Manuals / Cisco Systems / Computer Equipment / Network Router

Cisco Systems OL-4387-02 Downstream Access Control List-outacl, Restrictions for Packet Filtering

Models: OL-4387-02

1 110

Download 110 pages 54.42 Kb

Page 74

Downstream Access Control List—outacl

Chapter 11 Miscellaneous SSG Features

Packet Filtering

Downstream Access Control List—outacl

Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to downstream traffic going to the user.

Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list extended-access-control-list}"

Upstream Access Control List—inacl

Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to upstream traffic coming from the user.

Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list extended-access-control-list}"

Restrictions for Packet Filtering

Packet filtering for SSG has the following restrictions:

•SSG accepts only the permit and deny actions for a per-user ACL. You can place ACLs on user traffic for both the input and output directions that are similar to existing Cisco IOS ACLs; however, the log option is not accepted.

•SSG supports mini-ACLs with eight or less access control entries (ACEs). The ACEs can be extended ACEs.

•SSG does not support turbo ACLs applied to SSG users. Turbo ACLs have more than eight ACEs defined.

•To support some SSG features, SSG prepends ACEs on user ACLs. Because the number of ACEs is restricted to a maximum of eight, the number of ACEs that you can define is therefore reduced in some cases. For example, for the Port-Bundle Host Key feature, an ACE is required on both the host input and output ACL. This allows seven ACEs that you can define.

•SSG does not support the ability to apply per-service (connection level) ACLs. ACLs for QoS classification are not applicable to SSG host interfaces.

•SSG ACLs take precedence over Cisco IOS ACLs. If you configure a Cisco IOS ACL on an SSG interface by using the ip access-groupcommand, the router applies the ACL as long as an SSG ACL is not applied to the interface in the same direction. If an SSG ACL is applied to the interface in the same direction, the router applies the SSG ACL.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

11-4	OL-4387-02

Image 74

Cisco Systems OL-4387-02 manual Downstream Access Control List-outacl, Upstream Access Control List-inacl, 11-4

Contents

Cisco Systems, Inc 170 West Tasman Drive San Jose, CA JanuaryCorporate Headquarters 800 553-NETS Fax 408Copyright 2004, Cisco Systems, Inc All rights reserved C O N T E N T S Service Selection Gateway OverviewDefault Network AudienceConfiguration Examples for Account Login and Logout Configuration Example for SSG AutoDomainConfiguration Example for SSG Prepaid Configuration of SSG AutologoffService Profiles Configuration Example for SSG Open GardenConfiguration of Mutually Exclusive Service Selection Service-Defined CookieConfiguring Port-Based Redirection for Unauthenticated Users Configuration of VPI/VCI Static Binding to a Service ProfileInterface Configuration Limiting Redirection for Unauthenticated UsersRestrictions for SSG Unconfig SSG UnconfigPer-Service Statistics Service TranslationOL-4387-02 viiiContents Document Organization About This GuideAudience ChapterTitle Document ConventionsChapter DescriptionRelated Documentation Cisco 10000 Series Router Feature MapCisco 10000 Series Router Software Configuration Guides Obtaining DocumentationDocumentation CD-ROM Documentation FeedbackObtaining Technical Assistance Ordering DocumentationTAC Case Priority Definitions Cisco TAC WebsiteOpening a TAC Case http//tools.cisco.com/RPF/register/register.doObtaining Additional Publications and Information C H A P T E R Service Selection Gateway OverviewService Selection Gateway Figure 1-1 SSG Topology Example Packets from a User and Destined for the Default Network Default NetworkAccess Protocols Packets from the Default Network and Destined for an SSG UserService Selection Methods, page Service Connection, page Supported SSG FeaturesSSG Logon and Logoff, page Authentication and Accounting, page Service Profiles and Cached Service Profiles, pageAny interface requiring tunneling for example, L2TP or GRE tunneling Internet SSG PrerequisitesSSG Architecture Model GamingIn Figure 1-2, subscribers access the SESM web portal application using any web browser on a variety of devices such as a desktop computer over DSL. The Cisco 10000 series router the SSG node forwards unauthenticated SSG traffic from the subscriber to SESM, configured as the captive portal and default network. The SSG feature set of the router allows the service provider to design a service selection access network Chapter 1 Service Selection Gateway Overview SSG Architecture Model OL-4387-02C H A P T E R Scalability and PerformanceLimitations and Restrictions Best-Access to network B at rate Good-Access to network B at rate Single Host Logon SSG Prepaid Idle Timeout, page SSG Session and Idle Timeout, pageSSG Logon and Logoff Prerequisites for Single Host LogonRestrictions for SSG Autologoff Configuration of SSG AutologoffSSG Autologoff ARP pingSSG Prepaid Idle Timeout Configuration Example for SSG AutologoffService Authorization Service ReauthorizationConfiguration of SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutPrerequisites for SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle TimeoutSSG Session and Idle Timeout SSG Full Username RADIUS Attribute Authentication and AccountingConfiguration Examples for SSG Full Username RADIUS Attribute Restrictions for SSG Full Username RADIUS AttributeAccount Login and Logout, page Account Login and LogoutConfiguration Examples for Account Login and Logout Service Connection and Termination, pageService Connection and Termination Configuration Examples for Service Connection and TerminationService-Type-Indicates the type of service PPP Terminated Aggregation Service Selection MethodsWeb Service Selection, page PTA-MultidomainWeb Service Selection Restrictions for PTA-MDSESM and SSG Performance Chapter 5 Service Selection Methods Web Service Selection OL-4387-02SSG AutoDomain Service ConnectionMutually Exclusive Service Selection, page SSG AutoDomain, page SSG Prepaid, page SSG Open Garden, pageRestrictions for SSG AutoDomain Configuration of SSG AutoDomainConfiguration Example for SSG AutoDomain Example 6-3 AutoDomain Exclude File Format Example 6-1 SSG AutoDomainExample 6-2 AutoDomain Exclude Profile SSG VSA Format Restrictions for SSG Prepaid Configuration of SSG PrepaidSSG Prepaid Configuration Example for SSG Prepaid SSG Open GardenSSG Open Garden, Release 12.24B feature module Configuration of SSG Open GardenConfiguration Example for SSG Open Garden SSG Port-Bundle Host KeyRestrictions for SSG Port-Bundle Host Key SSG Port-Bundle Host Key, Release 12.24B feature module Mutually Exclusive Service SelectionConfiguration of SSG Port-Bundle Host Key Exclude NetworksExample 6-5 Configuring a Mutually Exclusive Service Selection Group Configuration of Mutually Exclusive Service SelectionConfiguration Example for Mutually Exclusive Service Selection OL-4387-02 6-10Chapter 6 Service Connection Mutually Exclusive Service Selection Service Profiles, page Cached Service Profiles, page Service ProfilesDownstream Access Control List Service Profiles and Cached Service ProfilesDomain Name Upstream Access Control ListService Authentication Type Full UsernameService Mode Service-Defined CookieService Description Service Next-Hop GatewayService Profile Example Cached Service ProfilesType of Service Configuration of Cached Service Profiles OL-4387-02 Chapter 7 Service Profiles and Cached Service ProfilesCached Service Profiles SSG Hierarchical Policing Token Bucket Scheme SSG Hierarchical PolicingSSG Hierarchical Policing Overview C H A P T E RSSG Hierarchical Policing Configuration Restrictions for SSG Hierarchical PolicingRouterconfig# local-profile cisco.com Configuration Examples for SSG Hierarchical PolicingConfiguration Examples for SSG Hierarchical Policing Routerconfig-prof# attribute 26 9 1 “QU1600030004000D2400040008000”OL-4387-02 Configuration Examples for SSG Hierarchical PolicingChapter 8 SSG Hierarchical Policing Transparent Passthrough, page Interface ConfigurationTransparent Passthrough C H A P T E RAccess Side Interfaces Network Side Interfaces Configuration of Transparent PassthroughMulticast Protocols on SSG Interfaces Restrictions of Transparent PassthroughConfiguration of Multicast Protocols on SSG Interfaces Redirection for Unauthorized Services, page Initial Captivation, page Redirection for Unauthenticated UsersRedirection for Unauthenticated Users, page SSG TCP Redirectgroup-name Redirection for Unauthorized Services10-2 Initial Captivation 10-3Prerequisites for SSG TCP Redirect Configuration of SSG TCP RedirectRestrictions for SSG TCP Redirect 10-4Limiting Redirection for Unauthenticated Users Configuration Considerations for SSG TCP RedirectConfiguring Port-Based Redirection for Unauthenticated Users Configuration Considerations for SSG TCP Redirect, pagePurpose Configuring SSG TCP RedirectCommand 10-6Configuration Example for Network Lists Configuration Examples for SSG TCP RedirectConfiguration Example for Server Groups Configuration Example for Server Groups, pageExample 10-5 Defining Port Lists Configuration Example for Port Lists10-8 Chapter 10 SSG TCP RedirectRestrictions for VPI/VCI Static Binding to a Service Profile Miscellaneous SSG FeaturesVPI/VCI Static Binding to a Service Profile Configuration of VPI/VCI Static Binding to a Service ProfileRestrictions for AAA Server Group Support for Proxy Services AAA Server Group Support for Proxy ServicesConfiguration of RADIUS Virtual Circuit Logging RADIUS Virtual Circuit LoggingDownstream Access Control List-outacl, page Configuration of AAA Server Group Support for Proxy ServicesConfiguration Example for AAA Server Group Support for Proxy Services Upstream Access Control List-inacl, pageRestrictions for Packet Filtering Downstream Access Control List-outaclUpstream Access Control List-inacl 11-4Configuration Example for Packet Filtering SSG UnconfigConfiguration of Packet Filtering Restrictions for SSG UnconfigConfiguration Examples for SSG Unconfig Prerequisites for SSG UnconfigConfiguration of SSG Unconfig 11-6Service Translation, page Expansion of Service IDs, page SSG Enhancements for Overlapping ServicesService Translation 11-711-8 Set1 0.0.0.0/0.0.0.0 Set2 10.58.253.0/255.255.255.0 Set311-9 Restrictions for Service TranslationPrerequisites for Service Translation Enables service translation and indicates to the router to use the Configuration of Service TranslationConfiguration Example for Service Translation Service DefinitionsConfiguration Example for Expansion of Service IDs Expansion of Service IDsRestrictions for Expansion of Service IDs 11-11Network Sets 11-12Command Monitoring and Maintaining SSG12-1 C H A P T E RRestrictions for Per-Service Statistics Troubleshooting RADIUSPer-Service Statistics Removes the specified service12-3 Monitoring the Parallel Express Forwarding EngineReference Guide CommandMonitoring the Parallel Express Forwarding Engine 12-4Chapter 12 Monitoring and Maintaining SSG OL-4387-02SSG Configuration Example A P P E N D I X AExample A-1 Cisco 10000 Router SSG Configuration Appendix A SSG Configuration ExampleAppendix A SSG Configuration Example OL-4387-02Appendix A SSG Configuration Example OL-4387-02Appendix A SSG Configuration Example OL-4387-02ntp clock-period 17181406 ntp update-calendar Appendix A SSG Configuration Exampleexec-timeout 0 0 password lab OL-4387-02A P P E N D I X B SSG FeatureSSG Implementation Notes Implementation NotesSSG Feature Implementation NotesImplementation Notes Also see the “Restrictions for SSG TCP Redirect” section on pageSSG Feature Appendix B SSG Implementation Notes OL-4387-02GL-1 G L O S S A R YDigital Subscriber Line GL-2 GL-3 GL-4 GL-5 Glossary GL-6xDSL OL-4387-02IN-1 I N D ESee CEF Idle Timeout Attribute 28 3-4 IN-2idle timeout inacl attributeIN-3 See PXFSee PPP AutoDomain See RBEIN-4 Exclude Networks 6-8IN-5 VC G-5 VCI G-5 vendor-specific attributes definition G-5 See VPIIN-6 virtual channel identifier See VCI virtual circuit See VCweb service selection 5-2 web sites accessing through Open Garden 6-5 IN-7VPI G-5 VPI/VCI implementation notes B-3 service profiles subscriber VRF G-5 VSA definition G-5OL-4387-02 IN-8Index