Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S
Configuring ISG Port-Bundle Host Key
Downloads: The complete bookPDF (PDF - 5.68MB) | The complete bookePub (ePub - 1.23MB) | The complete bookMobi (Mobi - 2.46MB) | Feedback

Configuring ISG Port-Bundle Host Key

Contents

Configuring ISG Port-Bundle Host Key

The Intelligent Services Gateway (ISG) provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module describes how to configure the ISG Port-Bundle Host Key feature, which maps TCP packets from subscribers to a local IP address for the ISG and a range of ports. This mapping allows an external portal to identify the ISG from which a session originated.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for the ISG Port-Bundle Host Key Feature

  • The ISG Port-Bundle Host Key feature must be enabled separately at the portal and at all connected ISGs.

  • All ISG source IP addresses configured with the source command must be routable in the management network where the portal resides.

  • For each portal server, all connected ISGs must have the same port-bundle length.

  • The external portal must support port-bundle host keys and must be configured with the same port-bundle host key parameters.

Restrictions for the ISG Port-Bundle Host Key Feature

  • The ISG Port-Bundle Host Key feature uses TCP. Packets will not be mapped for a subscriber who does not send TCP traffic.

  • Specifying the ISG Port-Bundle Host Key feature in a user profile works only when the user profile is available prior to the arrival of IP packets; for example, for PPP sessions or for DHCP-initiated IP sessions with transparent autologon.

Information About ISG Port-Bundle Host Key

Overview of ISG Port-Bundle Host Key

The ISG Port-Bundle Host Key feature serves as an in-band signaling mechanism for session identification at external portals. TCP packets from subscribers are mapped to a local IP address for the ISG and a range of ports. This mapping allows the portal to identify the ISG from which the session originated. The mapping also identifies sessions uniquely even when subscribers have overlapping IP addresses. The ISG Port-Bundle Host Key feature enables a single portal to be deployed for multiple virtual routing and forwarding (VRF) instances even when there are subscribers with overlapping IP addresses.

Port-Bundle Host Key Mechanism

With the ISG Port-Bundle Host Key feature, an ISG performs Port-Address Translation (PAT) and Network Address Translation (NAT) on TCP traffic between the subscriber and the portal. When a subscriber TCP connection is set up, the ISG creates a port mapping that changes the source IP address to a configured ISG IP address and changes the source TCP port to a port allocated by the ISG. The ISG assigns a bundle of ports to each subscriber because one subscriber can have several simultaneous TCP sessions when accessing a web page. The assigned port-bundle host key, or a combination of the port bundle and the ISG source IP address, uniquely identifies each subscriber. The host key is carried in RADIUS packets sent between the portal server and the ISG in the Subscriber IP vendor-specific attribute (VSA). The table below describes the Subscriber IP VSA. When the portal server sends a reply to the subscriber, the ISG uses translation tables to identify the destination IP address and destination TCP port.

Table 1 Subscriber IP VSA Description

Attribute ID

Vendor ID

Subattribute ID and Type

Attribute Name

Attribute Data

26

9

250 Account-Info

Subscriber IP

S subscriber-ip-address [:port-bundle-number]

  • S—Account-Info code for subscriber IP.

  • subscriber-ip-address [:port-bundle-number]—The port-bundle number is used only if the ISG Port-Bundle Host Key feature is configured.

For each TCP session between a subscriber and the portal, the ISG uses one port from the port bundle as the port map. Individual port mappings are flagged as eligible for reuse on the basis of inactivity timers, but are not explicitly removed once assigned. The number of port bundles is limited per ISG address, but there is no limit to the number of ISG IP addresses that can be configured for port bundle usage.


Note


The ISG Port-Bundle Host Key feature assigns ISG IP addresses to the source IP in a round-robin fashion based on the available IP addresses and ports.


Port-Bundle Length

The port-bundle length is used to determine the number of ports in one bundle. By default, the port-bundle length is 4 bits. The maximum port-bundle length is 10 bits. See the table below for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. You may want to increase the port-bundle length when you see frequent error messages about running out of ports in a port bundle.

Table 2 Port-Bundle Lengths and Resulting Port-per-Bundle and Bundle-per-Group Values

Port-Bundle Length (in Bits)

Number of Ports per Bundle

Number of Bundles per Group (and per ISG Source IP Address)

0

1

64512

1

2

32256

2

4

16128

3

8

8064

4 (default)

16

4032

5

32

2016

6

64

1008

7

128

504

8

256

252

9

512

126

10

1024

63


Note


For each portal server, all connected ISGs must have the same port-bundle length, which must correspond to the configured value given in the portal server’s BUNDLE_LENGTH argument. If you change the port-bundle length on an ISG, be sure to make the corresponding change in the configuration on the portal.


Benefits of ISG Port-Bundle Host Key

Support for Overlapped Subscriber IP Addresses Extended to Include External Portal Usage

The ISG Port-Bundle Host Key feature enables external portal access regardless of the subscriber IP address or VRF membership. Without the use of port-bundle host keys, all subscribers accessing a single external portal must have unique IP addresses. Furthermore, because port-bundle host keys isolate VRF-specific addresses from the domain in which the portal resides, routing considerations are simplified.

Portal Provisioning for Subscriber and ISG IP Addresses No Longer Required

Without the ISG Port-Bundle Host Key feature, a portal must be provisioned for subscriber and ISG IP addresses before the portal is able to send RADIUS packets to the ISG or HTTP packets to subscribers. The ISG Port-Bundle Host Key feature eliminates the need to provision a portal to allow one portal server to serve multiple ISGs and one ISG to be served by multiple portal servers.

How to Configure ISG Port-Bundle Host Key

Enabling the ISG Port-Bundle Host Key Feature in a Service Policy Map

Perform this task to enable the ISG Port-Bundle Host Key feature in a service policy map. The ISG Port-Bundle Host Key feature will be applied to any subscriber who uses this service policy map.


Note


We recommend that you use a dedicated service policy for the feature. Do not share a policy with other ISG features.


SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    policy-map type service policy-name

    4.    ip portbundle

    5.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 policy-map type service policy-name


    Example:
    Router(config)# policy-map type service service1
     

    Creates or defines a service policy map, which is used to define an ISG service.

     
    Step 4 ip portbundle


    Example:
    Router(config-service-policymap)# ip portbundle
     

    Enables the ISG Port-Bundle Host Key feature for the service.

     
    Step 5 end


    Example:
    Router(config-service-policymap)# end
     

    (Optional) Returns to privileged EXEC mode.

     

    What to Do Next

    You may want to configure a method for activating the service policy map or service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module “Configuring ISG Subscriber Services.”

    Enabling the ISG Port-Bundle Host Key Feature in a User Profile or Service Profile on the AAA Server

    SUMMARY STEPS

      1.    Add the Port-Bundle Host Key attribute to the user or service profile.


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 Add the Port-Bundle Host Key attribute to the user or service profile.

      Example:
      26,9,1 = "ip:portbundle=enable"
       

      Enables the ISG Port-Bundle Host Key feature in the user or service profile.

       

      What to Do Next

      If you enabled the ISG Port-Bundle Host Key feature in a service profile, you may want to configure a method of activating the service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the “Configuring ISG Subscriber Services” module.

      Configuring Port-Bundle Host Key Parameters

      Perform this task to configure ISG Port-Bundle Host Key parameters and specify the interface for which ISG will use translation tables to derive the IP address and port number for downstream traffic.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    ip portbundle

        4.    match access-list access-list-number

        5.    length bits

        6.    source interface-type interface-number

        7.    exit

        8.    interface type number

        9.    ip portbundle outside

        10.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Router> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 configure terminal


        Example:
        Router# configure terminal
         

        Enters global configuration mode.

         
        Step 3 ip portbundle


        Example:
        Router(config)# ip portbundle
         

        Enters IP portbundle configuration mode.

         
        Step 4 match access-list access-list-number


        Example:
        Router(config-portbundle)# match access-list 101
         

        Specifies packets for port mapping by specifying an access list to compare against the subscriber traffic.

         
        Step 5 length bits


        Example:
        Router(config-portbundle)# length 5
         

        Specifies the ISG port-bundle length, which determines the number of ports per bundle and bundles per group.

        • The default number of bits is 4.

        • See the section “Port-Bundle Length” for more information.

         
        Step 6 source interface-type interface-number


        Example:
        Router(config-portbundle)# source loopback 0
         

        Specifies the interface for which the main IP address is mapped by ISG to the destination IP addresses in subscriber traffic.

        • We recommend that you use a loopback interface as the source interface.

         
        Step 7 exit


        Example:
        Router(config-portbundle)# exit
         

        Returns to global configuration mode.

         
        Step 8 interface type number


        Example:
        Router(config)# interface gigabitethernet 0/0/0
         

        Specifies an interface for configuration and enters the interface configuration mode.

         
        Step 9 ip portbundle outside


        Example:
        Router(config-if)# ip portbundle outside
         

        Configures ISG to reverse translate the destination IP address and TCP port to the actual subscriber IP address and TCP port for traffic going from the portal to the subscriber for the interface being configured.

         
        Step 10end


        Example:
        Router(config-if)# end
         

        Exits interface configuration mode.

         

        Verifying the ISG Port-Bundle Host Key Configuration

        SUMMARY STEPS

          1.    enable

          2.    show ip portbundle status [free | inuse]

          3.    show ip portbundle ip portbundle-ip-address bundle port-bundle-number

          4.    show subscriber session [detailed] [identifier identifier | uid session-id | username name]


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Router> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.

           
          Step 2 show ip portbundle status [free | inuse]


          Example:
          Router# show ip portbundle status free
           

          Displays information about ISG port-bundle groups.

           
          Step 3 show ip portbundle ip portbundle-ip-address bundle port-bundle-number


          Example:
          Router# show ip portbundle ip 10.10.10.10 bundle 65
           

          Displays information about a specific ISG port bundle.

           
          Step 4 show subscriber session [detailed] [identifier identifier | uid session-id | username name]


          Example:
          Router# show subscriber session detailed
           

          Displays ISG subscriber session information.

           

          Configuration Examples for ISG Port-Bundle Host Key

          Example: Configuring ISG Port-Bundle Host Key

          The following example shows how to apply the ISG Port-Bundle Host Key feature to all sessions:

          policy-map type service ISGPBHKService
           ip portbundle 
          ! 
          policy-map type control PBHKRule 
           class type control always event session-start 
            1 service-policy type service ISGPBHKService
          ! 
          service-policy type control PBHKRule 
          interface gigabitethernet0/0/0
           ip address 10.1.1.1 255.255.255.0
           ip portbundle outside
          !
          ip portbundle
           match access-list 101
           length 5
           source loopback 0

          Additional References

          Related Documents

          Technical Assistance

          Description

          Link

          The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

          http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

          Feature Information for ISG Port-Bundle Host Key

          The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

          Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

          Table 3 Feature Information for ISG Port-Bundle Host Key

          Feature Name

          Releases

          Feature Configuration Information

          ISG Port-Bundle Host Key

          Cisco IOS XE Release 2.2

          The ISG Port-Bundle Host Key feature serves as an in-band signaling mechanism for session identification at external portals. TCP packets from subscribers are mapped to a local IP address for the ISG and a range of ports. This mapping allows the portal to identify the ISG from which the session originated.