4. Configuration

4.1. Overview

This section gives a step-by-step approach to setting up a Virtual Service Router UPF as a basic PSA, as pictured in the following diagrams.

[Figure: Abstract view of a basic UPF-PSA.]

[Figure: Concrete configuration about to be made.]

Most steps also apply to I-UPF and ULCL/BP configurations, however, because whatever the role, setting up a Virtual Service Router UPF essentially boils down to:

  • Enabling the fast path since GTP-U management is completely handled internally (no control plane counterpart).

  • Configuring the various N3/N4/N6/N9 links (network interfaces and IPv4/IPv6 routes) to interact with other 5GS network functions.

  • Creating a GTP virtual network interface (in each relevant VRF) to enable GTP-U management in the fast path, that is, the ability to steer GTP-U traffic while applying the rules and policies provided by SMF.

  • For PSA, adding UE-bound IPv4/IPv6 routes through the GTP virtual network interface (in each relevant VRF).

  • Enabling the PFCP service to listen to SMF configuration messages over N4. By handling requests and reporting states through PFCP, this service acts as the glue between SMF and the fast path GTP subsystem.

4.2. Starting up the fast path

The fast path must be running and configured to manage the physical ports expected to handle PDUs (N3/N6/N9 interfaces).

Here device pci-b0s4 refers to eth0 (N4), pci-b0s5 to eth1 (N3) and pci-b0s6 to eth2 (N6).

  • N4, being mainly used for PFCP traffic with SMF, doesn’t actually have to be managed by the fast path, except for the special case where PDUs are also directed through it. It’s only done here for consistency.

  • N3/N6/N9 must be bound to the fast path regardless.

On a related note, resources for the maximum number of concurrent GTP-U tunnels the fast path can handle are allocated during startup, and the default value may not be enough for the target use case.

Configuring gtp-max-pdp at this point is therefore recommended to avoid an expensive fast path restart later that would wreak havoc on existing sessions. The following snippet sets this value to 10000.

vsr> edit running
vsr running config# system fast-path
vsr running fast-path#! port pci-b0s4  # N4
vsr running fast-path# port pci-b0s5  # N3
vsr running fast-path# port pci-b0s6  # N6
vsr running fast-path# limits gtp-max-pdp 10000  # GTP-U tunnels
vsr running fast-path# enabled true
vsr running fast-path# / vrf main
vsr running vrf main# interface physical eth0 port pci-b0s4 enabled true
vsr running vrf main# interface physical eth1 port pci-b0s5 enabled true
vsr running vrf main# interface physical eth2 port pci-b0s6 enabled true
vsr running vrf main# commit

4.3. GTP virtual interface

A GTP virtual interface must be created in a VRF to be associated with PFCP (more about this in PFCP service).

Its presence enables GTP processing (GTP-U encapsulation/decapsulation of PDUs) and provides a gateway for bare, DL-bound IPv4/IPv6 traffic coming from N6 for a given VRF.

It has no other purpose with respect to PDU traffic. A PSA normally does not use it for UL-bound PDUs and it’s not involved for any PDUs in the case of an I-UPF.

vsr> edit running
vsr running config# vrf main
vsr running vrf main# interface gtp gtp0
vsr running gtp gtp0# commit

See also

  • The GTP user guide describes the creation of GTP virtual interfaces.

4.4. IPv4/IPv6 configuration

A basic IPv4/IPv6 configuration is necessary for Virtual Service Router UPF to reach its 5GS neighbors.

Apart from N6, whose addressing depends on whether access to external networks (e.g. the Internet) is desired, the networks surrounding a UPF can rely on private addressing, as PDUs are encapsulated.

Note

If the intended setup involves VRFs, they must be instantiated first and the relevant network interfaces attached to them.

As a PSA, a mandatory route for DL-bound traffic (destined to UEs) must be configured through the GTP virtual interface; otherwise PDUs in this direction would be either dropped or sent as is without GTP-U encapsulation.

vsr> edit running
vsr running config# vrf main
vsr running vrf main# routing static ipv4-route 10.60.0.0/16 next-hop gtp0
vsr running vrf main# commit

Note

This route may be either permanent or created on an as-needed basis. Being part of the general IPv4/IPv6 configuration, however, its presence is an administrator’s responsibility; it’s not created automatically.

IP configuration for the remaining interfaces and default route through N6’s DN:

vsr> edit running
vsr running config# vrf main
vsr running vrf main# interface physical eth0 ipv4 address 10.175.0.2/24  # N4
vsr running vrf main# interface physical eth1 ipv4 address 10.100.0.2/24  # N3
vsr running vrf main# interface physical eth2 ipv4 address 10.200.0.2/24  # N6
vsr running vrf main# routing static ipv4-route 0.0.0.0/0 next-hop 10.200.0.1
vsr running vrf main# commit
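Because the UE-bound route is the administrator's responsibility, it is worth checking that the whole UE address range really resolves to the GTP interface. The following is an added example, not part of the product or its documentation: it models plain longest-prefix matching over static routes and reports the parts of a UE pool that would not go through gtp0. The function name and the two variant route tables are assumptions made for illustration.

```python
import ipaddress

def leaking_prefixes(routes, ue_pool, gtp_if="gtp0"):
    """Sub-prefixes of ue_pool whose longest-prefix match is not the GTP interface."""
    pool = ipaddress.ip_network(ue_pool)
    table = [(ipaddress.ip_network(p), nh) for p, nh in routes]
    table = [(p, nh) for p, nh in table if p.version == pool.version]

    def walk(net):
        # A more specific route inside this block means its halves can differ.
        if any(p != net and p.subnet_of(net) for p, _ in table):
            return [leak for half in net.subnets() for leak in walk(half)]
        covering = [(p, nh) for p, nh in table if net.subnet_of(p)]
        if not covering:
            return [net]                      # no route at all: dropped
        _, next_hop = max(covering, key=lambda e: e[0].prefixlen)
        return [] if next_hop == gtp_if else [net]

    return [str(n) for n in ipaddress.collapse_addresses(walk(pool))]

# Routes from the two snippets above.
PAGE_ROUTES = [("10.60.0.0/16", "gtp0"), ("0.0.0.0/0", "10.200.0.1")]
# Constructed variants showing two ways the UE route can be defeated.
TOO_NARROW = [("10.60.0.0/17", "gtp0"), ("0.0.0.0/0", "10.200.0.1")]
SHADOWED = PAGE_ROUTES + [("10.60.5.0/24", "10.200.0.1")]

if __name__ == "__main__":
    for name, routes in [("page", PAGE_ROUTES), ("narrow", TOO_NARROW),
                         ("shadowed", SHADOWED)]:
        print(name, leaking_prefixes(routes, "10.60.0.0/16"))
```

An empty result means every address in the pool is encapsulated; any listed prefix would follow another route (here the default through N6) and leave without GTP-U encapsulation.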

4.5. PFCP service

The last missing piece of a working UPF is the ability to process SMF configuration messages coming from N4.

The role of the PFCP service is to handle these messages, configure the fast path GTP subsystem accordingly and report to the SMF.

The configured mandatory gtp-interface will be the interface used by PFCP to create the tunnels requested by the SMF.

The following snippet enables the PFCP service and associates it with the GTP virtual interface gtp0 previously configured in the main VRF:

vsr> edit running
vsr running config# vrf main
vsr running vrf main# pfcp enabled true
vsr running vrf main# pfcp address 10.175.0.2
vsr running vrf main# pfcp gtp-interface name gtp0 vrf main
vsr running vrf main# commit

  • The PFCP service only has to be enabled in the VRF managing the N4 interface. Although not mandatory, it’s explicitly bound to eth0’s IP address here.

Note

Currently the PFCP service can be associated with only one SMF at a time. Associating it with another causes the previous association to end.

Important

N4 is critical and should use a dedicated link that’s as reliable as possible.

PFCP traffic has weak security (no authentication, no encryption, easily spoofable) and, being carried by UDP packets, is subject to loss and reordering.

Consider securing N4 with IPsec or comparable solutions as per 3GPP recommendations.
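Since a new association ends the current one and PFCP carries no authentication, monitoring N4 for PFCP from anything other than the expected SMF is a useful complement to IPsec. The following is an added example, not part of the product: it decodes the PFCP header (layout per 3GPP TS 29.244) from UDP payloads and flags malformed messages and unknown peers. The SMF address 10.175.0.1, the function names and the sample datagrams are assumptions constructed for illustration.

```python
import struct

PFCP_PORT = 8805            # UDP port registered for PFCP (3GPP TS 29.244)
ASSOCIATION_SETUP_REQ = 5   # PFCP message type; a new one replaces the current SMF
SMF_ADDR = "10.175.0.1"     # assumption: the legitimate SMF's N4 address

def parse_pfcp_header(payload: bytes):
    """Return (msg_type, seid, seq) or None if this is not well-formed PFCP v1."""
    if len(payload) < 8:
        return None
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    has_seid = bool(flags & 0x01)                 # S flag: SEID field present
    if flags >> 5 != 1 or length + 4 > len(payload):
        return None                               # wrong version or length exceeds datagram
    if has_seid and len(payload) < 16:
        return None
    seid = struct.unpack("!Q", payload[4:12])[0] if has_seid else None
    off = 12 if has_seid else 4
    seq = int.from_bytes(payload[off:off + 3], "big")
    return msg_type, seid, seq

def audit_n4(datagrams, smf_addr=SMF_ADDR):
    """datagrams: iterable of (src_ip, dst_port, udp_payload) seen on N4."""
    alerts = []
    for src, dport, payload in datagrams:
        if dport != PFCP_PORT:
            continue
        hdr = parse_pfcp_header(payload)
        if hdr is None:
            alerts.append((src, "malformed PFCP"))
        elif src != smf_addr:
            kind = ("association setup from unknown peer"
                    if hdr[0] == ASSOCIATION_SETUP_REQ else "PFCP from unknown peer")
            alerts.append((src, f"{kind} (type={hdr[0]}, seq={hdr[2]})"))
    return alerts

# Constructed header-only samples (no IEs), not captured traffic.
SAMPLES = [
    ("10.175.0.1", 8805, bytes.fromhex("2001000400000100")),   # heartbeat from SMF
    ("10.175.0.1", 8805, bytes.fromhex("2134000c000000000000000100000300")),  # session mod
    ("10.175.0.66", 8805, bytes.fromhex("2005000400000200")),  # assoc. setup, other host
    ("10.175.0.1", 8805, bytes.fromhex("2001000900000400")),   # length field lies
]

if __name__ == "__main__":
    for alert in audit_n4(SAMPLES):
        print(alert)
```

A datagram with a forged source address equal to the SMF's passes this check, which is why it only complements, and does not replace, IPsec on N4.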

See also

  • Setting up the PFCP service.

  • Regarding N4 security, refer to 3GPP TS 33.501: 5G; Security architecture and procedures for 5G System chapter 9.9 Security mechanisms for non-SBA interfaces internal to the 5GC.