Cisco 10000 Series Internet Router Service Selection Gateway Configuration Guide
Interface Configuration



When an interface is configured as an SSG uplink or downlink interface, non-SSG traffic is not allowed to pass through the interface. You configure interfaces that are connected to services as uplink interfaces by using the ssg direction uplink command in interface configuration mode. If you use PPP to connect subscribers to SSG, you do not have to configure any downlink interfaces. If you use non-PPP connections, such as bridging or LAN, you must configure at least one downlink interface by using the ssg direction downlink command in interface configuration mode.

For more information, refer to the Service Selection Gateway, Release 12.2(15)B feature module.

The Cisco 10000 series router supports the following features for interfaces:

- Transparent Passthrough
- Multicast Protocols on SSG Interfaces

This chapter describes the SSG features for interfaces.

Transparent Passthrough

The Transparent Passthrough feature allows unauthenticated traffic to pass through an interface. Interfaces configured as transparent passthrough are treated as Cisco IOS interfaces and not SSG interfaces. The Cisco 10000 series router can receive transparent passthrough traffic on both the access side and the network side. When an interface is configured as transparent passthrough, SSG does not process the traffic to and from the interface or apply SSG features. Instead, Cisco IOS software processes the traffic and applies Cisco IOS features.


Note: The transparent passthrough feature is supported only for traffic to the host. The feature is not supported for traffic from the host; instead, you can configure an Open Garden network to allow SSG hosts access to certain networks. The default is to allow non-SSG hosts (on non-SSG interfaces) access to Internet services that are reachable through an uplink interface.


Access Side Interfaces

For access side interfaces, the interface type determines the method used to indicate an interface as SSG or transparent passthrough. If you enable SSG globally, SSG automatically configures PPP users as SSG downlink users. To configure a PPP user as a transparent passthrough user, configure the Cisco 10000 router in one of the following ways:

- Do not enable SSG globally on the router. If SSG is not globally enabled, traffic is routed through normal Cisco IOS processing.

- Configure the router as a LAC. The LAC uses L2TP to directly tunnel PPP traffic to the LNS. The LAC does not terminate the PPP traffic; it uses normal Cisco IOS processing to forward the traffic. The LAC uses the following mechanisms to determine that a session should be LAC switched:

  - The VPI/VCI can be configured with a specific domain. Using a conventional Cisco IOS configuration, the domain indicates how to LAC switch the session.

  - If no domain information is configured specifically on the VC, RADIUS authentication is attempted. If the RADIUS server does not return any SSG vendor specific attributes (VSAs), then normal Cisco IOS processing occurs.

  - If the user signals a domain, but that domain is part of a PTA-MD exclusion list, the session is processed by the VPDN software.

  - A specific domain can be installed on the VPI/VCI by using the VPI/VCI Index to a Service Profile feature. This domain must be on the PTA-MD exclusion list.

- Configure the router as an LNS. The LNS terminates the PPP traffic on the LNS side of the tunnel and uses normal Cisco IOS processing to forward the traffic. This configuration requires that you use a PTA-MD exclusion list.

To configure a non-PPP user as an SSG user, bind the interface as downlink or uplink by using the ssg direction command in subinterface configuration mode. The command syntax is:

ssg direction {uplink | downlink}

For example:

Router(config)# interface atm 5/0/1.15
Router(config-subif)# ssg direction downlink
Router(config-subif)# interface atm 5/0/1.16
Router(config-subif)# ssg direction uplink


Note: The ssg direction command also applies to range commands.


When you bind an interface to a direction, traffic is routed through SSG features and processing. If you do not bind an interface to a direction, the interface is a transparent passthrough interface and traffic is routed through normal Cisco IOS features processing.

Network Side Interfaces

For network side interfaces, SSG uplink interfaces can accept and forward both SSG traffic and transparent passthrough traffic. The SSG software classifies the traffic as transparent passthrough. An interface that is not configured as an SSG uplink can receive transparent passthrough traffic or traffic destined for Cisco IOS interfaces. The traffic is handled using normal Cisco IOS processing.

Typically, SSG uses transparent passthrough access control lists (ACLs) to allow unauthenticated traffic to be routed through normal Cisco IOS processing. However, the Cisco 10000 series router does not require transparent passthrough ACLs (see the "Restrictions of Transparent Passthrough" section).

The following Cisco-AV pair attributes are used to configure transparent passthrough ACLs:

- Downstream Access Control List (outacl): Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to downstream traffic going to the user.

- Upstream Access Control List (inacl): Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to upstream traffic coming from the user.

For more information about transparent passthrough ACLs, refer to the Service Selection Gateway, Release 12.2(15)B feature module.

Restrictions of Transparent Passthrough

SSG uplink interfaces can accept and forward both SSG traffic and transparent passthrough traffic. Typically, transparent passthrough ACLs are used to prevent downstream SSG traffic from being forwarded by Cisco IOS software. However, the Cisco 10000 series router does not require transparent passthrough ACLs; therefore, SSG hosts that have not been authorized for specific services might be able to receive traffic from those services. If the host attempts to send traffic, the packets are dropped until authentication occurs.

Configuration of Transparent Passthrough

Transparent passthrough is always enabled for SSG VRFs for uplink interfaces.

Multicast Protocols on SSG Interfaces

SSG supports multicast traffic, which includes normal multicast packets and Internet Group Management Protocol (IGMP) packets. The multicast traffic is separate from the SSG traffic and is routed through normal Cisco IOS processing and features; it is not routed through SSG authentication or features such as per-service statistics or hierarchical policing.

SSG interfaces can simultaneously receive multicast traffic and normal SSG traffic such as traffic to and from the default network, Open Garden network, and service networks. The normal SSG traffic is routed through SSG features and processing.

Configuration of Multicast Protocols on SSG Interfaces

For SSG to forward multicast packets to the Cisco IOS routing engine, configure the following:

- Configure the interface where multicast packets are received as an uplink or downlink interface, or bind a service to the interface.

- Enable SSG multicast by using the ssg multicast command in global configuration mode. When multicast is enabled, the SSG forwards to the Cisco IOS routing engine any multicast packets received on an uplink or downlink interface with a service bound to it.

  Note: If you do not enable multicast, multicast packets received on the interface are dropped.

- Enable IP multicast routing by using the ip multicast-routing command in global configuration mode. For more information about the IP Multicast feature, refer to the Cisco 10000 Series Router Broadband Aggregation, Leased-Line, and MPLS Configuration Guide.

For more information about multicast protocols on SSG interfaces, refer to "Service Selection Gateway" in the Cisco 6400 Feature Guide, Release 12.2(2)B.
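
An added example (not part of the Cisco guide): a short Python audit that reads a running configuration, classifies each interface as SSG uplink, SSG downlink, or unbound (transparent passthrough, handled by normal Cisco IOS processing as described under Access Side Interfaces), and checks the two global multicast commands from the procedure above. The sample configuration and interface names are constructed; PPP sessions, range commands, and interfaces that only have a service bound are not modeled.

```python
import re

# Constructed sample in running-config layout; names and addresses are illustrative.
SAMPLE_CONFIG = """\
ip multicast-routing
!
interface ATM5/0/1.15 point-to-point
 ssg direction downlink
!
interface ATM5/0/1.16 point-to-point
 ssg direction uplink
!
interface GigabitEthernet1/0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

DIRECTION_RE = re.compile(r"^\s+ssg direction (uplink|downlink)\s*$")


def classify_interfaces(config):
    """Map each interface name to 'uplink', 'downlink' or 'passthrough'."""
    roles, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            # No direction binding yet: traffic gets normal Cisco IOS processing.
            roles[current] = "passthrough"
        elif not line[:1].isspace():
            current = None  # unindented line ends the interface stanza
        elif current:
            match = DIRECTION_RE.match(line)
            if match:
                roles[current] = match.group(1)
    return roles


def multicast_findings(config, roles):
    """Report missing global commands from the multicast procedure."""
    global_cmds = {l.strip() for l in config.splitlines() if l and not l[0].isspace()}
    bound = sorted(name for name, role in roles.items() if role != "passthrough")
    findings = []
    if bound and "ssg multicast" not in global_cmds:
        findings.append("ssg multicast not enabled: multicast received on "
                        + ", ".join(bound) + " is dropped")
    if "ssg multicast" in global_cmds and "ip multicast-routing" not in global_cmds:
        findings.append("ssg multicast enabled without ip multicast-routing")
    return findings
```

Interfaces reported as passthrough are the ones to review, since SSG does not authenticate or process their traffic.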