Cisco 10000 Series Internet Router Service Selection Gateway Configuration Guide
Configuration Example for SSG


SSG Configuration Example


Example A-1 is a sample SSG configuration for the Cisco 10000 series router based on the topology in Figure A-1. The configuration includes AAA, PPP, SSG, and RADIUS. The SSG configuration enables the Port-Bundle Host Key, captive portal, QoS, and Open Garden features.

Figure A-1 SSG Example Topology

Example A-1 Cisco 10000 Router SSG Configuration

!
! Global services and local credentials for the sample router.
! NOTE(review): every secret in this listing (enable password, local user, FTP, SSG and
! RADIUS keys, SNMP community, line passwords) is a short sample value kept in cleartext;
! replace all of them before adapting the example.
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Password encryption is off, so passwords are stored in the configuration as typed.
no service password-encryption
!
hostname c10k-ssg
!
boot system disk0:c10k2-p11-mz.bilgepump
! Debug-level messages go to a 4096-byte buffer; console logging and log rate limiting are off.
logging buffered 4096 debugging
no logging rate-limit
no logging console
! Cleartext enable password; "enable secret" stores a hash instead.
enable password mrrbu
!
! Type 0 = cleartext, and the password equals the username. This is the account the
! "local" method in the AAA login lists checks.
username cisco password 0 cisco
clock timezone PST -8
clock summer-time PST recurring
facility-alarm intake-temperature major 49
no facility-alarm intake-temperature minor
facility-alarm core-temperature major 53
facility-alarm core-temperature minor 45
!
!
card 1/0 1gigethernet-1
card 8/0 4oc3atm-1
! Enables the AAA model; the method lists below then govern login, PPP, network
! authorization and accounting.
aaa new-model
!
!
! RADIUS server group referenced by the login, PPP, authorization and accounting lists.
aaa group server radius SSG-RADIUS
server 192.168.2.62 auth-port 1812 acct-port 1813
!
! Second group with a private entry for the same host; its shared secret is inline and in
! cleartext. No method list in this listing references SSG-RADIUS-RISM.
aaa group server radius SSG-RADIUS-RISM
server-private 192.168.2.62 auth-port 1812 acct-port 1813 key cisco
!
! Banner, failure message and prompts shown during AAA login.
aaa authentication banner CCC !!! Cisco C10K PRE2 SSG !!! 
aaa authentication fail-message CC !!! Unauthorized Access Is Not Permitted !!! 
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
! Default login list: local user database first, then the SSG-RADIUS group.
aaa authentication login default local group SSG-RADIUS
! Named list "console" (local only). No line in this listing applies it with
! "login authentication console", so the default list is what the lines use.
aaa authentication login console local
! PPP subscribers are authenticated against the RADIUS group only.
aaa authentication ppp default group SSG-RADIUS
! Named list "vty" that performs no exec authorization; not applied to any line in this listing.
aaa authorization exec vty none 
aaa authorization network default group SSG-RADIUS 
! Start and stop accounting records for network sessions go to the RADIUS group.
aaa accounting network default start-stop group SSG-RADIUS
aaa nas port extended
aaa session-id common
! Global IP settings.
ip subnet-zero
ip host-routing
! FTP client credentials, stored in cleartext (username and password are identical).
ip ftp username cisco
ip ftp password cisco
no ip domain lookup
ip domain name cisco.com
! Static names: 192.168.2.62 is also the RADIUS server address in this listing, and
! 192.168.2.50 is also the SSG default network, captive-portal and syslog address.
ip host rism 192.168.2.62
ip host sesm 192.168.2.50
ip name-server 172.16.168.183
ip name-server 172.31.226.120
!
mpls ldp log-neighbor-changes
!
!
! Service Selection Gateway: enable it, send accounting updates every 300 seconds,
! and cache service profiles.
ssg enable
ssg accounting interval 300
ssg profile-cache
! Default network: the single host 192.168.2.50, which users can reach before they authenticate.
ssg default-network 192.168.2.50 255.255.255.255
! Password SSG presents when it fetches service profiles from the AAA server; cleartext here.
ssg service-password servicecisco
! RADIUS ports and shared secret for the SSG radius-helper interface; the key is the same
! sample value used for the RADIUS server elsewhere in this listing.
ssg radius-helper auth-port 1812 acct-port 1813
ssg radius-helper key cisco
ssg maxservice 20
! Port-Bundle Host Key: port mapping for TCP port 80 traffic to 192.168.2.50, using source
! address 192.168.2.60 (the FastEthernet0/0/0 address in this listing).
ssg port-map enable
ssg port-map destination range 80 to 80 ip 192.168.2.50
ssg port-map source ip 192.168.2.60
! Binds each named service to a next-hop address.
ssg bind service video-prepaid 10.1.1.51
ssg bind service zap-com 10.1.1.51
ssg bind service opengarden-helpdesk 10.1.5.51
ssg bind service video-silver 10.1.1.51
ssg bind service proxy-service 10.1.1.51
ssg bind service video-gold 10.1.1.51
ssg bind service internet 10.1.1.51
ssg bind service video-bronze 10.1.1.51
! Marks GigabitEthernet1/0/0.1 through .5 as uplink (service-side) interfaces.
ssg bind direction uplink GigabitEthernet1/0/0.4
ssg bind direction uplink GigabitEthernet1/0/0.5
ssg bind direction uplink GigabitEthernet1/0/0.1
ssg bind direction uplink GigabitEthernet1/0/0.2
ssg bind direction uplink GigabitEthernet1/0/0.3
! Open Garden: the opengarden-helpdesk service is reachable without subscriber authentication,
! so the destinations in its local profile should be limited to what must be public.
ssg open-garden opengarden-helpdesk 
! Per-user and per-session QoS policing.
ssg qos police user
ssg qos police session
! TCP redirect (captive portal) configuration.
ssg tcp-redirect
network-list service-networks
network 192.168.20.0 255.255.255.0
network 192.168.10.0 255.255.255.0
!
! NOTE(review): port 443 is in the redirect list while the portal server below is defined
! on port 80 -- confirm how HTTPS sessions are expected to behave when redirected.
port-list user-tcp-ports
port 80
port 8080
port 443
!
server-group captive-portal
server 192.168.2.50 80
!
redirect port-list user-tcp-ports to captive-portal
redirect unauthorized-service destination network-list service-networks to captive-portal
!
server-group RECHARGE
  server 192.168.2.50 80
!
! Unauthenticated users and unauthorized-service attempts go to the captive portal;
! prepaid users go to the RECHARGE group (same server and port as the portal).
redirect unauthenticated-user to captive-portal
redirect unauthorized-service to captive-portal
redirect prepaid-user to RECHARGE
! Service profiles are looked up locally first, then on the remote AAA server.
ssg service-search-order local remote
!
! Local profile for the Open Garden service. Attribute 26/9/251 is the Cisco Service-Info
! VSA: "O" carries a domain name and "R" a destination network and mask.
local-profile opengarden-helpdesk
attribute 26 9 251 "Omobile.users.com"
attribute 26 9 251 "R35.1.5.1;255.255.255.255"
!
!
! Permanent buffer pool sizes.
buffers small permanent 1500
buffers middle permanent 12000
buffers big permanent 8000
!
! Loopback that Virtual-Template1 borrows its address from (ip unnumbered).
interface Loopback1
description LOOPBACK for DSL/PPPoA/PAT users
ip address 192.168.201.1 255.255.255.255
!
! Lab backbone interface. In this listing it is also the RADIUS source interface, the
! port-map source address, and on the same subnet as the RADIUS, portal and syslog hosts.
interface FastEthernet0/0/0
description Connected to LAB Backbone
ip address 192.168.2.60 255.255.255.0
no ip route-cache cef
full-duplex
!
interface GigabitEthernet1/0/0
no ip address
no negotiation auto
!
! 802.1Q subinterfaces. Only .1 through .5 are bound as SSG uplinks in this listing.
interface GigabitEthernet1/0/0.1
description SSG Service internet
encapsulation dot1Q 10
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1/0/0.2
encapsulation dot1Q 2
ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet1/0/0.3
encapsulation dot1Q 3
ip address 10.1.3.1 255.255.255.0

!

interface GigabitEthernet1/0/0.4
encapsulation dot1Q 4
ip address 10.1.4.1 255.255.255.0
!
interface GigabitEthernet1/0/0.5
encapsulation dot1Q 5
ip address 10.1.5.1 255.255.255.0
!
interface GigabitEthernet1/0/0.6
encapsulation dot1Q 6
ip address 10.1.6.1 255.255.255.0
!
interface GigabitEthernet1/0/0.7
encapsulation dot1Q 7
ip address 10.1.7.1 255.255.255.0
!
interface GigabitEthernet1/0/0.8
encapsulation dot1Q 8
ip address 10.1.8.1 255.255.255.0
!
interface GigabitEthernet1/0/0.9
encapsulation dot1Q 9
ip address 10.1.9.1 255.255.255.0
!
! NOTE(review): described as the Open Garden interface, but opengarden-helpdesk is bound to
! 10.1.5.51 (the .5 subnet) and .10 is not in the uplink list -- confirm which is intended.
interface GigabitEthernet1/0/0.10
description SSG OpenGarden Service Interface
encapsulation dot1Q 11
ip address 10.1.10.1 255.255.255.0
!
interface ATM8/0/0
no ip address
load-interval 30
no atm ilmi-keepalive
!
! Subscriber-facing PVC: PPP over ATM sessions are cloned from Virtual-Template1.
interface ATM8/0/0.1 point-to-point
pvc 1/32 
encapsulation aal5mux ppp Virtual-Template1
!
!
! Unused ATM ports are administratively shut down.
interface ATM8/0/1
no ip address
shutdown
no atm ilmi-keepalive
!
interface ATM8/0/2
no ip address
shutdown
no atm ilmi-keepalive
!
interface ATM8/0/3
no ip address
shutdown
no atm ilmi-keepalive
!
! Template for subscriber PPP sessions; addresses come from SSG-POOL.
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool SSG-POOL
! PAP is listed before CHAP. PAP carries the subscriber password in cleartext over the
! link; list CHAP first, or alone, where the subscriber equipment supports it.
ppp authentication pap chap
! NOTE(review): appears to accept the address the peer proposes in IPCP -- confirm this is
! wanted alongside the pool assignment above.
ppp ipcp address accept
!
! Address pool handed to PPP subscribers through Virtual-Template1.
ip local pool SSG-POOL 10.60.1.1 10.60.1.100
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
! NOTE(review): 10.80.1.1 with mask 255.255.0.0 has host bits set, and next hop 11.1.1.51 is
! not on any subnet configured in this listing -- likely a typo in the example; confirm.
ip route 10.80.1.1 255.255.0.0 11.1.1.51
! The built-in HTTP server is disabled.
no ip http server
!
!
! RADIUS packets are sourced from the lab backbone interface address.
ip radius source-interface FastEthernet0/0/0 
!
! Debug-level syslog is sent to 192.168.2.50; debug output can include session detail, so
! the collector and the path to it should be trusted.
logging trap debugging
logging facility local6
logging 192.168.2.50
! ACLs 101-105 are defined, but nothing in this listing applies them to an interface or a
! line, so as shown they filter no traffic and do not restrict management access.
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.25.0.0 0.0.255.255
access-list 102 permit ip host 192.168.2.50 any
access-list 102 permit ip any host 192.168.2.50
access-list 103 permit ip host 10.60.1.2 any
access-list 104 permit tcp any any
access-list 105 permit ip 10.60.1.0 0.0.0.255 any
! Static ARP entry.
arp 10.27.1.3 3434.3434.3434 ARPA
! Read-write SNMP community set to the well-known string "public" with no ACL attached.
! Anyone who can reach the router over SNMP could change its configuration; use a unique
! string, RO where possible, and an ACL on the community, or SNMPv3.
snmp-server community public RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps alarms
!
! RADIUS server with a per-host shared secret. The secret is in cleartext and is the same
! sample value as the global key and several other passwords in this listing.
radius-server host 192.168.2.62 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 15
radius-server attribute nas-port format d
! Global default shared secret, used for servers without their own key.
radius-server key cisco
! Accepts authorization replies that lack the Service-Type attribute.
radius-server authorization permit missing Service-Type
! Sends vendor-specific attributes in accounting and authentication requests.
radius-server vsa send accounting
radius-server vsa send authentication
! Convenience aliases for exec mode.
alias exec cpu show proc cpu history
alias exec dcopy copy running-config disk0:ssg-c10k.txt
! TFTP has no authentication or encryption, and this running-config holds cleartext
! secrets; anything copied this way exposes them on the wire and on the TFTP server.
alias exec zcopy copy running-config tftp://192.168.2.50/rohit/ssg-c10k.txt
!
! Terminal lines. "exec-timeout 0 0" disables the idle timeout, so sessions never time out.
line con 0
exec-timeout 0 0
line aux 0
! No access-class or transport input restriction is shown on the vty lines, so remote
! logins are not limited by source address or protocol in this listing.
! NOTE(review): with aaa new-model the default login list (local, then SSG-RADIUS) applies
! here; the line passwords are presumably consulted only by a list that names "line".
line vty 0 4
 exec-timeout 0 0
 password cisco
line vty 5 99
 exec-timeout 0 0
 password lab
!
! No NTP server or peer is configured in this listing, so log timestamps depend on the
! router's own clock.
ntp clock-period 17181406
ntp update-calendar
end