cc/td/doc/product/software/ios120/120newft/120limit/120dc
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Node Route Processor—Service Selection Gateway
 Feature Overview
 Benefits
 Related Features and Technologies
 Related Documents
 Supported Platforms
 New Supported Standards, MIBs, and RFCs
 Prerequisites
 Configuration Tasks
 Configuring RADIUS Profiles
 Configuring Security

 Verifying Security
 Configuring a Default Network
 Verifying the Default Network
 Configuring Interfaces
 Verifying Interfaces
 Configuring Services
 Verifying Services
 Configuring Local Service Profiles
 Verifying Local Service Profiles
 Configuring Transparent Passthrough
 Verifying Transparent Passthrough
 Configuring Redundancy
 Verifying Redundancy
 Configuring Fastswitching
 Verifying Fastswitching
 Configuring Multicast
 Verifying Multicast
 Verifying NRP-SSG Configuration
 Monitoring and Maintaining the NRP-SSG
 Configuration Examples
 Security
 Default Network
 Interfaces
 Services
 Service Search Order
 Next-Hop Table
 Max Services
 Local Service Profile
 Transparent Passthrough Filter
 Redundancy
 Fastswitching
 Multicast
 Command Reference
 attr
 clear ssg connection
 clear ssg host
 clear ssg next-hop
 clear ssg pass-through-filter
 clear ssg service
 local-profile
 show ssg binding
 show ssg connection
 show ssg direction
 show ssg host
 show ssg next-hop
 show ssg pass-through-filter
 show ssg service
 ssg bind direction
 ssg bind service
 ssg default-network
 ssg fastswitch
 ssg maxservice
 ssg multicast
 ssg next-hop
 ssg pass-through
 ssg radius-helper
 ssg service-password
 ssg service-search-order
 Debug Commands
 debug ssg ctrl-errors
 debug ssg ctrl-events
 debug ssg ctrl-packets
 debug ssg data
 debug ssg data-nat
 debug ssg errors
 debug ssg events
 Glossary

Node Route Processor—Service Selection Gateway

This feature module describes the Node Route Processor-Service Selection Gateway (NRP-SSG) feature. It includes information on the benefits of the new feature, supported platforms, related documents, and so forth.

This document includes the following sections:

Feature Overview

The NRP-SSG is a feature of Cisco IOS Release 12.0(3)DC. It is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using high-speed data circuit equipment (DCE) such as Asymmetric Digital Subscriber Line (ADSL) to allow simultaneous access to network services. The NRP-SSG with Web Selection works in conjunction with the Cisco Service Selection Dashboard (SSD). The Cisco SSD is a customizable web-based application that allows users to select from multiple passthrough and proxy services through a standard web browser.

Figure 1 shows a diagram of a typical network topology including the NRP-SSG. This is an end-to-end, service-oriented DSL deployment consisting of Digital Subscriber Line Access Multiplexers (DSLAMs), ADSL modems, and other internetworking components and servers. The NRP-SSG resides in the Cisco 6400 universal access concentrator, which acts as a central control point for Layer 2 and Layer 3 services. This can include services available through Asynchronous Transfer Mode (ATM) virtual circuits (VCs), virtual private dial-up networks (VPDNs), or normal routing methods.


Figure 1   NRP-SSG Connection Between ADSL Equipment and Network Services

The NRP-SSG communicates with the authentication, authorization, and accounting (AAA) management network where Remote Access Dial-In User Service (RADIUS), Dynamic Host Configuration Protocol (DHCP), and Simple Network Management Protocol (SNMP) servers reside and with the Internet service provider (ISP) network, which may connect to the Internet, corporate networks, and value-added services.

A licensed version of the NRP-SSG works with the Cisco SSD to present to subscribers a menu of network services that can be selected from a single graphical user interface (GUI). This improves flexibility and convenience for subscribers, and enables service providers to bill subscribers based on connect time and services used, rather than charging a flat rate.

The user opens an HTML browser and accesses the URL of the Cisco SSD, a web server application. The Cisco SSD forwards user login information to the NRP-SSG, which forwards the information to the AAA server.

Based on the contents of the Access-Accept response, the Cisco SSD presents a dashboard menu of services that the user is authorized to use, and the user selects one or more of the services. The NRP-SSG then creates an appropriate connection for the user and starts RADIUS accounting for the connection.

Note that when a non-Point-to-Point Protocol (non-PPP) user, such as in a bridged networking environment, disconnects from a service without logging off, the connection remains open and the user will be able to reaccess the service without going through the logon procedure. This is because no direct connection (PPP) exists between the subscribers and the NRP-SSG. To prevent non-PPP users from being logged on to services indefinitely, be sure to configure the Session-Timeout and/or Idle-Timeout RADIUS attributes.

Note that the Cisco SSD functionality discussed throughout this document is available only with the NRP-SSG with Web Selection product.

Benefits

Web-Based Dashboard

The NRP-SSG with Web Selection works in conjunction with the Cisco SSD. The Cisco SSD is a specialized web server that allows users to log on to and disconnect from multiple passthrough and proxy services through a standard web browser.

After the user opens a web browser, the NRP-SSG allows access to a single IP address or subnet, referred to as the "default network." This is typically the IP address of the Cisco SSD. The Cisco SSD prompts the user for a username and password. After the user is authenticated, the Cisco SSD presents a list of available services.

RADIUS Authentication and Accounting

The NRP-SSG is designed to work with RADIUS-based AAA servers that accept vendor-specific attributes (VSAs).

Multiple Traffic-Type Support

The NRP-SSG supports the following types of services:

The NRP-SSG can forward traffic through any interface via normal routing or a next hop table. Because Network Address Translation (NAT) is not performed for this type of traffic, overhead is reduced. Passthrough service is ideal for standard Internet access.

When a subscriber requests access to a proxy service, the NRP-SSG will proxy the Access-Request to the remote AAA server. Upon receiving an Access-Accept from the remote RADIUS server, the NRP-SSG responds to the subscriber with the Access-Accept. To the remote AAA server, the NRP-SSG appears as a client.

During remote authentication, if the RADIUS server assigns an IP address to the subscriber, the NRP-SSG performs NAT between the assigned IP address and the subscriber's real IP address. If the remote RADIUS server does not assign an IP address, NAT is not performed.

When a user selects a proxy service, there is another username and password prompt. After authentication, the service is accessible until the user logs out from the service, logs out from the Cisco SSD, or is timed out.

When enabled, transparent passthrough allows unauthenticated subscriber traffic to be routed through the NRP-SSG in either direction. Filters can be specified to control transparent passthrough traffic. Some of the applications for this feature include:

The NRP-SSG supports multicast traffic, which includes normal multicast packets and Internet Group Management Protocol (IGMP) packets.

In order for the NRP-SSG to forward multicast packets to the IOS routing engine, it must be configured as follows:

If multicast is not enabled, multicast packets received on the interface will be dropped.

PTA can only be used by PPP-type users. AAA is performed exactly as in the proxy service type. A subscriber logs on to a service using a PPP dialer application with a username of the form user@service. The NRP-SSG recognizes the @service as a service profile and loads the service profile from the local configuration or a AAA server. The NRP-SSG forwards the AAA request to the remote RADIUS server as specified by the service profile's RADIUS-Server Attribute. An address is assigned to the subscriber through RADIUS Attribute 8 or Cisco-AVpair "ip:addr-pool." NAT is not performed, and all user traffic is aggregated to the remote network. With PTA, users can only access one service. Users will not have access to the default network or the Cisco SSD.

While PTA terminates the PPP session into a single routing domain, PTA-MD terminates the PPP sessions into multiple IP routing domains, thus supporting a wholesale VPN model where each domain is isolated from the other by an ATM core and has the capability to support overlapping IP addresses.

Packet Filtering

The NRP-SSG uses IOS access control lists (ACLs) to prevent users, services, and passthrough traffic from accessing specific IP addresses and ports.

When an ACL attribute is added to a service profile, all users of that service are prevented from accessing the specified IP address, subnet mask, and port combinations through the service.

When an ACL attribute is added to a user profile, it will apply globally to all of the user's traffic.

Upstream and downstream attributes, including inacl and outacl attributes, can be added to a special pseudo-service profile that can be downloaded to the NRP-SSG from a RADIUS server. Additionally, locally configured ACLs can be used. After the ACLs have been defined, they are applied to all traffic passed by the transparent passthrough feature.

Service Access Order

When users are accessing multiple services, the NRP-SSG must determine the services for which the packets are destined. To do this, the NRP-SSG uses an algorithm to create a service access order list. This list is stored in the user's host object and contains services that are currently open and the order in which they are searched.

The algorithm that creates this list orders the open services based on the size of the network. Network size is determined by the subnet mask of the Service Route RADIUS attribute. A subnet that contains more hosts implies a larger network. In the case of networks that are the same size, the services will be listed in the order in which they were last accessed.

When creating service profiles, be sure to define as small a network as possible. If there is overlapping address space, packets might be forwarded to the wrong service.

Next Hop Gateway

The next hop gateway attribute is used to specify the next hop key for a service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address.

Note that this attribute overrides the IP routing table for packets destined to a service.

DNS Redirection

When the NRP-SSG receives a DNS request, it performs domain name matching using the Domain Name attribute from the service profiles of the currently logged in services.

If a match is found, the request is redirected to the DNS server for the matched service.

If a match is not found and the user is logged on to a service that has Internet connectivity, the request is redirected to the first service in the user's service access order list that has Internet connectivity. Internet connectivity is defined as a service containing a Service Route attribute of 0.0.0.0/0.

If a match is not found and the user is not logged on to a service that has Internet connectivity, the request is forwarded using the normal routing methods specified in the client's Transmission Control Protocol/Internet Protocol (TCP/IP) stack.

Fault Tolerance for DNS

The NRP-SSG can be configured to work with a single DNS server, or two servers in a fault-tolerant configuration. Based on an internal algorithm, DNS requests will be switched to the secondary server if the primary server begins to perform poorly or fails.

Session-Timeout and Idle-Timeout RADIUS Attributes

In a dial-up networking or bridged (non-PPP) network environment, a user might disconnect from the NAS and release the IP address without logging out from the NRP-SSG. If this happens, the NRP-SSG will continue to allow traffic to pass from that IP address and this might be a problem if the IP address is obtained by another user.

The NRP-SSG provides two mechanisms to prevent this problem:

The Session-Timeout and Idle-Timeout attributes can be used in either a user or service profile. In a user profile, the attribute applies to the user's session. In a service profile, the attribute individually applies to each service connection.

Concurrent or Sequential Service Access Mode

NRP-SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log on to this service while simultaneously connected to other services. Sequential access requires that the user log out of all other services before accessing a service configured for sequential access.

Concurrent access is recommended for most services. Sequential access is ideal for services for which security is important, such as corporate intranet access, or for which there is a possibility of overlapping address space.

Extended High System Availability

The NRP-SSG supports extended high system availability (EHSA) redundancy. You can configure this chassis redundancy at the slot level of the Cisco 6400 for adjacent slot or subslot pairs. For example, if you have NRP-SSGs installed in slots 1 and 2, you can set a preferred device between the two. To ensure that configuration is consistent between redundant NRP-SSGs, you can configure automatic synchronization between the two. You can also manually force the primary and secondary devices in a redundant pair to switch roles. See the Cisco 6400 UAC Software Configuration Guide for more information on EHSA redundancy.

Related Features and Technologies

The NRP-SSG works in conjunction with the Cisco SSD. The Cisco SSD is a specialized web server, populated by the service provider, that lists all of the potential networks (or services) a particular customer can access. Customers select and deselect services from a menu through an HTML browser.

Related Documents

For related information on this feature, refer to the following documents:

Supported Platforms

This feature is supported on these platforms:

New Supported Standards, MIBs, and RFCs

MIBs

None

RFCs

None

Standards

None

Prerequisites

Cisco Service Selection Dashboard

If you want to perform Layer 3 service selection, you must install and configure the Cisco Service Selection Dashboard as described in the Cisco Service Selection Dashboard User Guide.

Configuration Tasks

Perform the following tasks to configure the NRP-SSG.

The following tasks are optional:

Configuring RADIUS Profiles

You must set up user and service RADIUS profiles on the AAA server as described in this section. Service profiles can also be defined locally using the local-profile command.You can optionally set up pseudo-service profiles also as described in this section.

This section describes RADIUS attributes that can be used to define specific AAA elements in NRP-SSG user profiles, service profiles, and specialized pseudo-service profiles.

For detailed information on the syntax of these attributes, see "NRP-SSG Vendor-Specific Attributes".

User Profiles

RADIUS user profiles contain a password, a list of subscribed services and/or groups, and access control lists.

Cisco AVPair Attributes

This section specifies Cisco AVPair attributes that appear within user profiles.

Table 1   Cisco AVPair Attributes

Attribute Usage

Upstream Access Control List (inacl)

Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.

Downstream Access Control List (outacl)

Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.

User Profile Attributes

This section specifies standard and vendor-specific RADIUS attributes that can be used in NRP-SSG user profiles.

Table 2   User Profile Attributes

Attribute Usage

Password

Specifies the user's password (check attribute).

Session-Timeout

Specifies, in seconds, the maximum length of the user's session (reply attribute).

Idle-Timeout

Specifies, in seconds, the maximum time a connection can remain idle (reply attribute).

Service Name

Subscribes the user to a service. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service to which the user is subscribed (reply attribute).

Service Group

Subscribes the user to a service group. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service group to which the user is subscribed (reply attribute).

Auto Service

Automatically logs a user into a service when the user logs on to the NRP-SSG (reply attribute).

Service Profiles

Service profiles include the password, service type (outbound), type of service (passthrough or proxy), the service access mode (sequential or concurrent), the DNS server IP address, networks that exist in the service domain, access control lists, and other optional attributes.

Cisco AVPair Attributes

This section specifies Cisco AVPair attributes that appear within service profiles.

Table 3   Cisco AVPair Attributes

Attribute Usage

Upstream Access Control List (inacl)

Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.

Downstream Access Control List (outacl)

Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.

Standard Service Profile Attributes

This section specifies standard RADIUS attributes that can be used in NRP-SSG service profiles.

Table 4   Standard Service Profile Attributes

Attribute Usage

Password

Specifies the password (check attribute).

Service-Type

Specifies the level of service (check attribute). Must be "outbound."

Session-Timeout

Specifies, in seconds, the maximum length of the session (reply attribute).

Idle-Timeout

Specifies, in seconds, the maximum time a service connection can remain idle (reply attribute).

NRP-SSG Specific Service Profile Attributes

This section specifies VSAs that appear within service profiles.

Table 5   NRP-SSG Service Profile Attributes

Attribute Usage

Type of Service

(Optional) Indicates whether the service is proxy (requiring remote authentication) or passthrough (does not require authentication). The default is passthrough.

Service Mode

(Optional) Specifies whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential). The default is concurrent.

DNS Server Address

(Optional) Specifies the primary and/or secondary DNS servers for this service.

Service Route

(Required) Specifies networks that exist for the service. There can be multiple instances of this attribute within a single user profile.

RADIUS Server

(Required for proxy services) Specifies the remote RADIUS server that the NRP-SSG will use to authenticate and authorize a service log on for a proxy service type.

Next Hop Gateway

(Optional) Specifies the next hop key for this service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see "Next Hop Gateway Pseudo-Service Profile".

Domain Name

(Optional) Specifies domain names that get DNS resolution from the DNS server(s) specified in DNS Server Address.

Service Description

(Optional) Provides a description of the service that is displayed to the user.

Service Group Profiles

Service group profiles contain a list of services and/or service groups and can be used to create directory structures for locating and logging on to services. When a user is subscribed to a service group, the user automatically is subscribed to all services and groups within that service group. A service group profile includes the password and the service type (outbound) as check attributes and a list of services and/or a list of service groups as reply attributes.

This section specifies vendor-specific attributes that can be used in NRP-SSG service group profiles.

Table 6   Service Group Profile Attributes

Attribute Usage

Service Name

Lists services that belong to the service group. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service (reply attribute).

Service Group

Lists the service subgroups that belong to this service group. When configured, the service group and service name attributes can define an organized directory structure for accessing services.

There can be multiple instances of this attribute within a service group profile. Use one attribute for each service subgroup that belongs to this service group.

Group Description

Provides a description of the service group.

Password

Specifies the password (check attribute).

Service-Type

Specifies the level of service (check attribute). Must be "outbound."

Pseudo-Service Profiles

This section describes pseudo-service profiles. Pseudo-service profiles are used to define variable length tables or lists of information in the form of services. There are currently two types of pseudo-service profiles: Transparent Passthrough Filter and Next Hop Gateway. The following sections describe both types.

Transparent Passthrough Filter Pseudo-Service Profile

Transparent passthrough is designed to allow unauthenticated traffic (users or network devices that have not logged in to the NRP-SSG through the Cisco SSD) to be routed through normal IOS processing.

Note      Transparent passthrough is supported only in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC.

Table 7   Transparent Passthrough Filter Pseudo-Service Profile Attributes

Attribute Usage

Upstream Access Control List (inacl)

Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.

Downstream Access Control List (outacl)

Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.

The Transparent Passthrough Filter pseudo-service profile allows or denies access to IP addresses and ports accessed through the transparent passthrough feature.

To define what traffic can pass through, the NRP-SSG downloads the Transparent Passthrough Filter pseudo-service profile. This profile contains a list of access control list (ACL) attributes. Each item contains an IP address or range of IP addresses, a list of port numbers, and specifies whether traffic is allowed or denied.

To create a filter for transparent passthrough, create a profile that contains ACL attributes that define what can and cannot be accessed.

You can also create ACLs locally. For more information, see the ssg pass-through command in the Command Reference section.

Next Hop Gateway Pseudo-Service Profile

Because multiple NRP-SSGs might access services from different networks, each service profile specifies a next hop key, which is any string identifier, rather than an actual IP address. For each NRP-SSG to determine the IP address of the next hop, each NRP-SSG downloads its own next hop gateway table that associates keys with IP addresses.

Table 8   Next Hop Gateway Pseudo-Service Profile Attributes

Attribute Usage

Next Hop Gateway Entry

Associates next hop gateway keys with IP addresses.

To create a next hop gateway table, create a profile and give it any name. Use the Next Hop Gateway Entry attribute to associate service keys with their IP addresses. When you have finished, repeat this for each NRP-SSG if the next hop IP addresses are different. For an example next hop gateway pseudo-service profile, see "Sample Pseudo-Service Profiles".

For more information, see the ssg next-hop command in the Command Reference section.

NRP-SSG Vendor-Specific Attributes

The NRP-SSG uses vendor-specific RADIUS attributes. If using the NRP-SSG with Cisco User Control Point (UCP) software, specify settings that allow processing of the NRP-SSG attributes while configuring the CiscoSecure Access Control Server (ACS) component. If using another AAA server, you must customize that server's RADIUS dictionary to incorporate the NRP-SSG vendor-specific attributes.

Table 9 lists vendor-specific attributes used by the NRP-SSG. By sending an Access-Request packet with the vendor-specific attributes shown in the table, the Cisco Service Selection Dashboard (SSD) can send requests to the NRP-SSG to log on and log off an account and disconnect and connect services. The vendor ID for all of the Cisco-specific attributes is 9.

Table 9   Vendor-Specific RADIUS Attributes for the NRP-SSG

AttrID VendorID SubAttrID SubAttrName SubAttrDataType

26

9

1

Cisco-AVpair

String

26

9

250

Account-Info

String

26

9

251

Service-Info

String

26

9

253

Control-Info

String

The following sections describe the format of each subattribute.

Note      All RADIUS attributes are case sensitive.

Cisco-AVpair Attribute

The Cisco-AVpair attributes are used in user and service profiles. The Cisco-AVpair attributes are used to configure ACLs.

Upstream Access Control List

This attribute specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.

Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list | extended-access-control-list}"
Syntax Description

number

Access list identifier.

standard-access-control-list

Standard access control list.

extended-access-control-list

Extended access control list.

Example
Cisco-AVpair="ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"

Note      There can be multiple instances of this attribute within profiles. Use one attribute for each access control list statement. Multiple attributes can be used for the same ACL. Multiple attributes will be downloaded according to the number specified and executed in that order.

Downstream Access Control List

This attribute specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.

Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list | extended-access-control-list}"
Syntax Description

number

Access list identifier.

standard-access-control-list

Standard access control list.

extended-access-control-list

Extended access control list.

Example
Cisco-AVpair="ip:outacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"

Note      There can be multiple instances of this attribute within profiles. Use one attribute for each access control list statement. Multiple attributes can be used for the same ACL. Multiple attributes will be downloaded according to the number specified and executed in that order.

Account-Info Attributes

The Account-Info attributes are used in user profiles and service group profiles.

User profiles define the password and services and/or groups to which the user is subscribed.

Service group profiles contain a list of services and/or service groups and can be used to create sophisticated directory structures for locating and logging on to services. When a user is subscribed to a service group, the user is automatically subscribed to all services and groups within that service group. A service group profile includes the name of the service group, the password, the service type (outbound), a list of services and/or a list of other service groups.

Example (RADIUS Freeware Format)
Account-Info = "Nservice1.com"
Example (CiscoSecure ACS for UNIX and UCP Format)
9,250 = "Nservice1.com"

Service Name

In user profiles, this attribute subscribes the user to the specified service. In service group profiles, this attribute lists services that belong to the service group.

Account-Info = "Nname"
Syntax Description

name

Name of the service profile.

Example
Account-Info = "Ncisco.com"

Note      There can be multiple instances of this attribute within a user or service profile. Use one attribute for each service.

Service Group

In user profiles, this attribute subscribes a user to a service group. In service group profiles, this attribute lists the service groups that belong to this service group.

Account-Info = "Gname"
Syntax Description

name

Name of the group profile.

Example
Account-Info = "GServiceGroup1"

Note      There can be multiple instances of this attribute within a user or service group profile. Use one attribute for each service group.

Auto Service

This attribute subscribes the user to a service and automatically logs the user on to the service when the user accesses the Cisco SSD. Each user profile can have more than one auto service attribute.

Account-Info = "Aservicename [;username;password]"
Syntax Description

servicename

Name of the service.

username

Username used to access the service. Required for proxy services.

password

Password used to access the service. Required for proxy services.

Example
Account-Info = "Agamers.net;jdoe;secret"

Note      The user must be subscribed to this service. See "Service Name".

Group Description

This attribute provides a description of the service group to the Cisco SSD. If this attribute is omitted, the service group profile name is used.

Account-Info = "Idescription"
Syntax Description

description

Description of the service group.

Example
Account-Info = "ICompany Intranet Access"

Service-Info Attributes

The Service-Info attributes are used to define a service. The following attributes define the parameters for a service.

Service Description

This attribute describes the service. This attribute is optional.

Service-Info = "Idescription"
Syntax Description

description

Description of the service.

Example
Service-Info = "ICompany Intranet Access"

Type of Service

This attribute indicates whether the service is proxy or passthrough. This attribute is optional.

Service-Info = "Ttype"
Syntax Description

type

P—Passthrough. Indicates the user's packets are forwarded through the
NRP-SSG. This is the default.

 

X—Proxy. Indicates the NRP-SSG performs proxy service.

Example
Service-Info = "TP"

Service Mode

This attribute defines whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential). The default is concurrent. This attribute is optional.

Service-Info = "Mmode"
Syntax Description

mode

S—Sequential mode.

C—Concurrent mode. This is the default.

Example
Service-Info = "MS"

DNS Server Address

This attribute specifies the primary and secondary DNS servers for this service. If two servers are specified, the NRP-SSG can send DNS requests to the primary DNS server until performance is diminished or it fails (failover). This attribute is optional.

Service-Info = "Dip_address_1[;ip_address_2]"
Syntax Description

ip_address_1

IP address of the primary DNS server.

ip_address_2

(Optional) IP address of the secondary DNS server used for fault tolerance.

Example
Service-Info = "D192.168.1.2;192.168.1.3"

Service Route

This attribute specifies networks available to the user for this service. This attribute is required.

Service-Info = "Rip_address;mask"
Syntax Description

ip_address

IP address.

mask

Subnet mask.

Usage

Use the Service Route attribute to specify networks that exist for a service. For more information, see "Service Access Order".

Note      An Internet service is typically specified as "R0.0.0.0;0.0.0.0" in the service profile.

Example
Service-Info = "R192.168.1.128;255.255.255.192"

Note      There can be multiple instances of this attribute within a single service profile.

RADIUS Server

This attribute specifies the remote RADIUS server that the NRP-SSG will use to authenticate, authorize, and perform accounting for a service log on for a proxy service type. This attribute is only used in proxy service profiles. This attribute is required for proxy service profiles.

Service-Info = "SRadius-server-address;auth-port;acct-port;secret-key"
Syntax Description

Radius-server-address

IP address of the RADIUS server.

auth-port

UDP port number for authentication and authorization requests.

acct-port

UDP port number for accounting requests.

secret-key

Secret key shared with RADIUS clients.

Example
Service-Info = "S192.168.1.1;1645;1646;cisco"

Service Next Hop Gateway

This attribute specifies the next hop key for this service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see "Next Hop Gateway Table Entry". This attribute is optional.

Service-Info = "Gkey"
Syntax Description

key

Name of the next hop.

Example
Service-Info = "Gnexthop1"

Domain Name

This attribute specifies domain names that get DNS resolution from the DNS server(s) specified in DNS server address. This attribute is optional.

Service-Info = "Oname1[;name2]...[;nameX]"
Syntax Description

name1

Domain name that gets DNS resolution from this server.

name2...X

(Optional) Additional domain name(s) that gets DNS resolution from this server.

Usage

Use the DNS Resolution attribute to specify domain names that get DNS resolution from this DNS server. For more information, see "Service Access Order".

Example
Service-Info = "Ocisco.com;cisco-sales.com"

Note      There can be multiple instances of this attribute within a single service profile.

Service User

This attribute indicates the username provided by the Cisco SSD user to log on to the service and for authentication with the home gateway.

Service-Info = "Uusername"
Syntax Description

username

The name provided by the user for authentication.

Example
Service-Info = "Ujoe@cisco.com"

Note      This attribute is only used for accounting purposes and does not appear in profiles.

Service Name

This attribute defines the name of the service.

Service-Info = "Nname"
Syntax Description

name

Name of the service profile or service that belongs to a service group.

Example
Service-Info = "Nservice1.com"

Note      This attribute is only used for accounting purposes and does not appear in profiles.

Control-Info Attributes

The Control-Info attributes are used to define lists or tables of information.

Next Hop Gateway Table Entry

Because multiple NRP-SSGs might access services from different networks, each service profile specifies a next hop key rather than an actual IP address. For each NRP-SSG to determine the IP address of the next hop, each NRP-SSG downloads its own next hop gateway table that associates keys with IP addresses. For information on defining next hop keys, see "Service Next Hop Gateway".

Note      This attribute is only used in Next Hop Gateway pseudo-service profiles and should not appear in service profiles or user profiles.

Control-Info = "Gkey;ip_address"
Syntax Description

key

Service name or key specified in the Service Next Hop Gateway service profile.

ip_address

IP address of the next hop for this service.

Usage

Use this attribute to create a next hop gateway table for the selected NRP-SSG.

To define the IP address of the next hop for each service, the NRP-SSG downloads a special service profile that associates the next hop gateway key for each service with an IP address.

To create a next hop gateway table, create a service profile and give it any name. Use this attribute to associate service keys with their IP addresses. When you have finished, repeat this for each NRP-SSG.

For more information, see the ssg next-hop command in the Command Reference section.

Example
Control-Info = "GNHT_for_SSG_1;192.168.1.128"

Octets Output

Current RADIUS standards only support the counting of up to 32 bits of information with the ACCT-Output-Octets attribute. Standards such as ADSL have much higher throughput.

In order for the accounting server to keep track of and bill for this usage, the NRP-SSG uses the Octets attribute.

The Octets Output attribute keeps track of how many times the 32-bit integer rolled over and the value of the integer when it overflowed for outbound data.

Control-Info = "Orollover;value"
Syntax Description

rollover

Number of times the 32-bit integer rolled over to 0.

value

Value in the 32-bit integer when the stop record was generated and the service or user was logged out.

Usage

Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:

rollover * 232 + value

Example

In the following example, the rollover is 2 and the value is 153 (2 * 232 + 153 = 8589934745):

Control-Info = "O2;153"

Note      This attribute is only used for accounting purposes and does not appear in profiles.

Octets Input

Current RADIUS standards only support the counting of up to 32 bits of information with the ACCT-Input-Octets attribute. Standards such as ADSL have much higher throughput.

In order for the accounting server to keep track of and bill for this usage, the NRP-SSG uses the Octets attribute.

The Octets Input attribute keeps track of how many times the 32-bit integer rolled over and the value of the integer when it overflowed for inbound data.

Control-Info = "Irollover;value"
Syntax Description

rollover

Number of times the 32-bit integer rolled over to 0.

value

Value in the 32-bit integer when the stop record was generated and the service or user was logged out.

Usage

Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:

rollover * 232 + value

Example

In the following example, the rollover is 3 and the value is 151 (3 * 232 + 151 = 12884902039):

Control-Info = "I3;151"

Note      This attribute is only used for accounting purposes and does not appear in profiles.

Sample User and Service Profiles

This section provides samples of user profiles and service profiles used with the
NRP-SSG.

Sample User Profile

The following is an example of a user profile. The profile is formatted for use with a freeware RADIUS server:

bert Password = "ernie"
Session-Timeout = 21600,
Account-Info = "GServiceGroup1",
Account-Info = "Nservice1.com",
Account-Info = "Ngamers.net"

The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:

user = bert {
radius = SSG {
check_items = {
2 = "ernie"
}
reply_attributes = {
27 = 21600
9,250 = "GServiceGroup1"
9,250 = "Nservice1.com"
9,250 = "Ngamers.net"
}
}
}

Sample Service Group Profile

The following is an example of a service group profile. The profile is formatted for use with a freeware RADIUS server:

ServiceGroup1 Password = "cisco", Service-Type = outbound,
Account-Info = "Nservice1.com",
Account-Info = "Ngamers.net",
Account-Info = "GServiceGroup3",
Account-Info = "GServiceGroup4",
Account-Info = "IStandard User Services"

The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:

user = ServiceGroup1 {
radius = SSG {
check_items = {
2 = "cisco"
6 = 5
}
reply_attributes = {
9,250 = "Nservice1.com"
9,250 = "Ngamers.net"
9,250 = "GServiceGroup3"
9,250 = "GServiceGroup4"
9,250 = "IStandard User Services"
}
}
}

Sample Service Profile

The following is an example of a service profile. The profile is formatted for use with a freeware RADIUS server:

service1.com    Password = "cisco", Service-Type = outbound,
Idle-Timeout = 1800,
Service-Info = "R192.168.1.128;255.255.255.192",
Service-Info = "R192.168.2.0;255.255.255.192",
Service-Info = "R192.168.3.0;255.255.255.0",
Service-Info = "Gservice1",
Service-Info = "D192.168.2.81",
Service-Info = "MC",
Service-Info = "TP",
Service-Info = "ICompany Intranet Access",
Service-Info = "Oservice1.com"

The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:

user = service1.com {
radius = SSG {
check_items = {
2 = "cisco"
6 = 5
}
reply_attributes = {
28 = 1800
9,251 = "R192.168.1.128;255.255.255.192"
9,251 = "R192.168.2.0;255.255.255.192"
9,251 = "R192.168.3.0;255.255.255.0"
9,251 = "Gservice1"
9,251 = "D192.168.2.81"
9,251 = "MC"
9,251 = "TP"
9,251 = "ICompany Intranet Access"
9,251 = "Oservice1.com"
}
}
}

Sample Pseudo-Service Profiles

The following is an example of the Transparent Passthrough Filter pseudo-service profile. The profile is formatted for use with a freeware RADIUS server:

ssg-filter Password = "cisco", Service-Type = outbound,
Cisco-AVpair="ip:inacl#3=deny tcp 192.168.1.0 0.0.0.255 any eq 21",
Cisco-AVpair="ip:inacl#7=permit ip any any"

The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:

user = ssg-filter {
radius = SSG {
check_items = {
2 = "cisco"
6 = 5
reply_attributes = {
9,1 = "ip:inacl#3=deny tcp 192.168.1.0 0.0.0.255 any eq 21",
9,1 = "ip:inacl#7=permit ip any any"
}
}
}

The following is an example of the Next Hop Gateway pseudo-service profile. The profile is formatted for use with a freeware RADIUS server:

nht1           Password = "cisco", Service-Type = outbound,
Account-Info = "Gservice3;192.168.103.3",
Account-Info = "Gservice2;192.168.103.2",
Account-Info = "Gservice1;192.168.103.1",
Account-Info = "GLabservices;192.168.4.2",
Account-Info = "GWorldwide_Gaming;192.168.4.2"

The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:

user = nht1{
radius= SSG {
check_items= {
2=cisco
6=5
}
reply_attributes= {
9,253="Gservice3;192.168.103.3"
9,253="Gservice2;192.168.103.2"
9,253="Gservice1;192.168.103.1"
9,253="GLabservices;192.168.4.2"
9,253="GWorldwide_Gaming;192.168.4.2"
}
}

RADIUS Accounting Records

This section describes events that generate RADIUS accounting records and the attributes associated with the accounting records sent from the NRP-SSG to the accounting server.

Account Logon

When a user logs on, the NRP-SSG sends a RADIUS accounting-request on behalf of the user to the accounting server. The attributes associated with this record are:

Acct-Status-Type = Start
NAS-IP-Address = ip_address
User-Name = "username"
Acct-Session-Id = "session_id"
Framed-IP-Address = user_ip
Proxy-State = "n"

ip_address

IP address of the NRP-SSG.

username

Name used to log on to the service provider network.

session_id

Session number.

user_ip

IP address of the user's system.

n

Accounting record queuing information (has no effect on account billing).

Account Logoff

When a user logs off, the NRP-SSG sends a RADIUS accounting-request on behalf of the user to the accounting server. The attributes associated with this record are:

Acct-Status-Type = Stop
NAS-IP-Address = ip_address
User-Name = "username"
Acct-Session-Time = time
Acct-Terminate-Cause = cause
Acct-Session-Id = "session_id"
Framed-Address = user_ip
Proxy-State = "n"

ip_address

IP address of the NRP-SSG.

username

Name used to log on to the service provider network.

time

Length of session in seconds.

cause

Cause of account termination. These can include:

  • User-Request.
  • Session-Timeout.
  • Idle-Timeout.
  • Lost-Carrier.

session_id

Session number.

user_ip

IP address of the user's system.

n

Accounting record queuing information (has no effect on account billing).

Connection Start

When a user accesses a service, the NRP-SSG sends a RADIUS accounting-request to the accounting server. The attributes associated with this record are:

NAS-IP-Address = 172.16.6.1
NAS-Port = 0
NAS-Port-Type = Virtual
User-Name = "username"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed
Acct-Session-Id = "00000010"
Framed-Protocol = PPP
Service-Info = "Nisp-name.com"
Service-Info = "Uusername"
Service-Info = "TP"
Acct-Delay-Time = 0

ip_address

IP address of the NRP-SSG.

username

Name used to log on to the service provider network.

session_id

Session number.

service

Name of the service profile.

hg_username

The username used to authenticate the user with the remote RADIUS server. This attribute is used for proxy services.

type

X—Proxy connection.

P—Passthrough connection (usually the Internet).

n

Accounting record queuing information (has no effect on account billing).

Connection Stop

When a user terminates a service, the NRP-SSG sends a RADIUS accounting-request to the accounting server. The attributes associated with this record are:

NAS-IP-Address = 172.16.6.1
NAS-Port = 0
NAS-Port-Type = Virtual
User-Name = "username"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed
Acct-Session-Id = "00000010"
Acct-Terminate-Cause = Lost-Carrier
Acct-Session-Time = 71
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Framed-Protocol = PPP
Control-Info = "I0;0"
Control-Info = "O0;0"
Service-Info = "Nisp-name.com"
Service-Info = "Uusername"
Service-Info = "TP"
Acct-Delay-Time = 0

ip_address

IP address of the NRP-SSG.

username

Name used to log on to the service provider network.

in_bytes

Number of inbound bytes.

out_bytes

Number of outbound bytes.

time

Length of session in seconds.

cause

Cause of service termination. These include:

  • User-Request.
  • Lost-Carrier.
  • Lost-Service.
  • Session-Timeout.
  • Idle-Timeout.

session_id

Session number.

service

Name of the service profile.

hg_username

The username used to authenticate the user with the remote RADIUS server. This attribute is used for proxy services.

type

X—Proxy connection.

P—Passthrough connection (usually the Internet).

n

Accounting record queuing information (has no effect on account billing).

Configuring Security

Command Purpose
Router(config)# aaa new-model

Enables AAA.

Router(config)# aaa authentication ppp default radius

Specifies RADIUS as the default authentication method for users that log in to serial interfaces using PPP.

Router(config)# aaa authorization network default radius

Specifies that RADIUS is the default authorization used for all network-related requests.

Router(config)# radius-server host {hostname | ip-address} [auth-port UDP-port-number] [acct-port UDP-port-number]

Specifies the RADIUS server host.

Router(config)# radius-server key AAAPassword

Sets the RADIUS shared secret between the NRP-SSG and the local AAA server.

Router(config)# radius-server vsa send

(Optional) Send vendor-specific attributes with authentication and accounting requests to the AAA server.

Router(config)# ssg radius-helper key DashboardPassword

Sets the RADIUS shared secret between the NRP-SSG and the Cisco SSD.

Router(config)# ssg radius-helper

Specifies the UDP default port numbers for a RADIUS authentication server (1645) and accounting server (1646).

Router(config)# ssg service-password ServicePassword

Sets the password used to authenticate the NRP-SSG with the local AAA server service profiles. This value must match the value configured for the AAA server service profiles.

Verifying Security

Use the show running-config command to verify that security has been configured correctly.

Configuring a Default Network

Configure the first IP address or subnet that users will be able to access without authentication. This is the address where the Cisco SSD resides.

Command Purpose
Router(config)# ssg default-network ip-address mask

Sets the IP address or subnet that users will be able to access without authentication. Typically, this is the address where the Cisco SSD resides. A mask provided with the IP address specifies the range of IP addresses that users will be able to access without authentication.

Verifying the Default Network

Use the show running-config command to verify that the default network has been configured correctly.

Configuring Interfaces

If you are going to use PPP to connect subscribers to the NRP-SSG, you do not have to configure any downlink interfaces. If you are using non-PPP connections, such as bridging or LAN, you must configure at least one downlink interface.

Command Purpose
Router(config)# ssg bind direction downlink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}

Specifies a downlink interface, that is, the interface to the subscribers.

Configure all interfaces that will be connected to services as uplink interfaces.

Command Purpose
Router(config)# ssg bind direction uplink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}

Specifies an uplink interface, that is, the interface to the services.

Verifying Interfaces

Use the show ssg direction command to verify that interfaces have been configured correctly.

Configuring Services

Every service must be bound to an uplink interface.

Command Purpose
Router(config)# ssg bind service service {ip-address | ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}

Specifies the interface for a service.

Router(config)# ssg service-search-order local | remote | local remote | remote local

(Optional) Specifies the order in which NRP-SSG searches for a service profile. The default service search order is local remote, that is, the NRP-SSG searches for service profiles in Flash memory first, then on the RADIUS server.

Router(config)# ssg next-hop download [profile-name] [profile-password]

(Optional) Downloads the next-hop table from a RADIUS server.

Router(config)# ssg maxservice number

(Optional) Sets the maximum number of services per user.

Verifying Services

Use the show ssg service command to verify that services have been bound to interfaces correctly. Use the show running-config command to verify that the service search order and maximum services have been configured correctly. Use the show ssg next-hop command to verify all mappings between services and IP addresses.

Configuring Local Service Profiles

This task is required if you want to use Layer 2 service selection; otherwise, it is optional. You can configure local service profiles in addition to the service profiles on the remote RADIUS server.

Command Purpose
Router(config)# local-profile profilename

Enters profile configuration mode. Configures a local RADIUS service profile.

Router(config-prof)# attr radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value

Configures an attribute in a local RADIUS service profile.

Verifying Local Service Profiles

Use the show running-config command to verify that local service profiles have been configured correctly.

Configuring Transparent Passthrough

This task is optional, and only supported in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC. Enable or disable transparent passthrough by using the appropriate command:

Command Purpose
Router(config)# ssg pass-through [filter {ip-access-list | ip-extended-access-list | access-list-name | download [profile-name | profile-name profile-password]} [downlink | uplink]}]

Enables transparent passthrough, allowing unauthenticated traffic to pass through the NRP-SSG.

Router(config)# no ssg pass-through [filter {ip-access-list [downlink | uplink] | ip-extended-access-list [downlink | uplink] | access-list-name [downlink | uplink] | downlink | download [profile-name | profile-name profile-password] | uplink}}]

Disables transparent passthrough, forcing traffic to be authenticated by the NRP-SSG before passing through it.

Verifying Transparent Passthrough

Use the show running-config command to verify that transparent passthrough has been enabled. Use the show ssg pass-through-filter command to verify that the filter for transparent passthrough has been configured correctly.

Configuring Redundancy

This task is optional. Perform the following tasks on the NSP:

Step Command Purpose
1.
Router(config)# redundancy

Selects the redundancy configuration submode.

2.
Router(config-r)# associate slot slot [slot]

Configures two NRPs installed in the specified slots as a redundant pair. You only need to specify the first NRP of the pair; the second NRP is assumed to be in the adjacent slot.

3.
Router(config-r)# prefer slot

Defines which of the redundant NRPs is the preferred one.

4.
Router(config-r-mc)# end

Return to privileged EXEC mode.

This task is optional. Perform the following tasks on the NRP:

Step Command Purpose
1.
Router(config)# redundancy

Selects the redundancy configuration submode.

2.
Router(config-r)# main-cpu

Selects the main-cpu configuration submode.

3.
Router(config-r-mc)# auto-sync [startup-config | bootvar | config-register | standard]

Synchronizes the configuration (startup configuration, boot variables, configuration register, or all three configurations) between redundant NSPs.

4.
Router(config-r-mc)# end

Return to privileged EXEC mode.

Verifying Redundancy

Use the show redundancy command to verify that redundancy has been configured correctly.

RouterA# show redundancy
User EHSA configuration (by CLI config):
slave-console = off
keepalive = off
config-sync modes:
standard = on
start-up = on
boot-var = on
config-reg = on
NSP EHSA configuration (via pam-mbox):
redundancy = off
preferred (slot 6) = no
Debug EHSA Information:
NRP specific information:
Backplane resets = 0
NSP mastership changes = 0
print_pambox_config_buff: pmb_configG values:
valid = 1
magic = 0xEBDDBE1 (expected 0xEBDDBE1)
Backplane resets = 0
NSP mastership changes = 0
print_pambox_config_buff: pmb_configG values:
valid = 1
magic = 0xEBDDBE1 (expected 0xEBDDBE1)
nmacaddrs = 1
run_redundant = 0x0
preferred_master = 0x0
macaddr[0][0] = 0010.7bb9.ca43
macaddr[1][0] = 0000.0000.0000
EHSA pins:
peer present = 1
peer state = SANTA_EHSA_SECONDARY
crash status: this-nrp=NO_CRASH(1) peer-nrp=NO_CRASH(1)
EHSA related MAC addresses:
peer bpe mac-addr = 0010.7bb9.ca47
my bpe mac-addr = 0010.7bb9.ca43

Configuring Fastswitching

This task is optional. Fastswitching is enabled by default.

Command Purpose
Router(config)# ssg fastswitch

Enables fastswitching.

Router(config)# no ssg fastswitch

Disables fastswitching.

Verifying Fastswitching

Use the show running-config command to verify that fastswitching has been enabled. Because fastswitching is enabled by default, it will not be displayed in the running configuration. If fastswitching has been disabled, the following line will appear in the output of the show running-config command:

no ssg fastswitch

Configuring Multicast

This task is optional. Multicast is disabled by default.

Command Purpose
Router(config)# ssg multicast

Enables multicast. When multicast is enabled, the NRP-SSG will forward multicast packets, which include normal multicast packets and IGMP packets, received on an uplink or downlink interface that has had a service bound to it to the IOS routing engine.

Router(config)# no ssg multicast

Disables multicast. If multicast is disabled, multicast packets received on an uplink or downlink interface or an interface that has had a service bound to it will be dropped.

Verifying Multicast

Use the show running-config command to verify that multicast has been enabled. If multicast is disabled, which is the default, it will not be displayed in the running configuration. If multicast is enabled, the following line will appear in the output of the show running-config command:

ssg multicast

Verifying NRP-SSG Configuration

You can perform the following verification tasks after completing all configuration tasks described above.

To verify that the NRP-SSG, Cisco SSD, and RADIUS server have been configured to work together correctly:

To verify that transparent passthrough has been configured correctly:

To verify that redundancy has been configured correctly:

Monitoring and Maintaining the NRP-SSG

Command Purpose
Router# show ssg connection ip-address service-name

Displays the connections of a given host and service name.

Router# clear ssg connection ip-address service-name

Removes the connections of a given host and service name.

Router# show ssg pass-through-filter

Displays the downloaded filter for transparent passthrough.

Router# clear ssg pass-through-filter

Removes the downloaded filter for transparent passthrough. To remove the filter from NVRAM, use the no form of the ssg pass-through command.

Router# show ssg host [ip-address] [username]

Displays the information about a subscriber and the current connections of the subscriber.

Router# clear ssg host ip-address

Removes a given host or subscriber.

Router# show ssg direction

Displays the direction of all interfaces for which a direction has been specified.

Router# show ssg next-hop

Displays the next-hop table.

Router# clear ssg next-hop

Removes the next-hop table. To remove the next-hop table from NVRAM, use the no form of the ssg next-hop command.

Router# show ssg binding

Displays service names that have been bound to interfaces and the interfaces to which they have been bound.

Router# show ssg service service-name

Displays the information for a service.

Router# clear ssg service service-name

Removes a service.

Configuration Examples

The configuration examples in this section support the network topology shown in Figure 2.


Figure 2   Example NRP-SSG Network Topology

Security

aaa new-model
aaa authentication ppp default radius
aaa authorization network default radius
ssg service-password cisco
ssg radius-helper auth-port 1645 acct-port 1646
ssg radius-helper key cisco
radius-server host 192.168.100.28 auth-port 1645 acct-port 1646
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication

Default Network

ssg default-network 192.168.100.24 255.255.255.255

Interfaces

ssg bind direction uplink ATM0/0/0.1
ssg bind direction uplink ATM0/0/0.2
ssg bind direction uplink ATM0/0/0.3
ssg bind direction downlink BVI1

Services

ssg bind service Labservices 192.168.123.1
ssg bind service Worldwide_Gaming 192.168.113.1
ssg bind service ACME_ISP 192.168.103.1
ssg next-hop download nhg1 cisco
ssg maxservice 10

The following is an example service profile as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX and UCP.

user = ACME_ISP{
profile_id = 2026
profile_cycle = 12
member = ServicesGroup
radius=6510-SSG-v1.1a {
check_items= {
2=cisco
6=5
}
reply_attributes= {
9,251="R192.168.250.0;255.255.255.0"
9,251="TX"
9,251="S192.168.250.11;1645;1646;cisco"
}
}
}

Service Search Order

ssg service-search-order local remote

Next-Hop Table

ssg next-hop download nht1 cisco

The following is an example next-hop table as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX and UCP.

ssg next-hop download nht1 cisco
user = nht1{
radius= SSG {
check_items= {
2=cisco
6=5
}
reply_attributes= {
9,253="GACME_ISP;192.168.103.1"
9,253="GLabservices;192.168.123.1"
9,253="GWorldwide_Gaming;192.168.113.1"
}
}
}

Max Services

ssg maxservice 10

Local Service Profile

local-profile Labservices
attr 26 9 251 "R192.168.123.1;255.255.255.0"
attr 26 9 251 "S192.168.252.11;1645;1646;cisco"
attr 26 9 251 "OAnyProxyService.Com"
attr 26 9 251 "TX"
attr 2 "cisco"
attr 6 5

Transparent Passthrough Filter

ssg pass-through filter download tptfilter1 cisco

The following is an example transparent passthrough filter as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX and UCP.

user = tptfilter1{
radius= SSG {
check_items= {
2=cisco
6=5
}
reply_attributes= {
9,1="ip:inacl#2=deny tcp 172.16.4.0 0.0.0.255 192.168.250.0 0.0.0.255 eq 23"
9,1="ip:inacl#5=permit ip any any"
9,1="ip:inacl#1=permit tcp any any established"
}
}
}

Redundancy

redundancy
main-cpu
auto-sync standard
no secondary console enable

Fastswitching

There will be nothing in the running configuration for fastswitching when it is enabled.

Multicast

ssg multicast

Command Reference

This section documents new commands associated with the NRP-SSG. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.

attr

To configure an attribute in a local RADIUS service profile, use the attr profile configuration command. Use the no form of this command to delete an attribute from a service profile.

attr radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value
no attr radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value

Syntax Description

radius-attribute-id

RADIUS attribute ID to be configured.

vendor-id

(Optional) Vendor ID. Required if the RADIUS attribute ID is 26, indicating a vendor-specific attribute. Cisco's vendor ID is 9.

cisco-vsa-type

(Optional) Cisco vendor-specific attribute (VSA) type. Required if the vendor ID is 9, indicating a Cisco VSA.

attribute-value

Attribute value.

Defaults

No default behavior or values.

Command Mode

Profile configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to configure attributes in local RADIUS service profiles.

Examples

The following example configures the Cisco-Avpair upstream access control list attribute in the RADIUS profile, cisco.com:

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# local-profile cisco.com
routerA(config-prof)# attr 26 9 1 "ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"

The following example deletes the Session-Timeout attribute in the RADIUS profile, cisco.com:

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# local-profile cisco.com
routerA(config-prof)# no attr 27 600

Related Commands

Command Description

local-profile

Configures a local RADIUS service profile and enters profile configuration mode.

clear ssg connection

To remove the connections of a given host and a service name, use the clear ssg connection privileged EXEC command.

clear ssg connection ip-address service-name

Syntax Description

ip-address

IP address of an active SSG connection.

service-name

Name of an active SSG connection.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to remove the connections for a given host and service name.

Examples

The following example removes the service connection for Perftest to host 192.168.1.1:

RouterA# clear ssg connection 192.168.1.1 Perftest

Related Commands

Command Description

show ssg connection

Displays the connections of a given host and a service name.

clear ssg host

To remove or disable a given host or subscriber, use the clear ssg host privileged EXEC command.

clear ssg host ip-address

Syntax Description

ip-address

IP address of the host or subscriber.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to remove a host's connection from the NRP-SSG.

Examples

The following example removes the connection for host 192.168.1.1:

RouterA# clear ssg host 192.168.1.1

Related Commands

Command Description

show ssg host

Displays the information about a subscriber and current connections of the subscriber.

clear ssg next-hop

To remove the next-hop table, use the clear ssg next-hop privileged EXEC command.

clear ssg next-hop

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

If you use this command to clear the next-hop table, nothing will be displayed when you use the show ssg next-hop command. However, the next-hop table will still appear in the running configuration. To remove the next-hop table from the running configuration, use the no form of the ssg next-hop command.

Examples

The following example removes the next-hop table:

RouterA# clear ssg next-hop

Related Commands

Command Description

ssg next-hop

Downloads the next-hop table from a RADIUS server.

show ssg next-hop

Displays the next-hop table.

clear ssg pass-through-filter

To remove the downloaded filter for transparent passthrough, use the clear ssg pass-through-filter privileged EXEC command.

clear ssg pass-through-filter

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Removing the filter allows unauthenticated traffic to pass through the NRP-SSG in either direction without modification. If you use this command to clear the downloaded transparent passthrough filter, nothing will be displayed when you use the show ssg pass-through-filter command. However, the transparent passthrough filter will still appear in the running configuration. To remove the transparent passthrough filter from the running configuration, use the no form of the ssg pass-through command.

Examples

The following example removes the downloaded transparent passthrough filter:

RouterA# clear ssg pass-through-filter

Related Commands

Command Description

ssg pass-through

Enables transparent passthrough.

show ssg pass-through-filter

Displays the downloaded filter for transparent passthrough.

clear ssg service

To remove a service, use the clear ssg service privileged EXEC command.

clear ssg service service-name

Syntax Description

service-name

Name of an active SSG service.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to remove services.

Examples

The following example removes the Perftest service:

RouterA# clear ssg service Perftest

Related Commands

Command Description

ssg bind service

Specifies the interface for a service.

show ssg binding

Displays service names that have been bound to interfaces and the interfaces to which they have been bound.

show ssg service

Displays the information for a service.

local-profile

To configure a local RADIUS service profile and enter profile configuration mode, use the local-profile global configuration command. Use the no form of this command to delete the local service profile.

local-profile profilename
no local-profile profilename

Syntax Description

profilename

Name of profile to be configured.

Defaults

No default behavior or values.

Command Mode

Global configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to configure local RADIUS service profiles.

Examples

The following example configures the RADIUS profile called cisco.com, and enters profile configuration mode:

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# local-profile cisco.com
routerA(config-prof)#

Related Commands

Command Description

attr

Configures an attribute in a local RADIUS profile.

ssg service-search-order

Specifies the order in which NRP-SSG searches for a service profile.

show ssg binding

To display service names that have been bound to interfaces and the IP addresses to which they have been bound, use the show ssg binding privileged EXEC command.

show ssg binding [| {begin expression | exclude expression | include expression}]

Syntax Description

begin

(Optional) Begin with the line that contains expression.

exclude

(Optional) Exclude lines that contain expression.

include

(Optional) Include lines that contain expression.

expression

(Optional) Word or phrase used to determine what lines will be shown.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to display services and the interfaces to which they have been bound.

Examples

The following example displays all service names that have been bound to interfaces:

RouterA# show ssg binding
WhipitNet -> 192.168.1.1 (NHT)
Service1.com -> 192.168.1.2 (NHT)
Service2.com -> 192.168.1.3 (NHT)
Service3.com -> 192.168.1.4 (NHT)
GoodNet -> 192.168.2.1
Perftest -> 192.168.1.6

Related Commands

Command Description

ssg bind service

Specifies the interface for a service.

show ssg service

Displays the information for a service.

clear ssg service

Removes a service.

show ssg connection

To display the connections of a given host and a service name, use the show ssg connection privileged EXEC command.

show ssg connection ip-address service-name [| {begin expression | exclude expression | include expression}]

Syntax Description

ip-address

IP address of an active SSG connection. This is always a subscribed host.

service-name

The name of an active SSG connection.

begin

(Optional) Begin with the line that contains expression.

exclude

(Optional) Exclude lines that contain expression.

include

(Optional) Include lines that contain expression.

expression

(Optional) Word or phrase used to determine what lines will be shown.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to display information about the connections for a given host and service name.

Examples

The following example shows the service connection for the Perftest service to host 192.168.1.1:

RouterA# show ssg connection 192.168.1.1 Perftest
------------------------ ConnectionObject Content -----------------------
User Name:
User Password:
Owner Host: 192.168.1.1
Associated Service: Perftest
Connection State: 0
Connection Started since:
*11:08:15.000 PST Mon Jan 25 1999
Connection Traffic Statistics:
Input Bytes = 0 (HI = 0), Input packets = 0
Output Bytes = 0 (HI = 0), Output packets = 0

Related Commands

Command Description

clear ssg connection

Removes the connections of a given host and a service name.

show ssg direction

To display the direction of all interfaces for which a direction has been specified, use the show ssg direction privileged EXEC command.

show ssg direction [| {begin expression | exclude expression | include expression}]

Syntax Description

begin

(Optional) Begin with the line that contains expression.

exclude

(Optional) Exclude lines that contain expression.

include

(Optional) Include lines that contain expression.

expression

(Optional) Word or phrase used to determine what lines will be shown.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to display all interfaces that have been specified as uplinks or downlinks.

Examples

The following example displays the direction of all interfaces that have been specified as uplinks or downlinks.

RouterA# show ssg direction
ATM0/0/0.10: Uplink
BVI1: Downlink
FastEthernet0/0/0: Uplink

Related Commands

Command Description

ssg bind direction

Specifies an interface as a downlink or uplink interface.

show ssg host

To display the information about a subscriber and current connections of the subscriber, use the show ssg host privileged EXEC command.

show ssg host [ip-address [| {begin expression | exclude expression | include expression}] | username [| {begin expression | exclude expression | include expression}] | [| {begin expression | exclude expression | include expression}]]

Syntax Description

ip-address

(Optional) IP address of the host.

username

(Optional) Display the usernames logged into the active hosts.

begin

(Optional) Begin with the line that contains expression.

exclude

(Optional) Exclude lines that contain expression.

include

(Optional) Include lines that contain expression.

expression

(Optional) Word or phrase used to determine what lines will be shown.

Defaults

If no arguments are provided, all current connections are displayed.

Command Mode

Privileged EXEC

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to display information about host objects.

Examples

The following example displays all active hosts:

RouterA# show ssg host
1:172.16.4.3
2:172.16.4.21
3:172.16.61.1
### Active HostObject Count:3

The following example displays all active hosts whose IP addresses begin with 172.16.6:

RouterA# show ssg host | begin 172.16.6
3:172.16.61.1
### Active HostObject Count:3

Note      A vertical bar (|) must precede the output modifier (begin, exclude or include).

The following example displays the usernames logged in to the active hosts:

RouterA# show ssg host username
1: 172.16.2.11 (active) Host name: user1
### Total HostObject Count(including inactive hosts): 1

The following example displays information about host 172.16.6.112:

RouterA# show ssg host 172.16.6.112
------------------------ HostObject Content -----------------------
Activated:TRUE
IDB:1625316924
User Name:user1
Host IP:172.16.6.112
Msg IP:0.0.0.0 (0)
Host DNS IP:0.0.0.0
Maximum Session Timeout:0 seconds
Host Idle Timeout:0 seconds
Class Attr:NONE
User logged on since:*06:34:42.000 pst Mon May 3 1999
User last activity at:*06:34:47.000 pst Mon May 3 1999
Default Service:NONE
DNS Default Service:NONE
Active Services:isp-2; isp-name.com; isp-1;
AutoService:isp-1; isp-2;
Subscribed Services:isp-2; isp-3; isp-1; isp-4; isp-5;

Related Commands

Command Description

clear ssg host

Removes or disables a given host or subscriber.

show ssg next-hop

To display the next-hop table, use the show ssg next-hop privileged EXEC command.

show ssg next-hop [| {begin expression | exclude expression | include expression}]

Syntax Description

begin

(Optional) Begin with the line that contains expression.

exclude

(Optional) Exclude lines that contain expression.

include

(Optional) Include lines that contain expression.

expression

(Optional) Word or phrase used to determine what lines will be shown.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to display all next-hop IP addresses.

Examples

The following example displays the next-hop table:

RouterA# show ssg next-hop
Next hop table loaded from profile prof-nhg:
WhipitNet -> 192.168.1.6
Service1.com -> 192.168.1.3
Service2.com -> 192.168.1.2
Service3.com -> 192.168.1.1
GoodNet -> 192.168.1.2
Perftest -> 192.168.1.5
End of next hop table.

Related Commands

Command Description

ssg next-hop

Downloads the next-hop table from a RADIUS server.

clear ssg next-hop

Removes the next-hop table.

show ssg pass-through-filter

To display the downloaded filter for transparent passthrough, use the show ssg pass-through-filter privileged EXEC command.

show ssg pass-through-filter [| {begin expression | exclude expression | include expression}]

Syntax Description

begin

(Optional) Begin with the line that contains expression.

exclude

(Optional) Exclude lines that contain expression.

include

(Optional) Include lines that contain expression.

expression

(Optional) Word or phrase used to determine what lines will be shown.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to display the downloaded transparent passthrough filter. The filter prevents passthrough traffic from accessing the specified IP address and subnet mask combinations. The filter is set using the ssg pass-through command.

To display a filter defined on the command line, use the show running-config command.

Examples

The following example displays the passthrough filter:

RouterA# show ssg pass-through-filter
Service name: filter01
Password: cisco
Direction: Uplink
Extended IP access list (SSG ACL)
permit tcp 172.16.6.0 0.0.0.255 any eq telnet
permit tcp 172.16.6.0 0.0.0.255 192.168.250.0 0.0.0.255 eq ftp

Related Commands

Command Description

ssg pass-through

Enables transparent passthrough.

clear ssg pass-through-filter

Removes the downloaded filter for transparent passthrough.

show ssg service

To display the information for a service, use the show ssg service privileged EXEC command.

show ssg service [service-name [| {begin expression | exclude expression | include expression}]]

Syntax Description

service-name

(Optional) Name of an active SSG service.

begin

(Optional) Begin with the line that contains expression.

exclude

(Optional) Exclude lines that contain expression.

include

(Optional) Include lines that contain expression.

expression

(Optional) Word or phrase used to determine what lines will be shown.

Defaults

If no service name is provided, the command displays information for all services.

Command Mode

Privileged EXEC

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to display connection information for a service.

Examples

The following example displays the information for the service called isp-name.com:

RouterA# show ssg service isp-name.com
------------------------ ServiceInfo Content -----------------------
Name:isp-name.com
Type:PASS-THROUGH
Mode:CONCURRENT
Service Session Timeout:0 seconds
Service Idle Timeout:0 seconds
Class Attr:NONE
Authentication Type:CHAP
Max Connections Allowed:10
Reference Count:1
DNS Server(s):Primary:192.168.250.11
Included Network Segments:
192.168.250.0/255.255.255.0
Excluded Network Segments:
Domain List:isp-name.com;
Active Connections:
1 :Virtual=172.16.6.112, Subscriber=172.16.6.112
------------------------ End of ServiceInfo Content ----------------

Related Commands

Command Description

ssg bind service

Specifies the interface for a service.

show ssg binding

Displays service names that have been bound to interfaces and the interfaces to which they have been bound.

clear ssg service

Removes a service.

ssg bind direction

To specify an interface as a downlink or uplink interface, use the ssg bind direction global configuration command. Use the no form of this command to disable the directional specification for the interface.

ssg bind direction downlink | uplink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
no ssg bind direction downlink | uplink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}

Syntax Description

downlink

Specify interface direction as downlink.

uplink

Specify interface direction as uplink.

ATM

Indicates the interface is ATM.

atm-interface

ATM interface.

Async

Indicates the interface is Async.

async-interface

Async interface.

BVI

Indicates the interface is BVI.

bvi-interface

Bridge-Group Virtual Interface.

Dialer

Indicates the interface is Dialer.

dialer-interface

Dialer interface.

Ethernet

Indicates the interface is Ethernet.

ethernet-interface

IEEE 802.3.

FastEthernet

Indicates the interface is FastEthernet.

fastethernet-interface

FastEthernet IEEE 802.3.

Group-Async

Indicates the interface is Group Async.

group-async-interface

Group async interface.

Lex

Indicates the interface is Lex.

lex-interface

Lex interface.

Loopback

Indicates the interface is Loopback.

loopback-interface

Loopback interface.

Multilink

Indicates the interface is Multilink.

multilink-interface

Multilink interface.

Null

Indicates the interface is Null.

null-interface

Null interface.

Port-channel

Indicates the interface is Port Channel.

port-channel-interface

Port channel interface.

Tunnel

Indicates the interface is Tunnel.

tunnel-interface

Tunnel interface.

Virtual-Access

Indicates the interface is Virtual Access.

virtual-access-interface

Virtual access interface.

Virtual-Template

Indicates the interface is Virtual Template.

virtual-template-interface

Virtual template interface.

Virtual-TokenRing

Indicates the interface is Virtual Token Ring.

virtual-tokenring-interface

Virtual token ring interface.

Defaults

All interfaces are configured as uplink interfaces by default.

Command Mode

Global configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to specify an interface as downlink or uplink. An uplink interface is an interface to services; a downlink interface is an interface to subscribers.

Examples

The following example specifies an ATM interface as a downlink interface:

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg bind direction downlink ATM 0/0/0.10

Related Commands

Command Description

show ssg binding

Displays service names that have been bound to interfaces and the interfaces to which they have been bound.

ssg bind service

To specify the interface for a service, use the ssg bind service global configuration command. Use the no form of this command to unbind the service and the interface.

ssg bind service service-name {ip-address | ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
no ssg bind service service-name {ip-address | ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}

Syntax Description

service

Service name.

ip-address

IP address of the next hop router.

ATM

Indicates the interface is ATM.

atm-interface

ATM interface.

Async

Indicates the interface is Async.

async-interface

Async interface.

BVI

Indicates the interface is BVI.

bvi-interface

Bridge-Group Virtual Interface.

Dialer

Indicates the interface is Dialer.

dialer-interface

Dialer interface.

Ethernet

Indicates the interface is Ethernet.

ethernet-interface

IEEE 802.3.

FastEthernet

Indicates the interface is FastEthernet.

fastethernet-interface

FastEthernet IEEE 802.3.

Group-Async

Indicates the interface is Group Async.

group-async-interface

Group async interface.

Lex

Indicates the interface is Lex.

lex-interface

Lex interface.

Loopback

Indicates the interface is Loopback.

loopback-interface

Loopback interface.

Multilink

Indicates the interface is Multilink.

multilink-interface

Multilink interface.

Null

Indicates the interface is Null.

null-interface

Null interface.

Port-channel

Indicates the interface is Port Channel.

port-channel-interface

Port channel interface.

Tunnel

Indicates the interface is Tunnel.

tunnel-interface

Tunnel interface.

Virtual-Access

Indicates the interface is Virtual Access.

virtual-access-interface

Virtual access interface.

Virtual-Template

Indicates the interface is Virtual Template.

virtual-template-interface

Virtual template interface.

Virtual-TokenRing

Indicates the interface is Virtual Token Ring.

virtual-tokenring-interface

Virtual token ring interface.

Defaults

No default behavior or values.

Command Mode

Global configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to bind a service to an interface.

Examples

The following example specifies the interface for the service defined as MyService:

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg bind service MyService ATM 0/0/0.10

Related Commands

Command Description

show ssg service

Displays the information for a service.

show ssg binding

Displays service names that have been bound to interfaces and the interfaces to which they have been bound.

clear ssg service

Removes a service.

ssg default-network

To specify the default network IP address or subnet and mask, use the ssg default-network global configuration command. Use the no form of this command to disable the default network IP address and mask.

ssg default-network ip-address mask
no ssg default-network ip-address mask

Syntax Description

ip-address

SSG default IP address or subnet

mask

SSG default network destination mask

Defaults

No default behavior or values.

Command Mode

Global configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to specify the first IP address or subnet that users will be able to access without authentication. This is the address where the Cisco SSD resides. After users enter the URL for the Cisco SSD, they will be prompted for a username and password. A mask provided with the IP address specifies the range of IP addresses that users will be able to access without authentication.

Examples

The following example specifies a default network IP address, 192.168.1.2., and mask 255.255.255.255.

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg default-network 192.168.1.2 255.255.255.255

Related Commands

None.

ssg fastswitch

To enable fastswitching, use the ssg fastswitch global configuration command. Use the no form of this command to disable fastswitching.

ssg fastswitch
no ssg fastswitch

Syntax Description

This command has no arguments or keywords.

Defaults

Fastswitching is enabled by default.

Command Mode

Global configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Fastswitching must be enabled for the NRP-SSG to function.

Examples

The following example disables fastswitching:

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# no ssg fastswitch

Related Commands

None.

ssg maxservice

To set the maximum number of services per user, use the ssg maxservice global configuration command. Use the no form of the command to remove the maximum number of services per user from the running configuration and return it to the default.

ssg maxservice number
no ssg maxservice

Syntax Description

number

Maximum number of services per user. The minimum value is 0; the maximum is 20.

Defaults

The default maximum number of services per user is 20.

Command Mode

Global configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

Use this command to limit the number of services to which a user can be logged on simultaneously.

Examples

The following example sets the maximum number of services per user to 10.

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg maxservice 10

Related Commands

None.

ssg multicast

To enable the NRP-SSG's handling of multicast, use the ssg multicast global configuration command. Use the no form of this command to disable multicast.

ssg multicast
no ssg multicast

Syntax Description

This command has no arguments or keywords.

Defaults

The NRP-SSG's handling of multicast is disabled by default.

Command Mode

Global configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

When multicast is enabled, the NRP-SSG will forward multicast packets, which include normal multicast packets and IGMP packets, received on an uplink or downlink interface that has had a service bound to it to the IOS routing engine.

Examples

The following example enables multicast:

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg multicast

Related Commands

None.

ssg next-hop

To download the next-hop table from a RADIUS server, use the ssg next-hop global configuration command. Use the no form of this command to remove the command from the configuration.

ssg next-hop download [profile-name] [profile-password]
no ssg next-hop download [profile-name] [profile-password]

Syntax Description

download

Loads the next-hop table profile.

profile-name

(Optional) Profile name.

profile-password

(Optional) Profile password.

Defaults

If no profile name and password are provided, the previous profile specified with this command is downloaded. If no previous profile was specified, an error is generated.

Command Mode

Global configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

When this command is used, an entry is made in the running configuration. When the configuration is reloaded, the next-hop table is automatically downloaded. If the no form of this command is used to remove it from the running configuration, a next-hop table will not be automatically downloaded when the configuration is reloaded.

Examples

The following example downloads the next-hop table called MyProfile from a RADIUS server:

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg next-hop download MyProfile MyProfilePassword

Related Commands

Command Description

show ssg next-hop

Displays the next-hop table.

clear ssg next-hop

Removes the next-hop table.

ssg pass-through

To enable transparent passthrough, use the ssg pass-through global configuration command. Use the no form of this command to disable transparent passthrough.

ssg pass-through [filter {ip-access-list | ip-extended-access-list | access-list-name | download [profile-name | profile-name profile-password]} [downlink | uplink]}]
no ssg pass-through [filter {ip-access-list [downlink | uplink] | ip-extended-access-list [downlink | uplink] | access-list-name [downlink | uplink] | downlink | download [profile-name | profile-name profile-password] | uplink}}]

Syntax Description

filter

(Optional) Specify access control for packets.

ip-access-list

(Optional) IP access list (standard or extended).

ip-extended-access-list

(Optional) IP extended access list (standard or extended).

access-list-name

(Optional) Access list name.

download

(Optional) Load a service profile and use its filter(s) as default filter(s).

profile-name

(Optional) Service profile name.

profile-password

(Optional) Service profile password.

downlink

(Optional) Apply filter to downlink packets.

uplink

(Optional) Apply filter to uplink packets.

Defaults

Transparent passthrough is disabled by default.

Command Mode

Global configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Note      Transparent passthrough is supported only in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC.

Usage Guidelines

Use this command to enable transparent passthrough, if you want to allow unauthenticated traffic to pass through the NRP-SSG in either direction without modification. If you want all traffic to be authenticated by the NRP-SSG, use this command to disable transparent passthrough. You can use the filter option to prevent passthrough traffic from accessing the specified IP address and subnet mask combinations.

Use the no form of this command to remove a transparent passthrough filter that was configured at the command line. This will also remove it from the running configuration.

Examples

The following example downloads a transparent passthrough filter from the filter01 service profile:

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg pass-through filter download filter01 cisco
Radius reply received:
Created Upstream acl from it.
Loading default pass-through filter succeeded.

Related Commands

Command Description

show ssg pass-through-filter

Displays the downloaded filter for transparent passthrough.

clear ssg pass-through-filter

Removes the downloaded filter for transparent passthrough.

ssg radius-helper

To enable communications with the Cisco Service Selection Dashboard (SSD) and specify port numbers and secret keys for receiving packets, use the ssg radius-helper global configuration command. Use the no form of this command to disable communications with the Cisco SSD.

ssg radius-helper [acct-port port-number | auth-port port-number | acct-port port-number auth-port port-number | key key]
no ssg radius-helper [acct-port port-number | auth-port port-number | acct-port port-number auth-port port-number | key key]

Syntax Description

acct-port

(Optional) Specifies the UDP destination port for a RADIUS accounting server.

port-number

(Optional) Port number for accounting requests; the host is not used for accounting if set to 0. The default is 1646.

auth-port

(Optional) Specifies the UDP destination port for a RADIUS authentication server.

port-number

(Optional) Port number for authentication requests; the host is not used for authentication if set to 0. The default is 1645.

key

(Optional) Specifies the key shared with the RADIUS clients.

key

(Optional) Key shared with the RADIUS clients.

Defaults

The default port number for acct-port is 1646.
The default port number for auth-port is 1645.

Command Mode

Global configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

You must use this command to specify a key so that the NRP-SSG can communicate with the Cisco SSD.

Examples

The following example enables communication with the Cisco SSD:

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg radius-helper acct-port 1646 auth-port 1645
routerA(config)# ssg radius-helper key MyKey

Related Commands

None.

ssg service-password

To specify the password for downloading a service profile, use the ssg service-password global configuration command. Use the no form of this command to disable the password.

ssg service-password password
no ssg service-password password

Syntax Description

password

Service profile password.

Defaults

No default behavior or values.

Command Mode

Global configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

This command sets the password required to authenticate with the AAA server and download a service profile.

Examples

The following example sets the password for downloading a service profile:

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg service-password MyPassword

Related Commands

None.

ssg service-search-order

To specify the order in which NRP-SSG searches for a service profile, use the ssg service-search-order global configuration command. Use the no form of this command to disable the search order.

ssg service-search-order {local | remote | local remote | remote local}
no ssg service-search-order {local | remote | local remote | remote local}

Syntax Description

local

Search for service profiles in local Flash memory.

remote

Search for service profiles on a RADIUS server.

local remote

Search for service profiles in local Flash memory, then on a RADIUS server.

remote local

Search for service profiles on a RADIUS server, then in local Flash memory.

Defaults

The default search order is remote, that is, the NRP-SSG searches for service profiles on the RADIUS server.

Command Mode

Global configuration

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

The NRP-SSG can search for service profiles in local Flash memory, on a remote RADIUS server, or both. The possible search orders are:

Examples

The following example sets the search order to local remote, so that NRP-SSG will always look for service in Flash memory first, then on the RADIUS server:

routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg service-search-order local remote

Related Commands

Command Description

local-profile

Configures a local RADIUS service profile.

Debug Commands

This section documents new debug commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command references.

debug ssg ctrl-errors

To display all error messages for control modules, use the debug ssg ctrl-errors privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg ctrl-errors

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

This command displays error messages for the control modules, which includes all modules that manage the user authentication and service log on and log off (RADIUS, PPP, Subblock, and Accounting). An error message is the result of an error detected during normal execution.

Examples

The following output is generated by the debug ssg ctrl-errors command when a host logs on and logs off from a service:

routerA# debug ssg ctrl-errors
Mar 29 13:51:30 [192.168.5.1.15.21] 59:00:15:38:%VPDN-6-AUTHORERR:L2F NAS
LowSlot6 cannot locate a AAA server for Vi6 user User1
Mar 29 13:51:31 [192.168.5.1.15.21] 60:00:15:39:%LINEPROTO-5-UPDOWN:Line
protocol on Interface Virtual-Access6, changed state to down

Related Commands

Command Description

debug ssg ctrl-events

Displays all event messages for control modules.

debug ssg ctrl-packets

Displays packet contents handled by control modules.

debug ssg ctrl-events

To display all event messages for control modules, use the debug ssg ctrl-events privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg ctrl-events

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

This command displays event messages for the control modules, which includes all modules that manage the user authentication and service log on and log off (RADIUS, PPP, Subblock, and Accounting). An event message is an informational message generated during normal execution.

Examples

The following output is generated by the debug ssg ctrl-events command when a host logs on to a service:

routerA# debug ssg ctrl-events
Mar 16 16:20:30 [192.168.6.1.7.141] 799:02:26:51:SSG-CTL-EVN:Service logon is accepted.
Mar 16 16:20:30 [192.168.6.1.7.141] 800:02:26:51:SSG-CTL-EVN:Send cmd 11 to host 172.16.6.13. dst=192.168.100.24:36613

Related Commands

Command Description

debug ssg ctrl-errors

Displays all error messages for control modules.

debug ssg ctrl-packets

Displays packet contents handled by control modules.

debug ssg ctrl-packets

To display packet contents handled by control modules, use the debug ssg ctrl-packets privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg ctrl-packets

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

This command displays packet messages for the control modules, which includes all modules that manage the user authentication and service log on and log off (RADIUS, PPP, Subblock, and Accounting). A packet message displays the contents of a package.

Examples

The following output is generated by the debug ssg ctl-packets command when a host logs off from a service:

routerA# debug ssg ctrl-packets
Mar 16 16:23:38 [192.168.6.1.7.141] 968:02:30:00:SSG-CTL-PAK:Received Packet:
Mar 16 16:23:38 [192.168.6.1.7.141] 980:02:30:00:SSG-CTL-PAK:Sent packet:
Mar 16 16:23:39 [192.168.6.1.7.141] 991:02:30:00:SSG-CTL-PAK:
Mar 16 16:23:39 [192.168.6.1.7.141] 992:Received Packet:

Related Commands

Command Description

debug ssg ctrl-errors

Displays all error messages for control modules.

debug ssg ctrl-events

Displays all event messages for control modules.

debug ssg data

To display all data path packets, use the debug ssg data privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg data

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

This command displays packets for the data modules, which includes all modules that forward data packets (DHCP, DNS, tunneling, fastswitch, IP stream, and multicast).

Examples

The following output is generated by the debug ssg data command when a host logs on and logs off from a service:

routerA# debug ssg data
Mar 29 13:45:16 [192.168.5.1.15.21] 45:00:09:24:
SSG-DATA:PS-UP-SetPakOutput=1(Vi6:172.16.5.50->199.199.199.199)
Mar 29 13:45:16 [192.168.5.1.15.21] 46:00:09:24:
SSG-DATA:PS-DN-SetPakOutput=1(Fa0/0/0:171.69.2.132->172.16.5.50)
Mar 29 13:45:16 [192.168.5.1.15.21] 47:00:09:24:
SSG-DATA:FS-UP-SetPakOutput=1(Vi6:172.16.5.50->171.69.43.34)
Mar 29 13:45:16 [192.168.5.1.15.21] 48:00:09:24:

Related Commands

Command Description

debug ssg data-nat

Displays all data path packets for NAT processing.

debug ssg data-nat

To display all data path packets for NAT processing, use the debug ssg data-nat privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg data-nat

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

This command displays packets for the data modules, which includes all modules that forward NAT data packets.

Examples

The following output is generated by the debug ssg data-nat command when a host logs on and logs off from a service:

routerA# debug ssg data-nat
Mar 29 13:43:14 [192.168.5.1.15.21] 35:00:07:21:SSG-DATA:TranslateIP Dst
199.199.199.199->171.69.2.132
Mar 29 13:43:14 [192.168.5.1.15.21] 36:00:07:21:SSG-DATA:TranslateIP Src
171.69.2.132->199.199.199.199
Mar 29 13:43:30 [192.168.5.1.15.21] 39:00:07:38:SSG-DATA:TranslateIP Dst
199.199.199.199->171.69.2.132
Mar 29 13:43:30 [192.168.5.1.15.21] 40:00:07:38:SSG-DATA:TranslateIP Src
171.69.2.132->199.199.199.199

Related Commands

Command Description

debug ssg data

Displays all data path packets.

debug ssg errors

To display all error messages for the system modules, use the debug ssg errors privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg errors

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

This command displays error messages for the system modules, which include the basic IOS and other support modules (such as Object Model, Timeout, and Initialization). An error message is the result of an error detected during normal execution.

Examples

The following output is generated by the debug ssg errors command when a PPPoE client logs on with an incorrect password:

routerA# debug ssg errors
Mar 16 08:46:20 [192.168.6.1.7.141] 225:00:16:06:SSG:SSGDoAccounting:
reg_invoke_do_acct returns FALSE

Related Commands

Command Description

debug ssg events

Displays event messages for system modules.

debug ssg events

To display event messages for system modules, use the debug ssg events privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg events

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release Modification

12.0(3)DC

This command was first introduced.

Usage Guidelines

This command displays event messages for the system modules, which include the basic IOS modules and other support modules (such as Object Model, Timeout, and Initialization). An event message is an informational message during normal execution.

Examples

The following output is generated by the debug ssg events command when a PPPoE client logs in with the username "username" and the password "cisco:"

routerA# debug ssg events
Mar 16 08:39:39 [192.168.6.1.7.141] 167:00:09:24:%LINK-3-UPDOWN:
Interface Virtual-Access3, changed state to up
Mar 16 08:39:39 [192.168.6.1.7.141] 168:00:09:25:%LINEPROTO-5-UPDOWN:
Line protocol on Interface Virtual-Access3, changed state to up
Mar 16 08:39:40 [192.168.6.1.7.141] 169:00:09:26:%VPDN-6-AUTHORERR:L2F
NAS LowSlot7 cannot locate a AAA server for Vi3 user username
Mar 16 08:39:40 [192.168.6.1.7.141] 170:HostObject::HostObject:size = 256
Mar 16 08:39:40 [192.168.6.1.7.141] 171:HostObject::Reset
Mar 16 08:39:40 [192.168.6.1.7.141] 172:Service List:
Mar 16 08:39:40 [192.168.6.1.7.141] 175:Service = isp-1

Related Commands

Command Description

debug ssg errors

Displays all error messages for the system modules.

Glossary

AAA—Authentication, authorization, and accounting (pronounced "triple a").

DHCP—Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.

NRP—Node Route Processor. Cisco IOS software routing engine derived from the Cisco 7200 series technology. These router blades are part of the Cisco 6400 universal access concentrator. They enable the service provider to offer scalable Layer 3 services.

PPP—Point-to-Point Protocol. Successor to SLIP that provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. Whereas SLIP was designed to work with IP, PPP was designed to work with several network layer protocols, such as IP, IPX, and ARA. PPP also has built-in security mechanisms, such as CHAP and PAP. PPP relies on two protocols: LCP and NCP.

PTA—PPP termination aggregation. A method of aggregating IP traffic by terminating PPP sessions and aggregating the IP traffic into a single routing domain.

PTA-MD—PTA Multi-Domain. A method of aggregating IP traffic by terminating PPP sessions and aggregating the IP traffic into a VPN or multiple IP routing domains.

RADIUS—Remote Access Dial-In User Service. Database for authenticating modem and ISDN connections and for tracking connection time.

SNMP—Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP networks. SNMP provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.

SSD—The Service Selection Dashboard server is a customizable Web-based application that works with the Cisco SSG to allow end customers to log on to and disconnect from proxy and passthrough services through a standard Web browser. After the customer logs in to the service provider's network, an HTML Dashboard is populated with the services authorized for that user.

SSG—Service Selection Gateway. The Cisco SSG offers service providers a means for menu-based service selection. End users can select services from the Dashboard menu, and the Cisco SSG will set up and tear down proxy and passthrough network connections based on a user's selection. The Cisco SSG will account for the services selected so that service providers can bill for individual services.

TACACS+—Terminal Access Controller Access Control System Plus. Proprietary Cisco enhancement to Terminal Access Controller Access Control System (TACACS). Provides additional support for authentication, authorization, and accounting. TACACS is an authentication protocol, developed by the Defense Data Network (DDN) community, that provides remote access authentication and related services, such as event logging. User passwords are administered in a central database rather than in individual routers, providing an easily scalable network security solution.

UAC—Universal Access Concentrator. The Cisco 6400 UAC is a broadband concentrator that supports Cisco Systems' end-to-end ATM transmission services, PPP termination services, and tunneling services. The Cisco 6400 UAC is a new system consisting of an Asynchronous Transfer Mode (ATM) switching core and redundant routing engines.

UCP—User Control Point. Cisco UCP is a carrier-class service policy administration system that enables personalized IP services. Cisco UCP's distributed, fault-tolerant architecture integrates authentication, authorization, and accounting (AAA); roaming; and address management services into a service provider's operations support systems.


hometocprevnextglossaryfeedbacksearchhelp
Posted: Fri Jan 17 02:02:14 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.