Configuring ISG Port-Bundle Host Key
First Published: March 20, 2006
Last Updated: September 22, 2008
Intelligent Services Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module contains information on how to configure ISG port-bundle host key functionality, which maps TCP packets from subscribers to a local IP address for the ISG gateway and a range of ports. This mapping allows an external portal to identify the ISG gateway from which a session originated.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for ISG Port-Bundle Host Key" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for the ISG Port-Bundle Host Key Feature
• Restrictions for the ISG Port-Bundle Host Key Feature
• Information About ISG Port-Bundle Host Key
• How to Configure ISG Port-Bundle Host Key
• Configuration Examples for ISG Port-Bundle Host Key
• Additional References
• Feature Information for ISG Port-Bundle Host Key
Prerequisites for the ISG Port-Bundle Host Key Feature
For information about release and platform requirements, see the "Feature Information for ISG Port-Bundle Host Key" section.
The external portal must support port-bundle host keys and must be configured with the same port-bundle host key parameters.
Restrictions for the ISG Port-Bundle Host Key Feature
The following restrictions apply to the ISG Port-Bundle Host Key feature:
• The ISG Port-Bundle Host Key feature must be separately enabled at the portal and at all connected ISGs.
• All ISG source IP addresses configured with the source command must be routable in the management network where the portal resides.
• For each portal server, all connected ISGs must have the same port-bundle length.
• The ISG Port-Bundle Host Key feature uses TCP. Packets will not be mapped for a subscriber who is not sending TCP traffic.
• Specifying the Port-Bundle Host Key feature in a user profile will work only when the user profile is available prior to the arrival of IP packets; for example, for PPP sessions or for DHCP-initiated IP sessions with transparent autologon.
• On the Cisco 7600 router, the Port-Bundle Host Key feature can be applied at a session level, but not at a flow level.
• On the Cisco 7600 router, Layer 4 Redirect and Port-Bundle Host Key can be enabled simultaneously on a maximum of 150 concurrent sessions.
Information About ISG Port-Bundle Host Key
Before you configure the ISG Port-Bundle Host Key feature, you should understand the following concepts:
• Overview of ISG Port-Bundle Host Key
• Port-Bundle Host Key Mechanism
• Benefits of ISG Port-Bundle Host Key
Overview of ISG Port-Bundle Host Key
The ISG Port-Bundle Host Key feature serves as an in-band signaling mechanism for session identification at external portals. TCP packets from subscribers are mapped to a local IP address for the ISG gateway and a range of ports. This mapping allows the portal to identify the ISG gateway from which the session originated. The mapping also identifies sessions uniquely even when subscribers have overlapping IP addresses. The ISG Port-Bundle Host Key feature enables a single portal to be deployed for multiple VRFs even when there are subscribers with overlapping IP addresses.
Port-Bundle Host Key Mechanism
With the ISG Port-Bundle Host Key feature, an ISG performs Port-Address Translation (PAT) and Network Address Translation (NAT) on the TCP traffic between the subscriber and the portal. When a subscriber TCP connection is set up, the ISG creates a port mapping that changes the source IP address to a configured ISG IP address and changes the source TCP port to a port allocated by the ISG. The ISG assigns a bundle of ports to each subscriber because one subscriber can have several simultaneous TCP sessions when accessing a web page. The assigned port-bundle host key, or combination of port bundle and ISG source IP address, uniquely identifies each subscriber. The host key is carried in RADIUS packets sent between the portal server and the ISG in the Subscriber IP vendor-specific attribute (VSA). Table 1 describes the Subscriber IP VSA. When the portal server sends a reply to the subscriber, the ISG uses the translation tables to identify the destination IP address and destination TCP port.
Table 1 Subscriber IP VSA Description
Attribute ID | Vendor ID | Subattribute ID and Type | Attribute Name | Attribute Data
26 | 9 | 250 Account-Info | Subscriber IP | S subscriber-ip-address [:port-bundle-number]
• S—Account-Info code for subscriber IP.
• subscriber IP address: port-bundle number —The port-bundle number is used only if the ISG Port-Bundle Host Key feature is configured.
For each TCP session between a subscriber and the portal, the ISG uses one port from the port bundle as the port map. Individual port mappings are flagged as eligible for reuse on the basis of inactivity timers, but are not explicitly removed once assigned. The number of port bundles is limited per ISG address, but there is no limit to the number of ISG IP addresses that can be configured for port bundle usage.
Benefits of ISG Port-Bundle Host Key
Support for Overlapped Subscriber IP Addresses Extended to Include External Portal Usage
The ISG Port-Bundle Host Key feature enables external portal access regardless of subscriber IP address or VRF membership. Without the use of port-bundle host keys, all subscribers accessing a single external portal must have unique IP addresses. Furthermore, since port-bundle host keys isolate VRF-specific addresses from the domain in which the portal resides, routing considerations are simplified.
Portal Provisioning for Subscriber and ISG IP Addresses No Longer Required
Without the ISG Port-Bundle Host Key feature, a portal must be provisioned for subscriber and ISG IP addresses before the portal is able to send RADIUS packets to the ISG or send HTTP packets to subscribers. The ISG Port-Bundle Host Key feature eliminates the need to provision a portal in order to allow one portal server to serve multiple ISGs and to allow one ISG to be served by multiple portal servers.
How to Configure ISG Port-Bundle Host Key
Perform the following tasks to configure the ISG Port-Bundle Host Key feature:
• Enabling the ISG Port-Bundle Host Key Feature in a Service Policy Map
• Enabling the ISG Port-Bundle Host Key Feature in a User Profile or Service Profile on the AAA Server
• Configuring Port-Bundle Host Key Parameters
• Verifying ISG Port-Bundle Host Key Configuration
Enabling the ISG Port-Bundle Host Key Feature in a Service Policy Map
Perform this task to enable the ISG Port-Bundle Host Key feature in a service policy map. The ISG Port-Bundle Host Key feature will be applied to any subscriber who uses this service policy map.
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map type service policy-name
4. ip portbundle
5. end
DETAILED STEPS
Step | Command or Action | Purpose
Step 1 | enable. Example: Router> enable | Enables privileged EXEC mode. • Enter your password if prompted.
Step 2 | configure terminal. Example: Router# configure terminal | Enters global configuration mode.
Step 3 | policy-map type service policy-name. Example: Router(config)# policy-map type service service1 | Creates or defines a service policy map, which is used to define an ISG service.
Step 4 | ip portbundle. Example: Router(config-service-policymap)# ip portbundle | Enables the ISG Port-Bundle Host Key feature for the service.
Step 5 | end. Example: Router(config-service-policymap)# end | (Optional) Returns to privileged EXEC mode.
What to Do Next
You may want to configure a method of activating the service policy map or service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services."
Enabling the ISG Port-Bundle Host Key Feature in a User Profile or Service Profile on the AAA Server
Perform this task to enable the ISG Port-Bundle Host Key feature in a user profile or service profile on the AAA server.
SUMMARY STEPS
1. Add the Port-Bundle Host Key attribute to the user or service profile.
DETAILED STEPS
Step | Command or Action | Purpose
Step 1 | Add the Port-Bundle Host Key attribute to the user or service profile: 26,9,1 = "ip:portbundle=enable" | Enables the ISG Port-Bundle Host Key feature in the user or service profile.
What to Do Next
If you enabled the ISG Port-Bundle Host Key feature in a service profile, you may want to configure a method of activating the service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services."
Configuring Port-Bundle Host Key Parameters
Perform this task to configure ISG Port-Bundle Host Key parameters and specify the interface for which ISG will use translation tables to derive the IP address and port number for downstream traffic.
Port-Bundle Length
The port-bundle length is used to determine the number of ports in one bundle. By default, the port-bundle length is four bits. The maximum port-bundle length is ten bits. See Table 2 for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. You may want to increase the port-bundle length when you see frequent error messages about running out of ports in a port bundle.
Table 2 Port-Bundle Lengths and Resulting Port-per-Bundle and Bundle-per-Group Values
Port-Bundle Length (in bits) | Number of Ports per Bundle | Number of Bundles per Group (and per ISG Source IP Address)
0 | 1 | 64512
1 | 2 | 32256
2 | 4 | 16128
3 | 8 | 8064
4 (default) | 16 | 4032
5 | 32 | 2016
6 | 64 | 1008
7 | 128 | 504
8 | 256 | 252
9 | 512 | 126
10 | 1024 | 63
Note
For each portal server, all connected ISGs must have the same port-bundle length, which must correspond to the configured value given in the portal server's BUNDLE_LENGTH argument. If you change the port-bundle length on an ISG, be sure to make the corresponding change in the configuration on the portal.
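The following is an added example, not part of the Cisco documentation, that reproduces the arithmetic of Table 2 and shows why a portal whose BUNDLE_LENGTH differs from the ISG's length attributes one subscriber's connections to different host keys. It assumes that ports 0-1023 are excluded from mapping and that the bundle number is the translated source port shifted right by the bundle length (both inferred from the table values); the function names and sample ports are constructed for illustration.

```python
import ipaddress
import re

RESERVED_PORTS = 1024                   # assumption: ports 0-1023 are never mapped
USABLE_PORTS = 65536 - RESERVED_PORTS   # 64512, the length-0 row of Table 2


def bundle_capacity(length_bits):
    """Return (ports per bundle, bundles per ISG source IP) as in Table 2."""
    if not 0 <= length_bits <= 10:
        raise ValueError("port-bundle length must be 0-10 bits")
    return 1 << length_bits, USABLE_PORTS >> length_bits


def host_key(isg_source_ip, src_port, length_bits):
    """Derive the host key a portal would compute for one TCP connection.

    Assumption: bundle number = translated source port >> length_bits.
    """
    ipaddress.ip_address(isg_source_ip)      # reject malformed addresses
    if not RESERVED_PORTS <= src_port <= 65535:
        raise ValueError("source port outside the mapped range")
    bundle_capacity(length_bits)             # validates the length
    return f"{isg_source_ip}:{src_port >> length_bits}"


_VSA = re.compile(r"^S\s*(?P<ip>[0-9.]+)\s*(?::\s*(?P<bundle>\d+))?$")


def parse_subscriber_ip_vsa(value):
    """Parse Account-Info 'S subscriber-ip-address[:port-bundle-number]'."""
    m = _VSA.match(value.strip())
    if not m:
        raise ValueError(f"not a Subscriber IP VSA: {value!r}")
    ip = str(ipaddress.ip_address(m["ip"]))
    bundle = int(m["bundle"]) if m["bundle"] is not None else None
    return ip, bundle


def same_subscriber(isg_ip, ports, length_bits):
    """True if all translated source ports resolve to a single host key."""
    return len({host_key(isg_ip, p, length_bits) for p in ports}) == 1


if __name__ == "__main__":
    # Constructed sample: two connections mapped into one 16-port bundle.
    ports = [1040, 1055]
    print(bundle_capacity(4))
    print(host_key("10.10.10.10", 1040, 4))
    print(parse_subscriber_ip_vsa("S10.10.10.10:65"))
    print(same_subscriber("10.10.10.10", ports, 4))  # portal matches the ISG
    print(same_subscriber("10.10.10.10", ports, 3))  # portal set to 3 bits
```

With matching lengths both connections resolve to bundle 65; with the portal set to 3 bits they split across two bundle numbers, so the portal would treat one subscriber as two.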
SUMMARY STEPS
1. enable
2. configure terminal
3. ip portbundle
4. match access-list access-list-number
5. length bits
6. source interface-type interface-number
7. exit
8. interface type number
9. ip portbundle outside
DETAILED STEPS
Step | Command or Action | Purpose
Step 1 | enable. Example: Router> enable | Enables privileged EXEC mode. • Enter your password if prompted.
Step 2 | configure terminal. Example: Router# configure terminal | Enters global configuration mode.
Step 3 | ip portbundle. Example: Router(config)# ip portbundle | Enters IP portbundle configuration mode.
Step 4 | match access-list access-list-number. Example: Router(config-portbundle)# match access-list 101 | Specifies packets for port-mapping by specifying an access list to compare against the subscriber traffic.
Step 5 | length bits. Example: Router(config-portbundle)# length 5 | Specifies the ISG port-bundle length, which determines the number of ports per bundle and bundles per group. See the section "Port-Bundle Length" for more information. • The default is 4.
Step 6 | source interface-type interface-number. Example: Router(config-portbundle)# source loopback 0 | Specifies the interface for which the main IP address will be mapped by ISG to the destination IP addresses in subscriber traffic. • It is recommended that you use a loopback interface as the source interface.
Step 7 | exit. Example: Router(config-portbundle)# exit | Returns to privileged EXEC mode.
Step 8 | interface type number. Example: Router(config)# interface ethernet 0/0 | Specifies an interface for configuration.
Step 9 | ip portbundle outside. Example: Router(config-if)# ip portbundle outside | Configures ISG to reverse translate the destination IP address and TCP port to the actual subscriber IP address and TCP port for traffic going from the portal to the subscriber for the interface being configured.
Verifying ISG Port-Bundle Host Key Configuration
Perform this task to display information about ISG port-bundle host key configuration.
SUMMARY STEPS
1. enable
2. show ip portbundle status [free | inuse]
3. show ip portbundle ip portbundle-ip-address bundle port-bundle-number
4. show subscriber session [detailed] [identifier identifier | uid session-id | username name]
DETAILED STEPS
Step | Command or Action | Purpose
Step 1 | enable. Example: Router> enable | Enables privileged EXEC mode. • Enter your password if prompted.
Step 2 | show ip portbundle status [free | inuse]. Example: Router# show ip portbundle status free | Displays information about ISG port-bundle groups.
Step 3 | show ip portbundle ip portbundle-ip-address bundle port-bundle-number. Example: Router# show ip portbundle ip 10.10.10.10 bundle 65 | Displays information about a specific ISG port bundle.
Step 4 | show subscriber session [detailed] [identifier identifier | uid session-id | username name]. Example: Router# show subscriber session detailed | Displays ISG subscriber session information.
Configuration Examples for ISG Port-Bundle Host Key
This section contains the following example:
• ISG Port-Bundle Host Key Configuration: Example
ISG Port-Bundle Host Key Configuration: Example
The following example shows how to configure the ISG Port-Bundle Host Key feature to apply to all sessions:
policy-map type service ISGPBHKService
policy-map type control PBHKRule
 class type control always event session-start
  1 service-policy type service ISGPBHKService
service-policy type control PBHKRule
ip address 10.1.1.1 255.255.255.0
Additional References
The following sections provide references related to the ISG Port-Bundle Host Key feature.
Related Documents
Related Topic | Document Title
ISG commands | Cisco IOS Intelligent Services Gateway Command Reference
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for ISG Port-Bundle Host Key
Table 3 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(28)SB or later releases appear in the table. If you are looking for information on a feature in this technology that is not documented here, see the "Intelligent Services Gateway Features Roadmap."
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 3 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 3 Feature Information for ISG Port-Bundle Host Key
Feature Name | Releases | Feature Configuration Information
ISG: Session: Auth: PBHK | 12.2(28)SB, 12.2(33)SRC | The ISG Port-Bundle Host Key feature serves as an in-band signaling mechanism for session identification at external portals. TCP packets from subscribers are mapped to a local IP address for the ISG gateway and a range of ports. This mapping allows the portal to identify the ISG gateway from which the session originated. This module provides information about how to configure the ISG Port-Bundle Host Key feature. In Cisco IOS Release 12.2(33)SRC, support was added for the Cisco 7600 router.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006-2008 Cisco Systems, Inc. All rights reserved.