Cisco OL-4387-02 Configuration Manual

Router service selection gateway configuration guide

Cisco 10000 Series Router Service
Selection Gateway Configuration Guide
January 2004
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-4387-02

Summary of Contents for Cisco OL-4387-02

  • Page 3: Table Of Contents

    Single Host Logon; Prerequisites for Single Host Logon; SSG Autologoff; Restrictions for SSG Autologoff...
  • Page 4 Restrictions for SSG AutoDomain; Configuration of SSG AutoDomain; Configuration Example for SSG AutoDomain; SSG Prepaid; Restrictions for SSG Prepaid; Configuration of SSG Prepaid; Configuration Example for SSG Prepaid; SSG Open Garden...
  • Page 5 SSG Hierarchical Policing Overview; SSG Hierarchical Policing Token Bucket Scheme; Restrictions for SSG Hierarchical Policing; SSG Hierarchical Policing Configuration; Configuration Examples for SSG Hierarchical Policing...
  • Page 6 Restrictions for Packet Filtering...
  • Page 7 SSG Configuration Example; SSG Implementation Notes; Glossary; Index...
  • Page 9: About This Guide

    Service Profiles and Cached Service Profiles; Chapter 8, SSG Hierarchical Policing; Chapter 9, Interface Configuration. Description: Describes the Service Selection Gateway features, restrictions, and prerequisites. Also provides an architectural model. Describes limitations and restrictions of the Service Selection Gateway feature.
  • Page 10: Document Conventions

    SSG Enhancements for Overlapping Services. Provides show commands for monitoring and maintaining SSG, describes the per-service statistics feature, and provides commands for monitoring the Parallel Express Forwarding (PXF) engine. Provides a basic configuration example for SSG...
  • Page 11: Related Documentation

    Obtaining Documentation Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/home/home.htm...
  • Page 12: Documentation CD-ROM

    Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387). Documentation Feedback: You can submit e-mail comments about technical documentation to [email protected].
  • Page 13: Cisco TAC Website

    Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations...
  • Page 14: Obtaining Additional Publications And Information

    Information about Cisco products, technologies, and network solutions is available from various online and printed sources. • The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://www.cisco.com/en/US/products/products_catalog_links_launch.html Cisco Press publishes a wide range of general networking, training and certification titles.
  • Page 15: Chapter 1 Service Selection Gateway Overview

    (VPDNs), and normal routing methods. The user can concurrently connect to a number of different services, which can be private or public services. Connections to the services are established using IP...
  • Page 16 [Figure labels: Default Network, Dashboard, Cisco 10000 router, PPP/RBE/IP, Open Garden, RADIUS, Cisco Secure, ISP/Service A, ISP/Service B, ISP/Service C, Extranet]...
  • Page 17: Default Network

    On the network side, the router supports receiving SSG traffic on the following interface types: ATM PVCs and subinterfaces; Ethernet interfaces and subinterfaces; POS interfaces; Serial and channelized interfaces...
  • Page 18: Supported SSG Features

    Open Garden to the uplink interfaces. Do not bind the Open Garden to the interface used by the private service. Cisco 10000 Series Router Service Selection Gateway Configuration Guide Chapter 1 Service Selection Gateway, Release 12.2(15)B Map. Service Selection Gateway Overview OL-4387-02...
  • Page 19 For RBE and IP users, the addresses of services that share an uplink interface cannot overlap. For information about the restrictions for a specific SSG feature, see the appropriate chapter in this guide...
  • Page 20: SSG Prerequisites

    Service Selection Gateway Topology Notebook Subscriber access media Cisco 10000 Series Router Service Selection Gateway Configuration Guide SESM GGSN Open Wireless LAN garden Services selection Chapter 1 Service Selection Gateway Overview Cisco Subscriber Edge Services Directory Server Corporate Internet Gaming Services 3.1(1). OL-4387-02...
  • Page 21 Service providers can use SESM to offer and advertise value-added services and to associate these services with their brand identities...
  • Page 23: Chapter 2 Scalability And Performance

    Best—Access to network A and access to network B at rate 2; Good—Access to network A and access to network B at rate 1; Standard—Access to network A but no access to network B...
  • Page 24 These service definitions allow all users to connect to the Standard service and allow some users to connect simultaneously to Good or Best services. Best—Access to network B at rate 2; Good—Access to network B at rate 1; Standard—Access to network A...
  • Page 25: Chapter 3 SSG Logon And Logoff

    Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide. Prerequisites for Single Host Logon: To use the Single Host Logon feature, you must install and configure Cisco SESM Release 3.1(1) or later.
  • Page 26: SSG Autologoff

    To configure the SSG Autologoff feature, use the ssg auto-logoff command in global configuration mode. For more information, refer to the SSG Autologoff, Release 12.2(4)B feature module...
  • Page 27: Configuration Example For SSG Autologoff

    A configurable threshold value is used to prevent this. This value causes SSG to reauthorize a user’s connection before the user completely consumes the allocated quota for a service. SSG Autologoff Using ARP Ping; SSG Autologoff Using ICMP Ping...
  • Page 28: Service Authorization

    Reauthorization Reason attribute are the following: Quota Consumed (QR0); Idle Timer Expired (QR1). For more information, refer to the SSG Prepaid Idle Timeout, Release 12.2(15)B feature module...
  • Page 29: Restrictions For SSG Prepaid Idle Timeout

    DefaultRedirectGroup server 10.0.0.1 8080 server 10.0.0.20 80 redirect prepaid-user to DefaultRedirectGroup OL-4387-02 SSG Prepaid, Release 12.2(4)B feature module SSG Prepaid Service SSG TCP Redirect Cisco 10000 Series Router Service Selection Gateway Configuration Guide SSG Prepaid Idle Timeout and the module.
  • Page 30: SSG Session And Idle Timeout

    In a service profile, the attribute applies individually to each service connection. Cisco 10000 Series Router Service Selection Gateway Configuration Guide SSG Service-Specific TCP Redirect SSG Threshold Time SSG Threshold Volume Chapter 3 SSG Logon and Logoff Example 3-6 Example 3-7 shows how to configure OL-4387-02...
  • Page 31: Chapter 4 Authentication And Accounting

    Configuration Examples for SSG Full Username RADIUS Attribute Example 4-1 Service-Info = “X” Example 4-2 9,251 = “X” OL-4387-02 RADIUS Freeware Format Example CiscoSecure ACS for UNIX Example Cisco 10000 Series Router Service Selection Gateway Configuration Guide C H A P T E R...
  • Page 32: RADIUS Accounting Records

    Acct-Terminate-Cause attribute indicates the reason for account termination, which can be due to the following events: User-Request; Session-Timeout; Idle-Timeout; Lost-Carrier. RADIUS Accounting-Start Record; RADIUS Accounting-Stop Record...
  • Page 33: Service Connection And Termination

    This attribute is used for proxy services. Ttype—Indicates whether the connection is proxy (X), tunnel (T), or passthrough (P). RADIUS Accounting-Start Record for Service Access...
  • Page 34 Acct-Terminate-Cause—Indicates the reason for service termination, which can be due to the following events: User-Request; Lost-Carrier; Lost-Service; Session-Timeout; Idle-Timeout...
  • Page 35: Chapter 5 Service Selection Methods

    All users who subscribe to that service are also bound to that same VRF. Packets to and from the user and to and from the network side interface are routed within the same VRF...
  • Page 36: Restrictions For PTA-MD

    For more information, refer to the Cisco 10000 Series Router Service Selection Gateway Configuration Guide Cisco Subscriber Edge Services Manager Web Developer describes how to develop SESM applications. SESM documentation. Chapter 5 Service Selection Methods OL-4387-02...
  • Page 37: SESM And SSG Performance

    TCP packets from the SESM to the SSG are passed to the RP for processing. The RP does not have as much forwarding capacity as the PXF. Note OL-4387-02 Cisco 10000 Series Router Service Selection Gateway Configuration Guide Web Service Selection...
  • Page 39: SSG AutoDomain

    When you enable AutoDomain, an AutoDomain profile is downloaded from the local AAA server. This profile specifies an outbound service and the password is the globally configured service password...
  • Page 40: Restrictions For SSG AutoDomain

    (exclude APN), and motorola (exclude domain name). Cisco 10000 Series Router Service Selection Gateway Configuration Guide SSG AutoDomain, Release 12.2(4)B feature SSG AutoDomain, Release 12.2(4)B feature Chapter 6 Service Connection module. module. OL-4387-02...
  • Page 41: SSG AutoDomain

    AutoDomain exclude file. Example 6-3 AutoDomain Exclude File Format user = ssg-auto-domain-exclude-profile{ radius=SSGDictionary { check_items= { 2=cisco reply_attributes= { 9,253="XDcisco" 9,253="XDmotorola" 9,253="XAalcatel" 9,253="XAnokia" OL-4387-02 |d|e|f|p| Cisco 10000 Series Router Service Selection Gateway Configuration Guide SSG AutoDomain...
  • Page 42: SSG Prepaid

    For more information, refer to the SSG Prepaid, Release 12.2(4)B feature module...
  • Page 43: Configuration Example For SSG Prepaid

    Open Garden services that are directly connected to the SSG router. Service binding is mandatory, however, for Open Garden services that are routed through a next-hop address. For more information, refer to the OL-4387-02 Attaching a Global Prepaid Server Group to the SSG Open garden 1 Next-hop gateway SSG Open Garden, Release 12.2(4)B feature...
  • Page 44: Restrictions For SSG Open Garden

    (VSA). When the SESM server sends a reply to the subscriber, SSG translates the destination IP address and destination TCP port according to the port map...
  • Page 45: Restrictions For SSG Port-Bundle Host Key

    Traffic to the second and subsequent user(s) is treated as transparent passthrough and is forwarded to these users, but it does not affect the SSG accounting. The ssg show host command displays the first user. SSG Port-Bundle Host Key, Release 12.2(4)B feature module.
  • Page 46: Prerequisites For SSG Port-Bundle Host Key

    However, when a group is defined as mutually exclusive, SESM limits service selection to one service at a time within the group. SSG AutoDomain, Release 12.2(4)B feature module...
  • Page 47: Configuration Of Mutually Exclusive Service Selection

    MutexGrp1 Password = "groupcisco", Service-Type = Outbound Account-Info = "IBandwidth-QoS", Account-Info = "Nbw-gold", Account-Info = "Nbw-silver", Account-Info = "Nbw-bronze", Account-Info = "TE" OL-4387-02 ”Configuring Service Group Profiles” in the Cisco Subscriber Edge Services Manager and Subscriber Policy Engine 3.1(3). Configuring a Mutually Exclusive Service Selection Group...
  • Page 49: Chapter 7 Service Profiles And Cached Service Profiles

    Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user. Cisco-AVpair = “ip:outacl [# number ]={ standard-access-control-list | extended-access-control-list }” OL-4387-02 C H A P T E R chapter in the Cisco 6400 Feature Guide, Release Cisco 10000 Series Router Service Selection Gateway Configuration Guide 12.2(2)B.
  • Page 50: Upstream Access Control List

    Service Authentication Type: Specifies whether the SSG uses the CHAP or PAP protocol to authenticate users for proxy services. Service-Info = "Aauthen-type"...
  • Page 51: Service-Defined Cookie

    Service URL: (Optional) Specifies the URL that is displayed in the SESM HTTP address field when the service opens. Service-Info = “Hurl”; Service-Info = “Uurl”...
  • Page 52: Type Of Service

    • A user selects a service on the service logon page that SESM displays. • SSG receives the service logon request and looks up the service profile using the service name...
  • Page 53: Configuration Of Cached Service Profiles

    If the service with that service name is not in use when you enter the ssg service-cache command, the command does not attempt to download the service profile...
  • Page 55: Chapter 8 SSG Hierarchical Policing

    (such as time between packets and packet sizes) ultimately determine whether a packet is transmitted or dropped. For more information, refer to the Service Selection Gateway Hierarchical Policing, Release 12.2(4)B feature module...
  • Page 56: Restrictions For SSG Hierarchical Policing

    Enable per-user and per-session policing using the ssg qos police command in global configuration mode. For more information, refer to the Service Selection Gateway Hierarchical Policing, Release 12.2(4)B feature module...
  • Page 57: Configuration Examples For SSG Hierarchical Policing

    Router(config)# ssg qos police session For more information, refer to the Service Selection Gateway Hierarchical Policing, Release 12.2(4)B feature module. Configuring a RADIUS Service Profile for Per-Session Policing; Enabling Per-Session Policing on a Router...
  • Page 59: Chapter 9 Interface Configuration

    Open Garden network to allow SSG hosts access to certain networks. The default is to allow non-SSG hosts (on non-SSG interfaces) access to Internet services that are reachable through an uplink interface. Service Selection Gateway, Release 12.2(15)B feature module.
  • Page 60: Access Side Interfaces

    When you bind an interface to a direction, traffic is routed through SSG features and processing. If you do not bind an interface to a direction, the interface is a transparent passthrough interface and traffic is routed through normal Cisco IOS features processing...
  • Page 61: Network Side Interfaces

    SSG interfaces can simultaneously receive multicast traffic and normal SSG traffic such as traffic to and from the default network, Open Garden network, and service networks. The normal SSG traffic is routed through SSG features and processing. OL-4387-02 “Restrictions of Transparent Passthrough” section on module.
  • Page 62: Configuration Of Multicast Protocols On SSG Interfaces

    For more information about multicast protocols on SSG interfaces, refer to in the Cisco 6400 Feature Guide, Release Cisco 10000 Series Router Service Selection Gateway Configuration Guide Chapter 9 Cisco 10000 Series Router Guide. ”Service Selection Gateway” 12.2(2)B. Interface Configuration OL-4387-02...
  • Page 63: Chapter 10 SSG TCP Redirect

    SESM and is authenticated and authorized. SESM then presents the subscriber with a personalized home page, the service provider home page, or the original URL...
  • Page 64: Redirection For Unauthorized Services

    IPTVService (10.1.1.1/32), but allows access to anywhere else in ServiceA (10.0.0.0/8). Cisco 10000 Series Router Service Selection Gateway Configuration Guide 10-2 Figure 10-1 the user is allowed to access ServiceA. IPTVService is part of ServiceA, Chapter 10 SSG TCP Redirect OL-4387-02...
  • Page 65: Initial Captivation

    • Duration of captivation • Service name (optional). Note: If you specify the optional service name, captivation activates only when logon to that service occurs. [Figure labels: ServiceA 10.0.0.0/8, IPTVService 10.1.1.1/32]...
  • Page 66: Restrictions For SSG TCP Redirect

    • Define network lists. • Define port lists. • Associate network and port lists with server groups. • Specify the default groups for captivation...
  • Page 67: Configuration Considerations For SSG TCP Redirect

    Router(config-ssg-redirect)# server-group new-users1 Router(config-ssg-redirect-group)# server 10.0.1.4 8090 Router(config-ssg-redirect-group)# max-sessions user4 15 OL-4387-02 binds the server group named userRedirect1 to port 80 for unauthenticated user limits the number of TCP sessions from user4. In this example, SSG redirects a maximum Cisco 10000 Series Router Service Selection Gateway Configuration Guide...
  • Page 68 Defines a network list. Adds a network IP address to the network list. Specifies a list of destination IP networks to be redirected by the captive portal group. SSG TCP Redirect for Services, Release 12.2(4)B feature...
  • Page 69: Configuration Examples For SSG TCP Redirect

    Router(config-ssg-redirect-network)# network 10.2.2.0 255.255.255.0 Router(config-ssg-redirect-network)# network-list serviceNetwork3 Router(config-ssg-redirect-network)# network 10.3.3.0 255.255.255.0 OL-4387-02 SSG TCP Redirect for Services, Release 12.2(4)B feature shows how to configure a server group for user, service, and initial captivation redirection. defines three network lists. The list named serviceNetwork1 includes network 10.1.1.0;...
  • Page 70 Router(config)# ssg tcp-redirect Router(config-ssg-redirect)# port-list ports Router(config-ssg-redirect-port)# port 80 Router(config-ssg-redirect-port)# port 8080 Router(config-ssg-redirect-port)# port 443 Router(config-ssg-redirect-port)# exit Router(config-ssg-redirect)# redirect port-list ports to serviceRedirect1 Router(config-ssg-redirect)# redirect port-list ports to initialCaptivate...
  • Page 71: VPI/VCI Static Binding To A Service Profile

    To map a VC to a service, use the ssg vc-service-map command in global configuration mode. For more information, refer to the Cisco IOS Wide-Area Networking Command Reference, Release OL-4387-02 C H A P T E R the”Configuring VPI/VCI Indexing to Service Profile”...
  • Page 72: RADIUS Virtual Circuit Logging

    • Cisco 10000 Series Router Service Selection Gateway Configuration Guide 11-2 Chapter 11 RADIUS Virtual Circuit Logging, Release 11.3DB9 feature RADIUS Virtual Circuit Logging, Release 11.3DB9 feature Service Selection Gateway, Release 12.2(15)B feature Miscellaneous SSG Features module. module. module. OL-4387-02...
  • Page 73: Configuration Of AAA Server Group Support For Proxy Services

    Downstream Access Control List—outacl, page 11-4 • Upstream Access Control List—inacl, page 11-4 • OL-4387-02 Service Selection Gateway, Release 12.2(15)B feature Service Selection Gateway, Release 12.2(15)B Cisco 10000 Series Router Service Selection Gateway Configuration Guide Packet Filtering module.
  • Page 74: Downstream Access Control List-Outacl

    If an SSG ACL is applied to the interface in the same direction, the router applies the SSG ACL...
  • Page 75: Configuration Of Packet Filtering

    SSG Unconfig clears all SSG resources on the system. Therefore, if you no longer need to run SSG features on the router, instead of using SSG Unconfig enter the no ssg enable force-cleanup command after all users are logged out. OL-4387-02 Service Selection Gateway, Release 12.2(15)B feature and the Service Selection Gateway, Release 12.2(15)B feature...
  • Page 76: Prerequisites For SSG Unconfig

    SSG Unconfig, Release 12.2(15)B feature shows how to unconfigure SSG and release system resources. shows how to remove all host objects associated with a downlink interface and then verify SSG Unconfig, Release 12.2(15)B feature Chapter 11 Miscellaneous SSG Features module. module. OL-4387-02...
  • Page 77: SSG Enhancements For Overlapping Services

    Silver_512 10.58.253.0/255.255.255.0 10.58.254.0/255.255.255.0 10.58.102.6/255.255.255.255 ssg bind service Gold_2048 10.58.253.0/255.255.255.0 10.58.254.0/255.255.255.0 10.58.102.6/255.255.255.255 ssg bind service Platinum_1024 10.58.253.0/255.255.255.0...
  • Page 78 10.58.254.0/255.255.255.0 10.58.102.6/255.255.255.255 10.58.102.7/255.255.255.255 Based on the service definitions, the service translation mechanism internally defines the following network sets: Set1 10.58.253.0/255.255.255.0 10.58.254.0/255.255.255.0 Set2 10.58.102.6/255.255.255.255 10.58.102.7/255.255.255.255...
  • Page 79: Restrictions For Service Translation

    Prerequisites for Service Translation: Enable service translation before SESM downloads overlapping service definitions...
  • Page 80: Configuration Of Service Translation

    Service A_256 Set2 and Set3 Cisco 10000 Series Router Service Selection Gateway Configuration Guide 11-10 Chapter 11 Purpose Enables service translation and indicates to the router to use the translated sets to provide the desired network behavior. Miscellaneous SSG Features OL-4387-02...
  • Page 81: Expansion Of Service IDs

    Rate-3 10.58.251.0/255.255.255.0 ssg bind service Rate-4 10.58.250.0/255.255.255.0 ssg bind service Rate-5 10.58.249.0/255.255.255.0...
  • Page 82 Network Sets: Set1 0.0.0.0/0.0.0.0 Set2 10.58.252.0/255.255.255.0 Set3 10.58.253.0/255.255.255.0 Set4 10.58.254.0/255.255.255.0 Set5 10.58.102.6/255.255.255.255 Set6 10.58.251.0/255.255.255.0 Set7 10.58.250.0/255.255.255.0 Set8 10.58.249.0/255.255.255.0...
  • Page 83: Chapter 12 Monitoring And Maintaining SSG

    Router# show ssg next-hop Router# clear ssg next-hop Router# show ssg binding Router# show ssg service service-name OL-4387-02 C H A P T E R Purpose Displays a list of all SSG interfaces, the bind direction, and the binding type.
  • Page 84: Troubleshooting RADIUS

    Displays packet contents handled by control modules. Displays all data-path packets. Displays all data-path packets for the specified access list. Displays all error messages for system modules. Displays event messages for system modules. Displays packet contents handled by system modules...
  • Page 85: Monitoring The Parallel Express Forwarding Engine

    [detail]} For more information about PXF commands, refer to the Reference Guide. OL-4387-02 Monitoring the Parallel Express Forwarding Engine Purpose Clears PXF counters for the specified interface or for the route processor (RP). If you do not specify an interface, the PXF counters for all interfaces are cleared.
  • Page 87: Appendix

    [Figure: SSG Example Topology]...
  • Page 88: Appendix A SSG Configuration Example

    192.168.2.62 ip host sesm 192.168.2.50 ip name-server 172.16.168.183 ip name-server 172.31.226.120 mpls ldp log-neighbor-changes ssg enable...
  • Page 89 26 9 251 "Omobile.users.com" attribute 26 9 251 "R35.1.5.1;255.255.255.255" buffers small permanent 1500 buffers middle permanent 12000 buffers big permanent 8000 interface Loopback1 description LOOPBACK for DSL/PPPoA/PAT users ip address 192.168.201.1 255.255.255.255...
  • Page 90 11 ip address 10.1.10.1 255.255.255.0 interface ATM8/0/0 no ip address load-interval 30 no atm ilmi-keepalive interface ATM8/0/0.1 point-to-point pvc 1/32 encapsulation aal5mux ppp Virtual-Template1...
  • Page 91 0 exec-timeout 0 0 line aux 0 line vty 0 4 exec-timeout 0 0 password cisco line vty 5 99...
  • Page 92 0 0 password lab ntp clock-period 17181406 ntp update-calendar...
  • Page 93: Appendix

    SSG Feature ACLs and QoS AutoDomain L2TP Logon OL-4387-02 A P P E N D I X 1-6, and also see Chapter 2, “Scalability and Performance.” Implementation Notes ACL and QoS are applied even if the traffic is to or from an Open Garden or the default network (when port-bundle host key is not enabled).
  • Page 94: Appendix B SSG Implementation Notes

    The customer premises equipment (CPE) must be configured for PAT. Only time-based quotas are supported. Quotas are always measured in seconds. Quotas based on data volume are not supported. If configured, traffic might exceed the quota...
  • Page 95 Unsupported Features
    VPI/VCI Static Binding to a Service Profile. Implementation Notes: Not Supported.
    MTU Size Attribute—In Directory Enabled Service Selection Subscription (DESS) mode, SESM does not support the use of the MTU Size attribute.
    Service-Defined Cookie Attribute—SSG does not parse or interpret the value of this attribute.
  • Page 97 Glossary: Internet, on networks characterized by intensive Web-based applications, or interactive sessions. Digital Subscriber Line...
  • Page 98 IP address pools within a pool group. Open Garden: Collection of websites or networks that users can access without having to provide authentication information...
  • Page 99 In ATM terminology, called a permanent virtual connection. Compare with SVC. See also virtual circuit (VC)...
  • Page 100 Switched virtual circuit. Virtual circuit that is dynamically established on demand and is torn down when transmission is complete. SVCs are used in situations where data transmission is sporadic. Called a switched virtual connection in ATM terminology. Compare with PVC...
  • Page 101 Vendor-Specific Attribute. An attribute that has been implemented by a particular vendor. It uses the attribute Vendor-Specific to encapsulate the resulting AV pair: essentially, Vendor-Specific = protocol:attribute = value...
  • Page 102 xDSL: Various types of digital subscriber lines. Examples include ADSL, HDSL, and VDSL...

This manual is also suitable for:

10000 series
