Configuring ISG Port-Bundle Host Key
First Published: March 20, 2006
Last Updated: March 2, 2009
Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module contains information on how to configure ISG port-bundle host key functionality, which maps TCP packets from subscribers to a local IP address for the ISG gateway and a range of ports. This mapping allows an external portal to identify the ISG gateway from which a session originated.
Finding Feature Information
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for ISG Port-Bundle Host Key" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for the ISG Port-Bundle Host Key Feature
• Restrictions for the ISG Port-Bundle Host Key Feature
• Information About ISG Port-Bundle Host Key
• How to Configure ISG Port-Bundle Host Key
• Configuration Examples for ISG Port-Bundle Host Key
• Additional References
• Feature Information for ISG Port-Bundle Host Key
Prerequisites for the ISG Port-Bundle Host Key Feature
For information about release and platform requirements, see the "Feature Information for ISG Port-Bundle Host Key" section.
The external portal must support port-bundle host keys and must be configured with the same port-bundle host key parameters.
Restrictions for the ISG Port-Bundle Host Key Feature
The following restrictions apply to the ISG Port-Bundle Host Key feature:
• The ISG Port-Bundle Host Key feature must be separately enabled at the portal and at all connected ISGs.
• All ISG source IP addresses configured with the source command must be routable in the management network where the portal resides.
• For each portal server, all connected ISGs must have the same port-bundle length.
• The ISG Port-Bundle Host Key feature uses TCP. Packets will not be mapped for a subscriber who is not sending TCP traffic.
• Specifying the Port-Bundle Host Key feature in a user profile will work only when the user profile is available prior to the arrival of IP packets; for example, for PPP sessions or for DHCP-initiated IP sessions with transparent autologon.
Information About ISG Port-Bundle Host Key
Before you configure the ISG Port-Bundle Host Key feature, you should understand the following concepts:
• Overview of ISG Port-Bundle Host Key
• Port-Bundle Host Key Mechanism
• Benefits of ISG Port-Bundle Host Key
Overview of ISG Port-Bundle Host Key
The ISG Port-Bundle Host Key feature serves as an in-band signaling mechanism for session identification at external portals. TCP packets from subscribers are mapped to a local IP address for the ISG gateway and a range of ports. This mapping allows the portal to identify the ISG gateway from which the session originated. The mapping also identifies sessions uniquely even when subscribers have overlapping IP addresses. The ISG Port-Bundle Host Key feature enables a single portal to be deployed for multiple VRFs even when there are subscribers with overlapping IP addresses.
Port-Bundle Host Key Mechanism
With the ISG Port-Bundle Host Key feature, an ISG performs Port-Address Translation (PAT) and Network Address Translation (NAT) on the TCP traffic between the subscriber and the portal. When a subscriber TCP connection is set up, the ISG creates a port mapping that changes the source IP address to a configured ISG IP address and changes the source TCP port to a port allocated by the ISG. The ISG assigns a bundle of ports to each subscriber because one subscriber can have several simultaneous TCP sessions when accessing a web page. The assigned port-bundle host key, or combination of port bundle and ISG source IP address, uniquely identifies each subscriber. The host key is carried in RADIUS packets sent between the portal server and the ISG in the Subscriber IP vendor-specific attribute (VSA). Table 1 describes the Subscriber IP VSA. When the portal server sends a reply to the subscriber, the ISG uses the translation tables to identify the destination IP address and destination TCP port.
Table 1 Subscriber IP VSA Description
Attr ID | Vendor ID | Subattr ID and Name | Subattr Name | Subattr Data
26 | 9 | 250 Account-Info | Subscriber IP | S subscriber-ip-address [:port-bundle-number]. S: the Account-Info code for subscriber IP. subscriber-ip-address:port-bundle-number: the port-bundle number is present only if the ISG Port-Bundle Host Key feature is configured.
For each TCP session between a subscriber and the portal, the ISG uses one port from the port bundle as the port map. Individual port mappings are flagged as eligible for reuse on the basis of inactivity timers, but are not explicitly removed once assigned. The number of port bundles is limited per ISG address, but there is no limit to the number of ISG IP addresses that can be configured for port bundle usage.
Port-Bundle Length
The port-bundle length is used to determine the number of ports in one bundle. By default, the port-bundle length is four bits. The maximum port-bundle length is ten bits. See Table 2 for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. You may want to increase the port-bundle length when you see frequent error messages about running out of ports in a port bundle.
Table 2 Port-Bundle Lengths and Resulting Port-per-Bundle and Bundle-per-Group Values
Port-Bundle Length (in bits) | Number of Ports per Bundle | Number of Bundles per Group (and per ISG Source IP Address)
0 | 1 | 64512
1 | 2 | 32256
2 | 4 | 16128
3 | 8 | 8064
4 (default) | 16 | 4032
5 | 32 | 2016
6 | 64 | 1008
7 | 128 | 504
8 | 256 | 252
9 | 512 | 126
10 | 1024 | 63
Note For each portal server, all connected ISGs must have the same port-bundle length, which must correspond to the configured value given in the portal server's BUNDLE_LENGTH argument. If you change the port-bundle length on an ISG, be sure to make the corresponding change in the configuration on the portal.
Note The Cisco ASR 1000 series routers support a maximum port-bundle length of 7.
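As an added example (not part of the Cisco documentation), the following Python reproduces the Table 2 arithmetic, parses the Subscriber IP Account-Info value described in Table 1, and checks that every ISG attached to a portal uses the portal's BUNDLE_LENGTH. It assumes that the 64512 mappable ports are ports 1024 through 65535 and that the bundle number of a translated port is that port with its low length bits dropped (so bundle 65 at the default length covers ports 1040 to 1055); the page does not state the allocation scheme, so both points are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Values taken from the page (Table 2 and the notes that follow it).
MAX_LENGTH = 10            # maximum port-bundle length in bits
MAPPABLE_PORTS = 64512     # bundles per group at length 0 (Table 2)
# ASSUMPTION: 64512 = 65536 - 1024, i.e. ports 0-1023 are never used for mappings.
FIRST_MAPPABLE_PORT = 65536 - MAPPABLE_PORTS

def ports_per_bundle(length: int) -> int:
    """Ports in one bundle for a port-bundle length in bits (Table 2, column 2)."""
    if not 0 <= length <= MAX_LENGTH:
        raise ValueError(f"port-bundle length must be 0..{MAX_LENGTH} bits, got {length}")
    return 1 << length

def bundles_per_group(length: int) -> int:
    """Bundles per group, i.e. per ISG source IP address (Table 2, column 3)."""
    return MAPPABLE_PORTS // ports_per_bundle(length)

def bundle_for_port(translated_port: int, length: int) -> int:
    """Bundle number that a translated source port belongs to.
    ASSUMPTION: the bundle number is the port with its low 'length' bits dropped."""
    if not FIRST_MAPPABLE_PORT <= translated_port <= 65535:
        raise ValueError(f"port {translated_port} is outside the mappable range")
    return translated_port >> length

def bundle_port_range(bundle: int, length: int) -> Tuple[int, int]:
    """First and last port of a bundle, under the same assumption as bundle_for_port."""
    first = bundle << length
    return first, first + ports_per_bundle(length) - 1

# Table 1 format: "S subscriber-ip-address [:port-bundle-number]"; whitespace after S is tolerated.
_VSA_RE = re.compile(r"^S\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<bundle>\d+))?$")

def parse_subscriber_ip_vsa(value: str) -> Tuple[str, Optional[int]]:
    """Split a Subscriber IP Account-Info value into (subscriber IP, bundle number or None)."""
    m = _VSA_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a Subscriber IP Account-Info value: {value!r}")
    bundle = int(m["bundle"]) if m["bundle"] is not None else None
    return str(ipaddress.IPv4Address(m["ip"])), bundle

def length_mismatches(isg_lengths: Dict[str, int], portal_length: int) -> List[str]:
    """ISGs whose port-bundle length differs from the portal's BUNDLE_LENGTH (all must match)."""
    return sorted(isg for isg, bits in isg_lengths.items() if bits != portal_length)
```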
Benefits of ISG Port-Bundle Host Key
Support for Overlapped Subscriber IP Addresses Extended to Include External Portal Usage
The ISG Port-Bundle Host Key feature enables external portal access regardless of subscriber IP address or VRF membership. Without the use of port-bundle host keys, all subscribers accessing a single external portal must have unique IP addresses. Furthermore, since port-bundle host keys isolate VRF-specific addresses from the domain in which the portal resides, routing considerations are simplified.
Portal Provisioning for Subscriber and ISG IP Addresses No Longer Required
Without the ISG Port-Bundle Host Key feature, a portal must be provisioned for subscriber and ISG IP addresses before the portal is able to send RADIUS packets to the ISG or send HTTP packets to subscribers. The ISG Port-Bundle Host Key feature eliminates the need to provision a portal in order to allow one portal server to serve multiple ISGs and to allow one ISG to be served by multiple portal servers.
How to Configure ISG Port-Bundle Host Key
Perform the following tasks to configure the ISG Port-Bundle Host Key feature:
• Enabling the ISG Port-Bundle Host Key Feature in a Service Policy Map
• Enabling the ISG Port-Bundle Host Key Feature in a User Profile or Service Profile on the AAA Server
• Configuring Port-Bundle Host Key Parameters
• Verifying ISG Port-Bundle Host Key Configuration
Enabling the ISG Port-Bundle Host Key Feature in a Service Policy Map
Perform this task to enable the ISG Port-Bundle Host Key feature in a service policy map. The ISG Port-Bundle Host Key feature will be applied to any subscriber who uses this service policy map.
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map type service policy-name
4. ip portbundle
5. end
DETAILED STEPS
Step | Command or Action | Example | Purpose
1 | enable | Router> enable | Enables privileged EXEC mode. Enter your password if prompted.
2 | configure terminal | Router# configure terminal | Enters global configuration mode.
3 | policy-map type service policy-name | Router(config)# policy-map type service service1 | Creates or defines a service policy map, which is used to define an ISG service.
4 | ip portbundle | Router(config-service-policymap)# ip portbundle | Enables the ISG Port-Bundle Host Key feature for the service.
5 | end | Router(config-service-policymap)# end | (Optional) Returns to privileged EXEC mode.
What to Do Next
You may want to configure a method of activating the service policy map or service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services."
Enabling the ISG Port-Bundle Host Key Feature in a User Profile or Service Profile on the AAA Server
Perform this task to enable the ISG Port-Bundle Host Key feature in a user profile or service profile on the AAA server.
SUMMARY STEPS
1. Add the Port-Bundle Host Key attribute to the user or service profile.
DETAILED STEPS
Step | Command or Action | Example | Purpose
1 | Add the Port-Bundle Host Key attribute to the user or service profile. | 26,9,1 = "ip:portbundle=enable" | Enables the ISG Port-Bundle Host Key feature in the user or service profile.
What to Do Next
If you enabled the ISG Port Bundle Host Key feature in a service profile, you may want to configure a method of activating the service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services."
Configuring Port-Bundle Host Key Parameters
Perform this task to configure ISG Port-Bundle Host Key parameters and specify the interface for which ISG will use translation tables to derive the IP address and port number for downstream traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip portbundle
4. match access-list access-list-number
5. length bits
6. source interface-type interface-number
7. exit
8. interface type number
9. ip portbundle outside
DETAILED STEPS
Step | Command or Action | Example | Purpose
1 | enable | Router> enable | Enables privileged EXEC mode. Enter your password if prompted.
2 | configure terminal | Router# configure terminal | Enters global configuration mode.
3 | ip portbundle | Router(config)# ip portbundle | Enters IP portbundle configuration mode.
4 | match access-list access-list-number | Router(config-portbundle)# match access-list 101 | Specifies the packets to be port-mapped by naming an access list that is compared against the subscriber traffic.
5 | length bits | Router(config-portbundle)# length 5 | Specifies the ISG port-bundle length, which determines the number of ports per bundle and bundles per group. See the "Port-Bundle Length" section for more information. The default is 4. The Cisco ASR 1000 series routers support a maximum port-bundle length of 7.
6 | source interface-type interface-number | Router(config-portbundle)# source loopback 0 | Specifies the interface whose main IP address ISG will map to the destination IP addresses in subscriber traffic. A loopback interface is recommended as the source interface.
7 | exit | Router(config-portbundle)# exit | Returns to global configuration mode.
8 | interface type number | Router(config)# interface gigabitethernet 0/0/0 | Specifies an interface for configuration.
9 | ip portbundle outside | Router(config-if)# ip portbundle outside | Configures ISG to reverse-translate the destination IP address and TCP port back to the actual subscriber IP address and TCP port for traffic going from the portal to the subscriber on the interface being configured.
Verifying ISG Port-Bundle Host Key Configuration
Perform this task to display information about ISG port-bundle host key configuration.
SUMMARY STEPS
1. enable
2. show ip portbundle status [free | inuse]
3. show ip portbundle ip portbundle-ip-address bundle port-bundle-number
4. show subscriber session [detailed] [identifier identifier | uid session-id | username name]
DETAILED STEPS
Step | Command or Action | Example | Purpose
1 | enable | Router> enable | Enables privileged EXEC mode. Enter your password if prompted.
2 | show ip portbundle status [free | inuse] | Router# show ip portbundle status free | Displays information about ISG port-bundle groups.
3 | show ip portbundle ip portbundle-ip-address bundle port-bundle-number | Router# show ip portbundle ip 10.10.10.10 bundle 65 | Displays information about a specific ISG port bundle.
4 | show subscriber session [detailed] [identifier identifier | uid session-id | username name] | Router# show subscriber session detailed | Displays ISG subscriber session information.
Configuration Examples for ISG Port-Bundle Host Key
This section contains the following example:
• ISG Port-Bundle Host Key Configuration: Example
ISG Port-Bundle Host Key Configuration: Example
The following example shows how to configure the ISG Port-Bundle Host Key feature to apply to all sessions:
policy-map type service ISGPBHKService
 ip portbundle
!
policy-map type control PBHKRule
 class type control always event session-start
  1 service-policy type service ISGPBHKService
!
service-policy type control PBHKRule
!
interface gigabitethernet0/0/0
 ip address 10.1.1.1 255.255.255.0
 ip portbundle outside
Additional References
The following sections provide references related to the ISG Port-Bundle Host Key feature.
Related Documents
Related Topic | Document Title
ISG commands | Cisco IOS Intelligent Services Gateway Command Reference
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for ISG Port-Bundle Host Key
Table 3 lists the features in this module and provides links to specific configuration information. For information about a feature in this technology that is not documented here, see the "Intelligent Services Gateway Features Roadmap."
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 3 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
Table 3 Feature Information for ISG Port-Bundle Host Key
Feature Name | Releases | Feature Configuration Information
ISG: Session: Auth: PBHK | Cisco IOS XE Release 2.2 | The ISG Port-Bundle Host Key feature serves as an in-band signaling mechanism for session identification at external portals. TCP packets from subscribers are mapped to a local IP address for the ISG gateway and a range of ports. This mapping allows the portal to identify the ISG gateway from which the session originated. This module provides information about how to configure the ISG Port-Bundle Host Key feature.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006-2009 Cisco Systems, Inc. All rights reserved.