When router interface Network Group Encryption (NGE) is configured on a PDN router interface that is enabled for CBSD authorization, an exception filter must be configured to ensure that SAS control packets are permitted. The filter must allow the following:
- outbound and inbound clear text traffic to and from the primary SAS. The server IP address must be known.
- outbound and inbound clear text traffic to and from the secondary SAS server, if configured. The server IP address must be known.
- outbound and inbound clear text DNS queries and responses using the DNS server information learned in the PCO. The IP address returned from the DNS query must be known and statically configured for the primary and secondary SAS server addresses.
- outbound and inbound clear text SSH sessions.
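
The following is an added example, not taken from the product documentation: a pre-deployment check that reports which of the clear text flows listed above an exception filter fails to permit, per direction. The `Entry` model is a hypothetical abstraction and not router CLI syntax; the addresses are constructed, and DNS on UDP/53 and SSH on TCP/22 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Entry:
    """One exception-filter entry in an abstract model (not router CLI syntax)."""
    direction: str                  # "inbound" or "outbound"
    remote: str                     # remote prefix, e.g. "192.0.2.10/32"
    protocol: Optional[str] = None  # None matches any protocol
    port: Optional[int] = None      # service port on either side; None matches any

def required_flows(sas_primary, dns_server, sas_secondary=None):
    """Clear text flows the list above requires, each needed in both directions."""
    flows = [("primary SAS", sas_primary, None, None),
             ("DNS", dns_server, "udp", 53),   # assumption: DNS over UDP/53
             ("SSH", None, "tcp", 22)]         # assumption: SSH on TCP/22, any peer
    if sas_secondary:                          # only required if configured
        flows.insert(1, ("secondary SAS", sas_secondary, None, None))
    return [(d, *f) for f in flows for d in ("outbound", "inbound")]

def covers(e: Entry, direction, remote, protocol, port) -> bool:
    if e.direction != direction:
        return False
    if e.protocol is not None and e.protocol != protocol:
        return False
    if e.port is not None and e.port != port:
        return False
    # remote=None means the requirement names no specific peer
    return remote is None or ip_address(remote) in ip_network(e.remote)

def missing_exceptions(entries, sas_primary, dns_server, sas_secondary=None):
    """Return (direction, flow name) pairs that no entry permits in clear text."""
    return [(d, name)
            for d, name, remote, proto, port
            in required_flows(sas_primary, dns_server, sas_secondary)
            if not any(covers(e, d, remote, proto, port) for e in entries)]

# Constructed sample: the inbound DNS entry and the outbound secondary-SAS
# entry were forgotten.
SAMPLE = [
    Entry("outbound", "192.0.2.10/32"), Entry("inbound", "192.0.2.10/32"),
    Entry("inbound", "192.0.2.11/32"),
    Entry("outbound", "198.51.100.53/32", "udp", 53),
    Entry("outbound", "0.0.0.0/0", "tcp", 22), Entry("inbound", "0.0.0.0/0", "tcp", 22),
]

if __name__ == "__main__":
    for direction, name in missing_exceptions(SAMPLE, "192.0.2.10", "198.51.100.53", "192.0.2.11"):
        print(f"missing {direction} exception: {name}")
```

A one-directional entry is the usual gap: the outbound request leaves in clear text while the reply is dropped because no inbound exception matches it.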