Cisco 10000 Series Router Service Selection Gateway Configuration Guide January 2004 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
CONTENTS About This Guide ix Audience ix Document Organization ix Document Conventions x Related Documentation xi Obtaining Documentation xi Cisco.
Contents Configuration of SSG Autologoff 3-2 Configuration Example for SSG Autologoff 3-3 SSG Prepaid Idle Timeout 3-3 Service Authorization 3-4 Service Reauthorization 3-4 Restrictions for SSG Prepaid Idle Timeout 3-5 Prerequisites for SSG Prepaid Idle Timeout 3-5 Configuration of SSG Prepaid Idle Timeout 3-5 Configuration Example for SSG Prepaid Idle Timeout CHAPTER 4 SSG Session and Idle Timeout 3-6 Authentication and Accounting 4-1 3-5 SSG Full Username RADIUS Attribute 4-1 Restrictions for S
Contents Restrictions for SSG Open Garden 6-6 Configuration of SSG Open Garden 6-6 Configuration Example for SSG Open Garden 6-6 SSG Port-Bundle Host Key 6-6 Restrictions for SSG Port-Bundle Host Key 6-7 Prerequisites for SSG Port-Bundle Host Key 6-8 Configuration of SSG Port-Bundle Host Key 6-8 Exclude Networks 6-8 Mutually Exclusive Service Selection 6-8 Configuration of Mutually Exclusive Service Selection 6-9 Configuration Example for Mutually Exclusive Service Selection CHAPTER 7 Service Profil
Contents CHAPTER Interface Configuration 9 9-1 Transparent Passthrough 9-1 Access Side Interfaces 9-2 Network Side Interfaces 9-3 Restrictions of Transparent Passthrough 9-3 Configuration of Transparent Passthrough 9-3 Multicast Protocols on SSG Interfaces 9-3 Configuration of Multicast Protocols on SSG Interfaces CHAPTER CHAPTER 10 11 9-4 SSG TCP Redirect 10-1 Redirection for Unauthenticated Users 10-1 Redirection for Unauthorized Services 10-2 Initial Captivation 10-3 Restrictions for SSG TCP R
Contents Configuration of Packet Filtering 11-5 Configuration Example for Packet Filtering 11-5 SSG Unconfig 11-5 Restrictions for SSG Unconfig 11-5 Prerequisites for SSG Unconfig 11-6 Configuration of SSG Unconfig 11-6 Configuration Examples for SSG Unconfig 11-6 SSG Enhancements for Overlapping Services 11-7 Service Translation 11-7 Restrictions for Service Translation 11-9 Prerequisites for Service Translation 11-9 Configuration of Service Translation 11-10 Configuration Example for Service Translat
Contents Cisco 10000 Series Router Service Selection Gateway Configuration Guide viii OL-4387-02
About This Guide This guide provides information about the Service Selection Gateway (SSG) features of the Cisco 10000 Series Router. The SSG features are supported in Cisco IOS Release 12.2(16)BX and later releases. Audience This guide is designed for system and network managers responsible for configuring Service Selection Gateway features on the Cisco 10000 router. The manager should be experienced using Cisco IOS software and be familiar with the operation of the Cisco 10000 router.
Document Organization (table excerpt)
Chapter 10, SSG TCP Redirect: Describes the TCP Redirect feature for SSG.
Document Conventions (continued)
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Warning: Means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, you must be aware of the hazards involved with electrical circuitry and familiar with standard practices for preventing accidents.
About This Guide Documentation Feedback Documentation CD-ROM Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription. Registered Cisco.
About This Guide Obtaining Technical Assistance Cisco TAC Website The Cisco TAC website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website is located at this URL: http://www.cisco.com/tac Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password.
About This Guide Obtaining Additional Publications and Information Obtaining Additional Publications and Information Information about Cisco products, technologies, and network solutions is available from various online and printed sources. • The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://www.cisco.com/en/US/products/products_catalog_links_launch.
Chapter 1 Service Selection Gateway Overview The Service Selection Gateway feature, available in Cisco IOS Release 12.2(16)BX or later, offers a switching solution to service providers. Working in conjunction with the Cisco Subscriber Edge Services Manager (SESM), SSG provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with the SESM web application using a standard Internet browser.
Figure 1-1 SSG Topology Example [figure: a Cisco 10000 router running SSG receives subscriber traffic over PPP/RBE/IP; it connects to a RADIUS AAA server, a Default Network hosting the Cisco Secure Web Dashboard, ISP/Service A, ISP/Service B and ISP/Service C (each with its own RADIUS AAA), an Open Garden, and an Extranet reached over an IP data tunnel]
Note The Cisco 10000 series router does not support tunneling of SSG users.
Chapter 1 Service Selection Gateway Overview Service Selection Gateway Default Network The default network is a location that SSG allows unauthenticated users to access. The default network is a single IP address or subnet, typically the IP address of the SESM application although other types of servers can also be defined as the default network. The default network supports the port-bundle host key. The default network enables special processing of traffic to and from the default network.
Supported SSG Features
The Cisco 10000 series router supports the following SSG features and functionality:
• SSG Logon and Logoff, page 3-1
• Authentication and Accounting, page 4-1
• Service Selection Methods, page 5-1
• Service Connection, page 6-1
• Service Profiles and Cached Service Profiles, page 7-1
• SSG Hierarchical Policing, page 8-1
• Interface Configuration, page 9-1
• SSG TCP Redirect, page 10-1
• VPI/VCI S
Chapter 1 Service Selection Gateway Overview SSG Restrictions • The Cisco 10000 router’s SSG software and forwarding software handle multiple users attached to a single Cisco IOS software interface in different ways, which could result in users receiving services that they did not select. After the first user logs on, all subsequent user logon attempts are rejected.
SSG Prerequisites
The SSG feature has the following prerequisites:
• The Cisco 10000 series router must be running Cisco IOS Release 12.2(16)BX or later.
• The performance routing engine (PRE), part number ESR-PRE2, must be installed in the router chassis. The PRE performs all Layer 2 and Layer 3 packet manipulation related to routing and forwarding operations.
Chapter 1 Service Selection Gateway Overview SSG Architecture Model In Figure 1-2, subscribers access the SESM web portal application using any web browser on a variety of devices (such as a desktop computer over DSL). The Cisco 10000 series router (the SSG node) forwards unauthenticated SSG traffic from the subscriber to SESM, configured as the captive portal and default network. The SSG feature set of the router allows the service provider to design a service selection access network.
Chapter 2 Scalability and Performance The infrastructure of the service provider must be capable of supporting the services the enterprise customer or Internet service provider (ISP) wants to offer its subscribers. It must also be able to scale to an expanding subscriber base. You can configure the Cisco 10000 series router for high scalability.
Chapter 2 Scalability and Performance Limitations and Restrictions Now, consider the following revised service definitions in which two different services are defined. These service definitions allow all users to connect to the Standard service and allow some users to connect simultaneously to Good or Best services.
Chapter 3 SSG Logon and Logoff
The Cisco 10000 series router supports the following SSG features for logon and logoff related functions:
• Single Host Logon, page 3-1
• SSG Autologoff, page 3-2
• SSG Prepaid Idle Timeout, page 3-3
• SSG Session and Idle Timeout, page 3-6
This chapter describes each of the SSG logon and logoff features.
Single Host Logon
The Single Host Logon feature enables users to enter authentication information only twice.
Chapter 3 SSG Logon and Logoff SSG Autologoff SSG Autologoff The SSG Autologoff feature enables SSG to verify connectivity with each host. SSG checks the status of the connection with each host at configured intervals. If SSG finds that a host is not reachable, SSG automatically initiates the logoff of that host. SSG has two methods of checking the connectivity of hosts: ARP ping and ICMP ping. ARP ping When autologoff is configured to use ARP ping, SSG periodically checks the ARP cache tables.
Configuration Example for SSG Autologoff
Example 3-1 shows how to enable autologoff with ARP ping.
Example 3-1 SSG Autologoff Using ARP Ping
    ssg auto-logoff arp interval 60
Example 3-2 shows how to enable autologoff with ICMP ping.
Chapter 3 SSG Logon and Logoff SSG Prepaid Idle Timeout Service Authorization SSG sends a service authorization request to the billing server upon initial service authorization. Explicit service authorization is required whenever a user attempts to connect to a prepaid service to ensure that the user has sufficient credit to connect to that service. The billing server responds with the available quota (allotment of prepaid credit) to SSG.
Restrictions for SSG Prepaid Idle Timeout
The SSG Prepaid Idle Timeout feature has the following restrictions:
• The Cisco 10000 router supports only time-based SSG Prepaid for a service connection. Quotas are measured in seconds. You cannot change the unit of measure.
• The Cisco 10000 router does not support returning a quota when the connection is idle.
Example 3-5 shows how to configure the SSG TCP Redirect feature for a specific service. The commands redirect all prepaid service traffic to the captive portal group called "InternetRedirectGroup" and configure the captive portal group as the server group used for redirecting prepaid traffic.
Example 3-5 SSG Service-Specific TCP Redirect
    ssg enable
    ssg tcp-redirect
     server-group InternetRedirectGroup
      server 10.0.0.1 8080
      server 10.0.0.
Chapter 4 Authentication and Accounting
The Cisco 10000 series router supports the following SSG features for authentication and accounting related functions:
• SSG Full Username RADIUS Attribute, page 4-1
• RADIUS Accounting Records, page 4-2
This chapter describes the SSG features for authentication and accounting.
RADIUS Accounting Records
SSG sends accounting records with the associated attributes to the RADIUS accounting server when the following events occur:
• Account Login and Logout, page 4-2
• Service Connection and Termination, page 4-3
Account Login and Logout
SSG sends a RADIUS accounting-request record to the local RADIUS server when a user logs in to or out of the SSG.
Chapter 4 Authentication and Accounting RADIUS Accounting Records Service Connection and Termination SSG also sends a RADIUS accounting-request record to the local RADIUS server when a user accesses or terminates a service. The Acct-Status-Type attribute included in the accounting-request record indicates whether the accounting-request marks the start of the user service or the end of the service. When a user accesses a service, SSG sends an accounting-start record to RADIUS.
Example 4-6 shows the information contained in an accounting-stop record for service termination.
Example 4-6 RADIUS Accounting-Stop Record for Service Termination
    NAS-IP-Address = 192.168.2.
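The start and stop records described above are only useful to an operator if they can be matched up per session: a Start with no Stop means a host is still being authorized and billed, and a Stop with no Start means accounting data was lost on the way to the server. The following Python is an added example, not code from the guide or from Cisco IOS; it assumes the "Attribute = value" layout of the guide's examples and standard RADIUS accounting attributes (Acct-Status-Type, Acct-Session-Id, User-Name, Acct-Session-Time). The records it parses are constructed, not captured.

```python
"""Pair SSG RADIUS accounting-start and accounting-stop records per session.

Added example; not part of the guide or Cisco IOS. Records are constructed.
"""
from typing import Dict, List, Tuple

# Constructed sample records: one completed session, one still open, and one
# Stop record whose Start was never received.
SAMPLE_RECORDS = [
    'NAS-IP-Address = 192.168.2.1\nUser-Name = "user1@service.com"\n'
    'Acct-Status-Type = Start\nAcct-Session-Id = "00000001"',
    'NAS-IP-Address = 192.168.2.1\nUser-Name = "user1@service.com"\n'
    'Acct-Status-Type = Stop\nAcct-Session-Id = "00000001"\nAcct-Session-Time = 3600',
    'NAS-IP-Address = 192.168.2.1\nUser-Name = "user2@service.com"\n'
    'Acct-Status-Type = Start\nAcct-Session-Id = "00000002"',
    'NAS-IP-Address = 192.168.2.1\nUser-Name = "user3@service.com"\n'
    'Acct-Status-Type = Stop\nAcct-Session-Id = "00000003"\nAcct-Session-Time = 120',
]


def parse_record(text: str) -> Dict[str, str]:
    """Parse one 'Attribute = value' record into a dict; surrounding quotes are stripped."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.strip().strip('"')
    return attrs


def pair_sessions(records: List[Dict[str, str]]
                  ) -> Tuple[Dict[str, Dict[str, str]], List[str], List[str]]:
    """Match Start and Stop records by Acct-Session-Id.

    Returns (closed sessions keyed by id, ids still open, ids of Stop records
    that had no matching Start).
    """
    open_sessions: Dict[str, Dict[str, str]] = {}
    closed: Dict[str, Dict[str, str]] = {}
    orphan_stops: List[str] = []
    for rec in records:
        sid = rec.get("Acct-Session-Id", "")
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            open_sessions[sid] = rec
        elif status == "Stop":
            start = open_sessions.pop(sid, None)
            if start is None:
                orphan_stops.append(sid)
            else:
                closed[sid] = {**start, **rec}  # Stop values (session time) win
    return closed, sorted(open_sessions), orphan_stops


def audit(raw_records: List[str]):
    """Parse raw records, then pair them."""
    return pair_sessions([parse_record(r) for r in raw_records])


if __name__ == "__main__":
    closed, still_open, orphans = audit(SAMPLE_RECORDS)
    for sid, rec in closed.items():
        print(f"session {sid} ({rec['User-Name']}) closed after {rec['Acct-Session-Time']} s")
    print("still open:", still_open)
    print("stop without start:", orphans)
```

Run against a real export, the two lists at the end are the ones to review: sessions that never stopped and stops without a start.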
Chapter 5 Service Selection Methods
The Cisco 10000 series router supports the following service selection methods:
• PPP Terminated Aggregation, page 5-1
• PTA-Multidomain, page 5-1
• Web Service Selection, page 5-2
This chapter describes the service selection methods.
PPP Terminated Aggregation
PPP terminated aggregation (PTA) is a PPP selection method in which service selection is based on a structured domain name (for example, username@service.com).
Restrictions for PTA-MD
A user cannot simultaneously connect to multiple services that are in different VRFs.
Web Service Selection
Web service selection enables users to concurrently access multiple on-demand services from a list of personalized services. The Cisco 10000 series router supports the Cisco Subscriber Edge Services Manager (SESM) application for web service selection.
Chapter 5 Service Selection Methods Web Service Selection SESM and SSG Performance Packets sent between the SSG and the SESM might require processing by the Cisco 10000 router Route Processor (RP), instead of the parallel express forwarding (PXF) engine.
Chapter 6 Service Connection
The Cisco 10000 series router supports the following SSG features for service connection:
• SSG AutoDomain, page 6-1
• SSG Prepaid, page 6-4
• SSG Open Garden, page 6-5
• SSG Port-Bundle Host Key, page 6-6
• Exclude Networks, page 6-8
• Mutually Exclusive Service Selection, page 6-8
This chapter describes the SSG features for service connection.
Chapter 6 Service Connection SSG AutoDomain You can configure SSG AutoDomain in basic or extended mode. In basic mode, the AutoDomain profile downloaded from the AAA server is a service profile. This service profile is a proxy or VPDN service. If the AutoDomain service profile is a proxy service, SSG authenticates the user to the appropriate domain AAA server with the authentication information found in the Access-Request received from the RADIUS client.
Example 6-1 SSG AutoDomain
    ssg auto-domain
     mode extended
     select called-station-id
     nat user-address
     download exclude-profile ssg-auto-domain-exclude-profile cisco
     exclude apn cisco
     exclude domain motorola
Example 6-2 shows the format for defining a new vendor-specific attribute, SSG Control-Info VSA(253), which is required for the AutoDomain exclude profile on the AAA server.
Chapter 6 Service Connection SSG Prepaid SSG Prepaid The SSG Prepaid feature allows a user to connect to a service if the user has prepaid for the service. SSG checks a subscriber’s available credit to determine whether to connect the subscriber to the service and how long the connection can last. The billing server administers the subscriber’s credit as a series of quotas. These quotas are allotments of available credit and represent the duration of use, expressed in seconds.
Configuration Example for SSG Prepaid
Example 6-4 configures a global prepaid server group named ssg_prepaid and attaches the server group to the SSG.
Example 6-4 Attaching a Global Prepaid Server Group to the SSG
    Router(config)# aaa group server radius ssg_prepaid
    Router(config-sg)# server 1.2.3.
Restrictions for SSG Open Garden
The SSG Open Garden feature has the following restrictions:
• RADIUS accounting records are not created for Open Garden services.
• The Cisco 10000 router supports the creation of Open Garden services by using local profiles only; you cannot use RADIUS profiles.
• The Cisco 10000 router does not support overlapping Open Garden service networks.
Chapter 6 Service Connection SSG Port-Bundle Host Key For each TCP session between a subscriber and the SESM server, SSG uses one port from the port bundle as the port map. Port mappings are flagged as eligible for reuse on the basis of inactivity timers, but are not explicitly removed once assigned. The number of port bundles is limited, but you can assign multiple SSG source IP addresses to accommodate more subscribers.
Prerequisites for SSG Port-Bundle Host Key
The SSG Port-Bundle Host Key feature has the following requirements:
• The Cisco 10000 router supports the SSG Port-Bundle Host Key feature for Cisco SESM Release 3.1(1) or later.
• A default network must be configured and routable from SSG.
Configuration of SSG Port-Bundle Host Key
The port-bundle host key is disabled by default.
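The port-bundle mechanism described above is what lets the SESM tell subscribers apart by the SSG source address and port it sees, rather than by a subscriber address that may not be unique. The following Python is an added model of that mapping; it is not the router's implementation. Its assumptions are labelled: each subscriber host gets one bundle of BUNDLE_SIZE consecutive ports on one SSG source address, each subscriber-to-SESM TCP session takes one port from the bundle, a port becomes reusable only after IDLE_TIMEOUT seconds of inactivity and is never removed from its bundle, and the sizes, timers and addresses are constructed.

```python
"""Model of SSG port-bundle host key allocation. Added example, not Cisco code.

Assumed parameters (constructed, not from the guide):
BUNDLE_SIZE ports per subscriber bundle, PORT_BASE as the first bundled port,
IDLE_TIMEOUT seconds before a port mapping is eligible for reuse.
"""
from typing import Dict, List, Optional, Tuple

BUNDLE_SIZE = 16
PORT_BASE = 20000
IDLE_TIMEOUT = 300

Endpoint = Tuple[str, int]          # (SSG source ip, port)
Session = Tuple[str, int]           # (subscriber ip, subscriber port)


class PortBundleHostKey:
    def __init__(self, source_ips: List[str], bundles_per_ip: int):
        # Free bundles, identified by (source ip, first port); more source
        # addresses mean more bundles, as the guide notes.
        self._free: List[Endpoint] = [(ip, PORT_BASE + i * BUNDLE_SIZE)
                                      for ip in source_ips for i in range(bundles_per_ip)]
        self._host_bundle: Dict[str, Endpoint] = {}
        self._bundle_host: Dict[Endpoint, str] = {}
        # bundle -> {port: (owning session, last activity time)}
        self._ports: Dict[Endpoint, Dict[int, Tuple[Session, float]]] = {}

    def free_bundles(self) -> int:
        return len(self._free)

    def assign_bundle(self, host_ip: str) -> Endpoint:
        """Give a subscriber host its bundle (once); fail when bundles run out."""
        if host_ip in self._host_bundle:
            return self._host_bundle[host_ip]
        if not self._free:
            raise RuntimeError("no free port bundles; add another SSG source address")
        bundle = self._free.pop(0)
        self._host_bundle[host_ip] = bundle
        self._bundle_host[bundle] = host_ip
        self._ports[bundle] = {}
        return bundle

    def map_session(self, host_ip: str, host_port: int, now: float) -> Endpoint:
        """Return the (SSG ip, port) the SESM sees for one subscriber TCP session."""
        bundle = self.assign_bundle(host_ip)
        table = self._ports[bundle]
        session: Session = (host_ip, host_port)
        for port, (owner, _last) in table.items():
            if owner == session:                 # existing mapping: refresh activity
                table[port] = (owner, now)
                return (bundle[0], port)
        for port in range(bundle[1], bundle[1] + BUNDLE_SIZE):
            entry = table.get(port)
            # A port is usable if never assigned or idle past the timeout;
            # mappings are reused, never deleted.
            if entry is None or now - entry[1] >= IDLE_TIMEOUT:
                table[port] = (session, now)
                return (bundle[0], port)
        raise RuntimeError(f"bundle {bundle} exhausted for host {host_ip}")

    def host_for(self, ssg_ip: str, port: int) -> Optional[str]:
        """SESM side: recover the subscriber host from the source it observed."""
        first = PORT_BASE + ((port - PORT_BASE) // BUNDLE_SIZE) * BUNDLE_SIZE
        return self._bundle_host.get((ssg_ip, first))


def demo():
    """Two hosts share one SSG source address; one port is reused after idling."""
    pb = PortBundleHostKey(["10.1.1.1"], bundles_per_ip=2)   # constructed address
    a1 = pb.map_session("192.168.1.10", 50000, now=0)
    a2 = pb.map_session("192.168.1.10", 50001, now=1)
    b1 = pb.map_session("192.168.1.11", 50000, now=2)
    reused = pb.map_session("192.168.1.10", 50002, now=400)   # a1's port is idle
    owner = pb.host_for("10.1.1.1", b1[1])
    return a1, a2, b1, reused, owner, pb.free_bundles()


if __name__ == "__main__":
    print(demo())
```

The reverse lookup in host_for is the "host key": the SESM only needs the source address and port of the connection to find the subscriber, which is why the default network must be routable from the SSG source addresses.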
Mutually Exclusive Service Selection
A SESM configuration option controls the SESM action when a subscriber is already logged into one service and then selects another service in the group:
• SESM can automatically request SSG to disconnect the first service and connect the new service.
• SESM can prompt the subscriber to log off the first service. After the subscriber logs off, SESM requests the connection to the other service.
Chapter 7 Service Profiles and Cached Service Profiles The RADIUS server or the SESM downloads service profiles to the Cisco 10000 series router (SSG node) as needed. Typically, the SSG removes the service profile from memory after the user logs off. Therefore, each time the user attempts to access services, RADIUS or the SESM downloads the service profile, creating unnecessary traffic. The Cached Service Profiles feature is designed to eliminate this inefficient overhead.
Service Profiles (attribute table, continued)
Upstream Access Control List: Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.
    Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list | extended-access-control-list}"
Domain Name (Optional): Specifies domain names that get DNS resolution from the DNS server(s) specified by the DNS server address.
    Service-Info = "Oname1[;name2]...
Service-Defined Cookie: Enables you to include user-defined information in RADIUS authentication and accounting requests.
    Service-Info = "Vstring"
Note
• SSG does not parse or interpret the value of the Service-Defined Cookie. You must configure the proxy RADIUS server to interpret this attribute.
• SSG supports only one Service-Defined Cookie per RADIUS service profile.
Service Description (Optional): Describes the service.
Chapter 7 Service Profiles and Cached Service Profiles Cached Service Profiles If the SESM web application is designed to use HTML frames, then this attribute also specifies whether the service is displayed in a new browser window or in a frame in the current (SESM) window, as follows: • Hurl—URL for a service displayed in a frame in the SESM browser window. • Uurl—URL for a service displayed in its own browser window.
• If the service profile exists and it is active, SSG uses the service profile to process the logon request.
• If the service profile exists, but it is inactive (for example, SSG is currently downloading the profile), SSG queues the logon request and processes the request after the service profile is downloaded.
Chapter 8 SSG Hierarchical Policing The SSG Hierarchical Policing feature ensures that a subscriber does not utilize additional bandwidth for overall service or for a specific service that is outside the bounds of the subscriber’s contract with the service provider. This chapter describes the SSG Hierarchical Policing feature supported by the Cisco 10000 series router. SSG Hierarchical Policing Overview The traffic policing feature limits the transmission rate of traffic entering or leaving a node.
Chapter 8 SSG Hierarchical Policing Restrictions for SSG Hierarchical Policing Restrictions for SSG Hierarchical Policing The SSG Hierarchical Policing feature has the following restrictions: • When using SSG hierarchical policing on Cisco 10000 Series routers, a maximum of 8 policing rates can be used per uplink interface and R attribute combination.
Configuration Examples for SSG Hierarchical Policing
Example 8-1 Configuring a RADIUS Service Profile for Per-Session Policing
    Router(config)# local-profile cisco.
Chapter 9 Interface Configuration When an interface is configured as an SSG uplink or downlink interface, non-SSG traffic is not allowed to pass through the interface. You configure interfaces that are connected to services as uplink interfaces by using the ssg direction uplink command in interface configuration mode. If you use PPP to connect subscribers to SSG, you do not have to configure any downlink interfaces.
Chapter 9 Interface Configuration Transparent Passthrough Access Side Interfaces For access side interfaces, the interface type determines the method used to indicate an interface as SSG or transparent passthrough. If you enable SSG globally, SSG automatically configures PPP users as SSG downlink users. To configure a PPP user as a transparent passthrough user, configure the Cisco 10000 router in one of the following ways: • Do not enable SSG globally on the router.
Chapter 9 Interface Configuration Multicast Protocols on SSG Interfaces Network Side Interfaces For network side interfaces, SSG uplink interfaces can accept and forward both SSG traffic and transparent passthrough traffic. The SSG software classifies the traffic as transparent passthrough. An interface that is not configured as an SSG uplink can receive transparent passthrough traffic or traffic destined for Cisco IOS interfaces. The traffic is handled using normal Cisco IOS processing.
Configuration of Multicast Protocols on SSG Interfaces
For SSG to forward multicast packets to the Cisco IOS routing engine, configure the following:
• Configure the interface where multicast packets are received as an uplink or downlink interface, or bind a service to the interface.
• Enable SSG multicast by using the ssg multicast command in global configuration mode.
Chapter 10 SSG TCP Redirect The SSG TCP Redirect feature redirects certain user packets to an alternative location that can handle the packets in a suitable manner. This feature works in conjunction with the SESM web interface. SSG TCP Redirect forces subscribers to authenticate before accessing the network or specific services and ensures that subscribers are only allowed to access the services that the service provider wants them to.
Chapter 10 SSG TCP Redirect The SSG TCP Redirect feature always sends redirected packets to a captive portal group that consists of one or more servers. SSG selects one server from the group in a round-robin fashion to receive the redirected packets. For upstream packets, SSG modifies the destination IP address and TCP port to reflect the destination captive portal. For downstream packets, SSG returns the source IP address and port to the original packet’s destination.
Figure 10-1 Restricting Access to Networks within Authorized Services [figure: the service IPTVService covers 10.1.1.1/32, which lies inside ServiceA, 10.0.0.0/8]
The following describes the behavior of redirection for unauthorized services:
• If a packet arrives from an unauthorized SSG user or it is destined to an unauthorized service, SSG redirects the packet if the packet matches the protocol and ports configured as the redirection filter. If the packet does not match the filter, SSG drops the packet.
Chapter 10 SSG TCP Redirect Typically, if a service is connected, SSG forwards packets to a user and packets from a user even if the packets do not match the protocol and TCP ports specified for redirection. However, the behavior of initial captivation on the Cisco 10000 series router differs in the following ways: • When a packet arrives from an SSG user and the packet matches the protocol and TCP ports configured as the redirection filter, the packet is subject to initial captivation and is redirected.
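The redirect behaviour described in this chapter (round-robin choice of a captive portal server, rewriting of the upstream destination, restoration of the source on the downstream reply, and dropping of non-matching packets from hosts that are not yet authenticated) can be written down as a small state machine. The following Python is an added example and not the router's code. It assumes a captive portal group of two servers (10.0.0.1 port 8080 from Example 3-5 in this guide, 10.0.0.2 port 8080 constructed), a redirection filter of TCP ports 80 and 8080 (constructed), and a five-tuple packet model with constructed addresses.

```python
"""Model of SSG TCP Redirect packet handling. Added example, not Cisco code.

Assumptions: servers and filter ports are constructed; a flow is keyed by the
subscriber's source address and port.
"""
from dataclasses import dataclass, replace
from itertools import cycle
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class TcpRedirect:
    def __init__(self, servers: List[Endpoint], redirect_ports: List[int]):
        self._servers = cycle(servers)             # round-robin server selection
        self.redirect_ports = set(redirect_ports)  # the redirection filter
        # (host ip, host port) -> (original dst ip, original dst port, portal)
        self.translations: Dict[Endpoint, Tuple[str, int, Endpoint]] = {}

    def upstream(self, pkt: Packet, authenticated: bool) -> Optional[Packet]:
        """Return the packet as SSG forwards it, or None when SSG drops it."""
        if authenticated:
            return pkt                      # authenticated host: forwarded unchanged
        if pkt.proto != "tcp" or pkt.dst_port not in self.redirect_ports:
            return None                     # outside the filter: dropped
        key = (pkt.src_ip, pkt.src_port)
        entry = self.translations.get(key)
        if entry is None:
            portal = next(self._servers)
            entry = (pkt.dst_ip, pkt.dst_port, portal)
            self.translations[key] = entry  # an existing flow keeps its server
        portal = entry[2]
        return replace(pkt, dst_ip=portal[0], dst_port=portal[1])

    def downstream(self, pkt: Packet) -> Packet:
        """Put the original destination back as the source of a portal reply."""
        entry = self.translations.get((pkt.dst_ip, pkt.dst_port))
        if entry is None or (pkt.src_ip, pkt.src_port) != entry[2]:
            return pkt                      # not a redirected flow
        return replace(pkt, src_ip=entry[0], src_port=entry[1])


def demo() -> List[Optional[Packet]]:
    """Three upstream packets from an unauthenticated host and one portal reply."""
    r = TcpRedirect([("10.0.0.1", 8080), ("10.0.0.2", 8080)], [80, 8080])
    first = r.upstream(Packet("192.0.2.10", 40000, "198.51.100.5", 80), authenticated=False)
    second = r.upstream(Packet("192.0.2.10", 40001, "198.51.100.5", 80), authenticated=False)
    dropped = r.upstream(Packet("192.0.2.10", 40002, "198.51.100.5", 443), authenticated=False)
    reply = r.downstream(Packet("10.0.0.1", 8080, "192.0.2.10", 40000))
    return [first, second, dropped, reply]


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The third packet illustrates the point made for unauthorized services: a port outside the filter (443 here) is not redirected to the portal but dropped, so a subscriber on a browser that only uses HTTPS sees no login page at all unless that port is in the filter.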
The following sections describe these tasks in more detail:
• Configuration Considerations for SSG TCP Redirect, page 10-5
• Configuring Port-Based Redirection for Unauthenticated Users, page 10-5
• Limiting Redirection for Unauthenticated Users, page 10-5
• Configuring SSG TCP Redirect, page 10-6
Configuration Considerations for SSG TCP Redirect
When you configure SSG TCP Redirect, consider the following:
• Where to redirect: Determine the server group to which you wan
Configuring SSG TCP Redirect
To configure SSG TCP Redirect, use the following commands beginning in global configuration mode:
Step 1. Router(config)# ip cef
    Enables Cisco Express Forwarding (CEF).
Step 2. Router(config)# ssg enable
    Enables SSG functionality.
Step 3. Router(config)# ssg tcp-redirect
    Enables the SSG TCP Redirect feature.
Step 4. Router(config-ssg-redirect)# server-group group-name
    Defines the captive portal group.
Configuration Examples for SSG TCP Redirect
This section provides the following example configurations:
• Configuration Example for Server Groups, page 10-7
• Configuration Example for Network Lists, page 10-7
• Configuration Example for Port Lists, page 10-8
For more configuration examples, refer to the SSG TCP Redirect for Services, Release 12.2(4)B feature module.
Chapter 10 SSG TCP Redirect Configuration Example for Port Lists Example 10-5 shows how to configure a port list named ports for TCP redirection of HTTP packets and associate the port list to the server groups named serviceRedirect1 and initialCaptivate.
Chapter 11 Miscellaneous SSG Features
This chapter describes the following SSG features:
• VPI/VCI Static Binding to a Service Profile, page 11-1
• RADIUS Virtual Circuit Logging, page 11-2
• AAA Server Group Support for Proxy Services, page 11-2
• Packet Filtering, page 11-3
• SSG Unconfig, page 11-5
• SSG Enhancements for Overlapping Services, page 11-7
VPI/VCI Static Binding to a Service Profile
The VPI/VCI Static Binding to a Service Profile feature allows users accessing SSG through
Chapter 11 Miscellaneous SSG Features RADIUS Virtual Circuit Logging RADIUS Virtual Circuit Logging RADIUS Virtual Circuit (VC) Logging extends and modifies the RADIUS network access server (NAS) port field to carry VPI/VCI information. With RADIUS VC Logging enabled, the Cisco 10000 router (the SSG node) can send NAS port information to the RADIUS server, accurately recording the virtual path interface (VPI) and virtual circuit interface (VCI) of an incoming user or subscriber session.
Chapter 11 Miscellaneous SSG Features Packet Filtering Configuration of AAA Server Group Support for Proxy Services To configure AAA Server Group Support for Proxy Services, use the RADIUS Server attribute. This Service-Info vendor-specific attribute (VSA) is used to specify the remote RADIUS servers that SSG uses to authenticate and authorize a service login for a proxy service type.
Downstream Access Control List (outacl): Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to downstream traffic going to the user.
    Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list | extended-access-control-list}"
Upstream Access Control List (inacl): Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to upstream traffic coming from the user.
Configuration of Packet Filtering
To configure SSG ACLs, use the following Cisco-AVpair attributes:
• Downstream Access Control List (outacl)
    Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list | extended-access-control-list}"
• Upstream Access Control List (inacl)
    Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list | extended-access-control-list}"
For more information, refer to the Service Selection Gateway, Release 12.
Prerequisites for SSG Unconfig
You must enable SSG before you configure SSG Unconfig.
Configuration of SSG Unconfig
To configure SSG Unconfig, perform any of the following optional tasks:
• Unconfigure SSG and release system resources by entering the no ssg enable force-cleanup command in global configuration mode.
• Remove one or more SSG host objects by entering the clear ssg host command in privileged EXEC mode.
Chapter 11 Miscellaneous SSG Features SSG Enhancements for Overlapping Services SSG Enhancements for Overlapping Services Overlapping services are services for which the route prefix of one service matches or is contained within the route prefix of another service. For example, the service definition 172.16.253.0/24 overlaps with the service definition 172.16.0.0/16 because the prefix 172.16 is contained in both definitions. The definition 0.0.0.0/0 overlaps all other possible services.
Because network sets for services must be unique, the following network sets are defined internally:
    Set1 0.0.0.0/0.0.0.0
    Set2 10.58.253.0/255.255.255.0
    Set3 10.58.254.0/255.255.255.0
    Set4 10.58.102.6/255.255.255.
The service translation mechanism then internally converts the services to the following sets:
    Service Bronze_256: Set1
    Service Silver_512: Set1 and Set2
The service translation mechanism also provides for the translation of services that are complete subsets of one another. For example, consider the following service definitions:
    ssg bind service A_1 10.58.253.0/255.255.255.
Configuration of Service Translation
To enable service translation on the router, enter the following command in global configuration mode:
    Router(config)# ssg service-overlap
Enables service translation and indicates to the router to use the translated sets to provide the desired network behavior.
Service B_512: Set2, Set3, and Set4
Service C_2048: Set2, Set3, and Set4
Service D_1024: Set2

Expansion of Service IDs
The Cisco 10000 router uses service IDs to determine which services a user is subscribed to and how to police the user traffic. A user can be subscribed to a maximum of seven services. However, service translation can result in more than seven network sets.
Network Sets:
Set1 0.0.0.0/0.0.0.0
Set2 10.58.252.0/255.255.255.0
Set3 10.58.253.0/255.255.255.0
Set4 10.58.254.0/255.255.255.0
Set5 10.58.102.6/255.255.255.255
Set6 10.58.251.0/255.255.255.0
Set7 10.58.250.0/255.255.255.0
Set8 10.58.249.0/255.255.255.
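The overlap check and set translation described above, as an added planning example in Python (not Cisco code). The service names and networks are constructed sample bindings patterned on the guide's tables, and mapping each service to the sets of its bound networks is this example's reading of those tables, not a statement of the router's internal algorithm.

```python
import ipaddress
from itertools import combinations

# Constructed sample bindings in the guide's network/mask notation (not a
# real deployment). Silver_512 is bound to two networks so it translates to
# two sets; E_64 is a /24 that overlaps only the 0.0.0.0/0 services.
SERVICES = {
    "Bronze_256": ["0.0.0.0/0.0.0.0"],
    "Silver_512": ["0.0.0.0/0.0.0.0", "10.58.253.0/255.255.255.0"],
    "B_512": ["10.58.253.0/255.255.255.0", "10.58.254.0/255.255.255.0",
              "10.58.102.6/255.255.255.255"],
    "D_1024": ["10.58.253.0/255.255.255.0"],
    "E_64": ["10.58.250.0/255.255.255.0"],
}

def parse(net):
    # Accepts "10.58.253.0/255.255.255.0" and "0.0.0.0/0.0.0.0" alike.
    return ipaddress.ip_network(net, strict=False)

def overlaps(a, b):
    # The guide's definition: one prefix equals or is contained in the other.
    return a.subnet_of(b) or b.subnet_of(a)

def build_sets(services):
    """Number each distinct network Set1, Set2, ... in first-seen order and
    map every service to the sets it uses (the Bronze_256 -> Set1 table)."""
    sets = {}
    for nets in services.values():
        for n in nets:
            sets.setdefault(parse(n), f"Set{len(sets) + 1}")
    translation = {svc: [sets[parse(n)] for n in nets]
                   for svc, nets in services.items()}
    return {name: net for net, name in sets.items()}, translation

def overlapping_services(services):
    """Pairs of services that overlap on at least one bound network."""
    return [(x, y) for x, y in combinations(sorted(services), 2)
            if any(overlaps(parse(a), parse(b))
                   for a in services[x] for b in services[y])]

def sets_needed(subscribed, services, max_services=7):
    """Distinct sets a subscriber's services expand to. The guide allows at
    most seven services per user, yet translation can yield more sets."""
    _, translation = build_sets(services)
    used = sorted({s for svc in subscribed for s in translation[svc]},
                  key=lambda s: int(s[3:]))
    return {"services": len(subscribed), "sets": len(used), "set_names": used,
            "over_service_limit": len(subscribed) > max_services,
            "sets_exceed_seven": len(used) > 7}
```

Run overlapping_services(SERVICES) before binding services to see every pair that a 0.0.0.0/0 definition silently covers, and sets_needed(...) to see how far a subscriber's seven services expand.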
CHAPTER 12 Monitoring and Maintaining SSG

To monitor and maintain SSG, use the following commands in privileged EXEC mode:
Command: Router# show ssg interface [interface-number | brief]
Purpose: Displays a list of all SSG interfaces, the bind direction, and the binding type.
Command: Router# show ssg summary
Purpose: Displays a summary of the SSG features configured on the router and the active services.
Command: Router# clear ssg service service-name
Purpose: Removes the specified service.
Command: Router# debug ssg ctrl-errors
Purpose: Displays all error messages for control modules.
Command: Router# debug ssg ctrl-events
Purpose: Displays all event messages for control modules.
Command: Router# debug ssg ctrl-packets
Purpose: Displays packet contents handled by control modules.
Command: Router# debug ssg data
Purpose: Displays all data-path packets.
Monitoring the Parallel Express Forwarding Engine
To monitor the parallel express forwarding (PXF) engine, use the following commands in privileged EXEC mode:
Command: Router# clear pxf interface [interface | rp]
Purpose: Clears PXF counters for the specified interface or for the route processor (RP). If you do not specify an interface, the PXF counters for all interfaces are cleared.
APPENDIX A SSG Configuration Example

Example A-1 is a sample SSG configuration for the Cisco 10000 series router based on the topology in Figure A-1. The configuration includes AAA, PPP, SSG, and RADIUS. The SSG configuration enables the Port-Bundle Host Key, captive portal, QoS, and Open Garden features.
Figure A-1 SSG Example Topology (figure not reproduced in this extraction; labels legible in it: Sun-monsoon SESM/RADIUS 192.168.2.50, Cisco 7200 192.168.2.62, 10.1.1.100, 192.168.2.x, 192.168.2.60 Fa0/0/0, Cisco 827, PC 10.60.1.x)
Example A-1 Cisco 10000 Router SSG Configuration
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname c10k-ssg
!
boot system disk0:c10k2-p11-mz.
ssg accounting interval 300
ssg profile-cache
ssg default-network 192.168.2.50 255.255.255.255
ssg service-password servicecisco
ssg radius-helper auth-port 1812 acct-port 1813
ssg radius-helper key cisco
ssg maxservice 20
ssg port-map enable
ssg port-map destination range 80 to 80 ip 192.168.2.50
ssg port-map source ip 192.168.2.60
ssg bind service video-prepaid 10.1.1.51
ssg bind service zap-com 10.1.1.51
ssg bind service opengarden-helpdesk 10.1.5.
interface FastEthernet0/0/0
 description Connected to LAB Backbone
 ip address 192.168.2.60 255.255.255.0
 no ip route-cache cef
 full-duplex
!
interface GigabitEthernet1/0/0
 no ip address
 no negotiation auto
!
interface GigabitEthernet1/0/0.1
 description SSG Service internet
 encapsulation dot1Q 10
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1/0/0.2
 encapsulation dot1Q 2
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet1/0/0.
interface ATM8/0/1
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface ATM8/0/2
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface ATM8/0/3
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address pool SSG-POOL
 ppp authentication pap chap
 ppp ipcp address accept
!
ip local pool SSG-POOL 10.60.1.1 10.60.1.100
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 10.80.1.1 255.255.0.0 11.1.
 exec-timeout 0 0
 password lab
!
ntp clock-period 17181406
ntp update-calendar
end
APPENDIX B SSG Implementation Notes

Table B-1 provides information about how SSG is implemented on the Cisco 10000 series router. For additional information about general SSG limitations, see the “SSG Restrictions” section on page 1-4, the “SSG Prerequisites” section on page 1-6, and also see Chapter 2, “Scalability and Performance.
Table B-1 SSG Implementation Notes for the Cisco 10000 Router (continued)
SSG Feature / Implementation Notes
Local Forwarding: Cannot be enabled or disabled through the CLI. Only seven services (network sets) can be bound to an uplink interface. If a service cannot be created on the toaster, then no connection is created. A service cannot be bound by interface to a broadcast interface.
RADIUS Proxy: Not supported.
Service Profiles:
 MTU Size attribute: In Directory Enabled Service Selection Subscription (DESS) mode, SESM does not support the use of the MTU Size attribute.
 Service-Defined Cookie attribute: SSG does not parse or interpret the value of this attribute. You must configure the proxy RADIUS server to interpret this attribute.
GLOSSARY

A
authentication  A security feature that allows access to information to be granted on an individual basis.

B
bandwidth  The range of frequencies a transmission line or channel can carry. The greater the bandwidth, the greater the information-carrying capacity of a channel. For a digital channel this is defined in bits. For an analog channel it is dependent on the type and method of modulation used to encode the data.
E
encapsulation  The technique used by layered protocols in which a layer adds header information to the protocol data unit (PDU) from the layer above.
Ethernet  One of the most common local area network (LAN) wiring schemes, Ethernet has a transmission rate of 10, 100, or 1000 Mbps.

H
host key  Combination of port bundle and SSG source IP address that uniquely identifies a subscriber.

I
Internet Protocol (IP)  The network layer protocol for the Internet protocol suite.
P
permanent virtual circuit  A fixed virtual circuit between two users. The public data network equivalent of a leased line. No call setup or clearing procedures are needed.
point-to-point subinterface  With point-to-point subinterfaces, each pair of routers has its own subnet. If you put the PVC on a point-to-point subinterface, the router assumes that there is only one point-to-point PVC configured on the subinterface.
PVP  Permanent virtual path. Virtual path that consists of PVCs.
PXF  Parallel Express Forwarding. Also referred to as fast forwarder. A pipelined, multiprocessor parallel packet engine, optimized for fast packet forwarding.

R
RADIUS  Remote Authentication Dial-In User Service (RADIUS). A client/server security protocol created by Livingston Enterprises. Security information is stored in a central location, known as the RADIUS server.
RBE  Routed bridge encapsulation.
T
TCP  Connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.
turbo access control  A function of the PXF pipeline that determines whether a packet matches a list in a fixed, predictable period of time, usually regardless of the number of entries in the list. Turbo ACLs enable more expedient packet classification and access checks when the router is evaluating ACLs.
X
xDSL  Various types of digital subscriber lines. Examples include ADSL, HDSL, and VDSL.