Cisco Systems OL-4387-02 manual SSG Hierarchical Policing Overview

Page 55

C H A P T E R 8

SSG Hierarchical Policing

The SSG Hierarchical Policing feature ensures that a subscriber does not utilize additional bandwidth for overall service or for a specific service that is outside the bounds of the subscriber’s contract with the service provider.

This chapter describes the SSG Hierarchical Policing feature supported by the Cisco 10000 series router.

SSG Hierarchical Policing Overview

The traffic policing feature limits the transmission rate of traffic entering or leaving a node. In SSG, traffic policing can be used to allocate bandwidth between subscribers and between services to a particular subscriber to ensure all types of services are allocated a proper amount of bandwidth. SSG uses per-user and per-service policing to ensure bandwidth is distributed properly between subscribers (per-user policing) and between services to a particular subscriber (per-session policing). Because these policing techniques are hierarchical in nature (bandwidth can be first policed between users and then policed again between services to a particular user), the feature is called SSG Hierarchical Policing.

Per-user policing is used to police the aggregated traffic destined to or sent from a particular subscriber and can only police the bandwidth allocated to a subscriber. Per-user policing cannot identify services to a particular subscriber and police bandwidth between these services.

Per-session policing is used to police the types of services available to a subscriber. Per-session policing is useful when an SSG subscriber is subscribed to multiple services and the services are allocated different amounts of bandwidth. For example, a subscriber pays separately for Internet access and video service but receives both services from the same service provider. The video service would likely be allocated more bandwidth than the Internet access service and would likely cost more to the subscriber. Per-session policing provides a mechanism for identifying the types of services (such as the video service or Internet access in the example) and ensuring that users do not exceed the allocated bandwidth for the service.

SSG Hierarchical Policing Token Bucket Scheme

The SSG Hierarchical Policing token bucket scheme uses an algorithm to police the use of bandwidth. The parameters that the algorithm uses to allocate bandwidth are user-configurable; however, other unpredictable variables (such as time between packets and packet sizes) ultimately determine whether a packet is transmitted or dropped.

For more information, refer to the Service Selection Gateway Hierarchical Policing, Release 12.2(4)B feature module.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

 

OL-4387-02

8-1

 

 

 

Page 54 Page 56
Image 55
Page 54 Page 56
Contents Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved Iii N T E N T SConfiguration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile Vii SSG UnconfigViii Audience About This GuideDocument Organization Document Conventions Obtaining Documentation Related DocumentationCisco.com Ordering Documentation Documentation FeedbackObtaining Technical Assistance Documentation CD-ROMXiii Cisco TAC WebsiteOpening a TAC Case TAC Case Priority DefinitionsXiv Obtaining Additional Publications and InformationService Selection Gateway Service Selection Gateway OverviewSSG Topology Example Access Protocols Default NetworkSSG Restrictions Supported SSG FeaturesService Selection Gateway Overview SSG Restrictions SSG Architecture Model SSG PrerequisitesService Selection Gateway Overview SSG Architecture Model OL-4387-02 Limitations and Restrictions Scalability and PerformanceScalability and Performance Limitations and Restrictions Single Host Logon SSG Logon and LogoffPrerequisites for Single Host Logon SSG Autologoff Configuration of SSG AutologoffRestrictions for SSG Autologoff Example 3-2 SSG Autologoff Using Icmp Ping SSG Prepaid Idle TimeoutConfiguration Example for SSG Autologoff Example 3-1 SSG Autologoff Using ARP PingService Reauthorization Service AuthorizationConfiguration Example for SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutPrerequisites for SSG Prepaid Idle Timeout Configuration of SSG Prepaid Idle TimeoutExample 3-6 SSG Threshold Time SSG Session and Idle TimeoutExample 3-5 SSG Service-Specific TCP Redirect Example 3-7 SSG Threshold VolumeExample 4-1 Radius Freeware Format Example Authentication and AccountingSSG Full Username Radius Attribute Restrictions for SSG Full Username Radius AttributeExample 4-4 Radius Accounting-Stop Record Account Login and LogoutRadius Accounting Records Example 4-3 Radius Accounting-Start RecordService Connection and Termination Authentication and Accounting Radius Accounting Records PPP Terminated Aggregation Service Selection MethodsPTA-Multidomain Restrictions for PTA-MD Web Service SelectionSesm and SSG Performance OL-4387-02 SSG AutoDomain Service ConnectionConfiguration Example for SSG AutoDomain Configuration of SSG AutoDomainRestrictions for SSG AutoDomain Example 6-2 AutoDomain Exclude Profile SSG VSA Format Example 6-1 SSG AutoDomainExample 6-3 AutoDomain Exclude File Format SSG Prepaid Configuration of SSG PrepaidRestrictions for SSG Prepaid SSG Open Garden Configuration Example for SSG PrepaidRestrictions for SSG Open Garden Configuration of SSG Open GardenConfiguration Example for SSG Open Garden SSG Port-Bundle Host KeyRestrictions for SSG Port-Bundle Host Key Prerequisites for SSG Port-Bundle Host Key Mutually Exclusive Service SelectionConfiguration of SSG Port-Bundle Host Key Exclude NetworksConfiguration of Mutually Exclusive Service Selection OL-4387-02 Downstream Access Control List Service ProfilesFull Username Upstream Access Control ListService Authentication Type Domain NameService Next-Hop Gateway Service-Defined CookieService Description Service ModeExample 7-1 Service Profile Cached Service ProfilesType of Service Service Profile ExampleConfiguration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing Overview SSG Hierarchical PolicingSSG Hierarchical Policing Token Bucket Scheme Restrictions for SSG Hierarchical Policing SSG Hierarchical Policing ConfigurationExample 8-2 Enabling Per-Session Policing on a Router Configuration Examples for SSG Hierarchical PolicingOL-4387-02 Transparent Passthrough Interface ConfigurationFor example Access Side InterfacesRestrictions of Transparent Passthrough Configuration of Transparent PassthroughMulticast Protocols on SSG Interfaces Network Side InterfacesConfiguration of Multicast Protocols on SSG Interfaces SSG TCP Redirect Redirection for Unauthenticated Users10-1 10-2 Redirection for Unauthorized Services10-3 Initial Captivation10-4 Configuration of SSG TCP RedirectRestrictions for SSG TCP Redirect Prerequisites for SSG TCP RedirectExample 10-1 Binding a Server Group to a Port 10-5Example 10-2 Limiting Redirected TCP Sessions 10-6 Configuring SSG TCP RedirectExample 10-4 Defining Network Lists Configuration Examples for SSG TCP Redirect10-7 Example 10-3 Defining a Captive Portal Server GroupExample 10-5 Defining Port Lists 10-8VPI/VCI Static Binding to a Service Profile Miscellaneous SSG Features11-1 11-2 AAA Server Group Support for Proxy ServicesConfiguration of Radius Virtual Circuit Logging Radius Virtual Circuit Logging11-3 Packet Filtering11-4 Downstream Access Control List-outaclUpstream Access Control List-inacl Restrictions for Packet FilteringRestrictions for SSG Unconfig SSG UnconfigConfiguration of Packet Filtering Configuration Example for Packet Filtering11-6 Prerequisites for SSG UnconfigConfiguration of SSG Unconfig Configuration Examples for SSG UnconfigService Translation SSG Enhancements for Overlapping Services11-7 11-8 11-9 Restrictions for Service Translation11-10 Configuration of Service Translation11-11 Expansion of Service IDs11-12 Network Sets12-1 Monitoring and Maintaining SSG12-2 Troubleshooting RadiusPer-Service Statistics Restrictions for Per-Service Statistics12-3 Monitoring the Parallel Express Forwarding Engine12-4 Figure A-1 SSG Example Topology SSG Configuration ExampleUsername cisco password 0 cisco clock timezone PST Example A-1 Cisco 10000 Router SSG ConfigurationSsg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Implementation Notes SSG Feature Implementation NotesMpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 GL-1 O S S a R YGL-2 GL-3 GL-4 GL-5 GL-6 IN-1 D EIN-2 DSL G-1IN-3 ISP G-2 L2TPIN-4 RadiusIN-5 Reauthorizing prepaidIN-6 TCPIN-7 VRF G-5 VSAIN-8
Top Page Image Contents