Cisco Systems OL-4387-02 Restrictions for SSG TCP Redirect, Prerequisites for SSG TCP Redirect

Page 66

Chapter 10 SSG TCP Redirect

Typically, if a service is connected, SSG forwards packets to a user and packets from a user even if the packets do not match the protocol and TCP ports specified for redirection. However, the behavior of initial captivation on the Cisco 10000 series router differs in the following ways:

•When a packet arrives from an SSG user and the packet matches the protocol and TCP ports configured as the redirection filter, the packet is subject to initial captivation and is redirected. If the packet does not match the redirection filter, it is not subject to initial captivation and the packet is dropped.

•When a packet arrives from a service destined for an SSG user that is subject to initial captivation, the packet is dropped.

Restrictions for SSG TCP Redirect

The SSG TCP Redirect feature has the following restrictions:

•The server(s) defined in a server group must be globally routable.

•Traffic from hosts with overlapping IP addresses can be redirected only to SESMs with port-bundle host keys.

•When overlapping IP address support is enabled (the host key feature is enabled), a host can reach the SSG only by a particular interface on the router. All packets between the host and the SSG use this interface and you should not change the route between SSG and the host.

•After you configure the servers in a group, the routes to those servers should not change. SSG TCP Redirect does not work if packets from servers that need to be redirected are received on a non-SSG interface.

•TCP sessions that can remain idle for more than one minute are not supported.

Prerequisites for SSG TCP Redirect

Cisco SESM Release 3.1(1) or later is required to handle unauthenticated redirections. For other types of redirection, SESM Release 3.1.1 or later is required.

Configuration of SSG TCP Redirect

To configure SSG TCP Redirect, perform the following tasks:

•Enable SSG TCP Redirect.

•Define the captive portal server groups.

•Specify the redirect server groups for unauthenticated user redirection.

•Define network lists.

•Define port lists.

•Associate network and port lists with server groups.

•Specify the default groups for captivation.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

10-4	OL-4387-02

Image 66

Contents Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved N T E N T S IiiConfiguration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile SSG Unconfig ViiViii About This Guide AudienceDocument Organization Document Conventions Related Documentation Obtaining DocumentationCisco.com Documentation CD-ROM Documentation FeedbackObtaining Technical Assistance Ordering DocumentationTAC Case Priority Definitions Cisco TAC WebsiteOpening a TAC Case XiiiObtaining Additional Publications and Information XivService Selection Gateway Overview Service Selection GatewaySSG Topology Example Default Network Access ProtocolsSupported SSG Features SSG RestrictionsService Selection Gateway Overview SSG Restrictions SSG Prerequisites SSG Architecture ModelService Selection Gateway Overview SSG Architecture Model OL-4387-02 Scalability and Performance Limitations and RestrictionsScalability and Performance Limitations and Restrictions SSG Logon and Logoff Single Host LogonPrerequisites for Single Host Logon Configuration of SSG Autologoff SSG AutologoffRestrictions for SSG Autologoff Example 3-1 SSG Autologoff Using ARP Ping SSG Prepaid Idle TimeoutConfiguration Example for SSG Autologoff Example 3-2 SSG Autologoff Using Icmp PingService Authorization Service ReauthorizationConfiguration of SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutPrerequisites for SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle TimeoutExample 3-7 SSG Threshold Volume SSG Session and Idle TimeoutExample 3-5 SSG Service-Specific TCP Redirect Example 3-6 SSG Threshold TimeRestrictions for SSG Full Username Radius Attribute Authentication and AccountingSSG Full Username Radius Attribute Example 4-1 Radius Freeware Format ExampleExample 4-3 Radius Accounting-Start Record Account Login and LogoutRadius Accounting Records Example 4-4 Radius Accounting-Stop RecordService Connection and Termination Authentication and Accounting Radius Accounting Records Service Selection Methods PPP Terminated AggregationPTA-Multidomain Web Service Selection Restrictions for PTA-MDSesm and SSG Performance OL-4387-02 Service Connection SSG AutoDomainConfiguration of SSG AutoDomain Configuration Example for SSG AutoDomainRestrictions for SSG AutoDomain Example 6-1 SSG AutoDomain Example 6-2 AutoDomain Exclude Profile SSG VSA FormatExample 6-3 AutoDomain Exclude File Format Configuration of SSG Prepaid SSG PrepaidRestrictions for SSG Prepaid Configuration Example for SSG Prepaid SSG Open GardenSSG Port-Bundle Host Key Configuration of SSG Open GardenConfiguration Example for SSG Open Garden Restrictions for SSG Open GardenRestrictions for SSG Port-Bundle Host Key Exclude Networks Mutually Exclusive Service SelectionConfiguration of SSG Port-Bundle Host Key Prerequisites for SSG Port-Bundle Host KeyConfiguration of Mutually Exclusive Service Selection OL-4387-02 Service Profiles Downstream Access Control ListDomain Name Upstream Access Control ListService Authentication Type Full UsernameService Mode Service-Defined CookieService Description Service Next-Hop GatewayService Profile Example Cached Service ProfilesType of Service Example 7-1 Service ProfileConfiguration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing SSG Hierarchical Policing OverviewSSG Hierarchical Policing Token Bucket Scheme SSG Hierarchical Policing Configuration Restrictions for SSG Hierarchical PolicingConfiguration Examples for SSG Hierarchical Policing Example 8-2 Enabling Per-Session Policing on a RouterOL-4387-02 Interface Configuration Transparent PassthroughAccess Side Interfaces For exampleNetwork Side Interfaces Configuration of Transparent PassthroughMulticast Protocols on SSG Interfaces Restrictions of Transparent PassthroughConfiguration of Multicast Protocols on SSG Interfaces Redirection for Unauthenticated Users SSG TCP Redirect10-1 Redirection for Unauthorized Services 10-2Initial Captivation 10-3Prerequisites for SSG TCP Redirect Configuration of SSG TCP RedirectRestrictions for SSG TCP Redirect 10-410-5 Example 10-1 Binding a Server Group to a PortExample 10-2 Limiting Redirected TCP Sessions Configuring SSG TCP Redirect 10-6Example 10-3 Defining a Captive Portal Server Group Configuration Examples for SSG TCP Redirect10-7 Example 10-4 Defining Network Lists10-8 Example 10-5 Defining Port ListsMiscellaneous SSG Features VPI/VCI Static Binding to a Service Profile11-1 Radius Virtual Circuit Logging AAA Server Group Support for Proxy ServicesConfiguration of Radius Virtual Circuit Logging 11-2Packet Filtering 11-3Restrictions for Packet Filtering Downstream Access Control List-outaclUpstream Access Control List-inacl 11-4Configuration Example for Packet Filtering SSG UnconfigConfiguration of Packet Filtering Restrictions for SSG UnconfigConfiguration Examples for SSG Unconfig Prerequisites for SSG UnconfigConfiguration of SSG Unconfig 11-6SSG Enhancements for Overlapping Services Service Translation11-7 11-8 Restrictions for Service Translation 11-9Configuration of Service Translation 11-10Expansion of Service IDs 11-11Network Sets 11-12Monitoring and Maintaining SSG 12-1Restrictions for Per-Service Statistics Troubleshooting RadiusPer-Service Statistics 12-2Monitoring the Parallel Express Forwarding Engine 12-312-4 SSG Configuration Example Figure A-1 SSG Example TopologyExample A-1 Cisco 10000 Router SSG Configuration Username cisco password 0 cisco clock timezone PSTSsg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Feature Implementation Notes SSG Implementation NotesMpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 O S S a R Y GL-1GL-2 GL-3 GL-4 GL-5 GL-6 D E IN-1DSL G-1 IN-2ISP G-2 L2TP IN-3Radius IN-4Reauthorizing prepaid IN-5TCP IN-6VRF G-5 VSA IN-7IN-8