Cisco IOS Software Releases 12.3 T

Configuring SSG for On-Demand IP Address Renewal


The Configuring SSG for On-Demand IP Address Renewal feature enables service providers to manage the Dynamic Host Configuration Protocol (DHCP) pool from which a subscriber's IP address is assigned. By receiving an IP address through DHCP rather than through Network Address Translation (NAT), subscribers can access services that require a dynamically assigned IP address through the Cisco Service Selection Gateway (SSG).

History for the Configuring SSG for On-Demand IP Address Renewal Feature

Release      Modification
12.3(14)T    This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for SSG On-Demand IP Address Renewal

Restrictions for SSG On-Demand IP Address Renewal

Information About SSG On-Demand IP Address Renewal

How to Configure SSG for On-Demand IP Address Renewal

Configuration Examples for SSG On-Demand IP Address Renewal

Additional References

Command Reference

Prerequisites for SSG On-Demand IP Address Renewal

SSG must be enabled before on-demand IP address renewal can be configured.

DHCP must be enabled on the router that is hosting SSG or on another router with SSG acting as a DHCP relay agent.

Restrictions for SSG On-Demand IP Address Renewal

Subscribers cannot connect to two or more services simultaneously when each service requires that the subscriber's IP address be assigned from a different pool.

Information About SSG On-Demand IP Address Renewal

To configure the SSG On-Demand IP Address Renewal feature, you should understand the following concepts:

Overview of SSG On-Demand IP Address Renewal

DHCP Notification for SSG On-Demand IP Address Renewal

Benefits of SSG On-Demand IP Address Renewal

Overview of SSG On-Demand IP Address Renewal

SSG implements Layer 3 service selection through selective routing of IP packets to destination networks on a per-subscriber basis. It uses the subscriber's IP address to identify the subscriber session. A subscriber's computer may have a static IP address or may request an IP address via DHCP or from a RADIUS server. When the SSG On-Demand IP Address Renewal feature is not configured, SSG performs network address translation (NAT) between the IP address assigned by the service provider and the original IP address of the subscriber.

With the SSG On-Demand IP Address Renewal feature, you can configure SSG to force a subscriber to request an IP address directly from a service provider. The IP address request process is described in the "SSG On-Demand IP Address Renewal Packet Flow" section.

DHCP Notification for SSG On-Demand IP Address Renewal

Because the SSG On-Demand IP Address Renewal feature utilizes DHCP to provide a subscriber's IP address, the router on which SSG is running must either run the DHCP server feature, or act as a DHCP relay agent.

The Cisco IOS DHCP Server feature is a full DHCP server implementation that assigns and manages IP addresses from specified address pools within the router to DHCP clients.

A DHCP relay agent is any host that forwards DHCP packets between clients and servers. Relay agents are used to forward requests and replies between clients and servers when they are not on the same physical subnet. Relay agent forwarding is distinct from the normal forwarding of an IP router, where IP datagrams are switched between networks somewhat transparently. Relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface.

The Cisco IOS DHCP relay agent supports the use of unnumbered interfaces. The DHCP relay agent automatically adds a static host route specifying the unnumbered interface as the outbound interface.

For optimal performance, Cisco recommends that the router running SSG also function as a DHCP relay agent, with the DHCP server running on a separate platform.

For more details about configuring DHCP, see the "Configuring DHCP" chapter in Part 1 of the Cisco IOS IP Configuration Guide, Release 12.3, and the DHCP Enhancements for Edge-Session Management feature module for Cisco IOS Release 12.3(14)T.

SSG On-Demand IP Address Renewal Packet Flow

Figure 1 is a diagram of a simple network topology that supports on-demand IP address renewal for SSG. In this sample configuration, the router running SSG also acts as the DHCP relay agent, whereas the DHCP server is running on a separate platform.

Figure 1 Simple On-Demand IP Address Renewal Network Topology

In on-demand IP address renewal, the following events occur:

1. On bootup, a subscriber's computer sends a DHCPDISCOVER request to the DHCP relay agent. The DHCP relay agent forwards the DHCPDISCOVER request to the DHCP server.

2. The DHCP server assigns the subscriber a short lease-time IP address from the private address pool in a DHCPOFFER response, which is passed through SSG to the subscriber.

3. The subscriber's computer sends a DHCPREQUEST to the DHCP server, which responds with a DHCPACK to acknowledge receipt of the request and start the lease.

4. The DHCP relay agent informs SSG about this event by invoking the reg_invoke_dhcpd_address_assignment_notify() registry call. Since there is not yet a host object for the subscriber, SSG ignores this event. If transparent autologon (TAL) is enabled, however, SSG will trigger TAL for this IP address. The TAL authorization request will contain the MAC address of the user in RADIUS attribute 31.

5. Upon receipt of DHCPACK, the subscriber can log into his or her account and service. When the subscriber logs into a service for which an ISP-supplied IP address is mandated in the service profile, SSG triggers the DHCP relay agent to terminate the current lease and force the subscriber's computer to rediscover an IP address.

6. The subscriber's computer sends a new DHCPREQUEST to the DHCP relay agent.

7. The DHCP relay agent replies with a DHCPNAK message, forcing the subscriber's computer to send a new DHCPDISCOVER message.

8. Upon receipt of the new DHCPDISCOVER request, the DHCP relay agent informs SSG, which replies with the class name of the service.

9. The DHCP relay agent then forwards the DHCPDISCOVER request and class name to the DHCP server.

10. The DHCP server assigns an IP address from the service provider's address pool and sends a DHCPOFFER message to the subscriber's computer. The subscriber's computer replies with a DHCPREQUEST message, passed transparently through SSG.

11. The DHCP server sends a DHCPACK containing an IP address from the service provider's address pool. This IP address will have a finite lease time, typically a few minutes.

12. The DHCP relay agent informs SSG about the IP address assignment. SSG creates a host object for this new IP address and sends an Accounting-Start packet. SSG then removes the host object initially created for the IP address assigned from the private address pool (Step 2) and sends an Accounting-Stop packet.

13. When finished using the service, the subscriber may disconnect in one of two ways:

a. By logging out of the service. SSG informs the DHCP relay agent, which begins the process that forces the subscriber's computer to rediscover an IP address in the private address pool.

b. By sending a DHCPRELEASE message (for instance, if the subscriber shuts down his or her computer). The DHCP relay agent informs SSG, which removes the host object of this subscriber.
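
The flow in steps 1 through 12, together with the different-pool restriction stated earlier, can be traced with the following added example, which is a toy model written for this page and not Cisco code. The class, method and service names are hypothetical; the addresses, MAC address and class name are sample values reused from the debug output in the Command Reference, and the model assumes the host object for the private address is created when the subscriber first logs on.

```python
from dataclasses import dataclass, field

@dataclass
class Gateway:
    """Toy model of the relay agent plus SSG state; every name is hypothetical."""
    pools: dict                                  # DHCP class -> iterator of free addresses
    service_class: dict                          # service -> class named in its profile
    leases: dict = field(default_factory=dict)   # mac -> address currently leased
    hosts: dict = field(default_factory=dict)    # SSG host objects: address -> mac
    wanted: dict = field(default_factory=dict)   # mac -> class SSG returns in step 8
    nak: set = field(default_factory=set)        # macs whose next DHCPREQUEST is refused
    log: list = field(default_factory=list)

    def discover(self, mac):                     # steps 1-2 and 8-10
        cls = self.wanted.get(mac, "")           # "" selects the private pool
        ip = next(self.pools[cls])
        self.log.append(f"DHCPOFFER {ip} class={cls or '-'}")
        return ip

    def request(self, mac, ip):                  # steps 3-4, 6-7 and 11-12
        if mac in self.nak:
            self.nak.discard(mac)
            self.log.append("DHCPNAK")
            return False
        old, self.leases[mac] = self.leases.get(mac), ip
        self.log.append(f"DHCPACK {ip}")
        # Step 12: the session moves to the new address. With no host object
        # for the old address (step 4) the notification is ignored.
        if old in self.hosts and old != ip:
            self.hosts[ip] = self.hosts.pop(old)
            self.log += [f"Accounting-Start {ip}", f"Accounting-Stop {old}"]
        return True

    def service_logon(self, mac, service):       # step 5, plus the pool restriction
        self.hosts.setdefault(self.leases[mac], mac)   # assumed: host object made at logon
        cls, current = self.service_class[service], self.wanted.get(mac)
        if current not in (None, cls):           # already using a service on another pool
            self.log.append(f"reject {service}: different DHCP pool")
            return False
        if current is None:
            self.wanted[mac] = cls
            self.nak.add(mac)                    # refuse the next DHCPREQUEST (step 7)
        return True

def client(gw, mac, held=None):                  # the subscriber's computer
    if held is not None and gw.request(mac, held):
        return held                              # lease renewed unchanged
    ip = gw.discover(mac)                        # first boot, or rediscovery after a NAK
    gw.request(mac, ip)
    return ip

def demo():
    gw = Gateway(pools={"": iter(["5.1.1.2"]), "ISP_svc1": iter(["6.2.1.2"])},
                 service_class={"svc1": "ISP_svc1", "svc2": "ISP_svc2"})
    mac = "000c.31ea.a9c1"                       # sample values, see lead-in
    first = client(gw, mac)                      # private short-lease address
    ok1 = gw.service_logon(mac, "svc1")
    second = client(gw, mac, first)              # DHCPNAK, rediscover, ISP pool address
    ok2 = gw.service_logon(mac, "svc2")          # svc2 needs a different pool
    return first, second, ok1, ok2, gw
```
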

Benefits of SSG On-Demand IP Address Renewal

The principal benefit of the SSG On-Demand IP Address Renewal feature is to allow service providers to manage subscriber access to services using SSG while retaining the ability to assign an IP address from a pool configured for a specific service.

For Ethernet access subscribers, service providers can provide a short-term lease of an IPv4 address, and then, after authentication, provide a new IP address through DHCP. This two-stage IP address allocation process allows a service provider to reduce the number of assigned IPv4 addresses.

How to Configure SSG for On-Demand IP Address Renewal

This section contains the following tasks:

Configuring SSG On-Demand IP Address Renewal (required)

Verifying and Troubleshooting SSG On-Demand IP Address Renewal (optional)

Configuring SSG On-Demand IP Address Renewal

This task explains how to configure SSG for on-demand IP address renewal.

SUMMARY STEPS

1. enable

2. configure terminal

3. ssg intercept dhcp

DETAILED STEPS

 
Step 1 enable

Enables privileged EXEC mode. Enter your password if prompted.

Router> enable

Step 2 configure terminal

Enters global configuration mode.

Router# configure terminal

Step 3 ssg intercept dhcp

Configures SSG to force a subscriber's computer, upon logging into an ISP service, to request an IP address from the DHCP pool associated with the service profile.

Router(config)# ssg intercept dhcp

Verifying and Troubleshooting SSG On-Demand IP Address Renewal

The following tasks display configuration and event information when SSG on-demand IP address renewal is enabled:

Verifying a Subscriber's IP Address

Displaying Subscriber Login Events and Errors for the SSG On-Demand IP Address Renewal Feature

Verifying a Subscriber's IP Address

Perform this task to verify a subscriber's IP address.

SUMMARY STEPS

1. enable

2. show ssg host [ip-address | count | username]

DETAILED STEPS


Step 1 enable

Enables privileged EXEC mode. Enter your password if prompted.

Router> enable

Step 2 show ssg host [ip-address | count | username]

Use this command with the username keyword to display all host usernames and IP addresses. Use this command with the subscriber's IP address as the ip-address argument to display information about an individual subscriber.


Router# show ssg host username

1:10.3.1.1        (active) Host name:pppoauser
2:10.3.6.1        (active) Host name:ssguser2

### Total HostObject Count(including inactive hosts):2

Displaying Subscriber Login Events and Errors for the SSG On-Demand IP Address Renewal Feature

Perform this task to display subscriber login events and errors when the SSG On-Demand IP Address Renewal feature is enabled.

SUMMARY STEPS

1. enable

2. debug ssg dhcp {error | event} [ip-address]

DETAILED STEPS


Step 1 enable

Enables privileged EXEC mode. Enter your password if prompted.

Router> enable


Step 2 debug ssg dhcp {error | event} [ip-address]

To limit the display of information to a specific subscriber, enter the subscriber's IP address as the ip-address argument. Use the error keyword to display only error messages, or the event keyword to display only event messages.


Router# debug ssg dhcp event 1.1.1.5

SSG DHCP awareness events debugging is on

2d20h: SSG-DHCP-EVN: DHCP-DISCOVER event received. SSG-dhcp awareness feature enabled
2d20h: SSG-DHCP-EVN:1.1.1.5: Get pool name called for 000c.31ea.a9c0
2d20h: SSG-DHCP-EVN: Get pool class called, class name = ISP_svc1


### Total HostObject Count(including inactive hosts):2

Configuration Examples for SSG On-Demand IP Address Renewal

This section contains the following example:

Configuring SSG for On-Demand IP Address Renewal: Example

Configuring SSG for On-Demand IP Address Renewal: Example

The following example shows a simple configuration to enable SSG to support on-demand IP address renewal.

enable
 configure terminal
 ssg intercept dhcp

Additional References

The following sections provide references related to the SSG On-Demand IP Address Renewal feature.

Related Documents

Related Topic               Document Title
Configuring DHCP            "Configuring DHCP" chapter in Part 1 of the Cisco IOS IP Configuration Guide, Release 12.3
DHCP Lease Query Support    DHCP Enhancements for Edge-Session Management feature module for Cisco IOS Release 12.3(14)T
Configuring RADIUS          "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide, Release 12.2


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents new and modified commands only.

debug ssg dhcp

ssg intercept dhcp

debug ssg dhcp

To enable the display of control errors and events related to Service Selection Gateway (SSG) Dynamic Host Configuration Protocol (DHCP), use the debug ssg dhcp command in privileged EXEC mode. To stop debugging, use the no form of this command.

debug ssg dhcp {error | event} [ip-address]

no debug ssg dhcp {error | event} [ip-address]

Syntax Description

error         Enables the display of SSG-DHCP control error information.
event         Enables the display of SSG-DHCP control events information.
ip-address    (Optional) Limits the display of information to the specified IP address.


Command Default

Displays SSG-DHCP information for all IP addresses.

Command Modes

Privileged EXEC

Command History

Release      Modification
12.3(14)T    This command was introduced.


Examples

SSG DHCP Event Messages

The following example shows user login events when DHCP intercept is enabled using the ssg intercept dhcp command.

debug ssg dhcp 

01:01:03:   DHCPD: remote id 020a000005010101100000000000 
01:01:03:   DHCPD: circuit id 00000000
01:01:03: SSG-DHCP-EVN: DHCP-DISCOVER event received. SSG-dhcp awareness feature enabled
01:01:03: DHCPD: DHCPDISCOVER received from client 
0063.6973.636f.2d30.3030.632e.3331.6561.2e61.3963.312d.4661.302f.31 on interface 
FastEthernet1/0.
01:01:03: DHCPD: Seeing if there is an internally specified pool class:
01:01:03:   DHCPD: htype 1 chaddr 000c.31ea.a9c1
01:01:03:   DHCPD: remote id 020a000005010101100000000000
01:01:03:   DHCPD: circuit id 00000000
01:01:03: SSG-DHCP-EVN: Get pool name called for 000c.31ea.a9c1. No hostobject
01:01:03: SSG-DHCP-EVN: Get pool class called, class name = 
01:01:03: DHCPD: No internally specified class returned
01:01:03: DHCPD: Sending DHCPOFFER to client 
0063.6973.636f.2d30.3030.632e.3331.6561.2e61.3963.312d.4661.302f.31 (5.1.1.2).
01:01:03: DHCPD: child  pool: 5.1.1.0 / 255.255.255.0 (Default-pool)
01:01:03: DHCPD: pool Default-pool has no parent.
01:01:03: DHCPD: child  pool: 5.1.1.0 / 255.255.255.0 (Default-pool)
01:01:03: DHCPD: pool Default-pool has no parent.
01:01:03: DHCPD: child  pool: 5.1.1.0 / 255.255.255.0 (Default-pool)
01:01:03: DHCPD: pool Default-pool has no parent.
01:01:03: DHCPD: broadcasting BOOTREPLY to client 000c.31ea.a9c1.
01:01:03: DHCPD: DHCPREQUEST received from client 
0063.6973.636f.2d30.3030.632e.3331.6561.2e61.3963.312d.4661.302f.31.
01:01:03: DHCPD: Sending notification of ASSIGNMENT:
01:01:03:  DHCPD: address 5.1.1.2 mask 255.255.255.0
01:01:03:   DHCPD: htype 1 chaddr 000c.31ea.a9c1
01:01:03:   DHCPD: lease time remaining (secs) = 180
01:01:03: SSG-DHCP-EVN:5.1.1.2: IP address notification received.
01:01:03: SSG-DHCP-EVN:5.1.1.2: HostObject not present
01:01:03: DHCPD: No default domain to append - abort update
01:01:03: DHCPD: Sending DHCPACK to client 
0063.6973.636f.2d30.3030.632e.3331.6561.2e61.3963.312d.4661.302f.31 (5.1.1.2).
01:01:03: DHCPD: child  pool: 5.1.1.0 / 255.255.255.0 (Default-pool)
01:01:03: DHCPD: pool Default-pool has no parent.
01:01:03: DHCPD: child  pool: 5.1.1.0 / 255.255.255.0 (Default-pool)
01:01:03: DHCPD: pool Default-pool has no parent.
01:01:03: DHCPD: child  pool: 5.1.1.0 / 255.255.255.0 (Default-pool)
01:01:03: DHCPD: pool Default-pool has no parent.
01:01:03: DHCPD: broadcasting BOOTREPLY to client 000c.31ea.a9c1.

SSG DHCP Error Messages

The following example shows user login errors when a user tries to log into two different services that require IP addresses to be assigned from different pools.

debug ssg dhcp error 

01:21:58: SSG-CTL-EVN: Checking maximum service count.
01:21:58: SSG-CTL-EVN: Service logon is accepted.
01:21:58: SSG-CTL-EVN: Activating the ConnectionObject.

01:21:58: SSG-DHCP-ERR:6.2.1.2: DHCP pool name of this service is different from,  users 
already logged in service DHCP pool name
01:21:58: SSG-CTL-EVN: Connection Activation Failed for host 6.2.1.2

01:21:58: SSG-CTL-EVN: Send cmd 11 to host S6.2.1.2. dst=10.76.86.90:42412
01:21:58: SSG-CTL-PAK: Sent packet:
01:21:58: RADIUS: id= 0, code= Access-Reject, len= 79
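
The two debug examples above can be reduced to structured records for review: which address, MAC address and lease time each ASSIGNMENT notification carried, and which hosts were refused a service logon because of a DHCP pool mismatch. The parser below is an added example, not Cisco code; its function and field names are hypothetical, and the sample lines are copied from the output shown above, including the wrapped lines.

```python
import re

TS = re.compile(r"^(\d\d:\d\d:\d\d|\d+[wd]\d+[dh]):\s+(.*)$")   # 01:01:03: or 2d20h:
REC = re.compile(r"^([A-Z]+(?:-[A-Z]+)*):\s*(?:(\d+(?:\.\d+){3}):\s*)?(.*)$")

# Lines copied from the two debug examples above, including their wrapped lines.
SAMPLE = """\
01:01:03: DHCPD: Sending DHCPOFFER to client
0063.6973.636f.2d30.3030.632e.3331.6561.2e61.3963.312d.4661.302f.31 (5.1.1.2).
01:01:03: DHCPD: Sending notification of ASSIGNMENT:
01:01:03:  DHCPD: address 5.1.1.2 mask 255.255.255.0
01:01:03:   DHCPD: htype 1 chaddr 000c.31ea.a9c1
01:01:03:   DHCPD: lease time remaining (secs) = 180
01:01:03: SSG-DHCP-EVN:5.1.1.2: IP address notification received.
01:21:58: SSG-DHCP-ERR:6.2.1.2: DHCP pool name of this service is different from,  users
already logged in service DHCP pool name
01:21:58: SSG-CTL-EVN: Connection Activation Failed for host 6.2.1.2
01:21:58: RADIUS: id= 0, code= Access-Reject, len= 79
"""

def records(text):
    """Yield (timestamp, facility, ip, message); a line without a timestamp is
    the wrapped tail of the previous line and is joined back onto it."""
    joined = []
    for line in text.splitlines():
        if TS.match(line):
            joined.append(line.rstrip())
        elif line.strip() and joined:
            joined[-1] += " " + line.strip()
    for line in joined:
        ts, body = TS.match(line).groups()
        if m := REC.match(body):
            yield (ts, *m.groups())

def analyse(text):
    """Return (lease notifications, pool-mismatch logon failures)."""
    leases, failures, cur = [], [], None
    for ts, fac, ip, msg in records(text):
        if fac == "DHCPD" and msg.startswith("Sending notification of ASSIGNMENT"):
            cur = {"ts": ts}
            leases.append(cur)
        elif fac == "DHCPD" and cur is not None:
            if m := re.match(r"address (\S+) mask (\S+)", msg):
                cur["ip"], cur["mask"] = m.groups()
            elif m := re.match(r"htype \d+ chaddr (\S+)", msg):
                cur["mac"] = m.group(1)
            elif m := re.match(r"lease time remaining \(secs\) = (\d+)", msg):
                cur["lease_s"] = int(m.group(1))
                cur = None                       # the notification block is complete
        elif fac == "SSG-DHCP-ERR":
            failures.append({"ts": ts, "host": ip, "error": " ".join(msg.split())})
        elif (fac == "RADIUS" and "Access-Reject" in msg
              and failures and failures[-1]["ts"] == ts):
            failures[-1]["radius"] = "Access-Reject"   # reject sent in the same second
    return leases, failures
```
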

Related Commands

Command               Description
ssg intercept dhcp    Configures SSG to assign IP addresses from a user's ISP.


ssg intercept dhcp

To configure the Service Selection Gateway (SSG) to force subscribers to get IP addresses from their ISPs using Dynamic Host Configuration Protocol (DHCP), use the ssg intercept dhcp command in global configuration mode. To disable IP address assignment from the ISP via DHCP, use the no form of this command.

ssg intercept dhcp

no ssg intercept dhcp

Syntax Description

This command has no arguments or keywords.

Command Default

SSG performs network address translation (NAT) between the IP address assigned by the ISP and the original IP address of the subscriber.

Command Modes

Global configuration

Command History

Release      Modification
12.3(14)T    This command was introduced.


Usage Guidelines

Use the ssg intercept dhcp command to force subscribers to request IP addresses from their ISPs using DHCP.

Examples

The following example enables IP address assignment from the ISP via DHCP:

Router(config)# ssg intercept dhcp

Related Commands

Command           Description
debug ssg dhcp    Enables the display of control errors and events related to SSG-DHCP IP address allocation.


Glossary

DHCP—Dynamic Host Configuration Protocol.

DHCP relay agent—Any host that forwards DHCP packets between clients and servers.

DHCP server—An application that assigns and manages IP addresses from specified address pools within the router to DHCP clients.

SSG—Service Selection Gateway.

subscriber—The end user who accesses a service provided by a service provider via SSG.


Note: See Internetworking Terms and Acronyms for terms not included in this glossary.