Peer default ip address pool SSG-POOL | Cisco Systems OL-4387-02

Appendix A SSG Configuration Example

interface ATM8/0/1 no ip address shutdown

no atm ilmi-keepalive

!

interface ATM8/0/2 no ip address shutdown

no atm ilmi-keepalive

!

interface ATM8/0/3 no ip address shutdown

no atm ilmi-keepalive

!

interface Virtual-Template1 ip unnumbered Loopback1

peer default ip address pool SSG-POOL

pppauthentication pap chap ppp ipcp address accept

!

ip local pool SSG-POOL 10.60.1.1 10.60.1.100 ip classless

ip route 0.0.0.0 0.0.0.0 192.168.2.1

ip route 10.80.1.1 255.255.0.0 11.1.1.51 no ip http server

!

!

ip radius source-interface FastEthernet0/0/0

!

logging trap debugging logging facility local6 logging 192.168.2.50

access-list 101 permit ip 10.0.0.0 0.255.255.255 172.25.0.0 0.0.255.255 access-list 102 permit ip host 192.168.2.50 any

access-list 102 permit ip any host 192.168.2.50 access-list 103 permit ip host 10.60.1.2 any access-list 104 permit tcp any any

access-list 105 permit ip 10.60.1.0 0.0.0.255 any arp 10.27.1.3 3434.3434.3434 ARPA

snmp-server community public RW

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps tty

snmp-server enable traps alarms

!

radius-server host 192.168.2.62 auth-port 1812 acct-port 1813 key cisco radius-server retransmit 5

radius-server timeout 15 radius-server attribute nas-port format d radius-server key cisco

radius-server authorization permit missing Service-Type radius-server vsa send accounting

radius-server vsa send authentication alias exec cpu show proc cpu history

alias exec dcopy copy running-config disk0:ssg-c10k.txt

alias exec zcopy copy running-config tftp://192.168.2.50/rohit/ssg-c10k.txt

!

line con 0 exec-timeout 0 0

	line aux 0
	line vty 0 4
	exec-timeout 0		0
	password cisco
	line vty 5	99
			Cisco 10000 Series Router Service Selection Gateway Configuration Guide

	OL-4387-02				A-5
	OL-4387-02				A-5

Image 91

Cisco Systems OL-4387-02 manual Peer default ip address pool SSG-POOL

Contents

Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved Iii N T E N T S Configuration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile Vii SSG Unconfig Viii Audience About This GuideDocument Organization Document Conventions Obtaining Documentation Related DocumentationCisco.com Ordering Documentation Documentation FeedbackObtaining Technical Assistance Documentation CD-ROM Xiii Cisco TAC WebsiteOpening a TAC Case TAC Case Priority Definitions Xiv Obtaining Additional Publications and Information Service Selection Gateway Service Selection Gateway Overview SSG Topology Example Access Protocols Default Network SSG Restrictions Supported SSG Features Service Selection Gateway Overview SSG Restrictions SSG Architecture Model SSG Prerequisites Service Selection Gateway Overview SSG Architecture Model OL-4387-02 Limitations and Restrictions Scalability and Performance Scalability and Performance Limitations and Restrictions Single Host Logon SSG Logon and LogoffPrerequisites for Single Host Logon SSG Autologoff Configuration of SSG AutologoffRestrictions for SSG Autologoff Example 3-2 SSG Autologoff Using Icmp Ping SSG Prepaid Idle TimeoutConfiguration Example for SSG Autologoff Example 3-1 SSG Autologoff Using ARP Ping Service Reauthorization Service Authorization Configuration Example for SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutPrerequisites for SSG Prepaid Idle Timeout Configuration of SSG Prepaid Idle Timeout Example 3-6 SSG Threshold Time SSG Session and Idle TimeoutExample 3-5 SSG Service-Specific TCP Redirect Example 3-7 SSG Threshold Volume Example 4-1 Radius Freeware Format Example Authentication and AccountingSSG Full Username Radius Attribute Restrictions for SSG Full Username Radius Attribute Example 4-4 Radius Accounting-Stop Record Account Login and LogoutRadius Accounting Records Example 4-3 Radius Accounting-Start Record Service Connection and Termination Authentication and Accounting Radius Accounting Records PPP Terminated Aggregation Service Selection MethodsPTA-Multidomain Restrictions for PTA-MD Web Service Selection Sesm and SSG Performance OL-4387-02 SSG AutoDomain Service Connection Configuration Example for SSG AutoDomain Configuration of SSG AutoDomainRestrictions for SSG AutoDomain Example 6-2 AutoDomain Exclude Profile SSG VSA Format Example 6-1 SSG AutoDomainExample 6-3 AutoDomain Exclude File Format SSG Prepaid Configuration of SSG PrepaidRestrictions for SSG Prepaid SSG Open Garden Configuration Example for SSG Prepaid Restrictions for SSG Open Garden Configuration of SSG Open GardenConfiguration Example for SSG Open Garden SSG Port-Bundle Host Key Restrictions for SSG Port-Bundle Host Key Prerequisites for SSG Port-Bundle Host Key Mutually Exclusive Service SelectionConfiguration of SSG Port-Bundle Host Key Exclude Networks Configuration of Mutually Exclusive Service Selection OL-4387-02 Downstream Access Control List Service Profiles Full Username Upstream Access Control ListService Authentication Type Domain Name Service Next-Hop Gateway Service-Defined CookieService Description Service Mode Example 7-1 Service Profile Cached Service ProfilesType of Service Service Profile Example Configuration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing Overview SSG Hierarchical PolicingSSG Hierarchical Policing Token Bucket Scheme Restrictions for SSG Hierarchical Policing SSG Hierarchical Policing Configuration Example 8-2 Enabling Per-Session Policing on a Router Configuration Examples for SSG Hierarchical Policing OL-4387-02 Transparent Passthrough Interface Configuration For example Access Side Interfaces Restrictions of Transparent Passthrough Configuration of Transparent PassthroughMulticast Protocols on SSG Interfaces Network Side Interfaces Configuration of Multicast Protocols on SSG Interfaces SSG TCP Redirect Redirection for Unauthenticated Users10-1 10-2 Redirection for Unauthorized Services 10-3 Initial Captivation 10-4 Configuration of SSG TCP RedirectRestrictions for SSG TCP Redirect Prerequisites for SSG TCP Redirect Example 10-1 Binding a Server Group to a Port 10-5Example 10-2 Limiting Redirected TCP Sessions 10-6 Configuring SSG TCP Redirect Example 10-4 Defining Network Lists Configuration Examples for SSG TCP Redirect10-7 Example 10-3 Defining a Captive Portal Server Group Example 10-5 Defining Port Lists 10-8 VPI/VCI Static Binding to a Service Profile Miscellaneous SSG Features11-1 11-2 AAA Server Group Support for Proxy ServicesConfiguration of Radius Virtual Circuit Logging Radius Virtual Circuit Logging 11-3 Packet Filtering 11-4 Downstream Access Control List-outaclUpstream Access Control List-inacl Restrictions for Packet Filtering Restrictions for SSG Unconfig SSG UnconfigConfiguration of Packet Filtering Configuration Example for Packet Filtering 11-6 Prerequisites for SSG UnconfigConfiguration of SSG Unconfig Configuration Examples for SSG Unconfig Service Translation SSG Enhancements for Overlapping Services11-7 11-8 11-9 Restrictions for Service Translation 11-10 Configuration of Service Translation 11-11 Expansion of Service IDs 11-12 Network Sets 12-1 Monitoring and Maintaining SSG 12-2 Troubleshooting RadiusPer-Service Statistics Restrictions for Per-Service Statistics 12-3 Monitoring the Parallel Express Forwarding Engine 12-4 Figure A-1 SSG Example Topology SSG Configuration Example Username cisco password 0 cisco clock timezone PST Example A-1 Cisco 10000 Router SSG Configuration Ssg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Implementation Notes SSG Feature Implementation Notes Mpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 GL-1 O S S a R Y GL-2 GL-3 GL-4 GL-5 GL-6 IN-1 D E IN-2 DSL G-1 IN-3 ISP G-2 L2TP IN-4 Radius IN-5 Reauthorizing prepaid IN-6 TCP IN-7 VRF G-5 VSA IN-8