Table B-1 SSG Implementation Notes for the Cisco 10000 Router

| SSG Feature | Implementation Notes |
|---|---|
| ACLs and QoS | ACL and QoS are applied even if the traffic is to or from an Open Garden or the default network (when port-bundle host key is not enabled). |
| | Service ACLs cannot be applied to a connection. The connection remains active, but the ACLs have no effect. |
| | Modular QoS CLI (MQC) is not supported on SSG interfaces. If an MQC service policy is configured on an SSG interface, SSG ignores the policy. |
| | See the "Restrictions for SSG Hierarchical Policing" section for additional implementation information. |
| AutoDomain | You must enable Cisco Express Forwarding (CEF) before you enable SSG functionality. |
| | Passthrough services are available only for services that perform authentication (for example, proxy or VPDN services). This is because AutoDomain bypasses the local authentication that is performed at the network access server (NAS). |
| | DHCP requests for IP address assignment must be completed before RADIUS negotiation. |
| | If an Access-Request does not contain an IP address, you must configure a local per-domain or global IP address pool. |
| | "Virtual-user" profiles can contain only one AutoLogon service. |
| L2TP | Not supported. |
| | SSG attempts to set up the tunnel, but does not set up the VRF for tunnel services. Therefore, traffic is not forwarded to the tunnel. The same applies to L2TP dialout. |
| Logon | A user cannot log on to services on different uplink interfaces. All services that the user connects to must be on the same interface. This is because a user can connect to only one VRF, and in SSG one VRF is used for each uplink interface. |
| | To connect to a different service, the user has to log off from the current service and log on to the other service. |
| Local Forwarding | Cannot be enabled or disabled through the CLI. |
| | Only seven services (network sets) can be bound to an uplink interface. If a service cannot be created on the toaster, then no connection is created. |
| | A service cannot be bound by interface to a broadcast interface. If such a service is configured, the toaster does not see this network in the VRF and might drop traffic to the service. Binding to a next hop on a broadcast interface is allowed. |
| | If two users are connected to services on the same uplink interface, traffic between the users is allowed and all host features are applied (that is, the "in" features of the first user and the "out" features of the second user). |
| | If an ACL contains more than eight ACEs, the toaster does not apply the ACL; however, the segment continues to exist. |
| MPLS | Disabled on SSG interfaces. |
| Open Garden | Service bindings are not required for services directly connected to the router. |
| | Service bindings are required for any services routed through a next-hop address. |
| | RADIUS accounting records are not created for Open Garden services. |
| | Open Garden services must be created through local profiles; RADIUS profiles are not supported. |
| | Overlapping of Open Garden networks is not supported. |
| Per Service Statistics | Connection-level statistics are not collected for the default network or for Open Garden networks. |
| | You cannot display aggregate statistics for a user. |
| | For PPP-based users, any link-level control traffic (such as keepalives) is counted separately from the data traffic to support idle timeouts. |
| Port-Bundle Host Key | The router supports this feature for Cisco SESM Release 3.1(1) or later. The feature is disabled by default. |
| | A default network must be configured and routable from SSG. |
| | To enable this feature, you must reload SSG and restart SESM. |
| | You must separately enable this feature at SESM and at all connected SSG nodes. |
| | For each SESM server, all connected SSG nodes must have the same port-bundle length. When you change the port-bundle length, the change does not take effect until after the router reloads. |
| | All SSG source IP addresses configured using the ssg port-map source ip command must be routable in the management network where SESM resides. |
| | See the "Restrictions for SSG Port-Bundle Host Key" section for additional implementation notes. |
| PPPoA Connections | The router supports only one host per interface. |
| | The customer premises equipment (CPE) must be configured for PAT. |
| Prepaid Services | Only time-based quotas are supported. Quotas are always measured in seconds. |
| | Quotas based on data volume are not supported. If configured, traffic might exceed the quota. |
| RADIUS Proxy | Not supported. |
| Service Profiles | MTU Size Attribute—In Directory Enabled Service Selection Subscription (DESS) mode, SESM does not support the use of the MTU Size attribute. |
| | Service-Defined Cookie Attribute—SSG does not parse or interpret the value of this attribute. You must configure the proxy RADIUS server to interpret this attribute. |
| | A RADIUS service profile supports only one Service-Defined Cookie. |
| SMTP Redirect | Not supported, even if it is configured. |
| TCP Redirect | Supported to the default network only. User traffic to services might be dropped, even if it does not match a redirect port. |
| | Network-specific redirects do not work unless the network is part of an exclude network or part of an active service. As a workaround, use redirects based on service name. |
| | The authentication feature applies only to non-PPP users. PPP users are always authenticated as part of the PPP negotiation process. PPP users logging off from SESM are also redirected. |
| | Initial Captivation—If the packet matches the redirection filter, the packet is subject to initial captivation and is redirected. If the packet does not match the redirection filter, the packet is not subject to initial captivation and is dropped. |
| | Also see the "Restrictions for SSG TCP Redirect" section. |
| Transparent Passthrough | Supported only for traffic to the user (host). Not supported for traffic from the user (host). Use Open Garden to allow SSG hosts access to certain networks. |
| | Unauthorized downstream traffic is always allowed, but unauthorized upstream traffic from an SSG host is dropped. |
| Unsupported Features | If an unsupported feature (such as NAT) is applied to an SSG connection, the router does not reject the connection; however, the feature is not applied to traffic over the connection. |
| VPI/VCI Static Binding to a Service Profile | The feature applies only to PPP sessions. |
| | You must statically configure the feature. |
| | SESM cannot map the VC to the service. |