XML file, the IP address in the XML file is assigned to the device.

Note: When ADP is used in static interface mode, the system address of a 7705 SAR-Hm must be unique and different from the cellular interface address.

Dynamic interface mode

In dynamic interface mode, ADP does one of the following:

Note: The NFM-P reuses IP addresses in a pool if the IP address is not in use when the ADP Domain site is deleted and assigned.

To avoid issues when reusing IP addresses, the IP address should be deleted from the 7705 SAR-Hm and the node should be unmanaged and deleted from NFM-P before deleting the ADP domain site.

When the addresses in a System IP-address pool are exhausted, the NFM-P raises an alarm, and ADP discovery is halted. In such a case, you can add a new system IP pool to resume ADP discovery.

Note: If a subnet has an associated IP-address pool, and an IP address is associated with the device IMSI in an ADP XML file, the IP address in the XML file is assigned to the device.

Specifying devices using an XML file

Identifiers for 7705 SAR-Hm devices can be specified in an XML file, and imported for use in either operation mode. The XML file requires an ADP element and one node element for each device to discover. Each node element has IMSI, systemName, and systemAddress attributes.

Note: The systemAddress attribute is optional, depending on the IP allocation configuration and the operation mode of the cellular domain. The systemName attribute is also optional.

In both static and dynamic cellular interface mode, the systemAddress is the private IP address reachable via the in-band VPRN service.

The following is an example of an ADP XML file:

    <?xml version="1.0" encoding="UTF-8"?>
    <ADP>
        <node IMSI="310150123456720"
              systemAddress="10.10.10.20"
              systemName="test"/>
    </ADP>
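The following is an added example (not NFM-P code) that parses an ADP XML file of the form shown above and then assigns system IP addresses the way the static and dynamic interface mode sections describe: a systemAddress given in the XML is honoured, otherwise an address is taken from the subnet's pool, and when the pool is exhausted an alarm is raised and discovery halts. The function names, the pool representation (a list of free addresses) and the alarm text are assumptions; the sample file reuses the IMSI from the page and adds constructed values.

```python
# Added example, not NFM-P code: validate an ADP XML file and allocate system
# IP addresses from a pool with XML overrides and exhaustion handling.
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample file. The first IMSI is the one shown in the guide; the
# others are made up. Only the first node fixes its own systemAddress.
ADP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ADP>
  <node IMSI="310150123456720" systemAddress="10.10.10.20" systemName="test"/>
  <node IMSI="310150123456721" systemName="site-b"/>
  <node IMSI="310150123456722"/>
</ADP>"""

IMSI_RE = re.compile(r"^\d{15}$")   # an IMSI is 15 decimal digits


def parse_adp_xml(text):
    """Return a list of {imsi, system_address, system_name} dicts.

    A malformed file raises ValueError so a bad import is rejected before
    ADP starts instead of surfacing later as a device that never turns up.
    """
    root = ET.fromstring(text.encode() if isinstance(text, str) else text)
    if root.tag != "ADP":
        raise ValueError("root element must be <ADP>")
    nodes, seen = [], set()
    for node in root.findall("node"):
        imsi = node.get("IMSI")
        if imsi is None or not IMSI_RE.match(imsi):
            raise ValueError(f"bad or missing IMSI: {imsi!r}")
        if imsi in seen:
            raise ValueError(f"duplicate IMSI {imsi}")
        seen.add(imsi)
        addr = node.get("systemAddress")               # optional attribute
        if addr is not None:
            addr = str(ipaddress.IPv4Address(addr))   # management is IPv4 only
        nodes.append({"imsi": imsi, "system_address": addr,
                      "system_name": node.get("systemName")})   # optional
    return nodes


def assign_system_addresses(nodes, pool):
    """Assign a system address to each node; return (assignments, alarms).

    `pool` is a list of free IPv4 address strings consumed in order. An
    address fixed in the XML wins and is removed from the pool if present.
    On exhaustion the remaining nodes stay unassigned and discovery halts.
    """
    free = list(pool)
    assignments, alarms = {}, []
    for n in nodes:
        if n["system_address"]:
            assignments[n["imsi"]] = n["system_address"]
            if n["system_address"] in free:
                free.remove(n["system_address"])
            continue
        if not free:
            alarms.append("SystemIpPoolExhausted: ADP discovery halted")
            break
        assignments[n["imsi"]] = free.pop(0)
    return assignments, alarms
```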

To configure a cellular domain with single SIM deployment and To configure a cellular domain with dual SIM deployment describe how to specify the devices for ADP discovery using an XML file.

Domain subnets

You can create separate subnets in a cellular domain. A domain subnet represents a group of NEs with a cellular interface IP address that lies within the specified subnet. For each subnet in a domain, a BGP dynamic neighbor is created on each head-end node in the domain. The dynamic neighbor can accept remote 7705 SAR-Hm peers as they become available. The deletion of a subnet also deletes the BGP dynamic neighbor from all head-end node BGP groups.

Note: If the head-end node is a 7705 SAR, BGP neighbors are not created automatically when subnets are added. The 7705 SAR does not support dynamic neighbors. Static neighbors must be manually created.

ADP must be enabled on a subnet that has new devices to discover. ADP is initiated based on the cellular domain operation mode; see ADP discovery process.

Note: You cannot delete a subnet that has ADP enabled at the domain or subnet level.

7705 SAR-Hm security during ADP

For additional security, each new 7705 SAR-Hm includes an information card that names the chassis serial number and a unique administrator password. During cellular domain configuration, you must specify the serial number and password of each such device to enable ADP access to the device.

A cellular domain can also contain older devices that have a common default administrator password. To support such devices, the cellular domain configuration must include the default password for ADP communication with the older devices.

The administrative account credentials for a device in a cellular domain must meet the following requirements.

Configuring secure 7705 SAR-Hm ADP

During cellular domain configuration, you can specify the serial numbers and passwords manually, or import the passwords from a file, as described in To create an ADP password mapping file.

Cellular domain security with NGE

You can secure a cellular domain by binding the cellular domain to an NGE domain. The encryption status of PDN interfaces in the cellular domain is determined by the encryption status of the gateway interfaces of the gateway sites of the NGE domain.

Each head-end node in each cellular domain that belongs to the NGE domain must also be a gateway site in the NGE domain. The NEs in each cellular domain of an NGE domain are listed as sites in the NGE domain. Multiple cellular domains can point to the same NGE domain.

You can unbind a cellular domain from an NGE domain if the NGE domain is not encrypting. Before the cellular domain can be removed, the RI NGE encryption on each 7705 SAR-Hm NE in the cellular domain must be stopped.

Enhanced NE security mode

To prevent unwanted tampering with security settings on any 7705 SAR-Hm, you can enable enhanced NE security mode, which protects all 7705 SAR-Hm devices in the network using stringent security constraints that cannot be altered by an NFM-P operator. Attempts to do so are blocked, and generate NFM-P alarms.

Note: Enabling enhanced NE security mode affects each 7705 SAR-Hm in the managed network. Also, in order to disable the function, you must first unmanage each managed NE of any type in the entire network.

When enhanced NE security mode is enabled, the NFM-P enforces the following security constraints for each 7705 SAR-Hm device:

Note: The function does not validate any password, only the conformance of the local NE password policy.

To enable enhanced NE security mode describes how to configure and enable the mechanism.

Note: The local and global NE password policy definitions are verified against the required password criteria before being applied to the NEs.

The SAR-Hm Enhanced Security indicator on the NFM-P System Preferences form shows whether enhanced NE security mode is enabled.

Implementation

If enhanced NE security mode is enabled, the NFM-P raises an alarm against any 7705 SAR-Hm whose configuration violates any listed security constraint. The alarm is raised regardless of whether a device is discovered before or after enhanced NE security mode is enabled. An alarm is also raised if a managed NE configuration is changed via CLI in a way that violates a constraint.

When you invoke the ADP process with enhanced NE security mode enabled, the NFM-P first verifies the password of the SNMPv3 user in the cellular domain mediation policy against the required password complexity rules. If the password violates any complexity rule, ADP does not proceed.

After ADP completes:

Note: The NFM-P does not initiate any configuration change to resolve an alarm raised because of a constraint violation. The alarm condition must be resolved by an NFM-P operator, or via the NE CLI, depending on the nature of the violation.

Management of remote 7705 SAR-Hm NEs

The 7705 SAR-Hm is a small form factor wireless router that extends IP/MPLS services over secure 3G/LTE wireless networks using cellular wireless infrastructure and WLAN technology. The 7705 SAR-Hm is available in several variants that have different cellular-interface radio capabilities. The cellular interface is the primary network port for WAN connectivity.

A 7705 SAR-Hm can be deployed in a remote location to perform wireless aggregation of traffic that is forwarded as IP packets to the cellular domain head-end node. In such a deployment, the cellular domain head-end node routes the traffic through a dedicated VPRN that you can optionally secure using NGE. See the 7705 SAR-Hm Main Configuration Guide for additional functional, operational, and deployment information.

7705 SAR-Hm discovery, configuration, and management

You can use the NFM-P to perform the following discovery, configuration, and management functions for 7705 SAR-Hm devices.

Note: NFM-P management of remotely deployed 7705 SAR-Hm devices is limited to IPv4 only.

In-band management using VPRN

When the cellular interface on a 7705 SAR-Hm is operating in static or dynamic cellular interface mode, the NFM-P can reach the NE system IP address through an in-band management VPRN service. For this mode of operation, the system IP address for NE management is private and differs from the cellular interface IP address. The system IP address must be advertised from the 7705 SAR-Hm to the head-end node by the in-band management VPRN service.

Routing in the private IP/MPLS network past the head-end node must allow management traffic to reach the head-end node, which then sends the management traffic over the VPRN to the 7705 SAR-Hm. Operators are responsible for configuring and ensuring connectivity to the NSP past the head-end node. This configuration is not described by this guide.

Each head-end node in a cellular domain must belong to the same VPRN service, which requires the following configuration:

Note: You can associate one VPRN service with only one cellular domain. If multiple head-end nodes are present in the domain, all head-end nodes must have the same VPRN service ID.

Figure 47-1, Cellular domain management shows the scope of cellular domain management.

Figure 47-1: Cellular domain management

Configuring polling for devices in cellular domains

During a system uptime poll of the NEs in a cellular domain, the NFM-P verifies the SIM information, IMEI, and chassis ID against the stored values. If a discrepancy is found, the NFM-P suspends management of the NE and disables resynchronization for the NE.

System uptime polling is performed in the following scenarios:

As part of the cellular domain creation, a BGP group is configured on each head-end node. To monitor NE reachability in a cellular domain, the NFM-P polls the status of each BGP session between the head-end nodes and the managed NEs in the domain. Such a reachability check limits the traffic between the NFM-P and the managed NEs.

Device discovery and deployment using ADP

The NFM-P uses ADP, which is called ADP-Hm in the device documentation, to discover the remote devices in a cellular domain subnet. ADP provides all initialization and commissioning functions automatically for a newly installed device. After one or more SIMs is installed on a device and the device is turned up, ADP configures the cellular interface, establishes connectivity to the NFM-P, and waits for the NFM-P to complete the discovery and configuration of the device.

ADP automatically creates an NFM-P discovery rule to track the managed state of each NE in a cellular domain, and to initiate ADP when new devices in a cellular domain subnet are available for discovery. The NFM-P scans the network periodically for new devices, as specified by the discovery rule scan interval, which is the time between scans. To reduce the amount of network-management traffic in a cellular domain, you can configure the scan interval in the discovery rule for the subnet to be greater than the global scan interval defined in the NFM-P mediation configuration. The scan interval in a discovery rule overrides the scan interval in the NFM-P mediation configuration.

7705 SAR-Hm discovery prerequisites

The prerequisites for NFM-P discovery of a 7705 SAR-Hm using ADP are the following.

Offline NE handling during the ADP process

The ADP process cannot be completed when the 7705 SAR-Hm or the domain head-end node has an SNMP timeout or is not reachable.

When ADP starts, the online status of all the configured head-end nodes is checked. ADP cannot start if none of the head-end nodes is online. ADP remembers the list of online head-end nodes, and this list is used for the entire ADP process rather than the list of configured head-end nodes. For ADP to succeed, at least one head-end node must be up during the entire ADP process. If all head-end nodes on the online list go down during the ADP process, ADP fails.

When ADP with NGE configured is enabled, inbound ACL entries are created on the head-end nodes. The list of online head-end nodes is only updated when ADP is started and when outbound entries are added or removed. If any head-end node goes offline when ADP is in an initiating state, for example, adding inbound ACL entries to head-end nodes, the list of online head-end nodes may not be updated. This may cause ADP to fail or not start.

An OfflineDuringAdp alarm is raised if a head-end node goes offline during ADP. When a head-end node is marked as offline, its status is not changed during the ADP process. If an offline head-end node comes back online during ADP, it has no effect on the ongoing ADP process.

When the head-end node comes back online, you must manually fix the mismatched configuration and clear the alarm.

If any 7705 SAR-Hm goes offline during ADP, ADP fails for that 7705 SAR-Hm only. ADP continues for all other online 7705 SAR-Hm NEs.

ADP discovery process

The following are the ADP operational phases:

Phase 1 — Network Discovery

When a 7705 SAR-Hm initially boots, it runs the application load, executes the configuration file, which is empty, then checks the BOF to determine if ADP is enabled and needs to run.

If ADP is enabled on the NE, the NE performs the following:

If the LTE network authenticates and accepts the new NE, a default bearer is established and the following are provided to the NE for the default APN to which the NE connects:

Phase 2 — NFM-P Discovery

During the NFM-P discovery phase, the 7705 SAR-Hm sends DNS query messages to the DNS server addresses discovered in the previous phase.

The following NFM-P URLs are set in the BOF by default for the auto-discover function:

Note: The names can also be set to the following:

The 7705 SAR-Hm regularly sends a DNS query message until a DNS query response message that contains an NFM-P main server IP address is received. If no DNS query response message is received, ADP times out and reboots the device, after which ADP restarts the network discovery process.

Phase 3 — 7705 SAR-Hm Discovery

After the 7705 SAR-Hm receives one or more NFM-P server IP addresses, the 7705 SAR-Hm configures SNMPv2 trap destinations to the NFM-P server addresses using log ID 1.

ADP enables NetConf over SSHv2 and searches the user database for a user with access to NetConf. If none is found, NetConf access is given to the admin user.

The 7705 SAR-Hm initiates an SNMP trap poll that sends a notification to the NFM-P every 15 seconds for 30 minutes. If ADP is not completed within the 30-minute interval, ADP times out and begins again.

The 7705 SAR-Hm then sends an SNMPv2 Hello request, after which the NFM-P completes the device configuration, as described in the next phase.

Phase 4 — NFM-P Configuration

In this phase, the NFM-P secures the 7705 SAR-Hm and completes the device configuration. During the configuration process, the 7705 SAR-Hm regularly sends an SNMPv3 trap to the NFM-P. When the configuration is complete, the NFM-P disables ADP on the NE.

ADP discovery methods

To meet differing security requirements, the following ADP discovery methods are available:

During the ADP process with Dynamic Cellular IP mode, the NE can become unreachable at any time because the IP address that was used during the auto-discover process may change. The NE is at risk until the default in-band managed service is enabled and its configuration saved on the NE. Until then, the NFM-P relies on the IMSI value as the identifier for a particular NE. If the NE reboots during ADP and comes back, the SNMP trap hello message will indicate the IMSI and the cellular interface IP the NFM-P should be using to reach the NE and complete ADP.

Note: The NFM-P performs device configuration saves frequently during the process, regardless of the method used.

When the actions associated with either method are complete, the NFM-P does the following:

One-step ADP discovery

In one-step ADP discovery, the 7705 SAR-Hm is turned up and ADP on the device completes the entire discovery and configuration process.

After the NFM-P receives an SNMPv2 trap and verifies the IMSI, and optionally, the system IP, the NFM-P uses NetConf over SSHv2 to configure the SNMPv3 user and parameters, including the required encryption and authentication keys. The configuration is based on the NFM-P mediation security policy associated with the cellular domain.

The NFM-P then completes the remainder of the device configuration:

After the NFM-P completes the ADP process, the 7705 SAR-Hm Status and Alarm LEDs indicate that the ADP process is complete. The NE is securely managed by the NFM-P and ready for service.

Two-step ADP discovery

In two-step ADP discovery, the 7705 SAR-Hm is powered on first in a staging area for the initial NFM-P security configuration, then a second time at the remote site to complete the remaining configuration tasks, as described in the following sequence:

  1. The 7705 SAR-Hm is powered on for the first time and the NFM-P does the following:

    Note: ADP for the subnet must be enabled on the NFM-P during this step.

    • creates a strict security association between the 7705 SAR-Hm chassis information, IMEI, and SIM; the SIM cannot be inserted into another NE and managed by the NFM-P without operator intervention

    • configures user names, passwords, scopes of command, and associated profiles

    • downloads the required 7705 SAR-Hm software load, and resets the NE to apply the new load

    • stops the ADP process on the NE by executing an “ADP complete” command on the NE

    The 7705 SAR-Hm Status LED turns solid green and the Alarm LED continues to blink. The 7705 SAR-Hm has completed step one and can be powered off and shipped to the remote site for installation.

  2. After the 7705 SAR-Hm is installed and powered on at the remote site, the following occur:

    Note: ADP for the subnet must be enabled on the NFM-P during this step.

After the NFM-P completes the ADP process, the 7705 SAR-Hm Status and Alarm LEDs indicate that the ADP process is complete. The NE is securely managed by the NFM-P and ready for service.