Manuals / Cisco Systems / Computer Equipment / Network Router

Cisco Systems OL-4387-02 manual 1 SSG Topology Example

Models: OL-4387-02

1 110

Download 110 pages 54.42 Kb

Page 16

Figure 1-1 SSG Topology Example

Chapter 1 Service Selection Gateway Overview

Service Selection Gateway

Figure 1-1 SSG Topology Example
	RADIUS
Default	AAA		Cisco
Default			Cisco
Network			Secure
Web
Dashboard		ISP/Service A
Cisco 10000		ISP/Service A
router
PPP/RBE/IP			RADIUS
SSG			AAA
		ISP/Service B
Open
Garden			RADIUS
			RADIUS
			AAA
RADIUS
IP Data			87907
Tunnel		Extranet	87907
Tunnel

ISP/Service C

Note The Cisco 10000 series router does not support tunneling of SSG users.

The Cisco 10000 series router adds the Open Garden and default networks to all SSG VRFs, providing reachability information to the Open Garden and default networks for all services both public and private. However, access is restricted for the following conditions:

•If the Open Garden and default network addresses overlap within the service definition, the traffic destined for either network is subject to the rules of the default network.

•If the Open Garden network is bound to a specific interface and a VRF is also applied to the interface, the Open Garden network is accessible to users whose sessions are established using the applied VRF.

The SSG feature communicates with the authentication, authorization, and accounting (AAA) management network that includes RADIUS and Dynamic Host Configuration Protocol (DHCP) servers. SSG connects to the service provider network, which can connect to the Internet service provider (ISP) network and corporate networks.

The Cisco 10000 series router supports the Cisco Subscriber Edge Services Manager (SESM), which provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with the SESM web application using a standard Internet browser. The SESM functionality provides a flexible and convenient graphical user interface (GUI) for subscribers and enables service providers to bill subscribers for connection time and services used, rather than charging a flat rate.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

1-2	OL-4387-02

Image 16

Cisco Systems OL-4387-02 manual 1 SSG Topology Example

Contents

January Corporate HeadquartersCisco Systems, Inc 170 West Tasman Drive San Jose, CA 800 553-NETS Fax 408Copyright 2004, Cisco Systems, Inc All rights reserved Service Selection Gateway Overview Default NetworkC O N T E N T S AudienceConfiguration Example for SSG AutoDomain Configuration Example for SSG PrepaidConfiguration Examples for Account Login and Logout Configuration of SSG AutologoffConfiguration Example for SSG Open Garden Configuration of Mutually Exclusive Service SelectionService Profiles Service-Defined CookieConfiguration of VPI/VCI Static Binding to a Service Profile Interface ConfigurationConfiguring Port-Based Redirection for Unauthenticated Users Limiting Redirection for Unauthenticated UsersSSG Unconfig Per-Service StatisticsRestrictions for SSG Unconfig Service TranslationContents viiiOL-4387-02 About This Guide AudienceDocument Organization ChapterDocument Conventions ChapterTitle DescriptionCisco 10000 Series Router Feature Map Cisco 10000 Series Router Software Configuration GuidesRelated Documentation Obtaining DocumentationDocumentation Feedback Obtaining Technical AssistanceDocumentation CD-ROM Ordering DocumentationCisco TAC Website Opening a TAC CaseTAC Case Priority Definitions http//tools.cisco.com/RPF/register/register.doObtaining Additional Publications and Information Service Selection Gateway Service Selection Gateway OverviewC H A P T E R Figure 1-1 SSG Topology Example Default Network Access ProtocolsPackets from a User and Destined for the Default Network Packets from the Default Network and Destined for an SSG UserSupported SSG Features SSG Logon and Logoff, page Authentication and Accounting, pageService Selection Methods, page Service Connection, page Service Profiles and Cached Service Profiles, pageAny interface requiring tunneling for example, L2TP or GRE tunneling SSG Prerequisites SSG Architecture ModelInternet GamingIn Figure 1-2, subscribers access the SESM web portal application using any web browser on a variety of devices such as a desktop computer over DSL. The Cisco 10000 series router the SSG node forwards unauthenticated SSG traffic from the subscriber to SESM, configured as the captive portal and default network. The SSG feature set of the router allows the service provider to design a service selection access network Chapter 1 Service Selection Gateway Overview SSG Architecture Model OL-4387-02Limitations and Restrictions Scalability and PerformanceC H A P T E R Best-Access to network B at rate Good-Access to network B at rate SSG Prepaid Idle Timeout, page SSG Session and Idle Timeout, page SSG Logon and LogoffSingle Host Logon Prerequisites for Single Host LogonConfiguration of SSG Autologoff SSG AutologoffRestrictions for SSG Autologoff ARP pingSSG Prepaid Idle Timeout Configuration Example for SSG AutologoffService Authorization Service ReauthorizationRestrictions for SSG Prepaid Idle Timeout Prerequisites for SSG Prepaid Idle TimeoutConfiguration of SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle TimeoutSSG Session and Idle Timeout Authentication and Accounting Configuration Examples for SSG Full Username RADIUS AttributeSSG Full Username RADIUS Attribute Restrictions for SSG Full Username RADIUS AttributeAccount Login and Logout Configuration Examples for Account Login and LogoutAccount Login and Logout, page Service Connection and Termination, pageService Connection and Termination Configuration Examples for Service Connection and TerminationService-Type-Indicates the type of service Service Selection Methods Web Service Selection, pagePPP Terminated Aggregation PTA-MultidomainWeb Service Selection Restrictions for PTA-MDSESM and SSG Performance Chapter 5 Service Selection Methods Web Service Selection OL-4387-02Service Connection Mutually Exclusive Service Selection, pageSSG AutoDomain SSG AutoDomain, page SSG Prepaid, page SSG Open Garden, pageConfiguration Example for SSG AutoDomain Configuration of SSG AutoDomainRestrictions for SSG AutoDomain Example 6-2 AutoDomain Exclude Profile SSG VSA Format Example 6-1 SSG AutoDomainExample 6-3 AutoDomain Exclude File Format SSG Prepaid Configuration of SSG PrepaidRestrictions for SSG Prepaid Configuration Example for SSG Prepaid SSG Open GardenConfiguration of SSG Open Garden Configuration Example for SSG Open GardenSSG Open Garden, Release 12.24B feature module SSG Port-Bundle Host KeyRestrictions for SSG Port-Bundle Host Key Mutually Exclusive Service Selection Configuration of SSG Port-Bundle Host KeySSG Port-Bundle Host Key, Release 12.24B feature module Exclude NetworksConfiguration Example for Mutually Exclusive Service Selection Configuration of Mutually Exclusive Service SelectionExample 6-5 Configuring a Mutually Exclusive Service Selection Group Chapter 6 Service Connection Mutually Exclusive Service Selection 6-10OL-4387-02 Service Profiles Downstream Access Control ListService Profiles, page Cached Service Profiles, page Service Profiles and Cached Service ProfilesUpstream Access Control List Service Authentication TypeDomain Name Full UsernameService-Defined Cookie Service DescriptionService Mode Service Next-Hop GatewayType of Service Cached Service ProfilesService Profile Example Configuration of Cached Service Profiles Cached Service Profiles Chapter 7 Service Profiles and Cached Service ProfilesOL-4387-02 SSG Hierarchical Policing SSG Hierarchical Policing OverviewSSG Hierarchical Policing Token Bucket Scheme C H A P T E RSSG Hierarchical Policing Configuration Restrictions for SSG Hierarchical PolicingConfiguration Examples for SSG Hierarchical Policing Configuration Examples for SSG Hierarchical PolicingRouterconfig# local-profile cisco.com Routerconfig-prof# attribute 26 9 1 “QU1600030004000D2400040008000”Chapter 8 SSG Hierarchical Policing Configuration Examples for SSG Hierarchical PolicingOL-4387-02 Interface Configuration Transparent PassthroughTransparent Passthrough, page C H A P T E RAccess Side Interfaces Configuration of Transparent Passthrough Multicast Protocols on SSG InterfacesNetwork Side Interfaces Restrictions of Transparent PassthroughConfiguration of Multicast Protocols on SSG Interfaces Redirection for Unauthenticated Users Redirection for Unauthenticated Users, pageRedirection for Unauthorized Services, page Initial Captivation, page SSG TCP Redirect10-2 Redirection for Unauthorized Servicesgroup-name Initial Captivation 10-3Configuration of SSG TCP Redirect Restrictions for SSG TCP RedirectPrerequisites for SSG TCP Redirect 10-4Configuration Considerations for SSG TCP Redirect Configuring Port-Based Redirection for Unauthenticated UsersLimiting Redirection for Unauthenticated Users Configuration Considerations for SSG TCP Redirect, pageConfiguring SSG TCP Redirect CommandPurpose 10-6Configuration Examples for SSG TCP Redirect Configuration Example for Server GroupsConfiguration Example for Network Lists Configuration Example for Server Groups, pageConfiguration Example for Port Lists 10-8Example 10-5 Defining Port Lists Chapter 10 SSG TCP RedirectMiscellaneous SSG Features VPI/VCI Static Binding to a Service ProfileRestrictions for VPI/VCI Static Binding to a Service Profile Configuration of VPI/VCI Static Binding to a Service ProfileAAA Server Group Support for Proxy Services Configuration of RADIUS Virtual Circuit LoggingRestrictions for AAA Server Group Support for Proxy Services RADIUS Virtual Circuit LoggingConfiguration of AAA Server Group Support for Proxy Services Configuration Example for AAA Server Group Support for Proxy ServicesDownstream Access Control List-outacl, page Upstream Access Control List-inacl, pageDownstream Access Control List-outacl Upstream Access Control List-inaclRestrictions for Packet Filtering 11-4SSG Unconfig Configuration of Packet FilteringConfiguration Example for Packet Filtering Restrictions for SSG UnconfigPrerequisites for SSG Unconfig Configuration of SSG UnconfigConfiguration Examples for SSG Unconfig 11-6SSG Enhancements for Overlapping Services Service TranslationService Translation, page Expansion of Service IDs, page 11-711-8 Set1 0.0.0.0/0.0.0.0 Set2 10.58.253.0/255.255.255.0 Set3Prerequisites for Service Translation Restrictions for Service Translation11-9 Configuration of Service Translation Configuration Example for Service TranslationEnables service translation and indicates to the router to use the Service DefinitionsExpansion of Service IDs Restrictions for Expansion of Service IDsConfiguration Example for Expansion of Service IDs 11-11Network Sets 11-12Monitoring and Maintaining SSG 12-1Command C H A P T E RTroubleshooting RADIUS Per-Service StatisticsRestrictions for Per-Service Statistics Removes the specified serviceMonitoring the Parallel Express Forwarding Engine Reference Guide12-3 Command12-4 Chapter 12 Monitoring and Maintaining SSGMonitoring the Parallel Express Forwarding Engine OL-4387-02SSG Configuration Example A P P E N D I X AExample A-1 Cisco 10000 Router SSG Configuration Appendix A SSG Configuration ExampleAppendix A SSG Configuration Example OL-4387-02Appendix A SSG Configuration Example OL-4387-02Appendix A SSG Configuration Example OL-4387-02Appendix A SSG Configuration Example exec-timeout 0 0 password labntp clock-period 17181406 ntp update-calendar OL-4387-02SSG Feature SSG Implementation NotesA P P E N D I X B Implementation NotesSSG Feature Implementation NotesSSG Feature Also see the “Restrictions for SSG TCP Redirect” section on pageImplementation Notes Appendix B SSG Implementation Notes OL-4387-02Digital Subscriber Line G L O S S A R YGL-1 GL-2 GL-3 GL-4 GL-5 GL-6 xDSLGlossary OL-4387-02See CEF I N D EIN-1 IN-2 idle timeoutIdle Timeout Attribute 28 3-4 inacl attributeSee PPP See PXFIN-3 See RBE IN-4AutoDomain Exclude Networks 6-8IN-5 See VPI IN-6VC G-5 VCI G-5 vendor-specific attributes definition G-5 virtual channel identifier See VCI virtual circuit See VCIN-7 VPI G-5 VPI/VCI implementation notes B-3 service profiles subscriberweb service selection 5-2 web sites accessing through Open Garden 6-5 VRF G-5 VSA definition G-5Index IN-8OL-4387-02