Cisco IOS Software Releases 12.2 Special and Early Deployments

SSG Port-Bundle Host Key



Note This document describes the SSG Port-Bundle Host Key feature in Cisco IOS Releases 12.2(16)B and 12.3(4)T. If you are running an earlier release of Cisco IOS software, refer to the "Service Selection Gateway" new-feature document for that release.


The SSG Port-Bundle Host Key feature enhances communication and functionality between the Service Selection Gateway (SSG) and the Cisco Subscriber Edge Services Manager (SESM) by introducing a mechanism that uses the host source IP address and source port to identify and monitor subscribers.

Feature History for the SSG Port-Bundle Host Key Feature

Release      Modification
12.2(2)B     This feature was introduced on the Cisco 6400 series.
12.2(13)T    This feature was integrated into Cisco IOS Release 12.2(13)T.
12.2(16)B    The command-line interface (CLI) was enhanced to simplify the configuration of this feature.
12.3(4)T     The CLI enhancements from 12.2(16)B were integrated into Cisco IOS Release 12.3(4)T.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for SSG Port-Bundle Host Key

Restrictions for SSG Port-Bundle Host Key

Information About SSG Port-Bundle Host Key

How to Configure SSG Port-Bundle Host Key

Configuration Examples for SSG Port-Bundle Host Key

Additional References

Command Reference

Prerequisites for SSG Port-Bundle Host Key

The SSG Port-Bundle Host Key feature requires Cisco Service Selection Dashboard (SSD) Release 3.0(1) or Cisco SESM Release 3.1(1). If you are using an earlier release of SSD, disable the SSG Port-Bundle Host Key feature using the no ssg port-map global configuration command.

A default network must be configured and routable from SSG in order for the following commands to be effective:

destination access-list

destination range (without an IP address specified)

You must enable Cisco Express Forwarding (CEF) on the router before SSG functionality can be enabled. You can disable CEF at the individual interface level without affecting SSG.

You must enable SSG by using the ssg enable command before you can configure the SSG Port-Bundle Host Key feature.

Restrictions for SSG Port-Bundle Host Key

The SSG Port-Bundle Host Key feature has the following restrictions:

The SSG Port-Bundle Host Key feature must be separately enabled at the SESM and at all connected SSGs.

The SSG Port-Bundle Host Key feature can be enabled or the port-bundle length can be changed only when there are no SSG host objects present.

All SSG source IP addresses configured with the source ip command must be routable in the management network where the SESM resides.

Overlapping subscriber IP addresses are supported only for hosts connected to SSG through routed point-to-point interfaces.

Overlapping IP users cannot come in on the same SSG downlink interface.

Overlapping IP users cannot be connected to the same service or to different services that are bound to the same uplink interface.

For each SESM server, all connected SSGs must have the same port-bundle length.

RFC 1483 or local bridged or routed clients cannot have overlapping IP addresses, even across different interfaces.

Information About SSG Port-Bundle Host Key

To configure the SSG Port-Bundle Host Key feature, you should understand the following concepts:

Overview of SSG

Host Key Mechanism

Local Forwarding

Benefits of SSG Port-Bundle Host Key

Overview of SSG

Service Selection Gateway (SSG) is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as digital subscriber lines, cable modems, or wireless to allow simultaneous access to network services.

SSG works in conjunction with the Cisco Service Selection Dashboard (SSD) or its successor product, the Cisco SESM. Together with the SESM or SSD, SSG provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with an SESM or SSD web application using a standard Internet browser.

Host Key Mechanism


Note All references to SESM also apply to SSD unless a clear distinction is made.


With the SSG Port-Bundle Host Key feature, SSG performs port-address translation (PAT) and network-address translation (NAT) on the HTTP traffic between the subscriber and the SESM server. When a subscriber sends an HTTP packet to the SESM server, SSG creates a port map that changes the source IP address to a configured SSG source IP address and changes the source TCP port to a port allocated by SSG. SSG assigns a bundle of ports to each subscriber because one subscriber can have several simultaneous TCP sessions when accessing a web page. The assigned host key, or combination of port bundle and SSG source IP address, uniquely identifies each subscriber. The host key is carried in RADIUS packets sent between the SESM server and SSG in the Subscriber IP vendor-specific attribute (VSA). Table 1 describes the Subscriber IP VSA. When the SESM server sends a reply to the subscriber, SSG translates the destination IP address and destination TCP port according to the port map.

Table 1 Subscriber IP VSA Description

Attr ID   Vendor ID   Sub Attr ID and Type   Attr Name       Sub Attr Data
26        9           250 Account-Info       Subscriber IP   S—Account-Info code for subscriber IP.
                                                             <subscriber IP address>:<port-bundle number>—The port-bundle number is used if the SSG Port-Bundle Host Key feature is configured.


For each TCP session between a subscriber and the SESM server, SSG uses one port from the port bundle as the port map. Port mappings are flagged as eligible for reuse on the basis of inactivity timers, but are not explicitly removed once assigned. The number of port bundles is limited, but you can assign multiple SSG source IP addresses to accommodate more subscribers.

SSG assigns the base port of the port bundle to a port map only if SSG has no state information for the subscriber or if the state of the subscriber has changed. When the SESM server sees the base port of a port bundle in the host key, SESM queries SSG for new subscriber state information.

Local Forwarding

When the SSG Port-Bundle Host Key feature is not configured, SSG local forwarding enables SSG to forward packets locally between any SSG hosts. When the SSG Port-Bundle Host Key feature is configured, local forwarding works only for SSG hosts that are connected to at least one common service. The hosts must be connected to a common service because if the destination host has an overlapping IP address, SSG will not know to which of the overlapping hosts to forward the traffic. In order for SSG to forward packets from one SSG host to another SSG host that has an overlapping IP address, the overlapping hosts cannot share any common services with the source host; otherwise, traffic is not guaranteed to go to the required host.

Benefits of SSG Port-Bundle Host Key

Support for Overlapped Subscriber IP Addresses Extended to Include SESM Usage

Without the SSG Port-Bundle Host Key feature, PPP users are allowed to have overlapped subscriber IP addresses, but they cannot use SSG to conduct service selection through the web-based SESM user interface.

With the SSG Port-Bundle Host Key feature, PPP users can have overlapped IP addresses while using SSG with SESM or SSD. The subscriber IP addresses are also not required to be routable within the service management network where the SESM server resides, because the host key enables support for private addressing schemes.

Cisco SESM Provisioning for Subscriber and SSG IP Addresses No Longer Required

Without the SSG Port-Bundle Host Key feature, SESM must be provisioned for subscriber and SSG IP addresses before SESM is able to send RADIUS packets to SSG or send HTTP packets to subscribers.

The SSG Port-Bundle Host Key feature eliminates the need to provision SESM in order to allow one SESM server to serve multiple SSGs and to allow one SSG to be served by multiple SESM servers.

Reliable and Just-in-Time Notification to Cisco SSD of Subscriber State Changes

Without the SSG Port-Bundle Host Key feature, SSG uses an asynchronous messaging mechanism to immediately notify the SESM server of subscriber state changes in SSG (such as session timeouts or idle timeout events).

The SSG Port-Bundle Host Key feature replaces the asynchronous messaging mechanism with an implicit and reliable notification mechanism that uses the base port of a port bundle to alert the SESM server of a state change. The SESM server can then query SSG for the true state of the subscriber and update the cached object or send the information back to the subscriber.

Support for Multiple Accounts for One Subscriber IP Address

To accommodate multiple users sharing a single PC, the SSG Port-Bundle Host Key feature supports multiple subaccounts, each with a different username under one subscriber. When the SESM server contacts SSG to log a new user in to an already logged-in account, SSG logs out the existing account and logs in the new user. In account switching, the port bundle and host object remain the same, but the content of the host object is changed according to the profile of the subaccount user.

How to Configure SSG Port-Bundle Host Key

This section contains the following procedures:

Configuring the SSG Port-Bundle Host Key (required)

Verifying the SSG Port-Bundle Host Key (optional)

Monitoring and Maintaining SSG Port-Bundle Host Key (optional)

Configuring the SSG Port-Bundle Host Key

To use SSG port-bundle host key functionality, you must enable the host key, specify the subscriber traffic to be port-mapped, and specify the SSG source IP addresses. You can also specify the port-bundle length. Perform this task to configure the SSG port-bundle host key functionality.

Port-Bundle Length

The port-bundle length is used to determine the number of bundles in one group and the number of ports in one bundle. By default, the port-bundle length is 4 bits. The maximum port-bundle length is 10 bits. See Table 2 for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. Increasing the port-bundle length can be useful when you see frequent error messages about running out of ports in a port bundle.

Table 2 Port-Bundle Lengths and Resulting Port-per-Bundle and Bundle-per-Group Values

Port-Bundle Length   Number of Ports   Number of Bundles per Group
(in bits)            per Bundle        (and per SSG Source IP Address)
0                    1                 64512
1                    2                 32256
2                    4                 16128
3                    8                 8064
4 (default)          16                4032
5                    32                2016
6                    64                1008
7                    128               504
8                    256               252
9                    512               126
10                   1024              63



Note For each SESM server, all connected SSGs must have the same port-bundle length, which must correspond to the configured value given in the SESM server's BUNDLE_LENGTH argument. If you change the port-bundle length on an SSG, be sure to make the corresponding change in the SESM configuration.


Prerequisites

The SSG Port-Bundle Host Key feature requires Cisco SSD Release 3.0(1) or Cisco SESM Release 3.1(1).

SUMMARY STEPS

1. enable

2. configure terminal

3. ip cef

4. ssg enable

5. ssg port-map

6. destination range port-range-start to port-range-end [ip ip-address]

7. destination access-list access-list-number

8. source ip {ip-address | interface}

9. length bits

DETAILED STEPS

Step 1
  Command or Action: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.

Step 2
  Command or Action: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command or Action: ip cef
  Example: Router(config)# ip cef
  Purpose: Enables CEF.

Step 4
  Command or Action: ssg enable
  Example: Router(config)# ssg enable
  Purpose: Enables SSG.

Step 5
  Command or Action: ssg port-map
  Example: Router(config)# ssg port-map
  Purpose: Enables the SSG port-bundle host key and enters SSG portmap configuration mode.

Step 6
  Command or Action: destination range port-range-start to port-range-end [ip ip-address]
  Example: Router(config-ssg-portmap)# destination range 8080 to 8081
  Purpose: Identifies packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic.
    • If the destination IP address is not configured, a default network must be configured and routable from SSG in order for this command to be effective.
    • If the destination IP address is not configured, any traffic going to the default network whose destination port falls within the destination port range will be port-mapped.
    • You can use multiple entries of the destination access-list and destination range commands. The port ranges and access lists are checked against the subscriber traffic in the order in which they were defined.

Step 7
  Command or Action: destination access-list access-list-number
  Example: Router(config-ssg-portmap)# destination access-list 100
  Purpose: Identifies packets for port-mapping by specifying an access list to compare against the subscriber traffic.
    • A default network must be configured and routable from SSG in order for this command to be effective.
    • You can use multiple entries of the destination access-list and destination range commands. The port ranges and access lists are checked in the order in which they are defined.

Step 8
  Command or Action: source ip {ip-address | interface}
  Example: Router(config-ssg-portmap)# source ip 10.0.50.1
  Purpose: Specifies an SSG source IP address. If you specify an interface instead of an IP address, SSG uses the main IP address of the specified interface.
    • You can use multiple entries of the source ip command.
    • All SSG source IP addresses configured using the source ip command must be routable in the management network where the SESM resides.

Step 9
  Command or Action: length bits
  Example: Router(config-ssg-portmap)# length 5
  Purpose: Modifies the port-bundle length, which is used to determine the number of ports per bundle and the number of bundles per group.
    • For more information about port-bundle length, see the "Port-Bundle Length" section.

Verifying the SSG Port-Bundle Host Key

Perform this task to verify SSG port-bundle host key configuration and functionality.

SUMMARY STEPS

1. show running-config

2. show ssg port-map status

3. show ssg port-map status [free | reserved | inuse]

4. show ssg port-map ip ip-address port port-number

DETAILED STEPS


Step 1 To verify the SSG Port-Bundle Host Key configuration, use the show running-config command in privileged EXEC mode.

Step 2 To display a summary of all port-bundle groups, use the show ssg port-map status command with no keywords:

Router# show ssg port-map status

Bundle-length = 4

Bundle-groups:-

IP Address              Free Bundles            Reserved Bundles         In-use Bundles
70.13.60.2                      4032                    0                      0

Step 3 Use the show ssg port-map status command with the free, reserved, or inuse keyword to display port bundles with the specified status:

Router# show ssg port-map status inuse

Bundle-group 70.13.60.2 has the following in-use port-bundles:-

Port-bundle             Subscriber Address              Interface

64                      10.10.3.1                       Virtual-Access2

Step 4 To display information about a specific port bundle, use the show ssg port-map ip command:

Router# show ssg port-map ip 70.13.60.2 port 64

State = IN-USE
Subscriber Address = 10.10.3.1
Downlink Interface = Virtual-Access2

Port-mappings:-

Subscriber Port:   3271                Mapped Port:   1024
Subscriber Port:   3272                Mapped Port:   1025
Subscriber Port:   3273                Mapped Port:   1026
Subscriber Port:   3274                Mapped Port:   1027
Subscriber Port:   3275                Mapped Port:   1028
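
The host-key arithmetic implied by the sample output above and by Table 2, as an added example that is not Cisco code. It assumes, from that output rather than from any documented formula, that mapped ports start at 1024 and that the port-bundle number is the mapped port shifted right by the bundle length; the `attribute` helper and the second in-use entry are constructed for illustration.

```python
from dataclasses import dataclass

# Assumption inferred from the page's sample output and Table 2, not a
# documented Cisco formula: mapped ports start at 1024, and with bundle
# length L the port-bundle number is the mapped port shifted right by L bits
# (bundle 64 <-> ports 1024-1039 at the default length of 4).
FIRST_PORT, LAST_PORT = 1024, 65535


def bundle_geometry(length_bits):
    """Return (ports per bundle, bundles per group) for a port-bundle length."""
    if not 0 <= length_bits <= 10:
        raise ValueError("port-bundle length must be 0-10 bits")
    ports = 1 << length_bits
    return ports, (LAST_PORT - FIRST_PORT + 1) // ports


@dataclass(frozen=True)
class HostKey:
    ssg_source_ip: str
    bundle: int
    base_port: int
    is_base_port: bool  # True: the port that prompts SESM to re-query SSG


def host_key(ssg_source_ip, mapped_port, length_bits=4):
    """Derive the host key from the translated source address seen by SESM."""
    bundle_geometry(length_bits)  # validates the length
    if not FIRST_PORT <= mapped_port <= LAST_PORT:
        raise ValueError(f"port {mapped_port} is outside the mapped range")
    bundle = mapped_port >> length_bits
    base = bundle << length_bits
    return HostKey(ssg_source_ip, bundle, base, mapped_port == base)


def attribute(requests, inuse, length_bits=4):
    """Attribute SESM-side requests to subscribers.

    requests: iterable of (source_ip, source_port) as logged on the SESM side.
    inuse:    {(ssg_source_ip, bundle): (subscriber_address, interface)},
              transcribed from 'show ssg port-map status inuse'.
    Returns a list of (HostKey, subscriber_address, interface). The last two
    are None when no in-use bundle matches (stale log line, wrong bundle
    length, or traffic that did not pass through SSG); the key is None too
    when the port cannot be a mapped port at all.
    """
    out = []
    for ip, port in requests:
        try:
            key = host_key(ip, port, length_bits)
        except ValueError:
            out.append((None, None, None))
            continue
        subscriber, interface = inuse.get((key.ssg_source_ip, key.bundle),
                                          (None, None))
        out.append((key, subscriber, interface))
    return out


# Constructed sample data. The first in-use entry and ports 1024-1028 are the
# values shown in the page's sample output; the second entry is invented to
# show two subscribers that share the same (overlapping) private address.
INUSE = {
    ("70.13.60.2", 64): ("10.10.3.1", "Virtual-Access2"),
    ("70.13.60.2", 65): ("10.10.3.1", "Virtual-Access3"),
}
REQUESTS = [("70.13.60.2", 1024), ("70.13.60.2", 1027),
            ("70.13.60.2", 1040), ("70.13.60.2", 2000), ("70.13.60.2", 80)]

if __name__ == "__main__":
    for bits in range(11):
        print(bits, *bundle_geometry(bits))
    for req, (key, sub, intf) in zip(REQUESTS, attribute(REQUESTS, INUSE)):
        print(req, key, sub, intf)
```

Two subscribers with the same private address are told apart only by the bundle number, which is why the subscriber address alone is not a usable identifier in SESM-side logs.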


Monitoring and Maintaining SSG Port-Bundle Host Key

Perform this task to monitor and maintain the SSG Port-Bundle Host Key feature. The commands do not have to be entered in a particular order.

SUMMARY STEPS

1. debug ssg port-map {events | packets}

2. clear ssg connection ip-address service-name [interface]

3. clear ssg host ip-address interface

4. show ssg connection ip-address service-name [interface]

5. show ssg host [ip-address [interface] | username]

6. show ssg port-map ip ip-address port port-number

7. show ssg port-map status [free | reserved | inuse]

8. show ssg interface [interface | brief]

9. show ssg summary

DETAILED STEPS

Step 1
  Command or Action: debug ssg port-map {events | packets}
  Example: Router# debug ssg port-map events
  Purpose: Displays debug messages for port-mapping.

Step 2
  Command or Action: clear ssg connection ip-address service-name [interface]
  Example: Router# clear ssg connection 10.18.1.1 Service1
  Purpose: Removes the connections of a given host and a service name.

Step 3
  Command or Action: clear ssg host ip-address interface
  Example: Router# clear ssg host 192.168.1.1 fastethernet
  Purpose: Removes or disables a given host or subscriber.

Step 4
  Command or Action: show ssg connection ip-address service-name [interface]
  Example: Router# show ssg connection 19.1.1.19 InstMsg
  Purpose: Displays the connections of a given host and a service name.

Step 5
  Command or Action: show ssg host [ip-address [interface] | username]
  Example: Router# show ssg host 10.3.1.1
  Purpose: Displays the information about a subscriber and current connections of the subscriber.

Step 6
  Command or Action: show ssg port-map ip ip-address port port-number
  Example: Router# show ssg port-map ip 10.13.60.2 port 64
  Purpose: Displays the following information about a port bundle:
    • Port maps in the port bundle
    • Subscriber's IP address
    • Interface through which the subscriber is connected

Step 7
  Command or Action: show ssg port-map status [free | reserved | inuse]
  Example: Router# show ssg port-map status
  Purpose: Displays information on port-bundle groups, including the following:
    • List of port-bundle groups
    • Port-bundle length
    • Number of free, reserved, and in-use port bundles in each group

Step 8
  Command or Action: show ssg interface [interface | brief]
  Example: Router# show ssg interface atm 3/0.10
  Purpose: Displays information about SSG interfaces.
    • Use this command without any keywords or arguments to display information about all SSG interfaces.

Step 9
  Command or Action: show ssg summary
  Example: Router# show ssg summary
  Purpose: Displays a summary of the SSG configuration.
    • Use this command to display information such as which SSG features are enabled, how many users are active, how many services are active, and what filters are active.
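
An added example, not part of the Cisco document, that parses show ssg port-map status output collected from several SSGs and reports bundle lengths that differ from the SESM BUNDLE_LENGTH value and groups that are running short of free bundles. The SSG names, the second output and the 10 percent threshold are constructed assumptions; the first output is the sample shown earlier on this page.

```python
import re

# One data row of the status table: group IP, free, reserved, in-use.
STATUS_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_port_map_status(text):
    """Parse 'show ssg port-map status' output.

    Returns (bundle_length, {group_ip: {"free": n, "reserved": n, "inuse": n}}).
    """
    m = re.search(r"Bundle-length\s*=\s*(\d+)", text)
    if m is None:
        raise ValueError("no Bundle-length line in the output")
    groups = {}
    for line in text.splitlines():
        row = STATUS_ROW.match(line)
        if row:
            free, reserved, inuse = (int(v) for v in row.groups()[1:])
            groups[row.group(1)] = {"free": free, "reserved": reserved,
                                    "inuse": inuse}
    return int(m.group(1)), groups


def audit(outputs, sesm_bundle_length, min_free_ratio=0.10):
    """Return a sorted list of (ssg, finding, detail) tuples.

    outputs: {ssg_name: cli_text}. min_free_ratio is a hypothetical alerting
    threshold, not a Cisco default.
    """
    findings = []
    for ssg, text in outputs.items():
        length, groups = parse_port_map_status(text)
        if length != sesm_bundle_length:
            findings.append((ssg, "length-mismatch",
                             f"SSG={length} SESM={sesm_bundle_length}"))
        if not groups:
            findings.append((ssg, "no-source-ip", "no bundle groups listed"))
        expected = 64512 >> length  # bundles per group, as in Table 2
        for ip, c in groups.items():
            total = c["free"] + c["reserved"] + c["inuse"]
            if total != expected:
                findings.append((ssg, "unexpected-group-size",
                                 f"{ip}: {total} bundles, expected {expected}"))
            if total and c["free"] / total < min_free_ratio:
                # Remedy described on the page: add another 'source ip'.
                findings.append((ssg, "low-free-bundles",
                                 f"{ip}: {c['free']} of {total} free"))
    return sorted(findings)


# Output for ssg-a is the sample from this page; ssg-b is constructed.
OUTPUTS = {
    "ssg-a": """Bundle-length = 4

Bundle-groups:-

IP Address              Free Bundles            Reserved Bundles         In-use Bundles
70.13.60.2                      4032                    0                      0
""",
    "ssg-b": """Bundle-length = 5

Bundle-groups:-

IP Address              Free Bundles            Reserved Bundles         In-use Bundles
10.0.50.1                        100                   16                   1900
""",
}

if __name__ == "__main__":
    for finding in audit(OUTPUTS, sesm_bundle_length=4):
        print(*finding, sep="  ")
```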

Configuration Examples for SSG Port-Bundle Host Key

This section contains the following example:

SSG Port-Bundle Host Key Configuration: Example

SSG Port-Bundle Host Key Configuration: Example

In the following example, packets that match the specified TCP port range or that are permitted by access list 100 will be port-mapped. Loopback interface 1 is specified as the SSG source IP address.

ssg port-map
 destination range 8080 to 10100 ip 10.13.6.100
 destination access-list 100
 source ip Loopback1

Additional References

The following sections provide references related to the SSG Port-Bundle Host Key feature.

Related Documents

Related Topic                Document Title

SSG commands                 Cisco IOS Wide-Area Networking Command Reference, Release 12.3 T

SSG configuration tasks      Service Selection Gateway, Release 12.3(4)T new-feature document
                             Service Selection Gateway Accounting Update Interval per Service, Release 12.2(13)T new-feature document
                             Service Selection Gateway Hierarchical Policing, Release 12.2(13)T new-feature document
                             SSG AutoDomain, Release 12.2(13)T new-feature document
                             SSG Autologoff Enhancement, Release 12.3(4)T new-feature document
                             SSG Autologon Using Proxy Radius, Release 12.2(13)T new-feature document
                             SSG Autologoff, Release 12.2(13)T new-feature document
                             SSG Proxy for CDMA2000, Release 12.3(4)T new-feature document
                             SSG Direction Configuration for Interfaces and Ranges, Release 12.3(4)T new-feature document
                             SSG EAP Transparency, Release 12.3(4)T new-feature document
                             SSG L2TP Dial-Out, Release 12.3(4)T new-feature document
                             SSG Open Garden, Release 12.2(13)T new-feature document
                             SSG Port-Bundle Host Key, Release 12.2(13)T new-feature document
                             SSG Prepaid, Release 12.2(13)T new-feature document
                             SSG Prepaid Idle Timeout, Release 12.3(4)T new-feature document
                             SSG Service Profile Caching, Release 12.3(4)T new-feature document
                             SSG Suppression of Unused Accounting Records, Release 12.3(4)T new-feature document
                             SSG TCP Redirect for Services, Release 12.2(13)T new-feature document
                             SSG Unconfig, Release 12.3(4)T new-feature document
                             SSG Unique Session ID, Release 12.3(4)T new-feature document

SESM                         Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide
                             Cisco Service Selection Dashboard Installation and Configuration Guide
                             Cisco Service Selection Dashboard Web Developer Guide

RADIUS commands              Cisco IOS Security Command Reference, Release 12.3 T

RADIUS configuration tasks   Cisco IOS Security Configuration Guide


Standards

No new or modified standards are supported by this feature. Support for existing standards has not been modified by this feature.


MIBs

No new or modified MIBs are supported by this feature. Support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs


RFCs

No new or modified RFCs are supported by this feature. Support for existing RFCs has not been modified by this feature.


Technical Assistance

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

Link: http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents new and replaced commands in Cisco IOS Releases 12.2(16)B and 12.3(4)T. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.

New Commands

destination access-list

destination range

length (SSG)

show ssg interface

show ssg summary

source ip

ssg port-map

Replaced Commands

Command in Cisco IOS Releases           Replacement Command Beginning in
12.2(4)B and 12.2(13)T                  Cisco IOS Releases 12.2(16)B and 12.3(4)T
ssg port-map destination access-list    destination access-list
ssg port-map destination range          destination range
ssg port-map enable                     ssg port-map
ssg port-map length                     length (SSG)
ssg port-map source ip                  source ip


destination access-list

To specify packets for port-mapping by specifying an access list to compare against the subscriber traffic, use the destination access-list command in SSG portmap configuration mode. To remove this specification, use the no form of this command.

destination access-list access-list-number

no destination access-list access-list-number

Syntax Description

access-list-number   Integer from 100 to 199 that is the number or name of an extended access list.


Defaults

SSG does not use an access list when port-mapping subscriber traffic.

Command Modes

SSG portmap configuration

Command History

Release      Modification
12.2(16)B    This command was introduced. This command replaces the ssg port-map destination access-list command.
12.3(4)T     This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

When the destination access-list command is configured, any traffic going to the default network and matching the access list will be port-mapped.


Note A default network must be configured and routable from SSG in order for this command to be effective.


You can use multiple entries of the destination access-list command. The access lists are checked against the subscriber traffic in the order in which they are defined.

Examples

In the following example, SSG will port-map packets that are permitted by access list 100:

ssg port-map 
 destination access-list 100
 source ip Ethernet0/0/0
!
.
.
.
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 host 70.13.6.100
access-list 100 deny   ip any any

Related Commands

Command              Description
destination range    Identifies packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic.
ssg port-map         Enables the SSG port-bundle host key and enters SSG portmap configuration mode.


destination range

To identify packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic, use the destination range command in SSG portmap configuration mode. To remove this specification, use the no form of this command.

destination range port-range-start to port-range-end [ip ip-address]

no destination range port-range-start to port-range-end [ip ip-address]

Syntax Description

port-range-start   Port number at the start of the TCP port range.
to                 Specifies the higher end of the TCP port range.
port-range-end     Port number at the end of the TCP port range.
ip ip-address      (Optional) Destination IP address in the packets.


Defaults

A TCP port range is not used in port-mapping subscriber traffic.

Command Modes

SSG portmap configuration

Command History

Release      Modification
12.2(16)B    This command was introduced. This command replaces the ssg port-map destination range command.
12.3(4)T     This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

If a destination IP address is not configured, a default network must be configured and routable from SSG in order for this command to be effective.

If the destination IP address is not configured, any traffic going to the default network whose destination port falls within the destination port range will be port-mapped.

You can use multiple entries of the destination range command. The port ranges are checked against the subscriber traffic in the order in which they were defined.

Examples

In the following example, SSG will port-map any packets that are going to the default network and have a destination port within the range from 8080 to 8081:

ssg port-map 
 destination range 8080 to 8081

Related Commands

Command                    Description
destination access-list    Specifies packets for port-mapping by specifying an access list to compare against the subscriber traffic.
ssg port-map               Enables the SSG port-bundle host key and enters SSG portmap configuration mode.


length (SSG)

To modify the port-bundle length upon the next Service Selection Gateway (SSG) reload, use the length command in SSG portmap configuration mode. To return the port-bundle length to the default value, use the no form of this command.

length bits

no length bits

Syntax Description

bits   Port-bundle length, in bits. The range is from 0 to 10 bits. The default is 4 bits.


Defaults

4 bits

Command Modes

SSG portmap configuration

Command History

Release      Modification
12.2(16)B    This command was introduced. This command replaces the ssg port-map length command.
12.3(4)T     This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

The port-bundle length is used to determine the number of bundles in one group and the number of ports in one bundle. By default, the port-bundle length is 4 bits. The maximum port-bundle length is 10 bits. See Table 3 for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. Increasing the port-bundle length can be useful when you see frequent error messages about running out of ports in a port bundle, but note that the new value does not take effect until SSG next reloads and Cisco Service Selection Dashboard (SSD) restarts.


Note For each Cisco SSD server, all connected SSGs must have the same port-bundle length.


Table 3 Port-Bundle Lengths and Resulting Port-per-Bundle and Bundle-per-Group Values

Port-Bundle Length   Number of Ports   Number of Bundles per Group
(in Bits)            per Bundle        (and per-SSG Source IP Address)
0                    1                 64512
1                    2                 32256
2                    4                 16128
3                    8                 8064
4 (default)          16                4032
5                    32                2016
6                    64                1008
7                    128               504
8                    256               252
9                    512               126
10                   1024              63


Examples

The following example results in 64 ports per bundle and 1008 bundles per group:

ssg port-map 
 length 6

Related Commands

Command         Description
source ip       Specifies SSG source IP addresses to which to map the destination IP addresses in subscriber traffic.
ssg port-map    Enables the SSG port-bundle host key and enters SSG portmap configuration mode.


show ssg interface

To display information about Service Selection Gateway (SSG) interfaces, use the show ssg interface command in user EXEC or privileged EXEC mode.

show ssg interface [interface | brief]

Syntax Description

interface   (Optional) Specific interface for which to display information.
brief       (Optional) Gives brief information about each of the SSG interfaces and their usage.


Command Modes

User EXEC
Privileged EXEC

Command History

Release      Modification
12.2(16)B    This command was introduced.
12.3(4)T     This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

Use this command without any keywords or arguments to display information about all SSG interfaces.

Examples

The following example shows the show ssg interface brief command:

Router# show ssg interface brief

Interface   Direction           bindingtype    Status
ATM3/0.1    Uplink              Dynamic        Up
ATM3/0.2    Downlink            Static         Down

Related Commands

Command               Description
show ssg binding      Displays service names that have been bound to interfaces and the IP addresses to which they have been bound.
show ssg direction    Displays the direction of all interfaces for which a direction has been specified.
show ssg summary      Displays a summary of the SSG configuration.


show ssg summary

To display a summary of the Service Selection Gateway (SSG) configuration, use the show ssg summary command in user EXEC or privileged EXEC mode.

show ssg summary

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC
Privileged EXEC

Command History

Release      Modification
12.2(16)B    This command was introduced.
12.3(4)T     This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

Use this command to display information such as which SSG features are enabled, how many users are active, how many services are active, and what filters are active.

Examples

The following example shows the show ssg summary command:

Router# show ssg summary

SSG Features Enabled:
TCP Redirect: Unauthenticated, Service, Captive portal.
QOS: User policing, Session Policing.
Host Key: Enabled

Related Commands

Command
Description

show ssg binding

Displays service names that have been bound to interfaces and the IP addresses to which they have been bound.

show ssg direction

Displays the direction of all interfaces for which a direction has been specified.

show ssg interface

Displays information about SSG interfaces.


source ip

To specify Service Selection Gateway (SSG) source IP addresses to which to map the destination IP addresses in subscriber traffic, use the source ip command in SSG portmap configuration mode. To remove this specification, use the no form of this command.

source ip {ip-address | interface}

no source ip {ip-address | interface}

Syntax Description

ip-address

SSG source IP address.

interface

Interface whose main IP address is used as the SSG source IP address.


Defaults

No default behavior or values.

Command Modes

SSG portmap configuration

Command History

Release
Modification

12.2(16)B

This command was introduced. This command replaces the ssg port-map source ip command.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

With the SSG Port-Bundle Host Key feature, SSG maps the destination IP addresses in subscriber traffic to specified SSG source IP addresses.

All SSG source IP addresses configured with the source ip command must be routable in the management network where the Cisco SSD or SESM resides.

If the interface for the source IP address is deleted, the port-map translations will not work correctly.

Because a subscriber can have several simultaneous TCP sessions when accessing a web page, SSG assigns a bundle of ports to each subscriber. Because the number of available port bundles is limited, you can assign multiple SSG source IP addresses (one for each group of port bundles). By default, each group has 4032 bundles, and each bundle has 16 ports. To modify the number of bundles per group and the number of ports per bundle, use the length command.

Examples

The following example shows the SSG source IP address specified with an IP address and with specific interfaces:

ssg port-map
 source ip 10.0.50.1
 source ip Ethernet 0/0/0
 source ip Loopback 1

Related Commands

Command
Description

length (SSG)

Modifies the port-bundle length upon the next SSG reload.

ssg port-map

Enables the SSG port-bundle host key and enters SSG portmap configuration mode.


ssg port-map

To enable the SSG port-bundle host key and enter SSG portmap configuration mode, use the ssg port-map command in global configuration mode. To disable the port-bundle host key feature, use the no form of this command.

ssg port-map

no ssg port-map

Syntax Description

This command has no arguments or keywords.

Defaults

The Port-Bundle Host Key feature is not enabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(16)B

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

This command will not take effect until the router has reloaded.

The SSG Port-Bundle Host Key feature requires Cisco Service Selection Dashboard (SSD) Release 3.0(1) or Cisco Subscriber Edge Services Manager (SESM) Release 3.1(1).

Examples

The following example shows how to enable the SSG port-bundle host key and enter SSG portmap configuration mode:

Router(config)# ssg port-map
Router(ssg-port-map)#

Related Commands

Command
Description

destination access-list

Specifies packets for port-mapping by specifying an access list to compare against the subscriber traffic.

destination range

Identifies packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic.

length (SSG)

Modifies the port-bundle length upon the next SSG reload.

source ip

Specifies SSG source IP addresses to which to map the destination IP addresses in subscriber traffic.


ssg port-map destination access-list


Note Effective with Cisco IOS Releases 12.2(16)B and 12.3(4)T, this command is replaced by the destination access-list command. See the destination access-list command page for more information.


To identify packets for port-mapping by specifying an access list to compare against the subscriber traffic, use the ssg port-map destination access-list command in global configuration mode. To remove this specification, use the no form of this command.

ssg port-map destination access-list access-list-number

no ssg port-map destination access-list access-list-number

Syntax Description

access-list-number

Integer from 100 to 199 that is the number or name of an extended access list.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)B

This command was introduced on the Cisco 6400 series.

12.2(4)B

Support for this command was added to other platforms.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(16)B

This command was replaced by the destination access-list command in Cisco IOS Release 12.2(16)B.

12.3(4)T

This command was replaced by the destination access-list command in Cisco IOS Release 12.3(4)T.


Usage Guidelines

When the ssg port-map destination access-list command is configured, any traffic going to the default network and matching the access list will be port-mapped.


Note A default network must be configured and routable from SSG in order for this command to be effective.


You can use multiple entries of the ssg port-map destination access-list command. The access lists are checked against the subscriber traffic in the order in which they are defined.

Examples

In the following example, packets permitted by access list 100 will be port-mapped:

ssg port-map enable
ssg port-map destination access-list 100
ssg port-map source ip Ethernet0/0/0
!
....
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 host 70.13.6.100
access-list 100 deny   ip any any
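
The following added example (not part of the Cisco documentation) models only the access-list step of the decision above: entries are evaluated top-down with wildcard masks, the first match decides, and no match falls through to the implicit deny. The function names and the second, constructed access list 101 are assumptions for illustration; the default-network condition is not modelled.

```python
import ipaddress

# ACL from the page's example (access list 100), copied verbatim.
PAGE_ACL = """\
access-list 100 permit ip 10.0.0.0 0.255.255.255 host 70.13.6.100
access-list 100 deny   ip any any
"""
# Constructed ACL (not from the page) showing that entry order matters.
ORDERED_ACL = """\
access-list 101 deny   ip host 10.0.0.9 any
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_spec(tokens):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_acl(config, number):
    """Return [(action, src_spec, dst_spec)] for 'permit|deny ip' entries."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue  # not an entry of the requested list
        if t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError("unsupported entry: " + line)
        try:
            src, rest = _take_spec(t[4:])
            dst, _ = _take_spec(rest)
        except IndexError:
            raise ValueError("incomplete entry: " + line)
        entries.append((t[2], src, dst))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (_ip(addr) & care) == (base & care)

def is_port_mapped(entries, src, dst):
    """First matching entry decides; no match means the implicit deny."""
    for action, src_spec, dst_spec in entries:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action == "permit"
    return False
```

Running candidate subscriber and destination addresses through `is_port_mapped` before deploying an access list shows whether only the intended management destination is port-mapped.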

Related Commands

Command
Description

ssg port-map destination range

Identifies packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic.


ssg port-map destination range


Note Effective with Cisco IOS Releases 12.2(16)B and 12.3(4)T, this command is replaced by the destination range command. See the destination range command page for more information.


To identify packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic, use the ssg port-map destination range command in global configuration mode. To remove this specification, use the no form of this command.

ssg port-map destination range from port-number-1 to port-number-2 [ip ip-address]

no ssg port-map destination range from port-number-1 to port-number-2 [ip ip-address]

Syntax Description

from

Specifies lower end of TCP port range.

port-number-1

Port number at lower end of TCP port range.

to

Specifies higher end of TCP port range.

port-number-2

Port number at higher end of TCP port range.

ip ip-address

(Optional) Destination IP address in the packets.


Defaults

If an IP address is not specified, Service Selection Gateway (SSG) will allow any destination IP address in the subscriber traffic to be port-mapped, as long as the packets match the specified port ranges.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)B

This command was introduced on the Cisco 6400 series.

12.2(4)B

Support for this command was added to other platforms.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(16)B

This command was replaced by the destination range command in Cisco IOS Release 12.2(16)B.

12.3(4)T

This command was replaced by the destination range command in Cisco IOS Release 12.3(4)T.


Usage Guidelines

If the destination IP address is not configured, a default network must be configured and routable from SSG in order for this command to be effective.

If the destination IP address is not configured, any traffic going to the default network with a destination port that falls into the destination port range will be port-mapped.

You can use multiple entries of the ssg port-map destination range command. The port ranges are checked against the subscriber traffic in the order in which they were defined.

Examples

In the following example, packets that are going to the default network and have a destination port within the range from 8080 to 8081 will be port-mapped:

Router(config)# ssg port-map destination range from 8080 to 8081

Related Commands

Command
Description

ssg port-map destination access-list

Identifies packets for port-mapping by specifying an access list to compare against the subscriber traffic.


ssg port-map enable


Note Effective with Cisco IOS Releases 12.2(16)B and 12.3(4)T, this command is replaced by the ssg port-map command. See the ssg port-map command page for more information.


To enable the Service Selection Gateway (SSG) port-bundle host key, use the ssg port-map enable command in global configuration mode. To disable the SSG port-bundle host key, use the no form of this command.

ssg port-map enable

no ssg port-map enable

Syntax Description

This command has no arguments or keywords.

Defaults

SSG port-bundle host key is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)B

This command was introduced on the Cisco 6400 series.

12.2(4)B

Support for this command was added to other platforms.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(16)B

This command was replaced by the ssg port-map command in Cisco IOS Release 12.2(16)B.

12.3(4)T

This command was replaced by the ssg port-map command in Cisco IOS Release 12.3(4)T.


Usage Guidelines

This command will not take effect until the router has been reloaded.

The SSG Port-Bundle Host Key feature requires Cisco Service Selection Dashboard (SSD) Release 3.0(1) or Cisco Subscriber Edge Services Manager (SESM) Release 3.1(1). If you are using an earlier release of SSD, use the no ssg port-map enable command to disable the SSG Port-Bundle Host Key feature.

Examples

The following example shows how to enable the SSG port-bundle host key:

Router(config)# ssg port-map enable

Related Commands

Command
Description

ssg port-map destination access-list

Identifies packets for port-mapping by specifying an access list to compare against the subscriber traffic.

ssg port-map destination range

Identifies packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic.

ssg port-map source ip

Specifies SSG source IP addresses to which to map the destination IP addresses in subscriber traffic.


ssg port-map length


Note Effective with Cisco IOS Releases 12.2(16)B and 12.3(4)T, this command is replaced by the length command. See the length (SSG) command page for more information.


To modify the port-bundle length upon the next Service Selection Gateway (SSG) reload, use the ssg port-map length command in global configuration mode. To return the port-bundle length to the default value, use the no form of this command.

ssg port-map length bits

no ssg port-map length bits

Syntax Description

bits

Port-bundle length, in bits. The maximum port-bundle length is 10 bits.


Defaults

4 bits

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)B

This command was introduced on the Cisco 6400 series.

12.2(4)B

Support for this command was added to other platforms.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(16)B

This command was replaced by the length command in Cisco IOS Release 12.2(16)B.

12.3(4)T

This command was replaced by the length command in Cisco IOS Release 12.3(4)T.


Usage Guidelines

The port-bundle length is used to determine the number of bundles in one group and the number of ports in one bundle. By default, the port-bundle length is 4 bits. The maximum port-bundle length is 10 bits. See Table 4 for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. Increasing the port-bundle length can be useful when you see frequent error messages about running out of ports in a port bundle, but note that the new value does not take effect until SSG next reloads and Cisco Service Selection Dashboard (SSD) restarts.


Note For each Cisco SSD server, all connected SSGs must have the same port-bundle length.


Table 4 Port-Bundle Lengths and Resulting Port-per-Bundle and Bundle-per-Group Values

Port-Bundle Length   Number of Ports   Number of Bundles per Group
(in Bits)            per Bundle        (and per SSG Source IP Address)
0                    1                 64512
1                    2                 32256
2                    4                 16128
3                    8                 8064
4 (default)          16                4032
5                    32                2016
6                    64                1008
7                    128               504
8                    256               252
9                    512               126
10                   1024              63


Examples

The following example results in 64 ports per bundle and 1008 bundles per group:

Router(config)# ssg port-map length 6
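
The following added example (not part of the Cisco documentation) turns Table 4 into a sizing check: it picks the smallest port-bundle length whose bundle holds a subscriber's peak number of simultaneous port-mapped TCP sessions, then counts the SSG source IP addresses needed at one group of bundles per address. The function names and the peak-session input are assumptions; one bundle per subscriber is taken from the usage guidelines.

```python
import math

LENGTH0_BUNDLES = 64512   # bundles per group at length 0 (Table 4)
MAX_LENGTH_BITS = 10      # maximum port-bundle length stated on the page

def bundle_geometry(bits):
    """Return (ports_per_bundle, bundles_per_group) for a length in bits."""
    if not isinstance(bits, int) or not 0 <= bits <= MAX_LENGTH_BITS:
        raise ValueError("port-bundle length must be an integer from 0 to 10")
    # Each extra bit doubles the ports per bundle and halves the bundles.
    return 1 << bits, LENGTH0_BUNDLES >> bits

def plan_port_bundles(subscribers, peak_tcp_sessions):
    """Size the length and the number of SSG source IP addresses.

    Assumes one bundle per subscriber and that peak_tcp_sessions is the
    largest number of simultaneous port-mapped TCP sessions of any one
    subscriber (a planner-supplied estimate, not a value from the page).
    """
    if subscribers < 1 or peak_tcp_sessions < 1:
        raise ValueError("subscribers and peak_tcp_sessions must be >= 1")
    for bits in range(MAX_LENGTH_BITS + 1):
        ports, bundles = bundle_geometry(bits)
        if ports >= peak_tcp_sessions:
            return {
                "length_bits": bits,
                "ports_per_bundle": ports,
                "bundles_per_group": bundles,
                # One group of bundles per configured source IP address.
                "source_ips": math.ceil(subscribers / bundles),
            }
    raise ValueError("no length up to 10 bits gives that many ports per bundle")

def lengths_consistent(ssg_lengths):
    """True when all SSGs attached to one SSD server share one length.

    ssg_lengths maps an SSG name (hypothetical labels) to its length in bits.
    """
    return len(set(ssg_lengths.values())) <= 1
```

For 10000 subscribers with up to 40 simultaneous sessions each, the plan is a length of 6 bits and 10 source IP addresses, since one address at that length covers only 1008 subscribers.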

Related Commands

Command
Description

show ssg port-map status

Displays information on port bundles, including the port-bundle length.


ssg port-map source ip


Note Effective with Cisco IOS Releases 12.2(16)B and 12.3(4)T, this command is replaced by the source ip command. See the source ip command page for more information.


To specify Service Selection Gateway (SSG) source IP addresses to which to map the destination IP addresses in subscriber traffic, use the ssg port-map source ip command in global configuration mode. To remove this specification, use the no form of this command.

ssg port-map source ip {ip-address | interface}

no ssg port-map source ip {ip-address | interface}

Syntax Description

ip-address

SSG source IP address.

interface

Interface whose main IP address is used as the SSG source IP address.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)B

This command was introduced on the Cisco 6400 series.

12.2(4)B

Support for this command was added to other platforms.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(16)B

This command was replaced by the source ip command in Cisco IOS Release 12.2(16)B.

12.3(4)T

This command was replaced by the source ip command in Cisco IOS Release 12.3(4)T.


Usage Guidelines

With the SSG Port-Bundle Host Key feature, SSG maps the destination IP addresses in subscriber traffic to specified SSG source IP addresses.

All SSG source IP addresses configured with the ssg port-map source ip command must be routable in the management network where the Cisco SSD resides.

If the interface for the source IP address is deleted, the port-map translations will not work correctly.

Because a subscriber can have several simultaneous TCP sessions when accessing a web page, SSG assigns a bundle of ports to each subscriber. Because the number of available port bundles is limited, you can assign multiple SSG source IP addresses (one for each group of port bundles). By default, each group has 4032 bundles, and each bundle has 16 ports. To modify the number of bundles per group and the number of ports per bundle, use the ssg port-map length command in global configuration mode.

Examples

The following example shows the SSG source IP address specified with an IP address and with specific interfaces:

Router(config)# ssg port-map source ip 10.0.50.1
Router(config)# ssg port-map source ip Ethernet0/0/0
Router(config)# ssg port-map source ip Loopback 1

Related Commands

Command
Description

ssg port-map length

Modifies the port-bundle length upon the next SSG reload.