Cisco Systems, Inc. 170 West Tasman Drive, San Jose, CA
January
Corporate Headquarters
800 553-NETS Fax 408
Copyright 2004, Cisco Systems, Inc. All rights reserved.
Contents
Service Selection Gateway Overview
Default Network
Audience
Configuration Examples for Account Login and Logout
Configuration Example for SSG AutoDomain
Configuration Example for SSG Prepaid
Configuration of SSG Autologoff
Service Profiles
Configuration Example for SSG Open Garden
Configuration of Mutually Exclusive Service Selection
Service-Defined Cookie
Configuring Port-Based Redirection for Unauthenticated Users
Configuration of VPI/VCI Static Binding to a Service Profile
Interface Configuration
Limiting Redirection for Unauthenticated Users
Restrictions for SSG Unconfig
SSG Unconfig
Per-Service Statistics
Service Translation
OL-4387-02
Document Organization
About This Guide
Audience
Chapter
Title
Document Conventions
Chapter
Description
Related Documentation
Cisco 10000 Series Router Feature Map
Cisco 10000 Series Router Software Configuration Guides
Obtaining Documentation
Documentation CD-ROM
Documentation Feedback
Obtaining Technical Assistance
Ordering Documentation
TAC Case Priority Definitions
Cisco TAC Website
Opening a TAC Case
http://tools.cisco.com/RPF/register/register.do
Obtaining Additional Publications and Information
Service Selection Gateway Overview
Service Selection Gateway
Figure 1-1 SSG Topology Example
Packets from a User and Destined for the Default Network
Default Network
Access Protocols
Packets from the Default Network and Destined for an SSG User
Service Selection Methods
Service Connection
Supported SSG Features
SSG Logon and Logoff
Authentication and Accounting
Service Profiles and Cached Service Profiles
Any interface requiring tunneling (for example, L2TP or GRE tunneling)
Internet
SSG Prerequisites
SSG Architecture Model
Gaming
In Figure 1-2, subscribers access the SESM web portal application using any web browser on a variety of devices, such as a desktop computer over DSL. The Cisco 10000 series router (the SSG node) forwards unauthenticated SSG traffic from the subscriber to SESM, which is configured as the captive portal and default network. The SSG feature set of the router allows the service provider to design a service selection access network
Chapter 1 Service Selection Gateway Overview SSG Architecture Model
Scalability and Performance
Limitations and Restrictions
Best-Access to network B at rate Good-Access to network B at rate
Single Host Logon
SSG Prepaid Idle Timeout
SSG Session and Idle Timeout
SSG Logon and Logoff
Prerequisites for Single Host Logon
Restrictions for SSG Autologoff
Configuration of SSG Autologoff
SSG Autologoff
ARP ping
SSG Prepaid Idle Timeout
Configuration Example for SSG Autologoff
Service Authorization
Service Reauthorization
Configuration of SSG Prepaid Idle Timeout
Restrictions for SSG Prepaid Idle Timeout
Prerequisites for SSG Prepaid Idle Timeout
Configuration Example for SSG Prepaid Idle Timeout
SSG Session and Idle Timeout
SSG Full Username RADIUS Attribute
Authentication and Accounting
Configuration Examples for SSG Full Username RADIUS Attribute
Restrictions for SSG Full Username RADIUS Attribute
Account Login and Logout
Account Login and Logout
Configuration Examples for Account Login and Logout
Service Connection and Termination
Service Connection and Termination
Configuration Examples for Service Connection and Termination
Service-Type-Indicates the type of service
PPP Terminated Aggregation
Service Selection Methods
Web Service Selection
PTA-Multidomain
Web Service Selection
Restrictions for PTA-MD
SESM and SSG Performance
Chapter 5 Service Selection Methods Web Service Selection
SSG AutoDomain
Service Connection
Mutually Exclusive Service Selection
SSG AutoDomain
SSG Prepaid
SSG Open Garden
Configuration of SSG AutoDomain
Configuration Example for SSG AutoDomain
Restrictions for SSG AutoDomain
Example 6-1 SSG AutoDomain
Example 6-2 AutoDomain Exclude Profile SSG VSA Format
Example 6-3 AutoDomain Exclude File Format
Configuration of SSG Prepaid
SSG Prepaid
Restrictions for SSG Prepaid
Configuration Example for SSG Prepaid
SSG Open Garden
SSG Open Garden, Release 12.2(4)B feature module
Configuration of SSG Open Garden
Configuration Example for SSG Open Garden
SSG Port-Bundle Host Key
Restrictions for SSG Port-Bundle Host Key
SSG Port-Bundle Host Key, Release 12.2(4)B feature module
Mutually Exclusive Service Selection
Configuration of SSG Port-Bundle Host Key
Exclude Networks
Configuration of Mutually Exclusive Service Selection
Configuration Example for Mutually Exclusive Service Selection
Example 6-5 Configuring a Mutually Exclusive Service Selection Group
Chapter 6 Service Connection Mutually Exclusive Service Selection
Service Profiles
Cached Service Profiles
Service Profiles
Downstream Access Control List
Service Profiles and Cached Service Profiles
Domain Name
Upstream Access Control List
Service Authentication Type
Full Username
Service Mode
Service-Defined Cookie
Service Description
Service Next-Hop Gateway
Cached Service Profiles
Type of Service
Service Profile Example
Configuration of Cached Service Profiles
Chapter 7 Service Profiles and Cached Service Profiles
SSG Hierarchical Policing Token Bucket Scheme
SSG Hierarchical Policing
SSG Hierarchical Policing Overview
SSG Hierarchical Policing Configuration
Restrictions for SSG Hierarchical Policing
Router(config)# local-profile cisco.com
Configuration Examples for SSG Hierarchical Policing
Router(config-prof)# attribute 26 9 1 "QU1600030004000D2400040008000"
Chapter 8 SSG Hierarchical Policing
Transparent Passthrough
Interface Configuration
Transparent Passthrough
Access Side Interfaces
Network Side Interfaces
Configuration of Transparent Passthrough
Multicast Protocols on SSG Interfaces
Restrictions of Transparent Passthrough
Configuration of Multicast Protocols on SSG Interfaces
Redirection for Unauthorized Services
Initial Captivation
Redirection for Unauthenticated Users
Redirection for Unauthenticated Users
SSG TCP Redirect
Redirection for Unauthorized Services
group-name
Initial Captivation
Prerequisites for SSG TCP Redirect
Configuration of SSG TCP Redirect
Restrictions for SSG TCP Redirect
Limiting Redirection for Unauthenticated Users
Configuration Considerations for SSG TCP Redirect
Configuring Port-Based Redirection for Unauthenticated Users
Configuration Considerations for SSG TCP Redirect
Purpose
Configuring SSG TCP Redirect
Command
Configuration Example for Network Lists
Configuration Examples for SSG TCP Redirect
Configuration Example for Server Groups
Configuration Example for Server Groups
Example 10-5 Defining Port Lists
Configuration Example for Port Lists
Chapter 10 SSG TCP Redirect
Restrictions for VPI/VCI Static Binding to a Service Profile
Miscellaneous SSG Features
VPI/VCI Static Binding to a Service Profile
Configuration of VPI/VCI Static Binding to a Service Profile
Restrictions for AAA Server Group Support for Proxy Services
AAA Server Group Support for Proxy Services
Configuration of RADIUS Virtual Circuit Logging
RADIUS Virtual Circuit Logging
Downstream Access Control List-outacl
Configuration of AAA Server Group Support for Proxy Services
Configuration Example for AAA Server Group Support for Proxy Services
Upstream Access Control List-inacl
Restrictions for Packet Filtering
Downstream Access Control List-outacl
Upstream Access Control List-inacl
Configuration Example for Packet Filtering
SSG Unconfig
Configuration of Packet Filtering
Restrictions for SSG Unconfig
Configuration Examples for SSG Unconfig
Prerequisites for SSG Unconfig
Configuration of SSG Unconfig
Service Translation
Expansion of Service IDs
SSG Enhancements for Overlapping Services
Service Translation
Set1 0.0.0.0/0.0.0.0 Set2 10.58.253.0/255.255.255.0 Set3
Restrictions for Service Translation
Prerequisites for Service Translation
Enables service translation and indicates to the router to use the
Configuration of Service Translation
Configuration Example for Service Translation
Service Definitions
Configuration Example for Expansion of Service IDs
Expansion of Service IDs
Restrictions for Expansion of Service IDs
Network Sets
Command
Monitoring and Maintaining SSG
Restrictions for Per-Service Statistics
Troubleshooting RADIUS
Per-Service Statistics
Removes the specified service
Monitoring the Parallel Express Forwarding Engine
Reference Guide
Command
Chapter 12 Monitoring and Maintaining SSG
SSG Configuration Example
Appendix A
Example A-1 Cisco 10000 Router SSG Configuration
Appendix A SSG Configuration Example
ntp clock-period 17181406
ntp update-calendar
exec-timeout 0 0
password lab
Appendix B
SSG Feature
SSG Implementation Notes
Implementation Notes
Also see the “Restrictions for SSG TCP Redirect” section on page
Appendix B SSG Implementation Notes
Glossary
Digital Subscriber Line
xDSL
Index
See CEF
Idle Timeout Attribute 28
idle timeout
inacl attribute
See PXF
See PPP
AutoDomain
See RBE
Exclude Networks
VC
VCI
vendor-specific attributes definition
See VPI
virtual channel identifier See VCI
virtual circuit See VC
web service selection
web sites accessing through Open Garden
VPI
VPI/VCI implementation notes
service profiles subscriber
VRF
VSA definition