GSM Network Architecture
A GSM network is made up of multiple components and interfaces that facilitate the sending and receiving of signalling and traffic messages. It is a collection of transceivers, controllers, switches, routers, and registers.
A Public Land Mobile Network (PLMN) is a network that is owned and operated by one GSM service provider or administration, which includes all of the components and equipment as described below. For example, all of the equipment and network resources owned and operated by Cingular are considered one PLMN.
Mobile Station (MS)
The Mobile Station (MS) is made up of two components:
Mobile Equipment (ME)
This refers to the physical phone itself. The phone must be able to
operate on a GSM network. Older phones operated on a single band only.
Newer phones are dual-band, triple-band, and even quad-band capable. A
quad-band phone has the technical capability to operate on any GSM
network worldwide.
Each phone is uniquely identified by the International Mobile Equipment Identity
(IMEI) number. This number is burned into the phone by the
manufacturer. The IMEI can usually be found by removing the battery of
the phone and reading the panel in the battery well.
It is possible to change the IMEI on a phone to reflect a different IMEI. This is known as IMEI spoofing or IMEI cloning. This is usually done on stolen phones. The average user does not have the technical ability to change a phone's IMEI.
Subscriber Identity Module (SIM) - The SIM is a small smart card that is inserted into the phone and carries information specific to the subscriber, such as IMSI, TMSI, Ki (used for encryption), Service Provider Name (SPN), and Location Area Identity (LAI). The SIM can also store phone numbers (MSISDN) dialed and received, the Kc (used for encryption), phone books, and data for other applications. A SIM card can be removed from one phone and inserted into another GSM-capable phone, and the subscriber will get the same service as always.
Each SIM card is protected by a 4-digit Personal Identification Number (PIN). In order to unlock a card, the user must enter the PIN. If a PIN is entered incorrectly three times in a row, the card blocks itself and cannot be used. It can only be unblocked with an 8-digit Personal Unblocking Key (PUK), which is also stored on the SIM card.
Base Transceiver Station (BTS)
Base Transceiver Station (BTS) - The BTS is the Mobile Station's access point to the network. It is responsible for carrying out radio communications between the network and the MS. It handles speech encoding, encryption, multiplexing (TDMA), and modulation/demodulation of the radio signals. It is also capable of frequency hopping. A BTS will have between 1 and 16 Transceivers (TRX), depending on the geography and user demand of an area. Each TRX represents one ARFCN.
One BTS usually covers a single 120-degree sector of an area. Usually a tower with 3 BTSs will accommodate all 360 degrees around the tower. However, depending on the geography and user demand of an area, a cell may be divided up into one or two sectors, or a cell may be serviced by several BTSs with redundant sector coverage.
A BTS is assigned a Cell Identity. The cell identity is a 16-bit number (double octet) that identifies that cell in a particular Location Area. The cell identity is part of the Cell Global Identification (CGI), which is discussed in the section about the Visitor Location Register (VLR).

[Figure: 120° Sector]
The interface between the MS and the BTS is known as the Um Interface or the Air Interface.

[Figure: Um Interface]
Base Station Controller (BSC)
Base Station Controller (BSC) - The BSC controls multiple BTSs. It handles allocation of radio channels, frequency administration, power and signal measurements from the MS, and handovers from one BTS to another (if both BTSs are controlled by the same BSC). A BSC also functions as a "funneler". It reduces the number of connections to the Mobile Switching Center (MSC) and allows for higher capacity connections to the MSC.
A BSC may be collocated with a BTS or it may be geographically separate. It may even be collocated with the Mobile Switching Center (MSC).
[Figure: Base Station Controller]
The interface between the BTS and the BSC is known as the Abis Interface.

[Figure: Abis Interface]
The Base Transceiver Station (BTS) and the Base Station Controller (BSC) together make up the Base Station System (BSS).

[Figure: Base Station System]
Mobile Switching Center (MSC)
Mobile Switching Center (MSC) - The MSC is the heart of the GSM network. It handles call routing, call setup, and basic switching functions. An MSC handles multiple BSCs and also interfaces with other MSCs and registers. It also handles inter-BSC handoffs and coordinates with other MSCs for inter-MSC handoffs.

[Figure: Mobile Switching Center]
The interface between the BSC and the MSC is known as the A Interface.
[Figure: A Interface]
Gateway Mobile Switching Center (GMSC)
There is another important type of MSC, called a Gateway Mobile Switching Center (GMSC). The GMSC functions as a gateway between two networks. If a mobile subscriber wants to place a call to a regular landline, then the call would have to go through a GMSC in order to switch to the Public Switched Telephone Network (PSTN).

[Figure: Gateway Mobile Switching Center]
For example, if a subscriber on the Cingular network wants to call a subscriber on a T-Mobile network, the call would have to go through a GMSC.

[Figure: Connections Between Two Networks]
The interface between two Mobile Switching Centers (MSC) is called the E Interface.

[Figure: E Interface]
Home Location Register (HLR)
Home Location Register (HLR) - The HLR is a large database that permanently stores data about subscribers. The HLR maintains subscriber-specific information such as the MSISDN, IMSI, current location of the MS, roaming restrictions, and subscriber supplemental features. There is logically only one HLR in any given network, but generally speaking each network has multiple physical HLRs spread out across its network.
Visitor Location Register (VLR)
Visitor Location Register (VLR) - The VLR is a database that contains a subset of the information located on the HLR. It contains similar information as the HLR, but only for subscribers currently in its Location Area. There is a VLR for every Location Area. The VLR reduces the overall number of queries to the HLR and thus reduces network traffic. VLRs are often identified by the Location Area Code (LAC) for the area they service.

[Figure: Visitor Location Register]
Location Area Code (LAC)
A LAC is a fixed-length code (two octets) that identifies a location area within the network. Each Location Area is serviced by a VLR, so we can think of a Location Area Code (LAC) being assigned to a VLR.
Location Area Identity (LAI)
An LAI is a globally unique number that identifies the country, network provider, and LAC of any given Location Area, which coincides with a VLR. It is composed of the Mobile Country Code (MCC), the Mobile Network Code (MNC), and the Location Area Code (LAC). The MCC and the MNC are the same numbers used when forming the IMSI.

[Figure: Location Area Identity (LAI)]
Cell Global Identification (CGI)
The CGI is a number that uniquely identifies a specific cell within its location area, network, and country. The CGI is composed of the MCC, MNC, LAI, and Cell Identity (CI).

[Figure: Cell Global Identity]
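The identifiers above have a fixed wire layout. As an added example (not part of the original page), this Python code packs and parses a CGI as the 5-octet LAI followed by the 2-octet CI. The BCD digit order and the 0xF filler nibble for two-digit MNCs follow 3GPP TS 24.008; the sample LAC and CI values are constructed.

```python
from typing import NamedTuple

class CGI(NamedTuple):
    mcc: str   # Mobile Country Code, 3 decimal digits
    mnc: str   # Mobile Network Code, 2 or 3 decimal digits
    lac: int   # Location Area Code, two octets
    ci: int    # Cell Identity, two octets

def encode_lai(mcc: str, mnc: str, lac: int) -> bytes:
    """Return the 5-octet LAI: BCD-packed MCC/MNC followed by the 2-octet LAC."""
    if not (mcc.isdigit() and len(mcc) == 3):
        raise ValueError("MCC must be 3 digits")
    if not (mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MNC must be 2 or 3 digits")
    if not 0 <= lac <= 0xFFFF:
        raise ValueError("LAC must fit in two octets")
    m = [int(d) for d in mcc]
    n = [int(d) for d in mnc]
    n3 = n[2] if len(n) == 3 else 0xF          # filler nibble for a 2-digit MNC
    plmn = bytes([m[1] << 4 | m[0], n3 << 4 | m[2], n[1] << 4 | n[0]])
    return plmn + lac.to_bytes(2, "big")

def encode_cgi(cgi: CGI) -> bytes:
    """CGI on the wire: the LAI followed by the 2-octet Cell Identity."""
    if not 0 <= cgi.ci <= 0xFFFF:
        raise ValueError("CI must fit in two octets")
    return encode_lai(cgi.mcc, cgi.mnc, cgi.lac) + cgi.ci.to_bytes(2, "big")

def decode_cgi(raw: bytes) -> CGI:
    """Parse 7 octets into a CGI, rejecting malformed BCD digits."""
    if len(raw) != 7:
        raise ValueError("CGI is exactly 7 octets")
    nib = [raw[0] & 0xF, raw[0] >> 4, raw[1] & 0xF,    # MCC digits 1..3
           raw[2] & 0xF, raw[2] >> 4, raw[1] >> 4]     # MNC digits 1..3
    if nib[5] == 0xF:
        nib.pop()                                      # 2-digit MNC
    if any(d > 9 for d in nib):
        raise ValueError("non-decimal BCD digit in MCC/MNC")
    digits = "".join(map(str, nib))
    return CGI(digits[:3], digits[3:], int.from_bytes(raw[3:5], "big"),
               int.from_bytes(raw[5:7], "big"))

# Constructed sample: MCC 001 / MNC 01 is a test PLMN; LAC and CI are made up.
SAMPLE = CGI("001", "01", 0x1A2B, 0x00C8)

if __name__ == "__main__":
    print(encode_cgi(SAMPLE).hex(), decode_cgi(encode_cgi(SAMPLE)))
```

Decoding the identifiers this way lets a log reviewer compare the MCC, MNC, LAC and CI a handset reported against the cells the operator actually deployed.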
The VLR also has one other very important function: the assignment of a Temporary Mobile Subscriber Identity (TMSI). TMSIs are assigned by the VLR to an MS as it comes into its Location Area. TMSIs are unique to a VLR. TMSIs are only allocated when in cipher mode.
The interface between the MSC and the VLR is known as the B Interface and the interface between the VLR and the HLR is known as the D Interface. The interface between two VLRs is called the G Interface.

[Figure: B and D Interfaces]
Equipment Identity Register (EIR)
Equipment Identity Register (EIR) - The EIR is a database that keeps track of handsets on the network using the IMEI. There is only one EIR per network. It is composed of three lists: the white list, the gray list, and the black list.
The black list is a list of IMEIs that are to be denied service by the network for some reason. Reasons include the IMEI being listed as stolen or cloned, or the handset malfunctioning or not having the technical capabilities to operate on the network.
The gray list is a list of IMEIs that are to be monitored for suspicious activity. This could include handsets that are behaving oddly or not performing as the network expects them to.
The white list is an unpopulated list. That means if an IMEI is not on the black list or on the gray list, then it is considered good and is "on the white list".
The interface between the MSC and the EIR is called the F Interface.

[Figure: Equipment Identity Register]
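An added example, not the page's or any operator's code, of the EIR decision described above: only the black and gray lists are stored, and any other IMEI is implicitly white. The Luhn check-digit test on the 15-digit IMEI is standard; the MAX_IMSIS gray-listing rule and all IMEI and IMSI values are constructed assumptions.

```python
from collections import defaultdict

def luhn_ok(imei: str) -> bool:
    """True when a 15-digit IMEI carries a valid Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class EIR:
    MAX_IMSIS = 3   # hypothetical threshold for "behaving oddly" (assumption)

    def __init__(self, black=(), gray=()):
        self.black, self.gray = set(black), set(gray)
        self.seen = defaultdict(set)      # IMEI -> IMSIs it has attached with

    def check(self, imei: str, imsi: str) -> str:
        """Classify one attach attempt as 'invalid', 'black', 'gray' or 'white'."""
        if not luhn_ok(imei):
            return "invalid"              # malformed identity, not looked up
        if imei in self.black:
            return "black"                # deny service; black wins over gray
        self.seen[imei].add(imsi)
        if len(self.seen[imei]) > self.MAX_IMSIS:
            self.gray.add(imei)           # assumed heuristic: possible cloned IMEI
        return "gray" if imei in self.gray else "white"

# Constructed sample identities (not real handsets or subscribers).
PREFIX = "99" + "0" * 11
STOLEN, WATCHED, CLEAN = PREFIX + "10", PREFIX + "28", PREFIX + "36"
BAD = PREFIX + "37"                       # same body as CLEAN, wrong check digit

def run_sample() -> list:
    """Replay constructed attach attempts and return the EIR verdict for each."""
    eir = EIR(black={STOLEN}, gray={WATCHED})
    attempts = [(STOLEN, "001010000000001"), (WATCHED, "001010000000002"),
                (BAD, "001010000000003")]
    attempts += [(CLEAN, f"00101{n:010d}") for n in range(10, 14)]  # 4 IMSIs, 1 IMEI
    return [eir.check(imei, imsi) for imei, imsi in attempts]

if __name__ == "__main__":
    print(run_sample())
```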
Authentication Center (AuC)
Authentication Center (AuC) - The AuC handles the authentication and encryption tasks for the network. The AuC stores the Ki for each IMSI on the network. It also generates cryptovariables such as the RAND, SRES, and Kc. Although it is not required, the AuC is normally physically collocated with the HLR.

[Figure: Authentication Center]
There is one last interface that we haven't discussed. The interface between the HLR and a GMSC is called the C Interface. You will see it in the full network diagram below. This completes the introduction to the network architecture of a GSM network. Below you will find a network diagram with all of the components as well as the names of all of the interfaces.

[Figure: Full GSM Network]