Cisco OL-4387-02 - Manuals

Contents vi Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 C H A P T E R 9 Interface Configuration 9-1 Transparent Passthrough 9-1 Access Side Interfaces 9-2 Network Side Interfaces 9-3 Restrictions of Transparent Passthrough 9-3 Configuration of Transparent Passt...

Contents vii Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Configuration of Packet Filtering 11-5 Configuration Example for Packet Filtering 11-5 SSG Unconfig 11-5 Restrictions for SSG Unconfig 11-5 Prerequisites for SSG Unconfig 11-6 Configuration of SSG Unconfi...

ix Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 About This Guide This guide provides information about the Service Selection Gateway (SSG) features of the Cisco 10000 Series Router. The SSG features are supported in Cisco IOS Release 12.2(16)BX and later release...

x Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 About This Guide Document Conventions Note This guide also includes a glossary of terms used in the document and an index to help you locate topics. Document Conventions This guide uses the following conventions: • ...

xi Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 About This Guide Related Documentation Caution Means reader be careful . In this situation, you might do something that could result in equipment damage or loss of data. Warning Means danger . You are in a situatio...

xii Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 About This Guide Documentation Feedback Documentation CD-ROM Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Docum...

xiii Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 About This Guide Obtaining Technical Assistance Cisco TAC Website The Cisco TAC website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies....

xiv Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 About This Guide Obtaining Additional Publications and Information Obtaining Additional Publications and Information Information about Cisco products, technologies, and network solutions is available from various ...

C H A P T E R 1-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 1 Service Selection Gateway Overview The Service Selection Gateway feature, available in Cisco IOS Release 12.2(16)BX or later, offers a switching solution to service providers. Working in conjunctio...

1-3 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 1 Service Selection Gateway Overview Service Selection Gateway Default Network The default network is a location that SSG allows unauthenticated users to access. The default network is a single IP address ...

1-4 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 1 Service Selection Gateway Overview Supported SSG Features Supported SSG Features The Cisco 10000 series router supports the following SSG features and functionality: • SSG Logon and Logoff, page 3-1 • Au...

1-6 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 1 Service Selection Gateway Overview SSG Prerequisites SSG Prerequisites The SSG feature has the following prerequisites: • The Cisco 10000 series router must be running Cisco IOS Release 12.2(16)BX or lat...

C H A P T E R 2-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 2 Scalability and Performance The infrastructure of the service provider must be capable of supporting the services the enterprise customer or Internet service provider (ISP) wants to offer its subsc...

C H A P T E R 3-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 3 SSG Logon and Logoff The Cisco 10000 series router supports the following SSG features for logon and logoff related functions: • Single Host Logon, page 3-1 • SSG Autologoff, page 3-2 • SSG Prepaid...

3-2 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 3 SSG Logon and Logoff SSG Autologoff SSG Autologoff The SSG Autologoff feature enables SSG to verify connectivity with each host. SSG checks the status of the connection with each host at configured inter...

3-3 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 3 SSG Logon and Logoff SSG Prepaid Idle Timeout Configuration Example for SSG Autologoff Example 3-1 shows how to enable autologoff with ARP ping. Example 3-1 SSG Autologoff Using ARP Ping ssg auto-logoff ...

3-4 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 3 SSG Logon and Logoff SSG Prepaid Idle Timeout Service Authorization SSG sends a service authorization request to the billing server upon initial service authorization. Explicit service authorization is r...

3-5 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 3 SSG Logon and Logoff SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle Timeout The SSG Prepaid Idle Timeout feature has the following restrictions: • The Cisco 10000 router supports only time-ba...

3-6 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 3 SSG Logon and Logoff SSG Session and Idle Timeout Example 3-5 shows how to configure the SSG TCP Redirect feature for a specific service. The commands redirect all prepaid service traffic to the captive ...

C H A P T E R 4-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 4 Authentication and Accounting The Cisco 10000 series router supports the following SSG features for authentication and accounting related functions: • SSG Full Username RADIUS Attribute, page 4-1 •...

4-2 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 4 Authentication and Accounting RADIUS Accounting Records RADIUS Accounting Records SSG sends accounting records with the associated attributes to the RADIUS accounting server when the following events occ...

4-3 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 4 Authentication and Accounting RADIUS Accounting Records Service Connection and Termination SSG also sends a RADIUS accounting-request record to the local RADIUS server when a user accesses or terminates ...

C H A P T E R 5-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 5 Service Selection Methods The Cisco 10000 series router supports the following service selection methods: • PPP Terminated Aggregation, page 5-1 • PTA-Multidomain, page 5-1 • Web Service Selection,...

5-2 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 5 Service Selection Methods Web Service Selection Restrictions for PTA-MD A user cannot connect to multiple services that are simultaneously in different VRFs. Web Service Selection Web service selection e...

5-3 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 5 Service Selection Methods Web Service Selection SESM and SSG Performance Packets sent between the SSG and the SESM might require processing by the Cisco 10000 router Route Processor (RP), instead of the ...

C H A P T E R 6-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 6 Service Connection The Cisco 10000 series router supports the following SSG features for service connection: • SSG AutoDomain, page 6-1 • SSG Prepaid, page 6-4 • SSG Open Garden, page 6-5 • SSG Por...

6-2 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 6 Service Connection SSG AutoDomain You can configure SSG AutoDomain in basic or extended mode. In basic mode, the AutoDomain profile downloaded from the AAA server is a service profile. This service profi...

6-4 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 6 Service Connection SSG Prepaid SSG Prepaid The SSG Prepaid feature allows a user to connect to a service if the user has prepaid for the service. SSG checks a subscriber’s available credit to determine w...

6-5 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 6 Service Connection SSG Open Garden Configuration Example for SSG Prepaid Example 6-4 configures a global prepaid server group named ssg_prepaid and attaches the server group to the SSG. Example 6-4 Attac...

6-6 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 6 Service Connection SSG Port-Bundle Host Key Restrictions for SSG Open Garden The SSG Open Garden feature has the following restrictions: • RADIUS accounting records are not created for Open Garden servic...

6-7 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 6 Service Connection SSG Port-Bundle Host Key For each TCP session between a subscriber and the SESM server, SSG uses one port from the port bundle as the port map. Port mappings are flagged as eligible fo...

6-8 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 6 Service Connection Exclude Networks Prerequisites for SSG Port-Bundle Host Key The SSG Port-Bundle Host Key feature has the following requirements: • The Cisco 10000 router supports the SSG Port-Bundle H...

6-9 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 6 Service Connection Mutually Exclusive Service Selection A SESM configuration option controls the SESM action when a subscriber is already logged into one service and then selects another service in the g...

C H A P T E R 7-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 7 Service Profiles and Cached Service Profiles The RADIUS server or the SESM downloads service profiles to the Cisco 10000 series router (SSG node) as needed. Typically, the SSG removes the service p...

7-4 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 7 Service Profiles and Cached Service Profiles Cached Service Profiles If the SESM web application is designed to use HTML frames, then this attribute also specifies whether the service is displayed in a n...

7-5 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 7 Service Profiles and Cached Service Profiles Cached Service Profiles • If the service profile exists and it is active, SSG uses the service profile to process the logon request. • If the service profile ...

C H A P T E R 8-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 8 SSG Hierarchical Policing The SSG Hierarchical Policing feature ensures that a subscriber does not utilize additional bandwidth for overall service or for a specific service that is outside the bou...

8-2 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 8 SSG Hierarchical Policing Restrictions for SSG Hierarchical Policing Restrictions for SSG Hierarchical Policing The SSG Hierarchical Policing feature has the following restrictions: • When using SSG hier...

8-3 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 8 SSG Hierarchical Policing Configuration Examples for SSG Hierarchical Policing Configuration Examples for SSG Hierarchical Policing Example 8-1 Configuring a RADIUS Service Profile for Per-Session Polici...

C H A P T E R 9-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 9 Interface Configuration When an interface is configured as an SSG uplink or downlink interface, non-SSG traffic is not allowed to pass through the interface. You configure interfaces that are conne...

9-2 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 9 Interface Configuration Transparent Passthrough Access Side Interfaces For access side interfaces, the interface type determines the method used to indicate an interface as SSG or transparent passthrough...

9-3 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 9 Interface Configuration Multicast Protocols on SSG Interfaces Network Side Interfaces For network side interfaces, SSG uplink interfaces can accept and forward both SSG traffic and transparent passthroug...

9-4 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 9 Interface Configuration Multicast Protocols on SSG Interfaces Configuration of Multicast Protocols on SSG Interfaces For SSG to forward multicast packets to the Cisco IOS routing engine, configure the fo...

C H A P T E R 10-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 10 SSG TCP Redirect The SSG TCP Redirect feature redirects certain user packets to an alternative location that can handle the packets in a suitable manner. This feature works in conjunction with th...

10-2 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 10 SSG TCP Redirect The SSG TCP Redirect feature always sends redirected packets to a captive portal group that consists of one or more servers. SSG selects one server from the group in a round-robin fash...

10-3 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 10 SSG TCP Redirect Figure 10-1 Restricting Access to Networks within Authorized Services The following describes the behavior of redirection for unauthorized services: • If a packet arrives from an unaut...

10-4 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 10 SSG TCP Redirect Typically, if a service is connected, SSG forwards packets to a user and packets from a user even if the packets do not match the protocol and TCP ports specified for redirection. Howe...

10-5 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 10 SSG TCP Redirect The following sections describe these tasks in more detail: • Configuration Considerations for SSG TCP Redirect, page 10-5 • Configuring Port-Based Redirection for Unauthenticated User...

10-6 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 10 SSG TCP Redirect Configuring SSG TCP Redirect To configure SSG TCP Redirect, use the following commands beginning in global configuration mode: For more detailed information, refer to the SSG TCP Redir...

10-7 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 10 SSG TCP Redirect Configuration Examples for SSG TCP Redirect This section provides the following example configurations: • Configuration Example for Server Groups, page 10-7 • Configuration Example for...

10-8 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 10 SSG TCP Redirect Configuration Example for Port Lists Example 10-5 shows how to configure a port list named ports for TCP redirection of HTTP packets and associate the port list to the server groups na...

C H A P T E R 11-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 11 Miscellaneous SSG Features This chapter describes the following SSG features: • VPI/VCI Static Binding to a Service Profile, page 11-1 • RADIUS Virtual Circuit Logging, page 11-2 • AAA Server Gro...

11-2 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 11 Miscellaneous SSG Features RADIUS Virtual Circuit Logging RADIUS Virtual Circuit Logging RADIUS Virtual Circuit (VC) Logging extends and modifies the RADIUS network access server (NAS) port field to ca...

11-3 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 11 Miscellaneous SSG Features Packet Filtering Configuration of AAA Server Group Support for Proxy Services To configure AAA Server Group Support for Proxy Services, use the RADIUS Server attribute. This ...

11-4 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 11 Miscellaneous SSG Features Packet Filtering Downstream Access Control List—outacl Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to downstream traffic going to the user. Cis...

11-5 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 11 Miscellaneous SSG Features SSG Unconfig Configuration of Packet Filtering To configure SSG ACLs, use the following Cisco-AV pair attributes: • Downstream Access Control List (outacl) Cisco-AVpair = ...

11-6 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 11 Miscellaneous SSG Features SSG Unconfig Prerequisites for SSG Unconfig You must enable SSG before you configure SSG Unconfig. Configuration of SSG Unconfig To configure SSG Unconfig, perform any of the...

11-7 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 11 Miscellaneous SSG Features SSG Enhancements for Overlapping Services SSG Enhancements for Overlapping Services Overlapping services are services for which the route prefix of one service matches or is ...

11-9 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 11 Miscellaneous SSG Features SSG Enhancements for Overlapping Services The service translation mechanism then internally converts the services to the following sets: Service Bronze_256 Set1 Service Silve...

11-10 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 11 Miscellaneous SSG Features SSG Enhancements for Overlapping Services Configuration of Service Translation To enable service translation on the router, enter the following command in global configurati...

11-11 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 11 Miscellaneous SSG Features SSG Enhancements for Overlapping Services Service B_512 Set2, set3, and set4 Service C_2048 Set2, set3, and set4 Service D_1024 Set2 Expansion of Service IDs The Cisco 10000...

12-2 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 12 Monitoring and Maintaining SSG Troubleshooting RADIUS Troubleshooting RADIUS To troubleshoot communication between the RADIUS server and SSG, enter the debug radius command in privileged EXEC mode. Per...

12-3 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 Chapter 12 Monitoring and Maintaining SSG Monitoring the Parallel Express Forwarding Engine Monitoring the Parallel Express Forwarding Engine To monitor the parallel express forwarding (PXF) engine, use the follo...

GL-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 G L O S S A R Y A authentication A security feature that allows access to information to be granted on an individual basis. B bandwidth The range of frequencies a transmission line or channel can carry. The great...

IN-1 Cisco 10000 Series Router Service Selection Gateway Configuration Guide OL-4387-02 I N D E X A aaa group server radius command 6-4 AAA servers, proxy services 11-2, 11-3 access-side interfaces 9-2 accounting for SSG 4-1 to 4-4 accounting records (RADIUS) 4-2, 4-3 Account Session Time (Attribute...