Intelligent Services Gateway Configuration Guide, Cisco IOS Release 15.1S

Configuring ISG Subscriber Services

Last Updated: June 13, 2011
Intelligent Services Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. ISG defines a service as a collection of policies that can be applied to any subscriber session. This module describes how ISG subscriber services work, how to configure services and traffic classes that may be used to qualify policies defined within a service, and how to activate services.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for ISG Subscriber Services

Only one nondefault traffic class may be configured in each service.

When multiple services are active on a given session, class-based actions are executed on a first-match basis only; in other words, once a class is matched, the actions associated with that class will be executed, and no other class will be matched.

Services that are defined on the ISG device cannot be selected externally because they will not be advertised to a portal.

Removing or modifying a feature in the configuration, for example an access control list (ACL), is not supported by active sessions that reference that feature.

Information About ISG Subscriber Services
ISG Services

An ISG service is a collection of policies that may be applied to a subscriber session. ISG services can be applied to any session, regardless of subscriber access media or protocol, and a single service may be applied to multiple sessions. An ISG service is not necessarily associated with a destination zone or a particular uplink interface. Services can be defined in two ways: in a service policy map that is configured on the ISG device by using the CLI, and in a service profile that is configured on an external device, such as an authentication, authorization, and accounting (AAA) server. Although they are configured differently, service policy maps and service profiles serve the same purpose: they contain a collection of traffic policies and other functionality that can be applied to a subscriber session. Traffic policies determine which functionality will be applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, a specific type of traffic policy that determines how session data packets will be forwarded to the network.

Primary Services

When a network-forwarding policy is included in a service profile or service policy map, the service is known as a primary service. Primary services are mutually exclusive and may not be simultaneously active. Upon activation of a new primary service, ISG will deactivate the existing primary service and any other services dependent on the existing primary service through association with a service group. If a primary service is deactivated, sessions may be left without a network-forwarding policy, that is, with no means to route or forward packets. A policy may be applied to defend against this condition such that a specific service is activated upon deactivation of all others (or all other primary services). This backup service would return network-forwarding policy to the session and allow the subscriber to reach a web portal.
However, it should be noted that an IP session will not be automatically terminated when all services are deactivated unless such a policy has been defined and applied.

Traffic Classes and Traffic Class Priority

ISG traffic classes allow for differentiated behavior for different traffic streams to and from a particular subscriber. For traffic to be classified into streams, you must specify an access control list (ACL) that classifies the traffic and specify the direction of the traffic to which the ACL applies (inbound or outbound). Optionally, the priority of the traffic class can also be specified. Traffic that meets the specifications of a traffic class is said to match the traffic class. Once a match is made, features defined in the traffic policy are executed for that traffic class. The priority of a traffic class determines which class is used first for a specified match if more than one traffic policy has been activated for a single session. In other words, if a packet matches more than one traffic class, it is classified to the class with the higher priority. Packets that do not match any of the ACLs are considered to be part of the default traffic class and are processed as if a traffic policy were not applied to the session. A default class exists for every service, and the default action of the default class is to pass traffic. The default class can be configured to drop traffic. Default traffic is accounted for in the main session accounting. A service can contain one traffic class and one default class. Traffic classes are assigned unique identifiers that can be tracked with Cisco IOS show commands.

Traffic Policies

Traffic policies define the handling of data packets. A traffic policy contains a traffic class and one or more features. Whereas you can specify the event that will trigger an ISG control policy, the trigger for a traffic policy is implicit: the arrival of a data packet. The features configured within a traffic policy apply only to the traffic defined by the traffic class. Multiple traffic policies with various features can be applied to a session.

ISG Features

An ISG feature is a functional component that performs a specific operation on a session's data stream. A feature may or may not be associated with a traffic class. However, once associated with a traffic class, a feature can be applied only to the packets that match that traffic class. Otherwise, the feature is applied to all packets for that session. The figure below shows how features apply to a subscriber session and to traffic flows within the session.

Service Groups

A service group is a grouping of services that may be simultaneously active for a given session. Typically, a service group includes one primary service and one or more secondary services. Secondary services in a service group are dependent on the primary service and should not be activated unless the primary service is already active. Once a primary service has been activated, any other services that reference the same group may also be activated. Services that belong to other groups, however, may be activated only if they are primary. If a primary service from another service group is activated, all services in the current service group will also be deactivated because they have a dependency on the previous primary service.

Service Activation Methods

There are three methods by which services can be activated:
Automatic Service Activation

The Auto Service attribute, which can be configured in user profiles, enables subscribers to be automatically logged in to specified services when the user profile is downloaded, usually following authentication. Services that are specified by the Auto Service attribute in a user profile are referred to as auto services. A user profile can specify more than one service as auto services.

Control Policy Service Activation

ISG control policies can be configured to activate services in response to specific conditions and events.

Subscriber-Initiated Service Activation

Subscriber-initiated service activation takes place when a subscriber manually selects a service at a portal. When the system receives a subscriber request to activate a service, the ISG policy engine searches for a policy matching the event "service-start". If no such policy is found, the policy engine will by default download the service via the default AAA network authorization method list. This default behavior is identical to the behavior generated by the following policy configuration:

class-map type control match-all SERVICE1_CHECK
 match service-name SERVICE1
!
policy-map type control SERVICE1_CHECK
 class type control SERVICE1_CHECK event service-start
  1 service-policy type service name SERVICE1

The same default behavior applies to subscriber logoffs, with the ISG policy engine searching for a policy that matches the event "service-stop". If a policy is configured, it is the responsibility of the policy to specify how the service should be applied.

How to Configure ISG Services on the Router

There are two ways to configure an ISG service. One way is to configure a service policy map on the local device by using the CLI. The second way is to configure a service profile on a remote AAA server. To configure a service policy map directly on the ISG, perform the tasks in the following sections:
Configuring an ISG Service with Per-Session Functionality

Certain types of functionality that are configured in a service must be applied to the entire subscriber session rather than to a specific traffic flow. Services that are configured with this type of per-session functionality must not contain a traffic class. Perform this task to configure a service policy map without a traffic class on the ISG.
Configuring an ISG Service with a Traffic Policy

An ISG traffic policy contains a traffic class and one or more ISG features. The traffic class defines the traffic to which the features will be applied. Perform the following tasks to configure an ISG service with a traffic policy on the router:

Defining an ISG Traffic Class Map

Perform this task to configure a traffic class map. A traffic class map usually specifies an access control list (ACL) that classifies the flow and the direction of traffic to which the ACL applies (inbound or outbound).

Before You Begin

This task assumes that access control lists (ACLs) have been configured for classifying traffic.

Configuring an ISG Service Policy Map with a Traffic Policy

ISG services are configured by creating service policy maps on the ISG or service profiles on an external AAA server. Perform this task to configure a traffic policy in a service policy map on the ISG.
Configuring the Default Class in an ISG Service Policy Map

Packets that do not match any traffic classes are considered to be part of default traffic and are processed as if a traffic policy were not applied to the session. A default class exists by default for every service, and the default action of the default class is to pass traffic. Perform this task to configure the default class.
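The classification rules described above (a packet matching several traffic classes goes to the higher-priority class, a deny entry in the class ACL keeps traffic out of that class, and unmatched traffic falls to the default class, which passes unless configured to drop) are modelled in this added Python example; it is not Cisco code and not part of this guide. It assumes that a lower class number is the higher priority, and the traffic classes, ACL entries and packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example (not Cisco code): a model of ISG traffic classification.
# Assumption: a lower class number is the higher priority, like the numbered
# "10 class type traffic ..." entries in a service policy map.

@dataclass(frozen=True)
class AclEntry:
    action: str       # "permit" or "deny"
    src: str          # source prefix, "0.0.0.0/0" for any
    dst: str          # destination prefix
    dport: int = 0    # destination port, 0 for any

@dataclass(frozen=True)
class TrafficClass:
    name: str
    direction: str    # "in" = from the subscriber, "out" = towards the subscriber
    priority: int
    acl: tuple        # ordered AclEntry tuple; implicit deny at the end
    feature: str      # the feature this class's traffic policy applies

def acl_permits(acl, pkt):
    """True when the first ACL entry that matches the packet is a permit."""
    for e in acl:
        if (ip_address(pkt["src"]) in ip_network(e.src)
                and ip_address(pkt["dst"]) in ip_network(e.dst)
                and e.dport in (0, pkt["dport"])):
            return e.action == "permit"
    return False      # implicit deny: the packet is not part of this class

def classify(classes, pkt, default_action="pass"):
    """Return (class name, feature) for one packet, or the default class."""
    matched = [c for c in classes
               if c.direction == pkt["dir"] and acl_permits(c.acl, pkt)]
    if not matched:
        return ("default", default_action)
    best = min(matched, key=lambda c: c.priority)   # first match by priority only
    return (best.name, best.feature)

ANY = "0.0.0.0/0"
# Constructed: two traffic classes from two services active on one session.
PORTAL_REDIRECT = TrafficClass("UNAUTHORIZED_TRAFFIC", "in", 20,
    (AclEntry("permit", ANY, ANY, 80),), "redirect to ip 10.0.0.148 port 8080")
INTRANET = TrafficClass("INTRANET_TC", "in", 10,
    (AclEntry("deny", ANY, "10.1.99.0/24"), AclEntry("permit", ANY, "10.1.0.0/16")),
    "accounting aaa list CAR_ACCNT_LIST")
SESSION_CLASSES = (PORTAL_REDIRECT, INTRANET)
PKTS = [  # constructed inbound packets: source, destination, destination port
    {"dir": "in", "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 80},
    {"dir": "in", "src": "192.0.2.10", "dst": "10.1.2.3", "dport": 80},
    {"dir": "in", "src": "192.0.2.10", "dst": "10.1.99.7", "dport": 80},
    {"dir": "in", "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443},
]

def walk(pkts, default_action):
    """Classify each constructed packet under the given default-class action."""
    return [classify(SESSION_CLASSES, p, default_action) for p in pkts]
```

The second packet matches both classes and is handled by the lower-numbered INTRANET_TC; the last packet matches neither and is passed or dropped purely by the default class setting.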
Activating ISG Subscriber Services

There are three ways that ISG subscriber services can be activated: by specifying the service as an automatic activation service in a subscriber's user profile, by configuring control policies to activate the service, and by a subscriber-initiated service logon. No special configuration is necessary to enable a subscriber to log on to a service. To configure a service for automatic activation and to configure control policies to activate services, perform the following tasks:
Configuring Automatic Service Activation in a User Profile

Perform this task to configure automatic service activation for a service in a subscriber's user profile.
Configuring ISG Control Policies to Activate Services

Before You Begin

A control class map must be configured if you specify a named control class map in the control policy map. See the module "Configuring ISG Control Policies" for information about configuring control policies.

Verifying ISG Services
Configuration Examples for ISG Services
Example Service for Per-Flow Accounting

In the following examples, the service "SERVICE1" is configured with per-flow accounting. The access lists "SERVICE1_ACL_IN" and "SERVICE1_ACL_OUT" are used to define the traffic class. These examples are equivalent and show the two alternative methods of service configuration: in a service policy map that is configured directly on the ISG, and in a service profile that is configured on a AAA server.

ISG Configuration

class-map type traffic match-any SERVICE1_TC
 match access-group input name SERVICE1_ACL_IN
 match access-group output name SERVICE1_ACL_OUT
!
policy-map type service SERVICE1
 10 class type traffic SERVICE1_TC
  accounting aaa list CAR_ACCNT_LIST
 class type traffic default in-out
  drop

AAA Server Configuration

Attributes/
Cisco-AVPair = "ip:traffic-class=in access-group name SERVICE1_ACL_IN priority 10"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name SERVICE1_ACL_OUT priority 10"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-AVPair = "subscriber:accounting-list=CAR_ACCNT_LIST"
Cisco-SSG-Service-Info = ISERVICE1

Example Service for Absolute Timeout and Idle Timeout

In the following examples, the service "SERVICE1" is configured with per-flow accounting, an absolute timeout, and an idle timeout. The access lists "SERVICE1_ACL_IN" and "SERVICE1_ACL_OUT" are used to define the traffic class. These examples are equivalent and show the two methods of service configuration: in a service policy map that is configured directly on the ISG, and in a service profile that is configured on a AAA server.

ISG Configuration

class-map type traffic match-any SERVICE1_TC
 match access-group input name SERVICE1_ACL_IN
 match access-group output name SERVICE1_ACL_OUT
!
policy-map type service SERVICE1
 10 class type traffic SERVICE1_TC
  timeout idle 600
  timeout absolute 1800
  accounting aaa list CAR_ACCNT_LIST
 class type traffic default in-out
  drop

AAA Server Configuration

Attributes/
Cisco-AVPair = "ip:traffic-class=in access-group name SERVICE1_ACL_IN priority 10"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name SERVICE1_ACL_OUT priority 10"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-AVPair = "subscriber:accounting-list=CAR_ACCNT_LIST"
Cisco-SSG-Service-Info = ISERVICE1
session-timeout = 1800
idle-timeout = 600

Example Service for ISG Policing

In the following examples, the service "BOD1M" is configured with per-flow accounting and ISG policing. The access lists "BOD1M_IN_ACL_IN" and "BOD1M_ACL_OUT" are used to define the traffic class. These examples are equivalent and show the two methods of service configuration: in a service policy map that is configured directly on the ISG, and in a service profile that is configured on a AAA server.

ISG Configuration

class-map type traffic match-any BOD1M_TC
 match access-group input name BOD1M_IN_ACL_IN
 match access-group output name BOD1M_ACL_OUT
!
policy-map type service BOD1M
 10 class type traffic BOD1M_TC
  accounting aaa list CAR_ACCNT_LIST
  police input 512000 256000 5000
  police output 1024000 512000 5000
 class type traffic default in-out
  drop

AAA Server Configuration

Attributes/
Cisco-AVPair = "ip:traffic-class=in access-group name BOD1M_IN_ACL_IN priority 10"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name BOD1M_ACL_OUT priority 10"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-AVPair = "subscriber:accounting-list=CAR_ACCNT_LIST"
Cisco-SSG-Service-Info = IBOD1M
Cisco-SSG-Service-Info = QU;512000;256000;5000;D;1024000;512000;5000

Example Service for Per-Subscriber Firewall

In the following examples, the service "SERVICE2" is configured with a per-subscriber firewall. The service does not include a traffic class, so it will apply to the entire session. These examples are equivalent and show the two methods of service configuration: in a service policy map that is configured directly on the ISG, and in a service profile that is configured on a AAA server.

Example Service for Redirecting Layer 4 Subscriber Traffic

The following example shows the configuration of a service called "UNAUTHORIZED_REDIRECT_SVC". The control policy "UNAUTHEN_REDIRECT" is configured to apply the service upon session start.

class-map type traffic match-any UNAUTHORIZED_TRAFFIC
 match access-group input 100
!
policy-map type service UNAUTHORIZED_REDIRECT_SVC
 class type traffic UNAUTHORIZED_TRAFFIC
  redirect to ip 10.0.0.148 port 8080
!
policy-map type control UNAUTHEN_REDIRECT
 class type control always event session-start
  1 service-policy type service name UNAUTHORIZED_REDIRECT_SVC

Example Deactivating a Layer 4 Redirection Service Following Authorization

In the following example, a service configured with Layer 4 redirection is deactivated when traffic becomes authorized; that is, following activation of the appropriate service.

class-map type traffic match-any UNAUTHORIZED_TRAFFIC
 match access-group input 100
!
policy-map type service UNAUTHORIZED_REDIRECT_SVC
 class type traffic UNAUTHORIZED_TRAFFIC
  redirect to ip 10.0.0.148 port 8080
!
class-map type control match-all CHECK_ISP1
 match service-name ISP1
!
policy-map type control UNAUTHEN_REDIRECT
 class type control always event session-start
  1 service-policy type service name UNAUTHORIZED_REDIRECT_SVC
 class type control CHECK_ISP1 event service-start
  1 service-policy type service unapply name UNAUTHORIZED_REDIRECT_SVC
  2 service-policy type service name ISP1
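The per-flow accounting and ISG policing examples above state that the AAA-profile form and the service policy map form of a service are equivalent. The following added Python script, which is not Cisco code and not part of this guide, parses the Cisco-AVPair and Cisco-SSG-Service-Info attributes of the BOD1M profile (constructed here from the example above) and renders the equivalent ISG CLI, so that a RADIUS-delivered service can be reviewed in the same form as a locally configured one. The "_TC" class-map naming and the "input"/"output" keywords for a single-direction default class are assumptions.

```python
import re

# Added example (not Cisco code): render the AAA-profile form of an ISG service
# as the equivalent service policy map CLI, to audit what a RADIUS-delivered
# service actually applies. Input below is constructed from this guide's BOD1M example.
SAMPLE_PROFILE = [
    'Cisco-AVPair = "ip:traffic-class=in access-group name BOD1M_IN_ACL_IN priority 10"',
    'Cisco-AVPair = "ip:traffic-class=in default drop"',
    'Cisco-AVPair = "ip:traffic-class=out access-group name BOD1M_ACL_OUT priority 10"',
    'Cisco-AVPair = "ip:traffic-class=out default drop"',
    'Cisco-AVPair = "subscriber:accounting-list=CAR_ACCNT_LIST"',
    "Cisco-SSG-Service-Info = IBOD1M",
    "Cisco-SSG-Service-Info = QU;512000;256000;5000;D;1024000;512000;5000",
]

def parse_profile(lines):
    """Parse 'Attribute = value' lines into a dict describing the service."""
    p = {"name": None, "acl": {}, "default": {}, "acct": None, "police": {}, "prio": 10}
    for line in lines:
        attr, _, value = line.partition("=")
        attr, value = attr.strip(), value.strip().strip('"')
        if attr == "Cisco-AVPair":
            if m := re.fullmatch(r"ip:traffic-class=(in|out) access-group name (\S+) priority (\d+)", value):
                p["acl"][m[1]], p["prio"] = m[2], int(m[3])
            elif m := re.fullmatch(r"ip:traffic-class=(in|out) default (drop|pass)", value):
                p["default"][m[1]] = m[2]
            elif m := re.fullmatch(r"subscriber:accounting-list=(\S+)", value):
                p["acct"] = m[1]
            else:
                raise ValueError(f"unrecognised Cisco-AVPair: {value}")
        elif attr == "Cisco-SSG-Service-Info":
            if value.startswith("I"):        # I<name>: the service name
                p["name"] = value[1:]
            elif value.startswith("QU;"):    # QU;cir;bc;be;D;cir;bc;be = upstream;downstream policing
                f = value.split(";")
                p["police"] = {"input": f[1:4], "output": f[5:8]}
    return p

def render_cli(p):
    """Emit the service policy map equivalent to a parsed profile."""
    tc = f"{p['name']}_TC"                 # class-map name: assumed naming convention
    out = [f"class-map type traffic match-any {tc}"]
    for d, kw in (("in", "input"), ("out", "output")):
        if d in p["acl"]:
            out.append(f" match access-group {kw} name {p['acl'][d]}")
    out += ["!", f"policy-map type service {p['name']}", f" {p['prio']} class type traffic {tc}"]
    if p["acct"]:
        out.append(f"  accounting aaa list {p['acct']}")
    for d in ("input", "output"):
        if d in p["police"]:
            out.append(f"  police {d} {' '.join(p['police'][d])}")
    drops = [d for d in ("in", "out") if p["default"].get(d) == "drop"]
    if drops:  # "in-out" is from this guide; "input"/"output" for one direction is assumed
        kw = "in-out" if len(drops) == 2 else {"in": "input", "out": "output"}[drops[0]]
        out += [f" class type traffic default {kw}", "  drop"]
    return out

def profile_to_cli(lines):
    """Convenience wrapper: profile lines in, CLI text out."""
    return "\n".join(render_cli(parse_profile(lines)))
```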
Feature Information for ISG Subscriber Services

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.