-
Cisco IOS Wide-Area Networking Command Reference, Release 12.2 T
-
ATM Commands (abr through atm svc-upc-intent)
-
ATM Commands (atm txbuff through network-clock-select)
-
ATM Commands (oam ais-rdi through show atm traffic)
-
ATM Commands (show atm vc through vc-class atm)
-
Broadband Access: PPP and Routed Bridge Encapsulation Commands
-
Broadband Access: Service Selection Gateway Commands
-
Frame Relay Commands (class through frame-relay de-list)
-
Frame Relay Commands (frame-relay end-to-end keepalive error threshold through frame-relay lapf t203)
-
Frame Relay Commands (frame-relay lmi-n391dte through keepalive)
-
Frame Relay Commands (map-class frame-relay through threshold ecn)
-
Frame Relay-ATM Interworking Commands
-
SMDS Commands
-
X.25 and LAPB Commands (access-class through x25 alias)
-
X.25 and LAPB Commands (x25 bfe-decision through x25 pvc)
-
X.25 and LAPB Commands (x25 remote-red through xot access-group)
-
Table Of Contents
Broadband Access: Service Selection Gateway Commands
clear ssg radius-proxy client-address
clear ssg radius-proxy nas-address
redirect captivate advertising default group
redirect captivate initial default group duration
redirect unauthenticated-user to
redirect unauthorized-service to
show ssg auto-domain exclude-profile
show ssg radius-proxy address-pool
ssg port-map destination access-list
ssg port-map destination range
Broadband Access: Service Selection Gateway Commands
Use the commands described in this chapter to configure Service Selection Gateway (SSG) switching solutions for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as digital subscriber lines (DSL), cable modems, or wireless. SSG allows simultaneous access to network services.
For information about how to configure SSG, refer to the "Service Selection Gateway" 12.2(8)T feature module and the Service Selection Gateway (SSG) Features in Release 12.2(13)T index.
address-pool
To define local IP pools that are to be used by Service Selection Gateway (SSG) to assign IP addresses to users for which SSG is acting as a RADIUS client, use the address-pool command in SSG-radius-proxy mode. To remove a local IP pool, use the no form of this command.
address-pool start-ip end-ip [domain domain-name]
no address-pool start-ip end-ip [domain domain-name]
Syntax Description
Defaults
SSG does not assign IP addresses from a local IP pool.
Command Modes
SSG-radius-proxy
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2 T.
Usage Guidelines
Use this command to configure SSG to assign an IP address taken from a local pool to a user for which SSG is acting as a RADIUS client. SSG assigns an IP address from a local pool only when one has not been assigned by one of the following methods:
•
Assignment in the Access-Accept from the AAA server
•
•
Note
You can use this command to define a global local IP address pool or an IP address pool for a specific domain by using the domain keyword. You cannot create pools with more than 20,000 addresses.
Note
Examples
The following example shows how to configure a local IP address pool for SSG:
address-pool 172.16.16.0 172.16.20.0The following example shows how to configure a local IP address pool for the domain named "cisco".
address-pool 172.21.21.0 172.21.25.0 domain ciscoRelated Commands
attribute
To configure an attribute in a local service profile, use the attribute command in profile configuration mode. To delete an attribute from a service profile, use the no form of this command.
attribute radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value
no attribute radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value
Syntax Description
Defaults
For the Linterval option: If the L option is not defined, the accounting records for a service profile will be sent at the interval configured by the ssg accounting interval command. If the ssg accounting interval command is not set, the accounting records are sent every 600 seconds.
Otherwise, no default behavior or values are set.
Command Modes
Profile configuration
Command History
Usage Guidelines
Use this command to configure attributes in local service profiles.
For the SSG Open Garden feature, use this command to configure the Service Route, DNS Server Address, and Domain Name attributes in a local service profile before adding the service to the open garden.
To change the SSG accounting interval for a service profile, use the Linterval option in the attribute command. For example, if L80 is entered as the attribute value, the service profile sends accounting information every 80 seconds. Interim accounting can be disabled by entering the value (in seconds) as 0 (for instance, L0). When interim accounting is disabled, the normal accounting stops and starts are still sent.
For the SSG Hierarchical Policing feature, use the Q option to configure the token bucket parameters (token rate, normal burst, and excess burst). The syntax for the Q option is as follows:
Router(config-prof)# attribute radius-attribute-id vendor-id cisco-vsa-type "QU;upstream-committed-rate;upstream-normal-burst; [upstream-excess-burst];D;downstream-committed-rate; downstream-normal-burst;[downstream-excess-burst]"
The variables are used to configure upstream (U) and downstream (D) policing. The upstream traffic is the traffic that travels from the subscriber to the network, and the downstream traffic is the traffic that travels from the network to the subscriber.
Examples
In the following example, the Cisco AV pair Upstream Access Control List (inacl) attribute is configured in the local service profile called "cisco.com":
Router(config)# local-profile cisco.comRouter(config-prof)# attribute 26 9 1 "ip:inacl#101=deny tcp 10.2.1.0 0.0.0.255 any eq 21"In the following example, the Session-Timeout attribute is deleted from the local service profile called "cisco.com":
Router(config)# local-profile cisco.comRouter(config-prof)# no attribute 27 600In the following example, the local profile cisco.com is configured to send an interim accounting update every 90 seconds:
Router(config)# local-profile cisco.comRouter(config-prof)# attribute 26 9 1 "L90"In the following example, the SSG Hierarchical Policing parameters are set for upstream and downstream traffic:
Router(config)# local-profile cisco.comRouter(config-prof)# attribute 26 9 251 "QU:8000:16000:20000:D10000:20000:30000"In the following example, an open garden service called "opencisco.com" is defined.
Router(config)# local-profile opencisco.comRouter(config-prof)# attribute 26 9 251 "Oopengarden1.com"Router(config-prof)# attribute 26 9 251 "D10.13.1.5"Router(config-prof)# attribute 26 9 251 "R10.1.1.0;255.255.255.0"Router(config-prof)# exitRouter(config)# ssg open-garden opencisco.comRelated Commands
clear ssg connection
To remove the connections of a given host and a service name, use the clear ssg connection command in privileged EXEC mode.
clear ssg connection ip-address service-name [interface]
Syntax Description
ip-address
IP address of an active Service Selection Gateway (SSG) connection.
service-name
Name of an active SSG connection.
interface
(Optional) Interface to which the host is connected.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows how to remove the service connection for Service1 to host 192.168.1.1, connected through Fast Ethernet:
Router# clear ssg connection 192.168.1.1 fastethernet Service1Related Commands
clear ssg host
To remove or disable a given host or subscriber, use the clear ssg host command in privileged EXEC mode.
clear ssg host ip-address interface
Syntax Description
ip-address
IP address of the host or subscriber.
interface
Interface through which the host or subscriber is connected.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows how to remove the connection for host 192.168.1.1:
Router# clear ssg host 192.168.1.1 fastethernetRelated Commands
Displays the information about a subscriber and current connections of the subscriber.
clear ssg next-hop
To remove a next-hop table, use the clear ssg next-hop command in privileged EXEC mode.
clear ssg next-hop
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
If you use this command to clear the next-hop table, nothing appears when you use the show ssg next-hop command. However, the next-hop table will still appear in the running configuration. To remove the next-hop table from the running configuration, use the no form of the ssg next-hop download command.
Examples
The following example shows how to remove the next-hop table:
Router# clear ssg next-hopRelated Commands
clear ssg open-garden
To remove open garden configurations and all open garden service objects, use the clear ssg open-garden command in privileged EXEC mode.
clear ssg open-garden
Syntax Description
This command has no keywords or arguments.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command removes the open garden configuration by deleting all instances of the ssg open-garden global configuration command. This command also removes the service object of all the open garden services. The local service profiles of the open garden services are not deleted from the configuration.
Examples
In the following example, all open garden services are displayed and then removed:
Router# show ssg open-gardennrp1-nrp2_og1nrp1-nrp2_og2nrp1-nrp2_og3nrp1-nrp2_og4Router# clear ssg open-garden
Router# show ssg open-gardenRouter#Related Commands
Configures a local service profile.
Displays a list of all configured open garden services.
Designates a service, defined in a local service profile, as an open garden service.
clear ssg pass-through-filter
To remove the downloaded filter for transparent pass-through, use the clear ssg pass-through-filter command in privileged EXEC mode.
clear ssg pass-through-filter
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Removing the filter allows unauthenticated traffic to pass through the Service Selection Gateway in either direction without modification. If you use this command to clear the downloaded transparent pass-through filter, nothing will be displayed when you use the show ssg pass-through-filter command. However, the transparent pass-through filter will still appear in the running configuration. To remove the transparent pass-through filter from the running configuration, use the no form of the ssg pass-through command.
Examples
The following example shows how to remove the downloaded transparent pass-through filter:
Router# clear ssg pass-through-filterRelated Commands
Displays the downloaded filter for transparent pass-through.
Enables transparent pass-through.
clear ssg pending-command
To remove all pending commands, use the clear ssg pending-command command in privileged EXEC mode.
clear ssg pending-command
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to clear pending commands.
Examples
The following example shows how to clear pending commands:
Router# clear ssg pending-commandRelated Commands
clear ssg radius-proxy client-address
To clear all hosts connected to a specific RADIUS client, use the clear ssg radius-proxy client-address command in privileged EXEC mode.
client ssg radius-proxy client-address ip-address
Syntax Description
Command Modes
Privileged EXEC
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to clear all hosts connected to a specific RADIUS client. This command deactivates and destroys all host objects associated with the specified RADIUS client.
Examples
The following example shows how to clear all hosts connected to the RADIUS client that has the IP address 172.16.0.0:
clear ssg radius-proxy client-address 172.16.0.0Related Commands
clear ssg radius-proxy nas-address
To clear all hosts connected to a specific network access server (NAS), use the clear ssg radius-proxy nas-address command in privileged EXEC mode.
client ssg radius-proxy nas-address ip-address
Syntax Description
Command Modes
Privileged EXEC
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to clear all hosts connected to a specific NAS. This command deactivates and destroys all host objects associated with the specified NAS client.
Note
Examples
The following example shows how to clear all hosts connected to the NAS with IP address 172.16.0.0:
clear ssg radius-proxy nas-address 172.16.0.0Related Commands
clear ssg service
To remove a service, use the clear ssg service command in privileged EXEC mode.
clear ssg service service-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to remove services.
Examples
The following example shows how to remove a service called "Perftest":
Router# clear ssg service PerftestRelated Commands
client-address
To configure a RADIUS client IP address and shared secret, use the client-address command in SSG-radius-proxy mode. To disable the RADIUS proxy IP address and shared secret, use the no form of this command.
client-address ip-address key secret
no client-address ip-address key secret
Syntax Description
ip-address
IP address of a RADIUS client.
key
Shared secret between the Service Selection Gateway (SSG) and the RADIUS client.
secret
Description of the shared secret.
Defaults
No default behavior or values.
Command Modes
SSG-radius-proxy
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to configure the RADIUS client to proxy requests from the specified IP address to the RADIUS server. Use the secret attribute to configure each client IP with a unique shared secret. This shared secret should be the same one configured on the RADIUS client.
Examples
The following example shows how to configure the RADIUS client to proxy all requests from IP address 172.16.0.0 to the RADIUS server and assigns the shared secret "cisco" to the client:
client-address 172.16.0.0 key ciscoRelated Commands
download exclude-profile
To add domain or Access Point Names (APNs) names to the Service Selection Gateway (SSG) Autodomain exclusion list, use the download exclude-profile command in SSG-auto-domain mode. To remove a name from the Autodomain exclusion list, use the no form of this command.
download exclude-profile profile-name password
no download exclude-profile profile-name password
Syntax Description
Defaults
No default behavior or values.
Command Modes
SSG-auto-domain
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the download exclude-profile command to specify the name and password for a list of names that are excluded from being downloaded from the AAA server. Downloads from the AAA server occur at the time of entering the configuration and also on subsequent Route Processor reloads. By reentering the configuration command, you can synchronize with a modified table on the AAA server by forcing a new download. For every successful exclude-profile download, Service Selection Gateway (SSG) deletes the exclude entries added by the previous exclude-profile download and adds the new downloaded entries to the Autodomain exclusion list. The excluded name list introduces the following new attributes to the SSG Control-Info vendor-specific attributes (VSAs):
X—Excluded name list entry.
A—Add this name to the APN exclusion list.
D—Add this name to the domain name exclusion list.
The following is an example profile using the new exclusion list attributes:
abc Password = "cisco" Service-Type = OutboundControl-Info = XAapn1.gprsControl-Info = XAapn2.comControl-Info = XDcisco.comControl-Info = XDredhotant.comExamples
The following example shows how to add a list of names called "abc" with the password "cisco" to the Autodomain exclusion list:
download exclude-profile abc ciscoRelated Commands
exclude
To add Access Point Names (APNs) and domain names to a Service Selection Gateway (SSG) Autodomain exclusion list, use the exclude command in SSG-auto-domain mode. To remove an APN or domain name from the Autodomain exclusion list, use the no form of this command.
exclude {apn | domain} name
no exclude {apn | domain} name
Syntax Description
apn
Adds an APN to the exclusion list.
domain
Adds a domain to the exclusion list.
name
Name of the APN or domain to be added to the exclusion list.
Defaults
No default behavior or values.
Command Modes
SSG-auto-domain
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the exclude command to add an APN or a domain to the Autodomain exclusion list. APN and domain names that are not on an exclusion are used to perform Autodomain for a user. You can use the the no download exclude-profile command to remove a domain or APN name that is downloaded from the AAA server.
Examples
The following example shows how to add the APN named "abc" to the exclusion list:
exclude apn abcThe following example shows how to add the domain named "xyz" to the exclusion list:
exclude domain xyzRelated Commands
forward accounting-start-stop
To proxy accounting start, stop, and update packets generated by any RADIUS clients to the AAA server, use the forward accounting-start-stop command in SSG-radius-proxy mode. To stop forwarding accounting start, stop, and update packets , use the no form of this command.
forward accounting-start-stop
no forward accounting-start-stop
Syntax Description
This command has no arguments or keywords.
Defaults
Forward accounting-start-stop is disabled by default.
Command Modes
SSG-radius-proxy
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to proxy accounting start, stop, and update packets generated by all RADIUS clients to the AAA server. Disabling this command reduces RADIUS packet traffic and processing for deployments where the billing server is not using these packets for billing purposes.
Note
Examples
The following example shows how to proxy accounting packets generated by all RADIUS clients to the AAA server:
ssg radius-proxyserver-port auth 1645 acct 1646client-address 10.1.2.2 key secret1client-address 10.2.25.90 key secret2client-address 10.0.0.1 key secret3client-address 10.23.3.2 key secret4idle-timeout 30forward accounting-start-stopaddress-pool 10.1.1.1 10.1.40.250address-pool 10.1.5.1 10.1.5.30 domain ssg.comRelated Commands
idle-timeout (SSG)
To configure a host object timeout value, use the idle-timeout command in SSG-radius-proxy mode. To disable the timeout value, use the no form of this command.
idle-timeout timeout
no idle-timeout timeout
Syntax Description
Defaults
No timeout value is configured.
Command Modes
SSG-radius-proxy
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to configure a timeout value for a host object. Configuring this command prevents dangling host objects on the Service Selection Gateway (SSG). If a RADIUS client reloads and does not indicate its fault condition to the SSG, the SSG retains the host objects that are no longer valid. This command removes all host objects from a RADIUS client that has been idle for the time specified by the timeout argument. When configured, this timeout value is added to the host object.
Note
Examples
The following example shows how to configure a timeout value of 60 seconds:
ssg radius-proxyserver-port auth 1645 acct 1646client-address 10.1.2.2 key secret1client-address 10.2.25.90 key secret2client-address 10.0.0.1 key secret3client-address 10.23.3.2 key secret4idle-timeout 60forward accounting-start-stopaddress-pool 10.1.1.1 10.1.40.250address-pool 10.1.5.1 10.1.5.30 domain ssg.comRelated Commands
local-profile
To configure a local service profile and enter profile configuration mode, use the local-profile command in global configuration mode. To delete the local service profile, use the no form of this command.
local-profile profile-name
no local-profile profile-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to configure local service profiles.
Examples
The following example shows how to configure a RADIUS profile called "fictitiousname.com" and enter profile configuration mode:
Router(config)# local-profile fictitiousname.comRouter(config-prof)#In the following example, two services called "og1" and "og2" are defined and added to the open garden:
!ssg open-garden og1ssg open-garden og2!local-profile og1attribute 26 9 251 "Oopengarden1.com"attribute 26 9 251 "D10.13.1.5"attribute 26 9 251 "R10.1.1.0;255.255.255.0"local-profile og2attribute 26 9 251 "Oopengarden2.com"attribute 26 9 251 "D10.14.1.5"attribute 26 9 251 "R10.2.1.0;255.255.255.0"attribute 26 9 251 "R10.3.1.0;255.255.255.0"!ssg bind service og2 10.5.5.1Related Commands
mode extended
To select extended Autodomain mode, use the mode extended command in SSG-auto-domain mode. To reenable basic Autodomain mode, use the no form of this command.
mode extended
no mode extended
Syntax Description
This command has no arguments or keywords.
Defaults
Basic Autodomain mode is selected.
Command Modes
SSG-auto-domain
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the mode extended command to select the extended Autodomain mode. In basic Autodomain mode, the profile downloaded from the AAA server for the selected Autodomain name is a service profile, which may or may not contain attributes specific to Service Selection Gateway (SSG). In extended Autodomain mode, the profile is a "virtual user" profile, which may contain a list of services in addition to other account attributes. The "virtual user" profile contains one autoservice to an authenticated service such as a proxy, VPDN, or tunnel. Connection to the autoservice occurs in the same way as in basic Autodomain mode. The host object is not activated until the user is authenticated at the service. The presence of SSD allows the user to access any other service in the specified user profile. Extended mode also enables users with multiple service selection to log on.
Examples
The following example shows how to enable extended Autodomain mode:
ssg enablessg auto-domainmode extendedselect usernameexclude apn motorolaexclude domain ciscodownload exclude-profile abc password1nat user-addressRelated Commands
nat user-address
To enable Network Address Translation (NAT) toward Autodomain service, use the nat user-address command in SSG-auto-domain mode. To disable NAT on Autodomain service, use the no form of this command.
nat user-address
no nat user-address
Syntax Description
This command has no arguments or keywords.
Defaults
NAT is not applied toward Autodomain services and IP addresses assigned at the tunnel, VPDN, or proxy service will be assigned at the host and then sent back to the RADIUS client. NAT is always applied towards the Autodomain connection regardless of the configuration of the nat user-address command when the Access-Request from the RADIUS client contains an IP address.
Command Modes
SSG-auto-domain
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the nat user-address command to enable NAT toward the Autodomain connection. When a host object has not been assigned an IP address using the Access-Request from the RADIUS client, Service Selection Gateway (SSG) by default passes an IP address assigned at the tunnel, VPDN, or proxy service back to the RADIUS client and NAT does not happen toward the Autodomain connection. The nat user-address command overrides the default behavior and specifies that NAT should be performed towards Autodomain services. If a host has been assigned an IP address via the Access-Request, NAT happens toward the Autodomain connection regardless of the status of this command.
Examples
The following example enables NAT toward the Autodomain connection:
ssg enablessg auto-domainmode extendedselect usernameexclude apn motorolaexclude domain ciscodownload exclude-profile abc password1nat user-addressRelated Commands
network (ssg-redirect)
To add an IP address to a named network list, use the network command in SSG-redirect-network configuration mode. To remove an IP address from a named network list, use the no form of this command.
network ip-address
no network ip-address
Syntax Description
Defaults
No default behavior or values.
Command Modes
SSG-redirect-network configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to define an individual network that is found in a named network list. Use the network-list command to define and name the network list and the network command to add an individual IP address to the named network list.
Packets arriving from an authorized user who is attempting to access an unauthorized service from an IP address that is part of a named network list can be redirected to a captive portal group that presents the user with an appropriate response, such as a logon screen. Service Selection Gateway (SSG) TCP Redirect for Services uses a marked TCP port or TCP port list in addition to the destination IP address to determine if a packet is redirected to a captive portal group.
Define a named TCP port list using the port-list command, and add TCP ports to the named TCP port list using the port (ssg-redirect) command.
You must enable SSG using the ssg enable command and SSG TCP Redirect for Services using the ssg tcp-redirect command before you can define a named network list.
Examples
The following example creates a network list named "RedirectNw" and adds IP address 10.0.0.0 255.0.0.0 and address 10.2.2.0 255.255.255.0 to the "RedirectNw" network list:
ssg tcp-redirectnetwork-list RedirectNwnetwork 10.0.0.0 255.0.0.0network 10.2.2.0 255.255.255.0Related Commands
Defines a list of one or more IP networks that make up a named network list.
ssg enable
Enables SSG.
Enables SSG TCP redirect and enters SSG-redirect mode.
network-list
To define a list of one or more IP networks that make up a named network list and to enter SSG-redirect-network configuration mode, use the network-list command in SSG-redirect configuration mode. To remove a named network list, use the no form of this command.
network-list network-listname
no network-list network-listname
Syntax Description
Defaults
No default behavior or values.
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to define a list of one or more IP networks that make up a named network list. Use the network-listname attribute to name the IP network list.
Packets arriving from an authorized user who is attempting to access an unauthorized service from an IP address that is part of a named network list can be redirected to a captive portal group that presents the user with an appropriate response, such as a logon screen. Service Selection Gateway (SSG) TCP Redirect for Services uses a marked TCP port or TCP port list in addition to the destination IP address to determine if a packet is redirected to a captive portal group.
Define a named TCP port list using the port-list command, and add TCP ports to the named TCP port list using the port (ssg-redirect) command.
You must enable SSG using the ssg enable command and SSG TCP Redirect for Services using the ssg tcp-redirect command before you can define a named network list.
Examples
The following example defines an IP network list named "RedirectNw":
network-list RedirectNwRelated Commands
port (ssg-redirect)
To add a TCP port to a named port list, use the port command in SSG-redirect-port configuration mode. To remove a TCP port from a named port list, use the no form of this command.
port port-number
no port port-number
Syntax Description
Defaults
No default behavior or values.
Command Modes
SSG-redirect-port configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to add incoming destination ports to a named TCP port list. Incoming packets directed to a port in the named TCP port list can be redirected by the named captive portal group. Configure the named captive portal group using the server-group command, and add servers to the captive portal group using the server (SSG) command. Define and name the TCP port list using the port-list command.
You must enable Service Selection Gateway (SSG) using the ssg enable command and SSG TCP Redirect for Services using the ssg tcp-redirect command before you can define or add incoming destination ports to a named TCP port list.
Examples
The following example creates a named TCP port list named "WebPorts" and adds TCP ports 80 and 8080:
ssg enablessg tcp-redirectport-list WebPortsport 80port 8080Related Commands
port-list
To define a list of one or more TCP ports that make up a named port list and to enter SSG-redirect-port configuration mode, use the port-list command in SSG-redirect configuration mode. To disable a port list, use the no form of this command.
port-list port-listname
no port-list port-listname
Syntax Description
Defaults
No default behavior or values.
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to define a named port list. Use this command to create a list of TCP ports that can be redirected by the captive portal group. Use the port (ssg-redirect) command in SSG-redirect-port configuration mode to add TCP ports to the named port list.
You must enable Service Selection Gateway (SSG) using the ssg enable command and SSG TCP Redirect for Services using the ssg tcp-redirect command before you can define a named port list.
Examples
The following example creates a port list named "WebPorts":
ssg enablessg tcp-redirectport-list WebPortsRelated Commands
redirect captivate advertising default group
To configure the default captive portal group, duration, and frequency for advertising captivation, use the redirect captivate advertising default group command in SSG-redirect configuration mode. To deselect a captive portal group as the default for advertising captivation, use the no form of this command.
redirect captivate advertising default group group-name duration seconds frequency frequency
no redirect captivate advertising default group group-name duration seconds frequency frequency
Syntax Description
Defaults
No default behavior or values.
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to select the default captive portal group for advertising captivation of users upon Account Logon. Use the seconds argument to configure the duration, in seconds, of the advertising captivation. Any packets arriving from the user and marked for one of the TCP ports configured in the captive portal group group-name are redirected to one of the captive portals defined in that captive portal group for the duration configured by the seconds argument.
Use the frequency argument to configure how often Service Selection Gateway (SSG) attempts to forward packets from the user to the captive portal.
The parameters set by this command can be overridden by the RADIUS attributes set for a user.
Examples
The following example shows how to configure the captive portal group named "CaptivateServer" to forward packets from a user for 30 seconds at intervals of 3600 seconds:
server-group SSDserver 10.0.0.253 8080!redirect port-list WebPorts to SSD!redirect unauthenticated-user to RedirectServerredirect unauthorized-service to SSDredirect smtp group SMTPServer allredirect captivate initial default group CaptivateServer duration 10redirect captivate advertising default group CaptivateServer duration 30 frequency 3600Related Commands
redirect captivate initial default group duration
To select a default captive portal group and duration of the initial captivation of users on Account Logon, use the redirect captivate initial default group duration command in SSG-redirect configuration mode. To deselect a captive portal group as the default for initial captivation, use the no form of this command.
redirect captivate initial default group group-name duration seconds
no redirect captivate initial default group group-name duration seconds
Syntax Description
group-name
Name of the captive portal group.
seconds
The duration in seconds of the initial captivation. The valid range is from 1 to 65,536 seconds.
Defaults
No default behavior or values.
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to select the default captive portal group for initial captivation of users on Account Logon. Use the seconds argument to configure the duration, in seconds, of the initial captivation. Any packets arriving from the user and marked for one of the TCP ports configured in the captive portal group group-name are redirected to one of the captive portals defined in that captive portal group for the duration configured by the seconds argument.
The parameters set by this command can be overridden by the RADIUS attributes set for a user.
Examples
The following example shows that the captive portal group named "CaptivateServer" will be used to forward packets from a user for the first 10 seconds that the user is connected:
server-group SSDserver 10.0.0.253 8080!redirect port-list WebPorts to SSD!redirect unauthenticated-user to RedirectServerredirect unauthorized-service to SSDredirect smtp group SMTPServer allredirect captivate initial default group CaptivateServer duration 10redirect captivate advertising default group CaptivateServer duration 30 frequency 3600Related Commands
redirect port to
To configure a TCP port or named TCP port list for Service Selection Gateway (SSG) TCP Redirect for Services, use the redirect port to command in SSG-redirect configuration mode. To disable SSG TCP Redirect for Services on a TCP port or named TCP port list, use the no form of this command.
redirect {port-list port-listname | port port-number} to group-name
no redirect {port-list port-listname | port port-number} to group-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to mark a TCP port or a named TCP port list for SSG TCP Redirect for Services. Define a named TCP port list using the port-list command and add TCP ports to the named TCP port list using the port (ssg-redirect) command. Packets arriving from an authorized user, or from an authorized user attempting to access an unauthorized service at a marked TCP port or named TCP port list can be redirected to a captive portal group that presents the user with an appropriate response, such as a logon screen.
Note
You must enable SSG using the ssg enable command and SSG TCP Redirect for Services using the ssg tcp-redirect command before you can define a TCP port or named TCP port list for SSG TCP redirection.
Note
Examples
The following example marks TCP port 8080 for SSG TCP redirection. Packets with a destination port of 8080 are redirected to the captive portal group named "RedirectServer":
server-group RedirectServerserver 10.2.36.253 8080!redirect port 8080 to RedirectServerredirect unauthorized-service destination network-list RedirectNw to RedirectServerThe following example marks the named TCP port "WebPorts" for SSG TCP redirection. Packets with a destination port that is one of the ports in the port list "WebPorts" are redirected to the captive portal group named "RedirectServer":
server-group SSDserver 10.0.0.253 8080!redirect port-list WebPorts to RedirectServer!Related Commands
redirect smtp group
To select a captive portal group for redirection of Simple Mail Transfer Protocol (SMTP) traffic, use the redirect smtp group command in SSG-redirect configuration mode. To stop redirecting SMTP traffic to a captive portal group, use the no form of this command.
redirect smtp group group-name [all | user]
no redirect smtp group group-name [all | user]
Syntax Description
group-name
Name of the captive portal group.
all
(Optional) Any SMTP packets are forwarded.
user
(Optional) SMTP packets from users that have SMTP forwarding permission are forwarded.
Defaults
The all keyword is the default if no keyword is specified.
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to select a captive portal group for redirection of SMTP traffic. If you select the all keyword, all SMTP packets (TCP port 25) from authorized users are redirected to one of the servers in the captive portal group specified by the group-name argument. If you select the user keyword, only SMTP packets from authorized users that have SMTP forwarding permission set through a RADIUS attribute are redirected. If you do not select a keyword, the default is the all keyword.
Examples
The following example shows how to configure all SMTP packets from authorized users to be redirected to the captive portal group named "SMTPServer":
server-group SSDserver 10.0.0.253 8080!redirect port-list WebPorts to SSD!redirect unauthenticated-user to RedirectServerredirect unauthorized-service to SSDredirect smtp group SMTPServer allredirect captivate initial default group CaptivateServer duration 10redirect captivate advertising default group CaptivateServer duration 30 frequency 3600The following example shows how to configure SMTP packets from any authorized user with the SMTP forwarding permission set through a RADIUS attribute to be redirected to the captive portal group named "SMTPServer":
redirect smtp group SMTPServer userRelated Commands
redirect unauthenticated-user to
To redirect TCP traffic from unauthenticated users to a specified captive portal group, use the redirect unauthenticated-user to command in Service Selection Gateway SSG-redirect configuration mode. To stop redirecting traffic from unauthenticated users to the specified captive portal group, use the no form of this command.
redirect unauthenticated-user to group-name
no redirect unauthenticated-user to group-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to redirect traffic from unauthenticated users to a specified captive portal group.
Note
Examples
The following example sets redirection of traffic from unauthenticated users to the captive portal group named "RedirectServer":
server-group SSDserver 10.0.0.253 8080!redirect port-list WebPorts to SSD!redirect unauthenticated-user to RedirectServerredirect unauthorized-service to SSDredirect smtp group SMTPServer allredirect captivate initial default group CaptivateServer duration 10redirect captivate advertising default group CaptivateServer duration 30 frequency 3600Related Commands
redirect unauthorized-service to
To set a list of destination IP networks that can be redirected by a specified, named captive portal group, use the redirect unauthorized-service to command in SSG-redirect configuration mode. To remove the list of IP networks that can be redirected by a specified named captive portal group, use the no form of this command.
redirect unauthorized-service [destination network-list network-listname] to group-name
no redirect unauthorized-service [destination network-list network-listname] to group-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to set a list of destination IP networks that can be redirected by the named captive portal group specified by the group-name argument. Incoming packets from authenticated hosts to networks that they are not authorized to access are checked against the destination IP network list to determine if they need redirection. If you do not specify a destination IP network by configuring the optional destination network-list keywords, the captive portal group specified in the group-name argument is used as the default group for unauthorized service redirection when the IP address of the unauthorized packet does not fall into any network list associated with any captive portal group.
You can associate only one destination IP network list with a captive portal group. You can associate a destination IP network list with multiple captive portal groups.
When you associate a destination IP network list with a captive portal group, packets arriving marked with a destination IP network that matches an IP network list may be redirected via SSG TCP redirection. The incoming destination TCP port also determines whether a packet is a candidate for SSG TCP redirection.
You can associate different server groups with overlapping IP network addresses. You must configure the captive portal group associated with a more specific network group first. For example, you must configure
redirect 10.1.0.0/255.255.0.0 to IPTVGroupbefore you can configure
redirect 10.0.0.0/255.0.0.0 to ISPGroupExamples
The following example shows how to set the captive portal group called "RedirectServer" as a possible candidate for redirection when the destination of a packet matches one of the networks in the destination IP network list named "RedirectNW":
server-group RedirectServerserver 10.2.36.253 8080!redirect port 80 to RedirectServerredirect unauthorized-service destination network-list RedirectNw to RedirectServerThe following example shows how to set the captive portal group called "DefaultRedirectServer" as a possible candidate for redirection when the destination of a packet does not match any of the networks defined in any destination IP network list:
redirect unauthorized-service to DefaultRedirectServerRelated Commands
select
To override the default Autodomain selection algorithm, use the select command in SSG-auto-domain mode. To reenable the default algorithm for selecting the Autodomain, use the no form of this command.
select {username | called-station-id}
no select {username | called-station-id}
Syntax Description
username
Configures the algorithm to use only the username to select the Autodomain.
called-station-id
Configures the algorithm to use only the Access Point Name (APN) Called-Station-ID.
Defaults
The algorithm attempts to find a valid Autodomain based on the APN Called-Station-ID and then by username.
Command Modes
SSG-auto-domain
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the select command to override the default algorithm for selecting the Autodomain. By default, the algorithm attempts to find a valid Autodomain based on APN Called-Station-ID and then by username. Using this command, you can configure the algorithm to use only the APN or only the username.
Note
Examples
The following example shows how to configure the algorithm to search for a valid Autodomain based only on the username:
ssg enablessg auto-domainmode extendedselect usernameexclude apn motorolaexclude domain ciscodownload exclude-profile abc password1nat user-addressThe following example shows how to configure the algorithm to search for a valid Autodomain based only on the APN:
select called-station-idRelated Commands
server (SSG)
To add a server to a captive portal group, use the server command in SSG-redirect-group configuration mode. To remove a server from a captive portal group, use the no form of this command.
server ip-address port
no server ip-address port
Syntax Description
ip-address
IP address of the server to be added to the captive portal group.
port
TCP port of the server to be added to the captive portal group.
Defaults
No default behavior or values.
Command Modes
SSG-redirect-group
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the server command in SSG-redirect-group configuration mode to add a server, defined by its IP address and TCP port, to a captive portal group.
Service Selection Gateway (SSG) TCP Redirect for Services provides nonauthorized users access to controlled services within an SSG. Packets sent upstream from an unauthenticated user are forwarded to the captive portal that deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services into which they are not logged.
You must enable SSG using the ssg enable command and SSG TCP Redirect for Services using the ssg tcp-redirect command before you can define a captive portal group. Use the server-group command in SSG-redirect configuration mode to create and name a captive portal group before using the server command to add servers to the captive portal group.
Examples
The following example adds a server at IP address 10.0.0.0 and TCP port 8080 and a server at IP address 10.1.2.3 and TCP port 8081 to a captive portal group named "RedirectServer":
ssg enablessg tcp-redirectserver-group RedirectServerserver 10.0.0.0 8080server 10.1.2.3 8081Related Commands
server-group
To define a group of one or more servers that make up a named captive portal group and enter SSG-redirect-group configuration mode, use the server-group command in SSG-redirect configuration mode. To remove a captive portal group and any servers configured within that portal group, use the no form of this command.
server-group group-name
no server-group group-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to define and name a captive portal group. Service Selection Gateway (SSG) TCP Redirect for Services provides nonauthorized users access to controlled services within an SSG. Packets sent upstream from an unauthenticated user are forwarded to the captive portal that deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services into which they are not logged.
After defining a captive portal group with the server-group command, identify individual servers for inclusion in the captive portal group using the server ip-address port command in SSG-redirect-group configuration mode.
You must enable SSG using the ssg enable command and SSG TCP Redirect for Services using the ssg tcp-redirect command before you can define a captive portal group.
Note
Examples
The following example defines a captive portal group named "RedirectServer":
ssg enablessg tcp-redirectserver-group RedirectServerRelated Commands
server-port
To configure the ports on which Service Selection Gateway (SSG) listens for RADIUS-requests from configured RADIUS clients, use the server-port command in SSG-radius-proxy configuration mode. To stop SSG from listening for RADIUS requests from configured RADIUS clients on a port, use the no form of this command.
server-port [auth auth-port] [acct acct-port]
no server-port [auth auth-port] [acct acct-port]
Syntax Description
Defaults
Port 1645 is the default RADIUS authentication port.
Port 1646 is the default RADIUS accounting port.Command Modes
SSG-radius-proxy configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to configure the authentication and accounting ports for the SSG Autologon Using Proxy RADIUS feature. Ports configured with this command are global parameters that apply to all proxy clients in the SSG.
Examples
The following example shows how to configure port 23 as the RADIUS authentication port and port 45 as the RADIUS accounting port:
server-port auth 23 acct 45Related Commands
show ssg auto-domain exclude-profile
To display the contents of an Autodomain exclude-profile downloaded from the AAA server, use the show ssg auto-domain exclude-profile command in global configuration mode.
show ssg auto-domain exclude-profile
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command in global configuration mode to display the contents of an Autodomain exclude-profile downloaded from the AAA server. If any exclude entries downloaded from the AAA server are removed by the no exclude {apn | domain} name command, these entries will not be displayed by the show ssg auto-domain exclude-profile command.
Examples
The following sample displays the contents of an Autodomain exclude-profile downloaded from the AAA server. The report is self- explanatory.
Router# show ssg auto-domain exclude-profileExclude APN Entries Downloaded:apn1.gprs apr2.comExclude Domain Entries Downloaded:cisco.com abcd.comRelated Commands
show ssg binding
To display service names that have been bound to interfaces and the IP addresses to which they have been bound, use the show ssg binding command in privileged EXEC mode.
show ssg binding [begin expression | exclude expression | include expression]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display services and the interfaces to which they have been bound.
Examples
The following example shows all service names that have been bound to interfaces:
Router# show ssg bindingWhipitNet -> 192.168.1.1 (NHT)Service1.com -> 192.168.1.2 (NHT)Service2.com -> 192.168.1.3 (NHT)Service3.com -> 192.168.1.4 (NHT)GoodNet -> 192.168.2.1Perftest -> 192.168.1.6Related Commands
Removes a service.
Displays the information for a service.
Specifies the interface for a service.
show ssg connection
To display the connections of a given host and a service name, use the show ssg connection command in privileged EXEC mode.
show ssg connection ip-address service-name [interface]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
Prepaid Service Based on Volume Example
The following example displays the SSG connection for a prepaid service that uses a volume-based quota:
Router# show ssg connection 19.1.1.19 InstMsg------------------------ConnectionObject Content -----------------------User Name:Owner Host:19.1.1.19Associated Service:InstMsgConnection State:0 (UP)Connection Started since:*00:25:58.000 UTC Tue Oct 23 2001User last activity at:*00:25:59.000 UTC Tue Oct 23 2001Connection Traffic Statistics:Input Bytes = 0, Input packets = 0Output Bytes = 0, Output packets = 0Quota Type = 'VOLUME', Quota Value = 100Session policing disabledPrepaid Service Based on Time Example
The following example displays the SSG connection for a prepaid service that uses a time-based quota:
Router# show ssg connection 19.1.1.22 Prepaid-internet------------------------ConnectionObject Content -----------------------User Name:HostOwner Host:19.1.1.22Associated Service:Prepaid-internetConnection State:0 (UP)Connection Started since:*00:34:06.000 UTC Tue Oct 23 2001User last activity at:*00:34:07.000 UTC Tue Oct 23 2001Connection Traffic Statistics:Input Bytes = 0, Input packets = 0Output Bytes = 0, Output packets = 0Quota Type = 'TIME', Quota Value = 100Session policing disabledAutologin Service Example
The following example shows the service connection for the autologin service to host 10.3.6.1:
Router# show ssg connection 10.3.6.1 autologin------------------------ ConnectionObject Content -----------------------User Name:autologinOwner Host:10.3.6.1Associated Service:autologinConnection State:0 (UP)Connection Started since:*20:41:26.000 UTC Fri Jul 27 2001User last activity at:*20:41:26.000 UTC Fri Jul 27 2001Connection Traffic Statistics:Input Bytes = 0 (HI = 0), Input packets = 0Output Bytes = 0 (HI = 0), Output packets = 0Table 24 describes the significant fields shown in the displays.
Related Commands
clear ssg connection
Removes the connections of a given host and a service name.
show ssg direction
To display the direction of all interfaces for which a direction has been specified, use the show ssg direction command in privileged EXEC mode.
show ssg direction [begin expression | exclude expression | include expression]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to show all interfaces that have been specified as uplinks or downlinks.
Examples
The following example shows the direction of all interfaces that have been specified as uplinks or downlinks.
Router# show ssg directionATM0/0/0.10: UplinkBVI1: DownlinkFastEthernet0/0/0: UplinkRelated Commands
show ssg host
To display the information about a subscriber and current connections of the subscriber, use the show ssg host command in privileged EXEC mode.
show ssg host [ip-address [interface] | username]
Syntax Description
ip-address
(Optional) IP address of the host.
interface
(Optional) Interface through which the host is connected.
username
(Optional) Displays the usernames logged into the active hosts.
Defaults
If no argument is provided, all current connections are displayed.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows all active hosts:
Router# show ssg host1:10.3.1.1 [Host-Key 70.13.60.3:64]2:10.3.6.1 [Host-Key 70.13.60.3:65]### Active HostObject Count:2The following example shows information about host 10.3.1.1:
Router# show ssg host 10.3.1.1------------------------ HostObject Content -----------------------Activated:TRUEInterface:Virtual-Access1User Name:pppoauserHost IP:10.3.1.1Msg IP:0.0.0.0 (0)Host DNS IP:0.0.0.0Maximum Session Timeout:0 secondsHost Idle Timeout:0 secondsClass Attr:NONEUser logged on since:*20:59:51.000 UTC Fri Jul 27 2001User last activity at:*20:59:51.000 UTC Fri Jul 27 2001Default Service:NONEDNS Default Service:NONEActive Services:autologon;AutoService:autologon;Subscribed Services:The following example shows two host objects with the same IP address:
Router# show ssg host 10.3.1.1SSG:Overlapping hosts for IP 10.3.1.1 at interfaces:FastEthernet0/0/0Virtual-Access1In this case, use the interface argument to uniquely identify the host:
Router# show ssg host 10.3.1.1 FastEthernet0/0/0Note that the output produced by this command is the same as that produced by the command without the interface argument. The interface argument is used only to uniquely identify a host when there are overlapping host IP addresses.
The following example shows the usernames logged in to the active hosts:
RouterA# show ssg host user1:10.3.1.1 (active) Host name:pppoauser2:10.3.6.1 (active) Host name:ssguser2### Total HostObject Count(including inactive hosts):2Related Commands
show ssg next-hop
To display the next-hop table, use the show ssg next-hop command in privileged EXEC mode.
show ssg next-hop [begin expression | exclude expression | include expression]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display all next-hop IP addresses.
Examples
The following example shows the next-hop table:
Router# show ssg next-hopNext hop table loaded from profile prof-nhg:WhipitNet -> 192.168.1.6Service1.com -> 192.168.1.3Service2.com -> 192.168.1.2Service3.com -> 192.168.1.1GoodNet -> 192.168.1.2Perftest -> 192.168.1.5End of next hop table.Related Commands
show ssg open-garden
To display a list of all configured open garden services, use the show ssg open-garden command in privileged EXEC mode.
show ssg open-garden
Syntax Description
This command has no keywords or arguments.
Command Modes
Privileged EXEC
Command History
Examples
In the following example, all configured open garden services are displayed:
Router# show ssg open-gardennrp1-nrp2_og1nrp1-nrp2_og2nrp1-nrp2_og3nrp1-nrp2_og4Related Commands
show ssg pass-through-filter
To display the downloaded filter for transparent pass-through, use the show ssg pass-through-filter command in privileged EXEC mode.
show ssg pass-through-filter [begin expression | exclude expression | include expression]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display the downloaded transparent pass-through filter. The filter prevents pass-through traffic from accessing the specified IP address and subnet mask combinations. The filter is set using the ssg pass-through command.
To display a filter defined on the command line, use the show running-config command.
Examples
The following example shows the pass-through filter:
Router# show ssg pass-through-filterService name: filter01Password: ciscoDirection: UplinkExtended IP access list (SSG ACL)permit tcp 172.16.6.0 0.0.0.255 any eq telnetpermit tcp 172.16.6.0 0.0.0.255 192.168.250.0 0.0.0.255 eq ftpRelated Commands
Removes the downloaded filter for transparent pass-through.
Enables transparent pass-through.
show ssg pending-command
To display current pending commands, such as next-hop or filters, use the show ssg pending-command command in privileged EXEC mode.
show ssg pending-command
Syntax Description
This command has no keywords or arguments.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display the current pending commands.
Examples
The following example shows the pending commands:
Router# show ssg pending-commandSSG pending command list:ssg bind service Service1.com 192.168.103.1ssg bind service Perftest206 192.168.104.5Related Commands
show ssg port-map ip
To display information on a particular port bundle, use the show ssg port-map ip command in privileged EXEC mode.
show ssg port-map ip ip-address port port-number
Syntax Description
ip-address
IP address used to identify the port bundle.
port-number
TCP port number used to identify the port bundle.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command displays the following information about a port bundle:
•
•
•
Examples
The following output shows the Virtual-Access2 interface connected to the subscriber:
Router# show ssg port-map ip 70.13.60.2 port 64State = IN-USESubscriber Address = 10.10.3.1Downlink Interface = Virtual-Access2Port-mappings:-Subscriber Port: 3271 Mapped Port: 1024Subscriber Port: 3272 Mapped Port: 1025Subscriber Port: 3273 Mapped Port: 1026Subscriber Port: 3274 Mapped Port: 1027Subscriber Port: 3275 Mapped Port: 1028Table 25 describes the significant fields shown in the display.
Related Commands
show ssg port-map status
To display information on port bundles, use the show ssg port-map status command in privileged EXEC mode.
show ssg port-map status [free | reserved | inuse]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Entered without any keywords, the command displays a summary of all port-bundle groups, including the following information:
•
•
•
Examples
Display All Bundles Example
The following example shows output for the show ssg port-map status command with no keywords:
Router# show ssg port-map statusBundle-length = 4Bundle-groups:-IP Address Free Bundles Reserved Bundles In-use Bundles70.13.60.2 4032 0 0Table 26 describes the significant fields shown in the display.
Display In-Use Bundles Example
The following example shows output for the show ssg port-map status command with the inuse keyword:
Router# show ssg port-map status inuseBundle-group 70.13.60.2 has the following in-use port-bundles:-Port-bundle Subscriber Address Interface64 10.10.3.1 Virtual-Access2Table 27 describes the significant fields shown in the display.
Related Commands
show ssg radius-proxy address-pool
To display the pool of IP addresses configured for a router or for a specific domain, use the show ssg radius-proxy address-pool command in privileged EXEC mode.
show ssg radius-proxy address-pool [domain domain-name] [free | inuse]
Syntax Description
Defaults
If no domain name is provided, the command displays information for all IP addresses configured in an address pool.
Command Modes
Privileged EXEC
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to display the IP address pools configured for a router or for a specific domain. You can also display which IP addresses are available or are in use.
Examples
The following example shows how to display information for IP addresses in the IP address pool:
Router# show ssg radius-proxy address-poolGlobal Pool: Free Addresses= 10234 Inuse Addresses= 0The following example shows how to display information about the IP addresses in the IP address pool in the domain called "ssg.com":
Router# show ssg radius-proxy address-pool domain ssg.comDomain Pool(ssg.com): Free Addresses= 20 Inuse Addresses= 10The following example shows how to display information about the IP addresses in the IP address pool for the domain called "ssg.com" that are currently in use:
Router# show ssg radius-proxy address-pool domain cisco inuseInuse Addresses in Domain Pool(ssg.com):1019.1.5.119.1.5.219.1.5.319.1.5.419.1.5.519.1.5.619.1.5.719.1.5.819.1.5.919.1.5.10The following example shows how to display information about the IP addresses in the IP address pool for the domain called "ssg.com" that are currently available:Router# show ssg radius-proxy address-pool domain ssg.com freeFree Addresses in Domain Pool(ssg.com):2019.1.5.1119.1.5.1219.1.5.1319.1.5.1419.1.5.1519.1.5.1619.1.5.1719.1.5.1819.1.5.1919.1.5.2019.1.5.2119.1.5.2219.1.5.2319.1.5.2419.1.5.2519.1.5.2619.1.5.2719.1.5.2819.1.5.2919.1.5.30Related Commands
show ssg service
To display the information for a service, use the show ssg service command in privileged EXEC mode.
show ssg service [service-name [begin expression | exclude expression | include expression]]
Syntax Description
Defaults
If no service name is provided, the command displays information for all services.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display connection information for a service.
Examples
The following example shows the information for the service called "serv1-proxy":
Router# show ssg service serv1-proxy------------------------ ServiceInfo Content -----------------------Uplink IDB:Name:serv1-proxyType:PROXYMode:CONCURRENTService Session Timeout:0 secondsService Idle Timeout:0 secondsClass Attr:NONEAuthentication Type:CHAPReference Count:1Next Hop Gateway Key:my-keyDNS Server(s):Primary:10.13.1.5Radius Server:IP=10.13.1.2, authPort=1645, acctPort=1646, secret=my-secretIncluded Network Segments:10.13.0.0/255.255.0.0Excluded Network Segments:Full User Name UsedService Defined Cookie existDomain List:service1.com;Active Connections:1 :Virtual=255.255.255.255, Subscriber=10.20.10.2------------------------ End of ServiceInfo Content ----------------Related Commands
Removes a service.
Displays service names that have been bound to interfaces and the interfaces to which they have been bound.
Specifies the interface for a service.
show ssg tcp-redirect group
To display information about the captive portal groups and their networks associated with those portal groups, use the show ssg tcp-redirect group command in privileged EXEC mode.
show ssg tcp-redirect group [group-name]
Syntax Description
Command Modes
Privileged EXEC
Command History
12.2(4)B
This command was introduced. This command replaced the show ssg http-redirect group command.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to display information about the captive portal groups and their associated networks defined in your system.
If you omit the optional group-name argument, this command displays a list of all defined captive portal groups and the networks associated with the captive portal groups. If you specify the group-name argument, this command displays information about that group and its associated networks.
Examples
The following example shows how to display a list of all of the defined captive portal groups:
Router# show ssg tcp-redirect groupCurrent TCP redirect groups:RedirectServerCaptivateServerSMTPServerSSDUnauthenticated user redirect group:RedirectServerDefault service redirect group:SSDSMTP forwarding group:SMTPServer, for all usersDefault initial captivation group:CaptivateServer,for 10 secondsDefault advertising captivation group:CaptivateServer,for 30 seconds approximately every 3600 secondsTable 28 describes the significant fields shown in the display above.
The following example shows how to display a detailed description of the captive portal group called "RedirectServer":
Router# show ssg tcp-redirect group RedirectServerTCP redirect group RedirectServer:Showing all TCP servers (Address, Port):10.2.36.253, 8080, FastEthernet0/0Networks to redirect to (network-list RedirectNw):172.16.10.0 /24172.20.0.0 /16TCP port to redirect:80Table 29 describes the significant fields shown in the display.
Related Commands
show ssg vc-service-map
To display virtual circuit (VC)-to-service-name mappings, use the show ssg vc-service-map command in privileged EXEC mode.
show ssg vc-service-map [vpi/vci | service service-name]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display VC-to-service-name mappings.
Examples
The following example shows the VCs mapped to the service name "Worldwide":
Router# show ssg vc-service-map service WorldwideInterface From To Service Name TypeAll 3 /33 None Worldwide non-exclusiveRelated Commands
show tcp-redirect mappings
To display information about the TCP redirect mappings for hosts within your system, use the show tcp-redirect mappings command in privileged EXEC mode.
show tcp-redirect mappings [ip-address [interface]]
Syntax Description
Command Modes
Privileged EXEC
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to display information about the TCP redirect mappings for hosts within your system. If you omit the optional ip-address argument, this command displays a list of all host IP addresses that currently have stored mappings. If you include the ip-address argument, this command displays any mappings for the host with the specified IP address. You can use the interface argument when SSG is running in port mapped host key mode to specify the downlink interface on which the host is connected to the SSG. Use the interface argument when you want to display information about a specific host where there are overlapping IP addresses among hosts.
The TCP-redirect mappings are removed automatically after the TCP session terminates or has been idle for more than 60 seconds.
Note
Examples
The following example displays all of the hosts that have redirect mappings stored on your system:
Router# show tcp-redirect mappingsAuthenticated hosts:TCP remapping Host:172.16.10.0 to servers (IP:Port)10.2.36.253:808010.64.131.20:25### Total authenticated hosts being redirected = 1Unauthenticated hosts:TCP remapping Host:172.0.0.2 to server:10.2.36.253 on port:8080The following example displays detailed mapping for the host at IP address 172.16.0.0:
Router# show tcp-redirect mappings 172.16.0.0TCP remapping Host:172.16.0.0TCP remapping to server:10.2.36.253 on port:8080Connection Mappings (src port <-> dest IP,dest port,timestamp, flags):11092 <-> 10.0.0.1,80,730967636,0x1TCP remapping to server:10.64.131.20 on port:25Connection Mappings (src port <-> dest IP,dest port,timestamp,flags):11093 <-> 10.0.0.1,25,730967652,0x0Table 30 describes the significant fields shown in the displays.
Related Commands
ssg accounting
To enable Service Selection Gateway (SSG) accounting, use the ssg accounting command in global configuration mode. To disable the SSG accounting, use the no form of this command.
ssg accounting
no ssg accounting
Syntax Description
This command has no arguments or keywords.
Defaults
Accounting is enabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
The ssg accounting command enables the sending of start, stop, and interim accounting records for hosts and connections.
Examples
The following example shows how to reenable SSG accounting if it has been disabled:
Router(config)# ssg accountingRelated Commands
Specifies the interval at which accounting updates are sent to the accounting server.
ssg accounting interval
To specify the interval at which accounting updates are sent to the accounting server, use the ssg accounting interval command in global configuration mode. To disable the accounting interval, use the no form of this command.
ssg accounting interval seconds
no ssg accounting interval seconds
Syntax Description
Defaults
600 seconds
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify the interval at which accounting updates are sent to the accounting server.
Examples
The following example shows how to specify that Service Selection Gateway (SSG) will send an accounting update to the accounting server every 60 seconds:
Router(config)# ssg accounting interval 60Related Commands
ssg auto-domain
To enable Service Selection Gateway (SSG) Autodomain, use the ssg auto-domain command in global configuration mode. To remove all Autodomain configuration from the running configuration and to prevent further activation of autodomains, use the no form of this command.
ssg auto-domain
no ssg auto-domain
Syntax Description
This command has no arguments or keywords.
Defaults
Autodomain is disabled by default.
Command Modes
Global configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
To enable SSG Autodomain, use this command in global configuration mode. SSG must be enabled before the ssg auto-domain command can be entered.
Note
Use the no ssg auto-domain command to prevent further activations of autodomains and to remove all Autodomain configuration from the running-configuration. Subsequent reissuing of the ssg auto-domain command restores Autodomain to its former state.
Examples
The following example enables basic SSG Autodomain:
ssg enablessg auto-domainRelated Commands
ssg auto-logoff arp
To configure Service Selection Gateway (SSG) to automatically log off hosts that have lost connectivity with SSG and to use the Address Resolution Protocol (ARP) ping mechanism to detect connectivity, use the ssg auto-logoff arp command in global configuration mode. To disable SSG auto logoff, use the no form of this command.
ssg auto-logoff arp [interval seconds]
no auto-logoff arp
Syntax Description
Defaults
SSG auto logoff is not enabled.
Default interval is 30 seconds.Command Modes
Global configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
When the ssg auto-logoff arp command is configured, SSG will use the ARP ping mechanism to detect connectivity to hosts.
Note
ARP request packets are smaller than Internet Control Message Protocol (ICMP) ping packets, so it is recommended that you configure SSG auto logoff to use ARP ping in scenarios in which hosts are directly connected.
ICMP ping can be used in all types of deployment scenarios. See the ssg auto-logoff icmp command page for more information about SSG auto logoff using ICMP ping.
ARP ping will work only on hosts that have a MAC address. So, for example, ARP ping will not work for PPP users because they do not have a MAC table entry.
ARP ping does not support overlapping IP addresses.
SSG autologoff that uses the ARP ping mechanism will not work for hosts with static ARP entries.
You can use only one method of SSG autologoff at a time: ARP ping or ICMP ping. If you configure SSG to use ARP ping after ICMP ping has been configured, the ICMP ping function will become disabled.
Examples
The following example shows how to enable SSG autologoff. SSG will use ARP ping to detect connectivity to hosts.
Router(config)# ssg auto-logoff arp interval 60Related Commands
Configures the SSG to automatically log off hosts that have lost connectivity with SSG and to use the ICMP ping mechanism to detect connectivity.
ssg auto-logoff icmp
To configure Service Selection Gateway (SSG) to automatically log off hosts that have lost connectivity with SSG and to use the Internet Control Message Protocol (ICMP) ping mechanism to detect connectivity, use the ssg auto-logoff icmp command in global configuration mode. To disable SSG autologoff, use the no form of this command.
ssg auto-logoff icmp [timeout milliseconds] [packets number] [interval seconds]
no auto-logoff icmp
Syntax Description
Defaults
SSG autologoff is not enabled.
Interval: 30 seconds.
Timeout: 500 milliseconds.
Number of packets: 2 packets.Command Modes
Global configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
When the ssg auto-logoff icmp command is specified, SSG will use the ICMP ping mechanism to detect connectivity to hosts.
Note
ICMP ping supports overlapping IP addresses.
If a user is not reachable, a configured number of packets (p) will be sent, and each packet will be timed out (t). The user will be logged off in p * t milliseconds after the first pinging attempt. If p * t milliseconds is greater than the configured pinging interval, then the time taken to log off the host after connectivity is lost will be greater than the configured autologoff interval. If parameters are configured this way, the following warning will be issued: "Hosts will be auto-logged off (p * t) msecs after connectivity is lost." When the pinging interval is less than p * t, the timeout process for a host that has become unreachable will be invoked when the pinging to that host is still occurring. However, because the timeout process will check the status of the host object and find that it is in a pinging state, the host will not be pinged again.
You can use only one method of SSG autologoff at a time: Address Resolution Protocol (ARP) ping or ICMP ping. If you configure SSG to use ARP ping after ICMP ping has been configured, the ICMP ping function will become disabled.
Default values will be applied if a value of zero is configured for any parameters.
The ssg auto-logoff arp command will configure SSG to use the ARP ping mechanism to detect connectivity to hosts. ARP ping should be used only in deployment situations in which all hosts are directly connected to the SSG through a broadcast interface such as an Ethernet interface or a bridged interface such as a routed bridge encapsulation or an integrated routing and bridging interface.
ARP request packets are smaller than ICMP ping packets, so it is recommended that you configure SSG autologoff to use ARP ping in situations in which hosts are directly connected. For more information about SSG autologoff that uses ARP ping, see the ssg auto-logoff arp command reference page.
Examples
The following example shows how to enable SSG autologoff. SSG will use ICMP ping to detect connectivity to hosts.
Router(config)# ssg auto-logoff icmp interval 60 timeout 300 packets 3Related Commands
Configures the SSG to automatically log off hosts that have lost connectivity with SSG and to use the ARP ping mechanism to detect connectivity.
ssg bind direction
To specify an interface as a downlink or uplink interface, use the ssg bind direction command in global configuration mode. To disable the directional specification for the interface, use the no form of this command.
ssg bind direction {downlink | uplink} {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
no ssg bind direction {downlink | uplink} {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
Syntax Description
Defaults
All interfaces are configured as uplink interfaces by default.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify an interface as downlink or uplink. An uplink interface is an interface to services; a downlink interface is an interface to subscribers.
Examples
The following example shows how to specify an ATM interface as a downlink interface:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ssg bind direction downlink ATM 0/0/0.10Related Commands
Displays service names that have been bound to interfaces and the interfaces to which they have been bound.
ssg bind service
To specify the interface for a service, use the ssg bind service command in global configuration mode. To unbind the service and the interface, use the no form of this command.
ssg bind service service-name {ip-address | ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
no ssg bind service service-name {ip-address | ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to bind a service to an interface.
Examples
The following example shows the interface for the service defined as "MyService":
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ssg bind service MyService ATM 0/0/0.10Related Commands
Removes a service.
Displays service names that have been bound to interfaces and the interfaces to which they have been bound.
Displays the information for a service.
ssg default-network
To specify the default network IP address or subnet and mask, use the ssg default-network command in global configuration mode. To disable the default network IP address and mask, use the no form of this command.
ssg default-network ip-address mask
no ssg default-network ip-address mask
Syntax Description
ip-address
Service Selection Gateway (SSG) default IP address or subnet.
mask
SSG default network destination mask.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify the first IP address or subnet that users will be able to access without authentication. This is the address where the Cisco Service Selection Dashboard (SSD) resides. After users enter the URL for the Cisco SSD, they will be prompted for a username and password. A mask provided with the IP address specifies the range of IP addresses that users will be able to access without authentication.
Examples
The following example shows a default network IP address, 192.168.1.2, and mask 255.255.255.255:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ssg default-network 192.168.1.2 255.255.255.255ssg enable
To enable Service Selection Gateway (SSG), use the ssg enable command in global configuration mode. To disable SSG, use the no form of this command.
ssg enable
no ssg enable
Syntax Description
This command has no arguments or keywords.
Defaults
SSG is disabled.
Command Modes
Global configuration
Command History
Examples
The following example shows how to enable SSG:
Router(config)# ssg enablessg local-forwarding
To enable Service Selection Gateway (SSG) to forward packets locally, use the ssg local-forwarding command in global configuration mode. To disable local forwarding, use the no form of this command.
ssg local-forwarding
no ssg local-forwarding
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Examples
The following example enables local forwarding:
Router(config)# ssg local-forwardingssg maxservice
To set the maximum number of services per user, use the ssg maxservice command in global configuration mode. To reset the maximum number of services per user to the default, use the no form of this command.
ssg maxservice number
no ssg maxservice
Syntax Description
Defaults
The default maximum number of services per user is 20.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to limit the number of services to which a user can be logged on simultaneously.
Examples
The following example shows how to set the maximum number of services per user to 10:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ssg maxservice 10ssg next-hop download
To download the next-hop table from a RADIUS server, use the ssg next-hop command in global configuration mode. To remove the command from the configuration, use the no form of this command.
ssg next-hop download [profile-name] [profile-password]
no ssg next-hop download [profile-name] [profile-password]
Syntax Description
download
Loads the next-hop table profile.
profile-name
(Optional) Profile name.
profile-password
(Optional) Profile password.
Defaults
If no profile name and password are provided, the previous profile specified with this command is downloaded. If no previous profile was specified, an error message is generated.
Command Modes
Global configuration
Command History
Usage Guidelines
When this command is used, an entry is made in the running configuration. When the configuration is reloaded, the next-hop table is automatically downloaded. If the no form of this command is used to remove the command from the running configuration, a next-hop table will not be automatically downloaded when the configuration is reloaded.
Examples
The following example shows how to download the next-hop table called "MyProfile" from a RADIUS server:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ssg next-hop download MyProfile MyProfilePasswordRelated Commands
ssg open-garden
To designate a service as an open garden service, use the ssg open-garden command in global configuration mode. To remove a service from the open garden, use the no form of this command.
ssg open-garden profile-name
no ssg open-garden profile-name
Syntax Description
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to designate a service, defined in a local service profile, as an open garden service.
Examples
In the following example, the service called "fictitiousname.com" is defined in a local service profile and added to the open garden:
Router(config)# local-profile cisco.comRouter(config-prof)# attribute 26 9 251 "Oopengarden1.com"Router(config-prof)# attribute 26 9 251 "D10.13.1.5"Router(config-prof)# attribute 26 9 251 "R10.1.1.0;255.255.255.0"Router(config-prof)# exitRouter(config)# ssg open-garden fictitiousname.comRelated Commands
ssg pass-through
To enable transparent pass-through, use the ssg pass-through command in global configuration mode. To disable transparent pass-through, use the no form of this command
ssg pass-through [filter {ip-access-list | ip-extended-access-list | access-list-name | download [profile-name | profile-name profile-password]} [downlink | uplink]}]
no ssg pass-through [filter {ip-access-list | ip-extended-access-list | access-list-name | download [profile-name | profile-name profile-password]} [downlink | uplink]}]
Syntax Description
Defaults
Transparent pass-through is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to enable transparent pass-through if you want to allow unauthenticated traffic to pass through the Service Selection Gateway (SSG) in either direction without modification. If you want all traffic to be authenticated by the SSG, use this command to disable transparent pass-through. You can use the filter option to prevent pass through traffic from accessing the specified IP address and subnet mask combinations.
Use the no form of this command to remove a transparent pass-through filter that was configured at the command line. This will also remove it from the running configuration.
Examples
The following example shows how to enable SSG transparent pass-through and download a pass-through filter from the AAA server called "filter01":
Router# configure terminalEnter configuration commands, one per line. End with CNTL/ZRouter(config)# ssg pass-throughRouter(config)# ssg pass-through filter download filter01 ciscoRadius reply received:Created Upstream acl from it.Loading default pass-through filter succeeded.Related Commands
Removes the downloaded filter for transparent pass-through.
Displays the downloaded filter for transparent pass-through.
ssg port-map destination access-list
To identify packets for port-mapping by specifying an access list to compare against the subscriber traffic, use the ssg port-map destination access-list command in global configuration mode. To remove this specification, use the no form of this command.
ssg port-map destination access list access-list-number
no ssg port-map destination access list access-list-number
Syntax Description
Command Modes
Global configuration
Command History
Usage Guidelines
When the ssg port-map destination access list command is configured, any traffic going to the default network and matching the access list will be port-mapped.
Note
You can use multiple entries of the ssg port-map destination access-list command. The access lists are checked against the subscriber traffic in the order in which they are defined.
Examples
In the following example, packets permitted by access list 100 will be port-mapped:
ssg port-map enablessg port-map destination access-list 100ssg port-map source ip Ethernet0/0/0!....!access-list 100 permit ip 10.0.0.0 0.255.255.255 host 70.13.6.100access-list 100 deny ip any anyRelated Commands
Identifies packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic.
ssg port-map destination range
To identify packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic, use the ssg port-map destination range command in global configuration mode. To remove this specification, use the no form of this command.
ssg port-map destination range from port-number-1 to port-number-2 [ip ip-address]
no ssg port-map destination range from port-number-1 to port-number-2 [ip ip-address]
Syntax Description
Defaults
If an IP address is not specified, Service Selection Gateway (SSG) will allow any destination IP address in the subscriber traffic to be port-mapped, as long as the packets match the specified port ranges.
Command Modes
Global configuration
Command History
Usage Guidelines
If the destination IP address is not configured, a default network must be configured and routable from SSG in order for this command to be effective.
If the destination IP address is not configured, any traffic going to the default network with the destination port will fall into the destination port range and will be port-mapped.
You can use multiple entries of the ssg port-map destination range command. The port ranges are checked against the subscriber traffic in the order in which they were defined.
Examples
In the following example, packets that are going to the default network and have a destination port within the range 8080 to 8081 will be port-mapped:
Router(config)# ssg port-map destination range from 8080 to 8081Related Commands
Identifies packets for port-mapping by specifying an access list to compare against the subscriber traffic.
ssg port-map enable
To enable the Service Selection Gateway (SSG) port-bundle host key, use the ssg port-map enable command in global configuration mode. To disable the SSG port-bundle host key, use the no form of this command.
ssg port-map enable
no ssg port-map enable
Syntax Description
This command has no arguments or keywords.
Defaults
SSG port-bundle host key is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
This command will not take effect until the router has been reloaded.
The SSG Port-Bundle Host Key feature requires Cisco Service Selection Dashboard (SSD) Release 3.0(1) or Cisco Subscriber Edge Services Manager (SESM) Release 3.1(1). If you are using an earlier release of SSD, use the no ssg port-map enable command to disable the SSG Port-Bundle Host Key feature.
Examples
The following example shows how to enable the SSG port-bundle host key:
Router(config)# ssg port-map enableRelated Commands
ssg port-map length
To modify the port-bundle length upon the next Service Selection Gateway (SSG) reload, use the ssg port-map length command in global configuration mode. To return the port-bundle length to the default value, use the no form of this command.
ssg port-map length bits
no ssg port-map length bits
Syntax Description
Defaults
4 bits
Command Modes
Global configuration
Command History
Usage Guidelines
The port-bundle length is used to determine the number of bundles in one group and the number of ports in one bundle. By default, the port-bundle length is 4 bits. The maximum port-bundle length is 10 bits. See Table 31 for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. Increasing the port-bundle length can be useful when you see frequent error messages about running out of ports in a port bundle, but note that the new value does not take effect until SSG next reloads and Cisco Service Selection Dashboard (SSD) restarts.
Note
Examples
The following example results in 64 ports per bundle and 1008 bundles per group:
Router(config)# ssg port-map length 6Related Commands
ssg port-map source ip
To specify Service Selection Gateway (SSG) source IP addresses to which to map the destination IP addresses in subscriber traffic, use the ssg port-map source ip command in global configuration mode. To remove this specification, use the no form of this command.
ssg port-map source ip {ip-address | interface}
no ssg port-map source ip {ip-address | interface}
Syntax Description
ip-address
SSG source IP address.
interface
Interface whose main IP address is used as the SSG source IP address.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
With the SSG Port-Bundle Host Key feature, SSG maps the destination IP addresses in subscriber traffic to specified SSG source IP addresses.
All SSG source IP addresses configured with the ssg port-map source ip command must be routable in the management network where the Cisco SSD resides.
If the interface for the source IP address is deleted, the port-map translations will not work correctly.
Because a subscriber can have several simultaneous TCP sessions when accessing a web page, SSG assigns a bundle of ports to each subscriber. Because the number of available port bundles is limited, you can assign multiple SSG source IP addresses (one for each group of port bundles). By default, each group has 4032 bundles, and each bundle has 16 ports. To modify the number of bundles per group and the number of ports per bundle, use the ssg port-map length global configuration command.
Examples
The following example shows the SSG source specified with an IP address and with specific interfaces:
Router(config)# ssg port-map source ip 10.0.50.1Router(config)# ssg port-map source ip Ethernet0/0/0Router(config)# ssg port-map source ip Loopback 1Related Commands
ssg profile-cache
To enable caching of user profiles for non-PPP users, use the ssg profile-cache command in global configuration mode. To disable caching of user profiles, use the no form of this command.
ssg profile-cache
no ssg profile-cache
Syntax Description
This command has no arguments or keywords.
Defaults
User-profile caching is not enabled.
Command Modes
Global configuration
Command History
12.2(2)B
This command was introduced.
12.2(4)B
This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(8)T
This command was integrated into Cisco IOS Release 12.2(8)T.
Usage Guidelines
The ssg profile-cache command allows Service Selection Gateway (SSG) to cache the user profiles of non-PPP users. User profiles of PPP and RADIUS proxy users are always cached by SSG by default. In situations in which the user profile is not available from other sources, SSG user-profile caching makes the user profile available for RADIUS status queries, providing support for single-sign-on functionality and for failover from one Subscriber Edge Services Manager (SESM) to another.
In order for a user profile to be cached, the ssg profile-cache command must be configured before account login occurs. Once the user authentication has been done (as part of the account login), the host object is created, and the user profile is cached.
Note
Examples
The following example shows how to enable user-profile caching:
Router(config)# ssg profile-cachessg qos police
To enable the limiting transmission rates for an SSG subscriber or for a service being used by an SSG subscriber, use the ssg qos police command in global configuration mode. To disable the limiting of transmission rates, use the no form of this command.
ssg qos police [user | session]
no ssg qos police [user | session]
Syntax Description
Defaults
Traffic is forwarded with no SSG policing restrictions if the ssg qos police command is disabled.
Command Modes
Global configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
This command enables the SSG Hierarchical Policing feature, which is used to limit the output transmission rate for a subscriber or for a specific SSG service used by a subscriber. The parameters used to police traffic (committed rate, normal burst, and excess burst) are configured in a RADIUS user profile (per-user policing) or a RADIUS service profile (per-session policing) by using the Q option.
Examples
The following is an example of a user profile with the SSG Hierarchical Policing enabled for downstream traffic. In this example, an excess burst size is set at 0 so all dropped packets are tail-dropped. In this particular profile, only downstream traffic is policed (although it is important to note that an upstream token bucket algorithm would operate identically to the downstream policing algorithm).
user = johndoe
radius = 7200-SSG-v1.1
check_items= {
2 = cisco}
reply_attributes={
9,250="Nproxy_ser"
9,250="Ntunnel_ser"
9,250="QD8000;2000;0"Per-user policing must be enabled on the router before the traffic directed to the subscriber is policed. Per-user policing is enabled on the router by entering the following global configuration command:
Router(config)# ssg qos police user
Note
The token bucket starts at 1000 tokens; remember that the committed rate is specified in bits per seconds, but that the token bucket operates based on bytes. Hence, 8000 bits is equal to 1000 bytes, so a full token bucket has 1000 tokens. The normal burst parameter is set at 2000. For the sake of the example, no actual debt has been accrued before the arrival of the first packet.
•
–
–
–
–
–
Because tokens are greater than the actual debt, the user has been idle for a sufficient amount of time and the packet is transmitted.
•
–
–
–
–
–
–
–
–
•
–
–
–
–
–
–
–
Future packets will be policed similarly on the basis of this algorithm.
Related Commands
ssg radius-helper
To enable communications with the Cisco Service Selection Dashboard (SSD) and specify port numbers and secret keys for receiving packets, use the ssg radius-helper command in global configuration mode. To disable communications with the Cisco SSD, use the no form of this command.
ssg radius-helper [acct-port port-number | auth-port port-number | key key]
no ssg radius-helper [acct-port port-number | auth-port port-number | key key]
Syntax Description
acct-port port-number
(Optional) UDP1 destination port for RADIUS accounting requests; the host is not used for accounting if set to 0. The default is 1646.
auth-port port-number
(Optional) UDP destination port for RADIUS authentication requests; the host is not used for authentication if set to 0. The default is 1645.
key key
(Optional) Key shared with the RADIUS clients
1 UDP = User Datagram Protocol
Defaults
The default port number for acct-port is 1646.
The default port number for auth-port is 1645.Command Modes
Global configuration
Command History
Usage Guidelines
You must use this command to specify a key so that SSG can communicate with the Cisco SSD.
Examples
The following example shows how to enable communication with the Cisco SSD:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ssg radius-helper acct-port 1646 auth-port 1645Router(config)# ssg radius-helper key MyKeyssg radius-proxy
To enable SSG RADIUS Proxy, use the ssg radius-proxy command in global configuration mode. To prevent further connection of proxy users, use the no form of this command
ssg radius-proxy
no ssg radius-proxy
Syntax Description
This command has no arguments or keywords.
Defaults
SSG RADIUS Proxy is not enabled by default.
Command Modes
Global configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to enable SSG RADIUS Proxy.
This command also enables SSG-radius-proxy configuration mode. You must enable SSG with the ssg enable command before you can enter the ssg radius-proxy command. If you do not enter the ssg radius-proxy command, SSG continues to proxy RADIUS packets containing SSG vendor-specific attributes (VSAs) received from the Service Selection Dashboard (SSD), but does not act as a generic RADIUS proxy.
The no ssg radius-proxy command does not log off RADIUS client hosts that are already logged in.
If you configure the no ssg radius-proxy command, no further connections of proxy users are allowed, but hosts from already configured RADIUS clients remain connected. If you subsequently configure the ssg radius-proxy command, the previous RADIUS proxy configuration is restored.
Examples
The following example enables SSG RADIUS Proxy:
ssg enablessg radius-proxyRelated Commands
ssg service-password
To specify the password for downloading a service profile, use the ssg service-password command in global configuration mode. To disable the password, use the no form of this command.
ssg service-password password
no ssg service-password password
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
This command sets the password required to authenticate with the authentication, authorization, and accounting (AAA) server and download a service profile.
Examples
The following example shows how to set the password for downloading a service profile:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ssg service-password MyPasswordssg service-search-order
To specify the order in which Service Selection Gateway (SSG) searches for a service profile, use the ssg service-search-order command in global configuration mode. To disable the search order, use the no form of this command.
ssg service-search-order {local | remote | local remote | remote local}
no ssg service-search-order {local | remote | local remote | remote local}
Syntax Description
Defaults
The default search order is remote; that is, SSG searches for service profiles on the RADIUS server.
Command Modes
Global configuration
Command History
Usage Guidelines
SSG can search for service profiles in local Flash memory, on a remote RADIUS server, or both. The possible search orders are:
•
•
•
•
Examples
The following example shows how to set the search order to local remote, so that SSG will always look for service in Flash memory first, then on the RADIUS server:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ssg service-search-order local remoteRelated Commands
ssg tcp-redirect
To enable SSG TCP redirection and SSG-redirect mode, use the ssg tcp-redirect command in global configuration mode. To disable SSG TCP redirection, use the no form of this command.
ssg tcp-redirect
no ssg tcp-redirect
Syntax Description
SSG TCP redirect is not enabled.
Defaults
This command has no default behavior.
Command Modes
Global configuration
Command History
12.2(4)B
This command was introduced. This command replaces the ssg http-redirect group command.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to enable SSG TCP redirection. This command also enables SSG-redirect mode. The no ssg tcp-redirect command disables SSG TCP Redirect and removes all configurations created in the SSG-redirect mode. You must enable SSG by issuing the ssg enable command before you can configure SSG TCP redirect.
Examples
The following example shows how to select a captive portal group for redirection of traffic from unauthorized users. In the following example, traffic from unauthorized users is redirected to the captive portal group named "RedirectServer":
ssg enablessg tcp-redirectredirect unauthenticated-user to RedirectServerThe following example shows how to define a port list named "WebPorts" and adds TCP ports 80 and 8080 to the port list. Port 8080 is configured to be redirected by the captive portal group named "Redirect Server":
ssg enablessg tcp-redirectport-list WebPortsport 80port 8080exitredirect port 8080 to RedirectServerRelated Commands
ssg vc-service-map
To map virtual circuits (VCs) to service names, use the ssg vc-service-map command in global configuration mode. To disable VC-to-service-name mapping, use the no form of this command.
ssg vc-service-map service-name [interface interface-number] start-vpi | start-vpi/vci [end-vpi | end-vpi/vci] exclusive | non-exclusive
no ssg vc-service-map service-name [interface slot-module-port] start-vpi | start-vpi/vci [end-vpi | end-vpi/vci] exclusive | non-exclusive
Syntax Description
Defaults
The service mapping is non-exclusive by default.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to map VCs to service names. If you specify a VC-to-service-name mapping as exclusive, specifying a username will log you in to the mapped service. However, specifying username@service will not log you in. If you specify a mapping as nonexclusive, specifying a username will log you in to the mapped service. However, username@service1 will log you in to service1.
Examples
The following example shows how to map all users coming into SSG on VPI/VCI 3/33 to the service "Worldwide" exclusively:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ssg vc-service-map Worldwide 3/33 exclusiveRelated Commands
