800 553-NETS Fax 408
January
Corporate Headquarters
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA
Copyright 2004, Cisco Systems, Inc. All rights reserved.
Audience
Service Selection Gateway Overview
Default Network
Contents
Configuration of SSG Autologoff
Configuration Example for SSG AutoDomain
Configuration Example for SSG Prepaid
Configuration Examples for Account Login and Logout
Service-Defined Cookie
Configuration Example for SSG Open Garden
Configuration of Mutually Exclusive Service Selection
Service Profiles
Limiting Redirection for Unauthenticated Users
Configuration of VPI/VCI Static Binding to a Service Profile
Interface Configuration
Configuring Port-Based Redirection for Unauthenticated Users
Service Translation
SSG Unconfig
Per-Service Statistics
Restrictions for SSG Unconfig
Contents
OL-4387-02
Chapter
About This Guide
Audience
Document Organization
Description
Document Conventions
Chapter
Title
Obtaining Documentation
Cisco 10000 Series Router Feature Map
Cisco 10000 Series Router Software Configuration Guides
Related Documentation
Ordering Documentation
Documentation Feedback
Obtaining Technical Assistance
Documentation CD-ROM
http://tools.cisco.com/RPF/register/register.do
Cisco TAC Website
Opening a TAC Case
TAC Case Priority Definitions
Obtaining Additional Publications and Information
Service Selection Gateway Overview
Service Selection Gateway
C H A P T E R
Figure 1-1 SSG Topology Example
Packets from the Default Network and Destined for an SSG User
Default Network
Access Protocols
Packets from a User and Destined for the Default Network
Service Profiles and Cached Service Profiles, page
Supported SSG Features
SSG Logon and Logoff, page Authentication and Accounting, page
Service Selection Methods, page Service Connection, page
Any interface requiring tunneling (for example, L2TP or GRE tunneling)
Gaming
SSG Prerequisites
SSG Architecture Model
Internet
In Figure 1-2, subscribers access the SESM web portal application using any web browser on a variety of devices, such as a desktop computer over DSL. The Cisco 10000 series router (the SSG node) forwards unauthenticated SSG traffic from the subscriber to SESM, which is configured as the captive portal and default network. The SSG feature set of the router allows the service provider to design a service selection access network
Chapter 1 Service Selection Gateway Overview SSG Architecture Model
Scalability and Performance
Limitations and Restrictions
Best-Access to network B at rate Good-Access to network B at rate
Prerequisites for Single Host Logon
SSG Prepaid Idle Timeout, page SSG Session and Idle Timeout, page
SSG Logon and Logoff
Single Host Logon
ARP ping
Configuration of SSG Autologoff
SSG Autologoff
Restrictions for SSG Autologoff
Configuration Example for SSG Autologoff
SSG Prepaid Idle Timeout
Service Reauthorization
Service Authorization
Configuration Example for SSG Prepaid Idle Timeout
Restrictions for SSG Prepaid Idle Timeout
Prerequisites for SSG Prepaid Idle Timeout
Configuration of SSG Prepaid Idle Timeout
SSG Session and Idle Timeout
Restrictions for SSG Full Username RADIUS Attribute
Authentication and Accounting
Configuration Examples for SSG Full Username RADIUS Attribute
SSG Full Username RADIUS Attribute
Service Connection and Termination, page
Account Login and Logout
Configuration Examples for Account Login and Logout
Account Login and Logout, page
Configuration Examples for Service Connection and Termination
Service Connection and Termination
Service-Type: Indicates the type of service
PTA-Multidomain
Service Selection Methods
Web Service Selection, page
PPP Terminated Aggregation
Restrictions for PTA-MD
Web Service Selection
SESM and SSG Performance
Chapter 5 Service Selection Methods Web Service Selection
SSG AutoDomain, page SSG Prepaid, page SSG Open Garden, page
Service Connection
Mutually Exclusive Service Selection, page
SSG AutoDomain
Configuration of SSG AutoDomain
Configuration Example for SSG AutoDomain
Restrictions for SSG AutoDomain
Example 6-1 SSG AutoDomain
Example 6-2 AutoDomain Exclude Profile SSG VSA Format
Example 6-3 AutoDomain Exclude File Format
Configuration of SSG Prepaid
SSG Prepaid
Restrictions for SSG Prepaid
SSG Open Garden
Configuration Example for SSG Prepaid
SSG Port-Bundle Host Key
Configuration of SSG Open Garden
Configuration Example for SSG Open Garden
SSG Open Garden, Release 12.2(4)B feature module
Restrictions for SSG Port-Bundle Host Key
Exclude Networks
Mutually Exclusive Service Selection
Configuration of SSG Port-Bundle Host Key
SSG Port-Bundle Host Key, Release 12.2(4)B feature module
Configuration of Mutually Exclusive Service Selection
Configuration Example for Mutually Exclusive Service Selection
Example 6-5 Configuring a Mutually Exclusive Service Selection Group
Chapter 6 Service Connection Mutually Exclusive Service Selection
Service Profiles and Cached Service Profiles
Service Profiles
Downstream Access Control List
Service Profiles, page Cached Service Profiles, page
Full Username
Upstream Access Control List
Service Authentication Type
Domain Name
Service Next-Hop Gateway
Service-Defined Cookie
Service Description
Service Mode
Cached Service Profiles
Type of Service
Service Profile Example
Configuration of Cached Service Profiles
Chapter 7 Service Profiles and Cached Service Profiles
Cached Service Profiles
SSG Hierarchical Policing
SSG Hierarchical Policing Overview
SSG Hierarchical Policing Token Bucket Scheme
Restrictions for SSG Hierarchical Policing
SSG Hierarchical Policing Configuration
Router(config-prof)# attribute 26 9 1 “QU1600030004000D2400040008000”
Configuration Examples for SSG Hierarchical Policing
Router(config)# local-profile cisco.com
Chapter 8 SSG Hierarchical Policing
Interface Configuration
Transparent Passthrough
Transparent Passthrough, page
Access Side Interfaces
Restrictions of Transparent Passthrough
Configuration of Transparent Passthrough
Multicast Protocols on SSG Interfaces
Network Side Interfaces
Configuration of Multicast Protocols on SSG Interfaces
SSG TCP Redirect
Redirection for Unauthenticated Users
Redirection for Unauthenticated Users, page
Redirection for Unauthorized Services, page Initial Captivation, page
Redirection for Unauthorized Services
group-name
Initial Captivation
Configuration of SSG TCP Redirect
Restrictions for SSG TCP Redirect
Prerequisites for SSG TCP Redirect
Configuration Considerations for SSG TCP Redirect, page
Configuration Considerations for SSG TCP Redirect
Configuring Port-Based Redirection for Unauthenticated Users
Limiting Redirection for Unauthenticated Users
Configuring SSG TCP Redirect
Command
Purpose
Configuration Example for Server Groups, page
Configuration Examples for SSG TCP Redirect
Configuration Example for Server Groups
Configuration Example for Network Lists
Chapter 10 SSG TCP Redirect
Configuration Example for Port Lists
Example 10-5 Defining Port Lists
Configuration of VPI/VCI Static Binding to a Service Profile
Miscellaneous SSG Features
VPI/VCI Static Binding to a Service Profile
Restrictions for VPI/VCI Static Binding to a Service Profile
RADIUS Virtual Circuit Logging
AAA Server Group Support for Proxy Services
Configuration of RADIUS Virtual Circuit Logging
Restrictions for AAA Server Group Support for Proxy Services
Upstream Access Control List-inacl, page
Configuration of AAA Server Group Support for Proxy Services
Configuration Example for AAA Server Group Support for Proxy Services
Downstream Access Control List-outacl, page
Downstream Access Control List-outacl
Upstream Access Control List-inacl
Restrictions for Packet Filtering
Restrictions for SSG Unconfig
SSG Unconfig
Configuration of Packet Filtering
Configuration Example for Packet Filtering
Prerequisites for SSG Unconfig
Configuration of SSG Unconfig
Configuration Examples for SSG Unconfig
SSG Enhancements for Overlapping Services
Service Translation
Service Translation, page Expansion of Service IDs, page
Set1 0.0.0.0/0.0.0.0 Set2 10.58.253.0/255.255.255.0 Set3
Restrictions for Service Translation
Prerequisites for Service Translation
Service Definitions
Configuration of Service Translation
Configuration Example for Service Translation
Enables service translation and indicates to the router to use the
Expansion of Service IDs
Restrictions for Expansion of Service IDs
Configuration Example for Expansion of Service IDs
Network Sets
Monitoring and Maintaining SSG
Command
Removes the specified service
Troubleshooting RADIUS
Per-Service Statistics
Restrictions for Per-Service Statistics
Command
Monitoring the Parallel Express Forwarding Engine
Reference Guide
Chapter 12 Monitoring and Maintaining SSG
Appendix A
SSG Configuration Example
Appendix A SSG Configuration Example
Example A-1 Cisco 10000 Router SSG Configuration
exec-timeout 0 0
password lab
ntp clock-period 17181406
ntp update-calendar
Implementation Notes
SSG Feature
SSG Implementation Notes
Appendix B
Implementation Notes
SSG Feature
Also see the “Restrictions for SSG TCP Redirect” section on page
SSG Feature
Implementation Notes
Appendix B SSG Implementation Notes
Glossary
Digital Subscriber Line
xDSL
Glossary
Index
See CEF
inacl attribute
idle timeout
Idle Timeout Attribute 28 3-4
See PXF
See PPP
Exclude Networks 6-8
See RBE
AutoDomain
virtual channel identifier See VCI virtual circuit See VC
See VPI
VC G-5 VCI G-5 vendor-specific attributes definition G-5
VRF G-5 VSA definition G-5
VPI G-5 VPI/VCI implementation notes B-3 service profiles subscriber
web service selection 5-2 web sites accessing through Open Garden 6-5
Index