January
Corporate Headquarters
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA
800 553-NETS Fax 408
Copyright 2004, Cisco Systems, Inc. All rights reserved.
Service Selection Gateway Overview
Default Network
Contents
Audience
Configuration Example for SSG AutoDomain
Configuration Example for SSG Prepaid
Configuration Examples for Account Login and Logout
Configuration of SSG Autologoff
Configuration Example for SSG Open Garden
Configuration of Mutually Exclusive Service Selection
Service Profiles
Service-Defined Cookie
Configuration of VPI/VCI Static Binding to a Service Profile
Interface Configuration
Configuring Port-Based Redirection for Unauthenticated Users
Limiting Redirection for Unauthenticated Users
SSG Unconfig
Per-Service Statistics
Restrictions for SSG Unconfig
Service Translation
OL-4387-02
About This Guide
Audience
Document Organization
Chapter
Document Conventions
Chapter
Title
Description
Cisco 10000 Series Router Feature Map
Cisco 10000 Series Router Software Configuration Guides
Related Documentation
Obtaining Documentation
Documentation Feedback
Obtaining Technical Assistance
Documentation CD-ROM
Ordering Documentation
Cisco TAC Website
Opening a TAC Case
TAC Case Priority Definitions
http://tools.cisco.com/RPF/register/register.do
Obtaining Additional Publications and Information
Service Selection Gateway Overview
Service Selection Gateway
Figure 1-1 SSG Topology Example
Default Network
Access Protocols
Packets from a User and Destined for the Default Network
Packets from the Default Network and Destined for an SSG User
Supported SSG Features
SSG Logon and Logoff
Authentication and Accounting
Service Selection Methods
Service Connection
Service Profiles and Cached Service Profiles
Any interface requiring tunneling (for example, L2TP or GRE tunneling)
SSG Prerequisites
SSG Architecture Model
Internet
Gaming
In Figure 1-2, subscribers access the SESM web portal application using any web browser on a variety of devices, such as a desktop computer over DSL. The Cisco 10000 series router (the SSG node) forwards unauthenticated SSG traffic from the subscriber to SESM, which is configured as the captive portal and default network. The SSG feature set of the router allows the service provider to design a service selection access network
Chapter 1 Service Selection Gateway Overview SSG Architecture Model
Scalability and Performance
Limitations and Restrictions
Best-Access to network B at rate Good-Access to network B at rate
SSG Prepaid Idle Timeout
SSG Session and Idle Timeout
SSG Logon and Logoff
Single Host Logon
Prerequisites for Single Host Logon
Configuration of SSG Autologoff
SSG Autologoff
Restrictions for SSG Autologoff
ARP ping
SSG Prepaid Idle Timeout
Configuration Example for SSG Autologoff
Service Authorization
Service Reauthorization
Restrictions for SSG Prepaid Idle Timeout
Prerequisites for SSG Prepaid Idle Timeout
Configuration of SSG Prepaid Idle Timeout
Configuration Example for SSG Prepaid Idle Timeout
SSG Session and Idle Timeout
Authentication and Accounting
Configuration Examples for SSG Full Username RADIUS Attribute
SSG Full Username RADIUS Attribute
Restrictions for SSG Full Username RADIUS Attribute
Account Login and Logout
Configuration Examples for Account Login and Logout
Account Login and Logout
Service Connection and Termination
Service Connection and Termination
Configuration Examples for Service Connection and Termination
Service-Type: Indicates the type of service
Service Selection Methods
Web Service Selection
PPP Terminated Aggregation
PTA-Multidomain
Web Service Selection
Restrictions for PTA-MD
SESM and SSG Performance
Chapter 5 Service Selection Methods Web Service Selection
Service Connection
Mutually Exclusive Service Selection
SSG AutoDomain
SSG AutoDomain
SSG Prepaid
SSG Open Garden
Configuration of SSG AutoDomain
Configuration Example for SSG AutoDomain
Restrictions for SSG AutoDomain
Example 6-1 SSG AutoDomain
Example 6-2 AutoDomain Exclude Profile SSG VSA Format
Example 6-3 AutoDomain Exclude File Format
Configuration of SSG Prepaid
SSG Prepaid
Restrictions for SSG Prepaid
Configuration Example for SSG Prepaid
SSG Open Garden
Configuration of SSG Open Garden
Configuration Example for SSG Open Garden
SSG Open Garden, Release 12.2(4)B feature module
SSG Port-Bundle Host Key
Restrictions for SSG Port-Bundle Host Key
Mutually Exclusive Service Selection
Configuration of SSG Port-Bundle Host Key
SSG Port-Bundle Host Key, Release 12.2(4)B feature module
Exclude Networks
Configuration of Mutually Exclusive Service Selection
Configuration Example for Mutually Exclusive Service Selection
Example 6-5 Configuring a Mutually Exclusive Service Selection Group
Chapter 6 Service Connection Mutually Exclusive Service Selection
Service Profiles
Downstream Access Control List
Service Profiles
Cached Service Profiles
Service Profiles and Cached Service Profiles
Upstream Access Control List
Service Authentication Type
Domain Name
Full Username
Service-Defined Cookie
Service Description
Service Mode
Service Next-Hop Gateway
Cached Service Profiles
Type of Service
Service Profile Example
Configuration of Cached Service Profiles
Chapter 7 Service Profiles and Cached Service Profiles
Cached Service Profiles
SSG Hierarchical Policing
SSG Hierarchical Policing Overview
SSG Hierarchical Policing Token Bucket Scheme
SSG Hierarchical Policing Configuration
Restrictions for SSG Hierarchical Policing
Configuration Examples for SSG Hierarchical Policing
Router(config)# local-profile cisco.com
Router(config-prof)# attribute 26 9 1 "QU1600030004000D2400040008000"
Chapter 8 SSG Hierarchical Policing
Interface Configuration
Transparent Passthrough
Transparent Passthrough
Access Side Interfaces
Configuration of Transparent Passthrough
Multicast Protocols on SSG Interfaces
Network Side Interfaces
Restrictions of Transparent Passthrough
Configuration of Multicast Protocols on SSG Interfaces
Redirection for Unauthenticated Users
Redirection for Unauthenticated Users
Redirection for Unauthorized Services
Initial Captivation
SSG TCP Redirect
Redirection for Unauthorized Services
group-name
Initial Captivation
Configuration of SSG TCP Redirect
Restrictions for SSG TCP Redirect
Prerequisites for SSG TCP Redirect
Configuration Considerations for SSG TCP Redirect
Configuring Port-Based Redirection for Unauthenticated Users
Limiting Redirection for Unauthenticated Users
Configuration Considerations for SSG TCP Redirect
Configuring SSG TCP Redirect
Command
Purpose
Configuration Examples for SSG TCP Redirect
Configuration Example for Server Groups
Configuration Example for Network Lists
Configuration Example for Server Groups
Configuration Example for Port Lists
Example 10-5 Defining Port Lists
Chapter 10 SSG TCP Redirect
Miscellaneous SSG Features
VPI/VCI Static Binding to a Service Profile
Restrictions for VPI/VCI Static Binding to a Service Profile
Configuration of VPI/VCI Static Binding to a Service Profile
AAA Server Group Support for Proxy Services
Configuration of RADIUS Virtual Circuit Logging
Restrictions for AAA Server Group Support for Proxy Services
RADIUS Virtual Circuit Logging
Configuration of AAA Server Group Support for Proxy Services
Configuration Example for AAA Server Group Support for Proxy Services
Downstream Access Control List-outacl
Upstream Access Control List-inacl
Downstream Access Control List-outacl
Upstream Access Control List-inacl
Restrictions for Packet Filtering
SSG Unconfig
Configuration of Packet Filtering
Configuration Example for Packet Filtering
Restrictions for SSG Unconfig
Prerequisites for SSG Unconfig
Configuration of SSG Unconfig
Configuration Examples for SSG Unconfig
SSG Enhancements for Overlapping Services
Service Translation
Service Translation
Expansion of Service IDs
Set1 0.0.0.0/0.0.0.0 Set2 10.58.253.0/255.255.255.0 Set3
Restrictions for Service Translation
Prerequisites for Service Translation
Configuration of Service Translation
Configuration Example for Service Translation
Enables service translation and indicates to the router to use the
Service Definitions
Expansion of Service IDs
Restrictions for Expansion of Service IDs
Configuration Example for Expansion of Service IDs
Network Sets
Monitoring and Maintaining SSG
Command
Troubleshooting RADIUS
Per-Service Statistics
Restrictions for Per-Service Statistics
Removes the specified service
Monitoring the Parallel Express Forwarding Engine
Reference Guide
Command
Chapter 12 Monitoring and Maintaining SSG
SSG Configuration Example
Appendix A
Example A-1 Cisco 10000 Router SSG Configuration
Appendix A SSG Configuration Example
exec-timeout 0 0
password lab
ntp clock-period 17181406
ntp update-calendar
SSG Feature
SSG Implementation Notes
Appendix B
Implementation Notes
SSG Feature
Implementation Notes
Also see the “Restrictions for SSG TCP Redirect” section on page
SSG Feature
Implementation Notes
Appendix B SSG Implementation Notes
Glossary
Digital Subscriber Line
xDSL
Index
See CEF
idle timeout
Idle Timeout Attribute 28 3-4
inacl attribute
See PXF
See PPP
See RBE
AutoDomain
Exclude Networks 6-8
See VPI
VC G-5 VCI G-5 vendor-specific attributes definition G-5
virtual channel identifier See VCI virtual circuit See VC
VPI G-5 VPI/VCI implementation notes B-3 service profiles subscriber
web service selection 5-2 web sites accessing through Open Garden 6-5
VRF G-5 VSA definition G-5