Cisco Systems OL-4387-02 manual Restrictions for SSG Port-Bundle Host Key

Page 45

Chapter 6 Service Connection

SSG Port-Bundle Host Key

For each TCP session between a subscriber and the SESM server, SSG uses one port from the port bundle as the port map. Port mappings are flagged as eligible for reuse on the basis of inactivity timers, but are not explicitly removed once assigned. The number of port bundles is limited, but you can assign multiple SSG source IP addresses to accommodate more subscribers.

SSG assigns the base port of the port bundle to a port map only if SSG has no state information for the subscriber or if the state of the subscriber has changed. When the SESM server sees the base port of a port bundle in the host key, SESM queries SSG for new subscriber state information.

For more information, refer to the SSG Port-Bundle Host Key, Release 12.2(4)B feature module.

Restrictions for SSG Port-Bundle Host Key

The SSG Port-Bundle Host Key feature has the following restrictions:

You must separately enable the SSG Port-Bundle Host Key feature at the SESM and at all connected SSG nodes.

To enable the SSG Port-Bundle Host Key feature, you must reload SSG and restart the SESM.

When you change the port-bundle length, the change does not take effect until after the router reloads.

All SSG source IP addresses configured using the ssg port-map source ip command must be routable in the management network where the SESM resides.

For each SESM server, all connected SSG nodes must have the same port-bundle length.

RFC 1483, local bridged, or routed clients cannot have overlapping IP addresses, even across different interfaces.

Enabling the SSG Port-Bundle Host Key feature requires additional PXF processing.

The Cisco 10000 router’s SSG software and forwarding software handle multiple users attached to a single Cisco IOS interface in different ways, which could result in users receiving services that they did not select. After the first user logs on, all subsequent user logon attempts are rejected. Although the logon is rejected and thus the ability to select services, all users can access the services to which the first user is subscribed. User traffic is not rejected, only the user’s authorization attempt. The traffic from all users is logged in the statistics of the first user. Traffic to the second and subsequent user(s) is treated as transparent passthrough and is forwarded to these users, but it does not affect the SSG accounting. The ssg show host command displays the first user.

For users attached to multipoint interfaces on the access side, the Cisco 10000 router authorizes the first user and then rejects the authorization attempts of subsequent users. The router only rejects the authorization attempts, not the user traffic. The router treats all subsequent users as the first user logged on, allowing access to the services to which the first user is subscribed. However, subsequent users cannot select services. The traffic from all users is logged in the statistics of the first user. Traffic to the second and subsequent user(s) is treated as transparent passthrough and is forwarded to these users, but it does not affect the SSG accounting. The ssg show host command displays the first user.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

 

OL-4387-02

6-7

 

 

 

Page 44 Page 46
Image 45
Page 44 Page 46
Contents Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved Iii N T E N T SConfiguration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile Vii SSG UnconfigViii About This Guide AudienceDocument Organization Document Conventions Related Documentation Obtaining DocumentationCisco.com Obtaining Technical Assistance Documentation FeedbackDocumentation CD-ROM Ordering DocumentationOpening a TAC Case Cisco TAC WebsiteTAC Case Priority Definitions XiiiXiv Obtaining Additional Publications and InformationService Selection Gateway Service Selection Gateway OverviewSSG Topology Example Access Protocols Default NetworkSSG Restrictions Supported SSG FeaturesService Selection Gateway Overview SSG Restrictions SSG Architecture Model SSG PrerequisitesService Selection Gateway Overview SSG Architecture Model OL-4387-02 Limitations and Restrictions Scalability and PerformanceScalability and Performance Limitations and Restrictions SSG Logon and Logoff Single Host LogonPrerequisites for Single Host Logon Configuration of SSG Autologoff SSG AutologoffRestrictions for SSG Autologoff Configuration Example for SSG Autologoff SSG Prepaid Idle TimeoutExample 3-1 SSG Autologoff Using ARP Ping Example 3-2 SSG Autologoff Using Icmp PingService Reauthorization Service AuthorizationPrerequisites for SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutConfiguration of SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle TimeoutExample 3-5 SSG Service-Specific TCP Redirect SSG Session and Idle TimeoutExample 3-7 SSG Threshold Volume Example 3-6 SSG Threshold TimeSSG Full Username Radius Attribute Authentication and AccountingRestrictions for SSG Full Username Radius Attribute Example 4-1 Radius Freeware Format ExampleRadius Accounting Records Account Login and LogoutExample 4-3 Radius Accounting-Start Record Example 4-4 Radius Accounting-Stop RecordService Connection and Termination Authentication and Accounting Radius Accounting Records Service Selection Methods PPP Terminated AggregationPTA-Multidomain Restrictions for PTA-MD Web Service SelectionSesm and SSG Performance OL-4387-02 SSG AutoDomain Service ConnectionConfiguration of SSG AutoDomain Configuration Example for SSG AutoDomainRestrictions for SSG AutoDomain Example 6-1 SSG AutoDomain Example 6-2 AutoDomain Exclude Profile SSG VSA FormatExample 6-3 AutoDomain Exclude File Format Configuration of SSG Prepaid SSG PrepaidRestrictions for SSG Prepaid SSG Open Garden Configuration Example for SSG PrepaidConfiguration Example for SSG Open Garden Configuration of SSG Open GardenSSG Port-Bundle Host Key Restrictions for SSG Open GardenRestrictions for SSG Port-Bundle Host Key Configuration of SSG Port-Bundle Host Key Mutually Exclusive Service SelectionExclude Networks Prerequisites for SSG Port-Bundle Host KeyConfiguration of Mutually Exclusive Service Selection OL-4387-02 Downstream Access Control List Service ProfilesService Authentication Type Upstream Access Control ListDomain Name Full UsernameService Description Service-Defined CookieService Mode Service Next-Hop GatewayType of Service Cached Service ProfilesService Profile Example Example 7-1 Service ProfileConfiguration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing SSG Hierarchical Policing OverviewSSG Hierarchical Policing Token Bucket Scheme Restrictions for SSG Hierarchical Policing SSG Hierarchical Policing ConfigurationExample 8-2 Enabling Per-Session Policing on a Router Configuration Examples for SSG Hierarchical PolicingOL-4387-02 Transparent Passthrough Interface ConfigurationFor example Access Side InterfacesMulticast Protocols on SSG Interfaces Configuration of Transparent PassthroughNetwork Side Interfaces Restrictions of Transparent PassthroughConfiguration of Multicast Protocols on SSG Interfaces Redirection for Unauthenticated Users SSG TCP Redirect10-1 10-2 Redirection for Unauthorized Services10-3 Initial CaptivationRestrictions for SSG TCP Redirect Configuration of SSG TCP RedirectPrerequisites for SSG TCP Redirect 10-410-5 Example 10-1 Binding a Server Group to a PortExample 10-2 Limiting Redirected TCP Sessions 10-6 Configuring SSG TCP Redirect10-7 Configuration Examples for SSG TCP RedirectExample 10-3 Defining a Captive Portal Server Group Example 10-4 Defining Network ListsExample 10-5 Defining Port Lists 10-8Miscellaneous SSG Features VPI/VCI Static Binding to a Service Profile11-1 Configuration of Radius Virtual Circuit Logging AAA Server Group Support for Proxy ServicesRadius Virtual Circuit Logging 11-211-3 Packet FilteringUpstream Access Control List-inacl Downstream Access Control List-outaclRestrictions for Packet Filtering 11-4Configuration of Packet Filtering SSG UnconfigConfiguration Example for Packet Filtering Restrictions for SSG UnconfigConfiguration of SSG Unconfig Prerequisites for SSG UnconfigConfiguration Examples for SSG Unconfig 11-6SSG Enhancements for Overlapping Services Service Translation11-7 11-8 11-9 Restrictions for Service Translation11-10 Configuration of Service Translation11-11 Expansion of Service IDs11-12 Network Sets12-1 Monitoring and Maintaining SSGPer-Service Statistics Troubleshooting RadiusRestrictions for Per-Service Statistics 12-212-3 Monitoring the Parallel Express Forwarding Engine12-4 Figure A-1 SSG Example Topology SSG Configuration ExampleUsername cisco password 0 cisco clock timezone PST Example A-1 Cisco 10000 Router SSG ConfigurationSsg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Implementation Notes SSG Feature Implementation NotesMpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 GL-1 O S S a R YGL-2 GL-3 GL-4 GL-5 GL-6 IN-1 D EIN-2 DSL G-1IN-3 ISP G-2 L2TPIN-4 RadiusIN-5 Reauthorizing prepaidIN-6 TCPIN-7 VRF G-5 VSAIN-8
Top Page Image Contents