Corporate Headquarters
January
Cisco Systems, Inc 170 West Tasman Drive San Jose, CA
800 553-NETS Fax 408
Copyright 2004, Cisco Systems, Inc All rights reserved
Default Network
Service Selection Gateway Overview
Contents
Audience
Configuration Example for SSG Prepaid
Configuration Example for SSG AutoDomain
Configuration Examples for Account Login and Logout
Configuration of SSG Autologoff
Configuration of Mutually Exclusive Service Selection
Configuration Example for SSG Open Garden
Service Profiles
Service-Defined Cookie
Interface Configuration
Configuration of VPI/VCI Static Binding to a Service Profile
Configuring Port-Based Redirection for Unauthenticated Users
Limiting Redirection for Unauthenticated Users
Per-Service Statistics
SSG Unconfig
Restrictions for SSG Unconfig
Service Translation
Contents
OL-4387-02
Audience
About This Guide
Document Organization
Chapter
Chapter
Document Conventions
Title
Description
Cisco 10000 Series Router Software Configuration Guides
Cisco 10000 Series Router Feature Map
Related Documentation
Obtaining Documentation
Obtaining Technical Assistance
Documentation Feedback
Documentation CD-ROM
Ordering Documentation
Opening a TAC Case
Cisco TAC Website
TAC Case Priority Definitions
http://tools.cisco.com/RPF/register/register.do
Obtaining Additional Publications and Information
Service Selection Gateway
Service Selection Gateway Overview
Figure 1-1 SSG Topology Example
Access Protocols
Default Network
Packets from a User and Destined for the Default Network
Packets from the Default Network and Destined for an SSG User
SSG Logon and Logoff, page Authentication and Accounting, page
Supported SSG Features
Service Selection Methods, page Service Connection, page
Service Profiles and Cached Service Profiles, page
Any interface requiring tunneling for example, L2TP or GRE tunneling
SSG Architecture Model
SSG Prerequisites
Internet
Gaming
In Figure 1-2, subscribers access the SESM web portal application using any web browser on a variety of devices, such as a desktop computer over DSL. The Cisco 10000 series router (the SSG node) forwards unauthenticated SSG traffic from the subscriber to SESM, which is configured as the captive portal and default network. The SSG feature set of the router allows the service provider to design a service selection access network
Chapter 1 Service Selection Gateway Overview SSG Architecture Model
Limitations and Restrictions
Scalability and Performance
Best-Access to network B at rate Good-Access to network B at rate
SSG Logon and Logoff
SSG Prepaid Idle Timeout, page SSG Session and Idle Timeout, page
Single Host Logon
Prerequisites for Single Host Logon
SSG Autologoff
Configuration of SSG Autologoff
Restrictions for SSG Autologoff
ARP ping
Configuration Example for SSG Autologoff
SSG Prepaid Idle Timeout
Service Reauthorization
Service Authorization
Prerequisites for SSG Prepaid Idle Timeout
Restrictions for SSG Prepaid Idle Timeout
Configuration of SSG Prepaid Idle Timeout
Configuration Example for SSG Prepaid Idle Timeout
SSG Session and Idle Timeout
Configuration Examples for SSG Full Username RADIUS Attribute
Authentication and Accounting
SSG Full Username RADIUS Attribute
Restrictions for SSG Full Username RADIUS Attribute
Configuration Examples for Account Login and Logout
Account Login and Logout
Account Login and Logout, page
Service Connection and Termination, page
Configuration Examples for Service Connection and Termination
Service Connection and Termination
Service-Type-Indicates the type of service
Web Service Selection, page
Service Selection Methods
PPP Terminated Aggregation
PTA-Multidomain
Restrictions for PTA-MD
Web Service Selection
SESM and SSG Performance
Chapter 5 Service Selection Methods Web Service Selection
Mutually Exclusive Service Selection, page
Service Connection
SSG AutoDomain
SSG AutoDomain, page SSG Prepaid, page SSG Open Garden, page
Configuration Example for SSG AutoDomain
Configuration of SSG AutoDomain
Restrictions for SSG AutoDomain
Example 6-2 AutoDomain Exclude Profile SSG VSA Format
Example 6-1 SSG AutoDomain
Example 6-3 AutoDomain Exclude File Format
SSG Prepaid
Configuration of SSG Prepaid
Restrictions for SSG Prepaid
SSG Open Garden
Configuration Example for SSG Prepaid
Configuration Example for SSG Open Garden
Configuration of SSG Open Garden
SSG Open Garden, Release 12.24B feature module
SSG Port-Bundle Host Key
Restrictions for SSG Port-Bundle Host Key
Configuration of SSG Port-Bundle Host Key
Mutually Exclusive Service Selection
SSG Port-Bundle Host Key, Release 12.24B feature module
Exclude Networks
Configuration Example for Mutually Exclusive Service Selection
Configuration of Mutually Exclusive Service Selection
Example 6-5 Configuring a Mutually Exclusive Service Selection Group
Chapter 6 Service Connection Mutually Exclusive Service Selection
Downstream Access Control List
Service Profiles
Service Profiles, page Cached Service Profiles, page
Service Profiles and Cached Service Profiles
Service Authentication Type
Upstream Access Control List
Domain Name
Full Username
Service Description
Service-Defined Cookie
Service Mode
Service Next-Hop Gateway
Type of Service
Cached Service Profiles
Service Profile Example
Configuration of Cached Service Profiles
Cached Service Profiles
Chapter 7 Service Profiles and Cached Service Profiles
SSG Hierarchical Policing Overview
SSG Hierarchical Policing
SSG Hierarchical Policing Token Bucket Scheme
Restrictions for SSG Hierarchical Policing
SSG Hierarchical Policing Configuration
Configuration Examples for SSG Hierarchical Policing
Configuration Examples for SSG Hierarchical Policing
Router(config)# local-profile cisco.com
Router(config-prof)# attribute 26 9 1 "QU1600030004000D2400040008000"
Chapter 8 SSG Hierarchical Policing
Transparent Passthrough
Interface Configuration
Transparent Passthrough, page
Access Side Interfaces
Multicast Protocols on SSG Interfaces
Configuration of Transparent Passthrough
Network Side Interfaces
Restrictions of Transparent Passthrough
Configuration of Multicast Protocols on SSG Interfaces
Redirection for Unauthenticated Users, page
Redirection for Unauthenticated Users
Redirection for Unauthorized Services, page Initial Captivation, page
SSG TCP Redirect
Redirection for Unauthorized Services
group-name
Initial Captivation
Restrictions for SSG TCP Redirect
Configuration of SSG TCP Redirect
Prerequisites for SSG TCP Redirect
Configuring Port-Based Redirection for Unauthenticated Users
Configuration Considerations for SSG TCP Redirect
Limiting Redirection for Unauthenticated Users
Configuration Considerations for SSG TCP Redirect, page
Command
Configuring SSG TCP Redirect
Purpose
Configuration Example for Server Groups
Configuration Examples for SSG TCP Redirect
Configuration Example for Network Lists
Configuration Example for Server Groups, page
Configuration Example for Port Lists
Example 10-5 Defining Port Lists
Chapter 10 SSG TCP Redirect
VPI/VCI Static Binding to a Service Profile
Miscellaneous SSG Features
Restrictions for VPI/VCI Static Binding to a Service Profile
Configuration of VPI/VCI Static Binding to a Service Profile
Configuration of RADIUS Virtual Circuit Logging
AAA Server Group Support for Proxy Services
Restrictions for AAA Server Group Support for Proxy Services
RADIUS Virtual Circuit Logging
Configuration Example for AAA Server Group Support for Proxy Services
Configuration of AAA Server Group Support for Proxy Services
Downstream Access Control List-outacl, page
Upstream Access Control List-inacl, page
Upstream Access Control List-inacl
Downstream Access Control List-outacl
Restrictions for Packet Filtering
Configuration of Packet Filtering
SSG Unconfig
Configuration Example for Packet Filtering
Restrictions for SSG Unconfig
Configuration of SSG Unconfig
Prerequisites for SSG Unconfig
Configuration Examples for SSG Unconfig
Service Translation
SSG Enhancements for Overlapping Services
Service Translation, page Expansion of Service IDs, page
Set1 0.0.0.0/0.0.0.0 Set2 10.58.253.0/255.255.255.0 Set3
Prerequisites for Service Translation
Restrictions for Service Translation
Configuration Example for Service Translation
Configuration of Service Translation
Enables service translation and indicates to the router to use the
Service Definitions
Restrictions for Expansion of Service IDs
Expansion of Service IDs
Configuration Example for Expansion of Service IDs
Network Sets
Monitoring and Maintaining SSG
Command
Per-Service Statistics
Troubleshooting RADIUS
Restrictions for Per-Service Statistics
Removes the specified service
Reference Guide
Monitoring the Parallel Express Forwarding Engine
Command
Chapter 12 Monitoring and Maintaining SSG
Appendix A
SSG Configuration Example
Appendix A SSG Configuration Example
Example A-1 Cisco 10000 Router SSG Configuration
exec-timeout 0 0
password lab
ntp clock-period 17181406
ntp update-calendar
SSG Implementation Notes
SSG Feature
Appendix B
Implementation Notes
Implementation Notes
SSG Feature
SSG Feature
Also see the “Restrictions for SSG TCP Redirect” section on page
Implementation Notes
Appendix B SSG Implementation Notes
Digital Subscriber Line
Glossary
xDSL
Glossary
See CEF
Index
idle timeout
Idle Timeout Attribute 28 3-4
inacl attribute
See PPP
See PXF
See RBE
AutoDomain
Exclude Networks 6-8
See VPI
VC G-5 VCI G-5 vendor-specific attributes definition G-5
virtual channel identifier See VCI virtual circuit See VC
VPI G-5 VPI/VCI implementation notes B-3 service profiles subscriber
web service selection 5-2 web sites accessing through Open Garden 6-5
VRF G-5 VSA definition G-5
Index