Table Of Contents
Redirecting Subscriber Traffic Using ISG Layer 4 Redirect
Prerequisites for Redirecting ISG Subscriber Traffic
Restrictions for Redirecting ISG Subscriber Traffic
Information About Redirecting ISG Subscriber Traffic
Overview of ISG Layer 4 Redirect
How to Configure ISG Layer 4 Redirect
Defining a Redirect Server Group
Configuring Layer 4 Redirection on an Interface
Configuring Layer 4 Redirection in a Service Policy Map
Configuring Layer 4 Redirection in a Service Profile or User Profile on the AAA Server
Verifying ISG Traffic Redirection
Configuration Examples for ISG Layer 4 Redirect
Redirecting Unauthenticated Subscriber Traffic: Example
Redirecting Unauthorized Subscriber Traffic: Example
Periodic Redirection: Examples
Redirecting DNS Traffic: Example
Feature Information for Redirecting ISG Subscriber Traffic
Redirecting Subscriber Traffic Using ISG Layer 4 Redirect
First Published: March 20, 2006Last Updated: November 25, 2009Intelligent Services Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module describes how to configure ISG to redirect subscriber traffic by using the ISG Layer 4 Redirect feature. The ISG Layer 4 Redirect feature enables service providers to better control the user experience by allowing subscriber TCP or User Datagram Protocol (UDP) packets to be redirected to specified servers for appropriate handling. ISG Layer 4 redirection can be used to facilitate subscriber authentication, initial and periodic advertising captivation, redirection of application traffic, and DNS redirection.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Redirecting ISG Subscriber Traffic" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Redirecting ISG Subscriber Traffic
•
•
•
•
•
Prerequisites for Redirecting ISG Subscriber Traffic
For information about release and platform support, see the "Feature Information for Redirecting ISG Subscriber Traffic" section.
Restrictions for Redirecting ISG Subscriber Traffic
The ISG Layer 4 Redirect feature applies only to TCP or UDP traffic.
Beginning in Cisco IOS Release 12.2(33)SRC, this feature is available on the Cisco 7600 router, with the following limitation:
Because the Cisco 7600 router does not support the traffic class feature, Layer 4 Redirect must be configured using an access control list (ACL).
Information About Redirecting ISG Subscriber Traffic
Before you configure Layer 4 Redirect, you should understand the following concepts:
•
•
Overview of ISG Layer 4 Redirect
The ISG Layer 4 Redirect feature redirects specified packets to servers that handle the packets in a specified manner. For example, packets sent upstream by unauthorized users can be forwarded to a server that redirects the users to a logon page. Similarly, if users try to access a service to which they have not logged on, the packets can be redirected to a server that provides a service logon screen.
The Layer 4 Redirect feature supports three types of redirection, which can be applied to subscriber sessions or to flows:
•
•
•
A redirect server can be any server that is programmed to respond to the redirected packets. If ISG is used with a web portal, unauthenticated subscribers can be sent automatically to a logon page when they start a browser session. Web portal applications can also redirect to service logon pages, advertising pages, and message pages.
Redirected packets are sent to an individual redirect server or redirect server group that consists of one or more servers. ISG selects one server from the group in a rotating fashion to receive the redirected packets.
When traffic is redirected, ISG modifies the destination IP address and TCP port of upstream packets to reflect the destination server. For downstream packets, ISG changes the destination IP address and port to the original packet's source.
When traffic is selected by a policy map that includes a redirection command, packets are fed back into the policy map classification scheme for a second service selection. The modified IP headers can be subject to different classification criteria. For example, if two class maps exist, each with different redirection commands, packets could be redirected, selected by the first class map, and redirected a second time. To avoid this situation, configure traffic class maps so that two consecutive redirections cannot be applied to the same packet.
Layer 4 Redirect Applications
The Layer 4 Redirect feature supports the following applications:
•
HTTP traffic from subscribers can be redirected to a web dashboard where the subscribers can log on so that authentication and authorization can be performed.
•
Subscriber traffic can be redirected to a sponsor's web page for a brief period of time at the start of the session or periodically throughout the session.
•
Application traffic from a subscriber can be redirected so as to provide value-added services. For example, a subscriber's SMTP traffic can be redirected to a local mail server that can function as a forwarding agent for the mail.
•
DNS queries may be redirected to a local DNS server. In some deployments, such as public wireless LAN (PWLAN) hotspots, subscribers may have a static DNS server addresses, which may not be reachable at certain locations. Redirecting DNS queries to a local DNS server allows applications to work properly without requiring reconfiguration.
How to Configure ISG Layer 4 Redirect
There are three ways to apply Layer 4 redirection to sessions. One way is to configure redirection directly on a physical main interface or logical subinterface. A second way is to configure a service profile or service policy map with the Layer 4 redirect attribute in it, and apply that service to the session. A third way is to configure the Layer 4 redirect attribute in the user profile.
The following tasks describe how to configure Layer 4 redirection. The first task is optional. One or more of the next three tasks is required. The last task is optional.
For examples of Layer 4 redirection configuration for specific applications (such as unauthenticated user redirect), see the "Configuration Examples for ISG Layer 4 Redirect" section.
•
•
•
•
•
Defining a Redirect Server Group
Perform this task to define a group of one or more servers to which traffic will be redirected. Traffic will be forwarded to servers in a rotating fashion.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring Layer 4 Redirection on an Interface
Perform this task to redirect all matching Layer 4 subscriber traffic that arrives on an interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Configuring Layer 4 Redirection in a Service Policy Map
Perform this task to configure ISG Layer 4 redirection in a service policy map.
Prerequisites
The ISG Layer 4 Redirect feature is configured under a traffic class within a service policy map. This task assumes that you have defined the traffic class map. See the module "Configuring ISG Subscriber Services" for more information.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
What to Do Next
You may want to configure a method of activating the service policy map; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services".
Configuring Layer 4 Redirection in a Service Profile or User Profile on the AAA Server
The Layer 4 Redirect feature can be configured as a Cisco vendor-specific attribute (VSA) in a user or service profile on an authentication, authorization, and accounting (AAA) server. This attribute can appear more than once in a profile to define different types of redirections for a session and can be used in both user and service profiles simultaneously.
SUMMARY STEPS
1.
DETAILED STEPS
What to Do Next
If you configure ISG Layer 4 redirection in a service profile, you may want to configure a method of activating the service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services".
Verifying ISG Traffic Redirection
Perform this task to verify the configuration and operation of ISG Layer 4 traffic redirection.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Examples
The following example shows sample output for the show redirect translations command:
Router# show redirect translations ip 10.53.0.2Destination IP/port Server IP/port Prot In Flags Out Flags Timestamp172.20.0.2 23 10.2.36.253 23 TCP none none May 08 2003 12:37:10The following example shows sample output for the show subscriber session command. This output shows that Layer 4 redirect is being applied from the service profile.
Router# show subscriber session uid 135Subscriber session handle: 7C000114, state: connected, service: Local TermUnique Session ID: 135Identifier: blind-rdtSIP subscriber access type(s): IP-InterfaceRoot SIP Handle: CF000020, PID: 73Current SIP options: Req Fwding/Req FwdedSession Up-time: 40 minutes, 30 seconds, Last Changed: 40 minutes, 30 secondsAAA unique ID: 135Switch handle: F000086Interface: ATM2/0.53Policy information:Authentication status: unauthenConfig downloaded for session policy:From Access-Type: IP-Interface, Client: SM, Event: Service Selection Request, ServiceProfile name: blind-rdt, 2 referencesusername "blind-rdt"l4redirect "redirect to group sesm-grp"Rules, actions and conditions executed:subscriber rule-map blind-rdtcondition always event session-startaction 1 service-policy type service name blind-rdtSession inbound features:Feature: Layer 4 RedirectRule Cfg Definition#1 SVC Redirect to group sesm-grp !! applied redirectConfiguration sources associated with this session:Service: blind-rdt, Active Time = 40 minutes, 32 secondsInterface: ATM2/0.53, Active Time = 40 minutes, 32 secondsThe following is sample output for the show subscriber session command for a session in which the Layer 4 redirection is applied on the interface:
Router# show subscriber session uid 133Subscriber session handle: D7000110, state: connected, service: Local TermUnique Session ID: 133Identifier:SIP subscriber access type(s): IP-InterfaceRoot SIP Handle: 1E, PID: 73Current SIP options: Req Fwding/Req FwdedSession Up-time: 42 minutes, 54 seconds, Last Changed: 42 minutes, 54 secondsAAA unique ID: 133Switch handle: 17000084Interface: FastEthernet0/0.505Policy information:Authentication status: unauthenSession inbound features:Feature: Layer 4 RedirectRule Cfg Definition#1 INT Redirect to group sesm-grpConfiguration sources associated with this session:Interface: FastEthernet0/0.505, Active Time = 42 minutes, 54 secondsConfiguration Examples for ISG Layer 4 Redirect
This section contains the following examples:
•
•
•
•
Redirecting Unauthenticated Subscriber Traffic: Example
In the following example, Layer 4 redirection is configured in the service policy map "BLIND-RDT". This policy is applied to all sessions at session start and redirects subscriber TCP traffic to the server group called "PORTAL". At account logon the subscriber is authenticated and the redirection is not applied.
Service-policy type control DEFAULT-IP-POLICYpolicy-map type control DEFAULT-IP-POLICYclass type control always event session-start1 service-policy type service BLIND-RDT!class type control always event account-logon1 authenticate aaa list AUTH-LIST2 service-policy type service unapply BLIND-RDTpolicy-map type service BLIND-RDTclass type traffic CLASS-ALLredirect to group PORTAL!redirect server-group PORTALserver ip 10.2.36.253 port 80
Redirecting Unauthorized Subscriber Traffic: Example
The following example shows the configuration of redirection for unauthorized subscribers. If the subscriber is not logged onto the service called "svc", traffic that matches "svc" is redirected to the server group "PORTAL". Once the subscriber logs in to the service, the traffic is no longer redirected. When the subscriber logs out of the service, redirection is applied again.
service-policy type control THE_RULE!class-map type traffic match-any CLASS-ALL!class-map type traffic match-any CLASS-100_110match access-group input 100match access-group output 110!policy-map type service blind-rdtclass type traffic CLASS-ALLredirect to group PORTAL!policy-map type service svc-rdtclass type traffic CLASS-ALLredirect to group PORTAL!policy-map type service svcclass type traffic CLASS-100_110class type traffic default in-outdrop!
policy-map type control THE_RULEclass type control alwyas event account-logon1 authenticate2 service-policy type service name svc-rdtclass type control cond-svc-logon event service-start1 service-policy type service unapply name svc-rdt2 service-policy type service identifier service-nameclass type control cond-svc-logon event service-stop1 service-policy type service unapply name svc2 service-policy type service name svc-rdt!class-map type control match-all cond-svc-logonmatch identifier service-name svc!redirect server-group PORTALserver ip 10.2.36.253 port 80
Initial Redirection: Example
The following example shows ISG configured to redirect user traffic that comes over interface FastEthernet0/0.505 to a server group called "ADVT" for the initial 60 seconds of the session. After the initial 60 seconds, ISG will stop redirecting the traffic for the rest of the lifetime of the session.
interface FastEthernet0/0.505encapsulation dot1Q 505ip address 10.0.0.1 255.255.255.0ip subscriberidentifier interfaceredirect to group ADVT duration 60no cdp enableThe following example shows ISG configured to redirect the Layer 4 traffic of all subscribers to a server group called "ADVT" for the initial 60 seconds of the session. After the initial 60 seconds, ISG will stop redirecting the traffic for the rest of the lifetime of the session.
service-policy type control initial-rdtpolicy-map type control intial-rdtclass type control always event session-start1 service-policy type service name initial-rdt-profile!policy-map type service initial-rdt-profileclass type traffic CLASS-ALLredirect to group ADVT duration 60
Periodic Redirection: Examples
The following example shows how to redirect subscriber traffic coming over FastEthernet interface 0/0.505 for a period of 60 seconds every 3600 seconds.
interface FastEthernet0/0.505encapsulation dot1Q 505ip address 10.50.0.1 255.255.255.0subscriber sessionredirect to group ADVT duration 60 frequency 3600no cdp enable!
The following example shows how to redirect all subscriber traffic for a period of 60 seconds every 3600 seconds.
service-policy control periodic-rdt session-start!policy-map type control periodic-rdtclass type control always event session-start1 service-policy service periodic-rdt-profile!policy-map type service periodic-rdt-profileredirect to group ADVT duration 60 frequency 3600
Redirecting DNS Traffic: Example
The following example shows how to redirect all subscriber DNS packets to the server group "DNS-server".
service-policy type control DNS-rdt
policy-map type control DNS-rdtclass type control event session-start1 service-policy type service name DNS-rdt-profile!policy-map type service DNS-rdt-profileclass type traffic CLASS-ALLredirect to group DNS-server!Additional References
The following sections provide references related to the ISG Layer 4 Redirect feature.
Related Documents
Technical Assistance
Feature Information for Redirecting ISG Subscriber Traffic
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(28)SB or later releases appear in the table. If you are looking for information on a feature in this technology that is not documented here, see the "Intelligent Services Gateway Features Roadmap."
Not all commands may be available in your Cisco IOS software release. For details on when support for specific commands was introduced, see the command reference documents.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note
Table 1 Feature Information for Redirecting ISG Subscriber Traffic
ISG: Flow Control: Flow Redirect
12.2(28)SB
12.2(33)SRC
12.2(33)XNEThe ISG Layer 4 Redirect feature enables service providers to better control the user experience by allowing subscriber TCP or UDP packets to be redirected to specified servers for appropriate handling. ISG Layer 4 redirection can be applied to individual subscriber sessions or flows.
The following sections provide information about this feature:
•
•
In Cisco IOS Release 12.2(33)SRC, support was added for the Cisco 7600 router.
This feature was integrated into Cisco IOS Release 12.2(33)XNE.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006-2009 Cisco Systems, Inc. All rights reserved.
Guest
