Introduction

The Cisco 6510 Service Selection Gateway is a hardware and software solution that allows users with high-speed fixed network connections, such as Asynchronous Digital Subscriber Line (ADSL) equipment and cable modems, to gain access to intranet and Internet services through an interface similar to Dial-Up networking.

The Cisco 6510 allows users to connect to and disconnect from multiple services, without having to log off. This offers flexibility and convenience to users and enables service providers to bill users based on connect time and services used, rather than charging a flat rate.

The Cisco 6510 is installed in a network to provide access to services such as:

• Basic Internet services

• Tunneled access to a corporation or service provider's home gateway

The Cisco 6510 contains three Ethernet cards that interface with:

• ADSL equipment or cable modems (typically ADSL Termination Units connected to hardware such as a Cisco Catalyst 5500 switch)

• Remote Access Dial-In User Service (RADIUS) authentication, authorization, and accounting (AAA) solutions such as the Cisco User Control Point (UCP)

• The service provider's network via a router that supports direct Internet access as well as tunneled access to corporate home gateways through Layer 2 Forwarding (L2F) technology

Figure 1-1: Cisco 6510 Connection Between ADSL Equipment and Network Services

Figure 1-1 shows a diagram of a typical network topology including the Cisco 6510. Users at remote sites access the network using an ADSL modem (ADSL Termination Unit - Remote, or ATU-R) and telephone lines. At the service provider's Network Operations Center (NOC), incoming connections are processed by an ADSL System Management Unit (ATU-M) that controls an array of ADSL central office terminal units (ATU-C). This equipment converts the ADSL connections into 10BaseT connections.

The 10BaseT connections are fed into a Cisco Catalyst 5000 with dedicated 10BaseT switched ports. Each 10BaseT port is a unique virtual local area network (VLAN) that is transmitted to a Route Switching Module (RSM) in the Catalyst 5000. The Catalyst 5000 is connected through a 100BaseT connector to the first Ethernet port on the Cisco 6510.

The second Ethernet port on the Cisco 6510 is connected to send and receive RADIUS, Dynamic Host Configuration Protocol (DHCP), and Domain Name System (DNS) packets to and from a system running the UCP software (or an AAA server from another vendor).

The third Ethernet port is connected to the Cisco 7513 router, which is connected to the Internet and the corporate home gateway.

Using a client application called the Dashboard, remote users connect to the Cisco 6510. The Cisco 6510 forwards their login information to the AAA server. If they are not a valid user of the network, the AAA server sends an Access-Reject message. If they are a valid user, the AAA server sends an Access-Accept message with information on which services the user is authorized to use.

The Dashboard application presents the user with a menu of services that they are authorized to use, and the user selects one or more of the services. The Cisco 6510 then creates an appropriate connection for the user and starts RADIUS accounting for the connection. If the user wants to connect to the Internet, an Internet connection is established. If the user wants to connect to one of the service provider's services, a tunnelled L2F connection is created to the service provider's home gateway. Using network address translation (NAT) the Cisco 6510 ensures that packets sent by the Cisco 6510 are sent back to the correct host.

---

Note When a user disconnects from a service without logging off, the connection remains open and the user will be able to reaccess the service without going through the log on procedure. To prevent this user from being logged on indefinitely, be sure to configure the Session-Timeout RADIUS attribute.

---

Cisco 6510 Features

The Cisco 6510 provides these features:

• User access to multiple destinations--Users who connect through the Cisco 6510 access the service provider's network through an application called the Dashboard, which allows them to select the service to which they want to connect. This application is provided by the service provider and is made available either on a disk or as a download from a web site on the service provider's network.

• Separate access to normal Internet traffic, the service provider's network, and corporate networks. Normal Internet traffic is provided through a normal Internet connection. Access to the service provider's network is provided through a L2F tunnel, reducing the bandwidth requirements for the service provider's Internet connection. Access to corporate networks is also provided through an L2F tunnel, offering Virtual Private Dialup Networking (VPDN).

• Up to 25,000 simultaneous users.

• Up to 10 connections per user.

• Full utilization of the hardware, CPU, and memory provided through a real-time embedded operating system.

• Network address translation--The Cisco 6510 overcomes limitations with Point-to-Point Protocol (PPP) connections to multiple L2F tunnels. Home gateways assign an IP address for each L2F tunnels. However, client PCs running TCP/IP are only allowed one IP address. To overcome this limitation, the Cisco 6510 forwards packets sent to the IP address assigned by the home gateway to the client's actual IP address.

• Support for DNS--If L2F tunnel service is selected, the Cisco 6510 sends DNS requests through L2F tunnels based on the search order set by each host. If no match is found, the DNS request is sent to the default DNS server. If L2F is not selected, all DNS requests are sent to the default DNS server.

• Support for a variety of AAA servers--The Cisco 6510 is designed to work with the UCP product, which provides RADIUS-based AAA services, DHCP address assignment, and a DNS server. However, the Cisco 6510 can also be used with other vendors' AAA servers and RADIUS implementations.

Cisco 6510 Equipment

The Cisco 6510 ships with the following:

• Intel Pentium II 300-Mhz processor

• 384 MB of SDRAM

• 2-MB FlashDisk Half Card from PEP

• Intel AL440LX motherboard

• Three Intel PRO100+ FE Fast Ethernet cards

• Two serial ports

• Disk drive

• Cisco 6510 custom chassis

• Power cord

• DB-9 to DB-25 or DB-9 to DB-9 null modem serial cable

• This guide

• Regulatory Compliance and Safety Information for the Cisco 6510 Service Selection Gateway document

• Cisco 6510 Service Selection Gateway Hardware Installation Guide publication

Cisco 6510 Failover Mechanism

The Cisco 6510 provides a failover mechanism that, in the event of system failure, allows itself to be replaced by a standby Cisco 6510. To implement failover, connect the failover ports of two Cisco 6510s using a Cisco failover cable and configure the active unit as required. This unit is considered the "primary" unit and the second unit is considered the "standby" unit.

The primary unit performs its normal network functions while the standby unit only monitors, ready to take control in case the primary unit fails. To ensure that both units are configured exactly the same, configuration replication occurs over the failover cable from the primary unit to the standby unit:

• When failover is enabled.

• During Startup.

• When a hot standby is started.

• When a modification is made on the primary unit.

• When the failover cpconfig command is entered.

Network Transparency

Each unit has a presence on the network. The primary unit uses its own IP and Media Access Control (MAC) addresses (the primary unit is determined by the unit that has the end of the failover cable labeled "Primary" or "Unit 0" plugged into it) and the standby unit uses its own IP and MAC addresses. If a switchover occurs, the units swap the IP and MAC addresses they are using and transparently replace each other's presence on the network. Because this action is invisible to the network, the IP to MAC address relationships remain exactly the same. No Address Resolution Protocol (ARP) tables in the network will time out or need to be changed. No other piece of network equipment needs to know about the redundancy or that a switchover occurred.

Fault Detection

Fault detection is based on the following:

• Received network traffic counts--If the primary unit stops receiving packets while the standby is still seeing them for two consecutive 15-second intervals, the standby unit will take over.

• Cable errors--The cable is wired so each unit can distinguish between a power failure in the other unit and an unplugged cable. If the standby unit detects that the primary unit is powered off (or resets), it will take control. If the cable is unplugged, a syslog is generated but no switching occurs. An exception to this is at boot-up, at which point an unplugged cable will force the unit active. If both units are powered up without the failover cable installed, they will both become primary units and create duplicate IP addresses on your network. The failover cable must be installed for failover to work correctly.

• Failover communication--The two units send "hello" packets every 15 seconds. If the standby unit does not hear from the primary unit in two communication attempts (and the cable status is OK), the standby unit will take over.

Failover Recovery

If the primary unit fails, a switchover will occur. To restore the units to a normal state, do one of the following:

• Power cycle the power of the failed unit.

• Enter the command failover reset at the failed unit.

If a failure still exists, the unit will fail again within the normal time required to detect the failure.

If a network interface card (NIC) is not plugged in to an operational network, the unit will fail. If, at a later time, the NIC is plugged in and detects a valid network, the unit will clear its failed state and resume normally. This is the only condition in which a failed unit will automatically clear its own failure.

---

Note Because the standby unit does not keep state information on each connection, all active connections will be dropped. These must be re-established by the clients.

---