Cisco Systems OL-4387-02 Downstream Access Control List-outacl, Restrictions for Packet Filtering

Page 74

Chapter 11 Miscellaneous SSG Features

Packet Filtering

Downstream Access Control List—outacl

Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to downstream traffic going to the user.

Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list extended-access-control-list}"

Upstream Access Control List—inacl

Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to upstream traffic coming from the user.

Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list extended-access-control-list}"

Restrictions for Packet Filtering

Packet filtering for SSG has the following restrictions:

•SSG accepts only the permit and deny actions for a per-user ACL. You can place ACLs on user traffic for both the input and output directions that are similar to existing Cisco IOS ACLs; however, the log option is not accepted.

•SSG supports mini-ACLs with eight or less access control entries (ACEs). The ACEs can be extended ACEs.

•SSG does not support turbo ACLs applied to SSG users. Turbo ACLs have more than eight ACEs defined.

•To support some SSG features, SSG prepends ACEs on user ACLs. Because the number of ACEs is restricted to a maximum of eight, the number of ACEs that you can define is therefore reduced in some cases. For example, for the Port-Bundle Host Key feature, an ACE is required on both the host input and output ACL. This allows seven ACEs that you can define.

•SSG does not support the ability to apply per-service (connection level) ACLs. ACLs for QoS classification are not applicable to SSG host interfaces.

•SSG ACLs take precedence over Cisco IOS ACLs. If you configure a Cisco IOS ACL on an SSG interface by using the ip access-groupcommand, the router applies the ACL as long as an SSG ACL is not applied to the interface in the same direction. If an SSG ACL is applied to the interface in the same direction, the router applies the SSG ACL.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

11-4	OL-4387-02

Image 74

Contents Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved N T E N T S IiiConfiguration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile SSG Unconfig ViiViii Document Organization About This GuideAudience Document Conventions Cisco.com Related DocumentationObtaining Documentation Documentation CD-ROM Documentation FeedbackObtaining Technical Assistance Ordering DocumentationTAC Case Priority Definitions Cisco TAC WebsiteOpening a TAC Case XiiiObtaining Additional Publications and Information XivService Selection Gateway Overview Service Selection GatewaySSG Topology Example Default Network Access ProtocolsSupported SSG Features SSG RestrictionsService Selection Gateway Overview SSG Restrictions SSG Prerequisites SSG Architecture ModelService Selection Gateway Overview SSG Architecture Model OL-4387-02 Scalability and Performance Limitations and RestrictionsScalability and Performance Limitations and Restrictions Prerequisites for Single Host Logon SSG Logon and LogoffSingle Host Logon Restrictions for SSG Autologoff Configuration of SSG AutologoffSSG Autologoff Example 3-1 SSG Autologoff Using ARP Ping SSG Prepaid Idle TimeoutConfiguration Example for SSG Autologoff Example 3-2 SSG Autologoff Using Icmp PingService Authorization Service ReauthorizationConfiguration of SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutPrerequisites for SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle TimeoutExample 3-7 SSG Threshold Volume SSG Session and Idle TimeoutExample 3-5 SSG Service-Specific TCP Redirect Example 3-6 SSG Threshold TimeRestrictions for SSG Full Username Radius Attribute Authentication and AccountingSSG Full Username Radius Attribute Example 4-1 Radius Freeware Format ExampleExample 4-3 Radius Accounting-Start Record Account Login and LogoutRadius Accounting Records Example 4-4 Radius Accounting-Stop RecordService Connection and Termination Authentication and Accounting Radius Accounting Records PTA-Multidomain Service Selection MethodsPPP Terminated Aggregation Web Service Selection Restrictions for PTA-MDSesm and SSG Performance OL-4387-02 Service Connection SSG AutoDomainRestrictions for SSG AutoDomain Configuration of SSG AutoDomainConfiguration Example for SSG AutoDomain Example 6-3 AutoDomain Exclude File Format Example 6-1 SSG AutoDomainExample 6-2 AutoDomain Exclude Profile SSG VSA Format Restrictions for SSG Prepaid Configuration of SSG PrepaidSSG Prepaid Configuration Example for SSG Prepaid SSG Open GardenSSG Port-Bundle Host Key Configuration of SSG Open GardenConfiguration Example for SSG Open Garden Restrictions for SSG Open GardenRestrictions for SSG Port-Bundle Host Key Exclude Networks Mutually Exclusive Service SelectionConfiguration of SSG Port-Bundle Host Key Prerequisites for SSG Port-Bundle Host KeyConfiguration of Mutually Exclusive Service Selection OL-4387-02 Service Profiles Downstream Access Control ListDomain Name Upstream Access Control ListService Authentication Type Full UsernameService Mode Service-Defined CookieService Description Service Next-Hop GatewayService Profile Example Cached Service ProfilesType of Service Example 7-1 Service ProfileConfiguration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing Token Bucket Scheme SSG Hierarchical PolicingSSG Hierarchical Policing Overview SSG Hierarchical Policing Configuration Restrictions for SSG Hierarchical PolicingConfiguration Examples for SSG Hierarchical Policing Example 8-2 Enabling Per-Session Policing on a RouterOL-4387-02 Interface Configuration Transparent PassthroughAccess Side Interfaces For exampleNetwork Side Interfaces Configuration of Transparent PassthroughMulticast Protocols on SSG Interfaces Restrictions of Transparent PassthroughConfiguration of Multicast Protocols on SSG Interfaces 10-1 Redirection for Unauthenticated UsersSSG TCP Redirect Redirection for Unauthorized Services 10-2Initial Captivation 10-3Prerequisites for SSG TCP Redirect Configuration of SSG TCP RedirectRestrictions for SSG TCP Redirect 10-4Example 10-2 Limiting Redirected TCP Sessions 10-5Example 10-1 Binding a Server Group to a Port Configuring SSG TCP Redirect 10-6Example 10-3 Defining a Captive Portal Server Group Configuration Examples for SSG TCP Redirect10-7 Example 10-4 Defining Network Lists10-8 Example 10-5 Defining Port Lists11-1 Miscellaneous SSG FeaturesVPI/VCI Static Binding to a Service Profile Radius Virtual Circuit Logging AAA Server Group Support for Proxy ServicesConfiguration of Radius Virtual Circuit Logging 11-2Packet Filtering 11-3Restrictions for Packet Filtering Downstream Access Control List-outaclUpstream Access Control List-inacl 11-4Configuration Example for Packet Filtering SSG UnconfigConfiguration of Packet Filtering Restrictions for SSG UnconfigConfiguration Examples for SSG Unconfig Prerequisites for SSG UnconfigConfiguration of SSG Unconfig 11-611-7 SSG Enhancements for Overlapping ServicesService Translation 11-8 Restrictions for Service Translation 11-9Configuration of Service Translation 11-10Expansion of Service IDs 11-11Network Sets 11-12Monitoring and Maintaining SSG 12-1Restrictions for Per-Service Statistics Troubleshooting RadiusPer-Service Statistics 12-2Monitoring the Parallel Express Forwarding Engine 12-312-4 SSG Configuration Example Figure A-1 SSG Example TopologyExample A-1 Cisco 10000 Router SSG Configuration Username cisco password 0 cisco clock timezone PSTSsg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Feature Implementation Notes SSG Implementation NotesMpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 O S S a R Y GL-1GL-2 GL-3 GL-4 GL-5 GL-6 D E IN-1DSL G-1 IN-2ISP G-2 L2TP IN-3Radius IN-4Reauthorizing prepaid IN-5TCP IN-6VRF G-5 VSA IN-7IN-8