October 2011
6871018P74-A
Copyrights
The Motorola products described in this document may include copyrighted Motorola computer programs. Laws
in the United States and other countries preserve for Motorola certain exclusive rights for copyrighted computer
programs. Accordingly, any copyrighted Motorola computer programs contained in the Motorola products described
in this document may not be copied or reproduced in any manner without the express written permission of Motorola.
2011 Motorola Solutions, Inc. All Rights Reserved
No part of this document may be reproduced, transmitted, stored in a retrieval system, or translated into any language
or computer language, in any form or by any means, without the prior written permission of Motorola Solutions, Inc.
Furthermore, the purchase of Motorola products shall not be deemed to grant either directly or by implication,
estoppel or otherwise, any license under the copyrights, patents or patent applications of Motorola, except for the
normal non-exclusive, royalty-free license to use that arises by operation of law in the sale of a product.
Disclaimer
Please note that certain features, facilities, and capabilities described in this document may not be applicable to
or licensed for use on a particular system, or may be dependent upon the characteristics of a particular mobile
subscriber unit or configuration of certain parameters. Please refer to your Motorola contact for further information.
Trademarks
MOTOROLA, MOTO, MOTOROLA SOLUTIONS, and the Stylized M Logo are trademarks or registered
trademarks of Motorola Trademark Holdings, LLC and are used under license. All other trademarks are the property
of their respective owners.
The European Union's WEEE directive requires that products sold into EU countries must have the crossed out
trashbin label on the product (or the package in some cases).
As defined by the WEEE directive, this cross-out trashbin label means that customers and end-users in EU countries
should not dispose of electronic and electrical equipment or accessories in household waste.
Customers or end-users in EU countries should contact their local equipment supplier representative or service
centre for information about the waste collection system in their country.
Contents
1 Public Safety Long Term Evolution Push-to-Talk (PTT) Architecture  1-1
1.1 PTT Architecture Overview  1-1
1.2 Public Safety LTE Push-to-Talk (PTT) Port Assignment Map  1-4
2 Highly-Available IP Network  2-1
3 Public Safety Long Term Evolution Push-to-Talk (PTT) Network Implementation  3-1
3.1 IP Configuration  3-1
3.2 Updating any Configured IP Addresses  3-3
3.3 External Subnet(s) Operations  3-5
3.4 Configuration Examples  3-6
4 Public Safety Long Term Evolution Push-to-Talk (PTT) Firewall Rules  4-1
4.1 PTT Switch and Handset Interface Rules  4-2
4.2 OAMP Traffic Rules  4-2
4.2.1 Provisioning Graphical User Interface Rules  4-2
4.2.2 Enterprise Administrator Web Server Interface Rules  4-3
4.2.3 MTAS Client and MTAS Interface on the PTT Server Interface Rules  4-3
4.2.4 Operator SNMP Manager and the SNMP Interface on the PTT Server Interface Rules  4-4
4.2.5 TL1 Interface Rules  4-4
4.2.6 SFTP Interface Rules  4-5
4.2.7 SSH Interface Rules  4-5
5 Transferring Billing Data  5-1
List of Figures
Figure 1-1 Public Safety Long Term Evolution Push-to-Talk (PTT) System Architecture  1-2
Figure 1-2 PTT PS Port Assignment Map  1-4
Figure 2-1 System Network Overview  2-1
Figure 2-2 Web server in PTT Solution  2-3
List of Tables
Table 3-1
Table 4-1
Table 4-2
Table 4-3
Table 4-4
Table 4-5
Table 4-6
Table 4-7
Table 4-8
Table 4-9
Table 4-10
Table 4-11
Table 4-12
The term Public Safety LTE Push-to-Talk is referred to as PTT in this document for server/system references and in the network/services/switch context.
Contact the Motorola System Support Center (SSC) if any situation not described in this guide is encountered, or if you are unable to solve a problem involving the Public Safety LTE Push-to-Talk (PTT) system using the procedures in this guide.
Related Information
Document: Public Safety LTE Push-to-Talk (PTT) Provisioning Guide
Description: Describes how to operate, administer, and maintain the Public Safety LTE Push-to-Talk (PTT) SoftSwitch. The Public Safety LTE Push-to-Talk (PTT) Server provides Operations, Administration, and Maintenance functionality through the EMS subsystem. Operators and system administrators can use the Public Safety LTE Push-to-Talk (PTT) Operations Guide for script execution, monitoring, and maintaining the Public Safety LTE Push-to-Talk (PTT) system components.
Description: Describes the Public Safety LTE Push-to-Talk (PTT) hardware components and features. Designed for the networking or computer technician responsible for identifying the hardware components, installing/mounting the hardware components, cabling, and replacing the Field Replaceable Units (FRUs) of the Public Safety LTE Push-to-Talk (PTT) system. It describes the physical characteristics of the switch, explains how to install it, and provides LED information. The document does not describe system messages that you might receive or how to configure your switch.
Revision History
The following sections show the revision status of this document.
Version Information
The following table describes the changes made to this document:
Version    Date of Issue    Description
           OCT 2011         Initial Release
Release information
This section describes the changes in this document for the current release.
Initial Release
Release Information
This release contains OMA features and functionality (related to provisioning, configuration, billing, statistics, the web server, and so on) which are not supported for commercial deployment. The OMA PoC Service shall not be considered for launch without Motorola's approval. Please contact Product Management for more information. Motorola recommends that Public Safety LTE Push-to-Talk (PTT) customers refer to the Software Release Manual for a better understanding of the supported and unsupported features.
General Information
Service Request: N/A
CMBP Number: N/A
Description: N/A
General Information
Motorola Solutions documents provide the information to operate, install, and maintain Motorola equipment. It is
recommended that all personnel engaged in such activities be properly trained by Motorola Solutions.
Always use the switch and software configuration settings specified by Motorola Solutions. If other settings are necessary for proper system operation, consult with the Motorola SSC. Deviating from Motorola's original configuration settings in your system may result in damage to equipment or loss of service.
Motorola disclaims all liability whatsoever, implied or expressed, for any risk of damage, loss or reduction in system
performance arising directly or indirectly out of the failure of the customer, or anyone acting on the customer's
behalf, to abide by the instructions, system parameters, or recommendations made in this document.
These documents are not intended to replace the system and equipment training offered by Motorola. They can be
used to supplement and enhance the knowledge gained through such training.
If this document was obtained when attending a Motorola Solutions training course, it is not updated or
amended by Motorola Solutions. It is intended for TRAINING PURPOSES ONLY. If it was supplied
under normal operational circumstances, to support a major software release, then Motorola Solutions
automatically supplies corrections and posts on the Motorola Solutions customer website.
Cross References
References made to external publications are shown in italics. Other cross references, emphasized in blue text in
electronic versions, are active links to the references.
This document is divided into numbered chapters that are divided into sections. Sections are not numbered, but are
individually named at the top of each page, and are listed in the table of contents.
Icon Conventions
The documentation set is designed to give the reader more visual clues. The following graphic icons are used
throughout the documentation set. These icons and their associated meanings are described below.
The signal word DANGER with the associated safety icon implies information that, if disregarded,
will result in death or serious injury.
The signal word WARNING with the associated safety icon implies information that, if disregarded,
could result in death or serious injury, or serious product damage.
The signal word CAUTION with the associated safety icon implies information that, if disregarded,
may result in minor or moderate injury, or serious product damage.
The signal word CAUTION may be used without the safety icon to state potential damage or injury
that is not related to the product.
IMPORTANT statements contain information that is crucial to the discussion at hand, but is not CAUTION
or WARNING. There is no warning level associated with the IMPORTANT statement.
NOTE contains information more important than the surrounding text, such as exceptions or preconditions.
They also refer the reader elsewhere for additional information, remind the reader how to complete an
action (when it is not part of the current procedure, for instance), or tell the reader where something is
located on the screen. There is no warning level associated with a note.
SUGGESTION
SUGGESTION implies a recommendation or tip from Motorola that does not have to be followed, but might be helpful. There is no warning level associated with SUGGESTION.
Style Conventions
The following style conventions are used:
Bold: This typeface is used for names of, for instance, windows, buttons, and labels when these names appear on the screen (example: the Alarms Browser window). When it is clear that we are referring to, for instance, a button, the name is used alone (example: Click OK).
Monospacing font in bold: This typeface is used for words to be typed in exactly as they are shown in the text (example: In the Address field, type http://ucs01.ucs:9080/).
Monospacing font: This typeface is used for messages, prompts, and other text displayed on the computer screen (example: A new trap destination has been added).
Monospacing font in bold Italic: This typeface is used with angle brackets for words to be substituted by a specific member of the group that the words represent (example: <router number>).
This typeface is used for keyboard keys (example: Press Y, and then press ENTER).
Italic: This typeface is used for citations. This can be the name of a document or a phrase from another document (example: Dimetra IP System Overview).
An arrow pointing right is used for indicating the menu or tab structure in instructions on how to select a certain menu item (example: File → Save) or a certain sub-tab.
ESD Procedure
Motorola Solutions strongly recommends that you use an antistatic wrist strap and a conductive foam pad when installing or upgrading the system. Electronic components, such as disk drives, computer boards, and memory modules, can be extremely sensitive to Electrostatic Discharge (ESD). After removing the component from the system or its protective wrapper, place the component flat on a grounded, static-free surface and, in the case of a board, component-side up. Do not slide the component over any surface.
If an ESD station is not available, you can avoid damage resulting from ESD by wearing an antistatic wrist strap (available at electronics stores) that is attached to an unpainted metal part of the system chassis.
Hazardous voltage, current, and energy levels are present in this product. Power switch terminals can have
hazardous voltages present even when the power switch is off. Do not operate the system with the cover removed.
Always replace the cover before turning on the system. Do not operate in an explosive atmosphere. Do not operate
the equipment in the presence of flammable gases or fumes. Operation of any electrical equipment in such an
environment constitutes a definite safety hazard.
Hazardous Voltage
Voltages, capable of causing death, are present in this equipment. Use extreme caution when handling, testing,
and adjusting.
Support Center
The Motorola Solutions Support Center (SSC) is the primary Motorola Solutions contact. Call:
Prior to any software reload.
To confirm troubleshooting results and analysis prior to removing and replacing a Field Replaceable Unit (FRU) and Field Replaceable Entity (FRE) to repair the system.
Motorola Solutions Support Center
Domestic Calls: 8004227144
International Calls: 8475767300
Phone Orders:
Fax Orders:
Errors
To report a documentation error, call the SSC and provide the following information to enable support to open an SR (Service Request):
The document type
The document title, part number, and revision character
1
Public Safety Long Term Evolution
Push-to-Talk (PTT) Architecture
Topics Covered in this Chapter
PTT Architecture Overview
Public Safety LTE Push-to-Talk (PTT) Port Assignment Map
The Public Safety Long Term Evolution Push-to-Talk (PTT) systems are connected by IP or Ethernet networks. IP networks are an integral part of the Motorola Solutions Public Safety Long Term Evolution Push-to-Talk (PTT) system, which consists of three potentially exposed IP subnets and multiple non-exposed IP subnets.
The non-exposed IP subnets are internal to Public Safety Long Term Evolution Push-to-Talk (PTT) system operation, and other systems in the customer network cannot reach the Public Safety Long Term Evolution Push-to-Talk (PTT) non-exposed IP subnets directly. To access the non-exposed subnet systems, the administrator first needs access to the NMHost, which is a system in the exposed IP subnet. From the NMHost, the administrator has access to the systems that are in the non-exposed subnets.
The Public Safety Long Term Evolution Push-to-Talk (PTT) requires one exposed, or routable, subnet for management operations (also referred to as the management subnet or management VLAN), such as billing system interconnection, SNMP agent interconnection for alarms and operational measurements, and Secure Shell (SSH) or Secure FTP (SFTP). This subnet is typically connected to the customer LAN or WAN network.
Figure 1-1 Public Safety Long Term Evolution Push-to-Talk (PTT) System Architecture
The PTT system and the customer network have the following main components:
DL380 Server(s): HP ProLiant DL380 G6 is the Public Safety Long Term Evolution Push-to-Talk (PTT) server platform. A redundant server is available in addition to the primary server.
One DL380 server is configured to run all active processes. The other DL380 server is configured to run all backup and EMS processes. Together, the servers provide the following:
Control Public Safety LTE Push-to-Talk (PTT) system component startup and shutdown
Log events
Run the Managed Object (MO) server process, which provides the HTTP and Transaction Language
1 (TL1) interfaces to the provisioning database. MO server process collects the statistics and events,
and raises SNMP traps for transmission to one or more SNMP trap recipients.
Provide Management Information Base (MIB) support
Run the Billing North Bound Interface process, which analyzes the call detail records and sends
the billing data.
Monitor the performance of the Public Safety LTE Push-to-Talk (PTT) system.
RAID: The RAID contains and manages the following system elements:
System provisioning database
Alarms database
Call billing data
System statistics
Call performance data
System logs
VLAN: Virtual local area network (VLAN) technology was developed for switches to control broadcast operations in LANs. VLANs establish the IP connectivity among the private nodes within the Public Safety Long Term Evolution Push-to-Talk (PTT) network. VLANs provide external access to the private nodes for external communications. A VLAN can span multiple switches, or even routers. This enables hosts in a VLAN to be dispersed more loosely; that is, hosts in a VLAN can belong to different physical network segments.
One advantage of VLANs is improved network security. VLANs cannot communicate with each other directly; that is, hosts in different VLANs cannot communicate with each other directly. To enable communications between different VLANs, network devices operating at Layer 3 (such as routers/switches) are needed.
L1: Redundant links for private traffic
L2: Redundant links for signaling and media traffic (VLAN 1)
L3: Redundant links for management traffic (VLAN 2)
L4: Redundant links for Web server traffic (VLAN 3)
L5: Connection between iLO port and regular ethernet port of same DL380
Public Safety Long Term Evolution Push-to-Talk (PTT) traffic to and from the switch is classified as listed. There are
separate physical links dedicated to each type of traffic. Thus the Public Safety Long Term Evolution Push-to-Talk
(PTT) switch caters to 3 external networks.
Management network to accommodate management traffic: Network management deals with the process of monitoring and controlling the activities of the network, besides transforming the network into a managed resource by improving performance, efficiency, and security. It also helps to operate, administer, and maintain the network systems.
Signaling/Media network to accommodate VoIP traffic: When a network is presented with large amounts of user activity and session initiation requests, the service must be able to handle and efficiently process that traffic.
Web server network to accommodate web server traffic: Web server traffic is the amount of data sent and received by a web server.
Alternatively, there is an option to collapse the different traffic types into a single network. In addition, there is an
internal network used by the Public Safety Long Term Evolution Push-to-Talk (PTT) applications to communicate
with each other in the Public Safety Long Term Evolution Push-to-Talk (PTT) switch. This internal network is fixed
as 192.168.0.0/24 and cannot be changed.
The network for iLO connections is 172.16.0.0/24 and for RAID management connections is 10.0.0.0/24.
The external subnet(s) are restricted to reach the respective interfaces on the Public Safety Long Term Evolution
Push-to-Talk (PTT) switch.
A subnetwork, or subnet, is a logically visible subdivision of an IP network. The practice of dividing a network into subnetworks is called subnetting. All computers that belong to a subnet are addressed with a common, identical, most-significant bit-group in their IP address. This results in the logical division of an IP address into two fields, a network or routing prefix and the rest field. The rest field is a specific identifier for the computer or the network interface.
The external subnet access restriction is a mandatory configuration while configuring the switch. For example,
external subnet A and subnet B are configured to reach the Signaling/ Media network on the Public Safety Long
Term Evolution Push-to-Talk (PTT) switch. Thus a network device from subnet C cannot reach the Signaling/ Media
network on the Public Safety Long Term Evolution Push-to-Talk (PTT) switch.
2
Highly-Available IP Network
The following graphic depicts the redundant IP network as a bus function between the system components. This
function allows the Public Safety Long Term Evolution Push-to-Talk (PTT) switch to continue operation in the event
of a single point of failure. A single point of failure is defined as an ethernet link/ port failure. It includes single
uplink failure when a dual uplink configuration is used. The Public Safety Long Term Evolution Push-to-Talk
(PTT) switch does not support multiple points of failure including dual uplink failure. Care should be taken in the
design of the customer network uplink interconnections.
Figure 2-1 System Network Overview
The Public Safety Long Term Evolution Push-to-Talk (PTT) switch supports a highly available (HA) IP network. For each external subnet (management, signaling/media, web server), two Ethernet ports per NMHost are used. These two ports are bonded using Linux bonding (active/backup mode) to overcome any Ethernet port failure. The two links are connected to two ports on the customer router to overcome any Ethernet link failure. If redundant customer routers are used, the two links are connected to these two routers (that is, one port on the DL380 to one router and the other port on the DL380 to the other router). The two routers must be configured with VRRP (or an equivalent protocol) so that router redundancy can work.
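The bonding described above only protects against a single link or port failure while both slaves of every bond are actually up; once one slave has lost its link, the next failure takes the subnet down. The following Python script is an added example (not part of the Motorola PTT software) that checks this from the Linux ifconfig output format shown later on this page. It assumes default active/backup bonding, in which every slave reports the bond's HWaddr (as in the page's output), and uses a constructed sample in which eth7 is UP but not RUNNING, that is, its link is down.

```python
"""Report bonds that have lost link redundancy, from ifconfig output.

Added example; not Motorola's tooling. Parses the classic ifconfig layout
(name + 'Link encap' + 'HWaddr' header line, then a flags line ending in
'MTU:...'). A bond is considered redundant only when at least two SLAVE
interfaces carrying its HWaddr are RUNNING (link up).
"""
import re

# Constructed sample in the page's ifconfig format; MACs and addresses are
# made up. bond3's slave eth7 is UP but not RUNNING, so bond3 is degraded.
SAMPLE_IFCONFIG = """\
bond2 Link encap:Ethernet HWaddr D8:D3:85:B1:70:46
inet addr:10.51.30.171 Bcast:10.51.30.255 Mask:255.255.255.0
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1

bond2:1 Link encap:Ethernet HWaddr D8:D3:85:B1:70:46
inet addr:10.51.30.173 Bcast:10.51.30.255 Mask:255.255.255.0
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1

bond3 Link encap:Ethernet HWaddr 00:26:55:DE:8A:D2
inet addr:10.51.24.221 Bcast:10.51.24.255 Mask:255.255.255.0
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1

eth5 Link encap:Ethernet HWaddr D8:D3:85:B1:70:46
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1

eth6 Link encap:Ethernet HWaddr D8:D3:85:B1:70:46
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1

eth7 Link encap:Ethernet HWaddr 00:26:55:DE:8A:D2
UP BROADCAST SLAVE MULTICAST MTU:1500 Metric:1

eth8 Link encap:Ethernet HWaddr 00:26:55:DE:8A:D2
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
"""

HEADER = re.compile(r"^\s*(\S+)\s+Link encap:\S+\s+HWaddr\s+([0-9A-Fa-f:]+)")


def parse_ifconfig(text):
    """Return {ifname: {"hwaddr": str, "flags": set}} from ifconfig text."""
    ifaces, current = {}, None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            current = match.group(1)
            ifaces[current] = {"hwaddr": match.group(2).upper(), "flags": set()}
        elif current and line.strip().startswith("UP "):
            # Flags line: every word before the MTU token is a flag.
            ifaces[current]["flags"] = set(line.split("MTU:")[0].split())
    return ifaces


def bond_status(ifaces):
    """Map each bond MASTER to its slaves, running slaves and a verdict."""
    result = {}
    for name, info in ifaces.items():
        # Skip non-bonds and IP aliases such as bond2:1 (same MAC as bond2).
        if "MASTER" not in info["flags"] or ":" in name:
            continue
        slaves = {n: i for n, i in ifaces.items()
                  if "SLAVE" in i["flags"] and i["hwaddr"] == info["hwaddr"]}
        running = [n for n, i in slaves.items() if "RUNNING" in i["flags"]]
        result[name] = {
            "slaves": sorted(slaves),
            "running": sorted(running),
            # Active/backup survives one failure only with two working links.
            "redundant": len(running) >= 2,
        }
    return result


def degraded_bonds(text):
    """Names of bonds that currently have fewer than two running slaves."""
    status = bond_status(parse_ifconfig(text))
    return sorted(name for name, s in status.items() if not s["redundant"])


if __name__ == "__main__":
    for name, s in bond_status(parse_ifconfig(SAMPLE_IFCONFIG)).items():
        print(name, s)
    print("degraded:", degraded_bonds(SAMPLE_IFCONFIG))  # ['bond3']
```

Run it against the real output of ifconfig on each NMHost after cabling work or a router change; a non-empty result means the switch is currently one failure away from losing that external subnet.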
The Public Safety Long Term Evolution Push-to-Talk (PTT) system has the following main components:
Control Switch (CS): The Control Switch supports all call processing for the Motorola Solutions Public Safety Long Term Evolution Push-to-Talk (PTT) system. The Control Switch controls call setup and tear-down as well as the collection of mid-call data from the end users. The Control Switch is responsible for associating all call legs of a call with a particular multicast port. The Control Switch also collects call information and sends it to the Element Management System to generate Usage Detail Records (UDR). The Control Switch interfaces to the Active Directory to share presence and subscriber data, which is cached at the Control Switch for users registered on that CS.
The CS provides the basic call processing capabilities for the system.
Active Directory (AD): The Active Directory maintains the Public Safety Long Term Evolution Push-to-Talk (PTT) Subscriber profile including Group Lists, Contact Lists, presence information and subscriber-specific settings. The Public Safety Long Term Evolution Push-to-Talk (PTT) Subscriber and Presence database maintains data on current Public Safety Long Term Evolution Push-to-Talk (PTT) Subscribers, and provides the mobile directory number (MDN or MSISDN) to IP address mapping and presence status (registered/user selected state or not registered). The PTT Subscriber and Presence database (SPdb) also maintains a list of user groups and contacts, and information associated with groups. This includes the members of the group, IP address, and presence.
Operators may provision subscribers on the AD through either a web GUI or an XML interface on the AD. Whenever a Push-to-Talk (PTT) Subscriber registers, de-registers, or makes other changes in status, the Push-to-Talk (PTT) Subscriber and Presence database is updated. Whenever a Push-to-Talk (PTT) Subscriber requests a point-to-point or private call, a lookup is carried out in the PTT Subscriber and Presence Database to identify the called party's IP address and presence status. This lookup is performed only if the called party's information is not found in the Control Switch's local AD cache. When a call is made to a Push-to-Talk (PTT) group, a look-up is also carried out in the SPdb to obtain IP addressing and presence information.
The SPdb maintains the dynamic presence information about all individual members of a given group.
Whenever a registration change happens on the Push-to-Talk (PTT) Subscriber and Presence Database for a
specific Push-to-Talk (PTT) Subscriber, the Push-to-Talk (PTT) Subscriber and Presence database triggers an
update to the group information (the Push-to-Talk (PTT) Subscriber is a member of a list of groups each of
which is potentially owned by some SPdb) and to the SPdb entries of all other subscribers who have that
subscriber as a contact. As a result, only registered members of a given group being called will be returned
back from the SPdb to the CS for call processing.
NMHost (Element Management System): The Element Manager is the network management control point for each of the elements within the system. The Element Manager interfaces to the operator's management system via the SNMP standard Network Management interface. The Element Manager for the Control Switch supports generation of Usage Detail Records for each PTT call, and the Element Manager for the Active Directory supports provisioning interfaces for carrier provisioning of subscribers. Alarming, performance, and system configuration are managed by the Element Manager as well.
Web Server: The PTT web server provides a web interface for enterprise administrators to provision and
manage contacts and groups. The web interface is available only for enterprise administrators. The Web
Server interfaces to the Active Directory. The actual storage of the groups and contacts is in the Active
Directory.
The following graphic shows the Web server in the overall architecture of the Public Safety Long Term Evolution Push-to-Talk (PTT) solution.
Figure 2-2 Web server in PTT Solution
Enterprise Administrator Access: The Web server provides a web-based interface for Enterprise Administrators. The operator creates and manages the administrators at the EMS GUI interface. Once provisioned, the administrators may use the Web server to manage the contacts and groups for the members of their enterprise.
The following is a list of major features that administrators can access through the Web server:
Manage (add, modify, delete) entries from Contact List
Assign or remove individual contact entries from subscriber phones in the enterprise
Manage groups and members of groups
Manage Chat group (add, modify, delete) operations
Assign or remove individual group entries from subscriber phones in the enterprise
Change Administrator Password
IPMH: The IP Message Handler (IPMH) process is responsible for routing incoming/outgoing SIP call control messages to/from the call control processes. The IPMH process is responsible for routing the IP messages between the PTT entities and executing the load balancing policy for Public Safety Long Term Evolution Push-to-Talk (PTT).
MRS: The Media Resource Server (MRS) is a pure IP-based network element without the TDM interfaces.
The MRS implements the following media-specific services:
Voice multicasting
Multi-party calls
The media stream is based on the Real-time Transport Protocol (RTP) / User Datagram Protocol (UDP) / Internet Protocol (IP) format. The MRS replicates the voice from one stream to the other streams that are part of the same session for one-to-one and group calls.
The MRS processes run only in active configuration. Loss of the MRS process results in all active calls on
3
Public Safety Long Term Evolution
Push-to-Talk (PTT) Network Implementation
Topics Covered in this Chapter
IP Configuration
Updating any Configured IP Addresses
External Subnet(s) Operations
Configuration Examples
The standard Public Safety Long Term Evolution Push-to-Talk (PTT) system shipped with each switch chassis includes:
Two DL380 G6 Servers
One RAID
3.1 IP Configuration
The entire IP configuration on the Public Safety Long Term Evolution Push-to-Talk (PTT) server is done using the networkConf.sh script.
The file /cluster/xfs/etc/ipConfig.cfg must be created with the following IP-related information.
Table 3-1 IP Configuration
NO.  IP                        Configuration Description/Summary
1    SIGNALING_IP
2    MEDIA_IP_1
3    MEDIA_IP_2
4    SIGNALING_MEDIA_NETMASK
5    SIGNALING_MEDIA_GATEWAY
6    SIGNALING_MEDIA_SUBNETS
7    MANAGEMENT_FLOATING_IP
8    MANAGEMENT_IP_1
9    MANAGEMENT_IP_2
10   MANAGEMENT_NETMASK
11   MANAGEMENT_GATEWAY
12   MANAGEMENT_SUBNETS
13   WEBSERVER_FLOATING_IP
14   WEBSERVER_IP_1
15   WEBSERVER_IP_2
16   WEBSERVER_NETMASK
17   WEBSERVER_GATEWAY         All web server traffic to reach the clients uses this gateway.
18   WEBSERVER_SUBNETS
19   DEFAULT_GATEWAY
Procedure Steps
1. Login to NMHost01.
login as: swuser
I've read & consent to terms in IS user agreem't.
swuser@10.234.22.165's password:
Last login: Fri Jun 10 03:28:36 from 10.232.53.167
I've read & consent to terms in IS user agreem't.
[swuser@nm71-01:swuser]$
2. Login as root.
[swuser@nm71-01:swuser]$ su
Password:
[root@nm18-01:root]#
3. Execute /root/SCRIPTS/networkConf.sh u
Update the NAT addresses for SIP and Media (for each MRS).
a. For SIP, select Home -> Configuration -> NNI -> Params -> Edit -> Global Parameters -> External SIP IP Address.
Refer to the section Setting NNI Params in the Public Safety Long Term Evolution Push-to-Talk (PTT) Provisioning Guide.
b. For Media, select Home -> Configuration -> MRS NAT Configuration -> Edit (for each MRS) -> NAT RTP Address.
Refer to the section Configuring MRS NAT in the Public Safety Long Term Evolution Push-to-Talk (PTT) Provisioning Guide.
Procedure Steps
1. Logon to NMHost01.
login as: swuser
swuser@10.232.114.86's password:
This Session will be Logged
Last login: Wed Oct 28 08:32:24 from 10.232.2.147
You have new mail.
[swuser@nm18-01:swuser]$
2. Login as root.
[swuser@nm18-01:swuser]$ su
Password:
[root@nm18-01:root]#
3. To add, delete, or modify the external subnet(s) from which access is allowed to the respective interfaces on the Public Safety Long Term Evolution Push-to-Talk (PTT) switch, edit the /cluster/xfs/etc/ipConfig.cfg file.
[root@nm18-01:root]# vi /cluster/xfs/etc/ipConfig.cfg
4. Execute /root/SCRIPTS/networkConf.sh r
MANAGEMENT_NETMASK=255.255.255.0
MANAGEMENT_GATEWAY=10.51.15.1
MANAGEMENT_SUBNETS=10.232.53.191/32,10.232.53.161/32,10.234.12.40/32,
10.234.12.0/24,10.234.16.0/24,10.234.17.0/24,10.232.53.0/24,10.51.122.0/24
WEBSERVER_FLOATING_IP=10.51.24.223
WEBSERVER_IP_1=10.51.24.221
WEBSERVER_IP_2=10.51.24.222
WEBSERVER_NETMASK=255.255.255.0
WEBSERVER_GATEWAY=10.51.24.1
WEBSERVER_SUBNETS=
DEFAULT_GATEWAY=10.51.24.1
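The *_SUBNETS lines are the access restriction described in chapter 1: a source in subnet A or B reaches the interface, a source in subnet C does not, so a typo or an over-broad entry here silently widens who can reach the management, signaling or web server interface. The following Python script is an added example, not Motorola's networkConf.sh: it parses a constructed ipConfig.cfg in the KEY=VALUE format shown above, checks that each address lies inside the network defined by its *_GATEWAY and *_NETMASK, rejects malformed CIDR entries, flags allow-list entries broader than an assumed /16 policy minimum, and answers whether a given source address may reach a given interface. The signaling values, the 0.0.0.0/0 entry and the /16 threshold are assumptions made for the demonstration.

```python
"""Validator for the external-subnet allow-lists in ipConfig.cfg.

Added example, not Motorola's networkConf.sh. Checks, per external network
(signaling/media, management, web server), that every address sits inside
the *_GATEWAY/*_NETMASK network, that every *_SUBNETS entry is a valid CIDR
block, and that no entry is broader than an assumed policy minimum of /16.
"""
import ipaddress

# Constructed sample in the page's format. Signaling values are made up and
# WEBSERVER_SUBNETS is deliberately 0.0.0.0/0 so the breadth check fires.
SAMPLE_CFG = """\
SIGNALING_IP=10.51.30.171
MEDIA_IP_1=10.51.30.172
MEDIA_IP_2=10.51.30.173
SIGNALING_MEDIA_NETMASK=255.255.255.0
SIGNALING_MEDIA_GATEWAY=10.51.30.1
SIGNALING_MEDIA_SUBNETS=10.51.40.0/24,10.51.41.0/24
MANAGEMENT_FLOATING_IP=10.51.15.143
MANAGEMENT_IP_1=10.51.15.141
MANAGEMENT_IP_2=10.51.15.142
MANAGEMENT_NETMASK=255.255.255.0
MANAGEMENT_GATEWAY=10.51.15.1
MANAGEMENT_SUBNETS=10.232.53.191/32,10.232.53.161/32,10.234.12.0/24
WEBSERVER_FLOATING_IP=10.51.24.223
WEBSERVER_IP_1=10.51.24.221
WEBSERVER_IP_2=10.51.24.222
WEBSERVER_NETMASK=255.255.255.0
WEBSERVER_GATEWAY=10.51.24.1
WEBSERVER_SUBNETS=0.0.0.0/0
DEFAULT_GATEWAY=10.51.24.1
"""

# Key prefix of each external network -> the address keys that belong to it.
NETWORKS = {
    "SIGNALING_MEDIA": ["SIGNALING_IP", "MEDIA_IP_1", "MEDIA_IP_2"],
    "MANAGEMENT": ["MANAGEMENT_FLOATING_IP", "MANAGEMENT_IP_1", "MANAGEMENT_IP_2"],
    "WEBSERVER": ["WEBSERVER_FLOATING_IP", "WEBSERVER_IP_1", "WEBSERVER_IP_2"],
}
MIN_PREFIX = 16  # assumption: allow-list entries broader than /16 are flagged


def parse_cfg(text):
    """Parse KEY=VALUE lines into a dict; blank lines and '#' comments skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_subnets(value):
    """Split a comma-separated *_SUBNETS value into ip_network objects.

    strict=True rejects entries such as 10.234.12.40/24 (host bits set)
    instead of silently widening them to the whole /24.
    """
    return [ipaddress.ip_network(s.strip(), strict=True)
            for s in value.split(",") if s.strip()]


def check_cfg(cfg):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    for net, addr_keys in NETWORKS.items():
        gateway = cfg[f"{net}_GATEWAY"]
        local = ipaddress.ip_network(
            f"{gateway}/{cfg[f'{net}_NETMASK']}", strict=False)
        for key in addr_keys:
            if ipaddress.ip_address(cfg[key]) not in local:
                findings.append(f"{key}={cfg[key]} is outside {local}")
        try:
            subnets = parse_subnets(cfg.get(f"{net}_SUBNETS", ""))
        except ValueError as exc:
            findings.append(f"{net}_SUBNETS: {exc}")
            continue
        for subnet in subnets:
            if subnet.prefixlen < MIN_PREFIX:
                findings.append(
                    f"{net}_SUBNETS: {subnet} is broader than /{MIN_PREFIX}")
    return findings


def may_reach(cfg, source, net):
    """True if 'source' falls inside the allow-list of external network 'net'."""
    src = ipaddress.ip_address(source)
    return any(src in subnet
               for subnet in parse_subnets(cfg.get(f"{net}_SUBNETS", "")))


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    for finding in check_cfg(cfg):
        print("FINDING:", finding)
    print(may_reach(cfg, "10.234.12.40", "MANAGEMENT"))  # True
    print(may_reach(cfg, "10.234.13.1", "MANAGEMENT"))   # False
```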
ifconfig
[root@nm13-01:swuser]# ifconfig
bond0 Link encap:Ethernet HWaddr D8:D3:85:B1:70:42
inet addr:192.168.0.141 Bcast:192.168.0.255
Mask:255.255.255.0
inet6 addr: fe80::dad3:85ff:feb1:7042/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:4107364 errors:0 dropped:0 overruns:0 frame:0
TX packets:4256896 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1319644627 (1.2 GiB)
TX bytes:788944444 (752.3 MiB)
bond1 Link encap:Ethernet HWaddr D8:D3:85:B1:70:44
inet addr:10.51.15.141 Bcast:10.51.15.255
Mask:255.255.255.0
inet6 addr: fe80::dad3:85ff:feb1:7044/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:348541 errors:0 dropped:0 overruns:0 frame:0
TX packets:249160 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:341848870 (326.0 MiB)
TX bytes:26587670 (25.3 MiB)
bond2 Link encap:Ethernet HWaddr D8:D3:85:B1:70:46
inet addr:10.51.30.171 Bcast:10.51.30.255
Mask:255.255.255.0
inet6 addr: fe80::dad3:85ff:feb1:7046/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:24785 errors:0 dropped:0 overruns:0 frame:0
TX packets:50715 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1773230 (1.6 MiB)
TX bytes:76806434 (73.2 MiB)
bond2:1 Link encap:Ethernet HWaddr D8:D3:85:B1:70:46
inet addr:10.51.30.173 Bcast:10.51.30.255
Mask:255.255.255.0
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
bond3 Link encap:Ethernet HWaddr 00:26:55:DE:8A:D2
inet addr:10.51.24.221 Bcast:10.51.24.255
Mask:255.255.255.0
inet6 addr: fe80::226:55ff:fede:8ad2/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
Memory:fbce0000-fbd00000
eth6 Link encap:Ethernet HWaddr D8:D3:85:B1:70:46
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:17 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1020 (1020.0 b) TX bytes:90 (90.0 b)
Memory:fbfe0000-fc000000
eth7 Link encap:Ethernet HWaddr 00:26:55:DE:8A:D2
UP BROADCAST SLAVE MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Memory:fbee0000-fbf00000
eth8 Link encap:Ethernet HWaddr 00:26:55:DE:8C:61
inet addr:172.16.0.4 Bcast:172.16.0.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Memory:fb8e0000-fb900000
eth9 Link encap:Ethernet HWaddr 00:26:55:DE:8A:D2
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:76734 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:7519514 (7.1 MiB) TX bytes:1308 (1.2 KiB)
Memory:fb7e0000-fb800000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10536158 errors:0 dropped:0 overruns:0 frame:0
TX packets:10536158 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2604674980 (2.4 GiB) TX bytes:2604674980 (2.4 GiB)
ip addr list
[root@nm13-01:swuser]# ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0:
pfifo_fast
link/ether
3: eth1:
route
[root@nm13-01:swuser]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
wms_mgmt * 255.255.255.255 UH 0 0 0 bond0
10.51.15.142 * 255.255.255.255 UH 0 0 0 bond0
10.232.53.191 10.51.15.1 255.255.255.255 UGH 0 0 0 bond1
10.234.12.40 10.51.15.1 255.255.255.255 UGH 0 0 0 bond1
239.192.15.143 * 255.255.255.255 UH 0 0 0 bond0
10.232.53.161 10.51.15.1 255.255.255.255 UGH 0 0 0 bond1
10.51.30.172 * 255.255.255.255 UH 0 0 0 bond0
10.51.24.222 * 255.255.255.255 UH 0 0 0 bond0
10.51.30.173 * 255.255.255.255 UH 0 0 0 bond0
wms_wbsvr * 255.255.255.255 UH 0 0 0 bond0
10.234.12.0 10.51.15.1 255.255.255.0 UG 0 0 0 bond1
10.0.0.0 * 255.255.255.0 U 0 0 0 eth3
172.16.0.0 * 255.255.255.0 U 0 0 0 eth8
192.168.0.0 * 255.255.255.0 U 0 0 0 bond0
10.51.74.0 10.51.30.1 255.255.255.0 UG 0 0 0 bond2
10.51.24.0 * 255.255.255.0 U 0 0 0 bond3
10.51.122.0 10.51.15.1 255.255.255.0 UG 0 0 0 bond1
10.232.53.0 10.51.15.1 255.255.255.0 UG 0 0 0 bond1
10.234.17.0 10.51.15.1 255.255.255.0 UG 0 0 0 bond1
10.51.30.0 * 255.255.255.0 U 0 0 0 bond2
10.234.16.0 10.51.15.1 255.255.255.0 UG 0 0 0 bond1
10.51.15.0 * 255.255.255.0 U 0 0 0 bond1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth8
default 10.51.24.1 0.0.0.0 UG 0 0 0 bond3
4 Public Safety Long Term Evolution Push-to-Talk (PTT) Firewall Rules
Topics Covered in this Chapter
- PTT Switch and Handset Interface Rules
- OAMP Traffic Rules
Firewalls are one of the core components of a network security implementation. Firewall rules inspect and filter
the connections between the internal network and the Internet. The first step in creating firewall rules is to list the
services that should be allowed, together with their sources and destinations.
The following services may be allowed to pass through the firewall:
- WWW (HTTP): The HTTP protocol is used by Apache (and by other Web servers) to serve web pages.
- SSH: Secure Shell (SSH) is a suite of tools for logging into and executing commands on a remote machine.
- TCP: TCP enables two hosts to establish a connection and exchange streams of data.
- UDP: UDP is a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP
provides very few error recovery services, offering instead a direct way to send and receive datagrams
over an IP network.
- SFTP: SFTP is a method of transferring files between computers over a secure SSH data stream.
Firewall filters provide rules that define whether to permit or deny packets that are transiting an interface on a switch
from a source address to a destination address. Firewall filters determine whether to permit or deny traffic before it
enters or exits a port, VLAN, or Layer 3 (routed) interface to which the firewall filter is applied.
Typically, apply a firewall filter that filters on source and destination IP addresses, IP protocols, or protocol
information (such as TCP and UDP port numbers) nearest to the source devices. However, apply a firewall filter that
filters only on a source IP address nearest to the destination devices: when applied too close to the source device, a
firewall filter that filters only on a source IP address could prevent that source device from accessing other
services that are available on the network.
The following firewall filter types are supported:
- Port (Layer 2) firewall filter: Port firewall filters apply to Layer 2 switch ports. Apply port firewall
filters on a physical port.
- VLAN firewall filter: VLAN firewall filters provide access control for packets that enter a VLAN,
are bridged within a VLAN, and leave a VLAN. VLAN firewall filters are applied to all packets that are
forwarded to or forwarded from the VLAN.
- Router (Layer 3) firewall filter: Apply a router firewall filter on Layer 3 (routed) interfaces and routed
VLAN interfaces.
Each filtering criterion consists of the following components:
- Match conditions: Specifies the values or fields that the packet must contain. You can define various match
conditions, including the IP source address field, IP destination address field, Transmission Control Protocol
(TCP) or User Datagram Protocol (UDP) source port field, IP protocol field, Internet Control Message
Protocol (ICMP) packet type, TCP flags, and interfaces.
- Action: Specifies what to do if a packet matches the match conditions. Possible actions are to accept or
discard a packet.
                      | Protocol | Source IP          | Source Port                | Destination IP     | Destination port
Handset to PTT switch | UDP      | Handset private IP | Any handset ephemeral port | Signaling IP       | 5060
PTT switch to Handset | UDP      | Signaling IP       | 5060                       | Handset private IP | Any handset ephemeral port
Table 4-2
TCP
TCP
                      | Protocol | Source IP          | Source Port                | Destination IP     | Destination port
Handset to PTT switch | UDP      | Handset private IP | Any handset ephemeral port | Media IP           | 10000-10799, 12000-12799, 14000-14799, 16000-16799, 18000-18799, 20000-20799, 22000-22799, 24000-24799
PTT switch to handset | UDP      | Media IP           | 10000-10799, 12000-12799, 14000-14799, 16000-16799, 18000-18799, 20000-20799, 22000-22799, 24000-24799 | Handset private IP | Any handset ephemeral port
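As an added example (not part of this guide), the following Python renders the handset signaling and media rules of the two tables above as stateless iptables rules, one per table row, and validates the MANAGEMENT_SUBNETS list from the ipConfig.cfg excerpt in the previous chapter with strict CIDR checking. The handset network, the Signaling IP and Media IP values, and the INPUT/OUTPUT chain names are assumptions.

```python
import ipaddress

# Port values from the handset interface tables: SIP signaling on 5060
# (first table) and the eight RTP media ranges (Table 4-2).
SIP_PORT = 5060
MEDIA_PORT_RANGES = [(10000, 10799), (12000, 12799), (14000, 14799), (16000, 16799),
                     (18000, 18799), (20000, 20799), (22000, 22799), (24000, 24799)]

# Constructed ipConfig.cfg excerpt; the subnet values mirror the one shown in the guide.
SAMPLE_CFG = """MANAGEMENT_NETMASK=255.255.255.0
MANAGEMENT_GATEWAY=10.51.15.1
MANAGEMENT_SUBNETS=10.232.53.191/32,10.232.53.161/32,10.234.12.40/32,10.234.12.0/24,10.234.16.0/24,10.234.17.0/24,10.232.53.0/24,10.51.122.0/24
WEBSERVER_SUBNETS=
"""


def multiport(ranges):
    """Render port ranges in iptables multiport syntax ("lo:hi,lo:hi"), rejecting
    anything outside 1-65535 or with lo > hi before it reaches the firewall."""
    for lo, hi in ranges:
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {lo}-{hi}")
    return ",".join(f"{lo}:{hi}" for lo, hi in ranges)


def handset_rules(handset_net, signaling_ip, media_ip):
    """The two handset tables as stateless iptables rules, one per table row.
    Chain names (INPUT/OUTPUT) and the address arguments are assumptions;
    'any handset ephemeral port' is expressed by omitting the port match."""
    net = ipaddress.ip_network(handset_net, strict=True)
    sig, med = ipaddress.ip_address(signaling_ip), ipaddress.ip_address(media_ip)
    ports = multiport(MEDIA_PORT_RANGES)
    return [
        f"-A INPUT -p udp -s {net} -d {sig} --dport {SIP_PORT} -j ACCEPT",   # handset -> switch, SIP
        f"-A OUTPUT -p udp -s {sig} --sport {SIP_PORT} -d {net} -j ACCEPT",  # switch -> handset, SIP
        f"-A INPUT -p udp -s {net} -d {med} -m multiport --dports {ports} -j ACCEPT",   # handset -> switch, media
        f"-A OUTPUT -p udp -s {med} -m multiport --sports {ports} -d {net} -j ACCEPT",  # switch -> handset, media
    ]


def management_subnets(cfg_text):
    """Parse MANAGEMENT_SUBNETS from ipConfig.cfg text into validated networks.
    strict=True makes a host written with a wide mask (e.g. 10.234.12.40/24)
    raise ValueError instead of silently widening access to the whole /24."""
    for line in cfg_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "MANAGEMENT_SUBNETS":
            return [ipaddress.ip_network(e, strict=True) for e in value.split(",") if e]
    raise KeyError("MANAGEMENT_SUBNETS not found")
```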
                               | Protocol | Source IP | Source Port        | Destination IP         | Destination port
Operator Browser to PTT server | HTTP     |           | Any ephemeral port | Management floating IP | 80
Operator Browser to PTT server | HTTPS    |           | Any ephemeral port | Management floating IP | 443
Table 4-4
                               | Protocol | Source IP              | Source Port | Destination IP | Destination port
PTT Server to Operator Browser | HTTP     | Management floating IP | 80          |                |
PTT Server to Operator Browser | HTTPS    | Management floating IP | 443         |                |
Operator Browser to PTT Server (Enterprise Administrator Web Server) Interface Rules
                      | Protocol | Source IP | Source Port        | Destination IP         | Destination port
Browser to PTT Server | HTTP     |           | Any ephemeral port | Web server floating IP | 80
Browser to PTT Server | HTTPS    |           | Any ephemeral port | Web server floating IP | 443
PTT server to Operator Browser (Enterprise Administrator Web Server) Interface Rules
Table 4-6
                      | Protocol | Source IP              | Source Port | Destination IP | Destination port
PTT Server to Browser | HTTP     | Web server floating IP | 80          |                |
PTT Server to Browser | HTTPS    | Web server floating IP | 443         |                |
4.2.3 MTAS Client and MTAS Interface on the PTT Server Interface Rules
The MTAS client is an application in the operator network which provisions the Public Safety Long Term Evolution
Push-to-Talk (PTT) subscribers to the MTAS interface on the Public Safety System.
Table 4-7
Protocol | Source IP     | Source Port        | Destination IP                                            | Destination port
TCP      |               | Any ephemeral port | Management IP                                             | 6827
TCP      | Management IP | 6827               | Any IP having access to Management network (MTAS client) | Any ephemeral port
4.2.4 Operator SNMP Manager and the SNMP Interface on the PTT Server Interface Rules
Table 4-8
GET/ SET/
GETNEXT SNMP
operations
Table 4-9
Destination port
Destination IP
Source IP
Source Port
UDP
161, 8001,
8002
UDP
Management floating
IP
161, 8001,
8002
Any
ephemeral
port
SNMP Traps to
Manager
UDP
Source IP
Management
floating IP
Source
Port
162
Destination IP
Destination port
Table 4-10
Protocol | Source IP     | Source Port        | Destination IP                             | Destination port
TCP      |               | Any ephemeral port | Management IP                              | 2361, 2362
TCP      | Management IP | 2361, 2362         | Any IP having access to Management network | Any ephemeral port
Protocol | Source IP     | Source Port        | Destination IP                             | Destination port
SFTP     |               | Any ephemeral port | Management IP                              | 22
SFTP     | Management IP | 22                 | Any IP having access to Management network | Any ephemeral port
Protocol | Source IP     | Source Port        | Destination IP                             | Destination port
SSH      |               | Any ephemeral port | Management IP                              | 22
SSH      | Management IP | 22                 | Any IP having access to Management network | Any ephemeral port
1. The CCSW sends Call Detail Records (CDR) to the BillingNBI application at the end of the call or the activity.
2. The BillingNBI application generates the corresponding user data records and writes them into a file in CSV format.
3. When the UDR file is first created, it has a *.inp extension. The .inp extension is removed when the UDR file is complete.
4. After 2 minutes, the UDR files are archived to the /cluster/amap directory. The UDR files are stored in this
directory for three days, after which they are moved to the /cluster/arch directory. The UDR files are stored
in that directory for five days.