
Understanding GPRS Tunneling Protocol on SRX Series Devices


The GPRS Tunneling Protocol (GTP) is used to establish a GTP tunnel, for individual mobile stations (MS), between a Serving GPRS Support Node (SGSN) and a Gateway GPRS Support Node (GGSN). A GTP tunnel is a channel between GSNs through which two hosts exchange data. The SGSN receives packets from the MS and encapsulates them within a GTP header before forwarding them to the GGSN through the GTP tunnel. When the GGSN receives the packets, it decapsulates them and forwards them to the external host.
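The encapsulation and decapsulation steps described above can be made concrete with a small GTPv1 header builder and parser. The following is an added example, not Juniper code and not taken from this guide; it follows the GTPv1 header layout from 3GPP TS 29.060 (flags, message type, length, TEID, optional sequence/N-PDU/extension octets) and applies the kind of sanity checks a firewall sitting on the Gn or Gp interface performs before trusting tunnel contents. The inner IPv4 packet, the TEID value 0x1234 and the `inspect()` verdict wrapper are constructed for illustration.

```python
import struct

GTP_C_PORT = 2123          # GTP-C (control plane) UDP port
GTP_U_PORT = 2152          # GTP-U (user plane) UDP port
MSG_ECHO_REQUEST = 1
MSG_ECHO_RESPONSE = 2
MSG_CREATE_PDP_REQ = 16
MSG_G_PDU = 255            # G-PDU: encapsulated user data (T-PDU)

# Constructed sample inner packet: minimal 28-byte IPv4/UDP datagram, checksum left 0.
INNER_IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + b"\x00" * 8


class GtpError(ValueError):
    """Raised when a GTPv1 header fails validation."""


def build_gtpv1(msg_type, teid, payload, seq=None):
    """SGSN-side step: prepend a GTPv1 header to payload.

    Passing seq sets the S flag and adds the 4-byte optional field block
    (sequence number, N-PDU number, next extension header type).
    """
    flags = 0x30                                   # version 1 (001), PT=1 (GTP, not GTP')
    optional = b""
    if seq is not None:
        flags |= 0x02                              # S flag: sequence number present
        optional = struct.pack("!HBB", seq, 0, 0)  # seq, N-PDU number, no extension header
    length = len(optional) + len(payload)          # length excludes the 8 mandatory octets
    return struct.pack("!BBHI", flags, msg_type, length, teid) + optional + payload


def parse_gtpv1(datagram):
    """Parse and validate a GTPv1 header; return (header dict, payload).

    Checks version, protocol type, declared length against bytes received,
    and the optional field block before exposing the payload.
    """
    if len(datagram) < 8:
        raise GtpError("datagram shorter than the mandatory 8-byte GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    version = flags >> 5
    if version != 1:
        raise GtpError(f"unsupported GTP version {version}")
    if not flags & 0x10:
        raise GtpError("PT=0: GTP' (charging protocol), not GTP")
    if len(datagram) - 8 != length:
        raise GtpError(f"declared length {length} != received {len(datagram) - 8}")
    hdr = {"msg_type": msg_type, "teid": teid, "seq": None}
    offset = 8
    if flags & 0x07:                               # any of E, S, PN set: 4 optional octets follow
        if length < 4:
            raise GtpError("optional fields flagged but not present")
        seq, _npdu, next_ext = struct.unpack("!HBB", datagram[8:12])
        if flags & 0x02:
            hdr["seq"] = seq
        if next_ext != 0:
            raise GtpError("extension headers are not handled by this example")
        offset = 12
    # Example policy: user data must belong to an established tunnel (non-zero TEID).
    if msg_type == MSG_G_PDU and teid == 0:
        raise GtpError("G-PDU with TEID 0 does not belong to any tunnel")
    return hdr, datagram[offset:]


def decapsulate_g_pdu(datagram):
    """GGSN-side step: strip the GTP header and return (teid, inner IP packet).

    The inner packet's version nibble must be 4 or 6; anything else is rejected.
    """
    hdr, inner = parse_gtpv1(datagram)
    if hdr["msg_type"] != MSG_G_PDU:
        raise GtpError("not a G-PDU")
    ip_version = inner[0] >> 4 if inner else 0
    if ip_version not in (4, 6):
        raise GtpError(f"inner packet is not IP (version nibble {ip_version})")
    return hdr["teid"], inner


def inspect(datagram):
    """Firewall-style verdict: ('permit', header) or ('drop', reason)."""
    try:
        hdr, _ = parse_gtpv1(datagram)
        return "permit", hdr
    except GtpError as exc:
        return "drop", str(exc)


if __name__ == "__main__":
    tunnelled = build_gtpv1(MSG_G_PDU, 0x1234, INNER_IPV4, seq=7)   # what the SGSN sends
    print(inspect(tunnelled))                                        # firewall on Gn/Gp
    print(decapsulate_g_pdu(tunnelled)[0])                           # what the GGSN recovers
```

Running the block encapsulates the constructed IPv4 packet as the SGSN would, shows the firewall verdict, and recovers the TEID as the GGSN would; truncated datagrams, a wrong version, GTP' traffic, and a G-PDU without a tunnel all produce a drop verdict with the reason.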

A Juniper Networks security device provides firewall protection for the following types of GPRS interfaces:

Note: The term interface has different meanings in JUNOS Software and in GPRS technology. In JUNOS Software, an interface is like a doorway to a security zone and allows traffic to enter and exit the zone. In GPRS, an interface is a connection, or a reference point, between two components of a GPRS infrastructure, for example, an SGSN and a GGSN.

Gp and Gn Interfaces

You implement a security device on the Gn interface to protect core network assets such as the SGSN and GGSN. To secure GTP tunnels on the Gn interface, you place the security device between SGSNs and GGSNs within a common PLMN.

When you implement a security device to the Gp interface, you protect a PLMN from another PLMN. To secure GTP tunnels on the Gp interface, you place the SGSNs and GGSNs of a PLMN behind the security device so that all traffic, incoming and outgoing, goes through the firewall.

Figure 179 illustrates the placement of Juniper Networks SRX Series devices used to protect PLMNs on the Gp and Gn interfaces.

Figure 179: Gp and Gn Interfaces (image g030659.gif not reproduced)

Gi Interface

When you implement a security device on the Gi interface, you can simultaneously control traffic for multiple networks, protect a PLMN against the Internet and external networks, and protect mobile users from the Internet and other networks. JUNOS Software provides a great number of virtual routers, making it possible for you to use one virtual router per customer network and thereby allow the separation of traffic for each customer network.

The security device can securely forward packets to the Internet or destination networks using the Layer 2 Tunneling Protocol (L2TP) for IPsec virtual private network (VPN) tunnels. (Note, however, that SRX Series devices do not support full L2TP.)

Figure 180 illustrates the implementation of a security device to protect a PLMN on the Gi interface.

Figure 180: Gi Interface (image g030660.gif not reproduced)

Operational Modes

JUNOS Software supports two interface operational modes with GTP: transparent mode and route mode. If you want the security device to participate in the routing infrastructure of your network, you can run it in route mode. This requires a certain amount of network redesign. Alternatively, you can implement the security device into your existing network in transparent mode without having to reconfigure the entire network. In transparent mode, the security device functions as a Layer 2 switch or bridge, and the IP addresses of interfaces are set at 0.0.0.0, making the presence of the security device invisible, or transparent, to users.

JUNOS Software supports Network Address Translation (NAT) on interfaces and policies that do not have GTP inspection enabled.

Currently in JUNOS Software, route mode supports both active/passive and active/active chassis clusters. Transparent mode supports active/passive only.

For more information about operational modes and high availability, see the JUNOS Software Interfaces and Routing Configuration Guide and Chassis Cluster, respectively.
