Cisco Systems OL-4387-02 manual SSG Implementation Notes, SSG Feature Implementation Notes

Page 93

A P P E N D I X B

SSG Implementation Notes

Table B-1provides information about how SSG is implemented on the Cisco 10000 series router. For additional information about general SSG limitations, see the “SSG Restrictions” section on page 1-4, the “SSG Prerequisites” section on page 1-6, and also see Chapter 2, “Scalability and Performance.”

Table B-1 SSG Implementation Notes for the Cisco 10000 Router

SSG Feature	Implementation Notes
ACLs and QoS	ACL and QoS are applied even if the traffic is to or from an Open Garden or the
	default network (when port-bundle host key is not enabled).
	Service ACLs cannot be applied to a connection. The connection will remain
	active, but the ACLs will have no effect.
	Modular QoS CLI (MQC) is not supported on SSG interfaces. If an MQC service
	policy is configured on an SSG interface, SSG ignores the policy.
	See the “Restrictions for SSG Hierarchical Policing” section on page 8-2for
	additional implementation information.

AutoDomain	You must enable Cisco Express Forwarding (CEF) before you enable SSG
	functionality.
	Passthrough services are available only for services that perform authentication
	(for example, proxy or VPDN services). This is because AutoDomain bypasses
	the local authentication that is performed at the network access server (NAS).
	DHCP requests for IP address assignment must be done before RADIUS
	negotiation.
	If an Access-Request does not contain an IP address, you must configure a local
	per-domain or global IP address pool.
	“Virtual-user” profiles can contain only one AutoLogon service.

L2TP	Not supported.
	SSG attempts to set up the tunnel, but does not set up the VRF for tunnel services.
	Therefore, traffic is not forwarded to the tunnel. The same applies to L2TP dialout.

Logon	A user cannot log on to services on different uplink interfaces. All services that
	the user connects to must be on the same interface. This is because a user can
	connect to only one VRF, and in SSG one VRF is used for each uplink interface.
	To connect to a different service, the user has to logoff from the current service,
	and log on to the other service.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

	OL-4387-02	B-1

Image 93

Contents Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved Iii N T E N T SConfiguration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile Vii SSG UnconfigViii About This Guide AudienceDocument Organization Document Conventions Related Documentation Obtaining DocumentationCisco.com Obtaining Technical Assistance Documentation FeedbackDocumentation CD-ROM Ordering DocumentationOpening a TAC Case Cisco TAC WebsiteTAC Case Priority Definitions XiiiXiv Obtaining Additional Publications and InformationService Selection Gateway Service Selection Gateway OverviewSSG Topology Example Access Protocols Default NetworkSSG Restrictions Supported SSG FeaturesService Selection Gateway Overview SSG Restrictions SSG Architecture Model SSG PrerequisitesService Selection Gateway Overview SSG Architecture Model OL-4387-02 Limitations and Restrictions Scalability and PerformanceScalability and Performance Limitations and Restrictions SSG Logon and Logoff Single Host LogonPrerequisites for Single Host Logon Configuration of SSG Autologoff SSG AutologoffRestrictions for SSG Autologoff Configuration Example for SSG Autologoff SSG Prepaid Idle TimeoutExample 3-1 SSG Autologoff Using ARP Ping Example 3-2 SSG Autologoff Using Icmp PingService Reauthorization Service AuthorizationPrerequisites for SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutConfiguration of SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle TimeoutExample 3-5 SSG Service-Specific TCP Redirect SSG Session and Idle TimeoutExample 3-7 SSG Threshold Volume Example 3-6 SSG Threshold TimeSSG Full Username Radius Attribute Authentication and AccountingRestrictions for SSG Full Username Radius Attribute Example 4-1 Radius Freeware Format ExampleRadius Accounting Records Account Login and LogoutExample 4-3 Radius Accounting-Start Record Example 4-4 Radius Accounting-Stop RecordService Connection and Termination Authentication and Accounting Radius Accounting Records Service Selection Methods PPP Terminated AggregationPTA-Multidomain Restrictions for PTA-MD Web Service SelectionSesm and SSG Performance OL-4387-02 SSG AutoDomain Service ConnectionConfiguration of SSG AutoDomain Configuration Example for SSG AutoDomainRestrictions for SSG AutoDomain Example 6-1 SSG AutoDomain Example 6-2 AutoDomain Exclude Profile SSG VSA FormatExample 6-3 AutoDomain Exclude File Format Configuration of SSG Prepaid SSG PrepaidRestrictions for SSG Prepaid SSG Open Garden Configuration Example for SSG PrepaidConfiguration Example for SSG Open Garden Configuration of SSG Open GardenSSG Port-Bundle Host Key Restrictions for SSG Open GardenRestrictions for SSG Port-Bundle Host Key Configuration of SSG Port-Bundle Host Key Mutually Exclusive Service SelectionExclude Networks Prerequisites for SSG Port-Bundle Host KeyConfiguration of Mutually Exclusive Service Selection OL-4387-02 Downstream Access Control List Service ProfilesService Authentication Type Upstream Access Control ListDomain Name Full UsernameService Description Service-Defined CookieService Mode Service Next-Hop GatewayType of Service Cached Service ProfilesService Profile Example Example 7-1 Service ProfileConfiguration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing SSG Hierarchical Policing OverviewSSG Hierarchical Policing Token Bucket Scheme Restrictions for SSG Hierarchical Policing SSG Hierarchical Policing ConfigurationExample 8-2 Enabling Per-Session Policing on a Router Configuration Examples for SSG Hierarchical PolicingOL-4387-02 Transparent Passthrough Interface ConfigurationFor example Access Side InterfacesMulticast Protocols on SSG Interfaces Configuration of Transparent PassthroughNetwork Side Interfaces Restrictions of Transparent PassthroughConfiguration of Multicast Protocols on SSG Interfaces Redirection for Unauthenticated Users SSG TCP Redirect10-1 10-2 Redirection for Unauthorized Services10-3 Initial CaptivationRestrictions for SSG TCP Redirect Configuration of SSG TCP RedirectPrerequisites for SSG TCP Redirect 10-410-5 Example 10-1 Binding a Server Group to a PortExample 10-2 Limiting Redirected TCP Sessions 10-6 Configuring SSG TCP Redirect10-7 Configuration Examples for SSG TCP RedirectExample 10-3 Defining a Captive Portal Server Group Example 10-4 Defining Network ListsExample 10-5 Defining Port Lists 10-8Miscellaneous SSG Features VPI/VCI Static Binding to a Service Profile11-1 Configuration of Radius Virtual Circuit Logging AAA Server Group Support for Proxy ServicesRadius Virtual Circuit Logging 11-211-3 Packet FilteringUpstream Access Control List-inacl Downstream Access Control List-outaclRestrictions for Packet Filtering 11-4Configuration of Packet Filtering SSG UnconfigConfiguration Example for Packet Filtering Restrictions for SSG UnconfigConfiguration of SSG Unconfig Prerequisites for SSG UnconfigConfiguration Examples for SSG Unconfig 11-6SSG Enhancements for Overlapping Services Service Translation11-7 11-8 11-9 Restrictions for Service Translation11-10 Configuration of Service Translation11-11 Expansion of Service IDs11-12 Network Sets12-1 Monitoring and Maintaining SSGPer-Service Statistics Troubleshooting RadiusRestrictions for Per-Service Statistics 12-212-3 Monitoring the Parallel Express Forwarding Engine12-4 Figure A-1 SSG Example Topology SSG Configuration ExampleUsername cisco password 0 cisco clock timezone PST Example A-1 Cisco 10000 Router SSG ConfigurationSsg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Implementation Notes SSG Feature Implementation NotesMpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 GL-1 O S S a R YGL-2 GL-3 GL-4 GL-5 GL-6 IN-1 D EIN-2 DSL G-1IN-3 ISP G-2 L2TPIN-4 RadiusIN-5 Reauthorizing prepaidIN-6 TCPIN-7 VRF G-5 VSAIN-8