|
|
This feature module describes the Node Route Processor-Service Selection Gateway (NRP-SSG) feature. It includes information on the benefits of the new feature, supported platforms, related documents, and so forth.
This document includes the following sections:
The NRP-SSG is a feature of Cisco IOS Release 12.0(3)DC. It is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using high-speed data circuit equipment (DCE) such as Asymmetric Digital Subscriber Line (ADSL) to allow simultaneous access to network services. The NRP-SSG with Web Selection works in conjunction with the Cisco Service Selection Dashboard (SSD). The Cisco SSD is a customizable web-based application that allows users to select from multiple passthrough and proxy services through a standard web browser.
Figure 1 shows a diagram of a typical network topology including the NRP-SSG. This is an end-to-end, service-oriented DSL deployment consisting of Digital Subscriber Line Access Multiplexers (DSLAMs), ADSL modems, and other internetworking components and servers. The NRP-SSG resides in the Cisco 6400 universal access concentrator, which acts as a central control point for Layer 2 and Layer 3 services. This can include services available through Asynchronous Transfer Mode (ATM) virtual circuits (VCs), virtual private dial-up networks (VPDNs), or normal routing methods.
The NRP-SSG communicates with the authentication, authorization, and accounting (AAA) management network where Remote Access Dial-In User Service (RADIUS), Dynamic Host Configuration Protocol (DHCP), and Simple Network Management Protocol (SNMP) servers reside and with the Internet service provider (ISP) network, which may connect to the Internet, corporate networks, and value-added services.
A licensed version of the NRP-SSG works with the Cisco SSD to present to subscribers a menu of network services that can be selected from a single graphical user interface (GUI). This improves flexibility and convenience for subscribers, and enables service providers to bill subscribers based on connect time and services used, rather than charging a flat rate.
The user opens an HTML browser and accesses the URL of the Cisco SSD, a web server application. The Cisco SSD forwards user login information to the NRP-SSG, which forwards the information to the AAA server.
Based on the contents of the Access-Accept response, the Cisco SSD presents a dashboard menu of services that the user is authorized to use, and the user selects one or more of the services. The NRP-SSG then creates an appropriate connection for the user and starts RADIUS accounting for the connection.
Note that when a non-Point-to-Point Protocol (non-PPP) user, such as in a bridged networking environment, disconnects from a service without logging off, the connection remains open and the user will be able to reaccess the service without going through the logon procedure. This is because no direct connection (PPP) exists between the subscribers and the NRP-SSG. To prevent non-PPP users from being logged on to services indefinitely, be sure to configure the Session-Timeout and/or Idle-Timeout RADIUS attributes.
Note that the Cisco SSD functionality discussed throughout this document is available only with the NRP-SSG with Web Selection product.
The NRP-SSG with Web Selection works in conjunction with the Cisco SSD. The Cisco SSD is a specialized web server that allows users to log on to and disconnect from multiple passthrough and proxy services through a standard web browser.
After the user opens a web browser, the NRP-SSG allows access to a single IP address or subnet, referred to as the "default network." This is typically the IP address of the Cisco SSD. The Cisco SSD prompts the user for a username and password. After the user is authenticated, the Cisco SSD presents a list of available services.
The NRP-SSG is designed to work with RADIUS-based AAA servers that accept vendor-specific attributes (VSAs).
The NRP-SSG supports the following types of services:
The NRP-SSG can forward traffic through any interface via normal routing or a next hop table. Because Network Address Translation (NAT) is not performed for this type of traffic, overhead is reduced. Passthrough service is ideal for standard Internet access.
When a subscriber requests access to a proxy service, the NRP-SSG will proxy the Access-Request to the remote AAA server. Upon receiving an Access-Accept from the remote RADIUS server, the NRP-SSG responds to the subscriber with the Access-Accept. To the remote AAA server, the NRP-SSG appears as a client.
During remote authentication, if the RADIUS server assigns an IP address to the subscriber, the NRP-SSG performs NAT between the assigned IP address and the subscriber's real IP address. If the remote RADIUS server does not assign an IP address, NAT is not performed.
When a user selects a proxy service, there is another username and password prompt. After authentication, the service is accessible until the user logs out from the service, logs out from the Cisco SSD, or is timed out.
When enabled, transparent passthrough allows unauthenticated subscriber traffic to be routed through the NRP-SSG in either direction. Filters can be specified to control transparent passthrough traffic. Some of the applications for this feature include:
The NRP-SSG supports multicast traffic, which includes normal multicast packets and Internet Group Management Protocol (IGMP) packets.
In order for the NRP-SSG to forward multicast packets to the IOS routing engine, it must be configured as follows:
If multicast is not enabled, multicast packets received on the interface will be dropped.
PTA can only be used by PPP-type users. AAA is performed exactly as in the proxy service type. A subscriber logs on to a service using a PPP dialer application with a username of the form user@service. The NRP-SSG recognizes the @service as a service profile and loads the service profile from the local configuration or a AAA server. The NRP-SSG forwards the AAA request to the remote RADIUS server as specified by the service profile's RADIUS-Server Attribute. An address is assigned to the subscriber through RADIUS Attribute 8 or Cisco-AVpair "ip:addr-pool." NAT is not performed, and all user traffic is aggregated to the remote network. With PTA, users can only access one service. Users will not have access to the default network or the Cisco SSD.
While PTA terminates the PPP session into a single routing domain, PTA-MD terminates the PPP sessions into multiple IP routing domains, thus supporting a wholesale VPN model where each domain is isolated from the other by an ATM core and has the capability to support overlapping IP addresses.
The NRP-SSG uses IOS access control lists (ACLs) to prevent users, services, and passthrough traffic from accessing specific IP addresses and ports.
When an ACL attribute is added to a service profile, all users of that service are prevented from accessing the specified IP address, subnet mask, and port combinations through the service.
When an ACL attribute is added to a user profile, it will apply globally to all of the user's traffic.
Upstream and downstream attributes, including inacl and outacl attributes, can be added to a special pseudo-service profile that can be downloaded to the NRP-SSG from a RADIUS server. Additionally, locally configured ACLs can be used. After the ACLs have been defined, they are applied to all traffic passed by the transparent passthrough feature.
When users are accessing multiple services, the NRP-SSG must determine the services for which the packets are destined. To do this, the NRP-SSG uses an algorithm to create a service access order list. This list is stored in the user's host object and contains services that are currently open and the order in which they are searched.
The algorithm that creates this list orders the open services based on the size of the network. Network size is determined by the subnet mask of the Service Route RADIUS attribute. A subnet that contains more hosts implies a larger network. In the case of networks that are the same size, the services will be listed in the order in which they were last accessed.
When creating service profiles, be sure to define as small a network as possible. If there is overlapping address space, packets might be forwarded to the wrong service.
The next hop gateway attribute is used to specify the next hop key for a service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address.
Note that this attribute overrides the IP routing table for packets destined to a service.
When the NRP-SSG receives a DNS request, it performs domain name matching using the Domain Name attribute from the service profiles of the currently logged in services.
If a match is found, the request is redirected to the DNS server for the matched service.
If a match is not found and the user is logged on to a service that has Internet connectivity, the request is redirected to the first service in the user's service access order list that has Internet connectivity. Internet connectivity is defined as a service containing a Service Route attribute of 0.0.0.0/0.
If a match is not found and the user is not logged on to a service that has Internet connectivity, the request is forwarded using the normal routing methods specified in the client's Transmission Control Protocol/Internet Protocol (TCP/IP) stack.
The NRP-SSG can be configured to work with a single DNS server, or two servers in a fault-tolerant configuration. Based on an internal algorithm, DNS requests will be switched to the secondary server if the primary server begins to perform poorly or fails.
In a dial-up networking or bridged (non-PPP) network environment, a user might disconnect from the NAS and release the IP address without logging out from the NRP-SSG. If this happens, the NRP-SSG will continue to allow traffic to pass from that IP address and this might be a problem if the IP address is obtained by another user.
The NRP-SSG provides two mechanisms to prevent this problem:
The Session-Timeout and Idle-Timeout attributes can be used in either a user or service profile. In a user profile, the attribute applies to the user's session. In a service profile, the attribute individually applies to each service connection.
NRP-SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log on to this service while simultaneously connected to other services. Sequential access requires that the user log out of all other services before accessing a service configured for sequential access.
Concurrent access is recommended for most services. Sequential access is ideal for services for which security is important, such as corporate intranet access, or for which there is a possibility of overlapping address space.
The NRP-SSG supports extended high system availability (EHSA) redundancy. You can configure this chassis redundancy at the slot level of the Cisco 6400 for adjacent slot or subslot pairs. For example, if you have NRP-SSGs installed in slots 1 and 2, you can set a preferred device between the two. To ensure that configuration is consistent between redundant NRP-SSGs, you can configure automatic synchronization between the two. You can also manually force the primary and secondary devices in a redundant pair to switch roles. See the Cisco 6400 UAC Software Configuration Guide for more information on EHSA redundancy.
The NRP-SSG works in conjunction with the Cisco SSD. The Cisco SSD is a specialized web server, populated by the service provider, that lists all of the potential networks (or services) a particular customer can access. Customers select and deselect services from a menu through an HTML browser.
For related information on this feature, refer to the following documents:
This feature is supported on these platforms:
If you want to perform Layer 3 service selection, you must install and configure the Cisco Service Selection Dashboard as described in the Cisco Service Selection Dashboard User Guide.
Perform the following tasks to configure the NRP-SSG.
The following tasks are optional:
You must set up user and service RADIUS profiles on the AAA server as described in this section. Service profiles can also be defined locally using the local-profile command.You can optionally set up pseudo-service profiles also as described in this section.
This section describes RADIUS attributes that can be used to define specific AAA elements in NRP-SSG user profiles, service profiles, and specialized pseudo-service profiles.
For detailed information on the syntax of these attributes, see "NRP-SSG Vendor-Specific Attributes".
RADIUS user profiles contain a password, a list of subscribed services and/or groups, and access control lists.
This section specifies Cisco AVPair attributes that appear within user profiles.
Table 1 Cisco AVPair Attributes
This section specifies standard and vendor-specific RADIUS attributes that can be used in NRP-SSG user profiles.
Table 2 User Profile Attributes
Service profiles include the password, service type (outbound), type of service (passthrough or proxy), the service access mode (sequential or concurrent), the DNS server IP address, networks that exist in the service domain, access control lists, and other optional attributes.
This section specifies Cisco AVPair attributes that appear within service profiles.
Table 3 Cisco AVPair Attributes
This section specifies standard RADIUS attributes that can be used in NRP-SSG service profiles.
Table 4 Standard Service Profile Attributes
This section specifies VSAs that appear within service profiles.
Table 5 NRP-SSG Service Profile Attributes
| Attribute | Usage |
|---|---|
(Optional) Indicates whether the service is proxy (requiring remote authentication) or passthrough (does not require authentication). The default is passthrough. |
|
(Optional) Specifies whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential). The default is concurrent. |
|
(Optional) Specifies the primary and/or secondary DNS servers for this service. |
|
(Required) Specifies networks that exist for the service. There can be multiple instances of this attribute within a single user profile. |
|
(Required for proxy services) Specifies the remote RADIUS server that the NRP-SSG will use to authenticate and authorize a service log on for a proxy service type. |
|
(Optional) Specifies the next hop key for this service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see "Next Hop Gateway Pseudo-Service Profile". |
|
(Optional) Specifies domain names that get DNS resolution from the DNS server(s) specified in DNS Server Address. |
|
(Optional) Provides a description of the service that is displayed to the user. |
Service group profiles contain a list of services and/or service groups and can be used to create directory structures for locating and logging on to services. When a user is subscribed to a service group, the user automatically is subscribed to all services and groups within that service group. A service group profile includes the password and the service type (outbound) as check attributes and a list of services and/or a list of service groups as reply attributes.
This section specifies vendor-specific attributes that can be used in NRP-SSG service group profiles.
Table 6 Service Group Profile Attributes
This section describes pseudo-service profiles. Pseudo-service profiles are used to define variable length tables or lists of information in the form of services. There are currently two types of pseudo-service profiles: Transparent Passthrough Filter and Next Hop Gateway. The following sections describe both types.
Transparent passthrough is designed to allow unauthenticated traffic (users or network devices that have not logged in to the NRP-SSG through the Cisco SSD) to be routed through normal IOS processing.
Table 7 Transparent Passthrough Filter Pseudo-Service Profile Attributes
The Transparent Passthrough Filter pseudo-service profile allows or denies access to IP addresses and ports accessed through the transparent passthrough feature.
To define what traffic can pass through, the NRP-SSG downloads the Transparent Passthrough Filter pseudo-service profile. This profile contains a list of access control list (ACL) attributes. Each item contains an IP address or range of IP addresses, a list of port numbers, and specifies whether traffic is allowed or denied.
To create a filter for transparent passthrough, create a profile that contains ACL attributes that define what can and cannot be accessed.
You can also create ACLs locally. For more information, see the ssg pass-through command in the Command Reference section.
Because multiple NRP-SSGs might access services from different networks, each service profile specifies a next hop key, which is any string identifier, rather than an actual IP address. For each NRP-SSG to determine the IP address of the next hop, each NRP-SSG downloads its own next hop gateway table that associates keys with IP addresses.
Table 8 Next Hop Gateway Pseudo-Service Profile Attributes
To create a next hop gateway table, create a profile and give it any name. Use the Next Hop Gateway Entry attribute to associate service keys with their IP addresses. When you have finished, repeat this for each NRP-SSG if the next hop IP addresses are different. For an example next hop gateway pseudo-service profile, see "Sample Pseudo-Service Profiles".
For more information, see the ssg next-hop command in the Command Reference section.
The NRP-SSG uses vendor-specific RADIUS attributes. If using the NRP-SSG with Cisco User Control Point (UCP) software, specify settings that allow processing of the NRP-SSG attributes while configuring the CiscoSecure Access Control Server (ACS) component. If using another AAA server, you must customize that server's RADIUS dictionary to incorporate the NRP-SSG vendor-specific attributes.
Table 9 lists vendor-specific attributes used by the NRP-SSG. By sending an Access-Request packet with the vendor-specific attributes shown in the table, the Cisco Service Selection Dashboard (SSD) can send requests to the NRP-SSG to log on and log off an account and disconnect and connect services. The vendor ID for all of the Cisco-specific attributes is 9.
Table 9 Vendor-Specific RADIUS Attributes for the NRP-SSG
| AttrID | VendorID | SubAttrID | SubAttrName | SubAttrDataType |
|---|---|---|---|---|
The following sections describe the format of each subattribute.
The Cisco-AVpair attributes are used in user and service profiles. The Cisco-AVpair attributes are used to configure ACLs.
This attribute specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.
Note There can be multiple instances of this attribute within profiles. Use one attribute for each access control list statement. Multiple attributes can be used for the same ACL. Multiple attributes will be downloaded according to the number specified and executed in that order.
This attribute specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.
Note There can be multiple instances of this attribute within profiles. Use one attribute for each access control list statement. Multiple attributes can be used for the same ACL. Multiple attributes will be downloaded according to the number specified and executed in that order.
The Account-Info attributes are used in user profiles and service group profiles.
User profiles define the password and services and/or groups to which the user is subscribed.
Service group profiles contain a list of services and/or service groups and can be used to create sophisticated directory structures for locating and logging on to services. When a user is subscribed to a service group, the user is automatically subscribed to all services and groups within that service group. A service group profile includes the name of the service group, the password, the service type (outbound), a list of services and/or a list of other service groups.
In user profiles, this attribute subscribes the user to the specified service. In service group profiles, this attribute lists services that belong to the service group.
Note There can be multiple instances of this attribute within a user or service profile. Use one attribute for each service.
In user profiles, this attribute subscribes a user to a service group. In service group profiles, this attribute lists the service groups that belong to this service group.
Note There can be multiple instances of this attribute within a user or service group profile. Use one attribute for each service group.
This attribute subscribes the user to a service and automatically logs the user on to the service when the user accesses the Cisco SSD. Each user profile can have more than one auto service attribute.
Username used to access the service. Required for proxy services. |
|
Password used to access the service. Required for proxy services. |
This attribute provides a description of the service group to the Cisco SSD. If this attribute is omitted, the service group profile name is used.
The Service-Info attributes are used to define a service. The following attributes define the parameters for a service.
This attribute describes the service. This attribute is optional.
This attribute indicates whether the service is proxy or passthrough. This attribute is optional.
This attribute defines whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential). The default is concurrent. This attribute is optional.
This attribute specifies the primary and secondary DNS servers for this service. If two servers are specified, the NRP-SSG can send DNS requests to the primary DNS server until performance is diminished or it fails (failover). This attribute is optional.
This attribute specifies networks available to the user for this service. This attribute is required.
Use the Service Route attribute to specify networks that exist for a service. For more information, see "Service Access Order".
This attribute specifies the remote RADIUS server that the NRP-SSG will use to authenticate, authorize, and perform accounting for a service log on for a proxy service type. This attribute is only used in proxy service profiles. This attribute is required for proxy service profiles.
UDP port number for authentication and authorization requests. |
|
This attribute specifies the next hop key for this service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see "Next Hop Gateway Table Entry". This attribute is optional.
This attribute specifies domain names that get DNS resolution from the DNS server(s) specified in DNS server address. This attribute is optional.
(Optional) Additional domain name(s) that gets DNS resolution from this server. |
Use the DNS Resolution attribute to specify domain names that get DNS resolution from this DNS server. For more information, see "Service Access Order".
This attribute indicates the username provided by the Cisco SSD user to log on to the service and for authentication with the home gateway.
This attribute defines the name of the service.
The Control-Info attributes are used to define lists or tables of information.
Because multiple NRP-SSGs might access services from different networks, each service profile specifies a next hop key rather than an actual IP address. For each NRP-SSG to determine the IP address of the next hop, each NRP-SSG downloads its own next hop gateway table that associates keys with IP addresses. For information on defining next hop keys, see "Service Next Hop Gateway".
Note This attribute is only used in Next Hop Gateway pseudo-service profiles and should not appear in service profiles or user profiles.
Service name or key specified in the Service Next Hop Gateway service profile. |
|
Use this attribute to create a next hop gateway table for the selected NRP-SSG.
To define the IP address of the next hop for each service, the NRP-SSG downloads a special service profile that associates the next hop gateway key for each service with an IP address.
To create a next hop gateway table, create a service profile and give it any name. Use this attribute to associate service keys with their IP addresses. When you have finished, repeat this for each NRP-SSG.
For more information, see the ssg next-hop command in the Command Reference section.
Current RADIUS standards only support the counting of up to 32 bits of information with the ACCT-Output-Octets attribute. Standards such as ADSL have much higher throughput.
In order for the accounting server to keep track of and bill for this usage, the NRP-SSG uses the Octets attribute.
The Octets Output attribute keeps track of how many times the 32-bit integer rolled over and the value of the integer when it overflowed for outbound data.
Value in the 32-bit integer when the stop record was generated and the service or user was logged out. |
Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:
In the following example, the rollover is 2 and the value is 153 (2 * 232 + 153 = 8589934745):
Current RADIUS standards only support the counting of up to 32 bits of information with the ACCT-Input-Octets attribute. Standards such as ADSL have much higher throughput.
In order for the accounting server to keep track of and bill for this usage, the NRP-SSG uses the Octets attribute.
The Octets Input attribute keeps track of how many times the 32-bit integer rolled over and the value of the integer when it overflowed for inbound data.
Value in the 32-bit integer when the stop record was generated and the service or user was logged out. |
Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:
In the following example, the rollover is 3 and the value is 151 (3 * 232 + 151 = 12884902039):
This section provides samples of user profiles and service profiles used with the
NRP-SSG.
The following is an example of a user profile. The profile is formatted for use with a freeware RADIUS server:
The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:
The following is an example of a service group profile. The profile is formatted for use with a freeware RADIUS server:
The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:
The following is an example of a service profile. The profile is formatted for use with a freeware RADIUS server:
The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:
The following is an example of the Transparent Passthrough Filter pseudo-service profile. The profile is formatted for use with a freeware RADIUS server:
The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:
The following is an example of the Next Hop Gateway pseudo-service profile. The profile is formatted for use with a freeware RADIUS server:
The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:
This section describes events that generate RADIUS accounting records and the attributes associated with the accounting records sent from the NRP-SSG to the accounting server.
When a user logs on, the NRP-SSG sends a RADIUS accounting-request on behalf of the user to the accounting server. The attributes associated with this record are:
Accounting record queuing information (has no effect on account billing). |
When a user logs off, the NRP-SSG sends a RADIUS accounting-request on behalf of the user to the accounting server. The attributes associated with this record are:
When a user accesses a service, the NRP-SSG sends a RADIUS accounting-request to the accounting server. The attributes associated with this record are:
The username used to authenticate the user with the remote RADIUS server. This attribute is used for proxy services. |
|
Accounting record queuing information (has no effect on account billing). |
When a user terminates a service, the NRP-SSG sends a RADIUS accounting-request to the accounting server. The attributes associated with this record are:
The username used to authenticate the user with the remote RADIUS server. This attribute is used for proxy services. |
|
Accounting record queuing information (has no effect on account billing). |
Use the show running-config command to verify that security has been configured correctly.
Configure the first IP address or subnet that users will be able to access without authentication. This is the address where the Cisco SSD resides.
Use the show running-config command to verify that the default network has been configured correctly.
If you are going to use PPP to connect subscribers to the NRP-SSG, you do not have to configure any downlink interfaces. If you are using non-PPP connections, such as bridging or LAN, you must configure at least one downlink interface.
Configure all interfaces that will be connected to services as uplink interfaces.
Use the show ssg direction command to verify that interfaces have been configured correctly.
Every service must be bound to an uplink interface.
Use the show ssg service command to verify that services have been bound to interfaces correctly. Use the show running-config command to verify that the service search order and maximum services have been configured correctly. Use the show ssg next-hop command to verify all mappings between services and IP addresses.
This task is required if you want to use Layer 2 service selection; otherwise, it is optional. You can configure local service profiles in addition to the service profiles on the remote RADIUS server.
Use the show running-config command to verify that local service profiles have been configured correctly.
This task is optional, and only supported in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC. Enable or disable transparent passthrough by using the appropriate command:
Use the show running-config command to verify that transparent passthrough has been enabled. Use the show ssg pass-through-filter command to verify that the filter for transparent passthrough has been configured correctly.
This task is optional. Perform the following tasks on the NSP:
This task is optional. Perform the following tasks on the NRP:
| Step | Command | Purpose |
|---|---|---|
| 1. | ||
| 2. | ||
| 3. | Synchronizes the configuration (startup configuration, boot variables, configuration register, or all three configurations) between redundant NSPs. |
|
| 4. |
Use the show redundancy command to verify that redundancy has been configured correctly.
This task is optional. Fastswitching is enabled by default.
| Command | Purpose |
|---|---|
Use the show running-config command to verify that fastswitching has been enabled. Because fastswitching is enabled by default, it will not be displayed in the running configuration. If fastswitching has been disabled, the following line will appear in the output of the show running-config command:
This task is optional. Multicast is disabled by default.
Use the show running-config command to verify that multicast has been enabled. If multicast is disabled, which is the default, it will not be displayed in the running configuration. If multicast is enabled, the following line will appear in the output of the show running-config command:
You can perform the following verification tasks after completing all configuration tasks described above.
To verify that the NRP-SSG, Cisco SSD, and RADIUS server have been configured to work together correctly:
To verify that transparent passthrough has been configured correctly:
To verify that redundancy has been configured correctly:
| Command | Purpose |
|---|---|
Removes the downloaded filter for transparent passthrough. To remove the filter from NVRAM, use the no form of the ssg pass-through command. |
|
Displays the information about a subscriber and the current connections of the subscriber. |
|
Displays the direction of all interfaces for which a direction has been specified. |
|
Removes the next-hop table. To remove the next-hop table from NVRAM, use the no form of the ssg next-hop command. |
|
Displays service names that have been bound to interfaces and the interfaces to which they have been bound. |
|
The configuration examples in this section support the network topology shown in Figure 2.
The following is an example service profile as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX and UCP.
The following is an example next-hop table as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX and UCP.
The following is an example transparent passthrough filter as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX and UCP.
There will be nothing in the running configuration for fastswitching when it is enabled.
This section documents new commands associated with the NRP-SSG. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.
To configure an attribute in a local RADIUS service profile, use the attr profile configuration command. Use the no form of this command to delete an attribute from a service profile.
No default behavior or values.
| Release | Modification |
|---|---|
Use this command to configure attributes in local RADIUS service profiles.
The following example configures the Cisco-Avpair upstream access control list attribute in the RADIUS profile, cisco.com:
The following example deletes the Session-Timeout attribute in the RADIUS profile, cisco.com:
| Command | Description |
|---|---|
Configures a local RADIUS service profile and enters profile configuration mode. |
To remove the connections of a given host and a service name, use the clear ssg connection privileged EXEC command.
No default behavior or values.
| Release | Modification |
|---|---|
Use this command to remove the connections for a given host and service name.
The following example removes the service connection for Perftest to host 192.168.1.1:
| Command | Description |
|---|---|
Displays the connections of a given host and a service name. |
To remove or disable a given host or subscriber, use the clear ssg host privileged EXEC command.
No default behavior or values.
| Release | Modification |
|---|---|
Use this command to remove a host's connection from the NRP-SSG.
The following example removes the connection for host 192.168.1.1:
| Command | Description |
|---|---|
Displays the information about a subscriber and current connections of the subscriber. |
To remove the next-hop table, use the clear ssg next-hop privileged EXEC command.
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
If you use this command to clear the next-hop table, nothing will be displayed when you use the show ssg next-hop command. However, the next-hop table will still appear in the running configuration. To remove the next-hop table from the running configuration, use the no form of the ssg next-hop command.
The following example removes the next-hop table:
| Command | Description |
|---|---|
To remove the downloaded filter for transparent passthrough, use the clear ssg pass-through-filter privileged EXEC command.
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
Removing the filter allows unauthenticated traffic to pass through the NRP-SSG in either direction without modification. If you use this command to clear the downloaded transparent passthrough filter, nothing will be displayed when you use the show ssg pass-through-filter command. However, the transparent passthrough filter will still appear in the running configuration. To remove the transparent passthrough filter from the running configuration, use the no form of the ssg pass-through command.
The following example removes the downloaded transparent passthrough filter:
| Command | Description |
|---|---|
To remove a service, use the clear ssg service privileged EXEC command.
No default behavior or values.
| Release | Modification |
|---|---|
Use this command to remove services.
The following example removes the Perftest service:
| Command | Description |
|---|---|
Displays service names that have been bound to interfaces and the interfaces to which they have been bound. |
|
To configure a local RADIUS service profile and enter profile configuration mode, use the local-profile global configuration command. Use the no form of this command to delete the local service profile.
No default behavior or values.
| Release | Modification |
|---|---|
Use this command to configure local RADIUS service profiles.
The following example configures the RADIUS profile called cisco.com, and enters profile configuration mode:
| Command | Description |
|---|---|
Specifies the order in which NRP-SSG searches for a service profile. |
To display service names that have been bound to interfaces and the IP addresses to which they have been bound, use the show ssg binding privileged EXEC command.
(Optional) Word or phrase used to determine what lines will be shown. |
No default behavior or values.
| Release | Modification |
|---|---|
Use this command to display services and the interfaces to which they have been bound.
The following example displays all service names that have been bound to interfaces:
| Command | Description |
|---|---|
To display the connections of a given host and a service name, use the show ssg connection privileged EXEC command.
IP address of an active SSG connection. This is always a subscribed host. |
|
(Optional) Word or phrase used to determine what lines will be shown. |
No default behavior or values.
| Release | Modification |
|---|---|
Use this command to display information about the connections for a given host and service name.
The following example shows the service connection for the Perftest service to host 192.168.1.1:
| Command | Description |
|---|---|
To display the direction of all interfaces for which a direction has been specified, use the show ssg direction privileged EXEC command.
(Optional) Word or phrase used to determine what lines will be shown. |
No default behavior or values.
| Release | Modification |
|---|---|
Use this command to display all interfaces that have been specified as uplinks or downlinks.
The following example displays the direction of all interfaces that have been specified as uplinks or downlinks.
| Command | Description |
|---|---|
To display the information about a subscriber and current connections of the subscriber, use the show ssg host privileged EXEC command.
(Optional) Display the usernames logged into the active hosts. |
|
(Optional) Word or phrase used to determine what lines will be shown. |
If no arguments are provided, all current connections are displayed.
| Release | Modification |
|---|---|
Use this command to display information about host objects.
The following example displays all active hosts:
The following example displays all active hosts whose IP addresses begin with 172.16.6:
The following example displays the usernames logged in to the active hosts:
The following example displays information about host 172.16.6.112:
| Command | Description |
|---|---|
To display the next-hop table, use the show ssg next-hop privileged EXEC command.
(Optional) Word or phrase used to determine what lines will be shown. |
No default behavior or values.
| Release | Modification |
|---|---|
Use this command to display all next-hop IP addresses.
The following example displays the next-hop table:
| Command | Description |
|---|---|
To display the downloaded filter for transparent passthrough, use the show ssg pass-through-filter privileged EXEC command.
(Optional) Word or phrase used to determine what lines will be shown. |
No default behavior or values.
| Release | Modification |
|---|---|
Use this command to display the downloaded transparent passthrough filter. The filter prevents passthrough traffic from accessing the specified IP address and subnet mask combinations. The filter is set using the ssg pass-through command.
To display a filter defined on the command line, use the show running-config command.
The following example displays the passthrough filter:
| Command | Description |
|---|---|
To display the information for a service, use the show ssg service privileged EXEC command.
(Optional) Word or phrase used to determine what lines will be shown. |
If no service name is provided, the command displays information for all services.
| Release | Modification |
|---|---|
Use this command to display connection information for a service.
The following example displays the information for the service called isp-name.com:
| Command | Description |
|---|---|
Displays service names that have been bound to interfaces and the interfaces to which they have been bound. |
|
To specify an interface as a downlink or uplink interface, use the ssg bind direction global configuration command. Use the no form of this command to disable the directional specification for the interface.
All interfaces are configured as uplink interfaces by default.
| Release | Modification |
|---|---|
Use this command to specify an interface as downlink or uplink. An uplink interface is an interface to services; a downlink interface is an interface to subscribers.
The following example specifies an ATM interface as a downlink interface:
| Command | Description |
|---|---|
Displays service names that have been bound to interfaces and the interfaces to which they have been bound. |
To specify the interface for a service, use the ssg bind service global configuration command. Use the no form of this command to unbind the service and the interface.
No default behavior or values.
| Release | Modification |
|---|---|
Use this command to bind a service to an interface.
The following example specifies the interface for the service defined as MyService:
| Command | Description |
|---|---|
Displays service names that have been bound to interfaces and the interfaces to which they have been bound. |
|
To specify the default network IP address or subnet and mask, use the ssg default-network global configuration command. Use the no form of this command to disable the default network IP address and mask.
No default behavior or values.
| Release | Modification |
|---|---|
Use this command to specify the first IP address or subnet that users will be able to access without authentication. This is the address where the Cisco SSD resides. After users enter the URL for the Cisco SSD, they will be prompted for a username and password. A mask provided with the IP address specifies the range of IP addresses that users will be able to access without authentication.
The following example specifies a default network IP address, 192.168.1.2., and mask 255.255.255.255.
To enable fastswitching, use the ssg fastswitch global configuration command. Use the no form of this command to disable fastswitching.
This command has no arguments or keywords.
Fastswitching is enabled by default.
| Release | Modification |
|---|---|
Fastswitching must be enabled for the NRP-SSG to function.
The following example disables fastswitching:
To set the maximum number of services per user, use the ssg maxservice global configuration command. Use the no form of the command to remove the maximum number of services per user from the running configuration and return it to the default.
Maximum number of services per user. The minimum value is 0; the maximum is 20. |
The default maximum number of services per user is 20.
| Release | Modification |
|---|---|
Use this command to limit the number of services to which a user can be logged on simultaneously.
The following example sets the maximum number of services per user to 10.
To enable the NRP-SSG's handling of multicast, use the ssg multicast global configuration command. Use the no form of this command to disable multicast.
This command has no arguments or keywords.
The NRP-SSG's handling of multicast is disabled by default.
| Release | Modification |
|---|---|
When multicast is enabled, the NRP-SSG will forward multicast packets, which include normal multicast packets and IGMP packets, received on an uplink or downlink interface that has had a service bound to it to the IOS routing engine.
The following example enables multicast:
To download the next-hop table from a RADIUS server, use the ssg next-hop global configuration command. Use the no form of this command to remove the command from the configuration.
If no profile name and password are provided, the previous profile specified with this command is downloaded. If no previous profile was specified, an error is generated.
| Release | Modification |
|---|---|
When this command is used, an entry is made in the running configuration. When the configuration is reloaded, the next-hop table is automatically downloaded. If the no form of this command is used to remove it from the running configuration, a next-hop table will not be automatically downloaded when the configuration is reloaded.
The following example downloads the next-hop table called MyProfile from a RADIUS server:
| Command | Description |
|---|---|
To enable transparent passthrough, use the ssg pass-through global configuration command. Use the no form of this command to disable transparent passthrough.
(Optional) Load a service profile and use its filter(s) as default filter(s). |
|
Transparent passthrough is disabled by default.
| Release | Modification |
|---|---|
Use this command to enable transparent passthrough, if you want to allow unauthenticated traffic to pass through the NRP-SSG in either direction without modification. If you want all traffic to be authenticated by the NRP-SSG, use this command to disable transparent passthrough. You can use the filter option to prevent passthrough traffic from accessing the specified IP address and subnet mask combinations.
Use the no form of this command to remove a transparent passthrough filter that was configured at the command line. This will also remove it from the running configuration.
The following example downloads a transparent passthrough filter from the filter01 service profile:
| Command | Description |
|---|---|
To enable communications with the Cisco Service Selection Dashboard (SSD) and specify port numbers and secret keys for receiving packets, use the ssg radius-helper global configuration command. Use the no form of this command to disable communications with the Cisco SSD.
The default port number for acct-port is 1646.
The default port number for auth-port is 1645.
| Release | Modification |
|---|---|
You must use this command to specify a key so that the NRP-SSG can communicate with the Cisco SSD.
The following example enables communication with the Cisco SSD:
To specify the password for downloading a service profile, use the ssg service-password global configuration command. Use the no form of this command to disable the password.
No default behavior or values.
| Release | Modification |
|---|---|
This command sets the password required to authenticate with the AAA server and download a service profile.
The following example sets the password for downloading a service profile:
To specify the order in which NRP-SSG searches for a service profile, use the ssg service-search-order global configuration command. Use the no form of this command to disable the search order.
Search for service profiles in local Flash memory, then on a RADIUS server. |
|
Search for service profiles on a RADIUS server, then in local Flash memory. |
The default search order is remote, that is, the NRP-SSG searches for service profiles on the RADIUS server.
| Release | Modification |
|---|---|
The NRP-SSG can search for service profiles in local Flash memory, on a remote RADIUS server, or both. The possible search orders are:
The following example sets the search order to local remote, so that NRP-SSG will always look for service in Flash memory first, then on the RADIUS server:
| Command | Description |
|---|---|
This section documents new debug commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command references.
To display all error messages for control modules, use the debug ssg ctrl-errors privileged EXEC command. Use the no form of this command to disable debugging output.
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
This command displays error messages for the control modules, which includes all modules that manage the user authentication and service log on and log off (RADIUS, PPP, Subblock, and Accounting). An error message is the result of an error detected during normal execution.
The following output is generated by the debug ssg ctrl-errors command when a host logs on and logs off from a service:
| Command | Description |
|---|---|
To display all event messages for control modules, use the debug ssg ctrl-events privileged EXEC command. Use the no form of this command to disable debugging output.
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
This command displays event messages for the control modules, which includes all modules that manage the user authentication and service log on and log off (RADIUS, PPP, Subblock, and Accounting). An event message is an informational message generated during normal execution.
The following output is generated by the debug ssg ctrl-events command when a host logs on to a service:
| Command | Description |
|---|---|
To display packet contents handled by control modules, use the debug ssg ctrl-packets privileged EXEC command. Use the no form of this command to disable debugging output.
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
This command displays packet messages for the control modules, which includes all modules that manage the user authentication and service log on and log off (RADIUS, PPP, Subblock, and Accounting). A packet message displays the contents of a package.
The following output is generated by the debug ssg ctl-packets command when a host logs off from a service:
| Command | Description |
|---|---|
To display all data path packets, use the debug ssg data privileged EXEC command. Use the no form of this command to disable debugging output.
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
This command displays packets for the data modules, which includes all modules that forward data packets (DHCP, DNS, tunneling, fastswitch, IP stream, and multicast).
The following output is generated by the debug ssg data command when a host logs on and logs off from a service:
| Command | Description |
|---|---|
To display all data path packets for NAT processing, use the debug ssg data-nat privileged EXEC command. Use the no form of this command to disable debugging output.
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
This command displays packets for the data modules, which includes all modules that forward NAT data packets.
The following output is generated by the debug ssg data-nat command when a host logs on and logs off from a service:
| Command | Description |
|---|---|
To display all error messages for the system modules, use the debug ssg errors privileged EXEC command. Use the no form of this command to disable debugging output.
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
This command displays error messages for the system modules, which include the basic IOS and other support modules (such as Object Model, Timeout, and Initialization). An error message is the result of an error detected during normal execution.
The following output is generated by the debug ssg errors command when a PPPoE client logs on with an incorrect password:
| Command | Description |
|---|---|
To display event messages for system modules, use the debug ssg events privileged EXEC command. Use the no form of this command to disable debugging output.
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
This command displays event messages for the system modules, which include the basic IOS modules and other support modules (such as Object Model, Timeout, and Initialization). An event message is an informational message during normal execution.
The following output is generated by the debug ssg events command when a PPPoE client logs in with the username "username" and the password "cisco:"
| Command | Description |
|---|---|
AAA—Authentication, authorization, and accounting (pronounced "triple a").
DHCP—Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.
NRP—Node Route Processor. Cisco IOS software routing engine derived from the Cisco 7200 series technology. These router blades are part of the Cisco 6400 universal access concentrator. They enable the service provider to offer scalable Layer 3 services.
PPP—Point-to-Point Protocol. Successor to SLIP that provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. Whereas SLIP was designed to work with IP, PPP was designed to work with several network layer protocols, such as IP, IPX, and ARA. PPP also has built-in security mechanisms, such as CHAP and PAP. PPP relies on two protocols: LCP and NCP.
PTA—PPP termination aggregation. A method of aggregating IP traffic by terminating PPP sessions and aggregating the IP traffic into a single routing domain.
PTA-MD—PTA Multi-Domain. A method of aggregating IP traffic by terminating PPP sessions and aggregating the IP traffic into a VPN or multiple IP routing domains.
RADIUS—Remote Access Dial-In User Service. Database for authenticating modem and ISDN connections and for tracking connection time.
SNMP—Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP networks. SNMP provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.
SSD—The Service Selection Dashboard server is a customizable Web-based application that works with the Cisco SSG to allow end customers to log on to and disconnect from proxy and passthrough services through a standard Web browser. After the customer logs in to the service provider's network, an HTML Dashboard is populated with the services authorized for that user.
SSG—Service Selection Gateway. The Cisco SSG offers service providers a means for menu-based service selection. End users can select services from the Dashboard menu, and the Cisco SSG will set up and tear down proxy and passthrough network connections based on a user's selection. The Cisco SSG will account for the services selected so that service providers can bill for individual services.
TACACS+—Terminal Access Controller Access Control System Plus. Proprietary Cisco enhancement to Terminal Access Controller Access Control System (TACACS). Provides additional support for authentication, authorization, and accounting. TACACS is an authentication protocol, developed by the Defense Data Network (DDN) community, that provides remote access authentication and related services, such as event logging. User passwords are administered in a central database rather than in individual routers, providing an easily scalable network security solution.
UAC—Universal Access Concentrator. The Cisco 6400 UAC is a broadband concentrator that supports Cisco Systems' end-to-end ATM transmission services, PPP termination services, and tunneling services. The Cisco 6400 UAC is a new system consisting of an Asynchronous Transfer Mode (ATM) switching core and redundant routing engines.
UCP—User Control Point. Cisco UCP is a carrier-class service policy administration system that enables personalized IP services. Cisco UCP's distributed, fault-tolerant architecture integrates authentication, authorization, and accounting (AAA); roaming; and address management services into a service provider's operations support systems.
Posted: Fri Jan 17 02:02:14 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
