32 SPD - eRAN12.1 - LTE FDD Network Design Technical Training-20170315-A-1.0
[Figure: LTE FDD network design overview]
Inputs: customer requirements, project information.
Outputs: hardware resource allocation, BOQ, naming rules, eNodeB script.
Design areas:
• Clock Synchronization Design: clock source recommendation policy design, clock source design.
• Transmission Interface Reliability Design: route backup, SCTP multi-homing, OMCH backup.
• Transmission Security Design: PSK/PKI/digital certificate, CMPv2, IPsec, 802.1X.
• Other Related Design: LTE-EPC joint design, U2000 design, transport networking overview.
• O&M network planning: maintenance IP address planning and service IP address isolation; OMCH DHCP/DSCP design. Objective: improve network security and ensure that network maintenance is stable and low cost.
• Transport networking design.
• Cell naming design. Objective: provide standard eNodeB naming rules and recommend board deployment rules.
[Figure: eNodeB clock source combination: 1588V2 (G8265.1/16.1), SyncEth and the local crystal oscillator as eNodeB clock sources]
You can obtain network design deliverables from http://support.huawei.com by choosing Support
> Knowledge Base > Wireless Network > FDD > LTE FDD RAN > LTE FDD_eNodeB > eRAN.
http://support.huawei.com/carrier/docview!docview?nid=KB1000184464&path=PBI1-7851894/PBI1-21433538/PBI1-7854329/PBI1-21465979/PBI1-6149576
Remarks: The network design deliverables have not reached GA, and therefore they are not yet available at
http://support.huawei.com. They will be uploaded to http://support.huawei.com in the future.
BBU3900 board slot allocation (slide table; column headings were not recovered, values are listed in column order: board, board types, redundancy, maximum number, slots in priority order)
• LTE (FDD) main control board: UMPTb, UMPTa2/UMPTa6, LMPT; Yes; 2; Slot 7, Slot 6
• Satellite card board: USCUb22; No; 1; Slot 5, Slot 1
• Satellite card board: USCUb14, USCUb11; No; 1; Slot 5, Slot 4, Slot 1, Slot 0
• LTE (FDD) baseband board: LBBPd, LBBPc, UBBPd; Yes; 6; Slot 3, Slot 0, Slot 1, Slot 2, Slot 5, Slot 4
Second configuration (UMPTe-based):
• Main control board: UMPTe1, UMPTe2, UMPTe3
• Satellite card board: USCUb22; No; 1; Slot 5, Slot 1
• Satellite card board: USCUb14, USCUb11; No; 1; Slot 5, Slot 4, Slot 0, Slot 1
• Baseband board: UBBPe_L
LTE main processing and transmission unit (LMPT): manages the eNodeB, implements OM management
and signaling processing functions, and provides clock for the BBU3900.
Ports SFP0 and FE/GE0 share one GE transmission line and cannot be used at the same time.
Ports SFP1 and FE/GE1 share one GE transmission line and cannot be used at the same time.
The eNodeB adopts LMPT board cold backup, which means that two LMPT boards work in
active/standby mode.
1. When the active LMPT board becomes faulty, services will be automatically switched over to the
standby LMPT board. The switchover will cause service interruption, and the interruption is about 2
minutes.
2. Operators can run the following MML command to conduct a switchover: SWP BRD.
3. Hot backup is not supported.
UMPTa/b panel
UMPTe panel
Universal main processing and transmission unit (UMPT): main control board of the BBU3900,
provides signaling processing and resource management functions for other boards.
The following UMPT board types apply to LTE networks: UMPTa1, UMPTa2, UMPTa6, UMPTb1,
UMPTb2, UMPTe1, UMPTe2, and UMPTe3. The board type is marked in the lower left corner of each
board.
Each UMPT board has the following ports:
1. One FE/GE optical port and one FE/GE electrical port, which are used to transmit service data and signaling over the Ethernet.
2. Four E1/T1 ports, which are used to input and output E1/T1 signals.
LTE baseband processing board (LBBP): baseband processing board of the BBU3900. It implements uplink and downlink baseband processing and provides CPRI ports for communication between the BBU and RF modules. An LBBP board can be placed in slots 0 to 5. A maximum of three boards (for the same mode) can be used. The following LBBP board types apply to LTE networks: LBBPc, LBBPd1, LBBPd2, and LBBPd3.
Resources are dynamically allocated to services according to the LBBP capacity and load. CPU processing capacity is shared between cells, users, and uplink and downlink services.
Complete redundancy of baseband resources is available between cells. When some baseband resources are unavailable, the associated services can be diverted to other baseband resources so that the services in the cell are not disrupted or can resume.
The Universal Inter-Connection Combo Unit (UCCU) provides the following functions:
• Supports interconnection between the BBU and USU.
• Allows the BBU to exchange data with the USU.
The UCCU supports data transmission over 10GE and 40GE ports; the 10GE port is used as the outbound interface. The UCCU supports data synchronization of the S1, X2, and eX2 interfaces, which requires the security and SCTP policies to be configured in advance.
A maximum of two remote OM channels can be added to an eNodeB: one active channel and one standby channel.
The active channel takes effect upon eNodeB startup. If there is no active OMCH, the standby OMCH does not
automatically work as the active OMCH. In this case, the system considers that no remote OMCH has been configured
for the eNodeB.
After an active/standby switchover, the standby OMCH does not automatically switch back to the active OMCH,
Step 1 (eNodeB name):
1. Customer's requirements
2. Unique in the entire network
3. Easy to understand and easy to use
4. Restrictions: The name supports a maximum of 64 characters. It cannot be an empty string or contain less-than signs (<), greater-than signs (>), exclamation marks (!), question marks (?), carets (^), two or more consecutive spaces, or two or more consecutive percent signs (%).
Step 2 (cell name):
1. Customer's requirements
2. Unique in the entire network
3. Easy to understand and easy to use
4. Restrictions: The name supports a maximum of 99 characters. It cannot be an empty string or contain less-than signs (<), greater-than signs (>), exclamation marks (!), question marks (?), carets (^), two or more consecutive spaces, or two or more consecutive percent signs (%).
Example (eNodeB cell name and cell ID): Aleksandrow_DBS3900_1_Cell1 (Cell ID 1), Aleksandrow_DBS3900_1_Cell2 (Cell ID 2).
PS: LocalCellId: 0 to 11; SectorId: 0 to 11; CellId: 0 to 255; PhyCellId: 0 to 503.
LocalCellId is planned in the eNodeB and is generally the same as the value of SectorId.
CellID + eNBID + PLMN = ECGI, the unique cell identifier in E-UTRAN. PCI reuse is required, and the PCI
of a cell must be different from the PCIs of adjacent cells for handovers. PCIs are used because the
eNodeB can easily parse them. Generally, the eNodeB measures PCIs, ECGIs, and TACs in sequence.
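An added Python check (not from the training material) that applies the naming restrictions above to a constructed cell plan, validates the LocalCellId/SectorId/CellId/PCI ranges, builds the ECGI from PLMN, eNodeB ID and cell ID, and flags adjacent cells that share a PCI. The maximum name length is passed in as a parameter; the site name comes from the slide example, while the IDs, PCIs and neighbour relations are constructed.

```python
import re
from dataclasses import dataclass, field

# Naming rules from the text: non-empty, length limit, and none of
# < > ! ? ^, two or more consecutive spaces, or two or more consecutive %.
FORBIDDEN = set("<>!?^")
BAD_RUNS = re.compile(r" {2,}|%{2,}")

# Identifier value ranges quoted in the text.
ID_RANGES = {"local_cell_id": (0, 11), "sector_id": (0, 11),
             "cell_id": (0, 255), "pci": (0, 503)}


def name_violations(name, max_len):
    """Return the list of naming-rule violations (empty list means the name is valid)."""
    problems = []
    if name == "":
        problems.append("empty name")
    if len(name) > max_len:
        problems.append(f"longer than {max_len} characters")
    bad = "".join(sorted(FORBIDDEN & set(name)))
    if bad:
        problems.append(f"forbidden characters: {bad}")
    if BAD_RUNS.search(name):
        problems.append("two or more consecutive spaces or percent signs")
    return problems


def duplicate_names(names):
    """Names must be unique in the entire network; return the duplicated ones."""
    seen, dups = set(), set()
    for n in names:
        if n in seen:
            dups.add(n)
        seen.add(n)
    return sorted(dups)


@dataclass
class Cell:
    name: str
    local_cell_id: int
    sector_id: int
    cell_id: int
    pci: int
    neighbours: list = field(default_factory=list)  # names of adjacent cells


def id_violations(cell):
    """Check LocalCellId, SectorId, CellId and PCI against their value ranges."""
    out = []
    for attr, (lo, hi) in ID_RANGES.items():
        value = getattr(cell, attr)
        if not lo <= value <= hi:
            out.append(f"{attr}={value} outside {lo}..{hi}")
    if cell.local_cell_id != cell.sector_id:
        out.append("LocalCellId differs from SectorId (usually planned equal)")
    return out


def ecgi(plmn, enb_id, cell_id):
    """ECGI = PLMN + eNodeB ID + cell ID. The 28-bit E-UTRAN cell identity is the
    20-bit (macro) eNodeB ID followed by the 8-bit cell ID, as in 3GPP TS 36.413."""
    eci = (enb_id << 8) | cell_id
    return f"{plmn}-{eci:07X}"


def pci_conflicts(cells):
    """A cell's PCI must differ from the PCIs of its adjacent cells; return clashing pairs."""
    by_name = {c.name: c for c in cells}
    clashes = set()
    for c in cells:
        for nb in c.neighbours:
            other = by_name.get(nb)
            if other is not None and other.pci == c.pci:
                clashes.add(tuple(sorted((c.name, nb))))
    return sorted(clashes)


# Constructed sample plan: site name from the slide example, IDs/PCIs/neighbours invented.
SAMPLE_CELLS = [
    Cell("Aleksandrow_DBS3900_1_Cell1", 0, 0, 1, 100, ["Aleksandrow_DBS3900_1_Cell2"]),
    Cell("Aleksandrow_DBS3900_1_Cell2", 1, 1, 2, 101, ["Aleksandrow_DBS3900_1_Cell1",
                                                      "Aleksandrow_DBS3900_1_Cell3"]),
    Cell("Aleksandrow_DBS3900_1_Cell3", 2, 2, 3, 101, ["Aleksandrow_DBS3900_1_Cell2"]),
]


def plan_report(cells, max_cell_name_len):
    """Run every check over a cell plan and return the findings."""
    names = {c.name: name_violations(c.name, max_cell_name_len) for c in cells}
    ids = {c.name: id_violations(c) for c in cells}
    return {
        "names": {k: v for k, v in names.items() if v},
        "duplicates": duplicate_names(c.name for c in cells),
        "ids": {k: v for k, v in ids.items() if v},
        "pci": pci_conflicts(cells),
    }


if __name__ == "__main__":
    print(plan_report(SAMPLE_CELLS, 64))
```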
eNodeB synchronization with a satellite card board (USCU)
Advantage: accuracy; provides time synchronization and clock synchronization at the same time.
Disadvantage: requires the USCU and the GPS antenna, and a site with the capability of receiving GPS signals.
USCU ports:
Port | Connector | Description
GPS port | SMA coaxial connector | Receiving GPS signals
RGPS port | PCB welded wiring terminal | Receiving RGPS signals
TOD0 port | RJ-45 connector | Receiving or sending 1PPS+TOD signals
TOD1 port | RJ-45 connector | Receiving or sending 1PPS+TOD signals; receiving M1000 TOD signals
BITS port | SMA coaxial connector | Receiving BITS clock signals; supporting adaptive inputs of 2.048M and 10M clock reference sources
M-1PPS port | SMA coaxial connector | Receiving M1000 1PPS signals
1. The compensation value is calculated on the basis of the GPS feeder length to increase the clock accuracy. The
clock accuracy is affected if there is an excessively large difference between the configured GPS feeder length and
the actual feeder length.
2. GPS: Global Positioning System
GLONASS: GLObal NAvigation Satellite System
GPS/GLONASS: GPS Active
COMPASS: BeiDou (COMPASS) Navigation Satellite System
COMPASS/GPS: COMPASS Active
GPS/COMPASS: GPS Active
3. When RGPS is used, the local satellite card is not required, because the external third-party device provides
demodulated satellite synchronization signals for the BS.
Working modes of eNodeB clock sources: Auto, Manual, Free.
[Figure: IP clock server connected to the eNodeB through a router/LAN switch and the IP network; the clock is carried over the physical link]
IEEE1588 V2 (frequency synchronization: √; time synchronization: √)
Advantages:
1. With only frequency synchronization, this technology supports transparent transmission across the data network and has low requirements for the intermediate transport equipment.
2. This technology supports both frequency synchronization and time synchronization, and meets the clock requirements of LTE TDD.
3. IEEE1588 V2 is a standard protocol. Therefore, profile-based interworking between equipment of different manufacturers is supported.
Disadvantages:
1. To achieve time synchronization, all intermediate transport equipment must be upgraded to support IEEE1588 V2.
2. The clock recovery quality is easily affected by the delay, jitter, and packet loss rate across the data network.
Clock over IP (frequency synchronization: √; time synchronization: ×)
Advantages:
1. This technology supports transparent transmission across the data network and has low requirements for the intermediate transport equipment.
2. This technology is mature and has been in commercial use for a long time.
Disadvantages:
1. This technology does not support time synchronization.
2. The clock recovery quality is easily affected by the delay, jitter, and packet loss rate across the data network.
Synchronous Ethernet (frequency synchronization: √; time synchronization: ×)
Advantages:
1. Clock signals are extracted from the physical layer and are not related to upper layer services. Therefore, the interworking performance is satisfactory.
2. The clock recovery quality is satisfactory. The technology is mature and insusceptible to packet loss rate and jitter.
3. The transmission of clock signals does not occupy transmission bandwidth.
Disadvantages:
1. This technology does not support time synchronization.
2. In the E-UTRAN, besides eNodeBs, the intermediate transport equipment such as hubs and LAN switches must be capable of transparent transmission or regeneration of clock signals at the physical layer.
Strategy for Selecting eNodeB Clock Sources
1. If eNodeBs are configured with the GPS clock, the GPS clock is used as the system clock
reference source.
2. When an FE or GE port on the eNodeB is set to 100 Mbit/s or 1000 Mbit/s, and all
equipment on the network supports synchronous Ethernet, synchronous Ethernet is
recommended.
3. Huawei IP clocks and IEEE 1588 V2 are recommended.
4. If a customer has a dedicated clock server that supports the G8265.1 protocol, the eNodeB
can interconnect with the customer's clock server using the G8265.1 protocol.
5. If eNodeBs use the E1/T1 line clock, the E1/T1 line clock is used as the system clock
source.
6. When transmission is unavailable during site deployment or when external clocks cannot be
acquired due to the external reference failure, internal clocks are used instead.
For IEEE1588 V2, clock over IP, and synchronous Ethernet technologies, the clock is obtained from the network,
and then clock signals are distributed. Therefore, the data bearer network must have a fairly high QoS. The
following table lists the requirements of the three synchronization technologies for the QoS of the data bearer
network.
Technology | Item | Specification | Remarks
IEEE1588V2 | Jitter | < 20 ms | /
IEEE1588V2 | Packet loss rate | < 1% | /
Clock over IP | Jitter | < 20 ms | /
Clock over IP | Packet loss rate | < 1% | /
Synchronous Ethernet | Input frequency accuracy | < ±0.016 ppm | Similar to E1/T1, synchronous Ethernet uses the mechanism of extracting clock signals from the physical layer. Therefore, synchronous Ethernet does not have special requirements for the QoS of the data bearer network.
As the eNodeB reference clock source, the input frequency accuracy should be better than ±4.6 ppm and must reach
the stratum-2 clock standard (±0.016 ppm).
Remarks: The QoS requirements on the data bearer network for IEEE1588 V2 and IP Clock
are defined by Huawei, those for synchronous Ethernet are defined by the protocol.
Note: When the internal clock performance deteriorates, lock to the standard external clock
source (rubidium equipment) to calibrate the clock. If the internal test results are unsatisfactory, the
local crystal oscillator must be calibrated after one month.
In automatic mode, the eNodeB determines which clock server to be used based
Reliability Design
S1-Flex
Another IP address is required. It is not recommended that the signaling plane be separated from the
user plane. The separation is used only when the customer has the requirement.
In IP route backup, there are multiple routes to a destination. The route with the highest priority
is the active route and the routes with lower priorities are standby routes. Each route uses
different physical connections. When the active route is unreachable, the eNodeB performs an
active/standby switchover to select a standby route to prevent services from being interrupted.
When the active route is restored, the system is automatically switched over to the active route
with the highest priority.
MML commands:
//Add an IP address to Ethernet port 0.
ADD DEVIP:SN=7,SBT=BASE_BOARD,PT=ETH,PN=0,IP="11.11.11.11",MASK="255.255.255.0";
//Add the active route (route backup is applied between the eNodeB and the SeGW). A smaller PREF value means a higher priority.
ADD IPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",RTTYPE=NEXTHOP,NEXTHOP="11.11.11.10",PREF=50,DESCRI="Master IP Route";
The eNodeB has two device IP addresses, but they cannot be on the same network segment. If there is only one
device IP address, IP route backup cannot be configured.
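An added Python model (not Huawei's implementation) of the route selection described here and under Route Configuration later in the text: routes carry PREF values, the eNodeB fails over to the standby route when the active next hop is unreachable and switches back when it is restored, and a precheck enforces that the two device IPs sit on different network segments and different physical ports. The active route values come from the MML example; the standby route, default route and device IPs are constructed, and longest-prefix match before PREF comparison is assumed as standard IP forwarding behaviour.

```python
import ipaddress


class Route:
    """One entry of the eNodeB IP route table (ADD IPRT style values)."""

    def __init__(self, dst, mask, next_hop, pref, port, descr=""):
        self.network = ipaddress.IPv4Network(f"{dst}/{mask}", strict=False)
        self.next_hop = ipaddress.IPv4Address(next_hop)
        self.pref = pref      # PREF: the smaller the value, the higher the priority
        self.port = port      # physical port through which the next hop is reached
        self.descr = descr

    def kind(self):
        """Default route (all-zero address and mask), host route (/32) or network segment route."""
        if self.network.prefixlen == 0:
            return "default"
        if self.network.prefixlen == 32:
            return "host"
        return "network segment"


class RouteTable:
    def __init__(self):
        self.routes = []
        self.failed_next_hops = set()   # next hops currently reported unreachable

    def add(self, route):
        self.routes.append(route)

    def set_reachable(self, next_hop, reachable):
        """Reachability change of a next hop, e.g. as reported by BFD."""
        hop = ipaddress.IPv4Address(next_hop)
        if reachable:
            self.failed_next_hops.discard(hop)   # active route restored: automatic switch back
        else:
            self.failed_next_hops.add(hop)

    def select(self, dst_ip):
        """Route for dst_ip: most specific prefix first (assumed standard longest-prefix
        match), then the lowest PREF among routes whose next hop is reachable."""
        dst = ipaddress.IPv4Address(dst_ip)
        candidates = [r for r in self.routes
                      if dst in r.network and r.next_hop not in self.failed_next_hops]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.pref))


def backup_precheck(device_ips, routes):
    """Conditions stated in the text before IP route backup can be configured:
    two device IP addresses on different network segments, and the
    active/standby routes on different physical connections."""
    problems = []
    if len(device_ips) < 2:
        problems.append("only one device IP address: IP route backup cannot be configured")
    else:
        segments = {ipaddress.IPv4Interface(ip).network for ip in device_ips}
        if len(segments) < len(device_ips):
            problems.append("device IP addresses are on the same network segment")
    if len({r.port for r in routes}) < len(routes):
        problems.append("active and standby routes share a physical connection")
    return problems


def build_sample_table():
    """Active route as in the MML example; standby and default route values are constructed."""
    table = RouteTable()
    table.add(Route("13.13.13.13", "255.255.255.0", "11.11.11.10", 50, 0, "Master IP Route"))
    table.add(Route("13.13.13.13", "255.255.255.0", "12.12.12.10", 60, 1, "Standby IP Route"))
    table.add(Route("0.0.0.0", "0.0.0.0", "11.11.11.10", 70, 0, "Default route"))
    return table


def failover_trace(table, dst_ip):
    """Active -> failover to standby -> automatic switch back, as route descriptions."""
    trace = [table.select(dst_ip).descr]
    table.set_reachable("11.11.11.10", False)     # active next hop lost
    trace.append(table.select(dst_ip).descr)
    table.set_reachable("11.11.11.10", True)      # active next hop restored
    trace.append(table.select(dst_ip).descr)
    return trace


if __name__ == "__main__":
    t = build_sample_table()
    print(backup_precheck(["11.11.11.11/24", "12.12.12.11/24"], t.routes[:2]))  # []
    print(failover_trace(t, "13.13.13.13"))
```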
the eNodeB preferentially selects the MME identified by the MME identity, that is, NNSF. If a UE
does not provide an MME identity or the MME identified by the UE-provided MME identity is not
available, the eNodeB selects an MME for the UE based on the following policies:
In an overlapping area, the eNodeB selects an MME pool based on the MME pool
priorities, network topology, and average load of each MME pool.
In the MME pool, the eNodeB selects an MME based on the MME priorities, capacities,
and loads.
2. IP PM detection: It can be used only when the transmission network supports IP PM. It is recommended that this function be disabled. It is used to monitor transmission network performance.
3. BFD detection: The peer device must support this function. SBFD is applicable to detection on the same network segment, and MBFD is applicable to end-to-end detection.
5. IEEE 802.3ah: The peer device must support this function. It supports link performance monitoring, fault detection, and loopback detection.
6. IEEE 802.1ag: The peer device must support this function. It supports Ethernet CC, LB, and LT.
Function: used to detect the transmission quality between the eNodeB and the S-GW and monitor transmission performance
parameters, including the number of TX/RX packets, packet loss rate, unidirectional delay and jitter, and bidirectional RTT.
Advantage: provides transmission KPIs and works with the dynamic flow control algorithm, preventing dynamic changes in
the transmission bandwidth from affecting QoS.
Disadvantage: Activating a larger number of IP PM streams leads to a more accurate congestion decision but consumes
more resources.
Requirements for the equipment: The IP PM protocol is a Huawei proprietary protocol. This function can be used only when
the eNodeB and EPC support this function. The DSCP values of the intermediate transmission network must be the same as
the settings of the eNodeB and EPC and cannot be modified. Otherwise, the IP PM function fails to be activated.
Recommended scenario: This function is recommended when Huawei EPC is used, especially in the ADSL-based IP
transmission scenarios, such as poor link quality, high packet loss rate, unstable link, and great change in the bandwidth.
3. Transport Dynamic Flow Control
[Figure: IP PM-based adaptive flow control between the MME/S-GW and the eNodeB; dotted lines show the bandwidth change on the transmission network]
The preceding figure shows the IP PM-based adaptive flow control principle. The dotted lines indicate the
changes in the bandwidths of the IP/Ethernet transmission network. IP PM between the S-GW/MME and the
eNodeB is enabled to check the changes in the transmission network performance, including the delay, jitter,
and packet loss rate and to estimate the minimum end-to-end available transmission bandwidth. The eNodeB
sends the information about available bandwidth to the flow control module, and the module adjusts the data
traffic that will be sent to the transmission network, reducing lost packets during transmission on the
transmission network and improving the bandwidth usage.
2. Run the following command to query the status of an IP PM session. The status information includes
parameters such as the transmission line delay, jitter, and packet loss rate.
DSP IPPMSESSION: IPPMSN=0;
Note that:
1) Before adding an IPPM session, ensure that the peer NE supports IP PM rules.
2) Before adding an IPPM session, check whether the peer NE supports bidirectional activation. If the peer
NE does not support bidirectional activation, only UL IP PM sessions can be added for the local end.
Otherwise, intermittent failures may occur on the link.
Advantage: IP route fault detection. BFD detection is fast, with the detection time on the order of 100 ms.
Disadvantage:
Requirements for the equipment: Currently, the eNodeB supports BFD V1, and therefore the
peer equipment also must support BFD V1. If the peer equipment does not support BFD V1,
this function cannot be used.
Both ends are started at the same time, and the detection durations at both ends are similar.
Recommended scenario:
SBFD: mainly used to detect faults in the point-to-point network with IP addresses of both
ends being on the same network segment.
MBFD: used to detect faults in the end-to-end network with multiple routing nodes.
Dynamic detection: Heartbeat messages are sent for detection only when there is at least
one online UE. If no echo response is received after three consecutive echo requests are sent,
the eNodeB will release UEs without generating any alarm or deactivating the cell and then
inform the EPC that UEs are released. Settings of GTP-U path detection can be different on
UGWs at both ends. According to the 3GPP protocol, eNodeBs support dynamic GTP-U
detection by default and no command can be executed to disable the detection.
Static detection: Heartbeat messages are sent for detection even if there is no online UE. If
no echo response is received after three consecutive echo requests are sent, the eNodeB will
release UEs while generating an alarm and deactivating the cell. This is not related to the GTP-U
path detection on the peer UGW. In dynamic GTP-U detection mode, when an eNodeB detects
an IP path fault, it releases the UE, and the detection stops when no services are performed.
Without dynamic GTP-U detection, an eNodeB cannot detect the status of an IP path. By default,
the path is considered as normal and other UEs access the network through the path. In this
case, the UEs are accessed and released repeatedly. Therefore, it is recommended that static
GTP-U detection be enabled to prevent UEs from being accessed and released repeatedly.
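An added Python simulation (not Huawei code) of the dynamic and static GTP-U path detection behaviour described above: three consecutive unanswered echo requests mark a path fault; dynamic mode releases the UEs and informs the EPC without an alarm, so new UEs can attach over the still "normal" path and be released again, while static mode raises an alarm and deactivates the cell. The event names and UE identifiers are constructed.

```python
ECHO_FAILURES_FOR_FAULT = 3   # no response to three consecutive echo requests


class GtpuPathMonitor:
    """eNodeB-side GTP-U path detection toward an S-GW in the two modes from the text."""

    def __init__(self, mode):
        if mode not in ("dynamic", "static"):
            raise ValueError("mode must be 'dynamic' or 'static'")
        self.mode = mode
        self.online_ues = set()
        self.consecutive_failures = 0
        self.cell_active = True
        self.alarm_raised = False
        self.events = []            # log of what the eNodeB did (constructed event names)

    def detection_running(self):
        """Dynamic: heartbeats only while at least one UE is online. Static: always."""
        return self.mode == "static" or bool(self.online_ues)

    def ue_attach(self, ue):
        """A UE tries to access through this path. Without a detected fault the path is
        considered normal, so access is allowed unless the cell has been deactivated."""
        if not self.cell_active:
            self.events.append(("access_rejected_cell_deactivated", ue))
            return False
        self.online_ues.add(ue)
        self.events.append(("ue_online", ue))
        return True

    def echo_cycle(self, response_received):
        """One echo request/response opportunity; returns what happened."""
        if not self.detection_running():
            return "idle"
        if response_received:
            self.consecutive_failures = 0
            return "ok"
        self.consecutive_failures += 1
        if self.consecutive_failures < ECHO_FAILURES_FOR_FAULT:
            return "pending"
        self.consecutive_failures = 0
        return self._path_fault()

    def _path_fault(self):
        released = sorted(self.online_ues)
        self.online_ues.clear()
        self.events.append(("release_ues", released))
        if self.mode == "dynamic":
            # No alarm and the cell stays active; the EPC is informed that the UEs are released.
            self.events.append(("inform_epc_released", released))
        else:
            # Static mode: alarm plus cell deactivation, which stops further access attempts.
            self.alarm_raised = True
            self.cell_active = False
            self.events.append(("alarm", "GTP-U path fault"))
            self.events.append(("cell_deactivated", None))
        return "fault"


def run_scenario(mode, attach_attempts=2):
    """Broken path: UEs keep trying to attach and every echo request goes unanswered.
    Returns (number of non-empty UE releases, rejected access attempts, alarm raised)."""
    mon = GtpuPathMonitor(mode)
    for i in range(attach_attempts):
        mon.ue_attach(f"ue{i}")
        for _ in range(ECHO_FAILURES_FOR_FAULT):
            mon.echo_cycle(False)
    releases = sum(1 for e in mon.events if e[0] == "release_ues" and e[1])
    rejected = sum(1 for e in mon.events if e[0] == "access_rejected_cell_deactivated")
    return releases, rejected, mon.alarm_raised


if __name__ == "__main__":
    # Dynamic mode: UEs are accessed and released repeatedly; static mode stops it after one round.
    print("dynamic:", run_scenario("dynamic"))
    print("static: ", run_scenario("static"))
```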
• A complete Ethernet OAM feature is achieved by two solutions. One solution is based on
IEEE 802.1ag and focuses on E2E Ethernet OAM. The other solution is based on IEEE 802.3ah and focuses on P2P.
IEEE 802.1ag
• Functions: continuity check, loopback test, linktrace test
• Advantage: focus on end-to-end Ethernet fault monitoring of the Ethernet link
• Requirement: the transmission equipment must comply with the IEEE 802.1ag protocol.
• Failure cause: the protocol is not negotiated or configured at the peer end.
1. Query the status of the remote maintenance association end point (RMEP): DSP CFMRMEP. If
the configuration is correct, the RMEP status is normal.
2. If the link is disconnected, the RMEP status is abnormal.
IEEE 802.3ah and 802.1ag
1) ETH OAM provides the transmission connectivity and performance detection functions for the layer-2
Ethernet, including:
• IEEE 802.3ah: provides one-hop Ethernet transmission connectivity detection and bit error monitoring, including
route detection, fault detection, link monitoring, and remote loopback.
• IEEE 802.1ag: provides one- or multi-hop Ethernet transmission connectivity detection, link trace, and link
loopback.
2) Y.1731: provides the functions provided by IEEE 802.1ag and the following additional functions: link delay detection
and packet loss detection.
• The main application scenario of Y.1731 in IP RAN is as follows: when end-to-end layer-2 Ethernet
performance monitoring and fault detection are co-deployed on the eNodeB and transmission equipment, this
function must be enabled on the peer device.
• ETH OAM is not widely used on the live network. Y.1731 is used to implement the connection between Huawei
routers and switches. A compatibility test is recommended for interconnection with devices provided by
other vendors.
[Figure: MEP and MIP in maintenance association MA1 on VLAN1; add the MEP.]
When ITU-T Y.1731 is used, the MA is the MEG ID.
IP Interworking Design
• VLAN planning
• IP route planning
• Physical port/IP address planning
• Communication port matrix
• QoS negotiation parameters
Networking: The service address shares the interface address or is on the same network segment as the interface address.
Advantages: Simple to maintain in the single-mode base station, and free from configuring the route on the gateway.
Disadvantages: Difficult to evolve to the multi-mode base station, and IP addresses have to be reserved; difficult to evolve from non-security scenarios to security scenarios; not suitable for security scenarios. The service address and interface address are coupled and therefore the planning cannot be unified.
Selection principle: Customization solution only for the scenarios using independent transmission and non-IPSec scenarios, especially for the like-for-like swap scenario.
IP planning and VLAN planning (in single eNodeB and non-IPSec mode)
Networking 1: Isolation between OM data and service data.
• Description: The OM channel and the service channel are configured with different sub-interfaces and VLANs.
• Advantages: High security by isolating OM data and service data.
• Disadvantages: Complicated configurations; more IP addresses used.
Networking 2: Isolation between OM data and service data (isolation between CP and UP data in LTE).
• Description: Service data is configured with different sub-interfaces and VLANs based on the mode. All OM data is configured with a dedicated sub-interface and VLAN.
• Advantages: High security by isolating OM data and service data. The performance statistics can be collected based on the mode in the intermediate network. Different QoS policies can be used.
• Disadvantages: Complicated configurations; more IP addresses used.
IP planning and VLAN planning (in single eNodeB and IPSec mode)
Networking 1: The external data is transmitted over the same VLAN and VPN, and is not isolated.
• Advantages: Reduced IKE and investment; simple configurations.
• Disadvantages: This solution cannot distinguish the radio access technology (RAT), OM, and service management (counters or fault isolation).
• Selection principle: Recommended by default.
Networking 2: The external data of OM and service is transmitted over two VLANs or VPNs, respectively, and is isolated.
• Advantages: This solution can distinguish the OM and service management (counter or fault isolation). Different policies, such as security, reliability, or QoS, are adopted for OM and service. This solution supports transmitting the OM data and service data over different transmission paths.
• Disadvantages: This solution cannot distinguish RAT and service management (counter or fault isolation). More IPSec resources are consumed.
• Selection principle: Alternative. Scenario 1: Reconstruct the secure node where the OM data and service data are isolated. Scenario 2: The OM data and service data are transmitted in different transmission paths. Scenario 3: The customers are required to carry out different policies on OM and services, such as security, reliability, and QoS.
1. One physical port is recommended instead of two ports for physical resource reduction.
2. Gigabit optical or electrical ports are recommended to meet the high requirements for the transmission bandwidth
of the LTE and for future network expansion.
3. For a networking without IPsec tunnels, it is recommended that each eNodeB be allocated with two IP addresses
for address resource reduction, route planning and future maintenance. One IP address is for the S1/X2
interface and the other address is for the operation and maintenance (OM) and clock. If IP addresses are
insufficient, an eNodeB can be allocated with only one IP address.
4. For a networking with IPsec tunnels, IP addresses must be planned based on the actual conditions of the
customer.
For the security of internal IP addresses, it is recommended that external IP addresses (interface IP addresses)
and internal IP addresses (logic IP addresses) be combined. That is, external IP addresses are used to set up
IPsec tunnels with security gateways and are readable on the network.
Internal IP addresses are used for service communication and are encapsulated in IPsec tunnels.
5. For easy configuration and maintenance of eNodeBs, engineers should use as few IP addresses as possible.
Generally, IP addresses are limited and many customers require reducing IP addresses. During the planning,
engineers must communicate with customers and fully understand their requirements. IP planning must be
combined with the VLAN planning.
6. In IPsec mode, each tunnel must be set with an external interface IP address (except for the LOOPINT interface) in
addition to the internal logic IP addresses (OM, SYNC, S1/X2 IP addresses). The logical OM IP address is used
as the clock IP address.
Route Configuration
Route types:
1. Default route: The configuration is simple. Only one route is required, and both the destination IP address and the subnet mask consist of 0s.
2. Host IP address: The destination IP address is a specific IP address, with a 32-bit mask.
3. Network segment route: The destination IP address is a specific IP address. The …
Route priority:
…
2. The smaller the value of the PREF parameter, the higher the priority.
3. When the high-priority route is unreachable, the system is automatically switched over to the low-priority route.
4. When active and standby maintenance channels are used, do not trigger an …
Storm Separation / VLAN Priority
1. VLANs are configured in the following methods: by next hop and by DSCP.
2. When VLANs are configured by next hop, different VLAN IDs correspond to different
next hops. In this case, the IP addresses of eNodeBs must be on different network
segments.
[Table: mapping of service type and data type to DSCP and VLAN priority, with the MML commands configured with DSCP]
Global interconnection parameters: eNodeBID, MCC, and MNC.
Cell-level parameters.
communication between the eNodeB and other NEs must be opened on the firewall. Communication port number design is mainly
used to specify the TCP/UDP ports that must be opened for eNodeB services on the firewall of the operator and list the numbers of
For details about the design process, see the latest communication matrix at http://support.huawei.com and the numbers of ports
Transmission Security Design
• IEEE 802.1X port security management
• IPsec
• PSK
• PKI
Scenario 1: The customer network has a SeGW. To communicate with the DHCP server and to obtain the temporary
eNodeB IP address, U2000 IP address, and SeGW IP address, the OMCH of the eNodeB must be authenticated by
the SeGW and a security channel must be set up. This scenario is used by a self-organizing network (SON) and
requires no manual handling. This scenario is not analyzed in the network design document.
Scenario 2: The customer network has a SeGW. To access the EPC, the S1 interface of the eNodeB must be
authenticated by the SeGW and a security channel must be set up. To improve reliability, a backup SeGW to the EPC
is used and the Virtual Router Redundancy Protocol (VRRP) is started.
Scenario 3: The customer network has a SeGW. To access other eNodeBs, the X2 interface of the eNodeB must be
authenticated by the SeGW and a security channel must be set up.
Scenario 4: The data over the X2 interface traverses an insecure public transmission network. IPSec is used between the
eNodeBs; the eNodeBs authenticate each other; security channels are set up.
Comparison of Solution 1 (OM data transmitted over the IPSec tunnel) and Solution 2 (OM data not transmitted over the IPSec tunnel):
Equipment and network security
• Solution 1: High.
• Solution 2: Low. This is because if the OM data are not transmitted over the IPSec tunnel, the equipment and network are at risk of attacks.
Base station deployment
• Solution 1: In this solution, eNodeB deployment by using PnP is complicated. This is because higher security requirements pose a greater challenge for eNodeB deployment by PnP. A nonstop deployment is required, and all the problems that occur during the deployment need to be solved by visiting sites. Downloading certificates and establishing the IPSec tunnel must be finished before setting up the OM channel.
• Solution 2: In this solution, eNodeB deployment by using PnP is simple: the DHCP relay to the U2000 is configured as the next hop of the eNodeB. The eNodeB deployment can be conducted step by step. The deployment process is controllable and viewable. Any faults that occur in the deployment can be remotely located. The IPSec tunnel can be established after setting up the OM channel.
Operation and maintenance
• Solution 1: If the IPSec tunnel is faulty, the eNodeB cannot be commissioned remotely.
• Solution 2: If the IPSec is faulty, the eNodeB can be commissioned remotely on the premise that the OM channel is established before setting up the IPSec tunnel.
If an IP clock server is deployed, the IP clock server is usually behind the SeGW. The following
figure shows the security policies.
Time synchronization data cannot enter IPSec tunnels;
Time synchronization data is usually transmitted in multicast packets;
During time synchronization, time needs to be compensated node by node, and precision
cannot be ensured.
If the clock configured in the transport network is used instead of the IP clock server, it is
recommended that you choose a suitable clock according to the situation.
Comparison of PKI and PSK authentication:
Security
• PKI: This method uses asymmetrical encryption and provides high security.
• PSK: This method uses symmetrical encryption and provides low security.
OM
• PKI: This method supports the standard online certificate management process and supports certificate update.
• PSK: This method needs different PSKs assigned for each eNodeB. The key management is complicated and the keys cannot be updated.
Site deployment
• PKI: This method supports eNodeB deployment by using PnP and by using a USB flash drive.
• PSK: This method supports eNodeB deployment only by using a USB flash drive.
Conclusion
• PKI advantages: high security; complete online certificate management; support of eNodeB deployment by using PnP and by using a USB flash drive. PKI disadvantage: high cost.
• PSK advantage: simple deployment. PSK disadvantages: low security; complicated key management; support of eNodeB deployment only by using a USB flash drive.
CAUTION : Do not perform any operation on the local ports, unless the customer wants to
disable the local ports.
IEEE 802.1x is a LAN access control protocol. Its full name is Port-Based Network Access
Control. It is based on client/server mode and can restrict unauthorized user or equipment
from accessing the LAN or WLAN from the access ports.
At the information collection stage, ask the customer whether to enable IEEE 802.1x.
If IEEE 802.1x is to be enabled, ask the customer whether the access network supports IEEE
802.1x. Configure Huawei CA certificate and the eNodeB ESN on the RADIUS server.
After power-on and access to the network, the eNodeB automatically performs security
authentication.
Equipment | Requirements
eNodeB | The IEEE 802.1x authentication mechanism is enabled by default. The IEEE 802.1x client software is installed.
Access equipment | Supports 802.1x. Supports EAPOL and EAPOR encapsulations.
RADIUS server | Supports EAPOR encapsulation. The Huawei root CA certificate is configured on the RADIUS server for determining the validity of the digital certificate built in the eNodeB. The Huawei eNodeB ESN is configured on the RADIUS server for determining that the access eNodeB is a Huawei eNodeB.
[Figure: PKI system architecture: eNodeB and AR connected over an L2/L3 network to the SeGW, with the CA and CRL server, the core network (SAE), and the M2000 behind it]
Example of secure networking with PSK
Therefore, using the PSK to verify the L2TP/IPSec connection is a relatively weak authentication
method. PSK is often used in the small network and home network, while PKI is often used as a
long-term reliable authentication method. In secure networking with PSK, the network can be
deployed without the PKI system.
Multi-SeGW IPSec disaster recovery uses the IKE DPD mechanism to monitor the status
of IPSec channels between the eNodeB and the SeGWs. If the IPSec channel between
the eNodeB and the active SeGW becomes faulty, the eNodeB attempts to establish a
standby IPSec channel between the eNodeB and a standby SeGW, thereby achieving
IPSec disaster recovery between multiple SeGWs.
Requirements on the eNodeB side:
• The ACL IDs referenced by the IPSec policies to which all active and standby IKE peers belong must be the same.
• The DPD function must be enabled on all active and standby IKE peers on the eNodeB side.
• The license for Multi-SeGW IPSec disaster recovery is activated.
Requirement on the network side:
• The secure network can learn the eNodeB's downlink routing information sent by the SeGWs.