Cisco IOS Intelligent Service Gateway Configuration Guide, Release 12.2 SB
Configuring ISG Layer 3 Access (Cisco IOS Release 12.2(28)SB)


First Published: March 20, 2006
Last Updated: March 20, 2006

Intelligent Service Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module contains information on how to configure an ISG to bring up Layer 3 sessions.


Note: This document applies to Cisco IOS Release 12.2(28)SB only. For information about configuring ISG Layer 3 access in Cisco IOS Release 12.2(31)SB2 or later releases, see the chapter "Configuring ISG Access for IP Subscriber Sessions."


Finding Feature Information in This Module

Your Cisco IOS software release may not support all features. To find information about feature support and configuration and platform requirements, use the "Feature Information for Configuring ISG Layer 3 Access" section.

Contents

Restrictions for Configuring Layer 3 Access

Information About ISG Layer 3 Access

How to Configure ISG Layer 3 Access

Configuration Examples for ISG Layer 3 Access

Additional References

Feature Information for Configuring ISG Layer 3 Access

Prerequisites for Configuring Layer 3 Access

For information about release and platform requirements, see the "Feature Information for Configuring ISG Layer 3 Access" section.

Restrictions for Configuring Layer 3 Access

ISG IP sessions are not supported on the Cisco 10000-PRE2.

Overlapping static IP subscribers are not supported.

Overlapping IP subscribers in different virtual routing and forwarding instances (VRFs) are not supported on the same interface.

IP interface sessions can be created only through static command-line interface (CLI) provisioning.

Information About ISG Layer 3 Access

Before you configure ISG Layer 3 access, you should understand the following concepts:

Supported Types of Layer 3 Sessions

IP Session Creation

IP Session Termination

Default Services for IP Sessions

Supported Types of Layer 3 Sessions

ISG supports three types of Layer 3 sessions:

IP interface sessions

IP sessions

IP subnet sessions

IP Interface Sessions

An IP interface session includes all IP traffic received on a specific physical or virtual interface. IP interface sessions are provisioned through the CLI; that is, a session is created when the IP interface session commands are entered.

IP interface sessions might be used in situations in which a subscriber is represented by an interface (with the exception of PPP) and communicates using more than one IP address. For example, a subscriber using routed bridge encapsulation (RBE) access might have a dedicated ATM virtual circuit (VC) to home customer premises equipment (CPE) that is hosting multiple PCs.

IP Sessions

An IP session includes all the traffic that is associated with a single subscriber IP address. If the IP address is not unique to the system, other distinguishing characteristics such as VRF or MAC address form part of the identity of the session. An ISG can be configured to create IP sessions upon receipt of Dynamic Host Configuration Protocol (DHCP) packets and unknown IP source addresses. See the "IP Session Creation" section for more information.

IP sessions may be hosted for a connected subscriber device (one routing hop from the ISG) or one that is multiple hops from the gateway.

IP Subnet Sessions

An IP subnet session represents all the traffic that is associated with a single IP subnet. IP subnet sessions are used to apply uniform edge processing to packets associated with a particular IP subnet.

Like an IP session, an IP subnet session may be hosted for subscribers that are directly connected or that are multiple hops from the gateway.

IP subnet sessions are created the same way as IP sessions, except that when a subscriber is authorized or authenticated and the Framed-IP-Netmask attribute is present in the user or service profile, the ISG converts the source-IP-based session into a subnet session with the subnet value in the Framed-IP-Netmask attribute.


Note: Where an ingress interface maps to a single subnet, the subnet might be accommodated with an IP interface session. However, if the ISG is more than one hop away from a subscriber, and there is the possibility that multiple subnets are accessible through the same interface, IP subnet sessions may be defined to distinguish the traffic and apply appropriate edge functionality to each subnet.


IP Session Creation

The following events may be used to signal the start of an IP session or IP subnet session:

DHCP DISCOVER packet

If the following conditions are met, receipt of a DHCP DISCOVER packet will trigger the creation of an IP session:

The ISG serves as a DHCP relay or server for new IP address assignments.

Subscribers are configured for DHCP.

The DHCP DISCOVER packet is the first DHCP request received from the subscriber.

Unrecognized source IP address

In the absence of a DHCP DISCOVER packet, a new IP session is triggered by the appearance of an IP packet with an unrecognized source IP address.

IP Session Termination

An IP session may be terminated in one of the following ways:

DHCP Lease Expiry or DHCP Release from client

If DHCP is used to detect a new session, its departure may also be signaled by a DHCP event.

Application stop

An application stop is an application command that is used to terminate the session. The application stop command is typically used to terminate the session when a subscriber initiates an account logoff from a Web portal. An application stop may also result from the actions of an administrator, such as action taken in response to rogue behavior from a subscriber.

Idle timeout and session timeout

Idle timeouts and session timeouts can be used to detect or impose termination of an IP session.

Default Services for IP Sessions

Newly created IP sessions may require a default service to allow subsequent subscriber packets to be processed appropriately; for example, to permit or force TCP packets to a captive portal where menu-driven authentication and service selection can be performed. A default service policy map or service profile may be configured for IP sessions to redirect traffic, enable port-bundle host-key functionality for session identification, or enable transparent autologon. A default service would also likely include a network service, typically a VRF, so that subscriber packets may be routed or forwarded.

How to Configure ISG Layer 3 Access

An ISG creates IP sessions for IP traffic on subscriber-side interfaces. The following tasks enable IP sessions on the interface and indicate how a session will be identified. Perform one or both of the following tasks to bring up Layer 3 ISG sessions:

Creating an IP Interface Session

Creating IP Subscriber Sessions

Creating an IP Interface Session

An ISG IP interface session encompasses all IP packets that cross the specified interface or subinterface. Perform this task to create an ISG IP interface session.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip subscriber

5. identifier interface

6. end

7. show subscriber session [detailed] [identifier identifier | uid session-id | username name]

DETAILED STEPS

 
Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: interface interface-type interface-number[.subinterface-number]
Example: Router(config)#
Purpose: Specifies an interface or subinterface and enters interface configuration mode.

Step 4
Command or Action: ip subscriber
Example: Router(config-if)# ip subscriber
Purpose: Enables ISG IP subscriber configuration mode.

Step 5
Command or Action: identifier interface
Example: Router(config-subscriber)# identifier interface
Purpose: Creates an ISG IP interface session.

Step 6
Command or Action: end
Example: Router(config-subscriber)# end
Purpose: (Optional) Returns to privileged EXEC mode.

Step 7
Command or Action: show subscriber session [detailed] [identifier identifier | uid session-id | username name]
Example: Router# show subscriber session detailed
Purpose: Displays ISG subscriber session information. Use this command to verify session creation.

What to Do Next

After you have configured the ISG to bring up Layer 3 sessions, you may want to configure policies for subscriber identification and authorization, such as the port-bundle host key feature, redirection of unauthenticated subscriber traffic, and transparent autologon. Examples of these types of policies can be found in the "Configuration Examples for ISG Layer 3 Access" section. Instructions on how to configure these policies can be found in the following modules:

Configuring ISG Port-Bundle Host Key

Redirecting Subscriber Traffic Using ISG Layer 4 Redirect

Configuring ISG Policies for Automatic Subscriber Logon

Creating IP Subscriber Sessions

Perform this task to enable ISG to create an IP session or IP subnet session when it receives a DHCP DISCOVER packet or an IP packet from an unrecognized source IP address.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip subscriber

5. identifier ip src-addr [match access-list-number]

6. initiator dhcp [class-aware]

7. end

8. Add the Framed-IP-Netmask attribute to the service or user profile.

9. show subscriber session [detailed] [identifier identifier | uid session-id | username name]

10. show ip subscriber [vrf {vrf-name | global}]

DETAILED STEPS

 
Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: interface type number
Example: Router(config)#
Purpose: Specifies an interface and enters interface configuration mode.

Step 4
Command or Action: ip subscriber
Example: Router(config-if)# ip subscriber
Purpose: Enables ISG IP subscriber configuration mode.

Step 5
Command or Action: identifier ip src-addr [match access-list-number]
Example: Router(config-subscriber)# identifier ip src-addr
Purpose: Configures ISG to create an IP session upon detection of the first IP packet from an unidentified subscriber. The match access-list-number option causes IP sessions to be created only for subscriber traffic matching the access list.

Step 6
Command or Action: initiator dhcp [class-aware]
Example: Router(config-subscriber)# initiator dhcp
Purpose: Configures ISG to create IP sessions upon receipt of DHCP DISCOVER packets. The class-aware keyword allows ISG to influence the IP address assigned by DHCP by providing DHCP with a class name. IP subnet sessions cannot be created for DHCP-initiated sessions.

Step 7
Command or Action: end
Example: Router(config-subscriber)# end
Purpose: (Optional) Returns to privileged EXEC mode.

Step 8
Command or Action: Add the Framed-IP-Netmask attribute to the service or user profile.
Purpose: (Optional) Enables an IP subnet session for the subscriber. When a subscriber is authorized or authenticated and the Framed-IP-Netmask attribute is present in the user or service profile, ISG converts the source-IP-based session into a subnet session with the subnet value in the Framed-IP-Netmask attribute.

Step 9
Command or Action: show subscriber session [detailed] [identifier identifier | uid session-id | username name]
Example: Router# show subscriber session detailed
Purpose: (Optional) Displays ISG subscriber session information. Use this command to verify session creation.

Step 10
Command or Action: show ip subscriber [vrf {vrf-name | global}]
Example: Router# show ip subscriber vrf global
Purpose: (Optional) Displays information about ISG subscriber IP sessions. Use this command to display the IP sessions on ISG.

What to Do Next

After you have configured the ISG to bring up Layer 3 sessions, you may want to configure policies for subscriber identification and authorization, such as the port-bundle host key feature, redirection of unauthenticated subscriber traffic, and automatic subscriber logon. Examples of these types of policies can be found in the "Configuration Examples for ISG Layer 3 Access" section. Instructions on how to configure these policies can be found in the following modules:

Configuring ISG Port-Bundle Host Key

Redirecting Subscriber Traffic Using ISG Layer 4 Redirect

Configuring ISG Policies for Automatic Subscriber Logon

Configuration Examples for ISG Layer 3 Access

This section contains the following examples:

ISG IP Interface Session Configuration: Example

ISG IP Subscriber Session Configuration: Example

ISG IP Interface Session Configuration: Example

The following example shows an IP interface session configured on Ethernet interface 0/0:

interface ethernet0/0
 ip subscriber
  identifier interface

ISG IP Subscriber Session Configuration: Example

The following example shows how to configure ISG to create IP sessions upon receipt of DHCP DISCOVER packets:

interface ethernet0/0
 ip subscriber
  initiator dhcp
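
The match option from Step 5 of "Creating IP Subscriber Sessions" does not appear in the examples above. The following added example (not part of the original Cisco guide) combines it with DHCP initiation so that only packets from an expected subscriber range can trigger creation of a source-IP-based session. The access list number 10, the 10.10.0.0/16 range, and the use of a standard numbered access list with the match option are assumptions.

```text
! Added example; the ACL number and subscriber range are constructed values.
! Assumption: the match option accepts a standard numbered access list.
access-list 10 permit 10.10.0.0 0.0.255.255
!
interface ethernet0/0
 ip subscriber
  ! Create an IP session on the first IP packet from an unrecognized
  ! source address, but only when the packet matches access list 10.
  identifier ip src-addr match 10
  ! Also create IP sessions upon receipt of DHCP DISCOVER packets.
  initiator dhcp
```

After applying the configuration, the show subscriber session detailed and show ip subscriber vrf global commands from Steps 9 and 10 can be used to check which sessions were created.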

Additional References

The following sections provide references related to ISG Layer 3 access.

Related Documents

Related Topic: ISG commands
Document Title: Cisco IOS Intelligent Service Gateway Command Reference

Related Topic: DHCP configuration
Document Title: The "Configuring DHCP" chapter of the Cisco IOS IP Configuration Guide, Release 12.2



Feature Information for Configuring ISG Layer 3 Access

Table 24 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(28)SB or later releases appear in the table.

If you are looking for information on a feature in this technology that is not documented here, see the "Intelligent Service Gateway Features Roadmap."

Not all commands may be available in your Cisco IOS software release. For details on when support for specific commands was introduced, see the command reference documents.

Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.


Note: Table 24 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 24 Feature Information for ISG Layer 3 Access

Feature Name: ISG:Session: Creation: IP Session: Protocol Event (DHCP)
Releases: 12.2(28)SB
Feature Configuration Information: Most ISG sessions are created upon detection of a data flow that cannot be affiliated with an already active session. An ISG can be configured to create an IP session upon receipt of the first DHCP DISCOVER packet received from a subscriber.
The following sections provide information about this feature: Information About ISG Layer 3 Access; How to Configure ISG Layer 3 Access

Feature Name: ISG:Session: Creation: IP Session: Subnet and Source IP: L2
Releases: 12.2(28)SB
Feature Configuration Information: The ISG session is the primary component used for associating services and policies across specific data flows. An IP subnet session is an ISG session that includes any IP traffic from a single IP subnet. A source-IP-based session includes traffic from a single source IP address.
The following sections provide information about this feature: Information About ISG Layer 3 Access; How to Configure ISG Layer 3 Access

Feature Name: ISG:Session: Creation: IP Session: Subnet and Source IP: L3
Releases: 12.2(28)SB
Feature Configuration Information: The ISG session is the primary component used for associating services and policies across specific data flows. An IP subnet session is an ISG session that includes any IP traffic from a single IP subnet. A source-IP-based session includes traffic from a single source IP address.
The following sections provide information about this feature: Information About ISG Layer 3 Access; How to Configure ISG Layer 3 Access

Feature Name: ISG:Session: Creation: Interface IP Session: L2
Releases: 12.2(28)SB
Feature Configuration Information: ISG IP interface sessions include all IP traffic received on a specific physical or virtual interface. IP interface sessions are provisioned through the CLI; that is, a session is created when the IP interface session commands are entered.
The following sections provide information about this feature: Information About ISG Layer 3 Access; Creating an IP Interface Session

Feature Name: ISG:Session: Creation: Interface IP Session: L3
Releases: 12.2(28)SB
Feature Configuration Information: ISG IP interface sessions include all IP traffic received on a specific physical or virtual interface. IP interface sessions are provisioned through the CLI; that is, a session is created when the IP interface session commands are entered.
The following sections provide information about this feature: Information About ISG Layer 3 Access; Creating an IP Interface Session