Cisco Systems OL-4387-02 User Manual

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

January 2004

Corporate Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 526-4100

Text Part Number: OL-4387-02

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

About This Guide ix

Audience ix

Document Organization ix

Document Conventions x

About This Guide

This guide provides information about the Service Selection Gateway (SSG) features of the Cisco 10000 Series Router. The SSG features are supported in Cisco IOS Release 12.2(16)BX and later releases.

Audience

This guide is designed for system and network managers responsible for configuring Service Selection Gateway features on the Cisco 10000 router. The manager should be experienced using Cisco IOS software and be familiar with the operation of the Cisco 10000 router.

Document Organization

This guide contains the following chapters:

Chapter Title Description

Chapter 1 Service Selection Gateway Overview Describes the Service Selection Gateway features, restrictions,

and prerequisites. Also provides an architectural model.

Chapter 2 Scalability and Performance Describes limitations and restrictions, of the Service Selection

Gateway feature.

Chapter 3 SSG Logon and Logoff Describes the SSG features for logon and logoff related

functions.

Chapter 4 Authentication and Accounting Describes the SSG features for authentication and accounting

related functions.

Chapter 5 Service Selection Methods Describes the service selection methods supported on the

Cisco 10000 router.

Chapter 6 Service Connection Describes the SSG features for service connection.

Chapter 7 Service Profiles and Cached Service

Profiles

Chapter 8 SSG Hierarchical Policing Describes the SSG Hierarchical Policing feature supported by

Chapter 9 Interface Configuration Describes the Transparent Passthrough and Multicast Protocols

Describes service profiles and cached service profiles.

the Cisco 10000 router.

on SSG Interfaces features.

OL-4387-02

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

About This Guide

Document Conventions

Chapter Title Description

Chapter 10 SSG TCP Redirect Describes the TCP Redirect feature for SSG.

Chapter 11 Miscellaneous SSG Features Describes the following features:

• VPI/VCI Static Binding to a Service Profile

• RADIUS Virtual Circuit Logging

• AAA Server Group Support for Proxy Services

• Packet Filtering

• SSG Unconfig

• SSG Enhancements for Overlapping Services

Chapter 12 Monitoring and Maintaining SSG Provides show commands for monitoring and maintaining

SSG, describes the per-service statistics feature, and provides commands for monitoring the Parallel Express Forwarding (PXF) engine.

Appendix A Configuration Example for SSG Provides a basic configuration example for SSG.

Note This guide also includes a glossary of terms used in the document and an index to help you locate topics.

Document Conventions

This guide uses the following conventions:

• Bold is used for commands, keywords, and buttons.

• Italics are used for command input for which you supply values.

• Screen font is used for examples of information that are displayed on the screen.

• Bold screen font is used for examples of information that you enter.

• Vertical bars ( | ) indicate separate alternative, mutually exclusive elements.

• Square brackets ( [ ] ) indicate optional elements.

• Braces ( {} ) indicate a required choice.

• Braces within square brackets ( [{}] ) indicate a required choice within an optional element.

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the

guide.

Timesaver Means the described action saves time. You can save time by performing the action described in the

paragraph.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

OL-4387-02

About This Guide

Caution Means reader be careful. In this situation, you might do something that could result in equipment

Obtaining Documentation

document that accompanied the device.

Cisco.com

OL-4387-02

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

Documentation Feedback

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order annual or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription

Click Subscriptions & Promotional Materials in the left navigation bar.

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

About This Guide

You can order Cisco documentation in these ways:

• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from

the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

• Nonregistered Cisco.com users can order documentation through a local account representative by

calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit e-mail comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

xii

OL-4387-02

About This Guide

Cisco TAC Website

The Cisco TAC website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website is located at this URL:

http://www.cisco.com/tac

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is located at this URL:

Obtaining Technical Assistance

http://www.cisco.com/tac/caseopen

For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is “down” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

OL-4387-02

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

xiii

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as

ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

• Cisco Press publishes a wide range of general networking, training and certification titles. Both new

and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

• Packet magazine is the Cisco quarterly publication that provides the latest networking trends,

technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

About This Guide

• iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet

business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering

professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

• Training—Cisco offers world-class networking training. Current offerings in network training are

listed at this URL:

http://www.cisco.com/en/US/learning/index.html

xiv

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

OL-4387-02

Service Selection Gateway Overview

The Service Selection Gateway feature, available in Cisco IOS Release 12.2(16)BX or later, offers a switching solution to service providers. Working in conjunction with the Cisco Subscriber Edge Services Manager (SESM), SSG provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with the SESM web application using a standard Internet browser.

This chapter provides an overview of the Service Selection Gateway feature available on the Cisco 10000 series router.

Service Selection Gateway

The Cisco 10000 series router supports the Service Selection Gateway (SSG) feature in Cisco IOS Release 12.2(16)BX or later. SSG is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as digital subscriber lines (DSL) lines, cable modems, or wireless to allow simultaneous access to network services. SSG provides connectivity to corporate networks and differential service selection to users with access to multiple simultaneous services. Users can dynamically connect to and disconnect from any of the services available to them.

CHAPTER

OL-4387-02

Figure 1-1 shows an example of an SSG topology. In the figure, a single user connects to the

Cisco 10000 series router using an access protocol such as PPP, RBE, or IP. SSG resides in the router that serves as a broadband aggregator. The router acts as a central control point for Layer 2 and Layer 3 services, including services available through ATM virtual circuits (VCs), virtual private dial-up networks (VPDNs), and normal routing methods. The user can concurrently connect to a number of different services, which can be private or public services. Connections to the services are established using IP.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

1-1

Service Selection Gateway

Figure 1-1 SSG Topology Example

Default

Network

Web

Dashboard

Cisco 10000

router

RADIUS

AAA

Chapter 1 Service Selection Gateway Overview

Cisco

Secure

ISP/Service A

PPP/RBE/IP

Open

Garden

RADIUS IP Data Tunnel

ISP/Service C

Note The Cisco 10000 series router does not support tunneling of SSG users.

SSG

Extranet

The Cisco 10000 series router adds the Open Garden and default networks to all SSG VRFs, providing reachability information to the Open Garden and default networks for all services both public and private. However, access is restricted for the following conditions:

• If the Open Garden and default network addresses overlap within the service definition, the traffic

destined for either network is subject to the rules of the default network.

• If the Open Garden network is bound to a specific interface and a VRF is also applied to the

interface, the Open Garden network is accessible to users whose sessions are established using the applied VRF.

RADIUS

AAA

ISP/Service B

RADIUS

AAA

87907

1-2

The SSG feature communicates with the authentication, authorization, and accounting (AAA) management network that includes RADIUS and Dynamic Host Configuration Protocol (DHCP) servers. SSG connects to the service provider network, which can connect to the Internet service provider (ISP) network and corporate networks.

The Cisco 10000 series router supports the Cisco Subscriber Edge Services Manager (SESM), which provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with the SESM web application using a standard Internet browser. The SESM functionality provides a flexible and convenient graphical user interface (GUI) for subscribers and enables service providers to bill subscribers for connection time and services used, rather than charging a flat rate.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

OL-4387-02

Chapter 1 Service Selection Gateway Overview

Default Network

The default network is a location that SSG allows unauthenticated users to access. The default network is a single IP address or subnet, typically the IP address of the SESM application although other types of servers can also be defined as the default network. The default network supports the port-bundle host key.

The default network enables special processing of traffic to and from the default network. Because traffic to and from SESM requires special processing and the Cisco 10000 series router cannot distinguish between SESM and non-SESM traffic, we recommend that you define the SESM server as the default network and place other servers in the Open Garden network.

Note Traffic to and from a non-SESM server does not require special processing.

The SSG typically forwards packets to and from the default network through the router’s PXF forwarding engine. However, SSG also forwards default network traffic through the route processor (RP) as follows:

Packets from a User and Destined for the Default Network

If the port-bundle host key is:

Service Selection Gateway

• Enabled—SSG forwards the packets through the RP.

• Disabled—SSG forwards the packets through the PXF forwarding engine.

Packets from the Default Network and Destined for an SSG User

• SSG forwards the packets through the RP if either of the following conditions are met:

• Otherwise, SSG forwards the packets through the PXF forwarding engine.

Access Protocols

On the subscriber side of the network, the Cisco 10000 series router supports SSG features for the following protocols and encapsulations:

• PPPoE

• PPPoA

• RBE

• RFC 2684 IP

On the network side, the router supports receiving SSG traffic on the following interface types:

–

The port-bundle host key is enabled.

–

The port-bundle host key is disabled, TCP is the transport protocol, and the packets are associated with an active TCP redirect mapping.

OL-4387-02

• ATM PVCs and subinterfaces

• Ethernet interfaces and subinterfaces

• POS interfaces

• Serial and channelized interfaces

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

1-3

Supported SSG Features

The Cisco 10000 series router supports the following SSG features and functionality:

• SSG Logon and Logoff, page 3-1

• Authentication and Accounting, page 4-1

• Service Selection Methods, page 5-1

• Service Connection, page 6-1

• Service Profiles and Cached Service Profiles, page 7-1

• SSG Hierarchical Policing, page 8-1

• Interface Configuration, page 9-1

• SSG TCP Redirect, page 10-1

• VPI/VCI Static Binding to a Service Profile, page 11-1

• RADIUS Virtual Circuit Logging, page 11-2

• AAA Server Group Support for Proxy Services, page 11-2

Chapter 1 Service Selection Gateway Overview

• Packet Filtering, page 11-3

• SSG Unconfig, page 11-5

For more information about the SSG features, refer to the Service Selection Gateway, Release 12.2(15)B

feature module.

For information about SSG features supported in a specific Cisco IOS release, refer to the

Cisco 10000 Series Router Feature Map.

SSG Restrictions

The SSG feature has the following restrictions:

• When using SSG hierarchical policing on Cisco 10000 Series routers, a maximum of 8 policing rates

can be used per uplink interface and R attribute combination. Of these 8 rates, 1 is reserved for “no policing”, leaving 7 different police rates available per uplink interface and R attribute combination For example, if eight SSG services are bound to the same SSG next-hop and all eight services carry an R attribute of “R0.0.0.0;0.0.0.0”, the ninth service will fail to acquire correct policing rates and this error message may appear: %GENERAL-3-EREVENT: C10KSSG: Vi2.8 svc_bitmap 0x2 Unable to set connection rate

• Network address translation (NAT) functionality is not supported. This means that the router does

not support concurrent access to multiple services for which the services, not the access provider, must assign the user’s IP address. For example, this restriction applies to concurrent access to a private service and SESM or the Open Garden network, or concurrent access to a tunnel service and SESM or the Open Garden network.

1-4

• The Cisco 10000 series router adds reachability information to the Open Garden and default

networks for all services, both public and private. Because NAT is not supported, the addresses for the Open Garden and default networks cannot overlap addresses defined within the service definition.

• To restrict access to the Open Garden network by private services, you must specifically bind the

Open Garden to the uplink interfaces. Do not bind the Open Garden to the interface used by the private service.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

OL-4387-02

Chapter 1 Service Selection Gateway Overview

• The Cisco 10000 router’s SSG software and forwarding software handle multiple users attached to a

single Cisco IOS software interface in different ways, which could result in users receiving services that they did not select. After the first user logs on, all subsequent user logon attempts are rejected. Although the logon is rejected and thus the ability to select services, all users can access the services to which the first user is subscribed. User traffic is not rejected, only the user’s authorization attempt. The traffic from all users is logged in the statistics of the first user. The traffic to the user is treated as transparent passthrough and is forwarded to the user, but it does not affect SSG accounting. If you enter the ssg show host command, statistics are displayed for the first user only.

• For users attached to multipoint interfaces on the access side, the Cisco 10000 router authorizes the

first user and then rejects the authorization attempts of subsequent users. The router only rejects the authorization attempts, not the user traffic. The router treats all subsequent users as the first user logged on, allowing access to the services to which the first user is subscribed. However, subsequent users cannot select services. The traffic from all users is logged in the statistics of the first user. Traffic to the second and subsequent users is treated as transparent passthrough and is forwarded to these users, but it does not affect the SSG accounting. The ssg show host command displays the first user.

• Each private service is associated with its own VRF; global services are associated with the same

VRF. The default network and Open Garden network are typically added to all VRFs, except if the network addresses overlap addresses in the private IP network or the Open Garden network is explicitly bound to an uplink interface. The default network addresses must also be associated with the global Cisco IOS VRF.

SSG Restrictions

• You can apply a service to a next-hop address or to an interface. The interface must be a

non-broadcast interface. For example, an interface with multipoint PVCs or Ethernet without VLANs is not supported.

• You can apply services with overlapping addresses to the same next-hop address. Services that have

overlapping addresses cannot be bound to different next-hop addresses if the next-hop addresses resolve to the same interface.

• All services that share an uplink interface must not have overlapping addresses. Normally, a service

defined to include a route of 0.0.0.0 with a subnet mask of 0.0.0.0 overlaps with any other possible service. Therefore, the Cisco 10000 series router treats the route 0.0.0.0 with a subnet mask of

0.0.0.0 as a default route.

• You cannot configure the following interface types as an SSG uplink interface:

–

Any interface requiring tunneling (for example, L2TP or GRE tunneling)

–

Multilink PPP (MLPPP) interfaces

–

Tag interfaces

–

Load balanced interfaces

• For RBE and IP users, the addresses of services that share an uplink interface cannot overlap.

For information about the restrictions for a specific SSG feature, see the appropriate chapter in this guide.

OL-4387-02

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

1-5

SSG Prerequisites

The SSG feature has the following prerequisites:

• The Cisco 10000 series router must be running Cisco IOS Release 12.2(16)BX or later.

• The performance routing engine (PRE), part number ESR-PRE2 must be installed in the router

chassis. The PRE performs all Layer 2 and Layer 3 packet manipulation related to routing and forwarding operations. Use the show version command to verify that you have the correct PRE version installed.

• If you want to perform Layer 3 service selection, you must install and configure the Cisco

Subscriber Edge Services Manager (SESM) as described in the Cisco Subscriber Edge Services

Manager and Subscriber Policy Engine Installation and Configuration Guide, Release 3.1(1).

For information about the prerequisites for a specific SSG feature, see the appropriate chapter in this guide.

SSG Architecture Model

Chapter 1 Service Selection Gateway Overview

Figure 1-2 shows a Service Selection Gateway (SSG) model.

Figure 1-2 Service Selection Gateway Topology

WAP

PDA

Notebook

AAA

DSL

GGSN

Wireless LAN

garden

Scalability and Performance

The infrastructure of the service provider must be capable of supporting the services the enterprise customer or Internet service provider (ISP) wants to offer its subscribers. It must also be able to scale to an expanding subscriber base. You can configure the Cisco 10000 series router for high scalability.

Limitations and Restrictions

The Cisco 10000 series router has the following limitations and restrictions for the SSG:

• Users can connect to a maximum of seven different services, plus the Open Garden and default

networks (a total of 9) at any one time.

• The Cisco 10000 series router supports mini-ACLs and turbo ACLs. Mini-ACLs are limited to eight

or less access control entries (ACEs); turbo ACLs have more than eight ACEs. ACLs can be standard or extended ACLs. Non-SSG interfaces support both mini-ACLs and turbo ACLs. ACLs defined through SSG configuration (RADIUS) are restricted to mini-ACLs only. You can apply the same ACL to multiple hosts and connections.

CHAPTER

• The SSG QoS features are limited to hierarchical policing and are not based on the modular QoS

CLI (MQC).

• You cannot configure routing protocols in SSG VRFs. Therefore, RA-MPLS features are not

supported for SSG hosts.

• The Cisco 10000 series router does not support load balancing on SSG uplink interfaces or

redundant uplink interfaces to the same set of services.

• The Cisco 10000 series router does not support SSG services on tag interfaces.

• If you use the CLI to configure a VRF on an interface and you simultaneously configure the interface

as an SSG uplink interface, the Cisco 10000 series router accepts the configuration but the SSG uplink configuration takes precedence and the router ignores the VRF configuration.

• You cannot configure overlapping IP addresses in the same VRF and you can associate a single

interface with a single VRF. The router makes routing decisions based on the longest match.

• The services applied on an IP network or networks must not have conflicting features. For example,

consider the following service definitions for the Best, Good, and Standard services. These service definitions are in conflict because network A is not policed while network B is policed and also restricted for some hosts.

Best—Access to network A and access to network B at rate 2

Good—Access to network A and access to network B at rate 1

Standard—Access to network A but no access to network B

OL-4387-02

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

2-1

Limitations and Restrictions

Chapter 2 Scalability and Performance

Now, consider the following revised service definitions in which two different services are defined. These service definitions allow all users to connect to the Standard service and allow some users to connect simultaneously to Good or Best services.

Best—Access to network B at rate 2

Good—Access to network B at rate 1

Standard—Access to network A

2-2

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

OL-4387-02

SSG Logon and Logoff

The Cisco 10000 series router supports the following SSG features for logon and logoff related functions:

• Single Host Logon, page 3-1

• SSG Autologoff, page 3-2

• SSG Prepaid Idle Timeout, page 3-3

• SSG Session and Idle Timeout, page 3-6

This chapter describes each of SSG logon and logoff features.

Single Host Logon

The Single Host Logon feature enables users to enter authentication information only twice. To log on to a service through the SESM web application, a subscriber enters authentication information once for the PPP session and once for the service. The subscriber does not have to log on to the SESM. Instead, the SESM uses the PPP authenticated information from the SSG.

CHAPTER

For non-PPP users, when a subscriber authenticates using the SESM application, the subscriber does not have to log on again for the remainder of the non-PPP session. However, the subscriber still has to log on to services. For more information, refer to Cisco Subscriber Edge Services Manager and Subscriber

Policy Engine Installation and Configuration Guide.

Prerequisites for Single Host Logon

T o use th e Single Host Logon feature, you must inst all and configure Cisco SESM Release 3.1(1) or later.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

OL-4387-02

3-1

SSG Autologoff

The SSG Autologoff feature enables SSG to verify connectivity with each host. SSG checks the status of the connection with each host at configured intervals. If SSG finds that a host is not reachable, SSG automatically initiates the logoff of that host. SSG has two methods of checking the connectivity of hosts: ARP ping and ICMP ping.

ARP ping

When autologoff is configured to use ARP ping, SSG periodically checks the ARP cache tables. If a table entry for a host is found, SSG forces ARP to refresh the entry and checks the entry again after a configured interval. If a table entry is not found, SSG initiates autologoff for the host. However, if any data traffic to or from the host occurred during the interval, SSG does not ping the host because the reachability of the host during that interval was established by the data traffic. ARP ping works in deployment scenarios in which all hosts are directly connected to the SSG through a broadcast interface such as an Ethernet interface or through a bridged interface such as an RBE interface.

ICMP ping

Chapter 3 SSG Logon and Logoff

When SSG autologoff is configured to use ICMP ping, SSG pings the host to check connectivity until an ICMP response is obtained or the allowable number of tries is used up. If all the tries are used up and the ping was unsuccessful, then SSG initiates logoff for that host. SSG uses ICMP ping one time at each configured interval. If data traffic to or from the host is found during the interval, SSG does not ping the host because reachability was established by the data traffic. ICMP ping works in all types of deployment scenarios and supports overlapping IP users.

Restrictions for SSG Autologoff

The SSG Autologoff feature has the following restrictions:

• Use only one method of SSG autologoff at a time: ARP ping or ICMP ping.

• Use ARP ping only in deployment scenarios in which all hosts are directly connected to the SSG

through a broadcast interface such as an Ethernet interface or through a bridged interface such as an RBE interface. ICMP ping works in all types of deployment scenarios.

• ARP ping works only on hosts that have a MAC address.

• ARP ping does not support overlapping IP addresses.

• SSG autologoff that uses ARP ping does not work for hosts with static ARP entries.

• If you configure both the idle timers and ICMP-based autologoff, you must set the autologoff

interval to a value that is at least twice as long as the idle timeout interval. Otherwise, the ICMP messages reset the idle timer and the user is only logged out if the user does not respond to the ICMP ping.

Configuration of SSG Autologoff

To configure the SSG Autologoff feature, use the ssg auto-logoff command in global configuration mode. For more information, refer to the SSG Autologoff, Release 12.2(4)B feature module.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

3-2

OL-4387-02

Chapter 3 SSG Logon and Logoff

Configuration Example for SSG Autologoff

Example 3-1 shows how to enable autologoff with ARP ping.

Example 3-1 SSG Autologoff Using ARP Ping

ssg auto-logoff arp interval 60

Example 3-2 shows how to enable autologoff with ICMP ping.

Example 3-2 SSG Autologoff Using ICMP Ping

ssg auto-logoff icmp interval 60 packet 2 timeout 500

SSG Prepaid Idle Timeout

The SSG Prepaid Idle Timeout feature enhances the SSG and the SSG Prepaid feature by doing the following:

SSG Prepaid Idle Timeout

• Enables SSG to return residual quotas (allotments of prepaid credit) to the billing server from

services that a user is logged into but not actively using. The quota that is returned to the billing center can be applied to the quota for the services the user is actively using.

• Enables a user’s connection to services to be open even when the billing server returns a zero quota.

The connection’s status depends on the combination of the quota and the idle timeout value returned. Depending on the connection service, SSG requests the quota for a connection from the billing server at the following times:

–

After the user starts using a particular service

–

When the user runs out of quota

–

After the configured idle timeout value expires

• Enables SSG to reauthorize a user before the user completely consumes the allocated quota. You can

also configure SSG to not pass traffic during reauthorization, thus preventing revenue leaks in the event the billing server returns a zero quota for the user.

• Enhances the handling of a returned zero quota from the billing server. If the billing server returns

a zero quota and a nonzero idle timeout, the user has run out of credit for a service. When a user runs out of credit, the user is redirected to the billing server to replenish the quota. When the user is redirected to the billing server, the user’s connection to the original service or services remains up, but any traffic passing through the connection is dropped. This enables the user to replenish the quota on the billing server without losing connections to services or having to perform additional service logons.

• Enables SSG to notify the billing server when a connection fails. This enables the billing server to

free quota that was reserved for the failed connection and to apply the quota immediately to some other active connection.

OL-4387-02

Without the SSG Prepaid Idle Timeout feature, traffic passed during reauthorization represents a revenue leak if the billing server returns a zero quota for the user. A configurable threshold value is used to prevent this. This value causes SSG to reauthorize a user’s connection before the user completely consumes the allocated quota for a service.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

3-3

SSG Prepaid Idle Timeout

Service Authorization

SSG sends a service authorization request to the billing server upon initial service authorization. Explicit service authorization is required whenever a user attempts to connect to a prepaid service to ensure that the user has sufficient credit to connect to that service. The billing server responds with the available quota (allotment of prepaid credit) to SSG. If the returned available quota is greater than zero or not present, SSG allows the user to connect to the service and begins metering based on the allotted quota. For this authorization, an Access-Request is generated once the service is identified as a prepaid service. The Access-Request is generated for service authorization regardless of the service type (for example, virtual private dial-up network (VPDN), passthrough, proxy, or tunnel).

The billing server responds to the service authorization Access-Request with an Access-Accept that defines the quota parameters for the connection. Authorization for a service is provided based on the presence and content of the Quota (Attribute 26) and the Idle Timeout (Attribute 28) vendor-specific attributes (VSAs) in the Access-Accept.

Service Reauthorization

SSG sends a service reauthorization request to the billing server at the following times:

Chapter 3 SSG Logon and Logoff

• When a prepaid user’s quota is consumed

• After the configured idle timeout expires

• When the user’s remaining quota reaches the configured threshold value

The SSG Prepaid Idle Timeout feature enables you to configure how traffic is handled during reauthorization. By default, traffic continues during reauthorization. If the billing server returns a zero quota in the reauthorization response, SSG disconnects the connection but the data that was in progress during the reauthorization goes through and is not accounted. You can configure SSG to either drop or forward traffic during reauthorization. You can also configure a threshold value, which configures SSG to reauthorize a connection with the billing server before a prepaid user’s allocated quota is completely consumed.

By configuring the ssg prepaid reauthorization drop-packet command, SSG drops the traffic on a connection during reauthorization and the time used during the reauthorization is not accounted to that connection. SSG deducts the reauthorization times from the total session duration time and sends the Account Session Time (Attribute 46) in the Accounting Stop and Update packets.

If the billing server responds with a time-based connection to redirect the traffic, then SSG redirects TCP traffic. The time of the TCP redirection is also not accounted to the user’s connection.

The reauthorization request for SSG Prepaid Idle Timeout is similar to the reauthorization request for SSG Prepaid. However, the SSG Prepaid Idle Timeout reauthorization request contains an additional attribute: Reauthorization Reason. If the Reauthorization Reason attribute is not present, the billing server assumes that the reason for the reauthorization request is Primary Quota Consumed. The values of the Reauthorization Reason attribute are the following:

• Quota Consumed (QR0)

3-4

• Idle Timer Expired (QR1)

For more information, refer to the SSG Prepaid Idle Timeout, Release 12.2(15)B feature module.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

OL-4387-02

Chapter 3 SSG Logon and Logoff

Restrictions for SSG Prepaid Idle Timeout

The SSG Prepaid Idle Timeout feature has the following restrictions:

• The Cisco 10000 router supports only time-based SSG Prepaid for a service connection. Quotas are

measured in seconds. You cannot change the unit of measure.

• The Cisco 10000 router does not support returning a quota when the connection is idle.

• After a user runs out of quota and then replenishes the quota at the billing server, SSG receives the

updated quota and resumes the connection only after the next reauthorization.

Prerequisites for SSG Prepaid Idle Timeout

The SSG Prepaid Idle Timeout feature requires the following:

• You must enable SSG accounting before you can use the SSG Prepaid feature. SSG accounting is

enabled by default. If it has been disabled, reenable it by using the ssg accounting command in global configuration mode.

• The SSG Prepaid feature requires the AAA server to support prepaid billing.

• You must configure the SSG to send Attribute 55 in accounting requests.

SSG Prepaid Idle Timeout

Configuration of SSG Prepaid Idle Timeout

To configure the SSG Prepaid Idle Timeout feature, configure the SSG Prepaid and SSG TCP Redirect features. For more information, refer to the SSG Prepaid, Release 12.2(4)B feature module and the

SSG TCP Redirect for Services, Release 12.2(4)B feature module.

Configuration Example for SSG Prepaid Idle Timeout

Example 3-3 shows how to configure the SSG Prepaid feature to provide the prepaid billing server with

session ID and time-stamp information.

Example 3-3 SSG Prepaid Service

radius-server attribute 44 include-in-access-req radius-server attribute 55 include-in-acct-req

Example 3-4 shows how to configure the SSG TCP Redirect feature. The commands configure a captive

portal group called "DefaultRedirectGroup," add two servers to "DefaultRedirectGroup," and redirect prepaid users to the newly created captive portal.

Example 3-4 SSG TCP Redirect

ssg enable ssg tcp-redirect server-group DefaultRedirectGroup server 10.0.0.1 8080 server 10.0.0.20 80 end redirect prepaid-user to DefaultRedirectGroup

OL-4387-02

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

3-5

SSG Session and Idle Timeout

Example 3-5 shows how to configure the SSG TCP Redirect feature for a specific service. The

commands redirect all prepaid service traffic to the captive portal group called "InternetRedirectGroup" and configure the captive portal group as the server group used for redirecting prepaid traffic.

Example 3-5 SSG Service-Specific TCP Redirect

ssg enable ssg tcp-redirect server-group InternetRedirectGroup server 10.0.0.1 8080 server 10.0.0.20 80 end

The service profile for InternetRedirectGroup is shown here:

ServiceInfo="Z"

(Optional) You can configure SSG to reauthorize a prepaid user's connection before the user has completely consumed the allotted quota for a service. To do this, enter the global-configuration commands shown below to configure a time-based or a volume-based threshold value. Example 3-6 shows how to configure a threshold time value of 10 seconds. Example 3-7 shows how to configure threshold volume value of 2000 bytes.

Chapter 3 SSG Logon and Logoff

Example 3-6 SSG Threshold Time

ssg prepaid threshold time 10

Example 3-7 SSG Threshold Volume

ssg prepaid threshold volume 2000

SSG Session and Idle Timeout

In a dial-up networking or bridged (non-PPP) network environment, a user can disconnect from the network access server (NAS) and release the IP address without logging out from the SSG. When this happens, the SSG continues to allow traffic to pass from that IP address, which can create a problem if the another user obtains the same IP address. SSG provides two mechanisms to prevent this problem from occurring:

• Session-Timeout RADIUS attribute—Specifies the maximum length of time for which a host or

connection object can remain continuously active.

• Idle-Timeout RADIUS attribute—Specifies the maximum length of time for which a session or

connection can remain idle before it is disconnected.

The Session-Timeout and Idle-Timeout attributes are used in either a user or service profile. In a user profile, the attribute applies to the user session. In a service profile, the attribute applies individually to each service connection.

3-6

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

OL-4387-02

+ 80 hidden pages

Cisco Systems OL-4387-02 User Manual

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

CONTENTS

About This Guide

Audience

Document Organization

Document Conventions

Related Documentation

Obtaining Documentation

Cisco.com

Documentation Feedback

Documentation CD-ROM

Ordering Documentation

Obtaining Technical Assistance

Cisco TAC Website

Opening a TAC Case

TAC Case Priority Definitions

Obtaining Additional Publications and Information

Service Selection Gateway Overview

Service Selection Gateway

Default Network

Access Protocols

Supported SSG Features

SSG Restrictions

SSG Prerequisites

SSG Architecture Model

Scalability and Performance

Limitations and Restrictions

SSG Logon and Logoff

Single Host Logon

Prerequisites for Single Host Logon

SSG Autologoff

Restrictions for SSG Autologoff

Configuration of SSG Autologoff

Configuration Example for SSG Autologoff

SSG Prepaid Idle Timeout

Service Authorization

Service Reauthorization

Restrictions for SSG Prepaid Idle Timeout

Prerequisites for SSG Prepaid Idle Timeout

Configuration of SSG Prepaid Idle Timeout

Configuration Example for SSG Prepaid Idle Timeout

SSG Session and Idle Timeout